Merge pull request #17 from maester365/fb_DetectBreakGlass

Add ID1005 - Emergency account check

src/Maester.psd1

@@ -69,9 +69,9 @@ RequiredModules = @(@{ModuleName = 'Microsoft.Graph.Authentication'; GUID = '883
 NestedModules = @()
 
 # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
-FunctionsToExport = 'Get-MtConditionalAccessPolicies', 
-               'Test-MtAppManagementPolicyEnabled', 'Test-MtCaAllAppsExists', 
-               'Test-MtCaDeviceComplianceExists', 'Test-MtConditionalAccessWhatIf'
+FunctionsToExport    = @('Get-MtConditionalAccessPolicies',
+    'Test-MtAppManagementPolicyEnabled', 'Test-MtCaAllAppsExists',
+    'Test-MtCaDeviceComplianceExists', 'Test-MtConditionalAccessWhatIf', 'Test-MtCaEmergencyAccessExists')
 
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
 CmdletsToExport = @()

src/public/Test-MtCaEmergencyAccessExists.ps1

@@ -0,0 +1,37 @@
+<#
+ .Synopsis
+  Checks if the tenant has at least one emergency account or account group excluded from all conditional access policies
+
+ .Description
+  It is recommended to have at least one emergency account or account group excluded from all conditional access policies.
+  This allows for emergency access to the tenant in case of a misconfiguration or other issues.
+
+  Learn more:
+  https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access
+
+ .Example
+  Test-MtCaEmergencyAccessExists
+#>
+
+Function Test-MtCaEmergencyAccessExists {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param ()
+
+    $policies = Get-MtConditionalAccessPolicies | Select-Object -ExpandProperty value | Where-Object { $_.state -eq "enabled" }
+
+    Set-StrictMode -Off
+
+    $result = $false
+    $PolicyCount = $policies | Measure-Object | Select-Object -ExpandProperty Count
+    $ExcludedUsers = $policies.conditions.users.excludeUsers | Group-Object -NoElement | Sort-Object -Property Count -Descending | Select-Object -First 1 | Select-Object -ExpandProperty Count
+    $ExcludedGroups = $policies.conditions.users.excludeGroups | Group-Object -NoElement | Sort-Object -Property Count -Descending | Select-Object -First 1 | Select-Object -ExpandProperty Count
+    # If the number of enabled policies is not the same as the number of excluded users or groups, there is no emergency access
+    if ($PolicyCount -eq $ExcludedUsers -or $PolicyCount -eq $ExcludedGroups) {
+        $result = $true
+    }
+
+    Set-StrictMode -Version Latest
+
+    return $result
+}

tests/Identity/Test-ConditionalAccessBaseline.Tests.ps1

@@ -1,13 +1,15 @@
 
 Describe "Conditional Access Baseline Policies" -Tag "CA", "Security", "All" {
     It "ID1001: At least one Conditional Access policy is configured with device compliance" {
-        Test-MtCaDeviceComplianceExists | Should -Be $true
+        Test-MtCaDeviceComplianceExists | Should -Be $true -Because "There is no policy which requires device compliances"
     }
     It "ID1003: At least one Conditional Access policy is configured with All Apps" {
-        Test-MtCaAllAppsExists -SkipCheckAllUsers | Should -Be $true
+        Test-MtCaAllAppsExists -SkipCheckAllUsers | Should -Be $true -Because "There is no policy scoped to All Apps"
     }
     It "ID1004: At least one Conditional Access policy is configured with All Apps and All Users" {
-        Test-MtCaAllAppsExists | Should -Be $true
+        Test-MtCaAllAppsExists | Should -Be $true -Because "There is no policy scoped to All Apps and All Users"
+    }
+    It "ID1005: All Conditional Access policies are configured to exclude at least one emergency account or group" {
+        Test-MtCaEmergencyAccessExists | Should -Be $true -Because "There is no emergency access account or group present in all enabled policies"
     }
-
 }