diff --git a/src/Maester.psd1 b/src/Maester.psd1
index 0b9960e3..41753243 100644
--- a/src/Maester.psd1
+++ b/src/Maester.psd1
@@ -69,9 +69,9 @@ RequiredModules = @(@{ModuleName = 'Microsoft.Graph.Authentication'; GUID = '883
 NestedModules = @()
 # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
-FunctionsToExport = 'Get-MtConditionalAccessPolicies',
- 'Test-MtAppManagementPolicyEnabled', 'Test-MtCaAllAppsExists',
- 'Test-MtCaDeviceComplianceExists', 'Test-MtConditionalAccessWhatIf'
+FunctionsToExport = @('Get-MtConditionalAccessPolicies',
+ 'Test-MtAppManagementPolicyEnabled', 'Test-MtCaAllAppsExists',
+ 'Test-MtCaDeviceComplianceExists', 'Test-MtConditionalAccessWhatIf', 'Test-MtCaEmergencyAccessExists')
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
 CmdletsToExport = @()
diff --git a/src/public/Test-MtCaEmergencyAccessExists.ps1 b/src/public/Test-MtCaEmergencyAccessExists.ps1
new file mode 100644
index 00000000..03ef5d46
--- /dev/null
+++ b/src/public/Test-MtCaEmergencyAccessExists.ps1
@@ -0,0 +1,37 @@
+<#
+ .Synopsis
+ Checks if the tenant has at least one emergency account or account group excluded from all conditional access policies
+
+ .Description
+ It is recommended to have at least one emergency account or account group excluded from all conditional access policies.
+ This allows for emergency access to the tenant in case of a misconfiguration or other issues.
+
+ Learn more:
+ https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access
+
+ .Example
+ Test-MtCaEmergencyAccessExists
+#>
+
+Function Test-MtCaEmergencyAccessExists {
+ [CmdletBinding()]
+ [OutputType([bool])]
+ param ()
+
+ $policies = Get-MtConditionalAccessPolicies | Select-Object -ExpandProperty value | Where-Object { $_.state -eq "enabled" }
+
+ Set-StrictMode -Off
+
+ $result = $false
+ $PolicyCount = $policies | Measure-Object | Select-Object -ExpandProperty Count
+ $ExcludedUsers = $policies.conditions.users.excludeUsers | Group-Object -NoElement | Sort-Object -Property Count -Descending | Select-Object -First 1 | Select-Object -ExpandProperty Count
+ $ExcludedGroups = $policies.conditions.users.excludeGroups | Group-Object -NoElement | Sort-Object -Property Count -Descending | Select-Object -First 1 | Select-Object -ExpandProperty Count
+ # If the number of enabled policies is not the same as the number of excluded users or groups, there is no emergency access
+ if ($PolicyCount -eq $ExcludedUsers -or $PolicyCount -eq $ExcludedGroups) {
+ $result = $true
+ }
+
+ Set-StrictMode -Version Latest
+
+ return $result
+}
\ No newline at end of file
diff --git a/tests/Identity/Test-ConditionalAccessBaseline.Tests.ps1 b/tests/Identity/Test-ConditionalAccessBaseline.Tests.ps1
index 68057b49..702d98d0 100644
--- a/tests/Identity/Test-ConditionalAccessBaseline.Tests.ps1
+++ b/tests/Identity/Test-ConditionalAccessBaseline.Tests.ps1
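Review bot: With zero enabled policies the function appears to return $true, because `$PolicyCount` comes back as 0 from Measure-Object while both exclusion counts are $null, and `0 -eq $null` evaluates to $true in PowerShell, so the ID1005 check would pass on a tenant with no enforced Conditional Access at all. A guard on the policy count closes that gap: `if ($PolicyCount -gt 0 -and ($PolicyCount -eq $ExcludedUsers -or $PolicyCount -eq $ExcludedGroups)) {`. The `Set-StrictMode -Off` / `Set-StrictMode -Version Latest` pair is not exception-safe and unconditionally leaves the caller in Latest whatever was set before; a try/finally around the counting section that restores strict mode would be more robust. The comment above the if also describes the test inexactly, since it compares the policy count with the largest number of enabled policies any single user or group id is excluded from; `# Emergency access exists only if one user or group id is excluded from every enabled policy` says what the code does.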
@@ -1,13 +1,15 @@
 Describe "Conditional Access Baseline Policies" -Tag "CA", "Security", "All" {
 It "ID1001: At least one Conditional Access policy is configured with device compliance" {
- Test-MtCaDeviceComplianceExists | Should -Be $true
+ Test-MtCaDeviceComplianceExists | Should -Be $true -Because "There is no policy which requires device compliances"
 }
 It "ID1003: At least one Conditional Access policy is configured with All Apps" {
- Test-MtCaAllAppsExists -SkipCheckAllUsers | Should -Be $true
+ Test-MtCaAllAppsExists -SkipCheckAllUsers | Should -Be $true -Because "There is no policy scoped to All Apps"
 }
 It "ID1004: At least one Conditional Access policy is configured with All Apps and All Users" {
- Test-MtCaAllAppsExists | Should -Be $true
+ Test-MtCaAllAppsExists | Should -Be $true -Because "There is no policy scoped to All Apps and All Users"
+ }
+ It "ID1005: All Conditional Access policies are configured to exclude at least one emergency account or group" {
+ Test-MtCaEmergencyAccessExists | Should -Be $true -Because "There is no emergency access account or group present in all enabled policies"
 }
-
 }
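Review bot: The ID1005 title says "All Conditional Access policies" while its -Because message, and the new function as far as its Where-Object filter shows, consider enabled policies only, so a disabled or report-only policy lacking the exclusion does not fail this test and the report wording would overstate what was verified. Aligning the title with the check avoids that: `It "ID1005: All enabled Conditional Access policies are configured to exclude at least one emergency account or group" {`.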