Merge pull request #31 from maester365/fb_AdditionalChecks

Add new cmdlets and tests for Conditional Access policies

src/Maester.psd1

@@ -8,129 +8,135 @@
 
 @{
 
-# Script module or binary module file associated with this manifest.
-RootModule = 'Maester.psm1'
+    # Script module or binary module file associated with this manifest.
+    RootModule           = 'Maester.psm1'
 
-# Version number of this module.
-ModuleVersion = '0.0.11'
+    # Version number of this module.
+    ModuleVersion        = '0.0.11'
 
-# Supported PSEditions
-CompatiblePSEditions = 'Core', 'Desktop'
+    # Supported PSEditions
+    CompatiblePSEditions = 'Core', 'Desktop'
 
-# ID used to uniquely identify this module
-GUID = '502a7fe7-b1ae-4bf5-98db-00831b14ed6f'
+    # ID used to uniquely identify this module
+    GUID                 = '502a7fe7-b1ae-4bf5-98db-00831b14ed6f'
 
-# Author of this module
-Author = 'Microsoft Identity'
+    # Author of this module
+    Author               = 'Microsoft Identity'
 
-# Company or vendor of this module
-CompanyName = 'Microsoft Corporation'
+    # Company or vendor of this module
+    CompanyName          = 'Microsoft Corporation'
 
-# Copyright statement for this module
-Copyright = 'Microsoft Corporation. All rights reserved.'
+    # Copyright statement for this module
+    Copyright            = 'Microsoft Corporation. All rights reserved.'
 
-# Description of the functionality provided by this module
-Description = 'This cmdlets in this module help you write Pester tests for your Microsoft 365 tenant configuration.'
+    # Description of the functionality provided by this module
+    Description          = 'This cmdlets in this module help you write Pester tests for your Microsoft 365 tenant configuration.'
 
-# Minimum version of the PowerShell engine required by this module
-PowerShellVersion = '5.1'
+    # Minimum version of the PowerShell engine required by this module
+    PowerShellVersion    = '5.1'
 
-# Name of the PowerShell host required by this module
-# PowerShellHostName = ''
+    # Name of the PowerShell host required by this module
+    # PowerShellHostName = ''
 
-# Minimum version of the PowerShell host required by this module
-# PowerShellHostVersion = ''
+    # Minimum version of the PowerShell host required by this module
+    # PowerShellHostVersion = ''
 
-# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
-# DotNetFrameworkVersion = ''
+    # Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
+    # DotNetFrameworkVersion = ''
 
-# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
-# ClrVersion = ''
+    # Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
+    # ClrVersion = ''
 
-# Processor architecture (None, X86, Amd64) required by this module
-# ProcessorArchitecture = ''
+    # Processor architecture (None, X86, Amd64) required by this module
+    # ProcessorArchitecture = ''
 
-# Modules that must be imported into the global environment prior to importing this module
-RequiredModules = @(@{ModuleName = 'Microsoft.Graph.Authentication'; GUID = '883916f2-9184-46ee-b1f8-b6a2fb784cee'; ModuleVersion = '2.2.0'; })
+    # Modules that must be imported into the global environment prior to importing this module
+    RequiredModules      = @(@{ModuleName = 'Microsoft.Graph.Authentication'; GUID = '883916f2-9184-46ee-b1f8-b6a2fb784cee'; ModuleVersion = '2.2.0'; })
 
-# Assemblies that must be loaded prior to importing this module
-# RequiredAssemblies = @()
+    # Assemblies that must be loaded prior to importing this module
+    # RequiredAssemblies = @()
 
-# Script files (.ps1) that are run in the caller's environment prior to importing this module.
-# ScriptsToProcess = @()
+    # Script files (.ps1) that are run in the caller's environment prior to importing this module.
+    # ScriptsToProcess = @()
 
-# Type files (.ps1xml) to be loaded when importing this module
-# TypesToProcess = @()
+    # Type files (.ps1xml) to be loaded when importing this module
+    # TypesToProcess = @()
 
-# Format files (.ps1xml) to be loaded when importing this module
-# FormatsToProcess = @()
+    # Format files (.ps1xml) to be loaded when importing this module
+    # FormatsToProcess = @()
 
-# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
-NestedModules = @()
+    # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+    NestedModules        = @()
 
-# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
-FunctionsToExport = 'Clear-MtGraphCache', 'Get-MtConditionalAccessPolicies', 
-               'Invoke-MtGraphRequest', 'Test-MtAppManagementPolicyEnabled', 
-               'Test-MtCaAllAppsExists', 'Test-MtCaDeviceComplianceExists', 
-               'Test-MtCaEmergencyAccessExists', 'Test-MtCaMfaForAdmins', 
-               'Test-MtCaMfaForAllUsers', 'Test-MtConditionalAccessWhatIf'
+    # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
+    FunctionsToExport    = 'Clear-MtGraphCache', 'Get-MtConditionalAccessPolicies',
+    'Invoke-MtGraphRequest', 'Test-MtAppManagementPolicyEnabled',
+    'Test-MtCaAllAppsExists', 'Test-MtCaDeviceComplianceExists',
+    'Test-MtCaEmergencyAccessExists', 'Test-MtCaMfaForAdmins',
+    'Test-MtCaMfaForAllUsers', 'Test-MtConditionalAccessWhatIf',
+    'Test-MtCaMfaForAdminManagement', 'Test-MtCaBlockLegacyOtherAuthentication',
+    'Test-MtCaBlockLegacyExchangeActiveSyncAuthentication', 'Test-MtCaSecureSecurityInfoRegistration',
+    'Test-MtCaMfaForRiskySignIns', 'Test-MtCaRequirePasswordChangeForHighUserRisk',
+    'Test-MtCaDeviceComplianceAdminsExists', 'Test-MtCaBlockUnknownOrUnsupportedDevicePlatforms',
+    'Test-MtCaMfaForGuests', 'Test-MtCaEnforceNonPersistentBrowserSession',
+    'Test-MtCaEnforceSignInFrequency', 'Test-MtCaApplicationEnforcedRestrictions'
 
-# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
-CmdletsToExport = @()
+    # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
+    CmdletsToExport      = @()
 
-# Variables to export from this module
-# VariablesToExport = @()
+    # Variables to export from this module
+    # VariablesToExport = @()
 
-# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
-AliasesToExport = @()
+    # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
+    AliasesToExport      = @()
 
-# DSC resources to export from this module
-# DscResourcesToExport = @()
+    # DSC resources to export from this module
+    # DscResourcesToExport = @()
 
-# List of all modules packaged with this module
-# ModuleList = @()
+    # List of all modules packaged with this module
+    # ModuleList = @()
 
-# List of all files packaged with this module
-# FileList = @()
+    # List of all files packaged with this module
+    # FileList = @()
 
-# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
-PrivateData = @{
+    # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
+    PrivateData          = @{
 
-    PSData = @{
+        PSData = @{
 
-        # Tags applied to this module. These help with module discovery in online galleries.
-        Tags = 'Microsoft','365','Cloud','Test','Pester','Entra','AzureAD','Automation','Regression','DevOps'
+            # Tags applied to this module. These help with module discovery in online galleries.
+            Tags       = 'Microsoft', '365', 'Cloud', 'Test', 'Pester', 'Entra', 'AzureAD', 'Automation', 'Regression', 'DevOps'
 
-        # A URL to the license for this module.
-        LicenseUri = 'https://raw.githubusercontent.com/microsoft/maester/main/LICENSE'
+            # A URL to the license for this module.
+            LicenseUri = 'https://raw.githubusercontent.com/microsoft/maester/main/LICENSE'
 
-        # A URL to the main website for this project.
-        ProjectUri = 'https://github.com/microsoft/maester'
+            # A URL to the main website for this project.
+            ProjectUri = 'https://github.com/microsoft/maester'
 
-        # A URL to an icon representing this module.
-        # IconUri = ''
+            # A URL to an icon representing this module.
+            # IconUri = ''
 
-        # ReleaseNotes of this module
-        # ReleaseNotes = ''
+            # ReleaseNotes of this module
+            # ReleaseNotes = ''
 
-        # Prerelease string of this module
-        # Prerelease = ''
+            # Prerelease string of this module
+            # Prerelease = ''
 
-        # Flag to indicate whether the module requires explicit user acceptance for install/update/save
-        # RequireLicenseAcceptance = $false
+            # Flag to indicate whether the module requires explicit user acceptance for install/update/save
+            # RequireLicenseAcceptance = $false
 
-        # External dependent modules of this module
-        # ExternalModuleDependencies = @()
+            # External dependent modules of this module
+            # ExternalModuleDependencies = @()
 
-    } # End of PSData hashtable
+        } # End of PSData hashtable
 
- } # End of PrivateData hashtable
+    } # End of PrivateData hashtable
 
-# HelpInfo URI of this module
-# HelpInfoURI = ''
+    # HelpInfo URI of this module
+    # HelpInfoURI = ''
 
-# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
-# DefaultCommandPrefix = ''
+    # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+    # DefaultCommandPrefix = ''
 
 }
 

src/public/Test-MtCaAllAppsExists.ps1

@@ -7,7 +7,7 @@
   and ideally should be enabled for all users.
 
   Learn more:
-  https://learn.microsoft.com/en-us/entra/identity/conditional-access/plan-conditional-access#apply-conditional-access-policies-to-every-app
+  https://learn.microsoft.com/entra/identity/conditional-access/plan-conditional-access#apply-conditional-access-policies-to-every-app
 
  .Example
   Test-MtCaAllAppsExists
@@ -24,18 +24,20 @@ Function Test-MtCaAllAppsExists {
     [switch] $SkipCheckAllUsers = $false
   )
 
-  $policies = Get-MtConditionalAccessPolicies
-
   Set-StrictMode -Off
+  $policies = Get-MtConditionalAccessPolicies | Where-Object { $_.state -eq "enabled" }
 
   $result = $false
   foreach ($policy in $policies) {
-    if ($policy.conditions.applications.includeApplications -eq 'all' `
-        -and $policy.state -eq 'enabled') {
-
-      $result = $SkipCheckAllUsers.IsPresent `
-        -or $policy.conditions.users.includeusers -eq 'all'
+    if ( ( $SkipCheckAllUsers.IsPresent -or $policy.conditions.users.includeUsers -eq "All" ) `
+        -and $policy.conditions.applications.includeApplications -eq 'all' `
+    ) {
+      $result = $true
+      $currentresult = $true
+    } else {
+      $currentresult = $false
     }
+    Write-Verbose "$($policy.displayName) - $currentresult"
   }
 
   return $result

src/public/Test-MtCaApplicationEnforcedRestrictions.ps1

@@ -0,0 +1,40 @@
+<#
+ .Synopsis
+  Checks if the tenant has at least one conditional access policy is configured to enable application enforced restrictions
+
+ .Description
+    Application enforced restrictions conditional access policy can be helpful to minimize the risk of data leakage from a shared device.
+
+  Learn more:
+  https://aka.ms/CATemplatesAppRestrictions
+
+ .Example
+  Test-MtCaApplicationEnforcedRestrictions
+#>
+
+Function Test-MtCaApplicationEnforcedRestrictions {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param ()
+
+    Set-StrictMode -Off
+    $policies = Get-MtConditionalAccessPolicies | Where-Object { $_.state -eq "enabled" }
+
+    $result = $false
+    foreach ($policy in $policies) {
+        if ( $policy.conditions.users.includeUsers -eq "All" `
+                -and $policy.conditions.clientAppTypes -eq "All" `
+                -and $policy.sessionControls.applicationEnforcedRestrictions.isEnabled -eq $true `
+                -and "Office365" -in $policy.conditions.applications.includeApplications `
+        ) {
+            $result = $true
+            $currentresult = $true
+        } else {
+            $currentresult = $false
+        }
+        Write-Verbose "$($policy.displayName) - $currentresult"
+    }
+    Set-StrictMode -Version Latest
+
+    return $result
+}

src/public/Test-MtCaBlockLegacyExchangeActiveSyncAuthentication.ps1

@@ -0,0 +1,41 @@
+<#
+ .Synopsis
+  Checks if the tenant has at least one conditional access policy that blocks legacy authentication for Exchange Active Sync authentication.
+
+ .Description
+    Legacy authentication is an unsecure method to authenticate. This function checks if the tenant has at least one
+    conditional access policy that blocks legacy authentication.
+
+  Learn more:
+  https://learn.microsoft.com/entra/identity/conditional-access/howto-conditional-access-policy-block-legacy
+
+ .Example
+  Test-MtCaBlockLegacyExchangeActiveSyncAuthentication
+#>
+
+Function Test-MtCaBlockLegacyExchangeActiveSyncAuthentication {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param ()
+
+    Set-StrictMode -Off
+    $policies = Get-MtConditionalAccessPolicies | Where-Object { $_.state -eq "enabled" }
+
+    $result = $false
+    foreach ($policy in $policies) {
+        if ( $policy.grantcontrols.builtincontrols -contains 'block' `
+                -and "exchangeActiveSync" -in $policy.conditions.clientAppTypes `
+                -and $policy.conditions.applications.includeApplications -eq "00000002-0000-0ff1-ce00-000000000000" `
+                -and $policy.conditions.users.includeUsers -eq "All" `
+        ) {
+            $result = $true
+            $currentresult = $true
+        } else {
+            $currentresult = $false
+        }
+        Write-Verbose "$($policy.displayName) - $currentresult"
+    }
+    Set-StrictMode -Version Latest
+
+    return $result
+}

src/public/Test-MtCaBlockLegacyOtherAuthentication.ps1

@@ -0,0 +1,43 @@
+<#
+ .Synopsis
+  Checks if the tenant has at least one conditional access policy that blocks legacy authentication.
+
+ .Description
+    Legacy authentication is an unsecure method to authenticate. This function checks if the tenant has at least one
+    conditional access policy that blocks legacy authentication.
+
+  Learn more:
+  https://learn.microsoft.com/entra/identity/conditional-access/howto-conditional-access-policy-block-legacy
+
+ .Example
+  Test-MtCaBlockLegacyOtherAuthentication
+#>
+
+Function Test-MtCaBlockLegacyOtherAuthentication {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param ()
+
+    Set-StrictMode -Off
+    $policies = Get-MtConditionalAccessPolicies | Where-Object { $_.state -eq "enabled" }
+    # Remove policies that require password change, as they are related to user risk and not MFA on signin
+    $policies = $policies | Where-Object { $_.grantcontrols.builtincontrols -notcontains 'passwordChange' }
+
+    $result = $false
+    foreach ($policy in $policies) {
+        if ( $policy.grantcontrols.builtincontrols -contains 'block' `
+                -and "other" -in $policy.conditions.clientAppTypes `
+                -and $policy.conditions.applications.includeApplications -eq "All" `
+                -and $policy.conditions.users.includeUsers -eq "All" `
+        ) {
+            $result = $true
+            $currentresult = $true
+        } else {
+            $currentresult = $false
+        }
+        Write-Verbose "$($policy.displayName) - $currentresult"
+    }
+    Set-StrictMode -Version Latest
+
+    return $result
+}