Allowance for lower values in CR04

powershell/internal/eidsca/Test-MtEidscaCR04.md

@@ -5,7 +5,7 @@ Specifies the duration the request is active before it automatically expires if
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy
-.requestDurationInDays = '30'
+.requestDurationInDays <= '30'
 ```
 
 #### Related links

powershell/internal/eidsca/Test-MtEidscaCR04.ps1

@@ -8,12 +8,12 @@
 
     Queries policies/adminConsentRequestPolicy
     and returns the result of
-     graph/policies/adminConsentRequestPolicy.requestDurationInDays -eq '30'
+     graph/policies/adminConsentRequestPolicy.requestDurationInDays -le '30'
 
 .EXAMPLE
     Test-MtEidscaCR04
 
-    Returns the result of graph.microsoft.com/beta/policies/adminConsentRequestPolicy.requestDurationInDays -eq '30'
+    Returns the result of graph.microsoft.com/beta/policies/adminConsentRequestPolicy.requestDurationInDays -le '30'
 #>
 
 function Test-MtEidscaCR04 {
@@ -28,15 +28,15 @@ function Test-MtEidscaCR04 {
     $result = Invoke-MtGraphRequest -RelativeUri "policies/adminConsentRequestPolicy" -ApiVersion beta
 
     [string]$tenantValue = $result.requestDurationInDays
-    $testResult = $tenantValue -eq '30'
+    $testResult = $tenantValue -le '30'
     $tenantValueNotSet = $null -eq $tenantValue -and '30' -notlike '*$null*'
 
     if($testResult){
-        $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'30'** for **policies/adminConsentRequestPolicy**"
+        $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is less than or equal to **'30'** for **policies/adminConsentRequestPolicy**"
     } elseif ($tenantValueNotSet) {
         $testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **'30'** for **policies/adminConsentRequestPolicy**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be."
     } else {
-        $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'30'** for **policies/adminConsentRequestPolicy**"
+        $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is less than or equal to **'30'** for **policies/adminConsentRequestPolicy**"
     }
     Add-MtTestResultDetail -Result $testResultMarkdown
 

tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1

@@ -404,9 +404,9 @@ Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security",
     It "EIDSCA.CR04: Consent Framework - Admin Consent Request - Consent request duration (days). See https://maester.dev/docs/tests/EIDSCA.CR04" -TestCases @{ EnabledAdminConsentWorkflow = ($EnabledAdminConsentWorkflow) } {
         <#
             Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy"
-            .requestDurationInDays = '30'
+            .requestDurationInDays <= '30'
         #>
-        Test-MtEidscaControl -CheckId CR04 | Should -Be '30'
+        Test-MtEidscaControl -CheckId CR04 | Should -BeLessOrEqual '30'
     }
 }
 

website/docs/tests/eidsca/EIDSCA.CR04.md

@@ -25,7 +25,7 @@ Specifies the duration the request is active before it automatically expires if
 | **Recommendation** |  |
 | **Configuration** | policies/adminConsentRequestPolicy |
 | **Setting** | `requestDurationInDays` |
-| **Recommended Value** | '30' |
+| **Recommended Value** | '<=30' |
 | **Default Value** |  |
 | **Graph API Docs** | [adminConsentRequestPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/adminconsentrequestpolicy) |
 | **Graph Explorer** | [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/adminConsentRequestPolicy&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) |