Merge pull request #158 from maester365/merill-wb

Fixed formatting of CISA test results

powershell/internal/Get-GraphObjectMarkdown.ps1

@@ -24,7 +24,7 @@ Function Get-GraphObjectMarkdown {
         [Parameter(Mandatory = $true)]
         [ValidateSet('ConditionalAccess', 'Users',
             'Groups', 'IdentityProtection', 'AuthenticationMethod',
-            'AuthorizationPolicy', 'ConsentPolicy')]
+            'AuthorizationPolicy', 'ConsentPolicy', 'Domains')]
         [string] $GraphObjectType
     )
 

powershell/public/CISA/Entra/Test-MtCisaAppAdminConsent.ps1

@@ -27,10 +27,10 @@ Function Test-MtCisaAppAdminConsent {
     $testResult = $reviewers.Count -ge 1
 
     if ($testResult) {
-        $testResultMarkdown = "Well done. Your tenant admin consent request policy has at least 1 reviewer:`n`n%TestResult%"
+        $testResultMarkdown = "Well done. Your tenant admin consent request policy has at least 1 reviewer."
     } else {
         $testResultMarkdown = "Your tenant admin consent request policy is not configured."
     }
-    Add-MtTestResultDetail -Result $testResultMarkdown -GraphObjectType AuthorizationPolicy -GraphObjects "Admin consent"
+    Add-MtTestResultDetail -Result $testResultMarkdown
     return $testResult
 }

powershell/public/CISA/Entra/Test-MtCisaAppGroupOwnerConsent.ps1

@@ -25,10 +25,10 @@ Function Test-MtCisaAppGroupOwnerConsent {
         Select-Object -ExpandProperty value) -eq $false
 
     if ($testResult) {
-        $testResultMarkdown = "Well done. Your tenant admin consent request policy has at least 1 reviewer:`n`n%TestResult%"
+        $testResultMarkdown = "Well done. Groups owners cannot consent to applications."
     } else {
-        $testResultMarkdown = "Your tenant admin consent request policy is not configured."
+        $testResultMarkdown = "Your tenant allows group owners to consent to applications."
     }
-    Add-MtTestResultDetail -Result $testResultMarkdown -GraphObjectType ConsentPolicy -GraphObjects "Group owner consent"
+    Add-MtTestResultDetail -Result $testResultMarkdown
     return $testResult
 }

powershell/public/CISA/Entra/Test-MtCisaMethodsMigration.ps1

@@ -25,11 +25,11 @@ Function Test-MtCisaMethodsMigration {
     $testResult = $migrationState -eq "migrationComplete"
 
     if ($testResult) {
-        $testResultMarkdown = "Well done. Your tenant has completed the migration to Authentication Methods:`n`n%TestResult%"
+        $testResultMarkdown = "Well done. Your tenant has completed the migration to Authentication Methods."
     } else {
         $testResultMarkdown = "Your tenant has not completed the migration to Authentication Methods."
     }
-    Add-MtTestResultDetail -Result $testResultMarkdown -GraphObjectType AuthenticationMethod -GraphObjects $migrationState
+    Add-MtTestResultDetail -Result $testResultMarkdown
 
     return $testResult
 }

powershell/public/CISA/Entra/Test-MtCisaPasswordExpiration.md

@@ -4,7 +4,7 @@ The National Institute of Standards and Technology (NIST), OMB, and Microsoft ha
 
 #### Remediation action:
 
-If phishing-resistant MFA has not been deployed yet and Microsoft Authenticator is in use, configure Authenticator to display context information to users when they log in.
+Configure password policies to set passwords to never expire.
 
 1. [Configure the **Password expiration policy** to **Set passwords to never expire**](https://learn.microsoft.com/en-us/microsoft-365/admin/manage/set-password-expiration-policy?view=o365-worldwide#set-password-expiration-policy).
 

powershell/public/CISA/Entra/Test-MtCisaPasswordExpiration.ps1

@@ -38,11 +38,12 @@ Function Test-MtCisaPasswordExpiration {
     $testResult = $managedDomains.Count -ge 1
 
     if ($testResult) {
-        $testResultMarkdown = "Well done. Your tenant has at least 1 managed domain with a password validity of 100 years or greater:`n`n%TestResult%"
+        $testResultMarkdown = "Well done. Your tenant password expiration policy is set to never expire."
     } else {
-        $testResultMarkdown = "Your tenant does not prevent password expiration."
+        $testResultMarkdown = "Your tenant does not have password expiration set to never expire."
     }
-    Add-MtTestResultDetail -Result $testResultMarkdown -GraphObjectType Domains -GraphObjects $managedDomains
+
+    Add-MtTestResultDetail -Result $testResultMarkdown
 
     return $testResult
 }

powershell/public/CISA/Entra/Test-MtCisaPrivilegedPhishResistant.ps1

@@ -11,7 +11,7 @@
     Returns true if at least one policy requires phishing resistant methods for the specific roles
 #>
 
-Function Test-MtCisaPhishResistant {
+Function Test-MtCisaPrivilegedPhishResistant {
     [CmdletBinding()]
     [OutputType([bool])]
     param()

powershell/public/CISA/Entra/Test-MtCisaWeakFactor.ps1

@@ -25,18 +25,32 @@ Function Test-MtCisaWeakFactor {
 
     $result = Get-MtAuthenticationMethodPolicyConfig
 
-    $policies = $result | Where-Object {`
-        $_.id -in $weakFactors -and `
-        $_.state -eq "enabled" }
+    $weakAuthMethods = $result | Where-Object { $_.id -in $weakFactors }
 
-    $testResult = $policies.Count -eq 0
+    $enabledWeakMethods = $weakAuthMethods | Where-Object { $_.state -eq "enabled" }
+
+    $testResult = $enabledWeakMethods.Count -eq 0
 
     if ($testResult) {
-        $testResultMarkdown = "Well done. Your tenant has SMS, Voice Call, and Email One-Time Passcode (OTP) authentication methods disabled:`n`n%TestResult%"
+        $testResultMarkdown = "Well done. All weak authentication methods are disabled in your tenant.`n`n%TestResult%"
     } else {
-        $testResultMarkdown = "Your tenant does not have SMS, Voice Call, and Email One-Time Passcode (OTP) authentication methods disabled."
+        $testResultMarkdown = "One or more weak methods are enabled in your tenant.`n`n%TestResult%"
+    }
+
+    # Auth method does not support deep links.
+    $authMethodsLink = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods"
+    $result = "| Authentication Method | State | Test Result |`n"
+    $result += "| --- | --- | --- |`n"
+    foreach ($item in $weakAuthMethods) {
+        $methodResult = "✅ Pass"
+        if ($item.state -eq "enabled") {
+            $methodResult = "❌ Fail"
+        }
+        $result += "| [$($item.id)]($authMethodsLink) | $($item.state) | $($methodResult) |`n"
     }
-    Add-MtTestResultDetail -Result $testResultMarkdown -GraphObjectType AuthenticationMethod -GraphObjects $policies
+    $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result
+
+    Add-MtTestResultDetail -Result $testResultMarkdown
 
     return $testResult
 }

powershell/public/Connect-Maester.ps1

@@ -21,10 +21,12 @@ Function Connect-Maester {
       # If specified, the cmdlet will include the scope to send email (Mail.Send).
       [switch] $SendMail,
 
+      # If specified, the cmdlet will use the device code flow to authenticate.
       [switch] $UseDeviceCode,
 
-      [ValidateSet("China", "Germany", "Global", "USGov", "USGovDOD")]
-      [string]$Environment = $Global
+      # The environment to connect to. Default is Global.
+      [ValidateSet("China", "Germany", "Global", "USGov", "USGovDoD")]
+      [string]$Environment = "Global"
    )
 
    Write-Verbose "Connecting to Microsoft Graph"

powershell/public/Invoke-Maester.ps1

@@ -263,7 +263,7 @@ Function Invoke-Maester {
             Write-MtProgress -Activity "Creating html report"
             $output = Get-MtHtmlReport -MaesterResults $maesterResults
             $output | Out-File -FilePath $out.OutputHtmlFile -Encoding UTF8
-            Write-Host "🔥 Measter test report generated at $($out.OutputHtmlFile)" -ForegroundColor Green
+            Write-Host "🔥 Maester test report generated at $($out.OutputHtmlFile)" -ForegroundColor Green
 
             if ( ( Get-MtUserInteractive ) -and ( -not $NonInteractive ) ) {
                 # Open test results in default browser

tests/CISA/Entra/Test-MtCisaWeakFactor.Tests.ps1

@@ -4,8 +4,11 @@ BeforeDiscovery {
 
 Describe "CISA SCuBA" -Tag "MS.AAD", "MS.AAD.3.5", "CISA", "Security", "All" -Skip:( $EntraIDPlan -eq "Free" ) {
     It "MS.AAD.3.5: The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled." {
-        if(-not (Test-MtCisaMethodsMigration)) {
-            Test-MtCisaWeakFactor | Should -Be $true -Because "all weak authentication methods are disabled."
-        }
+
+        $isMethodsMigrationComplete = Test-MtCisaMethodsMigration
+
+        $isWeakFactorDisabled = Test-MtCisaWeakFactor
+
+        $isWeakFactorDisabled -and $isMethodsMigrationComplete | Should -Be $true -Because "all weak authentication methods are disabled."
     }
 }

website/docs/contributing.md

@@ -87,6 +87,6 @@ npm start
 You will now be able to edit add and edit markdown files in the ./website/docs folder and see the changes in real-time in your browser.
 
 - Read the [markdown documentation](https://docusaurus.io/docs/markdown-features) for more information on some of the custom markdown features available.
-- You can search for icons at [Iconify](https://icon-sets.iconify.design/) and include them in the markdown. See the [Daily Automation](https://measter.dev/docs/automation/) page for examples.
+- You can search for icons at [Iconify](https://icon-sets.iconify.design/) and include them in the markdown. See the [Daily Automation](https://maester.dev/docs/automation/) page for examples.
 - The `Command Reference` section is auto-generated. To update the documentation for this, the .ps1 file for the command needs to be updated with comment-based documentation.