From 8894a6332f0f75777c6ee10aed9dd6bfd43b1d57 Mon Sep 17 00:00:00 2001 From: Thomas Naunheim Date: Fri, 8 Nov 2024 07:11:12 +0100 Subject: [PATCH 1/4] Added support for less equal operator in EIDSCA --- build/eidsca/Update-EidscaTests.ps1 | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/build/eidsca/Update-EidscaTests.ps1 b/build/eidsca/Update-EidscaTests.ps1 index 24e6bde2..a40c7ad1 100644 --- a/build/eidsca/Update-EidscaTests.ps1 +++ b/build/eidsca/Update-EidscaTests.ps1 @@ -46,7 +46,7 @@ function GetVersion($graphUri) { function GetRecommendedValue($RecommendedValue) { if($RecommendedValue -notlike "@('*,*')") { - $compareOperators = @(">=",">","<") + $compareOperators = @(">=","<=",">","<") foreach ($compareOperator in $compareOperators) { if ($RecommendedValue.StartsWith($compareOperator)) { $RecommendedValue = $RecommendedValue.Replace($compareOperator, "") @@ -82,6 +82,13 @@ function GetCompareOperator($RecommendedValue) { powershell = 'ge' text = 'is greater than or equal to' } + } elseif ($RecommendedValue.StartsWith("<=")) { + $compareOperator = [PSCustomObject]@{ + name = '<=' + pester = 'BeLessOrEqual' + powershell = 'le' + text = 'is less than or equal to' + } } elseif ($RecommendedValue.StartsWith(">")) { $compareOperator = [PSCustomObject]@{ name = '>' From a569d1abefb440692537b7e1792824b718bae67f Mon Sep 17 00:00:00 2001 From: Thomas Naunheim Date: Fri, 8 Nov 2024 07:11:31 +0100 Subject: [PATCH 2/4] Allowance for lower values in CR04 --- powershell/internal/eidsca/Test-MtEidscaCR04.md | 2 +- powershell/internal/eidsca/Test-MtEidscaCR04.ps1 | 10 +++++----- tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 | 4 ++-- website/docs/tests/eidsca/EIDSCA.CR04.md | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/powershell/internal/eidsca/Test-MtEidscaCR04.md b/powershell/internal/eidsca/Test-MtEidscaCR04.md index 58f92d98..bf158f62 100644 --- a/powershell/internal/eidsca/Test-MtEidscaCR04.md 
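Review bot: The operator array in GetRecommendedValue and the `elseif` chain in GetCompareOperator (the `@@ -82,6 +82,13 @@` hunk) both rely on two-character operators being tested before their one-character prefixes, and neither place documents that. The new `"<="` entry is positioned correctly, but if a later edit moved `"<"` ahead of it, `StartsWith` would match `<` first and leave `=30` as the recommended value. I would add a comment above the array such as `# Order matters: ">=" and "<=" must precede ">" and "<" because matching uses StartsWith`, and the same above the first `elseif`. Separately, `.Replace($compareOperator, "")` removes every occurrence, not only the leading one; both functions continue outside these hunks.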
+++ b/powershell/internal/eidsca/Test-MtEidscaCR04.md @@ -5,7 +5,7 @@ Specifies the duration the request is active before it automatically expires if #### Test script ``` https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy -.requestDurationInDays = '30' +.requestDurationInDays <= '30' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaCR04.ps1 b/powershell/internal/eidsca/Test-MtEidscaCR04.ps1 index 3f9197d3..d1ab28b8 100644 --- a/powershell/internal/eidsca/Test-MtEidscaCR04.ps1 +++ b/powershell/internal/eidsca/Test-MtEidscaCR04.ps1 @@ -8,12 +8,12 @@ Queries policies/adminConsentRequestPolicy and returns the result of - graph/policies/adminConsentRequestPolicy.requestDurationInDays -eq '30' + graph/policies/adminConsentRequestPolicy.requestDurationInDays -le '30' .EXAMPLE Test-MtEidscaCR04 - Returns the result of graph.microsoft.com/beta/policies/adminConsentRequestPolicy.requestDurationInDays -eq '30' + Returns the result of graph.microsoft.com/beta/policies/adminConsentRequestPolicy.requestDurationInDays -le '30' #> function Test-MtEidscaCR04 { 
@@ -28,15 +28,15 @@ function Test-MtEidscaCR04 { $result = Invoke-MtGraphRequest -RelativeUri "policies/adminConsentRequestPolicy" -ApiVersion beta [string]$tenantValue = $result.requestDurationInDays - $testResult = $tenantValue -eq '30' + $testResult = $tenantValue -le '30' $tenantValueNotSet = $null -eq $tenantValue -and '30' -notlike '*$null*' if($testResult){ - $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'30'** for **policies/adminConsentRequestPolicy**" + $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is less than or equal to **'30'** for **policies/adminConsentRequestPolicy**" } elseif ($tenantValueNotSet) { $testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **'30'** for **policies/adminConsentRequestPolicy**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be." } else { - $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'30'** for **policies/adminConsentRequestPolicy**" + $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is less than or equal to **'30'** for **policies/adminConsentRequestPolicy**" } Add-MtTestResultDetail -Result $testResultMarkdown diff --git a/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 b/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 index cdfffc91..77409932 100644 --- a/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 +++ b/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 
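Review bot: `$tenantValue` is declared `[string]`, so `$tenantValue -le '30'` compares strings, not numbers: a tenant value of `100` passes the check and `7` fails it, and a missing value cast to an empty string also compares as less than `'30'`. For a security baseline check this means an over-long admin consent request duration, or an unset one, can be reported as compliant. Compare as integers instead, e.g. `$testResult = -not [string]::IsNullOrEmpty($tenantValue) -and [int]$tenantValue -le 30`. The same concern applies to `Should -BeLessOrEqual '30'` in the generated Pester test if Test-MtEidscaControl returns this string, and if this file is emitted by Update-EidscaTests.ps1 the fix belongs in its template. The function body starts and ends outside the hunk.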
@@ -404,9 +404,9 @@ Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", It "EIDSCA.CR04: Consent Framework - Admin Consent Request - Consent request duration (days). See https://maester.dev/docs/tests/EIDSCA.CR04" -TestCases @{ EnabledAdminConsentWorkflow = ($EnabledAdminConsentWorkflow) } { <# Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" - .requestDurationInDays = '30' + .requestDurationInDays <= '30' #> - Test-MtEidscaControl -CheckId CR04 | Should -Be '30' + Test-MtEidscaControl -CheckId CR04 | Should -BeLessOrEqual '30' } } diff --git a/website/docs/tests/eidsca/EIDSCA.CR04.md b/website/docs/tests/eidsca/EIDSCA.CR04.md index a544c9ad..5a431a61 100644 --- a/website/docs/tests/eidsca/EIDSCA.CR04.md +++ b/website/docs/tests/eidsca/EIDSCA.CR04.md @@ -25,7 +25,7 @@ Specifies the duration the request is active before it automatically expires if | **Recommendation** | | | **Configuration** | policies/adminConsentRequestPolicy | | **Setting** | `requestDurationInDays` | -| **Recommended Value** | '30' | +| **Recommended Value** | '<=30' | | **Default Value** | | | **Graph API Docs** | [adminConsentRequestPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/adminconsentrequestpolicy) | | **Graph Explorer** | [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/adminConsentRequestPolicy&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) | From da5c70189783346db87b1888d00a9e9ac5749da5 Mon Sep 17 00:00:00 2001 
From: Thomas Naunheim Date: Sun, 10 Nov 2024 12:34:43 +0100 Subject: [PATCH 3/4] Updated operator to PowerShell syntax to avoid rendering issues --- build/eidsca/Update-EidscaTests.ps1 | 2 +- powershell/internal/eidsca/@template.md | 2 +- .../internal/eidsca/Test-MtEidscaAF01.md | 2 +- .../internal/eidsca/Test-MtEidscaAF02.md | 2 +- .../internal/eidsca/Test-MtEidscaAF03.md | 2 +- .../internal/eidsca/Test-MtEidscaAF04.md | 2 +- .../internal/eidsca/Test-MtEidscaAF05.md | 2 +- .../internal/eidsca/Test-MtEidscaAF06.md | 2 +- .../internal/eidsca/Test-MtEidscaAG01.md | 2 +- .../internal/eidsca/Test-MtEidscaAG02.md | 2 +- .../internal/eidsca/Test-MtEidscaAG03.md | 2 +- .../internal/eidsca/Test-MtEidscaAM01.md | 2 +- .../internal/eidsca/Test-MtEidscaAM02.md | 2 +- .../internal/eidsca/Test-MtEidscaAM03.md | 2 +- .../internal/eidsca/Test-MtEidscaAM04.md | 2 +- .../internal/eidsca/Test-MtEidscaAM06.md | 2 +- .../internal/eidsca/Test-MtEidscaAM07.md | 2 +- .../internal/eidsca/Test-MtEidscaAM09.md | 2 +- .../internal/eidsca/Test-MtEidscaAM10.md | 2 +- .../internal/eidsca/Test-MtEidscaAP01.md | 2 +- .../internal/eidsca/Test-MtEidscaAP04.md | 2 +- .../internal/eidsca/Test-MtEidscaAP05.md | 2 +- .../internal/eidsca/Test-MtEidscaAP06.md | 2 +- .../internal/eidsca/Test-MtEidscaAP07.md | 2 +- .../internal/eidsca/Test-MtEidscaAP08.md | 2 +- .../internal/eidsca/Test-MtEidscaAP09.md | 2 +- .../internal/eidsca/Test-MtEidscaAP10.md | 2 +- .../internal/eidsca/Test-MtEidscaAP14.md | 2 +- .../internal/eidsca/Test-MtEidscaAS04.md | 2 +- .../internal/eidsca/Test-MtEidscaAT01.md | 2 +- .../internal/eidsca/Test-MtEidscaAT02.md | 2 +- .../internal/eidsca/Test-MtEidscaAV01.md | 2 +- .../internal/eidsca/Test-MtEidscaCP01.md | 2 +- .../internal/eidsca/Test-MtEidscaCP03.md | 2 +- .../internal/eidsca/Test-MtEidscaCP04.md | 2 +- .../internal/eidsca/Test-MtEidscaCR01.md | 2 +- .../internal/eidsca/Test-MtEidscaCR02.md | 2 +- .../internal/eidsca/Test-MtEidscaCR03.md | 2 +- 
.../internal/eidsca/Test-MtEidscaCR04.md | 2 +- .../internal/eidsca/Test-MtEidscaPR01.md | 2 +- .../internal/eidsca/Test-MtEidscaPR02.md | 2 +- .../internal/eidsca/Test-MtEidscaPR03.md | 2 +- .../internal/eidsca/Test-MtEidscaPR05.md | 2 +- .../internal/eidsca/Test-MtEidscaPR06.md | 2 +- .../internal/eidsca/Test-MtEidscaST08.md | 2 +- .../internal/eidsca/Test-MtEidscaST09.md | 2 +- tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 | 88 +++++++++---------- 47 files changed, 90 insertions(+), 90 deletions(-) diff --git a/build/eidsca/Update-EidscaTests.ps1 b/build/eidsca/Update-EidscaTests.ps1 index a40c7ad1..f112ce5b 100644 --- a/build/eidsca/Update-EidscaTests.ps1 +++ b/build/eidsca/Update-EidscaTests.ps1 @@ -437,7 +437,7 @@ Describe "%ControlName%" -Tag "EIDSCA", "Security", "All", "%CheckId%" { It "%CheckId%: %ControlName% - %DisplayName%. See https://maester.dev/docs/tests/%DocName%"%TestCases% { <# Check if "https://graph.microsoft.com/%ApiVersion%/%RelativeUri%" - .%CurrentValue% %CompareOperator% %RecommendedValue% + .%CurrentValue% -%PwshCompareOperator% %RecommendedValue% #> Test-MtEidscaControl -CheckId %CheckShortId% | Should -%ShouldOperator% %RecommendedValue% } diff --git a/powershell/internal/eidsca/@template.md b/powershell/internal/eidsca/@template.md index 0e5c83a2..40da64d9 100644 --- a/powershell/internal/eidsca/@template.md +++ b/powershell/internal/eidsca/@template.md @@ -5,7 +5,7 @@ #### Test script ``` https://graph.microsoft.com/%ApiVersion%/%RelativeUri% -.%CurrentValue% %CompareOperator% %RecommendedValue% +.%CurrentValue% -%PwshCompareOperator% %RecommendedValue% ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAF01.md b/powershell/internal/eidsca/Test-MtEidscaAF01.md index 7bb9eaf8..f020d6d2 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAF01.md +++ b/powershell/internal/eidsca/Test-MtEidscaAF01.md 
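Review bot: Appending `-%PwshCompareOperator% %RecommendedValue%` directly after `%CurrentValue%` in the comment template produces text that misstates the check whenever the current value is a pipeline. In the regenerated docs, AP08 and the CP/PR checks now read `... | select-object -expand value -eq 'true'`, where `-eq` would bind as a parameter of `select-object` if someone pasted the line to verify a tenant by hand. Consider parenthesising the left side here and in `@template.md`, e.g. `(.%CurrentValue%) -%PwshCompareOperator% %RecommendedValue%`, or stating in the docs that the line is notation, not runnable PowerShell. The template text this line belongs to starts and ends outside the hunk.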
@@ -5,7 +5,7 @@ enabled #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2') -.state = 'enabled' +.state -eq 'enabled' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAF02.md b/powershell/internal/eidsca/Test-MtEidscaAF02.md index 1e98f208..7ca88fdf 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAF02.md +++ b/powershell/internal/eidsca/Test-MtEidscaAF02.md @@ -5,7 +5,7 @@ Allows users to register a FIDO key through the MySecurityInfo portal, even if e #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2') -.isSelfServiceRegistrationAllowed = 'true' +.isSelfServiceRegistrationAllowed -eq 'true' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAF03.md b/powershell/internal/eidsca/Test-MtEidscaAF03.md index 6c2b823a..6fa78d64 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAF03.md +++ b/powershell/internal/eidsca/Test-MtEidscaAF03.md @@ -5,7 +5,7 @@ Requires the FIDO security key metadata to be published and verified with the FI #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2') -.isAttestationEnforced = 'true' +.isAttestationEnforced -eq 'true' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAF04.md b/powershell/internal/eidsca/Test-MtEidscaAF04.md index f3ac3053..7d945274 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAF04.md +++ b/powershell/internal/eidsca/Test-MtEidscaAF04.md @@ -5,7 +5,7 @@ Restrict usage of FIDO2 from unauthorized vendors or platforms #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2') -.keyRestrictions.isEnforced = 'true' +.keyRestrictions.isEnforced -eq 'true' ``` #### Related links 
diff --git a/powershell/internal/eidsca/Test-MtEidscaAF05.md b/powershell/internal/eidsca/Test-MtEidscaAF05.md index c2cc1261..eeffc8a2 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAF05.md +++ b/powershell/internal/eidsca/Test-MtEidscaAF05.md @@ -5,7 +5,7 @@ You can work with your Security key provider to determine the AAGuids of their d #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2') -.keyRestrictions.aaGuids -notcontains $null = 'true' +.keyRestrictions.aaGuids -notcontains $null -eq 'true' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAF06.md b/powershell/internal/eidsca/Test-MtEidscaAF06.md index fd00c06b..be45f950 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAF06.md +++ b/powershell/internal/eidsca/Test-MtEidscaAF06.md @@ -5,7 +5,7 @@ You should use Block or Allow as value to allow- or blocklisting of AAGuids. #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2') -.keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') = 'true' +.keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') -eq 'true' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAG01.md b/powershell/internal/eidsca/Test-MtEidscaAG01.md index 9c4cff52..851d6a9e 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAG01.md +++ b/powershell/internal/eidsca/Test-MtEidscaAG01.md 
@@ -5,7 +5,7 @@ On September 30th, 2025, the legacy multifactor authentication and self-service #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy -.policyMigrationState = 'migrationComplete' +.policyMigrationState -eq 'migrationComplete' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAG02.md b/powershell/internal/eidsca/Test-MtEidscaAG02.md index ed627228..b3194556 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAG02.md +++ b/powershell/internal/eidsca/Test-MtEidscaAG02.md @@ -5,7 +5,7 @@ Allows to integrate report of fraud attempt by users to identity protection: Use #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy -.reportSuspiciousActivitySettings.state = 'enabled' +.reportSuspiciousActivitySettings.state -eq 'enabled' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAG03.md b/powershell/internal/eidsca/Test-MtEidscaAG03.md index 3ca2f70c..56185c93 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAG03.md +++ b/powershell/internal/eidsca/Test-MtEidscaAG03.md @@ -5,7 +5,7 @@ Apply this feature to all users. #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy -.reportSuspiciousActivitySettings.includeTarget.id = 'all_users' +.reportSuspiciousActivitySettings.includeTarget.id -eq 'all_users' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAM01.md b/powershell/internal/eidsca/Test-MtEidscaAM01.md index 4b9c44e1..084821cb 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAM01.md +++ b/powershell/internal/eidsca/Test-MtEidscaAM01.md @@ -5,7 +5,7 @@ enabled #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator') -.state = 'enabled' +.state -eq 'enabled' ``` #### Related links 
diff --git a/powershell/internal/eidsca/Test-MtEidscaAM02.md b/powershell/internal/eidsca/Test-MtEidscaAM02.md index 6aa86944..9316dfee 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAM02.md +++ b/powershell/internal/eidsca/Test-MtEidscaAM02.md @@ -5,7 +5,7 @@ true #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator') -.isSoftwareOathEnabled = 'true' +.isSoftwareOathEnabled -eq 'true' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAM03.md b/powershell/internal/eidsca/Test-MtEidscaAM03.md index 8747f7e4..c3eb7ad7 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAM03.md +++ b/powershell/internal/eidsca/Test-MtEidscaAM03.md @@ -5,7 +5,7 @@ Defines if number matching is required for MFA notifications. #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator') -.featureSettings.numberMatchingRequiredState.state = 'enabled' +.featureSettings.numberMatchingRequiredState.state -eq 'enabled' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAM04.md b/powershell/internal/eidsca/Test-MtEidscaAM04.md index a1b1b8fd..7c69bc49 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAM04.md +++ b/powershell/internal/eidsca/Test-MtEidscaAM04.md @@ -5,7 +5,7 @@ Object Id or scope of users which will be showing number matching in the Authent #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator') -.featureSettings.numberMatchingRequiredState.includeTarget.id = 'all_users' +.featureSettings.numberMatchingRequiredState.includeTarget.id -eq 'all_users' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAM06.md b/powershell/internal/eidsca/Test-MtEidscaAM06.md index 25136907..fa70be33 100644 
--- a/powershell/internal/eidsca/Test-MtEidscaAM06.md +++ b/powershell/internal/eidsca/Test-MtEidscaAM06.md @@ -5,7 +5,7 @@ Determines whether the user's Authenticator app will show them the client app th #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator') -.featureSettings.displayAppInformationRequiredState.state = 'enabled' +.featureSettings.displayAppInformationRequiredState.state -eq 'enabled' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAM07.md b/powershell/internal/eidsca/Test-MtEidscaAM07.md index 55940da0..dd4949a2 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAM07.md +++ b/powershell/internal/eidsca/Test-MtEidscaAM07.md @@ -5,7 +5,7 @@ Object Id or scope of users which will be showing app information in the Authent #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator') -.featureSettings.displayAppInformationRequiredState.includeTarget.id = 'all_users' +.featureSettings.displayAppInformationRequiredState.includeTarget.id -eq 'all_users' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAM09.md b/powershell/internal/eidsca/Test-MtEidscaAM09.md index 58288f54..d0b7d4fa 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAM09.md +++ b/powershell/internal/eidsca/Test-MtEidscaAM09.md @@ -5,7 +5,7 @@ Determines whether the user's Authenticator app will show them the geographic lo #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator') -.featureSettings.displayLocationInformationRequiredState.state = 'enabled' +.featureSettings.displayLocationInformationRequiredState.state -eq 'enabled' ``` #### Related links 
diff --git a/powershell/internal/eidsca/Test-MtEidscaAM10.md b/powershell/internal/eidsca/Test-MtEidscaAM10.md index 7f51639c..3b487c90 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAM10.md +++ b/powershell/internal/eidsca/Test-MtEidscaAM10.md @@ -5,7 +5,7 @@ Object Id or scope of users which will be showing geographic location in the Aut #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator') -.featureSettings.displayLocationInformationRequiredState.includeTarget.id = 'all_users' +.featureSettings.displayLocationInformationRequiredState.includeTarget.id -eq 'all_users' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAP01.md b/powershell/internal/eidsca/Test-MtEidscaAP01.md index 8b49af40..f8137dce 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAP01.md +++ b/powershell/internal/eidsca/Test-MtEidscaAP01.md @@ -5,7 +5,7 @@ Administrators with sensitive roles should use phishing-resistant authentication #### Test script ``` https://graph.microsoft.com/beta/policies/authorizationPolicy -.allowedToUseSSPR = 'false' +.allowedToUseSSPR -eq 'false' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAP04.md b/powershell/internal/eidsca/Test-MtEidscaAP04.md index 9eaff9a5..110888ad 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAP04.md +++ b/powershell/internal/eidsca/Test-MtEidscaAP04.md @@ -5,7 +5,7 @@ CISA SCuBA 2.18: Only users with the Guest Inviter role SHOULD be able to invite #### Test script ``` https://graph.microsoft.com/beta/policies/authorizationPolicy -.allowInvitesFrom in @('adminsAndGuestInviters','none') +.allowInvitesFrom -in @('adminsAndGuestInviters','none') ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAP05.md b/powershell/internal/eidsca/Test-MtEidscaAP05.md index 160293aa..7b5732e8 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAP05.md 
+++ b/powershell/internal/eidsca/Test-MtEidscaAP05.md @@ -5,7 +5,7 @@ Indicates whether users can sign up for email based subscriptions. #### Test script ``` https://graph.microsoft.com/beta/policies/authorizationPolicy -.allowedToSignUpEmailBasedSubscriptions = 'false' +.allowedToSignUpEmailBasedSubscriptions -eq 'false' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAP06.md b/powershell/internal/eidsca/Test-MtEidscaAP06.md index b38b197a..2e3fc649 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAP06.md +++ b/powershell/internal/eidsca/Test-MtEidscaAP06.md @@ -5,7 +5,7 @@ Controls whether users can join the tenant by email validation. To join, the use #### Test script ``` https://graph.microsoft.com/beta/policies/authorizationPolicy -.allowEmailVerifiedUsersToJoinOrganization = 'false' +.allowEmailVerifiedUsersToJoinOrganization -eq 'false' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAP07.md b/powershell/internal/eidsca/Test-MtEidscaAP07.md index aca208f2..c41492fb 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAP07.md +++ b/powershell/internal/eidsca/Test-MtEidscaAP07.md @@ -5,7 +5,7 @@ CISA SCuBA 2.18: Guest users SHOULD have limited access to Azure AD directory ob #### Test script ``` https://graph.microsoft.com/beta/policies/authorizationPolicy -.guestUserRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b' +.guestUserRoleId -eq '2af84b1e-32c8-42b7-82bc-daa82404023b' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAP08.md b/powershell/internal/eidsca/Test-MtEidscaAP08.md index 851b147b..cd35439c 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAP08.md +++ b/powershell/internal/eidsca/Test-MtEidscaAP08.md 
@@ -5,7 +5,7 @@ Microsoft recommends to allow to user consent for apps from verified publisher f #### Test script ``` https://graph.microsoft.com/beta/policies/authorizationPolicy -.permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1 = 'ManagePermissionGrantsForSelf.microsoft-user-default-low' +.permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1 -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-low' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAP09.md b/powershell/internal/eidsca/Test-MtEidscaAP09.md index 1ea520de..28c06665 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAP09.md +++ b/powershell/internal/eidsca/Test-MtEidscaAP09.md @@ -5,7 +5,7 @@ Indicates whether user consent for risky apps is allowed. For example, consent r #### Test script ``` https://graph.microsoft.com/beta/policies/authorizationPolicy -.allowUserConsentForRiskyApps = 'false' +.allowUserConsentForRiskyApps -eq 'false' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAP10.md b/powershell/internal/eidsca/Test-MtEidscaAP10.md index b47d353f..117a7c00 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAP10.md +++ b/powershell/internal/eidsca/Test-MtEidscaAP10.md @@ -5,7 +5,7 @@ CISA SCuBA 2.6: Only Administrators SHALL Be Allowed To Register Third-Party App #### Test script ``` https://graph.microsoft.com/beta/policies/authorizationPolicy -.defaultUserRolePermissions.allowedToCreateApps = 'false' +.defaultUserRolePermissions.allowedToCreateApps -eq 'false' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAP14.md b/powershell/internal/eidsca/Test-MtEidscaAP14.md index 49070de6..7a3094e7 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAP14.md +++ b/powershell/internal/eidsca/Test-MtEidscaAP14.md 
@@ -5,7 +5,7 @@ Restrict this default permissions for members have huge impact on collaboration #### Test script ``` https://graph.microsoft.com/beta/policies/authorizationPolicy -.defaultUserRolePermissions.allowedToReadOtherUsers = 'true' +.defaultUserRolePermissions.allowedToReadOtherUsers -eq 'true' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAS04.md b/powershell/internal/eidsca/Test-MtEidscaAS04.md index 1043d92b..7dbfb2dd 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAS04.md +++ b/powershell/internal/eidsca/Test-MtEidscaAS04.md @@ -5,7 +5,7 @@ Avoid to use SMS as primary sign in factor (instead of a password) and consider #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms') -.includeTargets.isUsableForSignIn = 'false' +.includeTargets.isUsableForSignIn -eq 'false' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAT01.md b/powershell/internal/eidsca/Test-MtEidscaAT01.md index 3e37b207..7953ef31 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAT01.md +++ b/powershell/internal/eidsca/Test-MtEidscaAT01.md @@ -5,7 +5,7 @@ Use Temporary Access Pass for secure onboarding users (initial password replacem #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('TemporaryAccessPass') -.state = 'enabled' +.state -eq 'enabled' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAT02.md b/powershell/internal/eidsca/Test-MtEidscaAT02.md index a05ab40e..abfb144d 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAT02.md +++ b/powershell/internal/eidsca/Test-MtEidscaAT02.md 
@@ -5,7 +5,7 @@ Avoid to allow reusable passes and restrict usage to one-time use (if applicable #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('TemporaryAccessPass') -.isUsableOnce = 'true' +.isUsableOnce -eq 'true' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAV01.md b/powershell/internal/eidsca/Test-MtEidscaAV01.md index 5a8f3978..a8d8cc61 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAV01.md +++ b/powershell/internal/eidsca/Test-MtEidscaAV01.md @@ -5,7 +5,7 @@ Choose authentication methods with number matching (Authenticator) #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Voice') -.state = 'disabled' +.state -eq 'disabled' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaCP01.md b/powershell/internal/eidsca/Test-MtEidscaCP01.md index e9deacb1..fae34896 100644 --- a/powershell/internal/eidsca/Test-MtEidscaCP01.md +++ b/powershell/internal/eidsca/Test-MtEidscaCP01.md @@ -5,7 +5,7 @@ CISA SCuBA 2.7: Non-Admin Users SHALL Be Prevented From Providing Consent To Thi #### Test script ``` https://graph.microsoft.com/beta/settings -.values | where-object name -eq 'EnableGroupSpecificConsent' | select-object -expand value = 'False' +.values | where-object name -eq 'EnableGroupSpecificConsent' | select-object -expand value -eq 'False' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaCP03.md b/powershell/internal/eidsca/Test-MtEidscaCP03.md index 6ed318c1..2693cf00 100644 --- a/powershell/internal/eidsca/Test-MtEidscaCP03.md +++ b/powershell/internal/eidsca/Test-MtEidscaCP03.md 
@@ -5,7 +5,7 @@ Defines whether user consent will be blocked when a risky request is detected #### Test script ``` https://graph.microsoft.com/beta/settings -.values | where-object name -eq 'BlockUserConsentForRiskyApps' | select-object -expand value = 'true' +.values | where-object name -eq 'BlockUserConsentForRiskyApps' | select-object -expand value -eq 'true' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaCP04.md b/powershell/internal/eidsca/Test-MtEidscaCP04.md index c7b3358c..557dbca6 100644 --- a/powershell/internal/eidsca/Test-MtEidscaCP04.md +++ b/powershell/internal/eidsca/Test-MtEidscaCP04.md @@ -5,7 +5,7 @@ CISA SCuBA 2.7: Non-Admin Users SHALL Be Prevented From Providing Consent To Thi #### Test script ``` https://graph.microsoft.com/beta/settings -.values | where-object name -eq 'EnableAdminConsentRequests' | select-object -expand value = 'true' +.values | where-object name -eq 'EnableAdminConsentRequests' | select-object -expand value -eq 'true' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaCR01.md b/powershell/internal/eidsca/Test-MtEidscaCR01.md index eb79b81c..7d6c5625 100644 --- a/powershell/internal/eidsca/Test-MtEidscaCR01.md +++ b/powershell/internal/eidsca/Test-MtEidscaCR01.md @@ -5,7 +5,7 @@ Defines if admin consent request feature is enabled or disabled #### Test script ``` https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy -.isEnabled = 'true' +.isEnabled -eq 'true' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaCR02.md b/powershell/internal/eidsca/Test-MtEidscaCR02.md index 05cabba4..32a76df1 100644 --- a/powershell/internal/eidsca/Test-MtEidscaCR02.md +++ b/powershell/internal/eidsca/Test-MtEidscaCR02.md 
@@ -5,7 +5,7 @@ Specifies whether reviewers will receive notifications #### Test script ``` https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy -.notifyReviewers = 'true' +.notifyReviewers -eq 'true' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaCR03.md b/powershell/internal/eidsca/Test-MtEidscaCR03.md index c608019d..c81ae87e 100644 --- a/powershell/internal/eidsca/Test-MtEidscaCR03.md +++ b/powershell/internal/eidsca/Test-MtEidscaCR03.md @@ -5,7 +5,7 @@ Specifies whether reviewers will receive reminder emails #### Test script ``` https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy -.remindersEnabled = 'true' +.remindersEnabled -eq 'true' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaCR04.md b/powershell/internal/eidsca/Test-MtEidscaCR04.md index bf158f62..a48dd0a8 100644 --- a/powershell/internal/eidsca/Test-MtEidscaCR04.md +++ b/powershell/internal/eidsca/Test-MtEidscaCR04.md @@ -5,7 +5,7 @@ Specifies the duration the request is active before it automatically expires if #### Test script ``` https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy -.requestDurationInDays <= '30' +.requestDurationInDays -le '30' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaPR01.md b/powershell/internal/eidsca/Test-MtEidscaPR01.md index d39261d7..401775de 100644 --- a/powershell/internal/eidsca/Test-MtEidscaPR01.md +++ b/powershell/internal/eidsca/Test-MtEidscaPR01.md @@ -5,7 +5,7 @@ If set to Enforce, users will be prevented from setting banned passwords and the #### Test script ``` https://graph.microsoft.com/beta/settings -.values | where-object name -eq 'BannedPasswordCheckOnPremisesMode' | select-object -expand value = 'Enforce' +.values | where-object name -eq 'BannedPasswordCheckOnPremisesMode' | select-object -expand value -eq 'Enforce' ``` #### Related links 
diff --git a/powershell/internal/eidsca/Test-MtEidscaPR02.md b/powershell/internal/eidsca/Test-MtEidscaPR02.md index 73bb90de..320f00b5 100644 --- a/powershell/internal/eidsca/Test-MtEidscaPR02.md +++ b/powershell/internal/eidsca/Test-MtEidscaPR02.md @@ -5,7 +5,7 @@ If set to Yes, password protection is turned on for Active Directory domain cont #### Test script ``` https://graph.microsoft.com/beta/settings -.values | where-object name -eq 'EnableBannedPasswordCheckOnPremises' | select-object -expand value = 'True' +.values | where-object name -eq 'EnableBannedPasswordCheckOnPremises' | select-object -expand value -eq 'True' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaPR03.md b/powershell/internal/eidsca/Test-MtEidscaPR03.md index 67de6525..55aa0b71 100644 --- a/powershell/internal/eidsca/Test-MtEidscaPR03.md +++ b/powershell/internal/eidsca/Test-MtEidscaPR03.md @@ -5,7 +5,7 @@ When enabled, the words in the list below are used in the banned password system #### Test script ``` https://graph.microsoft.com/beta/settings -.values | where-object name -eq 'EnableBannedPasswordCheck' | select-object -expand value = 'True' +.values | where-object name -eq 'EnableBannedPasswordCheck' | select-object -expand value -eq 'True' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaPR05.md b/powershell/internal/eidsca/Test-MtEidscaPR05.md index 724246d4..5ef08de4 100644 --- a/powershell/internal/eidsca/Test-MtEidscaPR05.md +++ b/powershell/internal/eidsca/Test-MtEidscaPR05.md @@ -5,7 +5,7 @@ The minimum length in seconds of each lockout. If an account locks repeatedly, t #### Test script ``` https://graph.microsoft.com/beta/settings -.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value >= '60' +.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value -ge '60' ``` #### Related links 
diff --git a/powershell/internal/eidsca/Test-MtEidscaPR06.md b/powershell/internal/eidsca/Test-MtEidscaPR06.md index 6ac24211..357ead63 100644 --- a/powershell/internal/eidsca/Test-MtEidscaPR06.md +++ b/powershell/internal/eidsca/Test-MtEidscaPR06.md @@ -5,7 +5,7 @@ How many failed sign-ins are allowed on an account before its first lockout. If #### Test script ``` https://graph.microsoft.com/beta/settings -.values | where-object name -eq 'LockoutThreshold' | select-object -expand value = '10' +.values | where-object name -eq 'LockoutThreshold' | select-object -expand value -eq '10' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaST08.md b/powershell/internal/eidsca/Test-MtEidscaST08.md index 3f19e2cb..06bef847 100644 --- a/powershell/internal/eidsca/Test-MtEidscaST08.md +++ b/powershell/internal/eidsca/Test-MtEidscaST08.md @@ -5,7 +5,7 @@ CISA SCuBA 2.18: Guest users SHOULD have limited access to Azure AD directory ob #### Test script ``` https://graph.microsoft.com/beta/settings -.values | where-object name -eq 'AllowGuestsToBeGroupOwner' | select-object -expand value = 'false' +.values | where-object name -eq 'AllowGuestsToBeGroupOwner' | select-object -expand value -eq 'false' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaST09.md b/powershell/internal/eidsca/Test-MtEidscaST09.md index 1f9b7d0a..0d5f9f75 100644 --- a/powershell/internal/eidsca/Test-MtEidscaST09.md +++ b/powershell/internal/eidsca/Test-MtEidscaST09.md @@ -5,7 +5,7 @@ Manages if guest accounts can access resources through Microsoft 365 Group membe #### Test script ``` https://graph.microsoft.com/beta/settings -.values | where-object name -eq 'AllowGuestsToAccessGroups' | select-object -expand value = 'True' +.values | where-object name -eq 'AllowGuestsToAccessGroups' | select-object -expand value -eq 'True' ``` #### Related links 
diff --git a/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 b/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 index 77409932..2b1818d1 100644 --- a/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 +++ b/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 @@ -7,7 +7,7 @@ Describe "Default Authorization Settings" -Tag "EIDSCA", "Security", "All", "EID It "EIDSCA.AP01: Default Authorization Settings - Enabled Self service password reset for administrators. See https://maester.dev/docs/tests/EIDSCA.AP01" { <# Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" - .allowedToUseSSPR = 'false' + .allowedToUseSSPR -eq 'false' #> Test-MtEidscaControl -CheckId AP01 | Should -Be 'false' } @@ -16,7 +16,7 @@ Describe "Default Authorization Settings" -Tag "EIDSCA", "Security", "All", "EID It "EIDSCA.AP04: Default Authorization Settings - Guest invite restrictions. See https://maester.dev/docs/tests/EIDSCA.AP04" { <# Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" - .allowInvitesFrom in @('adminsAndGuestInviters','none') + .allowInvitesFrom -in @('adminsAndGuestInviters','none') #> Test-MtEidscaControl -CheckId AP04 | Should -BeIn @('adminsAndGuestInviters','none') } @@ -25,7 +25,7 @@ Describe "Default Authorization Settings" -Tag "EIDSCA", "Security", "All", "EID It "EIDSCA.AP05: Default Authorization Settings - Sign-up for email based subscription. See https://maester.dev/docs/tests/EIDSCA.AP05" { <# Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" - .allowedToSignUpEmailBasedSubscriptions = 'false' + .allowedToSignUpEmailBasedSubscriptions -eq 'false' #> Test-MtEidscaControl -CheckId AP05 | Should -Be 'false' } 
@@ -34,7 +34,7 @@ Describe "Default Authorization Settings" -Tag "EIDSCA", "Security", "All", "EID It "EIDSCA.AP06: Default Authorization Settings - User can join the tenant by email validation. See https://maester.dev/docs/tests/EIDSCA.AP06" { <# Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" - .allowEmailVerifiedUsersToJoinOrganization = 'false' + .allowEmailVerifiedUsersToJoinOrganization -eq 'false' #> Test-MtEidscaControl -CheckId AP06 | Should -Be 'false' } @@ -43,7 +43,7 @@ Describe "Default Authorization Settings" -Tag "EIDSCA", "Security", "All", "EID It "EIDSCA.AP07: Default Authorization Settings - Guest user access. See https://maester.dev/docs/tests/EIDSCA.AP07" { <# Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" - .guestUserRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b' + .guestUserRoleId -eq '2af84b1e-32c8-42b7-82bc-daa82404023b' #> Test-MtEidscaControl -CheckId AP07 | Should -Be '2af84b1e-32c8-42b7-82bc-daa82404023b' } @@ -52,7 +52,7 @@ Describe "Default Authorization Settings" -Tag "EIDSCA", "Security", "All", "EID It "EIDSCA.AP08: Default Authorization Settings - User consent policy assigned for applications. See https://maester.dev/docs/tests/EIDSCA.AP08" { <# Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" - .permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1 = 'ManagePermissionGrantsForSelf.microsoft-user-default-low' + .permissionGrantPolicyIdsAssignedToDefaultUserRole | Sort-Object -Descending | select-object -first 1 -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-low' #> Test-MtEidscaControl -CheckId AP08 | Should -Be 'ManagePermissionGrantsForSelf.microsoft-user-default-low' } 
@@ -61,7 +61,7 @@ Describe "Default Authorization Settings" -Tag "EIDSCA", "Security", "All", "EID It "EIDSCA.AP09: Default Authorization Settings - Risk-based step-up consent. See https://maester.dev/docs/tests/EIDSCA.AP09" { <# Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" - .allowUserConsentForRiskyApps = 'false' + .allowUserConsentForRiskyApps -eq 'false' #> Test-MtEidscaControl -CheckId AP09 | Should -Be 'false' } @@ -70,7 +70,7 @@ Describe "Default Authorization Settings" -Tag "EIDSCA", "Security", "All", "EID It "EIDSCA.AP10: Default Authorization Settings - Default User Role Permissions - Allowed to create Apps. See https://maester.dev/docs/tests/EIDSCA.AP10" { <# Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" - .defaultUserRolePermissions.allowedToCreateApps = 'false' + .defaultUserRolePermissions.allowedToCreateApps -eq 'false' #> Test-MtEidscaControl -CheckId AP10 | Should -Be 'false' } @@ -79,7 +79,7 @@ Describe "Default Authorization Settings" -Tag "EIDSCA", "Security", "All", "EID It "EIDSCA.AP14: Default Authorization Settings - Default User Role Permissions - Allowed to read other users. See https://maester.dev/docs/tests/EIDSCA.AP14" { <# Check if "https://graph.microsoft.com/beta/policies/authorizationPolicy" - .defaultUserRolePermissions.allowedToReadOtherUsers = 'true' + .defaultUserRolePermissions.allowedToReadOtherUsers -eq 'true' #> Test-MtEidscaControl -CheckId AP14 | Should -Be 'true' } 
@@ -89,7 +89,7 @@ Describe "Default Settings - Consent Policy Settings" -Tag "EIDSCA", "Security", It "EIDSCA.CP01: Default Settings - Consent Policy Settings - Group owner consent for apps accessing data. See https://maester.dev/docs/tests/EIDSCA.CP01" -TestCases @{ SettingsApiAvailable = $SettingsApiAvailable } { <# Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'EnableGroupSpecificConsent' | select-object -expand value = 'False' + .values | where-object name -eq 'EnableGroupSpecificConsent' | select-object -expand value -eq 'False' #> Test-MtEidscaControl -CheckId CP01 | Should -Be 'False' } @@ -98,7 +98,7 @@ Describe "Default Settings - Consent Policy Settings" -Tag "EIDSCA", "Security", It "EIDSCA.CP03: Default Settings - Consent Policy Settings - Block user consent for risky apps. See https://maester.dev/docs/tests/EIDSCA.CP03" -TestCases @{ SettingsApiAvailable = $SettingsApiAvailable } { <# Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'BlockUserConsentForRiskyApps' | select-object -expand value = 'true' + .values | where-object name -eq 'BlockUserConsentForRiskyApps' | select-object -expand value -eq 'true' #> Test-MtEidscaControl -CheckId CP03 | Should -Be 'true' } @@ -107,7 +107,7 @@ Describe "Default Settings - Consent Policy Settings" -Tag "EIDSCA", "Security", It "EIDSCA.CP04: Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to. See https://maester.dev/docs/tests/EIDSCA.CP04" -TestCases @{ SettingsApiAvailable = $SettingsApiAvailable } { <# Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'EnableAdminConsentRequests' | select-object -expand value = 'true' + .values | where-object name -eq 'EnableAdminConsentRequests' | select-object -expand value -eq 'true' #> Test-MtEidscaControl -CheckId CP04 | Should -Be 'true' } 
@@ -117,7 +117,7 @@ Describe "Default Settings - Password Rule Settings" -Tag "EIDSCA", "Security", It "EIDSCA.PR01: Default Settings - Password Rule Settings - Password Protection - Mode. See https://maester.dev/docs/tests/EIDSCA.PR01" -TestCases @{ SettingsApiAvailable = $SettingsApiAvailable } { <# Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'BannedPasswordCheckOnPremisesMode' | select-object -expand value = 'Enforce' + .values | where-object name -eq 'BannedPasswordCheckOnPremisesMode' | select-object -expand value -eq 'Enforce' #> Test-MtEidscaControl -CheckId PR01 | Should -Be 'Enforce' } @@ -126,7 +126,7 @@ Describe "Default Settings - Password Rule Settings" -Tag "EIDSCA", "Security", It "EIDSCA.PR02: Default Settings - Password Rule Settings - Password Protection - Enable password protection on Windows Server Active Directory. See https://maester.dev/docs/tests/EIDSCA.PR02" { <# Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'EnableBannedPasswordCheckOnPremises' | select-object -expand value = 'True' + .values | where-object name -eq 'EnableBannedPasswordCheckOnPremises' | select-object -expand value -eq 'True' #> Test-MtEidscaControl -CheckId PR02 | Should -Be 'True' } @@ -135,7 +135,7 @@ Describe "Default Settings - Password Rule Settings" -Tag "EIDSCA", "Security", It "EIDSCA.PR03: Default Settings - Password Rule Settings - Enforce custom list. See https://maester.dev/docs/tests/EIDSCA.PR03" -TestCases @{ SettingsApiAvailable = $SettingsApiAvailable } { <# Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'EnableBannedPasswordCheck' | select-object -expand value = 'True' + .values | where-object name -eq 'EnableBannedPasswordCheck' | select-object -expand value -eq 'True' #> Test-MtEidscaControl -CheckId PR03 | Should -Be 'True' } 
@@ -144,7 +144,7 @@ Describe "Default Settings - Password Rule Settings" -Tag "EIDSCA", "Security", It "EIDSCA.PR05: Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds. See https://maester.dev/docs/tests/EIDSCA.PR05" { <# Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value >= '60' + .values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value -ge '60' #> Test-MtEidscaControl -CheckId PR05 | Should -BeGreaterOrEqual '60' } @@ -153,7 +153,7 @@ Describe "Default Settings - Password Rule Settings" -Tag "EIDSCA", "Security", It "EIDSCA.PR06: Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold. See https://maester.dev/docs/tests/EIDSCA.PR06" { <# Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'LockoutThreshold' | select-object -expand value = '10' + .values | where-object name -eq 'LockoutThreshold' | select-object -expand value -eq '10' #> Test-MtEidscaControl -CheckId PR06 | Should -Be '10' } @@ -163,7 +163,7 @@ Describe "Default Settings - Classification and M365 Groups" -Tag "EIDSCA", "Sec It "EIDSCA.ST08: Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to become Group Owner. See https://maester.dev/docs/tests/EIDSCA.ST08" { <# Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'AllowGuestsToBeGroupOwner' | select-object -expand value = 'false' + .values | where-object name -eq 'AllowGuestsToBeGroupOwner' | select-object -expand value -eq 'false' #> Test-MtEidscaControl -CheckId ST08 | Should -Be 'false' } 
@@ -172,7 +172,7 @@ Describe "Default Settings - Classification and M365 Groups" -Tag "EIDSCA", "Sec It "EIDSCA.ST09: Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to have access to groups content. See https://maester.dev/docs/tests/EIDSCA.ST09" { <# Check if "https://graph.microsoft.com/beta/settings" - .values | where-object name -eq 'AllowGuestsToAccessGroups' | select-object -expand value = 'True' + .values | where-object name -eq 'AllowGuestsToAccessGroups' | select-object -expand value -eq 'True' #> Test-MtEidscaControl -CheckId ST09 | Should -Be 'True' } @@ -182,7 +182,7 @@ Describe "Authentication Method - General Settings" -Tag "EIDSCA", "Security", " It "EIDSCA.AG01: Authentication Method - General Settings - Manage migration. See https://maester.dev/docs/tests/EIDSCA.AG01" { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy" - .policyMigrationState = 'migrationComplete' + .policyMigrationState -eq 'migrationComplete' #> Test-MtEidscaControl -CheckId AG01 | Should -Be 'migrationComplete' } @@ -191,7 +191,7 @@ Describe "Authentication Method - General Settings" -Tag "EIDSCA", "Security", " It "EIDSCA.AG02: Authentication Method - General Settings - Report suspicious activity - State. See https://maester.dev/docs/tests/EIDSCA.AG02" { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy" - .reportSuspiciousActivitySettings.state = 'enabled' + .reportSuspiciousActivitySettings.state -eq 'enabled' #> Test-MtEidscaControl -CheckId AG02 | Should -Be 'enabled' } 
@@ -200,7 +200,7 @@ Describe "Authentication Method - General Settings" -Tag "EIDSCA", "Security", " It "EIDSCA.AG03: Authentication Method - General Settings - Report suspicious activity - Included users/groups. See https://maester.dev/docs/tests/EIDSCA.AG03" { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy" - .reportSuspiciousActivitySettings.includeTarget.id = 'all_users' + .reportSuspiciousActivitySettings.includeTarget.id -eq 'all_users' #> Test-MtEidscaControl -CheckId AG03 | Should -Be 'all_users' } @@ -210,7 +210,7 @@ Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Secur It "EIDSCA.AM01: Authentication Method - Microsoft Authenticator - State. See https://maester.dev/docs/tests/EIDSCA.AM01" { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" - .state = 'enabled' + .state -eq 'enabled' #> Test-MtEidscaControl -CheckId AM01 | Should -Be 'enabled' } @@ -219,7 +219,7 @@ Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Secur It "EIDSCA.AM02: Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP. See https://maester.dev/docs/tests/EIDSCA.AM02" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" - .isSoftwareOathEnabled = 'true' + .isSoftwareOathEnabled -eq 'true' #> Test-MtEidscaControl -CheckId AM02 | Should -Be 'true' } 
@@ -228,7 +228,7 @@ Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Secur It "EIDSCA.AM03: Authentication Method - Microsoft Authenticator - Require number matching for push notifications. See https://maester.dev/docs/tests/EIDSCA.AM03" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" - .featureSettings.numberMatchingRequiredState.state = 'enabled' + .featureSettings.numberMatchingRequiredState.state -eq 'enabled' #> Test-MtEidscaControl -CheckId AM03 | Should -Be 'enabled' } @@ -237,7 +237,7 @@ Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Secur It "EIDSCA.AM04: Authentication Method - Microsoft Authenticator - Included users/groups of number matching for push notifications. See https://maester.dev/docs/tests/EIDSCA.AM04" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" - .featureSettings.numberMatchingRequiredState.includeTarget.id = 'all_users' + .featureSettings.numberMatchingRequiredState.includeTarget.id -eq 'all_users' #> Test-MtEidscaControl -CheckId AM04 | Should -Be 'all_users' } 
@@ -246,7 +246,7 @@ Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Secur It "EIDSCA.AM06: Authentication Method - Microsoft Authenticator - Show application name in push and passwordless notifications. See https://maester.dev/docs/tests/EIDSCA.AM06" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" - .featureSettings.displayAppInformationRequiredState.state = 'enabled' + .featureSettings.displayAppInformationRequiredState.state -eq 'enabled' #> Test-MtEidscaControl -CheckId AM06 | Should -Be 'enabled' } @@ -255,7 +255,7 @@ Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Secur It "EIDSCA.AM07: Authentication Method - Microsoft Authenticator - Included users/groups to show application name in push and passwordless notifications. See https://maester.dev/docs/tests/EIDSCA.AM07" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" - .featureSettings.displayAppInformationRequiredState.includeTarget.id = 'all_users' + .featureSettings.displayAppInformationRequiredState.includeTarget.id -eq 'all_users' #> Test-MtEidscaControl -CheckId AM07 | Should -Be 'all_users' } 
@@ -264,7 +264,7 @@ Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Secur It "EIDSCA.AM09: Authentication Method - Microsoft Authenticator - Show geographic location in push and passwordless notifications. See https://maester.dev/docs/tests/EIDSCA.AM09" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" - .featureSettings.displayLocationInformationRequiredState.state = 'enabled' + .featureSettings.displayLocationInformationRequiredState.state -eq 'enabled' #> Test-MtEidscaControl -CheckId AM09 | Should -Be 'enabled' } @@ -273,7 +273,7 @@ Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Secur It "EIDSCA.AM10: Authentication Method - Microsoft Authenticator - Included users/groups to show geographic location in push and passwordless notifications. See https://maester.dev/docs/tests/EIDSCA.AM10" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" - .featureSettings.displayLocationInformationRequiredState.includeTarget.id = 'all_users' + .featureSettings.displayLocationInformationRequiredState.includeTarget.id -eq 'all_users' #> Test-MtEidscaControl -CheckId AM10 | Should -Be 'all_users' } @@ -283,7 +283,7 @@ Describe "Authentication Method - FIDO2 security key" -Tag "EIDSCA", "Security", It "EIDSCA.AF01: Authentication Method - FIDO2 security key - State. See https://maester.dev/docs/tests/EIDSCA.AF01" { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" - .state = 'enabled' + .state -eq 'enabled' #> Test-MtEidscaControl -CheckId AF01 | Should -Be 'enabled' } 
@@ -292,7 +292,7 @@ Describe "Authentication Method - FIDO2 security key" -Tag "EIDSCA", "Security", It "EIDSCA.AF02: Authentication Method - FIDO2 security key - Allow self-service set up. See https://maester.dev/docs/tests/EIDSCA.AF02" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" - .isSelfServiceRegistrationAllowed = 'true' + .isSelfServiceRegistrationAllowed -eq 'true' #> Test-MtEidscaControl -CheckId AF02 | Should -Be 'true' } @@ -301,7 +301,7 @@ Describe "Authentication Method - FIDO2 security key" -Tag "EIDSCA", "Security", It "EIDSCA.AF03: Authentication Method - FIDO2 security key - Enforce attestation. See https://maester.dev/docs/tests/EIDSCA.AF03" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" - .isAttestationEnforced = 'true' + .isAttestationEnforced -eq 'true' #> Test-MtEidscaControl -CheckId AF03 | Should -Be 'true' } @@ -310,7 +310,7 @@ Describe "Authentication Method - FIDO2 security key" -Tag "EIDSCA", "Security", It "EIDSCA.AF04: Authentication Method - FIDO2 security key - Enforce key restrictions. See https://maester.dev/docs/tests/EIDSCA.AF04" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" - .keyRestrictions.isEnforced = 'true' + .keyRestrictions.isEnforced -eq 'true' #> Test-MtEidscaControl -CheckId AF04 | Should -Be 'true' } 
@@ -319,7 +319,7 @@ Describe "Authentication Method - FIDO2 security key" -Tag "EIDSCA", "Security", It "EIDSCA.AF05: Authentication Method - FIDO2 security key - Restricted. See https://maester.dev/docs/tests/EIDSCA.AF05" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" - .keyRestrictions.aaGuids -notcontains $null = 'true' + .keyRestrictions.aaGuids -notcontains $null -eq 'true' #> Test-MtEidscaControl -CheckId AF05 | Should -Be 'true' } @@ -328,7 +328,7 @@ Describe "Authentication Method - FIDO2 security key" -Tag "EIDSCA", "Security", It "EIDSCA.AF06: Authentication Method - FIDO2 security key - Restrict specific keys. See https://maester.dev/docs/tests/EIDSCA.AF06" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')" - .keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') = 'true' + .keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block') -eq 'true' #> Test-MtEidscaControl -CheckId AF06 | Should -Be 'true' } @@ -338,7 +338,7 @@ Describe "Authentication Method - Temporary Access Pass" -Tag "EIDSCA", "Securit It "EIDSCA.AT01: Authentication Method - Temporary Access Pass - State. See https://maester.dev/docs/tests/EIDSCA.AT01" { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('TemporaryAccessPass')" - .state = 'enabled' + .state -eq 'enabled' #> Test-MtEidscaControl -CheckId AT01 | Should -Be 'enabled' } 
@@ -347,7 +347,7 @@ Describe "Authentication Method - Temporary Access Pass" -Tag "EIDSCA", "Securit It "EIDSCA.AT02: Authentication Method - Temporary Access Pass - One-time. See https://maester.dev/docs/tests/EIDSCA.AT02" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('TemporaryAccessPass')" - .isUsableOnce = 'true' + .isUsableOnce -eq 'true' #> Test-MtEidscaControl -CheckId AT02 | Should -Be 'true' } @@ -357,7 +357,7 @@ Describe "Authentication Method - Voice call" -Tag "EIDSCA", "Security", "All", It "EIDSCA.AV01: Authentication Method - Voice call - State. See https://maester.dev/docs/tests/EIDSCA.AV01" { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Voice')" - .state = 'disabled' + .state -eq 'disabled' #> Test-MtEidscaControl -CheckId AV01 | Should -Be 'disabled' } @@ -367,7 +367,7 @@ Describe "Authentication Method - SMS" -Tag "EIDSCA", "Security", "All", "EIDSCA It "EIDSCA.AS04: Authentication Method - SMS - Use for sign-in. See https://maester.dev/docs/tests/EIDSCA.AS04" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')" - .includeTargets.isUsableForSignIn = 'false' + .includeTargets.isUsableForSignIn -eq 'false' #> Test-MtEidscaControl -CheckId AS04 | Should -Be 'false' } @@ -377,7 +377,7 @@ Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", It "EIDSCA.CR01: Consent Framework - Admin Consent Request - Policy to enable or disable admin consent request feature. See https://maester.dev/docs/tests/EIDSCA.CR01" { <# Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" - .isEnabled = 'true' + .isEnabled -eq 'true' #> Test-MtEidscaControl -CheckId CR01 | Should -Be 'true' } 
@@ -386,7 +386,7 @@ Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", It "EIDSCA.CR02: Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests. See https://maester.dev/docs/tests/EIDSCA.CR02" -TestCases @{ EnabledAdminConsentWorkflow = ($EnabledAdminConsentWorkflow) } { <# Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" - .notifyReviewers = 'true' + .notifyReviewers -eq 'true' #> Test-MtEidscaControl -CheckId CR02 | Should -Be 'true' } @@ -395,7 +395,7 @@ Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", It "EIDSCA.CR03: Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire. See https://maester.dev/docs/tests/EIDSCA.CR03" -TestCases @{ EnabledAdminConsentWorkflow = ($EnabledAdminConsentWorkflow) } { <# Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" - .remindersEnabled = 'true' + .remindersEnabled -eq 'true' #> Test-MtEidscaControl -CheckId CR03 | Should -Be 'true' } @@ -404,7 +404,7 @@ Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", It "EIDSCA.CR04: Consent Framework - Admin Consent Request - Consent request duration (days). See https://maester.dev/docs/tests/EIDSCA.CR04" -TestCases @{ EnabledAdminConsentWorkflow = ($EnabledAdminConsentWorkflow) } { <# Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" - .requestDurationInDays <= '30' + .requestDurationInDays -le '30' #> Test-MtEidscaControl -CheckId CR04 | Should -BeLessOrEqual '30' } From 1ca6bcd08f2a5fdf1074352d9636b8350c83f67a Mon Sep 17 00:00:00 2001 
From: Thomas Naunheim Date: Fri, 29 Nov 2024 19:22:21 +0100 Subject: [PATCH 4/4] Updated description of recommended value for compare operators
--- build/eidsca/Update-EidscaTests.ps1 | 4 ++++ website/docs/tests/eidsca/EIDSCA.CR04.md | 2 +- website/docs/tests/eidsca/EIDSCA.PR05.md | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/build/eidsca/Update-EidscaTests.ps1 b/build/eidsca/Update-EidscaTests.ps1
index f112ce5b..286b45b9 100644
--- a/build/eidsca/Update-EidscaTests.ps1
+++ b/build/eidsca/Update-EidscaTests.ps1
@@ -62,6 +62,10 @@ function GetRecommendedValueMarkdown($RecommendedValueMarkdown) {
 if($RecommendedValueMarkdown -like "@('*,*')") {
 $RecommendedValueMarkdown = $RecommendedValueMarkdown -replace "@\(", "" -replace "\)", ""
 return "$RecommendedValueMarkdown"
+ } elseif ($RecommendedValueMarkdown.StartsWith(">") -or $RecommendedValueMarkdown.StartsWith("<")) {
+ $RecommendedValueText = (GetCompareOperator($RecommendedValueMarkdown)).Text
+ $RecommendedValueMarkdown = "$RecommendedValueText $RecommendedValue"
+ return "$RecommendedValueMarkdown"
 } else {
 return "'$RecommendedValueMarkdown'"
 }
diff --git a/website/docs/tests/eidsca/EIDSCA.CR04.md b/website/docs/tests/eidsca/EIDSCA.CR04.md
index 5a431a61..45b1c009 100644
--- a/website/docs/tests/eidsca/EIDSCA.CR04.md
+++ b/website/docs/tests/eidsca/EIDSCA.CR04.md
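Review bot: In the `GetRecommendedValueMarkdown` hunk of build/eidsca/Update-EidscaTests.ps1, the added line `$RecommendedValueMarkdown = "$RecommendedValueText $RecommendedValue"` reads `$RecommendedValue`, which is neither the function's parameter nor assigned in the visible lines, so it resolves only through PowerShell's dynamic scoping to whatever a caller has set. If that variable is unset or left over from another control, the generated "Recommended Value" cell would silently come out without a threshold or with the wrong one, and these pages are what administrators read when setting the baseline. Derive the value from the parameter instead, e.g. `$RecommendedValueMarkdown = "$RecommendedValueText $(GetRecommendedValue $RecommendedValueMarkdown)"` (assuming GetRecommendedValue returns the quoted value with the operator stripped, as the rendered `'30'` suggests), or pass the value in as a second parameter. The function's opening line lies outside the hunk.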
@@ -25,7 +25,7 @@ Specifies the duration the request is active before it automatically expires if | **Recommendation** | | | **Configuration** | policies/adminConsentRequestPolicy | | **Setting** | `requestDurationInDays` | -| **Recommended Value** | '<=30' | +| **Recommended Value** | is less than or equal to '30' | | **Default Value** | | | **Graph API Docs** | [adminConsentRequestPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/adminconsentrequestpolicy) | | **Graph Explorer** | [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/adminConsentRequestPolicy&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) | diff --git a/website/docs/tests/eidsca/EIDSCA.PR05.md b/website/docs/tests/eidsca/EIDSCA.PR05.md index 250ceb5f..61426a4a 100644 --- a/website/docs/tests/eidsca/EIDSCA.PR05.md +++ b/website/docs/tests/eidsca/EIDSCA.PR05.md @@ -25,7 +25,7 @@ The minimum length in seconds of each lockout. If an account locks repeatedly, t | **Recommendation** | [Prevent attacks using smart lockout - Microsoft Entra ID - Microsoft Learn](https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout) | | **Configuration** | settings | | **Setting** | `values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value` | -| **Recommended Value** | '>=60' | +| **Recommended Value** | is greater than or equal to '60' | | **Default Value** | 60 | | **Graph API Docs** | [directorySetting resource type - Microsoft Graph beta - Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/directorysetting) | | **Graph Explorer** | [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=settings&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) |