diff --git a/build/eidsca/Update-EidscaTests.ps1 b/build/eidsca/Update-EidscaTests.ps1 index a3493580..24e6bde2 100644 --- a/build/eidsca/Update-EidscaTests.ps1 +++ b/build/eidsca/Update-EidscaTests.ps1 @@ -306,6 +306,12 @@ function UpdateTemplate($template, $control, $controlItem, $docName, $isDoc) { } $output = $template + + # Replace string with int if DefaultValue is a number and expecting an int as configuration value + if ($controlItem.DefaultValue -match "^[\d\.]+$") { + $output = $output -replace 'string', 'int' + } + $output = $output -replace '%DocName%', $docName $output = $output -replace '%ControlName%', $control.ControlName $output = $output -replace '%Description%', $control.Description @@ -434,6 +440,7 @@ Describe "%ControlName%" -Tag "EIDSCA", "Security", "All", "%CheckId%" { $testOutput = UpdateTemplate -template $testTemplate -control $control -controlItem $controlItem -docName $docName $docsOutput = UpdateTemplate -template $docsTemplate -control $control -controlItem $controlItem -docName $docName -isDoc $true $psOutput = UpdateTemplate -template $psTemplate -control $control -controlItem $controlItem -docName $docName + $psMarkdownOutput = UpdateTemplate -template $psMarkdownTemplate -control $control -controlItem $controlItem -docName $docName -isDoc $true if ($testOutput -ne '') { diff --git a/powershell/internal/eidsca/Test-MtEidscaAM01.ps1 b/powershell/internal/eidsca/Test-MtEidscaAM01.ps1 index 5a62d126..e430e915 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAM01.ps1 +++ b/powershell/internal/eidsca/Test-MtEidscaAM01.ps1 @@ -21,6 +21,7 @@ function Test-MtEidscaAM01 { [OutputType([bool])] param() + $result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" -ApiVersion beta [string]$tenantValue = $result.state 
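Review bot: `$output = $output -replace 'string', 'int'` rewrites every occurrence of the substring `string` in the whole template, case-insensitively (PowerShell's `-replace` ignores case by default), so it also hits any other `string` token or prose word in the docs and markdown templates that the second hunk passes through the same function, not only the `[string]$tenantValue` cast it is meant to change. Anchor it, `$output = $output -replace '\[string\](?=\$tenantValue)', '[int]'`, and tighten the trigger to `if ($controlItem.DefaultValue -match '^\d+$') {`, since `^[\d\.]+$` also accepts `1.5` or a lone `.` that `[int]` would round or reject. The cast has a second effect visible in the Test-MtEidscaPR05 and Test-MtEidscaPR06 hunks: `[int]$tenantValue` turns a missing setting into 0, so `$tenantValueNotSet = $null -eq $tenantValue -and ...` can never be true and an unset lockout setting is reported as configured to 0 rather than "not configured explicitly"; the null check in the template should be made against the raw pipeline result before the cast. UpdateTemplate starts before this hunk and continues after it.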
diff --git a/powershell/internal/eidsca/Test-MtEidscaAM02.md b/powershell/internal/eidsca/Test-MtEidscaAM02.md index d43f2b61..6aa86944 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAM02.md +++ b/powershell/internal/eidsca/Test-MtEidscaAM02.md @@ -1,11 +1,11 @@ Defines if users can use the OTP code generated by the Authenticator App. -enabled +true #### Test script ``` https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator') -.state = 'enabled' +.isSoftwareOathEnabled = 'true' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaAM02.ps1 b/powershell/internal/eidsca/Test-MtEidscaAM02.ps1 index 5ddbe2f2..3f48f3d2 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAM02.ps1 +++ b/powershell/internal/eidsca/Test-MtEidscaAM02.ps1 @@ -1,6 +1,6 @@ <# .SYNOPSIS - Checks if Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP is set to 'enabled' + Checks if Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP is set to 'true' .DESCRIPTION @@ -8,12 +8,12 @@ Queries policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator') and returns the result of - graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator').state -eq 'enabled' + graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator').isSoftwareOathEnabled -eq 'true' .EXAMPLE Test-MtEidscaAM02 - Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator').state -eq 'enabled' + Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator').isSoftwareOathEnabled -eq 'true' #> function Test-MtEidscaAM02 { 
@@ -27,16 +27,16 @@ function Test-MtEidscaAM02 { } $result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" -ApiVersion beta - [string]$tenantValue = $result.state - $testResult = $tenantValue -eq 'enabled' - $tenantValueNotSet = $null -eq $tenantValue -and 'enabled' -notlike '*$null*' + [string]$tenantValue = $result.isSoftwareOathEnabled + $testResult = $tenantValue -eq 'true' + $tenantValueNotSet = $null -eq $tenantValue -and 'true' -notlike '*$null*' if($testResult){ - $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'enabled'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**" + $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**" } elseif ($tenantValueNotSet) { - $testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **'enabled'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be." + $testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be." 
} else { - $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'enabled'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**" + $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**" } Add-MtTestResultDetail -Result $testResultMarkdown diff --git a/powershell/internal/eidsca/Test-MtEidscaCR03.md b/powershell/internal/eidsca/Test-MtEidscaCR03.md index 69d56065..c608019d 100644 --- a/powershell/internal/eidsca/Test-MtEidscaCR03.md +++ b/powershell/internal/eidsca/Test-MtEidscaCR03.md @@ -5,7 +5,7 @@ Specifies whether reviewers will receive reminder emails #### Test script ``` https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy -.notifyReviewers = 'true' +.remindersEnabled = 'true' ``` #### Related links diff --git a/powershell/internal/eidsca/Test-MtEidscaCR03.ps1 b/powershell/internal/eidsca/Test-MtEidscaCR03.ps1 index 0f2476a4..c41087de 100644 --- a/powershell/internal/eidsca/Test-MtEidscaCR03.ps1 +++ b/powershell/internal/eidsca/Test-MtEidscaCR03.ps1 @@ -8,12 +8,12 @@ Queries policies/adminConsentRequestPolicy and returns the result of - graph/policies/adminConsentRequestPolicy.notifyReviewers -eq 'true' + graph/policies/adminConsentRequestPolicy.remindersEnabled -eq 'true' .EXAMPLE Test-MtEidscaCR03 - Returns the result of graph.microsoft.com/beta/policies/adminConsentRequestPolicy.notifyReviewers -eq 'true' + Returns the result of graph.microsoft.com/beta/policies/adminConsentRequestPolicy.remindersEnabled -eq 'true' #> function Test-MtEidscaCR03 { 
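Review bot: `$tenantValueNotSet = $null -eq $tenantValue -and 'true' -notlike '*$null*'` can never be true, because `[string]$tenantValue = $result.isSoftwareOathEnabled` stores an empty string, not `$null`, when the property is absent; an unset value therefore falls into the final `else` branch and is reported as configured as an empty value instead of "not configured explicitly". Test the raw property before the cast, e.g. `$tenantValueNotSet = $null -eq $result.isSoftwareOathEnabled`, and since this file is generated, apply that in the template in build/eidsca/Update-EidscaTests.ps1 rather than here. Separately, the check now reads only `isSoftwareOathEnabled` and no longer looks at `state`; if the Microsoft Authenticator configuration is itself disabled the flag may still be true and this test prints "Well done", so the help text should say that AM02 assumes AM01 (which reads `$result.state` in this commit) passes. Test-MtEidscaAM02 begins before this hunk and ends after it.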
@@ -27,7 +27,7 @@ function Test-MtEidscaCR03 { } $result = Invoke-MtGraphRequest -RelativeUri "policies/adminConsentRequestPolicy" -ApiVersion beta - [string]$tenantValue = $result.notifyReviewers + [string]$tenantValue = $result.remindersEnabled $testResult = $tenantValue -eq 'true' $tenantValueNotSet = $null -eq $tenantValue -and 'true' -notlike '*$null*' diff --git a/powershell/internal/eidsca/Test-MtEidscaPR05.ps1 b/powershell/internal/eidsca/Test-MtEidscaPR05.ps1 index d5b7c365..7a30ac1b 100644 --- a/powershell/internal/eidsca/Test-MtEidscaPR05.ps1 +++ b/powershell/internal/eidsca/Test-MtEidscaPR05.ps1 @@ -1,6 +1,6 @@ <# .SYNOPSIS - Checks if Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds is greater or equal to '60' + Checks if Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds is set to '60' .DESCRIPTION @@ -24,8 +24,8 @@ function Test-MtEidscaPR05 { $result = Invoke-MtGraphRequest -RelativeUri "settings" -ApiVersion beta - [string]$tenantValue = $result.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value - $testResult = [int]$tenantValue -ge [int]'60' + [int]$tenantValue = $result.values | where-object name -eq 'LockoutDurationInSeconds' | select-object -expand value + $testResult = $tenantValue -ge '60' $tenantValueNotSet = $null -eq $tenantValue -and '60' -notlike '*$null*' if($testResult){ diff --git a/powershell/internal/eidsca/Test-MtEidscaPR06.ps1 b/powershell/internal/eidsca/Test-MtEidscaPR06.ps1 index 1a01a151..a971db55 100644 --- a/powershell/internal/eidsca/Test-MtEidscaPR06.ps1 +++ b/powershell/internal/eidsca/Test-MtEidscaPR06.ps1 
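Review bot: The new SYNOPSIS line `Checks if Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds is set to '60'` no longer matches the comparison in the second hunk of this file, where the new side still reads `$testResult = $tenantValue -ge '60'`; a tenant configured with 120 seconds passes, so "set to" misdescribes the pass condition. Keep the previous wording, `... is greater or equal to '60'`, and since this file is generated from build/eidsca/Update-EidscaTests.ps1, make the change where the synopsis text originates — the hunk does not show where that wording comes from. The comparison itself is sound: with `[int]$tenantValue` on the left, '60' is converted to an integer before `-ge`. Test-MtEidscaPR05's body begins before the second hunk and ends after it.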
@@ -24,7 +24,7 @@ function Test-MtEidscaPR06 { $result = Invoke-MtGraphRequest -RelativeUri "settings" -ApiVersion beta - [string]$tenantValue = $result.values | where-object name -eq 'LockoutThreshold' | select-object -expand value + [int]$tenantValue = $result.values | where-object name -eq 'LockoutThreshold' | select-object -expand value $testResult = $tenantValue -eq '10' $tenantValueNotSet = $null -eq $tenantValue -and '10' -notlike '*$null*' diff --git a/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 b/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 index c271e7be..cdfffc91 100644 --- a/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 +++ b/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 @@ -219,9 +219,9 @@ Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Secur It "EIDSCA.AM02: Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP. See https://maester.dev/docs/tests/EIDSCA.AM02" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } { <# Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" - .state = 'enabled' + .isSoftwareOathEnabled = 'true' #> - Test-MtEidscaControl -CheckId AM02 | Should -Be 'enabled' + Test-MtEidscaControl -CheckId AM02 | Should -Be 'true' } } Describe "Authentication Method - Microsoft Authenticator" -Tag "EIDSCA", "Security", "All", "EIDSCA.AM03" { 
@@ -395,7 +395,7 @@ Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", It "EIDSCA.CR03: Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire. See https://maester.dev/docs/tests/EIDSCA.CR03" -TestCases @{ EnabledAdminConsentWorkflow = ($EnabledAdminConsentWorkflow) } { <# Check if "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" - .notifyReviewers = 'true' + .remindersEnabled = 'true' #> Test-MtEidscaControl -CheckId CR03 | Should -Be 'true' } diff --git a/website/docs/tests/eidsca/EIDSCA.AM02.md b/website/docs/tests/eidsca/EIDSCA.AM02.md index ab745cd2..f669c386 100644 --- a/website/docs/tests/eidsca/EIDSCA.AM02.md +++ b/website/docs/tests/eidsca/EIDSCA.AM02.md @@ -22,11 +22,11 @@ Defines if users can use the OTP code generated by the Authenticator App. ### Details of configuration item | | | |-|-| -| **Recommendation** | enabled | +| **Recommendation** | true | | **Configuration** | policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator') | -| **Setting** | `state` | -| **Recommended Value** | 'enabled' | -| **Default Value** | enabled | +| **Setting** | `isSoftwareOathEnabled` | +| **Recommended Value** | 'true' | +| **Default Value** | true | | **Graph API Docs** | [microsoftAuthenticatorAuthenticationMethodConfiguration resource type - Microsoft Graph v1.0 - Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/microsoftauthenticatorauthenticationmethodconfiguration) | | **Graph Explorer** | [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) | diff --git a/website/docs/tests/eidsca/EIDSCA.CR03.md b/website/docs/tests/eidsca/EIDSCA.CR03.md index e71a965e..b9997ac2 100644 
--- a/website/docs/tests/eidsca/EIDSCA.CR03.md +++ b/website/docs/tests/eidsca/EIDSCA.CR03.md @@ -10,7 +10,7 @@ Specifies whether reviewers will receive reminder emails | | | |-|-| -| **Name** | notifyReviewers | +| **Name** | remindersEnabled | | **Control** | Consent Framework - Admin Consent Request | | **Description** | Represents the policy for enabling or disabling the Azure AD admin consent workflow. The admin consent workflow allows users to request access for apps that they wish to use and that require admin authorization before users can use the apps to access organizational data. | | **Severity** | | @@ -24,7 +24,7 @@ Specifies whether reviewers will receive reminder emails |-|-| | **Recommendation** | | | **Configuration** | policies/adminConsentRequestPolicy | -| **Setting** | `notifyReviewers` | +| **Setting** | `remindersEnabled` | | **Recommended Value** | 'true' | | **Default Value** | | | **Graph API Docs** | [adminConsentRequestPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/adminconsentrequestpolicy) |