From 74d6d4aa6364026d909d5e915fd805c070f1c3b3 Mon Sep 17 00:00:00 2001
From: Majed Ayoub
Date: Thu, 26 Dec 2024 12:23:00 -0500
Subject: [PATCH 1/6] fix(MS.AAD.6.1): password expiration must be configured for all domains

---
 .../public/cisa/entra/Test-MtCisaPasswordExpiration.ps1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1 b/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
index 1f3c30eb..9b9f17c8 100644
--- a/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
+++ b/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
@@ -8,7 +8,7 @@
 .EXAMPLE
 Test-MtCisaPasswordExpiration
- Returns true if at least 1 domain has password expiration of 100 years or greater
+ Returns true if all domains have password expiration of 100 years or greater
 .LINK
 https://maester.dev/docs/commands/Test-MtCisaPasswordExpiration
@@ -41,7 +41,7 @@ function Test-MtCisaPasswordExpiration {
 $_.authenticationType -eq "Managed" -and `
 $_.PasswordValidityPeriodInDays -ge 36500}
- $testResult = ($managedDomains|Measure-Object).Count -ge 1
+ $testResult = ($result | Measure-Object).Count - ($managedDomains|Measure-Object).Count -eq 0
 if ($testResult) {
 $testResultMarkdown = "Well done. Your tenant password expiration policy is set to never expire."

From e59e6496a69f8598b5a133a2d06bf6b1a2a85062 Mon Sep 17 00:00:00 2001
From: Majed Ayoub
Date: Thu, 26 Dec 2024 12:32:43 -0500
Subject: [PATCH 2/6] fix: use cleaner filter expression, only compare results against managed domains

---
 .../cisa/entra/Test-MtCisaPasswordExpiration.ps1 | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1 b/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
index 9b9f17c8..46aecabb 100644
--- a/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
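Review bot: The new `$testResult` line in the second hunk expresses "every domain is compliant" as a subtraction that must come out to zero, `($result | Measure-Object).Count - ($managedDomains|Measure-Object).Count -eq 0`, which works only because arithmetic binds tighter than `-eq` in PowerShell and reads like a precedence trick. A direct equality of the two counts states the same condition plainly, `$testResult = ($result | Measure-Object).Count -eq ($managedDomains | Measure-Object).Count`. Patches 2 and 3 rewrite this line with different operands but keep the subtract-then-compare shape, so the same simplification applies there. The enclosing function starts outside the hunk.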
+++ b/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
@@ -8,7 +8,8 @@
 .EXAMPLE
 Test-MtCisaPasswordExpiration
- Returns true if all domains have password expiration of 100 years or greater
+ Returns true if all managed domains have password expiration configured
+ to be of 100 years or greater
 .LINK
 https://maester.dev/docs/commands/Test-MtCisaPasswordExpiration
@@ -37,11 +38,11 @@ function Test-MtCisaPasswordExpiration {
 #$federatedDomains = $result | Where-Object {`
 # $_.authenticationType -ne "Managed"}
- $managedDomains = $result | Where-Object {`
- $_.authenticationType -eq "Managed" -and `
- $_.PasswordValidityPeriodInDays -ge 36500}
+ $managedDomains = $result | Where-Object authenticationType -eq "Managed"
- $testResult = ($result | Measure-Object).Count - ($managedDomains|Measure-Object).Count -eq 0
+ $compliantDomains = $managedDomains | Where-Object PasswordValidityPeriodInDays -ge 36500
+
+ $testResult = ($managedDomains | Measure-Object).Count - ($compliantDomains|Measure-Object).Count -eq 0
 if ($testResult) {
 $testResultMarkdown = "Well done. Your tenant password expiration policy is set to never expire."

From d34a94f7069bcc17b788d84447c67dc83e1d4cc3 Mon Sep 17 00:00:00 2001
From: Majed Ayoub
Date: Thu, 26 Dec 2024 12:34:24 -0500
Subject: [PATCH 3/6] fix: disregard unverified domains as they cannot be configured

---
 .../public/cisa/entra/Test-MtCisaPasswordExpiration.ps1 | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1 b/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
index 46aecabb..1da38361 100644
--- a/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
+++ b/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
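Review bot: With the second hunk's `$testResult = ($managedDomains | Measure-Object).Count - ($compliantDomains|Measure-Object).Count -eq 0`, a tenant whose domains are all federated has zero managed domains and zero compliant ones, so `0 - 0 -eq 0` reports "Well done" even though no password-validity setting was actually examined; patch 3 narrows the population further to verified domains, which makes this vacuous pass reachable in more tenants. Consider guarding the empty population before the comparison, e.g. `if (@($managedDomains).Count -eq 0) { ... }`, and reporting that case as not applicable rather than as a pass — `Add-MtTestResultDetail -SkippedBecause` looks like the module's mechanism for that, if the version in use supports it. The enclosing function starts outside the hunk.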
@@ -38,11 +38,13 @@ function Test-MtCisaPasswordExpiration {
 #$federatedDomains = $result | Where-Object {`
 # $_.authenticationType -ne "Managed"}
- $managedDomains = $result | Where-Object authenticationType -eq "Managed"
+ $verifiedDomains = $result | Where-Object isVerified
+
+ $managedDomains = $verifiedDomains | Where-Object authenticationType -eq "Managed"
 $compliantDomains = $managedDomains | Where-Object PasswordValidityPeriodInDays -ge 36500
- $testResult = ($managedDomains | Measure-Object).Count - ($compliantDomains|Measure-Object).Count -eq 0
+ $testResult = ($managedDomains | Measure-Object).Count - ($compliantDomains | Measure-Object).Count -eq 0
 if ($testResult) {
 $testResultMarkdown = "Well done. Your tenant password expiration policy is set to never expire."

From ce74e11a6cd00e2c6bad401834234ba82a40e510 Mon Sep 17 00:00:00 2001
From: Majed Ayoub
Date: Thu, 26 Dec 2024 12:35:20 -0500
Subject: [PATCH 4/6] fix: example description given more detail

---
 powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1 b/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
index 1da38361..1ae4d330 100644
--- a/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
+++ b/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
@@ -8,7 +8,7 @@
 .EXAMPLE
 Test-MtCisaPasswordExpiration
- Returns true if all managed domains have password expiration configured
+ Returns true if all verified managed domains have password expiration configured
 to be of 100 years or greater
 .LINK

From 7265036332bc57d91240c02e94a632ec8f66e438 Mon Sep 17 00:00:00 2001
From: Michael <431932+soulemike@users.noreply.github.com>
Date: Wed, 5 Mar 2025 19:02:22 -0700
Subject: [PATCH 5/6] Update Test-MtCisaPasswordExpiration.ps1

---
 .../entra/Test-MtCisaPasswordExpiration.ps1 | 43 +++++++++++++++----
 1 file changed, 35 insertions(+), 8 deletions(-)

diff --git a/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1 b/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
index 1ae4d330..21016504 100644
--- a/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
+++ b/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
@@ -1,4 +1,4 @@
-<#
+<#
 .SYNOPSIS
 Checks if passwords are set to not expire
@@ -34,10 +34,6 @@ function Test-MtCisaPasswordExpiration {
 #$users = Get-MgUser -All -Property PasswordPolicies
 #$users|?{$_.PasswordPolicies -like "*DisablePasswordExpiration*"}
- #Would need to handle exception for federated domains
- #$federatedDomains = $result | Where-Object {`
- # $_.authenticationType -ne "Managed"}
-
 $verifiedDomains = $result | Where-Object isVerified
 $managedDomains = $verifiedDomains | Where-Object authenticationType -eq "Managed"
@@ -47,12 +43,43 @@ function Test-MtCisaPasswordExpiration {
 $testResult = ($managedDomains | Measure-Object).Count - ($compliantDomains | Measure-Object).Count -eq 0
 if ($testResult) {
- $testResultMarkdown = "Well done. Your tenant password expiration policy is set to never expire."
+ $testResultMarkdown = "Well done. Your tenant password expiration policy is set to never expire.`n`n%TestResult%"
 } else {
- $testResultMarkdown = "Your tenant does not have password expiration set to never expire."
+ $testResultMarkdown = "Your tenant does not have password expiration set to never expire.`n`n%TestResult%"
+ }
+
+ $pass = "✅ Pass"
+ $fail = "❌ Fail"
+ $skip = "🗄️ Skipped"
+ $default = "✔️"
+
+ $resultDetails = "| Domain (Default) | Verified | Type | Validation |`n"
+ $resultDetails += "| --- | --- | --- | --- |`n"
+ foreach($domain in $result){
+ if($domain.isDefault){
+ $isDefault = "$($domain.id) ($default)"
+ }else{
+ $isDefault = "$($domain.id) ()"
+ }
+ if($domain.isVerified){
+ $isVerified = "Verified"
+ }else{
+ $isVerified = "Unverified"
+ }
+ if($domain.id -in $compliantDomains.id){
+ $testValue = $pass
+ }elseif($domain.authenticationType -eq "Federated"){
+ $testValue = $skip
+ }else{
+ $testValue = $fail
+ }
+
+ $resultDetails += "| $isDefault | $isVerified | $($domain.authenticationType) | $testValue |`n"
 }
+ $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $resultDetails
+
 Add-MtTestResultDetail -Result $testResultMarkdown
 return $testResult
-}
\ No newline at end of file
+}

From fcfbf3b0625e916535cc8451df754d541a765cf3 Mon Sep 17 00:00:00 2001
From: Michael <431932+soulemike@users.noreply.github.com>
Date: Wed, 5 Mar 2025 20:48:31 -0700
Subject: [PATCH 6/6] Update Test-MtCisaPasswordExpiration.ps1

---
 powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1 | 2 ++
 1 file changed, 2 insertions(+)
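Review bot: `$testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $resultDetails` is a regex replacement, so any `$` sequence that reaches `$resultDetails` (the table embeds `$domain.id` and `$domain.authenticationType` verbatim) would be read as a substitution group rather than inserted literally; for a fixed token the literal string method is the safer form, `$testResultMarkdown = $testResultMarkdown.Replace('%TestResult%', $resultDetails)`. The non-default branch `$isDefault = "$($domain.id) ()"` always appends empty parentheses, so a row renders as `contoso.com ()` (constructed example); `$isDefault = $domain.id` for that branch reads cleaner. The `foreach` is closed by the pre-existing context `}`, and the function starts outside the hunk.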
diff --git a/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1 b/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
index 21016504..17fafb25 100644
--- a/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
+++ b/powershell/public/cisa/entra/Test-MtCisaPasswordExpiration.ps1
@@ -70,6 +70,8 @@ function Test-MtCisaPasswordExpiration {
 $testValue = $pass
 }elseif($domain.authenticationType -eq "Federated"){
 $testValue = $skip
+ }elseif($isVerified -eq "Unverified"){
+ $testValue = $skip
 }else{
 $testValue = $fail
 }
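Review bot: The new branch `}elseif($isVerified -eq "Unverified"){` tests the display label assigned a few lines above rather than the underlying flag, so a later change to that label text would silently route unverified domains into the Fail row; comparing the source value directly, `}elseif(-not $domain.isVerified){`, keeps the table logic tied to the same `isVerified` property that excludes those domains from `$managedDomains`. Because this branch follows the Federated check and both yield `$skip`, their order does not affect the result, but a one-line comment such as `# unverified domains cannot be configured; mirrors the isVerified filter above` would make the intent explicit. The enclosing `foreach` and function start outside the hunk.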