Improve conditional access tests

powershell/public/Get-MtConditionalAccessPolicy.ps1

@@ -13,10 +13,14 @@
 #>
 function Get-MtConditionalAccessPolicy {
   [CmdletBinding()]
-  param()
+  param(
+    # Specify if this request should skip cache and go directly to Graph.
+    [Parameter(Mandatory = $false)]
+    [Switch]$DisableCache
+  )
 
   Write-Verbose -Message "Getting conditional access policies."
 
-  return Invoke-MtGraphRequest -RelativeUri 'identity/conditionalAccess/policies' -ApiVersion beta
+  return Invoke-MtGraphRequest -RelativeUri 'identity/conditionalAccess/policies' -ApiVersion beta -DisableCache:$DisableCache
 
 }

powershell/public/Test-MtCaApplicationEnforcedRestriction.ps1

@@ -26,6 +26,12 @@ function Test-MtCaApplicationEnforcedRestriction {
 
     $policies = Get-MtConditionalAccessPolicy | Where-Object { $_.state -eq "enabled" }
 
+    $testDescription = "
+Microsoft recommends blocking or limiting access to SharePoint, OneDrive, and Exchange content from unmanaged devices.
+
+See [Use application enforced restrictions for unmanaged devices - Microsoft Learn](https://aka.ms/CATemplatesAppRestrictions)"
+    $testResult = "These conditional access policies enforce restrictions for unmanaged devices:`n`n"
+
     $result = $false
     foreach ($policy in $policies) {
         if ( $policy.conditions.users.includeUsers -eq "All" `
@@ -35,11 +41,17 @@ function Test-MtCaApplicationEnforcedRestriction {
         ) {
             $result = $true
             $currentresult = $true
+            $testResult += "  - [$($policy.displayname)](https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade/policyId/$($($policy.id))?%23view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies?=)`n"
         } else {
             $currentresult = $false
         }
         Write-Verbose "$($policy.displayName) - $currentresult"
     }
 
+    if ($result -eq $false) {
+        $testResult = "There was no conditional access policy enforcing restrictions for unmanaged devices."
+    }
+    Add-MtTestResultDetail -Description $testDescription -Result $testResult
+
     return $result
 }

powershell/public/Test-MtCaDeviceCodeFlow.ps1

@@ -21,13 +21,18 @@ function Test-MtCaDeviceCodeFlow {
     [OutputType([bool])]
     param ()
 
-    $policies = Get-MtConditionalAccessPolicy | Where-Object { $_.state -eq "enabled" }
+    $policies = Get-MtConditionalAccessPolicy | Where-Object { $_.state -eq 'enabled' -and $_.conditions.authenticationFlows.transferMethods -contains 'deviceCodeFlow' }
     $policiesResult = New-Object System.Collections.ArrayList
     $result = $false
 
     foreach ($policy in $policies) {
-        if ( $policy.conditions.authenticationFlows.transfermethods -eq "deviceCodeFlow")
-        {
+        if ($policy.conditions.users.includeUsers -eq 'All' `
+            -and $policy.conditions.clientAppTypes -eq 'all' `
+            -and ( `
+                ($policy.grantcontrols.builtincontrols -contains 'block' -and (-not $policy.conditions.locations -or $policy.conditions.locations.includeLocations -eq 'All')) -or `
+                ($policy.grantControls.builtInControls -contains 'compliantDevice' -or $policy.grantControls.builtInControls -contains 'domainJoinedDevice' )
+            )
+        ) {
             $result = $true
             $currentresult = $true
             $policiesResult.Add($policy) | Out-Null
@@ -38,9 +43,12 @@ function Test-MtCaDeviceCodeFlow {
     }
 
     if ( $result ) {
-        $testResult = "Well done! The following conditional access policies are targeting the Device Code authentication flow:`n`n%TestResult%"
+        $testResult = "Well done! The following conditional access policies sufficiently cover Device Code authentication flow:`n`n%TestResult%"
+    } elseif ( $policies ) {
+        $policiesResult = $policies
+        $testResult = "None of the following conditional access policies sufficiently cover Device Code authentication flow:`n`n%TestResult%"
     } else {
-        $testResult = "No conditional access policy found that targets the Device Code authentication flow."
+        $testResult = 'No conditional access policy found that targets the Device Code authentication flow.'
     }
 
     Add-MtTestResultDetail -Result $testResult -GraphObjects $policiesResult -GraphObjectType ConditionalAccess

powershell/public/Test-MtCaGap.ps1

@@ -60,7 +60,7 @@ function Get-RelatedPolicy {
     foreach ($obj in $Arr) {
         # Check if the excluded object is present in the policy
         if ($obj.ExcludedObjects -contains $ObjName) {
-            $result += "        - Excluded in policy '$($obj.PolicyName)'`n`n"
+            $result += "        > Excluded in policy '$($obj.PolicyName)'`n"
         }
     }
 
@@ -144,8 +144,8 @@ function Test-MtCaGap {
         $_.Conditions.ClientApplications.IncludeServicePrincipals | ForEach-Object { $includedServicePrincipals.Add($_) | Out-Null }
         $_.Conditions.Locations.ExcludeLocations | ForEach-Object { $excludedLocations.Add($_) | Out-Null }
         $_.Conditions.Locations.IncludeLocations | ForEach-Object { $includedLocations.Add($_) | Out-Null }
-        $_.Conditions.Locations.Platforms | ForEach-Object { $excludedPlatforms.Add($_) | Out-Null }
-        $_.Conditions.Locations.Platforms | ForEach-Object { $includedPlatforms.Add($_) | Out-Null }
+        $_.Conditions.Platforms.ExcludePlatforms | ForEach-Object { $excludedPlatforms.Add($_) | Out-Null }
+        $_.Conditions.Platforms.IncludePlatforms | ForEach-Object { $includedPlatforms.Add($_) | Out-Null }
 
         # Create a mapping for each policy with excluded objects
         [System.Collections.ArrayList]$allExcluded = $_.Conditions.Users.ExcludeUsers + `
@@ -154,7 +154,7 @@ function Test-MtCaGap {
             $_.Conditions.Applications.ExcludeApplications + `
             $_.Conditions.ClientApplications.ExcludeServicePrincipals + `
             $_.Conditions.Locations.ExcludeLocations + `
-            $_.Conditions.Locations.Platforms
+            $_.Conditions.Platforms.ExcludePlatforms
         # Create the mapping
         $mapping = [PSCustomObject]@{
             PolicyName = $_.DisplayName
@@ -194,59 +194,87 @@ function Test-MtCaGap {
         # Add user objects to results
         if ($differencesUsers.Count -ne 0) {
             $testResult = "The following user objects did not have a fallback:`n`n"
-            $differencesUsers | ForEach-Object {
-                $DisplayName = Invoke-MtGraphRequest -RelativeUri "users/$_" -Select displayName | Select-Object -ExpandProperty displayName
-                $testResult += "    - $_ ($DisplayName)`n`n" # Add Name?
-                $testResult += Get-RelatedPolicy -Arr $mappingArray -ObjName $_
+            ForEach ($Object in $differencesUsers) {
+                Try {
+                    $DisplayName = (Invoke-MtGraphRequest -RelativeUri 'users' -ApiVersion v1.0 -UniqueId $Object -ErrorAction Stop).displayName
+                } Catch {
+                    $DisplayName = "${Object} (Unable to resolve GUID)"
+                }
+                $testResult += "`n    User: ${DisplayName}`n"
+                $testResult += Get-RelatedPolicy -Arr $mappingArray -ObjName $Object
             }
         }
         # Add group objects to results
         if ($differencesGroups.Count -ne 0) {
             $testResult += "The following group objects did not have a fallback:`n`n"
-            $differencesGroups | ForEach-Object {
-                $DisplayName = Invoke-MtGraphRequest -RelativeUri "groups/$_" -Select displayName | Select-Object -ExpandProperty displayName
-                $testResult += "    - $_ ($DisplayName)`n`n" # Add Name?
-                $testResult += Get-RelatedPolicy -Arr $mappingArray -ObjName $_
+            ForEach ($Object in $differencesGroups) {
+                Try {
+                    $DisplayName = (Invoke-MtGraphRequest -RelativeUri 'groups' -ApiVersion v1.0 -UniqueId $Object -ErrorAction Stop).displayName
+                } Catch {
+                    $DisplayName = "${Object} (Unable to resolve GUID)"
+                }
+                $testResult += "`n    Group: ${DisplayName}`n"
+                $testResult += Get-RelatedPolicy -Arr $mappingArray -ObjName $Object
             }
         }
         # Add role objects to results
         if ($differencesRoles.Count -ne 0) {
             $testResult += "The following role objects did not have a fallback:`n`n"
-            $differencesRoles | ForEach-Object {
-                $testResult += "    - $_`n`n"
+            ForEach ($Object in $differencesRoles) {
+                Try {
+                    $DisplayName = (Invoke-MtGraphRequest -RelativeUri 'directoryRoles' -ApiVersion v1.0 -UniqueId $Object -ErrorAction Stop).displayName
+                } Catch {
+                    $DisplayName = "${Object} (Unable to resolve GUID)"
+                }
+                $testResult += "`n    Role: ${DisplayName}`n"
                 $testResult += Get-RelatedPolicy -Arr $mappingArray -ObjName $_
             }
         }
         # Add application objects to results
         if ($differencesApplications.Count -ne 0) {
             $testResult += "The following application objects did not have a fallback:`n`n"
-            $differencesApplications | ForEach-Object {
-                $testResult += "    - $_`n`n"
-                $testResult += Get-RelatedPolicy -Arr $mappingArray -ObjName $_
+            ForEach ($Object in $differencesApplications) {
+                Try {
+                    $DisplayName = (Invoke-MtGraphRequest -RelativeUri 'serviceprincipals' -ApiVersion v1.0 -Filter "appId eq '${Object}'" -ErrorAction Stop).displayName
+                } Catch {
+                    $DisplayName = "${Object} (Unable to resolve GUID)"
+                }
+                $testResult += "`n    Application: ${DisplayName}`n"
+                $testResult += Get-RelatedPolicy -Arr $mappingArray -ObjName $Object
             }
         }
         # Add service principal objects to results
         if ($differencesServicePrincipals.Count -ne 0) {
             $testResult += "The following service principal objects did not have a fallback:`n`n"
-            $differencesServicePrincipals | ForEach-Object {
-                $testResult += "    - $_`n`n"
-                $testResult += Get-RelatedPolicy -Arr $mappingArray -ObjName $_
+            ForEach ($Object in $differencesServicePrincipals) {
+                Try {
+                    $DisplayName = (Invoke-MtGraphRequest -RelativeUri 'serviceprincipals' -ApiVersion v1.0 -UniqueId $Object -ErrorAction Stop).displayName
+                } Catch {
+                    $DisplayName = "${Object} (Unable to resolve GUID)"
+                }
+                $testResult += "`n    Service Principal: ${DisplayName}`n"
+                $testResult += Get-RelatedPolicy -Arr $mappingArray -ObjName $Object
             }
         }
         # Add location objects to results
         if ($differencesLocations.Count -ne 0) {
             $testResult += "The following location objects did not have a fallback:`n`n"
-            $differencesLocations | ForEach-Object {
-                $testResult += "    - $_`n`n"
-                $testResult += Get-RelatedPolicy -Arr $mappingArray -ObjName $_
+            ForEach ($Object in $differencesLocations) {
+                Try {
+                    $DisplayName = (Invoke-MtGraphRequest -RelativeUri 'identity/conditionalAccess/namedLocations' -ApiVersion v1.0 -UniqueId $Object -ErrorAction Stop).displayName
+                } Catch {
+                    $DisplayName = "${Object} (Unable to resolve GUID)"
+                }
+                $testResult += "`n    Location: ${DisplayName}`n"
+                $testResult += Get-RelatedPolicy -Arr $mappingArray -ObjName $Object
             }
         }
         # Add platform objects to results
         if ($differencesPlatforms.Count -ne 0) {
             $testResult += "The following platform objects did not have a fallback:`n`n"
-            $differencesPlatforms | ForEach-Object {
-                $testResult += "    - $_`n`n"
-                $testResult += Get-RelatedPolicy -Arr $mappingArray -ObjName $_
+            ForEach ($Object in $differencesPlatforms) {
+                $testResult += "`n    Platform: ${Object}`n"
+                $testResult += Get-RelatedPolicy -Arr $mappingArray -ObjName $Object
             }
         }
     }

powershell/public/Test-MtCaGroupsRestricted.md

@@ -0,0 +1,5 @@
+Security Groups will be used to exclude and include users from Conditional Access Policies. Modify group membership outside of Conditional Access Administrator or other privileged roles can lead to bypassing Conditional Access Policies.
+
+To prevent this, you can protect these groups by using Restricted Management Administrative Units or Role Assignable Groups. Role Assignable Group should be used in combination of assignments to Entra ID roles. Restricted Management Administrative Units should be used to protect groups by restricting management to specific users or groups. This test checks if all groups used in Conditional Access Policies are protected.
+
+See [Restricted management administrative units in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management)

powershell/public/Test-MtCaGroupsRestricted.ps1

@@ -55,7 +55,7 @@ Function Test-MtCaGroupsRestricted {
   $result = ($UnrestrictedGroups | Measure-Object).Count -eq 0
 
   if ( $result ) {
-    $ResultDescription = "Well done! All security groups with assignment in Conditional Access are protected!"
+    $ResultDescription = "Well done! All security groups with assignment in Conditional Access are protected."
   } else {
     $ResultDescription = "These security groups with assignments in Conditional Access are not protected by Restricted Management Admin Units or Role Assignable groups."
     $ImpactedCaGroups = "`n`n#### Impacted Conditional Access Policies`n`n | Security Group | Condition | Policy name | `n"
@@ -81,7 +81,7 @@ Function Test-MtCaGroupsRestricted {
   }
 
   $resultMarkdown = $ResultDescription + $ImpactedCaGroups
-  Add-MtTestResultDetail -Description $testDescription -Result $resultMarkdown
+  Add-MtTestResultDetail -Result $resultMarkdown
 
   return $result
 }

powershell/public/Test-MtCaLicenseUtilization.ps1

@@ -71,7 +71,6 @@ function Test-MtCaLicenseUtilization {
         }
     }
 
-    $testDescription =
     $testDescription = "This test checks the utilization of Entra ID $License licenses in the tenant."
     $testResult = "Total users entitled for Entra ID $($License): **$($Result.EntitledLicenseCount)**`n`nTotal $License licenses utilized: **$($Result.TotalLicensesUtilized)**"
     Add-MtTestResultDetail -Description $testDescription -Result $testResult

powershell/public/Test-MtCaMfaForAdminManagement.ps1

@@ -28,13 +28,33 @@ function Test-MtCaMfaForAdminManagement {
     $policies = Get-MtConditionalAccessPolicy | Where-Object { $_.state -eq "enabled" }
     $policiesResult = New-Object System.Collections.ArrayList
 
+    $testDescription = "
+Microsoft recommends requiring MFA for Azure Management.
+
+See [Require MFA for administrators - Microsoft Learn](https://learn.microsoft.com/entra/identity/conditional-access/howto-conditional-access-policy-admin-mfa)"
+
     $result = $false
     foreach ($policy in $policies) {
         if ( ( $policy.grantcontrols.builtincontrols -contains 'mfa' `
                     -or $policy.grantcontrols.authenticationStrength.requirementsSatisfied -contains 'mfa' ) `
-                -and $policy.conditions.users.includeUsers -eq "All" `
+                -and ($policy.conditions.users.includeUsers -eq "All" `
+                -or ("62e90394-69f5-4237-9190-012177145e10" -in $policy.conditions.users.includeRoles `
+                -and "194ae4cb-b126-40b2-bd5b-6091b380977d" -in $policy.conditions.users.includeRoles `
+                -and "f28a1f50-f6e7-4571-818b-6a12f2af6b6c" -in $policy.conditions.users.includeRoles `
+                -and "29232cdf-9323-42fd-ade2-1d097af3e4de" -in $policy.conditions.users.includeRoles `
+                -and "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9" -in $policy.conditions.users.includeRoles `
+                -and "729827e3-9c14-49f7-bb1b-9608f156bbb8" -in $policy.conditions.users.includeRoles `
+                -and "b0f54661-2d74-4c50-afa3-1ec803f12efe" -in $policy.conditions.users.includeRoles `
+                -and "fe930be7-5e62-47db-91af-98c3a49a38b1" -in $policy.conditions.users.includeRoles `
+                -and "c4e39bd9-1100-46d3-8c65-fb160da0071f" -in $policy.conditions.users.includeRoles `
+                -and "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3" -in $policy.conditions.users.includeRoles `
+                -and "158c047a-c907-4556-b7ef-446551a6b5f7" -in $policy.conditions.users.includeRoles `
+                -and "966707d0-3269-4727-9be2-8c3a10f19b9d" -in $policy.conditions.users.includeRoles `
+                -and "7be44c8a-adaf-4e2a-84d6-ab2649e08a13" -in $policy.conditions.users.includeRoles `
+                -and "e8611ab8-c189-46e8-94e1-60213ab1f814" -in $policy.conditions.users.includeRoles )) `
                 -and ("797f4846-ba00-4fd7-ba43-dac1f8f63013" -in $policy.conditions.applications.includeApplications `
-                    -or $policy.conditions.applications.includeApplications -contains "All") `
+                -or "MicrosoftAdminPortals" -in $policy.conditions.applications.includeApplications `
+                -or $policy.conditions.applications.includeApplications -contains "All") `
         ) {
             $result = $true
             $currentresult = $true
@@ -50,7 +70,7 @@ function Test-MtCaMfaForAdminManagement {
     } else {
         $testResult = "No conditional access policy requires multi-factor authentication for azure management resources."
     }
-    Add-MtTestResultDetail -GraphObjects $policiesResult -Result $testResult -GraphObjectType ConditionalAccess
+    Add-MtTestResultDetail -Description $testDescription -GraphObjects $policiesResult -Result $testResult -GraphObjectType ConditionalAccess
 
     return $result
 }

powershell/public/Test-MtCaReferencedGroupsExist.ps1

@@ -30,9 +30,9 @@ Function Test-MtCaReferencedGroupsExist {
     $Groups = $Policies.conditions.users.includeGroups + $Policies.conditions.users.excludeGroups | Select-Object -Unique
 
     $GroupsWhichNotExist = [System.Collections.Concurrent.ConcurrentBag[psobject]]::new()
-    $Groups | ForEach-Object -Parallel {
+    $Groups | ForEach-Object { # Removed -Parallel as it caused errors
       $Group = $_
-      $NotExistedGroup = $using:GroupsWhichNotExist
+      $NotExistedGroup = $GroupsWhichNotExist # Adjusted after not running in parallel anymore
       $GraphQueryResult = Invoke-MtGraphRequest -RelativeUri "groups/$($Group)" -ApiVersion beta -ErrorVariable GraphErrorResult -ErrorAction SilentlyContinue
       if ([string]::IsNullOrEmpty($GraphQueryResult)) {
         $NotExistedGroup.Add($Group) | Out-Null