soulemike committed Aug 26, 2024
1 parent d67b524 commit 888dc37
Showing 3 changed files with 24 additions and 22 deletions.
2 changes: 1 addition & 1 deletion powershell/Maester.psd1
Expand Up @@ -95,7 +95,7 @@ FunctionsToExport = 'Add-MtTestResultDetail', 'Clear-MtGraphCache', 'Connect-Mae
'Test-MtCaLicenseUtilization', 'Test-MtCaMfaForAdmin',
'Test-MtCaMfaForAdminManagement', 'Test-MtCaMfaForAllUsers',
"Test-MtCaGroupsRestricted",
"Test-MtCaGaps",
"Test-MtCaGap",
'Test-MtCaMfaForGuest', 'Test-MtCaMfaForRiskySignIn',
'Test-MtCaRequirePasswordChangeForHighUserRisk',
'Test-MtCaSecureSecurityInfoRegistration', 'Test-MtCisaDiagnosticSettings',
Expand Up @@ -11,13 +11,14 @@
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/workbook-conditional-access-gap-analyzer
.Example
Test-MtCaGaps
Test-MtCaGap
.LINK
https://maester.dev/docs/commands/Test-MtCaGaps
https://maester.dev/docs/commands/Test-MtCaGap
#>
function Get-ObjectDifferences {
function Get-ObjectDifference {
[CmdletBinding()]
[OutputType([object[]])]
param (
[System.Collections.ArrayList]$excludedObjects,
[System.Collections.ArrayList]$includedObjects
Expand All @@ -38,8 +39,9 @@ function Get-ObjectDifferences {
return $objectDifferences
}

function Get-RalatedPolicies {
function Get-RelatedPolicies {
[CmdletBinding()]
[OutputType([string])]
param (
[System.Collections.ArrayList]$Arr,
[String]$ObjName
Expand All @@ -57,7 +59,7 @@ function Get-RalatedPolicies {
return $result
}

function Test-MtCaGaps {
function Test-MtCaGap {
[CmdletBinding()]
[OutputType([bool])]
param ()
Expand Down Expand Up @@ -138,14 +140,14 @@ function Test-MtCaGaps {
Write-Verbose "Created a mapping with all excluded objects for each policy:`n $mapping"

# Find which objects are excluded without a fallback
[System.Collections.ArrayList]$differencesUsers = @(Get-ObjectDifferences -excludedObjects $excludedUsers -includedObjects $includedUsers)
[System.Collections.ArrayList]$differencesGroups = @(Get-ObjectDifferences -excludedObjects $excludedGroups -includedObjects $includedGroups)
[System.Collections.ArrayList]$differencesRoles = @(Get-ObjectDifferences -excludedObjects $excludedRoles -includedObjects $includedRoles)
[System.Collections.ArrayList]$differencesApplications = @(Get-ObjectDifferences -excludedObjects $excludedApplications -includedObjects $includedApplications)
[System.Collections.ArrayList]$differencesServicePrincipals = @(Get-ObjectDifferences -excludedObjects $excludedServicePrincipals -includedObjects $includedServicePrincipals)
[System.Collections.ArrayList]$differencesLocations = @(Get-ObjectDifferences -excludedObjects $excludedLocations -includedObjects $includedLocations)
[System.Collections.ArrayList]$differencesPlatforms = @(Get-ObjectDifferences -excludedObjects $excludedPlatforms -includedObjects $includedPlatforms)
Write-Host "Finished searching for gaps in policies."
[System.Collections.ArrayList]$differencesUsers = @(Get-ObjectDifference -excludedObjects $excludedUsers -includedObjects $includedUsers)
[System.Collections.ArrayList]$differencesGroups = @(Get-ObjectDifference -excludedObjects $excludedGroups -includedObjects $includedGroups)
[System.Collections.ArrayList]$differencesRoles = @(Get-ObjectDifference -excludedObjects $excludedRoles -includedObjects $includedRoles)
[System.Collections.ArrayList]$differencesApplications = @(Get-ObjectDifference -excludedObjects $excludedApplications -includedObjects $includedApplications)
[System.Collections.ArrayList]$differencesServicePrincipals = @(Get-ObjectDifference -excludedObjects $excludedServicePrincipals -includedObjects $includedServicePrincipals)
[System.Collections.ArrayList]$differencesLocations = @(Get-ObjectDifference -excludedObjects $excludedLocations -includedObjects $includedLocations)
[System.Collections.ArrayList]$differencesPlatforms = @(Get-ObjectDifference -excludedObjects $excludedPlatforms -includedObjects $includedPlatforms)
Write-Verbose "Finished searching for gaps in policies."

# Check if all excluded objects have fallbacks
if (
Expand All @@ -167,55 +169,55 @@ function Test-MtCaGaps {
$testResult = "The following user objects did not have a fallback:`n`n"
$differencesUsers | ForEach-Object {
$testResult += " - $_`n`n"
$testResult += Get-RalatedPolicies -Arr $mappingArray -ObjName $_
$testResult += Get-RelatedPolicies -Arr $mappingArray -ObjName $_
}
}
# Add group objects to results
if ($differencesGroups.Count -ne 0) {
$testResult += "The following group objects did not have a fallback:`n`n"
$differencesGroups | ForEach-Object {
$testResult += " - $_`n`n"
$testResult += Get-RalatedPolicies -Arr $mappingArray -ObjName $_
$testResult += Get-RelatedPolicies -Arr $mappingArray -ObjName $_
}
}
# Add role objects to results
if ($differencesRoles.Count -ne 0) {
$testResult += "The following role objects did not have a fallback:`n`n"
$differencesRoles | ForEach-Object {
$testResult += " - $_`n`n"
$testResult += Get-RalatedPolicies -Arr $mappingArray -ObjName $_
$testResult += Get-RelatedPolicies -Arr $mappingArray -ObjName $_
}
}
# Add application objects to results
if ($differencesApplications.Count -ne 0) {
$testResult += "The following application objects did not have a fallback:`n`n"
$differencesApplications | ForEach-Object {
$testResult += " - $_`n`n"
$testResult += Get-RalatedPolicies -Arr $mappingArray -ObjName $_
$testResult += Get-RelatedPolicies -Arr $mappingArray -ObjName $_
}
}
# Add service principal objects to results
if ($differencesServicePrincipals.Count -ne 0) {
$testResult += "The following service principal objects did not have a fallback:`n`n"
$differencesServicePrincipals | ForEach-Object {
$testResult += " - $_`n`n"
$testResult += Get-RalatedPolicies -Arr $mappingArray -ObjName $_
$testResult += Get-RelatedPolicies -Arr $mappingArray -ObjName $_
}
}
# Add location objects to results
if ($differencesLocations.Count -ne 0) {
$testResult += "The following location objects did not have a fallback:`n`n"
$differencesLocations | ForEach-Object {
$testResult += " - $_`n`n"
$testResult += Get-RalatedPolicies -Arr $mappingArray -ObjName $_
$testResult += Get-RelatedPolicies -Arr $mappingArray -ObjName $_
}
}
# Add platform objects to results
if ($differencesPlatforms.Count -ne 0) {
$testResult += "The following platform objects did not have a fallback:`n`n"
$differencesPlatforms | ForEach-Object {
$testResult += " - $_`n`n"
$testResult += Get-RalatedPolicies -Arr $mappingArray -ObjName $_
$testResult += Get-RelatedPolicies -Arr $mappingArray -ObjName $_
}
}
}
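Review bot: The comment-based help that describes Test-MtCaGap (the `.Example Test-MtCaGap` and `.LINK …/Test-MtCaGap` lines in the first hunk) ends with `#>` directly above `function Get-ObjectDifference {`, so by PowerShell's comment-based-help placement rule it documents that helper rather than Test-MtCaGap, and `Get-Help Test-MtCaGap` would return nothing. I cannot tell from here whether Maester's build step reassembles help separately; if it does not, move the `<# … #>` block to immediately above `function Test-MtCaGap {` (or into the top of its body), or move the two helper functions below it. Separately, the seven blocks in the last hunk differ only in the label text and the list they iterate, so one loop over an ordered label→list table calling `Get-RelatedPolicies` once would keep every category consistent and make adding a new one a one-line change, as sketched below. Note the users block assigns `$testResult =` while the other six append with `+=`; the loop form assumes `$testResult` is initialised before these blocks, which happens outside this hunk and should be confirmed. Get-ObjectDifference, Get-RelatedPolicies and Test-MtCaGap all begin or continue outside the hunks shown.
```powershell
# … unchanged: gap detection and $testResult initialisation …
$categories = [ordered]@{
    'user'              = $differencesUsers
    'group'             = $differencesGroups
    'role'              = $differencesRoles
    'application'       = $differencesApplications
    'service principal' = $differencesServicePrincipals
    'location'          = $differencesLocations
    'platform'          = $differencesPlatforms
}
foreach ($category in $categories.GetEnumerator()) {
    if ($category.Value.Count -eq 0) { continue }
    $testResult += "The following $($category.Key) objects did not have a fallback:`n`n"
    $category.Value | ForEach-Object {
        $testResult += " - $_`n`n"
        $testResult += Get-RelatedPolicies -Arr $mappingArray -ObjName $_
    }
}
```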
Expand Up @@ -60,7 +60,7 @@
Test-MtCaGroupsRestricted | Should -Be $true -Because "there is one or more policy without protection of included or excluded groups"
}
It "MT.1036: All excluded objects should have a fallback include in another policy. See https://maester.dev/docs/tests/MT.1036" -Tag "MT.1036", "Warning" {
Test-MtCaGaps | Should -Be $true -Because "there is one ore more object excluded without an include fallback in another policy."
Test-MtCaGap | Should -Be $true -Because "there is one ore more object excluded without an include fallback in another policy."
}
Context "License utilization" {
It "MT.1022: All users utilizing a P1 license should be licensed. See https://maester.dev/docs/tests/MT.1022" -Tag "MT.1022" {
