Merge pull request #488 from maester365/tnh-CaInvalidGroups
Added check for invalid CA group targeting
Showing
4 changed files
with
100 additions
and
4 deletions.
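--- /dev/null
+++ b/Test-MtCaReferencedGroupsExist.md
@@ -0,0 +1,15 @@
+This test checks if there are any Conditional Access policies that target deleted security groups.
+
+This usually happens when a group is deleted but is still referenced in a Conditional Access policy.
+
+Deleted groups in your policy can lead to unexpected gaps. This may result in Conditional Access policies not being applied to the users you intended or the policy not being applied at all.
+
+To fix this issue:
+
+* Open the impacted Conditional access policy.
+* If the group is no longer needed, click Save to remove the referenced group from the policy.
+* If the group is still needed, update the policy to target a valid group.
+
+<!--- Results --->
+
+%TestResult%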
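--- /dev/null
+++ b/Test-MtCaReferencedGroupsExist.ps1
@@ -0,0 +1,78 @@
+<#
+.Synopsis
+Checks if any conditional access policies include or exclude groups that have been deleted.
+.Description
+Security Groups will be used to exclude and include users from Conditional Access Policies.
+Assignments are still visible in the policy definition in Microsoft Graph API even the group is deleted.
+This test checks if all groups used in Conditional Access Policies still exist and shows invalid or deleted items.
+.Example
+Test-MtCaReferencedGroupsExist
+.LINK
+https://maester.dev/docs/commands/Test-MtCaReferencedGroupsExist
+#>
+
+Function Test-MtCaReferencedGroupsExist {
+[CmdletBinding()]
+[OutputType([bool])]
+param ()
+
+Write-Verbose "Running Test-MtCaReferencedGroupsExist"
+# Execute the test only when PowerShell Core and parallel processing is supported
+if ($PSVersionTable.PSEdition -eq 'Core') {
+
+$testDescription = ""
+$Policies = Get-MtConditionalAccessPolicy
+
+$Groups = $Policies.conditions.users.includeGroups + $Policies.conditions.users.excludeGroups | Select-Object -Unique
+
+$GroupsWhichNotExist = [System.Collections.Concurrent.ConcurrentBag[psobject]]::new()
+$Groups | ForEach-Object -Parallel {
+$Group = $_
+$NotExistedGroup = $using:GroupsWhichNotExist
+$GraphQueryResult = Invoke-MtGraphRequest -RelativeUri "groups/$($Group)" -ApiVersion beta -ErrorVariable GraphErrorResult -ErrorAction SilentlyContinue
+if ([string]::IsNullOrEmpty($GraphQueryResult)) {
+$NotExistedGroup.Add($Group) | Out-Null
+}
+}
+
+$result = ($GroupsWhichNotExist | Measure-Object).Count -eq 0
+
+if ( $result ) {
+$ResultDescription = "Well done! All Conditional Access policies are targeting active groups."
+} else {
+$ResultDescription = "These Conditional Access policies are referencing deleted security groups."
+$ImpactedCaGroups = "`n`n#### Impacted Conditional Access policies`n`n | Conditional Access policy | Deleted security group | Condition | `n"
+$ImpactedCaGroups += "| --- | --- | --- |`n"
+}
+
+$GroupsWhichNotExist | Sort-Object | ForEach-Object {
+$InvalidGroupId = $_
+$ImpactedPolicies = Get-MtConditionalAccessPolicy | Where-Object { $_.conditions.users.includeGroups -contains $InvalidGroupId -or $_.conditions.users.excludeGroups -contains $InvalidGroupId }
+foreach ($ImpactedPolicy in $ImpactedPolicies) {
+if ($ImpactedPolicy.conditions.users.includeGroups -contains $InvalidGroupId) {
+$Condition = "include"
+} elseif ($ImpactedPolicy.conditions.users.excludeGroups -contains $InvalidGroupId) {
+$Condition = "exclude"
+} else {
+$Condition = "Unknown"
+}
+$Policy = (Get-GraphObjectMarkdown -GraphObjects $ImpactedPolicy -GraphObjectType ConditionalAccess -AsPlainTextLink)
+$ImpactedCaGroups += "| $($Policy) | $($InvalidGroupId) | $($Condition) | `n"
+}
+}
+$ImpactedCaGroups += "`n`nNote: Names are not available for deleted groups. If the group was deleted in the last 30 days it may be available under [Entra admin centre - Deleted groups](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/GroupsManagementMenuBlade/~/DeletedGroups/menuId/DeletedGroups).`n`n"
+
+$resultMarkdown = $ResultDescription + $ImpactedCaGroups
+Add-MtTestResultDetail -Description $testDescription -Result $resultMarkdown
+return $result
+
+} else {
+Write-Verbose "PowerShell Core not available, skip the test"
+# PowerShell Core not available, skip the test
+Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason "Requires PowerShell 7.x or above. This test uses features that are not available in Windows PowerShell (5.x)."
+return $null
+}
+}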
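Review bot: `$GraphErrorResult` is captured by `-ErrorVariable` inside the `ForEach-Object -Parallel` block but never inspected, so any failed `groups/{id}` lookup — a 429 from Graph throttling (likely with several parallel calls), a 403 from a missing group-read permission, or a transport error — leaves `$GraphQueryResult` empty and the group is reported as deleted. Only a not-found response proves the group is gone; other errors should be surfaced as warnings (or fail the test) rather than becoming false positives in the results table, and a transient failure must not make a live group look like a dead one. The rewrite below keeps the parallel loop and adds that distinction; it presumes the error record from `Invoke-MtGraphRequest` carries the Graph error code, so the match pattern should be confirmed against that helper. Separately, the `$ImpactedCaGroups += "`n`nNote: Names are not available…"` line sits outside the `else` branch, so the deleted-groups note is also appended to the "Well done!" message; moving it inside the `else` block fixes that.
```powershell
# … unchanged: policy enumeration and $GroupsWhichNotExist bag …
$Groups | ForEach-Object -Parallel {
$Group = $_
$NotExistedGroup = $using:GroupsWhichNotExist
$GraphQueryResult = Invoke-MtGraphRequest -RelativeUri "groups/$($Group)" -ApiVersion beta -ErrorVariable GraphErrorResult -ErrorAction SilentlyContinue
if ($GraphQueryResult) { return }
# Only a not-found response proves the group is deleted; throttling, auth or transport errors must not be reported as deleted groups.
if ($GraphErrorResult -and (($GraphErrorResult | Out-String) -notmatch 'Request_ResourceNotFound|NotFound')) {
Write-Warning "Could not resolve group $Group - skipping: $($GraphErrorResult | Out-String)"
return
}
$NotExistedGroup.Add($Group) | Out-Null
}
# … unchanged: result evaluation and markdown table …
```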