Merge pull request #418 from maester365/tnh-20240801EidscaUpdate
Updated EIDSCA description and added check AS.04
merill authored Aug 16, 2024
2 parents f5ab8c4 + 50c0fee commit 573f77e
Showing 8 changed files with 109 additions and 5 deletions.
2 changes: 0 additions & 2 deletions powershell/internal/eidsca/Test-MtEidscaAM01.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,6 @@ function Test-MtEidscaAM01 {
[OutputType([bool])]
param()



$result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" -ApiVersion beta

[string]$tenantValue = $result.state
18 changes: 18 additions & 0 deletions powershell/internal/eidsca/Test-MtEidscaAS04.md
@@ -0,0 +1,18 @@
Determines if users can use this authentication method to sign in to Microsoft Entra ID. true if users can use this method for primary authentication, otherwise false.

Avoid to use SMS as primary sign in factor (instead of a password) and consider to implement a MFA or passwordless option also for your special user groups, such as front-line workers.

#### Test script
```
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')
.includeTargets.isUsableForSignIn = 'false'
```

#### Related links

- [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')&method=GET&version=beta&GraphUrl=https://graph.microsoft.com)
- [phoneAuthenticationMethod resource type - Microsoft Graph v1.0 | Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/phoneauthenticationmethod)


<!--- Results --->
%TestResult%
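Review bot: the `#### Test script` block states the check as a single scalar comparison (`.includeTargets.isUsableForSignIn = 'false'`), but `includeTargets` is a collection of targets, each carrying its own `isUsableForSignIn` (the companion Test-MtEidscaAS04.ps1 in this commit has to cast the property to `[string]` for exactly that reason), so the text should say the control passes only when no include target has `isUsableForSignIn` set to `true`. Two smaller points in the same file: the recommendation sentence should read "Avoid using SMS as the primary sign-in factor (instead of a password) and consider implementing an MFA or passwordless option for special user groups such as front-line workers as well", and the `#### Related links` entry points to the phoneAuthenticationMethod resource, which describes a user's registered phone method, whereas the query targets the tenant policy object `authenticationMethodConfigurations('Sms')`; link the SMS authentication method configuration resource type instead.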
44 changes: 44 additions & 0 deletions powershell/internal/eidsca/Test-MtEidscaAS04.ps1
@@ -0,0 +1,44 @@
<#
.SYNOPSIS
Checks if Authentication Method - SMS - Use for sign-in is set to 'false'
.DESCRIPTION
Determines if users can use this authentication method to sign in to Microsoft Entra ID. true if users can use this method for primary authentication, otherwise false.
Queries policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')
and returns the result of
graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms').includeTargets.isUsableForSignIn -eq 'false'
.EXAMPLE
Test-MtEidscaAS04
Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms').includeTargets.isUsableForSignIn -eq 'false'
#>

function Test-MtEidscaAS04 {
[CmdletBinding()]
[OutputType([bool])]
param()

if ( $EnabledAuthMethods -notcontains 'Sms' ) {
Add-MtTestResultDetail -SkippedBecause 'Custom' -SkippedCustomReason 'Authentication method of Sms is not enabled.'
return $null
}
$result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')" -ApiVersion beta

[string]$tenantValue = $result.includeTargets.isUsableForSignIn
$testResult = $tenantValue -eq 'false'
$tenantValueNotSet = $null -eq $tenantValue -and 'false' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'false'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')**"
} elseif ($tenantValueNotSet) {
$testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **'false'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be."
} else {
$testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'false'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')**"
}
Add-MtTestResultDetail -Result $testResultMarkdown

return $tenantValue
}
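Review bot: `[string]$tenantValue = $result.includeTargets.isUsableForSignIn` flattens a collection into one string, and the `[string]` cast means `$tenantValue` is never `$null` (an absent value becomes an empty string), so the `$tenantValueNotSet` branch can never be taken; on top of that, `'false' -notlike '*$null*'` is single-quoted, so `$null` is a literal and that clause is always true. With a single include target the value is `'True'` or `'False'` and the comparison works, but with several targets (for example all users plus a group) it becomes a space-joined string such as `False True`, which then fails `-eq 'false'` and is reported verbatim to the user. Suggest evaluating the targets explicitly, e.g. `$targets = @($result.includeTargets)`, `$testResult = $targets.Count -gt 0 -and -not ($targets.isUsableForSignIn -contains $true)`, `$tenantValueNotSet = $targets.Count -eq 0`. Two follow-ups: `return $tenantValue` hands back the raw string although the function declares `[OutputType([bool])]`, so return `$testResult` (and adjust the Pester assertion to match), and `$EnabledAuthMethods` in the skip check is neither a parameter nor a script-scoped variable here but is read from the caller's scope, which deserves a comment.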
2 changes: 1 addition & 1 deletion powershell/public/eidsca/Test-MtEidscaControl.ps1
Expand Up @@ -19,7 +19,7 @@ function Test-MtEidscaControl {
param(
# Id for the EIDSCA control check to test
[Parameter(Mandatory)]
[ValidateSet('AP01','AP04','AP05','AP06','AP07','AP08','AP09','AP10','AP14','CP01','CP03','CP04','PR01','PR02','PR03','PR05','PR06','ST08','ST09','AG01','AG02','AG03','AM01','AM02','AM03','AM04','AM06','AM07','AM09','AM10','AF01','AF02','AF03','AF04','AF05','AF06','AT01','AT02','AV01','CR01','CR02','CR03','CR04')]
[ValidateSet('AP01','AP04','AP05','AP06','AP07','AP08','AP09','AP10','AP14','CP01','CP03','CP04','PR01','PR02','PR03','PR05','PR06','ST08','ST09','AG01','AG02','AG03','AM01','AM02','AM03','AM04','AM06','AM07','AM09','AM10','AF01','AF02','AF03','AF04','AF05','AF06','AT01','AT02','AV01','AS04','CR01','CR02','CR03','CR04')]
[string]
$CheckId
)
10 changes: 10 additions & 0 deletions tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1
Expand Up @@ -363,6 +363,16 @@ Describe "Authentication Method - Voice call" -Tag "EIDSCA", "Security", "All",
}
}

Describe "Authentication Method - SMS" -Tag "EIDSCA", "Security", "All", "EIDSCA.AS04" {
It "EIDSCA.AS04: Authentication Method - SMS - Use for sign-in. See https://maester.dev/docs/tests/EIDSCA.AS04" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } {
<#
Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')"
.includeTargets.isUsableForSignIn = 'false'
#>
Test-MtEidscaControl -CheckId AS04 | Should -Be 'false'
}
}

Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", "All", "EIDSCA.CR01" {
It "EIDSCA.CR01: Consent Framework - Admin Consent Request - Policy to enable or disable admin consent request feature. See https://maester.dev/docs/tests/EIDSCA.CR01" {
<#
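Review bot: `Test-MtEidscaControl -CheckId AS04 | Should -Be 'false'` asserts against the string `'false'`, which only works because Test-MtEidscaAS04 returns `$tenantValue` (a string) despite declaring `[OutputType([bool])]`; once the helper returns its boolean pass/fail value (`$testResult`) the assertion should become `Should -BeTrue`, and if it instead returns the raw setting as a boolean, `Should -BeFalse`. Also worth a comment in the test: `-TestCases @{ EnabledAuthMethods = $EnabledAuthMethods }` is there because the helper reads `$EnabledAuthMethods` from the caller's scope for its skip check; the neighbouring EIDSCA.CR01 test has no such parameter, so a reader will wonder why this one does.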
34 changes: 34 additions & 0 deletions website/docs/tests/eidsca/EIDSCA.AS04.md
@@ -0,0 +1,34 @@
---
title: EIDSCA.AS04 - Authentication Method - SMS - Use for sign-in
slug: /tests/EIDSCA.AS04
sidebar_class_name: hidden
---

# Authentication Method - SMS - Use for sign-in

Determines if users can use this authentication method to sign in to Microsoft Entra ID. true if users can use this method for primary authentication, otherwise false.

| | |
|-|-|
| **Name** | isUsableForSignIn |
| **Control** | Authentication Method - SMS |
| **Description** | Define configuration settings and users or groups that are enabled to use text messages for authentication. |
| **Severity** | High |

## How to fix

[Microsoft Learn - Configure and enable users for SMS-based authentication using Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-sms-signin)

### Details of configuration item
| | |
|-|-|
| **Recommendation** | Avoid to use SMS as primary sign in factor (instead of a password) and consider to implement a MFA or passwordless option also for your special user groups, such as front-line workers. |
| **Configuration** | policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms') |
| **Setting** | `includeTargets.isUsableForSignIn` |
| **Recommended Value** | 'false' |
| **Default Value** | true |
| **Graph API Docs** | [phoneAuthenticationMethod resource type - Microsoft Graph v1.0 - Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/phoneauthenticationmethod) |
| **Graph Explorer** | [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) |
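Review bot: the configuration table mixes representations of the same boolean, quoted `'false'` for **Recommended Value** against unquoted `true` for **Default Value**; pick one (the Graph property is a boolean, so unquoted `false`/`true`). The **Graph API Docs** row (and the same link in Test-MtEidscaAS04.md) points to the phoneAuthenticationMethod resource, which describes a user's registered phone method rather than the tenant policy object `authenticationMethodConfigurations('Sms')` queried here; link the SMS authentication method configuration resource type instead. The **How to fix** link is titled "Configure and enable users for SMS-based authentication", while the fix for this control is the opposite action (clearing "Use for sign-in" for the SMS method in the authentication methods policy); either anchor to the relevant section or reword the link text so a reader does not enable the feature they are trying to turn off.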



2 changes: 1 addition & 1 deletion website/docs/tests/eidsca/EIDSCA.AT01.md
Expand Up @@ -17,7 +17,7 @@ Whether the Temporary Access Pass is enabled in the tenant.

## How to fix


[Microsoft Learn - Enable Temporary Access Pass](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass#enable-the-temporary-access-pass-policy)

### Details of configuration item
| | |
2 changes: 1 addition & 1 deletion website/docs/tests/eidsca/EIDSCA.AT02.md
Expand Up @@ -17,7 +17,7 @@ Determines whether the pass is limited to a one-time use.

## How to fix


[Microsoft Learn - Require one-time use (Step 5)](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass#enable-the-temporary-access-pass-policy)

### Details of configuration item
| | |