Merge pull request #418 from maester365/tnh-20240801EidscaUpdate
Updated EIDSCA description and added check AS.04
Showing 8 changed files with 109 additions and 5 deletions.
@@ -0,0 +1,18 @@ | ||
Determines if users can use this authentication method to sign in to Microsoft Entra ID. true if users can use this method for primary authentication, otherwise false. | ||
|
||
Avoid to use SMS as primary sign in factor (instead of a password) and consider to implement a MFA or passwordless option also for your special user groups, such as front-line workers. | ||
|
||
#### Test script | ||
``` | ||
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms') | ||
.includeTargets.isUsableForSignIn = 'false' | ||
``` | ||
|
||
#### Related links | ||
|
||
- [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) | ||
- [phoneAuthenticationMethod resource type - Microsoft Graph v1.0 | Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/phoneauthenticationmethod) | ||
|
||
|
||
<!--- Results ---> | ||
%TestResult% |
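Review bot: The test-script condition `.includeTargets.isUsableForSignIn = 'false'` treats `includeTargets` as a single value, but it is a collection of targets, each carrying its own `isUsableForSignIn`; the description should state that the check passes only when no include target has `isUsableForSignIn` set to true, otherwise a tenant with one SMS target where sign-in is disabled and a second where it is enabled reads as compliant. Two smaller points in the same hunk: the recommendation sentence should read "Avoid using SMS as a primary sign-in factor (instead of a password) and consider implementing an MFA or passwordless option for your special user groups as well, such as front-line workers", and the related link points at the per-user `phoneAuthenticationMethod` resource (a user's registered phone) rather than the policy-level `smsAuthenticationMethodConfiguration` resource that the queried URL actually returns.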
@@ -0,0 +1,44 @@ | ||
<# | ||
.SYNOPSIS | ||
Checks if Authentication Method - SMS - Use for sign-in is set to 'false' | ||
.DESCRIPTION | ||
Determines if users can use this authentication method to sign in to Microsoft Entra ID. true if users can use this method for primary authentication, otherwise false. | ||
Queries policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms') | ||
and returns the result of | ||
graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms').includeTargets.isUsableForSignIn -eq 'false' | ||
.EXAMPLE | ||
Test-MtEidscaAS04 | ||
Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms').includeTargets.isUsableForSignIn -eq 'false' | ||
#> | ||
|
||
function Test-MtEidscaAS04 { | ||
[CmdletBinding()] | ||
[OutputType([bool])] | ||
param() | ||
|
||
if ( $EnabledAuthMethods -notcontains 'Sms' ) { | ||
Add-MtTestResultDetail -SkippedBecause 'Custom' -SkippedCustomReason 'Authentication method of Sms is not enabled.' | ||
return $null | ||
} | ||
$result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')" -ApiVersion beta | ||
|
||
[string]$tenantValue = $result.includeTargets.isUsableForSignIn | ||
$testResult = $tenantValue -eq 'false' | ||
$tenantValueNotSet = $null -eq $tenantValue -and 'false' -notlike '*$null*' | ||
|
||
if($testResult){ | ||
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'false'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')**" | ||
} elseif ($tenantValueNotSet) { | ||
$testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **'false'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be." | ||
} else { | ||
$testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'false'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')**" | ||
} | ||
Add-MtTestResultDetail -Result $testResultMarkdown | ||
|
||
return $tenantValue | ||
} |
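Review bot: The `[string]` cast on `[string]$tenantValue = $result.includeTargets.isUsableForSignIn` makes the "not configured explicitly" branch unreachable, because a null property becomes an empty string and `$null -eq $tenantValue` on the next lines can never be true; `'false' -notlike '*$null*'` is also a single-quoted literal that never expands `$null` and is therefore always true, so it adds nothing. The same cast breaks the comparison when `includeTargets` holds more than one target: the array is joined into something like `"False False"`, and `$tenantValue -eq 'false'` fails even though every target has sign-in disabled. Suggest evaluating the collection instead, for example `$targets = @($result.includeTargets)` followed by `$testResult = ($targets.Count -gt 0) -and ($targets.isUsableForSignIn -notcontains $true)`, and deriving the markdown value from that. Separately, `[OutputType([bool])]` does not match `return $tenantValue`, which returns a string; either return `$testResult` or change the declared output type so the Pester assertion and the function contract agree. `$EnabledAuthMethods` is read from an outer scope without being declared or passed in; a short comment (or a parameter) saying where it is populated would help reviewers of this file.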
@@ -0,0 +1,34 @@ | ||
--- | ||
title: EIDSCA.AS04 - Authentication Method - SMS - Use for sign-in | ||
slug: /tests/EIDSCA.AS04 | ||
sidebar_class_name: hidden | ||
--- | ||
|
||
# Authentication Method - SMS - Use for sign-in | ||
|
||
Determines if users can use this authentication method to sign in to Microsoft Entra ID. true if users can use this method for primary authentication, otherwise false. | ||
|
||
| | | | ||
|-|-| | ||
| **Name** | isUsableForSignIn | | ||
| **Control** | Authentication Method - SMS | | ||
| **Description** | Define configuration settings and users or groups that are enabled to use text messages for authentication. | | ||
| **Severity** | High | | ||
|
||
## How to fix | ||
|
||
[Microsoft Learn - Configure and enable users for SMS-based authentication using Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-sms-signin) | ||
|
||
### Details of configuration item | ||
| | | | ||
|-|-| | ||
| **Recommendation** | Avoid to use SMS as primary sign in factor (instead of a password) and consider to implement a MFA or passwordless option also for your special user groups, such as front-line workers. | | ||
| **Configuration** | policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms') | | ||
| **Setting** | `includeTargets.isUsableForSignIn` | | ||
| **Recommended Value** | 'false' | | ||
| **Default Value** | true | | ||
| **Graph API Docs** | [phoneAuthenticationMethod resource type - Microsoft Graph v1.0 - Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/phoneauthenticationmethod) | | ||
| **Graph Explorer** | [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) | | ||
|
||
|
||
|
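Review bot: The "Details of configuration item" table quotes the recommended value as `'false'` but gives the default as bare `true`; both describe the same boolean property, so they should use the same form (bare `true` / `false` is what the Graph response contains). The **Graph API Docs** row links to the `phoneAuthenticationMethod` resource type, which documents a user's registered phone method, not the `smsAuthenticationMethodConfiguration` policy object that the **Configuration** row queries; the link should point at the configuration resource so a reader lands on the `includeTargets` / `isUsableForSignIn` definition. The **How to fix** link is the enablement how-to; a sentence saying which step to reverse (clear "Use for sign-in" on the SMS method's include targets in the authentication methods policy) would make the remediation actionable. The recommendation text repeats the grammar issue from the test description ("Avoid to use", "consider to implement") and should be corrected in both places together.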