From 7bea8ce59b1cfa5f64504a7ca41a0837c6cc106a Mon Sep 17 00:00:00 2001
From: ehaines
Date: Mon, 3 Feb 2025 12:54:16 -0500
Subject: [PATCH] changed to check all necessary fields for policy 3.3

---
 PowerShell/ScubaGear/Rego/AADConfig.rego | 19 +-
 .../Unit/Rego/AAD/AADConfig_03_test.rego | 1263 +++++++++++++++--
 .../Products/TestPlans/aad.testplan.yaml | 35 +-
 3 files changed, 1205 insertions(+), 112 deletions(-)

diff --git a/PowerShell/ScubaGear/Rego/AADConfig.rego b/PowerShell/ScubaGear/Rego/AADConfig.rego
index 1740147b0e..b8895415c5 100644
--- a/PowerShell/ScubaGear/Rego/AADConfig.rego
+++ b/PowerShell/ScubaGear/Rego/AADConfig.rego
@@ -262,27 +262,23 @@ MSAuthEnabled := true if {
 # Returns true if MS Authenticator is configured per the baseline, false if it is not
 default MSAuthProperlyConfigured := false
 MSAuthProperlyConfigured := true if {
-    MSAuth.State == "enabled"
-
+    MSAuthEnabled == true
+    MSAuthOTP := MSAuth.AdditionalProperties.isSoftwareOathEnabled # either true/false
+    MSAuthOTP == false
     # Make sure that MS Auth shows the app name and geographic location
     Settings := MSAuth.AdditionalProperties.featureSettings
     Settings.displayAppInformationRequiredState.state == "enabled"
     Settings.displayLocationInformationRequiredState.state == "enabled"
-    # Make sure that the configuration applies to all users
-    some target in MSAuth.AdditionalProperties.includeTargets
-    target.id == "all_users"
+    # Make sure that the configuration applies to all users
+    Settings.displayAppInformationRequiredState.includeTarget.id == "all_users"
+    Settings.displayLocationInformationRequiredState.includeTarget.id == "all_users"
 }
 default AAD_3_3_Not_Applicable := false
-# Returns true no matter what if phishing-resistant MFA is being enforced
-AAD_3_3_Not_Applicable := true if {
-    count(PhishingResistantMFAPolicies) > 0
-}
 # Returns true if phishing-resistant MFA is not being enforced but MS Auth is disabled
 AAD_3_3_Not_Applicable := true if {
-    count(PhishingResistantMFAPolicies) == 0
     MSAuthEnabled == false
 }
@@ -311,7 +307,6 @@ tests contains {
     "RequirementMet": Status
 } if {
     AAD_3_3_Not_Applicable == false
-
     Status := MSAuthProperlyConfigured == true
 }
@@ -1186,4 +1181,4 @@ tests contains {
     "ReportDetails": NotCheckedDetails("MS.AAD.8.3v1"),
     "RequirementMet": false
 }
-#--
+#--
\ No newline at end of file
diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/AAD/AADConfig_03_test.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/AAD/AADConfig_03_test.rego
index d0ba3275a4..7bc7161dcf 100644
--- a/PowerShell/ScubaGear/Testing/Unit/Rego/AAD/AADConfig_03_test.rego
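Review bot: The context comment `# Returns true if phishing-resistant MFA is not being enforced but MS Auth is disabled` is now wrong, because this hunk deletes both the `count(PhishingResistantMFAPolicies) > 0` rule and the `count(PhishingResistantMFAPolicies) == 0` condition, leaving AAD_3_3_Not_Applicable driven only by MSAuthEnabled; change it to `# Returns true if MS Auth is disabled (policy MS.AAD.3.3 then does not apply)`. The same stale wording survives in the skipped-report text the unit tests pass to CheckedSkippedDetails ("only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled"); if the not-applicable ReportDetails string in AADConfig.rego (outside this hunk) carries that sentence, it should be updated as well, otherwise the report describes an exemption the rule no longer grants. Dropping that exemption is a behavior change the commit title does not mention: tenants enforcing phishing-resistant MFA are now evaluated, and can fail, on the Authenticator OTP and display settings, which deserves a line in the commit message. A tenant whose payload lacks `isSoftwareOathEnabled` or an `includeTarget` key makes the rule body undefined, so MSAuthProperlyConfigured falls back to its default of false, which is the fail-closed direction, but a short comment on the rule saying so would help whoever reads an unexpected failure on an older tenant.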
+++ b/PowerShell/ScubaGear/Testing/Unit/Rego/AAD/AADConfig_03_test.rego 
@@ -545,148 +545,1241 @@ test_State_Incorrect_V1 if { # # Policy MS.AAD.3.3v1 #-- -test_PhishingMFAEnforced_MicrosoftAuthEnabled_NotApplicable if { - Auth := json.patch(AuthenticationMethod, - [{"op": "add", "path": "authentication_method_feature_settings/3/State", "value": "enabled"}, - {"op": "remove", "path": "authentication_method_feature_settings/2"}, - {"op": "remove", "path": "authentication_method_feature_settings/1"}]) +# Test 1: MicrosoftAuthEnabled, isSoftwareOathEnabled false, displayAppInformationRequiredState enabled for not_all_users, displayLocationInformationRequiredState enabled for all_users +test_MicrosoftAuthEnabled_Correct if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with 
input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + TestResult("MS.AAD.3.3v1", Output, PASS, true) == true +} +# Test 2: MicrosoftAuthEnabled, isSoftwareOathEnabled true, displayAppInformationRequiredState enabled for all_users, +# displayLocationInformationRequiredState enabled for all_users +test_MicrosoftAuthEnabled_isSoftwareOathEnabled_Incorrect if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true +} - Output := aad.tests with input.conditional_access_policies as [ConditionalAccessPolicies] - with 
input.authentication_method as [Auth] +# Test 3: MicrosoftAuthEnabled, isSoftwareOathEnabled true, displayAppInformationRequiredState enabled for all_users, displayLocationInformationRequiredState enabled for not_all_users +test_MicrosoftAuthEnabled_isSoftwareOathEnabled_LocationTarget_Incorrect if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true +} +# Test 4: MicrosoftAuthDisabled, isSoftwareOathEnabled true, displayAppInformationRequiredState enabled for not_all_users, displayLocationInformationRequiredState enabled for not_all_users 
+test_MicrosoftAuthDisabled_NotApplicable_1 if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] PolicyId := "MS.AAD.3.3v1" ReportDetailStr := concat(" ", [ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.", "See %v for more info"]) - TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), false) == true + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false +} + +# Test 5: MicrosoftAuthDisabled, isSoftwareOathEnabled false, displayAppInformationRequiredState enabled for all_users, 
displayLocationInformationRequiredState enabled for all_users +test_MicrosoftAuthDisabled_NotApplicable_2 if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + PolicyId := "MS.AAD.3.3v1" + ReportDetailStr := concat(" ", [ + "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.", + "See %v for more info"]) + + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false +} + +# Test 6: MicrosoftAuthEnabled, isSoftwareOathEnabled false, displayAppInformationRequiredState disabled for all_users, displayLocationInformationRequiredState 
enabled for all_users +test_MicrosoftAuthEnabled_AppInformationDisabled_Incorrect if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true } -test_PhishingMFAEnforced_MicrosoftAuthDisabled_NotApplicable if { - Auth := json.patch(AuthenticationMethod, - [{"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"}, - {"op": "add", "path": "authentication_method_feature_settings/3/State", "value": "enabled"}, - {"op": "remove", "path": "authentication_method_feature_settings/2"}, - {"op": "remove", "path": 
"authentication_method_feature_settings/1"}]) +# Test 7: MicrosoftAuthEnabled, isSoftwareOathEnabled true, displayAppInformationRequiredState disabled for not_all_users, displayLocationInformationRequiredState disabled for all_users +test_isSoftwareOathEnabled_AppInformation_Target_Information_Incorrect_1 if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true +} - Output := aad.tests with input.conditional_access_policies as [ConditionalAccessPolicies] - with input.authentication_method as [Auth] +# Test 8: MicrosoftAuthDisabled, isSoftwareOathEnabled true, 
displayAppInformationRequiredState disabled for all_users, displayLocationInformationRequiredState disabled for not_all_users +test_MicrosoftAuthDisabled_NotApplicable_3 if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + + PolicyId := "MS.AAD.3.3v1" + ReportDetailStr := concat(" ", [ + "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.", + "See %v for more info"]) + + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false +} + +# Test 9: MicrosoftAuthDisabled, isSoftwareOathEnabled false, 
displayAppInformationRequiredState disabled for not_all_users, displayLocationInformationRequiredState enabled for all_users +test_MicrosoftAuthDisabled_NotApplicable_4 if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] +PolicyId := "MS.AAD.3.3v1" + ReportDetailStr := concat(" ", [ + "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.", + "See %v for more info"]) + + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false +} + +# Test 10: MicrosoftAuthDisabled, isSoftwareOathEnabled false, 
displayAppInformationRequiredState enabled for not_all_users, displayLocationInformationRequiredState disabled for all_users +test_MicrosoftAuthDisabled_NotApplicable_5 if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] +PolicyId := "MS.AAD.3.3v1" + ReportDetailStr := concat(" ", [ + "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.", + "See %v for more info"]) + + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false +} +# Test 11: MicrosoftAuthEnabled, isSoftwareOathEnabled true, 
displayAppInformationRequiredState disabled for all_users, displayLocationInformationRequiredState disabled for all_users +test_isSoftwareOathEnabled_AppInformation_Target_Information_Incorrect_2 if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true +} +# Test 12: MicrosoftAuthEnabled, isSoftwareOathEnabled false, displayAppInformationRequiredState disabled +# for not_all_users, displayLocationInformationRequiredState disabled for not_all_users +test_MicrosoftAuthEnabled_Correct_12 if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": 
"GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true +} + +# Test 13: MicrosoftAuthDisabled, isSoftwareOathEnabled true, displayAppInformationRequiredState enabled for all_users, displayLocationInformationRequiredState disabled for not_all_users +test_MicrosoftAuthDisabled_NotApplicable_6 if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"}, + 
{"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] PolicyId := "MS.AAD.3.3v1" ReportDetailStr := concat(" ", [ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.", "See %v for more info"]) - TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), false) == true + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false +} + +# Test 14: MicrosoftAuthDisabled, isSoftwareOathEnabled false, displayAppInformationRequiredState disabled for all_users, displayLocationInformationRequiredState enabled for not_all_users +test_MicrosoftAuthDisabled_NotApplicable_7 if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": 
"authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ PolicyId := "MS.AAD.3.3v1"
+ ReportDetailStr := concat(" ", [
+ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
+ "See %v for more info"])
+
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+
+# Test 15: MicrosoftAuthDisabled, isSoftwareOathEnabled true, displayAppInformationRequiredState disabled for not_all_users, displayLocationInformationRequiredState enabled for all_users
+test_MicrosoftAuthDisabled_NotApplicable_8 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": 
"authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ PolicyId := "MS.AAD.3.3v1"
+ ReportDetailStr := concat(" ", [
+ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
+ "See %v for more info"])
+
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+# Test 16: MicrosoftAuthEnabled, isSoftwareOathEnabled true, displayAppInformationRequiredState enabled for all_users, displayLocationInformationRequiredState disabled for all_users
+test_isSoftwareOathEnabled_LocationInformation_Incorrect if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": 
"authentication_method_feature_settings/0/State", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true
 }
-test_PhishingMFANotEnforced_MicrosoftAuthDisabled_NotApplicable if {
- CAP := json.patch(ConditionalAccessPolicies,
- [{"op": "add", "path": "GrantControls/BuiltInControls",
- "value": ["mfa"]}])
+# Test 17: MicrosoftAuthEnabled, isSoftwareOathEnabled false, displayAppInformationRequiredState enabled for all_users, displayLocationInformationRequiredState disabled for not_all_users
+test_MicrosoftAuthEnabled_Correct_17 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"},
+ {"op": "add", 
"path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true
+}
- Auth := json.patch(AuthenticationMethod,
- [{"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"},
- {"op": "add", "path": "authentication_method_feature_settings/3/State", "value": "enabled"},
- {"op": "remove", "path": "authentication_method_feature_settings/2"},
- {"op": "remove", "path": "authentication_method_feature_settings/1"}])
+# Test 18: MicrosoftAuthEnabled, isSoftwareOathEnabled true, displayAppInformationRequiredState disabled for all_users, displayLocationInformationRequiredState enabled for not_all_users
+test_isSoftwareOathEnabled_AppInformation_LocationInformation_Incorrect_3 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := 
json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true
+}
- Output := aad.tests with input.conditional_access_policies as [CAP]
- with input.authentication_method as [Auth]
+# Test 19: MicrosoftAuthDisabled, isSoftwareOathEnabled false, displayAppInformationRequiredState enabled for all_users, displayLocationInformationRequiredState disabled for all_users
+test_MicrosoftAuthDisabled_NotApplicable_9 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": 
"authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ PolicyId := "MS.AAD.3.3v1"
+ ReportDetailStr := concat(" ", [
+ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
+ "See %v for more info"])
+
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+
+# Test 20: MicrosoftAuthDisabled, isSoftwareOathEnabled true, displayAppInformationRequiredState enabled for not_all_users, displayLocationInformationRequiredState disabled for all_users
+test_MicrosoftAuthDisabled_NotApplicable_10 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": 
"authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ PolicyId := "MS.AAD.3.3v1"
+ ReportDetailStr := concat(" ", [
+ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
+ "See %v for more info"])
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+
+# Test 21: MicrosoftAuthDisabled, isSoftwareOathEnabled false, displayAppInformationRequiredState disabled for not_all_users, displayLocationInformationRequiredState disabled for all_users
+test_MicrosoftAuthDisabled_NotApplicable_11 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": 
"authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
 PolicyId := "MS.AAD.3.3v1"
 ReportDetailStr := concat(" ", [
 "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
 "See %v for more info"])
- TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), false) == true
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+
+# Test 22: MicrosoftAuthEnabled, isSoftwareOathEnabled false, displayAppInformationRequiredState disabled for all_users, displayLocationInformationRequiredState disabled for not_all_users
+test_AppInformation_LocationInformation_Incorrect if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": 
"authentication_method_feature_settings/0/State", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true
 }
-test_PhishingMFANotEnforced_MicrosoftAuthEnabled_Correct if {
- CAP := json.patch(ConditionalAccessPolicies,
- [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]},
- {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+# Test 23: MicrosoftAuthDisabled, isSoftwareOathEnabled true, displayAppInformationRequiredState disabled for all_users, displayLocationInformationRequiredState enabled for all_users
+test_MicrosoftAuthDisabled_NotApplicable_12 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": 
"authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ PolicyId := "MS.AAD.3.3v1"
+ ReportDetailStr := concat(" ", [
+ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
+ "See %v for more info"])
- Auth := json.patch(AuthenticationMethod,
- [{"op": "add", "path": "authentication_method_feature_settings/3/State", "value": "enabled"},
- {"op": "remove", "path": "authentication_method_feature_settings/2"},
- {"op": "remove", "path": "authentication_method_feature_settings/1"}])
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+
+# Test 24: MicrosoftAuthEnabled, isSoftwareOathEnabled true, displayAppInformationRequiredState enabled for not_all_users, displayLocationInformationRequiredState disabled for not_all_users 
+test_isSoftwareOathEnabled_AppInformation_LocationInformation_Incorrect_4 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true
+}
- Output := aad.tests with input.conditional_access_policies as [CAP]
- with input.authentication_method as [Auth]
+# Test 25: MicrosoftAuthEnabled, isSoftwareOathEnabled false, displayAppInformationRequiredState enabled for not_all_users, displayLocationInformationRequiredState disabled for all_users
+test_AppInformationTargetId_LocationInformation_Incorrect if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", 
"path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true
+}
- TestResult("MS.AAD.3.3v1", Output, PASS, true) == true
+# Test 26: MicrosoftAuthDisabled, isSoftwareOathEnabled true, displayAppInformationRequiredState enabled for all_users, displayLocationInformationRequiredState enabled for not_all_users
+test_MicrosoftAuthDisabled_NotApplicable_13 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": 
"authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ PolicyId := "MS.AAD.3.3v1"
+ ReportDetailStr := concat(" ", [
+ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
+ "See %v for more info"])
+
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+
+# Test 27: MicrosoftAuthDisabled, isSoftwareOathEnabled false, displayAppInformationRequiredState enabled for all_users, displayLocationInformationRequiredState disabled for not_all_users
+test_MicrosoftAuthDisabled_NotApplicable_14 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": 
"authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ PolicyId := "MS.AAD.3.3v1"
+ ReportDetailStr := concat(" ", [
+ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
+ "See %v for more info"])
+
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+
+# Test 28: MicrosoftAuthDisabled, isSoftwareOathEnabled true, displayAppInformationRequiredState disabled
+# for not_all_users, displayLocationInformationRequiredState disabled for not_all_users
+test_MicrosoftAuthDisabled_NotApplicable_15 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": 
"authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ PolicyId := "MS.AAD.3.3v1"
+ ReportDetailStr := concat(" ", [
+ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
+ "See %v for more info"])
+
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+
+# Test 29: MicrosoftAuthEnabled, isSoftwareOathEnabled true, displayAppInformationRequiredState disabled for not_all_users, displayLocationInformationRequiredState enabled for all_users
+test_isSoftwareOathEnabled_AppInformation_Incorrect if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": 
"authentication_method_feature_settings/0/State", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true
 }
-test_PhishingMFANotEnforced_MicrosoftAuthEnabled_AppnameDisabled_Incorrect if {
- CAP := json.patch(ConditionalAccessPolicies,
- [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]},
- {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+# Test 30: MicrosoftAuthEnabled, isSoftwareOathEnabled false, displayAppInformationRequiredState disabled for all_users, displayLocationInformationRequiredState enabled for all_users
+test_AppInformation_Incorrect if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": 
"authentication_method_feature_settings/0/State", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true
+}
- Auth := json.patch(AuthenticationMethod,
- [{"op": "add", "path": "authentication_method_feature_settings/3/State", "value": "enabled"},
- {"op": "remove", "path": "authentication_method_feature_settings/2"},
- {"op": "remove", "path": "authentication_method_feature_settings/1"},
- {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"}])
+# Test 31: MicrosoftAuthDisabled, isSoftwareOathEnabled false, displayAppInformationRequiredState enabled for not_all_users, displayLocationInformationRequiredState enabled for not_all_users
+test_MicrosoftAuthDisabled_NotApplicable_16 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": 
"GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ PolicyId := "MS.AAD.3.3v1"
+ ReportDetailStr := concat(" ", [
+ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
+ "See %v for more info"])
- Output := aad.tests with input.conditional_access_policies as [CAP]
- with input.authentication_method as [Auth]
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+# Test 32: MicrosoftAuthEnabled, isSoftwareOathEnabled true, displayAppInformationRequiredState enabled for all_users, displayLocationInformationRequiredState disabled for not_all_users 
+test_isSoftwareOathEnabled_LocationInformation_Incorrect_1 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true
+}
+# Test 33: MicrosoftAuthEnabled, isSoftwareOathEnabled false, displayAppInformationRequiredState enabled for not_all_users, displayLocationInformationRequiredState enabled for all_users
+test_AppInformationTargetId_Incorrect if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := 
json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
 TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true
 }
-test_PhishingMFANotEnforced_MicrosoftAuthEnabled_GeolocationDisabled_Incorrect if {
- CAP := json.patch(ConditionalAccessPolicies,
- [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]},
- {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+# Test 34: MicrosoftAuthDisabled, isSoftwareOathEnabled true, displayAppInformationRequiredState disabled for all_users, displayLocationInformationRequiredState enabled for not_all_users
+test_MicrosoftAuthDisabled_NotApplicable_17 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := 
json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + PolicyId := "MS.AAD.3.3v1" + ReportDetailStr := concat(" ", [ + "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.", + "See %v for more info"]) - Auth := json.patch(AuthenticationMethod, - [{"op": "add", "path": "authentication_method_feature_settings/3/State", "value": "enabled"}, - {"op": "remove", "path": "authentication_method_feature_settings/2"}, - {"op": "remove", "path": "authentication_method_feature_settings/1"}, - {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"}]) + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false +} + +# Test 35: 
MicrosoftAuthDisabled, isSoftwareOathEnabled false, displayAppInformationRequiredState disabled +# for not_all_users, displayLocationInformationRequiredState enabled for not_all_users +test_MicrosoftAuthDisabled_NotApplicable_18 if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + PolicyId := "MS.AAD.3.3v1" + ReportDetailStr := concat(" ", [ + "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.", + "See %v for more info"]) - Output := aad.tests with input.conditional_access_policies as [CAP] - with input.authentication_method as [Auth] + 
TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false +} + +# Test 36: MicrosoftAuthEnabled, isSoftwareOathEnabled true, displayAppInformationRequiredState disabled for all_users, displayLocationInformationRequiredState enabled for not_all_users +test_isSoftwareOathEnabled_AppInformation_LocationInformation_Incorrect_5 if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true +} +# Test 37: MicrosoftAuthEnabled, isSoftwareOathEnabled false, displayAppInformationRequiredState enabled for all_users, 
displayLocationInformationRequiredState enabled for not_all_users +test_LocationInformationTargetId_Incorrect if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true } -test_PhishingMFANotEnforced_MicrosoftAuthEnabled_AppNameDisabled_GeolocationDisabled_Incorrect if { - CAP := json.patch(ConditionalAccessPolicies, - [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, - {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) +# Test 38: MicrosoftAuthDisabled, isSoftwareOathEnabled true, displayAppInformationRequiredState enabled 
for not_all_users, displayLocationInformationRequiredState enabled for all_users +test_MicrosoftAuthDisabled_NotApplicable_19 if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + PolicyId := "MS.AAD.3.3v1" + ReportDetailStr := concat(" ", [ + "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.", + "See %v for more info"]) - Auth := json.patch(AuthenticationMethod, - [{"op": "add", "path": "authentication_method_feature_settings/3/State", "value": "enabled"}, - {"op": "remove", "path": "authentication_method_feature_settings/2"}, - {"op": "remove", "path": 
"authentication_method_feature_settings/1"}, - {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"}, - {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"}]) + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false +} + +# Test 39: MicrosoftAuthDisabled, isSoftwareOathEnabled false, displayAppInformationRequiredState enabled for all_users, displayLocationInformationRequiredState enabled for all_users +test_MicrosoftAuthDisabled_NotApplicable_20 if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": 
"authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + PolicyId := "MS.AAD.3.3v1" + ReportDetailStr := concat(" ", [ + "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.", + "See %v for more info"]) - Output := aad.tests with input.conditional_access_policies as [CAP] - with input.authentication_method as [Auth] + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false +} +# Test 40: MicrosoftAuthEnabled, isSoftwareOathEnabled true, displayAppInformationRequiredState enabled for not_all_users, displayLocationInformationRequiredState enabled for not_all_users +test_isSoftwareOathEnabled_AppInformationTargetId_LocationInformationTargetId_Incorrect if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": 
"authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true +} +# Test 41: MicrosoftAuthEnabled, isSoftwareOathEnabled false, displayAppInformationRequiredState disabled for not_all_users, displayLocationInformationRequiredState enabled for not_all_users +test_AppInformation_LocationInfomration_Incorrect if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", 
"path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true } -test_PhishingMFANotEnforced_MicrosoftAuthEnabled_includeTargetsNotAll_Incorrect if { - CAP := json.patch(ConditionalAccessPolicies, - [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, - {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) +# Test 42: MicrosoftAuthDisabled, isSoftwareOathEnabled true, displayAppInformationRequiredState enabled for all_users, displayLocationInformationRequiredState disabled for all_users +test_MicrosoftAuthDisabled_NotApplicable_21 if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", 
"path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + PolicyId := "MS.AAD.3.3v1" + ReportDetailStr := concat(" ", [ + "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.", + "See %v for more info"]) - Auth := json.patch(AuthenticationMethod, - [{"op": "add", "path": "authentication_method_feature_settings/3/State", "value": "enabled"}, - {"op": "remove", "path": "authentication_method_feature_settings/2"}, - {"op": "remove", "path": "authentication_method_feature_settings/1"}, - {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/includeTargets/0/id", "value": "not_all_users"}]) + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false +} + +# Test 43: MicrosoftAuthDisabled, isSoftwareOathEnabled false, displayAppInformationRequiredState enabled +# for not_all_users, displayLocationInformationRequiredState disabled for not_all_users +test_MicrosoftAuthDisabled_NotApplicable_22 if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "add", "path": 
"authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + PolicyId := "MS.AAD.3.3v1" + ReportDetailStr := concat(" ", [ + "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.", + "See %v for more info"]) - Output := aad.tests with input.conditional_access_policies as [CAP] - with input.authentication_method as [Auth] + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false +} + +# Test 44: MicrosoftAuthEnabled, isSoftwareOathEnabled true, displayAppInformationRequiredState enabled for all_users, displayLocationInformationRequiredState enabled for all_users +test_isSoftwareOathEnabled_Incorrect if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": 
"authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true +} + +# Test 45: MicrosoftAuthEnabled, isSoftwareOathEnabled false, displayAppInformationRequiredState disabled for not_all_users, displayLocationInformationRequiredState disabled for all_users +test_AppInformationDisabled_LocationInformationDisabled_Incorrect if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "add", "path": 
"authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true +} + +# Test 46: MicrosoftAuthDisabled, isSoftwareOathEnabled true, displayAppInformationRequiredState disabled for all_users, displayLocationInformationRequiredState disabled for not_all_users +test_MicrosoftAuthDisabled_NotApplicable_23 if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": 
"authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + PolicyId := "MS.AAD.3.3v1" + ReportDetailStr := concat(" ", [ + "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.", + "See %v for more info"]) + + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false +} + +# Test 47: MicrosoftAuthDisabled, isSoftwareOathEnabled false, displayAppInformationRequiredState disabled for all_users, displayLocationInformationRequiredState enabled for all_users +test_MicrosoftAuthDisabled_NotApplicable_24 if { + CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}]) + Auth := json.patch(AuthenticationMethod, [ + {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"}, + {"op": "add", "path": 
"authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ PolicyId := "MS.AAD.3.3v1"
+ ReportDetailStr := concat(" ", [
+ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
+ "See %v for more info"])
+
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+# Test 48: MicrosoftAuthEnabled, isSoftwareOathEnabled true, displayAppInformationRequiredState disabled for not_all_users, displayLocationInformationRequiredState disabled for not_all_users
+test_isSoftwareAuthEnabled_AppInformationDisabled_LocationInformation_Disabled_Incorrect if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true
+}
+
+# Test 49: MicrosoftAuthEnabled, isSoftwareOathEnabled false, displayAppInformationRequiredState enabled for all_users, displayLocationInformationRequiredState disabled for all_users
+test_LocationInformationDisabled_Incorrect if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true
+}
+# Test 50: MicrosoftAuthDisabled, isSoftwareOathEnabled true, displayAppInformationRequiredState enabled for not_all_users, displayLocationInformationRequiredState disabled for all_users
+test_MicrosoftAuthDisabled_NotApplicable_25 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ PolicyId := "MS.AAD.3.3v1"
+ ReportDetailStr := concat(" ", [
+ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
+ "See %v for more info"])
+
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+
+# Test 51: MicrosoftAuthDisabled, isSoftwareOathEnabled false, displayAppInformationRequiredState disabled for not_all_users, displayLocationInformationRequiredState enabled for all_users
+test_MicrosoftAuthDisabled_NotApplicable_26 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ PolicyId := "MS.AAD.3.3v1"
+ ReportDetailStr := concat(" ", [
+ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
+ "See %v for more info"])
+
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+
+# Test 52: MicrosoftAuthEnabled, isSoftwareOathEnabled true, displayAppInformationRequiredState enabled for all_users, displayLocationInformationRequiredState enabled for not_all_users
+test_isSoftwareOathEnabled_LocationInformation_TargetId_Incorrect if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true
+}
+
+# Test 53: MicrosoftAuthEnabled, isSoftwareOathEnabled false, displayAppInformationRequiredState enabled for not_all_users, displayLocationInformationRequiredState enabled for not_all_users
+test_AppInformationTargetID_LocationInformationTargetId_Incorrect if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true
+}
+
+# Test 54: MicrosoftAuthDisabled, isSoftwareOathEnabled true, displayAppInformationRequiredState disabled for not_all_users, displayLocationInformationRequiredState enabled for all_users
+test_MicrosoftAuthDisabled_NotApplicable_27 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ PolicyId := "MS.AAD.3.3v1"
+ ReportDetailStr := concat(" ", [
+ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
+ "See %v for more info"])
+
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+
+# Test 55: MicrosoftAuthDisabled, isSoftwareOathEnabled false, displayAppInformationRequiredState enabled for all_users, displayLocationInformationRequiredState disabled for all_users
+test_MicrosoftAuthDisabled_NotApplicable_28 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ PolicyId := "MS.AAD.3.3v1"
+ ReportDetailStr := concat(" ", [
+ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
+ "See %v for more info"])
+
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+# Test 56: MicrosoftAuthEnabled, isSoftwareOathEnabled true, displayAppInformationRequiredState disabled for all_users, displayLocationInformationRequiredState disabled for not_all_users
+test_isSoftwareOathEnabled_AppInformationDisabled_LocationInformation_Incorrect if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true
+}
+
+# Test 57: MicrosoftAuthEnabled, isSoftwareOathEnabled false, displayAppInformationRequiredState disabled for all_users, displayLocationInformationRequiredState disabled for all_users
+test_AppInformationDisabled_LocationInformationDisabled_Incorrect_2 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
 TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true
 }
+# Test 58: MicrosoftAuthDisabled, isSoftwareOathEnabled true, displayAppInformationRequiredState enabled for not_all_users, displayLocationInformationRequiredState disabled for not_all_users
+test_MicrosoftAuthDisabled_NotApplicable_29 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ PolicyId := "MS.AAD.3.3v1"
+ ReportDetailStr := concat(" ", [
+ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
+ "See %v for more info"])
+
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+
+# Test 59: MicrosoftAuthDisabled, isSoftwareOathEnabled false, displayAppInformationRequiredState disabled
+# for not_all_users, displayLocationInformationRequiredState disabled for not_all_users
+test_MicrosoftAuthDisabled_NotApplicable_30 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ PolicyId := "MS.AAD.3.3v1"
+ ReportDetailStr := concat(" ", [
+ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
+ "See %v for more info"])
+
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+
+# Test 60: MicrosoftAuthEnabled, isSoftwareOathEnabled true, displayAppInformationRequiredState enabled for all_users, displayLocationInformationRequiredState disabled for all_users
+test_isSoftwareOathEnabled_LocationInformationDisabled_Incorrect if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ TestResult("MS.AAD.3.3v1", Output, FAIL, false) == true
+}
+
+# Test 61: MicrosoftAuthDisabled, isSoftwareOathEnabled true, displayAppInformationRequiredState enabled for all_users, displayLocationInformationRequiredState enabled for all_users
+test_MicrosoftAuthDisabled_NotApplicable_31 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": true},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ PolicyId := "MS.AAD.3.3v1"
+ ReportDetailStr := concat(" ", [
+ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
+ "See %v for more info"])
+
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+
+# Test 62: MicrosoftAuthDisabled, isSoftwareOathEnabled false, displayAppInformationRequiredState enabled for not_all_users, displayLocationInformationRequiredState enabled for all_users
+test_MicrosoftAuthDisabled_NotApplicable_32 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "not_all_users"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "enabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"},
+ {"op": "remove", "path": "authentication_method_feature_settings/2"},
+ {"op": "remove", "path": "authentication_method_feature_settings/1"}
+ ])
+ Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth]
+ PolicyId := "MS.AAD.3.3v1"
+ ReportDetailStr := concat(" ", [
+ "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.",
+ "See %v for more info"])
+
+ TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false
+}
+# Test 63: MicrosoftAuthDisabled, isSoftwareOathEnabled false, displayAppInformationRequiredState disabled for all_users, displayLocationInformationRequiredState disabled for all_users
+test_MicrosoftAuthDisabled_NotApplicable_33 if {
+ CAP := json.patch(ConditionalAccessPolicies, [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["mfa"]}, {"op": "remove", "path": "GrantControls/AuthenticationStrength"}])
+ Auth := json.patch(AuthenticationMethod, [
+ {"op": "add", "path": "authentication_method_feature_settings/0/State", "value": "disabled"},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/isSoftwareOathEnabled", "value": false},
+ {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/state", "value": "disabled"},
+ {"op": "add", "path": 
"authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayAppInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/state", "value": "disabled"}, + {"op": "add", "path": "authentication_method_feature_settings/0/AdditionalProperties/featureSettings/displayLocationInformationRequiredState/includeTarget/id", "value": "all_users"}, + {"op": "remove", "path": "authentication_method_feature_settings/2"}, + {"op": "remove", "path": "authentication_method_feature_settings/1"} + ]) + Output := aad.tests with input.conditional_access_policies as [CAP] with input.authentication_method as [Auth] + PolicyId := "MS.AAD.3.3v1" + ReportDetailStr := concat(" ", [ + "This policy is only applicable if phishing-resistant MFA is not enforced and MS Authenticator is enabled.", + "See %v for more info"]) + + TestResult(PolicyId, Output, CheckedSkippedDetails(PolicyId, ReportDetailStr), true) == false +} + #-- # diff --git a/Testing/Functional/Products/TestPlans/aad.testplan.yaml b/Testing/Functional/Products/TestPlans/aad.testplan.yaml index 1104982f9b..87ea78c029 100644 --- a/Testing/Functional/Products/TestPlans/aad.testplan.yaml +++ b/Testing/Functional/Products/TestPlans/aad.testplan.yaml @@ -227,7 +227,7 @@ TestPlan: updates: authentication_method[0].authentication_method_feature_settings: - Id: MicrosoftAuthenticator - State: enabled + State: disabled AdditionalProperties: featureSettings: displayAppInformationRequiredState: 
@@ -239,22 +239,22 @@ TestPlan: Postconditions: [] IsNotChecked: true ExpectedResult: false - - TestDescription: MS.AAD.3.3v1 Not-applicable case - PhishingMFA Not Enforced MS Auth Disabled + - TestDescription: MS.AAD.3.3v1 Not-applicable case - MS Auth Disabled Preconditions: - Command: UpdateProviderExport Splat: updates: authentication_method[0].authentication_method_feature_settings: - - Id: MicrosoftAuthenticator - State: disabled - AdditionalProperties: - featureSettings: - displayAppInformationRequiredState: - state: disabled - displayLocationInformationRequiredState: - state: disabled - includeTargets: - - id: "all_users" + Id: MicrosoftAuthenticator + State: disabled + # AdditionalProperties: + # featureSettings: + # displayAppInformationRequiredState: + # state: disabled + # displayLocationInformationRequiredState: + # state: disabled + # includeTargets: + # - id: "all_users" Postconditions: [] IsNotChecked: true ExpectedResult: false @@ -285,13 +285,18 @@ TestPlan: - Id: MicrosoftAuthenticator State: enabled AdditionalProperties: + isSoftwareOathEnabled: false featureSettings: displayAppInformationRequiredState: state: enabled + includeTarget: + id: "all_users" displayLocationInformationRequiredState: state: enabled - includeTargets: - - id: "all_users" + includeTarget: + id: "all_users" + # includeTargets: + # - id: "all_users" Postconditions: [] ExpectedResult: true @@ -1229,4 +1234,4 @@ TestPlan: Preconditions: [] Postconditions: [] IsNotChecked: true - ExpectedResult: false + ExpectedResult: false \ No newline at end of file
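Review bot: In the `@@ -239` hunk the added `Id: MicrosoftAuthenticator` / `State: disabled` lines have lost the leading `- ` that the removed `- Id: MicrosoftAuthenticator` line and the context lines of the `@@ -227` and `@@ -285` hunks carry under `authentication_method_feature_settings:`, so, as far as this collapsed rendering shows, the fixture value changes from a one-element list to a plain mapping. The Rego unit tests in this same commit address that data as a list (`authentication_method_feature_settings/0/...`), so a mapping here would most likely make the MS Authenticator lookup fail and leave `MSAuthEnabled` at its default rather than exercising the disabled-state branch, and the not-applicable expectation would then pass for the wrong reason; restore the list item, `- Id: MicrosoftAuthenticator` with `State: disabled` indented beneath it. The commented-out `# AdditionalProperties:` … `# - id: "all_users"` block in this hunk and the `# includeTargets:` / `# - id: "all_users"` lines in the `@@ -285` hunk are dead fixture data that the removed lines already preserve in history, so they should be deleted rather than left as YAML comments.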