Remove an unnecessary cmdlet from aad policy check 5.3 to improve per…

…formance of the provider (#896) * WIP * Update test plan * Fix 5.3 step 3 instructions
cisagov · Feb 9, 2024 · 67bf207 · 67bf207
1 parent 8c8a7e1
commit 67bf207
Show file tree

Hide file tree

Showing 7 changed files with 90 additions and 34 deletions.
diff --git a/PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1 b/PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1
@@ -102,12 +102,9 @@ function Export-AADProvider {
     # 5.1, 5.2, 8.1 & 8.3
     $AuthZPolicies = ConvertTo-Json @($Tracker.TryCommand("Get-MgBetaPolicyAuthorizationPolicy"))
 
-    # 5.4
+    # 5.3, 5.4
     $DirectorySettings = ConvertTo-Json -Depth 10 @($Tracker.TryCommand("Get-MgBetaDirectorySetting"))
 
-    # 5.3
-    $AdminConsentReqPolicies = ConvertTo-Json @($Tracker.TryCommand("Get-MgBetaPolicyAdminConsentRequestPolicy"))
-
     # Read the properties and relationships of an authentication method policy
     $AuthenticationMethodPolicy = ConvertTo-Json @($Tracker.TryCommand("Get-MgBetaPolicyAuthenticationMethodPolicy"))
 
@@ -122,7 +119,6 @@ function Export-AADProvider {
     "conditional_access_policies": $AllPolicies,
     "cap_table_data": $CapTableData,
     "authorization_policies": $AuthZPolicies,
-    "admin_consent_policies": $AdminConsentReqPolicies,
     "privileged_users": $PrivilegedUsers,
     "privileged_roles": $PrivilegedRoles,
     "service_plans": $ServicePlans,

diff --git a/PowerShell/ScubaGear/Rego/AADConfig.rego b/PowerShell/ScubaGear/Rego/AADConfig.rego
@@ -521,31 +521,51 @@ tests contains {
 # MS.AAD.5.3v1
 #--
 
-# Save the policy Id of any not enabled
-BadConsentPolicies contains Policy.Id if {
-    some Policy in input.admin_consent_policies
-    Policy.IsEnabled == false
+# For specific setting, save the value & group.
+AllAdminConsentSettings contains {
+    "SettingsGroup": SettingGroup.DisplayName,
+    "Name": Setting.Name,
+    "Value": Setting.Value
+} if {
+    some SettingGroup in input.directory_settings
+    some Setting in SettingGroup.Values
+    Setting.Name == "EnableAdminConsentRequests"
 }
 
-# Get all policies
-AllConsentPolicies contains {
-    "PolicyId": Policy.Id,
-    "IsEnabled": Policy.IsEnabled
+# Save all settings that have a value of false
+GoodAdminConsentSettings contains {
+    "SettingsGroup": Setting.SettingsGroup,
+    "Name": Setting.Name,
+    "Value": Setting.Value
 } if {
-    some Policy in input.admin_consent_policies
+    some Setting in AllAdminConsentSettings
+    lower(Setting.Value) == "true"
+}
+
+# Save all settings that have a value of true
+BadAdminConsentSettings contains {
+    "SettingsGroup": Setting.SettingsGroup,
+    "Name": Setting.Name,
+    "Value": Setting.Value
+} if {
+    some Setting in AllAdminConsentSettings
+    lower(Setting.Value) == "false"
 }
 
 # If there is a policy that is not enabled, fail
 tests contains {
     "PolicyId": "MS.AAD.5.3v1",
     "Criticality": "Shall",
-    "Commandlet": ["Get-MgBetaPolicyAdminConsentRequestPolicy"],
-    "ActualValue": {"all_consent_policies": AllConsentPolicies},
+    "Commandlet": ["Get-MgBetaDirectorySetting"],
+    "ActualValue": {"all_admin_consent_policies": AllAdminConsentSettings},
     "ReportDetails": ReportDetailsBoolean(Status),
     "RequirementMet": Status
 } if {
-    BadPolicies := BadConsentPolicies
-    Status := count(BadPolicies) == 0
+    Conditions := [
+        count(BadAdminConsentSettings) == 0,
+        count(GoodAdminConsentSettings) > 0
+    ]
+    Status := count(FilterArray(Conditions, false)) == 0
 }
 #--
 

diff --git a/...baGear/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/ProviderSettingsExport.json b/...baGear/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/ProviderSettingsExport.json
@@ -11860,7 +11860,6 @@
     "Get-MgBetaPolicyAuthorizationPolicy",
     "Get-MgBetaSecuritySecureScore",
     "Get-MgBetaDirectorySetting",
-    "Get-MgBetaPolicyAdminConsentRequestPolicy",
     "Get-MgBetaPolicyAuthenticationMethodPolicy"
 ],
     "aad_unsuccessful_commands": [

diff --git a/...hell/ScubaGear/Testing/Unit/PowerShell/Providers/AADProvider/Export-AADProvider.Tests.ps1 b/...hell/ScubaGear/Testing/Unit/PowerShell/Providers/AADProvider/Export-AADProvider.Tests.ps1
@@ -63,11 +63,7 @@ InModuleScope -ModuleName ExportAADProvider {
                                 $this.SuccessfulCommands += $Command
                                 return [pscustomobject]@{}
                             }
-                            "Get-MgBetaPolicyAdminConsentRequestPolicy" {
-                                $this.SuccessfulCommands += $Command
-                                return [pscustomobject]@{}
-                            }
-                            "Get-MgBetaPolicyAuthenticationMethodPolicy" {
+                             "Get-MgBetaPolicyAuthenticationMethodPolicy" {
                                 $this.SuccessfulCommands += $Command
                                 return [pscustomobject]@{}
                             }

diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/AAD/AADConfig_05_test.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/AAD/AADConfig_05_test.rego
@@ -140,23 +140,51 @@ test_PermissionGrantPolicyIdsAssignedToDefaultUserRole_Incorrect_V2 if {
 #--
 test_IsEnabled_Correct if {
     Output := aad.tests with input as {
-        "admin_consent_policies": [
+        "directory_settings": [
             {
-                "IsEnabled": true,
-                "Id": "policy ID"
+                "DisplayName": "Setting display name",
+                "Values": [
+                    {
+                        "Name":  "EnableAdminConsentRequests",
+                        "Value":  "true"
+                    }
+                ]
             }
         ]
     }
 
     TestResult("MS.AAD.5.3v1", Output, PASS, true) == true
 }
 
+test_IsEnabled_Incorrect_Missing if {
+    Output := aad.tests with input as {
+        "directory_settings": [
+            {
+                "DisplayName": "Setting display name",
+                "Values": [
+                    {
+                        "Name":  "EnableGroupSpecificConsent",
+                        "Value":  "false"
+                    }
+                ]
+            }
+        ]
+    }
+
+    TestResult("MS.AAD.5.3v1", Output, FAIL, false) == true
+}
+
 test_IsEnabled_Incorrect if {
     Output := aad.tests with input as {
-        "admin_consent_policies": [
+        "directory_settings": [
             {
-                "IsEnabled": false,
-                "Id": null
+                "DisplayName": "Setting display name",
+                "Values": [
+                    {
+                        "Name":  "EnableAdminConsentRequests",
+                        "Value":  "false"
+                    }
+                ]
             }
         ]
     }

diff --git a/PowerShell/ScubaGear/baselines/aad.md b/PowerShell/ScubaGear/baselines/aad.md
@@ -441,7 +441,7 @@ Group owners SHALL NOT be allowed to consent to applications.
 
 2. Then in **Azure Active Directory** under **Manage**, select **Enterprise Applications.**
 
-3. Select **Admin consent settings**.
+3. Under **Security**, select **Consent and permissions**. Then select **User Consent Settings**.
 
 4. Under **Admin consent requests** > **Users can request admin consent to apps they are unable to consent to** select **Yes**.
 

diff --git a/Testing/Functional/Products/TestPlans/aad.testplan.yaml b/Testing/Functional/Products/TestPlans/aad.testplan.yaml
@@ -541,15 +541,32 @@ TestPlan:
           - Command: UpdateProviderExport
             Splat:
               updates:
-                admin_consent_policies[0].IsEnabled: false
+                directory_settings[0].DisplayName: Consent Policy Settings
+                directory_settings[0].Values:
+                  - Name: EnableAdminConsentRequests
+                    Value: ""
         Postconditions: []
         ExpectedResult: false
-      - TestDescription: MS.AAD.5.3v1 Compliant case - Admin Consent workflow is configured
+      - TestDescription: MS.AAD.5.3v1 Non-Compliant case - No Admin Consent workflow configured false
         Preconditions:
           - Command: UpdateProviderExport
             Splat:
               updates:
-                admin_consent_policies[0].IsEnabled: true
+                directory_settings[0].DisplayName: Consent Policy Settings
+                directory_settings[0].Values:
+                  - Name: EnableAdminConsentRequests
+                    Value: "false"
+        Postconditions: []
+        ExpectedResult: false
+      - TestDescription: MS.AAD.5.3v1 Compliant case - Admin Consent workflow is configured true
+        Preconditions:
+          - Command: UpdateProviderExport
+            Splat:
+              updates:
+                directory_settings[0].DisplayName: Consent Policy Settings
+                directory_settings[0].Values:
+                  - Name: EnableAdminConsentRequests
+                    Value: "true"
         Postconditions: []
         ExpectedResult: true