From 67bf207e07e833d51ede25650466f6aacf8628ae Mon Sep 17 00:00:00 2001
From: Richard Crutchfield
Date: Fri, 9 Feb 2024 09:55:16 -0500
Subject: [PATCH] Remove an unnecessary cmdlet from aad policy check 5.3 to improve performance of the provider (#896)
* WIP
* Update test plan
* Fix 5.3 step 3 instructions
---
 .../Modules/Providers/ExportAADProvider.psm1 | 6 +--
 PowerShell/ScubaGear/Rego/AADConfig.rego | 46 +++++++++++++------
 .../ProviderSettingsExport.json | 1 -
 .../AADProvider/Export-AADProvider.Tests.ps1 | 6 +--
 .../Unit/Rego/AAD/AADConfig_05_test.rego | 40 +++++++++++++---
 PowerShell/ScubaGear/baselines/aad.md | 2 +-
 .../Products/TestPlans/aad.testplan.yaml | 23 ++++++++--
 7 files changed, 90 insertions(+), 34 deletions(-)
diff --git a/PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1 b/PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1
index e9cb965aff..df2f1c8db8 100644
--- a/PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1
+++ b/PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1
@@ -102,12 +102,9 @@ function Export-AADProvider {
 # 5.1, 5.2, 8.1 & 8.3
 $AuthZPolicies = ConvertTo-Json @($Tracker.TryCommand("Get-MgBetaPolicyAuthorizationPolicy"))
- # 5.4
+ # 5.3, 5.4
 $DirectorySettings = ConvertTo-Json -Depth 10 @($Tracker.TryCommand("Get-MgBetaDirectorySetting"))
- # 5.3
- $AdminConsentReqPolicies = ConvertTo-Json @($Tracker.TryCommand("Get-MgBetaPolicyAdminConsentRequestPolicy"))
-
 # Read the properties and relationships of an authentication method policy
 $AuthenticationMethodPolicy = ConvertTo-Json @($Tracker.TryCommand("Get-MgBetaPolicyAuthenticationMethodPolicy"))
@@ -122,7 +119,6 @@ function Export-AADProvider {
 "conditional_access_policies": $AllPolicies,
 "cap_table_data": $CapTableData,
 "authorization_policies": $AuthZPolicies,
- "admin_consent_policies": $AdminConsentReqPolicies,
 "privileged_users": $PrivilegedUsers,
 "privileged_roles": $PrivilegedRoles,
 "service_plans": $ServicePlans,
diff --git a/PowerShell/ScubaGear/Rego/AADConfig.rego b/PowerShell/ScubaGear/Rego/AADConfig.rego
index 1080740691..dff633885b 100644
--- a/PowerShell/ScubaGear/Rego/AADConfig.rego
+++ b/PowerShell/ScubaGear/Rego/AADConfig.rego
@@ -521,31 +521,51 @@ tests contains {
 # MS.AAD.5.3v1
 #--
-# Save the policy Id of any not enabled
-BadConsentPolicies contains Policy.Id if {
- some Policy in input.admin_consent_policies
- Policy.IsEnabled == false
+# For specific setting, save the value & group.
+AllAdminConsentSettings contains {
+ "SettingsGroup": SettingGroup.DisplayName,
+ "Name": Setting.Name,
+ "Value": Setting.Value
+} if {
+ some SettingGroup in input.directory_settings
+ some Setting in SettingGroup.Values
+ Setting.Name == "EnableAdminConsentRequests"
 }
-# Get all policies
-AllConsentPolicies contains {
- "PolicyId": Policy.Id,
- "IsEnabled": Policy.IsEnabled
+# Save all settings that have a value of false
+GoodAdminConsentSettings contains {
+ "SettingsGroup": Setting.SettingsGroup,
+ "Name": Setting.Name,
+ "Value": Setting.Value
 } if {
- some Policy in input.admin_consent_policies
+ some Setting in AllAdminConsentSettings
+ lower(Setting.Value) == "true"
+}
+
+# Save all settings that have a value of true
+BadAdminConsentSettings contains {
+ "SettingsGroup": Setting.SettingsGroup,
+ "Name": Setting.Name,
+ "Value": Setting.Value
+} if {
+ some Setting in AllAdminConsentSettings
+ lower(Setting.Value) == "false"
 }
 # If there is a policy that is not enabled, fail
 tests contains {
 "PolicyId": "MS.AAD.5.3v1",
 "Criticality": "Shall",
- "Commandlet": ["Get-MgBetaPolicyAdminConsentRequestPolicy"],
- "ActualValue": {"all_consent_policies": AllConsentPolicies},
+ "Commandlet": ["Get-MgBetaDirectorySetting"],
+ "ActualValue": {"all_admin_consent_policies": AllAdminConsentSettings},
 "ReportDetails": ReportDetailsBoolean(Status),
 "RequirementMet": Status
 } if {
- BadPolicies := BadConsentPolicies
- Status := count(BadPolicies) == 0
+ Conditions := [
+ count(BadAdminConsentSettings) == 0,
+ count(GoodAdminConsentSettings) > 0
+ ]
+ Status := count(FilterArray(Conditions, false)) == 0
 }
 #--
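Review bot: The comments above GoodAdminConsentSettings and BadAdminConsentSettings are swapped relative to their bodies: the set that keeps `lower(Setting.Value) == "true"` is headed `# Save all settings that have a value of false`, and the set that keeps `"false"` is headed `# Save all settings that have a value of true`. Swap them to `# Save all EnableAdminConsentRequests settings whose value is true (request workflow enabled)` and `# Save all EnableAdminConsentRequests settings whose value is false (request workflow disabled)`. The comment `# If there is a policy that is not enabled, fail` above the tests rule is also stale now that Status additionally requires at least one true setting, so a tenant with no EnableAdminConsentRequests value at all fails as well; `# Fail if any setting is false, or if no enabled setting was found at all` describes the new condition. Note that `lower()` appears to be undefined for a non-string Value, so a boolean-typed value would land in neither set and fail through the second condition — that looks like deliberate fail-closed behaviour, but a one-line comment saying so would stop the next reader from "fixing" it.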
diff --git a/PowerShell/ScubaGear/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/ProviderSettingsExport.json b/PowerShell/ScubaGear/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/ProviderSettingsExport.json
index 4668af5006..7dfcfe3a6b 100644
--- a/PowerShell/ScubaGear/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/ProviderSettingsExport.json
+++ b/PowerShell/ScubaGear/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/ProviderSettingsExport.json
@@ -11860,7 +11860,6 @@
 "Get-MgBetaPolicyAuthorizationPolicy",
 "Get-MgBetaSecuritySecureScore",
 "Get-MgBetaDirectorySetting",
- "Get-MgBetaPolicyAdminConsentRequestPolicy",
 "Get-MgBetaPolicyAuthenticationMethodPolicy"
 ],
 "aad_unsuccessful_commands": [
diff --git a/PowerShell/ScubaGear/Testing/Unit/PowerShell/Providers/AADProvider/Export-AADProvider.Tests.ps1 b/PowerShell/ScubaGear/Testing/Unit/PowerShell/Providers/AADProvider/Export-AADProvider.Tests.ps1
index 5adbc9cec2..06c56c546c 100644
--- a/PowerShell/ScubaGear/Testing/Unit/PowerShell/Providers/AADProvider/Export-AADProvider.Tests.ps1
+++ b/PowerShell/ScubaGear/Testing/Unit/PowerShell/Providers/AADProvider/Export-AADProvider.Tests.ps1
@@ -63,11 +63,7 @@ InModuleScope -ModuleName ExportAADProvider {
 $this.SuccessfulCommands += $Command
 return [pscustomobject]@{}
 }
- "Get-MgBetaPolicyAdminConsentRequestPolicy" {
- $this.SuccessfulCommands += $Command
- return [pscustomobject]@{}
- }
- "Get-MgBetaPolicyAuthenticationMethodPolicy" {
+ "Get-MgBetaPolicyAuthenticationMethodPolicy" {
 $this.SuccessfulCommands += $Command
 return [pscustomobject]@{}
 }
diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/AAD/AADConfig_05_test.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/AAD/AADConfig_05_test.rego
index 696ca16d36..c3356575ff 100644
--- a/PowerShell/ScubaGear/Testing/Unit/Rego/AAD/AADConfig_05_test.rego
+++ b/PowerShell/ScubaGear/Testing/Unit/Rego/AAD/AADConfig_05_test.rego
@@ -140,10 +140,15 @@ test_PermissionGrantPolicyIdsAssignedToDefaultUserRole_Incorrect_V2 if {
 #--
 test_IsEnabled_Correct if {
 Output := aad.tests with input as {
- "admin_consent_policies": [
+ "directory_settings": [
 {
- "IsEnabled": true,
- "Id": "policy ID"
+ "DisplayName": "Setting display name",
+ "Values": [
+ {
+ "Name": "EnableAdminConsentRequests",
+ "Value": "true"
+ }
+ ]
 }
 ]
 }
@@ -151,12 +156,35 @@ test_IsEnabled_Correct if {
 TestResult("MS.AAD.5.3v1", Output, PASS, true) == true
 }
+test_IsEnabled_Incorrect_Missing if {
+ Output := aad.tests with input as {
+ "directory_settings": [
+ {
+ "DisplayName": "Setting display name",
+ "Values": [
+ {
+ "Name": "EnableGroupSpecificConsent",
+ "Value": "false"
+ }
+ ]
+ }
+ ]
+ }
+
+ TestResult("MS.AAD.5.3v1", Output, FAIL, false) == true
+}
+
 test_IsEnabled_Incorrect if {
 Output := aad.tests with input as {
- "admin_consent_policies": [
+ "directory_settings": [
 {
- "IsEnabled": false,
- "Id": null
+ "DisplayName": "Setting display name",
+ "Values": [
+ {
+ "Name": "EnableAdminConsentRequests",
+ "Value": "false"
+ }
+ ]
 }
 ]
 }
diff --git a/PowerShell/ScubaGear/baselines/aad.md b/PowerShell/ScubaGear/baselines/aad.md
index c3250d10da..eb5dcaf496 100644
--- a/PowerShell/ScubaGear/baselines/aad.md
+++ b/PowerShell/ScubaGear/baselines/aad.md
@@ -441,7 +441,7 @@ Group owners SHALL NOT be allowed to consent to applications.
 2. Then in **Azure Active Directory** under **Manage**, select **Enterprise Applications.**
-3. Select **Admin consent settings**.
+3. Under **Security**, select **Consent and permissions**. Then select **User Consent Settings**.
 4. Under **Admin consent requests** > **Users can request admin consent to apps they are unable to consent to** select **Yes**.
diff --git a/Testing/Functional/Products/TestPlans/aad.testplan.yaml b/Testing/Functional/Products/TestPlans/aad.testplan.yaml
index 910c1bb64f..6c75e219e9 100644
--- a/Testing/Functional/Products/TestPlans/aad.testplan.yaml
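Review bot: Neither the new test_IsEnabled_Incorrect_Missing nor the rewritten test_IsEnabled_Correct / test_IsEnabled_Incorrect covers a mixed export in which one settings group reports EnableAdminConsentRequests as "true" and another reports "false", which is exactly the case where the rule's `count(BadAdminConsentSettings) == 0` condition has to override the "at least one true" condition; every case here has a single group with a single value. A case-variant value such as "True" is also untested even though the rule lowercases it before comparing. A test like the one below (constructed sample input) would pin the fail-closed behaviour for the mixed case; the enclosing test file continues outside the hunk.
```rego
test_IsEnabled_Incorrect_Mixed if {
    Output := aad.tests with input as {
        "directory_settings": [
            {
                "DisplayName": "Setting display name",
                "Values": [{"Name": "EnableAdminConsentRequests", "Value": "True"}]
            },
            {
                "DisplayName": "Second settings group",
                "Values": [{"Name": "EnableAdminConsentRequests", "Value": "false"}]
            }
        ]
    }

    TestResult("MS.AAD.5.3v1", Output, FAIL, false) == true
}
```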
+++ b/Testing/Functional/Products/TestPlans/aad.testplan.yaml
@@ -541,15 +541,32 @@ TestPlan:
 - Command: UpdateProviderExport
 Splat:
 updates:
- admin_consent_policies[0].IsEnabled: false
+ directory_settings[0].DisplayName: Consent Policy Settings
+ directory_settings[0].Values:
+ - Name: EnableAdminConsentRequests
+ Value: ""
 Postconditions: []
 ExpectedResult: false
- - TestDescription: MS.AAD.5.3v1 Compliant case - Admin Consent workflow is configured
+ - TestDescription: MS.AAD.5.3v1 Non-Compliant case - No Admin Consent workflow configured false
 Preconditions:
 - Command: UpdateProviderExport
 Splat:
 updates:
- admin_consent_policies[0].IsEnabled: true
+ directory_settings[0].DisplayName: Consent Policy Settings
+ directory_settings[0].Values:
+ - Name: EnableAdminConsentRequests
+ Value: "false"
+ Postconditions: []
+ ExpectedResult: false
+ - TestDescription: MS.AAD.5.3v1 Compliant case - Admin Consent workflow is configured true
+ Preconditions:
+ - Command: UpdateProviderExport
+ Splat:
+ updates:
+ directory_settings[0].DisplayName: Consent Policy Settings
+ directory_settings[0].Values:
+ - Name: EnableAdminConsentRequests
+ Value: "true"
 Postconditions: []
 ExpectedResult: true
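Review bot: The two added TestDescription strings end in a bare `false` / `true` after the sentence (`... No Admin Consent workflow configured false`, `... Admin Consent workflow is configured true`), which reads like an editing leftover rather than part of the description; unless the harness keys on those tokens, drop them, e.g. `- TestDescription: MS.AAD.5.3v1 Non-Compliant case - No Admin Consent workflow configured`. The first precondition sets `Value: ""`, which the rule treats as neither true nor false, so that case fails only because no enabled setting is found; its TestDescription sits above the hunk, but naming that distinction there would make the intent of the empty value clear. All three cases overwrite `directory_settings[0]` only, so an export with a second settings group carrying a conflicting value is not exercised by this plan.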