Implement AAD 3.4

cisagov · Jul 21, 2023 · 33b4380 · 33b4380
1 parent 411e15b
commit 33b4380
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 11 deletions.
diff --git a/PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1 b/PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1
@@ -100,6 +100,9 @@ function Export-AADProvider {
     # 2.7 Policy Bullet 2]
     $AdminConsentReqPolicies = ConvertTo-Json @($Tracker.TryCommand("Get-MgPolicyAdminConsentRequestPolicy"))
 
+    # Read the properties and relationships of an authentication method policy
+    $AuthenticationMethodPolicy = ConvertTo-Json @($Tracker.TryCommand("Get-MgPolicyAuthenticationMethodPolicy"))
+
     $SuccessfulCommands = ConvertTo-Json @($Tracker.GetSuccessfulCommands())
     $UnSuccessfulCommands = ConvertTo-Json @($Tracker.GetUnSuccessfulCommands())
 
@@ -113,6 +116,7 @@ function Export-AADProvider {
     "privileged_roles": $PrivilegedRoles,
     "service_plans": $ServicePlans,
     "directory_settings": $DirectorySettings,
+    "authentication_method": $AuthenticationMethodPolicy,
     "aad_successful_commands": $SuccessfulCommands,
     "aad_unsuccessful_commands": $UnSuccessfulCommands,
 "@

diff --git a/Rego/AADConfig.rego b/Rego/AADConfig.rego
@@ -361,15 +361,15 @@ tests[{
 #--
 # At this time we are unable to test for X because of NEW POLICY
 tests[{
-    "PolicyId": PolicyId,
-    "Criticality" : "Should/Not-Implemented",
-    "Commandlet" : [],
-    "ActualValue" : [],
-    "ReportDetails" : NotCheckedDetails(PolicyId),
-    "RequirementMet" : false
+    "PolicyId": "MS.AAD.3.4v1",
+    "Criticality" : "Shall",
+    "Commandlet" : ["Get-MgPolicyAuthenticationMethodPolicy"],
+    "ActualValue" : [Policy.PolicyMigrationState],
+    "ReportDetails" : ReportDetailsBoolean(Status),
+    "RequirementMet" : Status
 }] {
-    PolicyId := "MS.AAD.3.4v1"
-    true
+    Policy := input.authentication_method[_]
+    Status := Policy.PolicyMigrationState == "migrationComplete"
 }
 #--
 

diff --git a/Testing/Unit/Rego/AAD/AADConfig_03_test.rego b/Testing/Unit/Rego/AAD/AADConfig_03_test.rego
@@ -1,6 +1,7 @@
 package aad
 import future.keywords
 import data.report.utils.NotCheckedDetails
+import data.report.utils.ReportDetailsBoolean
 
 
 #
@@ -1285,16 +1286,40 @@ test_NotImplemented_Correct_V2 if {
 #
 # MS.AAD.3.4v1
 #--
-test_NotImplemented_Correct_V3 if {
+test_Migrated_Correct if {
     PolicyId := "MS.AAD.3.4v1"
 
-    Output := tests with input as { }
+    Output := tests with input as { 
+        "authentication_method": [
+            {
+                "PolicyMigrationState": "migrationComplete"
+            }
+        ]
+    }
+
+    RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId]
+
+    count(RuleOutput) == 1
+    RuleOutput[0].RequirementMet
+    RuleOutput[0].ReportDetails == ReportDetailsBoolean(true)
+}
+
+test_Migrated_Incorrect if {
+    PolicyId := "MS.AAD.3.4v1"
+
+    Output := tests with input as { 
+        "authentication_method": [
+            {
+                "PolicyMigrationState": "preMigration"
+            }
+        ]
+    }
 
     RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId]
 
     count(RuleOutput) == 1
     not RuleOutput[0].RequirementMet
-    RuleOutput[0].ReportDetails == NotCheckedDetails(PolicyId)
+    RuleOutput[0].ReportDetails == ReportDetailsBoolean(false)
 }
 #--