Skip to content

Commit

Permalink
Implement MS.AAD.3.4v1 - Migration Authentication Method policy (#445)
Browse files Browse the repository at this point in the history
* Implement AAD 3.4

* Remove MS Graph 2.0 from GitHub Action, Run PowerShell Tests (#446)

* Remove MS Graph 2.0

* Add MS Graph 2.0 removal to SmokeTest

* Add path to run smoke test

* Fix YAML error

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* Initial drop of secure baseline automation  (#336)

* initial teams drop

* Add markdown check

* Fix spelling

* Check action

* Test Action

* Check version

* Fix Markdown test

* Add path *.md

* Update anchor func

* Update AAD

* WIP

* WIP

* WIP

* WIP

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* initial teams drop

* Update AAD

* WIP

* WIP

* WIP

* WIP

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* initial teams drop

* Update AAD

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* Fix UT errors

* Default baseline for testing

* Updates based on review comments

* Call Import-SecureBaseline once

* Update for review comments

* Review updates

* Add help comment

* remove unused import

* Fix OPA  check issues

* fix opa tests action

* Update action to test

* Action update

* Sum PS/Bug as Errors

* Update darkmode colors

* Fix UT after Rebase

* Fix UT

* Fix error log

* Update UT for NewReport

* Update link color

---------

Co-authored-by: Andrew Huynh <[email protected]>
Co-authored-by: Addam Schroll <[email protected]>
Co-authored-by: Sloane4 <[email protected]>

* Add quiet mode for invoke-scuba (#357)

* Add quiet option

* Invert Stance on Defender Preset Policies in Markdown (#355)

* Inverted 2.1, removed applicable controls

* Ironed out baselines for the using the preset policies

* Minor wording updates to MS.DEFENDER.1.1v1 rationale

* Minor wording updates to MS.DEFENDER.2.3v1 policy statement

* Minor wording updates to MS.DEFENDER.2.3v1 rationale

* Update to MS.DEFENDER.2.4v1 license restrictions in GCC high and DoD regions

* Minor wording updates to MS.DEFENDER.3.1v1 rationale

* Minor wording update to MS.DEFENDER.2.3v1 rationale

* Minor wording change to Safe Attachments group text

* Remove hyphen from Safe Attachments policy group title.

* Added new policy item 1.1v1 and renumered others; added sensitive accounts language

---------

Co-authored-by: Addam Schroll <[email protected]>
Co-authored-by: Addam Schroll <[email protected]>

* Substantiative changes to Sharepoint Baseline minus Rationale (#360)

* Structural baseline updates (cleaned up) (#334)

---------

* Split policies for testing purposes

* Addition for github issue: Add a new SharePoint Guest sign in Policy #307

* Updated for github issue: Direct the user to save in policy implementation SharePoint #301

* Initial drop of secure baseline automation  (#336)

* initial teams drop

* Add markdown check

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* initial teams drop

* Update AAD

* WIP

* WIP

* WIP

* WIP

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* initial teams drop

* Update AAD

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* Fix UT errors

* Default baseline for testing

* Updates based on review comments

* Call Import-SecureBaseline once

* Update for review comments

* Review updates

* Add help comment

* remove unused import

* Fix OPA  check issues

* fix opa tests action

* Update action to test

* Action update

* Sum PS/Bug as Errors

* Update darkmode colors

* Fix UT after Rebase

* Fix UT

* Fix error log

* Update UT for NewReport

* Update link color

---------

Co-authored-by: Andrew Huynh <[email protected]>
Co-authored-by: Addam Schroll <[email protected]>
Co-authored-by: Sloane4 <[email protected]>

* Update for github issue Sharepoint 2.3 Sharing settings cannot be more restrictive than the tenant level #288

* Updat for github issue Update SharePoint Policy 2.4 Code #300

* Additional changes for #288

* Update with correct implementations

* Update for github issue #303

* Added some rational & fixed policy numbers

* Split policy 5 to improve setting check & report.

* Updated for duplicates with onedrive

* Add resource for details about reauthentication github issue #299

* Removed Should & Shall from intro paragraphs.

* Split implementation for each policy item

* Updated code to match baseline TODO Unit tests

* Updated unit tests

* Fixed policy 4

* Update commandlet for MS.SHAREPOINT.5.2v1

* Updated content style guide for new rego structure

* Readded comments to MS.SHAREPOINT.5.2v1

* Baseline updated with requested fixes (addam)

* Move updates to content style guide to new branch (not part of current scope)

* Update ErrMsg for MS.SHAREPOINT.4 to be more readable

---------

Co-authored-by: Andrew Huynh <[email protected]>
Co-authored-by: Addam Schroll <[email protected]>
Co-authored-by: Richard Crutchfield <[email protected]>

* Fix test location file path (#367)

* Enhanced smoke test - check for missing results (#356)

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* Initial drop of secure baseline automation  (#336)

* initial teams drop

* Add markdown check

* Fix spelling

* Check action

* Test Action

* Check version

* Fix Markdown test

* Add path *.md

* Update anchor func

* Update AAD

* WIP

* WIP

* WIP

* WIP

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* initial teams drop

* Update AAD

* WIP

* WIP

* WIP

* WIP

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* initial teams drop

* Update AAD

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* Fix UT errors

* Default baseline for testing

* Updates based on review comments

* Call Import-SecureBaseline once

* Update for review comments

* Review updates

* Add help comment

* remove unused import

* Fix OPA  check issues

* fix opa tests action

* Update action to test

* Action update

* Sum PS/Bug as Errors

* Update darkmode colors

* Fix UT after Rebase

* Fix UT

* Fix error log

* Update UT for NewReport

* Update link color

---------

Co-authored-by: Andrew Huynh <[email protected]>
Co-authored-by: Addam Schroll <[email protected]>
Co-authored-by: Sloane4 <[email protected]>

* Check if missing reported

* Change missing to warning

* Fix UT for warning

* Update Testing/Unit/PowerShell/CreateReport/New-Report.Tests.ps1

* Update Testing/Unit/PowerShell/CreateReport/New-Report.Tests.ps1

* Align with updated defender.md

* Update to match defender

---------

Co-authored-by: Andrew Huynh <[email protected]>
Co-authored-by: Addam Schroll <[email protected]>
Co-authored-by: Sloane4 <[email protected]>

* One drive baseline (#370)

* update onedrive baseline

* remove should shall language

* remove Configuring On-Premises Devices session at the end of the doc

* Update wording for policy1

Co-authored-by: Addam Schroll <[email protected]>

* Update policy 2 to keep consistency

Co-authored-by: Addam Schroll <[email protected]>

* Update wording for note

Co-authored-by: Addam Schroll <[email protected]>

* Spelling error fix

Co-authored-by: Addam Schroll <[email protected]>

* spelling fix

Co-authored-by: Addam Schroll <[email protected]>

* change name to match with sharepoint

* Update onedrive.md

remove MS.ONEDRIVE.3.1v1 because it is actually duplicate of policy MS.ONEDRIVE.1.1v1 @Sloane4 Might want to remove the reference in MS.SHAREPOINT.2.1v1

* Update onedrive.md

revert changes

---------

Co-authored-by: Addam Schroll <[email protected]>

* DLP policy group additions and updates (#381)

* Adjudicate Substantive AAD Baseline Comments (#379)

* Updated to reflect phishing-resistant preferences

* Updated to reflect phishing resistant pref'starting

* Updates to AAD Policy 2.4

* Updates to aad policies

* Updates to aad markdown

* aad updates

* aad baseline updates

* aad baseline update (2.10)

* aad baseline updates (removed 2.9)

* updates to aad baseline (16.2)

* aad 4.1 implementation updates

* updates to aad 4 baseline policy implementations

* Updates to aad policy 14

* updates to aad baseline

* updates to aad.4.7v1 implementation

* updates to aad.4.7v1

* Consolidated highly privileged user policies

* fixes to aad.11.x

* updates to policy 7

* Update to AAD 11 policy front matter (intro text)

* updates to aad baseline

* testing write to GitHub

* backup of revisions 062223

* backup 062323 6:47

* backup 062623

---------

Co-authored-by: Ted Kolovos <[email protected]>

* Added SharePoint to MS.DEFENDER.4.2v1 locations (#402)

* Update aad scubagear code to align to revised baseline (#408)

* Rearranged policies to match baseline updates

* Added versioning for duplicate unit test title

* Removed unused import

* Updated MS.AAD.7.1v1 from less than 5 to less than 9

* Updated comment?

* Updated yaml file

* Comment update

* Differentiate policy id vs implementation (#414)

* Updated ReportDetails on tests to match patch results (#426)

* Address Power Platform pilot comments and substantive changes in the baseline document Part 2 (#424)

* power platform baseline doc refactor

* address Grant's comments

* forgot to update this header

* consistent Policies header

* Update Smoke Test to handle CAP  (#418)

* Fix CAP table check

* Fix lint issue

* update MS.AAD.7.6v1 to only check for global admin (#428)

* Combine Sharepoint with OneDrive and address feedback from review period (#393)

* draft update & merge of Sharepoint OneDrive

* fixed policies wrong spelling

* fixed note indent formatting

* delete onedrive md file - have a combined file now

* missing heading for some implementations

* Added rationales for all policy items.

* spelling errors and removed instructions comma

* changed IDs to SHAREPOINT based on team vote

* fixed duplicate ID in instructions

---------

Co-authored-by: Addam Schroll <[email protected]>

* Implement MS.AAD.3.1v1 phishing resistant mfa for all users (#433)

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* Initial drop of secure baseline automation  (#336)

* initial teams drop

* Add markdown check

* Fix spelling

* Check action

* Test Action

* Check version

* Fix Markdown test

* Add path *.md

* Update anchor func

* Update AAD

* WIP

* WIP

* WIP

* WIP

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* initial teams drop

* Update AAD

* WIP

* WIP

* WIP

* WIP

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* initial teams drop

* Update AAD

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* Fix UT errors

* Default baseline for testing

* Updates based on review comments

* Call Import-SecureBaseline once

* Update for review comments

* Review updates

* Add help comment

* remove unused import

* Fix OPA  check issues

* fix opa tests action

* Update action to test

* Action update

* Sum PS/Bug as Errors

* Update darkmode colors

* Fix UT after Rebase

* Fix UT

* Fix error log

* Update UT for NewReport

* Update link color

---------

Co-authored-by: Andrew Huynh <[email protected]>
Co-authored-by: Addam Schroll <[email protected]>
Co-authored-by: Sloane4 <[email protected]>

* Add quiet mode for invoke-scuba (#357)

* Add quiet option

* Invert Stance on Defender Preset Policies in Markdown (#355)

* Inverted 2.1, removed applicable controls

* Ironed out baselines for the using the preset policies

* Minor wording updates to MS.DEFENDER.1.1v1 rationale

* Minor wording updates to MS.DEFENDER.2.3v1 policy statement

* Minor wording updates to MS.DEFENDER.2.3v1 rationale

* Update to MS.DEFENDER.2.4v1 license restrictions in GCC high and DoD regions

* Minor wording updates to MS.DEFENDER.3.1v1 rationale

* Minor wording update to MS.DEFENDER.2.3v1 rationale

* Minor wording change to Safe Attachments group text

* Remove hyphen from Safe Attachments policy group title.

* Added new policy item 1.1v1 and renumered others; added sensitive accounts language

---------

Co-authored-by: Addam Schroll <[email protected]>
Co-authored-by: Addam Schroll <[email protected]>

* Substantiative changes to Sharepoint Baseline minus Rationale (#360)

* Structural baseline updates (cleaned up) (#334)

---------

* Split policies for testing purposes

* Addition for github issue: Add a new SharePoint Guest sign in Policy #307

* Updated for github issue: Direct the user to save in policy implementation SharePoint #301

* Initial drop of secure baseline automation  (#336)

* initial teams drop

* Add markdown check

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* initial teams drop

* Update AAD

* WIP

* WIP

* WIP

* WIP

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* initial teams drop

* Update AAD

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* Fix UT errors

* Default baseline for testing

* Updates based on review comments

* Call Import-SecureBaseline once

* Update for review comments

* Review updates

* Add help comment

* remove unused import

* Fix OPA  check issues

* fix opa tests action

* Update action to test

* Action update

* Sum PS/Bug as Errors

* Update darkmode colors

* Fix UT after Rebase

* Fix UT

* Fix error log

* Update UT for NewReport

* Update link color

---------

Co-authored-by: Andrew Huynh <[email protected]>
Co-authored-by: Addam Schroll <[email protected]>
Co-authored-by: Sloane4 <[email protected]>

* Update for github issue Sharepoint 2.3 Sharing settings cannot be more restrictive than the tenant level #288

* Updat for github issue Update SharePoint Policy 2.4 Code #300

* Additional changes for #288

* Update with correct implementations

* Update for github issue #303

* Added some rational & fixed policy numbers

* Split policy 5 to improve setting check & report.

* Updated for duplicates with onedrive

* Add resource for details about reauthentication github issue #299

* Removed Should & Shall from intro paragraphs.

* Split implementation for each policy item

* Updated code to match baseline TODO Unit tests

* Updated unit tests

* Fixed policy 4

* Update commandlet for MS.SHAREPOINT.5.2v1

* Updated content style guide for new rego structure

* Readded comments to MS.SHAREPOINT.5.2v1

* Baseline updated with requested fixes (addam)

* Move updates to content style guide to new branch (not part of current scope)

* Update ErrMsg for MS.SHAREPOINT.4 to be more readable

---------

Co-authored-by: Andrew Huynh <[email protected]>
Co-authored-by: Addam Schroll <[email protected]>
Co-authored-by: Richard Crutchfield <[email protected]>

* Fix test location file path (#367)

* Enhanced smoke test - check for missing results (#356)

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* Initial drop of secure baseline automation  (#336)

* initial teams drop

* Add markdown check

* Fix spelling

* Check action

* Test Action

* Check version

* Fix Markdown test

* Add path *.md

* Update anchor func

* Update AAD

* WIP

* WIP

* WIP

* WIP

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* initial teams drop

* Update AAD

* WIP

* WIP

* WIP

* WIP

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* initial teams drop

* Update AAD

* WIP

* Structural baseline updates (cleaned up) (#334)

* Update aad.md

all updates

* Update defender.md

all updates

* Update exchange.md

all updates

* Rename exchange.md to exo.md

* Update onedrive.md

* Update powerbi.md

all updates

* Update powerplatform.md

all updates

* Update sharepoint.md

all updates

* Update teams.md

all updates

* Update baselines/defender.md

good catch!

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/powerbi.md

Co-authored-by: Addam Schroll <[email protected]>

* Update baselines/aad.md

Co-authored-by: Addam Schroll <[email protected]>

* Update aad.md

referenced old policy number

* Update powerbi.md

---------

Co-authored-by: Addam Schroll <[email protected]>

* Fix UT errors

* Default baseline for testing

* Updates based on review comments

* Call Import-SecureBaseline once

* Update for review comments

* Review updates

* Add help comment

* remove unused import

* Fix OPA  check issues

* fix opa tests action

* Update action to test

* Action update

* Sum PS/Bug as Errors

* Update darkmode colors

* Fix UT after Rebase

* Fix UT

* Fix error log

* Update UT for NewReport

* Update link color

---------

Co-authored-by: Andrew Huynh <[email protected]>
Co-authored-by: Addam Schroll <[email protected]>
Co-authored-by: Sloane4 <[email protected]>

* Check if missing reported

* Change missing to warning

* Fix UT for warning

* Update Testing/Unit/PowerShell/CreateReport/New-Report.Tests.ps1

* Update Testing/Unit/PowerShell/CreateReport/New-Report.Tests.ps1

* Align with updated defender.md

* Update to match defender

---------

Co-authored-by: Andrew Huynh <[email protected]>
Co-authored-by: Addam Schroll <[email protected]>
Co-authored-by: Sloane4 <[email protected]>

* One drive baseline (#370)

* update onedrive baseline

* remove should shall language

* remove Configuring On-Premises Devices session at the end of the doc

* Update wording for policy1

Co-authored-by: Addam Schroll <[email protected]>

* Update policy 2 to keep consistency

Co-authored-by: Addam Schroll <[email protected]>

* Update wording for note

Co-authored-by: Addam Schroll <[email protected]>

* Spelling error fix

Co-authored-by: Addam Schroll <[email protected]>

* spelling fix

Co-authored-by: Addam Schroll <[email protected]>

* change name to match with sharepoint

* Update onedrive.md

remove MS.ONEDRIVE.3.1v1 because it is actually duplicate of policy MS.ONEDRIVE.1.1v1 @Sloane4 Might want to remove the reference in MS.SHAREPOINT.2.1v1

* Update onedrive.md

revert changes

---------

Co-authored-by: Addam Schroll <[email protected]>

* DLP policy group additions and updates (#381)

* Adjudicate Substantive AAD Baseline Comments (#379)

* Updated to reflect phishing-resistant preferences

* Updated to reflect phishing resistant pref'starting

* Updates to AAD Policy 2.4

* Updates to aad policies

* Updates to aad markdown

* aad updates

* aad baseline updates

* aad baseline update (2.10)

* aad baseline updates (removed 2.9)

* updates to aad baseline (16.2)

* aad 4.1 implementation updates

* updates to aad 4 baseline policy implementations

* Updates to aad policy 14

* updates to aad baseline

* updates to aad.4.7v1 implementation

* updates to aad.4.7v1

* Consolidated highly privileged user policies

* fixes to aad.11.x

* updates to policy 7

* Update to AAD 11 policy front matter (intro text)

* updates to aad baseline

* testing write to GitHub

* backup of revisions 062223

* backup 062323 6:47

* backup 062623

---------

Co-authored-by: Ted Kolovos <[email protected]>

* Added SharePoint to MS.DEFENDER.4.2v1 locations (#402)

* Update aad scubagear code to align to revised baseline (#408)

* Rearranged policies to match baseline updates

* Added versioning for duplicate unit test title

* Removed unused import

* Updated MS.AAD.7.1v1 from less than 5 to less than 9

* Updated comment?

* Updated yaml file

* Comment update

* Differentiate policy id vs implementation (#414)

* WIP

* Updated ReportDetails on tests to match patch results (#426)

* Address Power Platform pilot comments and substantive changes in the baseline document Part 2 (#424)

* power platform baseline doc refactor

* address Grant's comments

* forgot to update this header

* consistent Policies header

* wip

* Implemented AAD 3.1

* WIP

* wip

* Implemented AAD 3.1

* Update Rego/AADConfig.rego

* Update Smoke Test to handle CAP  (#418)

* Fix CAP table check

* Fix lint issue

* update MS.AAD.7.6v1 to only check for global admin (#428)

* Combine Sharepoint with OneDrive and address feedback from review period (#393)

* draft update & merge of Sharepoint OneDrive

* fixed policies wrong spelling

* fixed note indent formatting

* delete onedrive md file - have a combined file now

* missing heading for some implementations

* Added rationales for all policy items.

* spelling errors and removed instructions comma

* changed IDs to SHAREPOINT based on team vote

* fixed duplicate ID in instructions

---------

Co-authored-by: Addam Schroll <[email protected]>

* Adjudicate review comments

* WIP

* wip

* Implemented AAD 3.1

* WIP

* wip

* Update Rego/AADConfig.rego

* Adjudicate review comments

---------

Co-authored-by: Andrew Huynh <[email protected]>
Co-authored-by: Addam Schroll <[email protected]>
Co-authored-by: Sloane4 <[email protected]>
Co-authored-by: Alden Hilton <[email protected]>
Co-authored-by: Addam Schroll <[email protected]>
Co-authored-by: Cassandra Diaz <[email protected]>
Co-authored-by: Dylan Gao <[email protected]>
Co-authored-by: Shanti Satyapal <[email protected]>
Co-authored-by: Ted Kolovos <[email protected]>
Co-authored-by: David Bui <[email protected]>
Co-authored-by: Ted Kolovos <[email protected]>

* Implement AAD 3.4

---------

Co-authored-by: Andrew Huynh <[email protected]>
Co-authored-by: Addam Schroll <[email protected]>
Co-authored-by: Sloane4 <[email protected]>
Co-authored-by: Alden Hilton <[email protected]>
Co-authored-by: Addam Schroll <[email protected]>
Co-authored-by: Cassandra Diaz <[email protected]>
Co-authored-by: Dylan Gao <[email protected]>
Co-authored-by: Shanti Satyapal <[email protected]>
Co-authored-by: Ted Kolovos <[email protected]>
Co-authored-by: David Bui <[email protected]>
Co-authored-by: Ted Kolovos <[email protected]>
  • Loading branch information
12 people authored Aug 7, 2023
1 parent a23d228 commit abfb0a5
Show file tree
Hide file tree
Showing 5 changed files with 63 additions and 11 deletions.
11 changes: 11 additions & 0 deletions .github/workflows/run_powershell_tests.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ on:
paths:
- "**.ps1"
- "**.psm1"
- ".github/workflows/run_powershell_tests.yaml"
pull_request:
types: [opened, reopened]
branches:
Expand All @@ -24,7 +25,17 @@ jobs:
- name: Check out repository code
uses: actions/checkout@v3

- name: Remove Graph 2.0
shell: powershell
run: |
# Remove Microsoft.Graph module(s) from image until SCUBA steps up to 2.0+
Write-Output "NOTICE: Removing Microsoft.Graph version 2.0. Remove this step when SCuBA steps up to this version."
Uninstall-Module Microsoft.Graph -ErrorAction SilentlyContinue
Get-InstalledModule Microsoft.Graph.* | %{ if($_.Name -ne "Microsoft.Graph.Authentication"){ Write-Output "Removing: $($_.Name)"; Uninstall-Module $_.Name -AllowPrerelease -AllVersions } }
Uninstall-Module Microsoft.Graph.Authentication -AllowPrerelease -AllVersions
- name: Run Pester Tests
if: '!cancelled()'
shell: powershell
run: |
./SetUp.ps1
Expand Down
12 changes: 12 additions & 0 deletions .github/workflows/run_smoke_test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@ on:
pull_request_review:
types: [submitted]
push:
paths:
- ".github/workflows/run_smoke_test.yaml"
branches:
- "main"
- "*smoke*"
Expand All @@ -26,6 +28,16 @@ jobs:
steps:
- name: Checkout repo code
uses: actions/checkout@v3

- name: Remove Graph 2.0
shell: powershell
run: |
# Remove Microsoft.Graph module(s) from image until SCUBA steps up to 2.0+
Write-Output "NOTICE: Removing Microsoft.Graph version 2.0. Remove this step when SCuBA steps up to this version."
Uninstall-Module Microsoft.Graph -ErrorAction SilentlyContinue
Get-InstalledModule Microsoft.Graph.* | %{ if($_.Name -ne "Microsoft.Graph.Authentication"){ Write-Output "Removing: $($_.Name)"; Uninstall-Module $_.Name -AllowPrerelease -AllVersions } }
Uninstall-Module Microsoft.Graph.Authentication -AllowPrerelease -AllVersions
- name: Execute ScubaGear and Check Outputs
run: |
. Testing/Functional/SmokeTest/SmokeTestUtils.ps1
Expand Down
4 changes: 4 additions & 0 deletions PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,9 @@ function Export-AADProvider {
# 2.7 Policy Bullet 2]
$AdminConsentReqPolicies = ConvertTo-Json @($Tracker.TryCommand("Get-MgPolicyAdminConsentRequestPolicy"))

# Read the properties and relationships of an authentication method policy
$AuthenticationMethodPolicy = ConvertTo-Json @($Tracker.TryCommand("Get-MgPolicyAuthenticationMethodPolicy"))

$SuccessfulCommands = ConvertTo-Json @($Tracker.GetSuccessfulCommands())
$UnSuccessfulCommands = ConvertTo-Json @($Tracker.GetUnSuccessfulCommands())

Expand All @@ -113,6 +116,7 @@ function Export-AADProvider {
"privileged_roles": $PrivilegedRoles,
"service_plans": $ServicePlans,
"directory_settings": $DirectorySettings,
"authentication_method": $AuthenticationMethodPolicy,
"aad_successful_commands": $SuccessfulCommands,
"aad_unsuccessful_commands": $UnSuccessfulCommands,
"@
Expand Down
16 changes: 8 additions & 8 deletions Rego/AADConfig.rego
Original file line number Diff line number Diff line change
Expand Up @@ -361,15 +361,15 @@ tests[{
#--
# At this time we are unable to test for X because of NEW POLICY
tests[{
"PolicyId": PolicyId,
"Criticality" : "Should/Not-Implemented",
"Commandlet" : [],
"ActualValue" : [],
"ReportDetails" : NotCheckedDetails(PolicyId),
"RequirementMet" : false
"PolicyId": "MS.AAD.3.4v1",
"Criticality" : "Shall",
"Commandlet" : ["Get-MgPolicyAuthenticationMethodPolicy"],
"ActualValue" : [Policy.PolicyMigrationState],
"ReportDetails" : ReportDetailsBoolean(Status),
"RequirementMet" : Status
}] {
PolicyId := "MS.AAD.3.4v1"
true
Policy := input.authentication_method[_]
Status := Policy.PolicyMigrationState == "migrationComplete"
}
#--

Expand Down
31 changes: 28 additions & 3 deletions Testing/Unit/Rego/AAD/AADConfig_03_test.rego
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package aad
import future.keywords
import data.report.utils.NotCheckedDetails
import data.report.utils.ReportDetailsBoolean


#
Expand Down Expand Up @@ -1285,16 +1286,40 @@ test_NotImplemented_Correct_V2 if {
#
# MS.AAD.3.4v1
#--
test_NotImplemented_Correct_V3 if {
test_Migrated_Correct if {
PolicyId := "MS.AAD.3.4v1"

Output := tests with input as { }
Output := tests with input as {
"authentication_method": [
{
"PolicyMigrationState": "migrationComplete"
}
]
}

RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId]

count(RuleOutput) == 1
RuleOutput[0].RequirementMet
RuleOutput[0].ReportDetails == ReportDetailsBoolean(true)
}

test_Migrated_Incorrect if {
PolicyId := "MS.AAD.3.4v1"

Output := tests with input as {
"authentication_method": [
{
"PolicyMigrationState": "preMigration"
}
]
}

RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId]

count(RuleOutput) == 1
not RuleOutput[0].RequirementMet
RuleOutput[0].ReportDetails == NotCheckedDetails(PolicyId)
RuleOutput[0].ReportDetails == ReportDetailsBoolean(false)
}
#--

Expand Down

0 comments on commit abfb0a5

Please sign in to comment.