MT.1020 not catching dir sync accounts #582

Open
vegazbabz opened this issue Dec 13, 2024 · 4 comments
Labels: bug (Something isn't working), entra (Microsoft Entra)

Comments

@vegazbabz

This test is not catching the directory synchronization accounts:
https://maester.dev/docs/tests/MT.1020/

@merill
Contributor

merill commented Dec 14, 2024

Can you share some details on what you are seeing and what you expected to see?

Any repro steps would help.

Thanks

@merill merill added question Further information is requested entra Microsoft Entra labels Dec 14, 2024
@vegazbabz
Author

I have tried it from both an Azure DevOps pipeline and from a local PS session.

I think you need to check for the Entra user display name "On-Premises Directory Synchronization Service Account" or a UPN beginning with "sync_". Not sure how you do the check today, but I have 7 CA policies that show up as not having the sync dir account in them. But that is not true, as we do not have them excepted.
So your check for that service account is erroneous.

@merill
Contributor

merill commented Dec 14, 2024

Got it. I see the error now.

Microsoft made changes to the role for the sync account. This could be why Maester is failing to detect this in tenants.

@f-bader if you have bandwidth to check on this. Tx

https://github.com/maester365/maester/blob/main/powershell/public/Test-MtCaExclusionForDirectorySyncAccount.ps1

@merill merill added bug Something isn't working and removed question Further information is requested labels Dec 14, 2024
@vegazbabz
Author

@f-bader

You might want to add another check in the `if` clause, checking for `excludeUsers` and not only `excludeRoles`, like:
`-or ( $DirectorySynchronizationAccounts -in $policy.conditions.users.excludeUsers)`

```powershell
if ( $PolicyIncludesAllUsers -or $PolicyIncludesRole ) {
    # Skip this policy, because all directory synchronization accounts are included and therefore must not be excluded
    $currentresult = $true
    Write-Verbose "Skipping $($policy.displayName) - $currentresult"
} else {
    # '-in' with an array on the left-hand side tests the whole array as a single value,
    # so the excludeUsers check filters the sync account IDs element-wise instead
    $ExcludedByRole = $DirectorySynchronizationAccountRoleTemplateId -in $policy.conditions.users.excludeRoles
    $ExcludedByUser = @($DirectorySynchronizationAccounts | Where-Object { $_ -in $policy.conditions.users.excludeUsers }).Count -gt 0
    if ( $ExcludedByRole -or $ExcludedByUser ) {
        # Directory synchronization accounts are excluded
        $currentresult = $true
    } else {
        # Directory synchronization accounts are not excluded
        $currentresult = $false
        $result = $false
        $testResult += "  - [$($policy.displayname)](https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade/policyId/$($($policy.id))?%23view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies?=)`n"
    }
}
```

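The two points raised in this thread, resolving sync accounts by display name or `Sync_` UPN prefix and checking `excludeUsers` as well as `excludeRoles`, worked through as an added example. This is not Maester's code and not the project's `Test-MtCaExclusionForDirectorySyncAccount` implementation; the role template ID, the user objects and the three Conditional Access policies are constructed placeholders, and the "skip when all users are included" branch from the snippet above is deliberately left out so the example only shows the exclusion check itself. It runs offline against the constructed objects and reports, per policy, whether the sync accounts are excluded by role, by user ID, or not at all; a role-only check would wrongly flag the second policy.

```powershell
# Added example, not Maester's own code. All IDs, names and policies are constructed.

# Placeholder for the Directory Synchronization Accounts role template ID (assumption:
# replace with the real template ID from Get-MgDirectoryRoleTemplate in a live tenant).
$SyncRoleTemplateId = '00000000-0000-0000-0000-0000000000aa'

# Constructed user objects with only the properties the heuristic needs (as Get-MgUser would return them).
$Users = @(
    [pscustomobject]@{ id = 'u-0001'; displayName = 'On-Premises Directory Synchronization Service Account'; userPrincipalName = 'Sync_SRV01_1a2b3c@contoso.onmicrosoft.com' }
    [pscustomobject]@{ id = 'u-0002'; displayName = 'On-Premises Directory Synchronization Service Account'; userPrincipalName = 'Sync_SRV02_4d5e6f@contoso.onmicrosoft.com' }
    [pscustomobject]@{ id = 'u-0003'; displayName = 'Alice Example';                                          userPrincipalName = 'alice@contoso.onmicrosoft.com' }
)

function Get-SyncAccountId {
    # Fallback heuristic from the thread: match by display name or by the Sync_ UPN prefix.
    # Role membership remains the authoritative source; use this when the role lookup returns nothing.
    param([Parameter(Mandatory)] [object[]] $User)
    $User |
        Where-Object {
            $_.displayName -eq 'On-Premises Directory Synchronization Service Account' -or
            $_.userPrincipalName -like 'Sync_*'          # -like is case-insensitive, so "sync_" also matches
        } |
        ForEach-Object { $_.id }
}

function Test-SyncAccountExclusion {
    # Reports how (or whether) a single CA policy excludes the directory synchronization accounts.
    param(
        [Parameter(Mandatory)] [object]   $Policy,
        [Parameter(Mandatory)] [string]   $RoleTemplateId,
        [Parameter(Mandatory)] [string[]] $SyncAccountId
    )
    $users = $Policy.conditions.users
    $byRole = $RoleTemplateId -in @($users.excludeRoles)
    # '-in' with an array on the left tests the whole array as one value and is always false
    # for multiple accounts, so test each sync account ID individually instead.
    $byUser = @($SyncAccountId | Where-Object { $_ -in @($users.excludeUsers) }).Count -gt 0
    [pscustomobject]@{
        Policy         = $Policy.displayName
        ExcludedByRole = $byRole
        ExcludedByUser = $byUser
        Excluded       = ($byRole -or $byUser)
    }
}

# Constructed policies: role excluded, accounts excluded directly, and nothing excluded.
$Policies = @(
    [pscustomobject]@{ displayName = 'CA001 Require MFA for all users';      state = 'enabled'
                       conditions  = @{ users = @{ includeUsers = @('All'); excludeUsers = @();                   excludeRoles = @($SyncRoleTemplateId) } } }
    [pscustomobject]@{ displayName = 'CA002 Block legacy authentication';    state = 'enabled'
                       conditions  = @{ users = @{ includeUsers = @('All'); excludeUsers = @('u-0001', 'u-0002'); excludeRoles = @() } } }
    [pscustomobject]@{ displayName = 'CA003 Require compliant device';       state = 'enabled'
                       conditions  = @{ users = @{ includeUsers = @('All'); excludeUsers = @();                   excludeRoles = @() } } }
    [pscustomobject]@{ displayName = 'CA004 Disabled draft policy';          state = 'disabled'
                       conditions  = @{ users = @{ includeUsers = @('All'); excludeUsers = @();                   excludeRoles = @() } } }
)

$syncIds = @(Get-SyncAccountId -User $Users)     # u-0001, u-0002 (Alice is not matched)

$report = $Policies |
    Where-Object { $_.state -eq 'enabled' } |     # disabled policies cannot lock out the sync accounts
    ForEach-Object { Test-SyncAccountExclusion -Policy $_ -RoleTemplateId $SyncRoleTemplateId -SyncAccountId $syncIds }

$report | Format-Table -AutoSize
# CA001 is excluded by role, CA002 by user only (a role-only check misses it), CA003 by neither.
$report | Where-Object { -not $_.Excluded } | ForEach-Object { Write-Warning "Sync accounts not excluded from '$($_.Policy)'" }
```

In a live tenant the constructed `$Users` and `$Policies` arrays would come from `Get-MgUser` and `Get-MgIdentityConditionalAccessPolicy`, and `$syncIds` should preferably be the members of the Directory Synchronization Accounts role, with the name-based heuristic kept only as a fallback for tenants where the role lookup comes back empty.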
