Add test MT.1106 to verify Protected Actions Auth Contexts have CA policies #1356
Conversation
…ons Auth Context validation Co-authored-by: SamErde <[email protected]>
Deploying maester with
|
| Latest commit: |
550d061
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://acf90e9f.maester.pages.dev |
| Branch Preview URL: | https://copilot-add-maester-test-con.maester.pages.dev |
Co-authored-by: SamErde <[email protected]>
SamErde
added
enhancement
There was a problem hiding this comment.
Pull request overview
Adds a new validation test to ensure that protected actions using Authentication Contexts are actually enforced by Conditional Access policies, plus associated documentation and baseline test wiring.
- Introduces Test-MtCaAuthContextProtectedActionsExist to detect Authentication Contexts used by Protected Actions but not referenced by any CA policy.
- Wires the test into the Conditional Access baseline suite (MT.1090).
- Adds user-facing documentation for the test and website page.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| website/docs/tests/maester/MT.1090.md | New website doc explaining MT.1090 test purpose, remediation steps, and links. |
| tests/Maester/Entra/Test-ConditionalAccessBaseline.Tests.ps1 | Adds the MT.1090 test case to the Entra Conditional Access baseline suite. |
| powershell/public/maester/entra/Test-MtCaAuthContextProtectedActionsExist.ps1 | Implements the test logic to correlate protected actions’ Authentication Contexts with CA policies. |
| powershell/public/maester/entra/Test-MtCaAuthContextProtectedActionsExist.md | Adds command documentation with remediation steps and related links. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| $caPolicies = Get-MtConditionalAccessPolicy | ||
|
|
||
| # Collect all auth context IDs referenced in CA policies | ||
| $authContextsInCAPolicies = [System.Collections.Generic.HashSet[string]]::new() | ||
| foreach ($policy in $caPolicies) { | ||
| if ($policy.conditions.applications.includeAuthenticationContextClassReferences) { | ||
| foreach ($context in $policy.conditions.applications.includeAuthenticationContextClassReferences) { | ||
| [void]$authContextsInCAPolicies.Add($context) | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
CA policy state is not considered when determining protection. Disabled policies do not enforce Authentication Contexts, so counting them can yield false positives. Please filter to enabled policies before collecting includeAuthenticationContextClassReferences, e.g.: $caPolicies = Get-MtConditionalAccessPolicy | Where-Object { $_.state -eq 'enabled' }.
There was a problem hiding this comment.
A 'Disabled' or 'ReportOnly' policy might still be in development. Should we still alert on these? I lean very slightly towards 'yes' because the ultimate goal is to have them in effect and not create a false sense of security with regards to the protected action configuration.
There was a problem hiding this comment.
Changed to filter only enabled CA policies in commit 550d061: $caPolicies = Get-MtConditionalAccessPolicy | Where-Object { $_.state -eq 'enabled' }. Regarding @SamErde's point about disabled/report-only policies - the current implementation alerts if the auth context is only in disabled policies, since those don't provide actual protection.
There was a problem hiding this comment.
That's right, the test should still fail if the policy is not enabled.
powershell/public/maester/entra/Test-MtCaAuthContextProtectedActionsExist.ps1
Outdated
Show resolved
Hide resolved
powershell/public/maester/entra/Test-MtCaAuthContextProtectedActionsExist.ps1
Outdated
Show resolved
Hide resolved
powershell/public/maester/entra/Test-MtCaAuthContextProtectedActionsExist.md
Outdated
Show resolved
Hide resolved
Co-authored-by: Copilot <[email protected]>
SamErde
left a comment
SamErde
left a comment
There was a problem hiding this comment.
The test ID 'MT.1090' is already taken. 'MT.1106' should be used for this test. References within this PR need to be changed accordingly.
…s, check isEnabled for rules, detect deleted contexts Co-authored-by: SamErde <[email protected]>
Renamed to MT.1106 in commit 550d061. Updated the website doc, test file reference, title, and slug accordingly. |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Description
Fixes the issue where Protected Actions with Authentication Contexts assigned may not actually be protected if the context isn't referenced by any Conditional Access policy. Without a CA policy enforcing the auth context, users aren't prompted for step-up authentication.
Fixes #997
Changes:
Test-MtCaAuthContextProtectedActionsExist.ps1- New test function that:identity/conditionalAccess/authenticationContextClassReferencesunifiedRoleManagementPolicyAuthenticationContextRulerules (withisEnabledcheck)includeAuthenticationContextClassReferencesTest-MtCaAuthContextProtectedActionsExist.md- Function documentationTest-ConditionalAccessBaseline.Tests.ps1- Added MT.1106 test caseMT.1106.md- Website documentationContribution Checklist
Before submitting this PR, please confirm you have completed the following:
/powershell/tests/pester.ps1on your local system.Join us at the Maester repository discussions 💬 or Entra Discord 🧑💻 for more help and conversations!
Original prompt
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.