
Enhance Entra Id to handle various tenant license states

Open dagarwal-mitre opened this issue 1 year ago • 2 comments

💡 Summary

Currently, the Entra Id export provider assumes that the tenant has current M365 license(s) and will produce either unexpected results or errors if the tenant is not in a functional license state. The scope of this issue is to add logic to the provider to handle various tenant license states that it is currently not programmed for, such as expired licenses or no licenses (in a brand new tenant). The goal is to properly report on these license states and ensure that the logic in the provider executes without inconsistent results or errors. We also would like to warn users if their licenses are near the expiration date.

From previous analyses, there is a subset of policy checks that can still be conducted against a tenant even if there are no active M365 licenses. That can be tested as part of this issue.

Implementation notes

  • [ ] Make sure the provider handles expired licenses
  • [ ] Make sure the provider handles no licenses (new tenant)
  • [ ] Make sure the provider handles licenses near the expiration date
  • [ ] Document which policy checks can be conducted if the tenant is not in an active license state (the first two bullets above). Make sure the code has a path to execute those policy checks when the tenant is not in an active license state.
  • [ ] Make sure the provider does not crash under any of the scenarios above
  • [ ] Make sure the provider does not produce inconsistent results (incorrect policy checks) under any of the scenarios above
  • [ ] Make sure the report notifies the user about the state of licenses that need attention, such as expired licenses, no licenses, or licenses that will expire soon

dagarwal-mitre avatar Aug 13 '24 18:08 dagarwal-mitre
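
One way to classify the license states listed in the issue above, as an added example that is not ScubaGear code and not part of the original issue. The function name, the record fields (`SkuPartNumber`, `Status`, `ExpiresOn`), the `Enabled` status value, and the 30-day warning window are all assumptions made for illustration, and the sample records are constructed.

```powershell
# Added example (hypothetical names): classify a tenant's license state.
function Get-TenantLicenseState {
    [CmdletBinding()]
    param(
        [AllowEmptyCollection()]
        [object[]]$Subscriptions = @(),      # one record per subscription (assumed shape)
        [datetime]$Now = (Get-Date),
        [int]$WarningDays = 30               # assumed threshold for "near expiration"
    )

    # Brand new tenant: nothing to evaluate, so report it explicitly instead of failing later.
    if ($Subscriptions.Count -eq 0) {
        return [pscustomobject]@{
            State = 'NoLicenses'; Expired = @(); ExpiringSoon = @(); LimitedChecksOnly = $true
        }
    }

    # A subscription counts as active only if it is enabled and not past its end date.
    $active   = @($Subscriptions | Where-Object { $_.Status -eq 'Enabled' -and $_.ExpiresOn -gt $Now })
    $expired  = @($Subscriptions | Where-Object { $_.Status -ne 'Enabled' -or $_.ExpiresOn -le $Now })
    $expiring = @($active | Where-Object { $_.ExpiresOn -le $Now.AddDays($WarningDays) })

    $state = if ($active.Count -eq 0) { 'AllExpired' } elseif ($expired.Count -gt 0 -or $expiring.Count -gt 0) { 'NeedsAttention' } else { 'Active' }

    [pscustomobject]@{
        State             = $state
        Expired           = @($expired  | ForEach-Object { $_.SkuPartNumber })
        ExpiringSoon      = @($expiring | ForEach-Object { $_.SkuPartNumber })
        # With no active license, only the license-independent subset of checks should run.
        LimitedChecksOnly = ($active.Count -eq 0)
    }
}

# Constructed sample records (not real tenant data), evaluated at a fixed date.
$now = [datetime]'2025-01-15'
$sample = @(
    [pscustomobject]@{ SkuPartNumber = 'SKU_A'; Status = 'Enabled';   ExpiresOn = [datetime]'2025-12-31' }
    [pscustomobject]@{ SkuPartNumber = 'SKU_B'; Status = 'Enabled';   ExpiresOn = [datetime]'2025-02-01' }
    [pscustomobject]@{ SkuPartNumber = 'SKU_C'; Status = 'Suspended'; ExpiresOn = [datetime]'2024-11-30' }
)

Get-TenantLicenseState -Subscriptions $sample -Now $now              # mixed tenant
Get-TenantLicenseState -Subscriptions @() -Now $now                  # brand new tenant
Get-TenantLicenseState -Subscriptions @($sample[2]) -Now $now        # only an expired license
```

Returning a state object for every input, including the empty one, is what lets a report surface the license condition and lets the caller choose the reduced set of policy checks instead of erroring out.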

Related: https://github.com/cisagov/ScubaGear/issues/979 https://github.com/cisagov/ScubaGear/pull/1145

tkol2022 avatar Feb 13 '25 19:02 tkol2022

No licenses

This previous pull request contains a comment with some sample code that might help prototype and develop the solution for the "no license" scenario for brand new tenants, but it is not a complete solution to handle all the requirements of this issue. Therefore, just use it as a helpful reference.

tkol2022 avatar Feb 19 '25 17:02 tkol2022

During Standup, 8/25 @dagarwal-ecs stated that this ticket is done and he would like a tenant with no licenses for a more thorough test. @dagarwal-ecs will create a pull request.

FollyBeachGurl avatar Aug 25 '25 18:08 FollyBeachGurl

Standup Update: Under review and Devesh will create new tickets for the feature work for this PR.

FollyBeachGurl avatar Sep 11 '25 19:09 FollyBeachGurl

New issue created, #1821

dagarwal-ecs avatar Sep 22 '25 17:09 dagarwal-ecs