🪲 MT.1014 fails, despite all recommended admin roles being covered by recommended policy
To Reproduce
- install maester 1.3.0.
- autoinstall pester 5.5.0
- connect-azaccount -tenant -scope
- invoke-maester
Expected behavior
Result: PASS
Environment Data
PSVersion: 7.5.2
PSEdition: Core
GitCommitId: 7.5.2
OS: Microsoft Windows 10.0.26100, Arm64
Platform: Win32NT
PSCompatibleVersions: {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
WSManStackVersion: 3.0
Tenant license: M365 Business Premium + Entra P2
@GeldHades27355 can you upload the JSON from the conditional access policy to search for the reason the test failed?
Admins compliant devices for local admins.json
Does that help?
Bear in mind that one admin is excluded, due to being a break glass account.
Thanks @GeldHades27355 for the JSON file.
Exclusion is fine. Admin Roles are correct.
There are two things that cause the failure.
- Error in code base. I will create a PR for that.
- You added only compliant devices. Not the "Entra hybrid joined devices".
Correct - we do not allow hybrid joined devices on our tenants. Given Microsoft's recommendation to NOT hybrid join devices anymore, I'd vote for not penalizing folks who do not allow it, if they fulfil the main requirement that devices should be compliant.
@merill Should the test reflect the CA policy templates, or do you agree with @GeldHades27355? I share his view and would use the blue box at the beginning of this document to strengthen the argument.
I think we can find a way to change this to check for compliant OR hybrid and still be compliant with the intent of Microsoft's recommended CA policy. Or, more explicitly, we could check for compliant and Entra-joined OR compliant and hybrid-joined.
```powershell
# Proposed condition: the policy must offer compliant device OR hybrid joined device,
# cover all the recommended admin roles, and target all cloud apps.
if ( 'domainJoinedDevice' -in $policy.grantControls.builtInControls -and
     'compliantDevice' -in $policy.grantControls.builtInControls -and
     $policy.grantControls.operator -eq "OR" -and $PolicyIncludesAllRoles -and
     $policy.conditions.applications.includeApplications -eq "All"
) {
    # body omitted in the comment; the test passes when this branch is reached
    $passed = $true
}
```
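To make the two options in the comment above concrete, here is an added example (not Maester's own code and not from the reporter's tenant) that applies the device grant-control check to constructed Conditional Access policy objects, once in the strict form that mirrors the CA template (compliant OR hybrid joined) and once in the relaxed form that accepts a compliant-device-only grant. The function name `Test-AdminDeviceGrant`, its parameters and the sample policies are assumptions; the role-coverage result is passed in as a parameter, as in the snippet above.

```powershell
# Added example, not part of Maester. Function name, parameters and sample policies are hypothetical.

function Test-AdminDeviceGrant {
    param(
        [Parameter(Mandatory)] $Policy,
        # Role coverage is computed elsewhere; pass the result in, as the snippet above does.
        [bool] $PolicyIncludesAllRoles = $true,
        # Accept a policy that requires only compliant devices (no hybrid-joined alternative).
        [switch] $AllowCompliantOnly
    )

    $controls     = @($Policy.grantControls.builtInControls)
    $operator     = $Policy.grantControls.operator
    $hasCompliant = 'compliantDevice' -in $controls
    $hasHybrid    = 'domainJoinedDevice' -in $controls
    $allApps      = 'All' -in @($Policy.conditions.applications.includeApplications)

    if ($Policy.state -ne 'enabled')  { return [pscustomobject]@{ Passed = $false; Reason = 'policy not enabled' } }
    if (-not $PolicyIncludesAllRoles) { return [pscustomobject]@{ Passed = $false; Reason = 'not all admin roles included' } }
    if (-not $allApps)                { return [pscustomobject]@{ Passed = $false; Reason = 'does not target all cloud apps' } }

    # Strict form: the policy must offer "compliant device OR hybrid joined device".
    if ($hasCompliant -and $hasHybrid -and $operator -eq 'OR') {
        return [pscustomobject]@{ Passed = $true; Reason = 'compliant OR hybrid joined device required' }
    }
    # Relaxed form: a compliant-device-only grant satisfies the intent of the template.
    if ($AllowCompliantOnly -and $hasCompliant) {
        return [pscustomobject]@{ Passed = $true; Reason = 'compliant device required; hybrid join not offered' }
    }

    # Explain the failure so the reporter can see which part of the grant is missing.
    $reason = "device controls missing; grant controls: $($controls -join ', ')"
    if ($hasCompliant -and $hasHybrid) { $reason = "both device controls present but operator is '$operator', not 'OR'" }
    elseif ($hasCompliant)             { $reason = 'compliant device only; hybrid joined device not offered' }
    return [pscustomobject]@{ Passed = $false; Reason = $reason }
}

# Constructed sample policies (exported-policy shape, values made up for this example).
$compliantOnly = @'
{ "displayName": "Admins: compliant device", "state": "enabled",
  "conditions": { "applications": { "includeApplications": ["All"] } },
  "grantControls": { "operator": "OR", "builtInControls": ["compliantDevice"] } }
'@ | ConvertFrom-Json

$compliantOrHybrid = @'
{ "displayName": "Admins: compliant or hybrid joined device", "state": "enabled",
  "conditions": { "applications": { "includeApplications": ["All"] } },
  "grantControls": { "operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"] } }
'@ | ConvertFrom-Json

foreach ($p in @($compliantOnly, $compliantOrHybrid)) {
    $strict  = Test-AdminDeviceGrant -Policy $p
    $relaxed = Test-AdminDeviceGrant -Policy $p -AllowCompliantOnly
    '{0}: strict={1} ({2}); relaxed={3} ({4})' -f $p.displayName, $strict.Passed, $strict.Reason, $relaxed.Passed, $relaxed.Reason
}
```

Run against the exported policy from this issue, the strict form reports the same gap the comment above identified (compliant device present, hybrid joined device not offered), while the relaxed form passes it; a policy that lists both controls with operator OR passes either way. Keeping the reason string in the result is what makes the test actionable for a reporter who sees only FAIL.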