🪲 ignore the built-in configurations that can't be modified

Open royklo opened this issue 4 months ago • 4 comments

Thanks for reporting the bug. Please ensure you've gone through the following checklist before opening an issue:

  • Make sure you can reproduce this issue using the latest released version of Maester.
  • Please search the existing issues to see if there has been a similar issue filed.

Describe the bug

It's some sort of bug. I want to request if it's possible to ignore all the default configuration in the tenant that can't be modified. For example, ORCA.107: End-user spam notification is enabled.

| Quarantine Policy | Setting | Current Value | Result |
|---|---|---|---|
| ORGPOLICY-LimitedAccess-RequestByUser | ESNEnabled | True | ✅ Pass |
| DefaultFullAccessPolicy | ESNEnabled | False | ❌ Fail |
| AdminOnlyAccessPolicy | ESNEnabled | False | 🗄 Skip |

| Policy | Setting | Current Value | Result |
|---|---|---|---|
| ORGPOLICY Safe Links Policy 1.0 | AllowClickThrough | False | ✅ Pass |
| Built-In Protection Policy | AllowClickThrough | True | ❌ Fail |

As you can see, the DefaultFullAccessPolicy fails, but I can't change that value to succeed.

Expected behavior

Ignore the built-ins. This is just one example, but there are many more.

Aug 06 '25 10:08 royklo

That's a good call out. @soulemike what do you think of excluding the default policy failures if there are other policies that do secure the setting?

Aug 10 '25 03:08 merill

> That's a good call out. @soulemike what do you think of excluding the default policy failures if there are other policies that do secure the setting?

And even if there is no other custom setting, it's still not possible to modify it, so at this point this test can only give you an extra negative score.

Maybe this is one of those kinds of checks which can be marked as a warning instead of a failure. I know Maester has no such kind of status. But maybe this can be a reason why it should be one of these kinds of statuses.

Aug 10 '25 05:08 royklo

Yeah, since these are read-only, they should be skipped or checked for scoping ideally to confirm they aren't in use. I know ORCA passes a property on the objects for read-only, so we may just need to map that into the Maester public cmdlet. This may take a bit to get to, I have a few other updates I was hoping to work on prior, but rebuilding the ORCA tests is part of that, so may try to work this in.

Aug 10 '25 18:08 soulemike

I was just testing and it appears that the skip is not working once the tests are regenerated, but the test itself passes even though all policies are skipped, so leaving issue open.

Aug 10 '25 22:08 soulemike
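
One way to express the behaviour discussed in this thread, as an added PowerShell example that is not Maester or ORCA code: read-only rows are skipped, and a check whose rows are all skipped reports Skipped instead of Passed. The function name, the `ReadOnly` and `Expected` properties, and the sample rows (constructed from the table in the issue, with the two built-in quarantine policies assumed to be read-only) are assumptions.

```powershell
# Added illustration only. Not Maester or ORCA code; all names are hypothetical.
function Get-PolicyCheckOutcome {
    param(
        # Each row needs: Policy, Setting, Value, Expected, ReadOnly
        [Parameter(Mandatory)] [object[]] $Rows
    )

    $evaluated = foreach ($row in $Rows) {
        # A read-only (built-in) policy cannot be remediated, so it is not scored.
        if ($row.ReadOnly) {
            $result = 'Skipped'
        } elseif ($row.Value -eq $row.Expected) {
            $result = 'Passed'
        } else {
            $result = 'Failed'
        }
        [pscustomobject]@{
            Policy = $row.Policy; Setting = $row.Setting
            Value  = $row.Value;  Result  = $result
        }
    }

    # Roll up: any failure fails the check; a pass requires at least one row
    # that was actually evaluated; otherwise the whole check is Skipped.
    $results = @($evaluated.Result)
    if ($results -contains 'Failed') {
        $overall = 'Failed'
    } elseif ($results -contains 'Passed') {
        $overall = 'Passed'
    } else {
        $overall = 'Skipped'
    }
    [pscustomobject]@{ Overall = $overall; Rows = @($evaluated) }
}

# Constructed sample rows based on the ORCA.107 table in the issue.
$rows = @(
    [pscustomobject]@{ Policy = 'ORGPOLICY-LimitedAccess-RequestByUser'; Setting = 'ESNEnabled'; Value = $true;  Expected = $true; ReadOnly = $false }
    [pscustomobject]@{ Policy = 'DefaultFullAccessPolicy';               Setting = 'ESNEnabled'; Value = $false; Expected = $true; ReadOnly = $true }
    [pscustomobject]@{ Policy = 'AdminOnlyAccessPolicy';                 Setting = 'ESNEnabled'; Value = $false; Expected = $true; ReadOnly = $true }
)

# Tenant with a custom policy: built-ins are skipped, the custom policy decides.
(Get-PolicyCheckOutcome -Rows $rows).Rows | Format-Table -AutoSize
(Get-PolicyCheckOutcome -Rows $rows).Overall

# Tenant with only the built-ins: nothing was evaluated, so the roll-up is Skipped.
(Get-PolicyCheckOutcome -Rows ($rows | Where-Object ReadOnly)).Overall
```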