
EIDSCA.AV01: Authentication Method - Voice call - State - not applicable for all environments.

Open Azdamus opened this issue 1 year ago • 3 comments

For some companies that use computers in sterile rooms, where cell phones are not allowed because they can interfere with the manufacturing process, the only MFA method that works is FIDO2 / PIV / Phone Call (desk phone), with each location having different policies based on geographical location and local rules. I do admit that Phone Call is insecure. Perhaps a Warning should be added as a flag?

Azdamus avatar Apr 16 '24 15:04 Azdamus

In general, I would like to keep the recommendation to avoid voice call as an MFA option. Integrating a kind of severity to identify a check as a "hard recommendation" or "it depends" would be a great addition. This is something that needs to be implemented in all checks. @Azdamus: Would allowing voice calls be strongly scoped to a user group in your described scenario?

Cloud-Architekt avatar Apr 22 '24 06:04 Cloud-Architekt

I agree. In terms of script logic, my thinking is something along the lines of:

  • If Voice Call is set to "All Users" - Failed
  • If Voice Call is set to "One or more group IDs" - Review, and add a recommendation note. Having a review tag will trigger the admin's sense to actually go and review the groups that have that feature on. This makes the posture check even more valuable, imho.
  • If Voice Call is set to "Disabled" / $null - Passed

Going to a "Hard recommendation" flag system can become tedious to manage and categorise. What classifies as a gentle recommendation, what classifies as hard recommendation, what is the criteria, etc.

Azdamus avatar Apr 22 '24 08:04 Azdamus
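The three-way verdict sketched in the comment above, as an added PowerShell example that is not Maester's own code. It classifies a Voice Call authentication method configuration as Passed, Review or Failed, and attaches the review note for the group-scoped case. The object shape (a `state` property plus `includeTargets` entries whose `id` is either `all_users` or a group ID) is assumed to match the Microsoft Graph voice authentication method configuration; the three sample configurations are constructed, and the commented `Invoke-MgGraphRequest` call and its endpoint URL are likewise assumptions about how a live tenant would be queried.

```powershell
# Added example (not Maester's own code): classify the Voice Call MFA configuration
# into Passed / Review / Failed as proposed above. The object shape is assumed to
# mirror the Graph authenticationMethodConfiguration for Voice; samples are constructed.

function Get-VoiceCallMfaVerdict {
    [CmdletBinding()]
    param(
        # Parsed Voice authentication method configuration (hashtable or object)
        [Parameter(Mandatory)] $Config
    )

    # Disabled, or no configuration returned at all ($null), is the recommended state.
    if ($null -eq $Config -or $Config.state -ne 'enabled') {
        return [pscustomobject]@{ Result = 'Passed'; Note = 'Voice call is disabled.' }
    }

    $targets = @($Config.includeTargets)

    # Enabled with no explicit targets is treated the same as enabled for everyone.
    if ($targets.Count -eq 0 -or ($targets.id -contains 'all_users')) {
        return [pscustomobject]@{ Result = 'Failed'; Note = 'Voice call is enabled for all users.' }
    }

    # Enabled for specific groups only: flag for review rather than fail outright,
    # and name the groups so the admin knows exactly what to inspect.
    $groupIds = ($targets | Where-Object { $_.id -ne 'all_users' }).id -join ', '
    return [pscustomobject]@{
        Result = 'Review'
        Note   = "Voice call is enabled for specific group(s): $groupIds. " +
                 'Confirm each group is limited to users who genuinely need it ' +
                 '(e.g. sterile-room workstations) and review membership regularly.'
    }
}

# Constructed sample configurations, one per branch of the check.
$samples = [ordered]@{
    AllUsers = @{ state = 'enabled';  includeTargets = @(@{ targetType = 'group'; id = 'all_users' }) }
    Scoped   = @{ state = 'enabled';  includeTargets = @(@{ targetType = 'group'; id = '00000000-0000-0000-0000-000000000001' }) }
    Disabled = @{ state = 'disabled'; includeTargets = @() }
}

foreach ($name in $samples.Keys) {
    $verdict = Get-VoiceCallMfaVerdict -Config $samples[$name]
    '{0,-8} -> {1,-6} {2}' -f $name, $verdict.Result, $verdict.Note
}

# Against a live tenant (assumed endpoint; needs a Graph session with Policy.Read.All):
# $live = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Voice'
# Get-VoiceCallMfaVerdict -Config $live
```

The function returns an object rather than writing output, so it can be dropped into a Pester `It` block and asserted on (`$verdict.Result | Should -Be 'Passed'`) or collected across several checks to build the "review" category discussed in the thread.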

@Azdamus: We will be working on a feature to customize and/or waive the recommended value in Maester. Currently, the only option is to host a customized version of the EIDSCA.json file with the adjusted RecommendValue. You can build a customized EIDSCA by providing the AadSecConfigUrl parameter in Update-EidscaTests.

Stay tuned for any updates regarding an integrated option in Maester.

Cloud-Architekt avatar May 31 '24 05:05 Cloud-Architekt