MT.1020 not catching dir sync accounts
This test is not catching the directory synchronization accounts: https://maester.dev/docs/tests/MT.1020/
Can you share some details on what you are seeing and what you expected to see?
Any repro steps would help.
Thanks
I have tried it from both an Azure DevOps pipeline and from a local PS session.
I think you need to check for the Entra user `displayName` "On-Premises Directory Synchronization Service Account" or a UPN beginning with "sync_". Not sure how you do the check today, but I have 7 CA policies that show up as not having the sync dir acc in them. But that is not true, as we do not have them excepted. So your check for that service account is erroneous.
Got it. I see the error now.
Microsoft made changes to the role for the sync account. This could be why Maester is failing to detect this in tenants.
@f-bader if you have bandwidth to check on this. Tx
https://github.com/maester365/maester/blob/main/powershell/public/Test-MtCaExclusionForDirectorySyncAccount.ps1
@f-bader
You might want to add another check in the `if` clause, checking for `excludeUsers` and not only `excludeRoles`, like:

```powershell
-or ( $DirectorySynchronizationAccounts -in $policy.conditions.users.excludeUsers )
```

```powershell
if ( $PolicyIncludesAllUsers -or $PolicyIncludesRole ) {
    # Skip this policy, because all directory synchronization accounts are included and therefore must not be excluded
    $currentresult = $true
    Write-Verbose "Skipping $($policy.displayName) - $currentresult"
} else {
    # -in expects a scalar on its left-hand side; if $DirectorySynchronizationAccounts holds several object ids, test each one
    $syncAccountExcludedByUser = @($DirectorySynchronizationAccounts | Where-Object { $_ -in $policy.conditions.users.excludeUsers }).Count -gt 0
    if ( ( $DirectorySynchronizationAccountRoleTemplateId -in $policy.conditions.users.excludeRoles ) -or $syncAccountExcludedByUser ) {
        # Directory synchronization accounts are excluded (by role or by user)
        $currentresult = $true
    } else {
        # Directory synchronization accounts are not excluded: record the failing policy with a link to it
        $currentresult = $false
        $result = $false
        $testResult += " - [$($policy.displayName)](https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade/policyId/$($policy.id)?%23view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies?=)`n"
    }
}
```
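As an added, standalone example (not Maester's code and not the snippet above), the following PowerShell function evaluates a Conditional Access policy object against both `excludeRoles` and `excludeUsers`. The function name `Test-SyncAccountExclusion`, the `New-SamplePolicy` helper, the two sync account object ids and the four policies are constructed for illustration; the only real identifier is the built-in Directory Synchronization Accounts role template id. It assumes a policy that explicitly targets the sync role is intentional and is skipped, and that exclusion via `excludeUsers` only counts when every sync account id is listed.

```powershell
# Added example, not Maester's own code. Role template id of the built-in
# "Directory Synchronization Accounts" role.
$DirectorySynchronizationAccountRoleTemplateId = 'd29b2b05-8046-44ba-8758-1e26182fcf32'

function Test-SyncAccountExclusion {
    <#
    .SYNOPSIS
    Decide whether a Conditional Access policy excludes the directory synchronization accounts,
    either via excludeRoles (the sync role) or via excludeUsers (every sync account object id).
    #>
    param(
        [Parameter(Mandatory)] $Policy,                   # object shaped like a Graph conditionalAccessPolicy
        [Parameter(Mandatory)] [string[]] $SyncAccountIds # object ids of the user-based sync accounts
    )
    $users         = $Policy.conditions.users
    $includesRole  = $DirectorySynchronizationAccountRoleTemplateId -in @($users.includeRoles)
    $roleExcluded  = $DirectorySynchronizationAccountRoleTemplateId -in @($users.excludeRoles)
    # -in expects a scalar on its left-hand side, so test each sync account id individually
    $excludedIds   = @($SyncAccountIds | Where-Object { $_ -in @($users.excludeUsers) })
    $missingIds    = @($SyncAccountIds | Where-Object { $_ -notin $excludedIds })
    $usersExcluded = ($SyncAccountIds.Count -gt 0) -and ($missingIds.Count -eq 0)

    if ($includesRole) {
        # Assumption: a policy that deliberately targets the sync role (e.g. a dedicated location policy) is intentional
        return [pscustomobject]@{ Policy = $Policy.displayName; Skipped = $true; Excluded = $null; Reason = 'policy targets the sync role' }
    }
    $reason = if ($roleExcluded)      { 'excluded via excludeRoles' }
              elseif ($usersExcluded) { 'excluded via excludeUsers' }
              else                    { "not excluded; missing from excludeUsers: $($missingIds -join ', ')" }
    [pscustomobject]@{
        Policy   = $Policy.displayName
        Skipped  = $false
        Excluded = ($roleExcluded -or $usersExcluded)
        Reason   = $reason
    }
}

# Constructed sample input (hypothetical ids and policy names): two sync accounts, four policies
$syncAccountIds = @('11111111-1111-1111-1111-111111111111', '22222222-2222-2222-2222-222222222222')
function New-SamplePolicy($Name, $IncludeUsers, $IncludeRoles, $ExcludeUsers, $ExcludeRoles) {
    [pscustomobject]@{
        displayName = $Name
        id          = [guid]::NewGuid().ToString()
        conditions  = @{ users = @{ includeUsers = $IncludeUsers; includeRoles = $IncludeRoles
                                    excludeUsers = $ExcludeUsers; excludeRoles = $ExcludeRoles } }
    }
}
$policies = @(
    New-SamplePolicy 'CA001 Require MFA for all users'       @('All') @() @()                   @($DirectorySynchronizationAccountRoleTemplateId)
    New-SamplePolicy 'CA002 Block legacy authentication'     @('All') @() $syncAccountIds       @()
    New-SamplePolicy 'CA003 Require compliant device'        @('All') @() @($syncAccountIds[0]) @()
    New-SamplePolicy 'CA004 Sync accounts: trusted IPs only' @()      @($DirectorySynchronizationAccountRoleTemplateId) @() @()
)
$policies | ForEach-Object { Test-SyncAccountExclusion -Policy $_ -SyncAccountIds $syncAccountIds } | Format-Table -AutoSize
```

CA003 is the interesting case: it excludes only one of the two sync account ids, so a check that only looks at `excludeRoles`, or that only tests whether *some* sync account is excluded, would report it differently from a check that requires every sync account to be covered. Which of those semantics the test should have is a design decision for the project, not something this example settles.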
@vegazbabz
Sorry for the delay in this.
I'm just re-reading the issue and you said
> but I have 7 CA policies that show up as not having the sync dir acc in them. But that is not true, as we do not have them excepted.

Was that a typo when you said "we do not have them excepted"? Because the check is to verify that you have the sync accounts excepted, but you are saying you don't have them excepted.
@f-bader I think, given the new change that's been announced where you can use service principals for sync accounts, we'll need to update this test to be smarter: if this role is assigned to a service principal we don't need to apply this check, but if it is a user principal then we will need to.
Good catch. I think we can check if there is a valid certificate assigned to the app and, if that's the case, skip this test.
I wonder if there will be an API available to find out what account Entra Sync is using? Let me find out...
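As an added example (not Maester's code), here is one way to make the test "smarter" as discussed above: classify the members of the Directory Synchronization Accounts role into user principals, which still need a Conditional Access exclusion, and service principals, for which a non-expired certificate credential is checked instead. The function name `Get-SyncAccountKind`, the member objects and the key credentials are constructed for illustration; the member shape mirrors what `Get-MgDirectoryRoleMember` returns (an `Id` plus `AdditionalProperties` carrying `@odata.type`), and the Graph calls that would feed it live are shown only as a comment and are an assumption about the SDK, not something the thread confirms.

```powershell
# Added example, not Maester's own code. Classify the members of the built-in
# "Directory Synchronization Accounts" role so that the CA exclusion check is only
# applied to user principals. Everything below is constructed sample data; no Graph call is made.

function Get-SyncAccountKind {
    param(
        [Parameter(Mandatory)] [object[]] $RoleMembers,
        [hashtable] $KeyCredentialsById = @{},           # servicePrincipal id -> key credentials (constructed here)
        [datetime]  $Now = (Get-Date).ToUniversalTime()
    )
    foreach ($m in $RoleMembers) {
        $type = $m.AdditionalProperties['@odata.type']
        if ($type -eq '#microsoft.graph.servicePrincipal') {
            $creds = @($KeyCredentialsById[$m.Id])
            # Count only certificate credentials that have not yet expired
            $validCert = @($creds | Where-Object { $_ -and $_.Type -eq 'AsymmetricX509Cert' -and $_.EndDateTime -gt $Now }).Count -gt 0
            [pscustomobject]@{
                Id                  = $m.Id
                Name                = $m.AdditionalProperties['displayName']
                Kind                = 'servicePrincipal'
                HasValidCertificate = $validCert
                NeedsCaExclusion    = $false   # user-scoped CA exclusions do not apply to a service principal
            }
        } else {
            [pscustomobject]@{
                Id                  = $m.Id
                Name                = $m.AdditionalProperties['userPrincipalName']
                Kind                = 'user'
                HasValidCertificate = $false
                NeedsCaExclusion    = $true    # a user-based sync account must be excluded from user-scoped policies
            }
        }
    }
}

# Constructed sample: one classic user-based sync account and one application-based one
$members = @(
    [pscustomobject]@{
        Id = '11111111-1111-1111-1111-111111111111'
        AdditionalProperties = @{
            '@odata.type'     = '#microsoft.graph.user'
            displayName       = 'On-Premises Directory Synchronization Service Account'
            userPrincipalName = 'Sync_SRV01_0123abcd@contoso.onmicrosoft.com'
        }
    }
    [pscustomobject]@{
        Id = '33333333-3333-3333-3333-333333333333'
        AdditionalProperties = @{
            '@odata.type' = '#microsoft.graph.servicePrincipal'
            displayName   = 'Constructed sync application (SRV02)'
        }
    }
)
$keyCredentialsById = @{
    '33333333-3333-3333-3333-333333333333' = @(
        [pscustomobject]@{ Type = 'AsymmetricX509Cert'; Usage = 'Verify'; EndDateTime = (Get-Date).ToUniversalTime().AddMonths(6) }
    )
}

# Live retrieval with the Microsoft Graph PowerShell SDK would look like this (assumption, not executed here):
#   $role    = Get-MgDirectoryRole -Filter "roleTemplateId eq 'd29b2b05-8046-44ba-8758-1e26182fcf32'"
#   $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
#   $spCreds = (Get-MgServicePrincipal -ServicePrincipalId $members[1].Id -Property keyCredentials).KeyCredentials

$kinds = Get-SyncAccountKind -RoleMembers $members -KeyCredentialsById $keyCredentialsById
$kinds | Format-Table -AutoSize
$userSyncAccounts = @($kinds | Where-Object NeedsCaExclusion)
if ($userSyncAccounts.Count -eq 0) {
    'Only application-based sync accounts found; the CA exclusion check can be skipped'
} else {
    "Check CA exclusions for user-based sync accounts: $($userSyncAccounts.Id -join ', ')"
}
```

The design point is that the decision to skip is made per role member, not per tenant: a tenant that is mid-migration can have both a `Sync_*` user and an application-based identity in the role, and the per-policy exclusion check still has to run for the user while the certificate check covers the service principal.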