
#️⃣ Pick next Maester test sequence number

Open merill opened this issue 10 months ago • 34 comments

This issue tracks the next available sequence number for a new core Maester test (tests starting with MT.xxxx prefix)

If you are starting work on a new test

  • Look up the last number that's been reserved (go all the way to the last comment in this post)
  • Add a new comment with the number you are reserving
  • Start writing your new test knowing that no one else can steal 😂 your test number

Note: This sequence number does not apply to tests from CISA, CIS, ORCA and EIDSCA as they already provide unique #s for their tests.

Why are we doing this? To avoid conflicts where you start work on a new test and someone else checks in a PR that gets merged before yours. Now you need to spend time fixing up your PR to use another number.

merill avatar Feb 24 '25 02:02 merill

MT.1052 - Reserved for CA policy on DCF

merill avatar Feb 24 '25 02:02 merill

MT.1055 - Microsoft 365 Teams/Group creation restricted to approved users

merill avatar Mar 18 '25 08:03 merill

MT.1056 - Azure User Access Admin should not be enabled

Oppedijk avatar Apr 14 '25 08:04 Oppedijk

MT.1057 - App registrations should not have secrets #912

svrooij avatar May 08 '25 21:05 svrooij

MT.1058 - Exchange Application Access Policies should be configured #945

l-gosling avatar May 17 '25 15:05 l-gosling

MT.1059 - Microsoft Defender for Identity @Cloud-Architekt fyi

merill avatar Jun 25 '25 02:06 merill

MT.1060 - (experimental) drift tests using file detection.

svrooij avatar Jun 26 '25 08:06 svrooij

MT.1061 - MFA on device registration conflict

RobbeVandenDaele avatar Jun 30 '25 05:06 RobbeVandenDaele

MT.1062 - Ensure direct send is configured to reject

bastienperez avatar Jun 30 '25 08:06 bastienperez

MT.1063 - All Application Owners should have MFA set up

marcel-ngn avatar Jun 30 '25 12:06 marcel-ngn

MT.1064 - Ensure that write permissions are required to create new management groups

brianveldman avatar Jul 07 '25 20:07 brianveldman

MT.1065 - Ensure Soft Delete is enabled on all Recovery Services Vaults

brianveldman avatar Jul 15 '25 15:07 brianveldman

MT.1066 - Ensure that conditional access policies do not reference invalid or missing users, groups, or roles

SamErde avatar Jul 17 '25 14:07 SamErde

MT.1067 - Ensure that authentication method policies do not reference invalid or missing groups

SamErde avatar Jul 17 '25 15:07 SamErde

MT.1068 - Restrict non-admin users from creating tenants

marcel-ngn avatar Jul 23 '25 12:07 marcel-ngn

MT.1069 - Restrict non-admin users from creating security groups

marcel-ngn avatar Jul 24 '25 08:07 marcel-ngn

MT.1070 - Entra Device join permissions should be restricted to selected users or disabled

marcel-ngn avatar Jul 27 '25 13:07 marcel-ngn

MT.1075 - Require explicit assignment of Third Party Entra Apps

edit: changed from 1071 to 1073 as it seems 1071 and 1072 are already in use as per maester-config.json :(

edit: 1073 and 1074 also already exist in PRs....

jflieben avatar Aug 21 '25 13:08 jflieben

> MT.1073 - Require explicit assignment of Third Party Entra Apps
>
> edit: changed from 1071 to 1073 as it seems 1071 and 1072 are already in use as per maester-config.json :(

Thanks for taking the time to add your test # here. Unfortunately, there's also a pending PR for 1073. Could you please bump yours to 1074?

I think we'll need to edit the PR template to make it harder for others to miss this step. 😉

SamErde avatar Aug 21 '25 13:08 SamErde

> > MT.1073 - Require explicit assignment of Third Party Entra Apps
> >
> > edit: changed from 1071 to 1073 as it seems 1071 and 1072 are already in use as per maester-config.json :(
>
> Thanks for taking the time to add your test # here. Unfortunately, there's also a pending PR for 1073. Could you please bump yours to 1074?
>
> I think we'll need to edit the PR template to make it harder for others to miss this step. 😉

1074 is also taken in a PR already, changed to 1075. I don't know how to change the branch name, but changed the relevant files

jflieben avatar Aug 21 '25 13:08 jflieben

MT.1076 - Microsoft Online Exchange Routing Addresses (MOERA) SHOULD NOT be used for sent mail.

soulemike avatar Aug 25 '25 14:08 soulemike

  • MT.1077 - App registrations with privileged API permissions should have no owners
  • MT.1078 - App Registrations with high-privileged directory roles should have no owners
  • MT.1079 - Privileged API permissions on workload identities should not be unused
  • MT.1080 - Credentials, token or cookies from high-privileged users should not be exposed on vulnerable endpoints
  • MT.1081 - Hybrid users should not be assigned to Entra ID role assignments

Cloud-Architekt avatar Aug 27 '25 19:08 Cloud-Architekt

MT.1082 - Ensure Soft Delete is enabled on all Key Vaults

brianveldman avatar Aug 29 '25 08:08 brianveldman

MT.1083 - Ensure Delicensing Resiliency is enabled

l-gosling avatar Aug 29 '25 19:08 l-gosling

MT.1084 - Seamless Single SignOn should be disabled for all domains in EntraID Connect servers.

RobbeVandenDaele avatar Sep 05 '25 10:09 RobbeVandenDaele

MT.1085 - Pending approvals for Critical Asset Management should not be present

Cloud-Architekt avatar Nov 02 '25 13:11 Cloud-Architekt

  • MT.1086 - Devices should not share both critical and non-critical user credentials.
  • MT.1087 - Devices should not be publicly exposed with remotely exploitable, highly likely to be exploited, high or critical severity CVEs.
  • MT.1088 - Devices with critical credentials should be protected by TPM.

RobbeVandenDaele avatar Nov 06 '25 21:11 RobbeVandenDaele

MT.1089 - Devices with critical credentials should be protected by Credential Guard.

RobbeVandenDaele avatar Nov 11 '25 21:11 RobbeVandenDaele

  • MT.1090 - Global administrator role should not be added as local administrator on the device during Microsoft Entra join
  • MT.1091 - Registering user should not be added as local administrator on the device during Microsoft Entra join

nicolonsky avatar Nov 12 '25 09:11 nicolonsky

  • MT.1092 - Intune APNS certificate should be valid for more than 30 days
  • MT.1093 - Apple Automated Device Enrollment Tokens should be valid for more than 30 days
  • MT.1094 - Apple Volume Purchase Program Tokens should be valid for more than 30 days
  • MT.1095 - Android Enterprise Account Connection should be healthy
  • MT.1096 - Intune Multi Admin approval should be configured
  • MT.1097 - Certificate Connectors should be healthy and running supported versions
  • MT.1098 - Mobile Threat Defense Connectors should be healthy
  • MT.1099 - Windows Diagnostic Data Processing should be enabled
  • MT.1100 - Intune Audit Logs should be retained
  • MT.1101 - Default Branding Profile should be customized
  • MT.1102 - Windows Feature Update Policy Settings should not reference end of support builds

nicolonsky avatar Nov 12 '25 13:11 nicolonsky