MT.1020 - Incorrectly presenting policies that are scoped to All Users
Noticing with this test that currently it is advising that we have 6-8 policies that are currently including either All Users or scoping to Sync_ accounts.
There must be something wrong with the logic unless it's looking for every policy to explicitly exclude the sync accounts? The policies it is complaining about are all either scoped to individuals, groups, or role based but none are relevant to the "Sync_" accounts.
The policy does the following:
- Checks to see if it's configured for all applications, and if not, passes.
- Checks to see if it only applies to external/guest accounts; if so, passes.
- Checks for a legacy authentication block; if yes, passes.
Then it goes on to the more complex logic: it checks to see if the sync accounts are included in the policy explicitly, either by user account or role. If they are, the policy is specifically for those accounts, so it passes.
It then checks whether or not the sync accounts have been excluded from the policies; if they haven't, the test fails.
So, either the logic on the check is wrong, or the purpose/description of the test is wrong. At no point does it check if all users are included in the policy. The only user check is whether or not sync accounts are included or not.
So, the test logic would need more checks on the users, or the description changed to state only All Cloud Apps regardless of users.
@f-bader thoughts on the test?
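The decision sequence described in the report above, written out as an added illustration (not Maester's own MT.1020 code); the policy dicts, the sync account names and the `SYNC_ROLE` string are constructed stand-ins, and the `check_all_users` switch models the extra user-scope check the reporter asks for:

```python
# Added illustration of the MT.1020 logic as described in the issue.
# Not Maester's code; policies are constructed, simplified stand-ins.
SYNC_ROLE = "Directory Synchronization Accounts"            # assumed role name
SYNC_USERS = {"sync_a@contoso.example", "sync_b@contoso.example"}  # constructed

def evaluate_mt1020(policy, sync_users=SYNC_USERS, check_all_users=False):
    """Return (passes, reason) for one policy.

    check_all_users=False reproduces the sequence the issue describes;
    check_all_users=True adds the user-scope check the reporter suggests,
    so a policy that is not scoped to All Users passes as well.
    """
    if policy["applications"] != "All":
        return True, "not scoped to all cloud apps"
    if policy.get("external_users_only"):
        return True, "applies only to external/guest users"
    if policy.get("blocks_legacy_auth"):
        return True, "legacy authentication block"
    if check_all_users and policy["users_include"] != "All":
        return True, "not scoped to All Users"
    # Sync accounts targeted explicitly, by account or role: policy is for them.
    if policy["users_include"] == "All":
        explicitly_included = False
    else:
        explicitly_included = bool(set(policy["users_include"]) & sync_users)
    if explicitly_included or SYNC_ROLE in policy.get("roles_include", []):
        return True, "sync accounts explicitly targeted"
    # Otherwise the sync accounts must be excluded, or the test fails.
    if (sync_users <= set(policy.get("users_exclude", []))
            or SYNC_ROLE in policy.get("roles_exclude", [])):
        return True, "sync accounts excluded"
    return False, "sync accounts neither targeted nor excluded"

# Constructed policies mirroring the report: one really scoped to All Users,
# one scoped to a single group but still covering all cloud apps.
POLICIES = {
    "Require MFA - All Users": {"applications": "All", "users_include": "All",
                                "users_exclude": []},
    "Require MFA - Finance group": {"applications": "All",
                                    "users_include": ["group:finance"],
                                    "users_exclude": []},
    "Block legacy auth": {"applications": "All", "users_include": "All",
                          "blocks_legacy_auth": True},
}

def failing_policies(check_all_users=False):
    """Names of the policies the test would flag under the chosen logic."""
    return sorted(name for name, p in POLICIES.items()
                  if not evaluate_mt1020(p, check_all_users=check_all_users)[0])
```

With the described logic the group-scoped policy is flagged alongside the All Users one; with the extra user-scope check only the All Users policy remains.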
There are some new updates that will be coming in this space. I think we can remove this test altogether (looking for sync accounts) at that point. Should be out in the next month or two.
I will validate but agree that with the changes ahead this should no longer be required
Any change on this one yet?