Michael
Here is CISA's implementation, where you can see the same requirements. https://github.com/cisagov/ScubaGear/blob/30a78bcd52390883a3f5167fcbfe9a546b161ca4/PowerShell/ScubaGear/Rego/AADConfig.rego#L282 The current method with Maester to handle what you are looking for would be to remove, skip, or...
Just as an aside to the idea above, we published a blog around controls. https://maester.dev/blog/compensating-controls
The addition as another type would allow for it to process both endpoints. I am not certain offhand of the different combinations that may be possible to occur, but I don't...
Yeah, since these are read-only, they should be skipped or checked for scoping ideally to confirm they aren't in use. I know ORCA passes a property on the objects for...
I was just testing and it appears that the skip is not working once the tests are regenerated, but the test itself passes even though all policies are skipped, so...
Since CIS calls out default specifically, I think this test is still valid. I think there is merit to actually checking which policies have a filter set though and what...
MT.1076 - Microsoft Online Exchange Routing Addresses (MOERA) SHOULD NOT be used for sent mail.
Good catch and suggested resolution. I was trying to find something definitive on it, but with the expansion of TLDs I think technically there are some that may use _-...