Open
Labels: bug (this issue addresses broken functionality), enhancement (this issue will add new or improve existing functionality)
Description
Prerequisites
- This issue has an informative and human-readable title.
💡 Summary
The purpose of this issue is to address gaps in how ScubaGear assesses Conditional Access policies. Currently the tool does not check all of the assignments that can be configured on a Conditional Access policy, such as:
- Network
- Conditions
  - user risk
  - sign-in risk
  - insider risk
  - device platforms
  - locations
  - client apps
  - filter for devices
  - authentication flows
- Session
Motivation and context
This would help eliminate false "PASS" results in ScubaGear for Conditional Access policies that have any of the listed assignments configured. These assignments introduce gaps and vulnerabilities into the tenant.
Implementation notes
Ensure ScubaGear only produces a "PASS" result for a Conditional Access policy under the following controls when none of the additional assignments listed above is selected:
- MS.AAD.3.1v1
- MS.AAD.3.2v1
- MS.AAD.3.6v1
- MS.AAD.3.7v1
- MS.AAD.3.8v1
- MS.AAD.3.9v1
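One way to express that check, written here as an added Python illustration rather than ScubaGear's own Rego: it assumes the Microsoft Graph conditionalAccessPolicy property names (including the newer insiderRiskLevels property), and the sample policies are constructed.

```python
# Added illustration, not ScubaGear's Rego. Property names follow the Microsoft
# Graph conditionalAccessPolicy resource as the author reads it (an assumption);
# the sample policies below are constructed.

def configured(value):
    """True when a Graph property is actually set: not null, empty, "none",
    the default ["all"] client-app list, or an object with no member set."""
    if value in (None, False, "", "none", [], {}, ["all"]):
        return False
    if isinstance(value, dict):
        return any(configured(v) for v in value.values())
    return True

# Assignment named in the issue -> Graph property under policy["conditions"]
# (Network and Locations both surface in conditions.locations).
CONDITION_PROPERTIES = {
    "network/locations": "locations", "user risk": "userRiskLevels",
    "sign-in risk": "signInRiskLevels", "insider risk": "insiderRiskLevels",
    "device platforms": "platforms", "client apps": "clientAppTypes",
    "filter for devices": "devices", "authentication flows": "authenticationFlows",
}

def extra_assignments(policy):
    """Names of the narrowing assignments configured on the policy."""
    conds = policy.get("conditions") or {}
    found = [n for n, p in CONDITION_PROPERTIES.items() if configured(conds.get(p))]
    if configured(policy.get("sessionControls")):
        found.append("session")
    return found

def baseline_result(policy):
    """PASS only for an enabled policy that carries no narrowing assignment."""
    if policy.get("state") != "enabled" or extra_assignments(policy):
        return "FAIL"
    return "PASS"

# Constructed samples: a tenant-wide MFA policy, then variants that add a
# location exclusion and a sign-in-frequency session control.
BASE = {
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["All"]},
                   "clientAppTypes": ["all"], "signInRiskLevels": [], "userRiskLevels": [],
                   "locations": None, "platforms": None, "devices": None},
    "grantControls": {"builtInControls": ["mfa"]}, "sessionControls": None,
}
WITH_LOCATION = {**BASE, "conditions": {**BASE["conditions"], "locations": {
    "includeLocations": ["All"], "excludeLocations": ["<trusted-location-id>"]}}}
WITH_SESSION = {**BASE, "sessionControls": {
    "signInFrequency": {"isEnabled": True, "value": 1, "type": "hours"}}}
```

A functional test in the spirit of the acceptance criteria would feed policies like WITH_LOCATION and WITH_SESSION through the check and expect "FAIL".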
Acceptance criteria
- The Rego for the policies identified above has been updated to reflect the implementation described above.
- Functional tests have been updated to cover policies on which four of the assignments listed above have been set, and those tests produce a "FAIL" result when run.