public/maester/entra/Test-MtCaMfaForAdminManagement.ps1
|
<#
.Synopsis Checks if the tenant has at least one conditional access policy requiring multifactor authentication to access Azure management. .Description MFA for Azure management is a critical security control. This function checks if the tenant has at least one conditional access policy requiring multifactor authentication to access Azure management. Learn more: https://learn.microsoft.com/entra/identity/conditional-access/howto-conditional-access-policy-azure-management .Example Test-MtCaMfaForAdminManagement .LINK https://mycorp.dev/docs/commands/Test-MtCaMfaForAdminManagement #> function Test-MtCaMfaForAdminManagement { [CmdletBinding()] [OutputType([bool])] param () if ( ( Get-MtLicenseInformation EntraID ) -eq "Free" ) { Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP1 return $null } $policies = Get-MtConditionalAccessPolicy | Where-Object { $_.state -eq "enabled" } $policiesResult = New-Object System.Collections.ArrayList $testDescription = " Microsoft recommends requiring MFA for Azure Management. See [Require MFA for administrators - Microsoft Learn](https://learn.microsoft.com/entra/identity/conditional-access/howto-conditional-access-policy-admin-mfa)" $result = $false foreach ($policy in $policies) { if ( ( $policy.grantcontrols.builtincontrols -contains 'mfa' ` -or $policy.grantcontrols.authenticationStrength.requirementsSatisfied -contains 'mfa' ) ` -and ($policy.conditions.users.includeUsers -eq "All" ` -or ("62e90394-69f5-4237-9190-012177145e10" -in $policy.conditions.users.includeRoles ` -and "194ae4cb-b126-40b2-bd5b-6091b380977d" -in $policy.conditions.users.includeRoles ` -and "f28a1f50-f6e7-4571-818b-6a12f2af6b6c" -in $policy.conditions.users.includeRoles ` -and "29232cdf-9323-42fd-ade2-1d097af3e4de" -in $policy.conditions.users.includeRoles ` -and "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9" -in $policy.conditions.users.includeRoles ` -and "729827e3-9c14-49f7-bb1b-9608f156bbb8" -in $policy.conditions.users.includeRoles ` -and "b0f54661-2d74-4c50-afa3-1ec803f12efe" -in $policy.conditions.users.includeRoles ` -and "fe930be7-5e62-47db-91af-98c3a49a38b1" -in $policy.conditions.users.includeRoles ` -and "c4e39bd9-1100-46d3-8c65-fb160da0071f" -in $policy.conditions.users.includeRoles ` -and "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3" -in $policy.conditions.users.includeRoles ` -and "158c047a-c907-4556-b7ef-446551a6b5f7" -in $policy.conditions.users.includeRoles ` -and "966707d0-3269-4727-9be2-8c3a10f19b9d" -in $policy.conditions.users.includeRoles ` -and "7be44c8a-adaf-4e2a-84d6-ab2649e08a13" -in $policy.conditions.users.includeRoles ` -and "e8611ab8-c189-46e8-94e1-60213ab1f814" -in $policy.conditions.users.includeRoles )) ` -and ("797f4846-ba00-4fd7-ba43-dac1f8f63013" -in $policy.conditions.applications.includeApplications ` -or "MicrosoftAdminPortals" -in $policy.conditions.applications.includeApplications ` -or $policy.conditions.applications.includeApplications -contains "All") ` ) { $result = $true $currentresult = $true $policiesResult.Add($policy) | Out-Null } else { $currentresult = $false } Write-Verbose "$($policy.displayName) - $currentresult" } if ( $result ) { $testResult = "The following conditional access policies require multi-factor authentication for azure management:`n`n%TestResult%" } else { $testResult = "No conditional access policy requires multi-factor authentication for azure management resources." } Add-MtTestResultDetail -Description $testDescription -GraphObjects $policiesResult -Result $testResult -GraphObjectType ConditionalAccess return $result } |