Closed OfficialEsco closed 6 months ago
Two things; only sponsors can create FRs, and we'll never introduce a feature that will allow users to decrease security for all their tenants as a whole.
We are sponsors. (Ren Røros Digital) So the recommended way is to manually disable Security Defaults before we deploy the standards? Or when needing Conditional Access?
Correct!
Brainstorming from Discord https://discord.com/channels/905453405936447518/905454401639047228/1247976533973270600
If a policy enables MFA we could disable Security Defaults
Where-Object {
    ($_.policyApplies -eq $true -AND $_.state -eq "enabled") -AND
    ($_.grantControls.builtInControls -eq 'MFA' -OR $_.grantControls.authenticationStrength) -AND
    $_.conditions.applications.includeApplications -eq "All"
}
authenticationStrength contains https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies('xx-xx-xx-xx-xx')/grantControls/authenticationStrength/$entity
so it needs future investigation
Description of the new feature - must be an in-depth explanation of the feature you want, reasoning why, and the added benefits for MSPs as a whole.
I'm not sure if there is a clear reason why this is not a feature, but you cannot deploy Conditional Access policies without "Security Defaults" being Disabled, which means when you've added policies to "Conditional Access Template" it does nothing until "Security Defaults" have been manually disabled on the tenant.
Would it be smart to add an optional input for "Enable Security Default" which includes $true (default) and $false? Also add a warning to the description that you cannot deploy policies when it's Enabled?
PowerShell commands you would normally use to achieve above request
$body = '{ "isEnabled": false }'
A quick change to Invoke-CIPPStandardSecurityDefaults.ps1 should do the job
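The gate brainstormed in the thread (only treat Security Defaults as replaceable when an enforced Conditional Access policy already requires MFA) can be sketched as follows. This is an added example, not code from the thread or from CIPP; the function names, the `New-SamplePolicy` helper and the sample policies are hypothetical and constructed, and the all-users and grant-operator checks are assumptions that go beyond the filter posted above.

```powershell
# Added example. Sample policies are constructed; no tenant is contacted.
function Test-CAPolicyEnforcesMfa {
    param([Parameter(Mandatory)] $Policy)
    # Disabled and report-only policies enforce nothing.
    if ($Policy.state -ne 'enabled') { return $false }
    $grant    = $Policy.grantControls
    $builtIn  = @($grant.builtInControls | Where-Object { $_ })
    $strength = $null -ne $grant.authenticationStrength
    # Assumption: any authentication strength counts as MFA (open question in the thread).
    if (-not (($builtIn -contains 'mfa') -or $strength)) { return $false }
    # Under operator OR with several controls, MFA is only one way to pass.
    $controlCount = $builtIn.Count + [int]$strength
    if ($grant.operator -eq 'OR' -and $controlCount -gt 1) { return $false }
    # Added requirement: the policy must cover all apps and all users.
    $allApps  = $Policy.conditions.applications.includeApplications -contains 'All'
    $allUsers = $Policy.conditions.users.includeUsers -contains 'All'
    return ($allApps -and $allUsers)
}

function Get-SecurityDefaultsDecision {
    param([object[]] $Policies)
    $covering = @($Policies | Where-Object { Test-CAPolicyEnforcesMfa -Policy $_ })
    [pscustomobject]@{
        CanDisableSecurityDefaults = $covering.Count -gt 0
        CoveringPolicies           = @($covering | ForEach-Object displayName)
    }
}

# Hypothetical helper that builds a constructed sample policy object.
function New-SamplePolicy($Name, $State, $Operator, $Controls, $Apps) {
    [pscustomobject]@{
        displayName   = $Name
        state         = $State
        grantControls = [pscustomobject]@{ operator = $Operator; builtInControls = $Controls; authenticationStrength = $null }
        conditions    = [pscustomobject]@{
            applications = [pscustomobject]@{ includeApplications = $Apps }
            users        = [pscustomobject]@{ includeUsers = @('All') }
        }
    }
}

$policies = @(
    New-SamplePolicy 'Report-only MFA' 'enabledForReportingButNotEnforced' 'OR' @('mfa') @('All')
    New-SamplePolicy 'MFA or compliant device' 'enabled' 'OR' @('mfa', 'compliantDevice') @('All')
    New-SamplePolicy 'MFA for admin portals' 'enabled' 'OR' @('mfa') @('MicrosoftAdminPortals')
    New-SamplePolicy 'Require MFA for all users' 'enabled' 'OR' @('mfa') @('All')
)
Get-SecurityDefaultsDecision -Policies $policies
```

Only the last sample policy passes: the others are report-only, allow a non-MFA alternative, or cover a single application, so none of them would keep MFA in force once Security Defaults is off.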