ScubaGear currently only supports exclusions of users or groups from conditional access policies via a feature in the configuration file. The user can configure specific users and groups that are to be "ignored" by the tool when running the policy check. There are additional types of exclusions that a user can define in conditional access policies that there is currently no way to exclude in the configuration file. Those exclusion types are A) exclusion of guest users and B) exclusion of applications. See the related coding issue here for more details and screenshots. Here is a link to the currently supported exclusions in the config file.
The scope of this issue is to discuss with CISA and determine if changes need to be made to the baselines and/or ScubaGear.
Implementation notes
[ ] Discuss with CISA and document a decision here
[ ] If necessary, create a new issue to update language in the baseline (this may or may not be needed)
[ ] If necessary, create a new issue to add the new exclusion types to ScubaGear. This would require new config file entry types and a change to the affected Rego code that checks the exclusions. Note: checks for exclusions should be implemented in helper rulesets to maximize code consistency and re-use.
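To illustrate the kind of check the third implementation note describes, here is an added example (not ScubaGear's code; the approval-list schema, function names and sample policy are constructed) that compares a Conditional Access policy's exclusions, including guest and application exclusions, against a configured approval list. Policy field names follow the Microsoft Graph conditionalAccessPolicy resource.

```python
# Constructed approval list, standing in for a ScubaGear-style config file entry
# (hypothetical schema: the real config file only has users and groups today).
APPROVED_EXCLUSIONS = {
    "users": {"11111111-aaaa-4bbb-8ccc-000000000001"},       # break-glass account
    "groups": {"22222222-aaaa-4bbb-8ccc-000000000002"},      # emergency-access group
    "guests": True,                                          # guest exclusion is approved
    "applications": {"33333333-aaaa-4bbb-8ccc-000000000003"},
}

# Constructed policy, shaped like a Graph conditionalAccessPolicy object.
SAMPLE_POLICY = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": ["11111111-aaaa-4bbb-8ccc-000000000001",
                             "44444444-aaaa-4bbb-8ccc-000000000004"],  # not approved
            "excludeGroups": ["22222222-aaaa-4bbb-8ccc-000000000002"],
            "excludeGuestsOrExternalUsers": {"guestOrExternalUserTypes": "b2bCollaborationGuest"},
        },
        "applications": {
            "includeApplications": ["All"],
            "excludeApplications": ["55555555-aaaa-4bbb-8ccc-000000000005"],  # not approved
        },
    },
}


def unapproved_exclusions(policy, approved):
    """Return exclusions in `policy` that `approved` does not cover, keyed by type."""
    users = policy["conditions"]["users"]
    apps = policy["conditions"].get("applications", {})
    findings = {}
    bad_users = set(users.get("excludeUsers", [])) - approved["users"]
    if bad_users:
        findings["users"] = sorted(bad_users)
    bad_groups = set(users.get("excludeGroups", [])) - approved["groups"]
    if bad_groups:
        findings["groups"] = sorted(bad_groups)
    # Graph sets excludeGuestsOrExternalUsers to null when no guest exclusion exists.
    if users.get("excludeGuestsOrExternalUsers") and not approved["guests"]:
        findings["guests"] = [users["excludeGuestsOrExternalUsers"]["guestOrExternalUserTypes"]]
    bad_apps = set(apps.get("excludeApplications", [])) - approved["applications"]
    if bad_apps:
        findings["applications"] = sorted(bad_apps)
    return findings


def policy_is_compliant(policy, approved):
    """True only when every exclusion on the policy is pre-approved in the config."""
    return not unapproved_exclusions(policy, approved)
```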