cisagov / ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

Implement new AAD Rego policy MS.AAD.3.3v1 MS authenticator context information #410

Closed tkol2022 closed 4 months ago

tkol2022 commented 1 year ago

💡 Summary

Implement a new Rego policy check for MS.AAD.3.3v1: "If Phishing-resistant MFA has not been enforced yet and Microsoft Authenticator is enabled, it SHALL be configured to show login context information."

Acceptance criteria

How do we know when this work is done?

tkol2022 commented 7 months ago

@schrolla Did some hands-on research on this one. It can be assigned to someone now. Whoever starts working on this should check in with me to get some guidance.

Turns out an existing cmdlet in the AAD provider can be used to get the data needed for this issue: `Get-MgBetaPolicyAuthenticationMethodPolicy`. However, the code might need to be adjusted to get the cmdlet to expose the data needed for this issue, and Crutch recently modified the respective provider line of code in PR #902, so whoever works on this will need to work from Crutch's version to eliminate conflicts.

Here is an example of how to check whether the MS authenticator is enabled:

```powershell
(Get-MgBetaPolicyAuthenticationMethodPolicy).authenticationMethodConfigurations | fl
```


Here is an example of how to interrogate the configuration settings of MS authenticator to see if show application name and show geographic location configurations match the baseline:


```powershell
((Get-MgBetaPolicyAuthenticationMethodPolicy).authenticationMethodConfigurations | Where-Object { $_.Id -eq 'MicrosoftAuthenticator' }).AdditionalProperties["featureSettings"] | fl
```


For the feature settings `displayAppInformationRequiredState` and `displayLocationInformationRequiredState` you have to make sure they are enabled and that they are scoped to All Users per the baseline.
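The conditions described in the comment above (Authenticator enabled, both context-information feature settings enabled and scoped to All Users) can be evaluated offline against the object shape the cmdlet returns. The following is an added example, not ScubaGear project code and not the Rego policy this issue asks for; it assumes the Graph beta schema for `featureSettings` (each setting carrying a `state` and an `includeTarget` whose `id` is `all_users` when scoped to everyone), and it does not model the "phishing-resistant MFA not yet enforced" precondition, which the baseline evaluates separately.

```powershell
# Added example (not ScubaGear project code). Checks the MS.AAD.3.3v1 conditions
# against an object shaped like Get-MgBetaPolicyAuthenticationMethodPolicy output.
# Assumption: featureSettings entries look like
#   { state = 'enabled'; includeTarget = @{ targetType = 'group'; id = 'all_users' } }
# Verify these names against a real tenant before relying on them.
function Test-MsAuthenticatorContextInfo {
    [CmdletBinding()]
    param(
        # Output of Get-MgBetaPolicyAuthenticationMethodPolicy, or a sample with
        # the same authenticationMethodConfigurations structure
        [Parameter(Mandatory)] $AuthMethodPolicy
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # Locate the Microsoft Authenticator configuration entry (same filter as above)
    $msAuth = $AuthMethodPolicy.authenticationMethodConfigurations |
        Where-Object { $_.Id -eq 'MicrosoftAuthenticator' }

    if (-not $msAuth) {
        $findings.Add('MicrosoftAuthenticator configuration not present in policy')
        return [pscustomobject]@{ Pass = $false; Findings = $findings }
    }

    # The requirement only applies when Authenticator is enabled
    if ($msAuth.State -ne 'enabled') {
        $findings.Add('Microsoft Authenticator is disabled; MS.AAD.3.3v1 not applicable')
        return [pscustomobject]@{ Pass = $true; Findings = $findings }
    }

    $features = $msAuth.AdditionalProperties['featureSettings']

    foreach ($name in 'displayAppInformationRequiredState',
                      'displayLocationInformationRequiredState') {
        $setting = $features[$name]
        if (-not $setting) {
            $findings.Add("$name is missing from featureSettings")
            continue
        }
        if ($setting['state'] -ne 'enabled') {
            $findings.Add("$name state is '$($setting['state'])', expected 'enabled'")
        }
        $targetId = $setting['includeTarget']['id']
        if ($targetId -ne 'all_users') {
            $findings.Add("$name is scoped to '$targetId', expected all_users")
        }
    }

    [pscustomobject]@{ Pass = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample (not real tenant output): app name correctly scoped to All Users,
# location scoped to a single placeholder group, which should fail the check.
$sample = [pscustomobject]@{
    authenticationMethodConfigurations = @(
        [pscustomobject]@{
            Id    = 'MicrosoftAuthenticator'
            State = 'enabled'
            AdditionalProperties = @{
                featureSettings = @{
                    displayAppInformationRequiredState = @{
                        state         = 'enabled'
                        includeTarget = @{ targetType = 'group'; id = 'all_users' }
                    }
                    displayLocationInformationRequiredState = @{
                        state         = 'enabled'
                        includeTarget = @{ targetType = 'group'; id = '<placeholder-group-id>' }
                    }
                }
            }
        }
    )
}

Test-MsAuthenticatorContextInfo -AuthMethodPolicy $sample

# Against a live tenant (after Connect-MgGraph with a scope that can read the policy):
# Test-MsAuthenticatorContextInfo -AuthMethodPolicy (Get-MgBetaPolicyAuthenticationMethodPolicy)
```

Property access in PowerShell is case-insensitive, so `.authenticationMethodConfigurations` resolves against both the cmdlet's PascalCase output and the constructed sample; nested values under `AdditionalProperties` are dictionary-like in both cases, which is why the function indexes with `[]` rather than dot notation.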

tkol2022 commented 7 months ago

Here is an example of what a properly configured MS authenticator looks like in the Azure AD authentication methods page in the portal.


schrolla commented 7 months ago

@tkol2022 Thanks for digging in to this one to find the needed settings and cmdlets!

tkol2022 commented 6 months ago

This should not affect the coding of this issue, but I'm just documenting it here for historical reference.

@nanda-katikaneni and I tested the MS Authenticator settings (show application name and geographic location). We found that, as long as MS Authenticator is Enabled and set up as per the 3.3 implementation requirements, the MS Authenticator app uses those features regardless of what value the tenant is set to in Authentication Methods > Manage Migration > migration status. In other words, the tenant does not have to be at the Migration Complete status for the authenticator configuration to work.