Closed tkol2022 closed 4 months ago
@schrolla Did some hands-on research on this one. It can be assigned to someone now. Whoever starts working on this should check in with me to get some guidance.
Turns out an existing cmdlet in the AAD provider can be used to get the data needed for this issue: Get-MgBetaPolicyAuthenticationMethodPolicy, but the code might need to be adjusted to get the cmdlet to expose the data needed for this issue. Crutch recently modified the respective provider line of code in PR #902, so whoever works on this will need to work from Crutch's version to eliminate conflicts.
Here is an example of how to check whether the MS authenticator is enabled.
(Get-MgBetaPolicyAuthenticationMethodPolicy).authenticationMethodConfigurations | fl
Here is an example of how to interrogate the configuration settings of MS authenticator to see if show application name and show geographic location configurations match the baseline:
((Get-MgBetaPolicyAuthenticationMethodPolicy).authenticationMethodConfigurations | Where-Object { $_.Id -eq 'MicrosoftAuthenticator' }).AdditionalProperties["featureSettings"] | fl
For the feature settings displayAppInformationRequiredState and displayLocationInformationRequiredState you have to make sure they are enabled and that they are scoped to All Users per the baseline.
Here is an example of what a properly configured MS authenticator looks like in the Azure AD authentication methods page in the portal.
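As an added example (editor's illustration, not ScubaGear's own policy code), this is one way the check described above could be expressed in Rego over that cmdlet's JSON output. The input keys input.authentication_method_policy and input.phishing_resistant_mfa_enforced are assumptions; the property names (id, state, featureSettings, includeTarget, all_users) follow the Graph beta schema the cmdlet returns.

```rego
package aad

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Added example, not ScubaGear's own policy code. Assumes the provider exports
# the raw Get-MgBetaPolicyAuthenticationMethodPolicy JSON as
# input.authentication_method_policy and a boolean
# input.phishing_resistant_mfa_enforced (both keys are assumptions).

# The MicrosoftAuthenticator entry of authenticationMethodConfigurations.
default ms_auth := {}

ms_auth := cfg if {
    some cfg in input.authentication_method_policy.authenticationMethodConfigurations
    cfg.id == "MicrosoftAuthenticator"
}

ms_auth_enabled if ms_auth.state == "enabled"

# A feature setting meets the baseline only when it is enabled AND scoped to
# the built-in "all_users" group, not to a subset of users.
feature_scoped_to_all(f) if {
    f.state == "enabled"
    f.includeTarget.targetType == "group"
    f.includeTarget.id == "all_users"
}

shows_login_context if {
    fs := ms_auth.featureSettings
    feature_scoped_to_all(fs.displayAppInformationRequiredState)
    feature_scoped_to_all(fs.displayLocationInformationRequiredState)
}

# MS.AAD.3.3v1 only applies when phishing-resistant MFA is not yet enforced
# and Microsoft Authenticator is enabled; otherwise it is trivially met.
applicable if {
    not input.phishing_resistant_mfa_enforced
    ms_auth_enabled
}

default requirement_met := false

requirement_met if not applicable

requirement_met if {
    applicable
    shows_login_context
}

tests contains {
    "PolicyId": "MS.AAD.3.3v1",
    "Commandlet": ["Get-MgBetaPolicyAuthenticationMethodPolicy"],
    "ActualValue": object.get(ms_auth, "featureSettings", {}),
    "RequirementMet": requirement_met,
}
```

A tenant where either feature is enabled but scoped to a single group fails the check, which is the case the baseline's "All Users" wording is meant to catch.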
@tkol2022 Thanks for digging in to this one to find the needed settings and cmdlets!
This should not affect the coding of this issue, but I'm just documenting it here for historical reference.
@nanda-katikaneni and I tested the MS Authenticator settings for (show application name and geographic location). We found that, as long as MS Authenticator is Enabled and set up as per the 3.3 implementation requirements, the MS Authenticator app uses those features regardless of what value the tenant is set to in Authentication Methods > Manage Migration > migration status. In other words, the tenant does not have to be at the Migration Complete status for the authenticator configuration to work.
💡 Summary
Implement a new Rego policy check for MS.AAD.3.3v1: If Phishing-resistant MFA has not been enforced yet and Microsoft Authenticator is enabled, it SHALL be configured to show login context information.
Acceptance criteria
How do we know when this work is done?