Refine conditional access policy evaluation

[schrolla]

Description

This epic is a larger feature to continue evolving the ScubaGear AAD conditional access policy evaluation logic. The work is improve the AAD secure configuration baselines by enhancing evaluation and assessment of conditional access policy (CAP) settings.

Initiative / Goal

The goal is to improve ScubaGear assessment checks of AAD policies that require a CAP to apply broadly to the tenant's users or applications. At this time, due to the large number of conditions available in CAPs, the tool may provide a false negative (pass) when one or more CAPs meet a baseline policy broadly but has additional conditions that limit its application more narrowly than the policy indicates.

Relevant Issues

• 1170

• 1184

• 86

• 1323

Hypothesis

By improving the evaluation of Azure AD CAPs, ScubaGear can better highlight tenant configurations that do not match the recommended security settings for strong access control. This hypothesis can be tested by collecting feedback from agencies and running the tool internally against tenants in which CAPs meeting the edge cases where a variety of conditions are set to limit the application of a policy to the tenant users and applications.

Acceptance criteria

Criteria that are considered must have for feature launch and in-scope for this epic include:

• [ ] Additional conditions for ScubaGear evaluation have been identified
• [ ] New unit and functional tests have been added that exercise the new conditions
• [ ] New evaluation logic has been successfully added to the ScubaGear Azure AD provider and Rego module
• [ ] All new unit and functional tests successfully pass using the new logic

Stakeholders / Resources

Include CISA decision makers and dev team members in discussions about this epic. Resources needed for this epic include access to test tenants and possibly ability to temporarily modify privileged roles for testing purposes.

Timeline

The current projected timeline for delivery of this epic feature is with the associated release milestone.

Associated Tasks

[tkol2022]

I added issues that I felt were related to this epic in the description above. Please review. We should probably set a priority order to work the respective issues.

[tkol2022]

@schrolla @mitchelbaker-cisa @dagarwal-mitre I performed a detailed re-review of the issues still open associated with this epic and here are my suggestions:

• Issues #1170 and #1323 should be worked together because I feel that testing these will take some time from the developer and pull request reviewer and if we had two separate pull requests it might be inefficient. I think we should implement these two first because they are finely scoped and may require less design time.
• Issue #86 can be worked separately and the code needed to implement it may not be as generic as the issues in the first bullet. If we want to push any issues to next release, my recommendation would be this one.
• If we need to push any of these to the next release to focus on the service principal epic we can do that but I would recommend we work these as soon as possible because we want the conditional access policy checks to be as precise as possible in the coming months.