Closed tkol2022 closed 2 months ago
Related issue #738. Task both together.
@tkol2022 Julian and I are working on this issue, and we believe that AAD policy check 3.3 is also missing the user exclusions. Could you please take a look and confirm this?
Yes, that is by design. Although you can technically exclude users from showing login context information during MFA for authenticator, there probably wouldn't be any good reason for an organization to turn that off for any users.
🐛 Summary
The Rego code for AAD policy check 3.7 is missing support for user/group exclusions. All of the policies related to conditional access should support exclusions for consistency.
To reproduce
Take a look at the source code for AAD policy 3.7 and you will see that it is missing the exclusion code block (taken from 3.8) in the screenshot below.
Expected behavior
I expected the policy to support exclusions so that it is consistent with all other policies related to conditional access.