cisagov / ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

AAD policy check 3.7 is missing support for user exclusions #988

Closed tkol2022 closed 2 months ago

tkol2022 commented 6 months ago

🐛 Summary

The Rego code for AAD policy check 3.7 is missing support for user/group exclusions. All of the policies related to conditional access should support exclusions for consistency.

To reproduce

Take a look at the source code for AAD policy 3.7 and you will see that it is missing the exclusion code block (taken from 3.8) in the screenshot below.

Expected behavior

I expected the policy to support exclusions so that it is consistent with all other policies related to conditional access.
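To make the gap described above concrete, here is an added illustration of what "support for user/group exclusions" looks like in a Rego policy check. This is example code written for this page, not ScubaGear's own Rego, and it assumes a hypothetical input shape (`input.policies`, `input.allowed_exclusions`) rather than ScubaGear's real schema. The idea it shows is the one the issue asks for: a conditional access policy only counts as satisfying the baseline if every user or group it excludes is on the documented, organization-approved exclusion list; a policy with undocumented exclusions is treated as non-conforming rather than silently accepted.

```rego
package example.aad

import future.keywords

# Hypothetical input shape (constructed for this example, not ScubaGear's schema):
#
# {
#   "policies": [
#     {
#       "display_name": "Require MFA for all users",
#       "state": "enabled",
#       "require_mfa": true,
#       "exclude_users":  ["breakglass@example.com"],
#       "exclude_groups": []
#     }
#   ],
#   "allowed_exclusions": {
#     "users":  ["breakglass@example.com"],
#     "groups": []
#   }
# }

# The check passes when at least one enabled policy enforces the control
# and carries only approved exclusions.
default compliant := false

compliant if count(conforming_policies) > 0

# Set of policy names that satisfy the baseline, including the exclusion rule.
conforming_policies contains p.display_name if {
    some p in input.policies
    p.state == "enabled"
    p.require_mfa == true
    exclusions_allowed(p)
}

# A policy's exclusions are acceptable only when every excluded user and
# group appears in the documented allow-list. Missing exclusion fields are
# treated as empty, so a policy with no exclusions passes this part.
exclusions_allowed(p) if {
    every u in object.get(p, "exclude_users", []) {
        u in input.allowed_exclusions.users
    }
    every g in object.get(p, "exclude_groups", []) {
        g in input.allowed_exclusions.groups
    }
}

# Names of policies that would otherwise conform but exclude someone not on
# the approved list; useful to surface in a report so the gap is visible.
policies_with_undocumented_exclusions contains p.display_name if {
    some p in input.policies
    p.state == "enabled"
    p.require_mfa == true
    not exclusions_allowed(p)
}
```

With the constructed input saved as `input.json` and the policy as `policy.rego`, `opa eval -i input.json -d policy.rego 'data.example.aad'` evaluates to `compliant: true` and an empty `policies_with_undocumented_exclusions` set; removing `breakglass@example.com` from `allowed_exclusions.users` flips `compliant` to `false` and lists the policy under `policies_with_undocumented_exclusions`. Without the `exclusions_allowed` predicate (the situation the issue describes for 3.7), the second case would still report compliant, which is exactly the inconsistency between checks that the report should avoid.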

schrolla commented 5 months ago

Related issue #738 . Task both together.

dagarwal-mitre commented 3 months ago

@tkol2022 Julian and I are working on this issue, and we believe that AAD policy check 3.3 is also missing the user exclusions. Could you please take a look and confirm this?

tkol2022 commented 3 months ago

> @tkol2022 Julian and I are working on this issue, and we believe that AAD policy check 3.3 is also missing the user exclusions. Could you please take a look and confirm this?

Yes, that is by design. Although you can technically exclude users from showing login context information during MFA for authenticator, there probably wouldn't be any good reason for an organization to turn that off for any users.