maester365 / maester

The core repository for the Maester module with helper cmdlets that will be called from the Pester tests.
https://maester.dev
MIT License

EIDSCA.AV01: Authentication Method - Voice call - State - not applicable for all environments. #117

Open Azdamus opened 2 months ago

Azdamus commented 2 months ago

For some companies that use computers in sterile rooms, where cell phones are not allowed because they can interfere with the manufacturing process, the only MFA methods that work are FIDO2 / PIV / phone call (desk phone), with each location having different policies based on geographical location and local rules. I do admit that phone call is insecure. Perhaps a warning should be added as a flag?

Cloud-Architekt commented 2 months ago

In general, I would like to keep the recommendation to avoid voice call as an MFA option. Integrating a kind of severity to identify a check as a "hard recommendation" or "it depends" would be a great addition. This is something that needs to be implemented in all checks. @Azdamus: Would allowing voice calls be strongly scoped to a user group in your described scenario?

Azdamus commented 2 months ago

I agree. In terms of script logic, my thinking is something along the lines of:

Going to a "hard recommendation" flag system can become tedious to manage and categorise. What classifies as a gentle recommendation, what classifies as a hard recommendation, what are the criteria, etc.

Cloud-Architekt commented 1 month ago

@Azdamus: We will be working on a feature to customize and/or waive the recommended value in Maester. Currently, the only option is to host a customized version of the EIDSCA.json file with the adjusted RecommendedValue. You can build a customized EIDSCA by providing the AadSecConfigUrl parameter to Update-EidscaTests.

Stay tuned for any updates regarding an integrated option in Maester.
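The workaround described in the last comment (host a customized EIDSCA config with an adjusted RecommendedValue and regenerate the tests from it), as an added example that is not part of the thread and not Maester's own code. The JSON layout below (a `Controls` array whose entries carry `CheckId` and `RecommendedValue`) is an assumption standing in for the real EIDSCA.json, the sample document is constructed, and the hosting URL is a placeholder; only the `Update-EidscaTests` command and its `AadSecConfigUrl` parameter come from the thread.

```powershell
# Added example (not Maester's own code): produce a customised EIDSCA config in which the
# voice-call check (EIDSCA.AV01) has its recommended value changed for the desk-phone
# scenario, then feed the hosted copy to Update-EidscaTests via -AadSecConfigUrl.
#
# ASSUMPTION: the config is JSON with a "Controls" array whose entries expose "CheckId"
# and "RecommendedValue". Compare against the EIDSCA.json you actually downloaded and
# adjust the property names if they differ.

# Constructed sample config standing in for the downloaded EIDSCA.json (assumed layout).
$sampleJson = @'
{
  "Controls": [
    {
      "CheckId": "AV01",
      "ControlName": "Authentication Method - Voice call - State",
      "RecommendedValue": "disabled"
    },
    {
      "CheckId": "AM01",
      "ControlName": "Authentication Method - Microsoft Authenticator - State",
      "RecommendedValue": "enabled"
    }
  ]
}
'@

function Set-EidscaRecommendedValue {
    <#
    .SYNOPSIS
        Returns a copy of an EIDSCA-style JSON config with one check's RecommendedValue replaced.
        Throws if the CheckId is not present, so a typo cannot silently leave the default in place.
    #>
    param(
        [Parameter(Mandatory)] [string] $Json,
        [Parameter(Mandatory)] [string] $CheckId,
        [Parameter(Mandatory)] [string] $RecommendedValue
    )

    $config = $Json | ConvertFrom-Json
    $check  = $config.Controls | Where-Object { $_.CheckId -eq $CheckId }

    if (-not $check) {
        throw "No check with CheckId '$CheckId' found in the supplied config."
    }

    # Where-Object returns the object reference, so this mutates $config in place.
    $check.RecommendedValue = $RecommendedValue
    return ($config | ConvertTo-Json -Depth 10)
}

# Voice call remains a deviation from the default recommendation; keep the reason next to
# the override (sterile rooms, desk phones only) so the waiver is reviewable later.
$customised = Set-EidscaRecommendedValue -Json $sampleJson -CheckId 'AV01' -RecommendedValue 'enabled'
$customised | Set-Content -Path './EIDSCA.custom.json' -Encoding utf8

# Host EIDSCA.custom.json at an HTTPS location your pipeline can fetch, then regenerate the
# EIDSCA tests from it. The URL below is a placeholder, not a real endpoint.
# Update-EidscaTests -AadSecConfigUrl 'https://example.org/maester/EIDSCA.custom.json'
```

Because the override lives in a separately hosted file, the default Maester recommendation (voice call disabled) is untouched for every other tenant, and the customised file can be reviewed and version-controlled like any other policy exception.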