maester365 / maester

The core repository for the Maester module with helper cmdlets that will be called from the Pester tests.
https://maester.dev
MIT License

Align warnings with available licenses. Report unlicensed features as "unlicensed" (in grey). #154

Open GeldHades27355 opened 2 months ago

GeldHades27355 commented 2 months ago

For example: M365 BP doesn't include EID P2, so there is no advanced user risk management. But all tests for risk management still fail, bringing the score down.

(Secure Score and Security Admin Center is also not great at this)

Is there a way to correlate the warnings with available licenses, so reports more accurately reflect open actions?

So include the tests, just make sure folks know there's nothing they can do about some results without upgrading.

f-bader commented 1 month ago

We already have tests that change depending on the available license or are completely skipped if the license is not present in the tenant. Could you provide me with a few examples so I can check if those can be easily skipped as well?

f-bader commented 1 month ago

Hi @GeldHades27355 if you could provide some examples I think we can help

GeldHades27355 commented 1 month ago

I'd love to, but I'm seriously busy on other things right now, sorry!

I mentioned one example in the initial post: Business Premium does not include Entra ID P2, only P1. So User Risk management is not included, but I still get a "fail". I'd expect a "warning" at best, or a "Not licensed" ideally. And I'd expect a score related to the maximum possible with the current license.

tbh I'm not sure how to deal with mixed environments, with both P1 and P2 active... maybe one score using max P1 and a second using max P1 as benchmarks?

In general, this shouldn't be hard. Entra P1 vs. free vs. P2 comparison tables exist galore, for example here: https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing

Snozzberries commented 1 month ago

@GeldHades27355 M365 BP does include Entra ID P1. You can see in the service plan reference for M365 BP that it includes the license GUID 41781fb2-bc02-4b7c-bd55-b576c07bb09d, which would satisfy the appropriate skips.

Though @f-bader this did make me think, would it make sense to have a MD section added to the report for licenses skipped because of unlicensed features, and storing that in the module variable.

I am not super familiar with the report building cmdlets but some rough pseudocode

```powershell
#Test-*.Tests.ps1
if(-not $licensed){
  $__MtSession += #test ID or test invocation
}

#Get-MtMarkdownReport.ps1
function GetUnlicensed {}
$templateMarkdown = $templateMarkdown -replace '%UnlicensedSummary%', (GetUnlicensed)
```

GeldHades27355 commented 1 month ago

Yes, as I mentioned, BP includes Entra P1. So I get a "fail" for user risk management, which is, indeed, not enabled. That doesn't seem right to me. It should return "unlicensed" or "warning" at worst.

Unless this was already fixed in the last few weeks? (sorry, no time to test)

Is there a chance that check is failing?

Snozzberries commented 1 month ago

Ahh, understood. It would be helpful if you could confirm what tests you specifically see failing though you feel they should be skipped.

Here is an initial list I would consider:

GeldHades27355 commented 1 month ago

Sorry for the exasperation - does anyone READ what I post?

User Risk fails, as an example. P1 doesn't support that - so BP doesn't either.

I don't have time for more tests right now, sorry!

Snozzberries commented 1 month ago

Thanks for sharing your concern @GeldHades27355, there are multiple user risk tests that appear not to have logic to skip when the tenant is unlicensed (see above). I am sure we will continue improving the solution and hopefully those improvements will address your concern.

merill commented 3 weeks ago

I've verified that all risky user related tests check for P2 requirement and are skipped if the tenant does not have P2.

This is most probably a case where there are some users licensed for P2 but not all. Even if that were the case the tests will pass if the policies exist and are scoped to the number of users that have the P2 license.

Closing this for now.

GeldHades27355 commented 3 weeks ago

Cool. Thanks @merill. 👍 JFYI: none of the tenant(s) I tested on had EP2 in any way. Neither explicitly as a subscription, nor as part of a bundle, such as M365 E5. All tenants I tested on have M365 Business Premium (including P1) only.

merill commented 3 weeks ago

Got it. I think I know the issue. We use the /organizations endpoint for the licence check for P1 and P2 which might not be the right way to check.

The /subscribedSkus would be the most accurate.
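As an added example (not Maester project code), the following PowerShell ties together the two ideas in this thread: reading provisioned service plans from /subscribedSkus rather than /organizations, and reporting tests whose required plan is missing as "Unlicensed" in a markdown fragment for a `%UnlicensedSummary%` placeholder. The test IDs, the `Get-*` function names and the SKU sample are constructed for illustration; only the P1 service plan GUID comes from the thread.

```powershell
# Added example, not Maester's own code. Test IDs and sample SKU data are constructed.

function Get-ProvisionedServicePlan {
    # Returns names of service plans that are actually provisioned in the tenant.
    # Reads /subscribedSkus (each SKU lists its servicePlans) instead of /organizations.
    param([switch]$Live, [string]$SampleJson)
    if ($Live) {
        # Real Graph call; needs Connect-MgGraph with Organization.Read.All.
        $skus = (Invoke-MgGraphRequest -Method GET -Uri '/v1.0/subscribedSkus').value
    } else {
        $skus = ($SampleJson | ConvertFrom-Json).value
    }
    $skus | ForEach-Object { $_.servicePlans } |
        Where-Object { $_.provisioningStatus -eq 'Success' } |
        Select-Object -ExpandProperty servicePlanName -Unique
}

function Get-TestLicenseStatus {
    # $Tests maps a test id to the service plan name it requires ('' = none).
    param([hashtable]$Tests, [string[]]$Plans)
    foreach ($id in ($Tests.Keys | Sort-Object)) {
        $req = $Tests[$id]
        [pscustomobject]@{
            Test     = $id
            Requires = $req
            Status   = $(if (-not $req -or $Plans -contains $req) { 'Licensed' } else { 'Unlicensed' })
        }
    }
}

function Get-UnlicensedSummary {
    # Markdown fragment to substitute for '%UnlicensedSummary%' in a report template.
    param([object[]]$Results)
    $rows = $Results | Where-Object Status -eq 'Unlicensed' |
        ForEach-Object { "| $($_.Test) | $($_.Requires) |" }
    if (-not $rows) { return '_All tests are licensed in this tenant._' }
    (@('| Test | Requires |', '|---|---|') + $rows) -join "`n"
}

# Constructed sample: a Business Premium tenant with Entra ID P1 but no P2.
$sample = @'
{ "value": [ { "skuPartNumber": "SPB", "servicePlans": [
  { "servicePlanId": "41781fb2-bc02-4b7c-bd55-b576c07bb09d", "servicePlanName": "AAD_PREMIUM", "provisioningStatus": "Success" },
  { "servicePlanName": "EXCHANGE_S_STANDARD", "provisioningStatus": "Success" } ] } ] }
'@
$plans   = Get-ProvisionedServicePlan -SampleJson $sample
$tests   = @{ 'MT.EXAMPLE.1 User risk policy'   = 'AAD_PREMIUM_P2'   # constructed ids
              'MT.EXAMPLE.2 Conditional Access' = 'AAD_PREMIUM' }
$results = Get-TestLicenseStatus -Tests $tests -Plans $plans
$results | Format-Table
Get-UnlicensedSummary -Results $results
```

With the sample above, the user risk test is reported as Unlicensed (requires AAD_PREMIUM_P2) while the Conditional Access test is Licensed; run with `-Live` against a real tenant to replace the sample.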