bmsimp
diff --git a/‎Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21883.ps1‎
Lines changed: 109 additions & 0 deletions b/‎Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21883.ps1‎
Lines changed: 109 additions & 0 deletions
diff --git a/‎Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21889.ps1‎
Lines changed: 123 additions & 0 deletions b/‎Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21889.ps1‎
Lines changed: 123 additions & 0 deletions
diff --git a/‎Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21892.ps1‎
Lines changed: 129 additions & 0 deletions b/‎Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21892.ps1‎
Lines changed: 129 additions & 0 deletions
@@ -0,0 +1,109 @@
+function Invoke-CippTestZTNA21883 {
+    <#
+    .SYNOPSIS
+    Checks if workload identities are configured with risk-based policies
+
+    .DESCRIPTION
+    Verifies that Conditional Access policies exist that:
+    - Block authentication based on service principal risk
+    - Are enabled
+    - Target service principals
+
+    .FUNCTIONALITY
+    Internal
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$Tenant
+    )
+
+    try {
+        # Get Conditional Access policies from cache
+        $Policies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'ConditionalAccessPolicies'
+
+        if (-not $Policies) {
+            Add-CippTestResult -TestId 'ZTNA21883' -TenantFilter $Tenant -TestType 'ZeroTrustNetworkAccess' -Status 'Skipped' `
+                -ResultMarkdown 'No Conditional Access policies found in cache.' `
+                -Risk 'Medium' -Name 'Workload identities configured with risk-based policies' `
+                -UserImpact 'High' -ImplementationEffort 'Low' `
+                -Category 'Access control'
+            return
+        }
+
+        # Filter for policies that:
+        # - Block authentication
+        # - Include service principals
+        # - Are enabled
+        $MatchedPolicies = [System.Collections.Generic.List[object]]::new()
+        foreach ($Policy in $Policies) {
+            $blocksAuth = $false
+            if ($Policy.grantControls.builtInControls) {
+                foreach ($control in $Policy.grantControls.builtInControls) {
+                    if ($control -eq 'block') {
+                        $blocksAuth = $true
+                        break
+                    }
+                }
+            }
+
+            $includesSP = $false
+            if ($Policy.conditions.clientApplications.includeServicePrincipals) {
+                $includesSP = $true
+            }
+
+            $isEnabled = $Policy.state -eq 'enabled'
+
+            if ($blocksAuth -and $includesSP -and $isEnabled) {
+                $MatchedPolicies.Add($Policy)
+            }
+        }
+
+        # Determine pass/fail
+        if ($MatchedPolicies.Count -ge 1) {
+            $Status = 'Passed'
+            $ResultMarkdown = "✅ **Pass**: Workload identities are protected by risk-based Conditional Access policies.`n`n"
+            $ResultMarkdown += "## Matching policies`n`n"
+            $ResultMarkdown += "| Policy name | State | Service principals | Grant controls |`n"
+            $ResultMarkdown += "| :---------- | :---- | :----------------- | :------------- |`n"
+
+            foreach ($Policy in $MatchedPolicies) {
+                $policyLink = "https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade/policyId/$($Policy.id)"
+                $policyName = if ($Policy.displayName) { $Policy.displayName } else { 'Unnamed' }
+                $spTargets = if ($Policy.conditions.clientApplications.includeServicePrincipals) {
+                    ($Policy.conditions.clientApplications.includeServicePrincipals | Select-Object -First 3) -join ', '
+                    if ($Policy.conditions.clientApplications.includeServicePrincipals.Count -gt 3) {
+                        $spTargets += " (and $($Policy.conditions.clientApplications.includeServicePrincipals.Count - 3) more)"
+                    }
+                    $spTargets
+                } else {
+                    'None'
+                }
+                $grants = if ($Policy.grantControls.builtInControls) {
+                    $Policy.grantControls.builtInControls -join ', '
+                } else {
+                    'None'
+                }
+                $ResultMarkdown += "| [$policyName]($policyLink) | $($Policy.state) | $spTargets | $grants |`n"
+            }
+        } else {
+            $Status = 'Failed'
+            $ResultMarkdown = "❌ **Fail**: No Conditional Access policies found that protect workload identities with risk-based controls.`n`n"
+            $ResultMarkdown += 'Workload identities should be protected by policies that block authentication when service principal risk is detected.'
+        }
+
+        Add-CippTestResult -TestId 'ZTNA21883' -TenantFilter $Tenant -TestType 'ZeroTrustNetworkAccess' -Status $Status `
+            -ResultMarkdown $ResultMarkdown `
+            -Risk 'Medium' -Name 'Workload identities configured with risk-based policies' `
+            -UserImpact 'High' -ImplementationEffort 'Low' `
+            -Category 'Access control'
+
+    } catch {
+        Add-CippTestResult -TestId 'ZTNA21883' -TenantFilter $Tenant -TestType 'ZeroTrustNetworkAccess' -Status 'Failed' `
+            -ResultMarkdown "❌ **Error**: $($_.Exception.Message)" `
+            -Risk 'Medium' -Name 'Workload identities configured with risk-based policies' `
+            -UserImpact 'High' -ImplementationEffort 'Low' `
+            -Category 'Access control'
+        Write-LogMessage -API 'ZeroTrustNetworkAccess' -tenant $Tenant -message "Test ZTNA21883 failed: $($_.Exception.Message)" -sev Error
+    }
+}
@@ -0,0 +1,123 @@
+function Invoke-CippTestZTNA21889 {
+    <#
+    .SYNOPSIS
+    Checks if organization has reduced password surface area by enabling multiple passwordless authentication methods
+
+    .DESCRIPTION
+    Verifies that both FIDO2 Security Keys and Microsoft Authenticator are enabled with proper configuration
+    to reduce reliance on passwords.
+
+    .FUNCTIONALITY
+    Internal
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$Tenant
+    )
+
+    try {
+        # Get authentication methods policy from cache
+        $AuthMethodsPolicy = New-CIPPDbRequest -TenantFilter $Tenant -Type 'AuthenticationMethodsPolicy'
+
+        if (-not $AuthMethodsPolicy) {
+            Add-CippTestResult -TestId 'ZTNA21889' -TenantFilter $Tenant -TestType 'ZeroTrustNetworkAccess' -Status 'Skipped' `
+                -ResultMarkdown 'Unable to retrieve authentication methods policy from cache.' `
+                -Risk 'High' -Name 'Reduce the user-visible password surface area' `
+                -UserImpact 'Medium' -ImplementationEffort 'Medium' `
+                -Category 'Access control'
+            return
+        }
+
+        # Extract FIDO2 and Microsoft Authenticator configurations
+        $Fido2Config = $null
+        $AuthenticatorConfig = $null
+
+        if ($AuthMethodsPolicy.authenticationMethodConfigurations) {
+            foreach ($config in $AuthMethodsPolicy.authenticationMethodConfigurations) {
+                if ($config.id -eq 'Fido2') {
+                    $Fido2Config = $config
+                }
+                if ($config.id -eq 'MicrosoftAuthenticator') {
+                    $AuthenticatorConfig = $config
+                }
+            }
+        }
+
+        # Check FIDO2 configuration
+        $Fido2Enabled = $Fido2Config.state -eq 'enabled'
+        $Fido2HasTargets = $Fido2Config.includeTargets -and $Fido2Config.includeTargets.Count -gt 0
+        $Fido2Valid = $Fido2Enabled -and $Fido2HasTargets
+
+        # Check Microsoft Authenticator configuration
+        $AuthEnabled = $AuthenticatorConfig.state -eq 'enabled'
+        $AuthHasTargets = $AuthenticatorConfig.includeTargets -and $AuthenticatorConfig.includeTargets.Count -gt 0
+        $AuthMode = $null
+        if ($AuthenticatorConfig.includeTargets) {
+            foreach ($target in $AuthenticatorConfig.includeTargets) {
+                if ($target.authenticationMode) {
+                    $AuthMode = $target.authenticationMode
+                    break
+                }
+            }
+        }
+
+        if ([string]::IsNullOrEmpty($AuthMode)) {
+            $AuthMode = 'Not configured'
+            $AuthModeValid = $false
+        } else {
+            $AuthModeValid = ($AuthMode -eq 'any') -or ($AuthMode -eq 'deviceBasedPush')
+        }
+        $AuthValid = $AuthEnabled -and $AuthHasTargets -and $AuthModeValid
+
+        # Determine pass/fail
+        $Status = if ($Fido2Valid -and $AuthValid) { 'Passed' } else { 'Failed' }
+
+        # Build result message
+        if ($Status -eq 'Passed') {
+            $ResultMarkdown = "✅ **Pass**: Your organization has implemented multiple passwordless authentication methods reducing password exposure.`n`n"
+        } else {
+            $ResultMarkdown = "❌ **Fail**: Your organization relies heavily on password-based authentication, creating security vulnerabilities.`n`n"
+        }
+
+        # Build detailed markdown table
+        $ResultMarkdown += "## Passwordless authentication methods`n`n"
+        $ResultMarkdown += "| Method | State | Include targets | Authentication mode | Status |`n"
+        $ResultMarkdown += "| :----- | :---- | :-------------- | :------------------ | :----- |`n"
+
+        # FIDO2 row
+        $Fido2State = if ($Fido2Enabled) { '✅ Enabled' } else { '❌ Disabled' }
+        $Fido2TargetsDisplay = if ($Fido2Config.includeTargets -and $Fido2Config.includeTargets.Count -gt 0) {
+            "$($Fido2Config.includeTargets.Count) target(s)"
+        } else {
+            'None'
+        }
+        $Fido2Status = if ($Fido2Valid) { '✅ Pass' } else { '❌ Fail' }
+        $ResultMarkdown += "| FIDO2 Security Keys | $Fido2State | $Fido2TargetsDisplay | N/A | $Fido2Status |`n"
+
+        # Microsoft Authenticator row
+        $AuthState = if ($AuthEnabled) { '✅ Enabled' } else { '❌ Disabled' }
+        $AuthTargetsDisplay = if ($AuthenticatorConfig.includeTargets -and $AuthenticatorConfig.includeTargets.Count -gt 0) {
+            "$($AuthenticatorConfig.includeTargets.Count) target(s)"
+        } else {
+            'None'
+        }
+        $AuthModeDisplay = if ($AuthModeValid) { "✅ $AuthMode" } else { "❌ $AuthMode" }
+        $AuthStatus = if ($AuthValid) { '✅ Pass' } else { '❌ Fail' }
+        $ResultMarkdown += "| Microsoft Authenticator | $AuthState | $AuthTargetsDisplay | $AuthModeDisplay | $AuthStatus |`n"
+
+        Add-CippTestResult -TestId 'ZTNA21889' -TenantFilter $Tenant -TestType 'ZeroTrustNetworkAccess' -Status $Status `
+            -ResultMarkdown $ResultMarkdown `
+            -Risk 'High' -Name 'Reduce the user-visible password surface area' `
+            -UserImpact 'Medium' -ImplementationEffort 'Medium' `
+            -Category 'Access control'
+
+    } catch {
+        Add-CippTestResult -TestId 'ZTNA21889' -TenantFilter $Tenant -TestType 'ZeroTrustNetworkAccess' -Status 'Failed' `
+            -ResultMarkdown "❌ **Error**: $($_.Exception.Message)" `
+            -Risk 'High' -Name 'Reduce the user-visible password surface area' `
+            -UserImpact 'Medium' -ImplementationEffort 'Medium' `
+            -Category 'Access control'
+        Write-LogMessage -API 'ZeroTrustNetworkAccess' -tenant $Tenant -message "Test ZTNA21889 failed: $($_.Exception.Message)" -sev Error
+    }
+}
@@ -0,0 +1,129 @@
+function Invoke-CippTestZTNA21892 {
+    <#
+    .SYNOPSIS
+    Verifies that all sign-in activity is restricted to managed devices
+
+    .DESCRIPTION
+    Checks for Conditional Access policies that:
+    - Apply to all users
+    - Apply to all applications
+    - Require compliant or hybrid joined devices
+    - Are enabled
+
+    .FUNCTIONALITY
+    Internal
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$Tenant
+    )
+
+    try {
+        # Get Conditional Access policies from cache
+        $Policies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'ConditionalAccessPolicies'
+
+        if (-not $Policies) {
+            Add-CippTestResult -TestId 'ZTNA21892' -TenantFilter $Tenant -TestType 'ZeroTrustNetworkAccess' -Status 'Skipped' `
+                -ResultMarkdown 'No Conditional Access policies found in cache.' `
+                -Risk 'High' -Name 'All sign-in activity comes from managed devices' `
+                -UserImpact 'High' -ImplementationEffort 'High' `
+                -Category 'Access control'
+            return
+        }
+
+        # Find policies that require managed devices for all users and apps
+        $MatchingPolicies = [System.Collections.Generic.List[object]]::new()
+        foreach ($Policy in $Policies) {
+            # Check if applies to all users
+            $appliesToAllUsers = $false
+            if ($Policy.conditions.users.includeUsers) {
+                foreach ($user in $Policy.conditions.users.includeUsers) {
+                    if ($user -eq 'All') {
+                        $appliesToAllUsers = $true
+                        break
+                    }
+                }
+            }
+
+            # Check if applies to all apps
+            $appliesToAllApps = $false
+            if ($Policy.conditions.applications.includeApplications) {
+                foreach ($app in $Policy.conditions.applications.includeApplications) {
+                    if ($app -eq 'All') {
+                        $appliesToAllApps = $true
+                        break
+                    }
+                }
+            }
+
+            # Check if requires compliant or hybrid joined device
+            $requiresCompliantDevice = $false
+            $requiresHybridJoined = $false
+            if ($Policy.grantControls.builtInControls) {
+                foreach ($control in $Policy.grantControls.builtInControls) {
+                    if ($control -eq 'compliantDevice') {
+                        $requiresCompliantDevice = $true
+                    }
+                    if ($control -eq 'domainJoinedDevice') {
+                        $requiresHybridJoined = $true
+                    }
+                }
+            }
+
+            $isEnabled = $Policy.state -eq 'enabled'
+
+            # Policy matches if enabled, applies to all users/apps, and requires managed device
+            if ($isEnabled -and $appliesToAllUsers -and $appliesToAllApps -and ($requiresCompliantDevice -or $requiresHybridJoined)) {
+                $MatchingPolicies.Add([PSCustomObject]@{
+                        PolicyId           = $Policy.id
+                        PolicyState        = $Policy.state
+                        DisplayName        = $Policy.displayName
+                        AllUsers           = $appliesToAllUsers
+                        AllApps            = $appliesToAllApps
+                        CompliantDevice    = $requiresCompliantDevice
+                        HybridJoinedDevice = $requiresHybridJoined
+                        IsFullyCompliant   = $isEnabled -and $appliesToAllUsers -and $appliesToAllApps -and ($requiresCompliantDevice -or $requiresHybridJoined)
+                    })
+            }
+        }
+
+        # Determine pass/fail
+        if ($MatchingPolicies.Count -gt 0) {
+            $Status = 'Passed'
+            $ResultMarkdown = "✅ **Pass**: Conditional Access policies require managed devices for all sign-in activity.`n`n"
+            $ResultMarkdown += "## Matching policies`n`n"
+            $ResultMarkdown += "| Policy name | State | All users | All apps | Compliant device | Hybrid joined |`n"
+            $ResultMarkdown += "| :---------- | :---- | :-------- | :------- | :--------------- | :------------ |`n"
+
+            foreach ($Policy in $MatchingPolicies) {
+                $policyLink = "https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade/policyId/$($Policy.PolicyId)"
+                $policyName = if ($Policy.DisplayName) { $Policy.DisplayName } else { 'Unnamed' }
+                $allUsers = if ($Policy.AllUsers) { '✅' } else { '❌' }
+                $allApps = if ($Policy.AllApps) { '✅' } else { '❌' }
+                $compliant = if ($Policy.CompliantDevice) { '✅' } else { '❌' }
+                $hybrid = if ($Policy.HybridJoinedDevice) { '✅' } else { '❌' }
+
+                $ResultMarkdown += "| [$policyName]($policyLink) | $($Policy.PolicyState) | $allUsers | $allApps | $compliant | $hybrid |`n"
+            }
+        } else {
+            $Status = 'Failed'
+            $ResultMarkdown = "❌ **Fail**: No Conditional Access policies found that require managed devices for all sign-in activity.`n`n"
+            $ResultMarkdown += 'Organizations should enforce that all sign-ins come from managed devices (compliant or hybrid Azure AD joined) to ensure security controls are applied.'
+        }
+
+        Add-CippTestResult -TestId 'ZTNA21892' -TenantFilter $Tenant -TestType 'ZeroTrustNetworkAccess' -Status $Status `
+            -ResultMarkdown $ResultMarkdown `
+            -Risk 'High' -Name 'All sign-in activity comes from managed devices' `
+            -UserImpact 'High' -ImplementationEffort 'High' `
+            -Category 'Access control'
+
+    } catch {
+        Add-CippTestResult -TestId 'ZTNA21892' -TenantFilter $Tenant -TestType 'ZeroTrustNetworkAccess' -Status 'Failed' `
+            -ResultMarkdown "❌ **Error**: $($_.Exception.Message)" `
+            -Risk 'High' -Name 'All sign-in activity comes from managed devices' `
+            -UserImpact 'High' -ImplementationEffort 'High' `
+            -Category 'Access control'
+        Write-LogMessage -API 'ZeroTrustNetworkAccess' -tenant $Tenant -message "Test ZTNA21892 failed: $($_.Exception.Message)" -sev Error
+    }
+}