three new tests

KelvinTegelaar · KelvinTegelaar · commit 9d2831db4caf · 2026-01-03T23:07:16.000+01:00
diff --git a/Modules/CIPPCore/Public/Tests/ZTNA/Identity/Invoke-CippTestZTNA21782.ps1 b/Modules/CIPPCore/Public/Tests/ZTNA/Identity/Invoke-CippTestZTNA21782.ps1
@@ -0,0 +1,94 @@
+function Invoke-CippTestZTNA21782 {
+    <#
+    .SYNOPSIS
+    Privileged accounts have phishing-resistant methods registered
+    #>
+    param($Tenant)
+
+    try {
+        $UserRegistrationDetails = New-CIPPDbRequest -TenantFilter $Tenant -Type 'UserRegistrationDetails'
+        $RoleAssignments = New-CIPPDbRequest -TenantFilter $Tenant -Type 'RoleAssignments'
+
+        if (-not $UserRegistrationDetails -or -not $RoleAssignments) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21782' -TestType 'Identity' -Status 'Skipped' -ResultMarkdown 'No data found in database. This may be due to missing required licenses or data collection not yet completed.' -Risk 'High' -Name 'Privileged accounts have phishing-resistant methods registered' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Privileged Access'
+            return
+        }
+
+        $PhishResistantMethods = @('passKeyDeviceBound', 'passKeyDeviceBoundAuthenticator', 'windowsHelloForBusiness')
+
+        # Join user registration details with role assignments
+        $results = $UserRegistrationDetails | Where-Object {
+            $userId = $_.id
+            $RoleAssignments | Where-Object { $_.principalId -eq $userId }
+        } | ForEach-Object {
+            $user = $_
+            $userRoles = $RoleAssignments | Where-Object { $_.principalId -eq $user.id }
+            $hasPhishResistant = $false
+
+            if ($user.methodsRegistered) {
+                foreach ($method in $PhishResistantMethods) {
+                    if ($user.methodsRegistered -contains $method) {
+                        $hasPhishResistant = $true
+                        break
+                    }
+                }
+            }
+
+            [PSCustomObject]@{
+                id                       = $user.id
+                userDisplayName          = $user.userDisplayName
+                roleDisplayName          = ($userRoles.roleDefinitionName -join ', ')
+                methodsRegistered        = $user.methodsRegistered
+                phishResistantAuthMethod = $hasPhishResistant
+            }
+        }
+
+        $totalUserCount = $results.Length
+        $phishResistantPrivUsers = $results | Where-Object { $_.phishResistantAuthMethod }
+        $phishablePrivUsers = $results | Where-Object { !$_.phishResistantAuthMethod }
+
+        $phishResistantPrivUserCount = $phishResistantPrivUsers.Length
+
+        $passed = $totalUserCount -eq $phishResistantPrivUserCount
+
+        $testResultMarkdown = if ($passed) {
+            "Validated that all privileged users have registered phishing resistant authentication methods.`n`n%TestResult%"
+        } else {
+            "Found privileged users that have not yet registered phishing resistant authentication methods`n`n%TestResult%"
+        }
+
+        $mdInfo = "## Privileged users`n`n"
+
+        if ($passed) {
+            $mdInfo = "All privileged users have registered phishing resistant authentication methods.`n`n"
+        } else {
+            $mdInfo = "Found privileged users that have not registered phishing resistant authentication methods.`n`n"
+        }
+
+        $mdInfo = $mdInfo + "| User | Role Name | Phishing resistant method registered |`n"
+        $mdInfo = $mdInfo + "| :--- | :--- | :---: |`n"
+
+        $userLinkFormat = 'https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserProfileMenuBlade/~/UserAuthMethods/userId/{0}/hidePreviewBanner~/true'
+
+        $mdLines = @($phishablePrivUsers | Sort-Object userDisplayName | ForEach-Object {
+                $userLink = $userLinkFormat -f $_.id
+                "|[$($_.userDisplayName)]($userLink)| $($_.roleDisplayName) | ❌ |`n"
+            })
+        $mdInfo = $mdInfo + ($mdLines -join '')
+
+        $mdLines = @($phishResistantPrivUsers | Sort-Object userDisplayName | ForEach-Object {
+                $userLink = $userLinkFormat -f $_.id
+                "|[$($_.userDisplayName)]($userLink)| $($_.roleDisplayName) | ✅ |`n"
+            })
+        $mdInfo = $mdInfo + ($mdLines -join '')
+
+        $testResultMarkdown = $testResultMarkdown -replace '%TestResult%', $mdInfo
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21782' -TestType 'Identity' -Status $(if ($passed) { 'Passed' } else { 'Failed' }) -ResultMarkdown $testResultMarkdown -Risk 'High' -Name 'Privileged accounts have phishing-resistant methods registered' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Privileged Access'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21782' -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Privileged accounts have phishing-resistant methods registered' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Privileged Access'
+    }
+}
diff --git a/Modules/CIPPCore/Public/Tests/ZTNA/Identity/Invoke-CippTestZTNA21801.ps1 b/Modules/CIPPCore/Public/Tests/ZTNA/Identity/Invoke-CippTestZTNA21801.ps1
@@ -0,0 +1,95 @@
+function Invoke-CippTestZTNA21801 {
+    <#
+    .SYNOPSIS
+    Users have strong authentication methods configured
+    #>
+    param($Tenant)
+
+    try {
+        $UserRegistrationDetails = New-CIPPDbRequest -TenantFilter $Tenant -Type 'UserRegistrationDetails'
+        $Users = New-CIPPDbRequest -TenantFilter $Tenant -Type 'Users'
+
+        if (-not $UserRegistrationDetails -or -not $Users) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21801' -TestType 'Identity' -Status 'Skipped' -ResultMarkdown 'No data found in database. This may be due to missing required licenses or data collection not yet completed.' -Risk 'Medium' -Name 'Users have strong authentication methods configured' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Credential Management'
+            return
+        }
+
+        $PhishResistantMethods = @('passKeyDeviceBound', 'passKeyDeviceBoundAuthenticator', 'windowsHelloForBusiness')
+
+        $results = $UserRegistrationDetails | Where-Object {
+            $userId = $_.id
+            $matchingUser = $Users | Where-Object { $_.id -eq $userId -and $_.accountEnabled }
+            $matchingUser
+        } | ForEach-Object {
+            $regDetail = $_
+            $matchingUser = $Users | Where-Object { $_.id -eq $regDetail.id }
+            $hasPhishResistant = $false
+
+            if ($regDetail.methodsRegistered) {
+                foreach ($method in $PhishResistantMethods) {
+                    if ($regDetail.methodsRegistered -contains $method) {
+                        $hasPhishResistant = $true
+                        break
+                    }
+                }
+            }
+
+            [PSCustomObject]@{
+                id                           = $regDetail.id
+                displayName                  = $regDetail.userDisplayName
+                phishResistantAuthMethod     = $hasPhishResistant
+                lastSuccessfulSignInDateTime = $matchingUser.signInActivity.lastSuccessfulSignInDateTime
+            }
+        }
+
+        $totalUserCount = $results.Length
+        $phishResistantUsers = $results | Where-Object { $_.phishResistantAuthMethod }
+        $phishableUsers = $results | Where-Object { !$_.phishResistantAuthMethod }
+
+        $phishResistantUserCount = $phishResistantUsers.Length
+
+        $passed = $totalUserCount -eq $phishResistantUserCount
+
+        $testResultMarkdown = if ($passed) {
+            "Validated that all users have registered phishing resistant authentication methods.`n`n%TestResult%"
+        } else {
+            "Found users that have not yet registered phishing resistant authentication methods`n`n%TestResult%"
+        }
+
+        $mdInfo = "## Users strong authentication methods`n`n"
+
+        if ($passed) {
+            $mdInfo = "All users have registered phishing resistant authentication methods.`n`n"
+        } else {
+            $mdInfo = "Found users that have not registered phishing resistant authentication methods.`n`n"
+        }
+
+        $mdInfo = $mdInfo + "| User | Last sign in | Phishing resistant method registered |`n"
+        $mdInfo = $mdInfo + "| :--- | :--- | :---: |`n"
+
+        $userLinkFormat = 'https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserProfileMenuBlade/~/UserAuthMethods/userId/{0}/hidePreviewBanner~/true'
+
+        $mdLines = @($phishableUsers | Sort-Object displayName | ForEach-Object {
+                $userLink = $userLinkFormat -f $_.id
+                $lastSignInDate = if ($_.lastSuccessfulSignInDateTime) { (Get-Date $_.lastSuccessfulSignInDateTime -Format 'yyyy-MM-dd') } else { 'Never' }
+                "|[$($_.displayName)]($userLink)| $lastSignInDate | ❌ |`n"
+            })
+        $mdInfo = $mdInfo + ($mdLines -join '')
+
+        $mdLines = @($phishResistantUsers | Sort-Object displayName | ForEach-Object {
+                $userLink = $userLinkFormat -f $_.id
+                $lastSignInDate = if ($_.lastSuccessfulSignInDateTime) { (Get-Date $_.lastSuccessfulSignInDateTime -Format 'yyyy-MM-dd') } else { 'Never' }
+                "|[$($_.displayName)]($userLink)| $lastSignInDate | ✅ |`n"
+            })
+        $mdInfo = $mdInfo + ($mdLines -join '')
+
+        $testResultMarkdown = $testResultMarkdown -replace '%TestResult%', $mdInfo
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21801' -TestType 'Identity' -Status $(if ($passed) { 'Passed' } else { 'Failed' }) -ResultMarkdown $testResultMarkdown -Risk 'Medium' -Name 'Users have strong authentication methods configured' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Credential Management'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21801' -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'Users have strong authentication methods configured' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Credential Management'
+    }
+}
diff --git a/Modules/CIPPCore/Public/Tests/ZTNA/Identity/Invoke-CippTestZTNA21817.ps1 b/Modules/CIPPCore/Public/Tests/ZTNA/Identity/Invoke-CippTestZTNA21817.ps1
@@ -0,0 +1,80 @@
+function Invoke-CippTestZTNA21817 {
+    <#
+    .SYNOPSIS
+    Global Administrator role activation triggers an approval workflow
+    #>
+    param($Tenant)
+
+    try {
+        $RoleManagementPolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'RoleManagementPolicies'
+
+        if (-not $RoleManagementPolicies) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21817' -TestType 'Identity' -Status 'Skipped' -ResultMarkdown 'No data found in database. This may be due to missing required licenses or data collection not yet completed.' -Risk 'High' -Name 'Global Administrator role activation triggers an approval workflow' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Application Management'
+            return
+        }
+
+        $globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'
+
+        $globalAdminPolicy = $RoleManagementPolicies | Where-Object {
+            $_.scopeId -eq '/' -and
+            $_.scopeType -eq 'DirectoryRole' -and
+            $_.roleDefinitionId -eq $globalAdminRoleId
+        }
+
+        $tableRows = ''
+        $result = $false
+
+        if ($globalAdminPolicy) {
+            $approvalRule = $globalAdminPolicy.rules | Where-Object { $_.id -like '*Approval_EndUser_Assignment*' }
+
+            if ($approvalRule -and $approvalRule.setting.isApprovalRequired -eq $true) {
+                $approverCount = 0
+                foreach ($stage in $approvalRule.setting.approvalStages) {
+                    $approverCount = $approverCount + ($stage.primaryApprovers | Measure-Object).Count
+                }
+
+                if ($approverCount -gt 0) {
+                    $result = $true
+                    $testResultMarkdown = "✅ **Pass**: Approval required with $approverCount primary approver(s) configured.`n`n%TestResult%"
+                    $primaryApprovers = ($approvalRule.setting.approvalStages[0].primaryApprovers.description -join ', ')
+                    $escalationApprovers = ($approvalRule.setting.approvalStages[0].escalationApprovers.description -join ', ')
+                    $tableRows = "| Yes | $primaryApprovers | $escalationApprovers |`n"
+                } else {
+                    $testResultMarkdown = "❌ **Fail**: Approval required but no approvers configured.`n`n%TestResult%"
+                    $tableRows = "| Yes | None | None |`n"
+                }
+            } else {
+                $testResultMarkdown = "❌ **Fail**: Approval not required for Global Administrator role activation.`n`n%TestResult%"
+                $tableRows = "| No | N/A | N/A |`n"
+            }
+        } else {
+            $testResultMarkdown = "❌ **Fail**: No PIM policy found for Global Administrator role.`n`n%TestResult%"
+            $tableRows = "| N/A | N/A | N/A |`n"
+        }
+
+        $passed = $result
+
+        $reportTitle = 'Global Administrator role activation and approval workflow'
+
+        $formatTemplate = @'
+
+## {0}
+
+
+| Approval Required | Primary Approvers | Escalation Approvers |
+| :---------------- | :---------------- | :------------------- |
+{1}
+
+'@
+
+        $mdInfo = $formatTemplate -f $reportTitle, $tableRows
+        $testResultMarkdown = $testResultMarkdown -replace '%TestResult%', $mdInfo
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21817' -TestType 'Identity' -Status $(if ($passed) { 'Passed' } else { 'Failed' }) -ResultMarkdown $testResultMarkdown -Risk 'High' -Name 'Global Administrator role activation triggers an approval workflow' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Application Management'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21817' -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Global Administrator role activation triggers an approval workflow' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Application Management'
+    }
+}
