Prerequisites
💡 Summary
Based on analysis of the conditional access policies of various organizations, we have known for a while that organizations need to be able to exclude specific cloud apps from Entra conditional access policies for various reasons and currently ScubaGear does not support that. We also know that organizations sometimes need the ability to exclude guest users (e.g. when enforcing phishing-resistant MFA).
The scope of this issue is to add two new Entra CA exclusion types via the ScubaGear config file. The decision to add this capability was adjudicated in #1171.
- Exclusion type 1 - Exclude specific cloud apps
- Exclusion type 2 - Exclude guest users
The screenshot below summarizes the key parts of a conditional access policy where cloud app exclusions are configured.
Motivation and context
Scuba should continue to make the assessment code more flexible so that it helps enforce strong security practices and not produce situations where the report shows an organization failing because the policies are too rigid when the key requirements are being met.
Implementation scope
The next couple of sections below describe the changes needed in more detail. You should make the modifications to the Rego policies for the following Scuba Entra policies, since these are the ones that work on conditional access:
- 1.1, 2.1, 2.3, 3.1, 3.2, 3.6, 3.7, 3.8, 3.9
Implementation for cloud app exclusions
- Design the new config file YAML variables that will support cloud app exclusions. Look at existing user / group exclusions for inspiration.
- Modify the Rego for all Scuba Entra policies that audit conditional access policies and add code that supports cloud app exclusions. You likely need to create a new method in the helper file /Rego/Utils/AAD.Rego that is similar to the existing method UserExclusionsFullyExempt. You can call it CloudAppExclusionsFullyExempt. Then modify the Scuba Rego policies in AADConfig.Rego to call this helper method and reduce code duplication. You can call the new helper method right after the two methods in the screenshot below.
- Remove the line of code in AADConfig.Rego that checks if there are any excluded cloud apps (screenshot below) since the new helper method from step 2 will take care of the exclusion logic.
- Create unit tests with new exclusion scenarios.
Here is an example of what cloud app exclusions look like in the ScubaResults.json:

Implementation for guest user exclusions
- Design the new config file YAML variables that will support guest user exclusions. Look at existing user / group exclusions for inspiration; however, the exclusions for guest users are a little different. For guest users there is a node in the JSON with the path Users > ExcludeGuestsOrExternalUsers > GuestOrExternalUserTypes which can contain one or more of the following values: internalGuest,b2bCollaborationGuest,b2bCollaborationMember,b2bDirectConnectUser,otherExternalUser,serviceProvider. We want to support all of those values, so implement the capability in a way that is easy for the user.
- Modify the Rego for all Scuba Entra policies that audit conditional access policies and add code that supports guest exclusions. You likely need to create a new method in the helper file /Rego/Utils/AAD.Rego that is similar to the existing method UserExclusionsFullyExempt. You can call it GuestUserExclusionsFullyExempt. Then modify the Scuba Rego policies in AADConfig.Rego to call this helper method and reduce code duplication. You can call the new helper method right after the two methods in the screenshot below.
- Create unit tests with new exclusion scenarios.
Here is an example of what guest user exclusions look like in the ScubaResults.json:
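As an added illustration (not code from the ScubaGear repository), here is one way the two helper methods from the cloud app and guest user sections above could look in Rego. The package name, the config keys CapExclusions.Applications and CapExclusions.GuestUsers (hypothetical names for the YAML variables step 1 asks you to design), the GUID and the policy ID in the test are all assumptions or constructed sample data.

```rego
package aad
import rego.v1

# Config lookups. "Applications" and "GuestUsers" under CapExclusions are
# hypothetical names for the new YAML variables; object.get with a path
# returns the default when any key along the path is missing.
ExemptedApps(PolicyID) := {a | some a in object.get(input,
    ["scuba_config", "Aad", PolicyID, "CapExclusions", "Applications"], [])}

ExemptedGuestTypes(PolicyID) := {t | some t in object.get(input,
    ["scuba_config", "Aad", PolicyID, "CapExclusions", "GuestUsers"], [])}

# Graph exports GuestOrExternalUserTypes as one comma-separated string
# (e.g. "internalGuest,b2bCollaborationGuest"); null when not configured,
# in which case the comprehension yields the empty set.
ExcludedGuestTypes(Policy) := {t |
    Raw := object.get(Policy, ["Conditions", "Users",
        "ExcludeGuestsOrExternalUsers", "GuestOrExternalUserTypes"], "")
    is_string(Raw)
    some t in split(Raw, ",")
    t != ""
}

# True when every cloud app excluded by the CA policy is listed in the config.
# A policy with no app exclusions is trivially exempt (empty set difference).
CloudAppExclusionsFullyExempt(Policy, PolicyID) if {
    Excluded := {a | some a in object.get(Policy,
        ["Conditions", "Applications", "ExcludeApplications"], [])}
    count(Excluded - ExemptedApps(PolicyID)) == 0
}

# True when every guest/external user type excluded by the policy is listed.
GuestUserExclusionsFullyExempt(Policy, PolicyID) if {
    count(ExcludedGuestTypes(Policy) - ExemptedGuestTypes(PolicyID)) == 0
}

# Constructed sample data for `opa test`; GUID and policy ID are placeholders.
test_exclusions_fully_exempt if {
    Policy := {"Conditions": {
        "Applications": {"ExcludeApplications": ["11111111-1111-1111-1111-111111111111"]},
        "Users": {"ExcludeGuestsOrExternalUsers": {
            "GuestOrExternalUserTypes": "internalGuest,b2bCollaborationGuest"}}}}
    Config := {"scuba_config": {"Aad": {"MS.AAD.1.1v1": {"CapExclusions": {
        "Applications": ["11111111-1111-1111-1111-111111111111"],
        "GuestUsers": ["internalGuest", "b2bCollaborationGuest"]}}}}}
    CloudAppExclusionsFullyExempt(Policy, "MS.AAD.1.1v1") with input as Config
    GuestUserExclusionsFullyExempt(Policy, "MS.AAD.1.1v1") with input as Config
    # A guest type excluded by the policy but absent from the config must fail
    not GuestUserExclusionsFullyExempt(Policy, "MS.AAD.1.1v1") with input as
        {"scuba_config": {"Aad": {"MS.AAD.1.1v1": {"CapExclusions": {"GuestUsers": ["internalGuest"]}}}}}
}
```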
Implementation to update the ScubaGear documentation
- Modify the file in the path below to ensure that the ScubaGear documentation describes how to exclude cloud apps and guest users. Be explicit that for guest users only specific Scuba policies can exclude guests.
https://github.com/cisagov/ScubaGear/blob/v1.6.0/docs/configuration/configuration.md#conditional-access-policy-exclusions
- Modify the sample aad_config.yaml in the path below to add example exclusions for cloud apps and guest users.
https://github.com/cisagov/ScubaGear/blob/v1.6.0/PowerShell/ScubaGear/Sample-Config-Files/aad_config.yaml
Acceptance criteria