Merge pull request #723 from tdcthosc/tdc-improve-mt-1029-1032-tests

merill · web-flow · commit 4ad8c3dc709d · 2025-03-06T14:52:30.000+11:00
Improve mt.1029-1032 tests
diff --git a/powershell/public/Test-MtPimAlertsExists.ps1 b/powershell/public/Test-MtPimAlertsExists.ps1
@@ -41,15 +41,17 @@ function Test-MtPimAlertsExists {
 
     # Get PIM Alerts and store as object to be used in the test
     Write-Verbose "Getting PIM Alerts"
-    $Alert = Invoke-MtGraphRequest -ApiVersion "beta" -RelativeUri "privilegedAccess/aadroles/resources/$($tenantId)/alerts" | Where-Object { $_.id -eq $AlertId -and $_.isActive -eq "True" }
-
-    $AffectedRoleAssignments = $Alert.additionalData | ForEach-Object {
-      $CurrentItem = $_.item
-      $result = New-Object psobject
-      foreach ($entry in $CurrentItem.GetEnumerator()) {
-        $result | Add-Member -MemberType NoteProperty -Name $entry.key -Value $entry.value -Force
+    $Alert = Invoke-MtGraphRequest -ApiVersion "beta" -RelativeUri "privilegedAccess/aadroles/resources/$($tenantId)/alerts" | Where-Object { $_.id -eq $AlertId }
+
+    if ($Alert.Where({$_.isActive -eq "True"}).additionalData) {
+      $AffectedRoleAssignments = $Alert.Where({$_.isActive -eq "True"}).additionalData | ForEach-Object {
+        $CurrentItem = $_.item
+        $result = New-Object psobject
+        foreach ($entry in $CurrentItem.GetEnumerator()) {
+          $result | Add-Member -MemberType NoteProperty -Name $entry.key -Value $entry.value -Force
+        }
+        $result
       }
-      $result
     }
 
     # Filtering based on (EntraOps) Enterprise Access Model Tiering
@@ -66,43 +68,44 @@ function Test-MtPimAlertsExists {
         Write-Verbose "$($_.AssigneeUserPrincipalName) has been defined as Break Glass and removed from $($Alert.id)"
       }
       $AffectedRoleAssignments = $AffectedRoleAssignments | Where-Object { $_.AssigneeId -notin $($FilteredBreakGlass).Id }
-
-      # Set number of affected Items to value of filtered items (for example, original alert has two affected items, but all of them are break glass and excluded from the test)
-      $Alert.numberOfAffectedItems = $AffectedRoleAssignments.Count
     }
 
-    # Create test result and details
-    if ($Alert.Count -gt "0" -and $AffectedRoleAssignments.Count -gt 0) {
+    # Set number of affected Items to value of filtered items (for example, original alert has two affected items, but all of them are break glass and excluded from the test)
+    $Alert.numberOfAffectedItems = $AffectedRoleAssignments.Count
 
-      $testDescription = "
+    # Create test result and details
+    $convertHtmlLinkToMD = '<a.*?href=["'']([^"'']*)["''][^>]*>([^<]*)<\/a>' # Regular expression to detect HTML links
+    $testDescription = "
 
 **Security Impact**`n`n
-$($Alert.securityImpact)
+$($Alert.securityImpact -replace $convertHtmlLinkToMD, '[$2]($1)')
 
 **Mitigation steps**`n`n
-$($Alert.mitigationSteps)
+$($Alert.mitigationSteps -replace $convertHtmlLinkToMD, '[$2]($1)')
 
 **How to prevent**`n`n
-$($Alert.howToPrevent)
+$($Alert.howToPrevent -replace $convertHtmlLinkToMD, '[$2]($1)')
 "
 
-      $AffectedRoleAssignmentSummary = @()
-      $AffectedRoleAssignmentSummary += foreach ($AffectedRoleAssignment in $AffectedRoleAssignments) {
-        if ($null -ne $AffectedRoleAssignment.AssigneeDisplayName -or $null -ne $AffectedRoleAssignment.RoleDisplayName) {
-          "  -  $($AffectedRoleAssignment.AssigneeDisplayName) with $($AffectedRoleAssignment.RoleDisplayName) by AssigneeId $($AffectedRoleAssignment.AssigneeId)`n"
-        } else {
-          "  -  $($AffectedRoleAssignment.AssigneeName) ($($AffectedRoleAssignment.AssigneeUserPrincipalName))`n"
-        }
+    $AffectedRoleAssignmentSummary = @()
+    $AffectedRoleAssignmentSummary += foreach ($AffectedRoleAssignment in $AffectedRoleAssignments) {
+      if ($null -ne $AffectedRoleAssignment.AssigneeDisplayName -or $null -ne $AffectedRoleAssignment.RoleDisplayName) {
+        "  -  $($AffectedRoleAssignment.AssigneeDisplayName) with $($AffectedRoleAssignment.RoleDisplayName) by AssigneeId $($AffectedRoleAssignment.AssigneeId)`n"
+      } else {
+        "  -  $($AffectedRoleAssignment.AssigneeName) ($($AffectedRoleAssignment.AssigneeUserPrincipalName))`n"
       }
+    }
 
+    if ($Alert.Count -gt "0" -and $AffectedRoleAssignments.Count -gt 0) {
       $testResult = "$($Alert.alertDescription)`n`n
 $($AffectedRoleAssignmentSummary)
 Get more details from the PIM alert [$($Alert.alertName)](https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/AlertDetail/providerId/aadroles/alertId/$($AlertId)/resourceId/$($tenantId)) in the Azure Portal.
 "
-
-      Add-MtTestResultDetail -Description $testDescription -Result $testResult
+    } else {
+      $testResult = "All privileged role assignments are managed by PIM. Well done!"
     }
 
+    Add-MtTestResultDetail -Description $testDescription -Result $testResult
     return $Alert
   }
 }
