diff --git a/PowerShell/ScubaGear/Rego/AADConfig.rego b/PowerShell/ScubaGear/Rego/AADConfig.rego
index 699ea8ab8..cfd9ba2b7 100644
--- a/PowerShell/ScubaGear/Rego/AADConfig.rego
+++ b/PowerShell/ScubaGear/Rego/AADConfig.rego
@@ -444,15 +444,16 @@ tests contains {
ManagedDeviceAuth contains CAPolicy.DisplayName if {
some CAPolicy in input.conditional_access_policies
- Contains(CAPolicy.Conditions.Users.IncludeUsers, "All") == true
- Contains(CAPolicy.Conditions.Applications.IncludeApplications, "All") == true
- CAPolicy.State == "enabled"
+ PolicyConditionsMatch(CAPolicy) == true
- Conditions := [
- "compliantDevice" in CAPolicy.GrantControls.BuiltInControls,
- "domainJoinedDevice" in CAPolicy.GrantControls.BuiltInControls,
- ]
- count(FilterArray(Conditions, true)) > 0
+ "compliantDevice" in CAPolicy.GrantControls.BuiltInControls
+ "domainJoinedDevice" in CAPolicy.GrantControls.BuiltInControls
+ count(CAPolicy.GrantControls.BuiltInControls) == 2
+ CAPolicy.GrantControls.Operator == "OR"
+
+ # Only match policies with user and group exclusions if all exempted
+ UserExclusionsFullyExempt(CAPolicy, "MS.AAD.3.7v1") == true
+ GroupExclusionsFullyExempt(CAPolicy, "MS.AAD.3.7v1") == true
}
# Pass if at least 1 policy meets all conditions
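Review bot: The grant-control conjuncts (`"compliantDevice" in …`, `"domainJoinedDevice" in …`, `count(CAPolicy.GrantControls.BuiltInControls) == 2`, `CAPolicy.GrantControls.Operator == "OR"`) now accept only a policy whose controls are exactly the compliant/hybrid-joined pair under OR, so a tenant that requires just `compliantDevice` — which the removed `count(FilterArray(Conditions, true)) > 0` accepted and the old `test_BuiltInControls_Correct` fixture used — now reports zero matching policies even though it is a stricter control, and the same holds for the pair under `"AND"`. If that tightening is intended by the MS.AAD.3.7v1 baseline, record it next to the checks, e.g. `# Baseline expects the policy to offer both compliant and hybrid-joined devices as alternatives; a stricter single-control or AND policy is reported as non-compliant`; otherwise accept either control rather than the exact pair. I am assuming `PolicyConditionsMatch` still enforces the removed `State == "enabled"` and all-users/all-applications checks, since its definition is outside this hunk. The exclusion conjuncts look right: an excluded user or group not listed in the ScubaConfig exemptions correctly disqualifies the policy.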
diff --git a/PowerShell/ScubaGear/Testing/Unit/Rego/AAD/AADConfig_03_test.rego b/PowerShell/ScubaGear/Testing/Unit/Rego/AAD/AADConfig_03_test.rego
index 2752843b3..d0ba3275a 100644
--- a/PowerShell/ScubaGear/Testing/Unit/Rego/AAD/AADConfig_03_test.rego
+++ b/PowerShell/ScubaGear/Testing/Unit/Rego/AAD/AADConfig_03_test.rego
@@ -943,7 +943,9 @@ test_ExcludeRoles_Incorrect_V2 if {
#--
test_ConditionalAccessPolicies_Correct_V3 if {
CAP := json.patch(ConditionalAccessPolicies,
- [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["domainJoinedDevice"]}])
+ [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["compliantDevice", "domainJoinedDevice"]},
+ {"op": "add", "path": "GrantControls/Operator", "value": "OR"}
+ ])
Output := aad.tests with input.conditional_access_policies as [CAP]
@@ -957,8 +959,9 @@ test_ConditionalAccessPolicies_Correct_V3 if {
test_BuiltInControls_Correct if {
CAP := json.patch(ConditionalAccessPolicies,
- [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["compliantDevice"]}])
-
+ [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["compliantDevice", "domainJoinedDevice"]},
+ {"op": "add", "path": "GrantControls/Operator", "value": "OR"}
+ ])
Output := aad.tests with input.conditional_access_policies as [CAP]
ReportDetailStr := concat("", [
@@ -969,10 +972,42 @@ test_BuiltInControls_Correct if {
TestResult("MS.AAD.3.7v1", Output, ReportDetailStr, true) == true
}
+test_ExcludeUserCorrect_V1 if {
+ CAP := json.patch(ConditionalAccessPolicies,
+ [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["compliantDevice", "domainJoinedDevice"]},
+ {"op": "add", "path": "Conditions/Users/ExcludeUsers", "value": ["SpecialPerson"]},
+ {"op": "add", "path": "GrantControls/Operator", "value": "OR"}])
+
+ Output := aad.tests with input.conditional_access_policies as [CAP]
+ with input.scuba_config.Aad["MS.AAD.3.7v1"] as ScubaConfig
+ with input.scuba_config.Aad["MS.AAD.3.7v1"].CapExclusions.Users as ["SpecialPerson"]
+
+ ReportDetailArrayStrs := ["conditional access policy(s) found that meet(s) all requirements:"]
+ TestResultContains("MS.AAD.3.7v1", Output, ReportDetailArrayStrs, true) == true
+}
+
+test_ExcludeGroup_Correct_V1 if {
+ CAP := json.patch(ConditionalAccessPolicies,
+ [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["compliantDevice", "domainJoinedDevice"]},
+ {"op": "add", "path": "Conditions/Users/ExcludeGroups","value": ["SpecialGroup"]},
+ {"op": "add", "path": "GrantControls/Operator", "value": "OR"}
+ ])
+
+ Output := aad.tests with input.conditional_access_policies as [CAP]
+ with input.scuba_config.Aad["MS.AAD.3.7v1"] as ScubaConfig
+ with input.scuba_config.Aad["MS.AAD.3.7v1"].CapExclusions.Groups as ["SpecialGroup"]
+
+ ReportDetailArrayStrs := ["conditional access policy(s) found that meet(s) all requirements:"]
+ TestResultContains("MS.AAD.3.7v1", Output, ReportDetailArrayStrs, true) == true
+}
+
+
test_IncludeApplications_Incorrect_V3 if {
CAP := json.patch(ConditionalAccessPolicies,
[{"op": "add", "path": "Conditions/Applications/IncludeApplications", "value": [""]},
- {"op": "add", "path": "GrantControls/BuiltInControls", "value": ["compliantDevice"]}])
+ {"op": "add", "path": "GrantControls/BuiltInControls", "value": ["compliantDevice", "domainJoinedDevice"]},
+ {"op": "add", "path": "GrantControls/Operator", "value": "OR"}
+ ])
Output := aad.tests with input.conditional_access_policies as [CAP]
@@ -984,7 +1019,9 @@ test_IncludeApplications_Incorrect_V3 if {
test_IncludeUsers_Incorrect_V2 if {
CAP := json.patch(ConditionalAccessPolicies,
[{"op": "add", "path": "Conditions/Users/IncludeUsers", "value": [""]},
- {"op": "add", "path": "GrantControls/BuiltInControls", "value": ["compliantDevice"]}])
+ {"op": "add", "path": "GrantControls/BuiltInControls", "value": ["compliantDevice", "domainJoinedDevice"]},
+ {"op": "add", "path": "GrantControls/Operator", "value": "OR"}
+ ])
Output := aad.tests with input.conditional_access_policies as [CAP]
@@ -1007,14 +1044,61 @@ test_BuiltInControls_Incorrect_V3 if {
test_State_Incorrect_V3 if {
CAP := json.patch(ConditionalAccessPolicies,
[{"op": "add", "path": "State", "value": "disabled"},
- {"op": "add", "path": "GrantControls/BuiltInControls", "value": ["compliantDevice"]}])
+ {"op": "add", "path": "GrantControls/BuiltInControls", "value": ["compliantDevice", "domainJoinedDevice"]},
+ {"op": "add", "path": "GrantControls/Operator", "value": "OR"}
+ ])
+
+ Output := aad.tests with input.conditional_access_policies as [CAP]
+
+ ReportDetailStr :=
+ "0 conditional access policy(s) found that meet(s) all requirements. View all CA policies."
+ TestResult("MS.AAD.3.7v1", Output, ReportDetailStr, false) == true
+}
+
+test_ExcludeUserIncorrect_V1 if {
+ CAP := json.patch(ConditionalAccessPolicies,
+ [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["compliantDevice", "domainJoinedDevice"]},
+ {"op": "add", "path": "Conditions/Users/ExcludeUsers", "value": ["SpecialPerson"]},
+ {"op": "add", "path": "GrantControls/Operator", "value": "OR"}])
+
+ Output := aad.tests with input.conditional_access_policies as [CAP]
+ with input.scuba_config.Aad["MS.AAD.3.7v1"] as ScubaConfig
+ with input.scuba_config.Aad["MS.AAD.3.7v1"].CapExclusions.Users as ["NotSpecialPerson"]
+
+ ReportDetailStr :=
+ "0 conditional access policy(s) found that meet(s) all requirements. View all CA policies."
+ TestResult("MS.AAD.3.7v1", Output, ReportDetailStr, false) == true
+}
+
+test_ExcludeGroupIncorrect_V1 if {
+ CAP := json.patch(ConditionalAccessPolicies,
+ [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["compliantDevice", "domainJoinedDevice"]},
+ {"op": "add", "path": "Conditions/Users/ExcludeGroups", "value": ["SpecialGroup"]},
+ {"op": "add", "path": "GrantControls/Operator", "value": "OR"}])
Output := aad.tests with input.conditional_access_policies as [CAP]
+ with input.scuba_config.Aad["MS.AAD.3.7v1"] as ScubaConfig
+ with input.scuba_config.Aad["MS.AAD.3.7v1"].CapExclusions.Groups as ["NotSpecialGroup"]
ReportDetailStr :=
"0 conditional access policy(s) found that meet(s) all requirements. View all CA policies."
TestResult("MS.AAD.3.7v1", Output, ReportDetailStr, false) == true
}
+
+test_OperatorIncorrect_V1 if {
+ CAP := json.patch(ConditionalAccessPolicies,
+ [{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["compliantDevice", "domainJoinedDevice"]},
+ {"op": "add", "path": "GrantControls/Operator", "value": ""}
+ ])
+
+ Output := aad.tests with input.conditional_access_policies as [CAP]
+
+ ReportDetailStr := concat("", [
+ "0 conditional access policy(s) found that meet(s) all requirements. View all CA policies."
+ ])
+
+ TestResult("MS.AAD.3.7v1", Output, ReportDetailStr, false) == true
+}
#--
#
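Review bot: `test_OperatorIncorrect_V1` only exercises an empty `Operator`, which no real policy carries; the realistic negatives for the new rule are `Operator` set to `"AND"` and a third grant control added alongside the compliant/hybrid-joined pair, each of which the `Operator == "OR"` and `count(...) == 2` conjuncts are meant to reject, so one test for each would pin that behaviour. The `ReportDetailStr := concat("", [ … ])` around a single string in that test is also unnecessary; assign the literal directly as `test_State_Incorrect_V3` does a few lines above.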
@@ -1030,7 +1114,7 @@ test_Correct_V1 if {
TestResultContains("MS.AAD.3.8v1", Output, ReportDetailArrayStrs, true) == true
}
-test_ExcludeUserCorrect_V1 if {
+test_ExcludeUserCorrect_V2 if {
CAP := json.patch(ConditionalAccessPolicies,
[{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["compliantDevice", "domainJoinedDevice"]},
{"op": "add", "path": "Conditions/Users/ExcludeUsers", "value": ["SpecialPerson"]}])
@@ -1043,7 +1127,7 @@ test_ExcludeUserCorrect_V1 if {
TestResultContains("MS.AAD.3.8v1", Output, ReportDetailArrayStrs, true) == true
}
-test_ExcludeGroup_Correct_V1 if {
+test_ExcludeGroup_Correct_V2 if {
CAP := json.patch(ConditionalAccessPolicies,
[{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["compliantDevice", "domainJoinedDevice"]},
{"op": "add", "path": "Conditions/Users/ExcludeGroups","value": ["SpecialGroup"]}])
@@ -1056,7 +1140,7 @@ test_ExcludeGroup_Correct_V1 if {
TestResultContains("MS.AAD.3.8v1", Output, ReportDetailArrayStrs, true) == true
}
-test_ExcludeUserIncorrect_V1 if {
+test_ExcludeUserIncorrect_V2 if {
CAP := json.patch(ConditionalAccessPolicies,
[{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["compliantDevice", "domainJoinedDevice"]},
{"op": "add", "path": "Conditions/Users/ExcludeUsers", "value": ["SpecialPerson"]}])
@@ -1070,7 +1154,7 @@ test_ExcludeUserIncorrect_V1 if {
TestResult("MS.AAD.3.8v1", Output, ReportDetailStr, false) == true
}
-test_ExcludeGroupIncorrect_V1 if {
+test_ExcludeGroupIncorrect_V2 if {
CAP := json.patch(ConditionalAccessPolicies,
[{"op": "add", "path": "GrantControls/BuiltInControls", "value": ["compliantDevice", "domainJoinedDevice"]},
{"op": "add", "path": "Conditions/Users/ExcludeGroups", "value": ["SpecialGroup"]}])