Implement MS.AAD.7.2v1 Policy to check Secure Score #453

ssatyapal123 · 2023-07-21T14:52:50Z

🗣Implement MS.AAD.7.2v1 - Secure Score for Least Privilege Policy##

Implements MS.AAD.7.2v1
Closes #375

💭 Motivation and context

Change allows for automated check eliminating previous manual check

Checks the Secure Score for "Least Privileged Administrative Roles" is 100%

🧪 Testing

Added Rego unit test and checked all unit tests pass
Ran against E5, G5, and G3 tenants and all passed

scubag3forthee:

✅ Pre-approval checklist

This PR has an informative and human-readable title.
Changes are limited to a single goal - eschew scope creep!
All future TODOs are captured in issues, which are referenced
in code comments.
All relevant type-of-change labels have been added.
I have read the CONTRIBUTING document.
These code changes follow cisagov code standards.
All relevant repo and/or project documentation has been updated
to reflect the changes in this PR.
Tests have been added and/or modified to cover the changes in this PR.
All new and existing tests pass.

✅ Pre-merge checklist

Revert dependencies to default branches.
Finalize version.

✅ Post-merge checklist

Create a release.

Dylan-MITRE · 2023-07-26T14:09:51Z

There are some OPA issue with "Testing/Unit/Rego/AAD/AADConfig_07_test.rego:3: rego_compile_error: import data.report.utils.NotCheckedDetails unused" Can you try to fix the unit test to remove the line

* initial teams drop * Add markdown check * Fix spelling * Check action * Test Action * Check version * Fix Markdown test * Add path *.md * Update anchor func * Update AAD * WIP * WIP * WIP * WIP * WIP * Structural baseline updates (cleaned up) (#334) * Update aad.md all updates * Update defender.md all updates * Update exchange.md all updates * Rename exchange.md to exo.md * Update onedrive.md * Update powerbi.md all updates * Update powerplatform.md all updates * Update sharepoint.md all updates * Update teams.md all updates * Update baselines/defender.md good catch! Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/aad.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update aad.md referenced old policy number * Update powerbi.md --------- Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * WIP * Structural baseline updates (cleaned up) (#334) * Update aad.md all updates * Update defender.md all updates * Update exchange.md all updates * Rename exchange.md to exo.md * Update onedrive.md * Update powerbi.md all updates * Update powerplatform.md all updates * Update sharepoint.md all updates * Update teams.md all updates * Update baselines/defender.md good catch! Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/aad.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update aad.md referenced old policy number * Update powerbi.md --------- Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * initial teams drop * Update AAD * WIP * WIP * WIP * WIP * WIP * Structural baseline updates (cleaned up) (#334) * Update aad.md all updates * Update defender.md all updates * Update exchange.md all updates * Rename exchange.md to exo.md * Update onedrive.md * Update powerbi.md all updates * Update powerplatform.md all updates * Update sharepoint.md all updates * Update teams.md all updates * Update baselines/defender.md good catch! Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/aad.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update aad.md referenced old policy number * Update powerbi.md --------- Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * initial teams drop * Update AAD * WIP * Structural baseline updates (cleaned up) (#334) * Update aad.md all updates * Update defender.md all updates * Update exchange.md all updates * Rename exchange.md to exo.md * Update onedrive.md * Update powerbi.md all updates * Update powerplatform.md all updates * Update sharepoint.md all updates * Update teams.md all updates * Update baselines/defender.md good catch! Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/aad.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update aad.md referenced old policy number * Update powerbi.md --------- Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Fix UT errors * Default baseline for testing * Updates based on review comments * Call Import-SecureBaseline once * Update for review comments * Review updates * Add help comment * remove unused import * Fix OPA check issues * fix opa tests action * Update action to test * Action update * Sum PS/Bug as Errors * Update darkmode colors * Fix UT after Rebase * Fix UT * Fix error log * Update UT for NewReport * Update link color --------- Co-authored-by: Andrew Huynh <113476170+ahuynhMITRE@users.noreply.github.com> Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> Co-authored-by: Sloane4 <cdiaz@mitre.org>

PowerShell/ScubaGear/RequiredVersions.ps1

Rego/AADConfig.rego

out.txt

crutchfield

A few minor changes and comments to consider. Looks good. We can talk about ReportUtils.rego if needed.

crutchfield

Looks great. Thanks for addressing my comments.

nanda-katikaneni · 2023-08-17T15:33:05Z

@ssatyapal123, Can you please resolve the conflicts for this to be merged into Emerald. thanks.

* Initial drop of secure baseline automation (#336) * initial teams drop * Add markdown check * Fix spelling * Check action * Test Action * Check version * Fix Markdown test * Add path *.md * Update anchor func * Update AAD * WIP * WIP * WIP * WIP * WIP * Structural baseline updates (cleaned up) (#334) * Update aad.md all updates * Update defender.md all updates * Update exchange.md all updates * Rename exchange.md to exo.md * Update onedrive.md * Update powerbi.md all updates * Update powerplatform.md all updates * Update sharepoint.md all updates * Update teams.md all updates * Update baselines/defender.md good catch! Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/aad.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update aad.md referenced old policy number * Update powerbi.md --------- Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * WIP * Structural baseline updates (cleaned up) (#334) * Update aad.md all updates * Update defender.md all updates * Update exchange.md all updates * Rename exchange.md to exo.md * Update onedrive.md * Update powerbi.md all updates * Update powerplatform.md all updates * Update sharepoint.md all updates * Update teams.md all updates * Update baselines/defender.md good catch! Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/aad.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update aad.md referenced old policy number * Update powerbi.md --------- Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * initial teams drop * Update AAD * WIP * WIP * WIP * WIP * WIP * Structural baseline updates (cleaned up) (#334) * Update aad.md all updates * Update defender.md all updates * Update exchange.md all updates * Rename exchange.md to exo.md * Update onedrive.md * Update powerbi.md all updates * Update powerplatform.md all updates * Update sharepoint.md all updates * Update teams.md all updates * Update baselines/defender.md good catch! Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/aad.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update aad.md referenced old policy number * Update powerbi.md --------- Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * initial teams drop * Update AAD * WIP * Structural baseline updates (cleaned up) (#334) * Update aad.md all updates * Update defender.md all updates * Update exchange.md all updates * Rename exchange.md to exo.md * Update onedrive.md * Update powerbi.md all updates * Update powerplatform.md all updates * Update sharepoint.md all updates * Update teams.md all updates * Update baselines/defender.md good catch! Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/powerbi.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update baselines/aad.md Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Update aad.md referenced old policy number * Update powerbi.md --------- Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> * Fix UT errors * Default baseline for testing * Updates based on review comments * Call Import-SecureBaseline once * Update for review comments * Review updates * Add help comment * remove unused import * Fix OPA check issues * fix opa tests action * Update action to test * Action update * Sum PS/Bug as Errors * Update darkmode colors * Fix UT after Rebase * Fix UT * Fix error log * Update UT for NewReport * Update link color --------- Co-authored-by: Andrew Huynh <113476170+ahuynhMITRE@users.noreply.github.com> Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> Co-authored-by: Sloane4 <cdiaz@mitre.org> * Updates to ExportAADProvider * Updates to ExportAADProvider * Revert changes to AADConfig.reg * Updates to aad 7.2v1 * Updates to ExportAADProvider * Updates to ExportAADProvider * Update to AAD 7.2 Rego Unit Test * Fixes to aad 7.2 rego unit tests * Updates to AADConfig_07_test.rego * Removed TODO comment in RequredVersions.ps1 * Minor updates to AAD Rego --------- Co-authored-by: Richard Crutchfield <crutchfield@users.noreply.github.com> Co-authored-by: Andrew Huynh <113476170+ahuynhMITRE@users.noreply.github.com> Co-authored-by: Addam Schroll <108814318+schrolla@users.noreply.github.com> Co-authored-by: Sloane4 <cdiaz@mitre.org>

ssatyapal123 added the enhancement This issue or pull request will add new or improve existing functionality label Jul 21, 2023

ssatyapal123 added this to the Emerald milestone Jul 21, 2023

ssatyapal123 requested review from crutchfield and Dylan-MITRE July 21, 2023 14:52

ssatyapal123 self-assigned this Jul 21, 2023

ssatyapal123 changed the title ~~375 aad policy7 2 check secure score~~ Implement MS.AAD.7.2v1 Policy to check Secure Score Jul 24, 2023

crutchfield and others added 10 commits July 27, 2023 10:13

Updates to ExportAADProvider

cdebf75

Updates to ExportAADProvider

26b2d96

Revert changes to AADConfig.reg

6a5994d

Updates to aad 7.2v1

17a934d

Updates to ExportAADProvider

1f70fb7

Updates to ExportAADProvider

25c3c81

Update to AAD 7.2 Rego Unit Test

5c6aca3

Fixes to aad 7.2 rego unit tests

97f7f3d

Updates to AADConfig_07_test.rego

63da748

ssatyapal123 force-pushed the 375-aad-policy7-2-check-secure-score branch from dfb1000 to 63da748 Compare July 27, 2023 14:13