Implement MS.AAD.7.2v1 Policy to check Secure Score

.github/workflows/run_markdown_check.yaml

@@ -1,11 +1,11 @@
-on: 
+on:
     workflow_dispatch:
     pull_request:
         types: [opened, reopened]
         branches:
-        - "main"        
+        - "main"
     pull_request_review:
-        types: [submitted]  
+        types: [submitted]
     push:
         branches:
         - "main"
@@ -14,13 +14,13 @@ on:
         - "baselines/*.md"
 
 name: Markdown Check
-  
+
 jobs:
     Run-Markdown-Check:
         runs-on: windows-latest
         defaults:
             run:
-                shell: powershell 
+                shell: powershell
         permissions:
             contents: read
         steps:

PowerShell/ScubaGear/Modules/Connection/Connection.psm1

@@ -57,6 +57,7 @@ function Connect-Tenant {
                         'UserAuthenticationMethod.Read.All',
                         'RoleManagement.Read.Directory',
                         'GroupMember.Read.All',
+                        'SecurityEvents.Read.All',
                         'Directory.Read.All'
                     )
                     $GraphParams = @{

PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1

@@ -12,13 +12,11 @@ function Export-AADProvider {
     $Tracker = Get-CommandTracker
 
     # The below cmdlet covers the following baselines
+    # - 1.1
     # - 2.1
-    # - 2.2
-    # - 2.3 First Policy bullet
-    # - 2.4 First Policy bullet
-    # - 2.9
-    # - 2.10
-    # - 2.17 first part
+    # - 3.1
+    # - 4.2
+    # - 3.7
     $AllPolicies = $Tracker.TryCommand("Get-MgIdentityConditionalAccessPolicy")
 
     Import-Module $PSScriptRoot/ProviderHelpers/AADConditionalAccessHelper.psm1
@@ -91,13 +89,14 @@ function Export-AADProvider {
     }
     $ServicePlans = ConvertTo-Json -Depth 3 @($ServicePlans)
 
-    # 2.6, 2.7, & 2.18 1st/3rd Policy Bullets
+    # 5.1, 5.2, 8.1 & 8.3
     $AuthZPolicies = ConvertTo-Json @($Tracker.TryCommand("Get-MgPolicyAuthorizationPolicy"))
+    $SecureScore = ConvertTo-Json -Depth 2 @($Tracker.TryCommand("Get-MgSecuritySecureScore", @{"Top"=1}).ControlScores | Where-Object {$_.ControlName -eq 'RoleOverlap'})
 
-    # 2.7 third bullet
+    # 5.4
     $DirectorySettings = ConvertTo-Json -Depth 10 @($Tracker.TryCommand("Get-MgDirectorySetting"))
 
-    # 2.7 Policy Bullet 2]
+    # 5.3
     $AdminConsentReqPolicies = ConvertTo-Json @($Tracker.TryCommand("Get-MgPolicyAdminConsentRequestPolicy"))
 
     # Read the properties and relationships of an authentication method policy
@@ -111,6 +110,7 @@ function Export-AADProvider {
     "conditional_access_policies": $AllPolicies,
     "cap_table_data": $CapTableData,
     "authorization_policies": $AuthZPolicies,
+    "secure_score": $SecureScore,
     "admin_consent_policies": $AdminConsentReqPolicies,
     "privileged_users": $PrivilegedUsers,
     "privileged_roles": $PrivilegedRoles,

PowerShell/ScubaGear/RequiredVersions.ps1

@@ -85,6 +85,11 @@ $ModuleList = @(
         ModuleVersion = [version] '1.14.0'
         MaximumVersion = [version] '1.99.99999'
     },
+    @{
+        ModuleName = 'Microsoft.Graph.Security'
+        ModuleVersion = [version] '1.14.0'
+        MaximumVersion = [version] '1.99.99999'
+    },
     @{
         ModuleName = 'Microsoft.Graph.Teams' #TODO: Verify is needed
         ModuleVersion = [version] '1.14.0'

Rego/AADConfig.rego

@@ -705,22 +705,24 @@ tests[{
 }
 #--
 
-#
 # MS.AAD.7.2v1
 #--
-# At this time we are unable to test for user association to fine-grained privileged roles
-# rather than Global Administrator due to runtime and data response size constraints
+# Check for secure score value for RoleOverlap Control Category
+# Requirements is met if score is equal to 1 (100%) and fails if it is less than 1
+#--
+
 tests[{
-    "PolicyId" : PolicyId,
-    "Criticality" : "Shall/Not-Implemented",
-    "Commandlet" : [],
-    "ActualValue" : [],
-    "ReportDetails" : NotCheckedDetails(PolicyId),
-    "RequirementMet" : false
+    "PolicyId" : "MS.AAD.7.2v1",
+    "Criticality" : "Shall",
+    "Commandlet" : ["Get-MgSecuritySecureScore"],
+    "ActualValue" : SecureScorePolicy,
+    "ReportDetails" : ReportDetailsBoolean(Status),
+    "RequirementMet" : Status
 }] {
-    PolicyId := "MS.AAD.7.2v1"
-    true
+   SecureScorePolicy := input.secure_score[_]
+   Status := SecureScorePolicy.Score == 1.0
 }
+
 #--
 
 #