Rename Entra Connect related checks and move from test logic to cmdlets (#1244)

* Rename to match purpose

* Rewrite to limit test logic outside of cmdlet

* Remove Test-MtDomainsWithSsso from psd1

* Rename correctly

* Make sure unconnected Graph does not throw errors

Author: f-bader

powershell/Maester.psd1

@@ -160,9 +160,9 @@ FunctionsToExport = 'Add-MtTestResultDetail',
     'Test-ORCA244', 'Update-MaesterTests', 'Test-MtAppRegistrationOwnersWithoutMFA',
     'Test-MtManagementGroupWriteRequirement', 'Test-MtDeviceRegistrationMfaConflict', 'Test-MtVaultSoftDelete',
     'Test-MtTenantCreationRestricted', 'Test-MtEntraDeviceJoinRestricted', 'Test-MtSecurityGroupCreationRestricted',
-    'Test-MtCaApprovedClientApp', 'Test-MtCaAzureDevOps', 'Test-MtDirSyncSoftHardMatching',
+    'Test-MtCaApprovedClientApp', 'Test-MtCaAzureDevOps', 'Test-MtEntraIDConnectSyncSoftHardMatching', 'Test-MtEntraIDConnectSyncSsso',
     'Test-MtExoMoeraMailActivity','Test-MtExoDelicensingResiliency',
-    'Test-MtLimitOnMicrosoftDomainUsage', 'Test-MtDomainsWithSsso',
+    'Test-MtLimitOnMicrosoftDomainUsage',
     'Test-MtXspmAppRegWithPrivilegedApiAndOwners',
     'Test-MtXspmAppRegWithPrivilegedRolesAndOwners',
     'Test-MtXspmAppRegWithPrivilegedUnusedPermissions',

powershell/public/maester/entra/Test-MtDomainsWithSsso.ps1

@@ -7,14 +7,14 @@
     This can lead to unintended consequences, such as mismatching user data.
 
 .EXAMPLE
-    Test-MtDirSyncSoftHardMatching
+    Test-MtEntraIDConnectSyncSoftHardMatching
 
     Returns true if soft and hard matching is blocked / disabled
 
 .LINK
-    https://maester.dev/docs/commands/Test-MtDirSyncSoftHardMatching
+    https://maester.dev/docs/commands/Test-MtEntraIDConnectSyncSoftHardMatching
 #>
-function Test-MtDirSyncSoftHardMatching {
+function Test-MtEntraIDConnectSyncSoftHardMatching {
     [CmdletBinding()]
     [OutputType([bool])]
     param()

…/entra/Test-MtDirSyncSoftHardMatching.md …-MtEntraIDConnectSyncSoftHardMatching.mdpowershell/public/maester/entra/Test-MtDirSyncSoftHardMatching.md renamed to powershell/public/maester/entra/Test-MtEntraIDConnectSyncSoftHardMatching.md powershell/public/maester/entra/Test-MtDirSyncSoftHardMatching.md renamed to powershell/public/maester/entra/Test-MtEntraIDConnectSyncSoftHardMatching.md

@@ -0,0 +1,163 @@
+<#
+.SYNOPSIS
+    Ensure Microsoft Entra seamless single sign-on is disabled for all domains.
+
+.DESCRIPTION
+    Microsoft Entra seamless single sign-on (SSSO) provides users with easy access to cloud-based applications by automatically signing them in when they are on their corporate devices connected to the corporate network.
+    However, if not managed properly, it can introduce security risks, especially if devices are compromised or if there are misconfigurations.
+
+.EXAMPLE
+    Test-MtEntraIDConnectSyncSsso
+
+    Returns true if Microsoft Entra seamless single sign-on is disabled
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtEntraIDConnectSyncSsso
+#>
+function Test-MtEntraIDConnectSyncSsso {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if (-not (Test-MtConnection Graph)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+    $return = $true
+
+    Write-Verbose "Checking if Microsoft Entra seamless single sign-on is disabled..."
+    try {
+        $organizationConfig = Invoke-MtGraphRequest -RelativeUri "organization"
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+    if ($organizationConfig.onPremisesSyncEnabled -ne $true) {
+        Add-MtTestResultDetail -SkippedBecause 'Custom' -SkippedCustomReason 'OnPremisesSynchronization is not configured'
+        return $null
+    }
+    # Validate if MDI and MDE data is available
+    try {
+        # Check for availability of IdentityLogonEvents table
+        $params = @{
+            ApiVersion  = "beta"
+            RelativeUri = "security/runHuntingQuery"
+            Method      = "POST"
+            ErrorAction = "SilentlyContinue"
+            Body        = (@{"Query" = "IdentityLogonEvents | getschema" } | ConvertTo-Json)
+            OutputType  = "PSObject"
+            Verbose     = $true
+        }
+        $IdentityLogonEventsAvailable = ((Invoke-MtGraphRequest @params).results.ColumnName -contains "LogonType")
+        # Check for availability of DeviceInfo table
+        $params = @{
+            ApiVersion  = "beta"
+            RelativeUri = "security/runHuntingQuery"
+            Method      = "POST"
+            ErrorAction = "SilentlyContinue"
+            Body        = (@{"Query" = "DeviceInfo | getschema" } | ConvertTo-Json)
+            OutputType  = "PSObject"
+            Verbose     = $true
+        }
+        $DeviceInfoAvailable = ((Invoke-MtGraphRequest @params).results.ColumnName -contains "DeviceId")
+        $UnifiedMdiInfoAvailable = $IdentityLogonEventsAvailable -and $DeviceInfoAvailable
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+
+    if ( $UnifiedMdiInfoAvailable -eq $false) {
+        Add-MtTestResultDetail -SkippedBecause 'Custom' -SkippedCustomReason 'This test requires availability of Microsoft Defender for Identity and Microsoft Defender for Endpoint to get data from Defender XDR Advanced Hunting tables (IdentityLogonEvents and DeviceInfo).'
+        return $null
+    }
+
+    try {
+        $Query = @"
+// Get all device info we can find
+let devices = (
+    DeviceInfo
+    // Search for 14 days
+    | where TimeGenerated > ago(14d)
+    // Normalize DeviceName
+    // --> if it is an IP Address we keep it
+    // --> If it is not an IP Address we only use the hostname for correlation
+    | extend DeviceName = iff(ipv4_is_private(DeviceName), DeviceName, tolower(split(DeviceName, ".")[0]))
+    // Only get interesting data
+    | distinct DeviceName, OSPlatform, OSVersion, DeviceId, OnboardingStatus, Model, JoinType
+);
+IdentityLogonEvents
+// Get the last 14 days of logon events on Domain Controllers
+| where TimeGenerated > ago(14d)
+// Search for Seamless SSO events
+| where Application == "Active Directory" and Protocol == "Kerberos"
+| where TargetDeviceName == "AZUREADSSOACC"
+// Save the domain name of the Domain Controller
+| extend OnPremisesDomainName = strcat(split(DestinationDeviceName, ".")[-2], ".", split(DestinationDeviceName, ".")[-1])
+// Normalize DeviceName
+// --> if it is an IP Address we keep it
+// --> If it is not an IP Address we only use the hostname for correlation
+| extend DeviceName = iff(ipv4_is_private(DeviceName), DeviceName, tolower(split(DeviceName, ".")[0]))
+// Only use interesting data and find more info regarding the source device
+| distinct AccountUpn, OnPremisesDomainName, DeviceName
+| join kind=leftouter devices on DeviceName
+| project-away DeviceName1
+// Check if Seamless SSO usage is expected
+| extend ['Seamless SSO Expected'] = case(
+    // Cases where we do not expect Seamless SSO to be used
+    JoinType == "Hybrid Azure AD Join" or
+    JoinType == "AAD Joined" or
+    JoinType == "AAD Registered", "No",
+    // Cases where we do expect Seamless SSO to be used
+    JoinType == "Domain Joined" or
+    (OSPlatform startswith "Windows" and toreal(OSVersion) < 10.0) , "Yes",
+    // Cases that need to be verified
+    "Unknown (to verify)"
+)
+| extend Obj = bag_pack(
+    "AccountUpn", AccountUpn,
+    "DeviceName", DeviceName,
+    "OSPlatform", OSPlatform,
+    "OSVersion", OSVersion,
+    "OnboardingStatus", OnboardingStatus,
+    "JoinType", JoinType,
+    "Seamless SSO Expected", ['Seamless SSO Expected']
+)
+| summarize JsonArray=make_list(Obj) by OnPremisesDomainName
+"@
+
+        Write-Verbose "Running KQL query to get domains with Seamless SSO usage"
+        $DomainsWithSsso = Invoke-MtGraphSecurityQuery -Query $Query -Timespan "P14D"
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+
+    try {
+        if ($DomainsWithSsso.Count -gt 0) {
+            $return = $false
+            $testResultMarkdown = "At least one domain has sign-ins with Seamless Single SignOn enabled in Entra ID Connect.`n`n%TestResult%"
+            $result = "| DomainName | AccountUpn | DeviceName | OnboardingStatus | JoinType | Ssso Expected |`n"
+            $result += "| --- | --- | --- | ---  | --- | ---  |`n"
+            foreach ($Domain in $DomainsWithSsso) {
+                $DomainName = $Domain.OnPremisesDomainName
+                $Domain.JsonArray | ForEach-Object {
+                    $AccountUpn = $_.AccountUpn
+                    $DeviceName = $_.DeviceName
+                    $OnboardingStatus = $_.OnboardingStatus
+                    $JoinType = $_.JoinType
+                    $SssoExpected = $_.'Seamless SSO Expected'
+                    $result += "| $($DomainName) | $($AccountUpn) | $($DeviceName) | $($OnboardingStatus) | $($JoinType) | $($SssoExpected) |`n"
+                }
+            }
+            $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result
+        } else {
+            $testResultMarkdown = "Well done. We found no evidence of domains where Seamless Single SignOn was still enabled in EntraID Connect via the Microsoft Defender for Identity logs."
+        }
+        Add-MtTestResultDetail -Result $testResultMarkdown
+
+        return $return
+    } Catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}

…entra/Test-MtDirSyncSoftHardMatching.ps1 …MtEntraIDConnectSyncSoftHardMatching.ps1powershell/public/maester/entra/Test-MtDirSyncSoftHardMatching.ps1 renamed to powershell/public/maester/entra/Test-MtEntraIDConnectSyncSoftHardMatching.ps1 powershell/public/maester/entra/Test-MtDirSyncSoftHardMatching.ps1 renamed to powershell/public/maester/entra/Test-MtEntraIDConnectSyncSoftHardMatching.ps1

@@ -1,15 +1,19 @@
-BeforeAll {
-    $EntraIDPlan = Get-MtLicenseInformation -Product 'EntraID'
-    $RegularUsers = Get-MtUser -Count 5 -UserType 'Member'
-    $AdminUsers = Get-MtUser -Count 5 -UserType 'Admin'
-    $EmergencyAccessUsers = Get-MtUser -Count 5 -UserType 'EmergencyAccess'
-    # Remove emergency access users from regular users
-    $RegularUsers = $RegularUsers | Where-Object { $_.id -notin $EmergencyAccessUsers.id }
-    # Remove emergency access users from admin users
-    $AdminUsers = $AdminUsers | Where-Object { $_.id -notin $EmergencyAccessUsers.id }
-    Write-Verbose "EntraIDPlan: $EntraIDPlan"
-    Write-Verbose "RegularUsers: $($RegularUsers.id)"
-    Write-Verbose "AdminUsers: $($AdminUsers.id)"
+BeforeDiscovery {
+    try {
+        $EntraIDPlan = Get-MtLicenseInformation -Product 'EntraID'
+        $RegularUsers = Get-MtUser -Count 5 -UserType 'Member'
+        $AdminUsers = Get-MtUser -Count 5 -UserType 'Admin'
+        $EmergencyAccessUsers = Get-MtUser -Count 5 -UserType 'EmergencyAccess'
+        # Remove emergency access users from regular users
+        $RegularUsers = $RegularUsers | Where-Object { $_.id -notin $EmergencyAccessUsers.id }
+        # Remove emergency access users from admin users
+        $AdminUsers = $AdminUsers | Where-Object { $_.id -notin $EmergencyAccessUsers.id }
+        Write-Verbose "EntraIDPlan: $EntraIDPlan"
+        Write-Verbose "RegularUsers: $($RegularUsers.id)"
+        Write-Verbose "AdminUsers: $($AdminUsers.id)"
+    } catch {
+        $EntraIDPlan = "NotConnected"
+    }
 }
 
 

…/maester/entra/Test-MtDomainsWithSsso.md …r/entra/Test-MtEntraIDConnectSyncSsso.mdpowershell/public/maester/entra/Test-MtDomainsWithSsso.md renamed to powershell/public/maester/entra/Test-MtEntraIDConnectSyncSsso.md powershell/public/maester/entra/Test-MtDomainsWithSsso.md renamed to powershell/public/maester/entra/Test-MtEntraIDConnectSyncSsso.md

@@ -1,49 +1,13 @@
 BeforeDiscovery {
-
-}
-
-Describe "Maester/Entra" -Tag "EntraIdConnect", "Entra", "Graph", "Security" {
-
-    BeforeAll {
+    try {
         $EntraIDPlan = Get-MtLicenseInformation -Product "EntraID"
+    } catch {
+        $EntraIDPlan = "NotConnected"
     }
+}
 
-    It "MT.1084: Seamless Single SignOn should be disabled for all domains in EntraID Connect servers. See https://maester.dev/docs/tests/MT.1084" -Tag "MT.1084" -Skip:( $EntraIDPlan -ne "P2" ) {
-
-        if ( $UnifiedMdiInfoAvailable -eq $false) {
-            Add-MtTestResultDetail -SkippedBecause 'Custom' -SkippedCustomReason 'This test requires availability of Microsoft Defender for Identity and Microsoft Defender for Endpoint to get data from Defender XDR Advanced Hunting tables (IdentityLogonEvents and DeviceInfo).'
-            return $null
-        }
-
-        try {
-            $DomainsWithSsso = Test-MtDomainsWithSsso
-        } catch {
-            Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
-            return $null
-        }
-
-        if ($return -or $DomainsWithSsso.Count -eq 0) {
-            $testResultMarkdown = "Well done. We found no evidence of domains where Seamless Single SignOn was still enabled in EntraID Connect via the Microsoft Defender for Identity logs."
-        } else {
-            $testResultMarkdown = "At least one domain has sign-ins with Seamless Single SignOn enabled in Entra ID Connect.`n`n%TestResult%"
-            $result = "| DomainName | AccountUpn | DeviceName | OnboardingStatus | JoinType | Ssso Expected |`n"
-            $result += "| --- | --- | --- | ---  | --- | ---  |`n"
-            foreach ($Domain in $DomainsWithSsso) {
-                $DomainName = $Domain.OnPremisesDomainName
-                $Domain.JsonArray | ForEach-Object {
-                    $AccountUpn = $_.AccountUpn
-                    $DeviceName = $_.DeviceName
-                    $OnboardingStatus = $_.OnboardingStatus
-                    $JoinType = $_.JoinType
-                    $SssoExpected = $_.'Seamless SSO Expected'
-                    $result += "| $($DomainName) | $($AccountUpn) | $($DeviceName) | $($OnboardingStatus) | $($JoinType) | $($SssoExpected) |`n"
-                }
-            }
-            $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result
-        }
-        Add-MtTestResultDetail -Result $testResultMarkdown -Description "Enabling Seamless SSO in Entra ID Connect introduces risks of lateral movement between your On-premise domain and Entra ID.`n`nIn the results you will find which domains, users and devices are still using Seamless SSO. Via the column 'Ssso expected' you can learn if Seamless SSO is expected to be used based on enriched device data.`n`nFor more information on the risks regarding Seamless SSO and how to remediate, see: https://maester.dev/docs/tests/MT.1084" -Severity "High"
-        $DomainsWithSsso.Count -eq "0" | Should -Be $True -Because "Seamless Single SignOn should be disabled for all domains in EntraID Connect servers."
-
+Describe "Maester/Entra" -Tag "EntraIdConnect", "Entra", "Graph", "Security" {
+    It "MT.1084: Microsoft Entra seamless single sign-on should be disabled for all domains in EntraID Connect servers. See https://maester.dev/docs/tests/MT.1084" -Tag "MT.1084" -Skip:( $EntraIDPlan -ne "P2" ) {
+        Test-MtEntraIDConnectSyncSSO | Should -Be $True -Because "Microsoft Entra seamless single sign-on should be disabled for all domains in EntraID Connect servers."
     }
-
 }

powershell/public/maester/entra/Test-MtEntraIDConnectSyncSsso.ps1

@@ -1,5 +1,9 @@
 BeforeDiscovery {
-    $DefenderPlan = Get-MtLicenseInformation -Product "DefenderXDR"
+    try {
+        $DefenderPlan = Get-MtLicenseInformation -Product "DefenderXDR"
+    } catch {
+        $DefenderPlan = "NotConnected"
+    }
 }
 
 Describe "Exposure Management" -Tag "Privileged", "Entra", "Graph", "LongRunning", "Security", "EntraOps", "XSPM" -Skip:( $DefenderPlan -ne "DefenderXDR" ) {