
MS.AAD.6.1v1 User passwords SHALL NOT expire. will not pass when non-root domains are in play #1532

Open
rbryndoi opened this issue Jan 27, 2025 · 2 comments
Assignees
Labels
public-reported This issue is reported by the public users of the tool.

Comments

@rbryndoi

🐛 Summary

According to Microsoft Support, non-root domains that are configured within Entra inherit their password policies from the parent/root domain. The current tests will always fail on those non-root domains because there is no explicit password expiration policy set, and no way to set the policy (via Graph, or Portal GUI).

To reproduce

Steps to reproduce the behavior:

In an Entra tenant using SCUBA release 1.4

  1. Configure a root domain and set the password policy to never expire (per MS documentation)
  2. Run Scuba Tests
  3. Verify that MS.AAD.6.1v1 passes
  4. Create a new domain that is a subdomain of the primary, for example "test.root.gov"
  5. Run "Get-MGDomain" in Graph to get a list of all domains and confirm your new test domain.
  6. Note that the new domain has "IsRoot = False" and "PasswordValidityPeriodInDays = null"
  7. Run Scuba Tests
  8. The new subdomain will fail, while the root passes.

Expected behavior

Because the subdomains inherit from the root with no way to override the behavior, I expect the non-root domains to be exempt from evaluation (if the root passes, so will the sub, if the root fails, so will the sub).
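The evaluation the reporter describes, written out as an added PowerShell example (this is illustrative code, not ScubaGear's own MS.AAD.6.1v1 check): only root domains are evaluated, and each non-root domain takes the result of the root domain it is a subdomain of. It assumes that a `PasswordValidityPeriodInDays` of 2147483647 is the Entra "never expire" setting, as documented by Microsoft, and uses constructed domain objects so it runs without a tenant.

```powershell
# Assumption (Microsoft docs): 2147483647 days is the Entra "never expire" value.
$NeverExpire = 2147483647

function Get-RootDomainFor {
    param([string]$DomainId, [object[]]$Domains)
    # Walk up the DNS labels (test.root.gov -> root.gov -> gov) until a
    # root domain registered in the tenant matches.
    $labels = $DomainId.Split('.')
    for ($i = 1; $i -lt $labels.Length; $i++) {
        $candidate = $labels[$i..($labels.Length - 1)] -join '.'
        $root = $Domains | Where-Object { $_.IsRoot -and $_.Id -eq $candidate }
        if ($root) { return $root }
    }
    return $null
}

function Test-PasswordNeverExpires {
    param([object[]]$Domains)
    foreach ($d in $Domains) {
        if ($d.IsRoot) {
            # Root domains carry an explicit policy and are evaluated directly.
            $pass = ($d.PasswordValidityPeriodInDays -eq $NeverExpire)
            $note = 'Evaluated directly'
        } else {
            # Non-root domains have a null policy and inherit from their root.
            $root = Get-RootDomainFor -DomainId $d.Id -Domains $Domains
            if ($null -eq $root) { $pass = $false; $note = 'No root domain found in tenant' }
            else {
                $pass = ($root.PasswordValidityPeriodInDays -eq $NeverExpire)
                $note = "Inherited from $($root.Id)"
            }
        }
        [pscustomobject]@{ Domain = $d.Id; IsRoot = $d.IsRoot
                           Result = $(if ($pass) { 'Pass' } else { 'Fail' }); Note = $note }
    }
}

# Constructed sample data shaped like Get-MgDomain output (not from a real tenant).
$sample = @(
    [pscustomobject]@{ Id = 'root.gov';      IsRoot = $true;  PasswordValidityPeriodInDays = $NeverExpire }
    [pscustomobject]@{ Id = 'test.root.gov'; IsRoot = $false; PasswordValidityPeriodInDays = $null }
    [pscustomobject]@{ Id = 'other.gov';     IsRoot = $true;  PasswordValidityPeriodInDays = 90 }
    [pscustomobject]@{ Id = 'hr.other.gov';  IsRoot = $false; PasswordValidityPeriodInDays = $null }
)
Test-PasswordNeverExpires -Domains $sample | Format-Table -AutoSize

# Against a live tenant (Microsoft.Graph module, Connect-MgGraph -Scopes Domain.Read.All):
# Test-PasswordNeverExpires -Domains (Get-MgDomain -All) | Format-Table -AutoSize
```

With the sample data, `test.root.gov` passes because `root.gov` passes, and `hr.other.gov` fails because `other.gov` has a 90-day policy.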

@buidav buidav added the public-reported This issue is reported by the public users of the tool. label Jan 27, 2025
@tkol2022
Collaborator

@mitchelbaker-cisa Can you kindly take a quick look at this since I think you coded a domain / passwords enhancement last year?

@rbryndoi Thanks for reporting!

@mitchelbaker-cisa
Collaborator

@rbryndoi Thanks for reporting the issue. I took a closer look and reproduced the failure for a subdomain, even if its root-level domain is verified and configured with passwords set to not expire. We'll get a fix out to address it.

