Add Check for Application Exclusions for Conditional Access Policies

PowerShell/ScubaGear/Rego/AADConfig.rego

@@ -5,7 +5,6 @@ import data.utils.report.NotCheckedDeprecation
 import data.utils.report.CheckedSkippedDetails
 import data.utils.report.ReportDetailsBoolean
 import data.utils.report.ReportDetailsString
-import data.utils.key.IsEmptyContainer
 import data.utils.key.Contains
 import data.utils.key.FilterArray
 import data.utils.key.ConvertToSetWithKey
@@ -181,10 +180,8 @@ tests contains {
 PhishingResistantMFAPolicies contains CAPolicy.DisplayName if {
     some CAPolicy in input.conditional_access_policies
 
-    "All" in CAPolicy.Conditions.Users.IncludeUsers
-    "All" in CAPolicy.Conditions.Applications.IncludeApplications
-    CAPolicy.State == "enabled"
-    count(CAPolicy.Conditions.Applications.ExcludeApplications) == 0
+    PolicyConditionsMatch(CAPolicy)
+
 
     GroupExclusionsFullyExempt(CAPolicy, "MS.AAD.3.1v1") == true
     UserExclusionsFullyExempt(CAPolicy, "MS.AAD.3.1v1") == true
@@ -402,7 +399,7 @@ tests contains {
 PhishingResistantMFAPrivilegedRoles contains CAPolicy.DisplayName if {
     some CAPolicy in input.conditional_access_policies
 
-    CAPolicy.State == "enabled"
+    PolicyConditionsMatch(CAPolicy)
     PrivRolesSet := ConvertToSetWithKey(input.privileged_roles, "RoleTemplateId")
 
     # Filter: only include policies that meet all the requirements
@@ -413,8 +410,6 @@ PhishingResistantMFAPrivilegedRoles contains CAPolicy.DisplayName if {
     count(PrivRolesSet & ConvertToSet(CAPolicy.Conditions.Users.ExcludeRoles)) == 0
 
     # Basic & special conditions
-    Contains(CAPolicy.Conditions.Applications.IncludeApplications, "All") == true
-    IsEmptyContainer(CAPolicy.Conditions.Applications.ExcludeApplications) == true
     GroupExclusionsFullyExempt(CAPolicy, "MS.AAD.3.6v1") == true
     UserExclusionsFullyExempt(CAPolicy, "MS.AAD.3.6v1") == true
 
@@ -480,9 +475,8 @@ tests contains {
 RequireManagedDeviceMFA contains CAPolicy.DisplayName if {
     some CAPolicy in input.conditional_access_policies
 
-    Contains(CAPolicy.Conditions.Users.IncludeUsers, "All") == true
+    PolicyConditionsMatch(CAPolicy)
     Contains(CAPolicy.Conditions.Applications.IncludeUserActions, "urn:user:registersecurityinfo") == true
-    CAPolicy.State == "enabled"
 
     Conditions := [
         "compliantDevice" in CAPolicy.GrantControls.BuiltInControls,

PowerShell/ScubaGear/Rego/Utils/AAD.rego

@@ -2,7 +2,6 @@ package utils.aad
 import rego.v1
 import data.utils.report.ArraySizeStr
 import data.utils.report.Description
-import data.utils.key.IsEmptyContainer
 import data.utils.key.Contains
 import data.utils.key.Count
 import data.utils.key.ConvertToSet
@@ -148,14 +147,21 @@ GroupExclusionsFullyExempt(Policy, PolicyID) := true if {
 # Return true if policy matches all conditions:
 # All for include users & applications,
 # block for built in controls, enabled,
-# & NO excluded roles.
+# & NO excluded users, roles, groups, & applications.
+
 PolicyConditionsMatch(Policy) := true if {
     Contains(Policy.Conditions.Users.IncludeUsers, "All") == true
     Contains(Policy.Conditions.Applications.IncludeApplications, "All") == true
+    Count(Policy.Conditions.Users.ExcludeRoles) == 0
+    Count(Policy.Conditions.Applications.ExcludeApplications) == 0
     Policy.State == "enabled"
-    IsEmptyContainer(Policy.Conditions.Users.ExcludeRoles) == true
+
+    # Uncomment this line of code when we want to check for external or guest users
+    # Object.get() protects against undefined errors
+    # Count(object.get(Policy, ["Conditions", "Users", "ExcludeGuestsOrExternalUsers", "GuestOrExternalUserTypes"], null)) == 0
 } else := false
 
+
 # Save the Allowed MFA items as a set, check if there are any MFA
 # items allowed besides the acceptable ones & if there is at least
 # 1 MFA item allowed. Return true

PowerShell/ScubaGear/Testing/Unit/Rego/AAD/AADBaseConfig.rego

@@ -19,7 +19,13 @@ ConditionalAccessPolicies := {
             ],
             "ExcludeUsers": [],
             "ExcludeGroups": [],
-            "ExcludeRoles": []
+            "ExcludeRoles": [],
+            "ExcludeGuestsOrExternalUsers":  {
+                "ExternalTenants":  {
+                    "MembershipKind":  null
+                },
+                "GuestOrExternalUserTypes":  null
+            },
         },
         "UserRiskLevels": [
             "high"