maester365 · SebastianClaesson · May 11, 2025 · May 11, 2025 · May 11, 2025 · Dec 9, 2025
@@ -186,7 +186,38 @@
     'Test-MtXspmCriticalCredsOnDevicesWithNonCriticalAccounts',
     'Test-MtXspmPublicRemotelyExploitableHighExposureDevices',
     'Test-MtXspmCriticalCredentialsOnNonTpmProtectedDevices',
-    'Test-MtXspmCriticalCredentialsOnNonCredGuardProtectedDevices'
+    'Test-MtXspmCriticalCredentialsOnNonCredGuardProtectedDevices',
+    'Test-AzdoAllowRequestAccessToken',
+    'Test-AzdoAllowTeamAdminsInvitationsAccessToken',
+    'Test-AzdoArtifactsExternalPackageProtectionToken',
+    'Test-AzdoAuditStream',
+    'Test-AzdoEnforceAADConditionalAccess',
+    'Test-AzdoExternalGuestAccess',
+    'Test-AzdoFeedbackCollection',
+    'Test-AzdoLogAuditEvent',
+    'Test-AzdoOrganizationAutomaticEnrollmentAdvancedSecurityNewProject',
+    'Test-AzdoOrganizationBadgesArePrivate',
+    'Test-AzdoOrganizationCreationClassicBuildPipeline',
+    'Test-AzdoOrganizationCreationClassicReleasePipeline',
+    'Test-AzdoOrganizationLimitJobAuthorizationScopeNonReleasePipeline',
+    'Test-AzdoOrganizationLimitJobAuthorizationScopeReleasePipeline',
+    'Test-AzdoOrganizationLimitVariablesAtQueueTime',
+    'Test-AzdoOrganizationOwner',
+    'Test-AzdoOrganizationProtectAccessToRepository',
+    'Test-AzdoOrganizationRepositorySettingsDisableCreationTFVCRepo',
+    'Test-AzdoOrganizationRepositorySettingsGravatarImage',
+    'Test-AzdoOrganizationStageChooser',
+    'Test-AzdoOrganizationStorageUsage',
+    'Test-AzdoOrganizationTaskRestrictionsDisableMarketplaceTask',
+    'Test-AzdoOrganizationTaskRestrictionsDisableNode6Task',
+    'Test-AzdoOrganizationTaskRestrictionsShellTaskArgumentValidation',
+    'Test-AzdoOrganizationTriggerPullRequestGitHubRepository',
+    'Test-AzdoProjectCollectionAdministrator',
+    'Test-AzdoPublicProject',
+    'Test-AzdoResourceUsageProject',
+    'Test-AzdoResourceUsageWorkItemTag',
+    'Test-AzdoSSHAuthentication',
+    'Test-AzdoThirdPartyAccessViaOauth'
 
     # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
     CmdletsToExport      = @()

@@ -0,0 +1,17 @@
+Request access to Azure DevOps by e-mail notifications to administrators SHOULD BE disabled.
+
+Rationale: Access control to Azure DevOps is to be a controlled process where access is granted and tracked.
+
+#### Remediation action:
+Disable the policy to stop these requests and notifications.
+1. Sign in to your organization
+2. Choose Organization settings.
+3. Select Policies, locate the Request Access policy and toggle it to off.
+4. Provide the URL to your internal process for gaining access. Users see this URL in the error report when they try to access the organization or a project within the organization that they don't have permission to access.
+
+**Results:**
+When users try to access a project without the required permissions, the error message includes the request access URL. This link is shown on the error page to maintain confidentiality, regardless of whether the project exists.
+
+#### Related links
+
+* [Azure DevOps Security - Disable your organization's Request Access policy](https://go.microsoft.com/fwlink/?linkid=2113172)
@@ -0,0 +1,47 @@
+<#
+.SYNOPSIS
+    Returns a boolean depending on the configuration.
+
+.DESCRIPTION
+    Checks the status of the 'Request Access' policy in Azure DevOps to prevent users from requesting access to your organization or projects.
+    When this policy is enabled, users can request access, and administrators receive email notifications for review and approval.
+    Disabling the policy stops these requests and notifications, helping you control access more tightly.
+
+    https://go.microsoft.com/fwlink/?linkid=2113172
+
+.EXAMPLE
+    ```
+    Test-AzdoAllowRequestAccessToken
+    ```
+
+    Returns a boolean depending on the configuration.
+
+.LINK
+    https://maester.dev/docs/commands/Test-AzdoAllowRequestAccessToken
+#>
+
+function Test-AzdoAllowRequestAccessToken {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if ($null -eq (Get-ADOPSConnection)['Organization']) {
+        Write-verbose 'Not connected to Azure DevOps'
+        Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason 'Not connected to Azure DevOps'
+        return $null
+    }
+
+    $UserPolicies = Get-ADOPSOrganizationPolicy -PolicyCategory 'User'
+    $Policy = $UserPolicies.policy | where-object -property name -eq 'Policy.AllowRequestAccessToken'
+    $result = $Policy.effectiveValue
+    if ($result) {
+        $resultMarkdown = "When enabled, this policy allows users to request access, triggering email notifications to administrators for review and approval."
+    }
+    else {
+        $resultMarkdown = "Well done. Disabling the policy stops these requests and notifications."
+    }
+
+    Add-MtTestResultDetail -Result $resultMarkdown -Severity 'High'
+
+    return $result
+}
@@ -0,0 +1,19 @@
+Access to Azure DevOps SHOULD BE a controlled process provided by the IAM team or relevant Azure DevOps administrators roles.
+
+Rationale: By default, all administrators can invite new users to their Azure DevOps organization.
+Disabling this policy prevents Team and Project Administrators from inviting new users.
+However, Project Collection Administrators (PCAs) can still add new users to the organization regardless of the policy status.
+Additionally, if a user is already a member of the organization, Project and Team Administrators can add that user to specific projects.
+
+#### Remediation action:
+Disable the policy to stop these invitations.
+1. Sign in to your organization
+2. Choose Organization settings.
+3. Select Policies, locate the **Allow team and project administrators to invite new users** policy and toggle it to off.
+4. Now, only Project Collection Administrators can invite new users to Azure DevOps.
+
+> Project and Team Administrators can directly add users to their projects through the permissions blade. However, if they attempt to add users through the Add Users button located in the Organization settings > Users section, it's not visible to them. Adding a user directly through Project settings > Permissions doesn't result in the user appearing automatically in the Organization settings > Users list. For the user to be reflected in the Users list, they must sign in to the system.
+
+#### Related links
+
+* [Azure DevOps Security - Restrict administrators from inviting new users](https://aka.ms/azure-devops-invitations-policy)
@@ -0,0 +1,48 @@
+<#
+.SYNOPSIS
+    Returns a boolean depending on the configuration.
+
+.DESCRIPTION
+    By default, all administrators can invite new users to their Azure DevOps organization.
+    Disabling this policy prevents Team and Project Administrators from inviting new users or adding Entra groups.
+    However, Project Collection Administrators (PCAs) can still add new users and Entra groups to the organization regardless of the policy status.
+    Additionally, if a user is already a member of the organization, Project and Team Administrators can add that user to specific projects.
+
+    https://aka.ms/azure-devops-invitations-policy
+
+.EXAMPLE
+    ```
+    Test-AzdoAllowTeamAdminsInvitationsAccessToken
+    ```
+
+    Returns a boolean depending on the configuration.
+
+.LINK
+    https://maester.dev/docs/commands/Test-AzdoAllowTeamAdminsInvitationsAccessToken
+#>
+
+function Test-AzdoAllowTeamAdminsInvitationsAccessToken {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if ($null -eq (Get-ADOPSConnection)['Organization']) {
+        Write-verbose 'Not connected to Azure DevOps'
+        Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason 'Not connected to Azure DevOps'
+        return $null
+    }
+
+    $PrivacyPolicies = Get-ADOPSOrganizationPolicy -PolicyCategory 'User'
+    $Policy = $PrivacyPolicies.policy | where-object -property name -eq 'Policy.AllowTeamAdminsInvitationsAccessToken'
+    $result = $Policy.effectiveValue
+    if ($result) {
+        $resultMarkdown = "Team and project administrators is allowed to invite new users"
+    }
+    else {
+        $resultMarkdown = "Well done. Enrolling to your Azure DevOps organization should be a controlled process."
+    }
+
+    Add-MtTestResultDetail -Result $resultMarkdown -Severity 'High'
+
+    return $result
+}
@@ -0,0 +1,24 @@
+Externally sourced package versions SHOULD BE manually approved for internal use to prevent malicious packages from a public registry being inadvertently consumed.
+
+Rationale: Previously, Azure Artifacts feeds presented package versions from all of its upstream sources. This includes package versions that were originally pushed to an Azure Artifacts feed (internally sourced) and package versions from common public repositories like npmjs.com, NuGet.org, Maven Central, and PyPI (externally sourced).
+
+Configure a policy for additional security for your private feeds by limiting access to externally sourced packages when internally sources packages are already present. This provides a new layer of security, which prevents malicious packages from a public registry being inadvertently consumed. These changes will not affect any package versions that are already in use or cached in your feed.
+
+#### Remediation action:
+
+Enable the policy to opt-in for additional protective behavior.
+
+1. Sign in to your organization
+2. Choose Organization settings.
+3. Click on policies under the security section
+4. In the security policies section, toggle on ‘Additional protections when using public package registries’
+
+**Results:**
+The security behavior applies:
+when an internally sourced version is already in your feed, or
+when consuming a package from your feed for the first time (i.e. it is not yet in your feed), and at least one of the versions available from an upstream is internally sourced.
+With the new behavior, any versions from the public registry will be blocked and not made available to download. You are able to configure the upstream behavior to allow externally sourced package versions if you choose to.
+
+#### Related links
+
+* [Microsoft Devblogs - Changes to Azure Artifacts Upstream Behavior](https://devblogs.microsoft.com/devops/changes-to-azure-artifact-upstream-behavior/)
@@ -0,0 +1,49 @@
+<#
+.SYNOPSIS
+    Returns a boolean depending on the configuration.
+
+.DESCRIPTION
+    Checks the policy for additional security for your private feeds by limiting access to externally sourced packages when internally sourced packages are already present.
+    This provides a new layer of security, which prevents malicious packages from a public registry being inadvertently consumed.
+    These changes will not affect any package versions that are already in use or cached in your feed.
+
+    https://devblogs.microsoft.com/devops/changes-to-azure-artifact-upstream-behavior
+
+.EXAMPLE
+    ```
+    Test-AzdoArtifactsExternalPackageProtectionToken
+    ```
+
+    Returns a boolean depending on the configuration.
+
+.LINK
+    https://maester.dev/docs/commands/Test-AzdoArtifactsExternalPackageProtectionToken
+#>
+
+function Test-AzdoArtifactsExternalPackageProtectionToken {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if ($null -eq (Get-ADOPSConnection)['Organization']) {
+        Write-verbose 'Not connected to Azure DevOps'
+        Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason 'Not connected to Azure DevOps'
+        return $null
+    }
+
+    $SecurityPolicies = Get-ADOPSOrganizationPolicy -PolicyCategory 'Security'
+    $Policy = $SecurityPolicies.policy | where-object -property name -eq 'Policy.ArtifactsExternalPackageProtectionToken'
+    $result = $Policy.effectiveValue
+    if ($result) {
+        $resultMarkdown = "Well done. Your Azure DevOps tenant limits access to externally sourced packages when internally sources packages are already present."
+    }
+    else {
+        $resultMarkdown = "Your tenant should prefer to use internal source packages when present"
+    }
+
+
+
+    Add-MtTestResultDetail -Result $resultMarkdown  -Severity 'High'
+
+    return $result
+}
@@ -0,0 +1,24 @@
+Audit logs SHOULD BE retained according to your organization's needs, and protected from purging.
+
+Rationale: Send auditing data to other Security Incident and Event Management (SIEM) tools and open new possibilities, such as the ability to trigger alerts for specific events, create views on auditing data, and perform anomaly detection. Setting up a stream also allows you to store more than 90-days of auditing data, which is the maximum amount of data that Azure DevOps keeps for your organizations.
+
+#### Remediation action:
+
+Create an audit stream, which sends data to other locations for further processing.
+
+1. Sign in to your organization.
+2. Choose Organization settings.
+3. Select Auditing.
+> If you don't see Auditing in Organization Settings, then auditing is not currently enabled for your organization. Someone in the organization owner or Project Collection Administrators (PCAs) group must enable Auditing in Organization Policies. You will then be able to see events on the Auditing page if you have the appropriate permissions.
+1. Go to the Streams tab, and then select New stream.
+2. Select the stream target that you want to configure, and then select from the following instructions to set up your stream target type.
+   1. Splunk
+   2. Event Grid
+   3. Azure Monitor Log
+
+**Results:**
+Audit streams represent a pipeline that flows audit events from your Azure DevOps organization to a stream target. Every half hour or less, new audit events are bundled and streamed to your targets. 
+
+#### Related links
+
+* [Azure DevOps Security - Create audit streaming](https://learn.microsoft.com/en-us/azure/devops/organizations/audit/auditing-streaming?view=azure-devops)
@@ -0,0 +1,57 @@
+<#
+.SYNOPSIS
+    Returns a boolean depending on the configuration.
+
+.DESCRIPTION
+    Sends auditing data to Security Incident and Event Management (SIEM) tools and open new possibilities,
+    such as the ability to trigger alerts for specific events, create views on auditing data, and perform
+    anomaly detection. Setting up a stream also allows you to store more than 90-days of auditing data,
+    which is the maximum amount of data that Azure DevOps keeps for your organizations.
+
+    https://learn.microsoft.com/en-us/azure/devops/organizations/audit/auditing-streaming?view=azure-devops
+
+.EXAMPLE
+    ```
+    Test-AzdoAuditStream
+    ```
+
+    Returns a boolean depending on the configuration.
+
+.LINK
+    https://maester.dev/docs/commands/Test-AzdoAuditStream
+#>
+
+function Test-AzdoAuditStream {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if ($null -eq (Get-ADOPSConnection)['Organization']) {
+        Write-verbose 'Not connected to Azure DevOps'
+        Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason 'Not connected to Azure DevOps'
+        return $null
+    }
+
+    $AuditStreams = Get-ADOPSAuditStreams
+
+    if ($AuditStreams) {
+        if ('Enabled' -in $AuditStreams.status) {
+            $resultMarkdown = "Well done. Audit logs have been configured for long-term storage and purge protection."
+            $result = $true
+        }
+        else {
+            $resultMarkdown = "Audit Streams have been configured for long-term storage and purge protection but is not enabled."
+            $result = $false
+        }
+    }
+    else {
+        $resultMarkdown = "Audit Streams have not been configured for long-term storage and purge protection."
+        $result = $false
+    }
+
+
+
+    Add-MtTestResultDetail -Result $resultMarkdown  -Severity 'Critical'
+
+    return $result
+}
@@ -0,0 +1,20 @@
+Conditional Access Policies SHOULD BE configured for Microsoft Entra ID-backed organizations.
+
+Rationale: When you sign in to the web portal of a Microsoft Entra ID-backed organization, Microsoft Entra ID always performs validation for any Conditional Access Policies (CAPs) set by tenant administrators.
+
+#### Remediation action:
+Disable the policy to stop these requests and notifications.
+1. Sign in to your organization
+2. Choose Organization settings.
+3. Select Policies, and then toggle your policy to on or off as needed.
-Disable the policy to stop these requests and notifications.
-1. Sign in to your organization
-2. Choose Organization settings.
-3. Select Policies, and then toggle your policy to on or off as needed.
+Enable and enforce the relevant Conditional Access policy in Microsoft Entra ID/Azure DevOps so that these requests are evaluated according to your security requirements.
+1. Sign in to your organization
+2. Choose Organization settings.
+3. Select Policies, and then toggle the relevant Conditional Access policy to **On** to enforce it.
-Disable the policy to stop these requests and notifications.
-1. Sign in to your organization
-2. Choose Organization settings.
-3. Select Policies, and then toggle your policy to on or off as needed.
+Enable and enforce the relevant Conditional Access policy in Microsoft Entra ID/Azure DevOps so that these requests are evaluated according to your security requirements.
+1. Sign in to your organization
+2. Choose Organization settings.
+3. Select Policies, and then toggle the relevant Conditional Access policy to **On** to enforce it.
+   1. If the “Enable IP Conditional Access policy Validation” organization policy is enabled, we check IP fencing policies on both web and non-interactive flows, such as non-Microsoft client flows (e.g., using a PAT with git operations).
+   2. Sign-in policies might be enforced for PATs as well. Using PATs to make Microsoft Entra ID calls requires adherence to any sign-in policies that are set. For example, if a sign-in policy requires that a user sign in every seven days, you must also sign in every seven days to continue using PATs for Microsoft Entra ID requests.
+> We support MFA policies on web flows only. For non-interactive flows, if they don't satisfy the conditional access policy, the user isn't prompted for MFA and gets blocked instead.
+> We support IP-fencing conditional access policies (CAPs) for both IPv4 and IPv6 addresses. If your IPv6 address is being blocked, ensure that the tenant administrator configured CAPs to allow your IPv6 address. Additionally, consider including the IPv4-mapped address for any default IPv6 address in all CAP conditions.
+
+**Results:**
+When you sign in to the web portal of a Microsoft Entra ID-backed organization, Microsoft Entra ID always performs validation for any Conditional Access Policies (CAPs) set by tenant administrators.
+
+#### Related links
+
+* [Azure DevOps Security - Conditional Access Policies support on Azure DevOps](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/change-application-access-policies?view=azure-devops#cap-support-on-azure-devops)