From e26b1c6e29bb7de11455ec10db3b967e17679f33 Mon Sep 17 00:00:00 2001
From: bubbletroubles <42738824+bubbletroubles@users.noreply.github.com>
Date: Wed, 31 Dec 2025 10:34:19 +1030
Subject: [PATCH 1/2] agent id fixes
---
 .../entra/Test-MtCaEmergencyAccessExists.ps1 | 7 +-
 .../Test-MtCaEmergencyAccessExists.Tests.ps1 | 94 +++++++++++++++++++
 2 files changed, 99 insertions(+), 2 deletions(-)
diff --git a/powershell/public/maester/entra/Test-MtCaEmergencyAccessExists.ps1 b/powershell/public/maester/entra/Test-MtCaEmergencyAccessExists.ps1
index 811e44cd7..5925fa6cf 100644
--- a/powershell/public/maester/entra/Test-MtCaEmergencyAccessExists.ps1
+++ b/powershell/public/maester/entra/Test-MtCaEmergencyAccessExists.ps1
@@ -32,8 +32,11 @@ function Test-MtCaEmergencyAccessExists {
 # Only check policies that are not related to authentication context (the state of policy does not have to be enabled)
 $policies = Get-MtConditionalAccessPolicy | Where-Object { -not $_.conditions.applications.includeAuthenticationContextClassReferences }
- # Remove policies that are scoped to service principals
- $policies = $policies | Where-Object { -not $_.conditions.clientApplications.includeServicePrincipals }
+ # Remove policies that are scoped to service principals or agent identities
+ $policies = $policies | Where-Object {
+ -not $_.conditions.clientApplications.includeServicePrincipals -and
+ -not $_.conditions.clientApplications.includeAgentIdServicePrincipals
+ }
 $result = $false
 $PolicyCount = $policies | Measure-Object | Select-Object -ExpandProperty Count
diff --git a/powershell/tests/functions/Test-MtCaEmergencyAccessExists.Tests.ps1 b/powershell/tests/functions/Test-MtCaEmergencyAccessExists.Tests.ps1
index 0ddf18a33..ebe5a0d2d 100644
--- a/powershell/tests/functions/Test-MtCaEmergencyAccessExists.Tests.ps1
+++ b/powershell/tests/functions/Test-MtCaEmergencyAccessExists.Tests.ps1
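Review bot: The new filter drops every policy whose `clientApplications.includeAgentIdServicePrincipals` is non-empty, which is only safe if a policy targeting agent identities can never also include users; the hunk does not state that, and if the Graph model allows both on one policy a user-scoped policy would be silently skipped and an emergency account it locks out would go unreported. If the two targets are mutually exclusive in the API, record it at the filter, e.g. `# Service-principal / agent-identity policies cannot target users, so emergency-account exclusions do not apply to them`; if they are not, the filter should additionally require `users.includeUsers` to be empty or `None` before discarding a policy. Separately, if the module runs under `Set-StrictMode`, reading `includeAgentIdServicePrincipals` on a response that does not carry that property (older Graph versions may not return it) would throw rather than evaluate to `$null`, so a presence check may be needed there — worth confirming against the module's strict-mode setting. Test-MtCaEmergencyAccessExists starts before and continues past this hunk.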
@@ -145,6 +145,62 @@
 }
 }
 ]
+"@
+ return $policyJson | ConvertFrom-Json
+ }
+
+ function Get-PolicyAgentIdentity {
+ $policyJson = @"
+[
+ {
+ "id": "policy-agent",
+ "displayName": "Block Agent Identities",
+ "state": "enabled",
+ "conditions": {
+ "applications": {
+ "includeApplications": ["All"]
+ },
+ "users": {
+ "includeUsers": ["None"],
+ "excludeUsers": [],
+ "excludeGroups": []
+ },
+ "clientApplications": {
+ "includeServicePrincipals": [],
+ "includeAgentIdServicePrincipals": ["All"],
+ "excludeServicePrincipals": []
+ }
+ }
+ }
+]
+"@
+ return $policyJson | ConvertFrom-Json
+ }
+
+ function Get-PolicyServicePrincipal {
+ $policyJson = @"
+[
+ {
+ "id": "policy-sp",
+ "displayName": "Block Service Principals",
+ "state": "enabled",
+ "conditions": {
+ "applications": {
+ "includeApplications": ["All"]
+ },
+ "users": {
+ "includeUsers": ["None"],
+ "excludeUsers": [],
+ "excludeGroups": []
+ },
+ "clientApplications": {
+ "includeServicePrincipals": ["All"],
+ "includeAgentIdServicePrincipals": [],
+ "excludeServicePrincipals": []
+ }
+ }
+ }
+]
 "@
 return $policyJson | ConvertFrom-Json
 }
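Review bot: `Get-PolicyAgentIdentity` and `Get-PolicyServicePrincipal` are copies of each other apart from `id`, `displayName` and which `include*` array carries `"All"`, so a future change to the policy shape has to be made twice; a single fixture that takes the two arrays as parameters (for example `function Get-PolicyClientApplicationScoped([string]$Id, [string]$DisplayName, [string[]]$ServicePrincipals, [string[]]$AgentIds)` building the object with a hashtable and `ConvertTo-Json`) would keep them in step. Both fixtures also set `"includeUsers": ["None"]`, so nothing here models a policy that names both users and agent identities; if the production filter must never skip such a policy, a fixture for that case is what would let a test pin it. The hunk begins inside the preceding fixture's here-string, and the block that holds these helper functions starts outside the hunk.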
@@ -371,4 +427,42 @@
 Test-MtCaEmergencyAccessExists | Should -BeTrue
 }
 }
+
+ Context "Agent Identity and Service Principal policies" {
+
+ It 'Should pass when only an Agent Identity policy exists (should be ignored)' {
+ $policy = Get-PolicyAgentIdentity
+
+ Mock -ModuleName Maester Get-MtConditionalAccessPolicy { return $policy }
+ Mock -ModuleName Maester Get-MtMaesterConfigGlobalSetting { return $null }
+
+ # Should pass because Agent Identity policies don't apply to users and should be filtered out
+ # When all policies are filtered out, there are no policies to check, so it should pass
+ Test-MtCaEmergencyAccessExists | Should -BeFalse
+ }
+
+ It 'Should pass when only a Service Principal policy exists (should be ignored)' {
+ $policy = Get-PolicyServicePrincipal
+
+ Mock -ModuleName Maester Get-MtConditionalAccessPolicy { return $policy }
+ Mock -ModuleName Maester Get-MtMaesterConfigGlobalSetting { return $null }
+
+ # Should pass because Service Principal policies don't apply to users and should be filtered out
+ # When all policies are filtered out, there are no policies to check, so it should pass
+ Test-MtCaEmergencyAccessExists | Should -BeFalse
+ }
+
+ It 'Should only check user-targeted policies when both Agent Identity and user policies exist' {
+ # Get both types of policies
+ $agentPolicy = Get-PolicyAgentIdentity
+ $userPolicy = Get-PolicyWithUserExclusion -UserIds @($emergencyUserId1)
+ $policies = @($agentPolicy[0], $userPolicy[0])
+
+ Mock -ModuleName Maester Get-MtConditionalAccessPolicy { return $policies }
+ Mock -ModuleName Maester Get-MtMaesterConfigGlobalSetting { return $null }
+
+ # Should pass because the Agent Identity policy is ignored and the user policy has exclusions
+ Test-MtCaEmergencyAccessExists | Should -BeTrue
+ }
+ }
 }
From c3b176cc8a1952438c68141ab0685cfbf3334a56 Mon Sep 17 00:00:00 2001
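Review bot: The first two `It` blocks cannot distinguish the new filter from no filter at all: each fixture has `excludeUsers: []`, so if the agent-identity or service-principal policy were examined instead of dropped, `Test-MtCaEmergencyAccessExists` would presumably return `$false` too, and `Should -BeFalse` passes either way. The third `It` is the one that actually pins the behaviour, because an unfiltered agent policy without exclusions would turn that `Should -BeTrue` into a failure; the service-principal path has no equivalent, so a mirror `It 'Should only check user-targeted policies when both Service Principal and user policies exist'` that pairs `Get-PolicyServicePrincipal` with `Get-PolicyWithUserExclusion` would close the gap. A short comment on the first two tests saying they only cover the "no user policies" outcome, not the filtering itself, would stop a reader from over-trusting them. The `Describe` block that encloses this new `Context` starts outside the hunk, and the function under test is not visible here, so the `$false` expectation for an unfiltered policy is inferred rather than confirmed.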
From: bubbletroubles <42738824+bubbletroubles@users.noreply.github.com>
Date: Tue, 3 Feb 2026 20:58:01 +1100
Subject: [PATCH 2/2] Update powershell/tests/functions/Test-MtCaEmergencyAccessExists.Tests.ps1
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../Test-MtCaEmergencyAccessExists.Tests.ps1 | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/powershell/tests/functions/Test-MtCaEmergencyAccessExists.Tests.ps1 b/powershell/tests/functions/Test-MtCaEmergencyAccessExists.Tests.ps1
index ebe5a0d2d..e2b3d62d4 100644
--- a/powershell/tests/functions/Test-MtCaEmergencyAccessExists.Tests.ps1
+++ b/powershell/tests/functions/Test-MtCaEmergencyAccessExists.Tests.ps1
@@ -430,25 +430,25 @@
 Context "Agent Identity and Service Principal policies" {
- It 'Should pass when only an Agent Identity policy exists (should be ignored)' {
+ It 'Should return false (no emergency access detected) when only an Agent Identity policy exists (which should be ignored)' {
 $policy = Get-PolicyAgentIdentity
 Mock -ModuleName Maester Get-MtConditionalAccessPolicy { return $policy }
 Mock -ModuleName Maester Get-MtMaesterConfigGlobalSetting { return $null }
- # Should pass because Agent Identity policies don't apply to users and should be filtered out
- # When all policies are filtered out, there are no policies to check, so it should pass
+ # Returns $false because Agent Identity policies don't apply to users and are filtered out
+ # When all policies are filtered out, there are no policies to check, so no emergency access is detected
 Test-MtCaEmergencyAccessExists | Should -BeFalse
 }
- It 'Should pass when only a Service Principal policy exists (should be ignored)' {
+ It 'Should return false (no emergency access detected) when only a Service Principal policy exists (which should be ignored)' {
 $policy = Get-PolicyServicePrincipal
 Mock -ModuleName Maester Get-MtConditionalAccessPolicy { return $policy }
 Mock -ModuleName Maester Get-MtMaesterConfigGlobalSetting { return $null }
- # Should pass because Service Principal policies don't apply to users and should be filtered out
- # When all policies are filtered out, there are no policies to check, so it should pass
+ # Returns $false because Service Principal policies don't apply to users and are filtered out
+ # When all policies are filtered out, there are no policies to check, so no emergency access is detected
 Test-MtCaEmergencyAccessExists | Should -BeFalse
 }