From e3db8a259684bf086cc502378ffb8720422a85cb Mon Sep 17 00:00:00 2001
From: Brian Reid <31985319+brianreidc7@users.noreply.github.com>
Date: Tue, 10 Feb 2026 12:15:56 +0000
Subject: [PATCH] Federated domains always fail password expiry check

Changed the query to look only for managed domains. For example a Federated domain appears as follows: authenticationType : Federated availabilityStatus : id : domain.com isAdminManaged : True isDefault : False isInitial : False isRoot : True isVerified : True supportedServices : {Email, Intune} passwordValidityPeriodInDays : passwordNotificationWindowInDays : state : And the original code checked for a value in passwordValidityPeriodInDays, but this is null for Federated domains
---
 powershell/public/cis/Test-MtCisPasswordExpiry.ps1 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/powershell/public/cis/Test-MtCisPasswordExpiry.ps1 b/powershell/public/cis/Test-MtCisPasswordExpiry.ps1
index 64c6a46d7..8815f9da1 100644
--- a/powershell/public/cis/Test-MtCisPasswordExpiry.ps1
+++ b/powershell/public/cis/Test-MtCisPasswordExpiry.ps1
@@ -29,14 +29,14 @@ function Test-MtCisPasswordExpiry {
 $domains = Invoke-MtGraphRequest -RelativeUri 'domains'
 Write-Verbose 'Get domains where passwords are set to expire'
- $result = $domains | Where-Object { $_.PasswordValidityPeriodInDays -ne '2147483647' }
+ $result = $domains | Where-Object { ($_.PasswordValidityPeriodInDays -ne '2147483647') -and ($_.authenticationType -eq "Managed") }
 $testResult = ($result | Measure-Object).Count -eq 0
 if ($testResult) {
- $testResultMarkdown = "Well done. Your tenant passwords are not set to expire:`n`n%TestResult%"
+ $testResultMarkdown = "Well done. Your tenant passwords are not set to expire on all your 'managed' domains:`n`n%TestResult%"
 } else {
- $testResultMarkdown = "Your tenant has 1 or more domains which expire passwords:`n`n%TestResult%"
+ $testResultMarkdown = "Your tenant has 1 or more 'managed' domains which expire passwords:`n`n%TestResult%"
 }
 $resultMd = "| Display Name | Domain |`n"
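Review bot: The added `-and ($_.authenticationType -eq "Managed")` makes federated domains pass silently, and the new markdown only says the check covered 'managed' domains without telling the reader how many domains were left unassessed; for a federated domain the expiry policy is enforced by the external identity provider, which this Graph query cannot see. I would count the skipped domains and surface them next to the result, e.g. `$federated = $domains | Where-Object { $_.authenticationType -eq 'Federated' }` and append `"`n`n$(($federated | Measure-Object).Count) federated domain(s) were not assessed; verify password expiry at the identity provider."` to `$testResultMarkdown` in both branches. The `Write-Verbose 'Get domains where passwords are set to expire'` line just above the filter is now slightly stale and could read `'Get managed domains where passwords are set to expire'`. Presumably a managed domain whose PasswordValidityPeriodInDays comes back empty would still be reported as expiring, since `$null -ne '2147483647'` evaluates true and that is exactly the failure mode the commit describes for federated domains — worth confirming against the Graph response. Test-MtCisPasswordExpiry continues past the end of the hunk.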