Merge pull request #3290 from NikCharlebois/AADConditionalAccessPolic…

…y-Auth-Strength

AADConditionalAccessPolicy added Auth Strength

CHANGELOG.md

@@ -4,6 +4,8 @@
 
 * AADAuthenticationStrengthPolicy
   * Initial release
+* AADConditionalAccessPolicy
+  * Added support for the AuthenticationStrength parameter.
 * AADCrossTenantAccessPolicy
   * Initial release
     FIXES [#3251](https://github.com/microsoft/Microsoft365DSC/issues/3251)

Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1

@@ -176,6 +176,10 @@ function Get-TargetResource
         [System.String[]]
         $CustomAuthenticationFactors,
 
+        [Parameter()]
+        [System.String]
+        $AuthenticationStrength,
+
         #generic
         [Parameter()]
         [ValidateSet('Present', 'Absent')]
@@ -554,6 +558,17 @@ function Get-TargetResource
             }
         }
 
+        $AuthenticationStrengthValue = $null
+        if ($null -ne $Policy.GrantControls -and $null -ne $Policy.GrantControls.AuthenticationStrength -and `
+            $null -ne $Policy.GrantControls.AuthenticationStrength.Id)
+        {
+            $strengthPolicy = Get-MgPolicyAuthenticationStrengthPolicy -AuthenticationStrengthPolicyId $Policy.GrantControls.AuthenticationStrength.Id
+            if ($null -ne $strengthPolicy)
+            {
+                $AuthenticationStrengthValue = $strengthPolicy.DisplayName
+            }
+        }
+
         $result = @{
             DisplayName                              = $Policy.DisplayName
             Id                                       = $Policy.Id
@@ -617,6 +632,7 @@ function Get-TargetResource
             #make false if undefined, true if true
             PersistentBrowserMode                    = [System.String]$Policy.SessionControls.PersistentBrowser.Mode
             #no translation needed
+            AuthenticationStrength                   = $AuthenticationStrengthValue
             #Standard part
             TermsOfUse                               = $termOfUseName
             Ensure                                   = 'Present'
@@ -809,6 +825,10 @@ function Set-TargetResource
         [System.String[]]
         $CustomAuthenticationFactors,
 
+        [Parameter()]
+        [System.String]
+        $AuthenticationStrength,
+
         #generic
         [Parameter()]
         [ValidateSet('Present', 'Absent')]
@@ -1331,7 +1351,7 @@ function Set-TargetResource
         #create and provision Grant Control object
         Write-Verbose -Message 'Set-Targetresource: create and provision Grant Control object'
 
-        if ($GrantControlOperator -and ($BuiltInControls -or $TermsOfUse -or $CustomAuthenticationFactors))
+        if ($GrantControlOperator -and ($BuiltInControls -or $TermsOfUse -or $CustomAuthenticationFactors -or $AuthenticationStrength))
         {
             $GrantControls = @{
                 Operator = $GrantControlOperator
@@ -1345,6 +1365,18 @@ function Set-TargetResource
             {
                 $GrantControls.Add('customAuthenticationFactors', $CustomAuthenticationFactors)
             }
+            if ($AuthenticationStrength)
+            {
+                $strengthPolicy = Get-MgPolicyAuthenticationStrengthPolicy | Where-Object -FilterScript {$_.DisplayName -eq $AuthenticationStrength} -ErrorAction SilentlyContinue
+                if ($null -ne $strengthPolicy)
+                {
+                    $authenticationStrengthInstance = @{
+                        id            = $strengthPolicy.Id
+                        "@odata.type" = "#microsoft.graph.authenticationStrengthPolicy"
+                    }
+                    $GrantControls.Add('authenticationStrength', $authenticationStrengthInstance)
+                }
+            }
 
             if ($TermsOfUse)
             {
@@ -1656,6 +1688,10 @@ function Test-TargetResource
         [System.String[]]
         $CustomAuthenticationFactors,
 
+        [Parameter()]
+        [System.String]
+        $AuthenticationStrength,
+
         #generic
         [Parameter()]
         [ValidateSet('Present', 'Absent')]

Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof

@@ -40,6 +40,7 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource
     [Write, Description("Specifies, whether sign-in frequency is enforced by the Policy.")] Boolean SignInFrequencyIsEnabled;
     [Write, Description("Specifies, whether Browser Persistence is controlled by the Policy.")] Boolean PersistentBrowserIsEnabled;
     [Write, Description("Specifies, what Browser Persistence control is enforced by the Policy."), ValueMap{"Always","Never",""}, Values{"Always","Never",""}] String PersistentBrowserMode;
+    [Write, Description("Name of the associated authentication strength policy.")] String AuthenticationStrength;
     [Write, Description("Specify if the Azure AD CA Policy should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
     [Write, Description("Credentials for the Microsoft Graph delegated permissions."), EmbeddedInstance("MSFT_Credential")] string Credential;
     [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;

Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConditionalAccessPolicy.Tests.ps1

@@ -51,6 +51,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
         Context -Name "When Conditional Access Policy doesn't exist but should" -Fixture {
             BeforeAll {
                 $testParams = @{
+                    AuthenticationStrength               = "Phishing-resistant MFA"
                     BuiltInControls                      = @('Mfa', 'CompliantDevice', 'DomainJoinedDevice', 'ApprovedApplication', 'CompliantApplication')
                     ClientAppTypes                       = @('Browser', 'MobileAppsAndDesktopClients')
                     CloudAppSecurityIsEnabled            = $True
@@ -138,6 +139,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
             BeforeAll {
                 $testParams = @{
                     ApplicationEnforcedRestrictionsIsEnabled = $True
+                    AuthenticationStrength                   = "Phishing-resistant MFA"
                     BuiltInControls                          = @('Mfa', 'CompliantDevice', 'DomainJoinedDevice', 'ApprovedApplication', 'CompliantApplication')
                     ClientAppTypes                           = @('Browser', 'MobileAppsAndDesktopClients')
                     CloudAppSecurityIsEnabled                = $True
@@ -178,6 +180,13 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                     DeviceFilterRule                         = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
                 }
 
+                Mock -CommandName Get-MgPolicyAuthenticationStrengthPolicy -MockWith {
+                    return @{
+                        Id          = "00000000-0000-0000-0000-000000000004"
+                        DisplayName = "Phishing-resistant MFA"
+                    }
+                }
+
                 Mock -CommandName Get-MgIdentityConditionalAccessPolicy -MockWith {
                     return @{
                         Id              = 'bcc0cf19-ee89-46f0-8e12-4b89123ee6f9'
@@ -216,6 +225,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                         GrantControls   = @{
                             _Operator       = 'AND'
                             BuiltInControls = @('Mfa', 'CompliantDevice', 'DomainJoinedDevice', 'ApprovedApplication', 'CompliantApplication')
+                            AuthenticationStrength = @{
+                                Id = "00000000-0000-0000-0000-000000000004"
+                            }
                         }
                         SessionControls = @{
                             ApplicationEnforcedRestrictions = @{
@@ -281,6 +293,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
             BeforeAll {
                 $testParams = @{
                     ApplicationEnforcedRestrictionsIsEnabled = $True
+                    AuthenticationStrength                   = "Phishing-resistant MFA"
                     BuiltInControls                          = @('Mfa', 'CompliantDevice', 'DomainJoinedDevice', 'ApprovedApplication', 'CompliantApplication')
                     ClientAppTypes                           = @('Browser', 'MobileAppsAndDesktopClients')
                     CloudAppSecurityIsEnabled                = $True
@@ -321,6 +334,13 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                     DeviceFilterRule                         = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
                 }
 
+                Mock -CommandName Get-MgPolicyAuthenticationStrengthPolicy -MockWith {
+                    return @{
+                        Id          = "00000000-0000-0000-0000-000000000004"
+                        DisplayName = "Phishing-resistant MFA"
+                    }
+                }
+
                 Mock -CommandName Get-MgIdentityConditionalAccessPolicy -MockWith {
                     return @{
                         Id              = 'bcc0cf19-ee89-46f0-8e12-4b89123ee6f9'
@@ -379,8 +399,11 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                             UserRiskLevels   = @('High')
                         }
                         GrantControls   = @{
-                            Operator        = 'AND'
-                            BuiltInControls = @('Mfa', 'CompliantDevice', 'DomainJoinedDevice', 'ApprovedApplication', 'CompliantApplication')
+                            Operator               = 'AND'
+                            BuiltInControls        = @('Mfa', 'CompliantDevice', 'DomainJoinedDevice', 'ApprovedApplication', 'CompliantApplication')
+                            AuthenticationStrength = @{
+                                Id = "00000000-0000-0000-0000-000000000004"
+                            }
                         }
                         SessionControls = @{
                             ApplicationEnforcedRestrictions = @{
@@ -441,6 +464,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
             BeforeAll {
                 $testParams = @{
                     ApplicationEnforcedRestrictionsIsEnabled = $True
+                    AuthenticationStrength                   = "Phishing-resistant MFA"
                     BuiltInControls                          = @('Mfa', 'CompliantDevice', 'DomainJoinedDevice', 'ApprovedApplication', 'CompliantApplication')
                     ClientAppTypes                           = @('Browser', 'MobileAppsAndDesktopClients')
                     CloudAppSecurityIsEnabled                = $True
@@ -475,6 +499,13 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                     DeviceFilterRule                         = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
                 }
 
+                Mock -CommandName Get-MgPolicyAuthenticationStrengthPolicy -MockWith {
+                    return @{
+                        Id          = "00000000-0000-0000-0000-000000000004"
+                        DisplayName = "Phishing-resistant MFA"
+                    }
+                }
+
                 Mock -CommandName Get-MgIdentityConditionalAccessPolicy -MockWith {
                     return @{
                         Id              = 'bcc0cf19-ee89-46f0-8e12-4b89123ee6f9'
@@ -511,8 +542,11 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                             UserRiskLevels   = @('High')
                         }
                         GrantControls   = @{
-                            Operator        = 'AND'
-                            BuiltInControls = @('Mfa', 'CompliantDevice', 'DomainJoinedDevice', 'ApprovedApplication', 'CompliantApplication')
+                            Operator               = 'AND'
+                            BuiltInControls        = @('Mfa', 'CompliantDevice', 'DomainJoinedDevice', 'ApprovedApplication', 'CompliantApplication')
+                            AuthenticationStrength = @{
+                                Id = "00000000-0000-0000-0000-000000000004"
+                            }
                         }
                         SessionControls = @{
                             ApplicationEnforcedRestrictions = @{
@@ -582,6 +616,13 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                     Credential = $Credential
                 }
 
+                Mock -CommandName Get-MgPolicyAuthenticationStrengthPolicy -MockWith {
+                    return @{
+                        Id          = "00000000-0000-0000-0000-000000000004"
+                        DisplayName = "Phishing-resistant MFA"
+                    }
+                }
+
                 Mock -CommandName Get-MgIdentityConditionalAccessPolicy -MockWith {
                     return @{
                         Id              = 'bcc0cf19-ee89-46f0-8e12-4b89123ee6f9'
@@ -618,8 +659,11 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                             UserRiskLevels   = @('High')
                         }
                         GrantControls   = @{
-                            _Operator       = 'AND'
-                            BuiltInControls = @('Mfa', 'CompliantDevice', 'DomainJoinedDevice', 'ApprovedApplication', 'CompliantApplication')
+                            _Operator              = 'AND'
+                            BuiltInControls        = @('Mfa', 'CompliantDevice', 'DomainJoinedDevice', 'ApprovedApplication', 'CompliantApplication')
+                            AuthenticationStrength = @{
+                                Id = "00000000-0000-0000-0000-000000000004"
+                            }
                         }
                         SessionControls = @{
                             ApplicationEnforcedRestrictions = @{