Update Rego for AAD Conditional Access Policies to increase consistency and reduce redundancy #1323
Labels: enhancement (This issue or pull request will add new or improve existing functionality)
🐛 Summary
Certain CAP policies do not strictly check for what the baseline describes, and there are helper methods that can be used to prevent code repetition and increase consistency. The changes are detailed below.
This issue came from the code review done on the AAD CAP Rego policies in #1184.
To reproduce
Conditional Access Policies which need to be updated
General note for all the updates needed: use PolicyConditionsMatch more, for consistency and to prevent code repetition.
MS.AAD.1.1v1
Similar to 3.7, 1.1 currently checks that Exchange ActiveSync clients and Other clients are selected, but does not check that those two are the only boxes selected.
MS.AAD.2.3v1
For consistency, update line 141 from
PolicyConditionsMatch(CAPolicy)
to
PolicyConditionsMatch(CAPolicy) == true
MS.AAD.3.1v1
Check whether PolicyConditionsMatch can be used instead of the 3 lines (183-185) that are currently used together.
Replace
with
PolicyConditionsMatch(CAPolicy) == true
MS.AAD.3.2v1
For consistency, update line 221 from
PolicyConditionsMatch(CAPolicy)
to
PolicyConditionsMatch(CAPolicy) == true
MS.AAD.3.6v1
Missing check for Target resources > Cloud apps > All cloud apps.
To fix this, try using PolicyConditionsMatch(CAPolicy) == true
MS.AAD.3.8v1
Use 3.7 as a model for this one, as they are very similar.
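The following is an added Rego example, not ScubaGear's own code, contrasting the loose 1.1 client-app check with a strict one and using the PolicyConditionsMatch(...) == true pattern requested above. It assumes a hypothetical stand-in for PolicyConditionsMatch, constructed sample policies, and field names following the Graph API conditional access policy shape.

```rego
package aad_cap_example

import future.keywords

# Constructed sample policies (hypothetical data, not ScubaGear output); key
# names follow the Graph API conditional access policy shape.
ExamplePolicies := [
    {"DisplayName": "Block legacy auth - strict", "State": "enabled",
     "Conditions": {"Users": {"IncludeUsers": ["All"]},
                    "Applications": {"IncludeApplications": ["All"]},
                    "ClientAppTypes": ["exchangeActiveSync", "other"]},
     "GrantControls": {"BuiltInControls": ["block"]}},
    {"DisplayName": "Block legacy auth - too broad", "State": "enabled",
     "Conditions": {"Users": {"IncludeUsers": ["All"]},
                    "Applications": {"IncludeApplications": ["All"]},
                    "ClientAppTypes": ["exchangeActiveSync", "other", "browser"]},
     "GrantControls": {"BuiltInControls": ["block"]}}
]

# Hypothetical stand-in for the helper the issue refers to: enabled and scoped
# to all users and all cloud apps (Target resources > Cloud apps > All cloud apps).
PolicyConditionsMatch(Policy) := true if {
    Policy.State == "enabled"
    "All" in Policy.Conditions.Users.IncludeUsers
    "All" in Policy.Conditions.Applications.IncludeApplications
}

# Loose check, as the issue describes the current 1.1 logic: both boxes are
# selected, but additional boxes are tolerated.
LegacyClientsPresent(Policy) := true if {
    "exchangeActiveSync" in Policy.Conditions.ClientAppTypes
    "other" in Policy.Conditions.ClientAppTypes
}

# Strict check: the selected client app types are exactly those two.
LegacyClientsOnly(Policy) := true if {
    {t | some t in Policy.Conditions.ClientAppTypes} == {"exchangeActiveSync", "other"}
}

# Both sample policies satisfy LegacyClientsPresent, but only the first lands
# in this set, because the second also selects "browser".
StrictPolicies contains P.DisplayName if {
    some P in ExamplePolicies
    PolicyConditionsMatch(P) == true
    LegacyClientsOnly(P) == true
    "block" in P.GrantControls.BuiltInControls
}
```

Evaluating data.aad_cap_example.StrictPolicies with opa eval yields only "Block legacy auth - strict"; swapping LegacyClientsOnly for LegacyClientsPresent would also admit the over-broad policy.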