Copilot AI commented Dec 2, 2025

Description

Fixes the issue where Protected Actions with Authentication Contexts assigned may not actually be protected if the context isn't referenced by any Conditional Access policy. Without a CA policy enforcing the auth context, users aren't prompted for step-up authentication.

Fixes #997

Changes:

  • Test-MtCaAuthContextProtectedActionsExist.ps1 - New test function that:
    • Fetches auth contexts from identity/conditionalAccess/authenticationContextClassReferences
    • Checks PIM role management policies for unifiedRoleManagementPolicyAuthenticationContextRule rules (with isEnabled check)
    • Compares against enabled CA policies' includeAuthenticationContextClassReferences
    • Fails if any auth context used in Protected Actions lacks a CA policy reference
    • Detects deleted auth contexts by iterating over protected action contexts and showing "(Deleted or not found)" for missing contexts
  • Test-MtCaAuthContextProtectedActionsExist.md - Function documentation
  • Test-ConditionalAccessBaseline.Tests.ps1 - Added MT.1106 test case
  • MT.1106.md - Website documentation
```powershell
# Example usage
Test-MtCaAuthContextProtectedActionsExist
# Returns $true if all Protected Action auth contexts have CA policies
# Returns $false with details table if any are unprotected
```

Contribution Checklist

Before submitting this PR, please confirm you have completed the following:

  • 📖 Read the guidelines for contributing to this repository.
  • 🧪 Ensure the build and unit tests pass by running /powershell/tests/pester.ps1 on your local system.


Join us at the Maester repository discussions 💬 or Entra Discord 🧑‍💻 for more help and conversations!

Original prompt

This section details the original issue you should resolve

<issue_title>🙏Maester Test to Ensure all Protected Actions Auth Context have a conditional access referenced.</issue_title>
<issue_description>Maester Test to Ensure all Protected Actions Auth Context have a conditional access referenced.

Maester Test to Ensure all Protected Actions Auth Context have a conditional access referenced. There is a potential for an auth context to get deleted while still being referenced in a CA.

If no Conditional Access policy is referenced by the authentication context, then the protected action is not well protecting anything.

Image

</issue_description>

Comments on the Issue (you are @copilot in this section)


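The correlation the new test performs, as an added example that is not the PR's own code: it runs on constructed in-memory objects shaped like the Graph responses the description names, with no Graph calls, and the property names claimValue, isEnabled, state and includeAuthenticationContextClassReferences are assumptions based on the Microsoft Graph schema rather than taken from this PR.

```powershell
# Added example (not the PR's code): correlate auth contexts required by enabled
# Protected Action rules with those enforced by enabled CA policies.
function Test-ProtectedActionAuthContextCoverage {
    param(
        [array]$AuthContexts,      # id, displayName (authenticationContextClassReferences)
        [array]$RoleMgmtPolicies,  # each with rules[]: '@odata.type', isEnabled, claimValue
        [array]$CaPolicies         # state, conditions.applications.includeAuthenticationContextClassReferences
    )
    $ruleType = '#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule'

    # Auth context IDs that an enabled CA policy actually enforces
    $enforced = @($CaPolicies | Where-Object { $_.state -eq 'enabled' } |
        ForEach-Object { $_.conditions.applications.includeAuthenticationContextClassReferences })

    # Auth context IDs required by an enabled Protected Action rule (disabled rules ignored)
    $required = @($RoleMgmtPolicies.rules |
        Where-Object { $_.'@odata.type' -eq $ruleType -and $_.isEnabled } |
        Select-Object -ExpandProperty claimValue -Unique)

    # Anything required but not enforced is reported; a missing context is flagged as deleted
    $unprotected = foreach ($id in $required) {
        if ($enforced -contains $id) { continue }
        $ctx  = $AuthContexts | Where-Object id -eq $id
        $name = if ($ctx) { $ctx.displayName } else { '(Deleted or not found)' }
        [pscustomobject]@{ AuthContextId = $id; DisplayName = $name }
    }
    [pscustomobject]@{ Passed = (-not $unprotected); Unprotected = @($unprotected) }
}

# Constructed sample data: c1 is enforced, c2 is referenced only by a disabled policy,
# c3 no longer exists as an auth context, c9 is referenced only by a disabled rule
$authContexts = @(
    [pscustomobject]@{ id = 'c1'; displayName = 'Privileged admin' },
    [pscustomobject]@{ id = 'c2'; displayName = 'Protected actions' }
)
$t = '#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule'
$roleMgmtPolicies = @([pscustomobject]@{ rules = @(
    [pscustomobject]@{ '@odata.type' = $t; isEnabled = $true;  claimValue = 'c1' },
    [pscustomobject]@{ '@odata.type' = $t; isEnabled = $true;  claimValue = 'c2' },
    [pscustomobject]@{ '@odata.type' = $t; isEnabled = $true;  claimValue = 'c3' },
    [pscustomobject]@{ '@odata.type' = $t; isEnabled = $false; claimValue = 'c9' }
) })
$caPolicies = @(
    [pscustomobject]@{ state = 'enabled';  conditions = @{ applications = @{ includeAuthenticationContextClassReferences = @('c1') } } },
    [pscustomobject]@{ state = 'disabled'; conditions = @{ applications = @{ includeAuthenticationContextClassReferences = @('c2') } } }
)
$result = Test-ProtectedActionAuthContextCoverage $authContexts $roleMgmtPolicies $caPolicies
$result.Unprotected | Format-Table
```

With this sample data the check fails on c2 (referenced only by a disabled policy) and c3 (reported as deleted), while the disabled rule for c9 is ignored, which mirrors the isEnabled and deleted-context handling the description lists.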

…ons Auth Context validation

Co-authored-by: SamErde <20478745+SamErde@users.noreply.github.com>
@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Dec 2, 2025

Deploying maester with Cloudflare Pages

Latest commit: 6f5ed1f
Status: ✅  Deploy successful!
Preview URL: https://bca10008.maester.pages.dev
Branch Preview URL: https://copilot-add-maester-test-con.maester.pages.dev


Co-authored-by: SamErde <20478745+SamErde@users.noreply.github.com>
Copilot AI changed the title [WIP] Add Maester test for protected actions auth context Add test MT.1090 to verify Protected Actions Auth Contexts have CA policies Dec 2, 2025
Copilot AI requested a review from SamErde December 2, 2025 16:53
@SamErde SamErde requested a review from Copilot December 2, 2025 17:37
@SamErde SamErde added enhancement New feature or request help wanted Extra attention is needed maester-test Related to a Maester test work started entra Microsoft Entra labels Dec 2, 2025

Copilot AI left a comment


Pull request overview

Adds a new validation test to ensure that protected actions using Authentication Contexts are actually enforced by Conditional Access policies, plus associated documentation and baseline test wiring.

  • Introduces Test-MtCaAuthContextProtectedActionsExist to detect Authentication Contexts used by Protected Actions but not referenced by any CA policy.
  • Wires the test into the Conditional Access baseline suite (MT.1090).
  • Adds user-facing documentation for the test and website page.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| website/docs/tests/maester/MT.1090.md | New website doc explaining MT.1090 test purpose, remediation steps, and links. |
| tests/Maester/Entra/Test-ConditionalAccessBaseline.Tests.ps1 | Adds the MT.1090 test case to the Entra Conditional Access baseline suite. |
| powershell/public/maester/entra/Test-MtCaAuthContextProtectedActionsExist.ps1 | Implements the test logic to correlate protected actions' Authentication Contexts with CA policies. |
| powershell/public/maester/entra/Test-MtCaAuthContextProtectedActionsExist.md | Adds command documentation with remediation steps and related links. |


Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

@SamErde SamErde left a comment


The test ID 'MT.1090' is already taken. 'MT.1106' should be used for this test. References within this PR need to be changed accordingly.

…s, check isEnabled for rules, detect deleted contexts

Co-authored-by: SamErde <20478745+SamErde@users.noreply.github.com>

Copilot AI commented Dec 2, 2025

> The test ID 'MT.1090' is already taken. 'MT.1106' should be used for this test. References within this PR need to be changed accordingly.

Renamed to MT.1106 in commit 550d061. Updated the website doc, test file reference, title, and slug accordingly.

Copilot AI changed the title Add test MT.1090 to verify Protected Actions Auth Contexts have CA policies Add test MT.1106 to verify Protected Actions Auth Contexts have CA policies Dec 2, 2025
Copilot AI requested a review from SamErde December 2, 2025 18:16
@SamErde SamErde marked this pull request as ready for review December 2, 2025 18:34

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.




Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.



Updated description to specify 'active' Conditional Access policies.
Specify that the CA policy must be active/enforced.
@SamErde SamErde removed request for a team January 21, 2026 13:10
@SamErde SamErde closed this Jan 21, 2026
@SamErde SamErde reopened this Jan 21, 2026