21824 - Check will pass even when there are no qualifying CA Policies #779

@cis-ce

Description

Noticed while testing ZTA in my sandbox

Steps to reproduce:

  • Run the test in an environment with no Conditional Access policies targeting includeGuestsOrExternalUsers

Expected behavior:
The test should fail when no policies enforce sign-in frequency for guests.

Actual behavior:
The test passes incorrectly.

Root cause:

  1. When no policies target includeGuestsOrExternalUsers, $filteredCAPolicies is null/empty
  2. $matchedPolicies is derived from $filteredCAPolicies, so it's also null/empty
  3. The final validation checks $filteredCAPolicies.Count -eq $matchedPolicies.Count
  4. Since 0 -eq 0 (or $null -eq $null), the condition evaluates to $true and the test passes

Suggested Fix:
Validate if at least one policy exists

```powershell
if ($filteredCAPolicies.Count -eq $matchedPolicies.Count) {
```
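The following PowerShell is an added illustration of the count-comparison defect described above, not code from the issue or from the project's check. It reproduces the pass-on-empty behaviour with constructed policy objects and places a hardened variant beside it; the function name, parameter names, property layout and sample policies are all assumptions for the sake of the example.

```powershell
# Added example (not the project's code). Reproduces the null/empty comparison
# from the issue and shows a hardened form that requires at least one policy in scope.
# Function and parameter names, property paths and sample policies are constructed.

function Test-GuestSignInFrequency {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Policies,
        [switch]$RequireAtLeastOne
    )

    # Policies that target guests/external users (plays the role of $filteredCAPolicies)
    $filteredCAPolicies = $Policies | Where-Object {
        $_.Conditions.Users.IncludeGuestsOrExternalUsers
    }

    # Of those, the policies that enforce sign-in frequency (plays the role of $matchedPolicies)
    $matchedPolicies = $filteredCAPolicies | Where-Object {
        $_.SessionControls.SignInFrequency.IsEnabled
    }

    if ($RequireAtLeastOne) {
        # Hardened: @() forces an array so .Count is always an integer even when the
        # pipeline produced $null, and an empty scope is treated as a failure.
        $filteredCount = @($filteredCAPolicies).Count
        $matchedCount  = @($matchedPolicies).Count
        return ($filteredCount -gt 0) -and ($filteredCount -eq $matchedCount)
    }

    # As reported: with no qualifying policies both sides are $null/0 and the
    # comparison is $true, so an unconfigured tenant passes the check.
    return $filteredCAPolicies.Count -eq $matchedPolicies.Count
}

# Constructed sample input (not real tenant data).
# Tenant A: no policy targets guests/external users at all.
$noGuestPolicies = @(
    [pscustomobject]@{
        DisplayName     = 'MFA for admins'
        Conditions      = @{ Users = @{ IncludeGuestsOrExternalUsers = $null } }
        SessionControls = @{ SignInFrequency = @{ IsEnabled = $false } }
    }
)
# Tenant B: one policy targets guests and enforces sign-in frequency.
$guestPolicies = @(
    [pscustomobject]@{
        DisplayName     = 'Guest sign-in frequency'
        Conditions      = @{ Users = @{ IncludeGuestsOrExternalUsers = @{ GuestOrExternalUserTypes = 'b2bCollaborationGuest' } } }
        SessionControls = @{ SignInFrequency = @{ IsEnabled = $true } }
    }
)

"Original check, no guest policies:  $(Test-GuestSignInFrequency -Policies $noGuestPolicies)"
"Hardened check, no guest policies:  $(Test-GuestSignInFrequency -Policies $noGuestPolicies -RequireAtLeastOne)"
"Hardened check, compliant tenant:   $(Test-GuestSignInFrequency -Policies $guestPolicies -RequireAtLeastOne)"
```

The `@(...)` wrapping matters independently of the `-gt 0` guard: a pipeline that yields a single object returns that object rather than a one-element array, and `.Count` on it depends on the object's type (a hashtable, for instance, reports its number of keys), so coercing both sides to arrays keeps the comparison meaningful in the one-policy case as well.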
