From ccb173396f477f8b0d9792ef4b6151b8a70e6138 Mon Sep 17 00:00:00 2001 From: Thomas Naunheim Date: Mon, 5 Aug 2024 20:34:14 +0200 Subject: [PATCH 1/2] Updated EIDSCA checks and added check AS04 --- .../internal/eidsca/Test-MtEidscaAM01.ps1 | 3 +- .../internal/eidsca/Test-MtEidscaAS04.md | 18 ++++++++ .../internal/eidsca/Test-MtEidscaAS04.ps1 | 44 +++++++++++++++++++ .../public/eidsca/Test-MtEidscaControl.ps1 | 2 +- tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 | 10 +++++ website/docs/tests/eidsca/EIDSCA.AS04.md | 34 ++++++++++++++ website/docs/tests/eidsca/EIDSCA.AT01.md | 2 +- website/docs/tests/eidsca/EIDSCA.AT02.md | 2 +- 8 files changed, 110 insertions(+), 5 deletions(-) create mode 100644 powershell/internal/eidsca/Test-MtEidscaAS04.md create mode 100644 powershell/internal/eidsca/Test-MtEidscaAS04.ps1 create mode 100644 website/docs/tests/eidsca/EIDSCA.AS04.md diff --git a/powershell/internal/eidsca/Test-MtEidscaAM01.ps1 b/powershell/internal/eidsca/Test-MtEidscaAM01.ps1 index 92f61ac6..e430e915 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAM01.ps1 +++ b/powershell/internal/eidsca/Test-MtEidscaAM01.ps1 @@ -21,8 +21,7 @@ function Test-MtEidscaAM01 { [OutputType([bool])] param() - - + $result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" -ApiVersion beta [string]$tenantValue = $result.state diff --git a/powershell/internal/eidsca/Test-MtEidscaAS04.md b/powershell/internal/eidsca/Test-MtEidscaAS04.md new file mode 100644 index 00000000..1043d92b --- /dev/null +++ b/powershell/internal/eidsca/Test-MtEidscaAS04.md 
@@ -0,0 +1,18 @@ +Determines if users can use this authentication method to sign in to Microsoft Entra ID. true if users can use this method for primary authentication, otherwise false. + +Avoid to use SMS as primary sign in factor (instead of a password) and consider to implement a MFA or passwordless option also for your special user groups, such as front-line workers. + +#### Test script +``` +https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms') +.includeTargets.isUsableForSignIn = 'false' +``` + +#### Related links + +- [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) +- [phoneAuthenticationMethod resource type - Microsoft Graph v1.0 | Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/phoneauthenticationmethod) + + + +%TestResult% diff --git a/powershell/internal/eidsca/Test-MtEidscaAS04.ps1 b/powershell/internal/eidsca/Test-MtEidscaAS04.ps1 new file mode 100644 index 00000000..56f62dfc --- /dev/null +++ b/powershell/internal/eidsca/Test-MtEidscaAS04.ps1 
@@ -0,0 +1,44 @@ +<# +.SYNOPSIS + Checks if Authentication Method - SMS - Use for sign-in is set to 'false' + +.DESCRIPTION + + Determines if users can use this authentication method to sign in to Microsoft Entra ID. true if users can use this method for primary authentication, otherwise false. + + Queries policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms') + and returns the result of + graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms').includeTargets.isUsableForSignIn -eq 'false' + +.EXAMPLE + Test-MtEidscaAS04 + + Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms').includeTargets.isUsableForSignIn -eq 'false' +#> + +function Test-MtEidscaAS04 { + [CmdletBinding()] + [OutputType([bool])] + param() + + if ( $EnabledAuthMethods -notcontains 'Sms' ) { + Add-MtTestResultDetail -SkippedBecause 'Custom' -SkippedCustomReason 'Authentication method of Sms is not enabled.' + return $null + } + $result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')" -ApiVersion beta + + [string]$tenantValue = $result.includeTargets.isUsableForSignIn + $testResult = $tenantValue -eq 'false' + $tenantValueNotSet = $null -eq $tenantValue -and 'false' -notlike '*$null*' + + if($testResult){ + $testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'false'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')**" + } elseif ($tenantValueNotSet) { + $testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **'false'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')**. It seems that you are using a default value by Microsoft. 
We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be." + } else { + $testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'false'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')**" + } + Add-MtTestResultDetail -Result $testResultMarkdown + + return $tenantValue +} diff --git a/powershell/public/eidsca/Test-MtEidscaControl.ps1 b/powershell/public/eidsca/Test-MtEidscaControl.ps1 index 1181e9a8..67633c58 100644 --- a/powershell/public/eidsca/Test-MtEidscaControl.ps1 +++ b/powershell/public/eidsca/Test-MtEidscaControl.ps1 @@ -19,7 +19,7 @@ function Test-MtEidscaControl { param( # Id for the EIDSCA control check to test [Parameter(Mandatory)] - [ValidateSet('AP01','AP04','AP05','AP06','AP07','AP08','AP09','AP10','AP14','CP01','CP03','CP04','PR01','PR02','PR03','PR05','PR06','ST08','ST09','AG01','AG02','AG03','AM01','AM02','AM03','AM04','AM06','AM07','AM09','AM10','AF01','AF02','AF03','AF04','AF05','AF06','AT01','AT02','AV01','CR01','CR02','CR03','CR04')] + [ValidateSet('AP01','AP04','AP05','AP06','AP07','AP08','AP09','AP10','AP14','CP01','CP03','CP04','PR01','PR02','PR03','PR05','PR06','ST08','ST09','AG01','AG02','AG03','AM01','AM02','AM03','AM04','AM06','AM07','AM09','AM10','AF01','AF02','AF03','AF04','AF05','AF06','AT01','AT02','AV01','AS04','CR01','CR02','CR03','CR04')] [string] $CheckId ) diff --git a/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 b/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 index da4d9bfe..c271e7be 100644 --- a/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 +++ b/tests/EIDSCA/Test-EIDSCA.Generated.Tests.ps1 
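Review bot: The `elseif ($tenantValueNotSet)` branch in Test-MtEidscaAS04 is unreachable, because `$tenantValue` is declared `[string]` and a string-typed variable stores `$null` as an empty string, so `$null -eq $tenantValue` is always false (and `'false' -notlike '*$null*'` compares against the literal text `$null`, which is always true). A tenant that has never set `isUsableForSignIn` therefore falls through to the last branch and is reported as "configured as ****" instead of as running on the Microsoft default, which the new EIDSCA.AS04.md lists as `true`; `$tenantValueNotSet = [string]::IsNullOrEmpty($tenantValue)` restores the intended branch. Separately, `includeTargets` is a collection, so with more than one target `[string]$result.includeTargets.isUsableForSignIn` becomes a space-joined value such as "False False" and both the `-eq 'false'` check here and the `Should -Be 'false'` assertion added in Test-EIDSCA.Generated.Tests.ps1 fail even when every target is correctly configured — the check should presumably evaluate each target's `isUsableForSignIn` rather than the joined string. The `[OutputType([bool])]` attribute also does not match the function, which returns the string `$tenantValue` (or `$null` on skip) rather than a boolean.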
@@ -363,6 +363,16 @@ Describe "Authentication Method - Voice call" -Tag "EIDSCA", "Security", "All", } } +Describe "Authentication Method - SMS" -Tag "EIDSCA", "Security", "All", "EIDSCA.AS04" { + It "EIDSCA.AS04: Authentication Method - SMS - Use for sign-in. See https://maester.dev/docs/tests/EIDSCA.AS04" -TestCases @{ EnabledAuthMethods = $EnabledAuthMethods } { + <# + Check if "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')" + .includeTargets.isUsableForSignIn = 'false' + #> + Test-MtEidscaControl -CheckId AS04 | Should -Be 'false' + } +} + Describe "Consent Framework - Admin Consent Request" -Tag "EIDSCA", "Security", "All", "EIDSCA.CR01" { It "EIDSCA.CR01: Consent Framework - Admin Consent Request - Policy to enable or disable admin consent request feature. See https://maester.dev/docs/tests/EIDSCA.CR01" { <# diff --git a/website/docs/tests/eidsca/EIDSCA.AS04.md b/website/docs/tests/eidsca/EIDSCA.AS04.md new file mode 100644 index 00000000..bab8fb3f --- /dev/null +++ b/website/docs/tests/eidsca/EIDSCA.AS04.md 
@@ -0,0 +1,34 @@ +--- +title: EIDSCA.AS04 - Authentication Method - SMS - Use for sign-in +slug: /tests/EIDSCA.AS04 +sidebar_class_name: hidden +--- + +# Authentication Method - SMS - Use for sign-in + +Determines if users can use this authentication method to sign in to Microsoft Entra ID. true if users can use this method for primary authentication, otherwise false. + +| | | +|-|-| +| **Name** | isUsableForSignIn | +| **Control** | Authentication Method - SMS | +| **Description** | Define configuration settings and users or groups that are enabled to use text messages for authentication. | +| **Severity** | High | + +## How to fix + +[Microsoft Learn - Configure and enable users for SMS-based authentication using Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-sms-signin) + +### Details of configuration item +| | | +|-|-| +| **Recommendation** | Avoid to use SMS as primary sign in factor (instead of a password) and consider to implement a MFA or passwordless option also for your special user groups, such as front-line workers. | +| **Configuration** | policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms') | +| **Setting** | `includeTargets.isUsableForSignIn` | +| **Recommended Value** | 'false' | +| **Default Value** | true | +| **Graph API Docs** | [phoneAuthenticationMethod resource type - Microsoft Graph v1.0 - Microsoft Learn](https://learn.microsoft.com/en-us/graph/api/resources/phoneauthenticationmethod) | +| **Graph Explorer** | [Open in Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer?request=policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) | + + + diff --git a/website/docs/tests/eidsca/EIDSCA.AT01.md b/website/docs/tests/eidsca/EIDSCA.AT01.md index 57101479..327df614 100644 --- a/website/docs/tests/eidsca/EIDSCA.AT01.md 
+++ b/website/docs/tests/eidsca/EIDSCA.AT01.md @@ -17,7 +17,7 @@ Whether the Temporary Access Pass is enabled in the tenant. ## How to fix - +[Microsoft Learn - Enable Temporary Access Pass](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass#enable-the-temporary-access-pass-policy) ### Details of configuration item | | | diff --git a/website/docs/tests/eidsca/EIDSCA.AT02.md b/website/docs/tests/eidsca/EIDSCA.AT02.md index a63c3ded..353b1d61 100644 --- a/website/docs/tests/eidsca/EIDSCA.AT02.md +++ b/website/docs/tests/eidsca/EIDSCA.AT02.md @@ -17,7 +17,7 @@ Determines whether the pass is limited to a one-time use. ## How to fix - +[Microsoft Learn - Require one-time use (Step 5)](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass#enable-the-temporary-access-pass-policy) ### Details of configuration item | | | From 50c0fee17fef074f846f25b3c5c2f8d7ae55d977 Mon Sep 17 00:00:00 2001 From: Thomas Naunheim <47817884+Cloud-Architekt@users.noreply.github.com> Date: Thu, 15 Aug 2024 06:35:06 +0200 Subject: [PATCH 2/2] Update Test-MtEidscaAM01.ps1 --- powershell/internal/eidsca/Test-MtEidscaAM01.ps1 | 1 - 1 file changed, 1 deletion(-) diff --git a/powershell/internal/eidsca/Test-MtEidscaAM01.ps1 b/powershell/internal/eidsca/Test-MtEidscaAM01.ps1 index e430e915..5a62d126 100644 --- a/powershell/internal/eidsca/Test-MtEidscaAM01.ps1 +++ b/powershell/internal/eidsca/Test-MtEidscaAM01.ps1 @@ -21,7 +21,6 @@ function Test-MtEidscaAM01 { [OutputType([bool])] param() - $result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')" -ApiVersion beta [string]$tenantValue = $result.state