MT.1035 - All security groups assigned to Conditional Access Policies should be protected by RMAU.
Overview
Security groups are used to include and exclude users from Conditional Access policies. If group membership can be modified by someone who does not hold the Conditional Access Administrator role or another privileged role, that person can change who a policy applies to and effectively bypass it.
To prevent this, protect these groups with Restricted Management Administrative Units (RMAU) or make them role-assignable groups. Role-assignable groups should be used in combination with assignments to Entra ID roles. Restricted Management Administrative Units protect groups by restricting their management to specific users or groups. This test checks whether every group referenced by a Conditional Access policy is protected by one of these two mechanisms.
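The following PowerShell is an added illustration of the check described above; it is not the Maester `Test-MtCaGroupsRestricted` implementation. It assumes an existing `Connect-MgGraph` session with `Policy.Read.All` and `Group.Read.All`, and it assumes the beta group resource exposes `isManagementRestricted` (true when a group is in a Restricted Management Administrative Unit) alongside the v1.0 `isAssignableToRole` property:

```powershell
# Added example (not Maester's own code): enumerate the groups referenced by
# Conditional Access policies and flag any that are neither role-assignable
# nor protected by a Restricted Management Administrative Unit.
# Assumes: Connect-MgGraph already ran with Policy.Read.All and Group.Read.All.
function Get-CaGroupProtectionStatus {
    [CmdletBinding()]
    param()

    $policies = (Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies').value

    # Collect every group ID used in an include or exclude condition, deduplicated.
    $groupIds = foreach ($p in $policies) {
        $p.conditions.users.includeGroups
        $p.conditions.users.excludeGroups
    }
    $groupIds = $groupIds | Where-Object { $_ } | Sort-Object -Unique

    foreach ($id in $groupIds) {
        # Assumption: the beta group resource carries isManagementRestricted (RMAU membership).
        $uri = "https://graph.microsoft.com/beta/groups/$id" +
               '?$select=id,displayName,isAssignableToRole,isManagementRestricted'
        try {
            $g = Invoke-MgGraphRequest -Method GET -Uri $uri
        }
        catch {
            # A policy can still reference a group that was deleted or is not readable;
            # report it as unprotected so it is reviewed rather than silently skipped.
            [pscustomobject]@{
                GroupId              = $id
                DisplayName          = '<not found or not readable>'
                RoleAssignable       = $null
                ManagementRestricted = $null
                Protected            = $false
            }
            continue
        }

        # Either protection mechanism satisfies the control.
        $protected = [bool]$g.isAssignableToRole -or [bool]$g.isManagementRestricted
        [pscustomobject]@{
            GroupId              = $g.id
            DisplayName          = $g.displayName
            RoleAssignable       = [bool]$g.isAssignableToRole
            ManagementRestricted = [bool]$g.isManagementRestricted
            Protected            = $protected
        }
    }
}

# Usage: the test passes only when no referenced group is unprotected.
$status      = Get-CaGroupProtectionStatus
$unprotected = $status | Where-Object { -not $_.Protected }
if ($unprotected) {
    Write-Warning "Groups used by Conditional Access policies without RMAU or role-assignable protection:"
    $unprotected | Format-Table GroupId, DisplayName, RoleAssignable, ManagementRestricted -AutoSize
}
else {
    Write-Output 'All groups referenced by Conditional Access policies are protected.'
}
```

The example treats a group that cannot be resolved as a finding on purpose: a dangling reference in a policy is itself worth reviewing, and a check that quietly skips it would report a clean result it has not actually verified.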
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1035 |
| Severity | High |
| Suite | Maester |
| Category | CA |
| PowerShell test | Test-MtCaGroupsRestricted |
| Tags | CA, Maester, MT.1035 |
Source
- Pester test: tests/Maester/Entra/Test-ConditionalAccessBaseline.Tests.ps1
- PowerShell source: powershell/public/maester/entra/Test-MtCaGroupsRestricted.ps1