Fix CISA.MS.AAD.1.1 to require legacy auth blocking policy scoped to all cloud apps (#1651)

Copilot · SamErde · web-flow · commit fe8c2ce65e05 · 2026-04-15T21:36:19.000+10:00
* Initial plan * Fix CISA.MS.AAD.1.1 to require CA policy scoped to all cloud apps Add check for conditions.applications.includeApplications containing "All" to both the $blockOther and $blockExchangeActiveSync filters in Test-MtCisaBlockLegacyAuth. Without this check, a CA policy blocking legacy auth for only specific apps (not all cloud apps) would incorrectly pass the test. Fixes #864 Agent-Logs-Url: https://github.com/maester365/maester/sessions/98fa17c8-0648-471d-8fee-2bfa6b730cc8 Co-authored-by: SamErde <20478745+SamErde@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: SamErde <20478745+SamErde@users.noreply.github.com>
diff --git a/powershell/public/cisa/entra/Test-MtCisaBlockLegacyAuth.ps1 b/powershell/public/cisa/entra/Test-MtCisaBlockLegacyAuth.ps1
@@ -34,13 +34,15 @@
     $blockOther = $result | Where-Object {
         $_.grantControls.builtInControls -contains "block" -and
         $_.conditions.clientAppTypes -contains "other" -and
-        $_.conditions.users.includeUsers -contains "All"
+        $_.conditions.users.includeUsers -contains "All" -and
+        $_.conditions.applications.includeApplications -contains "All"
     }
 
     $blockExchangeActiveSync = $result | Where-Object {
         $_.grantControls.builtInControls -contains "block" -and
         $_.conditions.clientAppTypes -contains "exchangeActiveSync" -and
-        $_.conditions.users.includeUsers -contains "All"
+        $_.conditions.users.includeUsers -contains "All" -and
+        $_.conditions.applications.includeApplications -contains "All"
     }
 
     if (($blockOther | Measure-Object).Count -ge 1 -and ($blockExchangeActiveSync | Measure-Object).Count -ge 1) {
@@ -52,7 +54,7 @@
     if ($testResult) {
         $testResultMarkdown = "Your tenant has one or more policies that block legacy authentication:`n`n%TestResult%"
     } else {
-        $testResultMarkdown = "Your tenant lacks sufficient conditional access policies that block legacy authentication."
+        $testResultMarkdown = "Your tenant lacks sufficient conditional access policies that block legacy authentication for all cloud apps."
     }
     Add-MtTestResultDetail -Result $testResultMarkdown -GraphObjectType ConditionalAccess -GraphObjects $blockPolicies
 
