
MS.AAD.6.1 Does not account for federated domains #1080

Open
Jeff-Jerousek opened this issue Apr 29, 2024 · 5 comments
Comments


Jeff-Jerousek commented Apr 29, 2024

🐛 Summary

What's wrong? Please be specific.
Any federated domains do not have the fields:
passwordNotificationWindowInDays
passwordValidityPeriodInDays

Note for whoever gets assigned this issue: refer to the instructions in this comment for the code changes needed.

To reproduce

Steps to reproduce the behavior:
Run Get-MgBetaDomain against a tenant with federated domains (ADFS).

Expected behavior

The password policy is enforced locally; an exception for any federated domains would do the trick.

Any helpful log output or screenshots

Paste the results here:

{
  "id": "generic.domain.com",
  "authenticationType": "Federated",
  "isAdminManaged": true,
  "isDefault": false,
  "isInitial": false,
  "isRoot": false,
  "isVerified": true,
  "supportedServices": [ "Email", "OfficeCommunicationsOnline", "OrgIdAuthentication", "Intune" ]
}

Add any screenshots of the problem here.

@buidav buidav added the public-reported This issue is reported by the public users of the tool. label Apr 29, 2024

buidav commented Apr 29, 2024

@tkol2022

@tkol2022

@Jeff-Jerousek This is an excellent find. Thank you for raising it to our attention. I verified what you are saying, and I am thinking that to fix this we can add another filter to our Rego code that will only evaluate domains with AuthenticationType = Managed and thus ignore domains that have the type Federated. One of our test tenants has a federated domain and the code incorrectly picked up that domain as being non-compliant with 6.1 (screenshots below).


Thoughts?

@gdasher would like your opinion as well?
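
A sketch of the filter proposed above, written in Rego as an added illustration for this thread rather than ScubaGear's own policy code; the input path `input.domain_settings`, the rule names and the sample domains are assumptions made for the example.

```rego
package scuba_example.aad_6_1

import rego.v1

# Microsoft Entra reports "passwords never expire" as a validity period of
# 2147483647 days; that is the value MS.AAD.6.1 expects on managed domains.
never_expires := 2147483647

# Assumed input shape (not ScubaGear's real one): the objects returned by
# Get-MgBetaDomain, as pasted in the issue, under input.domain_settings.
managed_domain_ids contains domain.id if {
    some domain in input.domain_settings
    domain.authenticationType == "Managed"
}

federated_domain_ids contains domain.id if {
    some domain in input.domain_settings
    domain.authenticationType == "Federated"
}

compliant_domain_ids contains domain.id if {
    some domain in input.domain_settings
    domain.passwordValidityPeriodInDays == never_expires
}

# Only managed domains count. Taking the difference over all domain ids would
# flag every federated domain, since it has no password fields to be compliant
# with; that is the false positive the issue reports.
non_compliant_domain_ids := managed_domain_ids - compliant_domain_ids

requirement_met if count(non_compliant_domain_ids) == 0

# Constructed sample tenant, not real data: one compliant managed domain, one
# managed domain with a 90-day validity period, one federated domain with no
# password policy fields at all.
sample_input := {"domain_settings": [
    {"id": "managed-ok.example", "authenticationType": "Managed",
     "passwordValidityPeriodInDays": 2147483647},
    {"id": "managed-expiring.example", "authenticationType": "Managed",
     "passwordValidityPeriodInDays": 90},
    {"id": "generic.domain.com", "authenticationType": "Federated"}
]}

# Run with `opa test` on this file: the federated domain is listed separately
# rather than flagged, so a reviewer can check the policy on the IdP instead.
test_federated_domain_not_flagged if {
    non_compliant_domain_ids == {"managed-expiring.example"} with input as sample_input
    federated_domain_ids == {"generic.domain.com"} with input as sample_input
}
```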


Jeff-Jerousek commented May 1, 2024

It sounds good to me.

You might want to think about changing the wording of the requirement so that it includes Managed domain or indicate that it might be set somewhere else if it's not managed.

@Jeff-Jerousek

Didn't mean to close, just hit enter.

@Jeff-Jerousek Jeff-Jerousek reopened this May 1, 2024

gdasher commented May 8, 2024

I think the proposal is reasonable for changing the tool. I wouldn't change the normative policy requirement, but we can offer some color like we do on MFA that it can be implemented in the IDP in a federated context.

Aside: I think a similar situation happens with MFA, where an organization could enforce MFA in their IDP (whether ADFS via smart cards and UBE or some other IDP solution that has MFA support). We should take offline whether we want to update the tool for that case as well--the baseline already refers to federated domains explicitly but I don't think the tool does anything differently in that case. I am more torn on MFA than passwords because the situation is more complex (e.g. the CAP policy can be satisfied in some cases by MFA claims, but not at the granularity of "phishing resistant"). But for this issue I think the proposal makes sense.

@schrolla schrolla added this to the Iceberg milestone May 9, 2024
@mitchelbaker-cisa mitchelbaker-cisa self-assigned this May 15, 2024