Maester - PowerShell Commands
Overview
This page lists all the commands available in the Maester PowerShell module.
The Maester PowerShell module is a collection of commands that help you write Pester tests to validate your Microsoft 365 tenant configuration. You can view the Graph API calls for these commands in the Maester GitHub repository's src folder. You can also select the Edit this page
link found in the command's documentation to view the source code for the command.
See the writing Maester tests guide for more information on how to write your own tests using these commands.
Maester Commands
- Maester Commands Overview
- Add-MtTestResultDetailAdd detailed information about a test so that it can be displayed in the test results report.
- Clear-MtDnsCacheResets the local cache of DNS lookups.
- Clear-MtExoCacheResets the local cache of Exchange Online queries.
- Clear-MtGraphCacheResets the local cache of Graph API calls.
- Compare-MtTestResultCompares Maester test result JSON files
- Connect-MaesterHelper method to connect to Microsoft Graph using Connect-MgGraph with the required permission scopes as well as other services such as Azure and Exchange Online.
- ConvertFrom-MailAuthenticationRecordDkimReturns structured RFC compliant object from DKIM record
- ConvertFrom-MailAuthenticationRecordDmarcReturns structured RFC compliant object for a DMARC record
- ConvertFrom-MailAuthenticationRecordMxA simple wrapper for Resolve-DnsName
- ConvertFrom-MailAuthenticationRecordSpfReturns a structured RFC compliant object for the supplied SPF record
- ConvertTo-MtMaesterResultConverts Pester results to the Maester test results format which includes additional information.
- Disconnect-MaesterHelper method to sign out of the current Microsoft Graph session.
- Get-MailAuthenticationRecordObtains and converts the mail authentication records of a domain
- Get-MtAuthenticationMethodPolicyConfigGet details of authentication methods
- Get-MtConditionalAccessPolicyReturns all the conditional access policies in the tenant.
- Get-MtExoRetrieves cached response or requests from cmdlet
- Get-MtGraphScopeReturns the list of Graph scopes required to run Maester.
- Get-MtGroupMemberReturns all the members of the specific group ID.
- Get-MtHtmlReportGenerates a formatted html report using the MaesterResults object created by ConvertTo-MtMaesterResult
- Get-MtLicenseInformationGet license information for a Microsoft 365 product
- Get-MtRoleReturns all the role definitions in the tenant.
- Get-MtRoleMemberReturns all the members of a role.
- Get-MtSessionGets the current Maester session information which includes the current Graph base uri and other details.
- Get-MtUserGet a list of users from the tenant
- Get-MtUserAuthenticationMethodGet the authentication methods for the specified user
- Get-MtUserAuthenticationMethodInfoByTypeReturns DisplayName and IsMfa metadata about a specific user authentication method type
- Get-ObjectDifferenceThis function compares to object arrays
- Get-RelatedPolicyProvides MarkDown text for specific array of objects
- Install-MaesterTestsInstalls the latest ready-made Maester tests built by the Maester team and the required Pester module.
- Invoke-MaesterThis is the main Maester command that runs the tests and generates a report of the results.
- Invoke-MtGraphRequestEnhanced version of Invoke-MgGraphRequest that supports paging, batching and caching.
- Resolve-SPFRecordReturns a list of all IP addresses from an SPF record
- Send-MtMailSend an email with the summary of the Maester test results
- Send-MtTeamsMessageSend an adaptive card in a teams channel with the summary of the Maester test results
- Test-MtAppManagementPolicyEnabledChecks if the default app management policy is enabled.
- Test-MtCaAllAppsExistsChecks if the tenant has at least one fallback policy targetting All Apps and All Users.
- Test-MtCaApplicationEnforcedRestrictionChecks if the tenant has at least one conditional access policy is configured to enable application enforced restrictions
- Test-MtCaBlockLegacyExchangeActiveSyncAuthenticationChecks if the tenant has at least one conditional access policy that blocks legacy authentication for Exchange Active Sync authentication.
- Test-MtCaBlockLegacyOtherAuthenticationChecks if the tenant has at least one conditional access policy that blocks legacy authentication.
- Test-MtCaBlockUnknownOrUnsupportedDevicePlatformChecks if the tenant has at least one Conditional Access policy is configured to block access for unknown or unsupported device platforms
- Test-MtCaDeviceComplianceAdminsExistsChecks if the tenant has at least one conditional access policy requiring device compliance for admins.
- Test-MtCaDeviceComplianceExistsChecks if the tenant has at least one conditional access policy requiring device compliance.
- Test-MtCaEmergencyAccessExistsChecks if the tenant has at least one emergency/break glass account or account group excluded from all conditional access policies
- Test-MtCaEnforceNonPersistentBrowserSessionChecks if the tenant has at least one conditional access policy enforcing non persistent browser session
- Test-MtCaEnforceSignInFrequencyChecks if the tenant has at least one conditional access policy enforcing sign-in frequency for non-corporate devices
- Test-MtCaExclusionForDirectorySyncAccountChecks if all conditional access policies scoped to all cloud apps and all users exclude the directory synchronization accounts
- Test-MtCaGapThis function checks if all objects found in policy exclusions are found in policy inclusions.
- Test-MtCaGroupsRestrictedChecks if groups used in Conditional Access are protected by either Restricted Management Administrative Units or Role Assignable Groups.
- Test-MtCaLicenseUtilizationTest Conditional Access License Utilization and return stats on usage for the specific license.
- Test-MtCaMfaForAdminChecks if the tenant has at least one conditional access policy requiring MFA for admins
- Test-MtCaMfaForAdminManagementChecks if the tenant has at least one conditional access policy requiring multifactor authentication to access Azure management.
- Test-MtCaMfaForAllUsersChecks if the tenant has at least one conditional access policy requiring multifactor authentication for all users
- Test-MtCaMfaForGuestChecks if the tenant has at least one conditional access policy requiring multifactor authentication for all guest users.
- Test-MtCaMfaForRiskySignInChecks if the tenant has at least one conditional access policy requiring multifactor authentication for risky sign-ins.
- Test-MtCaRequirePasswordChangeForHighUserRiskChecks if the tenant has at least one conditional access policy requiring password change for high user risk.
- Test-MtCaSecureSecurityInfoRegistrationChecks if the tenant has at least one conditional access policy securing security info registration.
- Test-MtCaWIFBlockLegacyAuthenticationChecks if the user is blocked from using legacy authentication
- Test-MtCis365PublicGroupChecks if there are public groups
- Test-MtCisAttachmentFilterChecks if the default common attachment types filter is enabled
- Test-MtCisCalendarSharingChecks state of sharing policies
- Test-MtCisCloudAdminChecks if Global Admins are cloud users
- Test-MtCisCustomerLockBoxChecks if the customer lockbox feature is enabled
- Test-MtCisGlobalAdminCountChecks if the number of Global Admins is between 2 and 4
- Test-MtCisInternalMalwareNotificationChecks if notifications for internal users sending malware are enabled
- Test-MtCisOutboundSpamFilterPolicyChecks if Exchange Online Spam Policies are set to notify administrators
- Test-MtCisPasswordExpiryChecks if passwords are set to expire
- Test-MtCisSafeAntiPhishingPolicyChecks if the anti-phishing policy matches CIS recommendations
- Test-MtCisSafeAttachmentChecks if the Safe Attachments policy is enabled
- Test-MtCisSafeAttachmentsAtpPolicyChecks if Safe Attachments for SharePoint, OneDrive, and Microsoft Teams are enabled
- Test-MtCisSafeLinkChecks if safe links for office applications are Enabled
- Test-MtCisSharedMailboxSignInChecks if shared mailboxes allow sign-ins
- Test-MtCisaActivationNotificationChecks for notification on role activation
- Test-MtCisaAntiSpamAllowListChecks state of anti-spam policies
- Test-MtCisaAntiSpamSafeListChecks state of anti-spam policies
- Test-MtCisaAppAdminConsentChecks if admin consent workflow is configured with reviewers
- Test-MtCisaAppGroupOwnerConsentChecks if group owners can consent to apps
- Test-MtCisaAppRegistrationChecks if user app registration is prevented
- Test-MtCisaAppUserConsentChecks if user app consent is prevented
- Test-MtCisaAssignmentNotificationChecks for notification on role assignments
- Test-MtCisaAttachmentFileTypeChecks state of preset security policies
- Test-MtCisaAttachmentFilterChecks state of preset security policies
- Test-MtCisaAuditLogChecks state of purview
- Test-MtCisaAuditLogPremiumChecks state of purview
- Test-MtCisaAuditLogRetentionChecks state of purview
- Test-MtCisaAuthenticatorContextChecks if the Authentication Methods policy for Microsoft Authenticator is set appropriately
- Test-MtCisaAutoExternalForwardingChecks ...
- Test-MtCisaBlockExecutableChecks state of preset security policies
- Test-MtCisaBlockHighRiskSignInChecks if Sign-In Risk Based Policies - MS.AAD.2.3 is set to 'blocked'
- Test-MtCisaBlockHighRiskUserChecks if User Risk Based Policies - MS.AAD.2.1 is set to 'blocked'
- Test-MtCisaBlockLegacyAuthChecks if Baseline Policies Legacy Authentication - MS.AAD.1.1v1 is set to 'blocked'
- Test-MtCisaCalendarSharingChecks state of sharing policies
- Test-MtCisaCloudGlobalAdminChecks if Global Admins are cloud users
- Test-MtCisaContactSharingChecks state of sharing policies
- Test-MtCisaCrossTenantInboundDefaultChecks cross-tenant default inbound access configuration
- Test-MtCisaDiagnosticSettingsChecks for configuration of Entra diagnostic settings
- Test-MtCisaDkimChecks state of DKIM for all EXO domains
- Test-MtCisaDlpChecks state of DLP for EXO
- Test-MtCisaDlpAlternateThis will always return $null
- Test-MtCisaDlpBaselineRuleChecks state of baseline CISA rules for DLP in EXO
- Test-MtCisaDlpPiiChecks state of DLP for EXO
- Test-MtCisaDmarcAggregateCisaChecks state of DMARC records for all exo domains
- Test-MtCisaDmarcRecordExistChecks state of DMARC records for all exo second level domains
- Test-MtCisaDmarcRecordRejectChecks state of DMARC records for all exo domains
- Test-MtCisaDmarcReportChecks state of DMARC records for all exo domains
- Test-MtCisaEmailFilterAlternativePlaceholder
- Test-MtCisaExoAlertChecks state of alerts
- Test-MtCisaExoAlertSiemChecks state of alerts
- Test-MtCisaExternalSenderWarningChecks state of transport policies
- Test-MtCisaGlobalAdminCountChecks if Global Admins is an acceptable number
- Test-MtCisaGlobalAdminRatioChecks the ratio of global admins to privileged roles
- Test-MtCisaGuestInvitationChecks if guest invitations are restricted to admins
- Test-MtCisaGuestUserAccessChecks if guests use proper role template
- Test-MtCisaImpersonationChecks state of preset security policies
- Test-MtCisaImpersonationTipChecks state of preset security policies
- Test-MtCisaMailboxAuditingChecks state of mailbox auditing
- Test-MtCisaMailboxIntelligenceChecks state of preset security policies
- Test-MtCisaMalwareActionChecks state of preset security policies
- Test-MtCisaMalwareZapChecks state of preset security policies
- Test-MtCisaManagedDeviceChecks if Conditional Access Policy requiring managed device is enabled
- Test-MtCisaManagedDeviceRegistrationChecks if a policy is enabled requiring a managed device for registration
- Test-MtCisaMethodsMigrationChecks if migration to Authentication Methods is complete
- Test-MtCisaMfaChecks if Conditional Access Policy requiring MFA is enabled
- Test-MtCisaNotifyHighRiskChecks if Risk Based Policies - MS.AAD.2.2v1 has recipients
- Test-MtCisaPasswordExpirationChecks if passwords are set to not expire
- Test-MtCisaPermanentRoleAssignmentChecks for permanent active role assingments
- Test-MtCisaPhishResistantChecks if Conditional Access Policy using Phishing-Resistant Authentication Strengths is enabled
- Test-MtCisaPrivilegedPhishResistantChecks if Conditional Access Policy requiring phishing resistant authentication methods for privileged roles is enabled
- Test-MtCisaRequireActivationApprovalChecks for approval requirement on activation of Gloabl Admin role
- Test-MtCisaSafeLinkChecks state of URL block list
- Test-MtCisaSafeLinkClickTrackingChecks state of URL direct download scans
- Test-MtCisaSafeLinkDownloadScanChecks state of URL direct download scans
- Test-MtCisaSharePointOnlineSharingChecks state of SharePoint Online sharing
- Test-MtCisaSharePointOnlineSharingAllowedDomainChecks state of SharePoint Online sharing
- Test-MtCisaSmtpAuthenticationChecks state of SMTP authentication in Exchange Online.
- Test-MtCisaSpamActionChecks state of spam filter
- Test-MtCisaSpamAlternativeChecks state of spam filter
- Test-MtCisaSpamBypassChecks state of spam filter
- Test-MtCisaSpamFilterChecks state of spam filter
- Test-MtCisaSpfDirectiveChecks state of SPF records for all exo domains
- Test-MtCisaSpfRestrictionChecks state of SPF records for all exo domains
- Test-MtCisaUnmanagedRoleAssignmentChecks for active role assingments with no start time
- Test-MtCisaWeakFactorChecks if weak Authentication Methods are disabled
- Test-MtConditionalAccessWhatIfTests Conditional Access evaluation with What If for a given scenario.
- Test-MtConnectionChecks if the current session is connected to the specified service.
- Test-MtEidscaAF01Checks if Authentication Method - FIDO2 security key - State is set to 'enabled'
- Test-MtEidscaAF02Checks if Authentication Method - FIDO2 security key - Allow self-service set up is set to 'true'
- Test-MtEidscaAF03Checks if Authentication Method - FIDO2 security key - Enforce attestation is set to 'true'
- Test-MtEidscaAF04Checks if Authentication Method - FIDO2 security key - Enforce key restrictions is set to 'true'
- Test-MtEidscaAF05Checks if Authentication Method - FIDO2 security key - Restricted is set to 'true'
- Test-MtEidscaAF06Checks if Authentication Method - FIDO2 security key - Restrict specific keys is set to 'true'
- Test-MtEidscaAG01Checks if Authentication Method - General Settings - Manage migration is set to 'migrationComplete'
- Test-MtEidscaAG02Checks if Authentication Method - General Settings - Report suspicious activity - State is set to 'enabled'
- Test-MtEidscaAG03Checks if Authentication Method - General Settings - Report suspicious activity - Included users/groups is set to 'all_users'
- Test-MtEidscaAM01Checks if Authentication Method - Microsoft Authenticator - State is set to 'enabled'
- Test-MtEidscaAM02Checks if Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP is set to 'true'
- Test-MtEidscaAM03Checks if Authentication Method - Microsoft Authenticator - Require number matching for push notifications is set to 'enabled'
- Test-MtEidscaAM04Checks if Authentication Method - Microsoft Authenticator - Included users/groups of number matching for push notifications is set to 'all_users'
- Test-MtEidscaAM06Checks if Authentication Method - Microsoft Authenticator - Show application name in push and passwordless notifications is set to 'enabled'
- Test-MtEidscaAM07Checks if Authentication Method - Microsoft Authenticator - Included users/groups to show application name in push and passwordless notifications is set to 'all_users'
- Test-MtEidscaAM09Checks if Authentication Method - Microsoft Authenticator - Show geographic location in push and passwordless notifications is set to 'enabled'
- Test-MtEidscaAM10Checks if Authentication Method - Microsoft Authenticator - Included users/groups to show geographic location in push and passwordless notifications is set to 'all_users'
- Test-MtEidscaAP01Checks if Default Authorization Settings - Enabled Self service password reset for administrators is set to 'false'
- Test-MtEidscaAP04Checks if Default Authorization Settings - Guest invite restrictions is set to @('adminsAndGuestInviters','none')
- Test-MtEidscaAP05Checks if Default Authorization Settings - Sign-up for email based subscription is set to 'false'
- Test-MtEidscaAP06Checks if Default Authorization Settings - User can join the tenant by email validation is set to 'false'
- Test-MtEidscaAP07Checks if Default Authorization Settings - Guest user access is set to '2af84b1e-32c8-42b7-82bc-daa82404023b'
- Test-MtEidscaAP08Checks if Default Authorization Settings - User consent policy assigned for applications is set to 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
- Test-MtEidscaAP09Checks if Default Authorization Settings - Risk-based step-up consent is set to 'false'
- Test-MtEidscaAP10Checks if Default Authorization Settings - Default User Role Permissions - Allowed to create Apps is set to 'false'
- Test-MtEidscaAP14Checks if Default Authorization Settings - Default User Role Permissions - Allowed to read other users is set to 'true'
- Test-MtEidscaAS04Checks if Authentication Method - SMS - Use for sign-in is set to 'false'
- Test-MtEidscaAT01Checks if Authentication Method - Temporary Access Pass - State is set to 'enabled'
- Test-MtEidscaAT02Checks if Authentication Method - Temporary Access Pass - One-time is set to 'true'
- Test-MtEidscaAV01Checks if Authentication Method - Voice call - State is set to 'disabled'
- Test-MtEidscaCP01Checks if Default Settings - Consent Policy Settings - Group owner consent for apps accessing data is set to 'False'
- Test-MtEidscaCP03Checks if Default Settings - Consent Policy Settings - Block user consent for risky apps is set to 'true'
- Test-MtEidscaCP04Checks if Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to is set to 'true'
- Test-MtEidscaCR01Checks if Consent Framework - Admin Consent Request - Policy to enable or disable admin consent request feature is set to 'true'
- Test-MtEidscaCR02Checks if Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests is set to 'true'
- Test-MtEidscaCR03Checks if Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire is set to 'true'
- Test-MtEidscaCR04Checks if Consent Framework - Admin Consent Request - Consent request duration (days) is set to '30'
- Test-MtEidscaControlTests your environment for compliance with the specified EIDSCA control
- Test-MtEidscaPR01Checks if Default Settings - Password Rule Settings - Password Protection - Mode is set to 'Enforce'
- Test-MtEidscaPR02Checks if Default Settings - Password Rule Settings - Password Protection - Enable password protection on Windows Server Active Directory is set to 'True'
- Test-MtEidscaPR03Checks if Default Settings - Password Rule Settings - Enforce custom list is set to 'True'
- Test-MtEidscaPR05Checks if Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds is set to '60'
- Test-MtEidscaPR06Checks if Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold is set to '10'
- Test-MtEidscaST08Checks if Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to become Group Owner is set to 'false'
- Test-MtEidscaST09Checks if Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to have access to groups content is set to 'True'
- Test-MtPimAlertsExistsChecks if PIM alerts exists
- Test-MtPrivPermanentDirectoryRoleChecks if Permanent Assignments for Entra ID roles exists
- Update-MaesterTestsUpdates the specified folder with the latest ready-made Maester tests built by the Maester team.