Maester Tests

Overview

This section lists the collection of tests that have been created by the Maester community to help you get started with Maester.

The first version of these tests primarily focus on validating your Conditional Access policy configuration. The tests are based on Microsoft's recommendations an each test includes references to the Microsoft documentation for further reading.

Tests

• MT.1001 - At least one Conditional Access policy is configured with device complianceDevice compliance conditional access policy can be used to require devices to be compliant with the tenant's security configuration.
• MT.1002 - Enforce credential configurations on apps and service principalsBy default Microsoft Entra ID allows service principals and applications to be configured with weak credentials.
• MT.1003 - At least one Conditional Access policy is configured with All cloud appsEnsure that every app has at least one Conditional Access policy applied.
• MT.1004 - At least one Conditional Access policy is configured with All Cloud Apps and All UsersEnsure that every app has at least one Conditional Access policy applied and it is assigned to `All users`.
• MT.1005 - All Conditional Access policies are configured to exclude at least one emergency account or group.Checks if the tenant has at least one emergency/break glass account or account group excluded from all conditional access policies
• MT.1006 - At least one Conditional Access policy is configured to require MFA for users with administrator rolesChecks if the tenant has at least one Conditional policy targetting users with administrator roles.
• MT.1007 - At least one Conditional Access policy is configured to require MFA for all usersChecks if the tenant has at least one conditional access policy requiring multifactor authentication for all users
• MT.1008 - At least one Conditional Access policy is configured to require MFA for Azure managementChecks if the tenant has at least one conditional access policy requiring MFA for admins.
• MT.1009 - At least one Conditional Access policy is configured to block other legacy authenticationChecks if the tenant has at least one conditional access policy that blocks legacy authentication.
• MT.1010 - At least one Conditional Access policy is configured to block legacy authentication for Exchange ActiveSyncChecks if the tenant has at least one conditional access policy that blocks legacy authentication for Exchange Active Sync authentication.
• MT.1011 - At least one Conditional Access policy is configured to secure security info registration only from a trusted locationSecurity info registration conditional access policy can secure the registration of security info for users in the tenant.
• MT.1012 - At least one Conditional Access policy is configured to require MFA for risky sign-insChecks if the tenant has at least one conditional access policy requiring multifactor authentication for risky sign-ins.
• MT.1013 - At least one Conditional Access policy is configured to require new password when user risk is highChecks if the tenant has at least one conditional access policy requiring password change for high user risk. Password change for high user risk is a good way to prevent compromised accounts from being used to access your tenant.
• MT.1014 - At least one Conditional Access policy is configured to require compliant or Entra hybrid joined devices for adminsChecks if the tenant has at least one conditional access policy requiring device compliance for admins.
• MT.1015 - At least one Conditional Access policy is configured to block access for unknown or unsupported device platformsChecks if the tenant has at least one Conditional Access policy is configured to block access for unknown or unsupported device platforms.
• MT.1016 - At least one Conditional Access policy is configured to require MFA for guest accessChecks if the tenant has at least one conditional access policy requiring multifactor authentication for all guest users.
• MT.1017 - At least one Conditional Access policy is configured to enforce non persistent browser session for non-corporate devicesNon persistent browser session conditional access policy can be helpful to minimize the risk of data leakage from a shared device.
• MT.1018 - At least one Conditional Access policy is configured to enforce sign-in frequency for non-corporate devicesChecks if the tenant has at least one conditional access policy enforcing sign-in frequency for non-corporate devices
• MT.1019 - At least one Conditional Access policy is configured to enable application enforced restrictionsChecks if the tenant has at least one conditional access policy is configured to enable application enforced restrictions
• MT.1020 - All Conditional Access policies are configured to exclude directory synchronization accounts or do not scope themExclude service accounts like the Microsoft Entra Connect Sync Account from conditional access policies
• MT.1021 - Security Defaults are enabledSecurity defaults make it easier to help protect your organization from identity-related attacks like password spray, replay, and phishing.
• MT.1022 - All users utilizing a P1 license should be licensedChecks if all users utilizing a P1 license are properly licensed.
• MT.1023 - All users utilizing a P2 license should be licensedChecks if all users utilizing a P1 license are properly licensed.
• MT.1024 - Microsoft Entra recommendationsThese recommendations help ensure your tenant is in a secure and healthy state
• MT.1025 - No external user with permanent role assignment on Control PlaneChecks if external user have no high-privileged roles
• MT.1026 - No hybrid user with permanent role assignment on Control PlaneChecks if External user have no high-privileged roles
• MT.1027 - No Service Principal with Client Secret and permanent role assignment on Control PlaneChecks if External user have no high-privileged roles
• MT.1028 - No user with mailbox and permanent role assignment on Control PlaneChecks if privileged user with assignment to high-privileged roles is mail-enabled
• MT.1029 - Stale accounts are not assigned to privileged rolesChecks if PIM alert for users with stale sign-in exists
• MT.1030 - Eligible role assignments on Control Plane are in use by administratorsChecks if PIM alert for unused privileged roles exists
• MT.1031 - Privileged role on Control Plane are managed by PIM onlyChecks if PIM alert for role assignments outside of Privileged Identity Management (PIM) exists
• MT.1032 - Limited number of Global Admins are assignedChecks if PIM alert for too many Global Admins exists
• MT.1033 - User should be blocked from using legacy authenticationChecks if a users is actually blocked from using legacy authentication
• MT.1034 - Emergency access users should not be blockedChecks if emergency access users are not blocked by any conditional access policy
• MT.1035 - All security groups assigned to Conditional Access Policies should be protected by RMAUChecks if groups used in Conditional Access are protected by either Restricted Management Administrative Units or Role Assignable Groups
• MT.1036 - All excluded objects should have a fallback include in another policy.Checks for gaps in conditional access policies, by looking for excluded objects which are not specifically inlcuded in another conditional access policy. This way we try to spot possibly overlooked exclusions which do not have a fallback.
• 🔥 Maester Tests OverviewOverview of the Maester tests