Merge pull request #1164 from microsoft/feature/266-assessment-fix

SagarSathe · web-flow · commit fc89b2283b57 · 2026-05-05T11:30:13.000+05:30
Bugfix/issue-266: Exclude emergency access accounts
diff --git a/src/powershell/private/tests-shared/Get-ZtEmergencyAccessAccounts.ps1 b/src/powershell/private/tests-shared/Get-ZtEmergencyAccessAccounts.ps1
@@ -0,0 +1,169 @@
+<#
+.SYNOPSIS
+    Gets emergency access accounts from the configuration.
+
+.DESCRIPTION
+    Returns emergency access accounts defined in the ZeroTrustAssessment configuration file.
+    Uses Maester-style configuration format where customers explicitly define their
+    emergency/breakglass accounts.
+
+    Configuration format (in zt-config.json) - follows Maester format:
+    {
+        "GlobalSettings": {
+            "EmergencyAccessAccounts": [
+                { "Type": "User", "UserPrincipalName": "breakglass1@contoso.com" },
+                { "Type": "User", "Id": "00000000-0000-0000-0000-000000000001" },
+                { "Type": "Group", "Id": "00000000-0000-0000-0000-000000000002" }
+            ]
+        }
+    }
+
+    Note: Group-based emergency accounts are resolved at runtime via Microsoft Graph API.
+
+.PARAMETER Database
+    The DuckDB database connection used to resolve user information.
+
+.OUTPUTS
+    Array of PSCustomObject with properties:
+    - Id: User's object ID
+    - UserPrincipalName: User's UPN
+    - DisplayName: User's display name
+    - Type: 'User' or 'GroupMember' (indicates user resolved from a configured group)
+
+.EXAMPLE
+    $emergencyAccounts = Get-ZtEmergencyAccessAccounts -Database $Database
+
+.NOTES
+    Created to fix Issue #266 - Test 21815 incorrectly flags emergency access accounts
+    as failures for having permanent privileged role assignments.
+
+    Updated to use config-based approach per PM feedback (FIDO2 requirement too strict).
+#>
+
+function Get-ZtEmergencyAccessAccounts {
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        $Database
+    )
+
+    Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose
+    Write-PSFMessage 'Getting emergency access accounts from configuration' -Level Verbose
+
+    # Get emergency accounts from PSFConfig (set by Invoke-ZtAssessment)
+    $configuredAccounts = Get-PSFConfigValue -FullName 'ZeroTrustAssessment.EmergencyAccessAccounts'
+
+    if (-not $configuredAccounts -or $configuredAccounts.Count -eq 0) {
+        Write-PSFMessage 'No emergency access accounts configured' -Level Verbose
+        return @()
+    }
+
+    Write-PSFMessage "Found $($configuredAccounts.Count) configured emergency access accounts" -Level Verbose
+
+    $emergencyAccessAccounts = @()
+
+    foreach ($account in $configuredAccounts) {
+        $type = $account.Type
+        $id = $account.Id
+        $upn = $account.UserPrincipalName
+
+        if ($type -eq 'User') {
+            # Resolve user by UPN or ID
+            if ($upn) {
+                # Lower-case both sides for case-insensitive UPN match (portable; avoids DB-specific COLLATE syntax)
+                $escapedUpn = ($upn.ToLowerInvariant()) -replace "'", "''"
+                $sql = "SELECT id, userPrincipalName, displayName FROM User WHERE LOWER(userPrincipalName) = '$escapedUpn'"
+            }
+            elseif ($id) {
+                $guidRef = [System.Guid]::Empty
+                if (-not [System.Guid]::TryParse($id, [ref]$guidRef)) {
+                    Write-PSFMessage "Skipping invalid user entry: Id '$id' is not a valid GUID" -Level Warning
+                    continue
+                }
+                $escapedId = $guidRef.ToString()
+                $sql = "SELECT id, userPrincipalName, displayName FROM User WHERE id = '$escapedId'"
+            }
+            else {
+                Write-PSFMessage "Skipping invalid user entry: no Id or UserPrincipalName provided" -Level Warning
+                continue
+            }
+
+            $user = Invoke-DatabaseQuery -Database $Database -Sql $sql | Select-Object -First 1
+
+            if ($user) {
+                $emergencyAccessAccounts += [PSCustomObject]@{
+                    Id                = $user.id
+                    UserPrincipalName = $user.userPrincipalName
+                    DisplayName       = $user.displayName
+                    Type              = 'User'
+                }
+                Write-PSFMessage "Emergency access user found: $($user.userPrincipalName)" -Level Verbose
+            }
+            else {
+                Write-PSFMessage "Emergency access user not found in tenant: UPN=$upn, Id=$id" -Level Warning
+            }
+        }
+        elseif ($type -eq 'Group') {
+            if (-not $id) {
+                Write-PSFMessage "Skipping invalid group entry: no Id provided" -Level Warning
+                continue
+            }
+
+            $guidRef = [System.Guid]::Empty
+            if (-not [System.Guid]::TryParse($id, [ref]$guidRef)) {
+                Write-PSFMessage "Skipping invalid group entry: Id '$id' is not a valid GUID" -Level Warning
+                continue
+            }
+
+            # Resolve group members via Microsoft Graph API (GroupMember table not available in DB)
+            try {
+                Write-PSFMessage "Resolving emergency access group members via Graph API: Id=$id" -Level Verbose
+                $membersResponse = Get-ZtGroupMember -GroupId $id -Recurse -ErrorAction Stop
+                $members = @($membersResponse | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.user' })
+
+                if ($members.Count -gt 0) {
+                    # Batch all member IDs into a single SQL lookup to avoid N+1 queries;
+                    # member IDs come from Graph API responses which are always valid GUIDs.
+                    $escapedIds = $members | ForEach-Object {
+                        $memberGuid = [System.Guid]::Empty
+                        if ([System.Guid]::TryParse($_.id, [ref]$memberGuid)) {
+                            "'" + $memberGuid.ToString() + "'"
+                        }
+                    } | Where-Object { $_ }
+
+                    if (-not $escapedIds) {
+                        Write-PSFMessage "Emergency access group members had no valid GUIDs: Id=$id" -Level Warning
+                    }
+                    else {
+                        $idList = $escapedIds -join ','
+                        $memberSql = "SELECT id, userPrincipalName, displayName FROM User WHERE id IN ($idList)"
+                        $userDetailsList = @(Invoke-DatabaseQuery -Database $Database -Sql $memberSql)
+
+                        foreach ($userDetails in $userDetailsList) {
+                            $emergencyAccessAccounts += [PSCustomObject]@{
+                                Id                = $userDetails.id
+                                UserPrincipalName = $userDetails.userPrincipalName
+                                DisplayName       = $userDetails.displayName
+                                Type              = 'GroupMember'
+                            }
+                            Write-PSFMessage "Emergency access group member found: $($userDetails.userPrincipalName)" -Level Verbose
+                        }
+                    }
+                }
+                else {
+                    Write-PSFMessage "Emergency access group has no user members: Id=$id" -Level Warning
+                }
+            }
+            catch {
+                Write-PSFMessage "Failed to resolve emergency access group members: Id=$id. Error: $($_.Exception.Message)" -Level Warning
+            }
+        }
+        else {
+            Write-PSFMessage "Skipping unknown account type: $type" -Level Warning
+        }
+    }
+
+    Write-PSFMessage "Total emergency access accounts resolved: $($emergencyAccessAccounts.Count)" -Level Verbose
+
+    return $emergencyAccessAccounts
+}
diff --git a/src/powershell/public/Invoke-ZtAssessment.ps1 b/src/powershell/public/Invoke-ZtAssessment.ps1
@@ -249,6 +249,10 @@ $titleLine
 	#region Preparation
 	Show-ZtiBanner
 
+	# Always reset emergency access accounts at the start of each run to prevent stale
+	# config from a previous Invoke-ZtAssessment call carrying over (Issue #266 follow-up).
+	Set-PSFConfig -FullName 'ZeroTrustAssessment.EmergencyAccessAccounts' -Value $null
+
 	$effectiveIgnore = $IgnoreLanguageMode -or $script:IgnoreLanguageMode
 	if (-not (Test-ZtLanguageMode -IgnoreLanguageMode:$effectiveIgnore)) {
 		Stop-PSFFunction -Message "PowerShell is running in Constrained Language Mode, which is not supported." -EnableException $true -Cmdlet $PSCmdlet
@@ -301,6 +305,21 @@ $titleLine
 				}
 			}
 
+			# Parse EmergencyAccessAccounts if present (Maester-style config with GlobalSettings)
+			$emergencyAccounts = $null
+			if ($configContent.PSObject.Properties.Name -contains 'GlobalSettings' -and
+				$configContent.GlobalSettings.PSObject.Properties.Name -contains 'EmergencyAccessAccounts' -and
+				$configContent.GlobalSettings.EmergencyAccessAccounts -and
+				$configContent.GlobalSettings.EmergencyAccessAccounts.Count -gt 0) {
+				$emergencyAccounts = $configContent.GlobalSettings.EmergencyAccessAccounts
+			}
+			if ($emergencyAccounts -and $emergencyAccounts.Count -gt 0) {
+				Set-PSFConfig -FullName 'ZeroTrustAssessment.EmergencyAccessAccounts' -Value $emergencyAccounts
+				Write-Host "🔐 " -NoNewline -ForegroundColor Cyan
+				Write-Host "Loaded $($emergencyAccounts.Count) emergency access account(s) from configuration." -ForegroundColor White
+			}
+			# Note: stale-clear is now performed unconditionally at the start of Invoke-ZtAssessment.
+
 			Write-Host "✅ " -NoNewline -ForegroundColor Green
 			Write-Host "Configuration loaded successfully. Command line parameters will override configuration file values." -ForegroundColor White
 			Write-Host
diff --git a/src/powershell/tests/Test-Assessment.21815.ps1 b/src/powershell/tests/Test-Assessment.21815.ps1
@@ -31,19 +31,37 @@ function Test-Assessment-21815 {
     Write-ZtProgress -Activity $activity -Status "Getting privileged role assignments"
 
     $sql = @"
-select distinct  principalDisplayName, userPrincipalName, roleDisplayName, privilegeType, isPrivileged
+select distinct  principalId, principalDisplayName, userPrincipalName, roleDisplayName, privilegeType, isPrivileged
 from vwRole
 "@
     $roleAssignments = Invoke-DatabaseQuery -Database $Database -Sql $sql
 
     # Check if any privileged role assignment in the results has privilegeType set to Permanent
-    $results = $roleAssignments | Where-Object { $_.isPrivileged -eq $true -and $_.privilegeType -eq 'Permanent' }
+    $permanentPrivileged = $roleAssignments | Where-Object { $_.isPrivileged -eq $true -and $_.privilegeType -eq 'Permanent' }
+
+    # Issue #266: Exclude emergency access accounts from failures
+    # Emergency accounts are expected to have permanent privileged role assignments per Microsoft best practices
+    Write-ZtProgress -Activity $activity -Status "Identifying emergency access accounts"
+    $emergencyAccounts = Get-ZtEmergencyAccessAccounts -Database $Database
+    $emergencyAccountIds = @($emergencyAccounts | Select-Object -ExpandProperty Id)
+
+    # Filter out emergency access accounts from the results
+    $results = @($permanentPrivileged | Where-Object { $_.principalId -notin $emergencyAccountIds })
+    $excludedEmergencyAccounts = @($permanentPrivileged | Where-Object { $_.principalId -in $emergencyAccountIds })
+
+    # Count of *distinct* excluded emergency accounts (one user can have multiple permanent role assignments)
+    $excludedAccountCount = @($excludedEmergencyAccounts | Select-Object -ExpandProperty principalId -Unique).Count
 
     $testResultMarkdown = ""
 
     if ($results.Count -eq 0) {
         $passed = $true
-        $testResultMarkdown += "No privileged users have permanent role assignments."
+        if ($excludedAccountCount -gt 0) {
+            $testResultMarkdown += "No privileged users have permanent role assignments (excluding $excludedAccountCount emergency access account(s) which are expected to have permanent assignments)."
+        }
+        else {
+            $testResultMarkdown += "No privileged users have permanent role assignments."
+        }
     }
     else {
         $passed = $false
@@ -80,8 +98,32 @@ from vwRole
         $mdInfo = $formatTemplate -f $reportTitle, $tableRows
     }
 
-    # Replace the placeholder with the detailed information
-    $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $mdInfo
+    # Build section for excluded emergency access accounts (Issue #266)
+    $emergencySection = ''
+    if ($excludedEmergencyAccounts.Count -gt 0) {
+        $emergencySection = @'
+
+## Excluded emergency access accounts
+
+The following emergency access accounts were excluded from this check as they are expected to have permanent privileged role assignments per [Microsoft best practices](https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access).
+
+| User | UPN | Role Name |
+| :--- | :-- | :-------- |
+'@
+        foreach ($emergency in $excludedEmergencyAccounts) {
+            $portalLink = 'https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserProfileMenuBlade/~/AdministrativeRole/userId/{0}/hidePreviewBanner~/true' -f $emergency.principalId
+            $emergencySection += "| [$(Get-SafeMarkdown($emergency.principalDisplayName))]($portalLink) | $($emergency.userPrincipalName) | $($emergency.roleDisplayName) |`n"
+        }
+    }
+
+    if ($passed) {
+        # Pass message has no %TestResult% placeholder; append excluded section if any
+        $testResultMarkdown += $emergencySection
+    }
+    else {
+        # Replace the placeholder with the detailed failure table plus excluded section
+        $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", ($mdInfo + $emergencySection)
+    }
 
     $params = @{
         TestId             = '21815'
