Test-MtCaGroupsRestricted

SYNOPSIS

Checks if groups used in Conditional Access are protected by either Restricted Management Administrative Units or Role Assignable Groups.

SYNTAX

Test-MtCaGroupsRestricted [-ProgressAction <ActionPreference>] [<CommonParameters>]

DESCRIPTION

Security groups are used to include users in and exclude users from Conditional Access policies. If group membership can be modified by anyone outside the Conditional Access Administrator role or other privileged roles, this can lead to bypassing Conditional Access policies. To prevent this, you can protect these groups by using Restricted Management Administrative Units or Role Assignable Groups. Role Assignable Groups should be used in combination with assignments to Entra ID roles. Restricted Management Administrative Units should be used to protect groups by restricting management to specific users or groups. This test checks whether all groups used in Conditional Access policies are protected.

Learn more: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management
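
The check described above can be sketched as follows. This is an added example, not Maester's own code: the function name `Get-UnprotectedCaGroup` and the sample data are constructed for illustration, and the object shapes assume the Microsoft Graph properties `conditions.users.includeGroups` / `excludeGroups` on policies and `isAssignableToRole` / `isManagementRestricted` on groups.

```powershell
# Added illustration; not Maester's code. Get-UnprotectedCaGroup is a hypothetical name.
function Get-UnprotectedCaGroup {
    param(
        [Parameter(Mandatory)] [object[]] $Policy,   # Conditional Access policy objects
        [Parameter(Mandatory)] [object[]] $Group     # group objects with the two flags
    )
    $byId = @{}
    foreach ($g in $Group) { $byId[$g.id] = $g }

    # Map every referenced group id to the policies that include or exclude it.
    $usage = @{}
    foreach ($p in $Policy) {
        $ids = @($p.conditions.users.includeGroups) + @($p.conditions.users.excludeGroups)
        foreach ($id in ($ids | Where-Object { $_ } | Select-Object -Unique)) {
            if (-not $usage.ContainsKey($id)) {
                $usage[$id] = [System.Collections.Generic.List[string]]::new()
            }
            $usage[$id].Add($p.displayName)
        }
    }

    # Protected = role-assignable OR inside a restricted management administrative unit.
    foreach ($id in $usage.Keys) {
        $g = $byId[$id]
        $protected = $g -and ($g.isAssignableToRole -eq $true -or $g.isManagementRestricted -eq $true)
        if (-not $protected) {
            [pscustomobject]@{
                GroupId     = $id
                DisplayName = if ($g) { $g.displayName } else { '(group not resolved)' }
                UsedBy      = $usage[$id] -join '; '
            }
        }
    }
}

# Constructed sample data shaped like Microsoft Graph responses (not from a real tenant).
$policies = @(
    @{ displayName = 'Require MFA for all users'
       conditions  = @{ users = @{ includeGroups = @(); excludeGroups = @('g-1', 'g-2') } } }
    @{ displayName = 'Block legacy authentication'
       conditions  = @{ users = @{ includeGroups = @('g-3'); excludeGroups = @('g-2') } } }
)
$groups = @(
    @{ id = 'g-1'; displayName = 'CA-Exclude-BreakGlass'; isAssignableToRole = $true;  isManagementRestricted = $false }
    @{ id = 'g-2'; displayName = 'CA-Exclude-ServiceAccounts'; isAssignableToRole = $false; isManagementRestricted = $false }
    @{ id = 'g-3'; displayName = 'CA-Include-Contractors'; isAssignableToRole = $false; isManagementRestricted = $true }
)

Get-UnprotectedCaGroup -Policy $policies -Group $groups | Format-Table -AutoSize
```

A group that a policy still references but that no longer resolves is reported as unprotected, so stale references surface alongside groups that lack both protections.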

EXAMPLES

EXAMPLE 1

Test-MtCaGroupsRestricted

PARAMETERS

-ProgressAction

Determines how PowerShell responds to progress updates generated by the command.

Type: ActionPreference
Parameter Sets: (All)
Aliases: proga

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

System.Boolean

NOTES

https://maester.dev/docs/commands/Test-MtCaGroupsRestricted