Improved logic for not explicitly configured values
Cloud-Architekt committed Jan 31, 2025
1 parent 70769d6 commit 40b19f3
Showing 54 changed files with 87 additions and 95 deletions.
2 changes: 1 addition & 1 deletion build/eidsca/Update-EidscaTests.ps1
@@ -366,7 +366,7 @@ function UpdateTemplate($template, $control, $controlItem, $docName, $isDoc) {
$output = $output -replace '%SkipCheck%', "$($SkipCheck)"

# Extract variable name from the condition to build syntax for TestCases
$SkipConditionVariable = ($controlItem.SkipCondition -split ' ')[0]
$SkipConditionVariable = ($controlItem.SkipCondition | Select-String -Pattern '\$([^\s]+)').Matches.Value
$SkipConditionVariableName = $SkipConditionVariable -replace '[$()]', ''
$output = $output -replace '%TestCases%', " -TestCases @{ $($SkipConditionVariableName) = $($SkipConditionVariable) }"
} else {
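Review bot: The new pattern `'\$([^\s]+)'` on the `$SkipConditionVariable` line accepts any run of non-space characters after `$`, and the result is interpolated into the generated `-TestCases @{ ... }` text without a check. When `SkipCondition` holds no `$` token, `.Matches.Value` is `$null` and the generator would emit `-TestCases @{  =  }`; when the token carries a member access or bracket, those characters travel into the generated test as well. Because this output becomes executable PowerShell in the test files, I would capture only an identifier with `Select-String -Pattern '\$\w+'` and stop on a miss with `if (-not $SkipConditionVariable) { throw "No variable found in SkipCondition: $($controlItem.SkipCondition)" }`. `UpdateTemplate` begins and ends outside this hunk, so where `SkipCondition` comes from and how far it is trusted cannot be judged from here.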
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/@templateps1.txt
@@ -26,7 +26,7 @@ function %PSFunctionName% {

[string]$tenantValue = $result.%CurrentValue%
$testResult = $tenantValue -%PwshCompareOperator% %RecommendedValue%
$tenantValueNotSet = $null -eq $tenantValue -and %RecommendedValue% -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and %RecommendedValue% -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value %CompareOperatorText% **%RecommendedValue%** for **%RelativeUri%**"
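Review bot: On the changed `$tenantValueNotSet` line the `$null -eq $tenantValue` half can never be true, because `$tenantValue` is declared `[string]` two lines above and PowerShell stores `$null` as an empty string in a `[string]` variable; `[string]::IsNullOrEmpty($tenantValue) -and %RecommendedValue% -notlike '*$null*'` states the intent in one call. The empty string is also what the cast produces when `$result` itself is empty, so if the Graph request (outside this hunk) can return nothing, a failed or unauthorized query would be reported as "not configured explicitly" instead of as a query problem; a separate `$null -eq $result` check before the comparison would keep the two cases apart. The same generated line appears in every Test-MtEidsca*.ps1 section of this commit, so the point is raised once here. The function body begins and ends outside the hunk.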
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAF01.ps1
@@ -26,7 +26,7 @@ function Test-MtEidscaAF01 {

[string]$tenantValue = $result.state
$testResult = $tenantValue -eq 'enabled'
$tenantValueNotSet = $null -eq $tenantValue -and 'enabled' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'enabled' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'enabled'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAF02.ps1
@@ -29,7 +29,7 @@ function Test-MtEidscaAF02 {

[string]$tenantValue = $result.isSelfServiceRegistrationAllowed
$testResult = $tenantValue -eq 'true'
$tenantValueNotSet = $null -eq $tenantValue -and 'true' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'true' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAF03.ps1
@@ -29,7 +29,7 @@ function Test-MtEidscaAF03 {

[string]$tenantValue = $result.isAttestationEnforced
$testResult = $tenantValue -eq 'true'
$tenantValueNotSet = $null -eq $tenantValue -and 'true' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'true' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAF04.ps1
@@ -29,7 +29,7 @@ function Test-MtEidscaAF04 {

[string]$tenantValue = $result.keyRestrictions.isEnforced
$testResult = $tenantValue -eq 'true'
$tenantValueNotSet = $null -eq $tenantValue -and 'true' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'true' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAF05.ps1
@@ -29,7 +29,7 @@ function Test-MtEidscaAF05 {

[string]$tenantValue = $result.keyRestrictions.aaGuids -notcontains $null
$testResult = $tenantValue -eq 'true'
$tenantValueNotSet = $null -eq $tenantValue -and 'true' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'true' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAF06.ps1
@@ -29,7 +29,7 @@ function Test-MtEidscaAF06 {

[string]$tenantValue = $result.keyRestrictions.aaGuids -notcontains $null -and ($result.keyRestrictions.enforcementType -eq 'allow' -or $result.keyRestrictions.enforcementType -eq 'block')
$testResult = $tenantValue -eq 'true'
$tenantValueNotSet = $null -eq $tenantValue -and 'true' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'true' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Fido2')**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAG01.md
@@ -5,7 +5,7 @@ On September 30th, 2025, the legacy multifactor authentication and self-service
#### Test script
```
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy
.policyMigrationState -eq 'migrationComplete'
.policyMigrationState -in @('migrationComplete', '')
```

#### Related links
16 changes: 8 additions & 8 deletions powershell/internal/eidsca/Test-MtEidscaAG01.ps1
@@ -1,19 +1,19 @@
<#
.SYNOPSIS
Checks if Authentication Method - General Settings - Manage migration is set to 'migrationComplete'
Checks if Authentication Method - General Settings - Manage migration is set to @('migrationComplete', '')
.DESCRIPTION
The state of migration of the authentication methods policy from the legacy multifactor authentication and self-service password reset (SSPR) policies. In January 2024, the legacy multifactor authentication and self-service password reset policies will be deprecated and you'll manage all authentication methods here in the authentication methods policy. Use this control to manage your migration from the legacy policies to the new unified policy.
Queries policies/authenticationMethodsPolicy
and returns the result of
graph/policies/authenticationMethodsPolicy.policyMigrationState -eq 'migrationComplete'
graph/policies/authenticationMethodsPolicy.policyMigrationState -in @('migrationComplete', '')
.EXAMPLE
Test-MtEidscaAG01
Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy.policyMigrationState -eq 'migrationComplete'
Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy.policyMigrationState -in @('migrationComplete', '')
#>

function Test-MtEidscaAG01 {
@@ -25,15 +25,15 @@ function Test-MtEidscaAG01 {
$result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy" -ApiVersion beta

[string]$tenantValue = $result.policyMigrationState
$testResult = $tenantValue -eq 'migrationComplete'
$tenantValueNotSet = $null -eq $tenantValue -and 'migrationComplete' -notlike '*$null*'
$testResult = $tenantValue -in @('migrationComplete', '')
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and @('migrationComplete', '') -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'migrationComplete'** for **policies/authenticationMethodsPolicy**"
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is one of the following values **@('migrationComplete', '')** for **policies/authenticationMethodsPolicy**"
} elseif ($tenantValueNotSet) {
$testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **'migrationComplete'** for **policies/authenticationMethodsPolicy**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be."
$testResultMarkdown = "Your tenant is **not configured explicitly**.`n`nThe recommended value is **@('migrationComplete', '')** for **policies/authenticationMethodsPolicy**. It seems that you are using a default value by Microsoft. We recommend to set the setting value explicitly since non set values could change depending on what Microsoft decides the current default should be."
} else {
$testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is **'migrationComplete'** for **policies/authenticationMethodsPolicy**"
$testResultMarkdown = "Your tenant is configured as **$($tenantValue)**.`n`nThe recommended value is one of the following values **@('migrationComplete', '')** for **policies/authenticationMethodsPolicy**"
}
Add-MtTestResultDetail -Result $testResultMarkdown

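Review bot: With `$testResult = $tenantValue -in @('migrationComplete', '')` an empty value now passes, and since `$tenantValue` is a `[string]` built from `$result.policyMigrationState`, an empty response from `Invoke-MtGraphRequest` (if that call can return nothing) is indistinguishable from an unset property and would also be reported as "Well done". The `elseif ($tenantValueNotSet)` branch is unreachable in this test, because every value it covers already satisfies `$testResult`. I would check the response before the comparison, for example `if ($null -eq $result) { Add-MtTestResultDetail -SkippedBecause 'Custom' -SkippedCustomReason 'No response from policies/authenticationMethodsPolicy'; return $null }`. This file appears to be produced from the `%RecommendedValue%` template, so the change belongs in the template or generator rather than here. The function continues outside both hunks.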
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAG02.ps1
@@ -26,7 +26,7 @@ function Test-MtEidscaAG02 {

[string]$tenantValue = $result.reportSuspiciousActivitySettings.state
$testResult = $tenantValue -eq 'enabled'
$tenantValueNotSet = $null -eq $tenantValue -and 'enabled' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'enabled' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'enabled'** for **policies/authenticationMethodsPolicy**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAG03.ps1
@@ -26,7 +26,7 @@ function Test-MtEidscaAG03 {

[string]$tenantValue = $result.reportSuspiciousActivitySettings.includeTarget.id
$testResult = $tenantValue -eq 'all_users'
$tenantValueNotSet = $null -eq $tenantValue -and 'all_users' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'all_users' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'all_users'** for **policies/authenticationMethodsPolicy**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAM01.ps1
@@ -26,7 +26,7 @@ function Test-MtEidscaAM01 {

[string]$tenantValue = $result.state
$testResult = $tenantValue -eq 'enabled'
$tenantValueNotSet = $null -eq $tenantValue -and 'enabled' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'enabled' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'enabled'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAM02.ps1
@@ -29,7 +29,7 @@ function Test-MtEidscaAM02 {

[string]$tenantValue = $result.isSoftwareOathEnabled
$testResult = $tenantValue -eq 'true'
$tenantValueNotSet = $null -eq $tenantValue -and 'true' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'true' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'true'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAM03.ps1
@@ -29,7 +29,7 @@ function Test-MtEidscaAM03 {

[string]$tenantValue = $result.featureSettings.numberMatchingRequiredState.state
$testResult = $tenantValue -eq 'enabled'
$tenantValueNotSet = $null -eq $tenantValue -and 'enabled' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'enabled' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'enabled'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAM04.ps1
@@ -29,7 +29,7 @@ function Test-MtEidscaAM04 {

[string]$tenantValue = $result.featureSettings.numberMatchingRequiredState.includeTarget.id
$testResult = $tenantValue -eq 'all_users'
$tenantValueNotSet = $null -eq $tenantValue -and 'all_users' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'all_users' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'all_users'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAM06.ps1
@@ -29,7 +29,7 @@ function Test-MtEidscaAM06 {

[string]$tenantValue = $result.featureSettings.displayAppInformationRequiredState.state
$testResult = $tenantValue -eq 'enabled'
$tenantValueNotSet = $null -eq $tenantValue -and 'enabled' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'enabled' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'enabled'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAM07.ps1
@@ -29,7 +29,7 @@ function Test-MtEidscaAM07 {

[string]$tenantValue = $result.featureSettings.displayAppInformationRequiredState.includeTarget.id
$testResult = $tenantValue -eq 'all_users'
$tenantValueNotSet = $null -eq $tenantValue -and 'all_users' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'all_users' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'all_users'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAM09.ps1
@@ -29,7 +29,7 @@ function Test-MtEidscaAM09 {

[string]$tenantValue = $result.featureSettings.displayLocationInformationRequiredState.state
$testResult = $tenantValue -eq 'enabled'
$tenantValueNotSet = $null -eq $tenantValue -and 'enabled' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'enabled' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'enabled'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAM10.ps1
@@ -29,7 +29,7 @@ function Test-MtEidscaAM10 {

[string]$tenantValue = $result.featureSettings.displayLocationInformationRequiredState.includeTarget.id
$testResult = $tenantValue -eq 'all_users'
$tenantValueNotSet = $null -eq $tenantValue -and 'all_users' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'all_users' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'all_users'** for **policies/authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAP01.ps1
@@ -29,7 +29,7 @@ function Test-MtEidscaAP01 {

[string]$tenantValue = $result.allowedToUseSSPR
$testResult = $tenantValue -eq 'false'
$tenantValueNotSet = $null -eq $tenantValue -and 'false' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'false' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'false'** for **policies/authorizationPolicy**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAP04.ps1
@@ -26,7 +26,7 @@ function Test-MtEidscaAP04 {

[string]$tenantValue = $result.allowInvitesFrom
$testResult = $tenantValue -in @('adminsAndGuestInviters','none')
$tenantValueNotSet = $null -eq $tenantValue -and @('adminsAndGuestInviters','none') -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and @('adminsAndGuestInviters','none') -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is one of the following values **@('adminsAndGuestInviters','none')** for **policies/authorizationPolicy**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAP05.ps1
@@ -26,7 +26,7 @@ function Test-MtEidscaAP05 {

[string]$tenantValue = $result.allowedToSignUpEmailBasedSubscriptions
$testResult = $tenantValue -eq 'false'
$tenantValueNotSet = $null -eq $tenantValue -and 'false' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'false' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'false'** for **policies/authorizationPolicy**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAP06.ps1
@@ -26,7 +26,7 @@ function Test-MtEidscaAP06 {

[string]$tenantValue = $result.allowEmailVerifiedUsersToJoinOrganization
$testResult = $tenantValue -eq 'false'
$tenantValueNotSet = $null -eq $tenantValue -and 'false' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'false' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'false'** for **policies/authorizationPolicy**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAP07.ps1
@@ -26,7 +26,7 @@ function Test-MtEidscaAP07 {

[string]$tenantValue = $result.guestUserRoleId
$testResult = $tenantValue -eq '2af84b1e-32c8-42b7-82bc-daa82404023b'
$tenantValueNotSet = $null -eq $tenantValue -and '2af84b1e-32c8-42b7-82bc-daa82404023b' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and '2af84b1e-32c8-42b7-82bc-daa82404023b' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'2af84b1e-32c8-42b7-82bc-daa82404023b'** for **policies/authorizationPolicy**"
4 changes: 2 additions & 2 deletions powershell/internal/eidsca/Test-MtEidscaAP08.ps1
@@ -21,15 +21,15 @@ function Test-MtEidscaAP08 {
[OutputType([bool])]
param()

if ( ($AuthorizationPolicyAvailable | where-object permissionGrantPolicyIdsAssignedToDefaultUserRole -Match 'ManagePermissionGrantsForSelf*').Count -eq 0 ) {
if ( ($AuthorizationPolicyAvailable | where-object permissionGrantPolicyIdsAssignedToDefaultUserRole -Match 'ManagePermissionGrantsForSelf.microsoft-').Count -eq 0 ) {
Add-MtTestResultDetail -SkippedBecause 'Custom' -SkippedCustomReason 'User Consent has been disabled or customized using Microsoft Graph or Microsoft Graph PowerShell without any assignment to custom policy.'
return $null
}
$result = Invoke-MtGraphRequest -RelativeUri "policies/authorizationPolicy" -ApiVersion beta

[string]$tenantValue = $result.permissionGrantPolicyIdsAssignedToDefaultUserRole -clike 'ManagePermissionGrantsForSelf*'
$testResult = $tenantValue -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-low'
$tenantValueNotSet = $null -eq $tenantValue -and 'ManagePermissionGrantsForSelf.microsoft-user-default-low' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'ManagePermissionGrantsForSelf.microsoft-user-default-low' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'ManagePermissionGrantsForSelf.microsoft-user-default-low'** for **policies/authorizationPolicy**"
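Review bot: In the new skip condition, `-Match 'ManagePermissionGrantsForSelf.microsoft-'` is a regular expression, so the `.` matches any character and the test ignores case, whereas the value read a few lines later uses the case-sensitive wildcard `-clike 'ManagePermissionGrantsForSelf*'`. Escaping the dot, `-Match 'ManagePermissionGrantsForSelf\.microsoft-'`, makes the filter match only what it names. The two filters now select different sets: a tenant with both a Microsoft-managed and a custom `ManagePermissionGrantsForSelf.*` entry gets past the skip check, `-clike` returns both, and the `[string]` cast joins them into one string that cannot equal the recommended value. The skip reason still reads "without any assignment to custom policy", which may no longer describe the tenants that are skipped. The function continues outside the hunk.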
4 changes: 2 additions & 2 deletions powershell/internal/eidsca/Test-MtEidscaAP09.ps1
@@ -1,6 +1,6 @@
<#
.SYNOPSIS
Checks if Default Authorization Settings - Risk-based step-up consent is set to 'false'
Checks if Default Authorization Settings - Allow user consent on risk-based apps is set to 'false'
.DESCRIPTION
@@ -26,7 +26,7 @@ function Test-MtEidscaAP09 {

[string]$tenantValue = $result.allowUserConsentForRiskyApps
$testResult = $tenantValue -eq 'false'
$tenantValueNotSet = $null -eq $tenantValue -and 'false' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'false' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'false'** for **policies/authorizationPolicy**"
2 changes: 1 addition & 1 deletion powershell/internal/eidsca/Test-MtEidscaAP10.ps1
@@ -26,7 +26,7 @@ function Test-MtEidscaAP10 {

[string]$tenantValue = $result.defaultUserRolePermissions.allowedToCreateApps
$testResult = $tenantValue -eq 'false'
$tenantValueNotSet = $null -eq $tenantValue -and 'false' -notlike '*$null*'
$tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'false' -notlike '*$null*'

if($testResult){
$testResultMarkdown = "Well done. The configuration in your tenant and recommended value is **'false'** for **policies/authorizationPolicy**"