Change tests for MS.AAD.5.4v1 for teams group consent to not-implemen…

…ted as setting is deprecated (#1460)

* initial commit - change test to not-implemented

* update / remove deprecated unit tests

* remove extra whitespace from testplan

* add missing import to rego

* resolved functional test issue with expectedresult

PowerShell/ScubaGear/Rego/AADConfig.rego

@@ -1,6 +1,7 @@
 package aad
 import rego.v1
 import data.utils.report.NotCheckedDetails
+import data.utils.report.NotCheckedDeprecation
 import data.utils.report.CheckedSkippedDetails
 import data.utils.report.ReportDetailsBoolean
 import data.utils.report.ReportDetailsString
@@ -658,52 +659,17 @@ tests contains {
 # MS.AAD.5.4v1
 #--
 
-# For specific setting, save the value & group.
-AllConsentSettings contains {
-    "SettingsGroup": SettingGroup.DisplayName,
-    "Name": Setting.Name,
-    "Value": Setting.Value
-} if {
-    some SettingGroup in input.directory_settings
-    some Setting in SettingGroup.Values
-    Setting.Name == "EnableGroupSpecificConsent"
-}
-
-# Save all settings that have a value of false
-GoodConsentSettings contains {
-    "SettingsGroup": Setting.SettingsGroup,
-    "Name": Setting.Name,
-    "Value": Setting.Value
-} if {
-    some Setting in AllConsentSettings
-    lower(Setting.Value) == "false"
-}
-
-# Save all settings that have a value of true
-BadConsentSettings contains {
-    "SettingsGroup": Setting.SettingsGroup,
-    "Name": Setting.Name,
-    "Value": Setting.Value
-} if {
-    some Setting in AllConsentSettings
-    lower(Setting.Value) == "true"
-}
+# Microsoft has removed this configuration option
+# We are setting this policy to not-implemented and will likely remove it 
+# from the baseline in the next version.
 
-# If there are no bad settings & more than 1
-# good setting, pass
 tests contains {
     "PolicyId": "MS.AAD.5.4v1",
-    "Criticality": "Shall",
+    "Criticality": "Shall/Not-Implemented",
     "Commandlet": ["Get-MgBetaDirectorySetting"],
-    "ActualValue": AllConsentSettings,
-    "ReportDetails": ReportDetailsBoolean(Status),
-    "RequirementMet": Status
-} if {
-    Conditions := [
-        count(BadConsentSettings) == 0,
-        count(GoodConsentSettings) > 0
-    ]
-    Status := count(FilterArray(Conditions, false)) == 0
+    "ActualValue": [],
+    "ReportDetails": NotCheckedDeprecation,
+    "RequirementMet": false
 }
 #--
 

PowerShell/ScubaGear/Testing/Unit/Rego/AAD/AADBaseConfig.rego

@@ -89,10 +89,6 @@ DirectorySettings := {
         {
             "Name":  "EnableAdminConsentRequests",
             "Value":  "true"
-        },
-        {
-            "Name": "EnableGroupSpecificConsent",
-            "Value": "false"
         }
     ]
 }

PowerShell/ScubaGear/Testing/Unit/Rego/AAD/AADConfig_05_test.rego

@@ -1,6 +1,7 @@
 package aad_test
 import rego.v1
 import data.aad
+import data.utils.report.NotCheckedDeprecation
 import data.utils.key.TestResult
 import data.utils.key.FAIL
 import data.utils.key.PASS
@@ -136,33 +137,11 @@ test_IsEnabled_Incorrect if {
 #
 # Policy MS.AAD.5.4v1
 #--
-test_Value_Correct_Lowercase if {
-    Output := aad.tests with input.directory_settings as [DirectorySettings]
-
-    TestResult("MS.AAD.5.4v1", Output, PASS, true) == true
-}
-
-test_Value_Correct_Uppercase if {
-    Settings := json.patch(DirectorySettings, [{"op": "add", "path": "Values/1/Value", "value": "False"}])
-
-    Output := aad.tests with input.directory_settings as [Settings]
-
-    TestResult("MS.AAD.5.4v1", Output, PASS, true) == true
-}
+test_TeamsGroupConsentDisabled_NotImplemented_V1 if {
+    PolicyId := "MS.AAD.5.4v1"
 
-test_Value_Incorrect_Lowercase if {
-    Settings := json.patch(DirectorySettings, [{"op": "add", "path": "Values/1/Value", "value": "true"}])
-
-    Output := aad.tests with input.directory_settings as [Settings]
-
-    TestResult("MS.AAD.5.4v1", Output, FAIL, false) == true
-}
-
-test_Value_Incorrect_Uppercase if {
-    Settings := json.patch(DirectorySettings, [{"op": "add", "path": "Values/1/Value", "value": "True"}])
-
-    Output := aad.tests with input.directory_settings as [Settings]
+    Output := aad.tests with input.directory_settings as [DirectorySettings]
 
-    TestResult("MS.AAD.5.4v1", Output, FAIL, false) == true
+    TestResult(PolicyId, Output, NotCheckedDeprecation, false) == true
 }
 #--

Testing/Functional/Products/TestPlans/aad.testplan.yaml

@@ -687,40 +687,13 @@ TestPlan:
         ExpectedResult: true
 
   - PolicyId: MS.AAD.5.4v1
-    TestDriver: ScubaCached
+    TestDriver: RunScuba
     Tests:
-      - TestDescription: MS.AAD.5.4v1 Non-Compliant - Allow group owners to consent to apps
-        Preconditions:
-          - Command: UpdateProviderExport
-            Splat:
-              updates:
-                directory_settings[0].Values:
-                  - Name: EnableGroupSpecificConsent
-                    Value: "true"
-                  - Name: BlockUserConsentForRiskyApps
-                    Value: "false"
-                  - Name: EnableAdminConsentRequests
-                    Value: "false"
-                  - Name: ConstrainGroupSpecificConsentToMembersOfGroupId
-                    Value: ""
+      - TestDescription: MS.AAD.5.4v1
+        Preconditions: []
         Postconditions: []
         ExpectedResult: false
-      - TestDescription: MS.AAD.5.4v1 Compliant - Do NOT allow group owners to consent to apps
-        Preconditions:
-          - Command: UpdateProviderExport
-            Splat:
-              updates:
-                directory_settings[0].Values:
-                  - Name: EnableGroupSpecificConsent
-                    Value: "false"
-                  - Name: BlockUserConsentForRiskyApps
-                    Value: "false"
-                  - Name: EnableAdminConsentRequests
-                    Value: "false"
-                  - Name: ConstrainGroupSpecificConsentToMembersOfGroupId
-                    Value: ""
-        Postconditions: []
-        ExpectedResult: true
+        IsNotChecked: true
 
   - PolicyId: MS.AAD.6.1v1
     TestDriver: ScubaCached