private/tests/Test-St0024MfaForAllUsers.ps1

<#
.SYNOPSIS
    Checks that MFA is enforced for all users.
#>


function Test-St0024MfaForAllUsers {
    [CmdletBinding()]
    param()

    Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose

    $activity = "Checking MFA for all users"
    Write-ZtProgress -Activity $activity

    $caps = Invoke-ZtGraphRequest -RelativeUri 'identity/conditionalAccess/policies' -ApiVersion beta

    $mfaPolicies = $caps | Where-Object {`
            $_.grantControls.builtInControls -contains "mfa" -or `
            $_.grantControls.authenticationStrength }

    $mfaAllUsersPolicies = $mfaPolicies | Where-Object {`
            $_.conditions.users.includeUsers -contains "All" `
            -and $_.state -eq "enabled" `
            -and $_.conditions.users.includeUsers -contains "All" }

    $passed = ($mfaAllUsersPolicies | Measure-Object).Count -ge 1

    $totalMfaPolicies = ($mfaPolicies | Measure-Object).Count

    if ($passed) {
        $testResultMarkdown = "Tenant is configured to require multi-factor authentication for all users.`n`n%TestResult%"
        $mfaPolicies = $mfaAllUsersPolicies # Only show the policies that target all users
    }
    elseif ($totalMfaPolicies -ge 1) {
        $testResultMarkdown = "Tenant is configured to require multi-factor authentication but does not target all users and apps or is not enabled.`n`n"
        $testResultMarkdown += "Found $totalMfaPolicies policies requiring multi-factor authentication.`n`n%TestResult%"
    }
    else {
        $testResultMarkdown = "Tenant does not have any conditional access policies that require multi-factor authentication."
    }

    Add-ZtTestResultDetail -TestId 'ST0024' -Title 'Users have strong authentication methods configured'`
        -UserImpact Medium -Risk Medium -ImplementationCost Low `
        -AppliesTo Identity -Tag User, Credential `
        -Status $passed -Result $testResultMarkdown -GraphObjectType ConditionalAccess -GraphObjects $mfaPolicies
}