maester365 · Cloud-Architekt · Apr 3, 2026 · Apr 3, 2026 · Apr 3, 2026 · Copilot
@@ -46,9 +46,9 @@ function GetVersion($graphUri) {
 }
 
 function GetRecommendedValue($RecommendedValue) {
-    if($RecommendedValue -notlike "@('*,*')") {
+    if ($RecommendedValue -notlike "@('*,*')") {
         $isNumericComparison = $false
-        $compareOperators = @(">=","<=",">","<")
+        $compareOperators = @(">=", "<=", ">", "<")
         foreach ($compareOperator in $compareOperators) {
             if ($RecommendedValue.StartsWith($compareOperator)) {
                 $isNumericComparison = $true
@@ -68,7 +68,7 @@ function GetRecommendedValue($RecommendedValue) {
 }
 
 function GetRecommendedValueMarkdown($RecommendedValueMarkdown) {
-    if($RecommendedValueMarkdown -like "@('*,*')") {
+    if ($RecommendedValueMarkdown -like "@('*,*')") {
         $RecommendedValueMarkdown = $RecommendedValueMarkdown -replace "@\(", "" -replace "\)", ""
         return "$RecommendedValueMarkdown"
     } elseif ($RecommendedValueMarkdown.StartsWith(">") -or $RecommendedValueMarkdown.StartsWith("<")) {
@@ -141,8 +141,8 @@ function GetPageTitle($uri) {
     if ($isValidUri) {
         $result = Invoke-WebRequest -Uri $uri
         $output = $uri
-        if ($result.Content -match "<title>(?<title>.*)</title>") {
-            $title = $Matches['title']
+        if ($result.Content -match "(?s)<title>(?<title>.*?)</title>") {
+            $title = $Matches['title'].Trim() -replace '\s+', ' '
         }
     }
     return $title
@@ -280,10 +280,10 @@ mindmap
 }
 
 function GetMarkdownLink($uri, $title, [switch]$lookupTitle) {
-    if([string]::IsNullOrEmpty($uri)) { return '' }
-    if($lookupTitle) {
+    if ([string]::IsNullOrEmpty($uri)) { return '' }
+    if ($lookupTitle) {
         $pageTitle = GetPageTitle($uri)
-        if(![string]::IsNullOrEmpty($pageTitle)) {
+        if (![string]::IsNullOrEmpty($pageTitle)) {
             $title = $pageTitle
         }
     }
@@ -294,7 +294,7 @@ function GetPortalDeepLinkMarkdown($portalDeepLink) {
     $result = $portalDeepLink
     if (![string]::IsNullOrEmpty($portalDeepLink)) {
         $domain = ($uri -as [System.URI]).Host
-        $domain = ($uri -as [System.URI]).Host
+        $domain = ($portalDeepLink -as [System.URI]).Host
-        $domain = ($uri -as [System.URI]).Host
+        $domain = ($portalDeepLink -as [System.URI]).Host
-        $result =  GetMarkdownLink -uri $portalDeepLink -title "[View in $domain]" # Set default markdown
+        $result = GetMarkdownLink -uri $portalDeepLink -title "[View in $domain]" # Set default markdown
 
         if ($portalDeepLink -like "*entra.microsoft.com*" -or $portalDeepLink -like "*Microsoft_AAD_IAM*") {
             $result = GetMarkdownLink -uri $portalDeepLink -title "View in Microsoft Entra admin center"
@@ -339,7 +339,7 @@ function UpdateTemplate($template, $control, $controlItem, $docName, $isDoc) {
         }
 
         # Map severity to Maester values
-        if($controlItem.Severity -eq 'Informational') {
+        if ($controlItem.Severity -eq 'Informational') {
             $controlItem.Severity = 'Info'
         }
 
@@ -382,12 +382,12 @@ function UpdateTemplate($template, $control, $controlItem, $docName, $isDoc) {
     if (-not [string]::IsNullOrWhiteSpace($controlItem.SkipCondition) ) {
         $SkipCheck = "if ( $($controlItem.SkipCondition) ) {
             Add-MtTestResultDetail -SkippedBecause 'Custom' -SkippedCustomReason '$($controlItem.SkipReason)'
-            return " + '$null' +"`
+            return " + '$null' + "`
     }"
         $output = $output -replace '%SkipCheck%', "$($SkipCheck)"
 
         # Extract variable name from the condition to build syntax for TestCases
-        $SkipConditionVariable = ($controlItem.SkipCondition  | Select-String -Pattern '\$([^\s]+)').Matches.Value
+        $SkipConditionVariable = ($controlItem.SkipCondition | Select-String -Pattern '\$([^\s]+)').Matches.Value
         $SkipConditionVariableName = $SkipConditionVariable -replace '[$()]', ''
         $output = $output -replace '%TestCases%', " -TestCases @{ $($SkipConditionVariableName) = $($SkipConditionVariable) }"
     } else {
@@ -424,8 +424,8 @@ function GeneratePublicFunction($folderPath, $controlIds) {
 
 # Start by getting the latest EIDSCA config
 $aadsc = Invoke-WebRequest -Uri $AadSecConfigUrl | ConvertFrom-Json
-$aadsc = ($aadsc | Where-Object {$_.CollectedBy -eq "Maester"}).ControlArea
-$Discovery = ($aadsc | Where-Object {$_.discovery -ne ""}).Discovery
+$aadsc = ($aadsc | Where-Object { $_.CollectedBy -eq "Maester" }).ControlArea
+$Discovery = ($aadsc | Where-Object { $_.discovery -ne "" }).Discovery
 
 # Remove previously generated files
 Get-ChildItem -Path $DocsPath -Filter "*.md" -Exclude "readme.md" | Remove-Item -Force
@@ -457,7 +457,7 @@ foreach ($control in $aadsc) {
         $exportedControls.Add($controlItem.CheckId)
         $docName = $controlItem.CheckId
 
-$testTemplate = @'
+        $testTemplate = @'
 Describe "EIDSCA" -Tag "EIDSCA",  "%CheckId%" {
     It "%CheckId%: %ControlName% - %DisplayName%. See https://maester.dev/docs/tests/%DocName%"%TestCases% {
         <#
@@ -493,13 +493,13 @@ Describe "EIDSCA" -Tag "EIDSCA",  "%CheckId%" {
 GeneratePublicFunction -folderPath $PublicFunctionPath -controlIds $exportedControls
 
 $output = @'
-BeforeAll {
+BeforeDiscovery {
 <DiscoveryFromJson>}
 
 '@
 
 # Replace placeholder with Discovery checks from definition in EIDSCA JSON
-$output = $output.Replace('<DiscoveryFromJson>',($Discovery | Out-String))
+$output = $output.Replace('<DiscoveryFromJson>', ($Discovery | Out-String))
 
 $output += $sb.ToString()
 $output | Out-File $TestFilePath -Encoding utf8
@@ -1,20 +1,20 @@
 function %PSFunctionName% {
-function %PSFunctionName% {
+function %PSFunctionName% {
-function %PSFunctionName% {
+function %PSFunctionName% {
     <#
     .SYNOPSIS
-        Checks if %ControlName% - %DisplayName% is set to %RecommendedValue%
+    Checks if %ControlName% - %DisplayName% is set to %RecommendedValue%
 
     .DESCRIPTION
 
-        %ControlItemDescription%
+    %ControlItemDescription%
 
-        Queries %RelativeUri%
-        and returns the result of
-         graph/%RelativeUri%.%CurrentValue% -%PwshCompareOperator% %RecommendedValue%
+    Queries %RelativeUri%
+    and returns the result of
+    graph/%RelativeUri%.%CurrentValue% -%PwshCompareOperator% %RecommendedValue%
 
     .EXAMPLE
-        %PSFunctionName%
+    %PSFunctionName%
 
-        Returns the result of graph.microsoft.com/beta/%RelativeUri%.%CurrentValue% -%PwshCompareOperator% %RecommendedValue%
+    Returns the result of graph.microsoft.com/beta/%RelativeUri%.%CurrentValue% -%PwshCompareOperator% %RecommendedValue%
     #>
     [CmdletBinding()]
     [OutputType([bool])]
@@ -37,4 +37,4 @@
     Add-MtTestResultDetail -Result $testResultMarkdown -Severity '%Severity%'
 
     return $tenantValue
-}
+}
@@ -1,4 +1,4 @@
-function Test-MtEidscaAF01 {
+function Test-MtEidscaAF01 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - FIDO2 security key - State is set to 'enabled'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAF02 {
+function Test-MtEidscaAF02 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - FIDO2 security key - Allow self-service set up is set to 'true'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAF03 {
+function Test-MtEidscaAF03 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - FIDO2 security key - Enforce attestation is set to 'true'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAF04 {
+function Test-MtEidscaAF04 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - FIDO2 security key - Enforce key restrictions is set to 'true'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAF05 {
+function Test-MtEidscaAF05 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - FIDO2 security key - Restricted is set to 'true'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAF06 {
+function Test-MtEidscaAF06 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - FIDO2 security key - Restrict specific keys is set to 'true'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAG01 {
+function Test-MtEidscaAG01 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - General Settings - Manage migration is set to @('migrationComplete', '')

@@ -1,4 +1,4 @@
-function Test-MtEidscaAG02 {
+function Test-MtEidscaAG02 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - General Settings - Report suspicious activity - State is set to 'enabled'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAG03 {
+function Test-MtEidscaAG03 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - General Settings - Report suspicious activity - Included users/groups is set to 'all_users'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAM01 {
+function Test-MtEidscaAM01 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - Microsoft Authenticator - State is set to 'enabled'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAM02 {
+function Test-MtEidscaAM02 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP is set to 'false'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAM03 {
+function Test-MtEidscaAM03 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - Microsoft Authenticator - Require number matching for push notifications is set to 'enabled'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAM04 {
+function Test-MtEidscaAM04 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - Microsoft Authenticator - Included users/groups of number matching for push notifications is set to 'all_users'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAM06 {
+function Test-MtEidscaAM06 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - Microsoft Authenticator - Show application name in push and passwordless notifications is set to 'enabled'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAM07 {
+function Test-MtEidscaAM07 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - Microsoft Authenticator - Included users/groups to show application name in push and passwordless notifications is set to 'all_users'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAM09 {
+function Test-MtEidscaAM09 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - Microsoft Authenticator - Show geographic location in push and passwordless notifications is set to 'enabled'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAM10 {
+function Test-MtEidscaAM10 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - Microsoft Authenticator - Included users/groups to show geographic location in push and passwordless notifications is set to 'all_users'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAP01 {
+function Test-MtEidscaAP01 {
     <#
     .SYNOPSIS
     Checks if Default Authorization Settings - Enabled Self service password reset for administrators is set to 'false'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAP04 {
+function Test-MtEidscaAP04 {
     <#
     .SYNOPSIS
     Checks if Default Authorization Settings - Guest invite restrictions is set to @('adminsAndGuestInviters','none')

@@ -1,4 +1,4 @@
-function Test-MtEidscaAP05 {
+function Test-MtEidscaAP05 {
     <#
     .SYNOPSIS
     Checks if Default Authorization Settings - Sign-up for email based subscription is set to 'false'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAP06 {
+function Test-MtEidscaAP06 {
     <#
     .SYNOPSIS
     Checks if Default Authorization Settings - User can join the tenant by email validation is set to 'false'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAP07 {
+function Test-MtEidscaAP07 {
     <#
     .SYNOPSIS
     Checks if Default Authorization Settings - Guest user access is set to '2af84b1e-32c8-42b7-82bc-daa82404023b'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAP08 {
+function Test-MtEidscaAP08 {
     <#
     .SYNOPSIS
     Checks if Default Authorization Settings - User consent policy assigned for applications is set to 'ManagePermissionGrantsForSelf.microsoft-user-default-low'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAP09 {
+function Test-MtEidscaAP09 {
     <#
     .SYNOPSIS
     Checks if Default Authorization Settings - Allow user consent on risk-based apps is set to 'false'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAP10 {
+function Test-MtEidscaAP10 {
     <#
     .SYNOPSIS
     Checks if Default Authorization Settings - Default User Role Permissions - Allowed to create Apps is set to 'false'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAP14 {
+function Test-MtEidscaAP14 {
     <#
     .SYNOPSIS
     Checks if Default Authorization Settings - Default User Role Permissions - Allowed to read other users is set to 'true'

@@ -5,7 +5,7 @@ Avoid to use SMS as primary sign in factor (instead of a password) and consider
 #### Test script
 ```
 https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')
-.includeTargets.isUsableForSignIn -eq 'false'
+.includeTargets.isUsableForSignIn | select-object -unique -eq 'false'
-.includeTargets.isUsableForSignIn | select-object -unique -eq 'false'
+(.includeTargets.isUsableForSignIn | Select-Object -Unique) -eq 'false'
-.includeTargets.isUsableForSignIn | select-object -unique -eq 'false'
+(.includeTargets.isUsableForSignIn | Select-Object -Unique) -eq 'false'
 ```
 
 #### Related links

@@ -1,4 +1,4 @@
-function Test-MtEidscaAS04 {
+function Test-MtEidscaAS04 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - SMS - Use for sign-in is set to 'false'
@@ -9,12 +9,12 @@
 
     Queries policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')
     and returns the result of
-    graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms').includeTargets.isUsableForSignIn -eq 'false'
+    graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms').includeTargets.isUsableForSignIn | select-object -unique -eq 'false'
 
     .EXAMPLE
     Test-MtEidscaAS04
 
-    Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms').includeTargets.isUsableForSignIn -eq 'false'
+    Returns the result of graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms').includeTargets.isUsableForSignIn | select-object -unique -eq 'false'
     #>
     [CmdletBinding()]
     [OutputType([bool])]
@@ -26,7 +26,7 @@
     }
     $result = Invoke-MtGraphRequest -RelativeUri "policies/authenticationMethodsPolicy/authenticationMethodConfigurations('Sms')" -ApiVersion beta
 
-    [string]$tenantValue = $result.includeTargets.isUsableForSignIn
+    [string]$tenantValue = $result.includeTargets.isUsableForSignIn | select-object -unique
     $testResult = $tenantValue -eq 'false'
     $tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'false' -notlike '*$null*'
-    [string]$tenantValue = $result.includeTargets.isUsableForSignIn | select-object -unique
-    $testResult = $tenantValue -eq 'false'
-    $tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'false' -notlike '*$null*'
+    $tenantValues = @($result.includeTargets.isUsableForSignIn | Select-Object -Unique)
+    [string]$tenantValue = ($tenantValues | ForEach-Object { [string]$_ }) -join ', '
+    $testResult = $tenantValues.Count -gt 0 -and (@($tenantValues | Where-Object { $_ -ne $false })).Count -eq 0
+    $tenantValueNotSet = $tenantValues.Count -eq 0 -and 'false' -notlike '*$null*'
-    [string]$tenantValue = $result.includeTargets.isUsableForSignIn | select-object -unique
-    $testResult = $tenantValue -eq 'false'
-    $tenantValueNotSet = ($null -eq $tenantValue -or $tenantValue -eq "") -and 'false' -notlike '*$null*'
+    $tenantValues = @($result.includeTargets.isUsableForSignIn | Select-Object -Unique)
+    [string]$tenantValue = ($tenantValues | ForEach-Object { [string]$_ }) -join ', '
+    $testResult = $tenantValues.Count -gt 0 -and (@($tenantValues | Where-Object { $_ -ne $false })).Count -eq 0
+    $tenantValueNotSet = $tenantValues.Count -eq 0 -and 'false' -notlike '*$null*'
 

@@ -1,4 +1,4 @@
-function Test-MtEidscaAT01 {
+function Test-MtEidscaAT01 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - Temporary Access Pass - State is set to 'enabled'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAT02 {
+function Test-MtEidscaAT02 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - Temporary Access Pass - One-time is set to 'true'

@@ -1,4 +1,4 @@
-function Test-MtEidscaAV01 {
+function Test-MtEidscaAV01 {
     <#
     .SYNOPSIS
     Checks if Authentication Method - Voice call - State is set to 'disabled'

@@ -1,4 +1,4 @@
-function Test-MtEidscaCP01 {
+function Test-MtEidscaCP01 {
     <#
     .SYNOPSIS
     Checks if Default Settings - Consent Policy Settings - Group owner consent for apps accessing data is set to 'False'

@@ -1,4 +1,4 @@
-function Test-MtEidscaCP03 {
+function Test-MtEidscaCP03 {
     <#
     .SYNOPSIS
     Checks if Default Settings - Consent Policy Settings - Block user consent for risky apps is set to 'true'

@@ -1,4 +1,4 @@
-function Test-MtEidscaCP04 {
+function Test-MtEidscaCP04 {
     <#
     .SYNOPSIS
     Checks if Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to is set to 'true'

@@ -1,4 +1,4 @@
-function Test-MtEidscaCR01 {
+function Test-MtEidscaCR01 {
     <#
     .SYNOPSIS
     Checks if Consent Framework - Admin Consent Request - Policy to enable or disable admin consent request feature is set to 'true'

@@ -1,4 +1,4 @@
-function Test-MtEidscaCR02 {
+function Test-MtEidscaCR02 {
     <#
     .SYNOPSIS
     Checks if Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests is set to 'true'

@@ -1,4 +1,4 @@
-function Test-MtEidscaCR03 {
+function Test-MtEidscaCR03 {
     <#
     .SYNOPSIS
     Checks if Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire is set to 'true'