🙏 Configurable accepted deviations for tests #1798

@diecknet

Describe the feature

I would like Maester to be configurable, so it can ignore specific findings as accepted.
For example in my environment the test CIS.M365.1.2.1 flagged multiple M365 groups, because they are public. The definition is "Ensure that only organizationally managed/approved public groups exist" - it doesn't state that public groups must not exist. It would be perfectly fine if an organization had public M365 groups, if they are aware of the risks and they control them. But right now the test is binary: If there are any public M365 groups, the test will fail.
I think it would make sense to allow the user to configure test-specific exceptions (allowed deviations) - similar to the configuration of EmergencyAccessAccounts accounts in maester-config.json.

For example, we could extend the test-related config with an AcceptedEntities property or something:

    {
      "Id": "CIS.M365.1.2.1",
      "Severity": "Medium",
      "Title": "(L2) Ensure that only organizationally managed/approved public groups exist",
      "AcceptedEntities": [
        "0c3836ab-09e4-4a27-aa0a-da1933538b03",
        "27cfcc4e-c587-4da3-88dd-2997129ef12f"
      ]
    },

Impact and importance

This would allow the users to continue to use pre-made tests without the need of rewriting the tests. If the architecture allows it, users can customize testing without changing PowerShell code.

Alternatives you've considered

It would be possible to either not run a specific test, or to write one's own alternative - but I don't think that's feasible for a lot of users.

Additional context

No response
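
One way a test could honour the proposed AcceptedEntities list, as an added example that is not part of the original issue and not Maester's own code. The function name Test-PublicGroupDeviation, the sample groups and the all-zero GUID are constructed for illustration; the check also reports accepted IDs that no longer match a public group, so stale exceptions get reviewed.

```powershell
# Added illustration, not Maester code. 'AcceptedEntities' is the property
# proposed in the issue; the function name and group data are constructed.
function Test-PublicGroupDeviation {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Groups,
        [string[]] $AcceptedEntities
    )
    # Treat a missing or empty property as "no accepted deviations".
    $allowed   = @($AcceptedEntities | Where-Object { $_ })
    $public    = @($Groups | Where-Object { $_.Visibility -eq 'Public' })
    $publicIds = @($public | ForEach-Object { $_.Id })

    $unaccepted = @($public | Where-Object { $_.Id -notin $allowed })
    [pscustomobject]@{
        Passed        = ($unaccepted.Count -eq 0)
        Unaccepted    = $unaccepted                                         # these fail the test
        Accepted      = @($public | Where-Object { $_.Id -in $allowed })    # reported, not hidden
        StaleAccepted = @($allowed | Where-Object { $_ -notin $publicIds }) # exceptions to review
    }
}

# Test entry as proposed in the issue (constructed config fragment).
$entry = @'
{
  "Id": "CIS.M365.1.2.1",
  "Severity": "Medium",
  "AcceptedEntities": [
    "0c3836ab-09e4-4a27-aa0a-da1933538b03",
    "27cfcc4e-c587-4da3-88dd-2997129ef12f"
  ]
}
'@ | ConvertFrom-Json

# Constructed sample groups; a real test would query these from the tenant.
$groups = @(
    [pscustomobject]@{ Id = '0c3836ab-09e4-4a27-aa0a-da1933538b03'; DisplayName = 'All Staff News';  Visibility = 'Public'  }
    [pscustomobject]@{ Id = '27cfcc4e-c587-4da3-88dd-2997129ef12f'; DisplayName = 'Old Social Club'; Visibility = 'Private' }
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000001'; DisplayName = 'Project X';       Visibility = 'Public'  }
)

$result = Test-PublicGroupDeviation -Groups $groups -AcceptedEntities $entry.AcceptedEntities
"Passed: $($result.Passed)"
"Unaccepted public groups: $($result.Unaccepted.DisplayName -join ', ')"
"Accepted public groups:   $($result.Accepted.DisplayName -join ', ')"
"Stale accepted IDs:       $($result.StaleAccepted -join ', ')"
```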
