maester365 · merill · Apr 1, 2026 · May 11, 2025 · May 11, 2025 · May 11, 2025
@@ -191,7 +191,44 @@
     'Test-MtEntitlementManagementInactivePolicies',
     'Test-MtEntitlementManagementOrphanedResources',
     'Test-MtEntitlementManagementValidApprovers',
-    'Test-MtEntitlementManagementValidResourceRoles'
+    'Test-MtEntitlementManagementValidResourceRoles',
+    'Test-AzdoAllowRequestAccessToken',
+    'Test-AzdoAllowTeamAdminsInvitationsAccessToken',
+    'Test-AzdoArtifactsExternalPackageProtectionToken',
+    'Test-AzdoAuditStream',
+    'Test-AzdoDisableGlobalPATCreation',
+    'Test-AzdoEnableLeakedPersonalAccessTokenAutoRevocation',
+    'Test-AzdoEnforceAADConditionalAccess',
+    'Test-AzdoExternalGuestAccess',
+    'Test-AzdoFeedbackCollection',
+    'Test-AzdoLogAuditEvent',
+    'Test-AzdoOrganizationAutomaticEnrollmentAdvancedSecurityNewProject',
+    'Test-AzdoOrganizationBadgesArePrivate',
+    'Test-AzdoOrganizationCreationClassicBuildPipeline',
+    'Test-AzdoOrganizationCreationClassicReleasePipeline',
+    'Test-AzdoOrganizationCreationRestriction',
+    'Test-AzdoOrganizationLimitJobAuthorizationScopeNonReleasePipeline',
+    'Test-AzdoOrganizationLimitJobAuthorizationScopeReleasePipeline',
+    'Test-AzdoOrganizationLimitVariablesAtQueueTime',
+    'Test-AzdoOrganizationOwner',
+    'Test-AzdoOrganizationProtectAccessToRepository',
+    'Test-AzdoOrganizationRepositorySettingsDisableCreationTFVCRepo',
+    'Test-AzdoOrganizationRepositorySettingsGravatarImage',
+    'Test-AzdoOrganizationStageChooser',
+    'Test-AzdoOrganizationStorageUsage',
+    'Test-AzdoOrganizationTaskRestrictionsDisableMarketplaceTask',
+    'Test-AzdoOrganizationTaskRestrictionsDisableNode6Task',
+    'Test-AzdoOrganizationTaskRestrictionsShellTaskArgumentValidation',
+    'Test-AzdoOrganizationTriggerPullRequestGitHubRepository',
+    'Test-AzdoProjectCollectionAdministrator',
+    'Test-AzdoPublicProject',
+    'Test-AzdoResourceUsageProject',
+    'Test-AzdoResourceUsageWorkItemTag',
+    'Test-AzdoRestrictFullScopePersonalAccessToken',
+    'Test-AzdoRestrictPersonalAccessTokenLifespan',
+    'Test-AzdoSSHAuthentication',
+    'Test-AzdoThirdPartyAccessViaOauth',
+    'Test-AzdoValidateSshKeyExpiration'
 
     # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
     CmdletsToExport      = @()

@@ -77,7 +77,7 @@ function Add-MtTestResultDetail {
         [ValidateSet('NotConnectedAzure', 'NotConnectedExchange', 'NotConnectedGraph', 'NotDotGovDomain', 'NotLicensedEntraIDP1', 'NotConnectedSecurityCompliance', 'NotConnectedTeams',
             'NotLicensedEntraIDP2', 'NotLicensedEntraIDGovernance', 'NotLicensedEntraWorkloadID', 'NotLicensedExoDlp', "LicensedEntraIDPremium", 'NotSupported', 'Custom',
             'NotLicensedMdo', 'NotLicensedMdoP2', 'NotLicensedMdoP1', 'NotLicensedAdvAudit', 'NotLicensedEop', 'Error', 'NotSupportedAppPermission', 'LimitedPermissions', 'NotLicensedDefenderXDR',
-            'NotLicensedCustomerLockbox','NotAuthorized', 'NotLicensedIntune'
+            'NotLicensedCustomerLockbox','NotAuthorized', 'NotLicensedIntune', 'NotConnectedAzureDevOps'
         )]
         [string] $SkippedBecause,
 

@@ -0,0 +1,17 @@
+Request access to Azure DevOps by e-mail notifications to administrators **should be** disabled.
+
+Rationale: Access control to Azure DevOps is to be a controlled process where access is granted and tracked.
+
+#### Remediation action:
+Disable the policy to stop these requests and notifications.
+1. Sign in to your organization.
+2. Choose Organization settings.
+3. Select Policies, locate the Request Access policy and toggle it to off.
+4. Provide the URL to your internal process for gaining access. Users see this URL in the error report when they try to access the organization or a project within the organization that they don't have permission to access.
+
+**Results:**
+When users try to access a project without the required permissions, the error message includes the request access URL. This link is shown on the error page to maintain confidentiality, regardless of whether the project exists.
+
+#### Related links
+
+* [Azure DevOps Security - Disable your organization's Request Access policy](https://go.microsoft.com/fwlink/?linkid=2113172)
@@ -0,0 +1,46 @@
+<#
+.SYNOPSIS
+    Returns a boolean depending on the configuration.
+
+.DESCRIPTION
+    Checks the status of the 'Request Access' policy in Azure DevOps to prevent users from requesting access to your organization or projects.
+    When this policy is enabled, users can request access, and administrators receive email notifications for review and approval.
+    Disabling the policy stops these requests and notifications, helping you control access more tightly.
+
+    https://go.microsoft.com/fwlink/?linkid=2113172
+
+.EXAMPLE
+    ```
+    Test-AzdoAllowRequestAccessToken
+    ```
+
+    Returns a boolean depending on the configuration.
+
+.LINK
+    https://maester.dev/docs/commands/Test-AzdoAllowRequestAccessToken
+#>
+
+function Test-AzdoAllowRequestAccessToken {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if ($null -eq (Get-ADOPSConnection)['Organization']) {
+        Write-Verbose 'Not connected to Azure DevOps'
+        Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason 'Not connected to Azure DevOps'
+        return $null
+    }
+
+    $UserPolicies = Get-ADOPSOrganizationPolicy -PolicyCategory 'User' -Force
+    $Policy = $UserPolicies.policy | where-object -property name -eq 'Policy.AllowRequestAccessToken'
+    $result = $Policy.effectiveValue
+    if ($result) {
+        $resultMarkdown = "When enabled, this policy allows users to request access, triggering email notifications to administrators for review and approval."
+    } else {
+        $resultMarkdown = "Disabling the policy stops these requests and notifications."
+    }
+
+    Add-MtTestResultDetail -Result $resultMarkdown
+
+    return $result
+}
@@ -0,0 +1,17 @@
+Access to Azure DevOps **should be** a controlled process managed by the IAM team or the appropriate Azure DevOps administrator roles.
+
+Rationale: By default, all administrators can invite new users to their Azure DevOps organization. Disabling this policy prevents Team and Project Administrators from inviting new users.
+Project Collection Administrators (PCAs) can still add new users to the organization regardless of the policy status. Additionally, if a user is already a member of the organization, Project and Team Administrators can add that user to specific projects.
+
+#### Remediation action:
+Disable the policy to stop these invitations.
+1. Sign in to your organization.
+2. Choose Organization settings.
+3. Select Policies, locate the **Allow team and project administrators to invite new users** policy and toggle it to off.
+4. Now, only Project Collection Administrators can invite new users to Azure DevOps.
+
+> Project and Team Administrators can directly add users to their projects through the permissions blade. However, if they attempt to add users through the Add Users button located in the Organization settings > Users section, it's not visible to them. Adding a user directly through Project settings > Permissions doesn't result in the user appearing automatically in the Organization settings > Users list. For the user to be reflected in the Users list, they must sign in to the system.
+
+#### Related links
+
+* [Azure DevOps Security - Restrict administrators from inviting new users](https://aka.ms/azure-devops-invitations-policy)
@@ -0,0 +1,47 @@
+<#
+.SYNOPSIS
+    Returns a boolean depending on the configuration.
+
+.DESCRIPTION
+    By default, all administrators can invite new users to their Azure DevOps organization.
+    Disabling this policy prevents Team and Project Administrators from inviting new users or adding Entra groups.
+    However, Project Collection Administrators (PCAs) can still add new users and Entra groups to the organization regardless of the policy status.
+    Additionally, if a user is already a member of the organization, Project and Team Administrators can add that user to specific projects.
+
+    https://aka.ms/azure-devops-invitations-policy
+
+.EXAMPLE
+    ```
+    Test-AzdoAllowTeamAdminsInvitationsAccessToken
+    ```
+
+    Returns a boolean depending on the configuration.
+
+.LINK
+    https://maester.dev/docs/commands/Test-AzdoAllowTeamAdminsInvitationsAccessToken
+#>
+
+function Test-AzdoAllowTeamAdminsInvitationsAccessToken {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if ($null -eq (Get-ADOPSConnection)['Organization']) {
+        Write-Verbose 'Not connected to Azure DevOps'
+        Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason 'Not connected to Azure DevOps'
+        return $null
+    }
+
+    $PrivacyPolicies = Get-ADOPSOrganizationPolicy -PolicyCategory 'User' -Force
+    $Policy = $PrivacyPolicies.policy | where-object -property name -eq 'Policy.AllowTeamAdminsInvitationsAccessToken'
+    $result = $Policy.effectiveValue
+    if ($result) {
+        $resultMarkdown = "Team and project administrators are allowed to invite new users"
+    } else {
+        $resultMarkdown = "Enrolling to your Azure DevOps organization should be a controlled process."
+    }
+
+    Add-MtTestResultDetail -Result $resultMarkdown
+
+    return $result
+}
@@ -0,0 +1,24 @@
+Externally sourced package versions **should be** manually approved for internal use to prevent malicious packages from a public registry being inadvertently consumed.
+
+Rationale: Previously, Azure Artifacts feeds presented package versions from all of its upstream sources. This includes package versions that were originally pushed to an Azure Artifacts feed (internally sourced) and package versions from common public repositories like npmjs.com, NuGet.org, Maven Central, and PyPI (externally sourced).
+
+Configure a policy for additional security for your private feeds by limiting access to externally sourced packages when internally sourced packages are already present. This change provides a new layer of protection and prevents malicious packages from a public registry being inadvertently consumed. It does not affect any package versions that are already in use or cached in your feed.
+
+#### Remediation action:
+
+Enable the policy to opt-in for additional protective behavior.
+
+1. Sign in to your organization.
+2. Choose Organization settings.
+3. Select policies under the security section
+4. In the security policies section, toggle on ‘Additional protections when using public package registries’
+
+**Results:**
+The security behavior applies:
+when an internally sourced version is already in your feed, or
+when consuming a package from your feed for the first time (i.e. it is not yet in your feed), and at least one of the versions available from an upstream is internally sourced.
+With the new behavior, any versions from the public registry will be blocked and not made available to download. You are able to configure the upstream behavior to allow externally sourced package versions if you choose to.
+
+#### Related links
+
+* [Microsoft Devblogs - Changes to Azure Artifacts Upstream Behavior](https://devblogs.microsoft.com/devops/changes-to-azure-artifact-upstream-behavior/)
@@ -0,0 +1,46 @@
+<#
+.SYNOPSIS
+    Returns a boolean depending on the configuration.
+
+.DESCRIPTION
+    Checks the policy for additional security for your private feeds by limiting access to externally sourced packages when internally sourced packages are already present.
+    This provides a new layer of security, which prevents malicious packages from a public registry being inadvertently consumed.
+    These changes will not affect any package versions that are already in use or cached in your feed.
+
+    https://devblogs.microsoft.com/devops/changes-to-azure-artifact-upstream-behavior
+
+.EXAMPLE
+    ```
+    Test-AzdoArtifactsExternalPackageProtectionToken
+    ```
+
+    Returns a boolean depending on the configuration.
+
+.LINK
+    https://maester.dev/docs/commands/Test-AzdoArtifactsExternalPackageProtectionToken
+#>
+
+function Test-AzdoArtifactsExternalPackageProtectionToken {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if ($null -eq (Get-ADOPSConnection)['Organization']) {
+        Write-Verbose 'Not connected to Azure DevOps'
+        Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason 'Not connected to Azure DevOps'
+        return $null
+    }
+
+    $SecurityPolicies = Get-ADOPSOrganizationPolicy -PolicyCategory 'Security' -Force
+    $Policy = $SecurityPolicies.policy | where-object -property name -eq 'Policy.ArtifactsExternalPackageProtectionToken'
+    $result = $Policy.effectiveValue
+    if ($result) {
+        $resultMarkdown = "Your Azure DevOps tenant limits access to externally sourced packages when internally sourced packages are already present."
+    } else {
+        $resultMarkdown = "Your tenant should prefer to use internal source packages when present"
+    }
+
+    Add-MtTestResultDetail -Result $resultMarkdown
+
+    return $result
+}
@@ -0,0 +1,24 @@
+Audit logs **should be** retained according to your organization's needs and protected from purging.
+
+Rationale: Send auditing data to other Security Incident and Event Management (SIEM) tools and open new possibilities, such as the ability to trigger alerts for specific events, create views on auditing data, and perform anomaly detection. Setting up a stream also allows you to store more than 90-days of auditing data, which is the maximum amount of data that Azure DevOps keeps for your organizations.
+
+#### Remediation action:
+
+Create an audit stream, which sends data to other locations for further processing.
+
+1. Sign in to your organization.
+2. Choose Organization settings.
+3. Select Auditing.
+> If you don't see Auditing in Organization Settings, then auditing is not currently enabled for your organization. Someone in the organization owner or Project Collection Administrators (PCAs) group must enable Auditing in Organization Policies. You will then be able to see events on the Auditing page if you have the appropriate permissions.
+1. Go to the Streams tab, and then select New stream.
+2. Select the stream target that you want to configure, and then select from the following instructions to set up your stream target type.
+   1. Splunk
+   2. Event Grid
+   3. Azure Monitor Log
+
+**Results:**
+Audit streams represent a pipeline that flows audit events from your Azure DevOps organization to a stream target. At least every half hour, new audit events are bundled and streamed to your targets. 
+
+#### Related links
+
+* [Azure DevOps Security - Create audit streaming](https://learn.microsoft.com/en-us/azure/devops/organizations/audit/auditing-streaming?view=azure-devops)
@@ -0,0 +1,62 @@
+<#
+.SYNOPSIS
+    Returns a boolean depending on the configuration.
+
+.DESCRIPTION
+    Sends auditing data to Security Incident and Event Management (SIEM) tools and opens new possibilities,
+    such as the ability to trigger alerts for specific events, create views on auditing data, and perform
+    anomaly detection. Setting up a stream also allows you to store more than 90-days of auditing data,
+    which is the maximum amount of data that Azure DevOps keeps for your organizations.
+
+    https://learn.microsoft.com/en-us/azure/devops/organizations/audit/auditing-streaming?view=azure-devops
+
+.EXAMPLE
+    ```
+    Test-AzdoAuditStream
+    ```
+
+    Returns a boolean depending on the configuration.
+
+.LINK
+    https://maester.dev/docs/commands/Test-AzdoAuditStream
+#>
+
+function Test-AzdoAuditStream {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if ($null -eq (Get-ADOPSConnection)['Organization']) {
+        Write-Verbose 'Not connected to Azure DevOps'
+        Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason 'Not connected to Azure DevOps'
+        return $null
+    }
+
+    $AuditStreams = Get-ADOPSAuditStreams -ErrorAction SilentlyContinue
+
+    if ($null -eq $AuditStreams) {
+        $Message = "Audit Streams was not found. This may be due to insufficient permissions or the Azure DevOps Organization is not backed by an Entra ID tenant.
+        Please see [Manage Audit Streams](https://learn.microsoft.com/en-us/azure/devops/organizations/audit/auditing-streaming?view=azure-devops#prerequisites)"
+        Write-Verbose $Message
+        Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason $Message
+        return $null
+    } else {
+        if ($AuditStreams) {
+            if ('Enabled' -in $AuditStreams.status) {
+                $resultMarkdown = "Audit logs have been configured for long-term storage and purge protection."
+                $result = $true
+            } else {
+                $resultMarkdown = "Audit Streams have been configured for long-term storage and purge protection but is not enabled."
+                $result = $false
+            }
+        } else {
+            $resultMarkdown = "Audit Streams have not been configured for long-term storage and purge protection."
+            $result = $false
+        }
+
+        Add-MtTestResultDetail -Result $resultMarkdown
+
+        return $result
+    }
+
+}
@@ -0,0 +1,35 @@
+Restrict creation of global Personal Access Tokens (PATs) **should be** enabled.
+
+#### Prerequisites
+
+- Your organization must be linked to a Microsoft Entra tenant.
+- You must be an Azure DevOps Administrator to configure tenant policies.
+
+#### Rationale
+
+Global PATs can be used across all accessible organizations. Restricting their creation ensures tokens are confined to a single org, enforcing least privilege and reducing cross-org exposure risk.
+
+#### Remediation action
+
+Enable the tenant policy to stop creation of global PATs.
+1. Sign in to your organization (https://dev.azure.com/{Your_Organization}).
+2. Select Organization settings (gear icon).
+3. Select Microsoft Entra, locate the "Restrict global personal access token creation" policy.
+4. Move the toggle to On.
+
+#### Allowlist and exceptions
+
+- Add Microsoft Entra users or groups to the allowlist to exempt them from the restriction.
+- Prefer groups over individual users to avoid identity residency problems.
+
+**Existing PATs:**
+
+Existing global PATs remain valid until they expire; the policy affects only newly created tokens.
+
+**Results:**
+
+When enabled, new PATs must be associated with a single Azure DevOps organization. Users not on the allowlist cannot create global tokens.
+
+
+#### Related links
+* [Learn - Restrict creation of global PATs (tenant policy)](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/manage-pats-with-policies-for-administrators?view=azure-devops#restrict-creation-of-global-pats-tenant-policy)