Test-MtCisPasswordExpiry: Only Check domains with isVerified: true to avoid false positives #1757

Open. blindzero wants to merge 11 commits into maester365:main from blindzero:main

@blindzero
Contributor

📑 Description

Test-MtCisPasswordExpiry was checking on PasswordValidityPeriodInDays and isManaged: true for domains.
With unverified domains this led to false positive errors, as unverified domains have PasswordValidityPeriodInDays: false, although the setting is globally applied in Microsoft 365 Admin Portal UI.

My assumption is that unverified domains can't be properly used in Microsoft 365 anyway and therefore should be excluded from this test. As soon as a domain is verified, the proper PasswordValidityPeriodInDays value from tenant configuration is applied (checked this with a new domain on our end).

Changes

$result filter was enriched with -and ($isVerified -eq $true)

Closes #1714

✅ Checks

  • My pull request adheres to the code style of this project.
  • My code requires changes to the documentation.
  • I have updated the documentation as required.
  • The build and unit tests pass after running /powershell/tests/pester.ps1 locally.
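
The filtering described in this pull request, as an added example that is not taken from the PR or from Maester's code: only managed, verified domains are evaluated, a string-valued period is parsed before comparison, and an empty scope is reported as skipped. The function name `Get-DomainExpiryVerdict`, the sample domains and the use of 2147483647 as the "never expire" value are assumptions.

```powershell
# Added illustration, not the Maester implementation.
# Assumption: Graph reports 2147483647 for "passwords never expire".
$NeverExpire = 2147483647

function Get-DomainExpiryVerdict {   # hypothetical helper name
    param([Parameter(Mandatory)][object[]]$Domains)

    # Scope: managed AND verified. A missing isVerified property is $null,
    # which is not -eq $true, so such a domain is left out of scope.
    $inScope = @($Domains | Where-Object {
        $_.authenticationType -eq 'Managed' -and $_.isVerified -eq $true
    })

    # Nothing to evaluate must not read as a pass.
    if ($inScope.Count -eq 0) {
        return [pscustomobject]@{ Status = 'Skipped'; Failing = @() }
    }

    $failing = @($inScope | Where-Object {
        $days = 0L
        # The value may arrive as a number or a string; parse either form.
        $parsed = [long]::TryParse([string]$_.passwordValidityPeriodInDays, [ref]$days)
        (-not $parsed) -or ($days -ne $NeverExpire)
    })

    $status = if ($failing.Count -eq 0) { 'Passed' } else { 'Failed' }
    [pscustomobject]@{ Status = $status; Failing = @($failing.id) }
}

# Constructed sample data (not real tenant output).
$sample = @(
    [pscustomobject]@{ id = 'contoso.example'; authenticationType = 'Managed'
                       isVerified = $true;  passwordValidityPeriodInDays = 2147483647 }
    [pscustomobject]@{ id = 'pending.example'; authenticationType = 'Managed'
                       isVerified = $false; passwordValidityPeriodInDays = $null }
    [pscustomobject]@{ id = 'legacy.example';  authenticationType = 'Managed'
                       isVerified = $true;  passwordValidityPeriodInDays = '90' }
    [pscustomobject]@{ id = 'fed.example';     authenticationType = 'Federated'
                       isVerified = $true;  passwordValidityPeriodInDays = $null }
)

Get-DomainExpiryVerdict -Domains $sample | Format-List
```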

… avoid false positives with MD double newline fix
@codacy-production

codacy-production Bot commented May 9, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues


@blindzero blindzero marked this pull request as ready for review May 10, 2026 13:16
@blindzero blindzero requested a review from a team as a code owner May 10, 2026 13:16
Contributor

@Mynster9361 Mynster9361 left a comment

Although this is not listed in the CIS documentation for this test, I believe this addition is needed to avoid false positives.

LGTM

@SamErde SamErde requested a review from Copilot May 11, 2026 09:17
@SamErde SamErde added bug Something isn't working maester-test Related to a Maester test labels May 11, 2026
@SamErde
Contributor

SamErde commented May 11, 2026

Thanks, @blindzero! Great catch!
Thanks for adding a review, @Mynster9361!

SamErde
SamErde previously approved these changes May 11, 2026
Contributor

Copilot AI left a comment

Pull request overview

This PR updates the CIS control implementation for password expiry to avoid false positives by excluding unverified domains from evaluation when querying Microsoft Graph domain settings.

Changes:

  • Filter Test-MtCisPasswordExpiry results to only include domains where isVerified is true.
  • Minor Markdown formatting cleanup in the CIS guidance page.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| powershell/public/cis/Test-MtCisPasswordExpiry.ps1 | Adds isVerified filtering to avoid flagging unverified domains as failing. |
| powershell/public/cis/Test-MtCisPasswordExpiry.md | Removes an extra blank/whitespace line in the guidance content. |

Comment thread powershell/public/cis/Test-MtCisPasswordExpiry.ps1 Outdated
Comment thread powershell/public/cis/Test-MtCisPasswordExpiry.ps1 Outdated
@SamErde
Contributor

SamErde commented May 11, 2026

@copilot apply changes based on the comments in this thread

@blindzero
Contributor Author

@SamErde added safety net for string value of passwordExpiry value. Ready for review. Thx.

Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Comment on lines +37 to +38
if (($_.authenticationType -ne "Managed") -or ($_.isVerified -ne $true)) {
return $false
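
Review bot: On the `-or ($_.isVerified -ne $true)` branch, `-ne $true` is also true when isVerified is $null or missing from the returned object, so a domain whose property was never retrieved is dropped exactly like an unverified one. Make sure isVerified is among the properties requested for each domain, and that the case where every domain returns $false here is reported as skipped rather than as a pass, since the test then has nothing to evaluate.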
Contributor

@copilot apply changes based on this feedback

Contributor

FYI, @blindzero.

Contributor Author

@SamErde good one...thanks. implemented skip result logic. All tests ✅

Comment thread powershell/public/cis/Test-MtCisPasswordExpiry.ps1
Development

Successfully merging this pull request may close these issues.

🪲 CIS.M365.1.3.1 Test-MtCisPasswordExpiry failing though setting activated