fix(data): rebadge ENTRA-SSPR-001 to MFA Registration Campaign semantics (closes #355) #397
Merged
…ics (closes #355)

Downstream collectors read Microsoft Graph /v1.0/policies/authenticationMethodsPolicy → registrationEnforcement.authenticationMethodsRegistrationCampaign for this CheckID, not SSPR enablement (despite the SSPR-prefixed name and CIS 5.2.4.1 mapping). Microsoft historically nested registration-campaign config under the SSPR policy object in Graph for legacy reasons; functionally it's MFA enrollment acceleration.

Applied Option C from #355 (rename + unmap, preserving CheckID for backwards compat — full A-style split deferred to v1.0 cross-repo contract infrastructure where consumer notification is automated):
- name: "Self service password reset enabled = All" -> "MFA Registration Campaign enabled to nudge users toward stronger methods"
- category: SSPR -> AUTHMETHOD
- rationale + impact: rewritten for Registration Campaign + AiTM/SIM-swap threat framing
- references: now point at Microsoft Learn registration-campaign docs
- cisM365ControlId 5.2.4.1 dropped (RegCampaign is not 5.2.4.1)

CIS 5.2.4.1 coverage of actual SSPR enablement is now an explicit gap; future ENTRA-SSPR-002 fills it.

Surfaced upstream by Galvnyz/M365-Assess#878.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Framework mapping count delta
Result: ✓ PASS — no framework mapping regressions detected.

Content enrichment population
Overall (1105 checks): rationale 26.3% (291/1105) • impact 26.3% (291/1105) • references 26.3% (291/1105)
Informational only — does not gate the build. The hard release-gate for Critical/High enrichment lives in #281 (v3.2.0).
Daren9m added a commit that referenced this pull request on May 6, 2026
Establishes docs/adr/ as the home for durable architectural decisions, distinct from the sprint plans in docs/plans/ and the point-in-time inventories in docs/audits/. All five ADRs land at Status: Proposed and flip to Accepted when their implementing PR(s) merge.
- 0001 adopt ADR convention (MADR-light, location, lifecycle)
- 0002 portal-path vocabulary (Entra admin center allow/deny-list, Pester-enforced)
- 0003 hasAutomatedCheck=true requires a documented mechanism (schema conditional; gated on a service-prefix-batched audit of the ~1,038 entries that currently claim automation without evidence)
- 0004 portal-path source-of-truth precedence (CIS-mapped: SecFrame CSV at build time; non-CIS: manual + lastVerified)
- 0005 coverage gaps without supported Graph API (file as hasAutomatedCheck=false with full mappings; resolves the ENTRA-SSPR-002 false-claim and the CIS M365 v6 5.2.4.1 gap PR #397 left behind)

Motivated by docs/plans/399-sspr-research.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Daren9m added a commit that referenced this pull request on May 7, 2026
…347 enrichment materialize

Bundles three changes that all surface from a clean rebuild against SCF 2026.1 scf.db:

1. ENTRA-SSPR-002 hasAutomatedCheck: true -> false. The "SSPR enabled for admin accounts" check has been claiming automation despite no supported Microsoft Graph endpoint for the SSPR scope toggle (only the undocumented main.iam.ad.ext.azure.com internal API). Confirmed no collector exists in Galvnyz/M365-Assess; the related SSPR-001 collector self-emits 'Not auto-measurable via Microsoft Graph'. Flipped to false with notes documenting the gap. Stale parent path also corrected from 'Protection >' to 'Entra ID >' under the same touch. Cites ADR-0005 (coverage-gap policy) and ADR-0002 (portal path vocabulary).

2. New ENTRA-SSPR-003 covers CIS M365 v6 5.2.4.1 (All-users SSPR enablement) that PR #397 dropped from SSPR-001 during the MFA Registration Campaign rebadge. Filed as hasAutomatedCheck: false with the CIS mapping restored, per ADR-0005's rule for compliance-relevant controls without supported automation.

3. CIS M365 v6 phase-1 enrichment fields (sectionNumber, assessmentStatus, cisSafeguardsByVersion, defaultValue, references) materialize across 156 v6 entries. v3.4.0 shipped the ingestion infrastructure (#347) with a CHANGELOG note flagging a rebuild was needed; this commit completes that pending action.

Tests: 377/377 Pester pass. Total checks 1105 -> 1106; manual checks 4 -> 6 (SSPR-002 flip + SSPR-003 add); automated 1101 -> 1100.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

Closes #355. Surfaced upstream by Galvnyz/M365-Assess#878. The CheckID ENTRA-SSPR-001 had a name + CIS 5.2.4.1 mapping suggesting it measured Self-Service Password Reset enablement, but the Graph signal that downstream collectors actually read is the MFA Registration Campaign:

These are different controls. Microsoft historically nested the registration-campaign config under the SSPR policy object in Graph for legacy reasons, but functionally it's MFA enrollment acceleration, not password reset. Result: any consumer that implements ENTRA-SSPR-001 ends up either (a) measuring the wrong setting under the SSPR label, or (b) leaving CIS 5.2.4.1 unimplemented. Both produce misleading reports.

Approach: Option C from #355

The issue listed three options. Picking Option C (rename + unmap, preserving CheckID for backwards compatibility) because ENTRA-SSPR-001 is referenced by downstream consumers (M365-Assess, Az-Assess, EZ-CMMC). A rename is a breaking change.

What changed

- name: "Ensure 'Self service password reset enabled' is set to 'All'" -> "Ensure MFA Registration Campaign is enabled to nudge users toward stronger methods"
- category: SSPR -> AUTHMETHOD
- cisM365ControlId: 5.2.4.1 -> (dropped)
- cisM365Profiles: [E3-L1, E5-L1] -> (dropped)
- frameworks.cis-m365-v6: (dropped)
- rationale, impact, references, impactRationale: rewritten

What didn't change

- CheckID ENTRA-SSPR-001 (Option C tradeoff: the SSPR-prefixed CheckID name is now technically misleading, deferred to a future rename under v1.0)
- Entra (correct)
- IAC-10.x (multifactor authentication / authentication management) — these still apply

CIS 5.2.4.1 coverage gap

This PR explicitly leaves CIS M365 v6 §5.2.4.1 (real SSPR-enabled-for-All check) unmapped. A future ENTRA-SSPR-002 will measure actual SSPR enablement via the correct Graph endpoint. Filed in the audit-followup tracker for #375 (authentication methods) eventually.

Files

- data/scf-check-mapping.json — surgical edit to ENTRA-SSPR-001 entry
- data/registry.json — surgical edit (mirrors scf-check-mapping change + drops frameworks.cis-m365-v6)
- CHANGELOG.md — [Unreleased] / Fixed entry

Test plan

- tests/registry-integrity.Tests.ps1 — 43/43 pass locally (all checks resolve cleanly; the new #352 gate ("data-quality: 24 of 180 CIS-mapped checks reference recommendation #s not in v6.0.1 (likely v6.0 stale)") from PR #396 ("fix(data): reconcile 24 stale CIS M365 v6.0 recommendation IDs to v6.0.1 (closes #352)") is not on this branch but should pass on rebase)
- frameworks after change: 12 frameworks remain mapped (cis-controls-v8, cmmc, fedramp, iso-27001, iso-27002, iso-27017, mitre-attack, nist-800-171, nist-800-53, nist-csf, pci-dss, soc2)

Out of scope

- ENTRA-SSPR-002 for genuine SSPR enablement — separate issue, file once a Graph endpoint is identified
- ENTRA-SSPR-001 → ENTRA-AUTHMETHOD-REGCAMPAIGN-001 (Option A) — deferred to v1.0 cross-repo contract bump infrastructure
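As an added example (not the project's collector and not code from this PR), the following shows what a collector evaluates for the rebadged ENTRA-SSPR-001 from the Graph field named in the Summary, and why the CIS 5.2.4.1 SSPR-enablement check cannot be inferred from the same policy object. The sample payload, the evidence keys and the pass/fail/manual status vocabulary are constructed for this example.

```python
import json

# Constructed sample of a GET /v1.0/policies/authenticationMethodsPolicy
# response, trimmed to the fields this check reads (not captured from a tenant).
SAMPLE_POLICY = json.loads("""
{
  "id": "authenticationMethodsPolicy",
  "registrationEnforcement": {
    "authenticationMethodsRegistrationCampaign": {
      "snoozeDurationInDays": 1,
      "state": "enabled",
      "includeTargets": [
        {"id": "all_users", "targetType": "group",
         "targetedAuthenticationMethod": "microsoftAuthenticator"}
      ]
    }
  }
}
""")


def evaluate_entra_sspr_001(policy: dict) -> dict:
    """Rebadged ENTRA-SSPR-001: read registrationEnforcement.
    authenticationMethodsRegistrationCampaign, never an SSPR toggle.
    Pass only when state is 'enabled' and at least one target is in scope;
    'default' (left to Microsoft's managed setting) and 'disabled' both fail."""
    enforcement = policy.get("registrationEnforcement") or {}
    campaign = enforcement.get("authenticationMethodsRegistrationCampaign") or {}
    state = campaign.get("state", "default")
    targets = campaign.get("includeTargets") or []
    passed = state == "enabled" and len(targets) > 0
    return {
        "checkId": "ENTRA-SSPR-001",
        "category": "AUTHMETHOD",
        "status": "pass" if passed else "fail",
        "evidence": {
            "state": state,
            "includeTargetCount": len(targets),
            "snoozeDurationInDays": campaign.get("snoozeDurationInDays"),
        },
    }


def evaluate_entra_sspr_003(policy: dict) -> dict:
    """CIS 5.2.4.1 (all-users SSPR enablement): this Graph object carries no
    SSPR scope field, so never derive SSPR status from the campaign; report manual."""
    return {"checkId": "ENTRA-SSPR-003", "status": "manual",
            "note": "Not auto-measurable via Microsoft Graph"}
```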