MT.1020 - All Conditional Access policies are configured to exclude directory synchronization accounts or do not scope them.
Overview
Directory synchronization accounts are the service accounts Entra Connect uses to synchronize the on-premises directory with Entra ID. They should be excluded from every Conditional Access policy that is scoped to all cloud apps and all users, because Entra Connect does not support multifactor authentication and such a policy would break synchronization. Instead, restrict sign-ins from these accounts to trusted networks.
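As an added illustration of the check this test performs (example code, not Maester's own `Test-MtCaExclusionForDirectorySyncAccount` implementation), the function below walks a set of Conditional Access policy objects in the shape returned by the Microsoft Graph `identity/conditionalAccess/policies` endpoint and reports every enabled policy that targets all users and all cloud apps without excluding the Directory Synchronization Accounts directory role. The role template ID, the field names on the sample objects and the sample policies themselves are assumptions constructed for this example; they are not taken from the page.

```powershell
# Added example, not Maester project code. Flags enabled Conditional Access
# policies scoped to all users and all cloud apps that do not exclude the
# Directory Synchronization Accounts role.

# Well-known Entra role template ID for "Directory Synchronization Accounts".
# Assumed here (not on the page); confirm with Get-MgDirectoryRoleTemplate in your tenant.
$DirSyncRoleTemplateId = 'd29b2b05-8046-44ba-8758-1e26182fcf32'

function Test-CaExcludesDirectorySyncAccounts {
    [CmdletBinding()]
    param(
        # Policy objects shaped like Graph conditionalAccessPolicy resources
        # (e.g. from Get-MgIdentityConditionalAccessPolicy).
        [Parameter(Mandatory)] [object[]] $Policies,
        [string] $RoleTemplateId = $DirSyncRoleTemplateId
    )

    foreach ($p in $Policies) {
        # Only enabled policies enforce anything; report-only and disabled are skipped.
        if ($p.state -ne 'enabled') { continue }

        $users = $p.conditions.users
        $apps  = $p.conditions.applications

        # The sync accounts are only caught by default when both scopes are "All".
        $allUsers = @($users.includeUsers) -contains 'All'
        $allApps  = @($apps.includeApplications) -contains 'All'
        if (-not ($allUsers -and $allApps)) { continue }

        # Compliant when the sync-accounts role is listed under excludeRoles.
        $excludesRole = @($users.excludeRoles) -contains $RoleTemplateId
        if (-not $excludesRole) {
            [pscustomobject]@{
                PolicyId    = $p.id
                DisplayName = $p.displayName
                Finding     = 'All users + all apps without excluding Directory Synchronization Accounts'
            }
        }
    }
}

# Constructed sample policies (not real tenant data). Only the first should be reported:
# it covers everything and has no role exclusion. The second excludes the role, the
# third is not scoped to all apps, the fourth is report-only.
$samplePolicies = @(
    [pscustomobject]@{ id = 'policy-0001'; displayName = 'Require MFA for all users'; state = 'enabled'
        conditions = [pscustomobject]@{
            users        = [pscustomobject]@{ includeUsers = @('All'); excludeRoles = @() }
            applications = [pscustomobject]@{ includeApplications = @('All') } } }
    [pscustomobject]@{ id = 'policy-0002'; displayName = 'Block legacy auth'; state = 'enabled'
        conditions = [pscustomobject]@{
            users        = [pscustomobject]@{ includeUsers = @('All'); excludeRoles = @($DirSyncRoleTemplateId) }
            applications = [pscustomobject]@{ includeApplications = @('All') } } }
    [pscustomobject]@{ id = 'policy-0003'; displayName = 'MFA for Azure management'; state = 'enabled'
        conditions = [pscustomobject]@{
            users        = [pscustomobject]@{ includeUsers = @('All'); excludeRoles = @() }
            applications = [pscustomobject]@{ includeApplications = @('797f4846-ba00-4fd7-ba43-dac1f8f63013') } } }
    [pscustomobject]@{ id = 'policy-0004'; displayName = 'Pilot: require compliant device'; state = 'enabledForReportingButNotEnforced'
        conditions = [pscustomobject]@{
            users        = [pscustomobject]@{ includeUsers = @('All'); excludeRoles = @() }
            applications = [pscustomobject]@{ includeApplications = @('All') } } }
)

Test-CaExcludesDirectorySyncAccounts -Policies $samplePolicies | Format-Table -AutoSize
```

The example checks only the role-based exclusion, which is the form the test title refers to; a tenant that instead excludes the individual sync account object IDs under `excludeUsers` would still be reported by this simplified version. To run it against live data, replace `$samplePolicies` with the output of `Get-MgIdentityConditionalAccessPolicy` from the Microsoft.Graph module.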
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1020 |
| Severity | High |
| Suite | Maester |
| Category | CA |
| PowerShell test | Test-MtCaExclusionForDirectorySyncAccount |
| Tags | CA, Maester, MT.1020 |
Source
- Pester test: tests/Maester/Entra/Test-ConditionalAccessBaseline.Tests.ps1
- PowerShell source: powershell/public/maester/entra/Test-MtCaExclusionForDirectorySyncAccount.ps1