microsoft · sandeepjha000 · Sep 19, 2025 · Sep 19, 2025 · Sep 19, 2025 · Sep 22, 2025
diff --git a/src/powershell/private/graph/Get-ZtAuthenticatorFeatureSettingTarget.ps1 b/src/powershell/private/graph/Get-ZtAuthenticatorFeatureSettingTarget.ps1
@@ -0,0 +1,38 @@
+function Get-ZtAuthenticatorFeatureSettingTarget {
+    <#
+    .SYNOPSIS
+    Retrieves the display name for an authenticator feature setting target.
+
+    .DESCRIPTION
+    This function translates authenticator feature setting target IDs into human-readable display names.
+    It handles special cases like 'all_users' and the null UUID for exclusions, and can resolve group names
+    for group-based targets.
+
+    .PARAMETER Target
+    The target object containing id and targetType properties.
+
+    .EXAMPLE
+    Get-ZtAuthenticatorFeatureSettingTarget -Target $includeTarget
+
+    .EXAMPLE
+    Get-ZtAuthenticatorFeatureSettingTarget -Target $excludeTarget
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory)]
+        [object]$Target
+    )
+
+    if ($Target.id -eq 'all_users') {
+        return "All users"
+    }
+    elseif ($Target.id -eq '00000000-0000-0000-0000-000000000000') {
+        return "No exclusions"
+    }
+    else {
+        if ($Target.targetType -eq 'group') {
+            $group = Invoke-ZtGraphRequest -RelativeUri "groups/$($Target.id)" -ApiVersion beta
+            "Group: $($group.displayName)"
+        }
+    }
+}
diff --git a/src/powershell/tests/Test-Assessment.21802.ps1 b/src/powershell/tests/Test-Assessment.21802.ps1
@@ -18,13 +18,14 @@ function Test-Assessment-21802 {
     [CmdletBinding()]
     param()
 
+
     Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose
 
-    $activity = "Checking Authenticator app shows sign-in context"
-    Write-ZtProgress -Activity $activity -Status "Getting authentication method policy"
+    $activity = 'Checking Authenticator app shows sign-in context'
+    Write-ZtProgress -Activity $activity -Status 'Getting authentication method policy'
 
     # Query Microsoft Authenticator authentication method configuration
-    $authenticatorConfig = Invoke-ZtGraphRequest -RelativeUri 'authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator' -ApiVersion 'v1.0'
+    $authenticatorConfig = Invoke-ZtGraphRequest -RelativeUri 'authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator' -ApiVersion 'beta'
     function Test-AuthenticatorFeatureSetting {
         [CmdletBinding()]
         param(
@@ -36,26 +37,6 @@ function Test-Assessment-21802 {
         $FeatureSetting.includeTarget.id -eq 'all_users' -and
         $FeatureSetting.excludeTarget.id -eq '00000000-0000-0000-0000-000000000000'
     }
-    function Get-AuthenticatorFeatureSettingTarget {
-        [CmdletBinding()]
-        param(
-            [Parameter(Mandatory)]
-            [object]$Target
-        )
-
-        if ($Target.id -eq 'all_users') {
-            return "All users"
-        }
-        elseif ($Target.id -eq '00000000-0000-0000-0000-000000000000') {
-            return "No exclusions"
-        }
-        else {
-            if ($Target.targetType -eq 'group') {
-                $group = Invoke-ZtGraphRequest -RelativeUri "groups/$($Target.id)" -ApiVersion 'v1.0'
-                "Group: $($group.displayName)"
-            }
-        }
-    }
 
     # Check if both app information and location information are properly configured
     $appInfoEnabled = Test-AuthenticatorFeatureSetting -FeatureSetting $authenticatorConfig.featureSettings.displayAppInformationRequiredState
@@ -69,13 +50,13 @@ function Test-Assessment-21802 {
         $testResultMarkdown = "Microsoft Authenticator notifications lack sign-in context.`n`n%TestResult%"
     }
 
-    if ($appInfoEnabled) {$appEmoji = "✅"} else {$appEmoji = "❌"}
-    if ($locationInfoEnabled) {$locationEmoji = "✅"} else {$locationEmoji = "❌"}
+    if ($appInfoEnabled) {$appEmoji = '✅'} else {$appEmoji = '❌'}
+    if ($locationInfoEnabled) {$locationEmoji = '✅'} else {$locationEmoji = '❌'}
 
     # Build the detailed sections of the markdown
 
     # Define variables to insert into the format string
-    $reportTitle = "Microsoft Authenticator settings"
+    $reportTitle = 'Microsoft Authenticator settings'
 
     # Create a here-string with format placeholders {0}, {1}, etc.
     $formatTemplate = @"
@@ -87,13 +68,13 @@ Feature Settings:
 
 $appEmoji **Application Name**
 - Status: $((Get-Culture).TextInfo.ToTitleCase($authenticatorConfig.featureSettings.displayAppInformationRequiredState.state.ToLower()))
-- Include Target: $(Get-AuthenticatorFeatureSettingTarget -Target $authenticatorConfig.featureSettings.displayAppInformationRequiredState.includeTarget)
-- Exclude Target: $(Get-AuthenticatorFeatureSettingTarget -Target $authenticatorConfig.featureSettings.displayAppInformationRequiredState.excludeTarget)
+- Include Target: $(Get-ztAuthenticatorFeatureSettingTarget -Target $authenticatorConfig.featureSettings.displayAppInformationRequiredState.includeTarget)
+- Exclude Target: $(Get-ztAuthenticatorFeatureSettingTarget -Target $authenticatorConfig.featureSettings.displayAppInformationRequiredState.excludeTarget)
 
 $locationEmoji **Geographic Location**
 - Status: $((Get-Culture).TextInfo.ToTitleCase($authenticatorConfig.featureSettings.displayLocationInformationRequiredState.state.ToLower()))
-- Include Target: $(Get-AuthenticatorFeatureSettingTarget -Target $authenticatorConfig.featureSettings.displayLocationInformationRequiredState.includeTarget)
-- Exclude Target: $(Get-AuthenticatorFeatureSettingTarget -Target $authenticatorConfig.featureSettings.displayLocationInformationRequiredState.excludeTarget)
+- Include Target: $(Get-ztAuthenticatorFeatureSettingTarget -Target $authenticatorConfig.featureSettings.displayLocationInformationRequiredState.includeTarget)
+- Exclude Target: $(Get-ztAuthenticatorFeatureSettingTarget -Target $authenticatorConfig.featureSettings.displayLocationInformationRequiredState.excludeTarget)
 
 "@
 
@@ -104,15 +85,9 @@ $locationEmoji **Geographic Location**
     $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $mdInfo
 
     $params = @{
-        TestId             = '21802'
-        Title              = 'Authenticator app shows sign-in context'
-        UserImpact         = 'Low'
-        Risk               = 'Medium'
-        ImplementationCost = 'Low'
-        AppliesTo          = 'Identity'
-        Tag                = 'Identity'
-        Status             = $passed
-        Result             = $testResultMarkdown
+        TestId = '21802'
+        Status = $passed
+        Result = $testResultMarkdown
     }
     Add-ZtTestResultDetail @params
 

diff --git a/src/powershell/tests/Test-Assessment.21838.md b/src/powershell/tests/Test-Assessment.21838.md
@@ -1,6 +1,10 @@
-...
+Enabling the security key authentication method in Microsoft Entra ID mitigates the risk of credential theft and unauthorized access by requiring hardware-backed, phishing-resistant authentication. If this best practice is not followed, threat actors can exploit weak or reused passwords, perform credential stuffing attacks, and escalate privileges through compromised accounts. The kill chain begins with reconnaissance where attackers gather information about user accounts, followed by credential harvesting through various techniques like social engineering or data breaches. Attackers then gain initial access using stolen credentials, move laterally within the network by exploiting trust relationships, and establish persistence to maintain long-term access. Without hardware-backed authentication like FIDO2 security keys, attackers can bypass basic password defenses and multi-factor authentication, increasing the likelihood of data exfiltration and business disruption. Security keys provide cryptographic proof of identity that is bound to the specific device and cannot be replicated or phished, effectively breaking the attack chain at the initial access stage. 
 
 **Remediation action**
 
+* [Enable passkey (FIDO2) authentication method](https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-passkey-fido2#enable-passkey-fido2-authentication-method)
+
+* [Authentication method policy management](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods-manage)
+
 <!--- Results --->
 %TestResult%
diff --git a/src/powershell/tests/Test-Assessment.21838.ps1 b/src/powershell/tests/Test-Assessment.21838.ps1
@@ -3,12 +3,12 @@
 
 #>
 
-function Test-Assessment-21838{
+function Test-Assessment-21838 {
     [ZtTest(
     	Category = 'Access control',
     	ImplementationCost = 'Low',
     	Pillar = 'Identity',
-    	RiskLevel = 'Low',
+    	RiskLevel = 'High',
     	SfiPillar = 'Protect identities and secrets',
     	TenantType = ('Workforce','External'),
     	TestId = 21838,
@@ -20,16 +20,52 @@ function Test-Assessment-21838{
 
     Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose
 
-    $activity = "Checking Security key authentication method enabled"
-    Write-ZtProgress -Activity $activity -Status "Getting policy"
+    $activity = 'Checking security key authentication method enabled'
+    Write-ZtProgress -Activity $activity -Status 'Getting FIDO2 authentication method policy'
 
-    $result = $false
-    $testResultMarkdown = "Planned for future release."
-    $passed = $result
+    # Query FIDO2 authentication method configuration
+    $fido2Config = Invoke-ZtGraphRequest -RelativeUri 'authenticationMethodsPolicy/authenticationMethodConfigurations/FIDO2' -ApiVersion beta
 
+    # Check if FIDO2 authentication method is enabled
+    $fido2Enabled = $fido2Config.state -eq 'enabled'
+
+    if ($fido2Enabled) {
+        $passed = $true
+        $testResultMarkdown = "Security key authentication method is enabled for your tenant, providing hardware-backed phishing-resistant authentication.`n`n%TestResult%"
+        $statusEmoji = '✅'
+    } else {
+        $passed = $false
+        $testResultMarkdown = "Security key authentication method is not enabled; users cannot register FIDO2 security keys for strong authentication.`n`n%TestResult%"
+        $statusEmoji = '❌'
+    }
+
+    # Build the detailed sections of the markdown
+    $reportTitle = 'FIDO2 security key authentication settings'
+
+    # Create a here-string with format placeholders {0}, {1}, etc.
+    $formatTemplate = @"
+
+## {0}
+
+$statusEmoji **FIDO2 authentication method**
+- Status: $((Get-Culture).TextInfo.ToTitleCase($fido2Config.state.ToLower()))
+- Include targets: $(if ($fido2Config.includeTargets -is [array] -and $fido2Config.includeTargets.Count -gt 0) { ($fido2Config.includeTargets | ForEach-Object { Get-ZtAuthenticatorFeatureSettingTarget -Target $_ }) -join ', ' } else { 'None' })
+- Exclude targets: $(if ($fido2Config.excludeTargets -is [array] -and $fido2Config.excludeTargets.Count -gt 0) { ($fido2Config.excludeTargets | ForEach-Object { Get-ZtAuthenticatorFeatureSettingTarget -Target $_ }) -join ', ' } else { 'None' })
+
+
+"@
+
+    # Format the template by replacing placeholders with values
+    $mdInfo = $formatTemplate -f $reportTitle
+
+    # Replace the placeholder with the detailed information
+    $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $mdInfo
+
+    $params = @{
+        TestId             = '21838'
+        Status             = $passed
+        Result             = $testResultMarkdown
+    }
+    Add-ZtTestResultDetail @params
 
-    Add-ZtTestResultDetail -TestId '21838' -Title "Security key authentication method enabled" `
-        -UserImpact Low -Risk Low -ImplementationCost Low `
-        -AppliesTo Identity -Tag Identity `
-        -Status $passed -Result $testResultMarkdown -SkippedBecause UnderConstruction
 }