caOptics by jsa2

CLI tool for Azure AD Conditional Access gap analysis

Created 2 years ago
335 stars

Top 82.0% on SourcePulse

Project Summary

This project, CA Optics, is an Azure AD Conditional Access Gap Analyzer aimed at security administrators and architects. It finds combinations of sign-in conditions that no Conditional Access policy covers. Such gaps do not show up in sign-in logs, which only record combinations that have actually occurred, so the tool gives a fuller view of the policy set's posture than log review alone.

How It Works

CA Optics analyzes Azure AD Conditional Access policies by generating and evaluating every permutation of the policy conditions (users, apps, locations, device platforms, client apps, access controls). A recursive search builds the permutations, and each one is checked against the policy set; a "gap" is a permutation for which no policy terminates the evaluation, that is, no enabled policy either blocks the sign-in or enforces a grant control on it. The tool is opinionated: it favours an "exclude-based" Conditional Access design, in which policies are scoped broadly (for example to all users) and then narrowed by exclusions, rather than an "include-based" design that opts specific populations in.
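The permutation-and-gap idea above, as an added illustration in JavaScript (the project's runtime) that is not caOptics' own code: the policy and group shapes, the `state`/`control` values, the bounded nesting-depth parameter and all tenant data are a constructed, simplified model written for this page, not the tool's real data model. It shows how an exclude-based policy set is evaluated against the full permutation space, why a report-only policy does not close a gap, and how the group-nesting depth limit changes the result.

```javascript
// Added illustration of exclude-based Conditional Access gap analysis.
// NOT caOptics' code: policy/group shapes are a simplified hypothetical
// model and every user, group and policy below is constructed.

// Constructed tenant: nested group membership plus a break-glass group.
const GROUPS = {
  "all-staff":   { users: ["alice", "bob"], groups: ["contractors"] },
  "contractors": { users: ["carol"],        groups: ["vendors"] },
  "vendors":     { users: ["dave"],         groups: [] },
  "break-glass": { users: ["erin"],         groups: [] },
};
const USERS = ["alice", "bob", "carol", "dave", "erin"];

// Dimensions whose cartesian product is the permutation space (constructed).
const DIMENSIONS = {
  platform:  ["windows", "ios", "linux"],
  location:  ["trusted", "untrusted"],
  clientApp: ["browser", "mobile"],
};

// Constructed policies in the exclude-based style: include broadly, then
// carve out exceptions. An omitted condition matches any value.
const POLICIES = [
  { name: "MFA off-network", state: "enabled", control: "mfa",
    users: { include: "All", excludeGroups: ["break-glass"] },
    conditions: { location: ["untrusted"] } },
  { name: "Compliant device on-network", state: "enabled", control: "compliantDevice",
    users: { includeGroups: ["all-staff"] },
    conditions: { location: ["trusted"], platform: ["windows", "ios"] } },
  { name: "Block Linux", state: "reportOnly", control: "block",   // does not enforce
    users: { include: "All" },
    conditions: { platform: ["linux"] } },
];

// Transitive group membership, bounded by nesting depth (depth 0 = direct
// members only). `path` is the chain of groups already entered on this
// branch, so a membership cycle cannot recurse forever.
function expandGroup(name, depth, path = []) {
  const members = new Set();
  const group = GROUPS[name];
  if (!group || path.includes(name)) return members;
  group.users.forEach((u) => members.add(u));
  if (depth > 0) {
    for (const child of group.groups) {
      expandGroup(child, depth - 1, [...path, name]).forEach((u) => members.add(u));
    }
  }
  return members;
}

// Is this user inside the policy's user scope (includes minus excludes)?
function userInScope(policy, user, depth) {
  const scope = policy.users;
  const inGroups = (names = []) => names.some((g) => expandGroup(g, depth).has(user));
  const included = scope.include === "All" || inGroups(scope.includeGroups);
  const excluded = (scope.excludeUsers || []).includes(user) || inGroups(scope.excludeGroups);
  return included && !excluded;
}

// Does an enabled policy apply to this permutation? Report-only and
// disabled policies never terminate evaluation, so they never close a gap.
function policyApplies(policy, perm, depth) {
  if (policy.state !== "enabled") return false;
  if (!userInScope(policy, perm.user, depth)) return false;
  return Object.entries(policy.conditions).every(([dim, values]) => values.includes(perm[dim]));
}

// Recursive permutation builder: fix one dimension, recurse on the rest.
function permutations(dims, keys = Object.keys(dims), partial = {}) {
  if (keys.length === 0) return [{ ...partial }];
  const [key, ...rest] = keys;
  return dims[key].flatMap((v) => permutations(dims, rest, { ...partial, [key]: v }));
}

// A gap is a permutation that no enabled policy applies to.
function findGaps(depth = 2) {
  const dims = { user: USERS, ...DIMENSIONS };
  return permutations(dims).filter((perm) => !POLICIES.some((p) => policyApplies(p, perm, depth)));
}

// Stand-alone run: gap count at two nesting depths, plus a few examples.
console.log(`depth 2: ${findGaps(2).length} gaps, depth 1: ${findGaps(1).length} gaps`);
findGaps(2).slice(0, 4).forEach((g) => console.log(JSON.stringify(g)));
```

In this model the break-glass account `erin` is uncovered everywhere (the intended exception, but the analyzer still surfaces it for review), Linux on the trusted network is uncovered for everyone because the only Linux policy is report-only, and lowering the nesting depth from 2 to 1 drops `dave` out of `all-staff` and so opens further gaps. The same mechanics are why a depth cap for performance is a trade-off rather than a free optimisation.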

Quick Start & Requirements

  • Install: run npm install inside the cloned repository.
  • Run: node ./ca/main.js with the relevant flags (for example --mapping or --clearPolicyCache).
  • Prerequisites: Node.js 14 LTS (Linux) or 16 LTS (Windows); an account holding the Security Reader role in Azure AD, which is enough to read policies and group membership without being able to change them. Azure CLI is recommended for authentication but not strictly required.
  • Network access: graph.microsoft.com and login.microsoftonline.com at run time; github.com and npmjs.com for installation.
  • Background reading (Microsoft's Conditional Access overview, not project documentation): https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Highlighted Details

  • Finds gaps that sign-in logs cannot show, because the logs only record condition combinations that have actually occurred.
  • Evaluates policies scoped by users, groups, roles, cloud apps, device platforms, locations, client apps, and access controls.
  • Expands nested group membership only to a bounded depth, to keep run time manageable on large tenants.
  • Offers cache-clearing flags (--clearPolicyCache, --clearTokenCache, --clearMappingCache) so a scan reflects the current policy set rather than cached state.
  • Can expand specific group memberships for detailed inspection (--expand).

Maintenance & Community

The project is archived and set to read-only due to shifting development priorities.

Licensing & Compatibility

The README states only that the project's dependencies are MIT-licensed and does not itself declare a license for the project; the GitHub repository, however, is listed under the MIT license.

Limitations & Caveats

The project is archived and no longer maintained, so it will not track later changes to Conditional Access or to the Graph API. It does not evaluate risk-based (sign-in or user risk) policies, and it leaves legacy authentication out of the permutation space unless a flag includes it. It assumes an "exclude-based" Conditional Access design; results for an "include-based" design may be incomplete or misleading. The tool performs no input sanitization and is meant to be run by an operator from a controlled workstation, not exposed to untrusted input or environments.

Health Check

  • Last commit: 1 year ago
  • Responsiveness: inactive
  • Pull requests (30d): 0
  • Issues (30d): 0
  • Star history: 1 star in the last 30 days
