
Conversation

@skirkpatrickMSFT
Collaborator

🗣 Description

This PR addresses issue 1664 regarding the implementation of the new Teams app policy settings in the Teams admin portal and allows users to utilize interactive authentication to review their app policy settings.

The Unified implementation of these settings is not currently available when using a registered application. This means interactive authentication needs to be used to pull the newer version of the settings.

Updates to the baseline accommodate the different settings. These highlight that legacy policies should not be modified if the settings had not been changed previously.

💭 Motivation and context

Application policy settings in the Teams Admin center moved to a new location in the portal. The settings are also pulled using a different cmdlet in the Teams PowerShell Module. This change to the code adds the -UseNewTeamsAppSettings parameter to ScubaGear to allow testing of the new settings when running in interactive mode. Updates to Rego were made to accommodate both the legacy settings and the new unified settings.

Closes #1664

🧪 Testing

CI Pipeline passed: https://github.com/cisagov/ScubaGear/actions/runs/19543826208
Smoke test passed: https://github.com/cisagov/ScubaGear/actions/runs/19577464417

Run in non-interactive mode without the new parameter to test the functionality that pulls and reports the legacy Teams app settings. This should function as usual.

Invoke-SCuBA -ProductNames teams -CertificateThumbprint LongAlphanumeric -AppID ID -Organization blah -OutPath "C:\Users\blah" -ConfigFilePath "C:\Blah"

Run ScubaGear in interactive mode without the new parameter; it should pull legacy policies if you have them (the policies are still available in the API but not in the portal).

Invoke-SCuBA -ProductNames teams -Organization blah -OutPath "C:\Users\blah" -ConfigFilePath "C:\Blah"

Finally, run ScubaGear in interactive mode with the new parameter.

Invoke-SCuBA -ProductNames teams -UseNewTeamsAppSettings -Organization blah -OutPath "C:\Users\blah" -ConfigFilePath "C:\Blah"

Rego and export providers were modified to allow for testing.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • PR targets the correct parent branch (e.g., main or release-name) for merge.
  • Changes are limited to a single goal - eschew scope creep!
  • Changes are sized such that they do not touch excessive number of files.
  • All future TODOs are captured in issues, which are referenced in code comments.
  • These code changes follow the ScubaGear content style guide.
  • Related issues these changes resolve are linked preferably via closing keywords.
  • All relevant type-of-change labels added.
  • All relevant project fields are set.
  • All relevant repo and/or project documentation updated to reflect these changes.
  • Unit tests added/updated to cover PowerShell and Rego changes.
  • Functional tests added/updated to cover PowerShell and Rego changes.
  • All relevant functional tests passed.
  • All automated checks (e.g., linting, static analysis, unit/smoke tests) passed.

✅ Pre-merge checklist

  • PR passed smoke test check.

  • Feature branch has been rebased against changes from parent branch, as needed

    Use Rebase branch button below or use this reference to rebase from the command line.

  • Resolved all merge conflicts on branch

  • Notified merge coordinator that PR is ready for merge via comment mention

  • Demonstrate changes to the team for questions and comments.
    (Note: Only required for issues of size Medium or larger)

✅ Post-merge checklist

  • Feature branch deleted after merge to clean up repository.
  • Verified that all checks pass on parent branch (e.g., main or release-name) after merge.
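The three test runs above exercise one decision: the export provider must pull the legacy app permission policies unless the run is interactive and -UseNewTeamsAppSettings is set, and it must warn (rather than silently fall back) when the switch is combined with certificate-based auth, where the unified settings cannot be retrieved. The following is an added example that models that decision; it is not ScubaGear's own provider code. The function name Get-TeamsAppSettingsExport, the two provider scriptblocks, and the sample property values are hypothetical stand-ins for the real Teams PowerShell cmdlets, which this page does not name.

```powershell
# Added example, not ScubaGear's code. Models the provider-selection logic
# described in the PR: legacy app permission policies by default, unified
# tenant app settings only when interactive auth and the switch are both present.
# $LegacyProvider / $UnifiedProvider are hypothetical scriptblocks standing in
# for the Teams PowerShell cmdlets (not named on this page).
function Get-TeamsAppSettingsExport {
    [CmdletBinding()]
    param(
        [string]$CertificateThumbprint,      # non-empty => app-only (non-interactive) auth
        [switch]$UseNewTeamsAppSettings,     # the parameter this PR adds to Invoke-SCuBA
        [scriptblock]$LegacyProvider,        # hypothetical: returns legacy policy objects
        [scriptblock]$UnifiedProvider        # hypothetical: returns unified setting objects
    )

    $Interactive = [string]::IsNullOrEmpty($CertificateThumbprint)

    # Both keys are always emitted; an uncollected set is an empty JSON array ("[]"),
    # mirroring the ConvertTo-Json @() fallback seen in the PR's provider code.
    $Result = [ordered]@{
        Mode              = 'legacy'
        Warnings          = @()
        TeamsAppPolicies  = ConvertTo-Json @()
        TenantAppSettings = ConvertTo-Json @()
    }

    if ($UseNewTeamsAppSettings -and -not $Interactive) {
        # The unified settings are not available to a registered application yet,
        # so the switch is ignored, but the operator is told why the report is legacy.
        $Result.Warnings += ('-UseNewTeamsAppSettings requires interactive authentication; ' +
                             'certificate-based auth was supplied, so legacy app permission ' +
                             'policies will be reported instead.')
    }

    if ($UseNewTeamsAppSettings -and $Interactive) {
        $Result.Mode = 'unified'
        $Result.TenantAppSettings = ConvertTo-Json @(& $UnifiedProvider) -Depth 5
    }
    else {
        $Result.TeamsAppPolicies = ConvertTo-Json @(& $LegacyProvider) -Depth 5
    }

    foreach ($w in $Result.Warnings) { Write-Warning $w }
    [pscustomobject]$Result
}

# Constructed sample providers; property names/values are illustrative only.
$Legacy  = { [pscustomobject]@{ Identity = 'Global'; DefaultCatalogAppsType = 'AllowedAppList' } }
$Unified = { [pscustomobject]@{ AppType = 'DefaultApp'; State = 'Allowed' } }

# Scenario 1 (Testing section): certificate auth, no switch -> legacy, no warning.
Get-TeamsAppSettingsExport -CertificateThumbprint 'LongAlphanumeric' `
    -LegacyProvider $Legacy -UnifiedProvider $Unified

# Scenario 2: interactive, no switch -> legacy (policies still exist in the API).
Get-TeamsAppSettingsExport -LegacyProvider $Legacy -UnifiedProvider $Unified

# Scenario 3: interactive with the switch -> unified settings.
Get-TeamsAppSettingsExport -UseNewTeamsAppSettings `
    -LegacyProvider $Legacy -UnifiedProvider $Unified

# Failure mode not in the Testing section: switch plus certificate auth.
# Expected: Mode stays 'legacy' and a warning explains why.
Get-TeamsAppSettingsExport -CertificateThumbprint 'LongAlphanumeric' -UseNewTeamsAppSettings `
    -LegacyProvider $Legacy -UnifiedProvider $Unified
```

The point of keeping Mode and the warning list on the returned object, rather than only writing to the warning stream, is that a Rego rule or a unit test can assert on which path was taken; a report that shows legacy results with no indication that the switch was ignored is exactly the confusion described later in this thread.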

Updated the Teams admin portal section to reflect changes in app management policies and provided commands for legacy implementation.
Updated note about Teams admin portal changes and app management.
Updated app permission policy checks for DefaultApp, GlobalApp, and PrivateApp tenant settings to ensure compliance with new requirements.
Added handling for certificate-based and interactive authentication scenarios, including warnings for users regarding app settings retrieval.
Updated report detail strings in legacy app permission policy checks to include additional context and validation notes.
Removed multiple test cases for MS.TEAMS.5.1v2, MS.TEAMS.5.2v2, and MS.TEAMS.5.3v2 policies.
Added parameter for new settings preference and updated warnings based on authentication method.
Added note about legacy command usage for application policies.
Emphasize the warning about legacy command usage in application policies.
@skirkpatrickMSFT skirkpatrickMSFT added this to the Orca milestone Nov 21, 2025
@skirkpatrickMSFT skirkpatrickMSFT self-assigned this Nov 21, 2025
@skirkpatrickMSFT skirkpatrickMSFT added the public-reported This issue is reported by the public users of the tool. label Nov 21, 2025
@skirkpatrickMSFT skirkpatrickMSFT linked an issue Nov 21, 2025 that may be closed by this pull request
Collaborator

Not sure if this is in scope or should be addressed in a separate PR, but the implementation steps we have don't match what I'm currently seeing in the admin center. Take the steps for 5.1:

3.  In the upper right-hand corner select **Actions**
4.  Select **Org-wide app settings**.

I'm not seeing "Actions" in the upper right corner. I'm seeing "Org-wide app settings" displayed right off the bat. We might need to delete step 3.

Image

Then for step 5:

5.  Under **Microsoft apps** > Select **On**

There is no "Microsoft apps" on this page at all. This is what I see:
Image

Does that mean 5.1 is OBE?

Collaborator Author

I just spun up a brand new tenant.

image

May have to further investigate this with your tenant.

Collaborator Author

@adhilto How old is the tenant you are using? Do you still have the settings under permissions policies?

Collaborator Author

@adhilto Can you look in your portal and follow the v1 instructions? Let me know if you still have those in your portal. I added the v1 settings to the markdown in my branch.

Collaborator

Some slight verbiage changes, but yes, I still have the old settings visible in the portal. It's a fairly old tenant. I went ahead and looked through a few of the tenants I have access to. 2 of them follow the old style and 1 of them matches the current implementation steps. I'd guess it depends on whether or not you had previously configured the legacy policies. Given that, we might want to have both sets of implementation steps. Or at least state somewhere that what they see in the admin center may differ if they previously configured the legacy policies.

"@
$TenantAppSettings = ConvertTo-Json @()
}
elseif ($UseNewSettings) {
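Review bot: the branch condition tests `$UseNewSettings`, while the user-facing switch this PR adds is `-UseNewTeamsAppSettings`; if the outer cmdlet does not pass the switch down to this variable at every call layer, the `elseif` is never taken and the export stays on the legacy path with no error, which is the behaviour reported in the next comment. Suggest a `Write-Verbose` of the resolved value just before the `if`/`elseif` and a unit test that calls the provider with the switch set under both the interactive and the certificate parameter sets. Also, the preceding branch writes `ConvertTo-Json @()` into `$TenantAppSettings`, so downstream Rego receives an empty array rather than a missing key; confirm the Rego treats `[]` as "not collected" and not as "no settings configured".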
Collaborator

I'm having a hard time with the parameter. Even when I use it with interactive auth, I'm still getting the legacy check. Am I doing something wrong?

Image

Collaborator Author

@skirkpatrickMSFT skirkpatrickMSFT Dec 2, 2025


HMMM. Not sure what is going on there. I used the same command as you and I get the new settings.

image

Collaborator Author

@adhilto I removed ValidateNotNullOrEmpty from the parameter. Not sure that would resolve it but curious if it was affecting the use of the parameter. Everything still functions correctly on my side.

Collaborator

Didn't help unfortunately. I even tested on a different tenant (the one that does show me the new settings in the admin center), same thing. Next step would probably be to see if anyone else can replicate this, or if it's somehow a just me thing.

Clarified note on app management policies and usage of commands for legacy implementations.
Clarified notes regarding app management policies and legacy command usage in Teams admin portal.
Clarified usage of legacy command in Teams admin portal context.
Updated the Teams admin portal application management section to clarify the use of legacy and new policy commands.
Updated the command for setting Teams app permission policies to a single line format.
Updated instructions for managing legacy application policies in Microsoft Teams. Added detailed steps for navigating the Teams admin center and configuring app settings.
Clarified instructions regarding legacy command usage and migration to new policy settings.
Removed validation for UseNewTeamsAppSettings parameter.

Labels

public-reported This issue is reported by the public users of the tool.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Update ScubaGear implementation for Teams 5.x policy

3 participants