fix: working and verbose confirmation included
This commit is contained in:
@@ -8,27 +8,32 @@ function Test-AdministrativeAccountCompliance {
|
|||||||
begin {
|
begin {
|
||||||
# The following conditions are checked:
|
# The following conditions are checked:
|
||||||
# Condition A: The administrative account is cloud-only (not synced).
|
# Condition A: The administrative account is cloud-only (not synced).
|
||||||
# Condition B: The account is assigned only valid licenses (e.g., Microsoft Entra ID P1 or P2).
|
# Condition B: The account is assigned a valid license (e.g., Microsoft Entra ID P1 or P2).
|
||||||
# Condition C: The administrative account does not have application assignments (only valid licenses are allowed).
|
# Condition C: The administrative account does not have any other application assignments (only valid licenses).
|
||||||
|
|
||||||
$validLicenses = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')
|
$validLicenses = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')
|
||||||
$recnum = "1.1.1"
|
$recnum = "1.1.1"
|
||||||
|
Write-Verbose "Starting Test-AdministrativeAccountCompliance with Rec: $recnum"
|
||||||
}
|
}
|
||||||
|
|
||||||
process {
|
process {
|
||||||
try {
|
try {
|
||||||
# Retrieve all admin roles
|
# Retrieve all admin roles
|
||||||
|
Write-Verbose "Retrieving all admin roles"
|
||||||
$adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" }
|
$adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" }
|
||||||
$adminRoleUsers = @()
|
$adminRoleUsers = @()
|
||||||
|
|
||||||
# Loop through each admin role to get role assignments and user details
|
# Loop through each admin role to get role assignments and user details
|
||||||
foreach ($role in $adminRoles) {
|
foreach ($role in $adminRoles) {
|
||||||
|
Write-Verbose "Processing role: $($role.DisplayName)"
|
||||||
$roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
|
$roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
|
||||||
|
|
||||||
foreach ($assignment in $roleAssignments) {
|
foreach ($assignment in $roleAssignments) {
|
||||||
|
Write-Verbose "Processing role assignment for principal ID: $($assignment.PrincipalId)"
|
||||||
# Get user details for each principal ID
|
# Get user details for each principal ID
|
||||||
$userDetails = Get-MgUser -UserId $assignment.PrincipalId -Property "DisplayName, UserPrincipalName, Id, OnPremisesSyncEnabled" -ErrorAction SilentlyContinue
|
$userDetails = Get-MgUser -UserId $assignment.PrincipalId -Property "DisplayName, UserPrincipalName, Id, OnPremisesSyncEnabled" -ErrorAction SilentlyContinue
|
||||||
if ($userDetails) {
|
if ($userDetails) {
|
||||||
|
Write-Verbose "Retrieved user details for: $($userDetails.UserPrincipalName)"
|
||||||
# Get user license details
|
# Get user license details
|
||||||
$licenses = Get-MgUserLicenseDetail -UserId $assignment.PrincipalId -ErrorAction SilentlyContinue
|
$licenses = Get-MgUserLicenseDetail -UserId $assignment.PrincipalId -ErrorAction SilentlyContinue
|
||||||
$licenseString = if ($licenses) { ($licenses.SkuPartNumber -join '|') } else { "No Licenses Found" }
|
$licenseString = if ($licenses) { ($licenses.SkuPartNumber -join '|') } else { "No Licenses Found" }
|
||||||
@@ -36,9 +41,15 @@ function Test-AdministrativeAccountCompliance {
|
|||||||
# Condition A: Check if the account is cloud-only
|
# Condition A: Check if the account is cloud-only
|
||||||
$cloudOnlyStatus = if ($userDetails.OnPremisesSyncEnabled) { "Fail" } else { "Pass" }
|
$cloudOnlyStatus = if ($userDetails.OnPremisesSyncEnabled) { "Fail" } else { "Pass" }
|
||||||
|
|
||||||
# Condition B and C: Check if the account has only valid licenses
|
# Condition B: Check if the account has valid licenses
|
||||||
$hasOnlyValidLicenses = ($licenses.SkuPartNumber | ForEach-Object { $validLicenses -contains $_ }) -and (($licenses.SkuPartNumber | ForEach-Object { $validLicenses -notcontains $_ }).Count -eq 0)
|
$hasValidLicense = $licenses.SkuPartNumber | ForEach-Object { $validLicenses -contains $_ }
|
||||||
$validLicensesStatus = if ($hasOnlyValidLicenses) { "Pass" } else { "Fail" }
|
$validLicensesStatus = if ($hasValidLicense) { "Pass" } else { "Fail" }
|
||||||
|
|
||||||
|
# Condition C: Check if the account has no other licenses
|
||||||
|
$hasInvalidLicense = $licenses.SkuPartNumber | ForEach-Object { $validLicenses -notcontains $_ }
|
||||||
|
$applicationAssignmentStatus = if ($hasInvalidLicense) { "Fail" } else { "Pass" }
|
||||||
|
|
||||||
|
Write-Verbose "User: $($userDetails.UserPrincipalName), Cloud-Only: $cloudOnlyStatus, Valid Licenses: $validLicensesStatus, Other Applications Assigned: $applicationAssignmentStatus"
|
||||||
|
|
||||||
# Collect user information
|
# Collect user information
|
||||||
$adminRoleUsers += [PSCustomObject]@{
|
$adminRoleUsers += [PSCustomObject]@{
|
||||||
@@ -49,13 +60,17 @@ function Test-AdministrativeAccountCompliance {
|
|||||||
Licenses = $licenseString
|
Licenses = $licenseString
|
||||||
CloudOnlyStatus = $cloudOnlyStatus
|
CloudOnlyStatus = $cloudOnlyStatus
|
||||||
ValidLicensesStatus = $validLicensesStatus
|
ValidLicensesStatus = $validLicensesStatus
|
||||||
ApplicationAssignmentStatus = $validLicensesStatus # Using the same status as ValidLicensesStatus for now
|
ApplicationAssignmentStatus = $applicationAssignmentStatus
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
else {
|
||||||
|
Write-Verbose "No user details found for principal ID: $($assignment.PrincipalId)"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Group admin role users by UserName and collect unique roles and licenses
|
# Group admin role users by UserName and collect unique roles and licenses
|
||||||
|
Write-Verbose "Grouping admin role users by UserName"
|
||||||
$uniqueAdminRoleUsers = $adminRoleUsers | Group-Object -Property UserName | ForEach-Object {
|
$uniqueAdminRoleUsers = $adminRoleUsers | Group-Object -Property UserName | ForEach-Object {
|
||||||
$first = $_.Group | Select-Object -First 1
|
$first = $_.Group | Select-Object -First 1
|
||||||
$roles = ($_.Group.RoleName -join ', ')
|
$roles = ($_.Group.RoleName -join ', ')
|
||||||
@@ -64,26 +79,31 @@ function Test-AdministrativeAccountCompliance {
|
|||||||
$first | Select-Object UserName, UserId, HybridUser, @{Name = 'Roles'; Expression = { $roles } }, @{Name = 'Licenses'; Expression = { $licenses -join '|' } }, CloudOnlyStatus, ValidLicensesStatus, ApplicationAssignmentStatus
|
$first | Select-Object UserName, UserId, HybridUser, @{Name = 'Roles'; Expression = { $roles } }, @{Name = 'Licenses'; Expression = { $licenses -join '|' } }, CloudOnlyStatus, ValidLicensesStatus, ApplicationAssignmentStatus
|
||||||
}
|
}
|
||||||
|
|
||||||
# Identify non-compliant users based on conditions A and B
|
# Identify non-compliant users based on conditions A, B, and C
|
||||||
|
Write-Verbose "Identifying non-compliant users based on conditions"
|
||||||
$nonCompliantUsers = $uniqueAdminRoleUsers | Where-Object {
|
$nonCompliantUsers = $uniqueAdminRoleUsers | Where-Object {
|
||||||
$_.HybridUser -or # Fails Condition A
|
$_.HybridUser -or # Fails Condition A
|
||||||
$_.ValidLicensesStatus -eq "Fail" # Fails Condition B
|
$_.ValidLicensesStatus -eq "Fail" -or # Fails Condition B
|
||||||
|
$_.ApplicationAssignmentStatus -eq "Fail" # Fails Condition C
|
||||||
}
|
}
|
||||||
|
|
||||||
# Generate failure reasons
|
# Generate failure reasons
|
||||||
|
Write-Verbose "Generating failure reasons for non-compliant users"
|
||||||
$failureReasons = $nonCompliantUsers | ForEach-Object {
|
$failureReasons = $nonCompliantUsers | ForEach-Object {
|
||||||
"$($_.UserName)|$($_.Roles)|$($_.CloudOnlyStatus)|$($_.ValidLicensesStatus)|$($_.ApplicationAssignmentStatus)"
|
"$($_.UserName)|$($_.Roles)|$($_.CloudOnlyStatus)|$($_.ValidLicensesStatus)|$($_.ApplicationAssignmentStatus)"
|
||||||
}
|
}
|
||||||
$failureReasons = $failureReasons -join "`n"
|
$failureReasons = $failureReasons -join "`n"
|
||||||
$details = if ($nonCompliantUsers) {
|
$failureReason = if ($nonCompliantUsers) {
|
||||||
"Non-Compliant Accounts: $($nonCompliantUsers.Count)`nDetails:`n" + $failureReasons
|
"Non-Compliant Accounts: $($nonCompliantUsers.Count)"
|
||||||
} else {
|
} else {
|
||||||
"Compliant Accounts: $($uniqueAdminRoleUsers.Count)"
|
"Compliant Accounts: $($uniqueAdminRoleUsers.Count)"
|
||||||
}
|
}
|
||||||
|
|
||||||
$result = $nonCompliantUsers.Count -eq 0
|
$result = $nonCompliantUsers.Count -eq 0
|
||||||
$status = if ($result) { 'Pass' } else { 'Fail' }
|
$status = if ($result) { 'Pass' } else { 'Fail' }
|
||||||
$failureReason = if ($nonCompliantUsers) { "Non-compliant accounts: `nUsername | Roles | Cloud-Only Status | Valid Licenses Status | Application Assignment Status`n$failureReasons" } else { "N/A" }
|
$details = if ($nonCompliantUsers) { "Non-compliant accounts: `nUsername | Roles | Cloud-Only Status | Entra ID License Status | Other Applications Assigned Status`n$failureReasons" } else { "N/A" }
|
||||||
|
|
||||||
|
Write-Verbose "Assessment completed. Result: $status"
|
||||||
|
|
||||||
# Create the parameter splat
|
# Create the parameter splat
|
||||||
$params = @{
|
$params = @{
|
||||||
|
Reference in New Issue
Block a user