From 30c848e74dfaed622e24dd4b5366b9838cac9f3f Mon Sep 17 00:00:00 2001 From: DrIOS <58635327+DrIOSX@users.noreply.github.com> Date: Mon, 10 Jun 2024 09:42:17 -0500 Subject: [PATCH] fix: Revert script to oringinal for 1.1.1 --- .../Test-AdministrativeAccountCompliance.ps1 | 144 +++++++----------- 1 file changed, 57 insertions(+), 87 deletions(-) diff --git a/source/tests/Test-AdministrativeAccountCompliance.ps1 b/source/tests/Test-AdministrativeAccountCompliance.ps1 index 1b22bdb..21ab959 100644 --- a/source/tests/Test-AdministrativeAccountCompliance.ps1 +++ b/source/tests/Test-AdministrativeAccountCompliance.ps1 @@ -1,113 +1,83 @@ function Test-AdministrativeAccountCompliance { [CmdletBinding()] - [OutputType([CISAuditResult])] param ( + # Aligned # Parameters can be added if needed ) begin { + #. .\source\Classes\CISAuditResult.ps1 $validLicenses = @('AAD_PREMIUM', 'AAD_PREMIUM_P2') - $recnum = "1.1.1" } process { - try { - # Retrieve all necessary data outside the loops - $adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" } - $roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment - $principalIds = $roleAssignments.PrincipalId | Select-Object -Unique + $adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" } + $adminRoleUsers = @() - # Fetch user details using filter - $userDetailsList = @{} - $licensesList = @{} + foreach ($role in $adminRoles) { + $roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" - $userDetails = Get-MgUser -Filter "id in ('$($principalIds -join "','")')" -Property "DisplayName, UserPrincipalName, Id, OnPremisesSyncEnabled" -ErrorAction SilentlyContinue - foreach ($user in $userDetails) { - $userDetailsList[$user.Id] = $user - } + foreach ($assignment in $roleAssignments) { + $userDetails = Get-MgUser -UserId $assignment.PrincipalId -Property "DisplayName, UserPrincipalName, Id, OnPremisesSyncEnabled" -ErrorAction SilentlyContinue + if ($userDetails) { + $licenses = Get-MgUserLicenseDetail -UserId $assignment.PrincipalId -ErrorAction SilentlyContinue + $licenseString = if ($licenses) { ($licenses.SkuPartNumber -join '|') } else { "No Licenses Found" } - # Fetch user licenses for each unique principal ID - foreach ($principalId in $principalIds) { - $licensesList[$principalId] = Get-MgUserLicenseDetail -UserId $principalId -ErrorAction SilentlyContinue - } - - $adminRoleUsers = @() - - foreach ($role in $adminRoles) { - foreach ($assignment in $roleAssignments | Where-Object { $_.RoleDefinitionId -eq $role.Id }) { - $userDetails = $userDetailsList[$assignment.PrincipalId] - if ($userDetails) { - $licenses = $licensesList[$assignment.PrincipalId] - $licenseString = if ($licenses) { ($licenses.SkuPartNumber -join '|') } else { "No Licenses Found" } - - $adminRoleUsers += [PSCustomObject]@{ - UserName = $userDetails.UserPrincipalName - RoleName = $role.DisplayName - UserId = $userDetails.Id - HybridUser = $userDetails.OnPremisesSyncEnabled - Licenses = $licenseString - } + $adminRoleUsers += [PSCustomObject]@{ + UserName = $userDetails.UserPrincipalName + RoleName = $role.DisplayName + UserId = $userDetails.Id + HybridUser = $userDetails.OnPremisesSyncEnabled + Licenses = $licenseString } } } - - $uniqueAdminRoleUsers = $adminRoleUsers | Group-Object -Property UserName | ForEach-Object { - $first = $_.Group | Select-Object -First 1 - $roles = ($_.Group.RoleName -join ', ') - $licenses = (($_.Group | Select-Object -ExpandProperty Licenses) -join ',').Split(',') | Select-Object -Unique - - $first | Select-Object UserName, UserId, HybridUser, @{Name = 'Roles'; Expression = { $roles } }, @{Name = 'Licenses'; Expression = { $licenses -join '|' } } - } - - $nonCompliantUsers = $uniqueAdminRoleUsers | Where-Object { - $_.HybridUser -or - -not ($_.Licenses -split '\|' | Where-Object { $validLicenses -contains $_ }) - } - - $failureReasons = $nonCompliantUsers | ForEach-Object { - $accountType = if ($_.HybridUser) { "Hybrid" } else { "Cloud-Only" } - $missingLicenses = $validLicenses | Where-Object { $_ -notin ($_.Licenses -split '\|') } - "$($_.UserName)|$($_.Roles)|$accountType|$($missingLicenses -join ',')" - } - $failureReasons = $failureReasons -join "`n" - - $details = if ($nonCompliantUsers) { - "Non-compliant accounts: `nUsername | Roles | HybridStatus | Missing Licence`n$failureReasons" - } else { - "Compliant Accounts: $($uniqueAdminRoleUsers.Count)" - } - - $failureReason = if ($nonCompliantUsers) { - "Non-Compliant Accounts: $($nonCompliantUsers.Count)`nDetails:`n" + ($nonCompliantUsers | ForEach-Object { $_.UserName }) -join "`n" - } else { - "N/A" - } - - $result = $nonCompliantUsers.Count -eq 0 - $status = if ($result) { 'Pass' } else { 'Fail' } - - $params = @{ - Rec = $recnum - Result = $result - Status = $status - Details = $details - FailureReason = $failureReason - } - - $auditResult = Initialize-CISAuditResult @params } - catch { - Write-Error "An error occurred during the test: $_" - $testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum } - $description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" } + $uniqueAdminRoleUsers = $adminRoleUsers | Group-Object -Property UserName | ForEach-Object { + $first = $_.Group | Select-Object -First 1 + $roles = ($_.Group.RoleName -join ', ') + $licenses = (($_.Group | Select-Object -ExpandProperty Licenses) -join ',').Split(',') | Select-Object -Unique - $script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ }) - - $auditResult = Initialize-CISAuditResult -Rec $recnum -Failure + $first | Select-Object UserName, UserId, HybridUser, @{Name = 'Roles'; Expression = { $roles } }, @{Name = 'Licenses'; Expression = { $licenses -join '|' } } } + + $nonCompliantUsers = $uniqueAdminRoleUsers | Where-Object { + $_.HybridUser -or + -not ($_.Licenses -split '\|' | Where-Object { $validLicenses -contains $_ }) + } + + $failureReasons = $nonCompliantUsers | ForEach-Object { + $accountType = if ($_.HybridUser) { "Hybrid" } else { "Cloud-Only" } + $missingLicenses = $validLicenses | Where-Object { $_ -notin ($_.Licenses -split '\|') } + "$($_.UserName)|$($_.Roles)|$accountType|Missing: $($missingLicenses -join ',')" + } + $failureReasons = $failureReasons -join "`n" + $details = if ($nonCompliantUsers) { + "Non-Compliant Accounts: $($nonCompliantUsers.Count)`nDetails:`n" + ($nonCompliantUsers | ForEach-Object { $_.UserName }) -join "`n" + } + else { + "Compliant Accounts: $($uniqueAdminRoleUsers.Count)" + } + + $result = $nonCompliantUsers.Count -eq 0 + $status = if ($result) { 'Pass' } else { 'Fail' } + $failureReason = if ($nonCompliantUsers) { "Non-compliant accounts: `nUsername | Roles | HybridStatus | Missing Licence`n$failureReasons" } else { "N/A" } + + # Create the parameter splat + $params = @{ + Rec = "1.1.1" + Result = $result + Status = $status + Details = $details + FailureReason = $failureReason + } + + $auditResult = Initialize-CISAuditResult @params } + end { + # Output the result return $auditResult } }