From 486e053dfbe63a9276bc131dd0d350f5564a6652 Mon Sep 17 00:00:00 2001
From: DrIOS <58635327+DrIOSX@users.noreply.github.com>
Date: Sun, 16 Jun 2024 14:12:12 -0500
Subject: [PATCH] fix: 1.1.1 admin pull
---
 source/Public/Get-AdminRoleUserLicense.ps1 | 45 ++++++++++---------
 .../Test-AdministrativeAccountCompliance.ps1 | 15 +++++--
 2 files changed, 35 insertions(+), 25 deletions(-)
diff --git a/source/Public/Get-AdminRoleUserLicense.ps1 b/source/Public/Get-AdminRoleUserLicense.ps1
index 9cd86c3..1af177a 100644
--- a/source/Public/Get-AdminRoleUserLicense.ps1
+++ b/source/Public/Get-AdminRoleUserLicense.ps1
@@ -25,7 +25,6 @@
 https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Get-AdminRoleUserLicense
 #>
 function Get-AdminRoleUserLicense {
- # Set output type to System.Collections.ArrayList
 [OutputType([System.Collections.ArrayList])]
 [CmdletBinding()]
 param (
@@ -42,33 +41,37 @@ function Get-AdminRoleUserLicense {
 $userIds = [System.Collections.ArrayList]::new()
 }
- Process {
- $adminroles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" }
+ process {
+ Write-Verbose "Retrieving all admin roles"
+ $adminRoleNames = (Get-MgDirectoryRole | Where-Object { $null -ne $_.RoleTemplateId }).DisplayName
- foreach ($role in $adminroles) {
- $usersInRole = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
+ Write-Verbose "Filtering admin roles"
+ $adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { ($adminRoleNames -contains $_.DisplayName) -and ($_.DisplayName -ne "Directory Synchronization Accounts") }
- foreach ($user in $usersInRole) {
- $userDetails = Get-MgUser -UserId $user.PrincipalId -Property "DisplayName, UserPrincipalName, Id, onPremisesSyncEnabled" -ErrorAction SilentlyContinue
+ foreach ($role in $adminRoles) {
+ Write-Verbose "Processing role: $($role.DisplayName)"
+ $roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
+
+ foreach ($assignment in $roleAssignments) {
+ Write-Verbose "Processing role assignment for principal ID: $($assignment.PrincipalId)"
+ $userDetails = Get-MgUser -UserId $assignment.PrincipalId -Property "DisplayName, UserPrincipalName, Id, OnPremisesSyncEnabled" -ErrorAction SilentlyContinue
 if ($userDetails) {
- [void]($userIds.Add($user.PrincipalId))
- [void](
- $adminRoleUsers.Add(
- [PSCustomObject]@{
- RoleName = $role.DisplayName
- UserName = $userDetails.DisplayName
- UserPrincipalName = $userDetails.UserPrincipalName
- UserId = $userDetails.Id
- HybridUser = $userDetails.onPremisesSyncEnabled
- Licenses = $null # Initialize as $null
- }
- )
- )
+ Write-Verbose "Retrieved user details for: $($userDetails.UserPrincipalName)"
+ [void]($userIds.Add($userDetails.Id))
+ [void]($adminRoleUsers.Add([PSCustomObject]@{
+ RoleName = 
$role.DisplayName
+ UserName = $userDetails.DisplayName
+ UserPrincipalName = $userDetails.UserPrincipalName
+ UserId = $userDetails.Id
+ HybridUser = [bool]$userDetails.OnPremisesSyncEnabled
+ Licenses = $null # Initialize as $null
+ }))
 }
 }
 }
+ Write-Verbose "Retrieving licenses for admin role users"
 foreach ($userId in $userIds.ToArray() | Select-Object -Unique) {
 $licenses = Get-MgUserLicenseDetail -UserId $userId -ErrorAction SilentlyContinue
 if ($licenses) {
@@ -80,7 +83,7 @@ function Get-AdminRoleUserLicense {
 }
 }
- End {
+ end {
 Write-Host "Disconnecting from Microsoft Graph..." -ForegroundColor Green
 Disconnect-MgGraph | Out-Null
 return $adminRoleUsers
diff --git a/source/tests/Test-AdministrativeAccountCompliance.ps1 b/source/tests/Test-AdministrativeAccountCompliance.ps1
index 35dbe6f..e4644ad 100644
--- a/source/tests/Test-AdministrativeAccountCompliance.ps1
+++ b/source/tests/Test-AdministrativeAccountCompliance.ps1
@@ -20,7 +20,12 @@ function Test-AdministrativeAccountCompliance {
 try {
 # Retrieve all admin roles
 Write-Verbose "Retrieving all admin roles"
- $adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" }
+ # Get the DisplayNames of all admin roles
+ $adminRoleNames = (Get-MgDirectoryRole | Where-Object { $null -ne $_.RoleTemplateId }).DisplayName
+
+ # Use the DisplayNames to filter the roles in Get-MgRoleManagementDirectoryRoleDefinition
+ $adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { ($adminRoleNames -contains $_.DisplayName) -and ($_.DisplayName -ne "Directory Synchronization Accounts")}
+
 $adminRoleUsers = @()
 # Loop through each admin role to get role assignments and user details 
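Review bot: The `if ($userDetails)` test after the new `Get-MgUser ... -ErrorAction SilentlyContinue` call treats a throttled or forbidden lookup exactly like a principal that is not a user, so a transient Graph failure silently drops an administrator from a compliance report and biases the check toward Pass. I would capture the error and surface it: add `-ErrorVariable userErr` to the Get-MgUser call and follow the `if ($userDetails) { ... }` block with `elseif ($userErr) { Write-Warning "Could not resolve principal $($assignment.PrincipalId): $($userErr[0].Exception.Message)" }`. Since Get-MgRoleManagementDirectoryRoleAssignment returns active assignments only and a group principal fails the user lookup, PIM-eligible holders and members of role-assignable groups appear not to be enumerated here; if that is accepted, a comment such as `# NOTE: active direct assignments only; PIM-eligible and group-based holders are not expanded` above the outer foreach would stop the next reader from assuming full coverage. The process block continues beyond the end of this hunk.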
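Review bot: The role-selection block added here (`$adminRoleNames` from Get-MgDirectoryRole, then the DisplayName `-contains` filter minus "Directory Synchronization Accounts") duplicates line for line the one this same patch adds to Get-AdminRoleUserLicense, so the set of roles the two commands treat as "admin" will drift the first time only one copy is edited; a small private helper called from both would keep the compliance test and the report on one definition. Two properties of the new selection deserve a comment whether or not it is extracted: Get-MgDirectoryRole lists only roles already activated in the tenant, and matching Get-MgRoleManagementDirectoryRoleDefinition by DisplayName means custom roles are never assessed, e.g. `# NOTE: built-in roles activated in the tenant only; custom roles are not assessed`. As far as I can tell every directoryRole object carries a roleTemplateId, so the `$null -ne $_.RoleTemplateId` filter is likely a no-op and should either be dropped or have its intent documented. The function continues beyond this hunk.
```powershell
# Private helper shared by Get-AdminRoleUserLicense and Test-AdministrativeAccountCompliance.
# NOTE: built-in roles activated in the tenant only; custom roles are not assessed.
function Get-AdminRoleDefinition {
    [CmdletBinding()]
    param ()
    $adminRoleNames = (Get-MgDirectoryRole | Where-Object { $null -ne $_.RoleTemplateId }).DisplayName
    Get-MgRoleManagementDirectoryRoleDefinition |
        Where-Object { ($adminRoleNames -contains $_.DisplayName) -and ($_.DisplayName -ne "Directory Synchronization Accounts") }
}
# … unchanged: try block in Test-AdministrativeAccountCompliance, where the two assignments become …
$adminRoles = Get-AdminRoleDefinition
```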
@@ -47,9 +52,10 @@ function Test-AdministrativeAccountCompliance {
 # Condition C: Check if the account has no other licenses
 $hasInvalidLicense = $licenses.SkuPartNumber | ForEach-Object { $validLicenses -notcontains $_ }
+ $invalidLicenses = $licenses.SkuPartNumber | Where-Object { $validLicenses -notcontains $_ }
 $applicationAssignmentStatus = if ($hasInvalidLicense) { "Fail" } else { "Pass" }
- Write-Verbose "User: $($userDetails.UserPrincipalName), Cloud-Only: $cloudOnlyStatus, Valid Licenses: $validLicensesStatus, Other Applications Assigned: $applicationAssignmentStatus"
+ Write-Verbose "User: $($userDetails.UserPrincipalName), Cloud-Only: $cloudOnlyStatus, Valid Licenses: $validLicensesStatus, Invalid Licenses: $($invalidLicenses -join ', ')"
 # Collect user information
 $adminRoleUsers += [PSCustomObject]@{
@@ -95,13 +101,14 @@ function Test-AdministrativeAccountCompliance {
 $failureReasons = $failureReasons -join "`n"
 $failureReason = if ($nonCompliantUsers) {
 "Non-Compliant Accounts: $($nonCompliantUsers.Count)"
- } else {
+ }
+ else {
 "Compliant Accounts: $($uniqueAdminRoleUsers.Count)"
 }
 $result = $nonCompliantUsers.Count -eq 0
 $status = if ($result) { 'Pass' } else { 'Fail' }
- $details = if ($nonCompliantUsers) { "Username | Roles | Cloud-Only Status | Entra ID License Status | Other Applications Assigned Status`n$failureReasons" } else { "N/A" }
+ $details = if ($nonCompliantUsers) { "Username | Roles | Cloud-Only Status | EntraID P1/P2 License Status | Other Applications Assigned Status`n$failureReasons" } else { "N/A" }
 Write-Verbose "Assessment completed. Result: $status"
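Review bot: The new `$invalidLicenses` line computes the right thing, but `$applicationAssignmentStatus` on the line below it is still derived from `$hasInvalidLicense`, which is the array of booleans ForEach-Object emits; in PowerShell a collection with more than one element is truthy regardless of its contents, so an administrator holding two or more permitted licences (every element `$false`) is reported as "Fail". Deriving the status from the list the commit already builds fixes this: `$applicationAssignmentStatus = if ($invalidLicenses) { "Fail" } else { "Pass" }`, after which `$hasInvalidLicense` is unused and can be removed. The new Write-Verbose message also drops the Other Applications Assigned status from the trace although the Details header further down still reports it, so appending `, Other Applications Assigned: $applicationAssignmentStatus` to the message keeps the two consistent for debugging. This hunk sits inside the per-user loop; the function continues on both sides of it.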