fix: 1.1.1 admin pull

DrIOS
2024-06-16 14:12:12 -05:00
parent 6bace63c62
commit 486e053dfb
2 changed files with 35 additions and 25 deletions


@@ -25,7 +25,6 @@
https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Get-AdminRoleUserLicense https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Get-AdminRoleUserLicense
#> #>
function Get-AdminRoleUserLicense { function Get-AdminRoleUserLicense {
# Set output type to System.Collections.ArrayList
[OutputType([System.Collections.ArrayList])] [OutputType([System.Collections.ArrayList])]
[CmdletBinding()] [CmdletBinding()]
param ( param (
@@ -42,33 +41,37 @@ function Get-AdminRoleUserLicense {
$userIds = [System.Collections.ArrayList]::new() $userIds = [System.Collections.ArrayList]::new()
} }
Process { process {
$adminroles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" } Write-Verbose "Retrieving all admin roles"
$adminRoleNames = (Get-MgDirectoryRole | Where-Object { $null -ne $_.RoleTemplateId }).DisplayName
foreach ($role in $adminroles) { Write-Verbose "Filtering admin roles"
$usersInRole = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" $adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { ($adminRoleNames -contains $_.DisplayName) -and ($_.DisplayName -ne "Directory Synchronization Accounts") }
foreach ($user in $usersInRole) { foreach ($role in $adminRoles) {
$userDetails = Get-MgUser -UserId $user.PrincipalId -Property "DisplayName, UserPrincipalName, Id, onPremisesSyncEnabled" -ErrorAction SilentlyContinue Write-Verbose "Processing role: $($role.DisplayName)"
$roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
foreach ($assignment in $roleAssignments) {
Write-Verbose "Processing role assignment for principal ID: $($assignment.PrincipalId)"
$userDetails = Get-MgUser -UserId $assignment.PrincipalId -Property "DisplayName, UserPrincipalName, Id, OnPremisesSyncEnabled" -ErrorAction SilentlyContinue
if ($userDetails) { if ($userDetails) {
[void]($userIds.Add($user.PrincipalId)) Write-Verbose "Retrieved user details for: $($userDetails.UserPrincipalName)"
[void]( [void]($userIds.Add($userDetails.Id))
$adminRoleUsers.Add( [void]($adminRoleUsers.Add([PSCustomObject]@{
[PSCustomObject]@{
RoleName = $role.DisplayName RoleName = $role.DisplayName
UserName = $userDetails.DisplayName UserName = $userDetails.DisplayName
UserPrincipalName = $userDetails.UserPrincipalName UserPrincipalName = $userDetails.UserPrincipalName
UserId = $userDetails.Id UserId = $userDetails.Id
HybridUser = $userDetails.onPremisesSyncEnabled HybridUser = [bool]$userDetails.OnPremisesSyncEnabled
Licenses = $null # Initialize as $null Licenses = $null # Initialize as $null
} }))
)
)
} }
} }
} }
Write-Verbose "Retrieving licenses for admin role users"
foreach ($userId in $userIds.ToArray() | Select-Object -Unique) { foreach ($userId in $userIds.ToArray() | Select-Object -Unique) {
$licenses = Get-MgUserLicenseDetail -UserId $userId -ErrorAction SilentlyContinue $licenses = Get-MgUserLicenseDetail -UserId $userId -ErrorAction SilentlyContinue
if ($licenses) { if ($licenses) {
@@ -80,7 +83,7 @@ function Get-AdminRoleUserLicense {
} }
} }
End { end {
Write-Host "Disconnecting from Microsoft Graph..." -ForegroundColor Green Write-Host "Disconnecting from Microsoft Graph..." -ForegroundColor Green
Disconnect-MgGraph | Out-Null Disconnect-MgGraph | Out-Null
return $adminRoleUsers return $adminRoleUsers
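Review bot: A role assignment whose principal is not a user, or whose lookup fails for any other reason, is dropped without a trace on the new `$userDetails = Get-MgUser -UserId $assignment.PrincipalId ... -ErrorAction SilentlyContinue` line, because the following `if ($userDetails)` simply skips it; for a report meant to list every holder of an admin role that means group-based or service-principal assignments, and any lookup lost to throttling or a missing permission, silently vanish from the output and the caller sees a shorter, not a failed, result. Surface the miss at minimum: add `-ErrorVariable lookupError` to the Get-MgUser call and, after the `if ($userDetails) { ... }` block, `if (-not $userDetails) { Write-Warning "Unresolved principal $($assignment.PrincipalId) in role '$($role.DisplayName)': $lookupError" }`. The new role selection (`Get-MgDirectoryRole` filtered on RoleTemplateId, repeated in the Test-AdministrativeAccountCompliance hunk of the second file) also deserves a comment stating its scope: as far as I know that cmdlet returns only roles already activated in the tenant, and eligible (PIM) assignments are not returned by Get-MgRoleManagementDirectoryRoleAssignment, so a note such as `# Covers active assignments of activated directory roles only; eligible/PIM assignments are not enumerated` in the function help would keep readers from over-trusting the list. Get-AdminRoleUserLicense's param block and the license loop continue outside the hunks.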


@@ -20,7 +20,12 @@ function Test-AdministrativeAccountCompliance {
try { try {
# Retrieve all admin roles # Retrieve all admin roles
Write-Verbose "Retrieving all admin roles" Write-Verbose "Retrieving all admin roles"
$adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" } # Get the DisplayNames of all admin roles
$adminRoleNames = (Get-MgDirectoryRole | Where-Object { $null -ne $_.RoleTemplateId }).DisplayName
# Use the DisplayNames to filter the roles in Get-MgRoleManagementDirectoryRoleDefinition
$adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { ($adminRoleNames -contains $_.DisplayName) -and ($_.DisplayName -ne "Directory Synchronization Accounts")}
$adminRoleUsers = @() $adminRoleUsers = @()
# Loop through each admin role to get role assignments and user details # Loop through each admin role to get role assignments and user details
@@ -47,9 +52,10 @@ function Test-AdministrativeAccountCompliance {
# Condition C: Check if the account has no other licenses # Condition C: Check if the account has no other licenses
$hasInvalidLicense = $licenses.SkuPartNumber | ForEach-Object { $validLicenses -notcontains $_ } $hasInvalidLicense = $licenses.SkuPartNumber | ForEach-Object { $validLicenses -notcontains $_ }
$invalidLicenses = $licenses.SkuPartNumber | Where-Object { $validLicenses -notcontains $_ }
$applicationAssignmentStatus = if ($hasInvalidLicense) { "Fail" } else { "Pass" } $applicationAssignmentStatus = if ($hasInvalidLicense) { "Fail" } else { "Pass" }
Write-Verbose "User: $($userDetails.UserPrincipalName), Cloud-Only: $cloudOnlyStatus, Valid Licenses: $validLicensesStatus, Other Applications Assigned: $applicationAssignmentStatus" Write-Verbose "User: $($userDetails.UserPrincipalName), Cloud-Only: $cloudOnlyStatus, Valid Licenses: $validLicensesStatus, Invalid Licenses: $($invalidLicenses -join ', ')"
# Collect user information # Collect user information
$adminRoleUsers += [PSCustomObject]@{ $adminRoleUsers += [PSCustomObject]@{
@@ -95,13 +101,14 @@ function Test-AdministrativeAccountCompliance {
$failureReasons = $failureReasons -join "`n" $failureReasons = $failureReasons -join "`n"
$failureReason = if ($nonCompliantUsers) { $failureReason = if ($nonCompliantUsers) {
"Non-Compliant Accounts: $($nonCompliantUsers.Count)" "Non-Compliant Accounts: $($nonCompliantUsers.Count)"
} else { }
else {
"Compliant Accounts: $($uniqueAdminRoleUsers.Count)" "Compliant Accounts: $($uniqueAdminRoleUsers.Count)"
} }
$result = $nonCompliantUsers.Count -eq 0 $result = $nonCompliantUsers.Count -eq 0
$status = if ($result) { 'Pass' } else { 'Fail' } $status = if ($result) { 'Pass' } else { 'Fail' }
$details = if ($nonCompliantUsers) { "Username | Roles | Cloud-Only Status | Entra ID License Status | Other Applications Assigned Status`n$failureReasons" } else { "N/A" } $details = if ($nonCompliantUsers) { "Username | Roles | Cloud-Only Status | EntraID P1/P2 License Status | Other Applications Assigned Status`n$failureReasons" } else { "N/A" }
Write-Verbose "Assessment completed. Result: $status" Write-Verbose "Assessment completed. Result: $status"