fix: update domain pw policy logic

2024-06-08 15:53:12 -05:00
parent db9b206ae3
commit 66536e34a7
3 changed files with 50 additions and 26 deletions
--- a/source/tests/Test-PasswordNeverExpirePolicy.ps1
+++ b/source/tests/Test-PasswordNeverExpirePolicy.ps1
@@ -2,9 +2,8 @@ function Test-PasswordNeverExpirePolicy {
    [CmdletBinding()]
    [OutputType([CISAuditResult])]
    param (
-        # Aligned
-        [Parameter(Mandatory)]
-        [string]$DomainName # DomainName parameter is now mandatory
+        [Parameter(Mandatory = $false)]
+        [string]$DomainName
    )

    begin {
@@ -12,33 +11,58 @@ function Test-PasswordNeverExpirePolicy {
        #. .\source\Classes\CISAuditResult.ps1
        # Initialization code, if needed
        $recnum = "1.3.1"
+        $overallResult = $true
+        $detailsList = @()
+        $failureReasonsList = @()
+
+        # Add headers for the details
+        $detailsList += "Domain|Validity Period|IsDefault"
    }

    process {
        try {
-            # 1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire'
-            # Pass if PasswordValidityPeriodInDays is 0. Fail otherwise.
-
-            # Retrieve password expiration policy
-            $passwordPolicy = Get-MgDomain -DomainId $DomainName | Select-Object -ExpandProperty PasswordValidityPeriodInDays
-
-            # Prepare failure reasons and details based on compliance
-            $failureReasons = if ($passwordPolicy -ne 0) {
-                "Password expiration is not set to never expire"
-            }
-            else {
-                "N/A"
+            # Retrieve all domains or a specific domain
+            $domains = if ($DomainName) {
+                Get-MgDomain -DomainId $DomainName
+            } else {
+                Get-MgDomain
            }

-            $details = "Validity Period: $passwordPolicy days"
+            foreach ($domain in $domains) {
+                $domainName = $domain.Id
+                $isDefault = $domain.IsDefault
+                # Retrieve password expiration policy
+                $passwordPolicy = $domain.PasswordValidityPeriodInDays
+
+                # Determine if the policy is compliant
+                $isCompliant = $passwordPolicy -eq 0
+                $overallResult = $overallResult -and $isCompliant
+
+                # Prepare failure reasons and details based on compliance
+                $failureReasons = if ($isCompliant) {
+                    "N/A"
+                } else {
+                    "Password expiration is not set to never expire for domain $domainName. Run the following command to remediate: `nUpdate-MgDomain -DomainId $domainName -PasswordValidityPeriodInDays 2147483647 -PasswordNotificationWindowInDays 30"
+                }
+
+                $details = "$domainName|$passwordPolicy days|$isDefault"
+
+                # Add details and failure reasons to the lists
+                $detailsList += $details
+                $failureReasonsList += $failureReasons
+            }
+
+            # Prepare the final failure reason and details
+            $finalFailureReason = $failureReasonsList -join "`n"
+            $finalDetails = $detailsList -join "`n"

            # Create and populate the CISAuditResult object
            $params = @{
                Rec           = $recnum
-                Result        = $passwordPolicy -eq 0
-                Status        = if ($passwordPolicy -eq 0) { "Pass" } else { "Fail" }
-                Details       = $details
-                FailureReason = $failureReasons
+                Result        = $overallResult
+                Status        = if ($overallResult) { "Pass" } else { "Fail" }
+                Details       = $finalDetails
+                FailureReason = $finalFailureReason
            }
            $auditResult = Initialize-CISAuditResult @params
        }