vibecoding/M365FoundationsCISReport
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: update domain pw policy logic

Browse Source
This commit is contained in:
DrIOS
2024-06-08 15:53:12 -05:00
parent db9b206ae3
commit 66536e34a7
3 changed files with 50 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
source/Private/Invoke-TestFunction.ps1
View File

@@ -3,7 +3,7 @@ function Invoke-TestFunction {
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true)]
[PSObject]$FunctionFile, [PSObject]$FunctionFile,
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $false)]
[string]$DomainName [string]$DomainName
) )

10
source/Public/Invoke-M365SecurityAudit.ps1
View File

@@ -5,8 +5,8 @@
The Invoke-M365SecurityAudit cmdlet performs a comprehensive security audit based on the specified parameters. It allows auditing of various configurations and settings within a Microsoft 365 environment, such as compliance with CIS benchmarks. The Invoke-M365SecurityAudit cmdlet performs a comprehensive security audit based on the specified parameters. It allows auditing of various configurations and settings within a Microsoft 365 environment, such as compliance with CIS benchmarks.
.PARAMETER TenantAdminUrl .PARAMETER TenantAdminUrl
The URL of the tenant admin. This parameter is mandatory. The URL of the tenant admin. This parameter is mandatory.
.PARAMETER DomainName .PARAMETER M365DomainForPWPolicyTest
The domain name of the Microsoft 365 environment. This parameter is mandatory. The domain name of the Microsoft 365 environment to test. This parameter is not mandatory and by default it will pass/fail all found domains as a group if a specific domain is not specified.
.PARAMETER ELevel .PARAMETER ELevel
Specifies the E-Level (E3 or E5) for the audit. This parameter is optional and can be combined with the ProfileLevel parameter. Specifies the E-Level (E3 or E5) for the audit. This parameter is optional and can be combined with the ProfileLevel parameter.
.PARAMETER ProfileLevel .PARAMETER ProfileLevel
@@ -67,9 +67,9 @@ function Invoke-M365SecurityAudit {
[ValidatePattern('^https://[a-zA-Z0-9-]+-admin\.sharepoint\.com$')] [ValidatePattern('^https://[a-zA-Z0-9-]+-admin\.sharepoint\.com$')]
[string]$TenantAdminUrl, [string]$TenantAdminUrl,
[Parameter(Mandatory = $true, HelpMessage = "The domain name of your organization, e.g., 'example.com'.")] [Parameter(Mandatory = $false, HelpMessage = "Specify this to test only the default domain for password expiration policy when '1.3.1' is included in the tests to be run. The domain name of your organization, e.g., 'example.com'.")]
[ValidatePattern('^[a-zA-Z0-9-]+\.[a-zA-Z]{2,}$')] [ValidatePattern('^[a-zA-Z0-9-]+\.[a-zA-Z]{2,}$')]
[string]$DomainName, [string]$M365DomainForPWPolicyTest,
# E-Level with optional ProfileLevel selection # E-Level with optional ProfileLevel selection
[Parameter(Mandatory = $true, ParameterSetName = 'ELevelFilter')] [Parameter(Mandatory = $true, ParameterSetName = 'ELevelFilter')]
@@ -194,7 +194,7 @@ function Invoke-M365SecurityAudit {
Write-Progress -Activity "Executing Tests" -Status "Executing $($currentTestIndex) of $($totalTests): $($testFunction.Name)" -PercentComplete (($currentTestIndex / $totalTests) * 100) Write-Progress -Activity "Executing Tests" -Status "Executing $($currentTestIndex) of $($totalTests): $($testFunction.Name)" -PercentComplete (($currentTestIndex / $totalTests) * 100)
$functionName = $testFunction.BaseName $functionName = $testFunction.BaseName
if ($PSCmdlet.ShouldProcess($functionName, "Execute test")) { if ($PSCmdlet.ShouldProcess($functionName, "Execute test")) {
$auditResult = Invoke-TestFunction -FunctionFile $testFunction -DomainName $DomainName $auditResult = Invoke-TestFunction -FunctionFile $testFunction -DomainName $M365DomainForPWPolicyTest
# Add the result to the collection # Add the result to the collection
[void]$allAuditResults.Add($auditResult) [void]$allAuditResults.Add($auditResult)
} }

54
source/tests/Test-PasswordNeverExpirePolicy.ps1
View File

@@ -2,9 +2,8 @@ function Test-PasswordNeverExpirePolicy {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])] [OutputType([CISAuditResult])]
param ( param (
# Aligned [Parameter(Mandatory = $false)]
[Parameter(Mandatory)] [string]$DomainName
[string]$DomainName # DomainName parameter is now mandatory
) )
begin { begin {
@@ -12,33 +11,58 @@ function Test-PasswordNeverExpirePolicy {
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "1.3.1" $recnum = "1.3.1"
$overallResult = $true
$detailsList = @()
$failureReasonsList = @()
# Add headers for the details
$detailsList += "Domain|Validity Period|IsDefault"
} }
process { process {
try { try {
# 1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire' # Retrieve all domains or a specific domain
# Pass if PasswordValidityPeriodInDays is 0. Fail otherwise. $domains = if ($DomainName) {
Get-MgDomain -DomainId $DomainName
} else {
Get-MgDomain
}
foreach ($domain in $domains) {
$domainName = $domain.Id
$isDefault = $domain.IsDefault
# Retrieve password expiration policy # Retrieve password expiration policy
$passwordPolicy = Get-MgDomain -DomainId $DomainName | Select-Object -ExpandProperty PasswordValidityPeriodInDays $passwordPolicy = $domain.PasswordValidityPeriodInDays
# Determine if the policy is compliant
$isCompliant = $passwordPolicy -eq 0
$overallResult = $overallResult -and $isCompliant
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if ($passwordPolicy -ne 0) { $failureReasons = if ($isCompliant) {
"Password expiration is not set to never expire"
}
else {
"N/A" "N/A"
} else {
"Password expiration is not set to never expire for domain $domainName. Run the following command to remediate: `nUpdate-MgDomain -DomainId $domainName -PasswordValidityPeriodInDays 2147483647 -PasswordNotificationWindowInDays 30"
} }
$details = "Validity Period: $passwordPolicy days" $details = "$domainName|$passwordPolicy days|$isDefault"
# Add details and failure reasons to the lists
$detailsList += $details
$failureReasonsList += $failureReasons
}
# Prepare the final failure reason and details
$finalFailureReason = $failureReasonsList -join "`n"
$finalDetails = $detailsList -join "`n"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = $recnum Rec = $recnum
Result = $passwordPolicy -eq 0 Result = $overallResult
Status = if ($passwordPolicy -eq 0) { "Pass" } else { "Fail" } Status = if ($overallResult) { "Pass" } else { "Fail" }
Details = $details Details = $finalDetails
FailureReason = $failureReasons FailureReason = $finalFailureReason
} }
$auditResult = Initialize-CISAuditResult @params $auditResult = Initialize-CISAuditResult @params
} }