fix: Comments steps
This commit is contained in:
DrIOS
@@ -8,72 +8,95 @@ function Test-AdministrativeAccountCompliance {
|
|||||||
begin {
|
begin {
|
||||||
#. .\source\Classes\CISAuditResult.ps1
|
#. .\source\Classes\CISAuditResult.ps1
|
||||||
$validLicenses = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')
|
$validLicenses = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')
|
||||||
|
$recnum = "1.1.1"
|
||||||
}
|
}
|
||||||
|
|
||||||
process {
|
process {
|
||||||
$adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" }
|
try {
|
||||||
$adminRoleUsers = @()
|
# Retrieve all admin roles
|
||||||
|
$adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" }
|
||||||
|
$adminRoleUsers = @()
|
||||||
|
|
||||||
foreach ($role in $adminRoles) {
|
# Loop through each admin role to get role assignments and user details
|
||||||
$roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
|
foreach ($role in $adminRoles) {
|
||||||
|
$roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
|
||||||
|
|
||||||
foreach ($assignment in $roleAssignments) {
|
foreach ($assignment in $roleAssignments) {
|
||||||
$userDetails = Get-MgUser -UserId $assignment.PrincipalId -Property "DisplayName, UserPrincipalName, Id, OnPremisesSyncEnabled" -ErrorAction SilentlyContinue
|
# Get user details for each principal ID
|
||||||
if ($userDetails) {
|
$userDetails = Get-MgUser -UserId $assignment.PrincipalId -Property "DisplayName, UserPrincipalName, Id, OnPremisesSyncEnabled" -ErrorAction SilentlyContinue
|
||||||
$licenses = Get-MgUserLicenseDetail -UserId $assignment.PrincipalId -ErrorAction SilentlyContinue
|
if ($userDetails) {
|
||||||
$licenseString = if ($licenses) { ($licenses.SkuPartNumber -join '|') } else { "No Licenses Found" }
|
# Get user license details
|
||||||
|
$licenses = Get-MgUserLicenseDetail -UserId $assignment.PrincipalId -ErrorAction SilentlyContinue
|
||||||
|
$licenseString = if ($licenses) { ($licenses.SkuPartNumber -join '|') } else { "No Licenses Found" }
|
||||||
|
|
||||||
$adminRoleUsers += [PSCustomObject]@{
|
# Collect user information
|
||||||
UserName = $userDetails.UserPrincipalName
|
$adminRoleUsers += [PSCustomObject]@{
|
||||||
RoleName = $role.DisplayName
|
UserName = $userDetails.UserPrincipalName
|
||||||
UserId = $userDetails.Id
|
RoleName = $role.DisplayName
|
||||||
HybridUser = $userDetails.OnPremisesSyncEnabled
|
UserId = $userDetails.Id
|
||||||
Licenses = $licenseString
|
HybridUser = $userDetails.OnPremisesSyncEnabled
|
||||||
|
Licenses = $licenseString
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
$uniqueAdminRoleUsers = $adminRoleUsers | Group-Object -Property UserName | ForEach-Object {
|
# Group admin role users by UserName and collect unique roles and licenses
|
||||||
$first = $_.Group | Select-Object -First 1
|
$uniqueAdminRoleUsers = $adminRoleUsers | Group-Object -Property UserName | ForEach-Object {
|
||||||
$roles = ($_.Group.RoleName -join ', ')
|
$first = $_.Group | Select-Object -First 1
|
||||||
$licenses = (($_.Group | Select-Object -ExpandProperty Licenses) -join ',').Split(',') | Select-Object -Unique
|
$roles = ($_.Group.RoleName -join ', ')
|
||||||
|
$licenses = (($_.Group | Select-Object -ExpandProperty Licenses) -join ',').Split(',') | Select-Object -Unique
|
||||||
|
|
||||||
$first | Select-Object UserName, UserId, HybridUser, @{Name = 'Roles'; Expression = { $roles } }, @{Name = 'Licenses'; Expression = { $licenses -join '|' } }
|
$first | Select-Object UserName, UserId, HybridUser, @{Name = 'Roles'; Expression = { $roles } }, @{Name = 'Licenses'; Expression = { $licenses -join '|' } }
|
||||||
}
|
}
|
||||||
|
|
||||||
$nonCompliantUsers = $uniqueAdminRoleUsers | Where-Object {
|
# Identify non-compliant users
|
||||||
$_.HybridUser -or
|
$nonCompliantUsers = $uniqueAdminRoleUsers | Where-Object {
|
||||||
-not ($_.Licenses -split '\|' | Where-Object { $validLicenses -contains $_ })
|
# Condition A: The administrative account is not cloud-only (it is synced).
|
||||||
}
|
$_.HybridUser -or
|
||||||
|
# Condition B: The account is assigned a license associated with applications.
|
||||||
|
-not ($_.Licenses -split '\|' | Where-Object { $validLicenses -contains $_ })
|
||||||
|
}
|
||||||
|
|
||||||
$failureReasons = $nonCompliantUsers | ForEach-Object {
|
# Generate failure reasons
|
||||||
$accountType = if ($_.HybridUser) { "Hybrid" } else { "Cloud-Only" }
|
$failureReasons = $nonCompliantUsers | ForEach-Object {
|
||||||
$missingLicenses = $validLicenses | Where-Object { $_ -notin ($_.Licenses -split '\|') }
|
$accountType = if ($_.HybridUser) { "Hybrid" } else { "Cloud-Only" }
|
||||||
"$($_.UserName)|$($_.Roles)|$accountType|Missing: $($missingLicenses -join ',')"
|
$missingLicenses = $validLicenses | Where-Object { $_ -notin ($_.Licenses -split '\|') }
|
||||||
}
|
"$($_.UserName)|$($_.Roles)|$accountType|Missing: $($missingLicenses -join ',')"
|
||||||
$failureReasons = $failureReasons -join "`n"
|
}
|
||||||
$details = if ($nonCompliantUsers) {
|
$failureReasons = $failureReasons -join "`n"
|
||||||
"Non-Compliant Accounts: $($nonCompliantUsers.Count)`nDetails:`n" + ($nonCompliantUsers | ForEach-Object { $_.UserName }) -join "`n"
|
$details = if ($nonCompliantUsers) {
|
||||||
}
|
"Non-Compliant Accounts: $($nonCompliantUsers.Count)`nDetails:`n" + ($nonCompliantUsers | ForEach-Object { $_.UserName }) -join "`n"
|
||||||
else {
|
} else {
|
||||||
"Compliant Accounts: $($uniqueAdminRoleUsers.Count)"
|
"Compliant Accounts: $($uniqueAdminRoleUsers.Count)"
|
||||||
}
|
}
|
||||||
|
|
||||||
$result = $nonCompliantUsers.Count -eq 0
|
$result = $nonCompliantUsers.Count -eq 0
|
||||||
$status = if ($result) { 'Pass' } else { 'Fail' }
|
$status = if ($result) { 'Pass' } else { 'Fail' }
|
||||||
$failureReason = if ($nonCompliantUsers) { "Non-compliant accounts: `nUsername | Roles | HybridStatus | Missing Licence`n$failureReasons" } else { "N/A" }
|
$failureReason = if ($nonCompliantUsers) { "Non-compliant accounts: `nUsername | Roles | HybridStatus | Missing Licence`n$failureReasons" } else { "N/A" }
|
||||||
|
|
||||||
# Create the parameter splat
|
# Create the parameter splat
|
||||||
$params = @{
|
$params = @{
|
||||||
Rec = "1.1.1"
|
Rec = $recnum
|
||||||
Result = $result
|
Result = $result
|
||||||
Status = $status
|
Status = $status
|
||||||
Details = $details
|
Details = $details
|
||||||
FailureReason = $failureReason
|
FailureReason = $failureReason
|
||||||
|
}
|
||||||
|
|
||||||
|
$auditResult = Initialize-CISAuditResult @params
|
||||||
}
|
}
|
||||||
|
catch {
|
||||||
|
Write-Error "An error occurred during the test: $_"
|
||||||
|
|
||||||
$auditResult = Initialize-CISAuditResult @params
|
# Handle the error and create a failure result
|
||||||
|
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
|
||||||
|
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
|
||||||
|
|
||||||
|
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
|
||||||
|
|
||||||
|
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
end {
|
end {
|
||||||
|
|||||||
Reference in New Issue
Block a user