vibecoding/M365FoundationsCISReport
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Comments steps

Browse Source
This commit is contained in:
DrIOS
2024-06-10 09:56:42 -05:00
parent 30c848e74d
commit 6ed99dbacf
1 changed files with 72 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
source/tests/Test-AdministrativeAccountCompliance.ps1
View File

@@ -8,21 +8,28 @@ function Test-AdministrativeAccountCompliance {
begin {
#. .\source\Classes\CISAuditResult.ps1
$validLicenses = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')
$recnum = "1.1.1"
}
process {
try {
# Retrieve all admin roles
$adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" }
$adminRoleUsers = @()
# Loop through each admin role to get role assignments and user details
foreach ($role in $adminRoles) {
$roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
foreach ($assignment in $roleAssignments) {
# Get user details for each principal ID
$userDetails = Get-MgUser -UserId $assignment.PrincipalId -Property "DisplayName, UserPrincipalName, Id, OnPremisesSyncEnabled" -ErrorAction SilentlyContinue
if ($userDetails) {
# Get user license details
$licenses = Get-MgUserLicenseDetail -UserId $assignment.PrincipalId -ErrorAction SilentlyContinue
$licenseString = if ($licenses) { ($licenses.SkuPartNumber -join '|') } else { "No Licenses Found" }
# Collect user information
$adminRoleUsers += [PSCustomObject]@{
UserName = $userDetails.UserPrincipalName
RoleName = $role.DisplayName
@@ -34,6 +41,7 @@ function Test-AdministrativeAccountCompliance {
}
}
# Group admin role users by UserName and collect unique roles and licenses
$uniqueAdminRoleUsers = $adminRoleUsers | Group-Object -Property UserName | ForEach-Object {
$first = $_.Group | Select-Object -First 1
$roles = ($_.Group.RoleName -join ', ')
@@ -42,11 +50,15 @@ function Test-AdministrativeAccountCompliance {
$first | Select-Object UserName, UserId, HybridUser, @{Name = 'Roles'; Expression = { $roles } }, @{Name = 'Licenses'; Expression = { $licenses -join '|' } }
}
# Identify non-compliant users
$nonCompliantUsers = $uniqueAdminRoleUsers | Where-Object {
# Condition A: The administrative account is not cloud-only (it is synced).
$_.HybridUser -or
# Condition B: The account is assigned a license associated with applications.
-not ($_.Licenses -split '\|' | Where-Object { $validLicenses -contains $_ })
}
# Generate failure reasons
$failureReasons = $nonCompliantUsers | ForEach-Object {
$accountType = if ($_.HybridUser) { "Hybrid" } else { "Cloud-Only" }
$missingLicenses = $validLicenses | Where-Object { $_ -notin ($_.Licenses -split '\|') }
@@ -55,8 +67,7 @@ function Test-AdministrativeAccountCompliance {
$failureReasons = $failureReasons -join "`n"
$details = if ($nonCompliantUsers) {
"Non-Compliant Accounts: $($nonCompliantUsers.Count)`nDetails:`n" + ($nonCompliantUsers | ForEach-Object { $_.UserName }) -join "`n"
}
else {
} else {
"Compliant Accounts: $($uniqueAdminRoleUsers.Count)"
}
@@ -66,7 +77,7 @@ function Test-AdministrativeAccountCompliance {
# Create the parameter splat
$params = @{
Rec = "1.1.1"
Rec = $recnum
Result = $result
Status = $status
Details = $details
@@ -75,6 +86,18 @@ function Test-AdministrativeAccountCompliance {
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
# Handle the error and create a failure result
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
}
}
end {
# Output the result