add: ApprovedFederatedDomains parameter for test 8.2.1
This commit is contained in:
DrIOS
@@ -2,8 +2,8 @@ function Test-TeamsExternalAccess {
|
||||
[CmdletBinding()]
|
||||
[OutputType([CISAuditResult])]
|
||||
param (
|
||||
# Aligned
|
||||
# Parameters can be defined here if needed
|
||||
[Parameter(Mandatory = $false, HelpMessage = "Specifies the approved federated domains for the audit. Accepts an array of allowed domain names.")]
|
||||
[string[]]$ApprovedFederatedDomains
|
||||
)
|
||||
|
||||
begin {
|
||||
@@ -23,33 +23,66 @@ function Test-TeamsExternalAccess {
|
||||
# - Condition A: The `AllowTeamsConsumer` setting is `False`.
|
||||
# - Condition B: The `AllowPublicUsers` setting is `False`.
|
||||
# - Condition C: The `AllowFederatedUsers` setting is `False` or, if `True`, the `AllowedDomains` contains only authorized domain names.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `AllowTeamsConsumer` setting is not `False`.
|
||||
# - Condition B: The `AllowPublicUsers` setting is not `False`.
|
||||
# - Condition C: The `AllowFederatedUsers` setting is `True` and the `AllowedDomains` contains unauthorized domain names or is not configured correctly.
|
||||
|
||||
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
||||
|
||||
# $externalAccessConfig Mock Object
|
||||
<#
|
||||
$externalAccessConfig = [PSCustomObject]@{
|
||||
Identity = 'Global'
|
||||
AllowedDomains = 'AllowAllKnownDomains'
|
||||
BlockedDomains = @()
|
||||
AllowFederatedUsers = $true
|
||||
AllowPublicUsers = $true
|
||||
AllowTeamsConsumer = $true
|
||||
AllowTeamsConsumerInbound = $true
|
||||
}
|
||||
$ApprovedFederatedDomains = @('msn.com', 'google.com')
|
||||
$externalAccessConfig = [PSCustomObject]@{
|
||||
Identity = 'Global'
|
||||
AllowedDomains = @('msn.com', 'google.com')
|
||||
BlockedDomains = @()
|
||||
AllowFederatedUsers = $true
|
||||
AllowPublicUsers = $false
|
||||
AllowTeamsConsumer = $false
|
||||
AllowTeamsConsumerInbound = $true
|
||||
}
|
||||
#>
|
||||
$externalAccessConfig = Get-CISMSTeamsOutput -Rec $recnum
|
||||
|
||||
# Testing
|
||||
#$externalAccessConfig.AllowedDomains = @("msn.com", "google.com")
|
||||
#$externalAccessConfig.AllowTeamsConsumer = $false
|
||||
#$externalAccessConfig.AllowPublicUsers = $false
|
||||
#$externalAccessConfig.AllowFederatedUsers = $true
|
||||
# The above is for testing and will be replaced with the actual values from the Teams PowerShell output in production.
|
||||
|
||||
$allowedDomainsLimited = $false
|
||||
if ($externalAccessConfig.AllowFederatedUsers -and $externalAccessConfig.AllowedDomains -and $externalAccessConfig.AllowedDomains.AllowedDomain.Count -gt 0) {
|
||||
$allowedDomainsLimited = $true
|
||||
$allowedDomainsMatch = $false
|
||||
$invalidDomains = @()
|
||||
|
||||
if ($externalAccessConfig.AllowFederatedUsers) {
|
||||
if ($externalAccessConfig.AllowedDomains -ne 'AllowAllKnownDomains' -and $externalAccessConfig.AllowedDomains.Count -gt 0) {
|
||||
$allowedDomainsLimited = $true
|
||||
if ($ApprovedFederatedDomains) {
|
||||
$invalidDomains = $externalAccessConfig.AllowedDomains | Where-Object { $_ -notin $ApprovedFederatedDomains }
|
||||
if ($invalidDomains.Count -eq 0) {
|
||||
$invalidDomains = "None"
|
||||
}
|
||||
$allowedDomainsMatch = $invalidDomains.Count -eq 0
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Check if the configurations are as recommended
|
||||
$isCompliant = -not $externalAccessConfig.AllowTeamsConsumer -and -not $externalAccessConfig.AllowPublicUsers -and (-not $externalAccessConfig.AllowFederatedUsers -or $allowedDomainsLimited)
|
||||
$isCompliant = -not $externalAccessConfig.AllowTeamsConsumer -and -not $externalAccessConfig.AllowPublicUsers -and (-not $externalAccessConfig.AllowFederatedUsers -or ($allowedDomainsLimited -and $allowedDomainsMatch))
|
||||
|
||||
# Create an instance of CISAuditResult and populate it
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
Result = $isCompliant
|
||||
Status = if ($isCompliant) { "Pass" } else { "Fail" }
|
||||
Details = "AllowTeamsConsumer: $($externalAccessConfig.AllowTeamsConsumer); AllowPublicUsers: $($externalAccessConfig.AllowPublicUsers); AllowFederatedUsers: $($externalAccessConfig.AllowFederatedUsers); AllowedDomains limited: $allowedDomainsLimited"
|
||||
FailureReason = if (-not $isCompliant) { "One or more external access configurations are not compliant." } else { "N/A" }
|
||||
Details = "AllowTeamsConsumer: $($externalAccessConfig.AllowTeamsConsumer); AllowPublicUsers: $($externalAccessConfig.AllowPublicUsers); AllowFederatedUsers: $($externalAccessConfig.AllowFederatedUsers); AllowedDomains limited: $allowedDomainsLimited; AllowedDomains match: $allowedDomainsMatch; Invalid Domains: $($invalidDomains -join ', ')"
|
||||
FailureReason = if (-not $isCompliant) { "One or more external access configurations are not compliant. Invalid domains found: $($invalidDomains -join ', ')" } else { "N/A" }
|
||||
}
|
||||
$auditResult = Initialize-CISAuditResult @params
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user