add: test and call for 1.1.4

2024-12-26 14:40:25 -06:00
parent 856bd0b8d8
commit 88f2566422
2 changed files with 81 additions and 4 deletions
--- a/source/Private/Get-CISMgOutput.ps1
+++ b/source/Private/Get-CISMgOutput.ps1
@@ -58,10 +58,6 @@ function Get-CISMgOutput {
                        return $AdminRoleAssignmentsAndUsers
                    }
                }
-                '1.1.4' {
-                    # 1.1.4 - MicrosoftGraphPlaceholder
-                    # Placeholder for Test-AdminAccountLicenses
-                }
                '1.1.3' {
                    # Test-GlobalAdminsCount
                    # Step: Retrieve global admin role
@@ -70,6 +66,32 @@ function Get-CISMgOutput {
                    $globalAdmins = Get-MgDirectoryRoleMember -DirectoryRoleId $globalAdminRole.Id
                    return $globalAdmins
                }
+                '1.1.4' {
+                    # 1.1.4 - MicrosoftGraphPlaceholder
+                    $DirectoryRoles = Get-MgDirectoryRole
+                    # Get privileged role IDs
+                    $PrivilegedRoles = $DirectoryRoles |
+                    Where-Object { $_.DisplayName -like '*Administrator*' -or $_.DisplayName -eq 'Global Reader' }
+                    # Get the members of these various roles
+                    $RoleMembers = $PrivilegedRoles | ForEach-Object { Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id } |
+                    Select-Object Id -Unique
+                    # Retrieve details about the members in these roles
+                    $PrivilegedUsers = $RoleMembers | ForEach-Object {
+                        Get-MgUser -UserId $_.Id -Property UserPrincipalName, DisplayName, Id
+                    }
+                    $Report = [System.Collections.Generic.List[Object]]::new()
+                    foreach ($Admin in $PrivilegedUsers) {
+                        $License = $null
+                        $License = (Get-MgUserLicenseDetail -UserId $Admin.id).SkuPartNumber -join ', '
+                        $Object = [pscustomobject][ordered]@{
+                            DisplayName       = $Admin.DisplayName
+                            UserPrincipalName = $Admin.UserPrincipalName
+                            License           = $License
+                        }
+                        $Report.Add($Object)
+                    }
+                    return $Report
+                }
                '1.2.1' {
                    # Test-ManagedApprovedPublicGroups
                    $allGroups = Get-MgGroup -All | Where-Object { $_.Visibility -eq 'Public' } | Select-Object DisplayName, Visibility
--- a/source/tests/Test-AdminAccountLicenses.ps1
+++ b/source/tests/Test-AdminAccountLicenses.ps1
@@ -0,0 +1,55 @@
+function Test-AdminAccountLicenses {
+    [CmdletBinding()]
+    param ()
+    begin {
+        # The following conditions are checked:
+        # Condition A: The administrative account is cloud-only (not synced).
+        # Condition B: The account is assigned a valid license (e.g., Microsoft Entra ID P1 or P2).
+        # Condition C: The administrative account does not have any other application assignments (only valid licenses).
+        $validLicenses = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')
+        $RecNum = "1.1.4"
+        Write-Verbose "Starting Test-AdministrativeAccountCompliance with Rec: $RecNum"
+    }
+    process {
+        try {
+            # Retrieve admin roles, assignments, and user details including licenses
+            Write-Verbose "Retrieving admin roles, assignments, and user details including licenses"
+            $Report = Get-CISMgOutput -Rec $RecNum
+            $NonCompliantUsers = $Report | Where-Object {$_.License -notin $validLicenses}
+            # Generate failure reasons
+            Write-Verbose "Generating failure reasons for non-compliant users"
+            $failureReasons = $nonCompliantUsers | ForEach-Object {
+                "$($_.DisplayName)|$($_.UserPrincipalName)|$(if ($_.License) {$_.License}else{"No licenses found"})"
+            }
+            $failureReasons = $failureReasons -join "`n"
+            $failureReason = if ($nonCompliantUsers) {
+                "Non-Compliant Accounts without only a singular P1 or P2 license and no others: $($nonCompliantUsers.Count)"
+            }
+            else {
+                "Compliant Accounts: $($uniqueAdminRoleUsers.Count)"
+            }
+            $result = $nonCompliantUsers.Count -eq 0
+            $status = if ($result) { 'Pass' } else { 'Fail' }
+            $details = if ($nonCompliantUsers) { "DisplayName | UserPrincipalName | License`n$failureReasons" } else { "N/A" }
+            Write-Verbose "Assessment completed. Result: $status"
+            # Create the parameter splat
+            $params = @{
+                Rec           = $RecNum
+                Result        = $result
+                Status        = $status
+                Details       = $details
+                FailureReason = $failureReason
+            }
+            $auditResult = Initialize-CISAuditResult @params
+        }
+        catch {
+            $LastError = $_
+            $auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
+        }
+    }
+    end {
+        # Output the result
+        return $auditResult
+    }
+}
+ #   $validLicenses = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')