diff --git a/CHANGELOG.md b/CHANGELOG.md index aaa5b22..87f5b60 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ The format is based on and uses the types of changes according to [Keep a Change ## [Unreleased] +### Added + +- Added `Grant-M365SecurityAuditConsent` function to consent to the Microsoft Graph Powershell API for a user. + +## [0.1.15] - 2024-06-26 + ### Fixed - Fixed test 8.6.1 to include all of the following properties in it's checks and output: `ReportJunkToCustomizedAddress`, `ReportNotJunkToCustomizedAddress`, `ReportPhishToCustomizedAddress`,`ReportJunkAddresses`,`ReportNotJunkAddresses`,`ReportPhishAddresses`,`ReportChatMessageEnabled`,`ReportChatMessageToCustomizedAddressEnabled` diff --git a/README.md b/README.md index daa40ca..8e92751 100644 Binary files a/README.md and b/README.md differ diff --git a/docs/index.html b/docs/index.html index e8a93e4..27236b2 100644 Binary files a/docs/index.html and b/docs/index.html differ diff --git a/help/Export-M365SecurityAuditTable.md b/help/Export-M365SecurityAuditTable.md index 6afe3bf..a2a7ba0 100644 --- a/help/Export-M365SecurityAuditTable.md +++ b/help/Export-M365SecurityAuditTable.md @@ -1,4 +1,4 @@ ---- +--- external help file: M365FoundationsCISReport-help.xml Module Name: M365FoundationsCISReport online version: https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Export-M365SecurityAuditTable @@ -110,22 +110,6 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -OutputTestNumber -The test number to output as an object. -Valid values are "1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4". - -```yaml -Type: String -Parameter Sets: OutputObjectFromAuditResultsSingle, OutputObjectFromCsvSingle -Aliases: - -Required: True -Position: 2 -Default value: None -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -ExportAllTests Switch to export all test results. 
@@ -141,6 +125,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -ExportOriginalTests +Switch to export the original audit results to a CSV file. + +```yaml +Type: SwitchParameter +Parameter Sets: ExportAllResultsFromAuditResults, ExportAllResultsFromCsv +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -ExportPath The path where the CSV files will be exported. @@ -156,8 +155,8 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -ExportOriginalTests -Switch to export the original audit results to a CSV file. +### -ExportToExcel +Switch to export the results to an Excel file. ```yaml Type: SwitchParameter @@ -171,17 +170,18 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -ExportToExcel -Switch to export the results to an Excel file. +### -OutputTestNumber +The test number to output as an object. +Valid values are "1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4". ```yaml -Type: SwitchParameter -Parameter Sets: ExportAllResultsFromAuditResults, ExportAllResultsFromCsv +Type: String +Parameter Sets: OutputObjectFromAuditResultsSingle, OutputObjectFromCsvSingle Aliases: -Required: False -Position: Named -Default value: False +Required: True +Position: 2 +Default value: None Accept pipeline input: False Accept wildcard characters: False ``` diff --git a/help/Get-AdminRoleUserLicense.md b/help/Get-AdminRoleUserLicense.md index 629903e..22625bb 100644 --- a/help/Get-AdminRoleUserLicense.md +++ b/help/Get-AdminRoleUserLicense.md @@ -1,4 +1,4 @@ ---- +--- external help file: M365FoundationsCISReport-help.xml Module Name: M365FoundationsCISReport online version: https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Get-AdminRoleUserLicense 
@@ -38,6 +38,21 @@ This example retrieves all administrative role users along with their licenses w ## PARAMETERS +### -ProgressAction +{{ Fill ProgressAction Description }} + +```yaml +Type: ActionPreference +Parameter Sets: (All) +Aliases: proga + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### -SkipGraphConnection A switch parameter that, when set, skips the connection to Microsoft Graph if already established. This is useful for batch processing or when used within scripts where multiple calls are made and the connection is managed externally. @@ -54,21 +69,6 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -ProgressAction -{{ Fill ProgressAction Description }} - -```yaml -Type: ActionPreference -Parameter Sets: (All) -Aliases: proga - -Required: False -Position: Named -Default value: None -Accept pipeline input: False -Accept wildcard characters: False -``` - ### CommonParameters This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). diff --git a/help/Get-MFAStatus.md b/help/Get-MFAStatus.md index e5accc3..9e9b878 100644 --- a/help/Get-MFAStatus.md +++ b/help/Get-MFAStatus.md @@ -1,4 +1,4 @@ ---- +--- external help file: M365FoundationsCISReport-help.xml Module Name: M365FoundationsCISReport online version: https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Get-MFAStatus 
@@ -37,17 +37,16 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com ## PARAMETERS -### -UserId -The User Principal Name (UPN) of a specific user to retrieve MFA status for. -If not provided, the function retrieves MFA status for all users. +### -ProgressAction +{{ Fill ProgressAction Description }} ```yaml -Type: String +Type: ActionPreference Parameter Sets: (All) -Aliases: +Aliases: proga Required: False -Position: 1 +Position: Named Default value: None Accept pipeline input: False Accept wildcard characters: False @@ -68,16 +67,17 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -ProgressAction -{{ Fill ProgressAction Description }} +### -UserId +The User Principal Name (UPN) of a specific user to retrieve MFA status for. +If not provided, the function retrieves MFA status for all users. ```yaml -Type: ActionPreference +Type: String Parameter Sets: (All) -Aliases: proga +Aliases: Required: False -Position: Named +Position: 1 Default value: None Accept pipeline input: False Accept wildcard characters: False diff --git a/help/Grant-M365SecurityAuditConsent.md b/help/Grant-M365SecurityAuditConsent.md new file mode 100644 index 0000000..e2c864c --- /dev/null +++ b/help/Grant-M365SecurityAuditConsent.md 
@@ -0,0 +1,179 @@ +--- +external help file: M365FoundationsCISReport-help.xml +Module Name: M365FoundationsCISReport +online version: https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Grant-M365SecurityAuditConsent +schema: 2.0.0 +--- + +# Grant-M365SecurityAuditConsent + +## SYNOPSIS +Grants Microsoft Graph permissions for an auditor. + +## SYNTAX + +``` +Grant-M365SecurityAuditConsent [-UserPrincipalNameForConsent] [-SkipGraphConnection] + [-SkipModuleCheck] [-SuppressRevertOutput] [-DoNotDisconnect] [-ProgressAction ] [-WhatIf] + [-Confirm] [] +``` + +## DESCRIPTION +This function grants the specified Microsoft Graph permissions to a user, allowing the user to perform audits. +It connects to Microsoft Graph, checks if a service principal exists for the client application, creates it if it does not exist, and then grants the specified permissions. +Finally, it assigns the app to the user. + +## EXAMPLES + +### EXAMPLE 1 +``` +Grant-M365SecurityAuditConsent -UserPrincipalNameForConsent user@example.com +``` + +Grants Microsoft Graph permissions to user@example.com for the client application with the specified Application ID. + +### EXAMPLE 2 +``` +Grant-M365SecurityAuditConsent -UserPrincipalNameForConsent user@example.com -SkipGraphConnection +``` + +Grants Microsoft Graph permissions to user@example.com, skipping the connection to Microsoft Graph. + +## PARAMETERS + +### -DoNotDisconnect +If specified, does not disconnect from Microsoft Graph after granting consent. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProgressAction +{{ Fill ProgressAction Description }} + +```yaml +Type: ActionPreference +Parameter Sets: (All) +Aliases: proga + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SkipGraphConnection +If specified, skips connecting to Microsoft Graph. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SkipModuleCheck +If specified, skips the check for the Microsoft.Graph module. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SuppressRevertOutput +If specified, suppresses the output of the revert commands. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserPrincipalNameForConsent +Specify the UPN of the user to grant consent for. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Confirm +Prompts you for confirmation before running the cmdlet. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: cf + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: wi + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +### System.Void +## NOTES +This function requires the Microsoft.Graph module version 2.4.0 or higher. + +## RELATED LINKS + +[https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Grant-M365SecurityAuditConsent](https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Grant-M365SecurityAuditConsent) + diff --git a/help/Invoke-M365SecurityAudit.md b/help/Invoke-M365SecurityAudit.md index 1ee9ffc..706ab6f 100644 --- a/help/Invoke-M365SecurityAudit.md +++ b/help/Invoke-M365SecurityAudit.md @@ -1,4 +1,4 @@ ---- +--- external help file: M365FoundationsCISReport-help.xml Module Name: M365FoundationsCISReport online version: https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Invoke-M365SecurityAudit 
@@ -164,34 +164,47 @@ What if: Performing the operation "Invoke-M365SecurityAudit" on target "Microsof ## PARAMETERS -### -TenantAdminUrl -The URL of the tenant admin. -If not specified, none of the SharePoint Online tests will run. +### -DoNotConfirmConnections +If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them. ```yaml -Type: String +Type: SwitchParameter Parameter Sets: (All) Aliases: Required: False Position: Named -Default value: None +Default value: False Accept pipeline input: False Accept wildcard characters: False ``` -### -M365DomainForPWPolicyTest -The domain name of the Microsoft 365 environment to test. -This parameter is not mandatory and by default it will pass/fail all found domains as a group if a specific domain is not specified. +### -DoNotConnect +If specified, the cmdlet will not establish a connection to Microsoft 365 services. ```yaml -Type: String +Type: SwitchParameter Parameter Sets: (All) Aliases: Required: False Position: Named -Default value: None +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DoNotDisconnect +If specified, the cmdlet will not disconnect from Microsoft 365 services after execution. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False Accept pipeline input: False Accept wildcard characters: False ``` @@ -212,22 +225,6 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -ProfileLevel -Specifies the profile level (L1 or L2) for the audit. -This parameter is optional and can be combined with the ELevel parameter. - -```yaml -Type: String -Parameter Sets: ELevelFilter -Aliases: - -Required: True -Position: Named -Default value: None -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -IncludeIG1 If specified, includes tests where IG1 is true. 
@@ -289,52 +286,22 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -SkipRecommendation -Specifies specific recommendations to exclude from the audit. -Accepts an array of recommendation numbers. +### -M365DomainForPWPolicyTest +The domain name of the Microsoft 365 environment to test. +This parameter is not mandatory and by default it will pass/fail all found domains as a group if a specific domain is not specified. ```yaml -Type: String[] -Parameter Sets: SkipRecFilter +Type: String +Parameter Sets: (All) Aliases: -Required: True +Required: False Position: Named Default value: None Accept pipeline input: False Accept wildcard characters: False ``` -### -DoNotConnect -If specified, the cmdlet will not establish a connection to Microsoft 365 services. - -```yaml -Type: SwitchParameter -Parameter Sets: (All) -Aliases: - -Required: False -Position: Named -Default value: False -Accept pipeline input: False -Accept wildcard characters: False -``` - -### -DoNotDisconnect -If specified, the cmdlet will not disconnect from Microsoft 365 services after execution. - -```yaml -Type: SwitchParameter -Parameter Sets: (All) -Aliases: - -Required: False -Position: Named -Default value: False -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -NoModuleCheck If specified, the cmdlet will not check for the presence of required modules. 
@@ -350,29 +317,61 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -DoNotConfirmConnections -If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them. +### -ProfileLevel +Specifies the profile level (L1 or L2) for the audit. +This parameter is optional and can be combined with the ELevel parameter. ```yaml -Type: SwitchParameter -Parameter Sets: (All) +Type: String +Parameter Sets: ELevelFilter Aliases: -Required: False +Required: True Position: Named -Default value: False +Default value: None Accept pipeline input: False Accept wildcard characters: False ``` -### -WhatIf -Shows what would happen if the cmdlet runs. -The cmdlet is not run. +### -ProgressAction +{{ Fill ProgressAction Description }} ```yaml -Type: SwitchParameter +Type: ActionPreference Parameter Sets: (All) -Aliases: wi +Aliases: proga + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SkipRecommendation +Specifies specific recommendations to exclude from the audit. +Accepts an array of recommendation numbers. + +```yaml +Type: String[] +Parameter Sets: SkipRecFilter +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TenantAdminUrl +The URL of the tenant admin. +If not specified, none of the SharePoint Online tests will run. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Required: False Position: Named @@ -396,13 +395,14 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -ProgressAction -{{ Fill ProgressAction Description }} +### -WhatIf +Shows what would happen if the cmdlet runs. +The cmdlet is not run. ```yaml -Type: ActionPreference +Type: SwitchParameter Parameter Sets: (All) -Aliases: proga +Aliases: wi Required: False Position: Named 
diff --git a/help/Remove-RowsWithEmptyCSVStatus.md b/help/Remove-RowsWithEmptyCSVStatus.md index 8582a86..eca797b 100644 --- a/help/Remove-RowsWithEmptyCSVStatus.md +++ b/help/Remove-RowsWithEmptyCSVStatus.md @@ -1,4 +1,4 @@ ---- +--- external help file: M365FoundationsCISReport-help.xml Module Name: M365FoundationsCISReport online version: @@ -46,21 +46,6 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -WorksheetName -The name of the worksheet within the Excel file to be processed. - -```yaml -Type: String -Parameter Sets: (All) -Aliases: - -Required: True -Position: 2 -Default value: None -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -ProgressAction {{ Fill ProgressAction Description }} @@ -76,6 +61,21 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -WorksheetName +The name of the worksheet within the Excel file to be processed. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### CommonParameters This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). diff --git a/help/Sync-CISExcelAndCsvData.md b/help/Sync-CISExcelAndCsvData.md index e412199..663e3e4 100644 --- a/help/Sync-CISExcelAndCsvData.md +++ b/help/Sync-CISExcelAndCsvData.md @@ -1,4 +1,4 @@ ---- +--- external help file: M365FoundationsCISReport-help.xml Module Name: M365FoundationsCISReport online version: https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Sync-CISExcelAndCsvData 
@@ -32,22 +32,6 @@ Updates the 'AuditData' worksheet in 'excel.xlsx' with data from 'data.csv', add ## PARAMETERS -### -ExcelPath -Specifies the path to the Excel file to be updated. -This parameter is mandatory. - -```yaml -Type: String -Parameter Sets: (All) -Aliases: - -Required: False -Position: 1 -Default value: None -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -CsvPath Specifies the path to the CSV file containing new data. This parameter is mandatory. @@ -64,8 +48,8 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -SheetName -Specifies the name of the worksheet in the Excel file where data will be merged and updated. +### -ExcelPath +Specifies the path to the Excel file to be updated. This parameter is mandatory. ```yaml @@ -74,7 +58,7 @@ Parameter Sets: (All) Aliases: Required: False -Position: 3 +Position: 1 Default value: None Accept pipeline input: False Accept wildcard characters: False @@ -95,6 +79,22 @@ Accept pipeline input: False Accept wildcard characters: False ``` +### -SheetName +Specifies the name of the worksheet in the Excel file where data will be merged and updated. +This parameter is mandatory. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + ### CommonParameters This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). diff --git a/help/about_M365FoundationsCISReport.md b/help/about_M365FoundationsCISReport.md index 6a2e671..709b089 100644 --- a/help/about_M365FoundationsCISReport.md +++ b/help/about_M365FoundationsCISReport.md 
@@ -33,6 +33,9 @@ Remove-RowsWithEmptyCSVStatus -FilePath "C:\Reports\Report.xlsx" -WorksheetName # Example 6: Synchronizing CIS benchmark data with audit results Sync-CISExcelAndCsvData -ExcelPath "path\to\excel.xlsx" -CsvPath "path\to\data.csv" -SheetName "Combined Profiles"
+
+# Example 7: Granting Microsoft Graph permissions to the auditor
+Grant-M365SecurityAuditConsent -UserPrincipalNameForConsent 'user@example.com'
 ```
 # NOTE
diff --git a/helpers/Build-Help.ps1 b/helpers/Build-Help.ps1
index ef68208..ab6e3fe 100644
--- a/helpers/Build-Help.ps1
+++ b/helpers/Build-Help.ps1
@@ -4,7 +4,7 @@ Import-Module .\output\module\M365FoundationsCISReport\*\*.psd1 <#
- $ver = "v0.1.14"
+ $ver = "v0.1.15"
 git checkout main git pull origin main git tag -a $ver -m "Release version $ver refactor Update"
@@ -39,4 +39,26 @@ $parameters = @{ } Update-MarkdownHelpModule @parameters -Force Update-MarkdownHelpModule -Path ".\help" -RefreshModulePage -Force
-New-ExternalHelp -Path ".\help" -OutputPath ".\source\en-US" -force
\ No newline at end of file
+New-ExternalHelp -Path ".\help" -OutputPath ".\source\en-US" -force
+
+
+
+# Install Secret Management
+Install-Module -Name "Microsoft.PowerShell.SecretManagement", `
+"SecretManagement.JustinGrote.CredMan" -Scope CurrentUser
+
+# Register Vault
+Register-SecretVault -Name ModuleBuildCreds -ModuleName `
+"SecretManagement.JustinGrote.CredMan" -ErrorAction Stop
+
+
+Set-Secret -Name "GalleryApiToken" -Vault ModuleBuildCreds
+Set-Secret -Name "GitHubToken" -Vault ModuleBuildCreds
+
+
+$GalleryApiToken = Get-Secret -Name "GalleryApiToken" -Vault ModuleBuildCreds -AsPlainText
+$GitHubToken = Get-Secret -Name "GitHubToken" -Vault ModuleBuildCreds -AsPlainText
+
+
+$GalleryApiToken
+$GitHubToken
diff --git a/source/Public/Grant-M365SecurityAuditConsent.ps1 b/source/Public/Grant-M365SecurityAuditConsent.ps1
new file mode 100644
index 0000000..0b13d9c
--- /dev/null
+++ b/source/Public/Grant-M365SecurityAuditConsent.ps1
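Review bot: The last two added lines of the Build-Help.ps1 hunk, `$GalleryApiToken` and `$GitHubToken`, print both publishing tokens to the console in plaintext, where they end up in the PowerShell transcript, terminal scrollback and any CI log, and the `-AsPlainText` on the two `Get-Secret` calls just above already discards the SecureString the vault hands back. Delete the two echo lines and keep the tokens protected until the publish call actually needs them, e.g. `$GalleryApiToken = Get-Secret -Name "GalleryApiToken" -Vault ModuleBuildCreds` without `-AsPlainText`, converting only at the point of use. `Set-Secret` is called without a `-Secret` argument, which appears to rely on an interactive prompt for the value, so a comment such as `# One-time interactive setup: run by hand, never unattended` above `Install-Module` would make clear this tail of the script is not meant to execute as part of the build. Moving this block into its own helper, or at least a `#region` with that comment, would also keep secret handling out of the help-generation script that is run routinely.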
@@ -0,0 +1,182 @@
+<#
+ .SYNOPSIS
+ Grants Microsoft Graph permissions for an auditor.
+ .DESCRIPTION
+ This function grants the specified Microsoft Graph permissions to a user, allowing the user to perform audits. It connects to Microsoft Graph, checks if a service principal exists for the client application, creates it if it does not exist, and then grants the specified permissions. Finally, it assigns the app to the user.
+ .PARAMETER UserPrincipalNameForConsent
+ The UPN or ID of the user to grant consent for.
+ .PARAMETER SkipGraphConnection
+ If specified, skips connecting to Microsoft Graph.
+ .PARAMETER DoNotDisconnect
+ If specified, does not disconnect from Microsoft Graph after granting consent.
+ .PARAMETER SkipModuleCheck
+ If specified, skips the check for the Microsoft.Graph module.
+ .PARAMETER SuppressRevertOutput
+ If specified, suppresses the output of the revert commands.
+ .EXAMPLE
+ Grant-M365SecurityAuditConsent -UserPrincipalNameForConsent user@example.com
+
+ Grants Microsoft Graph permissions to user@example.com for the client application with the specified Application ID.
+ .EXAMPLE
+ Grant-M365SecurityAuditConsent -UserPrincipalNameForConsent user@example.com -SkipGraphConnection
+
+ Grants Microsoft Graph permissions to user@example.com, skipping the connection to Microsoft Graph.
+ .NOTES
+ This function requires the Microsoft.Graph module version 2.4.0 or higher.
+ .LINK
+ https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Grant-M365SecurityAuditConsent
+#>
+function Grant-M365SecurityAuditConsent {
+ [CmdletBinding(
+ SupportsShouldProcess = $true,
+ ConfirmImpact = 'High'
+ )]
+ [OutputType([void])]
+ param (
+ [Parameter(
+ Mandatory = $true,
+ Position = 0,
+ ValueFromPipeline = $true,
+ ValueFromPipelineByPropertyName = $true,
+ HelpMessage = 'Specify the UPN of the user to grant consent for.'
+ )]
+ [ValidatePattern('^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')]
+ [String]$UserPrincipalNameForConsent,
+ [Parameter(
+ Mandatory = $false,
+ HelpMessage = 'Skip connecting to Microsoft Graph.'
+ )]
+ [switch]$SkipGraphConnection,
+ [Parameter(
+ Mandatory = $false,
+ HelpMessage = 'Skip the check for the Microsoft.Graph module.'
+ )]
+ [switch]$SkipModuleCheck,
+ [Parameter(
+ Mandatory = $false,
+ HelpMessage = 'Suppress the output of the revert commands.'
+ )]
+ [switch]$SuppressRevertOutput,
+ [Parameter(
+ Mandatory = $false,
+ HelpMessage = 'Do not disconnect from Microsoft Graph after granting consent.'
+ )]
+ [switch]$DoNotDisconnect
+ )
+ begin {
+ if (!($SkipModuleCheck)) {
+ Assert-ModuleAvailability -ModuleName Microsoft.Graph -RequiredVersion "2.4.0"
+ }
+ # Adjusted from: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-consent-single-user?pivots=msgraph-powershell
+ # Needed: A user account with a Privileged Role Administrator, Application Administrator, or Cloud Application Administrator
+ # The app for which consent is being granted.
+ $clientAppId = "14d82eec-204b-4c2f-b7e8-296a70dab67e" # Microsoft Graph PowerShell
+ # The API to which access will be granted. Microsoft Graph PowerShell makes API
+ # requests to the Microsoft Graph API, so we'll use that here.
+ $resourceAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph API
+ # The permissions to grant.
+ $permissions = @("Directory.Read.All", "Domain.Read.All", "Policy.Read.All", "Organization.Read.All")
+ # The user on behalf of whom access will be granted. The app will be able to access
+ # the API on behalf of this user.
+ $userUpnOrId = $UserPrincipalNameForConsent
+ }
+ process {
+ try {
+ if (-not $SkipGraphConnection -and $PSCmdlet.ShouldProcess("Scopes: User.ReadBasic.All, Application.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All, AppRoleAssignment.ReadWrite.All", "Connect-MgGraph")) {
+ # Step 0. Connect to Microsoft Graph PowerShell. We need User.ReadBasic.All to get
+ # users' IDs, Application.ReadWrite.All to list and create service principals,
+ # DelegatedPermissionGrant.ReadWrite.All to create delegated permission grants,
+ # and AppRoleAssignment.ReadWrite.All to assign an app role.
+ # WARNING: These are high-privilege permissions!
+ Write-Host "Connecting to Microsoft Graph with scopes: User.ReadBasic.All, Application.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All, AppRoleAssignment.ReadWrite.All" -ForegroundColor Yellow
+ Connect-MgGraph -Scopes ("User.ReadBasic.All Application.ReadWrite.All " + "DelegatedPermissionGrant.ReadWrite.All " + "AppRoleAssignment.ReadWrite.All") -NoWelcome
+ $context = Get-MgContext
+ Write-Host "Connected to Microsoft Graph with user: $(($context.Account)) with the authtype `"$($context.AuthType)`" for the `"$($context.Environment)`" environment." -ForegroundColor Green
+ }
+ }
+ catch {
+ throw "Connection execution aborted: $_"
+ break
+ }
+ try {
+ if ($PSCmdlet.ShouldProcess("Create Microsoft Graph API service princial if not found", "New-MgServicePrincipal")) {
+ # Step 1. Check if a service principal exists for the client application.
+ # If one doesn't exist, create it.
+ $clientSp = Get-MgServicePrincipal -Filter "appId eq '$($clientAppId)'" -ErrorAction SilentlyContinue
+ if (-not $clientSp) {
+ Write-Host "Client service principal not found. Creating one." -ForegroundColor Yellow
+ $clientSp = New-MgServicePrincipal -AppId $clientAppId
+ }
+ $user = Get-MgUser -UserId $userUpnOrId
+ if (!($user)) {
+ throw "User with UPN or ID `"$userUpnOrId`" not found."
+ }
+ Write-Verbose "User: $($user.UserPrincipalName) Found!"
+ $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$($resourceAppId)'"
+ $scopeToGrant = $permissions -join " "
+ $existingGrant = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($clientSp.Id)' and principalId eq '$($user.Id)' and resourceId eq '$($resourceSp.Id)'"
+ }
+ if (-not $existingGrant -and $PSCmdlet.ShouldProcess("User: $userUpnOrId for Microsoft Graph PowerShell Scopes: $($permissions -join ', ')", "New-MgOauth2PermissionGrant: Granting Consent")) {
+ # Step 2. Create a delegated permission that grants the client app access to the
+ # API, on behalf of the user.
+ $grant = New-MgOauth2PermissionGrant -ResourceId $resourceSp.Id -Scope $scopeToGrant -ClientId $clientSp.Id -ConsentType "Principal" -PrincipalId $user.Id
+ Write-Host "Consent granted to user $($user.UserPrincipalName) for Microsoft Graph API with scopes: $((($grant.Scope) -split ' ') -join ', ')" -ForegroundColor Green
+ }
+ if ($existingGrant -and $PSCmdlet.ShouldProcess("Update existing Microsoft Graph permissions for user $userUpnOrId", "Update-MgOauth2PermissionGrant")) {
+ # Step 2. Update the existing permission grant with the new scopes.
+ Write-Host "Updating existing permission grant for user $($user.UserPrincipalName)." -ForegroundColor Yellow
+ $updatedGrant = Update-MgOauth2PermissionGrant -PermissionGrantId $existingGrant.Id -Scope $scopeToGrant -Confirm:$false
+ Write-Host "Updated permission grant with ID $($updatedGrant.Id) for scopes: $scopeToGrant" -ForegroundColor Green
+ }
+ if ($PSCmdlet.ShouldProcess("Assigning app to user $userUpnOrId", "New-MgServicePrincipalAppRoleAssignedTo")) {
+ # Step 3. Assign the app to the user. This ensures that the user can sign in if assignment
+ # is required, and ensures that the app shows up under the user's My Apps portal.
+ if ($clientSp.AppRoles | Where-Object { $_.AllowedMemberTypes -contains "User" }) {
+ Write-Warning "A default app role assignment cannot be created because the client application exposes user-assignable app roles. You must assign the user a specific app role for the app to be listed in the user's My Apps access panel."
+ }
+ else {
+ # The app role ID 00000000-0000-0000-0000-000000000000 is the default app role
+ # indicating that the app is assigned to the user, but not for any specific
+ # app role.
+ $assignment = New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $clientSp.Id -ResourceId $clientSp.Id -PrincipalId $user.Id -AppRoleId "00000000-0000-0000-0000-000000000000"
+ # $assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $assignment.ResourceId -All -WhatIf
+ }
+ }
+ }
+ catch {
+ throw "An error occurred while granting consent:`n$_"
+ }
+ finally {
+ if (!($DoNotDisconnect) -and $PSCmdlet.ShouldProcess("Disconnect from Microsoft Graph", "Disconnect")) {
+ # Clean up sessions
+ Write-Host "Disconnecting from Microsoft Graph." -ForegroundColor Yellow
+ Disconnect-MgGraph | Out-Null
+ }
+ }
+ }
+ end {
+ if (-not $SuppressRevertOutput -and $PSCmdlet.ShouldProcess("Instructions to undo this change", "Generate Revert Commands")) {
+ <#
+ # Instructions to revert the changes made by this script
+ $resourceAppId = "00000003-0000-0000-c000-000000000000"
+ $clientAppId = "14d82eec-204b-4c2f-b7e8-296a70dab67e"
+ # Get the user object
+ #$user = Get-MgUser -UserId "user@example.com"
+ $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$($resourceAppId)'"
+ # Get the service principal using $clientAppId
+ $clientSp = Get-MgServicePrincipal -Filter "appId eq '$($clientAppId)'"
+ $existingGrant = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($clientSp.Id)' and principalId eq '$($user.Id)' and resourceId eq '$($resourceSp.Id)'"
+ # Get all app role assignments for the service principal
+ $appRoleAssignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $clientSp.Id -All
+ # At index of desired user assignment
+ Remove-MgServicePrincipalAppRoleAssignedTo -AppRoleAssignmentId $appRoleAssignments[1].Id -ServicePrincipalId $clientSp.Id
+ Remove-MgOAuth2PermissionGrant -OAuth2PermissionGrantId $existingGrant.Id
+ #>
+ Write-Host "App assigned to user $($assignment.PrincipalDisplayName) for $($assignment.ResourceDisplayName) at $($assignment.CreatedDateTime)." -ForegroundColor Green
+ Write-Host "If you made a mistake and would like to remove the assignement for `"$($user.UserPrincipalName)`", you can run the following:`n" -ForegroundColor Yellow
+ Write-Host "Connect-MgGraph -Scopes (`"User.ReadBasic.All Application.ReadWrite.All `" + `"DelegatedPermissionGrant.ReadWrite.All `" + `"AppRoleAssignment.ReadWrite.All`")" -ForegroundColor Cyan
+ Write-Host "Remove-MgServicePrincipalAppRoleAssignedTo -AppRoleAssignmentId `"$($assignment.Id)`" -ServicePrincipalId `"$($assignment.ResourceId)`"" -ForegroundColor Cyan
+ Write-Host "Remove-MgOAuth2PermissionGrant -OAuth2PermissionGrantId `"$($grant.Id)`"" -ForegroundColor Cyan
+ }
+ }
+}
diff --git a/source/en-US/M365FoundationsCISReport-help.xml b/source/en-US/M365FoundationsCISReport-help.xml
index 9b00f7e..4ea02c5 100644
--- a/source/en-US/M365FoundationsCISReport-help.xml
+++ b/source/en-US/M365FoundationsCISReport-help.xml
@@ -77,6 +77,17 @@ None + + ExportOriginalTests + + Switch to export the original audit results to a CSV file. + + + SwitchParameter + + + False + ExportPath
@@ -89,17 +100,6 @@ None - - ExportOriginalTests - - Switch to export the original audit results to a CSV file. - - - SwitchParameter - - - False - ExportToExcel
@@ -188,6 +188,17 @@ None + + ExportOriginalTests + + Switch to export the original audit results to a CSV file. + + + SwitchParameter + + + False + ExportPath
@@ -200,17 +211,6 @@ None - - ExportOriginalTests - - Switch to export the original audit results to a CSV file. - - - SwitchParameter - - - False - ExportToExcel
@@ -261,18 +261,6 @@ None - - OutputTestNumber - - The test number to output as an object. Valid values are "1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4". - - String - - String - - - None - ExportAllTests
@@ -285,6 +273,18 @@ False + + ExportOriginalTests + + Switch to export the original audit results to a CSV file. + + SwitchParameter + + SwitchParameter + + + False + ExportPath
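Review bot: The revert instructions in the `end` block read `$grant.Id`, but `$grant` is only assigned on the new-grant branch of `process`; when an existing grant was found the update branch stores its result in `$updatedGrant`, so the printed `Remove-MgOAuth2PermissionGrant -OAuth2PermissionGrantId ""` is unusable, and `$assignment` is likewise empty whenever the app-roles `Write-Warning` branch ran. Resolving the id before printing, `$grantId = if ($grant) { $grant.Id } else { $existingGrant.Id }`, and wrapping the two assignment lines in `if ($assignment) { ... }` fixes both. On the update path, `Update-MgOauth2PermissionGrant -Scope $scopeToGrant` replaces the user's entire existing scope string for the shared first-party Microsoft Graph PowerShell client (appId `14d82eec-…`) with these four scopes, silently dropping anything other tooling had consented to; merging instead, `$scopeToGrant = ((($existingGrant.Scope -split ' ') + $permissions) | Where-Object { $_ } | Select-Object -Unique) -join ' '`, avoids that regression. The `.NOTES` should state that the consent attaches to that shared client, so any script the user signs into Microsoft Graph PowerShell with inherits Directory.Read.All, Domain.Read.All, Policy.Read.All and Organization.Read.All, and that the connecting admin is asked for Application.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All and AppRoleAssignment.ReadWrite.All, which are tenant-wide write permissions. Finally, the `.PARAMETER` text says "UPN or ID" while `[ValidatePattern]` rejects anything that is not an e-mail-shaped UPN, so the doc line should read `The UPN of the user to grant consent for.`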
@@ -297,18 +297,6 @@ None - - ExportOriginalTests - - Switch to export the original audit results to a CSV file. - - SwitchParameter - - SwitchParameter - - - False - ExportToExcel @@ -321,6 +309,18 @@ False + + OutputTestNumber + + The test number to output as an object. Valid values are "1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4". + + String + + String + + + None + ProgressAction @@ -431,17 +431,6 @@ Get-AdminRoleUserLicense - - SkipGraphConnection - - A switch parameter that, when set, skips the connection to Microsoft Graph if already established. This is useful for batch processing or when used within scripts where multiple calls are made and the connection is managed externally. - - - SwitchParameter - - - False - ProgressAction @@ -454,21 +443,20 @@ None + + SkipGraphConnection + + A switch parameter that, when set, skips the connection to Microsoft Graph if already established. This is useful for batch processing or when used within scripts where multiple calls are made and the connection is managed externally. + + + SwitchParameter + + + False + - - SkipGraphConnection - - A switch parameter that, when set, skips the connection to Microsoft Graph if already established. This is useful for batch processing or when used within scripts where multiple calls are made and the connection is managed externally. - - SwitchParameter - - SwitchParameter - - - False - ProgressAction @@ -481,6 +469,18 @@ None + + SkipGraphConnection + + A switch parameter that, when set, skips the connection to Microsoft Graph if already established. This is useful for batch processing or when used within scripts where multiple calls are made and the connection is managed externally. + + SwitchParameter + + SwitchParameter + + + False + @@ -565,17 +565,6 @@ None - - SkipMSOLConnectionChecks - - {{ Fill SkipMSOLConnectionChecks Description }} - - - SwitchParameter - - - False - ProgressAction 
@@ -588,17 +577,28 @@ None + + SkipMSOLConnectionChecks + + {{ Fill SkipMSOLConnectionChecks Description }} + + + SwitchParameter + + + False + - - UserId + + ProgressAction - The User Principal Name (UPN) of a specific user to retrieve MFA status for. If not provided, the function retrieves MFA status for all users. + {{ Fill ProgressAction Description }} - String + ActionPreference - String + ActionPreference None @@ -615,14 +615,14 @@ False - - ProgressAction + + UserId - {{ Fill ProgressAction Description }} + The User Principal Name (UPN) of a specific user to retrieve MFA status for. If not provided, the function retrieves MFA status for all users. - ActionPreference + String - ActionPreference + String None 
@@ -733,6 +733,250 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com + + + Grant-M365SecurityAuditConsent + Grant + M365SecurityAuditConsent + + Grants Microsoft Graph permissions for an auditor. + + + + This function grants the specified Microsoft Graph permissions to a user, allowing the user to perform audits. It connects to Microsoft Graph, checks if a service principal exists for the client application, creates it if it does not exist, and then grants the specified permissions. Finally, it assigns the app to the user. + + + + Grant-M365SecurityAuditConsent + + UserPrincipalNameForConsent + + Specify the UPN of the user to grant consent for. + + String + + String + + + None + + + DoNotDisconnect + + If specified, does not disconnect from Microsoft Graph after granting consent. + + + SwitchParameter + + + False + + + ProgressAction + + {{ Fill ProgressAction Description }} + + ActionPreference + + ActionPreference + + + None + + + SkipGraphConnection + + If specified, skips connecting to Microsoft Graph. + + + SwitchParameter + + + False + + + SkipModuleCheck + + If specified, skips the check for the Microsoft.Graph module. + + + SwitchParameter + + + False + + + SuppressRevertOutput + + If specified, suppresses the output of the revert commands. + + + SwitchParameter + + + False + + + Confirm + + Prompts you for confirmation before running the cmdlet. + + + SwitchParameter + + + False + + + WhatIf + + Shows what would happen if the cmdlet runs. The cmdlet is not run. + + + SwitchParameter + + + False + + + + + + DoNotDisconnect + + If specified, does not disconnect from Microsoft Graph after granting consent. + + SwitchParameter + + SwitchParameter + + + False + + + ProgressAction + + {{ Fill ProgressAction Description }} + + ActionPreference + + ActionPreference + + + None + + + SkipGraphConnection + + If specified, skips connecting to Microsoft Graph. 
+ + SwitchParameter + + SwitchParameter + + + False + + + SkipModuleCheck + + If specified, skips the check for the Microsoft.Graph module. + + SwitchParameter + + SwitchParameter + + + False + + + SuppressRevertOutput + + If specified, suppresses the output of the revert commands. + + SwitchParameter + + SwitchParameter + + + False + + + UserPrincipalNameForConsent + + Specify the UPN of the user to grant consent for. + + String + + String + + + None + + + Confirm + + Prompts you for confirmation before running the cmdlet. + + SwitchParameter + + SwitchParameter + + + False + + + WhatIf + + Shows what would happen if the cmdlet runs. The cmdlet is not run. + + SwitchParameter + + SwitchParameter + + + False + + + + + + + System.Void + + + + + + + + + This function requires the Microsoft.Graph module version 2.4.0 or higher. + + + + + -------------------------- EXAMPLE 1 -------------------------- + Grant-M365SecurityAuditConsent -UserPrincipalNameForConsent user@example.com + + Grants Microsoft Graph permissions to user@example.com for the client application with the specified Application ID. + + + + -------------------------- EXAMPLE 2 -------------------------- + Grant-M365SecurityAuditConsent -UserPrincipalNameForConsent user@example.com -SkipGraphConnection + + Grants Microsoft Graph permissions to user@example.com, skipping the connection to Microsoft Graph. + + + + + + https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Grant-M365SecurityAuditConsent + https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Grant-M365SecurityAuditConsent + + + Invoke-M365SecurityAudit 
@@ -749,28 +993,37 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com Invoke-M365SecurityAudit - TenantAdminUrl + DoNotConfirmConnections - The URL of the tenant admin. If not specified, none of the SharePoint Online tests will run. + If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them. - String - String + SwitchParameter - None + False - M365DomainForPWPolicyTest + DoNotConnect - The domain name of the Microsoft 365 environment to test. This parameter is not mandatory and by default it will pass/fail all found domains as a group if a specific domain is not specified. + If specified, the cmdlet will not establish a connection to Microsoft 365 services. - String - String + SwitchParameter - None + False + + + DoNotDisconnect + + If specified, the cmdlet will not disconnect from Microsoft 365 services after execution. + + + SwitchParameter + + + False ELevel @@ -784,6 +1037,29 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com None + + M365DomainForPWPolicyTest + + The domain name of the Microsoft 365 environment to test. This parameter is not mandatory and by default it will pass/fail all found domains as a group if a specific domain is not specified. + + String + + String + + + None + + + NoModuleCheck + + If specified, the cmdlet will not check for the presence of required modules. + + + SwitchParameter + + + False + ProfileLevel 
@@ -796,6 +1072,66 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com None + + ProgressAction + + {{ Fill ProgressAction Description }} + + ActionPreference + + ActionPreference + + + None + + + TenantAdminUrl + + The URL of the tenant admin. If not specified, none of the SharePoint Online tests will run. + + String + + String + + + None + + + Confirm + + Prompts you for confirmation before running the cmdlet. + + + SwitchParameter + + + False + + + WhatIf + + Shows what would happen if the cmdlet runs. The cmdlet is not run. + + + SwitchParameter + + + False + + + + Invoke-M365SecurityAudit + + DoNotConfirmConnections + + If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them. + + + SwitchParameter + + + False + DoNotConnect 
@@ -818,89 +1154,6 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com False - - NoModuleCheck - - If specified, the cmdlet will not check for the presence of required modules. - - - SwitchParameter - - - False - - - DoNotConfirmConnections - - If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them. - - - SwitchParameter - - - False - - - WhatIf - - Shows what would happen if the cmdlet runs. The cmdlet is not run. - - - SwitchParameter - - - False - - - Confirm - - Prompts you for confirmation before running the cmdlet. - - - SwitchParameter - - - False - - - ProgressAction - - {{ Fill ProgressAction Description }} - - ActionPreference - - ActionPreference - - - None - - - - Invoke-M365SecurityAudit - - TenantAdminUrl - - The URL of the tenant admin. If not specified, none of the SharePoint Online tests will run. - - String - - String - - - None - - - M365DomainForPWPolicyTest - - The domain name of the Microsoft 365 environment to test. This parameter is not mandatory and by default it will pass/fail all found domains as a group if a specific domain is not specified. - - String - - String - - - None - IncludeIG1 
@@ -912,6 +1165,89 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com False + + M365DomainForPWPolicyTest + + The domain name of the Microsoft 365 environment to test. This parameter is not mandatory and by default it will pass/fail all found domains as a group if a specific domain is not specified. + + String + + String + + + None + + + NoModuleCheck + + If specified, the cmdlet will not check for the presence of required modules. + + + SwitchParameter + + + False + + + ProgressAction + + {{ Fill ProgressAction Description }} + + ActionPreference + + ActionPreference + + + None + + + TenantAdminUrl + + The URL of the tenant admin. If not specified, none of the SharePoint Online tests will run. + + String + + String + + + None + + + Confirm + + Prompts you for confirmation before running the cmdlet. + + + SwitchParameter + + + False + + + WhatIf + + Shows what would happen if the cmdlet runs. The cmdlet is not run. + + + SwitchParameter + + + False + + + + Invoke-M365SecurityAudit + + DoNotConfirmConnections + + If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them. + + + SwitchParameter + + + False + DoNotConnect 
@@ -934,89 +1270,6 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com False - - NoModuleCheck - - If specified, the cmdlet will not check for the presence of required modules. - - - SwitchParameter - - - False - - - DoNotConfirmConnections - - If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them. - - - SwitchParameter - - - False - - - WhatIf - - Shows what would happen if the cmdlet runs. The cmdlet is not run. - - - SwitchParameter - - - False - - - Confirm - - Prompts you for confirmation before running the cmdlet. - - - SwitchParameter - - - False - - - ProgressAction - - {{ Fill ProgressAction Description }} - - ActionPreference - - ActionPreference - - - None - - - - Invoke-M365SecurityAudit - - TenantAdminUrl - - The URL of the tenant admin. If not specified, none of the SharePoint Online tests will run. - - String - - String - - - None - - - M365DomainForPWPolicyTest - - The domain name of the Microsoft 365 environment to test. This parameter is not mandatory and by default it will pass/fail all found domains as a group if a specific domain is not specified. - - String - - String - - - None - IncludeIG2 
@@ -1028,6 +1281,89 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com False + + M365DomainForPWPolicyTest + + The domain name of the Microsoft 365 environment to test. This parameter is not mandatory and by default it will pass/fail all found domains as a group if a specific domain is not specified. + + String + + String + + + None + + + NoModuleCheck + + If specified, the cmdlet will not check for the presence of required modules. + + + SwitchParameter + + + False + + + ProgressAction + + {{ Fill ProgressAction Description }} + + ActionPreference + + ActionPreference + + + None + + + TenantAdminUrl + + The URL of the tenant admin. If not specified, none of the SharePoint Online tests will run. + + String + + String + + + None + + + Confirm + + Prompts you for confirmation before running the cmdlet. + + + SwitchParameter + + + False + + + WhatIf + + Shows what would happen if the cmdlet runs. The cmdlet is not run. + + + SwitchParameter + + + False + + + + Invoke-M365SecurityAudit + + DoNotConfirmConnections + + If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them. + + + SwitchParameter + + + False + DoNotConnect 
@@ -1050,89 +1386,6 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com False - - NoModuleCheck - - If specified, the cmdlet will not check for the presence of required modules. - - - SwitchParameter - - - False - - - DoNotConfirmConnections - - If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them. - - - SwitchParameter - - - False - - - WhatIf - - Shows what would happen if the cmdlet runs. The cmdlet is not run. - - - SwitchParameter - - - False - - - Confirm - - Prompts you for confirmation before running the cmdlet. - - - SwitchParameter - - - False - - - ProgressAction - - {{ Fill ProgressAction Description }} - - ActionPreference - - ActionPreference - - - None - - - - Invoke-M365SecurityAudit - - TenantAdminUrl - - The URL of the tenant admin. If not specified, none of the SharePoint Online tests will run. - - String - - String - - - None - - - M365DomainForPWPolicyTest - - The domain name of the Microsoft 365 environment to test. This parameter is not mandatory and by default it will pass/fail all found domains as a group if a specific domain is not specified. - - String - - String - - - None - IncludeIG3 
@@ -1144,6 +1397,89 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com False + + M365DomainForPWPolicyTest + + The domain name of the Microsoft 365 environment to test. This parameter is not mandatory and by default it will pass/fail all found domains as a group if a specific domain is not specified. + + String + + String + + + None + + + NoModuleCheck + + If specified, the cmdlet will not check for the presence of required modules. + + + SwitchParameter + + + False + + + ProgressAction + + {{ Fill ProgressAction Description }} + + ActionPreference + + ActionPreference + + + None + + + TenantAdminUrl + + The URL of the tenant admin. If not specified, none of the SharePoint Online tests will run. + + String + + String + + + None + + + Confirm + + Prompts you for confirmation before running the cmdlet. + + + SwitchParameter + + + False + + + WhatIf + + Shows what would happen if the cmdlet runs. The cmdlet is not run. + + + SwitchParameter + + + False + + + + Invoke-M365SecurityAudit + + DoNotConfirmConnections + + If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them. + + + SwitchParameter + + + False + DoNotConnect 
@@ -1166,89 +1502,6 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com False - - NoModuleCheck - - If specified, the cmdlet will not check for the presence of required modules. - - - SwitchParameter - - - False - - - DoNotConfirmConnections - - If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them. - - - SwitchParameter - - - False - - - WhatIf - - Shows what would happen if the cmdlet runs. The cmdlet is not run. - - - SwitchParameter - - - False - - - Confirm - - Prompts you for confirmation before running the cmdlet. - - - SwitchParameter - - - False - - - ProgressAction - - {{ Fill ProgressAction Description }} - - ActionPreference - - ActionPreference - - - None - - - - Invoke-M365SecurityAudit - - TenantAdminUrl - - The URL of the tenant admin. If not specified, none of the SharePoint Online tests will run. - - String - - String - - - None - - - M365DomainForPWPolicyTest - - The domain name of the Microsoft 365 environment to test. This parameter is not mandatory and by default it will pass/fail all found domains as a group if a specific domain is not specified. - - String - - String - - - None - IncludeRecommendation 
@@ -1261,6 +1514,89 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com None + + M365DomainForPWPolicyTest + + The domain name of the Microsoft 365 environment to test. This parameter is not mandatory and by default it will pass/fail all found domains as a group if a specific domain is not specified. + + String + + String + + + None + + + NoModuleCheck + + If specified, the cmdlet will not check for the presence of required modules. + + + SwitchParameter + + + False + + + ProgressAction + + {{ Fill ProgressAction Description }} + + ActionPreference + + ActionPreference + + + None + + + TenantAdminUrl + + The URL of the tenant admin. If not specified, none of the SharePoint Online tests will run. + + String + + String + + + None + + + Confirm + + Prompts you for confirmation before running the cmdlet. + + + SwitchParameter + + + False + + + WhatIf + + Shows what would happen if the cmdlet runs. The cmdlet is not run. + + + SwitchParameter + + + False + + + + Invoke-M365SecurityAudit + + DoNotConfirmConnections + + If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them. + + + SwitchParameter + + + False + DoNotConnect @@ -1283,6 +1619,18 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com False + + M365DomainForPWPolicyTest + + The domain name of the Microsoft 365 environment to test. This parameter is not mandatory and by default it will pass/fail all found domains as a group if a specific domain is not specified. + + String + + String + + + None + NoModuleCheck 
@@ -1294,39 +1642,6 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com False - - DoNotConfirmConnections - - If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them. - - - SwitchParameter - - - False - - - WhatIf - - Shows what would happen if the cmdlet runs. The cmdlet is not run. - - - SwitchParameter - - - False - - - Confirm - - Prompts you for confirmation before running the cmdlet. - - - SwitchParameter - - - False - ProgressAction @@ -1339,33 +1654,6 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com None - - - Invoke-M365SecurityAudit - - TenantAdminUrl - - The URL of the tenant admin. If not specified, none of the SharePoint Online tests will run. - - String - - String - - - None - - - M365DomainForPWPolicyTest - - The domain name of the Microsoft 365 environment to test. This parameter is not mandatory and by default it will pass/fail all found domains as a group if a specific domain is not specified. - - String - - String - - - None - SkipRecommendation 
@@ -1379,42 +1667,21 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com None - DoNotConnect + TenantAdminUrl - If specified, the cmdlet will not establish a connection to Microsoft 365 services. + The URL of the tenant admin. If not specified, none of the SharePoint Online tests will run. + String - SwitchParameter + String - False + None - - DoNotDisconnect + + Confirm - If specified, the cmdlet will not disconnect from Microsoft 365 services after execution. - - - SwitchParameter - - - False - - - NoModuleCheck - - If specified, the cmdlet will not check for the presence of required modules. - - - SwitchParameter - - - False - - - DoNotConfirmConnections - - If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them. + Prompts you for confirmation before running the cmdlet. SwitchParameter 
@@ -1433,55 +1700,44 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com False - - Confirm - - Prompts you for confirmation before running the cmdlet. - - - SwitchParameter - - - False - - - ProgressAction - - {{ Fill ProgressAction Description }} - - ActionPreference - - ActionPreference - - - None - - TenantAdminUrl + DoNotConfirmConnections - The URL of the tenant admin. If not specified, none of the SharePoint Online tests will run. + If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them. - String + SwitchParameter - String + SwitchParameter - None + False - M365DomainForPWPolicyTest + DoNotConnect - The domain name of the Microsoft 365 environment to test. This parameter is not mandatory and by default it will pass/fail all found domains as a group if a specific domain is not specified. + If specified, the cmdlet will not establish a connection to Microsoft 365 services. - String + SwitchParameter - String + SwitchParameter - None + False + + + DoNotDisconnect + + If specified, the cmdlet will not disconnect from Microsoft 365 services after execution. + + SwitchParameter + + SwitchParameter + + + False ELevel @@ -1495,18 +1751,6 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com None - - ProfileLevel - - Specifies the profile level (L1 or L2) for the audit. This parameter is optional and can be combined with the ELevel parameter. - - String - - String - - - None - IncludeIG1 
@@ -1555,42 +1799,18 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com None - - SkipRecommendation + + M365DomainForPWPolicyTest - Specifies specific recommendations to exclude from the audit. Accepts an array of recommendation numbers. + The domain name of the Microsoft 365 environment to test. This parameter is not mandatory and by default it will pass/fail all found domains as a group if a specific domain is not specified. - String[] + String - String[] + String None - - DoNotConnect - - If specified, the cmdlet will not establish a connection to Microsoft 365 services. - - SwitchParameter - - SwitchParameter - - - False - - - DoNotDisconnect - - If specified, the cmdlet will not disconnect from Microsoft 365 services after execution. - - SwitchParameter - - SwitchParameter - - - False - NoModuleCheck @@ -1603,10 +1823,58 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com False - - DoNotConfirmConnections + + ProfileLevel - If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them. + Specifies the profile level (L1 or L2) for the audit. This parameter is optional and can be combined with the ELevel parameter. + + String + + String + + + None + + + ProgressAction + + {{ Fill ProgressAction Description }} + + ActionPreference + + ActionPreference + + + None + + + SkipRecommendation + + Specifies specific recommendations to exclude from the audit. Accepts an array of recommendation numbers. + + String[] + + String[] + + + None + + + TenantAdminUrl + + The URL of the tenant admin. If not specified, none of the SharePoint Online tests will run. + + String + + String + + + None + + + Confirm + + Prompts you for confirmation before running the cmdlet. SwitchParameter 
@@ -1627,30 +1895,6 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com False - - Confirm - - Prompts you for confirmation before running the cmdlet. - - SwitchParameter - - SwitchParameter - - - False - - - ProgressAction - - {{ Fill ProgressAction Description }} - - ActionPreference - - ActionPreference - - - None - @@ -1821,18 +2065,6 @@ PS> $auditResults | Export-Csv -Path "auditResults.csv" -NoTypeInformation None - - WorksheetName - - The name of the worksheet within the Excel file to be processed. - - String - - String - - - None - ProgressAction @@ -1845,6 +2077,18 @@ PS> $auditResults | Export-Csv -Path "auditResults.csv" -NoTypeInformation None + + WorksheetName + + The name of the worksheet within the Excel file to be processed. + + String + + String + + + None + @@ -1931,18 +2175,6 @@ This command imports data from the "Sheet1" worksheet in the "Report.xlsx" file, - - ExcelPath - - Specifies the path to the Excel file to be updated. This parameter is mandatory. - - String - - String - - - None - CsvPath @@ -1955,10 +2187,10 @@ This command imports data from the "Sheet1" worksheet in the "Report.xlsx" file, None - - SheetName + + ExcelPath - Specifies the name of the worksheet in the Excel file where data will be merged and updated. This parameter is mandatory. + Specifies the path to the Excel file to be updated. This parameter is mandatory. String @@ -1979,6 +2211,18 @@ This command imports data from the "Sheet1" worksheet in the "Report.xlsx" file, None + + SheetName + + Specifies the name of the worksheet in the Excel file where data will be merged and updated. This parameter is mandatory. + + String + + String + + + None + diff --git a/source/en-US/about_M365FoundationsCISReport.help.txt b/source/en-US/about_M365FoundationsCISReport.help.txt index 2dc01a1..c64914f 100644 --- a/source/en-US/about_M365FoundationsCISReport.help.txt +++ b/source/en-US/about_M365FoundationsCISReport.help.txt 
@@ -45,6 +45,9 @@ EXAMPLES # Example 6: Synchronizing CIS benchmark data with audit results Sync-CISExcelAndCsvData -ExcelPath "path\to\excel.xlsx" -CsvPath "path\to\data.csv" -SheetName "Combined Profiles" + + # Example 7: Granting Microsoft Graph permissions to the auditor + Grant-M365SecurityAuditConsent -UserPrincipalNameForConsent 'user@example.com' NOTE Ensure that you have the necessary permissions and administrative roles in
diff --git a/tests/Unit/Public/Grant-M365SecurityAuditConsent.tests.ps1 b/tests/Unit/Public/Grant-M365SecurityAuditConsent.tests.ps1
new file mode 100644
index 0000000..5998a20
--- /dev/null
+++ b/tests/Unit/Public/Grant-M365SecurityAuditConsent.tests.ps1
@@ -0,0 +1,71 @@
+BeforeAll {
+ $script:moduleName = '<% $PLASTER_PARAM_ModuleName %>'
+
+ # If the module is not found, run the build task 'noop'.
+ if (-not (Get-Module -Name $script:moduleName -ListAvailable))
+ {
+ # Redirect all streams to $null, except the error stream (stream 2)
+ & "$PSScriptRoot/../../build.ps1" -Tasks 'noop' 2>&1 4>&1 5>&1 6>&1 > $null
+ }
+
+ # Re-import the module using force to get any code changes between runs.
+ Import-Module -Name $script:moduleName -Force -ErrorAction 'Stop'
+
+ $PSDefaultParameterValues['InModuleScope:ModuleName'] = $script:moduleName
+ $PSDefaultParameterValues['Mock:ModuleName'] = $script:moduleName
+ $PSDefaultParameterValues['Should:ModuleName'] = $script:moduleName
+}
+
+AfterAll {
+ $PSDefaultParameterValues.Remove('Mock:ModuleName')
+ $PSDefaultParameterValues.Remove('InModuleScope:ModuleName')
+ $PSDefaultParameterValues.Remove('Should:ModuleName')
+
+ Remove-Module -Name $script:moduleName
+}
+
+Describe Get-Something {
+
+ Context 'Return values' {
+ BeforeEach {
+ $return = Get-Something -Data 'value'
+ }
+
+ It 'Returns a single object' {
+ ($return | Measure-Object).Count | Should -Be 1
+ }
+
+ }
+
+ Context 'Pipeline' {
+ It 'Accepts values from the pipeline by value' {
+ $return = 'value1', 'value2' | Get-Something
+
+ $return[0] | Should -Be 'value1'
+ $return[1] | Should -Be 'value2'
+ }
+
+ It 'Accepts value from the pipeline by property name' {
+ $return = 'value1', 'value2' | ForEach-Object {
+ [PSCustomObject]@{
+ Data = $_
+ OtherProperty = 'other'
+ }
+ } | Get-Something
+
+
+ $return[0] | Should -Be 'value1'
+ $return[1] | Should -Be 'value2'
+ }
+ }
+
+ Context 'ShouldProcess' {
+ It 'Supports WhatIf' {
+ (Get-Command Get-Something).Parameters.ContainsKey('WhatIf') | Should -Be $true
+ { Get-Something -Data 'value' -WhatIf } | Should -Not -Throw
+ }
+
+
+ }
+}
+
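Review bot: The new test file is the unmodified Sampler/Plaster template and never exercises Grant-M365SecurityAuditConsent: `$script:moduleName = '<% $PLASTER_PARAM_ModuleName %>'` is an unexpanded placeholder, so `Import-Module -Name $script:moduleName -Force -ErrorAction 'Stop'` in BeforeAll will fail before any test runs, and the Describe block targets a non-existent `Get-Something`. Set `$script:moduleName = 'M365FoundationsCISReport'` and rewrite the Describe as `Describe Grant-M365SecurityAuditConsent` with the Microsoft Graph cmdlets the function calls (Connect-MgGraph/Disconnect-MgGraph and the Get-/Remove-MgServicePrincipal*/OAuth2PermissionGrant cmdlets referenced in the preceding PowerShell hunk) mocked, so the suite asserts on the consent and revert-output paths without ever reaching a tenant; the ShouldProcess/WhatIf context is worth keeping because the function does use `$PSCmdlet.ShouldProcess`. The bootstrap `& "$PSScriptRoot/../../build.ps1"` resolves from tests/Unit/Public to tests/build.ps1, which looks one directory short if build.ps1 lives at the repository root — please confirm against the repo layout.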