From a4dce52825669168fc8ecf8522baa2b0f2b19a26 Mon Sep 17 00:00:00 2001 From: DrIOS <58635327+DrIOSX@users.noreply.github.com> Date: Mon, 15 Apr 2024 15:51:00 -0500 Subject: [PATCH] add: future changes to be committed --- helpers/Automation Candidates.md | 52 ++++++++++++++++++++++ helpers/Build-Help.ps1 | 4 +- source/Public/Get-AdminRoleUserLicense.ps1 | 52 ++++++++++++++++++++++ source/Public/Invoke-M365SecurityAudit.ps1 | 6 +-- 4 files changed, 110 insertions(+), 4 deletions(-) create mode 100644 helpers/Automation Candidates.md create mode 100644 source/Public/Get-AdminRoleUserLicense.ps1 diff --git a/helpers/Automation Candidates.md b/helpers/Automation Candidates.md new file mode 100644 index 0000000..1b3d262 --- /dev/null +++ b/helpers/Automation Candidates.md 
@@ -0,0 +1,52 @@ +# Automation Candidates + +## 5.1.1.1 (L1) Ensure Security Defaults is disabled on Azure Active Directory + +- `Connect-MgGraph -Scopes "Policy.Read.All"` +- `Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | ft IsEnabled` + +## 5.1.2.1 (L1) Ensure 'Per-user MFA' is disabled + +- `Connect-MsolService` +- Commands: + +```powershell +$UserList = Get-MsolUser -All | Where-Object { $_.UserType -eq 'Member' } +$Report = @() +foreach ($user in $UserList) { + $PerUserMFAState = $null + if ($user.StrongAuthenticationRequirements) { + $PerUserMFAState = $user.StrongAuthenticationRequirements.State + } + else { + $PerUserMFAState = 'Disabled' + } + $obj = [pscustomobject][ordered]@{ + UserPrincipalName = $User.UserPrincipalName + DisplayName = $User.DisplayName + PerUserMFAState = $PerUserMFAState + } + $Report += $obj +} +$Report +``` + +## 5.1.3.1 (L1) Ensure a dynamic group for guest users is created + +- `Connect-MgGraph -Scopes "Group.Read.All"` +- Commands: + +```powershell +$groups = Get-MgGroup | Where-Object { $_.GroupTypes -contains "DynamicMembership" } +$groups | ft DisplayName,GroupTypes,MembershipRule +``` + +## 6.1.4 (L1) Ensure 'AuditBypassEnabled' is not enabled on mailboxes + +- `Connect-ExchangeOnline` +- Commands: + +```powershell +$MBX = Get-MailboxAuditBypassAssociation -ResultSize unlimited +$MBX | where {$_.AuditBypassEnabled -eq $true} | Format-Table Name,AuditBypassEnabled +``` diff --git a/helpers/Build-Help.ps1 b/helpers/Build-Help.ps1 index 82e139f..a2d483b 100644 --- a/helpers/Build-Help.ps1 +++ b/helpers/Build-Help.ps1 @@ -12,4 +12,6 @@ Import-Module .\output\module\M365FoundationsCISReport\*\*.psd1 "Fix: PR #37" git push origin $ver # git tag -d $ver -#> \ No newline at end of file +#> + + diff --git a/source/Public/Get-AdminRoleUserLicense.ps1 b/source/Public/Get-AdminRoleUserLicense.ps1 new file mode 100644 index 0000000..d746dd9 --- /dev/null +++ b/source/Public/Get-AdminRoleUserLicense.ps1 
@@ -0,0 +1,52 @@
+function Get-AdminRoleUserLicense {
+ [CmdletBinding()]
+ param (
+ [Parameter(Mandatory = $false)]
+ [switch]$SkipGraphConnection
+ )
+
+ begin {
+ if (-not $SkipGraphConnection) {
+ Connect-MgGraph -Scopes "Directory.Read.All", "Domain.Read.All", "Policy.Read.All", "Organization.Read.All" -NoWelcome
+ }
+
+ $adminRoleUsers = @()
+ $userIds = @()
+ }
+ Process { # Connect to Microsoft Graph if not skipping connection
+
+ $adminroles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" }
+
+ foreach ($role in $adminroles) {
+ $usersInRole = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
+
+ foreach ($user in $usersInRole) {
+ $userIds += $user.PrincipalId
+ $userDetails = Get-MgUser -UserId $user.PrincipalId -Property "DisplayName, UserPrincipalName, Id, onPremisesSyncEnabled"
+
+ $adminRoleUsers += [PSCustomObject]@{
+ RoleName = $role.DisplayName
+ UserName = $userDetails.DisplayName
+ UserPrincipalName = $userDetails.UserPrincipalName
+ UserId = $userDetails.Id
+ HybridUser = $userDetails.onPremisesSyncEnabled
+ Licenses = "" # Placeholder for licenses, to be filled later
+ }
+ }
+ }
+
+ foreach ($userId in $userIds | Select-Object -Unique) {
+ $licenses = Get-MgUserLicenseDetail -UserId $userId
+ $licenseList = ($licenses.SkuPartNumber -join '|')
+
+ $adminRoleUsers | Where-Object { $_.UserId -eq $userId } | ForEach-Object {
+ $_.Licenses = $licenseList
+ }
+ }
+ }
+ End {
+ Write-Host "Disconnecting from Microsoft Graph..." -ForegroundColor Green
+ Disconnect-MgGraph | Out-Null
+ return $adminRoleUsers
+ }
+}
\ No newline at end of file
diff --git a/source/Public/Invoke-M365SecurityAudit.ps1 b/source/Public/Invoke-M365SecurityAudit.ps1
index 48f8c52..250f2b0 100644
--- a/source/Public/Invoke-M365SecurityAudit.ps1
+++ b/source/Public/Invoke-M365SecurityAudit.ps1
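Review bot: The `End` block calls `Disconnect-MgGraph` unconditionally, so a caller who passed `-SkipGraphConnection` to reuse an existing session gets that session torn down behind their back; the disconnect should mirror the `begin` guard, `if (-not $SkipGraphConnection) { Disconnect-MgGraph | Out-Null }`. In `Process`, `Get-MgRoleManagementDirectoryRoleAssignment` returns assignments for any principal type, and `Get-MgUser -UserId $user.PrincipalId` will error on group or service-principal principals, leaving a row with blank user fields; filtering on the principal's `@odata.type` (or catching and reporting the non-user principal) before the lookup would avoid silently producing empty entries. The role selection `-like "*Admin*"` is a display-name heuristic and presumably drops privileged roles whose names lack that word (Global Reader or Directory Writers, for example), and it appears to cover only active assignments, not PIM-eligible ones, so the function's help text should say what it does and does not enumerate. The comment `# Connect to Microsoft Graph if not skipping connection` on the `Process {` line describes the `begin` block and should be moved there or dropped.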
@@ -248,12 +248,12 @@ function Invoke-M365SecurityAudit { } End { - # Return all collected audit results - return $allAuditResults - # Check if the Disconnect switch is present if (!($DoNotDisconnect)) { # Clean up sessions Disconnect-M365Suite } + # Return all collected audit results + return $allAuditResults + # Check if the Disconnect switch is present } } \ No newline at end of file
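Review bot: Moving `return $allAuditResults` below `Disconnect-M365Suite` fixes the unreachable cleanup, but it also means a teardown failure now discards the whole audit run, since any terminating error from `Disconnect-M365Suite` is raised before the results are returned. Wrapping the disconnect in `try`/`catch` with a `Write-Warning` keeps the results flowing when session cleanup fails. The trailing `# Check if the Disconnect switch is present` left after the `return` on the new side no longer describes anything and looks like a leftover from the move; it should be deleted. `Invoke-M365SecurityAudit` begins outside this hunk, so the `$DoNotDisconnect` parameter and the rest of the function are not visible here.
```powershell
        # … unchanged: End block opening …
        if (!($DoNotDisconnect)) {
            try {
                # Clean up sessions
                Disconnect-M365Suite
            }
            catch {
                # Do not lose the audit results because cleanup failed
                Write-Warning "Failed to disconnect M365 sessions: $_"
            }
        }
        # Return all collected audit results
        return $allAuditResults
```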