add: future changes to be committed
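--- /dev/null
+++ b/helpers/Automation Candidates.md
@@ -0,0 +1,52 @@
+# Automation Candidates
+
+## 5.1.1.1 (L1) Ensure Security Defaults is disabled on Azure Active Directory
+
+- `Connect-MgGraph -Scopes "Policy.Read.All"`
+- `Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | ft IsEnabled`
+
+## 5.1.2.1 (L1) Ensure 'Per-user MFA' is disabled
+
+- `Connect-MsolService`
+- Commands:
+
+```powershell
+$UserList = Get-MsolUser -All | Where-Object { $_.UserType -eq 'Member' }
+$Report = @()
+foreach ($user in $UserList) {
+$PerUserMFAState = $null
+if ($user.StrongAuthenticationRequirements) {
+$PerUserMFAState = $user.StrongAuthenticationRequirements.State
+}
+else {
+$PerUserMFAState = 'Disabled'
+}
+$obj = [pscustomobject][ordered]@{
+UserPrincipalName = $User.UserPrincipalName
+DisplayName = $User.DisplayName
+PerUserMFAState = $PerUserMFAState
+}
+$Report += $obj
+}
+$Report
+```
+
+## 5.1.3.1 (L1) Ensure a dynamic group for guest users is created
+
+- `Connect-MgGraph -Scopes "Group.Read.All"`
+- Commands:
+
+```powershell
+$groups = Get-MgGroup | Where-Object { $_.GroupTypes -contains "DynamicMembership" }
+$groups | ft DisplayName,GroupTypes,MembershipRule
+```
+
+## 6.1.4 (L1) Ensure 'AuditBypassEnabled' is not enabled on mailboxes
+
+- `Connect-ExchangeOnline`
+- Commands:
+
+```powershell
+$MBX = Get-MailboxAuditBypassAssociation -ResultSize unlimited
+$MBX | where {$_.AuditBypassEnabled -eq $true} | Format-Table Name,AuditBypassEnabled
+```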
@@ -13,3 +13,5 @@ Import-Module .\output\module\M365FoundationsCISReport\*\*.psd1
|
|||||||
git push origin $ver
|
git push origin $ver
|
||||||
# git tag -d $ver
|
# git tag -d $ver
|
||||||
#>
|
#>
|
||||||
|
|
||||||
|
|
||||||
|
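--- /dev/null
+++ b/source/Public/Get-AdminRoleUserLicense.ps1
@@ -0,0 +1,52 @@
+function Get-AdminRoleUserLicense {
+[CmdletBinding()]
+param (
+[Parameter(Mandatory = $false)]
+[switch]$SkipGraphConnection
+)
+
+begin {
+if (-not $SkipGraphConnection) {
+Connect-MgGraph -Scopes "Directory.Read.All", "Domain.Read.All", "Policy.Read.All", "Organization.Read.All" -NoWelcome
+}
+
+$adminRoleUsers = @()
+$userIds = @()
+}
+Process { # Connect to Microsoft Graph if not skipping connection
+
+$adminroles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" }
+
+foreach ($role in $adminroles) {
+$usersInRole = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
+
+foreach ($user in $usersInRole) {
+$userIds += $user.PrincipalId
+$userDetails = Get-MgUser -UserId $user.PrincipalId -Property "DisplayName, UserPrincipalName, Id, onPremisesSyncEnabled"
+
+$adminRoleUsers += [PSCustomObject]@{
+RoleName = $role.DisplayName
+UserName = $userDetails.DisplayName
+UserPrincipalName = $userDetails.UserPrincipalName
+UserId = $userDetails.Id
+HybridUser = $userDetails.onPremisesSyncEnabled
+Licenses = "" # Placeholder for licenses, to be filled later
+}
+}
+}
+
+foreach ($userId in $userIds | Select-Object -Unique) {
+$licenses = Get-MgUserLicenseDetail -UserId $userId
+$licenseList = ($licenses.SkuPartNumber -join '|')
+
+$adminRoleUsers | Where-Object { $_.UserId -eq $userId } | ForEach-Object {
+$_.Licenses = $licenseList
+}
+}
+}
+End {
+Write-Host "Disconnecting from Microsoft Graph..." -ForegroundColor Green
+Disconnect-MgGraph | Out-Null
+return $adminRoleUsers
+}
+}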
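Review bot: The End block calls `Disconnect-MgGraph | Out-Null` unconditionally, so a caller who passed -SkipGraphConnection to reuse an existing session has that session torn down behind their back; guard it the same way begin guards the connect, `if (-not $SkipGraphConnection) { Disconnect-MgGraph | Out-Null }`. The trailing comment on the `Process {` line, `# Connect to Microsoft Graph if not skipping connection`, describes the begin block and should move there. Every assignment returned by Get-MgRoleManagementDirectoryRoleAssignment is passed straight to `Get-MgUser -UserId`; if a role is assigned to a group or service principal rather than a user (not visible here), that call would fail for that principal, so checking the principal type or continuing on error seems worth confirming. The role-definition and role-assignment list cmdlets are called without -All, so in a larger tenant the results may be truncated to the first page, which would silently omit privileged accounts from the report.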
@@ -248,12 +248,12 @@ function Invoke-M365SecurityAudit {
|
|||||||
}
|
}
|
||||||
|
|
||||||
End {
|
End {
|
||||||
# Return all collected audit results
|
|
||||||
return $allAuditResults
|
|
||||||
# Check if the Disconnect switch is present
|
|
||||||
if (!($DoNotDisconnect)) {
|
if (!($DoNotDisconnect)) {
|
||||||
# Clean up sessions
|
# Clean up sessions
|
||||||
Disconnect-M365Suite
|
Disconnect-M365Suite
|
||||||
}
|
}
|
||||||
|
# Return all collected audit results
|
||||||
|
return $allAuditResults
|
||||||
|
# Check if the Disconnect switch is present
|
||||||
}
|
}
|
||||||
}
|
}
|