add: 1.1.1 test as automated and organized csv.

source/tests/Test-AdministrativeAccountCompliance .ps1

@@ -0,0 +1,69 @@
+function Test-AdministrativeAccountCompliance {
+    [CmdletBinding()]
+    param (
+        [switch]$SkipGraphConnection
+    )
+    begin {
+        #. C:\Temp\CISAuditResult.ps1
+        $validLicenses = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')
+    }
+    process {
+        if (-not $SkipGraphConnection) {
+            Connect-MgGraph -Scopes "Directory.Read.All", "User.Read.All", "RoleManagement.Read.Directory" -NoWelcome
+        }
+        $adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { $_.DisplayName -like "*Admin*" }
+        $adminRoleUsers = @()
+        foreach ($role in $adminRoles) {
+            $roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
+            foreach ($assignment in $roleAssignments) {
+                $userDetails = Get-MgUser -UserId $assignment.PrincipalId -Property "DisplayName, UserPrincipalName, Id, OnPremisesSyncEnabled"
+                $licenses = (Get-MgUserLicenseDetail -UserId $assignment.PrincipalId).SkuPartNumber -join '|'
+                $adminRoleUsers += [PSCustomObject]@{
+                    UserName   = $userDetails.UserPrincipalName
+                    RoleName   = $role.DisplayName
+                    UserId     = $userDetails.Id
+                    HybridUser = $userDetails.OnPremisesSyncEnabled
+                    Licenses   = $licenses
+                }
+            }
+        }
+        $uniqueAdminRoleUsers = $adminRoleUsers | Group-Object -Property UserName | ForEach-Object {
+            $first = $_.Group | Select-Object -First 1
+            $roles = ($_.Group.RoleName -join ', ')
+            $licenses = (($_.Group | Select-Object -ExpandProperty Licenses) -join ',').Split(',') | Select-Object -Unique
+
+            $first | Select-Object UserName, UserId, HybridUser, @{Name = 'Roles'; Expression = { $roles } }, @{Name = 'Licenses'; Expression = { $licenses -join '|' } }
+        }
+        $nonCompliantUsers = $uniqueAdminRoleUsers | Where-Object {
+            $_.HybridUser -or
+            -not ($_.Licenses -split '\|' | Where-Object { $validLicenses -contains $_ })
+        }
+        $failureReasons = $nonCompliantUsers | ForEach-Object {
+            $accountType = if ($_.HybridUser) { "Hybrid" } else { "Cloud-Only" }
+            $missingLicenses = $validLicenses | Where-Object { $_ -notin ($_.Licenses -split '\|') }
+            "$($_.UserName)|$($_.Roles)|$accountType|Missing: $($missingLicenses -join ',')"
+        }
+        $failureReasons = $failureReasons -join "`n"
+
+        $auditResult = [CISAuditResult]::new()
+        $auditResult.Status = if ($nonCompliantUsers) { 'Fail' } else { 'Pass' }
+        $auditResult.ELevel = 'E3'
+        $auditResult.ProfileLevel = 'L1'
+        $auditResult.Rec = '1.1.1'
+        $auditResult.RecDescription = "Ensure Administrative accounts are separate and cloud-only"
+        $auditResult.CISControlVer = 'v8'
+        $auditResult.CISControl = "5.4"
+        $auditResult.CISDescription = "Restrict Administrator Privileges to Dedicated Administrator Accounts"
+        $auditResult.IG1 = $true
+        $auditResult.IG2 = $true
+        $auditResult.IG3 = $true
+        $auditResult.Result = $nonCompliantUsers.Count -eq 0
+        $auditResult.Details = "Compliant Accounts: $($uniqueAdminRoleUsers.Count - $nonCompliantUsers.Count); Non-Compliant Accounts: $($nonCompliantUsers.Count)"
+        $auditResult.FailureReason = if ($nonCompliantUsers) { "Non-compliant accounts: `nUsername | Roles | HybridStatus | Missing Licence`n$failureReasons" } else { "N/A" }
+    }
+
+    end {
+        # Output the result
+        return $auditResult
+    }
+}

source/tests/Test-AntiPhishingPolicy.ps1

@@ -11,6 +11,7 @@ function Test-AntiPhishingPolicy {
     }
 
     process {
+        # 2.1.7	Ensure that an anti-phishing policy has been created
 
         # Retrieve and validate the anti-phishing policies
         $antiPhishPolicies = Get-AntiPhishPolicy

source/tests/Test-BlockSharedMailboxSignIn.ps1

@@ -14,6 +14,7 @@ function Test-BlockSharedMailboxSignIn {
         # 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
         # Pass if all shared mailboxes have AccountEnabled set to False.
         # Fail if any shared mailbox has AccountEnabled set to True.
+        # Review: Details property - Add verbosity.
 
         $MBX = Get-EXOMailbox -RecipientTypeDetails SharedMailbox
         $sharedMailboxDetails = $MBX | ForEach-Object { Get-AzureADUser -ObjectId $_.ExternalDirectoryObjectId }

source/tests/Test-IdentifyExternalEmail.ps1

@@ -13,6 +13,7 @@ function Test-IdentifyExternalEmail {
     process {
         # 6.2.3 (L1) Ensure email from external senders is identified
         # Requirement is to have external sender tagging enabled
+        # Review
 
         $externalInOutlook = Get-ExternalInOutlook
         $externalTaggingEnabled = ($externalInOutlook | ForEach-Object { $_.Enabled }) -contains $true

source/tests/Test-NotifyMalwareInternal.ps1

@@ -10,6 +10,8 @@ function Test-NotifyMalwareInternal {
     }
 
     process {
+        # 2.1.3 Ensure notifications for internal users sending malware is Enabled
+
         # Retrieve all 'Custom' malware filter policies and check notification settings
         $malwareNotifications = Get-MalwareFilterPolicy | Where-Object { $_.RecommendedPolicyType -eq 'Custom' }
         $policiesToReport = @()

source/tests/Test-SpamPolicyAdminNotify.ps1

@@ -10,6 +10,8 @@ function Test-SpamPolicyAdminNotify {
     }
 
     process {
+        # 2.1.6	Ensure Exchange Online Spam Policies are set to notify administrators
+
         # Get the default hosted outbound spam filter policy
         $hostedOutboundSpamFilterPolicy = Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.IsDefault -eq $true }