change: refactor Get-CISSpoOutput to support application auth using Pnp Powershell

This commit is contained in:
DrIOS
2024-08-04 13:51:29 -05:00
parent 357f284d08
commit da968db3e2
2 changed files with 133 additions and 21 deletions


@@ -1,37 +1,150 @@
<#
.SYNOPSIS
Retrieves configuration settings from SharePoint Online or PnP based on the specified recommendation.
.DESCRIPTION
The Get-CISSpoOutput function retrieves specific configuration settings from SharePoint Online or PnP based on a recommendation number.
It dynamically switches between using SPO and PnP commands based on the provided authentication context.
.PARAMETER Rec
The recommendation number corresponding to the specific test to be run.
.INPUTS
None. You cannot pipe objects to this function.
.OUTPUTS
PSCustomObject
Returns configuration details for the specified recommendation.
.EXAMPLE
PS> Get-CISSpoOutput -Rec '7.2.1'
Retrieves the LegacyAuthProtocolsEnabled property from the SharePoint Online or PnP tenant.
#>
function Get-CISSpoOutput {
[cmdletBinding()]
[CmdletBinding()]
param(
[Parameter(Mandatory = $true)]
[Parameter(Mandatory = $true, HelpMessage = "The recommendation number corresponding to the specific test to be run.")]
[String]$Rec
)
begin {
if (($script:PnpAuth)) {
$UsePnP = $true
}
# Check if PnP should be used
$UsePnP = $script:PnpAuth
# Determine the prefix based on the switch
$prefix = if ($UsePnP) { "PnP" } else { "SPO" }
# Define a hashtable to map the function calls
$commandMap = @{
'7.2.1' = "Get-${prefix}Tenant | Select-Object -Property LegacyAuthProtocolsEnabled"
'7.2.2' = "Get-${prefix}Tenant | Select-Object EnableAzureADB2BIntegration"
'7.2.3' = "Get-${prefix}Tenant | Select-Object SharingCapability"
'7.2.4' = "Get-${prefix}Tenant | Select-Object OneDriveSharingCapability"
'7.2.5' = "Get-${prefix}Tenant | Select-Object PreventExternalUsersFromResharing"
'7.2.6' = "Get-${prefix}Tenant | Select-Object SharingDomainRestrictionMode, SharingAllowedDomainList"
'7.2.7' = "Get-${prefix}Tenant | Select-Object DefaultSharingLinkType"
'7.2.9' = "Get-${prefix}Tenant | Select-Object ExternalUserExpirationRequired, ExternalUserExpireInDays"
'7.2.10' = "Get-${prefix}Tenant | Select-Object EmailAttestationRequired, EmailAttestationReAuthDays"
'7.3.1' = "Get-${prefix}Tenant | Select-Object DisallowInfectedFileDownload"
'7.3.2' = "Get-${prefix}TenantSyncClientRestriction | Select-Object TenantRestrictionEnabled, AllowedDomainList"
'7.3.4' = if ($prefix -eq "SPO") {"Get-${prefix}Site -Limit All | Select-Object Title, Url, DenyAddAndCustomizePages"} else {"Get-${Prefix}TenantSite | Select-Object Title, Url, DenyAddAndCustomizePages"}
# Test-ModernAuthSharePoint.ps1
# 7.2.1 (L1) Ensure Legacy Authentication Protocols are disabled
# $SPOTenant Mock Object
'7.2.1' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"
} | Select-Object -Property LegacyAuthProtocolsEnabled
}
# Test-SharePointAADB2B.ps1
# 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
# $SPOTenantAzureADB2B Mock Object
'7.2.2' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"
} | Select-Object -Property EnableAzureADB2BIntegration
}
# Test-RestrictExternalSharing.ps1
# 7.2.3 (L1) Ensure external content sharing is restricted
# Retrieve the SharingCapability setting for the SharePoint tenant
# $SPOTenantSharingCapability Mock Object
'7.2.3' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"
} | Select-Object -Property SharingCapability
}
# Test-OneDriveContentRestrictions.ps1
# 7.2.4 (L2) Ensure OneDrive content sharing is restricted
# $SPOTenant Mock Object
'7.2.4' = {
Invoke-Command {
if ($prefix -eq "SPO") {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)" | Select-Object -Property OneDriveSharingCapability
} else {
# Workaround until bugfix in PnP.PowerShell
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)" | Select-Object -Property OneDriveLoopSharingCapability | Select-Object @{Name = "OneDriveSharingCapability"; Expression = { $_.OneDriveLoopSharingCapability }}
}
}
}
# Test-SharePointGuestsItemSharing.ps1
# 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own
# $SPOTenant Mock Object
'7.2.5' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"
} | Select-Object -Property PreventExternalUsersFromResharing
}
# Test-SharePointExternalSharingDomains.ps1
# 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists
# Add Authorized Domains?
# $SPOTenant Mock Object
'7.2.6' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"
} | Select-Object -Property SharingDomainRestrictionMode, SharingAllowedDomainList
}
# Test-LinkSharingRestrictions.ps1
# Retrieve link sharing configuration for SharePoint and OneDrive
# $SPOTenantLinkSharing Mock Object
'7.2.7' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"
} | Select-Object -Property DefaultSharingLinkType
}
# Test-GuestAccessExpiration.ps1
# Retrieve SharePoint tenant settings related to guest access expiration
# $SPOTenantGuestAccess Mock Object
'7.2.9' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"
} | Select-Object -Property ExternalUserExpirationRequired, ExternalUserExpireInDays
}
# Test-ReauthWithCode.ps1
# 7.2.10 (L1) Ensure reauthentication with verification code is restricted
# Retrieve reauthentication settings for SharePoint Online
# $SPOTenantReauthentication Mock Object
'7.2.10' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"
} | Select-Object -Property EmailAttestationRequired, EmailAttestationReAuthDays
}
# Test-DisallowInfectedFilesDownload.ps1
# Retrieve the SharePoint tenant configuration
# $SPOTenantDisallowInfectedFileDownload Mock Object
'7.3.1' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"
} | Select-Object -Property DisallowInfectedFileDownload
}
# Test-OneDriveSyncRestrictions.ps1
# Retrieve OneDrive sync client restriction settings
# Add isHybrid parameter?
# $SPOTenantSyncClientRestriction Mock Object
'7.3.2' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}TenantSyncClientRestriction").Name)"
} | Select-Object -Property TenantRestrictionEnabled, AllowedDomainList
}
# Test-RestrictCustomScripts.ps1
# Retrieve all site collections and select necessary properties
# $SPOSitesCustomScript Mock Object
'7.3.4' = {
Invoke-Command {
if ($prefix -eq "SPO") {
& "$((Get-Command -Name "Get-${prefix}Site").Name)" -Limit All | Select-Object Title, Url, DenyAddAndCustomizePages
} else {
& "$((Get-Command -Name "Get-${prefix}TenantSite").Name)" | Select-Object Title, Url, DenyAddAndCustomizePages
}
}
}
}
}
process {
try {
Write-Verbose "Returning data for Rec: $Rec"
if ($commandMap.ContainsKey($Rec)) {
$command = $commandMap[$Rec]
$result = Invoke-Expression $command
# Invoke the script block associated with the command
$result = & $commandMap[$Rec] -ErrorAction Stop
return $result
}
else {
@@ -41,7 +154,6 @@ function Get-CISSpoOutput {
catch {
throw "Get-CISSpoOutput: `n$_"
}
}
end {
Write-Verbose "Finished processing for Rec: $Rec"
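Review bot: The `-ErrorAction Stop` on `$result = & $commandMap[$Rec] -ErrorAction Stop` has no effect on the inner commands: the map entries are plain script blocks without a `param()` block, so the two tokens are received as `$args`, and a failing `Get-SPOTenant`/`Get-PnPTenant` call inside `Invoke-Command` (for example with no open connection) produces a non-terminating error that the surrounding `try`/`catch` never sees, leaving `$result` empty and the recommendation evaluated against `$null` data. Setting the preference for the function's scope, `$ErrorActionPreference = 'Stop'` as the first statement of `process {`, or adding `-ErrorAction Stop` to each `& "$((Get-Command ...).Name)"` invocation, makes the `catch` in the second hunk reachable for those failures. Separately, `Get-Command -Name "Get-${prefix}Tenant"` resolves whatever function or alias currently owns that name, so a name-shadowing concern that existed with the removed `Invoke-Expression` survives the refactor; pinning the lookup with `-Module` or `-CommandType Cmdlet` would close that, though the loaded module names are not visible in this hunk. `Get-CISSpoOutput` continues outside both hunks (the `else` branch at the end of the first hunk and the `end` block after the second).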


@@ -33,7 +33,7 @@ function Invoke-TestFunction {
return $result
}
catch {
Write-Error "An error occurred during the test: $_"
Write-Error "An error occurred during the test $recnum`:: $_"
$script:FailedTests.Add([PSCustomObject]@{ Test = $functionName; Error = $_ })
# Call Initialize-CISAuditResult with error parameters