Compare commits
10 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
1240f74450 | ||
|
|
063124eef3 | ||
|
|
14f3889378 | ||
|
|
3790ec00de | ||
|
|
c1171ddca5 | ||
|
|
fc7c8ec88f | ||
|
|
2fc814205d | ||
|
|
7309925e89 | ||
|
|
5637855c8b | ||
|
|
ac98307ed1 |
18
CHANGELOG.md
18
CHANGELOG.md
@@ -6,6 +6,24 @@ The format is based on and uses the types of changes according to [Keep a Change
|
||||
|
||||
### Added
|
||||
|
||||
- Added hash and compress steps to `Export-M365SecurityAuditTable` function.
|
||||
|
||||
## [0.1.21] - 2024-07-01
|
||||
|
||||
### Fixed
|
||||
|
||||
- Formatting for MgGraph tests.
|
||||
|
||||
## [0.1.20] - 2024-06-30
|
||||
|
||||
### Fixed
|
||||
|
||||
- Fixed parameter validation for new parameters in `Invoke-M365SecurityAudit` function
|
||||
|
||||
## [0.1.19] - 2024-06-30
|
||||
|
||||
### Added
|
||||
|
||||
- Added `ApprovedCloudStorageProviders` parameter to `Invoke-M365SecurityAudit` to allow for testing of approved cloud storage providers for 8.1.1.
|
||||
- Added `ApprovedFederatedDomains` parameter to `Invoke-M365SecurityAudit` to allow for testing of approved federated domains for 8.5.1.
|
||||
|
||||
|
||||
BIN
docs/index.html
BIN
docs/index.html
Binary file not shown.
@@ -190,10 +190,11 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
|
||||
|
||||
## INPUTS
|
||||
|
||||
### [CISAuditResult[]], [string]
|
||||
### [CISAuditResult[]] - An array of CISAuditResult objects.
|
||||
### [string] - A path to a CSV file.
|
||||
## OUTPUTS
|
||||
|
||||
### [PSCustomObject]
|
||||
### [PSCustomObject] - A custom object containing the path to the zip file and its hash.
|
||||
## NOTES
|
||||
|
||||
## RELATED LINKS
|
||||
|
||||
@@ -4,7 +4,7 @@ Import-Module .\output\module\M365FoundationsCISReport\*\*.psd1
|
||||
|
||||
|
||||
<#
|
||||
$ver = "v0.1.18"
|
||||
$ver = "v0.1.22"
|
||||
git checkout main
|
||||
git pull origin main
|
||||
git tag -a $ver -m "Release version $ver refactor Update"
|
||||
@@ -59,6 +59,5 @@ Set-Secret -Name "GitHubToken" -Vault ModuleBuildCreds
|
||||
$GalleryApiToken = Get-Secret -Name "GalleryApiToken" -Vault ModuleBuildCreds -AsPlainText
|
||||
$GitHubToken = Get-Secret -Name "GitHubToken" -Vault ModuleBuildCreds -AsPlainText
|
||||
|
||||
|
||||
$GalleryApiToken
|
||||
$GitHubToken
|
||||
@@ -42,10 +42,12 @@ function Get-CISMgOutput {
|
||||
switch ($rec) {
|
||||
'1.1.1' {
|
||||
# 1.1.1
|
||||
# Test-AdministrativeAccountCompliance
|
||||
$AdminRoleAssignmentsAndUsers = Get-AdminRoleUserAndAssignment
|
||||
return $AdminRoleAssignmentsAndUsers
|
||||
}
|
||||
'1.1.3' {
|
||||
# Test-GlobalAdminsCount
|
||||
# Step: Retrieve global admin role
|
||||
$globalAdminRole = Get-MgDirectoryRole -Filter "RoleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
|
||||
# Step: Retrieve global admin members
|
||||
@@ -53,6 +55,7 @@ function Get-CISMgOutput {
|
||||
return $globalAdmins
|
||||
}
|
||||
'1.2.1' {
|
||||
# Test-ManagedApprovedPublicGroups
|
||||
$allGroups = Get-MgGroup -All | Where-Object { $_.Visibility -eq "Public" } | Select-Object DisplayName, Visibility
|
||||
return $allGroups
|
||||
}
|
||||
@@ -67,16 +70,19 @@ function Get-CISMgOutput {
|
||||
return $domains
|
||||
}
|
||||
'5.1.2.3' {
|
||||
# Test-RestrictTenantCreation
|
||||
# Retrieve the tenant creation policy
|
||||
$tenantCreationPolicy = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions | Select-Object AllowedToCreateTenants
|
||||
return $tenantCreationPolicy
|
||||
}
|
||||
'5.1.8.1' {
|
||||
# Test-PasswordHashSync
|
||||
# Retrieve password hash sync status (Condition A and C)
|
||||
$passwordHashSync = Get-MgOrganization | Select-Object -ExpandProperty OnPremisesSyncEnabled
|
||||
return $passwordHashSync
|
||||
}
|
||||
'6.1.2' {
|
||||
# Test-MailboxAuditingE3
|
||||
$tenantSkus = Get-MgSubscribedSku -All
|
||||
$e3SkuPartNumber = "SPE_E3"
|
||||
$founde3Sku = $tenantSkus | Where-Object { $_.SkuPartNumber -eq $e3SkuPartNumber }
|
||||
@@ -89,6 +95,7 @@ function Get-CISMgOutput {
|
||||
}
|
||||
}
|
||||
'6.1.3' {
|
||||
# Test-MailboxAuditingE5
|
||||
$tenantSkus = Get-MgSubscribedSku -All
|
||||
$e5SkuPartNumber = "SPE_E5"
|
||||
$founde5Sku = $tenantSkus | Where-Object { $_.SkuPartNumber -eq $e5SkuPartNumber }
|
||||
|
||||
@@ -1,45 +1,50 @@
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Exports M365 security audit results to a CSV file or outputs a specific test result as an object.
|
||||
Exports Microsoft 365 security audit results to CSV or Excel files and supports outputting specific test results as objects.
|
||||
.DESCRIPTION
|
||||
This function exports M365 security audit results from either an array of CISAuditResult objects or a CSV file.
|
||||
It can export all results to a specified path or output a specific test result as an object.
|
||||
The Export-M365SecurityAuditTable function exports Microsoft 365 security audit results from an array of CISAuditResult objects or a CSV file.
|
||||
It can export all results to a specified path, output a specific test result as an object, and includes options for exporting results to Excel.
|
||||
Additionally, it computes hashes for the exported files and includes them in the zip archive for verification purposes.
|
||||
.PARAMETER AuditResults
|
||||
An array of CISAuditResult objects containing the audit results.
|
||||
An array of CISAuditResult objects containing the audit results. This parameter is mandatory when exporting from audit results.
|
||||
.PARAMETER CsvPath
|
||||
The path to a CSV file containing the audit results.
|
||||
The path to a CSV file containing the audit results. This parameter is mandatory when exporting from a CSV file.
|
||||
.PARAMETER OutputTestNumber
|
||||
The test number to output as an object. Valid values are "1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4".
|
||||
The test number to output as an object. Valid values are "1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4". This parameter is used to output a specific test result.
|
||||
.PARAMETER ExportAllTests
|
||||
Switch to export all test results.
|
||||
Switch to export all test results. When specified, all test results are exported to the specified path.
|
||||
.PARAMETER ExportPath
|
||||
The path where the CSV files will be exported.
|
||||
The path where the CSV or Excel files will be exported. This parameter is mandatory when exporting all tests.
|
||||
.PARAMETER ExportOriginalTests
|
||||
Switch to export the original audit results to a CSV file.
|
||||
Switch to export the original audit results to a CSV file. When specified, the original test results are exported along with the processed results.
|
||||
.PARAMETER ExportToExcel
|
||||
Switch to export the results to an Excel file.
|
||||
Switch to export the results to an Excel file. When specified, results are exported in Excel format.
|
||||
.INPUTS
|
||||
[CISAuditResult[]], [string]
|
||||
[CISAuditResult[]] - An array of CISAuditResult objects.
|
||||
[string] - A path to a CSV file.
|
||||
.OUTPUTS
|
||||
[PSCustomObject]
|
||||
[PSCustomObject] - A custom object containing the path to the zip file and its hash.
|
||||
.EXAMPLE
|
||||
Export-M365SecurityAuditTable -AuditResults $object -OutputTestNumber 6.1.2
|
||||
# Output object for a single test number from audit results
|
||||
# Outputs the result of test number 6.1.2 from the provided audit results as an object.
|
||||
.EXAMPLE
|
||||
Export-M365SecurityAuditTable -ExportAllTests -AuditResults $object -ExportPath "C:\temp"
|
||||
# Export all results from audit results to the specified path
|
||||
# Exports all audit results to the specified path in CSV format.
|
||||
.EXAMPLE
|
||||
Export-M365SecurityAuditTable -CsvPath "C:\temp\auditresultstoday1.csv" -OutputTestNumber 6.1.2
|
||||
# Output object for a single test number from CSV
|
||||
# Outputs the result of test number 6.1.2 from the CSV file as an object.
|
||||
.EXAMPLE
|
||||
Export-M365SecurityAuditTable -ExportAllTests -CsvPath "C:\temp\auditresultstoday1.csv" -ExportPath "C:\temp"
|
||||
# Export all results from CSV to the specified path
|
||||
# Exports all audit results from the CSV file to the specified path in CSV format.
|
||||
.EXAMPLE
|
||||
Export-M365SecurityAuditTable -ExportAllTests -AuditResults $object -ExportPath "C:\temp" -ExportOriginalTests
|
||||
# Export all results from audit results to the specified path along with the original tests
|
||||
# Exports all audit results along with the original test results to the specified path in CSV format.
|
||||
.EXAMPLE
|
||||
Export-M365SecurityAuditTable -ExportAllTests -CsvPath "C:\temp\auditresultstoday1.csv" -ExportPath "C:\temp" -ExportOriginalTests
|
||||
# Export all results from CSV to the specified path along with the original tests
|
||||
# Exports all audit results from the CSV file along with the original test results to the specified path in CSV format.
|
||||
.EXAMPLE
|
||||
Export-M365SecurityAuditTable -ExportAllTests -AuditResults $object -ExportPath "C:\temp" -ExportToExcel
|
||||
# Exports all audit results to the specified path in Excel format.
|
||||
.LINK
|
||||
https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Export-M365SecurityAuditTable
|
||||
#>
|
||||
@@ -50,33 +55,29 @@ function Export-M365SecurityAuditTable {
|
||||
[Parameter(Mandatory = $true, Position = 1, ParameterSetName = "ExportAllResultsFromAuditResults")]
|
||||
[Parameter(Mandatory = $true, Position = 2, ParameterSetName = "OutputObjectFromAuditResultsSingle")]
|
||||
[CISAuditResult[]]$AuditResults,
|
||||
|
||||
[Parameter(Mandatory = $true, Position = 1, ParameterSetName = "ExportAllResultsFromCsv")]
|
||||
[Parameter(Mandatory = $true, Position = 2, ParameterSetName = "OutputObjectFromCsvSingle")]
|
||||
[ValidateScript({ (Test-Path $_) -and ((Get-Item $_).PSIsContainer -eq $false) })]
|
||||
[string]$CsvPath,
|
||||
|
||||
[Parameter(Mandatory = $true, Position = 1, ParameterSetName = "OutputObjectFromAuditResultsSingle")]
|
||||
[Parameter(Mandatory = $true, Position = 1, ParameterSetName = "OutputObjectFromCsvSingle")]
|
||||
[ValidateSet("1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4")]
|
||||
[string]$OutputTestNumber,
|
||||
|
||||
[Parameter(Mandatory = $false, Position = 0, ParameterSetName = "ExportAllResultsFromAuditResults")]
|
||||
[Parameter(Mandatory = $false, Position = 0, ParameterSetName = "ExportAllResultsFromCsv")]
|
||||
[switch]$ExportAllTests,
|
||||
|
||||
[Parameter(Mandatory = $true, ParameterSetName = "ExportAllResultsFromAuditResults")]
|
||||
[Parameter(Mandatory = $true, ParameterSetName = "ExportAllResultsFromCsv")]
|
||||
[string]$ExportPath,
|
||||
|
||||
[Parameter(Mandatory = $true, ParameterSetName = "ExportAllResultsFromAuditResults")]
|
||||
[Parameter(Mandatory = $true, ParameterSetName = "ExportAllResultsFromCsv")]
|
||||
[switch]$ExportOriginalTests,
|
||||
|
||||
[Parameter(Mandatory = $false, ParameterSetName = "ExportAllResultsFromAuditResults")]
|
||||
[Parameter(Mandatory = $false, ParameterSetName = "ExportAllResultsFromCsv")]
|
||||
[switch]$ExportToExcel
|
||||
)
|
||||
Begin {
|
||||
$createdFiles = @() # Initialize an array to keep track of created files
|
||||
if ($ExportToExcel) {
|
||||
Assert-ModuleAvailability -ModuleName ImportExcel -RequiredVersion "7.8.9"
|
||||
}
|
||||
@@ -92,22 +93,19 @@ function Export-M365SecurityAuditTable {
|
||||
Initialize-CISAuditResult @params
|
||||
}
|
||||
}
|
||||
|
||||
if ($ExportAllTests) {
|
||||
$TestNumbers = "1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4"
|
||||
}
|
||||
|
||||
$results = @()
|
||||
|
||||
$testsToProcess = if ($OutputTestNumber) { @($OutputTestNumber) } else { $TestNumbers }
|
||||
|
||||
}
|
||||
Process {
|
||||
foreach ($test in $testsToProcess) {
|
||||
$auditResult = $AuditResults | Where-Object { $_.Rec -eq $test }
|
||||
if (-not $auditResult) {
|
||||
Write-Information "No audit results found for the test number $test."
|
||||
continue
|
||||
}
|
||||
|
||||
switch ($test) {
|
||||
"6.1.2" {
|
||||
$details = $auditResult.Details
|
||||
@@ -117,7 +115,6 @@ function Export-M365SecurityAuditTable {
|
||||
else {
|
||||
$csv = $null
|
||||
}
|
||||
|
||||
if ($null -ne $csv) {
|
||||
foreach ($row in $csv) {
|
||||
$row.AdminActionsMissing = (Get-Action -AbbreviatedActions $row.AdminActionsMissing.Split(',') -ReverseActionType Admin | Where-Object { $_ -notin @("MailItemsAccessed", "Send") }) -join ','
|
||||
@@ -139,7 +136,6 @@ function Export-M365SecurityAuditTable {
|
||||
else {
|
||||
$csv = $null
|
||||
}
|
||||
|
||||
if ($null -ne $csv) {
|
||||
foreach ($row in $csv) {
|
||||
$row.AdminActionsMissing = (Get-Action -AbbreviatedActions $row.AdminActionsMissing.Split(',') -ReverseActionType Admin) -join ','
|
||||
@@ -160,11 +156,11 @@ function Export-M365SecurityAuditTable {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
End {
|
||||
if ($ExportPath) {
|
||||
$timestamp = (Get-Date).ToString("yyyy.MM.dd_HH.mm.ss")
|
||||
$exportedTests = @()
|
||||
|
||||
foreach ($result in $results) {
|
||||
$testDef = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $result.TestNumber }
|
||||
if ($testDef) {
|
||||
@@ -177,9 +173,11 @@ function Export-M365SecurityAuditTable {
|
||||
if ($ExportToExcel) {
|
||||
$xlsxPath = [System.IO.Path]::ChangeExtension($fileName, '.xlsx')
|
||||
$result.Details | Export-Excel -Path $xlsxPath -WorksheetName Table -TableName Table -AutoSize -TableStyle Medium2
|
||||
$createdFiles += $xlsxPath # Add the created file to the array
|
||||
}
|
||||
else {
|
||||
$result.Details | Export-Csv -Path $fileName -NoTypeInformation
|
||||
$createdFiles += $fileName # Add the created file to the array
|
||||
}
|
||||
$exportedTests += $result.TestNumber
|
||||
}
|
||||
@@ -197,23 +195,52 @@ function Export-M365SecurityAuditTable {
|
||||
Write-Information "No specified tests were included in the export." -InformationAction Continue
|
||||
}
|
||||
}
|
||||
|
||||
if ($ExportOriginalTests) {
|
||||
# Define the test numbers to check
|
||||
$TestNumbersToCheck = "1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4"
|
||||
|
||||
# Check for large details and update the AuditResults array
|
||||
$updatedAuditResults = Get-ExceededLengthResultDetail -AuditResults $AuditResults -TestNumbersToCheck $TestNumbersToCheck -ExportedTests $exportedTests -DetailsLengthLimit 30000 -PreviewLineCount 25
|
||||
$originalFileName = "$ExportPath\$timestamp`_M365FoundationsAudit.csv"
|
||||
if ($ExportToExcel) {
|
||||
$xlsxPath = [System.IO.Path]::ChangeExtension($originalFileName, '.xlsx')
|
||||
$updatedAuditResults | Export-Excel -Path $xlsxPath -WorksheetName Table -TableName Table -AutoSize -TableStyle Medium2
|
||||
$createdFiles += $xlsxPath # Add the created file to the array
|
||||
}
|
||||
else {
|
||||
$updatedAuditResults | Export-Csv -Path $originalFileName -NoTypeInformation
|
||||
$createdFiles += $originalFileName # Add the created file to the array
|
||||
}
|
||||
}
|
||||
# Hash each file and add it to a dictionary
|
||||
# Hash each file and save the hashes to a text file
|
||||
$hashFilePath = "$ExportPath\$timestamp`_Hashes.txt"
|
||||
$fileHashes = @()
|
||||
foreach ($file in $createdFiles) {
|
||||
$hash = Get-FileHash -Path $file -Algorithm SHA256
|
||||
$fileHashes += "$($file): $($hash.Hash)"
|
||||
}
|
||||
$fileHashes | Set-Content -Path $hashFilePath
|
||||
$createdFiles += $hashFilePath # Add the hash file to the array
|
||||
|
||||
# Create a zip file and add all the created files
|
||||
$zipFilePath = "$ExportPath\$timestamp`_M365FoundationsAudit.zip"
|
||||
Compress-Archive -Path $createdFiles -DestinationPath $zipFilePath
|
||||
|
||||
# Remove the original files after they have been added to the zip
|
||||
foreach ($file in $createdFiles) {
|
||||
Remove-Item -Path $file -Force
|
||||
}
|
||||
|
||||
# Compute the hash for the zip file and rename it
|
||||
$zipHash = Get-FileHash -Path $zipFilePath -Algorithm SHA256
|
||||
$newZipFilePath = "$ExportPath\$timestamp`_M365FoundationsAudit_$($zipHash.Hash.Substring(0, 8)).zip"
|
||||
Rename-Item -Path $zipFilePath -NewName $newZipFilePath
|
||||
|
||||
# Output the zip file path with hash
|
||||
[PSCustomObject]@{
|
||||
ZipFilePath = $newZipFilePath
|
||||
}
|
||||
} # End of ExportPath
|
||||
elseif ($OutputTestNumber) {
|
||||
if ($results[0].Details) {
|
||||
return $results[0].Details
|
||||
@@ -225,4 +252,9 @@ function Export-M365SecurityAuditTable {
|
||||
else {
|
||||
Write-Error "No valid operation specified. Please provide valid parameters."
|
||||
}
|
||||
# Output the created files at the end
|
||||
#if ($createdFiles.Count -gt 0) {
|
||||
########### $createdFiles
|
||||
#}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -132,30 +132,23 @@ function Invoke-M365SecurityAudit {
|
||||
[Parameter(Mandatory = $false, HelpMessage = "The SharePoint tenant admin URL, which should end with '-admin.sharepoint.com'. If not specified none of the Sharepoint Online tests will run.")]
|
||||
[ValidatePattern('^https://[a-zA-Z0-9-]+-admin\.sharepoint\.com$')]
|
||||
[string]$TenantAdminUrl,
|
||||
|
||||
[Parameter(Mandatory = $false, HelpMessage = "Specify this to test only the default domain for password expiration and DKIM Config for tests '1.3.1' and 2.1.9. The domain name of your organization, e.g., 'example.com'.")]
|
||||
[ValidatePattern('^[a-zA-Z0-9-]+\.[a-zA-Z]{2,}$')]
|
||||
[string]$DomainName,
|
||||
|
||||
# E-Level with optional ProfileLevel selection
|
||||
[Parameter(Mandatory = $true, ParameterSetName = 'ELevelFilter', HelpMessage = "Specifies the E-Level (E3 or E5) for the audit.")]
|
||||
[ValidateSet('E3', 'E5')]
|
||||
[string]$ELevel,
|
||||
|
||||
[Parameter(Mandatory = $true, ParameterSetName = 'ELevelFilter', HelpMessage = "Specifies the profile level (L1 or L2) for the audit.")]
|
||||
[ValidateSet('L1', 'L2')]
|
||||
[string]$ProfileLevel,
|
||||
|
||||
# IG Filters, one at a time
|
||||
[Parameter(Mandatory = $true, ParameterSetName = 'IG1Filter', HelpMessage = "Includes tests where IG1 is true.")]
|
||||
[switch]$IncludeIG1,
|
||||
|
||||
[Parameter(Mandatory = $true, ParameterSetName = 'IG2Filter', HelpMessage = "Includes tests where IG2 is true.")]
|
||||
[switch]$IncludeIG2,
|
||||
|
||||
[Parameter(Mandatory = $true, ParameterSetName = 'IG3Filter', HelpMessage = "Includes tests where IG3 is true.")]
|
||||
[switch]$IncludeIG3,
|
||||
|
||||
# Inclusion of specific recommendation numbers
|
||||
[Parameter(Mandatory = $true, ParameterSetName = 'RecFilter', HelpMessage = "Specifies specific recommendations to include in the audit. Accepts an array of recommendation numbers.")]
|
||||
[ValidateSet(
|
||||
@@ -168,7 +161,6 @@ function Invoke-M365SecurityAudit {
|
||||
'8.5.7', '8.6.1'
|
||||
)]
|
||||
[string[]]$IncludeRecommendation,
|
||||
|
||||
# Exclusion of specific recommendation numbers
|
||||
[Parameter(Mandatory = $true, ParameterSetName = 'SkipRecFilter', HelpMessage = "Specifies specific recommendations to exclude from the audit. Accepts an array of recommendation numbers.")]
|
||||
[ValidateSet(
|
||||
@@ -181,26 +173,21 @@ function Invoke-M365SecurityAudit {
|
||||
'8.5.7', '8.6.1'
|
||||
)]
|
||||
[string[]]$SkipRecommendation,
|
||||
|
||||
# Common parameters for all parameter sets
|
||||
[Parameter(Mandatory = $false, HelpMessage = "Specifies the approved cloud storage providers for the audit. Accepts an array of cloud storage provider names.")]
|
||||
[ValidateSet(
|
||||
'GoogleDrive', 'ShareFile', 'Box', 'DropBox', 'Egnyte'
|
||||
)]
|
||||
[string[]]$ApprovedCloudStorageProviders = @(),
|
||||
|
||||
[Parameter(Mandatory = $false, HelpMessage = "Specifies the approved federated domains for the audit test 8.2.1. Accepts an array of allowed domain names.")]
|
||||
[ValidatePattern('^[a-zA-Z0-9-]+\.[a-zA-Z]{2,}$')]
|
||||
[string[]]$ApprovedFederatedDomains,
|
||||
|
||||
[Parameter(Mandatory = $false, HelpMessage = "Specifies that the cmdlet will not establish a connection to Microsoft 365 services.")]
|
||||
[switch]$DoNotConnect,
|
||||
|
||||
[Parameter(Mandatory = $false, HelpMessage = "Specifies that the cmdlet will not disconnect from Microsoft 365 services after execution.")]
|
||||
[switch]$DoNotDisconnect,
|
||||
|
||||
[Parameter(Mandatory = $false, HelpMessage = "Specifies that the cmdlet will not check for the presence of required modules.")]
|
||||
[switch]$NoModuleCheck,
|
||||
|
||||
[Parameter(Mandatory = $false, HelpMessage = "Specifies that the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them.")]
|
||||
[switch]$DoNotConfirmConnections
|
||||
)
|
||||
@@ -210,10 +197,8 @@ function Invoke-M365SecurityAudit {
|
||||
}
|
||||
# Ensure required modules are installed
|
||||
$requiredModules = Get-RequiredModule -AuditFunction
|
||||
|
||||
# Format the required modules list
|
||||
$requiredModulesFormatted = Format-RequiredModuleList -RequiredModules $requiredModules
|
||||
|
||||
# Check and install required modules if necessary
|
||||
if (!($NoModuleCheck) -and $PSCmdlet.ShouldProcess("Check for required modules: $requiredModulesFormatted", "Check")) {
|
||||
Write-Host "Checking for and installing required modules..." -ForegroundColor DarkMagenta
|
||||
@@ -221,13 +206,11 @@ function Invoke-M365SecurityAudit {
|
||||
Assert-ModuleAvailability -ModuleName $module.ModuleName -RequiredVersion $module.RequiredVersion -SubModules $module.SubModules
|
||||
}
|
||||
}
|
||||
|
||||
# Load test definitions from CSV
|
||||
$testDefinitionsPath = Join-Path -Path $PSScriptRoot -ChildPath "helper\TestDefinitions.csv"
|
||||
$testDefinitions = Import-Csv -Path $testDefinitionsPath
|
||||
# Load the Test Definitions into the script scope for use in other functions
|
||||
$script:TestDefinitionsObject = $testDefinitions
|
||||
|
||||
# Apply filters based on parameter sets
|
||||
$params = @{
|
||||
TestDefinitions = $testDefinitions
|
||||
@@ -256,17 +239,14 @@ function Invoke-M365SecurityAudit {
|
||||
# Initialize a collection to hold failed test details
|
||||
$script:FailedTests = [System.Collections.ArrayList]::new()
|
||||
} # End Begin
|
||||
|
||||
Process {
|
||||
$allAuditResults = [System.Collections.ArrayList]::new() # Initialize a collection to hold all results
|
||||
# Dynamically dot-source the test scripts
|
||||
$testsFolderPath = Join-Path -Path $PSScriptRoot -ChildPath "tests"
|
||||
$testFiles = Get-ChildItem -Path $testsFolderPath -Filter "Test-*.ps1" |
|
||||
Where-Object { $testsToLoad -contains $_.BaseName }
|
||||
|
||||
$totalTests = $testFiles.Count
|
||||
$currentTestIndex = 0
|
||||
|
||||
# Establishing connections if required
|
||||
try {
|
||||
$actualUniqueConnections = Get-UniqueConnection -Connections $requiredConnections
|
||||
@@ -279,8 +259,6 @@ function Invoke-M365SecurityAudit {
|
||||
Write-Host "Connection execution aborted: $_" -ForegroundColor Red
|
||||
break
|
||||
}
|
||||
|
||||
|
||||
try {
|
||||
Write-Host "A total of $($totalTests) tests were selected to run..." -ForegroundColor DarkMagenta
|
||||
# Import the test functions
|
||||
@@ -297,7 +275,6 @@ function Invoke-M365SecurityAudit {
|
||||
$script:FailedTests.Add([PSCustomObject]@{ Test = $_.Name; Error = $_ })
|
||||
}
|
||||
}
|
||||
|
||||
$currentTestIndex = 0
|
||||
# Execute each test function from the prepared list
|
||||
foreach ($testFunction in $testFiles) {
|
||||
@@ -330,7 +307,6 @@ function Invoke-M365SecurityAudit {
|
||||
# Return all collected audit results
|
||||
# Define the test numbers to check
|
||||
$TestNumbersToCheck = "1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4"
|
||||
|
||||
# Check for large details in the audit results
|
||||
$exceedingTests = Get-ExceededLengthResultDetail -AuditResults $allAuditResults -TestNumbersToCheck $TestNumbersToCheck -ReturnExceedingTestsOnly -DetailsLengthLimit 30000
|
||||
if ($exceedingTests.Count -gt 0) {
|
||||
@@ -342,6 +318,3 @@ function Invoke-M365SecurityAudit {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -277,7 +277,15 @@
|
||||
<command:inputTypes>
|
||||
<command:inputType>
|
||||
<dev:type>
|
||||
<maml:name>[CISAuditResult[]], [string]</maml:name>
|
||||
<maml:name>[CISAuditResult[]] - An array of CISAuditResult objects.</maml:name>
|
||||
</dev:type>
|
||||
<maml:description>
|
||||
<maml:para></maml:para>
|
||||
</maml:description>
|
||||
</command:inputType>
|
||||
<command:inputType>
|
||||
<dev:type>
|
||||
<maml:name>[string] - A path to a CSV file.</maml:name>
|
||||
</dev:type>
|
||||
<maml:description>
|
||||
<maml:para></maml:para>
|
||||
@@ -287,7 +295,7 @@
|
||||
<command:returnValues>
|
||||
<command:returnValue>
|
||||
<dev:type>
|
||||
<maml:name>[PSCustomObject]</maml:name>
|
||||
<maml:name>[PSCustomObject] - A custom object containing the path to the zip file and its hash.</maml:name>
|
||||
</dev:type>
|
||||
<maml:description>
|
||||
<maml:para></maml:para>
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
function Test-AdministrativeAccountCompliance {
|
||||
[CmdletBinding()]
|
||||
param ()
|
||||
|
||||
begin {
|
||||
# The following conditions are checked:
|
||||
# Condition A: The administrative account is cloud-only (not synced).
|
||||
@@ -11,16 +10,12 @@ function Test-AdministrativeAccountCompliance {
|
||||
$recnum = "1.1.1"
|
||||
Write-Verbose "Starting Test-AdministrativeAccountCompliance with Rec: $recnum"
|
||||
}
|
||||
|
||||
process {
|
||||
|
||||
try {
|
||||
# Retrieve admin roles, assignments, and user details including licenses
|
||||
Write-Verbose "Retrieving admin roles, assignments, and user details including licenses"
|
||||
$adminRoleAssignments = Get-CISMgOutput -Rec $recnum
|
||||
|
||||
$adminRoleUsers = @()
|
||||
|
||||
foreach ($roleName in $adminRoleAssignments.Keys) {
|
||||
$assignments = $adminRoleAssignments[$roleName]
|
||||
foreach ($assignment in $assignments) {
|
||||
@@ -29,21 +24,16 @@ function Test-AdministrativeAccountCompliance {
|
||||
$userPrincipalName = $userDetails.UserPrincipalName
|
||||
$licenses = $assignment.Licenses
|
||||
$licenseString = if ($licenses) { ($licenses.SkuPartNumber -join '|') } else { "No Licenses Found" }
|
||||
|
||||
# Condition A: Check if the account is cloud-only
|
||||
$cloudOnlyStatus = if ($userDetails.OnPremisesSyncEnabled) { "Fail" } else { "Pass" }
|
||||
|
||||
# Condition B: Check if the account has valid licenses
|
||||
$hasValidLicense = $licenses.SkuPartNumber | ForEach-Object { $validLicenses -contains $_ }
|
||||
$validLicensesStatus = if ($hasValidLicense) { "Pass" } else { "Fail" }
|
||||
|
||||
# Condition C: Check if the account has no other licenses
|
||||
$hasInvalidLicense = $licenses.SkuPartNumber | ForEach-Object { $validLicenses -notcontains $_ }
|
||||
$invalidLicenses = $licenses.SkuPartNumber | Where-Object { $validLicenses -notcontains $_ }
|
||||
$applicationAssignmentStatus = if ($hasInvalidLicense) { "Fail" } else { "Pass" }
|
||||
|
||||
Write-Verbose "User: $userPrincipalName, Cloud-Only: $cloudOnlyStatus, Valid Licenses: $validLicensesStatus, Invalid Licenses: $($invalidLicenses -join ', ')"
|
||||
|
||||
# Collect user information
|
||||
$adminRoleUsers += [PSCustomObject]@{
|
||||
UserName = $userPrincipalName
|
||||
@@ -57,17 +47,14 @@ function Test-AdministrativeAccountCompliance {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Group admin role users by UserName and collect unique roles and licenses
|
||||
Write-Verbose "Grouping admin role users by UserName"
|
||||
$uniqueAdminRoleUsers = $adminRoleUsers | Group-Object -Property UserName | ForEach-Object {
|
||||
$first = $_.Group | Select-Object -First 1
|
||||
$roles = ($_.Group.RoleName -join ', ')
|
||||
$licenses = (($_.Group | Select-Object -ExpandProperty Licenses) -join ',').Split(',') | Select-Object -Unique
|
||||
|
||||
$first | Select-Object UserName, UserId, HybridUser, @{Name = 'Roles'; Expression = { $roles } }, @{Name = 'Licenses'; Expression = { $licenses -join '|' } }, CloudOnlyStatus, ValidLicensesStatus, ApplicationAssignmentStatus
|
||||
}
|
||||
|
||||
# Identify non-compliant users based on conditions A, B, and C
|
||||
Write-Verbose "Identifying non-compliant users based on conditions"
|
||||
$nonCompliantUsers = $uniqueAdminRoleUsers | Where-Object {
|
||||
@@ -75,7 +62,6 @@ function Test-AdministrativeAccountCompliance {
|
||||
$_.ValidLicensesStatus -eq "Fail" -or # Fails Condition B
|
||||
$_.ApplicationAssignmentStatus -eq "Fail" # Fails Condition C
|
||||
}
|
||||
|
||||
# Generate failure reasons
|
||||
Write-Verbose "Generating failure reasons for non-compliant users"
|
||||
$failureReasons = $nonCompliantUsers | ForEach-Object {
|
||||
@@ -88,13 +74,10 @@ function Test-AdministrativeAccountCompliance {
|
||||
else {
|
||||
"Compliant Accounts: $($uniqueAdminRoleUsers.Count)"
|
||||
}
|
||||
|
||||
$result = $nonCompliantUsers.Count -eq 0
|
||||
$status = if ($result) { 'Pass' } else { 'Fail' }
|
||||
$details = if ($nonCompliantUsers) { "Username | Roles | Cloud-Only Status | EntraID P1/P2 License Status | Other Applications Assigned Status`n$failureReasons" } else { "N/A" }
|
||||
|
||||
Write-Verbose "Assessment completed. Result: $status"
|
||||
|
||||
# Create the parameter splat
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
@@ -103,7 +86,6 @@ function Test-AdministrativeAccountCompliance {
|
||||
Details = $details
|
||||
FailureReason = $failureReason
|
||||
}
|
||||
|
||||
$auditResult = Initialize-CISAuditResult @params
|
||||
}
|
||||
catch {
|
||||
@@ -111,7 +93,6 @@ function Test-AdministrativeAccountCompliance {
|
||||
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
|
||||
}
|
||||
}
|
||||
|
||||
end {
|
||||
# Output the result
|
||||
return $auditResult
|
||||
|
||||
@@ -4,7 +4,6 @@ function Test-GlobalAdminsCount {
|
||||
param (
|
||||
# Define your parameters here if needed
|
||||
)
|
||||
|
||||
begin {
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
@@ -23,23 +22,19 @@ function Test-GlobalAdminsCount {
|
||||
# - Condition A: The number of global admins is less than 2.
|
||||
# - Condition B: The number of global admins is more than 4.
|
||||
# - Condition C: Any discrepancies or errors in retrieving the list of global admin usernames.
|
||||
|
||||
# Initialization code, if needed
|
||||
$recnum = "1.1.3"
|
||||
Write-Verbose "Starting Test-GlobalAdminsCount with Rec: $recnum"
|
||||
}
|
||||
|
||||
process {
|
||||
try {
|
||||
$globalAdmins = Get-CISMgOutput -Rec $recnum
|
||||
|
||||
# Step: Count the number of global admins
|
||||
$globalAdminCount = $globalAdmins.Count
|
||||
|
||||
# Step: Retrieve and format the usernames of global admins
|
||||
$globalAdminUsernames = ($globalAdmins | ForEach-Object {
|
||||
"$($_.AdditionalProperties["displayName"]) ($($_.AdditionalProperties["userPrincipalName"]))"
|
||||
}) -join ', '
|
||||
|
||||
# Step: Determine failure reasons based on global admin count
|
||||
$failureReasons = if ($globalAdminCount -lt 2) {
|
||||
"Less than 2 global admins: $globalAdminUsernames"
|
||||
@@ -50,10 +45,8 @@ function Test-GlobalAdminsCount {
|
||||
else {
|
||||
"N/A"
|
||||
}
|
||||
|
||||
# Step: Prepare details for the audit result
|
||||
$details = "Count: $globalAdminCount; Users: $globalAdminUsernames"
|
||||
|
||||
# Step: Create and populate the CISAuditResult object
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
@@ -69,7 +62,6 @@ function Test-GlobalAdminsCount {
|
||||
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
|
||||
}
|
||||
}
|
||||
|
||||
end {
|
||||
# Return the audit result
|
||||
return $auditResult
|
||||
|
||||
@@ -4,14 +4,12 @@ function Test-ManagedApprovedPublicGroups {
|
||||
param (
|
||||
# Parameters can be added if needed
|
||||
)
|
||||
|
||||
begin {
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
|
||||
# Initialization code, if needed
|
||||
$recnum = "1.2.1"
|
||||
|
||||
Write-Verbose "Starting Test-ManagedApprovedPublicGroups with Rec: $recnum"
|
||||
# Conditions for 1.2.1 (L2) Ensure that only organizationally managed/approved public groups exist (Automated)
|
||||
#
|
||||
# Validate test for a pass:
|
||||
@@ -26,12 +24,10 @@ function Test-ManagedApprovedPublicGroups {
|
||||
# - Condition A: One or more groups have the status 'Public' in the privacy column on the Active teams and groups page.
|
||||
# - Condition B: Using Microsoft Graph PowerShell, one or more groups return a status of 'Public' when checked.
|
||||
}
|
||||
|
||||
process {
|
||||
try {
|
||||
# Step: Retrieve all groups with visibility set to 'Public'
|
||||
$allGroups = Get-CISMgOutput -Rec $recnum
|
||||
|
||||
# Step: Determine failure reasons based on the presence of public groups
|
||||
$failureReasons = if ($null -ne $allGroups -and $allGroups.Count -gt 0) {
|
||||
"There are public groups present that are not organizationally managed/approved."
|
||||
@@ -39,7 +35,6 @@ function Test-ManagedApprovedPublicGroups {
|
||||
else {
|
||||
"N/A"
|
||||
}
|
||||
|
||||
# Step: Prepare details for the audit result
|
||||
$details = if ($null -eq $allGroups -or $allGroups.Count -eq 0) {
|
||||
"No public groups found."
|
||||
@@ -48,7 +43,6 @@ function Test-ManagedApprovedPublicGroups {
|
||||
$groupDetails = $allGroups | ForEach-Object { $_.DisplayName + " (" + $_.Visibility + ")" }
|
||||
"Public groups found: $($groupDetails -join ', ')"
|
||||
}
|
||||
|
||||
# Step: Create and populate the CISAuditResult object
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
@@ -64,7 +58,6 @@ function Test-ManagedApprovedPublicGroups {
|
||||
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
|
||||
}
|
||||
}
|
||||
|
||||
end {
|
||||
# Return the audit result
|
||||
return $auditResult
|
||||
|
||||
@@ -5,7 +5,6 @@ function Test-PasswordHashSync {
|
||||
# Aligned
|
||||
# Parameters can be added if needed
|
||||
)
|
||||
|
||||
begin {
|
||||
# Conditions for 5.1.8.1 (L1) Ensure password hash sync is enabled for hybrid deployments
|
||||
#
|
||||
@@ -22,21 +21,18 @@ function Test-PasswordHashSync {
|
||||
# - Condition A: Password hash sync is not enabled in the Azure AD Connect tool on the on-premises server.
|
||||
# - Condition B: Password hash sync is not verified as enabled in the Azure AD Connect Sync section in the Microsoft Entra admin center.
|
||||
# - Condition C: Using Microsoft Graph PowerShell, the verification command returns no result indicating that password sync is not enabled for the on-premises AD.
|
||||
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
# Initialization code, if needed
|
||||
$recnum = "5.1.8.1"
|
||||
Write-Verbose "Starting Test-PasswordHashSync with Rec: $recnum"
|
||||
}
|
||||
|
||||
process {
|
||||
try {
|
||||
# 5.1.8.1 (L1) Ensure password hash sync is enabled for hybrid deployments
|
||||
|
||||
# Retrieve password hash sync status (Condition A and C)
|
||||
$passwordHashSync = Get-CISMgOutput -Rec $recnum
|
||||
$hashSyncResult = $passwordHashSync
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
$failureReasons = if (-not $hashSyncResult) {
|
||||
"Password hash sync for hybrid deployments is not enabled"
|
||||
@@ -44,9 +40,7 @@ function Test-PasswordHashSync {
|
||||
else {
|
||||
"N/A"
|
||||
}
|
||||
|
||||
$details = "OnPremisesSyncEnabled: $($passwordHashSync)"
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
@@ -62,7 +56,6 @@ function Test-PasswordHashSync {
|
||||
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
|
||||
}
|
||||
}
|
||||
|
||||
end {
|
||||
# Return the audit result
|
||||
return $auditResult
|
||||
|
||||
@@ -5,23 +5,19 @@ function Test-RestrictTenantCreation {
|
||||
# Aligned
|
||||
# Parameters can be added if needed
|
||||
)
|
||||
|
||||
begin {
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
|
||||
# Initialization code, if needed
|
||||
$recnum = "5.1.2.3"
|
||||
|
||||
Write-Verbose "Starting Test-RestrictTenantCreation with Rec: $recnum"
|
||||
<#
|
||||
Conditions for 5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
|
||||
|
||||
Validate test for a pass:
|
||||
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
- Specific conditions to check:
|
||||
- Condition A: Restrict non-admin users from creating tenants is set to 'Yes' in the Azure AD and Entra administration portal.
|
||||
- Condition B: Using PowerShell, the setting for restricting non-admin users from creating tenants is set to 'Yes'.
|
||||
|
||||
Validate test for a fail:
|
||||
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
- Specific conditions to check:
|
||||
@@ -29,15 +25,12 @@ function Test-RestrictTenantCreation {
|
||||
- Condition B: Using PowerShell, the setting for restricting non-admin users from creating tenants is not set to 'Yes'.
|
||||
#>
|
||||
}
|
||||
|
||||
process {
|
||||
try {
|
||||
# 5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
|
||||
|
||||
# Retrieve the tenant creation policy
|
||||
$tenantCreationPolicy = Get-CISMgOutput -Rec $recnum
|
||||
$tenantCreationResult = -not $tenantCreationPolicy.AllowedToCreateTenants
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
$failureReasons = if ($tenantCreationResult) {
|
||||
"N/A"
|
||||
@@ -45,9 +38,7 @@ function Test-RestrictTenantCreation {
|
||||
else {
|
||||
"Non-admin users can create tenants"
|
||||
}
|
||||
|
||||
$details = "AllowedToCreateTenants: $($tenantCreationPolicy.AllowedToCreateTenants)"
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
$params = @{
|
||||
Rec = $recnum
|
||||
@@ -63,7 +54,6 @@ function Test-RestrictTenantCreation {
|
||||
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
|
||||
}
|
||||
}
|
||||
|
||||
end {
|
||||
# Return the audit result
|
||||
return $auditResult
|
||||
|
||||
Reference in New Issue
Block a user