vibecoding/M365FoundationsCISReport
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: vibecoding:v0.1.25
Branches Tags
vibecoding:main vibecoding:365-4.0.0-Update
vibecoding:v0.1.28 vibecoding:v0.1.27 vibecoding:v0.1.26 vibecoding:v0.1.25 vibecoding:v0.1.24 vibecoding:v0.1.23 vibecoding:v0.1.22 vibecoding:v0.1.21 vibecoding:v0.1.20 vibecoding:v0.1.19 vibecoding:v0.1.18 vibecoding:v0.1.17 vibecoding:v0.1.16 vibecoding:v0.1.15 vibecoding:v0.1.14 vibecoding:v0.1.13 vibecoding:v0.1.12 vibecoding:v0.1.11 vibecoding:v0.1.10 vibecoding:v0.1.9 vibecoding:v0.1.8 vibecoding:v0.1.7 vibecoding:v0.1.6 vibecoding:v0.1.5 vibecoding:v0.1.4 vibecoding:v0.1.3 vibecoding:v0.1.2 vibecoding:v0.1.1 vibecoding:v0.0.1 vibecoding:v0.1.0-preview0001
...
compare: vibecoding:365-4.0.0-Update
Branches Tags
vibecoding:365-4.0.0-Update vibecoding:main
vibecoding:v0.1.28 vibecoding:v0.1.27 vibecoding:v0.1.26 vibecoding:v0.1.25 vibecoding:v0.1.24 vibecoding:v0.1.23 vibecoding:v0.1.22 vibecoding:v0.1.21 vibecoding:v0.1.20 vibecoding:v0.1.19 vibecoding:v0.1.18 vibecoding:v0.1.17 vibecoding:v0.1.16 vibecoding:v0.1.15 vibecoding:v0.1.14 vibecoding:v0.1.13 vibecoding:v0.1.12 vibecoding:v0.1.11 vibecoding:v0.1.10 vibecoding:v0.1.9 vibecoding:v0.1.8 vibecoding:v0.1.7 vibecoding:v0.1.6 vibecoding:v0.1.5 vibecoding:v0.1.4 vibecoding:v0.1.3 vibecoding:v0.1.2 vibecoding:v0.1.1 vibecoding:v0.0.1 vibecoding:v0.1.0-preview0001

72 Commits
v0.1.25 ... 365-4.0.0-

Author SHA1 Message Date
DrIOS
55a4ec4bea add: Version number to test output 2025-04-21 11:57:40 -05:00
DrIOS
e2ab71f1a8 Fix: Update Help 2025-04-21 11:27:41 -05:00
DrIOS
118bb6f227 Fix: Export-M365SecurityAuditTable function 2025-04-21 11:19:43 -05:00
DrIOS
2a6aaffe2f Add: Get-TestDefinition function 2025-04-21 11:17:24 -05:00
DrIOS
4cbe2ada48 fix: formatting 2025-04-21 11:16:50 -05:00
DrIOS
9579a65f94 Add: Get-TestDefinition function 2025-04-21 11:16:10 -05:00
DrIOS
ac4d268eb8 test: test 2025-04-20 11:13:00 -05:00
DrIOS
00c06f7d25 fix: formatting 2025-04-19 19:51:38 -05:00
DrIOS
445c962af0 fix: pre test call 2025-04-19 19:33:22 -05:00
DrIOS
6cb086f8f1 fix: formatting 2025-04-19 19:22:25 -05:00
DrIOS
6098c26ce5 fix: Minimum version in module install 2025-04-19 19:20:20 -05:00
DrIOS
06a3ce57d1 fix: Formatting 2025-04-19 18:14:54 -05:00
DrIOS
62a0488ed5 fix: version type in assert module 2025-03-25 08:31:52 -05:00
DrIOS
2c339f8bc5 fix : changelog and formatting 2025-03-25 08:09:00 -05:00
DrIOS
e16c147e7d add: Adds new CSV for PowerShell commands and updates PnP update check handling 2025-03-23 15:39:50 -05:00
Doug Rios
3e4214c070 Merge branch 'main' into 365-4.0.0-Update 2025-03-23 15:34:35 -05:00
DrIOS
ee23b72db7 fix formatting 2025-03-15 10:52:54 -05:00
DrIOS
5a995c702f add: UpdateCheck variable off for pnp powershell. 2025-03-10 10:06:49 -05:00
Doug Rios
be0b6e0129 Merge pull request #156 from CriticalSolutionsNetwork/Bugfix--Fix-SPO-output-for-Get-SPOSite 
fix: Fix SPO output for Get-SPOSite
 2025-01-14 13:11:13 -06:00
DrIOS
642cdfe2ab fix: Fix SPO output for Get-SPOSite 2025-01-14 13:07:59 -06:00
Doug Rios
a8b76c7e16 Merge pull request #155 from CriticalSolutionsNetwork/Bugfix-Sharepoint-Online-Issue-from-EOY-2024 
Bugfix sharepoint online issue from eoy 2024
 2025-01-13 16:07:14 -06:00
DrIOS
fbf40fa98e add: method to avoid assembly already loaded error 2025-01-13 16:03:30 -06:00
DrIOS
f409e8a5f1 add: new method of verifying spo tenant for Connect-SPOService branch 2025-01-13 15:35:07 -06:00
DrIOS
c341279531 add: error handling to identify problematic step in connect function 2025-01-13 14:46:53 -06:00
DrIOS
6a8438bbe8 add: error handling to identify problematic step in connect function 2025-01-13 14:44:18 -06:00
DrIOS
d62e914de0 fix: 2.1.1 attachment filtering 2025-01-13 14:39:21 -06:00
DrIOS
e1ef81a249 fix: return when higest policy passes. 2024-12-30 13:52:34 -06:00
DrIOS
a0b524104d format: Line breaks 2024-12-30 13:45:28 -06:00
DrIOS
bd9978a494 fix: scope function and antiphishing policy comments 2024-12-27 15:22:40 -06:00
DrIOS
07ca126c1b format: comments for Get-PhishPolicyCompliance 2024-12-27 11:54:46 -06:00
DrIOS
f493eed7a0 format: Get-CISExoOutput comments 2024-12-27 11:46:08 -06:00
DrIOS
4e12eae6a9 add: Tests for 2.17 2024-12-27 11:05:28 -06:00
DrIOS
022dcde49b docs: update spellcheck 2024-12-27 10:33:24 -06:00
DrIOS
ef4bc4dcbd add: parameter validation updates and new public function 2024-12-26 16:06:11 -06:00
DrIOS
af17eb1c2e add: public function for gathering rec numbers 2024-12-26 15:58:02 -06:00
DrIOS
8fb2f1d9c8 Format: remove blank lines in Get-TestDefinitionsObject 2024-12-26 15:33:14 -06:00
DrIOS
88f2566422 add: test and call for 1.1.4 2024-12-26 14:40:25 -06:00
DrIOS
856bd0b8d8 aDD: warning for pnp.powershell and authobject usage 2024-12-26 14:06:52 -06:00
DrIOS
330f399b41 fix: added warning for subsequent runs when using auth object 2024-12-26 13:00:31 -06:00
DrIOS
ac5274d9f6 docs:update CHANGELOG 2024-12-26 10:47:53 -06:00
DrIOS
80c9c73c83 docs:update comment 2024-12-26 10:44:59 -06:00
DrIOS
d11ebf47a6 fix: pnp spo graph module load error 2024-12-26 10:44:02 -06:00
DrIOS
d9b8bf2941 format: update recnum to RecNum 2024-12-26 09:28:33 -06:00
DrIOS
391be439b0 add: formatting 2024-12-24 16:42:52 -06:00
DrIOS
5753ab8a4f add: Core logic to switch between versions 2024-12-24 15:51:03 -06:00
DrIOS
ca021695a4 add: Placeholders for test defs 2024-12-24 14:33:03 -06:00
DrIOS
fb7b543c6a add: TestDefinitions-v4.0.0.csv file 2024-12-24 13:37:08 -06:00
DrIOS
fdc20093ba docs: update help docs 2024-12-24 11:31:26 -06:00
DrIOS
87c635210d docs: Update Help 2024-08-04 16:03:14 -05:00
DrIOS
07592569b4 docs: Pull doc changes 2024-08-04 15:55:40 -05:00
Doug Rios
4b3a0b7505 Merge pull request #148 from CriticalSolutionsNetwork/Testing-Automations 
Testing automations
 2024-08-04 15:46:49 -05:00
DrIOS
042bf7b37c docs: update help docs 2024-08-04 15:44:12 -05:00
DrIOS
69ae64562f docs: update help docs 2024-08-04 15:40:50 -05:00
DrIOS
c64325e773 docs: update help docs 2024-08-04 15:34:28 -05:00
DrIOS
c341db53c5 docs: update help docs 2024-08-04 15:17:21 -05:00
DrIOS
2f5c653cc8 docs: Update CHANGELOG 2024-08-04 14:53:21 -05:00
DrIOS
00600123f3 docs: Update readme and html help 2024-08-04 14:50:58 -05:00
DrIOS
0cb1643341 docs: Update readme and html help 2024-08-04 14:47:45 -05:00
DrIOS
939980b087 docs: Update readme and html help 2024-08-04 14:29:42 -05:00
DrIOS
f375fdd5ef rename function 2024-08-04 14:13:35 -05:00
DrIOS
0ea930c708 rename function 2024-08-04 14:13:25 -05:00
Doug Rios
f9e3b5faed Merge pull request #149 from CriticalSolutionsNetwork/main 
Update README.md
 2024-08-04 13:56:38 -05:00
Doug Rios
4613d592d1 Update README.md 2024-08-04 13:54:55 -05:00
DrIOS
da968db3e2 change: refactor Get-CISSpoOutput to support application auth using Pnp Powershell 2024-08-04 13:51:29 -05:00
DrIOS
357f284d08 add: test number to error 2024-08-04 13:49:58 -05:00
DrIOS
9e3058add4 add: test number to Get-TestError output 2024-08-04 13:49:13 -05:00
DrIOS
d7d16ff0b5 add: App Authentication test 2024-08-03 18:52:46 -05:00
DrIOS
45eb961554 Fix: Vaugue parameter name 2024-08-03 11:43:42 -05:00
DrIOS
686e805f6a Fix: Vaugue parameter name 2024-08-03 11:42:59 -05:00
DrIOS
63edc13261 fix: Export original and all tests 2024-08-03 11:29:15 -05:00
DrIOS
9508130ddd fix: compatibility version 2024-08-03 11:28:46 -05:00
DrIOS
db73d755ed fix: Output suppression 2024-08-01 21:14:56 -05:00
105 changed files with 4702 additions and 2757 deletions
Expand all files Collapse all files

3
.gitignore vendored
View File

@@ -16,4 +16,5 @@ markdownissues.txt
node_modules
package-lock.json
Aligned.xlsx
test-gh1.ps1
test-gh1.ps1
ModdedModules/*

3
.vscode/settings.json vendored
View File

@@ -1,5 +1,6 @@
{
"cSpell.words": [
"Msol"
]
],
"azureAutomation.directory.basePath": "c:\\Users\\dougrios"
}

37
Book1.csv Normal file
View File

@@ -0,0 +1,37 @@
Product,Command
SharePoint,Get-SPOTenant
SharePoint,Get-SPOSite
SharePoint,Get-SPOTenantSyncClientRestriction
SharePoint,Get-PnPTenant
SharePoint,Get-PnPTenantSite
SharePoint,Get-PnPTenantSyncClientRestriction
Microsoft Graph,Get-MgDirectoryRole
Microsoft Graph,Get-MgDirectoryRoleMember
Microsoft Graph,Get-MgUser
Microsoft Graph,Get-MgGroup
Microsoft Graph,Get-MgDomain
Microsoft Graph,Get-MgOrganization
Microsoft Graph,Get-MgSubscribedSku
Microsoft Graph,Get-MgUserLicenseDetail
Teams,Get-CsTeamsClientConfiguration
Teams,Get-CsTeamsMeetingPolicy
Teams,Get-CsTenantFederationConfiguration
Teams,Get-CsTeamsMessagingPolicy
Exchange Online,Get-EXOMailbox
Exchange Online,Get-OrganizationConfig
Exchange Online,Get-SharingPolicy
Exchange Online,Get-RoleAssignmentPolicy
Exchange Online,Get-OwaMailboxPolicy
Exchange Online,Get-SafeLinksPolicy
Exchange Online,Get-SafeAttachmentPolicy
Exchange Online,Get-SafeAttachmentRule
Exchange Online,Get-MalwareFilterPolicy
Exchange Online,Get-HostedOutboundSpamFilterPolicy
Exchange Online,Get-AntiPhishPolicy
Exchange Online,Get-AntiPhishRule
Exchange Online,Get-DkimSigningConfig
Exchange Online,Get-TransportRule
Exchange Online,Get-ExternalInOutlook
Exchange Online,Get-AdminAuditLogConfig
Exchange Online,Get-AtpPolicyForO365
Exchange Online,Get-ReportSubmissionPolicy
1 Product Command
2 SharePoint Get-SPOTenant
3 SharePoint Get-SPOSite
4 SharePoint Get-SPOTenantSyncClientRestriction
5 SharePoint Get-PnPTenant
6 SharePoint Get-PnPTenantSite
7 SharePoint Get-PnPTenantSyncClientRestriction
8 Microsoft Graph Get-MgDirectoryRole
9 Microsoft Graph Get-MgDirectoryRoleMember
10 Microsoft Graph Get-MgUser
11 Microsoft Graph Get-MgGroup
12 Microsoft Graph Get-MgDomain
13 Microsoft Graph Get-MgOrganization
14 Microsoft Graph Get-MgSubscribedSku
15 Microsoft Graph Get-MgUserLicenseDetail
16 Teams Get-CsTeamsClientConfiguration
17 Teams Get-CsTeamsMeetingPolicy
18 Teams Get-CsTenantFederationConfiguration
19 Teams Get-CsTeamsMessagingPolicy
20 Exchange Online Get-EXOMailbox
21 Exchange Online Get-OrganizationConfig
22 Exchange Online Get-SharingPolicy
23 Exchange Online Get-RoleAssignmentPolicy
24 Exchange Online Get-OwaMailboxPolicy
25 Exchange Online Get-SafeLinksPolicy
26 Exchange Online Get-SafeAttachmentPolicy
27 Exchange Online Get-SafeAttachmentRule
28 Exchange Online Get-MalwareFilterPolicy
29 Exchange Online Get-HostedOutboundSpamFilterPolicy
30 Exchange Online Get-AntiPhishPolicy
31 Exchange Online Get-AntiPhishRule
32 Exchange Online Get-DkimSigningConfig
33 Exchange Online Get-TransportRule
34 Exchange Online Get-ExternalInOutlook
35 Exchange Online Get-AdminAuditLogConfig
36 Exchange Online Get-AtpPolicyForO365
37 Exchange Online Get-ReportSubmissionPolicy

57
CHANGELOG.md
View File

@@ -4,6 +4,63 @@ The format is based on and uses the types of changes according to [Keep a Change
## [Unreleased]
### Added
- TestDefinitions-v4.0.0.csv file to the helper folder for version choices.
- Link to App Authentication documentation in `New-M365SecurityAuditAuthObject` help file.
- Test Definition Placeholders
- Steps to function to account for new logic and create an updated test definition object when version 4.0.0 is selected.
- Test-AdministrativeAccountCompliance4 function for v4.0.0 rec# 1.1.1 test.
- Updated Get-CISMgOutput function to include the new test definition case for 1.1.1,1.1.4 and 2.1.7.
- Updated Get-CISExoOutput function to include the new test definition case for 2.1.7.
- New public function for generating version specific lists of recommendation numbers.
- Check in main public function to check for 4.0.0 rec numbers when 3.0.0 is selected as the M365 benchmark version.
- Rec numbers to include and exclude rec numbers for version 4.0.0 so the 'validate set' works correctly.
- Get-PhishPolicyCompliance and Get-ScopeOverlap private functions for 2.1.7 v4.
- Test-PhishPolicyCompliance4 function for 2.1.7 v4.
- Adds new CSV for PowerShell commands and updates PnP update check handling
- Introduces a new CSV file listing various PowerShell commands for different Microsoft services.
- Updates the `Invoke-M365SecurityAudit` script to temporarily disable PnP PowerShell update checks during execution and restores the original setting afterward.
- Pre-Test cmdlet call to `Get-MgGroup` to load the MgGraph assembly prior to running PnP PowerShell commands when using app authentication.
- Output Verbosity for test score.
- Get-TestDefinition private function for v4.0.0 to get the test definition for the test.
- CIS M365 Foundations version to output object to ensure tests display the version of the benchmark being used and for use in verifying the test definitions needed for the export function.
### Fixed
- Fixed Pnp PowerShell MgGraph assembly load error with workaround to load the MgGraph assembly as soon as it's imported with a call to Get-MgGroup.
- Phish policy test to return if highest priority policy conforms to the benchmark.
- Module assertion to check for minimum version of required modules.
- Module assertion to not import the module if it already exists.
- Fixed Export-M365SecurityAuditTable to ensure there are only 3 parameter sets: One for specific nested test output, one to export only nested tables, and one to export all tests along with options to export to CSV or Excel.
## [v0.1.28] - 2025-01-14
### Fixed
- Get-SPOSite command to return all but voided output for no code runs (Ex: PowerAutomate)
## [0.1.27] - 2025-01-13
### Added
- Added additional error handling to connect function to identify problematic steps when they occur.
- Added new method of verifying spo tenant for Connect-SPOService branch of connect function.
- Added method to avoid "assembly already loaded" error in PNP Powershell function on first run, subsequent runs in the same session will still throw the error.
## [0.1.26] - 2024-08-04
### Added
- Added `New-M365SecurityAuditAuthObject` function to create a new authentication object for the security audit for app-based authentication.
### Changed
- Changed authentication options to include parameter for authenticating with a certificate.
- Changed verbose output to ensure methods for suppressing all forms of output are available.
## [0.1.25] - 2024-07-23
### Fixed
- Fixed test 1.3.1 as notification window for password expiration is no longer required.

50
README copy.md
View File

@@ -1,5 +1,6 @@
# M365FoundationsCISReport Module
[![PSScriptAnalyzer](https://github.com/CriticalSolutionsNetwork/M365FoundationsCISReport/actions/workflows/powershell.yml/badge.svg)](https://github.com/CriticalSolutionsNetwork/M365FoundationsCISReport/actions/workflows/powershell.yml)
[![pages-build-deployment](https://github.com/CriticalSolutionsNetwork/M365FoundationsCISReport/actions/workflows/pages/pages-build-deployment/badge.svg)](https://github.com/CriticalSolutionsNetwork/M365FoundationsCISReport/actions/workflows/pages/pages-build-deployment)
## License
This PowerShell module is based on CIS benchmarks and is distributed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. This means:
@@ -17,19 +18,47 @@ For full license details, please visit [Creative Commons Attribution-NonCommerci
3. [Get-AdminRoleUserLicense](#Get-AdminRoleUserLicense)
4. [Get-MFAStatus](#Get-MFAStatus)
5. [Grant-M365SecurityAuditConsent](#Grant-M365SecurityAuditConsent)
6. [Remove-RowsWithEmptyCSVStatus](#Remove-RowsWithEmptyCSVStatus)
7. [Sync-CISExcelAndCsvData](#Sync-CISExcelAndCsvData)
6. [New-M365SecurityAuditAuthObject](#New-M365SecurityAuditAuthObject)
7. [Remove-RowsWithEmptyCSVStatus](#Remove-RowsWithEmptyCSVStatus)
8. [Sync-CISExcelAndCsvData](#Sync-CISExcelAndCsvData)
## Invoke-M365SecurityAudit
## Module Dependencies
The `M365FoundationsCISReport` module relies on several other PowerShell modules to perform its operations. The default run ensures these modules are installed with the specified versions. Use -NoModuleCheck to skip this step if you have installed the required modules previously and would like to suppress any output for automated runs.
### Minimum Required Modules for Audit Functions
Default modules used for audit functions:
- **ExchangeOnlineManagement**
- Required Version: `3.3.0`
- **Microsoft.Graph**
- Required Version: `2.4.0`
- **PnP.PowerShell** (Optional, if PnP App authentication is used for SharePoint Online)
- Required Version: `2.5.0`
- **Microsoft.Online.SharePoint.PowerShell** (If PnP authentication is not used (Default) )
- Required Version: `16.0.24009.12000`
- **MicrosoftTeams**
- Required Version: `5.5.0`
- **ImportExcel** (If importing or exporting Excel files)
- Required Version: `7.8.9`
# EXAMPLES
```powershell
# Example 1: Performing a security audit based on CIS benchmarks
$auditResults = Invoke-M365SecurityAudit -TenantAdminUrl "https://contoso-admin.sharepoint.com"
$auditResults = Invoke-M365SecurityAudit -TenantAdminUrl "https://contoso-admin.sharepoint.com" -DomainName "contoso.com" -ApprovedCloudStorageProviders "DropBox" -ApprovedFederatedDomains "northwind.com"
# Suppressed output for automated runs
$auditResults = Invoke-M365SecurityAudit -TenantAdminUrl "https://contoso-admin.sharepoint.com" -NoModuleCheck -NoModuleCheck -DoNotConfirmConnections -Confirm:$false
# Example 2: Exporting a security audit and it's nested tables to zipped CSV files
Export-M365SecurityAuditTable -AuditResults $auditResults -ExportPath "C:\temp" -ExportOriginalTests -ExportAllTests
Export-M365SecurityAuditTable -AuditResults $auditResults -ExportPath "C:\temp"
# Output Ex: 2024.07.07_14.55.55_M365FoundationsAudit_368B2E2F.zip
# Example 3: Retrieving licenses for users in administrative roles
@@ -46,6 +75,15 @@ Sync-CISExcelAndCsvData -ExcelPath "path\to\excel.xlsx" -CsvPath "path\to\data.c
# Example 7: Granting Microsoft Graph permissions to the auditor
Grant-M365SecurityAuditConsent -UserPrincipalNameForConsent 'user@example.com'
# Example 8: (PowerShell 7.x Only) Creating a new authentication object for the security audit for app-based authentication.
$authParams = New-M365SecurityAuditAuthObject `
-ClientCertThumbPrint "ABCDEF1234567890ABCDEF1234567890ABCDEF12" `
-ClientId "12345678-1234-1234-1234-123456789012" `
-TenantId "12345678-1234-1234-1234-123456789012" `
-OnMicrosoftUrl "yourcompany.onmicrosoft.com" `
-SpAdminUrl "https://yourcompany-admin.sharepoint.com"
Invoke-M365SecurityAudit -AuthParams $authParams -TenantAdminUrl "https://yourcompany-admin.sharepoint.com"
```
# NOTE
@@ -57,4 +95,4 @@ If you encounter any issues while using the cmdlets, ensure that your environmen
# SEE ALSO
- [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/)
- [Microsoft 365 Security Documentation](https://docs.microsoft.com/en-us/microsoft-365/security/)
- [PowerShell Documentation](https://docs.microsoft.com/en-us/powershell/)
- [PowerShell Documentation](https://docs.microsoft.com/en-us/powershell/)

BIN
README.md
View File

Binary file not shown.

BIN
docs/index.html
View File

Binary file not shown.

176
help/Export-M365SecurityAuditTable.md
View File

@@ -1,4 +1,4 @@
---
---
external help file: M365FoundationsCISReport-help.xml
Module Name: M365FoundationsCISReport
online version: https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Export-M365SecurityAuditTable
@@ -12,29 +12,25 @@ Exports M365 security audit results to a CSV file or outputs a specific test res
## SYNTAX
### OutputObjectFromAuditResultsSingle
### DefaultExport (Default)
```
Export-M365SecurityAuditTable [-AuditResults] <CISAuditResult[]> [-OutputTestNumber] <String>
Export-M365SecurityAuditTable -AuditResults <PSObject[]> -ExportPath <String> [-ExportToExcel]
[-Prefix <String>] [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm] [<CommonParameters>]
```
### SingleObject
```
Export-M365SecurityAuditTable -AuditResults <PSObject[]> -OutputTestNumber <String>
[-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm] [<CommonParameters>]
```
### OnlyExportNestedTables
```
Export-M365SecurityAuditTable -AuditResults <PSObject[]> -ExportPath <String> [-ExportToExcel]
[-Prefix <String>] [-OnlyExportNestedTables] [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm]
[<CommonParameters>]
```
### ExportAllResultsFromAuditResults
```
Export-M365SecurityAuditTable [-AuditResults] <CISAuditResult[]> [-ExportAllTests] -ExportPath <String>
[-ExportOriginalTests] [-ExportToExcel] [<CommonParameters>]
```
### OutputObjectFromCsvSingle
```
Export-M365SecurityAuditTable [-CsvPath] <String> [-OutputTestNumber] <String> [<CommonParameters>]
```
### ExportAllResultsFromCsv
```
Export-M365SecurityAuditTable [-CsvPath] <String> [-ExportAllTests] -ExportPath <String> [-ExportOriginalTests]
[-ExportToExcel] [<CommonParameters>]
```
## DESCRIPTION
This function exports M365 security audit results from either an array of CISAuditResult objects or a CSV file.
It can export all results to a specified path or output a specific test result as an object.
@@ -83,58 +79,13 @@ Export-M365SecurityAuditTable -ExportAllTests -CsvPath "C:\temp\auditresultstoda
An array of CISAuditResult objects containing the audit results.
```yaml
Type: CISAuditResult[]
Parameter Sets: OutputObjectFromAuditResultsSingle, ExportAllResultsFromAuditResults
Aliases:
Required: True
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -CsvPath
The path to a CSV file containing the audit results.
```yaml
Type: String
Parameter Sets: OutputObjectFromCsvSingle, ExportAllResultsFromCsv
Aliases:
Required: True
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -ExportAllTests
Switch to export all test results.
```yaml
Type: SwitchParameter
Parameter Sets: ExportAllResultsFromAuditResults, ExportAllResultsFromCsv
Aliases:
Required: False
Position: 1
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -ExportOriginalTests
Switch to export the original audit results to a CSV file.
```yaml
Type: SwitchParameter
Parameter Sets: ExportAllResultsFromAuditResults, ExportAllResultsFromCsv
Type: PSObject[]
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: False
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
@@ -144,7 +95,7 @@ The path where the CSV files will be exported.
```yaml
Type: String
Parameter Sets: ExportAllResultsFromAuditResults, ExportAllResultsFromCsv
Parameter Sets: DefaultExport, OnlyExportNestedTables
Aliases:
Required: True
@@ -159,7 +110,7 @@ Switch to export the results to an Excel file.
```yaml
Type: SwitchParameter
Parameter Sets: ExportAllResultsFromAuditResults, ExportAllResultsFromCsv
Parameter Sets: DefaultExport, OnlyExportNestedTables
Aliases:
Required: False
@@ -169,17 +120,96 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -Prefix
Add Prefix to filename after date when outputting to excel or csv.
Validate that the count of letters in the prefix is less than 5.
```yaml
Type: String
Parameter Sets: DefaultExport, OnlyExportNestedTables
Aliases:
Required: False
Position: Named
Default value: Corp
Accept pipeline input: False
Accept wildcard characters: False
```
### -OnlyExportNestedTables
───────────────────────────────────────────────────────────────────────────
2) OnlyExportNestedTables: nested tables only into ZIP
-AuditResults, -ExportPath, -OnlyExportNestedTables
───────────────────────────────────────────────────────────────────────────
```yaml
Type: SwitchParameter
Parameter Sets: OnlyExportNestedTables
Aliases:
Required: True
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -OutputTestNumber
The test number to output as an object.
Valid values are "1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4".
```yaml
Type: String
Parameter Sets: OutputObjectFromAuditResultsSingle, OutputObjectFromCsvSingle
Parameter Sets: SingleObject
Aliases:
Required: True
Position: 2
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Confirm
Prompts you for confirmation before running the cmdlet.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -ProgressAction
{{ Fill ProgressAction Description }}
```yaml
Type: ActionPreference
Parameter Sets: (All)
Aliases: proga
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
@@ -191,7 +221,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
## INPUTS
### [CISAuditResult[]] - An array of CISAuditResult objects.
### [string] - A path to a CSV file.
### [string] - A path to a CSV file.
## OUTPUTS
### [PSCustomObject] - A custom object containing the path to the zip file and its hash.

21
help/Get-AdminRoleUserLicense.md
View File

@@ -1,4 +1,4 @@
---
---
external help file: M365FoundationsCISReport-help.xml
Module Name: M365FoundationsCISReport
online version: https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Get-AdminRoleUserLicense
@@ -13,7 +13,7 @@ Retrieves user licenses and roles for administrative accounts from Microsoft 365
## SYNTAX
```
Get-AdminRoleUserLicense [-SkipGraphConnection] [<CommonParameters>]
Get-AdminRoleUserLicense [-SkipGraphConnection] [-ProgressAction <ActionPreference>] [<CommonParameters>]
```
## DESCRIPTION
@@ -54,6 +54,21 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -ProgressAction
{{ Fill ProgressAction Description }}
```yaml
Type: ActionPreference
Parameter Sets: (All)
Aliases: proga
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
@@ -63,7 +78,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
## OUTPUTS
### PSCustomObject
### Returns a custom object for each user with administrative roles that includes the following properties: RoleName, UserName, UserPrincipalName, UserId, HybridUser, and Licenses.
### Returns a custom object for each user with administrative roles that includes the following properties: RoleName, UserName, UserPrincipalName, UserId, HybridUser, and Licenses.
## NOTES
Creation Date: 2024-04-15
Purpose/Change: Initial function development to support Microsoft 365 administrative role auditing.

61
help/Get-M365SecurityAuditRecNumberList.md Normal file
View File

@@ -0,0 +1,61 @@
---
external help file: M365FoundationsCISReport-help.xml
Module Name: M365FoundationsCISReport
online version:
schema: 2.0.0
---
# Get-M365SecurityAuditRecNumberList
## SYNOPSIS
{{ Fill in the Synopsis }}
## SYNTAX
```
Get-M365SecurityAuditRecNumberList [[-Version] <String>] [<CommonParameters>]
```
## DESCRIPTION
{{ Fill in the Description }}
## EXAMPLES
### Example 1
```powershell
PS C:\> {{ Add example code here }}
```
{{ Add example description here }}
## PARAMETERS
### -Version
{{ Fill Version Description }}
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Accepted values: 3.0.0, 4.0.0
Required: False
Position: 0
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
## INPUTS
### None
## OUTPUTS
### System.Object
## NOTES
## RELATED LINKS

66
help/Get-MFAStatus.md
View File

@@ -1,4 +1,4 @@
---
---
external help file: M365FoundationsCISReport-help.xml
Module Name: M365FoundationsCISReport
online version: https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Get-MFAStatus
@@ -13,7 +13,8 @@ Retrieves the MFA (Multi-Factor Authentication) status for Azure Active Director
## SYNTAX
```
Get-MFAStatus [[-UserId] <String>] [-SkipMSOLConnectionChecks] [<CommonParameters>]
Get-MFAStatus [[-UserId] <String>] [-SkipMSOLConnectionChecks] [-ProgressAction <ActionPreference>]
[<CommonParameters>]
```
## DESCRIPTION
@@ -36,21 +37,6 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com
## PARAMETERS
### -SkipMSOLConnectionChecks
{{ Fill SkipMSOLConnectionChecks Description }}
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -UserId
The User Principal Name (UPN) of a specific user to retrieve MFA status for.
If not provided, the function retrieves MFA status for all users.
@@ -67,6 +53,36 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -SkipMSOLConnectionChecks
{{ Fill SkipMSOLConnectionChecks Description }}
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -ProgressAction
{{ Fill ProgressAction Description }}
```yaml
Type: ActionPreference
Parameter Sets: (All)
Aliases: proga
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
@@ -75,14 +91,14 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
## OUTPUTS
### System.Object
### Returns a sorted list of custom objects containing the following properties:
### - UserPrincipalName
### - DisplayName
### - MFAState
### - MFADefaultMethod
### - MFAPhoneNumber
### - PrimarySMTP
### - Aliases
### Returns a sorted list of custom objects containing the following properties:
### - UserPrincipalName
### - DisplayName
### - MFAState
### - MFADefaultMethod
### - MFAPhoneNumber
### - PrimarySMTP
### - Aliases
## NOTES
The function requires the MSOL module to be installed and connected to your tenant.
Ensure that you have the necessary permissions to read user and MFA status information.

56
help/Grant-M365SecurityAuditConsent.md
View File

@@ -1,4 +1,4 @@
---
---
external help file: M365FoundationsCISReport-help.xml
Module Name: M365FoundationsCISReport
online version: https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Grant-M365SecurityAuditConsent
@@ -14,7 +14,8 @@ Grants Microsoft Graph permissions for an auditor.
```
Grant-M365SecurityAuditConsent [-UserPrincipalNameForConsent] <String> [-SkipGraphConnection]
[-SkipModuleCheck] [-SuppressRevertOutput] [-DoNotDisconnect] [-WhatIf] [-Confirm] [<CommonParameters>]
[-SkipModuleCheck] [-SuppressRevertOutput] [-DoNotDisconnect] [-ProgressAction <ActionPreference>] [-WhatIf]
[-Confirm] [<CommonParameters>]
```
## DESCRIPTION
@@ -40,18 +41,18 @@ Grants Microsoft Graph permissions to user@example.com, skipping the connection
## PARAMETERS
### -DoNotDisconnect
If specified, does not disconnect from Microsoft Graph after granting consent.
### -UserPrincipalNameForConsent
Specify the UPN of the user to grant consent for.
```yaml
Type: SwitchParameter
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
@@ -100,18 +101,34 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -UserPrincipalNameForConsent
Specify the UPN of the user to grant consent for.
### -DoNotDisconnect
If specified, does not disconnect from Microsoft Graph after granting consent.
```yaml
Type: String
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept pipeline input: False
Accept wildcard characters: False
```
@@ -130,14 +147,13 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
### -ProgressAction
{{ Fill ProgressAction Description }}
```yaml
Type: SwitchParameter
Type: ActionPreference
Parameter Sets: (All)
Aliases: wi
Aliases: proga
Required: False
Position: Named

276
help/Invoke-M365SecurityAudit.md
View File

@@ -1,4 +1,4 @@
---
---
external help file: M365FoundationsCISReport-help.xml
Module Name: M365FoundationsCISReport
online version: https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Invoke-M365SecurityAudit
@@ -16,50 +16,57 @@ Invokes a security audit for Microsoft 365 environments.
```
Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>]
[-ApprovedCloudStorageProviders <String[]>] [-ApprovedFederatedDomains <String[]>] [-DoNotConnect]
[-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm] [<CommonParameters>]
[-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-AuthParams <CISAuthenticationParameters>]
[-Version <String>] [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm] [<CommonParameters>]
```
### ELevelFilter
```
Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] -ELevel <String>
-ProfileLevel <String> [-ApprovedCloudStorageProviders <String[]>] [-ApprovedFederatedDomains <String[]>]
[-DoNotConnect] [-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm]
[<CommonParameters>]
[-DoNotConnect] [-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections]
[-AuthParams <CISAuthenticationParameters>] [-Version <String>] [-ProgressAction <ActionPreference>] [-WhatIf]
[-Confirm] [<CommonParameters>]
```
### IG1Filter
```
Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] [-IncludeIG1]
[-ApprovedCloudStorageProviders <String[]>] [-ApprovedFederatedDomains <String[]>] [-DoNotConnect]
[-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm] [<CommonParameters>]
[-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-AuthParams <CISAuthenticationParameters>]
[-Version <String>] [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm] [<CommonParameters>]
```
### IG2Filter
```
Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] [-IncludeIG2]
[-ApprovedCloudStorageProviders <String[]>] [-ApprovedFederatedDomains <String[]>] [-DoNotConnect]
[-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm] [<CommonParameters>]
[-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-AuthParams <CISAuthenticationParameters>]
[-Version <String>] [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm] [<CommonParameters>]
```
### IG3Filter
```
Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] [-IncludeIG3]
[-ApprovedCloudStorageProviders <String[]>] [-ApprovedFederatedDomains <String[]>] [-DoNotConnect]
[-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm] [<CommonParameters>]
[-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-AuthParams <CISAuthenticationParameters>]
[-Version <String>] [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm] [<CommonParameters>]
```
### RecFilter
```
Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] -IncludeRecommendation <String[]>
[-ApprovedCloudStorageProviders <String[]>] [-ApprovedFederatedDomains <String[]>] [-DoNotConnect]
[-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm] [<CommonParameters>]
[-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-AuthParams <CISAuthenticationParameters>]
[-Version <String>] [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm] [<CommonParameters>]
```
### SkipRecFilter
```
Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] -SkipRecommendation <String[]>
[-ApprovedCloudStorageProviders <String[]>] [-ApprovedFederatedDomains <String[]>] [-DoNotConnect]
[-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm] [<CommonParameters>]
[-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-AuthParams <CISAuthenticationParameters>]
[-Version <String>] [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm] [<CommonParameters>]
```
## DESCRIPTION
@@ -165,26 +172,12 @@ What if: Performing the operation "Invoke-M365SecurityAudit" on target "Microsof
## PARAMETERS
### -ApprovedCloudStorageProviders
Specifies the approved cloud storage providers for the audit. Accepts an array of cloud storage provider names.
### -TenantAdminUrl
The URL of the tenant admin.
If not specified, none of the SharePoint Online tests will run.
```yaml
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: @()
Accept pipeline input: False
Accept wildcard characters: False
```
### -ApprovedFederatedDomains
Specifies the approved federated domains for the audit test 8.2.1. Accepts an array of allowed domain names.
```yaml
Type: String[]
Type: String
Parameter Sets: (All)
Aliases:
@@ -210,51 +203,6 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -DoNotConfirmConnections
If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -DoNotConnect
If specified, the cmdlet will not establish a connection to Microsoft 365 services.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -DoNotDisconnect
If specified, the cmdlet will not disconnect from Microsoft 365 services after execution.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -ELevel
Specifies the E-Level (E3 or E5) for the audit.
This parameter is optional and can be combined with the ProfileLevel parameter.
@@ -271,6 +219,22 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -ProfileLevel
Specifies the profile level (L1 or L2) for the audit.
This parameter is optional and can be combined with the ELevel parameter.
```yaml
Type: String
Parameter Sets: ELevelFilter
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -IncludeIG1
If specified, includes tests where IG1 is true.
@@ -332,37 +296,6 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -NoModuleCheck
If specified, the cmdlet will not check for the presence of required modules.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -ProfileLevel
Specifies the profile level (L1 or L2) for the audit.
This parameter is optional and can be combined with the ELevel parameter.
```yaml
Type: String
Parameter Sets: ELevelFilter
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -SkipRecommendation
Specifies specific recommendations to exclude from the audit.
Accepts an array of recommendation numbers.
@@ -379,15 +312,135 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -TenantAdminUrl
The URL of the tenant admin.
If not specified, none of the SharePoint Online tests will run.
### -ApprovedCloudStorageProviders
Specifies the approved cloud storage providers for the audit. Accepts an array of cloud storage provider names.
```yaml
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: @()
Accept pipeline input: False
Accept wildcard characters: False
```
### -ApprovedFederatedDomains
Specifies the approved federated domains for the audit test 8.2.1. Accepts an array of allowed domain names.
```yaml
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -DoNotConnect
If specified, the cmdlet will not establish a connection to Microsoft 365 services.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -DoNotDisconnect
If specified, the cmdlet will not disconnect from Microsoft 365 services after execution.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -NoModuleCheck
If specified, the cmdlet will not check for the presence of required modules.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -DoNotConfirmConnections
If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -AuthParams
Specifies an authentication object containing parameters for application-based authentication. If provided, this will be used for connecting to services.
```yaml
Type: CISAuthenticationParameters
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Version
Specifies the CIS benchmark definitions version to use. Default is 4.0.0. Valid values are "3.0.0" or "4.0.0".
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: 4.0.0
Accept pipeline input: False
Accept wildcard characters: False
```
### -WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
@@ -410,14 +463,13 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
### -ProgressAction
{{ Fill ProgressAction Description }}
```yaml
Type: SwitchParameter
Type: ActionPreference
Parameter Sets: (All)
Aliases: wi
Aliases: proga
Required: False
Position: Named
@@ -435,7 +487,7 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
## OUTPUTS
### CISAuditResult[]
### The cmdlet returns an array of CISAuditResult objects representing the results of the security audit.
### The cmdlet returns an array of CISAuditResult objects representing the results of the security audit.
## NOTES
- This module is based on CIS benchmarks.
- Governed by the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

22
help/M365FoundationsCISReport.md
View File

@@ -1,4 +1,4 @@
---
---
Module Name: M365FoundationsCISReport
Module Guid: 0d064bfb-d1ce-484b-a173-993b55984dc9
Download Help Link: {{Please enter Link manually}}
@@ -11,24 +11,30 @@ Locale: en-US
The `M365FoundationsCISReport` module provides a set of cmdlets to audit and report on the security compliance of Microsoft 365 environments based on CIS (Center for Internet Security) benchmarks. It enables administrators to generate detailed reports, sync data with CIS Excel sheets, and perform security audits to ensure compliance.
## M365FoundationsCISReport Cmdlets
### [Export-M365SecurityAuditTable](Export-M365SecurityAuditTable)
### [Export-M365SecurityAuditTable](Export-M365SecurityAuditTable.md)
Exports M365 security audit results to a CSV file or outputs a specific test result as an object.
### [Get-AdminRoleUserLicense](Get-AdminRoleUserLicense)
### [Get-AdminRoleUserLicense](Get-AdminRoleUserLicense.md)
Retrieves user licenses and roles for administrative accounts from Microsoft 365 via the Graph API.
### [Get-MFAStatus](Get-MFAStatus)
### [Get-M365SecurityAuditRecNumberList](Get-M365SecurityAuditRecNumberList.md)
{{ Fill in the Synopsis }}
### [Get-MFAStatus](Get-MFAStatus.md)
Retrieves the MFA (Multi-Factor Authentication) status for Azure Active Directory users.
### [Grant-M365SecurityAuditConsent](Grant-M365SecurityAuditConsent)
### [Grant-M365SecurityAuditConsent](Grant-M365SecurityAuditConsent.md)
Grants Microsoft Graph permissions for an auditor.
### [Invoke-M365SecurityAudit](Invoke-M365SecurityAudit)
### [Invoke-M365SecurityAudit](Invoke-M365SecurityAudit.md)
Invokes a security audit for Microsoft 365 environments.
### [Remove-RowsWithEmptyCSVStatus](Remove-RowsWithEmptyCSVStatus)
### [New-M365SecurityAuditAuthObject](New-M365SecurityAuditAuthObject.md)
Creates a new CISAuthenticationParameters object for Microsoft 365 authentication.
### [Remove-RowsWithEmptyCSVStatus](Remove-RowsWithEmptyCSVStatus.md)
Removes rows from an Excel worksheet where the 'CSV_Status' column is empty and saves the result to a new file.
### [Sync-CISExcelAndCsvData](Sync-CISExcelAndCsvData)
### [Sync-CISExcelAndCsvData](Sync-CISExcelAndCsvData.md)
Synchronizes and updates data in an Excel worksheet with new information from a CSV file, including audit dates.

149
help/New-M365SecurityAuditAuthObject.md Normal file
View File

@@ -0,0 +1,149 @@
---
external help file: M365FoundationsCISReport-help.xml
Module Name: M365FoundationsCISReport
online version:
schema: 2.0.0
---
# New-M365SecurityAuditAuthObject
## SYNOPSIS
Creates a new CISAuthenticationParameters object for Microsoft 365 authentication.
## SYNTAX
```
New-M365SecurityAuditAuthObject [-ClientCertThumbPrint] <String> [-ClientId] <String> [-TenantId] <String>
[-OnMicrosoftUrl] <String> [-SpAdminUrl] <String> [-ProgressAction <ActionPreference>] [<CommonParameters>]
```
## DESCRIPTION
The New-M365SecurityAuditAuthObject function constructs a new CISAuthenticationParameters object
containing the necessary credentials and URLs for authenticating to various Microsoft 365 services.
It validates input parameters to ensure they conform to expected formats and length requirements.
An app registration in Azure AD with the required permissions to EXO, SPO, MSTeams and MgGraph is needed.
## EXAMPLES
### EXAMPLE 1
```
$authParams = New-M365SecurityAuditAuthObject -ClientCertThumbPrint "ABCDEF1234567890ABCDEF1234567890ABCDEF12" `
-ClientId "12345678-1234-1234-1234-123456789012" `
-TenantId "12345678-1234-1234-1234-123456789012" `
-OnMicrosoftUrl "yourcompany.onmicrosoft.com" `
-SpAdminUrl "https://yourcompany-admin.sharepoint.com"
Creates a new CISAuthenticationParameters object with the specified credentials and URLs, validating each parameter's format and length.
```
## PARAMETERS
### -ClientCertThumbPrint
The thumbprint of the client certificate used for authentication.
It must be a 40-character hexadecimal string.
This certificate is used to authenticate the application in Azure AD.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -ClientId
The Client ID (Application ID) of the Azure AD application.
It must be a valid GUID format.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -TenantId
The Tenant ID of the Azure AD directory.
It must be a valid GUID format representing your Microsoft 365 tenant.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -OnMicrosoftUrl
The URL of your onmicrosoft.com domain.
It should be in the format 'example.onmicrosoft.com'.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 4
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -SpAdminUrl
The SharePoint admin URL, which should end with '-admin.sharepoint.com'.
This URL is used for connecting to SharePoint Online.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: 5
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -ProgressAction
{{ Fill ProgressAction Description }}
```yaml
Type: ActionPreference
Parameter Sets: (All)
Aliases: proga
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
## INPUTS
### None. You cannot pipe objects to this function.
## OUTPUTS
### CISAuthenticationParameters
### The function returns an instance of the CISAuthenticationParameters class containing the authentication details.
## NOTES
Requires PowerShell 7.0 or later.
## RELATED LINKS

20
help/Remove-RowsWithEmptyCSVStatus.md
View File

@@ -1,4 +1,4 @@
---
---
external help file: M365FoundationsCISReport-help.xml
Module Name: M365FoundationsCISReport
online version:
@@ -13,7 +13,8 @@ Removes rows from an Excel worksheet where the 'CSV_Status' column is empty and
## SYNTAX
```
Remove-RowsWithEmptyCSVStatus [-FilePath] <String> [-WorksheetName] <String> [<CommonParameters>]
Remove-RowsWithEmptyCSVStatus [-FilePath] <String> [-WorksheetName] <String>
[-ProgressAction <ActionPreference>] [<CommonParameters>]
```
## DESCRIPTION
@@ -60,6 +61,21 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -ProgressAction
{{ Fill ProgressAction Description }}
```yaml
Type: ActionPreference
Parameter Sets: (All)
Aliases: proga
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).

53
help/Sync-CISExcelAndCsvData.md
View File

@@ -1,4 +1,4 @@
---
---
external help file: M365FoundationsCISReport-help.xml
Module Name: M365FoundationsCISReport
online version: https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Sync-CISExcelAndCsvData
@@ -14,7 +14,7 @@ Synchronizes and updates data in an Excel worksheet with new information from a
```
Sync-CISExcelAndCsvData [[-ExcelPath] <String>] [[-CsvPath] <String>] [[-SheetName] <String>]
[<CommonParameters>]
[-ProgressAction <ActionPreference>] [<CommonParameters>]
```
## DESCRIPTION
@@ -32,22 +32,6 @@ Updates the 'AuditData' worksheet in 'excel.xlsx' with data from 'data.csv', add
## PARAMETERS
### -CsvPath
Specifies the path to the CSV file containing new data.
This parameter is mandatory.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -ExcelPath
Specifies the path to the Excel file to be updated.
This parameter is mandatory.
@@ -64,6 +48,22 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -CsvPath
Specifies the path to the CSV file containing new data.
This parameter is mandatory.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -SheetName
Specifies the name of the worksheet in the Excel file where data will be merged and updated.
This parameter is mandatory.
@@ -80,13 +80,28 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -ProgressAction
{{ Fill ProgressAction Description }}
```yaml
Type: ActionPreference
Parameter Sets: (All)
Aliases: proga
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
## INPUTS
### System.String
### The function accepts strings for file paths and worksheet names.
### The function accepts strings for file paths and worksheet names.
## OUTPUTS
### None

10
help/about_M365FoundationsCISReport.md
View File

@@ -21,7 +21,7 @@ $auditResults = Invoke-M365SecurityAudit -TenantAdminUrl "https://contoso-admin.
$auditResults = Invoke-M365SecurityAudit -TenantAdminUrl "https://contoso-admin.sharepoint.com" -DomainName "contoso.com" -ApprovedCloudStorageProviders "DropBox" -ApprovedFederatedDomains "northwind.com"
# Example 2: Exporting a security audit and it's nested tables to zipped CSV files
Export-M365SecurityAuditTable -AuditResults $auditResults -ExportPath "C:\temp" -ExportOriginalTests -ExportAllTests
Export-M365SecurityAuditTable -AuditResults $auditResults -ExportPath "C:\temp"
# Output Ex: 2024.07.07_14.55.55_M365FoundationsAudit_368B2E2F.zip
# Example 3: Retrieving licenses for users in administrative roles
@@ -38,6 +38,14 @@ Sync-CISExcelAndCsvData -ExcelPath "path\to\excel.xlsx" -CsvPath "path\to\data.c
# Example 7: Granting Microsoft Graph permissions to the auditor
Grant-M365SecurityAuditConsent -UserPrincipalNameForConsent 'user@example.com'
# Example 8: (PowerShell 7.x Only) Creating a new authentication object for the security audit for app-based authentication.
$authParams = New-M365SecurityAuditAuthObject -ClientCertThumbPrint "ABCDEF1234567890ABCDEF1234567890ABCDEF12" `
-ClientId "12345678-1234-1234-1234-123456789012" `
-TenantId "12345678-1234-1234-1234-123456789012" `
-OnMicrosoftUrl "yourcompany.onmicrosoft.com" `
-SpAdminUrl "https://yourcompany-admin.sharepoint.com"
Invoke-M365SecurityAudit -AuthParams $authParams -TenantAdminUrl "https://yourcompany-admin.sharepoint.com"
```
# NOTE

10
helpers/Build-Help.ps1
View File

@@ -1,14 +1,14 @@
Import-Module .\output\module\M365FoundationsCISReport\*\*.psd1
. .\source\Classes\CISAuditResult.ps1
.\helpers\psDoc-master\src\psDoc.ps1 -moduleName M365FoundationsCISReport -outputDir docs -template ".\helpers\psDoc-master\src\out-html-template.ps1"
.\helpers\psDoc-master\src\psDoc.ps1 -moduleName M365FoundationsCISReport -outputDir ".\" -template ".\helpers\psDoc-master\src\out-markdown-template.ps1" -fileName ".\README.md" -
.\helpers\psDoc-master\src\psDoc.ps1 -moduleName M365FoundationsCISReport -outputDir ".\" -template ".\helpers\psDoc-master\src\out-markdown-template.ps1" -fileName ".\README.md"
<#
$ver = "v0.1.24"
$ver = "v0.1.28"
git checkout main
git pull origin main
git tag -a $ver -m "Release version $ver refactor Update"
git tag -a $ver -m "Release version $ver bugfix Update"
git push origin $ver
"Fix: PR #37"
git push origin $ver
@@ -53,8 +53,8 @@ Register-SecretVault -Name ModuleBuildCreds -ModuleName `
"SecretManagement.JustinGrote.CredMan" -ErrorAction Stop
Set-Secret -Name "GalleryApiToken" -Vault ModuleBuildCreds
Set-Secret -Name "GitHubToken" -Vault ModuleBuildCreds
#Set-Secret -Name "GalleryApiToken" -Vault ModuleBuildCreds
#Set-Secret -Name "GitHubToken" -Vault ModuleBuildCreds
$GalleryApiToken = Get-Secret -Name "GalleryApiToken" -Vault ModuleBuildCreds -AsPlainText

1
source/Classes/CISAuditResult.ps1
View File

@@ -1,4 +1,5 @@
class CISAuditResult {
[string]$M365AuditVersion
[string]$Status
[string]$ELevel
[string]$ProfileLevel

43
source/Classes/CISAuthenticationParameters.ps1 Normal file
View File

@@ -0,0 +1,43 @@
class CISAuthenticationParameters {
[string]$ClientCertThumbPrint
[string]$ClientId
[string]$TenantId
[string]$OnMicrosoftUrl
[string]$SpAdminUrl
# Constructor with validation
CISAuthenticationParameters(
[string]$ClientCertThumbPrint,
[string]$ClientId,
[string]$TenantId,
[string]$OnMicrosoftUrl,
[string]$SpAdminUrl
) {
# Validate ClientCertThumbPrint
if (-not $ClientCertThumbPrint -or $ClientCertThumbPrint.Length -ne 40 -or $ClientCertThumbPrint -notmatch '^[0-9a-fA-F]{40}$') {
throw [ArgumentException]::new("ClientCertThumbPrint must be a 40-character hexadecimal string.")
}
# Validate ClientId
if (-not $ClientId -or $ClientId -notmatch '^[0-9a-fA-F\-]{36}$') {
throw [ArgumentException]::new("ClientId must be a valid GUID in the format 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'.")
}
# Validate TenantId
if (-not $TenantId -or $TenantId -notmatch '^[0-9a-fA-F\-]{36}$') {
throw [ArgumentException]::new("TenantId must be a valid GUID in the format 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'.")
}
# Validate OnMicrosoftUrl
if (-not $OnMicrosoftUrl -or $OnMicrosoftUrl -notmatch '^[a-zA-Z0-9]+\.onmicrosoft\.com$') {
throw [ArgumentException]::new("OnMicrosoftUrl must be in the format 'example.onmicrosoft.com'.")
}
# Validate SpAdminUrl
if (-not $SpAdminUrl -or $SpAdminUrl -notmatch '^https:\/\/[a-zA-Z0-9\-]+\-admin\.sharepoint\.com$') {
throw [ArgumentException]::new("SpAdminUrl must be in the format 'https://[name]-admin.sharepoint.com'.")
}
# Assign validated properties
$this.ClientCertThumbPrint = $ClientCertThumbPrint
$this.ClientId = $ClientId
$this.TenantId = $TenantId
$this.OnMicrosoftUrl = $OnMicrosoftUrl
$this.SpAdminUrl = $SpAdminUrl
}
}

4
source/M365FoundationsCISReport.psd1
View File

@@ -33,7 +33,7 @@ Copyright = '(c) 2024 Douglas S. Rios (DrIOSx). All rights reserved.'
Description = 'Automated assessment of 50 CIS 365 Foundations v3.0.0 benchmark.'
# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '5.0'
# PowerShellVersion = '5.1'
# Name of the Windows PowerShell host required by this module
# PowerShellHostName = ''
@@ -51,7 +51,7 @@ PowerShellVersion = '5.0'
# ProcessorArchitecture = ''
# Modules that must be imported into the global environment prior to importing this module
RequiredModules = @()
# RequiredModules = @()
# Assemblies that must be loaded prior to importing this module
# RequiredAssemblies = @()

84
source/Private/Assert-ModuleAvailability.ps1
View File

@@ -1,37 +1,69 @@
function Assert-ModuleAvailability {
[CmdletBinding()]
[OutputType([void]) ]
param(
[string]$ModuleName,
[string]$RequiredVersion,
[string[]]$SubModules = @()
)
try {
$module = Get-Module -ListAvailable -Name $ModuleName | Where-Object { $_.Version -ge [version]$RequiredVersion }
if ($null -eq $module) {
Write-Host "Installing $ModuleName module..." -ForegroundColor Yellow
Install-Module -Name $ModuleName -RequiredVersion $RequiredVersion -Force -AllowClobber -Scope CurrentUser | Out-Null
process {
# If $script:PnpAuth = $true, check for powershell version 7.x or higher or throw error
if ($script:PnpAuth -and $PSVersionTable.PSVersion.Major -lt 7) {
throw 'PnP.PowerShell module requires PowerShell 7.x or higher.'
}
elseif ($module.Version -lt [version]$RequiredVersion) {
Write-Host "Updating $ModuleName module to required version..." -ForegroundColor Yellow
Update-Module -Name $ModuleName -RequiredVersion $RequiredVersion -Force | Out-Null
}
else {
Write-Host "$ModuleName module is already at required version or newer." -ForegroundColor Gray
}
if ($SubModules.Count -gt 0) {
foreach ($subModule in $SubModules) {
Write-Host "Importing submodule $ModuleName.$subModule..." -ForegroundColor DarkGray
Import-Module -Name "$ModuleName.$subModule" -RequiredVersion $RequiredVersion -ErrorAction Stop | Out-Null
try {
switch ($ModuleName) {
'Microsoft.Graph' {
if ($SubModules.Count -eq 0) { throw 'SubModules cannot be empty for Microsoft.Graph module.' }
try {
foreach ($subModule in $SubModules) {
if (Get-Module -Name "$ModuleName.$subModule" -ListAvailable -ErrorAction SilentlyContinue) {
Write-Verbose "Submodule $ModuleName.$subModule already loaded."
}
else {
Write-Verbose "Importing submodule $ModuleName.$subModule..."
Import-Module "$ModuleName.$subModule" -MinimumVersion $RequiredVersion -ErrorAction Stop | Out-Null
}
}
# Loading assembly to avoid conflict with other modules
Get-MgGroup -Top 1 -ErrorAction SilentlyContinue | Out-Null
}
catch [System.IO.FileNotFoundException] {
# Write the error class in verbose
Write-Verbose "Error importing submodule $ModuleName.$subModule`: $($_.Exception.GetType().FullName)"
Write-Verbose "Submodule $ModuleName.$subModule not found. Installing the module..."
foreach ($subModule in $SubModules) {
Write-Verbose "Installing submodule $ModuleName.$subModule..."
Install-Module -Name "$ModuleName.$subModule" -MinimumVersion $RequiredVersion -Force -AllowClobber -Scope CurrentUser | Out-Null
Write-Verbose "Successfully installed $ModuleName.$subModule module."
}
# Loading assembly to avoid conflict with other modules
Get-MgGroup -Top 1 -ErrorAction SilentlyContinue | Out-Null
}
}
default {
if (Get-Module -Name $ModuleName -ListAvailable -ErrorAction SilentlyContinue) {
Write-Verbose "$ModuleName module already loaded."
return
}
$module = Import-Module $ModuleName -PassThru -ErrorAction SilentlyContinue | Where-Object { $_.Version -ge $RequiredVersion }
if ($null -eq $module) {
Write-Verbose "Installing $ModuleName module..."
Install-Module -Name $ModuleName -MinimumVersion $RequiredVersion -Force -AllowClobber -Scope CurrentUser | Out-Null
}
elseif ($module.Version -lt $RequiredVersion) {
Write-Verbose "Updating $ModuleName module to required version..."
Update-Module -Name $ModuleName -MinimumVersion $RequiredVersion -Force | Out-Null
}
else {
Write-Verbose "$ModuleName module is already at required version or newer."
}
}
}
} else {
Write-Host "Importing module $ModuleName..." -ForegroundColor DarkGray
Import-Module -Name $ModuleName -RequiredVersion $RequiredVersion -ErrorAction Stop -WarningAction SilentlyContinue | Out-Null
}
catch {
Write-Verbose 'Assert-ModuleAvailability Error:'
throw $_.Exception.Message
}
}
catch {
Write-Warning "An error occurred with module $ModuleName`: $_"
}
}
}

197
source/Private/Connect-M365Suite.ps1
View File

@@ -3,120 +3,143 @@ function Connect-M365Suite {
[CmdletBinding()]
param (
[Parameter(Mandatory = $false)]
[string]$TenantAdminUrl,
[Parameter(Mandatory)]
[string[]]$RequiredConnections,
[string]
$TenantAdminUrl,
[Parameter(Mandatory = $false)]
[switch]$SkipConfirmation
[CISAuthenticationParameters]
$AuthParams,
[Parameter(Mandatory)]
[string[]]
$RequiredConnections,
[Parameter(Mandatory = $false)]
[switch]
$SkipConfirmation
)
$VerbosePreference = "SilentlyContinue"
$VerbosePreference = if ($SkipConfirmation) { 'SilentlyContinue' } else { 'Continue' }
$tenantInfo = @()
$connectedServices = @()
try {
if ($RequiredConnections -contains "AzureAD" -or $RequiredConnections -contains "AzureAD | EXO" -or $RequiredConnections -contains "AzureAD | EXO | Microsoft Graph") {
Write-Host "Connecting to Azure Active Directory..." -ForegroundColor Yellow
Connect-AzureAD -WarningAction SilentlyContinue | Out-Null
$tenantDetails = Get-AzureADTenantDetail -WarningAction SilentlyContinue
$tenantInfo += [PSCustomObject]@{
Service = "Azure Active Directory"
TenantName = $tenantDetails.DisplayName
TenantID = $tenantDetails.ObjectId
}
$connectedServices += "AzureAD"
Write-Host "Successfully connected to Azure Active Directory." -ForegroundColor Green
}
if ($RequiredConnections -contains "Microsoft Graph" -or $RequiredConnections -contains "EXO | Microsoft Graph") {
Write-Host "Connecting to Microsoft Graph with scopes: Directory.Read.All, Domain.Read.All, Policy.Read.All, Organization.Read.All" -ForegroundColor Yellow
if ($RequiredConnections -contains 'Microsoft Graph' -or $RequiredConnections -contains 'EXO | Microsoft Graph') {
try {
Connect-MgGraph -Scopes "Directory.Read.All", "Domain.Read.All", "Policy.Read.All", "Organization.Read.All" -NoWelcome | Out-Null
Write-Verbose 'Connecting to Microsoft Graph...'
if ($AuthParams) {
Connect-MgGraph -CertificateThumbprint $AuthParams.ClientCertThumbPrint -AppId $AuthParams.ClientId -TenantId $AuthParams.TenantId -NoWelcome | Out-Null
}
else {
Connect-MgGraph -Scopes 'Directory.Read.All', 'Domain.Read.All', 'Policy.Read.All', 'Organization.Read.All' -NoWelcome | Out-Null
}
$graphOrgDetails = Get-MgOrganization
$tenantInfo += [PSCustomObject]@{
Service = "Microsoft Graph"
Service = 'Microsoft Graph'
TenantName = $graphOrgDetails.DisplayName
TenantID = $graphOrgDetails.Id
TenantID = $graphOrgDetails.Id
}
$connectedServices += "Microsoft Graph"
Write-Host "Successfully connected to Microsoft Graph with specified scopes." -ForegroundColor Green
$connectedServices += 'Microsoft Graph'
Write-Verbose 'Successfully connected to Microsoft Graph.'
}
catch {
Write-Host "Failed to connect to MgGraph, attempting device auth." -ForegroundColor Yellow
Connect-MgGraph -Scopes "Directory.Read.All", "Domain.Read.All", "Policy.Read.All", "Organization.Read.All" -UseDeviceCode -NoWelcome | Out-Null
$graphOrgDetails = Get-MgOrganization
$tenantInfo += [PSCustomObject]@{
Service = "Microsoft Graph"
TenantName = $graphOrgDetails.DisplayName
TenantID = $graphOrgDetails.Id
throw "Failed to connect to Microsoft Graph: $($_.Exception.Message)"
}
}
if ($RequiredConnections -contains 'EXO' -or $RequiredConnections -contains 'AzureAD | EXO' -or $RequiredConnections -contains 'Microsoft Teams | EXO' -or $RequiredConnections -contains 'EXO | Microsoft Graph') {
try {
Write-Verbose 'Connecting to Exchange Online...'
if ($AuthParams) {
Connect-ExchangeOnline -AppId $AuthParams.ClientId -CertificateThumbprint $AuthParams.ClientCertThumbPrint -Organization $AuthParams.OnMicrosoftUrl -ShowBanner:$false | Out-Null
}
$connectedServices += "Microsoft Graph"
Write-Host "Successfully connected to Microsoft Graph with specified scopes." -ForegroundColor Green
else {
Connect-ExchangeOnline -ShowBanner:$false | Out-Null
}
$exoTenant = (Get-OrganizationConfig).Identity
$tenantInfo += [PSCustomObject]@{
Service = 'Exchange Online'
TenantName = $exoTenant
TenantID = 'N/A'
}
$connectedServices += 'EXO'
Write-Verbose 'Successfully connected to Exchange Online.'
}
catch {
throw "Failed to connect to Exchange Online: $($_.Exception.Message)"
}
}
if ($RequiredConnections -contains "EXO" -or $RequiredConnections -contains "AzureAD | EXO" -or $RequiredConnections -contains "Microsoft Teams | EXO" -or $RequiredConnections -contains "EXO | Microsoft Graph") {
Write-Host "Connecting to Exchange Online..." -ForegroundColor Yellow
Connect-ExchangeOnline -ShowBanner:$false | Out-Null
$exoTenant = (Get-OrganizationConfig).Identity
$tenantInfo += [PSCustomObject]@{
Service = "Exchange Online"
TenantName = $exoTenant
TenantID = "N/A"
if ($RequiredConnections -contains 'SPO') {
try {
Write-Verbose 'Connecting to SharePoint Online...'
if ($AuthParams) {
Connect-PnPOnline -Url $AuthParams.SpAdminUrl -ClientId $AuthParams.ClientId -Tenant $AuthParams.OnMicrosoftUrl -Thumbprint $AuthParams.ClientCertThumbPrint | Out-Null
}
else {
Connect-SPOService -Url $TenantAdminUrl | Out-Null
}
$tenantName = if ($AuthParams) {
(Get-PnPSite).Url
}
else {
# Returns the first site base URL from the tenant
# Suppress output from Get-SPOSite for powerautomate to avoid errors
[void]($sites = Get-SPOSite -Limit All)
# Get the URL from the first site collection
$url = $sites[0].Url
# Use regex to extract the base URL up to the .com portion
$baseUrl = [regex]::Match($url, 'https://[^/]+.com').Value
# Output the base URL
$baseUrl
}
$tenantInfo += [PSCustomObject]@{
Service = 'SharePoint Online'
TenantName = $tenantName
}
$connectedServices += 'SPO'
Write-Verbose 'Successfully connected to SharePoint Online.'
}
$connectedServices += "EXO"
Write-Host "Successfully connected to Exchange Online." -ForegroundColor Green
}
if ($RequiredConnections -contains "SPO") {
Write-Host "Connecting to SharePoint Online..." -ForegroundColor Yellow
Connect-SPOService -Url $TenantAdminUrl | Out-Null
$spoContext = Get-SPOCrossTenantHostUrl
$tenantName = Get-UrlLine -Output $spoContext
$tenantInfo += [PSCustomObject]@{
Service = "SharePoint Online"
TenantName = $tenantName
catch {
throw "Failed to connect to SharePoint Online: $($_.Exception.Message)"
}
$connectedServices += "SPO"
Write-Host "Successfully connected to SharePoint Online." -ForegroundColor Green
}
if ($RequiredConnections -contains "Microsoft Teams" -or $RequiredConnections -contains "Microsoft Teams | EXO") {
Write-Host "Connecting to Microsoft Teams..." -ForegroundColor Yellow
Connect-MicrosoftTeams | Out-Null
$teamsTenantDetails = Get-CsTenant
$tenantInfo += [PSCustomObject]@{
Service = "Microsoft Teams"
TenantName = $teamsTenantDetails.DisplayName
TenantID = $teamsTenantDetails.TenantId
if ($RequiredConnections -contains 'Microsoft Teams' -or $RequiredConnections -contains 'Microsoft Teams | EXO') {
try {
Write-Verbose 'Connecting to Microsoft Teams...'
if ($AuthParams) {
Connect-MicrosoftTeams -TenantId $AuthParams.TenantId -CertificateThumbprint $AuthParams.ClientCertThumbPrint -ApplicationId $AuthParams.ClientId | Out-Null
}
else {
Connect-MicrosoftTeams | Out-Null
}
$teamsTenantDetails = Get-CsTenant
$tenantInfo += [PSCustomObject]@{
Service = 'Microsoft Teams'
TenantName = $teamsTenantDetails.DisplayName
TenantID = $teamsTenantDetails.TenantId
}
$connectedServices += 'Microsoft Teams'
Write-Verbose 'Successfully connected to Microsoft Teams.'
}
catch {
throw "Failed to connect to Microsoft Teams: $($_.Exception.Message)"
}
$connectedServices += "Microsoft Teams"
Write-Host "Successfully connected to Microsoft Teams." -ForegroundColor Green
}
# Display tenant information and confirm with the user
if (-not $SkipConfirmation) {
Write-Host "Connected to the following tenants:" -ForegroundColor Yellow
Write-Verbose 'Connected to the following tenants:'
foreach ($tenant in $tenantInfo) {
Write-Host "Service: $($tenant.Service)" -ForegroundColor Cyan
Write-Host "Tenant Context: $($tenant.TenantName)`n" -ForegroundColor Green
#Write-Host "Tenant ID: $($tenant.TenantID)"
Write-Verbose "Service: $($tenant.Service) | Tenant: $($tenant.TenantName)"
}
if ($script:PnpAuth) {
Write-Warning "`n!!!!!!!!!!!!Important!!!!!!!!!!!!!!`nIf you use the auth object, you may need to kill the current session before subsequent runs`nas the PNP.Powershell module has conflicts with MgGraph authentication modules!`n!!!!!!!!!!!!Important!!!!!!!!!!!!!!"
}
$confirmation = Read-Host "Do you want to proceed with these connections? (Y/N)"
if ($confirmation -notlike 'Y') {
Write-Host "Connection setup aborted by user." -ForegroundColor Red
if ($confirmation -notLike 'Y') {
Write-Verbose "Connection setup aborted by user."
Disconnect-M365Suite -RequiredConnections $connectedServices
throw "User aborted connection setup."
throw 'User aborted connection setup.'
}
}
}
catch {
$VerbosePreference = "Continue"
Write-Host "There was an error establishing one or more connections: $_" -ForegroundColor Red
throw $_
$VerbosePreference = 'Continue'
throw "Connection failed: $($_.Exception.Message)"
}
$VerbosePreference = "Continue"
}
finally {
$VerbosePreference = 'Continue'
}
}

21
source/Private/Disconnect-M365Suite.ps1
View File

@@ -8,7 +8,7 @@ function Disconnect-M365Suite {
# Clean up sessions
try {
if ($RequiredConnections -contains "EXO" -or $RequiredConnections -contains "AzureAD | EXO" -or $RequiredConnections -contains "Microsoft Teams | EXO") {
Write-Host "Disconnecting from Exchange Online..." -ForegroundColor Green
Write-Verbose "Disconnecting from Exchange Online..."
Disconnect-ExchangeOnline -Confirm:$false | Out-Null
}
}
@@ -18,7 +18,7 @@ function Disconnect-M365Suite {
try {
if ($RequiredConnections -contains "AzureAD" -or $RequiredConnections -contains "AzureAD | EXO") {
Write-Host "Disconnecting from Azure AD..." -ForegroundColor Green
Write-Verbose "Disconnecting from Azure AD..."
Disconnect-AzureAD | Out-Null
}
}
@@ -28,7 +28,7 @@ function Disconnect-M365Suite {
try {
if ($RequiredConnections -contains "Microsoft Graph") {
Write-Host "Disconnecting from Microsoft Graph..." -ForegroundColor Green
Write-Verbose "Disconnecting from Microsoft Graph..."
Disconnect-MgGraph | Out-Null
}
}
@@ -38,8 +38,14 @@ function Disconnect-M365Suite {
try {
if ($RequiredConnections -contains "SPO") {
Write-Host "Disconnecting from SharePoint Online..." -ForegroundColor Green
Disconnect-SPOService | Out-Null
if (($script:PnpAuth)) {
Write-Verbose "Disconnecting from PnPOnline..."
Disconnect-PnPOnline | Out-Null
}
else {
Write-Verbose "Disconnecting from SharePoint Online..."
Disconnect-SPOService | Out-Null
}
}
}
catch {
@@ -48,13 +54,12 @@ function Disconnect-M365Suite {
try {
if ($RequiredConnections -contains "Microsoft Teams" -or $RequiredConnections -contains "Microsoft Teams | EXO") {
Write-Host "Disconnecting from Microsoft Teams..." -ForegroundColor Green
Write-Verbose "Disconnecting from Microsoft Teams..."
Disconnect-MicrosoftTeams | Out-Null
}
}
catch {
Write-Warning "Failed to disconnect from Microsoft Teams: $_"
}
Write-Host "All necessary sessions have been disconnected." -ForegroundColor Green
Write-Verbose "All necessary sessions have been disconnected."
}

12
source/Private/Get-AdminRoleUserAndAssignment.ps1
View File

@@ -1,27 +1,20 @@
function Get-AdminRoleUserAndAssignment {
[CmdletBinding()]
param ()
$result = @{}
# Get the DisplayNames of all admin roles
$adminRoleNames = (Get-MgDirectoryRole | Where-Object { $null -ne $_.RoleTemplateId }).DisplayName
# Get Admin Roles
$adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { ($adminRoleNames -contains $_.DisplayName) -and ($_.DisplayName -ne "Directory Synchronization Accounts") }
$adminRoles = Get-MgRoleManagementDirectoryRoleDefinition | Where-Object { ($adminRoleNames -contains $_.DisplayName) -and ($_.DisplayName -ne 'Directory Synchronization Accounts') }
foreach ($role in $adminRoles) {
Write-Verbose "Processing role: $($role.DisplayName)"
$roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'"
foreach ($assignment in $roleAssignments) {
Write-Verbose "Processing role assignment for principal ID: $($assignment.PrincipalId)"
$userDetails = Get-MgUser -UserId $assignment.PrincipalId -Property "DisplayName, UserPrincipalName, Id, OnPremisesSyncEnabled" -ErrorAction SilentlyContinue
$userDetails = Get-MgUser -UserId $assignment.PrincipalId -Property 'DisplayName, UserPrincipalName, Id, OnPremisesSyncEnabled' -ErrorAction SilentlyContinue
if ($userDetails) {
Write-Verbose "Retrieved user details for: $($userDetails.UserPrincipalName)"
$licenses = Get-MgUserLicenseDetail -UserId $assignment.PrincipalId -ErrorAction SilentlyContinue
if (-not $result[$role.DisplayName]) {
$result[$role.DisplayName] = @()
}
@@ -33,6 +26,5 @@ function Get-AdminRoleUserAndAssignment {
}
}
}
return $result
}

878
source/Private/Get-CISExoOutput.ps1
View File

@@ -46,437 +46,495 @@ function Get-CISExoOutput {
#>
}
process {
Write-Verbose "Get-CISExoOutput: Retuning data for Rec: $Rec"
switch ($Rec) {
'1.2.2' {
# Test-BlockSharedMailboxSignIn.ps1
$MBX = Get-EXOMailbox -RecipientTypeDetails SharedMailbox
# [object[]]
# $MBX mock object:
<#
$MBX = @(
[PSCustomObject]@{
UserPrincipalName = "SMBuser1@domain.com"
ExternalDirectoryObjectId = "123e4567-e89b-12d3-a456-426614174000"
},
[PSCustomObject]@{
UserPrincipalName = "SMBuser2@domain.com"
ExternalDirectoryObjectId = "987e6543-21ba-12d3-a456-426614174000"
},
[PSCustomObject]@{
UserPrincipalName = "SMBuser3@domain.com"
ExternalDirectoryObjectId = "abcddcba-98fe-76dc-a456-426614174000"
}
)
#>
return $MBX.ExternalDirectoryObjectId
}
'1.3.3' {
# Test-ExternalSharingCalendars.ps1
# Step: Retrieve sharing policies related to calendar sharing
# $sharingPolicies Mock Object
<#
$sharingPolicies = [PSCustomObject]@{
Name = "Default Sharing Policy"
Domains = @("Anonymous:CalendarSharingFreeBusySimple")
Enabled = $true
Default = $true
}
#>
$sharingPolicies = Get-SharingPolicy | Where-Object { $_.Domains -like '*CalendarSharing*' }
# [psobject[]]
return $sharingPolicies
}
'1.3.6' {
# Test-CustomerLockbox.ps1
# Step: Retrieve the organization configuration (Condition C: Pass/Fail)
# $orgConfig Mock Object:
<#
# return $orgConfig
$orgConfig = [PSCustomObject]@{
CustomerLockBoxEnabled = $true
}
#>
$orgConfig = Get-OrganizationConfig | Select-Object CustomerLockBoxEnabled
$customerLockboxEnabled = $orgConfig.CustomerLockBoxEnabled
# [bool]
return $customerLockboxEnabled
}
'2.1.1' {
# Test-SafeLinksOfficeApps.ps1
if (Get-Command Get-SafeLinksPolicy -ErrorAction SilentlyContinue) {
# 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
# Retrieve all Safe Links policies
# $policies Mock Object:
try {
Write-Verbose "Get-CISExoOutput: Retuning data for Rec: $Rec"
switch ($Rec) {
'1.2.2' {
# Test-BlockSharedMailboxSignIn.ps1
$MBX = Get-EXOMailbox -RecipientTypeDetails SharedMailbox
# [object[]]
# $MBX mock object:
<#
$policies = @(
$MBX = @(
[PSCustomObject]@{
Name = "PolicyOne"
EnableSafeLinksForEmail = $true
EnableSafeLinksForTeams = $true
EnableSafeLinksForOffice = $true
TrackClicks = $true
AllowClickThrough = $false
UserPrincipalName = "SMBuser1@domain.com"
ExternalDirectoryObjectId = "123e4567-e89b-12d3-a456-426614174000"
},
[PSCustomObject]@{
Name = "PolicyTwo"
EnableSafeLinksForEmail = $true
EnableSafeLinksForTeams = $true
EnableSafeLinksForOffice = $true
TrackClicks = $true
AllowClickThrough = $true
UserPrincipalName = "SMBuser2@domain.com"
ExternalDirectoryObjectId = "987e6543-21ba-12d3-a456-426614174000"
},
[PSCustomObject]@{
Name = "PolicyThree"
EnableSafeLinksForEmail = $true
EnableSafeLinksForTeams = $true
EnableSafeLinksForOffice = $true
TrackClicks = $true
AllowClickThrough = $false
UserPrincipalName = "SMBuser3@domain.com"
ExternalDirectoryObjectId = "abcddcba-98fe-76dc-a456-426614174000"
}
)
#>
$policies = Get-SafeLinksPolicy
# Initialize the details collection
$misconfiguredDetails = @()
foreach ($policy in $policies) {
# Get the detailed configuration of each policy
$policyDetails = $policy #Get-SafeLinksPolicy -Identity $policy.Name
# Check each required property and record failures
# Condition A: Checking policy settings
$failures = @()
if ($policyDetails.EnableSafeLinksForEmail -ne $true) { $failures += "EnableSafeLinksForEmail: False" } # Email: On
if ($policyDetails.EnableSafeLinksForTeams -ne $true) { $failures += "EnableSafeLinksForTeams: False" } # Teams: On
if ($policyDetails.EnableSafeLinksForOffice -ne $true) { $failures += "EnableSafeLinksForOffice: False" } # Office 365 Apps: On
if ($policyDetails.TrackClicks -ne $true) { $failures += "TrackClicks: False" } # Click protection settings: On
if ($policyDetails.AllowClickThrough -ne $false) { $failures += "AllowClickThrough: True" } # Do not track when users click safe links: Off
# Only add details for policies that have misconfigurations
if ($failures.Count -gt 0) {
$misconfiguredDetails += "Policy: $($policy.Name); Failures: $($failures -join ', ')"
}
}
# [object[]]
return $misconfiguredDetails
return $MBX.ExternalDirectoryObjectId
}
else {
return 1
}
}
'2.1.2' {
# Test-CommonAttachmentFilter.ps1
# 2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled
# Condition A: The Common Attachment Types Filter is enabled in the Microsoft 365 Security & Compliance Center.
# Condition B: Using Exchange Online PowerShell, verify that the `EnableFileFilter` property of the default malware filter policy is set to `True`.
# Retrieve the attachment filter policy
# $attachmentFilter Mock Object
<#
$attachmentFilter = [PSCustomObject]@{
EnableFileFilter = $true
}
#>
$attachmentFilter = Get-MalwareFilterPolicy -Identity Default | Select-Object EnableFileFilter
$result = $attachmentFilter.EnableFileFilter
# [bool]
return $result
}
'2.1.3' {
# Test-NotifyMalwareInternal.ps1
# 2.1.3 Ensure notifications for internal users sending malware is Enabled
# Retrieve all 'Custom' malware filter policies and check notification settings
# $malwareNotifications Mock Object
<#
$malwareNotifications = @(
[PSCustomObject]@{
Identity = "Default"
EnableInternalSenderAdminNotifications = $true
RecommendedPolicyType = "Custom"
},
[PSCustomObject]@{
Identity = "Anti-malware-Policy"
EnableInternalSenderAdminNotifications = $true
RecommendedPolicyType = "Custom"
}
)
#>
$malwareNotifications = Get-MalwareFilterPolicy | Where-Object { $_.RecommendedPolicyType -eq 'Custom' }
# [object[]]
return $malwareNotifications
}
'2.1.4' {
# Test-SafeAttachmentsPolicy.ps1
if (Get-Command Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue) {
# Retrieve all Safe Attachment policies where Enable is set to True
# Check if ErrorAction needed below
# $safeAttachmentPolicies Mock Object:
'1.3.3' {
# Test-ExternalSharingCalendars.ps1
# Step: Retrieve sharing policies related to calendar sharing
# $sharingPolicies Mock Object
<#
$safeAttachmentPolicies = @(
[PSCustomObject]@{
Policy = "Strict Preset Security Policy"
Action = "Block"
QuarantineTag = "AdminOnlyAccessPolicy"
Redirect = $false
Enabled = $true
}
)
$sharingPolicies = [PSCustomObject]@{
Name = "Default Sharing Policy"
Domains = @("Anonymous:CalendarSharingFreeBusySimple")
Enabled = $true
Default = $true
}
#>
$safeAttachmentPolicies = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue | Where-Object { $_.Enable -eq $true }
$safeAttachmentRules = Get-SafeAttachmentRule
# [object[]]
return $safeAttachmentPolicies, $safeAttachmentRules
else {
return 1,1
}
}
}
'2.1.5' {
# Test-SafeAttachmentsTeams.ps1
if (Get-Command Get-AtpPolicyForO365 -ErrorAction SilentlyContinue) {
# 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
# Retrieve the ATP policies for Office 365 and check Safe Attachments settings
$atpPolicies = Get-AtpPolicyForO365
# Check if the required ATP policies are enabled
# $atpPolicyResult Mock Object:
<#
$atpPolicyResult = @(
[PSCustomObject]@{
Name = "Default"
EnableATPForSPOTeamsODB = $true
EnableSafeDocs = $true
AllowSafeDocsOpen = $false
}
)
#>
$atpPolicyResult = $atpPolicies | Where-Object {
$_.EnableATPForSPOTeamsODB -eq $true -and
$_.EnableSafeDocs -eq $true -and
$_.AllowSafeDocsOpen -eq $false
}
$sharingPolicies = Get-SharingPolicy | Where-Object { $_.Domains -like '*CalendarSharing*' }
# [psobject[]]
return $atpPolicyResult
return $sharingPolicies
}
else {
return 1
}
}
'2.1.6' {
# Test-SpamPolicyAdminNotify.ps1
# Retrieve the hosted outbound spam filter policies
# $spamPolicies Mock Object:
<#
# Mock data representing multiple spam filter policies
$spamPolicies = @(
[PSCustomObject]@{
Name = "Default"
IsDefault = $true
NotifyOutboundSpam = $true
BccSuspiciousOutboundMail = $true
NotifyOutboundSpamRecipients = "admin@example.com"
BccSuspiciousOutboundAdditionalRecipients = "bccadmin@example.com"
},
[PSCustomObject]@{
Name = "Custom Policy 1"
IsDefault = $false
NotifyOutboundSpam = $false
BccSuspiciousOutboundMail = $true
NotifyOutboundSpamRecipients = ""
BccSuspiciousOutboundAdditionalRecipients = ""
},
[PSCustomObject]@{
Name = "Custom Policy 2"
IsDefault = $false
NotifyOutboundSpam = $true
BccSuspiciousOutboundMail = $false
NotifyOutboundSpamRecipients = "notify@example.com"
BccSuspiciousOutboundAdditionalRecipients = "bccnotify@example.com"
'1.3.6' {
# Test-CustomerLockbox.ps1
# Step: Retrieve the organization configuration (Condition C: Pass/Fail)
# $orgConfig Mock Object:
<#
# return $orgConfig
$orgConfig = [PSCustomObject]@{
CustomerLockBoxEnabled = $true
}
)
#>
$spamPolicies = Get-HostedOutboundSpamFilterPolicy
return $spamPolicies
}
'2.1.7' {
# Test-AntiPhishingPolicy.ps1
<#
$antiPhishPolicies = @(
[PSCustomObject]@{
Identity = "Strict Preset Security Policy"
Enabled = $true
PhishThresholdLevel = 4
EnableMailboxIntelligenceProtection = $true
EnableMailboxIntelligence = $true
EnableSpoofIntelligence = $true
TargetedUsersToProtect = "John Doe;jdoe@contoso.net, Jane Does;janedoe@contoso.net"
},
[PSCustomObject]@{
Identity = "Office365 AntiPhish Default"
Enabled = $true
PhishThresholdLevel = 2
EnableMailboxIntelligenceProtection = $true
EnableMailboxIntelligence = $true
EnableSpoofIntelligence = $true
TargetedUsersToProtect = $null # Assuming it targets all users as it's the default
},
[PSCustomObject]@{
Identity = "Admin"
Enabled = $true
PhishThresholdLevel = 2
EnableMailboxIntelligenceProtection = $true
EnableMailboxIntelligence = $true
EnableSpoofIntelligence = $true
TargetedUsersToProtect = $null # Assuming it targets all users
},
[PSCustomObject]@{
Identity = "Standard Preset Security Policy"
Enabled = $true
PhishThresholdLevel = 3
EnableMailboxIntelligenceProtection = $true
EnableMailboxIntelligence = $true
EnableSpoofIntelligence = $true
TargetedUsersToProtect = $null # Assuming it targets all users
}
)
#>
$antiPhishPolicies = Get-AntiPhishPolicy
return $antiPhishPolicies
}
'2.1.9' {
# Test-EnableDKIM.ps1
# 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains
# Retrieve DKIM configuration for all domains
$dkimConfig = Get-DkimSigningConfig | Select-Object Domain, Enabled
# [object[]]
return $dkimConfig
}
'3.1.1' {
# Test-AuditLogSearch.ps1
# 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
# Retrieve the audit log configuration
$auditLogConfig = Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
#
$auditLogResult = $auditLogConfig.UnifiedAuditLogIngestionEnabled
# [bool]
return $auditLogResult
}
'6.1.1' {
# Test-AuditDisabledFalse.ps1
# 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
# Retrieve the AuditDisabled configuration (Condition B)
$auditDisabledConfig = Get-OrganizationConfig | Select-Object AuditDisabled
# [bool]
$auditNotDisabled = -not $auditDisabledConfig.AuditDisabled
return $auditNotDisabled
}
'6.1.2' {
# Test-MailboxAuditingE3.ps1
$mailboxes = Get-EXOMailbox -PropertySets Audit
# [object[]]
return $mailboxes
}
'6.1.3' {
# Test-MailboxAuditingE5.ps1
$mailboxes = Get-EXOMailbox -PropertySets Audit
# [object[]]
return $mailboxes
}
'6.2.1' {
# Test-BlockMailForwarding.ps1
# 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
# Step 1: Retrieve the transport rules that redirect messages
$transportRules = Get-TransportRule | Where-Object { $null -ne $_.RedirectMessageTo }
if ($null -eq $transportRules) {
$transportRules = 1
#>
$orgConfig = Get-OrganizationConfig | Select-Object CustomerLockBoxEnabled
$customerLockboxEnabled = $orgConfig.CustomerLockBoxEnabled
# [bool]
return $customerLockboxEnabled
}
# Step 2: Check all anti-spam outbound policies
$outboundSpamPolicies = Get-HostedOutboundSpamFilterPolicy
$nonCompliantSpamPolicies = $outboundSpamPolicies | Where-Object { $_.AutoForwardingMode -ne 'Off' }
return $transportRules, $nonCompliantSpamPolicies
}
'6.2.2' {
# Test-NoWhitelistDomains.ps1
# 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains
# Retrieve transport rules that whitelist specific domains
# Condition A: Checking for transport rules that whitelist specific domains
# [object[]]
$whitelistedRules = Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs }
return $whitelistedRules
}
'6.2.3' {
# Test-IdentifyExternalEmail.ps1
# 6.2.3 (L1) Ensure email from external senders is identified
# Retrieve external sender tagging configuration
# [object[]]
$externalInOutlook = Get-ExternalInOutlook
return $externalInOutlook
}
'6.3.1' {
# Test-RestrictOutlookAddins.ps1
# 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed
$customPolicyFailures = @()
# Check all mailboxes for custom policies with unallowed add-ins
$roleAssignmentPolicies = Get-EXOMailbox | Select-Object -Unique RoleAssignmentPolicy
if ($roleAssignmentPolicies.RoleAssignmentPolicy) {
foreach ($policy in $roleAssignmentPolicies) {
if ($policy.RoleAssignmentPolicy) {
$rolePolicyDetails = Get-RoleAssignmentPolicy -Identity $policy.RoleAssignmentPolicy
$foundRoles = $rolePolicyDetails.AssignedRoles | Where-Object { $_ -in $relevantRoles }
# Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are not assigned to users.
if ($foundRoles) {
$customPolicyFailures += "Policy: $($policy.RoleAssignmentPolicy): Roles: $($foundRoles -join ', ')"
'2.1.1' {
# Test-SafeLinksOfficeApps.ps1
if (Get-Command Get-SafeLinksPolicy -ErrorAction SilentlyContinue) {
# 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
# Retrieve all Safe Links policies
# $policies Mock Object:
<#
$policies = @(
[PSCustomObject]@{
Name = "PolicyOne"
EnableSafeLinksForEmail = $true
EnableSafeLinksForTeams = $true
EnableSafeLinksForOffice = $true
TrackClicks = $true
AllowClickThrough = $false
},
[PSCustomObject]@{
Name = "PolicyTwo"
EnableSafeLinksForEmail = $true
EnableSafeLinksForTeams = $true
EnableSafeLinksForOffice = $true
TrackClicks = $true
AllowClickThrough = $true
},
[PSCustomObject]@{
Name = "PolicyThree"
EnableSafeLinksForEmail = $true
EnableSafeLinksForTeams = $true
EnableSafeLinksForOffice = $true
TrackClicks = $true
AllowClickThrough = $false
}
)
#>
$policies = Get-SafeLinksPolicy
# Initialize the details collection
$misconfiguredDetails = @()
foreach ($policy in $policies) {
# Get the detailed configuration of each policy
$policyDetails = $policy #Get-SafeLinksPolicy -Identity $policy.Name
# Check each required property and record failures
# Condition A: Checking policy settings
$failures = @()
if ($policyDetails.EnableSafeLinksForEmail -ne $true) { $failures += 'EnableSafeLinksForEmail: False' } # Email: On
if ($policyDetails.EnableSafeLinksForTeams -ne $true) { $failures += 'EnableSafeLinksForTeams: False' } # Teams: On
if ($policyDetails.EnableSafeLinksForOffice -ne $true) { $failures += 'EnableSafeLinksForOffice: False' } # Office 365 Apps: On
if ($policyDetails.TrackClicks -ne $true) { $failures += 'TrackClicks: False' } # Click protection settings: On
if ($policyDetails.AllowClickThrough -ne $false) { $failures += 'AllowClickThrough: True' } # Do not track when users click safe links: Off
# Only add details for policies that have misconfigurations
if ($failures.Count -gt 0) {
$misconfiguredDetails += "Policy: $($policy.Name); Failures: $($failures -join ', ')"
}
}
# [object[]]
return $misconfiguredDetails
}
else {
return 1
}
}
'2.1.2' {
# Test-CommonAttachmentFilter.ps1
# 2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled
# Condition A: The Common Attachment Types Filter is enabled in the Microsoft 365 Security & Compliance Center.
# Condition B: Using Exchange Online PowerShell, verify that the `EnableFileFilter` property of the default malware filter policy is set to `True`.
# Retrieve the attachment filter policy
# $attachmentFilter Mock Object
<#
$attachmentFilter = [PSCustomObject]@{
EnableFileFilter = $true
}
#>
$attachmentFilter = Get-MalwareFilterPolicy -Identity Default | Select-Object EnableFileFilter
$result = $attachmentFilter.EnableFileFilter
# [bool]
return $result
}
'2.1.3' {
# Test-NotifyMalwareInternal.ps1
# 2.1.3 Ensure notifications for internal users sending malware is Enabled
# Retrieve all 'Custom' malware filter policies and check notification settings
# $malwareNotifications Mock Object
<#
$malwareNotifications = @(
[PSCustomObject]@{
Identity = "Default"
EnableInternalSenderAdminNotifications = $true
RecommendedPolicyType = "Custom"
},
[PSCustomObject]@{
Identity = "Anti-malware-Policy"
EnableInternalSenderAdminNotifications = $true
RecommendedPolicyType = "Custom"
}
)
#>
$malwareNotifications = Get-MalwareFilterPolicy | Where-Object { $_.RecommendedPolicyType -eq 'Custom' }
# [object[]]
return $malwareNotifications
}
'2.1.4' {
# Test-SafeAttachmentsPolicy.ps1
if (Get-Command Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue) {
# Retrieve all Safe Attachment policies where Enable is set to True
# Check if ErrorAction needed below
# $safeAttachmentPolicies Mock Object:
<#
$safeAttachmentPolicies = @(
[PSCustomObject]@{
Policy = "Strict Preset Security Policy"
Action = "Block"
QuarantineTag = "AdminOnlyAccessPolicy"
Redirect = $false
Enabled = $true
}
)
#>
$safeAttachmentPolicies = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue | Where-Object { $_.Enable -eq $true }
$safeAttachmentRules = Get-SafeAttachmentRule
# [object[]]
return $safeAttachmentPolicies, $safeAttachmentRules
else {
return 1, 1
}
}
}
'2.1.5' {
# Test-SafeAttachmentsTeams.ps1
if (Get-Command Get-AtpPolicyForO365 -ErrorAction SilentlyContinue) {
# 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
# Retrieve the ATP policies for Office 365 and check Safe Attachments settings
$atpPolicies = Get-AtpPolicyForO365
# Check if the required ATP policies are enabled
# $atpPolicyResult Mock Object:
<#
$atpPolicyResult = @(
[PSCustomObject]@{
Name = "Default"
EnableATPForSPOTeamsODB = $true
EnableSafeDocs = $true
AllowSafeDocsOpen = $false
}
)
#>
$atpPolicyResult = $atpPolicies | Where-Object {
$_.EnableATPForSPOTeamsODB -eq $true -and
$_.EnableSafeDocs -eq $true -and
$_.AllowSafeDocsOpen -eq $false
}
# [psobject[]]
return $atpPolicyResult
}
else {
return 1
}
}
'2.1.6' {
# Test-SpamPolicyAdminNotify.ps1
# Retrieve the hosted outbound spam filter policies
<#
# Mock data representing multiple spam filter policies
$spamPolicies = @(
[PSCustomObject]@{
Name = "Default"
IsDefault = $true
NotifyOutboundSpam = $true
BccSuspiciousOutboundMail = $true
NotifyOutboundSpamRecipients = "admin@example.com"
BccSuspiciousOutboundAdditionalRecipients = "bccadmin@example.com"
},
[PSCustomObject]@{
Name = "Custom Policy 1"
IsDefault = $false
NotifyOutboundSpam = $false
BccSuspiciousOutboundMail = $true
NotifyOutboundSpamRecipients = ""
BccSuspiciousOutboundAdditionalRecipients = ""
},
[PSCustomObject]@{
Name = "Custom Policy 2"
IsDefault = $false
NotifyOutboundSpam = $true
BccSuspiciousOutboundMail = $false
NotifyOutboundSpamRecipients = "notify@example.com"
BccSuspiciousOutboundAdditionalRecipients = "bccnotify@example.com"
}
)
#>
$spamPolicies = Get-HostedOutboundSpamFilterPolicy
return $spamPolicies
}
'2.1.7' {
# v4 needs same info.
# Test-AntiPhishingPolicy.ps1
<#
$antiPhishPolicies = @(
[PSCustomObject]@{
Identity = "Strict Preset Security Policy"
Enabled = $true
PhishThresholdLevel = 4
EnableMailboxIntelligenceProtection = $true
EnableMailboxIntelligence = $true
EnableSpoofIntelligence = $true
TargetedUsersToProtect = "John Doe;jdoe@contoso.net, Jane Does;janedoe@contoso.net"
},
[PSCustomObject]@{
Identity = "Office365 AntiPhish Default"
Enabled = $true
PhishThresholdLevel = 2
EnableMailboxIntelligenceProtection = $true
EnableMailboxIntelligence = $true
EnableSpoofIntelligence = $true
TargetedUsersToProtect = $null # Assuming it targets all users as it's the default
},
[PSCustomObject]@{
Identity = "Admin"
Enabled = $true
PhishThresholdLevel = 2
EnableMailboxIntelligenceProtection = $true
EnableMailboxIntelligence = $true
EnableSpoofIntelligence = $true
TargetedUsersToProtect = $null # Assuming it targets all users
},
[PSCustomObject]@{
Identity = "Standard Preset Security Policy"
Enabled = $true
PhishThresholdLevel = 3
EnableMailboxIntelligenceProtection = $true
EnableMailboxIntelligence = $true
EnableSpoofIntelligence = $true
TargetedUsersToProtect = $null # Assuming it targets all users
}
)
#>
$antiPhishPolicies = Get-AntiPhishPolicy
if ($script:Version400) {
Write-Verbose 'Retrieving associated AntiPhishRules...'
$antiPhishRules = Get-AntiPhishRule
return $antiPhishPolicies, $antiPhishRules
}
else {
return $antiPhishPolicies
}
}
'2.1.9' {
# Test-EnableDKIM.ps1
# 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains
# Retrieve DKIM configuration for all domains
$dkimConfig = Get-DkimSigningConfig | Select-Object Domain, Enabled
# [object[]]
return $dkimConfig
}
'2.1.11' {
# Test-CommonAttachmentFilter.ps1 for Comprehensive Attachment Filtering
Write-Verbose 'Retrieving Malware Filter Policies, Rules, and Extensions for 2.1.11...'
# Retrieve all malware filter policies
$malwarePolicies = Get-MalwareFilterPolicy
# Retrieve all malware filter rules
$malwareRules = Get-MalwareFilterRule
# Predefined list of L2 extensions from the benchmark
$L2Extensions = @(
'7z', 'a3x', 'ace', 'ade', 'adp', 'ani', 'app', 'appinstaller',
'applescript', 'application', 'appref-ms', 'appx', 'appxbundle', 'arj',
'asd', 'asx', 'bas', 'bat', 'bgi', 'bz2', 'cab', 'chm', 'cmd', 'com',
'cpl', 'crt', 'cs', 'csh', 'daa', 'dbf', 'dcr', 'deb',
'desktopthemepackfile', 'dex', 'diagcab', 'dif', 'dir', 'dll', 'dmg',
'doc', 'docm', 'dot', 'dotm', 'elf', 'eml', 'exe', 'fxp', 'gadget', 'gz',
'hlp', 'hta', 'htc', 'htm', 'htm', 'html', 'html', 'hwpx', 'ics', 'img',
'inf', 'ins', 'iqy', 'iso', 'isp', 'jar', 'jnlp', 'js', 'jse', 'kext',
'ksh', 'lha', 'lib', 'library-ms', 'lnk', 'lzh', 'macho', 'mam', 'mda',
'mdb', 'mde', 'mdt', 'mdw', 'mdz', 'mht', 'mhtml', 'mof', 'msc', 'msi',
'msix', 'msp', 'msrcincident', 'mst', 'ocx', 'odt', 'ops', 'oxps', 'pcd',
'pif', 'plg', 'pot', 'potm', 'ppa', 'ppam', 'ppkg', 'pps', 'ppsm', 'ppt',
'pptm', 'prf', 'prg', 'ps1', 'ps11', 'ps11xml', 'ps1xml', 'ps2',
'ps2xml', 'psc1', 'psc2', 'pub', 'py', 'pyc', 'pyo', 'pyw', 'pyz',
'pyzw', 'rar', 'reg', 'rev', 'rtf', 'scf', 'scpt', 'scr', 'sct',
'searchConnector-ms', 'service', 'settingcontent-ms', 'sh', 'shb', 'shs',
'shtm', 'shtml', 'sldm', 'slk', 'so', 'spl', 'stm', 'svg', 'swf', 'sys',
'tar', 'theme', 'themepack', 'timer', 'uif', 'url', 'uue', 'vb', 'vbe',
'vbs', 'vhd', 'vhdx', 'vxd', 'wbk', 'website', 'wim', 'wiz', 'ws', 'wsc',
'wsf', 'wsh', 'xla', 'xlam', 'xlc', 'xll', 'xlm', 'xls', 'xlsb', 'xlsm',
'xlt', 'xltm', 'xlw', 'xnk', 'xps', 'xsl', 'xz', 'z'
)
# Return all required objects for evaluation
return $malwarePolicies, $malwareRules, $L2Extensions
}
'2.1.12' {
# Placeholder - Test-ConnectionFilterIPAllowList
}
'2.1.13' {
# Placeholder - Test-ConnectionFilterSafeList
}
'2.1.14' {
# Placeholder - Test-InboundAntiSpamPolicies
}
'3.1.1' {
# Test-AuditLogSearch.ps1
# 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
# Retrieve the audit log configuration
$auditLogConfig = Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
#
$auditLogResult = $auditLogConfig.UnifiedAuditLogIngestionEnabled
# [bool]
return $auditLogResult
}
'6.1.1' {
# Test-AuditDisabledFalse.ps1
# 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
# Retrieve the AuditDisabled configuration (Condition B)
$auditDisabledConfig = Get-OrganizationConfig | Select-Object AuditDisabled
# [bool]
$auditNotDisabled = -not $auditDisabledConfig.AuditDisabled
return $auditNotDisabled
}
'6.1.2' {
# Test-MailboxAuditingE3.ps1
$mailboxes = Get-EXOMailbox -PropertySets Audit
# [object[]]
return $mailboxes
}
'6.1.3' {
# Test-MailboxAuditingE5.ps1
$mailboxes = Get-EXOMailbox -PropertySets Audit
# [object[]]
return $mailboxes
}
'6.1.4' {
# Placeholder - Test-AuditBypassEnabled
}
'6.2.1' {
# Test-BlockMailForwarding.ps1
# 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
# Step 1: Retrieve the transport rules that redirect messages
$transportRules = Get-TransportRule | Where-Object { $null -ne $_.RedirectMessageTo }
if ($null -eq $transportRules) {
$transportRules = 1
}
# Step 2: Check all anti-spam outbound policies
$outboundSpamPolicies = Get-HostedOutboundSpamFilterPolicy
$nonCompliantSpamPolicies = $outboundSpamPolicies | Where-Object { $_.AutoForwardingMode -ne 'Off' }
return $transportRules, $nonCompliantSpamPolicies
}
'6.2.2' {
# Test-NoWhitelistDomains.ps1
# 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains
# Retrieve transport rules that whitelist specific domains
# Condition A: Checking for transport rules that whitelist specific domains
# [object[]]
$whitelistedRules = Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs }
return $whitelistedRules
}
'6.2.3' {
# Test-IdentifyExternalEmail.ps1
# 6.2.3 (L1) Ensure email from external senders is identified
# Retrieve external sender tagging configuration
# [object[]]
$externalInOutlook = Get-ExternalInOutlook
return $externalInOutlook
}
'6.3.1' {
# Test-RestrictOutlookAddins.ps1
# 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed
$customPolicyFailures = @()
# Check all mailboxes for custom policies with unallowed add-ins
$roleAssignmentPolicies = Get-EXOMailbox | Select-Object -Unique RoleAssignmentPolicy
if ($roleAssignmentPolicies.RoleAssignmentPolicy) {
foreach ($policy in $roleAssignmentPolicies) {
if ($policy.RoleAssignmentPolicy) {
$rolePolicyDetails = Get-RoleAssignmentPolicy -Identity $policy.RoleAssignmentPolicy
$foundRoles = $rolePolicyDetails.AssignedRoles | Where-Object { $_ -in $relevantRoles }
# Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are not assigned to users.
if ($foundRoles) {
$customPolicyFailures += "Policy: $($policy.RoleAssignmentPolicy): Roles: $($foundRoles -join ', ')"
}
}
}
}
# Check Default Role Assignment Policy
$defaultPolicy = Get-RoleAssignmentPolicy 'Default Role Assignment Policy'
return $customPolicyFailures, $defaultPolicy
}
# Check Default Role Assignment Policy
$defaultPolicy = Get-RoleAssignmentPolicy "Default Role Assignment Policy"
return $customPolicyFailures, $defaultPolicy
'6.5.1' {
# Test-ModernAuthExchangeOnline.ps1
# Ensuring the ExchangeOnlineManagement module is available
# 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
# Check modern authentication setting in Exchange Online configuration (Condition A and B)
$orgConfig = Get-OrganizationConfig | Select-Object -Property Name, OAuth2ClientProfileEnabled
return $orgConfig
}
'6.5.2' {
# Test-MailTipsEnabled.ps1
# 6.5.2 (L2) Ensure MailTips are enabled for end users
# Retrieve organization configuration for MailTips settings
# [object]
$orgConfig = Get-OrganizationConfig | Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled, MailTipsLargeAudienceThreshold
return $orgConfig
}
'6.5.3' {
# Test-RestrictStorageProvidersOutlook.ps1
# 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web
# Retrieve all OwaMailbox policies
# [object[]]
$owaPolicies = Get-OwaMailboxPolicy
return $owaPolicies
}
'8.6.1' {
# Test-ReportSecurityInTeams.ps1
# 8.6.1 (L1) Ensure users can report security concerns in Teams
# Retrieve the necessary settings for Teams and Exchange Online
# Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal.
# Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses.
# $ReportSubmissionPolicy Mock Object
<#
$ReportSubmissionPolicy = [PSCustomObject]@{
ReportJunkToCustomizedAddress = $true
ReportNotJunkToCustomizedAddress = $true
ReportPhishToCustomizedAddress = $true
ReportJunkAddresses = @('security@example.com')
ReportNotJunkAddresses = @('security@example.com')
ReportPhishAddresses = @('security@example.com')
ReportChatMessageEnabled = $false
ReportChatMessageToCustomizedAddressEnabled = $false
}
#>
$ReportSubmissionPolicy = Get-ReportSubmissionPolicy | Select-Object -Property ReportJunkToCustomizedAddress, ReportNotJunkToCustomizedAddress, ReportPhishToCustomizedAddress, ReportJunkAddresses, ReportNotJunkAddresses, ReportPhishAddresses, ReportChatMessageEnabled, ReportChatMessageToCustomizedAddressEnabled
return $ReportSubmissionPolicy
}
default { throw "No match found for test: $Rec" }
}
'6.5.1' {
# Test-ModernAuthExchangeOnline.ps1
# Ensuring the ExchangeOnlineManagement module is available
# 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
# Check modern authentication setting in Exchange Online configuration (Condition A and B)
$orgConfig = Get-OrganizationConfig | Select-Object -Property Name, OAuth2ClientProfileEnabled
return $orgConfig
}
'6.5.2' {
# Test-MailTipsEnabled.ps1
# 6.5.2 (L2) Ensure MailTips are enabled for end users
# Retrieve organization configuration for MailTips settings
# [object]
$orgConfig = Get-OrganizationConfig | Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled, MailTipsLargeAudienceThreshold
return $orgConfig
}
'6.5.3' {
# Test-RestrictStorageProvidersOutlook.ps1
# 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web
# Retrieve all OwaMailbox policies
# [object[]]
$owaPolicies = Get-OwaMailboxPolicy
return $owaPolicies
}
'8.6.1' {
# Test-ReportSecurityInTeams.ps1
# 8.6.1 (L1) Ensure users can report security concerns in Teams
# Retrieve the necessary settings for Teams and Exchange Online
# Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal.
# Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses.
# $ReportSubmissionPolicy Mock Object
<#
$ReportSubmissionPolicy = [PSCustomObject]@{
ReportJunkToCustomizedAddress = $true
ReportNotJunkToCustomizedAddress = $true
ReportPhishToCustomizedAddress = $true
ReportJunkAddresses = @('security@example.com')
ReportNotJunkAddresses = @('security@example.com')
ReportPhishAddresses = @('security@example.com')
ReportChatMessageEnabled = $false
ReportChatMessageToCustomizedAddressEnabled = $false
}
#>
$ReportSubmissionPolicy = Get-ReportSubmissionPolicy | Select-Object -Property ReportJunkToCustomizedAddress, ReportNotJunkToCustomizedAddress, ReportPhishToCustomizedAddress, ReportJunkAddresses, ReportNotJunkAddresses, ReportPhishAddresses, ReportChatMessageEnabled, ReportChatMessageToCustomizedAddressEnabled
return $ReportSubmissionPolicy
}
default { throw "No match found for test: $Rec" }
}
catch {
throw "Get-CISExoOutput: `n$_"
}
}
end {

577
source/Private/Get-CISMSTeamsOutput.ps1
View File

@@ -34,296 +34,301 @@ function Get-CISMSTeamsOutput {
#>
}
process {
Write-Verbose "Get-CISMSTeamsOutput: Retuning data for Rec: $Rec"
switch ($Rec) {
'8.1.1' {
# Test-TeamsExternalFileSharing.ps1
# 8.1.1 (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services
# Connect to Teams PowerShell using Connect-MicrosoftTeams
try {
Write-Verbose "Get-CISMSTeamsOutput: Retuning data for Rec: $Rec"
switch ($Rec) {
'8.1.1' {
# Test-TeamsExternalFileSharing.ps1
# 8.1.1 (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services
# Connect to Teams PowerShell using Connect-MicrosoftTeams
# Condition A: The `AllowDropbox` setting is set to `False`.
# Condition B: The `AllowBox` setting is set to `False`.
# Condition C: The `AllowGoogleDrive` setting is set to `False`.
# Condition D: The `AllowShareFile` setting is set to `False`.
# Condition E: The `AllowEgnyte` setting is set to `False`.
# Condition A: The `AllowDropbox` setting is set to `False`.
# Condition B: The `AllowBox` setting is set to `False`.
# Condition C: The `AllowGoogleDrive` setting is set to `False`.
# Condition D: The `AllowShareFile` setting is set to `False`.
# Condition E: The `AllowEgnyte` setting is set to `False`.
# Assuming that 'approvedProviders' is a list of approved cloud storage service names
# This list must be defined according to your organization's approved cloud storage services
# Add option for approved providers.
$clientConfig = Get-CsTeamsClientConfiguration
return $clientConfig
}
'8.1.2' {
# Test-BlockChannelEmails.ps1
# 8.1.2 (L1) Ensure users can't send emails to a channel email address
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: The `AllowEmailIntoChannel` setting in Teams is set to `False`.
# - Condition B: The setting `Users can send emails to a channel email address` is set to `Off` in the Teams admin center.
# - Condition C: Verification using PowerShell confirms that the `AllowEmailIntoChannel` setting is disabled.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: The `AllowEmailIntoChannel` setting in Teams is not set to `False`.
# - Condition B: The setting `Users can send emails to a channel email address` is not set to `Off` in the Teams admin center.
# - Condition C: Verification using PowerShell indicates that the `AllowEmailIntoChannel` setting is enabled.
# Assuming that 'approvedProviders' is a list of approved cloud storage service names
# This list must be defined according to your organization's approved cloud storage services
# Add option for approved providers.
$clientConfig = Get-CsTeamsClientConfiguration
return $clientConfig
}
'8.1.2' {
# Test-BlockChannelEmails.ps1
# 8.1.2 (L1) Ensure users can't send emails to a channel email address
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: The `AllowEmailIntoChannel` setting in Teams is set to `False`.
# - Condition B: The setting `Users can send emails to a channel email address` is set to `Off` in the Teams admin center.
# - Condition C: Verification using PowerShell confirms that the `AllowEmailIntoChannel` setting is disabled.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: The `AllowEmailIntoChannel` setting in Teams is not set to `False`.
# - Condition B: The setting `Users can send emails to a channel email address` is not set to `Off` in the Teams admin center.
# - Condition C: Verification using PowerShell indicates that the `AllowEmailIntoChannel` setting is enabled.
# Retrieve Teams client configuration
$teamsClientConfig = Get-CsTeamsClientConfiguration -Identity Global
return $teamsClientConfig
# Retrieve Teams client configuration
$teamsClientConfig = Get-CsTeamsClientConfiguration -Identity Global
return $teamsClientConfig
}
'8.2.1' {
# Test-TeamsExternalAccess.ps1
# 8.2.1 (L1) Ensure 'external access' is restricted in the Teams admin center
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: The `AllowTeamsConsumer` setting is `False`.
# - Condition B: The `AllowPublicUsers` setting is `False`.
# - Condition C: The `AllowFederatedUsers` setting is `False` or, if `True`, the `AllowedDomains` contains only authorized domain names.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: The `AllowTeamsConsumer` setting is not `False`.
# - Condition B: The `AllowPublicUsers` setting is not `False`.
# - Condition C: The `AllowFederatedUsers` setting is `True` and the `AllowedDomains` contains unauthorized domain names or is not configured correctly.
# Connect to Teams PowerShell using Connect-MicrosoftTeams
# $externalAccessConfig Mock Object
<#
$externalAccessConfig = [PSCustomObject]@{
Identity = 'Global'
AllowedDomains = 'AllowAllKnownDomains'
BlockedDomains = @()
AllowFederatedUsers = $true
AllowPublicUsers = $true
AllowTeamsConsumer = $true
AllowTeamsConsumerInbound = $true
}
$ApprovedFederatedDomains = @('msn.com', 'google.com')
$externalAccessConfig = [PSCustomObject]@{
Identity = 'Global'
AllowedDomains = @('msn.com', 'google.com')
BlockedDomains = @()
AllowFederatedUsers = $true
AllowPublicUsers = $false
AllowTeamsConsumer = $false
AllowTeamsConsumerInbound = $true
}
#>
$externalAccessConfig = Get-CsTenantFederationConfiguration
return $externalAccessConfig
}
'8.5.1' {
# Test-NoAnonymousMeetingJoin.ps1
# 8.5.1 (L2) Ensure anonymous users can't join a meeting
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: `AllowAnonymousUsersToJoinMeeting` is set to `False`.
# - Condition B: Verification using the UI confirms that `Anonymous users can join a meeting` is set to `Off` in the Global meeting policy.
# - Condition C: PowerShell command output indicates that anonymous users are not allowed to join meetings.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: `AllowAnonymousUsersToJoinMeeting` is not set to `False`.
# - Condition B: Verification using the UI shows that `Anonymous users can join a meeting` is not set to `Off` in the Global meeting policy.
# - Condition C: PowerShell command output indicates that anonymous users are allowed to join meetings.
# Connect to Teams PowerShell using Connect-MicrosoftTeams
# $teamsMeetingPolicy Mock Object
<#
$teamsMeetingPolicy = [PSCustomObject]@{
AllowAnonymousUsersToJoinMeeting = $true
}
#>
$teamsMeetingPolicy = Get-CsTeamsMeetingPolicy -Identity Global
return $teamsMeetingPolicy
}
'8.5.2' {
# Test-NoAnonymousMeetingStart.ps1
# 8.5.2 (L1) Ensure anonymous users and dial-in callers can't start a meeting
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: The `AllowAnonymousUsersToStartMeeting` setting in the Teams admin center is set to `False`.
# - Condition B: The setting for anonymous users and dial-in callers starting a meeting is configured to ensure they must wait in the lobby.
# - Condition C: Verification using the UI confirms that the setting `Anonymous users and dial-in callers can start a meeting` is set to `Off`.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: The `AllowAnonymousUsersToStartMeeting` setting in the Teams admin center is not set to `False`.
# - Condition B: The setting for anonymous users and dial-in callers starting a meeting allows them to bypass the lobby.
# - Condition C: Verification using the UI indicates that the setting `Anonymous users and dial-in callers can start a meeting` is not set to `Off`.
# Connect to Teams PowerShell using Connect-MicrosoftTeams
# $CsTeamsMeetingPolicyAnonymous Mock Object
<#
$CsTeamsMeetingPolicyAnonymous = [PSCustomObject]@{
AllowAnonymousUsersToStartMeeting = $true
}
#>
# Retrieve the Teams meeting policy for the global scope and check if anonymous users can start meetings
$CsTeamsMeetingPolicyAnonymous = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowAnonymousUsersToStartMeeting
return $CsTeamsMeetingPolicyAnonymous
}
'8.5.3' {
# Test-OrgOnlyBypassLobby.ps1
# 8.5.3 (L1) Ensure only people in my org can bypass the lobby
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is set to `EveryoneInCompanyExcludingGuests`.
# - Condition B: The setting for "Who can bypass the lobby" is configured to "People in my org" using the UI.
# - Condition C: Verification using the Microsoft Teams admin center confirms that the meeting join & lobby settings are configured as recommended.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is not set to `EveryoneInCompanyExcludingGuests`.
# - Condition B: The setting for "Who can bypass the lobby" is not configured to "People in my org" using the UI.
# - Condition C: Verification using the Microsoft Teams admin center indicates that the meeting join & lobby settings are not configured as recommended.
# Connect to Teams PowerShell using Connect-MicrosoftTeams
# Retrieve the Teams meeting policy for lobby bypass settings
# $CsTeamsMeetingPolicyLobby Mock Object
<#
$CsTeamsMeetingPolicyLobby = [PSCustomObject]@{
AutoAdmittedUsers = "OrganizerOnly"
}
#>
$CsTeamsMeetingPolicyLobby = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AutoAdmittedUsers
return $CsTeamsMeetingPolicyLobby
}
'8.5.4' {
# Test-DialInBypassLobby.ps1
# 8.5.4 (L1) Ensure users dialing in can't bypass the lobby
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: The `AllowPSTNUsersToBypassLobby` setting in the Global Teams meeting policy is set to `False`.
# - Condition B: Verification using the UI in the Microsoft Teams admin center confirms that "People dialing in can't bypass the lobby" is set to `Off`.
# - Condition C: Ensure that individuals who dial in by phone must wait in the lobby until admitted by a meeting organizer, co-organizer, or presenter.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: The `AllowPSTNUsersToBypassLobby` setting in the Global Teams meeting policy is not set to `False`.
# - Condition B: Verification using the UI in the Microsoft Teams admin center shows that "People dialing in can't bypass the lobby" is not set to `Off`.
# - Condition C: Individuals who dial in by phone are able to join the meeting directly without waiting in the lobby.
# Retrieve Teams meeting policy for PSTN users
# $CsTeamsMeetingPolicyPSTN Mock Object
<#
$CsTeamsMeetingPolicyPSTN = [PSCustomObject]@{
AllowPSTNUsersToBypassLobby = $true
}
#>
$CsTeamsMeetingPolicyPSTN = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowPSTNUsersToBypassLobby
return $CsTeamsMeetingPolicyPSTN
}
'8.5.5' {
# Test-MeetingChatNoAnonymous.ps1
# 8.5.5 (L2) Ensure meeting chat does not allow anonymous users
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: The `MeetingChatEnabledType` setting in Teams is set to `EnabledExceptAnonymous`.
# - Condition B: The setting for meeting chat is configured to allow chat for everyone except anonymous users.
# - Condition C: Verification using the Teams Admin Center confirms that the meeting chat settings are configured as recommended.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: The `MeetingChatEnabledType` setting in Teams is not set to `EnabledExceptAnonymous`.
# - Condition B: The setting for meeting chat allows chat for anonymous users.
# - Condition C: Verification using the Teams Admin Center indicates that the meeting chat settings are not configured as recommended.
# Retrieve the Teams meeting policy for meeting chat
# $CsTeamsMeetingPolicyChat Mock Object
<#
$CsTeamsMeetingPolicyChat = [PSCustomObject]@{
MeetingChatEnabledType = "Enabled"
}
#>
$CsTeamsMeetingPolicyChat = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property MeetingChatEnabledType
return $CsTeamsMeetingPolicyChat
}
'8.5.6' {
# Test-OrganizersPresent.ps1
# 8.5.6 (L2) Ensure only organizers and co-organizers can present
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: The `DesignatedPresenterRoleMode` setting in the Teams meeting policy is set to `OrganizerOnlyUserOverride`.
# - Condition B: Verification using the Teams admin center confirms that the setting "Who can present" is configured to "Only organizers and co-organizers".
# - Condition C: Verification using PowerShell confirms that the `DesignatedPresenterRoleMode` is set to `OrganizerOnlyUserOverride`.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: The `DesignatedPresenterRoleMode` setting in the Teams meeting policy is not set to `OrganizerOnlyUserOverride`.
# - Condition B: Verification using the Teams admin center indicates that the setting "Who can present" is not configured to "Only organizers and co-organizers".
# - Condition C: Verification using PowerShell indicates that the `DesignatedPresenterRoleMode` is not set to `OrganizerOnlyUserOverride`.
# Retrieve the Teams meeting policy for presenters
# $CsTeamsMeetingPolicyPresenters Mock Object
<#
$CsTeamsMeetingPolicyPresenters = [PSCustomObject]@{
DesignatedPresenterRoleMode = "Enabled"
}
#>
$CsTeamsMeetingPolicyPresenters = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property DesignatedPresenterRoleMode
return $CsTeamsMeetingPolicyPresenters
}
'8.5.7' {
# Test-ExternalNoControl.ps1
# 8.5.7 (L1) Ensure external participants can't give or request control
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: Ensure the `AllowExternalParticipantGiveRequestControl` setting in Teams is set to `False`.
# - Condition B: The setting is verified through the Microsoft Teams admin center or via PowerShell command.
# - Condition C: Verification using the UI confirms that external participants are unable to give or request control.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: The `AllowExternalParticipantGiveRequestControl` setting in Teams is not set to `False`.
# - Condition B: The setting is verified through the Microsoft Teams admin center or via PowerShell command.
# - Condition C: Verification using the UI indicates that external participants can give or request control.
# Retrieve Teams meeting policy for external participant control
# $CsTeamsMeetingPolicyControl Mock Object
<#
$CsTeamsMeetingPolicyControl = [PSCustomObject]@{
AllowExternalParticipantGiveRequestControl = $true
}
#>
$CsTeamsMeetingPolicyControl = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowExternalParticipantGiveRequestControl
return $CsTeamsMeetingPolicyControl
}
'8.6.1' {
# Test-ReportSecurityInTeams.ps1
# 8.6.1 (L1) Ensure users can report security concerns in Teams
# Retrieve the necessary settings for Teams and Exchange Online
# Condition A: Ensure the 'Report a security concern' setting in the Teams admin center is set to 'On'.
# $CsTeamsMessagingPolicy Mock Object
<#
$CsTeamsMessagingPolicy = [PSCustomObject]@{
AllowSecurityEndUserReporting = $true
}
#>
$CsTeamsMessagingPolicy = Get-CsTeamsMessagingPolicy -Identity Global | Select-Object -Property AllowSecurityEndUserReporting
return $CsTeamsMessagingPolicy
}
default { throw "No match found for test: $Rec" }
}
'8.2.1' {
# Test-TeamsExternalAccess.ps1
# 8.2.1 (L1) Ensure 'external access' is restricted in the Teams admin center
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: The `AllowTeamsConsumer` setting is `False`.
# - Condition B: The `AllowPublicUsers` setting is `False`.
# - Condition C: The `AllowFederatedUsers` setting is `False` or, if `True`, the `AllowedDomains` contains only authorized domain names.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: The `AllowTeamsConsumer` setting is not `False`.
# - Condition B: The `AllowPublicUsers` setting is not `False`.
# - Condition C: The `AllowFederatedUsers` setting is `True` and the `AllowedDomains` contains unauthorized domain names or is not configured correctly.
# Connect to Teams PowerShell using Connect-MicrosoftTeams
# $externalAccessConfig Mock Object
<#
$externalAccessConfig = [PSCustomObject]@{
Identity = 'Global'
AllowedDomains = 'AllowAllKnownDomains'
BlockedDomains = @()
AllowFederatedUsers = $true
AllowPublicUsers = $true
AllowTeamsConsumer = $true
AllowTeamsConsumerInbound = $true
}
$ApprovedFederatedDomains = @('msn.com', 'google.com')
$externalAccessConfig = [PSCustomObject]@{
Identity = 'Global'
AllowedDomains = @('msn.com', 'google.com')
BlockedDomains = @()
AllowFederatedUsers = $true
AllowPublicUsers = $false
AllowTeamsConsumer = $false
AllowTeamsConsumerInbound = $true
}
#>
$externalAccessConfig = Get-CsTenantFederationConfiguration
return $externalAccessConfig
}
'8.5.1' {
# Test-NoAnonymousMeetingJoin.ps1
# 8.5.1 (L2) Ensure anonymous users can't join a meeting
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: `AllowAnonymousUsersToJoinMeeting` is set to `False`.
# - Condition B: Verification using the UI confirms that `Anonymous users can join a meeting` is set to `Off` in the Global meeting policy.
# - Condition C: PowerShell command output indicates that anonymous users are not allowed to join meetings.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: `AllowAnonymousUsersToJoinMeeting` is not set to `False`.
# - Condition B: Verification using the UI shows that `Anonymous users can join a meeting` is not set to `Off` in the Global meeting policy.
# - Condition C: PowerShell command output indicates that anonymous users are allowed to join meetings.
# Connect to Teams PowerShell using Connect-MicrosoftTeams
# $teamsMeetingPolicy Mock Object
<#
$teamsMeetingPolicy = [PSCustomObject]@{
AllowAnonymousUsersToJoinMeeting = $true
}
#>
$teamsMeetingPolicy = Get-CsTeamsMeetingPolicy -Identity Global
return $teamsMeetingPolicy
}
'8.5.2' {
# Test-NoAnonymousMeetingStart.ps1
# 8.5.2 (L1) Ensure anonymous users and dial-in callers can't start a meeting
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: The `AllowAnonymousUsersToStartMeeting` setting in the Teams admin center is set to `False`.
# - Condition B: The setting for anonymous users and dial-in callers starting a meeting is configured to ensure they must wait in the lobby.
# - Condition C: Verification using the UI confirms that the setting `Anonymous users and dial-in callers can start a meeting` is set to `Off`.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: The `AllowAnonymousUsersToStartMeeting` setting in the Teams admin center is not set to `False`.
# - Condition B: The setting for anonymous users and dial-in callers starting a meeting allows them to bypass the lobby.
# - Condition C: Verification using the UI indicates that the setting `Anonymous users and dial-in callers can start a meeting` is not set to `Off`.
# Connect to Teams PowerShell using Connect-MicrosoftTeams
# $CsTeamsMeetingPolicyAnonymous Mock Object
<#
$CsTeamsMeetingPolicyAnonymous = [PSCustomObject]@{
AllowAnonymousUsersToStartMeeting = $true
}
#>
# Retrieve the Teams meeting policy for the global scope and check if anonymous users can start meetings
$CsTeamsMeetingPolicyAnonymous = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowAnonymousUsersToStartMeeting
return $CsTeamsMeetingPolicyAnonymous
}
'8.5.3' {
# Test-OrgOnlyBypassLobby.ps1
# 8.5.3 (L1) Ensure only people in my org can bypass the lobby
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is set to `EveryoneInCompanyExcludingGuests`.
# - Condition B: The setting for "Who can bypass the lobby" is configured to "People in my org" using the UI.
# - Condition C: Verification using the Microsoft Teams admin center confirms that the meeting join & lobby settings are configured as recommended.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is not set to `EveryoneInCompanyExcludingGuests`.
# - Condition B: The setting for "Who can bypass the lobby" is not configured to "People in my org" using the UI.
# - Condition C: Verification using the Microsoft Teams admin center indicates that the meeting join & lobby settings are not configured as recommended.
# Connect to Teams PowerShell using Connect-MicrosoftTeams
# Retrieve the Teams meeting policy for lobby bypass settings
# $CsTeamsMeetingPolicyLobby Mock Object
<#
$CsTeamsMeetingPolicyLobby = [PSCustomObject]@{
AutoAdmittedUsers = "OrganizerOnly"
}
#>
$CsTeamsMeetingPolicyLobby = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AutoAdmittedUsers
return $CsTeamsMeetingPolicyLobby
}
'8.5.4' {
# Test-DialInBypassLobby.ps1
# 8.5.4 (L1) Ensure users dialing in can't bypass the lobby
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: The `AllowPSTNUsersToBypassLobby` setting in the Global Teams meeting policy is set to `False`.
# - Condition B: Verification using the UI in the Microsoft Teams admin center confirms that "People dialing in can't bypass the lobby" is set to `Off`.
# - Condition C: Ensure that individuals who dial in by phone must wait in the lobby until admitted by a meeting organizer, co-organizer, or presenter.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: The `AllowPSTNUsersToBypassLobby` setting in the Global Teams meeting policy is not set to `False`.
# - Condition B: Verification using the UI in the Microsoft Teams admin center shows that "People dialing in can't bypass the lobby" is not set to `Off`.
# - Condition C: Individuals who dial in by phone are able to join the meeting directly without waiting in the lobby.
# Retrieve Teams meeting policy for PSTN users
# $CsTeamsMeetingPolicyPSTN Mock Object
<#
$CsTeamsMeetingPolicyPSTN = [PSCustomObject]@{
AllowPSTNUsersToBypassLobby = $true
}
#>
$CsTeamsMeetingPolicyPSTN = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowPSTNUsersToBypassLobby
return $CsTeamsMeetingPolicyPSTN
}
'8.5.5' {
# Test-MeetingChatNoAnonymous.ps1
# 8.5.5 (L2) Ensure meeting chat does not allow anonymous users
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: The `MeetingChatEnabledType` setting in Teams is set to `EnabledExceptAnonymous`.
# - Condition B: The setting for meeting chat is configured to allow chat for everyone except anonymous users.
# - Condition C: Verification using the Teams Admin Center confirms that the meeting chat settings are configured as recommended.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: The `MeetingChatEnabledType` setting in Teams is not set to `EnabledExceptAnonymous`.
# - Condition B: The setting for meeting chat allows chat for anonymous users.
# - Condition C: Verification using the Teams Admin Center indicates that the meeting chat settings are not configured as recommended.
# Retrieve the Teams meeting policy for meeting chat
# $CsTeamsMeetingPolicyChat Mock Object
<#
$CsTeamsMeetingPolicyChat = [PSCustomObject]@{
MeetingChatEnabledType = "Enabled"
}
#>
$CsTeamsMeetingPolicyChat = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property MeetingChatEnabledType
return $CsTeamsMeetingPolicyChat
}
'8.5.6' {
# Test-OrganizersPresent.ps1
# 8.5.6 (L2) Ensure only organizers and co-organizers can present
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: The `DesignatedPresenterRoleMode` setting in the Teams meeting policy is set to `OrganizerOnlyUserOverride`.
# - Condition B: Verification using the Teams admin center confirms that the setting "Who can present" is configured to "Only organizers and co-organizers".
# - Condition C: Verification using PowerShell confirms that the `DesignatedPresenterRoleMode` is set to `OrganizerOnlyUserOverride`.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: The `DesignatedPresenterRoleMode` setting in the Teams meeting policy is not set to `OrganizerOnlyUserOverride`.
# - Condition B: Verification using the Teams admin center indicates that the setting "Who can present" is not configured to "Only organizers and co-organizers".
# - Condition C: Verification using PowerShell indicates that the `DesignatedPresenterRoleMode` is not set to `OrganizerOnlyUserOverride`.
# Retrieve the Teams meeting policy for presenters
# $CsTeamsMeetingPolicyPresenters Mock Object
<#
$CsTeamsMeetingPolicyPresenters = [PSCustomObject]@{
DesignatedPresenterRoleMode = "Enabled"
}
#>
$CsTeamsMeetingPolicyPresenters = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property DesignatedPresenterRoleMode
return $CsTeamsMeetingPolicyPresenters
}
'8.5.7' {
# Test-ExternalNoControl.ps1
# 8.5.7 (L1) Ensure external participants can't give or request control
#
# Validate test for a pass:
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
# - Specific conditions to check:
# - Condition A: Ensure the `AllowExternalParticipantGiveRequestControl` setting in Teams is set to `False`.
# - Condition B: The setting is verified through the Microsoft Teams admin center or via PowerShell command.
# - Condition C: Verification using the UI confirms that external participants are unable to give or request control.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: The `AllowExternalParticipantGiveRequestControl` setting in Teams is not set to `False`.
# - Condition B: The setting is verified through the Microsoft Teams admin center or via PowerShell command.
# - Condition C: Verification using the UI indicates that external participants can give or request control.
# Retrieve Teams meeting policy for external participant control
# $CsTeamsMeetingPolicyControl Mock Object
<#
$CsTeamsMeetingPolicyControl = [PSCustomObject]@{
AllowExternalParticipantGiveRequestControl = $true
}
#>
$CsTeamsMeetingPolicyControl = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowExternalParticipantGiveRequestControl
return $CsTeamsMeetingPolicyControl
}
'8.6.1' {
# Test-ReportSecurityInTeams.ps1
# 8.6.1 (L1) Ensure users can report security concerns in Teams
# Retrieve the necessary settings for Teams and Exchange Online
# Condition A: Ensure the 'Report a security concern' setting in the Teams admin center is set to 'On'.
# $CsTeamsMessagingPolicy Mock Object
<#
$CsTeamsMessagingPolicy = [PSCustomObject]@{
AllowSecurityEndUserReporting = $true
}
#>
$CsTeamsMessagingPolicy = Get-CsTeamsMessagingPolicy -Identity Global | Select-Object -Property AllowSecurityEndUserReporting
return $CsTeamsMessagingPolicy
}
default { throw "No match found for test: $Rec" }
}
catch {
throw "Get-CISMSTeamsOutput: `n$_"
}
}
end {

192
source/Private/Get-CISMgOutput.ps1
View File

@@ -2,13 +2,10 @@ function Get-CISMgOutput {
<#
.SYNOPSIS
This is a sample Private function only visible within the module.
.DESCRIPTION
This sample function is not exported to the module and only return the data passed as parameter.
.EXAMPLE
$null = Get-CISMgOutput -PrivateData 'NOTHING TO SEE HERE'
.PARAMETER PrivateData
The PrivateData parameter is what will be returned without transformation.
@@ -20,7 +17,6 @@ function Get-CISMgOutput {
[Parameter(Mandatory = $false)]
[String]$DomainName
)
begin {
# Begin Block #
# Tests
@@ -34,84 +30,134 @@ function Get-CISMgOutput {
6.1.2
6.1.3
# Test number array
$testNumbers = @('1.1.1', '1.1.3', '1.2.1', '1.3.1', '5.1.2.3', '5.1.8.1', '6.1.2', '6.1.3')
$testNumbers = @('1.1.1', '1.1.1-v4', '1.1.3', '1.2.1', '1.3.1', '5.1.2.3', '5.1.8.1', '6.1.2', '6.1.3', '1.1.4')
#>
}
process {
Write-Verbose "Get-CISMgOutput: Retuning data for Rec: $Rec"
switch ($rec) {
'1.1.1' {
# 1.1.1
# Test-AdministrativeAccountCompliance
$AdminRoleAssignmentsAndUsers = Get-AdminRoleUserAndAssignment
return $AdminRoleAssignmentsAndUsers
}
'1.1.3' {
# Test-GlobalAdminsCount
# Step: Retrieve global admin role
$globalAdminRole = Get-MgDirectoryRole -Filter "RoleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
# Step: Retrieve global admin members
$globalAdmins = Get-MgDirectoryRoleMember -DirectoryRoleId $globalAdminRole.Id
return $globalAdmins
}
'1.2.1' {
# Test-ManagedApprovedPublicGroups
$allGroups = Get-MgGroup -All | Where-Object { $_.Visibility -eq "Public" } | Select-Object DisplayName, Visibility
return $allGroups
}
'1.3.1' {
# Test-PasswordNeverExpirePolicy.ps1
$domains = if ($DomainName) {
Get-MgDomain -DomainId $DomainName
try {
Write-Verbose "Get-CISMgOutput: Returning data for Rec: $Rec"
switch ($rec) {
'1.1.1' {
if ($script:Version400) {
$DirectoryRoles = Get-MgDirectoryRole
# Get privileged role IDs
$PrivilegedRoles = $DirectoryRoles | Where-Object {
$_.DisplayName -like '*Administrator*' -or $_.DisplayName -eq 'Global Reader'
}
# Get the members of these various roles
$RoleMembers = $PrivilegedRoles | ForEach-Object { Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id } |
Select-Object Id -Unique
$PrivilegedUsers = $RoleMembers | ForEach-Object {
Get-MgUser -UserId $_.Id -Property UserPrincipalName, DisplayName, Id, OnPremisesSyncEnabled
}
return $PrivilegedUsers
}
else {
# Test-AdministrativeAccountCompliance
$AdminRoleAssignmentsAndUsers = Get-AdminRoleUserAndAssignment
return $AdminRoleAssignmentsAndUsers
}
}
else {
Get-MgDomain
'1.1.3' {
# Test-GlobalAdminsCount
# Step: Retrieve global admin role
$globalAdminRole = Get-MgDirectoryRole -Filter "RoleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
# Step: Retrieve global admin members
$globalAdmins = Get-MgDirectoryRoleMember -DirectoryRoleId $globalAdminRole.Id
return $globalAdmins
}
return $domains
}
'5.1.2.3' {
# Test-RestrictTenantCreation
# Retrieve the tenant creation policy
$tenantCreationPolicy = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions | Select-Object AllowedToCreateTenants
return $tenantCreationPolicy
}
'5.1.8.1' {
# Test-PasswordHashSync
# Retrieve password hash sync status (Condition A and C)
$passwordHashSync = Get-MgOrganization | Select-Object -ExpandProperty OnPremisesSyncEnabled
return $passwordHashSync
}
'6.1.2' {
# Test-MailboxAuditingE3
$tenantSkus = Get-MgSubscribedSku -All
$e3SkuPartNumber = "SPE_E3"
$founde3Sku = $tenantSkus | Where-Object { $_.SkuPartNumber -eq $e3SkuPartNumber }
if ($founde3Sku.Count -ne 0) {
$allE3Users = Get-MgUser -Filter "assignedLicenses/any(x:x/skuId eq $($founde3Sku.SkuId) )" -All
return $allE3Users
'1.1.4' {
# 1.1.4 - MicrosoftGraphPlaceholder
$DirectoryRoles = Get-MgDirectoryRole
# Get privileged role IDs
$PrivilegedRoles = $DirectoryRoles |
Where-Object { $_.DisplayName -like '*Administrator*' -or $_.DisplayName -eq 'Global Reader' }
# Get the members of these various roles
$RoleMembers = $PrivilegedRoles | ForEach-Object { Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id } |
Select-Object Id -Unique
# Retrieve details about the members in these roles
$PrivilegedUsers = $RoleMembers | ForEach-Object {
Get-MgUser -UserId $_.Id -Property UserPrincipalName, DisplayName, Id
}
$Report = [System.Collections.Generic.List[Object]]::new()
foreach ($Admin in $PrivilegedUsers) {
$License = $null
$License = (Get-MgUserLicenseDetail -UserId $Admin.id).SkuPartNumber -join ', '
$Object = [pscustomobject][ordered]@{
DisplayName = $Admin.DisplayName
UserPrincipalName = $Admin.UserPrincipalName
License = $License
}
$Report.Add($Object)
}
return $Report
}
else {
return $null
'1.2.1' {
# Test-ManagedApprovedPublicGroups
$allGroups = Get-MgGroup -All | Where-Object { $_.Visibility -eq 'Public' } | Select-Object DisplayName, Visibility
return $allGroups
}
'1.2.2' {
# Test-BlockSharedMailboxSignIn.ps1
$users = Get-MgUser
return $users
}
'1.3.1' {
# Test-PasswordNeverExpirePolicy.ps1
$domains = if ($DomainName) {
Get-MgDomain -DomainId $DomainName
}
else {
Get-MgDomain
}
return $domains
}
'5.1.2.3' {
# Test-RestrictTenantCreation
# Retrieve the tenant creation policy
$tenantCreationPolicy = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions | Select-Object AllowedToCreateTenants
return $tenantCreationPolicy
}
'5.1.8.1' {
# Test-PasswordHashSync
# Retrieve password hash sync status (Condition A and C)
$passwordHashSync = Get-MgOrganization | Select-Object -ExpandProperty OnPremisesSyncEnabled
return $passwordHashSync
}
'6.1.2' {
# Test-MailboxAuditingE3
$tenantSKUs = Get-MgSubscribedSku -All
$e3SkuPartNumber = 'SPE_E3'
$foundE3Sku = $tenantSKUs | Where-Object { $_.SkuPartNumber -eq $e3SkuPartNumber }
if ($foundE3Sku.Count -ne 0) {
$allE3Users = Get-MgUser -Filter "assignedLicenses/any(x:x/skuId eq $($foundE3Sku.SkuId) )" -All
return $allE3Users
}
else {
return $null
}
}
'6.1.3' {
# Test-MailboxAuditingE5
$tenantSKUs = Get-MgSubscribedSku -All
$e5SkuPartNumber = 'SPE_E5'
$foundE5Sku = $tenantSKUs | Where-Object { $_.SkuPartNumber -eq $e5SkuPartNumber }
if ($foundE5Sku.Count -ne 0) {
$allE5Users = Get-MgUser -Filter "assignedLicenses/any(x:x/skuId eq $($foundE5Sku.SkuId) )" -All
return $allE5Users
}
else {
return $null
}
}
default { throw "No match found for test: $Rec" }
}
'6.1.3' {
# Test-MailboxAuditingE5
$tenantSkus = Get-MgSubscribedSku -All
$e5SkuPartNumber = "SPE_E5"
$founde5Sku = $tenantSkus | Where-Object { $_.SkuPartNumber -eq $e5SkuPartNumber }
if ($founde5Sku.Count -ne 0) {
$allE5Users = Get-MgUser -Filter "assignedLicenses/any(x:x/skuId eq $($founde5Sku.SkuId) )" -All
return $allE5Users
}
else {
return $null
}
}
default { throw "No match found for test: $Rec" }
}
catch {
throw "Get-CISMgOutput: `n$_"
}
}
end {
Write-Verbose "Retuning data for Rec: $Rec"
Write-Verbose "Returning data for Rec: $Rec"
}
} # end function Get-CISMgOutput
} # end function Get-CISMgOutput

325
source/Private/Get-CISSpoOutput.ps1
View File

@@ -1,200 +1,161 @@
<#
.SYNOPSIS
This is a sample Private function only visible within the module.
Retrieves configuration settings from SharePoint Online or PnP based on the specified recommendation.
.DESCRIPTION
This sample function is not exported to the module and only return the data passed as parameter.
The Get-CISSpoOutput function retrieves specific configuration settings from SharePoint Online or PnP based on a recommendation number.
It dynamically switches between using SPO and PnP commands based on the provided authentication context.
.PARAMETER Rec
The recommendation number corresponding to the specific test to be run.
.INPUTS
None. You cannot pipe objects to this function.
.OUTPUTS
PSCustomObject
Returns configuration details for the specified recommendation.
.EXAMPLE
$null = Get-CISSpoOutput -PrivateData 'NOTHING TO SEE HERE'
.PARAMETER PrivateData
The PrivateData parameter is what will be returned without transformation.
PS> Get-CISSpoOutput -Rec '7.2.1'
Retrieves the LegacyAuthProtocolsEnabled property from the SharePoint Online or PnP tenant.
#>
function Get-CISSpoOutput {
[cmdletBinding()]
[CmdletBinding()]
param(
[Parameter(Mandatory = $true)]
[Parameter(Mandatory = $true, HelpMessage = "The recommendation number corresponding to the specific test to be run.")]
[String]$Rec
)
begin {
# Begin Block #
<#
# Tests
7.2.1
7.2.2
7.2.3
7.2.4
7.2.5
7.2.6
7.2.7
7.2.9
7.2.10
7.3.1
7.3.2
7.3.4
# Test number array
$testNumbers = @('7.2.1', '7.2.2', '7.2.3', '7.2.4', '7.2.5', '7.2.6', '7.2.7', '7.2.9', '7.2.10', '7.3.1', '7.3.2', '7.3.4')
#>
# Check if PnP should be used
$UsePnP = $script:PnpAuth
# Determine the prefix based on the switch
$prefix = if ($UsePnP) { "PnP" } else { "SPO" }
# Define a hashtable to map the function calls
$commandMap = @{
# Test-ModernAuthSharePoint.ps1
# 7.2.1 (L1) Ensure Legacy Authentication Protocols are disabled
# $SPOTenant Mock Object
'7.2.1' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"
} | Select-Object -Property LegacyAuthProtocolsEnabled
}
# Test-SharePointAADB2B.ps1
# 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
# $SPOTenantAzureADB2B Mock Object
'7.2.2' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"
} | Select-Object -Property EnableAzureADB2BIntegration
}
# Test-RestrictExternalSharing.ps1
# 7.2.3 (L1) Ensure external content sharing is restricted
# Retrieve the SharingCapability setting for the SharePoint tenant
# $SPOTenantSharingCapability Mock Object
'7.2.3' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"
} | Select-Object -Property SharingCapability
}
# Test-OneDriveContentRestrictions.ps1
# 7.2.4 (L2) Ensure OneDrive content sharing is restricted
# $SPOTenant Mock Object
'7.2.4' = {
Invoke-Command {
if ($prefix -eq "SPO") {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)" | Select-Object -Property OneDriveSharingCapability
} else {
# Workaround until bugfix in PnP.PowerShell
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)" | Select-Object -Property OneDriveLoopSharingCapability | Select-Object @{Name = "OneDriveSharingCapability"; Expression = { $_.OneDriveLoopSharingCapability }}
}
}
}
# Test-SharePointGuestsItemSharing.ps1
# 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own
# $SPOTenant Mock Object
'7.2.5' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"
} | Select-Object -Property PreventExternalUsersFromResharing
}
# Test-SharePointExternalSharingDomains.ps1
# 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists
# Add Authorized Domains?
# $SPOTenant Mock Object
'7.2.6' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"
} | Select-Object -Property SharingDomainRestrictionMode, SharingAllowedDomainList
}
# Test-LinkSharingRestrictions.ps1
# Retrieve link sharing configuration for SharePoint and OneDrive
# $SPOTenantLinkSharing Mock Object
'7.2.7' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"
} | Select-Object -Property DefaultSharingLinkType
}
# Test-GuestAccessExpiration.ps1
# Retrieve SharePoint tenant settings related to guest access expiration
# $SPOTenantGuestAccess Mock Object
'7.2.9' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"
} | Select-Object -Property ExternalUserExpirationRequired, ExternalUserExpireInDays
}
# Test-ReauthWithCode.ps1
# 7.2.10 (L1) Ensure reauthentication with verification code is restricted
# Retrieve reauthentication settings for SharePoint Online
# $SPOTenantReauthentication Mock Object
'7.2.10' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"
} | Select-Object -Property EmailAttestationRequired, EmailAttestationReAuthDays
}
# Test-DisallowInfectedFilesDownload.ps1
# Retrieve the SharePoint tenant configuration
# $SPOTenantDisallowInfectedFileDownload Mock Object
'7.3.1' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}Tenant").Name)"
} | Select-Object -Property DisallowInfectedFileDownload
}
# Test-OneDriveSyncRestrictions.ps1
# Retrieve OneDrive sync client restriction settings
# Add isHybrid parameter?
# $SPOTenantSyncClientRestriction Mock Object
'7.3.2' = {
Invoke-Command {
& "$((Get-Command -Name "Get-${prefix}TenantSyncClientRestriction").Name)"
} | Select-Object -Property TenantRestrictionEnabled, AllowedDomainList
}
# Test-RestrictCustomScripts.ps1
# Retrieve all site collections and select necessary properties
# $SPOSitesCustomScript Mock Object
'7.3.4' = {
Invoke-Command {
if ($prefix -eq "SPO") {
& "$((Get-Command -Name "Get-${prefix}Site").Name)" -Limit All | Select-Object Title, Url, DenyAddAndCustomizePages
} else {
& "$((Get-Command -Name "Get-${prefix}TenantSite").Name)" | Select-Object Title, Url, DenyAddAndCustomizePages
}
}
}
}
}
process {
Write-Verbose "Retuning data for Rec: $Rec"
switch ($Rec) {
'7.2.1' {
# Test-ModernAuthSharePoint.ps1
# $SPOTenant Mock Object
<#
$SPOTenant = [PSCustomObject]@{
LegacyAuthProtocolsEnabled = $true
}
#>
$SPOTenant = Get-SPOTenant | Select-Object -Property LegacyAuthProtocolsEnabled
return $SPOTenant
try {
Write-Verbose "Returning data for Rec: $Rec"
if ($commandMap.ContainsKey($Rec)) {
# Invoke the script block associated with the command
$result = & $commandMap[$Rec] -ErrorAction Stop
return $result
}
'7.2.2' {
# Test-SharePointAADB2B.ps1
# 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
# $SPOTenantAzureADB2B Mock Object
<#
$SPOTenantAzureADB2B = [PSCustomObject]@{
EnableAzureADB2BIntegration = $false
}
#>
$SPOTenantAzureADB2B = Get-SPOTenant | Select-Object EnableAzureADB2BIntegration
return $SPOTenantAzureADB2B
else {
throw "No match found for test: $Rec"
}
'7.2.3' {
# Test-RestrictExternalSharing.ps1
# 7.2.3 (L1) Ensure external content sharing is restricted
# Retrieve the SharingCapability setting for the SharePoint tenant
# $SPOTenantSharingCapability Mock Object
<#
$SPOTenantSharingCapability = [PSCustomObject]@{
SharingCapability = "ExternalUserAndGuestSharing"
}
#>
$SPOTenantSharingCapability = Get-SPOTenant | Select-Object SharingCapability
return $SPOTenantSharingCapability
}
'7.2.4' {
# Test-OneDriveContentRestrictions.ps1
# 7.2.4 (L2) Ensure OneDrive content sharing is restricted
# $SPOTenant Mock Object
<#
$SPOTenant = [PSCustomObject]@{
OneDriveSharingCapability = "ExternalUserAndGuestSharing"
}
#>
$SPOTenant = Get-SPOTenant | Select-Object OneDriveSharingCapability
return $SPOTenant
}
'7.2.5' {
# Test-SharePointGuestsItemSharing.ps1
# 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own
# $SPOTenant Mock Object
<#
$SPOTenant = [PSCustomObject]@{
PreventExternalUsersFromResharing = $false
}
#>
$SPOTenant = Get-SPOTenant | Select-Object PreventExternalUsersFromResharing
return $SPOTenant
}
'7.2.6' {
# Test-SharePointExternalSharingDomains.ps1
# 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists
# Add Authorized Domains?
# $SPOTenant Mock Object
<#
$SPOTenant = [PSCustomObject]@{
SharingDomainRestrictionMode = "AllowList"
SharingAllowedDomainList = "domain1.com", "domain2.com"
}
#>
$SPOTenant = Get-SPOTenant | Select-Object SharingDomainRestrictionMode, SharingAllowedDomainList
return $SPOTenant
}
'7.2.7' {
# Test-LinkSharingRestrictions.ps1
# Retrieve link sharing configuration for SharePoint and OneDrive
# $SPOTenantLinkSharing Mock Object
<#
$$SPOTenantLinkSharing = [PSCustomObject]@{
DefaultSharingLinkType = "Direct"
}
#>
$SPOTenantLinkSharing = Get-SPOTenant | Select-Object DefaultSharingLinkType
return $SPOTenantLinkSharing
}
'7.2.9' {
# Test-GuestAccessExpiration.ps1
# Retrieve SharePoint tenant settings related to guest access expiration
# $SPOTenantGuestAccess Mock Object
<#
$SPOTenantGuestAccess = [PSCustomObject]@{
ExternalUserExpirationRequired = "$false"
ExternalUserExpireInDays = "60"
}
#>
$SPOTenantGuestAccess = Get-SPOTenant | Select-Object ExternalUserExpirationRequired, ExternalUserExpireInDays
return $SPOTenantGuestAccess
}
'7.2.10' {
# Test-ReauthWithCode.ps1
# 7.2.10 (L1) Ensure reauthentication with verification code is restricted
# Retrieve reauthentication settings for SharePoint Online
# $SPOTenantReauthentication Mock Object
<#
$SPOTenantReauthentication = [PSCustomObject]@{
EmailAttestationRequired = "$false"
EmailAttestationReAuthDays = "30"
}
#>
$SPOTenantReauthentication = Get-SPOTenant | Select-Object EmailAttestationRequired, EmailAttestationReAuthDays
return $SPOTenantReauthentication
}
'7.3.1' {
# Test-DisallowInfectedFilesDownload.ps1
# Retrieve the SharePoint tenant configuration
# $SPOTenantDisallowInfectedFileDownload Mock Object
<#
$SPOTenantDisallowInfectedFileDownload = [PSCustomObject]@{
DisallowInfectedFileDownload = $false
}
#>
$SPOTenantDisallowInfectedFileDownload = Get-SPOTenant | Select-Object DisallowInfectedFileDownload
return $SPOTenantDisallowInfectedFileDownload
}
'7.3.2' {
# Test-OneDriveSyncRestrictions.ps1
# Retrieve OneDrive sync client restriction settings
# Add isHybrid paramter?
# $SPOTenantSyncClientRestriction Mock Object
<#
$SPOTenantSyncClientRestriction = [PSCustomObject]@{
TenantRestrictionEnabled = $true
AllowedDomainList = "786548DD-877B-4760-A749-6B1EFBC1190A", "877564FF-877B-4760-A749-6B1EFBC1190A"
}
#>
$SPOTenantSyncClientRestriction = Get-SPOTenantSyncClientRestriction | Select-Object TenantRestrictionEnabled, AllowedDomainList
return $SPOTenantSyncClientRestriction
}
'7.3.4' {
# Test-RestrictCustomScripts.ps1
# Retrieve all site collections and select necessary properties
# $SPOSitesCustomScript Mock Object
<#
$SPOSitesCustomScript = [PSCustomObject]@{
Title = "Site Collection 1"
Url = "https://contoso.sharepoint.com/sites/site1"
DenyAddAndCustomizePages = "Enabled"
}
#>
$SPOSitesCustomScript = Get-SPOSite -Limit All | Select-Object Title, Url, DenyAddAndCustomizePages
return $SPOSitesCustomScript
}
default { throw "No match found for test: $Rec" }
}
catch {
throw "Get-CISSpoOutput: `n$_"
}
}
end {
Write-Verbose "Retuning data for Rec: $Rec"
Write-Verbose "Finished processing for Rec: $Rec"
}
} # end function Get-CISMSTeamsOutput
}

57
source/Private/Get-PhishPolicyCompliance.ps1 Normal file
View File

@@ -0,0 +1,57 @@
function Get-PhishPolicyCompliance {
[CmdletBinding()]
param (
[Parameter(Mandatory = $true)]
[PSCustomObject]$Policy
)
Write-Verbose "Starting compliance evaluation for policy: $($Policy.Name)"
# Define the compliance criteria for an anti-phishing policy
$complianceCriteria = @{
Enabled = $true # Policy must be enabled
EnableTargetedUserProtection = $true # Targeted user protection must be enabled
EnableOrganizationDomainsProtection = $true # Organization domains protection must be enabled
EnableMailboxIntelligence = $true # Mailbox intelligence must be enabled
EnableMailboxIntelligenceProtection = $true # Mailbox intelligence protection must be enabled
EnableSpoofIntelligence = $true # Spoof intelligence must be enabled
TargetedUserProtectionAction = 'Quarantine' # Actions for targeted user protection must be 'Quarantine'
TargetedDomainProtectionAction = 'Quarantine' # Actions for targeted domain protection must be 'Quarantine'
MailboxIntelligenceProtectionAction = 'Quarantine' # Actions for mailbox intelligence protection must be 'Quarantine'
EnableFirstContactSafetyTips = $true # First contact safety tips must be enabled
EnableSimilarUsersSafetyTips = $true # Similar users safety tips must be enabled
EnableSimilarDomainsSafetyTips = $true # Similar domains safety tips must be enabled
EnableUnusualCharactersSafetyTips = $true # Unusual characters safety tips must be enabled
HonorDmarcPolicy = $true # Honor DMARC policy must be enabled
}
# Initialize compliance state and a list to track non-compliance reasons
$isCompliant = $true
$nonCompliantReasons = @()
Write-Verbose "Evaluating compliance criteria for policy: $($Policy.Name)"
# Iterate through the compliance criteria and check each property of the policy
foreach ($key in $complianceCriteria.Keys) {
Write-Verbose "Checking $key`: Expected $($complianceCriteria[$key])"
if ($Policy.PSObject.Properties[$key] -and $Policy.$key -ne $complianceCriteria[$key]) {
Write-Verbose "Non-compliance detected for $key. Found $($Policy.$key)"
$isCompliant = $false # Mark as non-compliant if the value doesn't match
$nonCompliantReasons += "$key`: Expected $($complianceCriteria[$key]), Found $($Policy.$key)" # Record the discrepancy
} else {
Write-Verbose "$key is compliant."
}
}
# Special case: Ensure PhishThresholdLevel is at least 3
Write-Verbose "Checking PhishThresholdLevel: Expected at least 3"
if ($Policy.PSObject.Properties['PhishThresholdLevel'] -and $Policy.PhishThresholdLevel -lt 3) {
Write-Verbose "Non-compliance detected for PhishThresholdLevel. Found $($Policy.PhishThresholdLevel)"
$isCompliant = $false # Mark as non-compliant if threshold is below 3
$nonCompliantReasons += "PhishThresholdLevel: Expected at least 3, Found $($Policy.PhishThresholdLevel)" # Record the issue
} else {
Write-Verbose "PhishThresholdLevel is compliant."
}
# Log the reasons for non-compliance if the policy is not compliant
if (-not $isCompliant) {
Write-Verbose "Policy $($Policy.Name) is not compliant. Reasons: $($nonCompliantReasons -join '; ')"
} else {
Write-Verbose "Policy $($Policy.Name) is fully compliant."
}
# Return whether the policy is compliant
return $isCompliant
}

25
source/Private/Get-RequiredModule.ps1
View File

@@ -4,20 +4,27 @@ function Get-RequiredModule {
param (
[Parameter(Mandatory = $true, ParameterSetName = 'AuditFunction')]
[switch]$AuditFunction,
[Parameter(Mandatory = $true, ParameterSetName = 'SyncFunction')]
[switch]$SyncFunction
)
switch ($PSCmdlet.ParameterSetName) {
'AuditFunction' {
return @(
@{ ModuleName = "ExchangeOnlineManagement"; RequiredVersion = "3.3.0"; SubModules = @() },
@{ ModuleName = "AzureAD"; RequiredVersion = "2.0.2.182"; SubModules = @() },
@{ ModuleName = "Microsoft.Graph"; RequiredVersion = "2.4.0"; SubModules = @("Groups", "DeviceManagement", "Users", "Identity.DirectoryManagement", "Identity.SignIns") },
@{ ModuleName = "Microsoft.Online.SharePoint.PowerShell"; RequiredVersion = "16.0.24009.12000"; SubModules = @() },
@{ ModuleName = "MicrosoftTeams"; RequiredVersion = "5.5.0"; SubModules = @() }
)
if (($script:PnpAuth)) {
return @(
@{ ModuleName = "ExchangeOnlineManagement"; RequiredVersion = "3.3.0"; SubModules = @() },
@{ ModuleName = "Microsoft.Graph"; RequiredVersion = "2.4.0"; SubModules = @("DeviceManagement", "Users", "Identity.DirectoryManagement", "Identity.SignIns") },
@{ ModuleName = "PnP.PowerShell"; RequiredVersion = "2.5.0"; SubModules = @() },
@{ ModuleName = "MicrosoftTeams"; RequiredVersion = "5.5.0"; SubModules = @() }
)
}
else {
return @(
@{ ModuleName = "ExchangeOnlineManagement"; RequiredVersion = "3.3.0"; SubModules = @() },
@{ ModuleName = "Microsoft.Graph"; RequiredVersion = "2.4.0"; SubModules = @("DeviceManagement", "Users", "Identity.DirectoryManagement", "Identity.SignIns") },
@{ ModuleName = "Microsoft.Online.SharePoint.PowerShell"; RequiredVersion = "16.0.24009.12000"; SubModules = @() },
@{ ModuleName = "MicrosoftTeams"; RequiredVersion = "5.5.0"; SubModules = @() }
)
}
}
'SyncFunction' {
return @(

57
source/Private/Get-ScopeOverlap.ps1 Normal file
View File

@@ -0,0 +1,57 @@
function Get-ScopeOverlap {
[CmdletBinding()]
param (
[Parameter(Mandatory = $true)]
[PSCustomObject]$Policy,
[Parameter(Mandatory = $true)]
[PSCustomObject[]]$OtherPolicies
)
Write-Verbose "Checking for scope overlap with policy: $($Policy.Name)..."
$overlapDetected = $false
$overlappingDetails = @()
# Extract the correct scope properties for the current policy
$policyScope = @{
Users = $Policy.TargetedUsersToProtect
Domains = $Policy.TargetedDomainsToProtect
}
# Log the current policy's scope
foreach ($key in $policyScope.Keys) {
Write-Verbose "Policy $($Policy.Name) $key scope: $($policyScope[$key] -join ', ')"
}
# Compare with the scope of other policies
foreach ($otherPolicy in $OtherPolicies) {
if ($null -ne $otherPolicy) {
# Extract the correct scope properties for the other policy
$otherScope = @{
Users = $otherPolicy.TargetedUsersToProtect
Domains = $otherPolicy.TargetedDomainsToProtect
}
# Log the other policy's scope
Write-Verbose "Comparing with policy: $($otherPolicy.Name)..."
foreach ($key in $otherScope.Keys) {
Write-Verbose "$($otherPolicy.Name) $key scope: $($otherScope[$key] -join ', ')"
}
# Compare scopes (intersection) and detect overlap
foreach ($key in $policyScope.Keys) {
$overlap = $policyScope[$key] | Where-Object { $otherScope[$key] -contains $_ }
if ($overlap) {
$overlapDetected = $true
$overlappingDetails += "Overlap detected in $key between $($Policy.Name) and $($otherPolicy.Name): $($overlap -join ', ')"
Write-Verbose "Overlap detected in $key`: $($overlap -join ', ')"
} else {
Write-Verbose "No overlap detected for $key between $($Policy.Name) and $($otherPolicy.Name)."
}
}
}
}
# Provide a clear summary of overlapping details
if ($overlapDetected) {
Write-Verbose "Summary of overlaps for policy $($Policy.Name):"
foreach ($detail in $overlappingDetails) {
Write-Verbose " $detail"
}
} else {
Write-Verbose "No overlapping entities found for policy $($Policy.Name)."
}
return $overlapDetected
}

28
source/Private/Get-TestDefinition.ps1 Normal file
View File

@@ -0,0 +1,28 @@
function Get-TestDefinition {
param (
[string]$Version
)
# Load test definitions from CSV
$testDefinitionsPath = Join-Path -Path $PSScriptRoot -ChildPath 'helper\TestDefinitions.csv'
$testDefinitions = Import-Csv -Path $testDefinitionsPath
# ################ Check for $Version -eq '4.0.0' ################
if ($Version -eq '4.0.0') {
$script:Version400 = $true
$testDefinitionsV4Path = Join-Path -Path $PSScriptRoot -ChildPath 'helper\TestDefinitions-v4.0.0.csv'
$testDefinitionsV4 = Import-Csv -Path $testDefinitionsV4Path
# Merge the definitions, prioritizing version 4.0.0
$mergedDefinitions = @{ }
foreach ($test in $testDefinitions) {
$mergedDefinitions[$test.Rec] = $test
}
foreach ($testV4 in $testDefinitionsV4) {
$mergedDefinitions[$testV4.Rec] = $testV4 # Overwrite if Rec exists
}
# Convert back to an array
$testDefinitions = $mergedDefinitions.Values
Write-Verbose "Total tests after merging: $(($testDefinitions).Count)"
$overwrittenTests = $testDefinitionsV4 | Where-Object { $testDefinitions[$_.Rec] }
Write-Verbose "Overwritten tests: $($overwrittenTests.Rec -join ', ')"
}
return $testDefinitions
}

2
source/Private/Get-TestDefinitionsObject.ps1
View File

@@ -15,7 +15,6 @@ function Get-TestDefinitionsObject {
)
Write-Verbose "Initial test definitions count: $($TestDefinitions.Count)"
switch ($ParameterSetName) {
'ELevelFilter' {
Write-Verbose "Applying ELevelFilter"
@@ -59,7 +58,6 @@ function Get-TestDefinitionsObject {
$TestDefinitions = $TestDefinitions | Where-Object { $SkipRecommendation -notcontains $_.Rec }
}
}
Write-Verbose "Filtered test definitions count: $($TestDefinitions.Count)"
return $TestDefinitions
}

10
source/Private/Get-TestError.ps1
View File

@@ -19,15 +19,15 @@ function Get-TestError {
[cmdletBinding()]
param (
$LastError,
$recnum
$RecNum
)
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $RecNum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $LastError })
$script:FailedTests.Add([PSCustomObject]@{ Rec = $RecNum; Description = $description; Error = $LastError })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
Write-Verbose "An error occurred during the test: `n$LastError" -Verbose
$auditResult = Initialize-CISAuditResult -Rec $RecNum -Failure
Write-Verbose "An error occurred during the test $RecNum`: `n$LastError" -Verbose
return $auditResult
}

5
source/Private/Get-UniqueConnection.ps1
View File

@@ -8,10 +8,7 @@ function Get-UniqueConnection {
$uniqueConnections = @()
if ($Connections -contains "AzureAD" -or $Connections -contains "AzureAD | EXO" -or $Connections -contains "AzureAD | EXO | Microsoft Graph") {
$uniqueConnections += "AzureAD"
}
if ($Connections -contains "Microsoft Graph" -or $Connections -contains "AzureAD | EXO | Microsoft Graph") {
if ($Connections -contains "Microsoft Graph" -or $Connections -contains "AzureAD | EXO | Microsoft Graph" -or $Connections -contains "EXO | Microsoft Graph") {
$uniqueConnections += "Microsoft Graph"
}
if ($Connections -contains "EXO" -or $Connections -contains "AzureAD | EXO" -or $Connections -contains "Microsoft Teams | EXO" -or $Connections -contains "AzureAD | EXO | Microsoft Graph") {

3
source/Private/Initialize-CISAuditResult.ps1
View File

@@ -20,7 +20,7 @@ function Initialize-CISAuditResult {
[Parameter(ParameterSetName = 'Error')]
[switch]$Failure
)
$M365AuditVersion = $Script:CISVersion
# Import the test definitions CSV file
$testDefinitions = $script:TestDefinitionsObject
@@ -45,6 +45,7 @@ function Initialize-CISAuditResult {
$auditResult.Automated = [bool]::Parse($testDefinition.Automated)
$auditResult.Connection = $testDefinition.Connection
$auditResult.CISControlVer = 'v8'
$auditResult.M365AuditVersion = $M365AuditVersion
if ($PSCmdlet.ParameterSetName -eq 'Full') {
$auditResult.Result = $Result

16
source/Private/Invoke-TestFunction.ps1
View File

@@ -1,5 +1,5 @@
function Invoke-TestFunction {
[OutputType([CISAuditResult[]])]
[OutputType([CISAuditResult])]
param (
[Parameter(Mandatory = $true)]
[PSObject]$FunctionFile,
@@ -10,10 +10,8 @@ function Invoke-TestFunction {
[Parameter(Mandatory = $false)]
[string[]]$ApprovedFederatedDomains
)
$functionName = $FunctionFile.BaseName
$functionCmd = Get-Command -Name $functionName
# Check if the test function needs DomainName parameter
$paramList = @{}
if ('DomainName' -in $functionCmd.Parameters.Keys) {
@@ -25,17 +23,21 @@ function Invoke-TestFunction {
if ('ApprovedFederatedDomains' -in $functionCmd.Parameters.Keys) {
$paramList.ApprovedFederatedDomains = $ApprovedFederatedDomains
}
# Use splatting to pass parameters
Write-Verbose "Running $functionName..."
# Version-aware logging
if ($script:Version400) {
Write-Verbose "Running $functionName (Version: 4.0.0)..."
}
else {
Write-Verbose "Running $functionName (Version: 3.0.0)..."
}
try {
$result = & $functionName @paramList
# Assuming each function returns an array of CISAuditResult or a single CISAuditResult
return $result
}
catch {
Write-Error "An error occurred during the test: $_"
Write-Error "An error occurred during the test $RecNum`: $_"
$script:FailedTests.Add([PSCustomObject]@{ Test = $functionName; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $functionName -Failure
return $auditResult

10
source/Private/Measure-AuditResult.ps1
View File

@@ -18,15 +18,15 @@ function Measure-AuditResult {
$passPercentage = if ($totalTests -eq 0) { 0 } else { [math]::Round(($passedTests / $totalTests) * 100, 2) }
# Display the pass percentage to the user
Write-Host "Audit completed. $passedTests out of $totalTests tests passed." -ForegroundColor Cyan
Write-Host "Your passing percentage is $passPercentage%." -ForegroundColor Magenta
Write-Verbose "Audit completed. $passedTests out of $totalTests tests passed."
Write-Verbose "Your passing percentage is $passPercentage%."
# Display details of failed tests
if ($FailedTests.Count -gt 0) {
Write-Host "The following tests failed to complete:" -ForegroundColor Red
Write-Verbose "The following tests failed to complete:"
foreach ($failedTest in $FailedTests) {
Write-Host "Test: $($failedTest.Test)" -ForegroundColor Yellow
Write-Host "Error: $($failedTest.Error)" -ForegroundColor Yellow
Write-Verbose "Test: $($failedTest.Test)"
Write-Verbose "Error: $($failedTest.Error)"
}
}
}

357
source/Public/Export-M365SecurityAuditTable.ps1
View File

@@ -1,228 +1,201 @@
<#
.SYNOPSIS
Exports Microsoft 365 security audit results to CSV or Excel files and supports outputting specific test results as objects.
Export Microsoft 365 CIS audit results into CSV/Excel and package with hashes.
.DESCRIPTION
The Export-M365SecurityAuditTable function exports Microsoft 365 security audit results from an array of CISAuditResult objects or a CSV file.
It can export all results to a specified path, output a specific test result as an object, and includes options for exporting results to Excel.
Additionally, it computes hashes for the exported files and includes them in the zip archive for verification purposes.
Export-M365SecurityAuditTable processes an array of CISAuditResult objects, exporting per-test nested tables
and/or a full audit summary (with oversized fields truncated) to CSV or Excel. All output files are
hashed (SHA256) and bundled into a ZIP archive whose filename includes a short hash for integrity.
.PARAMETER AuditResults
An array of CISAuditResult objects containing the audit results. This parameter is mandatory when exporting from audit results.
.PARAMETER CsvPath
The path to a CSV file containing the audit results. This parameter is mandatory when exporting from a CSV file.
.PARAMETER OutputTestNumber
The test number to output as an object. Valid values are "1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4". This parameter is used to output a specific test result.
.PARAMETER ExportAllTests
Switch to export all test results. When specified, all test results are exported to the specified path.
An array of PSCustomObject (CISAuditResult) objects containing the audit results to export or query.
.PARAMETER ExportPath
The path where the CSV or Excel files will be exported. This parameter is mandatory when exporting all tests.
.PARAMETER ExportOriginalTests
Switch to export the original audit results to a CSV file. When specified, the original test results are exported along with the processed results.
Path to the directory where CSV/Excel files and the final ZIP archive will be placed. Required for
any file-based export (DefaultExport or OnlyExportNestedTables).
.PARAMETER ExportToExcel
Switch to export the results to an Excel file. When specified, results are exported in Excel format.
Switch to export files in Excel (.xlsx) format instead of CSV. Requires the ImportExcel module.
.PARAMETER Prefix
A short prefix (05 characters, default 'Corp') appended to the summary audit filename and hashes.
.PARAMETER OnlyExportNestedTables
Switch to export only the per-test nested tables to files, skipping the full audit summary.
.PARAMETER OutputTestNumber
Specify one test number (valid values: '1.1.1','1.3.1','6.1.2','6.1.3','7.3.4') to return that tests
details in-memory as objects without writing any files.
.INPUTS
[CISAuditResult[]] - An array of CISAuditResult objects.
[string] - A path to a CSV file.
System.Object[] (array of CISAuditResult PSCustomObjects)
.OUTPUTS
[PSCustomObject] - A custom object containing the path to the zip file and its hash.
PSCustomObject with property ZipFilePath indicating the final ZIP archive location, or raw test details
when using -OutputTestNumber.
.EXAMPLE
Export-M365SecurityAuditTable -AuditResults $object -OutputTestNumber 6.1.2
# Outputs the result of test number 6.1.2 from the provided audit results as an object.
# Return details for test 6.1.2
Export-M365SecurityAuditTable -AuditResults $audits -OutputTestNumber 6.1.2
.EXAMPLE
Export-M365SecurityAuditTable -ExportAllTests -AuditResults $object -ExportPath "C:\temp"
# Exports all audit results to the specified path in CSV format.
# Full export (nested tables + summary) to CSV
Export-M365SecurityAuditTable -AuditResults $audits -ExportPath "C:\temp"
.EXAMPLE
Export-M365SecurityAuditTable -CsvPath "C:\temp\auditresultstoday1.csv" -OutputTestNumber 6.1.2
# Outputs the result of test number 6.1.2 from the CSV file as an object.
# Only export nested tables to Excel
Export-M365SecurityAuditTable -AuditResults $audits -ExportPath "C:\temp" -OnlyExportNestedTables -ExportToExcel
.EXAMPLE
Export-M365SecurityAuditTable -ExportAllTests -CsvPath "C:\temp\auditresultstoday1.csv" -ExportPath "C:\temp"
# Exports all audit results from the CSV file to the specified path in CSV format.
.EXAMPLE
Export-M365SecurityAuditTable -ExportAllTests -AuditResults $object -ExportPath "C:\temp" -ExportOriginalTests
# Exports all audit results along with the original test results to the specified path in CSV format.
.EXAMPLE
Export-M365SecurityAuditTable -ExportAllTests -CsvPath "C:\temp\auditresultstoday1.csv" -ExportPath "C:\temp" -ExportOriginalTests
# Exports all audit results from the CSV file along with the original test results to the specified path in CSV format.
.EXAMPLE
Export-M365SecurityAuditTable -ExportAllTests -AuditResults $object -ExportPath "C:\temp" -ExportToExcel
# Exports all audit results to the specified path in Excel format.
# Custom prefix for filenames
Export-M365SecurityAuditTable -AuditResults $audits -ExportPath "C:\temp" -Prefix Dev
.LINK
https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Export-M365SecurityAuditTable
#>
function Export-M365SecurityAuditTable {
[CmdletBinding()]
[CmdletBinding(
DefaultParameterSetName = 'DefaultExport',
SupportsShouldProcess,
ConfirmImpact = 'High'
)]
[OutputType([PSCustomObject])]
param (
[Parameter(Mandatory = $true, Position = 1, ParameterSetName = "ExportAllResultsFromAuditResults")]
[Parameter(Mandatory = $true, Position = 2, ParameterSetName = "OutputObjectFromAuditResultsSingle")]
[CISAuditResult[]]$AuditResults,
[Parameter(Mandatory = $true, Position = 1, ParameterSetName = "ExportAllResultsFromCsv")]
[Parameter(Mandatory = $true, Position = 2, ParameterSetName = "OutputObjectFromCsvSingle")]
[ValidateScript({ (Test-Path $_) -and ((Get-Item $_).PSIsContainer -eq $false) })]
[string]$CsvPath,
[Parameter(Mandatory = $true, Position = 1, ParameterSetName = "OutputObjectFromAuditResultsSingle")]
[Parameter(Mandatory = $true, Position = 1, ParameterSetName = "OutputObjectFromCsvSingle")]
[ValidateSet("1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4")]
[string]$OutputTestNumber,
[Parameter(Mandatory = $false, Position = 0, ParameterSetName = "ExportAllResultsFromAuditResults")]
[Parameter(Mandatory = $false, Position = 0, ParameterSetName = "ExportAllResultsFromCsv")]
[switch]$ExportAllTests,
[Parameter(Mandatory = $true, ParameterSetName = "ExportAllResultsFromAuditResults")]
[Parameter(Mandatory = $true, ParameterSetName = "ExportAllResultsFromCsv")]
[string]$ExportPath,
[Parameter(Mandatory = $true, ParameterSetName = "ExportAllResultsFromAuditResults")]
[Parameter(Mandatory = $true, ParameterSetName = "ExportAllResultsFromCsv")]
[switch]$ExportOriginalTests,
[Parameter(Mandatory = $false, ParameterSetName = "ExportAllResultsFromAuditResults")]
[Parameter(Mandatory = $false, ParameterSetName = "ExportAllResultsFromCsv")]
[switch]$ExportToExcel
param(
#───────────────────────────────────────────────────────────────────────────
# 1) DefaultExport: full audit export (nested tables + summary) into ZIP
# -AuditResults, -ExportPath, [-ExportToExcel], [-Prefix]
#───────────────────────────────────────────────────────────────────────────
[Parameter(Mandatory, ParameterSetName = 'DefaultExport')]
[Parameter(Mandatory, ParameterSetName = 'OnlyExportNestedTables')]
[Parameter(Mandatory, ParameterSetName = 'SingleObject')]
[psobject[]]
$AuditResults,
[Parameter(Mandatory, ParameterSetName = 'DefaultExport')]
[Parameter(Mandatory, ParameterSetName = 'OnlyExportNestedTables')]
[string]
$ExportPath,
[Parameter(ParameterSetName = 'DefaultExport')]
[Parameter(ParameterSetName = 'OnlyExportNestedTables')]
[switch]
$ExportToExcel,
[Parameter(ParameterSetName = 'DefaultExport')]
[Parameter(ParameterSetName = 'OnlyExportNestedTables')]
[ValidateLength(0,5)]
[string]
$Prefix = 'Corp',
#───────────────────────────────────────────────────────────────────────────
# 2) OnlyExportNestedTables: nested tables only into ZIP
# -AuditResults, -ExportPath, -OnlyExportNestedTables
#───────────────────────────────────────────────────────────────────────────
[Parameter(Mandatory, ParameterSetName = 'OnlyExportNestedTables')]
[switch]
$OnlyExportNestedTables,
#───────────────────────────────────────────────────────────────────────────
# 3) SingleObject: in-memory output of one tests details
# -AuditResults, -OutputTestNumber
#───────────────────────────────────────────────────────────────────────────
[Parameter(Mandatory, ParameterSetName = 'SingleObject')]
[ValidateSet('1.1.1','1.3.1','6.1.2','6.1.3','7.3.4')]
[string]
$OutputTestNumber
)
Begin {
$createdFiles = @() # Initialize an array to keep track of created files
# Load v4.0 definitions
$AuditResults[0].M365AuditVersion
$script:TestDefinitionsObject = Get-TestDefinition -Version $Version
# Ensure Excel support if requested
if ($ExportToExcel) {
Assert-ModuleAvailability -ModuleName ImportExcel -RequiredVersion "7.8.9"
Assert-ModuleAvailability -ModuleName ImportExcel -RequiredVersion '7.8.9'
}
if ($PSCmdlet.ParameterSetName -like "ExportAllResultsFromCsv" -or $PSCmdlet.ParameterSetName -eq "OutputObjectFromCsvSingle") {
$AuditResults = Import-Csv -Path $CsvPath | ForEach-Object {
$params = @{
Rec = $_.Rec
Result = [bool]$_.Result
Status = $_.Status
Details = $_.Details
FailureReason = $_.FailureReason
}
Initialize-CISAuditResult @params
}
# Tests producing nested tables
$nestedTests = '1.1.1','1.3.1','6.1.2','6.1.3','7.3.4'
# Initialize collections
$results = @()
$createdFiles = [System.Collections.Generic.List[string]]::new()
# Determine which tests to process
if ($PSCmdlet.ParameterSetName -eq 'SingleObject') {
$testsToProcess = @($OutputTestNumber)
} else {
$testsToProcess = $nestedTests
}
if ($ExportAllTests) {
$TestNumbers = "1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4"
}
$results = @()
$testsToProcess = if ($OutputTestNumber) { @($OutputTestNumber) } else { $TestNumbers }
}
Process {
foreach ($test in $testsToProcess) {
$auditResult = $AuditResults | Where-Object { $_.Rec -eq $test }
if (-not $auditResult) {
Write-Information "No audit results found for the test number $test."
continue
}
$item = $AuditResults | Where-Object Rec -EQ $test
if (-not $item) { continue }
switch ($test) {
"6.1.2" {
$details = $auditResult.Details
$newObjectDetails = Get-AuditMailboxDetail -Details $details -Version '6.1.2'
$results += [PSCustomObject]@{ TestNumber = $test; Details = $newObjectDetails }
}
"6.1.3" {
$details = $auditResult.Details
$newObjectDetails = Get-AuditMailboxDetail -Details $details -Version '6.1.3'
$results += [PSCustomObject]@{ TestNumber = $test; Details = $newObjectDetails }
}
Default {
$details = $auditResult.Details
$csv = $details | ConvertFrom-Csv -Delimiter '|'
$results += [PSCustomObject]@{ TestNumber = $test; Details = $csv }
}
'6.1.2' { $parsed = Get-AuditMailboxDetail -Details $item.Details -Version '6.1.2' }
'6.1.3' { $parsed = Get-AuditMailboxDetail -Details $item.Details -Version '6.1.3' }
Default { $parsed = $item.Details | ConvertFrom-Csv -Delimiter '|' }
}
$results += [PSCustomObject]@{ TestNumber = $test; Details = $parsed }
}
}
End {
if ($ExportPath) {
$timestamp = (Get-Date).ToString("yyyy.MM.dd_HH.mm.ss")
$exportedTests = @()
foreach ($result in $results) {
$testDef = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $result.TestNumber }
if ($testDef) {
$fileName = "$ExportPath\$($timestamp)_$($result.TestNumber).$($testDef.TestFileName -replace '\.ps1$').csv"
if ($result.Details.Count -eq 0) {
Write-Information "No results found for test number $($result.TestNumber)." -InformationAction Continue
}
else {
if (($result.Details -ne "No M365 E3 licenses found.") -and ($result.Details -ne "No M365 E5 licenses found.")) {
if ($ExportToExcel) {
$xlsxPath = [System.IO.Path]::ChangeExtension($fileName, '.xlsx')
$result.Details | Export-Excel -Path $xlsxPath -WorksheetName Table -TableName Table -AutoSize -TableStyle Medium2
$createdFiles += $xlsxPath # Add the created file to the array
}
else {
$result.Details | Export-Csv -Path $fileName -NoTypeInformation
$createdFiles += $fileName # Add the created file to the array
}
$exportedTests += $result.TestNumber
}
}
}
}
if ($exportedTests.Count -gt 0) {
Write-Information "The following tests were exported: $($exportedTests -join ', ')" -InformationAction Continue
}
else {
if ($ExportOriginalTests) {
Write-Information "Full audit results exported however, none of the following tests had exports: `n1.1.1, 1.3.1, 6.1.2, 6.1.3, 7.3.4" -InformationAction Continue
}
else {
Write-Information "No specified tests were included in the export." -InformationAction Continue
}
}
if ($ExportOriginalTests) {
# Define the test numbers to check
$TestNumbersToCheck = "1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4"
# Check for large details and update the AuditResults array
$updatedAuditResults = Get-ExceededLengthResultDetail -AuditResults $AuditResults -TestNumbersToCheck $TestNumbersToCheck -ExportedTests $exportedTests -DetailsLengthLimit 30000 -PreviewLineCount 25
$originalFileName = "$ExportPath\$timestamp`_M365FoundationsAudit.csv"
if ($ExportToExcel) {
$xlsxPath = [System.IO.Path]::ChangeExtension($originalFileName, '.xlsx')
$updatedAuditResults | Export-Excel -Path $xlsxPath -WorksheetName Table -TableName Table -AutoSize -TableStyle Medium2
$createdFiles += $xlsxPath # Add the created file to the array
}
else {
$updatedAuditResults | Export-Csv -Path $originalFileName -NoTypeInformation
$createdFiles += $originalFileName # Add the created file to the array
}
}
# Hash each file and add it to a dictionary
# Hash each file and save the hashes to a text file
$hashFilePath = "$ExportPath\$timestamp`_Hashes.txt"
$fileHashes = @()
foreach ($file in $createdFiles) {
$hash = Get-FileHash -Path $file -Algorithm SHA256
$fileHashes += "$($file): $($hash.Hash)"
}
$fileHashes | Set-Content -Path $hashFilePath
$createdFiles += $hashFilePath # Add the hash file to the array
# Create a zip file and add all the created files
$zipFilePath = "$ExportPath\$timestamp`_M365FoundationsAudit.zip"
Compress-Archive -Path $createdFiles -DestinationPath $zipFilePath
# Remove the original files after they have been added to the zip
foreach ($file in $createdFiles) {
Remove-Item -Path $file -Force
}
# Compute the hash for the zip file and rename it
$zipHash = Get-FileHash -Path $zipFilePath -Algorithm SHA256
$newZipFilePath = "$ExportPath\$timestamp`_M365FoundationsAudit_$($zipHash.Hash.Substring(0, 8)).zip"
Rename-Item -Path $zipFilePath -NewName $newZipFilePath
# Output the zip file path with hash
[PSCustomObject]@{
ZipFilePath = $newZipFilePath
}
} # End of ExportPath
elseif ($OutputTestNumber) {
if ($results[0].Details) {
#--- SingleObject: return in-memory details ---
if ($PSCmdlet.ParameterSetName -eq 'SingleObject') {
if ($results.Count -and $results[0].Details) {
return $results[0].Details
}
else {
Write-Information "No results found for test number $($OutputTestNumber)." -InformationAction Continue
throw "No results found for test $OutputTestNumber."
}
#--- File export: DefaultExport or OnlyExportNestedTables ---
if (-not $ExportPath) {
throw 'ExportPath is required for file export.'
}
if ($PSCmdlet.ShouldProcess($ExportPath, 'Export and archive audit results')) {
# Ensure directory
if (-not (Test-Path $ExportPath)) { New-Item -Path $ExportPath -ItemType Directory -Force | Out-Null }
$timestamp = (Get-Date).ToString('yyyy.MM.dd_HH.mm.ss')
$exportedTests = @()
# Always truncate large details before writing files
Write-Verbose 'Truncating oversized details...'
$truncatedAudit = Get-ExceededLengthResultDetail `
-AuditResults $AuditResults `
-TestNumbersToCheck $nestedTests `
-ExportedTests $exportedTests `
-DetailsLengthLimit 30000 `
-PreviewLineCount 25
#--- Export nested tables ---
Write-Verbose "[$($PSCmdlet.ParameterSetName)] exporting nested table CSV/XLSX..."
foreach ($entry in $results) {
if (-not $entry.Details) { continue }
$name = "$timestamp`_$($entry.TestNumber)"
$csv = Join-Path $ExportPath "$name.csv"
if ($ExportToExcel) {
$xlsx = [IO.Path]::ChangeExtension($csv, '.xlsx')
$entry.Details | Export-Excel -Path $xlsx -WorksheetName Table -TableName Table -AutoSize -TableStyle Medium2
$createdFiles.Add($xlsx)
} else {
$entry.Details | Export-Csv -Path $csv -NoTypeInformation
$createdFiles.Add($csv)
}
$exportedTests += $entry.TestNumber
}
if ($exportedTests.Count) {
Write-Information "Exported nested tables: $($exportedTests -join ', ')"
} elseif ($OnlyExportNestedTables) {
Write-Warning 'No nested data to export.'
}
#--- Summary export (DefaultExport only) ---
if ($PSCmdlet.ParameterSetName -eq 'DefaultExport') {
Write-Verbose 'Exporting full summary with truncated details...'
$base = "${timestamp}_${Prefix}-M365FoundationsAudit"
$out = Join-Path $ExportPath "$base.csv"
if ($ExportToExcel) {
$xlsx = [IO.Path]::ChangeExtension($out, '.xlsx')
$truncatedAudit | select-object * | Export-Excel -Path $xlsx -WorksheetName Table -TableName Table -AutoSize -TableStyle Medium2
$createdFiles.Add($xlsx)
} else {
Write-Verbose "Exporting to Path: $out"
$truncatedAudit | select-object * | Export-Csv -Path $out -NoTypeInformation
$createdFiles.Add($out)
}
Write-Information 'Exported summary of all audit results.'
}
#--- Hash & ZIP ---
Write-Verbose 'Computing file hashes...'
$hashFile = Join-Path $ExportPath "$timestamp`_${Prefix}-Hashes.txt"
$createdFiles | ForEach-Object {
$h = Get-FileHash -Path $_ -Algorithm SHA256
"$([IO.Path]::GetFileName($_)): $($h.Hash)"
} | Set-Content -Path $hashFile
$createdFiles.Add($hashFile)
Write-Verbose 'Creating ZIP archive...'
$zip = Join-Path $ExportPath "$timestamp`_${Prefix}-M365FoundationsAudit.zip"
Compress-Archive -Path $createdFiles -DestinationPath $zip -Force
$createdFiles | Remove-Item -Force
# Rename to include short hash
$zHash = Get-FileHash -Path $zip -Algorithm SHA256
$final = Join-Path $ExportPath ("$timestamp`_${Prefix}-M365FoundationsAudit_$($zHash.Hash.Substring(0,8)).zip")
Rename-Item -Path $zip -NewName (Split-Path $final -Leaf)
return [PSCustomObject]@{ ZipFilePath = $final }
}
else {
Write-Error "No valid operation specified. Please provide valid parameters."
}
# Output the created files at the end
#if ($createdFiles.Count -gt 0) {
########### $createdFiles
#}
}
}

2
source/Public/Get-AdminRoleUserLicense.ps1
View File

@@ -34,7 +34,7 @@ function Get-AdminRoleUserLicense {
begin {
if (-not $SkipGraphConnection) {
Connect-MgGraph -Scopes "Directory.Read.All", "Domain.Read.All", "Policy.Read.All", "Organization.Read.All" -NoWelcome
Connect-MgGraph -Scopes "Directory.Read.All", "Domain.Read.All", "Policy.Read.All", "Organization.Read.All" | Out-Null
}
$adminRoleUsers = [System.Collections.ArrayList]::new()

29
source/Public/Get-M365SecurityAuditRecNumberList.ps1 Normal file
View File

@@ -0,0 +1,29 @@
function Get-M365SecurityAuditRecNumberList {
param (
[ValidateSet('3.0.0', '4.0.0')]
[string]$Version
)
switch ($Version) {
'3.0.0' {
# Define the Rec numbers for version 3.0.0
$recNumbers_3_0_0 = @(
'1.1.1', '1.1.3', '1.2.1', '1.2.2', '1.3.1', '1.3.3', '1.3.6', '2.1.1', '2.1.2', '2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9',
'3.1.1', '5.1.2.3', '5.1.8.1', '6.1.1', '6.1.2', '6.1.3', '6.2.1', '6.2.2', '6.2.3', '6.3.1', '6.5.1', '6.5.2', '6.5.3', '7.2.1',
'7.2.2', '7.2.3', '7.2.4', '7.2.5', '7.2.6', '7.2.7', '7.2.9', '7.2.10', '7.3.1', '7.3.2', '7.3.4', '8.1.1', '8.1.2', '8.2.1',
'8.5.1', '8.5.2', '8.5.3', '8.5.4', '8.5.5', '8.5.6', '8.5.7', '8.6.1'
)
return $recNumbers_3_0_0
}
'4.0.0' {
# Define the Rec numbers for version 4.0.0
$recNumbers_4_0_0 = @(
'1.1.1', '1.1.3', '1.1.4', '1.2.1', '1.2.2', '1.3.1', '1.3.3', '1.3.6', '2.1.1', '2.1.11', '2.1.12', '2.1.13', '2.1.14', '2.1.2',
'2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '3.1.1', '5.1.2.3', '5.1.8.1', '6.1.1', '6.1.2', '6.1.3', '6.1.4', '6.2.1',
'6.2.2', '6.2.3', '6.3.1', '6.5.1', '6.5.2', '6.5.3', '7.2.1', '7.2.10', '7.2.2', '7.2.3', '7.2.4', '7.2.5', '7.2.6', '7.2.7',
'7.2.9', '7.3.1', '7.3.2', '7.3.4', '8.1.1', '8.1.2', '8.2.1', '8.5.1', '8.5.2', '8.5.3', '8.5.4', '8.5.5', '8.5.6', '8.5.7',
'8.6.1'
)
return $recNumbers_4_0_0
}
}
}

403
source/Public/Invoke-M365SecurityAudit.ps1
View File

@@ -1,228 +1,202 @@
<#
.SYNOPSIS
Invokes a security audit for Microsoft 365 environments.
Perform a CISaligned security audit of a Microsoft365 tenant.
.DESCRIPTION
The Invoke-M365SecurityAudit cmdlet performs a comprehensive security audit based on the specified parameters.
It allows auditing of various configurations and settings within a Microsoft 365 environment in alignment with CIS benchmarks designated "Automatic".
Invoke-M365SecurityAudit runs a series of CIS benchmark tests (v3.0.0 or v4.0.0) against your
Microsoft365 environment. You can filter by domain, license level (E3/E5), profile level (L1/L2),
IG levels, include or skip specific recommendations, and supply appbased credentials.
Results are returned as an array of CISAuditResult objects.
.PARAMETER TenantAdminUrl
The URL of the tenant admin. If not specified, none of the SharePoint Online tests will run.
The SharePoint admin URL (e.g. https://contoso-admin.sharepoint.com). If omitted, SPO tests are skipped.
.PARAMETER DomainName
The domain name of the Microsoft 365 environment to test. It is optional and will trigger various tests to run only for the specified domain.
Tests Affected: 2.1.9/Test-EnableDKIM, 1.3.1/Test-PasswordNeverExpirePolicy, 2.1.4/Test-SafeAttachmentsPolicy
Limit domainspecific tests (1.3.1, 2.1.9) to this domain (e.g. “contoso.com”).
.PARAMETER ELevel
Specifies the E-Level (E3 or E5) for the audit. This parameter is optional and can be combined with the ProfileLevel parameter.
License audit level (E3 or E5”). Requires -ProfileLevel to also be specified.
.PARAMETER ProfileLevel
Specifies the profile level (L1 or L2) for the audit. This parameter is mandatory, but only when ELevel is selected. Otherwise it is not required.
CIS profile level (L1 or L2”). Mandatory when -ELevel is used.
.PARAMETER IncludeIG1
If specified, includes tests where IG1 is true.
Include IG1only tests in the audit.
.PARAMETER IncludeIG2
If specified, includes tests where IG2 is true.
Include IG2only tests in the audit.
.PARAMETER IncludeIG3
If specified, includes tests where IG3 is true.
Include IG3only tests in the audit.
.PARAMETER IncludeRecommendation
Specifies specific recommendations to include in the audit. Accepts an array of recommendation numbers.
An array of specific recommendation IDs to include (e.g. '1.1.3','2.1.1').
.PARAMETER SkipRecommendation
Specifies specific recommendations to exclude from the audit. Accepts an array of recommendation numbers.
An array of specific recommendation IDs to exclude.
.PARAMETER ApprovedCloudStorageProviders
Specifies the approved cloud storage providers for the audit. Accepts an array of cloud storage provider names for test 8.1.1/Test-TeamsExternalFileSharing.
Acceptable values: 'GoogleDrive', 'ShareFile', 'Box', 'DropBox', 'Egnyte'
For test8.1.1, list allowed storage providers (GoogleDrive,Box,ShareFile,DropBox,Egnyte).
.PARAMETER ApprovedFederatedDomains
Specifies the approved federated domains for the audit test 8.2.1/Test-TeamsExternalAccess. Accepts an array of allowed domain names.
Additional Tests may include this parameter in the future.
For test8.2.1, list allowed federated domains (e.g. 'microsoft.com').
.PARAMETER DoNotConnect
If specified, the cmdlet will not establish a connection to Microsoft 365 services.
Skip connecting to Microsoft365 services; you must have an existing session.
.PARAMETER DoNotDisconnect
If specified, the cmdlet will not disconnect from Microsoft 365 services after execution.
Skip disconnecting from Microsoft365 services at the end.
.PARAMETER NoModuleCheck
If specified, the cmdlet will not check for the presence of required modules.
Skip installing/checking required PowerShell modules.
.PARAMETER DoNotConfirmConnections
If specified, the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them.
.EXAMPLE
PS> Invoke-M365SecurityAudit
Performs a security audit using default parameters.
Output:
Status : Fail
ELevel : E3
ProfileLevel: L1
Connection : Microsoft Graph
Rec : 1.1.1
Result : False
Details : Non-compliant accounts:
Username | Roles | HybridStatus | Missing Licence
user1@domain.com| Global Administrator | Cloud-Only | AAD_PREMIUM
user2@domain.com| Global Administrator | Hybrid | AAD_PREMIUM, AAD_PREMIUM_P2
FailureReason: Non-Compliant Accounts: 2
.EXAMPLE
PS> Invoke-M365SecurityAudit -TenantAdminUrl "https://contoso-admin.sharepoint.com" -DomainName "contoso.com" -ELevel "E5" -ProfileLevel "L1"
Performs a security audit for the E5 level and L1 profile in the specified Microsoft 365 environment.
Output:
Status : Fail
ELevel : E5
ProfileLevel: L1
Connection : Microsoft Graph
Rec : 1.1.1
Result : False
Details : Non-compliant accounts:
Username | Roles | HybridStatus | Missing Licence
user1@domain.com| Global Administrator | Cloud-Only | AAD_PREMIUM
user2@domain.com| Global Administrator | Hybrid | AAD_PREMIUM, AAD_PREMIUM_P2
FailureReason: Non-Compliant Accounts: 2
.EXAMPLE
PS> Invoke-M365SecurityAudit -TenantAdminUrl "https://contoso-admin.sharepoint.com" -DomainName "contoso.com" -IncludeIG1
Performs an audit including all tests where IG1 is true.
Output:
Status : Fail
ELevel : E3
ProfileLevel: L1
Connection : Microsoft Graph
Rec : 1.1.1
Result : False
Details : Non-compliant accounts:
Username | Roles | HybridStatus | Missing Licence
user1@domain.com| Global Administrator | Cloud-Only | AAD_PREMIUM
user2@domain.com| Global Administrator | Hybrid | AAD_PREMIUM, AAD_PREMIUM_P2
FailureReason: Non-Compliant Accounts: 2
.EXAMPLE
PS> Invoke-M365SecurityAudit -TenantAdminUrl "https://contoso-admin.sharepoint.com" -DomainName "contoso.com" -SkipRecommendation '1.1.3', '2.1.1'
Performs an audit while excluding specific recommendations 1.1.3 and 2.1.1.
Output:
Status : Fail
ELevel : E3
ProfileLevel: L1
Connection : Microsoft Graph
Rec : 1.1.1
Result : False
Details : Non-compliant accounts:
Username | Roles | HybridStatus | Missing Licence
user1@domain.com| Global Administrator | Cloud-Only | AAD_PREMIUM
user2@domain.com| Global Administrator | Hybrid | AAD_PREMIUM, AAD_PREMIUM_P2
FailureReason: Non-Compliant Accounts: 2
.EXAMPLE
PS> $auditResults = Invoke-M365SecurityAudit -TenantAdminUrl "https://contoso-admin.sharepoint.com" -DomainName "contoso.com"
PS> Export-M365SecurityAuditTable -AuditResults $auditResults -ExportPath "C:\temp" -ExportOriginalTests -ExportAllTests
Or:
PS> $auditResults | Export-Csv -Path "auditResults.csv" -NoTypeInformation
Captures the audit results into a variable and exports them to a CSV file (Nested tables will be truncated).
Output:
CISAuditResult[]
auditResults.csv
.EXAMPLE
PS> Invoke-M365SecurityAudit -WhatIf
Displays what would happen if the cmdlet is run without actually performing the audit.
Output:
What if: Performing the operation "Invoke-M365SecurityAudit" on target "Microsoft 365 environment".
When connecting, do not prompt for “Proceed?” before authenticating.
.PARAMETER AuthParams
A CISAuthenticationParameters object for certificatebased app authentication.
.PARAMETER Version
CIS definitions version (“3.0.0” or “4.0.0”; default “4.0.0”).
.INPUTS
None. You cannot pipe objects to Invoke-M365SecurityAudit.
None; this cmdlet does not accept pipeline input.
.OUTPUTS
CISAuditResult[]
The cmdlet returns an array of CISAuditResult objects representing the results of the security audit.
.NOTES
- This module is based on CIS benchmarks.
- Governed by the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
- Commercial use is not permitted. This module cannot be sold or used for commercial purposes.
- Modifications and sharing are allowed under the same license.
- For full license details, visit: https://creativecommons.org/licenses/by-nc-sa/4.0/deed.en
- Register for CIS Benchmarks at: https://www.cisecurity.org/cis-benchmarks
CISAuditResult[] — an array of PSCustomObjects representing each tests outcome.
.EXAMPLE
# Quick audit with defaults (v4.0.0)
Invoke-M365SecurityAudit
.EXAMPLE
# Audit E5, level L1, for a single domain:
Invoke-M365SecurityAudit -TenantAdminUrl 'https://contoso-admin.sharepoint.com' `
-DomainName 'contoso.com' -ELevel E5 -ProfileLevel L1
.EXAMPLE
# Only include specific recommendations:
Invoke-M365SecurityAudit -IncludeRecommendation '1.1.3','2.1.1'
.EXAMPLE
# Apponly auth + skip confirmation:
$auth = New-M365SecurityAuditAuthObject -ClientId ... -ClientCertThumbPrint ...
Invoke-M365SecurityAudit -AuthParams $auth -DoNotConfirmConnections
.LINK
https://criticalsolutionsnetwork.github.io/M365FoundationsCISReport/#Invoke-M365SecurityAudit
#>
function Invoke-M365SecurityAudit {
[CmdletBinding(SupportsShouldProcess = $true, DefaultParameterSetName = 'Default')]
# Add confirm to high
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High' , DefaultParameterSetName = 'Default')]
[OutputType([CISAuditResult[]])]
param (
[Parameter(Mandatory = $false, HelpMessage = "The SharePoint tenant admin URL, which should end with '-admin.sharepoint.com'. If not specified none of the Sharepoint Online tests will run.")]
[ValidatePattern('^https://[a-zA-Z0-9-]+-admin\.sharepoint\.com$')]
[string]$TenantAdminUrl,
[string]
$TenantAdminUrl,
[Parameter(Mandatory = $false, HelpMessage = "Specify this to test only the default domain for password expiration and DKIM Config for tests '1.3.1' and 2.1.9. The domain name of your organization, e.g., 'example.com'.")]
[ValidatePattern('^[a-zA-Z0-9-]+\.[a-zA-Z]{2,}$')]
[string]$DomainName,
[string]
$DomainName,
# E-Level with optional ProfileLevel selection
[Parameter(Mandatory = $true, ParameterSetName = 'ELevelFilter', HelpMessage = "Specifies the E-Level (E3 or E5) for the audit.")]
[Parameter(Mandatory = $true, ParameterSetName = 'ELevelFilter', HelpMessage = 'Specifies the E-Level (E3 or E5) for the audit.')]
[ValidateSet('E3', 'E5')]
[string]$ELevel,
[Parameter(Mandatory = $true, ParameterSetName = 'ELevelFilter', HelpMessage = "Specifies the profile level (L1 or L2) for the audit.")]
[string]
$ELevel,
[Parameter(Mandatory = $true, ParameterSetName = 'ELevelFilter', HelpMessage = 'Specifies the profile level (L1 or L2) for the audit.')]
[ValidateSet('L1', 'L2')]
[string]$ProfileLevel,
[string]
$ProfileLevel,
# IG Filters, one at a time
[Parameter(Mandatory = $true, ParameterSetName = 'IG1Filter', HelpMessage = "Includes tests where IG1 is true.")]
[switch]$IncludeIG1,
[Parameter(Mandatory = $true, ParameterSetName = 'IG2Filter', HelpMessage = "Includes tests where IG2 is true.")]
[switch]$IncludeIG2,
[Parameter(Mandatory = $true, ParameterSetName = 'IG3Filter', HelpMessage = "Includes tests where IG3 is true.")]
[switch]$IncludeIG3,
[Parameter(Mandatory = $true, ParameterSetName = 'IG1Filter', HelpMessage = 'Includes tests where IG1 is true.')]
[switch]
$IncludeIG1,
[Parameter(Mandatory = $true, ParameterSetName = 'IG2Filter', HelpMessage = 'Includes tests where IG2 is true.')]
[switch]
$IncludeIG2,
[Parameter(Mandatory = $true, ParameterSetName = 'IG3Filter', HelpMessage = 'Includes tests where IG3 is true.')]
[switch]
$IncludeIG3,
# Inclusion of specific recommendation numbers
[Parameter(Mandatory = $true, ParameterSetName = 'RecFilter', HelpMessage = "Specifies specific recommendations to include in the audit. Accepts an array of recommendation numbers.")]
[Parameter(Mandatory = $true, ParameterSetName = 'RecFilter', HelpMessage = 'Specifies specific recommendations to include in the audit. Accepts an array of recommendation numbers.')]
[ValidateSet(
'1.1.1', '1.1.3', '1.2.1', '1.2.2', '1.3.1', '1.3.3', '1.3.6', '2.1.1', '2.1.2', `
'2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '3.1.1', '5.1.2.3', `
'5.1.8.1', '6.1.1', '6.1.2', '6.1.3', '6.2.1', '6.2.2', '6.2.3', '6.3.1', `
'6.5.1', '6.5.2', '6.5.3', '7.2.1', '7.2.10', '7.2.2', '7.2.3', '7.2.4', `
'7.2.5', '7.2.6', '7.2.7', '7.2.9', '7.3.1', '7.3.2', '7.3.4', '8.1.1', `
'8.1.2', '8.2.1', '8.5.1', '8.5.2', '8.5.3', '8.5.4', '8.5.5', '8.5.6', `
'1.1.1', '1.1.3', '1.1.4', '1.2.1', '1.2.2', '1.3.1', '1.3.3', '1.3.6', '2.1.1', '2.1.2', `
'2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '2.1.11', '2.1.12', '2.1.13', `
'2.1.14', '3.1.1', '5.1.2.3', '5.1.8.1', '6.1.1', '6.1.2', '6.1.3', '6.1.4', '6.2.1', `
'6.2.2', '6.2.3', '6.3.1', '6.5.1', '6.5.2', '6.5.3', '7.2.1', '7.2.10', '7.2.2', `
'7.2.3', '7.2.4', '7.2.5', '7.2.6', '7.2.7', '7.2.9', '7.3.1', '7.3.2', '7.3.4', `
'8.1.1', '8.1.2', '8.2.1', '8.5.1', '8.5.2', '8.5.3', '8.5.4', '8.5.5', '8.5.6', `
'8.5.7', '8.6.1'
)]
[string[]]$IncludeRecommendation,
[string[]]
$IncludeRecommendation,
# Exclusion of specific recommendation numbers
[Parameter(Mandatory = $true, ParameterSetName = 'SkipRecFilter', HelpMessage = "Specifies specific recommendations to exclude from the audit. Accepts an array of recommendation numbers.")]
[Parameter(Mandatory = $true, ParameterSetName = 'SkipRecFilter', HelpMessage = 'Specifies specific recommendations to exclude from the audit. Accepts an array of recommendation numbers.')]
[ValidateSet(
'1.1.1', '1.1.3', '1.2.1', '1.2.2', '1.3.1', '1.3.3', '1.3.6', '2.1.1', '2.1.2', `
'2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '3.1.1', '5.1.2.3', `
'5.1.8.1', '6.1.1', '6.1.2', '6.1.3', '6.2.1', '6.2.2', '6.2.3', '6.3.1', `
'6.5.1', '6.5.2', '6.5.3', '7.2.1', '7.2.10', '7.2.2', '7.2.3', '7.2.4', `
'7.2.5', '7.2.6', '7.2.7', '7.2.9', '7.3.1', '7.3.2', '7.3.4', '8.1.1', `
'8.1.2', '8.2.1', '8.5.1', '8.5.2', '8.5.3', '8.5.4', '8.5.5', '8.5.6', `
'1.1.1', '1.1.3', '1.1.4', '1.2.1', '1.2.2', '1.3.1', '1.3.3', '1.3.6', '2.1.1', '2.1.2', `
'2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '2.1.11', '2.1.12', '2.1.13', `
'2.1.14', '3.1.1', '5.1.2.3', '5.1.8.1', '6.1.1', '6.1.2', '6.1.3', '6.1.4', '6.2.1', `
'6.2.2', '6.2.3', '6.3.1', '6.5.1', '6.5.2', '6.5.3', '7.2.1', '7.2.10', '7.2.2', `
'7.2.3', '7.2.4', '7.2.5', '7.2.6', '7.2.7', '7.2.9', '7.3.1', '7.3.2', '7.3.4', `
'8.1.1', '8.1.2', '8.2.1', '8.5.1', '8.5.2', '8.5.3', '8.5.4', '8.5.5', '8.5.6', `
'8.5.7', '8.6.1'
)]
[string[]]$SkipRecommendation,
[string[]]
$SkipRecommendation,
# Common parameters for all parameter sets
[Parameter(Mandatory = $false, HelpMessage = "Specifies the approved cloud storage providers for the audit. Accepts an array of cloud storage provider names.")]
[Parameter(Mandatory = $false, HelpMessage = 'Specifies the approved cloud storage providers for the audit. Accepts an array of cloud storage provider names.')]
[ValidateSet(
'GoogleDrive', 'ShareFile', 'Box', 'DropBox', 'Egnyte'
)]
[string[]]$ApprovedCloudStorageProviders = @(),
[Parameter(Mandatory = $false, HelpMessage = "Specifies the approved federated domains for the audit test 8.2.1. Accepts an array of allowed domain names.")]
[string[]]
$ApprovedCloudStorageProviders = @(),
[Parameter(Mandatory = $false, HelpMessage = 'Specifies the approved federated domains for the audit test 8.2.1. Accepts an array of allowed domain names.')]
[ValidatePattern('^[a-zA-Z0-9-]+\.[a-zA-Z]{2,}$')]
[string[]]$ApprovedFederatedDomains,
[Parameter(Mandatory = $false, HelpMessage = "Specifies that the cmdlet will not establish a connection to Microsoft 365 services.")]
[switch]$DoNotConnect,
[Parameter(Mandatory = $false, HelpMessage = "Specifies that the cmdlet will not disconnect from Microsoft 365 services after execution.")]
[switch]$DoNotDisconnect,
[Parameter(Mandatory = $false, HelpMessage = "Specifies that the cmdlet will not check for the presence of required modules.")]
[switch]$NoModuleCheck,
[Parameter(Mandatory = $false, HelpMessage = "Specifies that the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them.")]
[switch]$DoNotConfirmConnections
[string[]]
$ApprovedFederatedDomains,
[Parameter(Mandatory = $false, HelpMessage = 'Specifies that the cmdlet will not establish a connection to Microsoft 365 services.')]
[switch]
$DoNotConnect,
[Parameter(Mandatory = $false, HelpMessage = 'Specifies that the cmdlet will not disconnect from Microsoft 365 services after execution.')]
[switch]
$DoNotDisconnect,
[Parameter(Mandatory = $false, HelpMessage = 'Specifies that the cmdlet will not check for the presence of required modules.')]
[switch]
$NoModuleCheck,
[Parameter(Mandatory = $false, HelpMessage = 'Specifies that the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them.')]
[switch]
$DoNotConfirmConnections,
[Parameter(Mandatory = $false, HelpMessage = 'Specifies an authentication object containing parameters for application-based authentication.')]
[CISAuthenticationParameters]
$AuthParams,
[Parameter(Mandatory = $false, HelpMessage = "Specifies the CIS benchmark definitions version to use. Default is 4.0.0. Valid values are '3.0.0' or '4.0.0'.")]
[ValidateSet('3.0.0', '4.0.0')]
[string]
$Version = '4.0.0'
)
Begin {
begin {
if ($script:MaximumFunctionCount -lt 8192) {
Write-Verbose "Setting the `$script:MaximumFunctionCount to 8192 for the test run." -Verbose
Write-Verbose "Setting the `$script:MaximumFunctionCount to 8192 for the test run."
$script:MaximumFunctionCount = 8192
}
if ($AuthParams) {
$script:PnpAuth = $true
$defaultPNPUpdateCheck = $env:PNPPOWERSHELL_UPDATECHECK
$env:PNPPOWERSHELL_UPDATECHECK = 'Off'
}
# Check for 4.0.0 specific tests when in 3.0.0 mode
# Test variables for testing 3.0.0 specific tests for included 4.0.0 tests
$recNumbersToCheck = @('1.1.4', '2.1.11', '2.1.12', '2.1.13', '2.1.14', '6.1.4')
# $IncludeRecommendation = '1.1.1','1.1.4'
# $Version = '3.0.0'
if ($IncludeRecommendation) {
if ($Version -ne '4.0.0') {
$foundRecNumbers = @()
foreach ($rec in $recNumbersToCheck) {
if ($IncludeRecommendation -contains $rec) {
$foundRecNumbers += $rec
}
}
if ($foundRecNumbers.Count -gt 0) {
throw "Check the '-IncludeRecommendation' parameter. The following test numbers are not available in the 3.0.0 version: $($foundRecNumbers -join ', ')"
}
}
}
# Ensure required modules are installed
$requiredModules = Get-RequiredModule -AuditFunction
# Format the required modules list
$requiredModulesFormatted = Format-RequiredModuleList -RequiredModules $requiredModules
# Check and install required modules if necessary
if (!($NoModuleCheck) -and $PSCmdlet.ShouldProcess("Check for required modules: $requiredModulesFormatted", "Check")) {
Write-Host "Checking for and installing required modules..." -ForegroundColor DarkMagenta
if (!($NoModuleCheck) -and $PSCmdlet.ShouldProcess("Install Modules: $requiredModulesFormatted", 'Assert-ModuleAvailability')) {
Write-Information 'Checking for and installing required modules...'
foreach ($module in $requiredModules) {
Assert-ModuleAvailability -ModuleName $module.ModuleName -RequiredVersion $module.RequiredVersion -SubModules $module.SubModules
}
}
# Load test definitions from CSV
$testDefinitionsPath = Join-Path -Path $PSScriptRoot -ChildPath "helper\TestDefinitions.csv"
$testDefinitions = Import-Csv -Path $testDefinitionsPath
elseif ($script:PnpAuth = $true) {
# Ensure MgGraph assemblies are loaded prior to running PnP cmdlets
Get-MgGroup -Top 1 -ErrorAction SilentlyContinue | Out-Null
}
$Script:CISVersion = $Version
# Call the function to load and merge test definitions
$testDefinitions = Get-TestDefinition -Version $Version
# Load the Test Definitions into the script scope for use in other functions
$script:TestDefinitionsObject = $testDefinitions
# Apply filters based on parameter sets
@@ -242,7 +216,7 @@ function Invoke-M365SecurityAudit {
$requiredConnections = $requiredConnections | Where-Object { $_ -ne 'SPO' }
$testDefinitions = $testDefinitions | Where-Object { $_.Connection -ne 'SPO' }
if ($null -eq $testDefinitions) {
throw "No tests to run as no SharePoint Online tests are available."
throw 'No tests to run as no SharePoint Online tests are available.'
}
}
}
@@ -253,82 +227,83 @@ function Invoke-M365SecurityAudit {
# Initialize a collection to hold failed test details
$script:FailedTests = [System.Collections.ArrayList]::new()
} # End Begin
Process {
process {
$allAuditResults = [System.Collections.ArrayList]::new() # Initialize a collection to hold all results
# Dynamically dot-source the test scripts
$testsFolderPath = Join-Path -Path $PSScriptRoot -ChildPath "tests"
$testFiles = Get-ChildItem -Path $testsFolderPath -Filter "Test-*.ps1" |
$testsFolderPath = Join-Path -Path $PSScriptRoot -ChildPath 'tests'
$testFiles = Get-ChildItem -Path $testsFolderPath -Filter 'Test-*.ps1' |
Where-Object { $testsToLoad -contains $_.BaseName }
$totalTests = $testFiles.Count
$currentTestIndex = 0
# Establishing connections if required
try {
$actualUniqueConnections = Get-UniqueConnection -Connections $requiredConnections
if (!($DoNotConnect) -and $PSCmdlet.ShouldProcess("Establish connections to Microsoft 365 services: $($actualUniqueConnections -join ', ')", "Connect")) {
Write-Host "Establishing connections to Microsoft 365 services: $($actualUniqueConnections -join ', ')" -ForegroundColor DarkMagenta
Connect-M365Suite -TenantAdminUrl $TenantAdminUrl -RequiredConnections $requiredConnections -SkipConfirmation:$DoNotConfirmConnections
if (!($DoNotConnect) -and $PSCmdlet.ShouldProcess("Establish connections to Microsoft 365 services: $($actualUniqueConnections -join ', ')", 'Connect')) {
Write-Information "Establishing connections to Microsoft 365 services: $($actualUniqueConnections -join ', ')"
Connect-M365Suite -TenantAdminUrl $TenantAdminUrl -RequiredConnections $requiredConnections -SkipConfirmation:$DoNotConfirmConnections -AuthParams $AuthParams
}
}
catch {
Write-Host "Connection execution aborted: $_" -ForegroundColor Red
break
throw "Connection execution aborted: $_"
}
}
end {
try {
Write-Host "A total of $($totalTests) tests were selected to run..." -ForegroundColor DarkMagenta
# Import the test functions
$testFiles | ForEach-Object {
$currentTestIndex++
Write-Progress -Activity "Loading Test Scripts" -Status "Loading $($currentTestIndex) of $($totalTests): $($_.Name)" -PercentComplete (($currentTestIndex / $totalTests) * 100)
Try {
# Dot source the test function
. $_.FullName
if ($PSCmdlet.ShouldProcess("Measure and display audit results for $($totalTests) tests", 'Measure')) {
Write-Information "A total of $($totalTests) tests were selected to run..."
# Import the test functions
$testFiles | ForEach-Object {
$currentTestIndex++
Write-Progress -Activity 'Loading Test Scripts' -Status "Loading $($currentTestIndex) of $($totalTests): $($_.Name)" -PercentComplete (($currentTestIndex / $totalTests) * 100)
try {
# Dot source the test function
. $_.FullName
}
catch {
# Log the error and add the test to the failed tests collection
Write-Verbose "Failed to load test function $($_.Name): $_"
$script:FailedTests.Add([PSCustomObject]@{ Test = $_.Name; Error = $_ })
}
}
Catch {
# Log the error and add the test to the failed tests collection
Write-Verbose "Failed to load test function $($_.Name): $_" -Verbose
$script:FailedTests.Add([PSCustomObject]@{ Test = $_.Name; Error = $_ })
}
}
$currentTestIndex = 0
# Execute each test function from the prepared list
foreach ($testFunction in $testFiles) {
$currentTestIndex++
Write-Progress -Activity "Executing Tests" -Status "Executing $($currentTestIndex) of $($totalTests): $($testFunction.Name)" -PercentComplete (($currentTestIndex / $totalTests) * 100)
$functionName = $testFunction.BaseName
if ($PSCmdlet.ShouldProcess($functionName, "Execute test")) {
$currentTestIndex = 0
# Execute each test function from the prepared list
foreach ($testFunction in $testFiles) {
$currentTestIndex++
Write-Progress -Activity 'Executing Tests' -Status "Executing $($currentTestIndex) of $($totalTests): $($testFunction.Name)" -PercentComplete (($currentTestIndex / $totalTests) * 100)
$functionName = $testFunction.BaseName
Write-Information "Executing test function: $functionName"
$auditResult = Invoke-TestFunction -FunctionFile $testFunction -DomainName $DomainName -ApprovedCloudStorageProviders $ApprovedCloudStorageProviders -ApprovedFederatedDomains $ApprovedFederatedDomains
# Add the result to the collection
[void]$allAuditResults.Add($auditResult)
}
# Call the private function to calculate and display results
Measure-AuditResult -AllAuditResults $allAuditResults -FailedTests $script:FailedTests
# Return all collected audit results
# Define the test numbers to check
$TestNumbersToCheck = '1.1.1', '1.3.1', '6.1.2', '6.1.3', '7.3.4'
# Check for large details in the audit results
$exceedingTests = Get-ExceededLengthResultDetail -AuditResults $allAuditResults -TestNumbersToCheck $TestNumbersToCheck -ReturnExceedingTestsOnly -DetailsLengthLimit 30000
if ($exceedingTests.Count -gt 0) {
Write-Information "The following tests exceeded the details length limit: $($exceedingTests -join ', ')"
Write-Information "( Assuming the results were instantiated. Ex: `$object = invoke-M365SecurityAudit )`nUse the following command and adjust as necessary to view the full details of the test results:"
Write-Information "Export-M365SecurityAuditTable -ExportAllTests -AuditResults `$object -ExportPath `"C:\temp`" -ExportOriginalTests"
}
# return $allAuditResults.ToArray() | Sort-Object -Property Rec
# TODO Check if this fixes export-table.
return $allAuditResults | Sort-Object -Property Rec
}
}
catch {
# Log the error and add the test to the failed tests collection
Write-Verbose "Invoke-M365SecurityAudit: Failed to load test function $($_.Name): $_" -Verbose
throw "Failed to execute test function $($testFunction.Name): $_"
$script:FailedTests.Add([PSCustomObject]@{ Test = $_.Name; Error = $_ })
}
finally {
if (!($DoNotDisconnect) -and $PSCmdlet.ShouldProcess("Disconnect from Microsoft 365 services: $($actualUniqueConnections -join ', ')", "Disconnect")) {
$env:PNPPOWERSHELL_UPDATECHECK = $defaultPNPUpdateCheck
if (!($DoNotDisconnect) -and $PSCmdlet.ShouldProcess("Disconnect from Microsoft 365 services: $($actualUniqueConnections -join ', ')", 'Disconnect')) {
# Clean up sessions
Disconnect-M365Suite -RequiredConnections $requiredConnections
}
}
}
End {
if ($PSCmdlet.ShouldProcess("Measure and display audit results for $($totalTests) tests", "Measure")) {
# Call the private function to calculate and display results
Measure-AuditResult -AllAuditResults $allAuditResults -FailedTests $script:FailedTests
# Return all collected audit results
# Define the test numbers to check
$TestNumbersToCheck = "1.1.1", "1.3.1", "6.1.2", "6.1.3", "7.3.4"
# Check for large details in the audit results
$exceedingTests = Get-ExceededLengthResultDetail -AuditResults $allAuditResults -TestNumbersToCheck $TestNumbersToCheck -ReturnExceedingTestsOnly -DetailsLengthLimit 30000
if ($exceedingTests.Count -gt 0) {
Write-Information "The following tests exceeded the details length limit: $($exceedingTests -join ', ')" -InformationAction Continue
Write-Host "(Assuming the results were instantiated. Ex: `$object = invoke-M365SecurityAudit) Use the following command and adjust as neccesary to view the full details of the test results:" -ForegroundColor DarkCyan
Write-Host "Export-M365SecurityAuditTable -ExportAllTests -AuditResults `$object -ExportPath `"C:\temp`" -ExportOriginalTests" -ForegroundColor Green
}
return $allAuditResults.ToArray() | Sort-Object -Property Rec
}
}
}

65
source/Public/New-M365SecurityAuditAuthObject.ps1 Normal file
View File

@@ -0,0 +1,65 @@
<#
.SYNOPSIS
Creates a new CISAuthenticationParameters object for Microsoft 365 authentication.
.DESCRIPTION
The New-M365SecurityAuditAuthObject function constructs a new CISAuthenticationParameters object
containing the necessary credentials and URLs for authenticating to various Microsoft 365 services.
It validates input parameters to ensure they conform to expected formats and length requirements.
An app registration in Azure AD with the required permissions to EXO, SPO, MSTeams and MgGraph is needed.
.PARAMETER ClientCertThumbPrint
The thumbprint of the client certificate used for authentication. It must be a 40-character hexadecimal string.
This certificate is used to authenticate the application in Azure AD.
.PARAMETER ClientId
The Client ID (Application ID) of the Azure AD application. It must be a valid GUID format.
.PARAMETER TenantId
The Tenant ID of the Azure AD directory. It must be a valid GUID format representing your Microsoft 365 tenant.
.PARAMETER OnMicrosoftUrl
The URL of your onmicrosoft.com domain. It should be in the format 'example.onmicrosoft.com'.
.PARAMETER SpAdminUrl
The SharePoint admin URL, which should end with '-admin.sharepoint.com'. This URL is used for connecting to SharePoint Online.
.INPUTS
None. You cannot pipe objects to this function.
.OUTPUTS
CISAuthenticationParameters
The function returns an instance of the CISAuthenticationParameters class containing the authentication details.
.EXAMPLE
PS> $authParams = New-M365SecurityAuditAuthObject -ClientCertThumbPrint "ABCDEF1234567890ABCDEF1234567890ABCDEF12" `
-ClientId "12345678-1234-1234-1234-123456789012" `
-TenantId "12345678-1234-1234-1234-123456789012" `
-OnMicrosoftUrl "yourcompany.onmicrosoft.com" `
-SpAdminUrl "https://yourcompany-admin.sharepoint.com"
Creates a new CISAuthenticationParameters object with the specified credentials and URLs, validating each parameter's format and length.
.NOTES
Requires PowerShell 7.0 or later.
https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps
#>
function New-M365SecurityAuditAuthObject {
[CmdletBinding()]
[OutputType([CISAuthenticationParameters])]
param(
[Parameter(Mandatory = $true, HelpMessage = "The 40-character hexadecimal thumbprint of the client certificate.")]
[ValidatePattern("^[0-9a-fA-F]{40}$")] # Regex for a valid thumbprint format
[ValidateLength(40, 40)] # Enforce exact length
[string]$ClientCertThumbPrint,
[Parameter(Mandatory = $true, HelpMessage = "The Client ID (GUID format) of the Azure AD application.")]
[ValidatePattern("^[0-9a-fA-F\-]{36}$")] # Regex for a valid GUID
[string]$ClientId,
[Parameter(Mandatory = $true, HelpMessage = "The Tenant ID (GUID format) of the Azure AD directory.")]
[ValidatePattern("^[0-9a-fA-F\-]{36}$")] # Regex for a valid GUID
[string]$TenantId,
[Parameter(Mandatory = $true, HelpMessage = "The onmicrosoft.com domain URL (e.g., 'example.onmicrosoft.com').")]
[ValidatePattern("^[a-zA-Z0-9]+\.onmicrosoft\.com$")] # Regex for a valid onmicrosoft.com URL
[string]$OnMicrosoftUrl,
[Parameter(Mandatory = $true, HelpMessage = "The SharePoint admin URL ending with '-admin.sharepoint.com'.")]
[ValidatePattern("^https:\/\/[a-zA-Z0-9\-]+\-admin\.sharepoint\.com$")] # Regex for a valid SharePoint admin URL
[string]$SpAdminUrl
)
# Create and return the authentication parameters object
return [CISAuthenticationParameters]::new(
$ClientCertThumbPrint,
$ClientId,
$TenantId,
$OnMicrosoftUrl,
$SpAdminUrl
)
}

2097
source/en-US/M365FoundationsCISReport-help.xml
View File

File diff suppressed because it is too large Load Diff

10
source/en-US/about_M365FoundationsCISReport.help.txt
View File

@@ -33,7 +33,7 @@ EXAMPLES
$auditResults = Invoke-M365SecurityAudit -TenantAdminUrl "https://contoso-admin.sharepoint.com" -DomainName "contoso.com" -ApprovedCloudStorageProviders "DropBox" -ApprovedFederatedDomains "northwind.com"
# Example 2: Exporting a security audit and it's nested tables to zipped CSV files
Export-M365SecurityAuditTable -AuditResults $auditResults -ExportPath "C:\temp" -ExportOriginalTests -ExportAllTests
Export-M365SecurityAuditTable -AuditResults $auditResults -ExportPath "C:\temp"
# Output Ex: 2024.07.07_14.55.55_M365FoundationsAudit_368B2E2F.zip
# Example 3: Retrieving licenses for users in administrative roles
@@ -50,6 +50,14 @@ EXAMPLES
# Example 7: Granting Microsoft Graph permissions to the auditor
Grant-M365SecurityAuditConsent -UserPrincipalNameForConsent 'user@example.com'
# Example 8: (PowerShell 7.x Only) Creating a new authentication object for the security audit for app-based authentication.
$authParams = New-M365SecurityAuditAuthObject -ClientCertThumbPrint "ABCDEF1234567890ABCDEF1234567890ABCDEF12" `
-ClientId "12345678-1234-1234-1234-123456789012" `
-TenantId "12345678-1234-1234-1234-123456789012" `
-OnMicrosoftUrl "yourcompany.onmicrosoft.com" `
-SpAdminUrl "https://yourcompany-admin.sharepoint.com"
Invoke-M365SecurityAudit -AuthParams $authParams -TenantAdminUrl "https://yourcompany-admin.sharepoint.com"
NOTE
Ensure that you have the necessary permissions and administrative roles in

9
source/helper/TestDefinitions-v4.0.0.csv Normal file
View File

@@ -0,0 +1,9 @@
Index,TestFileName,Rec,RecDescription,ELevel,ProfileLevel,CISControl,CISDescription,IG1,IG2,IG3,Automated,Connection
1,Test-AdministrativeAccountCompliance4.ps1,1.1.1,Ensure Administrative accounts are cloud-only,E3,L1,5.4,Restrict Administrator Privileges to Dedicated Administrator Accounts,TRUE,TRUE,TRUE,TRUE,Microsoft Graph
2,Test-AdminAccountLicenses.ps1,1.1.4,Ensure administrative accounts use licenses with a reduced application footprint,E3,L1,5.4,Restrict Administrator Privileges to Dedicated Administrator Accounts,TRUE,TRUE,TRUE,TRUE,Microsoft Graph
3,Test-AntiPhishingPolicy4.ps1,2.1.7,Ensure that an anti-phishing policy has been created,E5,L2,9.7,Deploy and Maintain Email Server Anti-Malware Protections,FALSE,FALSE,TRUE,TRUE,EXO
4,Test-AttachmentFiltering.ps1,2.1.11,Ensure comprehensive attachment filtering is applied,E3,L2,9.6,Block unnecessary file types attempting to enter the enterprises email gateway,FALSE,TRUE,TRUE,TRUE,EXO
5,Test-ConnectionFilterIPAllowList.ps1,2.1.12,Ensure the connection filter IP allow list is not used,E3,L1,9.7,Deploy and Maintain Email Server Anti-Malware Protections,FALSE,FALSE,TRUE,TRUE,EXO
6,Test-ConnectionFilterSafeList.ps1,2.1.13,Ensure the connection filter safe list is off,E3,L1,9.7,Deploy and Maintain Email Server Anti-Malware Protections,FALSE,FALSE,TRUE,TRUE,EXO
7,Test-InboundAntiSpamPolicies.ps1,2.1.14,Ensure inbound anti-spam policies do not contain allowed domains,E3,L1,9.7,Deploy and Maintain Email Server Anti-Malware Protections,FALSE,FALSE,TRUE,TRUE,EXO
8,Test-AuditBypassEnabled.ps1,6.1.4,Ensure 'AuditBypassEnabled' is not enabled on mailboxes,E3,L1,8.5,"Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation",FALSE,TRUE,TRUE,TRUE,EXO
1 Index TestFileName Rec RecDescription ELevel ProfileLevel CISControl CISDescription IG1 IG2 IG3 Automated Connection
2 1 Test-AdministrativeAccountCompliance4.ps1 1.1.1 Ensure Administrative accounts are cloud-only E3 L1 5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts TRUE TRUE TRUE TRUE Microsoft Graph
3 2 Test-AdminAccountLicenses.ps1 1.1.4 Ensure administrative accounts use licenses with a reduced application footprint E3 L1 5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts TRUE TRUE TRUE TRUE Microsoft Graph
4 3 Test-AntiPhishingPolicy4.ps1 2.1.7 Ensure that an anti-phishing policy has been created E5 L2 9.7 Deploy and Maintain Email Server Anti-Malware Protections FALSE FALSE TRUE TRUE EXO
5 4 Test-AttachmentFiltering.ps1 2.1.11 Ensure comprehensive attachment filtering is applied E3 L2 9.6 Block unnecessary file types attempting to enter the enterprise’s email gateway FALSE TRUE TRUE TRUE EXO
6 5 Test-ConnectionFilterIPAllowList.ps1 2.1.12 Ensure the connection filter IP allow list is not used E3 L1 9.7 Deploy and Maintain Email Server Anti-Malware Protections FALSE FALSE TRUE TRUE EXO
7 6 Test-ConnectionFilterSafeList.ps1 2.1.13 Ensure the connection filter safe list is off E3 L1 9.7 Deploy and Maintain Email Server Anti-Malware Protections FALSE FALSE TRUE TRUE EXO
8 7 Test-InboundAntiSpamPolicies.ps1 2.1.14 Ensure inbound anti-spam policies do not contain allowed domains E3 L1 9.7 Deploy and Maintain Email Server Anti-Malware Protections FALSE FALSE TRUE TRUE EXO
9 8 Test-AuditBypassEnabled.ps1 6.1.4 Ensure 'AuditBypassEnabled' is not enabled on mailboxes E3 L1 8.5 Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation FALSE TRUE TRUE TRUE EXO

2
source/helper/TestDefinitions.csv
View File

@@ -2,7 +2,7 @@
1,Test-AdministrativeAccountCompliance.ps1,1.1.1,Ensure Administrative accounts are separate and cloud-only,E3,L1,5.4,Restrict Administrator Privileges to Dedicated Administrator Accounts,TRUE,TRUE,TRUE,FALSE,Microsoft Graph
2,Test-GlobalAdminsCount.ps1,1.1.3,Ensure that between two and four global admins are designated,E3,L1,5.1,Establish and Maintain an Inventory of Accounts,TRUE,TRUE,TRUE,TRUE,Microsoft Graph
3,Test-ManagedApprovedPublicGroups.ps1,1.2.1,Ensure that only organizationally managed/approved public groups exist,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,Microsoft Graph
4,Test-BlockSharedMailboxSignIn.ps1,1.2.2,Ensure sign-in to shared mailboxes is blocked,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,AzureAD | EXO
4,Test-BlockSharedMailboxSignIn.ps1,1.2.2,Ensure sign-in to shared mailboxes is blocked,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,EXO | Microsoft Graph
5,Test-PasswordNeverExpirePolicy.ps1,1.3.1,Ensure the 'Password expiration policy' is set to 'Set passwords to never expire',E3,L1,5.2,Use Unique Passwords,TRUE,TRUE,TRUE,TRUE,Microsoft Graph
6,Test-ExternalSharingCalendars.ps1,1.3.3,Ensure 'External sharing' of calendars is not available,E3,L2,4.8,Uninstall or Disable Unnecessary Services on Enterprise Assets and Software,FALSE,TRUE,TRUE,TRUE,EXO
7,Test-CustomerLockbox.ps1,1.3.6,Ensure the customer lockbox feature is enabled,E5,L2,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,EXO
1 Index TestFileName Rec RecDescription ELevel ProfileLevel CISControl CISDescription IG1 IG2 IG3 Automated Connection
2 1 Test-AdministrativeAccountCompliance.ps1 1.1.1 Ensure Administrative accounts are separate and cloud-only E3 L1 5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts TRUE TRUE TRUE FALSE Microsoft Graph
3 2 Test-GlobalAdminsCount.ps1 1.1.3 Ensure that between two and four global admins are designated E3 L1 5.1 Establish and Maintain an Inventory of Accounts TRUE TRUE TRUE TRUE Microsoft Graph
4 3 Test-ManagedApprovedPublicGroups.ps1 1.2.1 Ensure that only organizationally managed/approved public groups exist E3 L2 3.3 Configure Data Access Control Lists TRUE TRUE TRUE TRUE Microsoft Graph
5 4 Test-BlockSharedMailboxSignIn.ps1 1.2.2 Ensure sign-in to shared mailboxes is blocked E3 L1 0 Explicitly Not Mapped FALSE FALSE FALSE TRUE AzureAD | EXO EXO | Microsoft Graph
6 5 Test-PasswordNeverExpirePolicy.ps1 1.3.1 Ensure the 'Password expiration policy' is set to 'Set passwords to never expire' E3 L1 5.2 Use Unique Passwords TRUE TRUE TRUE TRUE Microsoft Graph
7 6 Test-ExternalSharingCalendars.ps1 1.3.3 Ensure 'External sharing' of calendars is not available E3 L2 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software FALSE TRUE TRUE TRUE EXO
8 7 Test-CustomerLockbox.ps1 1.3.6 Ensure the customer lockbox feature is enabled E5 L2 0 Explicitly Not Mapped FALSE FALSE FALSE TRUE EXO

55
source/tests/Test-AdminAccountLicenses.ps1 Normal file
View File

@@ -0,0 +1,55 @@
function Test-AdminAccountLicenses {
[CmdletBinding()]
param ()
begin {
# The following conditions are checked:
# Condition A: The administrative account is cloud-only (not synced).
# Condition B: The account is assigned a valid license (e.g., Microsoft Entra ID P1 or P2).
# Condition C: The administrative account does not have any other application assignments (only valid licenses).
$validLicenses = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')
$RecNum = '1.1.4'
Write-Verbose "Starting Test-AdministrativeAccountCompliance with Rec: $RecNum"
}
process {
try {
# Retrieve admin roles, assignments, and user details including licenses
Write-Verbose 'Retrieving admin roles, assignments, and user details including licenses'
$Report = Get-CISMgOutput -Rec $RecNum
$NonCompliantUsers = $Report | Where-Object { $_.License -notin $validLicenses }
# Generate failure reasons
Write-Verbose 'Generating failure reasons for non-compliant users'
$failureReasons = $nonCompliantUsers | ForEach-Object {
"$($_.DisplayName)|$($_.UserPrincipalName)|$(if ($_.License) {$_.License}else{'No licenses found'})"
}
$failureReasons = $failureReasons -join "`n"
$failureReason = if ($nonCompliantUsers) {
"Non-Compliant Accounts without only a singular P1 or P2 license and no others: $($nonCompliantUsers.Count)"
}
else {
"Compliant Accounts: $($uniqueAdminRoleUsers.Count)"
}
$result = $nonCompliantUsers.Count -eq 0
$status = if ($result) { 'Pass' } else { 'Fail' }
$details = if ($nonCompliantUsers) { "DisplayName | UserPrincipalName | License`n$failureReasons" } else { 'N/A' }
Write-Verbose "Assessment completed. Result: $status"
# Create the parameter splat
$params = @{
Rec = $RecNum
Result = $result
Status = $status
Details = $details
FailureReason = $failureReason
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {
# Output the result
return $auditResult
}
}
# $validLicenses = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')

10
source/tests/Test-AdministrativeAccountCompliance.ps1
View File

@@ -7,14 +7,14 @@ function Test-AdministrativeAccountCompliance {
# Condition B: The account is assigned a valid license (e.g., Microsoft Entra ID P1 or P2).
# Condition C: The administrative account does not have any other application assignments (only valid licenses).
$validLicenses = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')
$recnum = "1.1.1"
Write-Verbose "Starting Test-AdministrativeAccountCompliance with Rec: $recnum"
$RecNum = "1.1.1"
Write-Verbose "Starting Test-AdministrativeAccountCompliance with Rec: $RecNum"
}
process {
try {
# Retrieve admin roles, assignments, and user details including licenses
Write-Verbose "Retrieving admin roles, assignments, and user details including licenses"
$adminRoleAssignments = Get-CISMgOutput -Rec $recnum
$adminRoleAssignments = Get-CISMgOutput -Rec $RecNum
$adminRoleUsers = @()
foreach ($roleName in $adminRoleAssignments.Keys) {
$assignments = $adminRoleAssignments[$roleName]
@@ -80,7 +80,7 @@ function Test-AdministrativeAccountCompliance {
Write-Verbose "Assessment completed. Result: $status"
# Create the parameter splat
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $result
Status = $status
Details = $details
@@ -90,7 +90,7 @@ function Test-AdministrativeAccountCompliance {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

51
source/tests/Test-AdministrativeAccountCompliance4.ps1 Normal file
View File

@@ -0,0 +1,51 @@
function Test-AdministrativeAccountCompliance4 {
[CmdletBinding()]
param ()
begin {
$RecNum = "1.1.1"
Write-Verbose "Starting Test-AdministrativeAccountCompliance4 for Rec: $RecNum"
}
process {
try {
# Retrieve privileged users with OnPremisesSyncEnabled
Write-Verbose "Retrieving data for privileged users"
$PrivilegedUsers = Get-CISMgOutput -Rec $RecNum
# Filter for users with OnPremisesSyncEnabled
$NonCompliantUsers = $PrivilegedUsers | Where-Object { $_.OnPremisesSyncEnabled -eq $true }
if ($NonCompliantUsers.Count -gt 0) {
Write-Verbose "Non-compliant users found: $($NonCompliantUsers.Count)"
# Generate pipe-delimited failure table as plain text
$Header = "DisplayName|UserPrincipalName|OnPremisesSyncEnabled"
$FailureRows = $NonCompliantUsers | ForEach-Object {
"$($_.DisplayName)|$($_.UserPrincipalName)|$($_.OnPremisesSyncEnabled)"
}
$Details = "$Header`n$($FailureRows -join "`n")"
$Status = "Fail"
$FailureReason = "Non-compliant accounts detected: $($NonCompliantUsers.Count)"
}
else {
Write-Verbose "All accounts are compliant."
$Details = "N/A"
$Status = "Pass"
$FailureReason = "All administrative accounts are cloud-only."
}
# Prepare audit result
$Params = @{
Rec = $RecNum
Result = ($NonCompliantUsers.Count -eq 0)
Status = $Status
Details = $Details
FailureReason = $FailureReason
}
$AuditResult = Initialize-CISAuditResult @Params
}
catch {
Write-Error "Error during compliance check: $_"
$AuditResult = Get-TestError -LastError $_ -RecNum $RecNum
}
}
end {
# Output result
return $AuditResult
}
}

12
source/tests/Test-AntiPhishingPolicy.ps1
View File

@@ -3,8 +3,8 @@ function Test-AntiPhishingPolicy {
[OutputType([CISAuditResult])]
param ()
begin {
$recnum = "2.1.7"
Write-Verbose "Running Test-AntiPhishingPolicy for $recnum..."
$RecNum = "2.1.7"
Write-Verbose "Running Test-AntiPhishingPolicy for $RecNum..."
#. .\source\Classes\CISAuditResult.ps1
<#
Conditions for 2.1.7 (L1) Ensure robust anti-phishing policies are enforced
@@ -26,7 +26,7 @@ function Test-AntiPhishingPolicy {
# Step 1: Retrieve all anti-phishing policies
#$VerbosePreference = "Continue"
Write-Verbose "Retrieving all anti-phishing policies..."
$antiPhishPolicies = Get-CISExoOutput -Rec $recnum
$antiPhishPolicies = Get-CISExoOutput -Rec $RecNum
# Step 2: Initialize variables to track compliance and details
$compliantPolicy = $null
$details = @()
@@ -205,7 +205,7 @@ function Test-AntiPhishingPolicy {
#$VerbosePreference = "SilentlyContinue"
# Prepare the parameters for the audit result
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isOverallCompliant
Status = if ($isOverallCompliant) { "Pass" } else { "Fail" }
Details = $resultDetails
@@ -215,8 +215,8 @@ function Test-AntiPhishingPolicy {
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
$auditResult = Get-TestError -LastError $_ -recnum $recnum
Write-Error "An error occurred during the test $RecNum`:: $_"
$auditResult = Get-TestError -LastError $_ -RecNum $RecNum
}
}
end {

120
source/tests/Test-AntiPhishingPolicy4.ps1 Normal file
View File

@@ -0,0 +1,120 @@
function Test-AntiPhishingPolicy4 {
[CmdletBinding()]
[OutputType([CISAuditResult])]
param ()
begin {
# Set the record number and start the process
$RecNum = '2.1.7'
Write-Verbose "Running Test-AntiPhishingPolicy4 for $RecNum..."
}
process {
try {
# Step 1: Retrieve all anti-phishing policies and rules
Write-Verbose 'Retrieving all anti-phishing policies and rules...'
$antiPhishPolicies, $antiPhishRules = Get-CISExoOutput -Rec $RecNum
if ($null -eq $antiPhishPolicies -or $antiPhishPolicies.Count -eq 0) {
throw 'No Anti-Phishing policies found.'
}
# Initialize lists to track compliant and non-compliant policies and reasons for failures
$compliantPolicies = @()
$failureReasons = @()
$nonCompliantPolicies = @()
# Step 2: Evaluate strict and standard preset policies
Write-Verbose 'Evaluating strict and standard preset policies...'
$strictPolicy = $antiPhishPolicies | Where-Object { $_.Name -eq 'Strict Preset Security Policy' }
$standardPolicy = $antiPhishPolicies | Where-Object { $_.Name -eq 'Standard Preset Security Policy' }
$strictStandardCompliant = $false
foreach ($policy in @($strictPolicy, $standardPolicy)) {
if ($null -ne $policy) {
# Check if the Strict or Standard policy is compliant
$isCompliant = Get-PhishPolicyCompliance -policy $policy
if ($isCompliant) {
$strictStandardCompliant = $true
$compliantPolicies += $policy.Name
Write-Verbose "Compliant policy found: $($policy.Name). Ending evaluation."
return Initialize-CISAuditResult -Rec $RecNum -Result $true -Status 'Pass' -Details "Compliant Policies: $($policy.Name)" -FailureReason 'None'
} else {
$nonCompliantPolicies += $policy.Name
}
}
}
# Step 3: Evaluate custom policies if strict and standard are not compliant
if (-not $strictStandardCompliant) {
Write-Verbose 'Evaluating custom policies for compliance...'
# Filter custom policies using $antiPhishRules to exclude default, strict, and standard
$customPolicies = $antiPhishPolicies | Where-Object { $antiPhishRules.AntiPhishPolicy -contains $_.Name -and $_.Name -notin @('Strict Preset Security Policy', 'Standard Preset Security Policy', 'Office365 AntiPhish Default') }
$customPolicies = $customPolicies | Sort-Object -Property { $antiPhishRules | Where-Object { $_.AntiPhishPolicy -eq $_.Name } | Select-Object -ExpandProperty Priority }
foreach ($policy in $customPolicies) {
# Check for scope overlap between custom policies and strict/standard policies
$scopeOverlap = Get-ScopeOverlap -Policy $policy -OtherPolicies @($strictPolicy, $standardPolicy)
if ($scopeOverlap) {
$failureReasons += "Custom policy $($policy.Name) overlaps with strict or standard preset policies."
$nonCompliantPolicies += $policy.Name
} else {
# Check if the custom policy is compliant
$isCompliant = Get-PhishPolicyCompliance -policy $policy
if ($isCompliant) {
$compliantPolicies += $policy.Name
Write-Verbose "Compliant custom policy found: $($policy.Name). Ending evaluation."
return Initialize-CISAuditResult -Rec $RecNum -Result $true -Status 'Pass' -Details "Compliant Policies: $($policy.Name)" -FailureReason 'None'
} else {
$nonCompliantPolicies += $policy.Name
}
}
}
}
# Step 4: Evaluate the default policy if no compliant custom, strict, or standard policies
if ($compliantPolicies.Count -eq 0) {
Write-Verbose 'Evaluating default policy for compliance...'
$defaultPolicy = $antiPhishPolicies | Where-Object { $_.Name -eq 'Office365 AntiPhish Default' }
if ($null -ne $defaultPolicy) {
# Check for scope overlap between the default policy and other policies
$scopeOverlap = Get-ScopeOverlap -Policy $defaultPolicy -OtherPolicies @($strictPolicy, $standardPolicy, $customPolicies)
if ($scopeOverlap) {
$failureReasons += "Default policy overlaps with other scoped policies."
$nonCompliantPolicies += $defaultPolicy.Name
} else {
# Check if the default policy is compliant
$isCompliant = Get-PhishPolicyCompliance -policy $defaultPolicy
if ($isCompliant) {
$compliantPolicies += $defaultPolicy.Name
Write-Verbose "Compliant default policy found: $($defaultPolicy.Name)."
return Initialize-CISAuditResult -Rec $RecNum -Result $true -Status 'Pass' -Details "Compliant Policies: $($defaultPolicy.Name)" -FailureReason 'None'
} else {
$nonCompliantPolicies += $defaultPolicy.Name
}
}
}
}
# Step 5: Determine overall compliance
$isOverallCompliant = ($compliantPolicies.Count -gt 0) -and ($failureReasons.Count -eq 0)
# Step 6: Prepare result details
$resultDetails = if ($isOverallCompliant) {
# Prepare details for compliant policies
"Compliant Policies: $($compliantPolicies -join ', ')"
}
else {
# Prepare details for non-compliant policies and reasons
"Non-Compliant Policies: $($nonCompliantPolicies -join ', ')`nFailure Reasons:`n" + ($failureReasons -join "`n")
}
# Step 7: Prepare the audit result object
$params = @{
Rec = $RecNum
Result = $isOverallCompliant
Status = if ($isOverallCompliant) { 'Pass' } else { 'Fail' }
Details = $resultDetails
FailureReason = if (-not $isOverallCompliant) { $failureReasons -join "`n" } else { 'None' }
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
# Handle errors and return the error result
Write-Error "An error occurred during the test $RecNum`: $_"
$auditResult = Get-TestError -LastError $_ -RecNum $RecNum
}
}
end {
# Return the audit result object
return $auditResult
}
}

72
source/tests/Test-AttachmentFiltering.ps1 Normal file
View File

@@ -0,0 +1,72 @@
function Test-AttachmentFiltering {
[CmdletBinding()]
param ()
begin {
# Record the recommendation number and log the test start
$RecNum = "2.1.11" # Recommendation for attachment filtering
Write-Verbose "Starting Test-AttachmentFiltering with Rec: $RecNum"
}
process {
try {
# Step 1: Retrieve data needed for compliance check
Write-Verbose "Retrieving malware policies, rules, and extensions for compliance evaluation..."
$malwarePolicies, $malwareRules, $L2Extensions = Get-CISExoOutput -Rec $RecNum
# Initialize compliance tracking
$compliantPolicyFound = $false
$failureReasons = @()
$details = @()
# Step 2: Check each malware policy for compliance
Write-Verbose "Evaluating each malware filter policy..."
foreach ($policy in $malwarePolicies) {
# Check if the policy enables the file filter
if (-not $policy.EnableFileFilter) {
$failureReasons += "Policy $($policy.Identity) has file filtering disabled."
continue
}
# Check if the number of extensions exceeds the minimum threshold (120)
if ($policy.FileTypes.Count -le 120) {
$failureReasons += "Policy $($policy.Identity) does not include the minimum number of extensions (120)."
continue
}
# Check for missing extensions from the L2 benchmark
$missingExtensions = $L2Extensions | Where-Object { -not $policy.FileTypes.Contains($_) }
if ($missingExtensions.Count -gt 0) {
$failureReasons += "Policy $($policy.Identity) is missing extensions: $($missingExtensions -join ', ')."
} else {
# Policy is compliant if it passes all checks
$compliantPolicyFound = $true
$details += "Compliant Policy Found: $($policy.Identity)"
# Break out of the loop since we only need one compliant policy
break
}
}
# Step 3: Determine overall compliance
$isCompliant = $compliantPolicyFound
# Step 4: Prepare result details
if ($isCompliant) {
$resultDetails = $details -join "`n"
} else {
$resultDetails = "Non-Compliant Policies:`n$($failureReasons -join '`n')"
}
# Step 5: Create the audit result
$params = @{
Rec = $RecNum
Result = $isCompliant
Status = if ($isCompliant) { 'Pass' } else { 'Fail' }
Details = $resultDetails
FailureReason = if (-not $isCompliant) { $failureReasons -join "`n" } else { 'None' }
}
$auditResult = Initialize-CISAuditResult @params
}
catch {
# Handle errors and return the error result
$LastError = $_
Write-Error "An error occurred during Test-AttachmentFiltering: $($LastError.Exception.Message)"
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {
# Return the audit result
return $auditResult
}
}

10
source/tests/Test-AuditDisabledFalse.ps1
View File

@@ -24,14 +24,14 @@ function Test-AuditDisabledFalse {
# - Condition B: Using PowerShell, the `AuditDisabled` property in the organization's configuration is set to `True`.
# - Condition C: Mailbox auditing is not enabled by default at the organizational level.
# Initialization code, if needed
$recnum = "6.1.1"
Write-Verbose "Running Test-AuditDisabledFalse for $recnum..."
$RecNum = "6.1.1"
Write-Verbose "Running Test-AuditDisabledFalse for $RecNum..."
}
process {
try {
# 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
# Retrieve the AuditDisabled configuration (Condition B)
$auditNotDisabled = Get-CISExoOutput -Rec $recnum
$auditNotDisabled = Get-CISExoOutput -Rec $RecNum
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $auditNotDisabled) {
"AuditDisabled is set to True" # Condition A Fail
@@ -47,7 +47,7 @@ function Test-AuditDisabledFalse {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $auditNotDisabled
Status = if ($auditNotDisabled) { "Pass" } else { "Fail" }
Details = $details
@@ -57,7 +57,7 @@ function Test-AuditDisabledFalse {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-AuditLogSearch.ps1
View File

@@ -9,8 +9,8 @@ function Test-AuditLogSearch {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "3.1.1"
Write-Verbose "Running Test-AuditLogSearch for $recnum..."
$RecNum = "3.1.1"
Write-Verbose "Running Test-AuditLogSearch for $RecNum..."
<#
Conditions for 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
Validate test for a pass:
@@ -30,7 +30,7 @@ function Test-AuditLogSearch {
process {
try {
# 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
$auditLogResult = Get-CISExoOutput -Rec $recnum
$auditLogResult = Get-CISExoOutput -Rec $RecNum
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $auditLogResult) {
# Condition A (Fail): Audit log search is not enabled in the Microsoft Purview compliance portal
@@ -48,7 +48,7 @@ function Test-AuditLogSearch {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $auditLogResult
Status = if ($auditLogResult) { "Pass" } else { "Fail" }
Details = $details
@@ -58,7 +58,7 @@ function Test-AuditLogSearch {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-BlockChannelEmails.ps1
View File

@@ -9,8 +9,8 @@ function Test-BlockChannelEmails {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.1.2"
Write-Verbose "Running Test-BlockChannelEmails for $recnum..."
$RecNum = "8.1.2"
Write-Verbose "Running Test-BlockChannelEmails for $RecNum..."
}
process {
try {
@@ -30,7 +30,7 @@ function Test-BlockChannelEmails {
# - Condition B: The setting `Users can send emails to a channel email address` is not set to `Off` in the Teams admin center.
# - Condition C: Verification using PowerShell indicates that the `AllowEmailIntoChannel` setting is enabled.
# Retrieve Teams client configuration
$teamsClientConfig = Get-CISMSTeamsOutput -Rec $recnum
$teamsClientConfig = Get-CISMSTeamsOutput -Rec $RecNum
$allowEmailIntoChannel = $teamsClientConfig.AllowEmailIntoChannel
# Prepare failure reasons and details based on compliance
$failureReasons = if ($allowEmailIntoChannel) {
@@ -47,7 +47,7 @@ function Test-BlockChannelEmails {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = -not $allowEmailIntoChannel
Status = if (-not $allowEmailIntoChannel) { "Pass" } else { "Fail" }
Details = $details
@@ -57,7 +57,7 @@ function Test-BlockChannelEmails {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-BlockMailForwarding.ps1
View File

@@ -8,8 +8,8 @@ function Test-BlockMailForwarding {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "6.2.1"
Write-Verbose "Running Test-BlockMailForwarding for $recnum..."
$RecNum = "6.2.1"
Write-Verbose "Running Test-BlockMailForwarding for $RecNum..."
<#
Conditions for 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
Validate test for a pass:
@@ -30,7 +30,7 @@ function Test-BlockMailForwarding {
try {
# 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
# Step 1: Retrieve the transport rules that redirect messages
$transportRules,$nonCompliantSpamPolicies = Get-CISExoOutput -Rec $recnum
$transportRules,$nonCompliantSpamPolicies = Get-CISExoOutput -Rec $RecNum
$transportForwardingBlocked = $transportRules.Count -eq 0
# Step 2: Check all anti-spam outbound policies
$nonCompliantSpamPoliciesArray = @($nonCompliantSpamPolicies)
@@ -67,7 +67,7 @@ function Test-BlockMailForwarding {
}
# Populate the audit result
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $forwardingBlocked
Status = if ($forwardingBlocked) { "Pass" } else { "Fail" }
Details = $details
@@ -77,7 +77,7 @@ function Test-BlockMailForwarding {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

14
source/tests/Test-BlockSharedMailboxSignIn.ps1
View File

@@ -9,8 +9,8 @@ function Test-BlockSharedMailboxSignIn {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "1.2.2"
Write-Verbose "Running Test-BlockSharedMailboxSignIn for $recnum..."
$RecNum = "1.2.2"
Write-Verbose "Running Test-BlockSharedMailboxSignIn for $RecNum..."
# Conditions for 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
#
# Validate test for a pass:
@@ -36,7 +36,7 @@ function Test-BlockSharedMailboxSignIn {
"abcddcba-98fe-76dc-a456-426614174000"
)
#>
$objectids = Get-CISExoOutput -Rec $recnum
$objectids = Get-CISExoOutput -Rec $RecNum
# Step: Retrieve user details from Azure AD
# $users Mock Object
<#
@@ -58,9 +58,9 @@ function Test-BlockSharedMailboxSignIn {
}
)
#>
$users = Get-CISAadOutput -Rec $recnum
$users = Get-CISMgOutput -Rec $RecNum
# Step: Retrieve details of shared mailboxes from Azure AD (Condition B: Pass/Fail)
$sharedMailboxDetails = $users | Where-Object {$_.objectid -in $objectids}
$sharedMailboxDetails = $users | Where-Object {$_.id -in $objectids}
# Step: Identify enabled mailboxes (Condition B: Pass/Fail)
$enabledMailboxes = $sharedMailboxDetails | Where-Object { $_.AccountEnabled } | ForEach-Object { $_.DisplayName }
$allBlocked = $enabledMailboxes.Count -eq 0
@@ -80,7 +80,7 @@ function Test-BlockSharedMailboxSignIn {
}
# Step: Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $allBlocked # Pass: Condition A, Condition B
Status = if ($allBlocked) { "Pass" } else { "Fail" }
Details = $details
@@ -90,7 +90,7 @@ function Test-BlockSharedMailboxSignIn {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-CommonAttachmentFilter.ps1
View File

@@ -24,8 +24,8 @@ function Test-CommonAttachmentFilter {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "2.1.2"
Write-Verbose "Running Test-CommonAttachmentFilter for $recnum..."
$RecNum = "2.1.2"
Write-Verbose "Running Test-CommonAttachmentFilter for $RecNum..."
}
process {
try {
@@ -35,7 +35,7 @@ function Test-CommonAttachmentFilter {
# Retrieve the attachment filter policy
# $result Mock Object
# $result = $true
$result = Get-CISExoOutput -Rec $recnum
$result = Get-CISExoOutput -Rec $RecNum
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $result) {
# Condition A: The Common Attachment Types Filter is not enabled in the Microsoft 365 Security & Compliance Center.
@@ -53,7 +53,7 @@ function Test-CommonAttachmentFilter {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $result
Status = if ($result) { "Pass" } else { "Fail" }
Details = $details
@@ -63,7 +63,7 @@ function Test-CommonAttachmentFilter {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-CustomerLockbox.ps1
View File

@@ -11,8 +11,8 @@ function Test-CustomerLockbox {
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "1.3.6"
Write-Verbose "Running Test-CustomerLockbox for $recnum..."
$RecNum = "1.3.6"
Write-Verbose "Running Test-CustomerLockbox for $RecNum..."
# Conditions for 1.3.6 (L2) Ensure the customer lockbox feature is enabled (Automated)
#
# Validate test for a pass:
@@ -34,7 +34,7 @@ function Test-CustomerLockbox {
# Step: Retrieve the organization configuration (Condition C: Pass/Fail)
# $customerLockboxEnabled Mock Object
# $customerLockboxEnabled = $true
$customerLockboxEnabled = Get-CISExoOutput -Rec $recnum
$customerLockboxEnabled = Get-CISExoOutput -Rec $RecNum
# Step: Prepare failure reasons and details based on compliance (Condition A, B, & C: Fail)
$failureReasons = if (-not $customerLockboxEnabled) {
"Customer lockbox feature is not enabled."
@@ -51,7 +51,7 @@ function Test-CustomerLockbox {
}
# Step: Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $customerLockboxEnabled
Status = if ($customerLockboxEnabled) { "Pass" } else { "Fail" }
Details = $details
@@ -61,7 +61,7 @@ function Test-CustomerLockbox {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-DialInBypassLobby.ps1
View File

@@ -9,8 +9,8 @@ function Test-DialInBypassLobby {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.5.4"
Write-Verbose "Running Test-DialInBypassLobby for $recnum..."
$RecNum = "8.5.4"
Write-Verbose "Running Test-DialInBypassLobby for $RecNum..."
}
process {
try {
@@ -36,7 +36,7 @@ function Test-DialInBypassLobby {
AllowPSTNUsersToBypassLobby = $true
}
#>
$CsTeamsMeetingPolicyPSTN = Get-CISMSTeamsOutput -Rec $recnum
$CsTeamsMeetingPolicyPSTN = Get-CISMSTeamsOutput -Rec $RecNum
$PSTNBypassDisabled = -not $CsTeamsMeetingPolicyPSTN.AllowPSTNUsersToBypassLobby
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $PSTNBypassDisabled) {
@@ -53,7 +53,7 @@ function Test-DialInBypassLobby {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $PSTNBypassDisabled
Status = if ($PSTNBypassDisabled) { "Pass" } else { "Fail" }
Details = $details
@@ -63,7 +63,7 @@ function Test-DialInBypassLobby {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-DisallowInfectedFilesDownload.ps1
View File

@@ -9,8 +9,8 @@ function Test-DisallowInfectedFilesDownload {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.3.1"
Write-Verbose "Running Test-DisallowInfectedFilesDownload for $recnum..."
$RecNum = "7.3.1"
Write-Verbose "Running Test-DisallowInfectedFilesDownload for $RecNum..."
}
process {
try {
@@ -36,7 +36,7 @@ function Test-DisallowInfectedFilesDownload {
DisallowInfectedFileDownload = $false
}
#>
$SPOTenantDisallowInfectedFileDownload = Get-CISSpoOutput -Rec $recnum
$SPOTenantDisallowInfectedFileDownload = Get-CISSpoOutput -Rec $RecNum
# Condition A: The `DisallowInfectedFileDownload` setting is set to `True`
$isDisallowInfectedFileDownloadEnabled = $SPOTenantDisallowInfectedFileDownload.DisallowInfectedFileDownload
# Prepare failure reasons and details based on compliance
@@ -55,7 +55,7 @@ function Test-DisallowInfectedFilesDownload {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isDisallowInfectedFileDownloadEnabled
Status = if ($isDisallowInfectedFileDownloadEnabled) { "Pass" } else { "Fail" }
Details = $details
@@ -65,7 +65,7 @@ function Test-DisallowInfectedFilesDownload {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-EnableDKIM.ps1
View File

@@ -10,8 +10,8 @@ function Test-EnableDKIM {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "2.1.9"
Write-Verbose "Running Test-EnableDKIM for $recnum..."
$RecNum = "2.1.9"
Write-Verbose "Running Test-EnableDKIM for $RecNum..."
<#
Conditions for 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains (Automated)
Validate test for a pass:
@@ -30,7 +30,7 @@ function Test-EnableDKIM {
try {
# 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains
# Retrieve DKIM configuration for all domains
$dkimConfig = Get-CISExoOutput -Rec $recnum
$dkimConfig = Get-CISExoOutput -Rec $RecNum
if (-not $DomainName) {
$dkimResult = ($dkimConfig | ForEach-Object { $_.Enabled }) -notcontains $false
$dkimFailedDomains = $dkimConfig | Where-Object { -not $_.Enabled } | ForEach-Object { $_.Domain }
@@ -62,7 +62,7 @@ function Test-EnableDKIM {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $dkimResult
Status = if ($dkimResult) { "Pass" } else { "Fail" }
Details = $details
@@ -72,7 +72,7 @@ function Test-EnableDKIM {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-ExternalNoControl.ps1
View File

@@ -9,8 +9,8 @@ function Test-ExternalNoControl {
# Dot source the class script if necessary
# . .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.5.7"
Write-Verbose "Running Test-ExternalNoControl for $recnum..."
$RecNum = "8.5.7"
Write-Verbose "Running Test-ExternalNoControl for $RecNum..."
}
process {
try {
@@ -36,7 +36,7 @@ function Test-ExternalNoControl {
AllowExternalParticipantGiveRequestControl = $true
}
#>
$CsTeamsMeetingPolicyControl = Get-CISMSTeamsOutput -Rec $recnum
$CsTeamsMeetingPolicyControl = Get-CISMSTeamsOutput -Rec $RecNum
# Check if external participants can give or request control
$externalControlRestricted = -not $CsTeamsMeetingPolicyControl.AllowExternalParticipantGiveRequestControl
# Prepare failure reasons and details based on compliance
@@ -54,7 +54,7 @@ function Test-ExternalNoControl {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $externalControlRestricted
Status = if ($externalControlRestricted) { "Pass" } else { "Fail" }
Details = $details
@@ -64,7 +64,7 @@ function Test-ExternalNoControl {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

8
source/tests/Test-ExternalSharingCalendars.ps1
View File

@@ -11,7 +11,7 @@ function Test-ExternalSharingCalendars {
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "1.3.3"
$RecNum = "1.3.3"
# Conditions for 1.3.3 (L2) Ensure 'External sharing' of calendars is not available (Automated)
#
@@ -31,7 +31,7 @@ function Test-ExternalSharingCalendars {
process {
try {
# Step: Retrieve sharing policies related to calendar sharing
$sharingPolicies = Get-CISExoOutput -Rec $recnum
$sharingPolicies = Get-CISExoOutput -Rec $RecNum
# Step (Condition A & B: Pass/Fail): Check if calendar sharing is disabled in all applicable policies
$isExternalSharingDisabled = $true
@@ -85,7 +85,7 @@ foreach ($mailbox in $mailboxes) {
# Step: Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isExternalSharingDisabled
Status = if ($isExternalSharingDisabled) { "Pass" } else { "Fail" }
Details = $details
@@ -95,7 +95,7 @@ foreach ($mailbox in $mailboxes) {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}

10
source/tests/Test-GlobalAdminsCount.ps1
View File

@@ -23,12 +23,12 @@ function Test-GlobalAdminsCount {
# - Condition B: The number of global admins is more than 4.
# - Condition C: Any discrepancies or errors in retrieving the list of global admin usernames.
# Initialization code, if needed
$recnum = "1.1.3"
Write-Verbose "Starting Test-GlobalAdminsCount with Rec: $recnum"
$RecNum = "1.1.3"
Write-Verbose "Starting Test-GlobalAdminsCount with Rec: $RecNum"
}
process {
try {
$globalAdmins = Get-CISMgOutput -Rec $recnum
$globalAdmins = Get-CISMgOutput -Rec $RecNum
# Step: Count the number of global admins
$globalAdminCount = $globalAdmins.Count
# Step: Retrieve and format the usernames of global admins
@@ -49,7 +49,7 @@ function Test-GlobalAdminsCount {
$details = "Count: $globalAdminCount; Users: $globalAdminUsernames"
# Step: Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $globalAdminCount -ge 2 -and $globalAdminCount -le 4
Status = if ($globalAdminCount -ge 2 -and $globalAdminCount -le 4) { "Pass" } else { "Fail" }
Details = $details
@@ -59,7 +59,7 @@ function Test-GlobalAdminsCount {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-GuestAccessExpiration.ps1
View File

@@ -9,8 +9,8 @@ function Test-GuestAccessExpiration {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.2.9"
Write-Verbose "Running Test-GuestAccessExpiration for $recnum..."
$RecNum = "7.2.9"
Write-Verbose "Running Test-GuestAccessExpiration for $RecNum..."
}
process {
try {
@@ -37,7 +37,7 @@ function Test-GuestAccessExpiration {
ExternalUserExpireInDays = "60"
}
#>
$SPOTenantGuestAccess = Get-CISSpoOutput -Rec $recnum
$SPOTenantGuestAccess = Get-CISSpoOutput -Rec $RecNum
$isGuestAccessExpirationConfiguredCorrectly = $SPOTenantGuestAccess.ExternalUserExpirationRequired -and $SPOTenantGuestAccess.ExternalUserExpireInDays -le 30
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isGuestAccessExpirationConfiguredCorrectly) {
@@ -50,7 +50,7 @@ function Test-GuestAccessExpiration {
$details = "ExternalUserExpirationRequired: $($SPOTenantGuestAccess.ExternalUserExpirationRequired); ExternalUserExpireInDays: $($SPOTenantGuestAccess.ExternalUserExpireInDays)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isGuestAccessExpirationConfiguredCorrectly
Status = if ($isGuestAccessExpirationConfiguredCorrectly) { "Pass" } else { "Fail" }
Details = $details
@@ -60,7 +60,7 @@ function Test-GuestAccessExpiration {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

6
source/tests/Test-GuestUsersBiweeklyReview.ps1
View File

@@ -11,7 +11,7 @@ function Test-GuestUsersBiweeklyReview {
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "1.1.4"
$RecNum = "1.1.4"
}
process {
@@ -41,7 +41,7 @@ function Test-GuestUsersBiweeklyReview {
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = -not $guestUsers
Status = if ($guestUsers) { "Fail" } else { "Pass" }
Details = $details
@@ -51,7 +51,7 @@ function Test-GuestUsersBiweeklyReview {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}

10
source/tests/Test-IdentifyExternalEmail.ps1
View File

@@ -10,8 +10,8 @@ function Test-IdentifyExternalEmail {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "6.2.3"
Write-Verbose "Running Test-IdentifyExternalEmail for $recnum..."
$RecNum = "6.2.3"
Write-Verbose "Running Test-IdentifyExternalEmail for $RecNum..."
# Conditions for 6.2.3 (L1) Ensure email from external senders is identified
#
# Validate test for a pass:
@@ -32,7 +32,7 @@ function Test-IdentifyExternalEmail {
try {
# 6.2.3 (L1) Ensure email from external senders is identified
# Retrieve external sender tagging configuration
$externalInOutlook = Get-CISExoOutput -Rec $recnum
$externalInOutlook = Get-CISExoOutput -Rec $RecNum
$externalTaggingEnabled = ($externalInOutlook | ForEach-Object { $_.Enabled }) -contains $true
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $externalTaggingEnabled) {
@@ -46,7 +46,7 @@ function Test-IdentifyExternalEmail {
$details = "Enabled: $($externalTaggingEnabled); AllowList: $($externalInOutlook.AllowList)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $externalTaggingEnabled
Status = if ($externalTaggingEnabled) { "Pass" } else { "Fail" }
Details = $details
@@ -56,7 +56,7 @@ function Test-IdentifyExternalEmail {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-LinkSharingRestrictions.ps1
View File

@@ -10,8 +10,8 @@ function Test-LinkSharingRestrictions {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.2.7"
Write-Verbose "Running Test-LinkSharingRestrictions for $recnum..."
$RecNum = "7.2.7"
Write-Verbose "Running Test-LinkSharingRestrictions for $RecNum..."
}
process {
try {
@@ -37,7 +37,7 @@ function Test-LinkSharingRestrictions {
DefaultSharingLinkType = "Direct"
}
#>
$SPOTenantLinkSharing = Get-CISSpoOutput -Rec $recnum
$SPOTenantLinkSharing = Get-CISSpoOutput -Rec $RecNum
$isLinkSharingRestricted = $SPOTenantLinkSharing.DefaultSharingLinkType -eq 'Direct' # Or 'SpecificPeople' as per the recommendation
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isLinkSharingRestricted) {
@@ -50,7 +50,7 @@ function Test-LinkSharingRestrictions {
$details = "DefaultSharingLinkType: $($SPOTenantLinkSharing.DefaultSharingLinkType)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isLinkSharingRestricted
Status = if ($isLinkSharingRestricted) { "Pass" } else { "Fail" }
Details = $details
@@ -60,7 +60,7 @@ function Test-LinkSharingRestrictions {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-MailTipsEnabled.ps1
View File

@@ -9,8 +9,8 @@ function Test-MailTipsEnabled {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "6.5.2"
Write-Verbose "Running Test-MailTipsEnabled for $recnum..."
$RecNum = "6.5.2"
Write-Verbose "Running Test-MailTipsEnabled for $RecNum..."
# Conditions for 6.5.2 (L2) Ensure MailTips are enabled for end users
#
# Validate test for a pass:
@@ -33,7 +33,7 @@ function Test-MailTipsEnabled {
try {
# 6.5.2 (L2) Ensure MailTips are enabled for end users
# Retrieve organization configuration for MailTips settings
$orgConfig = Get-CISExoOutput -Rec $recnum
$orgConfig = Get-CISExoOutput -Rec $RecNum
# Check the MailTips settings (Conditions A, B, C, D)
$allTipsEnabled = $orgConfig.MailTipsAllTipsEnabled -and $orgConfig.MailTipsGroupMetricsEnabled -and $orgConfig.MailTipsLargeAudienceThreshold -eq 25
$externalRecipientsTipsEnabled = $orgConfig.MailTipsExternalRecipientsTipsEnabled
@@ -52,7 +52,7 @@ function Test-MailTipsEnabled {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $allTipsEnabled -and $externalRecipientsTipsEnabled
Status = if ($allTipsEnabled -and $externalRecipientsTipsEnabled) { "Pass" } else { "Fail" }
Details = $details
@@ -62,7 +62,7 @@ function Test-MailTipsEnabled {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

22
source/tests/Test-MailboxAuditingE3.ps1
View File

@@ -24,8 +24,8 @@ function Test-MailboxAuditingE3 {
#>
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
$recnum = "6.1.2"
$version = $recnum
$RecNum = "6.1.2"
$version = $RecNum
$actionDictionaries = Get-Action -Dictionaries -Version $version
# E3 specific actions
$AdminActions = $actionDictionaries.AdminActions.Keys
@@ -33,13 +33,13 @@ function Test-MailboxAuditingE3 {
$OwnerActions = $actionDictionaries.OwnerActions.Keys
$allFailures = @()
Write-Verbose "Running Test-MailboxAuditingE3 for $recnum..."
$allUsers = Get-CISMgOutput -Rec $recnum
Write-Verbose "Running Test-MailboxAuditingE3 for $RecNum..."
$allUsers = Get-CISMgOutput -Rec $RecNum
$processedUsers = @{} # Dictionary to track processed users
}
process {
if ($null -ne $allUsers) {
$mailboxes = Get-CISExoOutput -Rec $recnum
$mailboxes = Get-CISExoOutput -Rec $RecNum
try {
foreach ($user in $allUsers) {
if ($processedUsers.ContainsKey($user.UserPrincipalName)) {
@@ -92,7 +92,7 @@ function Test-MailboxAuditingE3 {
}
# Populate the audit result
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $allFailures.Count -eq 0
Status = if ($allFailures.Count -eq 0) { "Pass" } else { "Fail" }
Details = $details
@@ -101,18 +101,18 @@ function Test-MailboxAuditingE3 {
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
Write-Error "An error occurred during the test $RecNum`:: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $RecNum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$script:FailedTests.Add([PSCustomObject]@{ Rec = $RecNum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
$auditResult = Initialize-CISAuditResult -Rec $RecNum -Failure
}
}
else {
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $false
Status = "Fail"
Details = "No M365 E3 licenses found."

22
source/tests/Test-MailboxAuditingE5.ps1
View File

@@ -24,20 +24,20 @@ function Test-MailboxAuditingE5 {
# - Condition B: AuditAdmin actions do not include all of the following: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
# - Condition C: AuditDelegate actions do not include all of the following: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules.
# - Condition D: AuditOwner actions do not include all of the following: ApplyRecord, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
$recnum = "6.1.3"
$version = $recnum
$RecNum = "6.1.3"
$version = $RecNum
$actionDictionaries = Get-Action -Dictionaries -Version $version
$AdminActions = $actionDictionaries.AdminActions.Keys
$DelegateActions = $actionDictionaries.DelegateActions.Keys
$OwnerActions = $actionDictionaries.OwnerActions.Keys
$allFailures = @()
$processedUsers = @{}
Write-Verbose "Running Test-MailboxAuditingE5 for $recnum..."
$allUsers = Get-CISMgOutput -Rec $recnum
Write-Verbose "Running Test-MailboxAuditingE5 for $RecNum..."
$allUsers = Get-CISMgOutput -Rec $RecNum
}
process {
if ($null -ne $allUsers) {
$mailboxes = Get-CISExoOutput -Rec $recnum
$mailboxes = Get-CISExoOutput -Rec $RecNum
try {
foreach ($user in $allUsers) {
if ($processedUsers.ContainsKey($user.UserPrincipalName)) {
@@ -94,7 +94,7 @@ function Test-MailboxAuditingE5 {
# $details = Initialize-LargeTestTable -lineCount 3000 # Adjust the lineCount to exceed 32,000 characters
# Populate the audit result
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $allFailures.Count -eq 0
Status = if ($allFailures.Count -eq 0) { "Pass" } else { "Fail" }
Details = $details
@@ -103,18 +103,18 @@ function Test-MailboxAuditingE5 {
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
Write-Error "An error occurred during the test $RecNum`:: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $RecNum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$script:FailedTests.Add([PSCustomObject]@{ Rec = $RecNum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
$auditResult = Initialize-CISAuditResult -Rec $RecNum -Failure
}
}
else {
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $false
Status = "Fail"
Details = "No M365 E5 licenses found."

10
source/tests/Test-ManagedApprovedPublicGroups.ps1
View File

@@ -8,8 +8,8 @@ function Test-ManagedApprovedPublicGroups {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "1.2.1"
Write-Verbose "Starting Test-ManagedApprovedPublicGroups with Rec: $recnum"
$RecNum = "1.2.1"
Write-Verbose "Starting Test-ManagedApprovedPublicGroups with Rec: $RecNum"
# Conditions for 1.2.1 (L2) Ensure that only organizationally managed/approved public groups exist (Automated)
#
# Validate test for a pass:
@@ -27,7 +27,7 @@ function Test-ManagedApprovedPublicGroups {
process {
try {
# Step: Retrieve all groups with visibility set to 'Public'
$allGroups = Get-CISMgOutput -Rec $recnum
$allGroups = Get-CISMgOutput -Rec $RecNum
# Step: Determine failure reasons based on the presence of public groups
$failureReasons = if ($null -ne $allGroups -and $allGroups.Count -gt 0) {
"There are public groups present that are not organizationally managed/approved."
@@ -45,7 +45,7 @@ function Test-ManagedApprovedPublicGroups {
}
# Step: Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $null -eq $allGroups -or $allGroups.Count -eq 0
Status = if ($null -eq $allGroups -or $allGroups.Count -eq 0) { "Pass" } else { "Fail" }
Details = $details
@@ -55,7 +55,7 @@ function Test-ManagedApprovedPublicGroups {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-MeetingChatNoAnonymous.ps1
View File

@@ -9,8 +9,8 @@ function Test-MeetingChatNoAnonymous {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.5.5"
Write-Verbose "Running Test-MeetingChatNoAnonymous for $recnum..."
$RecNum = "8.5.5"
Write-Verbose "Running Test-MeetingChatNoAnonymous for $RecNum..."
}
process {
try {
@@ -36,7 +36,7 @@ function Test-MeetingChatNoAnonymous {
MeetingChatEnabledType = "Enabled"
}
#>
$CsTeamsMeetingPolicyChat = Get-CISMSTeamsOutput -Rec $recnum
$CsTeamsMeetingPolicyChat = Get-CISMSTeamsOutput -Rec $RecNum
# Condition A: Check if the MeetingChatEnabledType is set to 'EnabledExceptAnonymous'
$chatAnonDisabled = $CsTeamsMeetingPolicyChat.MeetingChatEnabledType -eq 'EnabledExceptAnonymous'
# Prepare failure reasons and details based on compliance
@@ -49,7 +49,7 @@ function Test-MeetingChatNoAnonymous {
$details = "MeetingChatEnabledType is set to $($CsTeamsMeetingPolicyChat.MeetingChatEnabledType)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $chatAnonDisabled
Status = if ($chatAnonDisabled) { "Pass" } else { "Fail" }
Details = $details
@@ -59,7 +59,7 @@ function Test-MeetingChatNoAnonymous {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-ModernAuthExchangeOnline.ps1
View File

@@ -23,14 +23,14 @@ function Test-ModernAuthExchangeOnline {
# - Condition A: Modern authentication for Exchange Online is not enabled.
# - Condition B: Exchange Online clients do not use modern authentication to log in to Microsoft 365 mailboxes.
# - Condition C: Users of older email clients, such as Outlook 2013 and Outlook 2016, are still able to authenticate to Exchange using Basic Authentication.
$recnum = "6.5.1"
Write-Verbose "Running Test-ModernAuthExchangeOnline for $recnum..."
$RecNum = "6.5.1"
Write-Verbose "Running Test-ModernAuthExchangeOnline for $RecNum..."
}
process {
try {
# 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
# Check modern authentication setting in Exchange Online configuration (Condition A and B)
$orgConfig = Get-CISExoOutput -Rec $recnum
$orgConfig = Get-CISExoOutput -Rec $RecNum
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $orgConfig.OAuth2ClientProfileEnabled) {
"Modern authentication is disabled"
@@ -42,7 +42,7 @@ function Test-ModernAuthExchangeOnline {
$details = "OAuth2ClientProfileEnabled: $($orgConfig.OAuth2ClientProfileEnabled) for Organization: $($orgConfig.Name)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $orgConfig.OAuth2ClientProfileEnabled
Status = if ($orgConfig.OAuth2ClientProfileEnabled) { "Pass" } else { "Fail" }
Details = $details
@@ -52,7 +52,7 @@ function Test-ModernAuthExchangeOnline {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-ModernAuthSharePoint.ps1
View File

@@ -11,8 +11,8 @@ function Test-ModernAuthSharePoint {
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.2.1"
Write-Verbose "Running Test-ModernAuthSharePoint for $recnum..."
$RecNum = "7.2.1"
Write-Verbose "Running Test-ModernAuthSharePoint for $RecNum..."
<#
# Conditions for 7.2.1 (L1) Ensure modern authentication for SharePoint applications is required
## Validate test for a pass:
@@ -36,7 +36,7 @@ function Test-ModernAuthSharePoint {
LegacyAuthProtocolsEnabled = $true
}
#>
$SPOTenant = Get-CISSpoOutput -Rec $recnum
$SPOTenant = Get-CISSpoOutput -Rec $RecNum
$modernAuthForSPRequired = -not $SPOTenant.LegacyAuthProtocolsEnabled
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $modernAuthForSPRequired) {
@@ -48,7 +48,7 @@ function Test-ModernAuthSharePoint {
$details = "LegacyAuthProtocolsEnabled: $($SPOTenant.LegacyAuthProtocolsEnabled)" # Details for Condition B
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $modernAuthForSPRequired
Status = if ($modernAuthForSPRequired) { "Pass" } else { "Fail" }
Details = $details
@@ -58,7 +58,7 @@ function Test-ModernAuthSharePoint {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-NoAnonymousMeetingJoin.ps1
View File

@@ -9,8 +9,8 @@ function Test-NoAnonymousMeetingJoin {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.5.1"
Write-Verbose "Running Test-NoAnonymousMeetingJoin for $recnum..."
$RecNum = "8.5.1"
Write-Verbose "Running Test-NoAnonymousMeetingJoin for $RecNum..."
}
process {
try {
@@ -36,7 +36,7 @@ function Test-NoAnonymousMeetingJoin {
AllowAnonymousUsersToJoinMeeting = $true
}
#>
$teamsMeetingPolicy = Get-CISMSTeamsOutput -Rec $recnum
$teamsMeetingPolicy = Get-CISMSTeamsOutput -Rec $RecNum
$allowAnonymousUsersToJoinMeeting = $teamsMeetingPolicy.AllowAnonymousUsersToJoinMeeting
# Prepare failure reasons and details based on compliance
$failureReasons = if ($allowAnonymousUsersToJoinMeeting) {
@@ -48,7 +48,7 @@ function Test-NoAnonymousMeetingJoin {
$details = "AllowAnonymousUsersToJoinMeeting is set to $allowAnonymousUsersToJoinMeeting"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = -not $allowAnonymousUsersToJoinMeeting
Status = if (-not $allowAnonymousUsersToJoinMeeting) { "Pass" } else { "Fail" }
Details = $details
@@ -58,7 +58,7 @@ function Test-NoAnonymousMeetingJoin {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-NoAnonymousMeetingStart.ps1
View File

@@ -9,8 +9,8 @@ function Test-NoAnonymousMeetingStart {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.5.2"
Write-Verbose "Running Test-NoAnonymousMeetingStart for $recnum..."
$RecNum = "8.5.2"
Write-Verbose "Running Test-NoAnonymousMeetingStart for $RecNum..."
}
process {
try {
@@ -31,7 +31,7 @@ function Test-NoAnonymousMeetingStart {
# - Condition C: Verification using the UI indicates that the setting `Anonymous users and dial-in callers can start a meeting` is not set to `Off`.
# Connect to Teams PowerShell using Connect-MicrosoftTeams
# Retrieve the Teams meeting policy for the global scope and check if anonymous users can start meetings
$CsTeamsMeetingPolicyAnonymous = Get-CISMSTeamsOutput -Rec $recnum
$CsTeamsMeetingPolicyAnonymous = Get-CISMSTeamsOutput -Rec $RecNum
$anonymousStartDisabled = -not $CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting
# Prepare failure reasons and details based on compliance
$failureReasons = if ($anonymousStartDisabled) {
@@ -43,7 +43,7 @@ function Test-NoAnonymousMeetingStart {
$details = "AllowAnonymousUsersToStartMeeting is set to $($CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting)" # Condition C
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $anonymousStartDisabled
Status = if ($anonymousStartDisabled) { "Pass" } else { "Fail" }
Details = $details
@@ -53,7 +53,7 @@ function Test-NoAnonymousMeetingStart {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-NoWhitelistDomains.ps1
View File

@@ -9,8 +9,8 @@ function Test-NoWhitelistDomains {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "6.2.2"
Write-Verbose "Running Test-NoWhitelistDomains for $recnum..."
$RecNum = "6.2.2"
Write-Verbose "Running Test-NoWhitelistDomains for $RecNum..."
<#
Conditions for 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains (Automated)
Validate test for a pass:
@@ -32,7 +32,7 @@ function Test-NoWhitelistDomains {
# 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains
# Retrieve transport rules that whitelist specific domains
# Condition A: Checking for transport rules that whitelist specific domains
$whitelistedRules = Get-CISExoOutput -Rec $recnum
$whitelistedRules = Get-CISExoOutput -Rec $RecNum
# Prepare failure reasons and details based on compliance
# Condition B: Prepare failure reasons based on the presence of whitelisted rules
$failureReasons = if ($whitelistedRules) {
@@ -51,7 +51,7 @@ function Test-NoWhitelistDomains {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = -not $whitelistedRules
Status = if ($whitelistedRules) { "Fail" } else { "Pass" }
Details = $details
@@ -61,7 +61,7 @@ function Test-NoWhitelistDomains {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-NotifyMalwareInternal.ps1
View File

@@ -24,8 +24,8 @@ function Test-NotifyMalwareInternal {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "2.1.3"
Write-Verbose "Running Test-NotifyMalwareInternal for $recnum..."
$RecNum = "2.1.3"
Write-Verbose "Running Test-NotifyMalwareInternal for $RecNum..."
}
process {
try {
@@ -47,7 +47,7 @@ function Test-NotifyMalwareInternal {
}
)
#>
$malwareNotifications = Get-CISExoOutput -Rec $recnum
$malwareNotifications = Get-CISExoOutput -Rec $RecNum
# Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `True` and includes at least one valid email address for notifications.
$policiesToReport = @()
foreach ($policy in $malwareNotifications) {
@@ -73,7 +73,7 @@ function Test-NotifyMalwareInternal {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $result
Status = if ($result) { "Pass" } else { "Fail" }
Details = $details
@@ -83,7 +83,7 @@ function Test-NotifyMalwareInternal {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-OneDriveContentRestrictions.ps1
View File

@@ -24,8 +24,8 @@ function Test-OneDriveContentRestrictions {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.2.4"
Write-Verbose "Running Test-OneDriveContentRestrictions for $recnum..."
$RecNum = "7.2.4"
Write-Verbose "Running Test-OneDriveContentRestrictions for $RecNum..."
}
process {
try {
@@ -37,7 +37,7 @@ function Test-OneDriveContentRestrictions {
OneDriveSharingCapability = "ExternalUserAndGuestSharing"
}
#>
$SPOTenant = Get-CISSpoOutput -Rec $recnum
$SPOTenant = Get-CISSpoOutput -Rec $RecNum
$isOneDriveSharingRestricted = $SPOTenant.OneDriveSharingCapability -eq 'Disabled'
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isOneDriveSharingRestricted) {
@@ -55,7 +55,7 @@ function Test-OneDriveContentRestrictions {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isOneDriveSharingRestricted
Status = if ($isOneDriveSharingRestricted) { "Pass" } else { "Fail" }
Details = $details
@@ -65,7 +65,7 @@ function Test-OneDriveContentRestrictions {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-OneDriveSyncRestrictions.ps1
View File

@@ -9,8 +9,8 @@ function Test-OneDriveSyncRestrictions {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.3.2"
Write-Verbose "Running Test-OneDriveSyncRestrictions for $recnum..."
$RecNum = "7.3.2"
Write-Verbose "Running Test-OneDriveSyncRestrictions for $RecNum..."
}
process {
try {
@@ -30,7 +30,7 @@ function Test-OneDriveSyncRestrictions {
# - Condition B: "TenantRestrictionEnabled" is set to False.
# - Condition C: "AllowedDomainList" does not contain the trusted domain GUIDs from the on-premises environment.
# Retrieve OneDrive sync client restriction settings
$SPOTenantSyncClientRestriction = Get-CISSpoOutput -Rec $recnum
$SPOTenantSyncClientRestriction = Get-CISSpoOutput -Rec $RecNum
$isSyncRestricted = $SPOTenantSyncClientRestriction.TenantRestrictionEnabled -and $SPOTenantSyncClientRestriction.AllowedDomainList
# Condition A: Check if TenantRestrictionEnabled is True
# Condition B: Ensure AllowedDomainList contains trusted domains GUIDs
@@ -52,7 +52,7 @@ function Test-OneDriveSyncRestrictions {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isSyncRestricted
Status = if ($isSyncRestricted) { "Pass" } else { "Fail" }
Details = $details
@@ -62,7 +62,7 @@ function Test-OneDriveSyncRestrictions {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-OrgOnlyBypassLobby.ps1
View File

@@ -9,8 +9,8 @@ function Test-OrgOnlyBypassLobby {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.5.3"
Write-Verbose "Running Test-OrgOnlyBypassLobby for $recnum..."
$RecNum = "8.5.3"
Write-Verbose "Running Test-OrgOnlyBypassLobby for $RecNum..."
}
process {
try {
@@ -31,7 +31,7 @@ function Test-OrgOnlyBypassLobby {
# - Condition C: Verification using the Microsoft Teams admin center indicates that the meeting join & lobby settings are not configured as recommended.
# Connect to Teams PowerShell using Connect-MicrosoftTeams
# Retrieve the Teams meeting policy for lobby bypass settings
$CsTeamsMeetingPolicyLobby = Get-CISMSTeamsOutput -Rec $recnum
$CsTeamsMeetingPolicyLobby = Get-CISMSTeamsOutput -Rec $RecNum
$lobbyBypassRestricted = $CsTeamsMeetingPolicyLobby.AutoAdmittedUsers -eq 'EveryoneInCompanyExcludingGuests'
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $lobbyBypassRestricted) {
@@ -49,7 +49,7 @@ function Test-OrgOnlyBypassLobby {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $lobbyBypassRestricted
Status = if ($lobbyBypassRestricted) { "Pass" } else { "Fail" }
Details = $details
@@ -59,7 +59,7 @@ function Test-OrgOnlyBypassLobby {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-OrganizersPresent.ps1
View File

@@ -9,8 +9,8 @@ function Test-OrganizersPresent {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.5.6"
Write-Verbose "Running Test-OrganizersPresent for $recnum..."
$RecNum = "8.5.6"
Write-Verbose "Running Test-OrganizersPresent for $RecNum..."
}
process {
try {
@@ -36,7 +36,7 @@ function Test-OrganizersPresent {
DesignatedPresenterRoleMode = "Enabled"
}
#>
$CsTeamsMeetingPolicyPresenters = Get-CISMSTeamsOutput -Rec $recnum
$CsTeamsMeetingPolicyPresenters = Get-CISMSTeamsOutput -Rec $RecNum
$presenterRoleRestricted = $CsTeamsMeetingPolicyPresenters.DesignatedPresenterRoleMode -eq 'OrganizerOnlyUserOverride'
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $presenterRoleRestricted) {
@@ -53,7 +53,7 @@ function Test-OrganizersPresent {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $presenterRoleRestricted
Status = if ($presenterRoleRestricted) { "Pass" } else { "Fail" }
Details = $details
@@ -63,7 +63,7 @@ function Test-OrganizersPresent {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-PasswordHashSync.ps1
View File

@@ -24,14 +24,14 @@ function Test-PasswordHashSync {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "5.1.8.1"
Write-Verbose "Starting Test-PasswordHashSync with Rec: $recnum"
$RecNum = "5.1.8.1"
Write-Verbose "Starting Test-PasswordHashSync with Rec: $RecNum"
}
process {
try {
# 5.1.8.1 (L1) Ensure password hash sync is enabled for hybrid deployments
# Retrieve password hash sync status (Condition A and C)
$passwordHashSync = Get-CISMgOutput -Rec $recnum
$passwordHashSync = Get-CISMgOutput -Rec $RecNum
$hashSyncResult = $passwordHashSync
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $hashSyncResult) {
@@ -43,7 +43,7 @@ function Test-PasswordHashSync {
$details = "OnPremisesSyncEnabled: $($passwordHashSync)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $hashSyncResult
Status = if ($hashSyncResult) { "Pass" } else { "Fail" }
Details = $details
@@ -53,7 +53,7 @@ function Test-PasswordHashSync {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

8
source/tests/Test-PasswordNeverExpirePolicy.ps1
View File

@@ -11,7 +11,7 @@ function Test-PasswordNeverExpirePolicy {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "1.3.1"
$RecNum = "1.3.1"
$overallResult = $true
$detailsList = @()
$failureReasonsList = @()
@@ -39,7 +39,7 @@ function Test-PasswordNeverExpirePolicy {
process {
try {
# Step: Retrieve all domains or a specific domain
$domains = Get-CISMgOutput -Rec $recnum -DomainName $DomainName
$domains = Get-CISMgOutput -Rec $RecNum -DomainName $DomainName
foreach ($domain in $domains) {
$domainName = $domain.Id
$isDefault = $domain.IsDefault
@@ -68,7 +68,7 @@ function Test-PasswordNeverExpirePolicy {
$finalDetails = $detailsList -join "`n"
# Step: Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $overallResult
Status = if ($overallResult) { "Pass" } else { "Fail" }
Details = $finalDetails
@@ -78,7 +78,7 @@ function Test-PasswordNeverExpirePolicy {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-ReauthWithCode.ps1
View File

@@ -24,8 +24,8 @@ function Test-ReauthWithCode {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.2.10"
Write-Verbose "Running Test-ReauthWithCode for $recnum..."
$RecNum = "7.2.10"
Write-Verbose "Running Test-ReauthWithCode for $RecNum..."
}
process {
try {
@@ -38,7 +38,7 @@ function Test-ReauthWithCode {
EmailAttestationReAuthDays = "30"
}
#>
$SPOTenantReauthentication = Get-CISSpoOutput -Rec $recnum
$SPOTenantReauthentication = Get-CISSpoOutput -Rec $RecNum
$isReauthenticationRestricted = $SPOTenantReauthentication.EmailAttestationRequired -and $SPOTenantReauthentication.EmailAttestationReAuthDays -le 15
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $isReauthenticationRestricted) {
@@ -51,7 +51,7 @@ function Test-ReauthWithCode {
$details = "EmailAttestationRequired: $($SPOTenantReauthentication.EmailAttestationRequired); EmailAttestationReAuthDays: $($SPOTenantReauthentication.EmailAttestationReAuthDays)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isReauthenticationRestricted
Status = if ($isReauthenticationRestricted) { "Pass" } else { "Fail" }
Details = $details
@@ -61,7 +61,7 @@ function Test-ReauthWithCode {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

12
source/tests/Test-ReportSecurityInTeams.ps1
View File

@@ -9,8 +9,8 @@ function Test-ReportSecurityInTeams {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "8.6.1"
Write-Verbose "Running Test-ReportSecurityInTeams for $recnum..."
$RecNum = "8.6.1"
Write-Verbose "Running Test-ReportSecurityInTeams for $RecNum..."
}
process {
try {
@@ -24,7 +24,7 @@ function Test-ReportSecurityInTeams {
AllowSecurityEndUserReporting = $true
}
#>
$CsTeamsMessagingPolicy = Get-CISMSTeamsOutput -Rec $recnum
$CsTeamsMessagingPolicy = Get-CISMSTeamsOutput -Rec $RecNum
# Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal.
# Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses.
# $ReportSubmissionPolicy Mock Object
@@ -40,7 +40,7 @@ function Test-ReportSecurityInTeams {
ReportChatMessageToCustomizedAddressEnabled = $false
}
#>
$ReportSubmissionPolicy = Get-CISExoOutput -Rec $recnum
$ReportSubmissionPolicy = Get-CISExoOutput -Rec $RecNum
# Check if all the required settings are enabled
$securityReportEnabled = $CsTeamsMessagingPolicy.AllowSecurityEndUserReporting -and
$ReportSubmissionPolicy.ReportJunkToCustomizedAddress -and
@@ -92,7 +92,7 @@ ReportChatMessageToCustomizedAddressEnabled: True
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $securityReportEnabled
Status = if ($securityReportEnabled) { "Pass" } else { "Fail" }
Details = $details
@@ -102,7 +102,7 @@ ReportChatMessageToCustomizedAddressEnabled: True
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-RestrictCustomScripts.ps1
View File

@@ -8,8 +8,8 @@ function Test-RestrictCustomScripts {
# Dot source the class script if necessary
# . .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.3.4"
Write-Verbose "Running Test-RestrictCustomScripts for $recnum..."
$RecNum = "7.3.4"
Write-Verbose "Running Test-RestrictCustomScripts for $RecNum..."
}
process {
try {
@@ -37,7 +37,7 @@ function Test-RestrictCustomScripts {
DenyAddAndCustomizePages = "Enabled"
}
#>
$SPOSitesCustomScript = Get-CISSpoOutput -Rec $recnum
$SPOSitesCustomScript = Get-CISSpoOutput -Rec $RecNum
# Process URLs to replace 'sharepoint.com' with '<SPUrl>'
$processedUrls = $SPOSitesCustomScript | ForEach-Object {
$_.Url = $_.Url -replace 'sharepoint\.com', '<SPUrl>'
@@ -99,7 +99,7 @@ function Test-RestrictCustomScripts {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $complianceResult
Status = if ($complianceResult) { "Pass" } else { "Fail" }
Details = $details
@@ -109,7 +109,7 @@ function Test-RestrictCustomScripts {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}

10
source/tests/Test-RestrictExternalSharing.ps1
View File

@@ -24,8 +24,8 @@ function Test-RestrictExternalSharing {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.2.3"
Write-Verbose "Running Test-RestrictExternalSharing for $recnum..."
$RecNum = "7.2.3"
Write-Verbose "Running Test-RestrictExternalSharing for $RecNum..."
}
process {
try {
@@ -36,7 +36,7 @@ function Test-RestrictExternalSharing {
SharingCapability = "ExternalUserAndGuestSharing"
}
#>
$SPOTenantSharingCapability = Get-CISSpoOutput -Rec $recnum
$SPOTenantSharingCapability = Get-CISSpoOutput -Rec $RecNum
$isRestricted = $SPOTenantSharingCapability.SharingCapability -in @('ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', 'Disabled')
# Prepare failure reasons and details based on compliance
# Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "ExternalUserSharingOnly", "ExistingExternalUserSharingOnly", or "Disabled".
@@ -54,7 +54,7 @@ function Test-RestrictExternalSharing {
$details = "SharingCapability: $($SPOTenantSharingCapability.SharingCapability)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isRestricted
Status = if ($isRestricted) { "Pass" } else { "Fail" }
Details = $details
@@ -64,7 +64,7 @@ function Test-RestrictExternalSharing {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-RestrictOutlookAddins.ps1
View File

@@ -11,8 +11,8 @@ function Test-RestrictOutlookAddins {
# Initialization code
$defaultPolicyFailureDetails = @()
$relevantRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps')
$recnum = "6.3.1"
Write-Verbose "Running Test-RestrictOutlookAddins for $recnum..."
$RecNum = "6.3.1"
Write-Verbose "Running Test-RestrictOutlookAddins for $RecNum..."
# Conditions for 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed
#
# Validate test for a pass:
@@ -32,7 +32,7 @@ function Test-RestrictOutlookAddins {
# 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed
# Check all mailboxes for custom policies with unallowed add-ins
# Check Default Role Assignment Policy
$customPolicyFailures, $defaultPolicy = Get-CISExoOutput -Rec $recnum
$customPolicyFailures, $defaultPolicy = Get-CISExoOutput -Rec $RecNum
$defaultPolicyRoles = $defaultPolicy.AssignedRoles | Where-Object { $_ -in $relevantRoles }
# Condition A: Verify that the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are unchecked under Other roles.
if ($defaultPolicyRoles) {
@@ -58,7 +58,7 @@ function Test-RestrictOutlookAddins {
$isCompliant = -not ($customPolicyFailures -or $defaultPolicyFailureDetails)
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $isCompliant
Status = if ($isCompliant) { "Pass" } else { "Fail" }
Details = $detailsString
@@ -68,7 +68,7 @@ function Test-RestrictOutlookAddins {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-RestrictStorageProvidersOutlook.ps1
View File

@@ -24,14 +24,14 @@ function Test-RestrictStorageProvidersOutlook {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "6.5.3"
Write-Verbose "Running Test-RestrictStorageProvidersOutlook for $recnum..."
$RecNum = "6.5.3"
Write-Verbose "Running Test-RestrictStorageProvidersOutlook for $RecNum..."
}
process {
try {
# 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web
# Retrieve all OwaMailbox policies
$owaPolicies = Get-CISExoOutput -Rec $recnum
$owaPolicies = Get-CISExoOutput -Rec $RecNum
# Condition A: Check if AdditionalStorageProvidersAvailable is set to False
$nonCompliantPolicies = $owaPolicies | Where-Object { $_.AdditionalStorageProvidersAvailable }
# Determine compliance
@@ -51,7 +51,7 @@ function Test-RestrictStorageProvidersOutlook {
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $allPoliciesRestricted
Status = if ($allPoliciesRestricted) { "Pass" } else { "Fail" }
Details = $details
@@ -61,7 +61,7 @@ function Test-RestrictStorageProvidersOutlook {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

10
source/tests/Test-RestrictTenantCreation.ps1
View File

@@ -9,8 +9,8 @@ function Test-RestrictTenantCreation {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "5.1.2.3"
Write-Verbose "Starting Test-RestrictTenantCreation with Rec: $recnum"
$RecNum = "5.1.2.3"
Write-Verbose "Starting Test-RestrictTenantCreation with Rec: $RecNum"
<#
Conditions for 5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
Validate test for a pass:
@@ -29,7 +29,7 @@ function Test-RestrictTenantCreation {
try {
# 5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
# Retrieve the tenant creation policy
$tenantCreationPolicy = Get-CISMgOutput -Rec $recnum
$tenantCreationPolicy = Get-CISMgOutput -Rec $RecNum
$tenantCreationResult = -not $tenantCreationPolicy.AllowedToCreateTenants
# Prepare failure reasons and details based on compliance
$failureReasons = if ($tenantCreationResult) {
@@ -41,7 +41,7 @@ function Test-RestrictTenantCreation {
$details = "AllowedToCreateTenants: $($tenantCreationPolicy.AllowedToCreateTenants)"
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $tenantCreationResult
Status = if ($tenantCreationResult) { "Pass" } else { "Fail" }
Details = $details
@@ -51,7 +51,7 @@ function Test-RestrictTenantCreation {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

18
source/tests/Test-SafeAttachmentsPolicy.ps1
View File

@@ -6,8 +6,8 @@ function Test-SafeAttachmentsPolicy {
[string]$DomainName
)
begin {
$recnum = "2.1.4"
Write-Verbose "Running Test-SafeAttachmentsPolicy for $recnum..."
$RecNum = "2.1.4"
Write-Verbose "Running Test-SafeAttachmentsPolicy for $RecNum..."
<#
Conditions for 2.1.4 (L2) Ensure Safe Attachments policy is enabled:
Validate test for a pass:
@@ -36,7 +36,7 @@ function Test-SafeAttachmentsPolicy {
}
)
#>
$safeAttachmentPolicies, $safeAttachmentRules = Get-CISExoOutput -Rec $recnum
$safeAttachmentPolicies, $safeAttachmentRules = Get-CISExoOutput -Rec $RecNum
$safeAttachmentPolicies = $safeAttachmentPolicies | Where-Object { $_.Identity -in $safeAttachmentRules.SafeAttachmentPolicy }
if ($safeAttachmentPolicies -ne 1) {
try {
@@ -81,7 +81,7 @@ function Test-SafeAttachmentsPolicy {
$failureReasonsString = ($failureReasons -join "`n")
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $result
Status = if ($result) { "Pass" } else { "Fail" }
Details = $detailsString
@@ -90,18 +90,18 @@ function Test-SafeAttachmentsPolicy {
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
Write-Error "An error occurred during the test $RecNum`:: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $RecNum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$script:FailedTests.Add([PSCustomObject]@{ Rec = $RecNum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
$auditResult = Initialize-CISAuditResult -Rec $RecNum -Failure
}
}
else {
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $false
Status = "Fail"
Details = "No Safe Attachments policies found."

18
source/tests/Test-SafeAttachmentsTeams.ps1
View File

@@ -24,8 +24,8 @@ function Test-SafeAttachmentsTeams {
# - Condition B: Safe Attachments for OneDrive is not enabled.
# - Condition C: Safe Attachments for Microsoft Teams is not enabled.
# Initialization code, if needed
$recnum = "2.1.5"
Write-Verbose "Running Test-SafeAttachmentsTeams for $recnum..."
$RecNum = "2.1.5"
Write-Verbose "Running Test-SafeAttachmentsTeams for $RecNum..."
}
process {
# $atpPolicyResult Mock Object
@@ -39,7 +39,7 @@ function Test-SafeAttachmentsTeams {
}
)
#>
$atpPolicyResult = Get-CISExoOutput -Rec $recnum
$atpPolicyResult = Get-CISExoOutput -Rec $RecNum
if ($atpPolicyResult -ne 1) {
try {
# Condition A: Check Safe Attachments for SharePoint
@@ -79,7 +79,7 @@ AllowSafeDocsOpen: $($_.AllowSafeDocsOpen)
}
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $result
Status = if ($result) { "Pass" } else { "Fail" }
Details = $details
@@ -88,18 +88,18 @@ AllowSafeDocsOpen: $($_.AllowSafeDocsOpen)
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
Write-Error "An error occurred during the test $RecNum`:: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $RecNum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$script:FailedTests.Add([PSCustomObject]@{ Rec = $RecNum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
$auditResult = Initialize-CISAuditResult -Rec $RecNum -Failure
}
}
else {
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $false
Status = "Fail"
Details = "No M365 E5 licenses found."

18
source/tests/Test-SafeLinksOfficeApps.ps1
View File

@@ -9,8 +9,8 @@ function Test-SafeLinksOfficeApps {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "2.1.1"
Write-Verbose "Running Test-SafeLinksOfficeApps for $recnum..."
$RecNum = "2.1.1"
Write-Verbose "Running Test-SafeLinksOfficeApps for $RecNum..."
<#
Conditions for 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
Validate test for a pass:
@@ -38,7 +38,7 @@ function Test-SafeLinksOfficeApps {
process {
# 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
# Retrieve all Safe Links policies
$misconfiguredDetails = Get-CISExoOutput -Rec $recnum
$misconfiguredDetails = Get-CISExoOutput -Rec $RecNum
# Misconfigured details returns 1 if EXO Commands needed for the test are not available
if ($misconfiguredDetails -ne 1) {
try {
@@ -49,7 +49,7 @@ function Test-SafeLinksOfficeApps {
$failureReasons = if ($result) { "N/A" } else { "The following Safe Links policies settings do not meet the recommended configuration: $($misconfiguredDetails -join ' | ')" }
# Create and populate the CISAuditResult object
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $result
Status = if ($result) { "Pass" } else { "Fail" }
Details = $details
@@ -58,18 +58,18 @@ function Test-SafeLinksOfficeApps {
$auditResult = Initialize-CISAuditResult @params
}
catch {
Write-Error "An error occurred during the test: $_"
Write-Error "An error occurred during the test $RecNum`:: $_"
# Retrieve the description from the test definitions
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $recnum }
$testDefinition = $script:TestDefinitionsObject | Where-Object { $_.Rec -eq $RecNum }
$description = if ($testDefinition) { $testDefinition.RecDescription } else { "Description not found" }
$script:FailedTests.Add([PSCustomObject]@{ Rec = $recnum; Description = $description; Error = $_ })
$script:FailedTests.Add([PSCustomObject]@{ Rec = $RecNum; Description = $description; Error = $_ })
# Call Initialize-CISAuditResult with error parameters
$auditResult = Initialize-CISAuditResult -Rec $recnum -Failure
$auditResult = Initialize-CISAuditResult -Rec $RecNum -Failure
}
}
else {
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $false
Status = "Fail"
Details = "No M365 E5 licenses found."

10
source/tests/Test-SharePointAADB2B.ps1
View File

@@ -24,8 +24,8 @@ function Test-SharePointAADB2B {
# Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed
$recnum = "7.2.2"
Write-Verbose "Running Test-SharePointAADB2B for $recnum..."
$RecNum = "7.2.2"
Write-Verbose "Running Test-SharePointAADB2B for $RecNum..."
}
process {
try {
@@ -36,10 +36,10 @@ function Test-SharePointAADB2B {
EnableAzureADB2BIntegration = $false
}
#>
$SPOTenantAzureADB2B = Get-CISSpoOutput -Rec $recnum
$SPOTenantAzureADB2B = Get-CISSpoOutput -Rec $RecNum
# Populate the auditResult object with the required properties
$params = @{
Rec = $recnum
Rec = $RecNum
Result = $SPOTenantAzureADB2B.EnableAzureADB2BIntegration
Status = if ($SPOTenantAzureADB2B.EnableAzureADB2BIntegration) { "Pass" } else { "Fail" }
Details = "EnableAzureADB2BIntegration: $($SPOTenantAzureADB2B.EnableAzureADB2BIntegration)"
@@ -49,7 +49,7 @@ function Test-SharePointAADB2B {
}
catch {
$LastError = $_
$auditResult = Get-TestError -LastError $LastError -recnum $recnum
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
}
}
end {

Some files were not shown because too many files have changed in this diff Show More