M365FoundationsCISReport/source/tests/Test-RestrictCustomScripts.ps1

function Test-RestrictCustomScripts {
    [CmdletBinding()]
    param (
        # Aligned
        # Define your parameters here if needed
    )

    begin {
        # Dot source the class script if necessary
        #. .\source\Classes\CISAuditResult.ps1
        # Initialization code, if needed
    }

    process {
        # 7.3.4 (L1) Ensure custom script execution is restricted on site collections

        # Retrieve all site collections and select necessary properties
        $SPOSitesCustomScript = Get-SPOSite -Limit All | Select-Object Title, Url, DenyAddAndCustomizePages

        # Find sites where custom scripts are allowed (DenyAddAndCustomizePages is not 'Enabled')
        $customScriptAllowedSites = $SPOSitesCustomScript | Where-Object { $_.DenyAddAndCustomizePages -ne 'Enabled' }

        # Compliance is true if no sites allow custom scripts
        $complianceResult = $customScriptAllowedSites.Count -eq 0

        # Gather details for non-compliant sites (where custom scripts are allowed)
        $nonCompliantSiteDetails = $customScriptAllowedSites | ForEach-Object {
            "$($_.Title) ($($_.Url)): Custom Script Allowed"
        }

        # Prepare failure reasons and details based on compliance
        $failureReasons = if (-not $complianceResult) {
            "The following site collections allow custom script execution: " + ($nonCompliantSiteDetails -join "; ")
        }
        else {
            "N/A"
        }

        $details = if ($complianceResult) {
            "All site collections have custom script execution restricted"
        }
        else {
            $nonCompliantSiteDetails -join "; "
        }

        # Create and populate the CISAuditResult object
        $params = @{
            Rec            = "7.3.4"
            Result         = $complianceResult
            Status         = if ($complianceResult) { "Pass" } else { "Fail" }
            Details        = $details
            FailureReason  = $failureReasons
            RecDescription = "Ensure custom script execution is restricted on site collections"
            CISControl     = "2.7"
            CISDescription = "Allowlist Authorized Scripts"
        }
        $auditResult = Initialize-CISAuditResult @params
    }

    end {
        # Return auditResult
        return $auditResult
    }
}