M365FoundationsCISReport/source/tests/Test-AdministrativeAccountCompliance.ps1

function Test-AdministrativeAccountCompliance {
    [CmdletBinding()]
    param ()
    begin {
        # The following conditions are checked:
        # Condition A: The administrative account is cloud-only (not synced).
        # Condition B: The account is assigned a valid license (e.g., Microsoft Entra ID P1 or P2).
        # Condition C: The administrative account does not have any other application assignments (only valid licenses).
        $validLicenses = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')
        $RecNum = "1.1.1"
        Write-Verbose "Starting Test-AdministrativeAccountCompliance with Rec: $RecNum"
    }
    process {
        try {
            # Retrieve admin roles, assignments, and user details including licenses
            Write-Verbose "Retrieving admin roles, assignments, and user details including licenses"
            $adminRoleAssignments = Get-CISMgOutput -Rec $RecNum
            $adminRoleUsers = @()
            foreach ($roleName in $adminRoleAssignments.Keys) {
                $assignments = $adminRoleAssignments[$roleName]
                foreach ($assignment in $assignments) {
                    $userDetails = $assignment.UserDetails
                    $userId = $userDetails.Id
                    $userPrincipalName = $userDetails.UserPrincipalName
                    $licenses = $assignment.Licenses
                    $licenseString = if ($licenses) { ($licenses.SkuPartNumber -join '|') } else { "No Licenses Found" }
                    # Condition A: Check if the account is cloud-only
                    $cloudOnlyStatus = if ($userDetails.OnPremisesSyncEnabled) { "Fail" } else { "Pass" }
                    # Condition B: Check if the account has valid licenses
                    $hasValidLicense = $licenses.SkuPartNumber | ForEach-Object { $validLicenses -contains $_ }
                    $validLicensesStatus = if ($hasValidLicense) { "Pass" } else { "Fail" }
                    # Condition C: Check if the account has no other licenses
                    $hasInvalidLicense = $licenses.SkuPartNumber | ForEach-Object { $validLicenses -notcontains $_ }
                    $invalidLicenses = $licenses.SkuPartNumber | Where-Object { $validLicenses -notcontains $_ }
                    $applicationAssignmentStatus = if ($hasInvalidLicense) { "Fail" } else { "Pass" }
                    Write-Verbose "User: $userPrincipalName, Cloud-Only: $cloudOnlyStatus, Valid Licenses: $validLicensesStatus, Invalid Licenses: $($invalidLicenses -join ', ')"
                    # Collect user information
                    $adminRoleUsers += [PSCustomObject]@{
                        UserName                    = $userPrincipalName
                        RoleName                    = $roleName
                        UserId                      = $userId
                        HybridUser                  = $userDetails.OnPremisesSyncEnabled
                        Licenses                    = $licenseString
                        CloudOnlyStatus             = $cloudOnlyStatus
                        ValidLicensesStatus         = $validLicensesStatus
                        ApplicationAssignmentStatus = $applicationAssignmentStatus
                    }
                }
            }
            # Group admin role users by UserName and collect unique roles and licenses
            Write-Verbose "Grouping admin role users by UserName"
            $uniqueAdminRoleUsers = $adminRoleUsers | Group-Object -Property UserName | ForEach-Object {
                $first = $_.Group | Select-Object -First 1
                $roles = ($_.Group.RoleName -join ', ')
                $licenses = (($_.Group | Select-Object -ExpandProperty Licenses) -join ',').Split(',') | Select-Object -Unique
                $first | Select-Object UserName, UserId, HybridUser, @{Name = 'Roles'; Expression = { $roles } }, @{Name = 'Licenses'; Expression = { $licenses -join '|' } }, CloudOnlyStatus, ValidLicensesStatus, ApplicationAssignmentStatus
            }
            # Identify non-compliant users based on conditions A, B, and C
            Write-Verbose "Identifying non-compliant users based on conditions"
            $nonCompliantUsers = $uniqueAdminRoleUsers | Where-Object {
                $_.HybridUser -or # Fails Condition A
                $_.ValidLicensesStatus -eq "Fail" -or # Fails Condition B
                $_.ApplicationAssignmentStatus -eq "Fail" # Fails Condition C
            }
            # Generate failure reasons
            Write-Verbose "Generating failure reasons for non-compliant users"
            $failureReasons = $nonCompliantUsers | ForEach-Object {
                "$($_.UserName)|$($_.Roles)|$($_.CloudOnlyStatus)|$($_.ValidLicensesStatus)|$($_.ApplicationAssignmentStatus)"
            }
            $failureReasons = $failureReasons -join "`n"
            $failureReason = if ($nonCompliantUsers) {
                "Non-Compliant Accounts: $($nonCompliantUsers.Count)"
            }
            else {
                "Compliant Accounts: $($uniqueAdminRoleUsers.Count)"
            }
            $result = $nonCompliantUsers.Count -eq 0
            $status = if ($result) { 'Pass' } else { 'Fail' }
            $details = if ($nonCompliantUsers) { "Username | Roles | Cloud-Only Status | EntraID P1/P2 License Status | Other Applications Assigned Status`n$failureReasons" } else { "N/A" }
            Write-Verbose "Assessment completed. Result: $status"
            # Create the parameter splat
            $params = @{
                Rec           = $RecNum
                Result        = $result
                Status        = $status
                Details       = $details
                FailureReason = $failureReason
            }
            $auditResult = Initialize-CISAuditResult @params
        }
        catch {
            $LastError = $_
            $auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
        }
    }
    end {
        # Output the result
        return $auditResult
    }
}