63 lines
3.0 KiB
PowerShell
63 lines
3.0 KiB
PowerShell
function Test-ModernAuthExchangeOnline {
|
|
[CmdletBinding()]
|
|
[OutputType([CISAuditResult])]
|
|
param (
|
|
# Aligned
|
|
# Define your parameters here
|
|
)
|
|
begin {
|
|
# Dot source the class script if necessary
|
|
#. .\source\Classes\CISAuditResult.ps1
|
|
# Conditions for 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
|
|
#
|
|
# Validate test for a pass:
|
|
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
|
# - Specific conditions to check:
|
|
# - Condition A: Modern authentication for Exchange Online is enabled.
|
|
# - Condition B: Exchange Online clients use modern authentication to log in to Microsoft 365 mailboxes.
|
|
# - Condition C: Users of older email clients, such as Outlook 2013 and Outlook 2016, are no longer able to authenticate to Exchange using Basic Authentication.
|
|
#
|
|
# Validate test for a fail:
|
|
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
|
# - Specific conditions to check:
|
|
# - Condition A: Modern authentication for Exchange Online is not enabled.
|
|
# - Condition B: Exchange Online clients do not use modern authentication to log in to Microsoft 365 mailboxes.
|
|
# - Condition C: Users of older email clients, such as Outlook 2013 and Outlook 2016, are still able to authenticate to Exchange using Basic Authentication.
|
|
$RecNum = "6.5.1"
|
|
Write-Verbose "Running Test-ModernAuthExchangeOnline for $RecNum..."
|
|
}
|
|
process {
|
|
try {
|
|
# 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
|
|
# Check modern authentication setting in Exchange Online configuration (Condition A and B)
|
|
$orgConfig = Get-CISExoOutput -Rec $RecNum
|
|
# Prepare failure reasons and details based on compliance
|
|
$failureReasons = if (-not $orgConfig.OAuth2ClientProfileEnabled) {
|
|
"Modern authentication is disabled"
|
|
}
|
|
else {
|
|
"N/A"
|
|
}
|
|
# Details include the current setting (Condition A and B)
|
|
$details = "OAuth2ClientProfileEnabled: $($orgConfig.OAuth2ClientProfileEnabled) for Organization: $($orgConfig.Name)"
|
|
# Create and populate the CISAuditResult object
|
|
$params = @{
|
|
Rec = $RecNum
|
|
Result = $orgConfig.OAuth2ClientProfileEnabled
|
|
Status = if ($orgConfig.OAuth2ClientProfileEnabled) { "Pass" } else { "Fail" }
|
|
Details = $details
|
|
FailureReason = $failureReasons
|
|
}
|
|
$auditResult = Initialize-CISAuditResult @params
|
|
}
|
|
catch {
|
|
$LastError = $_
|
|
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
|
|
}
|
|
}
|
|
end {
|
|
# Return the audit result
|
|
return $auditResult
|
|
}
|
|
}
|