Src/Private/Get-AbrIntuneSecurityBaselines.ps1
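function Get-AbrIntuneSecurityBaselines {
    <#
    .SYNOPSIS
        Documents Intune Security Baselines and Endpoint Security policies.
    .DESCRIPTION
        Collects and reports on:
        - Security Baseline profiles (MDM Security Baseline, Defender for Endpoint, etc.)
          read from the beta-only deviceManagement/intents endpoint, following
          @odata.nextLink so a multi-page result is not silently truncated
        - Per-profile assignment (included/excluded groups), scope tags and
          last-modified date
        Sets $script:TotalSecurityBaselines and, when the corresponding outputs are
        enabled, $script:BackupData['SecurityBaselines'] (raw Graph objects) and
        $script:ExcelSheets['Security Baselines'] (the rendered rows).
        A Graph failure (notably a 403 for missing permissions) is surfaced as a
        section/permission error rather than being reported as "no profiles found".
    .PARAMETER TenantId
        Tenant identifier; used in headings, captions and log messages only.
    .NOTES
        Version:        0.1.0
        Author:         Pai Wei Sing
    #>
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory)]
        [string]$TenantId
    )

    begin {
        Write-PScriboMessage -Message "Collecting Intune Security Baselines for $TenantId."
        Show-AbrDebugExecutionTime -Start -TitleMessage 'Security Baselines'
    }

    process {
        Section -Style Heading2 'Security Baselines' {
            Paragraph "The following section documents Security Baseline profiles configured in tenant $TenantId."
            BlankLine
            try {
                Write-Host " - Retrieving security baseline templates..."

                # /beta required -- deviceManagement/intents is beta-only.
                # -ErrorAction Stop so that an HTTP failure (e.g. 403) reaches the
                # catch block below instead of producing a null response that would
                # be rendered as "No Security Baseline profiles found".
                $Uri = "$($script:GraphEndpoint)/beta/deviceManagement/intents?`$expand=assignments"
                $IntentList = [System.Collections.Generic.List[object]]::new()
                while ($Uri) {
                    $Resp = Invoke-MgGraphRequest -Method GET -Uri $Uri -ErrorAction Stop
                    foreach ($Item in @($Resp.value)) {
                        # @() of a null .value yields a single null element -- skip it
                        if ($null -ne $Item) { $IntentList.Add($Item) }
                    }
                    # Graph pages large collections; keep following until exhausted
                    $Uri = $Resp.'@odata.nextLink'
                }
                $BaselineIntents = $IntentList.ToArray()
                $script:TotalSecurityBaselines = $BaselineIntents.Count

                if ($BaselineIntents.Count -gt 0) {
                    $BaselineObj = [System.Collections.ArrayList]::new()
                    foreach ($Intent in ($BaselineIntents | Sort-Object displayName)) {
                        $assignResolved = Resolve-IntuneAssignments -Assignments $Intent.assignments -CheckMemberCount:$script:CheckEmptyGroups

                        # Scope tag names are looked up only when the report asks for
                        # it and the intent carries tag IDs; otherwise 'Default'.
                        $scopeTagStr = if ($script:ResolveScopeTagNames -and $Intent.roleScopeTagIds) {
                            Get-IntuneScopeTagNames -ScopeTagIds $Intent.roleScopeTagIds
                        } else {
                            'Default'
                        }

                        $baselineInObj = [ordered] @{
                            'Baseline Name'   = $Intent.displayName
                            'Template ID'     = if ($Intent.templateId) { $Intent.templateId } else { '--' }
                            'Is Assigned'     = ($Intent.isAssigned -eq $true)
                            'Included Groups' = $assignResolved.IncludedGroups
                            # The column stays present (empty) when excluded groups are
                            # hidden so the seven ColumnWidths below still line up.
                            'Excluded Groups' = if ($script:ShowExcludedGroups) { $assignResolved.ExcludedGroups } else { $null }
                            'Scope Tags'      = $scopeTagStr
                            'Last Modified'   = if ($Intent.lastModifiedDateTime) { ([datetime]$Intent.lastModifiedDateTime).ToString('yyyy-MM-dd') } else { '--' }
                        }
                        $null = $BaselineObj.Add([pscustomobject](ConvertTo-HashToYN $baselineInObj))
                    }

                    # Health check: highlight baselines whose resolved included-group
                    # list is '--' (presumably no assignment -- see Resolve-IntuneAssignments).
                    if ($HealthCheck.Intune.SecurityBaselines) {
                        $BaselineObj | Where-Object { $_.'Included Groups' -eq '--' } | Set-Style -Style Warning | Out-Null
                    }

                    $BaselineTableParams = @{
                        Name         = "Security Baseline Profiles - $TenantId"
                        ColumnWidths = 24, 18, 9, 22, 12, 8, 7
                    }
                    if ($Report.ShowTableCaptions) {
                        $BaselineTableParams['Caption'] = "- $($BaselineTableParams.Name)"
                    }
                    $BaselineObj | Table @BaselineTableParams

                    if (Get-IntuneBackupSectionEnabled -SectionKey 'SecurityBaselines') {
                        $script:BackupData['SecurityBaselines'] = $BaselineIntents
                    }
                    if (Get-IntuneExcelSheetEnabled -SheetKey 'SecurityBaselines') {
                        $script:ExcelSheets['Security Baselines'] = $BaselineObj
                    }
                } else {
                    Paragraph "No Security Baseline profiles found in tenant $TenantId."
                }
            } catch {
                if (Test-AbrGraphForbidden -ErrorRecord $_) {
                    Write-AbrPermissionError -Section 'Security Baselines' -RequiredRole 'Intune Service Administrator or Global Administrator'
                } else {
                    Write-AbrSectionError -Section 'Security Baselines' -Message "$($_.Exception.Message)"
                }
            }
        }
    }

    end {
        Show-AbrDebugExecutionTime -End -TitleMessage 'Security Baselines'
    }
}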