Framework/Core/SVT/AAD/AAD.Tenant.ps1

Set-StrictMode -Version Latest 
class Tenant: SVTBase
{    
    hidden [PSObject] $AADPermissions;

    hidden [PSObject] $CASettings;
    hidden [PSObject] $AdminMFASettings;
    hidden [PSObject] $B2BSettings;
    hidden [PSObject] $MFASettings;
    hidden [PSObject] $SSPRSettings;
    hidden [PSObject] $EnterpriseAppSettings;
    hidden [PSObject] $MFABypassList;
    hidden [PSObject] $AuthNPasswordPolicySettings;
    #static [int] $RecommendedMaxDevicePerUserLimit = 20;
    hidden [PSObject] $DeviceSettings;

    hidden static [PSObject] $TenantDetails;
    hidden static [bool] $isOnPremisesSyncEnabled = $false;

    Tenant([string] $tenantId, [SVTResource] $svtResource): Base($tenantId, $svtResource) 
    {
        $this.GetAADSettings()
    }

    hidden GetAADSettings()
    {
        $this.PublishCustomMessage("`r`nQuerying tenant API endpoints. This may take a few seconds...`r`nYou may see error messages in case you don't have access to all APIs.");

        if ([Tenant]::TenantDetails -eq $null)
        {
            [Tenant]::TenantDetails = Get-MgOrganization
            [Tenant]::isOnPremisesSyncEnabled = [Tenant]::TenantDetails.OnPremisesSyncEnabled
        }

        if ($this.AADPermissions -eq $null)
        {
            $this.AADPermissions = [WebRequestHelper]::InvokeAADAPI("/api/Permissions")
        }

        if ($this.CASettings -eq $null)
        {
            $this.CASettings = [WebRequestHelper]::InvokeAADAPI("/api/PasswordReset/PasswordResetPolicies")
        }

        if ($this.AdminMFASettings -eq $null)
        {
            $this.AdminMFASettings = [WebRequestHelper]::InvokeAADAPI("/api/BaselinePolicies/RequireMfaForAdmins")
        }

        if ($this.MFASettings -eq $null)
        {
            $this.MFASettings = [WebRequestHelper]::InvokeAADAPI("/api/MultiFactorAuthentication/TenantModel")
        }

        if ($this.B2BSettings -eq $null)
        {
            $this.B2BSettings = [WebRequestHelper]::InvokeAADAPI("/api/Directories/B2BDirectoryProperties")
        }

        if ($this.DeviceSettings -eq $null)
        {
            $this.DeviceSettings = [WebRequestHelper]::InvokeAADAPI("/api/DeviceSetting")
        }

        if ($this.MFABypassList -eq $null)
        {
            $this.MFABypassList = [WebRequestHelper]::InvokeAADAPI("/api/MultifactorAuthentication/BypassedUser")
        }


        if ($this.SSPRSettings -eq $null)
        {
            $this.SSPRSettings = [WebRequestHelper]::InvokeAADAPI("/api/PasswordReset/PasswordResetPolicies")
        }
            
        if ($this.AuthNPasswordPolicySettings -eq $null) 
        {
            $this.AuthNPasswordPolicySettings = [WebRequestHelper]::InvokeAADAPI("/api/AuthenticationMethods/PasswordPolicy")
        }
    
        if ($this.EnterpriseAppSettings -eq $null)
        {
            $this.EnterpriseAppSettings = [WebRequestHelper]::InvokeAADAPI("/api/EnterpriseApplications/UserSettings")
        }

        if ([Tenant]::TenantDetails -eq $null -or
            $this.AADPermissions -eq $null -or 
            $this.CASettings -eq $null -or
            $this.AdminMFASettings -eq $null -or
            $this.MFASettings -eq $null -or
            $this.B2BSettings -eq $null -or
            $this.DeviceSettings -eq $null -or
            $this.MFABypassList -eq $null -or
            $this.SSPRSettings -eq $null -or
            $this.AuthNPasswordPolicySettings -eq $null -or
            $this.EnterpriseAppSettings -eq $null
        )
        {
            Write-Host -ForegroundColor Yellow "`nYou may not have sufficient permission to evaluate all controls.`nStatus for controls that could not be evaluated will show as 'Manual' in the report."
        }
    }
    static [bool] IsDirectorySyncEnabled()
    {
        #We need to check this because it may not get set if tenant controls are not being scanned.
        if ([Tenant]::TenantDetails -eq $null)
        {
            [Tenant]::TenantDetails = Get-MgOrganization
            [Tenant]::isOnPremisesSyncEnabled = [Tenant]::TenantDetails.OnPremisesSyncEnabled
        }
        return [Tenant]::isOnPremisesSyncEnabled
    }

    [ControlItem[]] ApplyServiceFilters([ControlItem[]] $controls)
    {
        if($controls.Count -eq 0)
        {
            return $controls;
        }

        $result = $controls;

        $sspr = $this.CASettings

        #If we definitively determine that SSPR is not enabled for this tenant, exclude SSPR-specific controls
        if ($sspr -ne $null -and $sspr.EnablementType -eq 0)
        {
            $result = $result | Where-Object {$_.Tags -notcontains "SSPR"}
        }

        return $result;
    }
    
    hidden [ControlResult] CheckTenantSecurityContactInfoIsSet([ControlResult] $controlResult)
    {
        $td = [Tenant]::TenantDetails

        $result = $false
        $missing = ""
        try {
            #Check that at least 1 email and at least 1 phone number are set.
            $bEmail = ($td.SecurityComplianceNotificationMails.Count -gt 0 -and -not [string]::IsNullOrEmpty($td.SecurityComplianceNotificationMails[0]))
            $bPhone = ($td.SecurityComplianceNotificationPhones.Count -gt 0 -and -not [string]::IsNullOrEmpty($td.SecurityComplianceNotificationPhones[0]))
            if ($bEmail -and $bPhone )
            {
                $result = $true
            }
            else {
                $missing = if (-not $bEmail) {"`n`tSecurityComplianceNotificationMails "} else {""} 
                $missing += if (-not $bPhone) {"`n`tSecurityComplianceNotificationPhone"} else {""}
            }
        }
        catch {
            $controlResult.AddMessage([VerificationResult]::Error, [MessageData]::new("Error reading Security Compliance Notification settings. Perhaps your AAD SKU does not support them."));
        }

        if ($result -eq $false)
        {
            $controlResult.AddMessage([VerificationResult]::Failed,
                                    [MessageData]::new("Security compliance notification are not correctly set for the tenant."));
            $controlResult.AddMessage("The following are missing: $missing")
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                        [MessageData]::new("Security compliance notification phone/email are both set as expected."));
        }

        return $controlResult;
    }

    hidden [ControlResult] CheckCustomBannedPasswordConfig([ControlResult] $controlResult)
    {
        
        $pps = $this.AuthNPasswordPolicySettings

        if ($pps -eq $null)
        {
            $controlResult.AddMessage([VerificationResult]::Manual,
                [MessageData]::new("Unable to evaluate control. You may not have sufficient permission"));
        }
        elseif($pps.enforceCustomBannedPasswords -eq $false -or ($pps.customBannedPasswords | Measure-Object).Count -eq 0) #Custom banned passwords not used?
        {
            $controlResult.AddMessage([VerificationResult]::Failed,
                                        [MessageData]::new("Custom banned passwords setting is disabled or banned password list is empty."));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                        [MessageData]::new("Custom banned passwords are enabled and list is correctly configured."));
        }
        return $controlResult;
    }

    hidden [ControlResult] CheckOnPremBannedPasswordsEnforced([ControlResult] $controlResult)
    {
        $pps = $this.AuthNPasswordPolicySettings

        if ($pps -eq $null)
        {
            $controlResult.AddMessage([VerificationResult]::Manual,
                [MessageData]::new("Unable to evaluate control. You may not have sufficient permission"));
        }
        elseif($pps.enableBannedPasswordCheckOnPremises -eq $false -or $pps.bannedPasswordCheckOnPremisesMode -ne 1) #Check on-prem enforcement of banned passwords
        {
                $controlResult.AddMessage([VerificationResult]::Failed,
                                        [MessageData]::new("Banned passwords check is not enabled for on-prem or mode is not set to 'Enforced'."));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                        [MessageData]::new("Banned passwords check is correctly enabled with mode set to 'Enforced'."));
        }
        return $controlResult;
    }

    hidden [ControlResult] CheckGuestsHaveLimitedAccess([ControlResult] $controlResult)
    {
        $b2b = $this.B2BSettings

        if ($b2b -eq $null)
        {
            $controlResult.AddMessage([VerificationResult]::Manual,
                [MessageData]::new("Unable to evaluate control. You may not have sufficient permission"));
        }
        elseif($b2b.restrictDirectoryAccess -ne $true) #Guests permissions are limited?
        {
                $controlResult.AddMessage([VerificationResult]::Failed,
                                        [MessageData]::new("Guest account directory permissions are not restricted."));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                        [MessageData]::new("Guest account permissions are restricted."));
        }
        return $controlResult;
    }

    hidden [ControlResult] CheckGuestsIfCanInvite([ControlResult] $controlResult)
    {
        $b2b = $this.B2BSettings
        if ($b2b -eq $null)
        {
            $controlResult.AddMessage([VerificationResult]::Manual,
                [MessageData]::new("Unable to evaluate control. You may not have sufficient permission"));
        }
        elseif($b2b.limitedAccessCanAddExternalUsers -eq $true) #Guests can invite?
        {
                $controlResult.AddMessage([VerificationResult]::Failed,
                                        [MessageData]::new("Guest have privilege to invite other guests."));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                        [MessageData]::new("Guest do not have the privilege to invite other guests."));
        }
        return $controlResult;
    }

    hidden [ControlResult] CheckBaselineMFAPolicyForAdmins([ControlResult] $controlResult)
    {
        $adminSettings = $this.AdminMFASettings
        if ($adminSettings -eq $null)
        {
            $controlResult.AddMessage([VerificationResult]::Manual,
                [MessageData]::new("Unable to evaluate control. You may not have sufficient permission"));
        }
        elseif($adminSettings.enable -eq $false -or $adminSettings.state -eq  0)
        {
            $controlResult.AddMessage([VerificationResult]::Failed,
                                        [MessageData]::new("MFA is set as 'not required' for admin accounts."));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                        [MessageData]::new("MFA is set as 'required' for admin accounts."));
        }
        return $controlResult;
    }

    hidden [ControlResult] MFACheckUsersCanNotifyFraud([ControlResult] $controlResult)
    {
        $mfa = $this.MFASettings
        if ($mfa -eq $null)
        {
            $controlResult.AddMessage([VerificationResult]::Manual,
                [MessageData]::new("Unable to evaluate control. You may not have sufficient permission"));
        }
        elseif($mfa.enableFraudAlert -eq $true) #Users can notify about fraud
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                [MessageData]::new("Users have the permission to raise fraud alerts."));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Failed,
                               [MessageData]::new("Users do not have the permission to raise fraud alerts."));

        }
        return $controlResult;
    }

    hidden [ControlResult] MFAReviewBypassedUsers([ControlResult] $controlResult)
    {
        $bp = $this.MFABypassList
        if ($bp -eq $null)
        {
            $controlResult.AddMessage([VerificationResult]::Manual,
                [MessageData]::new("Unable to evaluate control. You may not have sufficient permission")); #BUGBUG: Empty BP list case?
        }
        elseif($bp.Count -eq 0) #No users on bypass list
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                [MessageData]::new("No users found on the MFA bypass list."));
        }
        else
        {
            $bpUsers = @()
            $bp | % {$bpUsers += $_.Username}
            $bpUsersList = $bpUsers -join ", "
            $controlResult.AddMessage([VerificationResult]::Verify,
                               [MessageData]::new("Found the following users on MFA bypass list. Please review.`n`t $bpUsersList" ));

        }
        return $controlResult;
    }


    hidden [ControlResult] CheckUserPermissionsToCreateApps([ControlResult] $controlResult)
    {
        $aadPerms = $this.AADPermissions
        if ($aadPerms -eq $null)
        {
            $controlResult.AddMessage([VerificationResult]::Manual,
                                [MessageData]::new("Unable to evaluate control. You may not have sufficient permission"));
        }
        elseif ($aadPerms.allowedActions.application.Contains('create')) #has to match case
        {
            $controlResult.AddMessage([VerificationResult]::Failed,
                                [MessageData]::new("Regular users have privilege to create new apps."));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                [MessageData]::new("Regular users do not have privilege to create new apps."));
        }
        
        return $controlResult;
    }

    hidden [ControlResult] CheckEnoughGlobalAdmins([ControlResult] $controlResult)
    {

        $ca = Get-MgDirectoryRole -Filter "DisplayName eq 'Company Administrator'"
        $rm = @()

        try 
        {
            $rm = @(Get-MgDirectoryRoleMember -ObjectId $ca.ObjectId)
        }
        catch 
        {
            $rm = $null
        }
        
        $recommendedMinGlobalAdmins = $this.ControlSettings.Tenant.RecommendedMinGlobalAdmins
        if ($rm -eq $null)
        {
            $controlResult.AddMessage([VerificationResult]::Manual,
                                [MessageData]::new("Unable to evaluate control. You may not have sufficient permission"));
        }
        elseif ($rm.Count -le $recommendedMinGlobalAdmins) 
        {
            $controlResult.AddMessage([VerificationResult]::Failed,
                                [MessageData]::new("Only [$($rm.Count)] global administrator(s) found."));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                [MessageData]::new("Found [$($rm.Count)] global administrators."));
        }
        return $controlResult;
    }

    hidden [ControlResult] CheckNoGuestsInGlobalAdminRole([ControlResult] $controlResult)
    {
        #TODO: Move this to common/.ctor similar to API calls.
        #TODO: Expand this to other privileged roles (Security Admin, etc. - see AccountHelper)
        #TODO: This and other RBAC checks should cover PIM-eligible members.
        $ca = Get-MgDirectoryRole -Filter "DisplayName eq 'Company Administrator'"
        $rm = @()

        try 
        {
            $rm = @(Get-MgDirectoryRoleMember -ObjectId $ca.ObjectId)
        }
        catch 
        {
            $rm = $null
        }
        
        if ($rm -eq $null)
        {
            $controlResult.AddMessage([VerificationResult]::Manual,
                                [MessageData]::new("Unable to evaluate control. You may not have sufficient permission"));
        }
        else
        {
            $foundGuests = $false
            $guests = @()
            
            $rm | % {if ($_.ObjectType -eq 'User' -and $_.UserType -eq 'Guest') {$foundGuests = $true; $guests += "$($_.DisplayName) ($($_.ObjectId))"}}
            $guestList = $guests -join "`n`t"
            if ($foundGuests)
            {
                $controlResult.AddMessage([VerificationResult]::Failed,
                                    [MessageData]::new("Found the following 'Guest' users in Global Admin role: `n`t$guestList."));
            }
            else
            {
                $controlResult.AddMessage([VerificationResult]::Passed,
                                    [MessageData]::new("Did not find any 'Guest' member in Global Admin role."));
            }
        }
        return $controlResult;
    }

    
    hidden [ControlResult] CheckTenantDataAccessForApps([ControlResult] $controlResult)
    {
        $eas = $this.EnterpriseAppSettings

        if ($eas -eq $null)
        {
            $controlResult.AddMessage([VerificationResult]::Manual,
                [MessageData]::new("Unable to evaluate control. You may not have sufficient permission")); #BUGBUG: Empty BP list case?
        }
        elseif($eas.usersCanAllowAppsToAccessData -eq $true) #Users can approve apps to access tenant data
        {
            $controlResult.AddMessage([VerificationResult]::Failed,
                                [MessageData]::new("Users are permitted to approve app access to tenant data without admin consent."));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                               [MessageData]::new("Users are not permitted to approve app access to tenant data without admin consent." ));

        }
        return $controlResult;
    }


    hidden [ControlResult] CheckUserPermissionToInviteGuests([ControlResult] $controlResult)
    {
        $aadPerms = $this.AADPermissions

        if ($aadPerms -eq $null)
        {
            $controlResult.AddMessage([VerificationResult]::Manual,
                [MessageData]::new("Unable to evaluate control. You may not have sufficient permission"));
        }
        elseif($aadPerms.allowedActions.user.Contains('inviteguest')) #has to match case
        {
            $controlResult.AddMessage([VerificationResult]::Failed,
                                        [MessageData]::new("Regular users have privilege to invite guests."));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                        [MessageData]::new("Regular users do not have privilege to invite guests."));
        }
        return $controlResult;
    }

    hidden [ControlResult] CheckMinQuestionsForSSPR([ControlResult] $controlResult)
    {
        $sspr = $this.CASettings
        if ($sspr -eq $null)
        {
            $controlResult.AddMessage([VerificationResult]::Manual,
                [MessageData]::new("Unable to evaluate control. You may not have sufficient permission"));
        }
        elseif ($sspr.numberOfQuestionsToReset -lt 3)
        {
            $controlResult.AddMessage([VerificationResult]::Failed,
                                        [MessageData]::new("Found that less than 3 questions are required for password reset."));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                        [MessageData]::new("Found that 3 or more questions are required for password reset."));
        }
        return $controlResult;
    }

    hidden [ControlResult] CheckUserNotificationUponSSPR([ControlResult] $controlResult)
    {
        $sspr = $this.CASettings
        if ($sspr -eq $null)
        {
            $controlResult.AddMessage([VerificationResult]::Manual,
                [MessageData]::new("Unable to evaluate control. You may not have sufficient permission"));
        }
        elseif($sspr.notifyUsersOnPasswordReset -ne $true)
        {
            $controlResult.AddMessage([VerificationResult]::Failed,
                                        [MessageData]::new("User notification not configured for password resets."));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                        [MessageData]::new("User notification is configured for password resets."));
        }
        return $controlResult;
    }

    hidden [ControlResult] CheckAdminNotificationUponSSPR([ControlResult] $controlResult)
    {
        $sspr = $this.CASettings
        if ($sspr -eq $null)
        {
            $controlResult.AddMessage([VerificationResult]::Manual,
                [MessageData]::new("Unable to evaluate control. You may not have sufficient permission"));
        }
        elseif($sspr.notifyOnAdminPasswordReset -ne $true)
        {
            $controlResult.AddMessage([VerificationResult]::Failed,
                                        [MessageData]::new("Notification to all admins not configured for admin password resets."));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                        [MessageData]::new("Notification to all admins is configured for admin password resets."));
        }
        return $controlResult;
    }

    

    hidden [ControlResult] SSPRMinAuthNMethodsRequired([ControlResult] $controlResult)
    {
        $sspr = $this.SSPRSettings
        $minAuthNMethodsRequired = $this.ControlSettings.Tenant.SSPRMinAuthNMethodsRequired
        if ($sspr -eq $null)
        {
            $controlResult.AddMessage([VerificationResult]::Manual,
                [MessageData]::new("Unable to evaluate control. You may not have sufficient permission")); #BUGBUG: Empty BP list case?
        }
        elseif($sspr.numberOfAuthenticationMethodsRequired -ge $minAuthNMethodsRequired)
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                [MessageData]::new("More than one authentication methods are required to reset password."));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Failed,
                               [MessageData]::new("Ensure that at least two methods are required during a self-service password reset." ));

        }
        return $controlResult;
    }

    hidden [ControlResult] CheckRequireMFAForJoin([ControlResult] $controlResult)
    {
        $ds = $this.DeviceSettings

        if ($ds -eq $null)
        {
            $controlResult.AddMessage([VerificationResult]::Manual,
                            [MessageData]::new("Unable to evaluate control. You may not have sufficient permission"));           
        }
        else
        {
            if (-not $ds.requireMfaSetting)
            {
                    $controlResult.AddMessage([VerificationResult]::Failed,
                                            [MessageData]::new("Please enable MFA as a requirement for joining devices to the tenant."));
            }
            else
            {
                $controlResult.AddMessage([VerificationResult]::Passed,
                                            [MessageData]::new("MFA is enabled as a requirement for joining new devices to the tenant."));
            }
        }
        return $controlResult;
    }

    hidden [ControlResult] CheckMaxDeviceLimitSet([ControlResult] $controlResult)
    {
        $ds = $this.DeviceSettings

        if ($ds -eq $null)
        {
            $controlResult.AddMessage([VerificationResult]::Manual,
                                [MessageData]::new("Unable to evaluate control. You may not have sufficient permission"));           
        }
        else
        {
            $recommendedMaxDevicePerUserLimit = $this.ControlSettings.Tenant.RecommendedMaxDevicePerUserLimit
            if ($ds.maxDeviceNumberPerUserSetting -gt $recommendedMaxDevicePerUserLimit)
            {
                    $controlResult.AddMessage([VerificationResult]::Failed,
                                            [MessageData]::new("Max device per user limit is not set or too high. Recommended: ["+ $recommendedMaxDevicePerUserLimit + "]."));
            }
            else
            {
                $controlResult.AddMessage([VerificationResult]::Passed,
                                            [MessageData]::new("Max device per user limit is set at [$($ds.maxDeviceNumberPerUserSetting)]."));
            }
        }
        return $controlResult;
    }

    hidden [ControlResult] CheckPrivacyContactIsValid([ControlResult] $controlResult)
    {
        $td = [Tenant]::TenantDetails

        $ret = $false
        $msg = "No privacy profile configured for tenant."

        if ( ($td.PrivacyProfile | Measure-Object).Count -ne 0 )
        {
            if (-not [String]::IsNullOrEmpty($td.privacyProfile.contactEmail)) 
            {
                $privacyContact = $td.privacyProfile.contactEmail
                $pcUser = $null
                try 
                {
                    $pcUser = Get-AzureAdUser -ObjectId $privacyContact
                }
                catch 
                {
                    #Filter-based searches do not 'throw', they just return $null if not found.
                    $pcUser = Get-AzureADUser -Filter "UserPrincipalName eq '$privacyContact'"

                    if ($pcUser -eq $null)
                    {
                        $pcUser = Get-AzureADUser -Filter "Mail eq '$privacyContact'"
                    }
                    #TODO: worth another try? $pcUser = Get-AzureAdUser -SearchString ($privacyContact.Substring(0,$privacyContact.IndexOf('@')))
                }        
                
                if ($pcUser -eq $null) 
                {   
                    $msg ="Could not resolve privacy contact setting to an actual user: [$privacyContact]"
                }
                else
                {
                    #PCM "Checking if User: $($pcUser.DisplayName) is member"
                    if (-not ($pcUser.AccountEnabled -and $pcUser.UserType -eq 'Member')) 
                    {
                        $msg = "User [$($pcUser.DisplayName) ($privacyContact)] set as the privacy contact is either disabled or a non-member (i.e., guest) user."
                    }
                    else 
                    {
                        $ret = $true #only success point in the method.
                        $msg = "Found valid (non-guest) privacy contact set as user: [$($pcUser.DisplayName) ($privacyContact)]."
                    }
                }
            }
        }

        if ($ret -eq $false)
        {
                $controlResult.AddMessage([VerificationResult]::Failed,
                                        [MessageData]::new($msg));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                        [MessageData]::new($msg));
        }
        return $controlResult;
    }

    hidden [ControlResult] CheckPrivacyStatementIsValid([ControlResult] $controlResult)
    {
        $td = [Tenant]::TenantDetails

        if ( ($td.PrivacyProfile | Measure-Object).Count -eq 0 -or 
            [String]::IsNullOrEmpty($td.privacyProfile.statementUrl) -or 
            (-not ($td.privacyProfile.statementUrl -match [Constants]::RegExForValidURL))
        ) 
        {
        
            $controlResult.AddMessage([VerificationResult]::Failed,
                                [MessageData]::new("Privacy profile is incorrectly configured."));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                [MessageData]::new("Privacy profile is correctly configured. Privacy Statement URL: [$($td.privacyProfile.statementUrl)]"));
        }
        return $controlResult;
    }
}#class