Checks/Azure/Test-EntraPolicyGuestInviteOnlyForAdminRole.ps1

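function Test-EntraPolicyGuestInviteOnlyForAdminRole {
    <#
    .SYNOPSIS
        Tests if guest invitations are restricted to admin roles.

    .DESCRIPTION
        This check verifies that the authorization policy setting 'allowInvitesFrom'
        is set to 'adminsAndGuestInviters' or 'none', restricting who can invite
        guest users to the organization.

        Valid values for allowInvitesFrom:
        - none: No one can invite guests
        - adminsAndGuestInviters: Only admins and users with Guest Inviter role
        - adminsGuestInvitersAndAllMembers: All members and above
        - everyone: Anyone including guests

        Any other value - including a missing or empty 'allowInvitesFrom' on the
        returned policy object - is reported as FAIL, so an unreadable setting can
        never silently pass the check. The policy itself being unavailable (no data
        collected, typically a permissions problem) is reported as SKIPPED.

    .PARAMETER CheckMetadata
        Hashtable containing check metadata including id and severity. It is passed
        through unchanged to New-CIEMFinding.

    .OUTPUTS
        PSCustomObject[] - the finding object(s) emitted by New-CIEMFinding.

    .EXAMPLE
        Test-EntraPolicyGuestInviteOnlyForAdminRole -CheckMetadata $metadata
    #>

    [CmdletBinding()]
    [OutputType([PSCustomObject[]])]
    param(
        [Parameter(Mandatory)]
        [hashtable]$CheckMetadata
    )

    $ErrorActionPreference = 'Stop'

    # Settings that either disable invitations outright or limit them to
    # privileged principals (admins and holders of the Guest Inviter role).
    # String comparison via -in is case-insensitive by default in PowerShell.
    $acceptableValues = @('none', 'adminsAndGuestInviters')

    $policyData = $script:EntraService.AuthorizationPolicy

    # No policy data at all: the collector could not read it, so the check
    # cannot be evaluated and must not be reported as either PASS or FAIL.
    if (-not $policyData) {
        $skipParams = @{
            CheckMetadata  = $CheckMetadata
            Status         = 'SKIPPED'
            StatusExtended = 'Unable to retrieve authorization policy - missing permissions'
            ResourceId     = 'N/A'
            ResourceName   = 'Authorization Policy'
        }
        New-CIEMFinding @skipParams
        return
    }

    # The collector may hand back the policy wrapped in an array (e.g. a Graph
    # 'value' collection). A tenant has a single authorization policy, so the
    # first item is the one to evaluate.
    $authPolicy = if ($policyData -is [array]) {
        $policyData | Select-Object -First 1
    }
    else {
        $policyData
    }

    # Coerce to [string] so a missing property becomes '' rather than $null,
    # which keeps the emptiness test and the message interpolation predictable.
    $allowInvitesFrom = [string]$authPolicy.allowInvitesFrom

    $findingParams = @{
        CheckMetadata = $CheckMetadata
        ResourceId    = $authPolicy.id
        ResourceName  = 'Authorization Policy'
    }

    if ([string]::IsNullOrWhiteSpace($allowInvitesFrom)) {
        # Fail closed: a policy object that does not expose the setting cannot be
        # proven restrictive, and Entra's default for this setting is permissive.
        $findingParams.Status         = 'FAIL'
        $findingParams.StatusExtended = "Unable to determine guest invite restrictions: 'allowInvitesFrom' is missing from the returned authorization policy. Should be 'adminsAndGuestInviters' or 'none' to restrict guest invitations to admin roles only."
    }
    elseif ($allowInvitesFrom -in $acceptableValues) {
        # Describe what the accepted value actually permits, so the finding does
        # not overstate 'none' or understate the Guest Inviter role.
        $effect = if ($allowInvitesFrom -eq 'none') {
            'no one can invite guest users'
        }
        else {
            'only admins and users holding the Guest Inviter role can invite guest users'
        }
        $findingParams.Status         = 'PASS'
        $findingParams.StatusExtended = "Guest invite restrictions are properly configured. Current setting: '$allowInvitesFrom' - $effect."
    }
    else {
        # Covers 'adminsGuestInvitersAndAllMembers', 'everyone', and any value
        # this check does not recognise.
        $findingParams.Status         = 'FAIL'
        $findingParams.StatusExtended = "Guest invite restrictions are too permissive. Current setting: '$allowInvitesFrom'. Should be 'adminsAndGuestInviters' or 'none' to restrict guest invitations to admin roles only."
    }

    New-CIEMFinding @findingParams
}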