Entra/Get-EntraTouConfig.ps1
|
<# .SYNOPSIS Evaluates whether Terms of Use agreement policies are configured in Entra ID. .DESCRIPTION Checks whether at least one Terms of Use (ToU) agreement policy exists in Entra ID and is active. This satisfies the CMMC requirement for privacy and security notices before granting system access. Requires an active Microsoft Graph connection with Agreement.Read.All permission. .PARAMETER OutputPath Optional path to export results as CSV. If not specified, results are returned to the pipeline. .EXAMPLE PS> .\Entra\Get-EntraTouConfig.ps1 Displays Terms of Use evaluation results. .EXAMPLE PS> .\Entra\Get-EntraTouConfig.ps1 -OutputPath '.\entra-tou-config.csv' Exports the evaluation to CSV. .NOTES Author: Daren9m CMMC: AC.L2-3.1.9 — Privacy and Security Notices #> [CmdletBinding()] param( [Parameter()] [ValidateNotNullOrEmpty()] [string]$OutputPath ) $ErrorActionPreference = 'Stop' $_scriptDir = if ($MyInvocation.MyCommand.Path) { Split-Path -Parent $MyInvocation.MyCommand.Path } else { $PSScriptRoot } . (Join-Path -Path $_scriptDir -ChildPath '..\Common\SecurityConfigHelper.ps1') $ctx = Initialize-SecurityConfig $settings = $ctx.Settings $checkIdCounter = $ctx.CheckIdCounter function Add-Setting { param( [string]$Category, [string]$Setting, [string]$CurrentValue, [string]$RecommendedValue, [string]$Status, [string]$CheckId = '', [string]$Remediation = '' ) $p = @{ Settings = $settings CheckIdCounter = $checkIdCounter Category = $Category Setting = $Setting CurrentValue = $CurrentValue RecommendedValue = $RecommendedValue Status = $Status CheckId = $CheckId Remediation = $Remediation } Add-SecuritySetting @p } # ------------------------------------------------------------------ # 1. Check for Terms of Use agreements # ------------------------------------------------------------------ try { Write-Verbose 'Checking for Terms of Use agreements...' $graphParams = @{ Method = 'GET' Uri = '/v1.0/agreements' ErrorAction = 'Stop' } $agreements = Invoke-MgGraphRequest @graphParams $agreementList = @() if ($agreements -and $agreements['value']) { $agreementList = @($agreements['value']) } $agreementCount = $agreementList.Count $activeAgreements = @($agreementList | Where-Object { $_['isViewingBeforeAcceptanceRequired'] -eq $true }) $status = if ($activeAgreements.Count -gt 0) { 'Pass' } elseif ($agreementCount -gt 0) { 'Warning' } else { 'Fail' } $currentValue = switch ($status) { 'Pass' { "$($activeAgreements.Count) agreement(s) with acceptance required before viewing" } 'Warning' { "Agreement exists but acceptance not required before viewing" } default { 'No agreements configured' } } $settingParams = @{ Category = 'Terms of Use' Setting = 'Terms of Use Agreement Policy' CurrentValue = $currentValue RecommendedValue = 'At least one Terms of Use agreement with isViewingBeforeAcceptanceRequired = true' Status = $status CheckId = 'ENTRA-TOU-001' Remediation = 'Entra admin center > Identity Governance > Terms of use. Verify agreements have "Require users to expand the terms of use" enabled and are assigned via Conditional Access policies.' } Add-Setting @settingParams } catch { if ($_.Exception.Message -match '403|Forbidden|Authorization') { $settingParams = @{ Category = 'Terms of Use' Setting = 'Terms of Use Agreement Policy' CurrentValue = 'Insufficient permissions' RecommendedValue = 'At least one Terms of Use agreement configured and assigned' Status = 'Review' CheckId = 'ENTRA-TOU-001' Remediation = 'Requires Agreement.Read.All permission.' } Add-Setting @settingParams } else { Write-Warning "Could not check Terms of Use configuration: $_" } } # ------------------------------------------------------------------ # Output results # ------------------------------------------------------------------ Export-SecurityConfigReport -Settings $settings -OutputPath $OutputPath -ServiceLabel 'Entra ToU' |