Public/Get-NLBaselineCAPolicyDetails.ps1

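function Get-NLBaselineCAPolicyDetails {
    <#
    .SYNOPSIS
    Get detailed information about Conditional Access policies

    .DESCRIPTION
    Retrieves the Conditional Access policies and summarises, per policy, how many
    directory roles are in the include/exclude lists and whether guests or external
    users are included or excluded. The summary is printed to the host, saved as JSON
    and CSV in a "PolicyDetails" folder under the configured StoragePath (when that
    path exists), and returned to the caller.

    Only the role and guest/external-user conditions are inspected. Exclusions made
    through other conditions are not reflected in this summary, so it is not a complete
    picture of who a policy skips.

    .PARAMETER PolicyType
    Which details to include in the output: 'All' (default), 'Guest' or 'AdminRoles'.

    .OUTPUTS
    PSCustomObject per policy with DisplayName, Id, State and, depending on PolicyType,
    CurrentAdminRoles and/or CurrentGuestStatus. Nothing is returned on failure.

    .NOTES
    The saved reports show which policies carry role or guest exclusions. Keep the
    storage directory readable only by the administrators who need it.

    .EXAMPLE
    Get-NLBaselineCAPolicyDetails

    .EXAMPLE
    Get-NLBaselineCAPolicyDetails -PolicyType Guest

    .EXAMPLE
    Get-NLBaselineCAPolicyDetails -PolicyType AdminRoles
    #>

    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $false)]
        [ValidateSet('All', 'Guest', 'AdminRoles')]
        [string]$PolicyType = 'All'
    )

    try {
        # Make sure there is a Graph session bound to a tenant before querying.
        $context = Get-MgContext -ErrorAction SilentlyContinue
        if (-not $context -or -not $context.TenantId) {
            Write-Host "Not connected to Microsoft 365. Connecting..." -ForegroundColor Yellow
            Write-Host ""
            $connection = Connect-NLBaselineCA
            if (-not $connection) {
                Write-Error "Cannot connect to Microsoft 365"
                return
            }
        }

        Write-Host "Retrieving Conditional Access policies..." -ForegroundColor Yellow
        $policies = Get-AllConditionalAccessPolicies

        if (-not $policies) {
            Write-Warning "No policies retrieved from Microsoft Graph"
            return @()
        }

        # Wrap in @() so a single policy object is counted and iterated as one item.
        $policyList = @($policies)
        Write-Host "Processing $($policyList.Count) policies..." -ForegroundColor Gray
        Write-Host ""

        $wantAdminRoles = $PolicyType -in @('All', 'AdminRoles')
        $wantGuests     = $PolicyType -in @('All', 'Guest')

        # Collect the loop output directly instead of growing an array with +=.
        $formattedPolicies = @(
            foreach ($policy in $policyList) {
                $userConditions = $policy.Conditions.Users

                # Build the admin roles status
                $adminRolesStatus = @()
                if ($wantAdminRoles) {
                    if ($userConditions.IncludeRoles -and $userConditions.IncludeRoles.Count -gt 0) {
                        $adminRolesStatus += "Include: $($userConditions.IncludeRoles.Count) roles"
                    }

                    if ($userConditions.ExcludeRoles -and $userConditions.ExcludeRoles.Count -gt 0) {
                        $adminRolesStatus += "Exclude: $($userConditions.ExcludeRoles.Count) roles"
                    }
                }

                # Build the guest status
                $guestStatus = @()
                if ($wantGuests) {
                    if ($userConditions.IncludeGuestsOrExternalUsers) {
                        $guestStatus += "Include: Guest/External Users"
                    }

                    if ($userConditions.ExcludeGuestsOrExternalUsers) {
                        $guestStatus += "Exclude: Guest/External Users"
                    }
                }

                # Format status strings
                $currentAdminRoles = if ($adminRolesStatus.Count -gt 0) {
                    $adminRolesStatus -join ' | '
                } else {
                    "No admin roles configured"
                }

                $currentGuestStatus = if ($guestStatus.Count -gt 0) {
                    $guestStatus -join ' | '
                } else {
                    "No guest configuration"
                }

                # Properties common to every PolicyType
                $outputObject = [ordered]@{
                    DisplayName = $policy.DisplayName
                    Id          = $policy.Id
                    State       = $policy.State
                }

                # Add type-specific properties based on PolicyType
                switch ($PolicyType) {
                    'All' {
                        $outputObject['CurrentAdminRoles'] = $currentAdminRoles
                        $outputObject['CurrentGuestStatus'] = $currentGuestStatus
                    }
                    'Guest' {
                        $outputObject['CurrentGuestStatus'] = $currentGuestStatus
                    }
                    'AdminRoles' {
                        $outputObject['CurrentAdminRoles'] = $currentAdminRoles
                    }
                }

                [PSCustomObject]$outputObject
            }
        )

        # Display results
        Write-Host "========================================" -ForegroundColor Cyan
        Write-Host " POLICY DETAILS" -ForegroundColor Cyan
        Write-Host "========================================" -ForegroundColor Cyan
        Write-Host ""

        # Send the table to the host. Without Out-Host the formatting records would be
        # written to the output stream and mixed into the value the caller receives.
        $formattedPolicies | Format-Table -AutoSize | Out-Host

        # Save to file. A failure here is reported as a warning so the results that
        # were already gathered are still returned.
        try {
            $moduleConfigPath = Get-ConfigPath
            if ($moduleConfigPath -and (Test-Path $moduleConfigPath)) {
                $moduleConfig = Get-Content $moduleConfigPath -Raw | ConvertFrom-Json
                $storagePath = $moduleConfig.StoragePath

                # Test-Path throws on a null path, so check that StoragePath is set first.
                if ($storagePath -and (Test-Path $storagePath)) {
                    $reportPath = Join-Path $storagePath "PolicyDetails"
                    if (-not (Test-Path $reportPath)) {
                        New-Item -Path $reportPath -ItemType Directory -Force -ErrorAction Stop | Out-Null
                    }

                    $timestamp = Get-Date -Format "yyyyMMdd-HHmmss"
                    $reportFile = Join-Path $reportPath "policy-details-$PolicyType-$timestamp.json"
                    $reportFileCsv = Join-Path $reportPath "policy-details-$PolicyType-$timestamp.csv"

                    # -ErrorAction Stop keeps "Report saved" from being printed after a failed write.
                    $formattedPolicies | ConvertTo-Json -Depth 10 |
                        Out-File -FilePath $reportFile -Encoding UTF8 -ErrorAction Stop
                    $formattedPolicies |
                        Export-Csv -Path $reportFileCsv -NoTypeInformation -Encoding UTF8 -ErrorAction Stop

                    Write-Host ""
                    Write-Host "Report saved:" -ForegroundColor Green
                    Write-Host " JSON: $reportFile" -ForegroundColor White
                    Write-Host " CSV: $reportFileCsv" -ForegroundColor White
                    Write-Host ""
                }
            }
        }
        catch {
            Write-Warning "Could not save policy details report: $_"
        }

        return $formattedPolicies
    }
    catch {
        Write-Error "Failed to retrieve or process Conditional Access Policies: $_"
        return @()
    }
}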