Public/Get-GkCrossTenantAccess.ps1
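function Get-GkCrossTenantAccess {
    <#
    .SYNOPSIS
    Report cross-tenant access (B2B) settings: the default policy and any partner overrides.

    .DESCRIPTION
    Reads GET /policies/crossTenantAccessPolicy/default and /partners, and emits one row for the
    default plus one per configured partner, summarizing the inbound trust settings (whether MFA,
    compliant-device, and hybrid-joined claims from the partner are trusted).

    The three Trust* columns are strict booleans: a claim that is absent from the payload is
    reported as $false (not trusted), never as trusted. InboundTrustConfigured records whether the
    row's payload carried an inboundTrust object at all, so "no partner-specific inbound trust
    returned" can be told apart from "explicitly not trusted". For such a partner row consult the
    Default row for the effective setting.

    Requires Policy.Read.All. (Full identity-synchronization detail needs a higher role and is
    not surfaced here.)

    .PARAMETER AsReport
    Add a ReportGeneratedUtc column.

    .EXAMPLE
    Get-GkCrossTenantAccess

    The default cross-tenant policy and any partner-specific configurations.

    .EXAMPLE
    Get-GkCrossTenantAccess | Where-Object { $_.Scope -ne 'Default' }

    Only partner-specific overrides.

    .EXAMPLE
    Get-GkCrossTenantAccess -AsReport | Export-Csv .\cross-tenant.csv -NoTypeInformation

    .OUTPUTS
    PSGraphKit.CrossTenantAccess
    #>
    [CmdletBinding()]
    [OutputType('PSGraphKit.CrossTenantAccess')]
    param(
        [switch] $AsReport
    )

    begin {
        Test-GkConnection -FunctionName 'Get-GkCrossTenantAccess' | Out-Null
        # Captured once so every row of one run carries the same ReportGeneratedUtc value.
        $now = [datetime]::UtcNow
    }

    process {
        $rows = [System.Collections.Generic.List[object]]::new()

        # -Raw: the default policy endpoint returns a single object rather than a collection.
        $default = Invoke-GkGraphRequest -Raw -Uri '/policies/crossTenantAccessPolicy/default' -CallerFunction 'Get-GkCrossTenantAccess'
        if ($default) {
            $rows.Add(@{
                Item             = $default
                Scope            = 'Default'
                IsServiceDefault = [bool](Get-GkDictValue $default 'isServiceDefault')
            })
        }

        # foreach over $null iterates zero times, so a tenant with no partner
        # configurations yields only the Default row.
        foreach ($p in (Invoke-GkGraphRequest -Uri '/policies/crossTenantAccessPolicy/partners' -CallerFunction 'Get-GkCrossTenantAccess')) {
            $rows.Add(@{
                Item             = $p
                Scope            = [string](Get-GkDictValue $p 'tenantId')
                IsServiceDefault = $null   # only meaningful on the Default row
            })
        }

        foreach ($r in $rows) {
            $trust = Get-GkDictValue $r.Item 'inboundTrust'
            $trustConfigured = $null -ne $trust

            # Each Trust* flag short-circuits on a missing inboundTrust object so the
            # helper is never asked to read a key from $null, and the strict [bool]
            # cast maps a missing/null claim to $false: an unconfigured claim is never
            # reported as trusted. NOTE(review): a partner row with
            # InboundTrustConfigured = $false had no partner-specific inboundTrust in
            # the payload; the Graph docs describe null partner settings as falling back
            # to the default policy - confirm, and read the Default row for the
            # effective value.
            $obj = [ordered]@{
                PSTypeName              = 'PSGraphKit.CrossTenantAccess'
                Scope                   = $r.Scope
                IsServiceDefault        = $r.IsServiceDefault
                TrustMfa                = $trustConfigured -and [bool](Get-GkDictValue $trust 'isMfaAccepted')
                TrustCompliantDevice    = $trustConfigured -and [bool](Get-GkDictValue $trust 'isCompliantDeviceAccepted')
                TrustHybridJoinedDevice = $trustConfigured -and [bool](Get-GkDictValue $trust 'isHybridAzureADJoinedDeviceAccepted')
                InboundTrustConfigured  = $trustConfigured
                # Empty for the Default row, which has no tenantId in the payload.
                Id                      = [string](Get-GkDictValue $r.Item 'tenantId')
            }
            if ($AsReport) {
                $obj['ReportGeneratedUtc'] = $now
            }
            [pscustomobject]$obj
        }
    }
}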