Public/Get-GkExternalCollaborationSetting.ps1

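function Get-GkExternalCollaborationSetting {
    <#
    .SYNOPSIS
        Report the tenant's external-collaboration and default-user-permission settings.

    .DESCRIPTION
        Reads GET /policies/authorizationPolicy and returns a single object summarizing who can
        invite guests (allowInvitesFrom), the permission level guests get (guestUserRoleId mapped to
        a friendly name), and the default permissions granted to member users (create apps, create
        security groups, read other users, ...). These are common assessment findings.

        AllowUserConsentForRiskyApps mirrors the policy's allowUserConsentForRiskyApps flag, which
        only covers consent to apps flagged as risky. It does not tell you whether ordinary user
        consent is enabled; that is governed by defaultUserRolePermissions.permissionGrantPoliciesAssigned,
        which this function does not report. AllowUserConsentForApps carries the same value and is
        kept only so existing scripts and CSV layouts keep working; prefer the accurately named
        column when writing findings.

        Requires the Policy.Read.All scope.

    .PARAMETER AsReport
        Add a ReportGeneratedUtc column.

    .EXAMPLE
        Get-GkExternalCollaborationSetting

        The tenant's guest-invite and default-user-permission posture.

    .EXAMPLE
        Get-GkExternalCollaborationSetting | Select-Object AllowInvitesFrom, GuestUserRole, DefaultUserCanCreateApps

        The high-risk knobs.

    .EXAMPLE
        Get-GkExternalCollaborationSetting -AsReport | Export-Csv .\external-collab.csv -NoTypeInformation

    .OUTPUTS
        PSGraphKit.ExternalCollaborationSetting

    .NOTES
        Boolean columns are produced with a [bool] cast, so a property that is missing from the
        response is reported as False. For the permission columns False is the restrictive value;
        treat an unexpected all-False result as "verify the response", not as a clean finding.
    #>

    [CmdletBinding()]
    [OutputType('PSGraphKit.ExternalCollaborationSetting')]
    param(
        [switch] $AsReport
    )

    begin {
        Test-GkConnection -FunctionName 'Get-GkExternalCollaborationSetting' | Out-Null
        # Captured once so every emitted row carries the same report timestamp.
        $now = [datetime]::UtcNow
        # Well-known guest user role template IDs.
        $guestRoleNames = @{
            'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'User (same as member)'
            '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Guest User (default)'
            '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted Guest User'
        }
    }

    process {
        $policy = Invoke-GkGraphRequest -Raw -Uri '/policies/authorizationPolicy' -CallerFunction 'Get-GkExternalCollaborationSetting'

        # An empty response would otherwise be cast into an object whose permission flags are all
        # False, which reads as a hardened tenant. Report the failure instead of a misleading row.
        if ($null -eq $policy) {
            Write-Error -Message 'No authorization policy was returned by /policies/authorizationPolicy; cannot report external-collaboration settings.' -Category InvalidResult
            return
        }

        $defaults = Get-GkDictValue $policy 'defaultUserRolePermissions'
        $guestRoleId = [string](Get-GkDictValue $policy 'guestUserRoleId')

        # Unknown role IDs are passed through unchanged so a new or custom value stays visible.
        $guestRoleLabel = $guestRoleId
        if ($guestRoleNames.ContainsKey($guestRoleId)) {
            $guestRoleLabel = $guestRoleNames[$guestRoleId]
        }

        # Read once; exposed under both the legacy and the accurately named column.
        $riskyAppConsent = [bool](Get-GkDictValue $policy 'allowUserConsentForRiskyApps')

        $obj = [ordered]@{
            PSTypeName                         = 'PSGraphKit.ExternalCollaborationSetting'
            AllowInvitesFrom                   = [string](Get-GkDictValue $policy 'allowInvitesFrom')
            GuestUserRole                      = $guestRoleLabel
            AllowEmailVerifiedUsersToJoin      = [bool](Get-GkDictValue $policy 'allowEmailVerifiedUsersToJoinOrganization')
            # Legacy name: this is the risky-apps flag, not the general user-consent setting.
            AllowUserConsentForApps            = $riskyAppConsent
            DefaultUserCanCreateApps           = [bool](Get-GkDictValue $defaults 'allowedToCreateApps')
            DefaultUserCanCreateSecurityGroups = [bool](Get-GkDictValue $defaults 'allowedToCreateSecurityGroups')
            DefaultUserCanReadOtherUsers       = [bool](Get-GkDictValue $defaults 'allowedToReadOtherUsers')
            GuestUserRoleId                    = $guestRoleId
            # Appended after the existing columns so current CSV column positions do not shift.
            AllowUserConsentForRiskyApps       = $riskyAppConsent
        }
        if ($AsReport) { $obj['ReportGeneratedUtc'] = $now }
        [pscustomobject]$obj
    }
}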