SHELL/1.1.1.ps1
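<#
.SYNOPSIS
    Check 1.1.1 - Ensure Administrative accounts are cloud-only.

.DESCRIPTION
    Enumerates the activated directory roles whose display name contains
    "Administrator" (plus "Global Reader"), resolves their direct members,
    and reports every member user whose OnPremisesSyncEnabled flag is $true.
    The check passes only when no such privileged user is synced from
    on-premises AD.

    Requires an existing Microsoft Graph connection (Connect-MgGraph) with
    permission to read directory roles, role members and users.

.OUTPUTS
    [pscustomobject] with CheckId, Title, Status (PASS / FAIL / ERROR),
    Pass, Evidence, Error and Timestamp.

.NOTES
    Scope limitations (not evaluated here, reported only as a count):
      - Only direct role members are evaluated. Members of role-assignable
        groups and PIM-eligible assignments are not expanded.
      - Get-MgDirectoryRole lists only roles already activated in the tenant.
#>
$CheckId = "1.1.1"
$Title   = "Ensure Administrative accounts are cloud-only"

try {
    # -ErrorAction Stop: a Graph failure (e.g. a missing permission) must land
    # in the catch block as ERROR instead of yielding an empty list and a PASS.
    $DirectoryRoles = Get-MgDirectoryRole -All -ErrorAction Stop

    $PrivilegedRoles = $DirectoryRoles | Where-Object {
        $_.DisplayName -like "*Administrator*" -or $_.DisplayName -eq "Global Reader"
    }

    # -All: without it the default page size can truncate large memberships,
    # silently dropping admins from the evaluation.
    $RoleMembers = $PrivilegedRoles | ForEach-Object {
        Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id -All -ErrorAction Stop
    }

    # Role members may be users, groups or service principals. Only user
    # objects can be resolved with Get-MgUser; passing a group or service
    # principal id would throw and turn the whole check into ERROR.
    $UserMembers = $RoleMembers | Where-Object {
        $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user'
    }
    $NonUserMembers = $RoleMembers | Where-Object {
        $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user'
    }

    # A user holding several privileged roles is resolved once.
    $PrivilegedUserIds = $UserMembers | Select-Object -ExpandProperty Id -Unique

    $PrivilegedUsers = $PrivilegedUserIds | ForEach-Object {
        Get-MgUser -UserId $_ `
            -Property UserPrincipalName,DisplayName,Id,OnPremisesSyncEnabled `
            -ErrorAction Stop
    }

    $SyncedAdmins = $PrivilegedUsers |
        Where-Object { $_.OnPremisesSyncEnabled -eq $true } |
        Select-Object DisplayName,UserPrincipalName,OnPremisesSyncEnabled

    # @() guards the .Count for $null / single-object results.
    $Pass = @($SyncedAdmins).Count -eq 0

    [pscustomobject]@{
        CheckId   = $CheckId
        Title     = $Title
        Status    = if ($Pass) { "PASS" } else { "FAIL" }
        Pass      = $Pass
        Evidence  = [pscustomobject]@{
            PrivilegedUserCount = @($PrivilegedUsers).Count
            SyncedAdmins        = @($SyncedAdmins)
            # Group / service-principal members were not expanded; the count
            # shows the reviewer how much of the membership was left unevaluated.
            NonUserMemberCount  = @($NonUserMembers).Count
        }
        Error     = $null
        Timestamp = Get-Date
    }
}
catch {
    [pscustomobject]@{
        CheckId   = $CheckId
        Title     = $Title
        Status    = "ERROR"
        Pass      = $null
        Evidence  = $null
        Error     = $_.Exception.Message
        Timestamp = Get-Date
    }
}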