SHELL/5.1.2.3.ps1
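# CIS Microsoft 365 Foundations Benchmark v6.0.1, control 5.1.2.3 (L1, Automated).
# Reads the tenant-wide authorization policy through Microsoft Graph and reports
# whether DefaultUserRolePermissions.AllowedToCreateTenants is False, i.e. whether
# ordinary (non-admin) users are prevented from creating new tenants. The script
# emits exactly one [pscustomobject] on the pipeline with Status PASS, FAIL or ERROR;
# any failure to read or interpret the policy is reported as ERROR, never as PASS.
$CheckId = "5.1.2.3"
$Title = "Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'"
$Level = "L1"
$BenchmarkType = "Automated"
$SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
$AuditCommands = @(
    '(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions | Select-Object AllowedToCreateTenants'
)

function Get-AllowedToCreateTenantsValue {
    <#
    .SYNOPSIS
    Extracts the raw AllowedToCreateTenants value from an authorization policy object.

    .DESCRIPTION
    The Graph SDK may expose the value as a typed property on DefaultUserRolePermissions,
    as a dictionary entry (either casing), or only inside AdditionalProperties when the
    SDK model is older than the service. All of those locations are probed in turn.

    .PARAMETER AuthorizationPolicy
    The object returned by Get-MgPolicyAuthorizationPolicy.

    .OUTPUTS
    The raw value as found (bool, string, ...), or $null when it is absent everywhere.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [object]$AuthorizationPolicy
    )

    $DefaultPerms = $AuthorizationPolicy.DefaultUserRolePermissions
    if ($null -ne $DefaultPerms) {
        # Typed SDK model: the property is directly addressable.
        if ($null -ne $DefaultPerms.PSObject -and
            $null -ne $DefaultPerms.PSObject.Properties['AllowedToCreateTenants']) {
            return $DefaultPerms.AllowedToCreateTenants
        }
        # Loosely typed model: a dictionary keyed in either casing.
        if ($DefaultPerms -is [System.Collections.IDictionary]) {
            foreach ($Key in @('AllowedToCreateTenants', 'allowedToCreateTenants')) {
                if ($DefaultPerms.Contains($Key)) { return $DefaultPerms[$Key] }
            }
        }
    }

    # Fallback: the service returned a property the SDK model does not know about.
    if ($null -ne $AuthorizationPolicy.PSObject.Properties['AdditionalProperties']) {
        $Additional = $AuthorizationPolicy.AdditionalProperties
        if ($Additional -is [System.Collections.IDictionary] -and
            $Additional.Contains('defaultUserRolePermissions')) {
            $Inner = $Additional['defaultUserRolePermissions']
            if ($Inner -is [System.Collections.IDictionary]) {
                foreach ($Key in @('allowedToCreateTenants', 'AllowedToCreateTenants')) {
                    if ($Inner.Contains($Key)) { return $Inner[$Key] }
                }
            }
        }
    }

    return $null
}

function ConvertTo-StrictBoolean {
    <#
    .SYNOPSIS
    Converts a raw policy value to [bool] without PowerShell's "any non-empty string
    is true" rule.

    .DESCRIPTION
    A plain [bool] cast maps the string "False" to $true, which would make a
    correctly configured tenant report FAIL. Booleans are passed through, strings are
    parsed with [bool]::TryParse, and any other type falls back to the ordinary cast.

    .PARAMETER Value
    The raw value returned by Get-AllowedToCreateTenantsValue.

    .OUTPUTS
    [bool], or $null when the value cannot be interpreted unambiguously.
    #>
    param(
        [AllowNull()]
        [object]$Value
    )

    if ($null -eq $Value) { return $null }
    if ($Value -is [bool]) { return $Value }
    if ($Value -is [string]) {
        $Parsed = $false
        if ([bool]::TryParse($Value.Trim(), [ref]$Parsed)) { return $Parsed }
        return $null
    }
    try {
        return [bool]$Value
    } catch {
        return $null
    }
}

function New-CheckResult {
    <#
    .SYNOPSIS
    Builds the single result object this check emits.

    .PARAMETER Status
    PASS, FAIL or ERROR.

    .PARAMETER Pass
    $true / $false for PASS / FAIL, $null for ERROR.

    .PARAMETER ExtraEvidence
    Additional evidence entries placed between AuditCommands and SourceDocument.

    .PARAMETER ErrorMessage
    Human-readable explanation for FAIL / ERROR, $null on PASS.

    .OUTPUTS
    [pscustomobject] with CheckId, Title, Level, BenchmarkType, Status, Pass,
    Evidence, Error and Timestamp.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet("PASS", "FAIL", "ERROR")]
        [string]$Status,

        [AllowNull()]
        [object]$Pass = $null,

        [System.Collections.IDictionary]$ExtraEvidence = @{},

        [AllowNull()]
        [object]$ErrorMessage = $null
    )

    # Keep the evidence layout stable: audit commands first, source document last.
    $Evidence = [ordered]@{ AuditCommands = $AuditCommands }
    foreach ($Key in $ExtraEvidence.Keys) {
        $Evidence[$Key] = $ExtraEvidence[$Key]
    }
    $Evidence['SourceDocument'] = $SourceDocument

    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = $Status
        Pass          = $Pass
        Evidence      = [pscustomobject]$Evidence
        Error         = $ErrorMessage
        Timestamp     = Get-Date
    }
}

try {
    if (-not (Get-Command -Name Get-MgPolicyAuthorizationPolicy -ErrorAction SilentlyContinue)) {
        New-CheckResult -Status "ERROR" `
            -ErrorMessage "Get-MgPolicyAuthorizationPolicy cmdlet is unavailable in the current session."
        return
    }

    $AuthPolicy = Get-MgPolicyAuthorizationPolicy
    if ($null -eq $AuthPolicy) {
        New-CheckResult -Status "ERROR" `
            -ErrorMessage "Get-MgPolicyAuthorizationPolicy returned no result."
        return
    }

    $AllowedToCreateTenantsRaw = Get-AllowedToCreateTenantsValue -AuthorizationPolicy $AuthPolicy
    if ($null -eq $AllowedToCreateTenantsRaw) {
        # The policy was read but the setting is missing; surface the whole policy so
        # the reviewer can see what the tenant actually returned.
        New-CheckResult -Status "ERROR" `
            -ExtraEvidence ([ordered]@{ AuthorizationPolicy = $AuthPolicy }) `
            -ErrorMessage "AllowedToCreateTenants value was not found in DefaultUserRolePermissions."
        return
    }

    $AllowedToCreateTenants = ConvertTo-StrictBoolean -Value $AllowedToCreateTenantsRaw
    if ($null -eq $AllowedToCreateTenants) {
        # Refuse to guess: an uninterpretable value is an ERROR, not a PASS or FAIL.
        New-CheckResult -Status "ERROR" `
            -ExtraEvidence ([ordered]@{ RawAllowedToCreateTenants = $AllowedToCreateTenantsRaw }) `
            -ErrorMessage "AllowedToCreateTenants value could not be interpreted as a boolean."
        return
    }

    # The benchmark expects the capability to be disabled for non-admin users.
    $Pass = ($AllowedToCreateTenants -eq $false)
    $ResultEvidence = [ordered]@{
        AllowedToCreateTenants    = $AllowedToCreateTenants
        RawAllowedToCreateTenants = $AllowedToCreateTenantsRaw
        RecommendedState          = "AllowedToCreateTenants = False"
    }
    if ($Pass) {
        New-CheckResult -Status "PASS" -Pass $true -ExtraEvidence $ResultEvidence
    } else {
        New-CheckResult -Status "FAIL" -Pass $false -ExtraEvidence $ResultEvidence `
            -ErrorMessage "AllowedToCreateTenants is True (non-admin users can create tenants)."
    }
} catch {
    # Any unexpected failure (Graph throttling, auth, model mismatch) is reported, not swallowed.
    New-CheckResult -Status "ERROR" -ErrorMessage $_.Exception.Message
}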