SHELL/5.1.2.4.ps1
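<#
.SYNOPSIS
    CIS Microsoft 365 Foundations Benchmark v6.0.1, check 5.1.2.4 (L1, Manual):
    "Ensure access to the Entra admin center is restricted".

.DESCRIPTION
    Reads the tenant authorization policy (Get-MgPolicyAuthorizationPolicy first,
    falling back to a raw GET on the beta policies/authorizationPolicy endpoint)
    and evaluates defaultUserRolePermissions.allowedToReadOtherUsers:
    $false -> PASS, $true -> FAIL. A missing or unparseable value is reported as
    FAIL (fail closed, with the raw policy attached as evidence); an exception
    from either Graph call is reported as ERROR with Pass = $null.

    NOTE(review): the Title names the Entra admin center restriction, but the
    value actually evaluated is allowedToReadOtherUsers, which appears to govern
    whether non-admin users can read other users' directory objects in general,
    not admin-center access alone. Treat the PASS/FAIL here as a proxy, confirm
    the setting in the portal (the benchmark marks this check as Manual), and
    assess the impact on ordinary users before remediating by flipping this
    property to $false.

.OUTPUTS
    One [pscustomobject] with CheckId, Title, Level, BenchmarkType, Status,
    Pass, Evidence, Error and Timestamp.
#>

$CheckId       = "5.1.2.4"
$Title         = "Ensure access to the Entra admin center is restricted"
$Level         = "L1"
$BenchmarkType = "Manual"

# Recorded verbatim in Evidence so a reviewer can reproduce the audit by hand.
$AuditCommands = @(
    "Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy'",
    "Evaluate defaultUserRolePermissions.allowedToReadOtherUsers"
)
$SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
$AuthPolicyUri  = "https://graph.microsoft.com/beta/policies/authorizationPolicy"

function Get-PropValue {
    <#
    .SYNOPSIS
        Case-insensitive property/key lookup that works on both hashtables
        (raw Graph responses) and typed/PSCustomObject values (SDK cmdlets).
    .PARAMETER Object
        Dictionary or object to search; $null is tolerated.
    .PARAMETER Name
        Property or key name, matched with -ieq.
    .OUTPUTS
        The matching value, or $null when Object is $null or nothing matches.
    #>
    param(
        [AllowNull()]$Object,
        [string]$Name
    )
    if ($null -eq $Object) { return $null }

    if ($Object -is [System.Collections.IDictionary]) {
        foreach ($Key in $Object.Keys) {
            if ([string]$Key -ieq $Name) { return $Object[$Key] }
        }
    }

    # Typed SDK objects expose PascalCase properties; -ieq covers the
    # camelCase spelling used in the raw JSON as well.
    if ($Object.PSObject -and $Object.PSObject.Properties) {
        foreach ($Property in $Object.PSObject.Properties) {
            if ([string]$Property.Name -ieq $Name) { return $Property.Value }
        }
    }
    return $null
}

function ConvertTo-CheckBool {
    <#
    .SYNOPSIS
        Coerces a policy value to [bool] without the [bool]"False" -eq $true
        trap: any non-empty string casts to $true in PowerShell, so a string
        "false" is parsed rather than cast.
    .OUTPUTS
        $true/$false, or $null when the value is absent or not interpretable
        (the caller treats $null as "could not read", i.e. FAIL).
    #>
    param([AllowNull()]$Value)
    if ($null -eq $Value) { return $null }
    if ($Value -is [bool]) { return $Value }
    if ($Value -is [string]) {
        $Parsed = $false
        if ([bool]::TryParse($Value.Trim(), [ref]$Parsed)) { return $Parsed }
        return $null
    }
    return [bool]$Value
}

function New-CheckResult {
    <#
    .SYNOPSIS
        Builds the standard result object for this check; all three outcome
        paths (PASS/FAIL/ERROR) share the same field set and order.
    .PARAMETER Message
        Error text; $null on PASS.
    #>
    param(
        [string]$Status,
        [AllowNull()]$Pass,
        $Evidence,
        [AllowNull()]$Message
    )
    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = $Status
        Pass          = $Pass
        Evidence      = $Evidence
        Error         = $Message
        Timestamp     = Get-Date
    }
}

try {
    $AuthPolicy = $null
    try {
        $AuthPolicy = Get-MgPolicyAuthorizationPolicy -ErrorAction Stop
    } catch {
        # Cmdlet unavailable or the v1.0 call failed: read the policy directly.
        $AuthPolicy = Invoke-MgGraphRequest -Method GET -Uri $AuthPolicyUri -ErrorAction Stop
    }

    # Look for the permissions block at top level first, then under
    # AdditionalProperties, where the SDK puts members it has no typed field for.
    $DefaultPerms = Get-PropValue -Object $AuthPolicy -Name "defaultUserRolePermissions"
    if ($null -eq $DefaultPerms) {
        $Additional   = Get-PropValue -Object $AuthPolicy -Name "AdditionalProperties"
        $DefaultPerms = Get-PropValue -Object $Additional -Name "defaultUserRolePermissions"
    }

    # Get-PropValue is case-insensitive, so one lookup covers both spellings.
    $RawValue = Get-PropValue -Object $DefaultPerms -Name "allowedToReadOtherUsers"
    $AllowedToReadOtherUsers = ConvertTo-CheckBool -Value $RawValue

    if ($null -eq $AllowedToReadOtherUsers) {
        # Fail closed: an unreadable control is not evidence that it is set.
        New-CheckResult -Status "FAIL" -Pass $false -Evidence ([pscustomobject]@{
            AuditCommands       = $AuditCommands
            AuthorizationPolicy = $AuthPolicy
            SourceDocument      = $SourceDocument
        }) -Message "Could not read defaultUserRolePermissions.allowedToReadOtherUsers from authorization policy response."
        return
    }

    # Compliant only when non-admins are NOT allowed to read other users.
    $Pass   = -not $AllowedToReadOtherUsers
    $Status = if ($Pass) { "PASS" } else { "FAIL" }
    $Message = if ($Pass) { $null } else { "Non-admin users can access Entra admin center related user information." }

    New-CheckResult -Status $Status -Pass $Pass -Evidence ([pscustomobject]@{
        AuditCommands           = $AuditCommands
        AllowedToReadOtherUsers = $AllowedToReadOtherUsers
        SourceDocument          = $SourceDocument
    }) -Message $Message
} catch {
    # Any Graph/auth failure surfaces as ERROR (not FAIL) so it is not mistaken
    # for a measured non-compliance.
    New-CheckResult -Status "ERROR" -Pass $null -Evidence ([pscustomobject]@{
        AuditCommands  = $AuditCommands
        SourceDocument = $SourceDocument
    }) -Message $_.Exception.Message
}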