SHELL/5.1.2.5.ps1
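<#
.SYNOPSIS
    CIS Microsoft 365 Foundations Benchmark 5.1.2.5 (L2, Manual):
    Ensure the option to remain signed in (KMSI, "keep me signed in") is hidden.

.DESCRIPTION
    The check PASSes when either of two sources proves the control:
      1. Organization branding (beta Graph endpoint /organization/{id}/branding)
         reports loginPageTextVisibilitySettings.isKmsiHidden -eq $true, or
      2. an enabled Conditional Access policy targets all users and sets the
         persistent-browser session control to mode "never".
    Conditional Access is only queried when branding did not already prove it.

    Graph query failures are captured into the evidence instead of being
    silently discarded. When NEITHER source could be read the result is
    MANUAL_REVIEW (Pass = $null), because an inability to read the tenant is not
    evidence of non-compliance and must not be reported as FAIL.

.OUTPUTS
    One [pscustomobject] with CheckId, Title, Level, BenchmarkType, Status
    (PASS | FAIL | MANUAL_REVIEW), Pass ($true | $false | $null), Evidence,
    Error and Timestamp.

.NOTES
    Assumes an existing Microsoft.Graph session whose consented scopes allow
    reading organization branding and Conditional Access policies.
#>

$CheckId        = "5.1.2.5"
$Title          = "Ensure the option to remain signed in is hidden"
$Level          = "L2"
$BenchmarkType  = "Manual"
$SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"

# Commands an auditor can run by hand to reproduce the evidence ({id} = organization id).
$AuditCommands = @(
    "Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/organization/{id}/branding'",
    "Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'"
)

<#
.SYNOPSIS
    Case-insensitive property lookup that works for both hashtables (what
    Invoke-MgGraphRequest returns) and PSObjects / SDK model objects.

.PARAMETER Object
    The container to inspect. $null is tolerated and yields $null.

.PARAMETER Name
    Property or key name; compared case-insensitively.

.OUTPUTS
    The matching value, or $null when the object is $null or has no such member.
#>
function Get-PropValue {
    param(
        [AllowNull()]$Object,
        [string]$Name
    )

    if ($null -eq $Object) { return $null }

    # Hashtables (IDictionary): scan keys so the lookup is case-insensitive even
    # for dictionaries created with a case-sensitive comparer.
    if ($Object -is [System.Collections.IDictionary]) {
        foreach ($Key in $Object.Keys) {
            if ([string]$Key -ieq $Name) { return $Object[$Key] }
        }
    }

    # PSObjects / typed SDK objects: walk the adapted property list.
    if ($Object.PSObject -and $Object.PSObject.Properties) {
        foreach ($Property in $Object.PSObject.Properties) {
            if ([string]$Property.Name -ieq $Name) { return $Property.Value }
        }
    }

    return $null
}

<#
.SYNOPSIS
    Returns $true when a Conditional Access policy's conditions.users.includeUsers
    contains the literal "All".

.PARAMETER Policy
    A Conditional Access policy as a hashtable or SDK object; $null yields $false.

.NOTES
    NOTE(review): only includeUsers is inspected. excludeUsers / excludeGroups /
    excludeRoles and the policy's application scope are not evaluated, so a
    policy that targets "All" but carves out exclusions still counts as
    covering all users. Confirm whether the benchmark expects exclusions to be
    surfaced to the reviewer.
#>
function Test-PolicyTargetsAllUsers {
    param([AllowNull()]$Policy)

    $Conditions   = Get-PropValue -Object $Policy -Name "conditions"
    $Users        = Get-PropValue -Object $Conditions -Name "users"
    $IncludeUsers = @(Get-PropValue -Object $Users -Name "includeUsers")

    return (@($IncludeUsers | Where-Object { [string]$_ -eq "All" }).Count -gt 0)
}

try {
    $Org = Get-MgOrganization -ErrorAction Stop | Select-Object -First 1
    if (-not $Org) { throw "No organization object returned." }

    $KmsiHidden    = $false
    $Detail        = $null
    $BrandingError = $null   # message of a failed branding query, surfaced in evidence
    $CAError       = $null   # message of a failed Conditional Access query, surfaced in evidence

    # Source 1: organization branding. The beta endpoint is used because the
    # loginPageTextVisibilitySettings.isKmsiHidden flag is read from it.
    try {
        $Branding     = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/organization/$($Org.Id)/branding" -ErrorAction Stop
        $Visibility   = Get-PropValue -Object $Branding -Name "loginPageTextVisibilitySettings"
        $IsKmsiHidden = Get-PropValue -Object $Visibility -Name "isKmsiHidden"

        # A missing flag ($null) is treated the same as $false: not proven hidden.
        if ($IsKmsiHidden -eq $true) {
            $KmsiHidden = $true
            $Detail     = "KMSI is hidden in organization branding settings."
        }
    } catch {
        $BrandingError = $_.Exception.Message
    }

    # Source 2: Conditional Access persistent-browser control, only consulted when
    # branding did not already prove the control.
    $PersistentPolicies = @()
    if (-not $KmsiHidden) {
        try {
            $CAPolicies = @(Get-MgIdentityConditionalAccessPolicy -All -ErrorAction Stop)

            # Only enabled policies count; report-only or disabled ones enforce nothing.
            $PersistentPolicies = @($CAPolicies | Where-Object {
                $_.State -eq "enabled" -and
                (Test-PolicyTargetsAllUsers -Policy $_) -and
                ($_.SessionControls.PersistentBrowser.IsEnabled -eq $true) -and
                ([string]$_.SessionControls.PersistentBrowser.Mode -eq "never")
            })

            if ($PersistentPolicies.Count -gt 0) {
                $KmsiHidden  = $true
                $PolicyNames = @($PersistentPolicies | ForEach-Object { $_.DisplayName } | Where-Object { $_ })
                $Detail      = "Persistent browser session disabled via Conditional Access policies: $($PolicyNames -join ', ')"
            }
        } catch {
            $CAError = $_.Exception.Message
        }
    }

    $Pass = $KmsiHidden

    # Both sources unreadable and nothing proven -> we cannot conclude either way.
    $Inconclusive = (-not $Pass) -and [bool]$BrandingError -and [bool]$CAError

    $Status = if ($Pass) { "PASS" } elseif ($Inconclusive) { "MANUAL_REVIEW" } else { "FAIL" }

    $QueryProblems = @()
    if ($BrandingError) { $QueryProblems += "branding query failed: $BrandingError" }
    if ($CAError)       { $QueryProblems += "Conditional Access query failed: $CAError" }

    $ErrorText = if ($Pass) {
        $null
    } elseif ($Inconclusive) {
        "Unable to evaluate automatically: neither source could be queried ($($QueryProblems -join '; '))."
    } else {
        $Msg = "Could not confirm that the 'stay signed in' option is hidden."
        # A FAIL reached while one source was unreadable is still a FAIL, but the
        # reviewer needs to know which source was not checked.
        if ($QueryProblems.Count -gt 0) { $Msg += " " + ($QueryProblems -join '; ') + "." }
        $Msg
    }

    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = $Status
        Pass          = if ($Inconclusive) { $null } else { $Pass }
        Evidence      = [pscustomobject]@{
            AuditCommands                  = $AuditCommands
            KmsiHidden                     = $KmsiHidden
            BrandingOrCAPolicyEvidence     = $Detail
            PersistentBrowserCAPolicyCount = @($PersistentPolicies).Count
            PersistentBrowserCAPolicies    = @($PersistentPolicies | Select-Object Id, DisplayName, State)
            BrandingQueryError             = $BrandingError
            ConditionalAccessQueryError    = $CAError
            SourceDocument                 = $SourceDocument
        }
        Error         = $ErrorText
        Timestamp     = Get-Date
    }
} catch {
    # Reached when the organization itself cannot be read (e.g. no Graph session).
    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = "MANUAL_REVIEW"
        Pass          = $null
        Evidence      = [pscustomobject]@{
            AuditCommands  = $AuditCommands
            SourceDocument = $SourceDocument
        }
        Error         = "Unable to evaluate automatically: $($_.Exception.Message)"
        Timestamp     = Get-Date
    }
}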