SHELL/5.1.3.2.ps1
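<#
.SYNOPSIS
    CIS Microsoft 365 Foundations Benchmark v6.0.1, check 5.1.3.2 -
    "Ensure users cannot create security groups" (Level 1, Automated).

.DESCRIPTION
    Reads the tenant authorization policy with Get-MgPolicyAuthorizationPolicy
    and inspects DefaultUserRolePermissions.AllowedToCreateSecurityGroups.

    Result semantics:
      PASS  - the value is boolean False (the recommended state).
      FAIL  - the value is boolean True (any default user can create security groups).
      ERROR - the control could not be evaluated: cmdlet missing, no policy
              returned, property absent, value not recognisably boolean, or an
              exception. ERROR always carries Pass = $null so an audit gap is
              never mistaken for a passing control.

    Emits exactly one [pscustomobject] with the properties, in this order:
    CheckId, Title, Level, BenchmarkType, Status, Pass, Evidence, Error, Timestamp.

    NOTE(review): the script assumes an existing Microsoft Graph session
    (Connect-MgGraph) that is allowed to read the authorization policy; it does
    not establish one itself. Without a session the call surfaces as ERROR.
#>

$CheckId          = "5.1.3.2"
$Title            = "Ensure users cannot create security groups"
$Level            = "L1"
$BenchmarkType    = "Automated"
$SourceDocument   = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
$RecommendedState = "AllowedToCreateSecurityGroups = False"
$AuditCommands    = @(
    '(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions | Format-List AllowedToCreateSecurityGroups'
)

function Test-DictionaryKey {
    <#
        Returns $true when $Dictionary carries $Key.
        Prefers the public ContainsKey (Hashtable, Dictionary[string,object]) and
        falls back to the non-generic Contains (e.g. OrderedDictionary), because
        not every IDictionary implementation exposes both to PowerShell.
    #>
    param(
        [System.Collections.IDictionary]$Dictionary,
        [Parameter(Mandatory = $true)]
        [string]$Key
    )
    if ($null -eq $Dictionary) { return $false }
    if ($null -ne $Dictionary.PSObject.Methods['ContainsKey']) {
        return [bool]$Dictionary.ContainsKey($Key)
    }
    return [bool]$Dictionary.Contains($Key)
}

function Get-DictionaryValue {
    <#
        Looks each spelling in $Keys up in $Dictionary, in order, and returns the
        first value found; $null when none is present.
        Typed SDK objects use the PascalCase property name while raw / 
        AdditionalProperties payloads keep the camelCase JSON name, so callers
        pass both spellings.
    #>
    param(
        [System.Collections.IDictionary]$Dictionary,
        [string[]]$Keys
    )
    foreach ($candidate in $Keys) {
        if (Test-DictionaryKey -Dictionary $Dictionary -Key $candidate) {
            return $Dictionary[$candidate]
        }
    }
    return $null
}

function Get-AllowedToCreateSecurityGroupsValue {
    <#
        Extracts the raw AllowedToCreateSecurityGroups value from an authorization
        policy object, whichever shape the Graph SDK handed back:
          1. a typed object whose DefaultUserRolePermissions has the property,
          2. a DefaultUserRolePermissions dictionary (either key spelling),
          3. AdditionalProperties['defaultUserRolePermissions'] for untyped payloads.
        Returns the value untouched (no coercion) or $null when it is not found.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [object]$AuthorizationPolicy
    )
    $spellings = @('AllowedToCreateSecurityGroups', 'allowedToCreateSecurityGroups')

    $defaultPerms = $AuthorizationPolicy.DefaultUserRolePermissions
    if ($null -ne $defaultPerms) {
        # Typed object: property lookup is case-insensitive in PowerShell.
        if ($null -ne $defaultPerms.PSObject -and
            $null -ne $defaultPerms.PSObject.Properties['AllowedToCreateSecurityGroups']) {
            return $defaultPerms.AllowedToCreateSecurityGroups
        }
        # Dictionary: key lookup may be case-sensitive, so try both spellings.
        if ($defaultPerms -is [System.Collections.IDictionary]) {
            foreach ($candidate in $spellings) {
                if (Test-DictionaryKey -Dictionary $defaultPerms -Key $candidate) {
                    return $defaultPerms[$candidate]
                }
            }
        }
    }

    # Untyped payload: the nested JSON object lands in AdditionalProperties.
    if ($null -ne $AuthorizationPolicy.PSObject.Properties['AdditionalProperties']) {
        $additional = $AuthorizationPolicy.AdditionalProperties
        if ($additional -is [System.Collections.IDictionary]) {
            $inner = Get-DictionaryValue -Dictionary $additional -Keys @('defaultUserRolePermissions')
            if ($inner -is [System.Collections.IDictionary]) {
                return Get-DictionaryValue -Dictionary $inner -Keys @('allowedToCreateSecurityGroups', 'AllowedToCreateSecurityGroups')
            }
        }
    }
    return $null
}

function ConvertTo-StrictBoolean {
    <#
        Converts a value that should be a boolean into [bool], or returns $null
        when it is not recognisably boolean.
        A plain [bool] cast is unsafe for this check: every non-empty string,
        including "False", casts to $true (turning a compliant tenant into a
        FAIL), and "" casts to $false (turning an unknown state into a PASS).
        Accepted: [bool], and the strings "true"/"false" (trimmed, case-insensitive).
        Anything else yields $null so the caller can report ERROR instead of guessing.
    #>
    param([object]$Value)
    if ($Value -is [bool]) { return $Value }
    if ($Value -is [string]) {
        $text = $Value.Trim()
        if ($text -ieq 'true')  { return $true }
        if ($text -ieq 'false') { return $false }
    }
    return $null
}

function New-CheckResult {
    <#
        Builds the single result object this check emits.
        Property order is fixed (CheckId .. Timestamp) so downstream consumers
        see a stable shape. Evidence always starts with AuditCommands and ends
        with SourceDocument, with the check-specific entries from $ExtraEvidence
        (pass an [ordered] dictionary to control their order) in between.
        $ErrorMessage is left untyped on purpose: a [string] parameter would turn
        $null into "", and PASS results must carry Error = $null.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('PASS', 'FAIL', 'ERROR')]
        [string]$Status,
        [object]$Pass = $null,
        [System.Collections.IDictionary]$ExtraEvidence = @{},
        $ErrorMessage = $null
    )
    $evidence = [ordered]@{ AuditCommands = $AuditCommands }
    foreach ($entry in $ExtraEvidence.GetEnumerator()) {
        $evidence[$entry.Key] = $entry.Value
    }
    $evidence['SourceDocument'] = $SourceDocument

    [pscustomobject]([ordered]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = $Status
        Pass          = $Pass
        Evidence      = [pscustomobject]$evidence
        Error         = $ErrorMessage
        Timestamp     = Get-Date
    })
}

function Invoke-SecurityGroupCreationCheck {
    <#
        Runs the check end to end and emits exactly one result object.
        Every failure to evaluate is reported as ERROR (Pass = $null); only a
        boolean False PASSes and only a boolean True FAILs.
    #>
    try {
        if (-not (Get-Command -Name Get-MgPolicyAuthorizationPolicy -ErrorAction SilentlyContinue)) {
            New-CheckResult -Status 'ERROR' -ErrorMessage 'Get-MgPolicyAuthorizationPolicy cmdlet is unavailable in the current session.'
            return
        }

        # -ErrorAction Stop routes a failed Graph call (no session, insufficient
        # rights, throttling) into the catch block so the real cause lands in
        # the Error field instead of the generic "returned no result".
        $authPolicy = Get-MgPolicyAuthorizationPolicy -ErrorAction Stop
        if ($null -eq $authPolicy) {
            New-CheckResult -Status 'ERROR' -ErrorMessage 'Get-MgPolicyAuthorizationPolicy returned no result.'
            return
        }

        $allowedRaw = Get-AllowedToCreateSecurityGroupsValue -AuthorizationPolicy $authPolicy
        if ($null -eq $allowedRaw) {
            New-CheckResult -Status 'ERROR' `
                -ExtraEvidence ([ordered]@{ AuthorizationPolicy = $authPolicy }) `
                -ErrorMessage 'AllowedToCreateSecurityGroups value was not found in DefaultUserRolePermissions.'
            return
        }

        # Refuse to guess: an unparseable value is an audit gap, not a PASS or FAIL.
        $allowed = ConvertTo-StrictBoolean -Value $allowedRaw
        if ($null -eq $allowed) {
            New-CheckResult -Status 'ERROR' `
                -ExtraEvidence ([ordered]@{
                    RawAllowedToCreateSecurityGroups = $allowedRaw
                    RecommendedState                 = $RecommendedState
                }) `
                -ErrorMessage ("AllowedToCreateSecurityGroups value '{0}' ({1}) is not a recognisable boolean." -f $allowedRaw, $allowedRaw.GetType().FullName)
            return
        }

        $pass = -not $allowed
        New-CheckResult `
            -Status $(if ($pass) { 'PASS' } else { 'FAIL' }) `
            -Pass $pass `
            -ExtraEvidence ([ordered]@{
                AllowedToCreateSecurityGroups    = $allowed
                RawAllowedToCreateSecurityGroups = $allowedRaw
                RecommendedState                 = $RecommendedState
            }) `
            -ErrorMessage $(if ($pass) { $null } else { 'AllowedToCreateSecurityGroups is True (users can create security groups).' })
    }
    catch {
        New-CheckResult -Status 'ERROR' -ErrorMessage $_.Exception.Message
    }
}

Invoke-SecurityGroupCreationCheck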