SHELL/5.1.4.1.ps1
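<#
.SYNOPSIS
    CIS check 5.1.4.1 - Ensure the ability to join devices to Entra is restricted.

.DESCRIPTION
    Reads the tenant device registration policy from the Microsoft Graph beta
    endpoint and inspects azureADJoin.allowedToJoin.@odata.type.

    The check passes when the membership type is
    enumeratedDeviceRegistrationMembership (Selected) or
    noDeviceRegistrationMembership (None); any other type fails.

    Emits exactly one [pscustomobject] with CheckId, Title, Status
    (PASS / FAIL / MANUAL_REVIEW / ERROR), Pass, Evidence, Error and Timestamp.
    MANUAL_REVIEW is used when the type cannot be read from the response, or
    when the request fails for what looks like a permission problem, so a
    missing scope is never reported as PASS.

.NOTES
    Requires an existing Microsoft Graph session with the
    Policy.Read.DeviceConfiguration scope. The beta endpoint is used because
    that is where deviceRegistrationPolicy is exposed; its shape may change,
    which is why a missing type is surfaced rather than assumed.
#>

$CheckId = "5.1.4.1"
$Title   = "Ensure the ability to join devices to Entra is restricted"

function Get-NestedValue {
    <#
    .SYNOPSIS
        Walks an ordered list of keys / property names down a nested object,
        returning $null at the first missing segment instead of throwing.
    .PARAMETER InputObject
        Root object. Both IDictionary (hashtable) nodes and objects with
        PSObject properties are supported, so the caller does not need to
        know which shape the Graph response was deserialized into.
    .PARAMETER Path
        Ordered segments to descend through, e.g. @("azureADJoin", "allowedToJoin").
    .OUTPUTS
        The value at the end of the path, or $null if any segment is absent.
    #>
    param(
        [Parameter(Mandatory = $true)][object]$InputObject,
        [Parameter(Mandatory = $true)][string[]]$Path
    )

    $Current = $InputObject
    foreach ($Segment in $Path) {
        if ($null -eq $Current) { return $null }

        if ($Current -is [System.Collections.IDictionary]) {
            # Contains() first so a missing key yields $null rather than an exception.
            if (-not $Current.Contains($Segment)) { return $null }
            $Current = $Current[$Segment]
        }
        else {
            $Prop = $Current.PSObject.Properties[$Segment]
            if ($null -eq $Prop) { return $null }
            $Current = $Prop.Value
        }
    }
    return $Current
}

$Uri = "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy"

try {
    # -ErrorAction Stop: a failed request must reach the catch block below.
    # Without it a non-terminating error would leave $Policy empty and the
    # check would report a misleading "could not determine type" result
    # with no error message attached.
    $Policy = Invoke-MgGraphRequest -Method GET -Uri $Uri -ErrorAction Stop

    $AllowedToJoin     = Get-NestedValue -InputObject $Policy -Path @("azureADJoin", "allowedToJoin")
    $AllowedToJoinType = Get-NestedValue -InputObject $Policy -Path @("azureADJoin", "allowedToJoin", "@odata.type")

    if ([string]::IsNullOrWhiteSpace([string]$AllowedToJoinType)) {
        # The discriminator is missing from the response: do not guess, hand
        # the raw allowedToJoin value to a reviewer.
        [pscustomobject]@{
            CheckId   = $CheckId
            Title     = $Title
            Status    = "MANUAL_REVIEW"
            Pass      = $null
            Evidence  = [pscustomobject]@{
                Uri           = $Uri
                # Key casing aligned with the PASS/FAIL evidence object so
                # consumers can read one property name across all outcomes.
                AllowedToJoin = $AllowedToJoin
                ReviewAction  = "Verify allowedToJoin is set to Selected or None."
            }
            Error     = "Could not determine azureADJoin.allowedToJoin.@odata.type."
            Timestamp = Get-Date
        }
    }
    else {
        # Selected (enumerated) and None (no) restrict who can join; any
        # other membership type is treated as unrestricted and fails.
        $CompliantTypes = @(
            "#microsoft.graph.enumeratedDeviceRegistrationMembership",
            "#microsoft.graph.noDeviceRegistrationMembership"
        )
        $Pass = $AllowedToJoinType -in $CompliantTypes

        [pscustomobject]@{
            CheckId   = $CheckId
            Title     = $Title
            Status    = if ($Pass) { "PASS" } else { "FAIL" }
            Pass      = $Pass
            Evidence  = [pscustomobject]@{
                Uri               = $Uri
                AllowedToJoinType = $AllowedToJoinType
                AllowedToJoin     = $AllowedToJoin
                CompliantTypes    = $CompliantTypes
            }
            Error     = $null
            Timestamp = Get-Date
        }
    }
}
catch {
    $Message = $_.Exception.Message

    # An authorization failure means the session lacks the scope, which is a
    # runner problem rather than a tenant finding: route it to MANUAL_REVIEW
    # (with the required scope in the evidence) instead of ERROR.
    $IsPermissionIssue = $Message -match "(?i)forbidden|insufficient|authorization|access denied"

    [pscustomobject]@{
        CheckId   = $CheckId
        Title     = $Title
        Status    = if ($IsPermissionIssue) { "MANUAL_REVIEW" } else { "ERROR" }
        Pass      = $null
        Evidence  = [pscustomobject]@{
            Uri                = $Uri
            RequiredGraphScope = "Policy.Read.DeviceConfiguration"
            ReviewAction       = "Verify allowedToJoin type is enumeratedDeviceRegistrationMembership (Selected) or noDeviceRegistrationMembership (None)."
        }
        Error     = $Message
        Timestamp = Get-Date
    }
}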