SHELL/5.1.5.2.ps1
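# CIS Microsoft 365 Foundations Benchmark v6.0.1 - 5.1.5.2 (L1, Automated)
# Ensure the admin consent workflow is enabled.
#
# Reads the tenant's admin consent request policy through Microsoft Graph and
# emits one [pscustomobject] with Status PASS / FAIL / ERROR. The verdict is
# driven by IsEnabled alone; NotifyReviewers and RemindersEnabled are captured
# as evidence only and do not influence Pass/Fail, and the reviewer list itself
# is not examined. Requires an existing Connect-MgGraph session; the cmdlet is
# documented as needing Policy.Read.All (or higher) - confirm against the Graph
# permission reference for the SDK version in use.

$CheckId        = "5.1.5.2"
$Title          = "Ensure the admin consent workflow is enabled"
$Level          = "L1"
$BenchmarkType  = "Automated"
$SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
$AuditCommands  = @(
    'Get-MgPolicyAdminConsentRequestPolicy | Format-List IsEnabled,NotifyReviewers,RemindersEnabled'
)

# Builds the uniform result record emitted on every exit path.
#   Status       - "PASS", "FAIL" or "ERROR"
#   Pass         - $true/$false for PASS/FAIL, $null for ERROR
#   Evidence     - pscustomobject with the audit command(s) and observed values
#   ErrorMessage - $null on PASS, otherwise a human-readable reason
# Parameters are deliberately untyped so $null is passed through unchanged
# (a [string] parameter would coerce $null to "").
function New-CheckResult {
    param(
        $Status,
        $Pass,
        $Evidence,
        $ErrorMessage
    )
    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = $Status
        Pass          = $Pass
        Evidence      = $Evidence
        Error         = $ErrorMessage
        Timestamp     = Get-Date
    }
}

# Returns the named property as [bool], or $null when the property is absent
# OR present with a null value. Checking presence alone is not enough: the SDK
# exposes these as nullable booleans, and [bool]$null is $false, which would
# have turned an unreturned IsEnabled into a FAIL ("disabled") instead of the
# ERROR the null guard below is meant to produce.
function Get-PolicyBool {
    param(
        $Policy,
        [string] $Name
    )
    $prop = $Policy.PSObject.Properties[$Name]
    if ($null -eq $prop -or $null -eq $prop.Value) {
        return $null
    }
    return [bool]$prop.Value
}

try {
    if (-not (Get-Command -Name Get-MgPolicyAdminConsentRequestPolicy -ErrorAction SilentlyContinue)) {
        return (New-CheckResult -Status "ERROR" -Pass $null `
            -Evidence ([pscustomobject]@{
                AuditCommands  = $AuditCommands
                SourceDocument = $SourceDocument
            }) `
            -ErrorMessage "Get-MgPolicyAdminConsentRequestPolicy cmdlet is unavailable in the current session.")
    }

    # -ErrorAction Stop: a non-terminating Graph failure (insufficient permission,
    # expired token, throttling) must reach the catch block with its real message
    # rather than degrade into the generic "returned no result" branch below.
    $Policy = Get-MgPolicyAdminConsentRequestPolicy -ErrorAction Stop
    if ($null -eq $Policy) {
        return (New-CheckResult -Status "ERROR" -Pass $null `
            -Evidence ([pscustomobject]@{
                AuditCommands  = $AuditCommands
                SourceDocument = $SourceDocument
            }) `
            -ErrorMessage "Get-MgPolicyAdminConsentRequestPolicy returned no result.")
    }

    $IsEnabled        = Get-PolicyBool -Policy $Policy -Name 'IsEnabled'
    $NotifyReviewers  = Get-PolicyBool -Policy $Policy -Name 'NotifyReviewers'
    $RemindersEnabled = Get-PolicyBool -Policy $Policy -Name 'RemindersEnabled'

    # No usable IsEnabled -> cannot judge; surface the raw object for triage.
    if ($null -eq $IsEnabled) {
        return (New-CheckResult -Status "ERROR" -Pass $null `
            -Evidence ([pscustomobject]@{
                AuditCommands  = $AuditCommands
                RawPolicy      = $Policy
                SourceDocument = $SourceDocument
            }) `
            -ErrorMessage "IsEnabled value was not found in admin consent request policy.")
    }

    $Pass = ($IsEnabled -eq $true)
    New-CheckResult -Status $(if ($Pass) { "PASS" } else { "FAIL" }) -Pass $Pass `
        -Evidence ([pscustomobject]@{
            AuditCommands    = $AuditCommands
            IsEnabled        = $IsEnabled
            NotifyReviewers  = $NotifyReviewers
            RemindersEnabled = $RemindersEnabled
            RecommendedState = "IsEnabled = True"
            SourceDocument   = $SourceDocument
        }) `
        -ErrorMessage $(if ($Pass) { $null } else { "Admin consent workflow is disabled (IsEnabled = False)." })
}
catch {
    # Any terminating error (including those promoted by -ErrorAction Stop)
    # is reported as ERROR with the underlying exception text, never as FAIL.
    New-CheckResult -Status "ERROR" -Pass $null `
        -Evidence ([pscustomobject]@{
            AuditCommands  = $AuditCommands
            SourceDocument = $SourceDocument
        }) `
        -ErrorMessage $_.Exception.Message
}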