SHELL/5.2.2.5.ps1
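<#
.SYNOPSIS
    CIS Microsoft 365 Foundations Benchmark check 5.2.2.5 (L2, Automated):
    an enabled Conditional Access policy must require a phishing-resistant
    authentication strength for administrative roles.

.DESCRIPTION
    Dot-sources helpers\ca_policy_helpers.ps1 (resolved relative to this
    script), fetches the normalized Conditional Access policies through
    Get-Root365CaPoliciesNormalized and reports PASS when at least one
    *enabled* policy
      - includes at least one directory role (IncludeRoles),
      - targets all applications (IncludeApplications contains "All"), and
      - requires an authentication strength that is either listed in the
        approved-ID set or whose display name contains "phishing" or "fido".

    The approved-ID set is read from the environment variable
    ROOT365_PHISHING_RESISTANT_AUTH_STRENGTH_IDS (comma, semicolon or
    space separated). An ID match is the reliable signal; a display-name
    match is a heuristic, because a custom authentication strength can be
    named anything regardless of the combinations it actually allows. The
    evidence therefore records how many matched policies relied on the
    name heuristic alone so a reviewer can confirm those strengths.

    Not verified here: whether the included roles are actually
    administrative roles, and whether exclusions carve admins back out.
    Presumably the normalized helper or the benchmark reviewer covers
    that - confirm against the helper.

.OUTPUTS
    A single [pscustomobject] with CheckId, Title, Level, BenchmarkType,
    Status ("PASS" | "FAIL" | "ERROR"), Pass ($true | $false | $null),
    Evidence, Error and Timestamp. Any exception (missing helper file,
    Graph/helper failure) is reported as Status "ERROR" rather than thrown.
#>
$CheckId = "5.2.2.5"
$Title = "Ensure 'Phishing-resistant MFA strength' is required for Administrators"
$Level = "L2"
$BenchmarkType = "Automated"
$SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
$HelperPath = Join-Path $PSScriptRoot "helpers\ca_policy_helpers.ps1"

try {
    if (-not (Test-Path $HelperPath)) {
        throw "Required helper file not found: $HelperPath"
    }
    . $HelperPath

    # Operator-approved authentication strength IDs (built-in or custom).
    # An unset variable yields an empty list, so only the name heuristic
    # can then produce a match.
    $ApprovedStrengthIds = @(
        [string]$env:ROOT365_PHISHING_RESISTANT_AUTH_STRENGTH_IDS -split '[,; ]+' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ }
    )

    $Policies = @(Get-Root365CaPoliciesNormalized)
    if ($Policies.Count -eq 0) {
        # No policies at all is a FAIL, not an ERROR: the control is absent.
        [pscustomobject]@{
            CheckId       = $CheckId
            Title         = $Title
            Level         = $Level
            BenchmarkType = $BenchmarkType
            Status        = "FAIL"
            Pass          = $false
            Evidence      = [pscustomobject]@{
                HelperPath                   = $HelperPath
                ConditionalAccessPolicyCount = 0
                SourceDocument               = $SourceDocument
            }
            Error         = "No Conditional Access policies were returned."
            Timestamp     = Get-Date
        }
        return
    }

    # Report-only policies do not enforce anything; IsEnabled is whatever
    # the normalizer decided - presumably it excludes report-only state.
    $EnabledPolicies = @($Policies | Where-Object { $_.IsEnabled })

    $MatchedList = New-Object System.Collections.Generic.List[object]
    $NameHeuristicOnlyCount = 0
    foreach ($Policy in $EnabledPolicies) {
        $AuthName = [string]$Policy.AuthenticationStrengthDisplayName
        $AuthId = [string]$Policy.AuthenticationStrengthId

        # -in and -match are case-insensitive by default in PowerShell.
        $IdApproved = $AuthId -in $ApprovedStrengthIds
        $NameLooksPhishingResistant = ($AuthName -match 'phishing') -or ($AuthName -match 'fido')
        if (-not ($IdApproved -or $NameLooksPhishingResistant)) {
            continue
        }

        # Scope: any included directory role, and all applications.
        $TargetsRoles = $Policy.IncludeRoles.Count -gt 0
        $TargetsAllApps = Test-Root365ContainsValue -Collection $Policy.IncludeApplications -Expected "All"
        if (-not ($TargetsRoles -and $TargetsAllApps)) {
            continue
        }

        if (-not $IdApproved) {
            $NameHeuristicOnlyCount++
        }
        $MatchedList.Add($Policy)
    }
    $MatchedPolicies = @($MatchedList.ToArray())

    $Pass = $MatchedPolicies.Count -gt 0
    $Status = if ($Pass) { "PASS" } else { "FAIL" }

    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = $Status
        Pass          = $Pass
        Evidence      = [pscustomobject]@{
            HelperPath                   = $HelperPath
            ConditionalAccessPolicyCount = $Policies.Count
            EnabledPolicyCount           = $EnabledPolicies.Count
            MatchedPolicyCount           = $MatchedPolicies.Count
            # Matches that rest on the display name only; verify those
            # strengths' allowed combinations before accepting the PASS.
            NameHeuristicOnlyMatchCount  = $NameHeuristicOnlyCount
            ApprovedStrengthIds          = $ApprovedStrengthIds
            ApprovedStrengthIdsSource    = "Environment variable ROOT365_PHISHING_RESISTANT_AUTH_STRENGTH_IDS"
            MatchedPolicies              = @(Get-Root365CaPolicyEvidenceSummary -Policies $MatchedPolicies)
            ComplianceCriteria           = "Enabled CA policy targets admin roles/all resources and requires phishing-resistant authentication strength."
            SourceDocument               = $SourceDocument
        }
        Error         = if ($Pass) {
            $null
        } else {
            "No enabled Conditional Access policy was found that requires phishing-resistant authentication strength for administrative roles."
        }
        Timestamp     = Get-Date
    }
} catch {
    # Evaluation failure (helper missing, Graph error, ...) is surfaced as
    # ERROR with Pass = $null so it is not mistaken for a compliant state.
    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = "ERROR"
        Pass          = $null
        Evidence      = [pscustomobject]@{
            HelperPath     = $HelperPath
            SourceDocument = $SourceDocument
        }
        Error         = $_.Exception.Message
        Timestamp     = Get-Date
    }
}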