SHELL/5.2.2.6.ps1

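<#
.SYNOPSIS
    CIS Microsoft 365 Foundations Benchmark v6.0.1 - 5.2.2.6 (L1, Automated):
    Enable Identity Protection user risk policies.

.DESCRIPTION
    Dot-sources helpers\ca_policy_helpers.ps1 (resolved relative to this script) and
    inspects the tenant's Conditional Access (CA) policies as returned by
    Get-Root365CaPoliciesNormalized. The check PASSES when at least one ENABLED policy
    - targets all users and all applications,
    - is scoped to user risk level "high",
    - grants access only with "passwordChange" AND ("mfa" OR an authentication strength),
    - and sets sign-in frequency to "every time" (Test-Root365SignInFrequencyEveryTime).

.OUTPUTS
    Exactly one [pscustomobject] on every code path, with the same top-level shape:
    CheckId, Title, Level, BenchmarkType, Status (PASS / FAIL / ERROR),
    Pass ($true / $false, or $null when Status is ERROR), Evidence, Error, Timestamp.
    Evidence always carries HelperPath and SourceDocument; the PASS/FAIL paths add the
    policy counts, the matched-policy summaries and the compliance criteria text.

.NOTES
    Dot-sourcing runs the helper file in this script's scope with whatever Graph
    permissions the caller already holds, so the helper must be kept under the same
    change control and integrity checks as this file.
#>

$CheckId = "5.2.2.6"
$Title = "Enable Identity Protection user risk policies"
$Level = "L1"
$BenchmarkType = "Automated"
$HelperPath = Join-Path $PSScriptRoot "helpers\ca_policy_helpers.ps1"
$SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
$ComplianceCriteria = "Enabled CA policy targets all users/all resources, user risk High, requires password change and MFA/auth strength, and sign-in frequency Every time."

# Builds the single result object that every code path emits, so PASS, FAIL and ERROR
# all share one schema (HelperPath and SourceDocument are always present in Evidence).
function New-CheckResult {
    param(
        [Parameter(Mandatory)][string]$Status,
        $Pass,                                                          # $true/$false, or $null on ERROR
        [System.Collections.IDictionary]$EvidenceFields = [ordered]@{}, # extra Evidence properties, in order
        $ErrorMessage = $null                                           # untyped so $null stays $null (not "")
    )

    $evidence = [ordered]@{ HelperPath = $HelperPath }
    foreach ($key in $EvidenceFields.Keys) {
        $evidence[$key] = $EvidenceFields[$key]
    }
    $evidence['SourceDocument'] = $SourceDocument

    [pscustomobject]@{
        CheckId = $CheckId
        Title = $Title
        Level = $Level
        BenchmarkType = $BenchmarkType
        Status = $Status
        Pass = $Pass
        Evidence = [pscustomobject]$evidence
        Error = $ErrorMessage
        Timestamp = Get-Date
    }
}

# Returns $true when one normalized CA policy satisfies every CIS 5.2.2.6 condition.
# Assumes the property names produced by Get-Root365CaPoliciesNormalized (IncludeUsers,
# IncludeApplications, UserRiskLevels, GrantBuiltInControls, AuthenticationStrength*).
function Test-UserRiskPolicyMatch {
    param([Parameter(Mandatory)]$Policy)

    # Either the "mfa" built-in grant control or any configured authentication strength
    # (by id or display name) satisfies the MFA half of the requirement.
    $hasMfaOrStrength =
        (Test-Root365ContainsValue -Collection $Policy.GrantBuiltInControls -Expected "mfa") -or
        -not [string]::IsNullOrWhiteSpace([string]$Policy.AuthenticationStrengthId) -or
        -not [string]::IsNullOrWhiteSpace([string]$Policy.AuthenticationStrengthDisplayName)

    # All conditions are required; -and short-circuits on the first failing one.
    (Test-Root365ContainsValue -Collection $Policy.IncludeUsers -Expected "All") -and
    (Test-Root365ContainsValue -Collection $Policy.IncludeApplications -Expected "All") -and
    (Test-Root365ContainsValue -Collection $Policy.UserRiskLevels -Expected "high") -and
    (Test-Root365ContainsValue -Collection $Policy.GrantBuiltInControls -Expected "passwordChange") -and
    $hasMfaOrStrength -and
    (Test-Root365SignInFrequencyEveryTime -Policy $Policy)
}

try {
    # -LiteralPath: the script directory may legitimately contain wildcard characters
    # such as '[' or ']', which would make a wildcard -Path lookup miss the helper.
    if (-not (Test-Path -LiteralPath $HelperPath)) {
        throw "Required helper file not found: $HelperPath"
    }

    . $HelperPath

    # @() guarantees .Count exists even when the helper returns nothing or a single object.
    $Policies = @(Get-Root365CaPoliciesNormalized)
    if ($Policies.Count -eq 0) {
        # No policies at all is a FAIL (not an ERROR): the control is simply not in place.
        New-CheckResult -Status "FAIL" -Pass $false `
            -ErrorMessage "No Conditional Access policies were returned." `
            -EvidenceFields ([ordered]@{
                ConditionalAccessPolicyCount = 0
                EnabledPolicyCount = 0
                MatchedPolicyCount = 0
                MatchedPolicies = @()
                ComplianceCriteria = $ComplianceCriteria
            })
        return
    }

    # Only enabled policies count; report-only or disabled policies do not enforce anything.
    $EnabledPolicies = @($Policies | Where-Object { $_.IsEnabled })
    $MatchedPolicies = @($EnabledPolicies | Where-Object { Test-UserRiskPolicyMatch -Policy $_ })

    $Pass = $MatchedPolicies.Count -gt 0
    $Status = if ($Pass) { "PASS" } else { "FAIL" }
    $FailureMessage = if ($Pass) {
        $null
    } else {
        "No enabled user-risk Conditional Access policy matched the required CIS conditions (High user risk, password change, MFA/auth strength, every-time sign-in frequency)."
    }

    New-CheckResult -Status $Status -Pass $Pass -ErrorMessage $FailureMessage `
        -EvidenceFields ([ordered]@{
            ConditionalAccessPolicyCount = $Policies.Count
            EnabledPolicyCount = $EnabledPolicies.Count
            MatchedPolicyCount = $MatchedPolicies.Count
            MatchedPolicies = @(Get-Root365CaPolicyEvidenceSummary -Policies $MatchedPolicies)
            ComplianceCriteria = $ComplianceCriteria
        })
}
catch {
    # Any exception (missing helper, Graph/auth failure, helper bug) is surfaced as ERROR
    # with Pass = $null so it is never mistaken for a genuine PASS or FAIL.
    New-CheckResult -Status "ERROR" -Pass $null -ErrorMessage $_.Exception.Message
}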