ROOTM365

1.0.1

SHELL/5.2.2.7.ps1

                                $CheckId = "5.2.2.7"

$Title = "Enable Identity Protection sign-in risk policies"

$Level = "L1"

$BenchmarkType = "Automated"

$HelperPath = Join-Path $PSScriptRoot "helpers\ca_policy_helpers.ps1"

try {

    if (-not (Test-Path $HelperPath)) {

        throw "Required helper file not found: $HelperPath"

    }

    . $HelperPath

    $Policies = @(Get-Root365CaPoliciesNormalized)

    if ($Policies.Count -eq 0) {

        [pscustomobject]@{

            CheckId = $CheckId

            Title = $Title

            Level = $Level

            BenchmarkType = $BenchmarkType

            Status = "FAIL"

            Pass = $false

            Evidence = [pscustomobject]@{

                HelperPath = $HelperPath

                ConditionalAccessPolicyCount = 0

                SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"

            }

            Error = "No Conditional Access policies were returned."

            Timestamp = Get-Date

        }

        return

    }

    $EnabledPolicies = @($Policies | Where-Object { $_.IsEnabled })

    $MatchedPolicies = @(

        $EnabledPolicies | Where-Object {

            $GrantHasMfaOrStrength =

                (Test-Root365ContainsValue -Collection $_.GrantBuiltInControls -Expected "mfa") -or

                -not [string]::IsNullOrWhiteSpace([string]$_.AuthenticationStrengthId) -or

                -not [string]::IsNullOrWhiteSpace([string]$_.AuthenticationStrengthDisplayName)

            (Test-Root365ContainsValue -Collection $_.IncludeUsers -Expected "All") -and

            (Test-Root365ContainsValue -Collection $_.IncludeApplications -Expected "All") -and

            (Test-Root365ContainsAllValues -Collection $_.SignInRiskLevels -ExpectedValues @("medium", "high")) -and

            $GrantHasMfaOrStrength -and

            (Test-Root365SignInFrequencyEveryTime -Policy $_)

        }

    )

    $Pass = $MatchedPolicies.Count -gt 0

    $Status = if ($Pass) { "PASS" } else { "FAIL" }

    [pscustomobject]@{

        CheckId = $CheckId

        Title = $Title

        Level = $Level

        BenchmarkType = $BenchmarkType

        Status = $Status

        Pass = $Pass

        Evidence = [pscustomobject]@{

            ConditionalAccessPolicyCount = $Policies.Count

            EnabledPolicyCount = $EnabledPolicies.Count

            MatchedPolicyCount = $MatchedPolicies.Count

            MatchedPolicies = @(Get-Root365CaPolicyEvidenceSummary -Policies $MatchedPolicies)

            ComplianceCriteria = "Enabled CA policy targets all users/all resources, sign-in risk Medium+High, requires MFA/auth strength, and sign-in frequency Every time."

            SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"

        }

        Error = if ($Pass) { $null } else { "No enabled sign-in-risk Conditional Access policy matched the required CIS conditions (Medium/High risk, MFA/auth strength, every-time sign-in frequency)." }

        Timestamp = Get-Date

    }

}

catch {

    [pscustomobject]@{

        CheckId = $CheckId

        Title = $Title

        Level = $Level

        BenchmarkType = $BenchmarkType

        Status = "ERROR"

        Pass = $null

        Evidence = [pscustomobject]@{

            HelperPath = $HelperPath

            SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"

        }

        Error = $_.Exception.Message

        Timestamp = Get-Date

    }

}