SHELL/5.2.3.4.ps1
# CIS Microsoft 365 Foundations Benchmark 5.2.3.4 (L1, Automated):
# "Ensure all member users are 'MFA capable'".
#
# Pulls the Graph authentication-method registration report, restricted to
# member users whose isMfaCapable flag is false, and fails the check if any
# are returned. Always emits exactly one result object (PASS / FAIL / ERROR)
# and never throws: a Graph failure is reported as Status = "ERROR".
#
# NOTE(review): the registration report reflects registered methods as Graph
# sees them; it is not proof that Conditional Access actually prompts the user.
# Confirm the Connect-MgGraph session holds the scopes this report cmdlet
# requires before treating a PASS as authoritative. Guests are deliberately
# out of scope (userType eq 'Member'), matching the benchmark title.

$CheckId       = "5.2.3.4"
$Title         = "Ensure all member users are 'MFA capable'"
$Level         = "L1"
$BenchmarkType = "Automated"

try {
    # Server-side filter keeps only the offenders; -All is required so that
    # paging does not silently truncate the list and produce a false PASS.
    $filter    = "isMfaCapable eq false and userType eq 'Member'"
    $offenders = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter $filter -All -ErrorAction Stop)
    $compliant = ($offenders.Count -eq 0)

    # Property order is part of the output contract consumed by the report
    # aggregator, so build the envelope as an ordered hashtable.
    $result = [ordered]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = $(if ($compliant) { "PASS" } else { "FAIL" })
        Pass          = $compliant
        Evidence      = [pscustomobject]@{
            NonCompliantMemberUserCount = $offenders.Count
            # UPNs are evidence for remediation; sorted for stable diffs between runs.
            NonCompliantMemberUsers     = @(
                $offenders |
                    Select-Object UserPrincipalName, UserType, IsMfaCapable, IsAdmin |
                    Sort-Object UserPrincipalName
            )
            SourceDocument              = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
        }
        Error         = $(if ($compliant) { $null } else { "One or more member users are not MFA capable." })
        Timestamp     = Get-Date
    }
    [pscustomobject]$result
}
catch {
    # Any failure (missing scope, throttling, network) is surfaced as ERROR
    # with Pass = $null so it is never mistaken for a PASS or a FAIL.
    [pscustomobject]([ordered]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = "ERROR"
        Pass          = $null
        Evidence      = [pscustomobject]@{
            SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
        }
        Error         = $_.Exception.Message
        Timestamp     = Get-Date
    })
}