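# CIS Microsoft 365 Foundations Benchmark v6.0.1 - check 5.2.3.7 (L2, Automated)
# "Ensure the email OTP authentication method is disabled."
#
# Reads the tenant-wide authentication methods policy through Microsoft Graph and
# reports PASS only when the "Email" method configuration is present AND its state
# is "disabled". Every other outcome - enabled, unreadable state, or the
# configuration missing from the policy - is reported as FAIL, i.e. the check fails
# closed rather than assuming compliance from missing data.
#
# Prerequisite: an existing Microsoft Graph PowerShell session whose granted scope
# can read the authentication methods policy (see Get-MgPolicyAuthenticationMethodPolicy
# docs for the exact permission). No session / insufficient permission surfaces as
# Status = "ERROR" with the cmdlet's error text, never as PASS.
#
# Output: exactly one [pscustomobject] with CheckId, Title, Level, BenchmarkType,
# Status (PASS | FAIL | ERROR), Pass ($true/$false, $null on ERROR), Evidence,
# Error (message, or $null on PASS) and Timestamp.

$CheckId        = "5.2.3.7"
$Title          = "Ensure the email OTP authentication method is disabled"
$Level          = "L2"
$BenchmarkType  = "Automated"
$SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"

function Get-ConfigState {
    <#
    .SYNOPSIS
        Returns the state of one authentication method configuration as a string.
    .DESCRIPTION
        The Graph SDK may expose the state as a typed property (State / state) or,
        for loosely typed results, inside the AdditionalProperties dictionary.
        The locations are tried in that order; the first hit wins.
    .PARAMETER Config
        One entry of the policy's AuthenticationMethodConfigurations collection.
        May be $null (e.g. the method was not found in the policy).
    .OUTPUTS
        [string] the raw state value, or $null when Config is $null or no state
        can be located on it.
    #>
    param(
        [AllowNull()]$Config
    )

    if ($null -eq $Config) { return $null }

    # Typed property first. Both spellings are probed so a differently-cased
    # deserialisation still resolves.
    foreach ($PropertyName in @("State", "state")) {
        if ($Config.PSObject.Properties.Match($PropertyName).Count -gt 0) {
            return [string]$Config.$PropertyName
        }
    }

    # Fallback: untyped "state" key inside AdditionalProperties.
    $HasExtra = $Config.PSObject.Properties.Match("AdditionalProperties").Count -gt 0
    if ($HasExtra -and $Config.AdditionalProperties) {
        foreach ($Key in $Config.AdditionalProperties.Keys) {
            if ([string]$Key -ieq "state") {
                return [string]$Config.AdditionalProperties[$Key]
            }
        }
    }

    return $null
}

function New-CheckResult {
    <#
    .SYNOPSIS
        Builds the single result object emitted by this check.
    .DESCRIPTION
        Centralises the output shape so the PASS, FAIL and ERROR paths cannot
        drift apart. Identity fields are taken from the script-scoped variables
        ($CheckId, $Title, $Level, $BenchmarkType).
    .PARAMETER Status
        "PASS", "FAIL" or "ERROR".
    .PARAMETER Pass
        $true / $false for an evaluated check, $null when the check could not run.
    .PARAMETER Evidence
        Object holding the observed values the verdict was derived from.
    .PARAMETER Message
        Human-readable reason for a non-PASS result; $null on PASS.
    #>
    param(
        [string]$Status,
        [AllowNull()]$Pass,
        [pscustomobject]$Evidence,
        [AllowNull()]$Message
    )

    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = $Status
        Pass          = $Pass
        Evidence      = $Evidence
        Error         = $Message
        Timestamp     = Get-Date
    }
}

try {
    # -ErrorAction Stop turns a missing session / permission failure into a
    # terminating error so it lands in the catch block as ERROR, not as a FAIL.
    $Policy = Get-MgPolicyAuthenticationMethodPolicy -ErrorAction Stop

    # Drop null entries so an empty or unexpanded collection cannot trip the filter.
    $Configurations = @($Policy.AuthenticationMethodConfigurations) | Where-Object { $null -ne $_ }
    $EmailConfig    = $Configurations | Where-Object { $_.Id -eq "Email" } | Select-Object -First 1
    $EmailFound     = $null -ne $EmailConfig

    $EmailState    = Get-ConfigState -Config $EmailConfig
    # Explicit case-insensitive string compare; $null state becomes "" and fails.
    $EmailDisabled = ([string]$EmailState -ieq "disabled")

    # Fail closed: only a positively observed "disabled" state is compliant.
    $Pass   = $EmailDisabled
    $Status = if ($Pass) { "PASS" } else { "FAIL" }

    $Message = if ($Pass) {
        $null
    } elseif (-not $EmailFound) {
        # Distinguish "could not find the method" from "method is enabled" so the
        # operator knows whether to remediate the setting or investigate the policy.
        "Email OTP method configuration was not found in the authentication methods policy; treated as non-compliant."
    } else {
        "Email OTP authentication method must be disabled."
    }

    New-CheckResult -Status $Status -Pass $Pass -Message $Message -Evidence ([pscustomobject]@{
        EmailConfigFound = $EmailFound
        EmailState       = $EmailState
        EmailDisabled    = $EmailDisabled
        SourceDocument   = $SourceDocument
    })
}
catch {
    # Any failure to read the policy is reported, never swallowed or mapped to PASS.
    New-CheckResult -Status "ERROR" -Pass $null -Message $_.Exception.Message -Evidence ([pscustomobject]@{
        SourceDocument = $SourceDocument
    })
}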