param(
    ## -debug  : record the whole run in a transcript file (.\graph-idauthpolicy-get.txt)
    [switch]$debug,
    ## -prompt : ask the user to confirm the connected account before the report is produced
    [switch]$prompt
)
<#CIAOPS
Script provided as is. Use at own risk. No guarantees or warranty provided.
Description - Read the Entra ID authorization policy and the authentication methods policy through Microsoft Graph and report each authorization setting against the CIAOPS best-practice baseline, which is downloaded at run time from the directorcia/bp GitHub repository (EntraID/authorization.json).
Source -
Prerequisites = 1
1. Ensure the Microsoft Graph PowerShell SDK module is installed. The signing-in account must be able to consent to the scopes requested by Connect-MgGraph; all Graph calls in this script are read-only GETs.
#>
## Variables - console colours shared by every status and report line:
## system = start/finish banners, process = progress and "matches baseline" lines,
## error = failures and "does not match baseline" lines, warning = user-facing warnings.
$systemmessagecolor, $processmessagecolor, $errormessagecolor, $warningmessagecolor = 'cyan', 'green', 'red', 'yellow'
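function Show-PolicySetting {
    <#
    .SYNOPSIS
    Prints one authorization setting: green when it equals the baseline value, red when it does not.
    .PARAMETER Label
    Human-readable name of the setting, used as the prefix of the report line.
    .PARAMETER Actual
    Value read from the tenant (may be $null if Graph did not return the property).
    .PARAMETER Expected
    Best-practice value from the baseline; $null means the baseline does not define one.
    #>
    param(
        [string]$Label,
        $Actual,
        $Expected
    )
    # A missing baseline value must never be reported as a pass. The previous regex
    # comparison (-notmatch) treated a $null/empty pattern as "matches everything",
    # so a broken baseline download made every setting show up green.
    if ($null -eq $Expected) {
        write-host -foregroundcolor $warningmessagecolor "- $Label =", $Actual, "(no best-practice value defined in baseline)"
        return
    }
    if ($null -eq $Actual) {
        write-host -foregroundcolor $errormessagecolor "- $Label =", "(not returned by Graph)"
        return
    }
    # -ne is an exact, case-insensitive comparison. -notmatch was a regex substring
    # match, so e.g. an actual value of "everyone" would have passed a baseline of "every".
    if ("$Actual" -ne "$Expected") {
        write-host -foregroundcolor $errormessagecolor "- $Label =", $Actual
    }
    else {
        write-host -foregroundcolor $processmessagecolor "- $Label =", $Actual
    }
}
function entra-settings() {
    <#
    .SYNOPSIS
    Reads the tenant authorization policy from Graph and reports each setting against the baseline.
    .PARAMETER BestPractice
    Object holding the expected values, using the same property names as the Graph
    authorizationPolicy resource. Defaults to the script-level $bpsettings loaded from the
    CIAOPS repository, so existing callers need no argument.
    .NOTES
    permissionGrantPoliciesAssigned (user consent policy) is not evaluated by this function.
    #>
    param($BestPractice = $bpsettings)
    # https://learn.microsoft.com/en-us/graph/api/authorizationpolicy-get?view=graph-rest-1.0
    # Least-privileged delegated scope for this GET is Policy.Read.All;
    # Policy.ReadWrite.Authorization is only required to change the policy.
    $policyUrl = "https://graph.microsoft.com/beta/policies/authorizationPolicy"
    write-host -ForegroundColor Gray -backgroundcolor blue "`nGet Entra Auth policy"
    write-host -ForegroundColor Gray -backgroundcolor blue "---------------------"
    if ($null -eq $BestPractice) {
        write-host -foregroundcolor $errormessagecolor "- No best-practice baseline loaded; authorization policy cannot be evaluated"
        return
    }
    $request = Invoke-MgGraphRequest -Uri $policyUrl -Method GET
    # The beta endpoint wraps the single policy in a "value" collection; fall back to the
    # bare object in case the response comes back unwrapped (v1.0 shape).
    $policy = if ($null -ne $request.value) { @($request.value)[0] } else { $request }
    Show-PolicySetting "Block MSOL PowerShell" $policy.blockMsolPowerShell $BestPractice.blockMsolPowerShell
    Show-PolicySetting "Allow invites from" $policy.allowInvitesFrom $BestPractice.allowInvitesFrom
    # https://learn.microsoft.com/en-us/entra/identity/users/directory-self-service-signup
    Show-PolicySetting "Allowed to sign up to email based subscriptions" $policy.allowedToSignUpEmailBasedSubscriptions $BestPractice.allowedToSignUpEmailBasedSubscriptions
    Show-PolicySetting "Allow email verified users to join organization" $policy.allowEmailVerifiedUsersToJoinOrganization $BestPractice.allowEmailVerifiedUsersToJoinOrganization
    Show-PolicySetting "Allow Self Service Password Reset (SSPR)" $policy.allowedToUseSSPR $BestPractice.allowedToUseSSPR
    Show-PolicySetting "Allow user consent for risky apps" $policy.allowUserConsentForRiskyApps $BestPractice.allowUserConsentForRiskyApps
    # https://learn.microsoft.com/en-us/graph/api/resources/defaultuserrolepermissions?view=graph-rest-1.0
    $defaults = $policy.defaultUserRolePermissions
    $bpDefaults = $BestPractice.defaultUserRolePermissions
    # Corresponds to "Restrict non-admin users from creating tenants" in User settings of the Entra admin center.
    Show-PolicySetting "Users can create Entra tenants" $defaults.allowedToCreateTenants $bpDefaults.allowedToCreateTenants
    # Corresponds to "Users can register applications" in User settings of the Entra admin center.
    Show-PolicySetting "Users can create apps" $defaults.allowedToCreateApps $bpDefaults.allowedToCreateApps
    # Corresponds to "Users can create security groups in Microsoft Entra admin centers, API or PowerShell"
    # (Group settings) and "Users can create security groups" (User settings).
    Show-PolicySetting "Users can create security groups" $defaults.allowedToCreateSecurityGroups $bpDefaults.allowedToCreateSecurityGroups
    # Previously this check had its colours inverted relative to every other check
    # (mismatch printed green, match printed red); it now follows the same rule.
    Show-PolicySetting "Users can read other users" $defaults.allowedToReadOtherUsers $bpDefaults.allowedToReadOtherUsers
    Show-PolicySetting "Users can read Bitlocker Keys for their own devices" $defaults.allowedToReadBitlockerKeysForOwnedDevice $bpDefaults.allowedToReadBitlockerKeysForOwnedDevice
}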
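function entra-auth-methods() {
    <#
    .SYNOPSIS
    Lists every authentication method configuration in the tenant together with its state.
    .NOTES
    This is a listing only; unlike entra-settings it is not compared against the baseline.
    Least-privileged delegated scope for this GET is Policy.Read.All.
    #>
    $policyUrl = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy"
    write-host -ForegroundColor Gray -backgroundcolor blue "`nGet Entra authentication methods policy"
    write-host -ForegroundColor Gray -backgroundcolor blue "---------------------------------------"
    $request = Invoke-MgGraphRequest -Uri $policyUrl -Method GET
    write-host "- Identity authentication methods"
    $configs = $request.authenticationMethodConfigurations
    if ($null -eq $configs -or @($configs).Count -eq 0) {
        write-host -foregroundcolor $warningmessagecolor "  (no authentication method configurations returned)"
        return
    }
    # Walk the configuration objects themselves instead of two parallel property arrays
    # indexed by a counter: with a single configuration ".state[$i]" would index into the
    # state string rather than a collection.
    foreach ($config in $configs) {
        write-host " ", $config.id, "=", $config.state
    }
}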
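if ($debug) {
    # Record the whole run (including the coloured report) in a transcript in the current
    # directory; the file is overwritten on every run.
    write-host "Script activity logged at .\graph-idauthpolicy-get.txt"
    start-transcript ".\graph-idauthpolicy-get.txt" | Out-Null
}
Clear-Host
write-host -foregroundcolor $systemmessagecolor "Graph Identity Authorization Best Practice get script - Started`n"
write-host -foregroundcolor $processmessagecolor "Connect to MS Graph"
# Least privilege: every Graph call in this script is a GET, and Policy.Read.All is the
# least-privileged delegated scope documented for reading both authorizationPolicy and
# authenticationMethodsPolicy. The ReadWrite scopes requested previously
# (Policy.ReadWrite.Authorization, Policy.ReadWrite.AuthenticationMethod) would have let a
# report-only script - or anything hijacking its token - change tenant policy.
connect-mggraph -scopes "Policy.Read.All" | Out-Null
$graphcontext = Get-MgContext
if ($null -eq $graphcontext) {
    # Connect-MgGraph can return without a session (e.g. the sign-in was cancelled).
    write-host -foregroundcolor $errormessagecolor "No Graph session established. Re-run script and complete the sign-in"
    if ($debug) { Stop-Transcript | Out-Null }
    exit 1
}
write-host -foregroundcolor $processmessagecolor "Connected account =", $graphcontext.Account
if ($prompt) {
    do {
        $response = read-host -Prompt "`nIs this correct? [Y/N]"
    } until (-not [string]::IsNullOrEmpty($response))
    # -ne is case-insensitive, so both "Y" and "y" are accepted.
    if ($response -ne "Y") {
        Disconnect-MgGraph | Out-Null
        write-host -foregroundcolor $warningmessagecolor "[001] Disconnected from current Graph environment. Re-run script to login to desired environment"
        if ($debug) { Stop-Transcript | Out-Null }
        exit 1
    }
}
write-host -ForegroundColor $processmessagecolor "Get Identity Authorization Best Practice policy from CIAOPS Best Practice repo"
# Everything the report calls "best practice" comes from this file, fetched over HTTPS from
# a third-party GitHub repository at run time. It tracks the "main" branch, so the expected
# values can change between runs; pin the URL to a commit SHA if you need a reproducible
# (and reviewable) baseline.
$bpurl = "https://raw.githubusercontent.com/directorcia/bp/main/EntraID/authorization.json"
try {
    $query = invoke-webrequest -method GET -ContentType "application/json" -uri $bpurl -UseBasicParsing
    $bpsettings = $query.content | ConvertFrom-Json
}
catch {
    Write-Host -ForegroundColor $errormessagecolor "[003]", $_.Exception.Message
    $bpsettings = $null
}
# Fail closed. Previously a failed download left $bpsettings empty and the script carried
# on; every "-notmatch $null" comparison then succeeded, so a download failure was
# reported as a fully compliant tenant.
if ($null -eq $bpsettings) {
    write-host -foregroundcolor $errormessagecolor "Best-practice baseline could not be loaded; no report produced"
    Disconnect-MgGraph | Out-Null
    if ($debug) { Stop-Transcript | Out-Null }
    exit 1
}
entra-settings
entra-auth-methods
# Actually end the delegated session rather than only announcing it, so no
# authenticated Graph context is left behind in the console.
write-host -foregroundcolor $processmessagecolor "Disconnect any existing Graph sessions"
Disconnect-MgGraph | Out-Null
write-host -foregroundcolor $systemmessagecolor "`nGraph Best Practice get script - Finished"
if ($debug) {
    Stop-Transcript | Out-Null
}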