
update
dutt0 committed Dec 17, 2024
1 parent db7b0f4 commit bc968e3
Showing 1 changed file with 7 additions and 66 deletions.
Expand Up @@ -40,15 +40,15 @@ function Test-BreakGlassAccounts {
[String] $SecondBreakGlassUPNUrl = $("/users/" + $SecondBreakGlassUPN + "?$" + "select=userPrincipalName,id,userType")

# Validate two BG accounts exist
if($FirstBreakGlassUPN -eq "" -or $SecondBreakGlassUPN -eq ""){
if($FirstBreakGlassUPN -eq "" -and $SecondBreakGlassUPN -eq ""){
$IsCompliant = $false
$PsObject = [PSCustomObject]@{
ComplianceStatus = $IsCompliant
ControlName = $ControlName
ItemName = $ItemName
Comments = $msgTable.isNotCompliant + " " + $msgTable.bgAccountNotExist
ReportTime = $ReportTime
itsgcode = $itsgcode
itsgcode = $itsgcode
}
}
elseif(($FirstBreakGlassUPN -ne "" -or $SecondBreakGlassUPN -ne "") -and $FirstBreakGlassUPN -eq $SecondBreakGlassUPN){
Expand All @@ -59,69 +59,11 @@ function Test-BreakGlassAccounts {
ItemName = $ItemName
Comments = $msgTable.isNotCompliant + " " + $msgTable.bgAccountNotExist
ReportTime = $ReportTime
itsgcode = $itsgcode
itsgcode = $itsgcode
}
}
else{
# Validate listed BG accounts as members
$FirstBreakGlassAcct = [PSCustomObject]@{
UserPrincipalName = $FirstBreakGlassUPN
apiUrl = $FirstBreakGlassUPNUrl
ComplianceStatus = $false
}
$SecondBreakGlassAcct = [PSCustomObject]@{
UserPrincipalName = $SecondBreakGlassUPN
apiUrl = $SecondBreakGlassUPNUrl
ComplianceStatus = $false
}

# get 1st break glass account
try {
$urlPath = $FirstBreakGlassAcct.apiUrl
$response = Invoke-GraphQuery -urlPath $urlPath -ErrorAction Stop

$data = $response.Content

if ($data.userType -eq "Member") {
$FirstBreakGlassAcct.ComplianceStatus = $true
}
}
catch {
$ErrorList.Add("Failed to call Microsoft Graph REST API at URL '$urlPath'; returned error message: $_")
Write-Warning "Error: Failed to call Microsoft Graph REST API at URL '$urlPath'; returned error message: $_"
}

# get 2nd break glass account
try {
$urlPath = $SecondBreakGlassAcct.apiURL
$response = Invoke-GraphQuery -urlPath $urlPath -ErrorAction Stop

$data = $response.Content

if ($data.userType -eq "Member") {
$SecondBreakGlassAcct.ComplianceStatus = $true
}
}
catch {
$ErrorList.Add("Failed to call Microsoft Graph REST API at URL '$urlPath'; returned error message: $_")
Write-Warning "Error: Failed to call Microsoft Graph REST API at URL '$urlPath'; returned error message: $_"
}

# compliance status
$IsCompliant = $FirstBreakGlassAcct.ComplianceStatus -and $SecondBreakGlassAcct.ComplianceStatus
Write-Host "step 1 validate listed BG accounts compliance status: $IsCompliant"
# if not compliant
if(-not $IsCompliant){
$PsObject = [PSCustomObject]@{
ComplianceStatus = $IsCompliant
ControlName = $ControlName
ItemName = $ItemName
Comments = $msgTable.isNotCompliant + " " + $msgTable.bgAccountNotExist
ReportTime = $ReportTime
itsgcode = $itsgcode
}
}
else{

# # Validate BG account Sign-in activity

# Parse LAW Resource ID
Expand All @@ -142,12 +84,12 @@ function Test-BreakGlassAccounts {
you have permissions to the subscription, the ID is correct, and that it exists in this tenant; returned error message: $_"
}

# Validate singnIns log is enabled
# Validate signIn log is enabled
try {
# logs to check
$SignInLogs = @('SignInLogs')

#Retrieve diagnostic settings to check for logs
# Retrieve diagnostic settings to check for logs
$diagnosticSettings = get-AADDiagnosticSettings
$matchingSetting = $diagnosticSettings | Where-Object { $_.properties.workspaceId -eq $LAWResourceId } | Select-Object -First 1

Expand All @@ -164,7 +106,6 @@ function Test-BreakGlassAccounts {
$IsCompliant = $false
$Comments += $msgTable.signInlogsNotCollected + " Missing logs: $($missingSignInLogs -join ', ')"
}

}
catch {
if ($_.Exception.Message -like "*ResourceNotFound*") {
Expand Down Expand Up @@ -235,7 +176,7 @@ function Test-BreakGlassAccounts {
itsgcode = $itsgcode
}
}
}

}

# Conditionally add the Profile field based on the feature flag
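Review bot: Changing the guard at the top of the first hunk from `-or` to `-and` means a configuration with exactly one break-glass UPN populated (the other empty) no longer fails the `bgAccountNotExist` check: with one empty and one non-empty UPN the `elseif` equality test is also false, so execution falls through to the sign-in-log validation as if two accounts were configured. If the control is meant to require two distinct break-glass accounts, the original `-or` (or `if([string]::IsNullOrWhiteSpace($FirstBreakGlassUPN) -or [string]::IsNullOrWhiteSpace($SecondBreakGlassUPN)){`, which also rejects whitespace-only values) is the correct condition; at minimum the comment `# Validate two BG accounts exist` should be reworded to match the new semantics. Note also that the deleted Graph lookup was the only place in this view that confirmed each UPN resolves to a `Member` user in the tenant, so a mistyped UPN will now only be noticed if the sign-in query further down (outside this hunk) surfaces it. Test-BreakGlassAccounts starts before the first hunk and continues past the last.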
