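<#PSScriptInfo
.VERSION 0.1.6
.GUID 5448812b-bb0d-4d06-a4c4-2d3290a87e10
.AUTHOR Anderson Matters, LLC
.COMPANYNAME Anderson Matters, LLC
.COPYRIGHT
.TAGS
.LICENSEURI
.PROJECTURI
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
#>

<#
.DESCRIPTION
Aggregator Beta
#>

<#
.SYNOPSIS
Microsoft 365 security audit helpers (Exchange Online, MSOnline, Azure AD).

.DESCRIPTION
Connect-M365Session installs (if missing) and connects the AzureAD, MSOnline and
ExchangeOnlineManagement modules. The Get-* functions print a colour-coded
console report (green = good, yellow = review, red = finding) and change nothing.
The Set-* functions change tenant configuration; read each one before running it
against a production tenant (they support -WhatIf where noted).

.NOTES
The module-scope objects below are created at import time and need the MSOnline
assembly type Microsoft.Online.Administration.StrongAuthenticationRequirement to
be loadable; importing this module on a machine without MSOnline fails at
New-Object before any function is defined.
NOTE(review): Microsoft has announced the retirement of the MSOnline and AzureAD
modules in favour of Microsoft Graph PowerShell; confirm their current support
status before relying on this module.
#>

#---------------------------------------------------------------------------
# Module-scope StrongAuthenticationRequirement templates used by Set-MFAStatus.
#---------------------------------------------------------------------------

# "Disabled" template: a requirement object with neither RelyingParty nor State.
# Kept for compatibility; Set-MFAStatus clears MFA by writing an empty array
# (@()) rather than this object.
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa = @($mfa)

# "Enabled" template: RelyingParty "*" with the type's default State.
$mfa_enable = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa_enable.RelyingParty = "*"
$mfa_enable = @($mfa_enable)

# "Enforced" template: RelyingParty "*" and State "Enforced".
$mfa_enforced = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa_enforced.RelyingParty = "*"
$mfa_enforced.State = "Enforced"
$mfa_enforced = @($mfa_enforced)

#---------------------------------------------------------------------------
# Connection
#---------------------------------------------------------------------------

function Connect-M365Session {
    <#
    .SYNOPSIS
    Installs missing dependency modules and opens the sessions the other functions need.

    .DESCRIPTION
    For each of AzureAD, MSOnline and ExchangeOnlineManagement: installs the
    module if it is not available on this machine, then imports it. Prompts for
    a user principal name and connects to Security & Compliance PowerShell,
    Exchange Online, Azure AD and MSOnline; each connection prompts for
    credentials/MFA interactively. Failures are reported on the warning/error
    streams instead of being silently discarded, but the function does not stop
    on them.

    .OUTPUTS
    None. Progress is written with Write-Host.
    #>
    [CmdletBinding()]
    param()

    # Module name -> label used in the progress message.
    $dependencies = [ordered]@{
        AzureAD                  = 'AzureAD PS Module'
        MSOnline                 = 'MSOL PS Module'
        ExchangeOnlineManagement = 'MS Exchange PS Module'
    }

    try {
        foreach ($module_name in $dependencies.Keys) {
            # -ListAvailable inspects the installed set, not only what is already
            # imported into this session, so an installed module is not
            # re-installed on every run.
            if (-not (Get-Module -ListAvailable -Name $module_name)) {
                Write-Host "Installing $($dependencies[$module_name])..." -BackgroundColor Yellow -ForegroundColor Black
                # Installs whatever version the registered repository currently
                # serves (no -RequiredVersion pin); pin it for a reproducible
                # toolchain. -ErrorAction Stop turns PowerShellGet's
                # non-terminating errors into ones the catch below sees.
                Install-Module -Name $module_name -ErrorAction Stop
            }
            # Importing an already-loaded module is a no-op.
            Import-Module -Name $module_name -ErrorAction Stop
        }
    }
    catch {
        # Install-Module without -Scope CurrentUser targets the machine-wide
        # module path and needs elevation.
        Write-Warning "Administrator rights are required to install modules."
        Write-Warning $_.Exception.Message
    }

    # One account is used for every connection below.
    $username = Read-Host -Prompt "Username for Tenant"

    try {
        # Security & Compliance PowerShell.
        Connect-IPPSSession -UserPrincipalName $username -ConnectionUri 'https://ps.protection.outlook.com/powershell-liveid/'
        # Exchange Online proper. Get-CASMailbox, Get-TransportConfig,
        # Get-OrganizationConfig and Get-DistributionGroup used by the audit
        # functions are Exchange Online cmdlets and are not provided by the
        # Security & Compliance session above.
        Connect-ExchangeOnline -UserPrincipalName $username
        Connect-AzureAD
        Connect-MsolService
    }
    catch {
        Write-Error -ErrorRecord $_
    }
}

#---------------------------------------------------------------------------
# Retrieval functions (read-only)
#---------------------------------------------------------------------------

function Get-ExchangeHealth {
    <#
    .SYNOPSIS
    Prints a colour-coded Exchange Online / mail-hygiene report for the connected tenant.

    .DESCRIPTION
    Read-only. For every accepted domain that is not an *.onmicrosoft.com
    domain it resolves the MX and SPF (TXT) records, then reports whether
    unified audit log ingestion is on, lists mailboxes that still have POP or
    IMAP enabled, and reports whether SMTP client authentication (SMTP AUTH) is
    disabled tenant-wide. Requires Connect-M365Session (MSOnline and Exchange
    Online sessions).

    .OUTPUTS
    None. Findings are written with Write-Host (green = good, red = finding).
    #>
    [CmdletBinding()]
    param()

    # -- Collection -----------------------------------------------------------
    $dns_domain = Get-MsolDomain
    $unified_audit_log = Get-AdminAuditLogConfig
    # -ResultSize Unlimited: the default page size would silently truncate a
    # large tenant and hide mailboxes with legacy protocols enabled.
    $exchange_mailbox_protocols = Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.PopEnabled -eq 1 -or $_.ImapEnabled -eq 1 }
    $smtpauth = Get-TransportConfig

    # -- DNS: MX and SPF per custom domain ------------------------------------
    foreach ($domain in $dns_domain) {
        if ($domain.Name -like "*onmicrosoft.com*") { continue }

        # -ErrorAction SilentlyContinue: a domain with no MX/TXT answer is
        # reported as missing below instead of aborting the whole report.
        $dns_record_check_mx = Resolve-DnsName -Name $domain.Name -Type MX -ErrorAction SilentlyContinue
        # RFC 7208: an SPF record is a TXT record beginning with "v=spf1".
        $dns_record_check_spf = Resolve-DnsName -Name $domain.Name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object { $_.Strings -like '*v=spf1*' }
        # TODO: DKIM (selector._domainkey) and DMARC (_dmarc) TXT checks.

        Write-Host "Domain DNS:" $domain.Name -ForegroundColor Green
        if ($dns_record_check_mx) {
            Write-Host "MX Record(s):" $dns_record_check_mx.NameExchange -ForegroundColor Blue
        }
        else {
            Write-Host "MX Record(s): none found" -ForegroundColor Red
        }
        if ($dns_record_check_spf) {
            Write-Host "SPF Record:" $dns_record_check_spf.Strings -ForegroundColor Blue
        }
        else {
            # Without SPF, receivers cannot reject mail spoofing this domain.
            Write-Host "SPF Record: none found" -ForegroundColor Red
        }
    }

    # -- Unified audit log ----------------------------------------------------
    $color = if ($unified_audit_log.UnifiedAuditLogIngestionEnabled) { "Green" } else { "Red" }
    Write-Host "Unified Logging: $($unified_audit_log.UnifiedAuditLogIngestionEnabled)" -ForegroundColor $color

    # -- Legacy protocols per mailbox -----------------------------------------
    # Every entry was selected because POP or IMAP is enabled, so each line is a
    # finding; these basic-auth protocols bypass modern-auth controls.
    foreach ($mailbox in $exchange_mailbox_protocols) {
        Write-Host $mailbox.Name "PopEnabled:" $mailbox.PopEnabled "ImapEnabled:" $mailbox.ImapEnabled -ForegroundColor Red
    }

    # -- SMTP AUTH ------------------------------------------------------------
    $color = if ($smtpauth.SmtpClientAuthenticationDisabled) { "Green" } else { "Red" }
    Write-Host "Mailbox SMTP Client Authentication Disabled Globally: $($smtpauth.SmtpClientAuthenticationDisabled)" -ForegroundColor $color
}

function Set-ExchangeBestPractices {
    <#
    .SYNOPSIS
    Applies the Exchange Online hardening baseline: no POP/IMAP, no SMTP AUTH.

    .DESCRIPTION
    Changes tenant configuration:
      1. Disables IMAP and POP on every CAS mailbox plan that still has either
         enabled (affects mailboxes created in the future).
      2. Disables IMAP and POP on every existing mailbox that still has either
         enabled.
      3. Disables SMTP client authentication tenant-wide.
    Supports -WhatIf / -Confirm. Clients on POP/IMAP and applications that
    submit mail with SMTP AUTH stop working after this runs; inventory them
    with Get-ExchangeHealth first.

    .NOTES
    Set-ExchangeBestPratices (the original misspelled name) is kept as an alias.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (-not $PSCmdlet.ShouldProcess("Exchange Online tenant", "Disable POP/IMAP on all mailbox plans and mailboxes and disable SMTP AUTH")) {
        return
    }

    # Future mailboxes: plans are the template new mailboxes inherit from.
    Get-CASMailboxPlan -Filter { ImapEnabled -eq "true" -or PopEnabled -eq "true" } |
        Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

    # Existing mailboxes; -ResultSize Unlimited so paging skips none.
    Get-CASMailbox -ResultSize Unlimited -Filter { ImapEnabled -eq "true" -or PopEnabled -eq "true" } |
        Select-Object @{ n = "Identity"; e = { $_.PrimarySmtpAddress } } |
        Set-CASMailbox -ImapEnabled $false -PopEnabled $false

    # Tenant-wide SMTP AUTH off. A relay account that genuinely needs it can be
    # handled individually afterwards instead of leaving it on for everyone.
    Set-TransportConfig -SmtpClientAuthenticationDisabled $true
}
Set-Alias -Name Set-ExchangeBestPratices -Value Set-ExchangeBestPractices

function Get-MsolHealth {
    <#
    .SYNOPSIS
    Prints role membership, modern-auth, MFA and remote PowerShell findings.

    .DESCRIPTION
    Read-only. Lists the members of every MSOnline directory role that has any,
    reports whether modern authentication (OAuth2ClientProfileEnabled) is on,
    prints the MFA state of every licensed user via Get-MFAStatus -All, and
    colours every user by whether remote PowerShell is still enabled.
    Requires Connect-M365Session.

    .OUTPUTS
    None. Findings are written with Write-Host.
    #>
    [CmdletBinding()]
    param()

    $organization_config = Get-OrganizationConfig
    # -ResultSize Unlimited / -All: avoid default page limits so no account is
    # silently left out of the audit.
    $msol_users = Get-User -ResultSize Unlimited
    $msol_roles = Get-MsolRole

    # Members of every directory role that has any.
    foreach ($role in $msol_roles) {
        $role_details = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All
        if ($role_details) {
            Write-Host $role.Name
            Write-Host $role_details.DisplayName -ForegroundColor Yellow
        }
    }

    # Modern authentication.
    $color = if ($organization_config.OAuth2ClientProfileEnabled) { "Green" } else { "Red" }
    Write-Host "Modern Authentication:$($organization_config.OAuth2ClientProfileEnabled)" -ForegroundColor $color

    # MFA status of every licensed user.
    Write-Host "MFA Users / MFS Status" -BackgroundColor Blue
    Get-MFAStatus -All 1

    # TODO: integrated apps inventory, Customer Lockbox check.

    # Remote PowerShell: red where a user still has it enabled.
    foreach ($user in $msol_users) {
        $color = if ($user.RemotePowerShellEnabled) { "Red" } else { "Green" }
        Write-Host "Remote Powershell is" $user.RemotePowerShellEnabled "for" $user.Name -ForegroundColor $color
    }
}

function Set-MsolBestPractices {
    <#
    .SYNOPSIS
    Previews disabling remote PowerShell for every user that holds no directory role.

    .DESCRIPTION
    Builds the set of administrator addresses from the membership of every
    MSOnline role, then walks all users: role holders are reported as keeping
    remote PowerShell; every other user that still has it enabled gets the
    Set-User command that would disable it printed in green. This is a dry run:
    the Set-User line is printed, not executed.

    .NOTES
    Role members are matched on Get-MsolRoleMember.EmailAddress against
    Get-User.UserPrincipalName with exact, case-insensitive comparison.
    NOTE(review): those two values are usually identical for cloud users but
    are not guaranteed to be; a role holder whose EmailAddress differs from the
    UPN would be listed as a non-admin here - confirm before executing the
    printed commands.
    #>
    [CmdletBinding()]
    param()

    $msol_users = Get-User -ResultSize Unlimited
    $msol_roles = Get-MsolRole

    # Distinct role-member addresses, kept as an array. The previous string
    # concatenation plus regex Select-String allowed substring and regex
    # metacharacter matches, so a non-admin UPN could "match" an admin entry
    # and keep remote PowerShell.
    $msol_roles_store = @()
    foreach ($role in $msol_roles) {
        $role_details = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All
        foreach ($member in $role_details) {
            # Groups/service principals in a role may have no EmailAddress.
            if ($member.EmailAddress -and $msol_roles_store -notcontains $member.EmailAddress) {
                $msol_roles_store += $member.EmailAddress
            }
        }
    }
    Write-Host ($msol_roles_store -join ' ')

    foreach ($user in $msol_users) {
        if ($msol_roles_store -contains $user.UserPrincipalName) {
            # Administrators keep remote PowerShell.
            Write-Host "Powershell Remains Enabled for" $user.UserPrincipalName -ForegroundColor Yellow
        }
        elseif ($user.RemotePowerShellEnabled -ne $false) {
            # Dry run: print a copy-pasteable remediation instead of executing it
            # (the UPN is expanded; `$false is kept literal).
            Write-Host "#Set-User -Identity $($user.UserPrincipalName) -RemotePowerShellEnabled `$false" -ForegroundColor Green
        }
        # Already disabled: nothing to report.
    }
}

function Get-AzureHealth {
    <#
    .SYNOPSIS
    Placeholder for Azure AD audit checks; not implemented yet.
    #>
}

function Set-AzureBestPractices {
    <#
    .SYNOPSIS
    Placeholder for Azure AD hardening; not implemented yet.
    #>
}

#---------------------------------------------------------------------------
# MFA management functions
#---------------------------------------------------------------------------

function Write-MfaStatusLine {
    <#
    .SYNOPSIS
    Prints one "<upn> <state>" line, colour-coded by per-user MFA state.

    .PARAMETER User
    An MSOnline user object (Get-MsolUser output). Its
    StrongAuthenticationRequirements.State is read: $null (no requirement
    set) prints "Disabled" in red, "Enabled" prints yellow, "Enforced" prints
    green; any other value prints in red as-is.
    #>
    param(
        [Parameter(Mandatory = $true)]
        $User
    )

    $state = $User.StrongAuthenticationRequirements.State
    if ($null -eq $state) {
        # MSOnline represents "no per-user MFA" as an empty requirement
        # collection, so the state is $null rather than the string "Disabled".
        Write-Host $User.UserPrincipalName "Disabled" -ForegroundColor Red
    }
    elseif ($state -eq "Enabled") {
        Write-Host $User.UserPrincipalName $state -ForegroundColor Yellow
    }
    elseif ($state -eq "Enforced") {
        Write-Host $User.UserPrincipalName $state -ForegroundColor Green
    }
    else {
        Write-Host $User.UserPrincipalName $state -ForegroundColor Red
    }
}

function Get-MFAStatus {
    <#
    .SYNOPSIS
    Prints the per-user MFA state (Disabled / Enabled / Enforced) for a user, a group, or all licensed users.

    .DESCRIPTION
    Read-only. Colour coding: red = no per-user MFA requirement, yellow =
    Enabled, green = Enforced. The three selectors are independent; more than
    one may be given and each is processed in turn.

    .PARAMETER Username
    User principal name (email form) of a single user.

    .PARAMETER GroupName
    Identity of an Exchange Online distribution group; its members are resolved
    through MSOnline and each member is reported.

    .PARAMETER All
    When $true, report every licensed user in the tenant.

    .OUTPUTS
    None. Lines are written with Write-Host.
    #>
    param(
        [Parameter(Mandatory = $false)]
        [string]$Username,
        [string]$GroupName,
        [bool]$All
    )

    if ($Username) {
        $user = Get-MsolUser -UserPrincipalName $Username
        Write-MfaStatusLine -User $user
    }

    if ($GroupName) {
        # Exchange distribution group -> directory object id -> MSOL members.
        $group = Get-DistributionGroup -Identity $GroupName
        # -All: without it only the first page of members is returned.
        Get-MsolGroupMember -GroupObjectId $group.ExternalDirectoryObjectId -All | ForEach-Object {
            $user = Get-MsolUser -UserPrincipalName $_.EmailAddress
            Write-MfaStatusLine -User $user
        }
    }

    if ($All) {
        # -All: Get-MsolUser otherwise returns at most its default page size,
        # which would silently hide part of a larger tenant from the audit.
        Get-MsolUser -All | Where-Object IsLicensed -EQ 1 | ForEach-Object {
            Write-MfaStatusLine -User $_
        }
    }
}

function Set-MfaRequirementForUser {
    <#
    .SYNOPSIS
    Replaces one user's StrongAuthenticationRequirements and echoes the result.

    .DESCRIPTION
    Writes an empty requirement set first, then, when a template is supplied,
    writes that template. Finally prints the user's resulting state via
    Get-MFAStatus.

    .PARAMETER UserPrincipalName
    Target user.

    .PARAMETER Requirement
    Array of StrongAuthenticationRequirement objects to apply after clearing
    ($mfa_enable or $mfa_enforced). Omit to leave MFA disabled.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName,
        [array]$Requirement = @()
    )

    # Clear, then apply: same sequence the original code used (empty array,
    # then template). Presumably needed so the template replaces rather than
    # merges with the existing set - TODO confirm against MSOnline behaviour.
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
    if ($Requirement.Count -gt 0) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $Requirement
    }
    Get-MFAStatus -Username $UserPrincipalName
}

function Set-MFAStatus {
    <#
    .SYNOPSIS
    Enables, enforces or disables per-user MFA for a user or every member of a group.

    .DESCRIPTION
    Changes tenant configuration. For each target user the existing
    StrongAuthenticationRequirements are cleared and then, per switch, the
    module-scope template $mfa_enable (Enable) or $mfa_enforced (Enforced) is
    applied; Disable leaves the set empty. When more than one of
    -Enable/-Enforced/-Disable is $true they are applied in that order for each
    user, so the last one wins. The resulting state of each user is printed via
    Get-MFAStatus. Supports -WhatIf / -Confirm.

    .PARAMETER Username
    User principal name (email form) of a single user.

    .PARAMETER GroupName
    Identity of an Exchange Online distribution group; every MSOL member with
    an EmailAddress is processed.

    .PARAMETER Enable
    $true to enable MFA (RelyingParty "*", default state).

    .PARAMETER Enforced
    $true to enforce MFA (RelyingParty "*", State "Enforced").

    .PARAMETER Disable
    $true to remove all per-user MFA requirements. Removing MFA from an account
    weakens its sign-in protection; run with -WhatIf first.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $false)]
        [string]$Username,
        [string]$GroupName,
        [Bool]$Enable,
        [Bool]$Enforced,
        [Bool]$Disable
    )

    # Resolve the target UPNs once; the per-switch handling below is identical
    # apart from the template applied.
    $targets = @()
    if ($Username) {
        $targets += $Username
    }
    if ($GroupName) {
        $group = Get-DistributionGroup -Identity $GroupName
        # -All: without it only the first page of members is returned. Members
        # without an EmailAddress cannot be addressed by UPN and are skipped.
        $members = @(
            Get-MsolGroupMember -GroupObjectId $group.ExternalDirectoryObjectId -All |
                ForEach-Object { $_.EmailAddress } |
                Where-Object { $_ }
        )
        $targets += $members
    }

    foreach ($upn in $targets) {
        if ($Enable -eq $true -and $PSCmdlet.ShouldProcess($upn, "Enable MFA")) {
            Set-MfaRequirementForUser -UserPrincipalName $upn -Requirement $mfa_enable
        }
        if ($Enforced -eq $true -and $PSCmdlet.ShouldProcess($upn, "Enforce MFA")) {
            Set-MfaRequirementForUser -UserPrincipalName $upn -Requirement $mfa_enforced
        }
        if ($Disable -eq $true -and $PSCmdlet.ShouldProcess($upn, "Disable MFA")) {
            Set-MfaRequirementForUser -UserPrincipalName $upn
        }
    }
}

# Export every function and alias defined above.
Export-ModuleMember -Function * -Alias *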