Framework/Core/SVT/AAD/AAD.Group.ps1
Set-StrictMode -Version Latest class Group: SVTBase { hidden [PSObject] $ResourceObject; Group([string] $tenantId, [SVTResource] $svtResource): Base($tenantId, $svtResource) { $objId = $svtResource.ResourceId $this.ResourceObject = Get-AzureADGroup -ObjectId $objId } hidden [PSObject] GetResourceObject() { return $this.ResourceObject; } hidden [ControlResult] CheckGroupsIsSecurityEnabled([ControlResult] $controlResult) { $g = $this.GetResourceObject() if($g.SecurityEnabled -eq $false) { $controlResult.AddMessage([VerificationResult]::Failed, [MessageData]::new("Group object is not security enabled.")); } else { $controlResult.AddMessage([VerificationResult]::Passed, [MessageData]::new("Group object is security enabled.")); } return $controlResult; } hidden [ControlResult] CheckGroupHasNonGuestOwner([ControlResult] $controlResult) { $g = $this.GetResourceObject() $go = [array] (Get-AzureADGroupOwner -ObjectId $g.ObjectId) #TODO: may need more logic (e.g., can Groups or SPNs be 'Group Owners'?) $ret = $false if ($go -ne $null -and $go.Count -ne 0) { $go | % { $o = $_ if ($o.ObjectType -eq 'User' -and $o.UserType -ne 'Guest') { $ret = $true #Pass only if we find at least one non-Guest user } } } else { #Group has no owners...fail! $ret = $false } if ($ret -eq $true) { $controlResult.AddMessage([VerificationResult]::Passed, [MessageData]::new("Found at least one non-guest owner for group: $($g.DisplayName).")); } else { $controlResult.AddMessage([VerificationResult]::Failed, [MessageData]::new("Did not find at least one non-guest owner for group: $($g.DisplayName).")); } return $controlResult; } } |