private/review/defender/audit/Invoke-ReviewDefenderNonGlobalAdminRoleAssignment.ps1

function Invoke-ReviewDefenderNonGlobalAdminRoleAssignment
{
    <#
    .SYNOPSIS
        Review non-global administrator role group assignments.
    .DESCRIPTION
        Returns review object.
    .NOTES
        Requires the following modules:
        - ExchangeOnlineManagement
    .EXAMPLE
        Invoke-ReviewDefenderNonGlobalAdminRoleAssignment;
    #>


    [cmdletbinding()]
    param
    (
    )

    BEGIN
    {
        # Write progress.
        Write-Progress -Activity $MyInvocation.MyCommand -Status 'Running' -CurrentOperation $MyInvocation.MyCommand.Name -PercentComplete -1 -SecondsRemaining -1;

        # Search between the following dates.
        $startDate = ((Get-Date).AddDays(-7)).ToUniversalTime().ToString('yyyy/MM/dd HH:mm:ss', [CultureInfo]::InvariantCulture);
        $endDate = (Get-Date).ToUniversalTime().ToString('yyyy/MM/dd HH:mm:ss', [CultureInfo]::InvariantCulture);

        # Operations to monitor.
        $operations = @(
            'Add member to role.',
            'Remove member from role.'
        );
    }
    PROCESS
    {
        # Write to log.
        Write-CustomLog -Category 'Microsoft Defender' -Subcategory 'Audit' -Message ("Getting non-global administrator role group assignments with start date '{0}' and end date '{1}'" -f $startDate, $endDate) -Level Verbose;

        # Search in the audit log.
        $auditLogs = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations $operations;
    }
    END
    {
        # Bool for review flag.
        [bool]$reviewFlag = $false;

        # If review flag should be set.
        if ($auditLogs.Count -gt 0)
        {
            # Should be reviewed.
            $reviewFlag = $true;
        }

        # Create new review object to return.
        [Review]$review = [Review]::new();

        # Add to object.
        $review.Id = '8104752c-9e07-4a61-99a1-7161a792d76e';
        $review.Category = 'Microsoft 365 Defender';
        $review.Subcategory = 'Audit';
        $review.Title = 'Ensure non-global administrator role group assignments are reviewed at least weekly';
        $review.Data = $auditLogs | Select-Object RecordType, CreationDate, UserIds, Operations, Identity;
        $review.Review = $reviewFlag;

        # Print result.
        $review.PrintResult();

        # Write progress.
        #Write-Progress -Activity $MyInvocation.MyCommand -Status 'Completed' -CurrentOperation $MyInvocation.MyCommand.Name -Completed;

        # Return object.
        return $review;
    }
}