private/review/defender/settings/Invoke-ReviewDefenderPriorityAccountProtectionConfig.ps1
function Invoke-ReviewDefenderPriorityAccountProtectionConfig { <# .SYNOPSIS Review that priority account protection is enabled and configured. .DESCRIPTION Returns review object. .NOTES Requires the following modules: - ExchangeOnlineManagement .EXAMPLE Invoke-ReviewDefenderPriorityAccountProtectionConfig; #> [cmdletbinding()] param ( ) BEGIN { # Write progress. Write-Progress -Activity $MyInvocation.MyCommand -Status 'Running' -CurrentOperation $MyInvocation.MyCommand.Name -PercentComplete -1 -SecondsRemaining -1; # Write to log. Write-CustomLog -Category 'Microsoft Defender' -Subcategory 'Settings' -Message 'Getting email tenant settings' -Level Verbose; # Get the current email tenant settings. $emailTenantSettings = Get-EmailTenantSettings; # Get all priority users. $allUsers = Get-EntraIdUserPriority; # Get all alert policies. $protectionAlertPolicies = Get-ProtectionAlert; # Boolean to track if the tenant is configured for priority account protection. [bool]$validConfig = $false; [bool]$validAllUsers = $false; [bool]$validPolicy = $false; } PROCESS { # If protection setting is disabled. if ($true -eq $emailTenantSettings.EnablePriorityAccountProtection) { # Set valid config to false. $validConfig = $true; } # If is no user protected. if ($null -ne $allUsers) { # Set valid config to false. $validAllUsers = $true; } # Foreach protection alert policy. foreach ($protectionAlertPolicy in $protectionAlertPolicies) { # Booleans for settings. [bool]$validFilter = $false; [bool]$validThreatType = $false; [bool]$validRecipientTags = $false; [bool]$validMode = $false; [bool]$validDisabled = $false; # If the filter include "inbound" and "priority account". if ($protectionAlertPolicy.Filter -like "*(Mail.Direction -eq 'Inbound')*" -and $protectionAlertPolicy.Filter -like "*(Mail.Recipients.Tags -like 'Priority account')*") { # Set valid filter to true. $validFilter = $true; } # If threat type is malware. if ($protectionAlertPolicy.ThreatType -eq 'Malware') { # Set valid to true. $validThreatType = $true; } # Recipient tags is "priority account". if ($protectionAlertPolicy.RecipientTags -eq 'Priority account') { # Set valid to true. $validRecipientTags = $true; } # If mode is enforce. if ($protectionAlertPolicy.Mode -eq 'Enforce') { # Set valid to true. $validMode = $true; } # If disabled is false. if ($protectionAlertPolicy.Disabled -eq $false) { # Set valid to true. $validDisabled = $true; } # If all settings are valid. if ($validFilter -eq $true -and $validThreatType -eq $true -and $validRecipientTags -eq $true -and $validMode -eq $true -and $validDisabled -eq $true) { # Set valid config to true. $validPolicy = $true; # Break out of loop. break; } } # Add object. $settings = [PSCustomObject]@{ 'PriorityAccountProtectionEnabled' = $validConfig; 'PriorityAccountUsersExist' = $validAllUsers; 'PriorityAccountProtectionPolicyExist' = $validPolicy; }; } END { # Bool for review flag. [bool]$reviewFlag = $false; # If review flag should be set. if ($false -eq $settings.PriorityAccountProtectionEnabled -or $false -eq $settings.PriorityAccountUsersExist -or $false -eq $settings.PriorityAccountProtectionPolicyExist) { # Should be reviewed. $reviewFlag = $true; } # Create new review object to return. [Review]$review = [Review]::new(); # Add to object. $review.Id = '749ee441-71ea-4261-86da-1f1081c65bb3'; $review.Category = 'Microsoft 365 Defender'; $review.Subcategory = 'Settings'; $review.Title = 'Ensure Priority account protection is enabled and configured'; $review.Data = $settings; $review.Review = $reviewFlag; # Print result. $review.PrintResult(); # Write progress. #Write-Progress -Activity $MyInvocation.MyCommand -Status 'Completed' -CurrentOperation $MyInvocation.MyCommand.Name -Completed; # Return object. return $review; } } |