private/review/entra/protection/authenticationmethods/Invoke-ReviewEntraAuthMethodCustomPasswordListEnforced.ps1
function Invoke-ReviewEntraAuthMethodCustomPasswordListEnforced { <# .SYNOPSIS If custom banned passwords lists are used. .DESCRIPTION Returns review object. .EXAMPLE Invoke-ReviewEntraAuthMethodCustomPasswordListEnforced; #> [cmdletbinding()] param ( ) BEGIN { # Write progress. Write-Progress -Activity $MyInvocation.MyCommand -Status 'Running' -CurrentOperation $MyInvocation.MyCommand.Name -PercentComplete -1 -SecondsRemaining -1; # URI. $uri = 'https://main.iam.ad.ext.azure.com/api/AuthenticationMethods/PasswordPolicy'; # Valid configuration. [bool]$valid = $true; } PROCESS { # Write to log. Write-CustomLog -Category 'Entra' -Subcategory 'Authentication Methods' -Message ('Getting password policies') -Level Verbose; # Invoke Entra ID API. $passwordPolicy = Invoke-EntraIdIamApi -Uri $uri -Method Get; # if custom passwords is not enforced. if ($false -eq $passwordPolicy.enforceCustomBannedPasswords) { # Set valid configuration to false. $valid = $false; } # If there is custom banned passwords. if ($null -eq $passwordPolicy.customBannedPasswords) { # Set valid configuration to false. $valid = $false; } # Write to log. Write-CustomLog -Category 'Entra' -Subcategory 'Authentication Methods' -Message ("Policy for custom banned passwords is '{0}'" -f $passwordPolicy.enforceCustomBannedPasswords) -Level Verbose; Write-CustomLog -Category 'Entra' -Subcategory 'Authentication Methods' -Message ('Found {0} passwords that is banned' -f $passwordPolicy.customBannedPasswords.Count) -Level Verbose; } END { # Bool for review flag. [bool]$reviewFlag = $false; # If review flag should be set. if ($false -eq $valid) { # Should be reviewed. $reviewFlag = $true; } # Create new review object to return. [Review]$review = [Review]::new(); # Add to object. $review.Id = 'bb23f25a-0c03-4607-a232-ef8902a0a899'; $review.Category = 'Microsoft Entra Admin Center'; $review.Subcategory = 'Protection'; $review.Title = 'Ensure custom banned passwords lists are used'; $review.Data = [PSCustomObject]@{ Enabled = $passwordPolicy.enforceCustomBannedPasswords; }; $review.Review = $reviewFlag; # Print result. $review.PrintResult(); # Write progress. #Write-Progress -Activity $MyInvocation.MyCommand -Status 'Completed' -CurrentOperation $MyInvocation.MyCommand.Name -Completed; # Return object. return $review; } } |