private/review/entra/identitygovernance/Invoke-ReviewEntraAccessReviewGuestUser.ps1
function Invoke-ReviewEntraAccessReviewGuestUser { <# .SYNOPSIS If 'Access reviews' for Guest Users are configured. .DESCRIPTION Returns review object.. .EXAMPLE Invoke-ReviewEntraAccessReviewGuestUser; #> [cmdletbinding()] param ( ) BEGIN { # Get directory id. $directoryId = (Get-AzContext).Tenant.Id; # URI. $uri = ('https://api.accessreviews.identitygovernance.azure.com/accessReviews/v2.0/approvalWorkflowProviders/D5EC9F3B-324E-4F8A-AF55-B69EDD48ECBE/requests?$count=true&$orderby=createdDateTime%20desc&$skip=0&$top=10&$select=id,businessFlowId,decisionsCriteria,reviewedEntity,businessFlowTemplateId,policy,settings,errors,displayName,status,createdDateTime&$filter=((customDataProvider%20eq%20null))&x-tenantid={0}' -f $directoryId); # Bool for valid access review configuration. [bool]$valid = $false; } PROCESS { # Invoke the API. $accessReviews = Invoke-EntraIdAccessReviewApi -Uri $uri -Method 'GET'; # Foreach access review. foreach ($accessReview in $accessReviews.value) { # Bool for valid access review. [bool]$guestOnly = $false; [bool]$reviewersNotGuest = $true; [bool]$reviewSchedule = $true; [bool]$autoApply = $true; [bool]$reviewerRemoveNoRespond = $true; # Construct URI for the access reviewers. $accessReviewersUri = ('https://api.accessreviews.identitygovernance.azure.com/accessReviews/v2.0/approvalWorkflowProviders/D5EC9F3B-324E-4F8A-AF55-B69EDD48ECBE/requests/{0}?x-tenantid={1}' -f $accessReview.id, $directoryId); # Invoke the API. $accessReviewers = Invoke-EntraIdAccessReviewApi -Uri $accessReviewersUri -Method 'GET'; # Foreach reviewer. foreach ($accessReviewer in $accessReviewers.policy.decisionMakerCriteria) { # Get user from Entra ID. $user = Get-MgUser -UserId $accessReviewer.userId -Property UserType -ErrorAction SilentlyContinue; # If user is a guest. if ($user.UserType -eq 'Guest') { # Write to log. Write-Log -Category 'Entra' -Subcategory 'Identity Governance' -Message ('User "{0}" is a guest' -f $accessReviewer.userId) -Level Debug; # Set guest only to true. $reviewersNotGuest = $false; } } # Foreach decision criteria. foreach ($decisionCriteria in $accessReview.decisionsCriteria) { # If decision criteria is guest. if ($decisionCriteria.guestUsersOnly -eq $true) { # Write to log. Write-Log -Category 'Entra' -Subcategory 'Identity Governance' -Message ('Scope is set to "Guests Only"') -Level Debug; # Set guest only to true. $guestOnly = $true; } } # If review recurrence is not at least monthly or weekly if ($accessReview.settings.recurrenceSettings.recurrenceType -ne 'monthly' -and $accessReview.settings.recurrenceSettings.recurrenceType -ne 'Weekly') { # Write to log. Write-Log -Category 'Entra' -Subcategory 'Identity Governance' -Message ('Review schedule recurrence is not monthly or weekly') -Level Debug; # Set review schedule to false. $reviewSchedule = $false; } # If the access review end date is never. if ($accessReview.settings.recurrenceSettings.recurrenceEndType -ne 'never') { # Write to log. Write-Log -Category 'Entra' -Subcategory 'Identity Governance' -Message ('Review schedule end time is not set to "Never"') -Level Debug; # Set review schedule to false. $reviewSchedule = $false; } # If auto apply is not enabled. if ($accessReview.settings.autoApplyReviewResultsEnabled -eq $false) { # Write to log. Write-Log -Category 'Entra' -Subcategory 'Identity Governance' -Message ('Auto apply results to resource is not set') -Level Debug; # Set review schedule to false. $reviewSchedule = $false; } # If reviewers don't respond is not set to automatically remove access. if ($accessReview.settings.autoReviewSettings.notReviewedResult -ne 'Deny') { # Write to log. Write-Log -Category 'Entra' -Subcategory 'Identity Governance' -Message ("If reviewers don't respond is not automatically set to remove access") -Level Debug; # Set auto apply to false. $reviewerRemoveNoRespond = $false; } # If the conditions are met. if ($guestOnly -eq $true -and $reviewersNotGuest -eq $true -and $reviewSchedule -eq $true -and $autoApply -eq $true -and $reviewerRemoveNoRespond -eq $true) { # Write to log. Write-Log -Category 'Entra' -Subcategory 'Identity Governance' -Message ('Access reviews for Guest Users are configured correct') -Level Debug; # Set valid to true. $valid = $true; # Break the loop. break; } } } END { # Bool for review flag. [bool]$reviewFlag = $false; # If review flag should be set. if ($false -eq $valid) { # Should be reviewed. $reviewFlag = $true; } # Create new review object to return. [Review]$review = [Review]::new(); # Add to object. $review.Id = '03a57762-4613-47fc-835d-5a5c3d0dbe61'; $review.Category = 'Microsoft Entra Admin Center'; $review.Subcategory = 'Identity Governance'; $review.Title = "Ensure 'Access reviews' for Guest Users are configured"; $review.Data = $valid; $review.Review = $reviewFlag; # Print result. $review.PrintResult(); # Return object. return $review; } } |