
Enhance emergency access logic

Open f-bader opened this issue 1 year ago • 2 comments

  • Specify the emergency access account upn or group (by id/by upn/by group name)
  • Exclude a certain policy (by name/by id)

f-bader avatar Jan 05 '24 07:01 f-bader

Added emergency account detection to function Get-MTUser

f-bader avatar Apr 01 '24 19:04 f-bader

If no users or groups are excluded from any conditional access policy, the MT.1005 test will automatically detect every user and group in the tenant, as the variables $ExcludedUserObjectGUID and $ExcludedGroupObjectGUID are empty, so no value is assigned to $CheckId:

# Default to the excluded group; both variables are empty when nothing is excluded
$CheckId = $ExcludedGroupObjectGUID
$EmergencyAccessUUIDType = "group"
# Prefer the user when users are excluded more often than groups
if ($ExcludedUsers -gt $ExcludedGroups) {
    $EmergencyAccessUUIDType = "user"
    $CheckId = $ExcludedUserObjectGUID
}

Which means that the following will query the Microsoft Graph "groups/" resource without an ID.

if ($EmergencyAccessUUIDType -eq "user") {
    $DisplayName = Invoke-MtGraphRequest -RelativeUri "users/$CheckId" -Select displayName | Select-Object -ExpandProperty displayName
} else {
    # With an empty $CheckId this resolves to "groups/" and lists every group
    $DisplayName = Invoke-MtGraphRequest -RelativeUri "groups/$CheckId" -Select displayName | Select-Object -ExpandProperty displayName
}

tdcthosc avatar Apr 23 '24 08:04 tdcthosc
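One way to close the gap described in the comment above, as an added example that is not Maester's own code and not a patch proposed in the thread: the exclusion check is wrapped in a function that returns early when neither list holds an object id, and that validates the id as a GUID before it is placed in a Graph URI. The function name Resolve-EmergencyAccessIdentity, the treatment of $ExcludedUserObjectGUID and $ExcludedGroupObjectGUID as arrays of ids collected from Conditional Access exclusions, and the derivation of $ExcludedUsers and $ExcludedGroups as counts of those arrays are assumptions; Invoke-MtGraphRequest with -RelativeUri and -Select is the cmdlet quoted in the issue.

```powershell
# Added example, not Maester code. Assumes the two *ObjectGUID inputs are the arrays
# of excluded object ids the MT.1005 test collects from Conditional Access policies.
function Resolve-EmergencyAccessIdentity {
    [CmdletBinding()]
    param(
        [AllowEmptyCollection()][string[]] $ExcludedUserObjectGUID  = @(),
        [AllowEmptyCollection()][string[]] $ExcludedGroupObjectGUID = @()
    )

    # Drop empty strings so a "present but blank" id does not count as an exclusion.
    $UserIds  = @($ExcludedUserObjectGUID  | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
    $GroupIds = @($ExcludedGroupObjectGUID | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
    $ExcludedUsers  = $UserIds.Count
    $ExcludedGroups = $GroupIds.Count

    # Guard 1: nothing is excluded anywhere, so there is no candidate to resolve.
    # Returning here is what prevents the "groups/" request with an empty id.
    if ($ExcludedUsers -eq 0 -and $ExcludedGroups -eq 0) {
        Write-Verbose 'No users or groups are excluded from any Conditional Access policy.'
        return $null
    }

    # Same preference as the original comparison: users win when excluded more often.
    if ($ExcludedUsers -gt $ExcludedGroups) {
        $Type    = 'user'
        $CheckId = $UserIds[0]
    } else {
        $Type    = 'group'
        $CheckId = $GroupIds[0]
    }

    # Guard 2: only a well-formed GUID may be interpolated into the Graph URI.
    $Parsed = [guid]::Empty
    if (-not [guid]::TryParse($CheckId, [ref]$Parsed)) {
        throw "Excluded $Type object id '$CheckId' is not a GUID; refusing to query Graph."
    }

    $Resource    = if ($Type -eq 'user') { 'users' } else { 'groups' }
    $DisplayName = Invoke-MtGraphRequest -RelativeUri "$Resource/$CheckId" -Select displayName |
        Select-Object -ExpandProperty displayName

    [pscustomobject]@{
        Type        = $Type
        Id          = $CheckId
        DisplayName = $DisplayName
    }
}

# Usage: with both lists empty the function returns $null and makes no Graph call.
# Resolve-EmergencyAccessIdentity -ExcludedUserObjectGUID @() -ExcludedGroupObjectGUID @() -Verbose
```

Returning $null rather than a display name lets the calling test report "no emergency access exclusion found" as its own result instead of treating the first group in the tenant as the break-glass account.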