improvements bpa and access check

DChorn-ANS · Aug 15, 2023 · 21c7016 · 21c7016
1 parent 76cb1ce
commit 21c7016
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 31 deletions.
diff --git a/BestPracticeAnalyser_All/run.ps1 b/BestPracticeAnalyser_All/run.ps1
@@ -73,42 +73,39 @@ $AddRow = foreach ($Template in $templates) {
         catch {
             Write-Host "Error getting $($field.Name) in $($field.api) for $($TenantName.displayName) with GUID $($TenantName.customerId). Error: $($_.Exception.Message)"
             Write-LogMessage -API "BPA" -tenant $tenant -message "Error getting $($field.Name) for $($TenantName.displayName) with GUID $($TenantName.customerId). Error: $($_.Exception.Message)" -sev Error
-            $fieldinfo = $null
-        }
-        switch ($field.StoreAs) {
-            "bool" {
-                if ($field.ExtractFields.Count -gt 1) {
-                    Write-LogMessage  -API "BPA" -tenant $tenant -message "The BPA only supports 1 field for a bool. $($field.ExtractFields.Count) fields were specified." -sev Error
-                    break
-                }
-                if ($FieldInfo.$($field.ExtractFields) -eq $null) { $FieldInfo.$($field.ExtractFields) = $false }
-                if ($field.Condition) {
-                    $operator = $field.condition.operator
-                    $value = $($field.condition.value)
-                    Write-Host "$FieldInfo.$($field.ExtractFields) -$operator $value"
-                    if (Invoke-Expression "$FieldInfo.$($field.ExtractFields) -$operator $value") {
-                        $fieldInfo = $true
-                    }
-                    else {
-                        $fieldInfo = $false
+            $fieldinfo = "FAILED"
+            $field.StoreAs = "string"
+        } 
+        try {
+            switch -Wildcard ($field.StoreAs) {
+                "*bool" {
+                    if ($field.ExtractFields.Count -gt 1) {
+                        Write-LogMessage  -API "BPA" -tenant $tenant -message "The BPA only supports 1 field for a bool. $($field.ExtractFields.Count) fields were specified." -sev Error
+                        break
                     }
+                    if ($null -eq $FieldInfo.$($field.ExtractFields)) { $FieldInfo = $false }
+
+                    $Result.Add($field.Name, [bool]$FieldInfo.$($field.ExtractFields))
+                }
+                "JSON" {
+                    if ($FieldInfo -eq $null) { $JsonString = '{}' } else { $JsonString = (ConvertTo-Json -Depth 15 -InputObject $FieldInfo) }
+                    $Result.Add($field.Name, $JSONString)
+                }
+                "string" {
+                    $Result.Add($field.Name, [string]$FieldInfo)
                 }
-                $Result.Add($field.Name, [bool]$FieldInfo.$($field.ExtractFields))
-            }
-            "JSON" {
-                if ($FieldInfo -eq $null) { $JsonString = '{}' } else { $JsonString = (ConvertTo-Json -Depth 15 -InputObject $FieldInfo) }
-                $Result.Add($field.Name, $JSONString)
-            }
-            "string" {
-                $Result.Add($field.Name, [string]$FieldInfo)
             }
         }
+        catch {
+            Write-LogMessage -API "BPA" -tenant $tenant -message "Error storing $($field.Name) for $($TenantName.displayName) with GUID $($TenantName.customerId). Error: $($_.Exception.Message)" -sev Error
+            $Result.Add($field.Name, "FAILED")
+        }
 
     }
 
     if ($Result) {
         try {
-            Add-AzDataTableEntity @Table -Entity $Result
+            Add-AzDataTableEntity @Table -Entity $Result -Force
         }
         catch {
             Write-LogMessage -API "BPA" -tenant $tenant -message "Error getting saving data for $($template.Name) - $($TenantName.customerId). Error: $($_.Exception.Message)" -sev Error

diff --git a/ExecAccessChecks/run.ps1 b/ExecAccessChecks/run.ps1
@@ -126,18 +126,41 @@ if ($Request.query.Tenants -eq 'true') {
     if (!$Tenants) { $results = 'Could not load the tenants list from cache. Please run permissions check first, or visit the tenants page.' }
     $results = foreach ($tenant in $Tenants) {
         try {
-            $token = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/Organization' -tenantid $tenant
+            $ExpectedRoles = @(
+                @{ Name = "Application Administrator"; Id = "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3" },
+                @{ Name = "User Administrator"; Id = "fe930be7-5e62-47db-91af-98c3a49a38b1" },
+                @{ Name = "Intune Administrator"; Id = "3a2c62db-5318-420d-8d74-23affee5d9d5" },
+                @{ Name = "Exchange Administrator"; Id = "29232cdf-9323-42fd-ade2-1d097af3e4de" },
+                @{ Name = "Security Administrator"; Id = "194ae4cb-b126-40b2-bd5b-6091b380977d" },
+                @{ Name = "Cloud App Security Administrator"; Id = "158c047a-c907-4556-b7ef-446551a6b5f7" },
+                @{ Name = "Cloud Device Administrator"; Id = "7698a772-787b-4ac8-901f-60d6b08affd2" },
+                @{ Name = "Teams Administrator"; Id = "69091246-20e8-4a56-aa4d-066075b2a7a8" },
+                @{ Name = "Sharepoint Administrator"; Id = "f28a1f50-f6e7-4571-818b-6a12f2af6b6c" },
+                @{ Name = "Authentication Policy Administrator"; Id = "0526716b-113d-4c15-b2c8-68e3c22b9f80" },
+                @{ Name = "Privileged Role Administrator"; Id = "e8611ab8-c189-46e8-94e1-60213ab1f814" },
+                @{ Name = "Privileged Authentication Administrator"; Id = "7be44c8a-adaf-4e2a-84d6-ab2649e08a13" }
+            )
+            $GDAPRoles = foreach ($RoleId in $ExpectedRoles) {
+                $Role = (New-graphGetRequest -uri "https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '$($RoleId.id)'&`$expand=principal" -tenantid $tenant).principal | Where-Object -Property organizationId -EQ $ENV:tenantid
+                if (!$role) { 
+                    "$($RoleId.Name) "
+                    $AddedText = "but potentially missing GDAP roles"
+                }
+            }
+
             @{
                 TenantName = "$($Tenant)"
-                Status     = 'Successfully connected' 
+                Status     = "Successfully connected $($AddedText)"
+                GDAP       = $GDAPRoles
             }
             Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message 'Tenant access check executed successfully' -Sev 'Info'
 
         }
         catch {
             @{
                 TenantName = "$($tenant)"
-                Status     = "Failed to connect to: $(Get-NormalizedError -message $_.Exception.Message)" 
+                Status     = "Failed to connect: $(Get-NormalizedError -message $_.Exception.Message)"
+                GDAP       = ''
             }
             Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Tenant access check failed: $(Get-NormalizedError -message $_) " -Sev 'Error'
 

diff --git a/ListBPA/run.ps1 b/ListBPA/run.ps1
@@ -23,7 +23,7 @@ $Data = (Get-AzDataTableEntity @Table -Filter "RowKey eq '$NAME'") | ForEach-Obj
     $row = $_
     $JSONFields | ForEach-Object {
         $jsonContent = $row.$_
-        if ($jsonContent -ne $null) {
+        if ($jsonContent -ne $null -and $jsonContent -ne "FAILED") {
             $row.$_ = $jsonContent | ConvertFrom-Json -Depth 15
         }
     }