functions/Tenant/Get-HawkTenantEDiscoveryConfiguration.ps1
Function Get-HawkTenantEDiscoveryConfiguration { <# .SYNOPSIS Looks for users that have e-discovery rights. Find any roles that have access to key edisocovery cmdlets and output the users who have those rights .DESCRIPTION Searches for all roles that have e-discovery cmdlets. Searches for all users / groups that have access to those roles. .OUTPUTS File: EDiscoveryRoles.csv Path: \ Description: All roles that have access to the New-MailboxSearch and Search-Mailbox cmdlets File: EDiscoveryRoles.xml Path: \XML Description: All roles that have access to the New-MailboxSearch and Search-Mailbox cmdlets as CLI XML File: EDiscoveryRoleAssignments.csv Path: \ Description: All users that are assigned one of the discovered roles File: EDiscoveryRoleAssignments.xml Path: \XML Description: All users that are assigned one of the discovered roles as CLI XML .EXAMPLE Get-HawkTenantEDiscoveryConfiguration Runs the cmdlet against the current logged in tenant and outputs ediscovery information #> Test-EXOConnection Send-AIEvent -Event "CmdRun" Out-LogFile "Gathering Tenant information about E-Discovery Configuration" -action # Nulling our our role arrays [array]$Roles = $null [array]$RoleAssignements = $null # Look for E-Discovery Roles and who they might be assigned to $EDiscoveryCmdlets = "New-MailboxSearch", "Search-Mailbox" # Find any roles that have these critical ediscovery cmdlets in them # Bad actors with sufficient rights could have created new roles so we search for them Foreach ($cmdlet in $EDiscoveryCmdlets) { [array]$Roles = $Roles + (Get-ManagementRoleEntry ("*\" + $cmdlet)) } # Select just the unique entries based on role name $UniqueRoles = Select-UniqueObject -ObjectArray $Roles -Property Role Out-LogFile ("Found " + $UniqueRoles.count + " Roles with E-Discovery Rights") $UniqueRoles | Out-MultipleFileType -FilePrefix "EDiscoveryRoles" -csv -xml -json # Get everyone who is assigned one of these roles Foreach ($Role in $UniqueRoles) { [array]$RoleAssignements = $RoleAssignements + (Get-ManagementRoleAssignment -Role $Role.role -Delegating $false) } Out-LogFile ("Found " + $RoleAssignements.count + " Role Assignements for these Roles") $RoleAssignements | Out-MultipleFileType -FilePreFix "EDiscoveryRoleAssignments" -csv -xml -json } |