tests/Test-TeamsExternalAccess.ps1

function Test-TeamsExternalAccess {
    [CmdletBinding()]
    [OutputType([CISAuditResult])]
    param (
        [Parameter(Mandatory = $false, HelpMessage = "Specifies the approved federated domains for the audit. Accepts an array of allowed domain names.")]
        [string[]]$ApprovedFederatedDomains
    )
    begin {
        # Dot source the class script if necessary
        # . .\source\Classes\CISAuditResult.ps1
        # Initialization code, if needed
        $recnum = "8.2.1"
        Write-Verbose "Running Test-TeamsExternalAccess for $recnum..."
    }
    process {
        try {
            # 8.2.1 (L1) Ensure 'external access' is restricted in the Teams admin center
            #
            # Validate test for a pass:
            # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
            # - Specific conditions to check:
            # - Condition A: The `AllowTeamsConsumer` setting is `False`.
            # - Condition B: The `AllowPublicUsers` setting is `False`.
            # - Condition C: The `AllowFederatedUsers` setting is `False` or, if `True`, the `AllowedDomains` contains only authorized domain names.
            # Connect to Teams PowerShell using Connect-MicrosoftTeams
            # $externalAccessConfig Mock Object
            <#
                $externalAccessConfig = [PSCustomObject]@{
                    Identity = 'Global'
                    AllowedDomains = 'AllowAllKnownDomains'
                    BlockedDomains = @()
                    AllowFederatedUsers = $true
                    AllowPublicUsers = $true
                    AllowTeamsConsumer = $true
                    AllowTeamsConsumerInbound = $true
                }
                $ApprovedFederatedDomains = @('msn.com', 'google.com')
                $externalAccessConfig = [PSCustomObject]@{
                    Identity = 'Global'
                    AllowedDomains = @('msn.com', 'google.com')
                    BlockedDomains = @()
                    AllowFederatedUsers = $true
                    AllowPublicUsers = $false
                    AllowTeamsConsumer = $false
                    AllowTeamsConsumerInbound = $true
                }
            #>

            $externalAccessConfig = Get-CISMSTeamsOutput -Rec $recnum
            # Testing
            #$externalAccessConfig.AllowedDomains = @("msn.com", "google.com")
            #$externalAccessConfig.AllowTeamsConsumer = $false
            #$externalAccessConfig.AllowPublicUsers = $false
            #$externalAccessConfig.AllowFederatedUsers = $true
            # The above is for testing and will be replaced with the actual values from the Teams PowerShell output in production.
            $allowedDomainsLimited = $false
            $allowedDomainsMatch = $false
            $invalidDomains = @()
            if ($externalAccessConfig.AllowFederatedUsers) {
                if ($externalAccessConfig.AllowedDomains -ne 'AllowAllKnownDomains' -and $externalAccessConfig.AllowedDomains.Count -gt 0) {
                    $allowedDomainsLimited = $true
                    if ($ApprovedFederatedDomains) {
                        $invalidDomains = $externalAccessConfig.AllowedDomains | Where-Object { $_ -notin $ApprovedFederatedDomains }
                        if ($invalidDomains.Count -eq 0) {
                            $invalidDomains = "None"
                        }
                        $allowedDomainsMatch = $invalidDomains.Count -eq 0
                    }
                }
            }
            # Check if the configurations are as recommended
            $isCompliant = -not $externalAccessConfig.AllowTeamsConsumer -and -not $externalAccessConfig.AllowPublicUsers -and (-not $externalAccessConfig.AllowFederatedUsers -or ($allowedDomainsLimited -and $allowedDomainsMatch))
            # Create an instance of CISAuditResult and populate it
            $params = @{
                Rec           = $recnum
                Result        = $isCompliant
                Status        = if ($isCompliant) { "Pass" } else { "Fail" }
                Details       = "AllowTeamsConsumer: $($externalAccessConfig.AllowTeamsConsumer); AllowPublicUsers: $($externalAccessConfig.AllowPublicUsers); AllowFederatedUsers: $($externalAccessConfig.AllowFederatedUsers); AllowedDomains limited: $allowedDomainsLimited; AllowedDomains match: $allowedDomainsMatch; Invalid Domains: $($invalidDomains -join ', ')"
                FailureReason = if (-not $isCompliant) { "One or more external access configurations are not compliant. Invalid domains found: $($invalidDomains -join ', ')" } else { "N/A" }
            }
            $auditResult = Initialize-CISAuditResult @params
        }
        catch {
            $LastError = $_
            $auditResult = Get-TestError -LastError $LastError -recnum $recnum
        }
    }
    end {
        # Return auditResult
        return $auditResult
    }
}