tests/Test-PasswordNeverExpirePolicy.ps1
|
function Test-PasswordNeverExpirePolicy { [CmdletBinding()] [OutputType([CISAuditResult])] param ( [Parameter(Mandatory = $false)] [string]$DomainName ) begin { # .TODO add supported services to output details. ({Email, OfficeCommunicationsOnline, Intune}) # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 # Initialization code, if needed $recnum = "1.3.1" $overallResult = $true $detailsList = @() $failureReasonsList = @() # Add headers for the details $detailsList += "Domain|Validity Period|Notification Window|IsDefault" # Conditions for 1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)' # # Validate test for a pass: # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. # - Specific conditions to check: # - Condition A: Password expiration policy is set to "Set passwords to never expire" in the Microsoft 365 admin center. # - Condition B: Using Microsoft Graph PowerShell, the `PasswordPolicies` property for all users is set to `DisablePasswordExpiration`. # - Condition C: Notification window for password expiration is set to 30 days. # # Validate test for a fail: # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. # - Specific conditions to check: # - Condition A: Password expiration policy is not set to "Set passwords to never expire" in the Microsoft 365 admin center. # - Condition B: Using Microsoft Graph PowerShell, the `PasswordPolicies` property for one or more users is not set to `DisablePasswordExpiration`. # - Condition C: Notification window for password expiration is not set to 30 days. } process { try { # Step: Retrieve all domains or a specific domain $domains = Get-CISMgOutput -Rec $recnum -DomainName $DomainName foreach ($domain in $domains) { $domainName = $domain.Id $isDefault = $domain.IsDefault # Step (Condition C): Determine if the notification window is set to 30 days $notificationWindow = $domain.PasswordNotificationWindowInDays $notificationPolIsCompliant = $notificationWindow -eq 30 # Step (Condition A): Retrieve password expiration policy $passwordPolicy = $domain.PasswordValidityPeriodInDays $pwPolIsCompliant = $passwordPolicy -eq 2147483647 # Step (Condition A & B): Determine if the policy is compliant $overallResult = $overallResult -and $notificationPolIsCompliant -and $pwPolIsCompliant # Step (Condition A & B): Prepare failure reasons and details based on compliance $failureReasons = if ($notificationPolIsCompliant -and $pwPolIsCompliant) { "N/A" } else { "Password expiration is not set to never expire or notification window is not set to 30 days for domain $domainName. Run the following command to remediate: `nUpdate-MgDomain -DomainId $domainName -PasswordValidityPeriodInDays 2147483647 -PasswordNotificationWindowInDays 30`n" } $details = "$domainName|$passwordPolicy days|$notificationWindow days|$isDefault" # Add details and failure reasons to the lists $detailsList += $details $failureReasonsList += $failureReasons } # Prepare the final failure reason and details $finalFailureReason = $failureReasonsList -join "`n" $finalDetails = $detailsList -join "`n" # Step: Create and populate the CISAuditResult object $params = @{ Rec = $recnum Result = $overallResult Status = if ($overallResult) { "Pass" } else { "Fail" } Details = $finalDetails FailureReason = $finalFailureReason } $auditResult = Initialize-CISAuditResult @params } catch { $LastError = $_ $auditResult = Get-TestError -LastError $LastError -recnum $recnum } } end { # Return the audit result return $auditResult } } |