M365FoundationsCISReport

0.1.26

tests/Test-ReauthWithCode.ps1

                                function Test-ReauthWithCode {

    [CmdletBinding()]

    [OutputType([CISAuditResult])]

    param (

        # Aligned

        # Define your parameters here

    )

    begin {

        <#

        Conditions for 7.2.10 (L1) Ensure reauthentication with verification code is restricted

        #

        # Validate test for a pass:

        # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.

        # - Specific conditions to check:

        #   - Condition A: The `EmailAttestationRequired` property is set to `True`.

        #   - Condition B: The `EmailAttestationReAuthDays` property is set to `15` or less.

        #

        # Validate test for a fail:

        # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.

        # - Specific conditions to check:

        #   - Condition A: The `EmailAttestationRequired` property is set to `False`.

        #   - Condition B: The `EmailAttestationReAuthDays` property is set to more than `15`.

        #>

        # Dot source the class script if necessary

        #. .\source\Classes\CISAuditResult.ps1

        # Initialization code, if needed

        $recnum = "7.2.10"

        Write-Verbose "Running Test-ReauthWithCode for $recnum..."

    }

    process {

        try {

            # 7.2.10 (L1) Ensure reauthentication with verification code is restricted

            # Retrieve reauthentication settings for SharePoint Online

            # $SPOTenantReauthentication Mock Object

            <#

                $SPOTenantReauthentication = [PSCustomObject]@{

                    EmailAttestationRequired                    = "$false"

                    EmailAttestationReAuthDays                  = "30"

                }

            #>

            $SPOTenantReauthentication = Get-CISSpoOutput -Rec $recnum

            $isReauthenticationRestricted = $SPOTenantReauthentication.EmailAttestationRequired -and $SPOTenantReauthentication.EmailAttestationReAuthDays -le 15

            # Prepare failure reasons and details based on compliance

            $failureReasons = if (-not $isReauthenticationRestricted) {

                "Reauthentication with verification code does not require reauthentication within 15 days or less. To remediate this setting, use the Set-SPOTenant command:`n" + `

                "Set-SPOTenant -EmailAttestationRequired `$true -EmailAttestationReAuthDays 15"

            }

            else {

                "N/A"

            }

            $details = "EmailAttestationRequired: $($SPOTenantReauthentication.EmailAttestationRequired); EmailAttestationReAuthDays: $($SPOTenantReauthentication.EmailAttestationReAuthDays)"

            # Create and populate the CISAuditResult object

            $params = @{

                Rec           = $recnum

                Result        = $isReauthenticationRestricted

                Status        = if ($isReauthenticationRestricted) { "Pass" } else { "Fail" }

                Details       = $details

                FailureReason = $failureReasons

            }

            $auditResult = Initialize-CISAuditResult @params

        }

        catch {

            $LastError = $_

            $auditResult = Get-TestError -LastError $LastError -recnum $recnum

        }

    }

    end {

        # Return auditResult

        return $auditResult

    }

}