Merge pull request #16 from maester365/CAWhatIf

Conditional Access WhatIf
maester365 · Jan 4, 2024 · b89c299 · b89c299
2 parents 2037bb9 + 7247cb5
commit b89c299
Show file tree

Hide file tree

Showing 2 changed files with 163 additions and 81 deletions.
diff --git a/src/Maester.psd1 b/src/Maester.psd1
@@ -8,127 +8,127 @@
 
 @{
 
-# Script module or binary module file associated with this manifest.
-RootModule = 'Maester.psm1'
+    # Script module or binary module file associated with this manifest.
+    RootModule           = 'Maester.psm1'
 
-# Version number of this module.
-ModuleVersion = '0.0.7'
+    # Version number of this module.
+    ModuleVersion        = '0.0.7'
 
-# Supported PSEditions
-CompatiblePSEditions = 'Core', 'Desktop'
+    # Supported PSEditions
+    CompatiblePSEditions = 'Core', 'Desktop'
 
-# ID used to uniquely identify this module
-GUID = '502a7fe7-b1ae-4bf5-98db-00831b14ed6f'
+    # ID used to uniquely identify this module
+    GUID                 = '502a7fe7-b1ae-4bf5-98db-00831b14ed6f'
 
-# Author of this module
-Author = 'Microsoft Identity'
+    # Author of this module
+    Author               = 'Microsoft Identity'
 
-# Company or vendor of this module
-CompanyName = 'Microsoft Corporation'
+    # Company or vendor of this module
+    CompanyName          = 'Microsoft Corporation'
 
-# Copyright statement for this module
-Copyright = 'Microsoft Corporation. All rights reserved.'
+    # Copyright statement for this module
+    Copyright            = 'Microsoft Corporation. All rights reserved.'
 
-# Description of the functionality provided by this module
-Description = 'This cmdlets in this module help you write Pester tests for your Microsoft 365 tenant configuration.'
+    # Description of the functionality provided by this module
+    Description          = 'This cmdlets in this module help you write Pester tests for your Microsoft 365 tenant configuration.'
 
-# Minimum version of the PowerShell engine required by this module
-PowerShellVersion = '5.1'
+    # Minimum version of the PowerShell engine required by this module
+    PowerShellVersion    = '5.1'
 
-# Name of the PowerShell host required by this module
-# PowerShellHostName = ''
+    # Name of the PowerShell host required by this module
+    # PowerShellHostName = ''
 
-# Minimum version of the PowerShell host required by this module
-# PowerShellHostVersion = ''
+    # Minimum version of the PowerShell host required by this module
+    # PowerShellHostVersion = ''
 
-# Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
-# DotNetFrameworkVersion = ''
+    # Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
+    # DotNetFrameworkVersion = ''
 
-# Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
-# ClrVersion = ''
+    # Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
+    # ClrVersion = ''
 
-# Processor architecture (None, X86, Amd64) required by this module
-# ProcessorArchitecture = ''
+    # Processor architecture (None, X86, Amd64) required by this module
+    # ProcessorArchitecture = ''
 
-# Modules that must be imported into the global environment prior to importing this module
-RequiredModules = @(@{ModuleName = 'Microsoft.Graph.Authentication'; GUID = '883916f2-9184-46ee-b1f8-b6a2fb784cee'; ModuleVersion = '2.2.0'; })
+    # Modules that must be imported into the global environment prior to importing this module
+    RequiredModules      = @(@{ModuleName = 'Microsoft.Graph.Authentication'; GUID = '883916f2-9184-46ee-b1f8-b6a2fb784cee'; ModuleVersion = '2.2.0'; })
 
-# Assemblies that must be loaded prior to importing this module
-# RequiredAssemblies = @()
+    # Assemblies that must be loaded prior to importing this module
+    # RequiredAssemblies = @()
 
-# Script files (.ps1) that are run in the caller's environment prior to importing this module.
-# ScriptsToProcess = @()
+    # Script files (.ps1) that are run in the caller's environment prior to importing this module.
+    # ScriptsToProcess = @()
 
-# Type files (.ps1xml) to be loaded when importing this module
-# TypesToProcess = @()
+    # Type files (.ps1xml) to be loaded when importing this module
+    # TypesToProcess = @()
 
-# Format files (.ps1xml) to be loaded when importing this module
-# FormatsToProcess = @()
+    # Format files (.ps1xml) to be loaded when importing this module
+    # FormatsToProcess = @()
 
-# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
-NestedModules = @()
+    # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+    NestedModules        = @()
 
-# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
-FunctionsToExport = 'Get-MtConditionalAccessPolicies', 
-               'Test-MtAppManagementPolicyEnabled', 'Test-MtCaAllAppsExists', 
-               'Test-MtCaDeviceComplianceExists'
+    # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
+    FunctionsToExport    = 'Get-MtConditionalAccessPolicies',
+    'Test-MtAppManagementPolicyEnabled', 'Test-MtCaAllAppsExists',
+    'Test-MtCaDeviceComplianceExists', 'Test-MtConditionalAccessWhatIf'
 
-# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
-CmdletsToExport = @()
+    # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
+    CmdletsToExport      = @()
 
-# Variables to export from this module
-# VariablesToExport = @()
+    # Variables to export from this module
+    # VariablesToExport = @()
 
-# Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
-AliasesToExport = @()
+    # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
+    AliasesToExport      = @()
 
-# DSC resources to export from this module
-# DscResourcesToExport = @()
+    # DSC resources to export from this module
+    # DscResourcesToExport = @()
 
-# List of all modules packaged with this module
-# ModuleList = @()
+    # List of all modules packaged with this module
+    # ModuleList = @()
 
-# List of all files packaged with this module
-# FileList = @()
+    # List of all files packaged with this module
+    # FileList = @()
 
-# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
-PrivateData = @{
+    # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
+    PrivateData          = @{
 
-    PSData = @{
+        PSData = @{
 
-        # Tags applied to this module. These help with module discovery in online galleries.
-        Tags = 'Microsoft','365','Cloud','Test','Pester','Entra','AzureAD','Automation','Regression','DevOps'
+            # Tags applied to this module. These help with module discovery in online galleries.
+            Tags       = 'Microsoft', '365', 'Cloud', 'Test', 'Pester', 'Entra', 'AzureAD', 'Automation', 'Regression', 'DevOps'
 
-        # A URL to the license for this module.
-        LicenseUri = 'https://raw.githubusercontent.com/microsoft/maester/main/LICENSE'
+            # A URL to the license for this module.
+            LicenseUri = 'https://raw.githubusercontent.com/microsoft/maester/main/LICENSE'
 
-        # A URL to the main website for this project.
-        ProjectUri = 'https://github.com/microsoft/maester'
+            # A URL to the main website for this project.
+            ProjectUri = 'https://github.com/microsoft/maester'
 
-        # A URL to an icon representing this module.
-        # IconUri = ''
+            # A URL to an icon representing this module.
+            # IconUri = ''
 
-        # ReleaseNotes of this module
-        # ReleaseNotes = ''
+            # ReleaseNotes of this module
+            # ReleaseNotes = ''
 
-        # Prerelease string of this module
-        # Prerelease = ''
+            # Prerelease string of this module
+            # Prerelease = ''
 
-        # Flag to indicate whether the module requires explicit user acceptance for install/update/save
-        # RequireLicenseAcceptance = $false
+            # Flag to indicate whether the module requires explicit user acceptance for install/update/save
+            # RequireLicenseAcceptance = $false
 
-        # External dependent modules of this module
-        # ExternalModuleDependencies = @()
+            # External dependent modules of this module
+            # ExternalModuleDependencies = @()
 
-    } # End of PSData hashtable
+        } # End of PSData hashtable
 
- } # End of PrivateData hashtable
+    } # End of PrivateData hashtable
 
-# HelpInfo URI of this module
-# HelpInfoURI = ''
+    # HelpInfo URI of this module
+    # HelpInfoURI = ''
 
-# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
-# DefaultCommandPrefix = ''
+    # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+    # DefaultCommandPrefix = ''
 
 }
 
diff --git a/src/public/Test-MtConditionalAccessWhatIf.ps1 b/src/public/Test-MtConditionalAccessWhatIf.ps1
@@ -0,0 +1,82 @@
+function Test-MtConditionalAccessWhatIf {
+    [CmdletBinding(DefaultParameterSetName = 'ApplicationBasedCA')]
+    [OutputType([object])]
+    param (
+        # The UserId to test the Conditional Acccess policie with
+        [Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0, Mandatory)]
+        [string]$UserId,
+
+        # The applications that should be tested Default: All
+        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = "ApplicationBasedCA")]
+        [string[]]$IncludeApplications = "All",
+
+        # The user action that should be tested. Default: registerOrJoinDevices
+        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = "UserActionBasedCA")]
+        [ValidateSet("registerOrJoinDevices", "registerSecurityInformation")]
+        [string[]]$UserAction = "registerOrJoinDevices",
+
+        # The device platform that should be tested. Default: windows
+        [Parameter(ValueFromPipelineByPropertyName = $true)]
+        [ValidateSet("Android", "iOS", "windows", "windowsPhone", "macOS", "linux")]
+        [string]$DevicePlatform = "windows",
+
+        # The client app used by the user. Default: all
+        [Parameter(ValueFromPipelineByPropertyName = $true)]
+        [ValidateSet("all", "browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "easSupported", "other")]
+        [string]$ClientAppType = "all",
+
+        # The sign in risk level of the user sign-in. Default: None
+        [Parameter(ValueFromPipelineByPropertyName = $true)]
+        [ValidateSet("None", "Low", "Medium", "High")]
+        [string]$SignInRiskLevel = "None",
+
+        # The user risk level of the user signing in. Default: None
+        [Parameter(ValueFromPipelineByPropertyName = $true)]
+        [ValidateSet("None", "Low", "Medium", "High")]
+        $UserRiskLevel = "None"
+    )
+
+    process {
+        # Definition of conditional access
+        if ($PSCmdlet.ParameterSetName -eq "UserActionBasedCA") {
+            $CAContext = @{
+                "@odata.type" = "#microsoft.graph.whatIfUserActionContext"
+                "userAction"  = $UserAction
+            }
+        } else {
+            $CAContext = @{
+                "@odata.type"         = "#microsoft.graph.whatIfApplicationContext"
+                "includeApplications" = @(
+                    $IncludeApplications
+                )
+            }
+        }
+
+        $ConditionalAccessWhatIfDefinition = @{
+            "conditionalAccessWhatIfSubject"    = @{
+                "@odata.type" = "#microsoft.graph.userSubject"
+                "userId"      = "$userId"
+            }
+            "conditionalAccessContext"          = $CAContext
+            "conditionalAccessWhatIfConditions" = @{
+                "signInRiskLevel" = $SignInRiskLevel
+                "clientAppType"   = $ClientAppType
+                "devicePlatform"  = $DevicePlatform
+            }
+        }
+
+        Write-Verbose ( $ConditionalAccessWhatIfDefinition | ConvertTo-Json -Depth 99 -Compress )
+
+        try {
+            $ConditionalAccessWhatIfResult = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/evaluate" -Body ( $ConditionalAccessWhatIfDefinition | ConvertTo-Json -Depth 99 -Compress ) | Select-Object -ExpandProperty value
+            # Output raw result for debugging
+            Write-Verbose ( $ConditionalAccessWhatIfResult | ConvertTo-Json -Depth 99 | Out-String )
+            # Filter out policies that do not apply
+            $ConditionalAccessWhatIfResult = $ConditionalAccessWhatIfResult | Where-Object { $_.policyApplies -eq $true }
+            # Output filtered results
+            return $ConditionalAccessWhatIfResult
+        } catch {
+            Write-Error $_.Exception.Message
+        }
+    }
+}