diff --git a/Config/AXE-TENANT-TEST.BPATemplate.json b/Config/AXE-TENANT-TEST.BPATemplate.json
new file mode 100644
index 000000000000..348cd1e4d5dd
--- /dev/null
+++ b/Config/AXE-TENANT-TEST.BPATemplate.json
@@ -0,0 +1,528 @@
+{
+ "name": "AXE Best Practices Test - Tenant",
+ "style": "Tenant",
+ "Fields": [
+ {
+ "name": "PasswordNeverExpires",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/beta/domains",
+ "ExtractFields": [
+ "passwordValidityPeriodInDays"
+ ],
+ "where": "$_.passwordValidityPeriodInDays -eq 2147483647",
+ "StoreAs": "bool",
+ "FrontendFields": [
+ {
+ "name": "Passwords Never Expire",
+ "desc": "Check if the passwords never expire for all users",
+ "value": "PasswordNeverExpires",
+ "formatter": "bool"
+ }
+ ]
+ },
+ {
+ "name": "MicrosoftAuthenticatorEnabled",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/microsoftAuthenticator",
+ "ExtractFields": [
+ "State"
+ ],
+ "where": "$_.State -eq 'Enabled'",
+ "StoreAs": "bool",
+ "FrontendFields": [
+ {
+ "name": "MFA: Microsoft Authenticator Enabled",
+ "desc": "Check if Microsoft Authenticator is enabled for MFA",
+ "value": "MicrosoftAuthenticatorEnabled",
+ "formatter": "bool"
+ }
+ ]
+ },
+ {
+ "name": "SoftwareOATHEnabled",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/softwareOath",
+ "ExtractFields": [
+ "State"
+ ],
+ "where": "$_.State -eq 'Enabled'",
+ "StoreAs": "bool",
+ "FrontendFields": [
+ {
+ "name": "MFA: Software OATH Enabled",
+ "desc": "Check if Software OATH is enabled for MFA",
+ "value": "SoftwareOATHEnabled",
+ "formatter": "bool"
+ }
+ ]
+ },
+ {
+ "name": "TAPEnabled",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/TemporaryAccessPass",
+ "ExtractFields": [
+ "State"
+ ],
+ "where": "$_.State -eq 'Enabled'",
+ "StoreAs": "bool",
+ "FrontendFields": [
+ {
+ "name": "MFA: Temporary Access Pass Enabled",
+ "desc": "Check if Temporary Access Pass is enabled for MFA",
+ "value": "TAPEnabled",
+ "formatter": "bool"
+ }
+ ]
+ },
+ {
+ "name": "FIDO2Enabled",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/fido2",
+ "ExtractFields": [
+ "State"
+ ],
+ "where": "$_.State -eq 'Enabled'",
+ "StoreAs": "bool",
+ "FrontendFields": [
+ {
+ "name": "MFA: FIDO2 Enabled",
+ "desc": "Check if FIDO2 is enabled for MFA",
+ "value": "FIDO2Enabled",
+ "formatter": "bool"
+ }
+ ]
+ },
+ {
+ "name": "voiceEnabled",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/voice",
+ "ExtractFields": [
+ "State"
+ ],
+ "where": "$_.State -eq 'Enabled'",
+ "StoreAs": "bool",
+ "FrontendFields": [
+ {
+ "name": "MFA: Voice Authentication Disabled",
+ "desc": "Check if Voice is disabled for MFA",
+ "value": "voiceEnabled",
+ "formatter": "reverseBool"
+ }
+ ]
+ },
+ {
+ "name": "SMSEnabled",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/sms",
+ "ExtractFields": [
+ "State"
+ ],
+ "where": "$_.State -eq 'Enabled'",
+ "StoreAs": "bool",
+ "FrontendFields": [
+ {
+ "name": "MFA: SMS Authentication Disabled",
+ "desc": "Check if SMS is disabled for MFA",
+ "value": "SMSEnabled",
+ "formatter": "reverseBool"
+ }
+ ]
+ },
+ {
+ "name": "EmailEnabled",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/email",
+ "ExtractFields": [
+ "State"
+ ],
+ "where": "$_.State -eq 'Enabled'",
+ "StoreAs": "bool",
+ "FrontendFields": [
+ {
+ "name": "MFA: Email Disabled",
+ "desc": "Check if Email is disabled for MFA",
+ "value": "EmailEnabled",
+ "formatter": "reverseBool"
+ }
+ ]
+ },
+ {
+ "name": "SecureDefaultState",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy?$select=isEnabled",
+ "ExtractFields": [
+ "IsEnabled"
+ ],
+ "StoreAs": "bool",
+ "FrontendFields": [
+ {
+ "name": "Security Defaults Enabled",
+ "desc": "Check if Security Defaults are enabled. If using Conditional Access, this should be disabled.",
+ "value": "SecureDefaultState",
+ "formatter": "bool"
+ }
+ ]
+ },
+ {
+ "name": "userRegistrationDetails",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails",
+ "ExtractFields": [
+ "userDisplayName",
+ "isAdmin",
+ "isMFARegistered",
+ "defaultMFAMethod"
+ ],
+ "StoreAs": "JSON",
+ "FrontendFields": [
+ {
+ "name": "MFA User Registration Details",
+ "desc": "Check if users are registered for MFA",
+ "value": "userRegistrationDetails",
+ "formatter": "table"
+ }
+ ]
+ },
+ {
+ "name": "OAuthAppConsentDisabled",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/v1.0/policies/authorizationPolicy?$select=defaultUserRolePermissions",
+ "ExtractFields": [
+ "defaultUserRolePermissions"
+ ],
+ "where": "@('ManagePermissionGrantsForSelf.microsoft-user-default-legacy', 'ManagePermissionGrantsForSelf.microsoft-user-default-low') -notin $_.defaultUserRolePermissions.permissionGrantPoliciesAssigned",
+ "StoreAs": "bool",
+ "FrontendFields": [
+ {
+ "name": "Enterprise App consent disabled",
+ "desc": "Check if users can self-service consent to apps",
+ "value": "OAuthAppConsentDisabled",
+ "formatter": "bool"
+ }
+ ]
+ },
+ {
+ "name": "AllowedToCreateTenants",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/v1.0/policies/authorizationPolicy?$select=defaultUserRolePermissions",
+ "ExtractFields": [
+ "defaultUserRolePermissions"
+ ],
+ "where": "$_.defaultUserRolePermissions.allowedToCreateTenants -eq $true",
+ "StoreAs": "bool",
+ "FrontendFields": [
+ {
+ "name": "Tenant Creation Disabled",
+ "desc": "Check if users are allowed to create tenants",
+ "value": "AllowedToCreateTenants",
+ "formatter": "reverseBool"
+ }
+ ]
+ },
+ {
+ "name": "BasicAuthDisabled",
+ "API": "Exchange",
+ "Command": "Get-TransportConfig",
+ "ExtractFields": [
+ "SmtpClientAuthenticationDisabled"
+ ],
+ "StoreAs": "bool",
+ "FrontendFields": [
+ {
+ "name": "SMTP Basic Auth Disabled",
+ "desc": "Check if SMTP Basic Authentication is disabled for Exchange Online",
+ "value": "BasicAuthDisabled",
+ "formatter": "bool"
+ }
+ ]
+ },
+ {
+ "name": "MailboxesWithBasicAuthEnabled",
+ "API": "Exchange",
+ "Command": "Get-CASMailbox",
+ "Parameters": {
+ "ResultSize": "Unlimited"
+ },
+ "where": "$_.SmtpClientAuthenticationDisabled -eq $false",
+ "ExtractFields": [
+ "DisplayName",
+ "PrimarySmtpAddress",
+ "SmtpClientAuthenticationDisabled"
+ ],
+ "StoreAs": "JSON",
+ "FrontendFields": [
+ {
+ "name": "Mail: SMTP Basic Auth Enabled",
+ "desc": "Check if SMTP Basic Authentication is enabled for any mailbox",
+ "formatter": "table",
+ "value": "MailboxesWithBasicAuthEnabled"
+ }
+ ]
+ },
+ {
+ "name": "MessageCopyforSentAsDisabled",
+ "API": "Exchange",
+ "Command": "Get-Mailbox",
+ "Parameters": {
+ "RecipientTypeDetails": [
+ "SharedMailbox",
+ "UserMailbox"
+ ]
+ },
+ "where": "$_.MessageCopyForSentAsEnabled -eq $false",
+ "ExtractFields": [
+ "DisplayName",
+ "PrimarySmtpAddress",
+ "messageCopyForSentAsEnabled"
+ ],
+ "StoreAs": "JSON",
+ "FrontendFields": [
+ {
+ "name": "Mail: Message Copy for Sent-As Disabled",
+ "desc": "Check if Message Copy for Sent-As is disabled for any mailbox",
+ "formatter": "table",
+ "value": "MessageCopyforSentAsDisabled"
+ }
+ ]
+ },
+ {
+ "name": "SharedMailboxeswithenabledusers",
+ "API": "Exchange",
+ "Command": "Get-Mailbox",
+ "Parameters": {
+ "RecipientTypeDetails": "SharedMailbox"
+ },
+ "where": "$_.accountDisabled -eq $false",
+ "ExtractFields": [
+ "userprincipalname",
+ "accountDisabled"
+ ],
+ "StoreAs": "JSON",
+ "FrontendFields": [
+ {
+ "name": "Shared Mailboxes with enabled users",
+ "desc": "Check if any shared mailbox has an enabled user",
+ "formatter": "table",
+ "value": "SharedMailboxeswithenabledusers"
+ }
+ ]
+ },
+ {
+ "name": "SharepointSettings",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/beta/admin/sharepoint/settings",
+ "Parameters": {
+ "asApp": "True"
+ },
+ "ExtractFields": [
+ "isResharingByExternalUsersEnabled",
+ "isUnmanagedSyncAppForTenantRestricted",
+ "isSiteCreationEnabled",
+ "isSiteCreationUIEnabled",
+ "tenantDefaultTimezone",
+ "isRequireAcceptingUserToMatchInvitedUserEnabled",
+ "isLegacyAuthProtocolsEnabled"
+ ],
+ "StoreAs": "JSON",
+ "FrontendFields": [
+ {
+ "name": "Guest resharing disabled",
+ "desc": "Check if SharePoint resharing by external users is disabled",
+ "value": "SharepointSettings.isResharingByExternalUsersEnabled",
+ "formatter": "reverseBool"
+ },
+ {
+ "name": "Disable sync from unmanaged devices",
+ "desc": "Check if document library sync from unmanaged devices is disabled",
+ "value": "SharepointSettings.isUnmanagedSyncAppForTenantRestricted",
+ "formatter": "bool"
+ },
+ {
+ "name": "Site creation disabled",
+ "desc": "Check if SharePoint site creation is disabled for all users",
+ "value": "SharepointSettings.isSiteCreationEnabled",
+ "formatter": "reverseBool"
+ },
+ {
+ "name": "Site creation UI disabled",
+ "desc": "Check if SharePoint site creation UI is disabled for all users",
+ "value": "SharepointSettings.isSiteCreationUIEnabled",
+ "formatter": "reverseBool"
+ },
+ {
+ "name": "Default SharePoint timezone",
+ "desc": "Check the default timezone for SharePoint sites",
+ "value": "SharepointSettings.tenantDefaultTimezone",
+ "formatter": "string"
+ },
+ {
+ "name": "Require accepting user to match invited user",
+ "desc": "Check if users are required to accept the invitation to match the invited user",
+ "value": "SharepointSettings.isRequireAcceptingUserToMatchInvitedUserEnabled",
+ "formatter": "bool"
+ },
+ {
+ "name": "Legacy SharePoint auth protocols disabled",
+ "desc": "Check if legacy authentication protocols are disabled",
+ "value": "SharepointSettings.isLegacyAuthProtocolsEnabled",
+ "formatter": "reverseBool"
+ }
+ ]
+ },
+ {
+ "name": "SharePointSyncSettings",
+ "API": "CIPPFunction",
+ "Command": "Get-CIPPSPOTenant",
+ "Parameters": {},
+ "ExtractFields": [
+ "OneDriveAddShortcutButtonDisabled",
+ "HideSyncButtonOnDocLib"
+ ],
+ "StoreAs": "JSON",
+ "FrontendFields": [
+ {
+ "name": "Add shortcut button disabled",
+ "desc": "Check if the add shortcut button is disabled for OneDrive",
+ "value": "SharePointSyncSettings.OneDriveAddShortcutButtonDisabled",
+ "formatter": "bool"
+ },
+ {
+ "name": "Sync button shown",
+ "desc": "Check if the Sync button is shown for document libraries",
+ "value": "SharePointSyncSettings.HideSyncButtonOnDocLib",
+ "formatter": "reverseBool"
+ }
+ ]
+ },
+ {
+ "name": "SharepointAnonymousSharingEnabled",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/beta/admin/sharepoint/settings",
+ "where": "$_.sharingCapability -eq 'ExternalUserAndGuestSharing'",
+ "Parameters": {
+ "asApp": "True"
+ },
+ "ExtractFields": [
+ "sharingCapability"
+ ],
+ "StoreAs": "bool",
+ "FrontendFields": [
+ {
+ "name": "Anonymous link sharing disabled",
+ "desc": "Check if anonymous sharing is disabled for SharePoint and OneDrive",
+ "value": "SharepointAnonymousSharingEnabled",
+ "formatter": "reverseBool"
+ }
+ ]
+ },
+ {
+ "name": "LAPS",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy?$select=localAdminPassword",
+ "ExtractFields": [
+ "localAdminPassword"
+ ],
+ "StoreAs": "JSON",
+ "FrontendFields": [
+ {
+ "name": "LAPS enabled",
+ "desc": "Check if Local Admin Password Solution is enabled",
+ "value": "LAPS.IsEnabled",
+ "formatter": "bool"
+ }
+ ]
+ },
+ {
+ "name": "SecurityGroupCreationAllowed",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/beta/policies/authorizationPolicy/?$select=defaultUserRolePermissions",
+ "ExtractFields": [
+ "defaultUserRolePermissions"
+ ],
+ "StoreAs": "JSON",
+ "FrontendFields": [
+ {
+ "name": "Security Group Creation Disabled",
+ "desc": "Check if users are allowed to create security groups",
+ "value": "SecurityGroupCreationAllowed.allowedToCreateSecurityGroups",
+ "formatter": "reverseBool"
+ }
+ ]
+ },
+ {
+ "name": "BreakGlassAccount",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/beta/users?$filter=startswith(displayName,'BreakGlass ')&$select=displayName",
+ "where": "$_.count -eq 1",
+ "FrontendFields": [
+ {
+ "name": "BreakGlass Account",
+ "desc": "Check if there is a BreakGlass account in the tenant",
+ "value": "BreakGlassAccount",
+ "formatter": "bool"
+ }
+ ]
+ },
+ {
+ "name": "adminRoles",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/v1.0/directoryRoles?$expand=members($select=displayName)&$select=displayName",
+ "ExtractFields": [
+ "displayName",
+ "members"
+ ],
+ "StoreAs": "JSON",
+ "FrontendFields": [
+ {
+ "name": "Admin Roles",
+ "desc": "Check the admin roles in the tenant",
+ "value": "adminRoles",
+ "formatter": "table"
+ }
+ ]
+ },
+ {
+ "name": "Unusedlicenses",
+ "API": "CIPPFunction",
+ "Command": "Get-CIPPLicenseOverview",
+ "ExtractFields": [
+ "License",
+ "TotalLicenses",
+ "availableUnits",
+ "CountUsed"
+ ],
+ "StoreAs": "JSON",
+ "where": "$_.availableUnits -gt 0",
+ "FrontendFields": [
+ {
+ "name": "Unused licenses",
+ "desc": "Check if there are any unused licenses",
+ "formatter": "table",
+ "value": "Unusedlicenses"
+ }
+ ]
+ },
+ {
+ "name": "CurrentSecureScore",
+ "API": "Graph",
+ "URL": "https://graph.microsoft.com/beta/security/secureScores?$top=1",
+ "Parameters": {
+ "Nopagination": true
+ },
+ "ExtractFields": [
+ "currentScore",
+ "maxScore"
+ ],
+ "StoreAs": "JSON",
+ "FrontendFields": [
+ {
+ "name": "Current Secure Score",
+ "desc": "Check the current secure score for the tenant",
+ "value": "CurrentSecureScore.currentScore / CurrentSecureScore.maxScore * 100",
+ "formatter": "math",
+ "showAs": "percentage"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
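Review bot: The `OAuthAppConsentDisabled` where clause puts an array on the left of `-notin`; if the clause is evaluated as a PowerShell filter, as its `$_` and `$true` syntax suggests, the containment operator compares that array object by reference with the collection's elements, never matches, and the check reports self-service consent as disabled for every tenant regardless of the policy. Test the individual policy names instead: `@($_.defaultUserRolePermissions.permissionGrantPoliciesAssigned | Where-Object { $_ -in @('ManagePermissionGrantsForSelf.microsoft-user-default-legacy', 'ManagePermissionGrantsForSelf.microsoft-user-default-low') }).Count -eq 0`. The `BreakGlassAccount` entry's `$_.count -eq 1` reports false for a tenant that keeps two emergency-access accounts, and it is the only entry without `StoreAs`, so its bool result depends on whatever default the consumer applies. `"asApp": "True"` is a string while `"Nopagination": true` is a JSON boolean; one representation for parameter flags would be easier for the consumer to check.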
diff --git a/Config/AXE-TENANT.BPATemplate.json b/Config/AXE-TENANT.BPATemplate.json
index 69bbcd44a71a..82e46ffe7abf 100644
--- a/Config/AXE-TENANT.BPATemplate.json
+++ b/Config/AXE-TENANT.BPATemplate.json
@@ -149,7 +149,7 @@
 {
 "name": "SecureDefaultState",
 "API": "Graph",
- "URL": "https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy",
+ "URL": "https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy?$select=isEnabled",
 "ExtractFields": [
 "IsEnabled"
 ],
@@ -382,7 +382,7 @@
 "FrontendFields": [
 {
 "name": "Add shortcut button disabled",
- "desc": "Check if the 'Add shortcut' button is disabled for OneDrive",
+ "desc": "Check if the add shortcut button is disabled for OneDrive",
 "value": "SharePointSyncSettings.OneDriveAddShortcutButtonDisabled",
 "formatter": "bool"
 },
@@ -416,7 +416,7 @@
 ]
 },
 {
- "name": "LAPSEnabled",
+ "name": "LAPS",
 "API": "Graph",
 "URL": "https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy?$select=localAdminPassword",
 "ExtractFields": [
@@ -425,9 +425,9 @@
 "StoreAs": "JSON",
 "FrontendFields": [
 {
- "name": "LAPS: Enabled",
+ "name": "LAPS enabled",
 "desc": "Check if Local Admin Password Solution is enabled",
- "value": "LAPSEnabled.IsEnabled",
+ "value": "LAPS.IsEnabled",
 "formatter": "bool"
 }
 ]