Framework/Core/SVT/AzureDevOps/AzureDevOps.Organization.ps1
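Set-StrictMode -Version Latest

# Organization-level security controls for an Azure DevOps organization.
# Each Check* / Validate* method receives a ControlResult, records a
# verification result plus message on it, and returns it to the caller.
# The organization name is taken from SubscriptionContext.SubscriptionName
# throughout (it is substituted into every API URL below).
class Organization: SVTBase
{
    [PSObject] $ServiceEndPointsObj = $null

    # Policy sections (e.g. applicationConnection, security) returned by the
    # collection-admin-policy data provider. Stays $null when the provider
    # returns no data; the policy checks then report "cannot evaluate"
    # instead of silently producing an empty result.
    [PSObject] $OrgPolicyObj = $null

    Organization([string] $subscriptionId, [SVTResource] $svtResource): Base($subscriptionId,$svtResource)
    {
        $this.GetOrgPolicyObject()
    }

    # Queries the organization policy data provider (the data behind the
    # _settings/policy admin page) and stores its "policies" object in
    # $this.OrgPolicyObj. Nothing is stored when the response has no "data"
    # member or no entry for the provider.
    GetOrgPolicyObject()
    {
        $apiURL = "https://{0}.vsaex.visualstudio.com/_apis/Contribution/dataProviders/query?api-version=5.0-preview.1" -f $($this.SubscriptionContext.SubscriptionName)
        $orgUrl = "https://{0}.visualstudio.com" -f $($this.SubscriptionContext.SubscriptionName)
        # Request body mirrors what the admin page itself sends; $orgUrl is
        # interpolated into the sourcePage URL before the JSON is parsed.
        $inputbody = "{'contributionIds':['ms.vss-org-web.collection-admin-policy-data-provider'],'context':{'properties':{'sourcePage':{'url':'$orgUrl/_settings/policy','routeId':'ms.vss-admin-web.collection-admin-hub-route','routeValues':{'adminPivot':'policy','controller':'ContributedPage','action':'Execute'}}}}}" | ConvertFrom-Json
        $responseObj = [WebRequestHelper]::InvokePostWebRequest($apiURL,$inputbody)

        $providerId = 'ms.vss-org-web.collection-admin-policy-data-provider'
        if ([Helpers]::CheckMember($responseObj,"data") -and $responseObj.data.$providerId)
        {
            $this.OrgPolicyObj = $responseObj.data.$providerId.policies
        }
    }

    # Looks up a single policy entry in one section of $this.OrgPolicyObj.
    # $section    - property name on OrgPolicyObj (e.g. "security").
    # $policyName - value matched against each entry's Policy.Name.
    # Returns the first matching entry, or $null when the section or the
    # policy is absent (including when OrgPolicyObj was never populated).
    hidden [PSObject] FindOrgPolicy([string] $section, [string] $policyName)
    {
        if (-not [Helpers]::CheckMember($this.OrgPolicyObj, $section))
        {
            return $null
        }
        $found = @($this.OrgPolicyObj.$section | Where-Object { $_.Policy.Name -eq $policyName })
        if ($found.Count -gt 0)
        {
            return $found[0]
        }
        return $null
    }

    # Shared evaluation for the boolean organization policies below.
    # An effectiveValue of $false is treated as the secure (Passed) state and
    # anything else as Failed. NOTE(review): the policy names read as
    # "Disallow…" yet $false is taken as the compliant value here; this is
    # how the original check was written - confirm against the data
    # provider's semantics before changing it.
    # When the policy cannot be found, the control is marked Verify with an
    # explanatory message rather than returning with no result at all.
    hidden [ControlResult] EvaluateOrgPolicy([ControlResult] $controlResult, [string] $section, [string] $policyName, [string] $passMessage, [string] $failMessage)
    {
        $policyEntry = $this.FindOrgPolicy($section, $policyName)
        if ($null -eq $policyEntry)
        {
            $controlResult.AddMessage([VerificationResult]::Verify, "Could not read policy '$policyName' from Organization settings; verify this setting manually")
            return $controlResult
        }

        if ($policyEntry.policy.effectiveValue -eq $false)
        {
            $controlResult.AddMessage([VerificationResult]::Passed, $passMessage)
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Failed, $failMessage)
        }
        return $controlResult
    }

    # Passes when the organization reports an AAD tenant name through the
    # enterprise-navigation data provider; fails when no name is present.
    hidden [ControlResult] CheckAADConfiguration([ControlResult] $controlResult)
    {
        $apiURL = "https://{0}.visualstudio.com/_apis/Contribution/HierarchyQuery?api-version=5.0-preview.1" -f $($this.SubscriptionContext.SubscriptionName)
        $inputbody = '{"contributionIds":["ms.vss-tfs-web.enterprise-navigation-data-provider"],"dataProviderContext":{"properties":{}}}' | ConvertFrom-Json
        $responseObj = [WebRequestHelper]::InvokePostWebRequest($apiURL,$inputbody)

        $providerId = 'ms.vss-tfs-web.enterprise-navigation-data-provider'
        $hasTenantName = [Helpers]::CheckMember($responseObj,"dataProviders") -and
                         $responseObj.dataProviders.$providerId -and
                         $responseObj.dataProviders.$providerId.name
        if ($hasTenantName)
        {
            $controlResult.AddMessage([VerificationResult]::Passed, "AAD is configured ($($responseObj.dataProviders.$providerId.name)) on Org")
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Failed, "AAD is not configured on Organization")
        }
        return $controlResult
    }

    # Alternate (basic) authentication credentials, from the
    # applicationConnection policy section.
    hidden [ControlResult] CheckAltAuthSettings([ControlResult] $controlResult)
    {
        return $this.EvaluateOrgPolicy($controlResult, "applicationConnection", "Policy.DisallowBasicAuthentication",
            "Alternate authentication is disabled on Organization",
            "Alternate authentication is enabled on Organization")
    }

    # AAD guest (external) user access, from the security policy section.
    hidden [ControlResult] CheckExternalUserPolicy([ControlResult] $controlResult)
    {
        return $this.EvaluateOrgPolicy($controlResult, "security", "Policy.DisallowAadGuestUserAccess",
            "External guest access is disabled on Organization",
            "External guest access enabled on Organization")
    }

    # Anonymous access to public projects, from the security policy section.
    hidden [ControlResult] CheckPublicProjectPolicy([ControlResult] $controlResult)
    {
        return $this.EvaluateOrgPolicy($controlResult, "security", "Policy.AllowAnonymousAccess",
            "Public projects are disabled on Organization",
            "Public projects are enabled on Organization")
    }

    # Lists every installed extension for manual review (Verify); passes
    # only when none are installed.
    hidden [ControlResult] ValidateInstalledExtensions([ControlResult] $controlResult)
    {
        $apiURL = "https://extmgmt.dev.azure.com/{0}/_apis/extensionmanagement/installedextensions?api-version=4.1-preview.1" -f $($this.SubscriptionContext.SubscriptionName)
        $responseObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL)

        # Measure-Object yields a count for a single object as well as an
        # array, so the same value is used for the condition and the message.
        $extensionCount = ($responseObj | Measure-Object).Count
        if ($extensionCount -gt 0)
        {
            $controlResult.AddMessage("No. of extensions installed:" + $extensionCount)
            $extensionList = $responseObj | Select-Object extensionName,publisherId,publisherName,version
            $controlResult.AddMessage([VerificationResult]::Verify, "Verify below installed extensions",$extensionList)
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed, "No extensions found")
        }
        return $controlResult
    }

    # Lists guest-type user entitlements for manual review (Verify); passes
    # when none are returned. Only one page of results is requested, so the
    # reported count is a lower bound when the organization has more guests
    # than $pageSize - a note is added to the result in that case.
    hidden [ControlResult] CheckGuestIdentities([ControlResult] $controlResult)
    {
        # Maximum number of entitlements returned by the single request below.
        $pageSize = 100
        $apiURL = "https://{0}.vsaex.visualstudio.com/_apis/UserEntitlements?top={1}&filter=userType+eq+%27guest%27&api-version=5.0-preview.2" -f $($this.SubscriptionContext.SubscriptionName), $pageSize
        $responseObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL)

        if ([Helpers]::CheckMember($responseObj,"members"))
        {
            $guestCount = ($responseObj.members | Measure-Object).Count
            if ($guestCount -gt 0)
            {
                $controlResult.AddMessage("No. of guest identities present:" + $guestCount)
                if ($guestCount -ge $pageSize)
                {
                    $controlResult.AddMessage("Only the first $pageSize guest identities were retrieved; additional guest identities may exist.")
                }
                # NOTE: the column name "IdenityType" (sic) is kept unchanged so
                # that existing consumers of the report output are not broken.
                $guestList = $responseObj.members | Select-Object @{Name="IdenityType"; Expression = {$_.user.subjectKind}},@{Name="DisplayName"; Expression = {$_.user.displayName}}, @{Name="MailAddress"; Expression = {$_.user.mailAddress}},@{Name="AccessLevel"; Expression = {$_.accessLevel.licenseDisplayName}},@{Name="LastAccessedDate"; Expression = {$_.lastAccessedDate}}
                $controlResult.AddMessage([VerificationResult]::Verify, "Verify below guest identities",$guestList)
            }
            else
            {
                $controlResult.AddMessage([VerificationResult]::Passed, "No guest identities found")
            }
        }
        else
        {
            # No "members" member in the response: report it instead of
            # returning a result with no message.
            $controlResult.AddMessage([VerificationResult]::Verify, "Could not read guest identities from the entitlements API; verify guest users manually")
        }
        return $controlResult
    }

    # Lists identities holding a role on the extension-management UI scope
    # (extension managers) for manual review; passes when none are assigned.
    hidden [ControlResult] CheckExtensionManagers([ControlResult] $controlResult)
    {
        $apiURL = "https://{0}.extmgmt.visualstudio.com/_apis/securityroles/scopes/ems.manage.ui/roleassignments/resources/ems-ui" -f $($this.SubscriptionContext.SubscriptionName)
        $responseObj = [WebRequestHelper]::InvokeGetWebRequest($apiURL)

        $managerCount = ($responseObj | Measure-Object).Count
        if ($managerCount -gt 0)
        {
            $controlResult.AddMessage("No. of extension managers present:" + $managerCount)
            $extensionManagerList = $responseObj | Select-Object @{Name="IdentityName"; Expression = {$_.identity.displayName}},@{Name="Role"; Expression = {$_.role.displayName}}
            $controlResult.AddMessage([VerificationResult]::Verify, "Verify below extension managers",$extensionManagerList)
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed, "No extension manager found")
        }
        return $controlResult
    }
}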