Merge pull request KelvinTegelaar#1741 from MWG-Logan/ga-list-alert

Add Get-CIPPAlertGlobalAdminAllowList function and tests

Author: KelvinTegelaar

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertGlobalAdminAllowList.ps1

@@ -0,0 +1,84 @@
+function Get-CIPPAlertGlobalAdminAllowList {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        $TenantFilter
+    )
+    try {
+        $AllowedAdmins = @()
+        $AlertEachAdmin = $false
+        if ($InputValue -is [hashtable] -or $InputValue -is [pscustomobject]) {
+            $AlertEachAdmin = [bool]($InputValue['AlertEachAdmin'])
+            $ApprovedValue = if ($InputValue.ContainsKey('ApprovedGlobalAdmins') -or ($InputValue.PSObject.Properties.Name -contains 'ApprovedGlobalAdmins')) {
+                $InputValue['ApprovedGlobalAdmins']
+            } else {
+                $null
+            }
+            $InputValue = $ApprovedValue
+        }
+        if ($null -ne $InputValue) {
+            if ($InputValue -is [string]) {
+                $AllowedAdmins = $InputValue -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
+            } elseif ($InputValue -is [System.Collections.IEnumerable]) {
+                $AllowedAdmins = $InputValue | ForEach-Object { $_.ToString().Trim() } | Where-Object { $_ }
+            } else {
+                $AllowedAdmins = @("$InputValue")
+            }
+        }
+        $AllowedLookup = $AllowedAdmins | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique
+
+        if (-not $AllowedLookup -or $AllowedLookup.Count -eq 0) {
+            return
+        }
+
+        $GlobalAdmins = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/directoryRoles/roleTemplateId=62e90394-69f5-4237-9190-012177145e10/members?`$select=id,displayName,userPrincipalName" -tenantid $TenantFilter -AsApp $true -ErrorAction Stop | Where-Object {
+            $_.'@odata.type' -eq '#microsoft.graph.user' -and $_.displayName -ne 'On-Premises Directory Synchronization Service Account'
+        }
+
+        $UnapprovedAdmins = foreach ($admin in $GlobalAdmins) {
+            if ([string]::IsNullOrWhiteSpace($admin.userPrincipalName)) { continue }
+            $UpnPrefix = ($admin.userPrincipalName -split '@')[0].ToLowerInvariant()
+            if ($AllowedLookup -notcontains $UpnPrefix) {
+                [PSCustomObject]@{
+                    Admin      = $admin
+                    UpnPrefix  = $UpnPrefix
+                }
+            }
+        }
+
+        if ($UnapprovedAdmins) {
+            if ($AlertEachAdmin) {
+                $AlertData = foreach ($item in $UnapprovedAdmins) {
+                    $admin = $item.Admin
+                    $UpnPrefix = $item.UpnPrefix
+                    [PSCustomObject]@{
+                        Message           = "$($admin.userPrincipalName) has Global Administrator role but is not in the approved allow list (prefix '$UpnPrefix')."
+                        DisplayName       = $admin.displayName
+                        UserPrincipalName = $admin.userPrincipalName
+                        Id                = $admin.id
+                        AllowedList       = if ($AllowedAdmins) { $AllowedAdmins -join ', ' } else { 'Not provided' }
+                        Tenant            = $TenantFilter
+                    }
+                }
+            } else {
+                $NonCompliantUpns = @($UnapprovedAdmins.Admin.userPrincipalName)
+                $AlertData = @([PSCustomObject]@{
+                        Message            = "Found $($NonCompliantUpns.Count) Global Administrator account(s) not in the approved allow list."
+                        NonCompliantUsers  = $NonCompliantUpns
+                        ApprovedPrefixes   = if ($AllowedAdmins) { $AllowedAdmins -join ', ' } else { 'Not provided' }
+                        Tenant             = $TenantFilter
+                    })
+            }
+
+            Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+        }
+    } catch {
+        Write-AlertMessage -tenant $TenantFilter -message "Failed to check approved Global Admins: $(Get-NormalizedError -message $_.Exception.Message)"
+    }
+}

Tests/Alerts/Get-CIPPAlertGlobalAdminAllowList.Tests.ps1

@@ -0,0 +1,106 @@
+# Pester tests for Get-CIPPAlertGlobalAdminAllowList
+# Verifies prefix-based allow list handling and alert emission
+
+BeforeAll {
+    $RepoRoot = Split-Path -Parent (Split-Path -Parent (Split-Path -Parent $PSCommandPath))
+    $AlertPath = Join-Path $RepoRoot 'Modules/CIPPCore/Public/Alerts/Get-CIPPAlertGlobalAdminAllowList.ps1'
+
+    # Provide minimal stubs so Mock has commands to replace during tests
+    function New-GraphGetRequest { param($uri, $tenantid, $AsApp) }
+    function Write-AlertTrace { param($cmdletName, $tenantFilter, $data) }
+    function Write-AlertMessage { param($tenant, $message) }
+    function Get-NormalizedError { param($message) $message }
+
+    . $AlertPath
+}
+
+Describe 'Get-CIPPAlertGlobalAdminAllowList' {
+    BeforeEach {
+        $script:CapturedData = $null
+        $script:CapturedTenant = $null
+        $script:CapturedErrorMessage = $null
+
+        Mock -CommandName New-GraphGetRequest -MockWith {
+            @(
+                [pscustomobject]@{
+                    '@odata.type'       = '#microsoft.graph.user'
+                    displayName         = 'Allowed Admin'
+                    userPrincipalName   = '[email protected]'
+                    id                  = 'id-allowed'
+                },
+                [pscustomobject]@{
+                    '@odata.type'       = '#microsoft.graph.user'
+                    displayName         = 'Unapproved Admin'
+                    userPrincipalName   = '[email protected]'
+                    id                  = 'id-unapproved'
+                }
+            )
+        }
+
+        Mock -CommandName Write-AlertTrace -MockWith {
+            param($cmdletName, $tenantFilter, $data)
+            $script:CapturedData = $data
+            $script:CapturedTenant = $tenantFilter
+        }
+
+        Mock -CommandName Write-AlertMessage -MockWith {
+            param($tenant, $message)
+            $script:CapturedErrorMessage = $message
+        }
+    }
+
+    It 'emits per-admin alerts when AlertEachAdmin is true' {
+        $allowInput = @{ ApprovedGlobalAdmins = 'breakglass'; AlertEachAdmin = $true }
+
+        Get-CIPPAlertGlobalAdminAllowList -TenantFilter 'contoso.onmicrosoft.com' -InputValue $allowInput
+
+        $CapturedData | Should -Not -BeNullOrEmpty
+        $CapturedData.UserPrincipalName | Should -Contain '[email protected]'
+        $CapturedData.UserPrincipalName | Should -Not -Contain '[email protected]'
+        $CapturedTenant | Should -Be 'contoso.onmicrosoft.com'
+    }
+
+    It 'emits single aggregated alert when AlertEachAdmin is false (default)' {
+        Get-CIPPAlertGlobalAdminAllowList -TenantFilter 'contoso.onmicrosoft.com' -InputValue 'breakglass'
+
+        $CapturedData | Should -Not -BeNullOrEmpty
+        $CapturedData.Count | Should -Be 1
+        $CapturedData[0].NonCompliantUsers | Should -Contain '[email protected]'
+        $CapturedData[0].NonCompliantUsers | Should -Not -Contain '[email protected]'
+    }
+
+    It 'emits single aggregated alert when AlertEachAdmin is explicitly false via input object' {
+        $allowInput = @{ ApprovedGlobalAdmins = 'breakglass'; AlertEachAdmin = $false }
+
+        Get-CIPPAlertGlobalAdminAllowList -TenantFilter 'contoso.onmicrosoft.com' -InputValue $allowInput
+
+        $CapturedData | Should -Not -BeNullOrEmpty
+        $CapturedData.Count | Should -Be 1
+        $CapturedData[0].NonCompliantUsers | Should -Contain '[email protected]'
+        $CapturedData[0].NonCompliantUsers | Should -Not -Contain '[email protected]'
+    }
+
+    It 'suppresses alert when UPN prefix is approved (comma separated list)' {
+        $allowInput = @{ ApprovedGlobalAdmins = 'breakglass,otheradmin'; AlertEachAdmin = $true }
+        Get-CIPPAlertGlobalAdminAllowList -TenantFilter 'contoso.onmicrosoft.com' -InputValue $allowInput
+
+        $CapturedData | Should -BeNullOrEmpty
+    }
+
+    It 'accepts ApprovedGlobalAdmins property when provided as hashtable' {
+        $allowInput = @{ ApprovedGlobalAdmins = 'breakglass,otheradmin' }
+        Get-CIPPAlertGlobalAdminAllowList -TenantFilter 'contoso.onmicrosoft.com' -InputValue $allowInput
+
+        $CapturedData | Should -BeNullOrEmpty
+    }
+
+    It 'writes alert message when Graph call fails' {
+        Mock -CommandName New-GraphGetRequest -MockWith { throw 'Graph failure' } -Verifiable
+
+        Get-CIPPAlertGlobalAdminAllowList -TenantFilter 'contoso.onmicrosoft.com' -InputValue 'breakglass'
+
+        $CapturedData | Should -BeNullOrEmpty
+        $CapturedErrorMessage | Should -Match 'Failed to check approved Global Admins'
+        $CapturedErrorMessage | Should -Match 'Graph failure'
+    }
+}