PowerShell Gallery | azure-ad-license-status.psm1 1.2.6 (2023)

#region: CSS configuration
$style=@"

#endregion

#region: Helper functions
modeInitialization-Variables{
# Common
$script:outputs=[System.Text.StringBuilder]::young()
$script:results=@{}
$script:skuTranslate=[series]::young([char[]]((Invoke-WebRequest-Houri'https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%csvlicens'-You are in BasicParsing).Content))|ConvertFrom-Csv
# Exchange Online
$script:EXOCmdlets=@("Receive-recipient",
"Get-DistributionGroupMember",
"Get-UnifiedGroupLinks",
"Get-ATPBuiltInProtectionRule",
"Get-ATPPprotectionPolicyRule",
"Get-AntiPhishRule",
"Get-AntiPhishPolicy",
'Get-SafeAttachmentRule',
"Get-SafeAttachment Policy",
'Get-SafeLinksRule',
"Get-SafeLinksPolicy")
$script:EXOPproperties=@('ExchangeObjectId',
'ExternalDirectoryObjectId',
"PrimarySmtpAddress",
'RecipientTypeDetails')
$script:EXOTtypes_group=@('GroupMailbox',
'MailUniversalDistributionGroup',
'MailUniversalSecurityGroup')
$script:EXOTtypes_user=@("Shared Mailbox",
'UserMailbox')
# Graph
$script:pageSize=500
# Processing, process
$script:nestingLevel=0
}

modeWrite a message{
param(
[Parameter(Imperative=$truth)]
[ValidateNotNullOrEmpty()]
[series]$Message,
[ValidateSet('Error','polylogue')]
[series]$Type
)

$formattedMessage="[$([datetime]::Now.ToString('yyyy-MM-dd HH:mm:dd'))] $([string]::new('-', $nestingLevel)) $Message"
if($Type-ex'Error'){
Registration-Error-Message$formattedMessage-CategoryAuthentication error
}
otherif($Type-ex'polylogue'){
Write-Verbose-Message$formattedMessage
}
elsewhere{
$formattedMessage|Registration-Exit
}
}

modeAdd-Exit{
param(
[Parameter(Imperative=$truth)]
[ValidateNotNullOrEmpty()]
[series]$Exit
)

# Logging
$nestingLevel++
Write a message"Add Output"-TypeA polyglot
# Processing
$outputs.AppendLine($Exit)|Out-Null
$nestingLevel--
}

modeAdd-Result{
param(
[Parameter(Imperative=$truth,ParameterSetName='SKU')]
[ValidateNotNullOrEmpty()]
[guide]$SKIN,
[Parameter(Imperative=$truth,ParameterSetName='SKU')]
[ValidateNotNullOrEmpty()]
[UIint32]$AvailableCount,
[Parameter(Imperative=$truth,ParameterSetName='SKU')]
[ValidateNotNullOrEmpty()]
[UIint32]$MinimumCount,
[Parameter(Imperative=$truth,ParameterSetName='User')]
[ValidateNotNullOrEmpty()]
[series]$UserPrincipalName,
[Parameter(Imperative=$truth,ParameterSetName='User')]
[ValidateSet('Exchangeable',"Optimizable",'Transposable')]
[series]$ConflictType,
[Parameter(Imperative=$truth,ParameterSetName='User')]
[ValidateNotNullOrEmpty()]
[guide[]]$ConflictSKU,
[Parameter(Imperative=$truth,ParameterSetName='Advanced')]
[ValidateNotNullOrEmpty()]
[series]$PlanName,
[Parameter(Imperative=$truth,ParameterSetName='Advanced')]
[ValidateNotNullOrEmpty()]
[UIint32]$EnabledCount,
[Parameter(Imperative=$truth,ParameterSetName='Advanced')]
[ValidateNotNullOrEmpty()]
[UIint32]$NeededCount
)

# Logging
$nestingLevel++
Write a message"Add-Result"-TypeA polyglot
# Processing
if(-not$results.ContainsKey($PSCmdlet.ParameterSetName)){
$results.Addition($PSCmdlet.ParameterSetName,@{})
}
switch($PSCmdlet.ParameterSetName){
'Advanced'{
if(-not$results[$PSCmdlet.ParameterSetName].ContainsKey($PlanName)){
$results[$PSCmdlet.ParameterSetName].Addition($PlanName,@{
"enabledCount"=$EnabledCount;
'neededCount'=$NeededCount
})
}
}
'SKU'{
if(-not$results[$PSCmdlet.ParameterSetName].ContainsKey($SKIN)){
$results[$PSCmdlet.ParameterSetName].Addition($SKIN,@{
'availableCount'=$AvailableCount;
'minimumCount'=$MinimumCount
})
}
}
'User'{
if(-not$results[$PSCmdlet.ParameterSetName].ContainsKey($UserPrincipalName)){
$results[$PSCmdlet.ParameterSetName].Addition($UserPrincipalName,@{})
}
if(-not$results[$PSCmdlet.ParameterSetName][$UserPrincipalName].ContainsKey($ConflictType)){
$results[$PSCmdlet.ParameterSetName][$UserPrincipalName].Addition($ConflictType,$ConflictSKU)
}
}
}
$nestingLevel--
}

modeGet-AADGroupMembers{
[Output type([guide[]])]
param(
[Parameter(Imperative=$truth)]
[ValidateNotNullOrEmpty()]
[guide[]]$GroupIDs
)

# Logging
$nestingLevel++
Write a message"Get-AADGroupMembers"-TypeA polyglot
# Processing
$groupMembers=[System.Collections.Generic.List[hashtable]]::young()
for each($groupIDin$GroupIDs){
$URI='https://graph.microsoft.com/v1.0/groups/{0}/transitiveMembers?$select=id&$top={1}'- eat$groupID,$pageSize
while($null- is$URI){
$data=Invoke-MgGraphRequest-MethodI GET-Houri$URI
$groupMembers.AddRange([hashtable[]]($data.value))
$URI=$data['@odata.nextLink']
}
}
$groupMembers_unique=@($groupMembers.ID card|Option-Object-Unique)
Write a message"Found $($groupMembers_unique.Count) members"-TypeA polyglot
$nestingLevel--
Registration-Exit([guide[]]$groupMembers_unique)- No enumeration
}

modeGet-EXOGroupMembers{
[Output type([pscustomobject[]])]
param(
[Parameter(Imperative=$truth)]
[ValidateNotNullOrEmpty()]
[guide[]]$GroupIDs
)

# Logging
$nestingLevel++
Write a message"Get-EXOGroupMembers"-TypeA polyglot
# Processing
$groupMembers=[System.Collections.Generic.List[pscustomobject]]::young()
for each($groupIDin$GroupIDs){
if($null- is($team=[pscustomobject](Get-EXORrecipient$groupID.Guide-Recipient Type Details$EXOTtypes_group-Properties$EXOPProperties)|Option-Object-Property$EXOPProperties)){
switch($team.RecipientTypeDetails){
'GroupMailbox'{
$members=@(Get-UnifiedGroupLinks$team.ExchangeObjectId.Guide-Type of linkMembers-Result sizeUnlimited|Option-Object-Property$EXOPProperties)
}
Predefined{
$members=@(Get-DistributionGroupMember$team.ExchangeObjectId.Guide-Result sizeUnlimited|Option-Object-Property$EXOPProperties)
}
}
for each($memberin$members){
switch($member.RecipientTypeDetails){
{$_-in$EXOTypes_user}{
$groupMembers.Addition($member)
}
{$_-in$EXOTtypes_group}{
$groupMembers.AddRange((Get-EXOGroupMembers-GroupIDs$member.ExchangeObjectId))
}
}
}
}
}
$groupMembers_unique=@($groupMembers|Option-Object-Unique)
Write a message"Found $($groupMembers_unique.Count) members"-TypeA polyglot
$nestingLevel--
Registration-Exit([pscustomobject[]]$groupMembers_unique)- No enumeration
}

modeResolve-ATPRecipients{
[Output type([pscustomobject[]])]
param(
[Parameter(Imperative=$truth)]
[AllowNull()]
[series[]]$Users,
[Parameter(Imperative=$truth)]
[AllowNull()]
[series[]]$Groups,
[Parameter(Imperative=$truth)]
[AllowNull()]
[series[]]$Domains
)

# Logging
$nestingLevel++
Write a message"Resolve-ATPRecipients"-TypeA polyglot
# Processing
$categoryCount=0
$affectedAsUser=[System.Collections.Generic.List[pscustomobject]]::young()
$affectedAsGroup=[System.Collections.Generic.List[pscustomobject]]::young()
$affectedAsDomain=[System.Collections.Generic.List[pscustomobject]]::young()
if($null- is$Users){
$categoryCount++
if($null- is($recipients=[pscustomobject[]]@(Get-EXORrecipient-Recipient Type Details$EXOTypes_user-Properties$EXOPProperties-Result sizeUnlimited)|Option-Object-Property$EXOPProperties|Where-Object{$_.PrimarySmtpAddress-in$Users})){
$affectedAsUser.AddRange([pscustomobject[]]@($recipients))
}
}
Write a message"Found $($affectedAsUser.Count) recipients from users"-TypeA polyglot
if($null- is$Groups){
$categoryCount++
if($null- is($recipients=[pscustomobject[]]@(Get-EXORrecipient-Recipient Type Details$EXOTtypes_group-Properties$EXOPProperties-Result sizeUnlimited)|Option-Object-Property$EXOPProperties|Where-Object{$_.PrimarySmtpAddress-in$Groups})){
$affectedAsGroup.AddRange((Get-EXOGroupMembers-GroupIDs$recipients.ExchangeObjectId))
}
}
Write a message"Found $($affectedAsGroup.Count) recipients per groups"-TypeA polyglot
if($null- is$Domains){
$categoryCount++
if($null- is($recipients=[pscustomobject[]]@(Get-EXORrecipient-Recipient Type Details$EXOTypes_user-Properties$EXOPProperties-Result sizeUnlimited)|Option-Object-Property$EXOPProperties|Where-Object{$_.PrimarySmtpAddress.Division('@')[1]-in$Domains})){
$affectedAsDomain.AddRange([pscustomobject[]]@($recipients))
}
if($null- is($recipients=[pscustomobject[]]@(Get-EXORrecipient-Recipient Type Details$EXOTtypes_group-Properties$EXOPProperties-Result sizeUnlimited)|Option-Object-Property$EXOPProperties|Where-Object{$_.PrimarySmtpAddress.Division('@')[1]-in$Domains})){
$affectedAsDomain.AddRange((Get-EXOGroupMembers-GroupIDs$recipients.ExchangeObjectId))
}
}
Write a message"Found $($affectedAsDomain.Count) recipients by domains"-TypeA polyglot
if($null- is($resolvedUsers=@($affectedAsUser|Option-Object-Unique)+@($affectedAsGroup|Option-Object-Unique)+@($affectedAsDomain|Option-Object-Unique)|Group-Object-PropertyExchangeObjectId|Where-Object{$_.count-ex$categoryCount})){
$resolvedUsers_unique=@($resolvedUsers.Club|Option-Object-Unique)
Write a message"Found $($resolvedUsers_unique.Count) recipients per combination"-TypeA polyglot
$nestingLevel--
Registration-Exit([pscustomobject[]]$resolvedUsers_unique)- No enumeration
}
elsewhere{
Write a message"Found 0 recipients per combination"-TypeA polyglot
$nestingLevel--
Registration-Exit@([pscustomobject[]]::young(0))- No enumeration
}
}

modeGet-ATPRrecipients{
[Output type([pscustomobject[]])]
param(
[Parameter(Imperative=$truth)]
[AllowNull()]
[series[]]$IncludedUsers,
[Parameter(Imperative=$truth)]
[AllowNull()]
[series[]]$IncludedGroups,
[Parameter(Imperative=$truth)]
[AllowNull()]
[series[]]$IncludedDomains,
[Parameter(Imperative=$truth)]
[AllowNull()]
[series[]]$ExcludedUsers,
[Parameter(Imperative=$truth)]
[AllowNull()]
[series[]]$ExcludedGroups,
[Parameter(Imperative=$truth)]
[AllowNull()]
[series[]]$ExcludedDomains
)

# Logging
$nestingLevel++
Write a message"Get-ATPRecipients"-TypeA polyglot
# Processing
Write a message"Check Including Recipients"-TypeA polyglot
if($null-ex$IncludedUsers-and
$null-ex$IncludedGroups-and
$null-ex$IncludedDomains){
$userRecipients=[pscustomobject[]]@(Get-EXORrecipient-Recipient Type Details$EXOTypes_user-Properties$EXOPProperties-Result sizeUnlimited)|Option-Object-Property$EXOPProperties
$groupRecipients=Get-EXOGroupMembers-GroupIDs([pscustomobject[]]@(Get-EXORrecipient-Recipient Type Details$EXOTtypes_group-Properties$EXOPProperties-Result sizeUnlimited)).ExchangeObjectId
$includedRecipients=$userRecipients+$groupRecipients|Option-Object-Unique
}
elsewhere{
$includedRecipients=Resolve-ATPRecipients- Users$IncludedUsers-Teams$IncludedGroups- Sectors$IncludedDomains
}
Write a message"Found $($includedRecipients.Count) included recipients"-TypeA polyglot
Write a message"Check Blocked Recipients"-TypeA polyglot
if($null-ex$ExcludedUsers-and
$null-ex$ExcludedGroups-and
$null-ex$ExcludedDomains){
$excludedRecipients=@()
}
elsewhere{
$excludedRecipients=Resolve-ATPRecipients- Users$ExcludedUsers-Teams$ExcludedGroups- Sectors$ExcludedDomains
}
Write a message"Found $($excludedRecipients.Count) excluded recipients"-TypeA polyglot
Write a message"Check Affected Recipients"-TypeA polyglot
$affectedRecipients=[System.Collections.Generic.List[pscustomobject]]::young()
if($null- is($affectedRecipientComparison=Comparison-Object-Reference object$includedRecipients-Object of difference$excludedRecipients)){
if($null- is($affectedRecipientResults=$affectedRecipientComparison|Where-Object{$_.Side marker-ex'<='})){
$affectedRecipients.AddRange([pscustomobject[]]@($affectedRecipientResults.Input object))
}
}
$affectedRecipients_unique=@($affectedRecipients|Option-Object-Unique)
Write a message"Found $($affectedRecipients_unique.Count) affected recipients"-TypeA polyglot
$nestingLevel--
Registration-Exit([pscustomobject[]]$affectedRecipients_unique)- No enumeration
}

modeGet-SKUName{
[Output type([series])]
param(
[Parameter(Imperative=$truth)]
[ValidateNotNullOrEmpty()]
[guide]$SKIN
)

# Logging
$nestingLevel++
Write a message"Get-SKUName"-TypeA polyglot
# Processing
if($null- is($skuName=($skuTranslate|Where-Object{$_.GUIDE-ex$SKIN}).Product_Display_Name|Option-Object-Unique)){
$skuName=[cultureinfo]::young('to us').TextInfo.ToTitleCase($skuName.To reduce())
}
elsewhere{
$skuName=$SKIN
}
$nestingLevel--
Registration-Exit$skuName
}
#endregion

modeGet-AzureADLicenseStatus{
<#
.SUMMARY
Generates an Azure AD license report based on license assignments and consumption
.DESCRIPTION
This script is intended to combat the side effects of semi-automatic license assignments for Microsoft services in Azure AD, i.e. the combination of group-based licenses with manual management of group members, regularly reporting on both the number of available licenses per SKU and any conflicting permission assignments per user account. This allows for somewhat easier license management without either implementing a comprehensive software asset management solution or hiring a licensing service provider.

SKU IDs and names are as per https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-service-plan-reference
.PARAMETER Directory ID
Specifies the directory to connect to
.PARAMETER ApplicationID
Specifies the application in the target directory for authentication
.PARAMETER SubscriptionID
Specifies the subscription to the target directory to access
.PARAMETER KeyVaultName
Specifies the key vault in the destination subscription to access
.PARAMETER Name of certificate
Specifies the name of the certificate in the target keystore to use for authentication
.Certificate PARAMETER
Specifies the certificate to use for authentication
.PARAMETER CertificateThumb
Specifies the certificate thumbprint in the local certificate store to use for authentication
.PARAMETER Sender address
Specifies the sender address that will be used to deliver the report
.PARAMETER RecipientAddresses_normal
Specifies the recipient addresses that will be used to deliver the report
.PARAMETER RecipientAddresses_critical
Specifies the additional recipient addresses to be used for critical case report delivery
.PARAMETER SKUIgnoreThreshold
Specifies the minimum activated license limit for SKUs to be considered for the report
.PARAMETER SKUPPercentageThreshold_normal
Specifies the minimum available license percentage limit for SKUs to be included in the report
.SKU PARAMETERTotalThreshold_normal
Specifies the minimum available license amount limit for SKUs to be included in the report
.PARAMETER SKUPpercentageThreshold_important
Specifies the minimum available license percentage limit for SKUs to be included in the report
.SKU PARAMETERTotalThreshold_important
Specifies the minimum available license amount limit for SKUs to be included in the report
.PARAMETER SKUWarningThreshold_basic
Specifies the warning rate threshold to use when reporting for key controls
.PARAMETER SKUCriticalThreshold_basic
Specifies the critical percentage threshold to use when reporting for key controls
.PARAMETER SKUWarningThreshold_advanced
Specifies the warning rate threshold to use when generating a report for advanced checks
.PARAMETER SKUCriticalThreshold_advanced
Specifies the critical percentage threshold to use when generating a report for advanced checks
.PARAMETER ImportantSKU
It determines which SKUs are considered significant, so different thresholds are used for the calculation
.PARAMETERS InterchangeableSKU
Defines a list of SKUs that are considered interchangeable, e.g. Office 365 E1 and Office 365 E3
.PARAMETER LicensingURL
Specifies a licensing portal URL to link to in the report, it refers to the Microsoft License Volume Service Center by default
.PARAMETER AdvancedChecups
Specifies whether advanced license checks should be performed
CAUTION: Advanced checks require additional access permissions and may increase the duration of the check
.EXAMPLE
Get-AzureADLicenseStatus -DirectoryID '00000000-0000-0000-0000-0000000000000' -ApplicationID '00000000-0000-0000-0000-00000000000-0000-0000-00000000000-0000-0000-00000000000-0000-0000-00000000000-0000-0000-00000000000-0000-0000-0000000000000000-0000-00000000000 QRSTUVWXYZ' -SenderAddress 'sender@example.com' -RecipientAddresses_normal @('recipient_1@ example.com", "recipient_2@example.com")

Prepares a status report with default values ​​using only the parameters necessary to authenticate and deliver the report
.EXAMPLE
Get-AzureADLicenseStatus -DirectoryID '00000000-0000-0000-0000-0000000000000' -ApplicationID '00000000-0000-0000-0000-00000000000-0000-0000-00000000000-0000-0000-00000000000-0000-0000-00000000000-0000-0000-00000000000-0000-0000-0000000000000000-0000-00000000000 QRSTUVWXYZ' -SenderAddress 'sender@example.com' -RecipientAddresses_normal @('recipient_1@ example.com', 'recipient_2@example.com') -RecipientAddresses_critical @('recipient_3@example.com', 'recipient_4@example.com') -SKUPercentageThreshold_normal 1 -SKUTotalThreshold_normal 100 -SKUPotalThreshold_normal 100 -SKUPportimtalThreshold_SKUPer 500

Prepares a status report with custom thresholds for larger organizations and additional recipients for when license counts reach critical levels
.EXAMPLE
Get-AzureADLicenseStatus -DirectoryID '00000000-0000-0000-0000-0000000000000' -Αναγνωριστικό εφαρμογής '00000000-0000-0000-0000-00000000000-00000000000000000000000 000-0000-000000000000' -KeyVaultName 'MyKeyVault' -CertificateName' MyCertificate' -SenderAddress 'sender@example.com' -RecipientAddresses_normal @('recipient_1@example.com', 'recipient_2@example.com') -RecipientAddresses_critical @('recipient_3@example.com', 'recipient. ) -SKUPercentageThreshold_normal 1 -SKUTotalThreshold_normal 100 -SKUPercentageThreshold_important 1 -SKUTotalThreshold_important 500 -ImportantSKUs @('18181a46-0d4e-411e-74e-608 f-b296-42f0-b197-1e91e994b900') -Εναλλάξιμα SKU @('4b585984-651b- 448a-9e53-3b10f069cf7f', '18181a46-0d4e-45cd-891e-60aabd171b4e', '6fd2c87f-b296-42f0-b197-1e90f0-B197-1e91ef07-2006, 191e994, 2006, 2006 578-5b5392b571df') -AdvancedChecups

Prepares a status report using an Azure certificate for automation purposes, identifying both important and interchangeable SKUs and enabling advanced checks
#>

[CmdletBinding(Seat reservation=$false)]
param(
[Parameter(Imperative=$truth)]
[ValidateNotNullOrEmpty()]
[guide]$DirectoryID,
[Parameter(Imperative=$truth)]
[ValidateNotNullOrEmpty()]
[guide]$ApplicationID,
[Parameter(Imperative=$truth,ParameterSetName="Azure Certificate")]
[ValidateNotNullOrEmpty()]
[guide]$SubscriptionID,
[Parameter(Imperative=$truth,ParameterSetName="Azure Certificate")]
[ValidateNotNullOrEmpty()]
[series]$KeyVaultName,
[Parameter(Imperative=$truth,ParameterSetName="Azure Certificate")]
[ValidateNotNullOrEmpty()]
[series]$CertificateName,
[Parameter(Imperative=$truth,ParameterSetName="Local Certificate")]
[ValidateNotNullOrEmpty()]
[System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
[Parameter(Imperative=$truth,ParameterSetName='LocalCertificateThumbprint')]
[ValidateNotNullOrEmpty()]
[series]$CertificateThumbprint,
[Parameter(Imperative=$truth)]
[ValidateNotNullOrEmpty()]
[series]$SenderAddress,
[Parameter(Imperative=$truth)]
[ValidateNotNullOrEmpty()]
[series[]]$RecipientAddresses_normal,
[ValidateNotNullOrEmpty()]
[series[]]$RecipientAddresses_critical,
[ValidateNotNullOrEmpty()]
[UIint32]$SKUIgnoreThreshold=10,
[ValidateRange(0,100)]
[UIint16]$SKUPercentageThreshold_normal=5,
[ValidateNotNullOrEmpty()]
[UIint32]$SKUTotalThreshold_normal=10,
[ValidateRange(0,100)]
[UIint16]$SKUPercentageThreshold_important=5,
[ValidateNotNullOrEmpty()]
[UIint32]$SKUTotalThreshold_important=50,
[ValidateScript({$_-in1..99-and$_-gt$SKUCriticalThreshold_basic})]
[UIint16]$SKUWarningThreshold_basic=80,
[ValidateScript({$_-in1..99-and$_- l$SKUWarningThreshold_basic})]
[UIint16]$SKUCriticalThreshold_basic=20,
[ValidateScript({$_-in1..99-and$_-gt$SKUCriticalThreshold_advanced})]
[UIint16]$SKUWarningThreshold_advanced=99,
[ValidateScript({$_-in1..99-and$_- l$SKUWarningThreshold_advanced})]
[UIint16]$SKUCriticalThreshold_advanced=95,
[ValidateNotNullOrEmpty()]
[guide[]]$ImportantSKU=@(),
[ValidateNotNullOrEmpty()]
[guide[]]$InterchangeableSKU=@(),
[ValidateNotNullOrEmpty()]
[series]$LicensingURL="https://www.microsoft.com/licensing/servicecenter",
[switch]$AdvancedCheckups
)

Initialization-Variables
try it{
switch($PSCmdlet.ParameterSetName){
"Azure Certificate"{
Login-AzAccount-ID card-Subscription$SubscriptionID
$azureCertificateSecret=Get-AzKeyVaultSecret-VaultName$KeyVaultName-Name$CertificateName-AsPlainText
$azure certificate=[System.Security.Cryptography.X509Certificates.X509Certificate2]::young([Convert]::FromBase64String($azureCertificateSecret))
Logout-AzAccount
Connect-MgGraph-Certificate$azure certificate-TenantId$DirectoryID-Customer ID$ApplicationID-ErrorActionTo stop|Out-Null
}
"Local Certificate"{
Connect-MgGraph-Certificate$Certificate-TenantId$DirectoryID-Customer ID$ApplicationID-ErrorActionTo stop|Out-Null
}
'LocalCertificateThumbprint'{
Connect-MgGraph-Certificate imprint$CertificateThumbprint-TenantId$DirectoryID-Customer ID$ApplicationID-ErrorActionTo stop|Out-Null
}
}
$graphAuthentication=$truth
Write a message"Successfully authenticated with Graph"-TypeA polyglot
}
arrest{
$graphAuthentication=$false
Write a message-Message"Failed to authenticate with Graph"-TypeError
}
if($graphAuthentication){
#region: SKU
# Get SKU
$organizationSKU=[System.Collections.Generic.List[hashtable]]::young()
$URI="https://graph.microsoft.com/v1.0/subscribedSkus?$select=skuId,prepaidUnits,consumedUnits,servicePlans"
while($null- is$URI){
$data=Invoke-MgGraphRequest-MethodI GET-Houri$URI
$organizationSKU.AddRange([hashtable[]]($data.value))
$URI=$data['@odata.nextLink']
}
# SKU analysis
for each($SKUin$organizationSKU|Where-Object{$_.prepaid units.activated-gt$SKUIgnoreThreshold}){
$totalCount=$SKU.prepaid units.activated
$availableCount=$SKU.prepaid units.activated-$SKU.Units are consumed
if($SKU.skuId-in$ImportantSKU){
$percentageThreshold=$SKUPercentageThreshold_important
$totalThreshold=$SKUTotalThreshold_important
}
elsewhere{
$percentageThreshold=$SKUPercentageThreshold_normal
$totalThreshold=$SKUTotalThreshold_normal
}
$minimumCount=(@([System.Math]::Roof($totalCount*$percentageThreshold/100),$totalThreshold)|Measure-Object-Minimum).Minimum
if($availableCount- l$minimumCount){
Add-Result- SKIN$SKU.skuId-Available number$availableCount- Minimum crowd$minimumCount
}
}
$superiorSKUs_organization=@{}
for each($referenceSKUin$organizationSKU){
for each($differenceSKUin$organizationSKU|Where-Object{$_.skuId- is$referenceSKU.skuId}){
if($null- is($referenceServicePlans=$referenceSKU.Service Plans|Where-Object{$_.applies to-ex'User'})-and
$null- is($differenceServicePlans=$differenceSKU.Service Plans|Where-Object{$_.applies to-ex'User'})){
if($null- is($comparisonSKU=Comparison-Object-Reference object$referenceServicePlans.servicePlanId-Object of difference$differenceServicePlans.servicePlanId-Include equal)-and
$comparisonSKU.Side marker- contains'=='-and
$comparisonSKU.Side marker-does not contain'=>'){
if(-not$superiorSKUs_organization.ContainsKey($differenceSKU.skuId)){
$superiorSKUs_organization.Addition($differenceSKU.skuId,[System.Collections.Generic.List[driver]]::young())
}
$superiorSKUs_organization[$differenceSKU.skuId].Addition($referenceSKU.skuId)
}
}
}
}
Write a message"Found $($superiorSKUs_organization.Count) SKU matches for organization, excluding $($organizationSKUs.Count) SKUs"
#endregion

#region: Users
$userCount=0
$URI='https://graph.microsoft.com/v1.0/users?$select=id,licenseAssignmentStates,userPrincipalName&$top={0}'- eat$pageSize
while($null- is$URI){
# Retrieve users
$data=Invoke-MgGraphRequest-MethodI GET-Houri$URI
$users=[System.Collections.Generic.List[hashtable]]::young([hashtable[]]($data.value))
$userCount+=$users.count
$URI=$data['@odata.nextLink']
# Analyze users
for each($userin$users){
if($user.LicenseAssignmentStates.count-gt0){
if($null- is($userSKUAsignments=$user.LicenseAssignmentStates|Where-Object{$_.condition-ex'Active'-the$_.error-in@('Count Violation','Mutually Exclusive Violation')})){
$userSKU=$userSKUAsignments.skuId
}
elsewhere{
$userSKU=@()
}
if($null- is($count Violations=$user.LicenseAssignmentStates|Where-Object{$_.error-ex'Count Violation'})){
for each($count Violationin$count Violations.skuId|Option-Object-Unique){
$results['SKU'][$count Violation]['availableCount']-=1
}
}
# Identify interchangeable SKUs, based on specifications
$userSKUs_interchangeable=@()
if($null- is$userSKU){
if($null- is($comparison_interchangeable=Comparison-Object-Reference object$userSKU-Object of difference$InterchangeableSKU-They are excluded otherwise-Include equal)){
$userSKUs_interchangeable=@($comparison_interchangeable.Input object)
}
}
# Identify SKUs that can be optimized, based on organization-wide calculations
if($null- is($comparison_replaceableOrganization=$userSKU|Where-Object{$_-in$superiorSKUs_organization.Keys}|ForEach-Object{$superiorSKUs_organization[$_]})){
$userSKUs_optimizable=Comparison-Object-Reference object$userSKU-Object of difference$comparison_replaceableOrganization-They are excluded otherwise-Include equal|ForEach-Object{$superiorSKU=$_.Input object;$superiorSKUs_organization.Keys|Where-Object{$superiorSKUs_organization[$_]- contains$superiorSKU}}|Where-Object{$_-in$userSKU}|Option-Object-Unique
}
elsewhere{
$userSKUs_optimizable=$null
}
# Determine removable SKUs, based on user-level calculations
$skuid_enabledPlans=@{}
for each($ howeverin$user.LicenseAssignmentStates.however|Where-Object{$organizationSKU.skuId- contains$_}|Option-Object-Unique){
if(-not$skuid_enabledPlans.ContainsKey($ however)){
$skuid_enabledPlans.Addition($ however,[System.Collections.Generic.List[driver]]::young())
}
for each($assignmentin$user.LicenseAssignmentStates|Where-Object{$_.however-ex$ however}){
$skuid_enabledPlans[$ however].AddRange([guide[]]@((($organizationSKU|Where-Object{$_.however-ex$ however}).Service Plans|Where-Object{$_.servicePlanId- swimming$assignment.disabledPlans-and$_.applies to-ex'User'}).servicePlanId))
}
}
$superiorSKUs_user=@{}
for each($referenceSKUin$skuid_enabledPlans.Keys){
for each($differenceSKUin$skuid_enabledPlans.Keys|Where-Object{$_- is$referenceSKU}){
if($null- is($referenceServicePlans=$skuid_enabledPlans[$referenceSKU])-and
$null- is($differenceServicePlans=$skuid_enabledPlans[$differenceSKU])){
if($null- is($comparisonSKU=Comparison-Object-Reference object$referenceServicePlans-Object of difference$differenceServicePlans-Include equal)-and
$comparisonSKU.Side marker- contains'=='-and
$comparisonSKU.Side marker-does not contain'=>'){
if(-not$superiorSKUs_user.ContainsKey($differenceSKU)){
$superiorSKUs_user.Addition($differenceSKU,[System.Collections.Generic.List[driver]]::young())
}
$superiorSKUs_user[$differenceSKU].Addition($referenceSKU)
}
}
}
}
if($null- is($comparison_replaceableUser=$userSKU|Where-Object{$_-in$superiorSKUs_user.Keys}|ForEach-Object{$superiorSKUs_user[$_]})){
$userSKUs_removable=Comparison-Object-Reference object$userSKU-Object of difference$comparison_replaceableUser-They are excluded otherwise-Include equal|ForEach-Object{$superiorSKU=$_.Input object;$superiorSKUs_user.Keys|Where-Object{$superiorSKUs_user[$_]- contains$superiorSKU}}|Where-Object{$_-in$userSKU}|Option-Object-Unique
}
elsewhere{
$userSKUs_removable=$null
}
# Add results
if($userSKUs_interchangeable.count-gt1){
Write a message"Found $($userSKUs_interchangeable.Count) interchangeable SKUs for user $($user.userPrincipalName)"
Add-Result-UserPrincipalName$user.userPrincipalName-ConflictTypeExchangeable-ConflictSKU$userSKUs_interchangeable
}
if($null- is$userSKUs_optimizable){
Write a message"Found $(@($userSKUs_optimizable).Count) optimizeable SKUs for user $($user.userPrincipalName)"
Add-Result-UserPrincipalName$user.userPrincipalName-ConflictTypeOptimizeable-ConflictSKU$userSKUs_optimizable
}
if($null- is$userSKUs_removable){
Write a message"Found $(@($userSKUs_removable).Count) removable SKUs for user $($user.userPrincipalName)"
Add-Result-UserPrincipalName$user.userPrincipalName-ConflictTypeTransposable-ConflictSKU$userSKUs_removable
}
}
}
}
Write a message"Analyze $userCount users"
#endregion

#region: Advanced
if($AdvancedCheckups){
$AADP1Users=[System.Collections.Generic.List[driver]]::young()
$AADP2 Users=[System.Collections.Generic.List[driver]]::young()
$ATPUsers=[System.Collections.Generic.List[driver]]::young()
# Azure AD P1 based on groups using dynamic user subscription
$dynamicGroupCount=0
$URI='https://graph.microsoft.com/v1.0/groups?$filter=groupTypes/any(x:x eq ''DynamicMembership'')&$select=id,membershipRule&$top={0}'- eat$pageSize
while($null- is$URI){
# Retrieve dynamic groups
$data=Invoke-MgGraphRequest-MethodI GET-Houri$URI
$dynamicGroups=[System.Collections.Generic.List[hashtable]]::young([hashtable[]]($data.value))
$dynamicGroupCount+=$dynamicGroups.count
$URI=$data['@odata.nextLink']
# Analyze dynamic groups
if($null- is($dynamicUserGroups=$dynamicGroups|Where-Object{$_.Membership rule-like'*user.*'})){
$AADP1Users.AddRange((Get-AADGroupMembers-GroupIDs$dynamicUserGroups.ID card))
}
}
Write a message"Analyze dynamic groups $dynamicGroupCount"
# Azure AD P1 based applications that use group-based delegation
$applicationCount=0
$URI='https://graph.microsoft.com/v1.0/servicePrincipals?$filter=accountEnabled eq true και appRoleAssignmentRequired eq true και servicePrincipalType eq ''Application''&$top={0}&$count=true'- eat$pageSize
while($null- is$URI){
# Recover applications
$data=Invoke-MgGraphRequest-MethodI GET-Houri$URI-Heads@{'Consistency Level'='contingent'}
$apps=[System.Collections.Generic.List[hashtable]]::young([hashtable[]]($data.value))
$applicationCount+=$apps.count
$URI=$data['@odata.nextLink']
# Analyze applications
for each($applicationin$apps){
$applicationData=Invoke-MgGraphRequest-MethodI GET-Houri('https://graph.microsoft.com/v1.0/servicePrincipals/{0}?$expand=appRoleAssignedTo&$select=id,appRoleAssignedTo'- eat$application.ID card)
if($null- is($applicationGroups=$applicationData.appRoleAssignedTo|Where-Object{$_.Mr. Press-ex'Club'})){
$AADP1Users.AddRange((Get-AADGroupMembers-GroupIDs$applicationGroups.principalId))
}
}
}
Write a message"$applicationCount analyzed applications"
# Azure AD P1/P2 based on users covered by Conditional Access
$CAAADP1Policies=[System.Collections.Generic.List[driver]]::young()
$CAAADP2Policies=[System.Collections.Generic.List[driver]]::young()
$conditionalAccessPolicyCount=0
$URI='https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies?$select=id,conditions,state'
while($null- is$URI){
# Retrieve conditional access policies
$data=Invoke-MgGraphRequest-MethodI GET-Houri$URI
$conditionalAccessPolicies=[System.Collections.Generic.List[hashtable]]::young([hashtable[]]($data.value))
$conditionalAccessPolicyCount+=$conditionalAccessPolicies.count
$URI=$data['@odata.nextLink']
# Analyze conditional access policies
if($null- is($CAPolicies=$conditionalAccessPolicies|Where-Object{$_.condition-ex"activated"-and$_.conditions.userRiskLevels.count-ex0-and$_.conditions.signInRiskLevels.count-ex0})){
$CAAADP1Policies.AddRange([guide[]]$CAPolicies.ID card)
}
if($null- is($CAPolicies=$conditionalAccessPolicies|Where-Object{$_.condition-ex"activated"-and($_.conditions.userRiskLevels.count-gt0-the$_.conditions.signInRiskLevels.count-gt0)})){
$CAAADP2Policies.AddRange([guide[]]$CAPolicies.ID card)
}
}
Write a message"Found $(@($CAAADP1Policies).Count) conditional access policies from $conditionalAccessPolicyCount policies"
Write a message"Found $(@($CAAADP2Policies).Count) risk-based conditional access policies, from $conditionalAccessPolicyCount policies"
$CAAADP1Users=[System.Collections.Generic.List[driver]]::young()
$CAAADP2Users=[System.Collections.Generic.List[driver]]::young()
$signInCount=0
$today=[date time]::Today
if(($today.Day of the WEEK-[System.DayOfWeek]::Friday)- l1){
$secondTimespanEnd=$today.AddDays(-($today.Day of the WEEK-[System.DayOfWeek]::Friday+7))
}
elsewhere{
$secondTimespanEnd=$today.AddDays(-($today.Day of the WEEK-[System.DayOfWeek]::Friday))
}
$secondTimespanStart=$secondTimespanEnd.AddDays(-4)
$firstTimespanEnd=$secondTimespanEnd.AddDays(-14)
$firstTimespanStart=$secondTimespanEnd.AddDays(-18)
$URI='https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=(conditionalAccessStatus eq ''success'' or conditionalAccessStatus eq ''failure'') and ((createdDateTime ge {0} and createdDateTime le {1}) or (createdDateTime ge {2} and createdDateTime le {3}))&$top={4}'- eat$firstTimespanStart.ToString('yyyy-MM-ddT12:00:00H'),$firstTimespanEnd.ToString('yyyy-MM-ddT12:00:00H'),$secondTimespanStart.ToString('yyyy-MM-ddT12:00:00H'),$secondTimespanEnd.ToString('yyyy-MM-ddT12:00:00H'),$pageSize
while($null- is$URI){
# Retrieve conditional access links
$data=Invoke-MgGraphRequest-MethodI GET-Houri$URI
$signIns=[System.Collections.Generic.List[hashtable]]::young([hashtable[]]($data.value))
$signInCount+=$signIns.count
$URI=$data['@odata.nextLink']
# Parse conditional access connections
for each($signInin$signIns){
if($null- is($appliedCAPolicies=$signIn.Conditional Access Policies applied|Where-Object{$_.result-in@('success','failure')})){
if($null- is$CAAADP1Policies){
if($null- is(Comparison-Object-Reference object$appliedCAPolicies.ID card-Object of difference$CAAADP1Policies-They are excluded otherwise-Include equal)){
$CAAADP1Users.Addition($signIn.user ID)
}
}
if($null- is$CAAADP2Policies){
if($null- is(Comparison-Object-Reference object$appliedCAPolicies.ID card-Object of difference$CAAADP2Policies-They are excluded otherwise-Include equal)){
$CAAADP2Users.Addition($signIn.user ID)
}
}
}
}
}
Write a message"Found $(@($CAAADP1Users | Select-Object -Unique).Count) users with basic conditional access logins, based on $signInCount logins"
Write a message"Found $(@($CAAADP2Users | Select-Object -Unique).Count) users with risk-based conditional access logins, based on $signInCount logins"
$AADP1Users.AddRange([guide[]]@($CAAADP1Users|Option-Object-Unique))
$AADP2 Users.AddRange([guide[]]@($CAAADP2Users|Option-Object-Unique))
Subtraction-Variable'CAAADP1Policies','CAAADP2Policies','CAAADP1 Users','CAAADP2Users'-Power
# Azure AD P2 based on users in Privileged Identity Management scope
$eligibleRoleMembers=[System.Collections.Generic.List[hashtable]]::young()
$URI="https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilitySchedules?$select=principalId,scheduleInfo"
while($null- is$URI){
$data=Invoke-MgGraphRequest-MethodI GET-Houri$URI
$eligibleRoleMembers.AddRange([hashtable[]]($data.value))
$URI=$data['@odata.nextLink']
}
if($eligibleRoleMembers.count-gt0){
if($null- is($actuallyEligibleRoleMembers=$eligibleRoleMembers|Where-Object{$_.schedule Information.startDateTime- The[date time]::Today-and($_.schedule Information.expiry.endDateTime-ge[date time]::Today-the$_.schedule Information.expiry.type-ex'No expiration')})){
$AADP2 Users.AddRange([guide[]]@($actuallyEligibleRoleMembers.principalId))
}
}
Write a message"Resolved $($eligibleRoleMembers.Count) eligible role assignments"
# Defender for Office 365 P1/P2 based on https://learn.microsoft.com/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#licensing-terms
$orgDomain=(Invoke-MgGraphRequest-MethodI GET-Houri"https://graph.microsoft.com/v1.0/organization?$select=verifiedDomains").value.verified domains|Where-Object{$_.is Initial-ex$truth}
try it{
switch($PSCmdlet.ParameterSetName){
"Azure Certificate"{
Connect-ExchangeOnline-AppId$ApplicationID-Certificate$azure certificate-Organization$orgDomain.name-CommandName$EXOCmdlets-ShowBanner:$false-ErrorActionTo stop
}
"Local Certificate"{
Connect-ExchangeOnline-AppId$ApplicationID-Certificate$Certificate-Organization$orgDomain.name-CommandName$EXOCmdlets-ShowBanner:$false-ErrorActionTo stop
}
'LocalCertificateThumbprint'{
Connect-ExchangeOnline-AppId$ApplicationID-Certificate imprint$CertificateThumbprint-Organization$orgDomain.name-CommandName$EXOCmdlets-ShowBanner:$false-ErrorActionTo stop
}
}
$exchangeAuthentication=$truth
Write a message"Authentication success with Exchange Online"-TypeA polyglot
}
arrest{
$exchangeAuthentication=$false
Write a message-Message"Authentication with Exchange Online failed"-TypeError
}
if($exchangeAuthentication){
if($null- is(Comparison-Object-Reference object$organizationSKU.Service Plans.servicePlanId-Object of difference@('f20fedf3-f3c3-43c3-8267-2bfdd51c0939','8e0c0a52-6a6c-4d40-8370-dd62790dcd70')-They are excluded otherwise-Include equal)){
# Protected mailboxes
if($null- is($organizationSKU|Where-Object{@($_.Service Plans.servicePlanId)- contains'8e0c0a52-6a6c-4d40-8370-dd62790dcd70'})){
$ATPvariant="DfOP2"
Write a message"Defender tenant specified for Office P2"
if($null- is($recipients=[pscustomobject[]]@(Get-EXORrecipient-Recipient Type Details$EXOTypes_user-Properties$EXOPProperties-Result sizeUnlimited)|Option-Object-Property$EXOPProperties)){
$ATPUsers.AddRange([guide[]]@($recipients.ExternalDirectoryObjectId))
Write a message"Found $($recipients.Count) affected/protected recipients"
}
}
elsewhere{
$ATPvariant="DfOP1"
Write a message"Found a Defender tenant for Office P1"
# Order of precedence according to https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide#order-of-precedence- for -predefined-security-policies-and-other-policies
$matchedRecipients=[System.Collections.Generic.List[driver]]::young()
# Handle strict protection rules
if($null- is($strictProtectionRule=Get-ATPPprotectionPolicyRule-ID card"Strict predefined security policy"-ConditionEnabled-ErrorActionSilently Continue)){
Write a message"Strict ATP Rule"
if($null- is($recipients=Get-ATPRrecipients-IncludedUsers$strictProtectionRule.They are shipped-Included groups$strictProtectionRule.SentToMemberOf-IncludedDomains$strictProtectionRule.RecipientDomainIs-ExcludedUsers$strictProtectionRule.Unless Shipped-Excluded Groups$strictProtectionRule.Unless SentToMemberOf-ExcludedDomains$strictProtectionRule.ExceptIfRecipientDomainIs|Where-Object{$_.ExternalDirectoryObjectId- swimming$matchedRecipients})){
$matchedRecipients.AddRange([guide[]]@($recipients.ExternalDirectoryObjectId))
$ATPUsers.AddRange([guide[]]@($recipients.ExternalDirectoryObjectId))
Write a message"Found $($recipients.Count) affected/protected recipients"
}
}
# Handle standard protection rule
if($null- is($standardProtectionRule=Get-ATPPprotectionPolicyRule-ID card"Standard Default Security Policy"-ConditionEnabled-ErrorActionSilently Continue)){
Write a message"ATP Standard Rule"
if($null- is($recipients=Get-ATPRrecipients-IncludedUsers$standardProtectionRule.They are shipped-Included groups$standardProtectionRule.SentToMemberOf-IncludedDomains$standardProtectionRule.RecipientDomainIs-ExcludedUsers$standardProtectionRule.Unless Shipped-Excluded Groups$standardProtectionRule.Unless SentToMemberOf-ExcludedDomains$standardProtectionRule.ExceptIfRecipientDomainIs|Where-Object{$_.ExternalDirectoryObjectId- swimming$matchedRecipients})){
$matchedRecipients.AddRange([guide[]]@($recipients.ExternalDirectoryObjectId))
$ATPUsers.AddRange([guide[]]@($recipients.ExternalDirectoryObjectId))
Write a message"Found $($recipients.Count) affected/protected recipients"
}
}
# Handle custom protection rules
for each($customAntiPhishPolicyinGet-AntiPhishPolicy|Where-Object{$_.ID card- is"Office 365 AntiPhish Default"-and$_.RecommendedPolicyType- swimming@('Role model','Strict')}){
if(($customAntiPhishRule=Get-AntiPhishRule|Where-Object{$_.AntiPhishPolicy-ex$customAntiPhishPolicy.ID card}).condition-ex'Enabled'){
Write a message"Custom ATP Anti-Phishing Policy "$($customAntiPhishPolicy.Name)""
if($null- is($recipients=Get-ATPRrecipients-IncludedUsers$customAntiPhishRule.They are shipped-Included groups$customAntiPhishRule.SentToMemberOf-IncludedDomains$customAntiPhishRule.RecipientDomainIs-ExcludedUsers$customAntiPhishRule.Unless Shipped-Excluded Groups$customAntiPhishRule.Unless SentToMemberOf-ExcludedDomains$customAntiPhishRule.ExceptIfRecipientDomainIs|Where-Object{$_.ExternalDirectoryObjectId- swimming$matchedRecipients})){
$matchedRecipients.AddRange([guide[]]@($recipients.ExternalDirectoryObjectId))
if($customAntiPhishPolicy.Enabled){
$ATPUsers.AddRange([guide[]]@($recipients.ExternalDirectoryObjectId))
Write a message"Found $($recipients.Count) affected, $($recipients.Count) protected recipients"
}
elsewhere{
Write a message"Found $($recipients.Count) affected, 0 protected recipients"
}
}
}
}
for each($customSafeAttachmentPolicyinGet-SafeAttachment Policy|Where-Object{$_.IsBuiltInProtection-ex$false-and$_.RecommendedPolicyType- swimming@('Role model','Strict')}){
if(($customSafeAttachmentRule=Get-SafeAttachmentRule|Where-Object{$_.SafeAttachmentPolicy-ex$customSafeAttachmentPolicy.ID card}).condition-ex'Enabled'){
Write a message"Custom ATP Safe Attachment Policy "$($customSafeAttachmentPolicy.Name)""
if($null- is($recipients=Get-ATPRrecipients-IncludedUsers$customSafeAttachmentRule.They are shipped-Included groups$customSafeAttachmentRule.SentToMemberOf-IncludedDomains$customSafeAttachmentRule.RecipientDomainIs-ExcludedUsers$customSafeAttachmentRule.Unless Shipped-Excluded Groups$customSafeAttachmentRule.Unless SentToMemberOf-ExcludedDomains$customSafeAttachmentRule.ExceptIfRecipientDomainIs|Where-Object{$_.ExternalDirectoryObjectId- swimming$matchedRecipients})){
$matchedRecipients.AddRange([guide[]]@($recipients.ExternalDirectoryObjectId))
if($customSafeAttachmentPolicy.allow){
$ATPUsers.AddRange([guide[]]@($recipients.ExternalDirectoryObjectId))
Write a message"Found $($recipients.Count) affected, $($recipients.Count) protected recipients"
}
elsewhere{
Write a message"Found $($recipients.Count) affected, 0 protected recipients"
}
}
}
}
for each($customSafeLinksPolicyinGet-SafeLinksPolicy|Where-Object{$_.IsBuiltInProtection-ex$false-and$_.RecommendedPolicyType- swimming@('Role model','Strict')}){
if(($customSafeLinksRule=Get-SafeLinksRule|Where-Object{$_.SafeLinksPolicy-ex$customSafeLinksPolicy.ID card}).condition-ex'Enabled'){
Write a message"ATP Custom Safe Links Policy "$($customSafeLinksPolicy.Name)""
if($null- is($recipients=Get-ATPRrecipients-IncludedUsers$customSafeLinksRule.They are shipped-Included groups$customSafeLinksRule.SentToMemberOf-IncludedDomains$customSafeLinksRule.RecipientDomainIs-ExcludedUsers$customSafeLinksRule.Unless Shipped-Excluded Groups$customSafeLinksRule.Unless SentToMemberOf-ExcludedDomains$customSafeLinksRule.ExceptIfRecipientDomainIs|Where-Object{$_.ExternalDirectoryObjectId- swimming$matchedRecipients})){
$matchedRecipients.AddRange([guide[]]@($recipients.ExternalDirectoryObjectId))
if($customSafeLinksPolicy.EnableSafeLinksForEmail-the$customSafeLinksPolicy.EnableSafeLinksForOffice-the$customSafeLinksPolicy.EnableSafeLinksForTeams){
$ATPUsers.AddRange([guide[]]@($recipients.ExternalDirectoryObjectId))
Write a message"Found $($recipients.Count) affected, $($recipients.Count) protected recipients"
}
elsewhere{
Write a message"Found $($recipients.Count) affected, 0 protected recipients"
}
}
}
}
# Handle built-in protection rule
Write a message"Built-in ATP Rule"
$builtinProtectionRule=Get-ATPBuiltInProtectionRule
if($null- is($recipients=Get-ATPRrecipients-IncludedUsers$builtinProtectionRule.They are shipped-Included groups$builtinProtectionRule.SentToMemberOf-IncludedDomains$builtinProtectionRule.RecipientDomainIs-ExcludedUsers$builtinProtectionRule.Unless Shipped-Excluded Groups$builtinProtectionRule.Unless SentToMemberOf-ExcludedDomains$builtinProtectionRule.ExceptIfRecipientDomainIs|Where-Object{$_.ExternalDirectoryObjectId- swimming$matchedRecipients})){
$matchedRecipients.AddRange([guide[]]@($recipients.ExternalDirectoryObjectId))
$ATPUsers.AddRange([guide[]]@($recipients.ExternalDirectoryObjectId))
Write a message"Found $($recipients.Count) affected/protected recipients"
}
}
}
elsewhere{
$ATPvariant='EEA'
Write a message"Exchange Online Protection tenant specified"
}
Disconnect-ExchangeOnline-Confirm:$false
}
# Add results
if($AADP1Users.count-gt0){
if($null- is($AADP1SKU=@($organizationSKU|Where-Object{@($_.Service Plans.servicePlanId)- contains'41781fb2-bc02-4b7c-bd55-b576c07bb09d'}))){
$AADP1Permissions=($AADP1SKU.prepaid units.activated|Measure-Object-Sum).sum
}
elsewhere{
$AADP1Permissions=0
}
$neededCount=($AADP1Users|Option-Object-Unique).count
Write a message"Found $neededCount needed, $AADP1Licenses activated AADP1 licenses"
if($AADP1Permissions- l$neededCount){
Add-Result-Design name'Azure Active Directory Premium P1'-EnabledCount$AADP1Permissions-NeededCount$neededCount
}
}
if($AADP2 Users.count-gt0){
if($null- is($AADP2SKU=@($organizationSKU|Where-Object{@($_.Service Plans.servicePlanId)- contains'eec0eb4f-6444-4f95-aba0-50c24d67f998'}))){
$AADP2 Permissions=($AADP2SKU.prepaid units.activated|Measure-Object-Sum).sum
}
elsewhere{
$AADP2 Permissions=0
}
$neededCount=($AADP2 Users|Option-Object-Unique).count
Write a message"Found $neededCount needed, $AADP2Licenses activated AADP2 licenses"
if($AADP2 Permissions- l$neededCount){
Add-Result-Design name'Azure Active Directory Premium P2'-EnabledCount$AADP2 Permissions-NeededCount$neededCount
}
}
if($ATPUsers.count-gt0){
$neededCount=($ATPUsers|Option-Object-Unique).count
switch($ATPvariant){
"DfOP1"{
$ATPSKA=@($organizationSKU|Where-Object{@($_.Service Plans.servicePlanId)- contains'f20fedf3-f3c3-43c3-8267-2bfdd51c0939'})
$ATPLicenses=($ATPSKA.prepaid units.activated|Measure-Object-Sum).sum
Write a message"Found $neededCount needed, $ATPLicenses activated DfOP2 licenses"
if($ATPLicenses- l$neededCount){
Add-Result-Design name"Microsoft Defender for Office 365 P1"-EnabledCount$ATPLicenses-NeededCount$neededCount
}
}
"DfOP2"{
$ATPSKA=@($organizationSKU|Where-Object{@($_.Service Plans.servicePlanId)- contains'8e0c0a52-6a6c-4d40-8370-dd62790dcd70'})
$ATPLicenses=($ATPSKA.prepaid units.activated|Measure-Object-Sum).sum
Write a message"Found $neededCount needed, $ATPLicenses activated DfOP2 licenses"
if($ATPLicenses- l$neededCount){
Add-Result-Design name"Microsoft Defender for Office 365 P2"-EnabledCount$ATPLicenses-NeededCount$neededCount
}
}
}
}
}
#endregion