microsoft / compliancepartnerworkshops

Scripts and resources to support the Compliance Build-Intent engagements at https://aka.ms/mci/workshops

License: MIT License

PowerShell 100.00%
compliance mci purview workshop microsoft

compliancepartnerworkshops's Introduction

Project

Scripts and Files to support the Compliance Partner Build Intent Engagements.

EngagementPOEReport

Use the Engagement POE Report as part of the Data Security Engagement. Please see the delivery guide on how to use the output as part of the proof of execution. The most recent version is 3.0 (published Jan 2024). This version moves to a universal date format and is updated to support the most recent version of the Exchange PowerShell module with REST support (required to connect to Security and Compliance PowerShell as of Nov 2023).

V3.0 updates

  - Transition from Microsoft Graph PowerShell to Exchange Online PowerShell
  - Signed script (the file should have 549 lines including trailing blank line after digital signature)
  - A zip file version of the script is also available in the repository (EngagementPOEReport.zip)

Current issues or limitations

  1. The current version has only been tested against Commercial Office 365 tenants. If you need to connect to a GCC or regional (China / Germany) tenant, please update the PowerShell connection strings inside the code.

ComplianceActivationAssessment

Use the ComplianceActivationAssessment.ps1 file as part of the Protect and Govern Sensitive Data Activator. Follow the instructions in the workshop guide, run the script, and include the output of the report as part of your final results for your customer.

Current Issues and Limitations

  1. The ComplianceActivationAssessment Report has only been tested against Commercial Office 365 tenants. If you need to connect to a GCC or regional (China / Germany) tenant, please update the PowerShell connection strings inside the code.
  2. Scripts have only been tested against English/Unicode languages.
  3. License friendly names MAY not exist for non-commercial license SKUs.

WorkshopPOEReport

Use the workshoppoereport.ps1 file as part of the Protect and Govern Sensitive Data Activator. Follow the instructions in the workshop guide, run the script, and include the output of the report as part of your final results for your customer.

Current Issues and Limitations:

  1. The WorkshopPOE Report only works against Commercial Office 365 tenants. If you need to connect to a GCC or regional (China / Germany) tenant, please update the PowerShell connection strings inside the code.
  2. The WorkshopPOE Report currently uses the AzureAD PowerShell module. It will be updated to GraphAPI in a future version.
  3. Scripts have only been tested against English/Unicode languages.

ComplianceEnvrionmentPrep

Use the complianceenvriomentprep.ps1 file as part of the Mitigate Compliance and Privacy Risks Activator. Follow the instructions in the workshop guide and run the script to prepare the isolated Microsoft 365 Developer Tenant.

Current Issues and Limitations:

  1. The ComplianceEnvriomentPrep script is designed to be used against tenants that are provisioned as part of the Microsoft 365 Developer Subscription. It has not been tested against other Microsoft 365 environments.
  2. Use the startup switch '-debug' to enable basic logging and get an output of information logged to the screen.
  3. Scripts have only been tested against English/Unicode languages.

Other Files

The additional files in this repository are developed for the Mitigate Compliance and Privacy Risks Activator. Please refer to the engagement master delivery guide on how to leverage them

  1. Rulepack.xml - Custom sensitive information type rule pack
  2. DeleteFileFlow.zip - Power Automate Flow
  3. FileCopyFlow.zip - Power Automate Flow
  4. FileCreationFlow.zip - Power Automate Flow
  5. Mark8.zip - Sample files

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

compliancepartnerworkshops's People

Contributors

jimbanach, microsoftopensource, mrboogiee

compliancepartnerworkshops's Issues

Start-Process $outputfile is not allowed with a limited user on MacOS

Start-Process $outputfile is not allowed with a limited user on MacOS:

Start-Process: /Users/<user>/CompliancePartnerWorkshops/ComplianceActivationAssessment.ps1:700
Line |
 700 |  Start-Process $outputfile
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~
     | An error occurred trying to start process '/Users/<user>/CompliancePartnerWorkshops/ActivationReport_2023022344.html' with working directory
     | '/Users/<user>/CompliancePartnerWorkshops'. Permission denied

ClientId              : <clientid>
TenantId              : <tenantid>
CertificateThumbprint :
Scopes                : {Directory.AccessAsUser.All, Directory.Read.All, openid, Organization.Read.All…}
AuthType              : Delegated
AuthProviderType      : InteractiveAuthenticationProvider
CertificateName       :
Account               : user@domain.com
AppName               : Microsoft Graph PowerShell
ContextScope          : CurrentUser
Certificate           :
PSHostVersion         : 7.3.2
ClientTimeout         : 00:05:00

Get-MGUserLicenseReport doesn't work on non-Windows OS-es

Probably should get fixed with the new Graph modules that are currently being built but Get-MGUserLicenseReport fails on non-Windows OS-es with the following errors (aside that, it should probably be reported in another repo, but it affects your script):

Join-Path: Cannot bind argument to parameter 'Path' because it is null.
Out-File: Cannot bind argument to parameter 'FilePath' because it is null.
Join-Path: /Users/<user>/.local/share/powershell/Modules/MSOLLicenseManagement/3.0.4/Cmdlet/Get-MGUserLicenseReport.ps1:210
Line |
 210 |          $RootPath = Join-path $env:LOCALAPPDATA ("License_Report_" +  …
     |                                ~~~~~~~~~~~~~~~~~
     | Cannot bind argument to parameter 'Path' because it is null.

Module not working with disabled WinRM Basic Authentication

Hi,

A customer of mine has disabled WinRM Basic Authentication on their clients via Group Policy, therefore trying to do a Connect-IPPSSession does not connect with error:

Connecting to Security & Compliance Center. Please logon in the new window
WARNING: Please note that you can only use above 9 new EXO cmdlets (the one with *-EXO* naming pattern).You can't use other cmdlets as we couldn't establish a Remote PowerShell session as basic auth is disabled in your client machine. To enable Basic Auth, please check instruction here https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps#prerequisites-for-the-exo-v2-module
Create Powershell Session is failed using OAuth
At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.1.0\netFramework\ExchangeOnlineManagement.psm1:733 char:21
+                     throw $_.Exception;
+                     ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], Exception
    + FullyQualifiedErrorId : Create Powershell Session is failed using OAuth

Based on the current documentation (afaik) LearnWebSite - there is currently no way around this even with the V3 ExchangePowerShell Module.

Is there any way to run this compliance report without enabling basic authentication?

BG Christoph

ComplianceActivationAssessment.ps1 libraries not identified

When running the ComplianceActivationAssessment.ps1 script, the libraries are not being recognized because they have been discontinued. I am delivering the Workshops Usage Protect and Govern Sensitive data and the Usage Mitigate Compliance and Privacy Risks. I kindly need the updated script or the download path for the libraries.

Error Connecting to Remote Server

Hi,
When attempting to run the script, we are getting the following error:
Connecting to remote server nam10b.ps.compliance.protection.outlook.com failed with the following error message : For more information, see the about_Remote_Troubleshooting Help topic.
At C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.1.0\netFramework\ExchangeOnlineManagement.psm1:733 char:21

+                     throw $_.Exception;
+                     ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : System.Management.Automation.Remoting.PSRemotingDataStructureException

We are correctly logging into the O365 and authenticating with MFA. Can you verify that the code is still correct?

Several bugs / problems in EngagementPOEReports.ps1

Given that this script is provided from Microsoft to partners to be run on customer's sites, I (representing a customer) am somewhat disappointed, as I had to fix the script before it was able to give the intended results. Some of it was certainly due to the fact that I generally use StrictMode enabled, but it would be good form to prepare for that, I think. (Or at least check for or explicitly disable StrictMode during the script run).

We have been using version 3.0 of the script.

  1. The script is gathering ALL compliance searches (and DLP policies) in the tenant. Given that the MS engagement provides naming conventions for those objects created during the engagement, it should be easy to filter for them. The other existing searches etc. are of no concern to Microsoft and should not be part of the report.
  2. Around line 246, a variable $coveredsits is used that is defined nowhere. With StrictMode enabled, the whole $itemtable and consequently the $POEChart cannot be created because of that, even though the rest of the data is there.
  3. Around line 290, the variables $IsMacOS and $IsLinux also are nowhere defined (I assume they will not magically be set to true on a Mac or Linux system?), so again, with StrictMode enabled, the whole if / then fails, and one has to find and open the created HTML report manually.
  4. "Section 2" of the script, around line 230, seems a little illogical: First you get all Compliance searches into $search, and in the next line, when going through these searches, you again get them one by one from the API, when the objects are already in the array. Especially given that Get-ComplianceSearch is not really fast, this is quite unnecessary.

I hope this helps in improving the script, so it can run more smoothly for future engagements.

Best regards
Sascha Seipp
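
An added example (not code from the repository or from the issue's author) of StrictMode-safe patterns for points 1 to 3 of the issue above: filtering by name prefix, initialising accumulators before use, and testing platform variables without referencing an undefined name. The `ENGAGEMENT-` prefix, the function names and the sample objects are assumptions constructed for illustration.

```powershell
Set-StrictMode -Version Latest

# Constructed sample objects standing in for the result of one Get-ComplianceSearch call.
$searches = @(
    [pscustomobject]@{ Name = 'ENGAGEMENT-Finance'; Status = 'Completed' }
    [pscustomobject]@{ Name = 'Legal hold 2021';    Status = 'Completed' }
    [pscustomobject]@{ Name = 'ENGAGEMENT-HR';      Status = 'Completed' }
)

function Select-EngagementObject {
    # Keep only objects whose Name starts with the engagement prefix, so that
    # unrelated tenant objects never reach the report.
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $InputObject,
        [Parameter(Mandatory)] [string] $Prefix  # placeholder; use the delivery guide's convention
    )
    $pattern = [System.Management.Automation.WildcardPattern]::Escape($Prefix) + '*'
    @($InputObject | Where-Object { $_.Name -like $pattern })
}

function Test-AutomaticVariable {
    # True only if the variable exists and is $true. Get-Variable with
    # -ErrorAction Ignore returns nothing for an undefined name, so this does
    # not throw under StrictMode on hosts that lack the variable.
    param([Parameter(Mandatory)] [string] $Name)
    $var = Get-Variable -Name $Name -ErrorAction Ignore
    ($null -ne $var) -and ($var.Value -eq $true)
}

function Get-ReportOpener {
    # Name of the command a caller would use to open the HTML report.
    if (Test-AutomaticVariable -Name 'IsMacOS')     { 'open' }
    elseif (Test-AutomaticVariable -Name 'IsLinux') { 'xdg-open' }
    else                                            { 'Start-Process' }
}

# Initialise the accumulator before the loop so StrictMode never sees an unset name.
$itemTable = [System.Collections.Generic.List[object]]::new()
foreach ($s in Select-EngagementObject -InputObject $searches -Prefix 'ENGAGEMENT-') {
    $itemTable.Add([pscustomobject]@{ Search = $s.Name; Status = $s.Status })
}

$itemTable | Format-Table
"Open the report with: $(Get-ReportOpener)"
```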

Differences in reports

What is the difference between the WorkshopPOEReport script and the EngagementPOEReport script? They have the same synopsis.
