PingCastleCloud 1.0.0.0

Author: vletoux

Analyzer/Analyzer.cs

@@ -336,6 +336,16 @@ private void AnalyzePolicies()
                     ExtractNetworkPolicy(policy);
                 }
             }
+
+            var ms = new MicrosoftGraph(new PRTCredential());
+            var authorizationPolicies = ms.GetAuthorizationPolicy();
+            if (authorizationPolicies != null && authorizationPolicies.Count > 0)
+            {
+                var authorizationPolicy = authorizationPolicies[0];
+                data.PolicyGuestUserRoleId = authorizationPolicy.guestUserRoleId;
+                data.PolicyAllowEmailVerifiedUsersToJoinOrganization = authorizationPolicy.allowEmailVerifiedUsersToJoinOrganization;
+            }
+
         }
 
         private void ExtractNetworkPolicy(GraphAPI.PolicyResponse policy)

Data/HealthCheckCloudData.cs

@@ -332,6 +332,10 @@ public class HealthCheckCloudData : JsonSerialization<HealthCheckCloudData>
         public bool UsersPermissionToCreateLOBAppsEnabled { get; set; }
         public bool UsersPermissionToReadOtherUsersEnabled { get; set; }
         public bool UsersPermissionToUserConsentToAppEnabled { get; set; }
+
+        public string PolicyGuestUserRoleId { get; set; }
+        public bool? PolicyAllowEmailVerifiedUsersToJoinOrganization { get; set; }
+
         public List<HealthCheckCloudDataForwardingMailboxes> ForwardingMailboxes { get; set; }
         public int GlobalScore { get; set; }
         public int MaturityLevel { get; set; }

PingCastleCloud.csproj

@@ -92,6 +92,10 @@
     <Compile Include="RESTServices\Azure\ProvisioningApi.cs" />
     <Compile Include="RESTServices\RESTClientBase.cs" />
     <Compile Include="Credentials\CertificateCredential.cs" />
+    <Compile Include="Rules\GuestUserAccessRestriction2.cs" />
+    <Compile Include="Rules\GuestUserAccessRestriction1.cs" />
+    <Compile Include="Rules\UserRegisterApplications.cs" />
+    <Compile Include="Rules\UserConsentCompanyData.cs" />
     <Compile Include="Rules\ADConnectVersion1.cs" />
     <Compile Include="Tokens\ChallengeResponse.cs" />
     <Compile Include="Tokens\CookieManager.cs" />
@@ -109,11 +113,6 @@
     <Compile Include="Rules\CustomRulesSettings.cs" />
     <Compile Include="Rules\RuleAttribute.cs" />
     <Compile Include="Rules\RuleBase.cs" />
-    <Compile Include="Rules\RuleDescription.Designer.cs">
-      <AutoGen>True</AutoGen>
-      <DesignTime>True</DesignTime>
-      <DependentUpon>RuleDescription.resx</DependentUpon>
-    </Compile>
     <Compile Include="Rules\RuleSet.cs" />
     <Compile Include="Tasks.cs" />
     <Compile Include="Template\TemplateManager.cs" />
@@ -126,8 +125,6 @@
   </ItemGroup>
   <ItemGroup>
     <EmbeddedResource Include="Rules\RuleDescription.resx">
-      <Generator>ResXFileCodeGenerator</Generator>
-      <LastGenOutput>RuleDescription.Designer.cs</LastGenOutput>
       <SubType>Designer</SubType>
     </EmbeddedResource>
     <EmbeddedResource Include="UI\AuthenticationDialog.resx">

Program.cs

@@ -219,7 +219,7 @@ private bool CheckCertificate()
             return true;
         }
 
-        const string basicEditionLicense = "PC2H4sIAAAAAAAEAO29B2AcSZYlJi9tynt/SvVK1+B0oQiAYBMk2JBAEOzBiM3mkuwdaUcjKasqgcplVmVdZhZAzO2dvPfee++999577733ujudTif33/8/XGZkAWz2zkrayZ4hgKrIHz9+fB8/In7NX+PX+DV+A/r/r/F7/nf/y/E/+m//mr82/drS/5/9GvWvkdN/6a9x+mvMfo2CPit+jerXWNLf1a9xTv++pL+Xv8bFr3Hya2S/RkPfltx279cY/xq7v8YO/btDf23T/19Q+5Z+ntPPmn5O6eeC/svprynByOjN9NdYE4z81wAaf9Cv8Wv8Gr/G7/Sn/jb/yh/67+R/SvL3/a9/4R/9F/9j//m/+uf+bqtf8J/8wskf80v+gu/+1v/e3/3yfzj9hf/ZF//HL/v9/vzf/S/O/ozf/2/9q17/y3/Qt36/v+Uf+11+q8e/8f/RFn/E3/vb/cPlT/1P//Cf9OPlP3H4Z/57v8bf/M9s/aK/47f6w7df/BG/8t/8U/6sp//Cf/pbfvVPfHr4t/yVP/hXfvvZr//X/zWXf0b7r/8rf9K/+Auyv+uf+XP+mfkf+ff+c7/L/wNcbrwUFAEAAA==";
+        const string basicEditionLicense = "PC2H4sIAAAAAAAEAO29B2AcSZYlJi9tynt/SvVK1+B0oQiAYBMk2JBAEOzBiM3mkuwdaUcjKasqgcplVmVdZhZAzO2dvPfee++999577733ujudTif33/8/XGZkAWz2zkrayZ4hgKrIHz9+fB8/In7NX+PX+DV+A/r/r/F7/g/Lf+v1v/Nr/tr068/Q/5/9GvWvkdN/6a9x+mvMfo3i12jp/9WvsaS/q1/jnP59SX8vf42LX+Pk18h+jYa+LantCf1b/Rprap/+Gru/xvjX2OH/p7/GNv3/BX3T0s9z+lnTzyn9XNB/Of01JVgZvZvSu82vkf8aQOcP+jV+jV/j1/7Ff9N/9i//Br/Hm3/37/on/4Lf+w/+k/+Kv+M/+c/+xeR//DP++U/+qn/iP9j/Lf62v/Ojv+DP+Wf/x//wJ37v5W99/p/+dn/WP/BPFP/323/wL/grR3/H3/e3PTj7p3+T13/er9y5m/0+f8PlH3v36X/76u5f9OS3/GP+9v/58tWf9E//Le2v8Ut/WfK3/FH/+O/wj/4F9/+gf+lP/1+//D9//7/uv/iVZ82f8zv9Cb/rn/0n/xl/8m/y2/+1v+/fOBv9Of8Pw8+pIRwBAAA=";
         string _serialNumber;
         public string GetSerialNumber()
         {

RESTServices/Azure/MicrosoftGraph.cs

@@ -16,7 +16,7 @@
 
 namespace PingCastleCloud.RESTServices
 {
-    [AzureService("535fb089-9ff3-47b6-9bfb-4f1264799865", "https://graph.microsoft.com")]
+    [AzureService("1b730954-1685-4b74-9bfd-dac224a7b894", "https://graph.microsoft.com")]
     public class MicrosoftGraph : RESTClientBase<MicrosoftGraph>, IAzureService
     {
         public MicrosoftGraph(IAzureCredential credential) : base(credential)
@@ -32,15 +32,45 @@ protected override string BuidEndPoint(string function, string optionalQuery)
             return builder.ToString();
         }
 
-        public string GetMe()
+        public GraphAPI.User GetMe()
         {
-            return CallEndPoint<string>("me");
+            return CallEndPoint<GraphAPI.User>("me");
+        }
+
+        public List<AuthorizationPolicy> GetAuthorizationPolicy()
+        {
+            return CallEndPointWithPaggingAsync<object, AuthorizationPolicy>("policies/authorizationPolicy", null).GetAwaiter().GetResult();
         }
 
         // message=Insufficient privileges to complete the operation.
         public string GetTenantRelationships(string tenantId)
         {
             return CallEndPoint<string>("tenantRelationships/findTenantInformationByTenantId(tenantId='" + tenantId + "')");
         }
+
+        public class AuthorizationPolicy
+        {
+            public string id { get; set; }
+            public string allowInvitesFrom { get; set; }
+            public bool allowedToSignUpEmailBasedSubscriptions { get; set; }
+            public bool allowedToUseSSPR { get; set; }
+            public bool allowEmailVerifiedUsersToJoinOrganization { get; set; }
+            public bool blockMsolPowerShell { get; set; }
+            public string description { get; set; }
+            public string displayName { get; set; }
+            public List<object> enabledPreviewFeatures { get; set; }
+            public string guestUserRoleId { get; set; }
+            public List<string> permissionGrantPolicyIdsAssignedToDefaultUserRole { get; set; }
+            public UserRolePermissions defaultUserRolePermissions { get; set; }
+        }
+
+        public class UserRolePermissions
+        {
+            public bool allowedToCreateApps { get; set; }
+            public bool allowedToCreateSecurityGroups { get; set; }
+            public bool allowedToCreateTenants { get; set; }
+            public bool allowedToReadBitlockerKeysForOwnedDevice { get; set; }
+            public bool allowedToReadOtherUsers { get; set; }
+        }
     }
 }

Rules/GuestUserAccessRestriction1.cs

@@ -0,0 +1,31 @@
+//
+// Copyright (c) Vincent LE TOUX for Ping Castle. All rights reserved.
+// https://www.pingcastle.com
+//
+// Licensed under the Non-Profit OSL. See LICENSE file in the project root for full license information.
+//
+using PingCastleCloud.Data;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace PingCastleCloud.Rules
+{
+    [RuleModel("GuestUserAccessRestriction1")]
+    [RuleComputation(RuleComputationType.TriggerOnPresence, 25)]
+    [RuleMaturityLevel(1)]
+    public class GuestUserAccessRestriction1 : RuleBase
+    {
+        protected override int? AnalyzeDataNew(HealthCheckCloudData healthCheckCloudData)
+        {
+            if (string.Equals(healthCheckCloudData.PolicyGuestUserRoleId, "a0b1b346-4d3e-4e8b-98f8-753987be4970", StringComparison.OrdinalIgnoreCase))
+            {
+                AddRawDetail(healthCheckCloudData.PolicyGuestUserRoleId);
+            }
+            return null;
+        }
+
+    }
+}

Rules/GuestUserAccessRestriction2.cs

@@ -0,0 +1,31 @@
+//
+// Copyright (c) Vincent LE TOUX for Ping Castle. All rights reserved.
+// https://www.pingcastle.com
+//
+// Licensed under the Non-Profit OSL. See LICENSE file in the project root for full license information.
+//
+using PingCastleCloud.Data;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace PingCastleCloud.Rules
+{
+    [RuleModel("GuestUserAccessRestriction2")]
+    [RuleComputation(RuleComputationType.TriggerOnPresence, 0)]
+    [RuleMaturityLevel(4)]
+    public class GuestUserAccessRestriction2 : RuleBase
+    {
+        protected override int? AnalyzeDataNew(HealthCheckCloudData healthCheckCloudData)
+        {
+            if (string.Equals(healthCheckCloudData.PolicyGuestUserRoleId, "10dae51f-b6af-4016-8d66-8c2a99b929b3", StringComparison.OrdinalIgnoreCase))
+            {
+                AddRawDetail(healthCheckCloudData.PolicyGuestUserRoleId);
+            }
+            return null;
+        }
+
+    }
+}