Merge pull request #27 from AzureAD/preview

Promote Preview to Prod

.gitignore

@@ -328,3 +328,4 @@ ASALocalRun/
 
 # MFractors (Xamarin productivity tool) working folder 
 .mfractor/
+.DS_Store

Launch-PSModule.ps1

@@ -26,7 +26,9 @@ else {
         param ([string]$ModulePath, [scriptblock]$PostImportScriptBlock)
         ## Force WindowsPowerShell to load correct version of built-in modules when launched from PowerShell 6+
         if ($PSVersionTable.PSEdition -eq 'Desktop') { Import-Module 'Microsoft.PowerShell.Management', 'Microsoft.PowerShell.Utility', 'CimCmdlets' -MaximumVersion 5.9.9.9 }
-        Import-Module $ModulePath -PassThru
+        Import-Module $ModulePath -PassThru -ArgumentList @{
+            'ai.instrumentationKey' = 'f7c43a96-9493-41e3-ad62-4320f5835ce2'
+        }
         Invoke-Command -ScriptBlock $PostImportScriptBlock -NoNewScope
     }
     $strScriptBlock = 'Invoke-Command -ScriptBlock {{ {0} }} -ArgumentList {1}, {{ {2} }}' -f $ScriptBlock, $ModuleManifestPath, $PostImportScriptBlock

build/Update-PSModuleManifest.ps1

@@ -34,7 +34,7 @@ $paramUpdateModuleManifest['AliasesToExport'] = $ModuleManifest.AliasesToExport
 [System.IO.DirectoryInfo] $ModuleOutputDirectoryInfo = $ModuleManifestFileInfo.Directory
 
 ## Get Module Output FileList
-$ModuleFileListFileInfo = Get-ChildItem $ModuleOutputDirectoryInfo.FullName -Recurse -File -Exclude '*.dll'
+$ModuleFileListFileInfo = Get-ChildItem $ModuleOutputDirectoryInfo.FullName -Recurse -File
 $ModuleRequiredAssembliesFileInfo = $ModuleFileListFileInfo | Where-Object Extension -eq '.dll'
 
 ## Get Paths Relative to Module Base Directory
@@ -51,8 +51,6 @@ if (!$SkipRequiredAssemblies -and $ModuleRequiredAssembliesFileInfo) {
 (Get-Content $ModuleManifestFileInfo.FullName -Raw) -replace "(?s)RequiredAssemblies\ =\ @\([^)]*\)", "# RequiredAssemblies = @()" | Set-Content $ModuleManifestFileInfo.FullName
 (Get-Content $ModuleManifestFileInfo.FullName -Raw) -replace "(?s)FileList\ =\ @\([^)]*\)", "# FileList = @()" | Set-Content $ModuleManifestFileInfo.FullName
 
-Install-Module MSAL.PS -Force -SkipPublisherCheck -Repository PSGallery -AcceptLicense
-
 ## Install Module Dependencies
 foreach ($Module in $ModuleManifest.RequiredModules) {
     if ($Module -is [hashtable]) { $ModuleName = $Module.ModuleName }

build/azure-pipelines/azure-pipelines-cd.yml

@@ -15,7 +15,7 @@ parameters:
 - name: vmImage
   displayName: 'Pool Image'
   type: string
-  default: windows-latest
+  default: ubuntu-latest
   values:
   - windows-latest
   - ubuntu-latest
@@ -41,6 +41,8 @@ stages:
   - job: Prepare
     variables:
       skipComponentGovernanceDetection: true
+    pool:
+      vmImage: 'windows-latest'
     steps:
     #- checkout: none
     - download: CI

build/azure-pipelines/azure-pipelines-ci.yml

@@ -5,7 +5,7 @@ parameters:
 - name: vmImage
   displayName: 'Pool Image'
   type: string
-  default: 'windows-latest'
+  default: 'ubuntu-latest'
   values:
   - windows-latest
   - ubuntu-latest

src/AzureADAssessment.psd1

@@ -50,7 +50,7 @@ PowerShellVersion = '5.1'
 
 # Modules that must be imported into the global environment prior to importing this module
 RequiredModules = @(
-    @{ ModuleName = 'MSAL.PS'; Guid = 'c765c957-c730-4520-9c36-6a522e35d60b'; ModuleVersion = '4.10.0.1' }
+    @{ ModuleName = 'MSAL.PS'; Guid = 'c765c957-c730-4520-9c36-6a522e35d60b'; ModuleVersion = '4.36.1.2' }
     #@{ ModuleName = 'Microsoft.Graph.Authentication'; Guid = '883916f2-9184-46ee-b1f8-b6a2fb784cee'; ModuleVersion = '1.1.0' }
     #@{ ModuleName = 'AzureAD'; Guid = 'd60c0004-962d-4dfb-8d28-5707572ffd00'; ModuleVersion = '2.0.0.55' }
 )
@@ -77,7 +77,10 @@ NestedModules = @(
     '.\internal\ConvertFrom-Base64String.ps1'
     '.\internal\ConvertFrom-QueryString.ps1'
     '.\internal\ConvertTo-QueryString.ps1'
+    '.\internal\Expand-GroupTransitiveMembership.ps1'
     '.\internal\Expand-JsonWebTokenPayload.ps1'
+    '.\internal\Expand-MsGraphRelationship.ps1'
+    '.\internal\Expand-ODataId.ps1'
     '.\internal\Export-Config.ps1'
     '.\internal\Export-EventLog.ps1'
     '.\internal\Export-JsonArray.ps1'
@@ -86,6 +89,7 @@ NestedModules = @(
     '.\internal\Format-Csv.ps1'
     '.\internal\Get-AadObjectById.ps1'
     '.\internal\Get-ObjectPropertyValue.ps1'
+    '.\internal\Get-SpreadsheetJson.ps1'
     '.\internal\Import-Config.ps1'
     '.\internal\New-AadReferencedIdCache.ps1'
     '.\internal\New-AppInsightsTelemetry.ps1'
@@ -100,6 +104,7 @@ NestedModules = @(
     '.\internal\Write-AppInsightsException.ps1'
     '.\internal\Write-AppInsightsRequest.ps1'
     '.\internal\Write-AppInsightsTrace.ps1'
+    '.\internal\Write-RecommendationsReport.ps1'
     '.\AzureADAssessmentPortable.psm1'
     '.\Complete-AADAssessmentReports.ps1'
     '.\Connect-AADAssessment.ps1'
@@ -112,6 +117,10 @@ NestedModules = @(
     '.\Get-AADAssessConsentGrantReport.ps1'
     '.\Get-AADAssessNotificationEmailsReport.ps1'
     '.\Invoke-AADAssessmentDataCollection.ps1'
+    '.\New-AADAssessmentRecommendations.ps1'
+    '.\Export-AADASsessmentRecommendations.ps1'
+    '.\Import-AADAssessmentEvidence.ps1'
+    '.\analysis\AccessManagement\AuthenticationExperience\Test-AADAssessmentEmailOtp.ps1'
 )
 
 # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
@@ -134,6 +143,9 @@ FunctionsToExport = @(
     'Get-AADAssessAppProxyConnectorLog'
     'Get-AADAssessPasswordWritebackAgentLog'
     'Get-MsGraphResults'
+    'New-AADAssessmentRecommendations'
+    'Export-AADAssessmentRecommendations'
+    'Test-AADAssessmentEmailOtp'
 )
 
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.

src/AzureADAssessment.psm1

@@ -28,7 +28,7 @@ if ($PSBoundParameters.ContainsKey('ModuleConfiguration')) { Set-Config $ModuleC
 ## Initialize Module Variables
 $script:ConnectState = @{
     ClientApplication = $null
-    CloudEnvironment  = $null
+    CloudEnvironment  = 'Global'
     MsGraphToken      = $null
     AadGraphToken     = $null
 }
@@ -56,6 +56,20 @@ $script:mapMgEnvironmentToAzureEnvironment = @{
     'USGov'    = 'AzureUSGovernment'
     'USGovDoD' = 'AzureUsGovernment'
 }
+$script:mapMgEnvironmentToAadRedirectUri = @{
+    'Global'   = 'https://login.microsoftonline.com/common/oauth2/nativeclient'
+    'China'    = 'https://login.partner.microsoftonline.cn/common/oauth2/nativeclient'
+    'Germany'  = 'https://login.microsoftonline.com/common/oauth2/nativeclient'
+    'USGov'    = 'https://login.microsoftonline.us/common/oauth2/nativeclient'
+    'USGovDoD' = 'https://login.microsoftonline.us/common/oauth2/nativeclient'
+}
+$script:mapMgEnvironmentToMgEndpoint = @{
+    'Global'   = 'https://graph.microsoft.com/'
+    'China'    = 'https://microsoftgraph.chinacloudapi.cn/'
+    'Germany'  = 'https://graph.microsoft.de/'
+    'USGov'    = 'https://graph.microsoft.us/'
+    'USGovDoD' = 'https://dod-graph.microsoft.us/'
+}
 
 ## Initialize Application Insights for Anonymous Telemetry
 $script:AppInsightsRuntimeState = [PSCustomObject]@{
@@ -71,6 +85,14 @@ if (!$script:ModuleConfig.'ai.disabled') {
     Export-Config -Path 'AppInsightsState.json' -InputObject $script:AppInsightsState -IgnoreDefaultValues $null
 }
 
+## HashArray with already read evidence
+$script:Evidences =  @{
+    'Tenant' = @{} # tenant files 
+    'AADC' = @{} # aadconnect files indexed by server name
+    'ADFS' = @{} # ADFS files indexed by server name
+    'AADAP' = @{} # AAD Proxy Agent files indexed by server name
+}
+
 #Future
 #Get PIM data
 #Get Secure Score

src/Complete-AADAssessmentReports.ps1

@@ -22,24 +22,33 @@ function Complete-AADAssessmentReports {
         [string] $OutputDirectory = (Join-Path $env:SystemDrive 'AzureADAssessment'),
         # Skip copying data and PowerBI dashboards to "C:\AzureADAssessment\PowerBI"
         [Parameter(Mandatory = $false)]
-        [switch] $SkipPowerBIWorkingDirectory
+        [switch] $SkipPowerBIWorkingDirectory,
+        # Includes the new recommendations report in the output
+        [Parameter(Mandatory = $false)]
+        [switch] $IncludeRecommendations,
+        # Path to the spreadsheet with the interview answers
+        [Parameter(Mandatory = $false)]
+        [string] $InterviewSpreadsheetPath
     )
 
     Start-AppInsightsRequest $MyInvocation.MyCommand.Name
     try {
-
-        if (!$script:ConnectState.MsGraphToken) {
-            #Connect-AADAssessment
-            if (!$script:ConnectState.ClientApplication) {
-                $script:ConnectState.ClientApplication = New-MsalClientApplication -ClientId $script:ModuleConfig.'aad.clientId' -ErrorAction Stop
-                $script:ConnectState.CloudEnvironment = 'Global'
+        ## Return Immediately when Telemetry is Disabled
+        if(!($script:ModuleConfig.'ai.disabled'))
+        {
+            if (!$script:ConnectState.MsGraphToken) {
+                #Connect-AADAssessment
+                if (!$script:ConnectState.ClientApplication) {
+                    $script:ConnectState.ClientApplication = New-MsalClientApplication -ClientId $script:ModuleConfig.'aad.clientId' -ErrorAction Stop
+                    $script:ConnectState.CloudEnvironment = 'Global'
+                }
+                $CorrelationId = New-Guid
+                if ($script:AppInsightsRuntimeState.OperationStack.Count -gt 0) {
+                    $CorrelationId = $script:AppInsightsRuntimeState.OperationStack.Peek().Id
+                }
+                ## Authenticate with Lightweight Consent
+                $script:ConnectState.MsGraphToken = Get-MsalToken -PublicClientApplication $script:ConnectState.ClientApplication -Scopes 'openid' -UseEmbeddedWebView:$true -CorrelationId $CorrelationId -Verbose:$false -ErrorAction Stop
             }
-            $CorrelationId = New-Guid
-            if ($script:AppInsightsRuntimeState.OperationStack.Count -gt 0) {
-                $CorrelationId = $script:AppInsightsRuntimeState.OperationStack.Peek().Id
-            }
-            ## Authenticate with Lightweight Consent
-            $script:ConnectState.MsGraphToken = Get-MsalToken -PublicClientApplication $script:ConnectState.ClientApplication -Scopes 'openid' -UseEmbeddedWebView:$true -CorrelationId $CorrelationId -Verbose:$false -ErrorAction Stop
         }
 
         if ($MyInvocation.CommandOrigin -eq 'Runspace') {
@@ -73,13 +82,19 @@ function Complete-AADAssessmentReports {
             Remove-Item -Path (Join-Path $OutputDirectoryAAD "*") -Include "*Data.xml" -ErrorAction Ignore
         }
 
+        ## Generate Recommendations
+        if($IncludeRecommendations) {
+            Write-Progress -Id 0 -Activity ('Microsoft Azure AD Assessment Complete Reports - {0}' -f $AssessmentDetail.AssessmentTenantDomain) -Status 'Generating Recommendations' -PercentComplete 30
+            New-AADAssessmentRecommendations -Path $OutputDirectory -OutputDirectory $OutputDirectory -InterviewSpreadsheetPath $InterviewSpreadsheetPath -SkipExpand
+        }
+
         ## Report Complete
         Write-AppInsightsEvent 'AAD Assessment Report Generation Complete' -OverrideProperties -Properties @{
             AssessmentId       = $AssessmentDetail.AssessmentId
             AssessmentVersion  = $AssessmentDetail.AssessmentVersion
             AssessmentTenantId = $AssessmentDetail.AssessmentTenantId
-            AssessorTenantId   = if ($script:ConnectState.MsGraphToken.Account) { $script:ConnectState.MsGraphToken.Account.HomeAccountId.TenantId } else { Expand-JsonWebTokenPayload $script:ConnectState.MsGraphToken.AccessToken | Select-Object -ExpandProperty tid }
-            AssessorUserId     = if ($script:ConnectState.MsGraphToken.Account -and $script:ConnectState.MsGraphToken.Account.HomeAccountId.TenantId -in ('72f988bf-86f1-41af-91ab-2d7cd011db47', 'cc7d0b33-84c6-4368-a879-2e47139b7b1f')) { $script:ConnectState.MsGraphToken.Account.HomeAccountId.ObjectId }
+            AssessorTenantId   = if ((Get-ObjectPropertyValue $script:ConnectState.MsGraphToken 'Account') -and $script:ConnectState.MsGraphToken.Account) { $script:ConnectState.MsGraphToken.Account.HomeAccountId.TenantId } else { if (Get-ObjectPropertyValue $script:ConnectState.MsGraphToken 'AccessToken') { Expand-JsonWebTokenPayload $script:ConnectState.MsGraphToken.AccessToken | Select-Object -ExpandProperty tid } }
+            AssessorUserId     = if ((Get-ObjectPropertyValue $script:ConnectState.MsGraphToken 'Account') -and $script:ConnectState.MsGraphToken.Account -and $script:ConnectState.MsGraphToken.Account.HomeAccountId.TenantId -in ('72f988bf-86f1-41af-91ab-2d7cd011db47', 'cc7d0b33-84c6-4368-a879-2e47139b7b1f')) { $script:ConnectState.MsGraphToken.Account.HomeAccountId.ObjectId }
         }
 
         ## Rename

src/Connect-AADAssessment.ps1

@@ -53,8 +53,7 @@ function Connect-AADAssessment {
                 break
             }
             'PublicClient' {
-                #$script:ConnectState.ClientApplication = New-MsalClientApplication -ClientId $ClientId -TenantId $TenantId -AzureCloudInstance $script:mapMgEnvironmentToAzureCloudInstance[$CloudEnvironment] -RedirectUri 'http://localhost'
-                $script:ConnectState.ClientApplication = New-MsalClientApplication -ClientId $ClientId -TenantId $TenantId -AzureCloudInstance $script:mapMgEnvironmentToAzureCloudInstance[$CloudEnvironment] #-RedirectUri 'urn:ietf:wg:oauth:2.0:oob'
+                $script:ConnectState.ClientApplication = New-MsalClientApplication -ClientId $ClientId -TenantId $TenantId -AzureCloudInstance $script:mapMgEnvironmentToAzureCloudInstance[$CloudEnvironment] -RedirectUri $script:mapMgEnvironmentToAadRedirectUri[$CloudEnvironment]
                 break
             }
             'ConfidentialClientCertificate' {