🧹 improve ms365 resources (#2821)

* ⭐️ Add new ms365 teams and exchange online resources Signed-off-by: Preslav <[email protected]> * Update providers/ms365/resources/ms365.lr Co-authored-by: Letha <[email protected]> * Update providers/ms365/resources/ms365.lr Co-authored-by: Letha <[email protected]> * Update providers/ms365/resources/ms365.lr Co-authored-by: Letha <[email protected]> * Update providers/ms365/resources/ms365.lr Co-authored-by: Letha <[email protected]> * Update providers/ms365/resources/ms365.lr Co-authored-by: Letha <[email protected]> * Update providers/ms365/resources/ms365.lr Co-authored-by: Letha <[email protected]> --------- Signed-off-by: Preslav <[email protected]> Co-authored-by: Letha <[email protected]>
mondoohq · Dec 15, 2023 · b2dc839 · b2dc839
1 parent edaf7d9
commit b2dc839
Show file tree

Hide file tree

Showing 6 changed files with 628 additions and 20 deletions.
diff --git a/providers/ms365/connection/exchange_report.go b/providers/ms365/connection/exchange_report.go
@@ -41,6 +41,8 @@ $Mailbox = (Get-Mailbox -ResultSize Unlimited)
 $AtpPolicyForO365 = (Get-AtpPolicyForO365)
 $SharingPolicy = (Get-SharingPolicy)
 $RoleAssignmentPolicy = (Get-RoleAssignmentPolicy)
+$ExternalInOutlook = (Get-ExternalInOutlook)
+
 
 $exchangeOnline = New-Object PSObject
 Add-Member -InputObject $exchangeOnline -MemberType NoteProperty -Name MalwareFilterPolicy -Value @($MalwareFilterPolicy)
@@ -60,6 +62,8 @@ Add-Member -InputObject $exchangeOnline -MemberType NoteProperty -Name Mailbox -
 Add-Member -InputObject $exchangeOnline -MemberType NoteProperty -Name AtpPolicyForO365 -Value @($AtpPolicyForO365)
 Add-Member -InputObject $exchangeOnline -MemberType NoteProperty -Name SharingPolicy -Value @($SharingPolicy)
 Add-Member -InputObject $exchangeOnline -MemberType NoteProperty -Name RoleAssignmentPolicy -Value @($RoleAssignmentPolicy)
+Add-Member -InputObject $exchangeOnline -MemberType NoteProperty -Name ExternalInOutlook -Value @($ExternalInOutlook)
+
 
 Disconnect-ExchangeOnline -Confirm:$false
 
@@ -123,21 +127,28 @@ func (c *Ms365Connection) getReport(outlookToken, organization string) (*Exchang
 }
 
 type ExchangeOnlineReport struct {
-	MalwareFilterPolicy            []interface{} `json:"MalwareFilterPolicy"`
-	HostedOutboundSpamFilterPolicy []interface{} `json:"HostedOutboundSpamFilterPolicy"`
-	TransportRule                  []interface{} `json:"TransportRule"`
-	RemoteDomain                   []interface{} `json:"RemoteDomain"`
-	SafeLinksPolicy                []interface{} `json:"SafeLinksPolicy"`
-	SafeAttachmentPolicy           []interface{} `json:"SafeAttachmentPolicy"`
-	OrganizationConfig             interface{}   `json:"OrganizationConfig"`
-	AuthenticationPolicy           interface{}   `json:"AuthenticationPolicy"`
-	AntiPhishPolicy                []interface{} `json:"AntiPhishPolicy"`
-	DkimSigningConfig              interface{}   `json:"DkimSigningConfig"`
-	OwaMailboxPolicy               interface{}   `json:"OwaMailboxPolicy"`
-	AdminAuditLogConfig            interface{}   `json:"AdminAuditLogConfig"`
-	PhishFilterPolicy              []interface{} `json:"PhishFilterPolicy"`
-	Mailbox                        []interface{} `json:"Mailbox"`
-	AtpPolicyForO365               []interface{} `json:"AtpPolicyForO365"`
-	SharingPolicy                  []interface{} `json:"SharingPolicy"`
-	RoleAssignmentPolicy           []interface{} `json:"RoleAssignmentPolicy"`
+	MalwareFilterPolicy            []interface{}     `json:"MalwareFilterPolicy"`
+	HostedOutboundSpamFilterPolicy []interface{}     `json:"HostedOutboundSpamFilterPolicy"`
+	TransportRule                  []interface{}     `json:"TransportRule"`
+	RemoteDomain                   []interface{}     `json:"RemoteDomain"`
+	SafeLinksPolicy                []interface{}     `json:"SafeLinksPolicy"`
+	SafeAttachmentPolicy           []interface{}     `json:"SafeAttachmentPolicy"`
+	OrganizationConfig             interface{}       `json:"OrganizationConfig"`
+	AuthenticationPolicy           interface{}       `json:"AuthenticationPolicy"`
+	AntiPhishPolicy                []interface{}     `json:"AntiPhishPolicy"`
+	DkimSigningConfig              interface{}       `json:"DkimSigningConfig"`
+	OwaMailboxPolicy               interface{}       `json:"OwaMailboxPolicy"`
+	AdminAuditLogConfig            interface{}       `json:"AdminAuditLogConfig"`
+	PhishFilterPolicy              []interface{}     `json:"PhishFilterPolicy"`
+	Mailbox                        []interface{}     `json:"Mailbox"`
+	AtpPolicyForO365               []interface{}     `json:"AtpPolicyForO365"`
+	SharingPolicy                  []interface{}     `json:"SharingPolicy"`
+	RoleAssignmentPolicy           []interface{}     `json:"RoleAssignmentPolicy"`
+	ExternalInOutlook              []*ExternalSender `json:"ExternalInOutlook"`
+}
+
+type ExternalSender struct {
+	Identity  string   `json:"Identity"`
+	Enabled   bool     `json:"Enabled"`
+	AllowList []string `json:"AllowList"`
 }
diff --git a/providers/ms365/connection/teams_report.go b/providers/ms365/connection/teams_report.go
@@ -24,12 +24,15 @@ Import-Module MicrosoftTeams
 Connect-MicrosoftTeams -AccessTokens @("$graphToken", "$teamsToken")
 
 $CsTeamsClientConfiguration = (Get-CsTeamsClientConfiguration)
+$CsTenantFederationConfiguration = (Get-CsTenantFederationConfiguration)
+$CsTeamsMeetingPolicy = (Get-CsTeamsMeetingPolicy -Identity Global)
 
 $msteams = New-Object PSObject
 Add-Member -InputObject $msteams -MemberType NoteProperty -Name CsTeamsClientConfiguration -Value $CsTeamsClientConfiguration
+Add-Member -InputObject $msteams -MemberType NoteProperty -Name CsTenantFederationConfiguration -Value $CsTenantFederationConfiguration
+Add-Member -InputObject $msteams -MemberType NoteProperty -Name CsTeamsMeetingPolicy -Value $CsTeamsMeetingPolicy
 
 Disconnect-MicrosoftTeams -Confirm:$false
-
 ConvertTo-Json -Depth 4 $msteams
 `
 
@@ -98,5 +101,32 @@ func (c *Ms365Connection) getTeamsReport(accessToken, teamsToken string) (*MsTea
 }
 
 type MsTeamsReport struct {
-	CsTeamsClientConfiguration interface{} `json:"CsTeamsClientConfiguration"`
+	CsTeamsClientConfiguration      interface{}                      `json:"CsTeamsClientConfiguration"`
+	CsTenantFederationConfiguration *CsTenantFederationConfiguration `json:"CsTenantFederationConfiguration"`
+	CsTeamsMeetingPolicy            *CsTeamsMeetingPolicy            `json:"CsTeamsMeetingPolicy"`
+}
+
+type CsTenantFederationConfiguration struct {
+	Identity                                    string `json:"Identity"`
+	AllowFederatedUsers                         bool   `json:"AllowFederatedUsers"`
+	AllowPublicUsers                            bool   `json:"AllowPublicUsers"`
+	AllowTeamsConsumer                          bool   `json:"AllowTeamsConsumer"`
+	AllowTeamsConsumerInbound                   bool   `json:"AllowTeamsConsumerInbound"`
+	TreatDiscoveredPartnersAsUnverified         bool   `json:"TreatDiscoveredPartnersAsUnverified"`
+	SharedSipAddressSpace                       bool   `json:"SharedSipAddressSpace"`
+	RestrictTeamsConsumerToExternalUserProfiles bool   `json:"RestrictTeamsConsumerToExternalUserProfiles"`
+	// TODO: we need to figure out how to get this right when using Convert-ToJson
+	// it currently comes back as an empty json object {} but the pwsh cmdlet spits out a string-looking value
+	AllowedDomains interface{} `json:"AllowedDomains"`
+	BlockedDomains interface{} `json:"BlockedDomains"`
+}
+
+type CsTeamsMeetingPolicy struct {
+	AllowAnonymousUsersToJoinMeeting           bool   `json:"AllowFederatedUsers"`
+	AllowAnonymousUsersToStartMeeting          bool   `json:"AllowAnonymousUsersToStartMeeting"`
+	AutoAdmittedUsers                          string `json:"AutoAdmittedUsers"`
+	AllowPSTNUsersToBypassLobby                bool   `json:"AllowPSTNUsersToBypassLobby"`
+	MeetingChatEnabledType                     string `json:"MeetingChatEnabledType"`
+	DesignatedPresenterRoleMode                string `json:"DesignatedPresenterRoleMode"`
+	AllowExternalParticipantGiveRequestControl bool   `json:"AllowExternalParticipantGiveRequestControl"`
 }
diff --git a/providers/ms365/resources/ms365.go b/providers/ms365/resources/ms365.go
@@ -17,6 +17,10 @@ import (
 	"go.mondoo.com/cnquery/v9/types"
 )
 
+func (m *mqlMs365ExchangeonlineExternalSender) id() (string, error) {
+	return m.Identity.Data, nil
+}
+
 func initMs365Exchangeonline(runtime *plugin.Runtime, args map[string]*llx.RawData) (map[string]*llx.RawData, plugin.Resource, error) {
 	conn := runtime.Connection.(*connection.Ms365Connection)
 	ctx := context.Background()
@@ -61,6 +65,20 @@ func initMs365Exchangeonline(runtime *plugin.Runtime, args map[string]*llx.RawDa
 	sharingPolicy, _ := convert.JsonToDictSlice(report.SharingPolicy)
 	roleAssignmentPolicy, _ := convert.JsonToDictSlice(report.RoleAssignmentPolicy)
 
+	externalInOutlook := []interface{}{}
+	for _, e := range report.ExternalInOutlook {
+		mql, err := CreateResource(runtime, "ms365.exchangeonline.externalSender",
+			map[string]*llx.RawData{
+				"identity":  llx.StringData(e.Identity),
+				"enabled":   llx.BoolData(e.Enabled),
+				"allowList": llx.ArrayData(llx.TArr2Raw(e.AllowList), types.Any),
+			})
+		if err != nil {
+			return args, nil, err
+		}
+
+		externalInOutlook = append(externalInOutlook, mql)
+	}
 	args["malwareFilterPolicy"] = llx.ArrayData(malwareFilterPolicy, types.Any)
 	args["hostedOutboundSpamFilterPolicy"] = llx.ArrayData(hostedOutboundSpamFilterPolicy, types.Any)
 	args["transportRule"] = llx.ArrayData(transportRule, types.Any)
@@ -78,6 +96,7 @@ func initMs365Exchangeonline(runtime *plugin.Runtime, args map[string]*llx.RawDa
 	args["atpPolicyForO365"] = llx.ArrayData(atpPolicyForO365, types.Any)
 	args["sharingPolicy"] = llx.ArrayData(sharingPolicy, types.Any)
 	args["roleAssignmentPolicy"] = llx.ArrayData(roleAssignmentPolicy, types.Any)
+	args["externalInOutlook"] = llx.ArrayData(externalInOutlook, types.ResourceLike)
 
 	return args, nil, nil
 }
@@ -139,5 +158,41 @@ func initMs365Teams(runtime *plugin.Runtime, args map[string]*llx.RawData) (map[
 	csTeamsClientConfiguration, _ := convert.JsonToDict(report.CsTeamsClientConfiguration)
 	args["csTeamsClientConfiguration"] = llx.DictData(csTeamsClientConfiguration)
 
+	tenantConfig := report.CsTenantFederationConfiguration
+	teamsPolicy := report.CsTeamsMeetingPolicy
+	tenantConfigBlockedDomains, _ := convert.JsonToDict(tenantConfig.BlockedDomains)
+
+	mqlTenantConfig, err := CreateResource(runtime, "ms365.teams.tenantFederationConfig",
+		map[string]*llx.RawData{
+			"identity":                                    llx.StringData(tenantConfig.Identity),
+			"blockedDomains":                              llx.DictData(tenantConfigBlockedDomains),
+			"allowFederatedUsers":                         llx.BoolData(tenantConfig.AllowFederatedUsers),
+			"allowPublicUsers":                            llx.BoolData(tenantConfig.AllowPublicUsers),
+			"allowTeamsConsumer":                          llx.BoolData(tenantConfig.AllowTeamsConsumer),
+			"allowTeamsConsumerInbound":                   llx.BoolData(tenantConfig.AllowTeamsConsumerInbound),
+			"treatDiscoveredPartnersAsUnverified":         llx.BoolData(tenantConfig.TreatDiscoveredPartnersAsUnverified),
+			"sharedSipAddressSpace":                       llx.BoolData(tenantConfig.SharedSipAddressSpace),
+			"restrictTeamsConsumerToExternalUserProfiles": llx.BoolData(tenantConfig.RestrictTeamsConsumerToExternalUserProfiles),
+		})
+	if err != nil {
+		return args, nil, err
+	}
+	mqlTeamsPolicy, err := CreateResource(runtime, "ms365.teams.teamsMeetingPolicyConfig",
+		map[string]*llx.RawData{
+			"allowAnonymousUsersToJoinMeeting":           llx.BoolData(teamsPolicy.AllowAnonymousUsersToJoinMeeting),
+			"allowAnonymousUsersToStartMeeting":          llx.BoolData(teamsPolicy.AllowAnonymousUsersToStartMeeting),
+			"autoAdmittedUsers":                          llx.StringData(teamsPolicy.AutoAdmittedUsers),
+			"allowPSTNUsersToBypassLobby":                llx.BoolData(teamsPolicy.AllowPSTNUsersToBypassLobby),
+			"meetingChatEnabledType":                     llx.StringData(teamsPolicy.MeetingChatEnabledType),
+			"designatedPresenterRoleMode":                llx.StringData(teamsPolicy.DesignatedPresenterRoleMode),
+			"allowExternalParticipantGiveRequestControl": llx.BoolData(teamsPolicy.AllowExternalParticipantGiveRequestControl),
+		})
+	if err != nil {
+		return args, nil, err
+	}
+
+	args["csTenantFederationConfiguration"] = llx.ResourceData(mqlTenantConfig, mqlTenantConfig.MqlName())
+	args["csTeamsMeetingPolicy"] = llx.ResourceData(mqlTeamsPolicy, mqlTeamsPolicy.MqlName())
+
 	return args, nil, nil
 }
diff --git a/providers/ms365/resources/ms365.lr b/providers/ms365/resources/ms365.lr
@@ -378,6 +378,18 @@ ms365.exchangeonline {
   sharingPolicy []dict
   // List of role assignment policies
   roleAssignmentPolicy []dict
+  // List of external sender configurations
+  externalInOutlook []ms365.exchangeonline.externalSender
+}
+
+// Microsoft 365 ExchangeOnline ExternalSender
+private ms365.exchangeonline.externalSender {
+  // The identity of the external sender
+  identity string
+  // The list of specified senders that do not receive the External icon in the area of subject line
+  allowList []string
+  // Whether the feature is enabled
+  enabled bool
 }
 
 // Microsoft 365 SharePoint Online
@@ -392,4 +404,48 @@ ms365.sharepointonline {
 ms365.teams {
   // CS Teams client configuration
   csTeamsClientConfiguration dict
+  // CS Teams tenant federated configuration
+  csTenantFederationConfiguration ms365.teams.tenantFederationConfig
+  // CS Teams meeting policy configuration
+  csTeamsMeetingPolicy ms365.teams.teamsMeetingPolicyConfig
+}
+
+// Microsoft 365 Teams tenant federation configuration
+private ms365.teams.tenantFederationConfig {
+  // ID of the collection of tenant federation configuration settings
+  identity string
+  // Blocked domains
+  blockedDomains dict
+  // Whether federated users are allowed
+  allowFederatedUsers bool
+  // Whether public users are allowed
+  allowPublicUsers bool
+  // Whether to allow external Teams consumers 
+  allowTeamsConsumer bool
+  // Whether to allow inbound communication with external Teams consumers
+  allowTeamsConsumerInbound bool
+  // Whether to treat discovered partners as unverified
+  treatDiscoveredPartnersAsUnverified bool
+  // Whether shared SIP address space is enabled
+  sharedSipAddressSpace bool
+  // Whether to restrict Teams consumer to external user profiles
+  restrictTeamsConsumerToExternalUserProfiles bool
+}
+
+// Teams meeting policy configuration
+private ms365.teams.teamsMeetingPolicyConfig {
+  // Whether anonymous users are allowed to join
+  allowAnonymousUsersToJoinMeeting bool
+  // Whether anonymous users are allowed to start the meeting
+  allowAnonymousUsersToStartMeeting bool
+  // Who can bypass the lobby
+  autoAdmittedUsers string
+  // Whether public switched telephone network (PSTN) users can bypass the lobby
+  allowPSTNUsersToBypassLobby bool
+  // Whether meeting chat is enabled
+  meetingChatEnabledType string
+  // Designated presenter role mode
+  designatedPresenterRoleMode string
+  // Whether external participants can give or request control of the meeting
+  allowExternalParticipantGiveRequestControl bool
 }