This control configures privileged role admin approval via Microsoft Intune device configuration policies or compliance policies to secure Windows endpoints according to security best practices.
Requirements
m365
Implementation
Use PowerShell script privileged-rol-admin-approval.ps1 (function Invoke-Monitoring) – Monitor.
Monitoring
Use PowerShell script privileged-role-admin-approval.ps1 (function Invoke-Monitoring) – Check.
Remediation
Use PowerShell script privileged-rol-admin-approval.ps1 (function Invoke-Remediation) – Remediate.
Compliance and Auditing
Policy documentation
Compliance & Frameworks
CIS M365: Control 18.9.19.2 (L1) - CIS Security Benchmark recommendations
BIO: 16.01 - BIO Baseline Informatiebeveiliging Overheid - 16.01 - Event logging and audit trails
ISO 27001:2022: A.12.4.1 - ISO 27001:2022 - Event logging and audit trails
Automation
Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
    Privileged Role Admin Approval
.DESCRIPTION
    Verifies PIM role assignments require admin approval
.NOTES
    NL Baseline v2.0
    Requires: Azure AD Premium P2 and PIM configuration
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [switch]$Monitoring,
    [switch]$Remediation
)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Privileged Role Admin Approval" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    try {
        Connect-MgGraph -Scopes "PrivilegedAccess.Read.AzureAD", "RoleManagement.Read.All" -ErrorAction Stop -NoWelcome
        try {
            # The roleManagementPolicies endpoint requires a scopeId/scopeType filter,
            # and the rules collection is only returned when it is expanded.
            $uri = 'https://graph.microsoft.com/beta/policies/roleManagementPolicies' +
                   '?$filter=scopeId eq ''/'' and scopeType eq ''DirectoryRole''&$expand=rules'

            # Follow @odata.nextLink so tenants with many policies are fully evaluated
            $policies = @()
            do {
                $page = Invoke-MgGraphRequest -Method GET -Uri $uri -ErrorAction Stop
                if ($page.value) { $policies += $page.value }
                $uri = $page.'@odata.nextLink'
            } while ($uri)

            $result = @{ totalPolicies = $policies.Count; requireApproval = 0; policies = @() }
            foreach ($policy in $policies) {
                # Approval rules are identified by their OData type; rules carry no ruleType property
                $rule = @($policy.rules) | Where-Object {
                    $_.'@odata.type' -eq '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule'
                } | Select-Object -First 1
                if ($rule -and $rule.setting.isApprovalRequired -eq $true) {
                    $result.requireApproval++
                    $result.policies += $policy.displayName
                    Write-Host " [OK] APPROVAL REQUIRED: $($policy.displayName)" -ForegroundColor Green
                }
            }

            Write-Host "`n Summary:" -ForegroundColor Cyan
            Write-Host " PIM Policies: $($result.totalPolicies)" -ForegroundColor White
            Write-Host " Requiring Approval: $($result.requireApproval)" -ForegroundColor $(
                if ($result.requireApproval -gt 0) { 'Green' } else { 'Yellow' }
            )
            Write-Host "`n Approval Benefits:" -ForegroundColor Cyan
            Write-Host " • Prevents unauthorized privilege escalation" -ForegroundColor Gray
            Write-Host " • Adds oversight to role activation" -ForegroundColor Gray
            Write-Host " • Improves security governance" -ForegroundColor Gray
            Write-Host "`n ⚠️ Requires: Azure AD Premium P2 and PIM" -ForegroundColor Yellow

            if ($result.requireApproval -gt 0) {
                Write-Host "`n[OK] COMPLIANT - Admin approval required" -ForegroundColor Green
                exit 0
            }
            else {
                Write-Host "`n[FAIL] NON-COMPLIANT - No approval required!" -ForegroundColor Red
                Write-Host "Configure in: Azure AD > Privileged Identity Management" -ForegroundColor Yellow
                exit 1
            }
        }
        catch {
            # Querying PIM policies fails on tenants without Premium P2; show the actual
            # error so that a broken query is not mistaken for a licensing gap
            Write-Host " ⚠️ PIM not available (requires Premium P2): $($_.Exception.Message)" -ForegroundColor Yellow
            exit 0
        }
    }
    catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
        Restores the configuration to the desired state
    .DESCRIPTION
        This is a monitoring-only control; remediation delegates to monitoring
    #>
    [CmdletBinding()]
    param()
    Write-Host "[INFO] Dit is een monitoring-only control" -ForegroundColor Yellow
    Write-Host "[INFO] Running monitoring check..." -ForegroundColor Cyan
    Invoke-Monitoring
}

# Dispatch after both functions are defined, so either switch resolves
try {
    if ($Remediation) { Invoke-Remediation }
    elseif ($Monitoring) { Invoke-Monitoring }
    else { Write-Host "Use: -Monitoring or -Remediation" -ForegroundColor Yellow }
}
catch { throw }
finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}
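The monitoring script above inspects the approval rule of each PIM role management policy while connected to Graph. The following is an added example, not part of the page's script, that evaluates the same rule offline over a constructed sample shaped like a Graph beta roleManagementPolicies response, so the check logic can be tested without a tenant. The function names (Get-PimApprovalStatus, Test-PimApprovalCompliance) and all ids in the sample are assumptions and placeholders. It goes one step further than the script in two ways: it reports every policy individually (including policies with no approval rule at all) and treats the tenant as compliant only when every policy requires approval, and it counts explicitly configured approvers, since a policy can require approval without naming any approver.

```powershell
# Added example (not the page's own script): evaluate PIM role management
# policies for the activation-approval rule offline, over constructed data.
# Object shape follows the Graph beta unifiedRoleManagementPolicyApprovalRule
# resource: @odata.type, id "Approval_EndUser_Assignment", setting.isApprovalRequired.

function Get-PimApprovalStatus {
    [CmdletBinding()]
    param(
        # Policy objects as found under "value" in a
        # GET /beta/policies/roleManagementPolicies?$expand=rules response
        [Parameter(Mandatory)]
        [object[]]$Policies
    )

    foreach ($policy in $Policies) {
        # Select the activation approval rule by OData type and rule id;
        # rules have no "ruleType" property
        $approvalRule = @($policy.rules) | Where-Object {
            $_.'@odata.type' -eq '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule' -and
            $_.id -eq 'Approval_EndUser_Assignment'
        } | Select-Object -First 1

        if (-not $approvalRule) {
            $status = 'NoApprovalRule'
        }
        elseif ($approvalRule.setting.isApprovalRequired -eq $true) {
            $status = 'ApprovalRequired'
        }
        else {
            $status = 'NoApprovalRequired'
        }

        # Explicitly configured approvers across all stages (0 when none are named)
        $approvers = @($approvalRule.setting.approvalStages.primaryApprovers | Where-Object { $_ })

        [pscustomobject]@{
            PolicyId  = $policy.id
            Status    = $status
            Approvers = $approvers.Count
        }
    }
}

function Test-PimApprovalCompliance {
    [CmdletBinding()]
    param([Parameter(Mandatory)][object[]]$Policies)

    $report  = Get-PimApprovalStatus -Policies $Policies
    # Stricter than the page's script: every policy must require approval
    $failing = @($report | Where-Object { $_.Status -ne 'ApprovalRequired' })

    [pscustomobject]@{
        Compliant = ($failing.Count -eq 0)
        Failing   = $failing.PolicyId
        Report    = $report
    }
}

# Constructed sample response: placeholder ids, not data from a real tenant.
# Policy A requires approval with one named approver, policy B does not
# require approval, policy C has no approval rule at all.
$sampleJson = @'
{
  "value": [
    {
      "id": "DirectoryRole_TENANT-PLACEHOLDER_POLICY-A",
      "rules": [
        {
          "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
          "id": "Approval_EndUser_Assignment",
          "setting": {
            "isApprovalRequired": true,
            "approvalMode": "SingleStage",
            "approvalStages": [
              { "primaryApprovers": [ { "@odata.type": "#microsoft.graph.singleUser", "userId": "USER-PLACEHOLDER" } ] }
            ]
          }
        }
      ]
    },
    {
      "id": "DirectoryRole_TENANT-PLACEHOLDER_POLICY-B",
      "rules": [
        {
          "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
          "id": "Approval_EndUser_Assignment",
          "setting": { "isApprovalRequired": false, "approvalMode": "SingleStage", "approvalStages": [] }
        }
      ]
    },
    { "id": "DirectoryRole_TENANT-PLACEHOLDER_POLICY-C", "rules": [] }
  ]
}
'@

$policies = (ConvertFrom-Json $sampleJson).value
$outcome  = Test-PimApprovalCompliance -Policies $policies
$outcome.Report | Format-Table -AutoSize
if ($outcome.Compliant) { 'COMPLIANT' } else { "NON-COMPLIANT: $($outcome.Failing -join ', ')" }
```

To run the same evaluation against a live tenant, replace the `$policies` assignment with the paged result of the roleManagementPolicies query (with the scopeId/scopeType filter and `$expand=rules`, as in the script above) and keep the rest unchanged; the evaluation functions do not depend on how the policy objects were obtained.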