Comments (10)

asterictnl-lvdw commented on July 25, 2024
  1. I will look at the inspectors if there is anything wrong with them.
  2. All inspectors that I used are custom written, based on CIS standards.
  3. The incorrect blank returns might be because of multi object values or incorrect return values. I will check every inspector I made and will come back to this when I have the results :)
  4. I will use the ToString() value then to parse output to a string object instead of multiple objects that will cause an error. When I have this covered I again will come back with a new reply below.
    I think the example code will come in handy. Thank you.

from 365inspect.

asterictnl-lvdw commented on July 25, 2024
{
	"FindingName": "[VULNERABLE] - Tenant contains users without MFA. Considering enabling MFA for all users.",
	"Description": "No Exchange Online Transport Rules are in place to block email auto-forwarding. Cyber adversaries often configure compromised Office 365 accounts to forward emails to external persons. It is therefore advisable to configure an Exchange transport rule that blocks auto forwarded emails.",
	"Remediation": "Navigate to portal.azure.com > Azure Active Directory > Enterprise Applications > Security > Conditional Access > New Policy > 2. Cloud apps or action > All cloud apps (and don't exclude any apps) > 3. Assignments > Users and groups > Include > select All users (and do not exclude any user) > 4. Access Controls > Grant > Require multi-factor authentication (and nothing else) > Conditions > Client Apps > Configure (Yes) > Explicitly select Browser, Mobile apps and desktop clients, Modern authentication clients, Exchange ActiveSync clients, and Other clients. > 5. Leave all other conditions blank and make sure the policy is enabled and proceed creating the policy. ",
	"Impact": "High",
	"AffectedObjects": "",
	"References": [
		{
			"Url": "CIS_Microsoft_365_Foundations_Benchmark_v1.4.0.pdf",
			"Text": "(L2) Ensure multifactor authentication is enabled for all users in all roles (Manual)"
		}
	]
}

from 365inspect.

asterictnl-lvdw commented on July 25, 2024

Update: about the .json script. It seems that the .json and the file itself have some issues. So I have excluded that Inspector.

But the other error MethodCount does keep appearing. I cannot find out why it is erroring all the time.

from 365inspect.

ThoughtContagion commented on July 25, 2024

Can you provide the ps1 script that accompanies this json?
That error is usually due to the PowerShell script returning a multi-part value.

from 365inspect.

asterictnl-lvdw commented on July 25, 2024

I solved that issue with Line 172 char 32. This was related to a .ps1 but the other one I can't seem to find where the other error is related to.

from 365inspect.

asterictnl-lvdw commented on July 25, 2024
Cannot find an overload for "Replace" and the argument count: "2".
At line:184 char:5
+ ...             $affected_object_html += $templates.AffectedObjectsTempla ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodCountCouldNotFindBest

Line:
$affected_object_html += $templates.AffectedObjectsTemplate.Replace("{{AFFECTED_OBJECT}}", $affected_object)

from 365inspect.

ThoughtContagion commented on July 25, 2024

This is due to the script trying to parse a multi-valued object returned from the PowerShell script. You would need to specify an element to return for the json file to parse it correctly. If you can post the relevant PowerShell, I can help you determine why the error is occurring.

The json you posted looks like you are duplicating checks for MFA also. The two inspectors included that assess MFA check for the existence of Conditional Access Policies that enforce MFA, and if none are found, will assess the values of Per-User MFA configurations.

function Inspect-UsersWithNoMFAConfigured {
	$conditionalAccess = Get-AzureADMSConditionalAccessPolicy

	$flag = $false
	
	Foreach ($policy in $conditionalAccess) {
		If (($policy.conditions.users.includeusers -eq "All") -and ($policy.grantcontrols.builtincontrols -like "Mfa")){
			$flag = $true
		}
	}

	If (!$flag){
		$unenabled_users = (Get-MsolUser -All | Where-Object {($_.isLicensed -eq $true) -and ($_.StrongAuthenticationMethods.Count -eq 0) -and ($_.BlockCredential -eq $False) -and ($_.StrongAuthenticationRequirements.State -NE "Enforced")}).UserPrincipalName
		
		If ($unenabled_users -ne 0) {
			return $unenabled_users.count
		}
	}
		
	return $null
}

return Inspect-UsersWithNoMFAConfigured

Specifically, this section:

$conditionalAccess = Get-AzureADMSConditionalAccessPolicy

	$flag = $false
	
	Foreach ($policy in $conditionalAccess) {
		If (($policy.conditions.users.includeusers -eq "All") -and ($policy.grantcontrols.builtincontrols -like "Mfa")){
			$flag = $true
		}
	}

from 365inspect.

asterictnl-lvdw commented on July 25, 2024

Yes, I think there are more multi-valued objects in scripts that I've written. The problem is that when I removed the MFA script the error was still there. It did go through all the inspectors. I also stumbled upon the following as I said in an earlier submitted issue:

  • First item is duplicate, but the difference between those items is that one does have an affected object and the other one is empty. The rest of the text is all the same. Screenshot: Duplicate First Entry
  • Some items do display as vulnerable objects but do not display any data. (This is also due to the scripts that might not return correct data. I have to look at this what data it might return or if it does return data at all).
  • Some Affected objects do display incorrect data. This is due to an issue I need to look upon myself. Could be caused by a wrong return.

Cannot find an overload for "Replace" and the argument count: "2".
At line:184 char:5
+ ...             $affected_object_html += $templates.AffectedObjectsTempla ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodCountCouldNotFindBest

This error indeed is caused by multiple objects that are being returned to 'affected-objects', but isn't there a way to return those multiple objects into one object to mitigate this error? If not I will try to do a trial-and-error at the scripts to see what the problem is.

from 365inspect.

ThoughtContagion commented on July 25, 2024

The duplicate first entry is something that I cannot replicate to observe, and as stated in that thread, will vary depending on what finding is returned. I would need to know what your specific finding is and any relevant screenshots or code supplied to determine a fix.
Items lacking any returned data would also need to be accompanied by relevant screenshots or code - are these the included inspectors or custom written scripts that are causing the blank returns?
Same question for the incorrectly returned data - included scripts or custom written?

The multi-valued items would need to be exported to an output file. The way that the parser works isn't designed to handle large data sets with multi-part arrays. The design of the tool was intended to give the reviewer a quick glance at configuration issues with supporting data over a certain size being output into a file for review. If you wish to return information into the report as it is currently written, you'd need to select a value, or select a few different values and output to string.

Something like this would work:

$data = @()
Foreach ($result in $findings){
     $data += "$($result.Property1), $($result.Property2)"
}
Return $data

There are several examples of such output in the included inspectors.

from 365inspect.
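
The flattening approach suggested in the comment above, as an added example that is not part of the thread or of 365Inspect's own code. The helper name `ConvertTo-AffectedObjectString`, the template string and the sample findings are constructed for illustration, and the HTML-encoding step is an assumption of this example, not something the thread discusses.

```powershell
# Added example; only {{AFFECTED_OBJECT}} and the .Replace() call come from the thread.
# Constructed stand-in for $templates.AffectedObjectsTemplate.
$template = '<li>{{AFFECTED_OBJECT}}</li>'

# Constructed inspector results: a string, a rich object, and a nested array.
$findings = @(
    'user1@contoso.example',
    [pscustomobject]@{ UserPrincipalName = 'user2@contoso.example'; State = 'Disabled' },
    @('policyA', 'policyB')
)

function ConvertTo-AffectedObjectString {
    # Hypothetical helper: collapse each inspector result into one [string].
    param(
        [Parameter(ValueFromPipeline = $true)] $InputObject,
        [string[]] $Property = @()
    )
    process {
        if ($null -eq $InputObject) { return }
        if ($InputObject -is [string]) { return $InputObject }
        if ($InputObject -is [System.Collections.IEnumerable]) {
            # Multi-valued element: join its parts into a single string.
            return (@($InputObject) | ForEach-Object { "$_" }) -join ', '
        }
        if ($Property.Count -gt 0) {
            # Select a few named properties and output them as one string.
            return ($Property | ForEach-Object { "$($InputObject.$_)" }) -join ', '
        }
        return $InputObject.ToString()
    }
}

# Handing .Replace() the raw multi-valued element is the failure in the thread.
try {
    $null = $template.Replace('{{AFFECTED_OBJECT}}', $findings[2])
} catch {
    Write-Output "Raw array failed: $($_.Exception.Message)"
}

# Flattened values are strings, so Replace(string, string) binds cleanly.
$flat = @($findings | ConvertTo-AffectedObjectString -Property UserPrincipalName, State)
$html = ''
foreach ($item in $flat) {
    # HTML-encode tenant-supplied values before they reach the report.
    $encoded = [System.Net.WebUtility]::HtmlEncode($item)
    $html += $template.Replace('{{AFFECTED_OBJECT}}', $encoded)
}
$html
```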

ThoughtContagion commented on July 25, 2024

Since the issues raised are with custom work scripts, and not the tool or provided inspectors, I'm going to close this out.

from 365inspect.
