This control configures Conditional Access device platform conditions via Microsoft Intune device configuration policies or compliance policies to secure Windows endpoints according to security best practices.
Requirements
m365
Implementation
Use PowerShell script conditional-access-device-platforms.ps1 (function Invoke-Monitoring) – Monitoring.
monitoring
Use PowerShell script conditional-access-device-platforms.ps1 (function Invoke-Monitoring) – Check.
Remediation
Use PowerShell script conditional-access-device-platforms.ps1 (function Invoke-Remediation) – Remediate.
Compliance and Auditing
Policy documentation
Compliance & Frameworks
CIS M365: Control 18.9.19.2 (L1) - CIS Security Benchmark recommendations
BIO: 16.01 - BIO Baseline Informatiebeveiliging Overheid - 16.01 - Event logging and audit trails
ISO 27001:2022: A.12.4.1 - ISO 27001:2022 - Event logging and audit trails
Automation
Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
    Conditional Access - Device Platform Controls
.DESCRIPTION
    Checks if Conditional Access policies include device platform conditions.
    Allows different security controls for Windows, macOS, iOS, Android.
.NOTES
    Filename: conditional-access-device-platforms.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
.EXAMPLE
    .\conditional-access-device-platforms.ps1 -Monitoring
    Check if platform-based CA policies exist
.EXAMPLE
    .\conditional-access-device-platforms.ps1 -Remediation
    Monitoring-only control: runs the same check as -Monitoring
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter(Mandatory = $false)]
    [switch]$Monitoring,

    [Parameter(Mandatory = $false)]
    [switch]$Remediation
)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Conditional Access - Device Platforms" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    <#
    .SYNOPSIS
        Checks for platform-based Conditional Access policies
    #>
    try {
        Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Gray
        Connect-MgGraph -Scopes "Policy.Read.All" -ErrorAction Stop -NoWelcome

        Write-Host "Checking Conditional Access policies..." -ForegroundColor Gray
        $policies = Invoke-MgGraphRequest -Method GET `
            -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

        $result = @{
            isCompliant      = $false
            totalPolicies    = $policies.value.Count
            platformPolicies = 0
            policyDetails    = @()
        }

        foreach ($policy in $policies.value) {
            # Only enabled policies with a platform condition count; report-only
            # and disabled policies do not enforce anything.
            if ($policy.conditions.platforms -and $policy.state -eq 'enabled') {
                $result.platformPolicies++
                $result.isCompliant = $true
                $platforms = $policy.conditions.platforms.includePlatforms -join ', '
                Write-Host " [OK] PLATFORM POLICY: $($policy.displayName)" -ForegroundColor Green
                Write-Host "      Platforms: $platforms" -ForegroundColor Cyan
                Write-Host "      Controls: $($policy.grantControls.builtInControls -join ', ')" -ForegroundColor Cyan
                $result.policyDetails += @{
                    Name      = $policy.displayName
                    Platforms = $platforms
                }
            }
        }

        Write-Host "`n Total CA policies: $($result.totalPolicies)" -ForegroundColor Cyan
        Write-Host " Platform-based policies: $($result.platformPolicies)" -ForegroundColor $(
            if ($result.platformPolicies -gt 0) { 'Green' } else { 'Yellow' }
        )

        if ($result.platformPolicies -eq 0) {
            Write-Host "`n 💡 Consider platform-based policies for:" -ForegroundColor Cyan
            Write-Host "    • Blocking legacy platforms" -ForegroundColor Gray
            Write-Host "    • Different controls for mobile vs desktop" -ForegroundColor Gray
            Write-Host "    • Requiring compliant devices per platform" -ForegroundColor Gray
        }

        # Exit codes: 0 = compliant, 1 = no platform-based policies, 2 = error
        if ($result.isCompliant) {
            Write-Host "`n[OK] COMPLIANT - Platform controls configured" -ForegroundColor Green
            exit 0
        }
        else {
            Write-Host "`n⚠️ NO PLATFORM-BASED POLICIES" -ForegroundColor Yellow
            Write-Host "Consider adding platform-specific controls" -ForegroundColor Cyan
            exit 1
        }
    }
    catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
        Restores the configuration to the desired state
    .DESCRIPTION
        This is a monitoring-only control; remediation delegates to monitoring
    #>
    [CmdletBinding()]
    param()

    Write-Host "[INFO] This is a monitoring-only control" -ForegroundColor Yellow
    Write-Host "[INFO] Running monitoring check..." -ForegroundColor Cyan
    Invoke-Monitoring
}

# Dispatch: functions must be defined above this point to be callable here.
try {
    if ($Monitoring) {
        Invoke-Monitoring
    }
    elseif ($Remediation) {
        Invoke-Remediation
    }
    else {
        Write-Host "Use: -Monitoring or -Remediation" -ForegroundColor Yellow
        Write-Host "`nPlatform-based policies allow granular control:" -ForegroundColor Cyan
        Write-Host "  • Block Windows 7/8 (legacy)" -ForegroundColor Gray
        Write-Host "  • Require app protection on mobile" -ForegroundColor Gray
        Write-Host "  • Different MFA for different platforms" -ForegroundColor Gray
    }
}
catch {
    throw
}
finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}
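The baseline script above reports compliant as soon as one enabled policy carries any platform condition. The added example below is not part of the baseline script; it goes one step further and computes, from an exported policy set, which platforms are actually covered by an enforced policy. It assumes the policy JSON shape returned by /identity/conditionalAccess/policies (conditions.platforms with includePlatforms and excludePlatforms, the 'all' platform value, and the states enabled, disabled and enabledForReportingButNotEnforced); the four sample policies are constructed for illustration and are not real tenant data.

```powershell
# Added example (not part of the baseline script): offline per-platform coverage
# check over an exported Conditional Access policy set.

# Concrete platform values we want covered; 'all' in a policy expands to these.
$KnownPlatforms = @('windows', 'macOS', 'iOS', 'android', 'linux')

# Constructed sample export (same shape as the Graph response, not real data).
$sampleJson = @'
{
  "value": [
    {
      "displayName": "Require compliant device - Windows/macOS",
      "state": "enabled",
      "conditions": { "platforms": { "includePlatforms": ["windows", "macOS"], "excludePlatforms": [] } },
      "grantControls": { "builtInControls": ["compliantDevice"] }
    },
    {
      "displayName": "Require app protection - mobile",
      "state": "enabledForReportingButNotEnforced",
      "conditions": { "platforms": { "includePlatforms": ["iOS", "android"], "excludePlatforms": [] } },
      "grantControls": { "builtInControls": ["approvedApplication", "compliantApplication"] }
    },
    {
      "displayName": "Block unsupported platforms",
      "state": "enabled",
      "conditions": { "platforms": { "includePlatforms": ["all"], "excludePlatforms": ["windows", "macOS", "iOS", "android"] } },
      "grantControls": { "builtInControls": ["block"] }
    },
    {
      "displayName": "Require MFA for all users",
      "state": "enabled",
      "conditions": { "platforms": null },
      "grantControls": { "builtInControls": ["mfa"] }
    }
  ]
}
'@

function Get-PolicyPlatforms {
    # Expands a policy's platform condition into the concrete platforms it targets:
    # 'all' minus excludePlatforms. A null platforms condition means the policy is
    # not platform-scoped at all, so an empty array is returned.
    param([Parameter(Mandatory)] $Policy)

    $cond = $Policy.conditions.platforms
    if ($null -eq $cond) { return @() }

    $include = @($cond.includePlatforms)
    $exclude = @($cond.excludePlatforms)
    if ($include -contains 'all') { $include = $KnownPlatforms }
    return @($include | Where-Object { $exclude -notcontains $_ })
}

function Get-PlatformCoverage {
    # Returns one row per known platform with the enforced (state = enabled)
    # platform-scoped policies that apply to it. Report-only and disabled policies
    # are reported separately so they are not mistaken for enforced controls.
    param([Parameter(Mandatory)] [string]$PolicyJson)

    $policies = (ConvertFrom-Json -InputObject $PolicyJson).value
    $coverage = @{}
    foreach ($p in $KnownPlatforms) { $coverage[$p] = @() }
    $notEnforced = @()

    foreach ($policy in $policies) {
        $platforms = @(Get-PolicyPlatforms -Policy $policy)
        if ($platforms.Count -eq 0) { continue }          # not platform-scoped
        if ($policy.state -ne 'enabled') {
            $notEnforced += "$($policy.displayName) [$($policy.state)]"
            continue
        }
        foreach ($p in $platforms) {
            if ($coverage.ContainsKey($p)) { $coverage[$p] += $policy.displayName }
        }
    }

    foreach ($p in $KnownPlatforms) {
        [pscustomobject]@{
            Platform         = $p
            EnforcedPolicies = $coverage[$p].Count
            Policies         = ($coverage[$p] -join '; ')
        }
    }
    if ($notEnforced.Count -gt 0) {
        Write-Warning ("Platform-scoped but not enforced: " + ($notEnforced -join '; '))
    }
}

Get-PlatformCoverage -PolicyJson $sampleJson | Format-Table -AutoSize
```

With the constructed sample, windows and macOS are covered by the compliant-device policy, linux only by the catch-all block policy, and iOS and android show zero enforced policies because the mobile app-protection policy is still in report-only mode; that gap is exactly what the baseline script's "any enabled platform policy exists" check would not surface. To run it against a real export, replace $sampleJson with the response of the same Graph request the baseline script issues.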