This control configures "password hash sync enabled" via Microsoft Intune device configuration policies or compliance policies in order to secure Windows endpoints according to security best practices.
Requirements
m365
Implementation
Use the PowerShell script password-hash-sync-enabled.ps1 (function Invoke-Monitoring) – Monitor.
Monitoring
Use the PowerShell script password-hash-sync-enabled.ps1 (function Invoke-Monitoring) – Check.
Remediation
Use the PowerShell script password-hash-sync-enabled.ps1 (function Invoke-Remediation) – Remediate.
Compliance and Auditing
Policy documentation
Compliance & Frameworks
CIS M365: Control 18.9.19.2 (L1) - CIS Security Benchmark recommendations
BIO: 16.01 - BIO (Baseline Informatiebeveiliging Overheid) - 16.01 - Event logging and audit trails
ISO 27001:2022: A.12.4.1 - ISO 27001:2022 - Event logging and audit trails
Automation
Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Password Hash Sync Enabled
.DESCRIPTION
Checks if Password Hash Synchronization is enabled.
PHS provides backup authentication and enables security features like leaked credential detection.
.NOTES
Filename: password-hash-sync-enabled.ps1
Author: Nederlandse Baseline voor Veilige Cloud
.EXAMPLE
.\password-hash-sync-enabled.ps1 -Monitoring
Check if Password Hash Sync is enabled
.EXAMPLE
.\password-hash-sync-enabled.ps1 -Remediation
Monitoring-only control: runs the same check as -Monitoring
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter(Mandatory = $false)]
    [switch]$Monitoring,

    [Parameter(Mandatory = $false)]
    [switch]$Remediation
)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Password Hash Sync Enabled" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    <#
    .SYNOPSIS
    Checks whether directory synchronization is enabled for the tenant.
    .DESCRIPTION
    Exit codes: 0 = compliant or not applicable, 1 = non-compliant, 2 = error.
    Whether PHS itself is enabled is configured on the Azure AD Connect server
    and still has to be verified there.
    #>
    try {
        Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Gray
        # Organization.Read.All is enough to read the tenant's sync properties
        Connect-MgGraph -Scopes "Organization.Read.All" -ErrorAction Stop -NoWelcome

        Write-Host "Checking directory synchronization..." -ForegroundColor Gray
        $org = Invoke-MgGraphRequest -Method GET `
            -Uri "https://graph.microsoft.com/v1.0/organization"
        # A tenant that has never been synced returns null here
        $onPremisesSyncEnabled = $org.value[0].onPremisesSyncEnabled

        if ($null -eq $onPremisesSyncEnabled) {
            Write-Host "`n⚠️ Cloud-only tenant (no on-premises AD)" -ForegroundColor Yellow
            Write-Host "Password Hash Sync not applicable" -ForegroundColor Cyan
            exit 0
        }

        if ($onPremisesSyncEnabled -eq $true) {
            Write-Host " [OK] Directory sync: ENABLED" -ForegroundColor Green
            Write-Host "`n⚠️ Checking if Password Hash Sync is enabled requires:" -ForegroundColor Yellow
            Write-Host " 1. Check Azure AD Connect server" -ForegroundColor Gray
            Write-Host " 2. Run: Get-ADSyncScheduler" -ForegroundColor Gray
            Write-Host " 3. Verify PasswordSync is in SyncCycleEnabled" -ForegroundColor Gray
            Write-Host "`nOr check in Azure Portal:" -ForegroundColor Cyan
            Write-Host " Azure AD > Azure AD Connect > Password hash sync: On" -ForegroundColor Gray
            Write-Host "`n⚠️ Manual verification required" -ForegroundColor Yellow
            exit 0
        }
        else {
            Write-Host " [FAIL] Directory sync: DISABLED" -ForegroundColor Red
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
            exit 1
        }
    }
    catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
    Restores the configuration to the desired state
    .DESCRIPTION
    This is a monitoring-only control; remediation delegates to monitoring
    #>
    [CmdletBinding()]
    param()

    Write-Host "[INFO] Dit is een monitoring-only control" -ForegroundColor Yellow
    Write-Host "[INFO] Running monitoring check..." -ForegroundColor Cyan
    Invoke-Monitoring
}

# Entry point: runs after both functions are defined so -Remediation can be dispatched
try {
    if ($Remediation) {
        Invoke-Remediation
    }
    elseif ($Monitoring) {
        Invoke-Monitoring
    }
    else {
        Write-Host "Use: -Monitoring or -Remediation" -ForegroundColor Yellow
        Write-Host "`nNote: Password Hash Sync is configured on Azure AD Connect server" -ForegroundColor Cyan
    }
}
catch {
    throw
}
finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}
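The script above stops at "Manual verification required" once directory sync is enabled, because the Graph organization resource does not carry a PHS on/off flag. The following is an added example, not part of the NBVC script, showing how a monitor can still produce an automated verdict from the same Graph call: it assumes the organization resource exposes onPremisesSyncEnabled together with onPremisesLastPasswordSyncDateTime (the timestamp of the last password hash sync), and treats a timestamp older than a chosen window as a broken PHS pipeline. The function names, the 3-hour window and the sample tenant records are constructed for this example.

```powershell
# Added example (not from the NBVC script): derive a Password Hash Sync verdict from the
# Graph /organization response instead of requiring a manual check on the Connect server.
# Assumptions: onPremisesLastPasswordSyncDateTime is present on the organization resource;
# MaxAge of 3 hours and the function names are choices made for this example.

function Test-PasswordHashSyncStatus {
    [CmdletBinding()]
    param(
        # One element of the /organization "value" array (hashtable or PSObject)
        [Parameter(Mandatory = $true)] $Organization,
        # PHS normally pushes hashes every 2 minutes, so 3 hours of silence is a clear signal
        [timespan]$MaxAge = [timespan]::FromHours(3),
        # Injectable "now" so the check is reproducible offline
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )

    $syncEnabled = $Organization.onPremisesSyncEnabled
    $lastPwdSync = $Organization.onPremisesLastPasswordSyncDateTime

    if ($null -eq $syncEnabled) {
        return [pscustomobject]@{ Status = 'NotApplicable'; Reason = 'Cloud-only tenant (no directory sync)'; LastPasswordSync = $null }
    }
    if ($syncEnabled -ne $true) {
        return [pscustomobject]@{ Status = 'NonCompliant'; Reason = 'Directory sync disabled'; LastPasswordSync = $null }
    }
    if ([string]::IsNullOrEmpty("$lastPwdSync")) {
        return [pscustomobject]@{ Status = 'NonCompliant'; Reason = 'Directory sync enabled but no password hash sync has ever completed'; LastPasswordSync = $null }
    }

    # Works for both an ISO-8601 string and an already-deserialized [datetime]
    $lastUtc = ([datetime]$lastPwdSync).ToUniversalTime()
    $age = $Now - $lastUtc
    if ($age -gt $MaxAge) {
        return [pscustomobject]@{ Status = 'NonCompliant'; Reason = "Last password hash sync is $([int]$age.TotalHours)h old (limit $($MaxAge.TotalHours)h)"; LastPasswordSync = $lastUtc }
    }
    return [pscustomobject]@{ Status = 'Compliant'; Reason = 'Password hash sync is recent'; LastPasswordSync = $lastUtc }
}

function Get-PasswordHashSyncStatus {
    # Live variant: same scope and endpoint as the NBVC script, evaluated automatically
    Connect-MgGraph -Scopes 'Organization.Read.All' -NoWelcome -ErrorAction Stop
    $org = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/organization'
    Test-PasswordHashSyncStatus -Organization $org.value[0]
}

# Constructed sample tenant records (not real data) covering each outcome, evaluated at a fixed time
$now = [datetime]::new(2024, 5, 1, 12, 0, 0, [System.DateTimeKind]::Utc)
$samples = @(
    @{ displayName = 'cloud-only'; onPremisesSyncEnabled = $null;  onPremisesLastPasswordSyncDateTime = $null }
    @{ displayName = 'sync-off';   onPremisesSyncEnabled = $false; onPremisesLastPasswordSyncDateTime = $null }
    @{ displayName = 'phs-never';  onPremisesSyncEnabled = $true;  onPremisesLastPasswordSyncDateTime = $null }
    @{ displayName = 'phs-stale';  onPremisesSyncEnabled = $true;  onPremisesLastPasswordSyncDateTime = '2024-04-28T09:00:00Z' }
    @{ displayName = 'phs-fresh';  onPremisesSyncEnabled = $true;  onPremisesLastPasswordSyncDateTime = '2024-05-01T11:58:00Z' }
)

foreach ($s in $samples) {
    $r = Test-PasswordHashSyncStatus -Organization $s -Now $now
    '{0,-11} {1,-14} {2}' -f $s.displayName, $r.Status, $r.Reason
}
```

The offline loop yields NotApplicable, NonCompliant, NonCompliant, NonCompliant and Compliant for the five records in order. In a scheduled monitor, Get-PasswordHashSyncStatus replaces the "Manual verification required" branch; the stale case is the one worth alerting on, since a tenant with sync enabled but a PHS feed that has stopped silently loses both the backup sign-in path and leaked-credential detection that the script's description mentions.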