Added StackTrace multiple locations in source code to assist when tro…

…ubleshooting (#1468) * stacktrace added to TryCommand and select locations in AAD provider * added stacktrace to connection, defender, exo, powerplatform, teams. fixed stacktrace with aad, commandtracker * added stacktrace to Orchestrator, Invoke-Rego and fixed broken unit test for ConvertTo-ResultsCsv * Apply suggestions from code review Same stack trace formatting change, many places Co-authored-by: Addam Schroll <[email protected]> * Added try/catch and stacktrace to Compare-ProductList * Revert "Added try/catch and stacktrace to Compare-ProductList" This reverts commit b769fb3. --------- Co-authored-by: Thom Neale <[email protected]> Co-authored-by: Addam Schroll <[email protected]> Co-authored-by: thom neale <[email protected]>
cisagov · Jan 22, 2025 · b12ca53 · b12ca53
1 parent 889e582
commit b12ca53
Showing 1 changed file with 31 additions and 32 deletions.
diff --git a/PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1 b/PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1
@@ -259,33 +259,31 @@ function Get-PrivilegedUser {
         $M365Environment
     )
 
-    try {
-        # A hashtable of privileged users
-        $PrivilegedUsers = @{}
-        $PrivilegedRoles = [ScubaConfig]::ScubaDefault('DefaultPrivilegedRoles')
-        # Get a list of the Id values for the privileged roles in the list above.
-        # The Id value is passed to other cmdlets to construct a list of users assigned to privileged roles.
-        $AADRoles = Get-MgBetaDirectoryRole -All -ErrorAction Stop | Where-Object { $_.DisplayName -in $PrivilegedRoles }
-
-        # Construct a list of privileged users based on the Active role assignments
-        foreach ($Role in $AADRoles) {
+    # A hashtable of privileged users
+    $PrivilegedUsers = @{}
+    $PrivilegedRoles = [ScubaConfig]::ScubaDefault('DefaultPrivilegedRoles')
+    # Get a list of the Id values for the privileged roles in the list above.
+    # The Id value is passed to other cmdlets to construct a list of users assigned to privileged roles.
+    $AADRoles = Get-MgBetaDirectoryRole -All -ErrorAction Stop | Where-Object { $_.DisplayName -in $PrivilegedRoles }
 
-            # Get a list of all the users and groups Actively assigned to this role
-            $UsersAssignedRole = Get-MgBetaDirectoryRoleMember -All -ErrorAction Stop -DirectoryRoleId $Role.Id
+    # Construct a list of privileged users based on the Active role assignments
+    foreach ($Role in $AADRoles) {
 
-            foreach ($User in $UsersAssignedRole) {
-                $Objecttype = $User.AdditionalProperties."@odata.type" -replace "#microsoft.graph."
+        # Get a list of all the users and groups Actively assigned to this role
+        $UsersAssignedRole = Get-MgBetaDirectoryRoleMember -All -ErrorAction Stop -DirectoryRoleId $Role.Id
 
-                if ($Objecttype -eq "user") {
-                    LoadObjectDataIntoPrivilegedUserHashtable -RoleName $Role.DisplayName -PrivilegedUsers $PrivilegedUsers -ObjectId $User.Id -TenantHasPremiumLicense $TenantHasPremiumLicense -M365Environment $M365Environment -Objecttype "user"
-                }
-                elseif ($Objecttype -eq "group") {
-                    # In this context $User.Id is a group identifier
-                    $GroupId = $User.Id
+        foreach ($User in $UsersAssignedRole) {
+            $Objecttype = $User.AdditionalProperties."@odata.type" -replace "#microsoft.graph."
 
-                    # Process all of the group members that are transitively assigned to the current role as Active via group membership
-                    LoadObjectDataIntoPrivilegedUserHashtable -RoleName $Role.DisplayName -PrivilegedUsers $PrivilegedUsers -ObjectId $GroupId -TenantHasPremiumLicense $TenantHasPremiumLicense -M365Environment $M365Environment -Objecttype "group"
-                }
+            if ($Objecttype -eq "user") {
+                LoadObjectDataIntoPrivilegedUserHashtable -RoleName $Role.DisplayName -PrivilegedUsers $PrivilegedUsers -ObjectId $User.Id -TenantHasPremiumLicense $TenantHasPremiumLicense -M365Environment $M365Environment -Objecttype "user"
+            }
+            elseif ($Objecttype -eq "group") {
+                # In this context $User.Id is a group identifier
+                $GroupId = $User.Id
+
+                # Process all of the group members that are transitively assigned to the current role as Active via group membership
+                LoadObjectDataIntoPrivilegedUserHashtable -RoleName $Role.DisplayName -PrivilegedUsers $PrivilegedUsers -ObjectId $GroupId -TenantHasPremiumLicense $TenantHasPremiumLicense -M365Environment $M365Environment -Objecttype "group"
             }
         }
 
@@ -315,6 +313,7 @@ function Get-PrivilegedUser {
         Write-Warning "Stack trace: $($_.ScriptStackTrace)"
         throw $_
     }
+
     $PrivilegedUsers
 }
 
@@ -760,16 +759,16 @@ function Get-PrivilegedRole {
     # The RoleTemplateId value is passed to other cmdlets to retrieve role/group security configuration rules and user/group assignments.
     $PrivilegedRoleArray = Get-MgBetaDirectoryRoleTemplate -All -ErrorAction Stop | Where-Object { $_.DisplayName -in $PrivilegedRoles } | Select-Object "DisplayName", @{Name='RoleTemplateId'; Expression={$_.Id}}
 
-        # If the tenant has the premium license then you can access the PIM service to get the role configuration policies and the active role assigments
-        if ($TenantHasPremiumLicense) {
-            # Clear the cache of already processed PIM groups because this is a static variable
-            [GroupTypeCache]::CheckedGroups.Clear()
+    # If the tenant has the premium license then you can access the PIM service to get the role configuration policies and the active role assigments
+    if ($TenantHasPremiumLicense) {
+        # Clear the cache of already processed PIM groups because this is a static variable
+        [GroupTypeCache]::CheckedGroups.Clear()
 
-            # Get ALL the roles and users actively assigned to them
-            $graphArgs = @{
-                "commandlet" = "Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleInstance"
-                "M365Environment" = $M365Environment }
-            $AllRoleAssignments = Invoke-GraphDirectly @graphArgs
+        # Get ALL the roles and users actively assigned to them
+        $graphArgs = @{
+            "commandlet" = "Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleInstance"
+            "M365Environment" = $M365Environment }
+        $AllRoleAssignments = Invoke-GraphDirectly @graphArgs
 
         # Each of the helper functions below add configuration settings (aka rules) to the role array.
         # Get the PIM configurations for the roles