Skip to content

Security: yourlastnamesoundslikeatypeofpasta/PowerShell

Security

docs/security.md

Security Review Checklist

This document summarizes the key security aspects of the PowerShell modules contained in this repository.

Roles Required

Command/Module Required Roles
SupportTools general commands (e.g., Add-UserToGroup, CleanupGroupMembership) Microsoft 365 Group Administrator and Graph permissions (Group.ReadWrite.All)
Exchange commands (e.g., Set-SharedMailboxAutoReply) Exchange Online Administrator
SharePointTools cleanup/reporting functions SharePoint Tenant Admin or Site Collection Administrator for the target site
ServiceDeskTools ticket functions Service Desk account with rights to create and update incidents via API

APIs and Services

  • Microsoft Graph – user and group management (Add-UserToGroup, CleanupGroupMembership).
  • PnP.PowerShell / SharePoint REST – site cleanup, reports and file uploads (Invoke-ArchiveCleanup, Get-SPToolsLibraryReport, etc.).
  • Service Desk REST API – create and update tickets (New-SDTicket, Set-SDTicket).
  • Exchange Online – mailbox automation (Set-SharedMailboxAutoReply).
  • Windows Event Log – local log queries (Get-FailedLogin).

Audit Trails

  • Commands call Write-STLog which writes to $env:ST_LOG_PATH or ~/SupportToolsLogs/supporttools.log.
  • Structured events can be recorded via Write-STRichLog and Write-STTelemetryEvent in ~/SupportToolsTelemetry/telemetry.jsonl when telemetry is enabled.
  • Scripts like Submit-SystemInfoTicket optionally start a transcript log file for additional auditing.
  • Actions performed through SharePoint or Exchange are also captured in their respective tenant audit logs when enabled.

Risks of Misuse

  • Cleanup functions (Invoke-ArchiveCleanup, Invoke-FileVersionCleanup) permanently delete data if misconfigured.
  • Group and mailbox commands modify tenant resources and may expose information if run with excessive privileges.
  • API tokens stored in environment variables should be protected to prevent unauthorized access.
  • Always review scripts before execution and run test mode (-Simulate or -ChaosMode switches where available) in non‑production environments first.

Script Signing

All PowerShell files can be signed with the provided Sign-RepositoryFiles.ps1 script. The script scans the src and scripts folders for .ps1, .psm1, and .psd1 files and applies Set-AuthenticodeSignature to each file. Supply the code-signing certificate using the -CertificatePath parameter or set the ST_SIGN_CERT_PATH environment variable.

$env:ST_SIGN_CERT_PATH = 'C:\certs\internal.pfx'
./scripts/Sign-RepositoryFiles.ps1

There aren't any published security advisories