Confirm-PacOwner: adding $null check for description. (#456)

Azure · Jan 22, 2024 · cc761ab · cc761ab
1 parent 0a851ef
commit cc761ab
Showing 1 changed file with 17 additions and 15 deletions.
diff --git a/Scripts/Helpers/Confirm-PacOwner.ps1 b/Scripts/Helpers/Confirm-PacOwner.ps1
@@ -19,21 +19,23 @@ function Confirm-PacOwner {
     if ($null -eq $metadata -or $null -eq $metadata.pacOwnerId) {
         $kind = $PolicyResource.kind
         if ($kind -eq "policyassignments" -and $Scope.StartsWith("/subscriptions/")) {
-            $definitionIdParts = Split-AzPolicyResourceId -Id $properties.policyDefinitionId
-            if ($definitionIdParts.scopeType -eq "builtin") {
-                # Check if the owner is a special case, either managed by DfC's "Security Policies" or one of the "Defender Plans"
-                # This didcult due to inconsistent naming and createdBy users.
-                # At present, the only way to identify these is by string comparing the description field. This is not ideal.
-                #   "Security Policies" (e.g., MCSB, NIST, ...) use a description "This object has been generated by Microsoft Defender for Cloud. To make changes, navigate to the security policies management page.",
-                #   "Defender Plans" (e.g., Servers, App Service, Databases, ...) use a description srtaing with "This policy assignment was automatically created by "
-                $description = $properties.description
-                if ($description.StartsWith("This object has been generated by ")) {
-                    $ManagedByCounters.dfcSecurityPolicies += 1
-                    return "managedByDfcSecurityPolicies"
-                }
-                elseif ($description.StartsWith("This policy assignment was automatically created by ")) {
-                    $ManagedByCounters.dfcDefenderPlans += 1
-                    return "managedByDfcDefenderPlans"
+            $description = $properties.description
+            if ($null -ne $description) {
+                $definitionIdParts = Split-AzPolicyResourceId -Id $properties.policyDefinitionId
+                if ($definitionIdParts.scopeType -eq "builtin") {
+                    # Check if the owner is a special case, either managed by DfC's "Security Policies" or one of the "Defender Plans"
+                    # This didcult due to inconsistent naming and createdBy users.
+                    # At present, the only way to identify these is by string comparing the description field. This is not ideal.
+                    #   "Security Policies" (e.g., MCSB, NIST, ...) use a description "This object has been generated by Microsoft Defender for Cloud. To make changes, navigate to the security policies management page.",
+                    #   "Defender Plans" (e.g., Servers, App Service, Databases, ...) use a description srtaing with "This policy assignment was automatically created by "
+                    if ($description.StartsWith("This object has been generated by ")) {
+                        $ManagedByCounters.dfcSecurityPolicies += 1
+                        return "managedByDfcSecurityPolicies"
+                    }
+                    elseif ($description.StartsWith("This policy assignment was automatically created by ")) {
+                        $ManagedByCounters.dfcDefenderPlans += 1
+                        return "managedByDfcDefenderPlans"
+                    }
                 }
             }
         }