ToInclude.ps1
@@ -1,121 +0,0 @@ function Set-ModernAuthenticationBaseline { try { Write-Host -ForegroundColor Yello "Modern Authentication for Exchange Online is stronly recommended." Set-OrganizationConfig -OAuth2ClientProfileEnabled $true Write-Host -ForegroundColor Yello "Modern Authentication is now enabled" } catch { Write-Host -ForegroundColor Yellow "Make your have are connected to Exchange Online" $_ } } ################################################# ## BLOCK BASIC AUTH ################################################# if ($OrgConfig.DefaultAuthenticationPolicy -eq $null -or $OrgConfig.DefaultAuthenticationPolicy -eq "") { Write-Host Write-Host -ForegroundColor $MessageColor "There is no default authentication policy in place" Write-Host -ForegroundColor $MessageColor "NOTE: You don't need one if you are using Security Defaults or Conditional Access" $AuthAnswer = Read-Host "Would you like to block legacy authentication using an authentication policy? Type Y or N and press Enter to continue" if ($AuthAnswer -eq "y" -or $AuthAnswer -eq "yes") { $PolicyName = "Block Basic Auth" $CheckPolicy = Get-AuthenticationPolicy | Where-Object {$_.Name -contains $PolicyName} if (!$CheckPolicy) { New-AuthenticationPolicy -Name $PolicyName Write-Host Write-Host -ForegroundColor $MessageColor "Block Basic Auth policy has been created" } else { Write-Host Write-Host -ForegroundColor $MessageColor "Block Basic Auth policy already exists" } Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName Write-Host Write-Host -ForegroundColor $MessageColor "Block Basic Auth has been set as the default authentication policy for the organization; to create exceptions to this policy, please see the comments included at the end of this script." Write-Host } else { Write-Host Write-Host -ForegroundColor $AssessmentColor "Block Basic Auth will not be set as the default authentication policy." Write-Host } } else { Write-Host Write-Host -ForegroundColor $AssessmentColor "There is already a default policy in place. No changes will be made. Your default authentication policy is:" Write-Host $OrgConfig.DefaultAuthenticationPolicy Write-Host } ################################################# ## DISABLE AUTOMATIC FORWARDING ################################################# $RemoteDomainDefault = Get-RemoteDomain Default if ($RemoteDomainDefault.AutoForwardEnabled) { Write-Host Write-Host -ForegroundColor $AssessmentColor "Auto-forwarding to remote domains is currently allowed." Write-Host $Answer = Read-Host "Do you want to block auto-forwarding to remote domains? Type Y or N and press Enter to continue" if ($Answer -eq 'y' -or $Answer -eq 'yes') { ## DENY AUTOFORWARD ON THE DEFAULT REMOTE DOMAIN (*) Set-RemoteDomain Default -AutoForwardEnabled $false <# This section is optional ## ALSO DENY AUTO-FORWARDING FROM MAILBOX RULES VIA TRANSPORT RULE WITH REJECTION MESSAGE $TransportRuleName = "External Forward Block" $rejectMessageText = "Mail forwarding to external domains is not permitted. If you have questions, please contact support." $ExternalForwardRule = Get-TransportRule | Where-Object {$_.Identity -contains $TransportRuleName} if (!$ExternalForwardRule) { Write-Output "External Forward Block rule not found, creating rule..." New-TransportRule -name $TransportRuleName -Priority 1 -SentToScope NotInOrganization -MessageTypeMatches AutoForward -RejectMessageEnhancedStatusCode 5.7.1 -RejectMessageReasonText $rejectMessageText } else {Write-Output "External forward block rule already exists."} #> Write-Host Write-Host -ForegroundColor $MessageColor "Auto-forwarding to remote domains is now disabled" } else { Write-Host Write-Host -ForegroundColor $AssessmentColor "Auto-forwarding to remote domains will not be disabled" } <# This section is optional ## EXPORT LIST OF FORWARDERS TO CSV Write-Host $Answer2 = Read-Host "Do you want to export to CSV a list of mailboxes that might be impacted by disabling auto-forward to remote domains? Type Y or N and press Enter to continue" if ($Answer2 -eq 'y' -or $Answer2 -eq 'yes') { ## Collect existing mailbox forwarding into CSV files at C:\temp\DomainName-MailboxForwarding.csv and DomainName-InboxRules.csv Write-Host Write-Host -ForegroundColor $AssessmentColor "Exporting known mailbox forwarders and inbox rules that auto-forward" $DefaultDomainName = Get-AcceptedDomain | Where-Object Default -EQ True Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -ne "DiscoveryMailbox") -and ((ForwardingSmtpAddress -ne $null) -or (ForwardingAddress -ne $null))} | Select Identity,ForwardingSmtpAddress,ForwardingAddress | Export-Csv c:\temp\$DefaultDomainName-MailboxForwarding.csv -append foreach ($a in (Get-Mailbox -ResultSize Unlimited |select PrimarySMTPAddress)) {Get-InboxRule -Mailbox $a.PrimarySMTPAddress | ?{($_.ForwardTo -ne $null) -or ($_.ForwardAsAttachmentTo -ne $null) -or ($_.DeleteMessage -eq $true) -or ($_.RedirectTo -ne $null)} |select Name,Identity,ForwardTo,ForwardAsAttachmentTo, RedirectTo, DeleteMessage | Export-Csv c:\temp\$DefaultDomainName-InboxRules.csv -append } Write-Host Write-Host -ForegroundColor $AssessmentColor "After running this script, check the CSV files under C:\temp for a list of mail users who may be affected by disabling the ability to auto-forward messages to external domains" } else { Write-Host Write-Host -ForegroundColor $MessageColor "Run the script again if you wish to export auto-forwarding mailboxes and inbox rules" } #> } else { Write-Host Write-Host -ForegroundColor $MessageColor "Auto-forwarding to remote domains is already disabled" } ################################################# ## SET RETAIN DELETED ITEMS TO 30 DAYS ## ANY SUBSCRIPTION ################################################# Write-Host $CurrentRetention = (Get-Mailbox -ResultSize Unlimited).RetainDeletedItemsFor Write-Host -ForegroundColor $AssessmentColor "Current retention limit (in days and number of mailboxes):" $CurrentRetention | group | select name, count | ft $Answer = Read-Host "Would you like to enforce the maximum allowed value of 30 days retention of deleted items for all mailboxes? Type Y or N and press Enter to continue" if ($Answer -eq 'y' -or $Answer -eq 'yes') { Get-Mailbox -ResultSize Unlimited | Set-Mailbox -RetainDeletedItemsFor 30 Get-MailboxPlan | Set-MailboxPlan -RetainDeletedItemsFor 30 Write-Host Write-Host -ForegroundColor $MessageColor "Deleted items will be retained for the maximum of 30 days for all mailboxes" } else { Write-Host Write-Host -ForegroundColor $AssessmentColor "The deleted items retention value has not been modified on any mailboxes" } |