public/cis/Test-MtCisThirdPartyAndCustomApps.ps1
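<#
.SYNOPSIS
    Ensure all or a majority of third-party and custom apps are blocked

.DESCRIPTION
    Ensure all or a majority of third-party and custom apps are blocked
    CIS Microsoft 365 Foundations Benchmark v5.0.0

    Reads the Global Teams app permission policy and, for each of the three
    app catalogs (Microsoft, third-party, custom), reports which allow/block
    mode is configured together with a pass/fail status. The overall result
    is $true only when no row is reported as a fail.

.EXAMPLE
    Test-MtCisThirdPartyAndCustomApps

    Returns true if all or a majority of third-party and custom apps are blocked

.OUTPUTS
    [bool] $true or $false for the check; $null when there is no Teams
    connection and the test is skipped.

.LINK
    https://mycorp.dev/docs/commands/Test-MtCisThirdPartyAndCustomApps
#>
function Test-MtCisThirdPartyAndCustomApps {
    [CmdletBinding()]
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '', Justification = 'This test checks multiple types of apps.')]
    [OutputType([bool])]
    param()

    # Without a Teams session the policy cannot be read: record the skip
    # instead of reporting a pass or a fail.
    if (-not (Test-MtConnection Teams)) {
        Add-MtTestResultDetail -SkippedBecause NotConnectedTeams
        return $null
    }

    Write-Verbose "Test-MtCisThirdPartyAndCustomApps: Checking if all or a majority of third-party and custom apps are blocked"

    $return = $true
    try {
        # -ErrorAction Stop sends a failed lookup to the catch block. Without
        # it a non-terminating error leaves $appPermPolicy empty, and the
        # else branches below would render that as "Block all apps".
        $appPermPolicy = Get-CsTeamsAppPermissionPolicy -Identity Global -ErrorAction Stop

        $passResult = "✅ Pass"
        $failResult = "❌ Fail"
        $result = "| Policy | Value | Status |`n"
        $result += "| --- | --- | --- |`n"

        # Each catalog is described by a list type plus a list of apps:
        #   BlockedAppList + empty list     -> nothing is blocked (allow all)
        #   AllowedAppList + non-empty list -> allow-list
        #   BlockedAppList + non-empty list -> deny-list
        #   anything else                   -> reported as "Block all apps"
        #
        # The overall verdict follows the Status column: every row rendered
        # as a fail clears $return, and no row rendered as a pass does.

        # Microsoft apps
        # NOTE(review): the pass/fail statuses for this catalog are kept as
        # written; confirm them against the benchmark text.
        if (($appPermPolicy.DefaultCatalogAppsType -eq "BlockedAppList") -and (-not $appPermPolicy.DefaultCatalogApps)) {
            $result += "| Microsoft apps | Allow all apps | $passResult |`n"
        } elseif (($appPermPolicy.DefaultCatalogAppsType -eq "AllowedAppList") -and ($appPermPolicy.DefaultCatalogApps)) {
            # Reported as a pass, so it must not fail the overall test.
            $result += "| Microsoft apps | Allow specific apps and block all others | $passResult |`n"
        } elseif (($appPermPolicy.DefaultCatalogAppsType -eq "BlockedAppList") -and ($appPermPolicy.DefaultCatalogApps)) {
            # Reported as a fail, so the overall test fails as well.
            $result += "| Microsoft apps | Block specific apps and allow all others | $failResult |`n"
            $return = $false
        } else {
            $result += "| Microsoft apps | Block all apps | $failResult |`n"
            $return = $false
        }

        # Third-party apps
        if (($appPermPolicy.GlobalCatalogAppsType -eq "BlockedAppList") -and (-not $appPermPolicy.GlobalCatalogApps)) {
            $result += "| Third-party apps | Allow all apps | $failResult |`n"
            $return = $false
        } elseif (($appPermPolicy.GlobalCatalogAppsType -eq "AllowedAppList") -and ($appPermPolicy.GlobalCatalogApps)) {
            $result += "| Third-party apps | Allow specific apps and block all others | $passResult |`n"
        } elseif (($appPermPolicy.GlobalCatalogAppsType -eq "BlockedAppList") -and ($appPermPolicy.GlobalCatalogApps)) {
            $result += "| Third-party apps | Block specific apps and allow all others | $failResult |`n"
            $return = $false
        } else {
            $result += "| Third-party apps | Block all apps | $passResult |`n"
        }

        # Custom apps
        if (($appPermPolicy.PrivateCatalogAppsType -eq "BlockedAppList") -and (-not $appPermPolicy.PrivateCatalogApps)) {
            $result += "| Custom apps | Allow all apps | $failResult |`n"
            $return = $false
        } elseif (($appPermPolicy.PrivateCatalogAppsType -eq "AllowedAppList") -and ($appPermPolicy.PrivateCatalogApps)) {
            $result += "| Custom apps | Allow specific apps and block all others | $passResult |`n"
        } elseif (($appPermPolicy.PrivateCatalogAppsType -eq "BlockedAppList") -and ($appPermPolicy.PrivateCatalogApps)) {
            $result += "| Custom apps | Block specific apps and allow all others | $failResult |`n"
            $return = $false
        } else {
            $result += "| Custom apps | Block all apps | $passResult |`n"
        }

        if ($return) {
            $testResultMarkdown = "Well done. All or a majority of third-party and custom apps are blocked.`n`n%TestResult%"
        } else {
            $testResultMarkdown = "All or a majority of third-party or custom apps are allowed.`n`n%TestResult%"
        }
        $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result

        Add-MtTestResultDetail -Result $testResultMarkdown
    } catch {
        # Any error while reading or evaluating the policy fails the check
        # rather than letting it pass silently.
        $return = $false
        Write-Error $_.Exception.Message
    }

    return $return
}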