SHELL/1.3.4.ps1
|
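# Check 1.3.4: reports whether the tenant's "User owned apps and services"
# settings are restricted, i.e. whether isOfficeStoreEnabled and
# isAppAndServicesTrialEnabled are both False in the Graph (beta)
# admin/appsAndServices/settings response.
#
# Emits exactly one result object (CheckId, Title, Status, Pass, Evidence,
# Error, Timestamp):
#   PASS / FAIL    - both flags were read as booleans; Pass is $true / $false.
#   MANUAL_REVIEW  - the request failed and the error text looks like a
#                    permission problem; Pass is $null.
#   ERROR          - any other failure, including a response that does not
#                    carry both flags; Pass is $null.
$CheckId = "1.3.4"
$Title = "Ensure 'User owned apps and services' is restricted"
$Uri = "https://graph.microsoft.com/beta/admin/appsAndServices/settings"

try {
    # -ErrorAction Stop so a failed request always lands in the catch block.
    $Settings = Invoke-MgGraphRequest -Method GET -Uri $Uri -ErrorAction Stop

    $RawOfficeStore = $Settings.isOfficeStoreEnabled
    $RawTrials = $Settings.isAppAndServicesTrialEnabled

    # Fail closed: casting a missing property with [bool] yields $false, which
    # this check would read as "restricted" and report PASS. If the response is
    # empty or shaped differently than expected, report that the state could
    # not be determined instead of passing the control.
    if (($RawOfficeStore -isnot [bool]) -or ($RawTrials -isnot [bool])) {
        throw "Graph response did not contain boolean isOfficeStoreEnabled and isAppAndServicesTrialEnabled values; the setting state could not be determined."
    }

    $OfficeStoreEnabled = [bool]$RawOfficeStore
    $TrialsEnabled = [bool]$RawTrials

    # Compliant only when both the Office Store and trials are disabled.
    $Pass = (-not $OfficeStoreEnabled) -and (-not $TrialsEnabled)

    [pscustomobject]@{
        CheckId   = $CheckId
        Title     = $Title
        Status    = if ($Pass) { "PASS" } else { "FAIL" }
        Pass      = $Pass
        Evidence  = [pscustomobject]@{
            Uri                          = $Uri
            isOfficeStoreEnabled         = $OfficeStoreEnabled
            isAppAndServicesTrialEnabled = $TrialsEnabled
            RecommendedState             = "Both values should be False."
        }
        Error     = $null
        Timestamp = Get-Date
    }
}
catch {
    $Message = $_.Exception.Message

    # Heuristic on the error text only: permission-style failures are routed to
    # a manual review rather than being reported as a tooling error.
    $IsPermissionIssue = $Message -match "(?i)forbidden|insufficient|authorization|access denied"

    [pscustomobject]@{
        CheckId   = $CheckId
        Title     = $Title
        Status    = if ($IsPermissionIssue) { "MANUAL_REVIEW" } else { "ERROR" }
        # $null (not $false): the setting state is unknown, not non-compliant.
        Pass      = $null
        Evidence  = [pscustomobject]@{
            Uri                = $Uri
            RequiredGraphScope = "OrgSettings-AppsAndServices.Read.All"
            ReviewAction       = "Verify isOfficeStoreEnabled and isAppAndServicesTrialEnabled are both False."
        }
        Error     = $Message
        Timestamp = Get-Date
    }
}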