SHELL/3.2.2.ps1
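# CIS Microsoft 365 Foundations Benchmark, check 3.2.2:
# "Ensure DLP policies are enabled for Microsoft Teams".
#
# Requires a Security & Compliance PowerShell session (Connect-IPPSSession).
# Emits exactly one [pscustomobject] describing the result. Any exception is
# caught and reported as Status = "ERROR" rather than thrown, so the check can
# be run in bulk alongside other benchmark checks.
$CheckId = "3.2.2"
$Title = "Ensure DLP policies are enabled for Microsoft Teams"
$Level = "L1"
$BenchmarkType = "Automated"

# Permitted TeamsLocationException entries. Empty means ANY exception makes a
# policy non-compliant; add entries only for exceptions your organisation has
# explicitly approved.
$AllowedExceptions = @()

try {
    # Connect only when the cmdlet is not already available in this session.
    if (-not (Get-Command Get-DlpCompliancePolicy -ErrorAction SilentlyContinue)) {
        Connect-IPPSSession -ErrorAction Stop
    }

    # Steps 1 & 2: retrieve every DLP compliance policy in the tenant.
    $DlpPolicy = Get-DlpCompliancePolicy -ErrorAction Stop

    # Step 3: keep only the policies whose workload covers Teams.
    # @() guarantees a collection so .Count is reliable for 0, 1 or many results.
    $TeamsPolicies = @($DlpPolicy | Where-Object { $_.Workload -match "Teams" })
    $NonCompliantPolicies = @()

    if ($TeamsPolicies.Count -eq 0) {
        $Status = "FAIL"
        $Pass = $false
        $Finding = "No DLP policies found that include Microsoft Teams."
    }
    else {
        foreach ($Policy in $TeamsPolicies) {
            # Only "Enable" enforces the policy; test modes merely report.
            $ModeCheck = $Policy.Mode -eq "Enable"

            # Anchor the pattern: an unanchored -match "All" would also accept a
            # location whose display name merely contains "All" (e.g. a user or
            # group name), producing a false PASS. [bool] normalises the result,
            # since -match returns the matching elements when the left side is
            # a collection and a bool when it is a scalar.
            $TeamsLocationCheck = [bool]($Policy.TeamsLocation -match "^All$")

            # Null guard first: piping $null through Where-Object would emit a
            # single $null item and wrongly count as one disallowed exception.
            $ExceptionCheck = (
                -not $Policy.TeamsLocationException -or
                @($Policy.TeamsLocationException | Where-Object { $_ -notin $AllowedExceptions }).Count -eq 0
            )

            if (-not ($ModeCheck -and $TeamsLocationCheck -and $ExceptionCheck)) {
                $NonCompliantPolicies += $Policy
            }
        }

        if ($NonCompliantPolicies.Count -gt 0) {
            $Status = "FAIL"
            $Pass = $false
            $Finding = "One or more Teams DLP policies are not properly configured."
        }
        else {
            $Status = "PASS"
            $Pass = $true
            $Finding = "All Teams DLP policies are properly configured."
        }
    }

    # Result object. Finding was previously computed but never emitted; it is
    # now surfaced, together with the names of the policies that failed, so a
    # reviewer can act on a FAIL without re-running the query by hand.
    [pscustomobject]@{
        CheckId = $CheckId
        Title = $Title
        Level = $Level
        BenchmarkType = $BenchmarkType
        Status = $Status
        Pass = $Pass
        Finding = $Finding
        Evidence = [pscustomobject]@{
            TeamsPolicies = $TeamsPolicies | Select-Object Name, Mode, TeamsLocation, TeamsLocationException
            NonCompliantPolicies = @($NonCompliantPolicies | Select-Object -ExpandProperty Name)
            SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
        }
        Error = $null
        Timestamp = Get-Date
    }
}
catch {
    # Same shape as the success object so consumers can rely on the fields;
    # Pass is $null (not $false) to distinguish "could not evaluate" from FAIL.
    [pscustomobject]@{
        CheckId = $CheckId
        Title = $Title
        Level = $Level
        BenchmarkType = $BenchmarkType
        Status = "ERROR"
        Pass = $null
        Finding = $null
        Evidence = $null
        Error = $_.Exception.Message
        Timestamp = Get-Date
    }
}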