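# CIS Microsoft 365 Foundations Benchmark 5.1.2.2 (L2, Automated):
# "Ensure third party integrated applications are not allowed".
#
# Reads the tenant authorization policy through Microsoft Graph and passes
# only when DefaultUserRolePermissions.AllowedToCreateApps is False, i.e.
# non-admin users cannot register application objects (the registration
# that a consent-phished user would otherwise create for a third-party app).
#
# Output: exactly one [pscustomobject] with CheckId, Title, Level,
# BenchmarkType, Status (PASS | FAIL | ERROR), Pass ($true/$false, $null on
# ERROR), Evidence, Error and Timestamp. Every failure path, including an
# unexpected exception, is reported as Status = ERROR instead of being
# thrown, so a harness running many checks keeps going.
#
# NOTE(review): this script does not call Connect-MgGraph; it assumes a
# session that already holds a permission allowing the policy to be read.

$CheckId = "5.1.2.2"
$Title = "Ensure third party integrated applications are not allowed"
$Level = "L2"
$BenchmarkType = "Automated"
$AuditCommands = @(
    '(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions | Format-List AllowedToCreateApps'
)
$SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"

# Locate the AllowedToCreateApps value on an authorization policy object.
# The Graph SDK has returned this setting in several shapes over time, so
# three are tried in order: a typed DefaultUserRolePermissions property, a
# DefaultUserRolePermissions dictionary (either key casing), and finally the
# raw AdditionalProperties['defaultUserRolePermissions'] dictionary.
# Returns the raw value untouched (no type coercion), or $null when none of
# the shapes carries the setting.
function Get-AllowedToCreateAppsValue {
    param(
        [Parameter(Mandatory = $true)]
        [object]$AuthorizationPolicy
    )

    $DefaultPerms = $AuthorizationPolicy.DefaultUserRolePermissions
    if ($null -ne $DefaultPerms) {
        # Typed SDK object: the property is exposed directly.
        if ($null -ne $DefaultPerms.PSObject -and
            $null -ne $DefaultPerms.PSObject.Properties['AllowedToCreateApps']) {
            return $DefaultPerms.AllowedToCreateApps
        }
        # Dictionary-shaped permissions block, either casing of the key.
        if ($DefaultPerms -is [System.Collections.IDictionary]) {
            foreach ($Key in @('AllowedToCreateApps', 'allowedToCreateApps')) {
                if ($DefaultPerms.Contains($Key)) {
                    return $DefaultPerms[$Key]
                }
            }
        }
    }

    # Fall back to the untyped JSON payload kept in AdditionalProperties.
    if ($null -ne $AuthorizationPolicy.PSObject.Properties['AdditionalProperties']) {
        $Additional = $AuthorizationPolicy.AdditionalProperties
        if ($Additional -is [System.Collections.IDictionary] -and
            $Additional.Contains('defaultUserRolePermissions')) {
            $Inner = $Additional['defaultUserRolePermissions']
            if ($Inner -is [System.Collections.IDictionary]) {
                foreach ($Key in @('allowedToCreateApps', 'AllowedToCreateApps')) {
                    if ($Inner.Contains($Key)) {
                        return $Inner[$Key]
                    }
                }
            }
        }
    }

    return $null
}

# Strictly interpret the raw AllowedToCreateApps value as a boolean.
# A plain [bool] cast is wrong here: PowerShell treats ANY non-empty string
# as $true, so a value of "False" coming back from an untyped dictionary
# would be read as "users may create apps". Accepts [bool], the strings
# true/false/1/0 (case-insensitive, whitespace trimmed) and numeric types;
# returns $null for anything else so the caller can report ERROR rather
# than guess.
function ConvertTo-AllowedToCreateAppsBoolean {
    param(
        [object]$Value
    )

    if ($Value -is [bool]) {
        return $Value
    }
    if ($Value -is [string]) {
        switch ($Value.Trim().ToLowerInvariant()) {
            'true'  { return $true }
            '1'     { return $true }
            'false' { return $false }
            '0'     { return $false }
        }
        return $null
    }
    # Numeric value types (int, long, double, ...) convert unambiguously.
    if ($Value -is [ValueType]) {
        return [bool]$Value
    }
    return $null
}

# Build the single result object every code path emits, keeping the field
# order identical across PASS, FAIL and ERROR so downstream consumers can
# rely on it. $ErrorMessage is named to avoid shadowing the automatic $Error.
function New-CheckResult {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Status,
        [AllowNull()]
        [object]$Pass,
        [Parameter(Mandatory = $true)]
        [object]$Evidence,
        [AllowNull()]
        [string]$ErrorMessage
    )

    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = $Status
        Pass          = $Pass
        Evidence      = $Evidence
        Error         = $ErrorMessage
        Timestamp     = Get-Date
    }
}

try {
    # Without the Graph cmdlet there is nothing to assess; report ERROR, not FAIL.
    if (-not (Get-Command -Name Get-MgPolicyAuthorizationPolicy -ErrorAction SilentlyContinue)) {
        New-CheckResult -Status "ERROR" -Pass $null `
            -Evidence ([pscustomobject]@{
                AuditCommands  = $AuditCommands
                SourceDocument = $SourceDocument
            }) `
            -ErrorMessage "Get-MgPolicyAuthorizationPolicy cmdlet is unavailable in the current session."
        return
    }

    $AuthPolicy = Get-MgPolicyAuthorizationPolicy
    if ($null -eq $AuthPolicy) {
        New-CheckResult -Status "ERROR" -Pass $null `
            -Evidence ([pscustomobject]@{
                AuditCommands  = $AuditCommands
                SourceDocument = $SourceDocument
            }) `
            -ErrorMessage "Get-MgPolicyAuthorizationPolicy returned no result."
        return
    }

    $AllowedToCreateAppsRaw = Get-AllowedToCreateAppsValue -AuthorizationPolicy $AuthPolicy
    if ($null -eq $AllowedToCreateAppsRaw) {
        # The whole policy is attached so the operator can see which shape came back.
        New-CheckResult -Status "ERROR" -Pass $null `
            -Evidence ([pscustomobject]@{
                AuditCommands       = $AuditCommands
                AuthorizationPolicy = $AuthPolicy
                SourceDocument      = $SourceDocument
            }) `
            -ErrorMessage "AllowedToCreateApps value was not found in DefaultUserRolePermissions."
        return
    }

    $AllowedToCreateApps = ConvertTo-AllowedToCreateAppsBoolean -Value $AllowedToCreateAppsRaw
    if ($null -eq $AllowedToCreateApps) {
        # Refuse to grade an unrecognised value; a wrong PASS here would hide a real gap.
        New-CheckResult -Status "ERROR" -Pass $null `
            -Evidence ([pscustomobject]@{
                AuditCommands          = $AuditCommands
                RawAllowedToCreateApps = $AllowedToCreateAppsRaw
                SourceDocument         = $SourceDocument
            }) `
            -ErrorMessage "AllowedToCreateApps value '$AllowedToCreateAppsRaw' could not be interpreted as a boolean."
        return
    }

    # Benchmark expectation: users must NOT be able to register applications.
    $Pass = ($AllowedToCreateApps -eq $false)
    $ResultStatus = if ($Pass) { "PASS" } else { "FAIL" }
    $ResultError = if ($Pass) { $null } else { "AllowedToCreateApps is True (users can register applications)." }

    New-CheckResult -Status $ResultStatus -Pass $Pass `
        -Evidence ([pscustomobject]@{
            AuditCommands          = $AuditCommands
            AllowedToCreateApps    = $AllowedToCreateApps
            RawAllowedToCreateApps = $AllowedToCreateAppsRaw
            RecommendedState       = "AllowedToCreateApps = False"
            SourceDocument         = $SourceDocument
        }) `
        -ErrorMessage $ResultError
}
catch {
    # Any other failure (auth, throttling, transport) is surfaced as ERROR with the message.
    New-CheckResult -Status "ERROR" -Pass $null `
        -Evidence ([pscustomobject]@{
            AuditCommands  = $AuditCommands
            SourceDocument = $SourceDocument
        }) `
        -ErrorMessage $_.Exception.Message
}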