SHELL/5.1.2.6.ps1
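<#
.SYNOPSIS
    CIS Microsoft 365 Foundations Benchmark v6.0.1, check 5.1.2.6:
    "Ensure 'LinkedIn account connections' is disabled" (Level 2, Manual).

.DESCRIPTION
    Reads the tenant's LinkedIn account-connection setting through Microsoft
    Graph and emits a single [pscustomobject] result. Two sources are tried in
    order:
      1. the beta organization settings endpoint
         (settings/microsoftApplicationDataAccess), then
      2. the authorization policy's defaultUserRolePermissions.

    The check PASSes only when a setting is found and evaluates to $false.
    A setting that cannot be located, or whose value cannot be interpreted as
    a boolean, is reported as FAIL with an explanatory Error, so an unreadable
    tenant never passes by accident. Any error outside the best-effort lookups
    (no organization object, no Graph session) yields Status = ERROR.

    Graph may return the setting as a real [bool] or as a string; strings are
    parsed explicitly because a plain [bool] cast of "false" is $true.

.OUTPUTS
    [pscustomobject] with CheckId, Title, Level, BenchmarkType, Status
    (PASS | FAIL | ERROR), Pass ($true | $false | $null), Evidence, Error and
    Timestamp. Evidence always carries AuditCommands and SourceDocument.

.NOTES
    Requires an existing Microsoft Graph connection able to read the
    organization object, its settings and the authorization policy.
#>

$CheckId = "5.1.2.6"
$Title = "Ensure 'LinkedIn account connections' is disabled"
$Level = "L2"
$BenchmarkType = "Manual"
$SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
$AuditCommands = @(
    "Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/organization/{id}/settings/microsoftApplicationDataAccess'",
    "Evaluate isLinkedInAccountConnectionsAllowed"
)

<#
.SYNOPSIS
    Case-insensitive property lookup that works for both hashtables (what
    Invoke-MgGraphRequest returns) and PSObjects (what the Graph SDK cmdlets
    return).
.PARAMETER Object
    Hashtable, dictionary or any object with PSObject properties; may be $null.
.PARAMETER Name
    Property or key name, compared case-insensitively.
.OUTPUTS
    The matching value, or $null when Object is $null or no name matches.
#>
function Get-PropValue {
    param(
        [AllowNull()]$Object,
        [string]$Name
    )

    if ($null -eq $Object) { return $null }

    # Dictionary keys first: Graph JSON comes back as a Hashtable whose keys
    # are case-sensitive, hence the manual -ieq scan instead of $Object[$Name].
    if ($Object -is [System.Collections.IDictionary]) {
        foreach ($Key in $Object.Keys) {
            if ([string]$Key -ieq $Name) { return $Object[$Key] }
        }
    }

    # Fall back to the adapted property view (SDK model objects, PSCustomObject).
    if ($Object.PSObject -and $Object.PSObject.Properties) {
        foreach ($Property in $Object.PSObject.Properties) {
            if ([string]$Property.Name -ieq $Name) { return $Property.Value }
        }
    }

    return $null
}

<#
.SYNOPSIS
    Interprets a setting value as a boolean without the [bool]-cast pitfall
    where any non-empty string (including "false") becomes $true.
.PARAMETER Value
    Raw value from Graph: [bool], string, number or $null.
.OUTPUTS
    $true / $false, or $null when the value is absent or not recognisably
    boolean (the caller treats $null as "setting not identified").
#>
function ConvertTo-SettingBool {
    param([AllowNull()]$Value)

    if ($null -eq $Value) { return $null }
    if ($Value -is [bool]) { return $Value }

    if ($Value -is [string]) {
        # switch -Regex is case-insensitive by default.
        switch -Regex ($Value.Trim()) {
            '^(true|yes|1|enabled)$'    { return $true }
            '^(false|no|0|disabled)$'   { return $false }
            default                     { return $null }
        }
    }

    # Numbers and other scalars: rely on the normal PowerShell conversion,
    # but never let a conversion failure escape as an ERROR for the check.
    try { return [bool]$Value } catch { return $null }
}

try {
    $Org = Get-MgOrganization -ErrorAction Stop | Select-Object -First 1
    if (-not $Org) { throw "No organization object returned." }

    # Lookup failures below are deliberately non-fatal (the first endpoint is
    # beta and may be absent or forbidden); their messages are kept so a FAIL
    # result can explain why nothing was found.
    $LookupErrors = @()

    # Source 1: beta organization settings.
    $LinkedInSettings = $null
    try {
        $LinkedInSettings = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/organization/$($Org.Id)/settings/microsoftApplicationDataAccess" -ErrorAction Stop
    }
    catch {
        $LinkedInSettings = $null
        $LookupErrors += "microsoftApplicationDataAccess: $($_.Exception.Message)"
    }

    $RawAllowed = $null
    $AllowedSource = $null
    if ($LinkedInSettings) {
        foreach ($PropertyName in @(
                "isLinkedInAccountConnectionsAllowed",
                "isLinkedInEnabled",
                "linkedInAccountConnectionsEnabled",
                "allowLinkedInConnections"
            )) {
            $RawAllowed = Get-PropValue -Object $LinkedInSettings -Name $PropertyName
            if ($null -ne $RawAllowed) {
                $AllowedSource = "microsoftApplicationDataAccess.$PropertyName"
                break
            }
        }
    }

    # Source 2: authorization policy default user permissions.
    if ($null -eq $RawAllowed) {
        try {
            $AuthPolicy = Get-MgPolicyAuthorizationPolicy -ErrorAction Stop
            $DefaultPerms = Get-PropValue -Object $AuthPolicy -Name "defaultUserRolePermissions"
            if ($null -eq $DefaultPerms) {
                # Some SDK versions surface unmapped JSON under AdditionalProperties.
                $DefaultPerms = Get-PropValue -Object (Get-PropValue -Object $AuthPolicy -Name "AdditionalProperties") -Name "defaultUserRolePermissions"
            }
            foreach ($PropertyName in @("allowedToUseLinkedIn", "AllowedToUseLinkedIn")) {
                $RawAllowed = Get-PropValue -Object $DefaultPerms -Name $PropertyName
                if ($null -ne $RawAllowed) {
                    $AllowedSource = "authorizationPolicy.defaultUserRolePermissions.$PropertyName"
                    break
                }
            }
        }
        catch {
            $LookupErrors += "authorizationPolicy: $($_.Exception.Message)"
        }
    }

    $Allowed = ConvertTo-SettingBool -Value $RawAllowed

    if ($null -eq $Allowed) {
        $NotFoundMessage = if ($null -eq $RawAllowed) {
            "Could not identify a LinkedIn account connection setting in Graph responses."
        }
        else {
            "LinkedIn account connection setting '$AllowedSource' has a non-boolean value: '$RawAllowed'."
        }
        [pscustomobject]@{
            CheckId       = $CheckId
            Title         = $Title
            Level         = $Level
            BenchmarkType = $BenchmarkType
            Status        = "FAIL"
            Pass          = $false
            Evidence      = [pscustomobject]@{
                AuditCommands    = $AuditCommands
                LinkedInSettings = $LinkedInSettings
                RawValue         = $RawAllowed
                LookupErrors     = $LookupErrors
                SourceDocument   = $SourceDocument
            }
            Error         = $NotFoundMessage
            Timestamp     = Get-Date
        }
        return
    }

    # Disabled connections (value $false) is the compliant state.
    $Pass = ($Allowed -eq $false)
    $Status = if ($Pass) { "PASS" } else { "FAIL" }

    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = $Status
        Pass          = $Pass
        Evidence      = [pscustomobject]@{
            AuditCommands                       = $AuditCommands
            IsLinkedInAccountConnectionsAllowed = $Allowed
            SettingSource                       = $AllowedSource
            LookupErrors                        = $LookupErrors
            SourceDocument                      = $SourceDocument
        }
        Error         = if ($Pass) { $null } else { "LinkedIn account connections are enabled." }
        Timestamp     = Get-Date
    }
}
catch {
    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = "ERROR"
        Pass          = $null
        Evidence      = [pscustomobject]@{
            AuditCommands  = $AuditCommands
            SourceDocument = $SourceDocument
        }
        Error         = $_.Exception.Message
        Timestamp     = Get-Date
    }
}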