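<#
.SYNOPSIS
    CIS Microsoft 365 Foundations Benchmark check 5.1.5.1 (L2, Automated):
    ensure user consent to apps accessing company data on their behalf is not allowed.

.DESCRIPTION
    Reads the tenant authorization policy with Get-MgPolicyAuthorizationPolicy and
    inspects DefaultUserRolePermissions.PermissionGrantPoliciesAssigned. The check
    FAILs when either of the two benchmark-named self-consent grant policies
    (ManagePermissionGrantsForSelf.microsoft-user-default-low / -legacy) is assigned.
    An empty assignment list PASSes.

    Exactly one [pscustomobject] is emitted on every path, with the fields
    CheckId, Title, Level, BenchmarkType, Status (PASS / FAIL / ERROR),
    Pass ($true / $false / $null), Evidence, Error and Timestamp. Unexpected
    exceptions are reported as an ERROR result instead of terminating the caller.

.NOTES
    Requires a session in which Get-MgPolicyAuthorizationPolicy is available
    (the script checks for the cmdlet but does not connect to Graph itself).
#>

$CheckId        = "5.1.5.1"
$Title          = "Ensure user consent to apps accessing company data on their behalf is not allowed"
$Level          = "L2"
$BenchmarkType  = "Automated"
$SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
$AuditCommands  = @(
    '(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions | Select-Object -ExpandProperty PermissionGrantPoliciesAssigned'
)

# Permission grant policies that the benchmark treats as "user self-consent allowed".
# Either one being assigned fails the check.
$BlockedValues = @(
    'ManagePermissionGrantsForSelf.microsoft-user-default-low',
    'ManagePermissionGrantsForSelf.microsoft-user-default-legacy'
)

function New-CheckResult {
    <#
    .SYNOPSIS
        Builds the single result object that every exit path of this check emits.
    .PARAMETER Status
        PASS, FAIL or ERROR.
    .PARAMETER Pass
        $true for PASS, $false for FAIL, $null for ERROR.
    .PARAMETER Evidence
        Check-specific evidence fields. AuditCommands is always prepended and
        SourceDocument always appended so the evidence shape is stable across paths.
    .PARAMETER ErrorMessage
        Human-readable failure / error text, or $null when there is nothing to report.
        (Deliberately untyped: a [string] parameter would turn $null into "".)
    #>
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('PASS', 'FAIL', 'ERROR')]
        [string]$Status,

        [AllowNull()]
        [object]$Pass,

        [System.Collections.IDictionary]$Evidence = @{},

        $ErrorMessage = $null
    )

    # Ordered so the evidence object serialises identically on every path.
    $EvidenceObject = [ordered]@{ AuditCommands = $AuditCommands }
    foreach ($Key in $Evidence.Keys) {
        $EvidenceObject[$Key] = $Evidence[$Key]
    }
    $EvidenceObject['SourceDocument'] = $SourceDocument

    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = $Status
        Pass          = $Pass
        Evidence      = [pscustomobject]$EvidenceObject
        Error         = $ErrorMessage
        Timestamp     = Get-Date
    }
}

function Resolve-DictionaryKey {
    <#
    .SYNOPSIS
        Finds the stored key of an IDictionary that matches a name case-insensitively.
    .DESCRIPTION
        Enumerates Keys instead of calling .Contains()/.ContainsKey(): Dictionary<TKey,TValue>
        exposes Contains only through the non-generic interface (which may not bind from
        Windows PowerShell), and not every IDictionary implementation has ContainsKey.
        Returning the stored key lets the caller index with the exact casing, which matters
        for case-sensitive dictionaries.
    .PARAMETER Dictionary
        Any System.Collections.IDictionary (Hashtable, Dictionary<,>, OrderedDictionary, ...).
    .PARAMETER Name
        Key name to look for, compared case-insensitively.
    .OUTPUTS
        The stored key when present, otherwise $null.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [System.Collections.IDictionary]$Dictionary,

        [Parameter(Mandatory = $true)]
        [string]$Name
    )

    foreach ($Key in $Dictionary.Keys) {
        if ($Key -is [string] -and $Key -ieq $Name) {
            return $Key
        }
    }
    return $null
}

function Get-PermissionGrantPoliciesAssigned {
    <#
    .SYNOPSIS
        Extracts DefaultUserRolePermissions.PermissionGrantPoliciesAssigned from an
        authorization policy object.
    .DESCRIPTION
        Tolerates the shapes the policy can arrive in: a typed object exposing a
        PermissionGrantPoliciesAssigned property, a dictionary keyed in either casing,
        or the raw fragment under AdditionalProperties['defaultUserRolePermissions'].
    .PARAMETER AuthorizationPolicy
        Output of Get-MgPolicyAuthorizationPolicy (or an equivalent object / dictionary).
    .OUTPUTS
        An array (possibly EMPTY) when the value was located; $null when it was not.
        Results are emitted with the unary comma so that an empty assignment list -
        the compliant configuration - reaches the caller as an empty array instead of
        unrolling to nothing on the pipeline and being mistaken for "not found".
    #>
    param(
        [Parameter(Mandatory = $true)]
        [object]$AuthorizationPolicy
    )

    $DefaultPerms = $AuthorizationPolicy.DefaultUserRolePermissions
    if ($null -ne $DefaultPerms) {
        $Prop = $DefaultPerms.PSObject.Properties['PermissionGrantPoliciesAssigned']
        if ($null -ne $Prop) {
            return ,@($Prop.Value)
        }
        if ($DefaultPerms -is [System.Collections.IDictionary]) {
            $Key = Resolve-DictionaryKey -Dictionary $DefaultPerms -Name 'PermissionGrantPoliciesAssigned'
            if ($null -ne $Key) {
                return ,@($DefaultPerms[$Key])
            }
        }
    }

    # Fallback: the SDK may leave unmapped JSON in AdditionalProperties.
    if ($null -ne $AuthorizationPolicy.PSObject.Properties['AdditionalProperties']) {
        $Additional = $AuthorizationPolicy.AdditionalProperties
        if ($Additional -is [System.Collections.IDictionary]) {
            $OuterKey = Resolve-DictionaryKey -Dictionary $Additional -Name 'defaultUserRolePermissions'
            if ($null -ne $OuterKey) {
                $Inner = $Additional[$OuterKey]
                if ($Inner -is [System.Collections.IDictionary]) {
                    $InnerKey = Resolve-DictionaryKey -Dictionary $Inner -Name 'permissionGrantPoliciesAssigned'
                    if ($null -ne $InnerKey) {
                        return ,@($Inner[$InnerKey])
                    }
                }
            }
        }
    }

    return $null
}

try {
    if (-not (Get-Command -Name Get-MgPolicyAuthorizationPolicy -ErrorAction SilentlyContinue)) {
        New-CheckResult -Status 'ERROR' -Pass $null `
            -ErrorMessage "Get-MgPolicyAuthorizationPolicy cmdlet is unavailable in the current session."
        return
    }

    $AuthPolicy = Get-MgPolicyAuthorizationPolicy
    if ($null -eq $AuthPolicy) {
        New-CheckResult -Status 'ERROR' -Pass $null `
            -ErrorMessage "Get-MgPolicyAuthorizationPolicy returned no result."
        return
    }

    $AssignedRaw = Get-PermissionGrantPoliciesAssigned -AuthorizationPolicy $AuthPolicy
    if ($null -eq $AssignedRaw) {
        # Keep the raw policy in the evidence so the reviewer can see which shape was not handled.
        New-CheckResult -Status 'ERROR' -Pass $null `
            -Evidence ([ordered]@{ AuthorizationPolicy = $AuthPolicy }) `
            -ErrorMessage "PermissionGrantPoliciesAssigned was not found in DefaultUserRolePermissions."
        return
    }

    # Normalise: stringify, trim, drop blanks/nulls. An empty list here is the compliant state.
    $Assigned = @($AssignedRaw |
        ForEach-Object { ([string]$_).Trim() } |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_) })

    # -in compares case-insensitively, so casing differences in the returned ids
    # cannot produce a false PASS.
    $PresentBlockedValues = @($Assigned | Where-Object { $_ -in $BlockedValues })

    # Informational only: any other assignment under the ManagePermissionGrantsForSelf.*
    # prefix that the benchmark does not name is surfaced as evidence for the reviewer.
    # It does not affect Pass, which follows the two benchmark values exactly.
    $OtherSelfConsentValues = @($Assigned | Where-Object {
        $_ -like 'ManagePermissionGrantsForSelf.*' -and $_ -notin $BlockedValues
    })

    $Pass = ($PresentBlockedValues.Count -eq 0)
    $Evidence = [ordered]@{
        PermissionGrantPoliciesAssigned = @($Assigned)
        DisallowedPolicyValues          = @($BlockedValues)
        DisallowedValuesFound           = @($PresentBlockedValues)
        OtherSelfConsentPoliciesFound   = @($OtherSelfConsentValues)
    }

    if ($Pass) {
        New-CheckResult -Status 'PASS' -Pass $true -Evidence $Evidence -ErrorMessage $null
    }
    else {
        New-CheckResult -Status 'FAIL' -Pass $false -Evidence $Evidence `
            -ErrorMessage "Disallowed self-consent permission grant policy is assigned."
    }
}
catch {
    New-CheckResult -Status 'ERROR' -Pass $null -ErrorMessage $_.Exception.Message
}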