SHELL/5.1.6.2.ps1
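<#
.SYNOPSIS
    CIS Microsoft 365 Foundations Benchmark v6.0.1, check 5.1.6.2 (L1, Automated):
    "Ensure that guest user access is restricted".

.DESCRIPTION
    Reads the tenant authorization policy through Microsoft Graph PowerShell
    (Get-MgPolicyAuthorizationPolicy) and compares its GuestUserRoleId with the
    two role IDs the benchmark accepts as compliant. Emits exactly one
    [pscustomobject] on the pipeline:

        Status    PASS | FAIL | ERROR
        Pass      $true | $false | $null (on ERROR)
        Evidence  AuditCommands, observed values, SourceDocument
        Error     $null on PASS, otherwise a one-line reason
        Timestamp Get-Date (local time of the auditing host)

    The script never throws: a missing cmdlet, a missing Graph session, or a
    Graph error is reported as Status = "ERROR" with the reason in .Error, so a
    caller iterating many checks can keep going.

.NOTES
    - Needs an existing Connect-MgGraph session whose scope allows reading the
      authorization policy (Policy.Read.All is the usual minimum — confirm
      against the current Graph permission reference for this cmdlet).
    - The benchmark accepts BOTH the "limited" and the "most restrictive" guest
      role. A tenant whose own standard is "most restrictive only" should
      narrow $CompliantValues to the second GUID; as written this check will
      PASS on the weaker of the two.
    - The comparison uses -in, which is case-insensitive, so casing of the
      GUID returned by Graph does not matter.
#>

$CheckId        = "5.1.6.2"
$Title          = "Ensure that guest user access is restricted"
$Level          = "L1"
$BenchmarkType  = "Automated"
$SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
$AuditCommands  = @(
    'Get-MgPolicyAuthorizationPolicy | Format-List GuestUserRoleId'
)

# GuestUserRoleId values the benchmark accepts. The order matches the wording
# of the FAIL message below ("limited or most restrictive").
$CompliantValues = @(
    '10dae51f-b6af-4016-8d66-8c2a99b929b3',
    '2af84b1e-32c8-42b7-82bc-daa82404023b'
)

function New-CheckResult {
    <#
    .SYNOPSIS
        Builds the single result object every exit path of this check emits,
        so PASS/FAIL/ERROR results always have the same property set and order.
    .PARAMETER Status
        PASS, FAIL or ERROR.
    .PARAMETER Pass
        $true / $false, or $null for ERROR. Left untyped on purpose: a [bool]
        parameter would coerce $null to $false.
    .PARAMETER EvidenceExtra
        Optional ordered dictionary of extra evidence properties; they are
        placed between AuditCommands and SourceDocument.
    .PARAMETER ErrorMessage
        Reason text for FAIL/ERROR; $null for PASS. Left untyped so $null is
        not turned into an empty string.
    #>
    param(
        [Parameter(Mandatory)]
        [ValidateSet('PASS', 'FAIL', 'ERROR')]
        [string]$Status,

        $Pass = $null,

        [System.Collections.IDictionary]$EvidenceExtra = [ordered]@{},

        $ErrorMessage = $null
    )

    $evidence = [ordered]@{ AuditCommands = $AuditCommands }
    foreach ($key in $EvidenceExtra.Keys) {
        $evidence[$key] = $EvidenceExtra[$key]
    }
    $evidence['SourceDocument'] = $SourceDocument

    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = $Status
        Pass          = $Pass
        Evidence      = [pscustomobject]$evidence
        Error         = $ErrorMessage
        Timestamp     = Get-Date
    }
}

function Test-GuestUserRoleId {
    <#
    .SYNOPSIS
        Returns $true when the given GuestUserRoleId is one of the compliant
        values, $false otherwise (including $null / blank input).
    .NOTES
        Surrounding whitespace is ignored; the GUID comparison itself is
        case-insensitive because -in uses -eq semantics.
    #>
    param(
        [AllowNull()]
        [AllowEmptyString()]
        [string]$RoleId
    )

    if ([string]::IsNullOrWhiteSpace($RoleId)) {
        return $false
    }
    return ($RoleId.Trim() -in $CompliantValues)
}

function Invoke-GuestAccessCheck {
    <#
    .SYNOPSIS
        Runs the 5.1.6.2 audit and returns one result object (see file header).
    #>
    try {
        # No Graph module loaded: report instead of throwing, so a batch of
        # checks keeps running and the gap is visible in the output.
        if (-not (Get-Command -Name Get-MgPolicyAuthorizationPolicy -ErrorAction SilentlyContinue)) {
            return New-CheckResult -Status 'ERROR' -Pass $null `
                -ErrorMessage "Get-MgPolicyAuthorizationPolicy cmdlet is unavailable in the current session."
        }

        # Throws if there is no Graph session / insufficient scope; caught below.
        $policy = Get-MgPolicyAuthorizationPolicy
        if ($null -eq $policy) {
            return New-CheckResult -Status 'ERROR' -Pass $null `
                -ErrorMessage "Get-MgPolicyAuthorizationPolicy returned no result."
        }

        $roleId = [string]$policy.GuestUserRoleId
        if ([string]::IsNullOrWhiteSpace($roleId)) {
            # Keep the raw policy as evidence so the missing property can be
            # investigated without re-querying the tenant.
            return New-CheckResult -Status 'ERROR' -Pass $null `
                -EvidenceExtra ([ordered]@{ RawPolicy = $policy }) `
                -ErrorMessage "GuestUserRoleId value was not found."
        }

        $pass = Test-GuestUserRoleId -RoleId $roleId
        $evidence = [ordered]@{
            GuestUserRoleId = $roleId
            CompliantValues = @($CompliantValues)
        }

        if ($pass) {
            return New-CheckResult -Status 'PASS' -Pass $true -EvidenceExtra $evidence -ErrorMessage $null
        }
        return New-CheckResult -Status 'FAIL' -Pass $false -EvidenceExtra $evidence `
            -ErrorMessage "GuestUserRoleId is not set to the limited or most restrictive guest access role."
    }
    catch {
        # Any unexpected failure (auth, network, API) becomes an ERROR result
        # rather than a terminating exception.
        return New-CheckResult -Status 'ERROR' -Pass $null -ErrorMessage $_.Exception.Message
    }
}

Invoke-GuestAccessCheck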