SHELL/5.1.6.3.ps1
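# CIS Microsoft 365 Foundations Benchmark v6.0.1, control 5.1.6.3 (L2, Automated):
# "Ensure guest user invitations are limited to the Guest Inviter role".
#
# Reads AllowInvitesFrom from the tenant authorization policy and emits exactly one
# result object with the properties CheckId, Title, Level, BenchmarkType, Status
# (PASS | FAIL | ERROR), Pass ($true | $false | $null), Evidence, Error and Timestamp.
# ERROR is returned when the Graph cmdlet is missing from the session, when the
# policy cannot be read, when AllowInvitesFrom is empty, or when an exception is thrown.
#
# Requires an existing Microsoft Graph connection that exposes Get-MgPolicyAuthorizationPolicy.

$CheckId = "5.1.6.3"
$Title = "Ensure guest user invitations are limited to the Guest Inviter role"
$Level = "L2"
$BenchmarkType = "Automated"
$SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
$AuditCommands = @(
    'Get-MgPolicyAuthorizationPolicy | Format-List AllowInvitesFrom'
)

# adminsAndGuestInviters is the benchmark's recommended value; none (nobody may
# invite guests) is more restrictive and is therefore also accepted as compliant.
$CompliantValues = @('adminsAndGuestInviters', 'none')

# Builds the single result object every branch of this check emits, so the
# CheckId/Title/Level/BenchmarkType/Timestamp boilerplate lives in one place.
#   -Status         PASS, FAIL or ERROR.
#   -Pass           $true/$false for PASS/FAIL, $null for ERROR (left untyped so $null survives).
#   -ExtraEvidence  Branch-specific evidence; inserted between the shared
#                   AuditCommands and SourceDocument entries, preserving key order.
#   -ErrorMessage   Explanation for FAIL/ERROR, $null on PASS (untyped for the same reason).
function New-CheckResult {
    param(
        [Parameter(Mandatory)][string]$Status,
        $Pass = $null,
        [System.Collections.IDictionary]$ExtraEvidence = @{},
        $ErrorMessage = $null
    )

    $evidence = [ordered]@{ AuditCommands = $AuditCommands }
    foreach ($key in $ExtraEvidence.Keys) {
        $evidence[$key] = $ExtraEvidence[$key]
    }
    $evidence['SourceDocument'] = $SourceDocument

    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = $Status
        Pass          = $Pass
        Evidence      = [pscustomobject]$evidence
        Error         = $ErrorMessage
        Timestamp     = Get-Date
    }
}

try {
    if (-not (Get-Command -Name Get-MgPolicyAuthorizationPolicy -ErrorAction SilentlyContinue)) {
        New-CheckResult -Status "ERROR" -ErrorMessage "Get-MgPolicyAuthorizationPolicy cmdlet is unavailable in the current session."
        return
    }

    $Policy = Get-MgPolicyAuthorizationPolicy
    if ($null -eq $Policy) {
        New-CheckResult -Status "ERROR" -ErrorMessage "Get-MgPolicyAuthorizationPolicy returned no result."
        return
    }

    $AllowInvitesFrom = [string]$Policy.AllowInvitesFrom
    if ([string]::IsNullOrWhiteSpace($AllowInvitesFrom)) {
        # Keep the raw policy as evidence so the missing field can be investigated.
        New-CheckResult -Status "ERROR" `
            -ExtraEvidence ([ordered]@{ RawPolicy = $Policy }) `
            -ErrorMessage "AllowInvitesFrom value was not found."
        return
    }

    # -in is case-insensitive, so casing differences in the returned value do not matter.
    $Pass = $AllowInvitesFrom -in $CompliantValues
    $Status = if ($Pass) { "PASS" } else { "FAIL" }

    # Report the observed value on failure: it tells the reviewer what is actually
    # configured and stays accurate even for values the benchmark does not list.
    $failMessage = $null
    if (-not $Pass) {
        $failMessage = "AllowInvitesFrom is '$AllowInvitesFrom'; expected one of: $($CompliantValues -join ', ')."
    }

    New-CheckResult -Status $Status -Pass $Pass `
        -ExtraEvidence ([ordered]@{
            AllowInvitesFrom = $AllowInvitesFrom
            CompliantValues  = @($CompliantValues)
        }) `
        -ErrorMessage $failMessage
}
catch {
    New-CheckResult -Status "ERROR" -ErrorMessage $_.Exception.Message
}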