SHELL/6.3.1.ps1

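<#
.SYNOPSIS
    CIS Microsoft 365 Foundations Benchmark v6.0.1, check 6.3.1 (L2, Automated):
    ensure users are not allowed to install Outlook add-ins.

.DESCRIPTION
    Collects the distinct role assignment policies that are applied to
    mailboxes (Get-EXOMailbox) and inspects each one (Get-RoleAssignmentPolicy)
    for the end-user roles that permit add-in installation. The check passes
    only when none of the assigned policies still grants a role listed in
    $DisallowedRoles.

    Emits exactly one [pscustomobject] result whose Status is PASS, FAIL or
    ERROR. On ERROR, Pass is $null and Error carries the reason; on FAIL,
    Evidence.PolicyReport lists the offending roles per policy.

.NOTES
    Requires an established Exchange Online PowerShell session.
    Only policies that are assigned to at least one mailbox are examined,
    which mirrors the benchmark's audit procedure; an unassigned policy is
    therefore not reported by this script.
#>

$CheckId = "6.3.1"
$Title = "Ensure users installing Outlook add-ins is not allowed"
$Level = "L2"
$BenchmarkType = "Automated"
$SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"

# End-user roles that allow add-in installation. Any assigned policy that
# still grants one of these fails the check. Matching is case-insensitive
# because -contains uses PowerShell's default -eq comparison.
$DisallowedRoles = @(
    "My Custom Apps",
    "My Marketplace Apps",
    "My ReadWriteMailbox Apps"
)

try {
    # Distinct policy names currently in use. Blank values are dropped so an
    # empty identity is never handed to Get-RoleAssignmentPolicy, which would
    # turn a harmless mailbox without a policy into an ERROR result.
    $AssignedPolicies = @(
        Get-EXOMailbox -PropertySets Policy -ResultSize Unlimited -ErrorAction Stop |
            Select-Object -ExpandProperty RoleAssignmentPolicy -Unique |
            Where-Object { -not [string]::IsNullOrWhiteSpace([string]$_) }
    )

    if ($AssignedPolicies.Count -eq 0) {
        # Nothing to evaluate: report ERROR rather than PASS so an empty or
        # partial enumeration can never be mistaken for compliance.
        [pscustomobject]@{
            CheckId = $CheckId
            Title = $Title
            Level = $Level
            BenchmarkType = $BenchmarkType
            Status = "ERROR"
            Pass = $null
            Evidence = [pscustomobject]@{
                AssignedPolicyCount = 0
                SourceDocument = $SourceDocument
            }
            Error = "No role assignment policies were returned from mailbox data."
            Timestamp = Get-Date
        }
        return
    }

    # One row per policy. @() keeps this an array even when a single policy is
    # in use, so Evidence.PolicyReport always has the same shape.
    $PolicyReport = @(foreach ($PolicyName in $AssignedPolicies) {
        $RolePolicy = Get-RoleAssignmentPolicy -Identity $PolicyName -ErrorAction Stop

        # Coerce each role to its string form before comparing so the evidence
        # holds plain role names regardless of how AssignedRoles is typed.
        $FailingRoles = @(
            $RolePolicy.AssignedRoles |
                ForEach-Object { [string]$_ } |
                Where-Object { $DisallowedRoles -contains $_ }
        )

        [pscustomobject]@{
            Identity = [string]$RolePolicy.Identity
            FailingRoles = $FailingRoles
            IsCompliant = ($FailingRoles.Count -eq 0)
        }
    })

    $NonCompliantPolicies = @($PolicyReport | Where-Object { -not $_.IsCompliant })

    # A single policy that still grants a disallowed role fails the whole check.
    $Pass = $NonCompliantPolicies.Count -eq 0
    $Status = if ($Pass) { "PASS" } else { "FAIL" }

    [pscustomobject]@{
        CheckId = $CheckId
        Title = $Title
        Level = $Level
        BenchmarkType = $BenchmarkType
        Status = $Status
        Pass = $Pass
        Evidence = [pscustomobject]@{
            DisallowedRoles = $DisallowedRoles
            AssignedPolicyCount = $AssignedPolicies.Count
            PolicyReport = $PolicyReport
            NonCompliantPolicyCount = $NonCompliantPolicies.Count
            SourceDocument = $SourceDocument
        }
        Error = if ($Pass) { $null } else { "One or more role assignment policies still include disallowed Outlook add-in roles." }
        Timestamp = Get-Date
    }
}
catch {
    # Any failure while querying Exchange Online is reported as ERROR with
    # Pass = $null so it is neither counted as compliant nor as a finding.
    [pscustomobject]@{
        CheckId = $CheckId
        Title = $Title
        Level = $Level
        BenchmarkType = $BenchmarkType
        Status = "ERROR"
        Pass = $null
        Evidence = [pscustomobject]@{
            DisallowedRoles = $DisallowedRoles
            SourceDocument = $SourceDocument
        }
        Error = $_.Exception.Message
        Timestamp = Get-Date
    }
}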