SHELL/7.2.8.ps1
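# CIS Microsoft 365 Foundations Benchmark v6.0.1, control 7.2.8 (L2, Manual):
# "Ensure external sharing is restricted by security group".
#
# Reads the SharePoint Online tenant setting
# GuestSharingGroupAllowListInTenantByPrincipalIdentity via Get-SPOTenant and
# reports PASS when the allow list is non-empty, FAIL when it is blank, and
# ERROR when the cmdlet is unavailable, the property is absent from the
# returned object, or the query throws.
# NOTE(review): a non-empty allow list is taken as the restriction being in
# force; the control is Manual, so the admin-center setting should still be
# confirmed by the assessor.
#
# Output: one [pscustomobject] with CheckId, Title, Level, BenchmarkType,
# Status (PASS|FAIL|ERROR), Pass ($true|$false|$null on ERROR), Evidence,
# Error and Timestamp. Assumes an existing SharePoint Online session.

$CheckId        = "7.2.8"
$Title          = "Ensure external sharing is restricted by security group"
$Level          = "L2"
$BenchmarkType  = "Manual"
$SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
$PropertyName   = "GuestSharingGroupAllowListInTenantByPrincipalIdentity"
$AuditCommands  = @(
    "Get-SPOTenant",
    "Evaluate GuestSharingGroupAllowListInTenantByPrincipalIdentity"
)

# Builds the result object so all exit paths (PASS, FAIL, ERROR) share one
# shape. -Status/-Pass/-ErrorMessage describe the outcome; -Evidence holds
# extra evidence fields placed between AuditCommands and SourceDocument.
# Reads $CheckId, $Title, $Level, $BenchmarkType, $AuditCommands and
# $SourceDocument from the script scope.
function New-CheckResult {
    param(
        [Parameter(Mandatory)] [string] $Status,
        $Pass,
        $ErrorMessage,
        [hashtable] $Evidence = @{}
    )

    $evidenceFields = [ordered]@{ AuditCommands = $AuditCommands }
    foreach ($key in $Evidence.Keys) {
        $evidenceFields[$key] = $Evidence[$key]
    }
    $evidenceFields["SourceDocument"] = $SourceDocument

    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = $Status
        Pass          = $Pass
        Evidence      = [pscustomobject]$evidenceFields
        Error         = $ErrorMessage
        Timestamp     = Get-Date
    }
}

try {
    if (-not (Get-Command -Name Get-SPOTenant -ErrorAction SilentlyContinue)) {
        New-CheckResult -Status "ERROR" -Pass $null `
            -ErrorMessage "Get-SPOTenant cmdlet is unavailable."
        return
    }

    $SPOTenant = Get-SPOTenant -ErrorAction Stop

    # A tenant object without this property (e.g. a module version that does
    # not expose it) must not be reported as FAIL: that would read as
    # "external sharing is unrestricted" when the check simply could not be
    # evaluated. Surface it as ERROR instead.
    if (-not $SPOTenant.PSObject.Properties[$PropertyName]) {
        New-CheckResult -Status "ERROR" -Pass $null `
            -ErrorMessage "Get-SPOTenant output has no $PropertyName property; the setting could not be evaluated."
        return
    }

    # The [string] cast flattens a collection of identities into one string;
    # only "some value is configured" is tested, not the group membership.
    $AllowList = [string]$SPOTenant.$PropertyName
    $Pass      = -not [string]::IsNullOrWhiteSpace($AllowList)
    $Status    = if ($Pass) { "PASS" } else { "FAIL" }
    $Message   = if ($Pass) { $null } else { "External sharing is not restricted to specific security groups." }

    New-CheckResult -Status $Status -Pass $Pass -ErrorMessage $Message `
        -Evidence @{ $PropertyName = $AllowList }
}
catch {
    # Any failure from Get-SPOTenant (no session, throttling, permissions)
    # lands here; report the exception text rather than a PASS/FAIL verdict.
    New-CheckResult -Status "ERROR" -Pass $null -ErrorMessage $_.Exception.Message
}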