SHELL/7.3.2.ps1
|
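<#
CIS Microsoft 365 Foundations Benchmark check 7.3.2 (L2, Automated):
"Ensure OneDrive sync is restricted for unmanaged devices".

Reads the tenant sync-client restriction with Get-SPOTenantSyncClientRestriction
and emits exactly one result object whose Status is PASS, FAIL or ERROR.

PASS requires both:
  * TenantRestrictionEnabled is True, and
  * AllowedDomainList holds at least one entry that parses as a GUID.

Limit of this check: it only verifies that the allow-list is populated with
well-formed GUIDs. It cannot tell whether those GUIDs belong to domains the
organization actually trusts, so Evidence.AllowedDomainGuids should still be
compared with the expected domain GUIDs during review.

Any exception raised while querying or evaluating is reported as ERROR (with
Pass = $null) rather than FAIL, so an unreachable or unauthenticated tenant is
not mistaken for a failing or passing control.

NOTE(review): the cmdlet presumably needs an already-connected SharePoint
Online session; confirm that the calling harness establishes it.
#>

$CheckId       = "7.3.2"
$Title         = "Ensure OneDrive sync is restricted for unmanaged devices"
$Level         = "L2"
$BenchmarkType = "Automated"

try {
    # -ErrorAction Stop turns non-terminating cmdlet errors into exceptions so
    # they reach the catch block instead of yielding a half-evaluated result.
    $SyncRestriction = Get-SPOTenantSyncClientRestriction -ErrorAction Stop

    $TenantRestrictionEnabled = [bool]$SyncRestriction.TenantRestrictionEnabled

    # Flatten the allow-list to one string, then split on commas, semicolons
    # and whitespace so that a collection or a delimited string both work.
    $AllowedDomainListRaw = [string]$SyncRestriction.AllowedDomainList
    $AllowedDomainEntries = @(
        $AllowedDomainListRaw -split '[,;\s]+' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ }
    )

    # Only entries that parse as GUIDs count towards a PASS. Without this, any
    # non-empty token (for example a stringified type name or a placeholder)
    # would satisfy the check and produce a false PASS.
    $AllowedDomainGuids          = @()
    $InvalidAllowedDomainEntries = @()
    foreach ($Entry in $AllowedDomainEntries) {
        $ParsedGuid = [guid]::Empty
        if ([guid]::TryParse($Entry, [ref]$ParsedGuid)) {
            $AllowedDomainGuids += $Entry
        }
        else {
            $InvalidAllowedDomainEntries += $Entry
        }
    }

    $Pass   = $TenantRestrictionEnabled -and ($AllowedDomainGuids.Count -gt 0)
    $Status = if ($Pass) { "PASS" } else { "FAIL" }

    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = $Status
        Pass          = $Pass
        Evidence      = [pscustomobject]@{
            TenantRestrictionEnabled    = $TenantRestrictionEnabled
            AllowedDomainList           = $AllowedDomainListRaw
            AllowedDomainGuidCount      = $AllowedDomainGuids.Count
            AllowedDomainGuids          = $AllowedDomainGuids
            # Entries that did not parse as GUIDs; kept so a reviewer can see
            # why a populated list may still have failed.
            InvalidAllowedDomainEntries = $InvalidAllowedDomainEntries
            SourceDocument              = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
        }
        Error         = if ($Pass) { $null } else { "TenantRestrictionEnabled must be True and AllowedDomainList must contain trusted domain GUIDs." }
        Timestamp     = Get-Date
    }
}
catch {
    # The setting could not be read or evaluated: report ERROR with no verdict.
    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = "ERROR"
        Pass          = $null
        Evidence      = [pscustomobject]@{
            SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
        }
        Error         = $_.Exception.Message
        Timestamp     = Get-Date
    }
}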