
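# CIS Microsoft 365 Foundations Benchmark 8.4.1 (L1, Manual):
# "Ensure app permission policies are configured".
#
# Reads the Global Teams app permission policy and reports whether BOTH the
# third-party catalog (GlobalCatalogAppsType) and the custom/private catalog
# (PrivateCatalogAppsType) are restricted to an explicit allow- or block-list.
# Emits exactly one [pscustomobject] result record (CheckId, Title, Level,
# BenchmarkType, Status, Pass, Evidence, Error, Timestamp) on every path,
# including when the cmdlet is unavailable or throws, so a missing Teams
# session never reads as a silent PASS.
$CheckId = "8.4.1"
$Title = "Ensure app permission policies are configured"
$Level = "L1"
$BenchmarkType = "Manual"
$AuditCommands = @(
    "Get-CsTeamsAppPermissionPolicy",
    "Evaluate GlobalCatalogAppsType and PrivateCatalogAppsType for Global policy"
)
# Single definition of the benchmark reference used in every Evidence block.
$SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
# Catalog types treated as "restricted": the policy names an explicit list
# rather than leaving the catalog open by default.
$RestrictiveTypes = @("BlockedAppList", "AllowedAppList")

try {
    # Without the Teams module (or a session exposing the cmdlet) the check
    # cannot be evaluated; report ERROR rather than an assumed result.
    if (-not (Get-Command -Name Get-CsTeamsAppPermissionPolicy -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{
            CheckId = $CheckId
            Title = $Title
            Level = $Level
            BenchmarkType = $BenchmarkType
            Status = "ERROR"
            Pass = $null
            Evidence = [pscustomobject]@{
                AuditCommands = $AuditCommands
                SourceDocument = $SourceDocument
            }
            Error = "Get-CsTeamsAppPermissionPolicy cmdlet is unavailable."
            Timestamp = Get-Date
        }
        return
    }

    # -ErrorAction Stop turns a failed/unauthenticated call into a terminating
    # error so it lands in the catch block below.
    $Policies = @(Get-CsTeamsAppPermissionPolicy -ErrorAction Stop)
    $GlobalPolicy = @($Policies | Where-Object { $_.Identity -eq "Global" } | Select-Object -First 1)

    # The control is evaluated against the org-wide (Global) policy only.
    if ($GlobalPolicy.Count -eq 0) {
        [pscustomobject]@{
            CheckId = $CheckId
            Title = $Title
            Level = $Level
            BenchmarkType = $BenchmarkType
            Status = "FAIL"
            Pass = $false
            Evidence = [pscustomobject]@{
                AuditCommands = $AuditCommands
                PolicyCount = $Policies.Count
                SourceDocument = $SourceDocument
            }
            Error = "Global Teams app permission policy was not found."
            Timestamp = Get-Date
        }
        return
    }

    $Policy = $GlobalPolicy[0]
    # Cast to [string] so a $null/missing property compares as "" rather than
    # throwing or matching unexpectedly.
    $ThirdPartyType = [string]$Policy.GlobalCatalogAppsType
    $CustomType = [string]$Policy.PrivateCatalogAppsType

    # Size of each catalog's explicit app list, recorded for the reviewer.
    # NOTE(review): in the Teams admin center "Allow all apps" is stored as
    # BlockedAppList with an empty list, so a BlockedAppList type with zero
    # entries may not actually restrict anything -- confirm against the tenant
    # before treating it as compliant; the counts below support that review.
    $ThirdPartyListCount = @($Policy.GlobalCatalogApps | Where-Object { $_ }).Count
    $CustomListCount = @($Policy.PrivateCatalogApps | Where-Object { $_ }).Count

    $ThirdPartyRestricted = $ThirdPartyType -in $RestrictiveTypes
    $CustomAppsRestricted = $CustomType -in $RestrictiveTypes
    # The control (and the failure message below) covers BOTH third-party and
    # custom apps; a tenant that restricts only one of them must not pass.
    $Pass = ($ThirdPartyRestricted -and $CustomAppsRestricted)

    [pscustomobject]@{
        CheckId = $CheckId
        Title = $Title
        Level = $Level
        BenchmarkType = $BenchmarkType
        Status = if ($Pass) { "PASS" } else { "FAIL" }
        Pass = $Pass
        Evidence = [pscustomobject]@{
            AuditCommands = $AuditCommands
            GlobalCatalogAppsType = $ThirdPartyType
            PrivateCatalogAppsType = $CustomType
            GlobalCatalogAppCount = $ThirdPartyListCount
            PrivateCatalogAppCount = $CustomListCount
            ThirdPartyRestricted = $ThirdPartyRestricted
            CustomAppsRestricted = $CustomAppsRestricted
            SourceDocument = $SourceDocument
        }
        Error = if ($Pass) { $null } else { "Teams app permission policy is too permissive for third-party and custom apps." }
        Timestamp = Get-Date
    }
}
catch {
    # Any terminating error (no session, permission denied, transient failure)
    # is surfaced as ERROR with the message, never as PASS/FAIL.
    [pscustomobject]@{
        CheckId = $CheckId
        Title = $Title
        Level = $Level
        BenchmarkType = $BenchmarkType
        Status = "ERROR"
        Pass = $null
        Evidence = [pscustomobject]@{
            AuditCommands = $AuditCommands
            SourceDocument = $SourceDocument
        }
        Error = $_.Exception.Message
        Timestamp = Get-Date
    }
}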