diff --git a/build/Update-CommandReference.ps1 b/build/Update-CommandReference.ps1 index 6b809e368..d114787bc 100644 --- a/build/Update-CommandReference.ps1 +++ b/build/Update-CommandReference.ps1 @@ -16,7 +16,7 @@ $commandsIndexFile = "./website/docs/commands/readme.md" $readmeContent = Get-Content $commandsIndexFile # Backup the readme.md since it will be deleted by New-DocusaurusHelp # Get all the filenames in the ./powershell/internal folder without the extension -$internalCommands = Get-ChildItem @("./powershell/internal","./powershell/internal/orca") -Filter *.ps1 | ForEach-Object { $_.BaseName } +$internalCommands = Get-ChildItem @("./powershell/internal", "./powershell/internal/orca") -Filter *.ps1 | ForEach-Object { $_.BaseName } New-DocusaurusHelp -Module ./powershell/Maester.psm1 -DocsFolder ./website/docs -NoPlaceHolderExamples -EditUrl https://github.com/maester365/maester/blob/main/powershell/public/ -Exclude $internalCommands # Update the markdown to include the synopsis as description so it can be displayed correctly in the doc links. @@ -31,3 +31,23 @@ foreach ($file in $cmdMarkdownFiles) { } Set-Content $commandsIndexFile $readmeContent # Restore the readme content + +# Sync generated command files to all versioned doc folders +$versionedDocsRoot = "./website/versioned_docs" +if (Test-Path $versionedDocsRoot) { + $sourceCommands = "./website/docs/commands" + $versionFolders = Get-ChildItem $versionedDocsRoot -Directory + foreach ($versionFolder in $versionFolders) { + $targetCommands = Join-Path $versionFolder.FullName "commands" + if (Test-Path $targetCommands) { + $sourceFiles = Get-ChildItem $sourceCommands -Filter *.mdx + foreach ($sourceFile in $sourceFiles) { + $targetFile = Join-Path $targetCommands $sourceFile.Name + if (-not (Test-Path $targetFile)) { + Copy-Item $sourceFile.FullName $targetFile + Write-Verbose "Copied $($sourceFile.Name) to $($versionFolder.Name)" + } + } + } + } +} 
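Review bot: The `-not (Test-Path $targetFile)` guard in the new sync loop copies the `.mdx` for every current command into every `versioned_docs` folder that has a `commands` directory, including versions published before that command existed, while pages already present are never refreshed. If the intent is only to backfill pages that `New-DocusaurusHelp` regenerated for the live docs, that should be stated at the loop and ideally limited to the commands each version actually shipped; otherwise older version docs will advertise tests those releases do not contain. `Write-Verbose` here only produces output if the script itself declares `[CmdletBinding()]`, which is outside this hunk. Suggested comment above the `if (Test-Path $versionedDocsRoot)` line: `# Backfill only: new command pages are copied into every versioned folder; existing versioned pages are intentionally left untouched`.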
diff --git a/powershell/Maester.psd1 b/powershell/Maester.psd1 index e2dc8200f..fe548ec4c 100644 --- a/powershell/Maester.psd1 +++ b/powershell/Maester.psd1 @@ -108,7 +108,7 @@ 'Test-MtCaSecureSecurityInfoRegistration', 'Test-MtCaWIFBlockLegacyAuthentication', 'Test-MtCis365PublicGroup', 'Test-MtCisAdminConsentWorkflowEnabled', 'Test-MtCisAuditLogSearch', 'Test-MtCisAttachmentFilter', 'Test-MtCisAttachmentFilterComprehensive', 'Test-MtCisCalendarSharing', 'Test-MtCisCloudAdmin', 'Test-MtCisCreateTenantDisallowed', - 'Test-MtCisCommunicateWithUnmanagedTeamsUsers', 'Test-MtCisConnectionFilterSafeList', 'Test-MtCisCustomerLockBox', 'Test-MtCisDevicesWithoutCompliancePolicyMarked', + 'Test-MtCisCommunicateWithUnmanagedTeamsUsers', 'Test-MtCisCommunicateInitiateExternalTeamsUsers', 'Test-MtCisConnectionFilterSafeList', 'Test-MtCisCustomerLockBox', 'Test-MtCisDevicesWithoutCompliancePolicyMarked', 'Test-MtCisDkim', 'Test-MtCisEnsureGuestAccessRestricted', 'Test-MtCisEnsureGuestUserDynamicGroup', 'Test-MtCisEnsureUserConsentToAppsDisallowed', 'Test-MtCisFormsPhishingProtectionEnabled', 'Test-MtCisGlobalAdminCount', 'Test-MtCisHostedConnectionFilterPolicy', 'Test-MtCisInternalMalwareNotification', 'Test-MtCisOutboundSpamFilterPolicy', 'Test-MtCisPasswordExpiry', 'Test-MtCisSafeAntiPhishingPolicy', 'Test-MtCisSafeAttachment', 'Test-MtCisSafeAttachmentsAtpPolicy', diff --git a/powershell/public/cis/Test-MtCis365PublicGroup.md b/powershell/public/cis/Test-MtCis365PublicGroup.md index 8f32c8177..fbb764ca2 100644 --- a/powershell/public/cis/Test-MtCis365PublicGroup.md +++ b/powershell/public/cis/Test-MtCis365PublicGroup.md 
@@ -1,8 +1,23 @@ 1.2.1 (L2) Ensure that only organizationally managed/approved public groups exist -Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365. With Microsoft 365 Groups, you can give a group of people access to a collection of shared resources. While there are several different group types this recommendation concerns Microsoft 365 Groups. +Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365. With Microsoft 365 Groups, you can give a group of people access to a collection of shared resources. When a new group is created in the +Administration panel, the default privacy value of the group is "Public". (In this case, ‘public’ means accessible to the identities within the organization without requiring group owner authorization to join.) +Ensure that Microsoft 365 Groups are set to **Private** in the Administration panel. -Ensure that only organizationally managed and approved public groups exist. +>Note: Although there are several different group types, this recommendation concerns Microsoft 365 Groups specifically. + +#### Rationale + +If group privacy is not controlled, any user may access sensitive information, depending on the group they try to access. +When the privacy value of a group is set to "Public," users may access data related to this group (e.g. SharePoint) via three methods: +1. The Azure Portal: Users can add themselves to the public group via the Azure Portal; however, administrators are notified when users access the Portal. +2. Access Requests: Users can request to join the group via the Groups application in the Access Panel. This provides the user with immediate access to the group, even though they are required to send a message to the group owner when +requesting to join. +3. 
SharePoint URL: Users can directly access a group via its SharePoint URL, which is usually guessable and can be found in the Groups application within the Access Panel. + +#### Impact + +If the recommendation is applied, group owners could receive more access requests than usual, especially regarding groups originally meant to be public. #### Remediation action: @@ -16,7 +31,9 @@ To enable only organizationally managed/approved public groups exist: #### Related links * [Microsoft 365 Admin Center](https://admin.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 36](https://www.cisecurity.org/benchmark/microsoft_365) +* [Set up self-service group management in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/users/groups-self-service-management) +* [Compare types of groups in Microsoft 365](https://learn.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 36](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCis365PublicGroup.ps1 b/powershell/public/cis/Test-MtCis365PublicGroup.ps1 index 0a769c21d..a4b1760fb 100644 --- a/powershell/public/cis/Test-MtCis365PublicGroup.ps1 +++ b/powershell/public/cis/Test-MtCis365PublicGroup.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION Ensure that only organizationally managed and approved public groups exist - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCis365PublicGroup diff --git a/powershell/public/cis/Test-MtCisAdminConsentWorkflowEnabled.md b/powershell/public/cis/Test-MtCisAdminConsentWorkflowEnabled.md index 770ffca7f..59125746f 100644 --- a/powershell/public/cis/Test-MtCisAdminConsentWorkflowEnabled.md +++ b/powershell/public/cis/Test-MtCisAdminConsentWorkflowEnabled.md 
@@ -1,11 +1,18 @@ 5.1.5.2 (L1) Ensure the admin consent workflow is enabled -**Rationale:** +The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action. + +#### Rationale + The admin consent workflow (Preview) gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer acts on the request, and the user is notified of the action. +#### Impact + +To approve requests, a reviewer must be a global administrator, cloud application administrator, or application administrator. The reviewer must already have one of these admin roles assigned; simply designating them as a reviewer doesn't elevate their privileges. + #### Remediation action: -1. Navigate to Microsoft Entra ID admin center [https://entra.microsoft.com](https://entra.microsoft.com). +1. Navigate to [Microsoft Entra ID admin center](https://entra.microsoft.com). 2. Under **Entra ID** select **Enterprise apps** 3. Under **Security** select **Consent and permissions** 4. Under **Manage** select **Admin consent settings** 
@@ -14,8 +21,9 @@ The admin consent workflow (Preview) gives admins a secure way to grant access t #### Related links -* [Microsoft Entra admin center | Enterprise apps | Consent and permissions | Admin consent settings](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/AdminConsentSettings) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 187](https://www.cisecurity.org/benchmark/microsoft_365) +* [Microsoft Entra ID admin center](https://entra.microsoft.com) +* [Configure the admin consent workflow](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 214](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisAdminConsentWorkflowEnabled.ps1 b/powershell/public/cis/Test-MtCisAdminConsentWorkflowEnabled.ps1 index 66468daad..ecb410c04 100644 --- a/powershell/public/cis/Test-MtCisAdminConsentWorkflowEnabled.ps1 +++ b/powershell/public/cis/Test-MtCisAdminConsentWorkflowEnabled.ps1 
@@ -1,20 +1,20 @@ -<# -.SYNOPSIS - Checks if the admin consent workflow is enabled - -.DESCRIPTION - The admin consent workflow should be enabled. - CIS Microsoft 365 Foundations Benchmark v5.0.0 - -.EXAMPLE - Test-MtCisAdminConsentWorkflowEnabled - - Returns true if admin consent workflow is enabled - -.LINK - https://maester.dev/docs/commands/Test-MtCisAdminConsentWorkflowEnabled -#> -function Test-MtCisAdminConsentWorkflowEnabled { +function Test-MtCisAdminConsentWorkflowEnabled { + <# + .SYNOPSIS + Checks if the admin consent workflow is enabled + + .DESCRIPTION + The admin consent workflow should be enabled. + CIS Microsoft 365 Foundations Benchmark v6.0.1 + + .EXAMPLE + Test-MtCisAdminConsentWorkflowEnabled + + Returns true if admin consent workflow is enabled + + .LINK + https://maester.dev/docs/commands/Test-MtCisAdminConsentWorkflowEnabled + #> [CmdletBinding()] [OutputType([bool])] param() @@ -35,7 +35,8 @@ function Test-MtCisAdminConsentWorkflowEnabled { if ($testResult) { $testResultMarkdown = "Well done. Your tenant settings comply with CIS recommendations.`n`n%TestResult%" - } else { + } + else { $testResultMarkdown = "Your tenant settings do not comply with CIS recommendations.`n`n%TestResult%" } @@ -44,7 +45,8 @@ function Test-MtCisAdminConsentWorkflowEnabled { if ($checkAdminConsentWorkflowEnabled) { $checkAdminConsentWorkflowEnabledResult = '✅ Pass' - } else { + } + else { $checkAdminConsentWorkflowEnabledResult = '❌ Fail' } @@ -54,7 +56,8 @@ function Test-MtCisAdminConsentWorkflowEnabled { Add-MtTestResultDetail -Result $testResultMarkdown return $testResult - } catch { + } + catch { Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ return $null } diff --git a/powershell/public/cis/Test-MtCisAttachmentFilter.md b/powershell/public/cis/Test-MtCisAttachmentFilter.md index 917dd73d6..bdaa3e91d 100644 --- a/powershell/public/cis/Test-MtCisAttachmentFilter.md +++ b/powershell/public/cis/Test-MtCisAttachmentFilter.md 
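Review bot: The `} else {` and `} catch {` joins in Test-MtCisAdminConsentWorkflowEnabled are split onto separate `}` / `else {` and `}` / `catch {` lines with no functional change, and the comment-based help block is moved inside the function body. Both forms parse in a script file, but the split form breaks when a snippet is pasted into an interactive session (the `if` or `try` completes at `}`), and the sibling test files in this same commit receive only the `v5.0.0` → `v6.0.1` text change, so this file now diverges from its neighbours for no stated reason. If a formatter rule has been adopted, say so in the PR description; otherwise keep `} else {` / `} catch {` and restrict the hunk to the benchmark version line so blame stays on the substantive edit. Whether the other test files already keep their help block inside the function cannot be confirmed from these hunks.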
@@ -1,22 +1,41 @@ 2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled -**Rationale:** +The Common Attachment Types Filter lets a user block known and custom malicious file types from being attached to emails. + +#### Rationale + Blocking known malicious file types can help prevent malware-infested files from infecting a host. +#### Impact + +Blocking common malicious file types should not cause an impact in modern computing environments. + #### Remediation action: To enable the Common Attachment Types Filter: -1. Navigate to Microsoft 365 Defender [https://security.microsoft.com](https://security.microsoft.com). +1. Navigate to [Microsoft 365 Defender](https://security.microsoft.com). 2. Click to expand **Email & collaboration** select **Policies & rules**. 3. On the Policies & rules page select **Threat policies**. 4. Under polices select **Anti-malware** and click on the **Default (Default)** policy. 5. On the Policy page that appears on the right hand pane scroll to the bottom and click on **Edit protection settings**, check the **Enable the common attachments filter**. 6. Click Save. +##### PowerShell + +1. Connect to Exchange Online using `Connect-ExchangeOnline`. +2. Run the following Exchange Online PowerShell command: +```powershell +Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true +``` + +>Note: Audit and Remediation guidance may focus on the Default policy however, if a Custom Policy exists in the organization's tenant, then ensure the setting is set as outlined in the highest priority policy listed. 
+ #### Related links * [Microsoft 365 Defender](https://security.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 74](https://www.cisecurity.org/benchmark/microsoft_365) +* [Get-MalwareFilterPolicy](https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/get-malwarefilterpolicy?view=exchange-ps) +* [Configure anti-malware policies for cloud mailboxes](https://learn.microsoft.com/en-us/defender-office-365/anti-malware-policies-configure?view=o365-worldwide) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 78](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisAttachmentFilter.ps1 b/powershell/public/cis/Test-MtCisAttachmentFilter.ps1 index 2e07cb0eb..3b22062bc 100644 --- a/powershell/public/cis/Test-MtCisAttachmentFilter.ps1 +++ b/powershell/public/cis/Test-MtCisAttachmentFilter.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION The common attachment types filter should be enabled - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisAttachmentFilter diff --git a/powershell/public/cis/Test-MtCisAttachmentFilterComprehensive.md b/powershell/public/cis/Test-MtCisAttachmentFilterComprehensive.md index fb71fbd25..cc97455ab 100644 --- a/powershell/public/cis/Test-MtCisAttachmentFilterComprehensive.md +++ b/powershell/public/cis/Test-MtCisAttachmentFilterComprehensive.md 
@@ -1,24 +1,32 @@ 2.1.11 (L2) Ensure comprehensive attachment filtering is applied -**Rationale:** -Blocking known malicious file types can help prevent malware-infested files from infecting a host or performing other malicious attacks such as phishing and data extraction. Defining a comprehensive list of attachments can help protect against additional unknown and known threats. +The Common Attachment Types Filter lets a user block known and custom malicious file types from being attached to emails. The policy provided by Microsoft covers 53 extensions, and an additional custom list of extensions can be defined. +The list of 184 extensions provided in this recommendation is comprehensive but not exhaustive. + +#### Rationale + +Blocking known malicious file types can help prevent malware-infested files from infecting a host or performing other malicious attacks such as phishing and data extraction. +Defining a comprehensive list of attachments can help protect against additional unknown and known threats. Many legacy file formats, binary files and compressed files have been used as delivery mechanisms for malicious software. Organizations can protect themselves from Business E-mail Compromise (BEC) by allow-listing only the file types relevant to their line of business and blocking all others. + +#### Impact + +For file types that are business necessary users will need to use other organizationally approved methods to transfer blocked extension types between business partners. #### Remediation action: To implement a new policy containing a comprehensive list of extensions: -1. Connect to Exchange Online using Connect-ExchangeOnline. -2. Run the following script: +1. Connect to Exchange Online using `Connect-ExchangeOnline`. +2. Run the following script after editing **InternalSenderAdminAddress**: ``` # Create an attachment policy and associated rule. 
The rule is # intentionally disabled allowing the org to enable it when ready $Policy = @{ - Name = "CIS L2 Attachment Policy" - EnableFileFilter = $true - ZapEnabled = $true + Name = "CIS L2 Attachment Policy" + EnableFileFilter = $true + ZapEnabled = $true EnableInternalSenderAdminNotifications = $true - InternalSenderAdminAddress = 'admin@contoso.com' # Change this. + InternalSenderAdminAddress = 'admin@contoso.com' # Change this. } - $L2Extensions = @( "7z", "a3x", "ace", "ade", "adp", "ani", "app", "appinstaller", "applescript", "application", "appref-ms", "appx", "appxbundle", "arj", @@ -26,7 +34,7 @@ $L2Extensions = @( "cpl", "crt", "cs", "csh", "daa", "dbf", "dcr", "deb", "desktopthemepackfile", "dex", "diagcab", "dif", "dir", "dll", "dmg", "doc", "docm", "dot", "dotm", "elf", "eml", "exe", "fxp", "gadget", "gz", - "hlp", "hta", "htc", "htm", "htm", "html", "html", "hwpx", "ics", "img", + "hlp", "hta", "htc", "htm", "html", "hwpx", "ics", "img", "inf", "ins", "iqy", "iso", "isp", "jar", "jnlp", "js", "jse", "kext", "ksh", "lha", "lib", "library-ms", "lnk", "lzh", "macho", "mam", "mda", "mdb", "mde", "mdt", "mdw", "mdz", "mht", "mhtml", "mof", "msc", "msi", 
@@ -40,21 +48,18 @@ $L2Extensions = @( "tar", "theme", "themepack", "timer", "uif", "url", "uue", "vb", "vbe", "vbs", "vhd", "vhdx", "vxd", "wbk", "website", "wim", "wiz", "ws", "wsc", "wsf", "wsh", "xla", "xlam", "xlc", "xll", "xlm", "xls", "xlsb", "xlsm", - "xlt", "xltm", "xlw", "xml", "xnk", "xps", "xsl", "xz", "z" + "xlt", "xltm", "xlw", "xnk", "xps", "xsl", "xz", "z" ) - # Create the policy New-MalwareFilterPolicy @Policy -FileTypes $L2Extensions - # Create the rule for all accepted domains $Rule = @{ - Name = $Policy.Name - Enabled = $false + Name = $Policy.Name + Enabled = $false MalwareFilterPolicy = $Policy.Name - RecipientDomainIs = (Get-AcceptedDomain).Name - Priority = 0 + RecipientDomainIs = (Get-AcceptedDomain).Name + Priority = 0 } - New-MalwareFilterRule @Rule ``` 3. When prepared enable the rule either through the UI or PowerShell. @@ -62,7 +67,10 @@ New-MalwareFilterRule @Rule #### Related links * [Microsoft 365 Defender](https://security.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 109](https://www.cisecurity.org/benchmark/microsoft_365) +* [Get-MalwareFilterPolicy](https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/get-malwarefilterpolicy?view=exchange-ps) +* [Configure anti-malware policies for cloud mailboxes](https://learn.microsoft.com/en-us/defender-office-365/anti-malware-policies-configure?view=o365-worldwide) +* [File format reference for Word, Excel, and PowerPoint](https://learn.microsoft.com/en-us/office/compatibility/office-file-format-reference) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 109](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisAttachmentFilterComprehensive.ps1 b/powershell/public/cis/Test-MtCisAttachmentFilterComprehensive.ps1 index 7be4c967d..a8fc64e10 100644 --- a/powershell/public/cis/Test-MtCisAttachmentFilterComprehensive.ps1 
+++ b/powershell/public/cis/Test-MtCisAttachmentFilterComprehensive.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION The common attachment types filter should be comprehensive - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisAttachmentFilterComprehensive @@ -35,7 +35,7 @@ 'cpl', 'crt', 'cs', 'csh', 'daa', 'dbf', 'dcr', 'deb', 'desktopthemepackfile', 'dex', 'diagcab', 'dif', 'dir', 'dll', 'dmg', 'doc', 'docm', 'dot', 'dotm', 'elf', 'eml', 'exe', 'fxp', 'gadget', 'gz', - 'hlp', 'hta', 'htc', 'htm', 'htm', 'html', 'html', 'hwpx', 'ics', 'img', + 'hlp', 'hta', 'htc', 'htm', 'html', 'hwpx', 'ics', 'img', 'inf', 'ins', 'iqy', 'iso', 'isp', 'jar', 'jnlp', 'js', 'jse', 'kext', 'ksh', 'lha', 'lib', 'library-ms', 'lnk', 'lzh', 'macho', 'mam', 'mda', 'mdb', 'mde', 'mdt', 'mdw', 'mdz', 'mht', 'mhtml', 'mof', 'msc', 'msi', @@ -49,7 +49,7 @@ 'tar', 'theme', 'themepack', 'timer', 'uif', 'url', 'uue', 'vb', 'vbe', 'vbs', 'vhd', 'vhdx', 'vxd', 'wbk', 'website', 'wim', 'wiz', 'ws', 'wsc', 'wsf', 'wsh', 'xla', 'xlam', 'xlc', 'xll', 'xlm', 'xls', 'xlsb', 'xlsm', - 'xlt', 'xltm', 'xlw', 'xml', 'xnk', 'xps', 'xsl', 'xz', 'z' + 'xlt', 'xltm', 'xlw', 'xnk', 'xps', 'xsl', 'xz', 'z' ) # Duplicate the array, so we are left with a list of extensions missing at the end diff --git a/powershell/public/cis/Test-MtCisAuditLogSearch.md b/powershell/public/cis/Test-MtCisAuditLogSearch.md index d6211eb0f..0fd7fb2d6 100644 --- a/powershell/public/cis/Test-MtCisAuditLogSearch.md +++ b/powershell/public/cis/Test-MtCisAuditLogSearch.md 
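Review bot: Dropping `'xml'` from the `$L2Extensions` array in Test-MtCisAttachmentFilterComprehensive relaxes the check: the context comment says the array is diffed to produce the list of missing extensions, so a tenant whose policy does not block `.xml` attachments now passes where it previously failed. This appears to track the updated CIS v6.0.1 list (the matching `.md` hunk drops it too), but the relaxation is not called out, and removing the duplicate `'htm'`/`'html'` entries also changes the required count. Add a short comment where the array is declared, e.g. `# Required list mirrors CIS 2.1.11 (v6.0.1); 'xml' is no longer required`, so the next benchmark bump has a reference point. The array declaration itself starts above this hunk.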
@@ -1,21 +1,33 @@ 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled -**Rationale:** -Enabling audit log search in the Microsoft Purview compliance portal can help organizations improve their security posture, meet regulatory compliance requirements, respond to security incidents, and gain valuable operational insights. +When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 180 days by default. However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. In this scenario, a global admin can choose to turn off audit log search in Microsoft 365. + +#### Rationale + +Enabling audit log search in the Microsoft Purview compliance portal can help organizations improve their security posture, meet regulatory compliance requirements, respond to security incidents, and gain valuable operational insights #### Remediation action: -To enable audit log search: -1. Navigate to [Microsoft Purview Audit Search](https://purview.microsoft.com/audit/auditsearch). -2. Select **Audit** to open the audit search. -3. Click **Start recording user and admin activity** next to the information warning at the top. +1. Navigate to [Microsoft 365 Purview](https://purview.microsoft.com). +2. Select **Solutions** and then **Audit** to open the audit search. +3. Click blue bar **Start recording user and admin activity**. 4. Click **Yes** on the dialog box to confirm. +##### PowerShell + +1. Connect to Exchange Online using `Connect-ExchangeOnline`. +2. 
Run the following PowerShell command: +```powershell +Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true +``` + #### Related links -* [Microsoft 365 Defender](https://security.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 143](https://www.cisecurity.org/benchmark/microsoft_365) -* [Turn auditing on or off | Microsoft Learn](https://learn.microsoft.com/en-us/purview/audit-log-enable-disable) +* [Microsoft 365 Purview](https://purview.microsoft.com) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 149](https://www.cisecurity.org/benchmark/microsoft_365) +* [Turn auditing on or off](https://learn.microsoft.com/en-us/purview/audit-log-enable-disable?view=o365-worldwide&tabs=microsoft-purview-portal) +* [Set-AdminAuditLogConfig](https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/set-adminauditlogconfig?view=exchange-ps) +* [Verify the auditing status for your organization](https://learn.microsoft.com/en-us/purview/audit-log-enable-disable?view=o365-worldwide&tabs=microsoft-purview-portal#verify-the-auditing-status-for-your-organization) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisAuditLogSearch.ps1 b/powershell/public/cis/Test-MtCisAuditLogSearch.ps1 index f413f497b..4ea478dc5 100644 --- a/powershell/public/cis/Test-MtCisAuditLogSearch.ps1 +++ b/powershell/public/cis/Test-MtCisAuditLogSearch.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION Microsoft 365 audit log search should be enabled - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisAuditLogSearch diff --git a/powershell/public/cis/Test-MtCisCalendarSharing.md b/powershell/public/cis/Test-MtCisCalendarSharing.md index 90d657026..e0416e47c 100644 --- a/powershell/public/cis/Test-MtCisCalendarSharing.md +++ b/powershell/public/cis/Test-MtCisCalendarSharing.md 
@@ -1,21 +1,38 @@ 1.3.3 (L2) Ensure 'External sharing' of calendars is not available +External calendar sharing allows an administrator to enable the ability for users to share calendars with anyone outside of the organization. Outside users will be sent a URL that can be used to view the calendar. + +#### Rationale + Attackers often spend time learning about organizations before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. +#### Impact + +This functionality is not widely used. As a result, it is unlikely that implementation of this setting will cause an impact to most users. Users that do utilize this functionality are likely to experience a minor inconvenience when scheduling meetings or synchronizing calendars with people outside the tenant. + #### Remediation action: To remediate using the UI: 1. Navigate to Microsoft 365 admin center [https://admin.microsoft.com](https://admin.microsoft.com). 2. Click to expand **Settings** select **Org settings**. 3. In the **Services** section click **Calendar**. -4. Uncheck **Let your users share their calendars with people outside of -your organization who have Office 365 or Exchange**. +4. Uncheck **Let your users share their calendars with people outside of your organization who have Office 365 or Exchange**. 5. Click **Save**. +##### PowerShell + +1. Connect to Exchange Online using `Connect-ExchangeOnline`. +2. 
Run the following Exchange Online PowerShell command: +```powershell +Set-SharingPolicy -Identity "Default Sharing Policy" -Enabled $False +``` + + #### Related links * [Microsoft 365 Admin Center](https://admin.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 52](https://www.cisecurity.org/benchmark/microsoft_365) +* [Share Microsoft 365 calendars with people outside your organization](https://learn.microsoft.com/en-us/microsoft-365/admin/manage/share-calendars-with-external-users?view=o365-worldwide) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 53](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisCalendarSharing.ps1 b/powershell/public/cis/Test-MtCisCalendarSharing.ps1 index 722134ca6..d47c81231 100644 --- a/powershell/public/cis/Test-MtCisCalendarSharing.ps1 +++ b/powershell/public/cis/Test-MtCisCalendarSharing.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION Calendar details SHALL NOT be shared with all domains. - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisCalendarSharing diff --git a/powershell/public/cis/Test-MtCisCloudAdmin.md b/powershell/public/cis/Test-MtCisCloudAdmin.md index 291e4dd35..a737eaac5 100644 --- a/powershell/public/cis/Test-MtCisCloudAdmin.md +++ b/powershell/public/cis/Test-MtCisCloudAdmin.md 
@@ -1,25 +1,30 @@ 1.1.1 (L1) Ensure Administrative accounts are cloud-only -Administrative accounts are special privileged accounts that could have varying levels of access to data, users, and settings. Regular user accounts should never be utilized for administrative tasks and care should be taken, in the case of a hybrid environment, to keep Administrative accounts separated from on-prem accounts. Administrative accounts should not have applications assigned so that they have no access to potentially vulnerable services (EX. email, Teams, SharePoint, etc.) and only access to perform tasks as needed for administrative purposes. +Administrative accounts are special privileged accounts that could have varying levels of access to data, users, and settings. Regular user accounts should never be utilized for administrative tasks and care should be taken, in the case of a hybrid environment, to keep administrative accounts separate from on-prem accounts. Administrative accounts should not have applications assigned so that they have no access to potentially vulnerable services (EX. email, Teams, SharePoint, etc.) and only access to perform tasks as needed for administrative purposes. **Ensure administrative accounts are not On-premises sync enabled.** + +#### Rationale + +In a hybrid environment, having separate accounts will help ensure that in the event of a breach in the cloud, that the breach does not affect the on-prem environment and vice versa. + +#### Impact + +Administrative users will need to utilize login/logout functionality to switch accounts when performing administrative tasks, which means they will not benefit from SSO. This will require a migration process from the 'daily driver' account to a dedicated admin account. Once the new admin account is created, permission sets should be migrated from the 'daily driver' account to the new admin account. This includes both M365 and Azure RBAC roles. 
Failure to migrate Azure RBAC roles could prevent an admin from seeing their subscriptions/resources while using their admin account. + #### Remediation action: -To created licensed, separate Administrative accounts for Administrative users: -1. Navigate to Microsoft 365 admin center [https://admin.microsoft.com](https://admin.microsoft.com). -2. Click to expand **Users** select **Active users** -3. Click **Add a user**. -4. Fill out the appropriate fields for Name, user, etc. -5. When prompted to assign licenses select as needed **Microsoft Entra ID P1** or -**Microsoft Entra ID P2**, then click **Next**. -6. Under the **Option settings** screen you may choose from several types of -Administrative access roles. Choose **Admin center access** followed by the -appropriate role then click **Next**. -7. Select **Finish adding**. +Remediation will require first identifying the privileged accounts that are synced from onpremises and then creating a new cloud-only account for that user. Once a replacement account is established, the hybrid account should have its role reduced to that of a nonprivileged user or removed depending on the need. + #### Related links * [Microsoft 365 Admin Center](https://admin.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v 4.0.0 - Page 20](https://www.cisecurity.org/benchmark/microsoft_365) +* [Add users and assign licenses in Microsoft 365](https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/add-users?view=o365-worldwide) +* [Step 2. Protect your Microsoft 365 privileged accounts](https://learn.microsoft.com/en-us/microsoft-365/enterprise/protect-your-global-administrator-accounts?view=o365-worldwide) +* [9. 
Use cloud native accounts for Microsoft Entra roles](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices#9-use-cloud-native-accounts-for-microsoft-entra-roles) +* [What is Microsoft Entra?](https://learn.microsoft.com/en-us/entra/fundamentals/what-is-entra) +* [Microsoft Entra built-in roles](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 20](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisCloudAdmin.ps1 b/powershell/public/cis/Test-MtCisCloudAdmin.ps1 index aed5d2bb7..45f0d3ca1 100644 --- a/powershell/public/cis/Test-MtCisCloudAdmin.ps1 +++ b/powershell/public/cis/Test-MtCisCloudAdmin.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION Ensure Administrative accounts are cloud-only - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisCloudAdmin diff --git a/powershell/public/cis/Test-MtCisCommunicateInitiateExternalTeamsUsers.md b/powershell/public/cis/Test-MtCisCommunicateInitiateExternalTeamsUsers.md new file mode 100644 index 000000000..6e23d9c71 --- /dev/null +++ b/powershell/public/cis/Test-MtCisCommunicateInitiateExternalTeamsUsers.md 
@@ -0,0 +1,58 @@ +8.2.3 (L1) Ensure external Teams users cannot initiate conversations + +This setting prevents external users who are not managed by an organization from initiating contact with users in the protected organization. The recommended state is to uncheck **External users with Teams accounts not managed by an organization can contact users in my organization**. + +>Note: Disabling this setting is used as an additional stop gap for the previous setting which disables communication with unmanaged Teams users entirely. If an organization chooses to have an exception to (L1) Ensure communication with unmanaged Teams users is disabled they can do so while also disabling the ability for the same group of users to initiate contact. Disabling communication entirely will also disable the ability for unmanaged users to initiate contact. + +#### Rationale + +Allowing users to communicate with unmanaged Teams users presents a potential security threat as little effort is required by threat actors to gain access to a trial or free Microsoft Teams account. + +Some real-world attacks and exploits delivered via Teams over external access channels include: +* DarkGate malware +* Social engineering / Phishing attacks by "Midnight Blizzard" +* GIFShell +* Username enumeration + +#### Impact + +The impact of disabling this is very low. +Organizations may choose to create additional policies for specific groups that need to communicate with unmanaged external users. + +>Note: Chats and meetings with external unmanaged Teams users isn't available in GCC, GCC High, or DOD deployments, or in private cloud environments. + +#### Remediation action: + +To remediate using the UI: +1. Navigate to [Microsoft 365 Teams Admin Center](https://admin.teams.microsoft.com). +2. Click to expand **Users** select **External access**. +3. Select the **Policies** tab +4. Click on the **Global (Org-wide default)** policy. +5. 
Locate the parent setting **People in my organization can communicate with unmanaged Teams accounts**. +6. Uncheck **External users with Teams accounts not managed by an organization can contact users in my organization**. +7. Click **Save**. + +>Note: If People in my organization can communicate with unmanaged Teams accounts is already set to Off then this setting will not be visible and will satisfy the requirements of this recommendation. + + +##### PowerShell + +1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`. +2. Run the following command: +```powershell +Set-CsExternalAccessPolicy -Identity Global -EnableTeamsConsumerInbound $false +``` + +>Note: Configuring the organization settings to block inbound communication is also in compliance with this control. + + +#### Related links + +* [Microsoft 365 Teams Admin Center](https://admin.teams.microsoft.com) +* [IT Admins - Manage external meetings and chat with people and organizations using Microsoft identities](https://learn.microsoft.com/en-us/microsoftteams/trusted-organizations-external-meetings-chat?tabs=organization-settings) +* [Midnight Blizzard conducts targeted social engineering over Microsoft Teams](https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/) +* [GIFShell Attack Lets Hackers Create Reverse Shell through Microsoft Teams GIFs](https://www.bitdefender.com/en-us/blog/hotforsecurity/gifshell-attack-lets-hackers-create-reverse-shell-through-microsoft-teams-gifs) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 416](https://www.cisecurity.org/benchmark/microsoft_365) + + +%TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisCommunicateInitiateExternalTeamsUsers.ps1 b/powershell/public/cis/Test-MtCisCommunicateInitiateExternalTeamsUsers.ps1 new file mode 100644 index 000000000..b1d9cb99c --- /dev/null 
+++ b/powershell/public/cis/Test-MtCisCommunicateInitiateExternalTeamsUsers.ps1 @@ -0,0 +1,49 @@ +function Test-MtCisCommunicateInitiateExternalTeamsUsers { + <# + .SYNOPSIS + Ensure external Teams users cannot initiate conversations + + .DESCRIPTION + External Teams users cannot initiate conversations + CIS Microsoft 365 Foundations Benchmark v6.0.1 + + .EXAMPLE + Test-MtCisCommunicateInitiateExternalTeamsUsers + + Returns true if external Teams users cannot initiate conversations + + .LINK + https://maester.dev/docs/commands/Test-MtCisCommunicateInitiateExternalTeamsUsers + #> + [CmdletBinding()] + [OutputType([bool])] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '', Justification = 'This test checks multiple users.')] + param() + + if (-not (Test-MtConnection Teams)) { + Add-MtTestResultDetail -SkippedBecause NotConnectedTeams + return $null + } + + Write-Verbose 'Test-MtCisCommunicateInitiateExternalTeamsUsers: Checking if external unmanaged Teams users cannot initiate conversations' + + try { + $AllowTeamsConsumerInbound = Get-CsTenantFederationConfiguration | Select-Object -ExpandProperty AllowTeamsConsumerInbound + if ($AllowTeamsConsumerInbound -eq $false) { + Add-MtTestResultDetail -Result 'Well done. External unmanaged Teams users cannot initiate conversations.' + return $true + } else { + $ExternalAccessPolicy = Get-CsExternalAccessPolicy -Identity Global + if ($ExternalAccessPolicy.EnableTeamsConsumerInbound -eq $false) { + Add-MtTestResultDetail -Result 'Well done. External unmanaged Teams users cannot initiate conversations.' + return $true + } else { + Add-MtTestResultDetail -Result 'External unmanaged Teams users can initiate conversations.' + return $false + } + } + } catch { + Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ + return $null + } +} 
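Review bot: The pass condition inside the try block ignores the parent setting: the function only tests `AllowTeamsConsumerInbound` and the Global policy's `EnableTeamsConsumerInbound`, while the .md added for this same control states that a tenant with *People in my organization can communicate with unmanaged Teams accounts* already Off satisfies the recommendation (the inbound toggle is then not even visible). If `AllowTeamsConsumer` / `EnableTeamsConsumerAccess` can be `$false` while the inbound flags stay at their default, which the documentation text suggests, such a tenant is reported as failing although it is in the stricter state. I would read the configuration once and fold the parent flag into each check: `$FederationConfig = Get-CsTenantFederationConfiguration`, then `if ($FederationConfig.AllowTeamsConsumer -eq $false -or $FederationConfig.AllowTeamsConsumerInbound -eq $false) {`, and for the policy `if ($ExternalAccessPolicy.EnableTeamsConsumerAccess -eq $false -or $ExternalAccessPolicy.EnableTeamsConsumerInbound -eq $false) {`. The failing branch would also be more actionable if its message named which of the inspected settings is still enabled instead of the generic text.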
diff --git a/powershell/public/cis/Test-MtCisCommunicateWithUnmanagedTeamsUsers.md b/powershell/public/cis/Test-MtCisCommunicateWithUnmanagedTeamsUsers.md index d061506d6..9ead79077 100644 --- a/powershell/public/cis/Test-MtCisCommunicateWithUnmanagedTeamsUsers.md +++ b/powershell/public/cis/Test-MtCisCommunicateWithUnmanagedTeamsUsers.md 
@@ -1,49 +1,52 @@ -8.2.2 (L1) Ensure communication with unmanaged Teams users is disabled & 8.2.3 (L1) Ensure external Teams users cannot initiate conversations +8.2.2 (L1) Ensure communication with unmanaged Teams users is disabled -This test checks if the communication with unmanaged Teams users is disabled . +This policy setting controls chats and meetings with external unmanaged Teams users (those not managed by an organization, such as Microsoft Teams (free)). -8.2.2 (L1):\ -This policy setting controls chats and meetings with external unmanaged Teams users (those not managed by an organization, such as Microsoft Teams (free)) +The recommended state is: **People in my organization can communicate with unmanaged Teams accounts set to Off**. -Rationale:\ -Allowing users to communicate with unmanaged Teams users presents a potential security threat as little effort is required by threat actors to gain access to a trial or free Microsoft Teams account. +#### Rationale -8.2.3 (L1):\ -This setting prevents external users who are not managed by an organization from initiating contact with users in the protected organization. -Note: Disabling this setting is used as an additional stop gap for the previous setting which disables communication with unmanaged Teams users entirely. If an organization chooses to have an exception to (L1) Ensure communication with unmanaged Teams users is disabled they can do so while also disabling the ability for the same group of users to initiate contact. Disabling communication entirely will also disable the ability for unmanaged users to initiate contact. +Allowing users to communicate with unmanaged Teams users presents a potential security threat as little effort is required by threat actors to gain access to a trial or free Microsoft Teams account. 
Some real-world attacks and exploits delivered via Teams over external access channels include: +* DarkGate malware +* Social engineering / Phishing attacks by "Midnight Blizzard" +* GIFShell +* Username enumeration -Rationale:\ -Allowing users to communicate with unmanaged Teams users presents a potential security threat as little effort is required by threat actors to gain access to a trial or free Microsoft Teams account. +#### Impact + +Users will be unable to communicate with Teams users who are not managed by an organization. Organizations may choose create additional policies for specific groups needing to communicating with unmanaged external users. + +>Note: The settings that govern chats and meetings with external unmanaged Teams users aren't available in GCC, GCC High, or DOD deployments, or in private cloud environments #### Remediation action: -To change communication with unmanaged Teams users using the UI: -1. Navigate to **Microsoft Teams admin center** [https://admin.teams.microsoft.com](https://admin.teams.microsoft.com). +To remediate using the UI: +1. Navigate to [Microsoft 365 Teams Admin Center](https://admin.teams.microsoft.com). 2. Click to expand **Users** select **External access**. -3. Scroll to **Teams accounts not managed by an organization**. -4. Set **People in my organization can communicate with Teams users whose accounts aren't managed by an organization** to **Off**. -5. Uncheck **External users with Teams accounts not managed by an organization can contact users in my organization**. - - If **People in my organization can communicate with Teams users whose accounts aren't managed by an organization** is already set to **Off** then this setting will not be visible and can be considered to be in a passing state. -6. Click **Save** - -To change communication with unmanaged Teams users using PowerShell: -1. Connect to Teams using **Connect-MicrosoftTeams**. -2. 
Run following PowerShell Command: -``` -Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -Set-CsTenantFederationConfiguration -AllowTeamsConsumerInbound $false +3. Select the **Policies** tab +4. Click on the **Global (Org-wide default)** policy. +5. Set **People in my organization can communicate with unmanaged Teams accounts** to **Off**. +6. Click **Save**. + + +##### PowerShell + +1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`. +2. Run the following command: +```powershell +Set-CsExternalAccessPolicy -Identity Global -EnableTeamsConsumerAccess $false ``` +>Note: Configuring the organization settings to block communication is also in compliance with this control. + + #### Related links -* [Microsoft 365 Admin Center](https://admin.microsoft.com) -* [Microsoft Teams Admin Center](https://admin.teams.microsoft.com). -* [Manage external meetings and chat with people and organizations using Microsoft identities](https://learn.microsoft.com/en-us/microsoftteams/trusted-organizations-external-meetings-chat?tabs=organization-settings) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 378 - 384](https://www.cisecurity.org/benchmark/microsoft_365) -* [CISA MS.TEAMS.2.2v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/teams.md#msteams22v1) -* [DarkGate malware delivered via Microsoft Teams - detection and response](https://levelblue.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response) +* [Microsoft 365 Teams Admin Center](https://admin.teams.microsoft.com) +* [IT Admins - Manage external meetings and chat with people and organizations using Microsoft identities](https://learn.microsoft.com/en-us/microsoftteams/trusted-organizations-external-meetings-chat?tabs=organization-settings) * [Midnight Blizzard conducts targeted social engineering over Microsoft 
Teams](https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/) * [GIFShell Attack Lets Hackers Create Reverse Shell through Microsoft Teams GIFs](https://www.bitdefender.com/en-us/blog/hotforsecurity/gifshell-attack-lets-hackers-create-reverse-shell-through-microsoft-teams-gifs) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 413](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisCommunicateWithUnmanagedTeamsUsers.ps1 b/powershell/public/cis/Test-MtCisCommunicateWithUnmanagedTeamsUsers.ps1 index c0f1115e9..02b8bed5e 100644 --- a/powershell/public/cis/Test-MtCisCommunicateWithUnmanagedTeamsUsers.ps1 +++ b/powershell/public/cis/Test-MtCisCommunicateWithUnmanagedTeamsUsers.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION Communication with unmanaged Teams users is disabled - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisCommunicateWithUnmanagedTeamsUsers 
@@ -29,13 +29,18 @@ try { $AllowTeamsConsumer = Get-CsTenantFederationConfiguration | Select-Object -ExpandProperty AllowTeamsConsumer - $AllowTeamsConsumerInbound = Get-CsTenantFederationConfiguration | Select-Object -ExpandProperty AllowTeamsConsumerInbound - if (($AllowTeamsConsumer -eq $false -and $AllowTeamsConsumerInbound -eq $false) -or ($AllowTeamsConsumer -eq $false -and $AllowTeamsConsumerInbound -eq $true)) { + if ($AllowTeamsConsumer -eq $false) { Add-MtTestResultDetail -Result 'Well done. Communication with unmanaged Teams users is disabled.' return $true } else { - Add-MtTestResultDetail -Result 'Communication with unmanaged Teams users is enabled.' - return $false + $ExternalAccessPolicy = Get-CsExternalAccessPolicy -Identity Global + if ($ExternalAccessPolicy.EnableTeamsConsumerAccess -eq $false) { + Add-MtTestResultDetail -Result 'Well done. Communication with unmanaged Teams users is disabled.' + return $true + } else { + Add-MtTestResultDetail -Result 'Communication with unmanaged Teams users is enabled.' + return $false + } } } catch { Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ diff --git a/powershell/public/cis/Test-MtCisConnectionFilterSafeList.md b/powershell/public/cis/Test-MtCisConnectionFilterSafeList.md index 3c4f865d7..1cbdb58c7 100644 --- a/powershell/public/cis/Test-MtCisConnectionFilterSafeList.md +++ b/powershell/public/cis/Test-MtCisConnectionFilterSafeList.md 
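Review bot: The failing branch at the end of the new else block reports only `'Communication with unmanaged Teams users is enabled.'` although two distinct settings were just inspected, so an operator cannot tell from the result whether the tenant federation `AllowTeamsConsumer` flag or the Global policy's `EnableTeamsConsumerAccess` is the one left on — and the .md for this control now documents a separate remediation path for each. Including the observed values keeps the finding actionable, e.g. `Add-MtTestResultDetail -Result "Communication with unmanaged Teams users is enabled (AllowTeamsConsumer: $AllowTeamsConsumer, Global policy EnableTeamsConsumerAccess: $($ExternalAccessPolicy.EnableTeamsConsumerAccess))."`. The two identical 'Well done' branches could also collapse into one computed `$compliant` boolean so the pass/fail messaging lives in a single place. The enclosing function and its try block begin above this hunk.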
@@ -1,21 +1,40 @@ 2.1.13 (L1) Ensure the connection filter safe list is off -**Rationale:** +In Microsoft 365 organizations with Exchange Online mailboxes or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, connection filtering and the default connection filter policy identify good or bad source email servers by IP addresses. The key components of the default connection filter policy are IP Allow List, IP Block List and Safe list. The safe list is a pre-configured allow list that is dynamically updated by Microsoft. The recommended safe list state is: Off or False + +#### Rationale + Without additional verification like mail flow rules, email from sources in the IP Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC) checks. This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered. Messages that are determined to be malware or high confidence phishing are filtered. The safe list is managed dynamically by Microsoft, and administrators do not have visibility into which sender are included. Incoming messages from email servers on the safe list bypass spam filtering. +#### Impact + +This is the default behavior. IP Allow lists may reduce false positives, however, this benefit is outweighed by the importance of a policy which scans all messages regardless of the origin. This supports the principle of zero trust. + #### Remediation action: -To remove IPs from the allow list: -1. Navigate to Microsoft 365 Defender [https://security.microsoft.com](https://security.microsoft.com). -2. Click to expand **Email & collaboration** select **Policies & rules** > **Threat policies**. -3. Under policies select **Anti-spam**. +1. Navigate to [Microsoft 365 Defender](https://security.microsoft.com). +2. Click to expand **Email & collaboration** select **Policies & rules**> **Threat policies**. +3. Under Policies select **Anti-spam**. 4. 
Click on the **Connection filter policy (Default)**. -5. Ensure Safe list is Off. +5. Click **Edit connection filter policy**. +6. Uncheck **Turn on safe list**. +7. Click **Save**. + +##### PowerShell + +1. Connect to Exchange Online using `Connect-ExchangeOnline`. +2. Run the following PowerShell command: +```powershell +Set-HostedConnectionFilterPolicy -Identity Default -EnableSafeList $false +``` #### Related links * [Microsoft 365 Defender](https://security.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 116](https://www.cisecurity.org/benchmark/microsoft_365) +* [Configure connection filtering in cloud organizations](https://learn.microsoft.com/en-us/defender-office-365/connection-filter-policies-configure) +* [Create sender allowlists for cloud mailboxes](https://learn.microsoft.com/en-us/defender-office-365/create-safe-sender-lists-in-office-365#use-the-ip-allow-list) +* [When user and organization settings conflict](https://learn.microsoft.com/en-us/defender-office-365/how-policies-and-protections-are-combined#user-and-tenant-settings-conflict) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 119](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisConnectionFilterSafeList.ps1 b/powershell/public/cis/Test-MtCisConnectionFilterSafeList.ps1 index ccb97313b..3280d717c 100644 --- a/powershell/public/cis/Test-MtCisConnectionFilterSafeList.ps1 +++ b/powershell/public/cis/Test-MtCisConnectionFilterSafeList.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION The connection filter should not have the safe list enabled - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisConnectionFilterSafeList diff --git a/powershell/public/cis/Test-MtCisCreateTenantDisallowed.md b/powershell/public/cis/Test-MtCisCreateTenantDisallowed.md index 29ceadd09..bfed9b719 100644 
--- a/powershell/public/cis/Test-MtCisCreateTenantDisallowed.md +++ b/powershell/public/cis/Test-MtCisCreateTenantDisallowed.md 
@@ -1,21 +1,36 @@ 5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' -**Rationale:** -Restricting tenant creation prevents unauthorized or uncontrolled deployment of resources and ensures that the organization retains control over its infrastructure. -User generation of shadow IT could lead to multiple, disjointed environments that can make it difficult for IT to manage and secure the organization's data, especially if other users in the organization began using these tenants for business purposes under the misunderstanding that they were secured by the organization's security team. +Non-privileged users can create tenants in the Microsoft Entra ID and Microsoft Entra administration portal under "Manage tenant". The creation of a tenant is recorded in the Audit log as category "DirectoryManagement" and activity "Create Company". By default, the user who creates a Microsoft Entra tenant is automatically assigned the Global Administrator role. The newly created tenant doesn't inherit any settings or configurations. + +#### Rationale + +Restricting tenant creation prevents unauthorized or uncontrolled deployment of resources and ensures that the organization retains control over its infrastructure. User generation of shadow IT could lead to multiple, disjointed environments that can make it difficult for IT to manage and secure the organization's data, especially if other users in the organization began using these tenants for business purposes under the misunderstanding that they were secured by the organization's security team. + +#### Impact + +Non-admin users will need to contact I.T. if they have a valid reason to create a tenant. #### Remediation action: -1. Navigate to Microsoft 365 Entra admin center [https://entra.microsoft.com](https://entra.microsoft.com). -2. Click to expand **Identity** select **Users**. -3. Click **User settings** -4. Set **Restrict non-admin users from creating tenants** to **Yes** -5. Click Save. +1. 
Navigate to [Microsoft 365 Entra admin center](https://entra.microsoft.com). +2. Click to expand **Entra ID** > **Users** > **User settings**. +3. Set **Restrict non-admin users from creating tenants** to **Yes** then **Save**. + +##### PowerShell + +1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"` +2. Run the following commands: +```powershell +# Create hashtable and update the auth policy +$params = @{ AllowedToCreateTenants = $false } +Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $params +``` #### Related links -* [Microsoft Entra admin center | Users | User settings](https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/UserSettings/menuId/) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 167](https://www.cisecurity.org/benchmark/microsoft_365) +* [Microsoft 365 Entra admin center](https://entra.microsoft.com) +* [Restrict member users' default permissions](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 175](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisCreateTenantDisallowed.ps1 b/powershell/public/cis/Test-MtCisCreateTenantDisallowed.ps1 index edabb5f6c..704d7d982 100644 --- a/powershell/public/cis/Test-MtCisCreateTenantDisallowed.ps1 +++ b/powershell/public/cis/Test-MtCisCreateTenantDisallowed.ps1 
@@ -1,20 +1,20 @@ -<# -.SYNOPSIS - Checks if non-admin users are restricted from creating tenants - -.DESCRIPTION - Non-admin users should be restricted from creating tenants. - CIS Microsoft 365 Foundations Benchmark v5.0.0 - -.EXAMPLE - Test-MtCisCreateTenantDisallowed - - Returns true if non-admin users are restricted from creating tenants. - -.LINK - https://maester.dev/docs/commands/Test-MtCisCreateTenantDisallowed -#> -function Test-MtCisCreateTenantDisallowed { +function Test-MtCisCreateTenantDisallowed { + <# + .SYNOPSIS + Checks if non-admin users are restricted from creating tenants + + .DESCRIPTION + Non-admin users should be restricted from creating tenants. + CIS Microsoft 365 Foundations Benchmark v6.0.1 + + .EXAMPLE + Test-MtCisCreateTenantDisallowed + + Returns true if non-admin users are restricted from creating tenants. + + .LINK + https://maester.dev/docs/commands/Test-MtCisCreateTenantDisallowed + #> [CmdletBinding()] [OutputType([bool])] param() @@ -35,7 +35,8 @@ function Test-MtCisCreateTenantDisallowed { if ($testResult) { $testResultMarkdown = "Well done. Your tenant settings comply with CIS recommendations.`n`n%TestResult%" - } else { + } + else { $testResultMarkdown = "Your tenant settings do not comply with CIS recommendations.`n`n%TestResult%" } @@ -44,7 +45,8 @@ function Test-MtCisCreateTenantDisallowed { if ($checkAllowedToCreateTenants) { $checkAllowedToCreateTenantsResult = '✅ Pass' - } else { + } + else { $checkAllowedToCreateTenantsResult = '❌ Fail' } @@ -54,7 +56,8 @@ function Test-MtCisCreateTenantDisallowed { Add-MtTestResultDetail -Result $testResultMarkdown return $testResult - } catch { + } + catch { Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ return $null } diff --git a/powershell/public/cis/Test-MtCisCustomerLockBox.md b/powershell/public/cis/Test-MtCisCustomerLockBox.md index c1e34c271..ea49018e8 100644 --- a/powershell/public/cis/Test-MtCisCustomerLockBox.md 
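Review bot: The three trailing hunks in this file change `} else {` and `} catch {` so that `else`/`catch` start on their own line after the closing brace, which is inconsistent with the rest of this commit — the new Test-MtCisCommunicateInitiateExternalTeamsUsers.ps1 and the edited Test-MtCisCommunicateWithUnmanagedTeamsUsers.ps1 keep `} else {` / `} catch {`, and the same brace reflow appears again in Test-MtCisDevicesWithoutCompliancePolicyMarked.ps1 further down. This looks like an editor formatter setting rather than an intentional change, and mixing two brace styles within one module makes future diffs noisier than they need to be. I would drop these brace-only hunks (keeping the move of the comment-based help into the function body and the v6.0.1 bump) or, if the new style is intended, apply it module-wide in a separate formatting-only commit.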
+++ b/powershell/public/cis/Test-MtCisCustomerLockBox.md @@ -1,8 +1,14 @@ 1.3.6 (L2) Ensure the customer lockbox feature is enabled -Customer Lockbox is a security feature that provides an additional layer of control and transparency to customer data in Microsoft 365. Enabling this feature protects organizational data against data spillage and exfiltration. +Customer Lockbox is a security feature that provides an additional layer of control and transparency to customer data in Microsoft 365. It offers an approval process for Microsoft support personnel to access organization data and creates an audited trail to meet compliance requirements. -Test implementation checks Exchange Online service only. +#### Rationale + +Enabling this feature protects organizational data against data spillage and exfiltration. + +#### Impact + +Administrators will need to grant Microsoft access to the tenant environment prior to a Microsoft engineer accessing the environment for support or troubleshooting. #### Remediation action: @@ -14,10 +20,19 @@ To enable the Customer Lockbox feature: 5. Check the box **Require approval for all data access requests**. 6. Click **Save**. +##### PowerShell + +1. Connect to Exchange Online using `Connect-ExchangeOnline`. +2. Run the following PowerShell command: +```powershell +Set-OrganizationConfig -CustomerLockBoxEnabled $true +``` + #### Related links * [Microsoft 365 Admin Center](https://admin.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 60](https://www.cisecurity.org/benchmark/microsoft_365) +* [Turn Customer Lockbox requests on or off](https://learn.microsoft.com/en-us/purview/customer-lockbox-requests#turn-customer-lockbox-requests-on-or-off) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 61](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file 
diff --git a/powershell/public/cis/Test-MtCisCustomerLockBox.ps1 b/powershell/public/cis/Test-MtCisCustomerLockBox.ps1 index 1da22a261..800c00807 100644 --- a/powershell/public/cis/Test-MtCisCustomerLockBox.ps1 +++ b/powershell/public/cis/Test-MtCisCustomerLockBox.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION The customer lockbox feature should be enabled - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisCustomerLockBox diff --git a/powershell/public/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.md b/powershell/public/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.md index efe77dddb..dc179f338 100644 --- a/powershell/public/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.md +++ b/powershell/public/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.md 
@@ -1,20 +1,48 @@ 4.1 (L2) Ensure devices without a compliance policy are marked 'not compliant' -**Rationale:** -Implementing this setting is a first step in adopting compliance policies for devices. -When used in together with Conditional Access policies the attack surface can be reduced by forcing an action to be taken for non-compliant devices. +Compliance policies are sets of rules and conditions that are used to evaluate the configuration of managed devices. These policies can help secure organizational data and resources from devices that don't meet those configuration requirements. Managed devices must satisfy the conditions you set in your policies to be considered compliant by Intune. When combined with conditional access, this allows more control over how non-compliant devices are treated. + +The recommended state is **Mark devices with no compliance policy assigned as** **Not compliant** + +#### Rationale + +Implementing this setting is a first step in adopting compliance policies for devices. When used in together with Conditional Access policies the attack surface can be reduced by forcing an action to be taken for non-compliant devices. + +>Note: This section does not focus on which compliance policies to use, only that an organization should adopt and enforce them to their needs. + +#### Impact + +Any devices without a compliance policy will be marked not compliant. Care should be taken to first deploy any new compliance policies with a Conditional Access (CA) policy that is in the Report-only state. After the environment's device compliance is better understood it is then appropriate to finally align with **Mark devices with no compliance policy assigned as** and enable any CA policies that enforce actions based on device compliance. 
+ +If a mature environment already has an existing device compliance CA policy and a large number of devices without an assigned compliance policy, this could cause disruption as those devices would then be suddenly considered not compliant. + #### Remediation action: -1. Navigate to Microsoft Intune admin center [https://intune.microsoft.com](https://intune.microsoft.com). +1. Navigate to [Microsoft Intune admin center](https://intune.microsoft.com). 2. Click on **Devices** and then under **Managed devices** on **Compliance**. 3. Click **Compliance settings**. 4. Ensure **Mark devices with no compliance policy assigned as** set to **Not compliant** +#### PowerShell + +1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"` +2. Run the following commands: +```powershell +$Uri = 'https://graph.microsoft.com/v1.0/deviceManagement' +$Body = @{ + settings = @{ + secureByDefault = $true + } +} | ConvertTo-Json +Invoke-MgGraphRequest -Uri $Uri -Method PATCH -Body $Body +``` + #### Related links -* [Microsoft Intune Admin Center | Devices | Compliance](https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/compliance) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 156](https://www.cisecurity.org/benchmark/microsoft_365) +* [Microsoft Intune admin center](https://intune.microsoft.com) +* [Use compliance policies to set rules for devices you manage with Intune](https://learn.microsoft.com/en-us/intune/intune-service/protect/device-compliance-get-started) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 162](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.ps1 b/powershell/public/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.ps1 index bc68a77a1..f260ebcc6 100644 --- a/powershell/public/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.ps1 
+++ b/powershell/public/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.ps1 @@ -1,20 +1,20 @@ -<# -.SYNOPSIS - Checks if devices without a compliance policy assigned are marked "not compliant". - -.DESCRIPTION - Devices without a compliance policy assigned should be marked "not compliant". - CIS Microsoft 365 Foundations Benchmark v5.0.0 - -.EXAMPLE - Test-MtCisDevicesWithoutCompliancePolicyMarked - - Returns true if devices without a compliance policy assigned are marked "not compliant". - -.LINK - https://maester.dev/docs/commands/Test-MtCisDevicesWithoutCompliancePolicyMarked -#> -function Test-MtCisDevicesWithoutCompliancePolicyMarked { +function Test-MtCisDevicesWithoutCompliancePolicyMarked { + <# + .SYNOPSIS + Checks if devices without a compliance policy assigned are marked "not compliant". + + .DESCRIPTION + Devices without a compliance policy assigned should be marked "not compliant". + CIS Microsoft 365 Foundations Benchmark v6.0.1 + + .EXAMPLE + Test-MtCisDevicesWithoutCompliancePolicyMarked + + Returns true if devices without a compliance policy assigned are marked "not compliant". + + .LINK + https://maester.dev/docs/commands/Test-MtCisDevicesWithoutCompliancePolicyMarked + #> [CmdletBinding()] [OutputType([bool])] param() @@ -35,7 +35,8 @@ function Test-MtCisDevicesWithoutCompliancePolicyMarked { if ($testResult) { $testResultMarkdown = "Well done. Your tenant settings comply with CIS recommendations.`n`n%TestResult%" - } else { + } + else { $testResultMarkdown = "Your tenant settings do not comply with CIS recommendations.`n`n%TestResult%" } @@ -44,7 +45,8 @@ function Test-MtCisDevicesWithoutCompliancePolicyMarked { if ($checkSecureByDefault) { $checkSecureByDefaultResult = '✅ Pass' - } else { + } + else { $checkSecureByDefaultResult = '❌ Fail' } 
@@ -53,7 +55,8 @@ function Test-MtCisDevicesWithoutCompliancePolicyMarked { Add-MtTestResultDetail -Result $testResultMarkdown return $testResult - } catch { + } + catch { Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ return $null } diff --git a/powershell/public/cis/Test-MtCisDkim.md b/powershell/public/cis/Test-MtCisDkim.md index 625718c6d..0de7b6c2f 100644 --- a/powershell/public/cis/Test-MtCisDkim.md +++ b/powershell/public/cis/Test-MtCisDkim.md 
@@ -1,22 +1,58 @@ 2.1.9 (L1) Ensure that DKIM is enabled for all Exchange Online Domains -Description: DKIM lets an organization add a digital signature to outbound email messages in the message header. +DKIM is one of the trio of Authentication methods (SPF, DKIM and DMARC) that help prevent attackers from sending messages that look like they come from your domain. DKIM lets an organization add a digital signature to outbound email messages in the message header. When DKIM is configured, the organization authorizes it's domain to associate, or sign, its name to an email message using cryptographic authentication. Email systems that get email from this domain can use a digital signature to help verify whether incoming email is legitimate. Use of DKIM in addition to SPF and DMARC to help prevent malicious actors using spoofing techniques from sending messages that look like they are coming from your domain. + +#### Rationale + +By enabling DKIM with Office 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and not being spoofed. + +#### Impact + +There should be no impact of setting up DKIM however, organizations should ensure appropriate setup to ensure continuous mail-flow. #### Remediation action: -To enable DKIM: +To remediate using a DNS Provider: + +1. For each accepted domain in Exchange Online, two DNS entries are required. +```txt +Host name: selector1._domainkey +Points to address or value: selector1-._domainkey. +TTL: 3600 +Host name: selector2._domainkey +Points to address or value: selector2-._domainkey. +TTL: 3600 +``` + +For Office 365, the selectors will always be **selector1** or **selector2**. + +domainGUID is the same as the domainGUID in the customized MX record for your custom domain that appears before mail.protection.outlook.com. 
For example, in the following MX record for the domain contoso.com, the domainGUID is contoso-com: +```txt +contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.com +``` + +The initial domain is the domain that you used when you signed up for Office 365. Initial domains always end with on.microsoft.com. + +1. After the DNS records are created, enable DKIM signing in Defender. +2. Navigate to [Microsoft 365 Defender](https://security.microsoft.com) +3. Expand **Email & collaboration** > **Policies & rules** > **Threat policies**. +4. Under **Rules** section click **Email authentication settings**. +5. Select **DKIM** +6. Click on each domain and click **Enable** next to **Sign messages for this domain with DKIM signature**. + +Final remediation step using the Exchange Online PowerShell Module: -1. Navigate to Microsoft 365 Defender [https://security.microsoft.com](https://security.microsoft.com) -2. Under **Email & collaboration** select **Policies & rules** then **Threat policies** -3. Under the **Rules** section click **Email authentication settings** -4. Select **DKIM** -5. Click on each domain and confirm that **Sign messages for this domain with DKIM signatures** is **Enabled** -6. A status of **Not signing DKIM signatures for this domain** is an audit fail. +1. Connect to Exchange Online service using `Connect-ExchangeOnline`. +2. 
Run the following Exchange Online PowerShell command: +```powershell +Set-DkimSigningConfig -Identity < domainName > -Enabled $True +``` #### Related links * [Microsoft 365 Defender](https://security.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 98](https://www.cisecurity.org/benchmark/microsoft_365) +* [Set up DKIM to sign mail from your cloud domain](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dkim-configure?view=o365-worldwide) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 102](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisDkim.ps1 b/powershell/public/cis/Test-MtCisDkim.ps1 index d4230777e..3fbf57653 100644 --- a/powershell/public/cis/Test-MtCisDkim.ps1 +++ b/powershell/public/cis/Test-MtCisDkim.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION DKIM SHOULD be enabled for all domains. - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisDkim diff --git a/powershell/public/cis/Test-MtCisEnsureGuestAccessRestricted.md b/powershell/public/cis/Test-MtCisEnsureGuestAccessRestricted.md index 4171c9b83..d7c6c7b57 100644 --- a/powershell/public/cis/Test-MtCisEnsureGuestAccessRestricted.md +++ b/powershell/public/cis/Test-MtCisEnsureGuestAccessRestricted.md 
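Review bot: The DNS record block under "To remediate using a DNS Provider" gives the CNAME targets as `selector1-._domainkey.` and `selector2-._domainkey.`, which as written are not resolvable names — the domainGUID and initial-domain placeholders that the two following paragraphs go on to explain have been dropped (it looks like angle-bracket placeholders were stripped as HTML when the text was pasted). The lines should read `Points to address or value: selector1-<domainGUID>._domainkey.<initialDomain>` and `Points to address or value: selector2-<domainGUID>._domainkey.<initialDomain>`, with the brackets escaped or kept inside the fence so Docusaurus renders them, the same way the later `< domainName >` was worked around. Two smaller things in the same hunk: the step list restarts at "1." after the DNS paragraph, and "authorizes it's domain" should be "its". The text already orders DNS before enabling signing; it is worth saying why, since `Set-DkimSigningConfig -Enabled $True` is rejected by Exchange Online if the CNAMEs do not resolve yet.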
@@ -1,22 +1,53 @@ 5.1.6.2 (L1) Ensure that guest user access is restricted -**Rationale:** +Microsoft Entra ID, part of Microsoft Entra, allows you to restrict what external guest users can see in their organization in Microsoft Entra ID. Guest users are set to a limited permission level by default in Microsoft Entra ID, while the default for member users is the full set of user permissions. + +These directory level permissions are enforced across Microsoft Entra services including Microsoft Graph, PowerShell v2, the Azure portal, and My Apps portal. Microsoft 365 services leveraging Microsoft 365 groups for collaboration scenarios are also affected, specifically Outlook, Microsoft Teams, and SharePoint. They do not override the SharePoint or Microsoft Teams guest settings. + +The recommended state is at least **Guest users have limited access to properties and memberships of directory objects** or more restrictive. + +#### Rationale + By limiting guest access to the most restrictive state this helps prevent malicious group and user object enumeration in the Microsoft 365 environment. This first step, known as reconnaissance in The Cyber Kill Chain, is often conducted by attackers prior to more advanced targeted attacks. +#### Impact + +The default is Guest users have limited access to properties and memberships of directory objects. + +When using the 'most restrictive' setting, guests will only be able to access their own profiles and will not be allowed to see other users' profiles, groups, or group memberships. + +There are some known issues with Yammer that will prevent guests that are signed in from leaving the group. + #### Remediation action: -1. Navigate to Microsoft Entra ID admin center [https://entra.microsoft.com](https://entra.microsoft.com). -2. Under **Entra ID** select **External Identities** -3. Select **External collaboration settings** -4. 
Under **Guest user access** set **Guest user access restrictions** to one of the following: - - **Guest users have limited access to properties and memberships of directory objects** - - **Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)** -5. Click Save. +1. Navigate to [Microsoft Entra ID admin center](https://entra.microsoft.com). +2. Click to expand **Entra ID** > **External Identities** select **External collaboration settings**. +3. Under **Guest user access** set **Guest user access restrictions** to one of the following: +* State: **Guest users have limited access to properties and memberships of directory objects** +* State: **Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)** + +##### PowerShell + +1. Connect to Microsoft Graph using Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" +2. Run the following command to set the guest user access restrictions to default: +```powershell +# Guest users have limited access to properties and memberships of directory objects +Update-MgPolicyAuthorizationPolicy -GuestUserRoleId '10dae51f-b6af-4016-8d66-8c2a99b929b3' +``` +3. Or, run the following command to set it to the "most restrictive": +```powershell +# Guest user access is restricted to properties and memberships of their own directory objects (most restrictive) +Update-MgPolicyAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bcdaa82404023b' +``` + +>Note: Either setting allows for a passing state. 
#### Related links -* [Microsoft 365 Entra Admin Center | External Identities | External collaboration settings](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/CompanyRelationshipsMenuBlade/~/Settings/menuId/ExternalIdentitiesGettingStarted) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 193](https://www.cisecurity.org/benchmark/microsoft_365) +* [Microsoft Entra ID admin center](https://entra.microsoft.com) +* [Restrict guest access permissions in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/users/users-restrict-guest-permissions) +* [Cyber Kill Chain](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 221](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisEnsureGuestAccessRestricted.ps1 b/powershell/public/cis/Test-MtCisEnsureGuestAccessRestricted.ps1 index 18e8b3ae6..491418f66 100644 --- a/powershell/public/cis/Test-MtCisEnsureGuestAccessRestricted.ps1 +++ b/powershell/public/cis/Test-MtCisEnsureGuestAccessRestricted.ps1 
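Review bot: The "most restrictive" GUID in the PowerShell remediation, `2af84b1e-32c8-42b7-82bcdaa82404023b`, is malformed — it has four hyphen-separated groups instead of five, so `Update-MgPolicyAuthorizationPolicy` will reject it rather than set the role, and an admin who copies it gets an error instead of a hardened tenant. It should be `Update-MgPolicyAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'` (the published ID for the restricted guest role — verify against the Entra page linked below); the limited-access ID on the preceding line is intact. The portal steps also dropped the old "Click Save" step, so a reader following them would leave the blade without applying the change. Step 1 of the PowerShell section is missing the backticks around the `Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"` command that the sibling pages use.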
@@ -1,20 +1,20 @@ -<# -.SYNOPSIS - Checks if guest user access is restricted. - -.DESCRIPTION - Guest user access should be restricted to only necessary resources. - CIS Microsoft 365 Foundations Benchmark v5.0.0 - -.EXAMPLE - Test-MtCisEnsureGuestAccessRestricted - - Returns true if guest user access is restricted. - -.LINK - https://maester.dev/docs/commands/Test-MtCisEnsureGuestAccessRestricted -#> -function Test-MtCisEnsureGuestAccessRestricted { +function Test-MtCisEnsureGuestAccessRestricted { + <# + .SYNOPSIS + Checks if guest user access is restricted. + + .DESCRIPTION + Guest user access should be restricted to only necessary resources. + CIS Microsoft 365 Foundations Benchmark v6.0.1 + + .EXAMPLE + Test-MtCisEnsureGuestAccessRestricted + + Returns true if guest user access is restricted. + + .LINK + https://maester.dev/docs/commands/Test-MtCisEnsureGuestAccessRestricted + #> [CmdletBinding()] [OutputType([bool])] param() @@ -32,13 +32,15 @@ function Test-MtCisEnsureGuestAccessRestricted { if ($testResult) { $testResultMarkdown = "Well done. Your tenant settings comply with CIS recommendations." - } else { + } + else { $testResultMarkdown = "Your tenant settings do not comply with CIS recommendations." } Add-MtTestResultDetail -Result $testResultMarkdown return $testResult - } catch { + } + catch { Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ return $null } diff --git a/powershell/public/cis/Test-MtCisEnsureGuestUserDynamicGroup.md b/powershell/public/cis/Test-MtCisEnsureGuestUserDynamicGroup.md index b53ded280..461a25357 100644 --- a/powershell/public/cis/Test-MtCisEnsureGuestUserDynamicGroup.md +++ b/powershell/public/cis/Test-MtCisEnsureGuestUserDynamicGroup.md 
@@ -1,12 +1,18 @@ 5.1.3.1 (L1) Ensure a dynamic group for guest users is created -**Rationale:** +A dynamic group is a dynamic configuration of security group membership for Microsoft Entra ID. Administrators can set rules to populate groups that are created in Entra ID based on user attributes (such as userType, department, or country/region). Members can be automatically added to or removed from a security group based on their attributes. + +The recommended state is to create a dynamic group that includes guest accounts. + +#### Rationale + Dynamic groups allow for an automated method to assign group membership. + Guest user accounts will be automatically added to this group and through this existing conditional access rules, access controls and other security measures will ensure that new guest accounts are restricted in the same manner as existing guest accounts. #### Remediation action: -1. Navigate to Microsoft 365 Entra admin center [https://entra.microsoft.com](https://entra.microsoft.com). +1. Navigate to [Microsoft 365 Entra admin center](https://entra.microsoft.com). 2. Click to expand **Identity** select **Groups**. 3. Click **All groups** 4. Select **New group** and assign the following values: 
@@ -18,10 +24,30 @@ Guest user accounts will be automatically added to this group and through this e 7. Enter `(user.userType -eq "Guest")` 8. Click **OK** and **Save**. +##### PowerShell + +1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes "Group.ReadWrite.All"` +2. In the script below edit DisplayName and MailNickname as needed and run: +```powershell +$params = @{ + DisplayName = "Dynamic Guest Group" + MailNickname = "DynGuestUsers" + MailEnabled = $false + SecurityEnabled = $true + GroupTypes = "DynamicMembership" + MembershipRule = '(user.userType -eq "Guest")' + MembershipRuleProcessingState = "On" +} +New-MgGroup @params +``` + #### Related links -* [Microsoft 365 Entra admin center | Groups](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/GroupsManagementMenuBlade/~/Overview/menuId/Overview) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 179](https://www.cisecurity.org/benchmark/microsoft_365) +* [Microsoft 365 Entra admin center](https://entra.microsoft.com) +* [Create or update a dynamic membership group in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/users/groups-create-rule) +* [Manage rules for dynamic membership groups in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership) +* [Create and manage dynamic membership groups for B2B collaboration in Microsoft Entra External ID](https://learn.microsoft.com/en-us/entra/external-id/use-dynamic-groups) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 185](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisEnsureGuestUserDynamicGroup.ps1 b/powershell/public/cis/Test-MtCisEnsureGuestUserDynamicGroup.ps1 index 71d911ad0..9e5cd7a58 100644 --- a/powershell/public/cis/Test-MtCisEnsureGuestUserDynamicGroup.ps1 +++ b/powershell/public/cis/Test-MtCisEnsureGuestUserDynamicGroup.ps1 
@@ -1,20 +1,20 @@ -<# -.SYNOPSIS - Checks if minimum one dynamic group exists with a membership rule targeting guest users. - -.DESCRIPTION - There should be minimum one dynamic group with a membership rule targeting guest users to ensure that guest users are easily identifiable and can be managed effectively. - CIS Microsoft 365 Foundations Benchmark v5.0.0 - -.EXAMPLE - Test-MtCisEnsureGuestUserDynamicGroup - - Returns true if a group with a membership rule targeting guest users exists. - -.LINK - https://maester.dev/docs/commands/Test-MtCisEnsureGuestUserDynamicGroup -#> -function Test-MtCisEnsureGuestUserDynamicGroup { +function Test-MtCisEnsureGuestUserDynamicGroup { + <# + .SYNOPSIS + Checks if minimum one dynamic group exists with a membership rule targeting guest users. + + .DESCRIPTION + There should be minimum one dynamic group with a membership rule targeting guest users to ensure that guest users are easily identifiable and can be managed effectively. + CIS Microsoft 365 Foundations Benchmark v6.0.1 + + .EXAMPLE + Test-MtCisEnsureGuestUserDynamicGroup + + Returns true if a group with a membership rule targeting guest users exists. + + .LINK + https://maester.dev/docs/commands/Test-MtCisEnsureGuestUserDynamicGroup + #> [CmdletBinding()] [OutputType([bool])] param() @@ -35,13 +35,15 @@ function Test-MtCisEnsureGuestUserDynamicGroup { if ($testResult) { $testResultMarkdown = "Well done. Your tenant settings comply with CIS recommendations.`n`n%TestResult%" - } else { + } + else { $testResultMarkdown = "Your tenant settings do not comply with CIS recommendations.`n`n%TestResult%" } Add-MtTestResultDetail -Result $testResultMarkdown -GraphObjects $checkGuestUserGroup -GraphObjectType Groups return $testResult - } catch { + } + catch { Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ return $null } 
diff --git a/powershell/public/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.md b/powershell/public/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.md index 418a31c34..aad4903ec 100644 --- a/powershell/public/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.md +++ b/powershell/public/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.md 
@@ -1,20 +1,28 @@ 5.1.5.1 (L2) Ensure user consent to apps accessing company data on their behalf is not allowed -**Rationale:** +Control when end users and group owners are allowed to grant consent to applications, and when they will be required to request administrator review and approval. Allowing users to grant apps access to data helps them acquire useful applications and be productive but can represent a risk in some situations if it's not monitored and controlled carefully. + +#### Rationale + Attackers commonly use custom applications to trick users into granting them access to company data. Restricting user consent mitigates this risk and helps to reduce the threat-surface. +#### Impact + +If user consent is disabled, previous consent grants will still be honored but all future consent operations must be performed by an administrator. Tenant-wide admin consent can be requested by users through an integrated administrator consent request workflow or through organizational support processes + #### Remediation action: -1. Navigate to Microsoft 365 Entra admin center [https://entra.microsoft.com](https://entra.microsoft.com). -2. Click to expand **Entra ID** select **Enterprise apps**. -3. Under **Security** click **Consent and permissions** -4. Under **User consent settings** select **Do not allow user consent**. -5. Click **Save** +1. Navigate to [Microsoft 365 Entra admin center](https://entra.microsoft.com). +2. Click to expand **Entra ID** and select **Enterprise apps**. +3. Under **Security** select **Consent and permissions** > **User consent settings**. +4. Under **User consent for applications** select **Do not allow user consent**. +5. Click the **Save** option at the top of the window. 
#### Related links -* [Microsoft 365 Entra admin center | Enterprise apps | Consent and permissions | User consent settings](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 184](https://www.cisecurity.org/benchmark/microsoft_365) +* [Microsoft 365 Entra admin center](https://entra.microsoft.com) +* [Configure how users consent to applications](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent?pivots=portal) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 211](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.ps1 b/powershell/public/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.ps1 index 2aa963373..2f0779b45 100644 --- a/powershell/public/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.ps1 +++ b/powershell/public/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.ps1 
@@ -1,20 +1,20 @@ -<# -.SYNOPSIS - Checks if user consent to applications is disallowed. - -.DESCRIPTION - Users should not be allowed to consent to applications. - CIS Microsoft 365 Foundations Benchmark v5.0.0 - -.EXAMPLE - Test-MtCisEnsureUserConsentToAppsDisallowed - - Returns true if users are not allowed to consent to applications. - -.LINK - https://maester.dev/docs/commands/Test-MtCisEnsureUserConsentToAppsDisallowed -#> -function Test-MtCisEnsureUserConsentToAppsDisallowed { +function Test-MtCisEnsureUserConsentToAppsDisallowed { + <# + .SYNOPSIS + Checks if user consent to applications is disallowed. + + .DESCRIPTION + Users should not be allowed to consent to applications. + CIS Microsoft 365 Foundations Benchmark v6.0.1 + + .EXAMPLE + Test-MtCisEnsureUserConsentToAppsDisallowed + + Returns true if users are not allowed to consent to applications. + + .LINK + https://maester.dev/docs/commands/Test-MtCisEnsureUserConsentToAppsDisallowed + #> [CmdletBinding()] [OutputType([bool])] param() @@ -33,7 +33,8 @@ function Test-MtCisEnsureUserConsentToAppsDisallowed { if ($testResult) { $testResultMarkdown = "Well done. Your tenant settings comply with CIS recommendations.`n`n%TestResult%" - } else { + } + else { $testResultMarkdown = "Your tenant settings do not comply with CIS recommendations.`n`n%TestResult%" } @@ -42,7 +43,8 @@ function Test-MtCisEnsureUserConsentToAppsDisallowed { if ($testResult) { $checkResult = '✅ Pass' - } else { + } + else { $checkResult = '❌ Fail' } @@ -52,7 +54,8 @@ function Test-MtCisEnsureUserConsentToAppsDisallowed { Add-MtTestResultDetail -Result $testResultMarkdown return $testResult - } catch { + } + catch { Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ return $null } diff --git a/powershell/public/cis/Test-MtCisFormsPhishingProtectionEnabled.md b/powershell/public/cis/Test-MtCisFormsPhishingProtectionEnabled.md index 21ed747f8..8e74d43da 100644 
--- a/powershell/public/cis/Test-MtCisFormsPhishingProtectionEnabled.md +++ b/powershell/public/cis/Test-MtCisFormsPhishingProtectionEnabled.md 
@@ -1,20 +1,39 @@ 1.3.5 (L1) Ensure internal phishing protection for Forms is enabled -**Rationale:** +Microsoft Forms can be used for phishing attacks by asking personal or sensitive information and collecting the results. Microsoft 365 has built-in protection that will proactively scan for phishing attempt in forms such personal information request. + +#### Rationale + Enabling internal phishing protection for Microsoft Forms will prevent attackers using forms for phishing attacks by asking personal or other sensitive information and URLs. +#### Impact + +If potential phishing was detected, the form will be temporarily blocked and cannot be distributed, and response collection will not happen until it is unblocked by the administrator or keywords were removed by the creator. + #### Remediation action: -1. Navigate to Microsoft 365 admin center [https://admin.microsoft.com](https://admin.microsoft.com). +1. Navigate to [Microsoft 365 admin center](https://admin.microsoft.com). 2. Click to expand **Settings** select **Org settings**. 3. In **Services** select **Microsoft Forms** 4. Enable **Add internal phishing protection** under **Phishing protection** 5. Click Save. +##### PowerShell + +1. Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes "OrgSettings-AppsAndServices.ReadWrite.All"`. +2. 
Run the following Microsoft Graph PowerShell commands: +```powershell +$uri = 'https://graph.microsoft.com/beta/admin/forms/settings' +$body = @{ "isInOrgFormsPhishingScanEnabled" = $true } | ConvertTo-Json +Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body +``` + #### Related links -* [Microsoft 365 admin center | Settings | Org settings | Microsoft Forms](https://admin.cloud.microsoft/?#/Settings/Services/:/Settings/L1/OfficeForms) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 57](https://www.cisecurity.org/benchmark/microsoft_365) +* [Microsoft 365 admin center](https://admin.microsoft.com) +* [Administrator settings for Microsoft Forms](https://learn.microsoft.com/en-us/microsoft-forms/administrator-settings-microsoft-forms) +* [Review and unblock forms or users detected and blocked for potential phishing](https://learn.microsoft.com/en-us/microsoft-forms/review-unblock-forms-users-detected-blocked-potential-phishing) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 59](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisFormsPhishingProtectionEnabled.ps1 b/powershell/public/cis/Test-MtCisFormsPhishingProtectionEnabled.ps1 index bc6b16b63..9302238db 100644 --- a/powershell/public/cis/Test-MtCisFormsPhishingProtectionEnabled.ps1 +++ b/powershell/public/cis/Test-MtCisFormsPhishingProtectionEnabled.ps1 
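Review bot: The PowerShell remediation tells the reader to connect with `OrgSettings-AppsAndServices.ReadWrite.All`, but the request it then sends is a PATCH to `/beta/admin/forms/settings`; the companion test on this page gates on `OrgSettings-Forms.Read.All`, which suggests the write permission for this endpoint is `OrgSettings-Forms.ReadWrite.All` rather than the Apps-and-Services scope — worth verifying against the Graph "Update formsSettings" reference before publishing, since a wrong scope leaves an admin with an opaque 403. I would change step 1 to `Connect-MgGraph -Scopes "OrgSettings-Forms.ReadWrite.All"`. It is also worth stating in the text that this call uses the beta endpoint, which carries no stability guarantee.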
@@ -1,20 +1,20 @@ -<# -.SYNOPSIS - Checks if the internal phishing protection for Microsoft Forms is enabled. - -.DESCRIPTION - The internal phishing protection for Microsoft Forms should be enabled. - CIS Microsoft 365 Foundations Benchmark v5.0.0 - -.EXAMPLE - Test-MtCisFormsPhishingProtectionEnabled - - Returns true if the internal phishing protection for Microsoft Forms is enabled. - -.LINK - https://maester.dev/docs/commands/Test-MtCisFormsPhishingProtectionEnabled -#> -function Test-MtCisFormsPhishingProtectionEnabled { +function Test-MtCisFormsPhishingProtectionEnabled { + <# + .SYNOPSIS + Checks if the internal phishing protection for Microsoft Forms is enabled. + + .DESCRIPTION + The internal phishing protection for Microsoft Forms should be enabled. + CIS Microsoft 365 Foundations Benchmark v6.0.1 + + .EXAMPLE + Test-MtCisFormsPhishingProtectionEnabled + + Returns true if the internal phishing protection for Microsoft Forms is enabled. + + .LINK + https://maester.dev/docs/commands/Test-MtCisFormsPhishingProtectionEnabled + #> [CmdletBinding()] [OutputType([bool])] param() @@ -26,7 +26,7 @@ function Test-MtCisFormsPhishingProtectionEnabled { $scopes = (Get-MgContext).Scopes $permissionMissing = "OrgSettings-Forms.Read.All" -notin $scopes - if($permissionMissing){ + if ($permissionMissing) { Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason "Missing Scope OrgSettings-Forms.Read.All" return $null } @@ -42,7 +42,8 @@ function Test-MtCisFormsPhishingProtectionEnabled { if ($testResult) { $testResultMarkdown = "Well done. Your tenant settings comply with CIS recommendations.`n`n%TestResult%" - } else { + } + else { $testResultMarkdown = "Your tenant settings do not comply with CIS recommendations.`n`n%TestResult%" } 
@@ -51,7 +52,8 @@ function Test-MtCisFormsPhishingProtectionEnabled { if ($CheckIsInOrgFormsPhishingScanEnabled) { $CheckIsInOrgFormsPhishingScanEnabledResult = '✅ Pass' - } else { + } + else { $CheckIsInOrgFormsPhishingScanEnabledResult = '❌ Fail' } @@ -61,7 +63,8 @@ function Test-MtCisFormsPhishingProtectionEnabled { Add-MtTestResultDetail -Result $testResultMarkdown return $testResult - } catch { + } + catch { Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ return $null } diff --git a/powershell/public/cis/Test-MtCisGlobalAdminCount.md b/powershell/public/cis/Test-MtCisGlobalAdminCount.md index 82a0904e5..d7d6f7fe8 100644 --- a/powershell/public/cis/Test-MtCisGlobalAdminCount.md +++ b/powershell/public/cis/Test-MtCisGlobalAdminCount.md 
@@ -1,6 +1,15 @@ 1.1.3 (L1) Ensure that between two and four global admins are designated -More than one global administrator should be designated so a single admin can be monitored and to provide redundancy should a single admin leave an organization. Additionally, there should be no more than four global admins set for any tenant. Ideally global administrators will have no licenses assigned to them. +Between two and four global administrators should be designated in the tenant. Ideally, these accounts will not have licenses assigned to them which supports additional controls found in this benchmark. + +#### Rationale + +If there is only one global administrator, they could perform malicious activities without being detected by another admin. Designating multiple global administrators eliminates this risk and ensures redundancy if the sole remaining global administrator leaves the organization. However, to minimize the attack surface, there should be no more than four global admins set for any tenant. A large number of global admins increases the likelihood of a successful account breach by an external attacker. + +#### Impact + +The potential impact associated with ensuring compliance with this requirement is dependent upon the current number of global administrators configured in the tenant. If there is only one global administrator in a tenant, an additional global administrator will need to be identified and configured. If there are more than four global administrators, a review of role requirements for current global administrators will be required to identify which of the users require global administrator access. + #### Remediation action: 
@@ -25,7 +34,10 @@ To remove Global Admins: #### Related links * [Microsoft 365 Admin Center](https://admin.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 28](https://www.cisecurity.org/benchmark/microsoft_365) +* [Get-MgDirectoryRole](https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdirectoryrole?view=graph-powershell-1.0) +* [All roles](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#all-roles) +* [5. Limit the number of Global Administrators to less than 5](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 27](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisGlobalAdminCount.ps1 b/powershell/public/cis/Test-MtCisGlobalAdminCount.ps1 index 5493a783f..961340fd7 100644 --- a/powershell/public/cis/Test-MtCisGlobalAdminCount.ps1 +++ b/powershell/public/cis/Test-MtCisGlobalAdminCount.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION A minimum of two users and a maximum of four users SHALL be provisioned with the Global Administrator role. - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisGlobalAdminCount diff --git a/powershell/public/cis/Test-MtCisHostedConnectionFilterPolicy.md b/powershell/public/cis/Test-MtCisHostedConnectionFilterPolicy.md index fb179bda3..e791183ca 100644 --- a/powershell/public/cis/Test-MtCisHostedConnectionFilterPolicy.md +++ b/powershell/public/cis/Test-MtCisHostedConnectionFilterPolicy.md 
@@ -1,12 +1,20 @@ 2.1.12 (L1) Ensure the connection filter IP allow list is not used -**Rationale:** +In Microsoft 365 organizations with Exchange Online mailboxes or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, connection filtering and the default connection filter policy identify good or bad source email servers by IP addresses. The key components of the default connection filter policy are IP Allow List, IP Block List and Safe list. +The recommended state is **IP Allow List** empty or undefined. + +#### Rationale + Without additional verification like mail flow rules, email from sources in the IP Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC) checks. This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered. Messages that are determined to be malware or high confidence phishing are filtered. +#### Impact + +This is the default behavior. IP Allow lists may reduce false positives, however, this benefit is outweighed by the importance of a policy which scans all messages regardless of the origin. This supports the principle of zero trust. + #### Remediation action: To remove IPs from the allow list: -1. Navigate to Microsoft 365 Defender [https://security.microsoft.com](https://security.microsoft.com). +1. Navigate to [Microsoft 365 Defender](https://security.microsoft.com). 2. Click to expand **Email & collaboration** select **Policies & rules** > **Threat policies**. 3. Under policies select **Anti-spam**. 4. Click on the **Connection filter policy (Default)**. 
@@ -14,10 +22,21 @@ To remove IPs from the allow list: 6. Remove any IP entries from **Always allow messages from the following IP addresses or address range:**. 7. Click **Save**. +##### PowerShell + +1. Connect to Exchange Online using `Connect-ExchangeOnline`. +2. Run the following PowerShell command: +```powershell +Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{} +``` + #### Related links * [Microsoft 365 Defender](https://security.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 113](https://www.cisecurity.org/benchmark/microsoft_365) +* [Configure connection filtering in cloud organizations](https://learn.microsoft.com/en-us/defender-office-365/connection-filter-policies-configure) +* [Create sender allowlists for cloud mailboxes](https://learn.microsoft.com/en-us/defender-office-365/create-safe-sender-lists-in-office-365#use-the-ip-allow-list) +* [When user and organization settings conflict](https://learn.microsoft.com/en-us/defender-office-365/how-policies-and-protections-are-combined#user-and-tenant-settings-conflict) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 116](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisHostedConnectionFilterPolicy.ps1 b/powershell/public/cis/Test-MtCisHostedConnectionFilterPolicy.ps1 index d4877eb42..a9edeba77 100644 --- a/powershell/public/cis/Test-MtCisHostedConnectionFilterPolicy.ps1 +++ b/powershell/public/cis/Test-MtCisHostedConnectionFilterPolicy.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION The connection filter should not have allow listed IPs - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisHostedConnectionFilterPolicy diff --git a/powershell/public/cis/Test-MtCisInternalMalwareNotification.md b/powershell/public/cis/Test-MtCisInternalMalwareNotification.md index e673adbb0..5cc58b259 100644 
--- a/powershell/public/cis/Test-MtCisInternalMalwareNotification.md +++ b/powershell/public/cis/Test-MtCisInternalMalwareNotification.md @@ -1,8 +1,17 @@ 2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled -**Rationale:** +Exchange Online Protection (EOP) is Microsoft's cloud-based filtering service that protects organizations against spam, malware, and other email threats. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes. + +EOP uses flexible anti-malware policies for malware protection settings. These policies can be set to notify Admins of malicious activity. + +#### Rationale + This setting alerts administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. +#### Impact + +Notification of account with potential issues should not have an impact on the user + #### Remediation action: To enable notifications for internal users sending malware: 
@@ -14,10 +23,22 @@ To enable notifications for internal users sending malware: 6. Click on **Edit protection settings** and change the settings for **Notify an admin about undelivered messages from internal senders** to **On** and enter the email address of the administrator who should be notified under **Administrator email address**. 7. Click Save. +##### PowerShell + +1. Connect to Exchange Online using `Connect-ExchangeOnline`. +2. Run the following command: +```powershell +Set-MalwareFilterPolicy -Identity '{Identity Name}' -EnableInternalSenderAdminNotifications $True -InternalSenderAdminAddress {admin@domain1.com} +``` + +>Note: Audit and Remediation guidance may focus on the Default policy however, if a Custom Policy exists in the organization's tenant, then ensure the setting is set as outlined in the highest priority policy listed. + #### Related links * [Microsoft 365 Defender](https://security.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 77](https://www.cisecurity.org/benchmark/microsoft_365) +* [Anti-malware protection for cloud mailboxes](https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-about) +* [Configure anti-malware policies for cloud mailboxes](https://learn.microsoft.com/en-us/defender-office-365/anti-malware-policies-configure) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 81](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisInternalMalwareNotification.ps1 b/powershell/public/cis/Test-MtCisInternalMalwareNotification.ps1 index e61f760c8..63e298bbf 100644 --- a/powershell/public/cis/Test-MtCisInternalMalwareNotification.ps1 +++ b/powershell/public/cis/Test-MtCisInternalMalwareNotification.ps1 
@@ -5,7 +5,7 @@ .DESCRIPTION Notifications for internal users sending malware should be enabled, and an administrator email set - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisInternalMalwareNotification diff --git a/powershell/public/cis/Test-MtCisOutboundSpamFilterPolicy.md b/powershell/public/cis/Test-MtCisOutboundSpamFilterPolicy.md index ee071c29d..cbc243aff 100644 --- a/powershell/public/cis/Test-MtCisOutboundSpamFilterPolicy.md +++ b/powershell/public/cis/Test-MtCisOutboundSpamFilterPolicy.md @@ -1,6 +1,14 @@ 2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators -Description: Configure Exchange Online Spam Policies to copy emails and notify someone when a sender in the organization has been blocked for sending spam emails. +In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP. Configure Exchange Online Spam Policies to copy emails and notify someone when a sender in the organization has been blocked for sending spam emails. + +#### Rationale + +A blocked account is a good indication that the account in question has been breached, and an attacker is using it to send spam emails to other people. + +#### Impact + +Notification of users that have been blocked should not cause an impact to the user. #### Remediation action: 
@@ -15,10 +23,23 @@ To set the Exchange Online Spam Policies: 7. Check **Notify these users and groups if a sender is blocked due to sending outbound spam** then enter the desired email addresses. 8. Click **Save**. +##### PowerShell + +1. Connect to Exchange Online using `Connect-ExchangeOnline`. +2. Run the following PowerShell command: +```powershell +$BccEmailAddress = @("") +$NotifyEmailAddress = @("") +Set-HostedOutboundSpamFilterPolicy -Identity Default -BccSuspiciousOutboundAdditionalRecipients $BccEmailAddress -BccSuspiciousOutboundMail $true -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients $NotifyEmailAddress +``` + +>Note: Audit and Remediation guidance may focus on the Default policy however, if a Custom Policy exists in the organization's tenant, then ensure the setting is set as outlined in the highest priority policy listed. + #### Related links * [Microsoft 365 Defender](https://security.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 86](https://www.cisecurity.org/benchmark/microsoft_365) +* [Outbound spam protection for cloud mailboxes](https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-protection-about) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 91](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisOutboundSpamFilterPolicy.ps1 b/powershell/public/cis/Test-MtCisOutboundSpamFilterPolicy.ps1 index 1fa60c1d8..2cd9c07ad 100644 --- a/powershell/public/cis/Test-MtCisOutboundSpamFilterPolicy.ps1 +++ b/powershell/public/cis/Test-MtCisOutboundSpamFilterPolicy.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION Ensure Exchange Online Spam Policies are set to notify administrators - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisOutboundSpamFilterPolicy 
diff --git a/powershell/public/cis/Test-MtCisPasswordExpiry.md b/powershell/public/cis/Test-MtCisPasswordExpiry.md index 7a42ad4f6..c57148b15 100644 --- a/powershell/public/cis/Test-MtCisPasswordExpiry.md +++ b/powershell/public/cis/Test-MtCisPasswordExpiry.md 
@@ -1,20 +1,43 @@ 1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)' -Organizations such as NIST and Microsoft have updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised, or the user forgot it. +Microsoft cloud-only accounts have a pre-defined password policy that cannot be changed. The only items that can change are the number of days until a password expires and whether or not passwords expire at all. + +#### Rationale + +Organizations such as NIST and Microsoft have updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised, or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually make the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), which makes password expiration even less useful as well as password protection for Entra ID. + +#### Impact + +When setting passwords not to expire it is important to have other controls in place to supplement this setting. See below for related recommendations and user guidance. +* Ban common passwords. +* Educate users to not reuse organization passwords anywhere else. +* Enforce Multi-Factor Authentication registration for all users. + #### Remediation action: To set Office 365 passwords are set to never expire: -1. Navigate to Microsoft 365 admin center [https://admin.microsoft.com](https://admin.microsoft.com). +1. Navigate to [Microsoft 365 admin center](https://admin.microsoft.com). 2. Click to expand **Settings** select **Org Settings**. 3. Click on **Security & privacy**. 4. 
Check the **Set passwords to never expire (recommended)** box. 5. Click **Save**. +##### PowerShell + +1. Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes "Domain.ReadWrite.All"`. +2. Run the following Microsoft Graph PowerShell command: +```powershell +Update-MgDomain -DomainId -PasswordValidityPeriodInDays 2147483647 +``` + #### Related links * [Microsoft 365 Admin Center](https://admin.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 43](https://www.cisecurity.org/benchmark/microsoft_365) +* [NIST Special Publication 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html) +* [CIS Password Policy Guide](https://www.cisecurity.org/insights/white-papers/cis-password-policy-guide) +* [Password policy recommendations for Microsoft 365 passwords](https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 43](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisPasswordExpiry.ps1 b/powershell/public/cis/Test-MtCisPasswordExpiry.ps1 index e9f891222..8af471fb4 100644 --- a/powershell/public/cis/Test-MtCisPasswordExpiry.ps1 +++ b/powershell/public/cis/Test-MtCisPasswordExpiry.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION Passwords should not be set to expire - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisPasswordExpiry diff --git a/powershell/public/cis/Test-MtCisSafeAntiPhishingPolicy.md b/powershell/public/cis/Test-MtCisSafeAntiPhishingPolicy.md index f245326b6..4a1a8592a 100644 --- a/powershell/public/cis/Test-MtCisSafeAntiPhishingPolicy.md +++ b/powershell/public/cis/Test-MtCisSafeAntiPhishingPolicy.md 
@@ -1,22 +1,83 @@ 2.1.7 (L1) Ensure that an anti-phishing policy has been created -Description: Set up anti-phishing polices to increase this protection, for example by refining -settings to better detect and prevent impersonation and spoofing attacks. +By default, Office 365 includes built-in features that help protect users from phishing attacks. Set up anti-phishing polices to increase this protection, for example by refining settings to better detect and prevent impersonation and spoofing attacks. The default policy applies to all users within the organization and is a single view to fine-tune antiphishing protection. Custom policies can be created and configured for specific users, groups or domains within the organization and will take precedence over the default policy for the scoped users. + +#### Rationale + +Protects users from phishing attacks (like impersonation and spoofing) and uses safety tips to warn users about potentially harmful messages. + +#### Impact + +Mailboxes that are used for support systems such as helpdesk and billing systems send mail to internal users and are often not suitable candidates for impersonation protection. Care should be taken to ensure that these systems are excluded from Impersonation Protection. #### Remediation action: -To enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams: +1. Navigate to [Microsoft 365 Defender](https://security.microsoft.com) +2. Click to expand **Email & collaboration** select **Policies & rules** +3. Select **Threat policies**. +4. Under Policies select **Anti-phishing** and click **Create**. +5. Name the policy, continuing and clicking **Next** as needed: +* Add **Groups** and/or **Domains** that contain a majority of the organization. +* Set **Phishing email threshold** to **3 - More Aggressive** +* Check **Enable users to protect** and add up to 350 users. +* Check **Enable domains to protect** and check **Include domains I own**. 
+* Check **Enable mailbox intelligence (Recommended)**. +* Check **Enable Intelligence for impersonation protection (Recommended)**. +* Check **Enable spoof intelligence (Recommended)**. +1. Under Actions configure the following: +* Set **If a message is detected as user impersonation to Quarantine the message**. +* Set **If a message is detected as domain impersonation to Quarantine the message**. +* Set **If Mailbox Intelligence detects an impersonated user to Quarantine the message**. +* Leave **Honor DMARC record policy when the message is detected as spoof** checked. +* Check **Show first contact safety tip (Recommended)**. +* Check **Show user impersonation safety tip**. +* Check **Show domain impersonation safety tip**. +* Check **Show user impersonation unusual characters safety tip**. +1. Finally click **Next** and **Submit** the policy. + +>Note: DefaultFullAccessWithNotificationPolicy is suggested but not required. Users will be notified that impersonation emails are in the Quarantine + +##### PowerShell + +1. Connect to Exchange Online service using `Connect-ExchangeOnline`. +2. 
Run the following Exchange Online PowerShell script to create an AntiPhish policy: +```powershell +# Create the Policy +$params = @{ + Name = "CIS AntiPhish Policy" + PhishThresholdLevel = 3 + EnableTargetedUserProtection = $true + EnableOrganizationDomainsProtection = $true + EnableMailboxIntelligence = $true + EnableMailboxIntelligenceProtection = $true + EnableSpoofIntelligence = $true + TargetedUserProtectionAction = 'Quarantine' + TargetedDomainProtectionAction = 'Quarantine' + MailboxIntelligenceProtectionAction = 'Quarantine' + TargetedUserQuarantineTag = 'DefaultFullAccessWithNotificationPolicy' + MailboxIntelligenceQuarantineTag = 'DefaultFullAccessWithNotificationPolicy' + TargetedDomainQuarantineTag = 'DefaultFullAccessWithNotificationPolicy' + EnableFirstContactSafetyTips = $true + EnableSimilarUsersSafetyTips = $true + EnableSimilarDomainsSafetyTips = $true + EnableUnusualCharactersSafetyTips = $true + HonorDmarcPolicy = $true +} +New-AntiPhishPolicy @params +# Create the rule for all users in all valid domains and associate with Policy +New-AntiPhishRule -Name $params.Name -AntiPhishPolicy $params.Name -RecipientDomainIs (Get-AcceptedDomain).Name -Priority 0 +``` +3. The new policy can be edited in the UI or via PowerShell. + +>Note: Remediation guidance is intended to help create a qualifying AntiPhish policy that meets the recommended criteria while protecting the majority of the organization. It's understood some individual user exceptions may exist or exceptions for the entire policy if another product acts as a similar control. -1. Navigate to Microsoft 365 Defender [https://security.microsoft.com](https://security.microsoft.com) -2. Under **Email & collaboration** select **Policies & rules** -3. Select **Threat policies** then **Anti-Phishing** -4. Select the **Office365 AntiPhish Default (Default)** policy and click **Edit protection settings** -5. Set the **Phishing email threshold** to at least **2 - Aggressive**. 
#### Related links * [Microsoft 365 Defender](https://security.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 91](https://www.cisecurity.org/benchmark/microsoft_365) +* [Anti-phishing protection in cloud organizations](https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-about) +* [Configure anti-phishing policies for all cloud mailboxes](https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-eop-configure) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 94](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisSafeAntiPhishingPolicy.ps1 b/powershell/public/cis/Test-MtCisSafeAntiPhishingPolicy.ps1 index dd102845f..a73d9334c 100644 --- a/powershell/public/cis/Test-MtCisSafeAntiPhishingPolicy.ps1 +++ b/powershell/public/cis/Test-MtCisSafeAntiPhishingPolicy.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION The anti-phishing policy should be enabled, and the settings for PhishThresholdLevel, EnableMailboxIntelligenceProtection, EnableMailboxIntelligence, EnableSpoofIntelligence controls match CIS recommendations - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisSafeAntiPhishingPolicy diff --git a/powershell/public/cis/Test-MtCisSafeAttachment.md b/powershell/public/cis/Test-MtCisSafeAttachment.md index 4fdbe69e2..8fa3efa91 100644 --- a/powershell/public/cis/Test-MtCisSafeAttachment.md +++ b/powershell/public/cis/Test-MtCisSafeAttachment.md 
@@ -1,12 +1,19 @@ 2.1.4 (L2) Ensure Safe Attachments policy is enabled -**Rationale:** +The Safe Attachments policy helps protect users from malware in email attachments by scanning attachments for viruses, malware, and other malicious content. When an email attachment is received by a user, Safe Attachments will scan the attachment in a secure environment and provide a verdict on whether the attachment is safe or not. + +#### Rationale + Enabling Safe Attachments policy helps protect against malware threats in email attachments by analyzing suspicious attachments in a secure, cloud-based environment before they are delivered to the user's inbox. This provides an additional layer of security and can prevent new or unseen types of malware from infiltrating the organization's network. +#### Impact + +Delivery of email with attachments may be delayed while scanning is occurring + #### Remediation action: To enable the Safe Attachments policy: -1. Navigate to Microsoft 365 Defender [https://security.microsoft.com](https://security.microsoft.com). +1. Navigate to [Microsoft 365 Defender](https://security.microsoft.com). 2. Click to expand **E-mail & Collaboration** select **Policies & rules**. 3. On the Policies & rules page select **Threat policies**. 4. Under **Policies** select **Safe Attachments**. 
@@ -18,10 +25,28 @@ To enable the Safe Attachments policy: 10. Leave **Enable redirect** unchecked. 11. Click **Next** and finally **Submit**. +##### PowerShell + +1. Connect to Exchange Online using `Connect-ExchangeOnline`. +2. To change an existing policy modify the example below and run the following PowerShell command: +```powershell +Set-SafeAttachmentPolicy -Identity 'Example policy' -Action 'Block' -QuarantineTag 'AdminOnlyAccessPolicy' -Enable $true +``` +3. Or, edit and run the below example to create a new safe attachments policy. +```powershell +New-SafeAttachmentPolicy -Name "CIS 2.1.4" -Enable $true -Action 'Block' -QuarantineTag 'AdminOnlyAccessPolicy' + +New-SafeAttachmentRule -Name "CIS 2.1.4 Rule" -SafeAttachmentPolicy "CIS 2.1.4" -RecipientDomainIs 'exampledomain[.]com' +``` + +>Note: Policy targets such as users and domains should include domains, or groups that provide coverage for a majority of users in the organization. Different inclusion and exclusion use cases are not covered in the benchmark. + #### Related links * [Microsoft 365 Defender](https://security.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 80](https://www.cisecurity.org/benchmark/microsoft_365) +* [Safe Attachments in Microsoft Defender for Office 365](https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about) +* [Set up Safe Attachments policies in Microsoft Defender for Office 365](https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-policies-configure) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 84](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisSafeAttachment.ps1 b/powershell/public/cis/Test-MtCisSafeAttachment.ps1 index e5b59f601..b8932cbbb 100644 --- a/powershell/public/cis/Test-MtCisSafeAttachment.ps1 +++ b/powershell/public/cis/Test-MtCisSafeAttachment.ps1 
@@ -5,7 +5,7 @@ .DESCRIPTION The Safe Attachments policy is enabled - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisSafeAttachment diff --git a/powershell/public/cis/Test-MtCisSafeAttachmentsAtpPolicy.md b/powershell/public/cis/Test-MtCisSafeAttachmentsAtpPolicy.md index f025c3672..1c443450c 100644 --- a/powershell/public/cis/Test-MtCisSafeAttachmentsAtpPolicy.md +++ b/powershell/public/cis/Test-MtCisSafeAttachmentsAtpPolicy.md @@ -1,6 +1,15 @@ 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled -Description: Safe Attachments for SharePoint, OneDrive, and Microsoft Teams scans these services for malicious files. +Safe Attachments for SharePoint, OneDrive, and Microsoft Teams scans these services for malicious files. + +#### Rationale + +Safe Attachments for SharePoint, OneDrive, and Microsoft Teams protect organizations from inadvertently sharing malicious files. When a malicious file is detected that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. + +#### Impact + +Impact associated with Safe Attachments is minimal, and equivalent to impact associated with anti-virus scanners in an environment. + #### Remediation action: 
@@ -15,10 +24,19 @@ To enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams: 7. Click to **Disable Allow people to click through Protected View even if Safe Documents identified the file as malicious** 8. Click **Save**. +##### PowerShell + +1. Connect to Exchange Online using `Connect-ExchangeOnline`. +2. Run the following PowerShell command: +```powershell +Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true -EnableSafeDocs $true -AllowSafeDocsOpen $false +``` + #### Related links * [Microsoft 365 Defender](https://security.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 83](https://www.cisecurity.org/benchmark/microsoft_365) +* [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-for-spo-odfb-teams-about) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 88](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisSafeAttachmentsAtpPolicy.ps1 b/powershell/public/cis/Test-MtCisSafeAttachmentsAtpPolicy.ps1 index 33b5bf243..9d5d9da4f 100644 --- a/powershell/public/cis/Test-MtCisSafeAttachmentsAtpPolicy.ps1 +++ b/powershell/public/cis/Test-MtCisSafeAttachmentsAtpPolicy.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION Safe Attachments for SharePoint, OneDrive, and Microsoft Teams should be enabled - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisSafeAttachmentsAtpPolicy diff --git a/powershell/public/cis/Test-MtCisSafeLink.md b/powershell/public/cis/Test-MtCisSafeLink.md index d1e01612e..ebde47c3c 100644 --- a/powershell/public/cis/Test-MtCisSafeLink.md +++ b/powershell/public/cis/Test-MtCisSafeLink.md 
@@ -1,7 +1,17 @@ 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled +Enabling Safe Links policy for Office applications allows URL's that exist inside of Office documents and email applications opened by Office, Office Online and Office mobile to be processed against Defender for Office time-of-click verification and rewritten if required. + +>Note: E5 Licensing includes a number of Built-in Protection policies. When auditing policies note which policy you are viewing, and keep in mind CIS recommendations often extend the Default or Built-in Policies provided by MS. In order to Pass the highest priority policy must match all settings recommended. + +#### Rationale + Safe Links for Office applications extends phishing protection to documents and emails that contain hyperlinks, even after they have been delivered to a user. +#### Impact + +User impact associated with this change is minor - users may experience a very short delay when clicking on URLs in Office documents before being directed to the requested site. Users should be informed of the change as, in the event a link is unsafe and blocked, they will receive a message that it has been blocked. + #### Remediation action: To create a Safe Links policy: @@ -11,7 +21,7 @@ To create a Safe Links policy: 3. Select **Threat policies** then **Safe Links** 4. Click on **+Create** 5. Name the policy then click **Next** -6. In Domains select all valid domains for the organization and Next +6. In **Domains** select all valid domains for the organization and **Next** 7. Ensure the following **URL & click protection settings** are defined: **Email** 
@@ -31,12 +41,42 @@ To create a Safe Links policy: * Checked: **Track user clicks** * Unchecked: **Let users click through the original URL** * There is no recommendation for organization branding -8. Click **Next** twice and finally Submit. +8. Click **Next** twice and finally **Submit**. + + +##### PowerShell + +1. Connect using `Connect-ExchangeOnline`. +2. Run the following PowerShell script to create a policy at highest priority that will apply to all valid domains on the tenant: + +```powershell +# Create the Policy +$params = @{ + Name = "CIS SafeLinks Policy" + EnableSafeLinksForEmail = $true + EnableSafeLinksForTeams = $true + EnableSafeLinksForOffice = $true + TrackClicks = $true + AllowClickThrough = $false + ScanUrls = $true + EnableForInternalSenders = $true + DeliverMessageAfterScan = $true + DisableUrlRewrite = $false + +} +New-SafeLinksPolicy @params +# Create the rule for all users in all valid domains and associate with Policy +New-SafeLinksRule -Name "CIS SafeLinks" -SafeLinksPolicy "CIS SafeLinks Policy" -RecipientDomainIs (Get-AcceptedDomain).Name -Priority 0 + +``` #### Related links * [Microsoft 365 Admin Center](https://admin.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 70](https://www.cisecurity.org/benchmark/microsoft_365) +* [Set-SafeLinksPolicy](https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/set-safelinkspolicy?view=exchange-ps) +* [Set up Safe Links policies in Microsoft Defender for Office 365](https://learn.microsoft.com/en-us/defender-office-365/safe-links-policies-configure?view=o365-worldwide) +* [Preset security policies in cloud organizations](https://learn.microsoft.com/en-us/defender-office-365/preset-security-policies?view=o365-worldwide) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 73](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file 
diff --git a/powershell/public/cis/Test-MtCisSafeLink.ps1 b/powershell/public/cis/Test-MtCisSafeLink.ps1 index b4376ac69..ffee1aa97 100644 --- a/powershell/public/cis/Test-MtCisSafeLink.ps1 +++ b/powershell/public/cis/Test-MtCisSafeLink.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION Safe links should be enabled for office applications (Exchange Teams Office 365 Apps) - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisSafeLink diff --git a/powershell/public/cis/Test-MtCisSharedMailboxSignIn.md b/powershell/public/cis/Test-MtCisSharedMailboxSignIn.md index b93db9c87..589b0f746 100644 --- a/powershell/public/cis/Test-MtCisSharedMailboxSignIn.md +++ b/powershell/public/cis/Test-MtCisSharedMailboxSignIn.md 
@@ -1,6 +1,11 @@ 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked -The intent of the shared mailbox is the only allow delegated access from other mailboxes. An admin could reset the password, or an attacker could potentially gain access to the shared mailbox allowing the direct sign-in to the shared mailbox and subsequently the sending of email from a sender that does not have a unique identity. To prevent this, block sign-in for the account that is associated with the shared mailbox. +Shared mailboxes are used when multiple people need access to the same mailbox, such as a company information or support email address, reception desk, or other function that might be shared by multiple people. Users with permissions to the group mailbox can send as or send on behalf of the mailbox email address if the administrator has given that user permissions to do that. This is particularly useful for help and support mailboxes because users can send +emails from "Contoso Support" or "Building A Reception Desk." Shared mailboxes are created with a corresponding user account using a system generated password that is unknown at the time of creation. The recommended state is **Sign in blocked** for **Shared mailboxes**. + +#### Rationale + +The intent of the shared mailbox is the only allow delegated access from other mailboxes. An admin could reset the password, or an attacker could potentially gain access to the shared mailbox allowing the direct sign-in to the shared mailbox and subsequently the sending of email from a sender that does not have a unique identity. To prevent this, block sign-in for the account that is associated with the shared mailbox #### Remediation action: 
@@ -10,13 +15,31 @@ Block sign-in to shared mailboxes in the UI: 3. Take note of all shared mailboxes. 4. Click to expand **Users** and select **Active users**. 5. Select a shared mailbox account to open its properties pane and then select **Block sign-in**. -6. Check the box for Block this user from signing in. +6. Check the box for **Block this user from signing in.** 7. Repeat for any additional shared mailboxes. +##### PowerShell + +1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes "User.ReadWrite.All"` +2. Connect to Exchange Online using `Connect-ExchangeOnline`. +3. To disable sign-in for a single account: +```powershell +$MBX = Get-EXOMailbox -Identity TestUser@example.com +Update-MgUser -UserId $MBX.ExternalDirectoryObjectId -AccountEnabled:$false +``` +3. The following will block sign-in to all Shared Mailboxes. +```powershell +$MBX = Get-EXOMailbox -RecipientTypeDetails SharedMailbox +$MBX | ForEach-Object { Update-MgUser -UserId $_.ExternalDirectoryObjectId -AccountEnabled:$false } +``` + #### Related links * [Microsoft 365 Admin Center](https://admin.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 39](https://www.cisecurity.org/benchmark/microsoft_365) +* [About shared mailboxes in Microsoft 365](https://learn.microsoft.com/en-us/microsoft-365/admin/email/about-shared-mailboxes?view=o365-worldwide) +* [Create a shared mailbox](https://learn.microsoft.com/en-us/microsoft-365/admin/email/create-a-shared-mailbox?view=o365-worldwide#block-sign-in-for-the-shared-mailbox-account) +* [Block Microsoft 365 user accounts with PowerShell](https://learn.microsoft.com/en-us/microsoft-365/enterprise/block-user-accounts-with-microsoft-365-powershell?view=o365-worldwide#block-individual-user-accounts) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 39](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% 
diff --git a/powershell/public/cis/Test-MtCisSharedMailboxSignIn.ps1 b/powershell/public/cis/Test-MtCisSharedMailboxSignIn.ps1 index f9cbf0354..0d03b27a7 100644 --- a/powershell/public/cis/Test-MtCisSharedMailboxSignIn.ps1 +++ b/powershell/public/cis/Test-MtCisSharedMailboxSignIn.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION Ensure Sign ins are blocked for shared mailboxes. - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisSharedMailboxSignIn @@ -32,7 +32,8 @@ try { Write-Verbose 'Getting all shared mailboxes' $sharedMailboxes = Get-MtExo -Request EXOSharedMailbox -ErrorAction Stop - } catch { + } + catch { Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ return $null } @@ -44,7 +45,7 @@ try { Write-Verbose 'For each mailbox get mailbox and AccountEnabled status' - $mgUsers = Invoke-MtGraphRequest -RelativeUri "users" -UniqueId @($sharedMailboxes.ExternalDirectoryObjectId) -Select id,displayName,userPrincipalName,accountEnabled + $mgUsers = Invoke-MtGraphRequest -RelativeUri "users" -UniqueId @($sharedMailboxes.ExternalDirectoryObjectId) -Select id, displayName, userPrincipalName, accountEnabled $mailboxDetails = foreach ($mgUser in $mgUsers) { $mgUser | Select-Object DisplayName, UserPrincipalName, AccountEnabled } @@ -56,7 +57,8 @@ $testResult = if ($resultCount -eq 0) { $true } else { $false } if ($testResult) { $testResultMarkdown = "Well done. Your tenant has no shared mailboxes with sign-in enabled:`n`n%TestResult%" - } else { + } + else { $testResultMarkdown = "Your tenant has $(($result | Measure-Object).Count) shared mailboxes with sign-in enabled:`n`n%TestResult%" } @@ -73,7 +75,8 @@ Add-MtTestResultDetail -Result $testResultMarkdown return $testResult - } catch { + } + catch { Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ return $null } 
diff --git a/powershell/public/cis/Test-MtCisTeamsLobbyBypass.md b/powershell/public/cis/Test-MtCisTeamsLobbyBypass.md index b91cad040..5e932cc21 100644 --- a/powershell/public/cis/Test-MtCisTeamsLobbyBypass.md +++ b/powershell/public/cis/Test-MtCisTeamsLobbyBypass.md 
@@ -1,36 +1,42 @@ 8.5.3 (L1) Ensure only people in my org can bypass the lobby -This test checks if the Global (Org-wide default) meeting policy is configured to only bypass the lobby for 'Peoply in my org'. - This policy setting controls who can join a meeting directly and who must wait in the lobby until they're admitted by an organizer, co-organizer, or presenter of the meeting. -Rationale:\ +The recommended state is **People who were invited** or more restrictive. + +#### Rationale + For meetings that could contain sensitive information, it is best to allow the meeting organizer to vet anyone not directly sent an invite before admitting them to the meeting. This will also prevent the anonymous user from using the meeting link to have meetings at unscheduled times. +#### Impact + +Individuals who are not part of the organization will have to wait in the lobby until they're admitted by an organizer, co-organizer, or presenter of the meeting. + +Any individual who dials into the meeting regardless of status will also have to wait in the lobby. This includes internal users who are considered unauthenticated when dialing in. + #### Remediation action: -To change who can bypass the lobby using the UI: -1. Navigate to [Microsoft Teams admin center](https://admin.teams.microsoft.com). -2. Click to expand **Meetings** select **Meeting policies**. -3. Click **Global (Org-wide default)**. -4. Seach for **Meeting join & lobby**. -5. Set **Who can bypass the lobby** to **People in my org**. -6. Click **Save**. - -To change who can bypass the lobby using PowerShell: -1. Connect to Teams using **Connect-MicrosoftTeams**. -2. Run following PowerShell Command: -``` -Set-CsTeamsMeetingPolicy -Identity Global -AutoAdmittedUsers "EveryoneInCompanyExcludingGuests" +1. Navigate to [Microsoft Teams Admin Center](https://admin.teams.microsoft.com). +2. Select **Settings & policies** > **Global (Org-wide default) settings**. +3. 
Select **Meetings** to open the **meeting settings** section. +4. Under meeting join & lobby set **Who can bypass the lobby** to **People who were invited** or a more restrictive value: **People in my org, Only organizers and co-organizers**. + +##### PowerShell + +1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`. +2. Run the following command to set the recommended state: +```powershell +Set-CsTeamsMeetingPolicy -Identity Global -AutoAdmittedUsers "InvitedUsers" ``` +>Note: More restrictive values EveryoneInCompanyExcludingGuests or OrganizerOnly are also in compliance. + #### Related links -* [Microsoft 365 Admin Center](https://admin.microsoft.com) * [Microsoft Teams Admin Center](https://admin.teams.microsoft.com). * [Overview of lobby settings and policies](https://learn.microsoft.com/en-us/microsoftteams/who-can-bypass-meeting-lobby#overview-of-lobby-settings-and-policies) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 400](https://www.cisecurity.org/benchmark/microsoft_365) -* [CISA MS.TEAMS.1.4v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/teams.md#msteams14v1) +* [Set-CsTeamsMeetingPolicy](https://learn.microsoft.com/en-us/powershell/module/microsoftteams/set-csteamsmeetingpolicy?view=teams-ps&viewFallbackFrom=skype-ps) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 434](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisTeamsLobbyBypass.ps1 b/powershell/public/cis/Test-MtCisTeamsLobbyBypass.ps1 index c045e8084..3c8a968f3 100644 --- a/powershell/public/cis/Test-MtCisTeamsLobbyBypass.ps1 +++ b/powershell/public/cis/Test-MtCisTeamsLobbyBypass.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION Only people in my org can bypass the lobby - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisTeamsLobbyBypass 
@@ -27,8 +27,8 @@
 Write-Verbose 'Test-MtCisTeamsLobbyBypass: Testing if only people in my org can bypass the lobby'
 try {
 $TeamsMeetingPolicy = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -ExpandProperty AutoAdmittedUsers
- if ($TeamsMeetingPolicy -eq 'EveryoneInCompanyExcludingGuests') {
- Add-MtTestResultDetail -Result 'Well done. Only people in your org (excluding guests) can bypass the lobby.'
+ if ($TeamsMeetingPolicy -eq 'InvitedUsers' -or $TeamsMeetingPolicy -eq 'EveryoneInCompanyExcludingGuests' -or $TeamsMeetingPolicy -eq 'OrganizerOnly') {
+ Add-MtTestResultDetail -Result 'Well done. Only people in your org can bypass the lobby.'
 return $true
 } else {
 Add-MtTestResultDetail -Result "Following people can bypass your lobby: '$($TeamsMeetingPolicy)'."
diff --git a/powershell/public/cis/Test-MtCisTeamsReportSecurityConcerns.md b/powershell/public/cis/Test-MtCisTeamsReportSecurityConcerns.md
index 964072153..bdba287fd 100644
--- a/powershell/public/cis/Test-MtCisTeamsReportSecurityConcerns.md
+++ b/powershell/public/cis/Test-MtCisTeamsReportSecurityConcerns.md
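Review bot: The pass message on the added `Add-MtTestResultDetail` line reports 'Only people in your org can bypass the lobby', but the widened condition also passes for `InvitedUsers` (invited external/anonymous attendees bypass too) and `OrganizerOnly`, so the result text misstates the tenant's actual lobby posture; the `Write-Verbose` context line and the `.DESCRIPTION` text updated earlier in this commit still say "only people in my org" as well. Suggest replacing the three chained `-eq` checks with a list and echoing the real value in the result: `$compliant = @('InvitedUsers', 'EveryoneInCompanyExcludingGuests', 'OrganizerOnly')`, `if ($TeamsMeetingPolicy -in $compliant) {`, `Add-MtTestResultDetail -Result "Well done. Lobby bypass is restricted to '$TeamsMeetingPolicy' (invited users or more restrictive)."`. A missing or `$null` `AutoAdmittedUsers` value still falls through to the fail branch with either form, which is the safe default. The enclosing `try` block continues past the end of this hunk.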
@@ -1,42 +1,49 @@ 8.6.1 (L1) Ensure users can report security concerns in Teams -User reporting settings allow a user to report a message as malicious for further analysis. This recommendation is composed of 3 different settings and all be configured to pass: -* In the Teams admin center: On by default and controls whether users are able to report messages from Teams. When this setting is turned off, users can't report messages within Teams, so the corresponding setting in the Microsoft 365 Defender portal is irrelevant. -* In the Microsoft 365 Defender portal: On by default for new tenants. Existing tenants need to enable it. If user reporting of messages is turned on in the Teams admin center, it also needs to be turned on the Defender portal for user reported messages to show up correctly on the User reported tab on the Submissions page. -* Defender - Report message destinations: This applies to more than just Microsoft Teams and allows for an organization to keep their reports contained. Due to how the parameters are configured on the backend it is included in this assessment as a requirement. +User reporting settings allow a user to report a message as malicious for further analysis. This recommendation is composed of 3 different settings and all be configured to pass: +* **In the Teams admin center:** On by default and controls whether users are able to report messages from Teams. When this setting is turned off, users can't report messages within Teams, so the corresponding setting in the Microsoft 365 Defender portal is irrelevant. +* **In the Microsoft 365 Defender portal:** On by default for new tenants. Existing tenants need to enable it. If user reporting of messages is turned on in the Teams admin center, it also needs to be turned on the Defender portal for user reported messages to show up correctly on the User reported tab on the Submissions page. 
+* **Defender - Report message destinations:** This applies to more than just Microsoft Teams and allows for an organization to keep their reports contained. Due to how the parameters are configured on the backend it is included in this assessment as a requirement. + +#### Rationale -Rationale:\ Users will be able to more quickly and systematically alert administrators of suspicious malicious messages within Teams. The content of these messages may be sensitive in nature and therefore should be kept within the organization and not shared with Microsoft without first consulting company policy. -Note:\ -- The reported message remains visible to the user in the Teams client. -- Users can report the same message multiple times. -- The message sender isn't notified that messages were reported. +>Note +>* The reported message remains visible to the user in the Teams client. +>* Users can report the same message multiple times. +>* The message sender isn't notified that messages were reported. + +#### Impact +Enabling message reporting has an impact beyond just addressing security concerns. When users of the platform report a message, the content could include messages that are threatening or harassing in nature, possibly stemming from colleagues. +Due to this the security staff responsible for reviewing and acting on these reports should be equipped with the skills to discern and appropriately direct such messages to the relevant departments, such as Human Resources (HR). #### Remediation action: -To change report security concerns settings using the UI: -1. Navigate to [Microsoft Teams admin center](https://admin.teams.microsoft.com). -2. Click to expand **Messaging** select **Messaging policies**. -3. Click **Global (Org-wide default)**. +1. Navigate to [Microsoft Teams Admin Center](https://admin.teams.microsoft.com). +2. Select **Settings & policies** > **Global (Org-wide default) settings**. +3. Select **Messaging** to open the **messaging settings** section. 4. 
Set **Report a security concern** to **On**. -5. Next, navigate to [Microsoft 365 Defender](https://security.microsoft.com/) +5. Next, navigate to [Microsoft 365 Defender](https://security.microsoft.com). 6. Click on **Settings** > **Email & collaboration** > **User reported settings**. 7. Scroll to **Microsoft Teams**. 8. Check **Monitor reported messages in Microsoft Teams** and **Save**. 9. Set **Send reported messages to:** to **My reporting mailbox only** with reports configured to be sent to authorized staff. -To change who can bypass the lobby using PowerShell: -1. Connect to Teams using **Connect-MicrosoftTeams**. -2. Connecto to ExchangeOnline using **Connect-ExchangeOnline**. -3. To configure the Teams reporting policy run the following PowerShell command: -``` +##### PowerShell + +1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`. +2. Connect to Exchange Online PowerShell using `Connect-ExchangeOnline`. +3. Run the following cmdlet: +```powershell Set-CsTeamsMessagingPolicy -Identity Global -AllowSecurityEndUserReporting $true ``` -4. To configure the Defender reporting policy, edit and run following commands: -``` -$socmail = "soc@contoso.com" # Change this. + +4. To configure the Defender reporting policies, edit and run this script: + +```powershell +$usersub = "userreportedmessages@fabrikam.com" # Change this. $params = @{ Identity = "DefaultReportSubmissionPolicy" EnableReportToMicrosoft = $false 
@@ -45,20 +52,21 @@ $params = @{ ReportJunkToCustomizedAddress = $true ReportNotJunkToCustomizedAddress = $true ReportPhishToCustomizedAddress = $true - ReportJunkAddresses = $socmail - ReportNotJunkAddresses = $socmail - ReportPhishAddresses = $socmail + ReportJunkAddresses = $usersub + ReportNotJunkAddresses = $usersub + ReportPhishAddresses = $usersub } Set-ReportSubmissionPolicy @params -New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $socmail -``` +New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub +``` #### Related links -* [Microsoft 365 Admin Center](https://admin.microsoft.com) -* [Microsoft Teams Admin Center](https://admin.teams.microsoft.com). -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 420](https://www.cisecurity.org/benchmark/microsoft_365) +* [Microsoft Teams Admin Center](https://admin.teams.microsoft.com) +* [Microsoft 365 Defender](https://security.microsoft.com) +* [User reported settings in Microsoft Teams](https://learn.microsoft.com/en-us/defender-office-365/submissions-teams?view=o365-worldwide) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 451](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisTeamsReportSecurityConcerns.ps1 b/powershell/public/cis/Test-MtCisTeamsReportSecurityConcerns.ps1 index 2bfc56e5e..a7012f47a 100644 --- a/powershell/public/cis/Test-MtCisTeamsReportSecurityConcerns.ps1 +++ b/powershell/public/cis/Test-MtCisTeamsReportSecurityConcerns.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION Report security concerns in Teams only to internal destination - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisTeamsReportSecurityConcerns 
diff --git a/powershell/public/cis/Test-MtCisThirdPartyAndCustomApps.md b/powershell/public/cis/Test-MtCisThirdPartyAndCustomApps.md index 02f3f8538..5a5b4a74d 100644 --- a/powershell/public/cis/Test-MtCisThirdPartyAndCustomApps.md +++ b/powershell/public/cis/Test-MtCisThirdPartyAndCustomApps.md 
@@ -1,47 +1,31 @@ 8.4.1 (L1) Ensure app permission policies are configured -This test checks if the usage of third-party and custom apps are disabled. - This policy setting controls which class of apps are available for users to install. -Rationale:\ -Allowing users to install third-party or unverified apps poses a potential risk of introducing malicious software to the environment. - -#### Remediation action: - -> **NOTE:** Previously, this could be managed from the Permission policies under Teams apps in the Teams admin portal. The Permission policies now redirects you to the Manage Apps page. You can manage apps there now using the `Org-wide app settings` under _Actions_, but it's easier to remediate the recommended settings using PowerShell. - -##### PowerShell +#### Rationale -To change app permission policies using PowerShell +Allowing users to install third-party or unverified apps poses a potential risk of introducing malicious software to the environment. -```powershell -# This cmdlet requires the MicrosoftTeams PowerShell module -# Make sure you're connected to Microsoft Teams using the Connect-MicrosoftTeams cmdlet before executing +#### Impact -## Enable all Microsoft Apps and Disable Third-party and Custom Apps -Set-CsTeamsAppPermissionPolicy -Identity Global -DefaultCatalogAppsType BlockedAppList -DefaultCatalogApps @() -GlobalCatalogAppsType AllowedAppList -GlobalCatalogApps @() -PrivateCatalogAppsType AllowedAppList -PrivateCatalogApps @() -``` +Users will only be able to install approved classes of apps. -##### Microsoft Teams Admin Center +#### Remediation action: -To change app permission policies using the UI: -1. Navigate to **Microsoft Teams admin center** [https://admin.teams.microsoft.com](https://admin.teams.microsoft.com). -2. Click to expand **Teams Apps** [Teams apps | Teams admin center](https://admin.teams.microsoft.com/policies/manage-apps) -3. Under **Actions**, select **Org-wide app settings** +1. 
Navigate to [Microsoft Teams Admin Center](https://admin.teams.microsoft.com). +2. Click to expand **Teams apps** select **Manage apps**. +3. In the upper right click **Actions** > ***Org-wide app settings***. 4. For **Microsoft apps** set **Let users install and use available apps by default** to **On** or less permissive. 5. For **Third-party apps** set **Let users install and use available apps by default** to **Off**. 6. For **Custom apps** set **Let users install and use available apps by default** to **Off**. 7. For **Custom apps** set **Let users interact with custom apps in preview** to **Off**. -8. Click **Save**. #### Related links -* [Microsoft 365 Admin Center](https://admin.microsoft.com) * [Microsoft Teams Admin Center](https://admin.teams.microsoft.com). -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 391](https://www.cisecurity.org/benchmark/microsoft_365) -* [CISA MS.TEAMS.5.2v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/teams.md#msteams52v1) -* [CISA MS.TEAMS.5.3v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/teams.md#msteams53v1) +* [Use app centric management to manage access to apps](https://learn.microsoft.com/en-us/microsoftteams/app-centric-management) +* [Disabling non-Microsoft and custom apps](https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/reducing-attack-surface-in-microsoft-teams?view=o365-worldwide#disabling-third-party--custom-apps) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 425](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisThirdPartyAndCustomApps.ps1 b/powershell/public/cis/Test-MtCisThirdPartyAndCustomApps.ps1 index d1289ea5f..c01686fda 100644 --- a/powershell/public/cis/Test-MtCisThirdPartyAndCustomApps.ps1 +++ b/powershell/public/cis/Test-MtCisThirdPartyAndCustomApps.ps1 
@@ -5,7 +5,7 @@ .DESCRIPTION Ensure all or a majority of third-party and custom apps are blocked - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisThirdPartyAndCustomApps diff --git a/powershell/public/cis/Test-MtCisThirdPartyApplicationsDisallowed.md b/powershell/public/cis/Test-MtCisThirdPartyApplicationsDisallowed.md index 058d6656d..c2f63625e 100644 --- a/powershell/public/cis/Test-MtCisThirdPartyApplicationsDisallowed.md +++ b/powershell/public/cis/Test-MtCisThirdPartyApplicationsDisallowed.md 
@@ -1,21 +1,36 @@ 5.1.2.2 (L2) Ensure third party integrated applications are not allowed -**Rationale:** -Third-party integrated applications connection to services should be disabled unless there is a very clear value and robust security controls are in place. -While there are legitimate uses, attackers can grant access from breached accounts to third party applications to exfiltrate data from your tenancy without having to maintain the breached account. +App registration allows users to register custom-developed applications for use within the directory. + +#### Rationale + +Third-party integrated applications connection to services should be disabled unless there is a very clear value and robust security controls are in place. While there are legitimate uses, attackers can grant access from breached accounts to third party applications to exfiltrate data from your tenancy without having to maintain the breached account. + +#### Impact + +The implementation of this change will impact both end users and administrators. End users will not be able to integrate third-party applications that they may wish to use. Administrators are likely to receive requests from end users to grant them permission to the necessary third-party applications. #### Remediation action: -1. Navigate to Microsoft 365 Entra admin center [https://entra.microsoft.com](https://entra.microsoft.com). -2. Click to expand **Entra ID** select **Users**. -3. Click **User settings** -4. Set **Users can register applications** to **No** -5. Click Save. +1. Navigate to [Microsoft 365 Entra admin center](https://entra.microsoft.com). +2. Click to expand **Entra ID** > **Users** select **Users settings**. +3. Set **Users can register applications** to **No**. +4. Click **Save**. + +##### PowerShell + +1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"` +2. 
Run the following commands: +```powershell +$param = @{ AllowedToCreateApps = "$false" } +Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $param +``` #### Related links -* [Microsoft 365 Entra admin Center | Users | User settings](https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/UserSettings/menuId/) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 167](https://www.cisecurity.org/benchmark/microsoft_365) +* [Microsoft 365 Entra admin center](https://entra.microsoft.com) +* [How and why applications are added to Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity-platform/how-applications-are-added) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 173](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisThirdPartyApplicationsDisallowed.ps1 b/powershell/public/cis/Test-MtCisThirdPartyApplicationsDisallowed.ps1 index 303af6965..0e4f25664 100644 --- a/powershell/public/cis/Test-MtCisThirdPartyApplicationsDisallowed.ps1 +++ b/powershell/public/cis/Test-MtCisThirdPartyApplicationsDisallowed.ps1 
@@ -1,20 +1,20 @@ -<# -.SYNOPSIS - Checks if users are not allowed to register applications. - -.DESCRIPTION - Users should not be allowed to register applications in the tenant. - CIS Microsoft 365 Foundations Benchmark v5.0.0 - -.EXAMPLE - Test-MtCisThirdPartyApplicationsDisallowed - - Returns true if users are not allowed to register applications in the tenant. - -.LINK - https://maester.dev/docs/commands/Test-MtCisThirdPartyApplicationsDisallowed -#> -function Test-MtCisThirdPartyApplicationsDisallowed { +function Test-MtCisThirdPartyApplicationsDisallowed { + <# + .SYNOPSIS + Checks if users are not allowed to register applications. + + .DESCRIPTION + Users should not be allowed to register applications in the tenant. + CIS Microsoft 365 Foundations Benchmark v6.0.1 + + .EXAMPLE + Test-MtCisThirdPartyApplicationsDisallowed + + Returns true if users are not allowed to register applications in the tenant. + + .LINK + https://maester.dev/docs/commands/Test-MtCisThirdPartyApplicationsDisallowed + #> [CmdletBinding()] [OutputType([bool])] param() @@ -35,7 +35,8 @@ function Test-MtCisThirdPartyApplicationsDisallowed { if ($testResult) { $testResultMarkdown = "Well done. Your tenant settings comply with CIS recommendations.`n`n%TestResult%" - } else { + } + else { $testResultMarkdown = "Your tenant settings do not comply with CIS recommendations.`n`n%TestResult%" } @@ -44,7 +45,8 @@ function Test-MtCisThirdPartyApplicationsDisallowed { if ($checkAllowedToCreateApps) { $checkAllowedToCreateAppsResult = '✅ Pass' - } else { + } + else { $checkAllowedToCreateAppsResult = '❌ Fail' } @@ -54,7 +56,8 @@ function Test-MtCisThirdPartyApplicationsDisallowed { Add-MtTestResultDetail -Result $testResultMarkdown return $testResult - } catch { + } + catch { Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ return $null } 
diff --git a/powershell/public/cis/Test-MtCisThirdPartyFileSharing.md b/powershell/public/cis/Test-MtCisThirdPartyFileSharing.md index ed0cde844..6ffc21754 100644 --- a/powershell/public/cis/Test-MtCisThirdPartyFileSharing.md +++ b/powershell/public/cis/Test-MtCisThirdPartyFileSharing.md 
@@ -1,44 +1,48 @@ 8.1.1 (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services -This test checks if the third-party cloud services are disabled. -- DropBox -- Box -- Google Drive -- Citrix Files -- Egnyte - Microsoft Teams enables collaboration via file sharing. This file sharing is conducted within Teams, using SharePoint Online, by default; however, third-party cloud services are allowed as well. -Rationale:\ -Ensuring that only authorized cloud storage providers are accessible from Teams will help to dissuade the use of non-approved storage providers +>Note: Skype for business is deprecated as of July 31, 2021 although these settings may still be valid for a period of time. See the link in the references section for more information. + +#### Rationale + +Ensuring that only authorized cloud storage providers are accessible from Teams will +help to dissuade the use of non-approved storage providers. + +#### Impact + +The impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so. #### Remediation action: To change third-party cloud services using the UI: 1. Navigate to **Microsoft Teams admin center** [https://admin.teams.microsoft.com](https://admin.teams.microsoft.com). -2. Click to expand **Teams** select **Teams settings**. -3. Scroll to **Files**. -4. Set any unauthorized provider to **Off**. +2. Select **Settings & policies > Global (Org-wide default) settings.** +3. Click **Teams** to open the **Teams settings** section. +4. Under files set storages providers to **Off** unless they have first been authorized by the organization. To change third-party cloud services using PowerShell: 1. Connect to Teams using **Connect-MicrosoftTeams**. -2. Run following PowerShell Command: +2. 
Run the following PowerShell command to disable external providers that are not authorized. (the example disables Citrix Files, DropBox, Box, Google Drive and Egnyte) + ``` -$storageParams = @{ - AllowDropBox = $false - AllowBox = $false +$Params = @{ + Identity = 'Global' AllowGoogleDrive = $false AllowShareFile = $false + AllowBox = $false + AllowDropBox = $false AllowEgnyte = $false } -Set-CsTeamsClientConfiguration @storageParams +Set-CsTeamsClientConfiguration @Params ``` #### Related links * [Microsoft 365 Admin Center](https://admin.microsoft.com) * [Microsoft Teams Admin Center](https://admin.teams.microsoft.com). -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 369](https://www.cisecurity.org/benchmark/microsoft_365) +* [Manage Teams with Microsoft Teams PowerShell](https://learn.microsoft.com/en-us/microsoftteams/teams-powershell-managing-teams) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 401](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisThirdPartyFileSharing.ps1 b/powershell/public/cis/Test-MtCisThirdPartyFileSharing.ps1 index 3c85ede17..7f035c1d6 100644 --- a/powershell/public/cis/Test-MtCisThirdPartyFileSharing.ps1 +++ b/powershell/public/cis/Test-MtCisThirdPartyFileSharing.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION Ensure third-party file sharing cloud services in Teams are disabled - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisThirdPartyFileSharing @@ -28,7 +28,7 @@ try { $return = $true - $thirdPartyCloudServices = Get-CsTeamsClientConfiguration | Select-Object AllowDropbox, AllowBox, AllowGoogleDrive, AllowShareFile, AllowEgnyte + $thirdPartyCloudServices = Get-CsTeamsClientConfiguration -Identity Global | Select-Object AllowDropbox, AllowBox, AllowGoogleDrive, AllowShareFile, AllowEgnyte $passResult = '✅ Pass' $failResult = '❌ Fail' 
diff --git a/powershell/public/cis/Test-MtCisThirdPartyStorageServicesRestricted.md b/powershell/public/cis/Test-MtCisThirdPartyStorageServicesRestricted.md index 15ff4ae8c..89de40deb 100644 --- a/powershell/public/cis/Test-MtCisThirdPartyStorageServicesRestricted.md +++ b/powershell/public/cis/Test-MtCisThirdPartyStorageServicesRestricted.md 
@@ -1,20 +1,40 @@ 1.3.7 (L2) Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web' -**Rationale:** +Third-party storage can be enabled for users in Microsoft 365, allowing them to store and share documents using services such as Dropbox, alongside OneDrive and team sites. + +Ensure **Microsoft 365 on the web** third-party storage services are restricted. + +#### Rationale + By using external storage services an organization may increase the risk of data breaches and unauthorized access to confidential information. Additionally, third-party services may not adhere to the same security standards as the organization, making it difficult to maintain data privacy and security. +#### Impact + +Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so. + #### Remediation action: -1. Navigate to Microsoft 365 admin center [https://admin.microsoft.com](https://admin.microsoft.com). -2. Click to expand **Settings** select **Org settings**. -3. In **Services** select **Microsoft 365 on the web** -4. Uncheck **Let users open files stored in third-party storage services in Microsoft 365 on the web** -5. Click Save. +1. Navigate to [Microsoft 365 admin center](https://admin.microsoft.com) +2. Go to **Settings** > **Org Settings** > **Services** > **Microsoft 365 on the web** +3. Uncheck **Let users open files stored in third-party storage services in Microsoft 365 on the web** + +##### PowerShell + +1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes "Application.ReadWrite.All"` +2. Run the following script: +```powershell +$SP = Get-MgServicePrincipal -Filter "appId eq 'c1f33bc0-bdb4-4248-ba9b096807ddb43e'" +# If the service principal doesn't exist then create it first. 
+if (-not $SP) { + $SP = New-MgServicePrincipal -AppId "c1f33bc0-bdb4-4248-ba9b096807ddb43e" +} +Update-MgServicePrincipal -ServicePrincipalId $SP.Id -AccountEnabled:$false +``` #### Related links -* [Microsoft 365 admin center | Settings | Org settings | Microsoft 365 on the web](https://admin.cloud.microsoft/?#/Settings/Services/:/Settings/L1/OfficeOnline) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 61](https://www.cisecurity.org/benchmark/microsoft_365) +* [Microsoft 365 admin center](https://admin.microsoft.com) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 63](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisThirdPartyStorageServicesRestricted.ps1 b/powershell/public/cis/Test-MtCisThirdPartyStorageServicesRestricted.ps1 index ef208e6e2..bc84047c0 100644 --- a/powershell/public/cis/Test-MtCisThirdPartyStorageServicesRestricted.ps1 +++ b/powershell/public/cis/Test-MtCisThirdPartyStorageServicesRestricted.ps1 
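Review bot: The appId in the remediation script, `c1f33bc0-bdb4-4248-ba9b096807ddb43e`, is not a well-formed GUID — the last group has 16 hex digits where the 8-4-4-4-12 layout needs a hyphen after `ba9b` — so the `Get-MgServicePrincipal -Filter "appId eq '…'"` lookup returns nothing and the fallback `New-MgServicePrincipal -AppId` is then called with the same malformed value. Both occurrences should be corrected to the value printed in the CIS v6.0.1 benchmark text; the only 8-4-4-4-12 reading of the digits on the page is `c1f33bc0-bdb4-4248-ba9b-096807ddb43e`, but confirm it against the benchmark rather than this note. Since this block is meant to be pasted verbatim, the error leaves the control un-remediated even though the steps appear to complete, and the companion Test-MtCisThirdPartyStorageServicesRestricted.ps1 (whose service-principal lookup is outside the shown hunks) should use the same corrected value.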
@@ -1,20 +1,20 @@ -<# -.SYNOPSIS - Checks if users are restricted to store and share files in third-party storage services in Microsoft 365 on the web. - -.DESCRIPTION - Users should be restricted to store and share files in third-party storage services in Microsoft 365 on the web. - CIS Microsoft 365 Foundations Benchmark v5.0.0 - -.EXAMPLE - Test-MtCisThirdPartyStorageServicesRestricted - - Returns true if users are restricted to store and share files in third-party storage services in Microsoft 365 on the web. - -.LINK - https://maester.dev/docs/commands/Test-MtCisThirdPartyStorageServicesRestricted -#> -function Test-MtCisThirdPartyStorageServicesRestricted { +function Test-MtCisThirdPartyStorageServicesRestricted { + <# + .SYNOPSIS + Checks if users are restricted to store and share files in third-party storage services in Microsoft 365 on the web. + + .DESCRIPTION + Users should be restricted to store and share files in third-party storage services in Microsoft 365 on the web. + CIS Microsoft 365 Foundations Benchmark v6.0.1 + + .EXAMPLE + Test-MtCisThirdPartyStorageServicesRestricted + + Returns true if users are restricted to store and share files in third-party storage services in Microsoft 365 on the web. + + .LINK + https://maester.dev/docs/commands/Test-MtCisThirdPartyStorageServicesRestricted + #> [CmdletBinding()] [OutputType([bool])] param() @@ -32,16 +32,19 @@ function Test-MtCisThirdPartyStorageServicesRestricted { if ($ServicePrincipal) { if ($ServicePrincipal.accountEnabled) { $testResult = $false - } else { + } + else { $testResult = $true } - } else { + } + else { $testResult = $false } if ($testResult) { $testResultMarkdown = "Well done. Your tenant settings comply with CIS recommendations.`n`n%TestResult%" - } else { + } + else { $testResultMarkdown = "Your tenant settings do not comply with CIS recommendations.`n`n%TestResult%" } 
@@ -50,7 +53,8 @@ function Test-MtCisThirdPartyStorageServicesRestricted {
 if ($testResult) {
 $ThirdPartyStorageResult = '✅ Pass'
- } else {
+ }
+ else {
 $ThirdPartyStorageResult = '❌ Fail'
 }
@@ -60,7 +64,8 @@ function Test-MtCisThirdPartyStorageServicesRestricted {
 Add-MtTestResultDetail -Result $testResultMarkdown
 return $testResult
- } catch {
+ }
+ catch {
 Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
 return $null
 }
diff --git a/powershell/public/cis/Test-MtCisUserOwnedAppsRestricted.md b/powershell/public/cis/Test-MtCisUserOwnedAppsRestricted.md
index d197cf69b..0c91638c5 100644
--- a/powershell/public/cis/Test-MtCisUserOwnedAppsRestricted.md
+++ b/powershell/public/cis/Test-MtCisUserOwnedAppsRestricted.md
@@ -1,22 +1,49 @@ 1.3.4 (L1) Ensure 'User owned apps and services' is restricted -**Rationale:** +By default, users can install add-ins in their Microsoft Word, Excel, and PowerPoint applications, allowing data access within the application. + +Do not allow users to install add-ins in Word, Excel, or PowerPoint. + +#### Rationale + Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. + While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. + Disable future user's ability to install add-ins in Microsoft Word, Excel, or PowerPoint helps reduce your threat-surface and mitigate this risk. +#### Impact + +Implementation of this change will impact both end users and administrators. End users will not be able to install add-ins that they may want to install. + #### Remediation action: -1. Navigate to Microsoft 365 admin center [https://admin.microsoft.com](https://admin.microsoft.com). +1. Navigate to [Microsoft 365 admin center](https://admin.microsoft.com). 2. Click to expand **Settings** select **Org settings**. 3. In **Services** select **User owned apps and services.** 4. Uncheck **Let users access the Office Store** and **Let users start trials on behalf of your organization** -5. Click Save. +5. Click **Save**. + +##### PowerShell + +1. Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes "OrgSettings-AppsAndServices.ReadWrite.All"`. +2. 
Run the following Microsoft Graph PowerShell commands: +```powershell +$uri = "https://graph.microsoft.com/beta/admin/appsAndServices" +$body = @{ + "Settings" = @{ + "isAppAndServicesTrialEnabled" = $false + "isOfficeStoreEnabled" = $false + } +} | ConvertTo-Json +Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body +``` #### Related links -* [Microsoft 365 admin center | Settings | Org settings | User owned apps and services](https://admin.cloud.microsoft/?#/Settings/Services/:/Settings/L1/Store) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 54](https://www.cisecurity.org/benchmark/microsoft_365) +* [Microsoft 365 admin center](https://admin.microsoft.com) +* [Manage add-ins in the Microsoft 365 admin center](https://learn.microsoft.com/en-us/microsoft-365/admin/manage/manage-addins-in-the-admin-center?view=o365-worldwide&tabs=word-excel-powerpoint#manage-add-in-downloads-by-turning-onoff-the-office-store-across-all-apps-except-outlook) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 56](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisUserOwnedAppsRestricted.ps1 b/powershell/public/cis/Test-MtCisUserOwnedAppsRestricted.ps1 index 67be38f23..6be0a6161 100644 --- a/powershell/public/cis/Test-MtCisUserOwnedAppsRestricted.ps1 +++ b/powershell/public/cis/Test-MtCisUserOwnedAppsRestricted.ps1 
@@ -1,20 +1,20 @@ -<# -.SYNOPSIS +function Test-MtCisUserOwnedAppsRestricted { + <# + .SYNOPSIS Checks if users are restricted to install add-ins from the Office Store and start trials on behalf of the organization. -.DESCRIPTION + .DESCRIPTION Users should be restricted to install add-ins from the Office Store and start trials on behalf of the organization. - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 -.EXAMPLE + .EXAMPLE Test-MtCisUserOwnedAppsRestricted Returns true if users cannot install add-ins from the Office Store and start trials on behalf of the organization. -.LINK + .LINK https://maester.dev/docs/commands/Test-MtCisUserOwnedAppsRestricted -#> -function Test-MtCisUserOwnedAppsRestricted { + #> [CmdletBinding()] [OutputType([bool])] param() @@ -26,7 +26,7 @@ function Test-MtCisUserOwnedAppsRestricted { $scopes = (Get-MgContext).Scopes $permissionMissing = "OrgSettings-AppsAndServices.Read.All" -notin $scopes - if($permissionMissing){ + if ($permissionMissing) { Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason "Missing Scope OrgSettings-AppsAndServices.Read.All" return $null } @@ -43,7 +43,8 @@ function Test-MtCisUserOwnedAppsRestricted { if ($testResult) { $testResultMarkdown = "Well done. Your tenant settings comply with CIS recommendations.`n`n%TestResult%" - } else { + } + else { $testResultMarkdown = "Your tenant settings do not comply with CIS recommendations.`n`n%TestResult%" } @@ -52,13 +53,15 @@ function Test-MtCisUserOwnedAppsRestricted { if ($CheckIsOfficeStoreEnabled) { $CheckIsOfficeStoreEnabledResult = '✅ Pass' - } else { + } + else { $CheckIsOfficeStoreEnabledResult = '❌ Fail' } if ($CheckIsAppAndServicesTrialEnabled) { $CheckIsAppAndServicesTrialEnabledResult = '✅ Pass' - } else { + } + else { $CheckIsAppAndServicesTrialEnabledResult = '❌ Fail' } 
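Review bot: In the `@@ -26,7 +26,7 @@` hunk the scope guard `"OrgSettings-AppsAndServices.Read.All" -notin $scopes` is an exact string match, so a session connected with only `OrgSettings-AppsAndServices.ReadWrite.All` — the scope the accompanying remediation page tells admins to request — is reported as "Missing Scope" and the test is skipped even though the read would succeed. Unless Get-MgContext also lists the Read variant in that case (I cannot tell from here), accept either scope: `$permissionMissing = -not ($scopes -contains 'OrgSettings-AppsAndServices.Read.All' -or $scopes -contains 'OrgSettings-AppsAndServices.ReadWrite.All')`. The enclosing function continues outside this hunk.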
@@ -69,7 +72,8 @@ function Test-MtCisUserOwnedAppsRestricted {
 Add-MtTestResultDetail -Result $testResultMarkdown
 return $testResult
- } catch {
+ }
+ catch {
 Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
 return $null
 }
diff --git a/powershell/public/cis/Test-MtCisWeakAuthenticationMethodsDisabled.md b/powershell/public/cis/Test-MtCisWeakAuthenticationMethodsDisabled.md
index 44720e19e..3cd81bdb1 100644
--- a/powershell/public/cis/Test-MtCisWeakAuthenticationMethodsDisabled.md
+++ b/powershell/public/cis/Test-MtCisWeakAuthenticationMethodsDisabled.md
@@ -1,19 +1,54 @@ 5.2.3.5 (L1) Ensure weak authentication methods are disabled -**Rationale:** +Authentication methods support a wide variety of scenarios for signing in to Microsoft 365 resources. Some of these methods are inherently more secure than others but require more investment in time to get users enrolled and operational. + +SMS and Voice Call rely on telephony carrier communication methods to deliver the authenticating factor. + +The recommended state is to Disable these methods: +* SMS +* Voice Call + +#### Rationale + +Traditional MFA methods such as SMS codes, email-based OTPs, and push notifications are becoming less effective against today’s attackers. Sophisticated phishing campaigns have demonstrated that second factors can be intercepted or spoofed. Attackers now exploit social engineering, man-in-the-middle tactics, and user fatigue (e.g., MFA bombing) to bypass these mechanisms. These risks are amplified in distributed, cloud-first organizations with hybrid workforces and varied device ecosystems. + The SMS and Voice call methods are vulnerable to SIM swapping which could allow an attacker to gain access to your Microsoft 365 account. +#### Impact + +There may be increased administrative overhead in adopting more secure authentication methods depending on the maturity of the organization. + #### Remediation action: -1. Navigate to Microsoft Entra ID admin center [https://entra.microsoft.com](https://entra.microsoft.com). -2. Under **Entra ID** select **Authentication methods** -3. Under **Manage** select **Policies** -4. Ensure that **SMS**, **Voice call** and **Email OTP** are disabled +1. Navigate to [Microsoft Entra admin center](https://entra.microsoft.com). +2. Click to expand **Entra ID** > **Authentication methods** +3. Select **Policies**. +4. Inspect each method that is out of compliance and remediate: +* Click on the method to open it. +* Change the **Enable** toggle to the off position. +* Click **Save**. 
+ +>Note: If the save button remains greyed out after toggling a method off, then first turn it back on and then change the position of the Target selection (all users or select groups). Turn the method off again and save. This was observed to be a bug in the UI at the time this document was published. + +##### PowerShell + +1. Connect to Graph using `Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"` +2. Run the following to disable these two authentication methods: +```powershell +$params = @( + @{ Id = "Sms"; State = "disabled" }, + @{ Id = "Voice"; State = "disabled" } +) +Update-MgPolicyAuthenticationMethodPolicy -AuthenticationMethodConfigurations $params +``` #### Related links -* [Microsoft 365 Entra admin Center | Authentication methods | Policies](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AdminAuthMethods/fromNav/) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 259](https://www.cisecurity.org/benchmark/microsoft_365) +* [Microsoft Entra admin center](https://entra.microsoft.com) +* [Manage authentication methods for Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods-manage) +* [Context and problem](https://learn.microsoft.com/en-us/security/zero-trust/sfi/phishing-resistant-mfa#context-and-problem) +* [What is SIM swapping & how does the hijacking scam work?](https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/what-is-sim-swapping) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 288](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisWeakAuthenticationMethodsDisabled.ps1 b/powershell/public/cis/Test-MtCisWeakAuthenticationMethodsDisabled.ps1 index 3682db166..a3ccac491 100644 --- a/powershell/public/cis/Test-MtCisWeakAuthenticationMethodsDisabled.ps1 
+++ b/powershell/public/cis/Test-MtCisWeakAuthenticationMethodsDisabled.ps1 @@ -1,20 +1,20 @@ -<# -.SYNOPSIS - Checks if weak authentication methods (SMS, voice call, email OTP) are disabled in the tenant. - -.DESCRIPTION - Weak authentication methods such as SMS, voice call, and email OTP should be disabled. - CIS Microsoft 365 Foundations Benchmark v5.0.0 - -.EXAMPLE - Test-MtCisWeakAuthenticationMethodsDisabled - - Returns true if weak authentication methods are disabled. - -.LINK - https://maester.dev/docs/commands/Test-MtCisWeakAuthenticationMethodsDisabled -#> -function Test-MtCisWeakAuthenticationMethodsDisabled { +function Test-MtCisWeakAuthenticationMethodsDisabled { + <# + .SYNOPSIS + Checks if weak authentication methods (SMS, voice call, email OTP) are disabled in the tenant. + + .DESCRIPTION + Weak authentication methods such as SMS, voice call, and email OTP should be disabled. + CIS Microsoft 365 Foundations Benchmark v6.0.1 + + .EXAMPLE + Test-MtCisWeakAuthenticationMethodsDisabled + + Returns true if weak authentication methods are disabled. + + .LINK + https://maester.dev/docs/commands/Test-MtCisWeakAuthenticationMethodsDisabled + #> [CmdletBinding()] [OutputType([bool])] param() @@ -37,7 +37,8 @@ function Test-MtCisWeakAuthenticationMethodsDisabled { if ($testResult) { $testResultMarkdown = "Well done. Your tenant settings comply with CIS recommendations.`n`n%TestResult%" - } else { + } + else { $testResultMarkdown = "Your tenant settings do not comply with CIS recommendations.`n`n%TestResult%" } @@ -46,19 +47,22 @@ function Test-MtCisWeakAuthenticationMethodsDisabled { if ($checkSms) { $checkSmsResult = '✅ Pass' - } else { + } + else { $checkSmsResult = '❌ Fail' } if ($checkVoice) { $checkVoiceResult = '✅ Pass' - } else { + } + else { $checkVoiceResult = '❌ Fail' } if ($checkEmail) { $checkEmailResult = '✅ Pass' - } else { + } + else { $checkEmailResult = '❌ Fail' } 
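Review bot: The relocated help text still describes the test as checking "SMS, voice call, email OTP", and the `@@ -46,19 +47,22 @@` hunk still derives `$checkEmailResult` from `$checkEmail`, while the v6.0.1 page for this control now lists only SMS and Voice Call as the methods to disable and its PowerShell remediation disables only those two. A tenant that follows that remediation verbatim can therefore still fail this test on Email OTP with no hint in the rendered guidance. Either drop the Email OTP check to match the benchmark scope, or keep it and say so in the .SYNOPSIS/.DESCRIPTION and in the markdown's recommended-state list; where `$checkEmail` is computed is outside the shown hunks, so I cannot tell which was intended.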
@@ -70,7 +74,8 @@ function Test-MtCisWeakAuthenticationMethodsDisabled {
 Add-MtTestResultDetail -Result $testResultMarkdown
 return $testResult
- } catch {
+ }
+ catch {
 Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
 return $null
 }
diff --git a/powershell/public/cis/Test-MtCisZAP.md b/powershell/public/cis/Test-MtCisZAP.md
index c236d3590..c312612ca 100644
--- a/powershell/public/cis/Test-MtCisZAP.md
+++ b/powershell/public/cis/Test-MtCisZAP.md
@@ -1,19 +1,37 @@ 2.4.4 (L1) Ensure Zero-hour auto purge for Microsoft Teams is on -**Rationale:** -ZAP is intended to protect users that have received zero-day malware messages or content that is weaponized after being delivered to users. It does this by continually monitoring spam and malware signatures taking automated retroactive action on messages that have already been delivered. +Zero-hour auto purge (ZAP) is a protection feature that retroactively detects and neutralizes malware and high confidence phishing. When ZAP for Teams protection blocks a message, the message is blocked for everyone in the chat. The initial block happens right after delivery, but ZAP occurs up to 48 hours after delivery. + +#### Rationale + +ZAP is intended to protect users that have received zero-day malware messages or content that is weaponized after being delivered to users. It does this by continually monitoring spam and malware signatures taking automated retroactive action on messages that have already been delivered. + +#### Impact + +As with any anti-malware or anti-phishing product, false positives may occur #### Remediation action: To enable Zero-hour auto purge for Microsoft Teams: -1. Navigate to Microsoft 365 Defender [https://security.microsoft.com](https://security.microsoft.com) -2. Click to expand **Settings** > **Email & collaboration** > **Microsoft Teams protection** +1. Navigate to [Microsoft 365 Defender](https://security.microsoft.com) +2. Click to expand **System** select **Settings** > **Email & collaboration** > **Microsoft Teams protection** 3. Set **Zero-hour auto purge (ZAP)** to **On (Default)**. +##### PowerShell + +1. Connect to Exchange Online using `Connect-ExchangeOnline`. +2. 
Run the following cmdlet: +```powershell +Set-TeamsProtectionPolicy -Identity "Teams Protection Policy" -ZapEnabled $true +``` + + #### Related links * [Microsoft 365 Admin Center](https://admin.microsoft.com) -* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 138](https://www.cisecurity.org/benchmark/microsoft_365) +* [Zero-hour auto purge (ZAP) in Microsoft Teams](https://learn.microsoft.com/en-us/defender-office-365/zero-hour-auto-purge?view=o365-worldwide#zero-hour-auto-purge-zap-in-microsoft-teams) +* [Configure ZAP for Teams protection in Defender for Office 365](https://learn.microsoft.com/en-us/defender-office-365/mdo-support-teams-about?view=o365-worldwide#configure-zap-for-teams-protection-in-defender-for-office-365-plan-2) +* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 145](https://www.cisecurity.org/benchmark/microsoft_365) %TestResult% \ No newline at end of file diff --git a/powershell/public/cis/Test-MtCisZAP.ps1 b/powershell/public/cis/Test-MtCisZAP.ps1 index 8e59c4a57..ccd5f525c 100644 --- a/powershell/public/cis/Test-MtCisZAP.ps1 +++ b/powershell/public/cis/Test-MtCisZAP.ps1 @@ -5,7 +5,7 @@ .DESCRIPTION Zero-hour auto purge (ZAP) should be enabled for Microsoft Teams - CIS Microsoft 365 Foundations Benchmark v5.0.0 + CIS Microsoft 365 Foundations Benchmark v6.0.1 .EXAMPLE Test-MtCisZAP diff --git a/tests/cis/Test-MtCis365PublicGroup.Tests.ps1 b/tests/cis/Test-MtCis365PublicGroup.Tests.ps1 index dd783b21e..97e7b5ca3 100644 --- a/tests/cis/Test-MtCis365PublicGroup.Tests.ps1 +++ b/tests/cis/Test-MtCis365PublicGroup.Tests.ps1 @@ -1,4 +1,4 @@ -Describe "CIS" -Tag "CIS.M365.1.2.1", "L2", "CIS E3 Level 2", "CIS E3", "CIS", "CIS M365 v5.0.0" { +Describe "CIS" -Tag "CIS.M365.1.2.1", "L2", "CIS E3 Level 2", "CIS E3", "CIS", "CIS M365 v6.0.1" { It "CIS.M365.1.2.1: Ensure that only organizationally managed/approved public groups exist" { $result = Test-MtCis365PublicGroup 
diff --git a/tests/cis/Test-MtCisAdminConsentWorkflowEnabled.Tests.ps1 b/tests/cis/Test-MtCisAdminConsentWorkflowEnabled.Tests.ps1
index a2c5ceab2..7c768c218 100644
--- a/tests/cis/Test-MtCisAdminConsentWorkflowEnabled.Tests.ps1
+++ b/tests/cis/Test-MtCisAdminConsentWorkflowEnabled.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.5.1.5.2", "L1", "CIS E3 Level 1", "CIS E3", "CIS E5 Level 1", "CIS E5", "CIS", "Security", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.5.1.5.2", "L1", "CIS E3 Level 1", "CIS E3", "CIS E5 Level 1", "CIS E5", "CIS", "Security", "CIS M365 v6.0.1" {
 It "CIS.M365.5.1.5.2: Ensure the admin consent workflow is enabled" {
 $result = Test-MtCisAdminConsentWorkflowEnabled
diff --git a/tests/cis/Test-MtCisAttachmentFilter.Tests.ps1 b/tests/cis/Test-MtCisAttachmentFilter.Tests.ps1
index 7b15ced53..54cec7d2c 100644
--- a/tests/cis/Test-MtCisAttachmentFilter.Tests.ps1
+++ b/tests/cis/Test-MtCisAttachmentFilter.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.2.1.2", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.2.1.2", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.2.1.2: Ensure the Common Attachment Types Filter is enabled (Only Checks Default Policy)" {
 $result = Test-MtCisAttachmentFilter
diff --git a/tests/cis/Test-MtCisAttachmentFilterComprehensive.Tests.ps1 b/tests/cis/Test-MtCisAttachmentFilterComprehensive.Tests.ps1
index 9ee2b5742..c4f146089 100644
--- a/tests/cis/Test-MtCisAttachmentFilterComprehensive.Tests.ps1
+++ b/tests/cis/Test-MtCisAttachmentFilterComprehensive.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.2.1.11", "L2", "CIS E3 Level 2", "CIS E3", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.2.1.11", "L2", "CIS E3 Level 2", "CIS E3", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.2.1.11: Ensure comprehensive attachment filtering is applied" {
 $result = Test-MtCisAttachmentFilterComprehensive
diff --git a/tests/cis/Test-MtCisAuditLogSearch.Tests.ps1 b/tests/cis/Test-MtCisAuditLogSearch.Tests.ps1
index e0ffd53f9..88fda5fbc 100644
--- a/tests/cis/Test-MtCisAuditLogSearch.Tests.ps1
+++ b/tests/cis/Test-MtCisAuditLogSearch.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.3.1.1", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.3.1.1", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.3.1.1: Ensure Microsoft 365 audit log search is Enabled" {
 $result = Test-MtCisAuditLogSearch
diff --git a/tests/cis/Test-MtCisCalendarSharing.Tests.ps1 b/tests/cis/Test-MtCisCalendarSharing.Tests.ps1
index 8280385ef..2a31f7207 100644
--- a/tests/cis/Test-MtCisCalendarSharing.Tests.ps1
+++ b/tests/cis/Test-MtCisCalendarSharing.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.1.3.3", "L2", "CIS E3 Level 2", "CIS E3", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.1.3.3", "L2", "CIS E3 Level 2", "CIS E3", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.1.3.3: Ensure 'External sharing' of calendars is not available" {
 $result = Test-MtCisCalendarSharing
diff --git a/tests/cis/Test-MtCisCloudAdmin.Tests.ps1 b/tests/cis/Test-MtCisCloudAdmin.Tests.ps1
index 3c47daa50..1660d6c88 100644
--- a/tests/cis/Test-MtCisCloudAdmin.Tests.ps1
+++ b/tests/cis/Test-MtCisCloudAdmin.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.1.1.1", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.1.1.1", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.1.1.1: Ensure Administrative accounts are cloud-only" {
 $result = Test-MtCisCloudAdmin
diff --git a/tests/cis/Test-MtCisCommunicateInitiateExternalTeamsUsers.Tests.ps1 b/tests/cis/Test-MtCisCommunicateInitiateExternalTeamsUsers.Tests.ps1
new file mode 100644
index 000000000..020c591dc
--- /dev/null
+++ b/tests/cis/Test-MtCisCommunicateInitiateExternalTeamsUsers.Tests.ps1
@@ -0,0 +1,10 @@
+Describe "CIS" -Tag "CIS.M365.8.2.3", "CIS", "CIS M365 v6.0.1" {
+ It "CIS.M365.8.2.3: Ensure external Teams users cannot initiate conversations" -Tag "CIS.M365.8.2.3", "CIS E3 Level 1" {
+
+ $result = Test-MtCisCommunicateInitiateExternalTeamsUsers
+
+ if ($null -ne $result) {
+ $result | Should -Be $true -Because "External Teams users cannot initiate conversations."
+ }
+ }
+}
diff --git a/tests/cis/Test-MtCisCommunicateWithUnmanagedTeamsUsers.Tests.ps1 b/tests/cis/Test-MtCisCommunicateWithUnmanagedTeamsUsers.Tests.ps1
index b546237c0..c1a450016 100644
--- a/tests/cis/Test-MtCisCommunicateWithUnmanagedTeamsUsers.Tests.ps1
+++ b/tests/cis/Test-MtCisCommunicateWithUnmanagedTeamsUsers.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.8.2.2", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.8.2.2", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.8.2.2: Ensure communication with unmanaged Teams users is disabled" -Tag "CIS.M365.8.2.2", "CIS E3 Level 1" {
 $result = Test-MtCisCommunicateWithUnmanagedTeamsUsers
diff --git a/tests/cis/Test-MtCisConnectionFilterSafeList.Tests.ps1 b/tests/cis/Test-MtCisConnectionFilterSafeList.Tests.ps1
index 44a7c87d6..a5562639f 100644
--- a/tests/cis/Test-MtCisConnectionFilterSafeList.Tests.ps1
+++ b/tests/cis/Test-MtCisConnectionFilterSafeList.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.2.1.13", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.2.1.13", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.2.1.13: Ensure the connection filter safe list is off (Only Checks Default Policy)" {
 $result = Test-MtCisConnectionFilterSafeList
diff --git a/tests/cis/Test-MtCisCreateTenantDisallowed.Tests.ps1 b/tests/cis/Test-MtCisCreateTenantDisallowed.Tests.ps1
index 18d91e243..563f74681 100644
--- a/tests/cis/Test-MtCisCreateTenantDisallowed.Tests.ps1
+++ b/tests/cis/Test-MtCisCreateTenantDisallowed.Tests.ps1
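Review bot: The new Describe block is tagged only `"CIS.M365.8.2.3", "CIS", "CIS M365 v6.0.1"` with `"CIS E3 Level 1"` on the It block, whereas the other CIS test files in this diff also carry the level and product tags on the Describe block (for example `"L1", "CIS E3 Level 1", "CIS E3"`), so a run filtered on `L1` or `CIS E3` would not select this test. The layout mirrors the adjacent Test-MtCisCommunicateWithUnmanagedTeamsUsers.Tests.ps1, so if it is intentional both files probably want the missing tags; otherwise `Describe "CIS" -Tag "CIS.M365.8.2.3", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v6.0.1" {` matches the rest of the suite. The `-Because` string also reads as the assertion rather than the reason; something like `-Because "CIS 8.2.3 requires that external Teams users cannot initiate conversations"` is clearer in failure output.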
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.5.1.2.3", "L1", "CIS E3 Level 1", "CIS E3", "CIS E5 Level 1", "CIS E5", "CIS", "Security", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.5.1.2.3", "L1", "CIS E3 Level 1", "CIS E3", "CIS E5 Level 1", "CIS E5", "CIS", "Security", "CIS M365 v6.0.1" {
 It "CIS.M365.5.1.2.3: Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'" {
 $result = Test-MtCisCreateTenantDisallowed
diff --git a/tests/cis/Test-MtCisCustomerLockBox.Tests.ps1 b/tests/cis/Test-MtCisCustomerLockBox.Tests.ps1
index ee2a71979..1197ceb03 100644
--- a/tests/cis/Test-MtCisCustomerLockBox.Tests.ps1
+++ b/tests/cis/Test-MtCisCustomerLockBox.Tests.ps1
@@ -4,13 +4,14 @@ BeforeDiscovery {
 if ($null -eq $CustomerLockboxPlan) {
 Add-MtTestResultDetail -SkippedBecause NotLicensedCustomerLockbox
 }
- } catch {
+ }
+ catch {
 Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
 return $null
 }
 }
-Describe 'CIS' -Tag 'CIS.M365.1.3.6', 'L2', 'CIS E5 Level 2', 'CIS E5', 'CIS', 'CIS M365 v5.0.0' {
+Describe 'CIS' -Tag 'CIS.M365.1.3.6', 'L2', 'CIS E5 Level 2', 'CIS E5', 'CIS', 'CIS M365 v6.0.1' {
 It "CIS.M365.1.3.6: Ensure the customer lockbox feature is enabled" {
 $result = Test-MtCisCustomerLockBox
diff --git a/tests/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.Tests.ps1 b/tests/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.Tests.ps1
index 3111c972c..06c64c225 100644
--- a/tests/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.Tests.ps1
+++ b/tests/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.4.1", "L2", "CIS E3 Level 2", "CIS E3", "CIS E5 Level 2", "CIS E5", "CIS", "Security", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.4.1", "L2", "CIS E3 Level 2", "CIS E3", "CIS E5 Level 2", "CIS E5", "CIS", "Security", "CIS M365 v6.0.1" {
 It "CIS.M365.4.1: Ensure devices without a compliance policy are marked 'not compliant'" {
 $result = Test-MtCisDevicesWithoutCompliancePolicyMarked
diff --git a/tests/cis/Test-MtCisDkim.Tests.ps1 b/tests/cis/Test-MtCisDkim.Tests.ps1
index 48ad15b24..1d38006c7 100644
--- a/tests/cis/Test-MtCisDkim.Tests.ps1
+++ b/tests/cis/Test-MtCisDkim.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.2.1.9", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.2.1.9", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.2.1.9: Ensure that DKIM is enabled for all Exchange Online Domains" {
 $result = Test-MtCisDkim
diff --git a/tests/cis/Test-MtCisEnsureGuestAccessRestricted.Tests.ps1 b/tests/cis/Test-MtCisEnsureGuestAccessRestricted.Tests.ps1
index 3056d1f6a..92485b804 100644
--- a/tests/cis/Test-MtCisEnsureGuestAccessRestricted.Tests.ps1
+++ b/tests/cis/Test-MtCisEnsureGuestAccessRestricted.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.5.1.6.2", "L1", "CIS E3 Level 1", "CIS E3", "CIS E5 Level 1", "CIS E5", "CIS", "Security", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.5.1.6.2", "L1", "CIS E3 Level 1", "CIS E3", "CIS E5 Level 1", "CIS E5", "CIS", "Security", "CIS M365 v6.0.1" {
 It "CIS.M365.5.1.6.2: Ensure that guest user access is restricted" {
 $result = Test-MtCisEnsureGuestAccessRestricted
diff --git a/tests/cis/Test-MtCisEnsureGuestUserDynamicGroup.Tests.ps1 b/tests/cis/Test-MtCisEnsureGuestUserDynamicGroup.Tests.ps1
index a6c1ade09..98bd724e5 100644
--- a/tests/cis/Test-MtCisEnsureGuestUserDynamicGroup.Tests.ps1
+++ b/tests/cis/Test-MtCisEnsureGuestUserDynamicGroup.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.5.1.3.1", "L1", "CIS E3 Level 1", "CIS E3", "CIS E5 Level 1", "CIS E5", "CIS", "Security", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.5.1.3.1", "L1", "CIS E3 Level 1", "CIS E3", "CIS E5 Level 1", "CIS E5", "CIS", "Security", "CIS M365 v6.0.1" {
 It "CIS.M365.5.1.3.1: Ensure a dynamic group for guest users is created" {
 $result = Test-MtCisEnsureGuestUserDynamicGroup
diff --git a/tests/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.Tests.ps1 b/tests/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.Tests.ps1
index 0a462da34..98a4df24a 100644
--- a/tests/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.Tests.ps1
+++ b/tests/cis/Test-MtCisEnsureUserConsentToAppsDisallowed.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.5.1.5.1", "L2", "CIS E3 Level 2", "CIS E3", "CIS E5 Level 2", "CIS E5", "CIS", "Security", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.5.1.5.1", "L2", "CIS E3 Level 2", "CIS E3", "CIS E5 Level 2", "CIS E5", "CIS", "Security", "CIS M365 v6.0.1" {
 It "CIS.M365.5.1.5.1: Ensure user consent to apps accessing company data on their behalf is not allowed" {
 $result = Test-MtCisEnsureUserConsentToAppsDisallowed
diff --git a/tests/cis/Test-MtCisFormsPhishingProtectionEnabled.Tests.ps1 b/tests/cis/Test-MtCisFormsPhishingProtectionEnabled.Tests.ps1
index c9a8479a2..25a4fa2bb 100644
--- a/tests/cis/Test-MtCisFormsPhishingProtectionEnabled.Tests.ps1
+++ b/tests/cis/Test-MtCisFormsPhishingProtectionEnabled.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.1.3.5", "L1", "CIS E3 Level 1", "CIS E3", "CIS E5 Level 1", "CIS E5", "CIS", "Security", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.1.3.5", "L1", "CIS E3 Level 1", "CIS E3", "CIS E5 Level 1", "CIS E5", "CIS", "Security", "CIS M365 v6.0.1" {
 It "CIS.M365.1.3.5: Ensure internal phishing protection for Forms is enabled" {
 $result = Test-MtCisFormsPhishingProtectionEnabled
diff --git a/tests/cis/Test-MtCisGlobalAdminCount.Tests.ps1 b/tests/cis/Test-MtCisGlobalAdminCount.Tests.ps1
index 237c8a6c4..ca8e209f2 100644
--- a/tests/cis/Test-MtCisGlobalAdminCount.Tests.ps1
+++ b/tests/cis/Test-MtCisGlobalAdminCount.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.1.1.3", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.1.1.3", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.1.1.3: Ensure that between two and four global admins are designated" {
 $result = Test-MtCisGlobalAdminCount
diff --git a/tests/cis/Test-MtCisHostedConnectionFilterPolicy.Tests.ps1 b/tests/cis/Test-MtCisHostedConnectionFilterPolicy.Tests.ps1
index 230fa09e5..e9c518feb 100644
--- a/tests/cis/Test-MtCisHostedConnectionFilterPolicy.Tests.ps1
+++ b/tests/cis/Test-MtCisHostedConnectionFilterPolicy.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.2.1.12", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.2.1.12", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.2.1.12: Ensure the connection filter IP allow list is not used (Only Checks Default Policy)" {
 $result = Test-MtCisHostedConnectionFilterPolicy
diff --git a/tests/cis/Test-MtCisInternalMalwareNotification.Tests.ps1 b/tests/cis/Test-MtCisInternalMalwareNotification.Tests.ps1
index b539b7b5a..16ddca869 100644
--- a/tests/cis/Test-MtCisInternalMalwareNotification.Tests.ps1
+++ b/tests/cis/Test-MtCisInternalMalwareNotification.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.2.1.3", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.2.1.3", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.2.1.3: Ensure notifications for internal users sending malware is Enabled (Only Checks Default Policy)" {
 $result = Test-MtCisInternalMalwareNotification
diff --git a/tests/cis/Test-MtCisOutboundSpamFilterPolicy.Tests.ps1 b/tests/cis/Test-MtCisOutboundSpamFilterPolicy.Tests.ps1
index 91fecea5b..585249c67 100644
--- a/tests/cis/Test-MtCisOutboundSpamFilterPolicy.Tests.ps1
+++ b/tests/cis/Test-MtCisOutboundSpamFilterPolicy.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.2.1.6", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.2.1.6", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.2.1.6: Ensure Exchange Online Spam Policies are set to notify administrators (Only Checks Default Policy)" {
 $result = Test-MtCisOutboundSpamFilterPolicy
diff --git a/tests/cis/Test-MtCisPasswordExpiry.Tests.ps1 b/tests/cis/Test-MtCisPasswordExpiry.Tests.ps1
index 1ef30abe3..a6050c3d5 100644
--- a/tests/cis/Test-MtCisPasswordExpiry.Tests.ps1
+++ b/tests/cis/Test-MtCisPasswordExpiry.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.1.3.1", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.1.3.1", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.1.3.1: Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'" {
 $result = Test-MtCisPasswordExpiry
diff --git a/tests/cis/Test-MtCisSafeAntiPhishingPolicy.Tests.ps1 b/tests/cis/Test-MtCisSafeAntiPhishingPolicy.Tests.ps1
index 74687a234..f06fa1232 100644
--- a/tests/cis/Test-MtCisSafeAntiPhishingPolicy.Tests.ps1
+++ b/tests/cis/Test-MtCisSafeAntiPhishingPolicy.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.2.1.7", "L1", "CIS E5 Level 1", "CIS E5", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.2.1.7", "L1", "CIS E5 Level 1", "CIS E5", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.2.1.7: Ensure that an anti-phishing policy has been created (Only Checks Default Policy)" {
 $result = Test-MtCisSafeAntiPhishingPolicy
diff --git a/tests/cis/Test-MtCisSafeAttachment.Tests.ps1 b/tests/cis/Test-MtCisSafeAttachment.Tests.ps1
index 9cbdf3705..bd807fa8e 100644
--- a/tests/cis/Test-MtCisSafeAttachment.Tests.ps1
+++ b/tests/cis/Test-MtCisSafeAttachment.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.2.1.4", "L2", "CIS E5 Level 2", "CIS E5", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.2.1.4", "L2", "CIS E5 Level 2", "CIS E5", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.2.1.4: Ensure Safe Attachments policy is enabled (Only Checks Default Policy)" {
 $result = Test-MtCisSafeAttachment
diff --git a/tests/cis/Test-MtCisSafeAttachmentsAtpPolicy.Tests.ps1 b/tests/cis/Test-MtCisSafeAttachmentsAtpPolicy.Tests.ps1
index 882f68550..4ae14ccc3 100644
--- a/tests/cis/Test-MtCisSafeAttachmentsAtpPolicy.Tests.ps1
+++ b/tests/cis/Test-MtCisSafeAttachmentsAtpPolicy.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.2.1.5", "L2", "CIS E5 Level 2", "CIS E5", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.2.1.5", "L2", "CIS E5 Level 2", "CIS E5", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.2.1.5: Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled" {
 $result = Test-MtCisSafeAttachmentsAtpPolicy
diff --git a/tests/cis/Test-MtCisSafeLink.Tests.ps1 b/tests/cis/Test-MtCisSafeLink.Tests.ps1
index d0ed3b92a..67c8f4238 100644
--- a/tests/cis/Test-MtCisSafeLink.Tests.ps1
+++ b/tests/cis/Test-MtCisSafeLink.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.2.1.1", "L2", "CIS E5 Level 2", "CIS E5", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.2.1.1", "L2", "CIS E5 Level 2", "CIS E5", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.2.1.1: Ensure Safe Links for Office Applications is Enabled (Only Checks Priority 0 Policy)" {
 $result = Test-MtCisSafeLink
diff --git a/tests/cis/Test-MtCisSharedMailboxSignIn.Tests.ps1 b/tests/cis/Test-MtCisSharedMailboxSignIn.Tests.ps1
index 5ca74a6e4..bd3e9e603 100644
--- a/tests/cis/Test-MtCisSharedMailboxSignIn.Tests.ps1
+++ b/tests/cis/Test-MtCisSharedMailboxSignIn.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.1.2.2", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.1.2.2", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.1.2.2: Ensure sign-in to shared mailboxes is blocked" {
 $result = Test-MtCisSharedMailboxSignIn
diff --git a/tests/cis/Test-MtCisTeamsLobbyBypass.Tests.ps1 b/tests/cis/Test-MtCisTeamsLobbyBypass.Tests.ps1
index 1938138c8..c208eaf87 100644
--- a/tests/cis/Test-MtCisTeamsLobbyBypass.Tests.ps1
+++ b/tests/cis/Test-MtCisTeamsLobbyBypass.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.8.5.3", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.8.5.3", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.8.5.3: Ensure only people in my org can bypass the lobby" {
 $result = Test-MtCisTeamsLobbyBypass
diff --git a/tests/cis/Test-MtCisTeamsReportSecurityConcerns.Tests.ps1 b/tests/cis/Test-MtCisTeamsReportSecurityConcerns.Tests.ps1
index 16b713340..311b2f844 100644
--- a/tests/cis/Test-MtCisTeamsReportSecurityConcerns.Tests.ps1
+++ b/tests/cis/Test-MtCisTeamsReportSecurityConcerns.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.8.6.1", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.8.6.1", "L1", "CIS E3 Level 1", "CIS E3", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.8.6.1: Ensure users can report security concerns in Teams to internal destination" {
 $result = Test-MtCisTeamsReportSecurityConcerns
diff --git a/tests/cis/Test-MtCisThirdPartyAndCustomApps.Tests.ps1 b/tests/cis/Test-MtCisThirdPartyAndCustomApps.Tests.ps1
index bb8713ed2..c698875f8 100644
--- a/tests/cis/Test-MtCisThirdPartyAndCustomApps.Tests.ps1
+++ b/tests/cis/Test-MtCisThirdPartyAndCustomApps.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.8.4.1: Ensure all or a majority of third-party and custom apps are blocked" -Tag "CIS.M365.8.4.1", "CIS E3 Level 1" {
 $result = Test-MtCisThirdPartyAndCustomApps
diff --git a/tests/cis/Test-MtCisThirdPartyApplicationsDisallowed.Tests.ps1 b/tests/cis/Test-MtCisThirdPartyApplicationsDisallowed.Tests.ps1
index d88d03fda..7ee212057 100644
--- a/tests/cis/Test-MtCisThirdPartyApplicationsDisallowed.Tests.ps1
+++ b/tests/cis/Test-MtCisThirdPartyApplicationsDisallowed.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.5.1.2.2", "L2", "CIS E3 Level 2", "CIS E3", "CIS E5 Level 2", "CIS E5", "CIS", "Security", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.5.1.2.2", "L2", "CIS E3 Level 2", "CIS E3", "CIS E5 Level 2", "CIS E5", "CIS", "Security", "CIS M365 v6.0.1" {
 It "CIS.M365.5.1.2.2: Ensure third party integrated applications are not allowed" {
 $result = Test-MtCisThirdPartyApplicationsDisallowed
diff --git a/tests/cis/Test-MtCisThirdPartyFileSharing.Tests.ps1 b/tests/cis/Test-MtCisThirdPartyFileSharing.Tests.ps1
index 56e54007e..0f9c2e9b3 100644
--- a/tests/cis/Test-MtCisThirdPartyFileSharing.Tests.ps1
+++ b/tests/cis/Test-MtCisThirdPartyFileSharing.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.8.1.1: Ensure external file sharing in Teams is enabled for only approved cloud storage services" -Tag "CIS.M365.8.1.1", "CIS E3 Level 2" {
 $result = Test-MtCisThirdPartyFileSharing
diff --git a/tests/cis/Test-MtCisThirdPartyStorageServicesRestricted.Tests.ps1 b/tests/cis/Test-MtCisThirdPartyStorageServicesRestricted.Tests.ps1
index c74ddde12..c6320b3aa 100644
--- a/tests/cis/Test-MtCisThirdPartyStorageServicesRestricted.Tests.ps1
+++ b/tests/cis/Test-MtCisThirdPartyStorageServicesRestricted.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.1.3.7", "L2", "CIS E3 Level 2", "CIS E3", "CIS E5 Level 2", "CIS E5", "CIS", "Security", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.1.3.7", "L2", "CIS E3 Level 2", "CIS E3", "CIS E5 Level 2", "CIS E5", "CIS", "Security", "CIS M365 v6.0.1" {
 It "CIS.M365.1.3.7: Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web'" {
 $result = Test-MtCisThirdPartyStorageServicesRestricted
diff --git a/tests/cis/Test-MtCisUserOwnedAppsRestricted.Tests.ps1 b/tests/cis/Test-MtCisUserOwnedAppsRestricted.Tests.ps1
index 7ec1e86fb..ef72c6b50 100644
--- a/tests/cis/Test-MtCisUserOwnedAppsRestricted.Tests.ps1
+++ b/tests/cis/Test-MtCisUserOwnedAppsRestricted.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.1.3.4", "L1", "CIS E3 Level 1", "CIS E3", "CIS E5 Level 1", "CIS E5", "CIS", "Security", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.1.3.4", "L1", "CIS E3 Level 1", "CIS E3", "CIS E5 Level 1", "CIS E5", "CIS", "Security", "CIS M365 v6.0.1" {
 It "CIS.M365.1.3.4: Ensure 'User owned apps and services' is restricted" {
 $result = Test-MtCisUserOwnedAppsRestricted
diff --git a/tests/cis/Test-MtCisWeakAuthenticationMethodsDisabled.Tests.ps1 b/tests/cis/Test-MtCisWeakAuthenticationMethodsDisabled.Tests.ps1
index 52c2eb60f..03b947966 100644
--- a/tests/cis/Test-MtCisWeakAuthenticationMethodsDisabled.Tests.ps1
+++ b/tests/cis/Test-MtCisWeakAuthenticationMethodsDisabled.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.5.2.3.5", "L1", "CIS E3 Level 1", "CIS E3", "CIS E5 Level 1", "CIS E5", "CIS", "Security", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.5.2.3.5", "L1", "CIS E3 Level 1", "CIS E3", "CIS E5 Level 1", "CIS E5", "CIS", "Security", "CIS M365 v6.0.1" {
 It "CIS.M365.5.2.3.5: Ensure weak authentication methods are disabled" {
 $result = Test-MtCisWeakAuthenticationMethodsDisabled
diff --git a/tests/cis/Test-MtCisZAP.Tests.ps1 b/tests/cis/Test-MtCisZAP.Tests.ps1
index b88725cfe..899a9eb0f 100644
--- a/tests/cis/Test-MtCisZAP.Tests.ps1
+++ b/tests/cis/Test-MtCisZAP.Tests.ps1
@@ -1,4 +1,4 @@
-Describe "CIS" -Tag "CIS.M365.2.4.4", "L1", "CIS E5 Level 1", "CIS E5", "CIS", "CIS M365 v5.0.0" {
+Describe "CIS" -Tag "CIS.M365.2.4.4", "L1", "CIS E5 Level 1", "CIS E5", "CIS", "CIS M365 v6.0.1" {
 It "CIS.M365.2.4.4: Ensure Zero-hour auto purge for Microsoft Teams is on (Only Checks ZAP is enabled)" {
 $result = Test-MtCisZAP
diff --git a/website/versioned_docs/version-2.0.0/tests/cis/readme.md b/website/versioned_docs/version-2.0.0/tests/cis/readme.md
index e12517f3f..b3ac0513e 100644
--- a/website/versioned_docs/version-2.0.0/tests/cis/readme.md
+++ b/website/versioned_docs/version-2.0.0/tests/cis/readme.md
@@ -9,7 +9,7 @@ description: Implementation of CIS Microsoft 365 Foundations Benchmark Controls
 ## Overview
-The tests in this section verifies that a Microsoft 365 tenant's configuration conforms to the [CIS Microsoft 365 Foundations Benchmark](https://www.cisecurity.org/benchmark/microsoft_365) recommendations (v5.0.0).
+The tests in this section verify that a Microsoft 365 tenant's configuration conforms to the [CIS Microsoft 365 Foundations Benchmark](https://www.cisecurity.org/benchmark/microsoft_365) recommendations (v6.0.1).
 The CIS published material is shared for these tests as it aligns with their licensing of [CC BY-NC-SA 4.0](https://www.cisecurity.org/terms-and-conditions-table-of-contents).
@@ -29,135 +29,147 @@ N/A below refers to review checks which cannot be automated.
 Obsolete below refers to a check which is no longer valid or required.
 :::
-| Cmdlet Name | CIS Recommendation ID |
-| - | - |
-| [Test-MtCisCloudAdmin](/docs/commands/Test-MtCisCloudAdmin) | 1.1.1 (L1) Ensure Administrative accounts are cloud-only |
-| TBD | 1.1.2 (L1) Ensure two emergency access accounts have been defined |
-| [Test-MtCisGlobalAdminCount](/docs/commands/) | 1.1.3 (L1) Ensure that between two and four global admins are designated |
-| TBD | 1.1.4 (L1) Ensure administrative accounts use licenses with a reduced application footprint |
-| [Test-MtCis365PublicGroup](/docs/commands/) | 1.2.1 (L2) Ensure that only organizationally managed/approved public groups exist |
-| [Test-MtCisSharedMailboxSignIn](/docs/commands/) | 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked |
-| [Test-MtCisPasswordExpiry](/docs/commands/) | 1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)' |
-| TBD | 1.3.2 (L1) Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices |
-| [Test-MtCisCalendarSharing](/docs/commands/) | 1.3.3 (L2) Ensure 'External sharing' of calendars is not available |
-| TBD (MT.1041) | 1.3.4 (L1) Ensure 'User owned apps and services' is restricted |
-| TBD | 1.3.5 (L1) Ensure internal phishing protection for Forms is enabled |
-| [Test-MtCisCustomerLockBox](/docs/commands/) | 1.3.6 (L2) Ensure the customer lockbox feature is enabled |
-| TBD (MT.1040) | 1.3.7 (L2) Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web' |
-| TBD | 1.3.8 (L2) Ensure that Sways cannot be shared with people outside of your organization |
-| [Test-MtCisSafeLink](/docs/commands/) | 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled |
-| [Test-MtCisAttachmentFilter](/docs/commands/) | 2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled |
-| 
[Test-MtCisInternalMalwareNotification](/docs/commands/) | 2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled |
-| [Test-MtCisSafeAttachment](/docs/commands/) | 2.1.4 (L2) Ensure Safe Attachments policy is enabled |
-| [Test-MtCisSafeAttachmentsAtpPolicy](/docs/commands/) | 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled |
-| [Test-MtCisOutboundSpamFilterPolicy](/docs/commands/) | 2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators |
-| [Test-MtCisSafeAntiPhishingPolicy](/docs/commands/) | 2.1.7 (L1) Ensure that an anti-phishing policy has been created |
-| TBD | 2.1.8 (L1) Ensure that SPF records are published for all Exchange Domains |
-| [Test-MtCisDkim](/docs/commands/) | 2.1.9 (L1) Ensure that DKIM is enabled for all Exchange Online Domains |
-| TBD | 2.1.10 (L1) Ensure DMARC Records for all Exchange Online domains are published |
-| [Test-MtCisAttachmentFilterComprehensive](/docs/commands/) | | 2.1.11 (L2) Ensure comprehensive attachment filtering is applied |
-| [Test-MtCisHostedConnectionFilterPolicy](/docs/commands/) | 2.1.12 (L1) Ensure the connection filter IP allow list is not used |
-| [Test-MtCisConnectionFilterSafeList](/docs/commands/) | 2.1.13 (L1) Ensure the connection filter safe list is off |
-| TBD | 2.1.14 (L1) Ensure inbound anti-spam policies do not contain allowed domains |
-| TBD | 2.4.1 (L1) Ensure Priority account protection is enabled and configured |
-| TBD | 2.4.2 (L1) Ensure Priority accounts have 'Strict protection' presets applied |
-| TBD | 2.4.3 (L2) Ensure Microsoft Defender for Cloud Apps is enabled and configured |
-| [Test-MtCisZAP](/docs/commands/) | 2.4.4 (L1) Ensure Zero-hour auto purge for Microsoft Teams is on |
-| [Test-MtCisAuditLogSearch](/docs/commands/) | 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled |
-| TBD | 3.2.1 (L1) Ensure DLP policies are enabled |
-| TBD | 3.2.2 (L1) Ensure DLP policies are 
enabled for Microsoft Teams |
-| TBD | 3.3.1 (L1) Ensure Information Protection sensitivity label policies are published |
-| TBD | 4.1 (L2) Ensure devices without a compliance policy are marked 'not compliant' |
-| TBD | 4.2 (L2) Ensure device enrollment for personally owned devices is blocked by default |
-| TBD | 5.1.2.1 (L1) Ensure 'Per-user MFA' is disabled |
-| TBD | 5.1.2.2 (L2) Ensure third party integrated applications are not allowed |
-| TBD | 5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' |
-| TBD | 5.1.2.4 (L1) Ensure access to the Entra admin center is restricted |
-| TBD | 5.1.2.5 (L2) Ensure the option to remain signed in is hidden |
-| TBD | 5.1.2.6 (L2) Ensure 'LinkedIn account connections' is disabled |
-| TBD | 5.1.3.1 (L1) Ensure a dynamic group for guest users is created |
-| TBD | 5.1.5.1 (L2) Ensure user consent to apps accessing company data on their behalf is not allowed |
-| TBD | 5.1.5.2 (L1) Ensure the admin consent workflow is enabled |
-| TBD | 5.1.6.1 (L2) Ensure that collaboration invitations are sent to allowed domains only |
-| TBD | 5.1.6.2 (L1) Ensure that guest user access is restricted |
-| TBD | 5.1.6.3 (L2) Ensure guest user invitations are limited to the Guest Inviter role |
-| TBD | 5.1.8.1 (L1) Ensure that password hash sync is enabled for hybrid deployments |
-| TBD | 5.2.2.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles |
-| TBD | 5.2.2.2 (L1) Ensure multifactor authentication is enabled for all users |
-| TBD | 5.2.2.3 (L1) Enable Conditional Access policies to block legacy authentication |
-| TBD | 5.2.2.4 (L1) Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users |
-| TBD | 5.2.2.5 (L2) Ensure 'Phishing-resistant MFA strength' is required for Administrators |
-| TBD | 5.2.2.6 (L1) Enable Identity Protection user risk policies |
-| TBD | 5.2.2.7 (L1) Enable Identity Protection sign-in risk 
policies |
-| TBD | 5.2.2.8 (L2) Ensure 'sign-in risk' is blocked for medium and high risk |
-| TBD | 5.2.2.9 (L1) Ensure a managed device is required for authentication |
-| TBD | 5.2.2.10 (L1) Ensure a managed device is required for MFA registration |
-| TBD | 5.2.2.11 (L1) Ensure sign-in frequency for Intune Enrollment is set to 'Every time'|
-| TBD | 5.2.2.12 (L1) Ensure the device code sign-in flow is blocked |
-| TBD | 5.2.3.1 (L1) Ensure Microsoft Authenticator is configured to protect against MFA fatigue |
-| TBD | 5.2.3.2 (L1) Ensure custom banned passwords lists are used |
-| TBD | 5.2.3.3 (L1) Ensure password protection is enabled for on-prem Active Directory |
-| TBD | 5.2.3.4 (L1) Ensure all member users are 'MFA capable' |
-| TBD | 5.2.3.5 (L1) Ensure weak authentication methods are disabled |
-| TBD | 5.2.3.6 (L1) Ensure system-preferred multifactor authentication is enabled |
-| TBD | 5.2.4.1 (L1) Ensure 'Self service password reset enabled' is set to 'All' |
-| TBD | 5.3.1 (L2) Ensure 'Privileged Identity Management' is used to manage roles |
-| TBD | 5.3.2 (L1) Ensure 'Access reviews' for Guest Users are configured |
-| TBD | 5.3.3 (L1) Ensure 'Access reviews' for privileged roles are configured |
-| TBD | 5.3.4 (L1) Ensure approval is required for Global Administrator role activation |
-| TBD | 5.3.5 (L1) Ensure approval is required for Privileged Role Administrator activation |
-| TBD | 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False' |
-| TBD | 6.1.2 (L1) Ensure mailbox audit actions are configured |
-| TBD | 6.1.3 (L1) Ensure 'AuditBypassEnabled' is not enabled on mailboxes |
-| TBD | 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled |
-| TBD | 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains |
-| TBD | 6.2.3 (L1) Ensure email from external senders is identified |
-| TBD | 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed |
-| TBD | 6.5.1 (L1) Ensure modern 
authentication for Exchange Online is enabled |
-| TBD | 6.5.2 (L1) Ensure MailTips are enabled for end users |
-| TBD | 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web |
-| TBD | 6.5.4 (L1) Ensure SMTP AUTH is disabled |
-| TBD | 7.2.1 (L1) Ensure modern authentication for SharePoint applications is required |
-| TBD | 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled |
-| TBD | 7.2.3 (L1) Ensure external content sharing is restricted |
-| TBD | 7.2.4 (L2) Ensure OneDrive content sharing is restricted |
-| TBD | 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own |
-| TBD | 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists |
-| TBD | 7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive |
-| TBD | 7.2.8 (L2) Ensure external sharing is restricted by security group |
-| TBD | 7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically |
-| TBD | 7.2.10 (L1) Ensure reauthentication with verification code is restricted |
-| TBD | 7.2.11 (L1) Ensure the SharePoint default sharing link permission is set |
-| TBD | 7.3.1 (L2) Ensure Office 365 SharePoint infected files are disallowed for download |
-| TBD | 7.3.2 (L2) Ensure OneDrive sync is restricted for unmanaged devices |
-| TBD | 7.3.3 (L1) Ensure custom script execution is restricted on personal sites |
-| TBD | 7.3.4 (L1) Ensure custom script execution is restricted on site collections |
-| [Test-MtCisThirdPartyFileSharing](/docs/commands/) | 8.1.1 (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services |
-| TBD | 8.1.2 (L1) Ensure users can't send emails to a channel email address |
-| TBD | 8.2.1 (L2) Ensure external domains are restricted in the Teams admin center |
-| [Test-MtCisCommunicateWithUnmanagedTeamsUsers](/docs/commands/) | 8.2.2 (L1) Ensure communication with unmanaged Teams users is 
disabled |
-| [Test-MtCisCommunicateWithUnmanagedTeamsUsers](/docs/commands/) | 8.2.3 (L1) Ensure external Teams users cannot initiate conversations |
-| Obsolete | 8.2.4 (L1) Ensure communication with Skype users is disabled |
-| [Test-MtCisThirdPartyAndCustomApps](/docs/commands/) | 8.4.1 (L1) Ensure app permission policies are configured |
-| TBD | 8.5.1 (L2) Ensure anonymous users can't join a meeting |
-| TBD | 8.5.2 (L1) Ensure anonymous users and dial-in callers can't start a meeting |
-| [Test-MtCisTeamsLobbyBypass](/docs/commands/) | 8.5.3 (L1) Ensure only people in my org can bypass the lobby |
-| TBD | 8.5.4 (L1) Ensure users dialing in can't bypass the lobby |
-| TBD | 8.5.5 (L2) Ensure meeting chat does not allow anonymous users |
-| TBD | 8.5.6 (L2) Ensure only organizers and co-organizers can present |
-| TBD | 8.5.7 (L1) Ensure external participants can't give or request control |
-| TBD | 8.5.8 (L2) Ensure external meeting chat is off |
-| TBD | 8.5.9 (L2) Ensure meeting recording is off by default |
-| [Test-MtCisTeamsReportSecurityConcerns](/docs/commands/) | 8.6.1 (L1) Ensure users can report security concerns in Teams |
-| TBD | 9.1.1 (L1) Ensure guest user access is restricted |
-| TBD | 9.1.2 (L1) Ensure external user invitations are restricted |
-| TBD | 9.1.3 (L1) Ensure guest access to content is restricted |
-| TBD | 9.1.4 (L1) Ensure 'Publish to web' is restricted |
-| TBD | 9.1.5 (L2) Ensure 'Interact with and share R and Python' visuals is 'Disabled' |
-| TBD | 9.1.6 (L1) Ensure 'Allow users to apply sensitivity labels for content' is 'Enabled' |
-| TBD | 9.1.7 (L1) Ensure shareable links are restricted |
-| TBD | 9.1.8 (L1) Ensure enabling of external data sharing is restricted |
-| TBD | 9.1.9 (L1) Ensure 'Block ResourceKey Authentication' is 'Enabled' |
-| TBD | 9.1.10 (L1) Ensure access to APIs by Service Principals is restricted |
-| TBD | 9.1.11 (L1) Ensure Service Principals cannot create and use profiles |
-
+| Cmdlet Name | 
CIS Recommendation ID | +| ----------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | +| [Test-MtCisCloudAdmin](/docs/commands/Test-MtCisCloudAdmin) | 1.1.1 (L1) Ensure Administrative accounts are cloud-only | +| TBD | 1.1.2 (L1) Ensure two emergency access accounts have been defined | +| [Test-MtCisGlobalAdminCount](/docs/commands/Test-MtCisGlobalAdminCount) | 1.1.3 (L1) Ensure that between two and four global admins are designated | +| TBD | 1.1.4 (L1) Ensure administrative accounts use licenses with a reduced application footprint | +| [Test-MtCis365PublicGroup](/docs/commands/Test-MtCis365PublicGroup) | 1.2.1 (L2) Ensure that only organizationally managed/approved public groups exist | +| [Test-MtCisSharedMailboxSignIn](/docs/commands/Test-MtCisSharedMailboxSignIn) | 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked | +| [Test-MtCisPasswordExpiry](/docs/commands/Test-MtCisPasswordExpiry) | 1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)' | +| TBD | 1.3.2 (L1) Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices | +| [Test-MtCisCalendarSharing](/docs/commands/Test-MtCisCalendarSharing) | 1.3.3 (L2) Ensure 'External sharing' of calendars is not available | +| [Test-MtCisUserOwnedAppsRestricted](/docs/commands/Test-MtCisUserOwnedAppsRestricted) | 1.3.4 (L1) Ensure 'User owned apps and services' is restricted | +| [Test-MtCisFormsPhishingProtectionEnabled](/docs/commands/Test-MtCisFormsPhishingProtectionEnabled) | 1.3.5 (L1) Ensure internal phishing protection for Forms is enabled | +| [Test-MtCisCustomerLockBox](/docs/commands/Test-MtCisCustomerLockBox) | 1.3.6 (L2) Ensure the customer lockbox feature is enabled | +| 
[Test-MtCisThirdPartyStorageServicesRestricted](/docs/commands/Test-MtCisThirdPartyStorageServicesRestricted) | 1.3.7 (L2) Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web' |
+| TBD | 1.3.8 (L2) Ensure that Sways cannot be shared with people outside of your organization |
+| TBD | 1.3.9 (L1) Ensure shared bookings pages are restricted to select users |
+| [Test-MtCisSafeLink](/docs/commands/Test-MtCisSafeLink) | 2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled |
+| [Test-MtCisAttachmentFilter](/docs/commands/Test-MtCisAttachmentFilter) | 2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled |
+| [Test-MtCisInternalMalwareNotification](/docs/commands/Test-MtCisInternalMalwareNotification) | 2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled |
+| [Test-MtCisSafeAttachment](/docs/commands/Test-MtCisSafeAttachment) | 2.1.4 (L2) Ensure Safe Attachments policy is enabled |
+| [Test-MtCisSafeAttachmentsAtpPolicy](/docs/commands/Test-MtCisSafeAttachmentsAtpPolicy) | 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled |
+| [Test-MtCisOutboundSpamFilterPolicy](/docs/commands/Test-MtCisOutboundSpamFilterPolicy) | 2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators |
+| [Test-MtCisSafeAntiPhishingPolicy](/docs/commands/Test-MtCisSafeAntiPhishingPolicy) | 2.1.7 (L1) Ensure that an anti-phishing policy has been created |
+| TBD | 2.1.8 (L1) Ensure that SPF records are published for all Exchange Domains |
+| [Test-MtCisDkim](/docs/commands/Test-MtCisDkim) | 2.1.9 (L1) Ensure that DKIM is enabled for all Exchange Online Domains |
+| TBD | 2.1.10 (L1) Ensure DMARC Records for all Exchange Online domains are published |
+| [Test-MtCisAttachmentFilterComprehensive](/docs/commands/Test-MtCisAttachmentFilterComprehensive) | 2.1.11 (L2) Ensure comprehensive attachment filtering is applied |
+| 
[Test-MtCisHostedConnectionFilterPolicy](/docs/commands/Test-MtCisHostedConnectionFilterPolicy) | 2.1.12 (L1) Ensure the connection filter IP allow list is not used |
+| [Test-MtCisConnectionFilterSafeList](/docs/commands/Test-MtCisConnectionFilterSafeList) | 2.1.13 (L1) Ensure the connection filter safe list is off |
+| TBD | 2.1.14 (L1) Ensure inbound anti-spam policies do not contain allowed domains |
+| TBD | 2.1.15 (L1) Ensure outbound anti-spam message limits are in place |
+| TBD | 2.2.1 (L1) Ensure emergency access account activity is monitored |
+| TBD | 2.4.1 (L1) Ensure Priority account protection is enabled and configured |
+| TBD | 2.4.2 (L1) Ensure Priority accounts have 'Strict protection' presets applied |
+| TBD | 2.4.3 (L2) Ensure Microsoft Defender for Cloud Apps is enabled and configured |
+| [Test-MtCisZAP](/docs/commands/Test-MtCisZAP) | 2.4.4 (L1) Ensure Zero-hour auto purge for Microsoft Teams is on |
+| [Test-MtCisAuditLogSearch](/docs/commands/Test-MtCisAuditLogSearch) | 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled |
+| TBD | 3.2.1 (L1) Ensure DLP policies are enabled |
+| TBD | 3.2.2 (L1) Ensure DLP policies are enabled for Microsoft Teams |
+| TBD | 3.3.1 (L1) Ensure Information Protection sensitivity label policies are published |
+| [Test-MtCisDevicesWithoutCompliancePolicyMarked](/docs/commands/Test-MtCisDevicesWithoutCompliancePolicyMarked) | 4.1 (L2) Ensure devices without a compliance policy are marked 'not compliant' |
+| TBD | 4.2 (L2) Ensure device enrollment for personally owned devices is blocked by default |
+| TBD | 5.1.2.1 (L1) Ensure 'Per-user MFA' is disabled |
+| [Test-MtCisThirdPartyApplicationsDisallowed](/docs/commands/Test-MtCisThirdPartyApplicationsDisallowed) | 5.1.2.2 (L2) Ensure third party integrated applications are not allowed |
+| [Test-MtCisCreateTenantDisallowed](/docs/commands/Test-MtCisCreateTenantDisallowed) | 5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 
'Yes' | +| TBD | 5.1.2.4 (L1) Ensure access to the Entra admin center is restricted | +| TBD | 5.1.2.5 (L2) Ensure the option to remain signed in is hidden | +| TBD | 5.1.2.6 (L2) Ensure 'LinkedIn account connections' is disabled | +| [Test-MtCisEnsureGuestUserDynamicGroup](/docs/commands/Test-MtCisEnsureGuestUserDynamicGroup) | 5.1.3.1 (L1) Ensure a dynamic group for guest users is created | +| TBD | 5.1.3.2 (L1) Ensure users cannot create security groups | +| TBD | 5.1.4.1 (L2) Ensure the ability to join devices to Entra is restricted | +| TBD | 5.1.4.2 (L1) Ensure the maximum number of devices per user is limited | +| TBD | 5.1.4.3 (L1) Ensure the GA role is not added as a local administrator during Entra join | +| TBD | 5.1.4.4 (L1) Ensure local administrator assignment is limited during Entra join | +| TBD | 5.1.4.5 (L1) Ensure Local Administrator Password Solution is enabled | +| TBD | 5.1.4.6 (L2) Ensure users are restricted from recovering BitLocker keys | +| [Test-MtCisEnsureUserConsentToAppsDisallowed](/docs/commands/Test-MtCisEnsureUserConsentToAppsDisallowed) | 5.1.5.1 (L2) Ensure user consent to apps accessing company data on their behalf is not allowed | +| [Test-MtCisAdminConsentWorkflowEnabled](/docs/commands/Test-MtCisAdminConsentWorkflowEnabled) | 5.1.5.2 (L1) Ensure the admin consent workflow is enabled | +| TBD | 5.1.6.1 (L2) Ensure that collaboration invitations are sent to allowed domains only | +| [Test-MtCisEnsureGuestAccessRestricted](/docs/commands/Test-MtCisEnsureGuestAccessRestricted) | 5.1.6.2 (L1) Ensure that guest user access is restricted | +| TBD | 5.1.6.3 (L2) Ensure guest user invitations are limited to the Guest Inviter role | +| TBD | 5.1.8.1 (L1) Ensure that password hash sync is enabled for hybrid deployments | +| TBD | 5.2.2.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles | +| TBD | 5.2.2.2 (L1) Ensure multifactor authentication is enabled for all users | +| TBD | 5.2.2.3 (L1) Enable 
Conditional Access policies to block legacy authentication | +| TBD | 5.2.2.4 (L1) Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users | +| TBD | 5.2.2.5 (L2) Ensure 'Phishing-resistant MFA strength' is required for Administrators | +| TBD | 5.2.2.6 (L1) Enable Identity Protection user risk policies | +| TBD | 5.2.2.7 (L1) Enable Identity Protection sign-in risk policies | +| TBD | 5.2.2.8 (L2) Ensure 'sign-in risk' is blocked for medium and high risk | +| TBD | 5.2.2.9 (L1) Ensure a managed device is required for authentication | +| TBD | 5.2.2.10 (L1) Ensure a managed device is required for MFA registration | +| TBD | 5.2.2.11 (L1) Ensure sign-in frequency for Intune Enrollment is set to 'Every time' | +| TBD | 5.2.2.12 (L1) Ensure the device code sign-in flow is blocked | +| TBD | 5.2.3.1 (L1) Ensure Microsoft Authenticator is configured to protect against MFA fatigue | +| TBD | 5.2.3.2 (L1) Ensure custom banned passwords lists are used | +| TBD | 5.2.3.3 (L1) Ensure password protection is enabled for on-prem Active Directory | +| TBD | 5.2.3.4 (L1) Ensure all member users are 'MFA capable' | +| [Test-MtCisWeakAuthenticationMethodsDisabled](/docs/commands/Test-MtCisWeakAuthenticationMethodsDisabled) | 5.2.3.5 (L1) Ensure weak authentication methods are disabled | +| TBD | 5.2.3.6 (L1) Ensure system-preferred multifactor authentication is enabled | +| TBD | 5.2.3.7 (L2) Ensure the email OTP authentication method is disabled | +| TBD | 5.2.4.1 (L1) Ensure 'Self service password reset enabled' is set to 'All' | +| TBD | 5.3.1 (L2) Ensure 'Privileged Identity Management' is used to manage roles | +| TBD | 5.3.2 (L1) Ensure 'Access reviews' for Guest Users are configured | +| TBD | 5.3.3 (L1) Ensure 'Access reviews' for privileged roles are configured | +| TBD | 5.3.4 (L1) Ensure approval is required for Global Administrator role activation | +| TBD | 5.3.5 (L1) Ensure approval is required for Privileged Role 
Administrator activation | +| TBD | 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False' | +| TBD | 6.1.2 (L1) Ensure mailbox audit actions are configured | +| TBD | 6.1.3 (L1) Ensure 'AuditBypassEnabled' is not enabled on mailboxes | +| TBD | 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled | +| TBD | 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains | +| TBD | 6.2.3 (L1) Ensure email from external senders is identified | +| TBD | 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed | +| TBD | 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled | +| TBD | 6.5.2 (L1) Ensure MailTips are enabled for end users | +| TBD | 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web | +| TBD | 6.5.4 (L1) Ensure SMTP AUTH is disabled | +| TBD | 6.5.5 (L2) Ensure Direct Send submissions are rejected | +| TBD | 7.2.1 (L1) Ensure modern authentication for SharePoint applications is required | +| TBD | 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled | +| TBD | 7.2.3 (L1) Ensure external content sharing is restricted | +| TBD | 7.2.4 (L2) Ensure OneDrive content sharing is restricted | +| TBD | 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own | +| TBD | 7.2.6 (L2) Ensure SharePoint external sharing is restricted | +| TBD | 7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive | +| TBD | 7.2.8 (L2) Ensure external sharing is restricted by security group | +| TBD | 7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically | +| TBD | 7.2.10 (L1) Ensure reauthentication with verification code is restricted | +| TBD | 7.2.11 (L1) Ensure the SharePoint default sharing link permission is set | +| TBD | 7.3.1 (L2) Ensure Office 365 SharePoint infected files are disallowed for download | +| TBD | 7.3.2 (L2) Ensure OneDrive sync is restricted for unmanaged devices 
| +| Obsolete | 7.3.3 (L1) Ensure custom script execution is restricted on personal sites - Setting now unavailable in SharePoint | +| Obsolete | 7.3.4 (L1) Ensure custom script execution is restricted on site collections - Property is automatically disabled by MS after 24 hours | +| [Test-MtCisThirdPartyFileSharing](/docs/commands/Test-MtCisThirdPartyFileSharing) | 8.1.1 (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services | +| TBD | 8.1.2 (L1) Ensure users can't send emails to a channel email address | +| TBD | 8.2.1 (L2) Ensure external domains are restricted in the Teams admin center | +| [Test-MtCisCommunicateWithUnmanagedTeamsUsers](/docs/commands/Test-MtCisCommunicateWithUnmanagedTeamsUsers) | 8.2.2 (L1) Ensure communication with unmanaged Teams users is disabled | +| [Test-MtCisCommunicateInitiateExternalTeamsUsers](/docs/commands/Test-MtCisCommunicateInitiateExternalTeamsUsers) | 8.2.3 (L1) Ensure external Teams users cannot initiate conversations | +| TBD | 8.2.4 (L1) Ensure the organization cannot communicate with accounts in trial Teams tenants | +| [Test-MtCisThirdPartyAndCustomApps](/docs/commands/Test-MtCisThirdPartyAndCustomApps) | 8.4.1 (L1) Ensure app permission policies are configured | +| TBD | 8.5.1 (L2) Ensure anonymous users can't join a meeting | +| TBD | 8.5.2 (L1) Ensure anonymous users and dial-in callers can't start a meeting | +| [Test-MtCisTeamsLobbyBypass](/docs/commands/Test-MtCisTeamsLobbyBypass) | 8.5.3 (L1) Ensure only people in my org can bypass the lobby | +| TBD | 8.5.4 (L1) Ensure users dialing in can't bypass the lobby | +| TBD | 8.5.5 (L2) Ensure meeting chat does not allow anonymous users | +| TBD | 8.5.6 (L2) Ensure only organizers and co-organizers can present | +| TBD | 8.5.7 (L1) Ensure external participants can't give or request control | +| TBD | 8.5.8 (L2) Ensure external meeting chat is off | +| TBD | 8.5.9 (L2) Ensure meeting recording is off by default | +| 
[Test-MtCisTeamsReportSecurityConcerns](/docs/commands/Test-MtCisTeamsReportSecurityConcerns) | 8.6.1 (L1) Ensure users can report security concerns in Teams | +| TBD | 9.1.1 (L1) Ensure guest user access is restricted | +| TBD | 9.1.2 (L1) Ensure external user invitations are restricted | +| TBD | 9.1.3 (L1) Ensure guest access to content is restricted | +| TBD | 9.1.4 (L1) Ensure 'Publish to web' is restricted | +| TBD | 9.1.5 (L2) Ensure 'Interact with and share R and Python' visuals is 'Disabled' | +| TBD | 9.1.6 (L1) Ensure 'Allow users to apply sensitivity labels for content' is 'Enabled' | +| TBD | 9.1.7 (L1) Ensure shareable links are restricted | +| TBD | 9.1.8 (L1) Ensure enabling of external data sharing is restricted | +| TBD | 9.1.9 (L1) Ensure 'Block ResourceKey Authentication' is 'Enabled' | +| TBD | 9.1.10 (L1) Ensure access to APIs by Service Principals is restricted | +| TBD | 9.1.11 (L1) Ensure Service Principals cannot create and use profiles | +| TBD | 9.1.12 (L1) Ensure service principals ability to create workspaces, connections and deployment pipelines is restricted |