vibecoding/M365FoundationsCISReport
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add: Get-ExoOutput function and updated tests

Browse Source
This commit is contained in:
DrIOS
2024-06-23 14:28:51 -05:00
parent 90c5b95f35
commit 381b8ebeb8
20 changed files with 239 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

235
source/Private/Get-ExoOutput.ps1
View File

@@ -23,6 +23,33 @@ function Get-ExoOutput {
begin { begin {
# Begin Block # # Begin Block #
<#
1.2.2
1.3.3
1.3.6
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.9
3.1.1
6.1.1
6.1.2
6.1.3
6.2.1
6.2.2
6.2.3
6.3.1
6.5.1
6.5.2
6.5.3
8.6.1
$testNumbers = @('1.2.2', '1.3.3', '1.3.6', '2.1.1', '2.1.2', '2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '3.1.1', '6.1.1', '6.1.2', '6.1.3', '6.2.1', '6.2.2', '6.2.3', '6.3.1', '6.5.1', '6.5.2', '6.5.3', '8.6.1')
#>
} }
process { process {
switch ($Rec) { switch ($Rec) {
@@ -94,25 +121,195 @@ function Get-ExoOutput {
# [bool] # [bool]
return $result return $result
} }
'2.1.3' { Write-Output "Matched 2.1.3" } '2.1.3' {
'2.1.4' { Write-Output "Matched 2.1.4" } # Test-NotifyMalwareInternal.ps1
'2.1.5' { Write-Output "Matched 2.1.5" } # 2.1.3 Ensure notifications for internal users sending malware is Enabled
'2.1.6' { Write-Output "Matched 2.1.6" }
'2.1.7' { Write-Output "Matched 2.1.7" } # Retrieve all 'Custom' malware filter policies and check notification settings
'2.1.9' { Write-Output "Matched 2.1.9" } $malwareNotifications = Get-MalwareFilterPolicy | Where-Object { $_.RecommendedPolicyType -eq 'Custom' }
'3.1.1' { Write-Output "Matched 3.1.1" } # [object[]]
'6.1.1' { Write-Output "Matched 6.1.1" } return $malwareNotifications
'6.1.2' { Write-Output "Matched 6.1.2" } }
'6.1.3' { Write-Output "Matched 6.1.3" } '2.1.4' {
'6.2.1' { Write-Output "Matched 6.2.1" } # Test-SafeAttachmentsPolicy.ps1
'6.2.2' { Write-Output "Matched 6.2.2" } if (Get-Command Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue) {
'6.2.3' { Write-Output "Matched 6.2.3" } # Retrieve all Safe Attachment policies where Enable is set to True
'6.3.1' { Write-Output "Matched 6.3.1" } # Check if ErrorAction needed below
'6.5.1' { Write-Output "Matched 6.5.1" } $safeAttachmentPolicies = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue | Where-Object { $_.Enable -eq $true }
'6.5.2' { Write-Output "Matched 6.5.2" } # [object[]]
'6.5.3' { Write-Output "Matched 6.5.3" } return $safeAttachmentPolicies
'8.6.1' { Write-Output "Matched 8.6.1" } else {
default { Write-Output "No match found" } return 1
}
}
}
'2.1.5' {
# Test-SafeAttachmentsTeams.ps1
if (Get-Command Get-AtpPolicyForO365 -ErrorAction SilentlyContinue) {
# 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
# Retrieve the ATP policies for Office 365 and check Safe Attachments settings
$atpPolicies = Get-AtpPolicyForO365
# Check if the required ATP policies are enabled
$atpPolicyResult = $atpPolicies | Where-Object {
$_.EnableATPForSPOTeamsODB -eq $true -and
$_.EnableSafeDocs -eq $true -and
$_.AllowSafeDocsOpen -eq $false
}
# [psobject[]]
return $atpPolicyResult
}
else {
return 1
}
}
'2.1.6' {
# Test-SpamPolicyAdminNotify.ps1
# Retrieve the default hosted outbound spam filter policy
$hostedOutboundSpamFilterPolicy = Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.IsDefault -eq $true }
return $hostedOutboundSpamFilterPolicy
}
'2.1.7' {
# Test-AntiPhishingPolicy.ps1
# Condition A: Ensure that an anti-phishing policy has been created
$antiPhishPolicies = Get-AntiPhishPolicy
return $antiPhishPolicies
}
'2.1.9' {
# Test-EnableDKIM.ps1
# 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains
# Retrieve DKIM configuration for all domains
$dkimConfig = Get-DkimSigningConfig | Select-Object Domain, Enabled
# [object[]]
return $dkimConfig
}
'3.1.1' {
# Test-AuditLogSearch.ps1
# 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
# Retrieve the audit log configuration
$auditLogConfig = Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
#
$auditLogResult = $auditLogConfig.UnifiedAuditLogIngestionEnabled
# [bool]
return $auditLogResult
}
'6.1.1' {
# Test-AuditDisabledFalse.ps1
# 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
# Retrieve the AuditDisabled configuration (Condition B)
$auditDisabledConfig = Get-OrganizationConfig | Select-Object AuditDisabled
# [bool]
$auditNotDisabled = -not $auditDisabledConfig.AuditDisabled
return $auditNotDisabled
}
'6.1.2' {
# Test-MailboxAuditingE3.ps1
$mailboxes = Get-EXOMailbox -PropertySets Audit
# [object[]]
return $mailboxes
}
'6.1.3' {
# Test-MailboxAuditingE5.ps1
$mailboxes = Get-EXOMailbox -PropertySets Audit
# [object[]]
return $mailboxes
}
'6.2.1' {
# Test-BlockMailForwarding.ps1
# 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
# Step 1: Retrieve the transport rules that redirect messages
$transportRules = Get-TransportRule | Where-Object { $null -ne $_.RedirectMessageTo }
if ($null -eq $transportRules) {
$transportRules = 1
}
# Step 2: Check all anti-spam outbound policies
$outboundSpamPolicies = Get-HostedOutboundSpamFilterPolicy
$nonCompliantSpamPolicies = $outboundSpamPolicies | Where-Object { $_.AutoForwardingMode -ne 'Off' }
return $transportRules, $nonCompliantSpamPolicies
}
'6.2.2' {
# Test-NoWhitelistDomains.ps1
# 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains
# Retrieve transport rules that whitelist specific domains
# Condition A: Checking for transport rules that whitelist specific domains
# [object[]]
$whitelistedRules = Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs }
return $whitelistedRules
}
'6.2.3' {
# Test-IdentifyExternalEmail.ps1
# 6.2.3 (L1) Ensure email from external senders is identified
# Retrieve external sender tagging configuration
# [object[]]
$externalInOutlook = Get-ExternalInOutlook
return $externalInOutlook
}
'6.3.1' {
# Test-RestrictOutlookAddins.ps1
# 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed
$customPolicyFailures = @()
# Check all mailboxes for custom policies with unallowed add-ins
$roleAssignmentPolicies = Get-EXOMailbox | Select-Object -Unique RoleAssignmentPolicy
if ($roleAssignmentPolicies.RoleAssignmentPolicy) {
foreach ($policy in $roleAssignmentPolicies) {
if ($policy.RoleAssignmentPolicy) {
$rolePolicyDetails = Get-RoleAssignmentPolicy -Identity $policy.RoleAssignmentPolicy
$foundRoles = $rolePolicyDetails.AssignedRoles | Where-Object { $_ -in $relevantRoles }
# Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are not assigned to users.
if ($foundRoles) {
$customPolicyFailures += "Policy: $($policy.RoleAssignmentPolicy): Roles: $($foundRoles -join ', ')"
}
}
}
}
# Check Default Role Assignment Policy
$defaultPolicy = Get-RoleAssignmentPolicy "Default Role Assignment Policy"
return $customPolicyFailures, $defaultPolicy
}
'6.5.1' {
# Test-ModernAuthExchangeOnline.ps1
# Ensuring the ExchangeOnlineManagement module is available
# 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
# Check modern authentication setting in Exchange Online configuration (Condition A and B)
$orgConfig = Get-OrganizationConfig | Select-Object -Property Name, OAuth2ClientProfileEnabled
return $orgConfig
}
'6.5.2' {
# Test-MailTipsEnabled.ps1
# 6.5.2 (L2) Ensure MailTips are enabled for end users
# Retrieve organization configuration for MailTips settings
# [object]
$orgConfig = Get-OrganizationConfig | Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled, MailTipsLargeAudienceThreshold
return $orgConfig
}
'6.5.3' {
# Test-RestrictStorageProvidersOutlook.ps1
# 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web
# Retrieve all OwaMailbox policies
# [object[]]
$owaPolicies = Get-OwaMailboxPolicy
return $owaPolicies
}
'8.6.1' {
# Test-ReportSecurityInTeams.ps1
# 8.6.1 (L1) Ensure users can report security concerns in Teams
# Retrieve the necessary settings for Teams and Exchange Online
# Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal.
# Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses.
$ReportSubmissionPolicy = Get-ReportSubmissionPolicy | Select-Object -Property ReportJunkToCustomizedAddress, ReportNotJunkToCustomizedAddress, ReportPhishToCustomizedAddress, ReportChatMessageToCustomizedAddressEnabled
return $ReportSubmissionPolicy
}
default { throw "No match found for test: $Rec" }
} }
} }
end { end {

2
source/tests/Test-AntiPhishingPolicy.ps1
View File

@@ -34,7 +34,7 @@ function Test-AntiPhishingPolicy {
try { try {
# Condition A: Ensure that an anti-phishing policy has been created # Condition A: Ensure that an anti-phishing policy has been created
$antiPhishPolicies = Get-AntiPhishPolicy $antiPhishPolicies = Get-ExoOutput -Rec $recnum
# Condition B: Verify the anti-phishing policy settings using PowerShell # Condition B: Verify the anti-phishing policy settings using PowerShell
$validatedPolicies = $antiPhishPolicies | Where-Object { $validatedPolicies = $antiPhishPolicies | Where-Object {

3
source/tests/Test-AuditDisabledFalse.ps1
View File

@@ -35,8 +35,7 @@ function Test-AuditDisabledFalse {
# 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False' # 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
# Retrieve the AuditDisabled configuration (Condition B) # Retrieve the AuditDisabled configuration (Condition B)
$auditDisabledConfig = Get-OrganizationConfig | Select-Object AuditDisabled $auditNotDisabled = Get-ExoOutput -Rec $recnum
$auditNotDisabled = -not $auditDisabledConfig.AuditDisabled
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $auditNotDisabled) { $failureReasons = if (-not $auditNotDisabled) {

4
source/tests/Test-AuditLogSearch.ps1
View File

@@ -36,9 +36,7 @@ function Test-AuditLogSearch {
try { try {
# 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled # 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
# Retrieve the audit log configuration $auditLogResult = Get-ExoOutput -Rec $recnum
$auditLogConfig = Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
$auditLogResult = $auditLogConfig.UnifiedAuditLogIngestionEnabled
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $auditLogResult) { $failureReasons = if (-not $auditLogResult) {

6
source/tests/Test-BlockMailForwarding.ps1
View File

@@ -35,12 +35,10 @@ function Test-BlockMailForwarding {
# 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled # 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
# Step 1: Retrieve the transport rules that redirect messages # Step 1: Retrieve the transport rules that redirect messages
$transportRules = Get-TransportRule | Where-Object { $null -ne $_.RedirectMessageTo } $transportRules,$nonCompliantSpamPolicies = Get-ExoOutput -Rec $recnum
$transportForwardingBlocked = $transportRules.Count -eq 0 $transportForwardingBlocked = $transportRules.Count -eq 0
# Step 2: Check all anti-spam outbound policies # Step 2: Check all anti-spam outbound policies
$outboundSpamPolicies = Get-HostedOutboundSpamFilterPolicy
$nonCompliantSpamPolicies = $outboundSpamPolicies | Where-Object { $_.AutoForwardingMode -ne 'Off' }
$nonCompliantSpamPoliciesArray = @($nonCompliantSpamPolicies) $nonCompliantSpamPoliciesArray = @($nonCompliantSpamPolicies)
$spamForwardingBlocked = $nonCompliantSpamPoliciesArray.Count -eq 0 $spamForwardingBlocked = $nonCompliantSpamPoliciesArray.Count -eq 0
@@ -51,7 +49,7 @@ function Test-BlockMailForwarding {
$failureReasons = @() $failureReasons = @()
$details = @() $details = @()
if ($transportRules.Count -gt 0) { if ($transportRules -ne 1) {
# Fail Condition A # Fail Condition A
$failureReasons += "Mail forwarding rules found: $($transportRules.Name -join ', ')" $failureReasons += "Mail forwarding rules found: $($transportRules.Name -join ', ')"
$details += "Transport Rules Details:`nRule Name|Redirects To" $details += "Transport Rules Details:`nRule Name|Redirects To"

3
source/tests/Test-CommonAttachmentFilter.ps1
View File

@@ -38,8 +38,7 @@ function Test-CommonAttachmentFilter {
# Condition B: Using Exchange Online PowerShell, verify that the `EnableFileFilter` property of the default malware filter policy is set to `True`. # Condition B: Using Exchange Online PowerShell, verify that the `EnableFileFilter` property of the default malware filter policy is set to `True`.
# Retrieve the attachment filter policy # Retrieve the attachment filter policy
$attachmentFilter = Get-MalwareFilterPolicy -Identity Default | Select-Object EnableFileFilter $result = Get-ExoOutput -Rec $recnum
$result = $attachmentFilter.EnableFileFilter
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $result) { $failureReasons = if (-not $result) {

2
source/tests/Test-EnableDKIM.ps1
View File

@@ -36,7 +36,7 @@ function Test-EnableDKIM {
# 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains # 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains
# Retrieve DKIM configuration for all domains # Retrieve DKIM configuration for all domains
$dkimConfig = Get-DkimSigningConfig | Select-Object Domain, Enabled $dkimConfig = Get-ExoOutput -Rec $recnum
$dkimResult = ($dkimConfig | ForEach-Object { $_.Enabled }) -notcontains $false $dkimResult = ($dkimConfig | ForEach-Object { $_.Enabled }) -notcontains $false
$dkimFailedDomains = $dkimConfig | Where-Object { -not $_.Enabled } | ForEach-Object { $_.Domain } $dkimFailedDomains = $dkimConfig | Where-Object { -not $_.Enabled } | ForEach-Object { $_.Domain }

2
source/tests/Test-IdentifyExternalEmail.ps1
View File

@@ -36,7 +36,7 @@ function Test-IdentifyExternalEmail {
# 6.2.3 (L1) Ensure email from external senders is identified # 6.2.3 (L1) Ensure email from external senders is identified
# Retrieve external sender tagging configuration # Retrieve external sender tagging configuration
$externalInOutlook = Get-ExternalInOutlook $externalInOutlook = Get-ExoOutput -Rec $recnum
$externalTaggingEnabled = ($externalInOutlook | ForEach-Object { $_.Enabled }) -contains $true $externalTaggingEnabled = ($externalInOutlook | ForEach-Object { $_.Enabled }) -contains $true
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance

2
source/tests/Test-MailTipsEnabled.ps1
View File

@@ -38,7 +38,7 @@ function Test-MailTipsEnabled {
# 6.5.2 (L2) Ensure MailTips are enabled for end users # 6.5.2 (L2) Ensure MailTips are enabled for end users
# Retrieve organization configuration for MailTips settings # Retrieve organization configuration for MailTips settings
$orgConfig = Get-OrganizationConfig | Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled, MailTipsLargeAudienceThreshold $orgConfig = Get-ExoOutput -Rec $recnum
# Check the MailTips settings (Conditions A, B, C, D) # Check the MailTips settings (Conditions A, B, C, D)
$allTipsEnabled = $orgConfig.MailTipsAllTipsEnabled -and $orgConfig.MailTipsGroupMetricsEnabled -and $orgConfig.MailTipsLargeAudienceThreshold -eq 25 $allTipsEnabled = $orgConfig.MailTipsAllTipsEnabled -and $orgConfig.MailTipsGroupMetricsEnabled -and $orgConfig.MailTipsLargeAudienceThreshold -eq 25

2
source/tests/Test-MailboxAuditingE3.ps1
View File

@@ -45,7 +45,7 @@ function Test-MailboxAuditingE3 {
process { process {
if ($null -ne $allUsers) { if ($null -ne $allUsers) {
$mailboxes = Get-EXOMailbox -PropertySets Audit $mailboxes = Get-ExoOutput -Rec $recnum
try { try {
foreach ($user in $allUsers) { foreach ($user in $allUsers) {
if ($processedUsers.ContainsKey($user.UserPrincipalName)) { if ($processedUsers.ContainsKey($user.UserPrincipalName)) {

2
source/tests/Test-MailboxAuditingE5.ps1
View File

@@ -40,7 +40,7 @@ function Test-MailboxAuditingE5 {
process { process {
if ($null -ne $allUsers) { if ($null -ne $allUsers) {
$mailboxes = Get-EXOMailbox -PropertySets Audit $mailboxes = Get-ExoOutput -Rec $recnum
try { try {
foreach ($user in $allUsers) { foreach ($user in $allUsers) {
if ($processedUsers.ContainsKey($user.UserPrincipalName)) { if ($processedUsers.ContainsKey($user.UserPrincipalName)) {

4
source/tests/Test-ModernAuthExchangeOnline.ps1
View File

@@ -31,12 +31,10 @@ function Test-ModernAuthExchangeOnline {
process { process {
try { try {
# Ensuring the ExchangeOnlineManagement module is available
# 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled # 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
# Check modern authentication setting in Exchange Online configuration (Condition A and B) # Check modern authentication setting in Exchange Online configuration (Condition A and B)
$orgConfig = Get-OrganizationConfig | Select-Object -Property Name, OAuth2ClientProfileEnabled $orgConfig = Get-ExoOutput -Rec $recnum
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $orgConfig.OAuth2ClientProfileEnabled) { $failureReasons = if (-not $orgConfig.OAuth2ClientProfileEnabled) {

3
source/tests/Test-NoWhitelistDomains.ps1
View File

@@ -38,8 +38,7 @@ function Test-NoWhitelistDomains {
# Retrieve transport rules that whitelist specific domains # Retrieve transport rules that whitelist specific domains
# Condition A: Checking for transport rules that whitelist specific domains # Condition A: Checking for transport rules that whitelist specific domains
$whitelistedRules = Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs } $whitelistedRules = Get-ExoOutput -Rec $recnum
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
# Condition B: Prepare failure reasons based on the presence of whitelisted rules # Condition B: Prepare failure reasons based on the presence of whitelisted rules
$failureReasons = if ($whitelistedRules) { $failureReasons = if ($whitelistedRules) {

2
source/tests/Test-NotifyMalwareInternal.ps1
View File

@@ -34,7 +34,7 @@ function Test-NotifyMalwareInternal {
# 2.1.3 Ensure notifications for internal users sending malware is Enabled # 2.1.3 Ensure notifications for internal users sending malware is Enabled
# Retrieve all 'Custom' malware filter policies and check notification settings # Retrieve all 'Custom' malware filter policies and check notification settings
$malwareNotifications = Get-MalwareFilterPolicy | Where-Object { $_.RecommendedPolicyType -eq 'Custom' } $malwareNotifications = Get-ExoOutput -Rec $recnum
# Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `True` and includes at least one valid email address for notifications. # Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `True` and includes at least one valid email address for notifications.
$policiesToReport = @() $policiesToReport = @()

5
source/tests/Test-ReportSecurityInTeams.ps1
View File

@@ -16,16 +16,15 @@ function Test-ReportSecurityInTeams {
process { process {
try { try {
# Test-ReportSecurityInTeams.ps1
# 8.6.1 (L1) Ensure users can report security concerns in Teams # 8.6.1 (L1) Ensure users can report security concerns in Teams
# Retrieve the necessary settings for Teams and Exchange Online # Retrieve the necessary settings for Teams and Exchange Online
# Condition A: Ensure the 'Report a security concern' setting in the Teams admin center is set to 'On'. # Condition A: Ensure the 'Report a security concern' setting in the Teams admin center is set to 'On'.
$CsTeamsMessagingPolicy = Get-CsTeamsMessagingPolicy -Identity Global | Select-Object -Property AllowSecurityEndUserReporting $CsTeamsMessagingPolicy = Get-CsTeamsMessagingPolicy -Identity Global | Select-Object -Property AllowSecurityEndUserReporting
# Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal. # Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal.
# Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses. # Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses.
$ReportSubmissionPolicy = Get-ReportSubmissionPolicy | Select-Object -Property ReportJunkToCustomizedAddress, ReportNotJunkToCustomizedAddress, ReportPhishToCustomizedAddress, ReportChatMessageToCustomizedAddressEnabled $ReportSubmissionPolicy = Get-ExoOutput -Rec $recnum
# Check if all the required settings are enabled # Check if all the required settings are enabled
$securityReportEnabled = $CsTeamsMessagingPolicy.AllowSecurityEndUserReporting -and $securityReportEnabled = $CsTeamsMessagingPolicy.AllowSecurityEndUserReporting -and
$ReportSubmissionPolicy.ReportJunkToCustomizedAddress -and $ReportSubmissionPolicy.ReportJunkToCustomizedAddress -and

19
source/tests/Test-RestrictOutlookAddins.ps1
View File

@@ -11,7 +11,6 @@ function Test-RestrictOutlookAddins {
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code # Initialization code
$customPolicyFailures = @()
$defaultPolicyFailureDetails = @() $defaultPolicyFailureDetails = @()
$relevantRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps') $relevantRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps')
$recnum = "6.3.1" $recnum = "6.3.1"
@@ -36,24 +35,8 @@ function Test-RestrictOutlookAddins {
# 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed # 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed
# Check all mailboxes for custom policies with unallowed add-ins # Check all mailboxes for custom policies with unallowed add-ins
$roleAssignmentPolicies = Get-EXOMailbox | Select-Object -Unique RoleAssignmentPolicy
if ($roleAssignmentPolicies.RoleAssignmentPolicy) {
foreach ($policy in $roleAssignmentPolicies) {
if ($policy.RoleAssignmentPolicy) {
$rolePolicyDetails = Get-RoleAssignmentPolicy -Identity $policy.RoleAssignmentPolicy
$foundRoles = $rolePolicyDetails.AssignedRoles | Where-Object { $_ -in $relevantRoles }
# Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are not assigned to users.
if ($foundRoles) {
$customPolicyFailures += "Policy: $($policy.RoleAssignmentPolicy): Roles: $($foundRoles -join ', ')"
}
}
}
}
# Check Default Role Assignment Policy # Check Default Role Assignment Policy
$defaultPolicy = Get-RoleAssignmentPolicy "Default Role Assignment Policy" $customPolicyFailures, $defaultPolicy = Get-ExoOutput -Rec $recnum
$defaultPolicyRoles = $defaultPolicy.AssignedRoles | Where-Object { $_ -in $relevantRoles } $defaultPolicyRoles = $defaultPolicy.AssignedRoles | Where-Object { $_ -in $relevantRoles }
# Condition A: Verify that the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are unchecked under Other roles. # Condition A: Verify that the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are unchecked under Other roles.

2
source/tests/Test-RestrictStorageProvidersOutlook.ps1
View File

@@ -34,7 +34,7 @@ function Test-RestrictStorageProvidersOutlook {
# 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web # 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web
# Retrieve all OwaMailbox policies # Retrieve all OwaMailbox policies
$owaPolicies = Get-OwaMailboxPolicy $owaPolicies = Get-ExoOutput -Rec $recnum
# Condition A: Check if AdditionalStorageProvidersAvailable is set to False # Condition A: Check if AdditionalStorageProvidersAvailable is set to False
$nonCompliantPolicies = $owaPolicies | Where-Object { $_.AdditionalStorageProvidersAvailable } $nonCompliantPolicies = $owaPolicies | Where-Object { $_.AdditionalStorageProvidersAvailable }

5
source/tests/Test-SafeAttachmentsPolicy.ps1
View File

@@ -28,10 +28,9 @@ function Test-SafeAttachmentsPolicy {
} }
process { process {
if (Get-Command Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue) { $safeAttachmentPolicies = Get-ExoOutput -Rec $recnum
if ($safeAttachmentPolicies -ne 1) {
try { try {
# Retrieve all Safe Attachment policies where Enable is set to True
$safeAttachmentPolicies = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue | Where-Object { $_.Enable -eq $true }
# Check if any Safe Attachments policy is enabled (Condition A) # Check if any Safe Attachments policy is enabled (Condition A)
$result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0 $result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0

13
source/tests/Test-SafeAttachmentsTeams.ps1
View File

@@ -31,18 +31,9 @@ function Test-SafeAttachmentsTeams {
} }
process { process {
if (Get-Command Get-AtpPolicyForO365 -ErrorAction SilentlyContinue) { $atpPolicyResult = Get-ExoOutput -Rec $recnum
if ($atpPolicyResult -ne 1) {
try { try {
# 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
# Retrieve the ATP policies for Office 365 and check Safe Attachments settings
$atpPolicies = Get-AtpPolicyForO365
# Check if the required ATP policies are enabled
$atpPolicyResult = $atpPolicies | Where-Object {
$_.EnableATPForSPOTeamsODB -eq $true -and
$_.EnableSafeDocs -eq $true -and
$_.AllowSafeDocsOpen -eq $false
}
# Condition A: Check Safe Attachments for SharePoint # Condition A: Check Safe Attachments for SharePoint
# Condition B: Check Safe Attachments for OneDrive # Condition B: Check Safe Attachments for OneDrive
# Condition C: Check Safe Attachments for Microsoft Teams # Condition C: Check Safe Attachments for Microsoft Teams

2
source/tests/Test-SpamPolicyAdminNotify.ps1
View File

@@ -38,7 +38,7 @@ function Test-SpamPolicyAdminNotify {
# 2.1.6 Ensure Exchange Online Spam Policies are set to notify administrators # 2.1.6 Ensure Exchange Online Spam Policies are set to notify administrators
# Retrieve the default hosted outbound spam filter policy # Retrieve the default hosted outbound spam filter policy
$hostedOutboundSpamFilterPolicy = Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.IsDefault -eq $true } $hostedOutboundSpamFilterPolicy = Get-ExoOutput -Rec $recnum
# Check if both settings are enabled (Condition A and Condition B for pass) # Check if both settings are enabled (Condition A and Condition B for pass)
$bccSuspiciousOutboundMailEnabled = $hostedOutboundSpamFilterPolicy.BccSuspiciousOutboundMail $bccSuspiciousOutboundMailEnabled = $hostedOutboundSpamFilterPolicy.BccSuspiciousOutboundMail