add: Get-CISMSTeamsOutput function and updated respective tests
@@ -1,32 +1,278 @@
|
|||||||
function Get-CISMSTeamsOutput
|
<#
|
||||||
{
|
|
||||||
<#
|
|
||||||
.SYNOPSIS
|
.SYNOPSIS
|
||||||
This is a sample Private function only visible within the module.
|
This is a sample Private function only visible within the module.
|
||||||
|
|
||||||
.DESCRIPTION
|
.DESCRIPTION
|
||||||
This sample function is not exported to the module and only return the data passed as parameter.
|
This sample function is not exported to the module and only return the data passed as parameter.
|
||||||
|
|
||||||
.EXAMPLE
|
.EXAMPLE
|
||||||
$null = Get-MSTeamsOutput -PrivateData 'NOTHING TO SEE HERE'
|
$null = Get-CISMSTeamsOutput -PrivateData 'NOTHING TO SEE HERE'
|
||||||
|
|
||||||
.PARAMETER PrivateData
|
.PARAMETER PrivateData
|
||||||
The PrivateData parameter is what will be returned without transformation.
|
The PrivateData parameter is what will be returned without transformation.
|
||||||
|
#>
|
||||||
#>
|
function Get-CISMSTeamsOutput {
|
||||||
[cmdletBinding()]
|
[cmdletBinding()]
|
||||||
[OutputType([string])]
|
[OutputType([string])]
|
||||||
param
|
param(
|
||||||
(
|
[Parameter(Mandatory = $true)]
|
||||||
[Parameter()]
|
|
||||||
[String]
|
[String]
|
||||||
$PrivateData
|
$Rec
|
||||||
)
|
)
|
||||||
|
begin {
|
||||||
process
|
# Begin Block #
|
||||||
{
|
<#
|
||||||
Write-Output $PrivateData
|
# Tests
|
||||||
|
8.1.1
|
||||||
|
8.1.2
|
||||||
|
8.2.1
|
||||||
|
8.5.1
|
||||||
|
8.5.2
|
||||||
|
8.5.3
|
||||||
|
8.5.4
|
||||||
|
8.5.5
|
||||||
|
8.5.6
|
||||||
|
8.5.7
|
||||||
|
8.6.1
|
||||||
|
# Test number array
|
||||||
|
$testNumbers = @('8.1.1', '8.1.2', '8.2.1', '8.5.1', '8.5.2', '8.5.3', '8.5.4', '8.5.5', '8.5.6', '8.5.7', '8.6.1')
|
||||||
|
#>
|
||||||
}
|
}
|
||||||
|
process {
|
||||||
|
switch ($Rec) {
|
||||||
|
'8.1.1' {
|
||||||
|
# Test-TeamsExternalFileSharing.ps1
|
||||||
|
# 8.1.1 (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services
|
||||||
|
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
||||||
|
|
||||||
}
|
# Condition A: The `AllowDropbox` setting is set to `False`.
|
||||||
|
# Condition B: The `AllowBox` setting is set to `False`.
|
||||||
|
# Condition C: The `AllowGoogleDrive` setting is set to `False`.
|
||||||
|
# Condition D: The `AllowShareFile` setting is set to `False`.
|
||||||
|
# Condition E: The `AllowEgnyte` setting is set to `False`.
|
||||||
|
|
||||||
|
# Assuming that 'approvedProviders' is a list of approved cloud storage service names
|
||||||
|
# This list must be defined according to your organization's approved cloud storage services
|
||||||
|
$clientConfig = Get-CsTeamsClientConfiguration
|
||||||
|
return $clientConfig
|
||||||
|
}
|
||||||
|
'8.1.2' {
|
||||||
|
# Test-BlockChannelEmails.ps1
|
||||||
|
# 8.1.2 (L1) Ensure users can't send emails to a channel email address
|
||||||
|
#
|
||||||
|
# Validate test for a pass:
|
||||||
|
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||||
|
# - Specific conditions to check:
|
||||||
|
# - Condition A: The `AllowEmailIntoChannel` setting in Teams is set to `False`.
|
||||||
|
# - Condition B: The setting `Users can send emails to a channel email address` is set to `Off` in the Teams admin center.
|
||||||
|
# - Condition C: Verification using PowerShell confirms that the `AllowEmailIntoChannel` setting is disabled.
|
||||||
|
#
|
||||||
|
# Validate test for a fail:
|
||||||
|
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||||
|
# - Specific conditions to check:
|
||||||
|
# - Condition A: The `AllowEmailIntoChannel` setting in Teams is not set to `False`.
|
||||||
|
# - Condition B: The setting `Users can send emails to a channel email address` is not set to `Off` in the Teams admin center.
|
||||||
|
# - Condition C: Verification using PowerShell indicates that the `AllowEmailIntoChannel` setting is enabled.
|
||||||
|
|
||||||
|
# Retrieve Teams client configuration
|
||||||
|
$teamsClientConfig = Get-CsTeamsClientConfiguration -Identity Global
|
||||||
|
return $teamsClientConfig
|
||||||
|
}
|
||||||
|
'8.2.1' {
|
||||||
|
# Test-TeamsExternalAccess.ps1
|
||||||
|
# 8.2.1 (L1) Ensure 'external access' is restricted in the Teams admin center
|
||||||
|
#
|
||||||
|
# Validate test for a pass:
|
||||||
|
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||||
|
# - Specific conditions to check:
|
||||||
|
# - Condition A: The `AllowTeamsConsumer` setting is `False`.
|
||||||
|
# - Condition B: The `AllowPublicUsers` setting is `False`.
|
||||||
|
# - Condition C: The `AllowFederatedUsers` setting is `False` or, if `True`, the `AllowedDomains` contains only authorized domain names.
|
||||||
|
#
|
||||||
|
# Validate test for a fail:
|
||||||
|
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||||
|
# - Specific conditions to check:
|
||||||
|
# - Condition A: The `AllowTeamsConsumer` setting is not `False`.
|
||||||
|
# - Condition B: The `AllowPublicUsers` setting is not `False`.
|
||||||
|
# - Condition C: The `AllowFederatedUsers` setting is `True` and the `AllowedDomains` contains unauthorized domain names or is not configured correctly.
|
||||||
|
|
||||||
|
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
||||||
|
|
||||||
|
$externalAccessConfig = Get-CsTenantFederationConfiguration
|
||||||
|
return $externalAccessConfig
|
||||||
|
}
|
||||||
|
'8.5.1' {
|
||||||
|
# Test-NoAnonymousMeetingJoin.ps1
|
||||||
|
# 8.5.1 (L2) Ensure anonymous users can't join a meeting
|
||||||
|
#
|
||||||
|
# Validate test for a pass:
|
||||||
|
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||||
|
# - Specific conditions to check:
|
||||||
|
# - Condition A: `AllowAnonymousUsersToJoinMeeting` is set to `False`.
|
||||||
|
# - Condition B: Verification using the UI confirms that `Anonymous users can join a meeting` is set to `Off` in the Global meeting policy.
|
||||||
|
# - Condition C: PowerShell command output indicates that anonymous users are not allowed to join meetings.
|
||||||
|
#
|
||||||
|
# Validate test for a fail:
|
||||||
|
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||||
|
# - Specific conditions to check:
|
||||||
|
# - Condition A: `AllowAnonymousUsersToJoinMeeting` is not set to `False`.
|
||||||
|
# - Condition B: Verification using the UI shows that `Anonymous users can join a meeting` is not set to `Off` in the Global meeting policy.
|
||||||
|
# - Condition C: PowerShell command output indicates that anonymous users are allowed to join meetings.
|
||||||
|
|
||||||
|
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
||||||
|
|
||||||
|
$teamsMeetingPolicy = Get-CsTeamsMeetingPolicy -Identity Global
|
||||||
|
return $teamsMeetingPolicy
|
||||||
|
}
|
||||||
|
'8.5.2' {
|
||||||
|
# Test-NoAnonymousMeetingStart.ps1
|
||||||
|
# 8.5.2 (L1) Ensure anonymous users and dial-in callers can't start a meeting
|
||||||
|
#
|
||||||
|
# Validate test for a pass:
|
||||||
|
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||||
|
# - Specific conditions to check:
|
||||||
|
# - Condition A: The `AllowAnonymousUsersToStartMeeting` setting in the Teams admin center is set to `False`.
|
||||||
|
# - Condition B: The setting for anonymous users and dial-in callers starting a meeting is configured to ensure they must wait in the lobby.
|
||||||
|
# - Condition C: Verification using the UI confirms that the setting `Anonymous users and dial-in callers can start a meeting` is set to `Off`.
|
||||||
|
#
|
||||||
|
# Validate test for a fail:
|
||||||
|
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||||
|
# - Specific conditions to check:
|
||||||
|
# - Condition A: The `AllowAnonymousUsersToStartMeeting` setting in the Teams admin center is not set to `False`.
|
||||||
|
# - Condition B: The setting for anonymous users and dial-in callers starting a meeting allows them to bypass the lobby.
|
||||||
|
# - Condition C: Verification using the UI indicates that the setting `Anonymous users and dial-in callers can start a meeting` is not set to `Off`.
|
||||||
|
|
||||||
|
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
||||||
|
|
||||||
|
# Retrieve the Teams meeting policy for the global scope and check if anonymous users can start meetings
|
||||||
|
$CsTeamsMeetingPolicyAnonymous = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowAnonymousUsersToStartMeeting
|
||||||
|
return $CsTeamsMeetingPolicyAnonymous
|
||||||
|
}
|
||||||
|
'8.5.3' {
|
||||||
|
# Test-OrgOnlyBypassLobby.ps1
|
||||||
|
# 8.5.3 (L1) Ensure only people in my org can bypass the lobby
|
||||||
|
#
|
||||||
|
# Validate test for a pass:
|
||||||
|
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||||
|
# - Specific conditions to check:
|
||||||
|
# - Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is set to `EveryoneInCompanyExcludingGuests`.
|
||||||
|
# - Condition B: The setting for "Who can bypass the lobby" is configured to "People in my org" using the UI.
|
||||||
|
# - Condition C: Verification using the Microsoft Teams admin center confirms that the meeting join & lobby settings are configured as recommended.
|
||||||
|
#
|
||||||
|
# Validate test for a fail:
|
||||||
|
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||||
|
# - Specific conditions to check:
|
||||||
|
# - Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is not set to `EveryoneInCompanyExcludingGuests`.
|
||||||
|
# - Condition B: The setting for "Who can bypass the lobby" is not configured to "People in my org" using the UI.
|
||||||
|
# - Condition C: Verification using the Microsoft Teams admin center indicates that the meeting join & lobby settings are not configured as recommended.
|
||||||
|
|
||||||
|
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
||||||
|
|
||||||
|
# Retrieve the Teams meeting policy for lobby bypass settings
|
||||||
|
$CsTeamsMeetingPolicyLobby = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AutoAdmittedUsers
|
||||||
|
return $CsTeamsMeetingPolicyLobby
|
||||||
|
}
|
||||||
|
'8.5.4' {
|
||||||
|
# Test-DialInBypassLobby.ps1
|
||||||
|
# 8.5.4 (L1) Ensure users dialing in can't bypass the lobby
|
||||||
|
#
|
||||||
|
# Validate test for a pass:
|
||||||
|
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||||
|
# - Specific conditions to check:
|
||||||
|
# - Condition A: The `AllowPSTNUsersToBypassLobby` setting in the Global Teams meeting policy is set to `False`.
|
||||||
|
# - Condition B: Verification using the UI in the Microsoft Teams admin center confirms that "People dialing in can't bypass the lobby" is set to `Off`.
|
||||||
|
# - Condition C: Ensure that individuals who dial in by phone must wait in the lobby until admitted by a meeting organizer, co-organizer, or presenter.
|
||||||
|
#
|
||||||
|
# Validate test for a fail:
|
||||||
|
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||||
|
# - Specific conditions to check:
|
||||||
|
# - Condition A: The `AllowPSTNUsersToBypassLobby` setting in the Global Teams meeting policy is not set to `False`.
|
||||||
|
# - Condition B: Verification using the UI in the Microsoft Teams admin center shows that "People dialing in can't bypass the lobby" is not set to `Off`.
|
||||||
|
# - Condition C: Individuals who dial in by phone are able to join the meeting directly without waiting in the lobby.
|
||||||
|
|
||||||
|
# Retrieve Teams meeting policy for PSTN users
|
||||||
|
$CsTeamsMeetingPolicyPSTN = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowPSTNUsersToBypassLobby
|
||||||
|
return $CsTeamsMeetingPolicyPSTN
|
||||||
|
}
|
||||||
|
'8.5.5' {
|
||||||
|
# Test-MeetingChatNoAnonymous.ps1
|
||||||
|
# 8.5.5 (L2) Ensure meeting chat does not allow anonymous users
|
||||||
|
#
|
||||||
|
# Validate test for a pass:
|
||||||
|
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||||
|
# - Specific conditions to check:
|
||||||
|
# - Condition A: The `MeetingChatEnabledType` setting in Teams is set to `EnabledExceptAnonymous`.
|
||||||
|
# - Condition B: The setting for meeting chat is configured to allow chat for everyone except anonymous users.
|
||||||
|
# - Condition C: Verification using the Teams Admin Center confirms that the meeting chat settings are configured as recommended.
|
||||||
|
#
|
||||||
|
# Validate test for a fail:
|
||||||
|
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||||
|
# - Specific conditions to check:
|
||||||
|
# - Condition A: The `MeetingChatEnabledType` setting in Teams is not set to `EnabledExceptAnonymous`.
|
||||||
|
# - Condition B: The setting for meeting chat allows chat for anonymous users.
|
||||||
|
# - Condition C: Verification using the Teams Admin Center indicates that the meeting chat settings are not configured as recommended.
|
||||||
|
|
||||||
|
# Retrieve the Teams meeting policy for meeting chat
|
||||||
|
$CsTeamsMeetingPolicyChat = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property MeetingChatEnabledType
|
||||||
|
return $CsTeamsMeetingPolicyChat
|
||||||
|
}
|
||||||
|
'8.5.6' {
|
||||||
|
# Test-OrganizersPresent.ps1
|
||||||
|
# 8.5.6 (L2) Ensure only organizers and co-organizers can present
|
||||||
|
#
|
||||||
|
# Validate test for a pass:
|
||||||
|
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||||
|
# - Specific conditions to check:
|
||||||
|
# - Condition A: The `DesignatedPresenterRoleMode` setting in the Teams meeting policy is set to `OrganizerOnlyUserOverride`.
|
||||||
|
# - Condition B: Verification using the Teams admin center confirms that the setting "Who can present" is configured to "Only organizers and co-organizers".
|
||||||
|
# - Condition C: Verification using PowerShell confirms that the `DesignatedPresenterRoleMode` is set to `OrganizerOnlyUserOverride`.
|
||||||
|
#
|
||||||
|
# Validate test for a fail:
|
||||||
|
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||||
|
# - Specific conditions to check:
|
||||||
|
# - Condition A: The `DesignatedPresenterRoleMode` setting in the Teams meeting policy is not set to `OrganizerOnlyUserOverride`.
|
||||||
|
# - Condition B: Verification using the Teams admin center indicates that the setting "Who can present" is not configured to "Only organizers and co-organizers".
|
||||||
|
# - Condition C: Verification using PowerShell indicates that the `DesignatedPresenterRoleMode` is not set to `OrganizerOnlyUserOverride`.
|
||||||
|
|
||||||
|
# Retrieve the Teams meeting policy for presenters
|
||||||
|
$CsTeamsMeetingPolicyPresenters = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property DesignatedPresenterRoleMode
|
||||||
|
return $CsTeamsMeetingPolicyPresenters
|
||||||
|
}
|
||||||
|
'8.5.7' {
|
||||||
|
# Test-ExternalNoControl.ps1
|
||||||
|
# 8.5.7 (L1) Ensure external participants can't give or request control
|
||||||
|
#
|
||||||
|
# Validate test for a pass:
|
||||||
|
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||||
|
# - Specific conditions to check:
|
||||||
|
# - Condition A: Ensure the `AllowExternalParticipantGiveRequestControl` setting in Teams is set to `False`.
|
||||||
|
# - Condition B: The setting is verified through the Microsoft Teams admin center or via PowerShell command.
|
||||||
|
# - Condition C: Verification using the UI confirms that external participants are unable to give or request control.
|
||||||
|
#
|
||||||
|
# Validate test for a fail:
|
||||||
|
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||||
|
# - Specific conditions to check:
|
||||||
|
# - Condition A: The `AllowExternalParticipantGiveRequestControl` setting in Teams is not set to `False`.
|
||||||
|
# - Condition B: The setting is verified through the Microsoft Teams admin center or via PowerShell command.
|
||||||
|
# - Condition C: Verification using the UI indicates that external participants can give or request control.
|
||||||
|
|
||||||
|
# Retrieve Teams meeting policy for external participant control
|
||||||
|
$CsTeamsMeetingPolicyControl = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowExternalParticipantGiveRequestControl
|
||||||
|
return $CsTeamsMeetingPolicyControl
|
||||||
|
}
|
||||||
|
'8.6.1' {
|
||||||
|
# Test-ReportSecurityInTeams.ps1
|
||||||
|
# 8.6.1 (L1) Ensure users can report security concerns in Teams
|
||||||
|
|
||||||
|
# Retrieve the necessary settings for Teams and Exchange Online
|
||||||
|
# Condition A: Ensure the 'Report a security concern' setting in the Teams admin center is set to 'On'.
|
||||||
|
$CsTeamsMessagingPolicy = Get-CsTeamsMessagingPolicy -Identity Global | Select-Object -Property AllowSecurityEndUserReporting
|
||||||
|
return $CsTeamsMessagingPolicy
|
||||||
|
}
|
||||||
|
default {
|
||||||
|
Write-Output "No matching action found"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
end {
|
||||||
|
Write-Verbose "Retuning data for Rec: $Rec"
|
||||||
|
}
|
||||||
|
} # end function Get-CISMSTeamsOutput
|
||||||
|
|
||||||
|
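Review bot: The `default` branch of `switch ($Rec)` emits the string "No matching action found" instead of failing, so a caller that passes an unknown recommendation number gets a string back and every property it then reads from it is `$null`. For an audit helper that should be a hard error, `default { throw "No matching action found for Rec: $Rec" }`, or the parameter should be constrained with a `[ValidateSet()]` over the eleven values already listed in the `begin` comment. `[OutputType([string])]` is also stale, since every matched branch returns a configuration or policy object. The comment-based help still carries the template text and `.PARAMETER PrivateData` although the parameter is now `$Rec`; it should describe the recommendation number and what each value retrieves.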
@@ -33,7 +33,7 @@ function Test-BlockChannelEmails {
|
|||||||
# - Condition C: Verification using PowerShell indicates that the `AllowEmailIntoChannel` setting is enabled.
|
# - Condition C: Verification using PowerShell indicates that the `AllowEmailIntoChannel` setting is enabled.
|
||||||
|
|
||||||
# Retrieve Teams client configuration
|
# Retrieve Teams client configuration
|
||||||
$teamsClientConfig = Get-CsTeamsClientConfiguration -Identity Global
|
$teamsClientConfig = Get-CISMSTeamsOutput -Rec $recnum
|
||||||
$allowEmailIntoChannel = $teamsClientConfig.AllowEmailIntoChannel
|
$allowEmailIntoChannel = $teamsClientConfig.AllowEmailIntoChannel
|
||||||
|
|
||||||
# Prepare failure reasons and details based on compliance
|
# Prepare failure reasons and details based on compliance
|
||||||
|
@@ -33,7 +33,7 @@ function Test-DialInBypassLobby {
|
|||||||
# - Condition C: Individuals who dial in by phone are able to join the meeting directly without waiting in the lobby.
|
# - Condition C: Individuals who dial in by phone are able to join the meeting directly without waiting in the lobby.
|
||||||
|
|
||||||
# Retrieve Teams meeting policy for PSTN users
|
# Retrieve Teams meeting policy for PSTN users
|
||||||
$CsTeamsMeetingPolicyPSTN = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowPSTNUsersToBypassLobby
|
$CsTeamsMeetingPolicyPSTN = Get-CISMSTeamsOutput -Rec $recnum
|
||||||
$PSTNBypassDisabled = -not $CsTeamsMeetingPolicyPSTN.AllowPSTNUsersToBypassLobby
|
$PSTNBypassDisabled = -not $CsTeamsMeetingPolicyPSTN.AllowPSTNUsersToBypassLobby
|
||||||
|
|
||||||
# Prepare failure reasons and details based on compliance
|
# Prepare failure reasons and details based on compliance
|
||||||
|
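Review bot: `$PSTNBypassDisabled = -not $CsTeamsMeetingPolicyPSTN.AllowPSTNUsersToBypassLobby` evaluates to `$true` whenever the property is missing, which is what happens if `Get-CISMSTeamsOutput` returns nothing or an object of another type, so the control would be reported as compliant without any data behind it. Compare explicitly instead, `$PSTNBypassDisabled = $CsTeamsMeetingPolicyPSTN.AllowPSTNUsersToBypassLobby -eq $false`, and treat a `$null` result as a failed or errored check. The same negation follows the new helper call in Test-ExternalNoControl (`$externalControlRestricted`) and Test-NoAnonymousMeetingStart (`$anonymousStartDisabled`). The rest of the function, including how the result is reported, is outside this hunk.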
@@ -34,7 +34,8 @@ function Test-ExternalNoControl {
|
|||||||
# - Condition C: Verification using the UI indicates that external participants can give or request control.
|
# - Condition C: Verification using the UI indicates that external participants can give or request control.
|
||||||
|
|
||||||
# Retrieve Teams meeting policy for external participant control
|
# Retrieve Teams meeting policy for external participant control
|
||||||
$CsTeamsMeetingPolicyControl = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowExternalParticipantGiveRequestControl
|
$CsTeamsMeetingPolicyControl = Get-CISMSTeamsOutput -Rec $recnum
|
||||||
|
# Check if external participants can give or request control
|
||||||
$externalControlRestricted = -not $CsTeamsMeetingPolicyControl.AllowExternalParticipantGiveRequestControl
|
$externalControlRestricted = -not $CsTeamsMeetingPolicyControl.AllowExternalParticipantGiveRequestControl
|
||||||
|
|
||||||
# Prepare failure reasons and details based on compliance
|
# Prepare failure reasons and details based on compliance
|
||||||
|
@@ -32,7 +32,7 @@ function Test-MeetingChatNoAnonymous {
|
|||||||
# - Condition C: Verification using the Teams Admin Center indicates that the meeting chat settings are not configured as recommended.
|
# - Condition C: Verification using the Teams Admin Center indicates that the meeting chat settings are not configured as recommended.
|
||||||
|
|
||||||
# Retrieve the Teams meeting policy for meeting chat
|
# Retrieve the Teams meeting policy for meeting chat
|
||||||
$CsTeamsMeetingPolicyChat = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property MeetingChatEnabledType
|
$CsTeamsMeetingPolicyChat = Get-CISMSTeamsOutput -Rec $recnum
|
||||||
# Condition A: Check if the MeetingChatEnabledType is set to 'EnabledExceptAnonymous'
|
# Condition A: Check if the MeetingChatEnabledType is set to 'EnabledExceptAnonymous'
|
||||||
$chatAnonDisabled = $CsTeamsMeetingPolicyChat.MeetingChatEnabledType -eq 'EnabledExceptAnonymous'
|
$chatAnonDisabled = $CsTeamsMeetingPolicyChat.MeetingChatEnabledType -eq 'EnabledExceptAnonymous'
|
||||||
|
|
||||||
|
@@ -33,7 +33,7 @@ function Test-NoAnonymousMeetingJoin {
|
|||||||
|
|
||||||
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
||||||
|
|
||||||
$teamsMeetingPolicy = Get-CsTeamsMeetingPolicy -Identity Global
|
$teamsMeetingPolicy = Get-CISMSTeamsOutput -Rec $recnum
|
||||||
$allowAnonymousUsersToJoinMeeting = $teamsMeetingPolicy.AllowAnonymousUsersToJoinMeeting
|
$allowAnonymousUsersToJoinMeeting = $teamsMeetingPolicy.AllowAnonymousUsersToJoinMeeting
|
||||||
|
|
||||||
# Prepare failure reasons and details based on compliance
|
# Prepare failure reasons and details based on compliance
|
||||||
|
@@ -34,7 +34,7 @@ function Test-NoAnonymousMeetingStart {
|
|||||||
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
||||||
|
|
||||||
# Retrieve the Teams meeting policy for the global scope and check if anonymous users can start meetings
|
# Retrieve the Teams meeting policy for the global scope and check if anonymous users can start meetings
|
||||||
$CsTeamsMeetingPolicyAnonymous = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowAnonymousUsersToStartMeeting
|
$CsTeamsMeetingPolicyAnonymous = Get-CISMSTeamsOutput -Rec $recnum
|
||||||
$anonymousStartDisabled = -not $CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting
|
$anonymousStartDisabled = -not $CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting
|
||||||
|
|
||||||
# Prepare failure reasons and details based on compliance
|
# Prepare failure reasons and details based on compliance
|
||||||
|
@@ -34,7 +34,7 @@ function Test-OrgOnlyBypassLobby {
|
|||||||
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
||||||
|
|
||||||
# Retrieve the Teams meeting policy for lobby bypass settings
|
# Retrieve the Teams meeting policy for lobby bypass settings
|
||||||
$CsTeamsMeetingPolicyLobby = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AutoAdmittedUsers
|
$CsTeamsMeetingPolicyLobby = Get-CISMSTeamsOutput -Rec $recnum
|
||||||
$lobbyBypassRestricted = $CsTeamsMeetingPolicyLobby.AutoAdmittedUsers -eq 'EveryoneInCompanyExcludingGuests'
|
$lobbyBypassRestricted = $CsTeamsMeetingPolicyLobby.AutoAdmittedUsers -eq 'EveryoneInCompanyExcludingGuests'
|
||||||
|
|
||||||
# Prepare failure reasons and details based on compliance
|
# Prepare failure reasons and details based on compliance
|
||||||
|
@@ -32,7 +32,7 @@ function Test-OrganizersPresent {
|
|||||||
# - Condition C: Verification using PowerShell indicates that the `DesignatedPresenterRoleMode` is not set to `OrganizerOnlyUserOverride`.
|
# - Condition C: Verification using PowerShell indicates that the `DesignatedPresenterRoleMode` is not set to `OrganizerOnlyUserOverride`.
|
||||||
|
|
||||||
# Retrieve the Teams meeting policy for presenters
|
# Retrieve the Teams meeting policy for presenters
|
||||||
$CsTeamsMeetingPolicyPresenters = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property DesignatedPresenterRoleMode
|
$CsTeamsMeetingPolicyPresenters = Get-CISMSTeamsOutput -Rec $recnum
|
||||||
$presenterRoleRestricted = $CsTeamsMeetingPolicyPresenters.DesignatedPresenterRoleMode -eq 'OrganizerOnlyUserOverride'
|
$presenterRoleRestricted = $CsTeamsMeetingPolicyPresenters.DesignatedPresenterRoleMode -eq 'OrganizerOnlyUserOverride'
|
||||||
|
|
||||||
# Prepare failure reasons and details based on compliance
|
# Prepare failure reasons and details based on compliance
|
||||||
|
@@ -21,7 +21,7 @@ function Test-ReportSecurityInTeams {
|
|||||||
|
|
||||||
# Retrieve the necessary settings for Teams and Exchange Online
|
# Retrieve the necessary settings for Teams and Exchange Online
|
||||||
# Condition A: Ensure the 'Report a security concern' setting in the Teams admin center is set to 'On'.
|
# Condition A: Ensure the 'Report a security concern' setting in the Teams admin center is set to 'On'.
|
||||||
$CsTeamsMessagingPolicy = Get-CsTeamsMessagingPolicy -Identity Global | Select-Object -Property AllowSecurityEndUserReporting
|
$CsTeamsMessagingPolicy = Get-CISMSTeamsOutput -Rec $recnum
|
||||||
# Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal.
|
# Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal.
|
||||||
# Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses.
|
# Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses.
|
||||||
$ReportSubmissionPolicy = Get-CISExoOutput -Rec $recnum
|
$ReportSubmissionPolicy = Get-CISExoOutput -Rec $recnum
|
||||||
|
@@ -10,8 +10,6 @@ function Test-TeamsExternalAccess {
|
|||||||
# Dot source the class script if necessary
|
# Dot source the class script if necessary
|
||||||
# . .\source\Classes\CISAuditResult.ps1
|
# . .\source\Classes\CISAuditResult.ps1
|
||||||
# Initialization code, if needed
|
# Initialization code, if needed
|
||||||
|
|
||||||
$auditResult = [CISAuditResult]::new()
|
|
||||||
$recnum = "8.2.1"
|
$recnum = "8.2.1"
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -35,7 +33,7 @@ function Test-TeamsExternalAccess {
|
|||||||
|
|
||||||
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
||||||
|
|
||||||
$externalAccessConfig = Get-CsTenantFederationConfiguration
|
$externalAccessConfig = Get-CISMSTeamsOutput -Rec $recnum
|
||||||
|
|
||||||
$allowedDomainsLimited = $false
|
$allowedDomainsLimited = $false
|
||||||
if ($externalAccessConfig.AllowFederatedUsers -and $externalAccessConfig.AllowedDomains -and $externalAccessConfig.AllowedDomains.AllowedDomain.Count -gt 0) {
|
if ($externalAccessConfig.AllowFederatedUsers -and $externalAccessConfig.AllowedDomains -and $externalAccessConfig.AllowedDomains.AllowedDomain.Count -gt 0) {
|
||||||
|
@@ -26,9 +26,8 @@ function Test-TeamsExternalFileSharing {
|
|||||||
|
|
||||||
# Assuming that 'approvedProviders' is a list of approved cloud storage service names
|
# Assuming that 'approvedProviders' is a list of approved cloud storage service names
|
||||||
# This list must be defined according to your organization's approved cloud storage services
|
# This list must be defined according to your organization's approved cloud storage services
|
||||||
|
$clientConfig = Get-CISMSTeamsOutput -Rec $recnum
|
||||||
$approvedProviders = @("AllowDropBox", "AllowBox", "AllowGoogleDrive", "AllowShareFile", "AllowEgnyte")
|
$approvedProviders = @("AllowDropBox", "AllowBox", "AllowGoogleDrive", "AllowShareFile", "AllowEgnyte")
|
||||||
$clientConfig = Get-CsTeamsClientConfiguration
|
|
||||||
|
|
||||||
$isCompliant = $true
|
$isCompliant = $true
|
||||||
$nonCompliantProviders = @()
|
$nonCompliantProviders = @()
|
||||||
|
|
||||||
|