vibecoding/M365FoundationsCISReport
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #134 from CriticalSolutionsNetwork/133-formatting-ms-teams

Browse Source 
133 formatting ms teams
This commit is contained in:
Doug Rios
2024-06-30 12:43:43 -05:00
committed by GitHub
parent 8157f7dc84 0da06288f1
commit a6121a1273
22 changed files with 494 additions and 149 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
CHANGELOG.md
View File

@@ -6,6 +6,17 @@ The format is based on and uses the types of changes according to [Keep a Change
### Added ### Added
- Added `ApprovedCloudStorageProviders` parameter to `Invoke-M365SecurityAudit` to allow for testing of approved cloud storage providers for 8.1.1.
- Added `ApprovedFederatedDomains` parameter to `Invoke-M365SecurityAudit` to allow for testing of approved federated domains for 8.5.1.
### Fixed
- Fixed various MSTeams tests to be more accurate and include more properties in the output.
## [0.1.18] - 2024-06-29
### Added
- Added `Get-PhishPolicyDetail` and `Test-PhishPolicyCompliance` private functions to help test for phishing policy compliance. - Added `Get-PhishPolicyDetail` and `Test-PhishPolicyCompliance` private functions to help test for phishing policy compliance.
### Fixed ### Fixed
@@ -16,8 +27,6 @@ The format is based on and uses the types of changes according to [Keep a Change
- Changed main function parameter for Domain to `DomainName`. - Changed main function parameter for Domain to `DomainName`.
## [0.1.17] - 2024-06-28 ## [0.1.17] - 2024-06-28
### Fixed ### Fixed

BIN
README.md
View File

Binary file not shown.

BIN
docs/index.html
View File

Binary file not shown.

57
help/Invoke-M365SecurityAudit.md
View File

@@ -14,47 +14,52 @@ Invokes a security audit for Microsoft 365 environments.
### Default (Default) ### Default (Default)
``` ```
Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] [-DoNotConnect] [-DoNotDisconnect] Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>]
[-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm] [<CommonParameters>] [-ApprovedCloudStorageProviders <String[]>] [-ApprovedFederatedDomains <String[]>] [-DoNotConnect]
[-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm] [<CommonParameters>]
``` ```
### ELevelFilter ### ELevelFilter
``` ```
Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] -ELevel <String> Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] -ELevel <String>
-ProfileLevel <String> [-DoNotConnect] [-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] -ProfileLevel <String> [-ApprovedCloudStorageProviders <String[]>] [-ApprovedFederatedDomains <String[]>]
[-WhatIf] [-Confirm] [<CommonParameters>] [-DoNotConnect] [-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm]
[<CommonParameters>]
``` ```
### IG1Filter ### IG1Filter
``` ```
Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] [-IncludeIG1] [-DoNotConnect] Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] [-IncludeIG1]
[-ApprovedCloudStorageProviders <String[]>] [-ApprovedFederatedDomains <String[]>] [-DoNotConnect]
[-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm] [<CommonParameters>] [-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm] [<CommonParameters>]
``` ```
### IG2Filter ### IG2Filter
``` ```
Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] [-IncludeIG2] [-DoNotConnect] Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] [-IncludeIG2]
[-ApprovedCloudStorageProviders <String[]>] [-ApprovedFederatedDomains <String[]>] [-DoNotConnect]
[-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm] [<CommonParameters>] [-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm] [<CommonParameters>]
``` ```
### IG3Filter ### IG3Filter
``` ```
Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] [-IncludeIG3] [-DoNotConnect] Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] [-IncludeIG3]
[-ApprovedCloudStorageProviders <String[]>] [-ApprovedFederatedDomains <String[]>] [-DoNotConnect]
[-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm] [<CommonParameters>] [-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm] [<CommonParameters>]
``` ```
### RecFilter ### RecFilter
``` ```
Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] -IncludeRecommendation <String[]> Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] -IncludeRecommendation <String[]>
[-DoNotConnect] [-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm] [-ApprovedCloudStorageProviders <String[]>] [-ApprovedFederatedDomains <String[]>] [-DoNotConnect]
[<CommonParameters>] [-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm] [<CommonParameters>]
``` ```
### SkipRecFilter ### SkipRecFilter
``` ```
Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] -SkipRecommendation <String[]> Invoke-M365SecurityAudit [-TenantAdminUrl <String>] [-DomainName <String>] -SkipRecommendation <String[]>
[-DoNotConnect] [-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm] [-ApprovedCloudStorageProviders <String[]>] [-ApprovedFederatedDomains <String[]>] [-DoNotConnect]
[<CommonParameters>] [-DoNotDisconnect] [-NoModuleCheck] [-DoNotConfirmConnections] [-WhatIf] [-Confirm] [<CommonParameters>]
``` ```
## DESCRIPTION ## DESCRIPTION
@@ -300,6 +305,36 @@ Accept pipeline input: False
Accept wildcard characters: False Accept wildcard characters: False
``` ```
### -ApprovedCloudStorageProviders
Specifies the approved cloud storage providers for the audit. Accepts an array of cloud storage provider names.
```yaml
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: @()
Accept pipeline input: False
Accept wildcard characters: False
```
### -ApprovedFederatedDomains
Specifies the approved federated domains for the audit test 8.2.1. Accepts an array of allowed domain names.
```yaml
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -DoNotConnect ### -DoNotConnect
If specified, the cmdlet will not establish a connection to Microsoft 365 services. If specified, the cmdlet will not establish a connection to Microsoft 365 services.

14
help/M365FoundationsCISReport.md
View File

@@ -11,24 +11,24 @@ Locale: en-US
The `M365FoundationsCISReport` module provides a set of cmdlets to audit and report on the security compliance of Microsoft 365 environments based on CIS (Center for Internet Security) benchmarks. It enables administrators to generate detailed reports, sync data with CIS Excel sheets, and perform security audits to ensure compliance. The `M365FoundationsCISReport` module provides a set of cmdlets to audit and report on the security compliance of Microsoft 365 environments based on CIS (Center for Internet Security) benchmarks. It enables administrators to generate detailed reports, sync data with CIS Excel sheets, and perform security audits to ensure compliance.
## M365FoundationsCISReport Cmdlets ## M365FoundationsCISReport Cmdlets
### [Export-M365SecurityAuditTable](Export-M365SecurityAuditTable.md) ### [Export-M365SecurityAuditTable](Export-M365SecurityAuditTable)
Exports M365 security audit results to a CSV file or outputs a specific test result as an object. Exports M365 security audit results to a CSV file or outputs a specific test result as an object.
### [Get-AdminRoleUserLicense](Get-AdminRoleUserLicense.md) ### [Get-AdminRoleUserLicense](Get-AdminRoleUserLicense)
Retrieves user licenses and roles for administrative accounts from Microsoft 365 via the Graph API. Retrieves user licenses and roles for administrative accounts from Microsoft 365 via the Graph API.
### [Get-MFAStatus](Get-MFAStatus.md) ### [Get-MFAStatus](Get-MFAStatus)
Retrieves the MFA (Multi-Factor Authentication) status for Azure Active Directory users. Retrieves the MFA (Multi-Factor Authentication) status for Azure Active Directory users.
### [Grant-M365SecurityAuditConsent](Grant-M365SecurityAuditConsent.md) ### [Grant-M365SecurityAuditConsent](Grant-M365SecurityAuditConsent)
Grants Microsoft Graph permissions for an auditor. Grants Microsoft Graph permissions for an auditor.
### [Invoke-M365SecurityAudit](Invoke-M365SecurityAudit.md) ### [Invoke-M365SecurityAudit](Invoke-M365SecurityAudit)
Invokes a security audit for Microsoft 365 environments. Invokes a security audit for Microsoft 365 environments.
### [Remove-RowsWithEmptyCSVStatus](Remove-RowsWithEmptyCSVStatus.md) ### [Remove-RowsWithEmptyCSVStatus](Remove-RowsWithEmptyCSVStatus)
Removes rows from an Excel worksheet where the 'CSV_Status' column is empty and saves the result to a new file. Removes rows from an Excel worksheet where the 'CSV_Status' column is empty and saves the result to a new file.
### [Sync-CISExcelAndCsvData](Sync-CISExcelAndCsvData.md) ### [Sync-CISExcelAndCsvData](Sync-CISExcelAndCsvData)
Synchronizes and updates data in an Excel worksheet with new information from a CSV file, including audit dates. Synchronizes and updates data in an Excel worksheet with new information from a CSV file, including audit dates.

2
helpers/Build-Help.ps1
View File

@@ -4,7 +4,7 @@ Import-Module .\output\module\M365FoundationsCISReport\*\*.psd1
<# <#
$ver = "v0.1.16" $ver = "v0.1.18"
git checkout main git checkout main
git pull origin main git pull origin main
git tag -a $ver -m "Release version $ver refactor Update" git tag -a $ver -m "Release version $ver refactor Update"

13
source/Private/Get-CISExoOutput.ps1
View File

@@ -513,6 +513,19 @@ function Get-CISExoOutput {
# Retrieve the necessary settings for Teams and Exchange Online # Retrieve the necessary settings for Teams and Exchange Online
# Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal. # Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal.
# Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses. # Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses.
# $ReportSubmissionPolicy Mock Object
<#
$ReportSubmissionPolicy = [PSCustomObject]@{
ReportJunkToCustomizedAddress = $true
ReportNotJunkToCustomizedAddress = $true
ReportPhishToCustomizedAddress = $true
ReportJunkAddresses = @('security@example.com')
ReportNotJunkAddresses = @('security@example.com')
ReportPhishAddresses = @('security@example.com')
ReportChatMessageEnabled = $false
ReportChatMessageToCustomizedAddressEnabled = $false
}
#>
$ReportSubmissionPolicy = Get-ReportSubmissionPolicy | Select-Object -Property ReportJunkToCustomizedAddress, ReportNotJunkToCustomizedAddress, ReportPhishToCustomizedAddress, ReportJunkAddresses, ReportNotJunkAddresses, ReportPhishAddresses, ReportChatMessageEnabled, ReportChatMessageToCustomizedAddressEnabled $ReportSubmissionPolicy = Get-ReportSubmissionPolicy | Select-Object -Property ReportJunkToCustomizedAddress, ReportNotJunkToCustomizedAddress, ReportPhishToCustomizedAddress, ReportJunkAddresses, ReportNotJunkAddresses, ReportPhishAddresses, ReportChatMessageEnabled, ReportChatMessageToCustomizedAddressEnabled
return $ReportSubmissionPolicy return $ReportSubmissionPolicy
} }

84
source/Private/Get-CISMSTeamsOutput.ps1
View File

@@ -49,6 +49,7 @@ function Get-CISMSTeamsOutput {
# Assuming that 'approvedProviders' is a list of approved cloud storage service names # Assuming that 'approvedProviders' is a list of approved cloud storage service names
# This list must be defined according to your organization's approved cloud storage services # This list must be defined according to your organization's approved cloud storage services
# Add option for approved providers.
$clientConfig = Get-CsTeamsClientConfiguration $clientConfig = Get-CsTeamsClientConfiguration
return $clientConfig return $clientConfig
} }
@@ -91,9 +92,29 @@ function Get-CISMSTeamsOutput {
# - Condition A: The `AllowTeamsConsumer` setting is not `False`. # - Condition A: The `AllowTeamsConsumer` setting is not `False`.
# - Condition B: The `AllowPublicUsers` setting is not `False`. # - Condition B: The `AllowPublicUsers` setting is not `False`.
# - Condition C: The `AllowFederatedUsers` setting is `True` and the `AllowedDomains` contains unauthorized domain names or is not configured correctly. # - Condition C: The `AllowFederatedUsers` setting is `True` and the `AllowedDomains` contains unauthorized domain names or is not configured correctly.
# Connect to Teams PowerShell using Connect-MicrosoftTeams # Connect to Teams PowerShell using Connect-MicrosoftTeams
# $externalAccessConfig Mock Object
<#
$externalAccessConfig = [PSCustomObject]@{
Identity = 'Global'
AllowedDomains = 'AllowAllKnownDomains'
BlockedDomains = @()
AllowFederatedUsers = $true
AllowPublicUsers = $true
AllowTeamsConsumer = $true
AllowTeamsConsumerInbound = $true
}
$ApprovedFederatedDomains = @('msn.com', 'google.com')
$externalAccessConfig = [PSCustomObject]@{
Identity = 'Global'
AllowedDomains = @('msn.com', 'google.com')
BlockedDomains = @()
AllowFederatedUsers = $true
AllowPublicUsers = $false
AllowTeamsConsumer = $false
AllowTeamsConsumerInbound = $true
}
#>
$externalAccessConfig = Get-CsTenantFederationConfiguration $externalAccessConfig = Get-CsTenantFederationConfiguration
return $externalAccessConfig return $externalAccessConfig
} }
@@ -114,9 +135,13 @@ function Get-CISMSTeamsOutput {
# - Condition A: `AllowAnonymousUsersToJoinMeeting` is not set to `False`. # - Condition A: `AllowAnonymousUsersToJoinMeeting` is not set to `False`.
# - Condition B: Verification using the UI shows that `Anonymous users can join a meeting` is not set to `Off` in the Global meeting policy. # - Condition B: Verification using the UI shows that `Anonymous users can join a meeting` is not set to `Off` in the Global meeting policy.
# - Condition C: PowerShell command output indicates that anonymous users are allowed to join meetings. # - Condition C: PowerShell command output indicates that anonymous users are allowed to join meetings.
# Connect to Teams PowerShell using Connect-MicrosoftTeams # Connect to Teams PowerShell using Connect-MicrosoftTeams
# $teamsMeetingPolicy Mock Object
<#
$teamsMeetingPolicy = [PSCustomObject]@{
AllowAnonymousUsersToJoinMeeting = $true
}
#>
$teamsMeetingPolicy = Get-CsTeamsMeetingPolicy -Identity Global $teamsMeetingPolicy = Get-CsTeamsMeetingPolicy -Identity Global
return $teamsMeetingPolicy return $teamsMeetingPolicy
} }
@@ -137,9 +162,13 @@ function Get-CISMSTeamsOutput {
# - Condition A: The `AllowAnonymousUsersToStartMeeting` setting in the Teams admin center is not set to `False`. # - Condition A: The `AllowAnonymousUsersToStartMeeting` setting in the Teams admin center is not set to `False`.
# - Condition B: The setting for anonymous users and dial-in callers starting a meeting allows them to bypass the lobby. # - Condition B: The setting for anonymous users and dial-in callers starting a meeting allows them to bypass the lobby.
# - Condition C: Verification using the UI indicates that the setting `Anonymous users and dial-in callers can start a meeting` is not set to `Off`. # - Condition C: Verification using the UI indicates that the setting `Anonymous users and dial-in callers can start a meeting` is not set to `Off`.
# Connect to Teams PowerShell using Connect-MicrosoftTeams # Connect to Teams PowerShell using Connect-MicrosoftTeams
# $CsTeamsMeetingPolicyAnonymous Mock Object
<#
$CsTeamsMeetingPolicyAnonymous = [PSCustomObject]@{
AllowAnonymousUsersToStartMeeting = $true
}
#>
# Retrieve the Teams meeting policy for the global scope and check if anonymous users can start meetings # Retrieve the Teams meeting policy for the global scope and check if anonymous users can start meetings
$CsTeamsMeetingPolicyAnonymous = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowAnonymousUsersToStartMeeting $CsTeamsMeetingPolicyAnonymous = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowAnonymousUsersToStartMeeting
return $CsTeamsMeetingPolicyAnonymous return $CsTeamsMeetingPolicyAnonymous
@@ -161,10 +190,14 @@ function Get-CISMSTeamsOutput {
# - Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is not set to `EveryoneInCompanyExcludingGuests`. # - Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is not set to `EveryoneInCompanyExcludingGuests`.
# - Condition B: The setting for "Who can bypass the lobby" is not configured to "People in my org" using the UI. # - Condition B: The setting for "Who can bypass the lobby" is not configured to "People in my org" using the UI.
# - Condition C: Verification using the Microsoft Teams admin center indicates that the meeting join & lobby settings are not configured as recommended. # - Condition C: Verification using the Microsoft Teams admin center indicates that the meeting join & lobby settings are not configured as recommended.
# Connect to Teams PowerShell using Connect-MicrosoftTeams # Connect to Teams PowerShell using Connect-MicrosoftTeams
# Retrieve the Teams meeting policy for lobby bypass settings # Retrieve the Teams meeting policy for lobby bypass settings
# $CsTeamsMeetingPolicyLobby Mock Object
<#
$CsTeamsMeetingPolicyLobby = [PSCustomObject]@{
AutoAdmittedUsers = "OrganizerOnly"
}
#>
$CsTeamsMeetingPolicyLobby = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AutoAdmittedUsers $CsTeamsMeetingPolicyLobby = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AutoAdmittedUsers
return $CsTeamsMeetingPolicyLobby return $CsTeamsMeetingPolicyLobby
} }
@@ -185,8 +218,13 @@ function Get-CISMSTeamsOutput {
# - Condition A: The `AllowPSTNUsersToBypassLobby` setting in the Global Teams meeting policy is not set to `False`. # - Condition A: The `AllowPSTNUsersToBypassLobby` setting in the Global Teams meeting policy is not set to `False`.
# - Condition B: Verification using the UI in the Microsoft Teams admin center shows that "People dialing in can't bypass the lobby" is not set to `Off`. # - Condition B: Verification using the UI in the Microsoft Teams admin center shows that "People dialing in can't bypass the lobby" is not set to `Off`.
# - Condition C: Individuals who dial in by phone are able to join the meeting directly without waiting in the lobby. # - Condition C: Individuals who dial in by phone are able to join the meeting directly without waiting in the lobby.
# Retrieve Teams meeting policy for PSTN users # Retrieve Teams meeting policy for PSTN users
# $CsTeamsMeetingPolicyPSTN Mock Object
<#
$CsTeamsMeetingPolicyPSTN = [PSCustomObject]@{
AllowPSTNUsersToBypassLobby = $true
}
#>
$CsTeamsMeetingPolicyPSTN = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowPSTNUsersToBypassLobby $CsTeamsMeetingPolicyPSTN = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowPSTNUsersToBypassLobby
return $CsTeamsMeetingPolicyPSTN return $CsTeamsMeetingPolicyPSTN
} }
@@ -207,8 +245,13 @@ function Get-CISMSTeamsOutput {
# - Condition A: The `MeetingChatEnabledType` setting in Teams is not set to `EnabledExceptAnonymous`. # - Condition A: The `MeetingChatEnabledType` setting in Teams is not set to `EnabledExceptAnonymous`.
# - Condition B: The setting for meeting chat allows chat for anonymous users. # - Condition B: The setting for meeting chat allows chat for anonymous users.
# - Condition C: Verification using the Teams Admin Center indicates that the meeting chat settings are not configured as recommended. # - Condition C: Verification using the Teams Admin Center indicates that the meeting chat settings are not configured as recommended.
# Retrieve the Teams meeting policy for meeting chat # Retrieve the Teams meeting policy for meeting chat
# $CsTeamsMeetingPolicyChat Mock Object
<#
$CsTeamsMeetingPolicyChat = [PSCustomObject]@{
MeetingChatEnabledType = "Enabled"
}
#>
$CsTeamsMeetingPolicyChat = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property MeetingChatEnabledType $CsTeamsMeetingPolicyChat = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property MeetingChatEnabledType
return $CsTeamsMeetingPolicyChat return $CsTeamsMeetingPolicyChat
} }
@@ -229,8 +272,13 @@ function Get-CISMSTeamsOutput {
# - Condition A: The `DesignatedPresenterRoleMode` setting in the Teams meeting policy is not set to `OrganizerOnlyUserOverride`. # - Condition A: The `DesignatedPresenterRoleMode` setting in the Teams meeting policy is not set to `OrganizerOnlyUserOverride`.
# - Condition B: Verification using the Teams admin center indicates that the setting "Who can present" is not configured to "Only organizers and co-organizers". # - Condition B: Verification using the Teams admin center indicates that the setting "Who can present" is not configured to "Only organizers and co-organizers".
# - Condition C: Verification using PowerShell indicates that the `DesignatedPresenterRoleMode` is not set to `OrganizerOnlyUserOverride`. # - Condition C: Verification using PowerShell indicates that the `DesignatedPresenterRoleMode` is not set to `OrganizerOnlyUserOverride`.
# Retrieve the Teams meeting policy for presenters # Retrieve the Teams meeting policy for presenters
# $CsTeamsMeetingPolicyPresenters Mock Object
<#
$CsTeamsMeetingPolicyPresenters = [PSCustomObject]@{
DesignatedPresenterRoleMode = "Enabled"
}
#>
$CsTeamsMeetingPolicyPresenters = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property DesignatedPresenterRoleMode $CsTeamsMeetingPolicyPresenters = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property DesignatedPresenterRoleMode
return $CsTeamsMeetingPolicyPresenters return $CsTeamsMeetingPolicyPresenters
} }
@@ -251,17 +299,27 @@ function Get-CISMSTeamsOutput {
# - Condition A: The `AllowExternalParticipantGiveRequestControl` setting in Teams is not set to `False`. # - Condition A: The `AllowExternalParticipantGiveRequestControl` setting in Teams is not set to `False`.
# - Condition B: The setting is verified through the Microsoft Teams admin center or via PowerShell command. # - Condition B: The setting is verified through the Microsoft Teams admin center or via PowerShell command.
# - Condition C: Verification using the UI indicates that external participants can give or request control. # - Condition C: Verification using the UI indicates that external participants can give or request control.
# Retrieve Teams meeting policy for external participant control # Retrieve Teams meeting policy for external participant control
# $CsTeamsMeetingPolicyControl Mock Object
<#
$CsTeamsMeetingPolicyControl = [PSCustomObject]@{
AllowExternalParticipantGiveRequestControl = $true
}
#>
$CsTeamsMeetingPolicyControl = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowExternalParticipantGiveRequestControl $CsTeamsMeetingPolicyControl = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowExternalParticipantGiveRequestControl
return $CsTeamsMeetingPolicyControl return $CsTeamsMeetingPolicyControl
} }
'8.6.1' { '8.6.1' {
# Test-ReportSecurityInTeams.ps1 # Test-ReportSecurityInTeams.ps1
# 8.6.1 (L1) Ensure users can report security concerns in Teams # 8.6.1 (L1) Ensure users can report security concerns in Teams
# Retrieve the necessary settings for Teams and Exchange Online # Retrieve the necessary settings for Teams and Exchange Online
# Condition A: Ensure the 'Report a security concern' setting in the Teams admin center is set to 'On'. # Condition A: Ensure the 'Report a security concern' setting in the Teams admin center is set to 'On'.
# $CsTeamsMessagingPolicy Mock Object
<#
$CsTeamsMessagingPolicy = [PSCustomObject]@{
AllowSecurityEndUserReporting = $true
}
#>
$CsTeamsMessagingPolicy = Get-CsTeamsMessagingPolicy -Identity Global | Select-Object -Property AllowSecurityEndUserReporting $CsTeamsMessagingPolicy = Get-CsTeamsMessagingPolicy -Identity Global | Select-Object -Property AllowSecurityEndUserReporting
return $CsTeamsMessagingPolicy return $CsTeamsMessagingPolicy
} }

14
source/Private/Invoke-TestFunction.ps1
View File

@@ -3,9 +3,12 @@ function Invoke-TestFunction {
param ( param (
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true)]
[PSObject]$FunctionFile, [PSObject]$FunctionFile,
[Parameter(Mandatory = $false)] [Parameter(Mandatory = $false)]
[string]$DomainName [string]$DomainName,
[Parameter(Mandatory = $false)]
[string[]]$ApprovedCloudStorageProviders,
[Parameter(Mandatory = $false)]
[string[]]$ApprovedFederatedDomains
) )
$functionName = $FunctionFile.BaseName $functionName = $FunctionFile.BaseName
@@ -16,7 +19,12 @@ function Invoke-TestFunction {
if ('DomainName' -in $functionCmd.Parameters.Keys) { if ('DomainName' -in $functionCmd.Parameters.Keys) {
$paramList.DomainName = $DomainName $paramList.DomainName = $DomainName
} }
if ('ApprovedCloudStorageProviders' -in $functionCmd.Parameters.Keys) {
$paramList.ApprovedCloudStorageProviders = $ApprovedCloudStorageProviders
}
if ('ApprovedFederatedDomains' -in $functionCmd.Parameters.Keys) {
$paramList.ApprovedFederatedDomains = $ApprovedFederatedDomains
}
# Use splatting to pass parameters # Use splatting to pass parameters
Write-Verbose "Running $functionName..." Write-Verbose "Running $functionName..."
try { try {

39
source/Public/Invoke-M365SecurityAudit.ps1
View File

@@ -21,6 +21,10 @@
Specifies specific recommendations to include in the audit. Accepts an array of recommendation numbers. Specifies specific recommendations to include in the audit. Accepts an array of recommendation numbers.
.PARAMETER SkipRecommendation .PARAMETER SkipRecommendation
Specifies specific recommendations to exclude from the audit. Accepts an array of recommendation numbers. Specifies specific recommendations to exclude from the audit. Accepts an array of recommendation numbers.
.PARAMETER ApprovedCloudStorageProviders
Specifies the approved cloud storage providers for the audit. Accepts an array of cloud storage provider names.
.PARAMETER ApprovedFederatedDomains
Specifies the approved federated domains for the audit test 8.2.1. Accepts an array of allowed domain names.
.PARAMETER DoNotConnect .PARAMETER DoNotConnect
If specified, the cmdlet will not establish a connection to Microsoft 365 services. If specified, the cmdlet will not establish a connection to Microsoft 365 services.
.PARAMETER DoNotDisconnect .PARAMETER DoNotDisconnect
@@ -129,31 +133,31 @@ function Invoke-M365SecurityAudit {
[ValidatePattern('^https://[a-zA-Z0-9-]+-admin\.sharepoint\.com$')] [ValidatePattern('^https://[a-zA-Z0-9-]+-admin\.sharepoint\.com$')]
[string]$TenantAdminUrl, [string]$TenantAdminUrl,
[Parameter(Mandatory = $false, HelpMessage = "Specify this to test only the default domain for password expiration policy when '1.3.1' is included in the tests to be run. The domain name of your organization, e.g., 'example.com'.")] [Parameter(Mandatory = $false, HelpMessage = "Specify this to test only the default domain for password expiration and DKIM Config for tests '1.3.1' and 2.1.9. The domain name of your organization, e.g., 'example.com'.")]
[ValidatePattern('^[a-zA-Z0-9-]+\.[a-zA-Z]{2,}$')] [ValidatePattern('^[a-zA-Z0-9-]+\.[a-zA-Z]{2,}$')]
[string]$DomainName, [string]$DomainName,
# E-Level with optional ProfileLevel selection # E-Level with optional ProfileLevel selection
[Parameter(Mandatory = $true, ParameterSetName = 'ELevelFilter')] [Parameter(Mandatory = $true, ParameterSetName = 'ELevelFilter', HelpMessage = "Specifies the E-Level (E3 or E5) for the audit.")]
[ValidateSet('E3', 'E5')] [ValidateSet('E3', 'E5')]
[string]$ELevel, [string]$ELevel,
[Parameter(Mandatory = $true, ParameterSetName = 'ELevelFilter')] [Parameter(Mandatory = $true, ParameterSetName = 'ELevelFilter', HelpMessage = "Specifies the profile level (L1 or L2) for the audit.")]
[ValidateSet('L1', 'L2')] [ValidateSet('L1', 'L2')]
[string]$ProfileLevel, [string]$ProfileLevel,
# IG Filters, one at a time # IG Filters, one at a time
[Parameter(Mandatory = $true, ParameterSetName = 'IG1Filter')] [Parameter(Mandatory = $true, ParameterSetName = 'IG1Filter', HelpMessage = "Includes tests where IG1 is true.")]
[switch]$IncludeIG1, [switch]$IncludeIG1,
[Parameter(Mandatory = $true, ParameterSetName = 'IG2Filter')] [Parameter(Mandatory = $true, ParameterSetName = 'IG2Filter', HelpMessage = "Includes tests where IG2 is true.")]
[switch]$IncludeIG2, [switch]$IncludeIG2,
[Parameter(Mandatory = $true, ParameterSetName = 'IG3Filter')] [Parameter(Mandatory = $true, ParameterSetName = 'IG3Filter', HelpMessage = "Includes tests where IG3 is true.")]
[switch]$IncludeIG3, [switch]$IncludeIG3,
# Inclusion of specific recommendation numbers # Inclusion of specific recommendation numbers
[Parameter(Mandatory = $true, ParameterSetName = 'RecFilter')] [Parameter(Mandatory = $true, ParameterSetName = 'RecFilter', HelpMessage = "Specifies specific recommendations to include in the audit. Accepts an array of recommendation numbers.")]
[ValidateSet( [ValidateSet(
'1.1.1', '1.1.3', '1.2.1', '1.2.2', '1.3.1', '1.3.3', '1.3.6', '2.1.1', '2.1.2', ` '1.1.1', '1.1.3', '1.2.1', '1.2.2', '1.3.1', '1.3.3', '1.3.6', '2.1.1', '2.1.2', `
'2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '3.1.1', '5.1.2.3', ` '2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '3.1.1', '5.1.2.3', `
@@ -166,7 +170,7 @@ function Invoke-M365SecurityAudit {
[string[]]$IncludeRecommendation, [string[]]$IncludeRecommendation,
# Exclusion of specific recommendation numbers # Exclusion of specific recommendation numbers
[Parameter(Mandatory = $true, ParameterSetName = 'SkipRecFilter')] [Parameter(Mandatory = $true, ParameterSetName = 'SkipRecFilter', HelpMessage = "Specifies specific recommendations to exclude from the audit. Accepts an array of recommendation numbers.")]
[ValidateSet( [ValidateSet(
'1.1.1', '1.1.3', '1.2.1', '1.2.2', '1.3.1', '1.3.3', '1.3.6', '2.1.1', '2.1.2', ` '1.1.1', '1.1.3', '1.2.1', '1.2.2', '1.3.1', '1.3.3', '1.3.6', '2.1.1', '2.1.2', `
'2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '3.1.1', '5.1.2.3', ` '2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '3.1.1', '5.1.2.3', `
@@ -179,12 +183,27 @@ function Invoke-M365SecurityAudit {
[string[]]$SkipRecommendation, [string[]]$SkipRecommendation,
# Common parameters for all parameter sets # Common parameters for all parameter sets
[Parameter(Mandatory = $false, HelpMessage = "Specifies the approved cloud storage providers for the audit. Accepts an array of cloud storage provider names.")]
[ValidateSet(
'GoogleDrive', 'ShareFile', 'Box', 'DropBox', 'Egnyte'
)]
[string[]]$ApprovedCloudStorageProviders = @(),
[Parameter(Mandatory = $false, HelpMessage = "Specifies the approved federated domains for the audit test 8.2.1. Accepts an array of allowed domain names.")]
[string[]]$ApprovedFederatedDomains,
[Parameter(Mandatory = $false, HelpMessage = "Specifies that the cmdlet will not establish a connection to Microsoft 365 services.")]
[switch]$DoNotConnect, [switch]$DoNotConnect,
[Parameter(Mandatory = $false, HelpMessage = "Specifies that the cmdlet will not disconnect from Microsoft 365 services after execution.")]
[switch]$DoNotDisconnect, [switch]$DoNotDisconnect,
[Parameter(Mandatory = $false, HelpMessage = "Specifies that the cmdlet will not check for the presence of required modules.")]
[switch]$NoModuleCheck, [switch]$NoModuleCheck,
[Parameter(Mandatory = $false, HelpMessage = "Specifies that the cmdlet will not prompt for confirmation before proceeding with established connections and will disconnect from all of them.")]
[switch]$DoNotConfirmConnections [switch]$DoNotConfirmConnections
) )
Begin { Begin {
if ($script:MaximumFunctionCount -lt 8192) { if ($script:MaximumFunctionCount -lt 8192) {
$script:MaximumFunctionCount = 8192 $script:MaximumFunctionCount = 8192
@@ -286,7 +305,7 @@ function Invoke-M365SecurityAudit {
Write-Progress -Activity "Executing Tests" -Status "Executing $($currentTestIndex) of $($totalTests): $($testFunction.Name)" -PercentComplete (($currentTestIndex / $totalTests) * 100) Write-Progress -Activity "Executing Tests" -Status "Executing $($currentTestIndex) of $($totalTests): $($testFunction.Name)" -PercentComplete (($currentTestIndex / $totalTests) * 100)
$functionName = $testFunction.BaseName $functionName = $testFunction.BaseName
if ($PSCmdlet.ShouldProcess($functionName, "Execute test")) { if ($PSCmdlet.ShouldProcess($functionName, "Execute test")) {
$auditResult = Invoke-TestFunction -FunctionFile $testFunction -DomainName $DomainName $auditResult = Invoke-TestFunction -FunctionFile $testFunction -DomainName $DomainName -ApprovedCloudStorageProviders $ApprovedCloudStorageProviders -ApprovedFederatedDomains $ApprovedFederatedDomains
# Add the result to the collection # Add the result to the collection
[void]$allAuditResults.Add($auditResult) [void]$allAuditResults.Add($auditResult)
} }

168
source/en-US/M365FoundationsCISReport-help.xml
View File

@@ -908,6 +908,30 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com
</dev:type> </dev:type>
<dev:defaultValue>None</dev:defaultValue> <dev:defaultValue>None</dev:defaultValue>
</command:parameter> </command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>ApprovedCloudStorageProviders</maml:name>
<maml:description>
<maml:para>Specifies the approved cloud storage providers for the audit. Accepts an array of cloud storage provider names.</maml:para>
</maml:description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type>
<maml:name>String[]</maml:name>
<maml:uri />
</dev:type>
<dev:defaultValue>@()</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>ApprovedFederatedDomains</maml:name>
<maml:description>
<maml:para>Specifies the approved federated domains for the audit test 8.2.1. Accepts an array of allowed domain names.</maml:para>
</maml:description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type>
<maml:name>String[]</maml:name>
<maml:uri />
</dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>DoNotConnect</maml:name> <maml:name>DoNotConnect</maml:name>
<maml:description> <maml:description>
@@ -1012,6 +1036,30 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com
</dev:type> </dev:type>
<dev:defaultValue>False</dev:defaultValue> <dev:defaultValue>False</dev:defaultValue>
</command:parameter> </command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>ApprovedCloudStorageProviders</maml:name>
<maml:description>
<maml:para>Specifies the approved cloud storage providers for the audit. Accepts an array of cloud storage provider names.</maml:para>
</maml:description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type>
<maml:name>String[]</maml:name>
<maml:uri />
</dev:type>
<dev:defaultValue>@()</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>ApprovedFederatedDomains</maml:name>
<maml:description>
<maml:para>Specifies the approved federated domains for the audit test 8.2.1. Accepts an array of allowed domain names.</maml:para>
</maml:description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type>
<maml:name>String[]</maml:name>
<maml:uri />
</dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>DoNotConnect</maml:name> <maml:name>DoNotConnect</maml:name>
<maml:description> <maml:description>
@@ -1116,6 +1164,30 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com
</dev:type> </dev:type>
<dev:defaultValue>False</dev:defaultValue> <dev:defaultValue>False</dev:defaultValue>
</command:parameter> </command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>ApprovedCloudStorageProviders</maml:name>
<maml:description>
<maml:para>Specifies the approved cloud storage providers for the audit. Accepts an array of cloud storage provider names.</maml:para>
</maml:description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type>
<maml:name>String[]</maml:name>
<maml:uri />
</dev:type>
<dev:defaultValue>@()</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>ApprovedFederatedDomains</maml:name>
<maml:description>
<maml:para>Specifies the approved federated domains for the audit test 8.2.1. Accepts an array of allowed domain names.</maml:para>
</maml:description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type>
<maml:name>String[]</maml:name>
<maml:uri />
</dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>DoNotConnect</maml:name> <maml:name>DoNotConnect</maml:name>
<maml:description> <maml:description>
@@ -1220,6 +1292,30 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com
</dev:type> </dev:type>
<dev:defaultValue>False</dev:defaultValue> <dev:defaultValue>False</dev:defaultValue>
</command:parameter> </command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>ApprovedCloudStorageProviders</maml:name>
<maml:description>
<maml:para>Specifies the approved cloud storage providers for the audit. Accepts an array of cloud storage provider names.</maml:para>
</maml:description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type>
<maml:name>String[]</maml:name>
<maml:uri />
</dev:type>
<dev:defaultValue>@()</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>ApprovedFederatedDomains</maml:name>
<maml:description>
<maml:para>Specifies the approved federated domains for the audit test 8.2.1. Accepts an array of allowed domain names.</maml:para>
</maml:description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type>
<maml:name>String[]</maml:name>
<maml:uri />
</dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>DoNotConnect</maml:name> <maml:name>DoNotConnect</maml:name>
<maml:description> <maml:description>
@@ -1325,6 +1421,30 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com
</dev:type> </dev:type>
<dev:defaultValue>None</dev:defaultValue> <dev:defaultValue>None</dev:defaultValue>
</command:parameter> </command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>ApprovedCloudStorageProviders</maml:name>
<maml:description>
<maml:para>Specifies the approved cloud storage providers for the audit. Accepts an array of cloud storage provider names.</maml:para>
</maml:description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type>
<maml:name>String[]</maml:name>
<maml:uri />
</dev:type>
<dev:defaultValue>@()</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>ApprovedFederatedDomains</maml:name>
<maml:description>
<maml:para>Specifies the approved federated domains for the audit test 8.2.1. Accepts an array of allowed domain names.</maml:para>
</maml:description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type>
<maml:name>String[]</maml:name>
<maml:uri />
</dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>DoNotConnect</maml:name> <maml:name>DoNotConnect</maml:name>
<maml:description> <maml:description>
@@ -1430,6 +1550,30 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com
</dev:type> </dev:type>
<dev:defaultValue>None</dev:defaultValue> <dev:defaultValue>None</dev:defaultValue>
</command:parameter> </command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>ApprovedCloudStorageProviders</maml:name>
<maml:description>
<maml:para>Specifies the approved cloud storage providers for the audit. Accepts an array of cloud storage provider names.</maml:para>
</maml:description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type>
<maml:name>String[]</maml:name>
<maml:uri />
</dev:type>
<dev:defaultValue>@()</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>ApprovedFederatedDomains</maml:name>
<maml:description>
<maml:para>Specifies the approved federated domains for the audit test 8.2.1. Accepts an array of allowed domain names.</maml:para>
</maml:description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type>
<maml:name>String[]</maml:name>
<maml:uri />
</dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>DoNotConnect</maml:name> <maml:name>DoNotConnect</maml:name>
<maml:description> <maml:description>
@@ -1607,6 +1751,30 @@ Retrieves the MFA status for the specified user with the UPN "example@domain.com
</dev:type> </dev:type>
<dev:defaultValue>None</dev:defaultValue> <dev:defaultValue>None</dev:defaultValue>
</command:parameter> </command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>ApprovedCloudStorageProviders</maml:name>
<maml:description>
<maml:para>Specifies the approved cloud storage providers for the audit. Accepts an array of cloud storage provider names.</maml:para>
</maml:description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type>
<maml:name>String[]</maml:name>
<maml:uri />
</dev:type>
<dev:defaultValue>@()</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>ApprovedFederatedDomains</maml:name>
<maml:description>
<maml:para>Specifies the approved federated domains for the audit test 8.2.1. Accepts an array of allowed domain names.</maml:para>
</maml:description>
<command:parameterValue required="true" variableLength="false">String[]</command:parameterValue>
<dev:type>
<maml:name>String[]</maml:name>
<maml:uri />
</dev:type>
<dev:defaultValue>None</dev:defaultValue>
</command:parameter>
<command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none"> <command:parameter required="false" variableLength="true" globbing="false" pipelineInput="False" position="named" aliases="none">
<maml:name>DoNotConnect</maml:name> <maml:name>DoNotConnect</maml:name>
<maml:description> <maml:description>

9
source/tests/Test-BlockChannelEmails.ps1
View File

@@ -5,16 +5,14 @@ function Test-BlockChannelEmails {
# Aligned # Aligned
# Parameters can be added here if needed # Parameters can be added here if needed
) )
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.1.2" $recnum = "8.1.2"
Write-Verbose "Running Test-BlockChannelEmails for $recnum..."
} }
process { process {
try { try {
# 8.1.2 (L1) Ensure users can't send emails to a channel email address # 8.1.2 (L1) Ensure users can't send emails to a channel email address
# #
@@ -31,11 +29,9 @@ function Test-BlockChannelEmails {
# - Condition A: The `AllowEmailIntoChannel` setting in Teams is not set to `False`. # - Condition A: The `AllowEmailIntoChannel` setting in Teams is not set to `False`.
# - Condition B: The setting `Users can send emails to a channel email address` is not set to `Off` in the Teams admin center. # - Condition B: The setting `Users can send emails to a channel email address` is not set to `Off` in the Teams admin center.
# - Condition C: Verification using PowerShell indicates that the `AllowEmailIntoChannel` setting is enabled. # - Condition C: Verification using PowerShell indicates that the `AllowEmailIntoChannel` setting is enabled.
# Retrieve Teams client configuration # Retrieve Teams client configuration
$teamsClientConfig = Get-CISMSTeamsOutput -Rec $recnum $teamsClientConfig = Get-CISMSTeamsOutput -Rec $recnum
$allowEmailIntoChannel = $teamsClientConfig.AllowEmailIntoChannel $allowEmailIntoChannel = $teamsClientConfig.AllowEmailIntoChannel
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if ($allowEmailIntoChannel) { $failureReasons = if ($allowEmailIntoChannel) {
"Emails can be sent to a channel email address" # Condition A Fail: AllowEmailIntoChannel is True "Emails can be sent to a channel email address" # Condition A Fail: AllowEmailIntoChannel is True
@@ -43,14 +39,12 @@ function Test-BlockChannelEmails {
else { else {
"N/A" # Condition A Pass: AllowEmailIntoChannel is False "N/A" # Condition A Pass: AllowEmailIntoChannel is False
} }
$details = if ($allowEmailIntoChannel) { $details = if ($allowEmailIntoChannel) {
"AllowEmailIntoChannel is set to True" # Condition B Fail: Emails are allowed "AllowEmailIntoChannel is set to True" # Condition B Fail: Emails are allowed
} }
else { else {
"AllowEmailIntoChannel is set to False" # Condition B Pass: Emails are blocked "AllowEmailIntoChannel is set to False" # Condition B Pass: Emails are blocked
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = $recnum Rec = $recnum
@@ -66,7 +60,6 @@ function Test-BlockChannelEmails {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum $auditResult = Get-TestError -LastError $LastError -recnum $recnum
} }
} }
end { end {
# Return the audit result # Return the audit result
return $auditResult return $auditResult

15
source/tests/Test-DialInBypassLobby.ps1
View File

@@ -5,16 +5,14 @@ function Test-DialInBypassLobby {
# Aligned # Aligned
# Parameters can be defined here if needed # Parameters can be defined here if needed
) )
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.5.4" $recnum = "8.5.4"
Write-Verbose "Running Test-DialInBypassLobby for $recnum..."
} }
process { process {
try { try {
# 8.5.4 (L1) Ensure users dialing in can't bypass the lobby # 8.5.4 (L1) Ensure users dialing in can't bypass the lobby
# #
@@ -31,11 +29,15 @@ function Test-DialInBypassLobby {
# - Condition A: The `AllowPSTNUsersToBypassLobby` setting in the Global Teams meeting policy is not set to `False`. # - Condition A: The `AllowPSTNUsersToBypassLobby` setting in the Global Teams meeting policy is not set to `False`.
# - Condition B: Verification using the UI in the Microsoft Teams admin center shows that "People dialing in can't bypass the lobby" is not set to `Off`. # - Condition B: Verification using the UI in the Microsoft Teams admin center shows that "People dialing in can't bypass the lobby" is not set to `Off`.
# - Condition C: Individuals who dial in by phone are able to join the meeting directly without waiting in the lobby. # - Condition C: Individuals who dial in by phone are able to join the meeting directly without waiting in the lobby.
# Retrieve Teams meeting policy for PSTN users # Retrieve Teams meeting policy for PSTN users
# $CsTeamsMeetingPolicyPSTN Mock Object
<#
$CsTeamsMeetingPolicyPSTN = [PSCustomObject]@{
AllowPSTNUsersToBypassLobby = $true
}
#>
$CsTeamsMeetingPolicyPSTN = Get-CISMSTeamsOutput -Rec $recnum $CsTeamsMeetingPolicyPSTN = Get-CISMSTeamsOutput -Rec $recnum
$PSTNBypassDisabled = -not $CsTeamsMeetingPolicyPSTN.AllowPSTNUsersToBypassLobby $PSTNBypassDisabled = -not $CsTeamsMeetingPolicyPSTN.AllowPSTNUsersToBypassLobby
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $PSTNBypassDisabled) { $failureReasons = if (-not $PSTNBypassDisabled) {
"Users dialing in can bypass the lobby" "Users dialing in can bypass the lobby"
@@ -43,14 +45,12 @@ function Test-DialInBypassLobby {
else { else {
"N/A" "N/A"
} }
$details = if ($PSTNBypassDisabled) { $details = if ($PSTNBypassDisabled) {
"AllowPSTNUsersToBypassLobby is set to False" "AllowPSTNUsersToBypassLobby is set to False"
} }
else { else {
"AllowPSTNUsersToBypassLobby is set to True" "AllowPSTNUsersToBypassLobby is set to True"
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = $recnum Rec = $recnum
@@ -66,7 +66,6 @@ function Test-DialInBypassLobby {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum $auditResult = Get-TestError -LastError $LastError -recnum $recnum
} }
} }
end { end {
# Return the audit result # Return the audit result
return $auditResult return $auditResult

16
source/tests/Test-ExternalNoControl.ps1
View File

@@ -5,17 +5,14 @@ function Test-ExternalNoControl {
# Aligned # Aligned
# Parameters can be defined here if needed # Parameters can be defined here if needed
) )
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
# . .\source\Classes\CISAuditResult.ps1 # . .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.5.7" $recnum = "8.5.7"
Write-Verbose "Running Test-ExternalNoControl for $recnum..."
} }
process { process {
try { try {
# 8.5.7 (L1) Ensure external participants can't give or request control # 8.5.7 (L1) Ensure external participants can't give or request control
# #
@@ -32,12 +29,16 @@ function Test-ExternalNoControl {
# - Condition A: The `AllowExternalParticipantGiveRequestControl` setting in Teams is not set to `False`. # - Condition A: The `AllowExternalParticipantGiveRequestControl` setting in Teams is not set to `False`.
# - Condition B: The setting is verified through the Microsoft Teams admin center or via PowerShell command. # - Condition B: The setting is verified through the Microsoft Teams admin center or via PowerShell command.
# - Condition C: Verification using the UI indicates that external participants can give or request control. # - Condition C: Verification using the UI indicates that external participants can give or request control.
# Retrieve Teams meeting policy for external participant control # Retrieve Teams meeting policy for external participant control
# $CsTeamsMeetingPolicyControl Mock Object
<#
$CsTeamsMeetingPolicyControl = [PSCustomObject]@{
AllowExternalParticipantGiveRequestControl = $true
}
#>
$CsTeamsMeetingPolicyControl = Get-CISMSTeamsOutput -Rec $recnum $CsTeamsMeetingPolicyControl = Get-CISMSTeamsOutput -Rec $recnum
# Check if external participants can give or request control # Check if external participants can give or request control
$externalControlRestricted = -not $CsTeamsMeetingPolicyControl.AllowExternalParticipantGiveRequestControl $externalControlRestricted = -not $CsTeamsMeetingPolicyControl.AllowExternalParticipantGiveRequestControl
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $externalControlRestricted) { $failureReasons = if (-not $externalControlRestricted) {
"External participants can give or request control" "External participants can give or request control"
@@ -45,14 +46,12 @@ function Test-ExternalNoControl {
else { else {
"N/A" "N/A"
} }
$details = if ($externalControlRestricted) { $details = if ($externalControlRestricted) {
"AllowExternalParticipantGiveRequestControl is set to False" "AllowExternalParticipantGiveRequestControl is set to False"
} }
else { else {
"AllowExternalParticipantGiveRequestControl is set to True" "AllowExternalParticipantGiveRequestControl is set to True"
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = $recnum Rec = $recnum
@@ -68,7 +67,6 @@ function Test-ExternalNoControl {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum $auditResult = Get-TestError -LastError $LastError -recnum $recnum
} }
} }
end { end {
# Return the audit result # Return the audit result
return $auditResult return $auditResult

16
source/tests/Test-MeetingChatNoAnonymous.ps1
View File

@@ -5,14 +5,13 @@ function Test-MeetingChatNoAnonymous {
# Aligned # Aligned
# Parameters can be defined here if needed # Parameters can be defined here if needed
) )
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.5.5" $recnum = "8.5.5"
Write-Verbose "Running Test-MeetingChatNoAnonymous for $recnum..."
} }
process { process {
try { try {
# 8.5.5 (L2) Ensure meeting chat does not allow anonymous users # 8.5.5 (L2) Ensure meeting chat does not allow anonymous users
@@ -30,22 +29,24 @@ function Test-MeetingChatNoAnonymous {
# - Condition A: The `MeetingChatEnabledType` setting in Teams is not set to `EnabledExceptAnonymous`. # - Condition A: The `MeetingChatEnabledType` setting in Teams is not set to `EnabledExceptAnonymous`.
# - Condition B: The setting for meeting chat allows chat for anonymous users. # - Condition B: The setting for meeting chat allows chat for anonymous users.
# - Condition C: Verification using the Teams Admin Center indicates that the meeting chat settings are not configured as recommended. # - Condition C: Verification using the Teams Admin Center indicates that the meeting chat settings are not configured as recommended.
# Retrieve the Teams meeting policy for meeting chat # Retrieve the Teams meeting policy for meeting chat
# $CsTeamsMeetingPolicyChat Mock Object
<#
$CsTeamsMeetingPolicyChat = [PSCustomObject]@{
MeetingChatEnabledType = "Enabled"
}
#>
$CsTeamsMeetingPolicyChat = Get-CISMSTeamsOutput -Rec $recnum $CsTeamsMeetingPolicyChat = Get-CISMSTeamsOutput -Rec $recnum
# Condition A: Check if the MeetingChatEnabledType is set to 'EnabledExceptAnonymous' # Condition A: Check if the MeetingChatEnabledType is set to 'EnabledExceptAnonymous'
$chatAnonDisabled = $CsTeamsMeetingPolicyChat.MeetingChatEnabledType -eq 'EnabledExceptAnonymous' $chatAnonDisabled = $CsTeamsMeetingPolicyChat.MeetingChatEnabledType -eq 'EnabledExceptAnonymous'
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if ($chatAnonDisabled) { $failureReasons = if ($chatAnonDisabled) {
"N/A" "N/A"
} }
else { else {
"Meeting chat allows anonymous users" "Meeting chat allows anonymous users. User the following command to remediate:`nSet-CsTeamsMeetingPolicy -Identity Global -MeetingChatEnabledType `"EnabledExceptAnonymous`""
} }
$details = "MeetingChatEnabledType is set to $($CsTeamsMeetingPolicyChat.MeetingChatEnabledType)" $details = "MeetingChatEnabledType is set to $($CsTeamsMeetingPolicyChat.MeetingChatEnabledType)"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = $recnum Rec = $recnum
@@ -61,7 +62,6 @@ function Test-MeetingChatNoAnonymous {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum $auditResult = Get-TestError -LastError $LastError -recnum $recnum
} }
} }
end { end {
# Return the audit result # Return the audit result
return $auditResult return $auditResult

17
source/tests/Test-NoAnonymousMeetingJoin.ps1
View File

@@ -5,14 +5,13 @@ function Test-NoAnonymousMeetingJoin {
# Aligned # Aligned
# Parameters can be defined here if needed # Parameters can be defined here if needed
) )
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.5.1" $recnum = "8.5.1"
Write-Verbose "Running Test-NoAnonymousMeetingJoin for $recnum..."
} }
process { process {
try { try {
# 8.5.1 (L2) Ensure anonymous users can't join a meeting # 8.5.1 (L2) Ensure anonymous users can't join a meeting
@@ -30,22 +29,23 @@ function Test-NoAnonymousMeetingJoin {
# - Condition A: `AllowAnonymousUsersToJoinMeeting` is not set to `False`. # - Condition A: `AllowAnonymousUsersToJoinMeeting` is not set to `False`.
# - Condition B: Verification using the UI shows that `Anonymous users can join a meeting` is not set to `Off` in the Global meeting policy. # - Condition B: Verification using the UI shows that `Anonymous users can join a meeting` is not set to `Off` in the Global meeting policy.
# - Condition C: PowerShell command output indicates that anonymous users are allowed to join meetings. # - Condition C: PowerShell command output indicates that anonymous users are allowed to join meetings.
# Connect to Teams PowerShell using Connect-MicrosoftTeams # Connect to Teams PowerShell using Connect-MicrosoftTeams
# $teamsMeetingPolicy Mock Object
<#
$teamsMeetingPolicy = [PSCustomObject]@{
AllowAnonymousUsersToJoinMeeting = $true
}
#>
$teamsMeetingPolicy = Get-CISMSTeamsOutput -Rec $recnum $teamsMeetingPolicy = Get-CISMSTeamsOutput -Rec $recnum
$allowAnonymousUsersToJoinMeeting = $teamsMeetingPolicy.AllowAnonymousUsersToJoinMeeting $allowAnonymousUsersToJoinMeeting = $teamsMeetingPolicy.AllowAnonymousUsersToJoinMeeting
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if ($allowAnonymousUsersToJoinMeeting) { $failureReasons = if ($allowAnonymousUsersToJoinMeeting) {
"Anonymous users are allowed to join meetings" "Anonymous users are allowed to join meetings, remediate with the following command if needed:`nSet-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToJoinMeeting `$false"
} }
else { else {
"N/A" "N/A"
} }
$details = "AllowAnonymousUsersToJoinMeeting is set to $allowAnonymousUsersToJoinMeeting" $details = "AllowAnonymousUsersToJoinMeeting is set to $allowAnonymousUsersToJoinMeeting"
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = $recnum Rec = $recnum
@@ -61,7 +61,6 @@ function Test-NoAnonymousMeetingJoin {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum $auditResult = Get-TestError -LastError $LastError -recnum $recnum
} }
} }
end { end {
# Return the audit result # Return the audit result
return $auditResult return $auditResult

9
source/tests/Test-NoAnonymousMeetingStart.ps1
View File

@@ -5,14 +5,13 @@ function Test-NoAnonymousMeetingStart {
# Aligned # Aligned
# Parameters can be defined here if needed # Parameters can be defined here if needed
) )
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.5.2" $recnum = "8.5.2"
Write-Verbose "Running Test-NoAnonymousMeetingStart for $recnum..."
} }
process { process {
try { try {
# 8.5.2 (L1) Ensure anonymous users and dial-in callers can't start a meeting # 8.5.2 (L1) Ensure anonymous users and dial-in callers can't start a meeting
@@ -30,13 +29,10 @@ function Test-NoAnonymousMeetingStart {
# - Condition A: The `AllowAnonymousUsersToStartMeeting` setting in the Teams admin center is not set to `False`. # - Condition A: The `AllowAnonymousUsersToStartMeeting` setting in the Teams admin center is not set to `False`.
# - Condition B: The setting for anonymous users and dial-in callers starting a meeting allows them to bypass the lobby. # - Condition B: The setting for anonymous users and dial-in callers starting a meeting allows them to bypass the lobby.
# - Condition C: Verification using the UI indicates that the setting `Anonymous users and dial-in callers can start a meeting` is not set to `Off`. # - Condition C: Verification using the UI indicates that the setting `Anonymous users and dial-in callers can start a meeting` is not set to `Off`.
# Connect to Teams PowerShell using Connect-MicrosoftTeams # Connect to Teams PowerShell using Connect-MicrosoftTeams
# Retrieve the Teams meeting policy for the global scope and check if anonymous users can start meetings # Retrieve the Teams meeting policy for the global scope and check if anonymous users can start meetings
$CsTeamsMeetingPolicyAnonymous = Get-CISMSTeamsOutput -Rec $recnum $CsTeamsMeetingPolicyAnonymous = Get-CISMSTeamsOutput -Rec $recnum
$anonymousStartDisabled = -not $CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting $anonymousStartDisabled = -not $CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if ($anonymousStartDisabled) { $failureReasons = if ($anonymousStartDisabled) {
"N/A" "N/A"
@@ -44,9 +40,7 @@ function Test-NoAnonymousMeetingStart {
else { else {
"Anonymous users and dial-in callers can start a meeting" # Condition A and B "Anonymous users and dial-in callers can start a meeting" # Condition A and B
} }
$details = "AllowAnonymousUsersToStartMeeting is set to $($CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting)" # Condition C $details = "AllowAnonymousUsersToStartMeeting is set to $($CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting)" # Condition C
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = $recnum Rec = $recnum
@@ -62,7 +56,6 @@ function Test-NoAnonymousMeetingStart {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum $auditResult = Get-TestError -LastError $LastError -recnum $recnum
} }
} }
end { end {
# Return the audit result # Return the audit result
return $auditResult return $auditResult

11
source/tests/Test-OrgOnlyBypassLobby.ps1
View File

@@ -5,14 +5,13 @@ function Test-OrgOnlyBypassLobby {
# Aligned # Aligned
# Parameters can be defined here if needed # Parameters can be defined here if needed
) )
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.5.3" $recnum = "8.5.3"
Write-Verbose "Running Test-OrgOnlyBypassLobby for $recnum..."
} }
process { process {
try { try {
# 8.5.3 (L1) Ensure only people in my org can bypass the lobby # 8.5.3 (L1) Ensure only people in my org can bypass the lobby
@@ -30,28 +29,23 @@ function Test-OrgOnlyBypassLobby {
# - Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is not set to `EveryoneInCompanyExcludingGuests`. # - Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is not set to `EveryoneInCompanyExcludingGuests`.
# - Condition B: The setting for "Who can bypass the lobby" is not configured to "People in my org" using the UI. # - Condition B: The setting for "Who can bypass the lobby" is not configured to "People in my org" using the UI.
# - Condition C: Verification using the Microsoft Teams admin center indicates that the meeting join & lobby settings are not configured as recommended. # - Condition C: Verification using the Microsoft Teams admin center indicates that the meeting join & lobby settings are not configured as recommended.
# Connect to Teams PowerShell using Connect-MicrosoftTeams # Connect to Teams PowerShell using Connect-MicrosoftTeams
# Retrieve the Teams meeting policy for lobby bypass settings # Retrieve the Teams meeting policy for lobby bypass settings
$CsTeamsMeetingPolicyLobby = Get-CISMSTeamsOutput -Rec $recnum $CsTeamsMeetingPolicyLobby = Get-CISMSTeamsOutput -Rec $recnum
$lobbyBypassRestricted = $CsTeamsMeetingPolicyLobby.AutoAdmittedUsers -eq 'EveryoneInCompanyExcludingGuests' $lobbyBypassRestricted = $CsTeamsMeetingPolicyLobby.AutoAdmittedUsers -eq 'EveryoneInCompanyExcludingGuests'
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $lobbyBypassRestricted) { $failureReasons = if (-not $lobbyBypassRestricted) {
# Condition C: Verification using the Microsoft Teams admin center indicates that the meeting join & lobby settings are not configured as recommended. # Condition C: Verification using the Microsoft Teams admin center indicates that the meeting join & lobby settings are not configured as recommended.
"AutoAdmittedUsers is set to $($CsTeamsMeetingPolicyLobby.AutoAdmittedUsers)" "AutoAdmittedUsers is set to $($CsTeamsMeetingPolicyLobby.AutoAdmittedUsers)"
}else { }else {
"N/A" "N/A"
} }
$details = if ($lobbyBypassRestricted) { $details = if ($lobbyBypassRestricted) {
# Condition B: The setting for "Who can bypass the lobby" is configured to "People in my org" using the UI. # Condition B: The setting for "Who can bypass the lobby" is configured to "People in my org" using the UI.
"Only people in the organization can bypass the lobby." "Only people in the organization can bypass the lobby."
}else { }else {
# Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is not set to `EveryoneInCompanyExcludingGuests`. # Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is not set to `EveryoneInCompanyExcludingGuests`.
"External participants can bypass the lobby" "AutoAdmittedUsers is not set to EveryoneInCompanyExcludingGuests"
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
@@ -68,7 +62,6 @@ function Test-OrgOnlyBypassLobby {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum $auditResult = Get-TestError -LastError $LastError -recnum $recnum
} }
} }
end { end {
# Return the audit result # Return the audit result
return $auditResult return $auditResult

16
source/tests/Test-OrganizersPresent.ps1
View File

@@ -5,14 +5,13 @@ function Test-OrganizersPresent {
# Aligned # Aligned
# Parameters can be defined here if needed # Parameters can be defined here if needed
) )
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
#. .\source\Classes\CISAuditResult.ps1 #. .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.5.6" $recnum = "8.5.6"
Write-Verbose "Running Test-OrganizersPresent for $recnum..."
} }
process { process {
try { try {
# 8.5.6 (L2) Ensure only organizers and co-organizers can present # 8.5.6 (L2) Ensure only organizers and co-organizers can present
@@ -30,26 +29,28 @@ function Test-OrganizersPresent {
# - Condition A: The `DesignatedPresenterRoleMode` setting in the Teams meeting policy is not set to `OrganizerOnlyUserOverride`. # - Condition A: The `DesignatedPresenterRoleMode` setting in the Teams meeting policy is not set to `OrganizerOnlyUserOverride`.
# - Condition B: Verification using the Teams admin center indicates that the setting "Who can present" is not configured to "Only organizers and co-organizers". # - Condition B: Verification using the Teams admin center indicates that the setting "Who can present" is not configured to "Only organizers and co-organizers".
# - Condition C: Verification using PowerShell indicates that the `DesignatedPresenterRoleMode` is not set to `OrganizerOnlyUserOverride`. # - Condition C: Verification using PowerShell indicates that the `DesignatedPresenterRoleMode` is not set to `OrganizerOnlyUserOverride`.
# Retrieve the Teams meeting policy for presenters # Retrieve the Teams meeting policy for presenters
# $CsTeamsMeetingPolicyPresenters Mock Object
<#
$CsTeamsMeetingPolicyPresenters = [PSCustomObject]@{
DesignatedPresenterRoleMode = "Enabled"
}
#>
$CsTeamsMeetingPolicyPresenters = Get-CISMSTeamsOutput -Rec $recnum $CsTeamsMeetingPolicyPresenters = Get-CISMSTeamsOutput -Rec $recnum
$presenterRoleRestricted = $CsTeamsMeetingPolicyPresenters.DesignatedPresenterRoleMode -eq 'OrganizerOnlyUserOverride' $presenterRoleRestricted = $CsTeamsMeetingPolicyPresenters.DesignatedPresenterRoleMode -eq 'OrganizerOnlyUserOverride'
# Prepare failure reasons and details based on compliance # Prepare failure reasons and details based on compliance
$failureReasons = if (-not $presenterRoleRestricted) { $failureReasons = if (-not $presenterRoleRestricted) {
"Others besides organizers and co-organizers can present" "Others besides organizers and co-organizers can present. Use the following command to remediate:`nSet-CsTeamsMeetingPolicy -Identity Global -DesignatedPresenterRoleMode `"OrganizerOnlyUserOverride`""
} }
else { else {
"N/A" "N/A"
} }
$details = if ($presenterRoleRestricted) { $details = if ($presenterRoleRestricted) {
"Only organizers and co-organizers can present." "Only organizers and co-organizers can present."
} }
else { else {
"DesignatedPresenterRoleMode is set to $($CsTeamsMeetingPolicyPresenters.DesignatedPresenterRoleMode)" "DesignatedPresenterRoleMode is set to $($CsTeamsMeetingPolicyPresenters.DesignatedPresenterRoleMode)"
} }
# Create and populate the CISAuditResult object # Create and populate the CISAuditResult object
$params = @{ $params = @{
Rec = $recnum Rec = $recnum
@@ -65,7 +66,6 @@ function Test-OrganizersPresent {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum $auditResult = Get-TestError -LastError $LastError -recnum $recnum
} }
} }
end { end {
# Return the audit result # Return the audit result
return $auditResult return $auditResult

19
source/tests/Test-ReportSecurityInTeams.ps1
View File

@@ -18,9 +18,28 @@ function Test-ReportSecurityInTeams {
# 8.6.1 (L1) Ensure users can report security concerns in Teams # 8.6.1 (L1) Ensure users can report security concerns in Teams
# Retrieve the necessary settings for Teams and Exchange Online # Retrieve the necessary settings for Teams and Exchange Online
# Condition A: Ensure the 'Report a security concern' setting in the Teams admin center is set to 'On'. # Condition A: Ensure the 'Report a security concern' setting in the Teams admin center is set to 'On'.
# $CsTeamsMessagingPolicy Mock Object
<#
$CsTeamsMessagingPolicy = [PSCustomObject]@{
AllowSecurityEndUserReporting = $true
}
#>
$CsTeamsMessagingPolicy = Get-CISMSTeamsOutput -Rec $recnum $CsTeamsMessagingPolicy = Get-CISMSTeamsOutput -Rec $recnum
# Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal. # Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal.
# Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses. # Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses.
# $ReportSubmissionPolicy Mock Object
<#
$ReportSubmissionPolicy = [PSCustomObject]@{
ReportJunkToCustomizedAddress = $true
ReportNotJunkToCustomizedAddress = $true
ReportPhishToCustomizedAddress = $true
ReportJunkAddresses = @('security@example.com')
ReportNotJunkAddresses = @('security@example.com')
ReportPhishAddresses = @('security@example.com')
ReportChatMessageEnabled = $false
ReportChatMessageToCustomizedAddressEnabled = $false
}
#>
$ReportSubmissionPolicy = Get-CISExoOutput -Rec $recnum $ReportSubmissionPolicy = Get-CISExoOutput -Rec $recnum
# Check if all the required settings are enabled # Check if all the required settings are enabled
$securityReportEnabled = $CsTeamsMessagingPolicy.AllowSecurityEndUserReporting -and $securityReportEnabled = $CsTeamsMessagingPolicy.AllowSecurityEndUserReporting -and

73
source/tests/Test-TeamsExternalAccess.ps1
View File

@@ -2,17 +2,16 @@ function Test-TeamsExternalAccess {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])] [OutputType([CISAuditResult])]
param ( param (
# Aligned [Parameter(Mandatory = $false, HelpMessage = "Specifies the approved federated domains for the audit. Accepts an array of allowed domain names.")]
# Parameters can be defined here if needed [string[]]$ApprovedFederatedDomains
) )
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
# . .\source\Classes\CISAuditResult.ps1 # . .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.2.1" $recnum = "8.2.1"
Write-Verbose "Running Test-TeamsExternalAccess for $recnum..."
} }
process { process {
try { try {
# 8.2.1 (L1) Ensure 'external access' is restricted in the Teams admin center # 8.2.1 (L1) Ensure 'external access' is restricted in the Teams admin center
@@ -23,33 +22,60 @@ function Test-TeamsExternalAccess {
# - Condition A: The `AllowTeamsConsumer` setting is `False`. # - Condition A: The `AllowTeamsConsumer` setting is `False`.
# - Condition B: The `AllowPublicUsers` setting is `False`. # - Condition B: The `AllowPublicUsers` setting is `False`.
# - Condition C: The `AllowFederatedUsers` setting is `False` or, if `True`, the `AllowedDomains` contains only authorized domain names. # - Condition C: The `AllowFederatedUsers` setting is `False` or, if `True`, the `AllowedDomains` contains only authorized domain names.
#
# Validate test for a fail:
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
# - Specific conditions to check:
# - Condition A: The `AllowTeamsConsumer` setting is not `False`.
# - Condition B: The `AllowPublicUsers` setting is not `False`.
# - Condition C: The `AllowFederatedUsers` setting is `True` and the `AllowedDomains` contains unauthorized domain names or is not configured correctly.
# Connect to Teams PowerShell using Connect-MicrosoftTeams # Connect to Teams PowerShell using Connect-MicrosoftTeams
# $externalAccessConfig Mock Object
$externalAccessConfig = Get-CISMSTeamsOutput -Rec $recnum <#
$externalAccessConfig = [PSCustomObject]@{
$allowedDomainsLimited = $false Identity = 'Global'
if ($externalAccessConfig.AllowFederatedUsers -and $externalAccessConfig.AllowedDomains -and $externalAccessConfig.AllowedDomains.AllowedDomain.Count -gt 0) { AllowedDomains = 'AllowAllKnownDomains'
$allowedDomainsLimited = $true BlockedDomains = @()
AllowFederatedUsers = $true
AllowPublicUsers = $true
AllowTeamsConsumer = $true
AllowTeamsConsumerInbound = $true
}
$ApprovedFederatedDomains = @('msn.com', 'google.com')
$externalAccessConfig = [PSCustomObject]@{
Identity = 'Global'
AllowedDomains = @('msn.com', 'google.com')
BlockedDomains = @()
AllowFederatedUsers = $true
AllowPublicUsers = $false
AllowTeamsConsumer = $false
AllowTeamsConsumerInbound = $true
}
#>
$externalAccessConfig = Get-CISMSTeamsOutput -Rec $recnum
# Testing
#$externalAccessConfig.AllowedDomains = @("msn.com", "google.com")
#$externalAccessConfig.AllowTeamsConsumer = $false
#$externalAccessConfig.AllowPublicUsers = $false
#$externalAccessConfig.AllowFederatedUsers = $true
# The above is for testing and will be replaced with the actual values from the Teams PowerShell output in production.
$allowedDomainsLimited = $false
$allowedDomainsMatch = $false
$invalidDomains = @()
if ($externalAccessConfig.AllowFederatedUsers) {
if ($externalAccessConfig.AllowedDomains -ne 'AllowAllKnownDomains' -and $externalAccessConfig.AllowedDomains.Count -gt 0) {
$allowedDomainsLimited = $true
if ($ApprovedFederatedDomains) {
$invalidDomains = $externalAccessConfig.AllowedDomains | Where-Object { $_ -notin $ApprovedFederatedDomains }
if ($invalidDomains.Count -eq 0) {
$invalidDomains = "None"
}
$allowedDomainsMatch = $invalidDomains.Count -eq 0
}
}
} }
# Check if the configurations are as recommended # Check if the configurations are as recommended
$isCompliant = -not $externalAccessConfig.AllowTeamsConsumer -and -not $externalAccessConfig.AllowPublicUsers -and (-not $externalAccessConfig.AllowFederatedUsers -or $allowedDomainsLimited) $isCompliant = -not $externalAccessConfig.AllowTeamsConsumer -and -not $externalAccessConfig.AllowPublicUsers -and (-not $externalAccessConfig.AllowFederatedUsers -or ($allowedDomainsLimited -and $allowedDomainsMatch))
# Create an instance of CISAuditResult and populate it # Create an instance of CISAuditResult and populate it
$params = @{ $params = @{
Rec = $recnum Rec = $recnum
Result = $isCompliant Result = $isCompliant
Status = if ($isCompliant) { "Pass" } else { "Fail" } Status = if ($isCompliant) { "Pass" } else { "Fail" }
Details = "AllowTeamsConsumer: $($externalAccessConfig.AllowTeamsConsumer); AllowPublicUsers: $($externalAccessConfig.AllowPublicUsers); AllowFederatedUsers: $($externalAccessConfig.AllowFederatedUsers); AllowedDomains limited: $allowedDomainsLimited" Details = "AllowTeamsConsumer: $($externalAccessConfig.AllowTeamsConsumer); AllowPublicUsers: $($externalAccessConfig.AllowPublicUsers); AllowFederatedUsers: $($externalAccessConfig.AllowFederatedUsers); AllowedDomains limited: $allowedDomainsLimited; AllowedDomains match: $allowedDomainsMatch; Invalid Domains: $($invalidDomains -join ', ')"
FailureReason = if (-not $isCompliant) { "One or more external access configurations are not compliant." } else { "N/A" } FailureReason = if (-not $isCompliant) { "One or more external access configurations are not compliant. Invalid domains found: $($invalidDomains -join ', ')" } else { "N/A" }
} }
$auditResult = Initialize-CISAuditResult @params $auditResult = Initialize-CISAuditResult @params
} }
@@ -58,7 +84,6 @@ function Test-TeamsExternalAccess {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum $auditResult = Get-TestError -LastError $LastError -recnum $recnum
} }
} }
end { end {
# Return auditResult # Return auditResult
return $auditResult return $auditResult

42
source/tests/Test-TeamsExternalFileSharing.ps1
View File

@@ -2,48 +2,65 @@ function Test-TeamsExternalFileSharing {
[CmdletBinding()] [CmdletBinding()]
[OutputType([CISAuditResult])] [OutputType([CISAuditResult])]
param ( param (
# Aligned [Parameter(Mandatory = $false)]
# Parameters can be added here if needed [string[]]$ApprovedCloudStorageProviders
) )
begin { begin {
# Dot source the class script if necessary # Dot source the class script if necessary
# . .\source\Classes\CISAuditResult.ps1 # . .\source\Classes\CISAuditResult.ps1
# Initialization code, if needed # Initialization code, if needed
$recnum = "8.1.1" $recnum = "8.1.1"
Write-Verbose "Running Test-TeamsExternalFileSharing for $recnum..."
} }
process { process {
try { try {
# 8.1.1 (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services # 8.1.1 (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services
# Connect to Teams PowerShell using Connect-MicrosoftTeams # Connect to Teams PowerShell using Connect-MicrosoftTeams
# Condition A: The `AllowDropbox` setting is set to `False`. # Condition A: The `AllowDropbox` setting is set to `False`.
# Condition B: The `AllowBox` setting is set to `False`. # Condition B: The `AllowBox` setting is set to `False`.
# Condition C: The `AllowGoogleDrive` setting is set to `False`. # Condition C: The `AllowGoogleDrive` setting is set to `False`.
# Condition D: The `AllowShareFile` setting is set to `False`. # Condition D: The `AllowShareFile` setting is set to `False`.
# Condition E: The `AllowEgnyte` setting is set to `False`. # Condition E: The `AllowEgnyte` setting is set to `False`.
# Assuming that 'approvedProviders' is a list of approved cloud storage service names # Assuming that 'approvedProviders' is a list of approved cloud storage service names
# This list must be defined according to your organization's approved cloud storage services # This list must be defined according to your organization's approved cloud storage services
# Retrieve the current Teams client configuration
$clientConfig = Get-CISMSTeamsOutput -Rec $recnum $clientConfig = Get-CISMSTeamsOutput -Rec $recnum
$approvedProviders = @("AllowDropBox", "AllowBox", "AllowGoogleDrive", "AllowShareFile", "AllowEgnyte") # Testing
#$clientconfig.AllowGoogleDrive = $false
#$clientconfig.AllowBox = $false
#$clientconfig.AllowShareFile = $false
#$clientconfig.AllowEgnyte = $false
#$clientconfig.AllowDropBox = $false
# Define all possible cloud storage providers
$allProviders = @("AllowDropBox", "AllowBox", "AllowGoogleDrive", "AllowShareFile", "AllowEgnyte")
# If ApprovedCloudStorageProviders is provided, map it to the corresponding settings
if ($PSBoundParameters.ContainsKey('ApprovedCloudStorageProviders')) {
$approvedProviders = @()
foreach ($provider in $ApprovedCloudStorageProviders) {
$approvedProviders += "Allow$provider"
}
} else {
# Default approved providers
$approvedProviders = @()
}
$isCompliant = $true $isCompliant = $true
$nonCompliantProviders = @() $nonCompliantProviders = @()
foreach ($provider in $allProviders) {
foreach ($provider in $approvedProviders) { if ($clientConfig.$provider -and -not $approvedProviders.Contains($provider)) {
if (-not $clientConfig.$provider) {
$isCompliant = $false $isCompliant = $false
$nonCompliantProviders += $provider $nonCompliantProviders += $provider
} }
} }
$basePassDetails = "All cloud storage services are approved providers"
if ($ApprovedCloudStorageProviders) {
$basePassDetails = "Approved cloud storage services: $($ApprovedCloudStorageProviders -join ', ')"
}
# Create an instance of CISAuditResult and populate it # Create an instance of CISAuditResult and populate it
$params = @{ $params = @{
Rec = $recnum Rec = $recnum
Result = $isCompliant Result = $isCompliant
Status = if ($isCompliant) { "Pass" } else { "Fail" } Status = if ($isCompliant) { "Pass" } else { "Fail" }
Details = if (-not $isCompliant) { "Non-approved providers enabled: $($nonCompliantProviders -join ', ')" } else { "All cloud storage services are approved providers" } Details = if (-not $isCompliant) { "Non-approved providers enabled: $($nonCompliantProviders -join ', ')" } else { $basePassDetails }
FailureReason = if (-not $isCompliant) { "The following non-approved providers are enabled: $($nonCompliantProviders -join ', ')" } else { "N/A" } FailureReason = if (-not $isCompliant) { "The following non-approved providers are enabled: $($nonCompliantProviders -join ', ')" } else { "N/A" }
} }
$auditResult = Initialize-CISAuditResult @params $auditResult = Initialize-CISAuditResult @params
@@ -53,7 +70,6 @@ function Test-TeamsExternalFileSharing {
$auditResult = Get-TestError -LastError $LastError -recnum $recnum $auditResult = Get-TestError -LastError $LastError -recnum $recnum
} }
} }
end { end {
# Return auditResult # Return auditResult
return $auditResult return $auditResult