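<#
    .SYNOPSIS
        Retrieves the raw Microsoft Teams configuration object that a CIS M365 section 8 (Teams) test evaluates.

    .DESCRIPTION
        Private helper, not exported from the module. Given a CIS recommendation number it calls the matching
        MicrosoftTeams cmdlet (Get-CsTeamsClientConfiguration, Get-CsTenantFederationConfiguration,
        Get-CsTeamsMeetingPolicy or Get-CsTeamsMessagingPolicy) and returns the result unchanged; the calling
        Test-* function decides pass/fail. An existing Connect-MicrosoftTeams session is required.

    .PARAMETER Rec
        CIS recommendation number to fetch data for. Supported values: 8.1.1, 8.1.2, 8.2.1, 8.5.1, 8.5.2,
        8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7 and 8.6.1. Any other value throws.

    .EXAMPLE
        $teamsMeetingPolicy = Get-CISMSTeamsOutput -Rec '8.5.1'

    .OUTPUTS
        The object returned by the underlying Get-Cs* cmdlet, or the Select-Object projection of it for the
        8.5.2 - 8.5.7 and 8.6.1 cases.
#>
function Get-CISMSTeamsOutput {
    [cmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [String]$Rec
    )
    begin {
        # Recommendations handled by the switch in the process block:
        #   8.1.1, 8.1.2, 8.2.1, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.6.1
        # Anything else falls through to the default arm and throws.
    }
    process {
        try {
            Write-Verbose "Get-CISMSTeamsOutput: Returning data for Rec: $Rec"
            switch ($Rec) {
                '8.1.1' {
                    # Test-TeamsExternalFileSharing.ps1
                    # 8.1.1 (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services
                    # Connect to Teams PowerShell using Connect-MicrosoftTeams
                    #
                    # Condition A: The `AllowDropbox` setting is set to `False`.
                    # Condition B: The `AllowBox` setting is set to `False`.
                    # Condition C: The `AllowGoogleDrive` setting is set to `False`.
                    # Condition D: The `AllowShareFile` setting is set to `False`.
                    # Condition E: The `AllowEgnyte` setting is set to `False`.
                    #
                    # The list of approved providers belongs to the calling test and must be defined according to
                    # the organization's approved cloud storage services; this helper only returns the raw config.
                    # NOTE(review): unlike 8.1.2 no -Identity Global is passed here, so the cmdlet returns every
                    # client configuration instance rather than the Global one - confirm the caller handles that.
                    $clientConfig = Get-CsTeamsClientConfiguration
                    return $clientConfig
                }
                '8.1.2' {
                    # Test-BlockChannelEmails.ps1
                    # 8.1.2 (L1) Ensure users can't send emails to a channel email address
                    #
                    # Validate test for a pass:
                    # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
                    # - Specific conditions to check:
                    #   - Condition A: The `AllowEmailIntoChannel` setting in Teams is set to `False`.
                    #   - Condition B: The setting `Users can send emails to a channel email address` is set to `Off` in the Teams admin center.
                    #   - Condition C: Verification using PowerShell confirms that the `AllowEmailIntoChannel` setting is disabled.
                    #
                    # Validate test for a fail:
                    # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
                    # - Specific conditions to check:
                    #   - Condition A: The `AllowEmailIntoChannel` setting in Teams is not set to `False`.
                    #   - Condition B: The setting `Users can send emails to a channel email address` is not set to `Off` in the Teams admin center.
                    #   - Condition C: Verification using PowerShell indicates that the `AllowEmailIntoChannel` setting is enabled.
                    #
                    # Retrieve the Global Teams client configuration
                    $teamsClientConfig = Get-CsTeamsClientConfiguration -Identity Global
                    return $teamsClientConfig
                }
                '8.2.1' {
                    # Test-TeamsExternalAccess.ps1
                    # 8.2.1 (L1) Ensure 'external access' is restricted in the Teams admin center
                    #
                    # Validate test for a pass:
                    # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
                    # - Specific conditions to check:
                    #   - Condition A: The `AllowTeamsConsumer` setting is `False`.
                    #   - Condition B: The `AllowPublicUsers` setting is `False`.
                    #   - Condition C: The `AllowFederatedUsers` setting is `False` or, if `True`, the `AllowedDomains` contains only authorized domain names.
                    #
                    # Validate test for a fail:
                    # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
                    # - Specific conditions to check:
                    #   - Condition A: The `AllowTeamsConsumer` setting is not `False`.
                    #   - Condition B: The `AllowPublicUsers` setting is not `False`.
                    #   - Condition C: The `AllowFederatedUsers` setting is `True` and the `AllowedDomains` contains unauthorized domain names or is not configured correctly.
                    # Connect to Teams PowerShell using Connect-MicrosoftTeams
                    #
                    # $externalAccessConfig Mock Object (shape of the returned object, useful for Pester mocks)
                    <#
                        $externalAccessConfig = [PSCustomObject]@{
                            Identity                                    = 'Global'
                            AllowedDomains                              = 'AllowAllKnownDomains'
                            BlockedDomains                              = @()
                            AllowFederatedUsers                         = $true
                            AllowPublicUsers                            = $true
                            AllowTeamsConsumer                          = $true
                            AllowTeamsConsumerInbound                   = $true
                        }
                        $ApprovedFederatedDomains = @('msn.com', 'google.com')
                        $externalAccessConfig = [PSCustomObject]@{
                            Identity                                    = 'Global'
                            AllowedDomains                              = @('msn.com', 'google.com')
                            BlockedDomains                              = @()
                            AllowFederatedUsers                         = $true
                            AllowPublicUsers                            = $false
                            AllowTeamsConsumer                          = $false
                            AllowTeamsConsumerInbound                   = $true
                        }
                    #>
                    $externalAccessConfig = Get-CsTenantFederationConfiguration
                    return $externalAccessConfig
                }
                '8.5.1' {
                    # Test-NoAnonymousMeetingJoin.ps1
                    # 8.5.1 (L2) Ensure anonymous users can't join a meeting
                    #
                    # Validate test for a pass:
                    # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
                    # - Specific conditions to check:
                    #   - Condition A: `AllowAnonymousUsersToJoinMeeting` is set to `False`.
                    #   - Condition B: Verification using the UI confirms that `Anonymous users can join a meeting` is set to `Off` in the Global meeting policy.
                    #   - Condition C: PowerShell command output indicates that anonymous users are not allowed to join meetings.
                    #
                    # Validate test for a fail:
                    # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
                    # - Specific conditions to check:
                    #   - Condition A: `AllowAnonymousUsersToJoinMeeting` is not set to `False`.
                    #   - Condition B: Verification using the UI shows that `Anonymous users can join a meeting` is not set to `Off` in the Global meeting policy.
                    #   - Condition C: PowerShell command output indicates that anonymous users are allowed to join meetings.
                    # Connect to Teams PowerShell using Connect-MicrosoftTeams
                    #
                    # $teamsMeetingPolicy Mock Object
                    <#
                        $teamsMeetingPolicy = [PSCustomObject]@{
                            AllowAnonymousUsersToJoinMeeting            = $true
                        }
                    #>
                    # The full Global meeting policy is returned here (no Select-Object), unlike 8.5.2 - 8.5.7.
                    $teamsMeetingPolicy = Get-CsTeamsMeetingPolicy -Identity Global
                    return $teamsMeetingPolicy
                }
                '8.5.2' {
                    # Test-NoAnonymousMeetingStart.ps1
                    # 8.5.2 (L1) Ensure anonymous users and dial-in callers can't start a meeting
                    #
                    # Validate test for a pass:
                    # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
                    # - Specific conditions to check:
                    #   - Condition A: The `AllowAnonymousUsersToStartMeeting` setting in the Teams admin center is set to `False`.
                    #   - Condition B: The setting for anonymous users and dial-in callers starting a meeting is configured to ensure they must wait in the lobby.
                    #   - Condition C: Verification using the UI confirms that the setting `Anonymous users and dial-in callers can start a meeting` is set to `Off`.
                    #
                    # Validate test for a fail:
                    # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
                    # - Specific conditions to check:
                    #   - Condition A: The `AllowAnonymousUsersToStartMeeting` setting in the Teams admin center is not set to `False`.
                    #   - Condition B: The setting for anonymous users and dial-in callers starting a meeting allows them to bypass the lobby.
                    #   - Condition C: Verification using the UI indicates that the setting `Anonymous users and dial-in callers can start a meeting` is not set to `Off`.
                    # Connect to Teams PowerShell using Connect-MicrosoftTeams
                    #
                    # $CsTeamsMeetingPolicyAnonymous Mock Object
                    <#
                        $CsTeamsMeetingPolicyAnonymous = [PSCustomObject]@{
                            AllowAnonymousUsersToStartMeeting           = $true
                        }
                    #>
                    # Retrieve only the AllowAnonymousUsersToStartMeeting property of the Global meeting policy
                    $CsTeamsMeetingPolicyAnonymous = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowAnonymousUsersToStartMeeting
                    return $CsTeamsMeetingPolicyAnonymous
                }
                '8.5.3' {
                    # Test-OrgOnlyBypassLobby.ps1
                    # 8.5.3 (L1) Ensure only people in my org can bypass the lobby
                    #
                    # Validate test for a pass:
                    # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
                    # - Specific conditions to check:
                    #   - Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is set to `EveryoneInCompanyExcludingGuests`.
                    #   - Condition B: The setting for "Who can bypass the lobby" is configured to "People in my org" using the UI.
                    #   - Condition C: Verification using the Microsoft Teams admin center confirms that the meeting join & lobby settings are configured as recommended.
                    #
                    # Validate test for a fail:
                    # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
                    # - Specific conditions to check:
                    #   - Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is not set to `EveryoneInCompanyExcludingGuests`.
                    #   - Condition B: The setting for "Who can bypass the lobby" is not configured to "People in my org" using the UI.
                    #   - Condition C: Verification using the Microsoft Teams admin center indicates that the meeting join & lobby settings are not configured as recommended.
                    # Connect to Teams PowerShell using Connect-MicrosoftTeams
                    #
                    # $CsTeamsMeetingPolicyLobby Mock Object
                    <#
                        $CsTeamsMeetingPolicyLobby = [PSCustomObject]@{
                            AutoAdmittedUsers           = "OrganizerOnly"
                        }
                    #>
                    # Retrieve only the AutoAdmittedUsers (lobby bypass) property of the Global meeting policy
                    $CsTeamsMeetingPolicyLobby = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AutoAdmittedUsers
                    return $CsTeamsMeetingPolicyLobby
                }
                '8.5.4' {
                    # Test-DialInBypassLobby.ps1
                    # 8.5.4 (L1) Ensure users dialing in can't bypass the lobby
                    #
                    # Validate test for a pass:
                    # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
                    # - Specific conditions to check:
                    #   - Condition A: The `AllowPSTNUsersToBypassLobby` setting in the Global Teams meeting policy is set to `False`.
                    #   - Condition B: Verification using the UI in the Microsoft Teams admin center confirms that "People dialing in can't bypass the lobby" is set to `Off`.
                    #   - Condition C: Ensure that individuals who dial in by phone must wait in the lobby until admitted by a meeting organizer, co-organizer, or presenter.
                    #
                    # Validate test for a fail:
                    # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
                    # - Specific conditions to check:
                    #   - Condition A: The `AllowPSTNUsersToBypassLobby` setting in the Global Teams meeting policy is not set to `False`.
                    #   - Condition B: Verification using the UI in the Microsoft Teams admin center shows that "People dialing in can't bypass the lobby" is not set to `Off`.
                    #   - Condition C: Individuals who dial in by phone are able to join the meeting directly without waiting in the lobby.
                    #
                    # $CsTeamsMeetingPolicyPSTN Mock Object
                    <#
                        $CsTeamsMeetingPolicyPSTN = [PSCustomObject]@{
                            AllowPSTNUsersToBypassLobby           = $true
                        }
                    #>
                    # Retrieve only the AllowPSTNUsersToBypassLobby property of the Global meeting policy
                    $CsTeamsMeetingPolicyPSTN = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowPSTNUsersToBypassLobby
                    return $CsTeamsMeetingPolicyPSTN
                }
                '8.5.5' {
                    # Test-MeetingChatNoAnonymous.ps1
                    # 8.5.5 (L2) Ensure meeting chat does not allow anonymous users
                    #
                    # Validate test for a pass:
                    # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
                    # - Specific conditions to check:
                    #   - Condition A: The `MeetingChatEnabledType` setting in Teams is set to `EnabledExceptAnonymous`.
                    #   - Condition B: The setting for meeting chat is configured to allow chat for everyone except anonymous users.
                    #   - Condition C: Verification using the Teams Admin Center confirms that the meeting chat settings are configured as recommended.
                    #
                    # Validate test for a fail:
                    # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
                    # - Specific conditions to check:
                    #   - Condition A: The `MeetingChatEnabledType` setting in Teams is not set to `EnabledExceptAnonymous`.
                    #   - Condition B: The setting for meeting chat allows chat for anonymous users.
                    #   - Condition C: Verification using the Teams Admin Center indicates that the meeting chat settings are not configured as recommended.
                    #
                    # $CsTeamsMeetingPolicyChat Mock Object
                    <#
                        $CsTeamsMeetingPolicyChat = [PSCustomObject]@{
                            MeetingChatEnabledType           = "Enabled"
                        }
                    #>
                    # Retrieve only the MeetingChatEnabledType property of the Global meeting policy
                    $CsTeamsMeetingPolicyChat = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property MeetingChatEnabledType
                    return $CsTeamsMeetingPolicyChat
                }
                '8.5.6' {
                    # Test-OrganizersPresent.ps1
                    # 8.5.6 (L2) Ensure only organizers and co-organizers can present
                    #
                    # Validate test for a pass:
                    # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
                    # - Specific conditions to check:
                    #   - Condition A: The `DesignatedPresenterRoleMode` setting in the Teams meeting policy is set to `OrganizerOnlyUserOverride`.
                    #   - Condition B: Verification using the Teams admin center confirms that the setting "Who can present" is configured to "Only organizers and co-organizers".
                    #   - Condition C: Verification using PowerShell confirms that the `DesignatedPresenterRoleMode` is set to `OrganizerOnlyUserOverride`.
                    #
                    # Validate test for a fail:
                    # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
                    # - Specific conditions to check:
                    #   - Condition A: The `DesignatedPresenterRoleMode` setting in the Teams meeting policy is not set to `OrganizerOnlyUserOverride`.
                    #   - Condition B: Verification using the Teams admin center indicates that the setting "Who can present" is not configured to "Only organizers and co-organizers".
                    #   - Condition C: Verification using PowerShell indicates that the `DesignatedPresenterRoleMode` is not set to `OrganizerOnlyUserOverride`.
                    #
                    # $CsTeamsMeetingPolicyPresenters Mock Object
                    <#
                        $CsTeamsMeetingPolicyPresenters = [PSCustomObject]@{
                            DesignatedPresenterRoleMode           = "Enabled"
                        }
                    #>
                    # Retrieve only the DesignatedPresenterRoleMode property of the Global meeting policy
                    $CsTeamsMeetingPolicyPresenters = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property DesignatedPresenterRoleMode
                    return $CsTeamsMeetingPolicyPresenters
                }
                '8.5.7' {
                    # Test-ExternalNoControl.ps1
                    # 8.5.7 (L1) Ensure external participants can't give or request control
                    #
                    # Validate test for a pass:
                    # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
                    # - Specific conditions to check:
                    #   - Condition A: Ensure the `AllowExternalParticipantGiveRequestControl` setting in Teams is set to `False`.
                    #   - Condition B: The setting is verified through the Microsoft Teams admin center or via PowerShell command.
                    #   - Condition C: Verification using the UI confirms that external participants are unable to give or request control.
                    #
                    # Validate test for a fail:
                    # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
                    # - Specific conditions to check:
                    #   - Condition A: The `AllowExternalParticipantGiveRequestControl` setting in Teams is not set to `False`.
                    #   - Condition B: The setting is verified through the Microsoft Teams admin center or via PowerShell command.
                    #   - Condition C: Verification using the UI indicates that external participants can give or request control.
                    #
                    # $CsTeamsMeetingPolicyControl Mock Object
                    <#
                        $CsTeamsMeetingPolicyControl = [PSCustomObject]@{
                            AllowExternalParticipantGiveRequestControl           = $true
                        }
                    #>
                    # Retrieve only the AllowExternalParticipantGiveRequestControl property of the Global meeting policy
                    $CsTeamsMeetingPolicyControl = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowExternalParticipantGiveRequestControl
                    return $CsTeamsMeetingPolicyControl
                }
                '8.6.1' {
                    # Test-ReportSecurityInTeams.ps1
                    # 8.6.1 (L1) Ensure users can report security concerns in Teams
                    # Only the Teams side of this recommendation is fetched here; the Exchange Online side, if the
                    # test needs it, has to come from the calling test.
                    # Condition A: Ensure the 'Report a security concern' setting in the Teams admin center is set to 'On'.
                    #
                    # $CsTeamsMessagingPolicy Mock Object
                    <#
                        $CsTeamsMessagingPolicy = [PSCustomObject]@{
                            AllowSecurityEndUserReporting           = $true
                        }
                    #>
                    # Retrieve only the AllowSecurityEndUserReporting property of the Global messaging policy
                    $CsTeamsMessagingPolicy = Get-CsTeamsMessagingPolicy -Identity Global | Select-Object -Property AllowSecurityEndUserReporting
                    return $CsTeamsMessagingPolicy
                }
                default { throw "No match found for test: $Rec" }
            }
        }
        catch {
            # Re-throw with the function name prefixed so the calling test can attribute the failure.
            # Note that wrapping in a string discards the original ErrorRecord (type, position); callers
            # relying on the message text still work, so this is kept as-is.
            throw "Get-CISMSTeamsOutput: `n$_"
        }
    }
    end {
        Write-Verbose "Returning data for Rec: $Rec"
    }
} # end function Get-CISMSTeamsOutput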
 | |