M365FoundationsCISReport

0.1.1

tests/Test-RestrictOutlookAddins.ps1

                                function Test-RestrictOutlookAddins {

    [CmdletBinding()]

    param (

        # Parameters could include credentials or other necessary data

    )

    begin {

        # Initialization code

        $auditResult = [CISAuditResult]::new()

        $customPolicyFailures = @()

        $defaultPolicyFailureDetails = @()

        $relevantRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps')

    }

    process {

        # Main functionality

        # 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed

        # Check all mailboxes for custom policies with unallowed add-ins

        $roleAssignmentPolicies = Get-EXOMailbox | Select-Object -Unique RoleAssignmentPolicy

        if ($roleAssignmentPolicies.RoleAssignmentPolicy) {

            foreach ($policy in $roleAssignmentPolicies) {

                if ($policy.RoleAssignmentPolicy) {

                    $rolePolicyDetails = Get-RoleAssignmentPolicy -Identity $policy.RoleAssignmentPolicy

                    $foundRoles = $rolePolicyDetails.AssignedRoles | Where-Object { $_ -in $relevantRoles }

                    if ($foundRoles) {

                        $customPolicyFailures += "Policy: $($policy.RoleAssignmentPolicy): Roles: $($foundRoles -join ', ')"

                    }

                }

            }

        }

        # Check Default Role Assignment Policy

        $defaultPolicy = Get-RoleAssignmentPolicy "Default Role Assignment Policy"

        $defaultPolicyRoles = $defaultPolicy.AssignedRoles | Where-Object { $_ -in $relevantRoles }

        if ($defaultPolicyRoles) {

            $defaultPolicyFailureDetails = $defaultPolicyRoles

        }

    }

    end {

        # Prepare result object

        $auditResult.Rec = "6.3.1"

        $auditResult.CISControl = "9.4"

        $auditResult.CISDescription = "Restrict Unnecessary or Unauthorized Browser and Email Client Extensions"

        $auditResult.ELevel = "E3"

        $auditResult.ProfileLevel = "L2"

        $auditResult.IG1 = $false

        $auditResult.IG2 = $true

        $auditResult.IG3 = $true

        $auditResult.RecDescription = "Ensure users installing Outlook add-ins is not allowed"

        $detailsString = ""

        if ($customPolicyFailures) {

            $detailsString += "Custom Policy Failures: | "

            # Use pipes or tabs here instead of newlines

            $detailsString += ($customPolicyFailures -join " | ")

        }

        else {

            $detailsString += "Custom Policy Failures: None | "

        }

        $detailsString += "Default Role Assignment Policy: "

        if ($defaultPolicyFailureDetails) {

            $detailsString += ($defaultPolicyFailureDetails -join ', ')

        }

        else {

            $detailsString += "Compliant"

        }

        if ($customPolicyFailures -or $defaultPolicyFailureDetails) {

            $auditResult.Result = $false

            $auditResult.Status = "Fail"

            $auditResult.Details = $detailsString

            $auditResult.FailureReason = "Unauthorized Outlook add-ins found in custom or default policies."

        }

        else {

            $auditResult.Result = $true

            $auditResult.Status = "Pass"

            $auditResult.Details = "No unauthorized Outlook add-ins found in custom or default policies."

            $auditResult.FailureReason = "N/A"

        }

        # Return auditResult

        return $auditResult

    }

}