M365FoundationsCISReport

0.1.3

tests/Test-RestrictOutlookAddins.ps1

                                function Test-RestrictOutlookAddins {

    [CmdletBinding()]

    param (

        # Aligned

        # Parameters could include credentials or other necessary data

    )

    begin {

        # Dot source the class script if necessary

        #. .\source\Classes\CISAuditResult.ps1

        # Initialization code

        $customPolicyFailures = @()

        $defaultPolicyFailureDetails = @()

        $relevantRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps')

    }

    process {

        # 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed

        # Check all mailboxes for custom policies with unallowed add-ins

        $roleAssignmentPolicies = Get-EXOMailbox | Select-Object -Unique RoleAssignmentPolicy

        if ($roleAssignmentPolicies.RoleAssignmentPolicy) {

            foreach ($policy in $roleAssignmentPolicies) {

                if ($policy.RoleAssignmentPolicy) {

                    $rolePolicyDetails = Get-RoleAssignmentPolicy -Identity $policy.RoleAssignmentPolicy

                    $foundRoles = $rolePolicyDetails.AssignedRoles | Where-Object { $_ -in $relevantRoles }

                    if ($foundRoles) {

                        $customPolicyFailures += "Policy: $($policy.RoleAssignmentPolicy): Roles: $($foundRoles -join ', ')"

                    }

                }

            }

        }

        # Check Default Role Assignment Policy

        $defaultPolicy = Get-RoleAssignmentPolicy "Default Role Assignment Policy"

        $defaultPolicyRoles = $defaultPolicy.AssignedRoles | Where-Object { $_ -in $relevantRoles }

        if ($defaultPolicyRoles) {

            $defaultPolicyFailureDetails = $defaultPolicyRoles

        }

        # Prepare result details string

        $detailsString = ""

        if ($customPolicyFailures) {

            $detailsString += "Custom Policy Failures: | "

            $detailsString += ($customPolicyFailures -join " | ")

        }

        else {

            $detailsString += "Custom Policy Failures: None | "

        }

        $detailsString += "Default Role Assignment Policy: "

        if ($defaultPolicyFailureDetails) {

            $detailsString += ($defaultPolicyFailureDetails -join ', ')

        }

        else {

            $detailsString += "Compliant"

        }

        # Determine result based on findings

        $isCompliant = -not ($customPolicyFailures -or $defaultPolicyFailureDetails)

        # Create and populate the CISAuditResult object

        $params = @{

            Rec            = "6.3.1"

            Result         = $isCompliant

            Status         = if ($isCompliant) { "Pass" } else { "Fail" }

            Details        = $detailsString

            FailureReason  = if ($isCompliant) { "N/A" } else { "Unauthorized Outlook add-ins found in custom or default policies." }

        }

        $auditResult = Initialize-CISAuditResult @params

    }

    end {

        # Return the audit result

        return $auditResult

    }

}