1.3.4 (L1) Ensure 'User owned apps and services' is restricted

Information

By default, users can install add-ins in their Microsoft Word, Excel, and PowerPoint applications, allowing data access within the application.

Do not allow users to install add-ins in Word, Excel, or PowerPoint.

Attackers commonly use vulnerable and custom-built add-ins to access data in user applications.

While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully.

Disabling users' ability to install add-ins in Microsoft Word, Excel, or PowerPoint helps reduce your threat surface and mitigate this risk.

Solution

To remediate using the UI:

- Navigate to the Microsoft 365 admin center at https://admin.microsoft.com
- Click to expand Settings > Org settings
- In Services select User owned apps and services
- Uncheck Let users access the Office Store and Let users start trials on behalf of your organization
- Click Save

To remediate using PowerShell:

- Connect to the Microsoft Graph service using Connect-MgGraph -Scopes "OrgSettings-AppsAndServices.ReadWrite.All"
- Run the following Microsoft Graph PowerShell commands:

$uri = "https://graph.microsoft.com/beta/admin/appsAndServices"
# Both settings are set to $false: this disables the Office Store for users
# and prevents users from starting trials on behalf of the organization.
$body = @{
    "Settings" = @{
        "isAppAndServicesTrialEnabled" = $false
        "isOfficeStoreEnabled" = $false
    }
} | ConvertTo-Json
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body
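The following audit-then-remediate script is an added example; it is not part of the benchmark text and not Microsoft's own tooling. It reads the current state first so that an auditor can report on the control without changing anything, and only sends the PATCH when one of the two settings is still enabled. It assumes that a GET on the same beta endpoint returns a "settings" object carrying the two boolean properties used in the PATCH body above (isOfficeStoreEnabled and isAppAndServicesTrialEnabled); confirm that shape against your tenant before relying on the result.

```powershell
# Added example (not from the benchmark). Requires an existing Connect-MgGraph
# session with the scope named in the remediation steps:
#   Connect-MgGraph -Scopes "OrgSettings-AppsAndServices.ReadWrite.All"

function Get-UserOwnedAppsSetting {
    # Reads the current org-wide setting. ASSUMPTION: the response contains a
    # "settings" object with the same property names as the PATCH body.
    param(
        [string]$Uri = "https://graph.microsoft.com/beta/admin/appsAndServices"
    )
    $response = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
    $settings = $response.settings

    $storeEnabled = [bool]$settings.isOfficeStoreEnabled
    $trialEnabled = [bool]$settings.isAppAndServicesTrialEnabled

    # The control passes only when both are disabled.
    [pscustomobject]@{
        IsOfficeStoreEnabled         = $storeEnabled
        IsAppAndServicesTrialEnabled = $trialEnabled
        Compliant                    = (-not $storeEnabled) -and (-not $trialEnabled)
    }
}

function Set-UserOwnedAppsRestricted {
    # Applies the remediation only if the audit shows a gap, then re-reads the
    # setting so the caller gets confirmation rather than an assumption.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Uri = "https://graph.microsoft.com/beta/admin/appsAndServices"
    )
    $before = Get-UserOwnedAppsSetting -Uri $Uri
    if ($before.Compliant) {
        Write-Verbose "Already compliant: Office Store and trials are disabled."
        return $before
    }

    if ($PSCmdlet.ShouldProcess($Uri, "Disable Office Store and user-started trials")) {
        $body = @{
            "Settings" = @{
                "isAppAndServicesTrialEnabled" = $false
                "isOfficeStoreEnabled"         = $false
            }
        } | ConvertTo-Json
        Invoke-MgGraphRequest -Method PATCH -Uri $Uri -Body $body | Out-Null
    }

    # Re-read and return the post-change state for the audit record.
    Get-UserOwnedAppsSetting -Uri $Uri
}

# Usage:
#   Get-UserOwnedAppsSetting              # audit only, prints Compliant = True/False
#   Set-UserOwnedAppsRestricted -WhatIf   # show what would change without changing it
#   Set-UserOwnedAppsRestricted -Verbose  # remediate and return the confirmed state
```

Running Get-UserOwnedAppsSetting on a schedule and alerting when Compliant flips back to False is a cheap way to catch drift, since an administrator can re-enable the Office Store from the admin center at any time without leaving a trace in the Graph PATCH history you control.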

Impact:

Implementation of this change will impact both end users and administrators. End users will not be able to install add-ins that they may want to install.

See Also

https://workbench.cisecurity.org/benchmarks/20006

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|5.1

Plugin: microsoft_azure

Control ID: 5e660145e9e02f5820e15541e9730045a75a94b5cdb0357520c27936cf18c6e5