1.3.7 (L2) Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web'

Information

Third-party storage can be enabled for users in Microsoft 365, allowing them to store and share documents using services such as Dropbox, alongside OneDrive and team sites.

Ensure Microsoft 365 on the web third-party storage services are restricted.

By using external storage services an organization may increase the risk of data breaches and unauthorized access to confidential information. Additionally, third-party services may not adhere to the same security standards as the organization, making it difficult to maintain data privacy and security.

Solution

To remediate using the UI:

- Navigate to the Microsoft 365 admin center: https://admin.microsoft.com

- Go to Settings > Org Settings > Services > Microsoft 365 on the web
- Uncheck Let users open files stored in third-party storage services in Microsoft 365 on the web

To remediate using PowerShell:

- Connect to Microsoft Graph using Connect-MgGraph -Scopes "Application.ReadWrite.All"
- Run the following script:

# Look up the service principal for the third-party storage integration by its application (client) ID.
$SP = Get-MgServicePrincipal -Filter "appId eq 'c1f33bc0-bdb4-4248-ba9b-096807ddb43e'"
# If the service principal doesn't exist in the tenant, create it first so it can be disabled.
if (-not $SP) {
    $SP = New-MgServicePrincipal -AppId "c1f33bc0-bdb4-4248-ba9b-096807ddb43e"
}

# Disabling the service principal (AccountEnabled = $false) blocks sign-ins through this integration.
Update-MgServicePrincipal -ServicePrincipalId $SP.Id -AccountEnabled:$false
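The remediation above only disables the service principal; it does not tell you whether a tenant is already compliant. The following audit script is an added example, not part of the benchmark's remediation or Tenable's plugin. It assumes the Microsoft.Graph PowerShell module is installed, that the `Application.Read.All` scope is sufficient for the lookup, and that the application ID is the same one the remediation script targets. A tenant where the service principal has never been created is reported as a finding here, mirroring the remediation, which creates the principal before disabling it; treat that interpretation as an assumption of this example.

```powershell
# Added audit example for control 1.3.7 (not the benchmark's own code).
# Requires: Microsoft.Graph module; a Graph session with Application.Read.All (read-only is enough to audit).
Connect-MgGraph -Scopes 'Application.Read.All'

# Application (client) ID used by the remediation script on this page.
$ThirdPartyStorageAppId = 'c1f33bc0-bdb4-4248-ba9b-096807ddb43e'

function Test-ThirdPartyStorageRestricted {
    <#
    .SYNOPSIS
        Reports PASS/FAIL for "third-party storage services restricted in Microsoft 365 on the web".
    .OUTPUTS
        A PSCustomObject with Control, Status, Reason and AccountEnabled fields.
    #>
    [CmdletBinding()]
    param(
        [string]$AppId = $ThirdPartyStorageAppId
    )

    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'" -ErrorAction Stop

    if (-not $sp) {
        # Assumption: no service principal means the integration has not been explicitly disabled,
        # which is why the remediation creates it before setting AccountEnabled to $false.
        return [pscustomobject]@{
            Control        = '1.3.7 Third-party storage services restricted'
            Status         = 'FAIL'
            Reason         = 'Service principal not present; run the remediation to create and disable it'
            AccountEnabled = $null
        }
    }

    # The control is satisfied only when sign-ins through this service principal are disabled.
    $restricted = ($sp.AccountEnabled -eq $false)

    return [pscustomobject]@{
        Control        = '1.3.7 Third-party storage services restricted'
        Status         = if ($restricted) { 'PASS' } else { 'FAIL' }
        Reason         = if ($restricted) { 'Service principal is disabled' } else { 'Service principal is enabled' }
        AccountEnabled = $sp.AccountEnabled
    }
}

# Run the check and show the result; a non-zero exit code lets a scheduled job flag drift.
$result = Test-ThirdPartyStorageRestricted
$result | Format-List
if ($result.Status -ne 'PASS') { exit 1 }
```

Because the check is read-only, it can be run on a schedule against each tenant and the `Status` field fed into whatever compliance tracking the organization already uses; re-running it after the remediation confirms the change took effect.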

Impact:

Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so.

See Also

https://workbench.cisecurity.org/benchmarks/20006

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|13.1, CSCv7|13.4

Plugin: microsoft_azure

Control ID: e051134d14d0b17adb01c012cd694cc2a7d896a4ff51957f8b144e7b080e0a6d