2.8 - Ensure users installing Outlook add-ins is not allowed

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

By default, users can install add-ins in their Microsoft Outlook Desktop client, allowing data access within the client application.

Do not allow users to install add-ins in Outlook.

Rationale:

Attackers commonly use vulnerable and custom-built add-ins to access data in user applications.

While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully.

Disabling users' ability to install add-ins in Microsoft Outlook helps reduce your threat surface and mitigate this risk.

Impact:

Implementation of this change will impact both end users and administrators. End users will not be able to integrate third-party applications that they may wish to use. Administrators are likely to receive requests from end users to grant them permission to necessary third-party applications.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To prohibit users installing Outlook add-ins, use the Microsoft 365 Admin Center:

Select Admin Centers and Exchange.

Click on the Classic Exchange admin center at the bottom.

Select permissions from the Exchange navigation pane.

Select user roles.

De-select My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps.

To prohibit users installing Outlook add-ins, use the Microsoft Online PowerShell Module:

Connect to Microsoft Online service using Connect-MSOLService.

Run the following Microsoft Online PowerShell command:

# Create a new role assignment policy whose role list omits the three add-in roles
# (My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps).
$newPolicyName = 'Role Assignment Policy - Prevent Add-ins'
$revisedRoles = 'MyTeamMailboxes', 'MyTextMessaging', 'MyDistributionGroups', 'MyMailSubscriptions', 'MyBaseOptions', 'MyVoiceMail', 'MyProfileInformation', 'MyContactInformation', 'MyRetentionPolicies', 'MyDistributionGroupMembership'

New-RoleAssignmentPolicy -Name $newPolicyName -Roles $revisedRoles
# Make it the default for newly created mailboxes, then move every existing mailbox to it.
Set-RoleAssignmentPolicy -Identity $newPolicyName -IsDefault
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -RoleAssignmentPolicy $newPolicyName

If you have other Role Assignment Policies, modify the last line to filter out your custom policies.
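Because this audit is not performed by Nessus, the following script is an added example of how an administrator can verify the result themselves; it is not part of the CIS benchmark or the Tenable audit. It assumes an existing Exchange Online PowerShell session (Get-RoleAssignmentPolicy and Get-Mailbox are Exchange Online cmdlets, so it expects a session opened with Connect-ExchangeOnline from the ExchangeOnlineManagement module rather than Connect-MSOLService), and the function name and its ExcludePolicy parameter are the author's own. It flags every role assignment policy that still grants any of the three add-in roles and lists the mailboxes attached to such a policy, which is the actual exposure; the ExcludePolicy parameter covers the "other Role Assignment Policies" case mentioned above.

```powershell
# Added example, not from the benchmark: audit Exchange Online role assignment
# policies for the three end-user add-in roles and report mailboxes still exposed.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).

# The three roles this audit wants removed from end users.
$addInRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailboxApps')

function Test-OutlookAddInPolicyCompliance {
    [CmdletBinding()]
    param(
        # Names of policies you manage deliberately and do not want flagged (hypothetical).
        [string[]]$ExcludePolicy = @()
    )

    $policies = Get-RoleAssignmentPolicy | Where-Object { $ExcludePolicy -notcontains $_.Name }

    # One finding per policy: which add-in roles it still grants, if any.
    $findings = foreach ($policy in $policies) {
        # AssignedRoles lists the management roles granted by the policy; cast each
        # entry to a string so the comparison does not depend on the object type.
        $granted = @($policy.AssignedRoles | Where-Object { $addInRoles -contains "$_" })
        [pscustomobject]@{
            Policy     = $policy.Name
            IsDefault  = $policy.IsDefault
            AddInRoles = ($granted -join ', ')
            Compliant  = ($granted.Count -eq 0)
        }
    }

    # Mailboxes assigned to a non-compliant policy can still install add-ins.
    $badPolicies = @($findings | Where-Object { -not $_.Compliant } | Select-Object -ExpandProperty Policy)
    $exposed = @()
    if ($badPolicies.Count -gt 0) {
        # -ResultSize Unlimited walks every mailbox; expect this to take a while in large tenants.
        $exposed = @(Get-Mailbox -ResultSize Unlimited |
            Where-Object { $badPolicies -contains "$($_.RoleAssignmentPolicy)" } |
            Select-Object -ExpandProperty UserPrincipalName)
    }

    [pscustomobject]@{
        Policies            = $findings
        ExposedMailboxCount = $exposed.Count
        ExposedMailboxes    = $exposed
        Pass                = ($exposed.Count -eq 0)
    }
}

# Usage: run the check and show per-policy findings, then warn on any exposure.
$result = Test-OutlookAddInPolicyCompliance
$result.Policies | Format-Table -AutoSize
if (-not $result.Pass) {
    Write-Warning "$($result.ExposedMailboxCount) mailbox(es) can still install Outlook add-ins."
    $result.ExposedMailboxes
}
```

A policy that is no longer the default but still grants the add-in roles is not harmless on its own, which is why the check reports by mailbox rather than only by the IsDefault flag: after the remediation above, any mailbox the final Set-Mailbox line skipped (for example because it was filtered out) shows up in ExposedMailboxes.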

Default Value:

UI - My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps are checked.

PowerShell - My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps are present.

See Also

https://workbench.cisecurity.org/files/3729