2.8 - Ensure users installing Outlook add-ins is not allowed

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

By default, users can install add-ins in their Microsoft Outlook Desktop client, allowing data access within the client application.

Do not allow users to install add-ins in Outlook.

Rationale:

Attackers commonly use vulnerable and custom-built add-ins to access data in user applications.

While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully.

Disabling users' ability to install add-ins in Microsoft Outlook helps reduce your threat surface and mitigate this risk.

Impact:

Implementation of this change will impact both end users and administrators. End users will not be able to integrate third-party applications that they may wish to use. Administrators are likely to receive requests from end users to grant them permission to necessary third-party applications.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To prohibit users from installing Outlook add-ins, use the Microsoft 365 Admin Center:

Select Admin Centers and Exchange.

Click on the Classic Exchange admin center at the bottom.

Select permissions from the Exchange navigation pane.

Select user roles.

Double-click Default Role Assignment and deselect My Custom Apps, My Marketplace Apps, and My ReadWriteMailboxApps.

To prohibit users from installing Outlook add-ins, use the Microsoft Online PowerShell Module:

Connect to Microsoft Online service using Connect-MSOLService.

Run the following Microsoft Online PowerShell command:

# Name of the new, restricted role assignment policy.
$newPolicyName = 'Role Assignment Policy - Prevent Add-ins'

# The default end-user roles minus the three add-in roles
# (My Custom Apps, My Marketplace Apps, My ReadWriteMailboxApps).
$revisedRoles = 'MyTeamMailboxes', 'MyTextMessaging', 'MyDistributionGroups', 'MyMailSubscriptions', 'MyBaseOptions', 'MyVoiceMail', 'MyProfileInformation', 'MyContactInformation', 'MyRetentionPolicies', 'MyDistributionGroupMembership'

# Create the restricted policy, make it the default for new mailboxes,
# then move every existing mailbox onto it.
New-RoleAssignmentPolicy -Name $newPolicyName -Roles $revisedRoles
Set-RoleAssignmentPolicy -Identity $newPolicyName -IsDefault
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -RoleAssignmentPolicy $newPolicyName

If you have other Role Assignment Policies, modify the last line to filter out your custom policies.
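The following is an added example, not part of the benchmark text or Nessus's own check. It audits which role assignment policies still grant any of the three add-in roles, and moves only the mailboxes attached to such a policy onto the restricted policy created above, so custom policies that already lack the add-in roles are left untouched. It assumes an Exchange Online PowerShell session is already open (for example via Connect-ExchangeOnline from the ExchangeOnlineManagement module); the function names and the default of reporting without changing anything are choices made here, not something the page prescribes.

```powershell
# Added example; assumes an existing Exchange Online PowerShell session.

# The three end-user roles the benchmark wants removed (display names as
# returned in a policy's AssignedRoles collection).
$AddInRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailboxApps')

function Get-AddInPermissivePolicy {
    # Returns every role assignment policy that still grants at least one
    # add-in role, listing the offending roles so the result is reviewable.
    foreach ($policy in Get-RoleAssignmentPolicy) {
        $granted = @($policy.AssignedRoles | Where-Object { $AddInRoles -contains "$_" })
        if ($granted.Count -gt 0) {
            [pscustomobject]@{
                Policy     = $policy.Name
                IsDefault  = $policy.IsDefault
                AddInRoles = ($granted -join ', ')
            }
        }
    }
}

function Move-MailboxesOffPermissivePolicy {
    # Reassigns mailboxes that sit on a permissive policy to $TargetPolicy.
    # Without -Commit it only reports what would change (dry run).
    param(
        [Parameter(Mandatory)] [string] $TargetPolicy,
        [switch] $Commit
    )

    # Refuse to proceed if the target policy itself still grants an add-in role.
    $target = Get-RoleAssignmentPolicy -Identity $TargetPolicy
    $leak = @($target.AssignedRoles | Where-Object { $AddInRoles -contains "$_" })
    if ($leak.Count -gt 0) {
        throw "Target policy '$TargetPolicy' still grants: $($leak -join ', ')"
    }

    $permissive = @(Get-AddInPermissivePolicy | Select-Object -ExpandProperty Policy)
    if ($permissive.Count -eq 0) {
        Write-Verbose 'No policy grants the add-in roles; nothing to move.'
        return
    }

    # Only mailboxes on a permissive policy are touched; custom policies that
    # already omit the add-in roles keep their assignment.
    $affected = Get-Mailbox -ResultSize Unlimited |
        Where-Object { $permissive -contains "$($_.RoleAssignmentPolicy)" }

    foreach ($mbx in $affected) {
        if ($Commit) {
            Set-Mailbox -Identity $mbx.Identity -RoleAssignmentPolicy $TargetPolicy
        }
        [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            From    = "$($mbx.RoleAssignmentPolicy)"
            To      = $TargetPolicy
            Applied = [bool]$Commit
        }
    }
}

# Audit: which policies still allow add-in installation?
Get-AddInPermissivePolicy | Format-Table -AutoSize

# Dry run first, then re-run with -Commit once the list looks right.
Move-MailboxesOffPermissivePolicy -TargetPolicy 'Role Assignment Policy - Prevent Add-ins' |
    Format-Table -AutoSize
```

The audit function is also a convenient compliance check after remediation: an empty result means no policy in the tenant grants any of the three add-in roles, regardless of which policy each mailbox uses.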

Default Value:

UI - My Custom Apps is checked, My Marketplace Apps is checked, and My ReadWriteMailboxApps is checked.

PowerShell - My Custom Apps, My Marketplace Apps, and My ReadWriteMailboxApps are present.

See Also

https://workbench.cisecurity.org/files/4073