Application Permissions - Ensure Users Installing Outlook Add-ins Is Not Allowed

Summary

By default, users can install add-ins in their Microsoft Outlook desktop client themselves, which gives those add-ins access to data inside the client application.

Do not allow users to install Outlook add-ins.

Reason

Attackers often use vulnerable or custom-built add-ins to access data in user applications.

Although users are allowed to install add-ins themselves, letting them easily acquire add-ins that integrate with Microsoft applications represents a risk if those add-ins are not used and monitored carefully.

Users' ability to install add-ins in Microsoft Outlook should be disabled so that the associated risk is mitigated and the threat surface is reduced.

What If?

This change can impact both end users and administrators. End users will not be able to integrate third-party applications they wish to use, and administrators may receive requests from end users to grant them permission for the third-party applications they need.

How to?

To prohibit users from installing Outlook add-ins, use the Microsoft 365 Admin Center:
  1. Select Admin centers and Exchange.
  2. Select Classic Exchange admin center at the bottom.
  3. Click permissions from the Exchange navigation pane.
  4. Now, pick user roles.
  5. Double-click Default Role Assignment Policy and deselect My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps.

To prohibit users from installing Outlook add-ins, use the Microsoft Online PowerShell Module:

  1. Connect to Microsoft Online service using Connect-MSOLService.
  2. Run the following command:

# Create a new role assignment policy that omits the add-in roles (My Custom Apps,
# My Marketplace Apps, My ReadWriteMailboxApps), make it the default, and move
# every existing mailbox onto it.
$newPolicyName = "Role Assignment Policy - Prevent Add-ins"
$revisedRoles = "MyTeamMailboxes", "MyTextMessaging", "MyDistributionGroups", "MyProfileInformation", "MyContactInformation", "MyRetentionPolicies", "MyDistributionGroupMembership"

New-RoleAssignmentPolicy -Name $newPolicyName -Roles $revisedRoles
Set-RoleAssignmentPolicy -Identity $newPolicyName -IsDefault
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -RoleAssignmentPolicy $newPolicyName

If you have other Role Assignment Policies, modify the last line to filter out your custom policies.
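The admin center steps above remove the three add-in roles from the existing default policy rather than creating a new one. The following script is an added example, not part of the original post or of the CIS benchmark it summarises: it does the same thing from PowerShell by deleting the management role assignments that link those roles to the policy. It assumes an Exchange Online session (Connect-ExchangeOnline, as the Monitor section uses), and the function name Remove-OutlookAddInRoles is my own; the cmdlets Get-ManagementRoleAssignment and Remove-ManagementRoleAssignment are standard Exchange Online cmdlets.

```powershell
# Added example: strip the Outlook add-in roles from an existing role assignment
# policy. Assumes Connect-ExchangeOnline has already been run.

function Remove-OutlookAddInRoles {
    param(
        # Policy to clean up; the built-in default is the usual target.
        [string]$PolicyName = "Default Role Assignment Policy",
        # Pass -WhatIf to see which assignments would be removed without changing anything.
        [switch]$WhatIf
    )

    # Every role held by a policy is a management role assignment whose
    # RoleAssignee is the policy. The three add-in roles all match "My*Apps"
    # ("My Custom Apps", "My Marketplace Apps", "My ReadWriteMailboxApps").
    $assignments = Get-ManagementRoleAssignment -RoleAssignee $PolicyName |
        Where-Object { "$($_.Role)" -like "My*Apps" }

    if (-not $assignments) {
        Write-Host "No add-in roles found on '$PolicyName'; nothing to do."
        return
    }

    foreach ($assignment in $assignments) {
        Write-Host "Removing role '$($assignment.Role)' from '$PolicyName'"
        Remove-ManagementRoleAssignment -Identity $assignment.Identity -Confirm:$false -WhatIf:$WhatIf
    }
}

# Dry run first, then apply.
Remove-OutlookAddInRoles -WhatIf
Remove-OutlookAddInRoles
```

Because the roles are removed from the policy itself, mailboxes already assigned to it lose the add-in permissions without being reassigned; if you have custom policies, run the function once per policy name.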

Monitor

To verify that users installing Outlook add-ins are not allowed, use the Microsoft 365 Admin Center:
  1. Select Admin centers and Exchange.
  2. Select Classic Exchange admin center at the bottom.
  3. Click permissions from the Exchange navigation pane.
  4. Now, pick user roles.
  5. Double-click Default Role Assignment Policy to open it and verify that My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps are not checked.

To verify that users installing Outlook add-ins are not allowed, use the Microsoft Online PowerShell Module:

  1. Connect to Microsoft Online service using Connect-ExchangeOnline.
  2. Run the following command:

# List every role assignment policy in use by a mailbox that still carries an
# add-in role (role names containing "Apps").
Get-EXOMailbox | Select-Object -Unique RoleAssignmentPolicy | ForEach-Object {
    Get-RoleAssignmentPolicy -Identity $_.RoleAssignmentPolicy |
        Where-Object { $_.AssignedRoles -like "*Apps*" }
} | Select-Object Identity, @{
    Name = "AssignedRoles"
    Expression = {
        Get-Mailbox | Select-Object -Unique RoleAssignmentPolicy | ForEach-Object {
            Get-RoleAssignmentPolicy -Identity $_.RoleAssignmentPolicy |
                Select-Object -ExpandProperty AssignedRoles |
                Where-Object { $_ -like "*Apps*" }
        }
    }
}

  3. Verify that My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps are not present.
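The one-liner above answers "which policies still have add-in roles" but not "which mailboxes are affected", which is what an auditor usually has to report. The script below is an added example, not part of the original post: it flags every policy still carrying an add-in role and lists the mailboxes assigned to it, treating mailboxes with no explicit policy as using the default policy. It assumes an Exchange Online session (Connect-ExchangeOnline); the function name Get-OutlookAddInExposure is my own, while Get-RoleAssignmentPolicy and Get-EXOMailbox are standard Exchange Online cmdlets.

```powershell
# Added example: report mailboxes that can still install Outlook add-ins.
# Assumes Connect-ExchangeOnline has already been run.

function Get-OutlookAddInExposure {
    # Map policy name -> the add-in roles it still holds.
    $flagged = @{}
    foreach ($policy in Get-RoleAssignmentPolicy) {
        $addInRoles = @($policy.AssignedRoles | Where-Object { "$_" -like "My*Apps" })
        if ($addInRoles.Count -gt 0) {
            $flagged[$policy.Name] = $addInRoles
        }
    }

    # Mailboxes without an explicit policy fall back to the default policy.
    $defaultPolicy = (Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }).Name

    Get-EXOMailbox -ResultSize Unlimited -Properties RoleAssignmentPolicy |
        ForEach-Object {
            $policyName = if ($_.RoleAssignmentPolicy) { "$($_.RoleAssignmentPolicy)" } else { $defaultPolicy }
            if ($flagged.ContainsKey($policyName)) {
                [pscustomobject]@{
                    Mailbox    = $_.UserPrincipalName
                    Policy     = $policyName
                    AddInRoles = ($flagged[$policyName] -join ", ")
                }
            }
        }
}

$exposed = @(Get-OutlookAddInExposure)
if ($exposed.Count -eq 0) {
    Write-Host "Compliant: no mailbox is assigned a policy that allows Outlook add-ins."
} else {
    $exposed | Format-Table -AutoSize
}
```

An empty result is the compliant state; any row names a mailbox, the policy it inherits and the exact add-in roles to remove from that policy.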