
Secure & Manage Office 365 with PowerShell – The CIS Approach

Part 1: Auth Controls

Office 365 is central to your business needs and business continuity.  However, it exposes a large (maybe even the largest) risk surface in your organisation.  It is, therefore, crucial to secure it enough to mitigate this ever-present and continuous risk but keep it open enough to ensure as fluid a business as possible.  

Getting this balance right is difficult, and it can be hard to know where to start. Adopting a common security standard is a great place to begin. After that, it is a matter of adjusting the standard to suit your needs and rolling it out quickly and effectively. Through this series of articles, we will explore some basic PowerShell commands for Office 365 security. First, let us begin from scratch.

Understanding CIS Cloud Security Controls

The CIS Controls were built by a community of IT experts at the Center for Internet Security, leveraging their first-hand experience defending against advanced cyber-attacks. The CIS Controls are a prescriptive set of thorough defensive best practices that help organisations mitigate some of the most harmful cyber-attacks and support multi-framework compliance. The CIS Controls provide a blueprint and a clear pathway for organisations to initiate and continue working strategically towards their unique security journey.

Why CIS Security Controls?  

The CIS Controls are a great place to start. Not only are they a recognised and sensible framework, but CIS also publishes an Office 365 benchmark document to help you get there quickly. It is broken down into two control levels, L1 and L2, with the recommendation that you apply L1 controls first. The document lists each control along with its reasoning, audit and remediation steps. The steps are manual for the most part; however, Octiga is all about automation, so I will show you how each control can be scripted in PowerShell. Scripting in this way allows for consistent checking and remediation.

Office 365 CIS L1 Controls

Here we will cover many of the essential controls. Not every control is listed here, either because we do not deem it critical or because it cannot be automated.

We are going to cover the CIS controls over a multi-part blog. Here we start with Authentication and Authorisation Controls.

1.1.  Turn off Password Expiry

Reason: Passwords that expire force employees to create weak, reused or written-down passwords in an attempt to remember the new password.

Check:

Get-MsolPasswordPolicy -DomainName <DomainName> | ft ValidityPeriod

Remediate:

Set-MsolPasswordPolicy -ValidityPeriod 2147483647 -DomainName <DomainName> -NotificationDays 30

Notes: The value 2147483647 is the maximum allowable validity period, which effectively turns expiry off.
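The check and remediation above act on a single domain. As an added example (not code from the original post), the functions below audit every managed, verified domain in the tenant and remediate only the non-compliant ones, with -WhatIf support so the change can be previewed. It assumes Connect-MsolService has already been run; the MSOnline module the post uses has since been deprecated by Microsoft in favour of Microsoft Graph PowerShell, but the cmdlets here are the same ones the post uses.

```powershell
# Added example, not from the original post.
# Assumes: Connect-MsolService has been run with an account that can read and
# set the tenant password policy.

$NeverExpire = 2147483647   # maximum value accepted by -ValidityPeriod (see the note above)

function Get-PasswordExpiryPosture {
    <#
    .SYNOPSIS
      Returns one row per managed, verified domain with its current validity
      period and whether it meets CIS 1.1 (password expiry turned off).
    #>
    [CmdletBinding()]
    param()

    # Federated domains enforce password policy on-premises, so only managed
    # domains are in scope for this check.
    $domains = Get-MsolDomain | Where-Object {
        $_.Status -eq 'Verified' -and $_.Authentication -eq 'Managed'
    }

    foreach ($domain in $domains) {
        $policy = Get-MsolPasswordPolicy -DomainName $domain.Name
        [PSCustomObject]@{
            Domain           = $domain.Name
            ValidityPeriod   = $policy.ValidityPeriod
            NotificationDays = $policy.NotificationDays
            Compliant        = ($policy.ValidityPeriod -eq $NeverExpire)
        }
    }
}

function Set-PasswordExpiryOff {
    <#
    .SYNOPSIS
      Remediates every non-compliant domain reported by Get-PasswordExpiryPosture.
      Supports -WhatIf so the change can be previewed before it is applied.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param()

    Get-PasswordExpiryPosture | Where-Object { -not $_.Compliant } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Domain, "Set ValidityPeriod to $NeverExpire")) {
            Set-MsolPasswordPolicy -DomainName $_.Domain `
                                   -ValidityPeriod $NeverExpire `
                                   -NotificationDays 30
        }
    }
}

# Usage: report first, preview the change, then apply it.
Get-PasswordExpiryPosture | Format-Table -AutoSize
Set-PasswordExpiryOff -WhatIf
# Set-PasswordExpiryOff
```

Running the report on its own is a cheap recurring check: any domain whose Compliant column flips to False has had its policy changed since the baseline was applied.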

 

1.2.  Enable Modern Authentication for SharePoint

Reason: Allow only secure, up-to-date authentication protocols.

Check:

Connect-SPOService -Url https://<tenant>-admin.sharepoint.com

# Replace <tenant> with your tenant's name

Get-SPOTenant

# Check the value of the LegacyAuthProtocolsEnabled property

Remediate:

Set-SPOTenant -LegacyAuthProtocolsEnabled $false

 

1.3.  Enable Modern Authentication for Skype/Teams

Reason: Allow only secure, up-to-date authentication protocols.

Check:

Get-CsOAuthConfiguration

# Check the value of ClientAdalAuthOverride

Remediate:

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

 

1.4.  Enable Modern Authentication at Org level

Reason: Modern Authentication supports multi-factor (including two-factor) authentication as part of the OAuth2 framework. Tenants created before 2017 may not have it turned on.

Check:

Get-OrganizationConfig

# Check the value of OAuth2ClientProfileEnabled

Remediate:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
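Controls 1.2, 1.3 and 1.4 each read one property and, if it is wrong, set it. As an added example (not code from the original post), the functions below fold the three checks into a single posture report and a single remediation step, so the same script can be run on every tenant and the result compared over time. It assumes the three sessions the post uses are already connected: Connect-SPOService for SharePoint Online, the Skype for Business Online session for Get/Set-CsOAuthConfiguration, and Exchange Online for Get/Set-OrganizationConfig.

```powershell
# Added example, not from the original post.
# Assumes: SharePoint Online, Skype for Business Online and Exchange Online
# sessions are already connected in this PowerShell session.

function Get-ModernAuthPosture {
    <#
    .SYNOPSIS
      Reads the three modern-authentication settings covered by CIS 1.2-1.4
      and reports, per control, the actual value, the expected value and
      whether they match.
    #>
    [CmdletBinding()]
    param()

    $spo      = Get-SPOTenant
    $skype    = Get-CsOAuthConfiguration
    $exchange = Get-OrganizationConfig

    # Each entry: control id, setting name, value found, value CIS expects.
    $checks = @(
        @{ Control = '1.2'; Setting = 'SPO LegacyAuthProtocolsEnabled'
           Actual = $spo.LegacyAuthProtocolsEnabled; Expected = $false }
        @{ Control = '1.3'; Setting = 'Skype/Teams ClientAdalAuthOverride'
           Actual = [string]$skype.ClientAdalAuthOverride; Expected = 'Allowed' }
        @{ Control = '1.4'; Setting = 'Exchange OAuth2ClientProfileEnabled'
           Actual = $exchange.OAuth2ClientProfileEnabled; Expected = $true }
    )

    foreach ($c in $checks) {
        [PSCustomObject]@{
            Control   = $c.Control
            Setting   = $c.Setting
            Actual    = $c.Actual
            Expected  = $c.Expected
            Compliant = ($c.Actual -eq $c.Expected)
        }
    }
}

function Repair-ModernAuthPosture {
    <#
    .SYNOPSIS
      Applies the post's remediation command for every control that failed.
      -WhatIf previews the changes without making them.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param()

    foreach ($row in (Get-ModernAuthPosture | Where-Object { -not $_.Compliant })) {
        if (-not $PSCmdlet.ShouldProcess($row.Setting, "Set to $($row.Expected)")) { continue }
        switch ($row.Control) {
            '1.2' { Set-SPOTenant -LegacyAuthProtocolsEnabled $false }
            '1.3' { Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed }
            '1.4' { Set-OrganizationConfig -OAuth2ClientProfileEnabled $true }
        }
    }
}

# Usage
Get-ModernAuthPosture | Format-Table -AutoSize
Repair-ModernAuthPosture -WhatIf
```

Keeping the expected value next to the actual value in the report makes a drift obvious at a glance, and the -WhatIf preview lets a change window be planned before legacy protocols are switched off for any clients that still depend on them.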

 

1.5.  Enforce Multi-Factor Authentication (MFA) for all Admins

Reason: A breached admin account can lead to untold damage to your Office 365 environment and business. It can be safer to enforce this as a rule rather than enabling MFA for administrative accounts in an ad-hoc manner. If your organisation has an Azure AD Premium P2 licence (included with Office 365 Business Premium by default), then you can create this conditional access policy.

Check:

Get-AzureADMSConditionalAccessPolicy

# Check the policies for one that enforces MFA on all admin roles. Once you have created one, you can check that it exists by name as follows:

Get-AzureADMSConditionalAccessPolicy | Where-Object { $_.DisplayName -eq "<MFA enforcing policy name>" }

Remediate:

# GATHER ROLES
$allAdmins = @(
    "Global administrator",
    "Application administrator",
    "Authentication Administrator",
    "Billing administrator",
    "Cloud application administrator",
    "Conditional Access administrator",
    "Exchange administrator",
    "Helpdesk administrator",
    "Password administrator",
    "Privileged authentication administrator",
    "Privileged Role Administrator",
    "Security administrator",
    "SharePoint administrator",
    "User administrator"
)

# Resolve each role display name to its directory role template ObjectId
$adminTemplateIds = @()
For ($i = 0; $i -lt $allAdmins.Length; $i++) {
    $adminTemplateIds += (Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $allAdmins[$i] }).ObjectId
}

# CONDITIONS: ROLES
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeRoles = $adminTemplateIds

# CONDITIONS: APPLICATIONS
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "all"

# CONDITIONS: CLIENT APP TYPES
$conditions.ClientAppTypes = "all"

# CONTROLS: require MFA
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "Mfa"

New-AzureADMSConditionalAccessPolicy -DisplayName "<MFA enforcing policy name>" -State "enabled" -Conditions $conditions -GrantControls $controls
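The check above only confirms that a policy with the expected name exists. As an added example (not code from the original post), the function below verifies the policy's actual content: that it is enabled, includes every admin role template from the $allAdmins list, targets all applications and client types, and requires MFA, and it reports how many users are excluded so break-glass exclusions get reviewed rather than going unnoticed. It assumes Connect-AzureAD has been run and that $allAdmins holds the role-name list built in the remediation script; the policy name is a placeholder.

```powershell
# Added example, not from the original post.
# Assumes: Connect-AzureAD has been run; $allAdmins is the role-name array from
# the remediation step; the policy name is a placeholder to replace.

function Test-AdminMfaPolicy {
    <#
    .SYNOPSIS
      Checks that a named Conditional Access policy actually enforces MFA on
      every admin role, all apps and all client types, and is enabled.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $PolicyName,
        [Parameter(Mandatory)] [string[]] $AdminRoleNames
    )

    $policy = Get-AzureADMSConditionalAccessPolicy |
              Where-Object { $_.DisplayName -eq $PolicyName }
    if (-not $policy) {
        return [PSCustomObject]@{ Policy = $PolicyName; Exists = $false; Compliant = $false }
    }

    # Resolve role names to template IDs the same way the remediation does and
    # list, by name, any role the policy does not include (unresolvable names
    # are reported as missing rather than silently skipped).
    $templates     = Get-AzureADDirectoryRoleTemplate
    $includedRoles = @($policy.Conditions.Users.IncludeRoles)
    $missingRoles  = foreach ($name in $AdminRoleNames) {
        $id = ($templates | Where-Object { $_.DisplayName -eq $name }).ObjectId
        if (-not $id -or $includedRoles -notcontains $id) { $name }
    }

    $allApps     = @($policy.Conditions.Applications.IncludeApplications) -contains 'All'
    $allClients  = @($policy.Conditions.ClientAppTypes) -contains 'all'
    $requiresMfa = @($policy.GrantControls.BuiltInControls) -contains 'mfa'
    $enabled     = $policy.State -eq 'enabled'

    [PSCustomObject]@{
        Policy          = $PolicyName
        Exists          = $true
        Enabled         = $enabled
        MissingRoles    = (@($missingRoles) -join ', ')
        AllApplications = $allApps
        AllClientTypes  = $allClients
        RequiresMfa     = $requiresMfa
        # Excluded users are normally break-glass accounts; surfaced for review.
        ExcludedUsers   = @($policy.Conditions.Users.ExcludeUsers).Count
        Compliant       = ($enabled -and $allApps -and $allClients -and $requiresMfa -and
                           @($missingRoles).Count -eq 0)
    }
}

# Usage (placeholder policy name; $allAdmins as defined in the remediation step)
Test-AdminMfaPolicy -PolicyName '<MFA enforcing policy name>' -AdminRoleNames $allAdmins
```

A policy that exists but is in report-only mode, or that has had a role quietly removed from its scope, passes the name check in the post but fails this one, which is the difference between checking that a control was once deployed and checking that it is still in force.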

Conclusion

We hope that these commands provided you with some guidance on automating the CIS Controls. Stay tuned for the next part of this series! Octiga understands that it is cumbersome to use PowerShell for Office 365 security for all your clients over and over every single day, so we have built a solution around it that will do the laborious task for you within seconds.

Octiga applies and monitors all these security controls for multiple tenants through our Office 365 security suite.  We also offer one-click SaaS onboarding, instant security posture automation & deployment, ready-to-use best-practice templates and wizards, legacy breach detection, threat anomaly visibility and remediation, all on a single universal dashboard. As a result, you can rapidly prioritise work and implement corporate-wide security within seconds!

Drop us a line to understand how Octiga can help your unique business needs through Office 365 Security automation.
