Secure & Manage Office 365 with PowerShell – The CIS Approach

Part 1: Auth Controls

Office 365 is central to your business needs and business continuity.  However, it exposes a large (maybe even the largest) risk surface in your organisation.  It is, therefore, crucial to secure it enough to mitigate this ever-present and continuous risk but keep it open enough to ensure as fluid a business as possible.  

Getting this balance right is difficult, and it can be hard to know where to start.  Adopting a common security standard can be a great place.  After that, it is a matter of adjusting the standard to suit your needs and rolling it quickly and effectively. Through this series of articles, we will explore some basic PowerShell commands for Office 365 security. First, let us begin from scratch.

‍

Understanding CIS Cloud Security Controls

The CIS Controls were built by a community of IT experts at the Center for Internet Security, leveraging their first-hand experience defending against advanced cyber-attacks. The CIS Controls are a prescriptive set of thorough defensive best practices that help organisations mitigate some of the most harmful cyber-attacks and support multi-framework compliance. The CIS Controls provide a blueprint and a clear pathway for organisations to initiate and continue working strategically towards their unique security journey.

‍

Why CIS Security Controls?  

The CIS standard is a great place to start.  Not only are they a recognised and sensible framework, but they have an Office 365 benchmark document to help you get there quickly. It is broken down into two sets of control levels, L1 and L2, with the recommendation that you apply L1 controls first. The document lists each control along with reasoning, audit and remediation steps. The steps are manual for the most part; however, Octiga is all about automation, so I will show you how each control can be scripted in PowerShell.  Scripting in this way allows for consistent checking and remediation.

‍

Office 365 CIS L1 Controls

Here we will cover many of the essential controls.  Not every control is listed here either because we do not deem it critical or because there is no way to automate

We are going to cover the CIS controls over a multi-part blog. Here we start with Authentication and Authorisation Controls.

‍

1.1.  Turn off Password Expiry

Reason: Passwords that expire force employees to create weak, reused orwritten-down passwords in an attempt to remember the new password

‍

Check:

Get-MsolPasswordPolicy -DomainName [DomainName] | ft ValidityPeriod 

‍

Remediate:

Set-MsolPasswordPolicy -ValidityPeriod 2147483647 -DomainName [DomainName] -NotificationDays 30
#Notes: The value of 2147483647 is used as the maximum allowable validity period

‍

1.2.  Enable Modern Authentication for SharePoint

Reason: Allow only secure and up to date security authentication protocol

Check:

Connect-SPOService -Url –https://[tenant]-admin.sharepoint.com
#Replace [Tenant] with your tenant’s name
Get-SPOTenant
#Check the value of parameter: legacyauthprotocolsenabled

Remediate:

Set-spotenant -legacyauthprotocolsenabled $false

‍

1.3.  Enable Modern Authentication for Skype/Teams

Reason: Allow only secure and up to date security authentication protocol

Check:

	
Get-CsOAuthConfiguration
#check ClientAdalAuthOverride
	

‍

Remediate:

	
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
	

1.4.  Enable Modern Authentication at Org level

Reason: Modern Auth Support Multi-Factor and 2 Factor Authentication as part of the OAuth2 framework.  Tenants created before 2017 may not have this turned on

Check:

	
Get-OrganizationConfig
#CHECK OAuth2ClientProfileEnabled
	

Remediate:

Set-OrganizationConfig-OAuth2ClientProfileEnabled $True

1.5.  Enforce Multi-Factor Authentication (MFA) for all Admins

Reason: A breached admin account can lead to untold damage to your Office 365environment and business.  It can besafer to enforce this as a rule rather than enabling MFA for administrative accounts in an ad-hoc manner.  If your organisation has an Azure AD premium P2 licence (comes with Office 365 Business Premium by default), then you can create this conditional access policy

Check:

Get-AzureADMSConditionalAccessPolicy
#Check policies for ones that enforce MFA as a condition on all admin roles.  After you create one you can check the name is in existence as follows
get-AzureADMSConditionalAccessPolicy | Where-Object {$_.DisplayName -eq "[MFA enforcing policy name]"}

Remediate:

#GATHER ROLES

$allAdmins = @(

  "Global administrator"

,"Application administrator"

,"Authentication Administrator"

,"Billing administrator"

,"Cloud applicationadministrator"

,"Conditional Accessadministrator"

,"Exchange administrator"

,"Helpdesk administrator"

,"Password administrator"

,"Privileged authentication administrator"

,"Privileged Role Administrator"

,"Security administrator"

,"SharePoint administrator"

,"User administrator"

)

$adminTemplateIds = @()

 

For ($i=0; $i -lt $allAdmins.Length; $i++){

  $adminTemplateIds += (Get-AzureADDirectoryRoleTemplate | Where-Object{$_.DisplayName -eq $allAdmins[$i]}).ObjectId

   }



#CONDITIONS ROLES

$conditions = New-Object -TypeNameMicrosoft.Open.MSGraph.Model.ConditionalAccessConditionSet

$conditions.Users = New-Object -TypeNameMicrosoft.Open.MSGraph.Model.ConditionalAccessUserCondition

$conditions.Users.IncludeRoles =$adminTemplateIds


#CONDITIONS APPLICATIONS

$conditions.Applications = New-Object-TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition

$conditions.Applications.IncludeApplications= "all"

 
#CONDITIONS APPLICATION TYPES

$conditions.ClientAppTypes = "all"


#CONTROLS

$controls = New-Object -TypeNameMicrosoft.Open.MSGraph.Model.ConditionalAccessGrantControls

$controls._Operator = "OR"

$controls.BuiltInControls = "Mfa"

New-AzureADMSConditionalAccessPolicy-DisplayName "[MFA enforcing policy name]" -State "enabled"-Conditions $conditions -GrantControls $controls

‍

Conclusion

We hope that these commands provided you with some guidance on automating the CIS Controls. Stay tuned for the next part of this series! Octiga understands that it is cumbersome to use PowerShell for Office 365 security for all your clients over and over every single day, so we have built a solution around it that will do the laborious task for you within seconds.

Octiga applies and monitors all these security controls for multiple tenants through our Office 365 security suite.  We also offer one-click SaaS onboarding, instant security posture automation & deployment, ready-to-use best-practice templates and wizards, legacy breach detection, threat anomaly visibility and remediation, all on a single universal dashboard. As a result, you can rapidly prioritise work and implement corporate-wide security within seconds!

Drop us a line to understand how Octiga can help your unique business needs through Office 365 Security automation.