
Secure & Manage Office 365 with PowerShell – The CIS Approach

Part 1: Auth Controls

Office 365 is central to your business needs and business continuity.  However, it exposes a large (maybe even the largest) risk surface in your organisation.  It is, therefore, crucial to secure it enough to mitigate this ever-present and continuous risk but keep it open enough to ensure as fluid a business as possible.  

Getting this balance right is difficult, and it can be hard to know where to start.  Adopting a common security standard is a great place to begin.  After that, it is a matter of adjusting the standard to suit your needs and rolling it out quickly and effectively. Through this series of articles, we will explore some basic PowerShell commands for Office 365 security. First, let us begin from scratch.

Understanding CIS Cloud Security Controls

The CIS Controls were built by a community of IT experts at the Center for Internet Security, leveraging their first-hand experience defending against advanced cyber-attacks. The CIS Controls are a prescriptive set of thorough defensive best practices that help organisations mitigate some of the most harmful cyber-attacks and support multi-framework compliance. The CIS Controls provide a blueprint and a clear pathway for organisations to initiate and continue working strategically towards their unique security journey.

Why CIS Security Controls?  

The CIS standard is a great place to start.  Not only is it a recognised and sensible framework, but it has an Office 365 benchmark document to help you get there quickly. It is broken down into two sets of control levels, L1 and L2, with the recommendation that you apply L1 controls first. The document lists each control along with reasoning, audit and remediation steps. The steps are manual for the most part; however, Octiga is all about automation, so I will show you how each control can be scripted in PowerShell.  Scripting in this way allows for consistent checking and remediation.

Office 365 CIS L1 Controls

Here we will cover many of the essential controls.  Not every control is listed here, either because we do not deem it critical or because there is no way to automate it.

We are going to cover the CIS controls over a multi-part blog. Here we start with Authentication and Authorisation Controls.

1.1.  Turn off Password Expiry

Reason: Passwords that expire force employees to create weak, reused or written-down passwords in an attempt to remember the new password.

Check:

Get-MsolPasswordPolicy -DomainName [DomainName] | ft ValidityPeriod 

Remediate:

Set-MsolPasswordPolicy -ValidityPeriod 2147483647 -DomainName [DomainName] -NotificationDays 30
#Notes: The value of 2147483647 is used as the maximum allowable validity period

1.2.  Enable Modern Authentication for SharePoint

Reason: Allow only secure, up-to-date authentication protocols.

Check:

Connect-SPOService -Url https://[tenant]-admin.sharepoint.com
#Replace [tenant] with your tenant’s name
Get-SPOTenant
#Check the value of the LegacyAuthProtocolsEnabled property

Remediate:

Set-SPOTenant -LegacyAuthProtocolsEnabled $false

1.3.  Enable Modern Authentication for Skype/Teams

Reason: Allow only secure, up-to-date authentication protocols.

Check:

Get-CsOAuthConfiguration
#Check the value of ClientAdalAuthOverride

Remediate:

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

1.4.  Enable Modern Authentication at Org level

Reason: Modern Auth supports multi-factor and two-factor authentication as part of the OAuth2 framework.  Tenants created before 2017 may not have this turned on.

Check:

Get-OrganizationConfig
#Check the value of OAuth2ClientProfileEnabled

Remediate:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
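Because the point of scripting is consistent checking, the four checks in 1.1 to 1.4 can be folded into one audit function that returns a finding per control together with the matching remediation command. This is an added example, not code from the original post; it assumes the MSOnline, SharePoint Online, Skype/Teams and Exchange Online sessions are already connected, and the domain name is a constructed placeholder.

```powershell
# Added example, not from the original post. Assumes Connect-MsolService, Connect-SPOService,
# the Skype/Teams session and Connect-ExchangeOnline have already been run.
function Test-CisAuthControls {
    param([Parameter(Mandatory)][string]$DomainName)
    $findings = @()

    # 1.1 Password expiry: the maximum validity period (2147483647) means "never expires"
    $validity = (Get-MsolPasswordPolicy -DomainName $DomainName).ValidityPeriod
    $findings += [pscustomobject]@{
        Control   = '1.1 Password expiry off'
        Observed  = "ValidityPeriod=$validity"
        Compliant = ($validity -eq 2147483647)
        Fix       = "Set-MsolPasswordPolicy -DomainName $DomainName -ValidityPeriod 2147483647 -NotificationDays 30"
    }

    # 1.2 SharePoint: legacy authentication protocols must be disabled
    $spoLegacy = (Get-SPOTenant).LegacyAuthProtocolsEnabled
    $findings += [pscustomobject]@{
        Control   = '1.2 SharePoint modern auth'
        Observed  = "LegacyAuthProtocolsEnabled=$spoLegacy"
        Compliant = (-not $spoLegacy)
        Fix       = 'Set-SPOTenant -LegacyAuthProtocolsEnabled $false'
    }

    # 1.3 Skype/Teams: the ADAL override must be Allowed
    $adal = (Get-CsOAuthConfiguration).ClientAdalAuthOverride
    $findings += [pscustomobject]@{
        Control   = '1.3 Skype/Teams modern auth'
        Observed  = "ClientAdalAuthOverride=$adal"
        Compliant = ("$adal" -eq 'Allowed')
        Fix       = 'Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed'
    }

    # 1.4 Organisation-level OAuth2 client profile must be enabled
    $oauth = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    $findings += [pscustomobject]@{
        Control   = '1.4 Org-level modern auth'
        Observed  = "OAuth2ClientProfileEnabled=$oauth"
        Compliant = [bool]$oauth
        Fix       = 'Set-OrganizationConfig -OAuth2ClientProfileEnabled $true'
    }
    return $findings
}

# Constructed placeholder domain; list only the failing controls with the fix beside each
Test-CisAuthControls -DomainName 'contoso.onmicrosoft.com' |
    Where-Object { -not $_.Compliant } |
    Format-Table Control, Observed, Fix -AutoSize
```

Pipe the full output (without the Where-Object filter) to Export-Csv if you want a dated compliance record per tenant.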


1.5.  Enforce Multi-Factor Authentication (MFA) for all Admins

Reason: A breached admin account can lead to untold damage to your Office 365 environment and business.  It can be safer to enforce this as a rule rather than enabling MFA for administrative accounts in an ad-hoc manner.  If your organisation has an Azure AD premium P2 licence (comes with Office 365 Business Premium by default), then you can create this conditional access policy.

Check:

Get-AzureADMSConditionalAccessPolicy
#Check the policies for one that enforces MFA as a grant control on all admin roles.
#After you create one, you can check that it exists by name as follows:
Get-AzureADMSConditionalAccessPolicy | Where-Object {$_.DisplayName -eq "[MFA enforcing policy name]"}

Remediate:

#GATHER ROLES
$allAdmins = @(
    "Global administrator",
    "Application administrator",
    "Authentication Administrator",
    "Billing administrator",
    "Cloud application administrator",
    "Conditional Access administrator",
    "Exchange administrator",
    "Helpdesk administrator",
    "Password administrator",
    "Privileged authentication administrator",
    "Privileged Role Administrator",
    "Security administrator",
    "SharePoint administrator",
    "User administrator"
)

#Resolve each role display name to its directory role template id
$adminTemplateIds = @()
For ($i = 0; $i -lt $allAdmins.Length; $i++) {
    $adminTemplateIds += (Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $allAdmins[$i] }).ObjectId
}

#CONDITIONS ROLES
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeRoles = $adminTemplateIds

#CONDITIONS APPLICATIONS
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "all"

#CONDITIONS APPLICATION TYPES
$conditions.ClientAppTypes = "all"

#CONTROLS: require MFA as the grant control
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "Mfa"

New-AzureADMSConditionalAccessPolicy -DisplayName "[MFA enforcing policy name]" -State "enabled" -Conditions $conditions -GrantControls $controls
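Finding a policy with the right name does not prove it still covers every admin role, applies to all apps or is enabled. As an added example (not from the original post), this function compares the policy's included roles with the role list used in the remediation script and reports any gaps; it assumes an existing AzureAD session, the $allAdmins array from above, and the same placeholder policy name.

```powershell
# Added example, not from the original post: verify the MFA policy really covers the admin roles.
# Assumes Connect-AzureAD has been run; the policy name is the placeholder used above.
function Test-AdminMfaPolicy {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string[]]$AdminRoleNames
    )
    # Resolve role display names to templates, the same lookup the remediation step uses
    $templates = Get-AzureADDirectoryRoleTemplate
    $expected  = @($templates | Where-Object { $_.DisplayName -in $AdminRoleNames })

    $policy = Get-AzureADMSConditionalAccessPolicy |
        Where-Object { $_.DisplayName -eq $PolicyName }
    if (-not $policy) {
        return [pscustomobject]@{ Policy = $PolicyName; Exists = $false; Compliant = $false }
    }

    # Which expected roles are absent from the policy's IncludeRoles?
    $included = @($policy.Conditions.Users.IncludeRoles)
    $missing  = $expected | Where-Object { $_.ObjectId -notin $included }

    $result = [pscustomobject]@{
        Policy       = $PolicyName
        Exists       = $true
        Enabled      = ($policy.State -eq 'enabled')
        AllApps      = ('All' -in @($policy.Conditions.Applications.IncludeApplications))
        RequiresMfa  = ('Mfa' -in @($policy.GrantControls.BuiltInControls))
        MissingRoles = @($missing | ForEach-Object { $_.DisplayName })
        Compliant    = $false
    }
    $result.Compliant = $result.Enabled -and $result.AllApps -and $result.RequiresMfa -and
        ($result.MissingRoles.Count -eq 0)
    return $result
}

# $allAdmins is the role list defined in the remediation script above
Test-AdminMfaPolicy -PolicyName '[MFA enforcing policy name]' -AdminRoleNames $allAdmins |
    Format-List
```

A non-empty MissingRoles list is the signal to re-run the remediation script, since new admin roles added to $allAdmins are not picked up by an existing policy automatically.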


Conclusion

We hope that these commands provided you with some guidance on automating the CIS Controls. Stay tuned for the next part of this series! Octiga understands that it is cumbersome to use PowerShell for Office 365 security for all your clients over and over every single day, so we have built a solution around it that will do the laborious task for you within seconds.

Octiga applies and monitors all these security controls for multiple tenants through our Office 365 security suite.  We also offer one-click SaaS onboarding, instant security posture automation & deployment, ready-to-use best-practice templates and wizards, legacy breach detection, threat anomaly visibility and remediation, all on a single universal dashboard. As a result, you can rapidly prioritise work and implement corporate-wide security within seconds!

Drop us a line to understand how Octiga can help your unique business needs through Office 365 Security automation.
