# MT.1041 - Ensure users installing Outlook add-ins is not allowed

## Overview
Users SHOULD NOT be allowed to install Outlook add-ins
Rationale: When users can install their own Outlook add-ins, it creates security risks. A malicious or compromised add-in can read mailbox content, exploit vulnerabilities in the client, or exfiltrate data while appearing to be a legitimate add-in.
## Remediation action

- Connect to Exchange Online:

  ```powershell
  Connect-ExchangeOnline
  ```

- Get the current role assignment policy:

  ```powershell
  Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault }
  ```

- Check which app-related roles are assigned:

  ```powershell
  Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" | Where-Object { $_.Role -like "My*Apps" }
  ```

- Remove the app installation permissions from the default policy:

  ```powershell
  Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" | Where-Object { $_.Role -like "My*Apps" } | Remove-ManagementRoleAssignment -Confirm:$false
  ```

- Verify the changes:

  ```powershell
  Get-ManagementRoleAssignment -RoleAssignee "Default Role Assignment Policy" | Where-Object { $_.Role -like "My*Apps" }
  ```

  The result should return no assignments.
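The steps above target the policy named "Default Role Assignment Policy" by name. The following added example (not Maester's own test code) goes a step further and audits every role assignment policy in the tenant for the three built-in app-installation roles, reporting each finding and optionally removing the assignments; the function name `Get-OutlookAddinInstallFinding` and the `-Remediate` switch are assumptions for this illustration, and an active `Connect-ExchangeOnline` session is assumed.

```powershell
# Added example, not Maester's code. Assumes Connect-ExchangeOnline has already been run.
function Get-OutlookAddinInstallFinding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Remove the offending assignments instead of only reporting them.
        # Combine with -WhatIf to preview what would be removed.
        [switch]$Remediate
    )

    # Built-in end-user roles that let a user install Outlook add-ins.
    $appRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps')

    # Do not hardcode the policy name: the default policy may have been renamed,
    # and additional (non-default) policies can also grant these roles.
    foreach ($policy in Get-RoleAssignmentPolicy) {
        $assignments = Get-ManagementRoleAssignment -RoleAssignee $policy.Name |
            Where-Object { $appRoles -contains [string]$_.Role }

        if (-not $assignments) {
            [pscustomobject]@{
                Policy = $policy.Name; IsDefault = $policy.IsDefault
                Role = $null; Assignment = $null; Status = 'Pass'
            }
            continue
        }

        foreach ($assignment in $assignments) {
            [pscustomobject]@{
                Policy = $policy.Name; IsDefault = $policy.IsDefault
                Role = [string]$assignment.Role; Assignment = $assignment.Name; Status = 'Fail'
            }
            if ($Remediate -and $PSCmdlet.ShouldProcess($assignment.Name, 'Remove role assignment')) {
                Remove-ManagementRoleAssignment -Identity $assignment.Identity -Confirm:$false
            }
        }
    }
}

# Report only. Use "-Remediate -WhatIf" to preview removals, "-Remediate" to apply them.
Get-OutlookAddinInstallFinding | Format-Table -AutoSize
```

A policy shows `Status = Pass` only when none of the three roles is assigned to it; rerun the report after remediation to confirm every policy passes.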
## Related links
- Role-based access control in Exchange Online
- CIS Microsoft 365 Benchmark - 1.3.4 (L1) Ensure 'User owned apps and services' is restricted
- Microsoft Secure Score - Restrict user consent to applications
## Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1041 |
| Severity | High |
| Suite | Maester |
| Category | Exchange |
| PowerShell test | Test-MtExoOutlookAddin |
| Tags | Exchange, Maester, MT.1041 |
## Source

- Pester test: `tests/Maester/Exchange/Test-ExchangeSetting.Tests.ps1`
- PowerShell source: `powershell/public/maester/exchange/Test-MtExoOutlookAddin.ps1`