private/review/exchangeonline/roles/Invoke-ReviewExoOutlookAddinsIsNotAllowedRolePolicy.ps1
function Invoke-ReviewExoOutlookAddinsIsNotAllowedRolePolicy { <# .SYNOPSIS Check if users installing Outlook add-ins is not allowed. .DESCRIPTION Returns review object. .NOTES Requires the following modules: - ExchangeOnlineManagement .EXAMPLE Invoke-ReviewExoOutlookAddinsIsNotAllowedRolePolicy; #> [cmdletbinding()] param ( ) BEGIN { # Write progress. Write-Progress -Activity $MyInvocation.MyCommand -Status 'Running' -CurrentOperation $MyInvocation.MyCommand.Name -PercentComplete -1 -SecondsRemaining -1; # Write to log. Write-CustomLog -Category 'Exchange Online' -Subcategory 'Roles' -Message 'Getting all mailboxes' -Level Verbose; # Get all mailboxes. $mailboxes = Get-Mailbox -ResultSize Unlimited; # List of mailboxes with Outlook add-ins enabled. $roleAssignmentPolicies = New-Object System.Collections.ArrayList; # Role assignment policies used. $usedRoleAssignmentPolicies = New-Object System.Collections.ArrayList; } PROCESS { # Foreach mailbox. foreach ($mailbox in $mailboxes) { # If role assignment policy is null. if ($null -eq $mailbox.RoleAssignmentPolicy) { # Skip. continue; } # If role assignment policy is not in list. if ($usedRoleAssignmentPolicies -notcontains $mailbox.RoleAssignmentPolicy) { # Write to log. Write-CustomLog -Category 'Exchange Online' -Subcategory 'Roles' -Message ("Role assignment policy '{0}' is used in the organization" -f $mailbox.RoleAssignmentPolicy) -Level Verbose; # Add to list. $null = $usedRoleAssignmentPolicies.Add($mailbox.RoleAssignmentPolicy); } } # Foreach role assignment policy used. foreach ($usedRoleAssignmentPolicy in $usedRoleAssignmentPolicies) { # Get role assignment policy. $roleAssignmentPolicy = Get-RoleAssignmentPolicy -Identity $usedRoleAssignmentPolicy; # If there is not any assigned roles with Apps. if ($roleAssignmentPolicy.AssignedRoles -like '*My Custom Apps*' -or $roleAssignmentPolicy.AssignedRoles -like '*My Marketplace Apps*', $roleAssignmentPolicy.AssignedRoles -like '*My ReadWriteMailboxApps*') { # Write to log. Write-CustomLog -Category 'Exchange Online' -Subcategory 'Roles' -Message ("Role assignment policy '{0}' allows users to install outlook add-ins" -f $roleAssignmentPolicy.Name) -Level Verbose; # Add to list. $null = $roleAssignmentPolicies.Add($roleAssignmentPolicy); } } } END { # Bool for review flag. [bool]$reviewFlag = $false; # If review flag should be set. if ($roleAssignmentPolicies.Count -gt 0) { # Should be reviewed. $reviewFlag = $true; } # Create new review object to return. [Review]$review = [Review]::new(); # Add to object. $review.Id = '36ee88d3-0ab8-41ea-90e7-fd9b14ed6a03'; $review.Category = 'Microsoft Exchange Admin Center'; $review.Subcategory = 'Roles'; $review.Title = "Ensure users installing Outlook add-ins is not allowed"; $review.Data = $roleAssignmentPolicies | Select-Object -Property Name, @{Name='AssignedRoles';Expression={$_.AssignedRoles -join ', '}}; $review.Review = $reviewFlag; # Print result. $review.PrintResult(); # Write progress. #Write-Progress -Activity $MyInvocation.MyCommand -Status 'Completed' -CurrentOperation $MyInvocation.MyCommand.Name -Completed; # Return object. return $review; } } |