Information
Specify the administrators and users who can install and manage add-ins for Outlook in Exchange Online
By default, users can install add-ins in their Microsoft Outlook Desktop client, allowing data access within the client application.
Rationale:
Attackers exploit vulnerable or custom add-ins to access user data. Disabling user-installed add-ins in Microsoft Outlook reduces this threat surface.
Impact:
Implementing this change will impact both end users and administrators. End users will be unable to integrate third-party applications they desire, and administrators may receive requests to grant permission for necessary third-party apps.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To remediate using the UI:
Navigate to Exchange admin center https://admin.exchange.microsoft.com.
Click to expand Roles, then select User roles.
Select Default Role Assignment Policy.
In the properties pane on the right, click Manage permissions.
Under Other roles, uncheck My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps.
Click Save changes.
To remediate using PowerShell:
Connect to Exchange Online using Connect-ExchangeOnline.
Run the following command:
$policy = 'Role Assignment Policy - Prevent Add-ins'
# The default end-user roles minus My Custom Apps, My Marketplace Apps and
# My ReadWriteMailboxApps, so users keep everything except add-in installation.
# The trailing backtick is the PowerShell line-continuation character.
$roles = 'MyTextMessaging', 'MyDistributionGroups', `
'MyMailSubscriptions', 'MyBaseOptions', 'MyVoiceMail', `
'MyProfileInformation', 'MyContactInformation', 'MyRetentionPolicies', `
'MyDistributionGroupMembership'
New-RoleAssignmentPolicy -Name $policy -Roles $roles
Set-RoleAssignmentPolicy -Identity $policy -IsDefault
# Assign the new policy to all mailboxes
Get-EXOMailbox -ResultSize Unlimited | Set-Mailbox -RoleAssignmentPolicy $policy
If you have other Role Assignment Policies, modify the last line to filter out your custom policies.
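Because Nessus does not perform this check, the following PowerShell is an added example (not part of the benchmark or the Tenable text) showing how to audit the tenant yourself and how to scope the last remediation step so that custom policies are left alone. It assumes an open Connect-ExchangeOnline session, the policy name used above, and that the stock policy is still called "Default Role Assignment Policy"; the function names and the $NewPolicy variable are illustrative.

```powershell
# Added example: audit which role assignment policies still grant the add-in
# roles and how many mailboxes each policy covers, then move only mailboxes that
# are still on the stock default policy to the hardened one.
# Assumes Connect-ExchangeOnline has already been run.

$NewPolicy = 'Role Assignment Policy - Prevent Add-ins'   # name chosen in the remediation above

# The three roles that let a user install add-ins. Exchange displays them with
# spaces ("My Custom Apps"), so compare with whitespace stripped to be safe.
$AddInRoles = 'MyCustomApps', 'MyMarketplaceApps', 'MyReadWriteMailboxApps'

function Get-AddInPolicyFinding {
    # RoleAssignmentPolicy is not in the minimal property set Get-EXOMailbox
    # returns by default, so it has to be requested explicitly.
    $mailboxesByPolicy = Get-EXOMailbox -ResultSize Unlimited -Properties RoleAssignmentPolicy |
        Group-Object -Property RoleAssignmentPolicy -AsHashTable -AsString

    foreach ($policy in Get-RoleAssignmentPolicy) {
        $granted = @($policy.AssignedRoles | Where-Object {
            $AddInRoles -contains ($_ -replace '\s', '')
        })
        $count = 0
        if ($mailboxesByPolicy -and $mailboxesByPolicy.ContainsKey($policy.Name)) {
            $count = $mailboxesByPolicy[$policy.Name].Count
        }
        [pscustomobject]@{
            Policy            = $policy.Name
            IsDefault         = $policy.IsDefault
            AddInRoles        = ($granted -join ', ')
            MailboxesAffected = $count
            # A policy only matters if it grants add-in roles AND is in use:
            # assigned to at least one mailbox, or the default for new mailboxes.
            Finding           = ($granted.Count -gt 0) -and ($count -gt 0 -or $policy.IsDefault)
        }
    }
}

function Move-DefaultPolicyMailbox {
    # Scoped version of the remediation's last line: only mailboxes still on the
    # stock default policy are moved, so custom policies you created stay intact.
    param([switch]$WhatIf)
    Get-EXOMailbox -ResultSize Unlimited -Properties RoleAssignmentPolicy |
        Where-Object { $_.RoleAssignmentPolicy -eq 'Default Role Assignment Policy' } |
        Set-Mailbox -RoleAssignmentPolicy $NewPolicy -WhatIf:$WhatIf
}

# Report first; rerun after remediation and confirm no row has Finding = True.
Get-AddInPolicyFinding | Format-Table -AutoSize

# Dry run of the scoped move; drop -WhatIf to apply it.
Move-DefaultPolicyMailbox -WhatIf
```

Note that the remediation does not strip the three roles from the old Default Role Assignment Policy, it only stops assigning it; the audit therefore treats a policy as a finding only when it still grants the add-in roles and is either assigned to mailboxes or marked IsDefault, which is what would let a newly created mailbox pick it up.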
Default Value:
UI - My Custom Apps, My Marketplace Apps, and My ReadWriteMailboxApps are checked
PowerShell - My Custom Apps, My Marketplace Apps, and My ReadWriteMailboxApps are assigned