CIS.M365.1.3.4 - Ensure
Overview
1.3.4 (L1) Ensure 'User owned apps and services' is restricted
By default, users can install add-ins in their Microsoft Word, Excel, and PowerPoint applications, allowing data access within the application.
Do not allow users to install add-ins in Word, Excel, or PowerPoint.
Rationale
Attackers commonly use vulnerable and custom-built add-ins to access data in user applications.
While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully.
Disabling future users' ability to install add-ins in Microsoft Word, Excel, or PowerPoint helps reduce your threat surface and mitigate this risk.
Impact
Implementation of this change will impact both end users and administrators. End users will not be able to install add-ins that they may want to install.
Remediation action:
- Navigate to Microsoft 365 admin center.
- Click to expand Settings, then select Org settings.
- In Services, select User owned apps and services.
- Uncheck Let users access the Office Store and Let users start trials on behalf of your organization.
- Click Save.
PowerShell
- Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes "OrgSettings-AppsAndServices.ReadWrite.All"`.
- Run the following Microsoft Graph PowerShell commands:

```powershell
$uri = "https://graph.microsoft.com/beta/admin/appsAndServices"
$body = @{
    "Settings" = @{
        "isAppAndServicesTrialEnabled" = $false
        "isOfficeStoreEnabled"         = $false
    }
} | ConvertTo-Json
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body
```
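
To confirm the change took effect, the same endpoint can be read back and evaluated. The following is an added example, not code from Maester or the CIS benchmark: the function name `Test-UserOwnedAppsSetting` is hypothetical, the sample responses are constructed, and it assumes a GET on the endpoint returns the same `settings` properties that the PATCH above sets.

```powershell
# Added example: evaluates an appsAndServices response against this control.
# Test-UserOwnedAppsSetting is a hypothetical helper, not part of Maester.
function Test-UserOwnedAppsSetting {
    param(
        [Parameter(Mandatory)]
        [AllowNull()]
        $Response
    )

    # Works for the hashtable returned by Invoke-MgGraphRequest and for PSCustomObject.
    $settings = if ($null -ne $Response) { $Response.settings } else { $null }

    $findings = foreach ($name in 'isOfficeStoreEnabled', 'isAppAndServicesTrialEnabled') {
        $value = if ($null -ne $settings) { $settings.$name } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Value     = $value
            # Only an explicit $false passes; $true or a missing value fails closed.
            Compliant = ($value -is [bool]) -and (-not $value)
        }
    }

    [pscustomobject]@{
        Compliant = -not (@($findings.Compliant) -contains $false)
        Findings  = $findings
    }
}

# Constructed sample responses (not captured from a real tenant).
$permissive = @{ settings = @{ isOfficeStoreEnabled = $true;  isAppAndServicesTrialEnabled = $true } }
$partial    = @{ settings = @{ isOfficeStoreEnabled = $false } }   # one property missing
$restricted = @{ settings = @{ isOfficeStoreEnabled = $false; isAppAndServicesTrialEnabled = $false } }

foreach ($sample in $permissive, $partial, $restricted) {
    $result = Test-UserOwnedAppsSetting -Response $sample
    "Compliant: $($result.Compliant)"
    $result.Findings | Format-Table -AutoSize | Out-String
}

# Against a live tenant, after Connect-MgGraph with a scope that can read these settings:
# $live = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/admin/appsAndServices'
# (Test-UserOwnedAppsSetting -Response $live).Findings | Format-Table -AutoSize
```

A missing property is reported as non-compliant so that an unexpected or incomplete response is not mistaken for a passing result.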
Related links
- Microsoft 365 admin center
- Manage add-ins in the Microsoft 365 admin center
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 56
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.1.3.4 |
| Severity | Unknown |
| Suite | CIS |
| Category | CIS E3 Level 1 |
| PowerShell test | Test-MtCisUserOwnedAppsRestricted |
| Tags | CIS, CIS E3, CIS E3 Level 1, CIS E5, CIS E5 Level 1, CIS M365 v6.0.1, CIS.M365.1.3.4, L1, Security |
Source
- Pester test: `tests/cis/Test-MtCisUserOwnedAppsRestricted.Tests.ps1`
- PowerShell source: `powershell/public/cis/Test-MtCisUserOwnedAppsRestricted.ps1`