Skip to main content
Version: 2.1.0

CIS.M365.6.5.3 - Ensure additional storage providers are restricted in Outlook on the web

Overview

6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web

This setting allows users to open certain external files while working in Outlook on the web. If allowed, keep in mind that Microsoft doesn't control the use terms or privacy policies of those third-party services.

Ensure AdditionalStorageProvidersAvailable is restricted on the default OWA policy.

Rationale

By default, additional storage providers are allowed in Office on the Web (such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage.

Impact

The impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so.

Remediation

PowerShell
  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Run the following PowerShell command:
Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AdditionalStorageProvidersAvailable $false

Default Value

AdditionalStorageProvidersAvailable : True

Test Metadata

FieldValue
Test IDCIS.M365.6.5.3
SeverityUnknown
SuiteCIS
CategoryCIS E3 Level 2
PowerShell testTest-MtCisExoAdditionalStorageProvider
TagsCIS, CIS E3, CIS E3 Level 2, CIS E5, CIS E5 Level 2, CIS M365 v6.0.1, CIS.M365.6.5.3, L2, Security

Source

  • Pester test: tests/cis/Test-MtCisExoAdditionalStorageProvider.Tests.ps1
  • PowerShell source: powershell/public/cis/Test-MtCisExoAdditionalStorageProvider.ps1