CIS.M365.8.4.1 - (L1) Ensure all or a majority of third-party and custom apps are blocked
Overviewβ
8.4.1 (L1) Ensure app permission policies are configured
This policy setting controls which class of apps are available for users to install.
Rationaleβ
Allowing users to install third-party or unverified apps poses a potential risk of introducing malicious software to the environment.
Impactβ
Users will only be able to install approved classes of apps.
Remediation action:β
- Navigate to Microsoft Teams Admin Center.
- Click to expand Teams apps select Manage apps.
- In the upper right click Actions > Org-wide app settings.
- For Microsoft apps set Let users install and use available apps by default to On or less permissive.
- For Third-party apps set Let users install and use available apps by default to Off.
- For Custom apps set Let users install and use available apps by default to Off.
- For Custom apps set Let users interact with custom apps in preview to Off.
Related linksβ
- Microsoft Teams Admin Center.
- Use app centric management to manage access to apps
- Disabling non-Microsoft and custom apps
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 425
Test Metadataβ
| Field | Value |
|---|---|
| Test ID | CIS.M365.8.4.1 |
| Severity | High |
| Suite | CIS |
| Category | CIS M365 v6.0.1 |
| PowerShell test | Test-MtCisThirdPartyAndCustomApps |
| Tags | CIS, CIS E3 Level 1, CIS M365 v6.0.1, CIS.M365.8.4.1 |
Sourceβ
- Pester test:
tests/cis/Test-MtCisThirdPartyAndCustomApps.Tests.ps1 - PowerShell source:
powershell/public/cis/Test-MtCisThirdPartyAndCustomApps.ps1