maester365 · oed-metzb · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026 · Feb 6, 2026
@@ -105,16 +105,16 @@
     'Test-MtCaLicenseUtilization', 'Test-MtCaMfaForAdmin', 'Test-MtCaMfaForAdminManagement', 'Test-MtCaMfaForAllUsers',
     'Test-MtCaMfaForGuest', 'Test-MtCaMfaForRiskySignIn', 'Test-MtCaMisconfiguredIDProtection',
     'Test-MtCaReferencedGroupsExist', 'Test-MtCaReferencedObjectsExist', 'Test-MtCaRequirePasswordChangeForHighUserRisk',
-    'Test-MtCaSecureSecurityInfoRegistration', 'Test-MtCaWIFBlockLegacyAuthentication', 'Test-MtCis365PublicGroup',
+    'Test-MtCaSecureSecurityInfoRegistration', 'Test-MtCaWIFBlockLegacyAuthentication', 'Test-MtCis365PublicGroup', 'Test-MtCisAdminConsentWorkflowEnabled',
     'Test-MtCisAuditLogSearch', 'Test-MtCisAttachmentFilter', 'Test-MtCisAttachmentFilterComprehensive',
-    'Test-MtCisCalendarSharing', 'Test-MtCisCloudAdmin',
-    'Test-MtCisCommunicateWithUnmanagedTeamsUsers', 'Test-MtCisConnectionFilterSafeList', 'Test-MtCisCustomerLockBox',
-    'Test-MtCisDkim', 'Test-MtCisGlobalAdminCount', 'Test-MtCisHostedConnectionFilterPolicy',
-    'Test-MtCisInternalMalwareNotification', 'Test-MtCisOutboundSpamFilterPolicy', 'Test-MtCisPasswordExpiry',
+    'Test-MtCisCalendarSharing', 'Test-MtCisCloudAdmin', 'Test-MtCisCreateTenantDisallowed',
+    'Test-MtCisCommunicateWithUnmanagedTeamsUsers', 'Test-MtCisConnectionFilterSafeList', 'Test-MtCisCustomerLockBox', 'Test-MtCisDevicesWithoutCompliancePolicyMarked',
+    'Test-MtCisDkim', 'Test-MtCisEnsureGuestAccessRestricted', 'Test-MtCisEnsureGuestUserDynamicGroup', 'Test-MtCisEnsureUserConsentToAppsDisallowed', 'Test-MtCisFormsPhishingProtectionEnabled',
+    'Test-MtCisGlobalAdminCount', 'Test-MtCisHostedConnectionFilterPolicy', 'Test-MtCisInternalMalwareNotification', 'Test-MtCisOutboundSpamFilterPolicy', 'Test-MtCisPasswordExpiry',
     'Test-MtCisSafeAntiPhishingPolicy', 'Test-MtCisSafeAttachment', 'Test-MtCisSafeAttachmentsAtpPolicy',
     'Test-MtCisSafeLink', 'Test-MtCisSharedMailboxSignIn', 'Test-MtCisTeamsLobbyBypass',
-    'Test-MtCisTeamsReportSecurityConcerns', 'Test-MtCisThirdPartyAndCustomApps', 'Test-MtCisThirdPartyFileSharing',
-    'Test-MtCisZAP',
+    'Test-MtCisTeamsReportSecurityConcerns', 'Test-MtCisThirdPartyAndCustomApps', 'Test-MtCisThirdPartyApplicationsDisallowed', 'Test-MtCisThirdPartyFileSharing',
+    'Test-MtCisThirdPartyStorageServicesRestricted', 'Test-MtCisUserOwnedAppsRestricted', 'Test-MtCisWeakAuthenticationMethodsDisabled', 'Test-MtCisZAP',
     'Test-MtCisaDkim', 'Test-MtCisaActivationNotification', 'Test-MtCisaAntiSpamAllowList',
     'Test-MtCisaAntiSpamSafeList', 'Test-MtCisaAppAdminConsent', 'Test-MtCisaAppGroupOwnerConsent',
     'Test-MtCisaAppRegistration', 'Test-MtCisaAppUserConsent', 'Test-MtCisaAssignmentNotification',

@@ -0,0 +1,21 @@
+5.1.5.2 (L1) Ensure the admin consent workflow is enabled
+
+**Rationale:**
+The admin consent workflow (Preview) gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer acts on the request, and the user is notified of the action.
+
+#### Remediation action:
+
+1. Navigate to Microsoft Entra ID admin center [https://entra.microsoft.com](https://entra.microsoft.com).
+2. Under **Entra ID** select **Enterprise apps**
+3. Under **Security** select **Consent and permissions**
+4. Under **Manage** select **Admin consent settings**
+5. Set **Users can request admin consent to apps they are unable to consent to** to **Yes**
+6. Click Save.
+
+#### Related links
+
+* [Microsoft Entra admin center | Enterprise apps | Consent and permissions | Admin consent settings](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/AdminConsentSettings)
+* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 187](https://www.cisecurity.org/benchmark/microsoft_365)
+
+<!--- Results --->
+%TestResult%
@@ -0,0 +1,62 @@
+<#
+.SYNOPSIS
+    Checks if the admin consent workflow is enabled
+
+.DESCRIPTION
+    The admin consent workflow should be enabled.
+    CIS Microsoft 365 Foundations Benchmark v5.0.0
+
+.EXAMPLE
+    Test-MtCisAdminConsentWorkflowEnabled
+
+    Returns true if admin consent workflow is enabled
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtCisAdminConsentWorkflowEnabled
+#>
+function Test-MtCisAdminConsentWorkflowEnabled {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if (!(Test-MtConnection Graph)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
+    try {
+        Write-Verbose 'Getting settings...'
+        $settings = Invoke-MtGraphRequest -RelativeUri "policies/adminConsentRequestPolicy" -DisableCache
+
+        Write-Verbose 'Executing checks'
+        $checkAdminConsentWorkflowEnabled = $settings | Where-Object { $_.isEnabled -eq $true }
+
+        $testResult = (($checkAdminConsentWorkflowEnabled | Measure-Object).Count -eq 1)
+
+        if ($testResult) {
+            $testResultMarkdown = "Well done. Your tenant settings comply with CIS recommendations.`n`n%TestResult%"
+        } else {
+            $testResultMarkdown = "Your tenant settings not comply with CIS recommendations.`n`n%TestResult%"
+        }
+
+        $resultMd = "| Setting | Result |`n"
+        $resultMd += "| --- | --- |`n"
+
+        if ($checkAdminConsentWorkflowEnabled) {
+            $checkAdminConsentWorkflowEnabledResult = '✅ Pass'
+        } else {
+            $checkAdminConsentWorkflowEnabledResult = '❌ Fail'
+        }
+
+        $resultMd += "| Users can request admin consent to apps they are unable to consent to | $checkAdminConsentWorkflowEnabledResult |`n"
+
+
+        $testResultMarkdown = $testResultMarkdown -replace '%TestResult%', $resultMd
+
+        Add-MtTestResultDetail -Result $testResultMarkdown
+        return $testResult
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}
@@ -0,0 +1,21 @@
+5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
+
+**Rationale:**
+Restricting tenant creation prevents unauthorized or uncontrolled deployment of resources and ensures that the organization retains control over its infrastructure.
+User generation of shadow IT could lead to multiple, disjointed environments that can make it difficult for IT to manage and secure the organization's data, especially if other users in the organization began using these tenants for business purposes under the misunderstanding that they were secured by the organization's security team.
+
+#### Remediation action:
+
+1. Navigate to Microsoft 365 Entra admin center [https://entra.microsoft.com](https://entra.microsoft.com).
+2. Click to expand **Identity** select **Users**.
+3. Click **User settings**
+4. Set **Restrict non-admin users from creating tenants** to **Yes**
+5. Click Save.
+
+#### Related links
+
+* [Microsoft Entra admin center | Users | User settings](https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/UserSettings/menuId/)
+* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 167](https://www.cisecurity.org/benchmark/microsoft_365)
+
+<!--- Results --->
+%TestResult%
@@ -0,0 +1,61 @@
+<#
+.SYNOPSIS
+    Checks if non-admin users are restricted from creating tenants
+
+.DESCRIPTION
+    Non-admin users should be restricted from creating tenants.
+    CIS Microsoft 365 Foundations Benchmark v5.0.0
+
+.EXAMPLE
+    Test-MtCisCreateTenantDisallowed
+
+    Returns true if non-admin users are restricted from creating tenants.
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtCisCreateTenantDisallowed
+#>
+function Test-MtCisCreateTenantDisallowed {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if (!(Test-MtConnection Graph)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
+    try {
+        Write-Verbose 'Getting settings...'
+        $settings = (Invoke-MtGraphRequest -RelativeUri "policies/authorizationPolicy").defaultUserRolePermissions
+
+        Write-Verbose 'Executing checks'
+        $checkAllowedToCreateTenants = $settings | Where-Object { $_.allowedToCreateTenants -eq $false }
+
+        $testResult = (($checkAllowedToCreateTenants | Measure-Object).Count -ge 1)
+
+        if ($testResult) {
+            $testResultMarkdown = "Well done. Your tenant settings comply with CIS recommendations.`n`n%TestResult%"
+        } else {
+            $testResultMarkdown = "Your tenant settings not comply with CIS recommendations.`n`n%TestResult%"
+        }
+
+        $resultMd = "| Setting | Result |`n"
+        $resultMd += "| --- | --- |`n"
+
+        if ($checkAllowedToCreateTenants) {
+            $checkAllowedToCreateTenantsResult = '✅ Pass'
+        } else {
+            $checkAllowedToCreateTenantsResult = '❌ Fail'
+        }
+
+        $resultMd += "| Restrict non-admin users from creating tenants | $checkAllowedToCreateTenantsResult |`n"
+
+        $testResultMarkdown = $testResultMarkdown -replace '%TestResult%', $resultMd
+
+        Add-MtTestResultDetail -Result $testResultMarkdown
+        return $testResult
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}
@@ -0,0 +1,20 @@
+4.1 (L2) Ensure devices without a compliance policy are marked 'not compliant'
+
+**Rationale:**
+Implementing this setting is a first step in adopting compliance policies for devices.
+When used in together with Conditional Access policies the attack surface can be reduced by forcing an action to be taken for non-compliant devices.
+
+#### Remediation action:
+
+1. Navigate to Microsoft Intune admin center [https://intune.microsoft.com](https://intune.microsoft.com).
+2. Click on **Devices** and then unter **Managed devices** on **Compliance**.
+3. Click **Compliance settings**.
+4. Ensure **Mark devices with no compliance policy assigned as** set to **Not compliant**
+
+#### Related links
+
+* [Microsoft Intune Admin Center | Devices | Compliance](https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/compliance)
+* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 156](https://www.cisecurity.org/benchmark/microsoft_365)
+
+<!--- Results --->
+%TestResult%
@@ -0,0 +1,62 @@
+<#
+.SYNOPSIS
+    Checks if devices without a compliance policy assigned are marked "not compliant".
+
+.DESCRIPTION
+    Devices without a compliance policy assigned should be marked "not compliant".
+    CIS Microsoft 365 Foundations Benchmark v5.0.0
+
+.EXAMPLE
+    Test-MtCisDevicesWithoutCompliancePolicyMarked
+
+    Returns true if devices without a compliance policy assigned are marked "not compliant".
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtCisDevicesWithoutCompliancePolicyMarked
+#>
+function Test-MtCisDevicesWithoutCompliancePolicyMarked {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if (!(Test-MtConnection Graph)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
+    try {
+        Write-Verbose 'Getting settings...'
+        $settings = Invoke-MtGraphRequest -RelativeUri "deviceManagement/settings" -DisableCache
+
+        Write-Verbose 'Executing checks'
+        $checkSecureByDefault = $settings | Where-Object { $_.secureByDefault -eq $true }
+
+        $testResult = (($checkSecureByDefault | Measure-Object).Count -ge 1)
+
+        if ($testResult) {
+            $testResultMarkdown = "Well done. Your tenant settings comply with CIS recommendations.`n`n%TestResult%"
+        } else {
+            $testResultMarkdown = "Your tenant settings not comply with CIS recommendations.`n`n%TestResult%"
+        }
+
+        $resultMd = "| Setting | Result |`n"
+        $resultMd += "| --- | --- |`n"
+
+        if ($checkSecureByDefault) {
+            $checkSecureByDefaultResult = '✅ Pass'
+        } else {
+            $checkSecureByDefaultResult = '❌ Fail'
+        }
+
+        $resultMd += "| Mark devices with no compliance policy assigned as 'Not compliant' | $checkSecureByDefaultResult |`n"
+
+
+        $testResultMarkdown = $testResultMarkdown -replace '%TestResult%', $resultMd
+
+        Add-MtTestResultDetail -Result $testResultMarkdown
+        return $testResult
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}
@@ -0,0 +1,19 @@
+5.1.6.2 (L1) Ensure that guest user access is restricted
+
+**Rationale:**
+By limiting guest access to the most restrictive state this helps prevent malicious group and user object enumeration in the Microsoft 365 environment. This first step, known as reconnaissance in The Cyber Kill Chain, is often conducted by attackers prior to more advanced targeted attacks.
+
+#### Remediation action:
+
+1. Navigate to Microsoft Entra ID admin center [https://entra.microsoft.com](https://entra.microsoft.com).
+2. Under **Entra ID** select **External Identities**
+3. Select **External collaboration settings**
+4. Under **Guest user access** set **Guest user access restrictions** to one of the following:
+   - **Guest users have limited access to properties and memberships of directory objects**
+   - **Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)**
+5. Click Save.
+
+#### Related links
+
+* [Microsoft 365 Entra Admin Center | External Identities | External collaboration settings](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/CompanyRelationshipsMenuBlade/~/Settings/menuId/ExternalIdentitiesGettingStarted)
+* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 193](https://www.cisecurity.org/benchmark/microsoft_365)
@@ -0,0 +1,45 @@
+<#
+.SYNOPSIS
+    Checks if guest user access is restricted.
+
+.DESCRIPTION
+    Guest user access should be restricted to only necessary resources.
+    CIS Microsoft 365 Foundations Benchmark v5.0.0
+
+.EXAMPLE
+    Test-MtCisEnsureGuestAccessRestricted
+
+    Returns true if guest user access is restricted.
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtCisEnsureGuestAccessRestricted
+#>
+function Test-MtCisEnsureGuestAccessRestricted {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if (!(Test-MtConnection Graph)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGraph
+        return $null
+    }
+
+    try {
+        Write-Verbose 'Getting settings...'
+        $settings = Invoke-MtGraphRequest -RelativeUri "policies/authorizationPolicy" -DisableCache
+
+        $testResult = $settings.guestUserRoleId -eq "10dae51f-b6af-4016-8d66-8c2a99b929b3" -or $settings.guestUserRoleId -eq "2af84b1e-32c8-42b7-82bc-daa82404023b"
+
+        if ($testResult) {
+            $testResultMarkdown = "Well done. Your tenant settings comply with CIS recommendations."
+        } else {
+            $testResultMarkdown = "Your tenant settings not comply with CIS recommendations."
+        }
+
+        Add-MtTestResultDetail -Result $testResultMarkdown
+        return $testResult
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}
@@ -0,0 +1,27 @@
+5.1.3.1 (L1) Ensure a dynamic group for guest users is created
+
+**Rationale:**
+Dynamic groups allow for an automated method to assign group membership.
+Guest user accounts will be automatically added to this group and through this existing conditional access rules, access controls and other security measures will ensure that new guest accounts are restricted in the same manner as existing guest accounts.
+
+#### Remediation action:
+
+1. Navigate to Microsoft 365 Entra admin center [https://entra.microsoft.com](https://entra.microsoft.com).
+2. Click to expand **Identity** select **Groups**.
+3. Click **All groups**
+4. Select **New group** and assign the following values:
+   - Group type: **Security**
+   - Microsoft Entra roles can be assigned to the group: **No**
+   - Membership type: **Dynamic User**
+5. Click **Add dynamic query**.
+6. Click **Edit** above the Rule Syntax box.
+7. Enter `(user.userType -eq "Guest")`
+8. Click **OK** and **Save**.
+
+#### Related links
+
+* [Microsoft 365 Entra admin center | Groups](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/GroupsManagementMenuBlade/~/Overview/menuId/Overview)
+* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 179](https://www.cisecurity.org/benchmark/microsoft_365)
+
+<!--- Results --->
+%TestResult%