Cross Tenant Access Settings

💼 Management Summary

This security control ensures that the cross-tenant access settings of the Microsoft 365 tenant (Azure AD / Microsoft Entra ID, External Identities) are reviewed and restricted: B2B collaboration with other tenants is blocked by default and only explicitly listed partner tenants are allowed.

Recommendation
IMPLEMENT
Risk without
High
Risk Score
7/10
Implementation
2h (tech: 1h)
Applies to:
Microsoft 365 (Azure AD / Microsoft Entra ID)

This setting is part of the identity security baseline. It limits the attack surface exposed to external identities: with an open default, any user from any other Azure AD tenant can be invited as a guest, and your users can be invited into any external tenant. Restrictive defaults plus an explicit allow list per trusted partner keep both directions under control.

PowerShell Modules Required
Primary API: Graph
Connection: Connect-MgGraph (scope Policy.Read.All for monitoring)
Required Modules: Microsoft.Graph.Authentication (provides Connect-MgGraph and Invoke-MgGraphRequest; the umbrella Microsoft.Graph module also works)

Implementation

This control reviews and restricts the tenant's cross-tenant access policy in Azure AD / Microsoft Entra ID (External Identities > Cross-tenant access settings): restrictive default settings for inbound and outbound B2B collaboration, plus organizational (per-partner) settings that allow only trusted partner tenants, with trust settings (MFA, compliant device, hybrid joined device) decided per partner.

Requirements

m365

Implementation

Use the PowerShell script cross-tenant-access-settings.ps1 (function Invoke-Remediation, switch -Remediation). It prints the configuration steps; the settings themselves are changed in the portal under External Identities > Cross-tenant access settings, because a blocked default also affects guests that already exist.

Monitoring

Use the PowerShell script cross-tenant-access-settings.ps1 (function Invoke-Monitoring, switch -Monitoring) to check the configuration. Exit code 0 means the inbound default is restrictive, 1 means review needed, 2 means the check itself failed.

Remediation

Use the PowerShell script cross-tenant-access-settings.ps1 (function Invoke-Remediation, switch -Remediation) to remediate. The function prints the steps (restrictive defaults, add trusted partners, trust settings per partner); it does not change the tenant on its own.
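The remediation steps above are written for the portal. The following script is an added example, not the baseline's own cross-tenant-access-settings.ps1, that applies the same three steps through Microsoft Graph: block the default in both directions, add one trusted partner with an allow list, and set the partner's trust settings. The partner domain (partner.example) and the group ID passed as -OutboundGroupId are placeholders; the Graph endpoints, permission names and property names are the documented ones for /policies/crossTenantAccessPolicy.

```powershell
<#
  Added example (not the baseline's own script): applies the remediation steps
  with Microsoft Graph instead of the portal.
  Placeholders, replace before use:
    -PartnerDomain    verified domain of the trusted partner tenant (hypothetical value)
    -OutboundGroupId  object ID of a group in YOUR tenant whose members may be invited
                      into the partner tenant (hypothetical value)
#>
[CmdletBinding()]
param(
    [string]$PartnerDomain   = 'partner.example',
    [string]$OutboundGroupId = '00000000-0000-0000-0000-000000000000',
    [switch]$WhatIf
)
$ErrorActionPreference = 'Stop'
$graph  = 'https://graph.microsoft.com/v1.0'
$policy = "$graph/policies/crossTenantAccessPolicy"

# Policy.ReadWrite.CrossTenantAccess: change the policy
# CrossTenantInformation.ReadBasic.All: resolve a domain name to a tenant ID
# User.Read.All: count existing guests before tightening the default
$scopes = @('Policy.ReadWrite.CrossTenantAccess', 'CrossTenantInformation.ReadBasic.All', 'User.Read.All')
$null = Connect-MgGraph -Scopes $scopes -NoWelcome

# 0. Impact check: a blocked default also blocks guests who already exist in the
#    directory and come from a tenant without an organizational setting.
$guestPage = Invoke-MgGraphRequest -Method GET -Headers @{ ConsistencyLevel = 'eventual' } `
    -Uri "$graph/users?`$filter=userType eq 'Guest'&`$count=true&`$top=1"
Write-Host ("Existing guest accounts: {0} (review before blocking the default)" -f $guestPage['@odata.count'])

# 1. Restrictive defaults: block inbound and outbound B2B collaboration for every
#    tenant that has no organizational (partner) setting.
$blockAll = @{
    usersAndGroups = @{ accessType = 'blocked'; targets = @(@{ target = 'AllUsers';        targetType = 'user' }) }
    applications   = @{ accessType = 'blocked'; targets = @(@{ target = 'AllApplications'; targetType = 'application' }) }
}
$defaultBody = @{ b2bCollaborationInbound = $blockAll; b2bCollaborationOutbound = $blockAll } | ConvertTo-Json -Depth 10
if ($WhatIf) { Write-Host "[WhatIf] PATCH $policy/default`n$defaultBody" }
else { $null = Invoke-MgGraphRequest -Method PATCH -Uri "$policy/default" -Body $defaultBody -ContentType 'application/json' }

# 2. Trusted partner: resolve the tenant ID from its domain, then allow the partner's
#    users inbound and only one of our groups outbound. Inbound targets are IDs in the
#    partner tenant; outbound targets are IDs in our own tenant.
$tenantInfo = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/tenantRelationships/findTenantInformationByDomainName(domainName='$PartnerDomain')"
$partnerId    = $tenantInfo.tenantId
$allowAllApps = @{ accessType = 'allowed'; targets = @(@{ target = 'AllApplications'; targetType = 'application' }) }
$partnerBody  = @{
    b2bCollaborationInbound  = @{
        usersAndGroups = @{ accessType = 'allowed'; targets = @(@{ target = 'AllUsers'; targetType = 'user' }) }
        applications   = $allowAllApps
    }
    b2bCollaborationOutbound = @{
        usersAndGroups = @{ accessType = 'allowed'; targets = @(@{ target = $OutboundGroupId; targetType = 'group' }) }
        applications   = $allowAllApps
    }
    # 3. Trust settings: accept the partner's MFA claim, but not its device claims.
    inboundTrust = @{ isMfaAccepted = $true; isCompliantDeviceAccepted = $false; isHybridAzureADJoinedDeviceAccepted = $false }
}

# Create the organizational setting, or update it when the partner is already listed.
$exists = $true
try { $null = Invoke-MgGraphRequest -Method GET -Uri "$policy/partners/$partnerId" } catch { $exists = $false }
if ($WhatIf) {
    Write-Host "[WhatIf] Would $(if ($exists) { 'update' } else { 'create' }) partner $partnerId ($PartnerDomain)"
}
elseif ($exists) {
    $null = Invoke-MgGraphRequest -Method PATCH -Uri "$policy/partners/$partnerId" `
        -Body ($partnerBody | ConvertTo-Json -Depth 10) -ContentType 'application/json'
    Write-Host "Updated partner setting for $PartnerDomain ($partnerId)"
}
else {
    $body = $partnerBody.Clone(); $body.tenantId = $partnerId
    $null = Invoke-MgGraphRequest -Method POST -Uri "$policy/partners" `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'
    Write-Host "Created partner setting for $PartnerDomain ($partnerId)"
}

# Verify the result the way the monitoring script does: read the default back.
$default = Invoke-MgGraphRequest -Method GET -Uri "$policy/default"
$inbound = $default.b2bCollaborationInbound.usersAndGroups.accessType
if (-not $WhatIf -and $inbound -ne 'blocked') { throw "Default inbound B2B collaboration is still '$inbound'" }
Write-Host "isServiceDefault: $($default.isServiceDefault); default inbound: $inbound"
```

Run it with -WhatIf first and read the guest count it prints: blocking the outbound default also stops your own users from signing in to tenants where they are already guests, unless that tenant gets an organizational setting. Consenting to Policy.ReadWrite.CrossTenantAccess requires an administrator role such as Security Administrator or Global Administrator.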

Compliance and Auditing

Policy documentation

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell

```powershell
<#
.SYNOPSIS
    Cross-Tenant Access Settings
.DESCRIPTION
    Reviews and restricts cross-tenant access settings.
    Controls B2B collaboration with other Azure AD (Microsoft Entra ID) tenants.
.NOTES
    Filename: cross-tenant-access-settings.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Exit codes: 0 = compliant, 1 = review needed, 2 = error
.EXAMPLE
    .\cross-tenant-access-settings.ps1 -Monitoring
    Check cross-tenant access configuration
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph.Authentication

[CmdletBinding()]
param(
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'
$PolicyUri = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Cross-Tenant Access Settings" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Get-AccessSummary {
    <#
    .SYNOPSIS
        Summarises one B2B collaboration direction (inbound or outbound).
        Graph only knows accessType 'allowed' or 'blocked'; an allow list is
        accessType 'allowed' whose targets name specific users or groups
        instead of 'AllUsers'. A null setting on a partner inherits the default.
    #>
    param($Setting)
    if (-not $Setting -or -not $Setting.usersAndGroups) { return 'inherits default' }
    $ug = $Setting.usersAndGroups
    if ($ug.accessType -eq 'blocked') { return 'blocked' }
    if (@($ug.targets) | Where-Object { $_.target -eq 'AllUsers' }) { return 'allowed (all users)' }
    return 'allowed (allow-list)'
}

function Invoke-Monitoring {
    <#
    .SYNOPSIS
        Checks cross-tenant access configuration; returns the exit code.
    #>
    try {
        Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Gray
        $null = Connect-MgGraph -Scopes "Policy.Read.All" -ErrorAction Stop -NoWelcome

        Write-Host "Checking cross-tenant access settings..." -ForegroundColor Gray
        try {
            # 'default' and 'partners' are navigation properties: they are not part of
            # GET .../crossTenantAccessPolicy and must be requested on their own.
            $default  = Invoke-MgGraphRequest -Method GET -Uri "$PolicyUri/default" -ErrorAction Stop
            $partners = @((Invoke-MgGraphRequest -Method GET -Uri "$PolicyUri/partners" -ErrorAction Stop).value)
        }
        catch {
            # A read failure is not evidence of compliance: ask for a manual check.
            Write-Host " ⚠️ Could not read the cross-tenant access policy: $_" -ForegroundColor Yellow
            Write-Host " Check manually: Microsoft Entra admin center > Identity > External Identities > Cross-tenant access settings" -ForegroundColor Gray
            return 1
        }

        Write-Host "`n Default Cross-Tenant Settings:" -ForegroundColor Cyan
        if ($default.isServiceDefault) {
            Write-Host " Service defaults are still in effect (never customised)" -ForegroundColor Yellow
        }
        $inbound  = Get-AccessSummary $default.b2bCollaborationInbound
        $outbound = Get-AccessSummary $default.b2bCollaborationOutbound
        Write-Host " Inbound B2B:  $inbound"  -ForegroundColor $(if ($inbound  -eq 'blocked') { 'Green' } else { 'Yellow' })
        Write-Host " Outbound B2B: $outbound" -ForegroundColor $(if ($outbound -eq 'blocked') { 'Green' } else { 'Yellow' })

        # Restrictive inbound default (blocked, or an allow list rather than all users) = compliant
        $isCompliant = ($inbound -eq 'blocked') -or ($inbound -eq 'allowed (allow-list)')

        Write-Host "`n Partner-specific configurations: $($partners.Count)" -ForegroundColor Cyan
        foreach ($p in $partners) {
            Write-Host ("   {0}  inbound: {1}  outbound: {2}  MFA trusted: {3}" -f $p.tenantId,
                (Get-AccessSummary $p.b2bCollaborationInbound),
                (Get-AccessSummary $p.b2bCollaborationOutbound),
                [bool]$p.inboundTrust.isMfaAccepted) -ForegroundColor Gray
        }

        Write-Host "`n Recommendation:" -ForegroundColor Cyan
        Write-Host " • Default: Block all" -ForegroundColor Gray
        Write-Host " • Explicit allow list for trusted partners only" -ForegroundColor Gray

        if ($isCompliant) {
            Write-Host "`n[OK] COMPLIANT - Restrictive defaults configured" -ForegroundColor Green
            return 0
        }
        Write-Host "`n⚠️ REVIEW NEEDED - Verify settings match security requirements" -ForegroundColor Yellow
        return 1
    }
    catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        return 2
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
        Prints the configuration steps. The change itself is made manually,
        because a blocked default also affects guests that already exist.
    #>
    try {
        Write-Host "⚠️ Cross-tenant access settings require careful planning" -ForegroundColor Yellow
        Write-Host "`nSteps to configure:" -ForegroundColor Cyan
        Write-Host "`n1. Set restrictive defaults:" -ForegroundColor Green
        Write-Host "   Microsoft Entra admin center > Identity > External Identities" -ForegroundColor Gray
        Write-Host "   > Cross-tenant access settings > Default settings" -ForegroundColor Gray
        Write-Host "   • Inbound: Block all (or allow specific groups)" -ForegroundColor Gray
        Write-Host "   • Outbound: Block all (or allow specific groups)" -ForegroundColor Gray
        Write-Host "`n2. Add trusted partners:" -ForegroundColor Green
        Write-Host "   > Organizational settings > Add organization" -ForegroundColor Gray
        Write-Host "   • Add partner tenant ID" -ForegroundColor Gray
        Write-Host "   • Configure inbound/outbound access" -ForegroundColor Gray
        Write-Host "   • Specify which apps/users can collaborate" -ForegroundColor Gray
        Write-Host "`n3. Configure trust settings:" -ForegroundColor Green
        Write-Host "   For each partner:" -ForegroundColor Gray
        Write-Host "   • Trust MFA from partner tenant (if appropriate)" -ForegroundColor Gray
        Write-Host "   • Trust compliant devices (if appropriate)" -ForegroundColor Gray
        Write-Host "   • Trust hybrid joined devices (if appropriate)" -ForegroundColor Gray
        Write-Host "`n📝 Best Practice:" -ForegroundColor Cyan
        Write-Host "   • Default: Block all" -ForegroundColor Gray
        Write-Host "   • Explicit allow list per trusted partner" -ForegroundColor Gray
        Write-Host "   • Document business justification" -ForegroundColor Gray
        Write-Host "   • Review quarterly" -ForegroundColor Gray
        return 0
    }
    catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        return 2
    }
}

function Invoke-Revert {
    <#
    .SYNOPSIS
        There is no automated revert for this control; the previous default and
        partner settings must be restored from the documented baseline.
    #>
    Write-Host "`nReverting configuration..." -ForegroundColor Cyan
    if ($WhatIf) {
        Write-Host " [WhatIf] Would revert configuration" -ForegroundColor Yellow
        return 0
    }
    Write-Host " Revert requires manual implementation: restore the documented default and" -ForegroundColor Yellow
    Write-Host " organizational settings under External Identities > Cross-tenant access settings" -ForegroundColor Gray
    return 1
}

$exitCode = 0
try {
    if     ($Monitoring)  { $exitCode = [int](Invoke-Monitoring  | Select-Object -Last 1) }
    elseif ($Remediation) { $exitCode = [int](Invoke-Remediation | Select-Object -Last 1) }
    elseif ($Revert)      { $exitCode = [int](Invoke-Revert      | Select-Object -Last 1) }
    else {
        Write-Host "Use: -Monitoring, -Remediation or -Revert" -ForegroundColor Yellow
        $exitCode = 1
    }
}
finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}
exit $exitCode
```

Risk without implementation

High: with the service default, B2B collaboration is open in both directions. Users from any other Azure AD tenant can be invited as guests into your tenant, your users can be invited into any external tenant, and there is no explicit allow list of trusted partners against which such access can be reviewed.

Management Summary

Block inbound and outbound B2B collaboration by default, add only trusted partner tenants as organizational settings with an explicit allow list and deliberate trust settings, document the business justification per partner, and review the list quarterly.