Teams app permission policies = control third-party app installation - prevent data exfiltration via malicious/unvetted Teams apps.
Recommendation
IMPLEMENT
Risk without implementation
Medium
Risk Score
7/10
Implementation
25h (tech: 5h)
Applies to:
• Microsoft Teams
Teams apps = data access risk:
Third-party apps: Microsoft + external developers (1000+ apps in the Teams app store)
Permissions: apps request rights such as read messages, access calendar, read files in channels, send messages on behalf of the user
Data exfiltration: malicious app 'Productivity enhancer' → reads all Teams messages → exfiltrates them to an attacker server
Unvetted apps: no security review (unlike Microsoft apps)
Governance via app permission policies: Block all third-party apps (strictest); Allow specific Microsoft apps only (recommended); Allow all (INSECURE - not recommended)
PowerShell modules required
Primary API: Microsoft Graph API. Connection: Connect-MicrosoftTeams. Required modules: MicrosoftTeams
Implementation
App permission policies:
Microsoft apps: Allow (vetted by Microsoft - Planner, Forms, OneNote)
Third-party apps: Block by default (OR whitelist specific apps after security review)
Custom apps: Organization-developed (LOB apps) - allow after review
App setup policies: Control which apps are pinned/installed for users
Requirements
Microsoft Teams
Teams admin role
App review process (if allowing third-party apps)
Security assessment: Third-party app permissions
Implementation
Teams Admin Center → Teams apps → Permission policies → Global (org-wide default) → Microsoft apps: Allow all; Third-party apps: Block all (OR Allow specific apps - whitelist).
App review, for each requested third-party app: review permissions, vendor assessment, pilot testing, approve/deny.
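The governance rule above (third-party apps blocked by default, and only reviewed apps on an allow-list) written out as a check over a policy object. This is an added example, not part of the baseline script; it assumes the object shape returned by Get-CsTeamsAppPermissionPolicy (GlobalCatalogAppsType of 'AllowedAppList' or 'BlockedAppList', GlobalCatalogApps entries with an Id), and the approved-app IDs and sample policies are constructed placeholders.

```powershell
# Evaluate a Teams app permission policy against the baseline rule:
# third-party (global catalog) apps blocked by default, and any app that IS allowed
# must be on the organisation's reviewed allow-list.
function Test-ThirdPartyAppPolicy {
    param(
        [Parameter(Mandatory)] $Policy,      # object as returned by Get-CsTeamsAppPermissionPolicy (assumed shape)
        [string[]] $ApprovedAppIds = @()     # app IDs that passed the review process
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $listed   = @($Policy.GlobalCatalogApps | ForEach-Object { $_.Id })

    switch ($Policy.GlobalCatalogAppsType) {
        'AllowedAppList' {
            # Allow-list mode: only the listed apps can be installed. An empty list = block all.
            foreach ($id in $listed) {
                if ($ApprovedAppIds -notcontains $id) {
                    $findings.Add("allowed app '$id' is not on the reviewed allow-list")
                }
            }
        }
        'BlockedAppList' {
            # Block-list mode: everything NOT listed is allowed. This is the "Allow all"
            # configuration the baseline marks INSECURE, however many apps are blocked.
            $findings.Add("global catalog uses a block-list ($($listed.Count) blocked); unlisted third-party apps are installable")
        }
        default { $findings.Add("unknown GlobalCatalogAppsType '$($Policy.GlobalCatalogAppsType)'") }
    }
    [pscustomobject]@{
        Identity    = $Policy.Identity
        IsCompliant = ($findings.Count -eq 0)
        Findings    = $findings.ToArray()
    }
}

# Constructed sample policies: offline stand-ins for Get-CsTeamsAppPermissionPolicy output.
$approved  = @('00000000-0000-0000-0000-00000000aaaa')   # placeholder ID of a reviewed app
$compliant = [pscustomobject]@{
    Identity = 'Global'; GlobalCatalogAppsType = 'AllowedAppList'
    GlobalCatalogApps = @([pscustomobject]@{ Id = '00000000-0000-0000-0000-00000000aaaa' })
}
$allowAll  = [pscustomobject]@{
    Identity = 'Global'; GlobalCatalogAppsType = 'BlockedAppList'; GlobalCatalogApps = @()
}
Test-ThirdPartyAppPolicy -Policy $compliant -ApprovedAppIds $approved
Test-ThirdPartyAppPolicy -Policy $allowAll  -ApprovedAppIds $approved
```

The second sample exercises the trap this control is about: an empty block-list reads as "nothing blocked" in the admin center but means every third-party app is installable, so it is reported as non-compliant.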
Compliance
AVG Art. 32 (Third-party data processing), BIO 09.02, ISO 27001 A.15.1.2 (Third-party management).
Monitoring
Use PowerShell script teams-app-policies.ps1 (function Invoke-Monitoring) → Check.
Remediation
Use PowerShell script teams-app-policies.ps1 (function Invoke-Remediation) → Remediate.
Compliance & Frameworks
BIO: 09.02.05 -
ISO 27001:2022: A.15.1.2 -
Automation
Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Teams App Policies
.DESCRIPTION
Configures Teams app permission policies to restrict third-party apps
.NOTES
NL Baseline v2.0
#>
#Requires -Version 5.1
#Requires -Modules MicrosoftTeams
[CmdletBinding()]
param(
    [switch]$Monitoring,
    [switch]$Remediation
)
$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Teams App Policies" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    try {
        Connect-MicrosoftTeams -ErrorAction Stop
        $policy = Get-CsTeamsAppPermissionPolicy -Identity Global
        # Third-party apps live in the global (Teams store) catalog. They are blocked by
        # default only when that catalog is governed by an allowed-app list; a blocked-app
        # list (even an empty one) means "allow everything not listed".
        $thirdPartyBlocked = ($policy.GlobalCatalogAppsType -eq 'AllowedAppList')
        $result = @{
            isCompliant    = $thirdPartyBlocked
            defaultOrgApps = @($policy.DefaultCatalogApps).Count
            globalApps     = @($policy.GlobalCatalogApps).Count
        }
        Write-Host " Global App Permission Policy:" -ForegroundColor Cyan
        Write-Host " Default (Microsoft) catalog apps listed: $($result.defaultOrgApps)" -ForegroundColor Gray
        Write-Host " Global (third-party) catalog apps listed: $($result.globalApps)" -ForegroundColor Gray
        Write-Host " Third-party catalog mode: $($policy.GlobalCatalogAppsType)" -ForegroundColor Gray
        Write-Host "`n Security Benefits:" -ForegroundColor Cyan
        Write-Host " • Controls third-party app access" -ForegroundColor Gray
        Write-Host " • Reduces attack surface" -ForegroundColor Gray
        Write-Host " • Maintains app governance" -ForegroundColor Gray
        Write-Host " • Prevents unauthorized app usage" -ForegroundColor Gray
        Write-Host "`n Recommendation: Review and whitelist only approved apps" -ForegroundColor Yellow
        Write-Host " Block third-party apps by default" -ForegroundColor Gray
        if ($result.isCompliant) {
            Write-Host "`n[OK] COMPLIANT - Third-party apps blocked by default (allow-list in force)" -ForegroundColor Green
            exit 0
        }
        Write-Host "`n[FAIL] NOT COMPLIANT - Third-party apps are allowed unless explicitly blocked" -ForegroundColor Red
        exit 1
    }
    catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
    Restores the configuration to the desired state
    .DESCRIPTION
    This is a monitoring-only control; remediation delegates to monitoring
    #>
    [CmdletBinding()]
    param()
    Write-Host "[INFO] Dit is een monitoring-only control" -ForegroundColor Yellow
    Write-Host "[INFO] Running monitoring check..." -ForegroundColor Cyan
    Invoke-Monitoring
}

# Dispatch only after both functions are defined: PowerShell resolves function names
# when the call runs, so a function declared below its call site is not found.
try {
    if ($Remediation) { Invoke-Remediation }
    elseif ($Monitoring) { Invoke-Monitoring }
    else { Write-Host "Use: -Monitoring or -Remediation" -ForegroundColor Yellow }
}
catch { throw }
finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}
Risk without implementation
Medium: Uncontrolled third-party Teams apps = data exfiltration risk.
Management Summary
Teams app permission policies. Block third-party apps by default. Whitelist Microsoft apps + reviewed third-party apps. App governance. Implementation: 5-25 hours.