Dynamic Group Guests

💼 Management Summary

This security control ensures the correct configuration of security settings on Windows endpoints.

Recommendation: IMPLEMENT
Risk without implementation: High
Risk Score: 7/10
Implementation effort: 2h (technical: 1h)
Applies to: Windows

This setting is part of the Windows security baseline and protects against known attack vectors by enforcing secure configurations.

PowerShell Modules Required
Primary API: Graph
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementation

This control configures the dynamic group for guests via Microsoft Intune device configuration policies or compliance policies, to secure Windows endpoints according to security best practices.

Requirements

m365

Implementation

Use the PowerShell script dynamic-group-guests.ps1 (function Invoke-Monitoring) – Monitor.

Monitoring

Use the PowerShell script dynamic-group-guests.ps1 (function Invoke-Monitoring) – Check.

Remediation

Use the PowerShell script dynamic-group-guests.ps1 (function Invoke-Remediation) – Remediate.

Compliance and Auditing

Policy documentation

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

```powershell
<#
.SYNOPSIS
    Dynamic Group for Guest Users
.DESCRIPTION
    Creates/checks dynamic group containing all guest users for policy targeting
.NOTES
    NL Baseline v2.0
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph
[CmdletBinding()]
param(
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Dynamic Group for Guests" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    # Exit codes: 0 = compliant, 1 = recommended action, 2 = error
    try {
        Connect-MgGraph -Scopes "Group.Read.All" -ErrorAction Stop -NoWelcome

        # All groups with dynamic membership, then those whose rule targets guests
        $dynamicGroups = Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'DynamicMembership')" -Property "DisplayName,MembershipRule"
        $guestGroups   = $dynamicGroups | Where-Object { $_.MembershipRule -match 'userType.*Guest' }

        Write-Host "  Total Dynamic Groups: $($dynamicGroups.Count)" -ForegroundColor Cyan
        Write-Host "  Guest-specific Groups: $($guestGroups.Count)" -ForegroundColor $(if ($guestGroups.Count -gt 0) { 'Green' } else { 'Yellow' })

        if ($guestGroups.Count -gt 0) {
            Write-Host "`n  Guest groups found:" -ForegroundColor Green
            foreach ($group in $guestGroups) {
                Write-Host "    • $($group.DisplayName)" -ForegroundColor Gray
                Write-Host "      Rule: $($group.MembershipRule)" -ForegroundColor Cyan
            }
        } else {
            Write-Host "`n  ⚠️ No dynamic group for guests" -ForegroundColor Yellow
            Write-Host "  Recommendation: Create for easier guest policy management" -ForegroundColor Gray
        }

        if ($guestGroups.Count -gt 0) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
            exit 0
        } else {
            Write-Host "`n⚠️ RECOMMENDED: Create guest dynamic group" -ForegroundColor Yellow
            exit 1
        }
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    # The group is created manually; this function only prints the procedure
    try {
        Write-Host "⚠️ Creating dynamic group requires manual configuration" -ForegroundColor Yellow
        Write-Host "`nSteps:" -ForegroundColor Cyan
        Write-Host "  1. Azure Portal > Groups > New group" -ForegroundColor Gray
        Write-Host "  2. Group type: Security" -ForegroundColor Gray
        Write-Host "  3. Name: All Guest Users" -ForegroundColor Gray
        Write-Host "  4. Membership type: Dynamic User" -ForegroundColor Gray
        Write-Host "  5. Dynamic query: (user.userType -eq `"Guest`")" -ForegroundColor Gray
        Write-Host "  6. Create" -ForegroundColor Gray
        Write-Host "`nBenefits:" -ForegroundColor Cyan
        Write-Host "  • Automatically includes all guests" -ForegroundColor Gray
        Write-Host "  • Use in Conditional Access policies" -ForegroundColor Gray
        Write-Host "  • Apply specific settings to guests" -ForegroundColor Gray
        exit 0
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Revert {
    Write-Host "`nReverting configuration..." -ForegroundColor Cyan
    try {
        if ($WhatIf) {
            Write-Host "  [WhatIf] Would revert configuration" -ForegroundColor Yellow
            return
        }
        # Revert implementation - requires manual implementation per control
        Write-Host "  Configuration reverted" -ForegroundColor Green
        Write-Host "`nRevert completed" -ForegroundColor Green
    } catch {
        Write-Error "Error during revert: $_"
        throw
    }
}

try {
    if ($Monitoring) {
        Invoke-Monitoring
    } elseif ($Remediation) {
        Invoke-Remediation
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        Write-Host "Use: -Monitoring | -Remediation | -Revert" -ForegroundColor Yellow
    }
} catch {
    throw
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}
```
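The baseline script above leaves the group creation to the portal and only checks that some rule matches `userType.*Guest`. The following added example, which is not part of the baseline script, creates the same group with the Microsoft Graph PowerShell SDK and then re-reads it to confirm the rule is exactly the intended one and that rule processing is switched on; it assumes the account can consent to `Group.ReadWrite.All`, and the mail nickname `allguestusers` is a chosen value.

```powershell
# Added example: create the guest dynamic group via Graph and verify it.
# Assumes the Microsoft.Graph module is installed and Group.ReadWrite.All can be consented.
Connect-MgGraph -Scopes "Group.ReadWrite.All" -NoWelcome

$displayName = 'All Guest Users'               # name from the baseline's manual steps
$rule        = '(user.userType -eq "Guest")'   # rule from the baseline's manual steps

# Idempotent: reuse a group with this display name instead of creating a duplicate.
$existing = Get-MgGroup -Filter "displayName eq '$displayName'" `
    -Property "Id,DisplayName,GroupTypes,MembershipRule,MembershipRuleProcessingState"

if (-not $existing) {
    $existing = New-MgGroup -DisplayName $displayName `
        -Description 'Dynamic security group containing every guest user, for policy targeting' `
        -MailEnabled:$false -MailNickname 'allguestusers' -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On'   # without 'On' the rule is stored but never evaluated
    Write-Host "Created group $($existing.Id)"
}

# Verification. The monitoring regex 'userType.*Guest' would also accept a rule such as
# (user.userType -ne "Guest"), so compare the rule text exactly (whitespace-normalized).
$group = Get-MgGroup -GroupId $existing.Id `
    -Property "DisplayName,GroupTypes,MembershipRule,MembershipRuleProcessingState"
$normalized = ($group.MembershipRule -replace '\s+', ' ').Trim()

$ok = ($group.GroupTypes -contains 'DynamicMembership') -and
      ($normalized -eq $rule) -and
      ($group.MembershipRuleProcessingState -eq 'On')

if ($ok) {
    Write-Host "[OK] $($group.DisplayName): rule '$normalized', processing On" -ForegroundColor Green
} else {
    Write-Host "[FAIL] $($group.DisplayName): rule '$normalized', processing '$($group.MembershipRuleProcessingState)'" -ForegroundColor Red
}
```

Once the group exists, Conditional Access policies can target it by name, and the exact-rule comparison is what keeps a look-alike rule from being reported as compliant.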

Risk without implementation

High: No auth tracking.

Management Summary

Enable audit logging.