Guest Invitations Restricted

<# .SYNOPSIS Guest Invitations Restricted .DESCRIPTION Limits who can invite external guests to the tenant .NOTES NL Baseline v2.0 #> #Requires -Version 5.1 #Requires -Modules Microsoft.Graph [CmdletBinding()] param([switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf) $ErrorActionPreference = 'Stop' Write-Host "`n========================================" -ForegroundColor Cyan Write-Host "Guest Invitations Restricted" -ForegroundColor Cyan Write-Host "========================================`n" -ForegroundColor Cyan function Invoke-Monitoring { try { Connect-MgGraph -Scopes "Policy.Read.All" -ErrorAction Stop -NoWelcome $authPolicy = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/policies/authorizationPolicy" $allowInvitesFrom = $authPolicy.allowInvitesFrom Write-Host " Allow Invites From: $allowInvitesFrom" -ForegroundColor $( if ($allowInvitesFrom -in @('adminsAndGuestInviters', 'adminsGuestInvitersAndAllMembers', 'none')) { 'Green' }else { 'Red' } ) Write-Host "`n Options:" -ForegroundColor Cyan Write-Host " • none: Most restrictive (no invites)" -ForegroundColor Gray Write-Host " • adminsAndGuestInviters: Admins only" -ForegroundColor Gray Write-Host " • adminsGuestInvitersAndAllMembers: Members can invite" -ForegroundColor Gray Write-Host " • everyone: Least restrictive (guests can invite)" -ForegroundColor Gray $isCompliant = ($allowInvitesFrom -ne 'everyone') if ($isCompliant) { Write-Host "`n[OK] COMPLIANT - Guest invitations restricted" -ForegroundColor Green exit 0 } else { Write-Host "`n[FAIL] NON-COMPLIANT - Everyone can invite guests!" -ForegroundColor Red exit 1 } } catch { Write-Host "ERROR: $_" -ForegroundColor Red exit 2 } } function Invoke-Remediation { try { Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" -ErrorAction Stop -NoWelcome $body = @{ allowInvitesFrom = 'adminsAndGuestInviters' } | ConvertTo-Json Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/policies/authorizationPolicy/authorizationPolicy" -Body $body -ErrorAction Stop Write-Host "`n[OK] Guest invitations restricted to admins" -ForegroundColor Green exit 0 } catch { Write-Host "ERROR: $_" -ForegroundColor Red exit 2 } } function Invoke-Revert { try { Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" -ErrorAction Stop -NoWelcome $body = @{ allowInvitesFrom = 'everyone' } | ConvertTo-Json Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/policies/authorizationPolicy/authorizationPolicy" -Body $body -ErrorAction Stop Write-Host " ⚠️ Everyone can now invite guests" -ForegroundColor Yellow exit 0 } catch { Write-Host "ERROR: $_" -ForegroundColor Red exit 2 } } try { if ($Revert) { Invoke-Revert } elseif ($Monitoring) { Invoke-Monitoring } elseif ($Remediation) { Invoke-Remediation } else { Write-Host "Use: -Monitoring | -Remediation | -Revert" -ForegroundColor Yellow } } catch { throw } finally { Write-Host "`n========================================`n" -ForegroundColor Cyan }