External Calendar Sharing [CHK-1031]
This check verifies whether sharing calendars with external users is disabled or limited to specific domains.
Rationale
Openly accessible calendars can give attackers valuable information, helping them prepare an attack by understanding the organization's internal structure or identifying when employees are more vulnerable.
Fix
An automated fix is available through Attic.
Manual steps:
- Navigate to the Microsoft 365 Exchange admin center.
- Go to Organization > Sharing.
- Open the organization sharing policy by clicking on it.
- Select the "Sharing" tab.
- Click on "Manage sharing settings".
- Ensure "Calendar free/busy information with time only" is selected.
- Click on "Save".
- Repeat for each individual sharing policy. The sharing settings can be found by clicking on the sharing policy and then selecting "manage domains". Each domain has its own sharing settings.
Impact
The check has two possible outcomes:
- Okay: Calendar details sharing with external users is not enabled.
- Warning: A policy to allow calendar details sharing is enabled.
If the output is Warning, we advise disabling the SharingPolicy.
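The same Okay/Warning classification can be reproduced from Exchange Online PowerShell. The following is an added example, not Attic's own check code: the function name `Test-CalendarSharingPolicy` and the sample policies are constructed for illustration, and it assumes a policy counts as sharing calendar details when it is enabled and any domain entry grants more than `CalendarSharingFreeBusySimple` (the "time only" level).

```powershell
# Added example (not Attic's implementation). Classifies sharing policies
# using the Okay/Warning outcomes described above.
function Test-CalendarSharingPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy
    )
    begin {
        # Sharing actions that expose more than free/busy time.
        $detailActions = 'CalendarSharingFreeBusyDetail', 'CalendarSharingFreeBusyReviewer'
    }
    process {
        $risky = foreach ($entry in @($Policy.Domains)) {
            # Each entry has the form "<domain>:<action>[,<action>...]".
            $domain, $actions = ([string]$entry) -split ':', 2
            $hits = @($actions -split ',' | ForEach-Object { $_.Trim() } |
                      Where-Object { $_ -in $detailActions })
            if ($hits) { '{0} ({1})' -f $domain, ($hits -join ', ') }
        }
        # A disabled policy shares nothing, so it is reported as Okay.
        $status = if ($Policy.Enabled -and $risky) { 'Warning' } else { 'Okay' }
        [pscustomobject]@{
            Policy  = $Policy.Name
            Enabled = [bool]$Policy.Enabled
            Status  = $status
            Details = @($risky) -join '; '
        }
    }
}

# Constructed sample policies, shaped like Get-SharingPolicy output.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'Default Sharing Policy'; Enabled = $true
        Domains = @('Anonymous:CalendarSharingFreeBusyReviewer', '*:CalendarSharingFreeBusySimple') }
    [pscustomobject]@{ Name = 'Partner policy'; Enabled = $true
        Domains = @('partner.example:CalendarSharingFreeBusyDetail, ContactsSharing') }
    [pscustomobject]@{ Name = 'Time only'; Enabled = $true
        Domains = @('*:CalendarSharingFreeBusySimple') }
)
$samplePolicies | Test-CalendarSharingPolicy | Format-Table -AutoSize

# Against a tenant, after Connect-ExchangeOnline:
#   Get-SharingPolicy | Test-CalendarSharingPolicy
```

With the sample data, the first two policies report Warning and the third reports Okay. A policy that reports Warning can be disabled with `Set-SharingPolicy -Identity "<policy name>" -Enabled $false`.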
More Information
This measure aligns with the following item from the Center for Internet Security (CIS) Microsoft 365 Foundations Benchmark:
- CIS M365 2.2 - (L2) Ensure calendar details sharing with external users is disabled.