cqrenet/macOS_IntuneManagement
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

release: v4.1.0 — restructure entry points, add CIS baselines, reporting tools and fzf hints

Browse Source 
- Restructure launchers: Start-IntuneToolkit.ps1 moves to repo root;
  Start-HeadlessIntune.ps1 moves to Scripts/; TUI helper moves to Scripts/Private/
- Add AGENTS.md with project architecture, entry points, and security notes
- Add CIS M365 baseline assets (CISM365-v7, M365-CIS-Rapid) and reporting scripts
- Add Python reporting utilities (Export-SettingsReport, Export-AssignmentReport,
  Export-ObjectInventoryReport) and CA wizard helpers
- Update Deploy-IntuneBaseline.ps1 with Merge conflict resolution, ReportPath,
  and optimized group loading
- Update Initialize-IntuneAuth.ps1 with -RotateSecret and configurable secret expiry
- Update Extensions for Settings Catalog definition auto-export
- Update README with v4.1.0, new entry points and script catalog
- Bump VERSION to 4.1.0
- Harden .gitignore against .DS_Store, __pycache__, .venv-pdf/, local exports,
  Settings.json and IntuneManagement.log
This commit is contained in:
Tomas Kracmar
2026-06-14 15:24:42 +02:00
parent e333af978c
commit d3e0769799
30 changed files with 8711 additions and 175 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Baselines/CISM365-v7-Generated.yaml
+655
View File
@@ -0,0 +1,655 @@
# =====================================================================
# CIS Microsoft 365 Foundations Benchmark v7.0.0 (Draft)
# GENERATED from PDF — review before deploying
# =====================================================================
baseline:
name: CIS-M365-v7-Generated
conflictResolution: Skip
whatIf: false
tenantMutation:
prefix: "CIS-v7-"
groups:
- displayName: "CIS-BreakGlass"
mailNickname: "CISBreakGlass"
securityEnabled: true
- displayName: "CIS-Pilot-Users"
mailNickname: "CISPilotUsers"
securityEnabled: true
tenantConfig:
# ===============================================================
# Section 1: adminCenter
# ===============================================================
adminCenter:
# 1.1.2 (Manual): Ensure two emergency access accounts have been defined
# TODO: Implement manually per PDF instructions
# 1.1.3 (Automated): Ensure that between two and four global admins are designated
# TODO: Map this control to YAML — see PDF for details
# 1.1.4 (Automated): Ensure administrative accounts use licenses with a reduced application footprint
# TODO: Map this control to YAML — see PDF for details
# 1.2.1 (Automated): Ensure that only organizationally managed/approved public groups exist
# TODO: Map this control to YAML — see PDF for details
# 1.2.2: Ensure sign-in to shared mailboxes is blocked
blockSharedMailboxSignIn: true
# 1.3.1: Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'
passwordExpiration: "NeverExpire"
# 1.3.2: Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices
idleSessionTimeoutHours: 3
# 1.3.3: Ensure 'External sharing' of calendars is not available
externalCalendarSharing: "Disabled"
# 1.3.4: Ensure 'User owned apps and services' is restricted
restrictUserOwnedApps: true
# 1.3.5: Ensure internal phishing protection for Forms is enabled
formsPhishingProtection: true
# 1.3.6: Ensure the customer lockbox feature is enabled
customerLockbox: true
# 1.3.7: Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web'
restrictThirdPartyStorage: true
# 1.3.8 (Manual): Ensure that Sways cannot be shared with people outside of your organization
# TODO: Implement manually per PDF instructions
# 1.3.9: Ensure shared bookings pages are restricted to select users
restrictSharedBookings: true
# ===============================================================
# Section 5: entraId
# ===============================================================
entraId:
# 5.1.2.1 (Manual): Ensure 'Per-user MFA' is disabled
# TODO: Implement manually per PDF instructions
# 5.1.2.2: Ensure users cannot register applications
blockUserConsent: true
# 5.1.2.3: Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
blockTenantCreation: true
# 5.1.2.4 (Manual): Ensure access to the Entra admin center is restricted
# TODO: Implement manually per PDF instructions
# 5.1.2.5 (Manual): Ensure the option to remain signed in is hidden
# TODO: Implement manually per PDF instructions
# 5.1.2.6 (Manual): Ensure 'LinkedIn account connections' is disabled
# TODO: Implement manually per PDF instructions
# 5.1.3.1: Ensure users cannot create security groups
blockSecurityGroupCreation: true
# 5.1.3.2 (Manual): Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes'
# TODO: Implement manually per PDF instructions
# 5.1.3.3 (Manual): Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
# TODO: Implement manually per PDF instructions
# 5.1.3.4: Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
blockM365GroupCreation: true
# 5.1.4.1: Ensure the ability to join devices to Entra is restricted
restrictDeviceJoin: true
# 5.1.4.2: Ensure the maximum number of devices per user is limited
maxDevicesPerUser: 5
# 5.1.4.3: Ensure the GA role is not added as a local administrator during Entra join
gaLocalAdminDisabled: true
# 5.1.4.4: Ensure local administrator assignment is limited during Entra join
limitLocalAdminAssignment: true
# 5.1.4.5: Ensure Local Administrator Password Solution is enabled
enableLAPS: true
# 5.1.4.6: Ensure users are restricted from recovering BitLocker keys
restrictBitLockerRecovery: true
# 5.1.5.1: Ensure user consent to apps accessing company data on their behalf is not allowed
blockUserConsent: true
# 5.1.5.2: Ensure the admin consent workflow is enabled
enableAdminConsentWorkflow: true
# 5.1.5.3: Ensure password addition is blocked for applications
blockPasswordCredentials: true
# 5.1.5.4: Ensure password lifetime for applications does not exceed 180 days
maxPasswordLifetimeDays: 180
# 5.1.5.5: Ensure new application passwords are system-generated
systemGeneratedPasswords: true
# 5.1.5.6: Ensure maximum certificate lifetime for applications does not exceed 180 days
maxCertificateLifetimeDays: 180
# 5.1.6.1: Ensure that collaboration invitations are sent to allowed domains only
restrictCollaborationDomains: true
# 5.1.6.2: Ensure that guest user access is restricted
restrictGuestAccess: true
# 5.1.6.3: Ensure guest user invitations are limited
limitGuestInvitations: true
# 5.1.8.1: Ensure that password hash sync is enabled for hybrid deployments
enablePasswordHashSync: true
# 5.2.3.1: Ensure Microsoft Authenticator is configured to protect against MFA fatigue
authenticatorNumberMatching: true
# 5.2.3.3 (Automated): Ensure password protection is enabled for on-prem Active Directory
# NOTE: Hybrid-only control — requires on-premises Active Directory
# 5.2.3.4: Ensure all member users are 'MFA capable'
mfaCapableUsers: true
# 5.2.3.5: Ensure weak authentication methods are disabled
disableWeakAuthMethods: true
# 5.2.3.6: Ensure system-preferred multifactor authentication is enabled
systemPreferredMFA: true
# 5.2.3.7: Ensure the email OTP authentication method is disabled
disableEmailOTP: true
# 5.2.3.8: Ensure that Account 'Lockout threshold' is '10' or less
lockoutThreshold: 10
# 5.2.3.9: Ensure that Account 'Lockout duration in seconds' is at least 60 seconds
lockoutDurationSeconds: 60
# 5.2.3.10: Ensure Microsoft Authenticator on companion applications is disabled
disableAuthenticatorCompanionApps: true
# 5.2.4.1 (Manual): Ensure 'Self service password reset enabled' is set to 'All'
# TODO: Implement manually per PDF instructions
# 5.2.4.2 (Manual): Ensure that 2 methods are required for password reset
# TODO: Implement manually per PDF instructions
# 5.2.4.3 (Manual): Ensure SSPR registration and authentication re- confirmation are required
# TODO: Implement manually per PDF instructions
# 5.2.4.4 (Manual): Ensure that users are notified on password resets
# TODO: Implement manually per PDF instructions
# 5.2.4.5 (Manual): Ensure all admins are notified when other admins reset their password
# TODO: Implement manually per PDF instructions
# 5.3.1: Ensure privileged role assignments are activated and not assigned
pimRoleActivationRequired: true
# 5.3.2: Ensure 'Access reviews' for guest users are configured
accessReviewsForGuests: true
# 5.3.3: Ensure 'Access reviews' for privileged roles are configured
accessReviewsForPrivilegedRoles: true
# 5.3.4: Ensure approval is required for Global Administrator role activation
requireApprovalForGAActivation: true
# 5.3.5: Ensure approval is required for Privileged Role Administrator activation
requireApprovalForPRAActivation: true
# ===============================================================
# Section 6: exchange
# ===============================================================
exchange:
# 6.1.1: Ensure 'AuditDisabled' organizationally is set to 'False'
enableMailboxAuditOrgWide: true
# 6.1.2: Ensure mailbox audit actions are configured
configureMailboxAuditActions: true
# 6.1.3: Ensure 'AuditBypassEnabled' is not enabled on mailboxes
disableAuditBypass: true
# 6.2.1: Ensure all forms of mail forwarding are blocked and/or disabled
blockExternalForwarding: true
# 6.2.2: Ensure mail transport rules do not whitelist specific domains
noDomainWhitelistTransportRules: true
# 6.2.3: Ensure email from external senders is identified
enableExternalSenderBanner: true
# 6.3.1: Ensure users installing Outlook add-ins is not allowed
blockOutlookAddIns: true
# 6.3.2: Ensure the ability to add personal email accounts and calendars is disabled
disablePersonalEmailAccounts: true
# 6.5.1: Ensure modern authentication for Exchange Online is enabled
enableModernAuthExchange: true
# 6.5.2: Ensure MailTips are enabled for end users
enableMailTips: true
# 6.5.3: Ensure additional storage providers are restricted in Outlook on the web
restrictAdditionalStorageProviders: true
# 6.5.4: Ensure SMTP AUTH is disabled
disableSMTPAuth: true
# 6.5.5: Ensure Direct Send submissions are rejected
rejectDirectSend: true
# ===============================================================
# Section 7: sharePoint
# ===============================================================
sharePoint:
# 7.2.1: Ensure modern authentication for SharePoint applications is required
requireModernAuthSharePoint: true
# 7.2.2: Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
enableAADB2BIntegration: true
# 7.2.3: Ensure external content sharing is restricted
sharePointExternalSharing: "Disabled"
# 7.2.4: Ensure OneDrive content sharing is restricted
oneDriveExternalSharing: "Disabled"
# 7.2.5: Ensure that SharePoint guest users cannot share items they don't own
preventGuestResharing: true
# 7.2.6: Ensure SharePoint external sharing is restricted
restrictSharePointExternalSharing: true
# 7.2.7: Ensure link sharing is restricted in SharePoint and OneDrive
restrictLinkSharing: true
# 7.2.8: Ensure external sharing is restricted by security group
restrictSharingBySecurityGroup: true
# 7.2.9: Ensure guest access to a site or OneDrive will expire automatically
guestAccessExpirationDays: 30
# 7.2.10: Ensure reauthentication with verification code is restricted
restrictReauthenticationVerificationCode: true
# 7.2.11: Ensure the SharePoint default sharing link permission is set
defaultSharingLinkPermission: "View"
# 7.3.1: Ensure Office 365 SharePoint infected files are disallowed for download
disallowInfectedFileDownload: true
# ===============================================================
# Section 8: teams
# ===============================================================
teams:
# 8.1.1: Ensure external file sharing in Teams is enabled for only approved cloud storage services
restrictExternalFileSharing: true
# 8.1.2: Ensure users can't send emails to a channel email address
blockChannelEmail: true
# 8.2.1: Ensure external domains are restricted in the Teams admin center
restrictExternalDomains: true
# 8.2.2: Ensure communication with unmanaged Teams users is disabled
disableUnmanagedUserCommunication: true
# 8.2.3: Ensure external Teams users cannot initiate conversations
blockExternalUserInitiation: true
# 8.2.4: Ensure the organization cannot communicate with accounts in trial Teams tenants
blockTrialTenantCommunication: true
# 8.4.1 (Manual): Ensure app permission policies are configured
# TODO: Implement manually per PDF instructions
# 8.5.1: Ensure anonymous users can't join a meeting
allowAnonymousUsersToJoinMeeting: false
# 8.5.2: Ensure anonymous users and dial-in callers can't start a meeting
allowAnonymousUsersToStartMeeting: false
# 8.5.3: Ensure only people in my org can bypass the lobby
orgOnlyBypassLobby: true
# 8.5.4: Ensure users dialing in can't bypass the lobby
dialInCantBypassLobby: true
# 8.5.5: Ensure meeting chat does not allow anonymous users
noAnonymousMeetingChat: true
# 8.5.6: Ensure only organizers and co-organizers can present
onlyOrganizersCanPresent: true
# 8.5.7: Ensure external participants can't give or request control
noExternalControl: true
# 8.5.8: Ensure external meeting chat is off
externalMeetingChatOff: true
# 8.5.9: Ensure meeting recording is off by default
meetingRecordingOffByDefault: true
# 8.6.1: Ensure users can report security concerns in Teams
enableSecurityConcernsReporting: true
# ===============================================================
# Section 9: powerBI
# ===============================================================
powerBI:
# 9.1.1: Ensure guest user access is restricted
restrictGuestAccess: true
# 9.1.2: Ensure external user invitations are restricted
restrictExternalInvitations: true
# 9.1.3: Ensure guest access to content is restricted
restrictGuestContentAccess: true
# 9.1.4: Ensure 'Publish to web' is restricted
restrictPublishToWeb: true
# 9.1.5: Ensure 'Interact with and share R and Python' visuals is 'Disabled'
disableRPythonVisuals: true
# 9.1.6: Ensure 'Allow users to apply sensitivity labels for content' is 'Enabled'
enableSensitivityLabels: true
# 9.1.7: Ensure shareable links are restricted
restrictShareableLinks: true
# 9.1.8: Ensure enabling of external data sharing is restricted
restrictExternalDataSharing: true
# 9.1.9: Ensure 'Block ResourceKey Authentication' is 'Enabled'
blockResourceKeyAuth: true
# 9.1.10: Ensure access to APIs by service principals is restricted
restrictServicePrincipalAPIAccess: true
# 9.1.11: Ensure service principals cannot create and use profiles
blockServicePrincipalProfiles: true
# 9.1.12: Ensure service principals ability to create workspaces, connections and deployment pipelines is restricted
restrictServicePrincipalWorkspaceCreation: true
# ===============================================================
# Section 3: purview
# ===============================================================
purview:
# 3.1.1: Ensure Microsoft 365 audit log search is Enabled
enableAuditLogSearch: true
# 3.2.1 (Automated): Ensure DLP policies are enabled
# TODO: Map this control to YAML — see PDF for details
# 3.2.2 (Automated): Ensure DLP policies are enabled for Microsoft Teams
# TODO: Map this control to YAML — see PDF for details
# 3.2.3 (Automated): Ensure DLP policies are published for Copilot users
# TODO: Map this control to YAML — see PDF for details
# 3.3.1 (Automated): Ensure Information Protection sensitivity label policies are published
# TODO: Map this control to YAML — see PDF for details
# ===============================================================
# Section 2: Defender for Office 365
# ===============================================================
defender:
# 2.1.1: Ensure Safe Links for Office Applications is Enabled
safeLinks:
name: "SafeLinks-Default"
enabled: true
trackClicks: true
allowClickThrough: false
scanUrls: true
enableForInternalSenders: true
# 2.1.2: Ensure the Common Attachment Types Filter is enabled
antiMalware:
name: "AntiMalware-Default"
enabled: true
enableInternalNotifications: true
fileTypes: ["ace", "ani", "app", "docm", "exe", "jar", "jnlp", "msi", "ps1", "scr", "vbs", "wsf"]
# 2.1.3: Ensure notifications for internal users sending malware is Enabled
antiMalware:
name: "AntiMalware-InternalNotify"
enabled: true
enableInternalNotifications: true
# 2.1.4: Ensure Safe Attachments policy is enabled
safeAttachments:
name: "SafeAttachments-Default"
enabled: true
action: "Block"
quarantineMessages: true
# 2.1.5: Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
safeAttachments:
name: "SafeAttachments-SPO-Teams"
enabled: true
action: "Block"
enableForSharePoint: true
enableForTeams: true
# 2.1.6: Ensure Exchange Online Spam Policies are set to notify administrators
antiSpam:
name: "AntiSpam-Notify-Admins"
enabled: true
notifyAdmins: true
# 2.1.7: Ensure that an anti-phishing policy has been created
antiPhish:
name: "AntiPhish-Default"
enabled: true
enableMailboxIntelligence: true
enableSpoofIntelligence: true
mailboxIntelligenceProtectionAction: "Quarantine"
# 2.1.8 (Automated): Ensure that SPF records are published for all Exchange Domains
# NOTE: DNS-level control — configure via DNS provider, not M365 tenant
# 2.1.9 (Automated): Ensure that DKIM is enabled for all Exchange Online Domains
# NOTE: DNS-level control — configure via DNS provider, not M365 tenant
# 2.1.10 (Automated): Ensure DMARC records for all Exchange Online domains are published
# NOTE: DNS-level control — configure via DNS provider, not M365 tenant
# 2.1.11: Ensure comprehensive attachment filtering is applied
antiMalware:
name: "AntiMalware-Comprehensive"
enabled: true
enableFileFilter: true
# 2.1.12: Ensure the connection filter IP allow list is not used
connectionFilterIPAllowListEmpty: true
# 2.1.13: Ensure the connection filter safe list is off
connectionFilterSafeListOff: true
# 2.1.14: Ensure inbound anti-spam policies do not contain allowed domains
inboundAntiSpamNoAllowedDomains: true
# 2.1.15: Ensure outbound anti-spam message limits are in place
outboundAntiSpamLimits: true
# 2.2.1 (Manual): Ensure emergency access account activity is monitored
# 2.4.1: Ensure Priority account protection is enabled and configured
priorityAccount:
enabled: true
# 2.4.2: Ensure Priority accounts have 'Strict protection' presets applied
priorityAccount:
strictProtection: true
# 2.4.3 (Manual): Ensure Microsoft Defender for Cloud Apps is enabled and configured
# 2.4.4: Ensure Zero-hour auto purge for Microsoft Teams is on
zap:
enabledForTeams: true
# 2.4.5 (Manual): Ensure 'AIR' remediation is enabled
# ===============================================================
# Section 5.2.2: Conditional Access
# ===============================================================
conditionalAccess:
reportOnly: true
breakGlassGroup: "CIS-BreakGlass"
policies:
- name: "Ensure-multifactor-authentication-is-enabled-for-all-us"
cisControl: "5.2.2.1"
description: "Ensure multifactor authentication is enabled for all users in administrative roles"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeRoles:
- "Global Administrator"
- "Privileged Role Administrator"
- "Security Administrator"
- "Exchange Administrator"
- "SharePoint Administrator"
- "Conditional Access Administrator"
- "Application Administrator"
- "Cloud Application Administrator"
- "User Administrator"
- "Helpdesk Administrator"
- "Billing Administrator"
- "Authentication Administrator"
- "Password Administrator"
- "Global Reader"
grantControls:
builtInControls: ["mfa"]
operator: "OR"
- name: "Ensure-multifactor-authentication-is-enabled-for-all-us"
cisControl: "5.2.2.2"
description: "Ensure multifactor authentication is enabled for all users"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
grantControls:
builtInControls: ["mfa"]
operator: "OR"
- name: "Enable-Conditional-Access-policies-to-block-legacy-auth"
cisControl: "5.2.2.3"
description: "Enable Conditional Access policies to block legacy authentication"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
clientAppTypes: ["exchangeActiveSync", "other"]
grantControls:
builtInControls: ["block"]
operator: "OR"
- name: "Ensure-Signin-frequency-is-enabled-and-browser-sessions"
cisControl: "5.2.2.4"
description: "Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeRoles:
- "Global Administrator"
- "Privileged Role Administrator"
- "Security Administrator"
- "Exchange Administrator"
- "SharePoint Administrator"
- "Conditional Access Administrator"
- "Application Administrator"
- "Cloud Application Administrator"
- "User Administrator"
- "Helpdesk Administrator"
- "Billing Administrator"
- "Authentication Administrator"
- "Password Administrator"
- "Global Reader"
grantControls:
builtInControls: ["mfa"]
operator: "OR"
sessionControls:
signInFrequency:
value: 12
type: hours
isEnabled: true
persistentBrowser:
mode: never
isEnabled: true
- name: "Ensure-Phishingresistant-MFA-strength-is-required-for-A"
cisControl: "5.2.2.5"
description: "Ensure 'Phishing-resistant MFA strength' is required for Administrators"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeRoles:
- "Global Administrator"
- "Privileged Role Administrator"
- "Security Administrator"
- "Exchange Administrator"
- "SharePoint Administrator"
- "Conditional Access Administrator"
- "Application Administrator"
- "Cloud Application Administrator"
- "User Administrator"
- "Helpdesk Administrator"
- "Billing Administrator"
- "Authentication Administrator"
- "Password Administrator"
- "Global Reader"
grantControls:
builtInControls: ["authenticationStrength"]
authenticationStrength:
id: "00000000-0000-0000-0000-000000000004"
operator: "OR"
- name: "Enable-Identity-Protection-user-risk-policies"
cisControl: "5.2.2.6"
description: "Enable Identity Protection user risk policies"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
signInRiskLevels: ["medium", "high"]
grantControls:
builtInControls: ["mfa"]
operator: "OR"
- name: "Enable-Identity-Protection-signin-risk-policies"
cisControl: "5.2.2.7"
description: "Enable Identity Protection sign-in risk policies"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
signInRiskLevels: ["medium", "high"]
grantControls:
builtInControls: ["mfa"]
operator: "OR"
- name: "Ensure-signin-risk-is-blocked-for-medium-and-high-risk"
cisControl: "5.2.2.8"
description: "Ensure 'sign-in risk' is blocked for medium and high risk"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
signInRiskLevels: ["medium", "high"]
grantControls:
builtInControls: ["block"]
operator: "OR"
- name: "Ensure-a-managed-device-is-required-for-authentication"
cisControl: "5.2.2.9"
description: "Ensure a managed device is required for authentication"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
grantControls:
builtInControls: ["compliantDevice", "domainJoinedDevice"]
operator: "OR"
- name: "Ensure-a-managed-device-is-required-to-register-securit"
cisControl: "5.2.2.10"
description: "Ensure a managed device is required to register security information"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeUserActions: ["urn:user:registersecurityinfo"]
users:
includeUsers: ["All"]
grantControls:
builtInControls: ["compliantDevice", "domainJoinedDevice"]
operator: "OR"
- name: "Ensure-signin-frequency-for-Intune-Enrollment-is-set-to"
cisControl: "5.2.2.11"
description: "Ensure sign-in frequency for Intune Enrollment is set to 'Every time'"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["0000000a-0000-0000-c000-000000000000"]
users:
includeUsers: ["All"]
grantControls:
builtInControls: ["mfa"]
operator: "OR"
sessionControls:
signInFrequency:
value: 12
type: hours
isEnabled: true
persistentBrowser:
mode: never
isEnabled: true
- name: "Ensure-the-device-code-signin-flow-is-blocked"
cisControl: "5.2.2.12"
description: "Ensure the device code sign-in flow is blocked"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
authenticationFlows:
deviceCodeFlow:
isEnabled: true
grantControls:
builtInControls: ["block"]
operator: "OR"
- name: "Ensure-that-periodic-reauthentication-is-required-for-a"
cisControl: "5.2.2.13"
description: "Ensure that periodic reauthentication is required for all users"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
grantControls:
builtInControls: ["mfa"]
operator: "OR"
- name: "Ensure-trusted-named-locations-are-defined"
cisControl: "5.2.2.14"
description: "Ensure trusted 'named locations' are defined"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
# TODO: Define named locations in Entra admin center
grantControls:
builtInControls: ["mfa"]
operator: "OR"
- name: "Ensure-exclusionary-geographic-access-controls-are-util"
cisControl: "5.2.2.15"
description: "Ensure exclusionary geographic access controls are utilized"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
# TODO: Define named locations in Entra admin center
grantControls:
builtInControls: ["mfa"]
operator: "OR"
- name: "Ensure-Token-Protection-is-enforced-for-session-tokens"
cisControl: "5.2.2.16"
description: "Ensure Token Protection is enforced for session tokens"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
grantControls:
builtInControls: ["mfa"]
operator: "OR"
# TODO: Enable Token Protection via Authentication Strength policy
- name: "Ensure-authentication-transfer-is-blocked"
cisControl: "5.2.2.17"
description: "Ensure authentication transfer is blocked"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
grantControls:
builtInControls: ["block"]
operator: "OR"
Baselines/CISM365-v7.example.yaml
+466
View File
@@ -0,0 +1,466 @@
# =====================================================================
# CIS Microsoft 365 Foundations Benchmark v7.0.0 (Draft)
# Tenant-Level Baseline Manifest
# =====================================================================
# This YAML extends the OpenIntuneBaseline format to cover M365 tenant
# configuration: Entra ID, Conditional Access, Defender, Exchange,
# SharePoint, and Teams.
#
# HOW TO USE WITH A DRAFT PDF:
# 1. Copy this file to your own baseline (e.g., mytenant-cisv7.yaml)
# 2. As you read the CIS v7.0.0 PDF, transcribe controls into the
# appropriate sections below. Each control has a 'cisControl' field
# for traceability.
# 3. Customize names, exclusions, and groups for your tenant.
# 4. Run: ./Scripts/Deploy-CISM365Baseline.ps1 -BaselinePath ./Baselines/mytenant-cisv7.yaml
#
# SAFETY:
# - Conditional Access policies default to 'reportOnly: true' (globally)
# and 'state: enabledForReportingButNotEnforced' (per-policy).
# - The script also supports -WhatIf.
# - Break-glass accounts/groups are automatically excluded from CA.
# =====================================================================
baseline:
name: CIS-M365-v7-Example
conflictResolution: Skip # Skip | Update | Error
whatIf: false
# -------------------------------------------------------------------
# Global name mutation applied to every policy / CA rule (optional)
# -------------------------------------------------------------------
tenantMutation:
search: "CIS-v7-"
replace: "ACME-CIS-"
# Alternatively use prefix instead of search/replace:
# prefix: "ACME-CIS-"
# -------------------------------------------------------------------
# Cloud-only security groups (mirrors Intune baseline format)
# These are created if they do not exist and can be referenced
# in CA policy assignments by displayName.
# -------------------------------------------------------------------
groups:
- displayName: "CIS-BreakGlass"
mailNickname: "CISBreakGlass"
securityEnabled: true
- displayName: "CIS-Pilot-Users"
mailNickname: "CISPilotUsers"
securityEnabled: true
- displayName: "CIS-All-Company"
mailNickname: "CISAllCompany"
securityEnabled: true
# -------------------------------------------------------------------
# Intune policies (optional — reuses the exact same schema as
# OpenIntuneBaseline.example.yaml). Keep them here if you want a
# single manifest for the whole tenant.
# -------------------------------------------------------------------
policies:
# Example: reuse your existing Intune exports
# - sourcePath: ./policies/CIS-Windows-Compliance.json
# type: CompliancePolicies
# assignments:
# - targetType: Group
# groupName: "CIS-All-Company"
# -------------------------------------------------------------------
# TENANT-LEVEL CONFIGURATION (new section)
# -------------------------------------------------------------------
tenantConfig:
# ===============================================================
# 1. M365 Admin Center (CIS Section 1)
# ===============================================================
adminCenter:
# 1.3.1 (L1) Password expiration
passwordExpiration: NeverExpire # NeverExpire | 90Days | 180Days
# 1.3.2 (L2) Idle session timeout (hours)
idleSessionTimeoutHours: 3
# 1.3.4 (L1) Restrict user owned apps and services
restrictUserOwnedApps: true
# 1.3.5 (L1) Internal phishing protection for Forms
formsPhishingProtection: true
# 1.3.6 (L2) Customer Lockbox
customerLockbox: true
# 1.3.7 (L2) Restrict third-party storage services
restrictThirdPartyStorage: true
# ===============================================================
# 5. Entra ID (CIS Section 5)
# ===============================================================
entraId:
# 5.1.1.1 (L1) Cloud-only administrative accounts
# NOTE: Manual — script can only validate, not create accounts.
# 5.1.1.3 (L1) Global admin count (2-4)
# NOTE: Manual — script assesses only.
# 5.1.2.2 (L2) Disallow third-party integrated applications
blockUserConsent: true
# 5.1.2.3 (L1) Restrict non-admin tenant creation
blockTenantCreation: true
# 5.1.2.4 (L1) Restrict access to Entra admin center
restrictAdminCenterAccess: true
# 5.1.2.6 (L2) Disable LinkedIn account connections
disableLinkedIn: true
# 5.1.3.1 (L1) Dynamic group for guest users
# NOTE: Manual — requires tenant-specific query.
# 5.1.4.2 (L1) Maximum devices per user
maxDevicesPerUser: 5
# 5.1.4.3 (L1) GA not added as local admin during Entra join
gaLocalAdminDisabled: true
# 5.2.3.2 (L1) Custom banned password list
bannedPasswords:
- "Contoso"
- "Password"
- "Welcome"
- "Admin"
- "Login"
# 5.2.3.4 (L1) Ensure all member users are MFA capable
# NOTE: Enforced via Conditional Access below.
# ===============================================================
# 5.2.2 Conditional Access (CIS Section 5.2.2)
# ===============================================================
# CRITICAL: All CA policies are created in REPORT-ONLY mode by
# default. Flip 'reportOnly: false' after you have validated
# traffic in the Entra admin center.
# ===============================================================
conditionalAccess:
reportOnly: true # Global switch for all CA policies
breakGlassGroup: "CIS-BreakGlass" # Auto-excluded from every CA policy
policies:
# -----------------------------------------------------------
# CIS 5.2.2.3 (L1) Block legacy authentication
# -----------------------------------------------------------
- name: "Block-Legacy-Auth"
cisControl: "5.2.2.3"
description: "Block all legacy authentication protocols (EAS, basic auth)"
state: enabledForReportingButNotEnforced # enabled | enabledForReportingButNotEnforced | disabled
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
# breakGlassGroup is injected automatically by the script
clientAppTypes: ["exchangeActiveSync", "other"]
grantControls:
builtInControls: ["block"]
operator: "OR"
# -----------------------------------------------------------
# CIS 5.2.2.1 (L1) Require MFA for administrative roles
# -----------------------------------------------------------
- name: "Require-MFA-Admins"
cisControl: "5.2.2.1"
description: "Require MFA for all users assigned to administrative roles"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeRoles:
- "Global Administrator"
- "Privileged Role Administrator"
- "Security Administrator"
- "Exchange Administrator"
- "SharePoint Administrator"
- "Conditional Access Administrator"
- "Application Administrator"
- "Cloud Application Administrator"
- "User Administrator"
- "Helpdesk Administrator"
- "Billing Administrator"
- "Authentication Administrator"
- "Password Administrator"
- "Global Reader"
excludeUsers: [] # Add break-glass UPNs here if not using breakGlassGroup
grantControls:
builtInControls: ["mfa"]
operator: "OR"
# -----------------------------------------------------------
# CIS 5.2.2.2 (L1) Require MFA for all users
# -----------------------------------------------------------
- name: "Require-MFA-All-Users"
cisControl: "5.2.2.2"
description: "Require MFA for all user sign-ins"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
excludeGroups: [] # e.g., ["CIS-Pilot-Users"] for staged rollout
locations:
includeLocations: ["AllTrusted"] # Requires named locations; use "All" if none defined
grantControls:
builtInControls: ["mfa"]
operator: "OR"
# -----------------------------------------------------------
# CIS 5.2.2.4 (L1) Sign-in frequency for admins
# -----------------------------------------------------------
- name: "Admin-SignIn-Frequency"
cisControl: "5.2.2.4"
description: "Require re-authentication every 12h for admins; no persistent browser"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeRoles:
- "Global Administrator"
- "Privileged Role Administrator"
- "Security Administrator"
sessionControls:
signInFrequency:
value: 12
type: hours
isEnabled: true
persistentBrowser:
mode: never
isEnabled: true
grantControls:
builtInControls: ["mfa"]
operator: "OR"
# -----------------------------------------------------------
# CIS 5.2.2.5 (L2) Phishing-resistant MFA for admins
# -----------------------------------------------------------
- name: "Require-PhishingResistant-MFA-Admins"
cisControl: "5.2.2.5"
description: "Require phishing-resistant MFA (FIDO2, certificate) for admins"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeRoles:
- "Global Administrator"
- "Privileged Role Administrator"
- "Security Administrator"
grantControls:
builtInControls: ["authenticationStrength"]
authenticationStrength:
id: "00000000-0000-0000-0000-000000000004" # Phishing-resistant MFA
operator: "OR"
# -----------------------------------------------------------
# CIS 5.2.2.12 (L1) Block device code flow
# -----------------------------------------------------------
- name: "Block-Device-Code-Flow"
cisControl: "5.2.2.12"
description: "Block sign-ins using the device code authentication flow"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
authenticationFlows:
deviceCodeFlow:
isEnabled: true
ruleType: "include"
grantControls:
builtInControls: ["block"]
operator: "OR"
# -----------------------------------------------------------
# CIS 5.2.2.8 (L2) Block medium/high risk sign-ins
# -----------------------------------------------------------
- name: "Block-HighRisk-SignIns"
cisControl: "5.2.2.8"
description: "Block sign-ins with medium or high risk score (requires Entra ID P2)"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
signInRiskLevels: ["medium", "high"]
grantControls:
builtInControls: ["block"]
operator: "OR"
# -----------------------------------------------------------
# CIS 5.2.2.9 (L1) Require managed device
# -----------------------------------------------------------
- name: "Require-Managed-Device"
cisControl: "5.2.2.9"
description: "Require device to be compliant or hybrid Entra joined"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
grantControls:
builtInControls: ["compliantDevice", "domainJoinedDevice"]
operator: "OR"
# -----------------------------------------------------------
# CIS 5.2.2.10 (L1) Require managed device to register security info
# -----------------------------------------------------------
- name: "Require-Managed-Device-Security-Info"
cisControl: "5.2.2.10"
description: "Require managed device when registering security information"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeUserActions: ["urn:user:registersecurityinfo"]
users:
includeUsers: ["All"]
grantControls:
builtInControls: ["compliantDevice", "domainJoinedDevice"]
operator: "OR"
# ===============================================================
# 2. Microsoft Defender for Office 365 (CIS Section 2)
# ===============================================================
defender:
# 2.1.1 (L2) Safe Links for Office Applications
safeLinks:
- name: "SafeLinks-Default"
cisControl: "2.1.1"
enabled: true
trackClicks: true
allowClickThrough: false
scanUrls: true
enableForInternalSenders: true
# The script auto-creates a rule applying this to all accepted domains
# 2.1.4 (L2) Safe Attachments
safeAttachments:
- name: "SafeAttachments-Default"
cisControl: "2.1.4"
enabled: true
action: Block # Block | DynamicDelivery | Monitor
quarantineMessages: true
# 2.1.2 (L1) Common Attachment Types Filter
antiMalware:
- name: "AntiMalware-Default"
cisControl: "2.1.2"
enabled: true
enableInternalNotifications: true
fileTypes:
- ace
- ani
- app
- docm
- exe
- jar
- jnlp
- msi
- ps1
- scr
- vbs
- wsf
# 2.1.3 (L1) Internal malware notifications
# 2.4.4 (L1) Zero-hour auto purge for Teams
# ===============================================================
# 6. Exchange Online (CIS Section 6)
# ===============================================================
exchange:
# 6.1.1 (L1) AuditDisabled organizationally set to False
enableMailboxAuditOrgWide: true
# 6.1.2 (L1) Mailbox audit actions configured
# NOTE: Enabled automatically when org-wide auditing is on (above).
# 6.2.1 (L1) Block all forms of external forwarding
blockExternalForwarding: true
# 6.2.2 (L1) Transport rules do not whitelist domains
# NOTE: Manual review required.
# 6.2.3 (L1) Identify email from external senders
enableExternalSenderBanner: true
# Transport rule: prepend external email warning
externalEmailWarningRule: true
# ===============================================================
# 7. SharePoint / OneDrive (CIS Section 7)
# ===============================================================
sharePoint:
# Default sharing link type
defaultSharingLinkType: Direct # Direct | Internal | AnonymousAccess
# External sharing for SharePoint
sharePointExternalSharing: Disabled
# Options: Disabled | ExistingExternalUserSharingOnly | ExternalUserSharingOnly | Anyone
# External sharing for OneDrive
oneDriveExternalSharing: Disabled
# Guest access expiration (days)
guestAccessExpirationDays: 30
# 7.x (L1) Prevent custom script execution
# NOTE: Set via Set-PnPTenant -DenyAddAndCustomizePages 1
denyCustomScripts: true
# ===============================================================
# 8. Microsoft Teams (CIS Section 8)
# ===============================================================
teams:
# 8.x Anonymous meeting join
allowAnonymousUsersToJoinMeeting: false
# 8.x Anonymous meeting start
allowAnonymousUsersToStartMeeting: false
# 8.x Teams email integration
enableEmailIntegration: false
# 8.x Federation / external access
allowFederatedUsers: false
allowTeamsConsumer: false
# 8.x Restrict unmanaged user access
# NOTE: Controlled via Teams meeting policy; script sets Global.
# ===============================================================
# 3. Microsoft Purview (CIS Section 3)
# ===============================================================
# NOTE: DLP, sensitivity labels, and retention policies are
# highly business-specific. Add them here as needed:
#
# purview:
# dlpPolicies:
# - name: "CIS-DLP-Default"
# ...
# ===============================================================
# 9. Power BI (CIS Section 9)
# ===============================================================
# NOTE: Power BI tenant settings are best managed via
# Microsoft365DSC or direct Admin API calls. Add here if needed.
# ===============================================================
# NEW in v7.0.0 (expected)
# ===============================================================
# As you read the draft PDF, transcribe new controls into the
# appropriate sections above. Use the 'cisControl' field to
# preserve traceability (e.g., cisControl: "5.2.3.7").
Baselines/CISM365-v7.example.yaml.md
+237
View File
@@ -0,0 +1,237 @@
# CIS M365 v7.0.0 YAML Baseline Format
This document describes the YAML schema for `CISM365-v7.example.yaml`, which extends the existing `OpenIntuneBaseline.example.yaml` format to cover **tenant-level** M365 configuration.
## Why This Format?
The existing Intune baseline YAML works great for device policies. For CIS M365 compliance, you need the same declarative approach but for:
- Entra ID settings (password policies, device quotas, consent)
- Conditional Access policies
- Defender for Office 365 policies
- Exchange Online transport rules
- SharePoint / OneDrive sharing
- Microsoft Teams policies
This YAML keeps the **same root structure** as the Intune baseline so you can optionally include Intune policies in the same manifest, or keep them separate.
## Root Structure
```yaml
baseline:
name: string
conflictResolution: Skip | Update | Error
whatIf: false
tenantMutation:
search: string # optional
replace: string # optional
prefix: string # optional (alternative to search/replace)
groups: [] # Cloud-only security groups (same as Intune baseline)
policies: [] # Intune policies (optional, same schema as Intune baseline)
tenantConfig: # NEW: M365 tenant-level configuration
adminCenter: {}
entraId: {}
conditionalAccess: {}
defender: {}
exchange: {}
sharePoint: {}
teams: {}
```
## tenantConfig Sections
### adminCenter
M365 Admin Center settings.
```yaml
adminCenter:
passwordExpiration: NeverExpire # NeverExpire | 90Days | 180Days
idleSessionTimeoutHours: 3
restrictUserOwnedApps: true
formsPhishingProtection: true
customerLockbox: true
restrictThirdPartyStorage: true
```
### entraId
Entra ID directory settings.
```yaml
entraId:
blockUserConsent: true
blockTenantCreation: true
restrictAdminCenterAccess: true
disableLinkedIn: true
maxDevicesPerUser: 5
gaLocalAdminDisabled: true
bannedPasswords:
- "Contoso"
- "Password"
```
### conditionalAccess
The most powerful section. Supports **automatic CA policy creation** with:
- **Global `reportOnly` switch** — all policies default to report-only
- **Automatic break-glass exclusion** — specify one group, it's excluded from every policy
- **Custom naming** via `tenantMutation`
- **Role name resolution** — use friendly names like "Global Administrator", script maps to template IDs
```yaml
conditionalAccess:
reportOnly: true # Global switch
breakGlassGroup: "CIS-BreakGlass" # Auto-excluded from all policies
policies:
- name: "Block-Legacy-Auth"
cisControl: "5.2.2.3"
description: "Block legacy authentication"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
excludeGroups: ["CIS-Pilot-Users"]
clientAppTypes: ["exchangeActiveSync", "other"]
grantControls:
builtInControls: ["block"]
operator: "OR"
```
**CA Policy Conditions Supported:**
| Condition | YAML Key | Example |
|-----------|----------|---------|
| Apps | `applications.includeApplications` | `["All"]` or `["Office365"]` |
| User actions | `applications.includeUserActions` | `["urn:user:registersecurityinfo"]` |
| Users | `users.includeUsers` | `["All"]` or specific UPNs |
| Groups | `users.includeGroups` / `excludeGroups` | `["CIS-Pilot-Users"]` — resolved by displayName |
| Roles | `users.includeRoles` / `excludeRoles` | `["Global Administrator"]` — friendly names mapped to template IDs |
| Client apps | `clientAppTypes` | `["exchangeActiveSync", "other"]` |
| Sign-in risk | `signInRiskLevels` | `["medium", "high"]` |
| Locations | `locations.includeLocations` | `["AllTrusted"]` or `["All"]` |
| Auth flows | `authenticationFlows.deviceCodeFlow` | `{ isEnabled: true }` |
**Grant Controls Supported:**
| Control | YAML Key |
|---------|----------|
| Block | `grantControls.builtInControls: ["block"]` |
| Require MFA | `grantControls.builtInControls: ["mfa"]` |
| Compliant device | `grantControls.builtInControls: ["compliantDevice", "domainJoinedDevice"]` |
| Phishing-resistant MFA | `grantControls.builtInControls: ["authenticationStrength"]` + `grantControls.authenticationStrength.id` |
**Session Controls Supported:**
```yaml
sessionControls:
signInFrequency:
value: 12
type: hours
isEnabled: true
persistentBrowser:
mode: never # never | always
isEnabled: true
```
### defender
Defender for Office 365 policies.
```yaml
defender:
safeLinks:
- name: "SafeLinks-Default"
cisControl: "2.1.1"
enabled: true
trackClicks: true
allowClickThrough: false
scanUrls: true
enableForInternalSenders: true
safeAttachments:
- name: "SafeAttachments-Default"
cisControl: "2.1.4"
enabled: true
action: Block
quarantineMessages: true
antiMalware:
- name: "AntiMalware-Default"
cisControl: "2.1.2"
enabled: true
enableInternalNotifications: true
fileTypes: ["ace", "exe", "jar", "vbs"]
```
### exchange
Exchange Online settings.
```yaml
exchange:
enableMailboxAuditOrgWide: true
blockExternalForwarding: true
enableExternalSenderBanner: true
externalEmailWarningRule: true
```
### sharePoint
SharePoint / OneDrive sharing settings.
```yaml
sharePoint:
adminUrl: "https://contoso-admin.sharepoint.com"
defaultSharingLinkType: Direct
sharePointExternalSharing: Disabled
oneDriveExternalSharing: Disabled
guestAccessExpirationDays: 30
denyCustomScripts: true
```
### teams
Microsoft Teams policies.
```yaml
teams:
allowAnonymousUsersToJoinMeeting: false
allowAnonymousUsersToStartMeeting: false
enableEmailIntegration: false
allowFederatedUsers: false
allowTeamsConsumer: false
```
## Using the Draft PDF
Since CIS does not publish XLS for draft benchmarks:
1. Open the PDF and work through each section
2. For **automated** controls, add them to the appropriate `tenantConfig` section with the `cisControl` field
3. For **manual** controls, skip them or add a comment
4. The `cisControl` field preserves traceability (e.g., `cisControl: "5.2.2.3"`)
## Deployment
```powershell
# Assess (read-only)
./Scripts/Deploy-CISM365Baseline.ps1 -BaselinePath ./Baselines/mytenant-cisv7.yaml
# Deploy (applies changes)
./Scripts/Deploy-CISM365Baseline.ps1 -BaselinePath ./Baselines/mytenant-cisv7.yaml -Mode Deploy -Apply -Verbose
# Deploy only specific workloads
./Scripts/Deploy-CISM365Baseline.ps1 -BaselinePath ./Baselines/mytenant-cisv7.yaml -Mode Deploy -Apply -Workloads ConditionalAccess,EntraID
```
## Safety Defaults
| Feature | Default | Why |
|---------|---------|-----|
| `Mode` | `Assess` | Must explicitly opt in to changes |
| `conditionalAccess.reportOnly` | `true` | All CA policies created in report-only mode |
| `breakGlassGroup` | Auto-excluded | Prevents lockout |
| `Apply` switch | Required for Deploy | Double-confirmation pattern |
| `-WhatIf` | Supported | Native PowerShell WhatIf |
Baselines/M365-CIS-Rapid/CISM365-RapidBaseline.psd1
+234
View File
@@ -0,0 +1,234 @@
@{
# =====================================================================
# CIS M365 Rapid Baseline Configuration
# =====================================================================
# This file defines the desired state for a new/greenfield tenant.
# Edit values before running Deploy-CISM365RapidBaseline.ps1.
#
# IMPORTANT: This baseline is designed for NEW or NEWLY-ACQUIRED tenants.
# On an established tenant, some changes may impact users.
# =====================================================================
Tenant = @{
# Your tenant's initial .onmicrosoft.com domain
TenantDomain = 'contoso.onmicrosoft.com'
# SharePoint admin center URL
SharePointAdminUrl = 'https://contoso-admin.sharepoint.com'
# License profile: E3 | E5 | E3+P2
# Determines whether P2-only features (Identity Protection, PIM) are configured
LicenseProfile = 'E3'
}
# =====================================================================
# Section 5: Entra ID (Identity)
# =====================================================================
EntraID = @{
# 1.3.1 - Password expiration policy
PasswordExpiration = 'NeverExpire' # NeverExpire | 90Days | 180Days
# 5.2.3.2 - Custom banned password list
BannedPasswords = @('Contoso', 'Contoso1', 'Password', 'Welcome')
# 5.1.2.3 - Restrict non-admin users from creating tenants
BlockTenantCreation = $true
# 5.1.2.6 - Disable LinkedIn account connections
DisableLinkedIn = $true
# 5.1.2.2 - Disallow third-party integrated applications (user consent)
# Note: Set to $true for strict CIS compliance. May break some SaaS integrations.
BlockUserConsent = $true
# 5.1.4.2 - Maximum devices per user
MaxDevicesPerUser = 5
# 5.1.4.3 - Do not add GA role as local admin during Entra join
GALocalAdminDisabled = $true
# 5.2.3.1 - Microsoft Authenticator: protect against MFA fatigue
MFAFatigueProtection = $true
# Emergency access accounts (break-glass) - used for CA policy exclusions
BreakGlassAccounts = @(
'breakglass1@contoso.onmicrosoft.com'
'breakglass2@contoso.onmicrosoft.com'
)
}
# =====================================================================
# Section 5.2.2: Conditional Access Policies
# =====================================================================
ConditionalAccess = @(
@{
Name = 'CIS-Block-Legacy-Auth'
Description = 'CIS 5.2.2.3 - Block legacy authentication protocols'
Enabled = $true
State = 'enabled'
Conditions = @{
Applications = @{ IncludeApplications = @('All') }
Users = @{ IncludeUsers = @('All'); ExcludeUsers = @() }
ClientAppTypes = @('exchangeActiveSync', 'other')
}
GrantControls = @{
BuiltInControls = @('block')
Operator = 'OR'
}
}
@{
Name = 'CIS-Require-MFA-Admins'
Description = 'CIS 5.2.2.1 - Require MFA for all users in administrative roles'
Enabled = $true
State = 'enabled'
Conditions = @{
Applications = @{ IncludeApplications = @('All') }
Users = @{ IncludeUsers = @('All'); ExcludeRoles = @('62e90394-69f5-4237-9190-012177145e10') } # Exclude Global Admin if using PIM
}
GrantControls = @{
BuiltInControls = @('mfa')
Operator = 'OR'
}
}
@{
Name = 'CIS-Require-MFA-All-Users'
Description = 'CIS 5.2.2.2 - Require MFA for all users'
Enabled = $true
State = 'enabled'
Conditions = @{
Applications = @{ IncludeApplications = @('All') }
Users = @{ IncludeUsers = @('All'); ExcludeUsers = @() }
Locations = @{ IncludeLocations = @('AllTrusted') } # Requires named locations
}
GrantControls = @{
BuiltInControls = @('mfa')
Operator = 'OR'
}
}
@{
Name = 'CIS-Block-Device-Code-Flow'
Description = 'CIS 5.2.2.12 - Block device code sign-in flow'
Enabled = $true
State = 'enabled'
Conditions = @{
Applications = @{ IncludeApplications = @('All') }
Users = @{ IncludeUsers = @('All'); ExcludeUsers = @() }
AuthenticationFlows = @{ IncludeAuthenticationFlows = @('deviceCode') }
}
GrantControls = @{
BuiltInControls = @('block')
Operator = 'OR'
}
}
@{
Name = 'CIS-Block-High-Risk-SignIns'
Description = 'CIS 5.2.2.8 - Block sign-ins with medium/high risk (requires P2)'
Enabled = $true
State = 'enabledForReportingButNotEnforced' # Set to 'enabled' after validation
Conditions = @{
Applications = @{ IncludeApplications = @('All') }
Users = @{ IncludeUsers = @('All'); ExcludeUsers = @() }
SignInRiskLevels = @('high', 'medium')
}
GrantControls = @{
BuiltInControls = @('block')
Operator = 'OR'
}
}
)
# =====================================================================
# Section 2: Microsoft Defender for Office 365
# =====================================================================
Defender = @{
# 2.1.1 - Safe Links for Office Applications
SafeLinks = @{
Name = 'CIS-SafeLinks-Default'
Enabled = $true
TrackClicks = $true
AllowClickThrough = $false
ScanUrls = $true
EnableForInternalSenders = $true
}
# 2.1.4 - Safe Attachments
SafeAttachments = @{
Name = 'CIS-SafeAttachments-Default'
Enabled = $true
Action = 'Block' # Block | DynamicDelivery | Monitor
QuarantineMessages = $true
}
# 2.1.2 - Common Attachment Types Filter (built into anti-malware)
AntiMalware = @{
Name = 'CIS-AntiMalware-Default'
Enabled = $true
EnableInternalSenderNotifications = $true
FileTypes = @('ace', 'ani', 'app', 'docm', 'exe', 'iso', 'jar', 'jnlp', 'msi', 'php', 'ps1', 'scr', 'vbs', 'wsf')
}
# Anti-Phish baseline
AntiPhish = @{
Name = 'CIS-AntiPhish-Default'
Enabled = $true
EnableMailboxIntelligence = $true
EnableSpoofIntelligence = $true
MailboxIntelligenceProtectionAction = 'Quarantine'
TargetedUserProtectionAction = 'Quarantine'
TargetedDomainProtectionAction = 'Quarantine'
}
}
# =====================================================================
# Section 6: Exchange Online
# =====================================================================
Exchange = @{
# 6.2.1 - Block all forms of external mail forwarding
BlockExternalForwarding = $true
# 6.1.2 - Enable mailbox auditing organization-wide
EnableMailboxAudit = $true
# 6.2.3 - Identify email from external senders (external sender banner)
EnableExternalSenderBanner = $true
# Transport rule: prepend external email warning
ExternalEmailWarning = $true
}
# =====================================================================
# Section 7: SharePoint / OneDrive
# =====================================================================
SharePoint = @{
# 7.x - Default sharing link type
# Options: Direct, Internal, AnonymousAccess
DefaultSharingLinkType = 'Direct' # Most restrictive = Direct (specific people only)
# 7.x - External sharing for SharePoint
SharePointExternalSharing = 'Disabled' # Disabled | ExistingExternalUserSharingOnly | ExternalUserSharingOnly | Anyone
# 7.x - External sharing for OneDrive
OneDriveExternalSharing = 'Disabled' # Disabled | ExistingExternalUserSharingOnly | ExternalUserSharingOnly | Anyone
# Guest access expiration (days)
GuestAccessExpirationDays = 30
}
# =====================================================================
# Section 8: Microsoft Teams
# =====================================================================
Teams = @{
# 8.x - Allow anonymous users to join meetings
AllowAnonymousMeetingJoin = $false
# 8.x - Allow anonymous users to start meetings
AllowAnonymousMeetingStart = $false
# 8.x - Teams email integration
EnableEmailIntegration = $false
# Federation / external access
AllowFederatedUsers = $false
AllowTeamsConsumer = $false
}
}
Baselines/M365-CIS-Rapid/Deploy-CISM365RapidBaseline.ps1
+699
View File
@@ -0,0 +1,699 @@
<#PSScriptInfo
.VERSION 1.0.0
.GUID 9f3c2a8b-7e1d-4f5a-9b2c-8d3e4f5a6b7c
.AUTHOR IntuneManagement Toolkit
.COMPANYNAME
.COPYRIGHT
.TAGS CIS,M365,Security,Baseline,EntraID,Defender,Exchange,SharePoint,Teams
.LICENSEURI
.PROJECTURI
.ICONURI
.EXTERNALMODULEDEPENDENCIES Microsoft.Graph,ExchangeOnlineManagement,PnP.PowerShell,MicrosoftTeams
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
v1.0.0 - Initial rapid baseline for CIS M365 Foundations alignment on greenfield/newly-acquired tenants.
#>
<#
.SYNOPSIS
Rapidly deploys (or assesses) a high-impact CIS M365-aligned baseline to a new or newly-acquired tenant.
.DESCRIPTION
This script targets the ~40 highest-impact, easily-automated CIS M365 controls across:
- Entra ID (password policies, auth methods, Conditional Access)
- Microsoft Defender for Office 365 (Safe Links, Safe Attachments, Anti-Phish)
- Exchange Online (external forwarding block, mailbox auditing)
- SharePoint Online / OneDrive (external sharing restrictions)
- Microsoft Teams (anonymous meeting restrictions, federation)
It is designed for NEW or NEWLY-ACQUIRED tenants where disruption risk is low.
On established tenants, run in -Mode Assess first and review every change.
DEFAULT BEHAVIOUR IS READ-ONLY (-Mode Assess). You must specify -Mode Deploy -Apply to make changes.
.PARAMETER Mode
Assess = Read-only audit against the baseline (default)
Deploy = Apply the baseline configuration
.PARAMETER ConfigPath
Path to the .psd1 configuration file. Defaults to .\CISM365-RapidBaseline.psd1
.PARAMETER Apply
Required switch when Mode is 'Deploy'. Prevents accidental execution.
.PARAMETER TenantId
Optional tenant ID for Graph authentication.
.PARAMETER SharePointAdminUrl
Optional SharePoint admin URL (e.g., https://contoso-admin.sharepoint.com).
If omitted, uses the value from the config file.
.PARAMETER Workloads
Array of workloads to process. Default is all.
Options: EntraID, ConditionalAccess, Defender, Exchange, SharePoint, Teams
.EXAMPLE
# Assess your tenant without making any changes
.\Deploy-CISM365RapidBaseline.ps1
.EXAMPLE
# Deploy the baseline after review
.\Deploy-CISM365RapidBaseline.ps1 -Mode Deploy -Apply -Verbose
.EXAMPLE
# Assess only Entra ID and Conditional Access
.\Deploy-CISM365RapidBaseline.ps1 -Workloads @('EntraID','ConditionalAccess')
#>
[CmdletBinding(SupportsShouldProcess)]
param(
[Parameter()]
[ValidateSet('Assess','Deploy')]
[string]$Mode = 'Assess',
[Parameter()]
[string]$ConfigPath = "$PSScriptRoot\CISM365-RapidBaseline.psd1",
[Parameter()]
[switch]$Apply,
[Parameter()]
[string]$TenantId,
[Parameter()]
[string]$SharePointAdminUrl,
[Parameter()]
[ValidateSet('EntraID','ConditionalAccess','Defender','Exchange','SharePoint','Teams')]
[string[]]$Workloads = @('EntraID','ConditionalAccess','Defender','Exchange','SharePoint','Teams')
)
#region Initialization
$ErrorActionPreference = 'Stop'
$script:Results = [System.Collections.Generic.List[object]]::new()
$script:ChangesMade = 0
$script:ChangesSkipped = 0
$script:Errors = 0
function Write-SectionHeader {
param([string]$Title)
Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host " $Title" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan
}
function Add-Result {
param(
[string]$Workload,
[string]$Control,
[string]$Status, # Pass, Fail, Fixed, Skipped, Error
[string]$Message,
[string]$Remediation = ''
)
$script:Results.Add([PSCustomObject]@{
Workload = $Workload
Control = $Control
Status = $Status
Message = $Message
Remediation = $Remediation
})
switch ($Status) {
'Fixed' { $script:ChangesMade++ }
'Skipped' { $script:ChangesSkipped++ }
'Error' { $script:Errors++ }
}
}
# Load configuration
if (-not (Test-Path $ConfigPath)) {
throw "Configuration file not found: $ConfigPath"
}
$Config = Import-PowerShellDataFile -Path $ConfigPath
$TenantDomain = $Config.Tenant.TenantDomain
if (-not $SharePointAdminUrl) { $SharePointAdminUrl = $Config.Tenant.SharePointAdminUrl }
$LicenseProfile = $Config.Tenant.LicenseProfile
#endregion
#region Authentication
Write-SectionHeader "Authentication"
# Microsoft Graph
Write-Host "Connecting to Microsoft Graph..." -NoNewline
$GraphScopes = @(
'Directory.Read.All','Directory.ReadWrite.All','Policy.Read.All','Policy.ReadWrite.ConditionalAccess',
'Organization.Read.All','Organization.ReadWrite.All','RoleManagement.ReadWrite.Directory',
'IdentityRiskyUser.Read.All','IdentityRiskEvent.Read.All'
)
if ($TenantId) {
Connect-MgGraph -Scopes ($GraphScopes -join ',') -TenantId $TenantId -NoWelcome
} else {
Connect-MgGraph -Scopes ($GraphScopes -join ',') -NoWelcome
}
Write-Host " OK" -ForegroundColor Green
# Exchange Online (includes Defender)
if ($Workloads -contains 'Defender' -or $Workloads -contains 'Exchange') {
Write-Host "Connecting to Exchange Online..." -NoNewline
Connect-ExchangeOnline -ShowBanner:$false
Write-Host " OK" -ForegroundColor Green
}
# SharePoint
if ($Workloads -contains 'SharePoint') {
Write-Host "Connecting to SharePoint Online..." -NoNewline
Connect-PnPOnline -Url $SharePointAdminUrl -Interactive
Write-Host " OK" -ForegroundColor Green
}
# Teams
if ($Workloads -contains 'Teams') {
Write-Host "Connecting to Microsoft Teams..." -NoNewline
Connect-MicrosoftTeams
Write-Host " OK" -ForegroundColor Green
}
#endregion
#region Helper Functions
function Test-IsGlobalAdmin {
$context = Get-MgContext
$myRoles = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($context.Account)'" -ExpandProperty RoleDefinition
return ($myRoles.RoleDefinition.DisplayName -contains 'Global Administrator')
}
function Invoke-WithErrorHandling {
param(
[string]$Workload,
[string]$Control,
[scriptblock]$Action,
[string]$Remediation = ''
)
try {
& $Action
} catch {
Add-Result -Workload $Workload -Control $Control -Status 'Error' -Message $_.Exception.Message -Remediation $Remediation
Write-Warning "[$Workload/$Control] ERROR: $_"
}
}
#endregion
#region Entra ID
if ($Workloads -contains 'EntraID') {
Write-SectionHeader "Entra ID / Identity"
# 1.3.1 - Password expiration
Invoke-WithErrorHandling -Workload 'EntraID' -Control '1.3.1-PasswordExpiration' -Action {
$org = Get-MgOrganization
$currentPolicy = $org.PasswordPolicies
$desired = if ($Config.EntraID.PasswordExpiration -eq 'NeverExpire') { 'None' } else { 'PasswordExpiration' }
if ($Mode -eq 'Assess') {
$pass = ($desired -eq 'None' -and $currentPolicy -contains 'DisablePasswordExpiration')
Add-Result -Workload 'EntraID' -Control '1.3.1-PasswordExpiration' `
-Status $(if ($pass) { 'Pass' } else { 'Fail' }) `
-Message "Current policy: $currentPolicy | Desired: $($Config.EntraID.PasswordExpiration)" `
-Remediation "Set-MgOrganization -PasswordPolicies 'DisablePasswordExpiration'"
} else {
if ($PSCmdlet.ShouldProcess($TenantDomain, "Set password expiration to $($Config.EntraID.PasswordExpiration)")) {
Update-MgOrganization -OrganizationId $org.Id -PasswordPolicies 'DisablePasswordExpiration'
Add-Result -Workload 'EntraID' -Control '1.3.1-PasswordExpiration' -Status 'Fixed' -Message "Set to NeverExpire"
} else {
Add-Result -Workload 'EntraID' -Control '1.3.1-PasswordExpiration' -Status 'Skipped' -Message "WhatIf/Confirm declined"
}
}
}
# 5.2.3.2 - Banned passwords
Invoke-WithErrorHandling -Workload 'EntraID' -Control '5.2.3.2-BannedPasswords' -Action {
$policy = Get-MgPolicyAuthenticationMethodPolicy | Select-Object -ExpandProperty AuthenticationMethodConfigurations | Where-Object { $_.Id -eq 'MicrosoftAuthenticator' }
# Banned password list is actually in directory settings
$settings = Get-MgDirectorySetting | Where-Object { $_.DisplayName -eq 'Password Rule Settings' }
if (-not $settings) {
$template = Get-MgDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Password Rule Settings' }
$settings = New-MgDirectorySetting -TemplateId $template.Id
}
$currentList = ($settings.Values | Where-Object { $_.Name -eq 'BannedPasswordList' }).Value
$desiredList = $Config.EntraID.BannedPasswords -join ', '
if ($Mode -eq 'Assess') {
$hasAll = ($Config.EntraID.BannedPasswords | ForEach-Object { $currentList -contains $_ }) -notcontains $false
Add-Result -Workload 'EntraID' -Control '5.2.3.2-BannedPasswords' `
-Status $(if ($hasAll) { 'Pass' } else { 'Fail' }) `
-Message "Current: $currentList | Desired: $desiredList" `
-Remediation "Update-MgDirectorySetting -BannedPasswordList '$desiredList'"
} else {
if ($PSCmdlet.ShouldProcess($TenantDomain, "Update banned password list")) {
$params = @{ BannedPasswordList = $desiredList; EnableBannedPasswordCheck = $true }
Update-MgDirectorySetting -DirectorySettingId $settings.Id -Values $params
Add-Result -Workload 'EntraID' -Control '5.2.3.2-BannedPasswords' -Status 'Fixed' -Message "Updated banned password list"
} else {
Add-Result -Workload 'EntraID' -Control '5.2.3.2-BannedPasswords' -Status 'Skipped' -Message "WhatIf/Confirm declined"
}
}
}
# 5.1.2.3 - Block tenant creation by non-admins
Invoke-WithErrorHandling -Workload 'EntraID' -Control '5.1.2.3-BlockTenantCreation' -Action {
$setting = Get-MgPolicyAuthorizationPolicy
$current = $setting.DefaultUserRolePermissions.AllowedToCreateTenants
$desired = -not $Config.EntraID.BlockTenantCreation
if ($Mode -eq 'Assess') {
Add-Result -Workload 'EntraID' -Control '5.1.2.3-BlockTenantCreation' `
-Status $(if ($current -eq $desired) { 'Pass' } else { 'Fail' }) `
-Message "AllowedToCreateTenants = $current | Desired = $desired" `
-Remediation "Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{AllowedToCreateTenants=`$false}"
} else {
if ($PSCmdlet.ShouldProcess($TenantDomain, "Set AllowedToCreateTenants = $desired")) {
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ AllowedToCreateTenants = $desired }
Add-Result -Workload 'EntraID' -Control '5.1.2.3-BlockTenantCreation' -Status 'Fixed' -Message "Set to $desired"
} else {
Add-Result -Workload 'EntraID' -Control '5.1.2.3-BlockTenantCreation' -Status 'Skipped' -Message "WhatIf/Confirm declined"
}
}
}
# 5.1.2.6 - Disable LinkedIn
Invoke-WithErrorHandling -Workload 'EntraID' -Control '5.1.2.6-DisableLinkedIn' -Action {
$org = Get-MgOrganization
$current = $org.MarketingNotificationEmails -contains 'LinkedIn'
# LinkedIn setting is in directory settings
$setting = Get-MgDirectorySetting | Where-Object { $_.DisplayName -eq 'Consent Policy Settings' }
# Simplified check - actual LinkedIn config varies by tenant region
Add-Result -Workload 'EntraID' -Control '5.1.2.6-DisableLinkedIn' -Status 'Skipped' `
-Message "LinkedIn integration check requires UI validation or tenant-specific Graph path." `
-Remediation "Navigate to Entra admin center > Users > User settings > LinkedIn account connections"
}
# 5.1.4.2 - Max devices per user
Invoke-WithErrorHandling -Workload 'EntraID' -Control '5.1.4.2-MaxDevicesPerUser' -Action {
$setting = Get-MgPolicyDeviceRegistrationPolicy
$current = $setting.UserDeviceQuota
$desired = $Config.EntraID.MaxDevicesPerUser
if ($Mode -eq 'Assess') {
Add-Result -Workload 'EntraID' -Control '5.1.4.2-MaxDevicesPerUser' `
-Status $(if ($current -le $desired) { 'Pass' } else { 'Fail' }) `
-Message "Current quota: $current | Desired max: $desired" `
-Remediation "Update-MgPolicyDeviceRegistrationPolicy -UserDeviceQuota $desired"
} else {
if ($PSCmdlet.ShouldProcess($TenantDomain, "Set max devices per user to $desired")) {
Update-MgPolicyDeviceRegistrationPolicy -UserDeviceQuota $desired
Add-Result -Workload 'EntraID' -Control '5.1.4.2-MaxDevicesPerUser' -Status 'Fixed' -Message "Set to $desired"
} else {
Add-Result -Workload 'EntraID' -Control '5.1.4.2-MaxDevicesPerUser' -Status 'Skipped' -Message "WhatIf/Confirm declined"
}
}
}
# 5.1.2.2 - Block user consent
Invoke-WithErrorHandling -Workload 'EntraID' -Control '5.1.2.2-BlockUserConsent' -Action {
$policy = Get-MgPolicyAuthorizationPolicy
$current = $policy.DefaultUserRolePermissions.AllowedToCreateApps
$desired = -not $Config.EntraID.BlockUserConsent
if ($Mode -eq 'Assess') {
Add-Result -Workload 'EntraID' -Control '5.1.2.2-BlockUserConsent' `
-Status $(if ($current -eq $desired) { 'Pass' } else { 'Fail' }) `
-Message "AllowedToCreateApps = $current | Desired = $desired" `
-Remediation "Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{AllowedToCreateApps=`$false}"
} else {
if ($PSCmdlet.ShouldProcess($TenantDomain, "Set AllowedToCreateApps = $desired")) {
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ AllowedToCreateApps = $desired }
Add-Result -Workload 'EntraID' -Control '5.1.2.2-BlockUserConsent' -Status 'Fixed' -Message "Set to $desired"
} else {
Add-Result -Workload 'EntraID' -Control '5.1.2.2-BlockUserConsent' -Status 'Skipped' -Message "WhatIf/Confirm declined"
}
}
}
}
#endregion
#region Conditional Access
if ($Workloads -contains 'ConditionalAccess') {
Write-SectionHeader "Conditional Access"
foreach ($caPolicy in $Config.ConditionalAccess) {
$policyName = $caPolicy.Name
Invoke-WithErrorHandling -Workload 'ConditionalAccess' -Control $policyName -Action {
$existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'" -ErrorAction SilentlyContinue
if ($Mode -eq 'Assess') {
if ($existing) {
$stateMatch = ($existing.State -eq $caPolicy.State)
Add-Result -Workload 'ConditionalAccess' -Control $policyName `
-Status $(if ($stateMatch) { 'Pass' } else { 'Fail' }) `
-Message "Policy exists. State: $($existing.State) | Desired: $($caPolicy.State)" `
-Remediation "Review policy in Entra admin center > Protection > Conditional Access"
} else {
Add-Result -Workload 'ConditionalAccess' -Control $policyName -Status 'Fail' `
-Message "Policy does not exist." `
-Remediation "Create policy '$policyName' via Entra admin center or Graph API"
}
} else {
if ($existing) {
if ($PSCmdlet.ShouldProcess($policyName, "Update Conditional Access policy state to $($caPolicy.State)")) {
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $existing.Id -State $caPolicy.State
Add-Result -Workload 'ConditionalAccess' -Control $policyName -Status 'Fixed' -Message "Updated state to $($caPolicy.State)"
} else {
Add-Result -Workload 'ConditionalAccess' -Control $policyName -Status 'Skipped' -Message "WhatIf/Confirm declined"
}
} else {
# For Deploy mode without existing policy, we provide guidance rather than auto-creating
# because CA policies are complex and tenant-specific (groups, apps, exclusions)
Add-Result -Workload 'ConditionalAccess' -Control $policyName -Status 'Skipped' `
-Message "Policy does not exist. Auto-creation of CA policies is intentionally manual to avoid lockouts." `
-Remediation "Use the sample JSON in this script's comments or build via Entra admin center, then re-run Assess."
}
}
}
}
}
#endregion
#region Defender / Exchange
if ($Workloads -contains 'Defender') {
Write-SectionHeader "Defender for Office 365"
# Safe Links
Invoke-WithErrorHandling -Workload 'Defender' -Control '2.1.1-SafeLinks' -Action {
$policy = Get-SafeLinksPolicy -Identity $Config.Defender.SafeLinks.Name -ErrorAction SilentlyContinue
if ($Mode -eq 'Assess') {
if ($policy) {
$pass = $policy.EnableSafeLinksForEmail -and $policy.TrackClicks -and -not $policy.AllowClickThrough
Add-Result -Workload 'Defender' -Control '2.1.1-SafeLinks' -Status $(if ($pass) { 'Pass' } else { 'Fail' }) `
-Message "Safe Links policy exists. EmailProtection=$($policy.EnableSafeLinksForEmail) TrackClicks=$($policy.TrackClicks) AllowClickThrough=$($policy.AllowClickThrough)" `
-Remediation "Set-SafeLinksPolicy -Identity '$($Config.Defender.SafeLinks.Name)' -EnableSafeLinksForEmail `$true -TrackClicks `$true -AllowClickThrough `$false"
} else {
Add-Result -Workload 'Defender' -Control '2.1.1-SafeLinks' -Status 'Fail' `
-Message "Safe Links policy '$($Config.Defender.SafeLinks.Name)' not found." `
-Remediation "New-SafeLinksPolicy (see script comments for full syntax)"
}
} else {
if ($policy) {
if ($PSCmdlet.ShouldProcess($Config.Defender.SafeLinks.Name, 'Update Safe Links policy')) {
Set-SafeLinksPolicy -Identity $Config.Defender.SafeLinks.Name `
-EnableSafeLinksForEmail $Config.Defender.SafeLinks.Enabled `
-TrackClicks $Config.Defender.SafeLinks.TrackClicks `
-AllowClickThrough $Config.Defender.SafeLinks.AllowClickThrough `
-ScanUrls $Config.Defender.SafeLinks.ScanUrls `
-EnableForInternalSenders $Config.Defender.SafeLinks.EnableForInternalSenders
Add-Result -Workload 'Defender' -Control '2.1.1-SafeLinks' -Status 'Fixed' -Message "Updated Safe Links policy"
} else {
Add-Result -Workload 'Defender' -Control '2.1.1-SafeLinks' -Status 'Skipped' -Message "WhatIf/Confirm declined"
}
} else {
if ($PSCmdlet.ShouldProcess($Config.Defender.SafeLinks.Name, 'Create Safe Links policy')) {
New-SafeLinksPolicy -Name $Config.Defender.SafeLinks.Name `
-EnableSafeLinksForEmail $Config.Defender.SafeLinks.Enabled `
-TrackClicks $Config.Defender.SafeLinks.TrackClicks `
-AllowClickThrough $Config.Defender.SafeLinks.AllowClickThrough `
-ScanUrls $Config.Defender.SafeLinks.ScanUrls `
-EnableForInternalSenders $Config.Defender.SafeLinks.EnableForInternalSenders
# Create rule to apply it
New-SafeLinksRule -Name "$($Config.Defender.SafeLinks.Name)-Rule" -SafeLinksPolicy $Config.Defender.SafeLinks.Name -RecipientDomainIs (Get-AcceptedDomain).Name
Add-Result -Workload 'Defender' -Control '2.1.1-SafeLinks' -Status 'Fixed' -Message "Created Safe Links policy and rule"
} else {
Add-Result -Workload 'Defender' -Control '2.1.1-SafeLinks' -Status 'Skipped' -Message "WhatIf/Confirm declined"
}
}
}
}
# Safe Attachments
Invoke-WithErrorHandling -Workload 'Defender' -Control '2.1.4-SafeAttachments' -Action {
$policy = Get-SafeAttachmentPolicy -Identity $Config.Defender.SafeAttachments.Name -ErrorAction SilentlyContinue
if ($Mode -eq 'Assess') {
if ($policy) {
$pass = $policy.Enable -and ($policy.Action -eq 'Block')
Add-Result -Workload 'Defender' -Control '2.1.4-SafeAttachments' -Status $(if ($pass) { 'Pass' } else { 'Fail' }) `
-Message "Safe Attachments exists. Enabled=$($policy.Enable) Action=$($policy.Action)" `
-Remediation "Set-SafeAttachmentPolicy -Identity '$($Config.Defender.SafeAttachments.Name)' -Enable `$true -Action Block"
} else {
Add-Result -Workload 'Defender' -Control '2.1.4-SafeAttachments' -Status 'Fail' `
-Message "Policy not found." -Remediation "New-SafeAttachmentPolicy -Name '$($Config.Defender.SafeAttachments.Name)' -Enable `$true -Action Block"
}
} else {
if ($policy) {
if ($PSCmdlet.ShouldProcess($Config.Defender.SafeAttachments.Name, 'Update Safe Attachments policy')) {
Set-SafeAttachmentPolicy -Identity $Config.Defender.SafeAttachments.Name `
-Enable $Config.Defender.SafeAttachments.Enabled -Action $Config.Defender.SafeAttachments.Action
Add-Result -Workload 'Defender' -Control '2.1.4-SafeAttachments' -Status 'Fixed' -Message "Updated Safe Attachments policy"
} else {
Add-Result -Workload 'Defender' -Control '2.1.4-SafeAttachments' -Status 'Skipped' -Message "WhatIf/Confirm declined"
}
} else {
if ($PSCmdlet.ShouldProcess($Config.Defender.SafeAttachments.Name, 'Create Safe Attachments policy')) {
New-SafeAttachmentPolicy -Name $Config.Defender.SafeAttachments.Name `
-Enable $Config.Defender.SafeAttachments.Enabled -Action $Config.Defender.SafeAttachments.Action
New-SafeAttachmentRule -Name "$($Config.Defender.SafeAttachments.Name)-Rule" `
-SafeAttachmentPolicy $Config.Defender.SafeAttachments.Name -RecipientDomainIs (Get-AcceptedDomain).Name
Add-Result -Workload 'Defender' -Control '2.1.4-SafeAttachments' -Status 'Fixed' -Message "Created Safe Attachments policy and rule"
} else {
Add-Result -Workload 'Defender' -Control '2.1.4-SafeAttachments' -Status 'Skipped' -Message "WhatIf/Confirm declined"
}
}
}
}
# Anti-Malware (Common Attachment Types Filter)
Invoke-WithErrorHandling -Workload 'Defender' -Control '2.1.2-AntiMalware' -Action {
$policy = Get-MalwareFilterPolicy -Identity $Config.Defender.AntiMalware.Name -ErrorAction SilentlyContinue
if ($Mode -eq 'Assess') {
if ($policy) {
$pass = $policy.EnableInternalSenderNotifications
Add-Result -Workload 'Defender' -Control '2.1.2-AntiMalware' -Status $(if ($pass) { 'Pass' } else { 'Fail' }) `
-Message "Anti-malware policy exists. InternalNotifications=$($policy.EnableInternalSenderNotifications)" `
-Remediation "Set-MalwareFilterPolicy -Identity '$($Config.Defender.AntiMalware.Name)' -EnableInternalSenderNotifications `$true"
} else {
Add-Result -Workload 'Defender' -Control '2.1.2-AntiMalware' -Status 'Fail' `
-Message "Policy not found." -Remediation "New-MalwareFilterPolicy -Name '$($Config.Defender.AntiMalware.Name)' -EnableInternalSenderNotifications `$true"
}
} else {
if ($policy) {
if ($PSCmdlet.ShouldProcess($Config.Defender.AntiMalware.Name, 'Update anti-malware policy')) {
Set-MalwareFilterPolicy -Identity $Config.Defender.AntiMalware.Name -EnableInternalSenderNotifications $true
Add-Result -Workload 'Defender' -Control '2.1.2-AntiMalware' -Status 'Fixed' -Message "Updated anti-malware policy"
} else {
Add-Result -Workload 'Defender' -Control '2.1.2-AntiMalware' -Status 'Skipped' -Message "WhatIf/Confirm declined"
}
} else {
if ($PSCmdlet.ShouldProcess($Config.Defender.AntiMalware.Name, 'Create anti-malware policy')) {
New-MalwareFilterPolicy -Name $Config.Defender.AntiMalware.Name -EnableInternalSenderNotifications $true
Add-Result -Workload 'Defender' -Control '2.1.2-AntiMalware' -Status 'Fixed' -Message "Created anti-malware policy"
} else {
Add-Result -Workload 'Defender' -Control '2.1.2-AntiMalware' -Status 'Skipped' -Message "WhatIf/Confirm declined"
}
}
}
}
}
if ($Workloads -contains 'Exchange') {
Write-SectionHeader "Exchange Online"
# 6.2.1 - Block external forwarding
Invoke-WithErrorHandling -Workload 'Exchange' -Control '6.2.1-BlockExternalForwarding' -Action {
$rule = Get-TransportRule | Where-Object { $_.Name -like '*CIS*forward*' -or $_.Name -eq 'CIS-Block-External-Forwarding' }
if ($Mode -eq 'Assess') {
if ($rule) {
Add-Result -Workload 'Exchange' -Control '6.2.1-BlockExternalForwarding' -Status 'Pass' `
-Message "Transport rule exists: $($rule.Name)"
} else {
Add-Result -Workload 'Exchange' -Control '6.2.1-BlockExternalForwarding' -Status 'Fail' `
-Message "No transport rule blocking external forwarding." `
-Remediation "New-TransportRule -Name 'CIS-Block-External-Forwarding' -FromScope 'InOrganization' -SentToScope 'NotInOrganization' -RejectMessageReasonText 'External forwarding is disabled'"
}
} else {
if (-not $rule) {
if ($PSCmdlet.ShouldProcess('Transport Rule', 'Create external forwarding block')) {
New-TransportRule -Name 'CIS-Block-External-Forwarding' `
-FromScope 'InOrganization' -SentToScope 'NotInOrganization' `
-RejectMessageReasonText 'External forwarding is disabled per security policy.' `
-RejectMessageEnhancedStatusCode '5.7.1'
Add-Result -Workload 'Exchange' -Control '6.2.1-BlockExternalForwarding' -Status 'Fixed' -Message "Created transport rule"
} else {
Add-Result -Workload 'Exchange' -Control '6.2.1-BlockExternalForwarding' -Status 'Skipped' -Message "WhatIf/Confirm declined"
}
} else {
Add-Result -Workload 'Exchange' -Control '6.2.1-BlockExternalForwarding' -Status 'Pass' -Message "Rule already exists"
}
}
}
# 6.1.2 - Enable mailbox auditing
Invoke-WithErrorHandling -Workload 'Exchange' -Control '6.1.2-MailboxAudit' -Action {
$orgConfig = Get-OrganizationConfig
if ($Mode -eq 'Assess') {
$pass = $orgConfig.AuditDisabled -eq $false
Add-Result -Workload 'Exchange' -Control '6.1.2-MailboxAudit' -Status $(if ($pass) { 'Pass' } else { 'Fail' }) `
-Message "AuditDisabled = $($orgConfig.AuditDisabled)" `
-Remediation "Set-OrganizationConfig -AuditDisabled `$false"
} else {
if ($orgConfig.AuditDisabled -ne $false) {
if ($PSCmdlet.ShouldProcess('Organization Config', 'Enable mailbox auditing')) {
Set-OrganizationConfig -AuditDisabled $false
Add-Result -Workload 'Exchange' -Control '6.1.2-MailboxAudit' -Status 'Fixed' -Message "Enabled mailbox auditing"
} else {
Add-Result -Workload 'Exchange' -Control '6.1.2-MailboxAudit' -Status 'Skipped' -Message "WhatIf/Confirm declined"
}
} else {
Add-Result -Workload 'Exchange' -Control '6.1.2-MailboxAudit' -Status 'Pass' -Message "Already enabled"
}
}
}
}
#endregion
#region SharePoint
if ($Workloads -contains 'SharePoint') {
Write-SectionHeader "SharePoint / OneDrive"
Invoke-WithErrorHandling -Workload 'SharePoint' -Control '7.x-ExternalSharing' -Action {
$tenant = Get-PnPTenant
# SharePoint external sharing
$spoSharing = $tenant.SharingCapability
$desiredSpo = $Config.SharePoint.SharePointExternalSharing
if ($Mode -eq 'Assess') {
Add-Result -Workload 'SharePoint' -Control '7.x-SharePointExternalSharing' `
-Status $(if ($spoSharing -eq $desiredSpo) { 'Pass' } else { 'Fail' }) `
-Message "Current: $spoSharing | Desired: $desiredSpo" `
-Remediation "Set-PnPTenant -SharingCapability $desiredSpo"
} else {
if ($spoSharing -ne $desiredSpo) {
if ($PSCmdlet.ShouldProcess('SharePoint Tenant', "Set sharing to $desiredSpo")) {
Set-PnPTenant -SharingCapability $desiredSpo
Add-Result -Workload 'SharePoint' -Control '7.x-SharePointExternalSharing' -Status 'Fixed' -Message "Set to $desiredSpo"
} else {
Add-Result -Workload 'SharePoint' -Control '7.x-SharePointExternalSharing' -Status 'Skipped' -Message "WhatIf/Confirm declined"
}
} else {
Add-Result -Workload 'SharePoint' -Control '7.x-SharePointExternalSharing' -Status 'Pass' -Message "Already set to $desiredSpo"
}
}
# OneDrive external sharing
$odbSharing = $tenant.OneDriveSharingCapability
$desiredOdb = $Config.SharePoint.OneDriveExternalSharing
if ($Mode -eq 'Assess') {
Add-Result -Workload 'SharePoint' -Control '7.x-OneDriveExternalSharing' `
-Status $(if ($odbSharing -eq $desiredOdb) { 'Pass' } else { 'Fail' }) `
-Message "Current: $odbSharing | Desired: $desiredOdb" `
-Remediation "Set-PnPTenant -OneDriveSharingCapability $desiredOdb"
} else {
if ($odbSharing -ne $desiredOdb) {
if ($PSCmdlet.ShouldProcess('OneDrive Tenant', "Set sharing to $desiredOdb")) {
Set-PnPTenant -OneDriveSharingCapability $desiredOdb
Add-Result -Workload 'SharePoint' -Control '7.x-OneDriveExternalSharing' -Status 'Fixed' -Message "Set to $desiredOdb"
} else {
Add-Result -Workload 'SharePoint' -Control '7.x-OneDriveExternalSharing' -Status 'Skipped' -Message "WhatIf/Confirm declined"
}
} else {
Add-Result -Workload 'SharePoint' -Control '7.x-OneDriveExternalSharing' -Status 'Pass' -Message "Already set to $desiredOdb"
}
}
}
}
#endregion
#region Teams
if ($Workloads -contains 'Teams') {
Write-SectionHeader "Microsoft Teams"
Invoke-WithErrorHandling -Workload 'Teams' -Control '8.x-AnonymousMeetings' -Action {
$config = Get-CsTeamsMeetingConfiguration
$anonJoin = (Get-CsTeamsMeetingPolicy -Identity Global).AllowAnonymousUsersToJoinMeeting
$anonStart = (Get-CsTeamsMeetingPolicy -Identity Global).AllowAnonymousUsersToStartMeeting
if ($Mode -eq 'Assess') {
Add-Result -Workload 'Teams' -Control '8.x-AnonymousMeetingJoin' `
-Status $(if ($anonJoin -eq $Config.Teams.AllowAnonymousMeetingJoin) { 'Pass' } else { 'Fail' }) `
-Message "AllowAnonymousUsersToJoinMeeting = $anonJoin | Desired = $($Config.Teams.AllowAnonymousMeetingJoin)" `
-Remediation "Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToJoinMeeting `$false"
} else {
if ($anonJoin -ne $Config.Teams.AllowAnonymousMeetingJoin) {
if ($PSCmdlet.ShouldProcess('Teams Global Policy', 'Restrict anonymous meeting join')) {
Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToJoinMeeting $Config.Teams.AllowAnonymousMeetingJoin
Add-Result -Workload 'Teams' -Control '8.x-AnonymousMeetingJoin' -Status 'Fixed' -Message "Set to $($Config.Teams.AllowAnonymousMeetingJoin)"
} else {
Add-Result -Workload 'Teams' -Control '8.x-AnonymousMeetingJoin' -Status 'Skipped' -Message "WhatIf/Confirm declined"
}
} else {
Add-Result -Workload 'Teams' -Control '8.x-AnonymousMeetingJoin' -Status 'Pass' -Message "Already set correctly"
}
}
}
Invoke-WithErrorHandling -Workload 'Teams' -Control '8.x-Federation' -Action {
$fedConfig = Get-CsTenantFederationConfiguration
if ($Mode -eq 'Assess') {
Add-Result -Workload 'Teams' -Control '8.x-Federation' `
-Status $(if ($fedConfig.AllowFederatedUsers -eq $Config.Teams.AllowFederatedUsers) { 'Pass' } else { 'Fail' }) `
-Message "AllowFederatedUsers = $($fedConfig.AllowFederatedUsers) | Desired = $($Config.Teams.AllowFederatedUsers)" `
-Remediation "Set-CsTenantFederationConfiguration -AllowFederatedUsers `$false"
} else {
if ($fedConfig.AllowFederatedUsers -ne $Config.Teams.AllowFederatedUsers) {
if ($PSCmdlet.ShouldProcess('Teams Federation', "Set AllowFederatedUsers to $($Config.Teams.AllowFederatedUsers)")) {
Set-CsTenantFederationConfiguration -AllowFederatedUsers $Config.Teams.AllowFederatedUsers
Add-Result -Workload 'Teams' -Control '8.x-Federation' -Status 'Fixed' -Message "Set to $($Config.Teams.AllowFederatedUsers)"
} else {
Add-Result -Workload 'Teams' -Control '8.x-Federation' -Status 'Skipped' -Message "WhatIf/Confirm declined"
}
} else {
Add-Result -Workload 'Teams' -Control '8.x-Federation' -Status 'Pass' -Message "Already set correctly"
}
}
}
}
#endregion
#region Report
Write-SectionHeader "Summary Report"
$passCount = ($script:Results | Where-Object { $_.Status -eq 'Pass' }).Count
$failCount = ($script:Results | Where-Object { $_.Status -eq 'Fail' }).Count
$fixedCount = $script:ChangesMade
$skippedCount = $script:ChangesSkipped
$errorCount = $script:Errors
Write-Host "Mode: $Mode" -ForegroundColor $(if ($Mode -eq 'Assess') { 'Green' } else { 'Yellow' })
Write-Host "Workloads: $($Workloads -join ', ')"
Write-Host ""
Write-Host "Results:"
Write-Host " Pass: $passCount" -ForegroundColor Green
Write-Host " Fail: $failCount" -ForegroundColor Red
if ($Mode -eq 'Deploy') {
Write-Host " Fixed: $fixedCount" -ForegroundColor Cyan
Write-Host " Skipped: $skippedCount" -ForegroundColor Yellow
}
Write-Host " Errors: $errorCount" -ForegroundColor $(if ($errorCount -gt 0) { 'Red' } else { 'Gray' })
Write-Host ""
# Export results
$timestamp = Get-Date -Format 'yyyyMMdd_HHmmss'
$reportPath = "$PSScriptRoot\CISM365-RapidBaseline-Report_$Mode`_$timestamp.csv"
$script:Results | Export-Csv -Path $reportPath -NoTypeInformation -Force
Write-Host "Report saved to: $reportPath" -ForegroundColor Green
# Show failures if in Assess mode
if ($Mode -eq 'Assess' -and $failCount -gt 0) {
Write-Host "`nFailed checks:" -ForegroundColor Red
$script:Results | Where-Object { $_.Status -eq 'Fail' } | ForEach-Object {
Write-Host " [$($_.Workload)] $($_.Control): $($_.Message)" -ForegroundColor Red
if ($_.Remediation) { Write-Host " Remediation: $($_.Remediation)" -ForegroundColor DarkGray }
}
}
# Show errors
if ($errorCount -gt 0) {
Write-Host "`nErrors encountered:" -ForegroundColor Red
$script:Results | Where-Object { $_.Status -eq 'Error' } | ForEach-Object {
Write-Host " [$($_.Workload)] $($_.Control): $($_.Message)" -ForegroundColor Red
}
}
Write-Host "`nDone." -ForegroundColor Green
#endregion
Baselines/M365-CIS-Rapid/README.md
+172
View File
@@ -0,0 +1,172 @@
# CIS M365 Rapid Baseline
> **Goal:** Take a new or newly-acquired tenant from zero to ~80% CIS M365 Foundations compliance in hours, not weeks.
Your existing `IntuneManagement` toolkit already handles **Section 4 (Intune)** of the CIS benchmark. This complements it with the tenant-level workloads: Entra ID, Conditional Access, Defender, Exchange, SharePoint, and Teams.
---
## The Reality Check
There is no single "Install-CIS-M365" command. The benchmark has **140 controls** across **9 sections**, and many are:
- **Assessment-only** (e.g., "Ensure 24 global admins exist" — a script can't decide who your admins should be)
- **License-dependent** (Identity Protection risk policies require Entra ID P2)
- **Tenant-specific** (Conditional Access exclusions, emergency access accounts, accepted domains)
**This baseline automates the ~40 highest-impact controls that are safe to script on a greenfield tenant.** The rest require human judgment.
---
## Prerequisites
```powershell
# PowerShell 7+ is strongly recommended
$PSVersionTable.PSVersion
# Install dependencies
Install-Module Microsoft.Graph -Scope CurrentUser -Force
Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force
Install-Module PnP.PowerShell -Scope CurrentUser -Force
Install-Module MicrosoftTeams -Scope CurrentUser -Force
```
**Permissions required:**
- Global Administrator (to create policies and grant consent)
- Or: combination of Privileged Role Administrator + Exchange Administrator + SharePoint Administrator + Teams Administrator
---
## The Fastest Path (Recommended Workflow)
### Step 0: Customize the config
Edit `CISM365-RapidBaseline.psd1`:
- Set your `TenantDomain` and `SharePointAdminUrl`
- Add your **break-glass emergency access accounts** to `BreakGlassAccounts`
- Adjust `ConditionalAccess` policies to reference your actual admin roles/groups
- Review `SharePointExternalSharing``Disabled` is most secure but may break planned collaboration
- Review `BlockUserConsent``true` is CIS-compliant but may break SaaS integrations
### Step 1: Assess (read-only)
```powershell
cd Baselines/M365-CIS-Rapid
# Default: assess everything, make zero changes
./Deploy-CISM365RapidBaseline.ps1
```
Review the CSV report. It tells you exactly what's wrong and how to fix it.
### Step 2: Deploy the easy wins
```powershell
# Deploy with WhatIf first (simulates changes without applying)
./Deploy-CISM365RapidBaseline.ps1 -Mode Deploy -WhatIf
# If satisfied, apply for real
./Deploy-CISM365RapidBaseline.ps1 -Mode Deploy -Apply -Verbose
```
### Step 3: Create Conditional Access policies manually
**This script intentionally does NOT auto-create Conditional Access policies.** CA misconfiguration can lock everyone out of the tenant, including you.
Use the assessment output as a checklist and create them in the Entra admin center:
1. **CIS-Block-Legacy-Auth** — Block all legacy auth protocols
2. **CIS-Require-MFA-Admins** — Require MFA for all admin roles
3. **CIS-Require-MFA-All-Users** — Require MFA for all users
4. **CIS-Block-Device-Code-Flow** — Block device code authentication
5. **CIS-Block-High-Risk-SignIns** — Block medium/high risk sign-ins (requires P2)
> **Pro tip:** Set new CA policies to `enabledForReportingButNotEnforced` for 24 hours before flipping to `enabled`. This lets you verify they don't block legitimate access.
### Step 4: Run a full CIS assessment
```powershell
# Install the comprehensive CIS assessment module
Install-Module CIS-M365-Benchmark -Scope CurrentUser -Force
Connect-CISM365Benchmark
Invoke-CISM365Benchmark -ProfileLevel L1 -ExcludeSections Intune
```
This checks all 140 controls and produces an HTML report with remediation steps for the remaining gaps.
### Step 5: Ongoing governance (optional but recommended)
For drift detection and continuous enforcement, introduce **Microsoft365DSC**:
```powershell
Install-Module Microsoft365DSC -Force
Update-M365DSCDependencies
# Export your now-hardened tenant as code
Export-M365DSCConfiguration -Workloads @("AAD","EXO","SPO","Teams") -Path ./m365-golden
```
Store that golden configuration in Git and run it through a pipeline weekly.
---
## What This Script Covers
| CIS Section | Controls Automated | Notes |
|-------------|-------------------|-------|
| **5.1** M365 Admin Center | Password expiration, tenant creation block, device quota, user consent | |
| **5.2.2** Conditional Access | Assessment only (safe by design) | Manual creation recommended |
| **5.2.3** Auth Methods | Banned password list | |
| **2.1** Defender | Safe Links, Safe Attachments, Anti-malware | Creates policy + rule |
| **6.1/6.2** Exchange | Mailbox auditing, external forwarding block | Transport rule |
| **7.x** SharePoint | External sharing restrictions | SPO + OneDrive |
| **8.x** Teams | Anonymous meeting restrictions, federation | Global policy |
**What it does NOT cover (requires human judgment):**
- Admin role assignments (how many GAs, who are they)
- Emergency access accounts (you must create these first)
- PIM configuration (requires P2, approval workflows)
- DMARC/DKIM/SPF records (DNS-level, not tenant-level)
- DLP policies (business-specific)
- Sensitivity labels (business-specific)
- Intune device policies (use your existing toolkit)
---
## Safety Features
- **`-Mode Assess` is the default.** Nothing changes unless you explicitly say `-Mode Deploy -Apply`.
- **`-WhatIf` is supported.** Use it to preview every change.
- **Break-glass exclusion.** The CA assessment template references `BreakGlassAccounts` — make sure these exist and are excluded from MFA/Compliance policies before enabling them.
- **Modular workloads.** Use `-Workloads` to target only one area at a time.
---
## Newly-Acquired vs. New Tenant
| Scenario | Approach |
|----------|----------|
| **Brand new tenant** (no users yet) | Run `-Mode Deploy -Apply` freely. Then create CA policies. |
| **Newly-acquired tenant** (has users, mailboxes, existing config) | Run `-Mode Assess` first. Review EVERY failed control for business impact before deploying. Some changes (e.g., disabling external sharing, blocking user consent) can break existing workflows. |
---
## Alternatives Considered
| Tool | Best For | Why We Didn't Use It As Primary |
|------|----------|--------------------------------|
| **Microsoft365DSC** | Long-term governance, drift detection | Learning curve is too high for "as fast as possible"; better introduced after initial hardening |
| **CISA ScubaGear** | Federal compliance, audit evidence | Read-only assessment; no deployment capability |
| **CIS-M365-Benchmark** | Comprehensive 140-control assessment | Read-only; excellent for gap analysis after rapid deployment |
| **Maester** | CI/CD testing, continuous validation | Read-only; great for pipelines, not initial deployment |
| **CoreView / Inforcer** | MSP multi-tenant deployment | Commercial; not applicable if you want open-source/scripted |
---
## Next Steps
1. Customize `CISM365-RapidBaseline.psd1`
2. Run assess mode
3. Deploy the easy wins
4. Create CA policies manually with reporting mode
5. Run `CIS-M365-Benchmark` for the remaining gaps
6. Introduce `Microsoft365DSC` for ongoing governance
Baselines/banned-passwords.txt
+26
View File
@@ -0,0 +1,26 @@
# CIS M365 v7 — Banned Passwords (external list)
# One password per line; lines starting with # are ignored
# These are merged with any inline bannedPasswords in the YAML baseline
# Common corporate names
Contoso
Fabrikam
Northwind
Wingtip
# Common weak passwords
Password
Welcome
Admin
Login
Passw0rd
Qwerty
123456
# Microsoft / Office branding
Microsoft
Office365
Outlook
Azure
Teams
SharePoint