cqrenet/macOS_IntuneManagement
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

release: v4.1.0 — restructure entry points, add CIS baselines, reporting tools and fzf hints

Browse Source 
- Restructure launchers: Start-IntuneToolkit.ps1 moves to repo root;
  Start-HeadlessIntune.ps1 moves to Scripts/; TUI helper moves to Scripts/Private/
- Add AGENTS.md with project architecture, entry points, and security notes
- Add CIS M365 baseline assets (CISM365-v7, M365-CIS-Rapid) and reporting scripts
- Add Python reporting utilities (Export-SettingsReport, Export-AssignmentReport,
  Export-ObjectInventoryReport) and CA wizard helpers
- Update Deploy-IntuneBaseline.ps1 with Merge conflict resolution, ReportPath,
  and optimized group loading
- Update Initialize-IntuneAuth.ps1 with -RotateSecret and configurable secret expiry
- Update Extensions for Settings Catalog definition auto-export
- Update README with v4.1.0, new entry points and script catalog
- Bump VERSION to 4.1.0
- Harden .gitignore against .DS_Store, __pycache__, .venv-pdf/, local exports,
  Settings.json and IntuneManagement.log
This commit is contained in:
Tomas Kracmar
2026-06-14 15:24:42 +02:00
parent e333af978c
commit d3e0769799
30 changed files with 8711 additions and 175 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Baselines/CISM365-v7-Generated.yaml
+655
View File
@@ -0,0 +1,655 @@
# =====================================================================
# CIS Microsoft 365 Foundations Benchmark v7.0.0 (Draft)
# GENERATED from PDF — review before deploying
# =====================================================================
baseline:
name: CIS-M365-v7-Generated
conflictResolution: Skip
whatIf: false
tenantMutation:
prefix: "CIS-v7-"
groups:
- displayName: "CIS-BreakGlass"
mailNickname: "CISBreakGlass"
securityEnabled: true
- displayName: "CIS-Pilot-Users"
mailNickname: "CISPilotUsers"
securityEnabled: true
tenantConfig:
# ===============================================================
# Section 1: adminCenter
# ===============================================================
adminCenter:
# 1.1.2 (Manual): Ensure two emergency access accounts have been defined
# TODO: Implement manually per PDF instructions
# 1.1.3 (Automated): Ensure that between two and four global admins are designated
# TODO: Map this control to YAML — see PDF for details
# 1.1.4 (Automated): Ensure administrative accounts use licenses with a reduced application footprint
# TODO: Map this control to YAML — see PDF for details
# 1.2.1 (Automated): Ensure that only organizationally managed/approved public groups exist
# TODO: Map this control to YAML — see PDF for details
# 1.2.2: Ensure sign-in to shared mailboxes is blocked
blockSharedMailboxSignIn: true
# 1.3.1: Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'
passwordExpiration: "NeverExpire"
# 1.3.2: Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices
idleSessionTimeoutHours: 3
# 1.3.3: Ensure 'External sharing' of calendars is not available
externalCalendarSharing: "Disabled"
# 1.3.4: Ensure 'User owned apps and services' is restricted
restrictUserOwnedApps: true
# 1.3.5: Ensure internal phishing protection for Forms is enabled
formsPhishingProtection: true
# 1.3.6: Ensure the customer lockbox feature is enabled
customerLockbox: true
# 1.3.7: Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web'
restrictThirdPartyStorage: true
# 1.3.8 (Manual): Ensure that Sways cannot be shared with people outside of your organization
# TODO: Implement manually per PDF instructions
# 1.3.9: Ensure shared bookings pages are restricted to select users
restrictSharedBookings: true
# ===============================================================
# Section 5: entraId
# ===============================================================
entraId:
# 5.1.2.1 (Manual): Ensure 'Per-user MFA' is disabled
# TODO: Implement manually per PDF instructions
# 5.1.2.2: Ensure users cannot register applications
blockUserConsent: true
# 5.1.2.3: Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
blockTenantCreation: true
# 5.1.2.4 (Manual): Ensure access to the Entra admin center is restricted
# TODO: Implement manually per PDF instructions
# 5.1.2.5 (Manual): Ensure the option to remain signed in is hidden
# TODO: Implement manually per PDF instructions
# 5.1.2.6 (Manual): Ensure 'LinkedIn account connections' is disabled
# TODO: Implement manually per PDF instructions
# 5.1.3.1: Ensure users cannot create security groups
blockSecurityGroupCreation: true
# 5.1.3.2 (Manual): Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes'
# TODO: Implement manually per PDF instructions
# 5.1.3.3 (Manual): Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
# TODO: Implement manually per PDF instructions
# 5.1.3.4: Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
blockM365GroupCreation: true
# 5.1.4.1: Ensure the ability to join devices to Entra is restricted
restrictDeviceJoin: true
# 5.1.4.2: Ensure the maximum number of devices per user is limited
maxDevicesPerUser: 5
# 5.1.4.3: Ensure the GA role is not added as a local administrator during Entra join
gaLocalAdminDisabled: true
# 5.1.4.4: Ensure local administrator assignment is limited during Entra join
limitLocalAdminAssignment: true
# 5.1.4.5: Ensure Local Administrator Password Solution is enabled
enableLAPS: true
# 5.1.4.6: Ensure users are restricted from recovering BitLocker keys
restrictBitLockerRecovery: true
# 5.1.5.1: Ensure user consent to apps accessing company data on their behalf is not allowed
blockUserConsent: true
# 5.1.5.2: Ensure the admin consent workflow is enabled
enableAdminConsentWorkflow: true
# 5.1.5.3: Ensure password addition is blocked for applications
blockPasswordCredentials: true
# 5.1.5.4: Ensure password lifetime for applications does not exceed 180 days
maxPasswordLifetimeDays: 180
# 5.1.5.5: Ensure new application passwords are system-generated
systemGeneratedPasswords: true
# 5.1.5.6: Ensure maximum certificate lifetime for applications does not exceed 180 days
maxCertificateLifetimeDays: 180
# 5.1.6.1: Ensure that collaboration invitations are sent to allowed domains only
restrictCollaborationDomains: true
# 5.1.6.2: Ensure that guest user access is restricted
restrictGuestAccess: true
# 5.1.6.3: Ensure guest user invitations are limited
limitGuestInvitations: true
# 5.1.8.1: Ensure that password hash sync is enabled for hybrid deployments
enablePasswordHashSync: true
# 5.2.3.1: Ensure Microsoft Authenticator is configured to protect against MFA fatigue
authenticatorNumberMatching: true
# 5.2.3.3 (Automated): Ensure password protection is enabled for on-prem Active Directory
# NOTE: Hybrid-only control — requires on-premises Active Directory
# 5.2.3.4: Ensure all member users are 'MFA capable'
mfaCapableUsers: true
# 5.2.3.5: Ensure weak authentication methods are disabled
disableWeakAuthMethods: true
# 5.2.3.6: Ensure system-preferred multifactor authentication is enabled
systemPreferredMFA: true
# 5.2.3.7: Ensure the email OTP authentication method is disabled
disableEmailOTP: true
# 5.2.3.8: Ensure that Account 'Lockout threshold' is '10' or less
lockoutThreshold: 10
# 5.2.3.9: Ensure that Account 'Lockout duration in seconds' is at least 60 seconds
lockoutDurationSeconds: 60
# 5.2.3.10: Ensure Microsoft Authenticator on companion applications is disabled
disableAuthenticatorCompanionApps: true
# 5.2.4.1 (Manual): Ensure 'Self service password reset enabled' is set to 'All'
# TODO: Implement manually per PDF instructions
# 5.2.4.2 (Manual): Ensure that 2 methods are required for password reset
# TODO: Implement manually per PDF instructions
# 5.2.4.3 (Manual): Ensure SSPR registration and authentication re- confirmation are required
# TODO: Implement manually per PDF instructions
# 5.2.4.4 (Manual): Ensure that users are notified on password resets
# TODO: Implement manually per PDF instructions
# 5.2.4.5 (Manual): Ensure all admins are notified when other admins reset their password
# TODO: Implement manually per PDF instructions
# 5.3.1: Ensure privileged role assignments are activated and not assigned
pimRoleActivationRequired: true
# 5.3.2: Ensure 'Access reviews' for guest users are configured
accessReviewsForGuests: true
# 5.3.3: Ensure 'Access reviews' for privileged roles are configured
accessReviewsForPrivilegedRoles: true
# 5.3.4: Ensure approval is required for Global Administrator role activation
requireApprovalForGAActivation: true
# 5.3.5: Ensure approval is required for Privileged Role Administrator activation
requireApprovalForPRAActivation: true
# ===============================================================
# Section 6: exchange
# ===============================================================
exchange:
# 6.1.1: Ensure 'AuditDisabled' organizationally is set to 'False'
enableMailboxAuditOrgWide: true
# 6.1.2: Ensure mailbox audit actions are configured
configureMailboxAuditActions: true
# 6.1.3: Ensure 'AuditBypassEnabled' is not enabled on mailboxes
disableAuditBypass: true
# 6.2.1: Ensure all forms of mail forwarding are blocked and/or disabled
blockExternalForwarding: true
# 6.2.2: Ensure mail transport rules do not whitelist specific domains
noDomainWhitelistTransportRules: true
# 6.2.3: Ensure email from external senders is identified
enableExternalSenderBanner: true
# 6.3.1: Ensure users installing Outlook add-ins is not allowed
blockOutlookAddIns: true
# 6.3.2: Ensure the ability to add personal email accounts and calendars is disabled
disablePersonalEmailAccounts: true
# 6.5.1: Ensure modern authentication for Exchange Online is enabled
enableModernAuthExchange: true
# 6.5.2: Ensure MailTips are enabled for end users
enableMailTips: true
# 6.5.3: Ensure additional storage providers are restricted in Outlook on the web
restrictAdditionalStorageProviders: true
# 6.5.4: Ensure SMTP AUTH is disabled
disableSMTPAuth: true
# 6.5.5: Ensure Direct Send submissions are rejected
rejectDirectSend: true
# ===============================================================
# Section 7: sharePoint
# ===============================================================
sharePoint:
# 7.2.1: Ensure modern authentication for SharePoint applications is required
requireModernAuthSharePoint: true
# 7.2.2: Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
enableAADB2BIntegration: true
# 7.2.3: Ensure external content sharing is restricted
sharePointExternalSharing: "Disabled"
# 7.2.4: Ensure OneDrive content sharing is restricted
oneDriveExternalSharing: "Disabled"
# 7.2.5: Ensure that SharePoint guest users cannot share items they don't own
preventGuestResharing: true
# 7.2.6: Ensure SharePoint external sharing is restricted
restrictSharePointExternalSharing: true
# 7.2.7: Ensure link sharing is restricted in SharePoint and OneDrive
restrictLinkSharing: true
# 7.2.8: Ensure external sharing is restricted by security group
restrictSharingBySecurityGroup: true
# 7.2.9: Ensure guest access to a site or OneDrive will expire automatically
guestAccessExpirationDays: 30
# 7.2.10: Ensure reauthentication with verification code is restricted
restrictReauthenticationVerificationCode: true
# 7.2.11: Ensure the SharePoint default sharing link permission is set
defaultSharingLinkPermission: "View"
# 7.3.1: Ensure Office 365 SharePoint infected files are disallowed for download
disallowInfectedFileDownload: true
# ===============================================================
# Section 8: teams
# ===============================================================
teams:
# 8.1.1: Ensure external file sharing in Teams is enabled for only approved cloud storage services
restrictExternalFileSharing: true
# 8.1.2: Ensure users can't send emails to a channel email address
blockChannelEmail: true
# 8.2.1: Ensure external domains are restricted in the Teams admin center
restrictExternalDomains: true
# 8.2.2: Ensure communication with unmanaged Teams users is disabled
disableUnmanagedUserCommunication: true
# 8.2.3: Ensure external Teams users cannot initiate conversations
blockExternalUserInitiation: true
# 8.2.4: Ensure the organization cannot communicate with accounts in trial Teams tenants
blockTrialTenantCommunication: true
# 8.4.1 (Manual): Ensure app permission policies are configured
# TODO: Implement manually per PDF instructions
# 8.5.1: Ensure anonymous users can't join a meeting
allowAnonymousUsersToJoinMeeting: false
# 8.5.2: Ensure anonymous users and dial-in callers can't start a meeting
allowAnonymousUsersToStartMeeting: false
# 8.5.3: Ensure only people in my org can bypass the lobby
orgOnlyBypassLobby: true
# 8.5.4: Ensure users dialing in can't bypass the lobby
dialInCantBypassLobby: true
# 8.5.5: Ensure meeting chat does not allow anonymous users
noAnonymousMeetingChat: true
# 8.5.6: Ensure only organizers and co-organizers can present
onlyOrganizersCanPresent: true
# 8.5.7: Ensure external participants can't give or request control
noExternalControl: true
# 8.5.8: Ensure external meeting chat is off
externalMeetingChatOff: true
# 8.5.9: Ensure meeting recording is off by default
meetingRecordingOffByDefault: true
# 8.6.1: Ensure users can report security concerns in Teams
enableSecurityConcernsReporting: true
# ===============================================================
# Section 9: powerBI
# ===============================================================
powerBI:
# 9.1.1: Ensure guest user access is restricted
restrictGuestAccess: true
# 9.1.2: Ensure external user invitations are restricted
restrictExternalInvitations: true
# 9.1.3: Ensure guest access to content is restricted
restrictGuestContentAccess: true
# 9.1.4: Ensure 'Publish to web' is restricted
restrictPublishToWeb: true
# 9.1.5: Ensure 'Interact with and share R and Python' visuals is 'Disabled'
disableRPythonVisuals: true
# 9.1.6: Ensure 'Allow users to apply sensitivity labels for content' is 'Enabled'
enableSensitivityLabels: true
# 9.1.7: Ensure shareable links are restricted
restrictShareableLinks: true
# 9.1.8: Ensure enabling of external data sharing is restricted
restrictExternalDataSharing: true
# 9.1.9: Ensure 'Block ResourceKey Authentication' is 'Enabled'
blockResourceKeyAuth: true
# 9.1.10: Ensure access to APIs by service principals is restricted
restrictServicePrincipalAPIAccess: true
# 9.1.11: Ensure service principals cannot create and use profiles
blockServicePrincipalProfiles: true
# 9.1.12: Ensure service principals ability to create workspaces, connections and deployment pipelines is restricted
restrictServicePrincipalWorkspaceCreation: true
# ===============================================================
# Section 3: purview
# ===============================================================
purview:
# 3.1.1: Ensure Microsoft 365 audit log search is Enabled
enableAuditLogSearch: true
# 3.2.1 (Automated): Ensure DLP policies are enabled
# TODO: Map this control to YAML — see PDF for details
# 3.2.2 (Automated): Ensure DLP policies are enabled for Microsoft Teams
# TODO: Map this control to YAML — see PDF for details
# 3.2.3 (Automated): Ensure DLP policies are published for Copilot users
# TODO: Map this control to YAML — see PDF for details
# 3.3.1 (Automated): Ensure Information Protection sensitivity label policies are published
# TODO: Map this control to YAML — see PDF for details
# ===============================================================
# Section 2: Defender for Office 365
# ===============================================================
defender:
# 2.1.1: Ensure Safe Links for Office Applications is Enabled
safeLinks:
name: "SafeLinks-Default"
enabled: true
trackClicks: true
allowClickThrough: false
scanUrls: true
enableForInternalSenders: true
# 2.1.2: Ensure the Common Attachment Types Filter is enabled
antiMalware:
name: "AntiMalware-Default"
enabled: true
enableInternalNotifications: true
fileTypes: ["ace", "ani", "app", "docm", "exe", "jar", "jnlp", "msi", "ps1", "scr", "vbs", "wsf"]
# 2.1.3: Ensure notifications for internal users sending malware is Enabled
antiMalware:
name: "AntiMalware-InternalNotify"
enabled: true
enableInternalNotifications: true
# 2.1.4: Ensure Safe Attachments policy is enabled
safeAttachments:
name: "SafeAttachments-Default"
enabled: true
action: "Block"
quarantineMessages: true
# 2.1.5: Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
safeAttachments:
name: "SafeAttachments-SPO-Teams"
enabled: true
action: "Block"
enableForSharePoint: true
enableForTeams: true
# 2.1.6: Ensure Exchange Online Spam Policies are set to notify administrators
antiSpam:
name: "AntiSpam-Notify-Admins"
enabled: true
notifyAdmins: true
# 2.1.7: Ensure that an anti-phishing policy has been created
antiPhish:
name: "AntiPhish-Default"
enabled: true
enableMailboxIntelligence: true
enableSpoofIntelligence: true
mailboxIntelligenceProtectionAction: "Quarantine"
# 2.1.8 (Automated): Ensure that SPF records are published for all Exchange Domains
# NOTE: DNS-level control — configure via DNS provider, not M365 tenant
# 2.1.9 (Automated): Ensure that DKIM is enabled for all Exchange Online Domains
# NOTE: DNS-level control — configure via DNS provider, not M365 tenant
# 2.1.10 (Automated): Ensure DMARC records for all Exchange Online domains are published
# NOTE: DNS-level control — configure via DNS provider, not M365 tenant
# 2.1.11: Ensure comprehensive attachment filtering is applied
antiMalware:
name: "AntiMalware-Comprehensive"
enabled: true
enableFileFilter: true
# 2.1.12: Ensure the connection filter IP allow list is not used
connectionFilterIPAllowListEmpty: true
# 2.1.13: Ensure the connection filter safe list is off
connectionFilterSafeListOff: true
# 2.1.14: Ensure inbound anti-spam policies do not contain allowed domains
inboundAntiSpamNoAllowedDomains: true
# 2.1.15: Ensure outbound anti-spam message limits are in place
outboundAntiSpamLimits: true
# 2.2.1 (Manual): Ensure emergency access account activity is monitored
# 2.4.1: Ensure Priority account protection is enabled and configured
priorityAccount:
enabled: true
# 2.4.2: Ensure Priority accounts have 'Strict protection' presets applied
priorityAccount:
strictProtection: true
# 2.4.3 (Manual): Ensure Microsoft Defender for Cloud Apps is enabled and configured
# 2.4.4: Ensure Zero-hour auto purge for Microsoft Teams is on
zap:
enabledForTeams: true
# 2.4.5 (Manual): Ensure 'AIR' remediation is enabled
# ===============================================================
# Section 5.2.2: Conditional Access
# ===============================================================
conditionalAccess:
reportOnly: true
breakGlassGroup: "CIS-BreakGlass"
policies:
- name: "Ensure-multifactor-authentication-is-enabled-for-all-us"
cisControl: "5.2.2.1"
description: "Ensure multifactor authentication is enabled for all users in administrative roles"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeRoles:
- "Global Administrator"
- "Privileged Role Administrator"
- "Security Administrator"
- "Exchange Administrator"
- "SharePoint Administrator"
- "Conditional Access Administrator"
- "Application Administrator"
- "Cloud Application Administrator"
- "User Administrator"
- "Helpdesk Administrator"
- "Billing Administrator"
- "Authentication Administrator"
- "Password Administrator"
- "Global Reader"
grantControls:
builtInControls: ["mfa"]
operator: "OR"
- name: "Ensure-multifactor-authentication-is-enabled-for-all-us"
cisControl: "5.2.2.2"
description: "Ensure multifactor authentication is enabled for all users"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
grantControls:
builtInControls: ["mfa"]
operator: "OR"
- name: "Enable-Conditional-Access-policies-to-block-legacy-auth"
cisControl: "5.2.2.3"
description: "Enable Conditional Access policies to block legacy authentication"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
clientAppTypes: ["exchangeActiveSync", "other"]
grantControls:
builtInControls: ["block"]
operator: "OR"
- name: "Ensure-Signin-frequency-is-enabled-and-browser-sessions"
cisControl: "5.2.2.4"
description: "Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeRoles:
- "Global Administrator"
- "Privileged Role Administrator"
- "Security Administrator"
- "Exchange Administrator"
- "SharePoint Administrator"
- "Conditional Access Administrator"
- "Application Administrator"
- "Cloud Application Administrator"
- "User Administrator"
- "Helpdesk Administrator"
- "Billing Administrator"
- "Authentication Administrator"
- "Password Administrator"
- "Global Reader"
grantControls:
builtInControls: ["mfa"]
operator: "OR"
sessionControls:
signInFrequency:
value: 12
type: hours
isEnabled: true
persistentBrowser:
mode: never
isEnabled: true
- name: "Ensure-Phishingresistant-MFA-strength-is-required-for-A"
cisControl: "5.2.2.5"
description: "Ensure 'Phishing-resistant MFA strength' is required for Administrators"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeRoles:
- "Global Administrator"
- "Privileged Role Administrator"
- "Security Administrator"
- "Exchange Administrator"
- "SharePoint Administrator"
- "Conditional Access Administrator"
- "Application Administrator"
- "Cloud Application Administrator"
- "User Administrator"
- "Helpdesk Administrator"
- "Billing Administrator"
- "Authentication Administrator"
- "Password Administrator"
- "Global Reader"
grantControls:
builtInControls: ["authenticationStrength"]
authenticationStrength:
id: "00000000-0000-0000-0000-000000000004"
operator: "OR"
- name: "Enable-Identity-Protection-user-risk-policies"
cisControl: "5.2.2.6"
description: "Enable Identity Protection user risk policies"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
signInRiskLevels: ["medium", "high"]
grantControls:
builtInControls: ["mfa"]
operator: "OR"
- name: "Enable-Identity-Protection-signin-risk-policies"
cisControl: "5.2.2.7"
description: "Enable Identity Protection sign-in risk policies"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
signInRiskLevels: ["medium", "high"]
grantControls:
builtInControls: ["mfa"]
operator: "OR"
- name: "Ensure-signin-risk-is-blocked-for-medium-and-high-risk"
cisControl: "5.2.2.8"
description: "Ensure 'sign-in risk' is blocked for medium and high risk"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
signInRiskLevels: ["medium", "high"]
grantControls:
builtInControls: ["block"]
operator: "OR"
- name: "Ensure-a-managed-device-is-required-for-authentication"
cisControl: "5.2.2.9"
description: "Ensure a managed device is required for authentication"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
grantControls:
builtInControls: ["compliantDevice", "domainJoinedDevice"]
operator: "OR"
- name: "Ensure-a-managed-device-is-required-to-register-securit"
cisControl: "5.2.2.10"
description: "Ensure a managed device is required to register security information"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeUserActions: ["urn:user:registersecurityinfo"]
users:
includeUsers: ["All"]
grantControls:
builtInControls: ["compliantDevice", "domainJoinedDevice"]
operator: "OR"
- name: "Ensure-signin-frequency-for-Intune-Enrollment-is-set-to"
cisControl: "5.2.2.11"
description: "Ensure sign-in frequency for Intune Enrollment is set to 'Every time'"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["0000000a-0000-0000-c000-000000000000"]
users:
includeUsers: ["All"]
grantControls:
builtInControls: ["mfa"]
operator: "OR"
sessionControls:
signInFrequency:
value: 12
type: hours
isEnabled: true
persistentBrowser:
mode: never
isEnabled: true
- name: "Ensure-the-device-code-signin-flow-is-blocked"
cisControl: "5.2.2.12"
description: "Ensure the device code sign-in flow is blocked"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
authenticationFlows:
deviceCodeFlow:
isEnabled: true
grantControls:
builtInControls: ["block"]
operator: "OR"
- name: "Ensure-that-periodic-reauthentication-is-required-for-a"
cisControl: "5.2.2.13"
description: "Ensure that periodic reauthentication is required for all users"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
grantControls:
builtInControls: ["mfa"]
operator: "OR"
- name: "Ensure-trusted-named-locations-are-defined"
cisControl: "5.2.2.14"
description: "Ensure trusted 'named locations' are defined"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
# TODO: Define named locations in Entra admin center
grantControls:
builtInControls: ["mfa"]
operator: "OR"
- name: "Ensure-exclusionary-geographic-access-controls-are-util"
cisControl: "5.2.2.15"
description: "Ensure exclusionary geographic access controls are utilized"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
# TODO: Define named locations in Entra admin center
grantControls:
builtInControls: ["mfa"]
operator: "OR"
- name: "Ensure-Token-Protection-is-enforced-for-session-tokens"
cisControl: "5.2.2.16"
description: "Ensure Token Protection is enforced for session tokens"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
grantControls:
builtInControls: ["mfa"]
operator: "OR"
# TODO: Enable Token Protection via Authentication Strength policy
- name: "Ensure-authentication-transfer-is-blocked"
cisControl: "5.2.2.17"
description: "Ensure authentication transfer is blocked"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
grantControls:
builtInControls: ["block"]
operator: "OR"