release: v4.1.0 — restructure entry points, add CIS baselines, reporting tools and fzf hints

- Restructure launchers: Start-IntuneToolkit.ps1 moves to repo root; Start-HeadlessIntune.ps1 moves to Scripts/; TUI helper moves to Scripts/Private/ - Add AGENTS.md with project architecture, entry points, and security notes - Add CIS M365 baseline assets (CISM365-v7, M365-CIS-Rapid) and reporting scripts - Add Python reporting utilities (Export-SettingsReport, Export-AssignmentReport, Export-ObjectInventoryReport) and CA wizard helpers - Update Deploy-IntuneBaseline.ps1 with Merge conflict resolution, ReportPath, and optimized group loading - Update Initialize-IntuneAuth.ps1 with -RotateSecret and configurable secret expiry - Update Extensions for Settings Catalog definition auto-export - Update README with v4.1.0, new entry points and script catalog - Bump VERSION to 4.1.0 - Harden .gitignore against .DS_Store, __pycache__, .venv-pdf/, local exports, Settings.json and IntuneManagement.log
2026-06-14 15:24:42 +02:00
parent e333af978c
commit d3e0769799
30 changed files with 8711 additions and 175 deletions
@@ -0,0 +1,234 @@
+@{
+    # =====================================================================
+    # CIS M365 Rapid Baseline Configuration
+    # =====================================================================
+    # This file defines the desired state for a new/greenfield tenant.
+    # Edit values before running Deploy-CISM365RapidBaseline.ps1.
+    #
+    # IMPORTANT: This baseline is designed for NEW or NEWLY-ACQUIRED tenants.
+    #            On an established tenant, some changes may impact users.
+    # =====================================================================
+
+    Tenant = @{
+        # Your tenant's initial .onmicrosoft.com domain
+        TenantDomain         = 'contoso.onmicrosoft.com'
+
+        # SharePoint admin center URL
+        SharePointAdminUrl   = 'https://contoso-admin.sharepoint.com'
+
+        # License profile: E3 | E5 | E3+P2
+        # Determines whether P2-only features (Identity Protection, PIM) are configured
+        LicenseProfile       = 'E3'
+    }
+
+    # =====================================================================
+    # Section 5: Entra ID (Identity)
+    # =====================================================================
+    EntraID = @{
+        # 1.3.1 - Password expiration policy
+        PasswordExpiration   = 'NeverExpire'   # NeverExpire | 90Days | 180Days
+
+        # 5.2.3.2 - Custom banned password list
+        BannedPasswords      = @('Contoso', 'Contoso1', 'Password', 'Welcome')
+
+        # 5.1.2.3 - Restrict non-admin users from creating tenants
+        BlockTenantCreation  = $true
+
+        # 5.1.2.6 - Disable LinkedIn account connections
+        DisableLinkedIn      = $true
+
+        # 5.1.2.2 - Disallow third-party integrated applications (user consent)
+        # Note: Set to $true for strict CIS compliance. May break some SaaS integrations.
+        BlockUserConsent     = $true
+
+        # 5.1.4.2 - Maximum devices per user
+        MaxDevicesPerUser    = 5
+
+        # 5.1.4.3 - Do not add GA role as local admin during Entra join
+        GALocalAdminDisabled = $true
+
+        # 5.2.3.1 - Microsoft Authenticator: protect against MFA fatigue
+        MFAFatigueProtection = $true
+
+        # Emergency access accounts (break-glass) - used for CA policy exclusions
+        BreakGlassAccounts   = @(
+            'breakglass1@contoso.onmicrosoft.com'
+            'breakglass2@contoso.onmicrosoft.com'
+        )
+    }
+
+    # =====================================================================
+    # Section 5.2.2: Conditional Access Policies
+    # =====================================================================
+    ConditionalAccess = @(
+        @{
+            Name        = 'CIS-Block-Legacy-Auth'
+            Description = 'CIS 5.2.2.3 - Block legacy authentication protocols'
+            Enabled     = $true
+            State       = 'enabled'
+            Conditions  = @{
+                Applications = @{ IncludeApplications = @('All') }
+                Users        = @{ IncludeUsers = @('All'); ExcludeUsers = @() }
+                ClientAppTypes = @('exchangeActiveSync', 'other')
+            }
+            GrantControls = @{
+                BuiltInControls = @('block')
+                Operator        = 'OR'
+            }
+        }
+        @{
+            Name        = 'CIS-Require-MFA-Admins'
+            Description = 'CIS 5.2.2.1 - Require MFA for all users in administrative roles'
+            Enabled     = $true
+            State       = 'enabled'
+            Conditions  = @{
+                Applications = @{ IncludeApplications = @('All') }
+                Users        = @{ IncludeUsers = @('All'); ExcludeRoles = @('62e90394-69f5-4237-9190-012177145e10') } # Exclude Global Admin if using PIM
+            }
+            GrantControls = @{
+                BuiltInControls = @('mfa')
+                Operator        = 'OR'
+            }
+        }
+        @{
+            Name        = 'CIS-Require-MFA-All-Users'
+            Description = 'CIS 5.2.2.2 - Require MFA for all users'
+            Enabled     = $true
+            State       = 'enabled'
+            Conditions  = @{
+                Applications = @{ IncludeApplications = @('All') }
+                Users        = @{ IncludeUsers = @('All'); ExcludeUsers = @() }
+                Locations    = @{ IncludeLocations = @('AllTrusted') } # Requires named locations
+            }
+            GrantControls = @{
+                BuiltInControls = @('mfa')
+                Operator        = 'OR'
+            }
+        }
+        @{
+            Name        = 'CIS-Block-Device-Code-Flow'
+            Description = 'CIS 5.2.2.12 - Block device code sign-in flow'
+            Enabled     = $true
+            State       = 'enabled'
+            Conditions  = @{
+                Applications   = @{ IncludeApplications = @('All') }
+                Users          = @{ IncludeUsers = @('All'); ExcludeUsers = @() }
+                AuthenticationFlows = @{ IncludeAuthenticationFlows = @('deviceCode') }
+            }
+            GrantControls = @{
+                BuiltInControls = @('block')
+                Operator        = 'OR'
+            }
+        }
+        @{
+            Name        = 'CIS-Block-High-Risk-SignIns'
+            Description = 'CIS 5.2.2.8 - Block sign-ins with medium/high risk (requires P2)'
+            Enabled     = $true
+            State       = 'enabledForReportingButNotEnforced'  # Set to 'enabled' after validation
+            Conditions  = @{
+                Applications = @{ IncludeApplications = @('All') }
+                Users        = @{ IncludeUsers = @('All'); ExcludeUsers = @() }
+                SignInRiskLevels = @('high', 'medium')
+            }
+            GrantControls = @{
+                BuiltInControls = @('block')
+                Operator        = 'OR'
+            }
+        }
+    )
+
+    # =====================================================================
+    # Section 2: Microsoft Defender for Office 365
+    # =====================================================================
+    Defender = @{
+        # 2.1.1 - Safe Links for Office Applications
+        SafeLinks = @{
+            Name              = 'CIS-SafeLinks-Default'
+            Enabled           = $true
+            TrackClicks       = $true
+            AllowClickThrough = $false
+            ScanUrls          = $true
+            EnableForInternalSenders = $true
+        }
+
+        # 2.1.4 - Safe Attachments
+        SafeAttachments = @{
+            Name       = 'CIS-SafeAttachments-Default'
+            Enabled    = $true
+            Action     = 'Block'   # Block | DynamicDelivery | Monitor
+            QuarantineMessages = $true
+        }
+
+        # 2.1.2 - Common Attachment Types Filter (built into anti-malware)
+        AntiMalware = @{
+            Name                  = 'CIS-AntiMalware-Default'
+            Enabled               = $true
+            EnableInternalSenderNotifications = $true
+            FileTypes             = @('ace', 'ani', 'app', 'docm', 'exe', 'iso', 'jar', 'jnlp', 'msi', 'php', 'ps1', 'scr', 'vbs', 'wsf')
+        }
+
+        # Anti-Phish baseline
+        AntiPhish = @{
+            Name                          = 'CIS-AntiPhish-Default'
+            Enabled                       = $true
+            EnableMailboxIntelligence     = $true
+            EnableSpoofIntelligence       = $true
+            MailboxIntelligenceProtectionAction = 'Quarantine'
+            TargetedUserProtectionAction  = 'Quarantine'
+            TargetedDomainProtectionAction = 'Quarantine'
+        }
+    }
+
+    # =====================================================================
+    # Section 6: Exchange Online
+    # =====================================================================
+    Exchange = @{
+        # 6.2.1 - Block all forms of external mail forwarding
+        BlockExternalForwarding = $true
+
+        # 6.1.2 - Enable mailbox auditing organization-wide
+        EnableMailboxAudit      = $true
+
+        # 6.2.3 - Identify email from external senders (external sender banner)
+        EnableExternalSenderBanner = $true
+
+        # Transport rule: prepend external email warning
+        ExternalEmailWarning    = $true
+    }
+
+    # =====================================================================
+    # Section 7: SharePoint / OneDrive
+    # =====================================================================
+    SharePoint = @{
+        # 7.x - Default sharing link type
+        # Options: Direct, Internal, AnonymousAccess
+        DefaultSharingLinkType = 'Direct'   # Most restrictive = Direct (specific people only)
+
+        # 7.x - External sharing for SharePoint
+        SharePointExternalSharing = 'Disabled'   # Disabled | ExistingExternalUserSharingOnly | ExternalUserSharingOnly | Anyone
+
+        # 7.x - External sharing for OneDrive
+        OneDriveExternalSharing   = 'Disabled'   # Disabled | ExistingExternalUserSharingOnly | ExternalUserSharingOnly | Anyone
+
+        # Guest access expiration (days)
+        GuestAccessExpirationDays = 30
+    }
+
+    # =====================================================================
+    # Section 8: Microsoft Teams
+    # =====================================================================
+    Teams = @{
+        # 8.x - Allow anonymous users to join meetings
+        AllowAnonymousMeetingJoin = $false
+
+        # 8.x - Allow anonymous users to start meetings
+        AllowAnonymousMeetingStart = $false
+
+        # 8.x - Teams email integration
+        EnableEmailIntegration     = $false
+
+        # Federation / external access
+        AllowFederatedUsers        = $false
+        AllowTeamsConsumer         = $false
+    }
+}