release: v4.1.0 — restructure entry points, add CIS baselines, reporting tools and fzf hints
- Restructure launchers: Start-IntuneToolkit.ps1 moves to repo root; Start-HeadlessIntune.ps1 moves to Scripts/; TUI helper moves to Scripts/Private/
- Add AGENTS.md with project architecture, entry points, and security notes
- Add CIS M365 baseline assets (CISM365-v7, M365-CIS-Rapid) and reporting scripts
- Add Python reporting utilities (Export-SettingsReport, Export-AssignmentReport, Export-ObjectInventoryReport) and CA wizard helpers
- Update Deploy-IntuneBaseline.ps1 with Merge conflict resolution, ReportPath, and optimized group loading
- Update Initialize-IntuneAuth.ps1 with -RotateSecret and configurable secret expiry
- Update Extensions for Settings Catalog definition auto-export
- Update README with v4.1.0, new entry points and script catalog
- Bump VERSION to 4.1.0
- Harden .gitignore against .DS_Store, __pycache__, .venv-pdf/, local exports, Settings.json and IntuneManagement.log
@@ -0,0 +1,172 @@
# CIS M365 Rapid Baseline

> **Goal:** Take a new or newly-acquired tenant from zero to ~80% CIS M365 Foundations compliance in hours, not weeks.

Your existing `IntuneManagement` toolkit already handles **Section 4 (Intune)** of the CIS benchmark. This complements it with the tenant-level workloads: Entra ID, Conditional Access, Defender, Exchange, SharePoint, and Teams.

---

## The Reality Check

There is no single "Install-CIS-M365" command. The benchmark has **140 controls** across **9 sections**, and many are:
- **Assessment-only** (e.g., "Ensure 2–4 global admins exist" — a script can't decide who your admins should be)
- **License-dependent** (Identity Protection risk policies require Entra ID P2)
- **Tenant-specific** (Conditional Access exclusions, emergency access accounts, accepted domains)

**This baseline automates the ~40 highest-impact controls that are safe to script on a greenfield tenant.** The rest require human judgment.

---

## Prerequisites

```powershell
# PowerShell 7+ is strongly recommended
$PSVersionTable.PSVersion

# Install dependencies
Install-Module Microsoft.Graph -Scope CurrentUser -Force
Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force
Install-Module PnP.PowerShell -Scope CurrentUser -Force
Install-Module MicrosoftTeams -Scope CurrentUser -Force
```

**Permissions required:**
- Global Administrator (to create policies and grant consent)
- Or: combination of Privileged Role Administrator + Exchange Administrator + SharePoint Administrator + Teams Administrator

---

## The Fastest Path (Recommended Workflow)

### Step 0: Customize the config

Edit `CISM365-RapidBaseline.psd1`:
- Set your `TenantDomain` and `SharePointAdminUrl`
- Add your **break-glass emergency access accounts** to `BreakGlassAccounts`
- Adjust `ConditionalAccess` policies to reference your actual admin roles/groups
- Review `SharePointExternalSharing` — `Disabled` is most secure but may break planned collaboration
- Review `BlockUserConsent` — `true` is CIS-compliant but may break SaaS integrations

### Step 1: Assess (read-only)

```powershell
cd Baselines/M365-CIS-Rapid

# Default: assess everything, make zero changes
./Deploy-CISM365RapidBaseline.ps1
```

Review the CSV report. It tells you exactly what's wrong and how to fix it.

### Step 2: Deploy the easy wins

```powershell
# Deploy with WhatIf first (simulates changes without applying)
./Deploy-CISM365RapidBaseline.ps1 -Mode Deploy -WhatIf

# If satisfied, apply for real
./Deploy-CISM365RapidBaseline.ps1 -Mode Deploy -Apply -Verbose
```

### Step 3: Create Conditional Access policies manually

**This script intentionally does NOT auto-create Conditional Access policies.** CA misconfiguration can lock everyone out of the tenant, including you.

Use the assessment output as a checklist and create them in the Entra admin center:
1. **CIS-Block-Legacy-Auth** — Block all legacy auth protocols
2. **CIS-Require-MFA-Admins** — Require MFA for all admin roles
3. **CIS-Require-MFA-All-Users** — Require MFA for all users
4. **CIS-Block-Device-Code-Flow** — Block device code authentication
5. **CIS-Block-High-Risk-SignIns** — Block medium/high risk sign-ins (requires P2)

> **Pro tip:** Set new CA policies to `enabledForReportingButNotEnforced` for 24 hours before flipping to `enabled`. This lets you verify they don't block legitimate access.

### Step 4: Run a full CIS assessment

```powershell
# Install the comprehensive CIS assessment module
Install-Module CIS-M365-Benchmark -Scope CurrentUser -Force

Connect-CISM365Benchmark
Invoke-CISM365Benchmark -ProfileLevel L1 -ExcludeSections Intune
```

This checks all 140 controls and produces an HTML report with remediation steps for the remaining gaps.

### Step 5: Ongoing governance (optional but recommended)

For drift detection and continuous enforcement, introduce **Microsoft365DSC**:

```powershell
Install-Module Microsoft365DSC -Force
Update-M365DSCDependencies

# Export your now-hardened tenant as code
Export-M365DSCConfiguration -Workloads @("AAD","EXO","SPO","Teams") -Path ./m365-golden
```

Store that golden configuration in Git and run it through a pipeline weekly.

---

## What This Script Covers

| CIS Section | Controls Automated | Notes |
|-------------|-------------------|-------|
| **5.1** M365 Admin Center | Password expiration, tenant creation block, device quota, user consent | |
| **5.2.2** Conditional Access | Assessment only (safe by design) | Manual creation recommended |
| **5.2.3** Auth Methods | Banned password list | |
| **2.1** Defender | Safe Links, Safe Attachments, Anti-malware | Creates policy + rule |
| **6.1/6.2** Exchange | Mailbox auditing, external forwarding block | Transport rule |
| **7.x** SharePoint | External sharing restrictions | SPO + OneDrive |
| **8.x** Teams | Anonymous meeting restrictions, federation | Global policy |

**What it does NOT cover (requires human judgment):**
- Admin role assignments (how many GAs, who are they)
- Emergency access accounts (you must create these first)
- PIM configuration (requires P2, approval workflows)
- DMARC/DKIM/SPF records (DNS-level, not tenant-level)
- DLP policies (business-specific)
- Sensitivity labels (business-specific)
- Intune device policies (use your existing toolkit)

---

## Safety Features

- **`-Mode Assess` is the default.** Nothing changes unless you explicitly say `-Mode Deploy -Apply`.
- **`-WhatIf` is supported.** Use it to preview every change.
- **Break-glass exclusion.** The CA assessment template references `BreakGlassAccounts` — make sure these exist and are excluded from MFA/Compliance policies before enabling them.
- **Modular workloads.** Use `-Workloads` to target only one area at a time.

---

## Newly-Acquired vs. New Tenant

| Scenario | Approach |
|----------|----------|
| **Brand new tenant** (no users yet) | Run `-Mode Deploy -Apply` freely. Then create CA policies. |
| **Newly-acquired tenant** (has users, mailboxes, existing config) | Run `-Mode Assess` first. Review EVERY failed control for business impact before deploying. Some changes (e.g., disabling external sharing, blocking user consent) can break existing workflows. |

---

## Alternatives Considered

| Tool | Best For | Why We Didn't Use It As Primary |
|------|----------|--------------------------------|
| **Microsoft365DSC** | Long-term governance, drift detection | Learning curve is too high for "as fast as possible"; better introduced after initial hardening |
| **CISA ScubaGear** | Federal compliance, audit evidence | Read-only assessment; no deployment capability |
| **CIS-M365-Benchmark** | Comprehensive 140-control assessment | Read-only; excellent for gap analysis after rapid deployment |
| **Maester** | CI/CD testing, continuous validation | Read-only; great for pipelines, not initial deployment |
| **CoreView / Inforcer** | MSP multi-tenant deployment | Commercial; not applicable if you want open-source/scripted |

---

## Next Steps

1. Customize `CISM365-RapidBaseline.psd1`
2. Run assess mode
3. Deploy the easy wins
4. Create CA policies manually with reporting mode
5. Run `CIS-M365-Benchmark` for the remaining gaps
6. Introduce `Microsoft365DSC` for ongoing governance
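Review bot: `-Workloads` (under Safety Features) and the CSV report (Step 1) are referenced without any documentation of the accepted workload names or the path the report is written to; add a short parameter/output section near "The Fastest Path" that lists the `-Workloads` values, the `-Mode` values, and where the CSV lands, so a reader can run one workload at a time as the text suggests. Secondary: every `Install-Module ... -Force` line in Prerequisites and Step 5 pulls the latest Gallery version unpinned, and the Step 5 line `Install-Module Microsoft365DSC -Force` also omits `-Scope CurrentUser` unlike the others; consider `-RequiredVersion` so the dependency set is reproducible and reviewable. Step 4 introduces the `CIS-M365-Benchmark` module with no link to its Gallery page or repository, so readers cannot check its provenance before installing it into an admin session.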