---
# Conditional Access baseline (CQRE-* policies) for an Entra ID tenant.
# NOTE(review): this document was reconstructed from a source collapsed onto a
# single line; the nesting of the three top-level keys (baseline, tenantConfig,
# policies) is inferred and should be confirmed against the deployment tool's
# schema before use.
baseline:
  name: Generated-ConditionalAccess-Baseline
  conflictResolution: Skip
  whatIf: false

tenantConfig:
  conditionalAccess:
    # Every policy below has `state: enabled`; with reportOnly false the
    # baseline enforces on first apply rather than logging what it would do.
    reportOnly: false
    # NOTE(review): no policy in this file carries an excludeUsers /
    # excludeGroups entry, so emergency access depends entirely on the tool
    # applying this group as an exclusion to every policy (in particular the
    # block policies CA0901, CA0902, CA0903, CA1904, CA2902). Confirm that
    # behaviour before deploying.
    breakGlassGroup: CQRE-BreakGlass

policies:
  # --- Baseline hardening for all users -------------------------------------
  - name: CQRE-CA0901-AllUsers-AllApps-BlockLegacyAuth
    description: Block all legacy authentication protocols
    state: enabled
    conditions:
      applications:
        includeApplications:
          - All
      users:
        includeUsers:
          - All
      # Legacy protocols surface as these two client app types.
      clientAppTypes:
        - exchangeActiveSync
        - other
    grantControls:
      builtInControls:
        - block
      operator: OR

  - name: CQRE-CA1901-AllUsers-SecurityInfo-RequireTrustedLocation
    # NOTE(review): the description mentions a trusted location, but the
    # policy has no locations condition; only the device-based grants below
    # actually gate security-info registration.
    description: Require trusted location or managed device to register security info
    state: enabled
    conditions:
      applications:
        includeUserActions:
          - 'urn:user:registersecurityinfo'
      users:
        includeUsers:
          - All
    grantControls:
      builtInControls:
        - compliantDevice
        - domainJoinedDevice
      operator: OR

  - name: CQRE-CA0902-AllUsers-AllApps-BlockUnsupportedPlatforms
    description: Block sign-ins from unknown or unsupported device platforms
    state: enabled
    conditions:
      applications:
        includeApplications:
          - All
      users:
        includeUsers:
          - All
      # Everything not listed under excludePlatforms is blocked; linux is not
      # excluded here, so Linux sign-ins appear to fall under the block —
      # confirm this is intended.
      platforms:
        includePlatforms:
          - all
        excludePlatforms:
          - android
          - iOS
          - windows
          - macOS
    grantControls:
      builtInControls:
        - block
      operator: OR

  - name: CQRE-CA0903-AllUsers-AllApps-BlockDeviceCodeFlow
    description: Block device-code authentication flow
    state: enabled
    conditions:
      applications:
        includeApplications:
          - All
      users:
        includeUsers:
          - All
      # NOTE(review): this shape (deviceCodeFlow.isEnabled) differs from the
      # Graph conditionalAccessAuthenticationFlows representation; presumably
      # it is the deployment tool's own schema — verify it is honoured.
      authenticationFlows:
        deviceCodeFlow:
          isEnabled: true
    grantControls:
      builtInControls:
        - block
      operator: OR

  - name: CQRE-CA1902-AllUsers-AllApps-RequireMFAUntrusted
    # NOTE(review): CA1904 below blocks the same scope (All users, All apps,
    # all non-trusted locations) outright, so the MFA grant here is effectively
    # unreachable while both policies are enabled.
    description: Require MFA only from untrusted locations
    state: enabled
    conditions:
      applications:
        includeApplications:
          - All
      users:
        includeUsers:
          - All
      locations:
        includeLocations:
          - All
        excludeLocations:
          - AllTrusted
    grantControls:
      builtInControls:
        - mfa
      operator: OR

  - name: CQRE-CA1903-AllUsers-AllApps-RequireCompliantDevice
    # NOTE(review): `includeUsers: All` also covers guests; if guest devices
    # cannot satisfy compliantDevice/domainJoinedDevice, the guest policies
    # CA3901/CA3902 may never be reached — confirm the intended guest path.
    description: Require compliant or hybrid-joined device for all users
    state: enabled
    conditions:
      applications:
        includeApplications:
          - All
      users:
        includeUsers:
          - All
    grantControls:
      builtInControls:
        - compliantDevice
        - domainJoinedDevice
      operator: OR

  - name: CQRE-CA1904-AllUsers-AllApps-BlockUntrustedLocations
    # Hard block for every user outside a trusted named location; a mistake in
    # the trusted-location definitions locks the whole tenant out, so this is
    # the policy most in need of a break-glass exclusion and a report-only pass.
    description: Block sign-ins from untrusted locations
    state: enabled
    conditions:
      applications:
        includeApplications:
          - All
      users:
        includeUsers:
          - All
      locations:
        includeLocations:
          - All
        excludeLocations:
          - AllTrusted
    grantControls:
      builtInControls:
        - block
      operator: OR

  # --- Risk-based policies ---------------------------------------------------
  - name: CQRE-CA0904-AllUsers-AllApps-RequireMFAForRiskySignIns
    description: Require MFA for medium/high risk sign-ins
    state: enabled
    conditions:
      applications:
        includeApplications:
          - All
      users:
        includeUsers:
          - All
      signInRiskLevels:
        - medium
        - high
    grantControls:
      builtInControls:
        - mfa
      operator: OR

  - name: CQRE-CA0905-AllUsers-AllApps-ForcePasswordChangeHighRiskUsers
    # NOTE(review): Entra normally requires passwordChange to be paired with
    # mfa under operator AND; verify the tool/tenant accepts passwordChange on
    # its own with OR, otherwise this policy may be rejected on apply.
    description: Force password change for high-risk users
    state: enabled
    conditions:
      applications:
        includeApplications:
          - All
      users:
        includeUsers:
          - All
      userRiskLevels:
        - high
    grantControls:
      builtInControls:
        - passwordChange
      operator: OR

  - name: CQRE-CA0906-AllUsers-AllApps-BlockInsiderRisk
    description: Block sessions flagged by Purview Insider Risk
    state: enabled
    conditions:
      applications:
        includeApplications:
          - All
      users:
        includeUsers:
          - All
      insiderRiskLevels:
        - elevated
    grantControls:
      builtInControls:
        - block
      operator: OR

  # --- Administrator policies (shared role scope) ----------------------------
  - name: CQRE-CA2901-Admins-AllApps-RequireCompliantDevice
    description: Administrators must use compliant or hybrid-joined devices
    state: enabled
    conditions:
      applications:
        includeApplications:
          - All
      users:
        # Anchored so CA2902 and CA2903 target exactly the same role set.
        includeRoles: &privileged_admin_roles
          - Global Administrator
          - Privileged Role Administrator
          - Security Administrator
          - Exchange Administrator
          - SharePoint Administrator
          - Conditional Access Administrator
          - Application Administrator
          - Cloud Application Administrator
          - User Administrator
          - Helpdesk Administrator
          - Billing Administrator
          - Authentication Administrator
          - Password Administrator
    grantControls:
      builtInControls:
        - compliantDevice
        - domainJoinedDevice
      operator: OR

  - name: CQRE-CA2902-Admins-AllApps-BlockUntrustedLocations
    description: Administrators can only sign in from trusted locations
    state: enabled
    conditions:
      applications:
        includeApplications:
          - All
      users:
        includeRoles: *privileged_admin_roles
      locations:
        includeLocations:
          - All
        excludeLocations:
          - AllTrusted
    grantControls:
      builtInControls:
        - block
      operator: OR

  - name: CQRE-CA2903-Admins-AllApps-NoPersistentSession
    description: No persistent browser sessions for admins; re-auth every 12h
    state: enabled
    conditions:
      applications:
        includeApplications:
          - All
      users:
        includeRoles: *privileged_admin_roles
    grantControls:
      builtInControls:
        - mfa
      operator: OR
    sessionControls:
      signInFrequency:
        value: 12
        type: hours
        isEnabled: true
      persistentBrowser:
        mode: never
        isEnabled: true

  # --- Guest / external user policies ----------------------------------------
  - name: CQRE-CA3901-Guests-AllApps-RequireMFA
    description: Require MFA for guest and external users
    state: enabled
    conditions:
      applications:
        includeApplications:
          - All
      users:
        includeGuestsOrExternalUsers:
          guestTypes:
            - internalGuest
            - b2bCollaborationGuest
            - b2bCollaborationMember
            - b2bDirectConnectUser
          externalTenants:
            membershipKind: all
    grantControls:
      builtInControls:
        - mfa
      operator: OR

  - name: CQRE-CA3902-Guests-AllApps-RequireTermsOfUse
    description: Require guests to accept terms of use
    state: enabled
    conditions:
      applications:
        includeApplications:
          - All
      users:
        includeGuestsOrExternalUsers:
          guestTypes:
            - internalGuest
            - b2bCollaborationGuest
            - b2bCollaborationMember
            - b2bDirectConnectUser
          externalTenants:
            membershipKind: all
    grantControls:
      builtInControls:
        - termsOfUse
      operator: OR

  # --- Application-scoped policies -------------------------------------------
  - name: CQRE-CA4901-AllUsers-O365-AppEnforcedRestrictions
    description: Enforce application restrictions for Office 365
    state: enabled
    conditions:
      applications:
        includeApplications:
          - Office365
      users:
        includeUsers:
          - All
    grantControls:
      builtInControls:
        - mfa
      operator: OR
    sessionControls:
      applicationEnforcedRestrictions:
        isEnabled: true

  - name: CQRE-CA4902-AllUsers-AzureMgmt-RequireMFA
    description: Require MFA for Azure management portal
    state: enabled
    conditions:
      applications:
        # Application IDs are quoted so no tooling can re-type them.
        includeApplications:
          - '797f4846-ba00-4fd7-ba43-dac1f8f63013'
      users:
        includeUsers:
          - All
    grantControls:
      builtInControls:
        - mfa
      operator: OR

  - name: CQRE-CA4903-AllUsers-AdminPortals-RequireMFA
    description: Require MFA for Microsoft admin portals
    state: enabled
    conditions:
      applications:
        # Application IDs are quoted so no tooling can re-type them; the first
        # entry is the same ID targeted by CA4902.
        includeApplications:
          - '797f4846-ba00-4fd7-ba43-dac1f8f63013'
          - 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c'
          - '1b730954-1685-4b74-9bfd-dac224a7b894'
          - '00000003-0000-0ff1-ce00-000000000000'
          - '00000003-0000-0000-c000-000000000000'
          - 'de8bc8b5-d9f9-48b1-a8ad-b748da725064'
          - '00000002-0000-0ff1-ce00-000000000000'
          - '66a88757-258c-4c72-893c-3e8bed4d6899'
      users:
        includeUsers:
          - All
    grantControls:
      builtInControls:
        - mfa
      operator: OR