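@{
    # =====================================================================
    # CIS M365 Rapid Baseline Configuration
    # =====================================================================
    # This file defines the desired state for a new/greenfield tenant.
    # Edit values before running Deploy-CISM365RapidBaseline.ps1.
    #
    # IMPORTANT: This baseline is designed for NEW or NEWLY-ACQUIRED tenants.
    # On an established tenant, some changes may impact users.
    #
    # Format: a PowerShell data file (.psd1) - a single hashtable literal.
    # Only literals, @(), @{} and $true/$false/$null are used so the file can
    # be loaded with Import-PowerShellDataFile without executing code.
    # =====================================================================

    Tenant = @{
        # Your tenant's initial .onmicrosoft.com domain
        TenantDomain = 'contoso.onmicrosoft.com'

        # SharePoint admin center URL
        SharePointAdminUrl = 'https://contoso-admin.sharepoint.com'

        # License profile: E3 | E5 | E3+P2
        # Determines whether P2-only features (Identity Protection, PIM) are configured
        LicenseProfile = 'E3'
    }

    # =====================================================================
    # Section 5: Entra ID (Identity)
    # =====================================================================
    EntraID = @{
        # 1.3.1 - Password expiration policy
        PasswordExpiration = 'NeverExpire'   # NeverExpire | 90Days | 180Days

        # 5.2.3.2 - Custom banned password list
        BannedPasswords = @('Contoso', 'Contoso1', 'Password', 'Welcome')

        # 5.1.2.3 - Restrict non-admin users from creating tenants
        BlockTenantCreation = $true

        # 5.1.2.6 - Disable LinkedIn account connections
        DisableLinkedIn = $true

        # 5.1.2.2 - Disallow third-party integrated applications (user consent)
        # Note: Set to $true for strict CIS compliance. May break some SaaS integrations.
        BlockUserConsent = $true

        # 5.1.4.2 - Maximum devices per user
        MaxDevicesPerUser = 5

        # 5.1.4.3 - Do not add GA role as local admin during Entra join
        GALocalAdminDisabled = $true

        # 5.2.3.1 - Microsoft Authenticator: protect against MFA fatigue
        MFAFatigueProtection = $true

        # Emergency access accounts (break-glass) - used for CA policy exclusions.
        # Every ConditionalAccess entry below leaves ExcludeUsers empty; confirm that
        # Deploy-CISM365RapidBaseline.ps1 populates it from this list, otherwise add
        # these accounts to each policy's ExcludeUsers before deploying so a faulty
        # policy cannot lock every administrator out of the tenant.
        BreakGlassAccounts = @(
            'breakglass1@contoso.onmicrosoft.com'
            'breakglass2@contoso.onmicrosoft.com'
        )
    }

    # =====================================================================
    # Section 5.2.2: Conditional Access Policies
    # =====================================================================
    # Each entry is one policy. 'Conditions' and 'GrantControls' follow the
    # Microsoft Graph conditionalAccessPolicy shape (includeUsers / includeRoles /
    # excludeUsers, clientAppTypes, signInRiskLevels, ...). 'State' is the Graph
    # policy state; 'Enabled' is a baseline-level on/off switch for the entry.
    ConditionalAccess = @(
        @{
            Name        = 'CIS-Block-Legacy-Auth'
            Description = 'CIS 5.2.2.3 - Block legacy authentication protocols'
            Enabled     = $true
            State       = 'enabled'
            Conditions  = @{
                Applications   = @{ IncludeApplications = @('All') }
                Users          = @{ IncludeUsers = @('All'); ExcludeUsers = @() }
                ClientAppTypes = @('exchangeActiveSync', 'other')
            }
            GrantControls = @{
                BuiltInControls = @('block')
                Operator        = 'OR'
            }
        }
        @{
            Name        = 'CIS-Require-MFA-Admins'
            Description = 'CIS 5.2.2.1 - Require MFA for all users in administrative roles'
            Enabled     = $true
            State       = 'enabled'
            Conditions  = @{
                Applications = @{ IncludeApplications = @('All') }
                # Scope this policy to directory roles. The earlier shape
                # (IncludeUsers = All, ExcludeRoles = Global Administrator) required MFA
                # of everyone *except* Global Administrators - the opposite of 5.2.2.1.
                # PIM activation does not replace a sign-in MFA requirement for the role.
                # Add the template IDs of the other privileged roles used in this tenant
                # to IncludeRoles (<ROLE-TEMPLATE-ID> placeholders); confirm the deploy
                # script maps IncludeRoles as it does ExcludeRoles.
                Users = @{
                    IncludeUsers = @()
                    IncludeRoles = @('62e90394-69f5-4237-9190-012177145e10')   # Global Administrator
                    ExcludeUsers = @()
                }
            }
            GrantControls = @{
                BuiltInControls = @('mfa')
                Operator        = 'OR'
            }
        }
        @{
            Name        = 'CIS-Require-MFA-All-Users'
            Description = 'CIS 5.2.2.2 - Require MFA for all users'
            Enabled     = $true
            State       = 'enabled'
            Conditions  = @{
                Applications = @{ IncludeApplications = @('All') }
                Users        = @{ IncludeUsers = @('All'); ExcludeUsers = @() }
                # No location condition on purpose. The earlier
                # 'Locations = @{ IncludeLocations = @("AllTrusted") }' applied the
                # policy only to sign-ins *from* trusted locations, so sign-ins from
                # everywhere else needed no MFA. 5.2.2.2 applies to all locations; a
                # trusted-network carve-out, if ever wanted, belongs in ExcludeLocations
                # and reduces coverage.
            }
            GrantControls = @{
                BuiltInControls = @('mfa')
                Operator        = 'OR'
            }
        }
        @{
            Name        = 'CIS-Block-Device-Code-Flow'
            Description = 'CIS 5.2.2.12 - Block device code sign-in flow'
            Enabled     = $true
            State       = 'enabled'
            Conditions  = @{
                Applications        = @{ IncludeApplications = @('All') }
                Users               = @{ IncludeUsers = @('All'); ExcludeUsers = @() }
                AuthenticationFlows = @{ IncludeAuthenticationFlows = @('deviceCode') }
            }
            GrantControls = @{
                BuiltInControls = @('block')
                Operator        = 'OR'
            }
        }
        @{
            Name        = 'CIS-Block-High-Risk-SignIns'
            Description = 'CIS 5.2.2.8 - Block sign-ins with medium/high risk (requires P2)'
            Enabled     = $true
            # Report-only first: review the sign-in log for what *would* have been
            # blocked, then set to 'enabled'. Only effective with an Entra ID P2
            # license (see Tenant.LicenseProfile).
            State       = 'enabledForReportingButNotEnforced'
            Conditions  = @{
                Applications     = @{ IncludeApplications = @('All') }
                Users            = @{ IncludeUsers = @('All'); ExcludeUsers = @() }
                SignInRiskLevels = @('high', 'medium')
            }
            GrantControls = @{
                BuiltInControls = @('block')
                Operator        = 'OR'
            }
        }
    )

    # =====================================================================
    # Section 2: Microsoft Defender for Office 365
    # =====================================================================
    Defender = @{
        # 2.1.1 - Safe Links for Office Applications
        SafeLinks = @{
            Name                     = 'CIS-SafeLinks-Default'
            Enabled                  = $true
            TrackClicks              = $true
            AllowClickThrough        = $false   # users cannot bypass a blocked URL
            ScanUrls                 = $true
            EnableForInternalSenders = $true    # also rewrite links in internal mail
        }

        # 2.1.4 - Safe Attachments
        SafeAttachments = @{
            Name               = 'CIS-SafeAttachments-Default'
            Enabled            = $true
            Action             = 'Block'        # Block | DynamicDelivery | Monitor
            QuarantineMessages = $true
        }

        # 2.1.2 - Common Attachment Types Filter (built into anti-malware)
        AntiMalware = @{
            Name                              = 'CIS-AntiMalware-Default'
            Enabled                           = $true
            EnableInternalSenderNotifications = $true
            # Extensions rejected outright. Extend per tenant; removing entries weakens 2.1.2.
            FileTypes = @('ace', 'ani', 'app', 'docm', 'exe', 'iso', 'jar', 'jnlp', 'msi', 'php', 'ps1', 'scr', 'vbs', 'wsf')
        }

        # Anti-Phish baseline
        AntiPhish = @{
            Name                                = 'CIS-AntiPhish-Default'
            Enabled                             = $true
            EnableMailboxIntelligence           = $true
            EnableSpoofIntelligence             = $true
            MailboxIntelligenceProtectionAction = 'Quarantine'
            TargetedUserProtectionAction        = 'Quarantine'
            TargetedDomainProtectionAction      = 'Quarantine'
        }
    }

    # =====================================================================
    # Section 6: Exchange Online
    # =====================================================================
    Exchange = @{
        # 6.2.1 - Block all forms of external mail forwarding
        BlockExternalForwarding = $true

        # 6.1.2 - Enable mailbox auditing organization-wide
        EnableMailboxAudit = $true

        # 6.2.3 - Identify email from external senders (external sender banner)
        EnableExternalSenderBanner = $true

        # Transport rule: prepend external email warning
        ExternalEmailWarning = $true
    }

    # =====================================================================
    # Section 7: SharePoint / OneDrive
    # =====================================================================
    SharePoint = @{
        # 7.x - Default sharing link type
        # Options: Direct, Internal, AnonymousAccess
        DefaultSharingLinkType = 'Direct'   # Most restrictive = Direct (specific people only)

        # 7.x - External sharing for SharePoint
        SharePointExternalSharing = 'Disabled'   # Disabled | ExistingExternalUserSharingOnly | ExternalUserSharingOnly | Anyone

        # 7.x - External sharing for OneDrive
        # Must be at least as restrictive as SharePointExternalSharing.
        OneDriveExternalSharing = 'Disabled'     # Disabled | ExistingExternalUserSharingOnly | ExternalUserSharingOnly | Anyone

        # Guest access expiration (days)
        GuestAccessExpirationDays = 30
    }

    # =====================================================================
    # Section 8: Microsoft Teams
    # =====================================================================
    Teams = @{
        # 8.x - Allow anonymous users to join meetings
        AllowAnonymousMeetingJoin = $false

        # 8.x - Allow anonymous users to start meetings
        AllowAnonymousMeetingStart = $false

        # 8.x - Teams email integration
        EnableEmailIntegration = $false

        # Federation / external access
        AllowFederatedUsers = $false
        AllowTeamsConsumer  = $false
    }
}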