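---
# =====================================================================
# CIS Microsoft 365 Foundations Benchmark v7.0.0 (Draft)
# Tenant-Level Baseline Manifest
# =====================================================================
# This YAML extends the OpenIntuneBaseline format to cover M365 tenant
# configuration: Entra ID, Conditional Access, Defender, Exchange,
# SharePoint, and Teams.
#
# HOW TO USE WITH A DRAFT PDF:
#   1. Copy this file to your own baseline (e.g., mytenant-cisv7.yaml).
#   2. As you read the CIS v7.0.0 PDF, transcribe controls into the
#      appropriate sections below. Each control has a 'cisControl' field
#      for traceability.
#   3. Customize names, exclusions, and groups for your tenant.
#   4. Run:
#      ./Scripts/Deploy-CISM365Baseline.ps1 -BaselinePath ./Baselines/mytenant-cisv7.yaml
#
# SAFETY:
#   - Conditional Access policies default to 'reportOnly: true' (globally)
#     and 'state: enabledForReportingButNotEnforced' (per-policy). Both
#     have to be changed before anything is actually enforced.
#   - The script also supports -WhatIf.
#   - The group named in 'conditionalAccess.breakGlassGroup' is excluded
#     from every CA policy by the script. The script creates that group
#     EMPTY: add your emergency-access accounts to it manually before
#     enforcing, keep its membership minimal, and alert on any sign-in
#     by those accounts (they bypass every CA control defined here).
#   - Review the report-only results (Entra sign-in logs / CA insights
#     workbook) after every change and before flipping to enforced.
# =====================================================================

baseline:
  name: CIS-M365-v7-Example
  # Skip leaves an existing policy with the same name untouched, so a
  # tenant can silently drift from this manifest; use Update to reconcile.
  conflictResolution: Skip  # Skip | Update | Error
  whatIf: false

  # -------------------------------------------------------------------
  # Global name mutation applied to every policy / CA rule (optional).
  # If the mutation also renames groups, 'breakGlassGroup' and every
  # group referenced in assignments must match the post-mutation name.
  # -------------------------------------------------------------------
  tenantMutation:
    search: "CIS-v7-"
    replace: "ACME-CIS-"
    # Alternatively use prefix instead of search/replace:
    # prefix: "ACME-CIS-"

# -------------------------------------------------------------------
# Cloud-only security groups (mirrors Intune baseline format).
# These are created if they do not exist and can be referenced
# in CA policy assignments by displayName.
# -------------------------------------------------------------------
groups:
  # Emergency-access group: excluded from every CA policy below.
  # Populate manually with the dedicated break-glass accounts only.
  - displayName: "CIS-BreakGlass"
    mailNickname: "CISBreakGlass"
    securityEnabled: true
  # Optional staged-rollout group (see excludeGroups in the CA policies).
  - displayName: "CIS-Pilot-Users"
    mailNickname: "CISPilotUsers"
    securityEnabled: true
  - displayName: "CIS-All-Company"
    mailNickname: "CISAllCompany"
    securityEnabled: true

# -------------------------------------------------------------------
# Intune policies (optional — reuses the exact same schema as
# OpenIntuneBaseline.example.yaml). Keep them here if you want a
# single manifest for the whole tenant.
# -------------------------------------------------------------------
policies: []
  # Example: reuse your existing Intune exports
  # - sourcePath: ./policies/CIS-Windows-Compliance.json
  #   type: CompliancePolicies
  #   assignments:
  #     - targetType: Group
  #       groupName: "CIS-All-Company"

# -------------------------------------------------------------------
# TENANT-LEVEL CONFIGURATION (new section)
# -------------------------------------------------------------------
tenantConfig:
  # ===============================================================
  # 1. M365 Admin Center (CIS Section 1)
  # ===============================================================
  adminCenter:
    # 1.3.1 (L1) Password expiration
    passwordExpiration: NeverExpire  # NeverExpire | 90Days | 180Days
    # 1.3.2 (L2) Idle session timeout (hours)
    idleSessionTimeoutHours: 3
    # 1.3.4 (L1) Restrict user owned apps and services
    restrictUserOwnedApps: true
    # 1.3.5 (L1) Internal phishing protection for Forms
    formsPhishingProtection: true
    # 1.3.6 (L2) Customer Lockbox
    customerLockbox: true
    # 1.3.7 (L2) Restrict third-party storage services
    restrictThirdPartyStorage: true

  # ===============================================================
  # 5. Entra ID (CIS Section 5)
  # ===============================================================
  entraId:
    # 5.1.1.1 (L1) Cloud-only administrative accounts
    # NOTE: Manual — script can only validate, not create accounts.
    # 5.1.1.3 (L1) Global admin count (2-4)
    # NOTE: Manual — script assesses only.
    # 5.1.2.2 (L2) Disallow third-party integrated applications
    # (blocks new user consent; already-consented apps need a separate review)
    blockUserConsent: true
    # 5.1.2.3 (L1) Restrict non-admin tenant creation
    blockTenantCreation: true
    # 5.1.2.4 (L1) Restrict access to Entra admin center
    restrictAdminCenterAccess: true
    # 5.1.2.6 (L2) Disable LinkedIn account connections
    disableLinkedIn: true
    # 5.1.3.1 (L1) Dynamic group for guest users
    # NOTE: Manual — requires tenant-specific query.
    # 5.1.4.2 (L1) Maximum devices per user
    maxDevicesPerUser: 5
    # 5.1.4.3 (L1) GA not added as local admin during Entra join
    gaLocalAdminDisabled: true
    # 5.2.3.2 (L1) Custom banned password list
    # These are placeholders. Replace "Contoso" with your organisation,
    # brand, product and site names — the list only adds value when it
    # contains tenant-specific terms.
    bannedPasswords:
      - "Contoso"
      - "Password"
      - "Welcome"
      - "Admin"
      - "Login"
    # 5.2.3.4 (L1) Ensure all member users are MFA capable
    # NOTE: Enforced via Conditional Access below.

  # ===============================================================
  # 5.2.2 Conditional Access (CIS Section 5.2.2)
  # ===============================================================
  # CRITICAL: All CA policies are created in REPORT-ONLY mode by
  # default. Flip 'reportOnly: false' AND each policy's 'state' to
  # 'enabled' only after you have validated traffic in the Entra
  # admin center. Never enforce without a populated break-glass group.
  # ===============================================================
  conditionalAccess:
    reportOnly: true                   # Global switch for all CA policies
    breakGlassGroup: "CIS-BreakGlass"  # Auto-excluded from every CA policy
    policies:
      # -----------------------------------------------------------
      # CIS 5.2.2.3 (L1) Block legacy authentication
      # Check the sign-in logs (client app = "Other clients" / EAS)
      # while in report-only mode to find devices that still rely on
      # basic auth before enforcing.
      # -----------------------------------------------------------
      - name: "Block-Legacy-Auth"
        cisControl: "5.2.2.3"
        description: "Block all legacy authentication protocols (EAS, basic auth)"
        state: enabledForReportingButNotEnforced  # enabled | enabledForReportingButNotEnforced | disabled
        conditions:
          applications:
            includeApplications: ["All"]
          users:
            includeUsers: ["All"]
            # breakGlassGroup is injected automatically by the script
          clientAppTypes: ["exchangeActiveSync", "other"]
        grantControls:
          builtInControls: ["block"]
          operator: "OR"

      # -----------------------------------------------------------
      # CIS 5.2.2.1 (L1) Require MFA for administrative roles
      # -----------------------------------------------------------
      - name: "Require-MFA-Admins"
        cisControl: "5.2.2.1"
        description: "Require MFA for all users assigned to administrative roles"
        state: enabledForReportingButNotEnforced
        conditions:
          applications:
            includeApplications: ["All"]
          users:
            includeRoles:
              - "Global Administrator"
              - "Privileged Role Administrator"
              - "Security Administrator"
              - "Exchange Administrator"
              - "SharePoint Administrator"
              - "Conditional Access Administrator"
              - "Application Administrator"
              - "Cloud Application Administrator"
              - "User Administrator"
              - "Helpdesk Administrator"
              - "Billing Administrator"
              - "Authentication Administrator"
              - "Password Administrator"
              - "Global Reader"
            excludeUsers: []  # Add break-glass UPNs here if not using breakGlassGroup
        grantControls:
          builtInControls: ["mfa"]
          operator: "OR"

      # -----------------------------------------------------------
      # CIS 5.2.2.2 (L1) Require MFA for all users
      # -----------------------------------------------------------
      - name: "Require-MFA-All-Users"
        cisControl: "5.2.2.2"
        description: "Require MFA for all user sign-ins"
        state: enabledForReportingButNotEnforced
        conditions:
          applications:
            includeApplications: ["All"]
          users:
            includeUsers: ["All"]
            excludeGroups: []  # e.g., ["CIS-Pilot-Users"] for staged rollout
          # No 'locations' condition on purpose: the control requires MFA
          # for every sign-in. A previous revision set
          # 'locations.includeLocations: ["AllTrusted"]', which scopes the
          # policy to sign-ins FROM trusted named locations and leaves all
          # other sign-ins (i.e. the public internet) without an MFA
          # requirement — the opposite of the intent. If trusted networks
          # must be carved out, that belongs in 'excludeLocations' and it
          # weakens this control.
        grantControls:
          builtInControls: ["mfa"]
          operator: "OR"

      # -----------------------------------------------------------
      # CIS 5.2.2.4 (L1) Sign-in frequency for admins
      # NOTE(review): earlier CIS editions set this control to a sign-in
      # frequency of 4 hours or less; confirm the v7.0.0 value before
      # relying on the 12 h below.
      # -----------------------------------------------------------
      - name: "Admin-SignIn-Frequency"
        cisControl: "5.2.2.4"
        description: "Require re-authentication every 12h for admins; no persistent browser"
        state: enabledForReportingButNotEnforced
        conditions:
          applications:
            includeApplications: ["All"]
          users:
            includeRoles:
              - "Global Administrator"
              - "Privileged Role Administrator"
              - "Security Administrator"
        sessionControls:
          signInFrequency:
            value: 12
            type: hours
            isEnabled: true
          persistentBrowser:
            mode: never
            isEnabled: true
        grantControls:
          builtInControls: ["mfa"]
          operator: "OR"

      # -----------------------------------------------------------
      # CIS 5.2.2.5 (L2) Phishing-resistant MFA for admins
      # Scope here is narrower than Require-MFA-Admins; consider using
      # the same role list so every privileged role gets the stronger
      # method, not just the three below.
      # -----------------------------------------------------------
      - name: "Require-PhishingResistant-MFA-Admins"
        cisControl: "5.2.2.5"
        description: "Require phishing-resistant MFA (FIDO2, certificate) for admins"
        state: enabledForReportingButNotEnforced
        conditions:
          applications:
            includeApplications: ["All"]
          users:
            includeRoles:
              - "Global Administrator"
              - "Privileged Role Administrator"
              - "Security Administrator"
        grantControls:
          # NOTE(review): the Microsoft Graph builtInControls enum has no
          # "authenticationStrength" value; Graph expresses this grant as
          # builtInControls: [] plus the authenticationStrength object.
          # Keep this form only if Deploy-CISM365Baseline.ps1 translates
          # it — verify against the script before enforcing.
          builtInControls: ["authenticationStrength"]
          authenticationStrength:
            id: "00000000-0000-0000-0000-000000000004"  # built-in "Phishing-resistant MFA" strength
          operator: "OR"

      # -----------------------------------------------------------
      # CIS 5.2.2.12 (L1) Block device code flow
      # Device code sign-in is also used legitimately by some CLI /
      # headless scenarios. Run report-only first and exclude any
      # identified identities via excludeGroups rather than disabling
      # the policy tenant-wide.
      # -----------------------------------------------------------
      - name: "Block-Device-Code-Flow"
        cisControl: "5.2.2.12"
        description: "Block sign-ins using the device code authentication flow"
        state: enabledForReportingButNotEnforced
        conditions:
          applications:
            includeApplications: ["All"]
          users:
            includeUsers: ["All"]
          authenticationFlows:
            deviceCodeFlow:
              isEnabled: true
              ruleType: "include"
        grantControls:
          builtInControls: ["block"]
          operator: "OR"

      # -----------------------------------------------------------
      # CIS 5.2.2.8 (L2) Block medium/high risk sign-ins
      # -----------------------------------------------------------
      - name: "Block-HighRisk-SignIns"
        cisControl: "5.2.2.8"
        description: "Block sign-ins with medium or high risk score (requires Entra ID P2)"
        state: enabledForReportingButNotEnforced
        conditions:
          applications:
            includeApplications: ["All"]
          users:
            includeUsers: ["All"]
          signInRiskLevels: ["medium", "high"]
        grantControls:
          builtInControls: ["block"]
          operator: "OR"

      # -----------------------------------------------------------
      # CIS 5.2.2.9 (L1) Require managed device
      # Applies to ALL users and ALL apps: any sign-in from a device
      # that is neither Intune-compliant nor hybrid-joined is blocked.
      # Guests/external users can never satisfy this (their devices are
      # not registered in this tenant), so exclude them (Graph:
      # excludeGuestsOrExternalUsers, if the script supports it) or
      # pilot via excludeGroups before enforcing.
      # -----------------------------------------------------------
      - name: "Require-Managed-Device"
        cisControl: "5.2.2.9"
        description: "Require device to be compliant or hybrid Entra joined"
        state: enabledForReportingButNotEnforced
        conditions:
          applications:
            includeApplications: ["All"]
          users:
            includeUsers: ["All"]
        grantControls:
          builtInControls: ["compliantDevice", "domainJoinedDevice"]
          operator: "OR"

      # -----------------------------------------------------------
      # CIS 5.2.2.10 (L1) Require managed device to register security info
      # Onboarding caveat: a new user without a managed device cannot
      # register MFA under this policy. Pair it with a Temporary Access
      # Pass or an onboarding exclusion group.
      # -----------------------------------------------------------
      - name: "Require-Managed-Device-Security-Info"
        cisControl: "5.2.2.10"
        description: "Require managed device when registering security information"
        state: enabledForReportingButNotEnforced
        conditions:
          applications:
            includeUserActions: ["urn:user:registersecurityinfo"]
          users:
            includeUsers: ["All"]
        grantControls:
          builtInControls: ["compliantDevice", "domainJoinedDevice"]
          operator: "OR"

  # ===============================================================
  # 2. Microsoft Defender for Office 365 (CIS Section 2)
  # ===============================================================
  defender:
    # 2.1.1 (L2) Safe Links for Office Applications
    # NOTE(review): the CIS check also covers Safe Links for Teams and
    # Office apps and "deliver message after scan"; confirm the deploy
    # script sets those or add the keys once its schema supports them.
    safeLinks:
      - name: "SafeLinks-Default"
        cisControl: "2.1.1"
        enabled: true
        trackClicks: true
        allowClickThrough: false
        scanUrls: true
        enableForInternalSenders: true
        # The script auto-creates a rule applying this to all accepted domains

    # 2.1.4 (L2) Safe Attachments
    safeAttachments:
      - name: "SafeAttachments-Default"
        cisControl: "2.1.4"
        enabled: true
        action: Block  # Block | DynamicDelivery | Monitor
        quarantineMessages: true

    # 2.1.2 (L1) Common Attachment Types Filter
    # This list is a starting point only; Microsoft's default filter list
    # is considerably broader (script, shortcut, HTA, container formats).
    # Compare with the EOP default and the CIS PDF before treating this
    # as compliant.
    antiMalware:
      - name: "AntiMalware-Default"
        cisControl: "2.1.2"
        enabled: true
        enableInternalNotifications: true
        fileTypes:
          - ace
          - ani
          - app
          - docm
          - exe
          - jar
          - jnlp
          - msi
          - ps1
          - scr
          - vbs
          - wsf
    # 2.1.3 (L1) Internal malware notifications
    # 2.4.4 (L1) Zero-hour auto purge for Teams

  # ===============================================================
  # 6. Exchange Online (CIS Section 6)
  # ===============================================================
  exchange:
    # 6.1.1 (L1) AuditDisabled organizationally set to False
    enableMailboxAuditOrgWide: true
    # 6.1.2 (L1) Mailbox audit actions configured
    # NOTE: Enabled automatically when org-wide auditing is on (above).
    # 6.2.1 (L1) Block all forms of external forwarding
    blockExternalForwarding: true
    # 6.2.2 (L1) Transport rules do not whitelist domains
    # NOTE: Manual review required.
    # 6.2.3 (L1) Identify email from external senders
    enableExternalSenderBanner: true
    # Transport rule: prepend external email warning
    externalEmailWarningRule: true

  # ===============================================================
  # 7. SharePoint / OneDrive (CIS Section 7)
  # ===============================================================
  sharePoint:
    # Default sharing link type
    defaultSharingLinkType: Direct  # Direct | Internal | AnonymousAccess
    # External sharing for SharePoint
    sharePointExternalSharing: Disabled  # Disabled | ExistingExternalUserSharingOnly | ExternalUserSharingOnly | Anyone
    # External sharing for OneDrive
    oneDriveExternalSharing: Disabled
    # Guest access expiration (days)
    guestAccessExpirationDays: 30
    # 7.x (L1) Prevent custom script execution
    # NOTE: Set via Set-PnPTenant -DenyAddAndCustomizePages 1
    # NOTE(review): DenyAddAndCustomizePages is normally a per-site
    # setting; confirm the cmdlet/scope the script actually uses.
    denyCustomScripts: true

  # ===============================================================
  # 8. Microsoft Teams (CIS Section 8)
  # ===============================================================
  teams:
    # 8.x Anonymous meeting join
    allowAnonymousUsersToJoinMeeting: false
    # 8.x Anonymous meeting start
    allowAnonymousUsersToStartMeeting: false
    # 8.x Teams email integration
    enableEmailIntegration: false
    # 8.x Federation / external access
    # false disables federation entirely; if business needs require it,
    # prefer an explicit allow-list of partner domains over open federation.
    allowFederatedUsers: false
    allowTeamsConsumer: false
    # 8.x Restrict unmanaged user access
    # NOTE: Controlled via Teams meeting policy; script sets Global.

  # ===============================================================
  # 3. Microsoft Purview (CIS Section 3)
  # ===============================================================
  # NOTE: DLP, sensitivity labels, and retention policies are
  # highly business-specific. Add them here as needed:
  #
  # purview:
  #   dlpPolicies:
  #     - name: "CIS-DLP-Default"
  #       ...

  # ===============================================================
  # 9. Power BI (CIS Section 9)
  # ===============================================================
  # NOTE: Power BI tenant settings are best managed via
  # Microsoft365DSC or direct Admin API calls. Add here if needed.

# ===============================================================
# NEW in v7.0.0 (expected)
# ===============================================================
# As you read the draft PDF, transcribe new controls into the
# appropriate sections above. Use the 'cisControl' field to
# preserve traceability (e.g., cisControl: "5.2.3.7").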