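---
# =====================================================================
# CIS Microsoft 365 Foundations Benchmark v7.0.0 (Draft)
# GENERATED from PDF — review before deploying
#
# Review notes:
#   - Everything here is staged, not enforced: baseline.whatIf,
#     conditionalAccess.reportOnly and every policy's `state` must all be
#     flipped before a control takes effect. Enforce one policy at a time
#     after checking the report-only results in the sign-in logs.
#   - Keys must be unique per mapping. Most YAML parsers keep only the LAST
#     duplicate and silently drop the earlier one, so repeated keys here
#     would discard security settings without any error.
#   - Indentation of this file was reconstructed from a rendered copy; the
#     nesting of `conditionalAccess` relative to `tenantConfig` could not be
#     verified — confirm against the deployer's schema before use.
# =====================================================================

baseline:
  name: CIS-M365-v7-Generated
  # Skip: an object that already exists in the tenant is left untouched
  # (no merge, no overwrite). Presumably matched by display name.
  conflictResolution: Skip
  whatIf: false

tenantMutation:
  # Presumably prepended to every object the deployer creates. If it is also
  # applied to the groups below, `conditionalAccess.breakGlassGroup` must
  # reference the prefixed name — confirm with the deployer.
  prefix: "CIS-v7-"

groups:
  # Created EMPTY. Conditional Access exclusions for an empty group protect
  # nothing: add the emergency access accounts from control 1.1.2 before any
  # CA policy is switched from report-only to enforced.
  - displayName: "CIS-BreakGlass"
    mailNickname: "CISBreakGlass"
    securityEnabled: true
  - displayName: "CIS-Pilot-Users"
    mailNickname: "CISPilotUsers"
    securityEnabled: true

tenantConfig:

  # ===============================================================
  # Section 1: adminCenter
  # ===============================================================
  adminCenter:
    # 1.1.2 (Manual): Ensure two emergency access accounts have been defined
    # TODO: Implement manually per PDF instructions — then add the accounts to CIS-BreakGlass
    # 1.1.3 (Automated): Ensure that between two and four global admins are designated
    # TODO: Map this control to YAML — see PDF for details
    # 1.1.4 (Automated): Ensure administrative accounts use licenses with a reduced application footprint
    # TODO: Map this control to YAML — see PDF for details
    # 1.2.1 (Automated): Ensure that only organizationally managed/approved public groups exist
    # TODO: Map this control to YAML — see PDF for details

    # 1.2.2: Ensure sign-in to shared mailboxes is blocked
    blockSharedMailboxSignIn: true
    # 1.3.1: Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'
    passwordExpiration: "NeverExpire"
    # 1.3.2: Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices
    idleSessionTimeoutHours: 3
    # 1.3.3: Ensure 'External sharing' of calendars is not available
    externalCalendarSharing: "Disabled"
    # 1.3.4: Ensure 'User owned apps and services' is restricted
    restrictUserOwnedApps: true
    # 1.3.5: Ensure internal phishing protection for Forms is enabled
    formsPhishingProtection: true
    # 1.3.6: Ensure the customer lockbox feature is enabled
    customerLockbox: true
    # 1.3.7: Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web'
    restrictThirdPartyStorage: true
    # 1.3.8 (Manual): Ensure that Sways cannot be shared with people outside of your organization
    # TODO: Implement manually per PDF instructions
    # 1.3.9: Ensure shared bookings pages are restricted to select users
    restrictSharedBookings: true

  # ===============================================================
  # Section 5: entraId
  # ===============================================================
  entraId:
    # 5.1.2.1 (Manual): Ensure 'Per-user MFA' is disabled
    # TODO: Implement manually per PDF instructions
    # 5.1.2.2: Ensure users cannot register applications
    # TODO: Map this control to YAML — see PDF for details.
    #   The generated file mapped this to `blockUserConsent`, which is the
    #   5.1.5.1 consent setting (and a duplicate key of it), not the
    #   app-registration setting (authorization policy
    #   defaultUserRolePermissions.allowedToCreateApps = false).
    # 5.1.2.3: Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
    blockTenantCreation: true
    # 5.1.2.4 (Manual): Ensure access to the Entra admin center is restricted
    # TODO: Implement manually per PDF instructions
    # 5.1.2.5 (Manual): Ensure the option to remain signed in is hidden
    # TODO: Implement manually per PDF instructions
    # 5.1.2.6 (Manual): Ensure 'LinkedIn account connections' is disabled
    # TODO: Implement manually per PDF instructions
    # 5.1.3.1: Ensure users cannot create security groups
    blockSecurityGroupCreation: true
    # 5.1.3.2 (Manual): Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes'
    # TODO: Implement manually per PDF instructions
    # 5.1.3.3 (Manual): Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
    # TODO: Implement manually per PDF instructions
    # 5.1.3.4: Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
    blockM365GroupCreation: true
    # 5.1.4.1: Ensure the ability to join devices to Entra is restricted
    restrictDeviceJoin: true
    # 5.1.4.2: Ensure the maximum number of devices per user is limited
    maxDevicesPerUser: 5
    # 5.1.4.3: Ensure the GA role is not added as a local administrator during Entra join
    gaLocalAdminDisabled: true
    # 5.1.4.4: Ensure local administrator assignment is limited during Entra join
    limitLocalAdminAssignment: true
    # 5.1.4.5: Ensure Local Administrator Password Solution is enabled
    enableLAPS: true
    # 5.1.4.6: Ensure users are restricted from recovering BitLocker keys
    restrictBitLockerRecovery: true
    # 5.1.5.1: Ensure user consent to apps accessing company data on their behalf is not allowed
    blockUserConsent: true
    # 5.1.5.2: Ensure the admin consent workflow is enabled
    enableAdminConsentWorkflow: true
    # 5.1.5.3: Ensure password addition is blocked for applications
    blockPasswordCredentials: true
    # 5.1.5.4: Ensure password lifetime for applications does not exceed 180 days
    maxPasswordLifetimeDays: 180
    # 5.1.5.5: Ensure new application passwords are system-generated
    systemGeneratedPasswords: true
    # 5.1.5.6: Ensure maximum certificate lifetime for applications does not exceed 180 days
    maxCertificateLifetimeDays: 180
    # 5.1.6.1: Ensure that collaboration invitations are sent to allowed domains only
    restrictCollaborationDomains: true
    # 5.1.6.2: Ensure that guest user access is restricted
    restrictGuestAccess: true
    # 5.1.6.3: Ensure guest user invitations are limited
    limitGuestInvitations: true
    # 5.1.8.1: Ensure that password hash sync is enabled for hybrid deployments
    # NOTE: Hybrid-only control — no effect in a cloud-only tenant
    enablePasswordHashSync: true
    # 5.2.3.1: Ensure Microsoft Authenticator is configured to protect against MFA fatigue
    authenticatorNumberMatching: true
    # 5.2.3.3 (Automated): Ensure password protection is enabled for on-prem Active Directory
    # NOTE: Hybrid-only control — requires on-premises Active Directory
    # 5.2.3.4: Ensure all member users are 'MFA capable'
    mfaCapableUsers: true
    # 5.2.3.5: Ensure weak authentication methods are disabled
    disableWeakAuthMethods: true
    # 5.2.3.6: Ensure system-preferred multifactor authentication is enabled
    systemPreferredMFA: true
    # 5.2.3.7: Ensure the email OTP authentication method is disabled
    disableEmailOTP: true
    # 5.2.3.8: Ensure that Account 'Lockout threshold' is '10' or less
    lockoutThreshold: 10
    # 5.2.3.9: Ensure that Account 'Lockout duration in seconds' is at least 60 seconds
    lockoutDurationSeconds: 60
    # 5.2.3.10: Ensure Microsoft Authenticator on companion applications is disabled
    disableAuthenticatorCompanionApps: true
    # 5.2.4.1 (Manual): Ensure 'Self service password reset enabled' is set to 'All'
    # TODO: Implement manually per PDF instructions
    # 5.2.4.2 (Manual): Ensure that 2 methods are required for password reset
    # TODO: Implement manually per PDF instructions
    # 5.2.4.3 (Manual): Ensure SSPR registration and authentication re-confirmation are required
    # TODO: Implement manually per PDF instructions
    # 5.2.4.4 (Manual): Ensure that users are notified on password resets
    # TODO: Implement manually per PDF instructions
    # 5.2.4.5 (Manual): Ensure all admins are notified when other admins reset their password
    # TODO: Implement manually per PDF instructions
    # 5.3.1: Ensure privileged role assignments are activated and not assigned
    pimRoleActivationRequired: true
    # 5.3.2: Ensure 'Access reviews' for guest users are configured
    accessReviewsForGuests: true
    # 5.3.3: Ensure 'Access reviews' for privileged roles are configured
    accessReviewsForPrivilegedRoles: true
    # 5.3.4: Ensure approval is required for Global Administrator role activation
    requireApprovalForGAActivation: true
    # 5.3.5: Ensure approval is required for Privileged Role Administrator activation
    requireApprovalForPRAActivation: true

  # ===============================================================
  # Section 6: exchange
  # ===============================================================
  exchange:
    # 6.1.1: Ensure 'AuditDisabled' organizationally is set to 'False'
    enableMailboxAuditOrgWide: true
    # 6.1.2: Ensure mailbox audit actions are configured
    configureMailboxAuditActions: true
    # 6.1.3: Ensure 'AuditBypassEnabled' is not enabled on mailboxes
    disableAuditBypass: true
    # 6.2.1: Ensure all forms of mail forwarding are blocked and/or disabled
    blockExternalForwarding: true
    # 6.2.2: Ensure mail transport rules do not whitelist specific domains
    noDomainWhitelistTransportRules: true
    # 6.2.3: Ensure email from external senders is identified
    enableExternalSenderBanner: true
    # 6.3.1: Ensure users installing Outlook add-ins is not allowed
    blockOutlookAddIns: true
    # 6.3.2: Ensure the ability to add personal email accounts and calendars is disabled
    disablePersonalEmailAccounts: true
    # 6.5.1: Ensure modern authentication for Exchange Online is enabled
    enableModernAuthExchange: true
    # 6.5.2: Ensure MailTips are enabled for end users
    enableMailTips: true
    # 6.5.3: Ensure additional storage providers are restricted in Outlook on the web
    restrictAdditionalStorageProviders: true
    # 6.5.4: Ensure SMTP AUTH is disabled
    # Inventory devices/apps that submit via SMTP AUTH (printers, scanners,
    # line-of-business mailers) before enforcing — they will stop sending.
    disableSMTPAuth: true
    # 6.5.5: Ensure Direct Send submissions are rejected
    rejectDirectSend: true

  # ===============================================================
  # Section 7: sharePoint
  # ===============================================================
  sharePoint:
    # 7.2.1: Ensure modern authentication for SharePoint applications is required
    requireModernAuthSharePoint: true
    # 7.2.2: Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
    enableAADB2BIntegration: true
    # 7.2.3: Ensure external content sharing is restricted
    # "Disabled" is stricter than the benchmark minimum and removes all
    # guest sharing; relax per PDF if B2B collaboration is required.
    sharePointExternalSharing: "Disabled"
    # 7.2.4: Ensure OneDrive content sharing is restricted
    oneDriveExternalSharing: "Disabled"
    # 7.2.5: Ensure that SharePoint guest users cannot share items they don't own
    preventGuestResharing: true
    # 7.2.6: Ensure SharePoint external sharing is restricted
    restrictSharePointExternalSharing: true
    # 7.2.7: Ensure link sharing is restricted in SharePoint and OneDrive
    restrictLinkSharing: true
    # 7.2.8: Ensure external sharing is restricted by security group
    restrictSharingBySecurityGroup: true
    # 7.2.9: Ensure guest access to a site or OneDrive will expire automatically
    guestAccessExpirationDays: 30
    # 7.2.10: Ensure reauthentication with verification code is restricted
    restrictReauthenticationVerificationCode: true
    # 7.2.11: Ensure the SharePoint default sharing link permission is set
    defaultSharingLinkPermission: "View"
    # 7.3.1: Ensure Office 365 SharePoint infected files are disallowed for download
    disallowInfectedFileDownload: true

  # ===============================================================
  # Section 8: teams
  # ===============================================================
  teams:
    # 8.1.1: Ensure external file sharing in Teams is enabled for only approved cloud storage services
    restrictExternalFileSharing: true
    # 8.1.2: Ensure users can't send emails to a channel email address
    blockChannelEmail: true
    # 8.2.1: Ensure external domains are restricted in the Teams admin center
    restrictExternalDomains: true
    # 8.2.2: Ensure communication with unmanaged Teams users is disabled
    disableUnmanagedUserCommunication: true
    # 8.2.3: Ensure external Teams users cannot initiate conversations
    blockExternalUserInitiation: true
    # 8.2.4: Ensure the organization cannot communicate with accounts in trial Teams tenants
    blockTrialTenantCommunication: true
    # 8.4.1 (Manual): Ensure app permission policies are configured
    # TODO: Implement manually per PDF instructions
    # 8.5.1: Ensure anonymous users can't join a meeting
    allowAnonymousUsersToJoinMeeting: false
    # 8.5.2: Ensure anonymous users and dial-in callers can't start a meeting
    allowAnonymousUsersToStartMeeting: false
    # 8.5.3: Ensure only people in my org can bypass the lobby
    orgOnlyBypassLobby: true
    # 8.5.4: Ensure users dialing in can't bypass the lobby
    dialInCantBypassLobby: true
    # 8.5.5: Ensure meeting chat does not allow anonymous users
    noAnonymousMeetingChat: true
    # 8.5.6: Ensure only organizers and co-organizers can present
    onlyOrganizersCanPresent: true
    # 8.5.7: Ensure external participants can't give or request control
    noExternalControl: true
    # 8.5.8: Ensure external meeting chat is off
    externalMeetingChatOff: true
    # 8.5.9: Ensure meeting recording is off by default
    meetingRecordingOffByDefault: true
    # 8.6.1: Ensure users can report security concerns in Teams
    enableSecurityConcernsReporting: true

  # ===============================================================
  # Section 9: powerBI
  # ===============================================================
  powerBI:
    # 9.1.1: Ensure guest user access is restricted
    restrictGuestAccess: true
    # 9.1.2: Ensure external user invitations are restricted
    restrictExternalInvitations: true
    # 9.1.3: Ensure guest access to content is restricted
    restrictGuestContentAccess: true
    # 9.1.4: Ensure 'Publish to web' is restricted
    restrictPublishToWeb: true
    # 9.1.5: Ensure 'Interact with and share R and Python' visuals is 'Disabled'
    disableRPythonVisuals: true
    # 9.1.6: Ensure 'Allow users to apply sensitivity labels for content' is 'Enabled'
    enableSensitivityLabels: true
    # 9.1.7: Ensure shareable links are restricted
    restrictShareableLinks: true
    # 9.1.8: Ensure enabling of external data sharing is restricted
    restrictExternalDataSharing: true
    # 9.1.9: Ensure 'Block ResourceKey Authentication' is 'Enabled'
    blockResourceKeyAuth: true
    # 9.1.10: Ensure access to APIs by service principals is restricted
    restrictServicePrincipalAPIAccess: true
    # 9.1.11: Ensure service principals cannot create and use profiles
    blockServicePrincipalProfiles: true
    # 9.1.12: Ensure service principals ability to create workspaces, connections and deployment pipelines is restricted
    restrictServicePrincipalWorkspaceCreation: true

  # ===============================================================
  # Section 3: purview
  # ===============================================================
  purview:
    # 3.1.1: Ensure Microsoft 365 audit log search is Enabled
    enableAuditLogSearch: true
    # 3.2.1 (Automated): Ensure DLP policies are enabled
    # TODO: Map this control to YAML — see PDF for details
    # 3.2.2 (Automated): Ensure DLP policies are enabled for Microsoft Teams
    # TODO: Map this control to YAML — see PDF for details
    # 3.2.3 (Automated): Ensure DLP policies are published for Copilot users
    # TODO: Map this control to YAML — see PDF for details
    # 3.3.1 (Automated): Ensure Information Protection sensitivity label policies are published
    # TODO: Map this control to YAML — see PDF for details

  # ===============================================================
  # Section 2: Defender for Office 365
  # ===============================================================
  defender:
    # 2.1.1: Ensure Safe Links for Office Applications is Enabled
    safeLinks:
      name: "SafeLinks-Default"
      enabled: true
      trackClicks: true
      allowClickThrough: false
      scanUrls: true
      enableForInternalSenders: true

    # 2.1.2:  Ensure the Common Attachment Types Filter is enabled
    # 2.1.3:  Ensure notifications for internal users sending malware is Enabled
    # 2.1.11: Ensure comprehensive attachment filtering is applied
    # All three controls configure the same anti-malware policy, so they share
    # ONE `antiMalware` key. (A second `antiMalware` key would silently replace
    # this one, dropping the file-type filter.)
    antiMalware:
      name: "AntiMalware-Default"
      enabled: true
      enableFileFilter: true
      # TODO (2.1.11): extend to the full extension list in the PDF — this is
      # only the short default set.
      fileTypes: ["ace", "ani", "app", "docm", "exe", "jar", "jnlp", "msi", "ps1", "scr", "vbs", "wsf"]
      enableInternalNotifications: true

    # 2.1.4: Ensure Safe Attachments policy is enabled
    # 2.1.5: Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
    # One policy for both controls — same duplicate-key caveat as antiMalware.
    safeAttachments:
      name: "SafeAttachments-Default"
      enabled: true
      action: "Block"
      quarantineMessages: true
      enableForSharePoint: true
      enableForTeams: true

    # 2.1.6: Ensure Exchange Online Spam Policies are set to notify administrators
    antiSpam:
      name: "AntiSpam-Notify-Admins"
      enabled: true
      notifyAdmins: true

    # 2.1.7: Ensure that an anti-phishing policy has been created
    antiPhish:
      name: "AntiPhish-Default"
      enabled: true
      enableMailboxIntelligence: true
      enableSpoofIntelligence: true
      mailboxIntelligenceProtectionAction: "Quarantine"

    # 2.1.8 (Automated): Ensure that SPF records are published for all Exchange Domains
    # NOTE: DNS-level control — publish the TXT record at the DNS provider
    # 2.1.9 (Automated): Ensure that DKIM is enabled for all Exchange Online Domains
    # NOTE: Two parts — the selector CNAMEs go in DNS, but signing itself is
    #   enabled per domain in Exchange Online (Set-DkimSigningConfig); the
    #   tenant-side step is not covered by this file.
    # 2.1.10 (Automated): Ensure DMARC records for all Exchange Online domains are published
    # NOTE: DNS-level control — publish the TXT record at the DNS provider

    # 2.1.12: Ensure the connection filter IP allow list is not used
    connectionFilterIPAllowListEmpty: true
    # 2.1.13: Ensure the connection filter safe list is off
    connectionFilterSafeListOff: true
    # 2.1.14: Ensure inbound anti-spam policies do not contain allowed domains
    inboundAntiSpamNoAllowedDomains: true
    # 2.1.15: Ensure outbound anti-spam message limits are in place
    outboundAntiSpamLimits: true

    # 2.2.1 (Manual): Ensure emergency access account activity is monitored
    # TODO: Implement manually per PDF instructions

    # 2.4.1: Ensure Priority account protection is enabled and configured
    # 2.4.2: Ensure Priority accounts have 'Strict protection' presets applied
    # One key for both controls — same duplicate-key caveat as antiMalware.
    priorityAccount:
      enabled: true
      strictProtection: true

    # 2.4.3 (Manual): Ensure Microsoft Defender for Cloud Apps is enabled and configured
    # TODO: Implement manually per PDF instructions
    # 2.4.4: Ensure Zero-hour auto purge for Microsoft Teams is on
    zap:
      enabledForTeams: true
    # 2.4.5 (Manual): Ensure 'AIR' remediation is enabled
    # TODO: Implement manually per PDF instructions

# ===============================================================
# Section 5.2.2: Conditional Access
#
# Policy `name` values must be unique: the deployer presumably matches
# existing policies by name for conflictResolution, so two policies with
# the same name collapse into one. Names are kept stable and descriptive;
# the tenantMutation prefix is presumably prepended on deployment.
# Break-glass exclusion: `breakGlassGroup` is expected to be excluded from
# every policy below by the deployer — confirm, and confirm the group is
# populated (see `groups`), before enforcing anything.
# ===============================================================
conditionalAccess:
  reportOnly: true
  breakGlassGroup: "CIS-BreakGlass"
  policies:
    - name: "5.2.2.1-Require-MFA-for-administrative-roles"
      cisControl: "5.2.2.1"
      description: "Ensure multifactor authentication is enabled for all users in administrative roles"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeRoles:
            - "Global Administrator"
            - "Privileged Role Administrator"
            # Can reset credentials/MFA of Global Administrators — same tier.
            - "Privileged Authentication Administrator"
            - "Security Administrator"
            - "Exchange Administrator"
            - "SharePoint Administrator"
            - "Conditional Access Administrator"
            - "Application Administrator"
            - "Cloud Application Administrator"
            - "User Administrator"
            - "Helpdesk Administrator"
            - "Billing Administrator"
            - "Authentication Administrator"
            - "Password Administrator"
            - "Global Reader"
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"

    - name: "5.2.2.2-Require-MFA-for-all-users"
      cisControl: "5.2.2.2"
      description: "Ensure multifactor authentication is enabled for all users"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"

    - name: "5.2.2.3-Block-legacy-authentication"
      cisControl: "5.2.2.3"
      description: "Enable Conditional Access policies to block legacy authentication"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
        # "other" = legacy clients (IMAP/POP/SMTP AUTH, older Office builds).
        # Check the sign-in log's "Client app" column while in report-only.
        clientAppTypes: ["exchangeActiveSync", "other"]
      grantControls:
        builtInControls: ["block"]
        operator: "OR"

    - name: "5.2.2.4-Admin-sign-in-frequency-and-no-persistent-browser"
      cisControl: "5.2.2.4"
      description: "Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeRoles:
            - "Global Administrator"
            - "Privileged Role Administrator"
            - "Privileged Authentication Administrator"
            - "Security Administrator"
            - "Exchange Administrator"
            - "SharePoint Administrator"
            - "Conditional Access Administrator"
            - "Application Administrator"
            - "Cloud Application Administrator"
            - "User Administrator"
            - "Helpdesk Administrator"
            - "Billing Administrator"
            - "Authentication Administrator"
            - "Password Administrator"
            - "Global Reader"
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"
      sessionControls:
        signInFrequency:
          value: 12
          type: hours
          isEnabled: true
        persistentBrowser:
          mode: never
          isEnabled: true

    - name: "5.2.2.5-Phishing-resistant-MFA-for-administrators"
      cisControl: "5.2.2.5"
      description: "Ensure 'Phishing-resistant MFA strength' is required for Administrators"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeRoles:
            - "Global Administrator"
            - "Privileged Role Administrator"
            - "Privileged Authentication Administrator"
            - "Security Administrator"
            - "Exchange Administrator"
            - "SharePoint Administrator"
            - "Conditional Access Administrator"
            - "Application Administrator"
            - "Cloud Application Administrator"
            - "User Administrator"
            - "Helpdesk Administrator"
            - "Billing Administrator"
            - "Authentication Administrator"
            - "Password Administrator"
            - "Global Reader"
      grantControls:
        builtInControls: ["authenticationStrength"]
        authenticationStrength:
          # Built-in "Phishing-resistant MFA" strength (FIDO2 / Windows Hello
          # for Business / certificate-based auth). Admins must have one of
          # these registered before enforcement or they are locked out.
          id: "00000000-0000-0000-0000-000000000004"
        operator: "OR"

    - name: "5.2.2.6-Identity-Protection-user-risk"
      cisControl: "5.2.2.6"
      description: "Enable Identity Protection user risk policies"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
        # USER risk, not sign-in risk — the generated file conditioned this
        # on signInRiskLevels, which made it a copy of 5.2.2.7. The benchmark
        # targets high user risk and remediates with a secured password
        # change (password change implies MFA, hence AND). Confirm the level
        # against the PDF.
        userRiskLevels: ["high"]
      grantControls:
        builtInControls: ["mfa", "passwordChange"]
        operator: "AND"

    - name: "5.2.2.7-Identity-Protection-sign-in-risk"
      cisControl: "5.2.2.7"
      description: "Enable Identity Protection sign-in risk policies"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
        signInRiskLevels: ["medium", "high"]
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"

    - name: "5.2.2.8-Block-medium-and-high-sign-in-risk"
      cisControl: "5.2.2.8"
      description: "Ensure 'sign-in risk' is blocked for medium and high risk"
      state: enabledForReportingButNotEnforced
      # Overlaps 5.2.2.7 on the same condition; when both are enforced the
      # block wins, so 5.2.2.7's MFA step-up never applies. Keep one or the
      # other enforced, per the PDF's guidance.
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
        signInRiskLevels: ["medium", "high"]
      grantControls:
        builtInControls: ["block"]
        operator: "OR"

    - name: "5.2.2.9-Require-managed-device"
      cisControl: "5.2.2.9"
      description: "Ensure a managed device is required for authentication"
      state: enabledForReportingButNotEnforced
      # Enforcing this denies every unmanaged/BYOD and guest sign-in.
      # Pilot with CIS-Pilot-Users before widening to All.
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
      grantControls:
        builtInControls: ["compliantDevice", "domainJoinedDevice"]
        operator: "OR"

    - name: "5.2.2.10-Require-managed-device-for-security-info-registration"
      cisControl: "5.2.2.10"
      description: "Ensure a managed device is required to register security information"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeUserActions: ["urn:user:registersecurityinfo"]
        users:
          includeUsers: ["All"]
      grantControls:
        builtInControls: ["compliantDevice", "domainJoinedDevice"]
        operator: "OR"

    - name: "5.2.2.11-Intune-enrollment-sign-in-frequency"
      cisControl: "5.2.2.11"
      description: "Ensure sign-in frequency for Intune Enrollment is set to 'Every time'"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          # TODO: verify this is the "Microsoft Intune Enrollment" application
          # the control names, not the broader "Microsoft Intune" service.
          includeApplications: ["0000000a-0000-0000-c000-000000000000"]
        users:
          includeUsers: ["All"]
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"
      sessionControls:
        signInFrequency:
          # TODO: the control requires "Every time"; a 12-hour interval does
          # not satisfy it. In Graph this is frequencyInterval: everyTime —
          # confirm how the deployer expresses it and replace value/type.
          value: 12
          type: hours
          isEnabled: true
        persistentBrowser:
          mode: never
          isEnabled: true

    - name: "5.2.2.12-Block-device-code-flow"
      cisControl: "5.2.2.12"
      description: "Ensure the device code sign-in flow is blocked"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
        authenticationFlows:
          deviceCodeFlow:
            isEnabled: true
      grantControls:
        builtInControls: ["block"]
        operator: "OR"

    - name: "5.2.2.13-Periodic-reauthentication-for-all-users"
      cisControl: "5.2.2.13"
      description: "Ensure that periodic reauthentication is required for all users"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"
      # Without a sign-in frequency this policy is identical to 5.2.2.2 and
      # never forces re-authentication. The interval is a placeholder —
      # TODO: set it to the value given in the PDF.
      sessionControls:
        signInFrequency:
          value: 24
          type: hours
          isEnabled: true

    - name: "5.2.2.14-Trusted-named-locations"
      cisControl: "5.2.2.14"
      description: "Ensure trusted 'named locations' are defined"
      state: enabledForReportingButNotEnforced
      # PLACEHOLDER: named locations are tenant objects, not a policy. As
      # written this is identical in effect to 5.2.2.2.
      # TODO: define the trusted locations in the Entra admin center, then
      #   reference them via a `locations` condition (or drop this entry).
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"

    - name: "5.2.2.15-Geographic-block"
      cisControl: "5.2.2.15"
      description: "Ensure exclusionary geographic access controls are utilized"
      state: enabledForReportingButNotEnforced
      # PLACEHOLDER: the control is a BLOCK on countries outside a named
      # location allow-list; as written it only repeats 5.2.2.2.
      # TODO: create the country named location(s), add a `locations`
      #   condition, and change the grant to ["block"].
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"

    - name: "5.2.2.16-Token-Protection"
      cisControl: "5.2.2.16"
      description: "Ensure Token Protection is enforced for session tokens"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          # Token Protection is only honoured by Exchange Online and
          # SharePoint Online on supported Windows clients; with "All" apps
          # unsupported clients may be blocked. TODO: scope per the PDF.
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"
      # Token Protection is a SESSION control (Graph:
      # sessionControls.secureSignInSession), not an authentication strength.
      # TODO: confirm the deployer forwards this key.
      sessionControls:
        secureSignInSession:
          isEnabled: true

    - name: "5.2.2.17-Block-authentication-transfer"
      cisControl: "5.2.2.17"
      description: "Ensure authentication transfer is blocked"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
        # Without this condition the policy is an unconditional block of
        # every sign-in for every user (the generated file had none).
        # Shape mirrors deviceCodeFlow above; Graph expresses it as
        # authenticationFlows.transferMethods = authenticationTransfer —
        # TODO: confirm the deployer maps this key.
        authenticationFlows:
          authenticationTransfer:
            isEnabled: true
      grantControls:
        builtInControls: ["block"]
        operator: "OR"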