cqrenet/macOS_IntuneManagement
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity
Files
main
macOS_IntuneManagement/Baselines/CISM365-v7.example.yaml
T
tomas.kracmar d3e0769799 release: v4.1.0 — restructure entry points, add CIS baselines, reporting tools and fzf hints 
- Restructure launchers: Start-IntuneToolkit.ps1 moves to repo root;
  Start-HeadlessIntune.ps1 moves to Scripts/; TUI helper moves to Scripts/Private/
- Add AGENTS.md with project architecture, entry points, and security notes
- Add CIS M365 baseline assets (CISM365-v7, M365-CIS-Rapid) and reporting scripts
- Add Python reporting utilities (Export-SettingsReport, Export-AssignmentReport,
  Export-ObjectInventoryReport) and CA wizard helpers
- Update Deploy-IntuneBaseline.ps1 with Merge conflict resolution, ReportPath,
  and optimized group loading
- Update Initialize-IntuneAuth.ps1 with -RotateSecret and configurable secret expiry
- Update Extensions for Settings Catalog definition auto-export
- Update README with v4.1.0, new entry points and script catalog
- Bump VERSION to 4.1.0
- Harden .gitignore against .DS_Store, __pycache__, .venv-pdf/, local exports,
  Settings.json and IntuneManagement.log
2026-06-14 15:24:42 +02:00

467 lines
18 KiB
YAML
Raw Permalink Blame History

# =====================================================================
# CIS Microsoft 365 Foundations Benchmark v7.0.0 (Draft)
# Tenant-Level Baseline Manifest
# =====================================================================
# This YAML extends the OpenIntuneBaseline format to cover M365 tenant
# configuration: Entra ID, Conditional Access, Defender, Exchange,
# SharePoint, and Teams.
#
# HOW TO USE WITH A DRAFT PDF:
# 1. Copy this file to your own baseline (e.g., mytenant-cisv7.yaml)
# 2. As you read the CIS v7.0.0 PDF, transcribe controls into the
# appropriate sections below. Each control has a 'cisControl' field
# for traceability.
# 3. Customize names, exclusions, and groups for your tenant.
# 4. Run: ./Scripts/Deploy-CISM365Baseline.ps1 -BaselinePath ./Baselines/mytenant-cisv7.yaml
#
# SAFETY:
# - Conditional Access policies default to 'reportOnly: true' (globally)
# and 'state: enabledForReportingButNotEnforced' (per-policy).
# - The script also supports -WhatIf.
# - Break-glass accounts/groups are automatically excluded from CA.
# =====================================================================
baseline:
name: CIS-M365-v7-Example
conflictResolution: Skip # Skip | Update | Error
whatIf: false
# -------------------------------------------------------------------
# Global name mutation applied to every policy / CA rule (optional)
# -------------------------------------------------------------------
tenantMutation:
search: "CIS-v7-"
replace: "ACME-CIS-"
# Alternatively use prefix instead of search/replace:
# prefix: "ACME-CIS-"
# -------------------------------------------------------------------
# Cloud-only security groups (mirrors Intune baseline format)
# These are created if they do not exist and can be referenced
# in CA policy assignments by displayName.
# -------------------------------------------------------------------
groups:
- displayName: "CIS-BreakGlass"
mailNickname: "CISBreakGlass"
securityEnabled: true
- displayName: "CIS-Pilot-Users"
mailNickname: "CISPilotUsers"
securityEnabled: true
- displayName: "CIS-All-Company"
mailNickname: "CISAllCompany"
securityEnabled: true
# -------------------------------------------------------------------
# Intune policies (optional — reuses the exact same schema as
# OpenIntuneBaseline.example.yaml). Keep them here if you want a
# single manifest for the whole tenant.
# -------------------------------------------------------------------
policies:
# Example: reuse your existing Intune exports
# - sourcePath: ./policies/CIS-Windows-Compliance.json
# type: CompliancePolicies
# assignments:
# - targetType: Group
# groupName: "CIS-All-Company"
# -------------------------------------------------------------------
# TENANT-LEVEL CONFIGURATION (new section)
# -------------------------------------------------------------------
tenantConfig:
# ===============================================================
# 1. M365 Admin Center (CIS Section 1)
# ===============================================================
adminCenter:
# 1.3.1 (L1) Password expiration
passwordExpiration: NeverExpire # NeverExpire | 90Days | 180Days
# 1.3.2 (L2) Idle session timeout (hours)
idleSessionTimeoutHours: 3
# 1.3.4 (L1) Restrict user owned apps and services
restrictUserOwnedApps: true
# 1.3.5 (L1) Internal phishing protection for Forms
formsPhishingProtection: true
# 1.3.6 (L2) Customer Lockbox
customerLockbox: true
# 1.3.7 (L2) Restrict third-party storage services
restrictThirdPartyStorage: true
# ===============================================================
# 5. Entra ID (CIS Section 5)
# ===============================================================
entraId:
# 5.1.1.1 (L1) Cloud-only administrative accounts
# NOTE: Manual — script can only validate, not create accounts.
# 5.1.1.3 (L1) Global admin count (2-4)
# NOTE: Manual — script assesses only.
# 5.1.2.2 (L2) Disallow third-party integrated applications
blockUserConsent: true
# 5.1.2.3 (L1) Restrict non-admin tenant creation
blockTenantCreation: true
# 5.1.2.4 (L1) Restrict access to Entra admin center
restrictAdminCenterAccess: true
# 5.1.2.6 (L2) Disable LinkedIn account connections
disableLinkedIn: true
# 5.1.3.1 (L1) Dynamic group for guest users
# NOTE: Manual — requires tenant-specific query.
# 5.1.4.2 (L1) Maximum devices per user
maxDevicesPerUser: 5
# 5.1.4.3 (L1) GA not added as local admin during Entra join
gaLocalAdminDisabled: true
# 5.2.3.2 (L1) Custom banned password list
bannedPasswords:
- "Contoso"
- "Password"
- "Welcome"
- "Admin"
- "Login"
# 5.2.3.4 (L1) Ensure all member users are MFA capable
# NOTE: Enforced via Conditional Access below.
# ===============================================================
# 5.2.2 Conditional Access (CIS Section 5.2.2)
# ===============================================================
# CRITICAL: All CA policies are created in REPORT-ONLY mode by
# default. Flip 'reportOnly: false' after you have validated
# traffic in the Entra admin center.
# ===============================================================
conditionalAccess:
reportOnly: true # Global switch for all CA policies
breakGlassGroup: "CIS-BreakGlass" # Auto-excluded from every CA policy
policies:
# -----------------------------------------------------------
# CIS 5.2.2.3 (L1) Block legacy authentication
# -----------------------------------------------------------
- name: "Block-Legacy-Auth"
cisControl: "5.2.2.3"
description: "Block all legacy authentication protocols (EAS, basic auth)"
state: enabledForReportingButNotEnforced # enabled | enabledForReportingButNotEnforced | disabled
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
# breakGlassGroup is injected automatically by the script
clientAppTypes: ["exchangeActiveSync", "other"]
grantControls:
builtInControls: ["block"]
operator: "OR"
# -----------------------------------------------------------
# CIS 5.2.2.1 (L1) Require MFA for administrative roles
# -----------------------------------------------------------
- name: "Require-MFA-Admins"
cisControl: "5.2.2.1"
description: "Require MFA for all users assigned to administrative roles"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeRoles:
- "Global Administrator"
- "Privileged Role Administrator"
- "Security Administrator"
- "Exchange Administrator"
- "SharePoint Administrator"
- "Conditional Access Administrator"
- "Application Administrator"
- "Cloud Application Administrator"
- "User Administrator"
- "Helpdesk Administrator"
- "Billing Administrator"
- "Authentication Administrator"
- "Password Administrator"
- "Global Reader"
excludeUsers: [] # Add break-glass UPNs here if not using breakGlassGroup
grantControls:
builtInControls: ["mfa"]
operator: "OR"
# -----------------------------------------------------------
# CIS 5.2.2.2 (L1) Require MFA for all users
# -----------------------------------------------------------
- name: "Require-MFA-All-Users"
cisControl: "5.2.2.2"
description: "Require MFA for all user sign-ins"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
excludeGroups: [] # e.g., ["CIS-Pilot-Users"] for staged rollout
locations:
includeLocations: ["AllTrusted"] # Requires named locations; use "All" if none defined
grantControls:
builtInControls: ["mfa"]
operator: "OR"
# -----------------------------------------------------------
# CIS 5.2.2.4 (L1) Sign-in frequency for admins
# -----------------------------------------------------------
- name: "Admin-SignIn-Frequency"
cisControl: "5.2.2.4"
description: "Require re-authentication every 12h for admins; no persistent browser"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeRoles:
- "Global Administrator"
- "Privileged Role Administrator"
- "Security Administrator"
sessionControls:
signInFrequency:
value: 12
type: hours
isEnabled: true
persistentBrowser:
mode: never
isEnabled: true
grantControls:
builtInControls: ["mfa"]
operator: "OR"
# -----------------------------------------------------------
# CIS 5.2.2.5 (L2) Phishing-resistant MFA for admins
# -----------------------------------------------------------
- name: "Require-PhishingResistant-MFA-Admins"
cisControl: "5.2.2.5"
description: "Require phishing-resistant MFA (FIDO2, certificate) for admins"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeRoles:
- "Global Administrator"
- "Privileged Role Administrator"
- "Security Administrator"
grantControls:
builtInControls: ["authenticationStrength"]
authenticationStrength:
id: "00000000-0000-0000-0000-000000000004" # Phishing-resistant MFA
operator: "OR"
# -----------------------------------------------------------
# CIS 5.2.2.12 (L1) Block device code flow
# -----------------------------------------------------------
- name: "Block-Device-Code-Flow"
cisControl: "5.2.2.12"
description: "Block sign-ins using the device code authentication flow"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
authenticationFlows:
deviceCodeFlow:
isEnabled: true
ruleType: "include"
grantControls:
builtInControls: ["block"]
operator: "OR"
# -----------------------------------------------------------
# CIS 5.2.2.8 (L2) Block medium/high risk sign-ins
# -----------------------------------------------------------
- name: "Block-HighRisk-SignIns"
cisControl: "5.2.2.8"
description: "Block sign-ins with medium or high risk score (requires Entra ID P2)"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
signInRiskLevels: ["medium", "high"]
grantControls:
builtInControls: ["block"]
operator: "OR"
# -----------------------------------------------------------
# CIS 5.2.2.9 (L1) Require managed device
# -----------------------------------------------------------
- name: "Require-Managed-Device"
cisControl: "5.2.2.9"
description: "Require device to be compliant or hybrid Entra joined"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeApplications: ["All"]
users:
includeUsers: ["All"]
grantControls:
builtInControls: ["compliantDevice", "domainJoinedDevice"]
operator: "OR"
# -----------------------------------------------------------
# CIS 5.2.2.10 (L1) Require managed device to register security info
# -----------------------------------------------------------
- name: "Require-Managed-Device-Security-Info"
cisControl: "5.2.2.10"
description: "Require managed device when registering security information"
state: enabledForReportingButNotEnforced
conditions:
applications:
includeUserActions: ["urn:user:registersecurityinfo"]
users:
includeUsers: ["All"]
grantControls:
builtInControls: ["compliantDevice", "domainJoinedDevice"]
operator: "OR"
# ===============================================================
# 2. Microsoft Defender for Office 365 (CIS Section 2)
# ===============================================================
defender:
# 2.1.1 (L2) Safe Links for Office Applications
safeLinks:
- name: "SafeLinks-Default"
cisControl: "2.1.1"
enabled: true
trackClicks: true
allowClickThrough: false
scanUrls: true
enableForInternalSenders: true
# The script auto-creates a rule applying this to all accepted domains
# 2.1.4 (L2) Safe Attachments
safeAttachments:
- name: "SafeAttachments-Default"
cisControl: "2.1.4"
enabled: true
action: Block # Block | DynamicDelivery | Monitor
quarantineMessages: true
# 2.1.2 (L1) Common Attachment Types Filter
antiMalware:
- name: "AntiMalware-Default"
cisControl: "2.1.2"
enabled: true
enableInternalNotifications: true
fileTypes:
- ace
- ani
- app
- docm
- exe
- jar
- jnlp
- msi
- ps1
- scr
- vbs
- wsf
# 2.1.3 (L1) Internal malware notifications
# 2.4.4 (L1) Zero-hour auto purge for Teams
# ===============================================================
# 6. Exchange Online (CIS Section 6)
# ===============================================================
exchange:
# 6.1.1 (L1) AuditDisabled organizationally set to False
enableMailboxAuditOrgWide: true
# 6.1.2 (L1) Mailbox audit actions configured
# NOTE: Enabled automatically when org-wide auditing is on (above).
# 6.2.1 (L1) Block all forms of external forwarding
blockExternalForwarding: true
# 6.2.2 (L1) Transport rules do not whitelist domains
# NOTE: Manual review required.
# 6.2.3 (L1) Identify email from external senders
enableExternalSenderBanner: true
# Transport rule: prepend external email warning
externalEmailWarningRule: true
# ===============================================================
# 7. SharePoint / OneDrive (CIS Section 7)
# ===============================================================
sharePoint:
# Default sharing link type
defaultSharingLinkType: Direct # Direct | Internal | AnonymousAccess
# External sharing for SharePoint
sharePointExternalSharing: Disabled
# Options: Disabled | ExistingExternalUserSharingOnly | ExternalUserSharingOnly | Anyone
# External sharing for OneDrive
oneDriveExternalSharing: Disabled
# Guest access expiration (days)
guestAccessExpirationDays: 30
# 7.x (L1) Prevent custom script execution
# NOTE: Set via Set-PnPTenant -DenyAddAndCustomizePages 1
denyCustomScripts: true
# ===============================================================
# 8. Microsoft Teams (CIS Section 8)
# ===============================================================
teams:
# 8.x Anonymous meeting join
allowAnonymousUsersToJoinMeeting: false
# 8.x Anonymous meeting start
allowAnonymousUsersToStartMeeting: false
# 8.x Teams email integration
enableEmailIntegration: false
# 8.x Federation / external access
allowFederatedUsers: false
allowTeamsConsumer: false
# 8.x Restrict unmanaged user access
# NOTE: Controlled via Teams meeting policy; script sets Global.
# ===============================================================
# 3. Microsoft Purview (CIS Section 3)
# ===============================================================
# NOTE: DLP, sensitivity labels, and retention policies are
# highly business-specific. Add them here as needed:
#
# purview:
# dlpPolicies:
# - name: "CIS-DLP-Default"
# ...
# ===============================================================
# 9. Power BI (CIS Section 9)
# ===============================================================
# NOTE: Power BI tenant settings are best managed via
# Microsoft365DSC or direct Admin API calls. Add here if needed.
# ===============================================================
# NEW in v7.0.0 (expected)
# ===============================================================
# As you read the draft PDF, transcribe new controls into the
# appropriate sections above. Use the 'cisControl' field to
# preserve traceability (e.g., cisControl: "5.2.3.7").
Reference in New Issue View Git Blame Copy Permalink