- Restructure launchers: Start-IntuneToolkit.ps1 moves to repo root; Start-HeadlessIntune.ps1 moves to Scripts/; TUI helper moves to Scripts/Private/
- Add AGENTS.md with project architecture, entry points, and security notes
- Add CIS M365 baseline assets (CISM365-v7, M365-CIS-Rapid) and reporting scripts
- Add Python reporting utilities (Export-SettingsReport, Export-AssignmentReport, Export-ObjectInventoryReport) and CA wizard helpers
- Update Deploy-IntuneBaseline.ps1 with Merge conflict resolution, ReportPath, and optimized group loading
- Update Initialize-IntuneAuth.ps1 with -RotateSecret and configurable secret expiry
- Update Extensions for Settings Catalog definition auto-export
- Update README with v4.1.0, new entry points and script catalog
- Bump VERSION to 4.1.0
- Harden .gitignore against .DS_Store, __pycache__, .venv-pdf/, local exports, Settings.json and IntuneManagement.log
CIS M365 Rapid Baseline
Goal: Take a new or newly-acquired tenant from zero to ~80% CIS M365 Foundations compliance in hours, not weeks.
Your existing IntuneManagement toolkit already handles Section 4 (Intune) of the CIS benchmark. This complements it with the tenant-level workloads: Entra ID, Conditional Access, Defender, Exchange, SharePoint, and Teams.
The Reality Check
There is no single "Install-CIS-M365" command. The benchmark has 140 controls across 9 sections, and many are:
- Assessment-only (e.g., "Ensure 2–4 global admins exist" — a script can't decide who your admins should be)
- License-dependent (Identity Protection risk policies require Entra ID P2)
- Tenant-specific (Conditional Access exclusions, emergency access accounts, accepted domains)
This baseline automates the ~40 highest-impact controls that are safe to script on a greenfield tenant. The rest require human judgment.
Prerequisites
```powershell
# PowerShell 7+ is strongly recommended
$PSVersionTable.PSVersion

# Install dependencies
Install-Module Microsoft.Graph -Scope CurrentUser -Force
Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force
Install-Module PnP.PowerShell -Scope CurrentUser -Force
Install-Module MicrosoftTeams -Scope CurrentUser -Force
```
Permissions required:
- Global Administrator (to create policies and grant consent)
- Or: combination of Privileged Role Administrator + Exchange Administrator + SharePoint Administrator + Teams Administrator
The Fastest Path (Recommended Workflow)
Step 0: Customize the config
Edit `CISM365-RapidBaseline.psd1`:
- Set your `TenantDomain` and `SharePointAdminUrl`
- Add your break-glass emergency access accounts to `BreakGlassAccounts`
- Adjust `ConditionalAccess` policies to reference your actual admin roles/groups
- Review `SharePointExternalSharing`: `Disabled` is most secure but may break planned collaboration
- Review `BlockUserConsent`: `true` is CIS-compliant but may break SaaS integrations
Step 1: Assess (read-only)
```powershell
cd Baselines/M365-CIS-Rapid

# Default: assess everything, make zero changes
./Deploy-CISM365RapidBaseline.ps1
```
Review the CSV report. It tells you exactly what's wrong and how to fix it.
Step 2: Deploy the easy wins
```powershell
# Deploy with WhatIf first (simulates changes without applying)
./Deploy-CISM365RapidBaseline.ps1 -Mode Deploy -WhatIf

# If satisfied, apply for real
./Deploy-CISM365RapidBaseline.ps1 -Mode Deploy -Apply -Verbose
```
Step 3: Create Conditional Access policies manually
This script intentionally does NOT auto-create Conditional Access policies. CA misconfiguration can lock everyone out of the tenant, including you.
Use the assessment output as a checklist and create them in the Entra admin center:
- CIS-Block-Legacy-Auth — Block all legacy auth protocols
- CIS-Require-MFA-Admins — Require MFA for all admin roles
- CIS-Require-MFA-All-Users — Require MFA for all users
- CIS-Block-Device-Code-Flow — Block device code authentication
- CIS-Block-High-Risk-SignIns — Block medium/high risk sign-ins (requires P2)
Pro tip: Set new CA policies to `enabledForReportingButNotEnforced` for 24 hours before flipping to `enabled`. This lets you verify they don't block legitimate access.
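As an added example (not code from the baseline repo), this is how the CIS-Block-Legacy-Auth policy from the checklist above can be created in report-only mode with Microsoft Graph PowerShell, with the break-glass accounts excluded from the start; the object ID is a placeholder and `Enable-CaPolicyAfterReview` is a hypothetical helper that refuses to enable the policy if the exclusion has been lost.

```powershell
# Added example, not code from the baseline repo. Creates CIS-Block-Legacy-Auth in
# report-only mode and only flips it to enabled after an explicit review step.
# Assumes Microsoft.Graph is installed; replace the placeholder object ID with the
# object IDs of your BreakGlassAccounts.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Placeholder: object IDs of the emergency access accounts (constructed, not real)
$breakGlass = @('00000000-0000-0000-0000-000000000000')

$policy = @{
    displayName = 'CIS-Block-Legacy-Auth'
    state       = 'enabledForReportingButNotEnforced'    # report-only first
    conditions  = @{
        clientAppTypes = @('exchangeActiveSync', 'other') # legacy auth client types
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers = @('All')
            excludeUsers = $breakGlass                     # break-glass exclusion
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Hypothetical helper: after the 24h report-only window and a sign-in log review,
# refuse to enable the policy unless every break-glass account is still excluded.
function Enable-CaPolicyAfterReview {
    param([string]$PolicyId, [string[]]$RequiredExclusions)
    $p = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
    $missing = $RequiredExclusions | Where-Object { $_ -notin $p.Conditions.Users.ExcludeUsers }
    if ($missing) {
        throw "Refusing to enable '$($p.DisplayName)': break-glass not excluded: $($missing -join ', ')"
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -BodyParameter @{ state = 'enabled' }
}
# Enable-CaPolicyAfterReview -PolicyId $created.Id -RequiredExclusions $breakGlass
```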
Step 4: Run a full CIS assessment
```powershell
# Install the comprehensive CIS assessment module
Install-Module CIS-M365-Benchmark -Scope CurrentUser -Force
Connect-CISM365Benchmark
Invoke-CISM365Benchmark -ProfileLevel L1 -ExcludeSections Intune
```
This checks all 140 controls and produces an HTML report with remediation steps for the remaining gaps.
Step 5: Ongoing governance (optional but recommended)
For drift detection and continuous enforcement, introduce Microsoft365DSC:
```powershell
Install-Module Microsoft365DSC -Force
Update-M365DSCDependencies

# Export your now-hardened tenant as code
Export-M365DSCConfiguration -Workloads @("AAD","EXO","SPO","Teams") -Path ./m365-golden
```
Store that golden configuration in Git and run it through a pipeline weekly.
What This Script Covers
| CIS Section | Controls Automated | Notes |
|---|---|---|
| 5.1 M365 Admin Center | Password expiration, tenant creation block, device quota, user consent | |
| 5.2.2 Conditional Access | Assessment only (safe by design) | Manual creation recommended |
| 5.2.3 Auth Methods | Banned password list | |
| 2.1 Defender | Safe Links, Safe Attachments, Anti-malware | Creates policy + rule |
| 6.1/6.2 Exchange | Mailbox auditing, external forwarding block | Transport rule |
| 7.x SharePoint | External sharing restrictions | SPO + OneDrive |
| 8.x Teams | Anonymous meeting restrictions, federation | Global policy |
What it does NOT cover (requires human judgment):
- Admin role assignments (how many GAs, who are they)
- Emergency access accounts (you must create these first)
- PIM configuration (requires P2, approval workflows)
- DMARC/DKIM/SPF records (DNS-level, not tenant-level)
- DLP policies (business-specific)
- Sensitivity labels (business-specific)
- Intune device policies (use your existing toolkit)
Safety Features
- `-Mode Assess` is the default. Nothing changes unless you explicitly say `-Mode Deploy -Apply`.
- `-WhatIf` is supported. Use it to preview every change.
- Break-glass exclusion. The CA assessment template references `BreakGlassAccounts`; make sure these exist and are excluded from MFA/Compliance policies before enabling them.
- Modular workloads. Use `-Workloads` to target only one area at a time.
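The assess-by-default, `-WhatIf`, `-Apply` pattern these safety features describe, shown for a single control as an added example (my own function name, not the baseline script's code); it assumes ExchangeOnlineManagement is installed and `Connect-ExchangeOnline` has already been run.

```powershell
# Added example, not the baseline's own code: Assess is the default, Deploy without
# -Apply changes nothing, and -WhatIf previews the change through ShouldProcess.
# Control used: Exchange mailbox auditing enabled organization-wide (section 6.1).
function Invoke-CisMailboxAuditingControl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Assess', 'Deploy')] [string]$Mode = 'Assess',  # Assess is the default
        [switch]$Apply                                               # Deploy still needs -Apply
    )
    $org = Get-OrganizationConfig
    $result = [pscustomobject]@{
        Control     = '6.1 Mailbox auditing enabled organization-wide'
        Compliant   = (-not $org.AuditDisabled)
        Remediation = 'Set-OrganizationConfig -AuditDisabled $false'
        Action      = 'None'
    }
    # Read-only path: already compliant, or caller only asked for an assessment
    if ($result.Compliant -or $Mode -eq 'Assess') { return $result }
    if (-not $Apply) {
        $result.Action = 'Skipped: -Mode Deploy without -Apply'
        return $result
    }
    # With -WhatIf, ShouldProcess returns $false and prints the planned change instead
    if ($PSCmdlet.ShouldProcess('Organization config', 'Enable mailbox auditing')) {
        Set-OrganizationConfig -AuditDisabled $false
        $result.Compliant = $true
        $result.Action    = 'Remediated'
    }
    return $result
}
# Usage mirrors the deploy script: assess, then simulate, then apply and keep the CSV
# Invoke-CisMailboxAuditingControl
# Invoke-CisMailboxAuditingControl -Mode Deploy -Apply -WhatIf
# Invoke-CisMailboxAuditingControl -Mode Deploy -Apply -Verbose | Export-Csv ./report.csv -NoTypeInformation
```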
Newly-Acquired vs. New Tenant
| Scenario | Approach |
|---|---|
| Brand new tenant (no users yet) | Run -Mode Deploy -Apply freely. Then create CA policies. |
| Newly-acquired tenant (has users, mailboxes, existing config) | Run -Mode Assess first. Review EVERY failed control for business impact before deploying. Some changes (e.g., disabling external sharing, blocking user consent) can break existing workflows. |
Alternatives Considered
| Tool | Best For | Why We Didn't Use It As Primary |
|---|---|---|
| Microsoft365DSC | Long-term governance, drift detection | Learning curve is too high for "as fast as possible"; better introduced after initial hardening |
| CISA ScubaGear | Federal compliance, audit evidence | Read-only assessment; no deployment capability |
| CIS-M365-Benchmark | Comprehensive 140-control assessment | Read-only; excellent for gap analysis after rapid deployment |
| Maester | CI/CD testing, continuous validation | Read-only; great for pipelines, not initial deployment |
| CoreView / Inforcer | MSP multi-tenant deployment | Commercial; not applicable if you want open-source/scripted |
Next Steps
- Customize `CISM365-RapidBaseline.psd1`
- Run assess mode
- Deploy the easy wins
- Create CA policies manually with reporting mode
- Run `CIS-M365-Benchmark` for the remaining gaps
- Introduce `Microsoft365DSC` for ongoing governance