cqrenet/macOS_IntuneManagement
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity
Files
main
macOS_IntuneManagement/Baselines/M365-CIS-Rapid/CISM365-RapidBaseline.psd1
T
tomas.kracmar d3e0769799 release: v4.1.0 — restructure entry points, add CIS baselines, reporting tools and fzf hints 
- Restructure launchers: Start-IntuneToolkit.ps1 moves to repo root;
  Start-HeadlessIntune.ps1 moves to Scripts/; TUI helper moves to Scripts/Private/
- Add AGENTS.md with project architecture, entry points, and security notes
- Add CIS M365 baseline assets (CISM365-v7, M365-CIS-Rapid) and reporting scripts
- Add Python reporting utilities (Export-SettingsReport, Export-AssignmentReport,
  Export-ObjectInventoryReport) and CA wizard helpers
- Update Deploy-IntuneBaseline.ps1 with Merge conflict resolution, ReportPath,
  and optimized group loading
- Update Initialize-IntuneAuth.ps1 with -RotateSecret and configurable secret expiry
- Update Extensions for Settings Catalog definition auto-export
- Update README with v4.1.0, new entry points and script catalog
- Bump VERSION to 4.1.0
- Harden .gitignore against .DS_Store, __pycache__, .venv-pdf/, local exports,
  Settings.json and IntuneManagement.log
2026-06-14 15:24:42 +02:00

235 lines
9.4 KiB
PowerShell
Raw Permalink Blame History

@{
# =====================================================================
# CIS M365 Rapid Baseline Configuration
# =====================================================================
# This file defines the desired state for a new/greenfield tenant.
# Edit values before running Deploy-CISM365RapidBaseline.ps1.
#
# IMPORTANT: This baseline is designed for NEW or NEWLY-ACQUIRED tenants.
# On an established tenant, some changes may impact users.
# =====================================================================
Tenant = @{
# Your tenant's initial .onmicrosoft.com domain
TenantDomain = 'contoso.onmicrosoft.com'
# SharePoint admin center URL
SharePointAdminUrl = 'https://contoso-admin.sharepoint.com'
# License profile: E3 | E5 | E3+P2
# Determines whether P2-only features (Identity Protection, PIM) are configured
LicenseProfile = 'E3'
}
# =====================================================================
# Section 5: Entra ID (Identity)
# =====================================================================
EntraID = @{
# 1.3.1 - Password expiration policy
PasswordExpiration = 'NeverExpire' # NeverExpire | 90Days | 180Days
# 5.2.3.2 - Custom banned password list
BannedPasswords = @('Contoso', 'Contoso1', 'Password', 'Welcome')
# 5.1.2.3 - Restrict non-admin users from creating tenants
BlockTenantCreation = $true
# 5.1.2.6 - Disable LinkedIn account connections
DisableLinkedIn = $true
# 5.1.2.2 - Disallow third-party integrated applications (user consent)
# Note: Set to $true for strict CIS compliance. May break some SaaS integrations.
BlockUserConsent = $true
# 5.1.4.2 - Maximum devices per user
MaxDevicesPerUser = 5
# 5.1.4.3 - Do not add GA role as local admin during Entra join
GALocalAdminDisabled = $true
# 5.2.3.1 - Microsoft Authenticator: protect against MFA fatigue
MFAFatigueProtection = $true
# Emergency access accounts (break-glass) - used for CA policy exclusions
BreakGlassAccounts = @(
'breakglass1@contoso.onmicrosoft.com'
'breakglass2@contoso.onmicrosoft.com'
)
}
# =====================================================================
# Section 5.2.2: Conditional Access Policies
# =====================================================================
ConditionalAccess = @(
@{
Name = 'CIS-Block-Legacy-Auth'
Description = 'CIS 5.2.2.3 - Block legacy authentication protocols'
Enabled = $true
State = 'enabled'
Conditions = @{
Applications = @{ IncludeApplications = @('All') }
Users = @{ IncludeUsers = @('All'); ExcludeUsers = @() }
ClientAppTypes = @('exchangeActiveSync', 'other')
}
GrantControls = @{
BuiltInControls = @('block')
Operator = 'OR'
}
}
@{
Name = 'CIS-Require-MFA-Admins'
Description = 'CIS 5.2.2.1 - Require MFA for all users in administrative roles'
Enabled = $true
State = 'enabled'
Conditions = @{
Applications = @{ IncludeApplications = @('All') }
Users = @{ IncludeUsers = @('All'); ExcludeRoles = @('62e90394-69f5-4237-9190-012177145e10') } # Exclude Global Admin if using PIM
}
GrantControls = @{
BuiltInControls = @('mfa')
Operator = 'OR'
}
}
@{
Name = 'CIS-Require-MFA-All-Users'
Description = 'CIS 5.2.2.2 - Require MFA for all users'
Enabled = $true
State = 'enabled'
Conditions = @{
Applications = @{ IncludeApplications = @('All') }
Users = @{ IncludeUsers = @('All'); ExcludeUsers = @() }
Locations = @{ IncludeLocations = @('AllTrusted') } # Requires named locations
}
GrantControls = @{
BuiltInControls = @('mfa')
Operator = 'OR'
}
}
@{
Name = 'CIS-Block-Device-Code-Flow'
Description = 'CIS 5.2.2.12 - Block device code sign-in flow'
Enabled = $true
State = 'enabled'
Conditions = @{
Applications = @{ IncludeApplications = @('All') }
Users = @{ IncludeUsers = @('All'); ExcludeUsers = @() }
AuthenticationFlows = @{ IncludeAuthenticationFlows = @('deviceCode') }
}
GrantControls = @{
BuiltInControls = @('block')
Operator = 'OR'
}
}
@{
Name = 'CIS-Block-High-Risk-SignIns'
Description = 'CIS 5.2.2.8 - Block sign-ins with medium/high risk (requires P2)'
Enabled = $true
State = 'enabledForReportingButNotEnforced' # Set to 'enabled' after validation
Conditions = @{
Applications = @{ IncludeApplications = @('All') }
Users = @{ IncludeUsers = @('All'); ExcludeUsers = @() }
SignInRiskLevels = @('high', 'medium')
}
GrantControls = @{
BuiltInControls = @('block')
Operator = 'OR'
}
}
)
# =====================================================================
# Section 2: Microsoft Defender for Office 365
# =====================================================================
Defender = @{
# 2.1.1 - Safe Links for Office Applications
SafeLinks = @{
Name = 'CIS-SafeLinks-Default'
Enabled = $true
TrackClicks = $true
AllowClickThrough = $false
ScanUrls = $true
EnableForInternalSenders = $true
}
# 2.1.4 - Safe Attachments
SafeAttachments = @{
Name = 'CIS-SafeAttachments-Default'
Enabled = $true
Action = 'Block' # Block | DynamicDelivery | Monitor
QuarantineMessages = $true
}
# 2.1.2 - Common Attachment Types Filter (built into anti-malware)
AntiMalware = @{
Name = 'CIS-AntiMalware-Default'
Enabled = $true
EnableInternalSenderNotifications = $true
FileTypes = @('ace', 'ani', 'app', 'docm', 'exe', 'iso', 'jar', 'jnlp', 'msi', 'php', 'ps1', 'scr', 'vbs', 'wsf')
}
# Anti-Phish baseline
AntiPhish = @{
Name = 'CIS-AntiPhish-Default'
Enabled = $true
EnableMailboxIntelligence = $true
EnableSpoofIntelligence = $true
MailboxIntelligenceProtectionAction = 'Quarantine'
TargetedUserProtectionAction = 'Quarantine'
TargetedDomainProtectionAction = 'Quarantine'
}
}
# =====================================================================
# Section 6: Exchange Online
# =====================================================================
Exchange = @{
# 6.2.1 - Block all forms of external mail forwarding
BlockExternalForwarding = $true
# 6.1.2 - Enable mailbox auditing organization-wide
EnableMailboxAudit = $true
# 6.2.3 - Identify email from external senders (external sender banner)
EnableExternalSenderBanner = $true
# Transport rule: prepend external email warning
ExternalEmailWarning = $true
}
# =====================================================================
# Section 7: SharePoint / OneDrive
# =====================================================================
SharePoint = @{
# 7.x - Default sharing link type
# Options: Direct, Internal, AnonymousAccess
DefaultSharingLinkType = 'Direct' # Most restrictive = Direct (specific people only)
# 7.x - External sharing for SharePoint
SharePointExternalSharing = 'Disabled' # Disabled | ExistingExternalUserSharingOnly | ExternalUserSharingOnly | Anyone
# 7.x - External sharing for OneDrive
OneDriveExternalSharing = 'Disabled' # Disabled | ExistingExternalUserSharingOnly | ExternalUserSharingOnly | Anyone
# Guest access expiration (days)
GuestAccessExpirationDays = 30
}
# =====================================================================
# Section 8: Microsoft Teams
# =====================================================================
Teams = @{
# 8.x - Allow anonymous users to join meetings
AllowAnonymousMeetingJoin = $false
# 8.x - Allow anonymous users to start meetings
AllowAnonymousMeetingStart = $false
# 8.x - Teams email integration
EnableEmailIntegration = $false
# Federation / external access
AllowFederatedUsers = $false
AllowTeamsConsumer = $false
}
}
Reference in New Issue View Git Blame Copy Permalink