macOS_IntuneManagement/Scripts/Baselines/CA-Wizard-Generated.yaml
tomas.kracmar d3e0769799 release: v4.1.0 — restructure entry points, add CIS baselines, reporting tools and fzf hints
- Restructure launchers: Start-IntuneToolkit.ps1 moves to repo root;
  Start-HeadlessIntune.ps1 moves to Scripts/; TUI helper moves to Scripts/Private/
- Add AGENTS.md with project architecture, entry points, and security notes
- Add CIS M365 baseline assets (CISM365-v7, M365-CIS-Rapid) and reporting scripts
- Add Python reporting utilities (Export-SettingsReport, Export-AssignmentReport,
  Export-ObjectInventoryReport) and CA wizard helpers
- Update Deploy-IntuneBaseline.ps1 with Merge conflict resolution, ReportPath,
  and optimized group loading
- Update Initialize-IntuneAuth.ps1 with -RotateSecret and configurable secret expiry
- Update Extensions for Settings Catalog definition auto-export
- Update README with v4.1.0, new entry points and script catalog
- Bump VERSION to 4.1.0
- Harden .gitignore against .DS_Store, __pycache__, .venv-pdf/, local exports,
  Settings.json and IntuneManagement.log
2026-06-14 15:24:42 +02:00


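---
# Conditional Access baseline emitted by the CA wizard (the "CA wizard helpers"
# named in this commit). Indentation was restored from the rendered listing;
# tenantConfig is placed as a top-level sibling of baseline — confirm that
# against the schema the deploy script expects before relying on this file.
baseline:
  name: Generated-ConditionalAccess-Baseline
  # How an existing object with the same name is handled on deploy; the commit
  # message also mentions a Merge mode for Deploy-IntuneBaseline.ps1.
  conflictResolution: Skip
  whatIf: false
tenantConfig:
  conditionalAccess:
    # false: policies are created with the state given below. Every policy in
    # this file is state: enabled, so nothing is staged in report-only first.
    reportOnly: false
    # NOTE(review): no policy below carries excludeUsers/excludeGroups, so the
    # exclusion of this group has to be injected by the deployment tooling.
    # Verify that before the block policies (CA0901, CA0902, CA0903, CA1904,
    # CA0906, CA2902) go live; without it a bad rollout cannot be undone from
    # a normal account.
    breakGlassGroup: CQRE-BreakGlass
    policies:
      # Legacy protocols cannot complete MFA, so blocking them closes the
      # usual password-spray path; the two client app types are the legacy ones.
      - name: CQRE-CA0901-AllUsers-AllApps-BlockLegacyAuth
        description: Block all legacy authentication protocols
        state: enabled
        conditions:
          applications:
            includeApplications:
              - All
          users:
            includeUsers:
              - All
          clientAppTypes:
            - exchangeActiveSync
            - other
        grantControls:
          builtInControls:
            - block
          operator: OR
      # NOTE(review): the description mentions a trusted location, but there is
      # no locations condition here; as written, only a compliant or
      # hybrid-joined device can register security info.
      - name: CQRE-CA1901-AllUsers-SecurityInfo-RequireTrustedLocation
        description: Require trusted location or managed device to register security info
        state: enabled
        conditions:
          applications:
            includeUserActions:
              - 'urn:user:registersecurityinfo'
          users:
            includeUsers:
              - All
        grantControls:
          builtInControls:
            - compliantDevice
            - domainJoinedDevice
          operator: OR
      # "all" platforms minus the four excluded below; every other platform
      # (Linux, which is absent from excludePlatforms, included) is blocked —
      # confirm that is intended.
      - name: CQRE-CA0902-AllUsers-AllApps-BlockUnsupportedPlatforms
        description: Block sign-ins from unknown or unsupported device platforms
        state: enabled
        conditions:
          applications:
            includeApplications:
              - All
          users:
            includeUsers:
              - All
          platforms:
            includePlatforms:
              - all
            excludePlatforms:
              - android
              - iOS
              - windows
              - macOS
        grantControls:
          builtInControls:
            - block
          operator: OR
      # Blocks the device-code flow, a flow frequently abused in phishing;
      # isEnabled: true switches the condition on, the grant blocks matches.
      - name: CQRE-CA0903-AllUsers-AllApps-BlockDeviceCodeFlow
        description: Block device-code authentication flow
        state: enabled
        conditions:
          applications:
            includeApplications:
              - All
          users:
            includeUsers:
              - All
          authenticationFlows:
            deviceCodeFlow:
              isEnabled: true
        grantControls:
          builtInControls:
            - block
          operator: OR
      # MFA outside trusted named locations (see the note on CA1904 below).
      - name: CQRE-CA1902-AllUsers-AllApps-RequireMFAUntrusted
        description: Require MFA only from untrusted locations
        state: enabled
        conditions:
          applications:
            includeApplications:
              - All
          users:
            includeUsers:
              - All
          locations:
            includeLocations:
              - All
            excludeLocations:
              - AllTrusted
        grantControls:
          builtInControls:
            - mfa
          operator: OR
      # NOTE(review): "All" users includes guests, who normally cannot present
      # a compliant or hybrid-joined device, so this blocks B2B access unless
      # the tooling adds an exclusion; CA3901/CA3902 below assume guests can
      # still sign in.
      - name: CQRE-CA1903-AllUsers-AllApps-RequireCompliantDevice
        description: Require compliant or hybrid-joined device for all users
        state: enabled
        conditions:
          applications:
            includeApplications:
              - All
          users:
            includeUsers:
              - All
        grantControls:
          builtInControls:
            - compliantDevice
            - domainJoinedDevice
          operator: OR
      # NOTE(review): highest lockout risk in this file. Every sign-in from a
      # location that is not a trusted named location is blocked; if the
      # tenant defines no trusted location, AllTrusted excludes nothing and
      # this blocks everyone. While both are enabled it also makes CA1902
      # (MFA from untrusted locations) irrelevant, since block wins. Stage
      # this policy in report-only before enabling.
      - name: CQRE-CA1904-AllUsers-AllApps-BlockUntrustedLocations
        description: Block sign-ins from untrusted locations
        state: enabled
        conditions:
          applications:
            includeApplications:
              - All
          users:
            includeUsers:
              - All
          locations:
            includeLocations:
              - All
            excludeLocations:
              - AllTrusted
        grantControls:
          builtInControls:
            - block
          operator: OR
      # Risk-based policies (CA0904-CA0906) depend on the tenant's identity
      # protection / insider-risk licensing; confirm it before deploying.
      - name: CQRE-CA0904-AllUsers-AllApps-RequireMFAForRiskySignIns
        description: Require MFA for medium/high risk sign-ins
        state: enabled
        conditions:
          applications:
            includeApplications:
              - All
          users:
            includeUsers:
              - All
          signInRiskLevels:
            - medium
            - high
        grantControls:
          builtInControls:
            - mfa
          operator: OR
      # NOTE(review): the Entra portal only accepts passwordChange together
      # with mfa and operator AND; confirm the Graph call accepts this grant
      # on its own, otherwise the policy will fail to create.
      - name: CQRE-CA0905-AllUsers-AllApps-ForcePasswordChangeHighRiskUsers
        description: Force password change for high-risk users
        state: enabled
        conditions:
          applications:
            includeApplications:
              - All
          users:
            includeUsers:
              - All
          userRiskLevels:
            - high
        grantControls:
          builtInControls:
            - passwordChange
          operator: OR
      - name: CQRE-CA0906-AllUsers-AllApps-BlockInsiderRisk
        description: Block sessions flagged by Purview Insider Risk
        state: enabled
        conditions:
          applications:
            includeApplications:
              - All
          users:
            includeUsers:
              - All
          insiderRiskLevels:
            - elevated
        grantControls:
          builtInControls:
            - block
          operator: OR
      # Admin role set shared by CA2901-CA2903 through the admin_roles anchor.
      # NOTE(review): Privileged Authentication Administrator is not listed,
      # although it can reset authentication methods for the roles that are —
      # confirm the omission is intentional.
      - name: CQRE-CA2901-Admins-AllApps-RequireCompliantDevice
        description: Administrators must use compliant or hybrid-joined devices
        state: enabled
        conditions:
          applications:
            includeApplications:
              - All
          users:
            includeRoles: &admin_roles
              - Global Administrator
              - Privileged Role Administrator
              - Security Administrator
              - Exchange Administrator
              - SharePoint Administrator
              - Conditional Access Administrator
              - Application Administrator
              - Cloud Application Administrator
              - User Administrator
              - Helpdesk Administrator
              - Billing Administrator
              - Authentication Administrator
              - Password Administrator
        grantControls:
          builtInControls:
            - compliantDevice
            - domainJoinedDevice
          operator: OR
      # Admin counterpart of CA1904; the same empty-AllTrusted caveat applies.
      - name: CQRE-CA2902-Admins-AllApps-BlockUntrustedLocations
        description: Administrators can only sign in from trusted locations
        state: enabled
        conditions:
          applications:
            includeApplications:
              - All
          users:
            includeRoles: *admin_roles
          locations:
            includeLocations:
              - All
            excludeLocations:
              - AllTrusted
        grantControls:
          builtInControls:
            - block
          operator: OR
      # 12-hour sign-in frequency and no persistent browser session for admins;
      # the MFA grant is what the session controls are attached to.
      - name: CQRE-CA2903-Admins-AllApps-NoPersistentSession
        description: No persistent browser sessions for admins; re-auth every 12h
        state: enabled
        conditions:
          applications:
            includeApplications:
              - All
          users:
            includeRoles: *admin_roles
        grantControls:
          builtInControls:
            - mfa
          operator: OR
        sessionControls:
          signInFrequency:
            value: 12
            type: hours
            isEnabled: true
          persistentBrowser:
            mode: never
            isEnabled: true
      # Guest scope: all four guest/external user types across all external
      # tenants.
      - name: CQRE-CA3901-Guests-AllApps-RequireMFA
        description: Require MFA for guest and external users
        state: enabled
        conditions:
          applications:
            includeApplications:
              - All
          users:
            includeGuestsOrExternalUsers:
              guestTypes:
                - internalGuest
                - b2bCollaborationGuest
                - b2bCollaborationMember
                - b2bDirectConnectUser
              externalTenants:
                membershipKind: all
        grantControls:
          builtInControls:
            - mfa
          operator: OR
      # NOTE(review): in the Graph schema termsOfUse is a separate
      # grantControls property holding agreement IDs, not a builtInControls
      # value — confirm the deploy script translates this entry and which
      # agreement it binds to.
      - name: CQRE-CA3902-Guests-AllApps-RequireTermsOfUse
        description: Require guests to accept terms of use
        state: enabled
        conditions:
          applications:
            includeApplications:
              - All
          users:
            includeGuestsOrExternalUsers:
              guestTypes:
                - internalGuest
                - b2bCollaborationGuest
                - b2bCollaborationMember
                - b2bDirectConnectUser
              externalTenants:
                membershipKind: all
        grantControls:
          builtInControls:
            - termsOfUse
          operator: OR
      # The grant also requires MFA, which the description does not mention;
      # app-enforced restrictions additionally need the workload-side setting.
      - name: CQRE-CA4901-AllUsers-O365-AppEnforcedRestrictions
        description: Enforce application restrictions for Office 365
        state: enabled
        conditions:
          applications:
            includeApplications:
              - Office365
          users:
            includeUsers:
              - All
        grantControls:
          builtInControls:
            - mfa
          operator: OR
        sessionControls:
          applicationEnforcedRestrictions:
            isEnabled: true
      # NOTE(review): this app ID is also the first entry of CA4903 with the
      # same users and grant, so CA4902 is fully covered by CA4903.
      - name: CQRE-CA4902-AllUsers-AzureMgmt-RequireMFA
        description: Require MFA for Azure management portal
        state: enabled
        conditions:
          applications:
            includeApplications:
              - '797f4846-ba00-4fd7-ba43-dac1f8f63013'
          users:
            includeUsers:
              - All
        grantControls:
          builtInControls:
            - mfa
          operator: OR
      # Applications are referenced by app ID only; document the display name
      # next to each GUID. NOTE(review): several of these look like first-party
      # service/API principals rather than portals — confirm the scope matches
      # the "admin portals" intent in the description.
      - name: CQRE-CA4903-AllUsers-AdminPortals-RequireMFA
        description: Require MFA for Microsoft admin portals
        state: enabled
        conditions:
          applications:
            includeApplications:
              - '797f4846-ba00-4fd7-ba43-dac1f8f63013'
              - 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c'
              - '1b730954-1685-4b74-9bfd-dac224a7b894'
              - '00000003-0000-0ff1-ce00-000000000000'
              - '00000003-0000-0000-c000-000000000000'
              - 'de8bc8b5-d9f9-48b1-a8ad-b748da725064'
              - '00000002-0000-0ff1-ce00-000000000000'
              - '66a88757-258c-4c72-893c-3e8bed4d6899'
          users:
            includeUsers:
              - All
        grantControls:
          builtInControls:
            - mfa
          operator: OR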