macOS_IntuneManagement/Baselines/M365-CIS-Rapid/README.md
tomas.kracmar d3e0769799 release: v4.1.0 — restructure entry points, add CIS baselines, reporting tools and fzf hints
- Restructure launchers: Start-IntuneToolkit.ps1 moves to repo root;
  Start-HeadlessIntune.ps1 moves to Scripts/; TUI helper moves to Scripts/Private/
- Add AGENTS.md with project architecture, entry points, and security notes
- Add CIS M365 baseline assets (CISM365-v7, M365-CIS-Rapid) and reporting scripts
- Add Python reporting utilities (Export-SettingsReport, Export-AssignmentReport,
  Export-ObjectInventoryReport) and CA wizard helpers
- Update Deploy-IntuneBaseline.ps1 with Merge conflict resolution, ReportPath,
  and optimized group loading
- Update Initialize-IntuneAuth.ps1 with -RotateSecret and configurable secret expiry
- Update Extensions for Settings Catalog definition auto-export
- Update README with v4.1.0, new entry points and script catalog
- Bump VERSION to 4.1.0
- Harden .gitignore against .DS_Store, __pycache__, .venv-pdf/, local exports,
  Settings.json and IntuneManagement.log
2026-06-14 15:24:42 +02:00

# CIS M365 Rapid Baseline
> **Goal:** Take a new or newly-acquired tenant from zero to ~80% CIS M365 Foundations compliance in hours, not weeks.
Your existing `IntuneManagement` toolkit already handles **Section 4 (Intune)** of the CIS benchmark. This complements it with the tenant-level workloads: Entra ID, Conditional Access, Defender, Exchange, SharePoint, and Teams.
---
## The Reality Check
There is no single "Install-CIS-M365" command. The benchmark has **140 controls** across **9 sections**, and many are:
- **Assessment-only** (e.g., "Ensure 2-4 global admins exist" — a script can't decide who your admins should be)
- **License-dependent** (Identity Protection risk policies require Entra ID P2)
- **Tenant-specific** (Conditional Access exclusions, emergency access accounts, accepted domains)
**This baseline automates the ~40 highest-impact controls that are safe to script on a greenfield tenant.** The rest require human judgment.
---
## Prerequisites
```powershell
# PowerShell 7+ is strongly recommended
$PSVersionTable.PSVersion
# Install dependencies
Install-Module Microsoft.Graph -Scope CurrentUser -Force
Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force
Install-Module PnP.PowerShell -Scope CurrentUser -Force
Install-Module MicrosoftTeams -Scope CurrentUser -Force
```
**Permissions required:**
- Global Administrator (to create policies and grant consent)
- Or: combination of Privileged Role Administrator + Exchange Administrator + SharePoint Administrator + Teams Administrator
---
## The Fastest Path (Recommended Workflow)
### Step 0: Customize the config
Edit `CISM365-RapidBaseline.psd1`:
- Set your `TenantDomain` and `SharePointAdminUrl`
- Add your **break-glass emergency access accounts** to `BreakGlassAccounts`
- Adjust `ConditionalAccess` policies to reference your actual admin roles/groups
- Review `SharePointExternalSharing`: `Disabled` is most secure but may break planned collaboration
- Review `BlockUserConsent`: `true` is CIS-compliant but may break SaaS integrations
### Step 1: Assess (read-only)
```powershell
cd Baselines/M365-CIS-Rapid
# Default: assess everything, make zero changes
./Deploy-CISM365RapidBaseline.ps1
```
Review the CSV report. It tells you exactly what's wrong and how to fix it.
### Step 2: Deploy the easy wins
```powershell
# Deploy with WhatIf first (simulates changes without applying)
./Deploy-CISM365RapidBaseline.ps1 -Mode Deploy -WhatIf
# If satisfied, apply for real
./Deploy-CISM365RapidBaseline.ps1 -Mode Deploy -Apply -Verbose
```
### Step 3: Create Conditional Access policies manually
**This script intentionally does NOT auto-create Conditional Access policies.** CA misconfiguration can lock everyone out of the tenant, including you.
Use the assessment output as a checklist and create them in the Entra admin center:
1. **CIS-Block-Legacy-Auth** — Block all legacy auth protocols
2. **CIS-Require-MFA-Admins** — Require MFA for all admin roles
3. **CIS-Require-MFA-All-Users** — Require MFA for all users
4. **CIS-Block-Device-Code-Flow** — Block device code authentication
5. **CIS-Block-High-Risk-SignIns** — Block medium/high risk sign-ins (requires P2)
> **Pro tip:** Set new CA policies to `enabledForReportingButNotEnforced` for 24 hours before flipping to `enabled`. This lets you verify they don't block legitimate access.
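The five policies above are created by hand, so the check that they exist, are enforced, and exclude the break-glass accounts is worth scripting. The following read-only check is an added example, not part of this project's scripts. It works on the raw Graph JSON shape (camelCase hashtables) returned by `Invoke-MgGraphRequest`, so the same function runs against a live tenant or against the constructed sample at the bottom; the function names, the matching heuristics and the sample policies are my own assumptions.

```powershell
#Requires -Modules Microsoft.Graph.Authentication

function Get-CaPoliciesFromGraph {
    # Needs an existing Connect-MgGraph session with Policy.Read.All
    $uri = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
    (Invoke-MgGraphRequest -Method GET -Uri $uri).value
}

function Test-CisCaCoverage {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,
        # Object IDs of the break-glass accounts (BreakGlassAccounts in the config)
        [string[]] $BreakGlassAccounts = @()
    )
    $blocks = { param($p) 'block' -in @($p.grantControls.builtInControls) }
    $mfa    = { param($p) 'mfa'   -in @($p.grantControls.builtInControls) }

    # Heuristic per checklist item: which policy shape counts as "covering" it
    $checks = [ordered]@{
        'CIS-Block-Legacy-Auth'       = { param($p) (& $blocks $p) -and
            ('exchangeActiveSync' -in @($p.conditions.clientAppTypes)) -and
            ('other' -in @($p.conditions.clientAppTypes)) }
        'CIS-Require-MFA-Admins'      = { param($p) (& $mfa $p) -and
            (($p.conditions.users.includeRoles | Measure-Object).Count -gt 0) }
        'CIS-Require-MFA-All-Users'   = { param($p) (& $mfa $p) -and
            ('All' -in @($p.conditions.users.includeUsers)) }
        'CIS-Block-Device-Code-Flow'  = { param($p) (& $blocks $p) -and
            ('deviceCodeFlow' -in @($p.conditions.authenticationFlows.transferMethods)) }
        'CIS-Block-High-Risk-SignIns' = { param($p) (& $blocks $p) -and
            ('high' -in @($p.conditions.signInRiskLevels)) }
    }

    foreach ($name in $checks.Keys) {
        $matching   = @($Policies | Where-Object { & $checks[$name] $_ })
        $enforced   = @($matching | Where-Object { $_.state -eq 'enabled' })
        $reportOnly = @($matching | Where-Object { $_.state -eq 'enabledForReportingButNotEnforced' })
        # Every matching policy must exclude every break-glass account
        $missingExclusion = foreach ($p in $matching) {
            foreach ($bg in $BreakGlassAccounts) {
                if ($bg -notin @($p.conditions.users.excludeUsers)) { "$($p.displayName) lacks $bg" }
            }
        }
        [pscustomobject]@{
            Control          = $name
            Status           = if ($enforced) { 'Pass' } elseif ($reportOnly) { 'ReportOnly' } else { 'Missing' }
            Policies         = ($matching.displayName -join '; ')
            BreakGlassIssues = (@($missingExclusion) -join '; ')
        }
    }
}

# Constructed sample (not a real tenant): an enforced legacy-auth block that forgot
# the break-glass exclusion, and an admin-MFA policy still in report-only mode.
$bg = '00000000-0000-0000-0000-00000000beef'   # placeholder break-glass object ID
$samplePolicies = @(
    @{ displayName = 'CIS-Block-Legacy-Auth'; state = 'enabled'
       conditions = @{ clientAppTypes = @('exchangeActiveSync', 'other')
                       users = @{ includeUsers = @('All'); excludeUsers = @() } }
       grantControls = @{ builtInControls = @('block') } },
    @{ displayName = 'CIS-Require-MFA-Admins'; state = 'enabledForReportingButNotEnforced'
       conditions = @{ clientAppTypes = @('all')
                       # 62e90394-... is the Global Administrator role template ID
                       users = @{ includeRoles = @('62e90394-69f5-4237-9190-012177145e10'); excludeUsers = @($bg) } }
       grantControls = @{ builtInControls = @('mfa') } }
)
Test-CisCaCoverage -Policies $samplePolicies -BreakGlassAccounts $bg | Format-Table -AutoSize
# Live tenant: Test-CisCaCoverage -Policies (Get-CaPoliciesFromGraph) -BreakGlassAccounts $bg
```

On the sample, the legacy-auth row reports `Pass` but flags the missing break-glass exclusion, the admin-MFA row reports `ReportOnly`, and the other three report `Missing`. A `ReportOnly` result is the expected state during the 24-hour observation window; `Missing` and any non-empty `BreakGlassIssues` are what to fix before flipping anything to `enabled`.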
### Step 4: Run a full CIS assessment
```powershell
# Install the comprehensive CIS assessment module
Install-Module CIS-M365-Benchmark -Scope CurrentUser -Force
Connect-CISM365Benchmark
Invoke-CISM365Benchmark -ProfileLevel L1 -ExcludeSections Intune
```
This checks all 140 controls and produces an HTML report with remediation steps for the remaining gaps.
### Step 5: Ongoing governance (optional but recommended)
For drift detection and continuous enforcement, introduce **Microsoft365DSC**:
```powershell
Install-Module Microsoft365DSC -Force
Update-M365DSCDependencies
# Export your now-hardened tenant as code
Export-M365DSCConfiguration -Workloads @("AAD","EXO","SPO","Teams") -Path ./m365-golden
```
Store that golden configuration in Git and run it through a pipeline weekly.
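A weekly drift job built on that golden export, as an added example rather than anything shipped with this project: it re-exports the live tenant with the same workloads, compares it with the committed export, and fails the pipeline when the two differ. It assumes certificate-based app authentication supplied through environment variables (placeholders here) and that the golden export lives at `./m365-golden/M365TenantConfig.ps1`; `Compare-M365DSCConfigurations` and `New-M365DSCDeltaReport` are Microsoft365DSC cmdlets, the surrounding script is mine.

```powershell
#Requires -Modules Microsoft365DSC
param(
    [string] $GoldenPath  = './m365-golden/M365TenantConfig.ps1',
    [string] $CurrentPath = './m365-current',
    [string] $ReportPath  = './drift-report.html'
)

# Placeholders: the pipeline injects these from its secret store
$auth = @{
    ApplicationId         = $env:M365DSC_APP_ID
    TenantId              = $env:M365DSC_TENANT_ID
    CertificateThumbprint = $env:M365DSC_CERT_THUMBPRINT
}

# Re-export the live tenant with the same workloads as the golden export
Export-M365DSCConfiguration -Workloads @("AAD","EXO","SPO","Teams") `
    -Path $CurrentPath -FileName 'M365TenantConfig.ps1' @auth
$current = Join-Path $CurrentPath 'M365TenantConfig.ps1'

# One object per resource whose properties differ between golden and live
$delta = Compare-M365DSCConfigurations -Source $GoldenPath -Destination $current

if (-not $delta) {
    Write-Host 'No drift detected against the golden configuration.'
    exit 0
}

# Human-readable report for the ticket, non-zero exit for the pipeline
New-M365DSCDeltaReport -Source $GoldenPath -Destination $current -OutputPath $ReportPath
$delta | Format-List
Write-Error "Drift detected in $(@($delta).Count) resource(s); see $ReportPath"
exit 1
```

Treat a failing run as a finding to triage, not as something to auto-remediate: some differences are deliberate changes that belong in the golden export, others are the drift this step exists to catch.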
---
## What This Script Covers
| CIS Section | Controls Automated | Notes |
|-------------|-------------------|-------|
| **5.1** M365 Admin Center | Password expiration, tenant creation block, device quota, user consent | |
| **5.2.2** Conditional Access | Assessment only (safe by design) | Manual creation recommended |
| **5.2.3** Auth Methods | Banned password list | |
| **2.1** Defender | Safe Links, Safe Attachments, Anti-malware | Creates policy + rule |
| **6.1/6.2** Exchange | Mailbox auditing, external forwarding block | Transport rule |
| **7.x** SharePoint | External sharing restrictions | SPO + OneDrive |
| **8.x** Teams | Anonymous meeting restrictions, federation | Global policy |
**What it does NOT cover (requires human judgment):**
- Admin role assignments (how many GAs, who are they)
- Emergency access accounts (you must create these first)
- PIM configuration (requires P2, approval workflows)
- DMARC/DKIM/SPF records (DNS-level, not tenant-level)
- DLP policies (business-specific)
- Sensitivity labels (business-specific)
- Intune device policies (use your existing toolkit)
---
## Safety Features
- **`-Mode Assess` is the default.** Nothing changes unless you explicitly say `-Mode Deploy -Apply`.
- **`-WhatIf` is supported.** Use it to preview every change.
- **Break-glass exclusion.** The CA assessment template references `BreakGlassAccounts` — make sure these exist and are excluded from MFA/Compliance policies before enabling them.
- **Modular workloads.** Use `-Workloads` to target only one area at a time.
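The gating described under Step 2 and in this section (assess by default, `-Mode Deploy` without `-Apply` still changes nothing, `-WhatIf` previews every change) is shown below on a single control, the "block user consent" setting behind `BlockUserConsent`. This is an added illustration of the pattern, not the project's `Deploy-CISM365RapidBaseline.ps1`; the function names are my own, and the Graph call it makes (clearing `permissionGrantPoliciesAssigned` on the authorization policy) is the documented way to stop users consenting to applications on their own.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet('Assess', 'Deploy')] [string] $Mode = 'Assess',
    # Deploy still makes no change unless -Apply is also present
    [switch] $Apply
)

$authzUri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

function Test-UserConsentBlocked {
    # Pass = no permission grant policy assigned to the default user role,
    # i.e. users cannot consent to applications themselves
    $policy   = Invoke-MgGraphRequest -Method GET -Uri $authzUri
    $assigned = @($policy.defaultUserRolePermissions.permissionGrantPoliciesAssigned | Where-Object { $_ })
    [pscustomobject]@{
        Control = 'CIS 5.1 Block user consent to apps'
        Status  = if ($assigned.Count -eq 0) { 'Pass' } else { 'Fail' }
        Current = ($assigned -join ', ')
        Fix     = 'Set defaultUserRolePermissions.permissionGrantPoliciesAssigned to an empty list'
    }
}

function Set-UserConsentBlocked {
    [CmdletBinding(SupportsShouldProcess)] param()
    # ShouldProcess honours -WhatIf / -Confirm passed to the script
    if ($PSCmdlet.ShouldProcess('authorizationPolicy', 'Remove user consent grant policies')) {
        $body = @{ defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = @() } }
        Invoke-MgGraphRequest -Method PATCH -Uri $authzUri -Body $body -ContentType 'application/json'
    }
}

# Needs Connect-MgGraph with Policy.Read.All (assess) or Policy.ReadWrite.Authorization (deploy)
$finding = Test-UserConsentBlocked
$finding | Format-List

if ($finding.Status -eq 'Fail' -and $Mode -eq 'Deploy') {
    if (-not $Apply) {
        Write-Warning 'Deploy requested without -Apply: nothing changed. Re-run with -Apply (add -WhatIf to preview).'
    } else {
        Set-UserConsentBlocked
    }
}
```

Run it with no arguments to assess, with `-Mode Deploy -WhatIf` to see the PATCH that would be sent, and with `-Mode Deploy -Apply` to make the change. Because the script declares `SupportsShouldProcess`, `-WhatIf` propagates into `Set-UserConsentBlocked` automatically, which is what lets every remediation share one preview switch.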
---
## Newly-Acquired vs. New Tenant
| Scenario | Approach |
|----------|----------|
| **Brand new tenant** (no users yet) | Run `-Mode Deploy -Apply` freely. Then create CA policies. |
| **Newly-acquired tenant** (has users, mailboxes, existing config) | Run `-Mode Assess` first. Review EVERY failed control for business impact before deploying. Some changes (e.g., disabling external sharing, blocking user consent) can break existing workflows. |
---
## Alternatives Considered
| Tool | Best For | Why We Didn't Use It As Primary |
|------|----------|--------------------------------|
| **Microsoft365DSC** | Long-term governance, drift detection | Learning curve is too high for "as fast as possible"; better introduced after initial hardening |
| **CISA ScubaGear** | Federal compliance, audit evidence | Read-only assessment; no deployment capability |
| **CIS-M365-Benchmark** | Comprehensive 140-control assessment | Read-only; excellent for gap analysis after rapid deployment |
| **Maester** | CI/CD testing, continuous validation | Read-only; great for pipelines, not initial deployment |
| **CoreView / Inforcer** | MSP multi-tenant deployment | Commercial; not applicable if you want open-source/scripted |
---
## Next Steps
1. Customize `CISM365-RapidBaseline.psd1`
2. Run assess mode
3. Deploy the easy wins
4. Create CA policies manually with reporting mode
5. Run `CIS-M365-Benchmark` for the remaining gaps
6. Introduce `Microsoft365DSC` for ongoing governance