diff --git a/Rego/SharepointConfig.rego b/Rego/SharepointConfig.rego
index 459b7b46e9..43d6d1e20c 100644
--- a/Rego/SharepointConfig.rego
+++ b/Rego/SharepointConfig.rego
@@ -2,96 +2,123 @@ package sharepoint import future.keywords import data.report.utils.NotCheckedDetails import data.report.utils.ReportDetailsBoolean +import data.report.utils.ReportDetailsString + +################### +# MS.SHAREPOINT.1 # +################### # # MS.SHAREPOINT.1.1v1 #-- + +# SharingCapability == 0 Only People In Organization +# SharingCapability == 3 Existing Guests +# SharingCapability == 1 New and Existing Guests +# SharingCapability == 2 Anyone + tests[{ "PolicyId" : "MS.SHAREPOINT.1.1v1", - "Criticality" : "Shall", + "Criticality" : "Should", "Commandlet" : ["Get-SPOTenant", "Get-PnPTenant"], - "ActualValue" : Policy.DefaultSharingLinkType, + "ActualValue" : [Policy.SharingCapability], "ReportDetails" : ReportDetailsBoolean(Status), "RequirementMet" : Status }] { Policy := input.SPO_tenant[_] - Status := Policy.DefaultSharingLinkType == 1 + Conditions := [Policy.SharingCapability == 0, Policy.SharingCapability == 3] + Status := count([Condition | Condition = Conditions[_]; Condition == true]) == 1 } #-- + # # MS.SHAREPOINT.1.2v1 #-- + +# SharingDomainRestrictionMode == 0 Unchecked +# SharingDomainRestrictionMode == 1 Checked +# SharingAllowedDomainList == "domains" Domain list + +tests[{ + "PolicyId" : "MS.SHAREPOINT.1.2v1", + "Criticality" : "Should", + "Commandlet" : ["Get-SPOTenant", "Get-PnPTenant"], + "ActualValue" : [Policy.SharingDomainRestrictionMode], + "ReportDetails" : ReportDetailsBoolean(Status), + "RequirementMet" : Status +}] { + Policy := input.SPO_tenant[_] + Status := Policy.SharingDomainRestrictionMode == 1 +} +#-- + +# +# MS.SHAREPOINT.1.3v1 +#-- +# At this time we are unable to test for approved security groups +# because we have yet to find the setting to check tests[{ "PolicyId" : PolicyId, - "Criticality" : "Shall/Not-Implemented", + "Criticality" : "Should/Not-Implemented", "Commandlet" : [], "ActualValue" : [], "ReportDetails" : NotCheckedDetails(PolicyId), "RequirementMet" : false }] { - PolicyId := 
"MS.SHAREPOINT.1.2v1" + PolicyId := "MS.SHAREPOINT.1.3v1" true } #-- # -# MS.SHAREPOINT.1.3v1 +# MS.SHAREPOINT.1.4v1 #-- tests[{ - "PolicyId" : "MS.SHAREPOINT.1.3v1", + "PolicyId" : "MS.SHAREPOINT.1.4v1", "Criticality" : "Should", "Commandlet" : ["Get-SPOTenant", "Get-PnPTenant"], - "ActualValue" : Policy.SharingCapability, + "ActualValue" : [Policy.RequireAcceptingAccountMatchInvitedAccount], "ReportDetails" : ReportDetailsBoolean(Status), "RequirementMet" : Status }] { Policy := input.SPO_tenant[_] - Status := Policy.SharingCapability != 2 + Status := Policy.RequireAcceptingAccountMatchInvitedAccount == true } #-- -# -# Baseline 2.2: Policy 2 -#-- -#tests[{ -# "Requirement" : "External sharing SHOULD be limited to approved domains and security groups per interagency collaboration needs", -# "Control" : "Sharepoint 2.2", -# "Criticality" : "Should", -# "Commandlet" : ["Get-SPOTenant", "Get-PnPTenant"], -# "ActualValue" : Policy.SharingDomainRestrictionMode, -# "ReportDetails" : ReportDetailsBoolean(Status), -# "RequirementMet" : Status -#}] { -# Policy := input.SPO_tenant[_] -# Status := Policy.SharingDomainRestrictionMode == 1 -#} -#-- +################### +# MS.SHAREPOINT.2 # +################### # -# Baseline 2.2: Policy 3 +# MS.SHAREPOINT.2.1v1 #-- -#tests[{ -# "Requirement" : "External sharing SHOULD be limited to approved domains and security groups per interagency collaboration needs", -# "Control" : "Sharepoint 2.2", -# "Criticality" : "Should", -# "Commandlet" : ["Get-SPOTenant", "Get-PnPTenant"], -# "ActualValue" : [Policy.SharingCapability, Policy.SharingDomainRestrictionMode], -# "ReportDetails" : ReportDetails2_2(Policy), -# "RequirementMet" : Status -#}] { -# Policy := input.SPO_tenant[_] - # TODO: Missing Allow only users in specific security groups to share externally -#} + +# DefaultSharingLinkType == 1 for Specific People +# DefaultSharingLinkType == 2 for Only people in your organization + +tests[{ + "PolicyId" : "MS.SHAREPOINT.2.1v1", + 
"Criticality" : "Shall", + "Commandlet" : ["Get-SPOTenant", "Get-PnPTenant"], + "ActualValue" : [Policy.DefaultSharingLinkType], + "ReportDetails" : ReportDetailsBoolean(Status), + "RequirementMet" : Status +}] { + Policy := input.SPO_tenant[_] + Status := Policy.DefaultSharingLinkType == 1 +} #-- -################ -# Baseline 2.3 # -################ +################### +# MS.SHAREPOINT.3 # +################### # -# MS.SHAREPOINT.2.1v1 +# MS.SHAREPOINT.3.1v1 #-- -# At this time we are unable to test for X because of Y +# At this time we are unable to test for sharing settings of specific SharePoint sites +# because we have yet to find the setting to check tests[{ "PolicyId" : PolicyId, "Criticality" : "Should/Not-Implemented", 
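Review bot: The MS.SHAREPOINT.1.2v1 test reports only the restriction mode, although the comment block directly above it lists `SharingAllowedDomainList` as part of the setting; an assessor reading the report cannot see which domains are actually approved, so consider `"ActualValue" : [Policy.SharingDomainRestrictionMode, Policy.SharingAllowedDomainList]`, assuming that property is present in the collected `SPO_tenant` object. Separately, in MS.SHAREPOINT.1.1v1 the `Conditions`/`count(...) == 1` construction is correct only because the two comparisons on a single scalar are mutually exclusive; with `future.keywords` already imported at the top of this hunk, `Status := Policy.SharingCapability in [0, 3]` states the same check directly. That simpler form also matches the one-line `Status := ... == ...` style of every other rule in this hunk.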
@@ -100,131 +127,131 @@ tests[{ "ReportDetails" : NotCheckedDetails(PolicyId), "RequirementMet" : false }] { - PolicyId := "MS.SHAREPOINT.2.1v1" + PolicyId := "MS.SHAREPOINT.3.1v1" true } #-- +################### +# MS.SHAREPOINT.4 # +################### + # -# MS.SHAREPOINT.3.1v1 +# MS.SHAREPOINT.4.1v1 #-- -ReportDetails2_4_1(Policy) = Description if { +ExpirationTimersGuestAccess(Policy) = [ErrMsg, Status] if { Policy.SharingCapability == 0 - Description := "Requirement met" + ErrMsg := "" + Status := true } -ReportDetails2_4_1(Policy) = Description if { +ExpirationTimersGuestAccess(Policy) = [ErrMsg, Status] if { Policy.SharingCapability != 0 Policy.ExternalUserExpirationRequired == true - Policy.ExternalUserExpireInDays == 30 - Description := "Requirement met" + Policy.ExternalUserExpireInDays <= 30 + ErrMsg := "" + Status := true } -ReportDetails2_4_1(Policy) = Description if { +ExpirationTimersGuestAccess(Policy) = [ErrMsg, Status] if { Policy.SharingCapability != 0 Policy.ExternalUserExpirationRequired == false - Policy.ExternalUserExpireInDays == 30 - Description := "Requirement not met: Expiration timer for 'Guest access to a site or OneDrive' NOT enabled" + Policy.ExternalUserExpireInDays <= 30 + ErrMsg := "Requirement not met: Expiration timer for 'Guest access to a site or OneDrive' NOT enabled" + Status := false } -ReportDetails2_4_1(Policy) = Description if { +ExpirationTimersGuestAccess(Policy) = [ErrMsg, Status] if { Policy.SharingCapability != 0 Policy.ExternalUserExpirationRequired == true - Policy.ExternalUserExpireInDays != 30 - Description := "Requirement not met: Expiration timer for 'Guest access to a site or OneDrive' NOT set to 30 days" + Policy.ExternalUserExpireInDays > 30 + ErrMsg := "Requirement not met: Expiration timer for 'Guest access to a site or OneDrive' NOT set to 30 days or less" + Status := false } -ReportDetails2_4_1(Policy) = Description if { +ExpirationTimersGuestAccess(Policy) = [ErrMsg, Status] if { 
Policy.SharingCapability != 0 Policy.ExternalUserExpirationRequired == false - Policy.ExternalUserExpireInDays != 30 - Description := "Requirement not met" + Policy.ExternalUserExpireInDays > 30 + ErrMsg := "Requirement not met: Expiration timer for 'Guest access to a site or OneDrive' NOT enabled and set to greater 30 days" + Status := false } - tests[{ - "PolicyId" : "MS.SHAREPOINT.3.1v1", + "PolicyId" : "MS.SHAREPOINT.4.1v1", "Criticality" : "Should", "Commandlet" : ["Get-SPOTenant", "Get-PnPTenant"], "ActualValue" : [Policy.SharingCapability, Policy.ExternalUserExpirationRequired, Policy.ExternalUserExpireInDays], - "ReportDetails" : ReportDetails2_4_1(Policy), + "ReportDetails" : ReportDetailsString(Status, ErrMsg), "RequirementMet" : Status }] { Policy := input.SPO_tenant[_] - - # Role policy requires assignment expiration, but maximum duration is 30 days - Conditions1 := [Policy.ExternalUserExpirationRequired == true, Policy.ExternalUserExpireInDays == 30] - Case := count([Condition | Condition = Conditions1[_]; Condition == false]) == 0 - - # Filter: only include rules that meet one of the two cases - Conditions2 := [Policy.SharingCapability == 0, Case] - Status := count([Condition | Condition = Conditions2[_]; Condition == true]) > 0 + [ErrMsg, Status] := ExpirationTimersGuestAccess(Policy) } #-- -# TODO: Resolve Policy Id -# Baseline 2.4: Policy 2 +# +# MS.SHAREPOINT.4.2v1 #-- -ReportDetails2_4_2(Policy) = Description if { +ExpirationTimersVerificationCode(Policy) = [ErrMsg, Status] if { Policy.SharingCapability == 0 - Description := "Requirement met" + ErrMsg := "" + Status := true } -ReportDetails2_4_2(Policy) = Description if { +ExpirationTimersVerificationCode(Policy) = [ErrMsg, Status] if { Policy.SharingCapability != 0 Policy.EmailAttestationRequired == true - Policy.EmailAttestationReAuthDays == 30 - Description := "Requirement met" + Policy.EmailAttestationReAuthDays <= 30 + ErrMsg := "" + Status := true } -ReportDetails2_4_2(Policy) = Description 
if { +ExpirationTimersVerificationCode(Policy) = [ErrMsg, Status] if { Policy.SharingCapability != 0 Policy.EmailAttestationRequired == false - Policy.EmailAttestationReAuthDays == 30 - Description := "Requirement not met: Expiration timer for 'People who use a verification code' NOT enabled" + Policy.EmailAttestationReAuthDays <= 30 + ErrMsg := "Requirement not met: Expiration timer for 'People who use a verification code' NOT enabled" + Status := false } -ReportDetails2_4_2(Policy) = Description if { +ExpirationTimersVerificationCode(Policy) = [ErrMsg, Status] if { Policy.SharingCapability != 0 Policy.EmailAttestationRequired == true - Policy.EmailAttestationReAuthDays != 30 - Description := "Requirement not met: Expiration timer for 'People who use a verification code' NOT set to 30 days" + Policy.EmailAttestationReAuthDays > 30 + ErrMsg := "Requirement not met: Expiration timer for 'People who use a verification code' NOT set to 30 days" + Status := false } -ReportDetails2_4_2(Policy) = Description if { +ExpirationTimersVerificationCode(Policy) = [ErrMsg, Status] if { Policy.SharingCapability != 0 Policy.EmailAttestationRequired == false - Policy.EmailAttestationReAuthDays != 30 - Description := "Requirement not met" + Policy.EmailAttestationReAuthDays > 30 + ErrMsg := "Requirement not met: Expiration timer for 'People who use a verification code' NOT enabled and set to greater 30 days" + Status := false } - tests[{ - "Requirement" : "Expiration timer for 'People who use a verification code' should be set to 30 days", - "Control" : "Sharepoint 2.4", + "PolicyId" : "MS.SHAREPOINT.4.2v1", "Criticality" : "Should", "Commandlet" : ["Get-SPOTenant", "Get-PnPTenant"], "ActualValue" : [Policy.SharingCapability, Policy.EmailAttestationRequired, Policy.EmailAttestationReAuthDays], - "ReportDetails" : ReportDetails2_4_2(Policy), + "ReportDetails" : ReportDetailsString(Status, ErrMsg), "RequirementMet" : Status }] { Policy := input.SPO_tenant[_] - - # Role policy requires 
assignment expiration, but maximum duration is 30 days - Conditions1 := [Policy.EmailAttestationRequired == true, Policy.EmailAttestationReAuthDays == 30] - Case := count([Condition | Condition = Conditions1[_]; Condition == false]) == 0 - - # Filter: only include rules that meet one of the two cases - Conditions2 := [Policy.SharingCapability == 0, Case] - Status := count([Condition | Condition = Conditions2[_]; Condition == true]) > 0 + [ErrMsg, Status] := ExpirationTimersVerificationCode(Policy) } #-- -# TODO: Resolve Policy Id -# Baseline 2.5: Policy 1 +################### +# MS.SHAREPOINT.5 # +################### + +# +# MS.SHAREPOINT.5.1v1 #-- -# At this time we are unable to test for X because of Y +# At this time we are unable to test for running custom scripts on personal sites +# because we have yet to find the setting to check tests[{ - "Requirement" : "Users SHALL be prevented from running custom scripts on personal sites (OneDrive)", - "Control" : "Sharepoint 2.5", "PolicyId" : PolicyId, "Criticality" : "Shall/Not-Implemented", "Commandlet" : [], 
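Review bot: The report strings in `ExpirationTimersVerificationCode` were not updated to match the relaxed comparison: the rule guarded by `Policy.EmailAttestationReAuthDays > 30` still reports `NOT set to 30 days`, whereas the parallel guest-access rule says `NOT set to 30 days or less`, and the last rule of both functions reads `set to greater 30 days`. Since these strings are what lands in the report, suggest `ErrMsg := "Requirement not met: Expiration timer for 'People who use a verification code' NOT set to 30 days or less"` and `greater than 30 days` in both `NOT enabled and set to ...` messages. Note also that the five rules partition the input only when both the `*Required` and `*Days` attributes are defined; if the collector omits either, no rule fires, the `[ErrMsg, Status] := ...` assignment is undefined, and the whole test entry silently drops out of `tests` instead of reporting a failure — presumably unchanged from the previous code, but worth a default rule now that the logic is centralized in one function.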
@@ -232,26 +259,27 @@ tests[{ "ReportDetails" : NotCheckedDetails(PolicyId), "RequirementMet" : false }] { - PolicyId := "MS.SHAREPOINT.TBD" + PolicyId := "MS.SHAREPOINT.5.1v1" true } #-- -# TODO: Resolve Policy Id -# Baseline 2.5: Policy 2 +# +# MS.SHAREPOINT.5.2v1 #-- + +# 1 == Allow users to run custom script on self-service created sites +# 2 == Prevent users from running custom script on self-service created sites + tests[{ - "Requirement" : "Users SHALL be prevented from running custom scripts on self-service created sites", - "Control" : "Sharepoint 2.5", + "PolicyId" : "MS.SHAREPOINT.5.2v1", "Criticality" : "Shall", "Commandlet" : ["Get-SPOSite", "Get-PnPTenantSite"], - "ActualValue" : Policy.DenyAddAndCustomizePages, + "ActualValue" : [Policy.DenyAddAndCustomizePages], "ReportDetails" : ReportDetailsBoolean(Status), "RequirementMet" : Status }] { Policy := input.SPO_site[_] - # 1 == Allow users to run custom script on self-service created sites - # 2 == Prevent users from running custom script on self-service created sites Status := Policy.DenyAddAndCustomizePages == 2 } #-- \ No newline at end of file diff --git a/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/TestResults.json b/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/TestResults.json index ed79cc0e36..917da84cd7 100644 --- a/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/TestResults.json +++ b/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/TestResults.json 
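Review bot: The MS.SHAREPOINT.5.2v1 rule iterates `input.SPO_site[_]`, so a tenant with several sites yields one `tests` entry per site, all carrying the same PolicyId and an `ActualValue` that holds only the integer `DenyAddAndCustomizePages`; a non-compliant site cannot be identified from the report. If the collected site object carries an identifying field, including it, e.g. `"ActualValue" : [Policy.DenyAddAndCustomizePages, Policy.<site identifier field>]`, would make the finding actionable — the field name cannot be confirmed from this hunk. The not-implemented rule for MS.SHAREPOINT.5.1v1 at the top of the hunk starts before it. The file also still ends without a trailing newline.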
@@ -1,2318 +1,2318 @@ [ - { - "ActualValue": "", - "Commandlet": [ - "Get-MgSubscribedSku", - "Get-PrivilegedUser" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.12.1v1", - "ReportDetails": "0 admin(s) that are not cloud-only found", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.AAD.4.2v1", - "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad42v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.AAD.4.3v1", - "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad43v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.AAD.4.4v1", - "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad44v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.AAD.5.1v1", - "ReportDetails": "Not currently checked automatically. 
See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad51v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.AAD.5.4v1", - "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad54v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.AAD.8.1v1", - "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad81v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.AAD.18.2v1", - "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad182v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.AAD.2.2v1", - "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad22v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.AAD.5.2v1", - "ReportDetails": "Not currently checked automatically. 
See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad52v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.AAD.5.3v1", - "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad53v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": { - "all_allow_invite_values": [ - { - "AllowInvitesFromValue": "everyone", - "PolicyId": "authorizationPolicy" - } - ] - }, - "Commandlet": [ - "Get-MgPolicyAuthorizationPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.AAD.18.1v1", - "ReportDetails": "Permission level set to \"everyone\" (authorizationPolicy)", - "RequirementMet": false - }, - { - "ActualValue": { - "all_allowed_create_values": [ - { - "DefaultUser_AllowedToCreateApps": true, - "PolicyId": "authorizationPolicy" - } - ] - }, - "Commandlet": [ - "Get-MgPolicyAuthorizationPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.6.1v1", - "ReportDetails": "1 authorization policies found that allow non-admin users to register third-party applications:<br/>authorizationPolicy", - "RequirementMet": false - }, - { - "ActualValue": { - "all_consent_policies": [ - { - "IsEnabled": true, - "PolicyId": null - } - ] - }, - "Commandlet": [ - "Get-MgPolicyAdminConsentRequestPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.7.2v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": { - "all_grant_policy_values": [ - { - "DefaultUser_DefaultGrantPolicy": [ - "ManagePermissionGrantsForSelf.microsoft-user-default-legacy" - ], - "PolicyId": "authorizationPolicy" - } - ] - }, - "Commandlet": [ - "Get-MgPolicyAuthorizationPolicy" - ], - 
"Criticality": "Shall", - "PolicyId": "MS.AAD.7.1v1", - "ReportDetails": "1 authorization policies found that allow non-admin users to consent to third-party applications:<br/>authorizationPolicy", - "RequirementMet": false - }, - { - "ActualValue": { - "all_roleid_values": [ - { - "GuestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3", - "GuestUserRoleIdString": "Limited access", - "Id": "authorizationPolicy" - } - ] - }, - "Commandlet": [ - "Get-MgPolicyAuthorizationPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.AAD.18.3v1", - "ReportDetails": "Permission level set to \"Limited access\" (authorizationPolicy)", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-MgIdentityConditionalAccessPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.9.1v1", - "ReportDetails": "0 conditional access policy(s) found that meet(s) all requirements. <a href='#caps'>View all CA policies</a>.", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-MgIdentityConditionalAccessPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.AAD.17.1v1", - "ReportDetails": "0 conditional access policy(s) found that meet(s) all requirements. 
<a href='#caps'>View all CA policies</a>.", - "RequirementMet": false - }, - { - "ActualValue": [ - "Addam Schroll", - "Andrew Huynh", - "Grant Dasher", - "Nanda Katikaneni", - "Shanti Satyapal", - "Ted Kolovos", - "Thomas Comeau" - ], - "Commandlet": [ - "Get-MgSubscribedSku", - "Get-PrivilegedUser" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.11.1v1", - "ReportDetails": "7 global admin(s) found:<br/>Addam Schroll, Andrew Huynh, Grant Dasher, Nanda Katikaneni, Shanti Satyapal, Ted Kolovos, Thomas Comeau", - "RequirementMet": false - }, - { - "ActualValue": [ - "Application Administrator", - "Cloud Application Administrator", - "Hybrid Identity Administrator", - "Privileged Role Administrator", - "SharePoint Administrator" - ], - "Commandlet": [ - "Get-MgSubscribedSku", - "Get-PrivilegedRole" - ], - "Criticality": "Should", - "PolicyId": "MS.AAD.15.1v1", - "ReportDetails": "5 role(s) that do not require approval to activate found:<br/>Application Administrator, Cloud Application Administrator, Hybrid Identity Administrator, Privileged Role Administrator, SharePoint Administrator", - "RequirementMet": false - }, - { - "ActualValue": [ - "Exchange Administrator", - "Global Administrator", - "Privileged Role Administrator", - "SharePoint Administrator" - ], - "Commandlet": [ - "Get-MgSubscribedSku", - "Get-PrivilegedRole" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.14.2v1", - "ReportDetails": "4 role(s) assigned to users outside of PIM:<br/>Exchange Administrator, Global Administrator, Privileged Role Administrator, SharePoint Administrator", - "RequirementMet": false - }, - { - "ActualValue": [ - "Global Administrator", - "SharePoint Administrator", - "User Administrator" - ], - "Commandlet": [ - "Get-MgSubscribedSku", - "Get-PrivilegedRole" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.14.1v1", - "ReportDetails": "3 role(s) configured to allow permanent active assignment or expiration period too long:<br/>Global Administrator, SharePoint 
Administrator, User Administrator", - "RequirementMet": false - }, - { - "ActualValue": [ - "Live - Block legacy authentication" - ], - "Commandlet": [ - "Get-MgIdentityConditionalAccessPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.1.1v1", - "ReportDetails": "1 conditional access policy(s) found that meet(s) all requirements:<br/>Live - Block legacy authentication. <a href='#caps'>View all CA policies</a>.", - "RequirementMet": true - }, - { - "ActualValue": [ - "Live - MFA Required for Everyone" - ], - "Commandlet": [ - "Get-MgIdentityConditionalAccessPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.4.1v1", - "ReportDetails": "1 conditional access policy(s) found that meet(s) all requirements:<br/>Live - MFA Required for Everyone. <a href='#caps'>View all CA policies</a>.", - "RequirementMet": true - }, - { - "ActualValue": [ - "Live - MFA required for Highly Privileged Roles" - ], - "Commandlet": [ - "Get-MgSubscribedSku", - "Get-PrivilegedRole", - "Get-MgIdentityConditionalAccessPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.13.1v1", - "ReportDetails": "1 conditional access policy(s) found that meet(s) all requirements:<br/>Live - MFA required for Highly Privileged Roles. <a href='#caps'>View all CA policies</a>.", - "RequirementMet": true - }, - { - "ActualValue": [ - "Live - Prevent Persistent Sessions u0026 Enforce Sign-in Frequency" - ], - "Commandlet": [ - "Get-MgIdentityConditionalAccessPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.10.1v1", - "ReportDetails": "1 conditional access policy(s) found that meet(s) all requirements:<br/>Live - Prevent Persistent Sessions u0026 Enforce Sign-in Frequency. 
<a href='#caps'>View all CA policies</a>.", - "RequirementMet": true - }, - { - "ActualValue": [ - "Live - Risky Sign Ins Block Access" - ], - "Commandlet": [ - "Get-MgIdentityConditionalAccessPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.3.1v1", - "ReportDetails": "1 conditional access policy(s) found that meet(s) all requirements:<br/>Live - Risky Sign Ins Block Access. <a href='#caps'>View all CA policies</a>.", - "RequirementMet": true - }, - { - "ActualValue": [ - "Live - Risky Users Block Access" - ], - "Commandlet": [ - "Get-MgIdentityConditionalAccessPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.2.1v1", - "ReportDetails": "1 conditional access policy(s) found that meet(s) all requirements:<br/>Live - Risky Users Block Access. <a href='#caps'>View all CA policies</a>.", - "RequirementMet": true - }, - { - "ActualValue": [ - "Privileged Role Administrator" - ], - "Commandlet": [ - "Get-MgSubscribedSku", - "Get-PrivilegedRole" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.16.2v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [ - "Privileged Role Administrator" - ], - "Commandlet": [ - "Get-MgSubscribedSku", - "Get-PrivilegedRole" - ], - "Criticality": "Should", - "PolicyId": "MS.AAD.16.3v1", - "ReportDetails": "1 role(s) without notification e-mail configured for role activations found:<br/>Privileged Role Administrator", - "RequirementMet": false - }, - { - "ActualValue": [ - "Privileged Role Administrator", - "User Administrator" - ], - "Commandlet": [ - "Get-MgSubscribedSku", - "Get-PrivilegedRole" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.16.1v1", - "ReportDetails": "2 role(s) without notification e-mail configured for role assignments found:<br/>Privileged Role Administrator, User Administrator", - "RequirementMet": false - }, - { - "ActualValue": [ - { - "Name": "EnableGroupSpecificConsent", - "SettingsGroup": "Consent Policy Settings", - "Value": "false" - } - ], 
- "Commandlet": [ - "Get-MgDirectorySetting" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.7.3v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": false, - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Control": "Defender 2.5", - "Criticality": "Shall", - "ReportDetails": "Requirement not met", - "Requirement": "All safety tips SHALL be enabled: domain impersonation default policy", - "RequirementMet": false - }, - { - "ActualValue": false, - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Control": "Defender 2.5", - "Criticality": "Shall", - "ReportDetails": "Requirement not met", - "Requirement": "All safety tips SHALL be enabled: user impersonation default policy", - "RequirementMet": false - }, - { - "ActualValue": false, - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Control": "Defender 2.5", - "Criticality": "Shall", - "ReportDetails": "Requirement not met", - "Requirement": "All safety tips SHALL be enabled: user impersonation unusual characters default policy", - "RequirementMet": false - }, - { - "ActualValue": false, - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.5.8v1", - "ReportDetails": "Requirement not met", - "RequirementMet": false - }, - { - "ActualValue": true, - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Control": "Defender 2.5", - "Criticality": "Shall", - "ReportDetails": "Requirement met", - "Requirement": "All safety tips SHALL be enabled: \"?\" for unauthenticated senders for spoof default policy", - "RequirementMet": true - }, - { - "ActualValue": true, - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Control": "Defender 2.5", - "Criticality": "Shall", - "ReportDetails": "Requirement met", - "Requirement": "All safety tips SHALL be enabled: \"via\" tag default policy", - "RequirementMet": true - }, - { - "ActualValue": true, - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Control": "Defender 2.6", - "Criticality": 
"Shall", - "ReportDetails": "Requirement met", - "Requirement": "Zero-hour auto purge (ZAP) SHALL be enabled for phishing: default policy", - "RequirementMet": true - }, - { - "ActualValue": true, - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Control": "Defender 2.6", - "Criticality": "Shall", - "ReportDetails": "Requirement met", - "Requirement": "Zero-hour auto purge (ZAP) SHALL be enabled for spam messages: default policy", - "RequirementMet": true - }, - { - "ActualValue": true, - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.6.7v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": true, - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.DEFENDER.6.6v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": 7, - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.DEFENDER.6.1v1", - "ReportDetails": "Requirement not met", - "RequirementMet": false - }, - { - "ActualValue": 15, - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.DEFENDER.6.5v1", - "ReportDetails": "Requirement not met", - "RequirementMet": false - }, - { - "ActualValue": "MoveToJmf", - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.5.7v1", - "ReportDetails": "Requirement not met", - "RequirementMet": false - }, - { - "ActualValue": "MoveToJmf", - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Control": "Defender 2.6", - "Criticality": "Shall", - "ReportDetails": "Requirement met", - "Requirement": "High confidence spam SHALL be moved to either the junk email folder or the quarantine folder: default policy", - "RequirementMet": true - }, - { - "ActualValue": "MoveToJmf", - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - 
"Criticality": "Shall", - "PolicyId": "MS.DEFENDER.6.2v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": "MoveToJmf", - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.6.3v1", - "ReportDetails": "Requirement not met", - "RequirementMet": false - }, - { - "ActualValue": "MoveToJmf", - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.DEFENDER.6.4v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": "NoAction", - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Control": "Defender 2.5", - "Criticality": "Shall", - "ReportDetails": "Requirement not met", - "Requirement": "Message action SHALL be set to quarantine if the message is detected as impersonated: domains default policy", - "RequirementMet": false - }, - { - "ActualValue": "NoAction", - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Control": "Defender 2.5", - "Criticality": "Shall", - "ReportDetails": "Requirement not met", - "Requirement": "Message action SHALL be set to quarantine if the message is detected as impersonated: mailbox default policy", - "RequirementMet": false - }, - { - "ActualValue": "NoAction", - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.5.6v1", - "ReportDetails": "Requirement not met", - "RequirementMet": false - }, - { - "ActualValue": "Quarantine", - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Control": "Defender 2.6", - "Criticality": "Shall", - "ReportDetails": "Requirement met", - "Requirement": "High confidence phishing SHALL be quarantined: default policy", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.DEFENDER.10.2v1", - "ReportDetails": "Not currently checked automatically. 
See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/defender.md#msdefender102v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.DEFENDER.10.3v1", - "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/defender.md#msdefender103v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.DEFENDER.2.5v1", - "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/defender.md#msdefender25v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.DEFENDER.2.6v1", - "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/defender.md#msdefender26v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.DEFENDER.9.2v1", - "ReportDetails": "Not currently checked automatically. 
See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/defender.md#msdefender92v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Control": "Defender 2.5", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "All safety tips SHOULD be enabled: \"?\" for unauthenticated senders for spoof non-default policies", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Control": "Defender 2.5", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "All safety tips SHOULD be enabled: \"via\" tag non-default policies", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Control": "Defender 2.5", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "All safety tips SHOULD be enabled: domain impersonation non-default policies", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Control": "Defender 2.5", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "All safety tips SHOULD be enabled: first contact non-default policies", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Control": "Defender 2.5", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "All safety tips SHOULD be enabled: user impersonation non-default policies", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Control": "Defender 2.5", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "All safety tips SHOULD be enabled: user impersonation unusual characters non-default policies", - "RequirementMet": 
true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Control": "Defender 2.5", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "Mail classified as spoofed SHOULD be quarantined: non-default policies", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Control": "Defender 2.5", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "Message action SHOULD be set to quarantine if the message is detected as impersonated: domains non-default policies", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Control": "Defender 2.5", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "Message action SHOULD be set to quarantine if the message is detected as impersonated: mailbox non-default policies", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Control": "Defender 2.5", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "Message action SHOULD be set to quarantine if the message is detected as impersonated: users non-default policies", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.DEFENDER.5.1v1", - "ReportDetails": "No users are included for targeted user protection.", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.DEFENDER.5.2v1", - "ReportDetails": "Requirement not met", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.DEFENDER.5.3v1", - "ReportDetails": "The Custom Domains protection policies: Enabled, EnableTargetedDomainsProtection, and 
TargetedDomainsToProtect are not set correctly", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-AntiPhishPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.DEFENDER.5.5v1", - "ReportDetails": "Requirement not met", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-DLPCompliancePolicy" - ], - "Control": "Defender 2.2", - "Criticality": "Should", - "ReportDetails": "No policy found that applies to OneDrive.", - "Requirement": "The custom policy SHOULD be applied in OneDrive", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-DLPCompliancePolicy" - ], - "Control": "Defender 2.2", - "Criticality": "Should", - "ReportDetails": "No policy found that applies to SharePoint.", - "Requirement": "The custom policy SHOULD be applied in SharePoint", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-DLPCompliancePolicy" - ], - "Control": "Defender 2.2", - "Criticality": "Should", - "ReportDetails": "No policy found that applies to Teams.", - "Requirement": "The custom policy SHOULD be applied in Teams", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-DLPCompliancePolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.DEFENDER.2.2v1", - "ReportDetails": "No policy found that applies to Exchange.", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-DlpComplianceRule" - ], - "Control": "Defender 2.2", - "Criticality": "Shall", - "ReportDetails": "No matching rule found for Credit Card Number", - "Requirement": "A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency: Credit Card Number", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-DlpComplianceRule" - ], - "Control": "Defender 2.2", - "Criticality": "Shall", - "ReportDetails": "No matching rule found for U.S. 
Individual Taxpayer Identification Number (ITIN)", - "Requirement": "A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency: U.S. Individual Taxpayer Identification Number (ITIN)", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-DlpComplianceRule" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.2.1v1", - "ReportDetails": "No matching rule found for U.S. Social Security Number (SSN)", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-DlpComplianceRule" - ], - "Criticality": "Should", - "PolicyId": "MS.DEFENDER.2.3v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-DlpComplianceRule" - ], - "Criticality": "Should", - "PolicyId": "MS.DEFENDER.2.4v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-EOPProtectionPolicyRule" - ], - "Control": "Defender 2.1", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "Strict Preset security profiles SHOULD NOT be used", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-EOPProtectionPolicyRule" - ], - "Criticality": "Should", - "PolicyId": "MS.DEFENDER.1.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Control": "Defender 2.6", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "Allowed senders MAY be added but allowed domains SHOULD NOT be added: non-default", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Control": "Defender 2.6", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "Bulk email SHOULD be moved to either the junk email folder or the quarantine folder: 
non-default policies", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Control": "Defender 2.6", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "High confidence phishing SHOULD be quarantined: non-default policies", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Control": "Defender 2.6", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "High confidence spam SHOULD be moved to either the junk email folder or the quarantine folder: non-default policies", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Control": "Defender 2.6", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "Phishing SHOULD be quarantined: non-default policies", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Control": "Defender 2.6", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "Spam SHOULD be moved to either the junk email folder or the quarantine folder: non-default policies", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Control": "Defender 2.6", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "Spam in quarantine SHOULD be retained for at least 30 days: non-default policies", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Control": "Defender 2.6", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "Spam safety tips SHOULD be turned on: non-default policies", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Control": "Defender 2.6", - 
"Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "The bulk complaint level (BCL) threshold SHOULD be set to six or lower: non-default policies", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Control": "Defender 2.6", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "Zero-hour auto purge (ZAP) SHOULD be enabled for Spam: non-default", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Control": "Defender 2.6", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "Zero-hour auto purge (ZAP) SHOULD be enabled for phishing: non-default", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Control": "Defender 2.6", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "Zero-hour auto purge (ZAP) SHOULD be enabled: non-default", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-HostedContentFilterPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.6.8v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-MalwareFilterPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.3.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-MalwareFilterPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.DEFENDER.4.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-SafeAttachmentPolicy", - "Get-SafeAttachmentRule", - "Get-AcceptedDomain" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.8.2v1", - "ReportDetails": "No enabled policy found with action set to block that apply to all domains", - 
"RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-SafeAttachmentPolicy", - "Get-SafeAttachmentRule", - "Get-AcceptedDomain" - ], - "Criticality": "Should", - "PolicyId": "MS.DEFENDER.8.3v1", - "ReportDetails": "No enabled policy found with action set to block and at least one contact specified", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-SafeAttachmentRule", - "Get-AcceptedDomain" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.8.1v1", - "ReportDetails": "No policy found that applies to all domains: alexwilber.myo365.site, y2zj1.onmicrosoft.com", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-SafeLinksPolicy", - "Get-SafeLinksRule" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.7.2v1", - "ReportDetails": "Requirement not met", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-SafeLinksPolicy", - "Get-SafeLinksRule" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.7.3v1", - "ReportDetails": "Requirement not met", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-SafeLinksPolicy", - "Get-SafeLinksRule" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.7.4v1", - "ReportDetails": "Requirement not met", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-SafeLinksPolicy", - "Get-SafeLinksRule" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.7.5v1", - "ReportDetails": "Requirement not met", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-SafeLinksPolicy", - "Get-SafeLinksRule" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.7.6v1", - "ReportDetails": "Requirement not met", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-SafeLinksPolicy", - "Get-SafeLinksRule" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.7.7v1", - "ReportDetails": "Requirement not 
met", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-SafeLinksPolicy", - "Get-SafeLinksRule" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.7.8v1", - "ReportDetails": "Requirement not met", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-SafeLinksPolicy", - "Get-SafeLinksRule" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.7.9v1", - "ReportDetails": "Requirement not met", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-SafeLinksRule", - "Get-AcceptedDomain" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.7.1v1", - "ReportDetails": "No policy found that applies to all domains: alexwilber.myo365.site, y2zj1.onmicrosoft.com", - "RequirementMet": false - }, - { - "ActualValue": [ - "A potentially malicious URL click was detected", - "Malware campaign detected after delivery", - "Messages have been delayed", - "Suspicious Email Forwarding Activity", - "Suspicious connector activity", - "Suspicious email sending patterns detected", - "Tenant restricted from sending unprovisioned email", - "Unusual increase in email reported as phish", - "User restricted from sending email" - ], - "Commandlet": [ - "Get-ProtectionAlert" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.9.1v1", - "ReportDetails": "9 disabled required alert(s) found: A potentially malicious URL click was detected, Malware campaign detected after delivery, Messages have been delayed, Suspicious Email Forwarding Activity, Suspicious connector activity, Suspicious email sending patterns detected, Tenant restricted from sending unprovisioned email, Unusual increase in email reported as phish, User restricted from sending email", - "RequirementMet": false - }, - { - "ActualValue": [ - "Default" - ], - "Commandlet": [ - "Get-MalwareFilterPolicy" - ], - "Control": "Defender 2.3", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "Disallowed file 
types SHALL be determined and set. At a minimum, click-to-run files SHOULD be blocked: cmd files", - "RequirementMet": true - }, - { - "ActualValue": [ - "Default" - ], - "Commandlet": [ - "Get-MalwareFilterPolicy" - ], - "Control": "Defender 2.3", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "Disallowed file types SHALL be determined and set. At a minimum, click-to-run files SHOULD be blocked: vbe files", - "RequirementMet": true - }, - { - "ActualValue": [ - "Default" - ], - "Commandlet": [ - "Get-MalwareFilterPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.DEFENDER.3.2v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [ - { - "EnableATPForSPOTeamsODB": true, - "Identity": "Default" - } - ], - "Commandlet": [ - "Get-AtpPolicyForO365" - ], - "Criticality": "Should", - "PolicyId": "MS.DEFENDER.8.4v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [ - { - "Identity": "Admin Audit Log Settings", - "UnifiedAuditLogIngestionEnabled": true - } - ], - "Commandlet": [ - "Get-AdminAuditLogConfig" - ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.10.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.10.1v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.10.2v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. 
Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.14.1v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.14.2v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.14.3v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.16.1v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.17.1v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.17.2v1", - "ReportDetails": "Custom implementation allowed. 
If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.17.3v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.8.1v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.8.2v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.9.1v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.9.3v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. 
Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.EXO.2.1v1", - "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/exo.md#msexo21v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.EXO.10.3v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.EXO.11.1v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.EXO.11.2v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.EXO.11.3v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. 
Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.EXO.15.1v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.EXO.15.2v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.EXO.15.3v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.EXO.16.2v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.EXO.9.2v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. 
Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-ScubaDmarcRecords", - "Get-AcceptedDomain" - ], - "Criticality": "Shall", - "PolicyId": "MS.EXO.4.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-ScubaDmarcRecords", - "Get-AcceptedDomain" - ], - "Criticality": "Shall", - "PolicyId": "MS.EXO.4.2v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-ScubaDmarcRecords", - "Get-AcceptedDomain" - ], - "Criticality": "Shall", - "PolicyId": "MS.EXO.4.3v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-ScubaDmarcRecords", - "Get-AcceptedDomain" - ], - "Criticality": "Should", - "PolicyId": "MS.EXO.4.4v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-TransportRule" - ], - "Criticality": "Shall", - "PolicyId": "MS.EXO.7.1v1", - "ReportDetails": "No transport rule found that applies warnings to emails received from outside the organization", - "RequirementMet": false - }, - { - "ActualValue": [ - [], - [ - null - ] - ], - "Commandlet": [ - "Get-DkimSigningConfig", - "Get-ScubaDkimRecords", - "Get-AcceptedDomain" - ], - "Criticality": "Should", - "PolicyId": "MS.EXO.3.1v1", - "ReportDetails": "1 of 1 agency domain(s) found in violation: alexwilber.myo365.site", - "RequirementMet": false - }, - { - "ActualValue": [ - { - "AddressBookPolicyRoutingEnabled": false, - "AdminDisplayName": "", - "AgentGeneratedMessageLoopDetectionInSmtpEnabled": true, - "AgentGeneratedMessageLoopDetectionInSubmissionEnabled": true, - "AllowLegacyTLSClients": false, - "AnonymousSenderToRecipientRatePerHour": 1800, - "AttributionRejectBeforeMServRequest": false, - "AttributionRejectConsumerMessages": false, - "ClearCategories": true, - 
"ConvertDisclaimerWrapperToEml": false, - "ConvertReportToMessage": false, - "CurrentTransportSystemState": "Green", - "DSNConversionMode": "PreserveDSNBody", - "DiagnosticsAggregationServicePort": 9710, - "DistinguishedName": "CN=Transport Settings,CN=Configuration,CN=y2zj1.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR10A008,DC=PROD,DC=OUTLOOK,DC=COM", - "EnableExternalHTTPMailDelivery": false, - "ExchangeObjectId": "b4f29764-fa61-4718-ac8d-29e1ad3007b9", - "ExchangeVersion": "0.1 (8.0.535.0)", - "ExternalDelayDsnEnabled": true, - "ExternalDsnDefaultLanguage": null, - "ExternalDsnLanguageDetectionEnabled": true, - "ExternalDsnMaxMessageAttachSize": "10 MB (10,485,760 bytes)", - "ExternalDsnReportingAuthority": null, - "ExternalDsnSendHtml": true, - "ExternalPostmasterAddress": null, - "GenerateCopyOfDSNFor": [], - "Guid": "b4f29764-fa61-4718-ac8d-29e1ad3007b9", - "HeaderPromotionModeSetting": "NoCreate", - "HygieneSuite": "Premium", - "Id": "Transport Settings", - "Identity": "Transport Settings", - "InternalDelayDsnEnabled": true, - "InternalDsnDefaultLanguage": null, - "InternalDsnLanguageDetectionEnabled": true, - "InternalDsnMaxMessageAttachSize": "10 MB (10,485,760 bytes)", - "InternalDsnReportingAuthority": null, - "InternalDsnSendHtml": true, - "InternalSMTPServers": [], - "IsValid": true, - "JournalArchivingEnabled": false, - "JournalMessageExpirationDays": 0, - "JournalReportDLMemberSubstitutionEnabled": false, - "JournalingReportNdrTo": "u003cu003e", - "LegacyArchiveJournalingEnabled": false, - "LegacyArchiveLiveJournalingEnabled": false, - "LegacyJournalingMigrationEnabled": false, - "MaxAllowedAgentGeneratedMessageDepth": 3, - "MaxAllowedAgentGeneratedMessageDepthPerAgent": 2, - "MaxDumpsterSizePerDatabase": "18 MB (18,874,368 bytes)", - "MaxDumpsterTime": "7.00:00:00", - "MaxReceiveSize": "Unlimited", - "MaxRecipientEnvelopeLimit": "Unlimited", - "MaxSendSize": "Unlimited", - "MessageExpiration": "1.00:00:00", - "MigrationEnabled": true, - "Name": 
"Transport Settings", - "ObjectCategory": "NAMPR10A008.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Transport-Settings", - "ObjectClass": [ - "top", - "container", - "msExchTransportSettings" - ], - "ObjectState": "Unchanged", - "OpenDomainRoutingEnabled": false, - "OrganizationFederatedMailbox": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@y2zj1.onmicrosoft.com", - "OrganizationId": "NAMPR10A008.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/y2zj1.onmicrosoft.com - NAMPR10A008.PROD.OUTLOOK.COM/ConfigurationUnits/y2zj1.onmicrosoft.com/Configuration", - "OrganizationalUnitRoot": "y2zj1.onmicrosoft.com", - "OriginatingServer": "DM5PR10A08DC002.NAMPR10A008.PROD.OUTLOOK.COM", - "OtherWellKnownObjects": [], - "PreserveReportBodypart": true, - "QueueDiagnosticsAggregationInterval": "00:01:00", - "RedirectDLMessagesForLegacyArchiveJournaling": false, - "RedirectUnprovisionedUserMessagesForLegacyArchiveJournaling": false, - "ReplyAllStormBlockDurationHours": 6, - "ReplyAllStormDetectionMinimumRecipients": 2500, - "ReplyAllStormDetectionMinimumReplies": 10, - "ReplyAllStormProtectionEnabled": true, - "Rfc2231EncodingEnabled": false, - "SafetyNetHoldTime": "7.00:00:00", - "SmtpClientAuthenticationDisabled": true, - "SupervisionTags": [ - "Reject", - "Allow" - ], - "TLSReceiveDomainSecureList": [], - "TLSSendDomainSecureList": [], - "TransportRuleAttachmentTextScanLimit": "1 MB (1,048,576 bytes)", - "TransportRuleCollectionAddedRecipientsLimit": 100, - "TransportRuleCollectionRegexCharsLimit": "20 KB (20,480 bytes)", - "TransportRuleConfig": [ - "TransportRuleMinProductVersion:14.0.0.0", - "TransportRuleRegexValidationTimeout:00:00:00.3000000", - "TransportRuleAttachmentTextScanLimit:1 MB (1,048,576 bytes)", - "TransportRuleSizeLimit:8 KB (8,192 bytes)", - "TransportRuleCollectionRegexCharsLimit:20 KB (20,480 bytes)", - "TransportRuleLimit:300", - "TransportRuleCollectionAddedRecipientsLimit:100" - ], - "TransportRuleLimit": 300, - 
"TransportRuleMinProductVersion": { - "Build": 0, - "Major": 14, - "MajorRevision": 0, - "Minor": 0, - "MinorRevision": 0, - "Revision": 0 - }, - "TransportRuleRegexValidationTimeout": "00:00:00.3000000", - "TransportRuleSizeLimit": "8 KB (8,192 bytes)", - "TransportSystemState": "", - "VerifySecureSubmitEnabled": false, - "VoicemailJournalingEnabled": true, - "WhenChanged": "/Date(1643184486000)/", - "WhenChangedUTC": "/Date(1643184486000)/", - "WhenCreated": "/Date(1643059670000)/", - "WhenCreatedUTC": "/Date(1643059670000)/", - "Xexch50Enabled": true - } - ], - "Commandlet": [ - "Get-TransportConfig" - ], - "Criticality": "Shall", - "PolicyId": "MS.EXO.5.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [ - { - "AdminDisplayName": "", - "Default": true, - "DistinguishedName": "CN=Default Sharing Policy,CN=Federation,CN=Configuration,CN=y2zj1.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR10A008,DC=PROD,DC=OUTLOOK,DC=COM", - "Domains": [ - "Anonymous:CalendarSharingFreeBusyReviewer", - "*:CalendarSharingFreeBusySimple" - ], - "Enabled": true, - "ExchangeObjectId": "2f1ca8cf-5ba5-45e3-b73a-1405ff552a2e", - "ExchangeVersion": "0.10 (14.0.100.0)", - "Guid": "2f1ca8cf-5ba5-45e3-b73a-1405ff552a2e", - "Id": "Default Sharing Policy", - "Identity": "Default Sharing Policy", - "IsValid": true, - "Name": "Default Sharing Policy", - "ObjectCategory": "NAMPR10A008.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Sharing-Policy", - "ObjectClass": [ - "top", - "msExchSharingPolicy" - ], - "ObjectState": "Changed", - "OrganizationId": "NAMPR10A008.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/y2zj1.onmicrosoft.com - NAMPR10A008.PROD.OUTLOOK.COM/ConfigurationUnits/y2zj1.onmicrosoft.com/Configuration", - "OrganizationalUnitRoot": "y2zj1.onmicrosoft.com", - "OriginatingServer": "DM5PR10A08DC002.NAMPR10A008.PROD.OUTLOOK.COM", - "WhenChanged": "/Date(1645650761000)/", - "WhenChangedUTC": "/Date(1645650761000)/", - "WhenCreated": 
"/Date(1645650752000)/", - "WhenCreatedUTC": "/Date(1645650752000)/" - } - ], - "Commandlet": [ - "Get-SharingPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.EXO.6.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [ - { - "AdminDisplayName": "", - "Default": true, - "DistinguishedName": "CN=Default Sharing Policy,CN=Federation,CN=Configuration,CN=y2zj1.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR10A008,DC=PROD,DC=OUTLOOK,DC=COM", - "Domains": [ - "Anonymous:CalendarSharingFreeBusyReviewer", - "*:CalendarSharingFreeBusySimple" - ], - "Enabled": true, - "ExchangeObjectId": "2f1ca8cf-5ba5-45e3-b73a-1405ff552a2e", - "ExchangeVersion": "0.10 (14.0.100.0)", - "Guid": "2f1ca8cf-5ba5-45e3-b73a-1405ff552a2e", - "Id": "Default Sharing Policy", - "Identity": "Default Sharing Policy", - "IsValid": true, - "Name": "Default Sharing Policy", - "ObjectCategory": "NAMPR10A008.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Sharing-Policy", - "ObjectClass": [ - "top", - "msExchSharingPolicy" - ], - "ObjectState": "Changed", - "OrganizationId": "NAMPR10A008.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/y2zj1.onmicrosoft.com - NAMPR10A008.PROD.OUTLOOK.COM/ConfigurationUnits/y2zj1.onmicrosoft.com/Configuration", - "OrganizationalUnitRoot": "y2zj1.onmicrosoft.com", - "OriginatingServer": "DM5PR10A08DC002.NAMPR10A008.PROD.OUTLOOK.COM", - "WhenChanged": "/Date(1645650761000)/", - "WhenChangedUTC": "/Date(1645650761000)/", - "WhenCreated": "/Date(1645650752000)/", - "WhenCreatedUTC": "/Date(1645650752000)/" - } - ], - "Commandlet": [ - "Get-SharingPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.EXO.6.2v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [ - { - "AdminDisplayName": "", - "DirectoryBasedEdgeBlockMode": "Default", - "DistinguishedName": "CN=Default,CN=Hosted Connection Filter,CN=Transport 
Settings,CN=Configuration,CN=y2zj1.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR10A008,DC=PROD,DC=OUTLOOK,DC=COM", - "EnableSafeList": false, - "ExchangeObjectId": "3843aef3-f3bd-49c1-a674-4d6741ac11b6", - "ExchangeVersion": "0.20 (15.0.0.0)", - "Guid": "3843aef3-f3bd-49c1-a674-4d6741ac11b6", - "IPAllowList": [], - "IPBlockList": [], - "Id": "Default", - "Identity": "Default", - "IsDefault": true, - "IsValid": true, - "Name": "Default", - "ObjectCategory": "NAMPR10A008.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Hosted-Connection-Filter-Policy", - "ObjectClass": [ - "top", - "msExchHostedConnectionFilterPolicy" - ], - "ObjectState": "Unchanged", - "OrganizationId": "NAMPR10A008.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/y2zj1.onmicrosoft.com - NAMPR10A008.PROD.OUTLOOK.COM/ConfigurationUnits/y2zj1.onmicrosoft.com/Configuration", - "OrganizationalUnitRoot": "y2zj1.onmicrosoft.com", - "OriginatingServer": "DM5PR10A08DC002.NAMPR10A008.PROD.OUTLOOK.COM", - "WhenChanged": "/Date(1645650833000)/", - "WhenChangedUTC": "/Date(1645650833000)/", - "WhenCreated": "/Date(1645650828000)/", - "WhenCreatedUTC": "/Date(1645650828000)/" - } - ], - "Commandlet": [ - "Get-HostedConnectionFilterPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.EXO.12.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [ - { - "AdminDisplayName": "", - "DirectoryBasedEdgeBlockMode": "Default", - "DistinguishedName": "CN=Default,CN=Hosted Connection Filter,CN=Transport Settings,CN=Configuration,CN=y2zj1.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR10A008,DC=PROD,DC=OUTLOOK,DC=COM", - "EnableSafeList": false, - "ExchangeObjectId": "3843aef3-f3bd-49c1-a674-4d6741ac11b6", - "ExchangeVersion": "0.20 (15.0.0.0)", - "Guid": "3843aef3-f3bd-49c1-a674-4d6741ac11b6", - "IPAllowList": [], - "IPBlockList": [], - "Id": "Default", - "Identity": "Default", - "IsDefault": true, - "IsValid": true, - "Name": "Default", - "ObjectCategory": 
"NAMPR10A008.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Hosted-Connection-Filter-Policy", - "ObjectClass": [ - "top", - "msExchHostedConnectionFilterPolicy" - ], - "ObjectState": "Unchanged", - "OrganizationId": "NAMPR10A008.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/y2zj1.onmicrosoft.com - NAMPR10A008.PROD.OUTLOOK.COM/ConfigurationUnits/y2zj1.onmicrosoft.com/Configuration", - "OrganizationalUnitRoot": "y2zj1.onmicrosoft.com", - "OriginatingServer": "DM5PR10A08DC002.NAMPR10A008.PROD.OUTLOOK.COM", - "WhenChanged": "/Date(1645650833000)/", - "WhenChangedUTC": "/Date(1645650833000)/", - "WhenCreated": "/Date(1645650828000)/", - "WhenCreatedUTC": "/Date(1645650828000)/" - } - ], - "Commandlet": [ - "Get-HostedConnectionFilterPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.EXO.12.2v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [ - { - "AuditDisabled": false, - "DisplayName": "y2zj1", - "Name": "y2zj1.onmicrosoft.com" - } - ], - "Commandlet": [ - "Get-OrganizationConfig" - ], - "Criticality": "Shall", - "PolicyId": "MS.EXO.13.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-ScubaSpfRecords", - "Get-AcceptedDomain" - ], - "Criticality": "Shall", - "PolicyId": "MS.EXO.2.2v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [ - "*" - ], - "Commandlet": [ - "Get-RemoteDomain" - ], - "Criticality": "Shall", - "PolicyId": "MS.EXO.1.1v1", - "ReportDetails": "1 remote domain(s) that allows automatic forwarding: *", - "RequirementMet": false - }, - { - "ActualValue": "PowerShell Error", - "Commandlet": [ - "Get-DlpPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.POWERPLATFORM.2.2v1", - "ReportDetails": "PowerShell Error", - "RequirementMet": false - }, - { - "ActualValue": "PowerShell Error", - "Commandlet": [ - "Get-PowerAppTenantIsolationPolicy" - ], - "Criticality": "Shall", - 
"PolicyId": "MS.POWERPLATFORM.3.1v1", - "ReportDetails": "PowerShell Error", - "RequirementMet": false - }, - { - "ActualValue": "PowerShell Error", - "Commandlet": [ - "Get-TenantSettings" - ], - "Control": "Power Platform 2.1", - "Criticality": "Shall", - "ReportDetails": "PowerShell Error", - "Requirement": "The ability to create trial environments SHALL be restricted to admins", - "RequirementMet": false - }, - { - "ActualValue": "PowerShell Error", - "Commandlet": [ - "Get-TenantSettings" - ], - "Criticality": "Shall", - "PolicyId": "MS.POWERPLATFORM.1.1v1", - "ReportDetails": "PowerShell Error", - "RequirementMet": false - }, - { - "ActualValue": "PowerShell error", - "Commandlet": [ - "Get-DlpPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.POWERPLATFORM.2.3v1", - "ReportDetails": "PowerShell error", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.POWERPLATFORM.4.1v1", - "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/powerplatform.md#mspowerplatform41v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.POWERPLATFORM.3.2v1", - "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/powerplatform.md#mspowerplatform32v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.POWERPLATFORM.3.3v1", - "ReportDetails": "Not currently checked automatically. 
See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/powerplatform.md#mspowerplatform33v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-DlpPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.POWERPLATFORM.2.1v1", - "ReportDetails": "No policy found that applies to default environment", - "RequirementMet": false - }, - { - "ActualValue": 1, - "Commandlet": [ - "Get-SPOTenant", - "Get-PnPTenant" - ], - "Criticality": "Should", - "PolicyId": "MS.SHAREPOINT.1.3v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": 2, - "Commandlet": [ - "Get-SPOSite", - "Get-PnPTenantSite" - ], - "Control": "Sharepoint 2.5", - "Criticality": "Shall", - "ReportDetails": "Requirement met", - "Requirement": "Users SHALL be prevented from running custom scripts on self-service created sites", - "RequirementMet": true - }, - { - "ActualValue": 2, - "Commandlet": [ - "Get-SPOTenant", - "Get-PnPTenant" - ], - "Criticality": "Shall", - "PolicyId": "MS.SHAREPOINT.1.1v1", - "ReportDetails": "Requirement not met", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Control": "Sharepoint 2.5", - "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.SHAREPOINT.TBD", - "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/sharepoint.md#mssharepointtbd\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "Requirement": "Users SHALL be prevented from running custom scripts on personal sites (OneDrive)", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.SHAREPOINT.1.2v1", - "ReportDetails": "Not currently checked automatically. 
See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/sharepoint.md#mssharepoint12v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.SHAREPOINT.2.1v1", - "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/sharepoint.md#mssharepoint21v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [ - 1, - true, - 29 - ], - "Commandlet": [ - "Get-SPOTenant", - "Get-PnPTenant" - ], - "Control": "Sharepoint 2.4", - "Criticality": "Should", - "ReportDetails": "Requirement not met: Expiration timer for 'People who use a verification code' NOT set to 30 days", - "Requirement": "Expiration timer for 'People who use a verification code' should be set to 30 days", - "RequirementMet": false - }, - { - "ActualValue": [ - 1, - true, - 31 - ], - "Commandlet": [ - "Get-SPOTenant", - "Get-PnPTenant" - ], - "Criticality": "Should", - "PolicyId": "MS.SHAREPOINT.3.1v1", - "ReportDetails": "Requirement not met: Expiration timer for 'Guest access to a site or OneDrive' NOT set to 30 days", - "RequirementMet": false - }, - { - "ActualValue": true, - "Commandlet": [ - "Get-CsTeamsMeetingPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.TEAMS.9.1v1", - "ReportDetails": "Requirement not met", - "RequirementMet": false - }, - { - "ActualValue": "AlwaysEnabled", - "Commandlet": [ - "Get-CsTeamsMeetingBroadcastPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.TEAMS.10.1v1", - "ReportDetails": "Requirement not met", - "RequirementMet": false - }, - { - "ActualValue": "EveryoneInCompany", - "Commandlet": [ - "Get-CsTeamsMeetingPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.TEAMS.3.2v1", - "ReportDetails": 
"Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.TEAMS.11.1v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.TEAMS.11.4v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.TEAMS.8.3v1", - "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/teams.md#msteams83v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.TEAMS.11.2v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.TEAMS.12.1v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.TEAMS.12.2v1", - "ReportDetails": "Custom implementation allowed. 
If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.TEAMS.13.1v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.TEAMS.13.2v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [], - "Commandlet": [], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.TEAMS.13.3v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. 
Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [ - "EveryoneInCompany", - false - ], - "Commandlet": [ - "Get-CsTeamsMeetingPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.TEAMS.3.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [ - [], - "MicrosoftCommunicationsOnline/NOAM-ED6-A7" - ], - "Commandlet": [ - "Get-CsTeamsClientConfiguration" - ], - "Criticality": "Shall", - "PolicyId": "MS.TEAMS.7.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-CsTeamsAppPermissionPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.TEAMS.8.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-CsTeamsMeetingPolicy" - ], - "Control": "Teams 2.4", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "Anonymous users SHOULD be enabled to join meetings", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-CsTeamsMeetingPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.TEAMS.2.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-CsTeamsMeetingPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.TEAMS.1.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-CsTeamsMeetingPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.TEAMS.9.3v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-CsTenantFederationConfiguration" - ], - "Criticality": "Shall", - "PolicyId": "MS.TEAMS.4.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [], - "Commandlet": [ - "Get-CsTenantFederationConfiguration" - ], - "Criticality": 
"Shall", - "PolicyId": "MS.TEAMS.6.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [ - "Global" - ], - "Commandlet": [ - "Get-CsTeamsAppPermissionPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.TEAMS.8.2av1", - "ReportDetails": "1 meeting policy(ies) found that allow custom apps by default: Global", - "RequirementMet": false - }, - { - "ActualValue": [ - "Global" - ], - "Commandlet": [ - "Get-CsTeamsAppPermissionPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.TEAMS.8.2v1", - "ReportDetails": "1 meeting policy(ies) found that allow third-party apps by default: Global", - "RequirementMet": false - }, - { - "ActualValue": [ - "Global" - ], - "Commandlet": [ - "Get-CsTenantFederationConfiguration" - ], - "Criticality": "Shall", - "PolicyId": "MS.TEAMS.5.1v1", - "ReportDetails": "1 Configuration allowed unmanaged users to initiate contact with internal user across domains: Global", - "RequirementMet": false - }, - { - "ActualValue": [ - "Global" - ], - "Commandlet": [ - "Get-CsTenantFederationConfiguration" - ], - "Criticality": "Should", - "PolicyId": "MS.TEAMS.5.2v1", - "ReportDetails": "1 Internal users are enabled to initiate contact with unmanaged users across domains: Global", - "RequirementMet": false - } + { + "ActualValue": "", + "Commandlet": [ + "Get-MgSubscribedSku", + "Get-PrivilegedUser" + ], + "Criticality": "Shall", + "PolicyId": "MS.AAD.12.1v1", + "ReportDetails": "0 admin(s) that are not cloud-only found", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/Not-Implemented", + "PolicyId": "MS.AAD.4.2v1", + "ReportDetails": "Not currently checked automatically. 
See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad42v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/Not-Implemented", + "PolicyId": "MS.AAD.4.3v1", + "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad43v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/Not-Implemented", + "PolicyId": "MS.AAD.4.4v1", + "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad44v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/Not-Implemented", + "PolicyId": "MS.AAD.5.1v1", + "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad51v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/Not-Implemented", + "PolicyId": "MS.AAD.5.4v1", + "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad54v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/Not-Implemented", + "PolicyId": "MS.AAD.8.1v1", + "ReportDetails": "Not currently checked automatically. 
See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad81v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/Not-Implemented", + "PolicyId": "MS.AAD.18.2v1", + "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad182v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/Not-Implemented", + "PolicyId": "MS.AAD.2.2v1", + "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad22v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/Not-Implemented", + "PolicyId": "MS.AAD.5.2v1", + "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad52v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/Not-Implemented", + "PolicyId": "MS.AAD.5.3v1", + "ReportDetails": "Not currently checked automatically. 
See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad53v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": { + "all_allow_invite_values": [ + { + "AllowInvitesFromValue": "everyone", + "PolicyId": "authorizationPolicy" + } + ] + }, + "Commandlet": [ + "Get-MgPolicyAuthorizationPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.AAD.18.1v1", + "ReportDetails": "Permission level set to \"everyone\" (authorizationPolicy)", + "RequirementMet": false + }, + { + "ActualValue": { + "all_allowed_create_values": [ + { + "DefaultUser_AllowedToCreateApps": true, + "PolicyId": "authorizationPolicy" + } + ] + }, + "Commandlet": [ + "Get-MgPolicyAuthorizationPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.AAD.6.1v1", + "ReportDetails": "1 authorization policies found that allow non-admin users to register third-party applications:<br/>authorizationPolicy", + "RequirementMet": false + }, + { + "ActualValue": { + "all_consent_policies": [ + { + "IsEnabled": true, + "PolicyId": null + } + ] + }, + "Commandlet": [ + "Get-MgPolicyAdminConsentRequestPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.AAD.7.2v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": { + "all_grant_policy_values": [ + { + "DefaultUser_DefaultGrantPolicy": [ + "ManagePermissionGrantsForSelf.microsoft-user-default-legacy" + ], + "PolicyId": "authorizationPolicy" + } + ] + }, + "Commandlet": [ + "Get-MgPolicyAuthorizationPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.AAD.7.1v1", + "ReportDetails": "1 authorization policies found that allow non-admin users to consent to third-party applications:<br/>authorizationPolicy", + "RequirementMet": false + }, + { + "ActualValue": { + "all_roleid_values": [ + { + "GuestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3", + "GuestUserRoleIdString": "Limited access", + "Id": 
"authorizationPolicy" + } + ] + }, + "Commandlet": [ + "Get-MgPolicyAuthorizationPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.AAD.18.3v1", + "ReportDetails": "Permission level set to \"Limited access\" (authorizationPolicy)", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-MgIdentityConditionalAccessPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.AAD.9.1v1", + "ReportDetails": "0 conditional access policy(s) found that meet(s) all requirements. <a href='#caps'>View all CA policies</a>.", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-MgIdentityConditionalAccessPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.AAD.17.1v1", + "ReportDetails": "0 conditional access policy(s) found that meet(s) all requirements. <a href='#caps'>View all CA policies</a>.", + "RequirementMet": false + }, + { + "ActualValue": [ + "Addam Schroll", + "Andrew Huynh", + "Grant Dasher", + "Nanda Katikaneni", + "Shanti Satyapal", + "Ted Kolovos", + "Thomas Comeau" + ], + "Commandlet": [ + "Get-MgSubscribedSku", + "Get-PrivilegedUser" + ], + "Criticality": "Shall", + "PolicyId": "MS.AAD.11.1v1", + "ReportDetails": "7 global admin(s) found:<br/>Addam Schroll, Andrew Huynh, Grant Dasher, Nanda Katikaneni, Shanti Satyapal, Ted Kolovos, Thomas Comeau", + "RequirementMet": false + }, + { + "ActualValue": [ + "Application Administrator", + "Cloud Application Administrator", + "Hybrid Identity Administrator", + "Privileged Role Administrator", + "SharePoint Administrator" + ], + "Commandlet": [ + "Get-MgSubscribedSku", + "Get-PrivilegedRole" + ], + "Criticality": "Should", + "PolicyId": "MS.AAD.15.1v1", + "ReportDetails": "5 role(s) that do not require approval to activate found:<br/>Application Administrator, Cloud Application Administrator, Hybrid Identity Administrator, Privileged Role Administrator, SharePoint Administrator", + "RequirementMet": false + }, + { + "ActualValue": [ + "Exchange 
Administrator", + "Global Administrator", + "Privileged Role Administrator", + "SharePoint Administrator" + ], + "Commandlet": [ + "Get-MgSubscribedSku", + "Get-PrivilegedRole" + ], + "Criticality": "Shall", + "PolicyId": "MS.AAD.14.2v1", + "ReportDetails": "4 role(s) assigned to users outside of PIM:<br/>Exchange Administrator, Global Administrator, Privileged Role Administrator, SharePoint Administrator", + "RequirementMet": false + }, + { + "ActualValue": [ + "Global Administrator", + "SharePoint Administrator", + "User Administrator" + ], + "Commandlet": [ + "Get-MgSubscribedSku", + "Get-PrivilegedRole" + ], + "Criticality": "Shall", + "PolicyId": "MS.AAD.14.1v1", + "ReportDetails": "3 role(s) configured to allow permanent active assignment or expiration period too long:<br/>Global Administrator, SharePoint Administrator, User Administrator", + "RequirementMet": false + }, + { + "ActualValue": [ + "Live - Block legacy authentication" + ], + "Commandlet": [ + "Get-MgIdentityConditionalAccessPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.AAD.1.1v1", + "ReportDetails": "1 conditional access policy(s) found that meet(s) all requirements:<br/>Live - Block legacy authentication. <a href='#caps'>View all CA policies</a>.", + "RequirementMet": true + }, + { + "ActualValue": [ + "Live - MFA Required for Everyone" + ], + "Commandlet": [ + "Get-MgIdentityConditionalAccessPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.AAD.4.1v1", + "ReportDetails": "1 conditional access policy(s) found that meet(s) all requirements:<br/>Live - MFA Required for Everyone. 
<a href='#caps'>View all CA policies</a>.", + "RequirementMet": true + }, + { + "ActualValue": [ + "Live - MFA required for Highly Privileged Roles" + ], + "Commandlet": [ + "Get-MgSubscribedSku", + "Get-PrivilegedRole", + "Get-MgIdentityConditionalAccessPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.AAD.13.1v1", + "ReportDetails": "1 conditional access policy(s) found that meet(s) all requirements:<br/>Live - MFA required for Highly Privileged Roles. <a href='#caps'>View all CA policies</a>.", + "RequirementMet": true + }, + { + "ActualValue": [ + "Live - Prevent Persistent Sessions u0026 Enforce Sign-in Frequency" + ], + "Commandlet": [ + "Get-MgIdentityConditionalAccessPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.AAD.10.1v1", + "ReportDetails": "1 conditional access policy(s) found that meet(s) all requirements:<br/>Live - Prevent Persistent Sessions u0026 Enforce Sign-in Frequency. <a href='#caps'>View all CA policies</a>.", + "RequirementMet": true + }, + { + "ActualValue": [ + "Live - Risky Sign Ins Block Access" + ], + "Commandlet": [ + "Get-MgIdentityConditionalAccessPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.AAD.3.1v1", + "ReportDetails": "1 conditional access policy(s) found that meet(s) all requirements:<br/>Live - Risky Sign Ins Block Access. <a href='#caps'>View all CA policies</a>.", + "RequirementMet": true + }, + { + "ActualValue": [ + "Live - Risky Users Block Access" + ], + "Commandlet": [ + "Get-MgIdentityConditionalAccessPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.AAD.2.1v1", + "ReportDetails": "1 conditional access policy(s) found that meet(s) all requirements:<br/>Live - Risky Users Block Access. 
<a href='#caps'>View all CA policies</a>.", + "RequirementMet": true + }, + { + "ActualValue": [ + "Privileged Role Administrator" + ], + "Commandlet": [ + "Get-MgSubscribedSku", + "Get-PrivilegedRole" + ], + "Criticality": "Shall", + "PolicyId": "MS.AAD.16.2v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [ + "Privileged Role Administrator" + ], + "Commandlet": [ + "Get-MgSubscribedSku", + "Get-PrivilegedRole" + ], + "Criticality": "Should", + "PolicyId": "MS.AAD.16.3v1", + "ReportDetails": "1 role(s) without notification e-mail configured for role activations found:<br/>Privileged Role Administrator", + "RequirementMet": false + }, + { + "ActualValue": [ + "Privileged Role Administrator", + "User Administrator" + ], + "Commandlet": [ + "Get-MgSubscribedSku", + "Get-PrivilegedRole" + ], + "Criticality": "Shall", + "PolicyId": "MS.AAD.16.1v1", + "ReportDetails": "2 role(s) without notification e-mail configured for role assignments found:<br/>Privileged Role Administrator, User Administrator", + "RequirementMet": false + }, + { + "ActualValue": [ + { + "Name": "EnableGroupSpecificConsent", + "SettingsGroup": "Consent Policy Settings", + "Value": "false" + } + ], + "Commandlet": [ + "Get-MgDirectorySetting" + ], + "Criticality": "Shall", + "PolicyId": "MS.AAD.7.3v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": false, + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Control": "Defender 2.5", + "Criticality": "Shall", + "ReportDetails": "Requirement not met", + "Requirement": "All safety tips SHALL be enabled: domain impersonation default policy", + "RequirementMet": false + }, + { + "ActualValue": false, + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Control": "Defender 2.5", + "Criticality": "Shall", + "ReportDetails": "Requirement not met", + "Requirement": "All safety tips SHALL be enabled: user impersonation default policy", + "RequirementMet": false + }, + { + 
"ActualValue": false, + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Control": "Defender 2.5", + "Criticality": "Shall", + "ReportDetails": "Requirement not met", + "Requirement": "All safety tips SHALL be enabled: user impersonation unusual characters default policy", + "RequirementMet": false + }, + { + "ActualValue": false, + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.5.8v1", + "ReportDetails": "Requirement not met", + "RequirementMet": false + }, + { + "ActualValue": true, + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Control": "Defender 2.5", + "Criticality": "Shall", + "ReportDetails": "Requirement met", + "Requirement": "All safety tips SHALL be enabled: \"?\" for unauthenticated senders for spoof default policy", + "RequirementMet": true + }, + { + "ActualValue": true, + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Control": "Defender 2.5", + "Criticality": "Shall", + "ReportDetails": "Requirement met", + "Requirement": "All safety tips SHALL be enabled: \"via\" tag default policy", + "RequirementMet": true + }, + { + "ActualValue": true, + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Control": "Defender 2.6", + "Criticality": "Shall", + "ReportDetails": "Requirement met", + "Requirement": "Zero-hour auto purge (ZAP) SHALL be enabled for phishing: default policy", + "RequirementMet": true + }, + { + "ActualValue": true, + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Control": "Defender 2.6", + "Criticality": "Shall", + "ReportDetails": "Requirement met", + "Requirement": "Zero-hour auto purge (ZAP) SHALL be enabled for spam messages: default policy", + "RequirementMet": true + }, + { + "ActualValue": true, + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.6.7v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": true, + "Commandlet": [ + "Get-HostedContentFilterPolicy" + 
], + "Criticality": "Should", + "PolicyId": "MS.DEFENDER.6.6v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": 7, + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.DEFENDER.6.1v1", + "ReportDetails": "Requirement not met", + "RequirementMet": false + }, + { + "ActualValue": 15, + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.DEFENDER.6.5v1", + "ReportDetails": "Requirement not met", + "RequirementMet": false + }, + { + "ActualValue": "MoveToJmf", + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.5.7v1", + "ReportDetails": "Requirement not met", + "RequirementMet": false + }, + { + "ActualValue": "MoveToJmf", + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Control": "Defender 2.6", + "Criticality": "Shall", + "ReportDetails": "Requirement met", + "Requirement": "High confidence spam SHALL be moved to either the junk email folder or the quarantine folder: default policy", + "RequirementMet": true + }, + { + "ActualValue": "MoveToJmf", + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.6.2v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": "MoveToJmf", + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.6.3v1", + "ReportDetails": "Requirement not met", + "RequirementMet": false + }, + { + "ActualValue": "MoveToJmf", + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.DEFENDER.6.4v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": "NoAction", + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Control": "Defender 2.5", + "Criticality": "Shall", + "ReportDetails": "Requirement not met", + "Requirement": "Message action 
SHALL be set to quarantine if the message is detected as impersonated: domains default policy", + "RequirementMet": false + }, + { + "ActualValue": "NoAction", + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Control": "Defender 2.5", + "Criticality": "Shall", + "ReportDetails": "Requirement not met", + "Requirement": "Message action SHALL be set to quarantine if the message is detected as impersonated: mailbox default policy", + "RequirementMet": false + }, + { + "ActualValue": "NoAction", + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.5.6v1", + "ReportDetails": "Requirement not met", + "RequirementMet": false + }, + { + "ActualValue": "Quarantine", + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Control": "Defender 2.6", + "Criticality": "Shall", + "ReportDetails": "Requirement met", + "Requirement": "High confidence phishing SHALL be quarantined: default policy", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/Not-Implemented", + "PolicyId": "MS.DEFENDER.10.2v1", + "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/defender.md#msdefender102v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/Not-Implemented", + "PolicyId": "MS.DEFENDER.10.3v1", + "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/defender.md#msdefender103v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/Not-Implemented", + "PolicyId": "MS.DEFENDER.2.5v1", + "ReportDetails": "Not currently checked automatically. 
See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/defender.md#msdefender25v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/Not-Implemented", + "PolicyId": "MS.DEFENDER.2.6v1", + "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/defender.md#msdefender26v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/Not-Implemented", + "PolicyId": "MS.DEFENDER.9.2v1", + "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/defender.md#msdefender92v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Control": "Defender 2.5", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "All safety tips SHOULD be enabled: \"?\" for unauthenticated senders for spoof non-default policies", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Control": "Defender 2.5", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "All safety tips SHOULD be enabled: \"via\" tag non-default policies", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Control": "Defender 2.5", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "All safety tips SHOULD be enabled: domain impersonation non-default policies", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-AntiPhishPolicy" + 
], + "Control": "Defender 2.5", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "All safety tips SHOULD be enabled: first contact non-default policies", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Control": "Defender 2.5", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "All safety tips SHOULD be enabled: user impersonation non-default policies", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Control": "Defender 2.5", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "All safety tips SHOULD be enabled: user impersonation unusual characters non-default policies", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Control": "Defender 2.5", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Mail classified as spoofed SHOULD be quarantined: non-default policies", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Control": "Defender 2.5", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Message action SHOULD be set to quarantine if the message is detected as impersonated: domains non-default policies", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Control": "Defender 2.5", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Message action SHOULD be set to quarantine if the message is detected as impersonated: mailbox non-default policies", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Control": "Defender 2.5", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Message action SHOULD be set to quarantine if 
the message is detected as impersonated: users non-default policies", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.DEFENDER.5.1v1", + "ReportDetails": "No users are included for targeted user protection.", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.DEFENDER.5.2v1", + "ReportDetails": "Requirement not met", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.DEFENDER.5.3v1", + "ReportDetails": "The Custom Domains protection policies: Enabled, EnableTargetedDomainsProtection, and TargetedDomainsToProtect are not set correctly", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-AntiPhishPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.DEFENDER.5.5v1", + "ReportDetails": "Requirement not met", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-DLPCompliancePolicy" + ], + "Control": "Defender 2.2", + "Criticality": "Should", + "ReportDetails": "No policy found that applies to OneDrive.", + "Requirement": "The custom policy SHOULD be applied in OneDrive", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-DLPCompliancePolicy" + ], + "Control": "Defender 2.2", + "Criticality": "Should", + "ReportDetails": "No policy found that applies to SharePoint.", + "Requirement": "The custom policy SHOULD be applied in SharePoint", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-DLPCompliancePolicy" + ], + "Control": "Defender 2.2", + "Criticality": "Should", + "ReportDetails": "No policy found that applies to Teams.", + "Requirement": "The custom policy SHOULD be applied in Teams", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ 
+ "Get-DLPCompliancePolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.DEFENDER.2.2v1", + "ReportDetails": "No policy found that applies to Exchange.", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-DlpComplianceRule" + ], + "Control": "Defender 2.2", + "Criticality": "Shall", + "ReportDetails": "No matching rule found for Credit Card Number", + "Requirement": "A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency: Credit Card Number", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-DlpComplianceRule" + ], + "Control": "Defender 2.2", + "Criticality": "Shall", + "ReportDetails": "No matching rule found for U.S. Individual Taxpayer Identification Number (ITIN)", + "Requirement": "A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency: U.S. Individual Taxpayer Identification Number (ITIN)", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-DlpComplianceRule" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.2.1v1", + "ReportDetails": "No matching rule found for U.S. 
Social Security Number (SSN)", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-DlpComplianceRule" + ], + "Criticality": "Should", + "PolicyId": "MS.DEFENDER.2.3v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-DlpComplianceRule" + ], + "Criticality": "Should", + "PolicyId": "MS.DEFENDER.2.4v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-EOPProtectionPolicyRule" + ], + "Control": "Defender 2.1", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Strict Preset security profiles SHOULD NOT be used", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-EOPProtectionPolicyRule" + ], + "Criticality": "Should", + "PolicyId": "MS.DEFENDER.1.1v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Control": "Defender 2.6", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Allowed senders MAY be added but allowed domains SHOULD NOT be added: non-default", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Control": "Defender 2.6", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Bulk email SHOULD be moved to either the junk email folder or the quarantine folder: non-default policies", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Control": "Defender 2.6", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "High confidence phishing SHOULD be quarantined: non-default policies", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Control": "Defender 
2.6", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "High confidence spam SHOULD be moved to either the junk email folder or the quarantine folder: non-default policies", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Control": "Defender 2.6", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Phishing SHOULD be quarantined: non-default policies", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Control": "Defender 2.6", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Spam SHOULD be moved to either the junk email folder or the quarantine folder: non-default policies", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Control": "Defender 2.6", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Spam in quarantine SHOULD be retained for at least 30 days: non-default policies", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Control": "Defender 2.6", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Spam safety tips SHOULD be turned on: non-default policies", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Control": "Defender 2.6", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "The bulk complaint level (BCL) threshold SHOULD be set to six or lower: non-default policies", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Control": "Defender 2.6", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Zero-hour auto purge (ZAP) SHOULD be enabled for 
Spam: non-default", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Control": "Defender 2.6", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Zero-hour auto purge (ZAP) SHOULD be enabled for phishing: non-default", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Control": "Defender 2.6", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Zero-hour auto purge (ZAP) SHOULD be enabled: non-default", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.6.8v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-MalwareFilterPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.3.1v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-MalwareFilterPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.DEFENDER.4.1v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-SafeAttachmentPolicy", + "Get-SafeAttachmentRule", + "Get-AcceptedDomain" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.8.2v1", + "ReportDetails": "No enabled policy found with action set to block that apply to all domains", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-SafeAttachmentPolicy", + "Get-SafeAttachmentRule", + "Get-AcceptedDomain" + ], + "Criticality": "Should", + "PolicyId": "MS.DEFENDER.8.3v1", + "ReportDetails": "No enabled policy found with action set to block and at least one contact specified", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-SafeAttachmentRule", + "Get-AcceptedDomain" + ], + 
"Criticality": "Shall", + "PolicyId": "MS.DEFENDER.8.1v1", + "ReportDetails": "No policy found that applies to all domains: alexwilber.myo365.site, y2zj1.onmicrosoft.com", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-SafeLinksPolicy", + "Get-SafeLinksRule" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.7.2v1", + "ReportDetails": "Requirement not met", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-SafeLinksPolicy", + "Get-SafeLinksRule" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.7.3v1", + "ReportDetails": "Requirement not met", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-SafeLinksPolicy", + "Get-SafeLinksRule" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.7.4v1", + "ReportDetails": "Requirement not met", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-SafeLinksPolicy", + "Get-SafeLinksRule" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.7.5v1", + "ReportDetails": "Requirement not met", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-SafeLinksPolicy", + "Get-SafeLinksRule" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.7.6v1", + "ReportDetails": "Requirement not met", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-SafeLinksPolicy", + "Get-SafeLinksRule" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.7.7v1", + "ReportDetails": "Requirement not met", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-SafeLinksPolicy", + "Get-SafeLinksRule" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.7.8v1", + "ReportDetails": "Requirement not met", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-SafeLinksPolicy", + "Get-SafeLinksRule" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.7.9v1", + "ReportDetails": "Requirement not 
met", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-SafeLinksRule", + "Get-AcceptedDomain" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.7.1v1", + "ReportDetails": "No policy found that applies to all domains: alexwilber.myo365.site, y2zj1.onmicrosoft.com", + "RequirementMet": false + }, + { + "ActualValue": [ + "A potentially malicious URL click was detected", + "Malware campaign detected after delivery", + "Messages have been delayed", + "Suspicious Email Forwarding Activity", + "Suspicious connector activity", + "Suspicious email sending patterns detected", + "Tenant restricted from sending unprovisioned email", + "Unusual increase in email reported as phish", + "User restricted from sending email" + ], + "Commandlet": [ + "Get-ProtectionAlert" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.9.1v1", + "ReportDetails": "9 disabled required alert(s) found: A potentially malicious URL click was detected, Malware campaign detected after delivery, Messages have been delayed, Suspicious Email Forwarding Activity, Suspicious connector activity, Suspicious email sending patterns detected, Tenant restricted from sending unprovisioned email, Unusual increase in email reported as phish, User restricted from sending email", + "RequirementMet": false + }, + { + "ActualValue": [ + "Default" + ], + "Commandlet": [ + "Get-MalwareFilterPolicy" + ], + "Control": "Defender 2.3", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Disallowed file types SHALL be determined and set. At a minimum, click-to-run files SHOULD be blocked: cmd files", + "RequirementMet": true + }, + { + "ActualValue": [ + "Default" + ], + "Commandlet": [ + "Get-MalwareFilterPolicy" + ], + "Control": "Defender 2.3", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Disallowed file types SHALL be determined and set. 
At a minimum, click-to-run files SHOULD be blocked: vbe files", + "RequirementMet": true + }, + { + "ActualValue": [ + "Default" + ], + "Commandlet": [ + "Get-MalwareFilterPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.DEFENDER.3.2v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [ + { + "EnableATPForSPOTeamsODB": true, + "Identity": "Default" + } + ], + "Commandlet": [ + "Get-AtpPolicyForO365" + ], + "Criticality": "Should", + "PolicyId": "MS.DEFENDER.8.4v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [ + { + "Identity": "Admin Audit Log Settings", + "UnifiedAuditLogIngestionEnabled": true + } + ], + "Commandlet": [ + "Get-AdminAuditLogConfig" + ], + "Criticality": "Shall", + "PolicyId": "MS.DEFENDER.10.1v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/3rd Party", + "PolicyId": "MS.EXO.10.1v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/3rd Party", + "PolicyId": "MS.EXO.10.2v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/3rd Party", + "PolicyId": "MS.EXO.14.1v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. 
Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/3rd Party", + "PolicyId": "MS.EXO.14.2v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/3rd Party", + "PolicyId": "MS.EXO.14.3v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/3rd Party", + "PolicyId": "MS.EXO.16.1v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/3rd Party", + "PolicyId": "MS.EXO.17.1v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/3rd Party", + "PolicyId": "MS.EXO.17.2v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/3rd Party", + "PolicyId": "MS.EXO.17.3v1", + "ReportDetails": "Custom implementation allowed. 
If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/3rd Party", + "PolicyId": "MS.EXO.8.1v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/3rd Party", + "PolicyId": "MS.EXO.8.2v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/3rd Party", + "PolicyId": "MS.EXO.9.1v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/3rd Party", + "PolicyId": "MS.EXO.9.3v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/Not-Implemented", + "PolicyId": "MS.EXO.2.1v1", + "ReportDetails": "Not currently checked automatically. 
See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/exo.md#msexo21v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/3rd Party", + "PolicyId": "MS.EXO.10.3v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/3rd Party", + "PolicyId": "MS.EXO.11.1v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/3rd Party", + "PolicyId": "MS.EXO.11.2v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/3rd Party", + "PolicyId": "MS.EXO.11.3v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/3rd Party", + "PolicyId": "MS.EXO.15.1v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. 
Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/3rd Party", + "PolicyId": "MS.EXO.15.2v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/3rd Party", + "PolicyId": "MS.EXO.15.3v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/3rd Party", + "PolicyId": "MS.EXO.16.2v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/3rd Party", + "PolicyId": "MS.EXO.9.2v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. 
Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-ScubaDmarcRecords", + "Get-AcceptedDomain" + ], + "Criticality": "Shall", + "PolicyId": "MS.EXO.4.1v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-ScubaDmarcRecords", + "Get-AcceptedDomain" + ], + "Criticality": "Shall", + "PolicyId": "MS.EXO.4.2v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-ScubaDmarcRecords", + "Get-AcceptedDomain" + ], + "Criticality": "Shall", + "PolicyId": "MS.EXO.4.3v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-ScubaDmarcRecords", + "Get-AcceptedDomain" + ], + "Criticality": "Should", + "PolicyId": "MS.EXO.4.4v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-TransportRule" + ], + "Criticality": "Shall", + "PolicyId": "MS.EXO.7.1v1", + "ReportDetails": "No transport rule found that applies warnings to emails received from outside the organization", + "RequirementMet": false + }, + { + "ActualValue": [ + [], + [ + null + ] + ], + "Commandlet": [ + "Get-DkimSigningConfig", + "Get-ScubaDkimRecords", + "Get-AcceptedDomain" + ], + "Criticality": "Should", + "PolicyId": "MS.EXO.3.1v1", + "ReportDetails": "1 of 1 agency domain(s) found in violation: alexwilber.myo365.site", + "RequirementMet": false + }, + { + "ActualValue": [ + { + "AddressBookPolicyRoutingEnabled": false, + "AdminDisplayName": "", + "AgentGeneratedMessageLoopDetectionInSmtpEnabled": true, + "AgentGeneratedMessageLoopDetectionInSubmissionEnabled": true, + "AllowLegacyTLSClients": false, + "AnonymousSenderToRecipientRatePerHour": 1800, + "AttributionRejectBeforeMServRequest": false, + "AttributionRejectConsumerMessages": false, + "ClearCategories": true, + 
"ConvertDisclaimerWrapperToEml": false, + "ConvertReportToMessage": false, + "CurrentTransportSystemState": "Green", + "DSNConversionMode": "PreserveDSNBody", + "DiagnosticsAggregationServicePort": 9710, + "DistinguishedName": "CN=Transport Settings,CN=Configuration,CN=y2zj1.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR10A008,DC=PROD,DC=OUTLOOK,DC=COM", + "EnableExternalHTTPMailDelivery": false, + "ExchangeObjectId": "b4f29764-fa61-4718-ac8d-29e1ad3007b9", + "ExchangeVersion": "0.1 (8.0.535.0)", + "ExternalDelayDsnEnabled": true, + "ExternalDsnDefaultLanguage": null, + "ExternalDsnLanguageDetectionEnabled": true, + "ExternalDsnMaxMessageAttachSize": "10 MB (10,485,760 bytes)", + "ExternalDsnReportingAuthority": null, + "ExternalDsnSendHtml": true, + "ExternalPostmasterAddress": null, + "GenerateCopyOfDSNFor": [], + "Guid": "b4f29764-fa61-4718-ac8d-29e1ad3007b9", + "HeaderPromotionModeSetting": "NoCreate", + "HygieneSuite": "Premium", + "Id": "Transport Settings", + "Identity": "Transport Settings", + "InternalDelayDsnEnabled": true, + "InternalDsnDefaultLanguage": null, + "InternalDsnLanguageDetectionEnabled": true, + "InternalDsnMaxMessageAttachSize": "10 MB (10,485,760 bytes)", + "InternalDsnReportingAuthority": null, + "InternalDsnSendHtml": true, + "InternalSMTPServers": [], + "IsValid": true, + "JournalArchivingEnabled": false, + "JournalMessageExpirationDays": 0, + "JournalReportDLMemberSubstitutionEnabled": false, + "JournalingReportNdrTo": "u003cu003e", + "LegacyArchiveJournalingEnabled": false, + "LegacyArchiveLiveJournalingEnabled": false, + "LegacyJournalingMigrationEnabled": false, + "MaxAllowedAgentGeneratedMessageDepth": 3, + "MaxAllowedAgentGeneratedMessageDepthPerAgent": 2, + "MaxDumpsterSizePerDatabase": "18 MB (18,874,368 bytes)", + "MaxDumpsterTime": "7.00:00:00", + "MaxReceiveSize": "Unlimited", + "MaxRecipientEnvelopeLimit": "Unlimited", + "MaxSendSize": "Unlimited", + "MessageExpiration": "1.00:00:00", + "MigrationEnabled": true, + "Name": 
"Transport Settings", + "ObjectCategory": "NAMPR10A008.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Transport-Settings", + "ObjectClass": [ + "top", + "container", + "msExchTransportSettings" + ], + "ObjectState": "Unchanged", + "OpenDomainRoutingEnabled": false, + "OrganizationFederatedMailbox": "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@y2zj1.onmicrosoft.com", + "OrganizationId": "NAMPR10A008.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/y2zj1.onmicrosoft.com - NAMPR10A008.PROD.OUTLOOK.COM/ConfigurationUnits/y2zj1.onmicrosoft.com/Configuration", + "OrganizationalUnitRoot": "y2zj1.onmicrosoft.com", + "OriginatingServer": "DM5PR10A08DC002.NAMPR10A008.PROD.OUTLOOK.COM", + "OtherWellKnownObjects": [], + "PreserveReportBodypart": true, + "QueueDiagnosticsAggregationInterval": "00:01:00", + "RedirectDLMessagesForLegacyArchiveJournaling": false, + "RedirectUnprovisionedUserMessagesForLegacyArchiveJournaling": false, + "ReplyAllStormBlockDurationHours": 6, + "ReplyAllStormDetectionMinimumRecipients": 2500, + "ReplyAllStormDetectionMinimumReplies": 10, + "ReplyAllStormProtectionEnabled": true, + "Rfc2231EncodingEnabled": false, + "SafetyNetHoldTime": "7.00:00:00", + "SmtpClientAuthenticationDisabled": true, + "SupervisionTags": [ + "Reject", + "Allow" + ], + "TLSReceiveDomainSecureList": [], + "TLSSendDomainSecureList": [], + "TransportRuleAttachmentTextScanLimit": "1 MB (1,048,576 bytes)", + "TransportRuleCollectionAddedRecipientsLimit": 100, + "TransportRuleCollectionRegexCharsLimit": "20 KB (20,480 bytes)", + "TransportRuleConfig": [ + "TransportRuleMinProductVersion:14.0.0.0", + "TransportRuleRegexValidationTimeout:00:00:00.3000000", + "TransportRuleAttachmentTextScanLimit:1 MB (1,048,576 bytes)", + "TransportRuleSizeLimit:8 KB (8,192 bytes)", + "TransportRuleCollectionRegexCharsLimit:20 KB (20,480 bytes)", + "TransportRuleLimit:300", + "TransportRuleCollectionAddedRecipientsLimit:100" + ], + "TransportRuleLimit": 300, + 
"TransportRuleMinProductVersion": { + "Build": 0, + "Major": 14, + "MajorRevision": 0, + "Minor": 0, + "MinorRevision": 0, + "Revision": 0 + }, + "TransportRuleRegexValidationTimeout": "00:00:00.3000000", + "TransportRuleSizeLimit": "8 KB (8,192 bytes)", + "TransportSystemState": "", + "VerifySecureSubmitEnabled": false, + "VoicemailJournalingEnabled": true, + "WhenChanged": "/Date(1643184486000)/", + "WhenChangedUTC": "/Date(1643184486000)/", + "WhenCreated": "/Date(1643059670000)/", + "WhenCreatedUTC": "/Date(1643059670000)/", + "Xexch50Enabled": true + } + ], + "Commandlet": [ + "Get-TransportConfig" + ], + "Criticality": "Shall", + "PolicyId": "MS.EXO.5.1v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [ + { + "AdminDisplayName": "", + "Default": true, + "DistinguishedName": "CN=Default Sharing Policy,CN=Federation,CN=Configuration,CN=y2zj1.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR10A008,DC=PROD,DC=OUTLOOK,DC=COM", + "Domains": [ + "Anonymous:CalendarSharingFreeBusyReviewer", + "*:CalendarSharingFreeBusySimple" + ], + "Enabled": true, + "ExchangeObjectId": "2f1ca8cf-5ba5-45e3-b73a-1405ff552a2e", + "ExchangeVersion": "0.10 (14.0.100.0)", + "Guid": "2f1ca8cf-5ba5-45e3-b73a-1405ff552a2e", + "Id": "Default Sharing Policy", + "Identity": "Default Sharing Policy", + "IsValid": true, + "Name": "Default Sharing Policy", + "ObjectCategory": "NAMPR10A008.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Sharing-Policy", + "ObjectClass": [ + "top", + "msExchSharingPolicy" + ], + "ObjectState": "Changed", + "OrganizationId": "NAMPR10A008.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/y2zj1.onmicrosoft.com - NAMPR10A008.PROD.OUTLOOK.COM/ConfigurationUnits/y2zj1.onmicrosoft.com/Configuration", + "OrganizationalUnitRoot": "y2zj1.onmicrosoft.com", + "OriginatingServer": "DM5PR10A08DC002.NAMPR10A008.PROD.OUTLOOK.COM", + "WhenChanged": "/Date(1645650761000)/", + "WhenChangedUTC": "/Date(1645650761000)/", + "WhenCreated": 
"/Date(1645650752000)/", + "WhenCreatedUTC": "/Date(1645650752000)/" + } + ], + "Commandlet": [ + "Get-SharingPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.EXO.6.1v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [ + { + "AdminDisplayName": "", + "Default": true, + "DistinguishedName": "CN=Default Sharing Policy,CN=Federation,CN=Configuration,CN=y2zj1.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR10A008,DC=PROD,DC=OUTLOOK,DC=COM", + "Domains": [ + "Anonymous:CalendarSharingFreeBusyReviewer", + "*:CalendarSharingFreeBusySimple" + ], + "Enabled": true, + "ExchangeObjectId": "2f1ca8cf-5ba5-45e3-b73a-1405ff552a2e", + "ExchangeVersion": "0.10 (14.0.100.0)", + "Guid": "2f1ca8cf-5ba5-45e3-b73a-1405ff552a2e", + "Id": "Default Sharing Policy", + "Identity": "Default Sharing Policy", + "IsValid": true, + "Name": "Default Sharing Policy", + "ObjectCategory": "NAMPR10A008.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Sharing-Policy", + "ObjectClass": [ + "top", + "msExchSharingPolicy" + ], + "ObjectState": "Changed", + "OrganizationId": "NAMPR10A008.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/y2zj1.onmicrosoft.com - NAMPR10A008.PROD.OUTLOOK.COM/ConfigurationUnits/y2zj1.onmicrosoft.com/Configuration", + "OrganizationalUnitRoot": "y2zj1.onmicrosoft.com", + "OriginatingServer": "DM5PR10A08DC002.NAMPR10A008.PROD.OUTLOOK.COM", + "WhenChanged": "/Date(1645650761000)/", + "WhenChangedUTC": "/Date(1645650761000)/", + "WhenCreated": "/Date(1645650752000)/", + "WhenCreatedUTC": "/Date(1645650752000)/" + } + ], + "Commandlet": [ + "Get-SharingPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.EXO.6.2v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [ + { + "AdminDisplayName": "", + "DirectoryBasedEdgeBlockMode": "Default", + "DistinguishedName": "CN=Default,CN=Hosted Connection Filter,CN=Transport 
Settings,CN=Configuration,CN=y2zj1.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR10A008,DC=PROD,DC=OUTLOOK,DC=COM", + "EnableSafeList": false, + "ExchangeObjectId": "3843aef3-f3bd-49c1-a674-4d6741ac11b6", + "ExchangeVersion": "0.20 (15.0.0.0)", + "Guid": "3843aef3-f3bd-49c1-a674-4d6741ac11b6", + "IPAllowList": [], + "IPBlockList": [], + "Id": "Default", + "Identity": "Default", + "IsDefault": true, + "IsValid": true, + "Name": "Default", + "ObjectCategory": "NAMPR10A008.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Hosted-Connection-Filter-Policy", + "ObjectClass": [ + "top", + "msExchHostedConnectionFilterPolicy" + ], + "ObjectState": "Unchanged", + "OrganizationId": "NAMPR10A008.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/y2zj1.onmicrosoft.com - NAMPR10A008.PROD.OUTLOOK.COM/ConfigurationUnits/y2zj1.onmicrosoft.com/Configuration", + "OrganizationalUnitRoot": "y2zj1.onmicrosoft.com", + "OriginatingServer": "DM5PR10A08DC002.NAMPR10A008.PROD.OUTLOOK.COM", + "WhenChanged": "/Date(1645650833000)/", + "WhenChangedUTC": "/Date(1645650833000)/", + "WhenCreated": "/Date(1645650828000)/", + "WhenCreatedUTC": "/Date(1645650828000)/" + } + ], + "Commandlet": [ + "Get-HostedConnectionFilterPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.EXO.12.1v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [ + { + "AdminDisplayName": "", + "DirectoryBasedEdgeBlockMode": "Default", + "DistinguishedName": "CN=Default,CN=Hosted Connection Filter,CN=Transport Settings,CN=Configuration,CN=y2zj1.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR10A008,DC=PROD,DC=OUTLOOK,DC=COM", + "EnableSafeList": false, + "ExchangeObjectId": "3843aef3-f3bd-49c1-a674-4d6741ac11b6", + "ExchangeVersion": "0.20 (15.0.0.0)", + "Guid": "3843aef3-f3bd-49c1-a674-4d6741ac11b6", + "IPAllowList": [], + "IPBlockList": [], + "Id": "Default", + "Identity": "Default", + "IsDefault": true, + "IsValid": true, + "Name": "Default", + "ObjectCategory": 
"NAMPR10A008.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Hosted-Connection-Filter-Policy", + "ObjectClass": [ + "top", + "msExchHostedConnectionFilterPolicy" + ], + "ObjectState": "Unchanged", + "OrganizationId": "NAMPR10A008.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/y2zj1.onmicrosoft.com - NAMPR10A008.PROD.OUTLOOK.COM/ConfigurationUnits/y2zj1.onmicrosoft.com/Configuration", + "OrganizationalUnitRoot": "y2zj1.onmicrosoft.com", + "OriginatingServer": "DM5PR10A08DC002.NAMPR10A008.PROD.OUTLOOK.COM", + "WhenChanged": "/Date(1645650833000)/", + "WhenChangedUTC": "/Date(1645650833000)/", + "WhenCreated": "/Date(1645650828000)/", + "WhenCreatedUTC": "/Date(1645650828000)/" + } + ], + "Commandlet": [ + "Get-HostedConnectionFilterPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.EXO.12.2v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [ + { + "AuditDisabled": false, + "DisplayName": "y2zj1", + "Name": "y2zj1.onmicrosoft.com" + } + ], + "Commandlet": [ + "Get-OrganizationConfig" + ], + "Criticality": "Shall", + "PolicyId": "MS.EXO.13.1v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-ScubaSpfRecords", + "Get-AcceptedDomain" + ], + "Criticality": "Shall", + "PolicyId": "MS.EXO.2.2v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [ + "*" + ], + "Commandlet": [ + "Get-RemoteDomain" + ], + "Criticality": "Shall", + "PolicyId": "MS.EXO.1.1v1", + "ReportDetails": "1 remote domain(s) that allows automatic forwarding: *", + "RequirementMet": false + }, + { + "ActualValue": "PowerShell Error", + "Commandlet": [ + "Get-DlpPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.POWERPLATFORM.2.2v1", + "ReportDetails": "PowerShell Error", + "RequirementMet": false + }, + { + "ActualValue": "PowerShell Error", + "Commandlet": [ + "Get-PowerAppTenantIsolationPolicy" + ], + "Criticality": "Shall", + 
"PolicyId": "MS.POWERPLATFORM.3.1v1", + "ReportDetails": "PowerShell Error", + "RequirementMet": false + }, + { + "ActualValue": "PowerShell Error", + "Commandlet": [ + "Get-TenantSettings" + ], + "Control": "Power Platform 2.1", + "Criticality": "Shall", + "ReportDetails": "PowerShell Error", + "Requirement": "The ability to create trial environments SHALL be restricted to admins", + "RequirementMet": false + }, + { + "ActualValue": "PowerShell Error", + "Commandlet": [ + "Get-TenantSettings" + ], + "Criticality": "Shall", + "PolicyId": "MS.POWERPLATFORM.1.1v1", + "ReportDetails": "PowerShell Error", + "RequirementMet": false + }, + { + "ActualValue": "PowerShell error", + "Commandlet": [ + "Get-DlpPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.POWERPLATFORM.2.3v1", + "ReportDetails": "PowerShell error", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/Not-Implemented", + "PolicyId": "MS.POWERPLATFORM.4.1v1", + "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/powerplatform.md#mspowerplatform41v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/Not-Implemented", + "PolicyId": "MS.POWERPLATFORM.3.2v1", + "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/powerplatform.md#mspowerplatform32v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/Not-Implemented", + "PolicyId": "MS.POWERPLATFORM.3.3v1", + "ReportDetails": "Not currently checked automatically. 
See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/powerplatform.md#mspowerplatform33v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-DlpPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.POWERPLATFORM.2.1v1", + "ReportDetails": "No policy found that applies to default environment", + "RequirementMet": false + }, + { + "ActualValue": 1, + "Commandlet": [ + "Get-SPOTenant", + "Get-PnPTenant" + ], + "Criticality": "Should", + "PolicyId": "MS.SHAREPOINT.1.3v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": 2, + "Commandlet": [ + "Get-SPOSite", + "Get-PnPTenantSite" + ], + "Control": "Sharepoint 2.5", + "Criticality": "Shall", + "ReportDetails": "Requirement met", + "Requirement": "Users SHALL be prevented from running custom scripts on self-service created sites", + "RequirementMet": true + }, + { + "ActualValue": 2, + "Commandlet": [ + "Get-SPOTenant", + "Get-PnPTenant" + ], + "Criticality": "Shall", + "PolicyId": "MS.SHAREPOINT.1.1v1", + "ReportDetails": "Requirement not met", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Control": "Sharepoint 2.5", + "Criticality": "Shall/Not-Implemented", + "PolicyId": "MS.SHAREPOINT.TBD", + "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/sharepoint.md#mssharepointtbd\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "Requirement": "Users SHALL be prevented from running custom scripts on personal sites (OneDrive)", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/Not-Implemented", + "PolicyId": "MS.SHAREPOINT.1.2v1", + "ReportDetails": "Not currently checked automatically. 
See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/sharepoint.md#mssharepoint12v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/Not-Implemented", + "PolicyId": "MS.SHAREPOINT.2.1v1", + "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/sharepoint.md#mssharepoint21v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [ + 1, + true, + 29 + ], + "Commandlet": [ + "Get-SPOTenant", + "Get-PnPTenant" + ], + "Control": "Sharepoint 2.4", + "Criticality": "Should", + "ReportDetails": "Requirement not met: Expiration timer for 'People who use a verification code' NOT set to 30 days", + "Requirement": "Expiration timer for 'People who use a verification code' should be set to 30 days", + "RequirementMet": false + }, + { + "ActualValue": [ + 1, + true, + 31 + ], + "Commandlet": [ + "Get-SPOTenant", + "Get-PnPTenant" + ], + "Criticality": "Should", + "PolicyId": "MS.SHAREPOINT.3.1v1", + "ReportDetails": "Requirement not met: Expiration timer for 'Guest access to a site or OneDrive' NOT set to 30 days", + "RequirementMet": false + }, + { + "ActualValue": true, + "Commandlet": [ + "Get-CsTeamsMeetingPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.TEAMS.9.1v1", + "ReportDetails": "Requirement not met", + "RequirementMet": false + }, + { + "ActualValue": "AlwaysEnabled", + "Commandlet": [ + "Get-CsTeamsMeetingBroadcastPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.TEAMS.10.1v1", + "ReportDetails": "Requirement not met", + "RequirementMet": false + }, + { + "ActualValue": "EveryoneInCompany", + "Commandlet": [ + "Get-CsTeamsMeetingPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.TEAMS.3.2v1", + "ReportDetails": 
"Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/3rd Party", + "PolicyId": "MS.TEAMS.11.1v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/3rd Party", + "PolicyId": "MS.TEAMS.11.4v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Shall/3rd Party", + "PolicyId": "MS.TEAMS.8.3v1", + "ReportDetails": "Not currently checked automatically. See <a href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/teams.md#msteams83v1\" target=\"_blank\">Secure Configuration Baseline policy</a> for instructions on manual check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/3rd Party", + "PolicyId": "MS.TEAMS.11.2v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/3rd Party", + "PolicyId": "MS.TEAMS.12.1v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/3rd Party", + "PolicyId": "MS.TEAMS.12.2v1", + "ReportDetails": "Custom implementation allowed. 
If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/3rd Party", + "PolicyId": "MS.TEAMS.13.1v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/3rd Party", + "PolicyId": "MS.TEAMS.13.2v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [], + "Commandlet": [], + "Criticality": "Should/3rd Party", + "PolicyId": "MS.TEAMS.13.3v1", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. 
Otherwise, use a 3rd party tool OR manually check", + "RequirementMet": false + }, + { + "ActualValue": [ + "EveryoneInCompany", + false + ], + "Commandlet": [ + "Get-CsTeamsMeetingPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.TEAMS.3.1v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [ + [], + "MicrosoftCommunicationsOnline/NOAM-ED6-A7" + ], + "Commandlet": [ + "Get-CsTeamsClientConfiguration" + ], + "Criticality": "Shall", + "PolicyId": "MS.TEAMS.7.1v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-CsTeamsAppPermissionPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.TEAMS.8.1v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-CsTeamsMeetingPolicy" + ], + "Control": "Teams 2.4", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Anonymous users SHOULD be enabled to join meetings", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-CsTeamsMeetingPolicy" + ], + "Criticality": "Shall", + "PolicyId": "MS.TEAMS.2.1v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-CsTeamsMeetingPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.TEAMS.1.1v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-CsTeamsMeetingPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.TEAMS.9.3v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-CsTenantFederationConfiguration" + ], + "Criticality": "Shall", + "PolicyId": "MS.TEAMS.4.1v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [], + "Commandlet": [ + "Get-CsTenantFederationConfiguration" + ], + "Criticality": 
"Shall", + "PolicyId": "MS.TEAMS.6.1v1", + "ReportDetails": "Requirement met", + "RequirementMet": true + }, + { + "ActualValue": [ + "Global" + ], + "Commandlet": [ + "Get-CsTeamsAppPermissionPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.TEAMS.8.2av1", + "ReportDetails": "1 meeting policy(ies) found that allow custom apps by default: Global", + "RequirementMet": false + }, + { + "ActualValue": [ + "Global" + ], + "Commandlet": [ + "Get-CsTeamsAppPermissionPolicy" + ], + "Criticality": "Should", + "PolicyId": "MS.TEAMS.8.2v1", + "ReportDetails": "1 meeting policy(ies) found that allow third-party apps by default: Global", + "RequirementMet": false + }, + { + "ActualValue": [ + "Global" + ], + "Commandlet": [ + "Get-CsTenantFederationConfiguration" + ], + "Criticality": "Shall", + "PolicyId": "MS.TEAMS.5.1v1", + "ReportDetails": "1 Configuration allowed unmanaged users to initiate contact with internal user across domains: Global", + "RequirementMet": false + }, + { + "ActualValue": [ + "Global" + ], + "Commandlet": [ + "Get-CsTenantFederationConfiguration" + ], + "Criticality": "Should", + "PolicyId": "MS.TEAMS.5.2v1", + "ReportDetails": "1 Internal users are enabled to initiate contact with unmanaged users across domains: Global", + "RequirementMet": false + } ] \ No newline at end of file diff --git a/Testing/Unit/PowerShell/CreateReport/Import-SecureBaseline.Tests.ps1 b/Testing/Unit/PowerShell/CreateReport/Import-SecureBaseline.Tests.ps1 index 73414e4ce7..d425047ab1 100644 --- a/Testing/Unit/PowerShell/CreateReport/Import-SecureBaseline.Tests.ps1 +++ b/Testing/Unit/PowerShell/CreateReport/Import-SecureBaseline.Tests.ps1 
@@ -39,7 +39,7 @@ InModuleScope CreateReport { @{Product = "onedrive"; GroupCount = 7; PolicyCount = 8} @{Product = "powerbi"; GroupCount = 10; PolicyCount = 12} @{Product = "powerplatform"; GroupCount = 4; PolicyCount = 8} - @{Product = "sharepoint"; GroupCount = 5; PolicyCount = 6} + @{Product = "sharepoint"; GroupCount = 5; PolicyCount = 10} @{Product = "teams"; GroupCount = 13; PolicyCount = 28} ){ {$Baselines.$Product} | Should -Not -Throw diff --git a/Testing/Unit/PowerShell/CreateReport/New-Report.Tests.ps1 b/Testing/Unit/PowerShell/CreateReport/New-Report.Tests.ps1 index b39fd24f98..64758d5a28 100644 --- a/Testing/Unit/PowerShell/CreateReport/New-Report.Tests.ps1 +++ b/Testing/Unit/PowerShell/CreateReport/New-Report.Tests.ps1 @@ -46,7 +46,7 @@ InModuleScope CreateReport { @{Product = 'exo'; ErrorCount = 2}, @{Product = 'onedrive'; ErrorCount = 8}, @{Product = 'powerplatform'; ErrorCount = 0}, - @{Product = 'sharepoint'; ErrorCount = 3}, + @{Product = 'sharepoint'; ErrorCount = 5}, @{Product = 'teams'; ErrorCount = 5} ){ $CreateReportParams += @{ diff --git a/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego b/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego index ba1b014859..41fca58d22 100644 --- a/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego +++ b/Testing/Unit/Rego/Sharepoint/SharepointConfig_01_test.rego @@ -1,17 +1,18 @@ package sharepoint import future.keywords +import data.report.utils.NotCheckedDetails # -# Policy 1 +# MS.SHAREPOINT.1.1v1 #-- -test_DefaultSharingLinkType_Correct if { +test_SharingCapability_Correct_V1 if { PolicyId := "MS.SHAREPOINT.1.1v1" Output := tests with input as { "SPO_tenant": [ { - "DefaultSharingLinkType" : 1 + "SharingCapability" : 0 } ] } 
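Review bot: `test_SharingCapability_Correct_V1`, added here in SharepointConfig_01_test.rego, reuses a rule name that SharepointConfig_04_test.rego keeps for a different policy (MS.SHAREPOINT.4.1v1), and both files declare `package sharepoint`. OPA treats same-named rules within one package as a single rule with several bodies, even across files, so the two tests collapse into one and a failure in either body can be masked by the other evaluating true. The same collision applies to `test_SharingCapability_Correct_V2` and to `test_NotImplemented_Correct` (added in the next hunk of this file and also defined in SharepointConfig_03_test.rego). Folding the policy into the name, e.g. `test_SharingCapability_Correct_V1` → `test_SharingCapability_1_1_Correct_V1`, keeps each test independent.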
@@ -23,13 +24,145 @@ test_DefaultSharingLinkType_Correct if { RuleOutput[0].ReportDetails == "Requirement met" } -test_DefaultSharingLinkType_Incorrect if { +test_SharingCapability_Correct_V2 if { PolicyId := "MS.SHAREPOINT.1.1v1" Output := tests with input as { "SPO_tenant": [ { - "DefaultSharingLinkType" : 2 + "SharingCapability" : 3 + } + ] + } + + RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] + + count(RuleOutput) == 1 + RuleOutput[0].RequirementMet + RuleOutput[0].ReportDetails == "Requirement met" +} + +test_SharingCapability_Incorrect_V1 if { + PolicyId := "MS.SHAREPOINT.1.1v1" + + Output := tests with input as { + "SPO_tenant": [ + { + "SharingCapability" : 1 + } + ] + } + + RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] + + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + RuleOutput[0].ReportDetails == "Requirement not met" +} + +test_SharingCapability_Incorrect_V2 if { + PolicyId := "MS.SHAREPOINT.1.1v1" + + Output := tests with input as { + "SPO_tenant": [ + { + "SharingCapability" : 2 + } + ] + } + + RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] + + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + RuleOutput[0].ReportDetails == "Requirement not met" +} +#-- + +# +# MS.SHAREPOINT.1.2v1 +#-- +test_SharingDomainRestrictionMode_Correct if { + PolicyId := "MS.SHAREPOINT.1.2v1" + + Output := tests with input as { + "SPO_tenant": [ + { + "SharingDomainRestrictionMode" : 1 + } + ] + } + + RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] + + count(RuleOutput) == 1 + RuleOutput[0].RequirementMet + RuleOutput[0].ReportDetails == "Requirement met" +} + +test_SharingDomainRestrictionMode_Incorrect if { + PolicyId := "MS.SHAREPOINT.1.2v1" + + Output := tests with input as { + "SPO_tenant": [ + { + "SharingDomainRestrictionMode" : 0 + } + ] + } + + RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] + + count(RuleOutput) == 
1 + not RuleOutput[0].RequirementMet + RuleOutput[0].ReportDetails == "Requirement not met" +} +#-- + +# +# MS.SHAREPOINT.1.3v1 +#-- +test_NotImplemented_Correct if { + PolicyId := "MS.SHAREPOINT.1.3v1" + + Output := tests with input as { } + + RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] + + count(RuleOutput) == 1 + not RuleOutput[0].RequirementMet + RuleOutput[0].ReportDetails == NotCheckedDetails(PolicyId) +} +#-- + +# +# MS.SHAREPOINT.1.4v1 +#-- +test_RequireAcceptingAccountMatchInvitedAccount_Correct if { + PolicyId := "MS.SHAREPOINT.1.4v1" + + Output := tests with input as { + "SPO_tenant": [ + { + "RequireAcceptingAccountMatchInvitedAccount" : true + } + ] + } + + RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] + + count(RuleOutput) == 1 + RuleOutput[0].RequirementMet + RuleOutput[0].ReportDetails == "Requirement met" +} + +test_RequireAcceptingAccountMatchInvitedAccount_Incorrect if { + PolicyId := "MS.SHAREPOINT.1.4v1" + + Output := tests with input as { + "SPO_tenant": [ + { + "RequireAcceptingAccountMatchInvitedAccount" : false } ] } @@ -40,3 +173,4 @@ test_DefaultSharingLinkType_Incorrect if { not RuleOutput[0].RequirementMet RuleOutput[0].ReportDetails == "Requirement not met" } +#-- \ No newline at end of file diff --git a/Testing/Unit/Rego/Sharepoint/SharepointConfig_02_test.rego b/Testing/Unit/Rego/Sharepoint/SharepointConfig_02_test.rego index 1953086f7d..2529ee0a43 100644 --- a/Testing/Unit/Rego/Sharepoint/SharepointConfig_02_test.rego +++ b/Testing/Unit/Rego/Sharepoint/SharepointConfig_02_test.rego 
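Review bot: The two MS.SHAREPOINT.1.2v1 tests in this hunk exercise only `SharingDomainRestrictionMode` (1 expected to pass, 0 to fail); nothing pins what happens to the domain allow list that the control is built around. If the rule is meant to require a populated `SharingAllowedDomainList` in addition to the mode, a case with `"SharingDomainRestrictionMode" : 1` and an empty list, expected to fail, would catch a policy that checks the mode alone; if the mode alone is the intended check, a one-line comment above `test_SharingDomainRestrictionMode_Correct` saying so would stop the next reader from adding it. The hunk opens mid-file, so the earlier MS.SHAREPOINT.1.1v1 tests it continues are partly outside this view.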
@@ -3,33 +3,15 @@ import future.keywords # -# Policy 1 +# MS.SHAREPOINT.2.1v1 #-- -test_SharingCapability_Correct_V1 if { - PolicyId := "MS.SHAREPOINT.1.3v1" - - Output := tests with input as { - "SPO_tenant": [ - { - "SharingCapability" : 1 - } - ] - } - - RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] - - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == "Requirement met" -} - -test_SharingCapability_Correct_V2 if { - PolicyId := "MS.SHAREPOINT.1.3v1" +test_DefaultSharingLinkType_Correct if { + PolicyId := "MS.SHAREPOINT.2.1v1" Output := tests with input as { "SPO_tenant": [ { - "SharingCapability" : 0 + "DefaultSharingLinkType" : 1 } ] } @@ -41,13 +23,13 @@ test_SharingCapability_Correct_V2 if { RuleOutput[0].ReportDetails == "Requirement met" } -test_SharingCapability_Incorrect if { - PolicyId := "MS.SHAREPOINT.1.3v1" +test_DefaultSharingLinkType_Incorrect if { + PolicyId := "MS.SHAREPOINT.2.1v1" Output := tests with input as { "SPO_tenant": [ { - "SharingCapability" : 2 + "DefaultSharingLinkType" : 2 } ] } @@ -57,4 +39,5 @@ test_SharingCapability_Incorrect if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet RuleOutput[0].ReportDetails == "Requirement not met" -} \ No newline at end of file +} +#-- \ No newline at end of file diff --git a/Testing/Unit/Rego/Sharepoint/SharepointConfig_03_test.rego b/Testing/Unit/Rego/Sharepoint/SharepointConfig_03_test.rego index c63204f413..04820f45cb 100644 --- a/Testing/Unit/Rego/Sharepoint/SharepointConfig_03_test.rego +++ b/Testing/Unit/Rego/Sharepoint/SharepointConfig_03_test.rego @@ -2,12 +2,13 @@ package sharepoint import future.keywords import data.report.utils.NotCheckedDetails + # -# Policy 1 +# MS.SHAREPOINT.3.1v1 #-- test_NotImplemented_Correct if { - PolicyId := "MS.SHAREPOINT.2.1v1" - + PolicyId := "MS.SHAREPOINT.3.1v1" + Output := tests with input as { } RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] 
@@ -15,4 +16,5 @@ test_NotImplemented_Correct if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet RuleOutput[0].ReportDetails == NotCheckedDetails(PolicyId) -} \ No newline at end of file +} +#-- \ No newline at end of file diff --git a/Testing/Unit/Rego/Sharepoint/SharepointConfig_04_test.rego b/Testing/Unit/Rego/Sharepoint/SharepointConfig_04_test.rego index 89406e7263..2c83c359b6 100644 --- a/Testing/Unit/Rego/Sharepoint/SharepointConfig_04_test.rego +++ b/Testing/Unit/Rego/Sharepoint/SharepointConfig_04_test.rego @@ -3,17 +3,17 @@ import future.keywords # -# Policy 1 +# MS.SHAREPOINT.4.1v1 #-- test_SharingCapability_Correct_V1 if { - PolicyId := "MS.SHAREPOINT.3.1v1" + PolicyId := "MS.SHAREPOINT.4.1v1" Output := tests with input as { "SPO_tenant": [ { "SharingCapability" : 0, "ExternalUserExpirationRequired" : true, - "ExternalUserExpireInDays" : 30 + "ExternalUserExpireInDays": 30 } ] } 
@@ -26,74 +26,14 @@ test_SharingCapability_Correct_V1 if { } test_SharingCapability_Correct_V2 if { - PolicyId := "MS.SHAREPOINT.3.1v1" + PolicyId := "MS.SHAREPOINT.4.1v1" Output := tests with input as { "SPO_tenant": [ { - "SharingCapability" : 0, - "ExternalUserExpirationRequired" : false, - "ExternalUserExpireInDays" : 30 - } - ] - } - - RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] - - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == "Requirement met" -} - -test_SharingCapability_Correct_V3 if { - PolicyId := "MS.SHAREPOINT.3.1v1" - - Output := tests with input as { - "SPO_tenant": [ - { - "SharingCapability" : 0, - "ExternalUserExpirationRequired" : true, - "ExternalUserExpireInDays" : 29 - } - ] - } - - RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] - - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == "Requirement met" -} - -test_SharingCapability_Correct_V4 if { - PolicyId := "MS.SHAREPOINT.3.1v1" - - Output := tests with input as { - "SPO_tenant": [ - { - "SharingCapability" : 0, + "SharingCapability" : 1, "ExternalUserExpirationRequired" : true, - "ExternalUserExpireInDays" : 31 - } - ] - } - - RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] - - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == "Requirement met" -} - -test_SharingCapability_Correct_V5 if { - PolicyId := "MS.SHAREPOINT.3.1v1" - - Output := tests with input as { - "SPO_tenant": [ - { - "SharingCapability" : 0, - "ExternalUserExpirationRequired" : false, - "ExternalUserExpireInDays" : 29 + "ExternalUserExpireInDays": 30 } ] } 
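Review bot: Deleting `test_SharingCapability_Correct_V3` through `_V6` removes the only cases where `SharingCapability` is 0 while the expiration settings are non-compliant (required false, or 29/31 days); the surviving `test_SharingCapability_Correct_V1` covers 0 only with compliant values. If the policy still treats a tenant with external sharing disabled as compliant regardless of the timer, one of those cases should stay so that short-circuit remains pinned; if it was intentionally dropped, a comment in the test file naming the new rule would make that visible. The rewritten `test_SharingCapability_Correct_V2` (capability 1, required true, 30 days) now overlaps what `test_ExternalUserExpireInDays_Correct` covers rather than the disabled-sharing branch.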
@@ -105,35 +45,15 @@ test_SharingCapability_Correct_V5 if { RuleOutput[0].ReportDetails == "Requirement met" } -test_SharingCapability_Correct_V6 if { - PolicyId := "MS.SHAREPOINT.3.1v1" - - Output := tests with input as { - "SPO_tenant": [ - { - "SharingCapability" : 0, - "ExternalUserExpirationRequired" : false, - "ExternalUserExpireInDays" : 31 - } - ] - } - - RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] - - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == "Requirement met" -} - -test_Multi_Correct if { - PolicyId := "MS.SHAREPOINT.3.1v1" +test_ExternalUserExpireInDays_Correct if { + PolicyId := "MS.SHAREPOINT.4.1v1" Output := tests with input as { "SPO_tenant": [ { "SharingCapability" : 1, "ExternalUserExpirationRequired" : true, - "ExternalUserExpireInDays" : 30 + "ExternalUserExpireInDays": 29 } ] } @@ -145,15 +65,15 @@ test_Multi_Correct if { RuleOutput[0].ReportDetails == "Requirement met" } -test_ExternalUserExpirationRequired_Incorrect if { - PolicyId := "MS.SHAREPOINT.3.1v1" +test_Multi_Incorrect_V1 if { + PolicyId := "MS.SHAREPOINT.4.1v1" Output := tests with input as { "SPO_tenant": [ { "SharingCapability" : 1, "ExternalUserExpirationRequired" : false, - "ExternalUserExpireInDays" : 30 + "ExternalUserExpireInDays": 31 } ] } 
@@ -162,58 +82,18 @@ test_ExternalUserExpirationRequired_Incorrect if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == "Requirement not met: Expiration timer for 'Guest access to a site or OneDrive' NOT enabled" + RuleOutput[0].ReportDetails == "Requirement not met: Expiration timer for 'Guest access to a site or OneDrive' NOT enabled and set to greater 30 days" } -test_ExternalUserExpireInDays_Incorrect_V1 if { - PolicyId := "MS.SHAREPOINT.3.1v1" - - Output := tests with input as { - "SPO_tenant": [ - { - "SharingCapability" : 1, - "ExternalUserExpirationRequired" : true, - "ExternalUserExpireInDays" : 29 - } - ] - } - - RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] - - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == "Requirement not met: Expiration timer for 'Guest access to a site or OneDrive' NOT set to 30 days" -} - -test_ExternalUserExpireInDays_Incorrect_V2 if { - PolicyId := "MS.SHAREPOINT.3.1v1" - - Output := tests with input as { - "SPO_tenant": [ - { - "SharingCapability" : 1, - "ExternalUserExpirationRequired" : true, - "ExternalUserExpireInDays" : 31 - } - ] - } - - RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] - - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == "Requirement not met: Expiration timer for 'Guest access to a site or OneDrive' NOT set to 30 days" -} - -test_Multi_Incorrect_V1 if { - PolicyId := "MS.SHAREPOINT.3.1v1" +test_ExternalUserExpirationRequired_Incorrect_V2 if { + PolicyId := "MS.SHAREPOINT.4.1v1" Output := tests with input as { "SPO_tenant": [ { "SharingCapability" : 1, "ExternalUserExpirationRequired" : false, - "ExternalUserExpireInDays" : 29 + "ExternalUserExpireInDays": 29 } ] } 
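Review bot: The expected message in test_Multi_Incorrect_V1, `NOT enabled and set to greater 30 days`, is missing a word and will be read verbatim by whoever triages the report; `NOT enabled and set to greater than 30 days` is the intended wording. Since this string is asserted against the policy's output, the fix belongs in the ReportDetails string in SharepointConfig.rego with this assertion updated in lockstep, not here alone. The same phrasing is repeated for the MS.SHAREPOINT.4.2v1 multi-failure case further down this file.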
@@ -222,18 +102,18 @@ test_Multi_Incorrect_V1 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == "Requirement not met" + RuleOutput[0].ReportDetails == "Requirement not met: Expiration timer for 'Guest access to a site or OneDrive' NOT enabled" } -test_Multi_Incorrect_V2 if { - PolicyId := "MS.SHAREPOINT.3.1v1" +test_ExternalUserExpireInDays_Incorrect_V3 if { + PolicyId := "MS.SHAREPOINT.4.1v1" Output := tests with input as { "SPO_tenant": [ { "SharingCapability" : 1, - "ExternalUserExpirationRequired" : false, - "ExternalUserExpireInDays" : 31 + "ExternalUserExpirationRequired" : true, + "ExternalUserExpireInDays": 31 } ] } 
@@ -242,69 +122,27 @@ test_Multi_Incorrect_V2 if { count(RuleOutput) == 1 not RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == "Requirement not met" + RuleOutput[0].ReportDetails == "Requirement not met: Expiration timer for 'Guest access to a site or OneDrive' NOT set to 30 days or less" } +#-- # -# Policy 2 +# MS.SHAREPOINT.4.2v1 #-- -test_SharingCapability_Correct_V1 if { - ControlNumber := "Sharepoint 2.4" - Requirement := "Expiration timer for 'People who use a verification code' should be set to 30 days" - - Output := tests with input as { - "SPO_tenant": [ - { - "SharingCapability" : 0, - "EmailAttestationRequired" : true, - "EmailAttestationReAuthDays" : 30 - } - ] - } - - RuleOutput := [Result | Result = Output[_]; Result.Control == ControlNumber; Result.Requirement == Requirement] - - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == "Requirement met" -} - -test_SharingCapability_Correct_V2 if { - ControlNumber := "Sharepoint 2.4" - Requirement := "Expiration timer for 'People who use a verification code' should be set to 30 days" - - Output := tests with input as { - "SPO_tenant": [ - { - "SharingCapability" : 0, - "EmailAttestationRequired" : false, - "EmailAttestationReAuthDays" : 30 - } - ] - } - - RuleOutput := [Result | Result = Output[_]; Result.Control == ControlNumber; Result.Requirement == Requirement] - - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == "Requirement met" -} - test_SharingCapability_Correct_V3 if { - ControlNumber := "Sharepoint 2.4" - Requirement := "Expiration timer for 'People who use a verification code' should be set to 30 days" + PolicyId := "MS.SHAREPOINT.4.2v1" Output := tests with input as { "SPO_tenant": [ { "SharingCapability" : 0, "EmailAttestationRequired" : true, - "EmailAttestationReAuthDays" : 29 + "EmailAttestationReAuthDays": 30 } ] } - RuleOutput := [Result | Result = Output[_]; Result.Control == ControlNumber; 
Result.Requirement == Requirement] + RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] count(RuleOutput) == 1 RuleOutput[0].RequirementMet 
@@ -312,190 +150,102 @@ test_SharingCapability_Correct_V3 if { } test_SharingCapability_Correct_V4 if { - ControlNumber := "Sharepoint 2.4" - Requirement := "Expiration timer for 'People who use a verification code' should be set to 30 days" + PolicyId := "MS.SHAREPOINT.4.2v1" Output := tests with input as { "SPO_tenant": [ { - "SharingCapability" : 0, + "SharingCapability" : 1, "EmailAttestationRequired" : true, - "EmailAttestationReAuthDays" : 31 - } - ] - } - - RuleOutput := [Result | Result = Output[_]; Result.Control == ControlNumber; Result.Requirement == Requirement] - - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == "Requirement met" -} - -test_SharingCapability_Correct_V5 if { - ControlNumber := "Sharepoint 2.4" - Requirement := "Expiration timer for 'People who use a verification code' should be set to 30 days" - - Output := tests with input as { - "SPO_tenant": [ - { - "SharingCapability" : 0, - "EmailAttestationRequired" : false, - "EmailAttestationReAuthDays" : 29 - } - ] - } - - RuleOutput := [Result | Result = Output[_]; Result.Control == ControlNumber; Result.Requirement == Requirement] - - count(RuleOutput) == 1 - RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == "Requirement met" -} - -test_SharingCapability_Correct_V6 if { - ControlNumber := "Sharepoint 2.4" - Requirement := "Expiration timer for 'People who use a verification code' should be set to 30 days" - - Output := tests with input as { - "SPO_tenant": [ - { - "SharingCapability" : 0, - "EmailAttestationRequired" : false, - "EmailAttestationReAuthDays" : 31 + "EmailAttestationReAuthDays": 30 } ] } - RuleOutput := [Result | Result = Output[_]; Result.Control == ControlNumber; Result.Requirement == Requirement] + RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] count(RuleOutput) == 1 RuleOutput[0].RequirementMet RuleOutput[0].ReportDetails == "Requirement met" } -test_Multi_Correct if { - ControlNumber := "Sharepoint 
2.4" - Requirement := "Expiration timer for 'People who use a verification code' should be set to 30 days" +test_EmailAttestationReAuthDays_Correct if { + PolicyId := "MS.SHAREPOINT.4.2v1" Output := tests with input as { "SPO_tenant": [ { "SharingCapability" : 1, "EmailAttestationRequired" : true, - "EmailAttestationReAuthDays" : 30 + "EmailAttestationReAuthDays": 29 } ] } - RuleOutput := [Result | Result = Output[_]; Result.Control == ControlNumber; Result.Requirement == Requirement] + RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] count(RuleOutput) == 1 RuleOutput[0].RequirementMet RuleOutput[0].ReportDetails == "Requirement met" } -test_EmailAttestationRequired_Incorrect if { - ControlNumber := "Sharepoint 2.4" - Requirement := "Expiration timer for 'People who use a verification code' should be set to 30 days" +test_Multi_Incorrect_V1 if { + PolicyId := "MS.SHAREPOINT.4.2v1" Output := tests with input as { "SPO_tenant": [ { "SharingCapability" : 1, "EmailAttestationRequired" : false, - "EmailAttestationReAuthDays" : 30 + "EmailAttestationReAuthDays": 31 } ] } - RuleOutput := [Result | Result = Output[_]; Result.Control == ControlNumber; Result.Requirement == Requirement] + RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] count(RuleOutput) == 1 not RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == "Requirement not met: Expiration timer for 'People who use a verification code' NOT enabled" + RuleOutput[0].ReportDetails == "Requirement not met: Expiration timer for 'People who use a verification code' NOT enabled and set to greater 30 days" } -test_EmailAttestationReAuthDays_Incorrect_V1 if { - ControlNumber := "Sharepoint 2.4" - Requirement := "Expiration timer for 'People who use a verification code' should be set to 30 days" +test_EmailAttestationRequired_Incorrect_V2 if { + PolicyId := "MS.SHAREPOINT.4.2v1" Output := tests with input as { "SPO_tenant": [ { "SharingCapability" : 1, - 
"EmailAttestationRequired" : true, - "EmailAttestationReAuthDays" : 29 + "EmailAttestationRequired" : false, + "EmailAttestationReAuthDays": 29 } ] } - RuleOutput := [Result | Result = Output[_]; Result.Control == ControlNumber; Result.Requirement == Requirement] + RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] count(RuleOutput) == 1 not RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == "Requirement not met: Expiration timer for 'People who use a verification code' NOT set to 30 days" + RuleOutput[0].ReportDetails == "Requirement not met: Expiration timer for 'People who use a verification code' NOT enabled" } -test_EmailAttestationReAuthDays_Incorrect_V2 if { - ControlNumber := "Sharepoint 2.4" - Requirement := "Expiration timer for 'People who use a verification code' should be set to 30 days" +test_EmailAttestationReAuthDays_Incorrect_V3 if { + PolicyId := "MS.SHAREPOINT.4.2v1" Output := tests with input as { "SPO_tenant": [ { "SharingCapability" : 1, "EmailAttestationRequired" : true, - "EmailAttestationReAuthDays" : 31 + "EmailAttestationReAuthDays": 31 } ] } - RuleOutput := [Result | Result = Output[_]; Result.Control == ControlNumber; Result.Requirement == Requirement] + RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] count(RuleOutput) == 1 not RuleOutput[0].RequirementMet RuleOutput[0].ReportDetails == "Requirement not met: Expiration timer for 'People who use a verification code' NOT set to 30 days" } - -test_Multi_Incorrect_V1 if { - ControlNumber := "Sharepoint 2.4" - Requirement := "Expiration timer for 'People who use a verification code' should be set to 30 days" - - Output := tests with input as { - "SPO_tenant": [ - { - "SharingCapability" : 1, - "EmailAttestationRequired" : false, - "EmailAttestationReAuthDays" : 29 - } - ] - } - - RuleOutput := [Result | Result = Output[_]; Result.Control == ControlNumber; Result.Requirement == Requirement] - - count(RuleOutput) == 1 - not 
RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == "Requirement not met" -} - -test_Multi_Incorrect_V2 if { - ControlNumber := "Sharepoint 2.4" - Requirement := "Expiration timer for 'People who use a verification code' should be set to 30 days" - - Output := tests with input as { - "SPO_tenant": [ - { - "SharingCapability" : 1, - "EmailAttestationRequired" : false, - "EmailAttestationReAuthDays" : 31 - } - ] - } - - RuleOutput := [Result | Result = Output[_]; Result.Control == ControlNumber; Result.Requirement == Requirement] - - count(RuleOutput) == 1 - not RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == "Requirement not met" -} \ No newline at end of file +#-- \ No newline at end of file diff --git a/Testing/Unit/Rego/Sharepoint/SharepointConfig_05_test.rego b/Testing/Unit/Rego/Sharepoint/SharepointConfig_05_test.rego index 450c50cdf9..1b0fa9e478 100644 --- a/Testing/Unit/Rego/Sharepoint/SharepointConfig_05_test.rego +++ b/Testing/Unit/Rego/Sharepoint/SharepointConfig_05_test.rego 
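Review bot: test_EmailAttestationReAuthDays_Incorrect_V3 (timer enabled, 31 days) still asserts the unchanged context line `"... 'People who use a verification code' NOT set to 30 days"`, while the parallel MS.SHAREPOINT.4.1v1 case in this same commit asserts `NOT set to 30 days or less` and the baseline text for 4.2v1 is rewritten to "30 days or less". Either the policy's single-condition message for 4.2v1 was not updated alongside 4.1v1, which leaves the two controls reporting the threshold inconsistently, or it was and this assertion now fails; the policy body is not visible here, so I cannot tell which. I would change the assertion to `RuleOutput[0].ReportDetails == "Requirement not met: Expiration timer for 'People who use a verification code' NOT set to 30 days or less"` and align the ReportDetails string in SharepointConfig.rego to match.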
@@ -2,39 +2,38 @@ package sharepoint import future.keywords import data.report.utils.NotCheckedDetails + # -# Policy 1 +# MS.SHAREPOINT.5.1v1 #-- test_NotImplemented_Correct if { - ControlNumber := "Sharepoint 2.5" - PolicyId := "MS.SHAREPOINT.TBD" - Requirement := "Users SHALL be prevented from running custom scripts on personal sites (OneDrive)" + PolicyId := "MS.SHAREPOINT.5.1v1" Output := tests with input as { } - RuleOutput := [Result | Result = Output[_]; Result.Control == ControlNumber; Result.Requirement == Requirement] + RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] count(RuleOutput) == 1 not RuleOutput[0].RequirementMet RuleOutput[0].ReportDetails == NotCheckedDetails(PolicyId) } +#-- # -# Policy 2 +# MS.SHAREPOINT.5.2v1 #-- test_DenyAddAndCustomizePages_Correct if { - ControlNumber := "Sharepoint 2.5" - Requirement := "Users SHALL be prevented from running custom scripts on self-service created sites" + PolicyId := "MS.SHAREPOINT.5.2v1" Output := tests with input as { "SPO_site": [ { "DenyAddAndCustomizePages" : 2 } - ] + ] } - RuleOutput := [Result | Result = Output[_]; Result.Control == ControlNumber; Result.Requirement == Requirement] + RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] count(RuleOutput) == 1 RuleOutput[0].RequirementMet @@ -42,8 +41,7 @@ test_DenyAddAndCustomizePages_Correct if { } test_DenyAddAndCustomizePages_Incorrect if { - ControlNumber := "Sharepoint 2.5" - Requirement := "Users SHALL be prevented from running custom scripts on self-service created sites" + PolicyId := "MS.SHAREPOINT.5.2v1" Output := tests with input as { "SPO_site": [ 
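Review bot: test_DenyAddAndCustomizePages_Correct feeds a single-element `SPO_site` list, so `count(RuleOutput) == 1` says nothing about how the rule aggregates over a tenant with many sites, and MS.SHAREPOINT.5.2v1 is a SHALL control where one site left with custom script enabled is the case that matters. How the rule iterates `input.SPO_site` is not visible in this diff, so I would add a two-site input, `{ "DenyAddAndCustomizePages" : 2 }, { "DenyAddAndCustomizePages" : 1 }`, asserting a single result with `not RuleOutput[0].RequirementMet`, so a tenant with any non-compliant site cannot be reported compliant.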
@@ -53,9 +51,10 @@ test_DenyAddAndCustomizePages_Incorrect if { ] } - RuleOutput := [Result | Result = Output[_]; Result.Control == ControlNumber; Result.Requirement == Requirement] + RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] count(RuleOutput) == 1 not RuleOutput[0].RequirementMet RuleOutput[0].ReportDetails == "Requirement not met" } +#-- \ No newline at end of file diff --git a/baselines/sharepoint.md b/baselines/sharepoint.md index b153f02bc2..aebd9431ab 100644 --- a/baselines/sharepoint.md +++ b/baselines/sharepoint.md @@ -66,39 +66,7 @@ listed. # Baselines -## 1. File and Folder Links Default Sharing Settings - -This policy ensures that when sharing files in SharePoint, there are -several possible scopes, including agency-wide or “anyone with the -link.” - -### Policies - -#### MS.SHAREPOINT.1.1v1 -File and folder links default sharing setting SHALL be set to Specific People (Only the People the User Specifies). -- _Rationale:_ TODO -- _Last modified:_ June 2023 - -### Resources - -- [File and folder links \| Microsoft - Documents](https://docs.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#file-and-folder-links) - -### License Requirements - -- N/A - -### Implementation - -In the **SharePoint admin** **center**: - -1. In the left-hand navigation bar, click **Policies** -\> **Sharing** - to display sharing settings. - -2. Under **File and folder links**, ensure that the default link type - is set to **Specific people (only the people the user specifies)**. - -## 2. External Sharing +## 1. External Sharing SharePoint allows sharing with users who are outside the agency, which is convenient but may pose a data loss or other information security 
@@ -109,7 +77,7 @@ groups per interagency collaboration needs. for OneDrive and Teams to the same, selected level. OneDrive and Teams can be less permissive (not more permissive) than SharePoint Online. -Adding approved domains and/or security groups will also be reflected in +Adding approved domains and security groups will also be reflected in OneDrive external sharing settings. External access may be granted on a per-domain basis. This may be @@ -119,8 +87,24 @@ Program](https://community.max.gov/display/Egov/Interagency+Collaboration+Progra OMB Max Site for a list of .gov domains for sharing). ### Policies -#### MS.SHAREPOINT.2.1v1 -External sharing SHOULD be limited to approved domains and security groups per interagency collaboration needs. +#### MS.SHAREPOINT.1.1v1 +External sharing SHOULD be limited to Existing Guests or the more restrictive setting, Only People in your Organization. +- _Rationale:_ TODO +- _Last modified:_ June 2023 +- _Note:_ Same implementation in MS.ONEDRIVE.1.1v1 + +#### MS.SHAREPOINT.1.2v1 +External sharing SHOULD be limited to approved domains per interagency collaboration needs. +- _Rationale:_ TODO +- _Last modified:_ June 2023 + +#### MS.SHAREPOINT.1.3v1 +External sharing SHOULD be limited to approved security groups per interagency collaboration needs. +- _Rationale:_ TODO +- _Last modified:_ June 2023 + +#### MS.SHAREPOINT.1.4v1 +Guest access SHOULD be limited to the email the invitation was sent. - _Rationale:_ TODO - _Last modified:_ June 2023 
@@ -133,39 +117,96 @@ External sharing SHOULD be limited to approved domains and security groups per i - N/A -### Implementation +### Implementation + +MS.SHAREPOINT.1.1v1, in the **SharePoint admin center**: + +1. Select **Policies** -\> **Sharing** + +2. Adjust external sharing slider to **Existing Guests** or **Only people in your organization** + +3. Select **Save** + +MS.SHAREPOINT.1.2v1, in the **SharePoint admin center**: + +1. Select **Policies** -\> **Sharing** + +2. Expand **More external sharing settings** + +3. Select **Limit external sharing by domain** + +4. Select **Add domains** + +5. Add approved external domains + +6. Select **Save** -To adjust sharing settings, in the **SharePoint admin center**: +MS.SHAREPOINT.1.3v1, in the **SharePoint admin center**: -1. Select **Policies** -\> **Sharing**. +1. Select **Policies** -\> **Sharing** -2. Adjust external sharing slider to **New and Existing Guests.** +2. Expand **More external sharing settings** -3. Expand **More external sharing settings.** +3. Select **Allow only users in specific security groups to share + externally** -4. Select **Limit external sharing by domain**. +4. Select **Manage security groups** -5. Select **Add domains.** +5. Add approved security groups -6. Add domains. +6. Select **Save** -7. Select **Save.** +MS.SHAREPOINT.1.4v1, in the **SharePoint admin center**: -8. Select **Allow only users in specific security groups to share - externally**. +1. Select **Policies** -\> **Sharing** -9. Select **Manage security groups.** +2. Expand **More external sharing settings** -10. Add security groups. +3. Select **Guests must sign in using the same account to which sharing invitations are sent** -11. Select **Save.** +4. Select **Save** -## 3. Sensitivity Levels +## 2. 
File and Folder Links Default Sharing Settings + +This policy ensures that when sharing files in SharePoint, there are +several possible scopes, including agency-wide or “anyone with the +link.” + +### Policies + +#### MS.SHAREPOINT.2.1v1 +File and folder links default sharing setting SHALL be set to Specific People (only the people the user specifies). +- _Rationale:_ TODO +- _Last modified:_ June 2023 +_Note:_ Similar implementation in MS.ONEDRIVE.3.1v1 + +### Resources + +- [File and folder links \| Microsoft + Documents](https://docs.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#file-and-folder-links) + +### License Requirements + +- N/A + +### Implementation + +MS.SHAREPOINT.2.1v1, in the **SharePoint admin center**: + +1. In the left-hand navigation bar, click **Policies** -\> **Sharing** + to display sharing settings + +2. Under **File and folder links**, ensure that the default link type + is set to **Specific people (only the people the user specifies)** + +3. Select **Save** + +## 3. Sensitivity Levels SharePoint allows sharing with users who are outside the agency, which is convenient but may pose a data loss or other information security -risk. This working group recommends outside of the default -organizational settings agencies should evaluate each created site and +risk. This baseline policy recommends, outside of the default +organizational settings, agencies evaluate each created site and adjust sharing settings best aligned to their respective sensitivity level. 
@@ -184,26 +225,24 @@ Sharing settings for specific SharePoint sites SHOULD align to their sensitivity - N/A -### Implementation - -To limit external sharing by domain, in the **SharePoint admin center**: +### Implementation -1. Select **Sites.** +MS.SHAREPOINT.3.1v1, in the **SharePoint admin center**: -2. Select **Active sites.** +1. Select **Sites** -3. Select **Site name.** +2. Select **Active sites** -4. Select **Add domains.** +3. Select **Site name** -5. Select **Policies.** +4. Select **Settings** -6. Under **external sharing**, select **Edit**. +5. Select **More sharing settings** -7. Select permissions aligning to the risk posture associated with the - sensitivity of the SharePoint site. +6. Select permissions aligning to the risk posture associated with the + sensitivity of the SharePoint site -8. Select **Save.** +7. Select **Save** ## 4. Guest Access to a Site or OneDrive @@ -217,12 +256,12 @@ for OneDrive and Teams to the same, specified expiration times. ### Policies #### MS.SHAREPOINT.4.1v1 -Expiration timers for guest access to a site or OneDrive and people who use a verification code SHOULD be set. +Expiration timers for guest access to a site or OneDrive SHOULD be set to 30 days or less. - _Rationale:_ TODO - _Last modified:_ June 2023 #### MS.SHAREPOINT.4.2v1 -Expiration timers SHOULD be set to 30 days. +Expiration timers for people who use a verification code SHOULD be set to 30 days or less. - _Rationale:_ TODO - _Last modified:_ June 2023 
@@ -234,34 +273,53 @@ Expiration timers SHOULD be set to 30 days. - [Managing SharePoint Online Security: A Team Effort \| Microsoft Build](https://docs.microsoft.com/en-us/microsoft-365/community/sharepoint-security-a-team-effort) +- [Secure external sharing recipient experience \| Microsoft + Build](https://learn.microsoft.com/en-us/sharepoint/what-s-new-in-sharing-in-targeted-release) -### Implementation +### Implementation -To limit external sharing by domain, in the **SharePoint admin center**: +MS.SHAREPOINT.4.1v1, in the **SharePoint admin center**: -1. Select **Policies** -\> **Sharing**. +1. Select **Policies** -\> **Sharing** -2. Expand **More external sharing settings.** +2. Expand **More external sharing settings** 3. Select **Guest access to a site or OneDrive will expire - automatically after this many days.** + automatically after this many days** -4. Enter “30” days. +4. Enter “30” days or less -5. Select **People who use a verification code must reauthenticate - after this many days**. +5. Select **Save** -6. Enter “30 days”. +MS.SHAREPOINT.4.2v1, in the **SharePoint admin center**: + +1. Select **Policies** -\> **Sharing** + +2. Expand **More external sharing settings** + +3. Select **People who use a verification code must reauthenticate + after this many days** + +4. Enter “30 days” or less + +5. Select **Save** ## 5. Custom Scripts Allowing users to run custom scripts can potentially allow malicious -scripts to run in a trusted environment. For this reason, running custom -scripts should not be allowed. +scripts to run in a trusted environment. Microsoft provides settings to +mitigate this risk by preventing users from running custom scripts. ### Policy #### MS.SHAREPOINT.5.1v1 -Users SHALL be prevented from running custom scripts. +Users SHALL be prevented from running custom scripts on personal sites. 
+- _Rationale:_ TODO +- _Last modified:_ June 2023 + +#### MS.SHAREPOINT.5.2v1 +Users SHALL be prevented from running custom scripts on self-service created sites. +- _Rationale:_ TODO +- _Last modified:_ June 2023 ### Resources @@ -274,15 +332,30 @@ Users SHALL be prevented from running custom scripts. ### Implementation -In the **SharePoint Classic admin center**: +MS.SHAREPOINT.5.1v1, in the **SharePoint admin center**: + +1. Select **Settings** + +2. Scroll down to select **classic settings page** + +3. Scroll to the **Custom Script** setting + +4. Select **Prevent users from running custom script on personal sites** + +5. Select **Ok** + +MS.SHAREPOINT.5.1v1, in the **SharePoint admin center**: + +1. Select **Settings** + +2. Scroll down to select **classic settings page** -1. Scroll to the **Custom Script** setting and select both of the - following: +3. Scroll to the **Custom Script** setting -2. **Prevent users from running custom script on personal sites.** +4. Select **Prevent users from running custom script on self-service created + sites** -3. **Prevent users from running custom script on self-service created - sites.** +5. Select **Ok** # Acknowledgements @@ -333,4 +406,4 @@ Matthew Snitchler (Sandia), Darryl Purdy (USCB), Brandon Frankens Dr. Mukesh Rohatgi (MITRE), Lee Szilagyi (MITRE), Nanda Katikaneni (MITRE), Ted Kolovos (MITRE), Thomas Comeau (MITRE), Karen Caraway (MITRE), Jackie Whieldon (MITRE), Jeanne Firey (MITRE), Kenneth Myers -(General Services Administration). +(General Services Administration). \ No newline at end of file