diff --git a/src/data/standards.json b/src/data/standards.json index 9c6577c64b99..7d2bffc47d84 100644 --- a/src/data/standards.json +++ b/src/data/standards.json @@ -7,10 +7,30 @@ "docsDescription": "", "executiveText": "Establishes designated contact email addresses for receiving important Microsoft 365 subscription updates and notifications. This ensures proper communication channels are maintained for general, security, marketing, and technical matters, improving organizational responsiveness to critical system updates.", "addedComponent": [ - { "type": "textField", "name": "standards.MailContacts.GeneralContact", "label": "General Contact", "required": false }, - { "type": "textField", "name": "standards.MailContacts.SecurityContact", "label": "Security Contact", "required": false }, - { "type": "textField", "name": "standards.MailContacts.MarketingContact", "label": "Marketing Contact", "required": false }, - { "type": "textField", "name": "standards.MailContacts.TechContact", "label": "Technical Contact", "required": false } + { + "type": "textField", + "name": "standards.MailContacts.GeneralContact", + "label": "General Contact", + "required": false + }, + { + "type": "textField", + "name": "standards.MailContacts.SecurityContact", + "label": "Security Contact", + "required": false + }, + { + "type": "textField", + "name": "standards.MailContacts.MarketingContact", + "label": "Marketing Contact", + "required": false + }, + { + "type": "textField", + "name": "standards.MailContacts.TechContact", + "label": "Technical Contact", + "required": false + } ], "label": "Set contact e-mails", "impact": "Low Impact", 
@@ -27,10 +47,30 @@ "docsDescription": "This standard creates a new mail contact in Exchange Online. Mail contacts are useful for adding external email addresses to your organization's address book. They can be used for distribution lists, shared mailboxes, and other collaboration scenarios.", "executiveText": "Automatically creates external email contacts in the organization's address book, enabling seamless communication with external partners and vendors. This standardizes contact management across all company locations and improves collaboration efficiency.", "addedComponent": [ - { "type": "textField", "name": "standards.DeployMailContact.ExternalEmailAddress", "label": "External Email Address", "required": true }, - { "type": "textField", "name": "standards.DeployMailContact.DisplayName", "label": "Display Name", "required": true }, - { "type": "textField", "name": "standards.DeployMailContact.FirstName", "label": "First Name", "required": false }, - { "type": "textField", "name": "standards.DeployMailContact.LastName", "label": "Last Name", "required": false } + { + "type": "textField", + "name": "standards.DeployMailContact.ExternalEmailAddress", + "label": "External Email Address", + "required": true + }, + { + "type": "textField", + "name": "standards.DeployMailContact.DisplayName", + "label": "Display Name", + "required": true + }, + { + "type": "textField", + "name": "standards.DeployMailContact.FirstName", + "label": "First Name", + "required": false + }, + { + "type": "textField", + "name": "standards.DeployMailContact.LastName", + "label": "Last Name", + "required": false + } ], "label": "Deploy Mail Contact", "impact": "Low Impact", 
@@ -38,7 +78,13 @@ "addedDate": "2024-03-19", "powershellEquivalent": "New-MailContact", "recommendedBy": ["CIPP"], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.DeployContactTemplates", @@ -54,7 +100,12 @@ "creatable": false, "label": "Select Mail Contact Templates", "name": "standards.DeployContactTemplates.templateIds", - "api": { "url": "/api/ListContactTemplates", "labelField": "name", "valueField": "GUID", "queryKey": "Contact Templates" } + "api": { + "url": "/api/ListContactTemplates", + "labelField": "name", + "valueField": "GUID", + "queryKey": "Contact Templates" + } } ], "label": "Deploy Mail Contact Template", 
@@ -64,12 +115,24 @@ "addedDate": "2025-05-31", "powershellEquivalent": "New-MailContact", "recommendedBy": ["CIPP"], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.AuditLog", "cat": "Global Standards", - "tag": ["CIS M365 5.0 (3.1.1)", "mip_search_auditlog", "NIST CSF 2.0 (DE.CM-09)", "CISAMSEXO171", "CISAMSEXO173"], + "tag": [ + "CIS M365 5.0 (3.1.1)", + "mip_search_auditlog", + "NIST CSF 2.0 (DE.CM-09)", + "CISAMSEXO171", + "CISAMSEXO173" + ], "helpText": "Enables the Unified Audit Log for tracking and auditing activities. Also runs Enable-OrganizationCustomization if necessary.", "executiveText": "Activates comprehensive activity logging across Microsoft 365 services to track user actions, system changes, and security events. This provides essential audit trails for compliance requirements, security investigations, and regulatory reporting.", "addedComponent": [], @@ -79,7 +142,13 @@ "addedDate": "2021-11-16", "powershellEquivalent": "Enable-OrganizationCustomization", "recommendedBy": ["CIS", "CIPP"], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.RestrictThirdPartyStorageServices", 
@@ -95,7 +164,14 @@ "addedDate": "2025-06-06", "powershellEquivalent": "New-MgServicePrincipal and Update-MgServicePrincipal", "recommendedBy": ["CIS"], - "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"] + "requiredCapabilities": [ + "SHAREPOINTWAC", + "SHAREPOINTSTANDARD", + "SHAREPOINTENTERPRISE", + "SHAREPOINTENTERPRISE_EDU", + "ONEDRIVE_BASIC", + "ONEDRIVE_ENTERPRISE" + ] }, { "name": "standards.ProfilePhotos", @@ -123,7 +199,13 @@ "addedDate": "2025-01-19", "powershellEquivalent": "Set-OrganizationConfig -ProfilePhotoOptions EnablePhotos and Update-MgBetaAdminPeople", "recommendedBy": [], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.PhishProtection", 
@@ -148,9 +230,23 @@ "helpText": "Sets the branding for the tenant. This includes the login page, and the Office 365 portal.", "executiveText": "Customizes Microsoft 365 login pages and portals with company branding, including logos, colors, and messaging. This creates a consistent corporate identity experience for employees and reinforces brand recognition while maintaining professional appearance across all Microsoft services.", "addedComponent": [ - { "type": "textField", "name": "standards.Branding.signInPageText", "label": "Sign-in page text", "required": false }, - { "type": "textField", "name": "standards.Branding.usernameHintText", "label": "Username hint Text", "required": false }, - { "type": "switch", "name": "standards.Branding.hideAccountResetCredentials", "label": "Hide self-service password reset" }, + { + "type": "textField", + "name": "standards.Branding.signInPageText", + "label": "Sign-in page text", + "required": false + }, + { + "type": "textField", + "name": "standards.Branding.usernameHintText", + "label": "Username hint Text", + "required": false + }, + { + "type": "switch", + "name": "standards.Branding.hideAccountResetCredentials", + "label": "Hide self-service password reset" + }, { "type": "autoComplete", "multiple": false, 
@@ -234,7 +330,17 @@ { "name": "standards.DisableGuestDirectory", "cat": "Global Standards", - "tag": ["CIS M365 5.0 (5.1.6.2)", "CISA (MS.AAD.5.1v1)", "EIDSCA.AP14", "EIDSCA.ST08", "EIDSCA.ST09", "NIST CSF 2.0 (PR.AA-05)", "EIDSCAAP07", "EIDSCAST08", "EIDSCAST09"], + "tag": [ + "CIS M365 5.0 (5.1.6.2)", + "CISA (MS.AAD.5.1v1)", + "EIDSCA.AP14", + "EIDSCA.ST08", + "EIDSCA.ST09", + "NIST CSF 2.0 (PR.AA-05)", + "EIDSCAAP07", + "EIDSCAST08", + "EIDSCAST09" + ], "helpText": "Disables Guest access to enumerate directory objects. This prevents guest users from seeing other users or guests in the directory.", "docsDescription": "Sets it so guests can view only their own user profile. Permission to view other users isn't allowed. Also restricts guest users from seeing the membership of groups they're in. See exactly what get locked down in the [Microsoft documentation.](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions)", "executiveText": "Restricts external guest users from viewing the company's employee directory and organizational structure, protecting sensitive information about staff and internal groups. This security measure prevents unauthorized access to corporate contact information while still allowing necessary collaboration.", 
@@ -260,12 +366,25 @@ "addedDate": "2021-11-16", "powershellEquivalent": "Set-TransportConfig -SmtpClientAuthenticationDisabled $true", "recommendedBy": ["CIS", "CIPP"], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.ActivityBasedTimeout", "cat": "Global Standards", - "tag": ["CIS M365 5.0 (1.3.2)", "spo_idle_session_timeout", "NIST CSF 2.0 (PR.AA-03)", "ZTNA21813", "ZTNA21814", "ZTNA21815"], + "tag": [ + "CIS M365 5.0 (1.3.2)", + "spo_idle_session_timeout", + "NIST CSF 2.0 (PR.AA-03)", + "ZTNA21813", + "ZTNA21814", + "ZTNA21815" + ], "helpText": "Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps", "executiveText": "Automatically logs out inactive users from Microsoft 365 applications after a specified time period to prevent unauthorized access to company data on unattended devices. This security measure protects against data breaches when employees leave workstations unlocked.", "addedComponent": [ 
@@ -333,6 +452,33 @@
 "powershellEquivalent": "Update-MgBetaPolicyAuthenticationMethodPolicy",
 "recommendedBy": []
 },
+ {
+ "name": "standards.AdminSSPR",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["EIDSCA.AP01", "EIDSCAAP01", "ZTNA21842"],
+ "helpText": "Controls whether administrators are allowed to use Self-Service Password Reset through the Microsoft Entra authorization policy.",
+ "docsDescription": "Configures the allowedToUseSSPR property on the Microsoft Entra authorization policy. Microsoft documents this property as controlling whether administrators of the tenant can use Self-Service Password Reset. Use this standard to explicitly enable or disable administrator SSPR based on your security policy.",
+ "executiveText": "Controls whether tenant administrators can reset their own passwords through Self-Service Password Reset. Disabling this capability forces privileged accounts through more controlled recovery processes and reduces the risk of self-service recovery being misused on administrative identities.",
+ "addedComponent": [
+ {
+ "type": "autoComplete",
+ "multiple": false,
+ "creatable": false,
+ "label": "Select value",
+ "name": "standards.AdminSSPR.state",
+ "options": [
+ { "label": "Enabled", "value": "enabled" },
+ { "label": "Disabled", "value": "disabled" }
+ ]
+ }
+ ],
+ "label": "Set administrator Self-Service Password Reset state",
+ "impact": "Low Impact",
+ "impactColour": "info",
+ "addedDate": "2026-04-21",
+ "powershellEquivalent": "Update-MgBetaPolicyAuthorizationPolicy",
+ "recommendedBy": ["CIPP"]
+ },
 {
 "name": "standards.AuthMethodsPolicyMigration",
 "cat": "Entra (AAD) Standards",
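Review bot: The `standards.AdminSSPR.state` select in the new AdminSSPR entry carries no `required` flag and no default, so the standard can be saved with no state chosen and whatever is then written to `allowedToUseSSPR` is presumably decided by the consumer outside this file; adding `"required": true,` to the component, as the other components in this diff spell out a `required` value, closes that gap at the form. The three texts also never say which state is the intended one, while the executiveText reads as favouring Disabled, so the docsDescription should state it, e.g. append `Recommended value: Disabled.`. Because the disabled state changes how privileged accounts recover access, the `"Low Impact"` / `"info"` rating looks optimistic next to the Medium rating other access-affecting standards in this file carry and deserves a second look rather than a definite change.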
@@ -380,13 +526,21 @@ "queryKey": "StdAppApprovalTemplateList", "addedField": { "AppId": "AppId" } }, - "condition": { "field": "standards.AppDeploy.mode", "compareType": "is", "compareValue": "template" } + "condition": { + "field": "standards.AppDeploy.mode", + "compareType": "is", + "compareValue": "template" + } }, { "type": "textField", "name": "standards.AppDeploy.appids", "label": "Application IDs, comma separated", - "condition": { "field": "standards.AppDeploy.mode", "compareType": "isNot", "compareValue": "template" } + "condition": { + "field": "standards.AppDeploy.mode", + "compareType": "isNot", + "compareValue": "template" + } } ], "label": "Deploy Application", @@ -414,7 +568,23 @@ { "name": "standards.PWdisplayAppInformationRequiredState", "cat": "Entra (AAD) Standards", - "tag": ["CIS M365 5.0 (2.3.1)", "EIDSCA.AM03", "EIDSCA.AM04", "EIDSCA.AM06", "EIDSCA.AM07", "EIDSCA.AM09", "EIDSCA.AM10", "NIST CSF 2.0 (PR.AA-03)", "EIDSCAAM01", "EIDSCAAM03", "EIDSCAAM04", "EIDSCAAM06", "EIDSCAAM07", "EIDSCAAM09", "EIDSCAAM10"], + "tag": [ + "CIS M365 5.0 (2.3.1)", + "EIDSCA.AM03", + "EIDSCA.AM04", + "EIDSCA.AM06", + "EIDSCA.AM07", + "EIDSCA.AM09", + "EIDSCA.AM10", + "NIST CSF 2.0 (PR.AA-03)", + "EIDSCAAM01", + "EIDSCAAM03", + "EIDSCAAM04", + "EIDSCAAM06", + "EIDSCAAM07", + "EIDSCAAM09", + "EIDSCAAM10" + ], "helpText": "Enables the MS authenticator app to display information about the app that is requesting authentication. This displays the application name.", "docsDescription": "Allows users to use Passwordless with Number Matching and adds location information from the last request", "executiveText": "Enhances authentication security by requiring users to match numbers and showing detailed information about login requests, including application names and location data. This helps employees verify legitimate login attempts and prevents unauthorized access through more secure authentication methods.", 
@@ -472,7 +642,21 @@ { "name": "standards.EnableFIDO2", "cat": "Entra (AAD) Standards", - "tag": ["EIDSCA.AF01", "EIDSCA.AF02", "EIDSCA.AF03", "EIDSCA.AF04", "EIDSCA.AF05", "EIDSCA.AF06", "NIST CSF 2.0 (PR.AA-03)", "EIDSCAAF01", "EIDSCAAF02", "EIDSCAAF03", "EIDSCAAF04", "EIDSCAAF05", "EIDSCAAF06"], + "tag": [ + "EIDSCA.AF01", + "EIDSCA.AF02", + "EIDSCA.AF03", + "EIDSCA.AF04", + "EIDSCA.AF05", + "EIDSCA.AF06", + "NIST CSF 2.0 (PR.AA-03)", + "EIDSCAAF01", + "EIDSCAAF02", + "EIDSCAAF03", + "EIDSCAAF04", + "EIDSCAAF05", + "EIDSCAAF06" + ], "helpText": "Enables the FIDO2 authenticationMethod for the tenant", "docsDescription": "Enables FIDO2 capabilities for the tenant. This allows users to use FIDO2 keys like a Yubikey for authentication.", "executiveText": "Enables support for hardware security keys (like YubiKey) that provide the highest level of authentication security. These physical devices prevent phishing attacks and credential theft, offering superior protection for high-value accounts and sensitive business operations.", 
@@ -574,11 +758,27 @@ { "name": "standards.CustomBannedPasswordList", "cat": "Entra (AAD) Standards", - "tag": ["CIS M365 5.0 (5.2.3.2)", "ZTNA21848", "ZTNA21849", "ZTNA21850", "EIDSCAPR01", "EIDSCAPR02", "EIDSCAPR03", "EIDSCAPR05", "EIDSCAPR06"], + "tag": [ + "CIS M365 5.0 (5.2.3.2)", + "ZTNA21848", + "ZTNA21849", + "ZTNA21850", + "EIDSCAPR01", + "EIDSCAPR02", + "EIDSCAPR03", + "EIDSCAPR05", + "EIDSCAPR06" + ], "helpText": "**Requires Entra ID P1.** Updates and enables the Entra ID custom banned password list with the supplied words. Enter words separated by commas or semicolons. Each word must be 4-16 characters long. Maximum 1,000 words allowed.", "docsDescription": "Updates and enables the Entra ID custom banned password list with the supplied words. This supplements the global banned password list maintained by Microsoft. The custom list is limited to 1,000 key base terms of 4-16 characters each. Entra ID will [block variations and common substitutions](https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-configure-custom-password-protection#configure-custom-banned-passwords) of these words in user passwords. [How are passwords evaluated?](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad#score-calculation)", "addedComponent": [ - { "type": "textField", "name": "standards.CustomBannedPasswordList.BannedWords", "label": "Banned Words", "placeholder": "Banned words separated by commas or semicolons", "required": true } + { + "type": "textField", + "name": "standards.CustomBannedPasswordList.BannedWords", + "label": "Banned Words", + "placeholder": "Banned words separated by commas or semicolons", + "required": true + } ], "label": "Set Entra ID Custom Banned Password List", "impact": "Medium Impact", 
@@ -632,12 +832,31 @@ { "name": "standards.EnableAppConsentRequests", "cat": "Entra (AAD) Standards", - "tag": ["CIS M365 5.0 (1.5.2)", "CISA (MS.AAD.9.1v1)", "EIDSCA.CP04", "EIDSCA.CR01", "EIDSCA.CR02", "EIDSCA.CR03", "EIDSCA.CR04", "Essential 8 (1507)", "NIST CSF 2.0 (PR.AA-05)", "ZTNA21869", "EIDSCACR01", "EIDSCACR02", "EIDSCACR03", "EIDSCACR04"], + "tag": [ + "CIS M365 5.0 (1.5.2)", + "CISA (MS.AAD.9.1v1)", + "EIDSCA.CP04", + "EIDSCA.CR01", + "EIDSCA.CR02", + "EIDSCA.CR03", + "EIDSCA.CR04", + "Essential 8 (1507)", + "NIST CSF 2.0 (PR.AA-05)", + "ZTNA21869", + "EIDSCACR01", + "EIDSCACR02", + "EIDSCACR03", + "EIDSCACR04" + ], "helpText": "Enables App consent admin requests for the tenant via the GA role. Does not overwrite existing reviewer settings", "docsDescription": "Enables the ability for users to request admin consent for applications. Should be used in conjunction with the \"Require admin consent for applications\" standards", "executiveText": "Establishes a formal approval process where employees can request access to business applications that require administrative review. This balances security with productivity by allowing controlled access to necessary tools while preventing unauthorized application installations.", "addedComponent": [ - { "type": "AdminRolesMultiSelect", "label": "App Consent Reviewer Roles", "name": "standards.EnableAppConsentRequests.ReviewerRoles" } + { + "type": "AdminRolesMultiSelect", + "label": "App Consent Reviewer Roles", + "name": "standards.EnableAppConsentRequests.ReviewerRoles" + } ], "label": "Enable App consent admin requests", "impact": "Low Impact", 
@@ -697,12 +916,26 @@ "addedDate": "2022-07-17", "powershellEquivalent": "Update-MgBetaDirectorySetting", "recommendedBy": [], - "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"] + "requiredCapabilities": [ + "SHAREPOINTWAC", + "SHAREPOINTSTANDARD", + "SHAREPOINTENTERPRISE", + "SHAREPOINTENTERPRISE_EDU", + "ONEDRIVE_BASIC", + "ONEDRIVE_ENTERPRISE" + ] }, { "name": "standards.DisableAppCreation", "cat": "Entra (AAD) Standards", - "tag": ["CIS M365 5.0 (1.2.2)", "CISA (MS.AAD.4.1v1)", "EIDSCA.AP10", "Essential 8 (1175)", "NIST CSF 2.0 (PR.AA-05)", "EIDSCAAP10"], + "tag": [ + "CIS M365 5.0 (1.2.2)", + "CISA (MS.AAD.4.1v1)", + "EIDSCA.AP10", + "Essential 8 (1175)", + "NIST CSF 2.0 (PR.AA-05)", + "EIDSCAAP10" + ], "helpText": "Disables the ability for users to create App registrations in the tenant.", "docsDescription": "Disables the ability for users to create applications in Entra. Done to prevent breached accounts from creating an app to maintain access to the tenant, even after the breached account has been secured.", "executiveText": "Prevents regular employees from creating application registrations that could be used to maintain unauthorized access to company systems. This security measure ensures that only authorized IT personnel can create applications, reducing the risk of persistent security breaches through malicious applications.", 
@@ -776,8 +1009,17 @@ "helpText": "**Requires 'Billing Administrator' GDAP role.** This standard disables all self service licenses and enables all exclusions", "executiveText": "Prevents employees from purchasing Microsoft 365 licenses independently, ensuring all software acquisitions go through proper procurement channels. This maintains budget control, prevents unauthorized spending, and ensures compliance with corporate licensing agreements.", "addedComponent": [ - { "type": "textField", "name": "standards.DisableSelfServiceLicenses.Exclusions", "label": "License Ids to exclude from this standard", "required": false }, - { "type": "switch", "name": "standards.DisableSelfServiceLicenses.DisableTrials", "label": "Disable starting trials on behalf of your organization" } + { + "type": "textField", + "name": "standards.DisableSelfServiceLicenses.Exclusions", + "label": "License Ids to exclude from this standard", + "required": false + }, + { + "type": "switch", + "name": "standards.DisableSelfServiceLicenses.DisableTrials", + "label": "Disable starting trials on behalf of your organization" + } ], "label": "Disable Self Service Licensing", "impact": "Medium Impact", 
@@ -793,7 +1035,13 @@ "helpText": "Blocks login for guest users that have not logged in for a number of days", "executiveText": "Automatically disables external guest accounts that haven't been used for a number of days, reducing security risks from dormant accounts while maintaining access for active external collaborators. This helps maintain a clean user directory and reduces potential attack vectors.", "addedComponent": [ - { "type": "number", "name": "standards.DisableGuests.days", "required": true, "defaultValue": 90, "label": "Days of inactivity" } + { + "type": "number", + "name": "standards.DisableGuests.days", + "required": true, + "defaultValue": 90, + "label": "Days of inactivity" + } ], "label": "Disable Guest accounts that have not logged on for a number of days", "impact": "Medium Impact", 
@@ -806,12 +1054,32 @@ { "name": "standards.OauthConsent", "cat": "Entra (AAD) Standards", - "tag": ["CIS M365 5.0 (1.5.1)", "CISA (MS.AAD.4.2v1)", "EIDSCA.AP08", "EIDSCA.AP09", "Essential 8 (1175)", "NIST CSF 2.0 (PR.AA-05)", "ZTNA21772", "ZTNA21774", "ZTNA21807", "EIDSCAAP08", "EIDSCAAP09", "EIDSCACP01", "EIDSCACP03", "EIDSCACP04"], + "tag": [ + "CIS M365 5.0 (1.5.1)", + "CISA (MS.AAD.4.2v1)", + "EIDSCA.AP08", + "EIDSCA.AP09", + "Essential 8 (1175)", + "NIST CSF 2.0 (PR.AA-05)", + "ZTNA21772", + "ZTNA21774", + "ZTNA21807", + "EIDSCAAP08", + "EIDSCAAP09", + "EIDSCACP01", + "EIDSCACP03", + "EIDSCACP04" + ], "helpText": "Disables users from being able to consent to applications, except for those specified in the field below", "docsDescription": "Requires users to get administrator consent before sharing data with applications. You can preapprove specific applications.", "executiveText": "Requires administrative approval before employees can grant applications access to company data, preventing unauthorized data sharing and potential security breaches. This protects against malicious applications while allowing approved business tools to function normally.", "addedComponent": [ - { "type": "textField", "name": "standards.OauthConsent.AllowedApps", "label": "Allowed application IDs, comma separated", "required": false } + { + "type": "textField", + "name": "standards.OauthConsent.AllowedApps", + "label": "Allowed application IDs, comma separated", + "required": false + } ], "label": "Require admin consent for applications (Prevent OAuth phishing)", "impact": "Medium Impact", 
@@ -850,7 +1118,10 @@ "name": "standards.GuestInvite.allowInvitesFrom", "options": [ { "label": "Everyone", "value": "everyone" }, - { "label": "Admins, Guest inviters and All Members", "value": "adminsGuestInvitersAndAllMembers" }, + { + "label": "Admins, Guest inviters and All Members", + "value": "adminsGuestInvitersAndAllMembers" + }, { "label": "Admins and Guest inviters", "value": "adminsAndGuestInviters" }, { "label": "None", "value": "none" } ] @@ -995,7 +1266,20 @@ { "name": "standards.PerUserMFA", "cat": "Entra (AAD) Standards", - "tag": ["CIS M365 5.0 (1.2.1)", "CIS M365 5.0 (1.1.1)", "CIS M365 5.0 (1.1.2)", "CISA (MS.AAD.1.1v1)", "CISA (MS.AAD.1.2v1)", "Essential 8 (1504)", "Essential 8 (1173)", "Essential 8 (1401)", "NIST CSF 2.0 (PR.AA-03)", "ZTNA21780", "ZTNA21782", "ZTNA21796"], + "tag": [ + "CIS M365 5.0 (1.2.1)", + "CIS M365 5.0 (1.1.1)", + "CIS M365 5.0 (1.1.2)", + "CISA (MS.AAD.1.1v1)", + "CISA (MS.AAD.1.2v1)", + "Essential 8 (1504)", + "Essential 8 (1173)", + "Essential 8 (1401)", + "NIST CSF 2.0 (PR.AA-03)", + "ZTNA21780", + "ZTNA21782", + "ZTNA21796" + ], "helpText": "Enables per user MFA for all users.", "executiveText": "Requires all employees to use multi-factor authentication for enhanced account security, significantly reducing the risk of unauthorized access from compromised passwords. This fundamental security measure protects against the majority of account-based attacks and is essential for maintaining strong cybersecurity posture.", "addedComponent": [], 
@@ -1061,8 +1345,18 @@ { "label": "Disabled", "value": "disabled" } ] }, - { "type": "number", "required": false, "name": "standards.AppManagementPolicy.passwordCredentialsMaxLifetime", "label": "Password Credentials Max Lifetime (Days)" }, - { "type": "number", "required": false, "name": "standards.AppManagementPolicy.keyCredentialsMaxLifetime", "label": "Key Credentials Max Lifetime (Days)" } + { + "type": "number", + "required": false, + "name": "standards.AppManagementPolicy.passwordCredentialsMaxLifetime", + "label": "Password Credentials Max Lifetime (Days)" + }, + { + "type": "number", + "required": false, + "name": "standards.AppManagementPolicy.keyCredentialsMaxLifetime", + "label": "Key Credentials Max Lifetime (Days)" + } ], "label": "Set Default App Management Policy", "impact": "Medium Impact", @@ -1078,7 +1372,11 @@ "helpText": "Set the Outbound Spam Alert e-mail address", "docsDescription": "Sets the e-mail address to which outbound spam alerts are sent.", "addedComponent": [ - { "type": "textField", "name": "standards.OutBoundSpamAlert.OutboundSpamContact", "label": "Outbound spam contact" } + { + "type": "textField", + "name": "standards.OutBoundSpamAlert.OutboundSpamContact", + "label": "Outbound spam contact" + } ], "label": "Set Outbound Spam Alert e-mail", "impact": "Low Impact", @@ -1086,7 +1384,13 @@ "addedDate": "2023-05-03", "powershellEquivalent": "Set-HostedOutboundSpamFilterPolicy", "recommendedBy": ["CIS"], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.MessageExpiration", 
@@ -1101,7 +1405,13 @@ "addedDate": "2024-02-23", "powershellEquivalent": "Set-TransportConfig -MessageExpirationTimeout 12.00:00:00", "recommendedBy": [], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.GlobalQuarantineNotifications", @@ -1128,7 +1438,13 @@ "addedDate": "2024-05-03", "powershellEquivalent": "Set-QuarantinePolicy -EndUserSpamNotificationFrequency", "recommendedBy": [], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.DisableTNEF", @@ -1144,7 +1460,13 @@ "addedDate": "2024-04-26", "powershellEquivalent": "Set-RemoteDomain -Identity 'Default' -TNEFEnabled $false", "recommendedBy": ["CIPP"], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.FocusedInbox", 
@@ -1171,7 +1493,13 @@ "addedDate": "2024-04-26", "powershellEquivalent": "Set-OrganizationConfig -FocusedInboxOn $true or $false", "recommendedBy": [], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.CloudMessageRecall", @@ -1198,7 +1526,13 @@ "addedDate": "2024-05-31", "powershellEquivalent": "Set-OrganizationConfig -MessageRecallEnabled", "recommendedBy": [], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.AutoExpandArchive", @@ -1214,7 +1548,13 @@ "addedDate": "2021-11-16", "powershellEquivalent": "Set-OrganizationConfig -AutoExpandingArchive", "recommendedBy": [], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.TwoClickEmailProtection", 
@@ -1242,7 +1582,13 @@ "addedDate": "2025-06-13", "powershellEquivalent": "Set-OrganizationConfig -TwoClickMailPreviewEnabled $true | $false", "recommendedBy": [], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.EnableOnlineArchiving", @@ -1257,7 +1603,13 @@ "addedDate": "2024-01-20", "powershellEquivalent": "Enable-Mailbox -Archive $true", "recommendedBy": [], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.EnableLitigationHold", 
@@ -1266,7 +1618,13 @@ "helpText": "Enables litigation hold for all UserMailboxes with a valid license.", "executiveText": "Preserves all email content for legal and compliance purposes by preventing permanent deletion of emails, even when users attempt to delete them. This is essential for organizations subject to legal discovery requirements or regulatory compliance mandates.", "addedComponent": [ - { "type": "textField", "name": "standards.EnableLitigationHold.days", "required": false, "label": "Days to apply for litigation hold", "helperText": "Number of days to apply litigation hold for. If left blank or set to Unlimited, litigation hold will be applied indefinitely." } + { + "type": "textField", + "name": "standards.EnableLitigationHold.days", + "required": false, + "label": "Days to apply for litigation hold", + "helperText": "Number of days to apply litigation hold for. If left blank or set to Unlimited, litigation hold will be applied indefinitely." + } ], "label": "Enable Litigation Hold for all users", "impact": "Low Impact", @@ -1274,7 +1632,13 @@ "addedDate": "2024-06-25", "powershellEquivalent": "Set-Mailbox -LitigationHoldEnabled $true", "recommendedBy": [], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.SpoofWarn", 
@@ -1294,7 +1658,14 @@
 { "label": "Disabled", "value": "disabled" }
 ]
 },
- { "type": "autoComplete", "multiple": true, "creatable": true, "required": false, "label": "Enter allowed senders(domain.com, *.domain.com or test@domain.com)", "name": "standards.SpoofWarn.AllowListAdd" }
+ {
+ "type": "autoComplete",
+ "multiple": true,
+ "creatable": true,
+ "required": false,
+ "label": "Enter allowed senders(domain.com, *.domain.com or test@domain.com)",
+ "name": "standards.SpoofWarn.AllowListAdd"
+ }
 ],
 "label": "Enable or disable 'external' warning in Outlook",
 "impact": "Low Impact",
@@ -1302,7 +1673,13 @@
 "addedDate": "2021-11-16",
 "powershellEquivalent": "Set-ExternalInOutlook –Enabled $true or $false",
 "recommendedBy": ["CIS", "CIPP"],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.EnableMailTips",
@@ -1311,7 +1688,13 @@
 "helpText": "Enables all MailTips in Outlook. MailTips are the notifications Outlook and Outlook on the web shows when an email you create, meets some requirements",
 "executiveText": "Enables helpful notifications in Outlook that warn users about potential email issues, such as sending to large groups, external recipients, or invalid addresses. This reduces email mistakes and improves communication efficiency by providing real-time guidance to employees.",
 "addedComponent": [
- { "type": "number", "name": "standards.EnableMailTips.MailTipsLargeAudienceThreshold", "label": "Number of recipients to trigger the large audience MailTip (Default is 25)", "placeholder": "Enter a profile name", "defaultValue": 25 }
+ {
+ "type": "number",
+ "name": "standards.EnableMailTips.MailTipsLargeAudienceThreshold",
+ "label": "Number of recipients to trigger the large audience MailTip (Default is 25)",
+ "placeholder": "Enter a profile name",
+ "defaultValue": 25
+ }
 ],
 "label": "Enable all MailTips",
 "impact": "Low Impact",
@@ -1319,7 +1702,13 @@
 "addedDate": "2024-01-14",
 "powershellEquivalent": "Set-OrganizationConfig",
 "recommendedBy": ["CIS", "CIPP"],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.TeamsMeetingsByDefault",
@@ -1346,7 +1735,13 @@
 "addedDate": "2024-05-31",
 "powershellEquivalent": "Set-OrganizationConfig -OnlineMeetingsByDefaultEnabled",
 "recommendedBy": [],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.DisableViva",
@@ -1376,7 +1771,13 @@
 "addedDate": "2023-03-14",
 "powershellEquivalent": "Rotate-DkimSigningConfig",
 "recommendedBy": ["CIS", "CIPP"],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.EnableExchangeCloudManagement",
@@ -1403,7 +1804,12 @@
 "addedDate": "2026-03-28",
 "powershellEquivalent": "Set-Mailbox -Identity user@domain.com -IsExchangeCloudManaged $true or $false",
 "recommendedBy": ["Microsoft", "CIPP"],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV"
+ ]
 },
 {
 "name": "standards.AddDKIM",
@@ -1418,7 +1824,13 @@
 "addedDate": "2023-03-14",
 "powershellEquivalent": "New-DkimSigningConfig and Set-DkimSigningConfig",
 "recommendedBy": ["CIS", "CIPP"],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.AddDMARCToMOERA",
@@ -1452,7 +1864,16 @@
 {
 "name": "standards.EnableMailboxAuditing",
 "cat": "Exchange Standards",
- "tag": ["CIS M365 5.0 (6.1.1)", "CIS M365 5.0 (6.1.2)", "CIS M365 5.0 (6.1.3)", "exo_mailboxaudit", "Essential 8 (1509)", "Essential 8 (1683)", "NIST CSF 2.0 (DE.CM-09)", "CISAMSEXO131"],
+ "tag": [
+ "CIS M365 5.0 (6.1.1)",
+ "CIS M365 5.0 (6.1.2)",
+ "CIS M365 5.0 (6.1.3)",
+ "exo_mailboxaudit",
+ "Essential 8 (1509)",
+ "Essential 8 (1683)",
+ "NIST CSF 2.0 (DE.CM-09)",
+ "CISAMSEXO131"
+ ],
 "helpText": "Enables Mailbox auditing for all mailboxes and on tenant level. Disables audit bypass on all mailboxes. Unified Audit Log needs to be enabled for this standard to function.",
 "docsDescription": "Enables mailbox auditing on tenant level and for all mailboxes. Disables audit bypass on all mailboxes. By default Microsoft does not enable mailbox auditing for Resource Mailboxes, Public Folder Mailboxes and DiscoverySearch Mailboxes. Unified Audit Log needs to be enabled for this standard to function.",
 "executiveText": "Enables comprehensive logging of all email access and modifications across all employee mailboxes, providing detailed audit trails for security investigations and compliance requirements. This helps detect unauthorized access, data breaches, and supports regulatory compliance efforts.",
@@ -1463,7 +1884,13 @@
 "addedDate": "2024-01-08",
 "powershellEquivalent": "Set-OrganizationConfig -AuditDisabled $false",
 "recommendedBy": ["CIS", "CIPP"],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.AutoArchive",
@@ -1490,7 +1917,13 @@
 "addedDate": "2025-12-11",
 "powershellEquivalent": "Set-OrganizationConfig -AutoArchivingThresholdPercentage 80-100",
 "recommendedBy": [],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.AutoArchiveMailbox",
@@ -1518,7 +1951,13 @@
 "addedDate": "2026-01-16",
 "powershellEquivalent": "Set-OrganizationConfig -AutoEnableArchiveMailbox $true|$false",
 "recommendedBy": [],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.SendReceiveLimitTenant",
@@ -1554,7 +1993,13 @@
 "addedDate": "2023-11-16",
 "powershellEquivalent": "Set-MailboxPlan",
 "recommendedBy": [],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.calDefault",
@@ -1571,16 +2016,43 @@
 "label": "Select Sharing Level",
 "name": "standards.calDefault.permissionLevel",
 "options": [
- { "label": "Owner - The user can create, read, edit, and delete all items in the folder, and create subfolders. The user is both folder owner and folder contact.", "value": "Owner" },
- { "label": "Publishing Editor - The user can create, read, edit, and delete all items in the folder, and create subfolders.", "value": "PublishingEditor" },
- { "label": "Editor - The user can create items in the folder. The contents of the folder do not appear.", "value": "Editor" },
- { "label": "Publishing Author. The user can read, create all items/subfolders. Can modify and delete only items they create.", "value": "PublishingAuthor" },
- { "label": "Author - The user can create and read items, and modify and delete items that they create.", "value": "Author" },
- { "label": "Non Editing Author - The user has full read access and create items. Can can delete only own items.", "value": "NonEditingAuthor" },
+ {
+ "label": "Owner - The user can create, read, edit, and delete all items in the folder, and create subfolders. The user is both folder owner and folder contact.",
+ "value": "Owner"
+ },
+ {
+ "label": "Publishing Editor - The user can create, read, edit, and delete all items in the folder, and create subfolders.",
+ "value": "PublishingEditor"
+ },
+ {
+ "label": "Editor - The user can create items in the folder. The contents of the folder do not appear.",
+ "value": "Editor"
+ },
+ {
+ "label": "Publishing Author. The user can read, create all items/subfolders. Can modify and delete only items they create.",
+ "value": "PublishingAuthor"
+ },
+ {
+ "label": "Author - The user can create and read items, and modify and delete items that they create.",
+ "value": "Author"
+ },
+ {
+ "label": "Non Editing Author - The user has full read access and create items. Can can delete only own items.",
+ "value": "NonEditingAuthor"
+ },
 { "label": "Reviewer - The user can read all items in the folder.", "value": "Reviewer" },
- { "label": "Contributor - The user can create items and folders.", "value": "Contributor" },
- { "label": "Availability Only - Indicates that the user can view only free/busy time within the calendar.", "value": "AvailabilityOnly" },
- { "label": "Limited Details - The user can view free/busy time within the calendar and the subject and location of appointments.", "value": "LimitedDetails" },
+ {
+ "label": "Contributor - The user can create items and folders.",
+ "value": "Contributor"
+ },
+ {
+ "label": "Availability Only - Indicates that the user can view only free/busy time within the calendar.",
+ "value": "AvailabilityOnly"
+ },
+ {
+ "label": "Limited Details - The user can view free/busy time within the calendar and the subject and location of appointments.",
+ "value": "LimitedDetails"
+ },
 { "label": "None - The user has no permissions on the folder.", "value": "none" }
 ]
 }
@@ -1591,7 +2063,13 @@
 "addedDate": "2023-04-27",
 "powershellEquivalent": "Set-MailboxFolderPermission",
 "recommendedBy": [],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.EXOOutboundSpamLimits",
@@ -1640,7 +2118,10 @@
 "options": [
 { "label": "Alert", "value": "Alert" },
 { "label": "Block User", "value": "BlockUser" },
- { "label": "Block user from sending mail for the rest of the day", "value": "BlockUserForToday" }
+ {
+ "label": "Block user from sending mail for the rest of the day",
+ "value": "BlockUserForToday"
+ }
 ]
 }
 ],
@@ -1650,7 +2131,13 @@
 "addedDate": "2025-05-13",
 "powershellEquivalent": "Set-HostedOutboundSpamFilterPolicy",
 "recommendedBy": ["CIPP", "CIS"],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.DisableExternalCalendarSharing",
@@ -1666,7 +2153,13 @@
 "addedDate": "2024-01-08",
 "powershellEquivalent": "Get-SharingPolicy | Set-SharingPolicy -Enabled $False",
 "recommendedBy": ["CIS"],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.AutoAddProxy",
@@ -1698,7 +2191,13 @@
 "addedDate": "2024-01-17",
 "powershellEquivalent": "Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -AdditionalStorageProvidersEnabled $False",
 "recommendedBy": ["CIS"],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.AntiSpamSafeList",
@@ -1708,7 +2207,11 @@
 "docsDescription": "Sets [Microsoft's built-in 'safe list'](https://learn.microsoft.com/en-us/powershell/module/exchange/set-hostedconnectionfilterpolicy?view=exchange-ps#-enablesafelist) in the anti-spam connection filter policy, rather than setting a custom safe/block list of IPs.",
 "executiveText": "Enables Microsoft's pre-approved list of trusted email servers to improve email delivery from legitimate sources while maintaining spam protection. This reduces false positives where legitimate emails might be blocked while still protecting against spam and malicious emails.",
 "addedComponent": [
- { "type": "switch", "name": "standards.AntiSpamSafeList.EnableSafeList", "label": "Enable Safe List" }
+ {
+ "type": "switch",
+ "name": "standards.AntiSpamSafeList.EnableSafeList",
+ "label": "Enable Safe List"
+ }
 ],
 "label": "Set Anti-Spam Connection Filter Safe List",
 "impact": "Medium Impact",
@@ -1716,7 +2219,13 @@
 "addedDate": "2025-02-15",
 "powershellEquivalent": "Set-HostedConnectionFilterPolicy \"Default\" -EnableSafeList $true",
 "recommendedBy": [],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.ShortenMeetings",
@@ -1763,7 +2272,13 @@
 "addedDate": "2024-05-27",
 "powershellEquivalent": "Set-OrganizationConfig -ShortenEventScopeDefault -DefaultMinutesToReduceShortEventsBy -DefaultMinutesToReduceLongEventsBy",
 "recommendedBy": [],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.Bookings",
@@ -1790,7 +2305,13 @@
 "addedDate": "2024-05-31",
 "powershellEquivalent": "Set-OrganizationConfig -BookingsEnabled",
 "recommendedBy": [],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.EXODirectSend",
@@ -1822,7 +2343,13 @@
 {
 "name": "standards.DisableOutlookAddins",
 "cat": "Exchange Standards",
- "tag": ["CIS M365 5.0 (6.3.1)", "exo_outlookaddins", "NIST CSF 2.0 (PR.AA-05)", "NIST CSF 2.0 (PR.PS-05)", "ZTNA21817"],
+ "tag": [
+ "CIS M365 5.0 (6.3.1)",
+ "exo_outlookaddins",
+ "NIST CSF 2.0 (PR.AA-05)",
+ "NIST CSF 2.0 (PR.PS-05)",
+ "ZTNA21817"
+ ],
 "helpText": "Disables the ability for users to install add-ins in Outlook. This is to prevent users from installing malicious add-ins.",
 "docsDescription": "Disables users from being able to install add-ins in Outlook. Only admins are able to approve add-ins for the users. This is done to reduce the threat surface for data exfiltration.",
 "executiveText": "Prevents employees from installing third-party add-ins in Outlook without administrative approval, reducing security risks from potentially malicious extensions. This ensures only vetted and approved tools can access company email data while maintaining centralized control over email functionality.",
@@ -1833,7 +2360,13 @@
 "addedDate": "2024-02-05",
 "powershellEquivalent": "Get-ManagementRoleAssignment | Remove-ManagementRoleAssignment",
 "recommendedBy": ["CIS"],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.SafeSendersDisable",
@@ -1849,7 +2382,13 @@
 "addedDate": "2023-10-26",
 "powershellEquivalent": "Set-MailboxJunkEmailConfiguration",
 "recommendedBy": ["CIPP"],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.DelegateSentItems",
@@ -1859,7 +2398,11 @@
 "docsDescription": "This makes sure that e-mails sent from shared mailboxes or delegate mailboxes, end up in the mailbox of the shared/delegate mailbox instead of the sender, allowing you to keep replies in the same mailbox as the original e-mail.",
 "executiveText": "Ensures emails sent from shared mailboxes (like info@company.com) are stored in the shared mailbox rather than the individual sender's mailbox. This maintains complete email threads in one location, improving collaboration and ensuring all team members can see the full conversation history.",
 "addedComponent": [
- { "type": "switch", "label": "Include user mailboxes", "name": "standards.DelegateSentItems.IncludeUserMailboxes" }
+ {
+ "type": "switch",
+ "label": "Include user mailboxes",
+ "name": "standards.DelegateSentItems.IncludeUserMailboxes"
+ }
 ],
 "label": "Set mailbox Sent Items delegation (Sent items for shared mailboxes)",
 "impact": "Medium Impact",
@@ -1867,7 +2410,13 @@
 "addedDate": "2021-11-16",
 "powershellEquivalent": "Set-Mailbox",
 "recommendedBy": [],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.SendFromAlias",
@@ -1895,7 +2444,13 @@
 "addedDate": "2022-05-25",
 "powershellEquivalent": "Set-Mailbox",
 "recommendedBy": ["CIPP"],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.UserSubmissions",
@@ -1915,7 +2470,12 @@
 { "label": "Disabled", "value": "disable" }
 ]
 },
- { "type": "textField", "name": "standards.UserSubmissions.email", "required": false, "label": "Destination email address" }
+ {
+ "type": "textField",
+ "name": "standards.UserSubmissions.email",
+ "required": false,
+ "label": "Destination email address"
+ }
 ],
 "label": "Set the state of the built-in Report button in Outlook",
 "impact": "Medium Impact",
@@ -1923,7 +2483,13 @@
 "addedDate": "2024-06-28",
 "powershellEquivalent": "New-ReportSubmissionPolicy or Set-ReportSubmissionPolicy and New-ReportSubmissionRule or Set-ReportSubmissionRule",
 "recommendedBy": [],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.DisableSharedMailbox",
@@ -1954,12 +2520,24 @@
 "addedDate": "2025-06-01",
 "powershellEquivalent": "Get-Mailbox & Update-MgUser",
 "recommendedBy": ["Microsoft", "CIPP"],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.EXODisableAutoForwarding",
 "cat": "Exchange Standards",
- "tag": ["CIS M365 5.0 (6.2.1)", "mdo_autoforwardingmode", "mdo_blockmailforward", "CISA (MS.EXO.4.1v1)", "NIST CSF 2.0 (PR.DS-02)"],
+ "tag": [
+ "CIS M365 5.0 (6.2.1)",
+ "mdo_autoforwardingmode",
+ "mdo_blockmailforward",
+ "CISA (MS.EXO.4.1v1)",
+ "NIST CSF 2.0 (PR.DS-02)"
+ ],
 "helpText": "Disables the ability for users to automatically forward e-mails to external recipients.",
 "docsDescription": "Disables the ability for users to automatically forward e-mails to external recipients. This is to prevent data exfiltration. Please check if there are any legitimate use cases for this feature before implementing, like forwarding invoices and such.",
 "executiveText": "Prevents employees from automatically forwarding company emails to external addresses, protecting against data leaks and unauthorized information sharing. This security measure helps maintain control over sensitive business communications while preventing both accidental and intentional data exfiltration.",
@@ -1970,7 +2548,13 @@
 "addedDate": "2024-07-26",
 "powershellEquivalent": "Set-HostedOutboundSpamFilterPolicy -AutoForwardingMode 'Off'",
 "recommendedBy": ["CIS", "CIPP"],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.RetentionPolicyTag",
@@ -1980,7 +2564,12 @@
 "docsDescription": "Creates a CIPP - Deleted Items retention policy tag that permanently deletes items in the Deleted Items folder after X days.",
 "executiveText": "Automatically and permanently removes deleted emails after a specified number of days, helping manage storage costs and ensuring compliance with data retention policies. This prevents accumulation of unnecessary deleted items while maintaining a reasonable recovery window for accidentally deleted emails.",
 "addedComponent": [
- { "type": "number", "name": "standards.RetentionPolicyTag.AgeLimitForRetention", "label": "Retention Days", "required": true }
+ {
+ "type": "number",
+ "name": "standards.RetentionPolicyTag.AgeLimitForRetention",
+ "label": "Retention Days",
+ "required": true
+ }
 ],
 "label": "Retention Policy, permanently delete items in Deleted Items after X days",
 "impact": "High Impact",
@@ -1988,7 +2577,13 @@
 "addedDate": "2025-02-02",
 "powershellEquivalent": "Set-RetentionPolicyTag",
 "recommendedBy": [],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.QuarantineRequestAlert",
@@ -1998,7 +2593,11 @@
 "docsDescription": "Sets a e-mail address to alert when a User requests to release a quarantined message. This is useful for monitoring and ensuring that the correct messages are released.",
 "executiveText": "Notifies IT administrators when employees request to release emails that were quarantined for security reasons, enabling oversight of potentially dangerous messages. This helps ensure that legitimate emails are released while maintaining security controls over suspicious content.",
 "addedComponent": [
- { "type": "textField", "name": "standards.QuarantineRequestAlert.NotifyUser", "label": "E-mail to receive the alert" }
+ {
+ "type": "textField",
+ "name": "standards.QuarantineRequestAlert.NotifyUser",
+ "label": "E-mail to receive the alert"
+ }
 ],
 "label": "Quarantine Release Request Alert",
 "impact": "Low Impact",
@@ -2006,7 +2605,13 @@
 "addedDate": "2024-07-15",
 "powershellEquivalent": "New-ProtectionAlert and Set-ProtectionAlert",
 "recommendedBy": [],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.SharePointMassDeletionAlert",
@@ -2016,9 +2621,26 @@
 "docsDescription": "Sets a e-mail address to alert when a User deletes more than 20 SharePoint files within 60 minutes. This is useful for monitoring and ensuring that the correct SharePoint files are deleted. NB: Requires a Office 365 E5 subscription, Office 365 E3 with Threat Intelligence or Office 365 EquivioAnalytics add-on.",
 "executiveText": "Alerts administrators when employees delete large numbers of SharePoint files in a short time period, helping detect potential data destruction attacks, ransomware, or accidental mass deletions. This early warning system enables rapid response to protect critical business documents and data.",
 "addedComponent": [
- { "type": "number", "name": "standards.SharePointMassDeletionAlert.Threshold", "label": "Max files to delete within the time frame", "defaultValue": 20 },
- { "type": "number", "name": "standards.SharePointMassDeletionAlert.TimeWindow", "label": "Time frame in minutes", "defaultValue": 60 },
- { "type": "autoComplete", "multiple": true, "creatable": true, "required": true, "name": "standards.SharePointMassDeletionAlert.NotifyUser", "label": "E-mail to receive the alert" }
+ {
+ "type": "number",
+ "name": "standards.SharePointMassDeletionAlert.Threshold",
+ "label": "Max files to delete within the time frame",
+ "defaultValue": 20
+ },
+ {
+ "type": "number",
+ "name": "standards.SharePointMassDeletionAlert.TimeWindow",
+ "label": "Time frame in minutes",
+ "defaultValue": 60
+ },
+ {
+ "type": "autoComplete",
+ "multiple": true,
+ "creatable": true,
+ "required": true,
+ "name": "standards.SharePointMassDeletionAlert.NotifyUser",
+ "label": "E-mail to receive the alert"
+ }
 ],
 "label": "SharePoint Mass Deletion Alert",
 "impact": "Low Impact",
@@ -2045,22 +2667,80 @@
 "creatable": false,
 "name": "standards.SafeLinksTemplatePolicy.TemplateIds",
 "label": "Select SafeLinks Policy Templates",
- "api": { "url": "/api/ListSafeLinksPolicyTemplates", "labelField": "TemplateName", "valueField": "GUID", "queryKey": "ListSafeLinksPolicyTemplates" }
+ "api": {
+ "url": "/api/ListSafeLinksPolicyTemplates",
+ "labelField": "TemplateName",
+ "valueField": "GUID",
+ "queryKey": "ListSafeLinksPolicyTemplates"
+ }
 }
 ],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.SafeLinksPolicy",
 "cat": "Defender Standards",
- "tag": ["CIS M365 5.0 (2.1.1)", "mdo_safelinksforemail", "mdo_safelinksforOfficeApps", "NIST CSF 2.0 (DE.CM-09)", "ORCA105", "ORCA106", "ORCA107", "ORCA112", "ORCA113", "ORCA114", "ORCA116", "ORCA119", "ORCA156", "ORCA179", "ORCA226", "ORCA236", "ORCA237", "ORCA238", "CISAMSEXO151", "CISAMSEXO152", "CISAMSEXO153"],
+ "tag": [
+ "CIS M365 5.0 (2.1.1)",
+ "mdo_safelinksforemail",
+ "mdo_safelinksforOfficeApps",
+ "NIST CSF 2.0 (DE.CM-09)",
+ "ORCA105",
+ "ORCA106",
+ "ORCA107",
+ "ORCA112",
+ "ORCA113",
+ "ORCA114",
+ "ORCA116",
+ "ORCA119",
+ "ORCA156",
+ "ORCA179",
+ "ORCA226",
+ "ORCA236",
+ "ORCA237",
+ "ORCA238",
+ "CISAMSEXO151",
+ "CISAMSEXO152",
+ "CISAMSEXO153"
+ ],
 "helpText": "This creates a Safe Links policy that automatically scans, tracks, and and enables safe links for Email, Office, and Teams for both external and internal senders",
 "addedComponent": [
- { "type": "textField", "name": "standards.SafeLinksPolicy.name", "label": "Policy Name", "required": true, "defaultValue": "CIPP Default SafeLinks Policy" },
- { "type": "switch", "label": "AllowClickThrough", "name": "standards.SafeLinksPolicy.AllowClickThrough" },
- { "type": "switch", "label": "DisableUrlRewrite", "name": "standards.SafeLinksPolicy.DisableUrlRewrite" },
- { "type": "switch", "label": "EnableOrganizationBranding", "name": "standards.SafeLinksPolicy.EnableOrganizationBranding" },
- { "type": "autoComplete", "multiple": true, "creatable": true, "required": false, "name": "standards.SafeLinksPolicy.DoNotRewriteUrls", "label": "Do not rewrite the following URLs in email" }
+ {
+ "type": "textField",
+ "name": "standards.SafeLinksPolicy.name",
+ "label": "Policy Name",
+ "required": true,
+ "defaultValue": "CIPP Default SafeLinks Policy"
+ },
+ {
+ "type": "switch",
+ "label": "AllowClickThrough",
+ "name": "standards.SafeLinksPolicy.AllowClickThrough"
+ },
+ {
+ "type": "switch",
+ "label": "DisableUrlRewrite",
+ "name": "standards.SafeLinksPolicy.DisableUrlRewrite"
+ },
+ {
+ "type": "switch",
+ "label": "EnableOrganizationBranding",
+ "name": "standards.SafeLinksPolicy.EnableOrganizationBranding"
+ },
+ {
+ "type": "autoComplete",
+ "multiple": true,
+ "creatable": true,
+ "required": false,
+ "name": "standards.SafeLinksPolicy.DoNotRewriteUrls",
+ "label": "Do not rewrite the following URLs in email"
+ }
 ],
 "label": "Default Safe Links Policy",
 "impact": "Low Impact",
@@ -2068,15 +2748,60 @@ "addedDate": "2024-03-25", "powershellEquivalent": "Set-SafeLinksPolicy or New-SafeLinksPolicy", "recommendedBy": ["CIS"], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.AntiPhishPolicy", "cat": "Defender Standards", - "tag": ["mdo_safeattachments", "mdo_highconfidencespamaction", "mdo_highconfidencephishaction", "mdo_phisspamacation", "mdo_spam_notifications_only_for_admins", "mdo_antiphishingpolicies", "mdo_phishthresholdlevel", "CIS M365 5.0 (2.1.7)", "NIST CSF 2.0 (DE.CM-09)", "ORCA104", "ORCA115", "ORCA180", "ORCA220", "ORCA221", "ORCA222", "ORCA223", "ORCA228", "ORCA229", "ORCA230", "ORCA233", "ORCA234", "ORCA235", "ORCA239", "ORCA242", "ORCA243", "ORCA244", "ZTNA21784", "ZTNA21817", "ZTNA21819", "CISAMSEXO111", "CISAMSEXO112", "CISAMSEXO113"], + "tag": [ + "mdo_safeattachments", + "mdo_highconfidencespamaction", + "mdo_highconfidencephishaction", + "mdo_phisspamacation", + "mdo_spam_notifications_only_for_admins", + "mdo_antiphishingpolicies", + "mdo_phishthresholdlevel", + "CIS M365 5.0 (2.1.7)", + "NIST CSF 2.0 (DE.CM-09)", + "ORCA104", + "ORCA115", + "ORCA180", + "ORCA220", + "ORCA221", + "ORCA222", + "ORCA223", + "ORCA228", + "ORCA229", + "ORCA230", + "ORCA233", + "ORCA234", + "ORCA235", + "ORCA239", + "ORCA242", + "ORCA243", + "ORCA244", + "ZTNA21784", + "ZTNA21817", + "ZTNA21819", + "CISAMSEXO111", + "CISAMSEXO112", + "CISAMSEXO113" + ], "helpText": "This creates a Anti-Phishing policy that automatically enables Mailbox Intelligence and spoofing, optional switches for Mail tips.", "addedComponent": [ - { "type": "textField", "name": "standards.AntiPhishPolicy.name", "label": "Policy Name", "required": true, "defaultValue": "CIPP Default 
Anti-Phishing Policy" }, + { + "type": "textField", + "name": "standards.AntiPhishPolicy.name", + "label": "Policy Name", + "required": true, + "defaultValue": "CIPP Default Anti-Phishing Policy" + }, { "type": "number", "label": "Phishing email threshold. (Default 1)", @@ -2087,10 +2812,30 @@ "max": { "value": 4, "message": "Maximum value is 4" } } }, - { "type": "switch", "label": "Show first contact safety tip", "name": "standards.AntiPhishPolicy.EnableFirstContactSafetyTips", "defaultValue": true }, - { "type": "switch", "label": "Show user impersonation safety tip", "name": "standards.AntiPhishPolicy.EnableSimilarUsersSafetyTips", "defaultValue": true }, - { "type": "switch", "label": "Show domain impersonation safety tip", "name": "standards.AntiPhishPolicy.EnableSimilarDomainsSafetyTips", "defaultValue": true }, - { "type": "switch", "label": "Show user impersonation unusual characters safety tip", "name": "standards.AntiPhishPolicy.EnableUnusualCharactersSafetyTips", "defaultValue": true }, + { + "type": "switch", + "label": "Show first contact safety tip", + "name": "standards.AntiPhishPolicy.EnableFirstContactSafetyTips", + "defaultValue": true + }, + { + "type": "switch", + "label": "Show user impersonation safety tip", + "name": "standards.AntiPhishPolicy.EnableSimilarUsersSafetyTips", + "defaultValue": true + }, + { + "type": "switch", + "label": "Show domain impersonation safety tip", + "name": "standards.AntiPhishPolicy.EnableSimilarDomainsSafetyTips", + "defaultValue": true + }, + { + "type": "switch", + "label": "Show user impersonation unusual characters safety tip", + "name": "standards.AntiPhishPolicy.EnableUnusualCharactersSafetyTips", + "defaultValue": true + }, { "type": "select", "multiple": false, 
@@ -2110,7 +2855,10 @@ "options": [ { "label": "AdminOnlyAccessPolicy", "value": "AdminOnlyAccessPolicy" }, { "label": "DefaultFullAccessPolicy", "value": "DefaultFullAccessPolicy" }, - { "label": "DefaultFullAccessWithNotificationPolicy", "value": "DefaultFullAccessWithNotificationPolicy" } + { + "label": "DefaultFullAccessWithNotificationPolicy", + "value": "DefaultFullAccessWithNotificationPolicy" + } ] }, { @@ -2133,7 +2881,10 @@ "options": [ { "label": "AdminOnlyAccessPolicy", "value": "AdminOnlyAccessPolicy" }, { "label": "DefaultFullAccessPolicy", "value": "DefaultFullAccessPolicy" }, - { "label": "DefaultFullAccessWithNotificationPolicy", "value": "DefaultFullAccessWithNotificationPolicy" } + { + "label": "DefaultFullAccessWithNotificationPolicy", + "value": "DefaultFullAccessWithNotificationPolicy" + } ] }, { @@ -2154,7 +2905,10 @@ "label": "Quarantine policy for domain impersonation", "name": "standards.AntiPhishPolicy.TargetedDomainQuarantineTag", "options": [ - { "label": "DefaultFullAccessWithNotificationPolicy", "value": "DefaultFullAccessWithNotificationPolicy" }, + { + "label": "DefaultFullAccessWithNotificationPolicy", + "value": "DefaultFullAccessWithNotificationPolicy" + }, { "label": "AdminOnlyAccessPolicy", "value": "AdminOnlyAccessPolicy" }, { "label": "DefaultFullAccessPolicy", "value": "DefaultFullAccessPolicy" } ] @@ -2179,7 +2933,10 @@ "options": [ { "label": "AdminOnlyAccessPolicy", "value": "AdminOnlyAccessPolicy" }, { "label": "DefaultFullAccessPolicy", "value": "DefaultFullAccessPolicy" }, - { "label": "DefaultFullAccessWithNotificationPolicy", "value": "DefaultFullAccessWithNotificationPolicy" } + { + "label": "DefaultFullAccessWithNotificationPolicy", + "value": "DefaultFullAccessWithNotificationPolicy" + } ] } ], 
@@ -2189,15 +2946,35 @@ "addedDate": "2024-03-25", "powershellEquivalent": "Set-AntiPhishPolicy or New-AntiPhishPolicy", "recommendedBy": ["CIS"], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.SafeAttachmentPolicy", "cat": "Defender Standards", - "tag": ["CIS M365 5.0 (2.1.4)", "mdo_safedocuments", "mdo_commonattachmentsfilter", "mdo_safeattachmentpolicy", "NIST CSF 2.0 (DE.CM-09)", "ORCA158", "ORCA227"], + "tag": [ + "CIS M365 5.0 (2.1.4)", + "mdo_safedocuments", + "mdo_commonattachmentsfilter", + "mdo_safeattachmentpolicy", + "NIST CSF 2.0 (DE.CM-09)", + "ORCA158", + "ORCA227" + ], "helpText": "This creates a Safe Attachment policy", "addedComponent": [ - { "type": "textField", "name": "standards.SafeAttachmentPolicy.name", "label": "Policy Name", "required": true, "defaultValue": "CIPP Default Safe Attachment Policy" }, + { + "type": "textField", + "name": "standards.SafeAttachmentPolicy.name", + "label": "Policy Name", + "required": true, + "defaultValue": "CIPP Default Safe Attachment Policy" + }, { "type": "select", "multiple": false, @@ -2218,7 +2995,10 @@ "options": [ { "label": "AdminOnlyAccessPolicy", "value": "AdminOnlyAccessPolicy" }, { "label": "DefaultFullAccessPolicy", "value": "DefaultFullAccessPolicy" }, - { "label": "DefaultFullAccessWithNotificationPolicy", "value": "DefaultFullAccessWithNotificationPolicy" } + { + "label": "DefaultFullAccessWithNotificationPolicy", + "value": "DefaultFullAccessWithNotificationPolicy" + } ] }, { "type": "switch", "label": "Redirect", "name": "standards.SafeAttachmentPolicy.Redirect" }, 
@@ -2227,7 +3007,11 @@ "name": "standards.SafeAttachmentPolicy.RedirectAddress", "label": "Redirect Address", "required": false, - "condition": { "field": "standards.SafeAttachmentPolicy.Redirect", "compareType": "is", "compareValue": true } + "condition": { + "field": "standards.SafeAttachmentPolicy.Redirect", + "compareType": "is", + "compareValue": true + } } ], "label": "Default Safe Attachment Policy", @@ -2236,7 +3020,13 @@ "addedDate": "2024-03-25", "powershellEquivalent": "Set-SafeAttachmentPolicy or New-SafeAttachmentPolicy", "recommendedBy": ["CIS"], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.AtpPolicyForO365", @@ -2244,7 +3034,13 @@ "tag": ["CIS M365 5.0 (2.1.5)", "NIST CSF 2.0 (DE.CM-09)"], "helpText": "This creates a Atp policy that enables Defender for Office 365 for SharePoint, OneDrive and Microsoft Teams.", "addedComponent": [ - { "type": "switch", "label": "Allow people to click through Protected View even if Safe Documents identified the file as malicious", "name": "standards.AtpPolicyForO365.AllowSafeDocsOpen", "defaultValue": false, "required": false } + { + "type": "switch", + "label": "Allow people to click through Protected View even if Safe Documents identified the file as malicious", + "name": "standards.AtpPolicyForO365.AllowSafeDocsOpen", + "defaultValue": false, + "required": false + } ], "label": "Default Atp Policy For O365", "impact": "Low Impact", 
@@ -2252,7 +3048,14 @@ "addedDate": "2024-03-25", "powershellEquivalent": "Set-AtpPolicyForO365", "recommendedBy": ["CIS"], - "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"] + "requiredCapabilities": [ + "SHAREPOINTWAC", + "SHAREPOINTSTANDARD", + "SHAREPOINTENTERPRISE", + "SHAREPOINTENTERPRISE_EDU", + "ONEDRIVE_BASIC", + "ONEDRIVE_ENTERPRISE" + ] }, { "name": "standards.PhishingSimulations", 
@@ -2260,37 +3063,97 @@ "tag": [], "helpText": "This creates a phishing simulation policy that enables phishing simulations for the entire tenant.", "addedComponent": [ - { "type": "autoComplete", "multiple": true, "creatable": true, "required": true, "label": "Phishing Simulation Domains", "name": "standards.PhishingSimulations.Domains" }, - { "type": "autoComplete", "multiple": true, "creatable": true, "required": true, "label": "Phishing Simulation Sender IP Ranges", "name": "standards.PhishingSimulations.SenderIpRanges" }, - { "type": "autoComplete", "multiple": true, "creatable": true, "required": false, "label": "Phishing Simulation Urls", "name": "standards.PhishingSimulations.PhishingSimUrls" }, - { "type": "switch", "label": "Remove extra urls", "name": "standards.PhishingSimulations.RemoveExtraUrls", "defaultValue": false, "required": false } - ], - "label": "Phishing Simulation Configuration", - "impact": "Medium Impact", - "impactColour": "info", - "addedDate": "2025-03-27", - "powershellEquivalent": "New-TenantAllowBlockListItems, New-PhishSimOverridePolicy and New-ExoPhishSimOverrideRule", - "recommendedBy": [], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] - }, - { - "name": "standards.MalwareFilterPolicy", - "cat": "Defender Standards", - "tag": ["CIS M365 5.0 (2.1.2)", "CIS M365 5.0 (2.1.3)", "mdo_zapspam", "mdo_zapphish", "mdo_zapmalware", "NIST CSF 2.0 (DE.CM-09)", "ORCA121", "ORCA124", "ORCA232", "ZTNA21817", "ZTNA21819", "CISAMSEXO95", "CISAMSEXO101", "CISAMSEXO102", "CISAMSEXO103"], - "helpText": "This creates a Malware filter policy that enables the default File filter and Zero-hour auto purge for malware.", - "addedComponent": [ - { "type": "textField", "name": "standards.MalwareFilterPolicy.name", "label": "Policy Name", "required": true, "defaultValue": "CIPP Default Malware Policy" }, { - "type": "select", - "multiple": false, - "label": 
"FileTypeAction", + "type": "autoComplete", + "multiple": true, + "creatable": true, + "required": true, + "label": "Phishing Simulation Domains", + "name": "standards.PhishingSimulations.Domains" + }, + { + "type": "autoComplete", + "multiple": true, + "creatable": true, + "required": true, + "label": "Phishing Simulation Sender IP Ranges", + "name": "standards.PhishingSimulations.SenderIpRanges" + }, + { + "type": "autoComplete", + "multiple": true, + "creatable": true, + "required": false, + "label": "Phishing Simulation Urls", + "name": "standards.PhishingSimulations.PhishingSimUrls" + }, + { + "type": "switch", + "label": "Remove extra urls", + "name": "standards.PhishingSimulations.RemoveExtraUrls", + "defaultValue": false, + "required": false + } + ], + "label": "Phishing Simulation Configuration", + "impact": "Medium Impact", + "impactColour": "info", + "addedDate": "2025-03-27", + "powershellEquivalent": "New-TenantAllowBlockListItems, New-PhishSimOverridePolicy and New-ExoPhishSimOverrideRule", + "recommendedBy": [], + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] + }, + { + "name": "standards.MalwareFilterPolicy", + "cat": "Defender Standards", + "tag": [ + "CIS M365 5.0 (2.1.2)", + "CIS M365 5.0 (2.1.3)", + "mdo_zapspam", + "mdo_zapphish", + "mdo_zapmalware", + "NIST CSF 2.0 (DE.CM-09)", + "ORCA121", + "ORCA124", + "ORCA232", + "ZTNA21817", + "ZTNA21819", + "CISAMSEXO95", + "CISAMSEXO101", + "CISAMSEXO102", + "CISAMSEXO103" + ], + "helpText": "This creates a Malware filter policy that enables the default File filter and Zero-hour auto purge for malware.", + "addedComponent": [ + { + "type": "textField", + "name": "standards.MalwareFilterPolicy.name", + "label": "Policy Name", + "required": true, + "defaultValue": "CIPP Default Malware Policy" + }, + { + "type": "select", + "multiple": false, + "label": "FileTypeAction", "name": 
"standards.MalwareFilterPolicy.FileTypeAction", "options": [ { "label": "Reject", "value": "Reject" }, { "label": "Quarantine the message", "value": "Quarantine" } ] }, - { "type": "textField", "name": "standards.MalwareFilterPolicy.OptionalFileTypes", "required": false, "label": "Optional File Types, Comma separated" }, + { + "type": "textField", + "name": "standards.MalwareFilterPolicy.OptionalFileTypes", + "required": false, + "label": "Optional File Types, Comma separated" + }, { "type": "select", "multiple": false, 
@@ -2300,24 +3163,45 @@ "options": [ { "label": "AdminOnlyAccessPolicy", "value": "AdminOnlyAccessPolicy" }, { "label": "DefaultFullAccessPolicy", "value": "DefaultFullAccessPolicy" }, - { "label": "DefaultFullAccessWithNotificationPolicy", "value": "DefaultFullAccessWithNotificationPolicy" } + { + "label": "DefaultFullAccessWithNotificationPolicy", + "value": "DefaultFullAccessWithNotificationPolicy" + } ] }, - { "type": "switch", "label": "Enable Internal Sender Admin Notifications", "required": false, "name": "standards.MalwareFilterPolicy.EnableInternalSenderAdminNotifications" }, + { + "type": "switch", + "label": "Enable Internal Sender Admin Notifications", + "required": false, + "name": "standards.MalwareFilterPolicy.EnableInternalSenderAdminNotifications" + }, { "type": "textField", "name": "standards.MalwareFilterPolicy.InternalSenderAdminAddress", "required": false, "label": "Internal Sender Admin Address", - "condition": { "field": "standards.MalwareFilterPolicy.EnableInternalSenderAdminNotifications", "compareType": "is", "compareValue": true } + "condition": { + "field": "standards.MalwareFilterPolicy.EnableInternalSenderAdminNotifications", + "compareType": "is", + "compareValue": true + } + }, + { + "type": "switch", + "label": "Enable External Sender Admin Notifications", + "required": false, + "name": "standards.MalwareFilterPolicy.EnableExternalSenderAdminNotifications" }, - { "type": "switch", "label": "Enable External Sender Admin Notifications", "required": false, "name": "standards.MalwareFilterPolicy.EnableExternalSenderAdminNotifications" }, { "type": "textField", "name": "standards.MalwareFilterPolicy.ExternalSenderAdminAddress", "required": false, "label": "External Sender Admin Address", - "condition": { "field": "standards.MalwareFilterPolicy.EnableExternalSenderAdminNotifications", "compareType": "is", "compareValue": true } + "condition": { + "field": "standards.MalwareFilterPolicy.EnableExternalSenderAdminNotifications", + 
"compareType": "is", + "compareValue": true + } } ], "label": "Default Malware Filter Policy", @@ -2326,7 +3210,13 @@ "addedDate": "2024-03-25", "powershellEquivalent": "Set-MalwareFilterPolicy or New-MalwareFilterPolicy", "recommendedBy": ["CIS"], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.PhishSimSpoofIntelligence", @@ -2334,8 +3224,21 @@ "tag": [], "helpText": "This adds allowed domains to the Spoof Intelligence Allow/Block List.", "addedComponent": [ - { "type": "switch", "label": "Remove extra domains from the allow list", "name": "standards.PhishSimSpoofIntelligence.RemoveExtraDomains", "defaultValue": false, "required": false }, - { "type": "autoComplete", "multiple": true, "creatable": true, "required": false, "label": "Allowed Domains", "name": "standards.PhishSimSpoofIntelligence.AllowedDomains" } + { + "type": "switch", + "label": "Remove extra domains from the allow list", + "name": "standards.PhishSimSpoofIntelligence.RemoveExtraDomains", + "defaultValue": false, + "required": false + }, + { + "type": "autoComplete", + "multiple": true, + "creatable": true, + "required": false, + "label": "Allowed Domains", + "name": "standards.PhishSimSpoofIntelligence.AllowedDomains" + } ], "label": "Add allowed domains to Spoof Intelligence", "impact": "Medium Impact", 
@@ -2343,16 +3246,46 @@ "addedDate": "2025-03-28", "powershellEquivalent": "New-TenantAllowBlockListSpoofItems", "recommendedBy": [], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.SpamFilterPolicy", "cat": "Defender Standards", - "tag": ["ORCA100", "ORCA101", "ORCA102", "ORCA103", "ORCA104", "ORCA123", "ORCA139", "ORCA140", "ORCA141", "ORCA142", "ORCA143", "ORCA224", "ORCA231", "ORCA241", "CISAMSEXO141", "CISAMSEXO142", "CISAMSEXO143"], + "tag": [ + "ORCA100", + "ORCA101", + "ORCA102", + "ORCA103", + "ORCA104", + "ORCA123", + "ORCA139", + "ORCA140", + "ORCA141", + "ORCA142", + "ORCA143", + "ORCA224", + "ORCA231", + "ORCA241", + "CISAMSEXO141", + "CISAMSEXO142", + "CISAMSEXO143" + ], "helpText": "This standard creates a Spam filter policy similar to the default strict policy.", "docsDescription": "This standard creates a Spam filter policy similar to the default strict policy, the following settings are configured to on by default: IncreaseScoreWithNumericIps, IncreaseScoreWithRedirectToOtherPort, MarkAsSpamEmptyMessages, MarkAsSpamJavaScriptInHtml, MarkAsSpamSpfRecordHardFail, MarkAsSpamFromAddressAuthFail, MarkAsSpamNdrBackscatter, MarkAsSpamBulkMail, InlineSafetyTipsEnabled, PhishZapEnabled, SpamZapEnabled", "addedComponent": [ - { "type": "textField", "name": "standards.SpamFilterPolicy.name", "label": "Policy Name", "required": true, "defaultValue": "CIPP Default Spam Filter Policy" }, + { + "type": "textField", + "name": "standards.SpamFilterPolicy.name", + "label": "Policy Name", + "required": true, + "defaultValue": "CIPP Default Spam Filter Policy" + }, { "type": "number", "label": "Bulk email threshold (Default 7)", 
@@ -2385,7 +3318,10 @@ "options": [ { "label": "AdminOnlyAccessPolicy", "value": "AdminOnlyAccessPolicy" }, { "label": "DefaultFullAccessPolicy", "value": "DefaultFullAccessPolicy" }, - { "label": "DefaultFullAccessWithNotificationPolicy", "value": "DefaultFullAccessWithNotificationPolicy" } + { + "label": "DefaultFullAccessWithNotificationPolicy", + "value": "DefaultFullAccessWithNotificationPolicy" + } ] }, { @@ -2410,7 +3346,10 @@ "options": [ { "label": "AdminOnlyAccessPolicy", "value": "AdminOnlyAccessPolicy" }, { "label": "DefaultFullAccessPolicy", "value": "DefaultFullAccessPolicy" }, - { "label": "DefaultFullAccessWithNotificationPolicy", "value": "DefaultFullAccessWithNotificationPolicy" } + { + "label": "DefaultFullAccessWithNotificationPolicy", + "value": "DefaultFullAccessWithNotificationPolicy" + } ] }, { @@ -2435,7 +3374,10 @@ "options": [ { "label": "AdminOnlyAccessPolicy", "value": "AdminOnlyAccessPolicy" }, { "label": "DefaultFullAccessPolicy", "value": "DefaultFullAccessPolicy" }, - { "label": "DefaultFullAccessWithNotificationPolicy", "value": "DefaultFullAccessWithNotificationPolicy" } + { + "label": "DefaultFullAccessWithNotificationPolicy", + "value": "DefaultFullAccessWithNotificationPolicy" + } ] }, { @@ -2460,7 +3402,10 @@ "options": [ { "label": "AdminOnlyAccessPolicy", "value": "AdminOnlyAccessPolicy" }, { "label": "DefaultFullAccessPolicy", "value": "DefaultFullAccessPolicy" }, - { "label": "DefaultFullAccessWithNotificationPolicy", "value": "DefaultFullAccessWithNotificationPolicy" } + { + "label": "DefaultFullAccessWithNotificationPolicy", + "value": "DefaultFullAccessWithNotificationPolicy" + } ] }, { 
@@ -2473,18 +3418,66 @@ "options": [ { "label": "AdminOnlyAccessPolicy", "value": "AdminOnlyAccessPolicy" }, { "label": "DefaultFullAccessPolicy", "value": "DefaultFullAccessPolicy" }, - { "label": "DefaultFullAccessWithNotificationPolicy", "value": "DefaultFullAccessWithNotificationPolicy" } + { + "label": "DefaultFullAccessWithNotificationPolicy", + "value": "DefaultFullAccessWithNotificationPolicy" + } ] }, - { "type": "switch", "name": "standards.SpamFilterPolicy.IncreaseScoreWithImageLinks", "label": "Increase score if message contains image links to remote websites", "defaultValue": false }, - { "type": "switch", "name": "standards.SpamFilterPolicy.IncreaseScoreWithBizOrInfoUrls", "label": "Increase score if message contains links to .biz or .info domains", "defaultValue": false }, - { "type": "switch", "name": "standards.SpamFilterPolicy.MarkAsSpamFramesInHtml", "label": "Mark as spam if message contains HTML or iframe tags", "defaultValue": false }, - { "type": "switch", "name": "standards.SpamFilterPolicy.MarkAsSpamObjectTagsInHtml", "label": "Mark as spam if message contains HTML object tags", "defaultValue": false }, - { "type": "switch", "name": "standards.SpamFilterPolicy.MarkAsSpamEmbedTagsInHtml", "label": "Mark as spam if message contains HTML embed tags", "defaultValue": false }, - { "type": "switch", "name": "standards.SpamFilterPolicy.MarkAsSpamFormTagsInHtml", "label": "Mark as spam if message contains HTML form tags", "defaultValue": false }, - { "type": "switch", "name": "standards.SpamFilterPolicy.MarkAsSpamWebBugsInHtml", "label": "Mark as spam if message contains web bugs (also known as web beacons)", "defaultValue": false }, - { "type": "switch", "name": "standards.SpamFilterPolicy.MarkAsSpamSensitiveWordList", "label": "Mark as spam if message contains words from the sensitive words list", "defaultValue": false }, - { "type": "switch", "name": "standards.SpamFilterPolicy.EnableLanguageBlockList", "label": "Enable language block list", 
"defaultValue": false }, + { + "type": "switch", + "name": "standards.SpamFilterPolicy.IncreaseScoreWithImageLinks", + "label": "Increase score if message contains image links to remote websites", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.SpamFilterPolicy.IncreaseScoreWithBizOrInfoUrls", + "label": "Increase score if message contains links to .biz or .info domains", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.SpamFilterPolicy.MarkAsSpamFramesInHtml", + "label": "Mark as spam if message contains HTML or iframe tags", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.SpamFilterPolicy.MarkAsSpamObjectTagsInHtml", + "label": "Mark as spam if message contains HTML object tags", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.SpamFilterPolicy.MarkAsSpamEmbedTagsInHtml", + "label": "Mark as spam if message contains HTML embed tags", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.SpamFilterPolicy.MarkAsSpamFormTagsInHtml", + "label": "Mark as spam if message contains HTML form tags", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.SpamFilterPolicy.MarkAsSpamWebBugsInHtml", + "label": "Mark as spam if message contains web bugs (also known as web beacons)", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.SpamFilterPolicy.MarkAsSpamSensitiveWordList", + "label": "Mark as spam if message contains words from the sensitive words list", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.SpamFilterPolicy.EnableLanguageBlockList", + "label": "Enable language block list", + "defaultValue": false + }, { "type": "autoComplete", "multiple": true, 
@@ -2492,9 +3485,18 @@ "required": false, "name": "standards.SpamFilterPolicy.LanguageBlockList", "label": "Languages to block (uppercase ISO 639-1 two-letter)", - "condition": { "field": "standards.SpamFilterPolicy.EnableLanguageBlockList", "compareType": "is", "compareValue": true } + "condition": { + "field": "standards.SpamFilterPolicy.EnableLanguageBlockList", + "compareType": "is", + "compareValue": true + } + }, + { + "type": "switch", + "name": "standards.SpamFilterPolicy.EnableRegionBlockList", + "label": "Enable region block list", + "defaultValue": false }, - { "type": "switch", "name": "standards.SpamFilterPolicy.EnableRegionBlockList", "label": "Enable region block list", "defaultValue": false }, { "type": "autoComplete", "multiple": true, @@ -2502,9 +3504,20 @@ "required": false, "name": "standards.SpamFilterPolicy.RegionBlockList", "label": "Regions to block (uppercase ISO 3166-1 two-letter)", - "condition": { "field": "standards.SpamFilterPolicy.EnableRegionBlockList", "compareType": "is", "compareValue": true } + "condition": { + "field": "standards.SpamFilterPolicy.EnableRegionBlockList", + "compareType": "is", + "compareValue": true + } }, - { "type": "autoComplete", "multiple": true, "creatable": true, "required": false, "name": "standards.SpamFilterPolicy.AllowedSenderDomains", "label": "Allowed sender domains" } + { + "type": "autoComplete", + "multiple": true, + "creatable": true, + "required": false, + "name": "standards.SpamFilterPolicy.AllowedSenderDomains", + "label": "Allowed sender domains" + } ], "label": "Default Spam Filter Policy", "impact": "Medium Impact", 
@@ -2512,7 +3525,13 @@ "addedDate": "2024-07-15", "powershellEquivalent": "New-HostedContentFilterPolicy or Set-HostedContentFilterPolicy", "recommendedBy": [], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.QuarantineTemplate", 
@@ -2522,23 +3541,72 @@ "helpText": "This standard creates a Custom Quarantine Policies that can be used in Anti-Spam and all MDO365 policies. Quarantine Policies can be used to specify recipients permissions, enable end-user spam notifications, and specify the release action preference", "executiveText": "Creates standardized quarantine policies that define how employees can interact with quarantined emails, including permissions to release, delete, or preview suspicious messages. This ensures consistent security handling across the organization while providing appropriate user access to manage quarantined content.", "addedComponent": [ - { "type": "autoComplete", "multiple": false, "creatable": true, "name": "displayName", "label": "Quarantine Display Name", "required": true }, - { "type": "switch", "label": "Enable end-user spam notifications", "name": "ESNEnabled", "defaultValue": true, "required": false }, + { + "type": "autoComplete", + "multiple": false, + "creatable": true, + "name": "displayName", + "label": "Quarantine Display Name", + "required": true + }, + { + "type": "switch", + "label": "Enable end-user spam notifications", + "name": "ESNEnabled", + "defaultValue": true, + "required": false + }, { "type": "select", "multiple": false, "label": "Select release action preference", "name": "ReleaseAction", "options": [ - { "label": "Allow recipients to request a message to be released from quarantine", "value": "PermissionToRequestRelease" }, - { "label": "Allow recipients to release a message from quarantine", "value": "PermissionToRelease" } + { + "label": "Allow recipients to request a message to be released from quarantine", + "value": "PermissionToRequestRelease" + }, + { + "label": "Allow recipients to release a message from quarantine", + "value": "PermissionToRelease" + } ] }, - { "type": "switch", "label": "Include Messages From Blocked Sender Address", "name": "IncludeMessagesFromBlockedSenderAddress", "defaultValue": false, "required": false 
}, - { "type": "switch", "label": "Allow recipients to delete message", "name": "PermissionToDelete", "defaultValue": false, "required": false }, - { "type": "switch", "label": "Allow recipients to preview message", "name": "PermissionToPreview", "defaultValue": false, "required": false }, - { "type": "switch", "label": "Allow recipients to block Sender Address", "name": "PermissionToBlockSender", "defaultValue": false, "required": false }, - { "type": "switch", "label": "Allow recipients to whitelist Sender Address", "name": "PermissionToAllowSender", "defaultValue": false, "required": false } + { + "type": "switch", + "label": "Include Messages From Blocked Sender Address", + "name": "IncludeMessagesFromBlockedSenderAddress", + "defaultValue": false, + "required": false + }, + { + "type": "switch", + "label": "Allow recipients to delete message", + "name": "PermissionToDelete", + "defaultValue": false, + "required": false + }, + { + "type": "switch", + "label": "Allow recipients to preview message", + "name": "PermissionToPreview", + "defaultValue": false, + "required": false + }, + { + "type": "switch", + "label": "Allow recipients to block Sender Address", + "name": "PermissionToBlockSender", + "defaultValue": false, + "required": false + }, + { + "type": "switch", + "label": "Allow recipients to whitelist Sender Address", + "name": "PermissionToAllowSender", + "defaultValue": false, + "required": false + } ], "label": "Custom Quarantine Policy", "multiple": true, @@ -2547,7 +3615,13 @@ "addedDate": "2025-05-16", "powershellEquivalent": "Set-QuarantinePolicy or New-QuarantinePolicy", "recommendedBy": [], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.IntuneWindowsDiagnostic", 
@@ -2557,8 +3631,18 @@
 "docsDescription": "Enables Windows diagnostic data in processor configuration for your Intune tenant. This setting is required for several Intune features including Windows feature update device readiness reports, compatibility risk reports, driver update reports, and update policy alerts. When enabled, your organization becomes the controller of Windows diagnostic data collected from managed devices, allowing Intune to use this data for reporting and update management features. More information can be found in [Microsoft's documentation.](https://go.microsoft.com/fwlink/?linkid=2204384)",
 "executiveText": "Enables access to Windows Update reporting and compatibility analysis features in Intune by allowing the use of Windows diagnostic data. This unlocks important capabilities like device readiness reports for feature updates, driver update reports, and proactive alerts for update failures, helping IT teams plan and monitor Windows updates more effectively across the organization.",
 "addedComponent": [
- { "type": "switch", "name": "standards.IntuneWindowsDiagnostic.areDataProcessorServiceForWindowsFeaturesEnabled", "label": "Enable Windows data", "defaultValue": false },
- { "type": "switch", "name": "standards.IntuneWindowsDiagnostic.hasValidWindowsLicense", "label": "Confirm ownership of the required Windows E3 or equivalent licenses (Enables Windows update app and driver compatibility reports)", "defaultValue": false }
+ {
+ "type": "switch",
+ "name": "standards.IntuneWindowsDiagnostic.areDataProcessorServiceForWindowsFeaturesEnabled",
+ "label": "Enable Windows data",
+ "defaultValue": false
+ },
+ {
+ "type": "switch",
+ "name": "standards.IntuneWindowsDiagnostic.hasValidWindowsLicense",
+ "label": "Confirm ownership of the required Windows E3 or equivalent licenses (Enables Windows update app and driver compatibility reports)",
+ "defaultValue": false
+ }
 ],
 "label": "Set Intune Windows diagnostic data settings",
 "impact": "Low Impact",
@@ -2604,7 +3688,11 @@
 "helpText": "A value between 31 and 365 is supported. retired devices are removed from Intune after the specified number of days.",
 "executiveText": "Automatically removes inactive devices from management after a specified period, helping maintain a clean device inventory and reducing security risks from abandoned or lost devices. This policy ensures that only actively used corporate devices remain in the management system.",
 "addedComponent": [
- { "type": "number", "name": "standards.intuneDeviceRetirementDays.days", "label": "Maximum days" }
+ {
+ "type": "number",
+ "name": "standards.intuneDeviceRetirementDays.days",
+ "label": "Maximum days"
+ }
 ],
 "label": "Set inactive device retirement days",
 "impact": "Low Impact",
@@ -2621,16 +3709,65 @@
 "helpText": "Sets the branding profile for the Intune Company Portal app. This is a tenant wide setting and overrules any settings set on the app level.",
 "executiveText": "Customizes the Intune Company Portal app with company branding, contact information, and support details, providing employees with a consistent corporate experience when managing their devices. This improves user experience and ensures employees know how to get IT support when needed.",
 "addedComponent": [
- { "type": "textField", "name": "standards.intuneBrandingProfile.displayName", "label": "Organization name", "required": false },
- { "type": "switch", "name": "standards.intuneBrandingProfile.showLogo", "label": "Show logo" },
- { "type": "switch", "name": "standards.intuneBrandingProfile.showDisplayNameNextToLogo", "label": "Show organization name next to logo", "required": false },
- { "type": "textField", "name": "standards.intuneBrandingProfile.contactITName", "label": "Contact IT name", "required": false },
- { "type": "textField", "name": "standards.intuneBrandingProfile.contactITPhoneNumber", "label": "Contact IT phone number", "required": false },
- { "type": "textField", "name": "standards.intuneBrandingProfile.contactITEmailAddress", "label": "Contact IT email address", "required": false },
- { "type": "textField", "name": "standards.intuneBrandingProfile.contactITNotes", "label": "Contact IT notes", "required": false },
- { "type": "textField", "name": "standards.intuneBrandingProfile.onlineSupportSiteName", "label": "Online support site name", "required": false },
- { "type": "textField", "name": "standards.intuneBrandingProfile.onlineSupportSiteUrl", "label": "Online support site URL", "required": false },
- { "type": "textField", "name": "standards.intuneBrandingProfile.privacyUrl", "label": "Privacy statement URL", "required": false }
+ {
+ "type": "textField",
+ "name": "standards.intuneBrandingProfile.displayName",
+ "label": "Organization name",
+ "required": false
+ },
+ {
+ "type": "switch",
+ "name": "standards.intuneBrandingProfile.showLogo",
+ "label": "Show logo"
+ },
+ {
+ "type": "switch",
+ "name": "standards.intuneBrandingProfile.showDisplayNameNextToLogo",
+ "label": "Show organization name next to logo",
+ "required": false
+ },
+ {
+ "type": "textField",
+ "name": "standards.intuneBrandingProfile.contactITName",
+ "label": "Contact IT name",
+ "required": false
+ },
+ {
+ "type": "textField",
+ "name": "standards.intuneBrandingProfile.contactITPhoneNumber",
+ "label": "Contact IT phone number",
+ "required": false
+ },
+ {
+ "type": "textField",
+ "name": "standards.intuneBrandingProfile.contactITEmailAddress",
+ "label": "Contact IT email address",
+ "required": false
+ },
+ {
+ "type": "textField",
+ "name": "standards.intuneBrandingProfile.contactITNotes",
+ "label": "Contact IT notes",
+ "required": false
+ },
+ {
+ "type": "textField",
+ "name": "standards.intuneBrandingProfile.onlineSupportSiteName",
+ "label": "Online support site name",
+ "required": false
+ },
+ {
+ "type": "textField",
+ "name": "standards.intuneBrandingProfile.onlineSupportSiteUrl",
+ "label": "Online support site URL",
+ "required": false
+ },
+ {
+ "type": "textField",
+ "name": "standards.intuneBrandingProfile.privacyUrl",
+ "label": "Privacy statement URL",
+ "required": false
+ }
 ],
 "label": "Set Intune Company Portal branding profile",
 "impact": "Low Impact",
@@ -2696,7 +3833,12 @@
 { "label": "Custom Group", "value": "selected" }
 ]
 },
- { "type": "textField", "name": "standards.MDMScope.customGroup", "label": "Custom Group Name", "required": false }
+ {
+ "type": "textField",
+ "name": "standards.MDMScope.customGroup",
+ "label": "Custom Group Name",
+ "required": false
+ }
 ],
 "label": "Configure MDM user scope",
 "impact": "Low Impact",
@@ -2713,16 +3855,66 @@
 "helpText": "Sets the default platform restrictions for enrolling devices into Intune. Note: Do not block personally owned if platform is blocked.",
 "executiveText": "Controls which types of devices (iOS, Android, Windows, macOS) and ownership models (corporate vs. personal) can be enrolled in the company's device management system. This helps maintain security standards while supporting necessary business device types and usage scenarios.",
 "addedComponent": [
- { "type": "switch", "name": "standards.DefaultPlatformRestrictions.platformAndroidForWorkBlocked", "label": "Block platform Android Enterprise (work profile)", "default": false },
- { "type": "switch", "name": "standards.DefaultPlatformRestrictions.personalAndroidForWorkBlocked", "label": "Block personally owned Android Enterprise (work profile)", "default": false },
- { "type": "switch", "name": "standards.DefaultPlatformRestrictions.platformAndroidBlocked", "label": "Block platform Android", "default": false },
- { "type": "switch", "name": "standards.DefaultPlatformRestrictions.personalAndroidBlocked", "label": "Block personally owned Android", "default": false },
- { "type": "switch", "name": "standards.DefaultPlatformRestrictions.platformiOSBlocked", "label": "Block platform iOS", "default": false },
- { "type": "switch", "name": "standards.DefaultPlatformRestrictions.personaliOSBlocked", "label": "Block personally owned iOS", "default": false },
- { "type": "switch", "name": "standards.DefaultPlatformRestrictions.platformMacOSBlocked", "label": "Block platform macOS", "default": false },
- { "type": "switch", "name": "standards.DefaultPlatformRestrictions.personalMacOSBlocked", "label": "Block personally owned macOS", "default": false },
- { "type": "switch", "name": "standards.DefaultPlatformRestrictions.platformWindowsBlocked", "label": "Block platform Windows", "default": false },
- { "type": "switch", "name": "standards.DefaultPlatformRestrictions.personalWindowsBlocked", "label": "Block personally owned Windows", "default": false }
+ {
+ "type": "switch",
+ "name": "standards.DefaultPlatformRestrictions.platformAndroidForWorkBlocked",
+ "label": "Block platform Android Enterprise (work profile)",
+ "default": false
+ },
+ {
+ "type": "switch",
+ "name": "standards.DefaultPlatformRestrictions.personalAndroidForWorkBlocked",
+ "label": "Block personally owned Android Enterprise (work profile)",
+ "default": false
+ },
+ {
+ "type": "switch",
+ "name": "standards.DefaultPlatformRestrictions.platformAndroidBlocked",
+ "label": "Block platform Android",
+ "default": false
+ },
+ {
+ "type": "switch",
+ "name": "standards.DefaultPlatformRestrictions.personalAndroidBlocked",
+ "label": "Block personally owned Android",
+ "default": false
+ },
+ {
+ "type": "switch",
+ "name": "standards.DefaultPlatformRestrictions.platformiOSBlocked",
+ "label": "Block platform iOS",
+ "default": false
+ },
+ {
+ "type": "switch",
+ "name": "standards.DefaultPlatformRestrictions.personaliOSBlocked",
+ "label": "Block personally owned iOS",
+ "default": false
+ },
+ {
+ "type": "switch",
+ "name": "standards.DefaultPlatformRestrictions.platformMacOSBlocked",
+ "label": "Block platform macOS",
+ "default": false
+ },
+ {
+ "type": "switch",
+ "name": "standards.DefaultPlatformRestrictions.personalMacOSBlocked",
+ "label": "Block personally owned macOS",
+ "default": false
+ },
+ {
+ "type": "switch",
+ "name": "standards.DefaultPlatformRestrictions.platformWindowsBlocked",
+ "label": "Block platform Windows",
+ "default": false
+ },
+ {
+ "type": "switch",
+ "name": "standards.DefaultPlatformRestrictions.personalWindowsBlocked",
+ "label": "Block personally owned Windows",
+ "default": false
+ }
 ],
 "label": "Device enrollment restrictions",
 "impact": "Low Impact",
@@ -2740,7 +3932,11 @@
 "docsDescription": "Controls whether Windows shows the \"Allow my organization to manage my device\" prompt when users add a work or school account. When set to disabled, this setting prevents automatic MDM enrollment during the account registration flow, separating account registration from device enrollment. This is useful for environments where you want to allow users to add work accounts without triggering MDM enrollment.",
 "executiveText": "Controls automatic device management enrollment during work account setup. When disabled, users can add work accounts to their Windows devices without the prompt asking to allow organizational device management, preventing unintended MDM enrollments on personal or BYOD devices.",
 "addedComponent": [
- { "type": "switch", "name": "standards.MDMEnrollmentDuringRegistration.disableEnrollment", "label": "Disable MDM enrollment during registration" }
+ {
+ "type": "switch",
+ "name": "standards.MDMEnrollmentDuringRegistration.disableEnrollment",
+ "label": "Disable MDM enrollment during registration"
+ }
 ],
 "label": "Configure MDM enrollment when adding work or school account",
 "impact": "Medium Impact",
@@ -2768,7 +3964,12 @@
 { "label": "Disabled", "value": "disabled" }
 ]
 },
- { "type": "switch", "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.securityDeviceRequired", "label": "Use a Trusted Platform Module (TPM)", "default": true },
+ {
+ "type": "switch",
+ "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.securityDeviceRequired",
+ "label": "Use a Trusted Platform Module (TPM)",
+ "default": true
+ },
 {
 "type": "number",
 "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.pinMinimumLength",
@@ -2822,9 +4023,24 @@
 { "label": "Required", "value": "required" }
 ]
 },
- { "type": "number", "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.pinExpirationInDays", "label": "PIN expiration (days) - 0 to disable", "default": 0 },
- { "type": "number", "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.pinPreviousBlockCount", "label": "PIN history - 0 to disable", "default": 0 },
- { "type": "switch", "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.unlockWithBiometricsEnabled", "label": "Allow biometric authentication", "default": true },
+ {
+ "type": "number",
+ "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.pinExpirationInDays",
+ "label": "PIN expiration (days) - 0 to disable",
+ "default": 0
+ },
+ {
+ "type": "number",
+ "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.pinPreviousBlockCount",
+ "label": "PIN history - 0 to disable",
+ "default": 0
+ },
+ {
+ "type": "switch",
+ "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.unlockWithBiometricsEnabled",
+ "label": "Allow biometric authentication",
+ "default": true
+ },
 {
 "type": "autoComplete",
 "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.enhancedBiometricsState",
@@ -2836,7 +4052,12 @@
 { "label": "Disabled", "value": "disabled" }
 ]
 },
- { "type": "switch", "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.remotePassportEnabled", "label": "Allow phone sign-in", "default": true }
+ {
+ "type": "switch",
+ "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.remotePassportEnabled",
+ "label": "Allow phone sign-in",
+ "default": true
+ }
 ],
 "label": "Windows Hello for Business enrollment configuration",
 "impact": "Low Impact",
@@ -2853,7 +4074,12 @@
 "helpText": "Sets the maximum number of devices that can be registered by a user. A value of 0 disables device registration by users",
 "executiveText": "Limits how many devices each employee can register for corporate access, preventing excessive device proliferation while accommodating legitimate business needs. This helps maintain security oversight and prevents potential abuse of device registration privileges.",
 "addedComponent": [
- { "type": "number", "name": "standards.intuneDeviceReg.max", "label": "Maximum devices (Enter 2147483647 for unlimited.)", "required": true }
+ {
+ "type": "number",
+ "name": "standards.intuneDeviceReg.max",
+ "label": "Maximum devices (Enter 2147483647 for unlimited.)",
+ "required": true
+ }
 ],
 "label": "Set Maximum Number of Devices per user",
 "impact": "Medium Impact",
@@ -2871,8 +4097,18 @@
 "docsDescription": "Configures the Device Registration Policy local administrator behavior for registering users. When enabled, users who register devices are not granted local administrator rights, you can also configure if Global Administrators are added as local admins.",
 "executiveText": "Controls whether employees who enroll devices automatically receive local administrator access. Disabling registering-user admin rights follows least-privilege principles and reduces security risk from over-privileged endpoints.",
 "addedComponent": [
- { "type": "switch", "name": "standards.intuneDeviceRegLocalAdmins.disableRegisteringUsers", "label": "Disable registering users as local administrators", "defaultValue": true },
- { "type": "switch", "name": "standards.intuneDeviceRegLocalAdmins.enableGlobalAdmins", "label": "Allow Global Administrators to be local administrators", "defaultValue": true }
+ {
+ "type": "switch",
+ "name": "standards.intuneDeviceRegLocalAdmins.disableRegisteringUsers",
+ "label": "Disable registering users as local administrators",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.intuneDeviceRegLocalAdmins.enableGlobalAdmins",
+ "label": "Allow Global Administrators to be local administrators",
+ "defaultValue": true
+ }
 ],
 "label": "Configure local administrator rights for users joining devices",
 "impact": "Medium Impact",
@@ -2889,7 +4125,12 @@
 "docsDescription": "Configures whether users can register devices with Entra. When disabled, users are unable to register devices with Entra.",
 "executiveText": "Controls whether employees can register their devices for corporate access. Disabling user device registration prevents unauthorized or unmanaged devices from connecting to company resources, enhancing overall security posture.",
 "addedComponent": [
- { "type": "switch", "name": "standards.intuneRestrictUserDeviceRegistration.disableUserDeviceRegistration", "label": "Disable users from registering devices", "defaultValue": true }
+ {
+ "type": "switch",
+ "name": "standards.intuneRestrictUserDeviceRegistration.disableUserDeviceRegistration",
+ "label": "Disable users from registering devices",
+ "defaultValue": true
+ }
 ],
 "label": "Configure user restriction for Entra device registration",
 "impact": "High Impact",
@@ -2946,7 +4187,14 @@
 "addedDate": "2022-06-15",
 "powershellEquivalent": "Update-MgBetaAdminSharePointSetting",
 "recommendedBy": [],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.SPFileRequests",
@@ -2956,7 +4204,11 @@
 "docsDescription": "File Requests allow users to create secure upload-only share links where uploads are hidden from other people using the link. This creates a secure and private way for people to upload files to a folder. This feature is not enabled by default on new tenants and requires PowerShell configuration. This standard enables or disables this feature and optionally configures link expiration settings for both SharePoint and OneDrive.",
 "executiveText": "Enables secure file upload functionality that allows external users to submit files directly to company folders without seeing other submissions or folder contents. This provides a professional and secure way to collect documents from clients, vendors, and partners while maintaining data privacy and security.",
 "addedComponent": [
- { "type": "switch", "name": "standards.SPFileRequests.state", "label": "Enable File Requests" },
+ {
+ "type": "switch",
+ "name": "standards.SPFileRequests.state",
+ "label": "Enable File Requests"
+ },
 {
 "type": "number",
 "name": "standards.SPFileRequests.expirationDays",
@@ -2974,7 +4226,14 @@
 "addedDate": "2025-07-30",
 "powershellEquivalent": "Set-SPOTenant -CoreRequestFilesLinkEnabled $true -OneDriveRequestFilesLinkEnabled $true -CoreRequestFilesLinkExpirationInDays 30 -OneDriveRequestFilesLinkExpirationInDays 30",
 "recommendedBy": ["CIPP"],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.TenantDefaultTimezone",
@@ -2983,7 +4242,11 @@
 "helpText": "Sets the default timezone for the tenant. This will be used for all new users and sites.",
 "executiveText": "Standardizes the timezone setting across all SharePoint sites and new user accounts, ensuring consistent scheduling and time-based operations throughout the organization. This improves collaboration efficiency and reduces confusion in global or multi-timezone organizations.",
 "addedComponent": [
- { "type": "TimezoneSelect", "name": "standards.TenantDefaultTimezone.Timezone", "label": "Timezone" }
+ {
+ "type": "TimezoneSelect",
+ "name": "standards.TenantDefaultTimezone.Timezone",
+ "label": "Timezone"
+ }
 ],
 "label": "Set Default Timezone for Tenant",
 "impact": "Low Impact",
@@ -2991,7 +4254,14 @@
 "addedDate": "2024-04-20",
 "powershellEquivalent": "Update-MgBetaAdminSharePointSetting",
 "recommendedBy": [],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.SPAzureB2B",
@@ -3006,7 +4276,14 @@
 "addedDate": "2024-07-09",
 "powershellEquivalent": "Set-SPOTenant -EnableAzureADB2BIntegration $true",
 "recommendedBy": ["CIS"],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.SPDisallowInfectedFiles",
@@ -3021,7 +4298,14 @@
 "addedDate": "2024-07-09",
 "powershellEquivalent": "Set-SPOTenant -DisallowInfectedFileDownload $true",
 "recommendedBy": ["CIS", "CIPP"],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.SPDisableLegacyWorkflows",
@@ -3036,7 +4320,14 @@
 "addedDate": "2024-07-15",
 "powershellEquivalent": "Set-SPOTenant -DisableWorkflow2010 $true -DisableWorkflow2013 $true -DisableBackToClassic $true",
 "recommendedBy": [],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.SPDirectSharing",
@@ -3051,7 +4342,14 @@
 "addedDate": "2024-07-09",
 "powershellEquivalent": "Set-SPOTenant -DefaultSharingLinkType Direct",
 "recommendedBy": ["CIS", "CIPP"],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.SPExternalUserExpiration",
@@ -3077,7 +4375,14 @@
 "addedDate": "2024-07-09",
 "powershellEquivalent": "Set-SPOTenant -ExternalUserExpireInDays 30 -ExternalUserExpirationRequired $True",
 "recommendedBy": ["CIS"],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.SPEmailAttestation",
@@ -3103,12 +4408,25 @@
 "addedDate": "2024-07-09",
 "powershellEquivalent": "Set-SPOTenant -EmailAttestationRequired $true -EmailAttestationReAuthDays 15",
 "recommendedBy": ["CIS", "CIPP"],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.DefaultSharingLink",
 "cat": "SharePoint Standards",
- "tag": ["CIS M365 5.0 (7.2.7)", "CIS M365 5.0 (7.2.11)", "CISA (MS.SPO.1.4v1)", "ZTNA21803", "ZTNA21804"],
+ "tag": [
+ "CIS M365 5.0 (7.2.7)",
+ "CIS M365 5.0 (7.2.11)",
+ "CISA (MS.SPO.1.4v1)",
+ "ZTNA21803",
+ "ZTNA21804"
+ ],
 "helpText": "Configure the SharePoint default sharing link type and permission. This setting controls both the type of sharing link created by default and the permission level assigned to those links.",
 "docsDescription": "Sets the default sharing link type (Direct or Internal) and permission (View) in SharePoint and OneDrive. Direct sharing means links only work for specific people, while Internal sharing means links work for anyone in the organization. Setting the view permission as the default ensures that users must deliberately select the edit permission when sharing a link, reducing the risk of unintentionally granting edit privileges.",
 "executiveText": "Configures SharePoint default sharing links to implement the principle of least privilege for document sharing. This security measure reduces the risk of accidental data modification while maintaining collaboration functionality, requiring users to explicitly select Edit permissions when necessary. The sharing type setting controls whether links are restricted to specific recipients or available to the entire organization. This reduces the risk of accidental data exposure through link sharing.",
@@ -3132,7 +4450,14 @@
 "addedDate": "2025-06-13",
 "powershellEquivalent": "Set-SPOTenant -DefaultSharingLinkType [Direct|Internal] -DefaultLinkPermission View",
 "recommendedBy": ["CIS", "CIPP"],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.DisableAddShortcutsToOneDrive",
@@ -3159,7 +4484,14 @@
 "addedDate": "2023-07-25",
 "powershellEquivalent": "Set-SPOTenant -DisableAddShortcutsToOneDrive $true or $false",
 "recommendedBy": [],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.SPSyncButtonState",
@@ -3186,12 +4518,27 @@
 "addedDate": "2024-07-26",
 "powershellEquivalent": "Set-SPOTenant -HideSyncButtonOnTeamSite $true or $false",
 "recommendedBy": [],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.DisableSharePointLegacyAuth",
 "cat": "SharePoint Standards",
- "tag": ["CIS M365 5.0 (6.5.1)", "CIS M365 5.0 (7.2.1)", "spo_legacy_auth", "CISA (MS.AAD.3.1v1)", "NIST CSF 2.0 (PR.IR-01)", "ZTNA21776", "ZTNA21797"],
+ "tag": [
+ "CIS M365 5.0 (6.5.1)",
+ "CIS M365 5.0 (7.2.1)",
+ "spo_legacy_auth",
+ "CISA (MS.AAD.3.1v1)",
+ "NIST CSF 2.0 (PR.IR-01)",
+ "ZTNA21776",
+ "ZTNA21797"
+ ],
 "helpText": "Disables the ability to authenticate with SharePoint using legacy authentication methods. Any applications that use legacy authentication will need to be updated to use modern authentication.",
 "docsDescription": "Disables the ability for users and applications to access SharePoint via legacy basic authentication. This will likely not have any user impact, but will block systems/applications depending on basic auth or the SharePointOnlineCredentials class.",
 "executiveText": "Disables outdated authentication methods for SharePoint access, forcing applications and users to use modern, more secure authentication protocols. This significantly improves security by eliminating vulnerable authentication pathways while requiring updates to older applications.",
@@ -3202,12 +4549,25 @@
 "addedDate": "2024-02-05",
 "powershellEquivalent": "Set-SPOTenant -LegacyAuthProtocolsEnabled $false",
 "recommendedBy": ["CIS", "CIPP"],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.sharingCapability",
 "cat": "SharePoint Standards",
- "tag": ["CIS M365 5.0 (7.2.3)", "CISA (MS.AAD.14.1v1)", "CISA (MS.SPO.1.1v1)", "ZTNA21803", "ZTNA21804"],
+ "tag": [
+ "CIS M365 5.0 (7.2.3)",
+ "CISA (MS.AAD.14.1v1)",
+ "CISA (MS.SPO.1.1v1)",
+ "ZTNA21803",
+ "ZTNA21804"
+ ],
 "helpText": "Sets the default sharing level for OneDrive and SharePoint. This is a tenant wide setting and overrules any settings set on the site level",
 "executiveText": "Defines the organization's default policy for sharing files and folders in SharePoint and OneDrive, balancing collaboration needs with security requirements. This fundamental setting determines whether employees can share with external users, anonymous links, or only internal colleagues.",
 "addedComponent": [
@@ -3217,10 +4577,22 @@
 "label": "Select Sharing Level",
 "name": "standards.sharingCapability.Level",
 "options": [
- { "label": "Users can share only with people in the organization. No external sharing is allowed.", "value": "disabled" },
- { "label": "Users can share with new and existing guests. Guests must sign in or provide a verification code.", "value": "externalUserSharingOnly" },
- { "label": "Users can share with anyone by using links that do not require sign-in.", "value": "externalUserAndGuestSharing" },
- { "label": "Users can share with existing guests (those already in the directory of the organization).", "value": "existingExternalUserSharingOnly" }
+ {
+ "label": "Users can share only with people in the organization. No external sharing is allowed.",
+ "value": "disabled"
+ },
+ {
+ "label": "Users can share with new and existing guests. Guests must sign in or provide a verification code.",
+ "value": "externalUserSharingOnly"
+ },
+ {
+ "label": "Users can share with anyone by using links that do not require sign-in.",
+ "value": "externalUserAndGuestSharing"
+ },
+ {
+ "label": "Users can share with existing guests (those already in the directory of the organization).",
+ "value": "existingExternalUserSharingOnly"
+ }
 ]
 }
 ],
@@ -3230,12 +4602,25 @@
 "addedDate": "2022-06-15",
 "powershellEquivalent": "Update-MgBetaAdminSharePointSetting",
 "recommendedBy": ["CIS", "CIPP"],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.DisableReshare",
 "cat": "SharePoint Standards",
- "tag": ["CIS M365 5.0 (7.2.5)", "CISA (MS.AAD.14.2v1)", "CISA (MS.SPO.1.2v1)", "ZTNA21803", "ZTNA21804"],
+ "tag": [
+ "CIS M365 5.0 (7.2.5)",
+ "CISA (MS.AAD.14.2v1)",
+ "CISA (MS.SPO.1.2v1)",
+ "ZTNA21803",
+ "ZTNA21804"
+ ],
 "helpText": "Disables the ability for external users to share files they don't own. Sharing links can only be made for People with existing access",
 "docsDescription": "Disables the ability for external users to share files they don't own. Sharing links can only be made for People with existing access. This is a tenant wide setting and overrules any settings set on the site level",
 "executiveText": "Prevents external users from sharing company documents with additional people, maintaining control over document distribution and preventing unauthorized access expansion. This security measure ensures that external sharing remains within intended boundaries set by internal employees.",
@@ -3246,7 +4631,14 @@
 "addedDate": "2022-06-15",
 "powershellEquivalent": "Update-MgBetaAdminSharePointSetting",
 "recommendedBy": ["CIS", "CIPP"],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.DisableUserSiteCreate",
@@ -3262,7 +4654,14 @@
 "addedDate": "2022-06-15",
 "powershellEquivalent": "Update-MgAdminSharePointSetting",
 "recommendedBy": [],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.ExcludedfileExt",
@@ -3271,7 +4670,11 @@
 "helpText": "Sets the file extensions that are excluded from syncing with OneDrive. These files will be blocked from upload. '*.' is automatically added to the extension and can be omitted.",
 "executiveText": "Blocks specific file types from being uploaded or synchronized to OneDrive, helping prevent security risks from potentially dangerous file formats. This security measure protects against malware distribution while allowing legitimate business file types to be shared safely.",
 "addedComponent": [
- { "type": "textField", "name": "standards.ExcludedfileExt.ext", "label": "Extensions, Comma separated" }
+ {
+ "type": "textField",
+ "name": "standards.ExcludedfileExt.ext",
+ "label": "Extensions, Comma separated"
+ }
 ],
 "label": "Exclude File Extensions from Syncing",
 "impact": "High Impact",
@@ -3279,7 +4682,14 @@
 "addedDate": "2022-06-15",
 "powershellEquivalent": "Update-MgAdminSharePointSetting",
 "recommendedBy": [],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.disableMacSync",
@@ -3294,7 +4704,14 @@
 "addedDate": "2022-06-15",
 "powershellEquivalent": "Update-MgAdminSharePointSetting",
 "recommendedBy": [],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.unmanagedSync",
@@ -3328,7 +4745,13 @@
 {
 "name": "standards.sharingDomainRestriction",
 "cat": "SharePoint Standards",
- "tag": ["CIS M365 5.0 (7.2.6)", "CISA (MS.AAD.14.3v1)", "CISA (MS.SPO.1.3v1)", "ZTNA21803", "ZTNA21804"],
+ "tag": [
+ "CIS M365 5.0 (7.2.6)",
+ "CISA (MS.AAD.14.3v1)",
+ "CISA (MS.SPO.1.3v1)",
+ "ZTNA21803",
+ "ZTNA21804"
+ ],
 "helpText": "Restricts sharing to only users with the specified domain. This is useful for organizations that only want to share with their own domain.",
 "executiveText": "Controls which external domains employees can share files with, enabling secure collaboration with trusted partners while blocking sharing with unauthorized organizations. This targeted approach maintains necessary business relationships while preventing data exposure to unknown entities.",
 "addedComponent": [
@@ -3343,7 +4766,12 @@
 { "label": "Block sharing to specific domains", "value": "blockList" }
 ]
 },
- { "type": "textField", "name": "standards.sharingDomainRestriction.Domains", "label": "Domains to allow/block, comma separated", "required": false }
+ {
+ "type": "textField",
+ "name": "standards.sharingDomainRestriction.Domains",
+ "label": "Domains to allow/block, comma separated",
+ "required": false
+ }
 ],
 "label": "Restrict sharing to a specific domain",
 "impact": "High Impact",
@@ -3351,12 +4779,26 @@
 "addedDate": "2024-06-20",
 "powershellEquivalent": "Update-MgAdminSharePointSetting",
 "recommendedBy": [],
- "requiredCapabilities": ["SHAREPOINTWAC", "SHAREPOINTSTANDARD", "SHAREPOINTENTERPRISE", "SHAREPOINTENTERPRISE_EDU", "ONEDRIVE_BASIC", "ONEDRIVE_ENTERPRISE"]
+ "requiredCapabilities": [
+ "SHAREPOINTWAC",
+ "SHAREPOINTSTANDARD",
+ "SHAREPOINTENTERPRISE",
+ "SHAREPOINTENTERPRISE_EDU",
+ "ONEDRIVE_BASIC",
+ "ONEDRIVE_ENTERPRISE"
+ ]
 },
 {
 "name": "standards.TeamsGlobalMeetingPolicy",
 "cat": "Teams Standards",
- "tag": ["CIS M365 5.0 (8.5.1)", "CIS M365 5.0 (8.5.2)", "CIS M365 5.0 (8.5.3)", "CIS M365 5.0 (8.5.4)", "CIS M365 5.0 (8.5.5)", "CIS M365 5.0 (8.5.6)"],
+ "tag": [
+ "CIS M365 5.0 (8.5.1)",
+ "CIS M365 5.0 (8.5.2)",
+ "CIS M365 5.0 (8.5.3)",
+ "CIS M365 5.0 (8.5.4)",
+ "CIS M365 5.0 (8.5.5)",
+ "CIS M365 5.0 (8.5.6)"
+ ],
 "helpText": "Defines the CIS recommended global meeting policy for Teams. This includes AllowAnonymousUsersToJoinMeeting, AllowAnonymousUsersToStartMeeting, AutoAdmittedUsers, AllowPSTNUsersToBypassLobby, MeetingChatEnabledType, DesignatedPresenterRoleMode, AllowExternalParticipantGiveRequestControl, AllowParticipantGiveRequestControl",
 "executiveText": "Establishes security-focused default settings for Teams meetings, controlling who can join meetings, present content, and participate in chats. These policies balance collaboration needs with security requirements, ensuring meetings remain productive while protecting against unauthorized access and disruption.",
 "addedComponent": [
@@ -3370,14 +4812,25 @@
 "options": [
 { "label": "Everyone", "value": "EveryoneUserOverride" },
 { "label": "People in my organization", "value": "EveryoneInCompanyUserOverride" },
- { "label": "People in my organization and trusted organizations", "value": "EveryoneInSameAndFederatedCompanyUserOverride" },
+ {
+ "label": "People in my organization and trusted organizations",
+ "value": "EveryoneInSameAndFederatedCompanyUserOverride"
+ },
 { "label": "Only organizer", "value": "OrganizerOnlyUserOverride" }
 ]
 },
- { "type": "switch", "name": "standards.TeamsGlobalMeetingPolicy.AllowAnonymousUsersToJoinMeeting", "label": "Allow anonymous users to join meeting" },
- { "type": "switch", "name": "standards.TeamsGlobalMeetingPolicy.AllowAnonymousUsersToStartMeeting", "label": "Allow anonymous users to start meeting" },
 {
- "type": "autoComplete",
+ "type": "switch",
+ "name": "standards.TeamsGlobalMeetingPolicy.AllowAnonymousUsersToJoinMeeting",
+ "label": "Allow anonymous users to join meeting"
+ },
+ {
+ "type": "switch",
+ "name": "standards.TeamsGlobalMeetingPolicy.AllowAnonymousUsersToStartMeeting",
+ "label": "Allow anonymous users to start meeting"
+ },
+ {
+ "type": "autoComplete",
 "required": false,
 "multiple": false,
 "creatable": false,
@@ -3386,13 +4839,23 @@
 "helperText": "If left blank, the current value will not be changed.",
 "options": [
 { "label": "Only organizers and co-organizers", "value": "OrganizerOnly" },
- { "label": "People in organization excluding guests", "value": "EveryoneInCompanyExcludingGuests" },
- { "label": "People in same or federated organizations", "value": "EveryoneInSameAndFederatedCompany" },
+ {
+ "label": "People in organization excluding guests",
+ "value": "EveryoneInCompanyExcludingGuests"
+ },
+ {
+ "label": "People in same or federated organizations",
+ "value": "EveryoneInSameAndFederatedCompany"
+ },
 { "label": "People who were invited", "value": "InvitedUsers" },
 { "label": "Everyone", "value": "Everyone" }
 ]
 },
- { "type": "switch", "name": "standards.TeamsGlobalMeetingPolicy.AllowPSTNUsersToBypassLobby", "label": "Allow dial-in users to bypass lobby" },
+ {
+ "type": "switch",
+ "name": "standards.TeamsGlobalMeetingPolicy.AllowPSTNUsersToBypassLobby",
+ "label": "Allow dial-in users to bypass lobby"
+ },
 {
 "type": "autoComplete",
 "required": true,
@@ -3406,8 +4869,16 @@
 { "label": "Off for everyone", "value": "Disabled" }
 ]
 },
- { "type": "switch", "name": "standards.TeamsGlobalMeetingPolicy.AllowParticipantGiveRequestControl", "label": "Participants can give or request control" },
- { "type": "switch", "name": "standards.TeamsGlobalMeetingPolicy.AllowExternalParticipantGiveRequestControl", "label": "External participants can give or request control" }
+ {
+ "type": "switch",
+ "name": "standards.TeamsGlobalMeetingPolicy.AllowParticipantGiveRequestControl",
+ "label": "Participants can give or request control"
+ },
+ {
+ "type": "switch",
+ "name": "standards.TeamsGlobalMeetingPolicy.AllowExternalParticipantGiveRequestControl",
+ "label": "External participants can give or request control"
+ }
 ],
 "label": "Define Global Meeting Policy for Teams",
 "impact": "Low Impact",
@@ -3425,8 +4896,18 @@
 "docsDescription": "Configures Teams messaging safety features to protect users from weaponizable files and malicious URLs in chats and channels. Weaponizable File Protection automatically blocks messages containing potentially dangerous file types (like .exe, .dll, .bat, etc.). Malicious URL Protection scans URLs in messages and displays warnings when potentially harmful links are detected. These protections work across internal and external collaboration scenarios.",
 "executiveText": "Enables automated security protections in Microsoft Teams to block dangerous files and warn users about malicious links in chat messages. This helps protect employees from file-based attacks and phishing attempts. These safeguards work seamlessly in the background, providing essential protection without disrupting normal business communication.",
 "addedComponent": [
- { "type": "switch", "name": "standards.TeamsChatProtection.FileTypeCheck", "label": "Enable Weaponizable File Protection", "defaultValue": true },
- { "type": "switch", "name": "standards.TeamsChatProtection.UrlReputationCheck", "label": "Enable Malicious URL Protection", "defaultValue": true }
+ {
+ "type": "switch",
+ "name": "standards.TeamsChatProtection.FileTypeCheck",
+ "label": "Enable Weaponizable File Protection",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.TeamsChatProtection.UrlReputationCheck",
+ "label": "Enable Malicious URL Protection",
+ "defaultValue": true
+ }
 ],
 "label": "Set Teams Chat Protection Settings",
 "impact": "Low Impact",
@@ -3470,7 +4951,11 @@
 "docsDescription": "Teams channel email addresses are an optional feature that allows users to email the Teams channel directly.",
 "executiveText": "Controls whether Teams channels can receive emails directly, enabling integration between email and team collaboration. This feature can improve workflow efficiency by allowing external communications to flow into team discussions, though it may need management for security or organizational reasons.",
 "addedComponent": [
- { "type": "switch", "name": "standards.TeamsEmailIntegration.AllowEmailIntoChannel", "label": "Allow channel emails" }
+ {
+ "type": "switch",
+ "name": "standards.TeamsEmailIntegration.AllowEmailIntoChannel",
+ "label": "Allow channel emails"
+ }
 ],
 "label": "Disallow emails to be sent to channel email addresses",
 "impact": "Low Impact",
@@ -3489,7 +4974,11 @@
 "docsDescription": "Allow guest users access to teams. Guest users are users who are not part of your organization but have been invited to collaborate with your organization in Teams. This setting allows you to control whether guest users can access Teams.",
 "executiveText": "Determines whether external partners, vendors, and collaborators can be invited to participate in Teams conversations and meetings. This fundamental setting enables external collaboration while requiring careful management to balance openness with security and information protection.",
 "addedComponent": [
- { "type": "switch", "name": "standards.TeamsGuestAccess.AllowGuestUser", "label": "Allow guest users" }
+ {
+ "type": "switch",
+ "name": "standards.TeamsGuestAccess.AllowGuestUser",
+ "label": "Allow guest users"
+ }
 ],
 "label": "Allow guest users in Teams",
 "impact": "Low Impact",
@@ -3515,7 +5004,10 @@
 "name": "standards.TeamsMeetingVerification.CaptchaVerificationForMeetingJoin",
 "options": [
 { "label": "Not Required", "value": "NotRequired" },
- { "label": "Anonymous Users and Untrusted Organizations", "value": "AnonymousUsersAndUntrustedOrganizations" }
+ {
+ "label": "Anonymous Users and Untrusted Organizations",
+ "value": "AnonymousUsersAndUntrustedOrganizations"
+ }
 ]
 }
 ],
@@ -3534,11 +5026,31 @@
 "helpText": "Ensure external file sharing in Teams is enabled for only approved cloud storage services.",
 "executiveText": "Controls which external cloud storage services (like Google Drive, Dropbox, Box) employees can access through Teams, ensuring file sharing occurs only through approved and secure platforms. This helps maintain data governance while supporting necessary business integrations.",
 "addedComponent": [
- { "type": "switch", "name": "standards.TeamsExternalFileSharing.AllowGoogleDrive", "label": "Allow Google Drive" },
- { "type": "switch", "name": "standards.TeamsExternalFileSharing.AllowShareFile", "label": "Allow ShareFile" },
- { "type": "switch", "name": "standards.TeamsExternalFileSharing.AllowBox", "label": "Allow Box" },
- { "type": "switch", "name": "standards.TeamsExternalFileSharing.AllowDropBox", "label": "Allow Dropbox" },
- { "type": "switch", "name": "standards.TeamsExternalFileSharing.AllowEgnyte", "label": "Allow Egnyte" }
+ {
+ "type": "switch",
+ "name": "standards.TeamsExternalFileSharing.AllowGoogleDrive",
+ "label": "Allow Google Drive"
+ },
+ {
+ "type": "switch",
+ "name": "standards.TeamsExternalFileSharing.AllowShareFile",
+ "label": "Allow ShareFile"
+ },
+ {
+ "type": "switch",
+ "name": "standards.TeamsExternalFileSharing.AllowBox",
+ "label": "Allow Box"
+ },
+ {
+ "type": "switch",
+ "name": "standards.TeamsExternalFileSharing.AllowDropBox",
+ "label": "Allow Dropbox"
+ },
+ {
+ "type": "switch",
+ "name": "standards.TeamsExternalFileSharing.AllowEgnyte",
+ "label": "Allow Egnyte"
+ }
 ],
 "label": "Define approved cloud storage services for external file sharing in Teams",
 "impact": "Low Impact",
@@ -3585,8 +5097,16 @@
 "docsDescription": "Sets the properties of the Global external access policy. External access policies determine whether or not your users can: 1) communicate with users who have Session Initiation Protocol (SIP) accounts with a federated organization; 2) communicate with users who are using custom applications built with Azure Communication Services; 3) access Skype for Business Server over the Internet, without having to log on to your internal network; 4) communicate with users who have SIP accounts with a public instant messaging (IM) provider such as Skype; and, 5) communicate with people who are using Teams with an account that's not managed by an organization.",
 "executiveText": "Defines the organization's policy for communicating with external users through Teams, including other organizations, Skype users, and unmanaged accounts. This fundamental setting determines the scope of external collaboration while maintaining security boundaries for business communications.",
 "addedComponent": [
- { "type": "switch", "name": "standards.TeamsExternalAccessPolicy.EnableFederationAccess", "label": "Allow communication from trusted organizations" },
- { "type": "switch", "name": "standards.TeamsExternalAccessPolicy.EnableTeamsConsumerAccess", "label": "Allow communication with unmanaged Teams accounts" }
+ {
+ "type": "switch",
+ "name": "standards.TeamsExternalAccessPolicy.EnableFederationAccess",
+ "label": "Allow communication from trusted organizations"
+ },
+ {
+ "type": "switch",
+ "name": "standards.TeamsExternalAccessPolicy.EnableTeamsConsumerAccess",
+ "label": "Allow communication with unmanaged Teams accounts"
+ }
 ],
 "label": "External Access Settings for Microsoft Teams",
 "impact": "Medium Impact",
@@ -3604,7 +5124,11 @@
 "docsDescription": "Sets the properties of the Global federation configuration. Federation configuration settings determine whether or not your users can communicate with users who have SIP accounts with a federated organization.",
 "executiveText": "Configures how the organization federates with external organizations for Teams communication, controlling whether employees can communicate with specific external domains or all external organizations. This setting enables secure inter-organizational collaboration while maintaining control over external communications.",
 "addedComponent": [
- { "type": "switch", "name": "standards.TeamsFederationConfiguration.AllowTeamsConsumer", "label": "Allow users to communicate with other organizations" },
+ {
+ "type": "switch",
+ "name": "standards.TeamsFederationConfiguration.AllowTeamsConsumer",
+ "label": "Allow users to communicate with other organizations"
+ },
 {
 "type": "autoComplete",
 "required": true,
@@ -3675,10 +5199,30 @@
 "docsDescription": "Sets the properties of the Global messaging policy. Messaging policies control which chat and channel messaging features are available to users in Teams.",
 "executiveText": "Defines what messaging capabilities employees have in Teams, including the ability to edit or delete messages, create custom emojis, and report inappropriate content. These policies help maintain professional communication standards while enabling necessary collaboration features.",
 "addedComponent": [
- { "type": "switch", "name": "standards.TeamsMessagingPolicy.AllowOwnerDeleteMessage", "label": "Allow Owner to Delete Messages", "defaultValue": false },
- { "type": "switch", "name": "standards.TeamsMessagingPolicy.AllowUserDeleteMessage", "label": "Allow User to Delete Messages", "defaultValue": true },
- { "type": "switch", "name": "standards.TeamsMessagingPolicy.AllowUserEditMessage", "label": "Allow User to Edit Messages", "defaultValue": true },
- { "type": "switch", "name": "standards.TeamsMessagingPolicy.AllowUserDeleteChat", "label": "Allow User to Delete Chats", "defaultValue": true },
+ {
+ "type": "switch",
+ "name": "standards.TeamsMessagingPolicy.AllowOwnerDeleteMessage",
+ "label": "Allow Owner to Delete Messages",
+ "defaultValue": false
+ },
+ {
+ "type": "switch",
+ "name": "standards.TeamsMessagingPolicy.AllowUserDeleteMessage",
+ "label": "Allow User to Delete Messages",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.TeamsMessagingPolicy.AllowUserEditMessage",
+ "label": "Allow User to Edit Messages",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.TeamsMessagingPolicy.AllowUserDeleteChat",
+ "label": "Allow User to Delete Chats",
+ "defaultValue": true
+ },
 {
 "type": "autoComplete",
 "required": true,
@@ -3692,10 +5236,30 @@
 { "label": "Turned off for everyone", "value": "None" }
 ]
 },
- { "type": "switch", "name": "standards.TeamsMessagingPolicy.CreateCustomEmojis", "label": "Allow Creating Custom Emojis", "defaultValue": true },
- { "type": "switch", "name": "standards.TeamsMessagingPolicy.DeleteCustomEmojis", "label": "Allow Deleting Custom Emojis", "defaultValue": false },
- { "type": "switch", "name": "standards.TeamsMessagingPolicy.AllowSecurityEndUserReporting", "label": "Allow reporting message as security concern", "defaultValue": true },
- { "type": "switch", "name": "standards.TeamsMessagingPolicy.AllowCommunicationComplianceEndUserReporting", "label": "Allow reporting message as inappropriate content", "defaultValue": true }
+ {
+ "type": "switch",
+ "name": "standards.TeamsMessagingPolicy.CreateCustomEmojis",
+ "label": "Allow Creating Custom Emojis",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.TeamsMessagingPolicy.DeleteCustomEmojis",
+ "label": "Allow Deleting Custom Emojis",
+ "defaultValue": false
+ },
+ {
+ "type": "switch",
+ "name": "standards.TeamsMessagingPolicy.AllowSecurityEndUserReporting",
+ "label": "Allow reporting message as security concern",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.TeamsMessagingPolicy.AllowCommunicationComplianceEndUserReporting",
+ "label": "Allow reporting message as inappropriate content",
+ "defaultValue": true
+ }
 ],
 "label": "Global Messaging Policy for Microsoft Teams",
 "impact": "Medium Impact",
@@ -3724,14 +5288,54 @@
 "max": { "value": 1440, "message": "Maximum value is 1440" }
 }
 },
- { "type": "textField", "name": "standards.AutopilotStatusPage.ErrorMessage", "label": "Custom Error Message", "required": false },
- { "type": "switch", "name": "standards.AutopilotStatusPage.ShowProgress", "label": "Show progress to users", "defaultValue": true },
- { "type": "switch", "name": "standards.AutopilotStatusPage.EnableLog", "label": "Turn on log collection", "defaultValue": true },
- { "type": "switch", "name": "standards.AutopilotStatusPage.OBEEOnly", "label": "Show status page only with OOBE setup", "defaultValue": true },
- { "type": "switch", "name": "standards.AutopilotStatusPage.InstallWindowsUpdates", "label": "Install Windows Updates during setup", "defaultValue": true },
- { "type": "switch", "name": "standards.AutopilotStatusPage.BlockDevice", "label": "Block device usage during setup", "defaultValue": true },
- { "type": "switch", "name": "standards.AutopilotStatusPage.AllowReset", "label": "Allow reset", "defaultValue": true },
- { "type": "switch", "name": "standards.AutopilotStatusPage.AllowFail", "label": "Allow users to use device if setup fails", "defaultValue": true }
+ {
+ "type": "textField",
+ "name": "standards.AutopilotStatusPage.ErrorMessage",
+ "label": "Custom Error Message",
+ "required": false
+ },
+ {
+ "type": "switch",
+ "name": "standards.AutopilotStatusPage.ShowProgress",
+ "label": "Show progress to users",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.AutopilotStatusPage.EnableLog",
+ "label": "Turn on log collection",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.AutopilotStatusPage.OBEEOnly",
+ "label": "Show status page only with OOBE setup",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.AutopilotStatusPage.InstallWindowsUpdates",
+ "label": "Install Windows Updates during setup",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.AutopilotStatusPage.BlockDevice",
+ "label": "Block device usage during setup",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.AutopilotStatusPage.AllowReset",
+ "label": "Allow reset",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.AutopilotStatusPage.AllowFail",
+ "label": "Allow users to use device if setup fails",
+ "defaultValue": true
+ }
 ],
 "label": "Enable Autopilot Status Page",
 "impact": "Low Impact",
@@ -3748,9 +5352,22 @@
 "helpText": "Assign the appropriate Autopilot profile to streamline device deployment.",
 "docsDescription": "This standard allows the deployment of Autopilot profiles to devices, including settings such as unique name templates, language options, and local admin privileges.",
 "addedComponent": [
- { "type": "textField", "name": "standards.AutopilotProfile.DisplayName", "label": "Profile Display Name" },
- { "type": "textField", "name": "standards.AutopilotProfile.Description", "label": "Profile Description" },
- { "type": "textField", "name": "standards.AutopilotProfile.DeviceNameTemplate", "label": "Unique Device Name Template", "required": false },
+ {
+ "type": "textField",
+ "name": "standards.AutopilotProfile.DisplayName",
+ "label": "Profile Display Name"
+ },
+ {
+ "type": "textField",
+ "name": "standards.AutopilotProfile.Description",
+ "label": "Profile Description"
+ },
+ {
+ "type": "textField",
+ "name": "standards.AutopilotProfile.DeviceNameTemplate",
+ "label": "Unique Device Name Template",
+ "required": false
+ },
 {
 "type": "autoComplete",
 "multiple": false,
@@ -3760,15 +5377,60 @@
 "label": "Languages",
 "api": { "url": "/languageList.json", "labelField": "languageTag", "valueField": "tag" }
 },
- { "type": "switch", "name": "standards.AutopilotProfile.CollectHash", "label": "Convert all targeted devices to Autopilot", "defaultValue": true },
- { "type": "switch", "name": "standards.AutopilotProfile.AssignToAllDevices", "label": "Assign to all devices", "defaultValue": true },
- { "type": "switch", "name": "standards.AutopilotProfile.SelfDeployingMode", "label": "Enable Self-deploying Mode", "defaultValue": true },
- { "type": "switch", "name": "standards.AutopilotProfile.HideTerms", "label": "Hide Terms and Conditions", "defaultValue": true },
- { "type": "switch", "name": "standards.AutopilotProfile.HidePrivacy", "label": "Hide Privacy Settings", "defaultValue": true },
- { "type": "switch", "name": "standards.AutopilotProfile.HideChangeAccount", "label": "Hide Change Account Options", "defaultValue": true },
- { "type": "switch", "name": "standards.AutopilotProfile.NotLocalAdmin", "label": "Setup user as a standard user (not local admin)", "defaultValue": true },
- { "type": "switch", "name": "standards.AutopilotProfile.AllowWhiteGlove", "label": "Allow White Glove OOBE", "defaultValue": true },
- { "type": "switch", "name": "standards.AutopilotProfile.AutoKeyboard", "label": "Automatically configure keyboard", "defaultValue": true }
+ {
+ "type": "switch",
+ "name": "standards.AutopilotProfile.CollectHash",
+ "label": "Convert all targeted devices to Autopilot",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.AutopilotProfile.AssignToAllDevices",
+ "label": "Assign to all devices",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.AutopilotProfile.SelfDeployingMode",
+ "label": "Enable Self-deploying Mode",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.AutopilotProfile.HideTerms",
+ "label": "Hide Terms and Conditions",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.AutopilotProfile.HidePrivacy",
+ "label": "Hide Privacy Settings",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.AutopilotProfile.HideChangeAccount",
+ "label": "Hide Change Account Options",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.AutopilotProfile.NotLocalAdmin",
+ "label": "Setup user as a standard user (not local admin)",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.AutopilotProfile.AllowWhiteGlove",
+ "label": "Allow White Glove OOBE",
+ "defaultValue": true
+ },
+ {
+ "type": "switch",
+ "name": "standards.AutopilotProfile.AutoKeyboard",
+ "label": "Automatically configure keyboard",
+ "defaultValue": true
+ }
 ],
 "label": "Enable Autopilot Profile",
 "impact": "Low Impact",
@@ -3811,7 +5473,12 @@
 "creatable": false,
 "name": "TemplateList-Tags",
 "label": "Or select a package of Intune Templates",
- "api": { "queryKey": "ListIntuneTemplates-tag-autcomplete", "url": "/api/ListIntuneTemplates?mode=Tag", "labelField": "label", "valueField": "value" }
+ "api": {
+ "queryKey": "ListIntuneTemplates-tag-autcomplete",
+ "url": "/api/ListIntuneTemplates?mode=Tag",
+ "labelField": "label",
+ "valueField": "value"
+ }
 },
 {
 "name": "AssignTo",
@@ -3825,10 +5492,27 @@
 { "label": "Assign to Custom Group", "value": "customGroup" }
 ]
 },
- { "type": "textField", "required": false, "name": "customGroup", "label": "Enter the custom group name if you selected 'Assign to Custom Group'. Wildcards are allowed." },
+ {
+ "type": "textField",
+ "required": false,
+ "name": "customGroup",
+ "label": "Enter the custom group name if you selected 'Assign to Custom Group'. Wildcards are allowed."
+ },
 { "type": "switch", "name": "verifyAssignments", "label": "Verify policy assignments" },
- { "name": "excludeGroup", "label": "Exclude Groups", "type": "textField", "required": false, "helpText": "Enter the group name(s) to exclude from the assignment. Wildcards are allowed. Multiple group names are comma-seperated." },
- { "type": "textField", "required": false, "name": "assignmentFilter", "label": "Assignment Filter Name (Optional)", "helpText": "Enter the assignment filter name to apply to this policy assignment. Wildcards are allowed." },
+ {
+ "name": "excludeGroup",
+ "label": "Exclude Groups",
+ "type": "textField",
+ "required": false,
+ "helpText": "Enter the group name(s) to exclude from the assignment. Wildcards are allowed. Multiple group names are comma-seperated."
+ },
+ {
+ "type": "textField",
+ "required": false,
+ "name": "assignmentFilter",
+ "label": "Assignment Filter Name (Optional)",
+ "helpText": "Enter the assignment filter name to apply to this policy assignment. Wildcards are allowed."
+ },
 {
 "name": "assignmentFilterType",
 "label": "Assignment Filter Mode (Optional)",
@@ -3888,11 +5572,27 @@
 "type": "autoComplete",
 "name": "transportRuleTemplate",
 "label": "Select Transport Rule Template",
- "api": { "url": "/api/ListTransportRulesTemplates?noJson=true", "labelField": "name", "valueField": "GUID", "queryKey": "ListTransportRulesTemplates" }
+ "api": {
+ "url": "/api/ListTransportRulesTemplates?noJson=true",
+ "labelField": "name",
+ "valueField": "GUID",
+ "queryKey": "ListTransportRulesTemplates"
+ }
 },
- { "type": "switch", "label": "Overwrite existing transport rules", "name": "overwrite", "defaultValue": true }
+ {
+ "type": "switch",
+ "label": "Overwrite existing transport rules",
+ "name": "overwrite",
+ "defaultValue": true
+ }
 ],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.ConditionalAccessTemplate",
@@ -3930,7 +5630,11 @@
 { "value": "enabledForReportingButNotEnforced", "label": "Set to report only" }
 ]
 },
- { "type": "switch", "name": "DisableSD", "label": "Disable Security Defaults when deploying policy" },
+ {
+ "type": "switch",
+ "name": "DisableSD",
+ "label": "Disable Security Defaults when deploying policy"
+ },
 { "type": "switch", "name": "CreateGroups", "label": "Create groups if they do not exist" }
 ],
 "requiredCapabilities": ["AAD_PREMIUM", "AAD_PREMIUM_P2"]
@@ -3949,10 +5653,21 @@
 "type": "autoComplete",
 "name": "exConnectorTemplate",
 "label": "Select Exchange Connector Template",
- "api": { "url": "/api/ListExConnectorTemplates", "labelField": "name", "valueField": "GUID", "queryKey": "ListExConnectorTemplates" }
+ "api": {
+ "url": "/api/ListExConnectorTemplates",
+ "labelField": "name",
+ "valueField": "GUID",
+ "queryKey": "ListExConnectorTemplates"
+ }
 }
 ],
- "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"]
+ "requiredCapabilities": [
+ "EXCHANGE_S_STANDARD",
+ "EXCHANGE_S_ENTERPRISE",
+ "EXCHANGE_S_STANDARD_GOV",
+ "EXCHANGE_S_ENTERPRISE_GOV",
+ "EXCHANGE_LITE"
+ ]
 },
 {
 "name": "standards.GroupTemplate",
@@ -3969,7 +5684,13 @@
 "type": "autoComplete",
 "name": "groupTemplate",
 "label": "Select Group Template",
- "api": { "url": "/api/ListGroupTemplates", "labelField": "Displayname", "altLabelField": "displayName", "valueField": "GUID", "queryKey": "ListGroupTemplates" }
+ "api": {
+ "url": "/api/ListGroupTemplates",
+ "labelField": "Displayname",
+ "altLabelField": "displayName",
+ "valueField": "GUID",
+ "queryKey": "ListGroupTemplates"
+ }
 }
 ],
 "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_LITE"]
@@ -3989,7 +5710,13 @@
 "type": "autoComplete",
 "name": "assignmentFilterTemplate",
 "label": "Select Assignment Filter Template",
- "api": { "url": "/api/ListAssignmentFilterTemplates", "labelField": "Displayname", "altLabelField": "displayName", "valueField": "GUID", "queryKey": "ListAssignmentFilterTemplates" }
+ "api": {
+ "url": "/api/ListAssignmentFilterTemplates",
+ "labelField": "Displayname",
+ "altLabelField": "displayName",
+ "valueField": "GUID",
+ "queryKey": "ListAssignmentFilterTemplates"
+ }
 }
 ],
 "requiredCapabilities": ["INTUNE_A", "MDM_Services", "EMS", "SCCM", "MICROSOFTINTUNEPLAN1"]
@@ -4010,10 +5737,22 @@ "required": false, "multiple": true, "label": "Select Tenant Allow/Block List Template", - "api": { "url": "/api/ListTenantAllowBlockListTemplates", "labelField": "templateName", "valueField": "GUID", "queryKey": "ListTenantAllowBlockListTemplates", "showRefresh": true } + "api": { + "url": "/api/ListTenantAllowBlockListTemplates", + "labelField": "templateName", + "valueField": "GUID", + "queryKey": "ListTenantAllowBlockListTemplates", + "showRefresh": true + } } ], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.MailboxRecipientLimits", @@ -4040,7 +5779,13 @@ "addedDate": "2025-05-28", "powershellEquivalent": "Set-Mailbox -RecipientLimits", "recommendedBy": ["CIPP"], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.DisableExchangeOnlinePowerShell", @@ -4055,7 +5800,13 @@ "addedDate": "2025-06-19", "powershellEquivalent": "Set-User -Identity $user -RemotePowerShellEnabled $false", "recommendedBy": ["CIS", "CIPP"], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.OWAAttachmentRestrictions", 
@@ -4071,7 +5822,10 @@ "label": "Attachment Restriction Policy", "options": [ { "label": "Read Only (View/Edit via Office Online, no download)", "value": "ReadOnly" }, - { "label": "Read Only Plus Attachments Blocked (Cannot see attachments)", "value": "ReadOnlyPlusAttachmentsBlocked" } + { + "label": "Read Only Plus Attachments Blocked (Cannot see attachments)", + "value": "ReadOnlyPlusAttachmentsBlocked" + } ], "defaultValue": "ReadOnlyPlusAttachmentsBlocked" } @@ -4082,7 +5836,13 @@ "addedDate": "2025-08-22", "powershellEquivalent": "Set-OwaMailboxPolicy -Identity \"OwaMailboxPolicy-Default\" -ConditionalAccessPolicy ReadOnlyPlusAttachmentsBlocked", "recommendedBy": ["Microsoft Zero Trust", "CIPP"], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.LegacyEmailReportAddins", 
@@ -4106,28 +5866,158 @@ "docsDescription": "Creates an Intune Win32 script application that writes registry keys to install and configure the Check by CyberDrain browser extension on managed devices for both Google Chrome and Microsoft Edge browsers. Uses a PowerShell detection script to enforce configuration drift — when settings change in CIPP the app is automatically redeployed.", "executiveText": "Automatically deploys the Check by CyberDrain browser extension across all company devices with configurable security and branding settings, ensuring consistent security monitoring and compliance capabilities. This extension provides enhanced security features and monitoring tools that help protect against threats while maintaining user productivity.", "addedComponent": [ - { "type": "switch", "name": "standards.DeployCheckChromeExtension.showNotifications", "label": "Show notifications", "defaultValue": true }, - { "type": "switch", "name": "standards.DeployCheckChromeExtension.enableValidPageBadge", "label": "Enable valid page badge", "defaultValue": false }, - { "type": "switch", "name": "standards.DeployCheckChromeExtension.enablePageBlocking", "label": "Enable page blocking", "defaultValue": true }, - { "type": "switch", "name": "standards.DeployCheckChromeExtension.forceToolbarPin", "label": "Force pin extension to toolbar", "defaultValue": false }, - { "type": "switch", "name": "standards.DeployCheckChromeExtension.enableCippReporting", "label": "Enable CIPP reporting", "defaultValue": true }, - { "type": "textField", "name": "standards.DeployCheckChromeExtension.customRulesUrl", "label": "Custom Rules URL", "placeholder": "https://YOUR-CIPP-SERVER-URL/rules.json", "helperText": "Enter the URL for custom rules if you have them. 
This should point to a JSON file with the same structure as the rules.json used for CIPP reporting.", "required": false }, - { "type": "number", "name": "standards.DeployCheckChromeExtension.updateInterval", "label": "Update interval (hours)", "defaultValue": 24 }, - { "type": "switch", "name": "standards.DeployCheckChromeExtension.enableDebugLogging", "label": "Enable debug logging", "defaultValue": false }, - { "type": "switch", "name": "standards.DeployCheckChromeExtension.enableGenericWebhook", "label": "Enable generic webhook", "defaultValue": false }, - { "type": "textField", "name": "standards.DeployCheckChromeExtension.webhookUrl", "label": "Webhook URL", "placeholder": "https://webhook.example.com/endpoint", "required": false }, - { "type": "autoComplete", "multiple": true, "creatable": true, "required": false, "name": "standards.DeployCheckChromeExtension.webhookEvents", "label": "Webhook Events", "placeholder": "e.g. pageBlocked, pageAllowed" }, - { "type": "autoComplete", "multiple": true, "creatable": true, "required": false, "freeSolo": true, "name": "standards.DeployCheckChromeExtension.urlAllowlist", "label": "URL Allowlist", "placeholder": "e.g. https://example.com/*", "helperText": "Enter URLs to allowlist in the extension. Press enter to add each URL. Wildcards are allowed. This should be used for sites that are being blocked by the extension but are known to be safe." 
}, - { "type": "switch", "name": "standards.DeployCheckChromeExtension.domainSquattingEnabled", "label": "Enable domain squatting detection", "defaultValue": true }, - { "type": "textField", "name": "standards.DeployCheckChromeExtension.companyName", "label": "Company Name", "placeholder": "YOUR-COMPANY", "required": false }, - { "type": "textField", "name": "standards.DeployCheckChromeExtension.companyURL", "label": "Company URL", "placeholder": "https://yourcompany.com", "required": false }, - { "type": "textField", "name": "standards.DeployCheckChromeExtension.productName", "label": "Product Name", "placeholder": "YOUR-PRODUCT-NAME", "required": false }, - { "type": "textField", "name": "standards.DeployCheckChromeExtension.supportEmail", "label": "Support Email", "placeholder": "support@yourcompany.com", "required": false }, - { "type": "textField", "name": "standards.DeployCheckChromeExtension.supportUrl", "label": "Support URL", "placeholder": "https://support.yourcompany.com", "required": false }, - { "type": "textField", "name": "standards.DeployCheckChromeExtension.privacyPolicyUrl", "label": "Privacy Policy URL", "placeholder": "https://yourcompany.com/privacy", "required": false }, - { "type": "textField", "name": "standards.DeployCheckChromeExtension.aboutUrl", "label": "About URL", "placeholder": "https://yourcompany.com/about", "required": false }, - { "type": "textField", "name": "standards.DeployCheckChromeExtension.primaryColor", "label": "Primary Color", "placeholder": "#F77F00", "required": false }, - { "type": "textField", "name": "standards.DeployCheckChromeExtension.logoUrl", "label": "Logo URL", "placeholder": "https://yourcompany.com/logo.png", "required": false }, + { + "type": "switch", + "name": "standards.DeployCheckChromeExtension.showNotifications", + "label": "Show notifications", + "defaultValue": true + }, + { + "type": "switch", + "name": "standards.DeployCheckChromeExtension.enableValidPageBadge", + "label": "Enable valid page 
badge", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.DeployCheckChromeExtension.enablePageBlocking", + "label": "Enable page blocking", + "defaultValue": true + }, + { + "type": "switch", + "name": "standards.DeployCheckChromeExtension.forceToolbarPin", + "label": "Force pin extension to toolbar", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.DeployCheckChromeExtension.enableCippReporting", + "label": "Enable CIPP reporting", + "defaultValue": true + }, + { + "type": "textField", + "name": "standards.DeployCheckChromeExtension.customRulesUrl", + "label": "Custom Rules URL", + "placeholder": "https://YOUR-CIPP-SERVER-URL/rules.json", + "helperText": "Enter the URL for custom rules if you have them. This should point to a JSON file with the same structure as the rules.json used for CIPP reporting.", + "required": false + }, + { + "type": "number", + "name": "standards.DeployCheckChromeExtension.updateInterval", + "label": "Update interval (hours)", + "defaultValue": 24 + }, + { + "type": "switch", + "name": "standards.DeployCheckChromeExtension.enableDebugLogging", + "label": "Enable debug logging", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.DeployCheckChromeExtension.enableGenericWebhook", + "label": "Enable generic webhook", + "defaultValue": false + }, + { + "type": "textField", + "name": "standards.DeployCheckChromeExtension.webhookUrl", + "label": "Webhook URL", + "placeholder": "https://webhook.example.com/endpoint", + "required": false + }, + { + "type": "autoComplete", + "multiple": true, + "creatable": true, + "required": false, + "name": "standards.DeployCheckChromeExtension.webhookEvents", + "label": "Webhook Events", + "placeholder": "e.g. 
pageBlocked, pageAllowed" + }, + { + "type": "autoComplete", + "multiple": true, + "creatable": true, + "required": false, + "freeSolo": true, + "name": "standards.DeployCheckChromeExtension.urlAllowlist", + "label": "URL Allowlist", + "placeholder": "e.g. https://example.com/*", + "helperText": "Enter URLs to allowlist in the extension. Press enter to add each URL. Wildcards are allowed. This should be used for sites that are being blocked by the extension but are known to be safe." + }, + { + "type": "switch", + "name": "standards.DeployCheckChromeExtension.domainSquattingEnabled", + "label": "Enable domain squatting detection", + "defaultValue": true + }, + { + "type": "textField", + "name": "standards.DeployCheckChromeExtension.companyName", + "label": "Company Name", + "placeholder": "YOUR-COMPANY", + "required": false + }, + { + "type": "textField", + "name": "standards.DeployCheckChromeExtension.companyURL", + "label": "Company URL", + "placeholder": "https://yourcompany.com", + "required": false + }, + { + "type": "textField", + "name": "standards.DeployCheckChromeExtension.productName", + "label": "Product Name", + "placeholder": "YOUR-PRODUCT-NAME", + "required": false + }, + { + "type": "textField", + "name": "standards.DeployCheckChromeExtension.supportEmail", + "label": "Support Email", + "placeholder": "support@yourcompany.com", + "required": false + }, + { + "type": "textField", + "name": "standards.DeployCheckChromeExtension.supportUrl", + "label": "Support URL", + "placeholder": "https://support.yourcompany.com", + "required": false + }, + { + "type": "textField", + "name": "standards.DeployCheckChromeExtension.privacyPolicyUrl", + "label": "Privacy Policy URL", + "placeholder": "https://yourcompany.com/privacy", + "required": false + }, + { + "type": "textField", + "name": "standards.DeployCheckChromeExtension.aboutUrl", + "label": "About URL", + "placeholder": "https://yourcompany.com/about", + "required": false + }, + { + "type": "textField", + 
"name": "standards.DeployCheckChromeExtension.primaryColor", + "label": "Primary Color", + "placeholder": "#F77F00", + "required": false + }, + { + "type": "textField", + "name": "standards.DeployCheckChromeExtension.logoUrl", + "label": "Logo URL", + "placeholder": "https://yourcompany.com/logo.png", + "required": false + }, { "name": "AssignTo", "label": "Who should this app be assigned to?", @@ -4140,7 +6030,12 @@ { "label": "Assign to Custom Group", "value": "customGroup" } ] }, - { "type": "textField", "required": false, "name": "customGroup", "label": "Enter the custom group name if you selected 'Assign to Custom Group'. Wildcards are allowed." } + { + "type": "textField", + "required": false, + "name": "customGroup", + "label": "Enter the custom group name if you selected 'Assign to Custom Group'. Wildcards are allowed." + } ], "label": "Deploy Check by CyberDrain Browser Extension", "impact": "Low Impact", 
@@ -4208,11 +6103,34 @@ "executiveText": "Protects staff from display-name impersonation attacks by injecting a visible warning banner on emails that appear to come from a colleague but originate externally. Rules are maintained automatically across all letter groups and updated whenever the standard runs.", "addedComponent": [ { "type": "heading", "label": "Alert Banner (HTML)", "required": false }, - { "type": "textField", "name": "standards.ColleagueImpersonationAlert.disclaimerHtml", "label": "Disclaimer HTML – Paste the full HTML for the warning banner", "required": true }, - { "type": "heading", "label": "Keyword Exclusions (Exclude certain users by keywords)", "required": false }, - { "type": "autoComplete", "name": "standards.ColleagueImpersonationAlert.excludedMailboxes", "label": "Exclude mailboxes by keywords for example any Displayname starting with (Leaver)", "multiple": true, "creatable": true, "required": false }, + { + "type": "textField", + "name": "standards.ColleagueImpersonationAlert.disclaimerHtml", + "label": "Disclaimer HTML – Paste the full HTML for the warning banner", + "required": true + }, + { + "type": "heading", + "label": "Keyword Exclusions (Exclude certain users by keywords)", + "required": false + }, + { + "type": "autoComplete", + "name": "standards.ColleagueImpersonationAlert.excludedMailboxes", + "label": "Exclude mailboxes by keywords for example any Displayname starting with (Leaver)", + "multiple": true, + "creatable": true, + "required": false + }, { "type": "heading", "label": "Exempt Senders (Email Accounts)", "required": false }, - { "type": "autoComplete", "name": "standards.ColleagueImpersonationAlert.additionalExemptSenders", "label": "Additional exempt sender addresses", "multiple": true, "creatable": true, "required": false } + { + "type": "autoComplete", + "name": "standards.ColleagueImpersonationAlert.additionalExemptSenders", + "label": "Additional exempt sender addresses", + "multiple": true, + "creatable": true, 
+ "required": false + } ], "label": "Colleague Impersonation Alert Transport Rules", "impact": "Medium Impact", @@ -4220,7 +6138,13 @@ "addedDate": "2026-03-22", "powershellEquivalent": "New-TransportRule / Set-TransportRule", "recommendedBy": [], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] }, { "name": "standards.DefenderCompliancePolicy", 
@@ -4230,22 +6154,102 @@ "docsDescription": "Configures the Microsoft Defender for Endpoint mobile threat defense connector with Intune. This enables compliance evaluation across platforms (Android, iOS/iPadOS, macOS, Windows) and controls settings like blocking unsupported OS versions, requiring partner data for compliance, and enabling mobile application management. The connector must be enabled before platform-specific compliance policies can evaluate device risk from MDE.", "executiveText": "Establishes the critical link between Microsoft Defender for Endpoint and Intune, enabling security risk data from MDE to be used in device compliance policies. This ensures that only devices meeting your organization's security standards can access corporate resources, providing a foundational layer of Zero Trust security across all platforms.", "addedComponent": [ - { "type": "switch", "name": "standards.DefenderCompliancePolicy.ConnectAndroid", "label": "Connect Android devices to MDE", "defaultValue": false }, - { "type": "switch", "name": "standards.DefenderCompliancePolicy.ConnectAndroidCompliance", "label": "Connect Android 6.0.0+ (App-based MAM)", "defaultValue": false }, - { "type": "switch", "name": "standards.DefenderCompliancePolicy.androidDeviceBlockedOnMissingPartnerData", "label": "Block Android if partner data unavailable", "defaultValue": false }, - { "type": "switch", "name": "standards.DefenderCompliancePolicy.ConnectIos", "label": "Connect iOS/iPadOS devices to MDE", "defaultValue": false }, - { "type": "switch", "name": "standards.DefenderCompliancePolicy.ConnectIosCompliance", "label": "Connect iOS 13.0+ (App-based MAM)", "defaultValue": false }, - { "type": "switch", "name": "standards.DefenderCompliancePolicy.appSync", "label": "Enable App Sync for iOS", "defaultValue": false }, - { "type": "switch", "name": "standards.DefenderCompliancePolicy.iosDeviceBlockedOnMissingPartnerData", "label": "Block iOS if partner data unavailable", "defaultValue": 
false }, - { "type": "switch", "name": "standards.DefenderCompliancePolicy.allowPartnerToCollectIosCertificateMetadata", "label": "Collect certificate metadata from iOS", "defaultValue": false }, - { "type": "switch", "name": "standards.DefenderCompliancePolicy.allowPartnerToCollectIosPersonalCertificateMetadata", "label": "Collect personal certificate metadata from iOS", "defaultValue": false }, - { "type": "switch", "name": "standards.DefenderCompliancePolicy.ConnectMac", "label": "Connect macOS devices to MDE", "defaultValue": false }, - { "type": "switch", "name": "standards.DefenderCompliancePolicy.macDeviceBlockedOnMissingPartnerData", "label": "Block macOS if partner data unavailable", "defaultValue": false }, - { "type": "switch", "name": "standards.DefenderCompliancePolicy.ConnectWindows", "label": "Connect Windows 10.0.15063+ to MDE", "defaultValue": false }, - { "type": "switch", "name": "standards.DefenderCompliancePolicy.windowsMobileApplicationManagementEnabled", "label": "Connect Windows (MAM)", "defaultValue": false }, - { "type": "switch", "name": "standards.DefenderCompliancePolicy.windowsDeviceBlockedOnMissingPartnerData", "label": "Block Windows if partner data unavailable", "defaultValue": false }, - { "type": "switch", "name": "standards.DefenderCompliancePolicy.BlockunsupportedOS", "label": "Block unsupported OS versions", "defaultValue": false }, - { "type": "switch", "name": "standards.DefenderCompliancePolicy.AllowMEMEnforceCompliance", "label": "Allow MEM enforcement of compliance", "defaultValue": false } + { + "type": "switch", + "name": "standards.DefenderCompliancePolicy.ConnectAndroid", + "label": "Connect Android devices to MDE", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.DefenderCompliancePolicy.ConnectAndroidCompliance", + "label": "Connect Android 6.0.0+ (App-based MAM)", + "defaultValue": false + }, + { + "type": "switch", + "name": 
"standards.DefenderCompliancePolicy.androidDeviceBlockedOnMissingPartnerData", + "label": "Block Android if partner data unavailable", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.DefenderCompliancePolicy.ConnectIos", + "label": "Connect iOS/iPadOS devices to MDE", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.DefenderCompliancePolicy.ConnectIosCompliance", + "label": "Connect iOS 13.0+ (App-based MAM)", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.DefenderCompliancePolicy.appSync", + "label": "Enable App Sync for iOS", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.DefenderCompliancePolicy.iosDeviceBlockedOnMissingPartnerData", + "label": "Block iOS if partner data unavailable", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.DefenderCompliancePolicy.allowPartnerToCollectIosCertificateMetadata", + "label": "Collect certificate metadata from iOS", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.DefenderCompliancePolicy.allowPartnerToCollectIosPersonalCertificateMetadata", + "label": "Collect personal certificate metadata from iOS", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.DefenderCompliancePolicy.ConnectMac", + "label": "Connect macOS devices to MDE", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.DefenderCompliancePolicy.macDeviceBlockedOnMissingPartnerData", + "label": "Block macOS if partner data unavailable", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.DefenderCompliancePolicy.ConnectWindows", + "label": "Connect Windows 10.0.15063+ to MDE", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.DefenderCompliancePolicy.windowsMobileApplicationManagementEnabled", + "label": "Connect Windows (MAM)", + "defaultValue": false + }, + { + "type": "switch", + "name": 
"standards.DefenderCompliancePolicy.windowsDeviceBlockedOnMissingPartnerData", + "label": "Block Windows if partner data unavailable", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.DefenderCompliancePolicy.BlockunsupportedOS", + "label": "Block unsupported OS versions", + "defaultValue": false + }, + { + "type": "switch", + "name": "standards.DefenderCompliancePolicy.AllowMEMEnforceCompliance", + "label": "Allow MEM enforcement of compliance", + "defaultValue": false + } ], "label": "Defender for Endpoint - Intune Compliance Connector", "impact": "High Impact", 
@@ -4262,11 +6266,37 @@ "docsDescription": "Configures the Global Quarantine Policy branding and notification settings for the tenant. This includes the quarantine notification sender display name, custom subject line, disclaimer text, the from address used for notifications, and whether to use org branding. Notification frequency is managed separately by the GlobalQuarantineNotifications standard.", "executiveText": "Ensures quarantine notification emails are branded and configured consistently, so end users receive clear, professional alerts about quarantined messages and know how to request release.", "addedComponent": [ - { "type": "textField", "name": "standards.GlobalQuarantineSettings.SenderName", "label": "Sender Display Name (e.g. Contoso-Office365Alerts)", "helperText": "Will be overridden if an active sender address with an existing display name is used.", "required": false }, - { "type": "textField", "name": "standards.GlobalQuarantineSettings.CustomSubject", "label": "Subject", "required": false }, - { "type": "textField", "name": "standards.GlobalQuarantineSettings.CustomDisclaimer", "label": "Disclaimer (max 200 characters)", "required": false }, - { "type": "textField", "name": "standards.GlobalQuarantineSettings.FromAddress", "label": "Specify Sender Address (must be an internal mailbox)", "required": false }, - { "type": "switch", "name": "standards.GlobalQuarantineSettings.OrganizationBrandingEnabled", "label": "Use Organization Branding (logo)", "helperText": "Requires branding to be configured in the Microsoft 365 admin centre." } + { + "type": "textField", + "name": "standards.GlobalQuarantineSettings.SenderName", + "label": "Sender Display Name (e.g. 
Contoso-Office365Alerts)", + "helperText": "Will be overridden if an active sender address with an existing display name is used.", + "required": false + }, + { + "type": "textField", + "name": "standards.GlobalQuarantineSettings.CustomSubject", + "label": "Subject", + "required": false + }, + { + "type": "textField", + "name": "standards.GlobalQuarantineSettings.CustomDisclaimer", + "label": "Disclaimer (max 200 characters)", + "required": false + }, + { + "type": "textField", + "name": "standards.GlobalQuarantineSettings.FromAddress", + "label": "Specify Sender Address (must be an internal mailbox)", + "required": false + }, + { + "type": "switch", + "name": "standards.GlobalQuarantineSettings.OrganizationBrandingEnabled", + "label": "Use Organization Branding (logo)", + "helperText": "Requires branding to be configured in the Microsoft 365 admin centre." + } ], "label": "Configure Global Quarantine Notification Settings", "impact": "Low Impact", @@ -4274,6 +6304,12 @@ "addedDate": "2026-04-02", "powershellEquivalent": "Set-QuarantinePolicy (GlobalQuarantinePolicy)", "recommendedBy": [], - "requiredCapabilities": ["EXCHANGE_S_STANDARD", "EXCHANGE_S_ENTERPRISE", "EXCHANGE_S_STANDARD_GOV", "EXCHANGE_S_ENTERPRISE_GOV", "EXCHANGE_LITE"] + "requiredCapabilities": [ + "EXCHANGE_S_STANDARD", + "EXCHANGE_S_ENTERPRISE", + "EXCHANGE_S_STANDARD_GOV", + "EXCHANGE_S_ENTERPRISE_GOV", + "EXCHANGE_LITE" + ] } -] \ No newline at end of file +] diff --git a/src/pages/identity/administration/jit-admin-templates/add.jsx b/src/pages/identity/administration/jit-admin-templates/add.jsx index 895bc63e8332..f2549b66ec4d 100644 --- a/src/pages/identity/administration/jit-admin-templates/add.jsx +++ b/src/pages/identity/administration/jit-admin-templates/add.jsx 
@@ -7,8 +7,10 @@ import CippFormComponent from "../../../../components/CippComponents/CippFormCom import { CippFormCondition } from "../../../../components/CippComponents/CippFormCondition"; import { CippFormDomainSelector } from "../../../../components/CippComponents/CippFormDomainSelector"; import { CippFormUserSelector } from "../../../../components/CippComponents/CippFormUserSelector"; +import { CippFormGroupSelector } from "../../../../components/CippComponents/CippFormGroupSelector"; import gdaproles from "../../../../data/GDAPRoles.json"; import { useSettings } from "../../../../hooks/use-settings"; +import { useEffect } from "react"; const Page = () => { const userSettingsDefaults = useSettings(); 
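Review bot: The new `import { useEffect } from "react";` is appended after the relative project imports, which breaks the usual grouping of package imports before local ones; move it up beside the other package imports at the top of the file (outside this hunk). The `CippFormGroupSelector` import is placed correctly within its group.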
@@ -21,6 +23,39 @@ const Page = () => { const watchedTenant = useWatch({ control: formControl.control, name: "tenantFilter" }); const isAllTenants = watchedTenant?.value === "AllTenants" || watchedTenant === "AllTenants"; + const useRoles = useWatch({ control: formControl.control, name: "defaultUseRoles" }); + const useGroups = useWatch({ control: formControl.control, name: "defaultUseGroups" }); + + // Clear fields when switches are toggled off + useEffect(() => { + if (!useRoles) { + formControl.setValue("defaultRoles", []); + } + }, [useRoles]); + + useEffect(() => { + if (!useGroups) { + formControl.setValue("defaultGroups", []); + } + }, [useGroups]); + + // Reset expiration action when switches change + useEffect(() => { + const currentAction = formControl.getValues("defaultExpireAction"); + if (!currentAction?.value) return; + + if (!useRoles && currentAction.value === "RemoveRoles") { + formControl.setValue("defaultExpireAction", null); + } else if (!useGroups && currentAction.value === "RemoveGroups") { + formControl.setValue("defaultExpireAction", null); + } else if ((!useRoles || !useGroups) && currentAction.value === "RemoveRolesAndGroups") { + formControl.setValue("defaultExpireAction", null); + } else if (useRoles && useGroups && currentAction.value === "RemoveRoles") { + formControl.setValue("defaultExpireAction", null); + } else if (useRoles && useGroups && currentAction.value === "RemoveGroups") { + formControl.setValue("defaultExpireAction", null); + } + }, [useRoles, useGroups]); return ( <> 
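Review bot: The five-branch chain in the `defaultExpireAction` reset effect re-encodes by hand which removal option the `options` builder further down offers for the current switch state, and the same chain is repeated in jit-admin-templates/edit.jsx; deriving the single permitted removal value once and clearing anything else keeps the two places in sync and reads as one rule (it also clears an unrecognised stored value, which the old chain let through). All three effects omit `formControl` from their dependency arrays, which `react-hooks/exhaustive-deps` will flag; add it. The two clearing effects also run on first render, so whatever `defaultRoles`/`defaultGroups` hold before the switches have a value is wiped — harmless on a fresh add form, but worth keeping in mind for the edit page. The enclosing `Page` component starts and ends outside the hunk.
```javascript
  // … unchanged: useRoles/useGroups watches and the two clearing effects …

  // Reset expiration action when switches change: only the removal option the
  // current switch state offers (mirrors the options builder below) survives.
  useEffect(() => {
    const currentAction = formControl.getValues("defaultExpireAction");
    if (!currentAction?.value) return;
    const removalAction =
      useRoles && useGroups
        ? "RemoveRolesAndGroups"
        : useRoles
          ? "RemoveRoles"
          : useGroups
            ? "RemoveGroups"
            : null;
    const stillValid =
      ["DeleteUser", "DisableUser"].includes(currentAction.value) ||
      currentAction.value === removalAction;
    if (!stillValid) {
      formControl.setValue("defaultExpireAction", null);
    }
  }, [useRoles, useGroups, formControl]);
```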
@@ -64,26 +99,83 @@ const Page = () => { ({ label: role.Name, value: role.ObjectId }))} + type="switch" + label="Admin Roles" + name="defaultUseRoles" formControl={formControl} - required={true} - validators={{ - required: "At least one default role is required", - validate: (options) => { - if (!options?.length) { - return "At least one default role is required"; - } - return true; - }, - }} /> + {!isAllTenants && ( + + )} + {!useRoles && !useGroups && ( + + Please select at least "Admin Roles" or "Group Membership" + + )} + + + ({ label: role.Name, value: role.ObjectId }))} + formControl={formControl} + required={true} + validators={{ + required: "At least one default role is required", + validate: (options) => { + if (!options?.length) { + return "At least one default role is required"; + } + return true; + }, + }} + /> + + + + {!isAllTenants && ( + + + { + if (!options?.length) { + return "At least one group is required"; + } + return true; + }, + }} + /> + + + )} + { name="defaultExpireAction" multiple={false} creatable={false} - options={[ - { label: "Delete User", value: "DeleteUser" }, - { label: "Disable User", value: "DisableUser" }, - { label: "Remove Roles", value: "RemoveRoles" }, - ]} + options={(() => { + const opts = [ + { label: "Delete User", value: "DeleteUser" }, + { label: "Disable User", value: "DisableUser" }, + ]; + if (useRoles && useGroups) { + opts.push({ label: "Remove Roles and Groups", value: "RemoveRolesAndGroups" }); + } else if (useRoles) { + opts.push({ label: "Remove Roles", value: "RemoveRoles" }); + } else if (useGroups) { + opts.push({ label: "Remove Groups", value: "RemoveGroups" }); + } + return opts; + })()} formControl={formControl} + required={true} + validators={{ required: "Expiration action is required" }} /> - - - { const watchedTenant = useWatch({ control: formControl.control, name: "tenantFilter" }); const isAllTenants = watchedTenant?.value === "AllTenants" || watchedTenant === "AllTenants"; + const useRoles = 
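Review bot: The "Please select at least "Admin Roles" or "Group Membership"" text is only rendered, not enforced: nothing visible in the hunk stops a template from being saved with both switches off, which produces a JIT template that grants nothing yet still carries a required expiration action; unless the submit handler (outside the hunk) rejects that state, attach a validator to one of the switches or gate submission on `useRoles || useGroups`. The `options={(() => { ... })()}` IIFE rebuilds the list on every render and duplicates the rule the reset effect above applies, so a small module-level `expireActionOptions(useRoles, useGroups)` helper shared by both (and by jit-admin-templates/edit.jsx, which repeats this hunk) would give one source of truth. The Group Membership switch and selector are hidden when `isAllTenants` is true, but `defaultUseGroups` keeps its value if the tenant is switched afterwards, so `RemoveGroups`/`RemoveRolesAndGroups` can still be offered while the selector is hidden — consider clearing `defaultUseGroups` when `isAllTenants` becomes true. The JSX tags were stripped from this view, so tag-level details are inferred.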
useWatch({ control: formControl.control, name: "defaultUseRoles" }); + const useGroups = useWatch({ control: formControl.control, name: "defaultUseGroups" }); + + // Clear fields when switches are toggled off + useEffect(() => { + if (!useRoles) { + formControl.setValue("defaultRoles", []); + } + }, [useRoles]); + + useEffect(() => { + if (!useGroups) { + formControl.setValue("defaultGroups", []); + } + }, [useGroups]); + + // Reset expiration action when switches change + useEffect(() => { + const currentAction = formControl.getValues("defaultExpireAction"); + if (!currentAction?.value) return; + + if (!useRoles && currentAction.value === "RemoveRoles") { + formControl.setValue("defaultExpireAction", null); + } else if (!useGroups && currentAction.value === "RemoveGroups") { + formControl.setValue("defaultExpireAction", null); + } else if ((!useRoles || !useGroups) && currentAction.value === "RemoveRolesAndGroups") { + formControl.setValue("defaultExpireAction", null); + } else if (useRoles && useGroups && currentAction.value === "RemoveRoles") { + formControl.setValue("defaultExpireAction", null); + } else if (useRoles && useGroups && currentAction.value === "RemoveGroups") { + formControl.setValue("defaultExpireAction", null); + } + }, [useRoles, useGroups]); // Get the template data const template = ApiGetCall({ 
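Review bot: On the edit page the `if (!useRoles) { formControl.setValue("defaultRoles", []); }` effect is a risk for templates saved before `defaultUseRoles` existed: if the loader (`ApiGetCall` just below, outside the hunk) copies the stored template into the form as-is, the switch reads as undefined, the effect clears `defaultRoles`, and saving the template silently drops its default admin roles. jit-admin/add.jsx in this same commit treats a missing `defaultUseRoles` as `true`; apply the same fallback when populating this form, or make the clearing effects react only to an explicit toggle, `if (useRoles === false)`, and likewise for `useGroups`. The effect code is otherwise identical to the add page, where the simplification of the reset chain is proposed; the hunk header for this file was lost in the page layout.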
@@ -88,26 +122,83 @@ const Page = () => { ({ label: role.Name, value: role.ObjectId }))} + type="switch" + label="Admin Roles" + name="defaultUseRoles" formControl={formControl} - required={true} - validators={{ - required: "At least one default role is required", - validate: (options) => { - if (!options?.length) { - return "At least one default role is required"; - } - return true; - }, - }} /> + {!isAllTenants && ( + + )} + {!useRoles && !useGroups && ( + + Please select at least "Admin Roles" or "Group Membership" + + )} + + + ({ label: role.Name, value: role.ObjectId }))} + formControl={formControl} + required={true} + validators={{ + required: "At least one default role is required", + validate: (options) => { + if (!options?.length) { + return "At least one default role is required"; + } + return true; + }, + }} + /> + + + + {!isAllTenants && ( + + + { + if (!options?.length) { + return "At least one group is required"; + } + return true; + }, + }} + /> + + + )} + { name="defaultExpireAction" multiple={false} creatable={false} - options={[ - { label: "Delete User", value: "DeleteUser" }, - { label: "Disable User", value: "DisableUser" }, - { label: "Remove Roles", value: "RemoveRoles" }, - ]} + options={(() => { + const opts = [ + { label: "Delete User", value: "DeleteUser" }, + { label: "Disable User", value: "DisableUser" }, + ]; + if (useRoles && useGroups) { + opts.push({ label: "Remove Roles and Groups", value: "RemoveRolesAndGroups" }); + } else if (useRoles) { + opts.push({ label: "Remove Roles", value: "RemoveRoles" }); + } else if (useGroups) { + opts.push({ label: "Remove Groups", value: "RemoveGroups" }); + } + return opts; + })()} formControl={formControl} + required={true} + validators={{ required: "Expiration action is required" }} /> diff --git a/src/pages/identity/administration/jit-admin/add.jsx b/src/pages/identity/administration/jit-admin/add.jsx index 16842bd313f6..d2d3d959d3f0 100644 
--- a/src/pages/identity/administration/jit-admin/add.jsx
+++ b/src/pages/identity/administration/jit-admin/add.jsx
@@ -173,7 +173,10 @@ const Page = () => {
 };
 // Set all template-driven fields
+ formControl.setValue("useRoles", template.defaultUseRoles ?? true, { shouldDirty: true });
+ formControl.setValue("useGroups", template.defaultUseGroups ?? false, { shouldDirty: true });
 formControl.setValue("adminRoles", template.defaultRoles || [], { shouldDirty: true });
+ formControl.setValue("groupMemberships", template.defaultGroups || [], { shouldDirty: true });
 formControl.setValue("expireAction", template.defaultExpireAction || null, {
 shouldDirty: true,
 });
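Review bot: The `?? true` and `?? false` fallbacks on `template.defaultUseRoles` and `template.defaultUseGroups` carry an implicit compatibility decision that should be stated in a comment, presumably that templates saved before the switches existed are roles-only: `// Templates saved before the role/group switches existed carry neither flag; treat them as roles-only`. Defaulting `useRoles` to true is the permissive direction for a JIT-admin form, so confirm that is intended for legacy templates rather than deriving it from whether `defaultRoles` is non-empty. `expireAction` is still copied straight from the template, so a stored `RemoveGroups` or `RemoveRolesAndGroups` value depends on this page's own expire-action options accepting it; that list is outside the hunk, as is the start of the enclosing function.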
