### DMARC TXT Record Configuration Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CIS/Identity/Invoke-CippTestCIS_2_1_10.md Publish this TXT record at _dmarc. to enable DMARC. Start with 'quarantine' policy and monitor reports before moving to 'reject'. ```dns v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@ ``` -------------------------------- ### Configure Custom Banned Passwords Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/SMB1001/Identity/Invoke-CippTestSMB1001_2_1.md Use this PowerShell comment-based help to guide the configuration of custom banned passwords within the Entra portal. It outlines the navigation path and the requirement for 4-16 character organization-specific terms. ```powershell # Configure custom banned passwords in Entra Portal # https://entra.microsoft.com > Protection > Authentication methods > Password protection # Enable "Enforce custom list" and add 4-16 character organisation-specific terms. ``` -------------------------------- ### Deploy Windows LAPS via Intune Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/SMB1001/Devices/Invoke-CippTestSMB1001_2_2.md This comment indicates the process for deploying Windows LAPS via Intune. It is a crucial step for managing local administrator credentials securely, addressing the SMB1001 (2.2) requirement. The deployment is typically managed through Endpoint security > Account protection > Local admin password solution. ```powershell # 2. Deploy Windows LAPS via Intune (Endpoint security > Account protection > Local admin password solution) ``` -------------------------------- ### Disable Anonymous Users Starting Teams Meetings Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CIS/Identity/Invoke-CippTestCIS_8_5_2.md Use this PowerShell command to set the global Teams meeting policy to disallow anonymous users from starting meetings. This is a remediation action for CIS Benchmark 8.5.2. ```powershell Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToStartMeeting $false ``` -------------------------------- ### Set Tenant Federation Configuration Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CIS/Identity/Invoke-CippTestCIS_8_2_1.md Use this command to specify a list of allowed domains for tenant federation. This restricts external communication to only the listed partners. ```powershell Set-CsTenantFederationConfiguration -AllowedDomains (New-CsEdgeAllowList -AllowedDomain 'partner1.com','partner2.com') ``` -------------------------------- ### Enable Safety Tips via PowerShell Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CISA/Identity/Invoke-CippTestCISAMSEXO112.md Use this PowerShell command to enable user impersonation, domain impersonation, and unusual characters safety tips for a specified anti-phishing policy. Ensure the policy identity is correctly set. ```powershell Set-AntiPhishPolicy -Identity "Standard Preset Security Policy" ` -EnableSimilarUsersSafetyTips $true ` -EnableSimilarDomainsSafetyTips $true ` -EnableUnusualCharactersSafetyTips $true ``` -------------------------------- ### Enable Customer Lockbox Configuration Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CIS/Identity/Invoke-CippTestCIS_1_3_6.md Run this command to enable the Customer Lockbox feature in your organization. This ensures explicit approval is required before data access. ```powershell Set-OrganizationConfig -CustomerLockBoxEnabled $true ``` -------------------------------- ### Disable Office Store and Trial Subscriptions Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CIS/Identity/Invoke-CippTestCIS_1_3_4.md Use this PowerShell command to disable both the Office Store and app/service trial subscriptions via the Microsoft Graph API. This prevents users from accessing the Office Store and starting trials for add-ins. ```powershell $body = @{ Settings = @{ isAppAndServicesTrialEnabled = $false; isOfficeStoreEnabled = $false } } | ConvertTo-Json Invoke-MgGraphRequest -Method PATCH -Uri 'https://graph.microsoft.com/beta/admin/appsAndServices' -Body $body ``` -------------------------------- ### Remove Outlook Add-in Roles from Role Assignment Policies Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CIS/Identity/Invoke-CippTestCIS_6_3_1.md This script iterates through all role assignment policies and removes the 'My Custom Apps', 'My Marketplace Apps', and 'My ReadWriteMailbox Apps' assignments. This is a remediation step to prevent unauthorized add-in installations. ```powershell Get-RoleAssignmentPolicy | ForEach-Object { Remove-ManagementRoleAssignment -Identity ("$($_.Name)\My Custom Apps") -Confirm:$false Remove-ManagementRoleAssignment -Identity ("$($_.Name)\My Marketplace Apps") -Confirm:$false Remove-ManagementRoleAssignment -Identity ("$($_.Name)\My ReadWriteMailbox Apps") -Confirm:$false } ``` -------------------------------- ### Create and Enable DKIM Signing Configuration with PowerShell Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CISA/Identity/Invoke-CippTestCISAMSEXO31.md Use these PowerShell commands to create a new DKIM signing configuration for a domain or enable an existing one. Ensure you replace 'contoso.com' with your actual domain name. ```powershell # Create DKIM signing configuration New-DkimSigningConfig -DomainName "contoso.com" -Enabled $true # Enable existing DKIM configuration Set-DkimSigningConfig -Identity "contoso.com" -Enabled $true ``` -------------------------------- ### Build PowerShell Module Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Tools/ModuleBuilder/3.1.8/en-US/about_ModuleBuilder.help.txt Use this command to build your module. It creates a versioned folder with an updated Module Manifest and PSM1 file, compiling all functions and running Pester tests. ```powershell PS C:\> Build-Module -SourcePath .\ModuleBuilder\Source\build.psd1 ``` -------------------------------- ### Create Default Safe Links Policy Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CIS/Identity/Invoke-CippTestCIS_2_1_1.md Use this command to create a new Safe Links policy with default settings for email, Teams, and Office, enabling URL scanning and click tracking while disallowing click-through to malicious sites. ```powershell New-SafeLinksPolicy -Name 'Default Safe Links' -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true -ScanUrls $true -TrackClicks $true -AllowClickThrough $false -DisableUrlRewrite $false -DeliverMessageAfterScan $true -EnableForInternalSenders $true ``` -------------------------------- ### Enable Standard Preset Security Policy via PowerShell Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CISA/Identity/Invoke-CippTestCISAMSEXO111.md Use these PowerShell commands to enable the Standard Preset Security Policy, which includes impersonation protection. Ensure you have the necessary permissions to run these cmdlets. ```powershell Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" Enable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy" ``` -------------------------------- ### Enable and Configure MailTips Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CIS/Identity/Invoke-CippTestCIS_6_5_2.md Enables all MailTips, external recipient tips, and group metrics, and sets the threshold for large audience warnings. This helps educate users and prevent data leaks. ```powershell Set-OrganizationConfig -MailTipsAllTipsEnabled $true -MailTipsExternalRecipientsTipsEnabled $true -MailTipsGroupMetricsEnabled $true -MailTipsLargeAudienceThreshold 25 ``` -------------------------------- ### List Tenant Allow/Block Senders Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CISA/Identity/Invoke-CippTestCISAMSEXO121.md Use this PowerShell command to list all senders currently added to the tenant's allow list. This helps in identifying potentially risky entries. ```powershell # List all allowed senders Get-TenantAllowBlockListItems -ListType Sender -Action Allow ``` -------------------------------- ### Enable Azure AD B2B Integration Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CIS/Identity/Invoke-CippTestCIS_7_2_2.md This command enables Azure AD B2B integration for SharePoint and OneDrive. Ensure this is set to $true to manage external users as guest identities. ```powershell Set-SPOTenant -EnableAzureADB2BIntegration $true ``` -------------------------------- ### Enable DKIM Signing Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CIS/Identity/Invoke-CippTestCIS_2_1_9.md Use this command to enable DKIM signing for a specified domain. Ensure the necessary CNAME records are published before execution. ```powershell Set-DkimSigningConfig -Identity -Enabled $true ``` -------------------------------- ### Create Default Anti-Phishing Policy Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CIS/Identity/Invoke-CippTestCIS_2_1_7.md This cmdlet creates a new anti-phishing policy with a specified name and enables various security features including mailbox intelligence, spoof intelligence, and different types of safety tips. It also configures the action to be taken for targeted users, domains, and in case of mailbox intelligence failures. ```powershell New-AntiPhishPolicy -Name 'Default Anti-Phishing' -Enabled $true -PhishThresholdLevel 2 -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true -EnableSpoofIntelligence $true -EnableFirstContactSafetyTips $true -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true -EnableUnusualCharactersSafetyTips $true -TargetedUserProtectionAction Quarantine -MailboxIntelligenceProtectionAction Quarantine -TargetedDomainProtectionAction Quarantine -AuthenticationFailAction Quarantine ``` -------------------------------- ### Configure DKIM, SPF, and DMARC Records Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/SMB1001/Identity/Invoke-CippTestSMB1001_2_12.md Use these PowerShell commands and DNS TXT record values to configure DKIM signing, SPF policy, and DMARC policy for your domain. Ensure DKIM key size is 2048 bits and DMARC policy is set to 'reject' or 'quarantine' for Level 3 compliance. ```powershell # DKIM New-DkimSigningConfig -DomainName contoso.com -KeySize 2048 -Enabled $true ``` ```powershell # SPF (DNS TXT) "v=spf1 include:spf.protection.outlook.com -all" ``` ```powershell # DMARC (DNS TXT at _dmarc.contoso.com) "v=DMARC1; p=reject; rua=mailto:dmarc@contoso.com" ``` -------------------------------- ### Configure Exchange Online Sharing Policy via PowerShell Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CISA/Identity/Invoke-CippTestCISAMSEXO62.md Use these PowerShell commands to set the default sharing policy to allow only free/busy information for all domains, and optionally allow detailed sharing for specific partner domains. ```powershell # Allow only free/busy with all domains Set-SharingPolicy -Identity "Default Sharing Policy" -Domains ":CalendarSharingFreeBusySimple" ``` ```powershell # For specific domains, you can allow details Set-SharingPolicy -Identity "Default Sharing Policy" -Domains @{Add="partner.com:CalendarSharingFreeBusyDetail"} ``` -------------------------------- ### Enable Admin Consent Workflow Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CIS/Identity/Invoke-CippTestCIS_5_1_5_2.md Enables the admin consent workflow, configures reviewer notifications, reminder settings, and the request duration. It also specifies a reviewer by UPN. ```powershell Update-MgPolicyAdminConsentRequestPolicy -IsEnabled $true -NotifyReviewers $true -RemindersEnabled $true -RequestDurationInDays 30 -Reviewers @(@{query='/users/'; queryType='MicrosoftGraph'; queryRoot=$null}) ``` -------------------------------- ### Enable Real-time URL Scanning via PowerShell Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CISA/Identity/Invoke-CippTestCISAMSEXO152.md Use this PowerShell command to enable real-time URL scanning for a Safe Links policy. Ensure you replace 'Default' with the appropriate policy identity if not using the default policy. ```powershell Set-SafeLinksPolicy -Identity "Default" -ScanUrls $true ``` -------------------------------- ### Enable Litigation Hold on User Mailboxes Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/SMB1001/Identity/Invoke-CippTestSMB1001_3_1.md This script enables Litigation Hold on all user mailboxes in Exchange Online. It is a component of a broader backup and recovery strategy, complementing third-party offline backup solutions. ```powershell Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Set-Mailbox -LitigationHoldEnabled $true ``` -------------------------------- ### Enable Unified Audit Log Ingestion Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CIS/Identity/Invoke-CippTestCIS_3_1_1.md Run this PowerShell command to enable unified audit log ingestion. This ensures that all administrative and user activities are logged for forensic purposes. ```powershell Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true ``` -------------------------------- ### Enable Mailbox Intelligence via PowerShell Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CISA/Identity/Invoke-CippTestCISAMSEXO113.md Use this PowerShell command to enable mailbox intelligence and impersonation protection for a specified anti-phishing policy. ```powershell Set-AntiPhishPolicy -Identity "Standard Preset Security Policy" ` -EnableMailboxIntelligence $true ` -EnableMailboxIntelligenceProtection $true ``` -------------------------------- ### Enable and Configure Mailbox Audit Actions Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CIS/Identity/Invoke-CippTestCIS_6_1_2.md This script enables auditing for all user mailboxes and configures specific audit actions for the mailbox owner. These actions include logging mailbox logins, hard deletes, moving items to deleted items, soft deletes, folder permission updates, inbox rule updates, and mail item access. ```powershell Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true -AuditOwner @{Add='MailboxLogin','HardDelete','MoveToDeletedItems','SoftDelete','UpdateFolderPermissions','UpdateInboxRules','MailItemsAccessed'} ``` -------------------------------- ### Configure Allowed Sharing Domains Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CIS/Identity/Invoke-CippTestCIS_7_2_6.md This command configures the tenant-wide sharing policy to only allow external sharing with domains specified in the 'SharingAllowedDomainList'. Ensure the domains listed are accurate and necessary for your organization's external collaboration needs. ```powershell Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList 'partner1.com partner2.com' ``` -------------------------------- ### Enable Organization Auditing Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CIS/Identity/Invoke-CippTestCIS_6_1_1.md Use this command to enable auditing at the organization level. This ensures that mailbox actions are recorded, even if the Unified Audit Log is enabled. ```powershell Set-OrganizationConfig -AuditDisabled $false ``` -------------------------------- ### Configure Malware Filter Policy with PowerShell Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CISA/Identity/Invoke-CippTestCISAMSEXO95.md Use this PowerShell command to enable the common attachments filter and specify a list of blocked file types, including common executables. Ensure the policy identity is correctly set. ```powershell Set-MalwareFilterPolicy -Identity "Default" -EnableFileFilter $true -FileTypes @("ace","ani","app","cab","docm","exe","jar","reg","scr","vbe","vbs","cmd","bat","com","cpl","dll","exe","hta","inf","ins","isp","js","jse","lib","lnk","mde","msc","msp","mst","pif","scr","sct","shb","sys","vb","vbe","vbs","vxd","wsc","wsf","wsh") ``` -------------------------------- ### Enable and Set Guest Expiration Policy Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CIS/Identity/Invoke-CippTestCIS_7_2_9.md Enables the expiration of external user access and sets the expiration period to 30 days. This ensures that dormant guest accounts are automatically removed, improving security. ```powershell Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30 ``` -------------------------------- ### Configure ATP Policies for SharePoint, OneDrive, and Teams Source: https://github.com/kelvintegelaar/cipp-api/blob/master/Modules/CIPPTests/Public/Tests/CIS/Identity/Invoke-CippTestCIS_2_1_5.md Enables ATP for SharePoint, OneDrive, and Teams, and configures Safe Docs settings. Use this to enforce malware scanning on files uploaded to these services. ```powershell Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true -EnableSafeDocs $true -AllowSafeDocsOpen $false ```