asterictnl-lvdw / M365SAT

Microsoft 365 Security Assessment Tool - An Easy-To-Use Microsoft 365 Security Assessment Tool
MIT License

Check E3 different than E5 #50

Closed frisotrip closed 2 weeks ago

frisotrip commented 3 weeks ago

Hello

Still testing the script. We have all E5 subscriptions, so I have changed the "LicenseMode" to E5. When running the script, the results are less than when I run the same tenant with E3 settings.

And another question: if I had a different subscription than E3 or E5, could I also use this script?

asterictnl-lvdw commented 3 weeks ago

Hello @frisotrip,

Thank you for submitting this question.

I will respond to each part of your question as these are multiple questions.

First of all,

Let me clarify how the LicenseMode parameter works as that will answer the first question with the code in M365SAT.psm1:

        [Parameter(Mandatory = $false,
            HelpMessage = 'Choose Benchmark License Mode: E3 / E5 / All')]
        [ValidateSet("E3", "E5", 'All', IgnoreCase = $true)]
        [string]$LicenseMode = "All",

Normally, if you have an E5 license, you would most likely select the All option since you want to audit all the things. If you provide only E5, you will get only the actual things that are E5 licensed, but not the E3 ones. What I could do, instead of making it a string, is make it a [String[]] so it accepts multiple parameters, but I do not see the benefit of that if you have 3 choices that are either A/B or AB; if there were more license levels that CIS would look at, then this would be interesting.

There are several situations where tenants only have an E3 license. Then you should only audit on the E3 license stuff, as the E5 things are useless to audit: since you do not have that license, you cannot check that for compliance.

Some companies first want to implement their E3 things before implementing their E5 things; this is why I made E5 a separate choice, so you can also choose to separately audit on E5 modules.

In your case you should select 'All' if you want to audit on both E3 and E5.

For the other question, that really depends on what licenses you have. Most of the time E3 is covered in most licenses. The CIS benchmark looks mainly at the E3 and E5 licenses. If you encounter issues with some inspectors, that might be because you do not have the license for it. For this use case you should audit for E3 instead.

I hope this answers your question.

Kind regards,

~Leonardo
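
The selection behaviour described in the reply above, as an added example that is not part of the original thread and is not M365SAT's own code. `Select-ChecksByLicenseMode`, the check names and the `License` field are hypothetical, and the sample data is constructed; only the `ValidateSet` and default value come from the quoted parameter.

```powershell
# Added illustration, not M365SAT code. Constructed sample checks, each tagged
# with the license tier it belongs to (names and field are hypothetical).
$SampleChecks = @(
    [pscustomobject]@{ Name = 'Check-A'; License = 'E3' }
    [pscustomobject]@{ Name = 'Check-B'; License = 'E3' }
    [pscustomobject]@{ Name = 'Check-C'; License = 'E3' }
    [pscustomobject]@{ Name = 'Check-D'; License = 'E5' }
    [pscustomobject]@{ Name = 'Check-E'; License = 'E5' }
)

function Select-ChecksByLicenseMode {   # hypothetical helper
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [object[]]$Checks,

        # Same accepted values and default as the parameter quoted above.
        [Parameter(Mandatory = $false)]
        [ValidateSet('E3', 'E5', 'All', IgnoreCase = $true)]
        [string]$LicenseMode = 'All'
    )

    if ($LicenseMode -eq 'All') {
        return $Checks
    }
    # 'E3' and 'E5' are exact-tier filters, not "this tier and everything below".
    return $Checks | Where-Object { $_.License -eq $LicenseMode }
}

# Report what each mode audits and what it leaves out of the assessment.
foreach ($mode in 'E3', 'E5', 'All') {
    $selected = @(Select-ChecksByLicenseMode -Checks $SampleChecks -LicenseMode $mode)
    $skipped  = @($SampleChecks | Where-Object { $selected.Name -notcontains $_.Name })
    [pscustomobject]@{
        LicenseMode = $mode
        Audited     = $selected.Name -join ', '
        NotAudited  = $skipped.Name -join ', '
    }
}
```

With this model, a fully E5-licensed tenant run with `E5` leaves every E3-tagged check out of the report, which matches the smaller result set reported in this issue.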

frisotrip commented 2 weeks ago

Leonardo, thanks