cisagov / ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

Add a -Strict flag to toggle evaluating Policy exclusions #451

Open buidav opened 1 year ago

buidav commented 1 year ago

💡 Summary

This flag is for use cases when the ScubaGear operator is unable to inspect the exclusions of the conditional access policies of the tenant being assessed and add those exclusions to the config file.

We can leave the default value as -Strict but have the option for the user to pass in -Strict:$false to turn off the evaluation. We can reuse this flag if/when we start assessing exclusions for Teams and Defender policies.

Motivation and context

Give the option for certain ScubaGear users to run the tool without having to account for exclusions.

Implementation notes

Acceptance criteria

Users are able to toggle the strict assessment of certain policies on or off.

adhilto commented 1 year ago

For Defender, specifically MS.DEFENDER.1.2v1 and MS.DEFENDER.1.3v1 would need this.