tmaestrini / easyGovernance

governance and validation for configuration baselines in M365 – made as easy as possible
MIT License

Baseline schema modification #8

Closed tmaestrini closed 3 months ago

tmaestrini commented 3 months ago

Hey @dako365 and @sympmarc

I'd like to introduce a little change to the schema for our baselines. For example, the baseline 5.2 (SharePoint Online) would then look like this (look for the 👈 signs in the following yaml file):

Topic: SharePoint Online
Type: Baseline
Id: M365.SPO-5.2
Version: 1.0 # 👈 new parameter

References:
  - https://www.cisa.gov/sites/default/files/2023-12/SharePoint%20and%20OneDrive%20SCB_12.20.2023.pdf
  - https://blueprint.oobe.com.au/as-built-as-configured/office-365/#sharing
  - https://blueprint.oobe.com.au/as-built-as-configured/office-365/#access-control
  - https://blueprint.oobe.com.au/as-built-as-configured/office-365/#sharepoint-settings

Configuration:
  - enforces: ExternalSharing # 👈 new 'enforces' attribute to group settings that belong together
    with: # 👈 new 'with' attribute to distinguish the settings / features from other params within the structure
      SharingCapability: ExistingExternalUserSharingOnly # Specifies what the sharing capabilities are for the site
      DefaultSharingLinkType: Internal # Specifies the default sharing link type
      DefaultLinkPermission: View
      RequireAcceptingAccountMatchInvitedAccount: true # Ensures that an external user can only accept an external sharing invitation with an account matching the invited email address.
      RequireAnonymousLinksExpireInDays: 30 # Specifies all anonymous links that have been created (or will be created) will expire after the set number of days (set to 0 to remove).
      FileAnonymousLinkType: View # Sets whether anonymous access links can allow recipients to only view or view and edit. 
      FolderAnonymousLinkType: View # Sets whether anonymous access links can allow recipients to only view or view and edit. 
      CoreRequestFilesLinkEnabled: true # Enable or disable the Request files link on the core partition for all SharePoint sites (not including OneDrive sites).
      ExternalUserExpireInDays: 30 # When a value is set, it means that the access of the external user will expire in those many number of days.
      EmailAttestationRequired: true # Sets email attestation to required.
      EmailAttestationReAuthDays: 30 # Sets the number of days for email attestation re-authentication. Value can be from 1 to 365 days.
      PreventExternalUsersFromResharing: true # Prevents external users from resharing files, folders, and sites that they do not own.
      SharingDomainRestrictionMode: AllowList # Specifies the external sharing mode for domains.
      SharingAllowedDomainList: "" # Specifies a list of email domains that is allowed for sharing with the external collaborators (comma separated).
      ShowEveryoneClaim: false # Enables the administrator to hide the Everyone claim in the People Picker. 
      ShowEveryoneExceptExternalUsersClaim: false # Enables the administrator to hide the "Everyone except external users" claim in the People Picker. 
  - enforces: ApplicationsAndWebparts
    with: 
      DisabledWebPartIds: ""
  - enforces: AccessControl
    with: 
      ConditionalAccessPolicy: AllowLimitedAccess # Blocks or limits access to SharePoint and OneDrive content from un-managed devices.
      BrowserIdleSignout: true
      BrowserIdleSignoutMinutes: 60
      BrowserIdleSignoutWarningMinutes: 5
      LegacyAuthProtocolsEnabled: false # Setting this parameter prevents Office clients using non-modern authentication protocols from accessing SharePoint Online resources
    references: # 👈 new attribute 'references' to support an admin by providing a configuration URL (for example)
      - BrowserIdleSignout: ${{tenantAdminUrl}}/_layouts/15/online/AdminHome.aspx#/accessControl/IdleSession
  - enforces: SiteCreationAndStorageLimits
    with:
      NotificationsInSharePointEnabled: true # Enables or disables notifications in SharePoint.
      DenyAddAndCustomizePages: true
      DenySiteCreationByUsers: true

These changes make the corresponding values and the whole baseline easier to handle within validation and provisioning engines and give us the flexibility for future extensions with additional parameters.
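To show what the proposed enforces/with/references layout buys a validation engine, here is an added example that is not easyGovernance's own code: it reads a baseline in the new schema with a small reader for the YAML subset these files use (so it runs without PyYAML), checks that the file follows the schema (Version present, every Configuration entry carries `enforces` and a `with` mapping), and reports drift against a tenant snapshot, attaching the `references` link for a drifted setting. The trimmed baseline, the tenant snapshot, the admin URL `https://contoso-admin.sharepoint.com` and the way `${{tenantAdminUrl}}` is substituted are all assumptions constructed for this example; the project may resolve that placeholder differently.

```python
# Added example, not easyGovernance's own code: a reader for the YAML subset the
# baselines use (mappings, lists, ' #' comments), a schema check for the proposed
# enforces/with/references layout, and a drift check against a constructed snapshot.

SAMPLE_BASELINE = """\
Topic: SharePoint Online
Type: Baseline
Id: M365.SPO-5.2
Version: 1.0 # new parameter
References:
  - https://blueprint.oobe.com.au/as-built-as-configured/office-365/#access-control
Configuration:
  - enforces: ExternalSharing
    with:
      SharingCapability: ExistingExternalUserSharingOnly
      SharingAllowedDomainList: ""
  - enforces: AccessControl
    with:
      ConditionalAccessPolicy: AllowLimitedAccess
      BrowserIdleSignout: true
    references:
      - BrowserIdleSignout: ${{tenantAdminUrl}}/_layouts/15/online/AdminHome.aspx#/accessControl/IdleSession
"""

TENANT_SNAPSHOT = {  # constructed; a real engine would read these from the tenant
    "SharingCapability": "ExistingExternalUserSharingOnly",
    "SharingAllowedDomainList": "",
    "ConditionalAccessPolicy": "AllowFullAccess",  # drifts from AllowLimitedAccess
    "BrowserIdleSignout": False,                   # drifts from true
}
ADMIN_URL = "https://contoso-admin.sharepoint.com"  # placeholder tenant admin URL

def _scalar(text):
    """bool, int, quoted string, or bare string (Version stays the string '1.0')."""
    text = text.strip()
    if text in ("true", "false"):
        return text == "true"
    if text.lstrip("-").isdigit():
        return int(text)
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        return text[1:-1]
    return text

def _parse_block(lines, i, indent):
    """Parse the list or mapping whose lines start at lines[i] at column `indent`."""
    if lines[i][1].startswith("- "):
        items = []
        while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
            body = lines[i][1][2:]
            if ": " in body or body.endswith(":"):   # "- key: value" opens a mapping
                lines[i] = (indent + 2, body)        # whose other keys sit two columns in
                value, i = _parse_block(lines, i, indent + 2)
            else:
                value, i = _scalar(body), i + 1
            items.append(value)
        return items, i
    mapping = {}
    while i < len(lines) and lines[i][0] == indent and not lines[i][1].startswith("- "):
        key, _, rest = lines[i][1].partition(":")
        i += 1
        if rest.strip():
            mapping[key.strip()] = _scalar(rest)
        elif i < len(lines) and lines[i][0] > indent:   # nested block below the key
            mapping[key.strip()], i = _parse_block(lines, i, lines[i][0])
        else:
            mapping[key.strip()] = None
    return mapping, i

def parse_baseline(text):
    """Turn baseline YAML (subset) into nested dicts/lists, dropping ' #' comments."""
    lines = []
    for raw in text.splitlines():
        content = raw.split(" #", 1)[0].rstrip()   # URLs keep their '#' fragments
        if content.strip() and not content.lstrip().startswith("#"):
            lines.append((len(content) - len(content.lstrip(" ")), content.strip()))
    return _parse_block(lines, 0, lines[0][0])[0] if lines else {}

def validate_schema(baseline):
    """Return a list of schema problems; an empty list means the file conforms."""
    problems = [f"missing top-level key '{k}'" for k in ("Topic", "Type", "Id", "Version") if k not in baseline]
    for n, entry in enumerate(baseline.get("Configuration") or []):
        if not isinstance(entry, dict) or "enforces" not in entry:
            problems.append(f"Configuration[{n}]: no 'enforces' group name")
        elif not isinstance(entry.get("with"), dict):
            problems.append(f"Configuration[{n}] ({entry['enforces']}): 'with' must map settings to values")
    return problems

def check_drift(baseline, tenant_settings, tenant_admin_url):
    """Compare a tenant snapshot with every 'with' block; attach the fix link if referenced."""
    findings = []
    for entry in baseline["Configuration"]:
        links = {k: v for ref in entry.get("references") or [] for k, v in ref.items()}
        for setting, expected in entry["with"].items():
            actual = tenant_settings.get(setting)
            if actual != expected:
                fix = links.get(setting, "").replace("${{tenantAdminUrl}}", tenant_admin_url) or None
                findings.append({"group": entry["enforces"], "setting": setting,
                                 "expected": expected, "actual": actual, "fix": fix})
    return findings
```

Running `check_drift(parse_baseline(SAMPLE_BASELINE), TENANT_SNAPSHOT, ADMIN_URL)` yields two findings, both in the `AccessControl` group; only the `BrowserIdleSignout` one carries a resolved admin-center link, because it is the only setting the entry's `references` block names. Grouping settings under `enforces`/`with` is what lets the engine report drift per feature area and look up the link without scanning the whole file.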

sympmarc commented 3 months ago

Those seem like good changes. TBH, I didn't dig into the specifics of that YAML file yet, since you seemed to have it well in hand.