CIS-M365-Benchmark
2.4.2
Comprehensive PowerShell script that audits Microsoft 365 environments against all 130 CIS Microsoft 365 Foundations Benchmark v5.0.0 controls. 68% of the compliance checks are automated, with HTML and CSV reporting. Covers M365 Admin Center, Defender, Purview, Intune, Entra ID, Exchange, SharePoint, Teams, and Power BI security controls.
Minimum PowerShell version
5.1
Copyright
(c) 2025 Mohammed Siddiqui. All rights reserved. MIT License.
Package Details
Author(s)
- Mohammed Siddiqui
Tags
CIS Microsoft365 M365 Compliance Security Audit Benchmark EntraID AzureAD Exchange SharePoint Teams Intune Defender Purview SecurityCompliance GRC RiskManagement
Functions
- Connect-CISBenchmark
- Invoke-CISBenchmark
- Get-CISBenchmarkControl
- Test-CISBenchmarkPrerequisites
- Get-CISBenchmarkInfo
Dependencies
This module has no dependencies.
Release Notes
## v2.4.2 - Comprehensive False Positive Fixes
Fixed SIX controls based on comprehensive validation review:
HIGH PRIORITY (Eliminated False Positives/Negatives):
- 5.1.5.1: User consent validation completely rewritten - now detects all consent-enabling policies
- 5.2.2.1: Admin MFA validates all 9 critical admin roles OR "All directory roles"
- 5.1.6.3: Guest inviter now accepts both "adminsAndGuestInviters" and "adminsOnly"
MEDIUM PRIORITY (Enhanced Accuracy):
- 2.1.14: Anti-spam provides detailed breakdown of allowed domains/senders
- 6.1.2: Mailbox audit sample increased from 5 to 50 with compliance rate reporting
- 5.2.2.2: MFA for all users now FAILS with excessive exclusions (>5)
Impact: Eliminated 3 critical false positive/negative risks, enhanced 3 validations with better accuracy for large tenants.
## v2.4.1 - Bug Fixes for User-Reported Issues
Fixed FOUR controls based on user feedback:
- 5.1.3.1: Dynamic guest group detection now handles multiple membership rule formats
- 5.2.3.1: Enhanced Microsoft Authenticator property access with better null handling
- 5.2.3.2: Improved custom banned password detection with fallback to manual check
- 7.2.3: Strengthened SharePoint external sharing validation with explicit array matching
## v2.4.0 - Critical False Positive Fixes (Batch 2 - COMPLETE)
Fixed ELEVEN additional controls to eliminate false positives:
- 5.2.2.4: Admin sign-in frequency now validates the actual configured value (≤4 hours)
- 5.2.2.10: MFA registration now validates the managed device requirement
- 5.2.2.11: Intune enrollment now validates the "every time" sign-in frequency
- 5.2.3.6: System-preferred MFA: fixed hashtable property access
- 6.5.3: OWA storage providers: now checks all policies
- 8.2.1: Teams external domains: fixed contradictory logic
- 7.2.4: OneDrive sharing now accepts ExternalUserSharingOnly
- 8.4.1: Teams app policies: now uses the correct cmdlet
- 5.2.2.3: Legacy auth: enhanced client type validation
- 7.3.4: Site custom scripts: improved filtering
- CA Enhancements: report-only detection plus exclusion warnings
## v2.3.8 - Multiple Critical Fixes for False Positives
Fixed THREE false positive controls:
- Control 5.2.3.2: Now correctly detects custom banned password lists using directory settings API
- Control 5.2.4.1: Changed to manual (no API exists for SSPR "All" vs "Selected" scope)
- Control 7.2.3: Now accepts "New and existing guests" (ExternalUserSharingOnly) as compliant per CIS Benchmark
## v2.3.7 - Bug Fix for Microsoft Authenticator Number Matching Detection
Fixed Control 5.2.3.1: Corrected hashtable property access for Microsoft Authenticator MFA fatigue settings. Control was returning empty value for number matching despite being enabled. Changed from direct property access to hashtable key access for nested Graph API objects.
Fixes #3
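The hashtable-key access the v2.3.7 entry describes, as an added illustration that is not the module's own code: `Get-NumberMatchingState` is a hypothetical helper, and the sample object is constructed to mimic the shape the Graph PowerShell SDK returns for the Microsoft Authenticator configuration (derived-type properties such as featureSettings land in the AdditionalProperties hashtable), which is an assumption about that shape.

```powershell
# Added illustration, not part of CIS-M365-Benchmark. Assumption: the Graph SDK returns
# the Microsoft Authenticator configuration as a base object whose derived-type
# properties (featureSettings, ...) live in the AdditionalProperties hashtable.
function Get-NumberMatchingState {
    param([Parameter(Mandatory)] $Config)

    # Direct property access ($Config.FeatureSettings) yields $null on the base object,
    # which is how a check can report an empty value although number matching is on.
    # Nested Graph objects are hashtables, so walk the keys and handle missing ones.
    $feature = $Config.AdditionalProperties['featureSettings']
    if ($null -eq $feature) { return 'unknown' }

    $nm = $feature['numberMatchingRequiredState']
    if ($null -eq $nm -or -not $nm.ContainsKey('state')) { return 'unknown' }

    return [string]$nm['state']   # expected values: enabled, disabled, default
}

# Constructed sample standing in for the object returned by
# Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
#     -AuthenticationMethodConfigurationId MicrosoftAuthenticator
$sample = [pscustomobject]@{
    Id                   = 'MicrosoftAuthenticator'
    State                = 'enabled'
    AdditionalProperties = @{
        '@odata.type'   = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
        featureSettings = @{
            numberMatchingRequiredState = @{
                state         = 'enabled'
                includeTarget = @{ targetType = 'group'; id = 'all_users' }
            }
        }
    }
}

# Map the reading onto the benchmark verdict; 'unknown' falls back to a manual check
# rather than silently passing or failing the control.
$state = Get-NumberMatchingState -Config $sample
switch ($state) {
    'enabled' { 'PASS: number matching is enforced for Microsoft Authenticator' }
    'unknown' { 'MANUAL: featureSettings could not be read from the policy object' }
    default   { "FAIL: numberMatchingRequiredState is '$state'" }
}
```

Run against a live tenant, replace `$sample` with the output of the Graph cmdlet named in the comment after connecting with a scope that can read the authentication method policy.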
## v2.3.6 - Critical Fix for False Positive
Fixed Control 5.1.2.4: Changed from automated to manual check. Microsoft does NOT provide Graph API to check "Restrict access to Entra admin center" setting. Control now properly marked as MANUAL per CIS Benchmark specifications.
Fixes #1
## v2.3.5 - Bug Fix Release
Fixed ProfileLevel Parameter: Now correctly filters controls by L1/L2/All. ProfileLevel="L1" shows ONLY L1 controls (previously showed L2 as well).
Fixes #2
For complete changelog see: https://github.com/mohammedsiddiqui6872/CIS-Microsoft-365-Foundations-Benchmark-v5.0.0/blob/main/CHANGELOG.md
FileList
- CIS-M365-Benchmark.nuspec
- CIS-M365-Benchmark.psm1
- CIS-M365-Benchmark.psm1.bak
- CIS-M365-Compliance-Checker.ps1
- CIS-M365-Compliance-Report_PREVIEW_20251114_000455.html
- CIS-M365-Compliance-Report_PREVIEW_20251114_000836.html
- CIS-M365-Compliance-Report_PREVIEW_20251114_001122.html
- CIS-M365-Compliance-Report_PREVIEW_20251114_001428.html
- CIS-M365-Compliance-Report_PREVIEW_20251114_001548.html
- CIS-M365-Compliance-Report_PREVIEW_20251114_001709.html
- LICENSE
- PERMISSIONS.md
- README.md
- CHANGELOG.md
- CIS-M365-Benchmark.psd1
Version History
| Version | Downloads | Last updated |
|---|---|---|
| 2.4.2 (current version) | 5 | 11/14/2025 |