CIS-M365-Benchmark.psd1
|
#
# Module manifest for module 'CIS-M365-Benchmark'
#
# Generated by: Mohammed Siddiqui
#
# Generated on: 2025-01-11
#
# This file is a PowerShell data hashtable: it declares the module's identity,
# the root script module to load, the commands it exports, the files it ships,
# and gallery metadata (tags, URLs, release notes).
#

@{

    # Script module or binary module file associated with this manifest.
    RootModule = 'CIS-M365-Benchmark.psm1'

    # Version number of this module.
    ModuleVersion = '2.4.2'

    # Supported PSEditions
    CompatiblePSEditions = @('Desktop', 'Core')

    # ID used to uniquely identify this module
    # NOTE(review): this value follows a sequential pattern rather than looking
    # randomly generated. PowerShell uses the GUID to tell apart modules that
    # share a name, so confirm it was produced with New-Guid and is not reused
    # by another module. Changing it after publication alters the module's identity.
    GUID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'

    # Author of this module
    Author = 'Mohammed Siddiqui'

    # Company or vendor of this module
    CompanyName = 'Community'

    # Copyright statement for this module
    Copyright = '(c) 2025 Mohammed Siddiqui. All rights reserved. MIT License.'

    # Description of the functionality provided by this module
    Description = 'Comprehensive PowerShell script that audits Microsoft 365 environments against all 130 CIS Microsoft 365 Foundations Benchmark v5.0.0 controls. Features 68% automated compliance checks with HTML and CSV reporting. Covers M365 Admin Center, Defender, Purview, Intune, Entra ID, Exchange, SharePoint, Teams, and Power BI security controls.'

    # Minimum version of the PowerShell engine required by this module
    PowerShellVersion = '5.1'

    # Name of the PowerShell host required by this module
    # PowerShellHostName = ''

    # Minimum version of the PowerShell host required by this module
    # PowerShellHostVersion = ''

    # Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
    # DotNetFrameworkVersion = ''

    # Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only.
    # ClrVersion = ''

    # Processor architecture (None, X86, Amd64) required by this module
    # ProcessorArchitecture = ''

    # Modules that must be imported into the global environment prior to importing this module
    # Note: Dependencies are checked at runtime with option to install
    # NOTE(review): with RequiredModules left undeclared, the manifest itself
    # enforces neither the presence nor the version of any dependency at import
    # time. The runtime check/install path mentioned above is not visible in
    # this file; verify there that module names, minimum versions and the
    # source repository are pinned before anything is installed.
    # RequiredModules = @()

    # Assemblies that must be loaded prior to importing this module
    # RequiredAssemblies = @()

    # Script files (.ps1) that are run in the caller's environment prior to importing this module.
    # ScriptsToProcess = @()

    # Type files (.ps1xml) to be loaded when importing this module
    # TypesToProcess = @()

    # Format files (.ps1xml) to be loaded when importing this module
    # FormatsToProcess = @()

    # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
    # NestedModules = @()

    # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
    # The explicit list (no wildcards) limits the exported command surface to these five functions.
    FunctionsToExport = @(
        'Connect-CISBenchmark',
        'Invoke-CISBenchmark',
        'Get-CISBenchmarkControl',
        'Test-CISBenchmarkPrerequisites',
        'Get-CISBenchmarkInfo'
    )

    # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
    CmdletsToExport = @()

    # Variables to export from this module
    VariablesToExport = @()

    # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export.
    AliasesToExport = @()

    # DSC resources to export from this module
    # DscResourcesToExport = @()

    # List of all modules packaged with this module
    # ModuleList = @()

    # List of all files packaged with this module
    # NOTE(review): FileList is an inventory only; it does not verify the
    # integrity of the listed files. Package integrity has to come from
    # elsewhere (e.g. signing or hash checks), which this manifest does not show.
    FileList = @(
        'CIS-M365-Benchmark.psm1',
        'CIS-M365-Compliance-Checker.ps1',
        'README.md',
        'CHANGELOG.md',
        'PERMISSIONS.md',
        'LICENSE'
    )

    # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
    PrivateData = @{

        PSData = @{

            # Tags applied to this module. These help with module discovery in online galleries.
            Tags = @('CIS', 'Microsoft365', 'M365', 'Compliance', 'Security', 'Audit', 'Benchmark', 'EntraID', 'AzureAD', 'Exchange', 'SharePoint', 'Teams', 'Intune', 'Defender', 'Purview', 'SecurityCompliance', 'GRC', 'RiskManagement')

            # A URL to the license for this module.
            LicenseUri = 'https://github.com/mohammedsiddiqui6872/CIS-Microsoft-365-Foundations-Benchmark-v5.0.0/blob/main/LICENSE'

            # A URL to the main website for this project.
            ProjectUri = 'https://github.com/mohammedsiddiqui6872/CIS-Microsoft-365-Foundations-Benchmark-v5.0.0'

            # A URL to an icon representing this module.
            IconUri = 'https://raw.githubusercontent.com/mohammedsiddiqui6872/CIS-Microsoft-365-Foundations-Benchmark-v5.0.0/main/.github/icon.png'

            # ReleaseNotes of this module
            # Single-quoted here-string: the text is taken literally, and the
            # closing '@ must start its own line.
            # For report readers: the notes below record controls that are
            # MANUAL (5.1.2.4, 5.2.4.1) or evaluated on a sample (6.1.2, 50
            # mailboxes), so results for those controls are not a full
            # automated verdict on the tenant.
            ReleaseNotes = @'
## v2.4.2 - Comprehensive False Positive Fixes
Fixed SIX controls based on comprehensive validation review:

HIGH PRIORITY (Eliminated False Positives/Negatives):
- 5.1.5.1: User consent validation completely rewritten - now detects all consent-enabling policies
- 5.2.2.1: Admin MFA validates all 9 critical admin roles OR "All directory roles"
- 5.1.6.3: Guest inviter now accepts both "adminsAndGuestInviters" and "adminsOnly"

MEDIUM PRIORITY (Enhanced Accuracy):
- 2.1.14: Anti-spam provides detailed breakdown of allowed domains/senders
- 6.1.2: Mailbox audit sample increased from 5 to 50 with compliance rate reporting
- 5.2.2.2: MFA for all users now FAILS with excessive exclusions (>5)

Impact: Eliminated 3 critical false positive/negative risks, enhanced 3 validations with better accuracy for large tenants.

## v2.4.1 - Bug Fixes for User-Reported Issues
Fixed FOUR controls based on user feedback:
- 5.1.3.1: Dynamic guest group detection now handles multiple membership rule formats
- 5.2.3.1: Enhanced Microsoft Authenticator property access with better null handling
- 5.2.3.2: Improved custom banned password detection with fallback to manual check
- 7.2.3: Strengthened SharePoint external sharing validation with explicit array matching

## v2.4.0 - Critical False Positive Fixes (Batch 2 - COMPLETE)
Fixed ELEVEN additional controls to eliminate false positives:
- 5.2.2.4: Admin sign-in frequency validates actual value (≤4 hours)
- 5.2.2.10: MFA registration validates managed device requirement
- 5.2.2.11: Intune enrollment validates "every time" frequency
- 5.2.3.6: System-preferred MFA fixed hashtable property access
- 6.5.3: OWA storage providers checks all policies
- 8.2.1: Teams external domains fixed contradictory logic
- 7.2.4: OneDrive sharing accepts ExternalUserSharingOnly
- 8.4.1: Teams app policies uses correct cmdlet
- 5.2.2.3: Legacy auth enhanced client type validation
- 7.3.4: Site custom scripts improved filtering
- CA Enhancements: Report-only detection + exclusion warnings

## v2.3.8 - Multiple Critical Fixes for False Positives
Fixed THREE false positive controls:
- Control 5.2.3.2: Now correctly detects custom banned password lists using directory settings API
- Control 5.2.4.1: Changed to manual (no API exists for SSPR "All" vs "Selected" scope)
- Control 7.2.3: Now accepts "New and existing guests" (ExternalUserSharingOnly) as compliant per CIS Benchmark

## v2.3.7 - Bug Fix for Microsoft Authenticator Number Matching Detection
Fixed Control 5.2.3.1: Corrected hashtable property access for Microsoft Authenticator MFA fatigue settings. Control was returning empty value for number matching despite being enabled. Changed from direct property access to hashtable key access for nested Graph API objects.
Fixes #3

## v2.3.6 - Critical Fix for False Positive
Fixed Control 5.1.2.4: Changed from automated to manual check. Microsoft does NOT provide Graph API to check "Restrict access to Entra admin center" setting. Control now properly marked as MANUAL per CIS Benchmark specifications.
Fixes #1

## v2.3.5 - Bug Fix Release
Fixed ProfileLevel Parameter: Now correctly filters controls by L1/L2/All. ProfileLevel="L1" shows ONLY L1 controls (previously showed L2 as well).
Fixes #2

For complete changelog see: https://github.com/mohammedsiddiqui6872/CIS-Microsoft-365-Foundations-Benchmark-v5.0.0/blob/main/CHANGELOG.md
'@

            # Prerelease string of this module
            # Prerelease = ''

            # Flag to indicate whether the module requires explicit user acceptance for install/update/save
            RequireLicenseAcceptance = $false

            # External dependent modules of this module
            # ExternalModuleDependencies = @()

        } # End of PSData hashtable

    } # End of PrivateData hashtable

    # HelpInfo URI of this module
    # NOTE(review): HelpInfoURI is normally the location Update-Help uses to
    # find the module's HelpInfo XML; this value points at a README page.
    # Confirm that is intended.
    HelpInfoURI = 'https://github.com/mohammedsiddiqui6872/CIS-Microsoft-365-Foundations-Benchmark-v5.0.0/blob/main/README.md'

    # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
    # DefaultCommandPrefix = ''

}