{"$schema":"./sku-feature-map.schema.json","version":"2.1.0","featureGroups":{"conditional-access":{"displayName":"Conditional Access","description":"Policy-based access controls that evaluate sign-in conditions (location, device, risk) to enforce MFA, block access, or require compliant devices.","category":"Identity","servicePlans":["AAD_PREMIUM"],"detectionChecks":["ENTRA-CA-001","ENTRA-CA-002","ENTRA-CA-003","CA-EXCLUSION-001","CA-DEVICE-001","CA-DEVICE-002","CA-DEVICECODE-001","CA-LEGACYAUTH-001","CA-INTUNE-001","CA-RISKPOLICY-001","CA-ROLECOVERAGE-001","CA-SIGNIN-FREQ-001"],"valueCategory":"Security","estimatedEffort":"High","quickWin":false,"effortTier":"Quick Win","learnUrl":"https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-block-legacy","prerequisites":["device-management","identity-protection"]},"mfa-enforcement":{"displayName":"Multi-Factor Authentication","description":"Enforce MFA for all users and administrators through Conditional Access policies and per-user MFA settings.","category":"Identity","servicePlans":["AAD_PREMIUM","MFA_PREMIUM"],"detectionChecks":["ENTRA-MFA-001","ENTRA-MFA-002","CA-MFA-ADMIN-001","CA-MFA-ALL-001","CA-PHISHRES-001","ENTRA-PERUSER-001","ENTRA-SECDEFAULT-001"],"valueCategory":"Security","estimatedEffort":"Medium","quickWin":false,"effortTier":"Quick Win","learnUrl":"https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-getstarted","prerequisites":[]},"authentication-methods":{"displayName":"Authentication Methods and Password Protection","description":"Configure strong authentication methods, disable weak methods, enable password protection with custom banned password lists, and configure 
SSPR.","category":"Identity","servicePlans":["AAD_PREMIUM"],"detectionChecks":["ENTRA-AUTHMETHOD-001","ENTRA-AUTHMETHOD-002","ENTRA-AUTHMETHOD-003","ENTRA-AUTHMETHOD-004","ENTRA-PASSWORD-001","ENTRA-PASSWORD-002","ENTRA-PASSWORD-003","ENTRA-PASSWORD-004","ENTRA-PASSWORD-005","ENTRA-SSPR-001","ENTRA-SSPR-002"],"valueCategory":"Security","estimatedEffort":"Medium","quickWin":false,"effortTier":"Quick Win","learnUrl":"https://learn.microsoft.com/en-us/entra/identity/authentication/howto-sspr-deployment","prerequisites":[]},"privileged-identity-management":{"displayName":"Privileged Identity Management","description":"Just-in-time role activation, access reviews for privileged roles and guest users, and approval workflows for critical role assignments.","category":"Identity","servicePlans":["AAD_PREMIUM_P2"],"detectionChecks":["ENTRA-PIM-001","ENTRA-PIM-002","ENTRA-PIM-003","ENTRA-PIM-004","ENTRA-PIM-005","ENTRA-PIM-006","ENTRA-PIM-007","ENTRA-PIM-008","ENTRA-PIM-009","ENTRA-PIM-010"],"valueCategory":"Security","estimatedEffort":"High","quickWin":false,"effortTier":"Strategic","learnUrl":"https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure","prerequisites":[]},"identity-protection":{"displayName":"Identity Protection Risk Policies","description":"Automated detection and remediation of identity-based risks using sign-in risk and user risk policies powered by Entra ID P2.","category":"Identity","servicePlans":["AAD_PREMIUM_P2"],"detectionChecks":["CA-SIGNINRISK-001","CA-SIGNINRISK-002","CA-USERRISK-001"],"valueCategory":"Security","estimatedEffort":"Medium","quickWin":false,"effortTier":"Strategic","learnUrl":"https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies","prerequisites":["mfa-enforcement"]},"admin-governance":{"displayName":"Administrative Account Governance","description":"Controls for global admin count, cloud-only admin accounts, break-glass accounts, restricted 
admin center access, and stale admin detection.","category":"Identity","servicePlans":["AAD_PREMIUM"],"detectionChecks":["ENTRA-ADMIN-001","ENTRA-ADMIN-002","ENTRA-ADMIN-003","ENTRA-BREAKGLASS-001","ENTRA-CLOUDADMIN-001","ENTRA-CLOUDADMIN-002","ENTRA-STALEADMIN-001","ENTRA-SYNCADMIN-001","ENTRA-HYBRID-001","ENTRA-HYBRID-002"],"valueCategory":"Security","estimatedEffort":"Medium","quickWin":false,"effortTier":"Quick Win","learnUrl":"https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access","prerequisites":[]},"guest-and-external-access":{"displayName":"Guest and External Access Controls","description":"Restrict guest user access, limit invitation permissions, enforce domain restrictions, and control external collaboration settings.","category":"Identity","servicePlans":["AAD_PREMIUM"],"detectionChecks":["ENTRA-GUEST-001","ENTRA-GUEST-002","ENTRA-GUEST-003","ENTRA-GUEST-004","ENTRA-GROUP-001","ENTRA-GROUP-002","ENTRA-GROUP-003","ENTRA-GROUP-004","ENTRA-GROUP-005","ENTRA-GROUP-006"],"valueCategory":"Security","estimatedEffort":"Medium","quickWin":false,"effortTier":"Medium","learnUrl":"https://learn.microsoft.com/en-us/entra/external-id/external-identities-overview","prerequisites":[]},"app-registration-governance":{"displayName":"Application and Enterprise App Governance","description":"Control user app registrations, consent flows, enterprise app permissions, and detect overprivileged or inactive 
applications.","category":"Identity","servicePlans":["AAD_PREMIUM"],"detectionChecks":["ENTRA-APPREG-001","ENTRA-APPS-001","ENTRA-APPS-002","ENTRA-CONSENT-001","ENTRA-CONSENT-002","ENTRA-ENTAPP-001","ENTRA-ENTAPP-002","ENTRA-ENTAPP-003","ENTRA-ENTAPP-004","ENTRA-ENTAPP-005","ENTRA-ENTAPP-006","ENTRA-ENTAPP-007","ENTRA-ENTAPP-008","ENTRA-ENTAPP-009"],"valueCategory":"Security","estimatedEffort":"Medium","quickWin":false,"effortTier":"Medium","learnUrl":"https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent","prerequisites":[]},"device-management":{"displayName":"Device Management and Compliance","description":"Intune device enrollment, compliance policies, encryption, update rings, and Entra device join restrictions.","category":"Security","servicePlans":["INTUNE_A"],"detectionChecks":["ENTRA-DEVICE-001","ENTRA-DEVICE-002","ENTRA-DEVICE-003","ENTRA-DEVICE-004","ENTRA-DEVICE-005","ENTRA-DEVICE-006","INTUNE-COMPLIANCE-001","INTUNE-ENCRYPTION-001","INTUNE-ENROLL-001","INTUNE-ENROLLMENT-001","INTUNE-MAA-001","INTUNE-RBAC-001","INTUNE-SECURITY-001","INTUNE-UPDATE-001","INTUNE-WIPEAUDIT-001"],"valueCategory":"Security","estimatedEffort":"High","quickWin":false,"effortTier":"Medium","learnUrl":"https://learn.microsoft.com/en-us/entra/identity/devices/manage-device-identities","prerequisites":[]},"defender-antimalware":{"displayName":"Defender Anti-Malware and Anti-Spam","description":"Exchange Online Protection policies for malware filtering, common attachment type blocking, anti-spam, outbound spam limits, and administrator notifications.","category":"Security","servicePlans":["EXCHANGE_S_ENTERPRISE"],"detectionChecks":["DEFENDER-ANTIMALWARE-001","DEFENDER-ANTIMALWARE-002","DEFENDER-ANTISPAM-001","DEFENDER-ANTISPAM-002","DEFENDER-MALWARE-002","DEFENDER-OUTBOUND-001","DEFENDER-ZAP-001"],"valueCategory":"Security","estimatedEffort":"Medium","quickWin":true,"effortTier":"Quick 
Win","learnUrl":"https://learn.microsoft.com/en-us/defender-office-365/anti-spam-protection-about","prerequisites":[]},"defender-safe-attachments":{"displayName":"Safe Attachments","description":"Defender for Office 365 Safe Attachments policies that scan email attachments and files in SharePoint, OneDrive, and Teams for malware.","category":"Security","servicePlans":["ATP_ENTERPRISE"],"detectionChecks":["DEFENDER-SAFEATTACH-001","DEFENDER-SAFEATTACH-002"],"valueCategory":"Security","estimatedEffort":"Low","quickWin":true,"effortTier":"Medium","learnUrl":"https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about","prerequisites":[]},"defender-safe-links":{"displayName":"Safe Links","description":"Defender for Office 365 Safe Links policies providing time-of-click URL scanning and rewriting for email messages and Office applications.","category":"Security","servicePlans":["ATP_ENTERPRISE"],"detectionChecks":["DEFENDER-SAFELINKS-001"],"valueCategory":"Security","estimatedEffort":"Low","quickWin":true,"effortTier":"Medium","learnUrl":"https://learn.microsoft.com/en-us/defender-office-365/safe-links-about","prerequisites":[]},"defender-antiphishing":{"displayName":"Anti-Phishing Protection","description":"Advanced anti-phishing policies including impersonation protection, mailbox intelligence, and spoof settings in Defender for Office 365.","category":"Security","servicePlans":["ATP_ENTERPRISE"],"detectionChecks":["DEFENDER-ANTIPHISH-001","EXO-ANTIPHISH-001","EXO-ANTISPAM-001"],"valueCategory":"Security","estimatedEffort":"Medium","quickWin":false,"effortTier":"Medium","learnUrl":"https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about","prerequisites":[]},"defender-priority-accounts":{"displayName":"Priority Account Protection","description":"Enable priority account tagging and apply strict protection presets for high-value user 
accounts.","category":"Security","servicePlans":["ATP_ENTERPRISE"],"detectionChecks":["DEFENDER-PRIORITY-001","DEFENDER-PRIORITY-002"],"valueCategory":"Security","estimatedEffort":"Low","quickWin":true,"effortTier":"Medium","learnUrl":"https://learn.microsoft.com/en-us/defender-office-365/priority-accounts-security-recommendations","prerequisites":[]},"defender-cloud-apps":{"displayName":"Defender for Cloud Apps","description":"Microsoft Defender for Cloud Apps providing visibility, data control, and threat protection across cloud services.","category":"Security","servicePlans":["ADALLOM_S_STANDALONE"],"detectionChecks":["DEFENDER-CLOUDAPPS-001"],"valueCategory":"Security","estimatedEffort":"High","quickWin":false,"effortTier":"Strategic","learnUrl":"https://learn.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps","prerequisites":[]},"defender-endpoint":{"displayName":"Defender for Endpoint","description":"Microsoft Defender for Endpoint providing endpoint detection and response, threat hunting, and automated investigation and remediation.","category":"Security","servicePlans":["WINDEFATP"],"detectionChecks":["DEFENDER-SECURESCORE-001"],"valueCategory":"Security","estimatedEffort":"High","quickWin":false,"effortTier":"Strategic","learnUrl":"https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint","prerequisites":[]},"email-authentication":{"displayName":"Email Authentication (SPF/DKIM/DMARC)","description":"DNS-based email authentication records including SPF, DKIM signing, and DMARC policies for all Exchange Online domains.","category":"Security","servicePlans":["EXCHANGE_S_ENTERPRISE"],"detectionChecks":["DNS-SPF-001","DNS-DKIM-001","DNS-DMARC-001","EXO-DKIM-001"],"valueCategory":"Security","estimatedEffort":"Medium","quickWin":false,"effortTier":"Quick 
Win","learnUrl":"https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure","prerequisites":[]},"exchange-transport-security":{"displayName":"Exchange Transport and Mail Flow Security","description":"Exchange Online mail flow rules, forwarding controls, external sender tagging, connection filters, modern authentication, and shared mailbox hardening.","category":"Security","servicePlans":["EXCHANGE_S_ENTERPRISE"],"detectionChecks":["EXO-AUTH-001","EXO-AUTH-002","EXO-CONNFILTER-001","EXO-CONNFILTER-002","EXO-DIRECTSEND-001","EXO-EXTTAG-001","EXO-FORWARD-001","EXO-MAILTIPS-001","EXO-MALWARE-001","EXO-OWA-001","EXO-SHAREDMBX-001","EXO-TRANSPORT-001","EXO-TRANSPORT-002","EXO-ADDINS-001"],"valueCategory":"Security","estimatedEffort":"Medium","quickWin":false,"effortTier":"Quick Win","learnUrl":"https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding","prerequisites":[]},"dlp-policies":{"displayName":"Data Loss Prevention","description":"DLP policies across Exchange, SharePoint, OneDrive, and Teams to detect and prevent sharing of sensitive information.","category":"Compliance","servicePlans":["MIP_S_CLP1"],"detectionChecks":["COMPLIANCE-DLP-001","COMPLIANCE-DLP-002"],"valueCategory":"Compliance","estimatedEffort":"High","quickWin":false,"effortTier":"Strategic","learnUrl":"https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp","prerequisites":[]},"sensitivity-labels":{"displayName":"Sensitivity Labels and Information Protection","description":"Publish sensitivity label policies for classifying and protecting documents and emails with encryption and access 
restrictions.","category":"Compliance","servicePlans":["MIP_S_CLP1"],"detectionChecks":["COMPLIANCE-LABELS-001"],"valueCategory":"Compliance","estimatedEffort":"High","quickWin":false,"effortTier":"Strategic","learnUrl":"https://learn.microsoft.com/en-us/purview/sensitivity-labels","prerequisites":[]},"audit-logging":{"displayName":"Audit Logging","description":"Unified audit log search, mailbox auditing, and advanced audit capabilities for forensic investigation and compliance monitoring.","category":"Compliance","servicePlans":["EXCHANGE_S_ENTERPRISE"],"detectionChecks":["COMPLIANCE-AUDIT-001","COMPLIANCE-ALERTPOLICY-001","EXO-AUDIT-001","EXO-AUDIT-002","EXO-AUDIT-003","PURVIEW-AUDIT-001"],"valueCategory":"Compliance","estimatedEffort":"Low","quickWin":true,"effortTier":"Quick Win","learnUrl":"https://learn.microsoft.com/en-us/purview/audit-mailboxes","prerequisites":[]},"customer-lockbox":{"displayName":"Customer Lockbox","description":"Require approval before Microsoft support engineers can access tenant data during service requests.","category":"Compliance","servicePlans":["LOCKBOX_ENTERPRISE"],"detectionChecks":["EXO-LOCKBOX-001"],"valueCategory":"Compliance","estimatedEffort":"Low","quickWin":true,"effortTier":"Medium","learnUrl":"https://learn.microsoft.com/en-us/purview/customer-lockbox-requests","prerequisites":[]},"data-retention":{"displayName":"Data Retention Policies","description":"Retention policies covering Exchange, Teams, and SharePoint/OneDrive to ensure compliance with data retention 
requirements.","category":"Compliance","servicePlans":["EXCHANGE_S_ENTERPRISE","SHAREPOINTENTERPRISE","TEAMS1"],"detectionChecks":["PURVIEW-RETENTION-001","PURVIEW-RETENTION-002","PURVIEW-RETENTION-003","PURVIEW-RETENTION-004","PURVIEW-RETENTION-005"],"valueCategory":"Compliance","estimatedEffort":"Medium","quickWin":false,"effortTier":"Medium","learnUrl":"https://learn.microsoft.com/en-us/purview/retention-policies-exchange","prerequisites":[]},"sharepoint-external-sharing":{"displayName":"SharePoint and OneDrive External Sharing","description":"Control external content sharing, guest access expiration, sharing link defaults, domain restrictions, and sync restrictions for unmanaged devices.","category":"Collaboration","servicePlans":["SHAREPOINTENTERPRISE"],"detectionChecks":["SPO-SHARING-001","SPO-SHARING-002","SPO-SHARING-003","SPO-SHARING-004","SPO-SHARING-005","SPO-SHARING-006","SPO-SHARING-007","SPO-SHARING-008","SPO-OD-001","SPO-AUTH-001","SPO-B2B-001","SPO-SESSION-001","SPO-SYNC-001","SPO-SYNC-002","SPO-MALWARE-002","SPO-SCRIPT-001","SPO-SCRIPT-002","SPO-SWAY-001","SPO-LOOP-001","SPO-LOOP-002"],"valueCategory":"Collaboration","estimatedEffort":"Medium","quickWin":false,"effortTier":"Medium","learnUrl":"https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off","prerequisites":[]},"teams-security":{"displayName":"Teams Meeting and Collaboration Security","description":"Teams meeting policies, external access controls, guest access settings, app permissions, and security 
reporting.","category":"Collaboration","servicePlans":["TEAMS1"],"detectionChecks":["TEAMS-MEETING-001","TEAMS-MEETING-002","TEAMS-MEETING-003","TEAMS-MEETING-004","TEAMS-MEETING-005","TEAMS-MEETING-006","TEAMS-MEETING-007","TEAMS-MEETING-008","TEAMS-MEETING-009","TEAMS-EXTACCESS-001","TEAMS-EXTACCESS-002","TEAMS-EXTACCESS-003","TEAMS-EXTACCESS-004","TEAMS-GUEST-001","TEAMS-APPS-001","TEAMS-APPS-002","TEAMS-CLIENT-001","TEAMS-CLIENT-002","TEAMS-REPORTING-001","TEAMS-INFO-001"],"valueCategory":"Collaboration","estimatedEffort":"Medium","quickWin":false,"effortTier":"Medium","learnUrl":"https://learn.microsoft.com/en-us/microsoftteams/manage-external-access","prerequisites":[]},"forms-security":{"displayName":"Microsoft Forms Security","description":"Restrict external access to Forms, enable phishing protection, control collaboration and result visibility for surveys and forms.","category":"Collaboration","servicePlans":["FORMS_PLAN_E3"],"detectionChecks":["FORMS-CONFIG-001","FORMS-CONFIG-002","FORMS-CONFIG-003","FORMS-CONFIG-004","FORMS-CONFIG-005","FORMS-CONFIG-006"],"valueCategory":"Security","estimatedEffort":"Low","quickWin":true,"effortTier":"Quick Win","learnUrl":"https://learn.microsoft.com/en-us/microsoft-forms/administrator-settings-microsoft-forms","prerequisites":[]},"power-bi-security":{"displayName":"Power BI Tenant Security","description":"Power BI sharing restrictions, guest access controls, publish-to-web restrictions, service principal controls, and sensitivity label 
enforcement.","category":"Collaboration","servicePlans":["EXCHANGE_S_ENTERPRISE"],"detectionChecks":["PBI-AUTH-001","PBI-API-001","PBI-CONTENT-001","PBI-GUEST-001","PBI-INVITE-001","PBI-LABELS-001","PBI-LINK-001","PBI-PROFILE-001","PBI-PUBLISH-001","PBI-SCRIPT-001","PBI-SHARING-001","PBI-TENANT-001","PBI-TENANT-002","PBI-TENANT-003","POWERBI-AUTH-001","POWERBI-AUTH-002","POWERBI-AUTH-003","POWERBI-GUEST-001","POWERBI-GUEST-002","POWERBI-GUEST-003","POWERBI-INFOPROT-001","POWERBI-SHARING-001","POWERBI-SHARING-002","POWERBI-SHARING-003","POWERBI-SHARING-004"],"valueCategory":"Security","estimatedEffort":"Medium","quickWin":false,"effortTier":"Medium","learnUrl":"https://learn.microsoft.com/en-us/power-bi/admin/service-admin-portal","prerequisites":[]},"tenant-and-org-settings":{"displayName":"Tenant and Organization Settings","description":"Tenant-wide settings including restricting tenant creation, LinkedIn connections, third-party storage, session timeout, and org-wide security controls.","category":"Security","servicePlans":["AAD_PREMIUM"],"detectionChecks":["ENTRA-TENANT-001","ENTRA-LINKEDIN-001","ENTRA-ORGSETTING-001","ENTRA-ORGSETTING-002","ENTRA-ORGSETTING-003","ENTRA-ORGSETTING-004","ENTRA-SESSION-001","ENTRA-ROLEGROUP-001","EXO-SHARING-001"],"valueCategory":"Security","estimatedEffort":"Low","quickWin":true,"effortTier":"Medium","learnUrl":"https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules","prerequisites":[]}},"skuTiers":{"E3":{"includedPlans":["AAD_PREMIUM","MFA_PREMIUM","INTUNE_A","EXCHANGE_S_ENTERPRISE","SHAREPOINTENTERPRISE","TEAMS1","MIP_S_CLP1","MDE_LITE","FORMS_PLAN_E3","ContentExplorer_Standard","RMS_S_ENTERPRISE","RMS_S_PREMIUM","ADALLOM_S_DISCOVERY"]},"E5":{"includedPlans":["AAD_PREMIUM","AAD_PREMIUM_P2","MFA_PREMIUM","INTUNE_A","EXCHANGE_S_ENTERPRISE","SHAREPOINTENTERPRISE","TEAMS1","MIP_S_CLP1","MIP_S_CLP2","ATP_ENTERPRISE","THREAT_INTELLIGENCE","WINDEFATP","LOCKBOX_ENTERPRISE","ADALLOM_S_STANDALON
E","ADALLOM_S_DISCOVERY","MICROSOFTENDPOINTDLP","COMMUNICATIONS_DLP","INFORMATION_BARRIERS","EQUIVIO_ANALYTICS","M365_ADVANCED_AUDITING","SAFEDOCS","PREMIUM_ENCRYPTION","FORMS_PLAN_E5","ContentExplorer_Standard","Content_Explorer","RMS_S_ENTERPRISE","RMS_S_PREMIUM","RMS_S_PREMIUM2","MDE_LITE","MTP","ATA"]}},"$comment":"featureGroups schema v2.1.0: restored the effortTier, learnUrl, and prerequisites fields for downstream compatibility"}