controls/sku-feature-map.json
{
"version": "1.0.0", "description": "Maps M365 features to SKU service plans, assessment CheckIds, effort tiers, and documentation links", "categories": [ { "id": "identity-access", "name": "Identity & Access", "icon": "Person" }, { "id": "email-security", "name": "Email Security", "icon": "Shield" }, { "id": "data-protection", "name": "Data Protection", "icon": "Lock" }, { "id": "device-management", "name": "Device Management", "icon": "Phone" }, { "id": "collaboration", "name": "Collaboration Security", "icon": "People" }, { "id": "threat-protection", "name": "Threat Protection", "icon": "Warning" } ], "features": [ { "featureId": "mfa-registration", "name": "MFA Registration & Enforcement", "category": "identity-access", "description": "Require all users to register for and use multi-factor authentication", "effortTier": "Quick Win", "requiredServicePlans": ["AAD_PREMIUM"], "checkIds": ["ENTRA-MFA-001", "ENTRA-MFA-002", "ENTRA-PERUSER-001"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-getstarted", "tags": ["E3", "identity"] }, { "featureId": "conditional-access-mfa", "name": "Conditional Access MFA Policies", "category": "identity-access", "description": "Enforce MFA for admins and all users via Conditional Access policies", "effortTier": "Medium", "requiredServicePlans": ["AAD_PREMIUM"], "checkIds": ["CA-MFA-ADMIN-001", "CA-MFA-ALL-001"], "csvSignals": [], "prerequisites": ["mfa-registration"], "learnUrl": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-all-users-mfa", "tags": ["E3", "identity", "conditional-access"] }, { "featureId": "conditional-access-legacy-auth", "name": "Block Legacy Authentication", "category": "identity-access", "description": "Block legacy authentication protocols that bypass MFA via Conditional Access", "effortTier": "Quick Win", "requiredServicePlans": ["AAD_PREMIUM"], "checkIds": 
["CA-LEGACYAUTH-001"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-block-legacy", "tags": ["E3", "identity", "conditional-access"] }, { "featureId": "conditional-access-device", "name": "Device-Based Conditional Access", "category": "identity-access", "description": "Require compliant or hybrid-joined devices for access", "effortTier": "Medium", "requiredServicePlans": ["AAD_PREMIUM"], "checkIds": ["CA-DEVICE-001", "CA-DEVICE-002"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-compliant-device", "tags": ["E3", "identity", "conditional-access"] }, { "featureId": "conditional-access-signin-frequency", "name": "Sign-In Frequency & Session Controls", "category": "identity-access", "description": "Control sign-in frequency and persistent browser sessions", "effortTier": "Medium", "requiredServicePlans": ["AAD_PREMIUM"], "checkIds": ["CA-SIGNIN-FREQ-001"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session-lifetime", "tags": ["E3", "identity", "conditional-access"] }, { "featureId": "conditional-access-phishres", "name": "Phishing-Resistant Authentication", "category": "identity-access", "description": "Require phishing-resistant MFA methods for sensitive operations", "effortTier": "Strategic", "requiredServicePlans": ["AAD_PREMIUM_P2"], "checkIds": ["CA-PHISHRES-001"], "csvSignals": [], "prerequisites": ["mfa-registration"], "learnUrl": "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strengths", "tags": ["E3", "identity", "conditional-access"] }, { "featureId": "pim", "name": "Privileged Identity Management", "category": "identity-access", "description": "Enable just-in-time privileged access with approval workflows and 
time-bound role assignments", "effortTier": "Strategic", "requiredServicePlans": ["AAD_PREMIUM_P2"], "checkIds": ["ENTRA-PIM-001", "ENTRA-PIM-002", "ENTRA-PIM-003", "ENTRA-PIM-004", "ENTRA-PIM-005", "ENTRA-PIM-006", "ENTRA-PIM-007", "ENTRA-PIM-008", "ENTRA-PIM-009", "ENTRA-PIM-010"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure", "tags": ["E5", "identity", "governance"] }, { "featureId": "risk-based-ca-signin", "name": "Risk-Based Conditional Access (Sign-in Risk)", "category": "identity-access", "description": "Automatically respond to risky sign-ins with step-up authentication or blocking", "effortTier": "Strategic", "requiredServicePlans": ["AAD_PREMIUM_P2"], "checkIds": ["CA-SIGNINRISK-001", "CA-SIGNINRISK-002"], "csvSignals": [], "prerequisites": ["conditional-access-mfa"], "learnUrl": "https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies", "tags": ["E5", "identity", "conditional-access"] }, { "featureId": "risk-based-ca-user", "name": "Risk-Based Conditional Access (User Risk)", "category": "identity-access", "description": "Require password change or block access when user risk is detected", "effortTier": "Strategic", "requiredServicePlans": ["AAD_PREMIUM_P2"], "checkIds": ["CA-USERRISK-001"], "csvSignals": [], "prerequisites": ["conditional-access-mfa"], "learnUrl": "https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies", "tags": ["E5", "identity", "conditional-access"] }, { "featureId": "risk-based-ca-policy", "name": "Risk-Based Policy Enforcement", "category": "identity-access", "description": "Combine sign-in and user risk signals into comprehensive risk-based policies", "effortTier": "Strategic", "requiredServicePlans": ["AAD_PREMIUM_P2"], "checkIds": ["CA-RISKPOLICY-001"], "csvSignals": [], "prerequisites": ["risk-based-ca-signin", 
"risk-based-ca-user"], "learnUrl": "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies", "tags": ["E5", "identity", "conditional-access"] }, { "featureId": "sspr", "name": "Self-Service Password Reset", "category": "identity-access", "description": "Enable users to reset their own passwords securely without helpdesk calls", "effortTier": "Quick Win", "requiredServicePlans": ["AAD_PREMIUM"], "checkIds": ["ENTRA-SSPR-001", "ENTRA-SSPR-002"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-sspr-deployment", "tags": ["E3", "identity"] }, { "featureId": "emergency-access", "name": "Emergency Access Accounts", "category": "identity-access", "description": "Maintain break-glass accounts to prevent tenant lockout scenarios", "effortTier": "Quick Win", "requiredServicePlans": ["AAD_PREMIUM"], "checkIds": ["ENTRA-ADMIN-003", "ENTRA-BREAKGLASS-001"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access", "tags": ["E3", "identity", "admin"] }, { "featureId": "security-defaults", "name": "Security Defaults", "category": "identity-access", "description": "Enable baseline security defaults for tenants without Conditional Access", "effortTier": "Quick Win", "requiredServicePlans": ["AAD_PREMIUM"], "checkIds": ["ENTRA-SECDEFAULT-001", "ENTRA-SECDEFAULT-002"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults", "tags": ["E3", "identity"] }, { "featureId": "admin-mfa-strength", "name": "Admin MFA Authentication Strength", "category": "identity-access", "description": "Ensure administrators use strong MFA methods resistant to phishing", "effortTier": "Quick Win", "requiredServicePlans": ["AAD_PREMIUM"], "checkIds": ["ENTRA-ADMIN-004"], "csvSignals": [], "prerequisites": ["mfa-registration"], "learnUrl": 
"https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strengths", "tags": ["E3", "identity", "admin"] }, { "featureId": "password-protection", "name": "Password Protection & Policies", "category": "identity-access", "description": "Configure banned password lists and smart lockout to prevent weak passwords", "effortTier": "Medium", "requiredServicePlans": ["AAD_PREMIUM"], "checkIds": ["ENTRA-PASSWORD-001", "ENTRA-PASSWORD-002", "ENTRA-PASSWORD-003", "ENTRA-PASSWORD-004", "ENTRA-PASSWORD-005"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad", "tags": ["E3", "identity"] }, { "featureId": "device-registration", "name": "Device Registration & Join Settings", "category": "identity-access", "description": "Control which users can register and join devices to Entra ID", "effortTier": "Medium", "requiredServicePlans": ["AAD_PREMIUM"], "checkIds": ["ENTRA-DEVICE-001", "ENTRA-DEVICE-002", "ENTRA-DEVICE-003", "ENTRA-DEVICE-004", "ENTRA-DEVICE-005", "ENTRA-DEVICE-006"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/entra/identity/devices/manage-device-identities", "tags": ["E3", "identity", "devices"] }, { "featureId": "safe-links", "name": "Safe Links", "category": "email-security", "description": "Protect users from malicious URLs in email and Office documents with time-of-click verification", "effortTier": "Medium", "requiredServicePlans": ["ATP_ENTERPRISE"], "checkIds": ["DEFENDER-SAFELINKS-001"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/defender-office-365/safe-links-about", "tags": ["E5", "email", "defender"] }, { "featureId": "safe-attachments", "name": "Safe Attachments", "category": "email-security", "description": "Scan email attachments in a sandbox environment before delivery", "effortTier": "Medium", "requiredServicePlans": ["ATP_ENTERPRISE"], "checkIds": 
["DEFENDER-SAFEATTACH-001", "DEFENDER-SAFEATTACH-002"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about", "tags": ["E5", "email", "defender"] }, { "featureId": "anti-phishing", "name": "Anti-Phishing Policies", "category": "email-security", "description": "Configure impersonation protection, mailbox intelligence, and spoof settings", "effortTier": "Medium", "requiredServicePlans": ["ATP_ENTERPRISE"], "checkIds": ["DEFENDER-ANTIPHISH-001"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about", "tags": ["E5", "email", "defender"] }, { "featureId": "dmarc-enforcement", "name": "DMARC Enforcement", "category": "email-security", "description": "Publish DMARC records to prevent email spoofing and receive aggregate reports", "effortTier": "Quick Win", "requiredServicePlans": ["EXCHANGE_S_ENTERPRISE"], "checkIds": ["DNS-DMARC-001"], "csvSignals": [], "prerequisites": ["spf", "dkim"], "learnUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure", "tags": ["E3", "email", "dns"] }, { "featureId": "dkim", "name": "DKIM Signing", "category": "email-security", "description": "Enable DomainKeys Identified Mail signing for outbound email authentication", "effortTier": "Quick Win", "requiredServicePlans": ["EXCHANGE_S_ENTERPRISE"], "checkIds": ["DNS-DKIM-001"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-configure", "tags": ["E3", "email", "dns"] }, { "featureId": "spf", "name": "SPF Records", "category": "email-security", "description": "Configure Sender Policy Framework records to authorize legitimate email senders", "effortTier": "Quick Win", "requiredServicePlans": ["EXCHANGE_S_ENTERPRISE"], "checkIds": ["DNS-SPF-001"], "csvSignals": [], 
"prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-spf-configure", "tags": ["E3", "email", "dns"] }, { "featureId": "mailbox-auditing", "name": "Mailbox Auditing", "category": "email-security", "description": "Ensure mailbox audit logging is enabled for all mailboxes", "effortTier": "Quick Win", "requiredServicePlans": ["EXCHANGE_S_ENTERPRISE"], "checkIds": ["EXO-AUDIT-001", "EXO-AUDIT-002", "EXO-AUDIT-003"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/purview/audit-mailboxes", "tags": ["E3", "email", "audit"] }, { "featureId": "external-forwarding-block", "name": "External Email Forwarding Block", "category": "email-security", "description": "Block automatic email forwarding to external recipients to prevent data exfiltration", "effortTier": "Quick Win", "requiredServicePlans": ["EXCHANGE_S_ENTERPRISE"], "checkIds": ["EXO-FORWARD-001"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding", "tags": ["E3", "email"] }, { "featureId": "anti-spam", "name": "Anti-Spam Policies", "category": "email-security", "description": "Configure inbound and outbound anti-spam filtering and connection filter policies", "effortTier": "Quick Win", "requiredServicePlans": ["EXCHANGE_S_ENTERPRISE"], "checkIds": ["DEFENDER-ANTISPAM-001", "DEFENDER-ANTISPAM-002", "DEFENDER-OUTBOUND-001", "EXO-CONNFILTER-001", "EXO-CONNFILTER-002"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/defender-office-365/anti-spam-protection-about", "tags": ["E3", "email", "defender"] }, { "featureId": "anti-malware", "name": "Anti-Malware Policies", "category": "email-security", "description": "Configure malware filtering policies for email attachments", "effortTier": "Quick Win", "requiredServicePlans": 
["EXCHANGE_S_ENTERPRISE"], "checkIds": ["DEFENDER-ANTIMALWARE-001", "DEFENDER-ANTIMALWARE-002", "DEFENDER-MALWARE-002"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-about", "tags": ["E3", "email", "defender"] }, { "featureId": "modern-auth-exchange", "name": "Modern Authentication for Exchange", "category": "email-security", "description": "Ensure modern authentication is enabled and basic auth is blocked for Exchange Online", "effortTier": "Quick Win", "requiredServicePlans": ["EXCHANGE_S_ENTERPRISE"], "checkIds": ["EXO-AUTH-001", "EXO-AUTH-002"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online", "tags": ["E3", "email"] }, { "featureId": "dlp-policies", "name": "Data Loss Prevention Policies", "category": "data-protection", "description": "Create DLP policies to detect and protect sensitive information across M365 services", "effortTier": "Strategic", "requiredServicePlans": ["INFORMATION_PROTECTION_COMPLIANCE"], "checkIds": ["COMPLIANCE-DLP-001", "COMPLIANCE-DLP-002"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp", "tags": ["E5", "data-protection", "compliance"] }, { "featureId": "sensitivity-labels", "name": "Sensitivity Labels", "category": "data-protection", "description": "Classify and protect documents and emails with sensitivity labels", "effortTier": "Strategic", "requiredServicePlans": ["INFORMATION_PROTECTION_COMPLIANCE"], "checkIds": ["COMPLIANCE-LABELS-001"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/purview/sensitivity-labels", "tags": ["E5", "data-protection", "compliance"] }, { "featureId": "customer-lockbox", "name": "Customer Lockbox", "category": "data-protection", "description": "Require approval before 
Microsoft support engineers can access tenant data", "effortTier": "Medium", "requiredServicePlans": ["LOCKBOX_ENTERPRISE"], "checkIds": ["EXO-LOCKBOX-001"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/purview/customer-lockbox-requests", "tags": ["E5", "data-protection"] }, { "featureId": "retention-policies", "name": "Retention Policies", "category": "data-protection", "description": "Configure data retention policies to meet compliance and legal requirements", "effortTier": "Medium", "requiredServicePlans": ["EXCHANGE_S_ENTERPRISE"], "checkIds": ["PURVIEW-RETENTION-001", "PURVIEW-RETENTION-002", "PURVIEW-RETENTION-003", "PURVIEW-RETENTION-004", "PURVIEW-RETENTION-005"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/purview/retention-policies-exchange", "tags": ["E3", "data-protection", "compliance"] }, { "featureId": "audit-logging", "name": "Unified Audit Logging", "category": "data-protection", "description": "Enable unified audit logging for security investigations and compliance", "effortTier": "Quick Win", "requiredServicePlans": ["EXCHANGE_S_ENTERPRISE"], "checkIds": ["COMPLIANCE-AUDIT-001"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/purview/audit-log-enable-disable", "tags": ["E3", "data-protection", "audit"] }, { "featureId": "intune-enrollment", "name": "Intune Device Enrollment", "category": "device-management", "description": "Configure Intune enrollment settings and MDM authority for device management", "effortTier": "Strategic", "requiredServicePlans": ["INTUNE_A"], "checkIds": ["INTUNE-ENROLL-001", "INTUNE-COMPLIANCE-001"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment", "tags": ["E3", "devices", "intune"] }, { "featureId": "intune-compliance", "name": "Intune Compliance Policies with CA", "category": "device-management", "description": "Require 
device compliance before granting access via Conditional Access integration", "effortTier": "Medium", "requiredServicePlans": ["INTUNE_A"], "checkIds": ["INTUNE-MAA-001", "CA-INTUNE-001"], "csvSignals": [], "prerequisites": ["intune-enrollment"], "learnUrl": "https://learn.microsoft.com/en-us/mem/intune/protect/conditional-access-intune-common-ways-use", "tags": ["E3", "devices", "intune", "conditional-access"] }, { "featureId": "intune-rbac", "name": "Intune RBAC & Remote Wipe Audit", "category": "device-management", "description": "Configure role-based access control for Intune administration and audit remote wipe actions", "effortTier": "Medium", "requiredServicePlans": ["INTUNE_A"], "checkIds": ["INTUNE-RBAC-001", "INTUNE-WIPEAUDIT-001"], "csvSignals": [], "prerequisites": ["intune-enrollment"], "learnUrl": "https://learn.microsoft.com/en-us/mem/intune/fundamentals/role-based-access-control", "tags": ["E3", "devices", "intune"] }, { "featureId": "spo-external-sharing", "name": "SharePoint External Sharing Controls", "category": "collaboration", "description": "Configure external sharing limits for SharePoint Online and OneDrive", "effortTier": "Medium", "requiredServicePlans": ["SHAREPOINTENTERPRISE"], "checkIds": ["SPO-SHARING-001", "SPO-SHARING-002", "SPO-SHARING-003", "SPO-SHARING-004", "SPO-SHARING-005", "SPO-SHARING-006", "SPO-SHARING-007", "SPO-SHARING-008"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off", "tags": ["E3", "collaboration", "sharepoint"] }, { "featureId": "spo-malware-scanning", "name": "SharePoint Safe Attachments", "category": "collaboration", "description": "Enable Safe Attachments for SharePoint, OneDrive, and Teams to scan uploaded files", "effortTier": "Quick Win", "requiredServicePlans": ["ATP_ENTERPRISE"], "checkIds": ["SPO-MALWARE-002"], "csvSignals": [], "prerequisites": [], "learnUrl": 
"https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-for-spo-odfb-teams-about", "tags": ["E5", "collaboration", "defender"] }, { "featureId": "spo-script-control", "name": "SharePoint Custom Script Control", "category": "collaboration", "description": "Restrict custom script execution on SharePoint sites to prevent malicious code", "effortTier": "Quick Win", "requiredServicePlans": ["SHAREPOINTENTERPRISE"], "checkIds": ["SPO-SCRIPT-001", "SPO-SCRIPT-002"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/sharepoint/allow-or-prevent-custom-script", "tags": ["E3", "collaboration", "sharepoint"] }, { "featureId": "spo-auth-sync", "name": "SharePoint Authentication & Sync", "category": "collaboration", "description": "Configure SharePoint authentication policies, B2B integration, and sync client restrictions", "effortTier": "Medium", "requiredServicePlans": ["SHAREPOINTENTERPRISE"], "checkIds": ["SPO-AUTH-001", "SPO-B2B-001", "SPO-SYNC-001", "SPO-SYNC-002", "SPO-SESSION-001"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices", "tags": ["E3", "collaboration", "sharepoint"] }, { "featureId": "teams-external-access", "name": "Teams External Access Controls", "category": "collaboration", "description": "Configure external and federated access settings for Teams communication", "effortTier": "Medium", "requiredServicePlans": ["TEAMS1"], "checkIds": ["TEAMS-EXTACCESS-001", "TEAMS-EXTACCESS-002", "TEAMS-EXTACCESS-003", "TEAMS-EXTACCESS-004"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/microsoftteams/manage-external-access", "tags": ["E3", "collaboration", "teams"] }, { "featureId": "teams-meeting-security", "name": "Teams Meeting Security", "category": "collaboration", "description": "Configure meeting policies for lobby, recording, transcription, and external presenters", "effortTier": 
"Medium", "requiredServicePlans": ["TEAMS1"], "checkIds": ["TEAMS-MEETING-001", "TEAMS-MEETING-002", "TEAMS-MEETING-003", "TEAMS-MEETING-004", "TEAMS-MEETING-005", "TEAMS-MEETING-006", "TEAMS-MEETING-007", "TEAMS-MEETING-008", "TEAMS-MEETING-009"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/microsoftteams/meeting-policies-overview", "tags": ["E3", "collaboration", "teams"] }, { "featureId": "teams-apps-client", "name": "Teams App & Client Security", "category": "collaboration", "description": "Control third-party app installation and client-side security settings in Teams", "effortTier": "Medium", "requiredServicePlans": ["TEAMS1"], "checkIds": ["TEAMS-APPS-001", "TEAMS-APPS-002", "TEAMS-CLIENT-001", "TEAMS-CLIENT-002", "TEAMS-INFO-001", "TEAMS-REPORTING-001"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/microsoftteams/admin-settings", "tags": ["E3", "collaboration", "teams"] }, { "featureId": "forms-security", "name": "Microsoft Forms Security", "category": "collaboration", "description": "Configure Forms settings to control external sharing and data collection", "effortTier": "Quick Win", "requiredServicePlans": ["FORMS_PLAN_E3"], "checkIds": ["FORMS-CONFIG-001", "FORMS-CONFIG-002", "FORMS-CONFIG-003", "FORMS-CONFIG-004", "FORMS-CONFIG-005", "FORMS-CONFIG-006"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/microsoft-forms/administrator-settings-microsoft-forms", "tags": ["E3", "collaboration", "forms"] }, { "featureId": "powerbi-security", "name": "Power BI Security & Sharing", "category": "collaboration", "description": "Configure Power BI authentication, guest access, sharing, and information protection settings", "effortTier": "Medium", "requiredServicePlans": ["BI_AZURE_P2"], "checkIds": ["POWERBI-AUTH-001", "POWERBI-AUTH-002", "POWERBI-AUTH-003", "POWERBI-GUEST-001", "POWERBI-GUEST-002", "POWERBI-GUEST-003", "POWERBI-INFOPROT-001", 
"POWERBI-SHARING-001", "POWERBI-SHARING-002", "POWERBI-SHARING-003", "POWERBI-SHARING-004"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/power-bi/admin/service-admin-portal", "tags": ["E3", "collaboration", "powerbi"] }, { "featureId": "defender-preset-policies", "name": "Defender Preset Security Policies", "category": "threat-protection", "description": "Enable Standard or Strict preset policies for baseline Defender for Office 365 protection", "effortTier": "Quick Win", "requiredServicePlans": ["EXCHANGE_S_ENTERPRISE"], "checkIds": ["EXO-EXTTAG-001"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/defender-office-365/preset-security-policies", "tags": ["E3", "threat-protection", "defender"] }, { "featureId": "zap", "name": "Zero-hour Auto Purge (ZAP)", "category": "threat-protection", "description": "Enable zero-hour auto purge to retroactively remove malicious messages from mailboxes", "effortTier": "Quick Win", "requiredServicePlans": ["ATP_ENTERPRISE"], "checkIds": ["DEFENDER-ZAP-001"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/defender-office-365/zero-hour-auto-purge", "tags": ["E5", "threat-protection", "defender"] }, { "featureId": "priority-account-protection", "name": "Priority Account Protection", "category": "threat-protection", "description": "Tag and apply enhanced protection to priority accounts (executives, finance, IT admins)", "effortTier": "Medium", "requiredServicePlans": ["ATP_ENTERPRISE"], "checkIds": ["DEFENDER-PRIORITY-001", "DEFENDER-PRIORITY-002"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/defender-office-365/priority-accounts-security-recommendations", "tags": ["E5", "threat-protection", "defender"] }, { "featureId": "app-consent-governance", "name": "Application Consent & Governance", "category": "threat-protection", "description": "Control user consent grants and enforce 
admin approval workflows for application permissions", "effortTier": "Medium", "requiredServicePlans": ["AAD_PREMIUM"], "checkIds": ["ENTRA-CONSENT-001", "ENTRA-CONSENT-002", "ENTRA-CONSENT-003", "ENTRA-CONSENT-004"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent", "tags": ["E3", "threat-protection", "identity"] }, { "featureId": "app-registration-security", "name": "Application Registration Security", "category": "threat-protection", "description": "Restrict app registration, enforce credential hygiene, and monitor enterprise app configurations", "effortTier": "Medium", "requiredServicePlans": ["AAD_PREMIUM"], "checkIds": ["ENTRA-APPREG-001", "ENTRA-APPREG-002", "ENTRA-APPREG-003", "ENTRA-APPREG-004", "ENTRA-APPS-001", "ENTRA-APPS-002"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/application-management-fundamentals", "tags": ["E3", "threat-protection", "identity"] }, { "featureId": "enterprise-app-security", "name": "Enterprise Application Security", "category": "threat-protection", "description": "Audit enterprise app permissions, credential hygiene, reply URIs, and impersonation risks", "effortTier": "Strategic", "requiredServicePlans": ["AAD_PREMIUM"], "checkIds": ["ENTRA-ENTAPP-001", "ENTRA-ENTAPP-002", "ENTRA-ENTAPP-003", "ENTRA-ENTAPP-004", "ENTRA-ENTAPP-005", "ENTRA-ENTAPP-006", "ENTRA-ENTAPP-007", "ENTRA-ENTAPP-008", "ENTRA-ENTAPP-009", "ENTRA-ENTAPP-010", "ENTRA-ENTAPP-011", "ENTRA-ENTAPP-012", "ENTRA-ENTAPP-013", "ENTRA-ENTAPP-014", "ENTRA-ENTAPP-015", "ENTRA-ENTAPP-016", "ENTRA-ENTAPP-017", "ENTRA-ENTAPP-018", "ENTRA-ENTAPP-019", "ENTRA-ENTAPP-020", "ENTRA-ENTAPP-021"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/overview-application-gallery", "tags": ["E3", "threat-protection", "identity", "app-security"] }, { 
"featureId": "exchange-transport-security", "name": "Exchange Transport & Sharing Rules", "category": "email-security", "description": "Configure mail flow rules, OWA policies, shared mailbox auth, and calendar sharing controls", "effortTier": "Medium", "requiredServicePlans": ["EXCHANGE_S_ENTERPRISE"], "checkIds": ["EXO-TRANSPORT-001", "EXO-OWA-001", "EXO-SHAREDMBX-001", "EXO-SHARING-001", "EXO-MAILTIPS-001", "EXO-ADDINS-001", "EXO-HIDDEN-001", "EXO-DIRECTSEND-001"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules", "tags": ["E3", "email"] }, { "featureId": "guest-access-governance", "name": "Guest Access Governance", "category": "identity-access", "description": "Control guest user invitations, access restrictions, and cross-tenant collaboration settings", "effortTier": "Medium", "requiredServicePlans": ["AAD_PREMIUM"], "checkIds": ["ENTRA-GUEST-001", "ENTRA-GUEST-002", "ENTRA-GUEST-003", "ENTRA-GUEST-004"], "csvSignals": [], "prerequisites": [], "learnUrl": "https://learn.microsoft.com/en-us/entra/external-id/external-identities-overview", "tags": ["E3", "identity", "governance"] } ] } |