
ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines

ScubaGear Execution

ScubaGear is executed with the Invoke-SCuBA command on a Windows computer, and it can be invoked interactively or non-interactively. Both modes require the appropriate permissions to be configured and the dependencies to be installed. Additionally, if ScubaGear was downloaded from GitHub, the module must be imported.

Import Module

If ScubaGear was installed by downloading from GitHub, it must be imported into every new PowerShell terminal session before it can be executed. To import the module, open a PowerShell 5.1 terminal, navigate to the repository folder, and run this command:

# Import the module into the session
Import-Module .\PowerShell\ScubaGear 

Note: Do not add a \ to the end of the .\PowerShell\ScubaGear path.

Install Dependencies

ScubaGear requires a number of dependencies to be installed before it can be invoked. To install the dependencies:

# Install the minimum required dependencies
Initialize-SCuBA 

Interactive Mode

In interactive mode, the user is prompted for the credentials required to authenticate to the tenant. A prompt may pop up for the user to select their profile for each product being tested, but the user should only have to enter their credentials once.

All Products

To assess all products, use the -ProductNames flag with a wildcard:

# Assess all products
Invoke-SCuBA -ProductNames *

Single Product

To assess one product, use the -ProductNames flag with a product name:

# Only assess Teams
Invoke-SCuBA -ProductNames teams

The complete list of all product names can be found on the parameters page.

Multiple Products

To assess multiple products, add them to the -ProductNames flag, separated by commas:

# Assess SharePoint and Teams
Invoke-SCuBA -ProductNames sharepoint, teams

Custom Output Location

By default, ScubaGear creates a new directory in the current directory and then adds report files to that new directory. To change the location of the output:

# Set custom output location
Invoke-SCuBA -ProductNames teams `
  -OutPath C:\Users\johndoe\reports

More information about the resulting reports can be found on the reports page.

Non-interactive Mode

Non-interactive mode means that the credentials that are required by the underlying Microsoft libraries are supplied via command-line parameters or the config file. It uses an Entra ID service principal and a certificate thumbprint, thus enabling ScubaGear to be used in automated processes, such as pipelines and scheduled jobs.

# Assess with service principal
Invoke-SCuBA -ProductNames * `
  -CertificateThumbprint fedcba9876543210fedcba9876543210fedcba98 `
  -AppID abcdef0123456789abcde01234566789 `
  -Organization contoso.onmicrosoft.com 
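
For a scheduled job, it helps to check the certificate before the assessment starts, so that a missing or expired certificate fails with a clear message. The script below is an added example, not part of ScubaGear or its documentation. It reuses the sample values from this page and assumes the service principal's certificate is in the current user's personal store (Cert:\CurrentUser\My); the 30-day warning threshold is also an assumption.

```powershell
# Added example: pre-flight check for a non-interactive ScubaGear run.
# Thumbprint, AppID, Organization and OutPath are the sample values from this page.
$Thumbprint   = 'fedcba9876543210fedcba9876543210fedcba98'
$AppID        = 'abcdef0123456789abcde01234566789'
$Organization = 'contoso.onmicrosoft.com'
$OutPath      = 'C:\Users\johndoe\reports'
$StorePath    = 'Cert:\CurrentUser\My'   # assumption: where the certificate lives
$WarnDays     = 30                       # assumption: expiry warning threshold

$ErrorActionPreference = 'Stop'

# Thumbprints copied from the certificate UI often carry spaces or
# invisible characters; keep only hex digits and verify the length.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($Thumbprint.Length -ne 40) {
    throw "Thumbprint must be 40 hex characters, got $($Thumbprint.Length)."
}

# The certificate must exist in the store of the account running the job.
$cert = Get-Item -Path "$StorePath\$Thumbprint" -ErrorAction SilentlyContinue
if (-not $cert) {
    throw "Certificate $Thumbprint not found in $StorePath for $env:USERNAME."
}

# Certificate authentication needs the private key, not just the public cert.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in this store."
}

# Reject certificates outside their validity window; warn when expiry is near.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate is not valid now ($($cert.NotBefore) to $($cert.NotAfter))."
}
$daysLeft = [int]($cert.NotAfter - $now).TotalDays
if ($daysLeft -lt $WarnDays) {
    Write-Warning "Certificate expires in $daysLeft days; rotate it soon."
}

# All checks passed: run the assessment with the service principal.
Invoke-SCuBA -ProductNames * `
  -CertificateThumbprint $Thumbprint `
  -AppID $AppID `
  -Organization $Organization `
  -OutPath $OutPath
```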

Parameters

Now that you know the basics, you can learn more about setting parameters on the parameters page or by running Get-Help:

# Get ScubaGear help
Get-Help -Name Invoke-SCuBA `
  -Full