View on GitHub

ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines

Assumptions

M365 Product License Assumption

ScubaGear has been tested against tenants that have an M365 E3 or G3 and E5 or G5 license bundle. It may still function for tenants that do not have one of these bundles.

Note: DOD endpoints are included, but have not been tested. Please open an issue if you encounter bugs.

Some of the policy checks in the baselines rely on the following licenses, which are included by default in M365 E5 and G5:

All controls that require a license beyond E3 or G3 note the required license in its respective “License Requirements” section. In almost all cases, the requirement for controls that require an additional license can be met using a third-party service. In order to prevent ScubaGear from reporting failures for any controls you implement using a third-party service, you will need to document that you use a third-party service by configuring ScubaGear to omit the relevant controls. See Omit Policies for more details.