diff --git a/.github/ISSUE_TEMPLATE/CLA.yml b/.github/ISSUE_TEMPLATE/CLA.yml
deleted file mode 100644
index c2180bb38d05..000000000000
--- a/.github/ISSUE_TEMPLATE/CLA.yml
+++ /dev/null
@@ -1,54 +0,0 @@ -name: CLA - Contributor License Agreement -description: Sign the CLA for CIPP and CIPP-API -labels: [CLA] - -body: -- type: markdown - attributes: - value: > - CONTRIBUTOR LICENSE AGREEMENT ("Agreement") - - Version 1.0 - - 1. Definitions - - "Contribution" means any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to Kelvin Tegelaar for inclusion in, or documentation of, any of the products owned or managed by Kelvin Tegelaar (the "Work"). For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to Kelvin Tegelaar or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, Kelvin Tegelaar for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution." - - "You" (or "Your") means the copyright owner or legal entity authorized by the copyright owner that is making this Agreement with Kelvin Tegelaar. For legal entities, the entity making a Contribution and all other entities that control, are controlled by, or are under common control with that entity are considered to be a single contributor. This Agreement applies both to future Contributions and Contributions made prior to the date of this Agreement. - - 2. 
Grant of Copyright License - - Subject to the terms and conditions of this Agreement, You hereby grant to Kelvin Tegelaar and to recipients of software distributed by Kelvin Tegelaar a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works for the purpose of dual licensing the application. - - 3. Grant of Patent License - - You grant Kelvin Tegelaar, and those who receive the Contribution directly or indirectly from Kelvin Tegelaar, a perpetual, worldwide, non-exclusive, royalty-free, irrevocable license under Your patent claims that are necessarily infringed by the Contribution or the combination of the Contribution with the Project to which it was submitted, to make, have made, use, offer to sell, sell, import, and otherwise dispose of the Contribution alone or with the Project. - - 4. Other Rights Reserved - - Each party reserves all rights not expressly granted in this Agreement. No additional licenses or rights whatsoever (including, without limitation, any implied licenses) are granted by implication, exhaustion, estoppel, or otherwise. - - You are not expected to provide support for your Contributions, except to the extent you desire to provide - support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in - writing, you provide your Contributions on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF - ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES - OR CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY, OR FITNESS FOR A - PARTICULAR PURPOSE. - - 5. Representations - - You represent that you are legally entitled to grant the above licenses. 
If your employer(s) has rights to intellectual property that you create, you represent that you have received permission to make Contributions on behalf of that employer, or that your employer has waived such rights for your Contributions to Kelvin Tegelaar. - - You represent that each of Your Contributions is Your original creation. You represent that Your Contribution submissions include complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which you are personally aware and which are associated with any part of Your Contributions. - - 6. Project Sale - - In the event that the Project is sold or otherwise transferred in ownership in its entirety to a third party, a sum equivalent to fifteen percent (15%) of the total sale price or value of the consideration received shall be set aside. This sum shall be divided amongst all Contributors who have entered into this Agreement, with each Contributor receiving a portion proportional to the relative quantity and significance of their Contributions to the Project, as determined by Kelvin Tegelaar. The method and timeframe of the distribution shall be at the discretion of Kelvin Tegelaar and shall be communicated - -- type: textarea - attributes: - label: Description - description: > - Type "I Agree" in the text area. - validations: - required: true diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml index 1e0e6afd8faa..db613f4551c2 100644 --- a/.github/ISSUE_TEMPLATE/bug.yml +++ b/.github/ISSUE_TEMPLATE/bug.yml 
@@ -1,42 +1,92 @@ -name: 🐞 Bug report -description: Report errors or unexpected behaviors for CIPP and CIPP-API -labels: [unconfirmed-by-user , bug] +name: "🐞 Bug report" +description: "Report errors or unexpected behaviors for CIPP and CIPP-API" +title: "[Bug]: " +labels: + - "unconfirmed-by-user" + - "bug" body: -- type: markdown - attributes: - value: > - Thanks for reporting. - - - Make sure you are able to reproduce this issue on the latest released version of CIPP & CIPP-API. - - - Please search the existing issues to see if there has been a similar issue filed - - - This is not the location for support. Issues that request support or are not a bug will be closed. -- type: textarea - attributes: - label: Description - description: > - Please describe the issue and expected result. You can include a screenshot by pasting it. Issues with a description that is too short or does not explain each step in detail will be closed. - - Example: - - 1.) go to Settings - 2.) Click on a tenant in access check - 3.) Click on the green pixel in the bottom right corner - 4.) A bug appears. - validations: - required: true -- type: textarea - attributes: - label: Environment data - description: > - Please let us know your environment information. This must follow this format or the ticket will be closed: - Sponsored / Non-sponsored instance - Front end version number: - Back end version number: - Tried Tenant Cache Clear: true/false - Tried Token Cache Clear: true/false - render: PowerShell - validations: - required: true + - type: markdown + attributes: + value: | + **Thank you for taking the time to report a potential bug for CIPP and CIPP-API!** + + Please follow the instructions below and provide as much detail as possible to help us understand and reproduce the issue. + + - type: checkboxes + id: confirmations + attributes: + label: "Required confirmations before submitting" + description: "Please check all boxes that apply." 
+ options: + - label: "**I can reproduce this issue on the latest released versions** of both CIPP and CIPP-API." + required: true + - label: "**I have searched existing issues** (both open and closed) to avoid duplicates." + required: true + - label: "I am **not** requesting general support; this is an actual bug report." + required: true + + # 3) Description / Steps to reproduce + - type: textarea + id: description + attributes: + label: "Issue Description" + description: | + **Describe the issue clearly and provide step-by-step instructions to reproduce it.** + Screenshots can be attached by pasting them here. + + Example steps to reproduce: + 1. Go to **Settings** + 2. Click on a tenant in **Access Check** + 3. Click on the green pixel in the bottom-right corner + 4. Observe the unexpected behavior + validations: + required: true + + # 4) Environment type (Sponsored vs. Non-sponsored) + - type: dropdown + id: environment_type + attributes: + label: "Environment Type" + description: "Select whether you are using currently a paying user of the product, or if you are utilizing the free version" + options: + - "Sponsored (paying) user" + - "Non-sponsored user" + validations: + required: true + + # 5) Front End / Back End versions + - type: input + id: front_end_version + attributes: + label: "Front End Version" + description: "Please specify the front end version number (e.g., v1.2.3)." + validations: + required: true + + - type: input + id: back_end_version + attributes: + label: "Back End Version" + description: "Please specify the back end version number (e.g., v1.2.3)." + validations: + required: true + + # 7) Additional logs or trace (optional) + - type: textarea + id: logs + attributes: + label: "Relevant Logs / Stack Trace" + description: | + If available, please share any relevant logs or stack trace data. + Remove or redact any sensitive info before posting. 
+ render: plaintext + validations: + required: false + + # 8) Closing note + - type: markdown + attributes: + value: | + Thank you for your submission! A maintainer will review your report. + Please watch the issue for follow-up questions or status updates. diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 000000000000..9fa384883c3b --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,9 @@ +blank_issues_enabled: false +contact_links: + - name: Security Reports + url: https://github.com/KelvinTegelaar/CIPP/security/advisories + about: Please report security vulnerabilities here. + - name: Community Discord + url: https://discord.gg/cyberdrain + about: Join our discord community here. + diff --git a/.github/ISSUE_TEMPLATE/feature.yml b/.github/ISSUE_TEMPLATE/feature.yml index de839daf7a30..4978afebd026 100644 --- a/.github/ISSUE_TEMPLATE/feature.yml +++ b/.github/ISSUE_TEMPLATE/feature.yml 
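Review bot: The new `logs` textarea in bug.yml invites pasted logs and stack traces into an issue with only the generic hint "Remove or redact any sensitive info before posting." For a tool that administers Microsoft 365 tenants, the description should name what to strip, for example `Redact tenant IDs and domains, user names and e-mail addresses, and any tokens, secrets or API keys before posting.` The numbered section comments also run `# 3)`, `# 4)`, `# 5)`, `# 7)`, `# 8)`, so either renumber them or drop the numbers.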
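Review bot: The `Security Reports` contact link in config.yml points at `https://github.com/KelvinTegelaar/CIPP/security/advisories`, which is the advisories list rather than a report form. If private vulnerability reporting is enabled on the repository, `url: https://github.com/KelvinTegelaar/CIPP/security/advisories/new` takes the reporter straight to the private form. If it is not enabled, the `about` text should say how to report privately. With `blank_issues_enabled: false`, this link is the only route offered next to the public templates, so it should be unambiguous.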
@@ -1,32 +1,84 @@ -name: ✨ Feature request -description: Suggest a new feature or improvement -title: '[Feature Request]: ' -labels: [enhancement, no-priority] +name: "✨ Feature request" +description: "Suggest a new feature or improvement" +title: "[Feature Request]: " +labels: + - "enhancement" + - "no-priority" body: -- type: markdown - attributes: - value: > - Thanks for suggesting a feature! - - - Please search the existing feature request to see if there has been a similar issue filed. - - - If a feature has been filed before, but not followed up by a contributor, you can develop the feature yourself by checking the development documentation [here](https://docs.cipp.app/dev-documentation/cipp-dev-guide/setting-up-for-local-development). - - - Repeat feature requests are allowed if the previous request has been closed for more than 30 days - - - drive-by feature requests without effort will be closed. - - - A feature request has 14 days to be fullfilled before automatically being closed. if you want to work on the feature yourself use the phrase "I'd like to work on this please!" - - - Feature requests that are detrimental to security will also be closed without notice. -- type: textarea - attributes: - label: Description of the new feature - must be an in-depth explanation of the feature you want, reasoning why, and the added benefits for MSPs as a whole. - validations: - required: true -- type: textarea - attributes: - label: PowerShell commands you would normally use to achieve above request - validations: - required: false + # Introductory Markdown + - type: markdown + attributes: + value: | + **Thank you for suggesting a new feature or improvement for CIPP** + + Before creating a request, please: + + 1. Check that you have an active sponsorship, only users that are sponsoring CIPP at the $99,- sponsorship level can create feature requests. + 1. Search existing **open and closed** feature requests to avoid duplicates. + 2. 
Note that **repeat feature requests** are permitted if a previous request was closed more than 30 days ago. + 3. Consider implementing the feature yourself by reviewing the [development documentation](https://docs.cipp.app/dev-documentation/cipp-dev-guide/setting-up-for-local-development). + 4. Feature requests that lack sufficient detail or feasibility may be closed at any time. + 5. **This request will auto-close in 14 days** if no meaningful progress or collaboration occurs. + 6. If you would like to work on this feature, comment `"I'd like to work on this please!"` + 7. Any request that is detrimental to security or the product’s stability will be closed without notice. + + # Checkboxes for Confirmations + - type: checkboxes + id: confirmations + attributes: + label: "Please confirm:" + description: "Check all boxes that apply." + options: + - label: "**I have searched existing feature requests** (open and closed) and found no duplicates." + required: true + - label: "**me or my organization is currently an active sponsor of the product at the $99,- level." + required: true + + - type: textarea + id: problem-statement + attributes: + label: "Problem Statement" + description: | + **What problem does this feature solve or what gap does it fill?** + Provide a concise explanation. For example: + - "When I need to enable MFA for all users, it takes a lot of time to do it per user. I'd like to enable this for all users in button press" + - "To update a user property for exchange I need to go through 5 portals and 2 systems to be able to make a change." + validations: + required: true + + # Field 2: Benefits for MSPs + - type: textarea + id: msp-benefits + attributes: + label: "Benefits for MSPs" + description: | + **How would this feature help MSPs in their day-to-day tasks or overall operations?** + - Does it reduce manual work? + - Does it improve security or scalability? + - Does it offer clarity or automation to commonly repeated tasks? 
+ validations: + required: true + + # Field 3: Value or Importance + - type: textarea + id: feature-value + attributes: + label: "Value or Importance" + description: | + **Why is this feature particularly valuable or important to add?** + - If it's critical, explain why. + - If it's optional or nice-to-have, describe how it still adds notable value. + validations: + required: true + + # Optional field for PowerShell commands + - type: textarea + id: powershell-commands + attributes: + label: "PowerShell Commands (Optional)" + description: | + If you currently achieve this functionality or a similar workaround using PowerShell, please share your scripts or snippets here. + This information helps contributors understand the existing workflow and aids in development. + validations: + required: false diff --git a/.github/workflows/Comment_on_Issues.yml b/.github/workflows/Comment_on_Issues.yml index 38e9a5405a28..8d83f6237d82 100644 --- a/.github/workflows/Comment_on_Issues.yml +++ b/.github/workflows/Comment_on_Issues.yml 
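Review bot: The second confirmation label in feature.yml opens bold with `**me or my organization` and never closes it, so the asterisks will most likely render literally. Close the emphasis, e.g. `- label: "**Me or my organization is currently an active sponsor** of the product at the $99,- level."`. The introductory list also carries two items numbered `1.` before `2.`, so the written numbers should be corrected to `1.` through `8.`. The sponsorship checkbox is self-attested and nothing in this template verifies it, so triage should not treat a ticked box as proof.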
@@ -16,15 +16,7 @@ jobs: with: issue-number: ${{ github.event.issue.number }} body: | - Thank you for creating a bug. Please make sure your bug is indeed a unique case by checking current and past issues, and reading the complete documentation at https://docs.cipp.app/ - If your bug is a known documentation issue, it will be closed without notice by a contributor. To confirm that this is not a bug found in the documentation, please copy and paste the following comment: "I confirm that I have checked the documentation thoroughly and believe this to be an actual bug." - - Without confirming, your report will be closed in 24 hours. If you'd like this bug to be assigned to you, please comment "I would like to work on this please!". - add-comment_fr: - if: github.repository_owner == 'KelvinTegelaar' && github.event.label.name == 'enhancement' - runs-on: ubuntu-latest - permissions: - issues: write - steps: - - name: Add Comment - uses: peter-evans/create-or-update@v3 + Thank you for reporting a potential bug. If you would like to work on this bug, please comment: + > I would like to work on this please! + + Thank you for helping us maintain the project! diff --git a/.github/workflows/auto_comments.yml b/.github/workflows/auto_comments.yml new file mode 100644 index 000000000000..7d7b11b45474 --- /dev/null +++ b/.github/workflows/auto_comments.yml 
@@ -0,0 +1,83 @@ +name: "Handle Comment Commands" + +on: + issue_comment: + types: + - created + +jobs: + handle_comment: + runs-on: ubuntu-latest + # We need permissions to modify issue comments. + # 'issues: write' is required for deleting comments. + permissions: + issues: write + + steps: + # 1) If the comment includes '!notasponsor', delete it using GitHub Script + - name: Delete !notasponsor comment + if: contains(github.event.comment.body, '!notasponsor') + uses: actions/github-script@v6 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + await github.rest.issues.deleteComment({ + owner: context.repo.owner, + repo: context.repo.repo, + comment_id: context.payload.comment.id + }); + + # 2) Post a sponsor-specific reply + - name: Reply to !notasponsor + if: contains(github.event.comment.body, '!notasponsor') + uses: peter-evans/create-or-update-comment@v3 + with: + issue-number: ${{ github.event.issue.number }} + body: | + Hello, + + Thank you for your interest in improving CIPP! + To keep our development process focused and manageable, **feature requests are limited to paying users**. This policy helps us prioritize improvements that directly benefit those actively supporting CIPP and ensures we can sustain our development and support. + + When a sponsor makes a feature request, their support covers training, development, documentation, and security checks. Allowing non-sponsor requests could lead to a backlog that slows down updates and stretches resources thin, ultimately affecting the quality and sustainability of CIPP. + + While we’ve closed this request, we appreciate your input. You’re always welcome to participate in ongoing discussions or contribute to open issues. If you are a developer, feel free to open a PR that includes your feature request or comment "**I’d like to work on this!**" to assign the issue to yourself. 
+ + **Did you get this notification in error?** Reply with a screenshot of your sponsorship payment and we’ll reopen the issue. + + _Thank you for understanding,_ + **The CIPP Team** + + # 3) If the comment includes '!support', classify as a support request + - name: Reply to !support + if: contains(github.event.comment.body, '!support') + uses: peter-evans/create-or-update-comment@v3 + with: + issue-number: ${{ github.event.issue.number }} + body: | + Hello, + + Thank you for reaching out! This report has been classified as a **support request** rather than a bug or feature request. To keep our development process focused, support requests are limited to paying users. This policy allows us to prioritize resources for those actively supporting CIPP, helping us maintain high-quality development and support. + + Sponsors can contact our helpdesk directly via email for assistance with any issues or questions. For non-sponsor support, please refer to our documentation and community discussions—many questions have been answered there. + + **Did you get this notification in error?** Reply with a screenshot of your sponsorship payment, and we’ll gladly reopen the request. + + _Thank you for your understanding,_ + **The CIPP Team** + + # 4) If the comment includes '!incomplete', note the bug or feature request is incomplete + - name: Reply to !incomplete + if: contains(github.event.comment.body, '!incomplete') + uses: peter-evans/create-or-update-comment@v3 + with: + issue-number: ${{ github.event.issue.number }} + body: | + Hello, + + Thank you for your submission! It appears this **bug report or feature request is incomplete**. We need a clear description, steps to reproduce (for bugs), or a comprehensive overview of the requested feature. + + Please submit a new request with all the necessary details. Without sufficient information, it’s difficult for contributors to triage or implement solutions. + + _Thank you!_ + **The CIPP Team** 
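Review bot: Nothing in `handle_comment` checks who wrote the comment, so anyone able to comment on an issue can type `!notasponsor`, `!support` or `!incomplete` and have the workflow post the canned reply with its `issues: write` token (and, for `!notasponsor`, delete the triggering comment). Gate the job on the commenter's association by adding `if: contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` under `handle_comment:`. Also, `peter-evans/create-or-update-comment@v3` is referenced by a mutable tag while the job holds a write token, so pinning it to a full commit SHA would be safer. Both the `!notasponsor` and `!support` replies ask users to post a screenshot of a sponsorship payment on the issue, which puts billing details in what is presumably a public thread; the helpdesk e-mail mentioned in the `!support` reply would be a better channel. The `!notasponsor` text says the request has been closed, but no step in this workflow closes the issue.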
diff --git a/.github/workflows/dev_deploy.yml b/.github/workflows/dev_deploy.yml deleted file mode 100644 index 01fd002acea0..000000000000 --- a/.github/workflows/dev_deploy.yml +++ /dev/null @@ -1,41 +0,0 @@ -name: CIPP Development Frontend CI/CD - -on: - push: - branches: - - dev - -jobs: - build_and_deploy_job: - if: github.event.repository.fork == false && github.event_name == 'push' - runs-on: ubuntu-latest - name: Build and Deploy Job - steps: - - uses: actions/checkout@v4 - with: - submodules: true - - name: Build And Deploy - id: builddeploy - uses: Azure/static-web-apps-deploy@v1 - with: - azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_AMBITIOUS_MOSS_0A047A40F }} # change this to your repository secret name - repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments) - action: 'upload' - ###### Repository/Build Configurations - These values can be configured to match your app requirements. ###### - # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig - app_location: '/' # App source code path - api_location: '' # Api source code path - optional - output_location: 'out' # Built app content directory - optional - ###### End of Repository/Build Configurations ###### - - close_pull_request_job: - if: github.event.repository.fork == false && github.event_name == 'pull_request' && github.event.action == 'closed' - runs-on: ubuntu-latest - name: Close Pull Request Job - steps: - - name: Close Pull Request - id: closepullrequest - uses: Azure/static-web-apps-deploy@v1 - with: - azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_AMBITIOUS_MOSS_0A047A40F }} # change this to your repository secret name - action: 'close' 
diff --git a/.github/workflows/PR_Branch_Check.yml b/.github/workflows/pr_check.yml similarity index 88% rename from .github/workflows/PR_Branch_Check.yml rename to .github/workflows/pr_check.yml index 06c2f6774a39..0d9e2fd7abcd 100644 --- a/.github/workflows/PR_Branch_Check.yml +++ b/.github/workflows/pr_check.yml @@ -16,14 +16,13 @@ permissions: jobs: check-branch: - if: github.event.repository.fork == false runs-on: ubuntu-latest steps: - name: Check and Comment on PR # Only process fork PRs with specific branch conditions # Must be a fork AND (source is main/master OR target is main/master) if: | - github.event.pull_request.head.repo.fork == true && + github.event.pull_request.head.repo.fork == true && ((github.event.pull_request.head.ref == 'main' || github.event.pull_request.head.ref == 'master') || (github.event.pull_request.base.ref == 'main' || github.event.pull_request.base.ref == 'master')) uses: actions/github-script@v7 @@ -32,7 +31,7 @@ jobs: script: | let message = ''; - message += '🔄 If you are attempting to update your CIPP repo please follow the instructions at: https://docs.cipp.app/setup/self-hosting-guide/updating '; + message += '🔄 If you are attempting to update your CIPP repo please follow the instructions at: https://docs.cipp.app/setup/self-hosting-guide/updating. Are you a sponsor? Contact the helpdesk for direct assistance with updating to the latest version.'; message += '\n\n'; // Check if PR is targeting main/master 
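Review bot: Removing the job-level `if: github.event.repository.fork == false` in the first pr_check.yml hunk lets `check-branch` run in forked copies of this repository as well, where it would comment on and close pull requests there. The remaining step-level condition only tests `github.event.pull_request.head.repo.fork`, which describes the PR's source rather than where the workflow is running. If the guard was removed only to tidy up, consider `if: github.repository_owner == 'KelvinTegelaar'` on the job instead. The workflow's trigger and `permissions` block are outside the hunk, so this is inferred from the visible lines.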
@@ -41,20 +40,20 @@ jobs: } // Check if PR is from a fork's main/master branch - if (context.payload.pull_request.head.repo.fork && + if (context.payload.pull_request.head.repo.fork && (context.payload.pull_request.head.ref === 'main' || context.payload.pull_request.head.ref === 'master')) { message += '⚠️ This PR cannot be merged because it originates from your fork\'s main/master branch. If you are attempting to contribute code please PR from your dev branch or another non-main/master branch.\n\n'; } - message += '🔒 This PR will now be automatically closed due to the above violation(s).'; - + message += '🔒 This PR will now be automatically closed due to the above rules.'; + // Post the comment await github.rest.issues.createComment({ ...context.repo, issue_number: context.issue.number, body: message }); - + // Close the PR await github.rest.pulls.update({ ...context.repo, diff --git a/README.md b/README.md index c9d878457c36..29ef370db018 100644 --- a/README.md +++ b/README.md 
@@ -1 +1,13 @@ -#Replace with CIPPREadMe \ No newline at end of file +![CyberDrain Light](github_assets/img/CIPP.png#gh-dark-mode-only) +![CyberDrain Dark](github_assets/img/CIPP-Light.png#gh-light-mode-only) + +# What is this? + +The CyberDrain Improved Partner Portal is a portal to help manage administration for Microsoft Partners. The current Microsoft partner landscape makes it fairly hard to manage multi tenant situations, with loads of manual work. Microsoft Lighthouse might resolve this in the future but development of this is lagging far behind development of the current market for Microsoft Partners. +This project is a way to help you with administration, with user management, and deploying your own preferred standards. It's not a replacement for security tools, or a way to cut costs on specific subscriptions. The tool should assist you in removing the gripes with standard partner management and save you several hours per engineer per month. +For more information, we recommend checking out our website [here](https://cipp.app) +For detailed documentation about features of CIPP, please check out our [documentation.](https://docs.cipp.app) + +# Our sponsors + +You can find our sponsors [here.](https://docs.cipp.app/#our-sponsors) diff --git a/github_assets/img/CIPP-Light.png b/github_assets/img/CIPP-Light.png new file mode 100644 index 000000000000..6d9ad4e7fad4 Binary files /dev/null and b/github_assets/img/CIPP-Light.png differ diff --git a/github_assets/img/CIPP.png b/github_assets/img/CIPP.png new file mode 100644 index 000000000000..c3cec15dd468 Binary files /dev/null and b/github_assets/img/CIPP.png differ diff --git a/github_assets/img/CyberDrain.png b/github_assets/img/CyberDrain.png new file mode 100644 index 000000000000..e27dbdacd2f2 Binary files /dev/null and b/github_assets/img/CyberDrain.png differ 
diff --git a/github_assets/img/Genuine-logo-vertical-light.png b/github_assets/img/Genuine-logo-vertical-light.png new file mode 100644 index 000000000000..9742b901b31a Binary files /dev/null and b/github_assets/img/Genuine-logo-vertical-light.png differ diff --git a/github_assets/img/Genuine-logo-vertical-light_dark.png b/github_assets/img/Genuine-logo-vertical-light_dark.png new file mode 100644 index 000000000000..9742b901b31a Binary files /dev/null and b/github_assets/img/Genuine-logo-vertical-light_dark.png differ diff --git a/github_assets/img/Huntress.png b/github_assets/img/Huntress.png new file mode 100644 index 000000000000..8fe7421ba341 Binary files /dev/null and b/github_assets/img/Huntress.png differ diff --git a/github_assets/img/Immybot.png b/github_assets/img/Immybot.png new file mode 100644 index 000000000000..66a115fda14d Binary files /dev/null and b/github_assets/img/Immybot.png differ diff --git a/github_assets/img/Logo.png b/github_assets/img/Logo.png new file mode 100644 index 000000000000..8caed1332233 Binary files /dev/null and b/github_assets/img/Logo.png differ diff --git a/github_assets/img/NinjaOne-Dark.png b/github_assets/img/NinjaOne-Dark.png new file mode 100644 index 000000000000..3a4f69f76ce3 Binary files /dev/null and b/github_assets/img/NinjaOne-Dark.png differ diff --git a/github_assets/img/NinjaOne-Light.png b/github_assets/img/NinjaOne-Light.png new file mode 100644 index 000000000000..289fe66e3f61 Binary files /dev/null and b/github_assets/img/NinjaOne-Light.png differ diff --git a/github_assets/img/favicon.png b/github_assets/img/favicon.png new file mode 100644 index 000000000000..8caed1332233 Binary files /dev/null and b/github_assets/img/favicon.png differ diff --git a/github_assets/img/halopsa-red-grey.svg b/github_assets/img/halopsa-red-grey.svg new file mode 100644 index 000000000000..9d45a2b5d619 --- /dev/null +++ b/github_assets/img/halopsa-red-grey.svg @@ -0,0 +1 @@ + \ No newline at end of file 
diff --git a/github_assets/img/oitpsonsor_light.png b/github_assets/img/oitpsonsor_light.png new file mode 100644 index 000000000000..c023f4c94f98 Binary files /dev/null and b/github_assets/img/oitpsonsor_light.png differ diff --git a/github_assets/img/oitpsonsor_light.webp b/github_assets/img/oitpsonsor_light.webp new file mode 100644 index 000000000000..8c36621827e3 Binary files /dev/null and b/github_assets/img/oitpsonsor_light.webp differ diff --git a/github_assets/img/profilepic.png b/github_assets/img/profilepic.png new file mode 100644 index 000000000000..31dc9315eac7 Binary files /dev/null and b/github_assets/img/profilepic.png differ diff --git a/github_assets/screenshots/AssignLicense.gif b/github_assets/screenshots/AssignLicense.gif new file mode 100644 index 000000000000..100ab1be673c Binary files /dev/null and b/github_assets/screenshots/AssignLicense.gif differ diff --git a/github_assets/screenshots/IntunePolicyEngine.gif b/github_assets/screenshots/IntunePolicyEngine.gif new file mode 100644 index 000000000000..f135793b975f Binary files /dev/null and b/github_assets/screenshots/IntunePolicyEngine.gif differ diff --git a/github_assets/screenshots/MyChocoApp.gif b/github_assets/screenshots/MyChocoApp.gif new file mode 100644 index 000000000000..e41581103e55 Binary files /dev/null and b/github_assets/screenshots/MyChocoApp.gif differ diff --git a/github_assets/screenshots/OffboardUser.gif b/github_assets/screenshots/OffboardUser.gif new file mode 100644 index 000000000000..18ea7c37cbae Binary files /dev/null and b/github_assets/screenshots/OffboardUser.gif differ diff --git a/github_assets/screenshots/SetStandard.gif b/github_assets/screenshots/SetStandard.gif new file mode 100644 index 000000000000..64bc063bd14c Binary files /dev/null and b/github_assets/screenshots/SetStandard.gif differ 
diff --git a/github_assets/screenshots/Teams.gif b/github_assets/screenshots/Teams.gif new file mode 100644 index 000000000000..20465a3114a8 Binary files /dev/null and b/github_assets/screenshots/Teams.gif differ diff --git a/src/data/standards.json b/src/data/standards.json index 616a60642fe4..b027c365d60b 100644 --- a/src/data/standards.json +++ b/src/data/standards.json @@ -2,7 +2,7 @@ { "name": "standards.MailContacts", "cat": "Global Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Defines the email address to receive general updates and information related to M365 subscriptions. Leave a contact field blank if you do not want to update the contact information.", "docsDescription": "", "addedComponent": [ @@ -40,7 +40,7 @@ { "name": "standards.AuditLog", "cat": "Global Standards", - "tag": ["lowimpact", "CIS", "mip_search_auditlog"], + "tag": ["CIS", "mip_search_auditlog"], "helpText": "Enables the Unified Audit Log for tracking and auditing activities. Also runs Enable-OrganizationCustomization if necessary.", "addedComponent": [], "label": "Enable the Unified Audit Log", @@ -52,7 +52,7 @@ { "name": "standards.ProfilePhotos", "cat": "Global Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Controls whether users can set their own profile photos in Microsoft 365.", "docsDescription": "Controls whether users can set their own profile photos in Microsoft 365. When disabled, only User and Global administrators can update profile photos for users.", "addedComponent": [ 
@@ -83,7 +83,7 @@ { "name": "standards.PhishProtection", "cat": "Global Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Adds branding to the logon page that only appears if the url is not login.microsoftonline.com. This potentially prevents AITM attacks via EvilNginx. This will also automatically generate alerts if a clone of your login page has been found when set to Remediate.", "addedComponent": [], "label": "Enable Phishing Protection system via branding CSS", @@ -100,7 +100,7 @@ { "name": "standards.Branding", "cat": "Global Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Sets the branding for the tenant. This includes the login page, and the Office 365 portal.", "addedComponent": [ { @@ -156,7 +156,7 @@ { "name": "standards.EnableCustomerLockbox", "cat": "Global Standards", - "tag": ["lowimpact", "CIS", "CustomerLockBoxEnabled"], + "tag": ["CIS", "CustomerLockBoxEnabled"], "helpText": "Enables Customer Lockbox that offers an approval process for Microsoft support to access organization data", "docsDescription": "Customer Lockbox ensures that Microsoft can't access your content to do service operations without your explicit approval. Customer Lockbox ensures only authorized requests allow access to your organizations data.", "addedComponent": [], @@ -169,7 +169,7 @@ { "name": "standards.EnablePronouns", "cat": "Global Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Enables the Pronouns feature for the tenant. This allows users to set their pronouns in their profile.", "addedComponent": [], "label": "Enable Pronouns", 
@@ -181,7 +181,7 @@ { "name": "standards.AnonReportDisable", "cat": "Global Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Shows usernames instead of pseudo anonymised names in reports. This standard is required for reporting to work correctly.", "docsDescription": "Microsoft announced some APIs and reports no longer return names, to comply with compliance and legal requirements in specific countries. This proves an issue for a lot of MSPs because those reports are often helpful for engineers. This standard applies a setting that shows usernames in those API calls / reports.", "addedComponent": [], @@ -194,7 +194,7 @@ { "name": "standards.DisableGuestDirectory", "cat": "Global Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Disables Guest access to enumerate directory objects. This prevents guest users from seeing other users or guests in the directory.", "docsDescription": "Sets it so guests can view only their own user profile. Permission to view other users isn't allowed. Also restricts guest users from seeing the membership of groups they're in. See exactly what get locked down in the [Microsoft documentation.](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions)", "addedComponent": [], @@ -220,7 +220,7 @@ { "name": "standards.ActivityBasedTimeout", "cat": "Global Standards", - "tag": ["mediumimpact", "CIS", "spo_idle_session_timeout"], + "tag": ["CIS", "spo_idle_session_timeout"], "helpText": "Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps", "addedComponent": [ { 
@@ -262,7 +262,7 @@ { "name": "standards.AuthMethodsSettings", "cat": "Entra (AAD) Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Configures the report suspicious activity settings and system credential preferences in the authentication methods policy.", "docsDescription": "Controls the authentication methods policy settings for reporting suspicious activity and system credential preferences. These settings help enhance the security of authentication in your organization.", "addedComponent": [ @@ -320,7 +320,7 @@ { "name": "standards.AppDeploy", "cat": "Entra (AAD) Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Deploys selected applications to the tenant. Use a comma separated list of application IDs to deploy multiple applications. Permissions will be copied from the source application.", "docsDescription": "Uses the CIPP functionality that deploys applications across an entire tenant base as a standard.", "addedComponent": [ @@ -339,7 +339,7 @@ { "name": "standards.laps", "cat": "Entra (AAD) Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Enables the tenant to use LAPS. You must still create a policy for LAPS to be active on all devices. Use the template standards to deploy this by default.", "docsDescription": "Enables the LAPS functionality on the tenant. Prerequisite for using Windows LAPS via Azure AD.", "addedComponent": [], @@ -352,7 +352,7 @@ { "name": "standards.PWdisplayAppInformationRequiredState", "cat": "Entra (AAD) Standards", - "tag": ["lowimpact", "CIS"], + "tag": ["CIS"], "helpText": "Enables the MS authenticator app to display information about the app that is requesting authentication. This displays the application name.", "docsDescription": "Allows users to use Passwordless with Number Matching and adds location information from the last request", "addedComponent": [], 
@@ -365,7 +365,7 @@ { "name": "standards.allowOTPTokens", "cat": "Entra (AAD) Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Allows you to use MS authenticator OTP token generator", "docsDescription": "Allows you to use Microsoft Authenticator OTP token generator. Useful for using the NPS extension as MFA on VPN clients.", "addedComponent": [], @@ -378,7 +378,7 @@ { "name": "standards.PWcompanionAppAllowedState", "cat": "Entra (AAD) Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Sets the state of Authenticator Lite, Authenticator lite is a companion app for passwordless authentication.", "docsDescription": "Sets the Authenticator Lite state to enabled. This allows users to use the Authenticator Lite built into the Outlook app instead of the full Authenticator app.", "addedComponent": [ @@ -409,7 +409,7 @@ { "name": "standards.EnableFIDO2", "cat": "Entra (AAD) Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Enables the FIDO2 authenticationMethod for the tenant", "docsDescription": "Enables FIDO2 capabilities for the tenant. This allows users to use FIDO2 keys like a Yubikey for authentication.", "addedComponent": [], @@ -422,7 +422,7 @@ { "name": "standards.EnableHardwareOAuth", "cat": "Entra (AAD) Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Enables the HardwareOath authenticationMethod for the tenant. This allows you to use hardware tokens for generating 6 digit MFA codes.", "docsDescription": "Enables Hardware OAuth tokens for the tenant. This allows users to use hardware tokens like a Yubikey for authentication.", "addedComponent": [], 
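Review bot: The context lines of `standards.EnableHardwareOAuth` mix up OATH and OAuth: `helpText` says "HardwareOath authenticationMethod" while `docsDescription` says "Hardware OAuth tokens". The `standards.allowOAuthTokens` hunk (`@@ -435,7 +435,7 @@`) likewise says "software OAuth token generator" for what its own `docsDescription` calls OTP codes. One-time-code tokens are OATH (TOTP/HOTP); OAuth is an authorization protocol, so the text can mislead an admin choosing MFA methods. Suggest `Enables hardware OATH tokens for the tenant.` and `Allows you to use any software OATH token generator`. The entry names are identifiers and should stay as they are.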
@@ -435,7 +435,7 @@ { "name": "standards.allowOAuthTokens", "cat": "Entra (AAD) Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Allows you to use any software OAuth token generator", "docsDescription": "Enables OTP Software OAuth tokens for the tenant. This allows users to use OTP codes generated via software, like a password manager to be used as an authentication method.", "addedComponent": [], @@ -448,7 +448,7 @@ { "name": "standards.TAP", "cat": "Entra (AAD) Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Enables TAP and sets the default TAP lifetime to 1 hour. This configuration also allows you to select if a TAP is single use or multi-logon.", "docsDescription": "Enables Temporary Password generation for the tenant.", "addedComponent": [ @@ -479,7 +479,7 @@ { "name": "standards.PasswordExpireDisabled", "cat": "Entra (AAD) Standards", - "tag": ["lowimpact", "CIS", "PWAgePolicyNew"], + "tag": ["CIS", "PWAgePolicyNew"], "helpText": "Disables the expiration of passwords for the tenant by setting the password expiration policy to never expire for any user.", "docsDescription": "Sets passwords to never expire for tenant, recommended to use in conjunction with secure password requirements.", "addedComponent": [], @@ -492,7 +492,7 @@ { "name": "standards.ExternalMFATrusted", "cat": "Entra (AAD) Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Sets the state of the Cross-tenant access setting to trust external MFA. This allows guest users to use their home tenant MFA to access your tenant.", "addedComponent": [ { @@ -522,7 +522,7 @@ { "name": "standards.DisableTenantCreation", "cat": "Entra (AAD) Standards", - "tag": ["lowimpact", "CIS"], + "tag": ["CIS"], "helpText": "Restricts creation of M365 tenants to the Global Administrator or Tenant Creator roles. ", "docsDescription": "Users by default are allowed to create M365 tenants. This disables that so only admins can create new M365 tenants.", "addedComponent": [], 
@@ -535,7 +535,7 @@ { "name": "standards.EnableAppConsentRequests", "cat": "Entra (AAD) Standards", - "tag": ["lowimpact", "CIS"], + "tag": ["CIS"], "helpText": "Enables App consent admin requests for the tenant via the GA role. Does not overwrite existing reviewer settings", "docsDescription": "Enables the ability for users to request admin consent for applications. Should be used in conjunction with the \"Require admin consent for applications\" standards", "addedComponent": [ @@ -554,7 +554,7 @@ { "name": "standards.NudgeMFA", "cat": "Entra (AAD) Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Sets the state of the registration campaign for the tenant", "docsDescription": "Sets the state of the registration campaign for the tenant. If enabled nudges users to set up the Microsoft Authenticator during sign-in.", "addedComponent": [ @@ -591,7 +591,7 @@ { "name": "standards.DisableM365GroupUsers", "cat": "Entra (AAD) Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Restricts M365 group creation to certain admin roles. This disables the ability to create Teams, SharePoint sites, Planner, etc", "docsDescription": "Users by default are allowed to create M365 groups. This restricts M365 group creation to certain admin roles. This disables the ability to create Teams, SharePoint sites, Planner, etc", "addedComponent": [], @@ -604,7 +604,7 @@ { "name": "standards.DisableAppCreation", "cat": "Entra (AAD) Standards", - "tag": ["lowimpact", "CIS"], + "tag": ["CIS"], "helpText": "Disables the ability for users to create App registrations in the tenant.", "docsDescription": "Disables the ability for users to create applications in Entra. Done to prevent breached accounts from creating an app to maintain access to the tenant, even after the breached account has been secured.", "addedComponent": [], 
@@ -672,7 +672,7 @@ { "name": "standards.OauthConsent", "cat": "Entra (AAD) Standards", - "tag": ["mediumimpact", "CIS"], + "tag": ["CIS"], "helpText": "Disables users from being able to consent to applications, except for those specified in the field below", "docsDescription": "Requires users to get administrator consent before sharing data with applications. You can preapprove specific applications.", "addedComponent": [ @@ -692,7 +692,7 @@ { "name": "standards.OauthConsentLowSec", "cat": "Entra (AAD) Standards", - "tag": ["mediumimpact", "IntegratedApps"], + "tag": ["IntegratedApps"], "helpText": "Sets the default oauth consent level so users can consent to applications that have low risks.", "docsDescription": "Allows users to consent to applications with low assigned risk.", "label": "Allow users to consent to applications with low security risk (Prevent OAuth phishing. Lower impact, less secure)", @@ -743,7 +743,7 @@ { "name": "standards.StaleEntraDevices", "cat": "Entra (AAD) Standards", - "tag": ["highimpact", "CIS"], + "tag": ["CIS"], "helpText": "Cleans up Entra devices that have not connected/signed in for the specified number of days.", "docsDescription": "Cleans up Entra devices that have not connected/signed in for the specified number of days. First disables and later deletes the devices. More info can be found in the [Microsoft documentation](https://learn.microsoft.com/en-us/entra/identity/devices/manage-stale-devices)", "addedComponent": [ @@ -868,7 +868,7 @@ { "name": "standards.OutBoundSpamAlert", "cat": "Exchange Standards", - "tag": ["lowimpact", "CIS"], + "tag": ["CIS"], "helpText": "Set the Outbound Spam Alert e-mail address", "docsDescription": "Sets the e-mail address to which outbound spam alerts are sent.", "addedComponent": [ 
@@ -887,7 +887,7 @@ { "name": "standards.MessageExpiration", "cat": "Exchange Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Sets the transport message configuration to timeout a message at 12 hours.", "docsDescription": "Expires messages in the transport queue after 12 hours. Makes the NDR for failed messages show up faster for users. Default is 24 hours.", "addedComponent": [], @@ -900,7 +900,7 @@ { "name": "standards.GlobalQuarantineNotifications", "cat": "Exchange Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Sets the Global Quarantine Notification Interval to the selected value. Determines how often the quarantine notification is sent to users.", "docsDescription": "Sets the global quarantine notification interval for the tenant. This is the time between the quarantine notification emails are sent out to users. Default is 24 hours.", "addedComponent": [ @@ -934,7 +934,7 @@ { "name": "standards.DisableTNEF", "cat": "Exchange Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Disables Transport Neutral Encapsulation Format (TNEF)/winmail.dat for the tenant. TNEF can cause issues if the recipient is not using a client supporting TNEF.", "docsDescription": "Disables Transport Neutral Encapsulation Format (TNEF)/winmail.dat for the tenant. TNEF can cause issues if the recipient is not using a client supporting TNEF. Cannot be overridden by the user. For more information, see [Microsoft's documentation.](https://learn.microsoft.com/en-us/exchange/mail-flow/content-conversion/tnef-conversion?view=exchserver-2019)", "addedComponent": [], 
@@ -947,7 +947,7 @@ { "name": "standards.FocusedInbox", "cat": "Exchange Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Sets the default Focused Inbox state for the tenant. This can be overridden by the user.", "docsDescription": "Sets the default Focused Inbox state for the tenant. This can be overridden by the user in their Outlook settings. For more information, see [Microsoft's documentation.](https://support.microsoft.com/en-us/office/focused-inbox-for-outlook-f445ad7f-02f4-4294-a82e-71d8964e3978)", "addedComponent": [ @@ -977,7 +977,7 @@ { "name": "standards.CloudMessageRecall", "cat": "Exchange Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Sets the Cloud Message Recall state for the tenant. This allows users to recall messages from the cloud.", "docsDescription": "Sets the default state for Cloud Message Recall for the tenant. By default this is enabled. You can read more about the feature [here.](https://techcommunity.microsoft.com/t5/exchange-team-blog/cloud-based-message-recall-in-exchange-online/ba-p/3744714)", "addedComponent": [ @@ -1007,7 +1007,7 @@ { "name": "standards.AutoExpandArchive", "cat": "Exchange Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Enables auto-expanding archives for the tenant", "docsDescription": "Enables auto-expanding archives for the tenant. Does not enable archives for users.", "addedComponent": [], @@ -1020,7 +1020,7 @@ { "name": "standards.EnableOnlineArchiving", "cat": "Exchange Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Enables the In-Place Online Archive for all UserMailboxes with a valid license.", "addedComponent": [], "label": "Enable Online Archive for all users", @@ -1032,7 +1032,7 @@ { "name": "standards.EnableLitigationHold", "cat": "Exchange Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Enables litigation hold for all UserMailboxes with a valid license.", "addedComponent": [], "label": "Enable Litigation Hold for all users", 
@@ -1044,7 +1044,7 @@ { "name": "standards.SpoofWarn", "cat": "Exchange Standards", - "tag": ["lowimpact", "CIS"], + "tag": ["CIS"], "helpText": "Adds or removes indicators to e-mail messages received from external senders in Outlook. Works on all Outlook clients/OWA", "docsDescription": "Adds or removes indicators to e-mail messages received from external senders in Outlook. You can read more about this feature on [Microsoft's Exchange Team Blog.](https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098)", "addedComponent": [ @@ -1074,7 +1074,7 @@ { "name": "standards.EnableMailTips", "cat": "Exchange Standards", - "tag": ["lowimpact", "CIS", "exo_mailtipsenabled"], + "tag": ["CIS", "exo_mailtipsenabled"], "helpText": "Enables all MailTips in Outlook. MailTips are the notifications Outlook and Outlook on the web shows when an email you create, meets some requirements", "addedComponent": [ { @@ -1094,7 +1094,7 @@ { "name": "standards.TeamsMeetingsByDefault", "cat": "Exchange Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Sets the default state for automatically turning meetings into Teams meetings for the tenant. This can be overridden by the user in Outlook.", "addedComponent": [ { @@ -1123,7 +1123,7 @@ { "name": "standards.DisableViva", "cat": "Exchange Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Disables the daily viva reports for all users.", "docsDescription": "", "addedComponent": [], @@ -1136,7 +1136,7 @@ { "name": "standards.RotateDKIM", "cat": "Exchange Standards", - "tag": ["lowimpact", "CIS"], + "tag": ["CIS"], "helpText": "Rotate DKIM keys that are 1024 bit to 2048 bit", "addedComponent": [], "label": "Rotate DKIM keys that are 1024 bit to 2048 bit", 
@@ -1148,7 +1148,7 @@ { "name": "standards.AddDKIM", "cat": "Exchange Standards", - "tag": ["lowimpact", "CIS"], + "tag": ["CIS"], "helpText": "Enables DKIM for all domains that currently support it", "addedComponent": [], "label": "Enables DKIM for all domains that currently support it", @@ -1160,7 +1160,7 @@ { "name": "standards.EnableMailboxAuditing", "cat": "Exchange Standards", - "tag": ["lowimpact", "CIS", "exo_mailboxaudit"], + "tag": ["CIS", "exo_mailboxaudit"], "helpText": "Enables Mailbox auditing for all mailboxes and on tenant level. Disables audit bypass on all mailboxes. Unified Audit Log needs to be enabled for this standard to function.", "docsDescription": "Enables mailbox auditing on tenant level and for all mailboxes. Disables audit bypass on all mailboxes. By default Microsoft does not enable mailbox auditing for Resource Mailboxes, Public Folder Mailboxes and DiscoverySearch Mailboxes. Unified Audit Log needs to be enabled for this standard to function.", "addedComponent": [], @@ -1173,7 +1173,7 @@ { "name": "standards.SendReceiveLimitTenant", "cat": "Exchange Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Sets the Send and Receive limits for new users. Valid values are 1MB to 150MB", "addedComponent": [ { @@ -1198,7 +1198,7 @@ { "name": "standards.calDefault", "cat": "Exchange Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Sets the default sharing level for the default calendar, for all users", "docsDescription": "Sets the default sharing level for the default calendar for all users in the tenant. You can read about the different sharing levels [here.](https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxfolderpermission?view=exchange-ps#-accessrights)", "disabledFeatures": { 
@@ -1269,7 +1269,7 @@ { "name": "standards.DisableExternalCalendarSharing", "cat": "Exchange Standards", - "tag": ["lowimpact", "CIS", "exo_individualsharing"], + "tag": ["CIS", "exo_individualsharing"], "helpText": "Disables the ability for users to share their calendar with external users. Only for the default policy, so exclusions can be made if needed.", "docsDescription": "Disables external calendar sharing for the entire tenant. This is not a widely used feature, and it's therefore unlikely that this will impact users. Only for the default policy, so exclusions can be made if needed by making a new policy and assigning it to users.", "addedComponent": [], @@ -1282,7 +1282,7 @@ { "name": "standardsAutoAddProxy", "cat": "Exchange Standards", - "tag": ["lowimpact", "CIS"], + "tag": ["CIS"], "helpText": "Automatically adds all available domains as a proxy address.", "docsDescription": "Automatically finds all available domain names in the tenant, and tries to add proxyaddresses based on the users UPN to each of these.", "addedComponent": [], @@ -1294,7 +1294,7 @@ { "name": "standards.DisableAdditionalStorageProviders", "cat": "Exchange Standards", - "tag": ["lowimpact", "CIS", "exo_storageproviderrestricted"], + "tag": ["CIS", "exo_storageproviderrestricted"], "helpText": "Disables the ability for users to open files in Outlook on the Web, from other providers such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.", "docsDescription": "Disables additional storage providers in OWA. This is to prevent users from using personal storage providers like Dropbox, Google Drive, etc. Usually this has little user impact.", "addedComponent": [], 
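Review bot: In the `@@ -1282,7 +1282,7 @@` hunk the entry is named `standardsAutoAddProxy`, without the dot that every other entry in this diff carries (`standards.AuditLog`, `standards.SpoofWarn`, and so on). If consumers resolve a standard by its `standards.` prefix, this entry would not match. If the backend really expects the undotted name, renaming it would break existing references, so confirm which applies before changing it. If it is a typo, the line becomes `"name": "standards.AutoAddProxy",`.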
@@ -1382,7 +1382,7 @@ { "name": "standards.DisableOutlookAddins", "cat": "Exchange Standards", - "tag": ["mediumimpact", "CIS", "exo_outlookaddins"], + "tag": ["CIS", "exo_outlookaddins"], "helpText": "Disables the ability for users to install add-ins in Outlook. This is to prevent users from installing malicious add-ins.", "docsDescription": "Disables users from being able to install add-ins in Outlook. Only admins are able to approve add-ins for the users. This is done to reduce the threat surface for data exfiltration.", "addedComponent": [], @@ -1480,7 +1480,7 @@ { "name": "standards.DisableSharedMailbox", "cat": "Exchange Standards", - "tag": ["mediumimpact", "CIS"], + "tag": ["CIS"], "helpText": "Blocks login for all accounts that are marked as a shared mailbox. This is Microsoft best practice to prevent direct logons to shared mailboxes.", "docsDescription": "Shared mailboxes can be directly logged into if the password is reset, this presents a security risk as do all shared login credentials. Microsoft's recommendation is to disable the user account for shared mailboxes. It would be a good idea to review the sign-in reports to establish potential impact.", "addedComponent": [], @@ -1493,7 +1493,7 @@ { "name": "standards.EXODisableAutoForwarding", "cat": "Exchange Standards", - "tag": ["highimpact", "CIS", "mdo_autoforwardingmode", "mdo_blockmailforward"], + "tag": ["CIS", "mdo_autoforwardingmode", "mdo_blockmailforward"], "helpText": "Disables the ability for users to automatically forward e-mails to external recipients.", "docsDescription": "Disables the ability for users to automatically forward e-mails to external recipients. This is to prevent data exfiltration. Please check if there are any legitimate use cases for this feature before implementing, like forwarding invoices and such.", "addedComponent": [], 
@@ -1526,7 +1526,7 @@ { "name": "standards.QuarantineRequestAlert", "cat": "Defender Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Sets a e-mail address to alert when a User requests to release a quarantined message.", "docsDescription": "Sets a e-mail address to alert when a User requests to release a quarantined message. This is useful for monitoring and ensuring that the correct messages are released.", "addedComponent": [ @@ -1545,7 +1545,7 @@ { "name": "standards.SafeLinksPolicy", "cat": "Defender Standards", - "tag": ["lowimpact", "CIS", "mdo_safelinksforemail", "mdo_safelinksforOfficeApps"], + "tag": ["CIS", "mdo_safelinksforemail", "mdo_safelinksforOfficeApps"], "helpText": "This creates a safelink policy that automatically scans, tracks, and and enables safe links for Email, Office, and Teams for both external and internal senders", "addedComponent": [ { @@ -1574,7 +1574,6 @@ "name": "standards.AntiPhishPolicy", "cat": "Defender Standards", "tag": [ - "lowimpact", "CIS", "mdo_safeattachments", "mdo_highconfidencespamaction", @@ -1783,7 +1782,6 @@ "name": "standards.SafeAttachmentPolicy", "cat": "Defender Standards", "tag": [ - "lowimpact", "CIS", "mdo_safedocuments", "mdo_commonattachmentsfilter", @@ -1852,7 +1850,7 @@ { "name": "standards.AtpPolicyForO365", "cat": "Defender Standards", - "tag": ["lowimpact", "CIS"], + "tag": ["CIS"], "helpText": "This creates a Atp policy that enables Defender for Office 365 for SharePoint, OneDrive and Microsoft Teams.", "addedComponent": [ { @@ -1872,7 +1870,7 @@ { "name": "standards.MalwareFilterPolicy", "cat": "Defender Standards", - "tag": ["lowimpact", "CIS", "mdo_zapspam", "mdo_zapphish", "mdo_zapmalware"], + "tag": ["CIS", "mdo_zapspam", "mdo_zapphish", "mdo_zapmalware"], "helpText": "This creates a Malware filter policy that enables the default File filter and Zero-hour auto purge for malware.", "addedComponent": [ { 
@@ -2152,7 +2150,7 @@ { "name": "standards.intuneDeviceRetirementDays", "cat": "Intune Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "A value between 0 and 270 is supported. A value of 0 disables retirement, retired devices are removed from Intune after the specified number of days.", "addedComponent": [ { @@ -2170,7 +2168,7 @@ { "name": "standards.intuneBrandingProfile", "cat": "Intune Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Sets the branding profile for the Intune Company Portal app. This is a tenant wide setting and overrules any settings set on the app level.", "addedComponent": [ { @@ -2242,7 +2240,7 @@ { "name": "standards.IntuneComplianceSettings", "cat": "Intune Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Sets the mark devices with no compliance policy assigned as compliance/non compliant and Compliance status validity period.", "addedComponent": [ { @@ -2307,7 +2305,7 @@ { "name": "standards.DeletedUserRentention", "cat": "SharePoint Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Sets the retention period for deleted users OneDrive to the specified period of time. The default is 30 days.", "docsDescription": "When a OneDrive user gets deleted, the personal SharePoint site is saved for selected amount of time that data can be retrieved from it.", "addedComponent": [ @@ -2377,7 +2375,7 @@ { "name": "standards.TenantDefaultTimezone", "cat": "SharePoint Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Sets the default timezone for the tenant. This will be used for all new users and sites.", "addedComponent": [ { @@ -2395,7 +2393,7 @@ { "name": "standards.SPAzureB2B", "cat": "SharePoint Standards", - "tag": ["lowimpact", "CIS"], + "tag": ["CIS"], "helpText": "Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled", "addedComponent": [], "label": "Enable SharePoint and OneDrive integration with Azure AD B2B", 
@@ -2407,7 +2405,7 @@ { "name": "standards.SPDisallowInfectedFiles", "cat": "SharePoint Standards", - "tag": ["lowimpact", "CIS"], + "tag": ["CIS"], "helpText": "Ensure Office 365 SharePoint infected files are disallowed for download", "addedComponent": [], "label": "Disallow downloading infected files from SharePoint", @@ -2419,7 +2417,7 @@ { "name": "standards.SPDisableLegacyWorkflows", "cat": "SharePoint Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Disables the creation of new SharePoint 2010 and 2013 classic workflows and removes the 'Return to classic SharePoint' link on modern SharePoint list and library pages.", "addedComponent": [], "label": "Disable Legacy Workflows", @@ -2431,7 +2429,7 @@ { "name": "standards.SPDirectSharing", "cat": "SharePoint Standards", - "tag": ["mediumimpact", "CIS"], + "tag": ["CIS"], "helpText": "Ensure default link sharing is set to Direct in SharePoint and OneDrive", "addedComponent": [], "label": "Default sharing to Direct users", @@ -2443,7 +2441,7 @@ { "name": "standards.SPExternalUserExpiration", "cat": "SharePoint Standards", - "tag": ["mediumimpact", "CIS"], + "tag": ["CIS"], "helpText": "Ensure guest access to a site or OneDrive will expire automatically", "addedComponent": [ { @@ -2461,7 +2459,7 @@ { "name": "standards.SPEmailAttestation", "cat": "SharePoint Standards", - "tag": ["mediumimpact", "CIS"], + "tag": ["CIS"], "helpText": "Ensure reauthentication with verification code is restricted", "addedComponent": [ { 
@@ -2539,7 +2537,7 @@ { "name": "standards.DisableSharePointLegacyAuth", "cat": "SharePoint Standards", - "tag": ["mediumimpact", "CIS", "spo_legacy_auth"], + "tag": ["CIS", "spo_legacy_auth"], "helpText": "Disables the ability to authenticate with SharePoint using legacy authentication methods. Any applications that use legacy authentication will need to be updated to use modern authentication.", "docsDescription": "Disables the ability for users and applications to access SharePoint via legacy basic authentication. This will likely not have any user impact, but will block systems/applications depending on basic auth or the SharePointOnlineCredentials class.", "addedComponent": [], @@ -2552,7 +2550,7 @@ { "name": "standards.sharingCapability", "cat": "SharePoint Standards", - "tag": ["highimpact", "CIS"], + "tag": ["CIS"], "helpText": "Sets the default sharing level for OneDrive and SharePoint. This is a tenant wide setting and overrules any settings set on the site level", "addedComponent": [ { @@ -2589,7 +2587,7 @@ { "name": "standards.DisableReshare", "cat": "SharePoint Standards", - "tag": ["highimpact", "CIS"], + "tag": ["CIS"], "helpText": "Disables the ability for external users to share files they don't own. Sharing links can only be made for People with existing access", "docsDescription": "Disables the ability for external users to share files they don't own. Sharing links can only be made for People with existing access. This is a tenant wide setting and overrules any settings set on the site level", "addedComponent": [], @@ -2657,7 +2655,7 @@ { "name": "standards.sharingDomainRestriction", "cat": "SharePoint Standards", - "tag": ["highimpact", "CIS"], + "tag": ["CIS"], "helpText": "Restricts sharing to only users with the specified domain. This is useful for organizations that only want to share with their own domain.", "addedComponent": [ { 
@@ -2696,7 +2694,7 @@ { "name": "standards.TeamsGlobalMeetingPolicy", "cat": "Teams Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Defines the CIS recommended global meeting policy for Teams. This includes AllowAnonymousUsersToJoinMeeting, AllowAnonymousUsersToStartMeeting, AutoAdmittedUsers, AllowPSTNUsersToBypassLobby, MeetingChatEnabledType, DesignatedPresenterRoleMode, AllowExternalParticipantGiveRequestControl", "addedComponent": [ { @@ -2762,7 +2760,7 @@ { "name": "standards.TeamsEmailIntegration", "cat": "Teams Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Should users be allowed to send emails directly to a channel email addresses?", "docsDescription": "Teams channel email addresses are an optional feature that allows users to email the Teams channel directly.", "addedComponent": [ @@ -2781,7 +2779,7 @@ { "name": "standards.TeamsExternalFileSharing", "cat": "Teams Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Ensure external file sharing in Teams is enabled for only approved cloud storage services.", "addedComponent": [ { @@ -2819,7 +2817,7 @@ { "name": "standards.TeamsEnrollUser", "cat": "Teams Standards", - "tag": ["lowimpact"], + "tag": [], "helpText": "Controls whether users with this policy can set the voice profile capture and enrollment through the Recognition tab in their Teams client settings.", "docsDescription": "Controls whether users with this policy can set the voice profile capture and enrollment through the Recognition tab in their Teams client settings.", "addedComponent": [ @@ -3020,7 +3018,7 @@ { "name": "standards.AutopilotStatusPage", "cat": "Device Management Standards", - "tag": ["lowimpact"], + "tag": [], "disabledFeatures": { "report": true, "warn": true, @@ -3091,7 +3089,7 @@ { "name": "standards.AutopilotProfile", "cat": "Device Management Standards", - "tag": ["lowimpact"], + "tag": [], "disabledFeatures": { "report": true, "warn": true, 
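Review bot: `standards.TeamsGlobalMeetingPolicy` ends up with `"tag": []` although its `helpText` says it defines the CIS recommended global meeting policy, so a filter on the `CIS` tag would not list it. Whether the tag drives a CIS view or report is not visible in this diff. If it does, the line should read `"tag": ["CIS"],`.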
@@ -3197,7 +3195,7 @@ "warn": true, "remediate": false }, - "impact": "High", + "impact": "High Impact", "helpText": "Deploy and manage Intune templates across devices.", "addedComponent": [ { @@ -3242,7 +3240,7 @@ "warn": true, "remediate": false }, - "impact": "Medium", + "impact": "Medium Impact", "helpText": "Deploy transport rules to manage email flow.", "addedComponent": [ { @@ -3268,7 +3266,7 @@ "warn": true, "remediate": false }, - "impact": "High", + "impact": "High Impact", "helpText": "Manage conditional access policies for better security.", "addedComponent": [ { @@ -3304,7 +3302,7 @@ "warn": true, "remediate": false }, - "impact": "Medium", + "impact": "Medium Impact", "helpText": "Deploy and manage Exchange connectors.", "addedComponent": [ { @@ -3330,7 +3328,7 @@ "warn": true, "remediate": false }, - "impact": "Medium", + "impact": "Medium Impact", "helpText": "Deploy and manage group templates.", "addedComponent": [ {
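Review bot: Changing the `impact` values from `"High"`/`"Medium"` to `"High Impact"`/`"Medium Impact"` in the five hunks on this line breaks any exact-match comparison, sort order or badge styling keyed on the old strings, and the consumers are not part of this diff. The enclosing entries start outside each hunk, so their names are not visible here. Confirm that every entry in the file now uses the same set of values and that none keeps the short form. If the value is persisted anywhere outside this file, a fallback that accepts the old strings would avoid entries losing their impact label.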