chrisholliday/EntraConfig

Automated Entra ID security configuration for GCC Moderate compliance
Entra ID Compliance Configuration

This project provides automated configuration for Microsoft Entra ID (formerly Azure AD) tenants, ensuring compliance with:

  • FedRAMP (Federal Risk and Authorization Management Program)
  • SCUBA (Secure Cloud Business Applications) by CISA
  • CIS (Center for Internet Security) Benchmarks

🎯 Overview

This automation suite configures an Entra ID P2 tenant with security controls and governance policies required for enterprise and government compliance.

Cloud Compatibility: Works with commercial/public Azure cloud, GCC Moderate, GCC High, and GCC DoD environments. See Cloud Environment Notes for endpoint details.

πŸ“ Project Structure

EntraConfig/
β”œβ”€β”€ ConditionalAccess/          # Conditional Access Policy templates
β”‚   β”œβ”€β”€ Deploy-CAPolicies.ps1   # Deployment script
β”‚   └── Policies/               # JSON policy definitions
β”œβ”€β”€ TenantConfiguration/        # General tenant settings
β”‚   β”œβ”€β”€ Set-BaselineConfig.ps1  # Baseline security configuration
β”‚   β”œβ”€β”€ Set-PasswordPolicies.ps1
β”‚   └── Set-ExternalCollaboration.ps1
β”œβ”€β”€ SCUBA/                      # SCUBA compliance configurations
β”‚   └── Set-SCUBAControls.ps1
β”œβ”€β”€ Audit/                      # Compliance auditing and reporting
β”‚   β”œβ”€β”€ Test-Compliance.ps1
β”‚   └── Export-ComplianceReport.ps1
β”œβ”€β”€ Deploy-All.ps1              # Master deployment script
└── README.md                   # This file

🚀 Quick Start

Prerequisites

  1. PowerShell 7+ installed

  2. Microsoft Graph PowerShell SDK modules:

     Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force

  3. Permissions required:

     • Global Administrator or equivalent roles
     • Consent for Microsoft Graph API permissions

Initial Setup

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", `
    "Policy.Read.All", "Directory.ReadWrite.All", "Organization.ReadWrite.All"

# Verify connection
Get-MgContext

Deployment

# Full deployment (run from repository root)
.\Deploy-All.ps1

# Or deploy components individually:
.\ConditionalAccess\Deploy-CAPolicies.ps1
.\TenantConfiguration\Set-BaselineConfig.ps1
.\SCUBA\Set-SCUBAControls.ps1

🔒 Compliance Frameworks

FedRAMP Controls

  • AC-2: Account Management (automated provisioning/deprovisioning)
  • AC-7: Unsuccessful Login Attempts (Smart Lockout)
  • IA-2: Identification and Authentication (MFA)
  • IA-5: Authenticator Management (Password policies)
  • SC-7: Boundary Protection (Conditional Access)

SCUBA Baseline

Implements CISA's Secure Cloud Business Applications security baseline for M365, including:

  • Identity Foundation
  • Device Management
  • Application Protection
  • Data Protection

CIS Microsoft 365 Benchmarks

  • 1.x: Account/Authentication controls
  • 2.x: Application Permissions
  • 6.x: Auditing and Monitoring

📋 Conditional Access Policies

The following CA policies are deployed, each mapped to specific compliance controls:

Policy ID | Policy Name              | Purpose                                 | Controls
CA001     | Require-MFA-AllUsers     | Enforce MFA for all users               | FedRAMP: IA-2, IA-2(1); SCUBA: MS.AAD.2.1v1; CIS: 1.1.3, 1.3.1
CA002     | Block-Legacy-Auth        | Block legacy authentication             | FedRAMP: IA-2(8), SC-7; SCUBA: MS.AAD.1.1v1; CIS: 1.1.5, 1.3.6
CA003     | Require-Compliant-Device | Require compliant/hybrid joined devices | FedRAMP: AC-3, SC-7; SCUBA: MS.AAD.3.2v1; CIS: 1.2.1, 6.1.3
CA004     | Require-MFA-Admins       | MFA for privileged roles                | FedRAMP: IA-2, AC-2(1); SCUBA: MS.AAD.2.2v1; CIS: 1.1.1, 1.3.1
CA005     | Block-Unknown-Locations  | Block access from untrusted locations   | FedRAMP: AC-3, SC-7; SCUBA: MS.AAD.3.2v1; CIS: 1.2.2, 6.1.2
CA006     | Sign-In-Risk-Policy      | Require MFA on risky sign-ins           | FedRAMP: IA-4, IA-8; SCUBA: MS.AAD.3.7v1; CIS: 1.3.3
CA007     | User-Risk-Policy         | Force password change on high user risk | FedRAMP: IA-4, IA-8; SCUBA: MS.AAD.3.8v1; CIS: 1.3.3
CA008     | Block-Countries          | Block access from high-risk countries   | FedRAMP: SC-7, AC-20; SCUBA: MS.AAD.3.2v1; CIS: 6.1.2

📖 See CONTROL-MAPPING.md for detailed control mappings and cross-references.

🛠️ Tenant Configurations
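As an added example (not a script from the EntraConfig repository), this is how one policy from the table above, CA002 Block-Legacy-Auth, can be created with the Microsoft Graph PowerShell SDK in report-only mode with a break-glass group excluded; the group ID is a placeholder, and an existing Connect-MgGraph session with Policy.ReadWrite.ConditionalAccess is assumed.

```powershell
# Added example, not part of the repository: deploy CA002 in report-only mode.
# Placeholder: replace with the object ID of your break-glass (emergency access) group.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName   = 'CA002 Block-Legacy-Auth'
    # Report-only first: review the sign-in log impact before switching to 'enabled'.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        # Legacy protocols show up as Exchange ActiveSync and "other clients".
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)   # never lock out emergency access
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

# Idempotent: update the policy if one with the same display name already exists.
$existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'"
if ($existing) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $existing.Id -BodyParameter $policy
    Write-Host "Updated $($policy.displayName) ($($existing.Id))"
} else {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created $($policy.displayName) ($($created.Id)) in report-only mode"
}
```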

Security Defaults

  • Security defaults disabled (replaced by CA policies)
  • Modern authentication enforced

Password Policies

  • Password expiration: 180 days (FedRAMP requirement)
  • Password complexity: Enforced
  • Banned password list: Custom terms added
  • Smart Lockout: Enabled (10 failed attempts)

External Collaboration

  • Guest user access: Restricted
  • Guest invite settings: Admins and specific roles only
  • External sharing: Limited to approved domains

Privileged Identity Management (PIM)

  • Just-In-Time access for admin roles
  • Approval workflows for elevation
  • Maximum activation duration: 8 hours

📊 Auditing & Reporting

Run compliance checks:

# Generate compliance report
.\Audit\Export-ComplianceReport.ps1 -OutputPath ".\Reports\Compliance-$(Get-Date -Format 'yyyyMMdd').xlsx"

# Test specific compliance framework
.\Audit\Test-Compliance.ps1 -Framework SCUBA
.\Audit\Test-Compliance.ps1 -Framework CIS
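The repository's audit scripts are not shown here; as an added example of the kind of check a compliance run should include, the following flags Conditional Access policies that are not enforced or that apply to all users without excluding the break-glass group (see Important Notes). It assumes an existing Connect-MgGraph session with Policy.Read.All; the group ID is a placeholder.

```powershell
# Added example, not part of the repository's Audit folder.
# Placeholder: replace with the object ID of your break-glass group.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $coversAll = @($p.Conditions.Users.IncludeUsers) -contains 'All'
    $excluded  = @($p.Conditions.Users.ExcludeGroups) -contains $breakGlassGroupId

    # A policy scoped to 'All' users with no break-glass exclusion can lock out
    # every administrator; a policy that is not 'enabled' protects nothing.
    $finding = if ($p.State -ne 'enabled') { 'Not enforced' }
               elseif ($coversAll -and -not $excluded) { 'Missing break-glass exclusion' }
               else { 'OK' }

    [pscustomobject]@{
        Name               = $p.DisplayName
        State              = $p.State   # enabled / disabled / enabledForReportingButNotEnforced
        CoversAllUsers     = $coversAll
        BreakGlassExcluded = $excluded
        Finding            = $finding
    }
}

$findings | Sort-Object Finding, Name | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or pipeline fail when findings exist.
$bad = @($findings | Where-Object Finding -ne 'OK')
if ($bad.Count -gt 0) { exit 1 }
```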

⚠️ Important Notes

  • Testing: Always test in a non-production tenant first
  • Review: Review all policies before deployment and adjust for your organization's needs
  • Break-Glass: Ensure break-glass accounts are excluded from certain CA policies
  • Monitoring: Enable continuous monitoring through Azure Monitor and Sentinel
  • Security Gaps: See SECURITY-GAPS-ROADMAP.md for additional controls needed for complete compliance

📈 Implementation Roadmap

This repository provides Phase 0 (foundation) of a complete Entra ID security implementation. For full compliance and operational maturity, see:

SECURITY-GAPS-ROADMAP.md - Comprehensive gap analysis covering:

  • Privileged Identity Management (PIM) automation
  • Access reviews and identity governance
  • Named locations configuration (required for CA005/CA008)
  • Logging, monitoring, and alerting (SCUBA MS.AAD.7.x)
  • Self-Service Password Reset (SSPR)
  • Password protection enforcement
  • Authentication methods policy
  • Device management integration (Intune)
  • Application governance
  • Advanced session controls
  • 4-phase implementation plan with timelines

🔄 Maintenance

  • Review and update policies quarterly
  • Monitor for new SCUBA/CIS benchmark updates
  • Audit conditional access policy effectiveness monthly
  • Review sign-in logs for blocked access patterns

🌐 Cloud Environment Notes

This project works with all Azure cloud environments. The scripts default to the commercial/public cloud endpoint, which is also used by GCC Moderate.

Endpoint Reference

Environment       | Cloud Infrastructure | Graph Endpoint      | Connection Command
Commercial/Public | Global               | graph.microsoft.com | Connect-MgGraph
GCC Moderate      | Global               | graph.microsoft.com | Connect-MgGraph
GCC High          | USGov                | graph.microsoft.us  | Connect-MgGraph -Environment USGov
GCC DoD           | USGov                | graph.microsoft.us  | Connect-MgGraph -Environment USGov

Using GCC High or GCC DoD

If your tenant is in GCC High or GCC DoD, modify the connection commands in the scripts:

# Replace Connect-MgGraph with:
Connect-MgGraph -Environment USGov -Scopes "Policy.ReadWrite.ConditionalAccess", `
    "Policy.Read.All", "Directory.ReadWrite.All", "Organization.ReadWrite.All"

Note: GCC Moderate uses the same commercial cloud infrastructure as public Azure, with government-specific compliance and data residency requirements. GCC High and DoD use dedicated government cloud infrastructure.
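Rather than editing the connection command in each script by hand, the environment mapping above can be wrapped in a helper that also refuses to proceed if the resulting Graph context is not the expected cloud or lacks a required scope. This is an added example, not code from the repository; the function name is hypothetical and the scope list is the one from Initial Setup.

```powershell
# Added example, not part of the repository. Hypothetical helper that connects to
# the right Graph cloud and verifies the context before any policy is deployed.
function Connect-EntraCompliance {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Commercial', 'GCCModerate', 'GCCHigh', 'GCCDoD')]
        [string]$CloudEnvironment
    )

    $scopes = @('Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                'Directory.ReadWrite.All', 'Organization.ReadWrite.All')

    # GCC Moderate shares the commercial (Global) endpoint; GCC High and DoD use USGov.
    $mgEnvironment = switch ($CloudEnvironment) {
        'GCCHigh' { 'USGov' }
        'GCCDoD'  { 'USGov' }
        default   { 'Global' }
    }

    Connect-MgGraph -Environment $mgEnvironment -Scopes $scopes

    # Fail closed: a wrong cloud or missing consent must stop the deployment here,
    # not halfway through Deploy-All.ps1.
    $ctx = Get-MgContext
    if ($ctx.Environment -ne $mgEnvironment) {
        throw "Connected to '$($ctx.Environment)' but '$mgEnvironment' was expected; aborting."
    }
    $missing = @($scopes | Where-Object { $_ -notin $ctx.Scopes })
    if ($missing.Count -gt 0) {
        throw "Consent missing for scopes: $($missing -join ', ')"
    }

    $endpoint = (Get-MgEnvironment -Name $mgEnvironment).GraphEndpoint
    Write-Host "Connected to tenant $($ctx.TenantId) via $endpoint"
}

# Usage for a GCC High tenant:
# Connect-EntraCompliance -CloudEnvironment GCCHigh
```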

📚 References

📝 License

This project is licensed under the MIT License - see the LICENSE file for details.

🤝 Contributing

Review all changes for compliance impact before submitting pull requests.
