standards.json

[
  {
    "name": "standards.MailContacts",
    "cat": "Global Standards",
    "tag": ["lowimpact"],
    "helpText": "Defines the email address to receive general updates and information related to M365 subscriptions. Leave a contact field blank if you do not want to update the contact information.",
    "docsDescription": "",
    "addedComponent": [
      {
        "type": "input",
        "name": "standards.MailContacts.GeneralContact",
        "label": "General Contact"
      },
      {
        "type": "input",
        "name": "standards.MailContacts.SecurityContact",
        "label": "Security Contact"
      },
      {
        "type": "input",
        "name": "standards.MailContacts.MarketingContact",
        "label": "Marketing Contact"
      },
      {
        "type": "input",
        "name": "standards.MailContacts.TechContact",
        "label": "Technical Contact"
      }
    ],
    "label": "Set contact e-mails",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-MsolCompanyContactInformation",
    "recommendedBy": []
  },
  {
    "name": "standards.AuditLog",
    "cat": "Global Standards",
    "tag": ["lowimpact", "CIS", "mip_search_auditlog"],
    "helpText": "Enables the Unified Audit Log for tracking and auditing activities. Also runs Enable-OrganizationCustomization if necessary.",
    "addedComponent": [],
    "label": "Enable the Unified Audit Log",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Enable-OrganizationCustomization",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.PhishProtection",
    "cat": "Global Standards",
    "tag": ["lowimpact"],
    "helpText": "Adds branding to the logon page that only appears if the url is not login.microsoftonline.com. This potentially prevents AITM attacks via EvilNginx. This will also automatically generate alerts if a clone of your login page has been found when set to Remediate.",
    "addedComponent": [],
    "label": "Enable Phishing Protection system via branding CSS",
    "impact": "Low Impact",
    "impactColour": "info",
    "disabledFeatures": {
      "report": true,
      "warn": true,
      "remediate": false
    },
    "powershellEquivalent": "Portal only",
    "recommendedBy": ["CIPP"]
  },
  {
    "name": "standards.Branding",
    "cat": "Global Standards",
    "tag": ["lowimpact"],
    "helpText": "Sets the branding for the tenant. This includes the login page, and the Office 365 portal.",
    "addedComponent": [
      {
        "type": "input",
        "name": "standards.Branding.signInPageText",
        "label": "Sign-in page text"
      },
      {
        "type": "input",
        "name": "standards.Branding.usernameHintText",
        "label": "Username hint Text"
      },
      {
        "type": "boolean",
        "name": "standards.Branding.hideAccountResetCredentials",
        "label": "Hide self-service password reset"
      },
      {
        "type": "Select",
        "label": "Visual Template",
        "name": "standards.Branding.layoutTemplateType",
        "values": [
          {
            "label": "Full-screen background",
            "value": "default"
          },
          {
            "label": "Partial-screen background",
            "value": "verticalSplit"
          }
        ]
      },
      {
        "type": "boolean",
        "name": "standards.Branding.isHeaderShown",
        "label": "Show header"
      },
      {
        "type": "boolean",
        "name": "standards.Branding.isFooterShown",
        "label": "Show footer"
      }
    ],
    "label": "Set branding for the tenant",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Portal only",
    "recommendedBy": []
  },
  {
    "name": "standards.EnableCustomerLockbox",
    "cat": "Global Standards",
    "tag": ["lowimpact", "CIS", "CustomerLockBoxEnabled"],
    "helpText": "Enables Customer Lockbox that offers an approval process for Microsoft support to access organization data",
    "docsDescription": "Customer Lockbox ensures that Microsoft can't access your content to do service operations without your explicit approval. Customer Lockbox ensures only authorized requests allow access to your organizations data.",
    "addedComponent": [],
    "label": "Enable Customer Lockbox",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-OrganizationConfig -CustomerLockBoxEnabled $true",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.EnablePronouns",
    "cat": "Global Standards",
    "tag": ["lowimpact"],
    "helpText": "Enables the Pronouns feature for the tenant. This allows users to set their pronouns in their profile.",
    "addedComponent": [],
    "label": "Enable Pronouns",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Update-MgBetaAdminPeoplePronoun -IsEnabledInOrganization:$true",
    "recommendedBy": []
  },
  {
    "name": "standards.AnonReportDisable",
    "cat": "Global Standards",
    "tag": ["lowimpact"],
    "helpText": "Shows usernames instead of pseudo anonymised names in reports. This standard is required for reporting to work correctly.",
    "docsDescription": "Microsoft announced some APIs and reports no longer return names, to comply with compliance and legal requirements in specific countries. This proves an issue for a lot of MSPs because those reports are often helpful for engineers. This standard applies a setting that shows usernames in those API calls / reports.",
    "addedComponent": [],
    "label": "Enable Usernames instead of pseudo anonymised names in reports",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Update-MgBetaAdminReportSetting -BodyParameter @{displayConcealedNames = $true}",
    "recommendedBy": []
  },
  {
    "name": "standards.DisableGuestDirectory",
    "cat": "Global Standards",
    "tag": ["lowimpact"],
    "helpText": "Disables Guest access to enumerate directory objects. This prevents guest users from seeing other users or guests in the directory.",
    "docsDescription": "Sets it so guests can view only their own user profile. Permission to view other users isn't allowed. Also restricts guest users from seeing the membership of groups they're in. See exactly what get locked down in the [Microsoft documentation.](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions)",
    "addedComponent": [],
    "label": "Restrict guest user access to directory objects",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'",
    "recommendedBy": []
  },
  {
    "name": "standards.DisableBasicAuthSMTP",
    "cat": "Global Standards",
    "tag": ["mediumimpact"],
    "helpText": "Disables SMTP AUTH for the organization and all users. This is the default for new tenants. ",
    "docsDescription": "Disables SMTP basic authentication for the tenant and all users with it explicitly enabled.",
    "addedComponent": [],
    "label": "Disable SMTP Basic Authentication",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Set-TransportConfig -SmtpClientAuthenticationDisabled $true",
    "recommendedBy": []
  },
  {
    "name": "standards.ActivityBasedTimeout",
    "cat": "Global Standards",
    "tag": ["mediumimpact", "CIS", "spo_idle_session_timeout"],
    "helpText": "Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps",
    "addedComponent": [
      {
        "type": "Select",
        "label": "Select value",
        "name": "standards.ActivityBasedTimeout.timeout",
        "values": [
          {
            "label": "1 Hour",
            "value": "01:00:00"
          },
          {
            "label": "3 Hours",
            "value": "03:00:00"
          },
          {
            "label": "6 Hours",
            "value": "06:00:00"
          },
          {
            "label": "12 Hours",
            "value": "12:00:00"
          },
          {
            "label": "24 Hours",
            "value": "1.00:00:00"
          }
        ]
      }
    ],
    "label": "Enable Activity based Timeout",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Portal or Graph API",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.AppDeploy",
    "cat": "Entra (AAD) Standards",
    "tag": ["lowimpact"],
    "helpText": "Deploys selected applications to the tenant. Use a comma separated list of application IDs to deploy multiple applications. Permissions will be copied from the source application.",
    "docsDescription": "Uses the CIPP functionality that deploys applications across an entire tenant base as a standard.",
    "addedComponent": [
      {
        "type": "input",
        "name": "standards.AppDeploy.appids",
        "label": "Application IDs, comma separated"
      }
    ],
    "label": "Deploy Application",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Portal or Graph API",
    "recommendedBy": []
  },
  {
    "name": "standards.laps",
    "cat": "Entra (AAD) Standards",
    "tag": ["lowimpact"],
    "helpText": "Enables the tenant to use LAPS. You must still create a policy for LAPS to be active on all devices. Use the template standards to deploy this by default.",
    "docsDescription": "Enables the LAPS functionality on the tenant. Prerequisite for using Windows LAPS via Azure AD.",
    "addedComponent": [],
    "label": "Enable LAPS on the tenant",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Portal or Graph API",
    "recommendedBy": []
  },
  {
    "name": "standards.PWdisplayAppInformationRequiredState",
    "cat": "Entra (AAD) Standards",
    "tag": ["lowimpact", "CIS"],
    "helpText": "Enables the MS authenticator app to display information about the app that is requesting authentication. This displays the application name.",
    "docsDescription": "Allows users to use Passwordless with Number Matching and adds location information from the last request",
    "addedComponent": [],
    "label": "Enable Passwordless with Location information and Number Matching",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.allowOTPTokens",
    "cat": "Entra (AAD) Standards",
    "tag": ["lowimpact"],
    "helpText": "Allows you to use MS authenticator OTP token generator",
    "docsDescription": "Allows you to use Microsoft Authenticator OTP token generator. Useful for using the NPS extension as MFA on VPN clients.",
    "addedComponent": [],
    "label": "Enable OTP via Authenticator",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration",
    "recommendedBy": []
  },
  {
    "name": "standards.PWcompanionAppAllowedState",
    "cat": "Entra (AAD) Standards",
    "tag": ["lowimpact"],
    "helpText": "Sets the state of Authenticator Lite, Authenticator lite is a companion app for passwordless authentication.",
    "docsDescription": "Sets the Authenticator Lite state to enabled. This allows users to use the Authenticator Lite built into the Outlook app instead of the full Authenticator app.",
    "addedComponent": [
      {
        "type": "Select",
        "label": "Select value",
        "name": "standards.PWcompanionAppAllowedState.state",
        "values": [
          {
            "label": "Enabled",
            "value": "enabled"
          },
          {
            "label": "Disabled",
            "value": "disabled"
          }
        ]
      }
    ],
    "label": "Set Authenticator Lite state",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration",
    "recommendedBy": []
  },
  {
    "name": "standards.EnableFIDO2",
    "cat": "Entra (AAD) Standards",
    "tag": ["lowimpact"],
    "helpText": "Enables the FIDO2 authenticationMethod for the tenant",
    "docsDescription": "Enables FIDO2 capabilities for the tenant. This allows users to use FIDO2 keys like a Yubikey for authentication.",
    "addedComponent": [],
    "label": "Enable FIDO2 capabilities",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration",
    "recommendedBy": []
  },
  {
    "name": "standards.EnableHardwareOAuth",
    "cat": "Entra (AAD) Standards",
    "tag": ["lowimpact"],
    "helpText": "Enables the HardwareOath authenticationMethod for the tenant. This allows you to use hardware tokens for generating 6 digit MFA codes.",
    "docsDescription": "Enables Hardware OAuth tokens for the tenant. This allows users to use hardware tokens like a Yubikey for authentication.",
    "addedComponent": [],
    "label": "Enable Hardware OAuth tokens",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration",
    "recommendedBy": []
  },
  {
    "name": "standards.allowOAuthTokens",
    "cat": "Entra (AAD) Standards",
    "tag": ["lowimpact"],
    "helpText": "Allows you to use any software OAuth token generator",
    "docsDescription": "Enables OTP Software OAuth tokens for the tenant. This allows users to use OTP codes generated via software, like a password manager to be used as an authentication method.",
    "addedComponent": [],
    "label": "Enable OTP Software OAuth tokens",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration",
    "recommendedBy": []
  },
  {
    "name": "standards.TAP",
    "cat": "Entra (AAD) Standards",
    "tag": ["lowimpact"],
    "helpText": "Enables TAP and sets the default TAP lifetime to 1 hour. This configuration also allows you to select if a TAP is single use or multi-logon.",
    "docsDescription": "Enables Temporary Password generation for the tenant.",
    "addedComponent": [
      {
        "type": "Select",
        "label": "Select TAP Lifetime",
        "name": "standards.TAP.config",
        "values": [
          {
            "label": "Only Once",
            "value": "true"
          },
          {
            "label": "Multiple Logons",
            "value": "false"
          }
        ]
      }
    ],
    "label": "Enable Temporary Access Passwords",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration",
    "recommendedBy": []
  },
  {
    "name": "standards.PasswordExpireDisabled",
    "cat": "Entra (AAD) Standards",
    "tag": ["lowimpact", "CIS", "PWAgePolicyNew"],
    "helpText": "Disables the expiration of passwords for the tenant by setting the password expiration policy to never expire for any user.",
    "docsDescription": "Sets passwords to never expire for tenant, recommended to use in conjunction with secure password requirements.",
    "addedComponent": [],
    "label": "Do not expire passwords",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Update-MgDomain",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.ExternalMFATrusted",
    "cat": "Entra (AAD) Standards",
    "tag": ["lowimpact"],
    "helpText": "Sets the state of the Cross-tenant access setting to trust external MFA. This allows guest users to use their home tenant MFA to access your tenant.",
    "addedComponent": [
      {
        "type": "Select",
        "label": "Select value",
        "name": "standards.ExternalMFATrusted.state",
        "values": [
          {
            "label": "Enabled",
            "value": "true"
          },
          {
            "label": "Disabled",
            "value": "false"
          }
        ]
      }
    ],
    "label": "Sets the Cross-tenant access setting to trust external MFA",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Update-MgBetaPolicyCrossTenantAccessPolicyDefault",
    "recommendedBy": []
  },
  {
    "name": "standards.DisableTenantCreation",
    "cat": "Entra (AAD) Standards",
    "tag": ["lowimpact", "CIS"],
    "helpText": "Restricts creation of M365 tenants to the Global Administrator or Tenant Creator roles. ",
    "docsDescription": "Users by default are allowed to create M365 tenants. This disables that so only admins can create new M365 tenants.",
    "addedComponent": [],
    "label": "Disable M365 Tenant creation by users",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Update-MgPolicyAuthorizationPolicy",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.EnableAppConsentRequests",
    "cat": "Entra (AAD) Standards",
    "tag": ["lowimpact", "CIS"],
    "helpText": "Enables App consent admin requests for the tenant via the GA role. Does not overwrite existing reviewer settings",
    "docsDescription": "Enables the ability for users to request admin consent for applications. Should be used in conjunction with the \"Require admin consent for applications\" standards",
    "addedComponent": [
      {
        "type": "AdminRolesMultiSelect",
        "label": "App Consent Reviewer Roles",
        "name": "standards.EnableAppConsentRequests.ReviewerRoles"
      }
    ],
    "label": "Enable App consent admin requests",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Update-MgPolicyAdminConsentRequestPolicy",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.NudgeMFA",
    "cat": "Entra (AAD) Standards",
    "tag": ["lowimpact"],
    "helpText": "Sets the state of the registration campaign for the tenant",
    "docsDescription": "Sets the state of the registration campaign for the tenant. If enabled nudges users to set up the Microsoft Authenticator during sign-in.",
    "addedComponent": [
      {
        "type": "Select",
        "label": "Select value",
        "name": "standards.NudgeMFA.state",
        "values": [
          {
            "label": "Enabled",
            "value": "enabled"
          },
          {
            "label": "Disabled",
            "value": "disabled"
          }
        ]
      },
      {
        "type": "number",
        "name": "standards.NudgeMFA.snoozeDurationInDays",
        "label": "Number of days to allow users to skip registering Authenticator (0-14, default is 1)",
        "default": 1
      }
    ],
    "label": "Sets the state for the request to setup Authenticator",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Update-MgPolicyAuthenticationMethodPolicy",
    "recommendedBy": []
  },
  {
    "name": "standards.DisableM365GroupUsers",
    "cat": "Entra (AAD) Standards",
    "tag": ["lowimpact"],
    "helpText": "Restricts M365 group creation to certain admin roles. This disables the ability to create Teams, Sharepoint sites, Planner, etc",
    "docsDescription": "Users by default are allowed to create M365 groups. This restricts M365 group creation to certain admin roles. This disables the ability to create Teams, SharePoint sites, Planner, etc",
    "addedComponent": [],
    "label": "Disable M365 Group creation by users",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Update-MgBetaDirectorySetting",
    "recommendedBy": []
  },
  {
    "name": "standards.DisableAppCreation",
    "cat": "Entra (AAD) Standards",
    "tag": ["lowimpact", "CIS"],
    "helpText": "Disables the ability for users to create App registrations in the tenant.",
    "docsDescription": "Disables the ability for users to create applications in Entra. Done to prevent breached accounts from creating an app to maintain access to the tenant, even after the breached account has been secured.",
    "addedComponent": [],
    "label": "Disable App creation by users",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Update-MgPolicyAuthorizationPolicy",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.DisableSecurityGroupUsers",
    "cat": "Entra (AAD) Standards",
    "tag": ["mediumimpact"],
    "helpText": "Completely disables the creation of security groups by users. This also breaks the ability to manage groups themselves, or create Teams",
    "addedComponent": [],
    "label": "Disable Security Group creation by users",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Update-MgBetaPolicyAuthorizationPolicy",
    "recommendedBy": []
  },
  {
    "name": "standards.LegacyMFACleanup",
    "cat": "Entra (AAD) Standards",
    "tag": ["mediumimpact"],
    "helpText": "This standard currently does not function and can be safely disabled",
    "addedComponent": [],
    "label": "Remove Legacy MFA if SD or CA is active",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Set-MsolUser -StrongAuthenticationRequirements $null",
    "recommendedBy": []
  },
  {
    "name": "standards.DisableSelfServiceLicenses",
    "cat": "Entra (AAD) Standards",
    "tag": ["mediumimpact"],
    "helpText": "This standard disables all self service licenses and enables all exclusions",
    "addedComponent": [
      {
        "type": "input",
        "name": "standards.DisableSelfServiceLicenses.Exclusions",
        "label": "License Ids to exclude from this standard"
      }
    ],
    "label": "Disable Self Service Licensing",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Set-MsolCompanySettings -AllowAdHocSubscriptions $false",
    "recommendedBy": []
  },
  {
    "name": "standards.DisableGuests",
    "cat": "Entra (AAD) Standards",
    "tag": ["mediumimpact"],
    "helpText": "Blocks login for guest users that have not logged in for 90 days",
    "addedComponent": [],
    "label": "Disable Guest accounts that have not logged on for 90 days",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Graph API",
    "recommendedBy": []
  },
  {
    "name": "standards.OauthConsent",
    "cat": "Entra (AAD) Standards",
    "tag": ["mediumimpact", "CIS"],
    "helpText": "Disables users from being able to consent to applications, except for those specified in the field below",
    "docsDescription": "Requires users to get administrator consent before sharing data with applications. You can preapprove specific applications.",
    "addedComponent": [
      {
        "type": "input",
        "name": "standards.OauthConsent.AllowedApps",
        "label": "Allowed application IDs, comma separated"
      }
    ],
    "label": "Require admin consent for applications (Prevent OAuth phishing)",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Update-MgPolicyAuthorizationPolicy",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.OauthConsentLowSec",
    "cat": "Entra (AAD) Standards",
    "tag": ["mediumimpact", "IntegratedApps"],
    "helpText": "Sets the default oauth consent level so users can consent to applications that have low risks.",
    "docsDescription": "Allows users to consent to applications with low assigned risk.",
    "label": "Allow users to consent to applications with low security risk (Prevent OAuth phishing. Lower impact, less secure)",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Update-MgPolicyAuthorizationPolicy",
    "recommendedBy": []
  },
  {
    "name": "standards.UndoOauth",
    "cat": "Entra (AAD) Standards",
    "tag": ["highimpact"],
    "helpText": "Disables App consent and set to Allow user consent for apps",
    "addedComponent": [],
    "label": "Undo App Consent Standard",
    "impact": "High Impact",
    "impactColour": "danger",
    "powershellEquivalent": "Update-MgPolicyAuthorizationPolicy",
    "recommendedBy": []
  },
  {
    "name": "standards.SecurityDefaults",
    "cat": "Entra (AAD) Standards",
    "tag": ["highimpact"],
    "helpText": "Enables security defaults for the tenant, for newer tenants this is enabled by default. Do not enable this feature if you use Conditional Access.",
    "docsDescription": "Enables SD for the tenant, which disables all forms of basic authentication and enforces users to configure MFA. Users are only prompted for MFA when a logon is considered 'suspect' by Microsoft.",
    "addedComponent": [],
    "label": "Enable Security Defaults",
    "impact": "High Impact",
    "impactColour": "danger",
    "powershellEquivalent": "[Read more here](https://www.cyberdrain.com/automating-with-powershell-enabling-secure-defaults-and-sd-explained/)",
    "recommendedBy": []
  },
  {
    "name": "standards.DisableSMS",
    "cat": "Entra (AAD) Standards",
    "tag": ["highimpact"],
    "helpText": "This blocks users from using SMS as an MFA method. If a user only has SMS as a MFA method, they will be unable to log in.",
    "docsDescription": "Disables SMS as an MFA method for the tenant. If a user only has SMS as a MFA method, they will be unable to sign in.",
    "addedComponent": [],
    "label": "Disables SMS as an MFA method",
    "impact": "High Impact",
    "impactColour": "danger",
    "powershellEquivalent": "Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration",
    "recommendedBy": []
  },
  {
    "name": "standards.DisableVoice",
    "cat": "Entra (AAD) Standards",
    "tag": ["highimpact"],
    "helpText": "This blocks users from using Voice call as an MFA method. If a user only has Voice as a MFA method, they will be unable to log in.",
    "docsDescription": "Disables Voice call as an MFA method for the tenant. If a user only has Voice call as a MFA method, they will be unable to sign in.",
    "addedComponent": [],
    "label": "Disables Voice call as an MFA method",
    "impact": "High Impact",
    "impactColour": "danger",
    "powershellEquivalent": "Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration",
    "recommendedBy": []
  },
  {
    "name": "standards.DisableEmail",
    "cat": "Entra (AAD) Standards",
    "tag": ["highimpact"],
    "helpText": "This blocks users from using email as an MFA method. This disables the email OTP option for guest users, and instead prompts them to create a Microsoft account.",
    "addedComponent": [],
    "label": "Disables Email as an MFA method",
    "impact": "High Impact",
    "impactColour": "danger",
    "powershellEquivalent": "Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration",
    "recommendedBy": []
  },
  {
    "name": "standards.Disablex509Certificate",
    "cat": "Entra (AAD) Standards",
    "tag": ["highimpact"],
    "helpText": "This blocks users from using Certificates as an MFA method.",
    "docsDescription": "",
    "addedComponent": [],
    "label": "Disables Certificates as an MFA method",
    "impact": "High Impact",
    "impactColour": "danger",
    "powershellEquivalent": "Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration",
    "recommendedBy": []
  },
  {
    "name": "standards.PerUserMFA",
    "cat": "Entra (AAD) Standards",
    "tag": ["highimpact"],
    "helpText": "Enables per user MFA for all users.",
    "addedComponent": [],
    "label": "Enables per user MFA for all users.",
    "impact": "High Impact",
    "impactColour": "danger",
    "powershellEquivalent": "Graph API",
    "recommendedBy": []
  },
  {
    "name": "standards.OutBoundSpamAlert",
    "cat": "Exchange Standards",
    "tag": ["lowimpact", "CIS"],
    "helpText": "Set the Outbound Spam Alert e-mail address",
    "docsDescription": "Sets the e-mail address to which outbound spam alerts are sent.",
    "addedComponent": [
      {
        "type": "input",
        "name": "standards.OutBoundSpamAlert.OutboundSpamContact",
        "label": "Outbound spam contact"
      }
    ],
    "label": "Set Outbound Spam Alert e-mail",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-HostedOutboundSpamFilterPolicy",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.MessageExpiration",
    "cat": "Exchange Standards",
    "tag": ["lowimpact"],
    "helpText": "Sets the transport message configuration to timeout a message at 12 hours.",
    "docsDescription": "Expires messages in the transport queue after 12 hours. Makes the NDR for failed messages show up faster for users. Default is 24 hours.",
    "addedComponent": [],
    "label": "Lower Transport Message Expiration to 12 hours",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-TransportConfig -MessageExpirationTimeout 12.00:00:00",
    "recommendedBy": []
  },
  {
    "name": "standards.GlobalQuarantineNotifications",
    "cat": "Exchange Standards",
    "tag": ["lowimpact"],
    "helpText": "Sets the Global Quarantine Notification Interval to the selected value. Determines how often the quarantine notification is sent to users.",
    "docsDescription": "Sets the global quarantine notification interval for the tenant. This is the time between the quarantine notification emails are sent out to users. Default is 24 hours.",
    "addedComponent": [
      {
        "type": "Select",
        "label": "Select value",
        "name": "standards.GlobalQuarantineNotifications.NotificationInterval",
        "values": [
          {
            "label": "4 hours",
            "value": "04:00:00"
          },
          {
            "label": "1 day/Daily",
            "value": "1.00:00:00"
          },
          {
            "label": "7 days/Weekly",
            "value": "7.00:00:00"
          }
        ]
      }
    ],
    "label": "Set Global Quarantine Notification Interval",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-QuarantinePolicy -EndUserSpamNotificationFrequency",
    "recommendedBy": []
  },
  {
    "name": "standards.DisableTNEF",
    "cat": "Exchange Standards",
    "tag": ["lowimpact"],
    "helpText": "Disables Transport Neutral Encapsulation Format (TNEF)/winmail.dat for the tenant. TNEF can cause issues if the recipient is not using a client supporting TNEF.",
    "docsDescription": "Disables Transport Neutral Encapsulation Format (TNEF)/winmail.dat for the tenant. TNEF can cause issues if the recipient is not using a client supporting TNEF. Cannot be overridden by the user. For more information, see [Microsoft's documentation.](https://learn.microsoft.com/en-us/exchange/mail-flow/content-conversion/tnef-conversion?view=exchserver-2019)",
    "addedComponent": [],
    "label": "Disable TNEF/winmail.dat",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-RemoteDomain -Identity 'Default' -TNEFEnabled $false",
    "recommendedBy": []
  },
  {
    "name": "standards.FocusedInbox",
    "cat": "Exchange Standards",
    "tag": ["lowimpact"],
    "helpText": "Sets the default Focused Inbox state for the tenant. This can be overridden by the user.",
    "docsDescription": "Sets the default Focused Inbox state for the tenant. This can be overridden by the user in their Outlook settings. For more information, see [Microsoft's documentation.](https://support.microsoft.com/en-us/office/focused-inbox-for-outlook-f445ad7f-02f4-4294-a82e-71d8964e3978)",
    "addedComponent": [
      {
        "type": "Select",
        "label": "Select value",
        "name": "standards.FocusedInbox.state",
        "values": [
          {
            "label": "Enabled",
            "value": "enabled"
          },
          {
            "label": "Disabled",
            "value": "disabled"
          }
        ]
      }
    ],
    "label": "Set Focused Inbox state",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-OrganizationConfig -FocusedInboxOn $true or $false",
    "recommendedBy": []
  },
  {
    "name": "standards.CloudMessageRecall",
    "cat": "Exchange Standards",
    "tag": ["lowimpact"],
    "helpText": "Sets the Cloud Message Recall state for the tenant. This allows users to recall messages from the cloud.",
    "docsDescription": "Sets the default state for Cloud Message Recall for the tenant. By default this is enabled. You can read more about the feature [here.](https://techcommunity.microsoft.com/t5/exchange-team-blog/cloud-based-message-recall-in-exchange-online/ba-p/3744714)",
    "addedComponent": [
      {
        "type": "Select",
        "label": "Select value",
        "name": "standards.CloudMessageRecall.state",
        "values": [
          {
            "label": "Enabled",
            "value": "true"
          },
          {
            "label": "Disabled",
            "value": "false"
          }
        ]
      }
    ],
    "label": "Set Cloud Message Recall state",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-OrganizationConfig -MessageRecallEnabled",
    "recommendedBy": []
  },
  {
    "name": "standards.AutoExpandArchive",
    "cat": "Exchange Standards",
    "tag": ["lowimpact"],
    "helpText": "Enables auto-expanding archives for the tenant",
    "docsDescription": "Enables auto-expanding archives for the tenant. Does not enable archives for users.",
    "addedComponent": [],
    "label": "Enable Auto-expanding archives",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-OrganizationConfig -AutoExpandingArchive",
    "recommendedBy": []
  },
  {
    "name": "standards.EnableOnlineArchiving",
    "cat": "Exchange Standards",
    "tag": ["lowimpact"],
    "helpText": "Enables the In-Place Online Archive for all UserMailboxes with a valid license.",
    "addedComponent": [],
    "label": "Enable Online Archive for all users",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Enable-Mailbox -Archive $true",
    "recommendedBy": []
  },
  {
    "name": "standards.EnableLitigationHold",
    "cat": "Exchange Standards",
    "tag": ["lowimpact"],
    "helpText": "Enables litigation hold for all UserMailboxes with a valid license.",
    "addedComponent": [],
    "label": "Enable Litigation Hold for all users",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-Mailbox -LitigationHoldEnabled $true",
    "recommendedBy": []
  },
  {
    "name": "standards.SpoofWarn",
    "cat": "Exchange Standards",
    "tag": ["lowimpact", "CIS"],
    "helpText": "Adds or removes indicators to e-mail messages received from external senders in Outlook. Works on all Outlook clients/OWA",
    "docsDescription": "Adds or removes indicators to e-mail messages received from external senders in Outlook. You can read more about this feature on [Microsoft's Exchange Team Blog.](https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098)",
    "addedComponent": [
      {
        "type": "Select",
        "label": "Select value",
        "name": "standards.SpoofWarn.state",
        "values": [
          {
            "label": "Enabled",
            "value": "enabled"
          },
          {
            "label": "Disabled",
            "value": "disabled"
          }
        ]
      }
    ],
    "label": "Enable or disable 'external' warning in Outlook",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "et-ExternalInOutlook –Enabled $true or $false",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.EnableMailTips",
    "cat": "Exchange Standards",
    "tag": ["lowimpact", "CIS", "exo_mailtipsenabled"],
    "helpText": "Enables all MailTips in Outlook. MailTips are the notifications Outlook and Outlook on the web shows when an email you create, meets some requirements",
    "addedComponent": [
      {
        "type": "number",
        "name": "standards.EnableMailTips.MailTipsLargeAudienceThreshold",
        "label": "Number of recipients to trigger the large audience MailTip (Default is 25)",
        "placeholder": "Enter a profile name",
        "default": 25
      }
    ],
    "label": "Enable all MailTips",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-OrganizationConfig",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.TeamsMeetingsByDefault",
    "cat": "Exchange Standards",
    "tag": ["lowimpact"],
    "helpText": "Sets the default state for automatically turning meetings into Teams meetings for the tenant. This can be overridden by the user in Outlook.",
    "addedComponent": [
      {
        "type": "Select",
        "label": "Select value",
        "name": "standards.TeamsMeetingsByDefault.state",
        "values": [
          {
            "label": "Enabled",
            "value": "true"
          },
          {
            "label": "Disabled",
            "value": "false"
          }
        ]
      }
    ],
    "label": "Set Teams Meetings by default state",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-OrganizationConfig -OnlineMeetingsByDefaultEnabled",
    "recommendedBy": []
  },
  {
    "name": "standards.DisableViva",
    "cat": "Exchange Standards",
    "tag": ["lowimpact"],
    "helpText": "Disables the daily viva reports for all users.",
    "docsDescription": "",
    "addedComponent": [],
    "label": "Disable daily Insight/Viva reports",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-UserBriefingConfig",
    "recommendedBy": []
  },
  {
    "name": "standards.RotateDKIM",
    "cat": "Exchange Standards",
    "tag": ["lowimpact", "CIS"],
    "helpText": "Rotate DKIM keys that are 1024 bit to 2048 bit",
    "addedComponent": [],
    "label": "Rotate DKIM keys that are 1024 bit to 2048 bit",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Rotate-DkimSigningConfig",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.AddDKIM",
    "cat": "Exchange Standards",
    "tag": ["lowimpact", "CIS"],
    "helpText": "Enables DKIM for all domains that currently support it",
    "addedComponent": [],
    "label": "Enables DKIM for all domains that currently support it",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "New-DkimSigningConfig and Set-DkimSigningConfig",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.EnableMailboxAuditing",
    "cat": "Exchange Standards",
    "tag": ["lowimpact", "CIS", "exo_mailboxaudit"],
    "helpText": "Enables Mailbox auditing for all mailboxes and on tenant level. Disables audit bypass on all mailboxes. Unified Audit Log needs to be enabled for this standard to function.",
    "docsDescription": "Enables mailbox auditing on tenant level and for all mailboxes. Disables audit bypass on all mailboxes. By default Microsoft does not enable mailbox auditing for Resource Mailboxes, Public Folder Mailboxes and DiscoverySearch Mailboxes. Unified Audit Log needs to be enabled for this standard to function.",
    "addedComponent": [],
    "label": "Enable Mailbox auditing",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-OrganizationConfig -AuditDisabled $false",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.SendReceiveLimitTenant",
    "cat": "Exchange Standards",
    "tag": ["lowimpact"],
    "helpText": "Sets the Send and Receive limits for new users. Valid values are 1MB to 150MB",
    "addedComponent": [
      {
        "type": "number",
        "name": "standards.SendReceiveLimitTenant.SendLimit",
        "label": "Send limit in MB (Default is 35)",
        "default": 35
      },
      {
        "type": "number",
        "name": "standards.SendReceiveLimitTenant.ReceiveLimit",
        "label": "Receive Limit in MB (Default is 36)",
        "default": 36
      }
    ],
    "label": "Set send/receive size limits",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-MailboxPlan",
    "recommendedBy": []
  },
  {
    "name": "standards.calDefault",
    "cat": "Exchange Standards",
    "tag": ["lowimpact"],
    "helpText": "Sets the default sharing level for the default calendar, for all users",
    "docsDescription": "Sets the default sharing level for the default calendar for all users in the tenant. You can read about the different sharing levels [here.](https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxfolderpermission?view=exchange-ps#-accessrights)",
    "disabledFeatures": {
      "report": true,
      "warn": true,
      "remediate": false
    },
    "addedComponent": [
      {
        "type": "Select",
        "label": "Select Sharing Level",
        "name": "standards.calDefault.permissionlevel",
        "values": [
          {
            "label": "Owner - The user can create, read, edit, and delete all items in the folder, and create subfolders. The user is both folder owner and folder contact.",
            "value": "Owner"
          },
          {
            "label": "Publishing Editor - The user can create, read, edit, and delete all items in the folder, and create subfolders.",
            "value": "PublishingEditor"
          },
          {
            "label": "Editor - The user can create items in the folder. The contents of the folder do not appear.",
            "value": "Editor"
          },
          {
            "label": "Publishing Author.  The user can read, create all items/subfolders. Can modify and delete only items they create.",
            "value": "PublishingAuthor"
          },
          {
            "label": "Author - The user can create and read items, and modify and delete items that they create.",
            "value": "Author"
          },
          {
            "label": "Non Editing Author - The user has full read access and create items. Can can delete only own items.",
            "value": "NonEditingAuthor"
          },
          {
            "label": "Reviewer - The user can read all items in the folder.",
            "value": "Reviewer"
          },
          {
            "label": "Contributor - The user can create items and folders.",
            "value": "Contributor"
          },
          {
            "label": "Availability Only - Indicates that the user can view only free/busy time within the calendar.",
            "value": "AvailabilityOnly"
          },
          {
            "label": "Limited Details - The user can view free/busy time within the calendar and the subject and location of appointments.",
            "value": "LimitedDetails"
          },
          {
            "label": "None - The user has no permissions on the folder.",
            "value": "none"
          }
        ]
      }
    ],
    "label": "Set Sharing Level for Default calendar",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-MailboxFolderPermission",
    "recommendedBy": []
  },
  {
    "name": "standards.DisableExternalCalendarSharing",
    "cat": "Exchange Standards",
    "tag": ["lowimpact", "CIS", "exo_individualsharing"],
    "helpText": "Disables the ability for users to share their calendar with external users. Only for the default policy, so exclusions can be made if needed.",
    "docsDescription": "Disables external calendar sharing for the entire tenant. This is not a widely used feature, and it's therefore unlikely that this will impact users. Only for the default policy, so exclusions can be made if needed by making a new policy and assigning it to users.",
    "addedComponent": [],
    "label": "Disable external calendar sharing",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Get-SharingPolicy | Set-SharingPolicy -Enabled $False",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.DisableAdditionalStorageProviders",
    "cat": "Exchange Standards",
    "tag": ["lowimpact", "CIS", "exo_storageproviderrestricted"],
    "helpText": "Disables the ability for users to open files in Outlook on the Web, from other providers such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.",
    "docsDescription": "Disables additional storage providers in OWA. This is to prevent users from using personal storage providers like Dropbox, Google Drive, etc. Usually this has little user impact.",
    "addedComponent": [],
    "label": "Disable additional storage providers in OWA",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -AdditionalStorageProvidersEnabled $False",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.ShortenMeetings",
    "cat": "Exchange Standards",
    "tag": ["mediumimpact"],
    "helpText": "Sets the shorten meetings settings on a tenant level. This will shorten meetings by the selected amount of minutes. Valid values are 0 to 29. Short meetings are under 60 minutes, long meetings are over 60 minutes.",
    "addedComponent": [
      {
        "type": "Select",
        "label": "Select value",
        "name": "standards.ShortenMeetings.ShortenEventScopeDefault",
        "values": [
          {
            "label": "Disabled/None",
            "value": "None"
          },
          {
            "label": "End early",
            "value": "EndEarly"
          },
          {
            "label": "Start late",
            "value": "StartLate"
          }
        ]
      },
      {
        "type": "number",
        "name": "standards.ShortenMeetings.DefaultMinutesToReduceShortEventsBy",
        "label": "Minutes to reduce short calendar events by (Default is 5)",
        "default": 5
      },
      {
        "type": "number",
        "name": "standards.ShortenMeetings.DefaultMinutesToReduceLongEventsBy",
        "label": "Minutes to reduce long calendar events by (Default is 10)",
        "default": 10
      }
    ],
    "label": "Set shorten meetings state",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Set-OrganizationConfig -ShortenEventScopeDefault -DefaultMinutesToReduceShortEventsBy -DefaultMinutesToReduceLongEventsBy",
    "recommendedBy": []
  },
  {
    "name": "standards.Bookings",
    "cat": "Exchange Standards",
    "tag": ["mediumimpact"],
    "helpText": "Sets the state of Bookings on the tenant. Bookings is a scheduling tool that allows users to book appointments with others both internal and external.",
    "docsDescription": "",
    "addedComponent": [
      {
        "type": "Select",
        "label": "Select value",
        "name": "standards.Bookings.state",
        "values": [
          {
            "label": "Enabled",
            "value": "true"
          },
          {
            "label": "Disabled",
            "value": "false"
          }
        ]
      }
    ],
    "label": "Set Bookings state",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Set-OrganizationConfig -BookingsEnabled",
    "recommendedBy": []
  },
  {
    "name": "standards.DisableOutlookAddins",
    "cat": "Exchange Standards",
    "tag": ["mediumimpact", "CIS", "exo_outlookaddins"],
    "helpText": "Disables the ability for users to install add-ins in Outlook. This is to prevent users from installing malicious add-ins.",
    "docsDescription": "Disables users from being able to install add-ins in Outlook. Only admins are able to approve add-ins for the users. This is done to reduce the threat surface for data exfiltration.",
    "addedComponent": [],
    "label": "Disable users from installing add-ins in Outlook",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Get-ManagementRoleAssignment | Remove-ManagementRoleAssignment",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.SafeSendersDisable",
    "cat": "Exchange Standards",
    "tag": ["mediumimpact"],
    "helpText": "Loops through all users and removes the Safe Senders list. This is to prevent SPF bypass attacks, as the Safe Senders list is not checked by SPF.",
    "addedComponent": [],
    "disabledFeatures": {
      "report": true,
      "warn": true,
      "remediate": false
    },
    "label": "Remove Safe Senders to prevent SPF bypass",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Set-MailboxJunkEmailConfiguration",
    "recommendedBy": []
  },
  {
    "name": "standards.DelegateSentItems",
    "cat": "Exchange Standards",
    "tag": ["mediumimpact"],
    "helpText": "Sets emails sent as and on behalf of shared mailboxes to also be stored in the shared mailbox sent items folder",
    "docsDescription": "This makes sure that e-mails sent from shared mailboxes or delegate mailboxes, end up in the mailbox of the shared/delegate mailbox instead of the sender, allowing you to keep replies in the same mailbox as the original e-mail.",
    "addedComponent": [],
    "label": "Set mailbox Sent Items delegation (Sent items for shared mailboxes)",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Set-Mailbox",
    "recommendedBy": []
  },
  {
    "name": "standards.SendFromAlias",
    "cat": "Exchange Standards",
    "tag": ["mediumimpact"],
    "helpText": "Enables the ability for users to send from their alias addresses.",
    "docsDescription": "Allows users to change the 'from' address to any set in their Azure AD Profile.",
    "addedComponent": [],
    "label": "Allow users to send from their alias addresses",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Set-Mailbox",
    "recommendedBy": []
  },
  {
    "name": "standards.UserSubmissions",
    "cat": "Exchange Standards",
    "tag": ["mediumimpact"],
    "helpText": "Set the state of the spam submission button in Outlook",
    "docsDescription": "Set the state of the built-in Report button in Outlook. This gives the users the ability to report emails as spam or phish.",
    "addedComponent": [
      {
        "type": "Select",
        "label": "Select value",
        "name": "standards.UserSubmissions.state",
        "values": [
          {
            "label": "Enabled",
            "value": "enable"
          },
          {
            "label": "Disabled",
            "value": "disable"
          }
        ]
      },
      {
        "type": "input",
        "name": "standards.UserSubmissions.email",
        "label": "Destination email address"
      }
    ],
    "label": "Set the state of the built-in Report button in Outlook",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "New-ReportSubmissionPolicy or Set-ReportSubmissionPolicy and New-ReportSubmissionRule or Set-ReportSubmissionRule",
    "recommendedBy": []
  },
  {
    "name": "standards.DisableSharedMailbox",
    "cat": "Exchange Standards",
    "tag": ["mediumimpact", "CIS"],
    "helpText": "Blocks login for all accounts that are marked as a shared mailbox. This is Microsoft best practice to prevent direct logons to shared mailboxes.",
    "docsDescription": "Shared mailboxes can be directly logged into if the password is reset, this presents a security risk as do all shared login credentials. Microsoft's recommendation is to disable the user account for shared mailboxes. It would be a good idea to review the sign-in reports to establish potential impact.",
    "addedComponent": [],
    "label": "Disable Shared Mailbox AAD accounts",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Get-Mailbox & Update-MgUser",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.EXODisableAutoForwarding",
    "cat": "Exchange Standards",
    "tag": ["highimpact", "CIS", "mdo_autoforwardingmode", "mdo_blockmailforward"],
    "helpText": "Disables the ability for users to automatically forward e-mails to external recipients.",
    "docsDescription": "Disables the ability for users to automatically forward e-mails to external recipients. This is to prevent data exfiltration. Please check if there are any legitimate use cases for this feature before implementing, like forwarding invoices and such.",
    "addedComponent": [],
    "label": "Disable automatic forwarding to external recipients",
    "impact": "High Impact",
    "impactColour": "danger",
    "powershellEquivalent": "Set-HostedOutboundSpamFilterPolicy -AutoForwardingMode 'Off'",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.QuarantineRequestAlert",
    "cat": "Defender Standards",
    "tag": ["lowimpact"],
    "helpText": "Sets a e-mail address to alert when a User requests to release a quarantined message.",
    "docsDescription": "Sets a e-mail address to alert when a User requests to release a quarantined message. This is useful for monitoring and ensuring that the correct messages are released.",
    "addedComponent": [
      {
        "type": "input",
        "name": "standards.QuarantineRequestAlert.NotifyUser",
        "label": "E-mail to receive the alert"
      }
    ],
    "label": "Quarantine Release Request Alert",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "New-ProtectionAlert and Set-ProtectionAlert",
    "recommendedBy": []
  },
  {
    "name": "standards.SafeLinksPolicy",
    "cat": "Defender Standards",
    "tag": ["lowimpact", "CIS", "mdo_safelinksforemail", "mdo_safelinksforOfficeApps"],
    "helpText": "This creates a safelink policy that automatically scans, tracks, and and enables safe links for Email, Office, and Teams for both external and internal senders",
    "addedComponent": [
      {
        "type": "boolean",
        "label": "AllowClickThrough",
        "name": "standards.SafeLinksPolicy.AllowClickThrough"
      },
      {
        "type": "boolean",
        "label": "DisableUrlRewrite",
        "name": "standards.SafeLinksPolicy.DisableUrlRewrite"
      },
      {
        "type": "boolean",
        "label": "EnableOrganizationBranding",
        "name": "standards.SafeLinksPolicy.EnableOrganizationBranding"
      }
    ],
    "label": "Default SafeLinks Policy",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-SafeLinksPolicy or New-SafeLinksPolicy",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.AntiPhishPolicy",
    "cat": "Defender Standards",
    "tag": [
      "lowimpact",
      "CIS",
      "mdo_safeattachments",
      "mdo_highconfidencespamaction",
      "mdo_highconfidencephishaction",
      "mdo_phisspamacation",
      "mdo_spam_notifications_only_for_admins",
      "mdo_antiphishingpolicies",
      "mdo_phishthresholdlevel"
    ],
    "helpText": "This creates a Anti-Phishing policy that automatically enables Mailbox Intelligence and spoofing, optional switches for Mailtips.",
    "addedComponent": [
      {
        "type": "number",
        "label": "Phishing email threshold. (Default 1)",
        "name": "standards.AntiPhishPolicy.PhishThresholdLevel",
        "default": 1
      },
      {
        "type": "boolean",
        "label": "Show first contact safety tip",
        "name": "standards.AntiPhishPolicy.EnableFirstContactSafetyTips",
        "default": true
      },
      {
        "type": "boolean",
        "label": "Show user impersonation safety tip",
        "name": "standards.AntiPhishPolicy.EnableSimilarUsersSafetyTips",
        "default": true
      },
      {
        "type": "boolean",
        "label": "Show domain impersonation safety tip",
        "name": "standards.AntiPhishPolicy.EnableSimilarDomainsSafetyTips",
        "default": true
      },
      {
        "type": "boolean",
        "label": "Show user impersonation unusual characters safety tip",
        "name": "standards.AntiPhishPolicy.EnableUnusualCharactersSafetyTips",
        "default": true
      },
      {
        "type": "Select",
        "label": "If the message is detected as spoof by spoof intelligence",
        "name": "standards.AntiPhishPolicy.AuthenticationFailAction",
        "values": [
          {
            "label": "Quarantine the message",
            "value": "Quarantine"
          },
          {
            "label": "Move to Junk Folder",
            "value": "MoveToJmf"
          }
        ]
      },
      {
        "type": "Select",
        "label": "Quarantine policy for Spoof",
        "name": "standards.AntiPhishPolicy.SpoofQuarantineTag",
        "values": [
          {
            "label": "AdminOnlyAccessPolicy",
            "value": "AdminOnlyAccessPolicy"
          },
          {
            "label": "DefaultFullAccessPolicy",
            "value": "DefaultFullAccessPolicy"
          },
          {
            "label": "DefaultFullAccessWithNotificationPolicy",
            "value": "DefaultFullAccessWithNotificationPolicy"
          }
        ]
      },
      {
        "type": "Select",
        "label": "If a message is detected as user impersonation",
        "name": "standards.AntiPhishPolicy.TargetedUserProtectionAction",
        "values": [
          {
            "label": "Move to Junk Folder",
            "value": "MoveToJmf"
          },
          {
            "label": "Delete the message before its delivered",
            "value": "Delete"
          },
          {
            "label": "Quarantine the message",
            "value": "Quarantine"
          }
        ]
      },
      {
        "type": "Select",
        "label": "Quarantine policy for user impersonation",
        "name": "standards.AntiPhishPolicy.TargetedUserQuarantineTag",
        "values": [
          {
            "label": "AdminOnlyAccessPolicy",
            "value": "AdminOnlyAccessPolicy"
          },
          {
            "label": "DefaultFullAccessPolicy",
            "value": "DefaultFullAccessPolicy"
          },
          {
            "label": "DefaultFullAccessWithNotificationPolicy",
            "value": "DefaultFullAccessWithNotificationPolicy"
          }
        ]
      },
      {
        "type": "Select",
        "label": "If a message is detected as domain impersonation",
        "name": "standards.AntiPhishPolicy.TargetedDomainProtectionAction",
        "values": [
          {
            "label": "Move to Junk Folder",
            "value": "MoveToJmf"
          },
          {
            "label": "Delete the message before its delivered",
            "value": "Delete"
          },
          {
            "label": "Quarantine the message",
            "value": "Quarantine"
          }
        ]
      },
      {
        "type": "Select",
        "label": "Quarantine policy for domain impersonation",
        "name": "standards.AntiPhishPolicy.TargetedDomainQuarantineTag",
        "values": [
          {
            "label": "DefaultFullAccessWithNotificationPolicy",
            "value": "DefaultFullAccessWithNotificationPolicy"
          },
          {
            "label": "AdminOnlyAccessPolicy",
            "value": "AdminOnlyAccessPolicy"
          },
          {
            "label": "DefaultFullAccessPolicy",
            "value": "DefaultFullAccessPolicy"
          }
        ]
      },
      {
        "type": "Select",
        "label": "If Mailbox Intelligence detects an impersonated user",
        "name": "standards.AntiPhishPolicy.MailboxIntelligenceProtectionAction",
        "values": [
          {
            "label": "Move to Junk Folder",
            "value": "MoveToJmf"
          },
          {
            "label": "Delete the message before its delivered",
            "value": "Delete"
          },
          {
            "label": "Quarantine the message",
            "value": "Quarantine"
          }
        ]
      },
      {
        "type": "Select",
        "label": "Apply quarantine policy",
        "name": "standards.AntiPhishPolicy.MailboxIntelligenceQuarantineTag",
        "values": [
          {
            "label": "AdminOnlyAccessPolicy",
            "value": "AdminOnlyAccessPolicy"
          },
          {
            "label": "DefaultFullAccessPolicy",
            "value": "DefaultFullAccessPolicy"
          },
          {
            "label": "DefaultFullAccessWithNotificationPolicy",
            "value": "DefaultFullAccessWithNotificationPolicy"
          }
        ]
      }
    ],
    "label": "Default Anti-Phishing Policy",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-AntiphishPolicy or New-AntiphishPolicy",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.SafeAttachmentPolicy",
    "cat": "Defender Standards",
    "tag": [
      "lowimpact",
      "CIS",
      "mdo_safedocuments",
      "mdo_commonattachmentsfilter",
      "mdo_safeattachmentpolicy"
    ],
    "helpText": "This creates a Safe Attachment policy",
    "addedComponent": [
      {
        "type": "Select",
        "label": "Action",
        "name": "standards.SafeAttachmentPolicy.Action",
        "values": [
          {
            "label": "Allow",
            "value": "Allow"
          },
          {
            "label": "Block",
            "value": "Block"
          },
          {
            "label": "DynamicDelivery",
            "value": "DynamicDelivery"
          }
        ]
      },
      {
        "type": "Select",
        "label": "QuarantineTag",
        "name": "standards.SafeAttachmentPolicy.QuarantineTag",
        "values": [
          {
            "label": "AdminOnlyAccessPolicy",
            "value": "AdminOnlyAccessPolicy"
          },
          {
            "label": "DefaultFullAccessPolicy",
            "value": "DefaultFullAccessPolicy"
          },
          {
            "label": "DefaultFullAccessWithNotificationPolicy",
            "value": "DefaultFullAccessWithNotificationPolicy"
          }
        ]
      },
      {
        "type": "boolean",
        "label": "Redirect",
        "name": "standards.SafeAttachmentPolicy.Redirect"
      },
      {
        "type": "input",
        "name": "standards.SafeAttachmentPolicy.RedirectAddress",
        "label": "Redirect Address"
      }
    ],
    "label": "Default Safe Attachment Policy",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-SafeAttachmentPolicy or New-SafeAttachmentPolicy",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.AtpPolicyForO365",
    "cat": "Defender Standards",
    "tag": ["lowimpact", "CIS"],
    "helpText": "This creates a Atp policy that enables Defender for Office 365 for Sharepoint, OneDrive and Microsoft Teams.",
    "addedComponent": [
      {
        "type": "boolean",
        "label": "Allow people to click through Protected View even if Safe Documents identified the file as malicious",
        "name": "standards.AtpPolicyForO365.AllowSafeDocsOpen",
        "default": false
      }
    ],
    "label": "Default Atp Policy For O365",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-AtpPolicyForO365",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.MalwareFilterPolicy",
    "cat": "Defender Standards",
    "tag": ["lowimpact", "CIS", "mdo_zapspam", "mdo_zapphish", "mdo_zapmalware"],
    "helpText": "This creates a Malware filter policy that enables the default File filter and Zero-hour auto purge for malware.",
    "addedComponent": [
      {
        "type": "Select",
        "label": "FileTypeAction",
        "name": "standards.MalwareFilterPolicy.FileTypeAction",
        "values": [
          {
            "label": "Reject",
            "value": "Reject"
          },
          {
            "label": "Quarantine the message",
            "value": "Quarantine"
          }
        ]
      },
      {
        "type": "input",
        "name": "standards.MalwareFilterPolicy.OptionalFileTypes",
        "label": "Optional File Types, Comma separated"
      },
      {
        "type": "Select",
        "label": "QuarantineTag",
        "name": "standards.MalwareFilterPolicy.QuarantineTag",
        "values": [
          {
            "label": "AdminOnlyAccessPolicy",
            "value": "AdminOnlyAccessPolicy"
          },
          {
            "label": "DefaultFullAccessPolicy",
            "value": "DefaultFullAccessPolicy"
          },
          {
            "label": "DefaultFullAccessWithNotificationPolicy",
            "value": "DefaultFullAccessWithNotificationPolicy"
          }
        ]
      },
      {
        "type": "boolean",
        "label": "Enable Internal Sender Admin Notifications",
        "name": "standards.MalwareFilterPolicy.EnableInternalSenderAdminNotifications"
      },
      {
        "type": "input",
        "name": "standards.MalwareFilterPolicy.InternalSenderAdminAddress",
        "label": "Internal Sender Admin Address"
      },
      {
        "type": "boolean",
        "label": "Enable External Sender Admin Notifications",
        "name": "standards.MalwareFilterPolicy.EnableExternalSenderAdminNotifications"
      },
      {
        "type": "input",
        "name": "standards.MalwareFilterPolicy.ExternalSenderAdminAddress",
        "label": "External Sender Admin Address"
      }
    ],
    "label": "Default Malware Filter Policy",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-MalwareFilterPolicy or New-MalwareFilterPolicy",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.SpamFilterPolicy",
    "cat": "Defender Standards",
    "tag": ["mediumimpact"],
    "helpText": "This standard creates a Spam filter policy similar to the default strict policy.",
    "addedComponent": [
      {
        "type": "number",
        "label": "Bulk email threshold (Default 7)",
        "name": "standards.SpamFilterPolicy.BulkThreshold",
        "default": 7
      },
      {
        "type": "Select",
        "label": "Spam Action",
        "name": "standards.SpamFilterPolicy.SpamAction",
        "values": [
          {
            "label": "Quarantine the message",
            "value": "Quarantine"
          },
          {
            "label": "Move message to Junk Email folder",
            "value": "MoveToJmf"
          }
        ]
      },
      {
        "type": "Select",
        "label": "Spam Quarantine Tag",
        "name": "standards.SpamFilterPolicy.SpamQuarantineTag",
        "values": [
          {
            "label": "AdminOnlyAccessPolicy",
            "value": "AdminOnlyAccessPolicy"
          },
          {
            "label": "DefaultFullAccessPolicy",
            "value": "DefaultFullAccessPolicy"
          },
          {
            "label": "DefaultFullAccessWithNotificationPolicy",
            "value": "DefaultFullAccessWithNotificationPolicy"
          }
        ]
      },
      {
        "type": "Select",
        "label": "High Confidence Spam Action",
        "name": "standards.SpamFilterPolicy.HighConfidenceSpamAction",
        "values": [
          {
            "label": "Quarantine the message",
            "value": "Quarantine"
          },
          {
            "label": "Move message to Junk Email folder",
            "value": "MoveToJmf"
          }
        ]
      },
      {
        "type": "Select",
        "label": "High Confidence Spam Quarantine Tag",
        "name": "standards.SpamFilterPolicy.HighConfidenceSpamQuarantineTag",
        "values": [
          {
            "label": "AdminOnlyAccessPolicy",
            "value": "AdminOnlyAccessPolicy"
          },
          {
            "label": "DefaultFullAccessPolicy",
            "value": "DefaultFullAccessPolicy"
          },
          {
            "label": "DefaultFullAccessWithNotificationPolicy",
            "value": "DefaultFullAccessWithNotificationPolicy"
          }
        ]
      },
      {
        "type": "Select",
        "label": "Bulk Spam Action",
        "name": "standards.SpamFilterPolicy.BulkSpamAction",
        "values": [
          {
            "label": "Quarantine the message",
            "value": "Quarantine"
          },
          {
            "label": "Move message to Junk Email folder",
            "value": "MoveToJmf"
          }
        ]
      },
      {
        "type": "Select",
        "label": "Bulk Quarantine Tag",
        "name": "standards.SpamFilterPolicy.BulkQuarantineTag",
        "values": [
          {
            "label": "AdminOnlyAccessPolicy",
            "value": "AdminOnlyAccessPolicy"
          },
          {
            "label": "DefaultFullAccessPolicy",
            "value": "DefaultFullAccessPolicy"
          },
          {
            "label": "DefaultFullAccessWithNotificationPolicy",
            "value": "DefaultFullAccessWithNotificationPolicy"
          }
        ]
      },
      {
        "type": "Select",
        "label": "Phish Spam Action",
        "name": "standards.SpamFilterPolicy.PhishSpamAction",
        "values": [
          {
            "label": "Quarantine the message",
            "value": "Quarantine"
          },
          {
            "label": "Move message to Junk Email folder",
            "value": "MoveToJmf"
          }
        ]
      },
      {
        "type": "Select",
        "label": "Phish Quarantine Tag",
        "name": "standards.SpamFilterPolicy.PhishQuarantineTag",
        "values": [
          {
            "label": "AdminOnlyAccessPolicy",
            "value": "AdminOnlyAccessPolicy"
          },
          {
            "label": "DefaultFullAccessPolicy",
            "value": "DefaultFullAccessPolicy"
          },
          {
            "label": "DefaultFullAccessWithNotificationPolicy",
            "value": "DefaultFullAccessWithNotificationPolicy"
          }
        ]
      },
      {
        "type": "Select",
        "label": "High Confidence Phish Quarantine Tag",
        "name": "standards.SpamFilterPolicy.HighConfidencePhishQuarantineTag",
        "values": [
          {
            "label": "AdminOnlyAccessPolicy",
            "value": "AdminOnlyAccessPolicy"
          },
          {
            "label": "DefaultFullAccessPolicy",
            "value": "DefaultFullAccessPolicy"
          },
          {
            "label": "DefaultFullAccessWithNotificationPolicy",
            "value": "DefaultFullAccessWithNotificationPolicy"
          }
        ]
      }
    ],
    "label": "Default Spam Filter Policy",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "New-HostedContentFilterPolicy or Set-HostedContentFilterPolicy",
    "recommendedBy": []
  },
  {
    "name": "standards.intuneDeviceRetirementDays",
    "cat": "Intune Standards",
    "tag": ["lowimpact"],
    "helpText": "A value between 0 and 270 is supported. A value of 0 disables retirement, retired devices are removed from Intune after the specified number of days.",
    "addedComponent": [
      {
        "type": "number",
        "name": "standards.intuneDeviceRetirementDays.days",
        "label": "Maximum days (0 equals disabled)"
      }
    ],
    "label": "Set inactive device retirement days",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Graph API",
    "recommendedBy": []
  },
  {
    "name": "standards.intuneBrandingProfile",
    "cat": "Intune Standards",
    "tag": ["lowimpact"],
    "helpText": "Sets the branding profile for the Intune Company Portal app. This is a tenant wide setting and overrules any settings set on the app level.",
    "addedComponent": [
      {
        "type": "input",
        "name": "standards.intuneBrandingProfile.displayName",
        "label": "Organization name"
      },
      {
        "type": "boolean",
        "name": "standards.intuneBrandingProfile.showLogo",
        "label": "Show logo"
      },
      {
        "type": "boolean",
        "name": "standards.intuneBrandingProfile.showDisplayNameNextToLogo",
        "label": "Show organization name next to logo"
      },
      {
        "type": "input",
        "name": "standards.intuneBrandingProfile.contactITName",
        "label": "Contact IT name"
      },
      {
        "type": "input",
        "name": "standards.intuneBrandingProfile.contactITPhoneNumber",
        "label": "Contact IT phone number"
      },
      {
        "type": "input",
        "name": "standards.intuneBrandingProfile.contactITEmailAddress",
        "label": "Contact IT email address"
      },
      {
        "type": "input",
        "name": "standards.intuneBrandingProfile.contactITNotes",
        "label": "Contact IT notes"
      },
      {
        "type": "input",
        "name": "standards.intuneBrandingProfile.onlineSupportSiteName",
        "label": "Online support site name"
      },
      {
        "type": "input",
        "name": "standards.intuneBrandingProfile.onlineSupportSiteUrl",
        "label": "Online support site URL"
      },
      {
        "type": "input",
        "name": "standards.intuneBrandingProfile.privacyUrl",
        "label": "Privacy statement URL"
      }
    ],
    "label": "Set Intune Company Portal branding profile",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Graph API",
    "recommendedBy": []
  },
  {
    "name": "standards.intuneDeviceReg",
    "cat": "Intune Standards",
    "tag": ["mediumimpact"],
    "helpText": "sets the maximum number of devices that can be registered by a user. A value of 0 disables device registration by users",
    "addedComponent": [
      {
        "type": "number",
        "name": "standards.intuneDeviceReg.max",
        "label": "Maximum devices (Enter 2147483647 for unlimited.)"
      }
    ],
    "label": "Set Maximum Number of Devices per user",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Update-MgBetaPolicyDeviceRegistrationPolicy",
    "recommendedBy": []
  },
  {
    "name": "standards.intuneRequireMFA",
    "cat": "Intune Standards",
    "tag": ["mediumimpact"],
    "helpText": "Requires MFA for all users to register devices with Intune. This is useful when not using Conditional Access.",
    "label": "Require Multifactor Authentication to register or join devices with Microsoft Entra",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Update-MgBetaPolicyDeviceRegistrationPolicy",
    "recommendedBy": []
  },
  {
    "name": "standards.DeletedUserRentention",
    "cat": "SharePoint Standards",
    "tag": ["lowimpact"],
    "helpText": "Sets the retention period for deleted users OneDrive to the specified period of time. The default is 30 days.",
    "docsDescription": "When a OneDrive user gets deleted, the personal SharePoint site is saved for selected amount of time that data can be retrieved from it.",
    "addedComponent": [
      {
        "type": "Select",
        "name": "standards.DeletedUserRentention.Days",
        "label": "Retention time (Default 30 days)",
        "values": [
          {
            "label": "30 days",
            "value": "30"
          },
          {
            "label": "90 days",
            "value": "90"
          },
          {
            "label": "1 year",
            "value": "365"
          },
          {
            "label": "2 years",
            "value": "730"
          },
          {
            "label": "3 years",
            "value": "1095"
          },
          {
            "label": "4 years",
            "value": "1460"
          },
          {
            "label": "5 years",
            "value": "1825"
          },
          {
            "label": "6 years",
            "value": "2190"
          },
          {
            "label": "7 years",
            "value": "2555"
          },
          {
            "label": "8 years",
            "value": "2920"
          },
          {
            "label": "9 years",
            "value": "3285"
          },
          {
            "label": "10 years",
            "value": "3650"
          }
        ]
      }
    ],
    "label": "Set deleted user retention time in OneDrive",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Update-MgBetaAdminSharepointSetting",
    "recommendedBy": []
  },
  {
    "name": "standards.TenantDefaultTimezone",
    "cat": "SharePoint Standards",
    "tag": ["lowimpact"],
    "helpText": "Sets the default timezone for the tenant. This will be used for all new users and sites.",
    "addedComponent": [
      {
        "type": "TimezoneSelect",
        "name": "standards.TenantDefaultTimezone.Timezone",
        "label": "Timezone"
      }
    ],
    "label": "Set Default Timezone for Tenant",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Update-MgBetaAdminSharepointSetting",
    "recommendedBy": []
  },
  {
    "name": "standards.SPAzureB2B",
    "cat": "SharePoint Standards",
    "tag": ["lowimpact", "CIS"],
    "helpText": "Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled",
    "addedComponent": [],
    "label": "Enable SharePoint and OneDrive integration with Azure AD B2B",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-SPOTenant -EnableAzureADB2BIntegration $true",
    "recommendedBy": ["CIS 3.0"]
  },
  {
    "name": "standards.SPDisallowInfectedFiles",
    "cat": "SharePoint Standards",
    "tag": ["lowimpact", "CIS"],
    "helpText": "Ensure Office 365 SharePoint infected files are disallowed for download",
    "addedComponent": [],
    "label": "Disallow downloading infected files from SharePoint",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-SPOTenant -DisallowInfectedFileDownload $true",
    "recommendedBy": ["CIS 3.0"]
  },
  {
    "name": "standards.SPDisableLegacyWorkflows",
    "cat": "SharePoint Standards",
    "tag": ["lowimpact"],
    "helpText": "Disables the creation of new SharePoint 2010 and 2013 classic workflows and removes the 'Return to classic SharePoint' link on modern SharePoint list and library pages.",
    "addedComponent": [],
    "label": "Disable Legacy Workflows",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-SPOTenant -DisableWorkflow2010 $true -DisableWorkflow2013 $true -DisableBackToClassic $true",
    "recommendedBy": []
  },
  {
    "name": "standards.SPDirectSharing",
    "cat": "SharePoint Standards",
    "tag": ["mediumimpact", "CIS"],
    "helpText": "Ensure default link sharing is set to Direct in SharePoint and OneDrive",
    "addedComponent": [],
    "label": "Default sharing to Direct users",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Set-SPOTenant -DefaultSharingLinkType Direct",
    "recommendedBy": ["CIS 3.0"]
  },
  {
    "name": "standards.SPExternalUserExpiration",
    "cat": "SharePoint Standards",
    "tag": ["mediumimpact", "CIS"],
    "helpText": "Ensure guest access to a site or OneDrive will expire automatically",
    "addedComponent": [
      {
        "type": "number",
        "name": "standards.SPExternalUserExpiration.Days",
        "label": "Days until expiration (Default 60)"
      }
    ],
    "label": "Set guest access to expire automatically",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Set-SPOTenant -ExternalUserExpireInDays 30 -ExternalUserExpirationRequired $True",
    "recommendedBy": ["CIS 3.0"]
  },
  {
    "name": "standards.SPEmailAttestation",
    "cat": "SharePoint Standards",
    "tag": ["mediumimpact", "CIS"],
    "helpText": "Ensure reauthentication with verification code is restricted",
    "addedComponent": [
      {
        "type": "number",
        "name": "standards.SPEmailAttestation.Days",
        "label": "Require reauth every X Days (Default 15)"
      }
    ],
    "label": "Require reauthentication with verification code",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Set-SPOTenant -EmailAttestationRequired $true -EmailAttestationReAuthDays 15",
    "recommendedBy": ["CIS 3.0"]
  },
  {
    "name": "standards.DisableAddShortcutsToOneDrive",
    "cat": "SharePoint Standards",
    "tag": ["mediumimpact"],
    "helpText": "If disabled, the button Add shortcut to OneDrive will be removed and users in the tenant will no longer be able to add new shortcuts to their OneDrive. Existing shortcuts will remain functional",
    "addedComponent": [
      {
        "type": "Select",
        "label": "Add Shortcuts To OneDrive button state",
        "name": "standards.DisableAddShortcutsToOneDrive.state",
        "values": [
          {
            "label": "Disabled",
            "value": "true"
          },
          {
            "label": "Enabled",
            "value": "false"
          }
        ]
      }
    ],
    "label": "Set Add Shortcuts To OneDrive button state",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Set-SPOTenant -DisableAddShortcutsToOneDrive $true or $false",
    "recommendedBy": []
  },
  {
    "name": "standards.SPSyncButtonState",
    "cat": "SharePoint Standards",
    "tag": ["mediumimpact"],
    "helpText": "If disabled, users in the tenant will no longer be able to use the Sync button to sync SharePoint content on all sites. However, existing synced content will remain functional on the user's computer.",
    "addedComponent": [
      {
        "type": "Select",
        "label": "SharePoint Sync Button state",
        "name": "standards.SPSyncButtonState.state",
        "values": [
          {
            "label": "Disabled",
            "value": "true"
          },
          {
            "label": "Enabled",
            "value": "false"
          }
        ]
      }
    ],
    "label": "Set SharePoint sync button state",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Set-SPOTenant -HideSyncButtonOnTeamSite $true or $false",
    "recommendedBy": []
  },
  {
    "name": "standards.DisableSharePointLegacyAuth",
    "cat": "SharePoint Standards",
    "tag": ["mediumimpact", "CIS", "spo_legacy_auth"],
    "helpText": "Disables the ability to authenticate with SharePoint using legacy authentication methods. Any applications that use legacy authentication will need to be updated to use modern authentication.",
    "docsDescription": "Disables the ability for users and applications to access SharePoint via legacy basic authentication. This will likely not have any user impact, but will block systems/applications depending on basic auth or the SharePointOnlineCredentials class.",
    "addedComponent": [],
    "label": "Disable legacy basic authentication for SharePoint",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Set-SPOTenant -LegacyAuthProtocolsEnabled $false",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.sharingCapability",
    "cat": "SharePoint Standards",
    "tag": ["highimpact", "CIS"],
    "helpText": "Sets the default sharing level for OneDrive and Sharepoint. This is a tenant wide setting and overrules any settings set on the site level",
    "addedComponent": [
      {
        "type": "Select",
        "label": "Select Sharing Level",
        "name": "standards.sharingCapability.Level",
        "values": [
          {
            "label": "Users can share only with people in the organization. No external sharing is allowed.",
            "value": "disabled"
          },
          {
            "label": "Users can share with new and existing guests. Guests must sign in or provide a verification code.",
            "value": "externalUserSharingOnly"
          },
          {
            "label": "Users can share with anyone by using links that do not require sign-in.",
            "value": "externalUserAndGuestSharing"
          },
          {
            "label": "Users can share with existing guests (those already in the directory of the organization).",
            "value": "existingExternalUserSharingOnly"
          }
        ]
      }
    ],
    "label": "Set Sharing Level for OneDrive and Sharepoint",
    "impact": "High Impact",
    "impactColour": "danger",
    "powershellEquivalent": "Update-MgBetaAdminSharepointSetting",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.DisableReshare",
    "cat": "SharePoint Standards",
    "tag": ["highimpact", "CIS"],
    "helpText": "Disables the ability for external users to share files they don't own. Sharing links can only be made for People with existing access",
    "docsDescription": "Disables the ability for external users to share files they don't own. Sharing links can only be made for People with existing access. This is a tenant wide setting and overrules any settings set on the site level",
    "addedComponent": [],
    "label": "Disable Resharing by External Users",
    "impact": "High Impact",
    "impactColour": "danger",
    "powershellEquivalent": "Update-MgBetaAdminSharepointSetting",
    "recommendedBy": ["CIS"]
  },
  {
    "name": "standards.DisableUserSiteCreate",
    "cat": "SharePoint Standards",
    "tag": ["highimpact"],
    "helpText": "Disables users from creating new SharePoint sites",
    "docsDescription": "Disables standard users from creating SharePoint sites, also disables the ability to fully create teams",
    "addedComponent": [],
    "label": "Disable site creation by standard users",
    "impact": "High Impact",
    "impactColour": "danger",
    "powershellEquivalent": "Update-MgAdminSharepointSetting",
    "recommendedBy": []
  },
  {
    "name": "standards.ExcludedfileExt",
    "cat": "SharePoint Standards",
    "tag": ["highimpact"],
    "helpText": "Sets the file extensions that are excluded from syncing with OneDrive. These files will be blocked from upload. '*.' is automatically added to the extension and can be omitted.",
    "addedComponent": [
      {
        "type": "input",
        "name": "standards.ExcludedfileExt.ext",
        "label": "Extensions, Comma separated"
      }
    ],
    "label": "Exclude File Extensions from Syncing",
    "impact": "High Impact",
    "impactColour": "danger",
    "powershellEquivalent": "Update-MgAdminSharepointSetting",
    "recommendedBy": []
  },
  {
    "name": "standards.disableMacSync",
    "cat": "SharePoint Standards",
    "tag": ["highimpact"],
    "helpText": "Disables the ability for Mac devices to sync with OneDrive.",
    "addedComponent": [],
    "label": "Do not allow Mac devices to sync using OneDrive",
    "impact": "High Impact",
    "impactColour": "danger",
    "powershellEquivalent": "Update-MgAdminSharepointSetting",
    "recommendedBy": []
  },
  {
    "name": "standards.unmanagedSync",
    "cat": "SharePoint Standards",
    "tag": ["highimpact"],
    "helpText": "The unmanaged Sync standard has been temporarily disabled and does nothing.",
    "addedComponent": [],
    "label": "Only allow users to sync OneDrive from AAD joined devices",
    "impact": "High Impact",
    "impactColour": "danger",
    "powershellEquivalent": "Update-MgAdminSharepointSetting",
    "recommendedBy": []
  },
  {
    "name": "standards.sharingDomainRestriction",
    "cat": "SharePoint Standards",
    "tag": ["highimpact", "CIS"],
    "helpText": "Restricts sharing to only users with the specified domain. This is useful for organizations that only want to share with their own domain.",
    "addedComponent": [
      {
        "type": "Select",
        "name": "standards.sharingDomainRestriction.Mode",
        "label": "Limit external sharing by domains",
        "values": [
          {
            "label": "Off",
            "value": "none"
          },
          {
            "label": "Restrict sharing to specific domains",
            "value": "allowList"
          },
          {
            "label": "Block sharing to specific domains",
            "value": "blockList"
          }
        ]
      },
      {
        "type": "input",
        "name": "standards.sharingDomainRestriction.Domains",
        "label": "Domains to allow/block, comma separated"
      }
    ],
    "label": "Restrict sharing to a specific domain",
    "impact": "High Impact",
    "impactColour": "danger",
    "powershellEquivalent": "Update-MgAdminSharepointSetting",
    "recommendedBy": []
  },
  {
    "name": "standards.TeamsGlobalMeetingPolicy",
    "cat": "Teams Standards",
    "tag": ["lowimpact"],
    "helpText": "Defines the CIS recommended global meeting policy for Teams. This includes AllowAnonymousUsersToJoinMeeting, AllowAnonymousUsersToStartMeeting, AutoAdmittedUsers, AllowPSTNUsersToBypassLobby, MeetingChatEnabledType, DesignatedPresenterRoleMode, AllowExternalParticipantGiveRequestControl",
    "addedComponent": [
      {
        "type": "Select",
        "name": "standards.TeamsGlobalMeetingPolicy.DesignatedPresenterRoleMode",
        "label": "Default value of the `Who can present?`",
        "values": [
          {
            "label": "EveryoneUserOverride",
            "value": "EveryoneUserOverride"
          },
          {
            "label": "EveryoneInCompanyUserOverride",
            "value": "EveryoneInCompanyUserOverride"
          },
          {
            "label": "EveryoneInSameAndFederatedCompanyUserOverride",
            "value": "EveryoneInSameAndFederatedCompanyUserOverride"
          },
          {
            "label": "OrganizerOnlyUserOverride",
            "value": "OrganizerOnlyUserOverride"
          }
        ]
      }
    ],
    "label": "Define Global Meeting Policy for Teams",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-CsTeamsMeetingPolicy -AllowAnonymousUsersToJoinMeeting $false -AllowAnonymousUsersToStartMeeting $false -AutoAdmittedUsers EveryoneInCompanyExcludingGuests -AllowPSTNUsersToBypassLobby $false -MeetingChatEnabledType EnabledExceptAnonymous -DesignatedPresenterRoleMode $DesignatedPresenterRoleMode -AllowExternalParticipantGiveRequestControl $false",
    "recommendedBy": ["CIS 3.0"]
  },
  {
    "name": "standards.TeamsEmailIntegration",
    "cat": "Teams Standards",
    "tag": ["lowimpact"],
    "helpText": "Should users be allowed to send emails directly to a channel email addresses?",
    "docsDescription": "Teams channel email addresses are an optional feature that allows users to email the Teams channel directly.",
    "addedComponent": [
      {
        "type": "boolean",
        "name": "standards.TeamsEmailIntegration.AllowEmailIntoChannel",
        "label": "Allow channel emails"
      }
    ],
    "label": "Disallow emails to be sent to channel email addresses",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-CsTeamsClientConfiguration -AllowEmailIntoChannel $false",
    "recommendedBy": ["CIS 3.0"]
  },
  {
    "name": "standards.TeamsExternalFileSharing",
    "cat": "Teams Standards",
    "tag": ["lowimpact"],
    "helpText": "Ensure external file sharing in Teams is enabled for only approved cloud storage services.",
    "addedComponent": [
      {
        "type": "boolean",
        "name": "standards.TeamsExternalFileSharing.AllowGoogleDrive",
        "label": "Allow Google Drive"
      },
      {
        "type": "boolean",
        "name": "standards.TeamsExternalFileSharing.AllowShareFile",
        "label": "Allow ShareFile"
      },
      {
        "type": "boolean",
        "name": "standards.TeamsExternalFileSharing.AllowBox",
        "label": "Allow Box"
      },
      {
        "type": "boolean",
        "name": "standards.TeamsExternalFileSharing.AllowDropBox",
        "label": "Allow Dropbox"
      },
      {
        "type": "boolean",
        "name": "standards.TeamsExternalFileSharing.AllowEgnyte",
        "label": "Allow Egnyte"
      }
    ],
    "label": "Define approved cloud storage services for external file sharing in Teams",
    "impact": "Low Impact",
    "impactColour": "info",
    "powershellEquivalent": "Set-CsTeamsClientConfiguration -AllowGoogleDrive $false -AllowShareFile $false -AllowBox $false -AllowDropBox $false -AllowEgnyte $false",
    "recommendedBy": ["CIS 3.0"]
  },
  {
    "name": "standards.TeamsExternalAccessPolicy",
    "cat": "Teams Standards",
    "tag": ["mediumimpact"],
    "helpText": "Sets the properties of the Global external access policy.",
    "docsDescription": "Sets the properties of the Global external access policy. External access policies determine whether or not your users can: 1) communicate with users who have Session Initiation Protocol (SIP) accounts with a federated organization; 2) communicate with users who are using custom applications built with Azure Communication Services; 3) access Skype for Business Server over the Internet, without having to log on to your internal network; 4) communicate with users who have SIP accounts with a public instant messaging (IM) provider such as Skype; and, 5) communicate with people who are using Teams with an account that's not managed by an organization.",
    "addedComponent": [
      {
        "type": "boolean",
        "name": "standards.TeamsExternalAccessPolicy.EnableFederationAccess",
        "label": "Allow communication from trusted organizations"
      },
      {
        "type": "boolean",
        "name": "standards.TeamsExternalAccessPolicy.EnablePublicCloudAccess",
        "label": "Allow user to communicate with Skype users"
      },
      {
        "type": "boolean",
        "name": "standards.TeamsExternalAccessPolicy.EnableTeamsConsumerAccess",
        "label": "Allow communication with unmanaged Teams accounts"
      }
    ],
    "label": "External Access Settings for Microsoft Teams",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Set-CsExternalAccessPolicy",
    "recommendedBy": []
  },
  {
    "name": "standards.TeamsFederationConfiguration",
    "cat": "Teams Standards",
    "tag": ["mediumimpact"],
    "helpText": "Sets the properties of the Global federation configuration.",
    "docsDescription": "Sets the properties of the Global federation configuration. Federation configuration settings determine whether or not your users can communicate with users who have SIP accounts with a federated organization.",
    "addedComponent": [
      {
        "type": "boolean",
        "name": "standards.TeamsFederationConfiguration.AllowTeamsConsumer",
        "label": "Allow users to communicate with other organizations"
      },
      {
        "type": "boolean",
        "name": "standards.TeamsFederationConfiguration.AllowPublicUsers",
        "label": "Allow users to communicate with Skype Users"
      },
      {
        "type": "Select",
        "name": "standards.TeamsFederationConfiguration.DomainControl",
        "label": "Communication Mode",
        "values": [
          {
            "label": "Allow all external domains",
            "value": "AllowAllExternal"
          },
          {
            "label": "Block all external domains",
            "value": "BlockAllExternal"
          },
          {
            "label": "Allow specific external domains",
            "value": "AllowSpecificExternal"
          },
          {
            "label": "Block specific external domains",
            "value": "BlockSpecificExternal"
          }
        ]
      },
      {
        "type": "input",
        "name": "standards.TeamsFederationConfiguration.DomainList",
        "label": "Domains, Comma separated"
      }
    ],
    "label": "Federation Configuration for Microsoft Teams",
    "impact": "Medium Impact",
    "impactColour": "warning",
    "powershellEquivalent": "Set-CsTenantFederationConfiguration",
    "recommendedBy": []
  }
]