include config, force set path to public

.gitignore

@@ -7,5 +7,4 @@ chocoapps.cache
 Cache_*
 Logs
 ExcludedTenants
-Config
 SendNotifications/config.json

Config/49a8069e-3b46-4680-a035-9250bc675446.CATemplate.json

@@ -0,0 +1,41 @@
+{
+  "state": "enabled",
+  "grantControls": {
+    "builtInControls": ["mfa"],
+    "operator": "OR",
+    "termsOfUse": [],
+    "customAuthenticationFactors": []
+  },
+  "conditions": {
+    "times": null,
+    "locations": null,
+    "signInRiskLevels": [],
+    "devices": null,
+    "deviceStates": null,
+    "users": {
+      "excludeRoles": [],
+      "excludeUsers": [],
+      "excludeGroups": [],
+      "includeUsers": ["All"],
+      "includeRoles": [],
+      "includeGroups": []
+    },
+    "servicePrincipalRiskLevels": [],
+    "userRiskLevels": [],
+    "clientAppTypes": [
+      "exchangeActiveSync",
+      "browser",
+      "mobileAppsAndDesktopClients",
+      "other"
+    ],
+    "platforms": null,
+    "clientApplications": null,
+    "applications": {
+      "includeApplications": ["All"],
+      "includeUserActions": [],
+      "includeAuthenticationContextClassReferences": [],
+      "excludeApplications": []
+    }
+  },
+  "displayName": "Enforce Multi factor authentication for each application"
+}

Config/4d9206b0-4f96-41e6-86a5-f78cdcff5069.IntuneTemplate.json

@@ -0,0 +1,7 @@
+{
+  "Displayname": "CIPP Default: Set screen lock time to 5 minutes",
+  "Description": "Sets the screen to lock after 5 minutes of inactivity.",
+  "RAWJson": "{\"name\":\"Set Screen Lockout to 5 minutes\",\"description\":\"\",\"platforms\":\"windows10\",\"technologies\":\"mdm\",\"roleScopeTagIds\":[\"0\"],\"settings\":[{\"@odata.type\":\"#microsoft.graph.deviceManagementConfigurationSetting\",\"settingInstance\":{\"@odata.type\":\"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance\",\"settingDefinitionId\":\"device_vendor_msft_policy_config_localpoliciessecurityoptions_interactivelogon_machineinactivitylimit_v2\",\"simpleSettingValue\":{\"@odata.type\":\"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue\",\"value\":300}}}]}",
+  "Type": "Catalog",
+  "GUID": "4d9206b0-4f96-41e6-86a5-f78cdcff5069.IntuneTemplate.json"
+}

Config/59bd753c-4204-4b3a-b84b-850d4b69f494.IntuneTemplate.json

@@ -0,0 +1,7 @@
+{
+  "Displayname": "LAPS",
+  "Description": "",
+  "RAWJson": "{\r\n  \"name\": \"LAPS\",\r\n  \"description\": \"\",\r\n  \"settings\": [\r\n    {\r\n      \"id\": \"0\",\r\n      \"settingInstance\": {\r\n        \"@odata.type\": \"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance\",\r\n        \"settingDefinitionId\": \"device_vendor_msft_laps_policies_backupdirectory\",\r\n        \"settingInstanceTemplateReference\": {\r\n          \"settingInstanceTemplateId\": \"a3270f64-e493-499d-8900-90290f61ed8a\"\r\n        },\r\n        \"choiceSettingValue\": {\r\n          \"value\": \"device_vendor_msft_laps_policies_backupdirectory_1\",\r\n          \"settingValueTemplateReference\": {\r\n            \"settingValueTemplateId\": \"4d90f03d-e14c-43c4-86da-681da96a2f92\",\r\n            \"useTemplateDefault\": false\r\n          },\r\n          \"children\": [\r\n            {\r\n              \"@odata.type\": \"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance\",\r\n              \"settingDefinitionId\": \"device_vendor_msft_laps_policies_passwordagedays_aad\",\r\n              \"settingInstanceTemplateReference\": null,\r\n              \"simpleSettingValue\": {\r\n                \"@odata.type\": \"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue\",\r\n                \"settingValueTemplateReference\": null,\r\n                \"value\": 30\r\n              }\r\n            }\r\n          ]\r\n        }\r\n      }\r\n    },\r\n    {\r\n      \"id\": \"1\",\r\n      \"settingInstance\": {\r\n        \"@odata.type\": \"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance\",\r\n        \"settingDefinitionId\": \"device_vendor_msft_laps_policies_passwordcomplexity\",\r\n        \"settingInstanceTemplateReference\": {\r\n          \"settingInstanceTemplateId\": \"8a7459e8-1d1c-458a-8906-7b27d216de52\"\r\n        },\r\n        \"choiceSettingValue\": {\r\n          \"value\": \"device_vendor_msft_laps_policies_passwordcomplexity_4\",\r\n          \"settingValueTemplateReference\": {\r\n            \"settingValueTemplateId\": \"aa883ab5-625e-4e3b-b830-a37a4bb8ce01\",\r\n            \"useTemplateDefault\": false\r\n          },\r\n          \"children\": []\r\n        }\r\n      }\r\n    }\r\n  ],\r\n  \"platforms\": \"windows10\",\r\n  \"technologies\": \"mdm\",\r\n  \"templateReference\": {\r\n    \"templateId\": \"adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1\",\r\n    \"templateFamily\": \"endpointSecurityAccountProtection\",\r\n    \"templateDisplayName\": \"Local admin password solution (Windows LAPS)\",\r\n    \"templateDisplayVersion\": \"Version 1\"\r\n  }\r\n}",
+  "Type": "Catalog",
+  "GUID": "59bd753c-4204-4b3a-b84b-850d4b69f494"
+}

Config/7547f73c-3cb0-460c-a4bd-391944908007.IntuneTemplate.json

@@ -0,0 +1,7 @@
+{
+  "Displayname": "CIPP Default: Skip Autopilot User Setup Page",
+  "Description": "Skips the autopilot user setup page",
+  "RAWJson": "{\"id\":\"00000000-0000-0000-0000-000000000000\",\"displayName\":\"Skip Autopilot User Setup Page\",\"roleScopeTagIds\":[\"0\"],\"@odata.type\":\"#microsoft.graph.windows10CustomConfiguration\",\"omaSettings\":[{\"displayName\":\"SkipUserSetupPage\",\"omaUri\":\"./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage\",\"@odata.type\":\"#microsoft.graph.omaSettingBoolean\",\"value\":\"true\"}]}",
+  "Type": "Device",
+  "GUID": "7547f73c-3cb0-460c-a4bd-391944908007.IntuneTemplate.json"
+}

Config/7b41924e-3051-4a23-b0d0-8cdeadc2c05a.IntuneTemplate.json

@@ -0,0 +1,7 @@
+{
+  "Displayname": "CIPP Default: Enable Onedrive Silent Logon and Known Folder Move",
+  "Description": "This policy enables Onedrive Silent Logon and Known Folder move",
+  "RAWJson": "{\n\"added\":[\n{\n\"enabled\":true,\n\"presentationValues\":[],\n\"[email protected]\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('9a4db949-29e4-4e31-a129-bf2b88d8fa1b')\"\n},\n{\n\"enabled\":true,\n\"presentationValues\":[\n{\n\"@odata.type\":\"#microsoft.graph.groupPolicyPresentationValueText\",\n\"value\":\"%tenantid%\",\n\"[email protected]\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('39147fa2-6c5e-437b-8264-19b50b891709')/presentations('fbefbbdf-5382-477c-8b6c-71f4a06e2805')\"\n},\n{\n\"@odata.type\":\"#microsoft.graph.groupPolicyPresentationValueText\",\n\"value\":\"0\",\n\"[email protected]\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('39147fa2-6c5e-437b-8264-19b50b891709')/presentations('35c82072-a93b-4022-be14-8684c2f6fcc2')\"\n}\n],\n\"[email protected]\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('39147fa2-6c5e-437b-8264-19b50b891709')\"\n},\n{\n\"enabled\":true,\n\"presentationValues\":[],\n\"[email protected]\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('81c07ba0-7512-402d-b1f6-00856975cfab')\"\n},\n{\n\"enabled\":true,\n\"presentationValues\":[],\n\"[email protected]\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('61b07a01-7e60-4127-b086-f6b32458a5c5')\"\n},\n],\n\"updated\":[],\n\"deletedIds\":[]\n}",
+  "Type": "Admin",
+  "GUID": "7b41924e-3051-4a23-b0d0-8cdeadc2c05a.IntuneTemplate.json"
+}

Config/7e06b0de-0469-4aae-89be-d83c44b5799f.IntuneTemplate.json

@@ -0,0 +1,7 @@
+{
+  "Displayname": "CIPP Default: Enable Bitlocker Encryption for OS drives",
+  "Description": "Enables Bitlocker and stores the key in Azure AD for system Drives",
+  "RAWJson": "{\"id\":\"00000000-0000-0000-0000-000000000000\",\"displayName\":\"CIPP: Enable Bitlocker Encryption\",\"roleScopeTagIds\":[\"0\"],\"@odata.type\":\"#microsoft.graph.windows10EndpointProtectionConfiguration\",\"applicationGuardEnabledOptions\":\"notConfigured\",\"firewallCertificateRevocationListCheckMethod\":\"deviceDefault\",\"firewallPacketQueueingMethod\":\"deviceDefault\",\"deviceGuardLocalSystemAuthorityCredentialGuardSettings\":\"notConfigured\",\"defenderSecurityCenterNotificationsFromApp\":\"notConfigured\",\"windowsDefenderTamperProtection\":\"notConfigured\",\"defenderSecurityCenterITContactDisplay\":\"notConfigured\",\"xboxServicesAccessoryManagementServiceStartupMode\":\"manual\",\"xboxServicesLiveAuthManagerServiceStartupMode\":\"manual\",\"xboxServicesLiveGameSaveServiceStartupMode\":\"manual\",\"xboxServicesLiveNetworkingServiceStartupMode\":\"manual\",\"applicationGuardBlockClipboardSharing\":\"notConfigured\",\"defenderPreventCredentialStealingType\":\"notConfigured\",\"defenderAdobeReaderLaunchChildProcess\":\"notConfigured\",\"defenderOfficeCommunicationAppsLaunchChildProcess\":\"notConfigured\",\"defenderAdvancedRansomewareProtectionType\":\"notConfigured\",\"defenderNetworkProtectionType\":\"notConfigured\",\"localSecurityOptionsFormatAndEjectOfRemovableMediaAllowedUser\":\"notConfigured\",\"localSecurityOptionsSmartCardRemovalBehavior\":\"lockWorkstation\",\"localSecurityOptionsInformationDisplayedOnLockScreen\":\"notConfigured\",\"localSecurityOptionsMinimumSessionSecurityForNtlmSspBasedClients\":\"none\",\"localSecurityOptionsMinimumSessionSecurityForNtlmSspBasedServers\":\"none\",\"lanManagerAuthenticationLevel\":\"lmAndNltm\",\"localSecurityOptionsAdministratorElevationPromptBehavior\":\"notConfigured\",\"localSecurityOptionsStandardUserElevationPromptBehavior\":\"notConfigured\",\"userRightsAccessCredentialManagerAsTrustedCaller\":null,\"userRightsLocalLogOn\":null,\"userRightsAllowAccessFromNetwork\":null,\"userRightsActAsPartOfTheOperatingSystem\":null,\"userRightsBackupData\":null,\"userRightsChangeSystemTime\":null,\"userRightsCreateGlobalObjects\":null,\"userRightsCreatePageFile\":null,\"userRightsCreatePermanentSharedObjects\":null,\"userRightsCreateSymbolicLinks\":null,\"userRightsCreateToken\":null,\"userRightsDebugPrograms\":null,\"userRightsBlockAccessFromNetwork\":null,\"userRightsDenyLocalLogOn\":null,\"userRightsRemoteDesktopServicesLogOn\":null,\"userRightsDelegation\":null,\"userRightsGenerateSecurityAudits\":null,\"userRightsImpersonateClient\":null,\"userRightsIncreaseSchedulingPriority\":null,\"userRightsLoadUnloadDrivers\":null,\"userRightsLockMemory\":null,\"userRightsManageAuditingAndSecurityLogs\":null,\"userRightsManageVolumes\":null,\"userRightsModifyFirmwareEnvironment\":null,\"userRightsModifyObjectLabels\":null,\"userRightsProfileSingleProcess\":null,\"userRightsRemoteShutdown\":null,\"userRightsRestoreData\":null,\"userRightsTakeOwnership\":null,\"bitLockerRecoveryPasswordRotation\":\"notConfigured\",\"bitLockerPrebootRecoveryMsgURLOption\":\"default\",\"bitLockerEncryptDevice\":true,\"bitLockerDisableWarningForOtherDiskEncryption\":true,\"bitLockerAllowStandardUserEncryption\":true,\"bitLockerSyntheticSystemDrivePolicybitLockerDriveRecovery\":true,\"applicationGuardAllowPrintToPDF\":false,\"applicationGuardAllowPrintToXPS\":false,\"applicationGuardAllowPrintToLocalPrinters\":false,\"applicationGuardAllowPrintToNetworkPrinters\":false,\"bitLockerFixedDrivePolicy\":{\"requireEncryptionForWriteAccess\":false,\"recoveryOptions\":null,\"encryptionMethod\":null},\"bitLockerRemovableDrivePolicy\":{\"requireEncryptionForWriteAccess\":false,\"encryptionMethod\":null},\"bitLockerSystemDrivePolicy\":{\"startupAuthenticationRequired\":true,\"startupAuthenticationTpmUsage\":\"allowed\",\"startupAuthenticationTpmPinUsage\":\"allowed\",\"startupAuthenticationTpmKeyUsage\":\"allowed\",\"startupAuthenticationTpmPinAndKeyUsage\":\"allowed\",\"startupAuthenticationBlockWithoutTpmChip\":false,\"minimumPinLength\":null,\"recoveryOptions\":{\"blockDataRecoveryAgent\":false,\"recoveryPasswordUsage\":\"allowed\",\"recoveryKeyUsage\":\"allowed\",\"enableRecoveryInformationSaveToStore\":true,\"recoveryInformationToStore\":\"passwordAndKey\",\"enableBitLockerAfterRecoveryInformationToStore\":true},\"prebootRecoveryEnableMessageAndUrl\":false,\"encryptionMethod\":null},\"firewallProfileDomain\":null,\"firewallProfilePrivate\":null,\"firewallProfilePublic\":null,\"deviceGuardEnableVirtualizationBasedSecurity\":false,\"deviceGuardEnableSecureBootWithDMA\":false}",
+  "Type": "Device",
+  "GUID": "7e06b0de-0469-4aae-89be-d83c44b5799f.IntuneTemplate.json"
+}

Config/8d57edc3-071d-42e7-86b1-126720645ac6.TransportRuleTemplate.json

@@ -0,0 +1,34 @@
+{
+  "name": "Block Specific email addresses with a hard rejection",
+  "applyome": false,
+  "attachmenthasexecutablecontent": false,
+  "attachmentispasswordprotected": false,
+  "attachmentisunsupported": false,
+  "attachmentprocessinglimitexceeded": false,
+  "comments": "\n",
+  "deletemessage": false,
+  "exceptifattachmenthasexecutablecontent": false,
+  "exceptifattachmentispasswordprotected": false,
+  "exceptifattachmentisunsupported": false,
+  "exceptifattachmentprocessinglimitexceeded": false,
+  "exceptifhasnoclassification": false,
+  "exceptifhassenderoverride": false,
+  "from": ["[email protected]"],
+  "hasnoclassification": false,
+  "hassenderoverride": false,
+  "mode": "enforce",
+  "moderatemessagebymanager": false,
+  "quarantine": false,
+  "recipientaddresstype": "resolved",
+  "rejectmessageenhancedstatuscode": "5.7.1",
+  "rejectmessagereasontext": "Your email has been rejected.",
+  "removeome": false,
+  "removeomev2": false,
+  "removermsattachmentencryption": false,
+  "routemessageoutboundrequiretls": false,
+  "ruleerroraction": "ignore",
+  "rulesubtype": "none",
+  "senderaddresslocation": "header",
+  "stopruleprocessing": false,
+  "uselegacyregex": false
+}

Config/CIPPDefaultTable.BPATemplate.json

@@ -0,0 +1,192 @@
+{
+  "name": "CIPP Best Practices v1.0 - Table view",
+  "style": "Table",
+  "Fields": [
+    {
+      "name": "PasswordNeverExpires",
+      "API": "Graph",
+      "URL": "https://graph.microsoft.com/beta/domains",
+      "ExtractFields": ["passwordValidityPeriodInDays"],
+      "where": "$_.passwordValidityPeriodInDays -eq 2147483647",
+      "StoreAs": "bool",
+      "FrontendFields": [
+        {
+          "name": "Password Never Expires",
+          "value": "PasswordNeverExpires",
+          "formatter": "bool"
+        }
+      ]
+    },
+    {
+      "name": "OAuthAppConsent",
+      "API": "Graph",
+      "URL": "https://graph.microsoft.com/v1.0/policies/authorizationPolicy?$select=defaultUserRolePermissions",
+      "ExtractFields": ["defaultuserrolepermissions"],
+      "where": "'ManagePermissionGrantsForSelf.microsoft-user-default-legacy' -notin $_.defaultuserrolepermissions.permissionGrantPoliciesAssigned",
+      "StoreAs": "bool",
+      "FrontendFields": [
+        {
+          "name": "OAuth App Consent",
+          "value": "OAuthAppConsent",
+          "formatter": "bool"
+        }
+      ]
+    },
+    {
+      "name": "UnifiedAuditLog",
+      "API": "Exchange",
+      "Command": "Get-AdminAuditLogConfig",
+      "ExtractFields": ["UnifiedAuditLogIngestionEnabled"],
+      "StoreAs": "bool",
+      "FrontendFields": [
+        {
+          "name": "Unified Audit Log",
+          "value": "UnifiedAuditLog",
+          "formatter": "bool"
+        }
+      ]
+    },
+    {
+      "name": "MFANudgeState",
+      "API": "Graph",
+      "URL": "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy",
+      "ExtractFields": ["registrationEnforcement"],
+      "StoreAs": "bool",
+      "where": "$_.registrationEnforcement.authenticationMethodsRegistrationCampaign.state -eq 'Enabled'",
+      "FrontendFields": [
+        {
+          "name": "MFA Registration Campaign Enabled",
+          "value": "MFANudgeState",
+          "formatter": "bool"
+        }
+      ]
+    },
+    {
+      "name": "TAPEnabled",
+      "API": "Graph",
+      "URL": "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/TemporaryAccessPass",
+      "ExtractFields": ["State"],
+      "StoreAs": "bool",
+      "FrontendFields": [
+        {
+          "name": "Temporary Access Pass Enabled",
+          "value": "TAPEnabled",
+          "formatter": "bool"
+        }
+      ]
+    },
+    {
+      "name": "SecureDefaultState",
+      "API": "Graph",
+      "URL": "https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy",
+      "ExtractFields": ["IsEnabled"],
+      "StoreAs": "bool",
+      "FrontendFields": [
+        {
+          "name": "Secure Defaults State Enabled",
+          "value": "SecureDefaultState",
+          "formatter": "warnBool"
+        }
+      ]
+    },
+    {
+      "name": "AnonymousPrivacyReports",
+      "API": "Graph",
+      "URL": "https://graph.microsoft.com/beta/admin/reportSettings",
+      "ExtractFields": ["displayConcealedNames"],
+      "StoreAs": "bool",
+      "where": "$_.displayConcealedNames -eq $false",
+      "FrontendFields": [
+        {
+          "name": "Anonymous Privacy Reports",
+          "value": "AnonymousPrivacyReports",
+          "formatter": "reverseBool"
+        }
+      ]
+    },
+    {
+      "name": "MessageCopyforSentAsDisabled",
+      "API": "Exchange",
+      "Command": "Get-Mailbox",
+      "Parameters": {
+        "RecipientTypeDetails": ["SharedMailbox", "UserMailbox"]
+      },
+      "where": "$_.MessageCopyForSentAsEnabled -eq $false",
+      "ExtractFields": ["userprincipalname", "messageCopyForSentAsEnabled"],
+      "StoreAs": "JSON",
+      "FrontendFields": [
+        {
+          "name": "Message Copy for Sent-As Disabled",
+          "formatter": "table",
+          "value": "MessageCopyforSentAsDisabled"
+        }
+      ]
+    },
+    {
+      "name": "SharedMailboxeswithenabledusers",
+      "API": "Exchange",
+      "Command": "Get-Mailbox",
+      "Parameters": {
+        "RecipientTypeDetails": "SharedMailbox"
+      },
+      "where": "$_.accountDisabled -eq $false",
+      "ExtractFields": ["userprincipalname", "accountDisabled"],
+      "StoreAs": "JSON",
+      "FrontendFields": [
+        {
+          "name": "Shared Mailboxes with enabled users",
+          "formatter": "table",
+          "value": "SharedMailboxeswithenabledusers"
+        }
+      ]
+    },
+    {
+      "name": "Unusedlicenses",
+      "API": "CIPPFunction",
+      "Command": "Get-CIPPLicenseOverview",
+      "ExtractFields": [
+        "License",
+        "TotalLicenses",
+        "availableUnits",
+        "CountUsed"
+      ],
+      "StoreAs": "JSON",
+      "where": "$_.availableUnits -gt 0",
+      "FrontendFields": [
+        {
+          "name": "Unused licenses",
+          "formatter": "table",
+          "value": "Unusedlicenses"
+        }
+      ]
+    },
+    {
+      "name": "CurrentSecureScore",
+      "API": "Graph",
+      "URL": "https://graph.microsoft.com/beta/security/secureScores?$top=1",
+      "Parameters": {
+        "Nopagination": true
+      },
+      "ExtractFields": ["currentScore", "maxScore", "averageComparativeScores"],
+      "StoreAs": "JSON",
+      "FrontendFields": [
+        {
+          "name": "Current Secure Score",
+          "value": "CurrentSecureScore.currentScore"
+        },
+        {
+          "name": "Max Secure Score",
+          "value": "CurrentSecureScore.maxScore"
+        },
+        {
+          "name": "Average Comparative Score (All Tenants)",
+          "value": "CurrentSecureScore.averageComparativeScores[0].averageScore"
+        },
+        {
+          "name": "Average Comparative Score (Similiar Size Tenants)",
+          "value": "CurrentSecureScore.averageComparativeScores[1].averageScore"
+        }
+      ]
+    }
+  ]
+}