maester-config.json

{
  "GlobalSettings": {
    "EmergencyAccessAccounts": [],
    "DataverseEnvironmentUrl": ""
  },
  "TestSettings": [
    {
      "Id": "CIS.M365.1.1.1",
      "Severity": "High",
      "Title": "(L1) Ensure Administrative accounts are cloud-only"
    },
    {
      "Id": "CIS.M365.1.1.3",
      "Severity": "High",
      "Title": "(L1) Ensure that between two and four global admins are designated"
    },
    {
      "Id": "CIS.M365.1.2.1",
      "Severity": "Medium",
      "Title": "(L2) Ensure that only organizationally managed/approved public groups exist"
    },
    {
      "Id": "CIS.M365.1.2.2",
      "Severity": "High",
      "Title": "(L1) Ensure sign-in to shared mailboxes is blocked"
    },
    {
      "Id": "CIS.M365.1.3.1",
      "Severity": "High",
      "Title": "(L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'"
    },
    {
      "Id": "CIS.M365.1.3.3",
      "Severity": "Medium",
      "Title": "(L2) Ensure 'External sharing' of calendars is not available"
    },
    {
      "Id": "CIS.M365.1.3.6",
      "Severity": "High",
      "Title": "(L2) Ensure the customer lockbox feature is enabled"
    },
    {
      "Id": "CIS.M365.2.1.1",
      "Severity": "Medium",
      "Title": "(L2) Ensure Safe Links for Office Applications is Enabled (Only Checks Default Policy)"
    },
    {
      "Id": "CIS.M365.2.1.2",
      "Severity": "Medium",
      "Title": "(L1) Ensure the Common Attachment Types Filter is enabled (Only Checks Default Policy)"
    },
    {
      "Id": "CIS.M365.2.1.3",
      "Severity": "Medium",
      "Title": "(L1) Ensure notifications for internal users sending malware is Enabled (Only Checks Default Policy)"
    },
    {
      "Id": "CIS.M365.2.1.4",
      "Severity": "High",
      "Title": "(L2) Ensure Safe Attachments policy is enabled (Only Checks Default Policy)"
    },
    {
      "Id": "CIS.M365.2.1.5",
      "Severity": "High",
      "Title": "(L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled"
    },
    {
      "Id": "CIS.M365.2.1.6",
      "Severity": "Medium",
      "Title": "(L1) Ensure Exchange Online Spam Policies are set to notify administrators (Only Checks Default Policy)"
    },
    {
      "Id": "CIS.M365.2.1.7",
      "Severity": "Medium",
      "Title": "(L1) Ensure that an anti-phishing policy has been created (Only Checks Default Policy)"
    },
    {
      "Id": "CIS.M365.2.1.9",
      "Severity": "High",
      "Title": "(L1) Ensure that DKIM is enabled for all Exchange Online Domains"
    },
    {
      "Id": "CIS.M365.2.1.11",
      "Severity": "High",
      "Title": "(L2) Ensure comprehensive attachment filtering is applied"
    },
    {
      "Id": "CIS.M365.2.1.12",
      "Severity": "Medium",
      "Title": "(L1) Ensure the connection filter IP allow list is not used (Only Checks Default Policy)"
    },
    {
      "Id": "CIS.M365.2.1.13",
      "Severity": "Medium",
      "Title": "(L1) Ensure the connection filter safe list is off (Only Checks Default Policy)"
    },
    {
      "Id": "CIS.M365.2.4.4",
      "Severity": "Medium",
      "Title": "(L1) Ensure Zero-hour auto purge for Microsoft Teams is on (Only Checks ZAP is enabled)"
    },
    {
      "Id": "CIS.M365.3.1.1",
      "Severity": "High",
      "Title": "(L1) Ensure Microsoft 365 audit log search is Enabled"
    },
    {
      "Id": "CIS.M365.8.1.1",
      "Severity": "Medium",
      "Title": "(L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services"
    },
    {
      "Id": "CIS.M365.8.2.2",
      "Severity": "Medium",
      "Title": "(L1) Ensure communication with unmanaged Teams users is disabled"
    },
    {
      "Id": "CIS.M365.8.2.4",
      "Severity": "Medium",
      "Title": "(L1) Ensure communication with Skype users is disabled"
    },
    {
      "Id": "CIS.M365.8.4.1",
      "Severity": "High",
      "Title": "(L1) Ensure all or a majority of third-party and custom apps are blocked"
    },
    {
      "Id": "CIS.M365.8.5.3",
      "Severity": "Medium",
      "Title": "(L1) Ensure only people in my org can bypass the lobby"
    },
    {
      "Id": "CIS.M365.8.6.1",
      "Severity": "Medium",
      "Title": "(L1) Ensure users can report security concerns in Teams to internal destination"
    },
    {
      "Id": "CISA.MS.AAD.1.1",
      "Severity": "High",
      "Title": "Legacy authentication SHALL be blocked."
    },
    {
      "Id": "CISA.MS.AAD.2.1",
      "Severity": "High",
      "Title": "Users detected as high risk SHALL be blocked."
    },
    {
      "Id": "CISA.MS.AAD.2.2",
      "Severity": "High",
      "Title": "A notification SHOULD be sent to the administrator when high-risk users are detected."
    },
    {
      "Id": "CISA.MS.AAD.2.3",
      "Severity": "High",
      "Title": "Sign-ins detected as high risk SHALL be blocked."
    },
    {
      "Id": "CISA.MS.AAD.3.1",
      "Severity": "High",
      "Title": "Phishing-resistant MFA SHALL be enforced for all users."
    },
    {
      "Id": "CISA.MS.AAD.3.2",
      "Severity": "High",
      "Title": "If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users."
    },
    {
      "Id": "CISA.MS.AAD.3.3",
      "Severity": "Medium",
      "Title": "If Microsoft Authenticator is enabled, it SHALL be configured to show login context information."
    },
    {
      "Id": "CISA.MS.AAD.3.4",
      "Severity": "High",
      "Title": "The Authentication Methods Manage Migration feature SHALL be set to Migration Complete."
    },
    {
      "Id": "CISA.MS.AAD.3.5",
      "Severity": "High",
      "Title": "The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled."
    },
    {
      "Id": "CISA.MS.AAD.3.6",
      "Severity": "High",
      "Title": "Phishing-resistant MFA SHALL be required for highly privileged roles."
    },
    {
      "Id": "CISA.MS.AAD.3.7",
      "Severity": "High",
      "Title": "Managed devices SHOULD be required for authentication."
    },
    {
      "Id": "CISA.MS.AAD.3.8",
      "Severity": "High",
      "Title": "Managed Devices SHOULD be required to register MFA."
    },
    {
      "Id": "CISA.MS.AAD.4.1",
      "Severity": "High",
      "Title": "Security logs SHALL be sent to the agency's security operations center for monitoring."
    },
    {
      "Id": "CISA.MS.AAD.5.1",
      "Severity": "High",
      "Title": "Only administrators SHALL be allowed to register applications."
    },
    {
      "Id": "CISA.MS.AAD.5.2",
      "Severity": "High",
      "Title": "Only administrators SHALL be allowed to consent to applications."
    },
    {
      "Id": "CISA.MS.AAD.5.3",
      "Severity": "High",
      "Title": "An admin consent workflow SHALL be configured for applications."
    },
    {
      "Id": "CISA.MS.AAD.5.4",
      "Severity": "High",
      "Title": "Group owners SHALL NOT be allowed to consent to applications."
    },
    {
      "Id": "CISA.MS.AAD.6.1",
      "Severity": "High",
      "Title": "User passwords SHALL NOT expire."
    },
    {
      "Id": "CISA.MS.AAD.7.1",
      "Severity": "High",
      "Title": "A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role."
    },
    {
      "Id": "CISA.MS.AAD.7.2",
      "Severity": "High",
      "Title": "Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator."
    },
    {
      "Id": "CISA.MS.AAD.7.3",
      "Severity": "High",
      "Title": "Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers."
    },
    {
      "Id": "CISA.MS.AAD.7.4",
      "Severity": "High",
      "Title": "Permanent active role assignments SHALL NOT be allowed for highly privileged roles."
    },
    {
      "Id": "CISA.MS.AAD.7.5",
      "Severity": "High",
      "Title": "Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system."
    },
    {
      "Id": "CISA.MS.AAD.7.6",
      "Severity": "High",
      "Title": "Activation of the Global Administrator role SHALL require approval."
    },
    {
      "Id": "CISA.MS.AAD.7.7",
      "Severity": "High",
      "Title": "Eligible and Active highly privileged role assignments SHALL trigger an alert."
    },
    {
      "Id": "CISA.MS.AAD.7.8",
      "Severity": "High",
      "Title": "User activation of the Global Administrator role SHALL trigger an alert."
    },
    {
      "Id": "CISA.MS.AAD.7.9",
      "Severity": "High",
      "Title": "User activation of other highly privileged roles SHOULD trigger an alert."
    },
    {
      "Id": "CISA.MS.AAD.8.1",
      "Severity": "Medium",
      "Title": "Guest users SHOULD have limited or restricted access to Azure AD directory objects."
    },
    {
      "Id": "CISA.MS.AAD.8.2",
      "Severity": "High",
      "Title": "Only users with the Guest Inviter role SHOULD be able to invite guest users."
    },
    {
      "Id": "CISA.MS.AAD.8.3",
      "Severity": "Medium",
      "Title": "Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes."
    },
    {
      "Id": "CISA.MS.EXO.1.1",
      "Severity": "High",
      "Title": "Automatic forwarding to external domains SHALL be disabled."
    },
    {
      "Id": "CISA.MS.EXO.2.1",
      "Severity": "Medium",
      "Title": "A list of approved IP addresses for sending mail SHALL be maintained."
    },
    {
      "Id": "CISA.MS.EXO.2.2",
      "Severity": "Medium",
      "Title": "An SPF policy SHALL be published for each domain, designating only these addresses as approved senders."
    },
    {
      "Id": "CISA.MS.EXO.3.1",
      "Severity": "Medium",
      "Title": "DKIM SHOULD be enabled for all domains."
    },
    {
      "Id": "CISA.MS.EXO.4.1",
      "Severity": "Medium",
      "Title": "A DMARC policy SHALL be published for every second-level domain."
    },
    {
      "Id": "CISA.MS.EXO.4.2",
      "Severity": "High",
      "Title": "The DMARC message rejection option SHALL be p=reject."
    },
    {
      "Id": "CISA.MS.EXO.4.3",
      "Severity": "Medium",
      "Title": "The DMARC point of contact for aggregate reports SHALL include reports@dmarc.cyber.dhs.gov."
    },
    {
      "Id": "CISA.MS.EXO.5.1",
      "Severity": "High",
      "Title": "SMTP AUTH SHALL be disabled."
    },
    {
      "Id": "CISA.MS.EXO.6.1",
      "Severity": "Medium",
      "Title": "Contact folders SHALL NOT be shared with all domains."
    },
    {
      "Id": "CISA.MS.EXO.6.2",
      "Severity": "Medium",
      "Title": "Calendar details SHALL NOT be shared with all domains."
    },
    {
      "Id": "CISA.MS.EXO.7.1",
      "Severity": "Medium",
      "Title": "External sender warnings SHALL be implemented."
    },
    {
      "Id": "CISA.MS.EXO.8.1",
      "Severity": "High",
      "Title": "A DLP solution SHALL be used."
    },
    {
      "Id": "CISA.MS.EXO.8.2",
      "Severity": "Medium",
      "Title": "The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency."
    },
    {
      "Id": "CISA.MS.EXO.8.3",
      "Severity": "Medium",
      "Title": "The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft."
    },
    {
      "Id": "CISA.MS.EXO.8.4",
      "Severity": "High",
      "Title": "At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email."
    },
    {
      "Id": "CISA.MS.EXO.9.1",
      "Severity": "Medium",
      "Title": "Emails SHALL be filtered by attachment file types."
    },
    {
      "Id": "CISA.MS.EXO.9.2",
      "Severity": "Medium",
      "Title": "The attachment filter SHOULD attempt to determine the true file type and assess the file extension."
    },
    {
      "Id": "CISA.MS.EXO.9.3",
      "Severity": "High",
      "Title": "Disallowed file types SHALL be determined and enforced."
    },
    {
      "Id": "CISA.MS.EXO.9.4",
      "Severity": "Medium",
      "Title": "Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender's Common Attachment Filter."
    },
    {
      "Id": "CISA.MS.EXO.9.5",
      "Severity": "High",
      "Title": "At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe)."
    },
    {
      "Id": "CISA.MS.EXO.10.1",
      "Severity": "High",
      "Title": "Emails SHALL be scanned for malware."
    },
    {
      "Id": "CISA.MS.EXO.10.2",
      "Severity": "High",
      "Title": "Emails identified as containing malware SHALL be quarantined or dropped."
    },
    {
      "Id": "CISA.MS.EXO.10.3",
      "Severity": "High",
      "Title": "Email scanning SHALL be capable of reviewing emails after delivery."
    },
    {
      "Id": "CISA.MS.EXO.11.1",
      "Severity": "High",
      "Title": "Impersonation protection checks SHOULD be used."
    },
    {
      "Id": "CISA.MS.EXO.11.2",
      "Severity": "Medium",
      "Title": "User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed."
    },
    {
      "Id": "CISA.MS.EXO.11.3",
      "Severity": "Medium",
      "Title": "The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence."
    },
    {
      "Id": "CISA.MS.EXO.12.1",
      "Severity": "Medium",
      "Title": "IP allow lists SHOULD NOT be created."
    },
    {
      "Id": "CISA.MS.EXO.12.2",
      "Severity": "Medium",
      "Title": "Safe lists SHOULD NOT be enabled."
    },
    {
      "Id": "CISA.MS.EXO.13.1",
      "Severity": "High",
      "Title": "Mailbox auditing SHALL be enabled."
    },
    {
      "Id": "CISA.MS.EXO.14.1",
      "Severity": "High",
      "Title": "A spam filter SHALL be enabled."
    },
    {
      "Id": "CISA.MS.EXO.14.2",
      "Severity": "Medium",
      "Title": "Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder."
    },
    {
      "Id": "CISA.MS.EXO.14.3",
      "Severity": "Medium",
      "Title": "Allowed domains SHALL NOT be added to inbound anti-spam protection policies."
    },
    {
      "Id": "CISA.MS.EXO.14.4",
      "Severity": "Medium",
      "Title": "If a third-party party filtering solution is used, the solution SHOULD offer services comparable to the native spam filtering offered by Microsoft."
    },
    {
      "Id": "CISA.MS.EXO.15.1",
      "Severity": "Medium",
      "Title": "URL comparison with a block-list SHOULD be enabled."
    },
    {
      "Id": "CISA.MS.EXO.15.2",
      "Severity": "High",
      "Title": "Direct download links SHOULD be scanned for malware."
    },
    {
      "Id": "CISA.MS.EXO.15.3",
      "Severity": "Medium",
      "Title": "User click tracking SHOULD be enabled."
    },
    {
      "Id": "CISA.MS.EXO.16.1",
      "Severity": "High",
      "Title": "Alerts SHALL be enabled."
    },
    {
      "Id": "CISA.MS.EXO.16.2",
      "Severity": "Medium",
      "Title": "Alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) system."
    },
    {
      "Id": "CISA.MS.EXO.17.1",
      "Severity": "High",
      "Title": "Microsoft Purview Audit (Standard) logging SHALL be enabled."
    },
    {
      "Id": "CISA.MS.EXO.17.2",
      "Severity": "Medium",
      "Title": "Microsoft Purview Audit (Premium) logging SHALL be enabled."
    },
    {
      "Id": "CISA.MS.EXO.17.3",
      "Severity": "Medium",
      "Title": "Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C)."
    },
    {
      "Id": "CISA.MS.SHAREPOINT.1.1",
      "Severity": "Medium",
      "Title": "External sharing for SharePoint SHALL be limited to Existing guests or Only People in your organization."
    },
    {
      "Id": "CISA.MS.SHAREPOINT.1.3",
      "Severity": "High",
      "Title": "External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs."
    },
    {
      "Id": "EIDSCA.AF01",
      "Severity": "High",
      "Title": "Authentication Method - FIDO2 security key - State."
    },
    {
      "Id": "EIDSCA.AF02",
      "Severity": "Medium",
      "Title": "Authentication Method - FIDO2 security key - Allow self-service set up."
    },
    {
      "Id": "EIDSCA.AF03",
      "Severity": "High",
      "Title": "Authentication Method - FIDO2 security key - Enforce attestation."
    },
    {
      "Id": "EIDSCA.AF04",
      "Severity": "High",
      "Title": "Authentication Method - FIDO2 security key - Enforce key restrictions."
    },
    {
      "Id": "EIDSCA.AF05",
      "Severity": "High",
      "Title": "Authentication Method - FIDO2 security key - Restricted."
    },
    {
      "Id": "EIDSCA.AF06",
      "Severity": "Medium",
      "Title": "Authentication Method - FIDO2 security key - Restrict specific keys."
    },
    {
      "Id": "EIDSCA.AG01",
      "Severity": "High",
      "Title": "Authentication Method - General Settings - Manage migration."
    },
    {
      "Id": "EIDSCA.AG02",
      "Severity": "Medium",
      "Title": "Authentication Method - General Settings - Report suspicious activity - State."
    },
    {
      "Id": "EIDSCA.AG03",
      "Severity": "Medium",
      "Title": "Authentication Method - General Settings - Report suspicious activity - Included users/groups."
    },
    {
      "Id": "EIDSCA.AM01",
      "Severity": "High",
      "Title": "Authentication Method - Microsoft Authenticator - State."
    },
    {
      "Id": "EIDSCA.AM02",
      "Severity": "Medium",
      "Title": "Authentication Method - Microsoft Authenticator - Allow use of Microsoft Authenticator OTP."
    },
    {
      "Id": "EIDSCA.AM03",
      "Severity": "Medium",
      "Title": "Authentication Method - Microsoft Authenticator - Require number matching for push notifications."
    },
    {
      "Id": "EIDSCA.AM04",
      "Severity": "Medium",
      "Title": "Authentication Method - Microsoft Authenticator - Included users/groups of number matching for push notifications."
    },
    {
      "Id": "EIDSCA.AM06",
      "Severity": "Medium",
      "Title": "Authentication Method - Microsoft Authenticator - Show application name in push and passwordless notifications."
    },
    {
      "Id": "EIDSCA.AM07",
      "Severity": "Medium",
      "Title": "Authentication Method - Microsoft Authenticator - Included users/groups to show application name in push and passwordless notifications."
    },
    {
      "Id": "EIDSCA.AM09",
      "Severity": "Medium",
      "Title": "Authentication Method - Microsoft Authenticator - Show geographic location in push and passwordless notifications."
    },
    {
      "Id": "EIDSCA.AM10",
      "Severity": "Medium",
      "Title": "Authentication Method - Microsoft Authenticator - Included users/groups to show geographic location in push and passwordless notifications."
    },
    {
      "Id": "EIDSCA.AP01",
      "Severity": "High",
      "Title": "Default Authorization Settings - Enabled Self service password reset for administrators."
    },
    {
      "Id": "EIDSCA.AP04",
      "Severity": "Medium",
      "Title": "Default Authorization Settings - Guest invite restrictions."
    },
    {
      "Id": "EIDSCA.AP05",
      "Severity": "Medium",
      "Title": "Default Authorization Settings - Sign-up for email based subscription."
    },
    {
      "Id": "EIDSCA.AP06",
      "Severity": "Medium",
      "Title": "Default Authorization Settings - User can join the tenant by email validation."
    },
    {
      "Id": "EIDSCA.AP07",
      "Severity": "High",
      "Title": "Default Authorization Settings - Guest user access."
    },
    {
      "Id": "EIDSCA.AP08",
      "Severity": "Medium",
      "Title": "Default Authorization Settings - User consent policy assigned for applications."
    },
    {
      "Id": "EIDSCA.AP09",
      "Severity": "Medium",
      "Title": "Default Authorization Settings - Allow user consent on risk-based apps."
    },
    {
      "Id": "EIDSCA.AP10",
      "Severity": "High",
      "Title": "Default Authorization Settings - Default User Role Permissions - Allowed to create Apps."
    },
    {
      "Id": "EIDSCA.AP14",
      "Severity": "High",
      "Title": "Default Authorization Settings - Default User Role Permissions - Allowed to read other users."
    },
    {
      "Id": "EIDSCA.AS04",
      "Severity": "High",
      "Title": "Authentication Method - SMS - Use for sign-in."
    },
    {
      "Id": "EIDSCA.AT01",
      "Severity": "High",
      "Title": "Authentication Method - Temporary Access Pass - State."
    },
    {
      "Id": "EIDSCA.AT02",
      "Severity": "High",
      "Title": "Authentication Method - Temporary Access Pass - One-time."
    },
    {
      "Id": "EIDSCA.AV01",
      "Severity": "High",
      "Title": "Authentication Method - Voice call - State."
    },
    {
      "Id": "EIDSCA.CP01",
      "Severity": "High",
      "Title": "Default Settings - Consent Policy Settings - Group owner consent for apps accessing data."
    },
    {
      "Id": "EIDSCA.CP03",
      "Severity": "High",
      "Title": "Default Settings - Consent Policy Settings - Block user consent for risky apps."
    },
    {
      "Id": "EIDSCA.CP04",
      "Severity": "Medium",
      "Title": "Default Settings - Consent Policy Settings - Users can request admin consent to apps they are unable to consent to."
    },
    {
      "Id": "EIDSCA.CR01",
      "Severity": "High",
      "Title": "Consent Framework - Admin Consent Request - Policy to enable or disable admin consent request feature."
    },
    {
      "Id": "EIDSCA.CR02",
      "Severity": "Medium",
      "Title": "Consent Framework - Admin Consent Request - Reviewers will receive email notifications for requests."
    },
    {
      "Id": "EIDSCA.CR03",
      "Severity": "Medium",
      "Title": "Consent Framework - Admin Consent Request - Reviewers will receive email notifications when admin consent requests are about to expire."
    },
    {
      "Id": "EIDSCA.CR04",
      "Severity": "High",
      "Title": "Consent Framework - Admin Consent Request - Consent request duration (days)."
    },
    {
      "Id": "EIDSCA.PR01",
      "Severity": "High",
      "Title": "Default Settings - Password Rule Settings - Password Protection - Mode."
    },
    {
      "Id": "EIDSCA.PR02",
      "Severity": "High",
      "Title": "Default Settings - Password Rule Settings - Password Protection - Enable password protection on Windows Server Active Directory."
    },
    {
      "Id": "EIDSCA.PR03",
      "Severity": "Medium",
      "Title": "Default Settings - Password Rule Settings - Enforce custom list."
    },
    {
      "Id": "EIDSCA.PR05",
      "Severity": "Medium",
      "Title": "Default Settings - Password Rule Settings - Smart Lockout - Lockout duration in seconds."
    },
    {
      "Id": "EIDSCA.PR06",
      "Severity": "Medium",
      "Title": "Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold."
    },
    {
      "Id": "EIDSCA.ST08",
      "Severity": "Medium",
      "Title": "Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to become Group Owner."
    },
    {
      "Id": "EIDSCA.ST09",
      "Severity": "Medium",
      "Title": "Default Settings - Classification and M365 Groups - M365 groups - Allow Guests to have access to groups content."
    },
    {
      "Id": "MT.1001",
      "Severity": "Medium",
      "Title": "At least one Conditional Access policy is configured with device compliance."
    },
    {
      "Id": "MT.1002",
      "Severity": "High",
      "Title": "App management restrictions on applications and service principals is configured and enabled."
    },
    {
      "Id": "MT.1003",
      "Severity": "High",
      "Title": "At least one Conditional Access policy is configured with All Apps."
    },
    {
      "Id": "MT.1004",
      "Severity": "High",
      "Title": "At least one Conditional Access policy is configured with All Apps and All Users."
    },
    {
      "Id": "MT.1005",
      "Severity": "High",
      "Title": "All Conditional Access policies are configured to exclude at least one emergency/break glass account or group."
    },
    {
      "Id": "MT.1006",
      "Severity": "High",
      "Title": "At least one Conditional Access policy is configured to require MFA for admins."
    },
    {
      "Id": "MT.1007",
      "Severity": "High",
      "Title": "At least one Conditional Access policy is configured to require MFA for all users."
    },
    {
      "Id": "MT.1008",
      "Severity": "High",
      "Title": "At least one Conditional Access policy is configured to require MFA for Azure management."
    },
    {
      "Id": "MT.1009",
      "Severity": "High",
      "Title": "At least one Conditional Access policy is configured to block other legacy authentication."
    },
    {
      "Id": "MT.1010",
      "Severity": "High",
      "Title": "At least one Conditional Access policy is configured to block legacy authentication for Exchange ActiveSync."
    },
    {
      "Id": "MT.1011",
      "Severity": "High",
      "Title": "At least one Conditional Access policy is configured to secure security info registration only from a trusted location."
    },
    {
      "Id": "MT.1012",
      "Severity": "High",
      "Title": "At least one Conditional Access policy is configured to require MFA for risky sign-ins."
    },
    {
      "Id": "MT.1013",
      "Severity": "High",
      "Title": "At least one Conditional Access policy is configured to require new password when user risk is high."
    },
    {
      "Id": "MT.1014",
      "Severity": "High",
      "Title": "At least one Conditional Access policy is configured to require compliant or Entra hybrid joined devices for admins."
    },
    {
      "Id": "MT.1015",
      "Severity": "Medium",
      "Title": "At least one Conditional Access policy is configured to block access for unknown or unsupported device platforms."
    },
    {
      "Id": "MT.1016",
      "Severity": "High",
      "Title": "At least one Conditional Access policy is configured to require MFA for guest access."
    },
    {
      "Id": "MT.1017",
      "Severity": "High",
      "Title": "At least one Conditional Access policy is configured to enforce non persistent browser session for non-corporate devices."
    },
    {
      "Id": "MT.1018",
      "Severity": "Medium",
      "Title": "At least one Conditional Access policy is configured to enforce sign-in frequency for non-corporate devices."
    },
    {
      "Id": "MT.1019",
      "Severity": "Medium",
      "Title": "At least one Conditional Access policy is configured to enable application enforced restrictions."
    },
    {
      "Id": "MT.1020",
      "Severity": "High",
      "Title": "All Conditional Access policies are configured to exclude directory synchronization accounts or do not scope them."
    },
    {
      "Id": "MT.1021",
      "Severity": "High",
      "Title": "Security Defaults are enabled."
    },
    {
      "Id": "MT.1022",
      "Severity": "Medium",
      "Title": "All users utilizing a P1 license should be licensed."
    },
    {
      "Id": "MT.1023",
      "Severity": "Medium",
      "Title": "All users utilizing a P2 license should be licensed."
    },
    {
      "Id": "MT.1025",
      "Severity": "High",
      "Title": "No external user with permanent role assignment on Control Plane."
    },
    {
      "Id": "MT.1026",
      "Severity": "High",
      "Title": "No hybrid user with permanent role assignment on Control Plane."
    },
    {
      "Id": "MT.1027",
      "Severity": "High",
      "Title": "No Service Principal with Client Secret and permanent role assignment on Control Plane."
    },
    {
      "Id": "MT.1028",
      "Severity": "High",
      "Title": "No user with mailbox and permanent role assignment on Control Plane."
    },
    {
      "Id": "MT.1029",
      "Severity": "High",
      "Title": "Stale accounts are not assigned to privileged roles."
    },
    {
      "Id": "MT.1030",
      "Severity": "High",
      "Title": "Eligible role assignments on Control Plane are in use by administrators."
    },
    {
      "Id": "MT.1031",
      "Severity": "High",
      "Title": "Privileged role on Control Plane are managed by PIM only."
    },
    {
      "Id": "MT.1032",
      "Severity": "High",
      "Title": "Limited number of Global Admins are assigned."
    },
    {
      "Id": "MT.1033.0",
      "Severity": "High",
      "Title": "User should be blocked from using legacy authentication (<userPrincipalName>)"
    },
    {
      "Id": "MT.1033.1",
      "Severity": "High",
      "Title": "User should be blocked from using legacy authentication (<userPrincipalName>)"
    },
    {
      "Id": "MT.1033.2",
      "Severity": "High",
      "Title": "User should be blocked from using legacy authentication (<userPrincipalName>)"
    },
    {
      "Id": "MT.1033.3",
      "Severity": "High",
      "Title": "User should be blocked from using legacy authentication (<userPrincipalName>)"
    },
    {
      "Id": "MT.1033.4",
      "Severity": "High",
      "Title": "User should be blocked from using legacy authentication (<userPrincipalName>)"
    },
    {
      "Id": "MT.1034.0",
      "Severity": "High",
      "Title": "Emergency access users should not be blocked (<userPrincipalName>)"
    },
    {
      "Id": "MT.1034.1",
      "Severity": "High",
      "Title": "Emergency access users should not be blocked (<userPrincipalName>)"
    },
    {
      "Id": "MT.1034.2",
      "Severity": "High",
      "Title": "Emergency access users should not be blocked (<userPrincipalName>)"
    },
    {
      "Id": "MT.1034.3",
      "Severity": "High",
      "Title": "Emergency access users should not be blocked (<userPrincipalName>)"
    },
    {
      "Id": "MT.1034.4",
      "Severity": "High",
      "Title": "Emergency access users should not be blocked (<userPrincipalName>)"
    },
    {
      "Id": "MT.1035",
      "Severity": "High",
      "Title": "All security groups assigned to Conditional Access Policies should be protected by RMAU."
    },
    {
      "Id": "MT.1036",
      "Severity": "Medium",
      "Title": "All excluded objects should have a fallback include in another policy."
    },
    {
      "Id": "MT.1037",
      "Severity": "High",
      "Title": "Only users with Presenter role are allowed to present in Teams meetings"
    },
    {
      "Id": "MT.1038",
      "Severity": "Medium",
      "Title": "Conditional Access policies should not include or exclude deleted groups."
    },
    {
      "Id": "MT.1039",
      "Severity": "Low",
      "Title": "Ensure MailTips are enabled for end users"
    },
    {
      "Id": "MT.1040",
      "Severity": "Medium",
      "Title": "Ensure additional storage providers are restricted in Outlook on the web"
    },
    {
      "Id": "MT.1041",
      "Severity": "High",
      "Title": "Ensure users installing Outlook add-ins is not allowed"
    },
    {
      "Id": "MT.1042",
      "Severity": "Medium",
      "Title": "Restrict dial-in users from bypassing a meeting lobby"
    },
    {
      "Id": "MT.1043",
      "Severity": "Medium",
      "Title": "Ensure Spam confidence level (SCL) is configured in mail transport rules with specific domains"
    },
    {
      "Id": "MT.1044",
      "Severity": "High",
      "Title": "Ensure modern authentication for Exchange Online is enabled"
    },
    {
      "Id": "MT.1045",
      "Severity": "Medium",
      "Title": "Only invited users should be automatically admitted to Teams meetings"
    },
    {
      "Id": "MT.1046",
      "Severity": "Medium",
      "Title": "Restrict anonymous users from joining meetings"
    },
    {
      "Id": "MT.1047",
      "Severity": "Medium",
      "Title": "Restrict anonymous users from starting Teams meetings"
    },
    {
      "Id": "MT.1048",
      "Severity": "Medium",
      "Title": "Limit external participants from having control in a Teams meeting"
    },
    {
      "Id": "MT.1049",
      "Severity": "High",
      "Title": "Conditional Access policies for User Risk and Sign-in Risk should be configured separately."
    },
    {
      "Id": "MT.1050",
      "Severity": "High",
      "Title": "Apps with high-risk permissions having a direct path to Global Admin"
    },
    {
      "Id": "MT.1051",
      "Severity": "High",
      "Title": "Apps with high-risk permissions having an indirect path to Global Admin"
    },
    {
      "Id": "MT.1052",
      "Severity": "High",
      "Title": "At least one Conditional Access policy is targeting the Device Code authentication flow."
    },
    {
      "Id": "MT.1053",
      "Severity": "Medium",
      "Title": "Ensure intune device clean-up rule is configured"
    },
    {
      "Id": "MT.1054",
      "Severity": "Medium",
      "Title": "Ensure built-in Device Compliance Policy marks devices with no compliance policy assigned as 'Not compliant'"
    },
    {
      "Id": "MT.1055",
      "Severity": "Medium",
      "Title": "Microsoft 365 Group (and Team) creation should be restricted to approved users."
    },
    {
      "Id": "MT.1056",
      "Severity": "High",
      "Title": "Ensure that no person has permanent access to all Azure subscriptions at the root scope"
    },
    {
      "Id": "MT.1057",
      "Severity": "Medium",
      "Title": "Ensure Microsoft 365 Group (and Team) expiration is configured to notify users."
    },
    {
      "Id": "MT.1058",
      "Severity": "Medium",
      "Title": "Ensure Microsoft 365 Group (and Team) expiration is configured to auto-expire groups."
    },
    {
      "Id": "MT.1059",
      "Severity": "Medium",
      "Title": "Microsoft Defender for Identity health issues should be resolved"
    },
    {
      "Id": "MT.1061",
      "Severity": "Medium",
      "Title": "Device registration MFA control conflicts with Conditional Access policies"
    },
    {
      "Id": "MT.1062",
      "Severity": "Medium",
      "Title": "Ensure Direct Send is set to be rejected"
    },
    {
      "Id": "MT.1063",
      "Severity": "High",
      "Title": "All app registration owners should have MFA registered"
    },
    {
      "Id": "MT.1064",
      "Severity": "High",
      "Title": "Management group creation should be limited to users with explicit write access"
    },
    {
      "Id": "MT.1065",
      "Severity": "High",
      "Title": "Soft Delete should be enabled on all Recovery Services Vaults"
    },
    {
      "Id": "MT.1066",
      "Severity": "Medium",
      "Title": "Conditional Access policies should not include or exclude deleted users, groups, or roles."
    },
    {
      "Id": "MT.1067",
      "Severity": "Medium",
      "Title": "Authentication methods policies should not reference deleted groups."
    },
    {
      "Id": "MT.1068",
      "Severity": "Medium",
      "Title": "Restrict non-admin users from creating tenants"
    },
    {
      "Id": "MT.1069",
      "Severity": "Low",
      "Title": "Restrict non-admin users from creating security groups."
    },
    {
      "Id": "MT.1070",
      "Severity": "Medium",
      "Title": "Restrict device join to selected users/groups or none."
    },
    {
      "Id": "MT.1071",
      "Severity": "Medium",
      "Title": "At least one Conditional Access policy explicitly includes Azure DevOps."
    },
    {
      "Id": "MT.1072",
      "Severity": "High",
      "Title": "Conditional access policies should not use the deprecated Approved Client App grant."
    },
    {
      "Id": "MT.1073",
      "Severity": "Medium",
      "Title": "Soft- and hard-matching of synchronized objects should be blocked."
    },
    {
      "Id": "MT.1074",
      "Severity": "Medium",
      "Title": "Mailboxes should not send outbound mails using the .onmicrosoft.com domain."
    },
    {
      "Id": "MT.1075",
      "Severity": "Medium",
      "Title": "Third Party Entra Apps should only have explicitly assigned users instead of All Users."
    },
    {
      "Id": "MT.1076",
      "Severity": "High",
      "Title": "MOERA SHOULD NOT be used for sent mail."
    },
    {
      "Id": "MT.1077",
      "Severity": "Medium",
      "Title": "App registrations with privileged API permissions should not have owners"
    },
    {
      "Id": "MT.1078",
      "Severity": "Medium",
      "Title": "App registrations with highly privileged directory roles should not have owners"
    },
    {
      "Id": "MT.1079",
      "Severity": "Medium",
      "Title": "Privileged API permissions on service principals should not remain unused"
    },
    {
      "Id": "MT.1080",
      "Severity": "Medium",
      "Title": "Credentials, tokens, or cookies from highly privileged users should not be exposed on vulnerable endpoints"
    },
    {
      "Id": "MT.1081",
      "Severity": "Medium",
      "Title": "Hybrid users should not be assigned Entra ID role assignments"
    },
    {
      "Id": "MT.1083",
      "Severity": "Low",
      "Title": "Ensure Delicensing Resiliency is enabled"
    },
    {
      "Id": "MT.1084",
      "Severity": "High",
      "Title": "Seamless Single SignOn should be disabled for all domains in EntraID Connect servers."
    },
    {
      "Id": "MT.1085",
      "Severity": "Medium",
      "Title": "Pending approvals for Critical Asset Management should not be present"
    },
    {
      "Id": "MT.1086",
      "Severity": "Low",
      "Title": "Devices should not share both critical and non-critical user credentials."
    },
    {
      "Id": "MT.1087",
      "Severity": "High",
      "Title": "Devices should not be publicly exposed with remotely exploitable, highly likely to be exploited, high or critical severity CVE's."
    },
    {
      "Id": "MT.1088",
      "Severity": "Medium",
      "Title": "Devices with critical credentials should be protected by TPM."
    },
    {
      "Id": "MT.1089",
      "Severity": "Medium",
      "Title": "Devices with critical credentials should be protected by Credential Guard."
    },
    {
      "Id": "MT.1090",
      "Severity": "Medium",
      "Title": "Global administrator role should not be added as local administrator on the device during Microsoft Entra join"
    },
    {
      "Id": "MT.1091",
      "Severity": "Medium",
      "Title": "Registering user should not be added as local administrator on the device during Microsoft Entra join"
    },
    {
      "Id": "MT.1092",
      "Severity": "High",
      "Title": "Intune APNS certificate should be valid for more than 30 days"
    },
    {
      "Id": "MT.1093",
      "Severity": "High",
      "Title": "Apple Automated Device Enrollment Tokens should be valid for more than 30 days"
    },
    {
      "Id": "MT.1094",
      "Severity": "High",
      "Title": "Apple Volume Purchase Program Tokens should be valid for more than 30 days"
    },
    {
      "Id": "MT.1095",
      "Severity": "High",
      "Title": "Android Enterprise Account Connection should be healthy"
    },
    {
      "Id": "MT.1096",
      "Severity": "Medium",
      "Title": "Intune Multi Admin approval should be configured"
    },
    {
      "Id": "MT.1097",
      "Severity": "High",
      "Title": "Certificate Connectors should be healthy and running supported versions"
    },
    {
      "Id": "MT.1098",
      "Severity": "Critical",
      "Title": "Mobile Threat Defense Connectors should be healthy"
    },
    {
      "Id": "MT.1099",
      "Severity": "Low",
      "Title": "Windows Diagnostic Data Processing should be enabled"
    },
    {
      "Id": "MT.1100",
      "Severity": "High",
      "Title": "Intune Audit Logs should be retained"
    },
    {
      "Id": "MT.1101",
      "Severity": "Low",
      "Title": "Default Branding Profile should be customized"
    },
    {
      "Id": "MT.1102",
      "Severity": "High",
      "Title": "Windows Feature Update Policy Settings should not reference end of support builds"
    },
    {
      "Id": "MT.1103",
      "Severity": "High",
      "Title": "Intune RBAC groups should be protected by Restricted Management Administrative Units or Role Assignable groups"
    },
    {
      "Id": "MT.1105",
      "Severity": "Low",
      "Title": "MDM Authority should be set to Microsoft Intune"
    },
    {
      "Id": "MT.1106",
      "Severity": "Medium",
      "Title": "Catalog resources must have valid roles (no stale app roles or deleted SPNs)"
    },
    {
      "Id": "MT.1107",
      "Severity": "Medium",
      "Title": "Access packages and catalogs should not reference deleted groups"
    },
    {
      "Id": "MT.1108",
      "Severity": "Medium",
      "Title": "Access packages should not have inactive or orphaned assignment policies"
    },
    {
      "Id": "MT.1109",
      "Severity": "Medium",
      "Title": "Access package approval workflows must have valid approvers"
    },
    {
      "Id": "MT.1110",
      "Severity": "Medium",
      "Title": "No catalog should contain resources without any associated access packages"
    },
    {
      "Id": "MT.1111",
      "Severity": "Low",
      "Title": "High privileged user should be linked to an identity"
    },
    {
      "Id": "MT.1112",
      "Severity": "Medium",
      "Title": "Privileged user accounts should not remain enabled when the linked primary account is disabled"
    },
    {
      "Id": "MT.1113",
      "Severity": "High",
      "Title": "AI agents should not be shared with broad access control policies"
    },
    {
      "Id": "MT.1114",
      "Severity": "High",
      "Title": "AI agents should require user authentication"
    },
    {
      "Id": "MT.1115",
      "Severity": "Medium",
      "Title": "AI agents should not have risky HTTP configurations"
    },
    {
      "Id": "MT.1116",
      "Severity": "High",
      "Title": "AI agents should not send email with AI-controlled inputs"
    },
    {
      "Id": "MT.1117",
      "Severity": "Low",
      "Title": "Published AI agents should not be dormant"
    },
    {
      "Id": "MT.1118",
      "Severity": "Medium",
      "Title": "AI agents should avoid using author (maker) authentication for tools"
    },
    {
      "Id": "MT.1119",
      "Severity": "High",
      "Title": "AI agents should not have hard-coded credentials in topics"
    },
    {
      "Id": "MT.1120",
      "Severity": "Medium",
      "Title": "AI agents should not use MCP server tools without review"
    },
    {
      "Id": "MT.1121",
      "Severity": "Medium",
      "Title": "AI agents with generative orchestration should have custom instructions"
    },
    {
      "Id": "MT.1122",
      "Severity": "Medium",
      "Title": "AI agents should not have orphaned ownership"
    },
    {
      "Id": "MT.1123",
      "Severity": "High",
      "Title": "Ensure BitLocker full disk encryption is configured via Intune"
    },
    {
      "Id": "ORCA.100",
      "Severity": "Medium",
      "Title": "Bulk Complaint Level threshold is between 4 and 6."
    },
    {
      "Id": "ORCA.101",
      "Severity": "Medium",
      "Title": "Bulk is marked as spam."
    },
    {
      "Id": "ORCA.102",
      "Severity": "Medium",
      "Title": "Advanced Spam filter options are turned off."
    },
    {
      "Id": "ORCA.103",
      "Severity": "Medium",
      "Title": "Outbound spam filter policy settings configured."
    },
    {
      "Id": "ORCA.104",
      "Severity": "High",
      "Title": "High Confidence Phish action set to Quarantine message."
    },
    {
      "Id": "ORCA.105",
      "Severity": "Medium",
      "Title": "Safe Links Synchronous URL detonation is enabled."
    },
    {
      "Id": "ORCA.106",
      "Severity": "Medium",
      "Title": "Quarantine retention period is 30 days."
    },
    {
      "Id": "ORCA.107",
      "Severity": "Low",
      "Title": "End-user spam notification is enabled."
    },
    {
      "Id": "ORCA.108",
      "Severity": "Medium",
      "Title": "DKIM signing is set up for all your custom domains."
    },
    {
      "Id": "ORCA.108.1",
      "Severity": "Medium",
      "Title": "DNS Records have been set up to support DKIM."
    },
    {
      "Id": "ORCA.109",
      "Severity": "Medium",
      "Title": "Senders are not being allow listed in an unsafe manner."
    },
    {
      "Id": "ORCA.110",
      "Severity": "Medium",
      "Title": "Internal Sender notifications are disabled."
    },
    {
      "Id": "ORCA.111",
      "Severity": "High",
      "Title": "Anti-phishing policy exists and EnableUnauthenticatedSender is true."
    },
    {
      "Id": "ORCA.112",
      "Severity": "Medium",
      "Title": "Anti-spoofing protection action is configured to Move message to the recipients' Junk Email folders in Anti-phishing policy."
    },
    {
      "Id": "ORCA.113",
      "Severity": "Medium",
      "Title": "AllowClickThrough is disabled in Safe Links policies."
    },
    {
      "Id": "ORCA.114",
      "Severity": "High",
      "Title": "No IP Allow Lists have been configured."
    },
    {
      "Id": "ORCA.115",
      "Severity": "Medium",
      "Title": "Mailbox intelligence based impersonation protection is enabled in anti-phishing policies."
    },
    {
      "Id": "ORCA.116",
      "Severity": "Medium",
      "Title": "Mailbox intelligence based impersonation protection action set to move message to junk mail folder."
    },
    {
      "Id": "ORCA.118.1",
      "Severity": "High",
      "Title": "Domains are not being allow listed in an unsafe manner in Anti-Spam Policies."
    },
    {
      "Id": "ORCA.118.2",
      "Severity": "High",
      "Title": "Domains are not being allow listed in an unsafe manner in Transport Rules."
    },
    {
      "Id": "ORCA.118.3",
      "Severity": "Medium",
      "Title": "Your own domains are not being allow listed in an unsafe manner in Anti-Spam Policies."
    },
    {
      "Id": "ORCA.118.4",
      "Severity": "Medium",
      "Title": "Your own domains are not being allow listed in an unsafe manner in Transport Rules."
    },
    {
      "Id": "ORCA.119",
      "Severity": "Info",
      "Title": "Similar Domains Safety Tips is enabled."
    },
    {
      "Id": "ORCA.120.1",
      "Severity": "Medium",
      "Title": "Zero Hour Autopurge Enabled for Phish."
    },
    {
      "Id": "ORCA.120.2",
      "Severity": "Medium",
      "Title": "Zero Hour Autopurge Enabled for Malware."
    },
    {
      "Id": "ORCA.120.3",
      "Severity": "Medium",
      "Title": "Zero Hour Autopurge Enabled for Spam."
    },
    {
      "Id": "ORCA.121",
      "Severity": "Low",
      "Title": "Supported filter policy action used."
    },
    {
      "Id": "ORCA.123",
      "Severity": "Info",
      "Title": "Unusual Characters Safety Tips is enabled."
    },
    {
      "Id": "ORCA.124",
      "Severity": "High",
      "Title": "Safe attachments unknown malware response set to block messages."
    },
    {
      "Id": "ORCA.139",
      "Severity": "Low",
      "Title": "Spam action set to move message to junk mail folder or quarantine."
    },
    {
      "Id": "ORCA.140",
      "Severity": "High",
      "Title": "High Confidence Spam action set to Quarantine message."
    },
    {
      "Id": "ORCA.141",
      "Severity": "Medium",
      "Title": "Bulk action set to Move message to Junk Email Folder."
    },
    {
      "Id": "ORCA.142",
      "Severity": "Medium",
      "Title": "Phish action set to Quarantine message."
    },
    {
      "Id": "ORCA.143",
      "Severity": "Info",
      "Title": "Safety Tips are enabled."
    },
    {
      "Id": "ORCA.156",
      "Severity": "Medium",
      "Title": "Safe Links Policies are tracking when user clicks on safe links."
    },
    {
      "Id": "ORCA.158",
      "Severity": "Medium",
      "Title": "Safe Attachments is enabled for SharePoint and Teams."
    },
    {
      "Id": "ORCA.179",
      "Severity": "Medium",
      "Title": "Safe Links is enabled intra-organization."
    },
    {
      "Id": "ORCA.180",
      "Severity": "Medium",
      "Title": "Anti-phishing policy exists and EnableSpoofIntelligence is true."
    },
    {
      "Id": "ORCA.189",
      "Severity": "Medium",
      "Title": "Safe Attachments is not bypassed."
    },
    {
      "Id": "ORCA.189.2",
      "Severity": "High",
      "Title": "Safe Links is not bypassed."
    },
    {
      "Id": "ORCA.205",
      "Severity": "Medium",
      "Title": "Common attachment type filter is enabled."
    },
    {
      "Id": "ORCA.220",
      "Severity": "Medium",
      "Title": "Advanced Phish filter Threshold level is adequate."
    },
    {
      "Id": "ORCA.221",
      "Severity": "Medium",
      "Title": "Mailbox intelligence is enabled in anti-phishing policies."
    },
    {
      "Id": "ORCA.222",
      "Severity": "Medium",
      "Title": "Domain Impersonation action is set to move to Quarantine."
    },
    {
      "Id": "ORCA.223",
      "Severity": "High",
      "Title": "User impersonation action is set to move to Quarantine."
    },
    {
      "Id": "ORCA.224",
      "Severity": "Info",
      "Title": "Similar Users Safety Tips is enabled."
    },
    {
      "Id": "ORCA.225",
      "Severity": "Medium",
      "Title": "Safe Documents is enabled for Office clients."
    },
    {
      "Id": "ORCA.226",
      "Severity": "Medium",
      "Title": "Each domain has a Safe Link policy applied to it."
    },
    {
      "Id": "ORCA.227",
      "Severity": "Medium",
      "Title": "Each domain has a Safe Attachments policy applied to it."
    },
    {
      "Id": "ORCA.228",
      "Severity": "High",
      "Title": "No trusted senders in Anti-phishing policy."
    },
    {
      "Id": "ORCA.229",
      "Severity": "Medium",
      "Title": "No trusted domains in Anti-phishing policy."
    },
    {
      "Id": "ORCA.230",
      "Severity": "Medium",
      "Title": "Each domain has a Anti-phishing policy applied to it, or the default policy is being used."
    },
    {
      "Id": "ORCA.231",
      "Severity": "Medium",
      "Title": "Each domain has a anti-spam policy applied to it, or the default policy is being used."
    },
    {
      "Id": "ORCA.232",
      "Severity": "High",
      "Title": "Each domain has a malware filter policy applied to it, or the default policy is being used."
    },
    {
      "Id": "ORCA.233",
      "Severity": "Medium",
      "Title": "Domains are pointed directly at EOP or enhanced filtering is used."
    },
    {
      "Id": "ORCA.233.1",
      "Severity": "Medium",
      "Title": "Domains are pointed directly at EOP or enhanced filtering is configured on all default connectors."
    },
    {
      "Id": "ORCA.234",
      "Severity": "Medium",
      "Title": "Click through is disabled for Safe Documents."
    },
    {
      "Id": "ORCA.235",
      "Severity": "Medium",
      "Title": "SPF records is set up for all your custom domains."
    },
    {
      "Id": "ORCA.236",
      "Severity": "Medium",
      "Title": "Safe Links is enabled for emails."
    },
    {
      "Id": "ORCA.237",
      "Severity": "Medium",
      "Title": "Safe Links is enabled for teams messages."
    },
    {
      "Id": "ORCA.238",
      "Severity": "Medium",
      "Title": "Safe Links is enabled for office documents."
    },
    {
      "Id": "ORCA.239",
      "Severity": "High",
      "Title": "No exclusions for the built-in protection policies."
    },
    {
      "Id": "ORCA.240",
      "Severity": "Medium",
      "Title": "Outlook is configured to display external tags for external emails."
    },
    {
      "Id": "ORCA.241",
      "Severity": "Medium",
      "Title": "Anti-phishing policy exists and EnableFirstContactSafetyTips is true."
    },
    {
      "Id": "ORCA.242",
      "Severity": "High",
      "Title": "Important protection alerts responsible for AIR activities are enabled."
    },
    {
      "Id": "ORCA.243",
      "Severity": "Medium",
      "Title": "Authenticated Receive Chain is set up for domains not pointing to EOP/MDO, or all domains point to EOP/MDO."
    },
    {
      "Id": "ORCA.244",
      "Severity": "Medium",
      "Title": "Policies are configured to honor sending domains DMARC."
    },
    {
      "Id": "ORCA.1000",
      "Severity": "High",
      "Title": "Exchange Online Protection (EOP) is enabled."
    },
    {
      "Id": "ORCA.1001",
      "Severity": "High",
      "Title": "Spam filter policy settings configured."
    },
    {
      "Id": "ORCA.1002",
      "Severity": "High",
      "Title": "Malware filter policy settings configured."
    },
    {
      "Id": "ORCA.1003",
      "Severity": "High",
      "Title": "Phishing filter policy settings configured."
    },
    {
      "Id": "ORCA.1004",
      "Severity": "High",
      "Title": "<URL> filtering policy settings configured."
    },
    {
      "Id": "AZDO.1000",
      "Severity": "High",
      "Title": "Azure DevOps OAuth apps can access resources in your organization through OAuth"
    },
    {
      "Id": "AZDO.1001",
      "Severity": "High",
      "Title": "Identities can connect to your organization's Git repos through SSH"
    },
    {
      "Id": "AZDO.1002",
      "Severity": "High",
      "Title": "Log Audit Events"
    },
    {
      "Id": "AZDO.1003",
      "Severity": "High",
      "Title": "Restrict public projects"
    },
    {
      "Id": "AZDO.1004",
      "Severity": "High",
      "Title": "Additional protections when using public registries"
    },
    {
      "Id": "AZDO.1005",
      "Severity": "High",
      "Title": "IP Conditional Access policy validation"
    },
    {
      "Id": "AZDO.1006",
      "Severity": "High",
      "Title": "External Users access"
    },
    {
      "Id": "AZDO.1007",
      "Severity": "High",
      "Title": "Team and project administrator are allowed to invite new users"
    },
    {
      "Id": "AZDO.1008",
      "Severity": "Medium",
      "Title": "Request access to Azure DevOps by e-mail notifications to administrators"
    },
    {
      "Id": "AZDO.1009",
      "Severity": "Info",
      "Title": "Feedback Collection"
    },
    {
      "Id": "AZDO.1010",
      "Severity": "High",
      "Title": "Audit streaming"
    },
    {
      "Id": "AZDO.1011",
      "Severity": "Info",
      "Title": "Project Resource Limits"
    },
    {
      "Id": "AZDO.1012",
      "Severity": "Info",
      "Title": "Work Items Tags Limits"
    },
    {
      "Id": "AZDO.1013",
      "Severity": "High",
      "Title": "Organization Owner should not be an individual"
    },
    {
      "Id": "AZDO.1014",
      "Severity": "Medium",
      "Title": "Anonymous access to pipeline badges"
    },
    {
      "Id": "AZDO.1015",
      "Severity": "High",
      "Title": "Limit variables that can be set at queue time"
    },
    {
      "Id": "AZDO.1016",
      "Severity": "High",
      "Title": "Limit job authorization scope to current project for non-release pipelines"
    },
    {
      "Id": "AZDO.1017",
      "Severity": "High",
      "Title": "Limit job authorization scope to current project for classic release pipelines"
    },
    {
      "Id": "AZDO.1018",
      "Severity": "High",
      "Title": "Protect access to repositories in YAML pipelines"
    },
    {
      "Id": "AZDO.1019",
      "Severity": "Medium",
      "Title": "Stage chooser"
    },
    {
      "Id": "AZDO.1020",
      "Severity": "Medium",
      "Title": "Creation of classic build pipelines"
    },
    {
      "Id": "AZDO.1021",
      "Severity": "Medium",
      "Title": "Creation of classic release pipelines"
    },
    {
      "Id": "AZDO.1022",
      "Severity": "High",
      "Title": "Limit building pull requests from forked GitHub repositories"
    },
    {
      "Id": "AZDO.1023",
      "Severity": "High",
      "Title": "Disable Marketplace tasks"
    },
    {
      "Id": "AZDO.1024",
      "Severity": "Medium",
      "Title": "Disable Node 6 tasks"
    },
    {
      "Id": "AZDO.1025",
      "Severity": "High",
      "Title": "Enable shell tasks arguments validation"
    },
    {
      "Id": "AZDO.1026",
      "Severity": "Medium",
      "Title": "Enable automatic enrollment to Advanced Security for Azure DevOps"
    },
    {
      "Id": "AZDO.1027",
      "Severity": "Medium",
      "Title": "Disable showing Gravatar images for users outside of your enterprise"
    },
    {
      "Id": "AZDO.1028",
      "Severity": "Medium",
      "Title": "Disable creation of TFVC repositories"
    },
    {
      "Id": "AZDO.1029",
      "Severity": "Medium",
      "Title": "Storage Usage Limit"
    },
    {
      "Id": "AZDO.1030",
      "Severity": "Critical",
      "Title": "Project Collection Administrators"
    },
    {
      "Id": "AZDO.1031",
      "Severity": "High",
      "Title": "Validate SSH key expiration"
    },
    {
      "Id": "AZDO.1032",
      "Severity": "High",
      "Title": "Restrict creation of global Personal Access Tokens"
    },
    {
      "Id": "AZDO.1033",
      "Severity": "Critical",
      "Title": "Enable automatic revocation of leaked Personal Access Tokens"
    },
    {
      "Id": "AZDO.1034",
      "Severity": "High",
      "Title": "Restrict creation of new Azure DevOps organizations"
    },
    {
      "Id": "AZDO.1035",
      "Severity": "High",
      "Title": "Restrict Personal Access Token lifespan"
    },
    {
      "Id": "AZDO.1036",
      "Severity": "High",
      "Title": "Restrict Personal Access Token full scope"
    }
  ]
}