CISA Published a Free Microsoft 365 Security Baseline. Here Is How to Run It Against Your Tenant
TL;DR
- CISA's SCuBA project publishes a free security baseline for Microsoft 365 spanning Azure AD, Exchange, Teams, Defender, OneDrive, SharePoint, and Power Platform.
- ScubaGear, the companion PowerShell tool on GitHub, collects evidence from a tenant automatically and marks each recommendation pass, warning, fail, or not evaluated.
- As of November 2022 the project is in alpha, runs one tenant at a time, and does not evaluate Endpoint Manager (Intune).
- The report surfaces controls your licensing cannot support, which turns a single run into a quick licensing gap analysis.
- We forked ScubaGear to map every recommendation to the CIS Controls v8, built from the CIS Microsoft 365 Foundations Benchmark v1.5.0.
Ask ten engineers what a secure Microsoft 365 tenant looks like and you will get ten different checklists. As of November 2022, there is an official one to argue about: CISA's SCuBA project (Secure Cloud Business Applications) publishes a recommended security baseline for the whole M365 suite, and it ships with a PowerShell tool called ScubaGear that grades a tenant against it automatically. The project is still in alpha, but the recommendations span Azure AD, Exchange, Teams, Defender, OneDrive, SharePoint, and even Power Platform, which makes it one of the better free starting points for a tenant assessment. This post walks through running the tool, what the output looks like, and a fork we built that maps each recommendation to the CIS Controls.
What ScubaGear checks and what the report shows
The project lives on GitHub (opens in new tab) and consists of the PowerShell scripts that perform the assessment. You choose which products to evaluate, and the tool generates one report per product.

Each report lists every recommended baseline for that product, color coded as pass, warning, fail, or not evaluated. The screenshot below comes from our fork (opens in new tab), which is why a CIS Controls column appears alongside each recommendation.

One detail worth calling out: the report can show where your licensing falls short of a control, as in the Azure Active Directory results above, which come from a tenant on Business Premium. That makes a single run double as a licensing gap analysis.
How to run the assessment, step by step
- Download the ZIP file from the repository.
- Run the
Setup.ps1file. Your PowerShell execution policy needs to be set to unrestricted. - Modify the
RunScuba.ps1file to set the output file location, the products to assess, and the endpoint variable if you want Power Platform included in the output. - Run the
RunScuba.ps1script.
Expect to authenticate multiple times during the run. The simple path is a Global Admin with MFA enabled; the README (opens in new tab) documents the least-privileged role per product if you would rather scope down.
When the assessment finishes, a browser window opens with the report automatically. If you left the output path alone, a Reports folder appears inside the Scubagear-main folder you downloaded.
A full video walkthrough is available here: running the CISA SCuBA assessment on YouTube (opens in new tab).
Where the CIS Controls mapping comes from
We wanted the CIS Controls in the output, so we forked the repository (opens in new tab) and built the mapping into the script. The entries combine the existing CIS Microsoft 365 Foundations Benchmark v1.5.0 (opens in new tab) with the CIS Controls v8 standard (opens in new tab). The result: every SCuBA recommendation in the report carries the CIS Control it maps to, which helps when a client or insurer wants findings expressed in a recognized framework.
Limits worth knowing as of November 2022
- The script is not built for multi-tenancy. One tenant per run.
- Endpoint Manager (Intune) is not evaluated, a real gap given how many critical configurations live there.
- The tool shows where licensing blocks a control, as covered above, which is useful rather than limiting, but plan for the conversation it starts.
- Some recommendations carry meaningful end-user impact. Understand the implications of a policy before you flip it on.
- The policy recommendations also exist standalone, without the tool, at Secure Cloud Business Applications (SCuBA) | CISA (opens in new tab).
Troubleshooting consecutive tenant runs
The one problem we hit: running the assessment against multiple tenants back to back throws errors, even from a fresh PowerShell window. The fix is disconnecting the lingering Graph session between runs:
Disconnect-MgGraphRun that, then start the next tenant's assessment.
Our take
Even in alpha, this is a strong assessment, strong enough to use for prospecting. The Endpoint Manager gap stings, since Intune holds many of the configurations MSPs care about most, but for everything ScubaGear does cover, it gives you an authoritative, free, repeatable baseline check. Worth your time.
Frequently asked questions
What permissions does ScubaGear need to run?
The simple route is a Global Admin account with MFA enabled. If you prefer least privilege, the project README lists the minimum role required per product, so you can scope the account down to only what the assessment touches.
Why does ScubaGear error out when you run it against a second tenant?
The Microsoft Graph session from the first run persists, even across new PowerShell windows. Run Disconnect-MgGraph before starting the next tenant and the consecutive runs complete cleanly.
Does the SCuBA baseline cover Intune?
No. As of November 2022, Endpoint Manager is not evaluated, so device compliance and configuration policies need a separate review despite carrying many critical settings.
The baseline check that runs itself
ScubaGear grades one tenant per run, by hand. CloudCapsule checks 250+ controls across every tenant you manage in about 60 seconds, mapped to the frameworks your clients and insurers ask about.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


