Skip to content

Ali Kabbani

Your Guide to Online Safety

Menu
  • Home
  • Powershell
  • Network
  • Microsoft 365
Menu

Secure Cloud Business Applications (ScubaGear)

Posted on March 3, 2024 by admin

A Microsoft tenant encompasses numerous Microsoft admin centers and configuration settings. Verifying the security status each time can be time-consuming. Establishing a security baseline is essential for determining the starting point or focus areas. Think of it as a checklist for security recommendations. This article demonstrates how to utilize a PowerShell script to retrieve all Microsoft 365 security recommendations and provides insights into the resulting reports.

Secure Cloud Business Applications (SCuBA)

The Cybersecurity and Infrastructure Security Agency (CISA) initiated the Secure Cloud Business Applications (SCuBA) project to offer guidance and tools for safeguarding cloud business application environments within agencies. The aim is to protect federal information generated, accessed, shared, and stored in these environments.

SCuBA facilitates the enhancement of security for information assets of the Federal Civilian Executive Branch (FCEB) stored in cloud environments by ensuring consistent, effective, modern, and manageable security configurations for the following products:

– Microsoft Defender for Office 365
– Microsoft Azure Active Directory
– Microsoft Exchange Online
– Microsoft SharePoint and OneDrive for Business
– Microsoft Power BI
– Microsoft Power Platform
– Microsoft Teams

 

How to get a Microsoft 365 security baseline report

To create a Microsoft 365 security recommendations report, follow these steps:

Step 1. Download ScubaGear

Go to the official ScubaGear GitHub releases page and download the latest version. You need to download the Zip file.

Microsoft 365 security recommendations with PowerShell script download

Extract the folder in the Zip file and save it in C:\Temp. It’s best to rename the folder to ScubaGear without the version number.

ScubaGear folder in Temp folder

Step 2. Run ScubaGear SetUp.ps1 PowerShell script

Only PowerShell 5.1 is currently supported. PowerShell 7 may work, but has not been tested. Full PowerShell 7 support will be added in a future release.

Run PowerShell as administrator and run the Set-ExecutionPolicy to RemoteSigned or Unrestricted.

Set-ExecutionPolicy Unrestricted

To install the module dependencies, open a new PowerShell 5.1 terminal and run SetUp.ps1 from the ScubaGear folder.

C:\Temp\ScubaGear\.\SetUp.ps1

You can get the below error at the end:

Unable to download OPA executable. To try manually downloading, see details in README under ‘Download the required OPA executable’.

We will fix that error by manually downloading the OPA executable and placing the file in the correct folder.

Microsoft 365 security recommendations with PowerShell script error

Step 3. Download OPA executable

Download the OPA executable from here and paste it into C:\Temp\ScubaGear.

Microsoft 365 security recommendations with PowerShell script OPA

Check the downloaded OPA version.

C:\Temp\ScubaGear\.\opa_windows_amd64.exe version

This is how the output looks.

Version: 0.61.0
Build Commit: ea7a3e13c8fdceadeb199904facb4990fcb010f8
Build Timestamp: 2024-01-25T13:06:02Z
Build Hostname: c86b8b609133
Go Version: go1.21.5
Platform: windows/amd64
WebAssembly: available

Step 4. Run ScubaGear PowerShell script

Import the ScubaGear module into your session

Import-Module -Name "C:\Temp\ScubaGear\.\PowerShell\ScubaGear"

Run the script against all products and create a report.

Invoke-SCuBA -OPAPath "C:\Temp\ScubaGear\" -OutPath "C:\Temp\ScubaGear\"

Run the script against Microsoft Entra ID and create a report.

Invoke-SCuBA -OPAPath "C:\Temp\ScubaGear\" -ProductNames aad -OutPath "C:\Temp\ScubaGear"

Run the script against multiple products and create a report.

Invoke-SCuBA -OPAPath "C:\Temp\ScubaGear\" -ProductNames aad, exo, teams -OutPath "C:\Temp\ScubaGear"

Note: You will get a couple of Microsoft sign-in prompts where you have to enter your Microsoft 365 global administrator credentials. This is needed to retrieve the information from all the Microsoft products.

Step 5. Check Microsoft 365 security baseline report

An HTML report will appear automatically. If not, open the report from the folder.

Script reports folder

The report shows the Microsoft products and the details in numbers. Click on a product to view all the details with the information.

In our example, we will click on Exchange Online.

Microsoft 365 security recommendations with PowerShell script report html

The Exchange Online Baseline Report shows everything in excellent detail.

Microsoft 365 security recommendations with PowerShell script Exchange Online report

Look into it and fix what you can so the tests will pass the next time you run the report. Don’t immediately adjust every setting so the results will pass. Every organization is different, and you need to approach this carefully.

Disconnect SCuBA session

Disconnect from all the Microsoft sessions after you finish, or if you want to run it against another tenant.

Disconnect-SCuBATenant

That’s it!

 

Source: Ali Tajran

Recent Posts

  • Get unlicensed OneDrive user accounts report
  • Signing a security.txt File with a GPG Key
  • What is SPF Lookup Limit and How to Fix It?
  • Microsoft’s Different Copilots
  • Secure Cloud Business Applications (ScubaGear)

Archives

  • September 2024
  • March 2024
  • October 2019
  • April 2019

Categories

  • Certificates
  • Email Security
  • Microsoft 365
  • Powershell
  • Uncategorized

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

© 2025 Ali Kabbani | Powered by Superbs Personal Blog theme
Menu
  • Home
  • Powershell
  • Network
  • Microsoft 365