
Tutorial: SCuBA Your Microsoft 365

Introduction

Managing security and compliance in Microsoft 365 (O365) is crucial to protecting sensitive data and ensuring regulatory adherence. However, unused or misconfigured policies, permissions, and access controls can accumulate as your environment grows, creating security risks and inefficiencies.

SCuBA (Secure Cloud Business Applications) is a framework developed to enhance security and resilience in cloud environments, particularly for government and enterprise organizations. It provides standardized configurations, best practices, and automation tools to help organizations secure Microsoft 365 workloads while aligning with CISA (Cybersecurity and Infrastructure Security Agency) guidelines. By implementing SCuBA recommendations, organizations can improve visibility, enforce security baselines, and proactively mitigate cyber threats in their cloud environments.

Procedure

Getting Started

Before using SCuBA to assess and secure your Microsoft 365 environment, ensure that your tenant has the required licenses, that your system meets all software prerequisites, and that you have the necessary user and application permissions for a successful assessment.

License Requirements

SCuBA has been tested on Microsoft 365 tenants with E3/G3 and E5/G5 license bundles. While it may still function on tenants without these bundles, some security assessments and policy checks may be limited.

Certain baseline policy checks depend on specific Microsoft 365 security features, which are included by default in E5 and G5 plans. These features include:

Software Requirements

User Permissions

SCuBA queries various Microsoft 365 APIs to assess security configurations. To allow this, the user running SCuBA must have the minimum required roles for each Microsoft 365 product:

Application Permissions

SCuBA requires Microsoft Graph API access for Entra ID and SharePoint assessments. If permissions are not pre-configured, SCuBA will request them.

The following Microsoft Graph API permissions must be granted:

Installing SCuBA

Method 1: Installing SCuBA from PSGallery

  1. Open PowerShell as Administrator.

  2. Run the following command to install SCuBA:

  3. Verify the installation:

  4. Initialize SCuBA and its dependencies:

Method 2: Installing SCuBA from GitHub

  1. Open your web browser and go to the SCuBA Releases page.

  2. Locate the latest version of SCuBA.

  3. Under the Assets section, click the .zip file (e.g., ScubaGear-v1.5.0.zip) to download it.

  4. Once downloaded, extract the .zip file to a directory of your choice.

  5. Open PowerShell as Administrator.

  6. Navigate to the directory where you extracted SCuBA.

  7. Run the following command to import the SCuBA module:

  8. Initialize SCuBA and its dependencies:

Using SCuBA

Once SCuBA is installed, you can use it to assess the security configurations of your Microsoft 365 environment. This portion of the guide will explain how to run SCuBA using both PowerShell Gallery (PSGallery) installations and GitHub installations.

If you installed SCuBA using PowerShell Gallery, you can run it directly.

  1. Open up PowerShell with administrator privileges.

  2. Run the following command to assess all supported Microsoft 365 products:

  3. You will be prompted to sign in. Sign in with the appropriate credentials to run the report.

  4. After the report is run, use the following command to manually disconnect from your session to ensure that there are no lingering authenticated connections.

If you downloaded SCuBA manually from GitHub, you need to import the module before running it.

  1. Open up PowerShell with administrator privileges.

  2. Navigate to the directory where you have SCuBA saved.

  3. Run the following command to import the SCuBA module:

  4. Afterward, run the following command to assess all supported Microsoft 365 products:

  5. After the report is run, use the following command to manually disconnect from your session to ensure that there are no lingering authenticated connections.
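The PSGallery install-and-run procedure above as a single PowerShell session, with the disconnect step placed in a `finally` block so it runs even when the assessment fails. This is an added example, not taken from the original page; the cmdlets are those of CISA's ScubaGear module, and the product subset and report folder are assumptions chosen for illustration.

```powershell
# Added example: install from PSGallery, run an assessment, always disconnect.
# Assumptions: an elevated PowerShell session; the product list and output
# folder below are illustrative values, not taken from the tutorial.

$ErrorActionPreference = 'Stop'

# Install the module only if it is not already available on this machine.
if (-not (Get-Module -ListAvailable -Name ScubaGear)) {
    Install-Module -Name ScubaGear -Scope CurrentUser
}

Import-Module -Name ScubaGear

# Verify the installation by printing the installed ScubaGear version.
Invoke-SCuBA -Version

# Install the module's dependencies.
Initialize-SCuBA

# Assumed scope: Entra ID and Exchange Online only.
# Use -ProductNames * to assess every supported product instead.
$products = @('aad', 'exo')

# Assumed report location under the current user's profile.
$outPath = Join-Path $HOME 'ScubaReports'
New-Item -ItemType Directory -Path $outPath -Force | Out-Null

try {
    # Prompts for interactive sign-in, then writes the report under $outPath.
    Invoke-SCuBA -ProductNames $products -OutPath $outPath
}
finally {
    # Runs on success and on failure, so no authenticated sessions linger.
    Disconnect-SCuBATenant -ProductNames $products
}
```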
