// the find
cisagov/ScubaGear
Automation to assess the state of your M365 tenant against CISA's baselines
ScubaGear is a PowerShell module from CISA that audits Microsoft 365 tenant configuration against the agency's Secure Configuration Baselines. It pulls settings via M365 APIs, runs them through Open Policy Agent with Rego policies, and spits out HTML/JSON/CSV compliance reports. The target is federal agencies under BOD 25-01, but any M365 shop that wants a structured security audit can use it.
The OPA/Rego evaluation layer is the right architectural call — policy-as-code means the baselines are auditable, diffable, and testable, which the 400+ unit tests for Rego rules confirm. Coverage is genuinely broad: Entra ID, Exchange Online, Teams, SharePoint, Power Platform, Power BI, and Defender all get their own provider and baseline, not just the obvious ones. The NIST SP 800-53 and MITRE ATT&CK mappings are included and maintained, which saves weeks of work if your organization needs to tie findings to a compliance framework. The new ScubaConfigApp GUI with live YAML preview and Graph integration for group selection is a real usability improvement for admins who aren't comfortable hand-editing config files.
It only runs on Windows with PowerShell 5 — the PSGallery install instruction says 'open a PowerShell 5 terminal on a Windows computer', which locks out Linux/macOS CI pipelines and anyone who has moved to PS 7. Running a full tenant assessment requires significant M365 permissions and interactive auth by default; the non-interactive/service principal path exists but is documented separately and noticeably more painful to set up. The tool is read-only — it reports gaps but does nothing to remediate them, so after a run you're staring at a list of failures with no automation path forward (that's by design, but it means pairing it with something like DSC or Terraform for remediation is entirely on you). ScubaConnect automates execution but is a separate repo with its own infrastructure requirements, so 'just run it on a schedule' is more work than the README implies.