├── ExportAndImport
│   ├── ConditionalAccessPolicies
│   │   ├── export-conditionalAccess.ps1
│   │   ├── import-conditionalAccess.ps1
│   │   └── policies
│   │       ├── Location - Office.json
│   │       ├── Policy - Blocking sign-ins for users attempting to use legacy authentication protocols.json
│   │       ├── Policy - Require multi-factor authentication for all users.json
│   │       ├── Policy - Require multi-factor authentication for guest accounts.json
│   │       ├── Policy - Require multi-factor authentication for users with administrative roles.json
│   │       └── Policy - Requiring trusted locations for Azure AD Multi-Factor Authentication registration.json
│   └── Intune
│       ├── export-intune.ps1
│       ├── import-intune.ps1
│       └── policies
│           ├── Compliance - Windows 10.json
│           ├── Configuration - Windows 10 - Device restrictions.json
│           ├── Configuration - Windows 10 - Endpoint protection.json
│           ├── Configuration - Windows 10 - Identity protection.json
│           ├── Configuration - Windows 10 - Microsoft Defender for Endpoint.json
│           ├── Configuration - Windows 10 - Update rings.json
│           ├── Configuration - Windows 10 - Windows health monitoring.json
│           ├── EndPoint Security - Attack surface reduction rules.json
│           ├── EndPoint Security - MDM Security Baseline.json
│           ├── EndPoint Security - Microsoft Defender for Endpoint baseline.json
│           ├── EndPoint Security - Microsoft Edge baseline.json
│           └── Managed App - Windows 10.json
├── LICENSE
└── README.md

/ExportAndImport/ConditionalAccessPolicies/export-conditionalAccess.ps1:
--------------------------------------------------------------------------------
<#PSScriptInfo
.VERSION 0.1
.GUID 9ef7a4b3-c6bb-488c-8eb4-39278901d6a9
.AUTHOR
Maarten Peeters
.COMPANYNAME
CloudSecuritea
.COPYRIGHT
.TAGS
.LICENSEURI
.PROJECTURI
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.RELEASENOTES
Version 0.1: Original published version.
#>

<#
.SYNOPSIS
This script will export all conditional access policies and named locations

.DESCRIPTION
This script will export all conditional access policies and named locations

.PARAMETER client_Id
Enter the client ID of the application created for this task

.PARAMETER client_Secret
Enter the client Secret of the application created for this task

.PARAMETER tenant_Id
Enter the tenant id

.PARAMETER location
Enter the location to store the .JSON files

.EXAMPLE
export-conditionalAccess.ps1 -client_Id <client id> -client_Secret <client secret> -tenant_Id <tenant id> -location <folder>

.NOTES
Version: 0.1
Author: Maarten Peeters
Creation Date: 15/09/2021
Purpose/Change: Init

Version Changes:
0.1 Initial
#>

param(
    [Parameter(mandatory = $true)]
    [String]$client_Id,
    [Parameter(mandatory = $true)]
    [String]$client_Secret,
    [Parameter(mandatory = $true)]
    [String]$tenant_Id,
    [Parameter(mandatory = $true)]
    [String]$location
)

####################
# Connect to Graph #
####################
# Client-credentials grant: the app registration's id and secret are exchanged for a Graph access token
$Body = @{
    Grant_Type    = "client_credentials"
    resource      = "https://graph.microsoft.com"
    client_id     = $client_Id
    client_secret = $client_Secret
}

$ConnectGraph = Invoke-RestMethod -Uri "https://login.microsoft.com/$tenant_Id/oauth2/token?api-version=1.0" -Method POST -Body $Body

########################
# Variable Collections #
########################

$HeaderParams = @{
    'Content-Type'  = "application/json"
    'Authorization' = "Bearer $($ConnectGraph.access_token)"
}

#Conditional Access policies
$conditionalAccessPoliciesRequest = (Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" -Method Get)
$conditionalAccessPolicies = $conditionalAccessPoliciesRequest.value

#Named locations
$namedLocationsRequest = (Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations" -Method Get)
$namedLocations = $namedLocationsRequest.value

##################
# Export to JSON #
##################

try{
    foreach($policy in $conditionalAccessPolicies){
        $filePath = "$($location)\Policy - $($policy.displayName).json"
        $policy | convertto-json -Depth 10 | out-file $filePath
        # Drop the id and timestamp lines so the file can be posted back on import
        $Clean = Get-Content $filePath | Select-String -Pattern '"id":', '"createdDateTime":', '"modifiedDateTime":' -notmatch
        $Clean | Out-File -FilePath $filePath
        write-host "Exported policy: $($policy.displayName)" -ForegroundColor green
    }
}
catch{
    write-host "Error: $($_.Exception.Message)" -ForegroundColor red
}

try{
    foreach($namedLocation in $namedLocations){
        $filePath = "$($location)\Location - $($namedLocation.displayName).json"
        $namedLocation | convertto-json -Depth 10 | out-file $filePath
        # Drop the id and timestamp lines so the file can be posted back on import
        $Clean = Get-Content $filePath | Select-String -Pattern '"id":', '"createdDateTime":', '"modifiedDateTime":' -notmatch
        $Clean | Out-File -FilePath $filePath
        write-host "Exported location: $($namedLocation.displayName)" -ForegroundColor green
    }
}
catch{
    write-host "Error: $($_.Exception.Message)" -ForegroundColor red
}
--------------------------------------------------------------------------------
/ExportAndImport/ConditionalAccessPolicies/import-conditionalAccess.ps1:
--------------------------------------------------------------------------------
<#PSScriptInfo
.VERSION 0.1
.GUID 559d4445-fdcf-42e0-8f38-eacff1949a04
.AUTHOR
Maarten Peeters
.COMPANYNAME
CloudSecuritea
.COPYRIGHT
.TAGS
.LICENSEURI
.PROJECTURI
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.RELEASENOTES
Version 0.1: Original published version.
#>

<#
.SYNOPSIS
This script will import all conditional access policies and named locations

.DESCRIPTION
This script will import all conditional access policies and named locations

.PARAMETER client_Id
Enter the client ID of the application created for this task

.PARAMETER client_Secret
Enter the client Secret of the application created for this task

.PARAMETER tenant_Id
Enter the tenant id

.PARAMETER location
Enter the location where the JSON files have been stored

.EXAMPLE
import-conditionalAccess.ps1 -client_Id <client id> -client_Secret <client secret> -tenant_Id <tenant id> -location <folder>

.NOTES
Version: 0.1
Author: Maarten Peeters
Creation Date: 15/09/2021
Purpose/Change: Init

Version Changes:
0.1 Initial
#>

param(
    [Parameter(mandatory = $true)]
    [String]$client_Id,
    [Parameter(mandatory = $true)]
    [String]$client_Secret,
    [Parameter(mandatory = $true)]
    [String]$tenant_Id,
    [Parameter(mandatory = $true)]
    [String]$location
)

####################
# Connect to Graph #
####################
# Client-credentials grant: the app registration's id and secret are exchanged for a Graph access token
$Body = @{
    Grant_Type    = "client_credentials"
    resource      = "https://graph.microsoft.com"
    client_id     = $client_Id
    client_secret = $client_Secret
}

$ConnectGraph = Invoke-RestMethod -Uri "https://login.microsoft.com/$tenant_Id/oauth2/token?api-version=1.0" -Method POST -Body $Body

########################
# Variable Collections #
########################

#Conditional Access policies
$conditionalAccessPolicies = Get-ChildItem -Path "$($location)\Policy*"

#Named locations
$namedLocations = Get-ChildItem -Path "$($location)\Location*"

######################################
# Create Conditional Access policies #
######################################

$HeaderParams = @{
    'Content-Type'  = "application/json"
    'Authorization' = "Bearer $($ConnectGraph.access_token)"
}

try{
    foreach($policy in $conditionalAccessPolicies){
        $JSON = Get-Content $policy.fullName
        $response = Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" -UseBasicParsing -Method POST -ContentType "application/json" -Body $JSON
        write-host "Imported policy: $(($JSON | convertfrom-json).displayname)" -ForegroundColor green
    }
}
catch{
    write-host "Error: $($_.Exception.Message)" -ForegroundColor red
}

try{
    foreach($namedLocation in $namedLocations){
        $JSON = Get-Content $namedLocation.fullName
        $response = Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations" -UseBasicParsing -Method POST -ContentType "application/json" -Body $JSON
        write-host "Imported location: $(($JSON | convertfrom-json).displayname)" -ForegroundColor green
    }
}
catch{
    write-host "Error: $($_.Exception.Message)" -ForegroundColor red
}
--------------------------------------------------------------------------------
/ExportAndImport/ConditionalAccessPolicies/policies/Location - Office.json:
--------------------------------------------------------------------------------
{
    "@odata.type": "#microsoft.graph.ipNamedLocation",
    "displayName": "Office",
    "isTrusted": true,
    "ipRanges": [
        {
            "@odata.type": "#microsoft.graph.iPv4CidrRange",
            "cidrAddress": "***.**.***.***/**"
        }
    ]
}
--------------------------------------------------------------------------------
/ExportAndImport/ConditionalAccessPolicies/policies/Policy - Blocking sign-ins for users attempting to use legacy authentication protocols.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudSecuritea/O365ExportImport/1d9aa0263423950f592dac1c5ac7d84d0afefae5/ExportAndImport/ConditionalAccessPolicies/policies/Policy - Blocking sign-ins for users attempting to use legacy authentication protocols.json
--------------------------------------------------------------------------------
/ExportAndImport/ConditionalAccessPolicies/policies/Policy - Require multi-factor authentication for all users.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudSecuritea/O365ExportImport/1d9aa0263423950f592dac1c5ac7d84d0afefae5/ExportAndImport/ConditionalAccessPolicies/policies/Policy - Require multi-factor authentication for all users.json
--------------------------------------------------------------------------------
/ExportAndImport/ConditionalAccessPolicies/policies/Policy - Require multi-factor authentication for guest accounts.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudSecuritea/O365ExportImport/1d9aa0263423950f592dac1c5ac7d84d0afefae5/ExportAndImport/ConditionalAccessPolicies/policies/Policy - Require multi-factor authentication for guest accounts.json
--------------------------------------------------------------------------------
/ExportAndImport/ConditionalAccessPolicies/policies/Policy - Require multi-factor authentication for users with administrative roles.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudSecuritea/O365ExportImport/1d9aa0263423950f592dac1c5ac7d84d0afefae5/ExportAndImport/ConditionalAccessPolicies/policies/Policy - Require multi-factor authentication for users with administrative roles.json
--------------------------------------------------------------------------------
/ExportAndImport/ConditionalAccessPolicies/policies/Policy - Requiring trusted locations for Azure AD Multi-Factor Authentication registration.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudSecuritea/O365ExportImport/1d9aa0263423950f592dac1c5ac7d84d0afefae5/ExportAndImport/ConditionalAccessPolicies/policies/Policy - Requiring trusted locations for Azure AD Multi-Factor Authentication registration.json
--------------------------------------------------------------------------------
/ExportAndImport/Intune/export-intune.ps1:
--------------------------------------------------------------------------------
<#PSScriptInfo
.VERSION 0.1
.GUID a7d9a727-03d3-4521-972a-0f46d7e21edc
.AUTHOR
Maarten Peeters
.COMPANYNAME
CloudSecuritea
.COPYRIGHT
.TAGS
.LICENSEURI
.PROJECTURI
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.RELEASENOTES
Version 0.1: Original published version.
#>

<#
.SYNOPSIS
This script will export Intune policies

.DESCRIPTION
This script will export Intune policies

.PARAMETER client_Id
Enter the client ID of the application created for this task

.PARAMETER client_Secret
Enter the client Secret of the application created for this task

.PARAMETER tenant_Id
Enter the tenant id

.PARAMETER location
Enter the location to store the .JSON files

.EXAMPLE
export-intune.ps1 -client_Id <client id> -client_Secret <client secret> -tenant_Id <tenant id> -location <folder>

.NOTES
Version: 0.1
Author: Maarten Peeters
Creation Date: 17/09/2021
Purpose/Change: Init

Version Changes:
0.1 Initial
#>

param(
    [Parameter(mandatory = $true)]
    [String]$client_Id,
    [Parameter(mandatory = $true)]
    [String]$client_Secret,
    [Parameter(mandatory = $true)]
    [String]$tenant_Id,
    [Parameter(mandatory = $true)]
    [String]$location
)

####################
# Connect to Graph #
####################
# Client-credentials grant: the app registration's id and secret are exchanged for a Graph access token
$Body = @{
    Grant_Type    = "client_credentials"
    resource      = "https://graph.microsoft.com"
    client_id     = $client_Id
    client_secret = $client_Secret
}

$ConnectGraph = Invoke-RestMethod -Uri "https://login.microsoft.com/$tenant_Id/oauth2/token?api-version=1.0" -Method POST -Body $Body

########################
# Variable Collections #
########################

$HeaderParams = @{
    'Content-Type'  = "application/json"
    'Authorization' = "Bearer $($ConnectGraph.access_token)"
}

#Compliance policies
$compliancePoliciesRequest = (Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" -Method Get)
$compliancePolicies = $compliancePoliciesRequest.value

#Configuration policies
$configurationPoliciesRequest = (Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations" -Method Get)
$configurationPolicies = $ConfigurationPoliciesRequest.value

#Endpoint Security policies
$endpointSecurityPoliciesRequest = (Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/beta/deviceManagement/intents" -Method Get)
$endpointSecurityPolicies = $endpointSecurityPoliciesRequest.value

$endpointSecurityTemplatesRequest = (Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/beta/deviceManagement/templates?`$filter=(isof(%27microsoft.graph.securityBaselineTemplate%27))" -Method Get)
$endpointSecurityTemplates = $endpointSecurityTemplatesRequest.value

#Managed app policies
$managedAppPoliciesRequest = (Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies" -Method Get)
$managedAppPolicies = $managedAppPoliciesRequest.value

##################
# Export to JSON #
##################

#Compliance policies
try{
    foreach($policy in $compliancePolicies){
        $filePath = "$($location)\Compliance - $($policy.displayName).json"
        $policy | convertto-json -Depth 10 | out-file $filePath
        write-host "Exported policy: $($policy.displayName)" -ForegroundColor green
    }
}
catch{
    write-host "Error: $($_.Exception.Message)" -ForegroundColor red
}

#Configuration policies
try{
    foreach($policy in $ConfigurationPolicies){
        $filePath = "$($location)\Configuration - $($policy.displayName).json"
        $policy | convertto-json -Depth 10 | out-file $filePath
        # Drop the id, timestamp, version and scope-tag-support lines so the file can be posted back on import
        $Clean = Get-Content $filePath | Select-String -Pattern '"id":', '"createdDateTime":', '"modifiedDateTime":', '"version":', '"supportsScopeTags":' -notmatch
        $Clean | Out-File -FilePath $filePath
        write-host "Exported policy: $($policy.displayName)" -ForegroundColor green
    }
}
catch{
    write-host "Error: $($_.Exception.Message)" -ForegroundColor red
}

#Endpoint Security policies
try{
    foreach($policy in $endpointSecurityPolicies){
        $filePath = "$($location)\EndPoint Security - $($policy.displayName).json"

        # Creating object for JSON output
        $JSON = New-Object -TypeName PSObject

        Add-Member -InputObject $JSON -MemberType 'NoteProperty' -Name 'displayName' -Value $policy.displayName
        Add-Member -InputObject $JSON -MemberType 'NoteProperty' -Name 'description' -Value $policy.description
        Add-Member -InputObject $JSON -MemberType 'NoteProperty' -Name 'roleScopeTagIds' -Value $policy.roleScopeTagIds
        $ES_Template = $endpointSecurityTemplates | ? { $_.id -eq $policy.templateId }
        Add-Member -InputObject $JSON -MemberType 'NoteProperty' -Name 'TemplateDisplayName' -Value $ES_Template.displayName
        Add-Member -InputObject $JSON -MemberType 'NoteProperty' -Name 'TemplateId' -Value $ES_Template.id
        Add-Member -InputObject $JSON -MemberType 'NoteProperty' -Name 'versionInfo' -Value $ES_Template.versionInfo

        # Getting all categories in specified Endpoint Security Template
        $categoriesRequest = (Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/beta/deviceManagement/templates/$($ES_Template.id)/categories" -Method Get)
        $categories = $categoriesRequest.value

        $settings = @()
        foreach($category in $Categories){
            $policyId = $policy.id
            $categoryId = $category.id
            $categorySettingsRequest = (Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/beta/deviceManagement/intents/$policyId/categories/$categoryId/settings?`$expand=Microsoft.Graph.DeviceManagementComplexSettingInstance/Value" -Method Get)
            $Settings += $categorySettingsRequest.value
        }

        # Adding All settings to settingsDelta ready for JSON export
        Add-Member -InputObject $JSON -MemberType 'NoteProperty' -Name 'settingsDelta' -Value @($Settings)

        $JSON | convertto-json -depth 5 | out-file $filePath

        write-host "Exported policy: $($policy.displayName)" -ForegroundColor green
    }
}
catch{
    write-host "Error: $($_.Exception.Message)" -ForegroundColor red
}

#Managed app policies
try{
    foreach($policy in $managedAppPolicies){
        $filePath = "$($location)\Managed App - $($policy.displayName).json"
        $policy | convertto-json -Depth 10 | out-file $filePath
        # Drop the id, timestamp and version lines so the file can be posted back on import
        $Clean = Get-Content $filePath | Select-String -Pattern '"id":', '"createdDateTime":', '"lastModifiedDateTime":', '"version":' -notmatch
        $Clean | Out-File -FilePath $filePath
        write-host "Exported policy: $($policy.displayName)" -ForegroundColor green
    }
}
catch{
    write-host "Error: $($_.Exception.Message)" -ForegroundColor red
}
--------------------------------------------------------------------------------
/ExportAndImport/Intune/import-intune.ps1:
--------------------------------------------------------------------------------
<#PSScriptInfo
.VERSION 0.1
.GUID c70a2663-468a-49cc-bc4a-1efd971b78cd
.AUTHOR
Maarten Peeters
.COMPANYNAME
CloudSecuritea
.COPYRIGHT
.TAGS
.LICENSEURI
.PROJECTURI
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.RELEASENOTES
Version 0.1: Original published version.
#>

<#
.SYNOPSIS
This script will import Intune policies

.DESCRIPTION
This script will import Intune policies

.PARAMETER client_Id
Enter the client ID of the application created for this task

.PARAMETER client_Secret
Enter the client Secret of the application created for this task

.PARAMETER tenant_Id
Enter the tenant id

.PARAMETER location
Enter the location where the JSON files have been stored

.EXAMPLE
import-intune.ps1 -client_Id <client id> -client_Secret <client secret> -tenant_Id <tenant id> -location <folder>

.NOTES
Version: 0.1
Author: Maarten Peeters
Creation Date: 17/09/2021
Purpose/Change: Init

Version Changes:
0.1 Initial
#>

param(
    [Parameter(mandatory = $true)]
    [String]$client_Id,
    [Parameter(mandatory = $true)]
    [String]$client_Secret,
    [Parameter(mandatory = $true)]
    [String]$tenant_Id,
    [Parameter(mandatory = $true)]
    [String]$location
)

####################
# Connect to Graph #
####################
# Client-credentials grant: the app registration's id and secret are exchanged for a Graph access token
$Body = @{
    Grant_Type    = "client_credentials"
    resource      = "https://graph.microsoft.com"
    client_id     = $client_Id
    client_secret = $client_Secret
}

$ConnectGraph = Invoke-RestMethod -Uri "https://login.microsoft.com/$tenant_Id/oauth2/token?api-version=1.0" -Method POST -Body $Body

########################
# Variable Collections #
########################

#Compliance policies
$compliancePolicies = Get-ChildItem -Path "$($location)\Compliance*"

#Configuration policies
$ConfigurationPolicies = Get-ChildItem -Path "$($location)\Configuration*"

#Endpoint Security policies
$endpointSecurityPolicies = Get-ChildItem -Path "$($location)\Endpoint Security*"

#Managed App policies
$managedAppPolicies = Get-ChildItem -Path "$($location)\Managed App*"

####################
# Import from JSON #
####################

$HeaderParams = @{
    'Content-Type'  = "application/json"
    'Authorization' = "Bearer $($ConnectGraph.access_token)"
}

#Compliance policies
try{
    foreach($policy in $compliancePolicies){
        # Read the file as a single string so only the final closing brace is replaced below
        $JSON = Get-Content -Raw $policy.fullName

        # If missing, adds a default required block scheduled action to the compliance policy request body, as this value is not returned when retrieving compliance policies.
        if($JSON -notmatch '"scheduledActionsForRule"'){
            $scheduledActionsForRule = '"scheduledActionsForRule":[{"ruleName":"PasswordRequired","scheduledActionConfigurations":[{"actionType":"block","gracePeriodHours":0,"notificationTemplateId":"","notificationMessageCCList":[]}]}]'
            $JSON = $JSON -replace '\}\s*$', ''
            $JSON = $JSON.TrimEnd() + "," + "`r`n"
            $JSON = $JSON + $scheduledActionsForRule + "`r`n" + "}"
        }

        $response = Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" -UseBasicParsing -Method POST -ContentType "application/json" -Body $JSON
        write-host "Imported policy: $(($JSON | convertfrom-json).displayname)" -ForegroundColor green
    }
}
catch{
    write-host "Error: $($_.Exception.Message)" -ForegroundColor red
}

#Configuration policies
try{
    foreach($policy in $ConfigurationPolicies){
        $JSON = Get-Content $policy.fullName
        $response = Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations" -UseBasicParsing -Method POST -ContentType "application/json" -Body $JSON
        write-host "Imported policy: $(($JSON | convertfrom-json).displayname)" -ForegroundColor green
    }
}
catch{
    write-host "Error: $($_.Exception.Message)" -ForegroundColor red
}

#Endpoint Security policies
try{
    foreach($policy in $endpointSecurityPolicies){
        $JSON = Get-Content $policy.fullName
        # The export stored the source template id; the policy is created as an instance of that template
        $JSON_Convert = $JSON | ConvertFrom-Json
        $JSON_TemplateId = $JSON_Convert.templateId
        $response = Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/beta/deviceManagement/templates/$JSON_TemplateId/createInstance" -UseBasicParsing -Method POST -ContentType "application/json" -Body $JSON
        write-host "Imported policy: $(($JSON | convertfrom-json).displayname)" -ForegroundColor green
    }
}
catch{
    write-host "Error: $($_.Exception.Message)" -ForegroundColor red
}

#Managed App policies
try{
    foreach($policy in $managedAppPolicies){
        $JSON = Get-Content $policy.fullName
        $JSON_Convert = $JSON | ConvertFrom-Json
        $JSON_TemplateId = $JSON_Convert.templateId
        $response = Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies" -UseBasicParsing -Method POST -ContentType "application/json" -Body $JSON
        write-host "Imported policy: $(($JSON | convertfrom-json).displayname)" -ForegroundColor green
    }
}
catch{
    write-host "Error: $($_.Exception.Message)" -ForegroundColor red
}
--------------------------------------------------------------------------------
/ExportAndImport/Intune/policies/Compliance - Windows 10.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudSecuritea/O365ExportImport/1d9aa0263423950f592dac1c5ac7d84d0afefae5/ExportAndImport/Intune/policies/Compliance - Windows 10.json
--------------------------------------------------------------------------------
/ExportAndImport/Intune/policies/Configuration - Windows 10 - Device restrictions.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudSecuritea/O365ExportImport/1d9aa0263423950f592dac1c5ac7d84d0afefae5/ExportAndImport/Intune/policies/Configuration - Windows 10 - Device restrictions.json
--------------------------------------------------------------------------------
/ExportAndImport/Intune/policies/Configuration - Windows 10 - Endpoint protection.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudSecuritea/O365ExportImport/1d9aa0263423950f592dac1c5ac7d84d0afefae5/ExportAndImport/Intune/policies/Configuration - Windows 10 - Endpoint protection.json
--------------------------------------------------------------------------------
/ExportAndImport/Intune/policies/Configuration - Windows 10 - Identity protection.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudSecuritea/O365ExportImport/1d9aa0263423950f592dac1c5ac7d84d0afefae5/ExportAndImport/Intune/policies/Configuration - Windows 10 - Identity protection.json
--------------------------------------------------------------------------------
/ExportAndImport/Intune/policies/Configuration - Windows 10 - Microsoft Defender for Endpoint.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudSecuritea/O365ExportImport/1d9aa0263423950f592dac1c5ac7d84d0afefae5/ExportAndImport/Intune/policies/Configuration - Windows 10 - Microsoft Defender for Endpoint.json
--------------------------------------------------------------------------------
/ExportAndImport/Intune/policies/Configuration - Windows 10 - Update rings.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudSecuritea/O365ExportImport/1d9aa0263423950f592dac1c5ac7d84d0afefae5/ExportAndImport/Intune/policies/Configuration - Windows 10 - Update rings.json
--------------------------------------------------------------------------------
/ExportAndImport/Intune/policies/Configuration - Windows 10 - Windows health monitoring.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudSecuritea/O365ExportImport/1d9aa0263423950f592dac1c5ac7d84d0afefae5/ExportAndImport/Intune/policies/Configuration - Windows 10 - Windows health monitoring.json
--------------------------------------------------------------------------------
/ExportAndImport/Intune/policies/EndPoint Security - Attack surface reduction rules.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudSecuritea/O365ExportImport/1d9aa0263423950f592dac1c5ac7d84d0afefae5/ExportAndImport/Intune/policies/EndPoint Security - Attack surface reduction rules.json
--------------------------------------------------------------------------------
/ExportAndImport/Intune/policies/EndPoint Security - MDM Security Baseline.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudSecuritea/O365ExportImport/1d9aa0263423950f592dac1c5ac7d84d0afefae5/ExportAndImport/Intune/policies/EndPoint Security - MDM Security Baseline.json
--------------------------------------------------------------------------------
/ExportAndImport/Intune/policies/EndPoint Security - Microsoft Defender for Endpoint baseline.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudSecuritea/O365ExportImport/1d9aa0263423950f592dac1c5ac7d84d0afefae5/ExportAndImport/Intune/policies/EndPoint Security - Microsoft Defender for Endpoint baseline.json
--------------------------------------------------------------------------------
/ExportAndImport/Intune/policies/EndPoint Security - Microsoft Edge baseline.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudSecuritea/O365ExportImport/1d9aa0263423950f592dac1c5ac7d84d0afefae5/ExportAndImport/Intune/policies/EndPoint Security - Microsoft Edge baseline.json
--------------------------------------------------------------------------------
/ExportAndImport/Intune/policies/Managed App - Windows 10.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CloudSecuritea/O365ExportImport/1d9aa0263423950f592dac1c5ac7d84d0afefae5/ExportAndImport/Intune/policies/Managed App - Windows 10.json
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2021 CloudSecuritea

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# O365ExportImport
# https://www.cloudsecuritea.com/2021/09/export-import-of-office-365-and-azure-configuration/

In two weeks I’ll be starting at a new company as an Information Security specialist. In order to prepare for this new endeavor I’ll be updating my developer tenant for testing purposes. All best practices I know and found on the internet will be added to the configuration. I want to configure for example Teams, SharePoint, Endpoint, MCAS and Microsoft Information Protection. Developer tenants are auto renewable every 120 days if there has been activity detected on the tenant. The next couple of blogs will be focused on exporting and importing configuration settings using PowerShell so I can get quickly up and running again should my developer tenant expire. For each topic I’ll create a new post. The PowerShell scripts and configs will be stored in GitHub. Bear with me as content will be updated when ready.

Exporting & Importing topics

This is the first blog which will outline my ambition to create a post for the below topics. I’m not yet sure if all best practices and configurations are PowerShell/Graph ready but I’ll learn that on the way.

Azure Active Directory
Azure Active Directory Identity Protection
Security Center
Compliance Center
SharePoint & OneDrive
Teams
Exchange
Endpoint (Intune)
Stream
Conditional Access
Office 365 General
Power BI
Yammer
Defender for Endpoint
Defender for Office 365
Microsoft Cloud App Security
Microsoft Information Protection

Microsoft 365 developer program

I was contemplating adding one Microsoft 365 E5 license for testing and updating the configuration for my personal tenant. A Microsoft 365 developer subscription doesn’t have Defender for Endpoint and I really want that functionality in my test environment. I decided to add the Defender for Endpoint add-on to the developer tenant as a trial which is active for 3 months. The developer tenant also has 25 licenses which will make testing easier between users. I’ve created my developer tenant the first moment we were able to create an E5 tenant as it was E3 previously and I’ve got 68 days remaining until Microsoft will verify my activity and decide if I can use it for 120 more days. Interested in a Microsoft 365 E5 tenant to test your solutions for the Microsoft 365 platform? Go to Developer Program – Microsoft 365 and join now with your personal Outlook account or a business account.
--------------------------------------------------------------------------------