Securing Microsoft 365 with ScubaGear: A Deep Dive into Automated Security Assessments


Published on Feb 14, 2024   —   2 min read

ScubaGear, developed by CISA (Cybersecurity and Infrastructure Security Agency), is a powerful automation tool designed to assess the security of Microsoft 365 (M365) tenant configurations against CISA's recommended baselines. The primary goal of ScubaGear is to ensure that M365 environments adhere to best practices in security, providing organizations with a robust assessment of their cloud application security posture.

Getting Started with ScubaGear

ScubaGear operates through PowerShell, leveraging the Open Policy Agent (OPA) for policy evaluation. To get started, users must download a specific version of OPA compatible with ScubaGear, placing the executable within the root directory of ScubaGear. PowerShell execution policies may need to be adjusted depending on your system's configuration to allow ScubaGear to run. Specifically, Windows Servers may require the execution policy to be set to RemoteSigned, while Windows clients might need the same setting or adjustments to handle scripts downloaded from the Internet.

Features and Capabilities

  • Enhanced Security: From version 0.3.0 onwards, ScubaGear is signed by a commonly trusted CA, simplifying the execution process on various Windows environments.
  • Flexible Execution Modes: ScubaGear can be run both interactively, prompting for user credentials, and non-interactively, using an Azure AD application service principal. This versatility supports automation in CI/CD pipelines or scheduled security assessments.
  • Comprehensive Assessments: Users can execute ScubaGear to assess a wide range of M365 products, such as Azure Active Directory, Exchange Online, SharePoint Online, and Microsoft Teams, among others. It provides detailed reports in JSON and HTML formats, offering actionable insights into the security posture of assessed M365 services.
  • Configurability: ScubaGear supports customization through configuration files in YAML or JSON formats, allowing users to tailor assessments to their specific needs. These configurations can include which M365 products to assess, output paths for reports, and specific parameters for each product assessment.

Recent Updates and Enhancements

Recent updates have focused on improving usability, security, and the breadth of assessments ScubaGear can perform. These updates include fixing bugs related to report generation, handling policy descriptions, and improving the tool's documentation to facilitate easier use. Moreover, significant enhancements were made to baseline assessments to ensure alignment with the latest security practices and the introduction of features such as non-interactive authentication modes for automated environments.


ScubaGear represents a significant step forward in securing M365 environments. By providing a detailed assessment of an organization's adherence to recommended security baselines, it plays a crucial role in identifying and mitigating potential vulnerabilities within cloud business applications. For organizations looking to enhance their cloud security posture, ScubaGear offers a comprehensive, automated solution to achieve this goal.

For more detailed information, examples of use, and guidance on getting started with ScubaGear, please visit the official GitHub repository.

Share on Facebook Share on Linkedin Share on Twitter Send by email

Subscribe to the newsletter

Subscribe to the newsletter for the latest news and work updates straight to your inbox, every week.