ScubaGear – Secure Cloud Business Applications (SCuBA) Secure Configuration Baseline
ScubaGear was released by CISA and assesses your Microsoft Cloud against the “Secure Cloud Business Applications” (SCuBA) baseline policies.
More can be found on CISA’s GitHub: https://github.com/cisagov/ScubaGear
This post will serve as a quick starting guide.
Update 11 November 2025
ScubaGear now has a YAML config file which you can get here: https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/Sample-Config-Files/full_config.yaml
GUI Interface (Release Candidate):
You can install a prerelease version of ScubaGear that now has a user interface: https://www.powershellgallery.com/packages/ScubaGear/1.7.0-rc1
You can launch the GUI with “Start-ScubaConfigApp”
Useful Commands
Get-Command -Module ScubaGear
Uninstall-Module -Name "ScubaGear"
Download the ScubaGear PowerShell application
Download their latest release from GitHub: https://github.com/cisagov/ScubaGear/releases
(You can also install it directly from PowerShell but I prefer the manual approach)
Once downloaded, extract it to e.g. c:\Temp

Installation
(Most of the below is directly from https://github.com/cisagov/ScubaGear/blob/main/docs/installation/github.md)
Navigate to where you extracted it (e.g. C:\temp\ScubaGear-1.4.0\ScubaGear-1.4.0) and run:
Import-Module .\PowerShell\ScubaGear
Ensure your PowerShell execution policy is set to RemoteSigned:
Get-ExecutionPolicy
If it is not RemoteSigned, then change it:
# Set execution policy to RemoteSigned (LocalMachine scope requires an elevated PowerShell session)
Set-ExecutionPolicy `
-ExecutionPolicy RemoteSigned `
-Scope LocalMachine
Next, initialize Scuba:
Initialize-SCuBA
And then double check that it is installed successfully:
Invoke-SCuBA -Version
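The installation steps above as one pre-flight script; this is an added example, not part of the original post or the ScubaGear project. It assumes the extraction path used in this post ($ModuleRoot), checks how RemoteSigned will treat the extracted files before importing them, and sets the policy at CurrentUser scope rather than LocalMachine.

```powershell
# Added example, not ScubaGear's own code. $ModuleRoot is an assumption:
# the extraction path from this post plus the module sub-folder.
$ModuleRoot = 'C:\temp\ScubaGear-1.4.0\ScubaGear-1.4.0\PowerShell\ScubaGear'
if (-not (Test-Path -LiteralPath $ModuleRoot)) {
    throw "ScubaGear module folder not found: $ModuleRoot"
}

# 1. Inventory the script files the way the execution policy sees them:
#    Authenticode status, and whether the file carries a Zone.Identifier
#    stream (the mark-of-the-web left by a browser download).
$files = Get-ChildItem -Path $ModuleRoot -Recurse -File |
    Where-Object { $_.Extension -in '.ps1', '.psm1', '.psd1' }
$report = foreach ($f in $files) {
    $sig  = Get-AuthenticodeSignature -LiteralPath $f.FullName
    $motw = Get-Item -LiteralPath $f.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    [pscustomobject]@{
        File       = $f.FullName.Substring($ModuleRoot.Length + 1)
        Signature  = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        Downloaded = [bool]$motw
    }
}
$report | Group-Object Signature, Downloaded | Select-Object Count, Name | Format-Table -AutoSize

# RemoteSigned requires a valid signature on files marked as downloaded, so
# stop and review them here instead of failing halfway through Import-Module.
$blocked = $report | Where-Object { $_.Downloaded -and $_.Signature -ne 'Valid' }
if ($blocked) {
    $blocked | Format-Table File, Signature -AutoSize
    throw "$(@($blocked).Count) downloaded file(s) lack a valid signature."
}

# 2. Show every scope, then change the policy only if the effective one differs.
#    CurrentUser is used instead of the post's LocalMachine: it needs no
#    elevation and leaves other accounts on the machine unchanged.
Get-ExecutionPolicy -List | Format-Table -AutoSize
if ((Get-ExecutionPolicy) -ne 'RemoteSigned') {
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
}

# 3. Same steps as in the post: import, initialize, confirm the version.
Import-Module -Name $ModuleRoot
Initialize-SCuBA
Invoke-SCuBA -Version
```

If the policy is enforced through Group Policy (MachinePolicy or UserPolicy in the list output), the Set-ExecutionPolicy call will not change the effective value.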
Run ScubaGear
I ran ScubaGear to only assess AAD:
Invoke-SCuBA -ConfigFilePath C:\devstuff\scubagear\config.yml -ProductNames aad
You will need to provide admin consent, so ensure your user is able to grant it; otherwise, approve the consent in https://entra.microsoft.com/ under Admin Consent Requests.

Issue
There seems to be an issue where ScubaGear is looking for the existence of Conditional Access Policies, and if you have none, it fails. See https://github.com/cisagov/ScubaGear/issues/1748
Just create a random Conditional Access Policy to get past this issue.
Your error will look something like the below:

You will notice a new App Registration was created after granting consent with a whole bunch of permissions:

Report
When ScubaGear is done running, it will open a browser with the report. The report is saved on disk here:

The report provides extremely detailed information, with links to external resources by CISA to help you remediate the findings.
