ScubaGear – Secure Cloud Business Applications (SCuBA) Secure Configuration Baseline
ScubaGear was released by CISA and assesses your Microsoft Cloud against “Secure Cloud Business Applications” (SCuBA) baseline policies.
More can be found on CISA’s GitHub: https://github.com/cisagov/ScubaGear
This post will serve as a quick starting guide.
Download the ScubaGear PowerShell application
Download their latest release from GitHub: https://github.com/cisagov/ScubaGear/releases
(You can also install it directly from PowerShell but I prefer the manual approach)
Once downloaded, extract it to e.g. c:\Temp
Installation
(Most of the below is directly from https://github.com/cisagov/ScubaGear/blob/main/docs/installation/github.md)
Navigate to where you extracted it (e.g. C:\temp\ScubaGear-1.4.0\ScubaGear-1.4.0) and run:
Import-Module .\PowerShell\ScubaGear
Ensure your PowerShell execution policy is set to “Remote Signed”:
Get-ExecutionPolicy
If it is not Remote Signed, then change it:
# Set execution policy to Remote Signed
Set-ExecutionPolicy `
-ExecutionPolicy RemoteSigned `
-Scope LocalMachine
Next, initialize Scuba:
Initialize-SCuBA
And then double-check that it is installed successfully:
Invoke-SCuBA -Version
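The installation steps above as one pre-flight script, with an Authenticode check on the extracted files before anything is imported. This is an added example, not code from the original post or from the ScubaGear project; the $ScubaRoot default is the post's example path, and treating any signature status other than Valid as a reason to stop is an assumption of this example.

```powershell
# Added example: pre-flight checks for an extracted ScubaGear release.
# $ScubaRoot default is the post's example path; adjust to your extraction folder.
param([string]$ScubaRoot = 'C:\temp\ScubaGear-1.4.0\ScubaGear-1.4.0')

$modulePath = Join-Path $ScubaRoot 'PowerShell\ScubaGear'
if (-not (Test-Path $modulePath)) { throw "Module folder not found: $modulePath" }

# 1. Collect the Authenticode status of every PowerShell file in the release.
$results = Get-ChildItem -Path $ScubaRoot -Recurse -File -Include *.ps1, *.psm1, *.psd1 |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
        }
    }

# Assumption of this example: anything other than 'Valid' is a reason to stop.
$bad = @($results | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    $bad | Format-Table File, Status -AutoSize | Out-String | Write-Warning
    throw "$($bad.Count) file(s) without a valid signature; review before importing."
}

# Print the distinct signers so the publisher can be checked by eye.
$results | Select-Object -ExpandProperty Signer -Unique

# 2. Report the policy per scope, then require the effective one the guide asks for.
Get-ExecutionPolicy -List | Format-Table -AutoSize
if ((Get-ExecutionPolicy) -ne 'RemoteSigned') {
    throw 'Effective execution policy is not RemoteSigned; change it deliberately, then re-run.'
}

# 3. Same steps as the guide: import, initialize dependencies, confirm the version.
Import-Module $modulePath -ErrorAction Stop
Initialize-SCuBA
Invoke-SCuBA -Version
```

The per-scope listing from Get-ExecutionPolicy -List shows which scope actually sets the effective policy, which helps when deciding whether a LocalMachine change is needed at all.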
Run ScubaGear
I had some issues when running ScubaGear with the below command, i.e. on all products:
Invoke-SCuBA -ProductNames *
I then looked at the error and found ScubaGear supports the following product list:
$ProductDetails = @{
aad = "Azure Active Directory"
defender = "Microsoft 365 Defender"
exo = "Exchange Online"
powerplatform = "Microsoft Power Platform"
sharepoint = "SharePoint Online"
teams = "Microsoft Teams"
}
(I found the product list in \ScubaGear-1.4.0\PowerShell\ScubaGear\Modules\Orchestrator.psm1)
I then decided to run ScubaGear as such to only assess AAD:
Invoke-SCuBA -ProductNames aad
You will need to provide admin consent, so ensure your user is able to grant it; otherwise, approve the consent request in https://entra.microsoft.com/ under Admin Consent Requests.
You will notice a new App Registration was created after granting consent with a whole bunch of permissions:
Report
When ScubaGear is done running, it will open a browser with the report. The report is saved on disk here:
The report provides extremely detailed information, with links to external resources by CISA to help you remediate the findings.