diff --git a/.vscode/tasks.json b/.vscode/tasks.json index d333219..b495fd4 100644 --- a/.vscode/tasks.json +++ b/.vscode/tasks.json @@ -33,4 +33,4 @@ "problemMatcher": [] } ] -} +} \ No newline at end of file diff --git a/docs/Data-Gateway/index.md b/docs/Data-Gateway/index.md new file mode 100644 index 0000000..3120a9a --- /dev/null +++ b/docs/Data-Gateway/index.md @@ -0,0 +1,5 @@ +# Data Gateway + +๐Ÿšง **This page is still under development.** + + diff --git a/docs/Discover/Deployment/0-Prerequisites.md b/docs/Discover/Deployment/0-Prerequisites.md deleted file mode 100644 index edeb009..0000000 --- a/docs/Discover/Deployment/0-Prerequisites.md +++ /dev/null @@ -1,39 +0,0 @@ -# Prerequisites - -SHI License Analytics is an enterprise product from SHI International Corp. that requires permissions and software to run. - -## Software/System Configuration - -- [X] The latest version of PowerShell 64Bit installed[^1] -- [X] Internet access with no traffic inspection for the Microsoft owned domains[^2] -- [X] 2GB of available RAM -- [X] [Azure SQL Database Configured](./Azure-SQL-Database.md) - -!!! info "Assumptions" - Our technical requirements are based off performance within an enterprise containing ~10,000 users performing data collection twice a month. For larger enterprises, or varying frequency of report generation, consider having a higher power machine and/or increasing storage capacity of the database. - -## Permissions - -The below Entra ID roles are required to be able to read all of the service configuration information. -The sub-bullet points are the description of what configurations are read by the permissions. - -!!! info "Permissions Usage" - SHI License Analytics will never change your service configuration in any way during an audit. All permissions are used only for data retrieval and are the set of least privilege possible for the data that is being gathered. - -- [X] Global Reader - - [Defender for Endpoint](../Plugins/DefenderEndpoint.md) - - [Defender for Identity](../Plugins/DefenderIdentity.md) - - [Entra ID P1 and P2](../Plugins/EntraID.md) -- [X] Security Administrator - - [Defender for Endpoint](../Plugins/DefenderEndpoint.md) - - [Defender for Identity](../Plugins/DefenderIdentity.md) -- [X] User Administrator - - [Entra ID P1](../Plugins/EntraID.md) - -## See Also - -- [Getting Started](../Getting-Started.md) -- [Azure SQL Database Configuration](./Azure-SQL-Database.md) - -[^1]: 7.4.0 is the latest at the time of writing. -[^2]: The software should work even if this is present, it just isn't guaranteed to work. You can read more about this requirement that Microsoft lays out on [this Microsoft Docs page](https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-network-connectivity-principles){:target="_blank"}. diff --git a/docs/Discover/Deployment/Silent-Installation.md b/docs/Discover/Deployment/Silent-Installation.md deleted file mode 100644 index b87a262..0000000 --- a/docs/Discover/Deployment/Silent-Installation.md +++ /dev/null @@ -1,44 +0,0 @@ -# Silent Installation - -## Overview - -The installer is an MSI file, and the standard `/qn` switch for quiet no GUI installation works as expected. -In addition to the `/qn`, the SQL Server host name needs to be specified as a property at install time. - -This additional property is mandatory as the default operation of Discover doesn't prompt for this value. - -## Configuration Reference - -| Name | Mandatory | Default Value | Description | -| :------------------------: | :--------------: | :-----------: | :--------------------------------------------------------------- | -| `AZSQL_SERVER_FQDN` | :material-check: | nothing | FQDN of the Azure SQL Server that hosts the. | -| `CORRELATION_TABLE_NAME` | :material-close: | `Correlation` | Name of the table to use to store all of the corelation records. | -| `DATABASE_NAME` | :material-close: | `Results` | Name of the database that all of the records are saved to. | -| `LICENSE_COUNT_TABLE_NAME` | :material-close: | `LicenseData` | Name of the table that contains all of the license data records. | - -## Examples - -```CMD title="Deploy SLA Silently" -License-Analytics.msi /qn AZSQL_SERVER_FQDN=shi-example.database.windows.net -``` - -!!! note "Naming Format" - Replace `shi-example.database.windows.net` with the hostname of your Azure SQL Database Server. The hostname should be the name only, without any protocol specifiers (such as `sql://` or `https://`) or virtual directories. - -```CMD title="Deploy with custom DB name" -License-Analytics.msi /qn AZSQL_SERVER_FQDN=shi-example.database.windows.net DATABASE_NAME=CustomerTracker -``` - -```CMD title="Custom Correlation Table Name" -License-Analytics.msi /qn AZSQL_SERVER_FQDN=shi-example.database.windows.net CORRELATION_TABLE_NAME=RunTracker -``` - -```CMD title="Custom License Data Table Name" -License-Analytics.msi /qn AZSQL_SERVER_FQDN=shi-example.database.windows.net LICENSE_COUNT_TABLE_NAME=CustomerTracker -``` - -## See Also - -- [Prerequisites](0-Prerequisites.md) -- [Getting Started](../Getting-Started.md) -- [Standard Installation](Standard-Install.md) diff --git a/docs/Discover/Deployment/Standard-Install.md b/docs/Discover/Deployment/Standard-Install.md deleted file mode 100644 index 2aac2eb..0000000 --- a/docs/Discover/Deployment/Standard-Install.md +++ /dev/null @@ -1,45 +0,0 @@ -# Standard Installation - -To install Discover, you need to have a copy of the installer, which is distributed in MSI format. -If you do not have an installer, please reach out to us [on our website](https://shilab.com/contact/){:target="_blank"}. - -## Installation Instructions - -1. Install the ***latest*** version of PowerShell LTS. - - !!! note "PowerShell Deployment Options" - We recommend to deploy the [Store](https://www.microsoft.com/store/apps/9MZ1SNWT0N5D){:target="_blank"} version of the PowerShell runtime. - - MSI, WinGet and ZIP files are all also available, see the [docs](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows){:target="_blank"} for more info. - - The `pwsh.exe` binary must registered in the Application Registration system, as described in the [Microsoft Documentation](https://learn.microsoft.com/en-us/windows/win32/shell/app-registration#registering-applications){:target="_blank"}. - - Currently only local user installs of PowerShell are supported for the desktop shortcut. For local machine installs of PowerShell, the CLI is required to run Discover. - -2. Run the Discover installer. - -3. On the main screen, enter the FQDN of the Azure SQL Server. - - !!! note "Naming Format" - Replace `*.database.windows.net` with the hostname of your Azure SQL Database Server. The hostname should be the name only, without any protocol specifiers (such as `sql://` or `https://`) or virtual directories. - - ![Screenshot of the installer's main screen.](../assets/images/screenshots/Installer-Dark.png#only-dark){ loading=lazy } - ![Screenshot of the installer's main screen.](../assets/images/screenshots/Installer-Light.png#only-light){ loading=lazy } - -4. (Optional) If you want to configure the `Correlation`, `License Data`, or `Database Name`, select the drop down and chose 'Configure' - - ![Screenshot of the installer's main screen with the dropdown menu visible.](../assets/images/screenshots/Dropdown-Dark.png#only-dark){ loading=lazy } - ![Screenshot of the installer's main screen with the dropdown menu visible.](../assets/images/screenshots/Dropdown-Light.png#only-light){ loading=lazy } - -5. (Optional) Configure the options to match the results you want. - - ![Screenshot of the installer's optional configuration screen.](../assets/images/screenshots/AdvancedConfig-Dark.png#only-dark){ loading=lazy } - ![Screenshot of the installer's optional configuration screen.](../assets/images/screenshots/AdvancedConfig-Light.png#only-light){ loading=lazy } - -6. Press the Install button. - -## See Also - -- [Prerequisites](0-Prerequisites.md) -- [Getting Started](../Getting-Started.md) -- [Silent Installation](Silent-Installation.md) diff --git a/docs/Discover/Getting-Started.md b/docs/Discover/Getting-Started.md deleted file mode 100644 index 6237499..0000000 --- a/docs/Discover/Getting-Started.md +++ /dev/null @@ -1,53 +0,0 @@ -# Getting Started - -Please read through the [prerequisites](Deployment/0-Prerequisites.md) to make sure you have all you need before you begin. - -If you have not already installed the Discover app, please follow the [installation guide](Deployment/Standard-Install.md). - -## Default Mode - -Default mode runs Discover authentication in a InPrivate/Incognito window. -It also uses all of the configured database settings and can't be overridden. -The majority of the time, this is what should be run. Please reach out to SHI or your security department if other options are required. - -1. Double click the desktop icon titled `Run License Analytics` - -2. Log into the Az SQL Database (Only first log in screen) - -3. Log into the tenant to be analyzed (All subsequent login screens) - - !!! info "Authentication Info" - The first authentication prompt is for the tenant that the reports will be saved in. - Log in with the account that is authorized to write to the reports DB. - - The next set of login prompts are for the tenant that should be analyzed for license compliance. - You will need to log into the account more than once due to the type of systems that will be analyzed. - -4. Sit back and relax while the engine retrieves and reports the compliance status of the target tenant. - -## CLI Mode - -1. Open PowerShell 7 - -2. Run `Get-LicenseCompliance` - - !!! info "Configuration Info" - For information on the various modes of operation, parameters, and configurations, please run `Get-Help Get-LicenseCompliance` to get the latest information. - -3. Log into the Az SQL and tenant to be analyzed. - - !!! info "Authentication Info" - The first authentication prompt is for the tenant that the reports will be saved in. - Log in with the account that is authorized to write to the reports DB. - - The next set of login prompts are for the tenant that should be analyzed for license compliance. - You will need to log into the account more than once due to the type of systems that will be analyzed. - -4. Sit back and relax while the engine retrieves and reports the compliance status of the target tenant. - -## See Also - -- [Prerequisites](Deployment/0-Prerequisites.md) -- [Installation Guide](Deployment/Standard-Install.md) -- [Silent Installation](Deployment/Silent-Installation.md) -- [Installing PowerShell on Windows](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows) diff --git a/docs/Discover/Plugins/Overview.md b/docs/Discover/Plugins/Overview.md deleted file mode 100644 index 6e8e4fe..0000000 --- a/docs/Discover/Plugins/Overview.md +++ /dev/null @@ -1,14 +0,0 @@ -# Overview - -The Discover product uses plugins to retrieve data, normalize it and send it to the core engine for processing. - -Each plugin can represent one or more license levels. A license level is a set of features that a customer can access based on their subscription plan. For example, the P1 license level includes basic features such as access reviews and identity protection, while the P2 license level includes advanced features such as entitlement management and identity governance. - -Plugins are written in PowerShell and use the Discover PowerShell module to interact with the core engine. The Discover PowerShell module provides cmdlets for authentication, data validation, logging, error handling, and sending data to the core engine. Plugins can also use external APIs to retrieve data from different sources, such as Azure, Microsoft 365, or EntraID. - -When evaluating the available licenses, container licenses are taken into account. -e.g. if you have E3 and E5 licenses and the Entra ID plugin is executed, the available P1 license count will be retrieved from both the E3 and E5 since both of those container licenses have P1 licenses. - -Some plugins may have different behavior, please read the plugin details page for more information on the specific plugin in question. - -Each plugin accesses a different set of service configurations and some plugins access configurations that are not available to global reader. Because of this, each plugin will have the necessary set of permissions documented on the plugin's page. Only the minimum set of permissions needed to operate are listed and the list doesn't inherit from other plugins. diff --git a/docs/Discover/index.md b/docs/Discover/index.md deleted file mode 100644 index 68b3a97..0000000 --- a/docs/Discover/index.md +++ /dev/null @@ -1,43 +0,0 @@ -# License Analytics - -## Overview - -Discover is a system that retrieves the Microsoft Service configurations and performs analysis against the data to evaluate the count of license records that are required to satisfy the service configuration. -Discover also retrieves a count of purchased licenses so that it can make the determination if a license violation is in progress so that easy review of the overall compliance state of an organization can be saved into an Azure SQL Database of choice. - -Once the data is in the Azure SQL Database, it is easy to integrate it into Business Intelligence software such as PowerBI to create reports. - -Because the service configuration of each license is expressed differently, plugins are used to interface the core engine into the various configurations for the license in question. - ---- - -## Technical Breakdown - -Discover is broken into three distinct parts: - -- Core Engine -- Database Boilerplate -- Plugins - -## Core Engine - -The core engine is responsible for authenticating to the various APIs, such as the M365 substrate, Graph API and Azure Rest API. - -The core engine is also responsible for making sure the DB Tables are present and have the correct Schema. - -The core engine's final responsibility is to enumerate, validate and execute the plugins. - -## Database Boilerplate - -The DB boilerplate system is responsible for ensuring data is in the correct format and running the SQL statements against the DB. - -## Plugins - -Plugins are responsible for retrieving and standardizing the service configuration data. - ---- - -## See Also - -- [Supported Licenses](Supported-Licenses.md) -- [Plugins](Plugins/Overview.md) diff --git a/docs/SHIELD/Defend/Deployment.md b/docs/SHIELD/Defend/Deployment.md new file mode 100644 index 0000000..a5921cf --- /dev/null +++ b/docs/SHIELD/Defend/Deployment.md @@ -0,0 +1,59 @@ +# Deployment + +The Defend module is deployed automatically as part of the SHIELD platformโ€™s **Core Infrastructure deployment** process. It does not require any separate deployment scripts or packages. + +This page clarifies when and how Defend becomes active, and what its dependencies are. + +--- + +## When Is Defend Activated? + +Defend becomes available immediately after the **Deploy Core Infrastructure** action is completed in the SHIELD UI. + +This process provisions all objects that Defend needs in order to operate: + +- Security groups by security class (Enterprise, Specialized, Privileged) +- Entra ID Administrative Units for lifecycle scope isolation +- Intune Scope Tags and associated device policies +- Lifecycle engine triggers and UI cards + +Once this is complete, the **Lifecycle Device Management** and **Lifecycle User Management** cards appear in the SHIELD UI. + +--- + +## No Separate Installer Required + +There is no separate installer, script, or action to "deploy Defend." + +Instead, this module is: + +- **Provisioned as part of the Deploy module's infrastructure** +- **Enabled via the SHIELD web app** once infrastructure provisioning is complete + +You can verify readiness by visiting `{your-subdomain}.azurewebsites.net` and checking that: + +- The home screen includes Lifecycle action cards +- Clicking them loads the correct views with no warnings + +--- + +## Prerequisites + +To use Defend, the following must already be deployed: + +- Core infrastructure via Deploy +- Required Entra ID roles (Global Reader, Security Admin) +- Devices or users exist in Entra ID and are synced with Intune (where applicable) +- Defender for Endpoint workspace is initialized (for device enforcement) + +๐Ÿ“– [View Full Prerequisites](Prerequisites.md) + +--- + +## Related Pages + +- [Defend Overview](index.md) +- [Defend Usage Guide](Usage-Guide/index.md) +- [Defend Reference](Reference/index.md) +- [Troubleshooting](Troubleshooting.md) +- [SHIELD Platform Deployment](../Getting-Started.md) \ No newline at end of file diff --git a/docs/SHIELD/Defend/Prerequisites.md b/docs/SHIELD/Defend/Prerequisites.md new file mode 100644 index 0000000..cc285f8 --- /dev/null +++ b/docs/SHIELD/Defend/Prerequisites.md @@ -0,0 +1,66 @@ +# Prerequisites + +The Defend module manages user and device lifecycle operations. Before using this module, the following prerequisites must be in place within your Microsoft 365 environment. + +These requirements ensure that SHIELD can enforce security controls, commission resources, and assign users or devices to their correct roles. + +--- + +## Infrastructure Requirements + +The Defend module relies on infrastructure that must be deployed via the Deploy module. Specifically, the following must already exist: + +- Core infrastructure has been deployed via the **Deploy Core Infrastructure** action +- Conditional Access policies are applied based on security class +- Entra ID Administrative Units and security groups are provisioned +- Intune is configured with scope tags + +๐Ÿ“– See [SHIELD Platform Prerequisites](../Prerequisites/index.md) + +--- + +## Role-Based Permissions + +To use Defendโ€™s lifecycle functionality, the signed-in admin must have the following roles in Entra ID: + +| Role | Reason | +|------|--------| +| Global Reader | Required to enumerate users and devices | +| Security Administrator | Required for actions that interact with Defender and Intune APIs | +| User Administrator | Required for privileged user provisioning and removal | + +--- + +## Device and User Sync + +For SHIELD to manage identities and endpoints, the following must be true: + +- Users are present in Entra ID +- Devices are registered or hybrid-joined with Entra ID +- Devices must be visible in Intune (for privileged device management) +- Users and devices must be assigned to the correct security class + +--- + +## Defender for Endpoint Readiness + +SHIELD uses Microsoft Defender for Endpoint to enforce privileged device controls. The Defender portal must have a provisioned workspace before certain lifecycle actions can succeed. + +To verify: + +1. Go to [Microsoft 365 Defender](https://security.microsoft.com){:target="_blank"} +2. Click on **Devices** +3. If a table of devices appears, your workspace is ready +4. If prompted to initialize setup, follow instructions and wait until the UI is fully active + +๐Ÿ“– For more detail, see the [Defend Usage Guide](Usage-Guide/index.md), under **Defender for Endpoint Workspace Creation** + +--- + +## Related Pages + +- [Defend Deployment](Deployment.md) +- [Defend Usage Guide](Usage-Guide/index.md) +- [Hardware Requirements](Reference/index.md) +- [SHIELD Prerequisites](../Prerequisites/index.md) + diff --git a/docs/SHIELD/Reference/Custom-Apps/Corp-VM/Changelog.md b/docs/SHIELD/Defend/Reference/Custom-Apps/Corp-VM/Changelog.md similarity index 100% rename from docs/SHIELD/Reference/Custom-Apps/Corp-VM/Changelog.md rename to docs/SHIELD/Defend/Reference/Custom-Apps/Corp-VM/Changelog.md diff --git a/docs/SHIELD/Reference/Custom-Apps/Corp-VM/index.md b/docs/SHIELD/Defend/Reference/Custom-Apps/Corp-VM/index.md similarity index 100% rename from docs/SHIELD/Reference/Custom-Apps/Corp-VM/index.md rename to docs/SHIELD/Defend/Reference/Custom-Apps/Corp-VM/index.md diff --git a/docs/SHIELD/Reference/Custom-Apps/ManagedInstaller-Config/Changelog.md b/docs/SHIELD/Defend/Reference/Custom-Apps/ManagedInstaller-Config/Changelog.md similarity index 100% rename from docs/SHIELD/Reference/Custom-Apps/ManagedInstaller-Config/Changelog.md rename to docs/SHIELD/Defend/Reference/Custom-Apps/ManagedInstaller-Config/Changelog.md diff --git a/docs/SHIELD/Reference/Custom-Apps/ManagedInstaller-Config/index.md b/docs/SHIELD/Defend/Reference/Custom-Apps/ManagedInstaller-Config/index.md similarity index 100% rename from docs/SHIELD/Reference/Custom-Apps/ManagedInstaller-Config/index.md rename to docs/SHIELD/Defend/Reference/Custom-Apps/ManagedInstaller-Config/index.md diff --git a/docs/SHIELD/Reference/Custom-Apps/Security-Config/Changelog.md b/docs/SHIELD/Defend/Reference/Custom-Apps/Security-Config/Changelog.md similarity index 100% rename from docs/SHIELD/Reference/Custom-Apps/Security-Config/Changelog.md rename to docs/SHIELD/Defend/Reference/Custom-Apps/Security-Config/Changelog.md diff --git a/docs/SHIELD/Reference/Custom-Apps/Security-Config/File-Changes.md b/docs/SHIELD/Defend/Reference/Custom-Apps/Security-Config/File-Changes.md similarity index 100% rename from docs/SHIELD/Reference/Custom-Apps/Security-Config/File-Changes.md rename to docs/SHIELD/Defend/Reference/Custom-Apps/Security-Config/File-Changes.md diff --git a/docs/SHIELD/Reference/Custom-Apps/Security-Config/Registry-Changes.md b/docs/SHIELD/Defend/Reference/Custom-Apps/Security-Config/Registry-Changes.md similarity index 100% rename from docs/SHIELD/Reference/Custom-Apps/Security-Config/Registry-Changes.md rename to docs/SHIELD/Defend/Reference/Custom-Apps/Security-Config/Registry-Changes.md diff --git a/docs/SHIELD/Reference/Custom-Apps/Security-Config/index.md b/docs/SHIELD/Defend/Reference/Custom-Apps/Security-Config/index.md similarity index 100% rename from docs/SHIELD/Reference/Custom-Apps/Security-Config/index.md rename to docs/SHIELD/Defend/Reference/Custom-Apps/Security-Config/index.md diff --git a/docs/SHIELD/Reference/Architecture/Diagrams/Device-Assign.md b/docs/SHIELD/Defend/Reference/Diagrams/Device-Assign.md similarity index 93% rename from docs/SHIELD/Reference/Architecture/Diagrams/Device-Assign.md rename to docs/SHIELD/Defend/Reference/Diagrams/Device-Assign.md index 28fdf25..bcea31c 100644 --- a/docs/SHIELD/Reference/Architecture/Diagrams/Device-Assign.md +++ b/docs/SHIELD/Defend/Reference/Diagrams/Device-Assign.md @@ -4,7 +4,7 @@ hide: --- # Device - Assign -The lifecycle management engine is responsible for a variety of tasks. Below is the flowchart of the logical process that is completed when a device is [assigned one or more users](../../../Getting-Started/Usage-Guide/Lifecycle-Management/Device/2-Assign.md). +The lifecycle management engine is responsible for a variety of tasks. Below is the flowchart of the logical process that is completed when a device is [assigned one or more users](../../Usage-Guide/Device/2-Assign.md). --- diff --git a/docs/SHIELD/Reference/Architecture/Diagrams/Device-Commission.md b/docs/SHIELD/Defend/Reference/Diagrams/Device-Commission.md similarity index 96% rename from docs/SHIELD/Reference/Architecture/Diagrams/Device-Commission.md rename to docs/SHIELD/Defend/Reference/Diagrams/Device-Commission.md index 27b86bd..9ee3426 100644 --- a/docs/SHIELD/Reference/Architecture/Diagrams/Device-Commission.md +++ b/docs/SHIELD/Defend/Reference/Diagrams/Device-Commission.md @@ -4,7 +4,7 @@ hide: --- # Device - Commission -The lifecycle management engine is responsible for a variety of tasks. Below is the flowchart of the logical process that is completed when a device is [commissioned](../../../Getting-Started/Usage-Guide/Lifecycle-Management/Device/0-Commission.md). +The lifecycle management engine is responsible for a variety of tasks. Below is the flowchart of the logical process that is completed when a device is [commissioned](../../Usage-Guide/Device/0-Commission.md). --- diff --git a/docs/SHIELD/Reference/Architecture/Diagrams/Device-Decommission.md b/docs/SHIELD/Defend/Reference/Diagrams/Device-Decommission.md similarity index 93% rename from docs/SHIELD/Reference/Architecture/Diagrams/Device-Decommission.md rename to docs/SHIELD/Defend/Reference/Diagrams/Device-Decommission.md index 4d25b26..8690396 100644 --- a/docs/SHIELD/Reference/Architecture/Diagrams/Device-Decommission.md +++ b/docs/SHIELD/Defend/Reference/Diagrams/Device-Decommission.md @@ -4,7 +4,7 @@ hide: --- # Device - Decommission -The lifecycle management engine is responsible for a variety of tasks. Below is the flowchart of the logical process that is completed when a device is [decommissioned](../../../Getting-Started/Usage-Guide/Lifecycle-Management/Device/1-Decommission.md). +The lifecycle management engine is responsible for a variety of tasks. Below is the flowchart of the logical process that is completed when a device is [decommissioned](../../Usage-Guide/Device/1-Decommission.md). --- diff --git a/docs/SHIELD/Reference/Architecture/Diagrams/Device-Unassign.md b/docs/SHIELD/Defend/Reference/Diagrams/Device-Unassign.md similarity index 93% rename from docs/SHIELD/Reference/Architecture/Diagrams/Device-Unassign.md rename to docs/SHIELD/Defend/Reference/Diagrams/Device-Unassign.md index e5ca300..ffc85a6 100644 --- a/docs/SHIELD/Reference/Architecture/Diagrams/Device-Unassign.md +++ b/docs/SHIELD/Defend/Reference/Diagrams/Device-Unassign.md @@ -4,7 +4,7 @@ hide: --- # Device - Unassign -The lifecycle management engine is responsible for a variety of tasks. Below is the flowchart of the logical process that is completed when a device is [unassigned one or more users](../../../Getting-Started/Usage-Guide/Lifecycle-Management/Device/3-Unassign.md). +The lifecycle management engine is responsible for a variety of tasks. Below is the flowchart of the logical process that is completed when a device is [unassigned one or more users](../../Usage-Guide/Device/3-Unassign.md). --- diff --git a/docs/SHIELD/Reference/Architecture/Diagrams/User-Commission.md b/docs/SHIELD/Defend/Reference/Diagrams/User-Commission.md similarity index 94% rename from docs/SHIELD/Reference/Architecture/Diagrams/User-Commission.md rename to docs/SHIELD/Defend/Reference/Diagrams/User-Commission.md index 2d01aea..e6d59c9 100644 --- a/docs/SHIELD/Reference/Architecture/Diagrams/User-Commission.md +++ b/docs/SHIELD/Defend/Reference/Diagrams/User-Commission.md @@ -4,7 +4,7 @@ hide: --- # User - Commission -The lifecycle management engine is responsible for a variety of tasks. Below is the flowchart of the logical process that is completed when a user is [commissioned](../../../Getting-Started/Usage-Guide/Lifecycle-Management/User/Commission.md). +The lifecycle management engine is responsible for a variety of tasks. Below is the flowchart of the logical process that is completed when a user is [commissioned](../../Usage-Guide/User/Commission.md). --- diff --git a/docs/SHIELD/Reference/Architecture/Diagrams/User-Decommission.md b/docs/SHIELD/Defend/Reference/Diagrams/User-Decommission.md similarity index 92% rename from docs/SHIELD/Reference/Architecture/Diagrams/User-Decommission.md rename to docs/SHIELD/Defend/Reference/Diagrams/User-Decommission.md index efd92ce..f28446e 100644 --- a/docs/SHIELD/Reference/Architecture/Diagrams/User-Decommission.md +++ b/docs/SHIELD/Defend/Reference/Diagrams/User-Decommission.md @@ -4,7 +4,7 @@ hide: --- # User - Decommission -The lifecycle management engine is responsible for a variety of tasks. Below is the flowchart of the logical process that is completed when a user is [decommissioned](../../../Getting-Started/Usage-Guide/Lifecycle-Management/User/Decommission.md). +The lifecycle management engine is responsible for a variety of tasks. Below is the flowchart of the logical process that is completed when a user is [decommissioned](../../Usage-Guide/User/Decommission.md). --- diff --git a/docs/SHIELD/Reference/Architecture/Hardware-Selection.md b/docs/SHIELD/Defend/Reference/Hardware-Selection.md similarity index 89% rename from docs/SHIELD/Reference/Architecture/Hardware-Selection.md rename to docs/SHIELD/Defend/Reference/Hardware-Selection.md index dc525d7..09c9bc8 100644 --- a/docs/SHIELD/Reference/Architecture/Hardware-Selection.md +++ b/docs/SHIELD/Defend/Reference/Hardware-Selection.md @@ -54,6 +54,6 @@ For further guidance on hardware selection or compatibility, please refer to the ## See Also -- [Lifecycle Management Overview](../../Getting-Started/Usage-Guide/Lifecycle-Management/index.md): Learn more about the lifecycle management features of SHIELD and how it simplifies the management of user and device objects. -- [Commissioning a New Device](../../Getting-Started/Usage-Guide/Lifecycle-Management/Device/0-Commission.md): Step-by-step guide on commissioning (adopting) a new device using SHIELD. -- [Decommission a Managed Device](../../Getting-Started/Usage-Guide/Lifecycle-Management/Device/1-Decommission.md): Step-by-step guide on decommissioning (removing) a device that is currently being managed by SHIELD. +- [Lifecycle Management Overview](../Usage-Guide/index.md): Learn more about the lifecycle management features of SHIELD and how it simplifies the management of user and device objects. +- [Commissioning a New Device](../Usage-Guide/Device/0-Commission.md): Step-by-step guide on commissioning (adopting) a new device using SHIELD. +- [Decommission a Managed Device](../Usage-Guide/Device/1-Decommission.md): Step-by-step guide on decommissioning (removing) a device that is currently being managed by SHIELD. diff --git a/docs/SHIELD/Reference/Architecture/Lifecycle/Privileged Device Workflows.md b/docs/SHIELD/Defend/Reference/Lifecycle/Privileged Device Workflows.md similarity index 100% rename from docs/SHIELD/Reference/Architecture/Lifecycle/Privileged Device Workflows.md rename to docs/SHIELD/Defend/Reference/Lifecycle/Privileged Device Workflows.md diff --git a/docs/SHIELD/Defend/Reference/index.md b/docs/SHIELD/Defend/Reference/index.md new file mode 100644 index 0000000..8e9381a --- /dev/null +++ b/docs/SHIELD/Defend/Reference/index.md @@ -0,0 +1,88 @@ +# Reference + +This reference page for the Defend module provides a comprehensive view of all supporting technical material that underpins lifecycle management operations, including: + +- Hardware requirements for each security class +- Full lifecycle diagrams for devices and users +- Notes on privileged workflows +- Relevant configuration examples + +All information here is specific to the Defend module and complements the main [Usage Guide](../Usage-Guide/index.md). + +--- + +## Hardware Requirements + +SHIELD enforces hardware baselines per security class, especially for **Privileged Security Mode (PSM)**, to reduce the risk of compromise through firmware, bootkits, and untrusted supply chains. + +### Enterprise and Specialized Modes (ESM/SSM) + +| Requirement | Recommendation | +|--------------------|----------------------------------------------| +| OS | Windows 10 or later | +| RAM | 16GB or more | +| OEM Devices | Microsoft Surface or Lenovo preferred | +| Graphics Support | NVIDIA recommended (avoid AMD graphics) | + +!!! info "Device Security Considerations" + In ESM/SSM, hardware risks are lower, but itโ€™s still important to avoid unsupported OEMs and poor firmware hygiene. These devices typically handle non-elevated tasks. + +### Privileged Mode (PSM) + +| Requirement | Recommendation | +|--------------------|----------------------------------------------| +| OS | Windows 11 Secure Core Certified | +| CPU | Intel Core i7 or Ryzen 7 equivalent | +| RAM | 32GB recommended (16GB minimum) | +| Storage | 256GB+ NVMe SSD | +| Certification | [Secure Core Certified](https://www.microsoft.com/en-us/windows/business/windows-11-secured-core-computers) | + +!!! warning "Potential Hardware Backdoors" + Avoid OEMs that allow firmware-level master password resets or silent security bypasses. SHIELD recommends only certified hardware from Microsoft and Lenovo for PSM operations. + +--- + +## Lifecycle Workflow Diagrams + +Each SHIELD lifecycle action is mapped to a standardized backend workflow. The following flowcharts show the logic for each user and device operation. + +### Device Workflow Diagrams + +#### Commission Device +๐Ÿ“Š [Device - Commission](./Diagrams/Device-Commission.md) + +#### Decommission Device +๐Ÿ“Š [Device - Decommission](./Diagrams/Device-Decommission.md) + +#### Assign User to Device +๐Ÿ“Š [Device - Assign](./Diagrams/Device-Assign.md) + +#### Unassign User from Device +๐Ÿ“Š [Device - Unassign](./Diagrams/Device-Unassign.md) + +--- + +### User Workflow Diagrams + +#### Commission User +๐Ÿ“Š [User - Commission](./Diagrams/User-Commission.md) + +#### Decommission User +๐Ÿ“Š [User - Decommission](./Diagrams/User-Decommission.md) + +--- + +## Privileged Workflows (Coming Soon) + +A dedicated section for advanced Privileged workflows, including intermediary logic and RBAC extensions, will be added in a future release. + +๐Ÿ“„ Placeholder: [Privileged Device Workflows](./Lifecycle/Privileged Device Workflows.md) + +--- + +## Related Pages + +- [Defend Usage Guide](../Usage-Guide/index.md) +- [Device Lifecycle](../Usage-Guide/Device/0-Commission.md) +- [User Lifecycle](../Usage-Guide/User/Commission.md) + diff --git a/docs/SHIELD/Defend/Troubleshooting.md b/docs/SHIELD/Defend/Troubleshooting.md new file mode 100644 index 0000000..96f26f4 --- /dev/null +++ b/docs/SHIELD/Defend/Troubleshooting.md @@ -0,0 +1,90 @@ +# Troubleshooting + +This section addresses common issues encountered when using the Defend moduleโ€™s lifecycle management features. It also offers clarification on edge cases, expected behaviors, and safe recovery actions. + +--- + +## Issue: Devices not appearing in SHIELD UI + +**Cause:** +- Devices are not hybrid-joined or cloud-joined to Entra ID +- Devices are not enrolled or synced into Intune + +**Resolution:** +- Confirm the device is joined to Entra ID +- Ensure it is visible in the Intune portal ([https://intune.microsoft.com](https://intune.microsoft.com)) +- Ensure it is not already managed by another tenant or stale registration + +--- + +## Issue: Users not showing up when trying to commission + +**Cause:** +- The user has already been onboarded +- The user is filtered out by Entra ID query +- Admin does not have required permissions + +**Resolution:** +- Verify the user exists in Entra ID +- Confirm you're operating with Global Reader or User Administrator role +- Switch to a different security class to check other eligible users + +--- + +## Issue: Lifecycle actions failing silently or UI not responding + +**Cause:** +- Required Defender for Endpoint workspace is not initialized +- Scoped Intune tags are missing +- Conditional Access policies are not yet deployed + +**Resolution:** +- Follow workspace setup verification steps in the [Usage Guide](Usage-Guide/index.md), under **Defender for Endpoint Workspace Creation** +- Check that SHIELD infrastructure was successfully deployed from the Deploy module +- Review prerequisites in [Defend Prerequisites](Prerequisites.md) + +--- + +## Issue: Privileged device wipe triggered unexpectedly + +**Cause:** +- Privileged commissioning/unassignment flow triggered without assigned users +- Attempted to assign a new user without retaining previous assignment + +**Resolution:** +- Always include current assigned users in the assignment flow +- Ensure wipe behavior for privileged devices is clearly understood (see the [Usage Guide](Usage-Guide/index.md)) + +--- + +## Issue: Temporary credentials not saved after privileged user creation + +**Cause:** +- Admin did not record credentials from the popup +- UI was closed or refreshed before saving + +**Resolution:** +- Re-run commissioning with a new user +- Contact SHI if lifecycle audit recovery is needed + +--- + +## FAQs + +### Are lifecycle actions idempotent? +Yes. If a device or user is already managed, SHIELD will not reapply the same configuration unless it detects a mismatch. + +### Can I reverse a decommission action? +No. Once a user or device is removed, it must be re-commissioned. + +### Does the UI prevent mistakes? +Yes โ€” warnings and confirmations are built into the UI. However, wipe actions for privileged devices occur automatically in certain workflows. + +--- + +## Related Pages + +- [Defend Usage Guide](Usage-Guide/index.md) +- [Defend Reference](Reference/index.md) +- [Defend Prerequisites](Prerequisites.md) + diff --git a/docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/Device/0-Commission.md b/docs/SHIELD/Defend/Usage-Guide/Device/0-Commission.md similarity index 83% rename from docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/Device/0-Commission.md rename to docs/SHIELD/Defend/Usage-Guide/Device/0-Commission.md index 96db24b..a451dbe 100644 --- a/docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/Device/0-Commission.md +++ b/docs/SHIELD/Defend/Usage-Guide/Device/0-Commission.md @@ -5,7 +5,7 @@ The lifecycle management system can bring devices into and out of management fol This guide will walk the security admin through the process of commissioning new managed devices. !!! note "Privileged Hardware" - For requirements and best practices on privileged hardware, please see the [Hardware Selection](../../../../Reference/Architecture/Hardware-Selection.md) documentation. + For requirements and best practices on privileged hardware, please see the [Hardware Selection](../../Reference/Hardware-Selection.md) documentation. ## Process @@ -30,5 +30,5 @@ This guide will walk the security admin through the process of commissioning new ## See Also -- [Hardware Selection](../../../../Reference/Architecture/Hardware-Selection.md) -- [Device Onboarding Workflow Reference](../../../../Reference/Architecture/Diagrams/Device-Commission.md) +- [Hardware Selection](../../Reference/Hardware-Selection.md) +- [Device Onboarding Workflow Reference](../../Reference/Diagrams/Device-Commission.md) diff --git a/docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/Device/1-Decommission.md b/docs/SHIELD/Defend/Usage-Guide/Device/1-Decommission.md similarity index 94% rename from docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/Device/1-Decommission.md rename to docs/SHIELD/Defend/Usage-Guide/Device/1-Decommission.md index 9520ad7..08b2a20 100644 --- a/docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/Device/1-Decommission.md +++ b/docs/SHIELD/Defend/Usage-Guide/Device/1-Decommission.md @@ -27,4 +27,4 @@ This guide will walk the security admin through the process of commissioning new ## See Also -- [Device Offboarding Workflow Reference](../../../../Reference/Architecture/Diagrams/Device-Decommission.md) +- [Device Offboarding Workflow Reference](../../Reference/Diagrams/Device-Decommission.md) diff --git a/docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/Device/2-Assign.md b/docs/SHIELD/Defend/Usage-Guide/Device/2-Assign.md similarity index 95% rename from docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/Device/2-Assign.md rename to docs/SHIELD/Defend/Usage-Guide/Device/2-Assign.md index 01359f6..08330b4 100644 --- a/docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/Device/2-Assign.md +++ b/docs/SHIELD/Defend/Usage-Guide/Device/2-Assign.md @@ -33,4 +33,4 @@ The user assignment process also adds the requested user(s) to the Hyper-V admin ## See Also -- [Device Assignment Workflow Reference](../../../../Reference/Architecture/Diagrams/Device-Assign.md) +- [Device Assignment Workflow Reference](../../Reference/Diagrams/Device-Assign.md) diff --git a/docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/Device/3-Unassign.md b/docs/SHIELD/Defend/Usage-Guide/Device/3-Unassign.md similarity index 95% rename from docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/Device/3-Unassign.md rename to docs/SHIELD/Defend/Usage-Guide/Device/3-Unassign.md index 2cf838d..0cdaa63 100644 --- a/docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/Device/3-Unassign.md +++ b/docs/SHIELD/Defend/Usage-Guide/Device/3-Unassign.md @@ -31,4 +31,4 @@ The user un-assignment process also removes the requested user(s) from the Hyper ## See Also -- [Device Unassign Workflow Reference](../../../../Reference/Architecture/Diagrams/Device-Unassign.md) +- [Device Unassign Workflow Reference](../../Reference/Diagrams/Device-Unassign.md) diff --git a/docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/User/Commission.md b/docs/SHIELD/Defend/Usage-Guide/User/Commission.md similarity index 94% rename from docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/User/Commission.md rename to docs/SHIELD/Defend/Usage-Guide/User/Commission.md index b856c6b..783344f 100644 --- a/docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/User/Commission.md +++ b/docs/SHIELD/Defend/Usage-Guide/User/Commission.md @@ -27,4 +27,4 @@ For privileged users, it creates a new cloud only user account that is correlate ## See Also -- [User Commission Workflow Reference](../../../../Reference/Architecture/Diagrams/User-Commission.md) +- [User Commission Workflow Reference](../../Reference/Diagrams/User-Commission.md) diff --git a/docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/User/Decommission.md b/docs/SHIELD/Defend/Usage-Guide/User/Decommission.md similarity index 94% rename from docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/User/Decommission.md rename to docs/SHIELD/Defend/Usage-Guide/User/Decommission.md index 27f676b..c64a029 100644 --- a/docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/User/Decommission.md +++ b/docs/SHIELD/Defend/Usage-Guide/User/Decommission.md @@ -27,4 +27,4 @@ When removing privileged user(s) from management, the privileged account is dele ## See Also -- [User Decommission Workflow Reference](../../../../Reference/Architecture/Diagrams/User-Decommission.md) +- [User Decommission Workflow Reference](../../Reference/Diagrams/User-Decommission.md) diff --git a/docs/SHIELD/Defend/Usage-Guide/index.md b/docs/SHIELD/Defend/Usage-Guide/index.md new file mode 100644 index 0000000..1967bf7 --- /dev/null +++ b/docs/SHIELD/Defend/Usage-Guide/index.md @@ -0,0 +1,121 @@ +# Usage Guide + +The Defend module in SHIELD provides lifecycle management for users and devices after the infrastructure is deployed. This guide explains how to perform key operations such as commissioning, decommissioning, assigning, and unassigning users or devices, all while respecting security class boundaries (Enterprise, Specialized, Privileged). + +--- + +## Lifecycle Management Overview + +Lifecycle Management is triggered from within the SHIELD web interface and allows you to: + +- Onboard or offboard users and devices +- Assign users to Privileged Access Workstations (PAWs) +- Enforce metadata tagging and Intune integration +- Apply group policies and conditional access boundaries + +All actions are class-aware and scoped by SHIELDโ€™s infrastructure. + +--- + +## Device Lifecycle Operations + +Device lifecycle flows differ by class. Devices marked as Privileged undergo more stringent controls, such as wiping during onboarding. + +### Commission a Device + +Commissioning a device registers it with SHIELD and assigns lifecycle metadata. Privileged devices will be wiped if they are Intune-managed to ensure a clean baseline. + +๐Ÿ“– [Commission a Device](./Device/0-Commission.md) +๐Ÿ“Š [Workflow Diagram](../Reference/Diagrams/Device-Commission.md) + +#### UI Example +. +![Select Device - Light](../../../assets/Images/Screenshots/Select-Unmanaged-Device-Light.png#only-light){ loading=lazy width="300" } +![Select Device - Dark](../../../assets/Images/Screenshots/Select-Unmanaged-Device-Dark.png#only-dark){ loading=lazy width="300" } + +!!! warning "Privileged Commissioning" + Wipe commands are issued to Intune-managed devices during commissioning to protect against residual compromise. + +--- + +### Decommission a Device + +Removes a device from SHIELDโ€™s lifecycle system. + +๐Ÿ“– [Decommission a Device](./Device/1-Decommission.md) +๐Ÿ“Š [Workflow Diagram](../Reference/Diagrams/Device-Decommission.md) + +--- + +### Assign a User to a PAW + +Assigns one or more users to a privileged device (PAW). All others will be denied access. + +๐Ÿ“– [Assign User](./Device/2-Assign.md) +๐Ÿ“Š [Workflow Diagram](../Reference/Diagrams/Device-Assign.md) + +--- + +### Unassign a User from a PAW + +Removes a userโ€™s access from a PAW. If no users remain, a wipe is issued. + +๐Ÿ“– [Unassign User](./Device/3-Unassign.md) +๐Ÿ“Š [Workflow Diagram](../Reference/Diagrams/Device-Unassign.md) + +--- + +## User Lifecycle Operations + +SHIELD supports onboarding and offboarding for both privileged and non-privileged users. + +### Commission a User + +Privileged users are created as new cloud-only accounts. Others are brought into management using existing identities. Temporary credentials are generated at creation. + +๐Ÿ“– [Commission a User](./User/Commission.md) +๐Ÿ“Š [Workflow Diagram](../Reference/Diagrams/User-Commission.md) + +#### UI Example + +![Select User - Light](../../../assets/Images/Screenshots/Select-Unmanaged-User-Light.png#only-light){ loading=lazy width="300" } +![Select User - Dark](../../../assets/Images/Screenshots/Select-Unmanaged-User-Dark.png#only-dark){ loading=lazy width="300" } + +#### Temporary Credential Dialog + +![Temp Credentials - Light](../../../assets/Images/Screenshots/Temporary-Credential-Dialog-Light.png#only-light){ loading=lazy } +![Temp Credentials - Dark](../../../assets/Images/Screenshots/Temporary-Credential-Dialog-Dark.png#only-dark){ loading=lazy } + +--- + +### Decommission a User + +Privileged users are deleted from Entra ID. Non-privileged users are simply removed from SHIELD management. + +๐Ÿ“– [Decommission a User](./User/Decommission.md) +๐Ÿ“Š [Workflow Diagram](../Reference/Diagrams/User-Decommission.md) + +--- + +## Security Classes + +All operations respect SHIELDโ€™s class-based enforcement: + +- **Enterprise**: standard users/devices with baseline protections +- **Specialized**: enhanced controls and policy targeting +- **Privileged**: strict isolation, hardware requirements, auto-wiping, credential controls + +Class is selected at the top of the UI before performing lifecycle actions. + +!!! note "Default Class" + The UI defaults to **Privileged**. Make sure to adjust if managing non-privileged assets. + +--- + +## Related Pages + +- [Defend Overview](index.md) +- [Device Commissioning](./Device/0-Commission.md) +- [User Commissioning](./User/Commission.md) +- [Reference Diagrams](../Reference/index.md) +- [Hardware Requirements](../Reference/Hardware-Selection.md) \ No newline at end of file diff --git a/docs/SHIELD/Defend/index.md b/docs/SHIELD/Defend/index.md new file mode 100644 index 0000000..bbc513c --- /dev/null +++ b/docs/SHIELD/Defend/index.md @@ -0,0 +1,50 @@ +# Overview + +The Defend module is responsible for all lifecycle operations within the SHIELD platform. It provides user and device onboarding, offboarding, access enforcement, and enforcement of privileged workflows in alignment with the SPA model deployed by the Deploy module. + +Whereas the Deploy module provisions the infrastructure, **Defend is responsible for using that infrastructure to manage the identities and devices inside it**. + +--- + +## What Defend Manages + +- Commissioning and decommissioning users and devices +- Assigning privileged users to privileged devices (PAWs) +- Automatic Intune and Entra ID tagging +- Lifecycle management rules based on selected security class + +All these actions are exposed via the SHIELD Lifecycle UI and the platformโ€™s API endpoints. + +--- + +## Security Class Enforcement + +Defend strictly applies the lifecycle rules associated with each of SHIELDโ€™s supported security classes: + +- **Enterprise (ESM)** โ€“ standard business users and workstations +- **Specialized (SSM)** โ€“ elevated or regulated roles and systems +- **Privileged (PSM)** โ€“ most secure tier, requires clean hardware, wipes on commission/unassign, and restricted access boundaries + +The class is selected in the UI prior to performing any lifecycle action. + +--- + +## Entry Points + +After the SHIELD infrastructure is deployed, the Defend module is accessed via the SHIELD UI home screen: + +- **Lifecycle Device Management** โ€“ for commissioning, decommissioning, assignment, and unassignment +- **Lifecycle User Management** โ€“ for onboarding and offboarding privileged and standard users + +The lifecycle engine handles all object mapping, Intune tagging, group membership, and access scope enforcement automatically based on your selections. + +--- + +## Related Pages + +- [Deployment](Deployment.md) +- [Prerequisites](Prerequisites.md) +- [Usage Guide](Usage-Guide/index.md) +- [Reference](Reference/index.md) +- [Troubleshooting](Troubleshooting.md) + diff --git a/docs/SHIELD/Deploy/Deployment/index.md b/docs/SHIELD/Deploy/Deployment/index.md new file mode 100644 index 0000000..717b952 --- /dev/null +++ b/docs/SHIELD/Deploy/Deployment/index.md @@ -0,0 +1,78 @@ +# Deployment + +The Deploy module is provisioned automatically as part of the SHIELD platformโ€™s Core Infrastructure deployment. This page provides clarity on how the Deploy module fits into the broader deployment flow and what is delivered specifically by this module. + +--- + +## When Is Deploy Activated? + +Deploy is automatically initialized when you use the **Deploy Core Infrastructure** feature within the SHIELD web app. This step sets up all underlying identity, device, and Conditional Access scaffolding that the Defend and Discover modules rely on. + +There is no separate installation or deployment process specific to the Deploy module. However, understanding what Deploy provisions is key to understanding how the rest of SHIELD works. + +--- + +## What Is Deployed? + +The Deploy module provisions all foundational objects required for SHIELDโ€™s lifecycle and security logic: + +- Security groups for each SPA tier (Enterprise, Specialized, Privileged) +- Intune Scope Tags for device policy enforcement +- Entra ID Administrative Units for object-level access scoping +- Conditional Access policies (by class and group) +- Autopilot profile placeholders +- Role-linked management groups and access control structure + +All of these are deployed and linked to your tenant using least-privilege automation logic. + +--- + +## Where to Deploy + +You can launch the SHIELD UI and deploy the infrastructure from: + +๐Ÿ“ `{your-subdomain}.azurewebsites.net` + +From the home screen: + +1. Click **Deploy Core Infrastructure** +2. Review the Terms and Conditions +3. Check the agreement box +4. Click **Deploy Infrastructure** + +Youโ€™ll then see: + +- A progress spinner +- Automatic status updates +- A redirect to the home screen when finished + +๐Ÿ“– See full UI walkthrough and screenshots in the [Usage Guide](../Usage-Guide.md#deploy-core-infrastructure-ui-flow) + +--- + +## Need to Customize? + +After deployment, you can: + +- Change autopilot profiles and device configurations +- Modify Conditional Access settings +- Tag additional users or groups + +However, **the following objects are immutable after deployment:** + +- Security groups +- Intune scope tags +- Entra ID Administrative Units + +These cannot be renamed or deleted through the SHIELD UI. + +--- + +## Related Pages + +- [Deploy Overview](index.md) +- [Deploy Usage Guide](../Usage-Guide.md) +- [Reference Docs](../Reference/index.md) +- [Troubleshooting](../Troubleshooting.md) +- [Full SHIELD Deployment](../../Getting-Started.md) + diff --git a/docs/SHIELD/Deploy/Reference/index.md b/docs/SHIELD/Deploy/Reference/index.md new file mode 100644 index 0000000..3d6f300 --- /dev/null +++ b/docs/SHIELD/Deploy/Reference/index.md @@ -0,0 +1,54 @@ +# Reference + +This reference section provides technical specifications and supporting details for SHIELDโ€™s Deploy module, including identity protection policies and configuration recommendations that align with the SPA architecture. + +--- + +## Identity Protection Policy Configuration + +The Deploy module provisions policies to restrict sign-in to privileged accounts under specific conditions, enforcing Microsoft's guidance around secure administrative access. + +These policies are designed to: + +- Detect high-risk sign-in events +- Block access to privileged resources if risk conditions are met +- Route access through compliant devices and monitored interfaces + +This aligns with Microsoftโ€™s Zero Trust security model and helps enforce separation between administrative and user environments. + +--- + +### Key Concepts + +- **Policy Scope**: Only applies to privileged role-holding users (PAWs) +- **Conditions Evaluated**: + - Sign-in risk level + - Device compliance state + - Location and interface origin +- **Actions Taken**: + - Block sign-in + - Require MFA or compliant device + - Redirect to monitored jump station if policy fails + +!!! note "SHIELD Default Behavior" + These identity protection policies are deployed automatically when Core Infrastructure is deployed via the SHIELD UI. + +--- + +## Related Reference Docs + +Additional SPA-related configuration details are available in the global [Reference Guide](../../Reference.md), including: + +- Full lifecycle flow diagrams +- Microsoft Graph permissions required by SHIELD +- Hardware and certification requirements for SPA devices + +--- + +## Related Pages + +- [Deploy Overview](index.md) +- [Deployment](../Deployment/index.md) +- [Deploy Usage Guide](../Usage-Guide.md) +- [Troubleshooting](../Troubleshooting.md) + diff --git a/docs/SHIELD/Deploy/Troubleshooting.md b/docs/SHIELD/Deploy/Troubleshooting.md new file mode 100644 index 0000000..92b26ef --- /dev/null +++ b/docs/SHIELD/Deploy/Troubleshooting.md @@ -0,0 +1,14 @@ +# Troubleshooting + +๐Ÿšง **This section is still under development.** + +We are actively gathering feedback to build out comprehensive troubleshooting flows. Please check back soon for updated content. + +--- + +If you encounter any issues in the meantime: + +- Refer to the [Uninstall Guide](../Reference/Uninstall.md) for resetting the environment +- Review your deployment [prerequisites](../Prerequisites/index.md) +- Contact SHI Support for critical blocking errors + diff --git a/docs/SHIELD/Deploy/Usage-Guide.md b/docs/SHIELD/Deploy/Usage-Guide.md new file mode 100644 index 0000000..44cc914 --- /dev/null +++ b/docs/SHIELD/Deploy/Usage-Guide.md @@ -0,0 +1,82 @@ +# Usage Guide + +The Deploy module in SHIELD provides a self-service interface to manage the infrastructure deployed under the SPA framework. Once the initial setup is complete, this guide walks through how to manage core configuration objects using the SHIELD UI. + +--- + +## Managing Infrastructure with SHIELD + +After core deployment is complete, the Deploy module allows you to: + +- View and validate infrastructure components +- Create and manage scoped security groups +- Manage Entra ID Administrative Units +- Assign configuration profiles and scope tags +- Monitor deployment status and lifecycle metadata + +These actions are performed through the **Lifecycle Infrastructure** interface on the SHIELD home screen. + +--- + +## Defender for Endpoint Workspace Creation + +SHIELD relies on Microsoft Defender for Endpoint to enforce protections on devices within the Privileged Access Boundary. Before deploying Conditional Access policies or tagging devices, Defender must be initialized. + +### How to Check Workspace Status + +1. Go to [Microsoft 365 Defender](https://security.microsoft.com){:target="_blank"}. +2. Navigate to **Devices** in the left menu. +3. If a device list appears, the workspace is already created. +4. If you see a splash screen indicating setup, wait until it completes. + +Once initialized, Defender for Endpoint will automatically integrate with SHIELD's lifecycle and tagging logic. + +--- + +## Lifecycle Actions Enabled by Deploy + +The infrastructure deployed by this module supports: + +- Device class-based lifecycle enforcement (Enterprise, Specialized, Privileged) +- Dynamic user and device scoping based on conditional access policies +- Tagging systems to trigger automated controls via Intune and Entra ID + +All these features are available via the SHIELD UI, and are configured automatically based on security class and role mappings. + +--- + +## Visual Walkthrough + +Once core deployment is complete, your SHIELD UI will provide management cards for: + +- **Deploy Core Infrastructure** (initial setup) +- **Manage Infrastructure** (view/edit configs) +- **Lifecycle Device Management** (commission, assign, unassign) +- **Lifecycle User Management** (create, remove, assign roles) + +### Deploy Core Infrastructure UI Flow + +#### 1. Deploy Button with Checkbox Confirmation + +![Infrastructure Deployment Page with Checkbox Highlighted](../../assets/Images/Screenshots/Core-Infrastructure-Deployment.png){ loading=lazy } + +#### 2. Deployment in Progress + +![Deployment Spinner Screenshot](../../assets/Images/Screenshots/Spinner.png){ loading=lazy } + +#### 3. Completion Redirect โ€“ SHIELD Home Screen + +![SHIELD Home Screen - Light Mode](../../assets/Images/Screenshots/Home-Screen-Light.png#only-light){ loading=lazy } +![SHIELD Home Screen - Dark Mode](../../assets/Images/Screenshots/Home-Screen-Dark.png#only-dark){ loading=lazy } + +!!! info "Automation Note" + SHIELD manages all object relationships behind the scenes (e.g., group assignments, RBAC links, tag application). You only need to select the correct class and object โ€” SHIELD handles the rest. + +--- + +## Related Pages + +- [Deploy Overview](index.md) +- [Deployment Guide](../Getting-Started.md) +- [Reference Docs](Reference/index.md) +- [Troubleshooting](Troubleshooting.md) \ No newline at end of file diff --git a/docs/SHIELD/Deploy/index.md b/docs/SHIELD/Deploy/index.md new file mode 100644 index 0000000..7281767 --- /dev/null +++ b/docs/SHIELD/Deploy/index.md @@ -0,0 +1,83 @@ +# Overview + +SHIELDโ€™s Deploy module provides the foundation for a secure environment using Microsoftโ€™s **Securing Privileged Access (SPA)** architecture. This module automates the provisioning of security-critical components such as identity boundaries, privileged access zones, Conditional Access policies, and more. + +The Deploy module ensures your environment is segmented appropriately and aligns with Microsoftโ€™s Zero Trust principles by separating enterprise and privileged systems. + +--- + +## What Is SPA? + +Microsoftโ€™s **Securing Privileged Access (SPA)** model is a layered defense framework designed to protect your most critical systems from identity compromise. SPA separates access tiers between everyday business operations and sensitive administrative functions. + +The diagram below illustrates SPAโ€™s architecture and how privileged vs enterprise identity flows interact with the environment. + +```mermaid +flowchart LR + privInterface <--> businessAssets + entInterface <--> businessAssets + + subgraph businessAssets [Business Systems and Assets] + subgraph Technology + ITSM + Databases + DCs("Domain Controllers") + ADFS("AD FS") + ADCS("AD CS") + cloud("Cloud Hosts (Azure, AWS, GCP, etc.)") + end + + subgraph misc [Other Departments] + Executive + Legal + HR + Finance + end + end + + subgraph Privileged [Privileged Access] + privIdent --- privInterface + privDev("Devices") --- privIdent("Identities") -.- privIntermediary("Intermediaries") -.- privInterface("Interfaces") + end + + subgraph Enterprise [Enterprise Access] + entIdent --- entInterface + entDev("Devices") --- entIdent("Identities") -.- entIntermediary("Intermediaries") -.- entInterface("Interfaces") + end +``` + +--- + +## What Does Deploy Include? + +The Deploy module provisions all infrastructure required to enforce this separation of trust boundaries, including: + +- Tiered security groups +- Intune scope tags +- Entra ID administrative units +- Device onboarding and configuration profiles +- Conditional Access policies +- Role-based access control for privileged systems + +These objects form the **Privileged Access Boundary** and are deployed via the SHIELD app in a few clicks. + +--- + +## Why It Matters + +By centralizing and automating the deployment of SPA, the Deploy module: + +- Eliminates human error in policy setup +- Reduces deployment time from months to minutes +- Enables a repeatable, auditable security baseline +- Ensures identity boundaries are established before user/device onboarding + +--- + +## Related Pages + +- [Deployment Guide](../Getting-Started.md) +- [Deploy Usage Guide](Usage-Guide.md) +- [Deploy Reference](Reference/index.md) +- [Troubleshooting Deploy Module](Troubleshooting.md) + diff --git a/docs/SHIELD/Discover/Deployment/index.md b/docs/SHIELD/Discover/Deployment/index.md new file mode 100644 index 0000000..2557ceb --- /dev/null +++ b/docs/SHIELD/Discover/Deployment/index.md @@ -0,0 +1,99 @@ +# Deployment + +This page outlines how to deploy the Discover engine and configure the local environment needed to run plugin-based audits and store results in Azure SQL. + +All installation methods rely on a lightweight MSI and PowerShell-driven configuration. This module runs entirely on the client side and requires no backend installation. + +--- + +## Standard Installation (GUI-Based) + +Use the GUI-based MSI for interactive setup. This is recommended for most environments. + +### Installation Steps + +1. Download the MSI installer +2. Launch the installer +3. Enter the **FQDN** of your Azure SQL Database + ๐Ÿ“Œ Example: shi-example.database.windows.net +4. (Optional) Click **Configure** to customize: + - Table names for correlation and license data + - Database name +5. Click **Install** + +### Screenshots + +#### Main Installer Screen + +![Installer - Light](../assets/images/screenshots/Installer-Light.png#only-light){ loading=lazy } +![Installer - Dark](../assets/images/screenshots/Installer-Dark.png#only-dark){ loading=lazy } + +#### Dropdown Menu + +![Dropdown - Light](../assets/images/screenshots/Dropdown-Light.png#only-light){ loading=lazy } +![Dropdown - Dark](../assets/images/screenshots/Dropdown-Dark.png#only-dark){ loading=lazy } + +#### Advanced Configuration + +![Advanced Config - Light](../assets/images/screenshots/AdvancedConfig-Light.png#only-light){ loading=lazy } +![Advanced Config - Dark](../assets/images/screenshots/AdvancedConfig-Dark.png#only-dark){ loading=lazy } + +!!! note "Shortcut Behavior" + Machine-wide installs of PowerShell require launching Discover via CLI. Desktop shortcuts are only supported for user-scoped installs. + +--- + +## Silent Installation (Script-Based) + +Use silent install mode for automation and unattended deployments. + +### Required Properties + +| Property | Required | Default | Description | +|----------|----------|---------|-------------| +| AZSQL_SERVER_FQDN | โœ… | None | FQDN of the Azure SQL Server | +| CORRELATION_TABLE_NAME | โŒ | Correlation | Name of correlation table | +| DATABASE_NAME | โŒ | Results | Target database name | +| LICENSE_COUNT_TABLE_NAME | โŒ | LicenseData | License records table | + +### Examples + +```cmd +License-Analytics.msi /qn AZSQL_SERVER_FQDN=shi-example.database.windows.net +``` + +```cmd +License-Analytics.msi /qn AZSQL_SERVER_FQDN=shi-example.database.windows.net DATABASE_NAME=CustomerTracker +``` + +```cmd +License-Analytics.msi /qn AZSQL_SERVER_FQDN=shi-example.database.windows.net CORRELATION_TABLE_NAME=RunTracker +``` + +```cmd +License-Analytics.msi /qn AZSQL_SERVER_FQDN=shi-example.database.windows.net LICENSE_COUNT_TABLE_NAME=CustomerTracker +``` + +!!! note "Naming Format" + The FQDN should not include protocols (sql://) or directory paths (/db). Use only the raw hostname. + +--- + +## Azure SQL Configuration + +Before installation, ensure your Azure SQL database is provisioned: + +- Entra ID authentication is enabled +- Your user has permission to create and write to the DB +- [Auto-permissions tool](../Reference/index.md#azure-sql-configuration) is available for bulk role assignment + +๐Ÿ“– See full details in the [Reference Guide](../Reference/index.md#azure-sql-configuration) + +--- + +## Related Pages + +- [Discover Overview](index.md) +- [Discover Usage Guide](../Usage-Guide.md) +- [Reference](../Reference/index.md) +- [Troubleshooting](../Troubleshooting.md) \ No newline at end of file diff --git a/docs/Discover/Plugins/DefenderEndpoint.md b/docs/SHIELD/Discover/Plugins/DefenderEndpoint.md similarity index 94% rename from docs/Discover/Plugins/DefenderEndpoint.md rename to docs/SHIELD/Discover/Plugins/DefenderEndpoint.md index 7903948..dfa7545 100644 --- a/docs/Discover/Plugins/DefenderEndpoint.md +++ b/docs/SHIELD/Discover/Plugins/DefenderEndpoint.md @@ -5,7 +5,7 @@ This is because the license data is coming from MDE and not the licensing system ## Licenses Checked -Please note that due to the way Microsoft makes this data available, the license report format uses the mappings found in the [Reserved Principals](../Reserved-Principals.md) page. +Please note that due to the way Microsoft makes this data available, the license report format uses the mappings found in the [Reserved Principals](../Reference/Reserved-Principals.md) page. - Defender for Business (SMB) - `bfc1bbd9-981b-4f71-9b82-17c35fd0e2a4` - Defender for Endpoint P1 - `292cc034-7b7c-4950-aaf5-943befd3f1d4` diff --git a/docs/Discover/Plugins/DefenderIdentity.md b/docs/SHIELD/Discover/Plugins/DefenderIdentity.md similarity index 95% rename from docs/Discover/Plugins/DefenderIdentity.md rename to docs/SHIELD/Discover/Plugins/DefenderIdentity.md index f4107ff..05c51a5 100644 --- a/docs/Discover/Plugins/DefenderIdentity.md +++ b/docs/SHIELD/Discover/Plugins/DefenderIdentity.md @@ -14,7 +14,7 @@ Other types of principals such as devices and groups are ignored. ## Licenses Checked -Please note that due to the way Microsoft makes this data available, the license report format uses the mappings found in the [Reserved Principals](../Reserved-Principals.md) page. +Please note that due to the way Microsoft makes this data available, the license report format uses the mappings found in the [Reserved Principals](../Reference/Reserved-Principals.md) page. - Defender for Identity - `14ab5db5-e6c4-4b20-b4bc-13e36fd2227f` diff --git a/docs/Discover/Plugins/EntraID.md b/docs/SHIELD/Discover/Plugins/EntraID.md similarity index 100% rename from docs/Discover/Plugins/EntraID.md rename to docs/SHIELD/Discover/Plugins/EntraID.md diff --git a/docs/Discover/Architecture/Infrastructure.md b/docs/SHIELD/Discover/Reference/Architecture/Infrastructure.md similarity index 92% rename from docs/Discover/Architecture/Infrastructure.md rename to docs/SHIELD/Discover/Reference/Architecture/Infrastructure.md index cd5c693..84e0598 100644 --- a/docs/Discover/Architecture/Infrastructure.md +++ b/docs/SHIELD/Discover/Reference/Architecture/Infrastructure.md @@ -7,7 +7,7 @@ Each plugin interacts with the specific service configuration that is being inte For an annotated threat model of the application's infrastructure architecture, please see the attached Microsoft [Threat Model Tool](https://aka.ms/tmt) representation of the infrastructure architecture. -[Annotated Infrastructure Threat Model](../assets/threat-models/infrastructure.tm7) +[Annotated Infrastructure Threat Model](../../assets/threat-models/infrastructure.tm7) ## Diagram diff --git a/docs/Discover/Architecture/Process-Flow.md b/docs/SHIELD/Discover/Reference/Architecture/Process-Flow.md similarity index 100% rename from docs/Discover/Architecture/Process-Flow.md rename to docs/SHIELD/Discover/Reference/Architecture/Process-Flow.md diff --git a/docs/Discover/Deployment/Azure-SQL-Database.md b/docs/SHIELD/Discover/Reference/Azure-SQL-Database.md similarity index 96% rename from docs/Discover/Deployment/Azure-SQL-Database.md rename to docs/SHIELD/Discover/Reference/Azure-SQL-Database.md index 0ab840b..3381f9a 100644 --- a/docs/Discover/Deployment/Azure-SQL-Database.md +++ b/docs/SHIELD/Discover/Reference/Azure-SQL-Database.md @@ -59,5 +59,5 @@ Add-AzLicenseDb -SubscriptionId 'c82e42ee-4dea-450e-8f24-52ff699a8f99' -ReadGrou ## See Also -- [Standard Installation](../Deployment/Standard-Install.md) -- [Silent Installation](../Deployment/Silent-Installation.md) +- [Standard Installation](../Deployment/index.md#standard-installation-gui-based) +- [Silent Installation](../Deployment/index.md#silent-installation-script-based) diff --git a/docs/Discover/Database-Schema.md b/docs/SHIELD/Discover/Reference/Database-Schema.md similarity index 94% rename from docs/Discover/Database-Schema.md rename to docs/SHIELD/Discover/Reference/Database-Schema.md index b34febe..f112bf4 100644 --- a/docs/Discover/Database-Schema.md +++ b/docs/SHIELD/Discover/Reference/Database-Schema.md @@ -9,7 +9,7 @@ One of these records will be generated per run and contains the login informatio The License Data table stores the specific metadata for a single license. This includes data such as the count of used and available licenses as well as display names for the license and a correlation ID to link it to a run of the Discover tool. -All values will not be `null` in the DB. If a value can't be retrieved it will be set as 0 or false or the equivalent `null` state for the type of the column, not the `null` value. Please see the documentation for each [plugin](Plugins/Overview.md) to see what values are expected. +All values will not be `null` in the DB. If a value can't be retrieved it will be set as 0 or false or the equivalent `null` state for the type of the column, not the `null` value. Please see the documentation for each [plugin section](../Reference/index.md#plugin-overview) to see what values are expected. ## Diagram @@ -75,5 +75,6 @@ The code will enforce the relationships, the SQL server won't know they exist. ## See Also -- [Plugins](Plugins/Overview.md) -- [Standard Installation](Deployment/Standard-Install.md) +- [plugin section](../Reference/index.md#plugin-overview) +- [Standard Installation](../Deployment/index.md#standard-installation-gui-based) + diff --git a/docs/Discover/Reserved-Principals.md b/docs/SHIELD/Discover/Reference/Reserved-Principals.md similarity index 88% rename from docs/Discover/Reserved-Principals.md rename to docs/SHIELD/Discover/Reference/Reserved-Principals.md index 2f06e29..3e2aebc 100644 --- a/docs/Discover/Reserved-Principals.md +++ b/docs/SHIELD/Discover/Reference/Reserved-Principals.md @@ -3,7 +3,7 @@ Some services can't correlate their principals and a number of consumed licenses will still be calculated. The below IDs are reserved for those incompatible apps. The IDs are not a principal. They represent the type of license being reported about. -These IDs are not to be correlated outside of the License Analytics system as they are not guaranteed to be globally unique across all products from all vendors. They are unique to License Analytics. +These IDs are not to be correlated outside of the Discover system as they are not guaranteed to be globally unique across all products from all vendors. They are unique to Discover. ## Defender for Endpoint diff --git a/docs/SHIELD/Discover/Reference/index.md b/docs/SHIELD/Discover/Reference/index.md new file mode 100644 index 0000000..3ee0a72 --- /dev/null +++ b/docs/SHIELD/Discover/Reference/index.md @@ -0,0 +1,96 @@ +# Reference + +This page provides a complete reference for the Discover module, including plugins, schema, licensing models, and core configuration expectations. + +--- + +## Plugin Overview + +Discover uses a plugin architecture to retrieve data from Microsoft 365 services. Each plugin is executed independently, and the results are standardized before being uploaded to the Azure SQL database. + +### Included Plugins + +| Plugin | Description | +|--------|-------------| +| **EntraID** | Retrieves directory settings, user roles, and licensing scope | +| **Defender for Endpoint** | Collects device configurations and security compliance mappings | +| **Defender for Identity** | Evaluates privileged identity policies, alerts, and audit logic | + +๐Ÿ“– Plugin logic is described in the [Execution Flow Diagram](../index.md#execution-process) + +--- + +## Database Schema + +All data collected by Discover is stored in an Azure SQL Database. The core tables include: + +| Table | Description | +|-------|-------------| +| `Correlation` | Top-level run metadata and timestamp linkage | +| `LicenseData` | All license configuration results | +| `Results` | Engine output for each plugin and validation step | + +For full structure and table relationships, see the [Schema Documentation](Database-Schema.md) + +--- + +## Supported Licenses + +Discover analyzes how Microsoft 365 licenses are configured and applied. This includes SKUs across all verticals: + +- Enterprise (E1, E3, E5) +- Education (A1, A3, A5) +- Government (G1, G3, G5) +- Frontline (F1, F3) + +๐Ÿ“– License breakdown and mappings: [Supported Licenses](../Supported-Licenses.md) + +--- + +## Reserved Principals + +Some Entra ID accounts are marked as reserved and should not be altered by automation. Discover recognizes these automatically and excludes them from plugin evaluations. + +๐Ÿ“– See list of principals in: [Reserved Principals](Reserved-Principals.md) + +--- + +## Azure SQL Configuration + +Discover requires an Azure SQL Database for storing its results. Refer to [Deployment โ†’ Azure SQL Setup](../Deployment/index.md#azure-sql-configuration) for setup steps. + +To automatically configure permissions via PowerShell: + +```powershell +Add-AzLicenseDb -SubscriptionId '' -ReadGroupId '' -WriteGroupId '' +``` + +```powershell +Get-Help -Name 'Add-AzLicenseDb' -Full +``` + +--- + +## Architecture and Flow Diagrams + +### Infrastructure Diagram + +๐Ÿ“– See [Infrastructure Diagram](../index.md#infrastructure-architecture) + +- Shows PowerShell client to Entra ID + SQL interaction +- Includes threat model reference: [infrastructure.tm7](../assets/threat-models/infrastructure.tm7) + +### Execution Flow + +๐Ÿ“– See [Execution Flow](../index.md#execution-process) + +- Describes correlation record creation, plugin execution loop, and upload pattern + +--- + +## Related Pages + +- [Discover Overview](index.md) +- [Deployment](../Deployment/index.md) +- [Usage Guide](../Usage-Guide.md) +- [Troubleshooting](../Troubleshooting.md) \ No newline at end of file diff --git a/docs/Discover/Supported-Licenses.md b/docs/SHIELD/Discover/Supported-Licenses.md similarity index 100% rename from docs/Discover/Supported-Licenses.md rename to docs/SHIELD/Discover/Supported-Licenses.md diff --git a/docs/SHIELD/Discover/Troubleshooting.md b/docs/SHIELD/Discover/Troubleshooting.md new file mode 100644 index 0000000..5d917d0 --- /dev/null +++ b/docs/SHIELD/Discover/Troubleshooting.md @@ -0,0 +1,88 @@ +# Troubleshooting + +This page documents common issues that may occur when running the Discover module, along with guidance on resolution, retries, and output validation. + +These cases are drawn from the expected behavior of plugin execution, Azure SQL access, and Defender/Graph API interactions. + +--- + +## Issue: Plugin run starts but no data appears in SQL + +**Possible Causes:** +- Azure SQL FQDN was entered incorrectly +- No write permissions for the logged-in user +- Plugin executed but no relevant configuration was found + +**Resolution:** +- Verify that `AZSQL_SERVER_FQDN` is correct and reachable from the client machine +- Check user permissions on the database +- Ensure that plugins are active and supported for the tenant configuration + +--- + +## Issue: Installer runs but shortcut is missing + +**Cause:** +- Discover was installed machine-wide + +**Resolution:** +- Use CLI directly: + +```powershell +Start-DiscoverAudit.ps1 -CompanyName "Contoso" -Mode "Standard" +``` + +Shortcuts are only created for user-scoped installs. + +--- + +## Issue: Silent install fails with no error + +**Possible Causes:** +- Required `AZSQL_SERVER_FQDN` parameter was omitted +- MSI was run with incorrect context or permissions + +**Resolution:** +- Add `/l*v install.log` to enable verbose logging +- Confirm all parameters are supplied and formatted correctly +- Example: + +```cmd +License-Analytics.msi /qn AZSQL_SERVER_FQDN=yourserver.database.windows.net +``` + +--- + +## Issue: Script hangs at plugin step + +**Possible Causes:** +- API credentials have expired +- Microsoft Graph rate-limiting or auth error + +**Resolution:** +- Re-authenticate via PowerShell session +- Run again with fresh token +- Use `Get-Help .\Start-DiscoverAudit.ps1 -Full` for CLI flags + +--- + +## FAQs + +### Is Discover idempotent? +Yes โ€” the correlation ID ensures that repeated runs do not corrupt existing data. + +### Where is the output stored? +Output is written to the Azure SQL database defined during install. Table names include `Correlation`, `LicenseData`, and `Results`. + +### Can I re-run Discover with new plugins? +Yes. You may add new plugin files to the plugin directory and rerun the audit. + +--- + +## Related Pages + +- [Discover Overview](index.md) +- [Deployment](Deployment/index.md) +- [Usage Guide](Usage-Guide.md) +- [Reference](Reference/index.md) + diff --git a/docs/SHIELD/Discover/Usage-Guide.md b/docs/SHIELD/Discover/Usage-Guide.md new file mode 100644 index 0000000..4533028 --- /dev/null +++ b/docs/SHIELD/Discover/Usage-Guide.md @@ -0,0 +1,67 @@ +# Usage Guide + +This guide explains how to run Discover, what to expect from its output, and how to interact with its data once collected. + +The Discover engine runs locally via PowerShell and sends results to a specified Azure SQL Database. The interface is terminal-based and uses plugin-based configuration. + +--- + +## Running Discover + +After installing the application, you can run Discover using either the command line or PowerShell script shortcut. + +### CLI Launch (Typical Flow) + +```powershell +Start-DiscoverAudit.ps1 -CompanyName "Contoso" -Mode "Standard" +``` + +Depending on your install method and configuration, a GUI prompt may open (for standard install) or the plugin flow will begin directly (for CLI installs). + +--- + +## Plugin Execution Behavior + +When Discover runs, it processes all installed plugins in order: + +1. Authentication to Entra ID and Azure SQL +2. Creation of a correlation record to link results +3. Enumeration and validation of plugins +4. Sequential plugin execution (data collection + processing) +5. Upload of result data to Azure SQL tables + +Each plugin runs independently and its results are normalized before database submission. + +๐Ÿ“– Plugin behavior is described in [Reference โ†’ Plugin Overview](Reference/index.md#plugin-overview) + +--- + +## Where Results Go + +- Output is written to the Azure SQL Database configured at install time +- Each run generates a correlation record with timestamp and run metadata +- You can query this database directly using SQL tools or BI platforms (like Power BI) + +The schema is documented in the [Reference Guide](Reference/index.md#database-schema) + +--- + +## Example Power BI Setup + +Once data is stored in Azure SQL, you can use Power BI to: + +- Visualize configuration compliance +- Track license optimization opportunities +- Export audit snapshots for reporting + +Simply connect to your Azure SQL DB using Power BI Desktop and load the relevant tables. + +--- + +## Related Pages + +- [Discover Overview](index.md) +- [Discover Deployment](Deployment/index.md) +- [Reference](Reference/index.md) +- [Troubleshooting](Troubleshooting.md) + diff --git a/docs/Discover/assets/images/screenshots/AdvancedConfig-Dark.png b/docs/SHIELD/Discover/assets/images/screenshots/AdvancedConfig-Dark.png similarity index 100% rename from docs/Discover/assets/images/screenshots/AdvancedConfig-Dark.png rename to docs/SHIELD/Discover/assets/images/screenshots/AdvancedConfig-Dark.png diff --git a/docs/Discover/assets/images/screenshots/AdvancedConfig-Light.png b/docs/SHIELD/Discover/assets/images/screenshots/AdvancedConfig-Light.png similarity index 100% rename from docs/Discover/assets/images/screenshots/AdvancedConfig-Light.png rename to docs/SHIELD/Discover/assets/images/screenshots/AdvancedConfig-Light.png diff --git a/docs/Discover/assets/images/screenshots/Dropdown-Dark.png b/docs/SHIELD/Discover/assets/images/screenshots/Dropdown-Dark.png similarity index 100% rename from docs/Discover/assets/images/screenshots/Dropdown-Dark.png rename to docs/SHIELD/Discover/assets/images/screenshots/Dropdown-Dark.png diff --git a/docs/Discover/assets/images/screenshots/Dropdown-Light.png b/docs/SHIELD/Discover/assets/images/screenshots/Dropdown-Light.png similarity index 100% rename from docs/Discover/assets/images/screenshots/Dropdown-Light.png rename to docs/SHIELD/Discover/assets/images/screenshots/Dropdown-Light.png diff --git a/docs/Discover/assets/images/screenshots/Installer-Dark.png b/docs/SHIELD/Discover/assets/images/screenshots/Installer-Dark.png similarity index 100% rename from docs/Discover/assets/images/screenshots/Installer-Dark.png rename to docs/SHIELD/Discover/assets/images/screenshots/Installer-Dark.png diff --git a/docs/Discover/assets/images/screenshots/Installer-Light.png b/docs/SHIELD/Discover/assets/images/screenshots/Installer-Light.png similarity index 100% rename from docs/Discover/assets/images/screenshots/Installer-Light.png rename to docs/SHIELD/Discover/assets/images/screenshots/Installer-Light.png diff --git a/docs/Discover/assets/threat-models/infrastructure.tm7 b/docs/SHIELD/Discover/assets/threat-models/infrastructure.tm7 similarity index 99% rename from docs/Discover/assets/threat-models/infrastructure.tm7 rename to docs/SHIELD/Discover/assets/threat-models/infrastructure.tm7 index 4d46652..b3a6e03 100644 --- a/docs/Discover/assets/threat-models/infrastructure.tm7 +++ b/docs/SHIELD/Discover/assets/threat-models/infrastructure.tm7 @@ -6,7 +6,7 @@ Azure SQL Database PowerShell Modules: - Microsoft.Graph.Beta - Az -- SqlServerA PowerShell script collects the service configuration from the customer environment, processes the assignemnts, and stores the data in the specified Azure SQL database.MootElliot HuffmanLicense AnalyticsTH91bf841d4d-97e6-4069-b676-07a28f2d041b9bf12db2-dc23-48ed-923a-4438dfb5ae120a3667bd-b55a-424b-9882-5996e1403c1eAzureAD\ElliotHuffman8e769290-317f-4cd4-9a7c-b4fcdee365909bf12db2-dc23-48ed-923a-4438dfb5ae1229bf841d4d-97e6-4069-b676-07a28f2d041b:9bf12db2-dc23-48ed-923a-4438dfb5ae12:0a3667bd-b55a-424b-9882-5996e1403c1e2023-12-12T14:34:08.612176-05:00HighTitleAn adversary can leverage the weak scalability of token cache and cause DoSUserThreatCategoryDenial of ServiceUserThreatShortDescriptionDenial of Service happens when the process or a datastore is not able to service incoming requests or perform up to specUserThreatDescriptionThe default cache that ADAL (Active Directory Authentication Library) uses is an in-memory cache that relies on a static store, available process-wide. While this works for native applications, it does not scale for mid tier and backend applications. This can cause availability issues and result in denial of service either by the influence of an adversary or by the large scale of application's users.StateInformationThis is a purely Azure Fabric operation, this isn't exposed in any way to customers, tenants or other non-microsoft internal processes.InteractionStringValidate AuthPossibleMitigationsOverride the default ADAL token cache with a scalable alternative. Refer: <a href="https://aka.ms/tmtauthn#adal-scalable">https://aka.ms/tmtauthn#adal-scalable</a>PriorityHighSDLPhaseDesignbf841d4d-97e6-4069-b676-07a28f2d041bNotApplicable0a3667bd-b55a-424b-9882-5996e1403c1eTH91falsefalseTH1489015b784-fd98-41cd-9b85-a833cf8ee489f6270ed4-865d-4b27-b7ab-b3d9b76d9872bf841d4d-97e6-4069-b676-07a28f2d041bAzureAD\ElliotHuffman8e769290-317f-4cd4-9a7c-b4fcdee36590f6270ed4-865d-4b27-b7ab-b3d9b76d9872259015b784-fd98-41cd-9b85-a833cf8ee489:f6270ed4-865d-4b27-b7ab-b3d9b76d9872:bf841d4d-97e6-4069-b676-07a28f2d041b2023-12-12T14:26:55.8092356-05:00HighTitleAn adversary can gain long term, persistent access to an Azure SQL DB instance through the compromise of local user account password(s)UserThreatCategoryElevation of PrivilegesUserThreatShortDescriptionA user subject gains increased capability or privilege by taking advantage of an implementation bugUserThreatDescriptionAn adversary can gain long term, persistent access to an Azure SQL DB instance through the compromise of local user account password(s).StateInformationNo local accounts are allowed to authenticate by default. Only Entra ID validated access tokens are allowed, which are correlated to a central account.InteractionStringData + Auth TokenPossibleMitigationsIt is recommended to rotate user account passwords (e.g. those used in connection strings) regularly, in accordance with your organization's policies. Store secrets in a secret storage solution (e.g. Azure Key Vault).PriorityHighSDLPhaseImplementation9015b784-fd98-41cd-9b85-a833cf8ee489Mitigatedbf841d4d-97e6-4069-b676-07a28f2d041bTH148falsefalseTH11bf841d4d-97e6-4069-b676-07a28f2d041b9bf12db2-dc23-48ed-923a-4438dfb5ae120a3667bd-b55a-424b-9882-5996e1403c1eAzureAD\ElliotHuffman8e769290-317f-4cd4-9a7c-b4fcdee365909bf12db2-dc23-48ed-923a-4438dfb5ae1230bf841d4d-97e6-4069-b676-07a28f2d041b:9bf12db2-dc23-48ed-923a-4438dfb5ae12:0a3667bd-b55a-424b-9882-5996e1403c1e2023-12-12T14:14:08.818951-05:00HighTitleAn adversary can bypass authentication due to non-standard Azure AD authentication schemesUserThreatCategorySpoofingUserThreatShortDescriptionSpoofing is when a process or entity is something other than its claimed identity. Examples include substituting a process, a file, website or a network addressUserThreatDescriptionAn adversary can bypass authentication due to non-standard Azure AD authentication schemesStateInformationThis is a purely Azure Fabric operation, this isn't exposed in any way to customers, tenants or other non-microsoft internal processes.InteractionStringValidate AuthPossibleMitigationsUse standard authentication scenarios supported by Azure Active Directory. Refer: <a href="https://aka.ms/tmtauthn#authn-aad">https://aka.ms/tmtauthn#authn-aad</a>PriorityHighSDLPhaseImplementationbf841d4d-97e6-4069-b676-07a28f2d041bNotApplicable0a3667bd-b55a-424b-9882-5996e1403c1eTH11falsefalseTH1469015b784-fd98-41cd-9b85-a833cf8ee489f6270ed4-865d-4b27-b7ab-b3d9b76d9872bf841d4d-97e6-4069-b676-07a28f2d041bAzureAD\ElliotHuffman8e769290-317f-4cd4-9a7c-b4fcdee36590f6270ed4-865d-4b27-b7ab-b3d9b76d9872239015b784-fd98-41cd-9b85-a833cf8ee489:f6270ed4-865d-4b27-b7ab-b3d9b76d9872:bf841d4d-97e6-4069-b676-07a28f2d041b2023-12-12T14:28:50.8174123-05:00HighTitleA compromised identity may permit more privileges than intended to an adversary due to weak permission and role assignmentsUserThreatCategoryElevation of PrivilegesUserThreatShortDescriptionA user subject gains increased capability or privilege by taking advantage of an implementation bugUserThreatDescriptionA compromised identity may permit more privileges than intended to an adversary due to weak permission and role assignments.StateInformationMinimal permissions are granted to the DB writer security group as to be able to create tables, alter schema and add data to tables. +- SqlServerA PowerShell script collects the service configuration from the customer environment, processes the assignemnts, and stores the data in the specified Azure SQL database.MootElliot HuffmanDiscoverTH91bf841d4d-97e6-4069-b676-07a28f2d041b9bf12db2-dc23-48ed-923a-4438dfb5ae120a3667bd-b55a-424b-9882-5996e1403c1eAzureAD\ElliotHuffman8e769290-317f-4cd4-9a7c-b4fcdee365909bf12db2-dc23-48ed-923a-4438dfb5ae1229bf841d4d-97e6-4069-b676-07a28f2d041b:9bf12db2-dc23-48ed-923a-4438dfb5ae12:0a3667bd-b55a-424b-9882-5996e1403c1e2023-12-12T14:34:08.612176-05:00HighTitleAn adversary can leverage the weak scalability of token cache and cause DoSUserThreatCategoryDenial of ServiceUserThreatShortDescriptionDenial of Service happens when the process or a datastore is not able to service incoming requests or perform up to specUserThreatDescriptionThe default cache that ADAL (Active Directory Authentication Library) uses is an in-memory cache that relies on a static store, available process-wide. While this works for native applications, it does not scale for mid tier and backend applications. This can cause availability issues and result in denial of service either by the influence of an adversary or by the large scale of application's users.StateInformationThis is a purely Azure Fabric operation, this isn't exposed in any way to customers, tenants or other non-microsoft internal processes.InteractionStringValidate AuthPossibleMitigationsOverride the default ADAL token cache with a scalable alternative. Refer: <a href="https://aka.ms/tmtauthn#adal-scalable">https://aka.ms/tmtauthn#adal-scalable</a>PriorityHighSDLPhaseDesignbf841d4d-97e6-4069-b676-07a28f2d041bNotApplicable0a3667bd-b55a-424b-9882-5996e1403c1eTH91falsefalseTH1489015b784-fd98-41cd-9b85-a833cf8ee489f6270ed4-865d-4b27-b7ab-b3d9b76d9872bf841d4d-97e6-4069-b676-07a28f2d041bAzureAD\ElliotHuffman8e769290-317f-4cd4-9a7c-b4fcdee36590f6270ed4-865d-4b27-b7ab-b3d9b76d9872259015b784-fd98-41cd-9b85-a833cf8ee489:f6270ed4-865d-4b27-b7ab-b3d9b76d9872:bf841d4d-97e6-4069-b676-07a28f2d041b2023-12-12T14:26:55.8092356-05:00HighTitleAn adversary can gain long term, persistent access to an Azure SQL DB instance through the compromise of local user account password(s)UserThreatCategoryElevation of PrivilegesUserThreatShortDescriptionA user subject gains increased capability or privilege by taking advantage of an implementation bugUserThreatDescriptionAn adversary can gain long term, persistent access to an Azure SQL DB instance through the compromise of local user account password(s).StateInformationNo local accounts are allowed to authenticate by default. Only Entra ID validated access tokens are allowed, which are correlated to a central account.InteractionStringData + Auth TokenPossibleMitigationsIt is recommended to rotate user account passwords (e.g. those used in connection strings) regularly, in accordance with your organization's policies. Store secrets in a secret storage solution (e.g. Azure Key Vault).PriorityHighSDLPhaseImplementation9015b784-fd98-41cd-9b85-a833cf8ee489Mitigatedbf841d4d-97e6-4069-b676-07a28f2d041bTH148falsefalseTH11bf841d4d-97e6-4069-b676-07a28f2d041b9bf12db2-dc23-48ed-923a-4438dfb5ae120a3667bd-b55a-424b-9882-5996e1403c1eAzureAD\ElliotHuffman8e769290-317f-4cd4-9a7c-b4fcdee365909bf12db2-dc23-48ed-923a-4438dfb5ae1230bf841d4d-97e6-4069-b676-07a28f2d041b:9bf12db2-dc23-48ed-923a-4438dfb5ae12:0a3667bd-b55a-424b-9882-5996e1403c1e2023-12-12T14:14:08.818951-05:00HighTitleAn adversary can bypass authentication due to non-standard Azure AD authentication schemesUserThreatCategorySpoofingUserThreatShortDescriptionSpoofing is when a process or entity is something other than its claimed identity. Examples include substituting a process, a file, website or a network addressUserThreatDescriptionAn adversary can bypass authentication due to non-standard Azure AD authentication schemesStateInformationThis is a purely Azure Fabric operation, this isn't exposed in any way to customers, tenants or other non-microsoft internal processes.InteractionStringValidate AuthPossibleMitigationsUse standard authentication scenarios supported by Azure Active Directory. Refer: <a href="https://aka.ms/tmtauthn#authn-aad">https://aka.ms/tmtauthn#authn-aad</a>PriorityHighSDLPhaseImplementationbf841d4d-97e6-4069-b676-07a28f2d041bNotApplicable0a3667bd-b55a-424b-9882-5996e1403c1eTH11falsefalseTH1469015b784-fd98-41cd-9b85-a833cf8ee489f6270ed4-865d-4b27-b7ab-b3d9b76d9872bf841d4d-97e6-4069-b676-07a28f2d041bAzureAD\ElliotHuffman8e769290-317f-4cd4-9a7c-b4fcdee36590f6270ed4-865d-4b27-b7ab-b3d9b76d9872239015b784-fd98-41cd-9b85-a833cf8ee489:f6270ed4-865d-4b27-b7ab-b3d9b76d9872:bf841d4d-97e6-4069-b676-07a28f2d041b2023-12-12T14:28:50.8174123-05:00HighTitleA compromised identity may permit more privileges than intended to an adversary due to weak permission and role assignmentsUserThreatCategoryElevation of PrivilegesUserThreatShortDescriptionA user subject gains increased capability or privilege by taking advantage of an implementation bugUserThreatDescriptionA compromised identity may permit more privileges than intended to an adversary due to weak permission and role assignments.StateInformationMinimal permissions are granted to the DB writer security group as to be able to create tables, alter schema and add data to tables. This will be fully mitigated in the next major version when the whole platform will be rewritten into typescript and an API will sit infront of the DB, eliminating all permissions that the end user will have for the DB.InteractionStringData + Auth TokenPossibleMitigationsIt is recommended to review permission and role assignments to ensure the users are granted the least privileges necessary. Refer: <a href="https://aka.ms/tmt-th146">https://aka.ms/tmt-th146</a>PriorityHighSDLPhaseImplementation9015b784-fd98-41cd-9b85-a833cf8ee489Mitigatedbf841d4d-97e6-4069-b676-07a28f2d041bTH146falsefalseTH100a3667bd-b55a-424b-9882-5996e1403c1e9078ba02-5cbb-4d18-9da0-c41ee7b2c9febf841d4d-97e6-4069-b676-07a28f2d041bAzureAD\ElliotHuffman8e769290-317f-4cd4-9a7c-b4fcdee365909078ba02-5cbb-4d18-9da0-c41ee7b2c9fe310a3667bd-b55a-424b-9882-5996e1403c1e:9078ba02-5cbb-4d18-9da0-c41ee7b2c9fe:bf841d4d-97e6-4069-b676-07a28f2d041b2023-12-12T14:33:34.6715324-05:00HighTitleAn adversary can gain unauthorized access to Azure SQL database due to weak account policyUserThreatCategoryElevation of PrivilegesUserThreatShortDescriptionA user subject gains increased capability or privilege by taking advantage of an implementation bugUserThreatDescriptionDue to poorly configured account policies, adversary can launch brute force attacks on Azure SQL Database StateInformationThis is a purely Azure Fabric operation, this isn't exposed in any way to customers, tenants or other non-microsoft internal processes.InteractionStringConfirmationPossibleMitigationsWhen possible use Azure Active Directory Authentication for connecting to SQL Database. Refer: <a href="https://aka.ms/tmt-th10a">https://aka.ms/tmt-th10a</a> Ensure that least-privileged accounts are used to connect to Database server. Refer: <a href="https://aka.ms/tmt-th10b">https://aka.ms/tmt-th10b</a> and <a href="https://aka.ms/tmt-th10c">https://aka.ms/tmt-th10c</a>PriorityHighSDLPhaseImplementation0a3667bd-b55a-424b-9882-5996e1403c1eNotApplicablebf841d4d-97e6-4069-b676-07a28f2d041bTH10falsefalseTH1449015b784-fd98-41cd-9b85-a833cf8ee489f6270ed4-865d-4b27-b7ab-b3d9b76d9872bf841d4d-97e6-4069-b676-07a28f2d041bAzureAD\ElliotHuffman8e769290-317f-4cd4-9a7c-b4fcdee36590f6270ed4-865d-4b27-b7ab-b3d9b76d9872219015b784-fd98-41cd-9b85-a833cf8ee489:f6270ed4-865d-4b27-b7ab-b3d9b76d9872:bf841d4d-97e6-4069-b676-07a28f2d041b2023-12-12T14:23:36.5889461-05:00HighTitleAn adversary can read confidential data due to weak connection string configurationUserThreatCategoryInformation DisclosureUserThreatShortDescriptionInformation disclosure happens when the information can be read by an unauthorized partyUserThreatDescriptionAn adversary can read confidential data due to weak connection string configuration.StateInformationNo connection strings are generated or used. All connections are encrypted via TLS 1.2 or greater. When using the cmdlets, the encrypt strict and TrustServerCertificate $false parameters are set to ensure a non-tampered connection.InteractionStringData + Auth TokenPossibleMitigationsClients connecting to an Azure SQL Database instance using a connection string should ensure encrypt=true and trustservercertificate=false are set. This configuration ensures that connections are encrypted only if there is a verifiable server certificate (otherwise the connection attempt fails). This helps protect against Man-In-The-Middle attacks. Refer: <a href="https://aka.ms/tmt-th144">https://aka.ms/tmt-th144</a>PriorityHighSDLPhaseImplementation9015b784-fd98-41cd-9b85-a833cf8ee489Mitigatedbf841d4d-97e6-4069-b676-07a28f2d041bTH144falsefalseTH1439015b784-fd98-41cd-9b85-a833cf8ee489f6270ed4-865d-4b27-b7ab-b3d9b76d9872bf841d4d-97e6-4069-b676-07a28f2d041bAzureAD\ElliotHuffman8e769290-317f-4cd4-9a7c-b4fcdee36590f6270ed4-865d-4b27-b7ab-b3d9b76d9872209015b784-fd98-41cd-9b85-a833cf8ee489:f6270ed4-865d-4b27-b7ab-b3d9b76d9872:bf841d4d-97e6-4069-b676-07a28f2d041b2023-12-12T14:30:22.6492358-05:00HighTitleAn adversary can gain unauthorized access to Azure SQL DB instances due to weak network security configuration.UserThreatCategoryElevation of PrivilegesUserThreatShortDescriptionA user subject gains increased capability or privilege by taking advantage of an implementation bugUserThreatDescriptionAn adversary can gain unauthorized access to Azure SQL DB instances due to weak network security configuration.StateInformationTLS 1.2 or greater is required for all connections.InteractionStringData + Auth TokenPossibleMitigationsRestrict access to Azure SQL Database instances by configuring server-level and database-level firewall rules to permit connections from selected networks (e.g. a virtual network or a custom set of IP addresses) where possible. Refer:<a href="https://aka.ms/tmt-th143">https://aka.ms/tmt-th143</a>PriorityHighSDLPhaseImplementation9015b784-fd98-41cd-9b85-a833cf8ee489Mitigatedbf841d4d-97e6-4069-b676-07a28f2d041bTH143falsefalseTH1179015b784-fd98-41cd-9b85-a833cf8ee489f6270ed4-865d-4b27-b7ab-b3d9b76d9872bf841d4d-97e6-4069-b676-07a28f2d041bAzureAD\ElliotHuffman8e769290-317f-4cd4-9a7c-b4fcdee36590f6270ed4-865d-4b27-b7ab-b3d9b76d9872199015b784-fd98-41cd-9b85-a833cf8ee489:f6270ed4-865d-4b27-b7ab-b3d9b76d9872:bf841d4d-97e6-4069-b676-07a28f2d041b2023-12-12T14:37:08.2597348-05:00HighTitleAn adversary may spoof an Azure administrator and gain access to Azure subscription portalUserThreatCategorySpoofingUserThreatShortDescriptionSpoofing is when a process or entity is something other than its claimed identity. Examples include substituting a process, a file, website or a network addressUserThreatDescriptionAn adversary may spoof an Azure administrator and gain access to Azure subscription portal if the administrator's credentials are compromised.StateInformationUser accounts are goverened by their respective organization owners, MLA supports all MFA and anti-spoofing configs that Entra does. The DB Access token is scoped only to DBs that the user is allowed to access. It doesn't work for any other types of resources. diff --git a/docs/SHIELD/Discover/index.md b/docs/SHIELD/Discover/index.md new file mode 100644 index 0000000..6be85a6 --- /dev/null +++ b/docs/SHIELD/Discover/index.md @@ -0,0 +1,246 @@ +# Overview + +The Discover module enables advanced licensing intelligence and compliance reporting for Microsoft 365 services. It retrieves configuration data from multiple service APIs, analyzes it, and stores compliance results in an Azure SQL database for visualization in tools like Power BI. + +Discover is plugin-driven, lightweight, and runs entirely from the client environment via PowerShell. + +--- + +## What Discover Does + +- Retrieves Microsoft service configuration data using Graph API and Defender APIs +- Evaluates license assignments against usage and configuration +- Stores structured results in an Azure SQL database +- Visualizes data using third-party tools such as Power BI + +Discover allows organizations to: + +- Ensure license assignments match technical requirements +- Detect gaps in purchased vs. configured capabilities +- Automate configuration audits across tenants + +--- + +## Plugin Architecture + +Discoverโ€™s core engine is extensible through plugins. Each plugin is responsible for extracting and evaluating configuration from a specific service: + +- ๐Ÿ”Œ **Entra ID Plugin** โ€“ Retrieves directory and user-level settings +- ๐Ÿ”Œ **Defender for Endpoint Plugin** โ€“ Retrieves configuration and licensing status +- ๐Ÿ”Œ **Defender for Identity Plugin** โ€“ Extracts rules and signals used in audit logic + +Plugins are executed sequentially, and their results are normalized before being uploaded to the Azure SQL Database. + +๐Ÿ“– See full list in [Reference โ†’ Plugin Overview](Reference/index.md#plugin-overview) + +--- + +## Infrastructure Architecture + +The infrastructure diagram below shows how the Discover engine interacts with Microsoft services and securely stores results in Azure SQL: + +### Infrastructure Flow + +```mermaid +flowchart + subgraph "Client Environment" + Client["PowerShell Client"] + end + + subgraph "Microsoft Trust Boundary (Cloud Boundary)" + EntraId["Entra ID"] + SqlDb[("Azure SQL Database")] + end + + Client --> | Step 1 - Request Auth Code | EntraId + EntraId --> | Step 2 - Receive Auth Code | Client + Client --> | Step 3 - Data + Auth Token | SqlDb + SqlDb --> | Step 4 - Validate Auth Token | EntraId + EntraId --> | Step 5 - Auth Token Confirmation | SqlDb + SqlDb --> | Step 6 - Confirm DB Operation | Client +``` + +๐Ÿ“„ Download annotated threat model: [Infrastructure Threat Model (.tm7)](assets/threat-models/infrastructure.tm7) + +--- + +## Execution Process + +The following diagram shows the plugin execution flow from engine startup through plugin enumeration, execution, and data upload. + +### Execution Flowchart + +```mermaid +flowchart TD + +AzSqlDb[("Report Storage")] + +Start["Start"] +Initialization["Configure Core Engine"] +LoginHost["Log into Az SQL Server's tenant"] +LoginCustomer["Log into tenant that\ndata is to be retrieved from"] +ReportCorelationRecord["Create a record to\ncorrelate all counts for a run"] +LoadPlugins["Enumerate/Validate and Run Plugins"] + +subgraph plugin +StartPlugin["Start execution\non specified plugin"] +GetData["Query APIs to get configuration data"] +ProcessData["Organize and Deduplicate Data"] +ReportProcessedData["Upload Processed Data to Az SQL DB"] +EndPlugin["End execution\nof current plugin"] +end + +LoopPlugin["Check if another\nplugin is present"] +LogOut["Log out of all sessions"] +SuccessEnd["Finish Reporting\nSuccessfully"] + +Start --> Initialization +Initialization --> LoginHost +LoginHost --> LoginCustomer +LoginCustomer --> ReportCorelationRecord +ReportCorelationRecord -.-> AzSqlDb +ReportCorelationRecord --> LoadPlugins +LoadPlugins --> StartPlugin +StartPlugin --> GetData +GetData --> ProcessData +ProcessData --> ReportProcessedData +ReportProcessedData -.-> AzSqlDb +ReportProcessedData --> EndPlugin +EndPlugin --> LoopPlugin +LoopPlugin -->|If Yes| StartPlugin +LoopPlugin -->|If No| LogOut +LogOut --> SuccessEnd +``` + +--- + +## Related Pages + +- [Discover Deployment](Deployment/index.md) +- [Discover Usage Guide](Usage-Guide.md) +- [Discover Reference](Reference/index.md) +- [Troubleshooting Discover](Troubleshooting.md) + +# Overview + +The Discover module enables advanced licensing intelligence and compliance reporting for Microsoft 365 services. It retrieves configuration data from multiple service APIs, analyzes it, and stores compliance results in an Azure SQL database for visualization in tools like Power BI. + +Discover is plugin-driven, lightweight, and runs entirely from the client environment via PowerShell. + +--- + +## What Discover Does + +- Retrieves Microsoft service configuration data using Graph API and Defender APIs +- Evaluates license assignments against usage and configuration +- Stores structured results in an Azure SQL database +- Visualizes data using third-party tools such as Power BI + +Discover allows organizations to: + +- Ensure license assignments match technical requirements +- Detect gaps in purchased vs. configured capabilities +- Automate configuration audits across tenants + +--- + +## Plugin Architecture + +Discoverโ€™s core engine is extensible through plugins. Each plugin is responsible for extracting and evaluating configuration from a specific service: + +- ๐Ÿ”Œ **Entra ID Plugin** โ€“ Retrieves directory and user-level settings +- ๐Ÿ”Œ **Defender for Endpoint Plugin** โ€“ Retrieves configuration and licensing status +- ๐Ÿ”Œ **Defender for Identity Plugin** โ€“ Extracts rules and signals used in audit logic + +Plugins are executed sequentially, and their results are normalized before being uploaded to the Azure SQL Database. + +๐Ÿ“– See full list in [Reference โ†’ Plugin Overview](Reference/index.md#plugin-overview) + +--- + +## Infrastructure Architecture + +The infrastructure diagram below shows how the Discover engine interacts with Microsoft services and securely stores results in Azure SQL: + +### Infrastructure Flow + +```mermaid +flowchart + subgraph "Client Environment" + Client["PowerShell Client"] + end + + subgraph "Microsoft Trust Boundary (Cloud Boundary)" + EntraId["Entra ID"] + SqlDb[("Azure SQL Database")] + end + + Client --> | Step 1 - Request Auth Code | EntraId + EntraId --> | Step 2 - Receive Auth Code | Client + Client --> | Step 3 - Data + Auth Token | SqlDb + SqlDb --> | Step 4 - Validate Auth Token | EntraId + EntraId --> | Step 5 - Auth Token Confirmation | SqlDb + SqlDb --> | Step 6 - Confirm DB Operation | Client +``` + +๐Ÿ“„ Download annotated threat model: [Infrastructure Threat Model (.tm7)](assets/threat-models/infrastructure.tm7) + +--- + +## Execution Process + +The following diagram shows the plugin execution flow from engine startup through plugin enumeration, execution, and data upload. + +### Execution Flowchart + +```mermaid +flowchart TD + +AzSqlDb[("Report Storage")] + +Start["Start"] +Initialization["Configure Core Engine"] +LoginHost["Log into Az SQL Server's tenant"] +LoginCustomer["Log into tenant that\ndata is to be retrieved from"] +ReportCorelationRecord["Create a record to\ncorrelate all counts for a run"] +LoadPlugins["Enumerate/Validate and Run Plugins"] + +subgraph plugin +StartPlugin["Start execution\non specified plugin"] +GetData["Query APIs to get configuration data"] +ProcessData["Organize and Deduplicate Data"] +ReportProcessedData["Upload Processed Data to Az SQL DB"] +EndPlugin["End execution\nof current plugin"] +end + +LoopPlugin["Check if another\nplugin is present"] +LogOut["Log out of all sessions"] +SuccessEnd["Finish Reporting\nSuccessfully"] + +Start --> Initialization +Initialization --> LoginHost +LoginHost --> LoginCustomer +LoginCustomer --> ReportCorelationRecord +ReportCorelationRecord -.-> AzSqlDb +ReportCorelationRecord --> LoadPlugins +LoadPlugins --> StartPlugin +StartPlugin --> GetData +GetData --> ProcessData +ProcessData --> ReportProcessedData +ReportProcessedData -.-> AzSqlDb +ReportProcessedData --> EndPlugin +EndPlugin --> LoopPlugin +LoopPlugin -->|If Yes| StartPlugin +LoopPlugin -->|If No| LogOut +LogOut --> SuccessEnd +``` + +--- + +## Related Pages + +- [Discover Deployment](Deployment/index.md) +- [Discover Usage Guide](Usage-Guide.md) +- [Discover Reference](Reference/index.md) +- [Troubleshooting Discover](Troubleshooting.md) + diff --git a/docs/SHIELD/Getting-Started.md b/docs/SHIELD/Getting-Started.md new file mode 100644 index 0000000..50e3fec --- /dev/null +++ b/docs/SHIELD/Getting-Started.md @@ -0,0 +1,195 @@ +# Getting Started + +This page outlines how to deploy SHIELD and Discover, including manual installation, silent installs, SQL configuration, and the upcoming Azure Marketplace integration. + +--- + +## Manual Deployment (SHIELD) + +You can deploy the SHIELD orchestration server manually using a local PowerShell script and the official SOP `.zip` bundle. + +!!! info "Access Requirements" + Manual deployment is only available to SHI employees or partners who have access to the installation package. + +### Steps + +1. **Download** the PowerShell installer: + ๐Ÿ‘‰ [Install-SOP.ps1](Scripts/Install-Sop.ps1) + +2. **Prepare your environment**: + - Note your Azure Subscription ID + - Place the `.zip` file in the same directory as the script + +3. **Run the deployment**: + ```powershell + Install-SOP.ps1 -SubscriptionId "{Your Azure Subscription ID}" -Path ".\{Your ZIP File Name}.zip" -CompanyName "{YourCompanyNameHere}" + ``` + +4. **Need help?** + Run: + ```powershell + Get-Help .\Install-Sop.ps1 -Full + ``` + +!!! danger "Best Practice" + Deploy SHIELD in a fresh, isolated Azure subscription for optimal permission boundaries. + +--- + +## Azure Marketplace Deployment + +Coming soon! SHIELD will soon be available as a 1-click deploy option from the Azure Marketplace. + +--- + +## Discover Deployment Options + +Discover is a standalone component used for licensing analysis and compliance tracking. It supports both GUI and script-based installations depending on your environment. + +--- + +## Standard Installation (GUI-Based) + +Use the MSI installer for a guided, visual installation of Discover. + +### Installation Instructions + +1. Install the **latest version** of PowerShell LTS. + + !!! note "PowerShell Deployment Options" + We recommend using the [Microsoft Store version](https://www.microsoft.com/store/apps/9MZ1SNWT0N5D){:target="_blank"}. + You can also use MSI, WinGet, or ZIP downloads listed in [Microsoft's documentation](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows){:target="_blank"}. + + The `pwsh.exe` binary must be registered via [Application Registration](https://learn.microsoft.com/en-us/windows/win32/shell/app-registration#registering-applications){:target="_blank"}. + +2. Run the Discover installer. + +3. On the main screen, enter the **FQDN** of your Azure SQL Server. + ๐Ÿ“Œ Example: `shi-example.database.windows.net` + +4. (Optional) Click **Configure** to customize: + - Correlation table name + - License data table name + - SQL database name + +5. (Optional) Review the config summary. + +6. Click **Install**. + +### Screenshots + +#### Main Installer Screen + +![Installer - Light](Discover/assets/images/screenshots/Installer-Light.png#only-light){ loading=lazy } +![Installer - Dark](Discover/assets/images/screenshots/Installer-Dark.png#only-dark){ loading=lazy } + +#### Configuration Dropdown + +![Dropdown - Light](Discover/assets/images/screenshots/Dropdown-Light.png#only-light){ loading=lazy } +![Dropdown - Dark](Discover/assets/images/screenshots/Dropdown-Dark.png#only-dark){ loading=lazy } + +#### Advanced Configuration + +![Advanced Config - Light](Discover/assets/images/screenshots/AdvancedConfig-Light.png#only-light){ loading=lazy } +![Advanced Config - Dark](Discover/assets/images/screenshots/AdvancedConfig-Dark.png#only-dark){ loading=lazy } + +!!! note "Shortcut Behavior" + Desktop shortcuts are only created for user-scoped installs. Machine-wide installs must be launched via CLI. + +--- + +## Silent Installation (Script-Based) + +This method allows for fully automated or unattended installation using MSI flags. + +### Configuration Reference + +| Name | Required | Default | Description | +|------|----------|---------|-------------| +| `AZSQL_SERVER_FQDN` | โœ… | *(none)* | SQL Server FQDN | +| `CORRELATION_TABLE_NAME` | โŒ | `Correlation` | Table for correlation data | +| `DATABASE_NAME` | โŒ | `Results` | SQL database name | +| `LICENSE_COUNT_TABLE_NAME` | โŒ | `LicenseData` | Table for license usage data | + +### Examples + +```cmd +License-Analytics.msi /qn AZSQL_SERVER_FQDN=shi-example.database.windows.net +``` + +```cmd +License-Analytics.msi /qn AZSQL_SERVER_FQDN=shi-example.database.windows.net DATABASE_NAME=CustomerTracker +``` + +```cmd +License-Analytics.msi /qn AZSQL_SERVER_FQDN=shi-example.database.windows.net CORRELATION_TABLE_NAME=RunTracker +``` + +```cmd +License-Analytics.msi /qn AZSQL_SERVER_FQDN=shi-example.database.windows.net LICENSE_COUNT_TABLE_NAME=CustomerTracker +``` + +!!! note "Naming Format" + Do not include protocols (e.g., `sql://`) or paths in the FQDN. + +--- + +## Azure SQL Database Setup + +Discover requires a dedicated Azure SQL Database (or managed instance) to store all usage and audit data. + +### Required Configuration + +- โœ… SQL DB or Managed Instance +- โœ… Entra ID authentication enabled +- โœ… Network connectivity from client to DB + +### Storage Requirements + +- ~1,676 bytes per Discover run +- ~40KB per year for typical usage +- Easily fits within the Azure SQL 2GB tier + +### Recommended Configuration + +| Setting | Why | +|---------|-----| +| Use Entra ID Auth Only | Prevent SQL login usage | +| Limit Allowed IPs | Restrict DB access | +| Enable Backups | Avoid data loss | +| Enable Defender for SQL | Threat detection | +| Audit Admin Activity | Compliance & visibility | +| Enable SQL Auditing | Track all changes | +| Send Logs to SIEM | Centralize log collection | +| Avoid BYOK/HYOK/CMK | Unless legally required | +| Set Azure Monitor Alerts | Detect low storage/CPU | + +--- + +### Auto Permission Assignment Tool + +You can use Discoverโ€™s PowerShell utility to auto-configure SQL access via Entra ID security groups. + +#### Example Command + +```powershell +Add-AzLicenseDb -SubscriptionId 'your-sub-id' -ReadGroupId 'read-group-id' -WriteGroupId 'write-group-id' +``` + +#### Get Help + +```powershell +Get-Help -Name 'Add-AzLicenseDb' -Full +``` + +!!! info "Replace IDs" + Use your real Azure subscription and Entra group IDs. + +--- + +## See Also + +- [Standard Installation](#standard-installation-gui-based) +- [Silent Installation](#silent-installation-script-based) +- [Azure SQL Setup (from Prerequisites)](Prerequisites/index.md#azure-sql-setup) + diff --git a/docs/SHIELD/Getting-Started/Deployment/Azure-Marketplace.md b/docs/SHIELD/Getting-Started/Deployment/Azure-Marketplace.md deleted file mode 100644 index c0b538b..0000000 --- a/docs/SHIELD/Getting-Started/Deployment/Azure-Marketplace.md +++ /dev/null @@ -1,6 +0,0 @@ -# Azure Marketplace - -Deploy from the Azure marketplace. - -!!! note - Coming soon! diff --git a/docs/SHIELD/Getting-Started/Deployment/Manual-Deployment.md b/docs/SHIELD/Getting-Started/Deployment/Manual-Deployment.md deleted file mode 100644 index 3b65b89..0000000 --- a/docs/SHIELD/Getting-Started/Deployment/Manual-Deployment.md +++ /dev/null @@ -1,34 +0,0 @@ -# Manual Deployment - -Deploy the SOP app into an Azure App service by using a local deployment script and the zip file containing the SOP Server software. - -!!! info "Access Requirements" - This is currently a manual process and can only be performed if you have the zip file. Because of this, it can only be performed by SHI employees or partners. - -1. Download the PowerShell based installer script: -[Install-SOP.ps1](Scripts/Install-Sop.ps1) - -2. Make a note of the `Azure Subscription ID` you want to deploy SOP to. - - !!! Danger "Security Best Practice" - To achieve the best permission and quota isolation, this app should be deployed into an un-used/empty and independent subscription. - -3. Make sure that the SOP Zip file is in the same folder as the PowerShell deployment script. - -4. Run the deployment script with the below minimal parameters: - - ``` PowerShell title="PowerShell" - Install-SOP.ps1 -SubscriptionId "{Your Azure Subscription ID}" -Path ".\{SOP Zip File Name.zip}" -CompanyName "{YourCompanyNameHere}" - ``` - - !!! question "Script Help" - Please replace the content in the curly brackets and the brackets themselves with the value you expect. - If you would like more help on how to run the script, including examples and additional settings, please run the following command: - `#!PowerShell Get-Help .\Install-Sop.ps1 -Full` - -5. After the SOP has been deployed, please clean up all of the files used to deploy the app service. They are no longer needed. - - !!! note "Errors During Deployment" - The deployment is idempotent, if errors occur, just run the script a second time. It will correct any missing deployment items the second time around. - -6. Please see the app usage docs for next steps. diff --git a/docs/SHIELD/Getting-Started/Prerequisites.md b/docs/SHIELD/Getting-Started/Prerequisites.md deleted file mode 100644 index 1e4da3c..0000000 --- a/docs/SHIELD/Getting-Started/Prerequisites.md +++ /dev/null @@ -1,36 +0,0 @@ -# Prerequisites - -SHIELD is an enterprise product that requires specific licenses and configurations to deploy and use. - -To simplify the documentation, we use the `M` prefix to refer to the different license types of Microsoft 365 licensing, such as `M1`, `M3`, `M5`, etc. This prefix can replace the other prefixes that indicate the type of organization, such as `E` for Enterprise, `A` for Education, `G` for Government, `F` for Frontline, and so on. - ---- - -## Base Requirements - -- [X] Deploying User has `Global Admin Rights` (for [manual deployment](Deployment/Manual-Deployment.md) only) -- [X] Defender for Endpoint has had its [workspace created](Usage-Guide/Deploy-Core-Infrastructure/MDE-Enable.md) -- [X] Security Defaults [are shut off](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults#disabling-security-defaults) in Entra ID -- [X] Certificate Authentication is [disabled in the Entra ID authentication](https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-certificate-based-authentication#step-2-enable-cba-on-the-tenant) methods for SHIELD's ESM, SSM and PSM root security groups - ---- - -## ESM - -- [X] `M3` [or equivalent](https://go.microsoft.com/fwlink/?linkid=2139145){:target="_blank"} licenses are purchased and enabled in the target tenant -- [X] Devices to be managed through SHIELD need to be either Hybrid or Cloud only joined - ---- - -## SSM - -- [X] `M5` [or equivalent](https://go.microsoft.com/fwlink/?linkid=2139145){:target="_blank"} licenses are purchased and enabled in the target tenant -- [X] Devices to be managed through SHIELD need to be either Hybrid or Cloud only joined - ---- - -## PSM - -- [X] `M5` [or equivalent](https://go.microsoft.com/fwlink/?linkid=2139145){:target="_blank"} licenses are purchased and enabled in the target tenant -- [X] Secure Core Certified hardware. Please see the [hardware selection](../Reference/Architecture/Hardware-Selection.md) documentation for details -- [X] Devices need to be registered in Autopilot to be allowed to be commissioned into a PAW diff --git a/docs/SHIELD/Getting-Started/Usage-Guide/Deploy-Core-Infrastructure/MDE-Enable.md b/docs/SHIELD/Getting-Started/Usage-Guide/Deploy-Core-Infrastructure/MDE-Enable.md deleted file mode 100644 index 95c75f3..0000000 --- a/docs/SHIELD/Getting-Started/Usage-Guide/Deploy-Core-Infrastructure/MDE-Enable.md +++ /dev/null @@ -1,9 +0,0 @@ -# Defender for Endpoint - Workspace Creation - -The first time Microsoft Defender for Endpoint's (MDE) UI is loaded, it creates a workspace to store all of the security, usage, and telemetry data. - -This automated workspace provisioning process can be completed by navigating to the [Microsoft 365 Defender Portal](https://security.microsoft.com){:target="_blank"} and selecting the devices tab on the left. - -If the list of devices in table format loads, the workspace has already been set up. - -If you get a splash screen saying the workspace/MDE is being set up, please wait until the process has completed. After the splash screen disappears, MDE is fully initialized in the tenant. diff --git a/docs/SHIELD/Getting-Started/Usage-Guide/Deploy-Core-Infrastructure/index.md b/docs/SHIELD/Getting-Started/Usage-Guide/Deploy-Core-Infrastructure/index.md deleted file mode 100644 index f4e983c..0000000 --- a/docs/SHIELD/Getting-Started/Usage-Guide/Deploy-Core-Infrastructure/index.md +++ /dev/null @@ -1,36 +0,0 @@ -# Deploy Core Infrastructure - -You have to meet the prerequisites before being able to deploy the core infrastructure. -The core infrastructure is where the main configurations reside for the SHIELD product. -Once this is deployed, the configurations can be customized and the lifecycle management system can be used. - -After deployment, the only parts of the core infrastructure that can't be touched are the `security groups`, `Intune scope tags` and `Entra ID Administrative Units`. All other items can be modified, including the device configurations, autopilot profiles and conditional access. - -!!! note "Prerequisites Check" - Don't forget to make sure you meet the prerequisites as listed here: - [Getting Started - Prerequisites](../../Prerequisites.md) - ---- - -## Deployment - -After the pre-requisites are met, you can deploy the core infrastructure. -Deploying the core-infrastructure is pretty easy: - -1. Open the SHI Orchestration Platform app to the URL that you deployed to. It will open itself to the `Infrastructure Deployment` page. - - !!! note "Portal Location" - By default, this is a subdomain at `{your-company}.azurewebsites.net` - -2. Read the `Terms and Conditions` document and if you agree, select the `I agree to the terms and conditions` check box. This will enable and arm the `Deploy Infrastructure` button. - - ![Screenshot of the Infrastructure Deployment page showing the "I agree" button as checked and the deploy button as enabled. The check box is highlighted by a red box indicating what should be selected.](../../../assets/Images/Screenshots/Core-Infrastructure-Deployment.png){ loading=lazy } - -3. Push the `Deploy Infrastructure` button. This will deploy all the supporting components to the lifecycle management system. - - ![Screenshot of the core infrastructure deployment spinner indicating a deployment is in progress. The spinner has been highlighted by a red box indicating where the deployment in progress spinner will appear.](../../../assets/Images/Screenshots/Spinner.png){ loading=lazy } - -4. Once the deployment has completed it will redirect you to the home screen as seen in the below screenshot. - - ![Screenshot of the home page with the navigation cards visible.](../../../assets/Images/Screenshots/Home-Screen-Light.png#only-light){ loading=lazy } - ![Screenshot of the home page with the navigation cards visible.](../../../assets/Images/Screenshots/Home-Screen-Dark.png#only-dark){ loading=lazy } diff --git a/docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/index.md b/docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/index.md deleted file mode 100644 index 5988d6c..0000000 --- a/docs/SHIELD/Getting-Started/Usage-Guide/Lifecycle-Management/index.md +++ /dev/null @@ -1,32 +0,0 @@ -# Overview - -Lifecycle management is the system that manages the various types of managed objects, such as users, devices, intermediaries (in development), interfaces/servers (also in development), and their unique configurations after the core infrastructure is deployed. It can adopt and abandon managed objects from the managed architecture. - -The lifecycle management feature in the SHIELD app provides an easy-to-use UI that makes managing the relationship between security levels easy and the adoption of managed security controls feel familiar to the M365 environment. The lifecycle management engine is responsible for manipulating the device identity properly so that the correct set of metadata, categorization, microsegmentation, and management are applied. All lifecycle operations are designed to be scalable. - -## How it works - -The lifecycle management system gets triggered when a command is executed from the app's UI or API. Depending on the command, the back-end system may create unique configurations, edit existing ones, or create new user accounts. More specifics will be located in each child page for the respective category of actions (e.g., devices, users, interfaces, etc.). - -## Managed Objects - -### Devices - -The SHIELD app manages two types of devices: privileged and enterprise. Privileged class managed devices can only be selected from a list of autopilot-enabled devices. Enterprise devices can be any device in Entra ID. For privileged devices, we recommend using devices that have never been turned on before and are ideally still in their packages. Also, for privileged devices, we only recommend Microsoft Surface or Lenovo devices. It is possible to use other devices, but we have not tested them and do not plan on supporting others. For privileged devices, we only recommend the laptop or slate form factor for security reasons. - -Lifecycle management operations for devices include commission and decommission for all devices, assign user for privileged devices, and other specific operations depending on the device's security class. - -### Users - -The SHIELD app manages three types of users: privileged, specialized, and enterprise. These are security levels that determine the level of protection each user requires. Privileged users are the most secure, followed by specialized and enterprise. - -Lifecycle management operations for users include creating, and removing user accounts, depending on the user's security class. - -## Summary - -Lifecycle management is a critical feature in the SHIELD app that enables the management of various managed objects, such as users and devices. With this feature, you can easily manage the relationship between security levels and adopt managed security controls in a familiar environment. The lifecycle management engine is scalable and responsible for manipulating device identities properly, so the correct set of metadata, categorization, microsegmentation, and management are applied. - -## See Also - -- Intermediaries Lifecycle Management - Coming Soon -- Interfaces/Servers Lifecycle Management - Coming Soon diff --git a/docs/SHIELD/Getting-Started/Usage-Guide/index.md b/docs/SHIELD/Getting-Started/Usage-Guide/index.md deleted file mode 100644 index 9627e7d..0000000 --- a/docs/SHIELD/Getting-Started/Usage-Guide/index.md +++ /dev/null @@ -1,33 +0,0 @@ -# Overview - -## Infrastructure Management - -Infrastructure management is responsible for the underlying common set of settings that go across all security classes and managed objects. - -This system is responsible for deploying and keeping them up to date. - -[:octicons-rocket-24: Deploy Core Infrastructure](Deploy-Core-Infrastructure/index.md){ .md-button } - -## Lifecycle Management - -Lifecycle management is where you will spend most of your time. Performing actions such as creating PAWs or enrolling enterprise class users into management. - -### Device - -- [Commission a Device](Lifecycle-Management/Device/0-Commission.md) -- [Decommission a Device](Lifecycle-Management/Device/1-Decommission.md) -- [Assign a Privileged Device](Lifecycle-Management/Device/2-Assign.md) -- [Unassign a Privileged Device](Lifecycle-Management/Device/3-Unassign.md) - -### User - -- [Commission a user](Lifecycle-Management/User/Commission.md) -- [Decommission a user](Lifecycle-Management/User/Decommission.md) - ---- - -## See Also - -- [SPA - SHI Architecture Overview](../../Reference/Architecture/Securing-Privileged-Access.md) -- [SPA - MSFT Docs](https://aka.ms/spa){:target="_blank"} -- [Security Classes - MSFT Docs](https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-security-levels){:target="_blank"} diff --git a/docs/SHIELD/Getting-Started/index.md b/docs/SHIELD/Getting-Started/index.md deleted file mode 100644 index a4e58a3..0000000 --- a/docs/SHIELD/Getting-Started/index.md +++ /dev/null @@ -1,17 +0,0 @@ -# Overview - -To use the app, two primary deployments must happen: the server and the architectural core infrastructure. -The server is deployed first then the server deploys the core infrastructure. - -1. To deploy the server, chose from one of the below deployment methods:
- - - [:fontawesome-solid-file-zipper: Deploy Using Manual Method](Deployment/Manual-Deployment.md){ .md-button } - -2. Deploy the core infrastructure using the Web UI:
- - [:octicons-rocket-24: Deploy Core Infrastructure](Usage-Guide/Deploy-Core-Infrastructure/index.md){ .md-button } - -3. Manage your infrastructure using the SHIELD app's Lifecycle management engine:
- - [:fontawesome-solid-rotate: Manage Lifecycle](Usage-Guide/Lifecycle-Management/index.md){ .md-button } diff --git a/docs/SHIELD/Getting-Started/Deployment/Required-Graph-API-Permissions.md b/docs/SHIELD/Prerequisites/Required-Graph-API-Permissions.md similarity index 99% rename from docs/SHIELD/Getting-Started/Deployment/Required-Graph-API-Permissions.md rename to docs/SHIELD/Prerequisites/Required-Graph-API-Permissions.md index a1b584d..165fe35 100644 --- a/docs/SHIELD/Getting-Started/Deployment/Required-Graph-API-Permissions.md +++ b/docs/SHIELD/Prerequisites/Required-Graph-API-Permissions.md @@ -34,7 +34,7 @@ The below Microsoft Graph API permissions are necessary for the operation of thi | Permission Name | Self Auto Granted | What it is used for | |-----------------|-------------------|---------------------| -| `LicenseReport.ReadWrite` | โœ… | Used to store the license report after a run of License Analytics has completed. | +| `LicenseReport.ReadWrite` | โœ… | Used to store the license report after a run of Discover has completed. | | `Telemetry.Sop.ReadWrite` | โœ… | Used by SOP to store its monthly telemetry report and keep it isolated from other tenants. | ## SHI Orchestration Platform - Authenticator Permissions List diff --git a/docs/SHIELD/Prerequisites/index.md b/docs/SHIELD/Prerequisites/index.md new file mode 100644 index 0000000..7aae20f --- /dev/null +++ b/docs/SHIELD/Prerequisites/index.md @@ -0,0 +1,136 @@ +# Prerequisites + +Before deploying SHIELD or using Discover, ensure your environment meets all license, configuration, permission, and software requirements. + +This page is divided into two parts: + + +1. [SHIELD Core Platform Requirements](#shield-core-platform-requirements) +2. [Discover System Requirements](#discover-system-requirements) + +--- + +## SHIELD Core Platform Requirements + +SHIELD automates secure deployment and lifecycle management using Microsoft 365 and Azure. It requires specific license levels, identity configurations, and Microsoft Defender components. + +### Environment Requirements + +- โœ… Deploying user must have **Global Admin Rights** +- โœ… Microsoft Defender for Endpoint must be provisioned. See [Defend Usage Guide](../Defend/Usage-Guide/index.md), under **Defender for Endpoint Workspace Creation** +- โœ… [Security Defaults](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults#disabling-security-defaults) must be disabled in Entra ID +- โœ… [Certificate Authentication](https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-certificate-based-authentication#step-2-enable-cba-on-the-tenant) must be disabled for SHIELDโ€™s security groups + +--- + +### Licensing Requirements by Mode + +SHIELD uses `M3` and `M5` to refer to Microsoft 365 license families, abstracting E3/E5 and similar plans. + +| Mode | License | Additional Requirements | +|------|---------|--------------------------| +| **ESM** (Enterprise Security Mode) | M3 or equivalent | Devices must be Hybrid or Cloud Joined | +| **SSM** (Specialized Security Mode) | M5 or equivalent | Devices must be Hybrid or Cloud Joined | +| **PSM** (Privileged Security Mode) | M5 or equivalent | Devices must be Autopilot-registered and [Secure Core Certified](../Defend/Reference/Hardware-Selection.md) | + +--- + +## Discover System Requirements + +Discover is a component of SHIELD that audits licensing configuration, queries Microsoft APIs, and stores analysis in an Azure SQL Database. The following setup is required. + +--- + +### System & Runtime Configuration + +- โœ… Latest version of **PowerShell (64-bit)** (e.g. 7.4.0 or later) +- โœ… Internet access with no SSL/TLS inspection for Microsoft-owned domains +- โœ… At least **2GB of available RAM** +- โœ… Azure SQL Database is configured and reachable (see setup below) + +!!! info "Assumptions" + These recommendations assume ~10,000 users running Discover twice a month. For larger organizations or more frequent use, increase memory and SQL capacity. + +--- + +### Entra ID Role Permissions + +Discover uses read-only Entra ID roles for configuration queries. These permissions are scoped with the principle of least privilege. + +| Role | Required For | +|------|---------------| +| **Global Reader** | Basic environment access (Defender, Entra ID) | +| **Security Administrator** | Access to Defender for Endpoint & Identity APIs | +| **User Administrator** | Access to user directory properties | + +**Related plugin guides:** +docs\SHIELD\Reference\Plugins\DefenderEndpoint.md +- ๐Ÿ“„ [Defender for Endpoint](../Discover/Plugins/DefenderEndpoint.md) +- ๐Ÿ“„ [Defender for Identity](../Discover/Plugins/DefenderIdentity.md) +- ๐Ÿ“„ [Entra ID](../Discover/Plugins/EntraID.md) + +!!! info "Permissions Note" + Discover will never modify your configuration. All operations are read-only and scoped to data retrieval. + +--- + +### Azure SQL Setup + +An Azure SQL Database is required to store audit results. You can use an existing DB or provision a new one. + +๐Ÿ“– [Deployment โ†’ Azure SQL Database Setup](../Getting-Started.md#azure-sql-database-setup) + +**Required:** + +- Entra ID Authentication is enabled +- Client running Discover must have network access (e.g., VPN or VNet) + +**Storage Notes:** + +- Each Discover run generates ~1,676 bytes +- Typical org = ~40KB/year +- 2GB base DB size is sufficient in most cases + +--- + +### Recommended SQL Configuration + +These settings are optional but highly recommended for security, auditability, and reliability: + +- [Use Entra ID Authentication Only](https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-only-authentication-tutorial) +- [Limit IP ranges](https://learn.microsoft.com/en-us/azure/azure-sql/database/firewall-configure) +- [Enable database backups](https://learn.microsoft.com/en-us/azure/azure-sql/database/automated-backups-overview) +- [Enable Defender for SQL](https://learn.microsoft.com/en-us/azure/azure-sql/database/azure-defender-for-sql) +- [Audit support operations](https://learn.microsoft.com/en-us/azure/azure-sql/database/auditing-overview) +- [Send logs to SIEM](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings) +- [Alert on low resources](https://learn.microsoft.com/en-us/azure/azure-monitor/best-practices-alerts) +- Avoid BYOK/HYOK/CMK unless legally required + +--- + +### Auto Permissions Assignment Tool + +Discover includes a PowerShell tool to auto-configure SQL permissions via Entra security groups. + +```powershell +Add-AzLicenseDb -SubscriptionId '' -ReadGroupId '' -WriteGroupId '' +``` + +To view tool options: + +```powershell +Get-Help -Name 'Add-AzLicenseDb' -Full +``` + +!!! info + Replace values above with your actual subscription and Entra group IDs. + +--- + +## Related Pages + +- ๐Ÿ“„ [Hardware Requirements](../Defend/Reference/Hardware-Selection.md) +- ๐Ÿ“„ [Deployment Guide](../Getting-Started.md) +- ๐Ÿ“„ [Azure SQL Setup](../Getting-Started.md#azure-sql-database-setup) +- ๐Ÿ“„ [Silent Installation Instructions](../Getting-Started.md#silent-installation-script-based) +- ๐Ÿ“„ [Standard Installation Instructions](../Getting-Started.md#standard-installation-gui-based) \ No newline at end of file diff --git a/docs/SHIELD/Reference.md b/docs/SHIELD/Reference.md new file mode 100644 index 0000000..33f75cc --- /dev/null +++ b/docs/SHIELD/Reference.md @@ -0,0 +1,118 @@ +# Reference + +This reference section contains key technical specifications and supporting details for working with SHIELD, including: + +- Microsoft Graph API permissions required for SHIELD functionality +- Hardware requirements based on security mode +- Full lifecycle workflow diagrams for both users and devices + +--- + +## Microsoft Graph API Permissions + +SHIELD requires specific Graph API permissions to function correctly. These permissions are either assigned automatically by SHIELD or require pre-assignment by an admin. + +!!! note "Permission Scope Legend" + โœ… = Automatically assigned by SHIELD + โŒ = Must be manually assigned by an admin + +### Entra ID Role Permissions + +| Permission Name | Auto Granted | Description | +|-----------------|--------------|-------------| +| Privileged Authentication Administrator | โœ… | Required to delete privileged users with role lockouts. | + +### Graph API Permissions + +| Permission Name | Auto Granted | Description | +|-----------------|--------------|-------------| +| AdministrativeUnit.ReadWrite.All | โœ… | Manage restricted admin units. | +| AppRoleAssignment.ReadWrite.All | โŒ | Assign Managed Identity permissions. | +| Application.ReadWrite.All | โŒ | Create and maintain app registrations. | +| Device.ReadWrite.All | โœ… | Enumerate and tag Entra ID devices. | +| DeviceManagementApps.ReadWrite.All | โœ… | Configure Intune managed installer. | +| DeviceManagementConfiguration.ReadWrite.All | โœ… | Manage configuration profiles in Intune. | +| DeviceManagementManagedDevices.PrivilegedOperations.All | โœ… | Send Wipe commands to devices. | +| DeviceManagementManagedDevices.ReadWrite.All | โœ… | Remove old session hosts, list devices. | +| DeviceManagementRBAC.ReadWrite.All | โœ… | Manage scope tags and app config. | +| DeviceManagementServiceConfig.ReadWrite.All | โœ… | Read and manage Autopilot config. | +| Group.ReadWrite.All | โœ… | Manage security groups in Entra ID. | +| Policy.Read.All / Policy.ReadWrite.ConditionalAccess | โœ… | Enforce and manage Conditional Access policies. | +| RoleManagement.ReadWrite.Directory | โœ… | Assign roles to security groups. | +| User.ReadWrite.All | โœ… | Manage user lifecycle in Entra ID. | + +### SHI Data Gateway Permissions + +| Permission Name | Auto Granted | Description | +|-----------------|--------------|-------------| +| LicenseReport.ReadWrite | โœ… | Store license reports after Discover runs. | +| Telemetry.Sop.ReadWrite | โœ… | Upload monthly telemetry reports. | + +### SHI Orchestration Platform Authenticator + +| Permission Name | Auto Granted | Description | +|-----------------|--------------|-------------| +| Authenticator.Attest | โœ… | Authenticate SOP against tenant during API operations. | + +--- + +## Hardware Requirements + +Hardware requirements for SHIELD vary by security level. + +### ESM & SSM (Enterprise/Specialized Security Modes) + +| Requirement | Recommended | +|-------------|-------------| +| OS | Windows 10 or later | +| RAM | 16GB or higher | +| OEMs | Microsoft Surface, Lenovo | +| Graphics | NVIDIA preferred (no AMD) | + +!!! info "Device Security Notes" + Risk of firmware-level threats is lower in ESM/SSM. Still, choose reputable OEMs and avoid unsupported firmware. + +### PSM (Privileged Security Mode) + +| Requirement | Recommended | +|-------------|-------------| +| OS | Windows 11 Secure Core Certified | +| CPU | Intel i7 / Ryzen 7 or better | +| RAM | 32GB (16GB minimum) | +| Storage | 256GB NVMe | +| Certification | [Secure Core Certified](https://www.microsoft.com/en-us/windows/business/windows-11-secured-core-computers) | + +!!! warning "Hardware Backdoor Risk" + Avoid OEMs known to support master password removal or insecure firmware (e.g., older Dell, HP, Samsung). Prioritize Secure Core Certified devices from trusted vendors. + +More info: +- [Microsoft Secure Core Devices โ€“ Microsoft](https://www.microsoft.com/en-us/windows/business/devices?col=securedcorepc) + +--- + +## Lifecycle Workflow Diagrams + +The following flowcharts describe what happens behind the scenes during key lifecycle operations. + +### Device Workflows + +- ๐Ÿ“Š [Device Commissioning](Defend/Reference/Diagrams/Device-Commission.md) +- ๐Ÿ“Š [Device Decommissioning](Defend/Reference/Diagrams/Device-Decommission.md) +- ๐Ÿ“Š [Device Assignment](Defend/Reference/Diagrams/Device-Assign.md) +- ๐Ÿ“Š [Device Unassignment](Defend/Reference/Diagrams/Device-Unassign.md) + +### User Workflows + +- ๐Ÿ“Š [User Commissioning](Defend/Reference/Diagrams/User-Commission.md) +- ๐Ÿ“Š [User Decommissioning](Defend/Reference/Diagrams/User-Decommission.md) + +These diagrams match the logic used in the SHIELD backend and provide a visual reference for each action. + +--- + +## Related Pages + +- [Deployment Guide](Getting-Started.md) +- [Usage Guide](Usage-Guide.md) +- [Prerequisites](Prerequisites/index.md) + diff --git a/docs/SHIELD/Reference/Architecture/Diagrams/Initialization-ServerAuth.md b/docs/SHIELD/Reference/Architecture/Diagrams/Initialization-ServerAuth.md deleted file mode 100644 index ba05c18..0000000 --- a/docs/SHIELD/Reference/Architecture/Diagrams/Initialization-ServerAuth.md +++ /dev/null @@ -1,73 +0,0 @@ ---- -hide: - - toc ---- -# Initialization - Orchestration Authentication - -The authentication system is responsible for authenticating, and authorizing the SHIELD orchestration client to the various Microsoft APIs. - -The Authentication engine is configured via [environmental variables](../../../Reference/Settings/Environmental-Variables-Reference.md) in combination with the use of managed identity. - ---- - -## Legend - -``` mermaid -flowchart TD - -Start[/"Start"\] -Process["Process"] -Conditional(["Conditional Check"]) -Stop{{"Stop Execution"}} - -start1[ ] --> | Execution Flow, Carries Data | end1[ ] -style start1 height:0px; -style end1 height:0px; -start2[ ] -.-> | Decision, Carries data | end2[ ] -style start2 height:0px; -style end2 height:0px; -``` - ---- - -## Process - -``` mermaid -flowchart TD - -Start[/"Start"\] -ValidateAuthData["Validate the authentication data\nand set authentication mode in the state"] -ManagedIdentityIdCheck(["Check if MI ID was provided"]) -CreateMiWithId["Create MI Credential\n(Using a User Assigned MI)"] -CreateMiWithoutId["Create MI Credential\n(Using a System Assigned MI)"] -CheckAuthType(["Check Auth Type in State"]) -QueueKvSecretAuth["Queue Client Secret Auth\nusing a Secret in Key Vault"] -QueueAppRegAuth["Queue Client Secret Auth\nUsing secret in environmental variable"] -QueueMiAuth["Queue Managed Identity Auth"] -FailAuthQueue{{"End\n(Failed to select auth type)"}} -ChainAuth["Create Credential Chain"] -StoreAuthChain["Store the Cred Chain in class instance"] -GetToken["Get Entra ID Authentication Token"] -ExtractTenant["Extract Tenant ID"] -StoreTenantId["Store Tenant ID in State"] -SuccessEnd{{"End\n(Successful Execution)"}} - -Start --> ValidateAuthData -ValidateAuthData --> ManagedIdentityIdCheck -ManagedIdentityIdCheck -.-> | Yes | CreateMiWithId -ManagedIdentityIdCheck -.-> | No | CreateMiWithoutId -CreateMiWithId --> | Managed Identity Credential | CheckAuthType -CreateMiWithoutId --> | Managed Identity Credential | CheckAuthType -CheckAuthType -.-> | Key Vault | QueueKvSecretAuth -CheckAuthType -.-> | App Registration | QueueAppRegAuth -CheckAuthType -.-> | Managed Identity | QueueMiAuth -CheckAuthType -.-> | Invalid State | FailAuthQueue -QueueKvSecretAuth --> | Azure Credential Object | ChainAuth -QueueAppRegAuth --> | Azure Credential Object | ChainAuth -QueueMiAuth --> | Azure Credential Object | ChainAuth -ChainAuth --> | Chained Credential Object | StoreAuthChain -StoreAuthChain --> | Chained Credential Object | GetToken -GetToken --> | Raw Auth Token | ExtractTenant -ExtractTenant --> | Tenant ID | StoreTenantId -StoreTenantId --> SuccessEnd -``` diff --git a/docs/SHIELD/Reference/Architecture/Infrastructure/Identity-Protection-Policy.md b/docs/SHIELD/Reference/Architecture/Infrastructure/Identity-Protection-Policy.md deleted file mode 100644 index e51a72d..0000000 --- a/docs/SHIELD/Reference/Architecture/Infrastructure/Identity-Protection-Policy.md +++ /dev/null @@ -1,159 +0,0 @@ -Conditional Access Policies are critical to how Entra ID secures sign in. -Below are the list of policies that are automatically deployed and why they are necessary for securing privileged access. - -## SOP - Compliance - -- **Setting Name:** SOP - Compliance -- **Type of Policy:** Conditional Access -- **Description:** -Requires devices to be marked as compliant and requires MFA sign in -- **Why it is needed (what does it secure against):** -Forces devices to be managed devices and requires MFA to protect all cloud apps. Protects against credential theft or any any attempt to password spray, brute force, or otherwise reuse credentials. -- **Who this applies to:** -Entra ID Groups: Privileged device Devices & Privileged Users -- **When the policy triggers:** -When a principal in the Privileged device Devices or Privileged User group attempts to access any cloud app. - -## SOP - User Risk - -- **Setting Name:** SOP - User Risk -- **Description:** -Prevents signing in if user has a user risk of Low/Medium/High -- **Why it is needed (what does it secure against):** -If a user risk of Low/Medium/High is detected, it will block the sign in. Prevents attacks that attempt to reuse credentials in unfamiliar locations from risky IPs(as determined by Microsoft Threat Intelligence), and from suspicious behavior. -- **Who this applies to:** -Entra ID Groups: Privileged device Devices & Privileged Users -- **When the policy triggers:** -When a principal in the Privileged device Devices or Privileged User group attempts to access any cloud app with a user risk of Low/Medium/High, their sign in will be blocked. - -## SOP - Sign-in Risk - -- **Setting Name:** SOP - Sign-in Risk -- **Description:** -Prevents signing in if user has a sign-in risk of Low/Medium/High -- **Why it is needed (what does it secure against):** -If a sign-in risk of Low/Medium/High is detected, it will block the sign in. This will protect against unfamiliar location sign in attempts that the principal has not signed in from before. -- **Who this applies to:** -Entra ID Groups: Privileged device Devices & Privileged Users -- **When the policy triggers:** -When a principal in the Privileged device Devices or Privileged User group attempts to access any cloud app with a sign-in risk of Low/Medium/High, their sign in will be blocked. - -## SOP - OS Enforcement - -- **Setting Name:** SOP - OS Enforcement -- **Description:** -Prevents signing in if user is NOT using Windows OS -- **Why it is needed (what does it secure against):** -Ensures sign ins are only coming from Windows OS machines. Protects against attackers attempting to utilize other operating systems. -- **Who this applies to:** -Entra ID Groups: Privileged device Devices & Privileged Users -- **When the policy triggers:** -When a principal in the in Privileged device Devices or Privileged Users attempts to sign into any cloud app from a NON Windows OS, their sign in will be blocked. - -## SOP - Location - -- **Setting Name:** SOP - Location -- **Description:** -Prevents signing in if user is in a known risky location -- **Why it is needed (what does it secure against):** -Ensures sign ins are only coming from United States based IPs. Protects against credential theft. -- **Who this applies to:** -Entra ID Groups: Privileged device Devices & Privileged Users -- **When the policy triggers:** -When a principal in the Privileged device Devices or Privileged Users attempts to sign into any cloud app from outside the United States, their sign in will be blocked. - -## SOP - Legacy Auth - -- **Setting Name:** SOP - Legacy Auth -- **Description:** -Prevents signing in if user is utilizing legacy authentication such as Exchange ActiveSync, POP, IMAP, SMTP. -- **Why it is needed (what does it secure against):** -Ensures sign ins are only coming from modern authentication. -- **Who this applies to:** -Entra ID Groups: Privileged device Devices & Privileged Users -- **When the policy triggers:** -When a principal in the Privileged device Devices or Privileged Users attempts to sign into any cloud app utilizing legacy authentication, their sign in will be blocked. - -## SOP - Hardware Enforcement - -- **Setting Name:** SOP - Hardware Enforcement -- **Description:** -Prevents signing in if user is not signing in from a Privileged device configured device. Devices must meet the naming convention set through Intune Autopilot and a custom extension attribute to be allowed sign in from this policy. -- **Why it is needed (what does it secure against):** -Ensures sign ins are only coming from Privileged device configured devices. Protects against privilege escalation attempts from other devices managed by the organization, but are not Privileged devices. -- **Who this applies to:** -Entra ID Groups: Privileged device Devices & Privileged Users -- **When the policy triggers:** -When a principal in the Privileged device Devices or Privileged Users attempts to sign into any cloud app utilizing a device not meeting the custom extension attribute and not falling under the autopilot naming convention, their sign in will be blocked. - -## SOP - MCAS - -- **Setting Name:** SOP - MCAS -- **Description:** -Sends all cloud sessions over to Microsoft Cloud App Security -- **Why it is needed (what does it secure against):** -Ensures sessions are going over to Microsoft Cloud App Security for tracking, additional policy configuration, and security controls. -- **Who this applies to:** -Entra ID Groups: Privileged device Devices & Privileged Users -- **When the policy triggers:** -When any principal from Privileged device Devices or Privileged Users accesses any cloud app. - -## SOP - MFA - -- **Setting Name:** SOP - MFA -- **Description:** -Requires a multi-factor credential when signing in. -- **Why it is needed (what does it secure against):** -Ensures sign ins are protected through multi-factor authentication. Protects against credential theft and password attacks. -- **Who this applies to:** -Entra ID Groups: Privileged device Devices & Privileged Users -- **When the policy triggers:** -All sign-ins by principals in the Privileged device Devices and Privileged Users will require a MFA token - -## SOP - Session Duration - -- **Setting Name:** SOP - Session Duration -- **Description:** -Forces principals to re-authenticate utilizing their Entra ID credentials after their session has been established for 9 hours -- **Why it is needed (what does it secure against):** -Ensures users cannot leave sessions open over multiple days and reduces risk of someone utilizing an established session after hours. -- **Who this applies to:** -Entra ID Groups: Privileged device Devices & Privileged Users -- **When the policy triggers:** -After a session has existed for 9 hours, principals will be required to re-authenticate - -## SOP - Session Persistence - -- **Setting Name:** SOP - Session Persistence -- **Description:** -When a browser session is closed, it will require principals to re-authenticate into all cloud apps utilizing their Entra ID credentials. -- **Why it is needed (what does it secure against):** -Ensures that on new browser sessions, new sessions will be established utilizing a principals Entra ID credentials -- **Who this applies to:** -Entra ID Groups: Privileged device Devices & Privileged Users -- **When the policy triggers:** -When a browser session is closed and relaunched, a re-authentication will occur. - -## SOP - Disable CA Resilience Downgrade - -- **Setting Name:** SOP - Disable CA Resilience Downgrade -- **Description:** -If their is an outage in Entra ID and Conditional Access policies cannot be evaluated, it will block principals from authenticating. -- **Why it is needed (what does it secure against):** -Ensures that no principals can bypass any Conditional Access policies when their is an outage. -- **Who this applies to:** -Entra ID Groups: Privileged device Devices & Privileged Users -- **When the policy triggers:** -If their is an outage in Entra ID, once a principals session expires they will not be able to continue in their session until Entra ID Conditional Access is able to be evaluated again. - -## Continuous Access Evaluation - -- **Setting Name:** Continuous Access Evaluation -- **Description:** -Anytime Entra ID detects a change in signal on the session, such as location, IP address, permissions, it will reprocess the conditional access policies on the account -- **Why it is needed (what does it secure against):** -This protects against credential theft attacks, session stealing, and users inadvertently trying to authenticate from prohibited locations. If a user is authenticated in a permitted location and then moves to a prohibited location it will then end the session. -- **Who this applies to:** -Entra ID Groups: Privileged device Devices & Privileged Users or all users if already set. -- **When the policy triggers:** -Anytime there is a change in signal on the token diff --git a/docs/SHIELD/Reference/Architecture/Securing-Privileged-Access.md b/docs/SHIELD/Reference/Architecture/Securing-Privileged-Access.md deleted file mode 100644 index 165c0c7..0000000 --- a/docs/SHIELD/Reference/Architecture/Securing-Privileged-Access.md +++ /dev/null @@ -1,43 +0,0 @@ ---- -hide: - - toc ---- -# Securing Privileged Access (SPA) - -Microsoft's Securing Privileged Access (SPA) is a comprehensive solution designed to help organizations protect their critical assets from unauthorized access or data breaches. SPA provides a unified platform for managing and monitoring privileged access across an organization's entire infrastructure, including on-premises, cloud, and hybrid environments. - -Below is a diagram that represents the architecture from a top down view. - -``` mermaid -flowchart LR - privInterface <--> businessAssets - entInterface <--> businessAssets - - subgraph businessAssets [Business Systems and Assets] - subgraph Technology - ITSM - Databases - DCs("Domain Controllers") - ADFS("AD FS") - ADCS("AD CS") - cloud("Cloud Hosts (Azure, AWS, GCP, etc.)") - end - - subgraph misc [Other Departments] - Executive - Legal - HR - Finance - end - end - - subgraph Privileged [Privileged Access] - privIdent --- privInterface - privDev("Devices") --- privIdent("Identities") -.- privIntermediary("Intermediaries") -.- privInterface("Interfaces") - end - - subgraph Enterprise [Enterprise Access] - entIdent --- entInterface - entDev("Devices") --- entIdent("Identities") -.- entIntermediary("Intermediaries") -.- entInterface("Interfaces") - end -``` diff --git a/docs/SHIELD/Reference/Development/Data-Formats/0-DeviceGroup-Description.md b/docs/SHIELD/Reference/Development/Data-Formats/0-DeviceGroup-Description.md deleted file mode 100644 index b01941e..0000000 --- a/docs/SHIELD/Reference/Development/Data-Formats/0-DeviceGroup-Description.md +++ /dev/null @@ -1,96 +0,0 @@ -# Device - Unique Group - -This application stores its managed device configurations in the security group description that the managed device is directly a member of. Because of this, do not change the description field that was configured by this app, otherwise you could cause issues with the management of your devices. - -Order of the description's items does not matter, the below config is displayed in a logical order. The actual values may be in any order depending on the initialization of features and which order they were turned on. - ---- - -## Examples - -Examples of various managed device unique group descriptions. - ---- - -### Privileged Device - -``` title="SOP - PSM - ce27fc58-0d74-4d72-bba2-105d8d90483f ๐Ÿ’ป" -CommissionedDate=2023-07-18T01:35:34.760Z,UserAssignment=8fe82ce9-cd69-4f4d-a6d0-8508fa163381,GroupAssignment=8e544b86-39ae-44c1-9ba4-0faeb456f259 -``` - -### Privileged Device Hosted in Another Device - -``` title="SOP - PSM - 029f899b-e08a-4434-8e47-355bea58680f ๐Ÿ’ป" -CommissionedDate=2023-07-18T01:35:34.760Z,UserAssignment=db9892d0-43f3-4688-b6c4-1a38267ca4cb,GroupAssignment=f6fbec86-904b-473f-be0d-3681df9022c8,ParentDevice=bf7b6877-5e7d-4945-a71f-b9b0f257e696 -``` - -### Enterprise class device - -``` title="SOP - ESM - 2db6bcf4-8cb3-4284-8ef4-57a525128344 ๐Ÿ’ป" -CommissionedDate=2023-07-18T01:35:34.760Z -``` - ---- - -## Properties - -Technical details on the properties/values that can be set on the device unique groups. - ---- - -### CommissionedDate - -**Expected Data:** -The JavaScript [`toJSON()`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toJSON) output of the [`Date`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date) object that represents the time when the device was commissioned. - -**Description:** -This is used to keep track of when a device was commissioned. This could be useful for audit, governance or tamper detection. - -**Example:** -`CommissionedDate=2023-07-18T01:35:34.760Z` - ---- - -### UserAssignment - -**Expected Data:** -The object ID (GUID) of the settings catalog that controls the assignment of user accounts for the specified privileged device. - -**Description:** -The settings catalog keeps track of the user accounts that are allowed to log into the privileged device. -This property is just a pointer to the relevant settings catalog. - -Only privileged devices will have this property as user assignments only occur on privileged devices. - -**Example:** -`UserAssignment=db9892d0-43f3-4688-b6c4-1a38267ca4cb` - ---- - -### GroupAssignment - -**Expected Data:** -The object ID (GUID) of the settings catalog that controls the local membership of user accounts for the specified privileged device. - -**Description:** -The custom settings (OMA-URI) template enforces local admin and hyper-v admin rights on the local device. -This property is just a pointer to the relevant settings catalog. - -Only privileged devices will have this property as strict local group management only occurs on privileged devices. - -**Example:** -`GroupAssignment=f6fbec86-904b-473f-be0d-3681df9022c8` - ---- - -### ParentDevice - -**Expected Data:** -The Device ID (GUID) of the device that hosts the current device. - -**Description:** -Devices can be hosted on other devices, this field is used to correlate these devices. -This will usually be used with privileged devices where a privileged device hosts another privileged device. - -**Example:** -`ParentDevice=bf7b6877-5e7d-4945-a71f-b9b0f257e696` diff --git a/docs/SHIELD/Reference/Development/Data-Formats/2-PSM-IntuneScopeTag.md b/docs/SHIELD/Reference/Development/Data-Formats/2-PSM-IntuneScopeTag.md deleted file mode 100644 index f4a6b67..0000000 --- a/docs/SHIELD/Reference/Development/Data-Formats/2-PSM-IntuneScopeTag.md +++ /dev/null @@ -1,139 +0,0 @@ -# PSM - Intune Scope Tag - -The [prefix](../../Settings/Environmental-Variables-Reference.md#sop_name_prefix) and [suffix](../../Settings/Environmental-Variables-Reference.md#sop_name_suffix) can be changed in the SHIELD server settings. The default settings are being used for the tag name below. - -## Example Configurations - -Example configurations of the privileged security class Intune Scope Tag. - ---- - -### Default Naming - -``` INI title="SOP - PSM" -AU=5767b44d-8e1c-4c1d-9770-675be4900e6d -DevSg=0b7a6be8-deee-4f93-97bd-082926a7349c -UsrSg=e7f4c4f4-c457-45ae-883b-820b368f8310 -SiloSg=973e7bb7-1e7b-4269-98f4-0e169aa4ce57 -InterSg=8ee5bcdd-8406-4ad6-9845-6a36fb895438 -Config=44c05cd0-8a3c-43fe-b47f-3ac329381d1b -UsrTag=96735da7-260b-44aa-b7bd-f463bc5c9f4a -``` - -### Custom Prefix and Suffix Naming - -``` INI title="eLabs - PSM - Cloud" -AU=1d576094-f918-4741-8339-e93ae4e9a1d8 -DevSg=3267afa7-9bfb-40ff-ba6b-096ba66a7d60 -UsrSg=55435fae-7bc7-4bbd-a5fe-ecf896226324 -SiloSg=7af57f26-5a4b-4188-8e0c-dab0a70ac6a9 -InterSg=763b2330-6364-43b2-985f-e6d78a736b7d -Config=179ca1b2-de83-48c2-ac26-8e1d1a3c0951 -UsrTag=cd0214b7-54b0-4211-bb5a-63798e197d20 -``` - ---- - -## Properties - -Technical details on the properties/values that can be set on the privileged scope tag. - ---- - -### AU - -**Expected Data:** -The Object ID (GUID) of the Administrative Unit that contains all of the privileged objects. - -**Description:** -This is an Entra ID Restricted Admin Unit that contains a list of security groups, devices, apps and users. -The group is made in such a way (restricted AU) that existing admins will have no access. To manage objects in the AU, you need to have an AU scoped role assignment for this AU. -The membership of this AU is automatically maintained by SHIELD. - -**Example:** -`AU=5767b44d-8e1c-4c1d-9770-675be4900e6d` - ---- - -### DevSg - -**Expected Data:** -The Object ID (GUID) of the Security Group that is the parent of all of the unique privileged device security groups. - -**Description:** -This is used as the root search point to identify all of the privileged devices. -The application will treat all device identities and security groups under this SG to be privileged devices. - -**Example:** -`DevSg=0b7a6be8-deee-4f93-97bd-082926a7349c` - ---- - -### UsrSg - -**Expected Data:** -The Object ID (GUID) of the Security Group that is the parent of all of the unique privileged user security groups. - -**Description:** -This is used as the root search point to identify all of the privileged users. -The application will treat all user identities and security groups under this SG to be privileged users. - -**Example:** -`UsrSg=e7f4c4f4-c457-45ae-883b-820b368f8310` - ---- - -### SiloSg - -**Expected Data:** -The Object ID (GUID) of the Security Group that contains all of the privileged silos. - -**Description:** -This security group only contains only security groups. The security groups that are members of this SG contain the configuration of their respective silo. Each security group that is a member of this SG represents a single silo. - -This SG contains only privileged silos. - -**Example:** -`SiloSg=b259dff3-34a7-43af-a2af-e94d36552cb9` - ---- - -### InterSg - -**Expected Data:** -The Object ID (GUID) of the Security Group that contains all of the privileged intermediaries. - -**Description:** -This security group only contains only security groups. The security groups that are members of this SG contain the configuration of their respective intermediary. Each security group that is a member of this SG represents a single intermediary. - -This SG contains only privileged intermediaries. - -**Example:** -`InterSg=b53d5d7d-d5c2-4d28-bf1f-7c3925cfc60e` - ---- - -### Config - -**Expected Data:** -The Object ID (GUID) of the Security Group that contains all of the privileged configurations. - -**Description:** -This security group is used for non-user/device configuration management, mostly for the marketplace and various intermediaries. This could also be used for by the end user to add config support to their custom stuff outside of SHIELD's lifecycle management and marketplace engines. This Security Group will be scanned for transitive membership count during license usage evaluation. - -**Example:** -`Config=b0be63f9-d6ff-422b-b026-6e5e9ba8e15a` - ---- - -### UsrTag - -**Expected Data:** -The Object ID (GUID) of the Security Group that contains all of the privileged users. - -**Description:** -This security group only contains users. Specifically all of the privileged (priv) users. -This group is assigned a permanent Entra ID role so that when the priv user logs into a Windows machine, the role's SID is exposed to the local machine. This can then be used to block authentication. - -**Example:** -`UsrTag=96735da7-260b-44aa-b7bd-f463bc5c9f4a` diff --git a/docs/SHIELD/Reference/Development/Data-Formats/3-SSM-IntuneScopeTag.md b/docs/SHIELD/Reference/Development/Data-Formats/3-SSM-IntuneScopeTag.md deleted file mode 100644 index fe0b2da..0000000 --- a/docs/SHIELD/Reference/Development/Data-Formats/3-SSM-IntuneScopeTag.md +++ /dev/null @@ -1,122 +0,0 @@ -# SSM - Intune Scope Tag - -The [prefix](../../Settings/Environmental-Variables-Reference.md#sop_name_prefix) and [suffix](../../Settings/Environmental-Variables-Reference.md#sop_name_suffix) can be changed in the SHIELD server settings. The default settings are being used for the tag name below. - -## Example Configurations - -Example configurations of the specialized security class Intune Scope Tag. - ---- - -### Default Naming - -``` INI title="SOP - SSM" -AU=037b1de8-ed8e-4a6f-9647-80f24ec4c0e7 -DevSg=473e19d7-9472-4575-9708-6c0ac3d92085 -UsrSg=8beae504-9f15-429c-a64c-1c764c8bfd0b -SiloSg=a5b56352-1a8f-46f1-9cbd-e23741f7d250 -InterSg=3302d571-cd36-4206-8c97-357bab06067a -Config=81c25c86-4ae9-480d-853e-964c59d34ee0 -``` - -### Custom Prefix and Suffix Naming - -``` INI title="eLabs - SSM - Cloud" -AU=f7992cd7-98d8-481d-82b4-8da77f3e99c9 -DevSg=233dc85a-3199-4560-8094-97175b611637 -UsrSg=d45e7fa0-050f-4635-819d-2ca063c37a7f -SiloSg=68b65d6b-2206-413f-82b3-70be052eeb09 -InterSg=cf6169cf-fb48-46d8-a636-2c7cab3864d1 -Config=8bf74523-bdc4-4fd0-9a64-85da259fcb7c -``` - ---- - -## Properties - -Technical details on the properties/values that can be set on the specialized scope tag. - ---- - -### AU - -**Expected Data:** -The Object ID (GUID) of the Administrative Unit that contains all of the specialized objects. - -**Description:** -This is a normal Entra ID Admin Unit that contains a list of specialized security groups, devices, apps and users. -The membership of this AU is automatically maintained by SHIELD. - -**Example:** -`SAu=037b1de8-ed8e-4a6f-9647-80f24ec4c0e7` - ---- - -### DevSg - -**Expected Data:** -The Object ID (GUID) of the Security Group that is the parent of all of the individual specialized device security groups. - -**Description:** -This is used as the root search point to identify all of the specialized devices. -The application will treat all device identities and security groups under this SG to be specialized devices. - -**Example:** -`DevSg=473e19d7-9472-4575-9708-6c0ac3d92085` - ---- - -### UsrSg - -**Expected Data:** -The Object ID (GUID) of the Security Group that is the parent of all of the individual specialized user security groups. - -**Description:** -This is used as the root search point to identify all of the specialized users. -The application will treat all users identities and security groups under this SG to be specialized users. - -**Example:** -`UsrSg=8beae504-9f15-429c-a64c-1c764c8bfd0b` - ---- - -### SiloSg - -**Expected Data:** -The Object ID (GUID) of the Security Group that contains all of the specialized silos. - -**Description:** -This security group only contains only security groups. The security groups that are members of this SG contain the configuration of their respective silo. Each security group that is a member of this SG represents a single silo. - -This SG contains only specialized silos. - -**Example:** -`SiloSg=36cbf501-b13e-45cc-8f80-6d52a4429c89` - ---- - -### InterSg - -**Expected Data:** -The Object ID (GUID) of the Security Group that contains all of the specialized intermediaries. - -**Description:** -This security group only contains only security groups. The security groups that are members of this SG contain the configuration of their respective intermediary. Each security group that is a member of this SG represents a single intermediary. - -This SG contains only specialized intermediaries. - -**Example:** -`InterSg=7b7c24ab-fbc6-4ed3-8aae-6fe9103974ce` - ---- - -### Config - -**Expected Data:** -The Object ID (GUID) of the Security Group that contains all of the specialized configurations. - -**Description:** -This security group is used for non-user/device configuration management, mostly for the marketplace and various intermediaries. This could also be used for by the end user to add config support to their custom stuff outside of SHIELD's lifecycle management and marketplace engines. This Security Group will be scanned for transitive membership count during license usage evaluation. - -**Example:** -`Config=8cceab01-e50b-4e8a-89f0-ea9ded40d9ec` diff --git a/docs/SHIELD/Reference/Development/Data-Formats/4-ESM-IntuneScopeTag.md b/docs/SHIELD/Reference/Development/Data-Formats/4-ESM-IntuneScopeTag.md deleted file mode 100644 index 1c352e1..0000000 --- a/docs/SHIELD/Reference/Development/Data-Formats/4-ESM-IntuneScopeTag.md +++ /dev/null @@ -1,122 +0,0 @@ -# ESM - Intune Scope Tag - -The [prefix](../../Settings/Environmental-Variables-Reference.md#sop_name_prefix) and [suffix](../../Settings/Environmental-Variables-Reference.md#sop_name_suffix) can be changed in the SHIELD server settings. The default settings are being used for the tag name below. - -## Example Configurations - -Example configurations of the enterprise security class Intune Scope Tag. - ---- - -### Default Naming - -``` INI title="SOP - ESM" -AU=5b7c868e-98bf-437e-acf6-32c433328198 -DevSg=66eeb4f4-91f8-431f-a336-1adf7bcb276f -UsrSg=3fd68a6f-0fd0-45b3-84ec-bfadccb10350 -SiloSg=628fceed-4c6c-42b6-ab15-8513a265b1b1 -InterSg=814fb4a4-c484-4e41-80ff-089b61031221 -Config=8fa10c0d-8d51-49e4-8476-ed8e22374881 -``` - -### Custom Prefix and Suffix Naming - -``` INI title="eLabs - ESM - Cloud" -AU=3e54c5c2-a2cf-4ca5-897e-97d706b5e31b -DevSg=d014ae16-7748-4722-ba28-196a008bcb30 -UsrSg=08fd53d4-b002-40cf-bcfa-95a7fcda0bcd -SiloSg=3c80e644-e631-41f1-b426-0183482ef716 -InterSg=8af317ee-7ce4-40c8-bd2a-b5fba7afe39e -Config=508c54d2-8a6f-4212-a506-ef0622dd766e -``` - ---- - -## Properties - -Technical details on the properties/values that can be set on the enterprise scope tag. - ---- - -### AU - -**Expected Data:** -The Object ID (GUID) of the Administrative Unit that contains all of the enterprise objects. - -**Description:** -This is a normal Entra ID Admin Unit that contains a list of enterprise security groups, devices, apps and users. -The membership of this AU is automatically maintained by SHIELD. - -**Example:** -`AU=5b7c868e-98bf-437e-acf6-32c433328198` - ---- - -### DevSg - -**Expected Data:** -The Object ID (GUID) of the Security Group that is the parent of all of the enterprise class device security groups. - -**Description:** -This is used as the root search point to identify all of the enterprise devices. -The application will treat all device identities and security groups under this SG to be enterprise devices. - -**Example:** -`DevSg=66eeb4f4-91f8-431f-a336-1adf7bcb276f` - ---- - -### UsrSg - -**Expected Data:** -The Object ID (GUID) of the Security Group that is the parent of all of the enterprise class user security groups. - -**Description:** -This is used as the root search point to identify all of the enterprise users. -The application will treat all user identities and security groups under this SG to be enterprise users. - -**Example:** -`UsrSg=3fd68a6f-0fd0-45b3-84ec-bfadccb10350` - ---- - -### SiloSg - -**Expected Data:** -The Object ID (GUID) of the Security Group that contains all of the enterprise silos. - -**Description:** -This security group only contains only security groups. The security groups that are members of this SG contain the configuration of their respective silo. Each security group that is a member of this SG represents a single silo. - -This SG contains only enterprise silos. - -**Example:** -`SiloSg=28cb89fe-8226-4fec-bd23-48481a264117` - ---- - -### InterSg - -**Expected Data:** -The Object ID (GUID) of the Security Group that contains all of the enterprise intermediaries. - -**Description:** -This security group only contains only security groups. The security groups that are members of this SG contain the configuration of their respective intermediary. Each security group that is a member of this SG represents a single intermediary. - -This SG contains only enterprise intermediaries. - -**Example:** -`InterSg=f3637d69-364b-48a3-8067-cb2305e332ef` - ---- - -### Config - -**Expected Data:** -The Object ID (GUID) of the Security Group that contains all of the enterprise configurations. - -**Description:** -This security group is used for non-user/device configuration management, mostly for the marketplace and various intermediaries. This could also be used for by the end user to add config support to their custom stuff outside of SHIELD's lifecycle management and marketplace engines. This Security Group will be scanned for transitive membership count during license usage evaluation. - -**Example:** -`Config=02d4399a-5c6a-447f-9d0f-38bbdf2b24b9` diff --git a/docs/SHIELD/Reference/Development/Data-Formats/1-Common-IntuneScopeTag.md b/docs/SHIELD/Reference/Development/Data-Formats/Intune Scope Tag.md similarity index 85% rename from docs/SHIELD/Reference/Development/Data-Formats/1-Common-IntuneScopeTag.md rename to docs/SHIELD/Reference/Development/Data-Formats/Intune Scope Tag.md index cc88da4..4916c63 100644 --- a/docs/SHIELD/Reference/Development/Data-Formats/1-Common-IntuneScopeTag.md +++ b/docs/SHIELD/Reference/Development/Data-Formats/Intune Scope Tag.md @@ -49,7 +49,7 @@ Technical details on the properties/values that can be set on the root/common sc This is a whole number that is the unique ID of the scope tag. **Description:** -This is the ID of the Intune Role Scope Tag that separates privileged configurations from other [security classes](../../Architecture/Securing-Privileged-Access.md). The description field also contains additional context and configurations as described [here](2-PSM-IntuneScopeTag.md). +This is the ID of the Intune Role Scope Tag that separates privileged configurations from other [security classes](../../../Deploy/index.md#what-is-spa). **Example:** `PsmId=21` @@ -62,7 +62,7 @@ This is the ID of the Intune Role Scope Tag that separates privileged configurat This is a whole number that is the unique ID of the scope tag. **Description:** -This is the ID of the Intune Role Scope Tag that separates specialized configurations from other [security classes](../../Architecture/Securing-Privileged-Access.md). The description field also contains additional context and configurations as described [here](3-SSM-IntuneScopeTag.md). +This is the ID of the Intune Role Scope Tag that separates specialized configurations from other [security classes](../../../Deploy/index.md#what-is-spa). **Example:** `SsmId=21` @@ -75,7 +75,7 @@ This is the ID of the Intune Role Scope Tag that separates specialized configura This is a whole number that is the unique ID of the scope tag. **Description:** -This is the ID of the Intune Role Scope Tag that separates enterprise configurations from other [security classes](../../Architecture/Securing-Privileged-Access.md). The description field also contains additional context and configurations as described [here](4-ESM-IntuneScopeTag.md). +This is the ID of the Intune Role Scope Tag that separates enterprise configurations from other [security classes](../../../Deploy/index.md#what-is-spa). **Example:** `EsmId=21` diff --git a/docs/SHIELD/Reference/Settings/Configure-Managed-Identity.md b/docs/SHIELD/Reference/Settings/Configure-Managed-Identity.md index c018309..762c2d0 100644 --- a/docs/SHIELD/Reference/Settings/Configure-Managed-Identity.md +++ b/docs/SHIELD/Reference/Settings/Configure-Managed-Identity.md @@ -34,7 +34,7 @@ No fear, PowerShell is here! Check out this PowerShell app: The PowerShell app will graphically list all the managed identities, let you select one, then graphically list all the Graph API permissions you can assign it. Assign the permissions listed here: -[Required Graph API Permissions](../../Getting-Started/Deployment/Required-Graph-API-Permissions.md) +[Required Graph API Permissions](../../Prerequisites/Required-Graph-API-Permissions.md) For more information on how the PowerShell app works, check out this MS Docs article: diff --git a/docs/SHIELD/Reference/Uninstall.md b/docs/SHIELD/Reference/Uninstall.md new file mode 100644 index 0000000..cc75abf --- /dev/null +++ b/docs/SHIELD/Reference/Uninstall.md @@ -0,0 +1,77 @@ +# Uninstall + +This section covers how to uninstall or reset SHIELD's Deploy module infrastructure and outlines common considerations for support and recovery scenarios. + +--- + +## Uninstalling SHIELD Deploy Infrastructure + +The SHIELD platform uses multiple Microsoft 365 services to create configuration components. Removing these components manually is complex and can break your tenant setup. Use the provided uninstall script only if directed by SHI support. + +!!! danger "Data Loss Warning" + If you uninstall the architecture, **you will clear out any managed objects and configurations** deployed by the Deploy module. This procedure should only be followed if SHI explicitly instructs you to do so. + +!!! note "Stateless Server Reminder" + SHIELDโ€™s application server is stateless. You can safely redeploy the app after cleanup without losing data stored in the Microsoft cloud (e.g., Intune tags, Entra groups). + +--- + +## Uninstall Procedure + +1. **Stop the SHIELD server** to prevent regeneration of infrastructure during cleanup. + +2. **Download the uninstall script**: + + ๐Ÿ“ฅ [Uninstall-ShieldArchitecture.ps1](../Scripts/Uninstall-ShieldArchitecture.ps1) + +3. **Remove all Microsoft.Graph modules** to prevent version conflicts: + + ```powershell + Get-Module -Name '*Microsoft.Graph*' -ListAvailable | Uninstall-Module + ``` + +!!! note + You may have to run the above command twice because the order of operations tries to uninstall a dependency first rather than last. Running it the second time will remove the remaining dependency. + +4. **Install the correct version of Microsoft Graph Beta modules**: + + ```powershell + Install-Module -Name 'Microsoft.Graph.Beta' -RequiredVersion '2.1.0' -Scope 'AllUsers' + ``` + +5. **Run the uninstall script** to remove SHIELD-deployed infrastructure. + + The script is designed to remove: + - Entra ID groups and admin units + - Intune scope tags + - Conditional Access policies created by SHIELD + + It does **not** delete data outside the SHIELD-deployed infrastructure. + +--- + +## FAQs & Recovery Notes + +### What if the uninstall script fails? + +Try re-running the script. It is designed to be idempotent and will retry safely. Make sure you have proper permissions and the correct PowerShell modules installed. + +### Can I re-deploy SHIELD after uninstalling? + +Yes. SHIELD can be redeployed using the same app interface or script, as long as all infrastructure components have been successfully removed. + +### What is not removed? + +- Audit logs in Entra ID +- Device enrollment history +- Local device configurations if not managed via Intune + +--- + +## Related Pages + +- [Deploy Overview](../Deploy/index.md) +- [Deploy Usage Guide](../Deploy/Usage-Guide.md) +- [Deployment](../Deploy/Deployment/index.md) +- [Deploy Reference](../Deploy/Reference/index.md) + diff --git a/docs/SHIELD/Getting-Started/Deployment/Scripts/Install-Sop.ps1 b/docs/SHIELD/Scripts/Install-Sop.ps1 similarity index 100% rename from docs/SHIELD/Getting-Started/Deployment/Scripts/Install-Sop.ps1 rename to docs/SHIELD/Scripts/Install-Sop.ps1 diff --git a/docs/SHIELD/Troubleshooting/Assets/Scripts/Uninstall-ShieldArchitecture.ps1 b/docs/SHIELD/Scripts/Uninstall-ShieldArchitecture.ps1 similarity index 100% rename from docs/SHIELD/Troubleshooting/Assets/Scripts/Uninstall-ShieldArchitecture.ps1 rename to docs/SHIELD/Scripts/Uninstall-ShieldArchitecture.ps1 diff --git a/docs/SHIELD/Troubleshooting/Uninstall.md b/docs/SHIELD/Troubleshooting/Uninstall.md deleted file mode 100644 index 863f260..0000000 --- a/docs/SHIELD/Troubleshooting/Uninstall.md +++ /dev/null @@ -1,59 +0,0 @@ -# Uninstall Procedure - -Removing SHIELD from an Azure tenant is a two step process: -Removing the hosting environment and removing the configurations put in place by the orchestration software. - -!!! Danger "Data Loss Warning!!!" - If you uninstall the architecture, **you will clear out any managed objects and those configurations**, this procedure should only be followed if a SHI employee tells you to do so. - All data is stored in the architecture itself in the form of Intune Scope Tag, or Entra ID Security Group descriptions. - -!!! note - The Server software doesn't store any data (stateless) and should be safe to reinstall at the same or a newer version. - Frequently, all that is needed to be done if troubleshooting an existing fresh installation is to uninstall the architecture and run the infrastructure deployment process again. - -## Process - -It is recommended that the server software be stopped before completing any of the below so that new configurations are not generated during the removal process. - ---- - -### Architecture - -The core architecture is the set of settings across all of the managed systems (E.G. M365, Entra ID, Intune, etc.) - -1. Download the SHIELD Architecture Uninstall script: -[Uninstall-ShieldArchitecture.ps1](Assets/Scripts/Uninstall-ShieldArchitecture.ps1) - -2. Make sure to have no other `Microsoft.Graph` PowerShell Modules installed: - - ``` PowerShell title="Uninstall all Microsoft 365 Graph API PowerShell Modules" - Get-Module -Name '*Microsoft.Graph*' -ListAvailable | Uninstall-Module - ``` - - !!! note - You may have to run the above command twice because the order of operations tries to uninstall a dependency first rather than last. Running it the second time will remove the remaining dependency. - -3. Install the `Microsoft.Graph.Beta` PowerShell Module: - - ``` PowerShell title="Install Microsoft 365 Graph API Beta Modules" - Install-Module -Name 'Microsoft.Graph.Beta' -RequiredVersion '2.1.0' -Scope 'AllUsers' - ``` - ---- - -### Server - -1. Delete the `SHI-Host` resource group in Azure. - - !!! note - The resource group may have been renamed during deployment, the default name is `SHI-Host`. - -2. Delete the Server's User Login App Registration from Entra ID: -`SHI Orchestration Platform - User Login` - -3. (Optional) Delete the Server's Orchestration App Registration from Entra ID: -`SHI Orchestration Platform - Server` or `SHI Orchestration Platform - Self Host` - - !!! note - The only time step three needs to be done is if you are cleaning up a dev copy or an on-prem hosted version of the app. This doesn't need to be done for an Azure hosted copy since a Managed Identity tied to the App Server is used. - The Managed Identity would have been deleted along with the server host and software in step 1. diff --git a/docs/SHIELD/Usage-Guide.md b/docs/SHIELD/Usage-Guide.md new file mode 100644 index 0000000..c585aa4 --- /dev/null +++ b/docs/SHIELD/Usage-Guide.md @@ -0,0 +1,129 @@ +# Usage Guide + +This guide explains how to operate SHIELD once it's been deployed. It covers core infrastructure deployment, device and user lifecycle management, and links to detailed task-level workflows. + +--- + +## Core Infrastructure Management + +After deploying SHIELD, your first task is to set up the **Core Infrastructure**, which includes: + +- Security groups +- Intune Scope Tags +- Entra ID Administrative Units +- Autopilot profiles +- Conditional Access baseline policies + +These are deployed via the SHIELD UI at `{your-subdomain}.azurewebsites.net` using the **Deploy Core Infrastructure** card on the home screen. + +!!! note "Immutable Components" + Security groups, scope tags, and admin units cannot be changed after deployment. All other settings can be modified afterward. + +๐Ÿ“– For step-by-step deployment instructions, see the [Deployment Guide](./Getting-Started.md) + +--- + +## Lifecycle Management Overview + +SHIELD provides full lifecycle control of identities and devices, organized by three security levels: + +- **Enterprise** +- **Specialized** +- **Privileged** + +Lifecycle actions include: + +- Commissioning & decommissioning devices +- Assigning users to PAWs (Privileged Access Workstations) +- Creating and removing privileged users + +These operations are triggered directly from the SHIELD appโ€™s **Lifecycle Management** section. + +--- + +## Device Management + +Device operations are performed through the Lifecycle interface. The following guides explain each task: + +### Commission a Device + +- Adds devices to SHIELD management +- Privileged devices are wiped/reset before being configured + +๐Ÿ“– [Commission a Device](Defend/Usage-Guide/Device/0-Commission.md) +๐Ÿ“Š [Commission Workflow Diagram](Defend/Reference/Diagrams/Device-Commission.md) + +--- + +### Decommission a Device + +- Removes the device from SHIELD +- Privileged devices are reset and removed from their assigned groups + +๐Ÿ“– [Decommission a Device](Defend/Usage-Guide/Device/1-Decommission.md) +๐Ÿ“Š [Decommission Workflow Diagram](Defend/Reference/Diagrams/Device-Decommission.md) + +--- + +### Assign a User to a PAW + +- Assigns allowed users to a privileged device +- All other users are blocked from login + +๐Ÿ“– [Assign User](Defend/Usage-Guide/Device/2-Assign.md) +๐Ÿ“Š [Assignment Workflow](Defend/Reference/Diagrams/Device-Assign.md) + +--- + +### Unassign a User + +- Removes users from a PAW +- If no users remain, a wipe command is triggered + +๐Ÿ“– [Unassign User](Defend/Usage-Guide/Device/3-Unassign.md) +๐Ÿ“Š [Unassign Workflow](Defend/Reference/Diagrams/Device-Unassign.md) + +--- + +## User Management + +SHIELD manages three user types โ€” Privileged, Specialized, and Enterprise โ€” and supports creating, onboarding, and offboarding these accounts. + +### Commission a User + +- Adds an existing Entra ID user or creates a new cloud-only privileged account +- Temporary credentials are shown upon creation + +๐Ÿ“– [Commission a User](Defend/Usage-Guide/User/Commission.md) +๐Ÿ“Š [Commission Workflow](Defend/Reference/Diagrams/User-Commission.md) + +--- + +### Decommission a User + +- Removes the user from SHIELD +- Privileged accounts are deleted; others are de-tagged + +๐Ÿ“– [Decommission a User](Defend/Usage-Guide/User/Decommission.md) +๐Ÿ“Š [Decommission Workflow](Defend/Reference/Diagrams/User-Decommission.md) + +--- + +## Other Object Types + +SHIELD will soon support additional lifecycle workflows: + +- **Intermediaries** โ€“ Virtual session hosts or temporary worker devices +- **Interfaces/Servers** โ€“ Backend infrastructure and shared management planes + +๐Ÿ› ๏ธ Coming soon + +--- + +## Summary + +- Core Infrastructure must be deployed first +- Use Lifecycle Management to adopt and manage devices/users +- Task-level actions (commission, assign, etc.) are performed via the SHIELD UI +- Each action links to a detailed guide and diagram for deeper understanding + diff --git a/docs/SHIELD/index.md b/docs/SHIELD/index.md index ecbaacb..2292df3 100644 --- a/docs/SHIELD/index.md +++ b/docs/SHIELD/index.md @@ -23,7 +23,7 @@ SHIELD is an orchestration tool in the larger security landscape. It does not br ## Prerequisites -Check out this page for more details: [Getting Started - Prerequisites](Getting-Started/Prerequisites.md) +Check out this page for more details: [Getting Started - Prerequisites](Prerequisites/index.md) ## Recommended Environment @@ -40,9 +40,9 @@ In the rest of the documentation, we will provide detailed instructions on how t ## See Also -- [Usage Guides](Getting-Started/Usage-Guide/index.md) +- [Usage Guides](Usage-Guide.md) - Change Log - Coming Soon! - [SHIELD Architecture](Reference/Architecture/index.md) - [API Documentation](Reference/Development/OpenAPI.md) -- [Troubleshooting](Troubleshooting/Uninstall.md) +- [Troubleshooting](Deploy/Troubleshooting.md) - [Contact Us](https://shilab.com/contact) diff --git a/docs/SHIELD/assets/Images/Screenshots/Class-Selector-Enterprise-Dark.png b/docs/assets/Images/Screenshots/Class-Selector-Enterprise-Dark.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Class-Selector-Enterprise-Dark.png rename to docs/assets/Images/Screenshots/Class-Selector-Enterprise-Dark.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Class-Selector-Enterprise-Light.png b/docs/assets/Images/Screenshots/Class-Selector-Enterprise-Light.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Class-Selector-Enterprise-Light.png rename to docs/assets/Images/Screenshots/Class-Selector-Enterprise-Light.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Class-Selector-Privileged-Dark.png b/docs/assets/Images/Screenshots/Class-Selector-Privileged-Dark.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Class-Selector-Privileged-Dark.png rename to docs/assets/Images/Screenshots/Class-Selector-Privileged-Dark.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Class-Selector-Privileged-Light.png b/docs/assets/Images/Screenshots/Class-Selector-Privileged-Light.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Class-Selector-Privileged-Light.png rename to docs/assets/Images/Screenshots/Class-Selector-Privileged-Light.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Class-Selector-Specialized-Dark.png b/docs/assets/Images/Screenshots/Class-Selector-Specialized-Dark.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Class-Selector-Specialized-Dark.png rename to docs/assets/Images/Screenshots/Class-Selector-Specialized-Dark.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Class-Selector-Specialized-Light.png b/docs/assets/Images/Screenshots/Class-Selector-Specialized-Light.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Class-Selector-Specialized-Light.png rename to docs/assets/Images/Screenshots/Class-Selector-Specialized-Light.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Confirm-Unassign-Dark.png b/docs/assets/Images/Screenshots/Confirm-Unassign-Dark.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Confirm-Unassign-Dark.png rename to docs/assets/Images/Screenshots/Confirm-Unassign-Dark.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Confirm-Unassign-Light.png b/docs/assets/Images/Screenshots/Confirm-Unassign-Light.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Confirm-Unassign-Light.png rename to docs/assets/Images/Screenshots/Confirm-Unassign-Light.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Core-Infrastructure-Deployment.png b/docs/assets/Images/Screenshots/Core-Infrastructure-Deployment.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Core-Infrastructure-Deployment.png rename to docs/assets/Images/Screenshots/Core-Infrastructure-Deployment.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Decommission-Confirmation-Dialog-Dark.png b/docs/assets/Images/Screenshots/Decommission-Confirmation-Dialog-Dark.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Decommission-Confirmation-Dialog-Dark.png rename to docs/assets/Images/Screenshots/Decommission-Confirmation-Dialog-Dark.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Decommission-Confirmation-Dialog-Light.png b/docs/assets/Images/Screenshots/Decommission-Confirmation-Dialog-Light.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Decommission-Confirmation-Dialog-Light.png rename to docs/assets/Images/Screenshots/Decommission-Confirmation-Dialog-Light.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Home-Screen-Dark.png b/docs/assets/Images/Screenshots/Home-Screen-Dark.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Home-Screen-Dark.png rename to docs/assets/Images/Screenshots/Home-Screen-Dark.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Home-Screen-Light.png b/docs/assets/Images/Screenshots/Home-Screen-Light.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Home-Screen-Light.png rename to docs/assets/Images/Screenshots/Home-Screen-Light.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Select-Unmanaged-Device-Dark.png b/docs/assets/Images/Screenshots/Select-Unmanaged-Device-Dark.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Select-Unmanaged-Device-Dark.png rename to docs/assets/Images/Screenshots/Select-Unmanaged-Device-Dark.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Select-Unmanaged-Device-Light.png b/docs/assets/Images/Screenshots/Select-Unmanaged-Device-Light.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Select-Unmanaged-Device-Light.png rename to docs/assets/Images/Screenshots/Select-Unmanaged-Device-Light.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Select-Unmanaged-User-Dark.png b/docs/assets/Images/Screenshots/Select-Unmanaged-User-Dark.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Select-Unmanaged-User-Dark.png rename to docs/assets/Images/Screenshots/Select-Unmanaged-User-Dark.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Select-Unmanaged-User-Light.png b/docs/assets/Images/Screenshots/Select-Unmanaged-User-Light.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Select-Unmanaged-User-Light.png rename to docs/assets/Images/Screenshots/Select-Unmanaged-User-Light.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Select-User-to-Assign-Dark.png b/docs/assets/Images/Screenshots/Select-User-to-Assign-Dark.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Select-User-to-Assign-Dark.png rename to docs/assets/Images/Screenshots/Select-User-to-Assign-Dark.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Select-User-to-Assign-Light.png b/docs/assets/Images/Screenshots/Select-User-to-Assign-Light.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Select-User-to-Assign-Light.png rename to docs/assets/Images/Screenshots/Select-User-to-Assign-Light.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Select-User-to-Remove-Dark.png b/docs/assets/Images/Screenshots/Select-User-to-Remove-Dark.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Select-User-to-Remove-Dark.png rename to docs/assets/Images/Screenshots/Select-User-to-Remove-Dark.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Select-User-to-Remove-Light.png b/docs/assets/Images/Screenshots/Select-User-to-Remove-Light.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Select-User-to-Remove-Light.png rename to docs/assets/Images/Screenshots/Select-User-to-Remove-Light.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Select-User-to-Unassign-Dark.png b/docs/assets/Images/Screenshots/Select-User-to-Unassign-Dark.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Select-User-to-Unassign-Dark.png rename to docs/assets/Images/Screenshots/Select-User-to-Unassign-Dark.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Select-User-to-Unassign-Light.png b/docs/assets/Images/Screenshots/Select-User-to-Unassign-Light.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Select-User-to-Unassign-Light.png rename to docs/assets/Images/Screenshots/Select-User-to-Unassign-Light.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Selected-Device-Decommission-Dark.png b/docs/assets/Images/Screenshots/Selected-Device-Decommission-Dark.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Selected-Device-Decommission-Dark.png rename to docs/assets/Images/Screenshots/Selected-Device-Decommission-Dark.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Selected-Device-Decommission-Light.png b/docs/assets/Images/Screenshots/Selected-Device-Decommission-Light.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Selected-Device-Decommission-Light.png rename to docs/assets/Images/Screenshots/Selected-Device-Decommission-Light.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Spinner.png b/docs/assets/Images/Screenshots/Spinner.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Spinner.png rename to docs/assets/Images/Screenshots/Spinner.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Temporary-Credential-Dialog-Dark.png b/docs/assets/Images/Screenshots/Temporary-Credential-Dialog-Dark.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Temporary-Credential-Dialog-Dark.png rename to docs/assets/Images/Screenshots/Temporary-Credential-Dialog-Dark.png diff --git a/docs/SHIELD/assets/Images/Screenshots/Temporary-Credential-Dialog-Light.png b/docs/assets/Images/Screenshots/Temporary-Credential-Dialog-Light.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/Temporary-Credential-Dialog-Light.png rename to docs/assets/Images/Screenshots/Temporary-Credential-Dialog-Light.png diff --git a/docs/SHIELD/assets/Images/Screenshots/User-Remove-Confirmation-Dialog-Dark.png b/docs/assets/Images/Screenshots/User-Remove-Confirmation-Dialog-Dark.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/User-Remove-Confirmation-Dialog-Dark.png rename to docs/assets/Images/Screenshots/User-Remove-Confirmation-Dialog-Dark.png diff --git a/docs/SHIELD/assets/Images/Screenshots/User-Remove-Confirmation-Dialog-Light.png b/docs/assets/Images/Screenshots/User-Remove-Confirmation-Dialog-Light.png similarity index 100% rename from docs/SHIELD/assets/Images/Screenshots/User-Remove-Confirmation-Dialog-Light.png rename to docs/assets/Images/Screenshots/User-Remove-Confirmation-Dialog-Light.png diff --git a/docs/index.md b/docs/index.md index c3304f9..d6d23d2 100644 --- a/docs/index.md +++ b/docs/index.md @@ -14,8 +14,16 @@ Manages the state of security tenant wide using a multi-tiered architecture. [:lock: SHIELD](SHIELD/index.md){ .md-button } -## SHI Discover +### Deploy + +[:mag: Deploy](SHIELD/Prerequisites/index.md){ .md-button } + +### Defend + +[:mag: Defend](SHIELD/Defend/Usage-Guide/index.md){ .md-button } + +### Discover Retrieves and validates the state of license compliance tenant wide. -[:mag: Discover](Discover/index.md){ .md-button } +[:mag: Discover](SHIELD/Discover/index.md){ .md-button } diff --git a/mkdocs.yml b/mkdocs.yml index 5da86f8..3e912ff 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -1,9 +1,6 @@ site_name: SHI Orchestration Platform - Documentation site_url: https://docs.shilab.com/ site_description: Documentation for the SHI orchestration platform -repo_url: https://github.com/Software-Hardware-Integration-Lab/Documentation -repo_name: Software-Hardware-Integration-Lab/Documentation -# edit_uri: edit/main/docs/ copyright: Copyright © 2025 SHI International Corp.  |  Change cookie settings theme: name: material @@ -40,7 +37,6 @@ theme: - navigation.top - navigation.sections - navigation.indexes - - navigation.expand - navigation.footer - content.tabs.link - content.tooltips @@ -138,3 +134,96 @@ extra: name: SHI's home on Instagram watch: - includes +nav: + - Home: index.md + + - SHIELD: + - Overview: SHIELD/index.md + - Prerequisites: + - Overview: SHIELD/Prerequisites/index.md + - Graph API Permissions: SHIELD/Prerequisites/Required-Graph-API-Permissions.md + - Getting Started: SHIELD/Getting-Started.md + - Usage Guide: SHIELD/Usage-Guide.md + + - Deploy: + - Overview: SHIELD/Deploy/index.md + - Deployment: SHIELD/Deploy/Deployment/index.md + - Usage Guide: SHIELD/Deploy/Usage-Guide.md + - Reference: SHIELD/Deploy/Reference/index.md + - Troubleshooting: SHIELD/Deploy/Troubleshooting.md + + - Defend: + - Overview: SHIELD/Defend/index.md + - Prerequisites: SHIELD/Defend/Prerequisites.md + - Deployment: SHIELD/Defend/Deployment.md + - Usage Guide: + - Overview: SHIELD/Defend/Usage-Guide/index.md + - Devices: + - Commission Device: SHIELD/Defend/Usage-Guide/Device/0-Commission.md + - Decommission Device: SHIELD/Defend/Usage-Guide/Device/1-Decommission.md + - Assign Device: SHIELD/Defend/Usage-Guide/Device/2-Assign.md + - Unassign Device: SHIELD/Defend/Usage-Guide/Device/3-Unassign.md + - Users: + - Commission User: SHIELD/Defend/Usage-Guide/User/Commission.md + - Decommission User: SHIELD/Defend/Usage-Guide/User/Decommission.md + - Reference: + - Overview: SHIELD/Defend/Reference/index.md + - Hardware Selection: SHIELD/Defend/Reference/Hardware-Selection.md + - Custom Apps: + - Corp VM: + - Index: SHIELD/Defend/Reference/Custom-Apps/Corp-VM/index.md + - Changelog: SHIELD/Defend/Reference/Custom-Apps/Corp-VM/Changelog.md + - Managed Installer Config: + - Index: SHIELD/Defend/Reference/Custom-Apps/ManagedInstaller-Config/index.md + - Changelog: SHIELD/Defend/Reference/Custom-Apps/ManagedInstaller-Config/Changelog.md + - Security Config: + - Index: SHIELD/Defend/Reference/Custom-Apps/Security-Config/index.md + - Changelog: SHIELD/Defend/Reference/Custom-Apps/Security-Config/Changelog.md + - File Changes: SHIELD/Defend/Reference/Custom-Apps/Security-Config/File-Changes.md + - Registry Changes: SHIELD/Defend/Reference/Custom-Apps/Security-Config/Registry-Changes.md + - Diagrams: + - Device Commission: SHIELD/Defend/Reference/Diagrams/Device-Commission.md + - Device Decommission: SHIELD/Defend/Reference/Diagrams/Device-Decommission.md + - Device Assign: SHIELD/Defend/Reference/Diagrams/Device-Assign.md + - Device Unassign: SHIELD/Defend/Reference/Diagrams/Device-Unassign.md + - User Commission: SHIELD/Defend/Reference/Diagrams/User-Commission.md + - User Decommission: SHIELD/Defend/Reference/Diagrams/User-Decommission.md + - Lifecycle: + - Privileged Device Workflows: SHIELD/Defend/Reference/Lifecycle/Privileged Device Workflows.md + - Troubleshooting: SHIELD/Defend/Troubleshooting.md + + - Discover: + - Overview: SHIELD/Discover/index.md + - Deployment: SHIELD/Discover/Deployment/index.md + - Usage Guide: SHIELD/Discover/Usage-Guide.md + - Plugins: + - Entra ID: SHIELD/Discover/Plugins/EntraID.md + - Defender for Endpoint: SHIELD/Discover/Plugins/DefenderEndpoint.md + - Defender for Identity: SHIELD/Discover/Plugins/DefenderIdentity.md + - Supported Licenses: SHIELD/Discover/Supported-Licenses.md + - Reference: + - Overview: SHIELD/Discover/Reference/index.md + - Database Schema: SHIELD/Discover/Reference/Database-Schema.md + - Azure SQL Database: SHIELD/Discover/Reference/Azure-SQL-Database.md + - Reserved Principals: SHIELD/Discover/Reference/Reserved-Principals.md + - Architecture: + - Infrastructure: SHIELD/Discover/Reference/Architecture/Infrastructure.md + - Process Flow: SHIELD/Discover/Reference/Architecture/Process-Flow.md + - Troubleshooting: SHIELD/Discover/Troubleshooting.md + + - Reference: + - Architecture: + - Overview: SHIELD/Reference/Architecture/index.md + - Threat Model: SHIELD/Reference/Architecture/Threat-Models/ISV-To-Customer.md + - Review Template: SHIELD/Reference/Architecture/Review-Template.md + - Development: + - OpenAPI Spec: SHIELD/Reference/Development/OpenAPI.md + - Intune Scope Tag Format: SHIELD/Reference/Development/Data-Formats/Intune Scope Tag.md + - Settings: + - Configure Managed Identity: SHIELD/Reference/Settings/Configure-Managed-Identity.md + - Debug Mode: SHIELD/Reference/Settings/Debug-Mode.md + - Environment Variables: SHIELD/Reference/Settings/Environmental-Variables-Reference.md + - Uninstall: SHIELD/Reference/Uninstall.md + + - Data Gateway: + - Overview: Data-Gateway/index.md diff --git a/requirements.txt b/requirements.txt index fc06472..deda35b 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,4 @@ mkdocs == 1.6.1 -mkdocs-material == 9.6.9 +mkdocs-material == 9.6.11 mkdocs-glightbox == 0.4.0 +