M365 Conditional Access baseline + one-click browser deployer for Microsoft 365
Posted by FunctionPitiful@reddit | sysadmin | 3 comments
Sharing something I built for my own tenants and figured others might use.
For anyone managing M365: Conditional Access is the policy engine that gates sign-ins (require MFA, block legacy auth, block from outside trusted countries, etc.). Setting up a sane baseline is a half-day job per tenant and easy to misconfigure into a lockout.
Built a hardened baseline (40 policies, 6 personas including admins / guests / service accounts / workload agents) and a browser-based deployer that ships it without any of the usual hassle:
- No client secrets, no GitHub Actions, no scripts, no Cloud Shell
- Click a button on the README, sign in to your tenant as a CA admin, deploys via delegated Graph
- Everything lands in report-only by default (a few in disabled where report-only doesn't apply). You enable manually after review.
- Skips any policy where the display name already exists — won't overwrite anything you've tuned
- Dry run mode
Lockout-safe by design: the deploy code hardcodes the disabled/report-only state, so even a bad commit can't flip policies to enforced.
https://github.com/Teuftis/ConditionalAccessBaseline-Hardened
MIT, free, open to feedback. If you spin it up on a dev tenant and something breaks, file an issue.
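To make the "lockout-safe by design" claim concrete, here is an added example of the three controls the post describes (hard-coded report-only/disabled state, skip-if-display-name-exists, dry run) written as a small Graph deployer core. This is illustrative code, not the linked project's own deploy logic. The `/identity/conditionalAccess/policies` endpoint and the `state` values (`enabledForReportingButNotEnforced`, `disabled`) are real Graph API values; the policy names, the in-memory "tenant", the `fetch`-style transport and the bearer token are constructed for the example.

```javascript
// Added example, not code from the ConditionalAccessBaseline-Hardened project.
// Graph endpoint and state enum values are real; everything else is constructed.
const GRAPH_POLICIES_URL =
  "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies";

// The only states this deployer will ever write. "enabled" is deliberately absent,
// so no baseline JSON and no later commit can make it enforce a policy.
const REPORT_ONLY = "enabledForReportingButNotEnforced";
const SAFE_STATES = new Set([REPORT_ONLY, "disabled"]);

// Pure planning step: what would be created, what is skipped. A dry run prints this.
function planDeployment(baseline, existingPolicies) {
  const existingNames = new Set(existingPolicies.map((p) => p.displayName));
  const plan = { create: [], skipped: [] };
  for (const policy of baseline) {
    if (existingNames.has(policy.displayName)) {
      plan.skipped.push(policy.displayName); // never overwrite a policy the admin tuned
      continue;
    }
    // Hard-code the state: only an explicit "disabled" survives, everything else
    // (including "enabled" in the JSON) is forced to report-only.
    const state = policy.state === "disabled" ? "disabled" : REPORT_ONLY;
    plan.create.push({ ...policy, state });
  }
  return plan;
}

// Read all existing policies, following @odata.nextLink so large tenants are fully listed.
async function listExisting(fetchImpl, token) {
  const policies = [];
  let url = GRAPH_POLICIES_URL;
  while (url) {
    const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
    if (!res.ok) throw new Error(`GET ${url} failed: ${res.status}`);
    const page = await res.json();
    policies.push(...page.value);
    url = page["@odata.nextLink"];
  }
  return policies;
}

// Deploy the baseline with delegated auth (the token comes from an interactive sign-in).
async function deployBaseline(baseline, fetchImpl, token, { dryRun = false } = {}) {
  const plan = planDeployment(baseline, await listExisting(fetchImpl, token));
  const created = [];
  if (!dryRun) {
    for (const policy of plan.create) {
      // Belt and braces: refuse to POST anything outside the allowed states.
      if (!SAFE_STATES.has(policy.state)) throw new Error(`refusing state ${policy.state}`);
      const res = await fetchImpl(GRAPH_POLICIES_URL, {
        method: "POST",
        headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
        body: JSON.stringify(policy),
      });
      if (!res.ok) throw new Error(`POST ${policy.displayName} failed: ${res.status}`);
      created.push((await res.json()).id);
    }
  }
  return { ...plan, created, dryRun };
}

// ---- constructed sample data: a three-policy baseline and a tenant with two policies ----
const ALL_USERS_ALL_APPS = {
  users: { includeUsers: ["All"] },
  applications: { includeApplications: ["All"] },
};
const SAMPLE_BASELINE = [
  { displayName: "CA001 - Require MFA for all users", state: "enabled", // would be forced down
    conditions: ALL_USERS_ALL_APPS, grantControls: { operator: "OR", builtInControls: ["mfa"] } },
  { displayName: "CA002 - Block legacy authentication", state: REPORT_ONLY,
    conditions: { ...ALL_USERS_ALL_APPS, clientAppTypes: ["exchangeActiveSync", "other"] },
    grantControls: { operator: "OR", builtInControls: ["block"] } },
  { displayName: "CA003 - Block guests from admin portals", state: "disabled",
    conditions: { users: { includeUsers: ["GuestsOrExternalUsers"] },
      applications: { includeApplications: ["MicrosoftAdminPortals"] } },
    grantControls: { operator: "OR", builtInControls: ["block"] } },
];
const SAMPLE_TENANT = [
  { displayName: "CA001 - Require MFA for all users", state: "enabled" }, // already tuned by admin
  { displayName: "Legacy - Block basic auth from outside", state: "enabled" },
];

// In-memory stand-in for Graph: serves the list in two pages and records every call.
function makeMockGraph(existing) {
  const store = existing.map((p, i) => ({ ...p, id: `existing-${i}` }));
  const calls = [];
  const json = (obj, status = 200) => ({ ok: status < 300, status, json: async () => obj });
  const fetchImpl = async (url, init = {}) => {
    const method = init.method || "GET";
    calls.push({ method, url });
    if (method === "GET") {
      if (url === GRAPH_POLICIES_URL)
        return json({ value: store.slice(0, 1), "@odata.nextLink": `${url}?$skiptoken=p2` });
      return json({ value: store.slice(1) });
    }
    const body = JSON.parse(init.body);
    const id = `new-${store.length}`;
    store.push({ ...body, id });
    return json({ ...body, id }, 201);
  };
  return { fetchImpl, calls, store };
}
// Usage: deployBaseline(SAMPLE_BASELINE, makeMockGraph(SAMPLE_TENANT).fetchImpl, "<token>",
//        { dryRun: true }).then(console.log)  // lists 2 to create, 1 skipped, nothing POSTed
```

The point of separating `planDeployment` from `deployBaseline` is that the dry run and the real run share the same decision code, so what the dry run shows is exactly what gets written; and because the allowed states are a constant rather than something read from the policy JSON, a reviewer only has to audit a few lines to confirm the tool cannot enforce anything on its own.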
Kumorigoe@reddit
Sorry, it seems this comment or thread has violated a sub-reddit rule and has been removed by a moderator.
Do Not Conduct Marketing Operations Within This Community.
Your content may be better suited for our companion sub-reddit: /r/SysAdminBlogs
If you wish to appeal this action please don't hesitate to message the moderation team.
mixduptransistor@reddit
How much of this was written by AI? Because the readme sounds like it was extremely written by AI
FunctionPitiful@reddit (OP)
Readme is AI-polished, yeah, I write the structure and the technical content, then run it through Claude to clean up the prose because English isn't my first language and my raw writing reads rough. The policies, the deploy logic, the JSON, the architecture decisions are all mine.
Happy to answer anything specific about the actual baseline or the deployer if you have questions.