{"id":20268262,"url":"https://github.com/officedev/mcca","last_synced_at":"2025-04-11T03:38:45.074Z","repository":{"id":43336356,"uuid":"297598641","full_name":"OfficeDev/MCCA","owner":"OfficeDev","description":"Microsoft Compliance Configuration Analyzer","archived":false,"fork":false,"pushed_at":"2023-08-29T14:07:50.000Z","size":423,"stargazers_count":103,"open_issues_count":5,"forks_count":24,"subscribers_count":14,"default_branch":"main","last_synced_at":"2025-03-25T01:41:22.907Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OfficeDev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null}},"created_at":"2020-09-22T09:22:52.000Z","updated_at":"2025-03-19T08:02:38.000Z","dependencies_parsed_at":"2022-09-09T09:10:44.823Z","dependency_job_id":"9907f7df-5f3a-476d-b0a5-f2caf8892706","html_url":"https://github.com/OfficeDev/MCCA","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OfficeDev%2FMCCA","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OfficeDev%2FMCCA/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OfficeDev%2FMCCA/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OfficeDev%2FMCCA/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OfficeDev","download_url":"https://codeload.github.com/OfficeDev/MCCA/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github
.com","kind":"github","repositories_count":248338437,"owners_count":21087208,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T12:17:18.229Z","updated_at":"2025-04-11T03:38:45.056Z","avatar_url":"https://github.com/OfficeDev.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Overview\n\nMicrosoft Compliance Configuration Analyzer (MCCA) is a tool which, on execution, generates a report highlighting known issues in your compliance configurations in achieving data protection guidelines and recommends best practices to follow.\n\n# What is Microsoft Compliance Configuration Analyzer (MCCA)?\n\nIt is a PowerShell-based utility that will fetch your tenant’s current configurations \u0026 validate these configurations against Microsoft 365 recommended best practices. These best practices are based on a set of controls that include key regulations and standards for data protection and general data governance. MCCA then provides you with an actionable status report for improving your compliance posture.\n\n# Why should I use it?\n\nOften tenants face challenges in diagnosing their compliance posture \u0026 ensuring that they have the right configurations in place to protect their environment completely. These are largely manual processes which tend to be time consuming \u0026 allow for human error. Furthermore, with the evolving compliance landscape the risk of blind spots also increases.\nMCCA is a diagnostic tool that will report the status of your current configurations. 
This allows you to focus efforts more on making the right configurations. \n\n# What is in scope?\n\nThis version will provide you recommendations for the M365 Compliance solutions listed below. We will keep adding more solutions \u0026 richer recommendations in future versions of this tool.\n  \n        1.\tMicrosoft Information Protection\n            a. \tData Loss Prevention\n            b.\tInformation Protection\n        2.\tMicrosoft Information Governance\n            a.\tInformation Governance\n            b.\tRecords Management\n        3.\tInsider Risk\n            a.\tCommunication Compliance\n            b.\tInsider Risk Management\n        4.\tDiscovery \u0026 Response\n            a.\tAudit\n            b.\teDiscovery\n\n# That is awesome! How do I run it?\n\n#   Pre-Requisites\n\nBefore running the tool, you should confirm your Microsoft 365 subscription and any add-ons. To access and use MCCA, your organization must have one of the following subscriptions or add-ons:\n   \n    •\tMicrosoft 365 E5 subscription (paid or trial version)\n    •\tMicrosoft 365 E3 subscription + the Microsoft 365 E5 Compliance add-on\n\nYou will be able to run this tool without an E5 subscription or M365 E5 Compliance add-on, but MCCA will still report statuses for E5 workloads \u0026 capabilities.\n\nFor running the tool:\n     \n\n1.  You must have PowerShell version 5.1 or above to run this tool.\n\n2.  You must have Exchange Online PowerShell module (You can follow\n    either of the following 2 methods to download the same)\n\n    * Exchange Online PowerShell V2 module that is available via the\n    PowerShell gallery:\n\n    \u003e Install-Module -Name ExchangeOnlineManagement\n\n    * Exchange Online PowerShell module (\u003chttp://aka.ms/exopsmodule\u003e)\n\n3.  You must have appropriate role/user permissions to be able to run\n    this tool. 
The following table provides details of which roles will\n    have access to which sections of the report.\n\nOther roles within the organisation (not listed in the table below) may\nnot be able to run the tool or they may be able to run the tool with\nlimited information in the final report.\n\n\n|User Role                           |MIP      |            | MIG          |                      |Insider Risk |     |Discovery \u0026 Response |         |\n|------------------------------------|---------|------------|--------------|----------------------|---------|--------|-----------|---------------- |\n|                                    |**DLP**  |**IP**      |**IG**        |**RM**                |**IRM**  |**CC**  |**Audit**  |**eDiscovery** |\n|Azure Information Protection admin  |No       |No\u003csup\u003e1\u003c/sup\u003e       |No            |No                    |No       |No      |No \u003csup\u003e4\u003c/sup\u003e    |No |\n|Compliance admin                    |Yes      |Yes         |Yes           |Yes                   |Yes      |Yes     |Yes        |Yes |\n|Compliance Data Admin               |Yes      |Yes\u003csup\u003e2\u003c/sup\u003e      |Yes           |Yes                   |Yes      |Yes\u003csup\u003e3\u003c/sup\u003e  |Yes\u003csup\u003e5\u003c/sup\u003e     |No |\n|Customer Lockbox access approver    |No       |No          |No            |No                    |No       |No      |No         |No |\n|Exchange Admin                      |No       |No\u003csup\u003e1\u003c/sup\u003e       |No            |No                    |No       |No      |No\u003csup\u003e4\u003c/sup\u003e      |No |\n|Global admin                    |Yes      |Yes         |Yes           |Yes                   |Yes      |Yes     |Yes        |Yes |\n|Global reader                       |Yes      |Yes         |Yes           |Yes                   |No       |No      |Yes        |No |\n|Helpdesk admin                      |No       |No\u003csup\u003e1\u003c/sup\u003e       |No 
           |No                    |No       |No      |No\u003csup\u003e4\u003c/sup\u003e      |No |\n|Non-Admin User                      |No       |No          |No            |No                    |No       |No      |No         |No |\n|Reports reader                      |No       |No          |No            |No                    |No       |No      |No         |No |\n|Security admin                      |Yes      |Yes\u003csup\u003e2\u003c/sup\u003e      |No            |No                    |No       |No      |Yes\u003csup\u003e5\u003c/sup\u003e     |No |\n|Security operator                   |Yes      |No          |No            |No                    |No       |No      |Yes\u003csup\u003e5\u003c/sup\u003e     |No |\n|Security reader                     |Yes      |Yes\u003csup\u003e2\u003c/sup\u003e  |No            |No                    |No       |No      |Yes\u003csup\u003e5\u003c/sup\u003e     |No |\n|Service support admin               |No       |No          |No            |No                    |No       |No      |No         |No |\n|SharePoint admin                    |No       |No          |No            |No                    |No       |No      |No         |No |\n|Teams service admin                 |No       |No          |No            |No                    |No       |No      |No         |No |\n|User admin                          |No       |No          |No            |No                    |No       |No      |No         |No |\n\nExceptions:\n\n\u003csup\u003e1\u003c/sup\u003e User will not be able to generate report for IP apart from \"Use IRM for Exchange Online\" section.\n\n\u003csup\u003e2\u003c/sup\u003e User will be able to generate report for IP apart from \"Use IRM for Exchange Online\" section.\n\n\u003csup\u003e3\u003c/sup\u003e User will be able to generate report for IP apart from \"Enable Communication Compliance in O365\" section.\n\n\u003csup\u003e4\u003c/sup\u003e User will not be able to generate report for IP apart from \"Enable Auditing in 
Office 365\" section.\n\n\u003csup\u003e5\u003c/sup\u003e User will be able to generate report for IP apart from \"Enable Auditing in Office 365\" section.\n\n# Install Guide\t\n\nStep 1: Open PowerShell in administrator mode\n    \nStep 2: Install MCCA \n   \n    Install-Module -Name MCCAPreview\n\nStep 3: Generate MCCA Report\n  \n    Use the following cmdlet to generate the MCCA report.\n    Get-MCCAReport\n    \n   This will generate a report based on the geolocation of your tenant. If an error occurs while fetching your tenant’s geolocation, you will get a report covering all supported geolocations.\n    \n You can learn more about this cmdlet by running the following.\n    \n    Get-Help Get-MCCAReport\n\n  Input Parameters\t\n   You can also get a tailored report based on specific input parameters listed below.\n\n   1.\tGeolocation\n         \n     Get-MCCAReport -Geo @(1,7)\n            This will generate a report based on the geolocations entered by you. You need to input appropriate numbers from the following list corresponding to the regions. \n            Input\tRegion\n                1\tAsia-Pacific\n                2\tAustralia\n                3\tCanada\n                4\tEurope (excl. France) / Middle East / Africa\n                5\tFrance\n                6\tIndia\n                7\tJapan\n                8\tKorea\n                9\tNorth America (excl. Canada)\n                10\tSouth America\n                11\tSouth Africa\n                12\tSwitzerland\n                13\tUnited Arab Emirates\n                14\tUnited Kingdom\n\n    Note: As an add-on, the report will always include MCCA supported international sensitive information types like SWIFT Code, Credit Card Number etc.\n\n   2.\tSolutions\n          \n    Get-MCCAReport -Solution @(1,7)\n          This will generate a report only for the solutions entered by you. You need to input appropriate numbers from the following list corresponding to the solution. 
\n            Input\tSolution\n                1\tData Loss Prevention\n                2\tInformation Protection\n                3\tInformation Governance\n                4\tRecords Management\n                5\tCommunication Compliance\n                6\tInsider Risk Management\n                7\tAudit\n                8\teDiscovery\n\n   3. Multiple Parameters\n            \n          Get-MCCAReport -Solution @(1,7) -Geo @(9)\n          \n         This will generate a report only for the solutions entered by you and based on the regions you have selected. \n  In either of the cases, there will be a prompt to enter your credentials. Once you enter your credentials, MCCA will run for a while and an HTML report will be generated.\n \n  4. ExchangeEnvironmentName\n \n        This will generate MCCA report for Security \u0026 Compliance Center PowerShell in a Microsoft 365 DoD organization or Microsoft GCC High organization\n        \n        O365USGovDoD\n           This will generate MCCA report for Security \u0026 Compliance Center PowerShell in a Microsoft 365 DoD organization.\n            \n          Get-MCCAReport -ExchangeEnvironmentName O365USGovDoD\n\n         O365USGovGCCHigh\n           This will generate MCCA report for Security \u0026 Compliance Center PowerShell in a Microsoft GCC High organization.\n           \n           Get-MCCAReport -ExchangeEnvironmentName O365USGovGCCHigh\n           \n  5. 
TurnOffDataCollection\n\n          Get-MCCAReport -TurnOffDataCollection\n          \n        If you wish to switch off data collection use this parameter.\n        \n# License\nWe use the following open source components in order to generate the report:\n    •\tBootstrap, MIT License - https://getbootstrap.com/docs/4.0/about/license/\n    •\tFontawesome, CC BY 4.0 License - https://fontawesome.com/license/free\n    •\tclipboard.js v1.5.3, MIT License - https://cdn.jsdelivr.net/clipboard.js/1.5.3/clipboard.min.js\n\n\n## Frequently Asked Questions (FAQ)\n\n### Will this tool make any changes to my existing settings, policies, etc.?\n\nMCCA is a diagnostic tool that is \"read-only\". It fetches information\nabout your current configurations to generate a report but will not\nalter any of your existing configurations.\n\n### What different sections do I see in my report?\n\nThe report provides you with:\n\n*   Solutions summary: It provides a break-down of statuses at a\n    solution level. Each solution has counters that tell you how many\n    recommendations are informational, require improvement and are OK.\n\n*   Solution drill-down: Following solutions summary, each solution has\n    a separate section that provides detailed information about\n    configurations \u0026 their status.\n\n    *   Each solution may have 1 or more improvement actions which will\n        further be broken down into finer configurations. 
MCCA will\n        provide you a status both at an improvement action level \u0026 also\n        for finer configurations.\n\n### Can I generate a report for specific sections within the report?\n\nYes, you can generate a report for specific sections within the report.\nYou can use the solution input parameter `-Solution \u003cinput solution\nnumber\u003e` to generate the report for a specific solution from the\nfollowing list:\n\n|Input  |Solution |\n|-------|-------------------------- |\n|1      |Data Loss Prevention |\n|2      |Information Protection |\n|3      |Information Governance |\n|4      |Records Management |\n|5      |Communication Compliance |\n|6      |Insider Risk Management |\n|7      |Audit |\n|8      |eDiscovery |\n\nFor example, if you want to create a report for the DLP solution only, then\nyou can run the following command:\n\n```powershell\nGet-MCCAReport -Solution @(1)\n```\n\nYou can learn more about this input parameter in the Input Parameters\nsection within the Install Guide above.\n\n### What do Recommendation, Informational, Improvement \u0026 OK messages mean?\n\nAll recommendations provided by MCCA report are categorized in 3 types\nof status:\n\n*  Recommendations: These are best practices that your tenant\n    should follow.\\\n    *Note: The support for these messages is limited in the current\n    version so you may not see any recommendations in your report.*\n\n*  Informational: These messages/statuses represent information\n    in your current environment \u0026 are non-actionable in nature.\n\n*  Improvement: These messages/statuses highlight areas that\n    need your attention \u0026 are actionable. 
Sections which are marked as\n    \"Improvement\" would generally have 1 or more configurations marked\n    as \"Improvement\".\n\n*  OK: These messages/statuses indicate that a given area is configured efficiently to meet data protection baselines.\n\n### Why don't I see my tenant's name on the report?\n\nDue to a technical error, the tool may not have been able to fetch\nyour tenant's name. In the event of such an error, you may not see your\ntenant name on the report. Please try running the tool again after some\ntime. If the issue persists, please reach out to us at\n[MCCAhelp\\@microsoft.com](mailto:mecahelp@microsoft.com) and/or contact\nyour Microsoft partner.\n\n### Why do I see \"No active policy defined\" when I already have policies defined?\n\nThe policies created by you may be protecting a subset of information,\nworkloads, user groups and/or other criteria. \"No active policy defined\"\nhighlights the areas that are not protected by your current policies and\nneed an action on your part.\n\nWe provide \"Remediation Scripts\" which you can run from your PowerShell\nconsole \u0026 the required policies will automatically be set up.\n\nPlease refer to the \"Remarks\" section in your report to understand why you\nare seeing \"Improvement\". If you still have concerns, please reach out\nto us at [MCCAhelp\\@microsoft.com](mailto:mecahelp@microsoft.com) or\ncontact your Microsoft partner.\n\n### Why do I see \"Policy defined but not protected on 1 or more workloads\" when I already have policies defined?\n\nOften there is a case where a given area (sensitive information,\nworkloads, user groups and/or other criteria) may be protected in 1 or\nmore policies in your environment but would not be protected across your\nentire environment.\n\nE.g. Your current policy configurations may protect U.S. / U.K. Passport Number\non SharePoint \u0026 Exchange but not on OneDrive \u0026 Teams. This puts you at\nrisk.\n\nTo avoid such cases, MCCA will highlight all the affected areas. 
You\nwill need to review these and either tweak your current policies and/or\ncreate new ones to accommodate these areas.\n\n### What are remediation scripts?\n\nWhen MCCA identifies that your current policies have zero coverage for\ncertain sensitive information types, it provides you with \"Remediation\nScripts\" to help you avoid the hassle of manually setting up these\npolicies. These policies will be created in *Test* mode and you will\nstill have to review \u0026 enable them manually.\n\nYou should review script parameters \u0026 then run these scripts from your *Windows PowerShell ISE* console.\nYou would need to connect first (see [Connect to Security \u0026 Compliance Center PowerShell](https://docs.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell?view=exchange-ps) or [Connect to Exchange Online Center PowerShell](https://docs.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps)) to execute these scripts. On successful execution of the scripts, the\nrequired policies will automatically be set up.\n\nNote: These scripts are pre-configured and may need tweaking to achieve\nbest results for your organization. We are working on improving these\nscripts in future versions of this tool.\n\n### Why is the report asking me to protect Sensitive Information Types which I do not have in my environment?\n\nThis version of the tool aims to protect all possible sensitive\ninformation types across multiple geographies and/or industries.\n\nFuture versions of this tool will provide recommendations to you based\non the nature of information you have in your environment.\n\n### Can I generate the report to get recommendations for Sensitive Information Types applicable to my tenant's geographic regions?\n\nYes, you can generate the report for specific geographic regions.\n\nBy default, the tool will generate a report based on the geolocation for\nyour tenant. 
If you wish to run the report for specific geos then while\nrunning the `Get-MCCAReport` cmdlet, you can pass the extra parameter\n`-Geo` followed by 1 or more region numbers supported by MCCA.\n\nPlease refer to the *Install Guide* section above for more detailed steps.\n\n### How can I add my organization's Logo in the report?\n\nYou can quickly add your organization's logo in the report by replacing the image file present in the Image folder with your logo's image with the same name and file extension (i.e. logo.jpg). Please note that your logo image should be able to accurately fit within the width of 250px and height of 150px respectively.\n\n### How do I save my report?\n\nPlease use the \"Print\" button provided in the top right corner of the report\nto export a PDF (subject to your browser and/or system support for\nprinting as a PDF) or print a physical copy of your report.\n\n#\tThis tool is awesome! How do I provide feedback and suggestions for future versions?\nPlease share your feedback \u0026 suggestions with us using this [form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR-ItstQd6pNMqw0W9LKA5vxUOFNGUFgxRDJFTkg3VE5NQTQwTUVVVDNVMi4u). We are dying to hear from you. :)\n\n# Contributing\n\nThis project welcomes contributions and suggestions.  Most contributions require you to agree to a\nContributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us\nthe rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.\n\nWhen you submit a pull request, a CLA bot will automatically determine whether you need to provide\na CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions\nprovided by the bot. 
You will only need to do this once across all repos using our CLA.\n\nThis project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).\nFor more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or\ncontact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.\n\n# Trademark\n\nThis project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark \u0026 Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third-party's policies.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fofficedev%2Fmcca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fofficedev%2Fmcca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fofficedev%2Fmcca/lists"}