v0.3.0 — Per-domain depth: Identity + DNS
14 new checks across Identity and DNS domains. Total findings on mock run: 42 (was 30 in v0.2).
New Identity checks (+8)
- Authentication methods policy (SMS deprecated, FIDO2 enablement)
- Application consent policy (permissive default = consent-phishing exposure)
- Service principal inventory + credential expiration within 60 days
- Named locations defined
- Cross-tenant access policy unrestricted inbound
- Sign-in risk policy enabled (Identity Protection)
- Self-service password reset enabled
- Standing-admin multi-role detection refined
New DNS checks (+6)
- CAA records configured (control which CAs can issue certs)
- DNSSEC enabled (DS record at parent)
- SPF lookup count nearing RFC 7208 max 10 (PermError risk)
- DMARC sub-policy (sp=) explicitly defined
- DKIM key strength manual-verification guidance
- MX backup record awareness
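
An added example for the SPF lookup-count check, not the project's own code: one way to count the DNS-querying terms that RFC 7208 caps at 10, following `include:` and `redirect=` recursively. The function name, the warning threshold of 8 and the sample records are assumptions; the records are constructed and stand in for live TXT lookups so the block runs offline.

```powershell
# Added example, not the project's check implementation.
$SpfLookupLimit = 10   # RFC 7208 section 4.6.4 limit on DNS-querying terms
$WarnAt         = 8    # assumed threshold for "nearing" the limit

# Constructed sample records keyed by domain (substitute for live TXT lookups).
$SampleRecords = @{
    'example.test'   = 'v=spf1 mx a include:_spf.mail.test include:_spf.crm.test ip4:192.0.2.0/24 -all'
    '_spf.mail.test' = 'v=spf1 include:_a.mail.test include:_b.mail.test ~all'
    '_a.mail.test'   = 'v=spf1 ip4:198.51.100.0/24 ~all'
    '_b.mail.test'   = 'v=spf1 a:out.mail.test exists:%{i}.rbl.mail.test ~all'
    '_spf.crm.test'  = 'v=spf1 include:_a.crm.test mx:crm.test ptr ~all'
    '_a.crm.test'    = 'v=spf1 ip6:2001:db8::/32 ~all'
}

function Get-SpfLookupCount {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][hashtable]$Records,
        [string[]]$Path = @()   # domains already on the current include chain
    )
    # Stop on include loops; a domain with no record adds no further terms.
    if (($Path -contains $Domain) -or -not $Records.ContainsKey($Domain)) { return 0 }

    $count = 0
    # Skip the leading "v=spf1" version tag, then classify each term.
    foreach ($term in ($Records[$Domain] -split '\s+' | Select-Object -Skip 1)) {
        $t = $term -replace '^[+\-~?]', ''   # drop the optional qualifier
        switch -Regex ($t) {
            '^(include:|redirect=)(.+)$' {
                # The term costs one lookup, plus whatever the target record costs.
                $count += 1 + (Get-SpfLookupCount -Domain $Matches[2] -Records $Records -Path ($Path + $Domain))
                break
            }
            '^(a|mx|ptr)([:/].*)?$' { $count++; break }   # "all" does not match
            '^exists:'              { $count++; break }
            # ip4, ip6, all and exp= need no lookup that counts toward the limit
        }
    }
    return $count
}

$n = Get-SpfLookupCount -Domain 'example.test' -Records $SampleRecords
$status = if ($n -gt $SpfLookupLimit) { 'PermError' }
          elseif ($n -ge $WarnAt)     { 'Nearing limit' }
          else                        { 'OK' }
[pscustomobject]@{ Domain = 'example.test'; Lookups = $n; Status = $status }
```

The top-level record here shows only four lookup terms; the remainder come from nested includes, which is why the count has to be taken recursively.
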
Schema v1.1 — documentation_url field
Findings now carry an optional documentation_url pointing to an authoritative external reference (Microsoft Learn, NIST, RFC). Generate-Report surfaces these as inline links.
Backward compatible — findings without the field continue to validate.
Test coverage
114 Pester tests passing. End-to-end mock run produces 42 findings across 5 domains.
Next: v0.4 (Sentinel + Defender O365 depth)
Per ROADMAP.md: Sentinel +10 checks (data connectors, workbooks, hunting queries, playbooks, watchlists, threat indicators, ML/UEBA, solutions, ingestion baselines), Defender O365 +10 checks (quarantine policies, priority account protection, ZAP, attack simulation, Safe Documents, anti-spoofing, outbound spam thresholds, connection filter, transport rules, bulk threshold).