Defender configuration ExcludedGroups stated to use GUID not DisplayName #1888

@DickTracyII

Prerequisites

  • This issue has an informative and human-readable title.

ScubaGear Version

1.6.0

Operating System

Windows 11

PowerShell Version

5.1

M365 Environment and License(s)

M365Environment: Comm, GCC
License: G5

🐛 Summary

The Defender baseline configuration contains an inconsistency:

  • The documentation in the full configuration states that ExcludedGroups must use GUIDs.
  • However, Defender actually requires DisplayName with FQDN (e.g., [email protected]), not GUIDs.

This mismatch causes incorrect validation results and confusion when building baseline configurations.

Steps to reproduce

  1. Create or load a Defender baseline config file with an ExcludedGroups section.
  2. Provide the SensitiveAccount ExcludedGroup value in the correct format (DisplayName@fqdn) in YAML.
  3. Run:
    Invoke-SCuBA -ProductNames defender -ConfigFilePath <yourconfig>.yaml
  4. Inspect the JSON export, which shows DisplayName with FQDN.

Expected behavior

  • The full config and defender sample config should reflect that ExcludedGroups uses DisplayName with FQDN, not GUIDs.
  • ScubaGear should validate FQDN-formatted DisplayNames correctly.
  • Documentation and examples should be updated.
  • Validation should not fail when using the correct DisplayName@domain format.

Output from Initialize-SCuBA (optional)

No response


Labels: bug
