CIS Microsoft 365 Foundations Benchmark

CIS 1.2.0 Security Controls for Microsoft 365: a curated list of the most important and least user-impacting security controls that can be audited and remediated.

Account / Authentication
Ensure multifactor authentication is enabled for all users in administrative roles
Ensure that multi-factor authentication is enabled for all non-privileged users
Ensure that between two and four global admins are designated
Ensure self-service password reset is enabled
Ensure that ‘Number of methods required to reset’ is set to ‘2’
Ensure Azure Active Directory Password Protection for Active Directory is enabled in order to protect against the use of common passwords.
Enable Conditional Access policies to block legacy authentication protocols in Office 365.
Ensure that password hash sync is enabled for resiliency and leaked credential detection.
Enabled Identity Protection to identify anomalous logon behavior: Azure Active Directory Identity Protection monitors account behaviors and enables organizations to configure automated responses to detected suspicious actions related to user identities.
Ensure Security Defaults is disabled on Azure Active Directory. The use of Security Defaults however will prohibit custom settings which are being set with more advanced settings from this benchmark.
Ensure modern authentication for Exchange Online is enabled
Ensure modern authentication for Skype/Teams for Business Online is enabled
Ensure modern authentication for SharePoint applications is required
Ensure that Office 365 Passwords Are Not Set to Expire
Application Permissions
Ensure users installing Word, Excel, and PowerPoint add-ins is not allowed
Ensure calendar details sharing with external users is disabled
Ensure O365 ATP SafeLinks for Office Applications is Enabled
Ensure Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams is Enabled
Ensure Office 365 SharePoint infected files are disallowed for download
Data Management
Ensure the customer lockbox feature is enabled: It requires Microsoft to get your approval for any datacenter operation that grants a Microsoft support engineer or other employee direct access to any of your data.
Ensure Data Loss Prevention(DLP) policies are enabled
Ensure DLP policies are enabled for Microsoft Teams
Ensure that shared access signature tokens expire within an hour
Ensure that external users cannot share files, folders, and sites they do not own
Ensure external file sharing in Teams is enabled for only approved cloud storage services
Email Security / Exchange Online
Ensure the Common Attachment Types Filter is enabled
Ensure Exchange Online Spam Policies are set correctly
Ensure mail transport rules do not forward email to external domains
Ensure mail transport rules do not whitelist specific domains
Ensure the Advanced Threat Protection Safe Links policy is enabled
Ensure the Advanced Threat Protection Safe Attachments policy is enabled
Ensure that an anti-phishing policy has been created
Ensure that DKIM is enabled for all Exchange Online Domains
Ensure that SPF records are published for all Exchange Domains
Ensure DMARC Records for all Exchange Online domains are published
Ensure notifications for internal users sending malware is Enabled
Ensure Microsoft 365 audit log search is Enabled
Ensure mailbox auditing for all users is Enabled
Ensure the Azure AD ‘Risky sign-ins’ report is reviewed at least weekly
Ensure the self-service password reset activity report is reviewed at least weekly
Ensure user role group changes are reviewed at least weekly
Ensure mail forwarding rules are reviewed at least weekly
Ensure the Malware Detections report is reviewed at least weekly
Ensure non-global administrator role group assignments are reviewed at least weekly
Ensure the spoofed domains report is review weekly
Ensure the Account Provisioning Activity report is reviewed at least weekly
Ensure the Mailbox Access by Non-Owners Report is reviewed at least biweekly
Ensure Guest Users are reviewed at least biweekly
Ensure the report of users who have had their email privileges restricted due to spamming is reviewed
Ensure document sharing is being controlled by domains with whitelist or blacklist
Ensure expiration time for external sharing links is set
Mobile Device Management
Ensure mobile device management polices are set to require advanced security configurations to protect from basic internet attacks
Ensure that mobile device password reuse is prohibited
Ensure that mobile devices are set to never expire passwords
Ensure that users cannot connect from devices that are jail broken or rooted
Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data
Ensure that mobile devices require a complex password to prevent brute force attacks
Ensure that settings are enable to lock devices after a period of inactivity to prevent unauthorized access
Ensure mobile devices require the use of a password
Ensure that devices connecting have AV and a local firewall enabled