CIS 1.2.0 Security Controls for Microsoft 365: a curated list of the most important and least user-impacting security controls that can be audited and remediated.
| Account / Authentication |
| Ensure multifactor authentication is enabled for all users in administrative roles |
| Ensure that multi-factor authentication is enabled for all non-privileged users |
| Ensure that between two and four global admins are designated |
| Ensure self-service password reset is enabled |
| Ensure that ‘Number of methods required to reset’ is set to ‘2’ |
| Ensure Azure Active Directory Password Protection for Active Directory is enabled in order to protect against the use of common passwords. |
| Enable Conditional Access policies to block legacy authentication protocols in Office 365. |
| Ensure that password hash sync is enabled for resiliency and leaked credential detection. |
| Ensure Identity Protection is enabled to identify anomalous logon behavior: Azure Active Directory Identity Protection monitors sign-in and user behavior, assigns a risk level, and lets the organization configure automated responses (for example requiring MFA or a password reset) to detected suspicious actions related to user identities. |
| Ensure Security Defaults is disabled on Azure Active Directory: Security Defaults applies a fixed tenant-wide baseline and cannot coexist with the custom Conditional Access and authentication settings that the more advanced controls in this benchmark depend on. |
| Ensure modern authentication for Exchange Online is enabled |
| Ensure modern authentication for Skype for Business Online is enabled |
| Ensure modern authentication for SharePoint applications is required |
| Ensure that Office 365 Passwords Are Not Set to Expire |
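The items above are tenant settings that can be read back and compared with the benchmark. The script below is an added audit example, not part of the CIS benchmark, that checks the global admin count, per-user MFA state, password expiration, password hash sync and Exchange Online modern authentication with the MSOnline and ExchangeOnlineManagement modules (assumed installed). It only reports; it changes nothing. SSPR, the Conditional Access policy blocking legacy authentication, Identity Protection and Security Defaults are portal or Graph settings and are not covered here.

```powershell
# Added audit script for the Account/Authentication controls listed above.
# Not part of the CIS benchmark; assumes the MSOnline and
# ExchangeOnlineManagement modules are installed and the caller can read
# directory and Exchange configuration. Reports deviations, changes nothing.
Import-Module MSOnline
Import-Module ExchangeOnlineManagement
Connect-MsolService
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()

# Between two and four global admins ("Company Administrator" is the
# MSOnline name of the Global Administrator role)
$gaRole = Get-MsolRole -RoleName 'Company Administrator'
$admins = @(Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId -All)
if ($admins.Count -lt 2 -or $admins.Count -gt 4) {
    $findings.Add("Global admin count is $($admins.Count); benchmark expects 2-4")
}

# MFA for administrative roles. This reads the legacy per-user MFA state;
# tenants that enforce MFA through Conditional Access show an empty
# StrongAuthenticationRequirements here, so cross-check those policies
# before treating a hit as a finding.
foreach ($a in $admins | Where-Object RoleMemberType -eq 'User') {
    $u = Get-MsolUser -ObjectId $a.ObjectId
    if (@($u.StrongAuthenticationRequirements).Count -eq 0) {
        $findings.Add("Global admin without per-user MFA: $($u.UserPrincipalName)")
    }
}

# MFA for non-privileged users (same Conditional Access caveat)
$users = Get-MsolUser -All -EnabledFilter EnabledOnly
$noMfa = @($users | Where-Object { @($_.StrongAuthenticationRequirements).Count -eq 0 })
if ($noMfa.Count -gt 0) {
    $findings.Add("$($noMfa.Count) enabled users without per-user MFA (first: $($noMfa[0].UserPrincipalName))")
}

# Passwords not set to expire: per-domain policy (managed domains only,
# 2147483647 days is the 'never' value) and the per-user flag
foreach ($d in Get-MsolDomain | Where-Object Authentication -eq 'Managed') {
    $pol = Get-MsolPasswordPolicy -DomainName $d.Name
    if ($pol.ValidityPeriod -ne 2147483647) {
        $findings.Add("Domain $($d.Name): password validity is $($pol.ValidityPeriod) days, not 'never'")
    }
}
$expiring = @($users | Where-Object { -not $_.PasswordNeverExpires })
if ($expiring.Count -gt 0) {
    $findings.Add("$($expiring.Count) enabled users still have PasswordNeverExpires = false")
}

# Password hash sync (hybrid tenants; cloud-only tenants report $false)
if (-not (Get-MsolCompanyInformation).PasswordSynchronizationEnabled) {
    $findings.Add('Password hash sync is not enabled')
}

# Modern authentication for Exchange Online
if (-not (Get-OrganizationConfig).OAuth2ClientProfileEnabled) {
    $findings.Add('Exchange Online modern authentication (OAuth2ClientProfileEnabled) is off')
}

if ($findings.Count -eq 0) { 'All Account/Authentication checks passed' } else { $findings }
```

Run it from an interactive session as a Global Reader; the per-user MFA loop is the slow part in large tenants, and any user it flags should be checked against Conditional Access before being reported.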
| Application Permissions |
| Ensure users are not allowed to install Word, Excel, and PowerPoint add-ins |
| Ensure calendar details sharing with external users is disabled |
| Ensure O365 ATP SafeLinks for Office Applications is Enabled |
| Ensure Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams is Enabled |
| Ensure Office 365 SharePoint infected files are disallowed for download |
| Data Management |
| Ensure the customer lockbox feature is enabled: It requires Microsoft to get your approval for any datacenter operation that grants a Microsoft support engineer or other employee direct access to any of your data. |
| Ensure Data Loss Prevention(DLP) policies are enabled |
| Ensure DLP policies are enabled for Microsoft Teams |
| Ensure that shared access signature tokens expire within an hour |
| Ensure that external users cannot share files, folders, and sites they do not own |
| Ensure external file sharing in Teams is enabled for only approved cloud storage services |
| Email Security / Exchange Online |
| Ensure the Common Attachment Types Filter is enabled |
| Ensure Exchange Online Spam Policies are set correctly |
| Ensure mail transport rules do not forward email to external domains |
| Ensure mail transport rules do not whitelist specific domains |
| Ensure the Advanced Threat Protection Safe Links policy is enabled |
| Ensure the Advanced Threat Protection Safe Attachments policy is enabled |
| Ensure that an anti-phishing policy has been created |
| Ensure that DKIM is enabled for all Exchange Online Domains |
| Ensure that SPF records are published for all Exchange Domains |
| Ensure DMARC Records for all Exchange Online domains are published |
| Ensure notifications for internal users sending malware are enabled |
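Every item in this section is either an Exchange Online policy object or a DNS record, so the whole section can be audited from one PowerShell session. The script below is an added example, not part of the CIS benchmark, that checks the malware, outbound spam, transport rule, DKIM, SPF, DMARC, Safe Links, Safe Attachments and anti-phishing items. It assumes an existing Connect-ExchangeOnline session and Resolve-DnsName from the Windows DnsClient module; Safe Links and Safe Attachments cmdlets are only present when the tenant has a Defender for Office 365 (ATP) license.

```powershell
# Added audit script for the Email Security / Exchange Online controls above;
# not part of the CIS benchmark text. Assumes an existing Connect-ExchangeOnline
# session. Reports deviations and changes nothing.
$findings = [System.Collections.Generic.List[string]]::new()
$accepted = @((Get-AcceptedDomain).DomainName | ForEach-Object { "$_" })

# Common attachment types filter and internal-sender malware notifications
foreach ($p in Get-MalwareFilterPolicy) {
    if (-not $p.EnableFileFilter) {
        $findings.Add("Malware policy '$($p.Name)': common attachment types filter is off")
    }
    if (-not $p.EnableInternalSenderAdminNotifications) {
        $findings.Add("Malware policy '$($p.Name)': internal sender admin notification is off")
    }
}

# Outbound spam policy: notify admins and bcc suspicious outbound mail
foreach ($p in Get-HostedOutboundSpamFilterPolicy) {
    if (-not $p.NotifyOutboundSpam -or -not $p.BccSuspiciousOutboundMail) {
        $findings.Add("Outbound spam policy '$($p.Name)': admin notification and bcc are not both enabled")
    }
}

# Transport rules: no redirect/copy to external domains, no SCL -1 domain whitelist
foreach ($r in Get-TransportRule) {
    $targets = @($r.RedirectMessageTo) + @($r.BlindCopyTo) + @($r.CopyTo) + @($r.AddToRecipients)
    foreach ($t in $targets | Where-Object { $_ }) {
        $domain = ("$t" -split '@')[-1]
        if ($domain -notin $accepted) {
            $findings.Add("Transport rule '$($r.Name)' delivers mail to external address $t")
        }
    }
    if ($r.SetSCL -eq -1 -and $r.SenderDomainIs) {
        $findings.Add("Transport rule '$($r.Name)' bypasses spam filtering for: $($r.SenderDomainIs -join ', ')")
    }
}

# DKIM signing enabled for every domain that has a signing config
foreach ($d in Get-DkimSigningConfig) {
    if (-not $d.Enabled) { $findings.Add("DKIM signing disabled for $($d.Domain)") }
}

# SPF and DMARC published in DNS (single-string TXT records assumed)
foreach ($domain in $accepted | Where-Object { $_ -notlike '*.onmicrosoft.com' }) {
    $txt = @(Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue).Strings
    $spf = $txt | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    if (-not $spf) { $findings.Add("No SPF record for $domain") }
    elseif ($spf -notmatch 'include:spf\.protection\.outlook\.com' -or $spf -notmatch '\s-all$') {
        $findings.Add("SPF for $domain should include spf.protection.outlook.com and end with -all: $spf")
    }
    $dmarcTxt = @(Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue).Strings
    $dmarc = $dmarcTxt | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    if (-not $dmarc) { $findings.Add("No DMARC record for $domain") }
    elseif ($dmarc -notmatch '(^|;)\s*p=(quarantine|reject)') {
        $findings.Add("DMARC for $domain is not enforcing (p=none): $dmarc")
    }
}

# Safe Links, Safe Attachments and anti-phishing policies exist and are enabled
if (-not (Get-SafeLinksPolicy | Where-Object IsEnabled)) { $findings.Add('No enabled Safe Links policy') }
if (-not (Get-SafeAttachmentPolicy | Where-Object Enable)) { $findings.Add('No enabled Safe Attachments policy') }
if (-not (Get-AntiPhishPolicy | Where-Object Enabled)) { $findings.Add('No enabled anti-phishing policy') }

if ($findings.Count -eq 0) { 'All Email Security checks passed' } else { $findings }
```

The external-forwarding test treats any delivery target outside the accepted domains as a finding, which is the stricter reading of the control; a rule that copies mail to a contracted archiving service would show up here and needs a documented exception rather than a code change.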
| Auditing |
| Ensure Microsoft 365 audit log search is Enabled |
| Ensure mailbox auditing for all users is Enabled |
| Ensure the Azure AD ‘Risky sign-ins’ report is reviewed at least weekly |
| Ensure the self-service password reset activity report is reviewed at least weekly |
| Ensure user role group changes are reviewed at least weekly |
| Ensure mail forwarding rules are reviewed at least weekly |
| Ensure the Malware Detections report is reviewed at least weekly |
| Ensure non-global administrator role group assignments are reviewed at least weekly |
| Ensure the spoofed domains report is reviewed at least weekly |
| Ensure the Account Provisioning Activity report is reviewed at least weekly |
| Ensure the Mailbox Access by Non-Owners Report is reviewed at least biweekly |
| Ensure Guest Users are reviewed at least biweekly |
| Ensure the report of users who have had their email privileges restricted due to spamming is reviewed |
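The review items above are recurring queries rather than one-time settings, so they are best run as a scheduled script. The following is an added example, not part of the CIS benchmark, that verifies the two audit switches and then pulls the weekly and biweekly review material (mail forwarding, role changes, non-owner mailbox access) from the unified audit log. It assumes an existing Connect-ExchangeOnline session with the View-Only Audit Logs role; the spoofed domain, malware detection, SSPR and provisioning reports live in the portals and are not covered.

```powershell
# Added review script for the Auditing controls above; not part of the CIS
# benchmark text. Assumes an existing Connect-ExchangeOnline session.
# $lookbackDays is the review window: 7 for the weekly items, 14 for the
# biweekly ones. Search-UnifiedAuditLog returns at most 5000 rows per call;
# page with -SessionId/-SessionCommand in large tenants.
$lookbackDays = 7
$since = (Get-Date).AddDays(-$lookbackDays)
$now = Get-Date
$findings = [System.Collections.Generic.List[string]]::new()

# Audit log search and mailbox auditing switches
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings.Add('Unified audit log search is disabled')
}
if ((Get-OrganizationConfig).AuditDisabled) {
    $findings.Add('Mailbox auditing is disabled at the organization level')
}
$mailboxes = Get-Mailbox -ResultSize Unlimited
foreach ($m in $mailboxes | Where-Object { -not $_.AuditEnabled }) {
    $findings.Add("Mailbox auditing off: $($m.UserPrincipalName)")
}

# Weekly review of mail forwarding: mailbox-level forwarding plus inbox rules
# (Get-InboxRule is one call per mailbox, so this is the slow part)
foreach ($m in $mailboxes) {
    if ($m.ForwardingSmtpAddress -or $m.ForwardingAddress) {
        $findings.Add("Mailbox forwarding on $($m.UserPrincipalName): $($m.ForwardingSmtpAddress) $($m.ForwardingAddress)")
    }
    foreach ($r in Get-InboxRule -Mailbox $m.UserPrincipalName) {
        $dest = @(@($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo) | Where-Object { $_ })
        if ($dest.Count -gt 0) {
            $findings.Add("Inbox rule '$($r.Name)' on $($m.UserPrincipalName) forwards to $($dest -join ', ')")
        }
    }
}

# Weekly review of role changes: Azure AD directory roles and Exchange role groups
$aadRoles = Search-UnifiedAuditLog -StartDate $since -EndDate $now -RecordType AzureActiveDirectory -ResultSize 5000 |
    Where-Object { $_.Operations -like '*member to role*' -or $_.Operations -like '*member from role*' }
$exoRoles = Search-UnifiedAuditLog -StartDate $since -EndDate $now -RecordType ExchangeAdmin -ResultSize 5000 |
    Where-Object { $_.Operations -in 'Add-RoleGroupMember', 'Remove-RoleGroupMember', 'New-RoleGroup', 'Update-RoleGroupMember' }
foreach ($e in @($aadRoles) + @($exoRoles)) {
    $findings.Add("Role change $($e.CreationDate): $($e.Operations) by $($e.UserIds)")
}

# Biweekly review of non-owner mailbox access. ExchangeItem records carry
# LogonType in AuditData: 0 = owner, 1 = admin, 2 = delegate.
$nonOwner = Search-UnifiedAuditLog -StartDate $since -EndDate $now -RecordType ExchangeItem -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.LogonType -ne 0 }
foreach ($e in $nonOwner) {
    $findings.Add("Non-owner access $($e.CreationTime): $($e.UserId) -> $($e.MailboxOwnerUPN) ($($e.Operation))")
}

if ($findings.Count -eq 0) { "Nothing to review for the last $lookbackDays days" } else { $findings }
```

Keep the output from each run: the review controls are satisfied by evidence that the review happened, not by the absence of findings, so the dated output is the artifact an auditor will ask for.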
| Storage |
| Ensure document sharing is being controlled by domains with whitelist or blacklist |
| Ensure expiration time for external sharing links is set |
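The SharePoint and Teams items in this Storage section, the Application Permissions and Data Management sections above, and the SharePoint modern-authentication item under Account/Authentication all come from a handful of tenant objects, so one script covers them. The following is an added example, not part of the CIS benchmark, using the Microsoft.Online.SharePoint.PowerShell, MicrosoftTeams and ExchangeOnlineManagement modules (assumed installed); $tenant and $approvedStorage are placeholders for your own values. DLP policies need the Security & Compliance PowerShell endpoint and are not covered.

```powershell
# Added audit script (not benchmark text) for the SharePoint, OneDrive and
# Teams settings listed under Application Permissions, Data Management and
# Storage, plus SharePoint modern authentication from Account/Authentication.
$tenant = 'contoso'      # assumption: your tenant name (contoso-admin.sharepoint.com)
$approvedStorage = @()   # assumption: Teams storage providers you approved, e.g. 'AllowBox'
Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"
Connect-MicrosoftTeams
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()
$spo = Get-SPOTenant

# Modern authentication required (legacy auth protocols off)
if ($spo.LegacyAuthProtocolsEnabled) { $findings.Add('SharePoint still accepts legacy authentication protocols') }

# Infected files must not be downloadable
if (-not $spo.DisallowInfectedFileDownload) { $findings.Add('Download of infected files is allowed') }

# External users must not re-share content they do not own
if (-not $spo.PreventExternalUsersFromResharing) { $findings.Add('External users can re-share files, folders and sites') }

# External sharing links must expire (0 or -1 means never)
if ($spo.RequireAnonymousLinksExpireInDays -le 0) { $findings.Add('Anonymous sharing links do not expire') }

# Sharing controlled by a domain allow list or block list
switch ($spo.SharingDomainRestrictionMode) {
    'None'      { $findings.Add('No domain allow/block list restricts external sharing') }
    'AllowList' { if (-not $spo.SharingAllowedDomainList) { $findings.Add('Allow-list mode with an empty allow list') } }
    'BlockList' { if (-not $spo.SharingBlockedDomainList) { $findings.Add('Block-list mode with an empty block list') } }
}

# ATP (Defender for Office 365) for SharePoint, OneDrive and Teams
if (-not (Get-AtpPolicyForO365).EnableATPForSPOTeamsODB) { $findings.Add('ATP for SharePoint/OneDrive/Teams is off') }

# Customer Lockbox
if (-not (Get-OrganizationConfig).CustomerLockBoxEnabled) { $findings.Add('Customer Lockbox is off') }

# Calendar sharing with external users: enabled sharing policies whose
# domain entries grant any CalendarSharing level
foreach ($sp in Get-SharingPolicy | Where-Object Enabled) {
    $cal = @($sp.Domains | Where-Object { "$_" -match 'CalendarSharing' })
    if ($cal.Count -gt 0) { $findings.Add("Sharing policy '$($sp.Name)' allows calendar sharing: $($cal -join ', ')") }
}

# Teams third-party cloud storage: anything enabled but not approved is a finding
$teams = Get-CsTeamsClientConfiguration
foreach ($svc in 'AllowDropBox', 'AllowBox', 'AllowGoogleDrive', 'AllowShareFile', 'AllowEgnyte') {
    if ($teams.$svc -and ($svc -notin $approvedStorage)) { $findings.Add("Teams allows unapproved storage: $svc") }
}

if ($findings.Count -eq 0) { 'All SharePoint/OneDrive/Teams checks passed' } else { $findings }
```

The calendar check deliberately flags the default sharing policy when it still carries an Anonymous free/busy entry; if free/busy sharing is an accepted business need, record it as an exception rather than widening the match.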
| Mobile Device Management |
| Ensure mobile device management policies are set to require advanced security configurations to protect from basic internet attacks |
| Ensure that mobile device password reuse is prohibited |
| Ensure that mobile devices are set to never expire passwords |
| Ensure that users cannot connect from devices that are jailbroken or rooted |
| Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data |
| Ensure that mobile devices require a complex password to prevent brute force attacks |
| Ensure that settings are enabled to lock devices after a period of inactivity to prevent unauthorized access |
| Ensure mobile devices require the use of a password |
| Ensure that devices connecting have AV and a local firewall enabled |
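In Microsoft 365 these device requirements are expressed as Intune device compliance policies, one per platform, and each item above maps to a property of that policy. The script below is an added example, not part of the CIS benchmark, that reads every compliance policy through the Microsoft Graph PowerShell SDK (Microsoft.Graph.DeviceManagement module assumed installed) and checks the password, reuse, expiration, inactivity lock, encryption, jailbreak and AV/firewall settings. The property names are the Graph deviceCompliancePolicy names as I know them (iOS uses 'passcode*' where Android and Windows use 'password*'); verify them against the policy objects in your tenant before relying on the output.

```powershell
# Added audit script for the Mobile Device Management controls above; not
# part of the CIS benchmark text. Platform-specific settings arrive in
# AdditionalProperties keyed by the Graph deviceCompliancePolicy property
# names (assumed here; check with Get-Member in your tenant).
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All'
$findings = [System.Collections.Generic.List[string]]::new()

function Get-Setting {
    # Looks up a property, falling back to the iOS 'passcode' spelling
    param([System.Collections.IDictionary]$Props, [string]$Key)
    $iosKey = $Key -creplace 'password', 'passcode' -creplace 'Password', 'Passcode'
    foreach ($k in $Key, $iosKey) { if ($Props.ContainsKey($k)) { return $Props[$k] } }
    return $null
}

$policies = @(Get-MgDeviceManagementDeviceCompliancePolicy -All)
if ($policies.Count -eq 0) { $findings.Add('No device compliance policies exist') }

foreach ($policy in $policies) {
    $p = $policy.AdditionalProperties
    $name = $policy.DisplayName
    $type = "$(Get-Setting $p '@odata.type')"

    # Password required, complex, no reuse, never expires, inactivity lock
    if (-not (Get-Setting $p 'passwordRequired')) { $findings.Add("${name}: password not required") }
    if ((Get-Setting $p 'passwordRequiredType') -ne 'alphanumeric') { $findings.Add("${name}: password type is not alphanumeric") }
    if (-not (Get-Setting $p 'passwordPreviousPasswordBlockCount')) { $findings.Add("${name}: password reuse not blocked") }
    $expiry = Get-Setting $p 'passwordExpirationDays'
    if ($expiry) { $findings.Add("${name}: passwords expire after $expiry days; benchmark says never") }
    if (-not (Get-Setting $p 'passwordMinutesOfInactivityBeforeLock')) { $findings.Add("${name}: no inactivity lock") }

    # Encryption (iOS has no separate switch; encryption follows the passcode)
    if ($type -ne '#microsoft.graph.iosCompliancePolicy' -and -not (Get-Setting $p 'storageRequireEncryption')) {
        $findings.Add("${name}: storage encryption not required")
    }
    # Jailbroken / rooted devices (mobile platforms only)
    if (($type -in '#microsoft.graph.iosCompliancePolicy', '#microsoft.graph.androidCompliancePolicy') -and
        -not (Get-Setting $p 'securityBlockJailbrokenDevices')) {
        $findings.Add("${name}: jailbroken/rooted devices not blocked")
    }
    # AV and firewall (Windows policies carry these)
    if ($type -eq '#microsoft.graph.windows10CompliancePolicy') {
        if (-not (Get-Setting $p 'antivirusRequired'))      { $findings.Add("${name}: antivirus not required") }
        if (-not (Get-Setting $p 'activeFirewallRequired')) { $findings.Add("${name}: firewall not required") }
    }
}

if ($findings.Count -eq 0) { 'All device compliance policies meet the MDM checks' } else { $findings }
```

A compliant policy is only half the control: pair this with a Conditional Access policy that requires a compliant device, otherwise a device that fails the checks is marked non-compliant but can still connect.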