CIS 1.2.0 Security Controls for Microsoft 365: a curated list of the most important and least user-impacting security controls that can be audited and remediated.
Account / Authentication
- Ensure multifactor authentication is enabled for all users in administrative roles
- Ensure that multi-factor authentication is enabled for all non-privileged users
- Ensure that between two and four global admins are designated
- Ensure self-service password reset is enabled
- Ensure that ‘Number of methods required to reset’ is set to ‘2’
- Ensure Azure Active Directory Password Protection for Active Directory is enabled, to protect against the use of common passwords
- Enable Conditional Access policies to block legacy authentication protocols in Office 365
- Ensure that password hash sync is enabled, for resiliency and leaked credential detection
- Enable Identity Protection to identify anomalous logon behavior: Azure Active Directory Identity Protection monitors account behaviors and lets organizations configure automated responses to detected suspicious actions related to user identities
- Ensure Security Defaults is disabled on Azure Active Directory: Security Defaults prohibits the custom, more advanced settings configured by this benchmark, so it must be disabled for those settings to apply
- Ensure modern authentication for Exchange Online is enabled
- Ensure modern authentication for Skype/Teams for Business Online is enabled
- Ensure modern authentication for SharePoint applications is required
- Ensure that Office 365 passwords are not set to expire

Application Permissions
- Ensure users installing Word, Excel, and PowerPoint add-ins is not allowed
- Ensure calendar details sharing with external users is disabled
- Ensure O365 ATP Safe Links for Office applications is enabled
- Ensure Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams is enabled
- Ensure Office 365 SharePoint infected files are disallowed for download

Data Management
- Ensure the Customer Lockbox feature is enabled: it requires Microsoft to get your approval for any datacenter operation that grants a Microsoft support engineer or other employee direct access to any of your data
- Ensure Data Loss Prevention (DLP) policies are enabled
- Ensure DLP policies are enabled for Microsoft Teams
- Ensure that shared access signature tokens expire within an hour
- Ensure that external users cannot share files, folders, and sites they do not own
- Ensure external file sharing in Teams is enabled for only approved cloud storage services

Email Security / Exchange Online
- Ensure the Common Attachment Types Filter is enabled
- Ensure Exchange Online spam policies are set correctly
- Ensure mail transport rules do not forward email to external domains
- Ensure mail transport rules do not whitelist specific domains
- Ensure the Advanced Threat Protection Safe Links policy is enabled
- Ensure the Advanced Threat Protection Safe Attachments policy is enabled
- Ensure that an anti-phishing policy has been created
- Ensure that DKIM is enabled for all Exchange Online domains
- Ensure that SPF records are published for all Exchange domains
- Ensure DMARC records for all Exchange Online domains are published
- Ensure notifications for internal users sending malware are enabled

Auditing
- Ensure Microsoft 365 audit log search is enabled
- Ensure mailbox auditing for all users is enabled
- Ensure the Azure AD ‘Risky sign-ins’ report is reviewed at least weekly
- Ensure the self-service password reset activity report is reviewed at least weekly
- Ensure user role group changes are reviewed at least weekly
- Ensure mail forwarding rules are reviewed at least weekly
- Ensure the Malware Detections report is reviewed at least weekly
- Ensure non-global administrator role group assignments are reviewed at least weekly
- Ensure the spoofed domains report is reviewed weekly
- Ensure the Account Provisioning Activity report is reviewed at least weekly
- Ensure the Mailbox Access by Non-Owners report is reviewed at least biweekly
- Ensure guest users are reviewed at least biweekly
- Ensure the report of users who have had their email privileges restricted due to spamming is reviewed

Storage
- Ensure document sharing is controlled by domain, using a whitelist or blacklist
- Ensure an expiration time for external sharing links is set

Mobile Device Management
- Ensure mobile device management policies are set to require advanced security configurations, to protect from basic internet attacks
- Ensure that mobile device password reuse is prohibited
- Ensure that mobile devices are set to never expire passwords
- Ensure that users cannot connect from devices that are jailbroken or rooted
- Ensure that mobile device encryption is enabled, to prevent unauthorized access to mobile data
- Ensure that mobile devices require a complex password, to prevent brute-force attacks
- Ensure that settings are enabled to lock devices after a period of inactivity, to prevent unauthorized access
- Ensure mobile devices require the use of a password
- Ensure that connecting devices have AV and a local firewall enabled