SECURITY ASSESSMENT REPORT
Technology: Microsoft 365 CIS v3.1.0
Tenant: DynamicPacksnet.onmicrosoft.com
Assessment Date: 02/18/2025 11:02:10
9 Critical
17 High
1 Medium
1 Low
22 Passed
185 Manual Check
CIS Assessment Table Status
CIS Assessment Table contains the status for both CIS and SmartProfiler Tests. You can create a Test Template that only includes CIS Tests from SmartProfiler Console. However, we recommend executing assessment using a Test Template which includes both CIS and SmartProfiler Tests.
M365 Admin Center-Users
Ensure Administrative accounts are separate and cloud-only
Critical
IMPACT
Not all Administrative Accounts are Cloud-Only. Administrative users will have to switch accounts and utilize login/logout functionality when performing administrative tasks, as well as not benefiting from SSO.
RECOMMENDATION
Administrative accounts are special privileged accounts that could have varying levels of access to data, users, and settings. Regular user accounts should never be utilized for administrative tasks and care should be taken, in the case of a hybrid environment, to keep Administrative accounts separate from on-prem accounts. Administrative accounts should not have applications assigned so that they have no access to
Ensure administrative accounts use licenses with a reduced application footprint
Critical
IMPACT
Administrative users will have to switch accounts and utilize login/logout functionality when performing administrative tasks, as well as not benefiting from SSO. Note: Alerts will be sent to the TenantAdmins, including Global Administrators, by default. To ensure proper receipt, configure alerts to be sent to security or operations staff with valid email addresses or a security operations center. Otherwise, after adoption of this recommendation, alerts sent to TenantAdmins may go unreceived due to the lack of an application-based license assigned to the Global Administrator accounts.
RECOMMENDATION
Ensure two emergency access accounts have been defined
Critical
IMPACT
Item does not meet all the requirements as per test. Emergency access or break glass accounts are limited for emergency scenarios where normal administrative accounts are unavailable. They are not assigned to a specific user and will have a combination of physical and technical controls to prevent them from being accessed outside a true emergency. These emergencies could be due to several things, including:
- Technical failures of a cellular provider or Microsoft-related service such as MFA.
- The last remaining Global Administrator account is inaccessible.
Ensure two Emergency Access accounts have been defined. NOTE: Microsoft provides a number of recommendations for these accounts and how to configure them. For more information on this, please refer to the references section. The CIS Benchmark outlines the more critical things to consider. In various situations, an organization may require the use of a break glass account to gain emergency access. In the event of losing access to administrative functions, an organization may experience a significant loss in its ability to provide support, lose insight into its security posture, and potentially suffer financial losses. If care is not taken in properly implementing an emergency access account, this could weaken the security posture. Microsoft recommends excluding at least one of these accounts from all conditional access rules; therefore passwords must have sufficient entropy and length to protect against random guesses. FIDO2 security keys may be used instead of a password for a secure passwordless solution.
RECOMMENDATION
Step 1 - Create two emergency access accounts:
1. Navigate to Microsoft 365 admin center https://admin.microsoft.com
2. Expand Users > Active Users
3. Click Add user and create a new user with these criteria:
   - Name the account in a way that does NOT identify it with a particular person.
   - Assign the account to the default .onmicrosoft.com domain and not the organization's.
   - The password must be at least 16 characters and generated randomly.
   - Do not assign a license.
   - Assign the user the Global Administrator role.
4. Repeat the above steps for the second account.
Step 2 - Exclude at least one account from conditional access policies:
1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/
2. Expand Azure Active Directory > Protect & Secure > Conditional Access
3. Inspect the conditional access policies.
4. For each rule add an exclusion for at least one of the emergency access accounts.
5. Users > Exclude > Users and groups and select one emergency access account.
Step 3 - Ensure the necessary procedures and policies are in place:
- In order for accounts to be effectively used in a break glass situation, the proper policies and procedures must be authorized and distributed by senior management.
- FIDO2 Security Keys, if used, should be locked in a secure, separate, fireproof location.
- Passwords should be at least 16 characters, randomly generated, and MAY be separated into multiple pieces to be joined in an emergency.
NOTE: Microsoft documentation contains in-depth information on securing break glass accounts; please refer to the references section.
Ensure that between two and four global admins are designated
Critical
IMPACT
There is only one Global Administrator assigned to the Global Administrator group. The potential impact associated with ensuring compliance with this requirement is dependent upon the current number of global administrators configured in the tenant. If there is only one global administrator in a tenant, an additional global administrator will need to be identified and configured. If there are more than four global administrators, a review of role requirements for current global administrators will be required to identify which of the users require global administrator access.
RECOMMENDATION
More than one global administrator should be designated so a single admin can be monitored and to provide redundancy should a single admin leave an organization. Additionally, there should be no more than four global admins set for any tenant. Ideally global administrators will have no licenses assigned to them.
Ensure Guest Users are reviewed and disabled
Critical
IMPACT
Guest accounts were found. An auditing process needs to be created and followed. There is no impact if the auditing process is created and followed.
RECOMMENDATION
Guest users can be set up for those users not in your tenant to still be granted access to resources. It is important to maintain visibility for what guest users are established in the tenant. Periodic review of guest users ensures proper access to resources in your tenant. To verify the report is being reviewed at least biweekly, confirm that the necessary procedures are in place and being followed.
M365 Admin Center-Accounts and Authentication
Ensure Microsoft 365 User Roles have less than 10 Admins
Manual Check
IMPACT
Some Microsoft 365 user roles contain more than 10 members. Refer to the issue details.
RECOMMENDATION
Review the list and make sure only designated members are part of Microsoft 365 user roles; having more than 10 members in any role is not recommended.
Ensure Microsoft 365 Users Have Strong Password Requirements Configured
Critical
IMPACT
Some Microsoft 365 users do not have strong password requirements set. Users can use weak passwords, which is a security risk.
RECOMMENDATION
Use the Set-MSOLUser cmdlet to enable strong password requirements for these users.
Ensure self-service password reset is enabled
Critical
IMPACT
Self-Service Password Reset is not enabled for the tenant. The impact associated with this setting is that users will be required to provide additional contact information to enroll in self-service password reset. Additionally, minor user education may be required for users that are used to calling a help desk for assistance with password resets. As of August 2020, combined registration is automatic for new tenants, so users will not need to register for password reset separately from multi-factor authentication.
RECOMMENDATION
Users will no longer need to engage the helpdesk for password resets, and the password reset mechanism will automatically block common, easily guessable passwords. Combined registration should be enabled if not already; as of August 2020, combined registration is automatic for new tenants, so users will not need to register for password reset separately from multi-factor authentication.
Ensure that Microsoft 365 Passwords Are Not Set to Expire
Critical
IMPACT
Not all Microsoft 365 Password Policies are configured for all domains. The primary impact associated with this change is ensuring that users understand the process for making or requesting a password change when required.
RECOMMENDATION
Microsoft cloud-only accounts have a pre-defined password policy that cannot be changed. The only items that can change are the number of days until a password expires and whether or not passwords expire at all. Organizations such as NIST and Microsoft have updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it. They suggest this even for single-factor (Password Only) use cases, with the reasoning that forcing arbitrary password changes on users actually makes the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), which makes password expiration even less useful, as well as password protection for Azure AD.
Ensure Microsoft 365 Exchange Online Modern Authentication is Used
Critical
IMPACT
Modern Authentication is not enabled. Newer clients will not be able to use the Modern Authentication feature of Microsoft 365, causing multiple logon prompts.
RECOMMENDATION
It is recommended to enable Microsoft 365 Modern Authentication Service.
Ensure Microsoft 365 Exchange Online Privileged Access Management is Used
Manual Check
IMPACT
Microsoft 365 Privileged Access Management is NOT enabled. Refer to the issue details.
RECOMMENDATION
It is recommended to enable PAM in Microsoft 365.
M365 Admin Center-Auditing
Ensure Enterprise Applications Role Assignments are reviewed weekly
Manual Check
IMPACT
Role assignments were not found for enterprise applications. Applications have an attack surface for security breaches and must be monitored. While not targeted as often as user accounts, breaches can occur. Because applications often run without human intervention, the attacks may be harder to detect.
RECOMMENDATION
It is recommended that the Security administrator reviews the list of role assignments to each Enterprise Application and removes them if they are not needed.
M365 Admin Center-Teams and Groups
Ensure that only organizationally managed-approved public groups exist
Manual Check
IMPACT
Public groups were found in the Microsoft 365 tenant. If the recommendation is applied, group owners could receive more access requests than usual, especially regarding groups originally meant to be public.
RECOMMENDATION
Ensure that only organizationally managed and approved public groups exist. When a group has public privacy, users may access data related to this group. Administrators are notified when a user uses the Azure Portal. Requesting access to the group forces users to send a message to the group owner, but they still have immediate access to the group. Public in this case means public to the identities within the organization.
Manual Check
IMPACT
Item does not meet all the requirements as per test. Shared mailboxes are used when multiple people need access to the same mailbox, such as a company information or support email address, reception desk, or other function that might be shared by multiple people. Users with permissions to the group mailbox can send as or send on behalf of the mailbox email address if the administrator has given that user permissions to do that. This is particularly useful for help and support mailboxes because users can send emails from or Shared mailboxes are created with a corresponding user account using a system-generated password that is unknown at the time of creation. The recommended state is Sign in blocked for Shared mailboxes. The intent of the shared mailbox is to only allow delegated access from other mailboxes. An admin could reset the password, or an attacker could potentially gain access to the shared mailbox, allowing direct sign-in to the shared mailbox and subsequently the sending of email from a sender that does not have a unique identity. To prevent this, block sign-in for the account that is associated with the shared mailbox.
RECOMMENDATION
Block sign-in to shared mailboxes in the UI:
1. Navigate to Microsoft 365 admin center https://admin.microsoft.com/
2. Click to expand Teams & groups and select Shared mailboxes.
3. Take note of all shared mailboxes.
4. Click to expand Users and select Active users.
5. Select a shared mailbox account to open its properties pane and then select Block sign-in.
6. Check the box for Block this user from signing in.
7. Repeat for any additional shared mailboxes.
Using PowerShell, connect with 2 modules:
1. Connect using Connect-AzureAD.
2. To disable sign-in for a single account:
   Set-AzureADUser -ObjectId TestUser@example.com -AccountEnabled $false
3. Or, the following script will block sign-in to all Shared Mailboxes.
4. Connect using Connect-ExchangeOnline.
   $MBX = Get-EXOMailbox -RecipientTypeDetails SharedMailbox
   $MBX | ForEach {Set-AzureADUser -ObjectId $_.ExternalDirectoryObjectId -AccountEnabled $false}
M365 Admin Center-Settings
Ensure the Password expiration policy is set to Set passwords to never expire (recommended)
Manual Check
IMPACT
Item does not meet all the requirements as per test. Microsoft cloud-only accounts have a pre-defined password policy that cannot be changed. The only items that can change are the number of days until a password expires and whether or not passwords expire at all. Organizations such as NIST and Microsoft have updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it. They suggest this even for single-factor (Password Only) use cases, with the reasoning that forcing arbitrary password changes on users actually makes the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), which makes password expiration even less useful, as well as password protection for Azure AD. When setting passwords not to expire it is important to have other controls in place to supplement this setting. See below for related recommendations and user guidance.
- Ban common passwords
- Educate users to not reuse organization passwords anywhere else
- Enforce Multi-Factor Authentication registration for all users
RECOMMENDATION
To set Microsoft 365 passwords to never expire:
1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
2. Click to expand Settings and select Org Settings.
3. Click on Security & privacy.
4. Check the Set passwords to never expire (recommended) box.
5. Click Save.
To set Microsoft 365 passwords to not expire using the Microsoft Graph PowerShell module:
1. Connect to the Microsoft Graph service using Connect-MgGraph -Scopes <scope>.
2. Run the following Microsoft Graph PowerShell command (replace <DomainName> with the domain to update):
   Update-MgDomain -DomainId <DomainName> -PasswordValidityPeriodInDays 2147483647 -PasswordNotificationWindowInDays 30
Ensure Idle session timeout is set to 3 hours (or less) for unmanaged devices
Passed
IMPACT
Item does not meet all the requirements as per test. Idle session timeout allows the configuration of a setting which will time out inactive users after a pre-determined amount of time. When a user reaches the set idle timeout session, they will get a notification that they are about to be signed out. They have to select to stay signed in or they will be automatically signed out of all Microsoft 365 web apps. Combined with a Conditional Access rule this will only impact unmanaged devices. A managed device is considered a device managed by Intune MDM. The following Microsoft 365 web apps are supported:
- Outlook Web App
- OneDrive for Business
- SharePoint Online (SPO)
- Office.com and other start pages
- Office (Word, Excel, PowerPoint) on the web
- Microsoft 365 Admin Center
NOTE: Idle session timeout doesn't affect Microsoft 365 desktop and mobile apps. The recommended setting is 3 hours (or less) for unmanaged devices. Ending idle sessions through an automatic process can help protect sensitive company data and will add another layer of security for end users who work on unmanaged devices that can potentially be accessed by the public. Unauthorized individuals onsite or remotely can take advantage of systems left unattended over time. Automatic timing out of sessions makes this more difficult. If step 2 in the Audit/Remediation procedure is left out then there is no issue with this from a security standpoint. However, it will require users on trusted devices to sign in more frequently, which could result in credential prompt fatigue.
RECOMMENDATION
To configure Idle session timeout:
1. Navigate to the Microsoft 365 admin center https://admin.microsoft.com/.
2. Click to expand Settings and select Org settings.
3. Click the Security & Privacy tab.
4. Select Idle session timeout.
5. Check the box Turn on to set the period of inactivity for users to be signed off of Microsoft 365 web apps.
6. Set a maximum value of 3 hours.
7. Click Save.
Step 2 - Ensure the Conditional Access policy is in place:
1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/
2. Expand Azure Active Directory > Protect & secure > Conditional Access
3. Click New policy and give the policy a name.
4. Select Users > All users.
5. Select Cloud apps or actions > Select apps and select Office 365.
6. Select Conditions > Client apps > Yes, check only Browser, unchecking all other boxes.
7. Select Sessions and check Use app enforced restrictions.
8. Set Enable policy to On and click Create.
NOTE: To ensure that idle timeouts affect only unmanaged devices, both steps must be completed.
Ensure calendar details sharing with external users is disabled
Passed
IMPACT
Calendar Details Sharing with External Users is not disabled. This functionality is not widely used. As a result, it is unlikely that implementation of this setting will have an impact on most users. Users that do utilize this functionality are likely to experience a minor inconvenience when scheduling meetings.
RECOMMENDATION
You should not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling.
Ensure User owned apps and services is restricted
Passed
IMPACT
Item does not meet all the requirements as per test. By default, users can install add-ins in their Microsoft Word, Excel, and PowerPoint applications, allowing data access within the application. Do not allow users to install add-ins in Word, Excel, or PowerPoint. Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling users' ability to install add-ins in Microsoft Word, Excel, or PowerPoint helps reduce your threat surface and mitigate this risk. Implementation of this change will impact both end users and administrators. End users will not be able to install add-ins that they may want to install.
RECOMMENDATION
To prohibit users installing Office Store add-ins and starting 365 trials:
1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
2. Click to expand Settings and select Org settings.
3. Under Services select User owned apps and services.
4. Uncheck Let users access the Office Store and Let users start trials on behalf of your organization.
5. Click Save.
Ensure internal phishing protection for Forms is enabled
Manual Check
IMPACT
Item does not meet all the requirements as per test. Microsoft Forms can be used for phishing attacks by asking for personal or sensitive information and collecting the results. Microsoft 365 has built-in protection that will proactively scan for phishing attempts in forms, such as personal information requests. Enabling internal phishing protection for Microsoft Forms will prevent attackers from using forms for phishing attacks by asking for personal or other sensitive information and URLs. If potential phishing is detected, the form will be temporarily blocked and cannot be distributed, and response collection will not happen until it is unblocked by the administrator or the keywords are removed by the creator.
RECOMMENDATION
To enable internal phishing protection for Forms:
1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
2. Click to expand Settings then select Org settings.
3. Under Services select Microsoft Forms.
4. Click the checkbox labeled Add internal phishing protection under Phishing protection.
5. Click Save.
Ensure the customer lockbox feature is enabled
Manual Check
IMPACT
Customer Lockbox Feature is not enabled. The impact associated with this setting is a requirement to grant Microsoft access to the tenant environment prior to a Microsoft engineer accessing the environment for support or troubleshooting.
RECOMMENDATION
You should enable the Customer Lockbox feature. It requires Microsoft to get your approval for any datacenter operation that grants a Microsoft support engineer or other employee direct access to any of your data. For example, in some cases a Microsoft support engineer might need access to your Microsoft 365 content in order to help troubleshoot and fix an issue for you. Customer lockbox requests also have an
Ensure third-party storage services are restricted in Microsoft 365 on the web
Manual Check
IMPACT
Item does not meet all the requirements as per test. Third-party storage can be enabled for users in Microsoft 365, allowing them to store and share documents using services such as Dropbox, alongside OneDrive and team sites. Ensure Microsoft 365 on the web third-party storage services are restricted. By using external storage services an organization may increase the risk of data breaches and unauthorized access to confidential information. Additionally, third-party services may not adhere to the same security standards as the organization, making it difficult to maintain data privacy and security. The impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant, this will affect their ability to continue to do so.
RECOMMENDATION
To restrict Microsoft 365 on the web:
1. Navigate to Microsoft 365 admin center https://admin.microsoft.com
2. Go to Settings > Org Settings > Services > Microsoft 365 on the web
3. Uncheck Let users open files stored in third-party storage services in Microsoft 365 on the web
Manual Check
IMPACT
The Sway setting Cannot be shared with people outside of your organization is not configured. Interactive reports, presentations, newsletters, and other items created in Sway will not be shared outside the organization by users.
RECOMMENDATION
Disable external sharing of Sway items such as reports, newsletters, and presentations that could contain sensitive information, to prevent accidental or arbitrary data leaks.
Microsoft 365 Defender-Email and Collaboration
Ensure Safe Links for Office Applications is Enabled
Manual Check
IMPACT
Safe Links for Office Applications is not enabled. User impact associated with this change is minor: users may experience a very short delay when clicking on URLs in Office documents before being directed to the requested site. Users should be informed of the change as, in the event a link is unsafe and blocked, they will receive a message that it has been blocked.
RECOMMENDATION
Enabling the Safe Links policy for Office applications allows URLs that exist inside Office documents and email applications opened by Office, Office Online and Office mobile to be processed against Defender for Office time-of-click verification and rewritten if required. Note: E5 licensing includes a number of Built-in Protection policies. When auditing policies, note which policy you are viewing, and keep in mind CIS recommendations often extend the Default or Built-in policies provided by MS. In order to pass, the highest-priority policy must match all recommended settings. Safe Links for Office applications extends phishing protection to documents and emails that contain hyperlinks, even after they have been delivered to a user.
Ensure the Common Attachment Types Filter is enabled
Manual Check
IMPACT
Common Attachment Filter is not enabled. Blocking common malicious file types should not have an impact in modern computing environments.
RECOMMENDATION
The Common Attachment Types Filter lets a user block known and custom malicious file types from being attached to emails. Blocking known malicious file types can help prevent malware-infested files from infecting a host.
Ensure notifications for internal users sending malware is Enabled
Manual Check
IMPACT
Notifications for Internal Users Sending Malware is not enabled. Notification of accounts with potential issues should not cause an impact to the user.
RECOMMENDATION
Exchange Online Protection (EOP) is the cloud-based filtering service that protects your organization against spam, malware, and other email threats. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes. EOP uses flexible anti-malware policies for malware protection settings. These policies
Ensure Safe Attachments policy is enabled
Manual Check
IMPACT
Item does not meet all the requirements as per test. The Safe Attachments policy helps protect users from malware in email attachments by scanning attachments for viruses, malware, and other malicious content. When an email attachment is received by a user, Safe Attachments will scan the attachment in a secure environment and provide a verdict on whether the attachment is safe or not. Enabling the Safe Attachments policy helps protect against malware threats in email attachments by analyzing suspicious attachments in a secure, cloud-based environment before they are delivered to the user's inbox. This provides an additional layer of security and can prevent new or unseen types of malware from infiltrating the organization's network. Delivery of email with attachments may be delayed while scanning is occurring.
RECOMMENDATION
To enable the Safe Attachments policy:
1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
2. Click to expand E-mail & Collaboration and select Policies & rules.
3. On the Policies & rules page select Threat policies.
4. Under Policies select Safe Attachments.
5. Click + Create.
6. Create a Policy Name and Description, and then click Next.
7. Select all valid domains and click Next.
8. Select Block.
9. Quarantine policy is AdminOnlyAccessPolicy.
10. Leave Enable redirect unchecked.
11. Click Next and finally Submit.
Manual Check
IMPACT
Safe Attachments for SharePoint-OneDrive-Teams is not enabled. Impact associated with Safe Attachments is minimal, and equivalent to impact associated with anti-virus scanners in an environment.
RECOMMENDATION
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams scans these services for malicious files.
Ensure Exchange Online Spam Policies are set correctly
Manual Check
IMPACT
Exchange Online Spam Policies are not set correctly. Notification of users that have been blocked should not cause an impact to the user.
RECOMMENDATION
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP. Configure Exchange Online Spam Policies to copy emails and notify someone when a sender in your tenant has been blocked for sending spam emails. A blocked account is a good indication that the account in question has been breached and an attacker is using it to send spam emails to other people.
Ensure that an anti-phishing policy has been created
Manual Check
IMPACT
Anti-Phishing Policy has not been created. Turning on Anti-Phishing should not cause an impact. Messages will be displayed when applicable.
RECOMMENDATION
By default, Microsoft 365 includes built-in features that help protect your users from phishing attacks. Set up anti-phishing policies to increase this protection, for example by refining settings to better detect and prevent impersonation and spoofing attacks. The default policy applies to all users within the organization, and is a single view where you can fine-tune anti-phishing protection. Custom policies can be created and configured for specific users, groups or domains within the organization and will take precedence over the default policy for the scoped users. This protects users from phishing attacks (like impersonation and spoofing) and uses safety tips to warn users about potentially harmful messages.
Ensure that SPF records are published for all Exchange Domains
Manual Check
IMPACT
SPF Records are not published for all domains. There should be minimal impact from setting up SPF records. However, organizations should ensure proper SPF record setup, as email could be flagged as spam if SPF is not set up appropriately.
RECOMMENDATION
For each domain that is configured in Exchange, a corresponding Sender Policy Framework (SPF) record should be created. SPF records let Exchange Online Protection and other mail systems know where messages from your domains are allowed to originate. This information can be used by that system to determine how to treat the message based on whether it is being spoofed or is valid.
Ensure No Domains with SPF Soft Fail are Configured
Manual Check
IMPACT
Item does not meet all the requirements as per test. The domains listed above have SPF records that are configured with soft failure. Soft failure tells hosts receiving email that falsely purports to be from the organization that they should flag the email as failing a sender verification check but should still deliver the email. This means that adversaries still have significant leeway to imitate the organization's brand and domains when sending email, because many users will still see the fake email even though it failed the sender verification check.
RECOMMENDATION
Consider setting the SPF qualifier in the SPF DNS record for the affected domains to '-' (fail) rather than '~' (soft fail). This will help ensure that mail that does not truly originate from the organization's servers will be rejected by the recipients. However, it should be noted that once this action is taken, any mail from the organization's domain which does not pass a sender verification check may automatically be blocked by the recipient's mail servers. This can lead to dropped emails in cases where the organization's own SPF record is not set up properly and has not been adequately tested, causing sender verification failures. For this reason, soft failure is often recommended as an intermediate step to test the benefits and configuration of SPF. Always proceed with appropriate caution during SPF rollouts and ensure that the difference between soft and hard failure is fully understood before implementing either.
Ensure that DKIM is enabled for all Exchange Online Domains
Manual Check
IMPACT
DKIM is not enabled for all Exchange domains. There should be no impact from setting up DKIM; however, organizations should ensure appropriate setup to maintain continuous mail flow.
RECOMMENDATION
You should use DKIM in addition to SPF and DMARC to help prevent spoofers from sending messages that look like they are coming from your domain. By enabling DKIM with Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This allows the receiving email system to validate that the messages were generated by a server that the organization authorized and are not being spoofed.
Ensure DMARC Records for all Exchange Online domains are published
Manual Check
IMPACT
DMARC records are not published for all Exchange domains. There should be no impact from setting up DMARC; however, organizations should ensure appropriate setup to maintain continuous mail flow.
RECOMMENDATION
Publish Domain-based Message Authentication, Reporting and Conformance (DMARC) records for each Exchange Online accepted domain. DMARC works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain.
Ensure the spoofed domains are reviewed and actioned
Manual Check
IMPACT
Spoofed domains were found. Review the list and act accordingly. An auditing process needs to be created and followed.
RECOMMENDATION
Use spoof intelligence in the Security Center on the Anti-spam settings page to review all senders who are spoofing either domains that are part of your organization or spoofing external domains. Spoof intelligence is available as part of Microsoft 365 Enterprise E5 or separately as part of Defender for Microsoft 365 and as of October 2018 Exchange Online Protection (EOP). Bad actors spoof domains to trick users into conducting actions they normally would not or should not via phishing emails. Running this report will inform the message administrators of current activities, and the phishing techniques used by bad actors. This information can be used to inform end users and plan against future campaigns.
Ensure the Restricted entities are reviewed and actioned
Manual Check
IMPACT
Item does not meet all the requirements as per test. Microsoft 365 Defender reviews of Restricted Entities provide a list of user accounts restricted from sending e-mail. If a user exceeds one of the outbound sending limits specified in the service limits or in outbound spam policies, the user is restricted from sending email but can still receive email. Users who appear on the restricted users list have a high probability of having been compromised. Reviewing this list allows an organization to remediate these user accounts and then unblock them.
RECOMMENDATION
To review the report of users who have had their email privileges restricted due to spamming:
1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
2. Under Email & collaboration navigate to Review.
3. Click Restricted Entities.
4. Review alerts and take appropriate action (unblocking) after the account has been remediated.
Review a list of users blocked from sending messages using PowerShell:
1. Connect to Exchange Online using Connect-ExchangeOnline
2. Run the following PowerShell command: Get-BlockedSenderAddress
3. Review the output.
Ensure all security threats in the Threat protection status report are reviewed and actioned
Manual Check
IMPACT
Not all security threats are reviewed weekly by a Microsoft 365 engineer. You should review all the security threats in the Threat protection status report at least weekly. This report shows specific instances of Microsoft blocking a malware attachment from reaching your users, phishing being blocked, impersonation attempts, etc.
RECOMMENDATION
While this report isn't strictly actionable, reviewing it will give you a sense of the overall volume of various security threats targeting your users, which may prompt you to adopt more aggressive threat mitigations.
Ensure comprehensive attachment filtering is applied
Manual Check
IMPACT
For file types that are necessary for business, users will need to use other organizationally approved methods to transfer blocked extension types between business partners.
RECOMMENDATION
Ensure the connection filter IP allow list is not used
Manual Check
IMPACT
This is the default behavior. IP Allow lists may reduce false positives, however, this benefit is outweighed by the importance of a policy which scans all messages regardless of the origin. This supports the principle of zero trust.
RECOMMENDATION
Ensure the connection filter safe list is off
Manual Check
IMPACT
This is the default behavior. IP Allow lists may reduce false positives, however, this benefit is outweighed by the importance of a policy which scans all messages regardless of the origin. This supports the principle of zero trust.
RECOMMENDATION
To remediate using the UI:
1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
2. Click to expand Email & collaboration and select Policies & rules > Threat policies.
3. Under Policies select Anti-spam.
4. Click on the Connection filter policy (Default).
5. Click Edit connection filter policy.
6. Uncheck Turn on safe list.
7. Click Save.
Ensure inbound anti-spam policies do not contain allowed domains
Manual Check
IMPACT
This is the default behavior. Allowed domains may reduce false positives, however, this benefit is outweighed by the importance of having a policy which scans all messages regardless of the origin. As an alternative consider sender based lists. This supports the principle of zero trust.
RECOMMENDATION
To remediate using the UI:
1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
2. Click to expand Email & collaboration and select Policies & rules > Threat policies.
3. Under Policies select Anti-spam.
4. Open each out-of-compliance inbound anti-spam policy by clicking on it.
5. Click Edit allowed and blocked senders and domains.
6. Select Allow domains.
7. Delete each domain from the domains list.
8. Click Done > Save.
9. Repeat as needed.
Microsoft 365 Defender-Audit
Ensure the Account Provisioning Activity report is reviewed and actioned
Manual Check
IMPACT
An auditing process is not created and followed. An auditing process needs to be created and followed.
RECOMMENDATION
The Account Provisioning Activity report details any account provisioning that was attempted by an external application. If you don't usually use a third-party provider to manage accounts, any entry on the list is likely illicit. If you do, this is a great way to monitor transaction volumes and look for new or unusual third party applications that are managing users. If you see something unusual, contact the provider to determine if the action is legitimate.
Ensure non-global administrator role group assignments are reviewed and actioned
Manual Check
IMPACT
An auditing process is not created and followed. An auditing process needs to be created and followed.
RECOMMENDATION
You should review non-global administrator role group assignments at least every week. While these roles are less powerful than a global admin, they do grant special privileges that can be used illicitly. If you see something unusual, contact the user to confirm it is a legitimate need.
Microsoft 365 Defender-Settings
Ensure Priority account protection is enabled and configured
Manual Check
IMPACT
Item does not meet all the requirements as per test. Identify _priority accounts_ to utilize Microsoft 365's advanced custom security features. This is an essential tool to bolster protection for users who are frequently targeted due to their critical positions, such as executives, leaders, managers, or others who have access to sensitive, confidential, financial, or high-priority information. Once these accounts are identified, several services and features can be enabled, including threat policies, enhanced sign-in protection through conditional access policies, and alert policies, enabling faster response times for incident response teams. Enabling priority account protection for users in Microsoft 365 is necessary to enhance security for accounts with access to sensitive data and high privileges, such as CEOs, CISOs, CFOs, and IT admins. These priority accounts are often targeted by spear phishing or whaling attacks and require stronger protection to prevent account compromise. To address this, Microsoft 365 and Microsoft Defender for Microsoft 365 offer several key features that provide extra security, including the identification of incidents and alerts involving priority accounts and the use of built-in custom protections designed specifically for them.
RECOMMENDATION
_Remediate with a 3-step process_
Step 1: Enable Priority account protection in Microsoft 365 Defender:
1. Navigate to Microsoft 365 Defender https://security.microsoft.com/
2. Select Settings > E-mail & Collaboration > Priority account protection
3. Ensure Priority account protection is set to On
Step 2: Tag priority accounts:
4. Select User tags
5. Select the PRIORITY ACCOUNT tag and click Edit
6. Select Add members to add users or groups. Groups are recommended.
7. Repeat the previous 2 steps for any additional tags needed, such as Finance or HR.
8. Next and Submit.
Step 3: Configure E-mail alerts for Priority Accounts:
9. Expand E-mail & Collaboration on the left column.
10. Select New Alert Policy
11. Enter a valid policy Name & Description. Set Severity to High and Category to Threat management.
12. Set Activity is to Detected malware in an e-mail message
13. Mail direction is Inbound
14. Select Add Condition and User: recipient tags are
15. In the Selection option field add chosen priority tags such as Priority account.
16. Select Every time an activity matches the rule.
17. Next and verify valid recipient(s) are selected.
18. Next and select Yes, turn it on right away. Click Submit to save the alert.
19. Repeat steps 10 - 18 for the Activity field Activity is: Phishing email detected at time of delivery
NOTE: Any additional activity types may be added as needed. Above are the minimum recommended.
Ensure Priority accounts have Strict protection presets applied
Manual Check
IMPACT
Item does not meet all the requirements as per test. Preset security policies have been established by Microsoft, utilizing observations and experiences within datacenters to strike a balance between the exclusion of malicious content from users and limiting unwarranted disruptions. These policies can apply to all or select users and encompass recommendations for addressing spam, malware, and phishing threats. The policy parameters are pre-determined and non-adjustable. Strict protection has the most aggressive protection of the 3 presets.
- EOP: Anti-spam, Anti-malware and Anti-phishing
- Defender: Spoof protection, Impersonation protection and Advanced phishing
- Defender: Safe Links and Safe Attachments
NOTE: The preset security policies cannot currently target Priority account tags; groups should be used instead. Enabling priority account protection for users in Microsoft 365 is necessary to enhance security for accounts with access to sensitive data and high privileges, such as CEOs, CISOs, CFOs, and IT admins. These priority accounts are often targeted by spear phishing or whaling attacks and require stronger protection to prevent account compromise. The implementation of stringent, pre-defined policies may result in instances of false positives; however, the benefit of requiring the end user to preview junk email before accessing their inbox outweighs the potential risk of mistakenly perceiving a malicious email as safe due to its placement in the inbox. Strict policies are more likely to cause false positives in anti-spam, phishing, impersonation, spoofing and intelligence responses.
RECOMMENDATION
Enable strict preset security policies for Priority accounts:
1. Navigate to Microsoft 365 Defender https://security.microsoft.com/
2. Select to expand E-mail & collaboration.
3. Select Policies & rules > Threat policies > Preset security policies.
4. Click Manage protection settings for the Strict protection preset.
5. For Apply Exchange Online Protection select at minimum Specific recipients and include the Accounts/Groups identified as Priority Accounts.
6. For Apply Defender for Microsoft 365 Protection select at minimum Specific recipients and include the Accounts/Groups identified as Priority Accounts.
7. For Impersonation protection click Next and add valid e-mails or priority accounts, both internal and external, that may be subject to impersonation.
8. For Protected custom domains add the organization's domain name, alongside other key partners.
9. Click Next and finally Confirm.
Ensure Microsoft Defender for Cloud Apps is Enabled
Manual Check
IMPACT
Microsoft Defender for Cloud Apps is not enabled. There is no negative impact from enabling Microsoft Defender for Cloud Apps; it improves the security posture of Microsoft 365.
RECOMMENDATION
Enabling Microsoft Defender for Cloud Apps gives you insight into suspicious activity in Microsoft 365 so you can investigate situations that are potentially problematic and, if needed, take action to address security issues. You can receive notifications of triggered alerts for atypical or suspicious activities, see how your organization's data in Microsoft 365 is accessed and used, suspend user accounts exhibiting suspicious activity, and require users to log back into Microsoft 365 apps after an alert has been triggered.
Ensure Zero-hour auto purge for Microsoft Teams is on
Manual Check
IMPACT
As with any anti-malware or anti-phishing product, false positives may occur.
RECOMMENDATION
To remediate using the UI:
1. Navigate to Microsoft Defender https://security.microsoft.com/
2. Click to expand System and select Settings > Email & collaboration > Microsoft Teams protection.
3. Set Zero-hour auto purge (ZAP) to On (Default).
Microsoft Purview-Audit
Ensure Microsoft 365 audit log search is Enabled
Manual Check
IMPACT
Microsoft 365 Audit Log Search is not enabled. An auditing process needs to be created and followed.
RECOMMENDATION
When audit log search in the Microsoft Purview compliance portal is enabled, user and admin activity from your organization is recorded in the audit log and retained for 90 days. However, your organization might be using a third-party security information and event management (SIEM) application to access your auditing data. In that case, a global admin can turn off audit log search in Microsoft 365. Enabling Microsoft Purview audit log search helps Microsoft 365 back-office teams to investigate activities for regular security operational or forensic purposes.
Ensure user role group changes are reviewed and actioned
Manual Check
IMPACT
An auditing process is not created and followed. By performing regular reviews, the administrators assigning rights to users will inevitably need to provide justification for those changes to security auditors. Documentation that includes detailed policies, procedures, and change requests will need to be considered in order to keep a secure organization functioning within its planned operational level.
RECOMMENDATION
Role-Based Access Control allows for permissions to be assigned to users based on their roles within an organization. It is a more manageable form of access control that is less prone to errors. These user roles can be audited inside of Microsoft Purview to provide a security auditor insight into user privilege change.
Microsoft Purview-Data Loss Protection
Ensure DLP policies are enabled
Manual Check
IMPACT
DLP policies are not enabled. Enabling a DLP policy will allow sensitive data in Exchange Online and SharePoint Online to be detected or blocked. Always follow appropriate procedures for testing and implementation of DLP policies based on your organizational standards.
RECOMMENDATION
Enabling Data Loss Prevention (DLP) policies allows Exchange Online and SharePoint Online content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords.
Ensure DLP policies are enabled for Microsoft Teams
Manual Check
IMPACT
DLP policies are not enabled for Microsoft Teams. Enabling a Teams DLP policy will allow sensitive data in Teams channels or chat messages to be detected or blocked.
RECOMMENDATION
Enabling Data Loss Prevention (DLP) policies for Microsoft Teams blocks sensitive content when it is shared in teams or channels. Content is scanned for specific types of data like social security numbers, credit card numbers, or passwords. Enabling DLP policies alerts users and administrators that specific types of data should not be exposed, helping to protect the data from accidental exposure.
Ensure DLP Policy is enabled for OneDrive
Manual Check
IMPACT
DLP for OneDrive is not enabled. Data Loss Prevention (DLP) capabilities protect your data where it is stored, when it is moved, and when it is shared.
RECOMMENDATION
It is recommended to enable DLP for OneDrive.
Manual Check
IMPACT
DLP Policy for SharePoint is not enabled. As businesses continue to digitize their operations, data protection has become a top priority. Microsoft SharePoint Online, a cloud-based collaboration and document management solution, offers a built-in Data Loss Prevention (DLP) solution to help safeguard sensitive information. DLP in SharePoint Online is important because it helps organizations protect their sensitive information from being shared with unauthorized parties. This is especially critical in highly regulated industries, such as healthcare and finance.
RECOMMENDATION
It is recommended to enable DLP Policy for SharePoint.
Ensure Custom Anti-Malware Policy is Present
Manual Check
IMPACT
Item does not meet all the requirements as per test. It is possible to create custom anti-malware policies in Exchange Online to provide additional protection against threats that may be received via email. No anti-malware policy besides the Microsoft Default Anti-Malware Policy was detected in the O365 tenant. Although the default anti-malware policy can provide some protection, each organization should consider creating an anti-malware policy that is customized to suit the nature of its day-to-day activities.
RECOMMENDATION
Follow the 'Configure anti-malware policies in Exchange Online Protection' guide below for a full introduction to creating a custom anti-malware policy. It is possible to create an anti-malware policy and enable it through the Exchange administration center or via Exchange Online PowerShell using the Set-MalwareFilterPolicy or New-MalwareFilterPolicy commands.
Ensure Custom Anti-Phishing Policy is Present
Manual Check
IMPACT
Item does not meet all the requirements as per test. It is possible to create custom Anti-Phishing Policies in Exchange Online to provide additional protection against threats that may be received via email. No Anti-Phishing Policy besides the Microsoft Default Anti-Phishing Policy was detected in the O365 tenant. Although the default Anti-Phishing Policy can provide some protection, each organization should consider creating an Anti-Phishing Policy that is customized to suit the nature of its day-to-day activities.
RECOMMENDATION
Follow the 'Anti-Phishing Policies in Microsoft 365' article below to begin constructing a custom Anti-Phishing Policy.
Ensure Custom DLP Policies are Present
Manual Check
IMPACT
Item does not meet all the requirements as per test. Organizations have sensitive information under their control such as financial data, proprietary data, credit card numbers, health records, or social security numbers. To help protect this sensitive data and reduce risk, they need a way to prevent their users from inappropriately sharing it with people who should not have it. Default configurations may not meet the business needs or compliance requirements of the organization. Custom policies can be configured to address any gaps that default settings do not remediate.
RECOMMENDATION
Determine if a custom DLP policy is beneficial for the Tenant, identify any gaps between desired end state and default policy configurations, and implement any new policies as needed.
Ensure Custom DLP Sensitive Information Types are Defined
Manual Check
IMPACT
Item does not meet all the requirements as per test. Organizations have sensitive information under their control such as financial data, proprietary data, credit card numbers, health records, or social security numbers. Default configurations may not meet the business needs or compliance requirements of the organization. Custom-defined information types may be configured to mitigate any gaps that default settings do not address.
RECOMMENDATION
Determine if there is a need for custom DLP Sensitive Information types and add as needed.
Microsoft Purview-Information Protection
Manual Check
IMPACT
SharePoint Online Information Protection policies are not set up and used. The creation of data classification policies is unlikely to have a significant impact on an organization. However, maintaining long-term adherence to policies may require ongoing training and compliance efforts across the organization. Therefore, organizations should include training and compliance planning as part of the data classification policy creation process.
RECOMMENDATION
To set up SharePoint Online Information Protection:
1. Navigate to Microsoft Purview compliance portal https://compliance.microsoft.com.
2. Under Solutions select Information protection.
3. Click on the Label policies tab.
4. Click Create a label to create a label.
5. Select the label and click on Publish label.
6. Fill out the forms to create the policy.
Microsoft Entra admin center-Identity-Overview
Ensure Security Defaults is disabled on Azure Active Directory
Manual Check
IMPACT
Security Defaults is not disabled in Azure AD. The potential impact associated with disabling Security Defaults depends on the security controls implemented in the environment. Most organizations disabling Security Defaults plan to implement equivalent controls to replace them. It may be necessary to check settings in other Microsoft products, such as Azure, to ensure settings and functionality are as expected when disabling security defaults for MS365.
RECOMMENDATION
Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You turn on security defaults in the Azure portal. The use of security defaults, however, will prohibit the custom settings that are set with the more advanced settings from this benchmark. Security defaults provide secure default settings that Microsoft manages on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings.
Microsoft Entra admin center-Identity-Users
Ensure Per-user MFA is disabled
Manual Check
IMPACT
Item does not meet all the requirements as per test. Legacy per-user Multi-Factor Authentication (MFA) can be configured to require individual users to provide multiple authentication factors, such as passwords and additional verification codes, to access their accounts. It was introduced in earlier versions of Office 365, prior to the more comprehensive implementation of Conditional Access (CA). Both security defaults and conditional access with security defaults turned off are not compatible with per-user multi-factor authentication (MFA), which can lead to undesirable user authentication states. The CIS Microsoft 365 Benchmark explicitly employs Conditional Access for MFA as an enhancement over security defaults and as a replacement for the outdated per-user MFA. To ensure a consistent authentication state, disable per-user MFA on all accounts. Accounts using per-user MFA will need to be migrated to use CA. Prior to disabling per-user MFA, the organization must be prepared to implement conditional access MFA to avoid security gaps and allow for a smooth transition. This will help ensure relevant accounts are covered by MFA during the change phase from disabling per-user MFA to enabling CA MFA. Section 5.2.2 in this document covers the creation of a CA rule for both administrators and all users in the tenant. Microsoft has detailed documentation on migrating from per-user MFA, including a PowerShell script titled [Convert users from per-user MFA to Conditional Access based MFA](https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted#convert-users-from-per-user-mfa-to-conditional-access-based-mfa).
RECOMMENDATION
Disable per-user MFA using the UI:
1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
2. Click to expand Identity > Users and select All users.
3. Click on Per-user MFA on the top row.
4. Click the empty box next to Display Name to select all accounts.
5. On the far right under _quick steps_ click Disable.
Ensure third party integrated applications are not allowed
Manual Check
IMPACT
The setting "third party integrated applications are not allowed" is not configured. Implementation of this change will impact both end users and administrators. End users will not be able to integrate third-party applications that they may wish to use.
RECOMMENDATION
Do not allow third party integrated applications to connect to your services. You should not allow third party integrated applications to connect to your services unless there is a very clear value, and you have robust security controls in place. While there are legitimate uses, attackers can grant access from breached accounts to third party applications to exfiltrate data from your tenancy without having to maintain the
Ensure Restrict non-admin users from creating tenants is set to Yes
Manual Check
IMPACT
Item does not meet all the requirements as per test. Non-privileged users can create tenants in the Azure AD and Entra administration portal under Manage tenant. The creation of a tenant is recorded in the Audit log as category DirectoryManagement and activity Create Company. Anyone who creates a tenant becomes the Global Administrator of that tenant. The newly created tenant doesn't inherit any settings or configurations. Restricting tenant creation prevents unauthorized or uncontrolled deployment of resources and ensures that the organization retains control over its infrastructure. User generation of shadow IT could lead to multiple, disjointed environments that can make it difficult for IT to manage and secure the organization's data, especially if other users in the organization began using these tenants for business purposes under the misunderstanding that they were secured by the organization's security team. Non-admin users will need to contact I.T. if they have a valid reason to create a tenant.
RECOMMENDATION
Restrict tenant creation in the Azure AD portal:
1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/
2. Click to expand Identity > Users > User settings.
3. Set Restrict non-admin users from creating tenants to Yes then Save.
To remediate using PowerShell:
1. Connect to Microsoft Graph using Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
2. Run the following commands:
   # Create hashtable and update the default user role permissions of the authorization policy
   $params = @{ AllowedToCreateTenants = $false }
   Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $params
Ensure Restrict access to the Azure AD administration portal is set to Yes
Manual Check
IMPACT
Item does not meet all the requirements as per test. Restrict non-privileged users from signing into the Azure Active Directory portal. Note: This recommendation only affects access to the Azure AD web portal. It does not prevent privileged users from using other methods such as the REST API or PowerShell to obtain information. Those channels are addressed elsewhere in this document. The Azure AD administrative (AAD) portal contains sensitive data and permission settings, which are still enforced based on the user's role. However, an end user may inadvertently change properties or account settings that could result in increased administrative overhead. Additionally, a compromised end user account could be used by a malicious attacker as a means to gather additional information and escalate an attack. Note: Users will still be able to sign into the Azure Active Directory admin center but will be unable to see directory information.
RECOMMENDATION
Ensure access to the Azure AD portal is restricted:
1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/
2. Click to expand Identity > Users > User settings.
3. Set Restrict access to Microsoft Entra ID administration portal to Yes then Save.
Manual Check
IMPACT
The option to remain signed in is not hidden and needs to be configured. Please see the impact. Allowing users to select this option presents risk, especially in the event that the user signs into their account on a publicly accessible computer or web browser. In this case it would be trivial for an unauthorized person to gain access to any associated cloud data from that account. Once this setting is hidden, users will no longer be prompted upon sign-in with the message Stay signed in. This may mean users will be forced to sign in more frequently.
RECOMMENDATION
The Stay signed in (also called Keep me signed in) option prompts a user after a successful login; when the user selects this option, a persistent refresh token is created. Typically, this lasts for 90 days and does not prompt for sign-in or multi-factor authentication.
Ensure LinkedIn account connections is disabled
Manual Check
IMPACT
Item does not meet all the requirements as per test. LinkedIn account connections allow users to connect their Microsoft work or school account with LinkedIn. After a user connects their accounts, information and highlights from LinkedIn are available in some Microsoft apps and services. Disabling LinkedIn integration prevents potential phishing attacks and risk scenarios where an external party could accidentally disclose sensitive information. Users will not be able to sync contacts or use LinkedIn integration.
RECOMMENDATION
To disable LinkedIn account connections:
1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
2. Click to expand Identity > Users and select User settings.
3. Under LinkedIn account connections select No.
4. Click Save.
Ensure access to the Entra admin center is restricted
Manual Check
IMPACT
RECOMMENDATION
To remediate using the UI:
1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/
2. Click to expand Identity > Users > User settings.
3. Set Restrict access to Microsoft Entra admin center to Yes then Save.
Microsoft Entra admin center-Identity-Groups
Ensure a dynamic group for guest users is created
Manual Check
IMPACT
Item does not meet all the requirements as per test. A dynamic group is a dynamic configuration of security group membership for Azure Active Directory. Administrators can set rules to populate groups that are created in Azure AD based on user attributes (such as userType, department, or country/region). Members can be automatically added to or removed from a security group based on their attributes. The recommended state is to create a dynamic group that includes guest accounts. Dynamic groups allow for an automated method to assign group membership. Guest user accounts will be automatically added to this group, and through this the existing conditional access rules, access controls and other security measures will ensure that new guest accounts are restricted in the same manner as existing guest accounts.
RECOMMENDATION
Create a dynamic guest group:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com/.
2. Click to expand Identity > Groups and select All groups.
3. Select New group and assign the following values:
   - Group type: Security
   - Azure AD Roles can be assigned: No
   - Membership type: Dynamic User
4. Select Add dynamic query.
5. Above the Rule syntax text box, select Edit.
6. Place the following expression in the box: (user.userType -eq "Guest")
7. Select OK and Save.

Using PowerShell:
1. Connect to Microsoft Graph with the group-write scope: Connect-MgGraph -Scopes "Group.ReadWrite.All"
2. In the script below edit DisplayName and MailNickname as needed (the values shown are placeholders) and run:

    # Membership rule: every account whose userType attribute is Guest
    $params = @{
        DisplayName                   = "Dynamic Guest Users"      # placeholder, edit as needed
        MailNickname                  = "DynamicGuestUsers"        # placeholder, edit as needed
        MailEnabled                   = $false
        SecurityEnabled               = $true
        GroupTypes                    = "DynamicMembership"
        MembershipRule                = '(user.userType -eq "Guest")'
        MembershipRuleProcessingState = "On"
    }
    New-MgGroup @params
Microsoft Entra admin center-Identity-Applications
Ensure the Application Usage report is reviewed and actioned
Manual Check
IMPACT
Application usage report review is not in place. Auditing Process needs to be created and followed. None None
RECOMMENDATION
The Application Usage report includes a usage summary for all Software as a Service (SaaS) applications that are integrated with your directory. Review the list of app registrations on a regular basis to look for risky apps that users have enabled that could cause data spillage or accidental elevation of privilege. Attackers can often get access to data illicitly through third-party SaaS applications. To verify the report is being reviewed at least weekly, confirm that the necessary procedures are in place and being followed.
Ensure user consent to apps accessing company data on their behalf is not allowed
Manual Check
IMPACT
Consent to apps accessing company data on their behalf is not allowed and is not configured. If user consent is disabled, previous consent grants will still be honored, but all future consent operations must be performed by an administrator.
RECOMMENDATION
By default, users can consent to applications accessing your organization's data, although only for some permissions. For example, by default a user can consent to allow an app to access their own mailbox or the Teams conversations for a team the user owns but cannot consent to allow an app unattended access to read and write to all SharePoint sites in your organization. Do not allow users to grant consent to apps accessing company data on their behalf. Attackers commonly use custom applications to trick users into granting them access to company data.
Ensure the admin consent workflow is enabled
Manual Check
IMPACT
Admin consent workflow is not enabled. To approve requests a reviewer must be a Global Administrator, Cloud Application Administrator or Application Administrator.
RECOMMENDATION
Without an admin consent workflow (Preview), a user in a tenant where user consent is disabled will be blocked when they try to access any app that requires permissions to access organizational data. The user sees a generic error message that says they're unauthorized to access the app and they should ask their admin for help. The admin consent workflow (Preview) gives admins a secure way to grant access to
Ensure that guest user access is restricted
Manual Check
IMPACT
The default is Guest users have limited access to properties and memberships of directory objects. When using the most restrictive setting, guests will only be able to access their own profiles and will not be allowed to see other users' profiles, groups, or group memberships. There are some known issues with Yammer that will prevent guests who are signed in from leaving the group.
RECOMMENDATION
To remediate using the UI:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com/.
2. Click to expand Identity > External Identities and select External collaboration settings.
3. Under Guest user access set Guest user access restrictions to one of the following:
   - Guest users have limited access to properties and memberships of directory objects
   - Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)
Ensure guest user invitations are limited to the Guest Inviter role
Manual Check
IMPACT
This introduces an obstacle to collaboration by restricting who can invite guest users to the organization. Designated Guest Inviters must be assigned, and an approval process established and clearly communicated to all users.
RECOMMENDATION
To remediate using the UI:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com/.
2. Click to expand Identity > External Identities and select External collaboration settings.
3. Under Guest invite settings set Guest invite restrictions to Only users assigned to specific admin roles can invite guest users.
Microsoft Entra admin center-Identity-External Identities
Ensure that collaboration invitations are sent to allowed domains only
Manual Check
IMPACT
Collaboration invitations are not restricted to allowed domains only. This could make collaboration harder if the setting is not quickly updated when a new domain is identified as allowed.
RECOMMENDATION
Users should be able to send collaboration invitations to allowed domains only. By specifying allowed domains for collaboration, external partner companies are explicitly identified. This also prevents internal users from inviting unknown external users, such as personal accounts, and giving them access to resources.
Microsoft Entra admin center-Identity-Hybrid Management
Ensure that password hash sync is enabled for hybrid deployments
Manual Check
IMPACT
Password hash sync is not enabled for hybrid deployments. Compliance or regulatory restrictions may exist, depending on the organization's business sector, that preclude hashed versions of passwords from being securely transmitted to cloud data centers.
RECOMMENDATION
Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity synchronization. Azure AD Connect synchronizes a hash of the hash of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance. Applicable only to hybrid deployments. Password hash synchronization helps by reducing the number of passwords your users will need to remember.
Microsoft Entra admin center-Protection-Conditional Access
Ensure multifactor authentication is enabled for all users in administrative roles
Manual Check
IMPACT
Some admin accounts are not MFA enabled. Please review the impact and enable MFA. Implementation of multifactor authentication for all users in administrative roles will necessitate a change to user routine. All users in administrative roles will be required to enroll in multifactor authentication using phone, SMS, or an authentication application. After enrollment, use of multifactor authentication will be required for future access to the environment.
RECOMMENDATION
Enable multifactor authentication for all users who are members of administrative roles in Microsoft 365 Tenant.
Ensure multifactor authentication is enabled for all users
Manual Check
IMPACT
Item does not meet all the requirements as per test. Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services. The second factor is most commonly a text message to a registered mobile phone number where they type in an authorization code, or a mobile application like Microsoft Authenticator. Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk. Implementation of multifactor authentication for all users will necessitate a change to user routine. All users will be required to enroll in multifactor authentication using phone, SMS, or an authentication application. After enrollment, use of multifactor authentication will be required for future authentication to the environment. NOTE: Organizations that have difficulty enforcing MFA globally, whether due to a lack of budget to provide company-owned mobile devices to every user or because regulations, unions, or policy prevent them from requiring end users to use their personal devices, have another option. FIDO2 security keys may be used as a stand-in for this recommendation. They are more secure, phishing resistant, and affordable for an organization to issue to every end user.
RECOMMENDATION
To enable multifactor authentication for all users:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Click to expand Protection > Conditional Access and select Policies.
3. Click New policy.
4. Go to Assignments > Users and groups > Include and select All users (and do not exclude any user).
5. Select Cloud apps or actions > All cloud apps (and don't exclude any apps).
6. Under Access Controls > Grant select Require multi-factor authentication (and nothing else).
7. Leave all other conditions blank.
8. Make sure the policy is Enabled/On.
9. Click Create.
Enable Conditional Access policies to block legacy authentication
Manual Check
IMPACT
No Conditional Access policies were found. Enabling this setting will prevent users from connecting with older versions of Office, ActiveSync, or protocols like IMAP, POP or SMTP, and may require upgrades to older versions of Office and use of mobile mail clients that support modern authentication.
RECOMMENDATION
Use Conditional Access to block legacy authentication protocols in Microsoft 365. Legacy authentication protocols do not support multi-factor authentication. These protocols are often used by attackers because of this deficiency. Blocking legacy authentication makes it harder for attackers to gain access.
Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
Manual Check
IMPACT
Item does not meet all the requirements as per test. In complex deployments, organizations might have a need to restrict authentication sessions. Conditional Access policies allow for the targeting of specific user accounts. Some scenarios might include:
- Resource access from an unmanaged or shared device
- Access to sensitive information from an external network
- High-privileged users
- Business-critical applications
Ensure Sign-in frequency does not exceed 4 hours for E3 tenants, or 24 hours for E5 tenants using Privileged Identity Management. Ensure Persistent browser session is set to Never persist. NOTE: This CA policy can be added to the previous CA policy in this benchmark. Forcing a time-out for MFA will help ensure that sessions are not kept alive for an indefinite period of time. Ensuring that browser sessions are not persistent will help prevent drive-by attacks in web browsers; this also prevents the creation and saving of session cookies, leaving nothing for an attacker to take. Users with administrative roles will be prompted at the frequency set for MFA.
RECOMMENDATION
To configure Sign-in frequency and browser session persistence for administrative users:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com/.
2. Click to expand Protection > Conditional Access and select Policies.
3. Click New policy.
4. Click Users and groups.
5. Under Include select -Select users and groups- and then select -Directory roles-.
6. At a minimum, select the roles in the list below.
7. Go to Cloud apps or actions > Cloud apps > Include and select All cloud apps (and don't exclude any apps).
8. Under Access controls > Grant select Grant access and check Require multi-factor authentication (and nothing else).
9. Under Session select Sign-in frequency and set it to at most 4 hours for E3 tenants. E5 tenants with PIM can be set to a maximum value of 24 hours.
10. Check Persistent browser session, then select Never persistent in the drop-down menu.
11. For Enable Policy select On and click Save.
At minimum these directory roles should be included for MFA:
- Application administrator
- Authentication administrator
- Billing administrator
- Cloud application administrator
- Conditional Access administrator
- Exchange administrator
- Global administrator
- Global reader
- Helpdesk administrator
- Password administrator
- Privileged authentication administrator
- Privileged role administrator
- Security administrator
- SharePoint administrator
- User administrator
Ensure Phishing-resistant MFA strength is required for Administrators
Manual Check
IMPACT
Item does not meet all the requirements as per test. Authentication strength is a Conditional Access control that allows administrators to specify which combination of authentication methods can be used to access a resource. For example, they can make only phishing-resistant authentication methods available to access a sensitive resource, but to access a non-sensitive resource they can allow less secure multifactor authentication (MFA) combinations, such as password + SMS. Microsoft has 3 built-in authentication strengths: MFA strength, Passwordless MFA strength, and Phishing-resistant MFA strength. Ensure administrator roles are using a CA policy with Phishing-resistant MFA strength. Administrators can then enroll using one of 3 methods:
- FIDO2 security key
- Windows Hello for Business
- Certificate-based authentication (multi-factor)
NOTE: Additional steps to configure methods such as FIDO2 keys are not covered here but can be found in related MS articles in the references section. The Conditional Access policy only ensures 1 of the 3 methods is used. WARNING: Administrators should be pre-registered for a strong authentication mechanism before this Conditional Access policy is enforced. Additionally, as stated elsewhere in the CIS Benchmark, a break-glass administrator account should be excluded from this policy to ensure unfettered access in the case of an emergency. Sophisticated attacks targeting MFA are more prevalent as its use becomes more widespread. These 3 methods are considered phishing-resistant because they remove passwords from the login workflow. They also ensure that the public/private key exchange can only happen between the device and a registered provider, which prevents login to fake or phishing websites.
If administrators are not pre-registered for a strong authentication method before the Conditional Access policy is created, a condition could occur where a user cannot register for strong authentication because they don't meet the Conditional Access policy requirements and is therefore prevented from signing in.
RECOMMENDATION
To create a phishing-resistant MFA CA policy for users in administrative roles:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Click to expand Protection > Conditional Access and select Policies.
3. Click New policy.
4. Go to Users > Users and groups > Include > Select users and groups > Directory roles.
5. Add at least the directory roles listed after these steps.
6. Select Cloud apps or actions > All cloud apps (and don't exclude any apps).
7. Under Grant select Grant Access with Require authentication strength (Preview): Phishing-resistant MFA.
8. Click Select.
9. Set Enable policy to Report-only and click Create.
At minimum these directory roles should be included for the policy:
- Application administrator
- Authentication administrator
- Billing administrator
- Cloud application administrator
- Conditional Access administrator
- Exchange administrator
- Global administrator
- Global reader
- Helpdesk administrator
- Password administrator
- Privileged authentication administrator
- Privileged role administrator
- Security administrator
- SharePoint administrator
- User administrator
WARNING: Ensure administrators are pre-registered with strong authentication before enforcing the policy. After that, the policy must be set to On.
Enable Azure AD Identity Protection user risk policies
Manual Check
IMPACT
Azure AD user risk policies are not enabled. When the policy triggers, access to the account will either be blocked, or the user will be required to use multi-factor authentication and change their password. Users who haven't registered MFA on their account will be blocked from accessing it. If account access is blocked, an admin would need to recover the account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the user risk policy.
RECOMMENDATION
Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. With the user risk policy turned on, Azure AD detects the probability that a user account has risky sign-in.
Enable Azure AD Identity Protection sign-in risk policies
Manual Check
IMPACT
Azure AD Identity Protection sign-in risk policies are not configured. When the policy triggers, the user will need MFA to access the account. In the case of a user who hasn't registered MFA on their account, they would be blocked from accessing their account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the sign-in risk policy.
RECOMMENDATION
Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.
Ensure Microsoft Azure Management is limited to administrative roles
Manual Check
IMPACT
Item does not meet all the requirements as per test. The Microsoft Azure Management application governs various Azure services and can be secured through the implementation of a Conditional Access policy. This policy can restrict specific user accounts from accessing the related portals and applications. When a Conditional Access policy is targeted to the Microsoft Azure Management application within the Conditional Access policy app picker, the policy will be enforced for tokens issued to the application IDs of a set of services closely bound to the portal:
- Azure Resource Manager
- Azure portal, which also covers the Microsoft Entra admin center
- Azure Data Lake
- Application Insights API
- Log Analytics API
Microsoft Azure Management should be restricted to specific pre-determined administrative roles. NOTE: Blocking Microsoft Azure Management will prevent non-privileged users from signing into most portals other than Microsoft 365 Defender and Microsoft Purview. Blocking sign-in to Azure Management applications and portals enhances the security of sensitive data by restricting access to privileged users. This mitigates potential exposure due to administrative errors or software vulnerabilities, as well as acting as a defense-in-depth measure against security breaches. PIM functionality will be impacted unless non-privileged users are first assigned to a permanent group or role that is excluded from this policy. When attempting to check out a role in the Entra ID PIM area they will receive an access-denied message.
Because the policy is applied to the Azure management portal and API, services or clients with an Azure API service dependency can be indirectly impacted:
- Classic deployment model APIs
- Azure PowerShell
- Azure CLI
- Azure DevOps
- Azure Data Factory portal
- Azure Event Hubs
- Azure Service Bus
- Azure SQL Database
- SQL Managed Instance
- Azure Synapse
- Visual Studio subscriptions administrator portal
- Microsoft IoT Central
RECOMMENDATION
To enable Microsoft Azure Management restrictions:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Click to expand Protection > Conditional Access and select Policies.
3. Click New Policy and then name the policy.
4. Select Users > Include > All Users.
5. Select Users > Exclude > Directory roles and select only administrative roles. See the audit section for more information.
6. Select Cloud apps or actions > Select apps > Select, then click the box next to Microsoft Azure Management.
7. Click Select.
8. Select Grant > Block access and click Select.
9. Ensure Enable Policy is On, then click Create.
WARNING: Exclude Global Administrator at a minimum to avoid being locked out. Report-only is a good option to use when testing any Conditional Access policy for the first time.
Enable Identity Protection user risk policies
Manual Check
IMPACT
Upon policy activation, account access will be either blocked or the user will be required to use multi-factor authentication (MFA) and change their password. Users without registered MFA will be denied access, necessitating an admin to recover the account. To avoid inconvenience, it is advised to configure the MFA registration policy for all users under the user risk policy. Additionally, users identified in the Risky Users section will be affected by this policy. To gain a better understanding of the impact on the organization's environment, the list of Risky Users should be reviewed before enforcing the policy.
RECOMMENDATION
To remediate using the UI:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Click to expand Protection > Conditional Access and select Policies.
3. Create a new policy by selecting New policy.
4. Set the following conditions within the policy:
   - Under Users or workload identities choose All users.
   - Under Cloud apps or actions choose All cloud apps.
   - Under Conditions choose User risk, then Yes, and select the user risk level High.
   - Under Access Controls select Grant, then in the right pane click Grant access and select Require multifactor authentication and Require password change.
   - Under Session ensure Sign-in frequency is set to Every time. Click Select.
5. Under Enable policy set it to Report Only until the organization is ready to enable it.
6. Click Create.
Note: for more information regarding risk levels refer to Microsoft's Identity Protection & Risk documentation.
Enable Identity Protection sign-in risk policies
Manual Check
IMPACT
When the policy triggers, the user will need MFA to access the account. In the case of a user who hasn't registered MFA on their account, they would be blocked from accessing their account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the sign-in risk policy.
RECOMMENDATION
To configure a sign-in risk policy, use the following steps:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Click to expand Protection > Conditional Access and select Policies.
3. Create a new policy by selecting New policy.
4. Set the following conditions within the policy:
   - Under Users or workload identities choose All users.
   - Under Cloud apps or actions choose All cloud apps.
   - Under Conditions choose Sign-in risk, then Yes, and check the risk level boxes High and Medium.
   - Under Access Controls select Grant, then in the right pane click Grant access and select Require multifactor authentication.
   - Under Session select Sign-in Frequency and set it to Every time. Click Select.
5. Under Enable policy set it to Report Only until the organization is ready to enable it.
6. Click Create.
Note: for more information regarding risk levels refer to Microsoft's Identity Protection & Risk documentation.
Ensure admin center access is limited to administrative roles
Manual Check
IMPACT
PIM functionality will be impacted unless non-privileged users are first assigned to a permanent group or role that is excluded from this policy. When attempting to check out a role in the Entra ID PIM area they will receive the message "You don't have access to this. Your sign-in was successful but you don't have permission to access this resource." Users included in the policy will be unable to manually install applications when clicking on Install Microsoft 365 apps. Users included in the policy will be unable to access the Quarantine in the Defender admin center at https://security.microsoft.com/quarantine
RECOMMENDATION
To remediate using the UI:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Click to expand Protection > Conditional Access and select Policies.
3. Click New Policy.
   - Under Users include All Users.
   - Under Users select Exclude, check Directory roles, and select only administrative roles and a group of PIM-eligible users.
   - Under Target resources select Cloud apps and Select apps, then select the Microsoft Admin Portals app. Confirm by clicking Select.
   - Under Grant select Block access and click Select.
4. Under Enable policy set it to Report Only until the organization is ready to enable it.
5. Click Create.
Warning: Exclude Global Administrator at a minimum to avoid being locked out. Report-only is a good option to use when testing any Conditional Access policy for the first time.
Note: In order for PIM to function, a group of users eligible for PIM roles must be excluded from the policy.
Ensure sign-in risk is blocked for medium and high risk
Manual Check
IMPACT
Sign-in risk is heavily dependent on detecting risk based on atypical behaviors. Because of this it is important to run this policy in report-only mode to better understand how the organization's environment and user activity may influence sign-in risk before turning the policy on. Once it is understood what actions may trigger a medium or high sign-in risk event, I.T. can then work to create an environment that reduces false positives. For example, employees might be required to notify security personnel when they intend to travel and access work resources. Note: Break-glass accounts should always be excluded from risk detection.
RECOMMENDATION
To remediate using the UI:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Click to expand Protection > Conditional Access and select Policies.
3. Create a new policy by selecting New policy.
4. Set the following conditions within the policy:
   - Under Users include All users and only exclude valid users.
   - Under Target resources include All cloud apps and do not set any exclusions.
   - Under Conditions choose Sign-in risk values of High and Medium and click Done.
   - Under Grant choose Block access and click Select.
5. Under Enable policy set it to Report Only until the organization is ready to enable it.
6. Click Create.
Note: Break-glass accounts should be excluded from sign-in risk policies.
Ensure a managed device is required for authentication
Manual Check
IMPACT
Unmanaged devices will not be permitted as a valid authenticator. As a result this may require the organization to mature its device enrollment and management. The following devices can be considered managed:
- Entra hybrid joined from Active Directory
- Entra joined and enrolled in Intune, with compliance policies
- Entra registered and enrolled in Intune, with compliance policies
RECOMMENDATION
To remediate using the UI:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Click to expand Protection > Conditional Access and select Policies.
3. Create a new policy by selecting New policy.
   - Under Users include All users.
   - Under Target resources include All cloud apps.
   - Under Grant select Grant access. Check Require multifactor authentication and Require Microsoft Entra hybrid joined device. Choose Require one of the selected controls and click Select at the bottom.
4. Under Enable policy set it to Report Only until the organization is ready to enable it.
5. Click Create.
Ensure a managed device is required for MFA registration
Manual Check
IMPACT
The organization will be required to have a mature device management process. New devices provided to users will need to be pre-enrolled in Intune, auto-enrolled, or Entra hybrid joined. Otherwise, the user will be unable to complete registration, requiring additional resources from I.T. This could be more disruptive in remote worker environments where the MDM maturity is low. In cases where the person enrolling in MFA (the enrollee) doesn't have physical access to a managed device, a help desk process can be created using a Teams meeting to complete enrollment using: 1) a durable process to verify the enrollee's identity, including government identification with a photograph held up to the camera, information only the enrollee should know, and verification by the enrollee's direct manager in the same meeting; 2) completing enrollment in the same Teams meeting with the enrollee being granted screen and keyboard access to the help desk person's InPrivate Edge browser session.
RECOMMENDATION
To remediate using the UI:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Click to expand Protection > Conditional Access and select Policies.
3. Create a new policy by selecting New policy.
   - Under Users include All users.
   - Under Target resources select User actions and check Register security information.
   - Under Grant select Grant access. Check Require multifactor authentication and Require Microsoft Entra hybrid joined device. Choose Require one of the selected controls and click Select at the bottom.
4. Under Enable policy set it to Report Only until the organization is ready to enable it.
5. Click Create.
Microsoft Entra admin center-Protection-Authentication Methods
Ensure Microsoft Authenticator is configured to protect against MFA fatigue
Manual Check
IMPACT
Item does not meet all the requirements as per test. Microsoft has released additional settings to enhance the configuration of the Microsoft Authenticator application. These settings provide additional information and context to users who receive MFA passwordless and push requests, such as the geographic location the request came from, the requesting application, and a required number match. Ensure the following are Enabled:
- Require number matching for push notifications
- Show application name in push and passwordless notifications
- Show geographic location in push and passwordless notifications
NOTE: On February 27, 2023, Microsoft started enforcing number matching tenant-wide for all users using Microsoft Authenticator. As the use of strong authentication has become more widespread, attackers have started to exploit the tendency of users to experience MFA fatigue. This occurs when users are repeatedly asked to provide additional forms of identification, leading them to eventually approve requests without fully verifying the source. To counteract this, number matching can be employed to ensure the security of the authentication process. With this method, users are prompted to confirm a number displayed on their original device and enter it into the device being used for MFA. Additionally, other information such as geolocation and application details is displayed to enhance the end users' awareness. Among these 3 options, number matching provides the strongest net security gain. Additional interaction will be required by end users using number matching, as opposed to simply approving login attempts.
RECOMMENDATION
To configure Microsoft Authenticator to protect against MFA fatigue:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Click to expand Protection > Authentication methods and select Policies.
3. Select Microsoft Authenticator.
4. Under Enable and Target ensure the setting is set to Enable.
5. Select Configure.
6. Set the following Microsoft Authenticator settings:
   - Require number matching for push notifications: Status set to Enabled, Target All users
   - Show application name in push and passwordless notifications: set to Enabled, Target All users
   - Show geographic location in push and passwordless notifications: set to Enabled, Target All users
Ensure custom banned passwords lists are used
Manual Check
IMPACT
Item does not meet all the requirements as per test. With Azure AD Password Protection, default global banned password lists are automatically applied to all users in an Azure AD tenant. To support business and security needs, custom banned password lists can be defined. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords. A custom banned password list should include some of the following examples:
- Brand names
- Product names
- Locations, such as company headquarters
- Company-specific internal terms
- Abbreviations that have specific company meaning
Creating a new password can be difficult regardless of one's technical background. It is common to look around one's environment for suggestions when building a password; however, this may include picking words specific to the organization as inspiration for a password. An adversary may employ what is called a mangler to create permutations of these specific words in an attempt to crack passwords or hashes, making it easier to reach their goal. If a custom banned password list includes too many common dictionary words, or short words that are part of compound words, then perfectly secure passwords may be blocked. The organization should consider a balance between security and usability when creating a list.
RECOMMENDATION
Create a custom banned password list:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com/
2. Click to expand Protection > Authentication methods
3. Select Password protection
4. Set Enforce custom list to Yes
5. In Custom banned password list, create a list using the suggestions outlined in this document.
6. Click Save
NOTE: Below is a list of examples that can be used as a starting place. The references section contains more suggestions.
- Brand names
- Product names
- Locations, such as company headquarters
- Company-specific internal terms
- Abbreviations that have specific company meaning
Ensure that password protection is enabled for Active Directory
Manual Check
IMPACT
Password Protection is not enabled. The potential impact associated with implementation of this setting is dependent upon the existing password policies in place in the environment. For environments that have strong password policies in place, the impact will be minimal. For organizations that do not have strong password policies in place, implementation of Azure Active Directory Password Protection may require users to change passwords and adhere to more stringent requirements than they have been accustomed to.
RECOMMENDATION
Enable Azure Active Directory Password Protection to Active Directory to protect against the use of common passwords. Note: This recommendation applies to Hybrid deployments only, and will have no
Microsoft Entra admin center-Protection-Password Reset
Ensure Self service password reset enabled is set to All
Manual Check
IMPACT
Item does not meet all the requirements as per test. Enabling self-service password reset allows users to reset their own passwords in Azure AD. When users sign in to Microsoft 365, they will be prompted to enter additional contact information that will help them reset their password in the future. If combined registration is enabled, additional information outside of multi-factor authentication will not be needed. NOTE: Effective Oct. 1st, 2022, Microsoft will begin to enable combined registration for all users in Azure AD tenants created before August 15th, 2020. Tenants created after this date are enabled with combined registration by default. Users will no longer need to engage the helpdesk for password resets, and the password reset mechanism will automatically block common, easily guessable passwords. Users will be required to provide additional contact information to enroll in self-service password reset. Additionally, minor user education may be required for users that are used to calling a help desk for assistance with password resets. NOTE: This is unavailable if using Azure AD Connect / Sync in a hybrid environment.
RECOMMENDATION
To enable self-service password reset:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com/.
2. Click to expand Protection > Password reset and select Properties.
3. Set Self service password reset enabled to All
Ensure the self-service password reset activity report is reviewed and actioned
Manual Check
IMPACT
Auditing is not in place and the report is not being reviewed. An auditing process needs to be created and followed.
RECOMMENDATION
The Microsoft 365 platform allows a user to reset their password in the event they forget it. The self-service password reset activity report logs each time a user successfully resets their password this way. You should review the self-service password reset activity report at least weekly. An attacker will commonly compromise an account, then change the password to something they control and can manage. To verify the report is being reviewed at least weekly, confirm that the necessary procedures are in place and being followed.
Microsoft Entra admin center-Protection-Risk Activities
Ensure the Azure AD Risky sign-ins report is reviewed at least weekly
Manual Check
IMPACT
Auditing is not in place and the report is not being reviewed. An auditing process needs to be created and followed.
RECOMMENDATION
Reviewing this report on a regular basis allows for identification and remediation of compromised accounts.
Microsoft Entra admin center-Identity Governance
Use Just In Time privileged access to Microsoft 365 roles
Manual Check
IMPACT
Just In Time Access is not enabled for Microsoft 365 Roles. Implementation of Just in Time privileged access is likely to necessitate changes to administrator routine. Administrators will only be granted access to administrative roles when required. When administrators request role activation, they will need to document the reason for requiring role access, anticipated time required to have the access, and to reauthenticate to enable role access.
RECOMMENDATION
Azure Active Directory Privileged Identity Management can be used to audit roles, allow just in time activation of roles and allow for periodic role attestation. Organizations should remove permanent members from privileged Microsoft 365 roles and instead make them eligible, through a JIT activation workflow. Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious actor getting that access, or an authorized user inadvertently impacting a sensitive resource. However, users still need to carry out privileged operations in Azure AD and Microsoft 365. Organizations can give users just-in-time (JIT) privileged access to roles.
Ensure Privileged Identity Management is used to manage roles
Manual Check
IMPACT
Item does not meet all the requirements as per test. Access reviews enable administrators to establish an efficient automated process for reviewing group memberships, access to enterprise applications, and role assignments. These reviews can be scheduled to recur regularly, with flexible options for delegating the task of reviewing membership to different members of the organization. Ensure Access reviews for Guest Users are configured to be performed no less frequently than monthly. Access to groups and applications for guests can change over time. If a guest user's access to a particular folder goes unnoticed, they may unintentionally gain access to sensitive data if a member adds new files or data to the folder or application. Access reviews can help reduce the risks associated with outdated assignments by requiring a member of the organization to conduct the reviews. Furthermore, these reviews can enable a fail-closed mechanism to remove access to the subject if the reviewer does not respond to the review. Access reviews that are ignored may cause guest users to lose access to resources temporarily.
RECOMMENDATION
Create an access review for Guest Users:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com/
2. Click to expand Identity Governance and select Access reviews
3. Click New access review.
4. Under Select what to review, choose Teams + Groups.
5. Review Scope set to All Microsoft 365 groups with guest users; do not exclude groups.
6. Scope set to Guest users only, then click Next: Reviews.
7. Select reviewer as an appropriate user that is NOT the guest user themselves.
8. Duration (in days) at most 3.
9. Review recurrence is Monthly or more frequent.
10. End is set to Never, then click Next: Settings.
11. Check Auto apply results to resource.
12. Set If reviewers don't respond to Remove access.
13. Check the following: Justification required, E-mail notifications, Reminders.
14. Click Next: Review + Create and finally click Create.
Ensure Access reviews for Guest Users are configured
Manual Check
IMPACT
Item does not meet all the requirements as per test. Access reviews enable administrators to establish an efficient automated process for reviewing group memberships, access to enterprise applications, and role assignments. These reviews can be scheduled to recur regularly, with flexible options for delegating the task of reviewing membership to different members of the organization. Ensure Access reviews for Guest Users are configured to be performed no less frequently than monthly. Access to groups and applications for guests can change over time. If a guest user's access to a particular folder goes unnoticed, they may unintentionally gain access to sensitive data if a member adds new files or data to the folder or application. Access reviews can help reduce the risks associated with outdated assignments by requiring a member of the organization to conduct the reviews. Furthermore, these reviews can enable a fail-closed mechanism to remove access to the subject if the reviewer does not respond to the review. Access reviews that are ignored may cause guest users to lose access to resources temporarily.
RECOMMENDATION
Create an access review for Guest Users:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com/
2. Click to expand Identity Governance and select Access reviews
3. Click New access review.
4. Under Select what to review, choose Teams + Groups.
5. Review Scope set to All Microsoft 365 groups with guest users; do not exclude groups.
6. Scope set to Guest users only, then click Next: Reviews.
7. Select reviewer as an appropriate user that is NOT the guest user themselves.
8. Duration (in days) at most 3.
9. Review recurrence is Monthly or more frequent.
10. End is set to Never, then click Next: Settings.
11. Check Auto apply results to resource.
12. Set If reviewers don't respond to Remove access.
13. Check the following: Justification required, E-mail notifications, Reminders.
14. Click Next: Review + Create and finally click Create.
Ensure Access reviews for high privileged Azure AD roles are configured
Manual Check
IMPACT
Item does not meet all the requirements as per test. Access reviews enable administrators to establish an efficient automated process for reviewing group memberships, access to enterprise applications, and role assignments. These reviews can be scheduled to recur regularly, with flexible options for delegating the task of reviewing membership to different members of the organization. Ensure Access reviews for high privileged Azure AD roles are done no less frequently than weekly. These reviews should include at a minimum the roles listed below:
- Global Administrator
- Exchange Administrator
- SharePoint Administrator
- Teams Administrator
- Security Administrator
NOTE: An access review is created for each role selected after completing the process.
Regular review of critical high privileged roles in Azure AD will help identify role drift, or potential malicious activity. This will enable the practice and application of separation of duties, where even non-privileged users like security auditors can be assigned to review assigned roles in an organization. Furthermore, if configured, these reviews can enable a fail-closed mechanism to remove access to the subject if the reviewer does not respond to the review.
RECOMMENDATION
Create an access review for high privileged roles:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com/
2. Click to expand Identity Governance and select Privileged Identity Management
3. Select Azure AD Roles under Manage
4. Select Access reviews and click New access review.
5. Provide a name and description.
6. Frequency set to Weekly or more frequent.
7. Duration (in days) is set to at most 3.
8. End set to Never.
9. Role: select these roles: Global Administrator, Exchange Administrator, SharePoint Administrator, Teams Administrator, Security Administrator
10. Assignment type set to All active and eligible assignments.
11. Reviewers set to Selected user(s) or group(s)
12. Select reviewers who are the member(s) responsible for this type of review.
13. Auto apply results to resource set to Enable
14. If reviewers don't respond is set to No change
15. Show recommendations set to Enable
16. Require reason or approval set to Enable
17. Mail notifications set to Enable
18. Reminders set to Enable
19. Click Start to save the review.
NOTE: Reviewers, who will have the ability to revoke roles, should be trusted individuals who understand the impact of the access reviews. The principle of separation of duties should be considered so that no one administrator is reviewing their own access levels.
Ensure approval is required for Global Administrator role activation
Manual Check
IMPACT
Approvers do not need to be assigned the same role or be members of the same group. It's important to have at least two approvers and an emergency access (break-glass) account to prevent a scenario where no Global Administrators are available. For example, if the last active Global Administrator leaves the organization, and only eligible but inactive Global Administrators remain, a trusted approver without the Global Administrator role or an emergency access account would be essential to avoid delays in critical administrative tasks.
RECOMMENDATION
To remediate using the UI:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com/.
2. Click to expand Identity Governance and select Privileged Identity Management.
3. Under Manage, select Microsoft Entra Roles.
4. Under Manage, select Roles.
5. Select Global Administrator in the list.
6. Select Role settings and click Edit.
7. Check the Require approval to activate box.
8. Add at least two approvers.
9. Click Update.
Microsoft Exchange admin center-Audit
Ensure AuditDisabled organizationally is set to False
Manual Check
IMPACT
Item does not meet all the requirements as per test. The value False indicates that mailbox auditing on by default is turned on for the organization. Mailbox auditing on by default in the organization overrides the mailbox auditing settings on individual mailboxes. For example, if mailbox auditing is turned off for a mailbox (the AuditEnabled property on the mailbox is False), the default mailbox actions are still audited for the mailbox, because mailbox auditing on by default is turned on for the organization. Turning off mailbox auditing on by default ($true) has the following results:
- Mailbox auditing is turned off for your organization.
- From the time you turn off mailbox auditing on by default, no mailbox actions are audited, even if mailbox auditing is enabled on a mailbox (the AuditEnabled property on the mailbox is True).
- Mailbox auditing is not turned on for new mailboxes, and setting the AuditEnabled property on a new or existing mailbox to True is ignored.
- Any mailbox audit bypass association settings (configured by using the Set-MailboxAuditBypassAssociation cmdlet) are ignored.
- Existing mailbox audit records are retained until the audit log age limit for the record expires.
The recommended state for this setting is False at the organization level. This will enable auditing and enforce the default. Enforcing the default ensures auditing was not turned off intentionally or accidentally. Auditing mailbox actions will allow forensics and IR teams to trace malicious activities, and the TTPs behind them, caused by inbox access and tampering. NOTE: Without advanced auditing (E5 function) the logs are limited to 90 days. None - this is the default behavior as of 2019.
RECOMMENDATION
Enable mailbox auditing at the organizational level:
1. Connect to Exchange Online using Connect-ExchangeOnline.
2. Run the following PowerShell command:
Set-OrganizationConfig -AuditDisabled $false
Ensure mailbox auditing for E3 users is Enabled
Manual Check
IMPACT
Item does not meet all the requirements as per test. Mailbox audit logging is turned on by default in all organizations. This effort started in January 2019, and means that certain actions performed by mailbox owners, delegates, and admins are automatically logged. The corresponding mailbox audit records are available for admins to search in the mailbox audit log. Mailboxes and shared mailboxes have actions assigned to them individually in order to audit the data the organization determines valuable at the mailbox level. The recommended state is AuditEnabled set to True on all user mailboxes, along with additional audit actions beyond the Microsoft defaults. Note: Due to some differences in defaults for audit actions, this recommendation is specific to users assigned an E3 license only. Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing and ensuring the proper mailbox actions are accounted for allows Microsoft 365 teams to run security operations, forensics or general investigations on mailbox activities. The following mailbox types ignore the organizational default and must have AuditEnabled set to True at the mailbox level in order to capture relevant audit data:
- Resource Mailboxes
- Public Folder Mailboxes
- DiscoverySearch Mailbox
Note: Without advanced auditing (E5 function) the logs are limited to 90 days. None - this is the default behavior.
RECOMMENDATION
To enable mailbox auditing for all user mailboxes using PowerShell:
1. Connect to Exchange Online using Connect-ExchangeOnline.
2. Run the following PowerShell script:
$AuditAdmin = @( , , , , , , , , , , , , , )
$AuditDelegate = @( , , , , , , , , , , , )
$AuditOwner = @( , , , , , , , , , , )
$MBX = Get-EXOMailbox -ResultSize Unlimited | Where-Object { $_.RecipientTypeDetails -eq }
$MBX | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 90 -AuditAdmin $AuditAdmin -AuditDelegate $AuditDelegate -AuditOwner $AuditOwner
Ensure mailbox auditing for E5 users is Enabled
Manual Check
IMPACT
Item does not meet all the requirements as per test. Mailbox audit logging is turned on by default in all organizations. This effort started in January 2019, and means that certain actions performed by mailbox owners, delegates, and admins are automatically logged. The corresponding mailbox audit records are available for admins to search in the mailbox audit log. Mailboxes and shared mailboxes have actions assigned to them individually in order to audit the data the organization determines valuable at the mailbox level. The recommended state is AuditEnabled set to True on all user mailboxes, along with additional audit actions beyond the Microsoft defaults. Note: Due to some differences in defaults for audit actions, this recommendation is specific to users assigned an E5 license, or an auditing add-on license, only. Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing and ensuring the proper mailbox actions are accounted for allows Microsoft 365 teams to run security operations, forensics or general investigations on mailbox activities. The following mailbox types ignore the organizational default and must have AuditEnabled set to True at the mailbox level in order to capture relevant audit data:
- Resource Mailboxes
- Public Folder Mailboxes
- DiscoverySearch Mailbox
NOTE: Without advanced auditing (E5 function) the logs are limited to 90 days. None - this is the default behavior.
RECOMMENDATION
To enable mailbox auditing for all user mailboxes using PowerShell:
1. Connect to Exchange Online using Connect-ExchangeOnline.
2. Run the following PowerShell script:
$AuditAdmin = @( , , , , , , , , , , , , , , , )
$AuditDelegate = @( , , , , , , , , , , , , )
$AuditOwner = @( , , , , , , , , , , , , )
$MBX = Get-EXOMailbox -ResultSize Unlimited | Where-Object { $_.RecipientTypeDetails -eq }
$MBX | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180 -AuditAdmin $AuditAdmin -AuditDelegate $AuditDelegate -AuditOwner $AuditOwner
Note: When running this script, mailboxes without an E5 or Azure Audit Premium license applied will generate an error, as they are not licensed for the additional actions which come by default with E5.
Ensure AuditBypassEnabled is not enabled on mailboxes
Manual Check
IMPACT
Item does not meet all the requirements as per test. When configuring a user or computer account to bypass mailbox audit logging, the system will not record any access or actions performed by the said user or computer account on any mailbox. Administratively this was introduced to reduce the volume of entries in the mailbox audit logs on trusted user or computer accounts. Ensure AuditBypassEnabled is not enabled on accounts without a written exception. If a mailbox audit bypass association is added for an account, the account can access any mailbox in the organization to which it has been assigned access permissions, without generating any mailbox audit logging entries for such access or recording any actions taken, such as message deletions. Enabling this parameter, whether intentionally or unintentionally, could allow insiders or malicious actors to conceal their activity on specific mailboxes. Ensuring proper logging of user actions and mailbox operations in the audit log will enable comprehensive incident response and forensics. None - this is the default behavior.
RECOMMENDATION
Disable Audit Bypass on all mailboxes using PowerShell:
1. Connect to Exchange Online using Connect-ExchangeOnline.
2. The following example PowerShell script will disable AuditBypass for all mailboxes which currently have it enabled:
# Get mailboxes with AuditBypassEnabled set to $true
$MBXAudit = Get-MailboxAuditBypassAssociation -ResultSize unlimited | Where-Object { $_.AuditBypassEnabled -eq $true }
foreach ($mailbox in $MBXAudit) {
    $mailboxName = $mailbox.Name
    Set-MailboxAuditBypassAssociation -Identity $mailboxName -AuditBypassEnabled $false
    Write-Host -ForegroundColor Green
}
Ensure Microsoft 365 Exchange Online Admin Auditing Is Enabled
Manual Check
IMPACT
Microsoft 365 Admin Auditing is disabled. It is a security risk and not a compliance issue.
RECOMMENDATION
It is recommended to enable Admin Auditing so data can be audited, such as when someone changes the permissions on a mailbox.
Ensure Microsoft 365 Exchange Online Unified Auditing Is Enabled
Manual Check
IMPACT
Microsoft 365 Unified Auditing is disabled. It is a security risk and not a compliance issue.
RECOMMENDATION
It is recommended to enable Unified Auditing so data can be audited, such as when someone changes the permissions on a mailbox.
Microsoft Exchange admin center-Mailflow
Ensure all forms of mail forwarding are blocked and-or disabled
Manual Check
IMPACT
Item does not meet all the requirements as per test. Not Reported
RECOMMENDATION
Not Reported
Ensure mail transport rules do not whitelist specific domains
Manual Check
IMPACT
Mail transport rules are not configured to avoid whitelisting specific domains. Care should be taken before implementation to ensure there is no business need for case-by-case whitelisting. Removing all whitelisted domains could affect incoming mail flow to an organization, although modern systems sending legitimate mail should have no issue with this.
RECOMMENDATION
You should set your Exchange Online mail transport rules so they do not whitelist any specific domains. Removing all whitelisted domains could affect incoming mail flow to an organization, although modern systems sending legitimate mail should have no issue with this. Whitelisting domains in transport rules bypasses regular malware and phishing scanning, which can enable an attacker to launch attacks against your users from a safe haven domain.
Ensure Tagging is enabled for External Emails
Manual Check
IMPACT
Tagging is not enabled for external emails. Since most scam emails originate from external sources, it's better to create awareness among users before they open external emails. With the External email tagging feature, an "External" tag can be added to external emails. It helps Outlook users handle those emails with extra attention.
RECOMMENDATION
It is recommended to enable tagging for all external emails. Please use Set-ExternalInOutlook -Enabled $true to enable tagging.
Ensure Tagging does not allow specific domains
Manual Check
IMPACT
Tagging allows specific domains. In phishing attacks, malicious actors send messages/emails pretending to be trusted persons or organizations. Employees are the first line of cyber defense, so Microsoft 365 admins should take the necessary steps to upskill their users. Since most scam emails originate from external sources, it's better to create awareness among users before they open external emails. With the External email tagging feature, an "External" tag can be added to external emails. It helps Outlook users handle those emails with extra attention.
RECOMMENDATION
In case you need to white-list some domains as part of tagging, please make sure the list added contains only the domains you intend to include in the allowed list. However, as a security best practice, we should not allow specific domains.
Ensure Transport Rules to Block Exchange Auto-Forwarding is configured
Manual Check
IMPACT
Item does not meet all the requirements as per test. No Exchange Online Transport Rules are in place to block email auto-forwarding. Cyber adversaries often configure compromised Office 365 accounts to forward emails to external persons. It is therefore advisable to configure an Exchange transport rule that blocks auto-forwarded emails.
RECOMMENDATION
Navigate to the Mail Flow > Rules screen in the Exchange Admin Center. Add a rule that applies when the message is auto-forwarded and takes the action of blocking the message. An article in the References section also describes this process. There are additional steps below that detail how to stop email forwarding.
Ensure Do Not Bypass the Safe Attachments Filter is not configured
Manual Check
IMPACT
Item does not meet all the requirements as per test. In Exchange, it is possible to create mail transport rules that bypass the Safe Attachments detection capability. The rules listed above bypass the Safe Attachments capability. Consider reviewing these rules, as bypassing the Safe Attachments capability even for a subset of senders could be considered insecure depending on the context or may be an indicator of compromise.
RECOMMENDATION
Navigate to the Mail Flow > Rules screen in the Exchange Admin Center. Look for the offending rules and begin the process of assessing who created them and whether they are necessary to the continued function of the organization. If they are not, remove the rules.
Ensure Do Not Bypass the Safe Links Feature is not configured
Manual Check
IMPACT
Item does not meet all the requirements as per test. In Exchange, it is possible to create mail transport rules that bypass the Safe Links detection capability. The rules listed above bypass the Safe Links capability. Consider reviewing these rules, as bypassing the Safe Links capability even for a subset of senders should be considered dangerous.
RECOMMENDATION
Navigate to the Mail Flow > Rules screen in the Exchange Admin Center. Look for the offending rules and begin the process of assessing who created them and whether they are necessary to the continued function of the organization. If they are not, remove the rules.
Ensure Exchange Modern Authentication is Enabled
Manual Check
IMPACT
Item does not meet all the requirements as per test. Modern Authentication is an Exchange feature that allows authentication capabilities such as Multi-Factor Authentication, smart cards, and certificate-based authentication to function. It is recommended that Modern Authentication be enabled for Exchange Online in order to provide these capabilities.
RECOMMENDATION
Use the Set-OrganizationConfig PowerShell command as listed below. Multiple reference guides are linked in the References section below.
Ensure Transport Rules to Block Executable Attachments are configured
Manual Check
IMPACT
Item does not meet all the requirements as per test. No Exchange Online Transport Rules are in place to block email containing executable attachments. Executable attachments can be used to deliver malicious payloads and exfiltrate company data.
RECOMMENDATION
Navigate to the Mail Flow Rules screen in the Exchange Admin Center. Add a rule that applies when the message contains executable attachments and takes the action of blocking the message. An article in the References section also describes this process.
Ensure Malware Filter Policies Alert for Internal Users Sending Malware is configured
Manual Check
IMPACT
Item does not meet all the requirements as per test. Malware being sent by an internal user's email account is often an indication that a security event has occurred. For this reason, it is strongly recommended that each organization have malware filter policies that alert administrators when malware is being sent by an internal user's account. It is possible to configure malware filter policies in O365 that generate these alerts. The malware filter policies listed herein do not alert an administrator when an internal user sends malware.
RECOMMENDATION
It is possible to configure malware filter policies from within the Exchange Online Protection portal or through the Set-MalwareFilterPolicy command as listed below. Make sure the policy is set to email a service account or administrator that is active and monitored and consider establishing a retention period for which to store malware alerts, as they may be evidence in future security incidents.
Ensure Transport Rules to Block Large Attachments are configured
Manual Check
IMPACT
Item does not meet all the requirements as per test. No Exchange Online Transport Rules are in place to block emails with overly large attachments. Emails with overly large attachments may present a security risk for several reasons. Emails the domains receive may have overly large attachments that contain malware, and adversaries sometimes use overly large files in an attempt to bypass anti-malware scanners or otherwise avoid suspicion. An adversary with access to an organizational email account may also use a large attachment to exfiltrate sensitive data from the organization; for example, emailing an encrypted archive file to other adversarial infrastructure using a compromised O365 account. It is often recommended to create a rule that detects and blocks attachments over a certain size for these reasons.
RECOMMENDATION
Go to the Exchange Mail Flow rules screen and create a new rule which blocks attachments over a designated size.
Ensure Mailbox Auditing is Enabled at Tenant Level
Manual Check
IMPACT
Item does not meet all the requirements as per test. Mailbox Auditing is an Exchange mailbox feature that, when activated, generates audit logs for events related to a user's use of email. This is one of the most oft-recommended security improvements to Exchange because mailbox audit logs can contain information critical in a detection or response scenario such as triaging a business email compromise. Mailbox auditing can be globally enabled at the Tenant level, which supersedes all per-mailbox settings, but it is not currently enabled.
RECOMMENDATION
Mailbox auditing can be globally enabled within the Tenant using the Set-OrganizationConfig cmdlet as follows: Set-OrganizationConfig -AuditDisabled $false
Ensure Mailboxes without Mailbox Auditing are not present
Manual Check
IMPACT
Item does not meet all the requirements as per test. The Exchange mailboxes listed above do not have Mailbox Auditing enabled. Mailbox Auditing enables the logging of certain actions performed by mailbox owners and administrators and is a valuable source of data for the investigation and analysis of security incidents such as business email compromises. It is recommended that Mailbox Auditing be enabled for the affected mailboxes. Note that it is possible mailbox auditing is enabled globally, which would supersede these findings.
RECOMMENDATION
Mailbox auditing can be quickly enabled for a user with the Set-Mailbox cmdlet as follows: Set-Mailbox -Identity [user_email] -AuditEnabled $true. A list of affected email addresses for this finding is embedded in this report.
Ensure Safe Attachments is Enabled
Manual Check
IMPACT
Item does not meet all the requirements as per test. The Microsoft Office 365 Safe Attachments feature is not enabled. Safe Attachments is a Microsoft feature that uses behavioral analysis and detonation in a virtual environment to add another layer of defense against malware on top of existing Exchange Online anti-malware policies. It is recommended to enable this feature. This finding may also indicate that the O365 license tier does not enable ATP features.
RECOMMENDATION
Safe Attachments can be configured by navigating to the Threat Management portal in the Office 365 Security and Compliance center. The first reference below is a detailed guide to configuring ATP Safe Attachments.
Ensure Safe Links is Enabled
Manual Check
IMPACT
Item does not meet all the requirements as per test. Safe Links is a feature of O365 that enables real-time detection of malicious links in incoming Exchange emails and other Office 365 applications, such as Microsoft Teams. Safe Links is not enabled in the O365 tenant. This may be because the organization does not have the appropriate license level to use the feature, or because it has been disabled. This lowers the amount of built-in protection O365 offers the organization against phishing and other attacks.
RECOMMENDATION
Safe Links can be configured by navigating to the Threat Management portal in the Office 365 Security and Compliance center. The first guide below is a quick introduction to enabling Safe Links while the second is a detailed reference.
Ensure Safe Links Click-Through is Not Allowed
Manual Check
IMPACT
Item does not meet all the requirements as per test. Advanced Threat Protection Safe Links (ATP Safe Links) is an Office 365 feature that enables the detection of suspicious links used in attacks delivered via Exchange Email and Teams, such as phishing attacks. ATP Safe Links is configured to allow users to click through a link flagged as unsafe if they choose. It is recommended to disable this ability, as users will often click through to potentially unsafe links if they are given the choice, partially negating the benefit of Safe Links.
RECOMMENDATION
Use the Set-SafeLinksPolicy cmdlet in the Exchange Online PowerShell module as follows: Set-SafeLinksPolicy -AllowClickThrough $false
Ensure Safe Links Flags Links in Real Time
Manual Check
IMPACT
Item does not meet all the requirements as per test. Safe Links is an Office 365 feature that enables the detection of suspicious links used in attacks delivered via Exchange Email and Teams, such as phishing attacks. ATP Safe Links can be configured to flag dangerous links in email and guarantee that the email will not be delivered until the Safe Links scanning is complete. This is the ideal Safe Links setting. However, this setting is currently disabled, which means it is possible for emails to be delivered before Safe Links protections have been applied. It is also possible that this inspector finding was generated because ATP Safe Links is not enabled or the organization does not have an appropriate O365 license tier to use ATP Safe Links features, in which case the remediation described below would not apply.
RECOMMENDATION
Use the Set-SafeLinksPolicy cmdlet in the Exchange Online PowerShell module as follows: Set-SafeLinksPolicy -DeliverMessageAfterScan $true (a value of $true holds delivery until URL scanning has completed, which is the state this check requires).
Ensure SMTP Authentication is disabled Globally
Manual Check
IMPACT
Item does not meet all the requirements as per test. SMTP Authentication is a method of authenticating to an Exchange Online mailbox to deliver email. Cyber adversaries have used SMTP authentication as a workaround for subtly conducting password spraying attacks or other credential-related attacks and bypassing Multi-Factor Authentication protection, because legacy authentication methods such as SMTP do not support MFA. There are two ways of disabling SMTP authentication: globally, and granularly on a per-user-mailbox level. It is recommended that SMTP Authentication be globally disabled if possible. Note that this may disrupt the functionality of legacy or other applications that require it for continued operations.
RECOMMENDATION
Use the Exchange Online administration module for PowerShell to execute the listed PowerShell command. Note that SMTP authentication for individual mailboxes may still need to be located and disabled using the Set-CASMailbox cmdlet with the -SmtpClientAuthenticationDisabled parameter.
Ensure mail transport rules do not forward email to external domains
Manual Check
IMPACT
Mail transport rules are not configured to block forwarding to external domains. No Exchange Online Transport Rules are in place to block email auto-forwarding. Cyber adversaries often configure compromised Office 365 accounts to forward emails to external persons. It is therefore advisable to configure an Exchange transport rule that blocks auto-forwarded emails.
RECOMMENDATION
Navigate to the Mail Flow > Rules screen in the Exchange Admin Center. Add a rule that applies when the message is auto-forwarded and takes the action of blocking the message. An article in the References section also describes this process. There are additional steps below that detail how to stop email forwarding.
Ensure automatic forwarding options are disabled
Manual Check
IMPACT
Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding.
RECOMMENDATION
Disabling auto-forwarding to remote domains will affect all users in an organization.
Ensure the Client Rules Forwarding Block is enabled
Manual Check
IMPACT
Client Rules Forwarding is not blocked. Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users in an organization.
RECOMMENDATION
You should set your Exchange Online mail transport rules to not forward email to domains outside of your organization. Automatic forwarding should also be disabled, to prevent users from auto-forwarding mail via Outlook or Outlook on the web. Alongside this, the Client Rules Forwarding Block, which prevents the use of any client-side rules that forward email to an external domain, should also be enabled.
Ensure the Advanced Threat Protection Safe Links policy is enabled
Manual Check
IMPACT
Advanced Threat Protection Safe Links Policy is not enabled. When enabling and configuring ATP Safe Links, the impact to the end-user should be low. Users should be informed of the change, as in the event a link is unsafe and blocked, they will receive a message that it has been blocked.
RECOMMENDATION
You should review all the security threats in the Threat protection status report at least weekly. This report shows specific instances of Microsoft blocking a malware attachment from reaching your users, phishing being blocked, impersonation attempts, etc.
Ensure the Advanced Threat Protection SafeAttachments policy is enabled
Manual Check
IMPACT
Safe Attachment Policy is not enabled. Delivery of email with attachments may be delayed while scanning is occurring. The delay after enabling is very minor (60 seconds to 1 minute).
RECOMMENDATION
Enabling the Safe Attachments policy extends malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. In that environment, a behavior analysis is performed using a variety of machine learning and analysis techniques to detect malicious intent. This policy increases the likelihood of identifying and stopping previously unknown malware.
Ensure that an anti-phishing policy has been created
Manual Check
IMPACT
Anti-Phishing Policy has not been created. Turning on Anti-Phishing should not cause an impact. Messages will be displayed when applicable.
RECOMMENDATION
By default, Microsoft 365 includes built-in features that help protect your users from phishing attacks. Set up anti-phishing policies to increase this protection, for example by refining settings to better detect and prevent impersonation and spoofing attacks. The default policy applies to all users within the organization and is a single view where you can fine-tune anti-phishing protection. Custom policies can be created and configured for specific users, groups or domains within the organization and will take precedence over the default policy for the scoped users. Anti-phishing protects users from phishing attacks (like impersonation and spoofing) and uses safety tips to warn users about potentially harmful messages.
Ensure mailbox auditing for all users is Enabled
Manual Check
IMPACT
Found some mailboxes without auditing enabled. An auditing process needs to be created and followed.
RECOMMENDATION
By turning on mailbox auditing, Microsoft 365 back-office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. Starting in January 2019, Microsoft is turning on mailbox audit logging by default for all organizations.
Ensure all member users are MFA capable
Manual Check
IMPACT
When using the UI audit method, guest users will appear in the report and, unless the organization is applying MFA rules to guests, they will need to be manually filtered. Accounts that provide on-premises directory synchronization also appear in these reports.
RECOMMENDATION
Remediation steps will depend on the status of the personnel in question or the configuration of Conditional Access policies and will not be covered in detail. Administrators should review each user identified on a case-by-case basis using the conditions below. User has never signed on: employment status should be reviewed, and appropriate action taken on the user account's roles, licensing and enablement. Conditional Access policy applicability: ensure a CA policy is in place requiring all users to use MFA. Ensure the user is not excluded from the CA MFA policy. Ensure the policy's state is set to On. Use What if to determine applicable CA policies (Protection > Conditional Access > Policies). Review the user account in Sign-in logs. Under the Activity Details pane, click the Conditional Access tab to view applied policies. Note: Conditional Access is covered step by step in section 5.2.2.
Ensure weak authentication methods are disabled
Manual Check
IMPACT
Disabling Email OTP will prevent one-time passcodes from being sent to unverified guest users accessing Microsoft 365 resources on the tenant. They will be required to use a personal Microsoft account, a managed Microsoft Entra account, be part of a federation, or be configured as a guest in the host tenant's Microsoft Entra ID.
RECOMMENDATION
To remediate using the UI: 1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/. 2. Click to expand Protection, then select Authentication methods. 3. Select Policies. 4. Inspect each method that is out of compliance and remediate: click on the method to open it, change the Enable toggle to the off position, and click Save. Note: If the Save button remains greyed out after toggling a method off, then first turn it back on and then change the position of the Target selection (all users or select groups). Turn the method off again and save. This was observed to be a bug in the UI at the time this document was published.
Ensure email from external senders is identified
Manual Check
IMPACT
Mail flow rules using external tagging will need to be disabled before enabling this to avoid duplicate [External] tags. The Outlook desktop client is the last to receive this update and the feature is only available for certain versions see below: Outlook for Windows: Update 4/26/23: External Tag view in Outlook for Windows (matching other clients) released to production for Current Channel and Monthly Enterprise Channel in Version 2211 for builds 15831.20190 and higher. We anticipate the External tag to reach Semi-Annual Preview Channel with Version 2308 on the September 12th 2023 public update and reach Semi-Annual Enterprise Channel with Version 2308 with the January 9th 2024 public update.
RECOMMENDATION
To remediate using PowerShell: 1. Connect to Exchange online using Connect-ExchangeOnline. 2. Run the following PowerShell command: Set-ExternalInOutlook -Enabled $true
Microsoft Exchange admin center-Roles
Ensure users installing Outlook add-ins is not allowed
Manual Check
IMPACT
Installation of Outlook add-ins by users is allowed. Implementation of this change will impact both end users and administrators. End users will not be able to integrate third-party applications that they may wish to use.
RECOMMENDATION
By default, users can install add-ins in their Microsoft Outlook Desktop client, allowing data access within the client application. Do not allow users to install add-ins in Outlook. Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling users' ability to install add-ins in Microsoft Outlook helps reduce your attack surface and mitigate this risk.
Microsoft Exchange admin center-Reports
Ensure mail forwarding rules are reviewed and actioned
Passed
IMPACT
An auditing process is not created and followed. An auditing process needs to be created and followed.
RECOMMENDATION
The Exchange Online environment can be configured in a way that allows for automatic forwarding of email. This can be done using Transport Rules in the Admin Center, Auto Forwarding per mailbox, and client-based rules in Outlook. Administrators and users both are given several methods to automatically and quickly send e-mails outside of your organization. Reviewing mail forwarding rules will provide the Messaging Administrator with insight into possible attempts to exfiltrate data from the organization. Weekly review helps create a recognition of baseline, legitimate activity of users. This will aid in helping identify the more malicious activity of bad actors when/if they choose to use this side-channel.
Ensure the Malware Detections report is reviewed at least weekly
Passed
IMPACT
Auditing Process needs to be created and followed.
RECOMMENDATION
Ensure Microsoft 365 Deleted Mailboxes are identified and Verified
Passed
IMPACT
Deleted Mailboxes were found in Microsoft 365 Exchange Online. Refer to the issue details.
RECOMMENDATION
Please check why these mailboxes were deleted, or restore any mailbox that is important.
Ensure Microsoft 365 Hidden Mailboxes are Identified
Passed
IMPACT
Some mailboxes are hidden from the address list. These mailboxes will not appear in the address list.
RECOMMENDATION
Please review the list provided.
Ensure Mailboxes External Address Forwarding is not configured
Passed
IMPACT
Some Mailboxes are configured with External Forwarding. It is a security risk. Mailboxes must not be configured with forwarding to prevent data loss.
RECOMMENDATION
Please review the list and make sure to remove forwarding from these mailboxes.
Ensure Exchange Online Mailboxes on Litigation Hold
Passed
IMPACT
Some Mailboxes are in Litigation Hold. Refer to the issue details.
RECOMMENDATION
Please review the list provided.
Ensure Exchange Online SPAM Domains are identified
Passed
IMPACT
Found SPAM Items. It is a security risk.
RECOMMENDATION
Identify the SPAM domains and block them.
Ensure Exchange Online Mailbox Auditing is enabled
Passed
IMPACT
Auditing is not enabled for mailboxes. Auditing is required for mailboxes in order to see changes that have been taking place.
RECOMMENDATION
Please review the list provided.
Microsoft 365 Exchange Online Admin Success and Failure Attempts
Passed
IMPACT
Found failure attempts from Admins when accessing Microsoft 365 objects. It is a security risk.
RECOMMENDATION
Please review the data and make sure the attempts did not cause any issues.
Microsoft 365 Exchange Online External Access Admin Success and Failure Attempts
Passed
IMPACT
Found failure attempts from External Admins when accessing Microsoft 365 objects. It is a security risk.
RECOMMENDATION
Please review the data and make sure the attempts did not cause any issues.
Microsoft Exchange admin center-Settings
Ensure modern authentication for Exchange Online is enabled
Passed
IMPACT
Modern Authentication is not enabled for Exchange Online. Users of older email clients, such as Outlook 2013 and Outlook 2016, will no longer be able to authenticate to Exchange using Basic Authentication, which will necessitate migration to modern authentication practices.
RECOMMENDATION
Modern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. When you enable modern authentication in Exchange Online, Outlook 2016 and Outlook 2013 use modern authentication to log in to Microsoft 365 mailboxes. When you disable modern authentication in Exchange
Ensure MailTips are enabled for end users
Passed
IMPACT
MailTips are not enabled for end users. No impact.
RECOMMENDATION
MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant.
Ensure external storage providers available in Outlook on the Web are restricted
Passed
IMPACT
External Storage Providers in Outlook on the Web are not restricted. The impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so.
RECOMMENDATION
You should restrict storage providers that are integrated with Outlook on the Web. By default, additional storage providers are allowed in Outlook on the Web (such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from storage providers that the organization does not trust. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage.
Ensure Email Security Checks are Bypassed Based on Sender Domain are not configured
Passed
IMPACT
Item does not meet all the requirements as per test. In the Exchange transport rules settings, it is possible to implement transport rules that bypass spam filtering and other email security capabilities (Exchange Online Protection) based on an IP address or domain (allowlisting). This makes a significant assumption of trust that should be reviewed and reconsidered. The transport rules listed herein bypass email security based on a domain allowlist.
RECOMMENDATION
Locate the rules 365Inspect has identified (they are listed in this report) and determine who created the rules. Pursue a dialogue or analysis of whether the Exchange Online Protection is necessary for continued operations and whether another solution is possible. If the rules are not necessary, remove the rules.
Ensure Email Security Checks are Bypassed Based on Sender IP are not configured
Passed
IMPACT
Item does not meet all the requirements as per test. In the Exchange transport rules settings, it is possible to implement transport rules that bypass spam filtering and other email security capabilities (Exchange Online Protection) based on an IP address or domain (allowlisting). This makes a significant assumption of trust that should be reviewed and reconsidered. The transport rules listed herein bypass email security based on an IP address allowlist.
RECOMMENDATION
Locate the rules 365Inspect has identified (they are listed in this report) and determine who created the rules. Pursue a dialogue or analysis of whether the allowlisting is necessary for continued operations and whether another solution is possible. If the rules are not necessary, remove the rules.
Ensure No Exchange Mailboxes with FullAccess Delegates are present
Passed
IMPACT
Item does not meet all the requirements as per test. The Exchange Online mailboxes listed above have delegated Full Access permissions to another account.
RECOMMENDATION
This finding refers to individual mailboxes that have Full Access delegated permissions. For these mailboxes, verify that the delegate access is expected, appropriate, and does not violate company policy. Remediation can be accomplished by running the listed PowerShell command. A list of affected email addresses is included in this report.
Ensure No Exchange Mailboxes with SendAs Delegates are present
Passed
IMPACT
Item does not meet all the requirements as per test. The Exchange Online mailboxes listed above have delegated SendAs permissions to another account.
RECOMMENDATION
This finding refers to individual mailboxes that have SendAs delegated permissions. For these mailboxes, verify that the delegate access is expected, appropriate, and does not violate company policy. Remediation can be accomplished by running the listed PowerShell command. A list of affected email addresses is included in this report.
Ensure No Exchange Mailboxes with SendOnBehalfOf Delegates are present
Passed
IMPACT
Item does not meet all the requirements as per test. The Exchange Online mailboxes listed above have delegated SendOnBehalfOf permissions to another account.
RECOMMENDATION
This finding refers to individual mailboxes that have SendOnBehalfOf delegated permissions. For these mailboxes, verify that the delegate access is expected, appropriate, and does not violate company policy. Remediation can be accomplished by running the listed PowerShell command. A list of affected email addresses is included in this report.
Microsoft SharePoint Admin Center-Policies
Manual Check
IMPACT
Basic Authentication is not enabled for SharePoint Online. Implementation of modern authentication for SharePoint will require users to authenticate to SharePoint using modern authentication. This may cause a minor impact to typical user behavior.
RECOMMENDATION
Strong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users.
Manual Check
IMPACT
Item does not meet all the requirements as per test. Azure AD B2B provides authentication and management of guests. Authentication happens via one-time passcode when they don't already have a work or school account or a Microsoft account. Integration with SharePoint and OneDrive allows for more granular control of how guest user accounts are managed in the organization's AAD, unifying a similar guest experience already deployed in other Microsoft 365 services such as Teams. Note: The Global Reader role currently cannot access SharePoint using PowerShell. External users assigned guest accounts will be subject to Azure AD access policies, such as multi-factor authentication. This provides a way to manage guest identities and control access to SharePoint and OneDrive resources. Without this integration, files can be shared without account registration, making it more challenging to audit and manage who has access to the organization's data. Azure B2B collaboration is used with other Azure services, so it should not be new or unusual. Microsoft has also made the experience seamless when turning on integration on SharePoint sites that already have active files shared with guest users. The referenced Microsoft article on the subject has more details on this.
RECOMMENDATION
To remediate using PowerShell: 1. Connect to SharePoint Online using Connect-SPOService. 2. Run the following command: Set-SPOTenant -EnableAzureADB2BIntegration $true
Ensure external content sharing is restricted
Manual Check
IMPACT
Item does not meet all the requirements as per test. The external sharing settings govern sharing for the organization overall. Each site has its own sharing setting that can be set independently, though it must be at the same or a more restrictive setting as the organization. The New and existing guests option requires people who have received invitations to sign in with their work or school account (if their organization uses Microsoft 365) or a Microsoft account, or to provide a code to verify their identity. Users can share with guests already in your organization's directory, and they can send invitations to people who will be added to the directory if they sign in. The recommended state is New and existing guests or less permissive. Forcing guest authentication on the organization's tenant enables the implementation of controls and oversight over external file sharing. When a guest is registered with the organization, they now have an identity which can be accounted for. This identity can also have other restrictions applied to it through group membership and conditional access rules. When using Azure AD B2B integration, Azure AD external collaboration settings, such as guest invite settings and collaboration restrictions, apply.
RECOMMENDATION
To remediate using the UI: 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint. 2. Click to expand Policies > Sharing. 3. Locate the External sharing section. 4. Under SharePoint, move the slider bar to New and existing guests or a less permissive level. OneDrive will also be moved to the same level and can never be more permissive than SharePoint. To remediate using PowerShell: 1. Connect to SharePoint Online service using Connect-SPOService. 2. Run the following cmdlet to establish the minimum recommended state: Set-SPOTenant -SharingCapability ExternalUserSharingOnly. Note: Other acceptable values for this parameter that are more restrictive include Disabled and ExistingExternalUserSharingOnly.
Ensure OneDrive content sharing is restricted
Manual Check
IMPACT
Item does not meet all the requirements as per test. This setting governs the global permissiveness of OneDrive content sharing in the organization. OneDrive content sharing can be restricted independent of SharePoint but can never be more permissive than the level established with SharePoint. The recommended state is Only people in your organization. OneDrive, designed for end-user cloud storage, inherently provides less oversight and control compared to SharePoint, which often involves additional content overseers or site administrators. This autonomy can lead to potential risks such as inadvertent sharing of privileged information by end users. Restricting external OneDrive sharing will require users to transfer content to SharePoint folders first, which have those tighter controls. Users will be required to take additional steps to share OneDrive content or use other official channels.
RECOMMENDATION
To remediate using the UI: 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint. 2. Click to expand Policies > Sharing. 3. Locate the External sharing section. 4. Under OneDrive, set the slider bar to Only people in your organization. To remediate using PowerShell: 1. Connect to SharePoint Online service using Connect-SPOService. 2. Run the following cmdlet: Set-SPOTenant -OneDriveSharingCapability Disabled
Manual Check
IMPACT
Item does not meet all the requirements as per test. SharePoint gives users the ability to share files, folders, and site collections. Internal users can share with external collaborators, and with the right permissions could share to other external parties. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. The impact associated with this change is highly dependent upon current practices. If users do not regularly share with external parties, then minimal impact is likely. However, if users do regularly share with guests/externally, minimum impacts could occur as those external users will be unable to re-share content.
RECOMMENDATION
To remediate using the UI: 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint. 2. Click to expand Policies, then select Sharing. 3. Expand More external sharing settings and uncheck Allow guests to share items they don't own. 4. Click Save. To remediate using PowerShell: 1. Connect to SharePoint Online service using Connect-SPOService. 2. Run the following SharePoint Online PowerShell command: Set-SPOTenant -PreventExternalUsersFromResharing $True
Ensure document sharing is being controlled by domains with whitelist or blacklist
Manual Check
IMPACT
Document Sharing control for domains is not configured. Enabling this feature will prevent users from sharing documents with domains outside of the organization unless allowed.
RECOMMENDATION
You should control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Enabling this feature will prevent users from sharing documents with domains outside of the organization unless allowed. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area.
Manual Check
IMPACT
Item does not meet all the requirements as per test. This setting sets the default link type that a user will see when sharing content in OneDrive or SharePoint. It does not restrict or exclude any other options. The recommended state is Specific people (only the people the user specifies). By defaulting to specific people, the user will first need to consider whether or not the content being shared should be accessible by the entire organization versus select individuals. This aids in reinforcing the concept of least privilege.
RECOMMENDATION
To remediate using the UI: 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint. 2. Click to expand Policies > Sharing. 3. Scroll to File and folder links. 4. Set Choose the type of link that's selected by default when users share files and folders in SharePoint and OneDrive to Specific people (only the people the user specifies). To remediate using PowerShell: 1. Connect to SharePoint Online using Connect-SPOService. 2. Run the following PowerShell command: Set-SPOTenant -DefaultSharingLinkType Direct
Ensure external sharing is restricted by security group
Manual Check
IMPACT
Item does not meet all the requirements as per test. External sharing of content can be restricted to specific security groups. This setting is global, applies to sharing in both SharePoint and OneDrive and cannot be set at the site level in SharePoint. The recommended state is Enabled or Checked. Note: Users in these security groups must be allowed to invite guests in the guest invite settings in Microsoft Entra (Identity > External Identities > External collaboration settings). Organizations wishing to create tighter security controls for external sharing can set this to enforce role-based access control by using security groups already defined in Microsoft Entra. OneDrive will also be governed by this and there is no granular control at the SharePoint site level.
RECOMMENDATION
To remediate using the UI:
1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint
2. Click to expand Policies > Sharing.
3. Scroll to and expand More external sharing settings.
4. Set the following:
- Check Allow only users in specific security groups to share externally
- Define Manage security groups in accordance with company procedure.
Ensure expiration time for external sharing links is set
Manual Check
IMPACT
Expiration time for external sharing links is not set. Enabling this feature will ensure that links expire within the defined number of days. This will also affect links that were previously created without an expiration.
RECOMMENDATION
The external sharing features of Microsoft SharePoint let users in your organization share content with people outside the organization (such as partners, vendors, clients, or customers). External sharing in SharePoint is part of secure collaboration with Microsoft 365. An attacker can compromise a user account for a short period of time, send anonymous sharing links to an external account, then take their time accessing the data. They can also compromise external accounts and steal the anonymous sharing links sent to those external entities well after the data has been shared. Restricting how long the links are valid can reduce the window of opportunity for attackers.
Ensure reauthentication with verification code is restricted
Manual Check
IMPACT
Item does not meet all the requirements as per test. This setting configures whether guests who use a verification code to access the site or links are required to reauthenticate after a set number of days. The recommended state is 15 or less. Increasing how often guests need to reauthenticate ensures that guest user access to data is not prolonged beyond an acceptable amount of time. Guests who use Microsoft 365 in their organization can sign in using their work or school account to access the site or document. After the one-time passcode for verification has been entered for the first time, guests will authenticate with their work or school account and have a guest account created in the host's organization. Note: If OneDrive and SharePoint integration with Azure AD B2B is enabled as per the CIS Benchmark, the one-time-passcode experience will be replaced. Please visit [Secure external sharing in SharePoint - SharePoint in Microsoft 365 | Microsoft Learn](https://learn.microsoft.com/en-US/sharepoint/what-s-new-in-sharing-in-targeted-release?WT.mc_id=365AdminCSH_spo) for more information.
RECOMMENDATION
To remediate using the UI:
1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint
2. Click to expand Policies > Sharing.
3. Scroll to and expand More external sharing settings.
4. Set People who use a verification code must reauthenticate after this many days to 15 or less.
To remediate using PowerShell:
1. Connect to SharePoint Online service using Connect-SPOService.
2. Run the following cmdlet:
Set-SPOTenant -EmailAttestationRequired $true -EmailAttestationReAuthDays 15
Ensure guest access to a site or OneDrive will expire automatically
Manual Check
IMPACT
Site collection administrators will have to renew access to guests who still need access after 30 days. They will receive an e-mail notification once per week about guest access that is about to expire. Note: The guest expiration policy only applies to guests who use sharing links or guests who have direct permissions to a SharePoint site after the guest policy is enabled. The guest policy does not apply to guest users that have pre-existing permissions or access through a sharing link before the guest expiration policy is applied.
RECOMMENDATION
To remediate using the UI:
1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint
2. Click to expand Policies > Sharing.
3. Scroll to and expand More external sharing settings.
4. Set Guest access to a site or OneDrive will expire automatically after this many days to 30.
To remediate using PowerShell:
1. Connect to SharePoint Online service using Connect-SPOService.
2. Run the following cmdlet:
Set-SPOTenant -ExternalUserExpireInDays 30 -ExternalUserExpirationRequired $True
Manual Check
IMPACT
Not applicable
RECOMMENDATION
To remediate using the UI:
1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint
2. Click to expand Policies > Sharing.
3. Scroll to File and folder links.
4. Set Choose the permission that's selected by default for sharing links to View.
To remediate using PowerShell:
1. Connect to SharePoint Online service using Connect-SPOService.
2. Run the following cmdlet:
Set-SPOTenant -DefaultLinkPermission View
Microsoft SharePoint Admin Center-Settings
Manual Check
IMPACT
The setting that disallows download of infected files from SharePoint is not enabled. The only potential impact associated with implementing this setting is the inconvenience caused by the small percentage of false positive detections that may occur.
RECOMMENDATION
By default, SharePoint online allows files that Defender for Microsoft 365 has detected as infected to be downloaded. Defender for Microsoft 365 for SharePoint, OneDrive, and Microsoft Teams protects your
Block OneDrive for Business sync from unmanaged devices
Manual Check
IMPACT
OneDrive for Business sync from unmanaged devices is not blocked. Enabling this feature will prevent users from using the OneDrive for Business sync client on devices that are not joined to the domains that were defined.
RECOMMENDATION
Unmanaged devices pose a risk, since their security cannot be verified through existing security policies, brokers, or endpoint protection. Allowing users to sync data to these devices takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. Note: This setting is only applicable to Active Directory domains when operating in a hybrid configuration. It does not apply to Azure AD domains. If you have devices which are only Azure AD joined, consider using a Conditional Access Policy instead.
Ensure custom script execution is restricted on personal sites
Manual Check
IMPACT
Item does not meet all the requirements as per test. This setting controls custom script execution on OneDrive or user-created sites. Custom scripts can allow users to change the look, feel and behavior of sites and pages. Every script that runs in a SharePoint page (whether it's an HTML page in a document library or a JavaScript in a Script Editor Web Part) always runs in the context of the user visiting the page and the SharePoint application. This means:
- Scripts have access to everything the user has access to.
- Scripts can access content across several Microsoft 365 services and even beyond with Microsoft Graph integration.
The recommended state is Prevent users from running custom script on personal sites and Prevent users from running custom script on self-service created sites. Custom scripts could contain malicious instructions unknown to the user or administrator. When users are allowed to run custom script, the organization can no longer enforce governance, scope the capabilities of inserted code, block specific parts of code, or block all custom code that has been deployed. If scripting is allowed the following things cannot be audited:
- What code has been inserted
- Where the code has been inserted
- Who inserted the code
Note: Microsoft recommends using the [SharePoint Framework](https://learn.microsoft.com/en-us/sharepoint/dev/spfx/sharepoint-framework-overview) instead of custom scripts. Impact: None - this is the default behavior.
RECOMMENDATION
To remediate using the UI:
1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint
2. Select Settings.
3. At the bottom of the page click the classic settings page hyperlink.
4. Scroll to locate the Custom Script section. On the right set the following:
- Select Prevent users from running custom script on personal sites.
- Select Prevent users from running custom script on self-service created sites.
Ensure custom script execution is restricted on site collections
Manual Check
IMPACT
Item does not meet all the requirements as per test. This setting controls custom script execution on a particular site (previously called ). Custom scripts can allow users to change the look, feel and behavior of sites and pages. Every script that runs in a SharePoint page (whether it's an HTML page in a document library or a JavaScript in a Script Editor Web Part) always runs in the context of the user visiting the page and the SharePoint application. This means:
- Scripts have access to everything the user has access to.
- Scripts can access content across several Microsoft 365 services and even beyond with Microsoft Graph integration.
The recommended state is DenyAddAndCustomizePages set to $true. Custom scripts could contain malicious instructions unknown to the user or administrator. When users are allowed to run custom script, the organization can no longer enforce governance, scope the capabilities of inserted code, block specific parts of code, or block all custom code that has been deployed. If scripting is allowed the following things cannot be audited:
- What code has been inserted
- Where the code has been inserted
- Who inserted the code
Note: Microsoft recommends using the [SharePoint Framework](https://learn.microsoft.com/en-us/sharepoint/dev/spfx/sharepoint-framework-overview) instead of custom scripts. Impact: None - this is the default behavior.
RECOMMENDATION
To remediate using PowerShell:
1. Connect to SharePoint Online using Connect-SPOService.
2. Edit the below (replace the <SiteUrl> placeholder) and run it for each site as needed:
Set-SPOSite -Identity <SiteUrl> -DenyAddAndCustomizePages $true
Note: The property DenyAddAndCustomizePages cannot be set on the MySite host, which is displayed with a URL like https://<tenant-id>-my.sharepoint.com/
Manual Check
IMPACT
SharePoint sites are enabled for both external and user sharing. This is a risk if you have confidential information that could be shared with external users.
RECOMMENDATION
Recommended action is to disable SharePoint sites for both external and user sharing.
Manual Check
IMPACT
External user sharing (sharing by email) is not disabled. When users share with people outside the organization, an invitation is sent to the person in email, which contains a link to the shared item. If you have confidential information that should never be shared externally, we recommend storing the information in a site that has external sharing turned off. Create additional sites as needed to use for external sharing. This helps you to manage security risk by preventing external access to sensitive information.
RECOMMENDATION
It is recommended to review the sharing policy and adjust accordingly.
Manual Check
IMPACT
Impact associated with this change is highly dependent upon current practices. If users do not regularly share with external parties, then minimal impact is likely.
RECOMMENDATION
If users do regularly share with guests or external parties, minimal impact could still occur, as those external users will be unable to re-share content.
Manual Check
IMPACT
Item does not meet all the requirements as per test. SharePoint is the organization's hub for sharing files amongst each other. SharePoint can also permit users to share content with anonymous outsiders or members of other organizations (commonly referred to as "external users"). Sharing with external users and guests is currently enabled in this instance of SharePoint. This setting may increase the probability of sensitive information being shared outside of the organization, either accidentally or as a means of data exfiltration by a cyber adversary with access to the organizational environment. Consider disabling this setting for the sake of preventing such occurrences if there is no intention of sharing information outside of the organization as part of the organization's mission. However, note that some degree of external sharing is vital for many organizations. Furthermore, disabling external sharing is not necessarily a panacea for problems related to confidential information, as users may still mistakenly or maliciously share confidential information through a number of channels. Continue to apply good sense in data loss prevention and other forms of monitoring even if external sharing is disabled.
RECOMMENDATION
First, look at the "Affected Objects" section of the report for this finding; it should indicate which global sharing permission level the organization has currently enabled in SharePoint. If this is too permissive for the organization's use cases, consider taking action. There are multiple ways to change this setting. Navigate to Settings > Services > Sites in the O365 Admin portal, or the Sharing page of the SharePoint Administration Center. Doing either should present a list of global sharing capabilities, where "Share with Anyone" is the default; change this to a more restrictive setting. Before taking this action, it is advised to engage with other stakeholders in the organization to determine if SharePoint external sharing is used for an organizational function. An appropriate workaround or alternative course of action may need to be determined. Additionally, sharing settings besides the global-level settings are available; consider reading the "Limit sharing in Microsoft 365" guide below if additional granularity in sharing settings is required.
Manual Check
IMPACT
Item does not meet all the requirements as per test. SharePoint is the organization's hub for sharing files amongst each other. SharePoint can also permit users to share content with anonymous outsiders or members of other organizations (commonly referred to as "external users"). Current SharePoint settings are configured such that, if users share a file with an external user, that external user can re-share the file arbitrarily with other external users. This is a highly permissive setting that could result in the unsafe propagation of the organization's confidential information in ways that may not be fully intended.
RECOMMENDATION
Depending on the organization's use case, external user resharing may be disabled. This is most easily accomplished with the Set-SPOTenant PowerShell cmdlet from the SharePoint Online administration module.
Manual Check
IMPACT
Item does not meet all the requirements as per test. SharePoint legacy authentication is enabled. Cyber adversaries frequently attempt credential stuffing and other attacks against legacy authentication protocols because they are subject to less scrutiny and are typically exempt from Multi-Factor Authentication and other modern access requirements. It is recommended to globally disable SharePoint legacy authentication.
RECOMMENDATION
Consider using the SharePoint PowerShell module to disable legacy authentication protocols. Note that globally disabling legacy authentication could have an adverse effect on some users or applications that require legacy authentication to perform their functions. In such cases, it is possible to more granularly set up a Conditional Access Policy that blocks legacy authentication for only those users and applications who do not strictly require it. Documentation for both approaches is provided in the references below.
Manual Check
IMPACT
Item does not meet all the requirements as per test. The organization's instance of SharePoint is set to never expire links to documents accessible by the 'Anyone' group. 'Anyone' links that exist indefinitely could be abused by an adversary or enable leakage of sensitive information in multiple ways. A value of -1 indicates anonymous links never expire. It is suggested that these links expire eventually to control possible information disclosure.
RECOMMENDATION
In the SharePoint administration center, navigate to Sharing; Choose expiration and permissions options for Anyone links. Select a link expiry period and save the settings. Prior to taking this action, discuss amongst the organization whether anyone is using non-expiring Anyone links for a legitimate purpose.
Manual Check
IMPACT
Item does not meet all the requirements as per test. Modern Authentication is a SharePoint Online setting that allows authentication features such as MFA, smart cards, and certificate-based authentication to function. These authentication features, particularly MFA, are vital for the secure operation of an organization. It is recommended to enable SharePoint modern authentication.
RECOMMENDATION
Use the SharePoint PowerShell administration module to configure the OfficeClientADALDisabled setting. This enables SharePoint modern authentication programmatically. Additional steps should be taken to disable SharePoint Legacy Authentication to complement this action.
Manual Check
IMPACT
Item does not meet all the requirements as per test. Idle session sign-out lets you specify a time at which users are warned and are later signed out of Microsoft 365 after a period of browser inactivity in SharePoint and OneDrive.
RECOMMENDATION
This policy is one of several you can use with SharePoint and OneDrive to balance security and user productivity and help keep your data safe, regardless of where users access the data from, what device they're working on, and how secure their network connection is.
Microsoft Teams Admin Center-Teams
Ensure external file sharing in Teams is enabled for only approved cloud storage services
High
IMPACT
External file sharing in Teams is enabled. The impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so.
RECOMMENDATION
Microsoft Teams enables collaboration via file sharing. This file sharing is conducted within Teams, using SharePoint Online, by default; however, third-party cloud services are allowed as well. Ensuring that only authorized cloud storage providers are accessible from Teams will help to dissuade the use of non-approved storage providers.
Ensure users can't send emails to a channel email address
High
IMPACT
Item does not meet all the requirements as per test. Teams channel email addresses are an optional feature that allows users to email the Teams channel directly. Channel email addresses are not under the tenant's domain and organizations do not have control over the security settings for this email address. An attacker could email channels directly if they discover the channel email address. After remediation, users will not be able to email the channel directly.
RECOMMENDATION
To remediate using the UI:
1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com.
2. Click to expand Teams, then select Teams settings.
3. Under Email integration set Users can send emails to a channel email address to Off.
To remediate using PowerShell:
1. Connect to Teams PowerShell using Connect-MicrosoftTeams.
2. Run the following command to set the recommended state:
Set-CsTeamsClientConfiguration -Identity Global -AllowEmailIntoChannel $false
Ensure End-to-end encryption for Microsoft Teams is enabled
High
IMPACT
End-to-end encryption is not enabled for Teams calling. In recent times, Microsoft Teams has emerged as a primary workspace for real-time collaboration and communication. Since much business communication is carried out over Microsoft Teams, its security has become a concern. By default, Teams calls over VoIP are encrypted using Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP). However, these protocols allow admins to configure automatic recording and transcription of calls.
RECOMMENDATION
It is recommended to enable end-to-end encryption for Teams calls.
Ensure external domains are not allowed in Teams
High
IMPACT
The setting that blocks external domains in Teams is not configured. The impact associated with this change is highly dependent upon current practices in the tenant. If users do not regularly communicate with external parties using Skype or Teams channels, then minimal impact is likely. However, if users do regularly utilize Teams and Skype for client communication, potentially significant impacts could occur. Users should be contacted and, if necessary, alternate mechanisms to continue this communication should be identified prior to disabling external access to Teams and Skype.
RECOMMENDATION
As of December 2021 the default for Teams external communication is set to 'People in my organization can communicate with Teams users whose accounts aren't managed by an organization.' This means that users can communicate with personal Microsoft accounts (e.g. Hotmail, Outlook etc.), which presents data loss / phishing / social engineering risks. You should not allow your users to communicate with Skype or Teams users outside your organization. While there are legitimate, productivity-improving scenarios for this, it also represents a potential security threat because those external users will be able to interact with your users over Skype for Business or Teams. Users are prone to data loss / phishing / social engineering attacks via Teams.
Microsoft Teams Admin Center-Policies
Ensure Microsoft Teams External Domain Communication Policies are configured
Medium
IMPACT
Item does not meet all the requirements as per test. Microsoft Teams External Domain Communication Policies.
RECOMMENDATION
Review Microsoft Teams External Access Policies and validate that all results are expected, and no conflicting rules are in place.
Ensure Microsoft Teams Users Allowed to Invite Anonymous Users is disabled
High
IMPACT
Item does not meet all the requirements as per test. Microsoft Teams by default enables and allows anonymous users to join Teams meetings. This finding returns the users within the tenant that have the ability to invite anonymous users into the Teams environment. Some organizations may wish to disable this functionality, or restrict certain users, members, or roles from allowing anonymous users to join meetings. Changing these settings may have unintended consequences. Speak with stakeholders and understand what functionality may be affected before disabling this access.
RECOMMENDATION
This can be mitigated by navigating to the Teams admin center and turning off 'Anonymous users can join a meeting' under Meeting settings. This disables anonymous access globally. Alternatively, specific users and groups can be targeted by creating a new Meeting Policy and issuing the listed command in PowerShell.
Ensure Microsoft Teams Policies Allow Anonymous Members is disabled
High
IMPACT
Item does not meet all the requirements as per test. Microsoft Teams by default enables and allows authenticated users to invite anonymous users to join Teams meetings. Some organizations may wish to disable this functionality, or restrict certain users, members, or roles from allowing anonymous users to join meetings. Changing these settings may have unintended consequences. Speak with stakeholders and understand what functionality may be affected before disabling this access.
RECOMMENDATION
This can be mitigated by navigating to the Teams admin center and turning off 'Anonymous users can join a meeting' under Meeting settings. This disables anonymous access globally. Alternatively, specific users and groups can be targeted by creating a new Meeting Policy and issuing the listed command in PowerShell.
Ensure Microsoft Teams Consumer Communication Policies are configured
High
IMPACT
Item does not meet all the requirements as per test. Microsoft Teams External Access Policies allow communication with Teams users not managed by an organization.
RECOMMENDATION
Review Microsoft Teams External Access Policies and validate that all results are expected, and no conflicting rules are in place.
Ensure Microsoft Teams External Access Policies are configured
Low
IMPACT
Item does not meet all the requirements as per test. Microsoft Teams External Access Policies.
RECOMMENDATION
Review Microsoft Teams External Access Policies and validate that all results are expected, and no conflicting rules are in place.
Ensure Microsoft Teams Users Allowed to Preview Links in Messages is disabled
High
IMPACT
Item does not meet all the requirements as per test. Microsoft Teams by default enables and allows users to preview links in messages. Some organizations may wish to disable this functionality. Changing these settings may have unintended consequences. Speak with stakeholders and understand what functionality may be affected before disabling this access.
RECOMMENDATION
This can be mitigated by navigating to the Teams admin center and turning off 'Allow URL Previews' under Messaging settings. This disables link previews globally. Alternatively, specific users and groups can be targeted by creating a new Messaging Policy and issuing the listed command in PowerShell.
Ensure Safe Links for Teams is Enabled
High
IMPACT
Item does not meet all the requirements as per test. Safe Links is a feature of O365 that enables real-time detection of malicious links in incoming Exchange emails and other Office 365 applications. The Safe Links feature can also be enabled for links shared via Microsoft Teams. However, this setting is disabled in the 365 instance. Enabling it can decrease the risk of phishing and other attacks that might utilize malicious links sent via Teams, although it is not a panacea for these attacks.
RECOMMENDATION
Perhaps the most convenient way to enable this feature is to use the Set-SafeLinksPolicy command in PowerShell as listed below. Note that some organizations may have chosen to disable Safe Links for Teams if it interferes with day-to-day operations, so key stakeholders should be surveyed before enabling Safe Links for Teams.
Microsoft Teams Admin Center-Users
Ensure external access is restricted in the Teams admin center
High
IMPACT
Item does not meet all the requirements as per test. This policy setting controls chat with external unmanaged Skype and Teams users. Users in the organization will not be searchable by unmanaged Skype or Teams users and will have to initiate all communications with unmanaged users. Note: As of December 2021, the default for Teams external communication is set to People in my organization can communicate with Teams users whose accounts are not managed by an organization. Note #2: Skype for Business is deprecated as of July 31, 2021, although these settings may still be valid for a period of time. See the link in the reference section for more information. Allowing users to communicate with Skype or Teams users outside of an organization presents a potential security threat as external users can interact with organization users over Skype for Business or Teams. While legitimate, productivity-improving scenarios exist, they are outweighed by the risk of data loss, phishing, and social engineering attacks against organization users via Teams. Therefore, it is recommended to restrict external communications in order to minimize the risk of security incidents. The impact of disabling external access to Teams and Skype for an organization is highly dependent on current usage practices. If users infrequently communicate with external parties using these channels, the impact is likely to be minimal. However, if users regularly use Teams and Skype for client communication, the impact could be significant. Therefore, before disabling external access, users should be notified, and alternate communication mechanisms should be identified to ensure continuity of communication. Note: Chat with external unmanaged Teams users is not available in GCC, GCC High, or DOD deployments, or in private cloud environments.
RECOMMENDATION
To remediate using the UI:
1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/.
2. Click to expand Users, then select External access.
3. Under Teams and Skype for Business users in external organizations select Block all external domains (or, if the organization's policy allows, select any allowed external domains).
4. Under Teams accounts not managed by an organization move the slider to Off.
5. Under Skype users move the slider to Off.
6. Click Save.
To remediate using PowerShell:
- Connect to Teams PowerShell using Connect-MicrosoftTeams
- Run the following command:
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowPublicUsers $false -AllowFederatedUsers $false
- To allow only specific external domains, run these commands replacing the <approved-domain> placeholders with approved domains:
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowPublicUsers $false -AllowFederatedUsers $true
$list = New-Object Collections.Generic.List[String]
$list.Add("<approved-domain-1>")
$list.Add("<approved-domain-2>")
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $list
Microsoft Teams Admin Center-Teams Apps
Ensure app permission policies are configured
High
IMPACT
Item does not meet all the requirements as per test. This policy setting controls which class of apps are available for users to install. Allowing users to install third-party or unverified apps poses a potential risk of introducing malicious software to the environment. Users will only be able to install approved classes of apps.
RECOMMENDATION
To set app permission policies:
1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com.
2. Click to expand Teams apps, then select Permission policies.
3. Click Global (Org-wide default).
4. For Microsoft apps set app permission policies to Allow all apps.
5. For Third-party apps set app permission policies to Block all apps OR Allow specific apps and block all others.
6. For Custom apps set app permission policies to Block all apps OR Allow specific apps and block all others.
Ensure communication with unmanaged Teams users is disabled
High
IMPACT
Users will be unable to communicate with Teams users who are not managed by an organization. Note: The settings that govern chats and meetings with external unmanaged Teams users aren't available in GCC, GCC High, or DOD deployments, or in private cloud environments.
RECOMMENDATION
To remediate using the UI:
1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/.
2. Click to expand Users, then select External access.
3. Scroll to Teams accounts not managed by an organization.
4. Set People in my organization can communicate with Teams users whose accounts aren't managed by an organization to Off.
5. Click Save.
To remediate using PowerShell:
1. Connect to Teams PowerShell using Connect-MicrosoftTeams
2. Run the following command:
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false
Ensure external Teams users cannot initiate conversations
High
IMPACT
The impact of disabling this is very low. Note: Chats and meetings with external unmanaged Teams users aren't available in GCC, GCC High, or DOD deployments, or in private cloud environments.
RECOMMENDATION
To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/. 2. Click to expand Users and select External access. 3. Scroll to Teams accounts not managed by an organization. 4. Uncheck External users with Teams accounts not managed by an organization can contact users in my organization. 5. Click Save. Note: If People in my organization can communicate with Teams users whose accounts aren't managed by an organization is already set to Off, this setting is not visible and can be considered to be in a passing state. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Run the following command: Set-CsTenantFederationConfiguration -AllowTeamsConsumerInbound $false
Ensure communication with Skype users is disabled
High
IMPACT
Teams users will be unable to communicate with Skype users that are not in the same organization.
RECOMMENDATION
To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/. 2. Click to expand Users and select External access. 3. Locate Skype users. 4. Set Allow users in my organization to communicate with Skype users to Off. 5. Click Save. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Run the following command: Set-CsTenantFederationConfiguration -AllowPublicUsers $false
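The four external-access checks above (external domains, unmanaged Teams accounts, inbound contact from unmanaged accounts, and Skype users) all read from the same tenant federation configuration, so they can be audited in one pass. The following is an added example written for this page; it is not part of the assessment report, SmartProfiler, or the CIS benchmark. It assumes the MicrosoftTeams module with an active Connect-MicrosoftTeams session, and that an allow list is exposed as AllowedDomains.AllowedDomain entries with a Domain property (the shape the cmdlet returns when specific domains are allowed); the function name and the sample partner domain are illustrative.

```powershell
# Added example (not from the assessment report): audit the four Teams external-access
# checks from one Get-CsTenantFederationConfiguration call.
# Requires the MicrosoftTeams module and an active Connect-MicrosoftTeams session.
function Test-TeamsExternalAccess {
    [CmdletBinding()]
    param(
        # Approved external domains, if the organization allows an allow list instead
        # of blocking all federation. Empty means "block all external domains".
        [string[]]$ApprovedDomains = @()
    )

    $cfg = Get-CsTenantFederationConfiguration

    # Assumption: AllowedDomains is either AllowAllKnownDomains (open federation) or an
    # allow list whose AllowedDomain entries each carry a .Domain property.
    $allowListed = @()
    if ($cfg.AllowedDomains -and $cfg.AllowedDomains.AllowedDomain) {
        $allowListed = @($cfg.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain.ToLowerInvariant() })
    }
    $approved   = @($ApprovedDomains | ForEach-Object { $_.ToLowerInvariant() })
    $unexpected = @($allowListed | Where-Object { $_ -notin $approved })
    # Federation on with no allow list means any external domain can reach users.
    $openFederation = $cfg.AllowFederatedUsers -and ($allowListed.Count -eq 0)

    @(
        [pscustomobject]@{
            Check   = 'External domains blocked or limited to approved allow list'
            Passed  = (-not $cfg.AllowFederatedUsers) -or ((-not $openFederation) -and $unexpected.Count -eq 0)
            Current = if ($cfg.AllowFederatedUsers) { "AllowFederatedUsers=True; domains=$($allowListed -join ',')" } else { 'AllowFederatedUsers=False' }
        }
        [pscustomobject]@{
            Check   = 'Communication with unmanaged Teams users disabled'
            Passed  = -not $cfg.AllowTeamsConsumer
            Current = "AllowTeamsConsumer=$($cfg.AllowTeamsConsumer)"
        }
        [pscustomobject]@{
            Check   = 'External unmanaged Teams users cannot initiate conversations'
            # Passes outright when consumer federation is off entirely, as the UI note says.
            Passed  = (-not $cfg.AllowTeamsConsumer) -or (-not $cfg.AllowTeamsConsumerInbound)
            Current = "AllowTeamsConsumerInbound=$($cfg.AllowTeamsConsumerInbound)"
        }
        [pscustomobject]@{
            Check   = 'Communication with Skype users disabled'
            Passed  = -not $cfg.AllowPublicUsers
            Current = "AllowPublicUsers=$($cfg.AllowPublicUsers)"
        }
    )
}

# Usage (partner.example is an illustrative approved domain):
#   Test-TeamsExternalAccess -ApprovedDomains 'partner.example' | Format-Table -AutoSize
```

Run it before and after remediation; a tenant that keeps AllowFederatedUsers on must show every allow-listed domain in the approved set for the first check to pass.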
Microsoft Teams Admin Center-Meetings
Ensure anonymous users can't join a meeting
High
IMPACT
Item does not meet all the requirements as per test. This policy setting can prevent anyone other than invited attendees (people directly invited by the organizer, or to whom an invitation was forwarded) from bypassing the lobby and entering the meeting. For more information on how to set up a sensitive meeting, see Configure Teams meetings with protection for sensitive data (https://learn.microsoft.com/en-us/MicrosoftTeams/configure-meetings-sensitive-protection). For meetings that could contain sensitive information, it is best to allow the meeting organizer to vet anyone not directly sent an invite before admitting them to the meeting. This also prevents an anonymous user from using the meeting link to hold meetings at unscheduled times. Note: Organizations that don't normally operate at a Level 2 environment, but do deal with sensitive information, may want to consider this policy setting. Individuals who were not sent or forwarded a meeting invite will not be able to join the meeting automatically.
RECOMMENDATION
To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings and select Meeting policies. 3. Click Global (Org-wide default). 4. Under Meeting join & lobby, set Anonymous users can join a meeting to Off. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Run the following command to set the recommended state: Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToJoinMeeting $false
Ensure anonymous users and dial-in callers can't start a meeting
Passed
IMPACT
Item has met all the requirements as per test.
RECOMMENDATION
Ensure only people in my org can bypass the lobby
High
IMPACT
Item does not meet all the requirements as per test. This policy setting controls who can join a meeting directly and who must wait in the lobby until they are admitted by an organizer, co-organizer, or presenter of the meeting. For meetings that could contain sensitive information, it is best to allow the meeting organizer to vet anyone not directly sent an invite before admitting them to the meeting. This also prevents an anonymous user from using the meeting link to hold meetings at unscheduled times. Individuals who are not part of the organization will have to wait in the lobby until they are admitted by an organizer, co-organizer, or presenter of the meeting.
RECOMMENDATION
To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings and select Meeting policies. 3. Click Global (Org-wide default). 4. Under Meeting join & lobby, set Who can bypass the lobby to People in my org. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Run the following command, with -AutoAdmittedUsers set to the value that corresponds to People in my org: Set-CsTeamsMeetingPolicy -Identity Global -AutoAdmittedUsers
Ensure users dialing in cant bypass the lobby
High
IMPACT
Item does not meet all the requirements as per test. This policy setting controls whether users who dial in by phone can join the meeting directly or must wait in the lobby. Admittance from the lobby is authorized by the meeting organizer, co-organizer, or presenter of the meeting. For meetings that could contain sensitive information, it is best to allow the meeting organizer to vet anyone not directly from the organization. Individuals who dial in to the meeting must wait in the lobby until a meeting organizer, co-organizer, or presenter admits them.
RECOMMENDATION
To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings and select Meeting policies. 3. Click Global (Org-wide default). 4. Under Meeting join & lobby, set People dialing in can bypass the lobby to Off. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Run the following command to set the recommended state: Set-CsTeamsMeetingPolicy -Identity Global -AllowPSTNUsersToBypassLobby $false
Ensure meeting chat does not allow anonymous users
Manual Check
IMPACT
Item does not meet all the requirements as per test. This policy setting controls who has access to read and write chat messages during a meeting. Ensuring that only authorized individuals can read and write chat messages during a meeting reduces the risk that a malicious user can show inappropriate content or view sensitive information. Only authorized individuals will be able to read and write chat messages during a meeting.
RECOMMENDATION
To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings and select Meeting policies. 3. Click Global (Org-wide default). 4. Under Meeting engagement, set Meeting chat to On for everyone but anonymous users. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Run the following command, with -MeetingChatEnabledType set to the value that corresponds to On for everyone but anonymous users: Set-CsTeamsMeetingPolicy -Identity Global -MeetingChatEnabledType
Ensure only organizers and co-organizers can present
Manual Check
IMPACT
Item does not meet all the requirements as per test. This policy setting controls who can present in a Teams meeting. Note: Organizers and co-organizers can change this setting when the meeting is set up. Ensuring that only authorized individuals are able to present reduces the risk that a malicious user can show inappropriate content. Only organizers and co-organizers will be able to present without being granted permission.
RECOMMENDATION
To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings and select Meeting policies. 3. Click Global (Org-wide default). 4. Under Content sharing, set Who can present to Only organizers and co-organizers. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Run the following command, with -DesignatedPresenterRoleMode set to the value that corresponds to Only organizers and co-organizers: Set-CsTeamsMeetingPolicy -Identity Global -DesignatedPresenterRoleMode
Ensure external participants cant give or request control
Manual Check
IMPACT
Item does not meet all the requirements as per test. This policy setting controls who can present in meetings and who can request control of the presentation while a meeting is underway. Ensuring that only authorized individuals, and not external participants, are able to present and request control reduces the risk that a malicious user can show inappropriate content. External participants are categorized as follows: external users, guests, and anonymous users. External participants will not be able to present or request control during the meeting. Warning: This setting also affects webinars. Note: At this time, to give and take control of shared content during a meeting, both parties must be using the Teams desktop client. Control is not supported when either party is running Teams in a browser.
RECOMMENDATION
To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings and select Meeting policies. 3. Click Global (Org-wide default). 4. Under Content sharing, set External participants can give or request control to Off. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Run the following command to set the recommended state: Set-CsTeamsMeetingPolicy -Identity Global -AllowExternalParticipantGiveRequestControl $false
Ensure external meeting chat is off
Manual Check
IMPACT
When joining external meetings, users will be unable to read or write chat messages in Teams meetings hosted by organizations with which they don't have a trust relationship; chat is removed entirely from such meetings. From an IT perspective, both the upkeep of adding new organizations to the trusted list and the decision-making process behind whether to trust an external partner will increase time expenditure.
RECOMMENDATION
To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under meeting engagement set External meeting chat to Off. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Run the following command to set the recommended state: Set-CsTeamsMeetingPolicy -Identity Global -AllowExternalNonTrustedMeetingChat $false
Ensure meeting recording is off by default
Manual Check
IMPACT
If there are no additional policies allowing anyone to record, then recording will effectively be disabled.
RECOMMENDATION
To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under Recording & transcription set Meeting recording to Off. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Run the following command to set the recommended state: Set-CsTeamsMeetingPolicy -Identity Global -AllowCloudRecording $false
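The nine meeting-policy checks above (anonymous join, anonymous and dial-in start, lobby bypass, dial-in bypass, meeting chat, presenters, external control, external meeting chat, and recording) all land on Set-CsTeamsMeetingPolicy, and the remediation steps only touch the Global policy. A user who has been assigned a custom meeting policy is governed by that policy instead, so a hardened Global policy can still leave gaps. The following audit is an added example written for this page, not code from the assessment report or the CIS benchmark. It assumes the MicrosoftTeams module with an active Connect-MicrosoftTeams session; the three string values are the cmdlet values that correspond to the admin-center options named in the recommendations (People in my org, On for everyone but anonymous users, Only organizers and co-organizers), and the function name is illustrative.

```powershell
# Added example (not from the assessment report): compare every Teams meeting policy,
# not only Global, with the states the meeting checks call for.
# Requires the MicrosoftTeams module and an active Connect-MicrosoftTeams session.
$DesiredMeetingPolicy = @{
    AllowAnonymousUsersToJoinMeeting           = $false
    AllowAnonymousUsersToStartMeeting          = $false
    AutoAdmittedUsers                          = 'EveryoneInCompanyExcludingGuests'   # People in my org
    AllowPSTNUsersToBypassLobby                = $false
    MeetingChatEnabledType                     = 'EnabledExceptAnonymous'             # On for everyone but anonymous users
    DesignatedPresenterRoleMode                = 'OrganizerOnlyUserOverride'          # Only organizers and co-organizers
    AllowExternalParticipantGiveRequestControl = $false
    AllowExternalNonTrustedMeetingChat         = $false
    AllowCloudRecording                        = $false
}

function Test-TeamsMeetingPolicies {
    [CmdletBinding()]
    param(
        [hashtable]$Desired = $DesiredMeetingPolicy,
        # Apply the expected values to the Global policy only. Custom policies are
        # reported for review, since they may be deliberate exceptions.
        [switch]$FixGlobal
    )

    # Get-CsTeamsMeetingPolicy without -Identity returns Global plus every custom policy.
    $findings = foreach ($policy in Get-CsTeamsMeetingPolicy) {
        foreach ($setting in $Desired.Keys) {
            # String comparison so booleans and enum values are handled the same way.
            if ("$($policy.$setting)" -ne "$($Desired[$setting])") {
                [pscustomobject]@{
                    Policy   = $policy.Identity
                    Setting  = $setting
                    Actual   = $policy.$setting
                    Expected = $Desired[$setting]
                }
            }
        }
    }

    if ($FixGlobal) {
        $fixes = @{}
        foreach ($f in @($findings | Where-Object { $_.Policy -eq 'Global' })) {
            $fixes[$f.Setting] = $f.Expected
        }
        if ($fixes.Count -gt 0) {
            # Splatting passes each deviating setting as its own parameter in one call.
            Set-CsTeamsMeetingPolicy -Identity Global @fixes
        }
    }
    return $findings
}

# Usage:
#   Test-TeamsMeetingPolicies | Format-Table -AutoSize
#   Test-TeamsMeetingPolicies -FixGlobal
```

Any row whose Policy is not Global needs a decision rather than an automatic fix: either align the custom policy or confirm that the users assigned to it are meant to be exempt.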
Microsoft Teams Admin Center-Messaging
Ensure users can report security concerns in Teams
Manual Check
IMPACT
Item does not meet all the requirements as per test. User reporting settings allow a user to report a message as malicious for further analysis. This recommendation is composed of 3 different settings, and all three must be configured to pass: - In the Teams admin center: On by default, and controls whether users are able to report messages from Teams. When this setting is turned off, users cannot report messages within Teams, so the corresponding setting in the Microsoft 365 Defender portal is irrelevant. - In the Microsoft 365 Defender portal: On by default for new tenants. Existing tenants need to enable it. If user reporting of messages is turned on in the Teams admin center, it also needs to be turned on in the Defender portal for user-reported messages to show up correctly on the User reported tab of the Submissions page. - Defender - Report message destinations: This applies to more than just Microsoft Teams and allows an organization to keep its reports contained. Due to how the parameters are configured on the backend, it is included in this assessment as a requirement. Users will be able to more quickly and systematically alert administrators to suspicious or malicious messages within Teams. The content of these messages may be sensitive in nature and therefore should be kept within the organization and not shared with Microsoft without first consulting company policy. Note: - The reported message remains visible to the user in the Teams client. - Users can report the same message multiple times. - The message sender is not notified that messages were reported. Enabling message reporting has an impact beyond just addressing security concerns. When users of the platform report a message, the content could include messages that are threatening or harassing in nature, possibly stemming from colleagues.
Because of this, the security staff responsible for reviewing and acting on these reports should be equipped with the skills to discern and appropriately direct such messages to the relevant departments, such as Human Resources (HR).
RECOMMENDATION
To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Messaging and select Messaging policies. 3. Click Global (Org-wide default). 4. Set Report a security concern to On. 5. Next, navigate to Microsoft 365 Defender https://security.microsoft.com/. 6. Click Settings > Email & collaboration > User reported settings. 7. Scroll to Microsoft Teams. 8. Check Monitor reported messages in Microsoft Teams and Save. 9. Set Send reported messages to: to My reporting mailbox only, with reports configured to be sent to authorized staff. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Connect to Exchange Online PowerShell using Connect-ExchangeOnline. 3. Run the following cmdlet:
Set-CsTeamsMessagingPolicy -Identity Global -AllowSecurityEndUserReporting $true
4. To configure the Defender reporting policies, edit and run this script (the reporting mailbox address is a placeholder to replace):
$usersub = "<reporting-mailbox-address>" # Change this.
$params = @{
    Identity = "DefaultReportSubmissionPolicy"
    EnableReportToMicrosoft = $false
    ReportChatMessageEnabled = $false
    ReportChatMessageToCustomizedAddressEnabled = $true
    ReportJunkToCustomizedAddress = $true
    ReportNotJunkToCustomizedAddress = $true
    ReportPhishToCustomizedAddress = $true
    ReportJunkAddresses = $usersub
    ReportNotJunkAddresses = $usersub
    ReportPhishAddresses = $usersub
}
Set-ReportSubmissionPolicy @params
New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub
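Two things the remediation script above does not cover: a way to confirm all three settings together after the change, and the fact that New-ReportSubmissionRule fails when a report-submission rule already exists (a tenant that configured Defender user reporting earlier will already have one, and Set-ReportSubmissionRule is the cmdlet that updates it). The following is an added example written for this page, not code from the assessment report or the CIS benchmark. It assumes active Connect-MicrosoftTeams and Connect-ExchangeOnline sessions; $ReportMailbox is a placeholder and the function names are illustrative.

```powershell
# Added example (not from the assessment report): verify the three user-reporting
# settings from one place, and set the report destination idempotently.
# Requires active Connect-MicrosoftTeams and Connect-ExchangeOnline sessions.
$ReportMailbox = 'REPLACE-reporting-mailbox@your-tenant.example'   # placeholder

function Test-TeamsUserReporting {
    param([string]$Mailbox = $ReportMailbox)

    $msg    = Get-CsTeamsMessagingPolicy -Identity Global
    $policy = Get-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy
    $rule   = Get-ReportSubmissionRule -ErrorAction SilentlyContinue

    # Each destination list must contain exactly the reporting mailbox; an empty list
    # or an extra address is flagged by name.
    $destinations = @{
        ReportJunkAddresses    = $policy.ReportJunkAddresses
        ReportNotJunkAddresses = $policy.ReportNotJunkAddresses
        ReportPhishAddresses   = $policy.ReportPhishAddresses
        RuleSentTo             = $(if ($rule) { $rule.SentTo } else { @() })
    }
    $wrong = @($destinations.Keys | Where-Object { (@($destinations[$_]) -join ',') -ne $Mailbox })

    [pscustomobject]@{
        TeamsReportingEnabled     = [bool]$msg.AllowSecurityEndUserReporting
        DefenderMonitorsTeams     = [bool]$policy.ReportChatMessageToCustomizedAddressEnabled
        ReportsNotSentToMicrosoft = -not $policy.EnableReportToMicrosoft
        CustomAddressesEnabled    = [bool]($policy.ReportJunkToCustomizedAddress -and
                                           $policy.ReportNotJunkToCustomizedAddress -and
                                           $policy.ReportPhishToCustomizedAddress)
        WrongDestinations         = ($wrong -join ', ')
    }
}

function Set-ReportSubmissionDestination {
    param([string]$Mailbox = $ReportMailbox)
    $rule = Get-ReportSubmissionRule -ErrorAction SilentlyContinue
    if ($rule) {
        # A rule already exists: update it rather than failing on New-.
        Set-ReportSubmissionRule -Identity $rule.Identity -SentTo $Mailbox
    } else {
        New-ReportSubmissionRule -Name DefaultReportSubmissionRule `
            -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $Mailbox
    }
}

# Usage:
#   Set-ReportSubmissionDestination
#   Test-TeamsUserReporting | Format-List
```

A passing tenant shows the four boolean properties as True and an empty WrongDestinations.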
Microsoft Fabric-Tenant Settings
Ensure guest user access is restricted
Manual Check
IMPACT
Item does not meet all the requirements as per test. This setting allows business-to-business (B2B) guests access to Microsoft Fabric and to content they have permissions to. With the setting turned off, B2B guest users receive an error when trying to access Power BI. The recommended state is Enabled for a subset of the organization or Disabled. Establishing and enforcing a dedicated security group prevents unauthorized access to Microsoft Fabric by guests, whether newly invited or granted guest status through other applications. This upholds the principle of least privilege and uses role-based access control (RBAC). These security groups can also be used for tasks like conditional access, enhancing risk management and user accountability across the organization. Security groups will need to be more closely tended to and monitored.
RECOMMENDATION
Restrict AAD guest user access: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Export and Sharing settings. 4. Set Allow Azure Active Directory guest users to access Microsoft Fabric to one of these states: - State 1: Disabled - State 2: Enabled with Specific security groups selected and defined. Important: If the organization doesn't actively use this feature it is recommended to keep it Disabled.
Ensure external user invitations are restricted
Manual Check
IMPACT
Item does not meet all the requirements as per test. The Invite external users setting lets organizations choose whether new external users can be invited to the organization through Power BI sharing, permissions, and subscription experiences. This setting only controls the ability to invite through Power BI. The recommended state is Enabled for a subset of the organization or Disabled. Note: To invite external users to the organization, the user must also hold the Azure Active Directory Guest Inviter role. Establishing and enforcing a dedicated security group prevents unauthorized access to Microsoft Fabric by guests, whether newly invited or granted guest status through other applications. This upholds the principle of least privilege and uses role-based access control (RBAC). These security groups can also be used for tasks like conditional access, enhancing risk management and user accountability across the organization. Guest user invitations will be limited to specific employees.
RECOMMENDATION
Restrict external user invitations: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Export and Sharing settings. 4. Set Invite external users to your organization to one of these states: - State 1: Disabled - State 2: Enabled with Specific security groups selected and defined. Important: If the organization doesn't actively use this feature it is recommended to keep it Disabled.
Ensure guest access to content is restricted
Manual Check
IMPACT
Item does not meet all the requirements as per test. This setting allows Azure AD B2B guest users full access to the browsing experience using the left-hand navigation pane in the organization. Guest users who have been assigned workspace roles or specific item permissions keep those roles and permissions even if this setting is disabled. The recommended state is Enabled for a subset of the organization or Disabled. Establishing and enforcing a dedicated security group prevents unauthorized access to Microsoft Fabric by guests, whether newly invited or granted guest status through other applications. This upholds the principle of least privilege and uses role-based access control (RBAC). These security groups can also be used for tasks like conditional access, enhancing risk management and user accountability across the organization. Security groups will need to be more closely tended to and monitored.
RECOMMENDATION
Restrict AAD guest user content access: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Export and Sharing settings. 4. Set Allow Azure Active Directory guest users to edit and manage content in the organization to one of these states: - State 1: Disabled - State 2: Enabled with Specific security groups selected and defined. Important: If the organization doesn't actively use this feature it is recommended to keep it Disabled.
Ensure Publish to web is restricted
Manual Check
IMPACT
Item does not meet all the requirements as per test. Power BI enables users to share reports and materials directly on the internet from both the application's desktop version and its web user interface. This functionality generates a publicly reachable web link that requires neither authentication nor an AAD account to access and view it. The recommended state is Enabled for a subset of the organization or Disabled. When using Publish to web, anyone on the Internet can view a published report or visual. Viewing requires no authentication, and it includes the detail-level data that your reports aggregate. By disabling the feature, restricting it to certain users, and allowing only existing embed codes, organizations can mitigate the exposure of confidential or proprietary information. Depending on the organization's utilization, administrators may experience more overhead managing embed codes and requests.
RECOMMENDATION
Restrict Publish to the web: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Export and Sharing settings. 4. Set Publish to the web to one of these states: - State 1: Disabled - State 2: Enabled with Choose how embed codes work set to Only allow existing codes AND Specific security groups selected and defined Important: If the organization doesn't actively use this feature it is recommended to keep it Disabled.
Ensure Interact with and share R and Python visuals is Disabled
Manual Check
IMPACT
Item does not meet all the requirements as per test. Power BI allows the integration of R and Python scripts directly into visuals. This feature enables data visualizations that incorporate custom calculations, statistical analyses, machine learning models, and more using R or Python scripts. Custom visuals can be created by embedding such scripts directly into Power BI reports; users can then interact with these visuals and see the results of the custom code within the Power BI interface. Disabling this feature reduces the attack surface by preventing malicious code execution that could lead to data breaches or unauthorized access. The potential for sensitive or confidential data being leaked to unintended users also increases with the use of scripts. Use of R and Python scripting will require exceptions for developers, along with more stringent code review.
RECOMMENDATION
Configure the recommended state: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to R and Python visuals settings. 4. Set Interact with and share R and Python visuals to Disabled
Ensure Allow users to apply sensitivity labels for content is Enabled
Manual Check
IMPACT
Item does not meet all the requirements as per test. Information protection tenant settings help to protect sensitive information in the Power BI tenant. Allowing and applying sensitivity labels to content ensures that information is only seen and accessed by the appropriate users. The recommended state is Enabled or Enabled for a subset of the organization. Note: Sensitivity labels and protection are only applied to files exported to Excel, PowerPoint, or PDF, which are controlled by the corresponding export tenant settings. All other export and sharing options do not support the application of sensitivity labels and protection. Note 2: There are some prerequisite steps that need to be completed in order to fully utilize labeling. See https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-enable-data-sensitivity-labels#licensing-and-requirements. Establishing data classifications and affixing labels to data at creation enables organizations to discern the data's criticality, sensitivity, and value. This initial identification enables the implementation of appropriate protective measures, utilizing technologies like Data Loss Prevention (DLP) to avert inadvertent exposure and enforcing access controls to safeguard against unauthorized access. This practice can also promote user awareness and responsibility regarding the nature of the data users interact with, which in turn can foster awareness in other areas of data management across the organization. Additional licenses, such as Power BI Pro, are required, as outlined in the Licensing and requirements page linked above.
RECOMMENDATION
Enable sensitivity labels: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Information protection. 4. Set Allow users to apply sensitivity labels for content to one of these states: - State 1: Enabled - State 2: Enabled with Specific security groups selected and defined.
Ensure shareable links are restricted
Manual Check
IMPACT
Item does not meet all the requirements as per test. Creating a shareable link allows a user to create a link to a report or dashboard, then add that link to an email or another messaging application. There are 3 options that can be selected when creating a shareable link: People in your organization, People with existing access, and Specific people. This setting solely deals with restrictions on People in your organization. External users by default are not included in any of these categories, and therefore cannot use any of these links regardless of the state of this setting. The recommended state is Enabled for a subset of the organization or Disabled. While external users are unable to utilize shareable links, disabling or restricting this feature ensures that a user cannot generate a link accessible by individuals within the same organization who lack the necessary clearance for the shared data. For example, a member of Human Resources intends to share sensitive information with a particular employee or another colleague within their department. The owner would be prompted to specify either People with existing access or Specific people when generating the link, requiring the person clicking the link to pass a first layer of access control. This measure, along with proper file and folder permissions, can help prevent unintended access and potential information leakage. If the setting is Enabled for specific security groups, then only people in those groups would be allowed to create general links viewable by the entire organization.
RECOMMENDATION
Restrict shareable links: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Export and Sharing settings. 4. Set Allow shareable links to grant access to everyone in your organization to one of these states: - State 1: Disabled - State 2: Enabled with Specific security groups selected and defined. Important: If the organization doesn't actively use this feature it is recommended to keep it Disabled.
Ensure enabling of external data sharing is restricted
Manual Check
IMPACT
Item does not meet all the requirements as per test. Power BI admins can specify which users or user groups can share datasets externally with guests from a different tenant through the in-place mechanism. Disabling this setting prevents any user from sharing datasets externally by removing the ability of users to turn on external sharing for datasets they own or manage. The recommended state is Enabled for a subset of the organization or Disabled. Establishing and enforcing a dedicated security group prevents unauthorized access to Microsoft Fabric by guests, whether newly invited or granted guest status through other applications. This upholds the principle of least privilege and uses role-based access control (RBAC). These security groups can also be used for tasks like conditional access, enhancing risk management and user accountability across the organization. Security groups will need to be more closely tended to and monitored.
RECOMMENDATION
Restrict external data sharing: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Export and Sharing settings. 4. Set Allow specific users to turn on external data sharing to one of these states: - State 1: Disabled - State 2: Enabled with Specific security groups selected and defined. Important: If the organization doesn't actively use this feature it is recommended to keep it Disabled.
Ensure Block ResourceKey Authentication is Enabled
Manual Check
IMPACT
Item does not meet all the requirements as per test. This setting blocks the use of resource key based authentication. The Block ResourceKey Authentication setting applies to streaming and PUSH datasets. If blocked, users will not be allowed to send data to streaming and PUSH datasets using the API with a resource key. The recommended state is Enabled. Resource keys are a form of authentication that allows users to access Power BI resources (such as reports, dashboards, and datasets) without requiring individual user accounts. While convenient, this method bypasses the organization's centralized identity and access management controls. Enabling this setting ensures that access to Power BI resources is tied to the organization's authentication mechanisms, providing a more secure and controlled environment. Developers will need to request a special exception in order to use this feature.
RECOMMENDATION
Ensure Block ResourceKey Authentication is Enabled: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Developer settings. 4. Set Block ResourceKey Authentication to Enabled.
Ensure access to APIs by Service Principals is restricted
Manual Check
IMPACT
Disabled is the default behavior
RECOMMENDATION
To remediate using the UI: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Developer settings. 4. Set Service principals can use Fabric APIs to one of these states: State 1: Disabled State 2: Enabled with Specific security groups selected and defined. Important: If the organization doesn't actively use this feature it is recommended to keep it Disabled.
Ensure Service Principals cannot create and use profiles
Manual Check
IMPACT
Disabled is the default behavior.
RECOMMENDATION
To remediate using the UI: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Developer settings. 4. Set Allow service principals to create and use profiles to one of these states: State 1: Disabled State 2: Enabled with Specific security groups selected and defined. Important: If the organization doesn't actively use this feature it is recommended to keep it Disabled.
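Every Fabric recommendation in this section is a manual admin-portal check, and they all reduce to the same rule: a setting passes when it is Disabled, or Enabled only for defined security groups (with Block ResourceKey Authentication and sensitivity labels passing only when Enabled, and R and Python visuals only when Disabled). That rule can be evaluated from the tenant settings the Power BI admin REST API returns. The following is an added example written for this page, not code from the assessment report or the CIS benchmark. It assumes the MicrosoftPowerBIMgmt module (Connect-PowerBIServiceAccount as a Fabric administrator, Invoke-PowerBIRestMethod against admin/tenantsettings) and that the response carries a tenantSettings array whose entries have title, enabled, canSpecifySecurityGroups and enabledSecurityGroups properties; the function name is illustrative and $sampleJson is constructed for an offline dry run, not real tenant data. Settings are matched by title substring so the script does not depend on internal setting names.

```powershell
# Added example (not from the assessment report): evaluate the Fabric tenant settings
# covered in this section against their recommended states.
# Assumed response shape: { tenantSettings: [ { title, enabled, canSpecifySecurityGroups,
# enabledSecurityGroups: [ { graphId, name } ] } ] } from GET admin/tenantsettings.
function Test-FabricTenantSettings {
    param(
        # Parsed output of the tenant settings API (object with a .tenantSettings array).
        [Parameter(Mandatory)] $TenantSettings
    )
    # Title fragment -> rule. 'Restrict' passes when disabled, or enabled only for
    # specific security groups. 'MustBeEnabled' / 'MustBeDisabled' are absolute.
    $rules = @(
        @{ Title = 'guest users to access Microsoft Fabric';        Rule = 'Restrict' }
        @{ Title = 'Invite external users';                         Rule = 'Restrict' }
        @{ Title = 'guest users to edit and manage content';        Rule = 'Restrict' }
        @{ Title = 'Publish to web';                                Rule = 'Restrict' }
        @{ Title = 'R and Python';                                  Rule = 'MustBeDisabled' }
        @{ Title = 'sensitivity labels';                            Rule = 'MustBeEnabled' }
        @{ Title = 'shareable links';                               Rule = 'Restrict' }
        @{ Title = 'external data sharing';                         Rule = 'Restrict' }
        @{ Title = 'ResourceKey';                                   Rule = 'MustBeEnabled' }
        @{ Title = 'Service principals can use Fabric APIs';        Rule = 'Restrict' }
        @{ Title = 'service principals to create and use profiles'; Rule = 'Restrict' }
    )
    foreach ($r in $rules) {
        $setting = $TenantSettings.tenantSettings |
                   Where-Object { $_.title -like "*$($r.Title)*" } | Select-Object -First 1
        if (-not $setting) {
            [pscustomobject]@{ Setting = $r.Title; State = 'not found'; Passed = $null }
            continue
        }
        # Drop a missing property so an absent list does not count as one group.
        $groups = @($setting.enabledSecurityGroups | Where-Object { $_ })
        $passed = switch ($r.Rule) {
            'Restrict'       { (-not $setting.enabled) -or ($groups.Count -gt 0) }
            'MustBeEnabled'  { [bool]$setting.enabled }
            'MustBeDisabled' { -not $setting.enabled }
        }
        $state = if (-not $setting.enabled) { 'Disabled' }
                 elseif ($groups.Count -gt 0) { "Enabled for $($groups.name -join ', ')" }
                 else { 'Enabled for the entire organization' }
        [pscustomobject]@{ Setting = $setting.title; State = $state; Passed = $passed }
    }
}

# Live run (requires Connect-PowerBIServiceAccount as a Fabric administrator):
#   $live = Invoke-PowerBIRestMethod -Url 'admin/tenantsettings' -Method Get | ConvertFrom-Json
#   Test-FabricTenantSettings -TenantSettings $live | Format-Table -AutoSize

# Constructed sample for an offline dry run (not real tenant data).
$sampleJson = @'
{ "tenantSettings": [
  { "title": "Publish to web", "enabled": true, "canSpecifySecurityGroups": true, "enabledSecurityGroups": [] },
  { "title": "Block ResourceKey Authentication", "enabled": false, "canSpecifySecurityGroups": false },
  { "title": "Allow Azure Active Directory guest users to access Microsoft Fabric", "enabled": true,
    "canSpecifySecurityGroups": true,
    "enabledSecurityGroups": [ { "graphId": "00000000-0000-0000-0000-000000000001", "name": "Fabric-Guest-Allowed" } ] }
] }
'@
Test-FabricTenantSettings -TenantSettings ($sampleJson | ConvertFrom-Json) | Format-Table -AutoSize
```

On the sample, Publish to web (enabled for everyone) and Block ResourceKey Authentication (disabled) fail, guest access (enabled for one group) passes, and the remaining settings report "not found". The Publish to web check in this report additionally requires Only allow existing codes when the setting is enabled; that embed-code option still has to be confirmed in the admin portal.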
Microsoft M365 Users-Users
Ensure All Microsoft 365 Users are licensed
Manual Check
IMPACT
Some Microsoft 365 users are not licensed. Unlicensed users will not be able to use Microsoft 365 services.
RECOMMENDATION
It is recommended to assign Licenses to users.
Ensure Deleted Microsoft 365 Users are Identified
Manual Check
IMPACT
Some users were found in the Microsoft 365 recycle bin. Soft-deleted user accounts are permanently removed from the recycle bin after the 30-day retention period, after which they can no longer be restored.
RECOMMENDATION
Please check if any of these accounts are needed and restore them from Microsoft 365 Recycle Bin.
Ensure Disabled Microsoft 365 Users are Identified
Manual Check
IMPACT
Some users are disabled in Microsoft 365. Disabled users cannot use Microsoft 365 services.
RECOMMENDATION
Please check if any of the user accounts need to be enabled to enable use of Microsoft 365 Services.
Ensure Microsoft 365 Users Password Expires
Manual Check
IMPACT
Some Microsoft 365 users have their password set to never expire. These users can keep a single password indefinitely, and if that password is compromised anyone holding it can access Microsoft 365 services. Note: the CIS Microsoft 365 Foundations Benchmark itself (section 1.3.1) recommends setting passwords to never expire and relying on MFA and compromise detection instead; weigh this SmartProfiler check against that guidance.
RECOMMENDATION
Every user in Microsoft 365 must change their password according to Password Policies.
Ensure no Provisioning Errors for Microsoft 365 Users
Manual Check
IMPACT
Item does not meet all the requirements as per test. Some Microsoft 365 users have provisioning errors; the affected services are not fully provisioned for these users until the errors are resolved.
RECOMMENDATION
Please ensure no provisioning errors for Microsoft 365 users.
Ensure Microsoft 365 Blocked Users are Identified
Manual Check
IMPACT
Some Microsoft 365 users are blocked. Blocked users will not be able to sign in to use Microsoft 365 services.
RECOMMENDATION
Please review the list and unblock these users if required.
Ensure Microsoft 365 Users Have Changed Passwords
Manual Check
IMPACT
Some Microsoft 365 users have not changed their passwords within 90 days, which this test treats as a security risk: every Microsoft 365 user is expected to change their password within 90 days.
RECOMMENDATION
Please identify these users and make sure they change their passwords.
Ensure Microsoft 365 Company Administrators have less than 5 Admins
Manual Check
IMPACT
More than five Company Administrators were found in Microsoft 365. Each of these users has full control over Microsoft 365 Services.
RECOMMENDATION
Please review the list and make sure only designated members are part of Company Administrator User Role.
Ensure Microsoft 365 Deleted and Licensed Users are Identified
Manual Check
IMPACT
Item does not meet all the requirements of the test. Deleted users that still hold licenses increase license cost.
RECOMMENDATION
Please follow a SOP when deleting users from Microsoft 365 that includes revoking licenses before deletion.
Ensure Microsoft 365 Groups Without Members are Identified
Manual Check
IMPACT
Some Microsoft 365 Groups do not contain any user members. If these Groups were created for a reason, they should have members in them.
RECOMMENDATION
Please review the list of Groups provided by the test and add users or remove these groups.
Microsoft M365 Dangerous Defaults
Ensure Users can read all attributes in Azure AD is disabled
Manual Check
IMPACT
Item does not meet all the requirements of the test. Dangerous default configuration settings were found in the Tenant. By default, Azure tenants allow all users to access the Azure Active Directory blade, to read all other users' accounts, create groups, and invite guests. These default settings extend to guest accounts as well, allowing guests to perform these same actions. Other default configurations allow for self-service creation of accounts from accepted mail domains.
RECOMMENDATION
The excessive user permissions can be mitigated by running the listed PowerShell commands as a Global Admin. User access to the Azure AD blade can be restricted by navigating to Azure Active Directory blade > User Settings and toggling 'Restrict access to Azure AD administration portal' to Yes. Guest invites may be restricted by navigating to Azure Active Directory blade > External Identities > External Collaboration Settings, or by going to Azure Active Directory blade > User Settings > Manage external collaboration settings and toggling 'Members can invite' and 'Guests can invite' to No.
Ensure Users can create security groups is disabled
Manual Check
IMPACT
Item does not meet all the requirements of the test. Dangerous default configuration settings were found in the Tenant. By default, Azure tenants allow all users to access the Azure Active Directory blade, to read all other users' accounts, create groups, and invite guests. These default settings extend to guest accounts as well, allowing guests to perform these same actions. Other default configurations allow for self-service creation of accounts from accepted mail domains.
RECOMMENDATION
The excessive user permissions can be mitigated by running the listed PowerShell commands as a Global Admin. User access to the Azure AD blade can be restricted by navigating to Azure Active Directory blade > User Settings and toggling 'Restrict access to Azure AD administration portal' to Yes. Guest invites may be restricted by navigating to Azure Active Directory blade > External Identities > External Collaboration Settings, or by going to Azure Active Directory blade > User Settings > Manage external collaboration settings and toggling 'Members can invite' and 'Guests can invite' to No.
Ensure Users are allowed to create and register applications is disabled
Manual Check
IMPACT
Item does not meet all the requirements of the test. Dangerous default configuration settings were found in the Tenant. By default, Azure tenants allow all users to access the Azure Active Directory blade, to read all other users' accounts, create groups, and invite guests. These default settings extend to guest accounts as well, allowing guests to perform these same actions. Other default configurations allow for self-service creation of accounts from accepted mail domains.
RECOMMENDATION
The excessive user permissions can be mitigated by running the listed PowerShell commands as a Global Admin. User access to the Azure AD blade can be restricted by navigating to Azure Active Directory blade > User Settings and toggling 'Restrict access to Azure AD administration portal' to Yes. Guest invites may be restricted by navigating to Azure Active Directory blade > External Identities > External Collaboration Settings, or by going to Azure Active Directory blade > User Settings > Manage external collaboration settings and toggling 'Members can invite' and 'Guests can invite' to No.
Ensure Users with a verified mail domain can join the tenant is disabled
Manual Check
IMPACT
Item does not meet all the requirements of the test. Dangerous default configuration settings were found in the Tenant. By default, Azure tenants allow all users to access the Azure Active Directory blade, to read all other users' accounts, create groups, and invite guests. These default settings extend to guest accounts as well, allowing guests to perform these same actions. Other default configurations allow for self-service creation of accounts from accepted mail domains.
RECOMMENDATION
The excessive user permissions can be mitigated by running the listed PowerShell commands as a Global Admin. User access to the Azure AD blade can be restricted by navigating to Azure Active Directory blade > User Settings and toggling 'Restrict access to Azure AD administration portal' to Yes. Guest invites may be restricted by navigating to Azure Active Directory blade > External Identities > External Collaboration Settings, or by going to Azure Active Directory blade > User Settings > Manage external collaboration settings and toggling 'Members can invite' and 'Guests can invite' to No.
Ensure Guests can invite other guests into the tenant is disabled
Manual Check
IMPACT
Item does not meet all the requirements of the test. Dangerous default configuration settings were found in the Tenant. By default, Azure tenants allow all users to access the Azure Active Directory blade, to read all other users' accounts, create groups, and invite guests. These default settings extend to guest accounts as well, allowing guests to perform these same actions. Other default configurations allow for self-service creation of accounts from accepted mail domains.
RECOMMENDATION
The excessive user permissions can be mitigated by running the listed PowerShell commands as a Global Admin. User access to the Azure AD blade can be restricted by navigating to Azure Active Directory blade > User Settings and toggling 'Restrict access to Azure AD administration portal' to Yes. Guest invites may be restricted by navigating to Azure Active Directory blade > External Identities > External Collaboration Settings, or by going to Azure Active Directory blade > User Settings > Manage external collaboration settings and toggling 'Members can invite' and 'Guests can invite' to No.
Ensure Users are allowed to create new Azure Active Directory Tenants is disabled
Manual Check
IMPACT
Item does not meet all the requirements of the test. Dangerous default configuration settings were found in the Tenant. By default, Azure tenants allow all users to access the Azure Active Directory blade, to read all other users' accounts, create groups, and invite guests. These default settings extend to guest accounts as well, allowing guests to perform these same actions. Other default configurations allow for self-service creation of accounts from accepted mail domains.
RECOMMENDATION
The excessive user permissions can be mitigated by running the listed PowerShell commands as a Global Admin. User access to the Azure AD blade can be restricted by navigating to Azure Active Directory blade > User Settings and toggling 'Restrict access to Azure AD administration portal' to Yes. Guest invites may be restricted by navigating to Azure Active Directory blade > External Identities > External Collaboration Settings, or by going to Azure Active Directory blade > User Settings > Manage external collaboration settings and toggling 'Members can invite' and 'Guests can invite' to No.
Ensure Policy exists to restrict non-administrator access to Azure Active Directory or Entra
Manual Check
IMPACT
Item does not meet all the requirements of the test. Restrict non-privileged users from signing into the Azure Active Directory portal. Note: This recommendation only affects access to the Azure AD web portal. It does not prevent privileged users from using other methods such as the REST API or PowerShell to obtain information. Those channels are addressed elsewhere in this document. The Azure AD administrative (AAD) portal contains sensitive data and permission settings, which are still enforced based on the user's role. However, an end user may inadvertently change properties or account settings that could result in increased administrative overhead. Additionally, a compromised end user account could be used by a malicious attacker as a means to gather additional information and escalate an attack. Note: Users will still be able to sign into the Azure Active Directory admin center but will be unable to see directory information.
RECOMMENDATION
Ensure access to the Azure AD portal is restricted:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com/
2. Click to expand Identity > Users > User settings.
3. Set Restrict access to Microsoft Entra ID administration portal to Yes, then Save.
Microsoft M365 Configuration
Ensure Microsoft 365 Licenses are consumed in SKUs
Manual Check
IMPACT
Some SKUs are not being used in Microsoft 365. Microsoft 365 Services are being charged for SKUs which are not in use.
RECOMMENDATION
Please review the SKU list and make sure users are licensed from unused SKUs.
Ensure All Microsoft 365 Domains Have been verified
Manual Check
IMPACT
Some Microsoft 365 Domains are not verified. Unverified domains will not be able to participate in Microsoft 365 Services.
RECOMMENDATION
Please review the list and verify each Microsoft 365 domain.
Ensure Microsoft 365 Domain Services Have Services Assigned
Manual Check
IMPACT
Some Office Domains do not have Services assigned. Refer to the issue details.
RECOMMENDATION
Please review the list provided.
Ensure Microsoft 365 Notification Email is configured
Manual Check
IMPACT
Technical Notification Emails are not configured in Microsoft 365. You will not receive any technical email notification from Microsoft.
RECOMMENDATION
Please configure at least one email to receive Technical Notifications from Microsoft.
Ensure Microsoft 365 Organization Level Mailbox Auditing is configured
Manual Check
IMPACT
Mailbox auditing is not enabled for the organization. Refer to the issue details.
RECOMMENDATION
Please check and enable Organization Auditing.