SECURITY ASSESSMENT REPORT
Technology: Microsoft 365 CIS v3.1.0
Tenant: Dynamicpacksnet.onmicrosoft.com
Assessment Date: 03/06/2025 18:22:25
This introduction contains a global summary of the security scans performed on the company infrastructure with SmartProfiler-SecID. Detailed information about each scan can be found in the corresponding section of this report. The assessment was performed against the settings recommended by CIS; more information about CIS can be found here: CIS Benchmarks. Tests recommended by the vendor but not part of the CIS Benchmark were also performed; they appear with the control type SP v1.0 and no CIS section number.
Critical: 3
High: 111
Medium: 19
Low: 2
Passed: 71
Manual Check: 29
OVERALL TENANT STATUS
CIS SECURITY SCORE: overall score for the settings that need to be configured correctly in the tenant as per the CIS Benchmark (settings recommended by CIS).
SP SECURITY SCORE: overall score for the settings that need to be configured correctly in the tenant as recommended by experts (the SP v1.0 control set), which are not included in CIS.
Technology Categories and Status
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly?
Not Available | Ensure Guest Users are reviewed and disabled | Medium | 7 | - | SP v1.0 | NO

TEST NAME: Ensure Guest Users are reviewed and disabled
Description: 7 guest accounts were found. An auditing process needs to be created and followed; there is no impact if such a process is in place and followed.
Recommendation and Steps: Guest users can be set up so that people outside your tenant can still be granted access to resources. It is important to maintain visibility of which guest users exist in the tenant; periodic review of guest users ensures that access to resources in your tenant remains appropriate. To verify that the report is being reviewed at least biweekly, confirm that the necessary procedures are in place and are being followed.
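The review described above can be produced from Microsoft Graph instead of by hand. The following script is an added example and is not part of the SmartProfiler report or the CIS Benchmark: it lists every guest account with its creation date and last sign-in, flags the ones with no activity inside a configurable window, and disables them only when explicitly asked. The 90-day window, the scopes and the -Disable switch are assumptions; reading signInActivity requires a Microsoft Entra ID P1 or P2 licence and the AuditLog.Read.All permission.

```powershell
# Added example (not from the report): review guest accounts with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph SDK installed; caller holds User.ReadWrite.All and AuditLog.Read.All;
# tenant has Entra ID P1/P2 (required for signInActivity). 90 days is an arbitrary review window.

function Get-StaleGuest {
    param(
        [int]$StaleAfterDays = 90,   # assumption: review window agreed with the business
        [switch]$Disable             # disable only when explicitly asked; default is a dry run
    )
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleAfterDays)

    $guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property Id,DisplayName,UserPrincipalName,AccountEnabled,CreatedDateTime,ExternalUserState,SignInActivity

    foreach ($g in $guests) {
        $lastSignIn = $g.SignInActivity.LastSignInDateTime
        # Invited-but-never-redeemed guests have no sign-in at all; judge those by invitation date.
        $reference = if ($lastSignIn) { $lastSignIn } else { $g.CreatedDateTime }
        $isStale   = $reference -lt $cutoff

        if ($isStale -and $Disable -and $g.AccountEnabled) {
            # Disabling keeps the object and its audit trail but blocks sign-in; delete after a grace period.
            Update-MgUser -UserId $g.Id -AccountEnabled:$false
        }

        [pscustomobject]@{
            UserPrincipalName = $g.UserPrincipalName
            Redeemed          = ($g.ExternalUserState -eq 'Accepted')
            Enabled           = $g.AccountEnabled
            Created           = $g.CreatedDateTime
            LastSignIn        = $lastSignIn
            Stale             = $isStale
        }
    }
}

Connect-MgGraph -Scopes 'User.ReadWrite.All','AuditLog.Read.All' -NoWelcome
# Dry run first: review the list with the account owners, then re-run with -Disable.
Get-StaleGuest -StaleAfterDays 90 | Sort-Object Stale -Descending | Format-Table -AutoSize
```

Run the dry run on the biweekly schedule the recommendation asks for and keep the output as evidence that the review took place; pass -Disable only after the sponsors of the flagged guests have confirmed the access is no longer needed.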
1.1.1 | Ensure Administrative accounts are separate and cloud-only | Passed | 0 | E3 Level 1 | CIS v4.0 | YES

TEST NAME: Ensure Administrative accounts are separate and cloud-only
Description: All administrative accounts are cloud-only.
1.1.3 | Ensure that between two and four global admins are designated | Passed | 3 | E3 Level 1 | CIS v4.0 | YES

TEST NAME: Ensure that between two and four global admins are designated
Description: 3 Global Administrators were found, which is within the recommended range of two to four.
1.1.4 | Ensure administrative accounts use licenses with a reduced application footprint | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO

TEST NAME: Ensure administrative accounts use licenses with a reduced application footprint
Description: This item requires a manual check. Impact: administrative users will have to switch accounts and use login/logout when performing administrative tasks, and will not benefit from SSO. Note: alerts are sent to the TenantAdmins group, including Global Administrators, by default. To ensure they are received, configure alerts to be sent to security or operations staff with valid email addresses, or to a security operations center; otherwise, after adopting this recommendation, alerts sent to TenantAdmins may go unreceived because the Global Administrator accounts no longer hold an application-based license.
1.1.2 | Ensure two emergency access accounts have been defined | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO

TEST NAME: Ensure two emergency access accounts have been defined
Description: Item does not meet all the requirements of the test. Emergency access ("break glass") accounts are reserved for emergency scenarios in which normal administrative accounts are unavailable. They are not assigned to a specific user and are protected by a combination of physical and technical controls so that they cannot be used outside a true emergency. Such emergencies include:
- technical failure of a cellular provider or of a Microsoft service such as MFA;
- the last remaining Global Administrator account becoming inaccessible.
Ensure two emergency access accounts have been defined. NOTE: Microsoft provides a number of recommendations for these accounts and how to configure them; see the references section. The CIS Benchmark outlines the most critical points. Losing access to administrative functions can cause a significant loss in the organization's ability to provide support, loss of insight into its security posture, and potentially financial loss. If an emergency access account is not implemented carefully, it can itself weaken the security posture: Microsoft recommends excluding at least one of these accounts from all Conditional Access rules, so its password must have sufficient length and entropy to resist guessing. FIDO2 security keys may be used instead of a password as a passwordless alternative.
Recommendation and Steps:
Step 1 - Create two emergency access accounts:
1. Navigate to the Microsoft 365 admin center https://admin.microsoft.com
2. Expand Users > Active Users
3. Click Add user and create a new user with these criteria:
   - Name the account in a way that does NOT identify it with a particular person.
   - Assign the account to the default .onmicrosoft.com domain, not to the organization's custom domain.
   - The password must be at least 16 characters and randomly generated.
   - Do not assign a license.
   - Assign the user the Global Administrator role.
4. Repeat the above steps for the second account.
Step 2 - Exclude at least one account from Conditional Access policies:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com/
2. Expand Azure Active Directory > Protect & Secure > Conditional Access
3. Inspect the Conditional Access policies.
4. For each policy, add an exclusion for at least one of the emergency access accounts: Users > Exclude > Users and groups, and select one emergency access account.
Step 3 - Ensure the necessary procedures and policies are in place:
- For the accounts to be usable in a break-glass situation, the proper policies and procedures must be authorized and distributed by senior management.
- FIDO2 security keys, if used, should be locked in a secure, separate, fireproof location.
- Passwords should be at least 16 characters, randomly generated, and MAY be split into multiple pieces that are joined only in an emergency.
NOTE: Microsoft documentation contains in-depth information on securing break-glass accounts; see the references section.
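Steps 1 and 2 above can be scripted and, more importantly, re-audited on a schedule. The following is an added example, not code from the report or from Microsoft: it creates one cloud-only break-glass account with a CSPRNG-generated 24-character password, gives it a permanent Global Administrator assignment without any license, and then lists every enabled Conditional Access policy that does not exclude the new account. The tenant domain, the account name and the 24-character length are assumptions; the role definition ID is the well-known Global Administrator template ID. Run it once per account (the benchmark asks for two). Step 3, the physical controls around the credential, is not something a script can provide.

```powershell
# Added example (not from the report): create a break-glass account and audit CA exclusions.
# Assumptions: Microsoft.Graph SDK; caller holds User.ReadWrite.All, RoleManagement.ReadWrite.Directory
# and Policy.Read.All; the tenant's default domain is the value below.

$TenantDomain      = 'contoso.onmicrosoft.com'                 # assumption: default *.onmicrosoft.com domain
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'     # well-known Global Administrator role template id

function New-RandomPassword {
    param([int]$Length = 24)   # CIS asks for at least 16; 24 leaves margin
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()     # CSPRNG, not Get-Random
    $limit = [int][math]::Floor(256 / $alphabet.Length) * $alphabet.Length       # rejection sampling avoids modulo bias
    $buf   = [byte[]]::new(1)
    $out   = [System.Text.StringBuilder]::new()
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$out.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $out.ToString()
}

function New-BreakGlassAccount {
    param([string]$Name)   # e.g. 'bg-ops-01': must not identify a person (assumption)
    $upn      = "$Name@$TenantDomain"
    $password = New-RandomPassword -Length 24
    $user = New-MgUser -DisplayName $Name -UserPrincipalName $upn -MailNickname $Name -AccountEnabled `
        -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }
    # No license is assigned on purpose. Permanent, tenant-wide ("/") Global Administrator assignment:
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
        -RoleDefinitionId $GlobalAdminRoleId -DirectoryScopeId '/' | Out-Null
    [pscustomobject]@{ Id = $user.Id; UserPrincipalName = $upn; Password = $password }
}

function Test-BreakGlassExclusion {
    param([string]$UserId)
    # One row per enabled CA policy; Excluded=$false means the account could be locked out by that policy.
    # Only direct user exclusions are checked; exclusions via a group would need a membership lookup.
    Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled' | ForEach-Object {
        [pscustomobject]@{
            Policy   = $_.DisplayName
            Excluded = [bool]($_.Conditions.Users.ExcludeUsers -contains $UserId)
        }
    }
}

Connect-MgGraph -Scopes 'User.ReadWrite.All','RoleManagement.ReadWrite.Directory','Policy.Read.All' -NoWelcome
$bg = New-BreakGlassAccount -Name 'bg-ops-01'
$bg.Password            # record offline (sealed envelope / safe), then clear it from the session
Remove-Variable bg -ErrorAction SilentlyContinue
# Re-run this audit after every CA change; any row with Excluded=False is a finding:
# Test-BreakGlassExclusion -UserId '<object id of the break-glass account>' | Where-Object { -not $_.Excluded }
```

Test-BreakGlassExclusion is the part worth scheduling: new Conditional Access policies are created without the exclusion by default, so the account that passed on the day it was created can silently be locked out later.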
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly?
Not Available | Ensure Microsoft 365 Exchange Online Privileged Access Management is Used | High | Not Enabled | - | SP v1.0 | NO

TEST NAME: Ensure Microsoft 365 Exchange Online Privileged Access Management is Used
Description: Privileged Access Management (PAM) is not enabled in Microsoft 365; see the issue details.
Recommendation and Steps: It is recommended to enable PAM in Microsoft 365 so that privileged Exchange Online tasks require just-in-time, approved access instead of standing permissions.

Not Available | Ensure Microsoft 365 User Roles have less than 10 Admins | Passed | 0 | - | SP v1.0 | YES

TEST NAME: Ensure Microsoft 365 User Roles have less than 10 Admins
Description: All Microsoft 365 roles have 10 or fewer members.

Not Available | Ensure Microsoft 365 Users Have Strong Password Requirements Configured | Passed | 0 | - | SP v1.0 | YES

TEST NAME: Ensure Microsoft 365 Users Have Strong Password Requirements Configured
Description: All Microsoft 365 users have strong password requirements enabled.

Not Available | Ensure self-service password reset is enabled | Passed | Enabled | - | SP v1.0 | YES

TEST NAME: Ensure self-service password reset is enabled
Description: Self-service password reset is enabled for the tenant.

Not Available | Ensure that Microsoft 365 Passwords Are Not Set to Expire | Passed | 0 | - | SP v1.0 | YES

TEST NAME: Ensure that Microsoft 365 Passwords Are Not Set to Expire
Description: Password policies are configured for the tenant's domains so that passwords do not expire.

Not Available | Ensure Microsoft 365 Exchange Online Modern Authentication is Used | Passed | Enabled | - | SP v1.0 | YES

TEST NAME: Ensure Microsoft 365 Exchange Online Modern Authentication is Used
Description: Modern authentication is enabled for Exchange Online.
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly?
Not Available | Ensure Enterprise Applications Role Assignments are reviewed weekly | High | 14 | - | SP v1.0 | NO

TEST NAME: Ensure Enterprise Applications Role Assignments are reviewed weekly
Description: 14 role assignments to enterprise applications were found that are not subject to a review process. Applications are part of the attack surface and must be monitored. While they are not targeted as often as user accounts, breaches do occur, and because applications often run without human intervention, attacks through them can be harder to detect.
Recommendation and Steps: It is recommended that the Security Administrator reviews the list of role assignments for each enterprise application weekly and removes any that are not needed.
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly?
1.2.1 | Ensure that only organizationally managed-approved public groups exist | Medium | 14 | E3 Level 2 | CIS v4.0 | NO

TEST NAME: Ensure that only organizationally managed-approved public groups exist
Description: 14 public groups were found in the Microsoft 365 tenant. If the recommendation is applied, group owners could receive more access requests than usual, especially for groups that were originally meant to be public.
Recommendation and Steps: Ensure that only organizationally managed and approved public groups exist. When a group's privacy is set to Public, any user in the organization may access data related to that group. Administrators are notified when a user uses the Azure portal. Requesting access to the group forces users to send a message to the group owner, but they still have immediate access to the group. "Public" in this context means public to the identities within the organization, not to the internet.

1.2.2 | Ensure sign-in to shared mailboxes is blocked | Passed | 0 | E3 Level 1 | CIS v4.0 | YES

TEST NAME: Ensure sign-in to shared mailboxes is blocked
Description: Item has met all the requirements of the test.
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly?
1.3.3 | Ensure calendar details sharing with external users is disabled | High | Enabled | E3 Level 2 | CIS v4.0 | NO

TEST NAME: Ensure calendar details sharing with external users is disabled
Description: Calendar details sharing with external users is not disabled. This functionality is not widely used, so implementing the setting is unlikely to affect most users; those who do use it will experience a minor inconvenience when scheduling meetings.
Recommendation and Steps: Do not allow users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars help attackers understand organizational relationships and determine when specific users may be more vulnerable, such as when they are traveling.

1.3.7 | Ensure third-party storage services are restricted in Microsoft 365 on the web | High | Not Restricted | E3 Level 2 | CIS v4.0 | NO

TEST NAME: Ensure third-party storage services are restricted in Microsoft 365 on the web
Description: Item does not meet all the requirements of the test. Third-party storage can be enabled for users in Microsoft 365, allowing them to store and share documents using services such as Dropbox alongside OneDrive and team sites. Using external storage services increases the risk of data breaches and unauthorized access to confidential information; in addition, third-party services may not adhere to the organization's security standards, making it harder to maintain data privacy and security. The impact of this change depends on current practice in the tenant: if users do not use other storage providers, the impact is minimal; if they regularly use providers outside the tenant, it will affect their ability to continue doing so.
Recommendation and Steps: To restrict third-party storage in Microsoft 365 on the web:
1. Navigate to the Microsoft 365 admin center https://admin.microsoft.com
2. Go to Settings > Org Settings > Services > Microsoft 365 on the web
3. Uncheck "Let users open files stored in third-party storage services in Microsoft 365 on the web"

1.3.6 | Ensure the customer lockbox feature is enabled | Medium | Disabled | E5 Level 2 | CIS v4.0 | NO

TEST NAME: Ensure the customer lockbox feature is enabled
Description: The Customer Lockbox feature is not enabled. The impact of this setting is that Microsoft must be granted access to the tenant environment before a Microsoft engineer can access it for support or troubleshooting.
Recommendation and Steps: Enable the Customer Lockbox feature. It requires Microsoft to obtain your approval for any datacenter operation that grants a Microsoft support engineer or other employee direct access to any of your data. For example, in some cases a Microsoft support engineer might need access to your Microsoft 365 content in order to help troubleshoot and fix an issue for you. Customer lockbox requests also have an

1.3.1 | Ensure the Password expiration policy is set to Set passwords to never expire (recommended) | Passed | 0 | E3 Level 1 | CIS v4.0 | YES

TEST NAME: Ensure the Password expiration policy is set to Set passwords to never expire (recommended)
Description: Item has met all the requirements of the test.
1.3.4 | Ensure User owned apps and services is restricted | Passed | Restricted | E3 Level 1 | CIS v4.0 | YES |
1.3.2 | Ensure Idle session timeout is set to 3 hours (or less) for unmanaged devices | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO

TEST NAME: Ensure Idle session timeout is set to 3 hours (or less) for unmanaged devices
Description: Item does not meet all the requirements of the test. Idle session timeout signs out inactive users after a pre-determined period. When a user reaches the idle timeout, they are notified that they are about to be signed out; unless they choose to stay signed in, they are automatically signed out of all Microsoft 365 web apps. Combined with a Conditional Access rule, this affects only unmanaged devices (a managed device is one managed by Intune MDM). The following Microsoft 365 web apps are supported:
- Outlook Web App
- OneDrive for Business
- SharePoint Online (SPO)
- Office.com and other start pages
- Office (Word, Excel, PowerPoint) on the web
- Microsoft 365 admin center
NOTE: Idle session timeout does not affect Microsoft 365 desktop and mobile apps. The recommended setting is 3 hours (or less) for unmanaged devices. Ending idle sessions automatically helps protect sensitive company data and adds another layer of security for end users who work on unmanaged devices that may be accessible to the public: unauthorized individuals, onsite or remote, can take advantage of systems left unattended, and automatic sign-out makes this harder. If Step 2 of the procedure is left out there is no issue from a security standpoint, but users on trusted devices will have to sign in more frequently, which can cause credential-prompt fatigue.
Recommendation and Steps:
Step 1 - Configure idle session timeout:
1. Navigate to the Microsoft 365 admin center https://admin.microsoft.com/
2. Expand Settings and select Org settings.
3. Click the Security & Privacy tab.
4. Select Idle session timeout.
5. Check the box "Turn on to set the period of inactivity for users to be signed off of Microsoft 365 web apps".
6. Set a maximum value of 3 hours.
7. Click Save.
Step 2 - Ensure the Conditional Access policy is in place:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com/
2. Expand Azure Active Directory > Protect & secure > Conditional Access
3. Click New policy and give the policy a name.
4. Select Users > All users.
5. Select Cloud apps or actions > Select apps and select Office 365.
6. Select Conditions > Client apps > Yes, check only Browser and uncheck all other boxes.
7. Select Sessions and check Use app enforced restrictions.
8. Set Enable policy to On and click Create.
NOTE: To ensure that idle timeouts affect only unmanaged devices, both steps must be completed.
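Step 2 of the procedure above, the Conditional Access policy, is the part that is easy to get subtly wrong (for example by leaving desktop clients checked, which then prompts users on managed devices too). The following added example, not code from the report or from Microsoft, creates that policy through the Graph PowerShell SDK and, before doing so, checks whether an equivalent enabled policy already exists. The policy name is an assumption; "Office365" is the identifier the Graph API uses for the "Office 365" app group, and "browser" the client app type checked in step 6. Step 1, the admin-center timeout value itself, is left to the portal steps above.

```powershell
# Added example (not from the report): CIS 1.3.2 Step 2 as a Graph PowerShell call plus an audit.
# Assumptions: Microsoft.Graph SDK; caller holds Policy.ReadWrite.ConditionalAccess, Policy.Read.All
# and Application.Read.All (all three are required to create a CA policy via Graph).

$PolicyName = 'Idle session timeout - browser sessions on unmanaged devices'   # assumption

function New-IdleSessionCAPolicy {
    param([string]$DisplayName = $PolicyName, [switch]$ReportOnly)
    $body = @{
        displayName = $DisplayName
        # Report-only lets you read the sign-in log impact before enforcing (step 8 says On; start softer).
        state       = if ($ReportOnly) { 'enabledForReportingButNotEnforced' } else { 'enabled' }
        conditions  = @{
            users          = @{ includeUsers = @('All') }                 # step 4: All users
            applications   = @{ includeApplications = @('Office365') }    # step 5: the "Office 365" app group
            clientAppTypes = @('browser')                                 # step 6: Browser only, nothing else
        }
        sessionControls = @{
            applicationEnforcedRestrictions = @{ isEnabled = $true }     # step 7: Use app enforced restrictions
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

function Test-IdleSessionCAPolicy {
    # Returns enabled policies that already match every setting the recommendation asks for.
    Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $_.State -eq 'enabled' -and
        ($_.Conditions.Users.IncludeUsers -contains 'All') -and
        ($_.Conditions.Applications.IncludeApplications -contains 'Office365') -and
        ((@($_.Conditions.ClientAppTypes) -join ',') -eq 'browser') -and
        $_.SessionControls.ApplicationEnforcedRestrictions.IsEnabled
    } | Select-Object DisplayName, State
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All' -NoWelcome
if (-not (Test-IdleSessionCAPolicy)) {
    New-IdleSessionCAPolicy -ReportOnly   # switch to enforced once the report-only results look right
}
```

The audit function is deliberately strict about clientAppTypes: a policy that also lists mobileAppsAndDesktopClients is not equivalent, because app-enforced restrictions would then apply to managed devices as well, which is exactly the credential-prompt fatigue the description warns about.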
1.3.5 | Ensure internal phishing protection for Forms is enabled | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO

TEST NAME: Ensure internal phishing protection for Forms is enabled
Description: Item does not meet all the requirements of the test. Microsoft Forms can be used for phishing by asking for personal or sensitive information and collecting the results. Microsoft 365 has built-in protection that proactively scans forms for phishing attempts such as requests for personal information. Enabling internal phishing protection for Microsoft Forms prevents attackers from using forms to phish for personal or other sensitive information and URLs. If potential phishing is detected, the form is temporarily blocked: it cannot be distributed and no responses are collected until an administrator unblocks it or the creator removes the offending keywords.
Recommendation and Steps: To enable internal phishing protection for Forms:
1. Navigate to the Microsoft 365 admin center https://admin.microsoft.com
2. Expand Settings and select Org settings.
3. Under Services, select Microsoft Forms.
4. Under Phishing protection, check "Add internal phishing protection".
5. Click Save.

1.3.8 | Ensure that Sways cannot be shared with people outside of your organization | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO

TEST NAME: Ensure that Sways cannot be shared with people outside of your organization
Description: The setting that prevents Sways from being shared with people outside the organization is not configured. Once it is, interactive reports, presentations, newsletters and other items created in Sway can no longer be shared outside the organization by users.
Recommendation and Steps: Disable external sharing of Sway items (reports, newsletters, presentations and similar) that could contain sensitive information, to prevent accidental or deliberate data leaks.
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly?
2.1.1 | Ensure Safe Links for Office Applications is Enabled | High | Not Enabled | E5 Level 2 | CIS v4.0 | NO

TEST NAME: Ensure Safe Links for Office Applications is Enabled
Description: Safe Links for Office applications is not enabled. User impact is minor: users may see a very short delay when clicking a URL in an Office document before being directed to the requested site. Users should be informed of the change because, if a link is unsafe and blocked, they will receive a message saying it has been blocked.
Recommendation and Steps: Enabling a Safe Links policy for Office applications allows URLs inside Office documents and emails opened in Office, Office Online and Office mobile to be checked by Defender for Office 365 time-of-click verification and rewritten if required. Safe Links for Office applications therefore extends phishing protection to documents and emails that contain hyperlinks, even after they have been delivered to a user. Note: E5 licensing includes a number of built-in protection policies. When auditing policies, note which policy you are viewing, and keep in mind that CIS recommendations often extend the Default or built-in policies provided by Microsoft. To pass, the highest-priority policy must match all recommended settings.

2.1.2 | Ensure the Common Attachment Types Filter is enabled | High | Not Enabled | E3 Level 1 | CIS v4.0 | NO

TEST NAME: Ensure the Common Attachment Types Filter is enabled
Description: The Common Attachment Types Filter is not enabled. Blocking common malicious file types should have no impact in modern computing environments.
Recommendation and Steps: The Common Attachment Types Filter lets you block known and custom malicious file types from being attached to emails. Blocking known malicious file types helps prevent malware-laden files from infecting a host.

2.1.3 | Ensure notifications for internal users sending malware is Enabled | High | Not Enabled | E3 Level 1 | CIS v4.0 | NO

TEST NAME: Ensure notifications for internal users sending malware is Enabled
Description: Notifications for internal users sending malware are not enabled. Notifying an administrator about an account with potential issues should not impact the user.
Recommendation and Steps: Exchange Online Protection (EOP) is the cloud-based filtering service that protects your organization against spam, malware and other email threats. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes. EOP uses flexible anti-malware policies for malware protection settings. These policies

2.1.6 | Ensure Exchange Online Spam Policies are set correctly | High | Not Enabled | E3 Level 1 | CIS v4.0 | NO

TEST NAME: Ensure Exchange Online Spam Policies are set correctly
Description: Exchange Online spam policies are not set correctly. Notifying someone when a user has been blocked should not impact the user.
Recommendation and Steps: In Microsoft 365 organizations with mailboxes in Exchange Online, or standalone EOP organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP. Configure the Exchange Online outbound spam policy to send a copy of suspicious outbound mail and to notify someone when a sender in your tenant has been blocked for sending spam. A blocked account is a strong indication that the account has been compromised and that an attacker is using it to send spam to other people.
Not Available | Ensure No Domains with SPF Soft Fail are Configured | High | Configured | - | SP v1.0 | NO

TEST NAME: Ensure No Domains with SPF Soft Fail are Configured
Description: Item does not meet all the requirements of the test. The affected domains have SPF records whose "all" mechanism uses the soft-fail qualifier (~all). Soft fail tells receiving hosts that mail falsely purporting to come from the organization should be flagged as failing sender verification but still delivered. Adversaries therefore retain significant leeway to imitate the organization's brand and domains, because many users will still see the forged email even though it failed the check.
Recommendation and Steps: Consider setting the qualifier of the "all" mechanism in the SPF record for the affected domains to '-' (fail) rather than '~' (soft fail). This helps ensure that mail which does not truly originate from the organization's authorized servers is rejected by recipients. Note, however, that once this is done, any mail from the organization's domain that fails sender verification may be blocked outright by recipient mail servers. This can lead to dropped email where the organization's own SPF record is incomplete or untested, for example when a legitimate third-party sending service is missing from the record. For this reason soft fail is often recommended as an intermediate step to test the benefits and configuration of SPF. Proceed with appropriate caution during SPF rollouts and ensure that the difference between soft and hard failure is fully understood before implementing either.

2.1.9 | Ensure that DKIM is enabled for all Exchange Online Domains | High | 3 | E3 Level 1 | CIS v4.0 | NO

TEST NAME: Ensure that DKIM is enabled for all Exchange Online Domains
Description: DKIM is not enabled for all Exchange Online domains (3 domains affected). Setting up DKIM should have no impact, but organizations should ensure it is set up correctly (the selector CNAME records must be published in DNS before signing is enabled) to keep mail flowing.
Recommendation and Steps: Use DKIM in addition to SPF and DMARC to help prevent spoofers from sending messages that appear to come from your domain. With DKIM enabled in Microsoft 365, messages sent from Exchange Online are cryptographically signed, which lets the receiving email system verify that the message was generated by a server the organization authorized and has not been spoofed.

2.1.10 | Ensure DMARC Records for all Exchange Online domains are published | High | 4 | E3 Level 1 | CIS v4.0 | NO

TEST NAME: Ensure DMARC Records for all Exchange Online domains are published
Description: DMARC records are not published for all Exchange Online domains (4 domains affected). Setting up DMARC should have no impact, but organizations should ensure it is set up correctly to keep mail flowing.
Recommendation and Steps: Publish Domain-based Message Authentication, Reporting and Conformance (DMARC) records for each Exchange Online accepted domain. DMARC works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain.

Not Available | Ensure all security threats in the Threat protection status report are reviewed and actioned | High | Security Threats Found in Malware Report | - | SP v1.0 | NO

TEST NAME: Ensure all security threats in the Threat protection status report are reviewed and actioned
Description: Security threats were found in the malware report, and the threats are not reviewed weekly by a Microsoft 365 engineer. Review all the security threats in the Threat protection status report at least weekly. This report shows specific instances of Microsoft blocking a malware attachment from reaching your users, phishing being blocked, impersonation attempts, and so on.
Recommendation and Steps: While this report is not strictly actionable, reviewing it gives a sense of the overall volume of the various security threats targeting your users, which may prompt the adoption of more aggressive threat mitigations.

2.1.12 | Ensure the connection filter IP allow list is not used | High | Used | E3 Level 1 | CIS v4.0 | NO

TEST NAME: Ensure the connection filter IP allow list is not used
Description: The connection filter IP allow list is in use; not using it is the default behavior. IP allow lists may reduce false positives, but this benefit is outweighed by the importance of a policy that scans all messages regardless of their origin, in line with the principle of zero trust.
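The four EOP findings above (2.1.2 common attachment filter, 2.1.3 internal malware-sender notifications, 2.1.6 outbound spam copy and notification, 2.1.12 IP allow list) are all properties of three Exchange Online policy objects, so they can be audited and fixed together. The following script is an added example, not code from the report or from the CIS Benchmark; it uses the ExchangeOnlineManagement module. The notification mailbox and the blocked-extension list are assumptions: take the extension list from Microsoft's default list in the portal and add what your organization blocks. Remediation only runs when $Fix is set to $true; by default the script reports.

```powershell
# Added example (not from the report): audit and remediate the EOP settings behind
# CIS 2.1.2, 2.1.3, 2.1.6 and 2.1.12 with the ExchangeOnlineManagement module.
# Assumptions: the mailbox and extension list below; caller is an Exchange administrator.

$SecOpsMailbox     = 'secops@contoso.com'                                                   # assumption
$BlockedExtensions = @('ace','ani','app','exe','jar','reg','scr','vbe','vbs','wsf','wsh')  # assumption
$Fix               = $false   # set to $true to apply Repair-EopPolicies

function Get-EopFindings {
    $findings = @()
    foreach ($p in Get-MalwareFilterPolicy) {
        if (-not $p.EnableFileFilter) {
            $findings += [pscustomobject]@{ Control = '2.1.2';  Policy = $p.Identity; Issue = 'Common attachment types filter is off' }
        }
        if (-not $p.EnableInternalSenderAdminNotifications) {
            $findings += [pscustomobject]@{ Control = '2.1.3';  Policy = $p.Identity; Issue = 'No admin notification when an internal user sends malware' }
        }
    }
    foreach ($p in Get-HostedOutboundSpamFilterPolicy) {
        if (-not $p.BccSuspiciousOutboundMail -or -not $p.NotifyOutboundSpam) {
            $findings += [pscustomobject]@{ Control = '2.1.6';  Policy = $p.Identity; Issue = 'Outbound spam: no BCC copy and/or no notification configured' }
        }
    }
    $cf = Get-HostedConnectionFilterPolicy -Identity Default
    if ($cf.IPAllowList.Count -gt 0) {
        $findings += [pscustomobject]@{ Control = '2.1.12'; Policy = $cf.Identity; Issue = "IP allow list in use: $($cf.IPAllowList -join ', ')" }
    }
    $findings
}

function Repair-EopPolicies {
    # Every anti-malware policy, not just Default: CIS passes only if the highest-priority policy complies.
    foreach ($p in Get-MalwareFilterPolicy) {
        Set-MalwareFilterPolicy -Identity $p.Identity -EnableFileFilter $true -FileTypes $BlockedExtensions `
            -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress $SecOpsMailbox
    }
    foreach ($p in Get-HostedOutboundSpamFilterPolicy) {
        Set-HostedOutboundSpamFilterPolicy -Identity $p.Identity `
            -BccSuspiciousOutboundMail $true -BccSuspiciousOutboundAdditionalRecipients $SecOpsMailbox `
            -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients $SecOpsMailbox
    }
    # The allow list is an exception list someone added on purpose: confirm each entry with its owner first.
    Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList $null
}

Connect-ExchangeOnline -ShowBanner:$false
$findings = Get-EopFindings
$findings | Format-Table -AutoSize
if ($findings -and $Fix) { Repair-EopPolicies; Get-EopFindings }   # re-audit after the change
```

Keep the first run read-only and attach its output to the finding; the IP allow list in particular usually exists because a partner or scanner was whitelisted to stop false positives, and removing it without telling that team turns a security finding into an outage ticket.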
2.1.5 | Ensure Safe Attachments for SharePoint-OneDrive-Microsoft Teams is Enabled | Medium | Not Enabled-Not Implemented | E5 Level 2 | CIS v4.0 | NO

TEST NAME: Ensure Safe Attachments for SharePoint-OneDrive-Microsoft Teams is Enabled
Description: Safe Attachments for SharePoint, OneDrive and Teams is not enabled. The impact of Safe Attachments is minimal and equivalent to that of anti-virus scanners in an environment.
Recommendation and Steps: Safe Attachments for SharePoint, OneDrive and Microsoft Teams scans files stored in these services for malicious content.

2.1.8 | Ensure that SPF records are published for all Exchange Domains | Medium | 4 | E3 Level 1 | CIS v4.0 | NO

TEST NAME: Ensure that SPF records are published for all Exchange Domains
Description: SPF records are not published for all domains (4 domains affected). Setting up SPF records should have minimal impact; however, organizations should ensure the records are correct, as email could be flagged as spam if SPF is set up incorrectly.
Recommendation and Steps: For each domain configured in Exchange, a corresponding Sender Policy Framework (SPF) record should be created. SPF records let Exchange Online Protection and other mail systems know where messages from your domains are allowed to originate; the receiving system uses this information to decide how to treat a message depending on whether it is spoofed or valid.
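The four mail-authentication findings (SPF soft fail, 2.1.8 SPF published, 2.1.9 DKIM, 2.1.10 DMARC) can be checked from one script, and the record parsing is worth getting right because the failure modes are easy to miss: two SPF records in one zone is a permerror rather than a pass, a record without an "all" mechanism behaves like ?all, and a DMARC record with p=none enforces nothing. The following is an added example, not code from the report or from Microsoft: the parsing functions run offline on the constructed sample records at the bottom (fictitious domains, not the assessed tenant); the live path, commented out, needs Windows (Resolve-DnsName from the DnsClient module) for DNS lookups and ExchangeOnlineManagement for Get-AcceptedDomain and Get-DkimSigningConfig.

```powershell
# Added example (not from the report): SPF / DKIM / DMARC checks for Exchange Online accepted domains.
# Assumptions: Windows for Resolve-DnsName; ExchangeOnlineManagement for the live run; sample records
# below are constructed for illustration.

function Test-SpfRecord {
    param([string[]]$TxtRecords)
    $spf = @($TxtRecords | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -eq 0) { return [pscustomobject]@{ Present = $false; Qualifier = $null; Finding = 'No SPF record' } }
    if ($spf.Count -gt 1) { return [pscustomobject]@{ Present = $true;  Qualifier = $null; Finding = 'Multiple SPF records: receivers treat this as permerror' } }
    # "all" matches every sender not matched earlier; its qualifier is the verdict for spoofed mail.
    # A missing qualifier means "+" (pass) per RFC 7208.
    $m = [regex]::Match($spf[0], '(?:^|\s)([-~+?]?)all(?:\s|$)')
    $q = if (-not $m.Success) { 'none' } elseif ($m.Groups[1].Value) { $m.Groups[1].Value } else { '+' }
    $finding = switch ($q) {
        '-'     { 'OK: hard fail (-all)' }
        '~'     { 'Soft fail (~all): spoofed mail is marked but still delivered' }
        '?'     { 'Neutral (?all): SPF gives no verdict' }
        '+'     { 'Pass-all (+all): SPF authorizes every sender' }
        default { 'No "all" mechanism: unlisted senders get a neutral result' }
    }
    [pscustomobject]@{ Present = $true; Qualifier = $q; Finding = $finding }
}

function Test-DmarcRecord {
    param([string[]]$TxtRecords)
    $rec = @($TxtRecords | Where-Object { $_ -match '^v=DMARC1\s*;' })
    if ($rec.Count -eq 0) { return [pscustomobject]@{ Present = $false; Policy = $null; Finding = 'No DMARC record at _dmarc.<domain>' } }
    $tags = @{}
    foreach ($kv in ($rec[0] -split ';')) {
        if ($kv -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    $finding = switch ([string]$tags['p']) {
        'reject'     { 'OK: p=reject' }
        'quarantine' { 'p=quarantine: acceptable; move to reject once aligned mail flows cleanly' }
        'none'       { 'p=none: monitoring only, spoofed mail is still delivered' }
        default      { 'Missing or invalid p= tag' }
    }
    [pscustomobject]@{ Present = $true; Policy = $tags['p']; Rua = $tags['rua']; Finding = $finding }
}

function Get-TxtStrings {
    param([string]$Name)
    # One string per TXT record; a long record split into 255-byte chunks is re-joined.
    foreach ($r in (Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue)) {
        if ($r.Type -eq 'TXT' -and $r.Strings) { -join $r.Strings }
    }
}

function Test-DomainMailAuth {
    param([string]$Domain, [hashtable]$DkimByDomain = @{})
    $spf   = Test-SpfRecord   (Get-TxtStrings $Domain)
    $dmarc = Test-DmarcRecord (Get-TxtStrings "_dmarc.$Domain")
    [pscustomobject]@{
        Domain = $Domain
        SPF    = $spf.Finding
        DKIM   = if ($DkimByDomain.ContainsKey($Domain)) { $DkimByDomain[$Domain] } else { 'no signing config' }
        DMARC  = $dmarc.Finding
    }
}

# Constructed sample records (fictitious domains), evaluated offline:
$samples = [ordered]@{
    'example.com' = @{ Spf = 'v=spf1 include:spf.protection.outlook.com -all'; Dmarc = 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com' }
    'example.net' = @{ Spf = 'v=spf1 include:spf.protection.outlook.com ~all'; Dmarc = 'v=DMARC1; p=none; rua=mailto:dmarc@example.net' }
    'example.org' = @{ Spf = 'google-site-verification=abc123';                 Dmarc = $null }
}
$samples.Keys | ForEach-Object {
    [pscustomobject]@{ Domain = $_; SPF = (Test-SpfRecord $samples[$_].Spf).Finding; DMARC = (Test-DmarcRecord $samples[$_].Dmarc).Finding }
} | Format-Table -AutoSize

# Live run against the tenant (uncomment after Connect-ExchangeOnline, on a host with DNS access):
# $dkim = @{}; Get-DkimSigningConfig | ForEach-Object { $dkim[$_.Domain] = if ($_.Enabled) { 'enabled' } else { 'DISABLED' } }
# (Get-AcceptedDomain).DomainName | ForEach-Object { Test-DomainMailAuth -Domain $_ -DkimByDomain $dkim } | Format-Table -AutoSize
```

On the samples, example.com passes, example.net reproduces the soft-fail finding together with an unenforced DMARC policy, and example.org has neither record. In the live run, a domain whose DKIM column reads "no signing config" has never had DKIM provisioned in Exchange Online at all, which is a different remediation from one that is merely disabled.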
Not Available | Ensure the spoofed domains are reviewed and actioned | Medium | 5 | SP v1.0 | NO |
X TEST NAME Ensure the spoofed domains are reviewed and actioned Description Found Spoofed domains. Please review the list and act accordingly. Auditing Process needs to be created and followed. None None Recommendation and Steps Use spoof intelligence in the Security Center on the Anti-spam settings page to review all senders who are spoofing either domains that are part of your organization or spoofing external domains. Spoof intelligence is available as part of Microsoft 365 Enterprise E5 or separately as part of Defender for Microsoft 365 and as of October 2018 Exchange Online Protection (EOP). Bad actors spoof domains to trick users into conducting actions they normally would not or should not via phishing emails. Running this report will inform the message administrators of current activities, and the phishing techniques used by bad actors. This information can be used to inform end users and plan against future campaigns. Associated Objects
Affected Objects
|
2.1.4 | Ensure Safe Attachments policy is enabled | Passed | Not Enabled-Not Implemented | E5 Level 2 | CIS v4.0 | YES |
2.1.7 | Ensure that an anti-phishing policy has been created | Passed | Created | E5 Level 1 | CIS v4.0 | YES |
X TEST NAME Ensure that an anti-phishing policy has been created Description Anti-Phishing Policy has been created. Recommendation and Steps Associated Objects
Affected Objects |
Not Available | Ensure the Restricted entities are reviewed and actioned | Passed | There are no Restricted users at present | SP v1.0 | YES |
X TEST NAME Ensure the Restricted entities are reviewed and actioned Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects
Affected Objects |
2.1.13 | Ensure the connection filter safe list is off | Passed | Turned Off | E3 Level 1 | CIS v4.0 | YES |
X TEST NAME Ensure the connection filter safe list is off Description Recommendation and Steps Associated Objects
Affected Objects |
2.1.14 | Ensure inbound anti-spam policies do not contain allowed domains | Passed | Not Allowed | E3 Level 1 | CIS v4.0 | YES |
X TEST NAME Ensure inbound anti-spam policies do not contain allowed domains Description Recommendation and Steps Associated Objects
Affected Objects
|
2.1.11 | Ensure comprehensive attachment filtering is applied | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure comprehensive attachment filtering is applied Description For file types that are business-necessary, users will need to use other organizationally approved methods to transfer blocked extension types between business partners. Recommendation and Steps Associated Objects Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
Not Available | Ensure the Account Provisioning Activity report is reviewed and actioned | Passed | 0 | SP v1.0 | YES |
|
Not Available | Ensure non-global administrator role group assignments are reviewed and actioned | Passed | There are no non-admin Global Role assignments found in past 7 days | SP v1.0 | YES |
X TEST NAME Ensure non-global administrator role group assignments are reviewed and actioned Description Auditing Process is created and followed. Recommendation and Steps Associated Objects
Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
2.4.1 | Ensure Priority account protection is enabled and configured | High | Not Enabled-Not Implemented | E5 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure Priority account protection is enabled and configured Description Item does not meet all the requirements as per test. Identify _priority accounts_ to utilize Microsoft 365's advanced custom security features. This is an essential tool to bolster protection for users who are frequently targeted due to their critical positions, such as executives, leaders, managers, or others who have access to sensitive, confidential, financial, or high-priority information. Once these accounts are identified, several services and features can be enabled, including threat policies, enhanced sign-in protection through conditional access policies, and alert policies, enabling faster response times for incident response teams. Enabling priority account protection for users in Microsoft 365 is necessary to enhance security for accounts with access to sensitive data and high privileges, such as CEOs, CISOs, CFOs, and IT admins. These priority accounts are often targeted by spear phishing or whaling attacks and require stronger protection to prevent account compromise. To address this, Microsoft 365 and Microsoft Defender for Microsoft 365 offer several key features that provide extra security, including the identification of incidents and alerts involving priority accounts and the use of built-in custom protections designed specifically for them. Recommendation and Steps _Remediate with a 3-step process_
Step 1: Enable Priority account protection in Microsoft 365 Defender:
1. Navigate to Microsoft 365 Defender https://security.microsoft.com/
2. Select Settings > E-mail & Collaboration > Priority account protection
3. Ensure Priority account protection is set to On
Step 2: Tag priority accounts:
4. Select User tags
5. Select the PRIORITY ACCOUNT tag and click Edit
6. Select Add members to add users or groups. Groups are recommended.
7. Repeat the previous 2 steps for any additional tags needed, such as Finance or HR.
8. Next and Submit.
Step 3: Configure E-mail alerts for Priority Accounts:
9. Expand E-mail & Collaboration on the left column.
10. Select New Alert Policy
11. Enter a valid policy Name & Description. Set Severity to High and Category to Threat management.
12. Set Activity is to Detected malware in an e-mail message
13. Mail direction is Inbound
14. Select Add Condition and User: recipient tags are
15. In the Selection option field add chosen priority tags such as Priority account.
16. Select Every time an activity matches the rule.
17. Next and verify valid recipient(s) are selected.
18. Next and select Yes, turn it on right away. Click Submit to save the alert.
19. Repeat steps 10 - 18 for the Activity field Activity is: Phishing email detected at time of delivery
NOTE: Any additional activity types may be added as needed. Above are the minimum recommended. Associated Objects
Affected Objects |
2.4.2 | Ensure Priority accounts have Strict protection presets applied | High | Not Enabled-Not Implemented | E5 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure Priority accounts have Strict protection presets applied Description Item does not meet all the requirements as per test. Preset security policies have been established by Microsoft, utilizing observations and experiences within datacenters to strike a balance between the exclusion of malicious content from users and limiting unwarranted disruptions. These policies can apply to all or select users and encompass recommendations for addressing spam, malware, and phishing threats. The policy parameters are pre-determined and non-adjustable. Strict protection has the most aggressive protection of the 3 presets.
- EOP: Anti-spam, Anti-malware and Anti-phishing
- Defender: Spoof protection, Impersonation protection and Advanced phishing
- Defender: Safe Links and Safe Attachments
NOTE: The preset security policies cannot target Priority account TAGS currently; groups should be used instead. Enabling priority account protection for users in Microsoft 365 is necessary to enhance security for accounts with access to sensitive data and high privileges, such as CEOs, CISOs, CFOs, and IT admins. These priority accounts are often targeted by spear phishing or whaling attacks and require stronger protection to prevent account compromise. The implementation of stringent, pre-defined policies may result in false positives; however, the benefit of requiring the end-user to preview junk email before accessing their inbox outweighs the potential risk of mistakenly perceiving a malicious email as safe due to its placement in the inbox. Strict policies are more likely to cause false positives in anti-spam, phishing, impersonation, spoofing and intelligence responses. Recommendation and Steps Enable strict preset security policies for Priority accounts:
1. Navigate to Microsoft 365 Defender https://security.microsoft.com/
2. Select to expand E-mail & collaboration.
3. Select Policies & rules > Threat policies > Preset security policies.
4. Click to Manage protection settings for Strict protection preset.
5. For Apply Exchange Online Protection select at minimum Specific recipients and include the Accounts/Groups identified as Priority Accounts.
6. For Apply Defender for Microsoft 365 Protection select at minimum Specific recipients and include the Accounts/Groups identified as Priority Accounts.
7. For Impersonation protection click Next and add valid e-mails or priority accounts, both internal and external, that may be subject to impersonation.
8. For Protected custom domains add the organization's domain name, alongside other key partners.
9. Click Next and finally Confirm Associated Objects
Affected Objects |
2.4.4 | Ensure Zero-hour auto purge for Microsoft Teams is on | High | Not Restricted | E5 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure Zero-hour auto purge for Microsoft Teams is on Description As with any anti-malware or anti-phishing product, false positives may occur. Recommendation and Steps To remediate using the UI:
1. Navigate to Microsoft Defender https://security.microsoft.com/
2. Click to expand System, then select Settings > Email & collaboration > Microsoft Teams protection.
3. Set Zero-hour auto purge (ZAP) to On (Default) Associated Objects
Affected Objects
|
2.4.3 | Ensure Microsoft Defender for Cloud Apps is Enabled | Passed | Enabled | E5 Level 2 | CIS v4.0 | YES |
X TEST NAME Ensure Microsoft Defender for Cloud Apps is Enabled Description Microsoft Defender for Cloud App is enabled. Recommendation and Steps Associated Objects
Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
3.1.1 | Ensure Microsoft 365 audit log search is Enabled | Medium | Not Enabled | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure Microsoft 365 audit log search is Enabled Description Microsoft 365 Audit Log Search is not enabled. Auditing Process needs to be created and followed. Recommendation and Steps When audit log search in the Microsoft Purview compliance portal is enabled, user and admin activity from your organization is recorded in the audit log and retained for 90 days. However, your organization might be using a third-party security information and event management (SIEM) application to access your auditing data. In that case, a global admin can turn off audit log search in Microsoft 365. Enabling Microsoft Purview audit log search helps Microsoft 365 back-office teams investigate activities for regular security operational or forensic purposes. Associated Objects
Affected Objects |
Not Available | Ensure user role group changes are reviewed and actioned | Passed | There are no user role group changes found in past 7 days | SP v1.0 | YES |
X TEST NAME Ensure user role group changes are reviewed and actioned Description Auditing Process is created and followed. Recommendation and Steps Associated Objects
Affected Objects More Information TEST ID
|
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
3.2.1 | Ensure DLP policies are enabled | High | The DLP Policy is NOT Enabled | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure DLP policies are enabled Description DLP Policies are not enabled. Enabling a DLP policy will allow sensitive data in Exchange Online and SharePoint Online to be detected or blocked. Always ensure to follow appropriate procedures in regard to testing and implementation of DLP policies based on your organizational standards. Recommendation and Steps Enabling Data Loss Prevention (DLP) policies allows Exchange Online and SharePoint Online content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords. Associated Objects Affected Objects More Information TEST ID
|
3.2.2 | Ensure DLP policies are enabled for Microsoft Teams | High | No DLP Policy Found | E5 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure DLP policies are enabled for Microsoft Teams Description DLP Policies are not enabled for Microsoft Teams. Enabling a Teams DLP policy will allow sensitive data in Teams channels or chat messages to be detected or blocked. Recommendation and Steps Enabling Data Loss Prevention (DLP) policies for Microsoft Teams blocks sensitive content when shared in teams or channels. Content is scanned for specific types of data like social security numbers, credit card numbers, or passwords. Enabling DLP policies alerts users and administrators that specific types of data should not be exposed, helping to protect the data from accidental exposure. Associated Objects Affected Objects |
Not Available | Ensure DLP Policy is enabled for OneDrive | High | Not Enabled | SP v1.0 | NO |
X TEST NAME Ensure DLP Policy is enabled for OneDrive Description DLP for OneDrive is not enabled. Data Loss Prevention (DLP) capabilities protect your data where it is stored, when it is moved, and when it is shared. Recommendation and Steps It is recommended to enable DLP for OneDrive. Associated Objects
Affected Objects |
Not Available | Ensure DLP Policy is configured for SharePoint | High | Not Enabled | SP v1.0 | NO |
X TEST NAME Ensure DLP Policy is configured for SharePoint Description DLP Policy for SharePoint is not enabled. As businesses continue to digitize their operations, data protection has become a top priority. Microsoft SharePoint Online, a cloud-based collaboration and document management solution, offers a built-in Data Loss Prevention (DLP) solution to help safeguard sensitive information. DLP in SharePoint Online is important because it helps organizations protect their sensitive information from being shared with unauthorized parties. This is especially critical in highly regulated industries, such as healthcare and finance. Recommendation and Steps It is recommended to enable a DLP Policy for SharePoint. Associated Objects
Affected Objects |
Not Available | Ensure Custom Anti-Malware Policy is Present | High | Not Defined | SP v1.0 | NO |
X TEST NAME Ensure Custom Anti-Malware Policy is Present Description Item does not meet all the requirements as per test. It is possible to create custom anti-malware policies in Exchange Online to provide additional protection against threats that may be received via email. No anti-malware policy besides the Microsoft Default Anti-Malware Policy was detected in the O365 Tenant. Although the default anti-malware policy can provide some protection, each organization should consider creating an anti-malware policy that is customized to suit the nature of its day-to-day activities. Recommendation and Steps Follow the 'Configure anti-malware policies in Exchange Online Protection' guide below for a full introduction to creating a custom anti-malware policy. It is possible to create an anti-malware policy and enable it through the Exchange admin center or via Exchange Online PowerShell using the Set-MalwareFilterPolicy or New-MalwareFilterPolicy commands. Associated Objects
Affected Objects |
Not Available | Ensure Custom Anti-Phishing Policy is Present | High | Not Defined | SP v1.0 | NO |
X TEST NAME Ensure Custom Anti-Phishing Policy is Present Description Item does not meet all the requirements as per test. It is possible to create custom Anti-Phishing Policies in Exchange Online to provide additional protection against threats that may be received via email. No Anti-Phishing Policy besides the Microsoft Default Anti-Phishing Policy was detected in the O365 tenant. Although the default Anti-Phishing Policy can provide some protection, each organization should consider creating an Anti-Phishing Policy that is customized to suit the nature of its day-to-day activities. Recommendation and Steps Follow the 'Anti-Phishing Policies in Microsoft 365' article below to begin constructing a custom Anti-Phishing Policy. Associated Objects
Affected Objects |
Not Available | Ensure Custom DLP Policies are Present | High | Not Defined-Not Implemented | SP v1.0 | NO |
X TEST NAME Ensure Custom DLP Policies are Present Description Item does not meet all the requirements as per test. Organizations have sensitive information under their control such as financial data, proprietary data, credit card numbers, health records, or social security numbers. To help protect this sensitive data and reduce risk, they need a way to prevent their users from inappropriately sharing it with people who should not have it. Default configurations may not meet the business needs or compliance requirements of the organization. Custom policies can be configured to address any gaps that default settings do not remediate. Recommendation and Steps Determine if a custom DLP policy is beneficial for the Tenant, identify any gaps between the desired end state and default policy configurations, and implement any new policies as needed. Associated Objects
Affected Objects More Information TEST ID
|
Not Available | Ensure Custom DLP Sensitive Information Types are Defined | High | No custom DLP sensitive information types defined. | SP v1.0 | NO |
X TEST NAME Ensure Custom DLP Sensitive Information Types are Defined Description Item does not meet all the requirements as per test. Organizations have sensitive information under their control such as financial data, proprietary data, credit card numbers, health records, or social security numbers. Default configurations may not meet the business needs or compliance requirements of the organization. Custom-defined information types may be configured to mitigate any gaps that default settings do not address. Recommendation and Steps Determine if there is a need for custom DLP Sensitive Information types and add them as needed. Associated Objects
Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
3.3.1 | Ensure SharePoint Online Information Protection policies are set up and used | High | Policies were published on 0 of the 8322 users | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure SharePoint Online Information Protection policies are set up and used Description SharePoint Online Information Protection Policies are not set up and used. The creation of data classification policies is unlikely to have a significant negative impact on an organization. However, maintaining long-term adherence to policies may require ongoing training and compliance efforts across the organization. Therefore, organizations should include training and compliance planning as part of the data classification policy creation process. Recommendation and Steps To set up SharePoint Online Information Protection:
1. Navigate to Microsoft Purview compliance portal https://compliance.microsoft.com.
2. Under Solutions select Information protection.
3. Click on the Label policies tab.
4. Click Create a label to create a label.
5. Select the label and click on Publish label.
6. Fill out the forms to create the policy. Associated Objects
Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
5.1.1.1 | Ensure Security Defaults is disabled on Azure Active Directory | Passed | Security Defaults are disabled. | E3 Level 1 | CIS v4.0 | YES |
X TEST NAME Ensure Security Defaults is disabled on Azure Active Directory Description Security Defaults is disabled in Azure AD. Recommendation and Steps Associated Objects
Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
5.1.2.1 | Ensure Per-user MFA is disabled | High | 100 | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure Per-user MFA is disabled Description Item does not meet all the requirements as per test. Legacy per-user Multi-Factor Authentication (MFA) can be configured to require individual users to provide multiple authentication factors, such as passwords and additional verification codes, to access their accounts. It was introduced in earlier versions of Office 365, prior to the more comprehensive implementation of Conditional Access (CA). Both security defaults and conditional access with security defaults turned off are not compatible with per-user multi-factor authentication (MFA), which can lead to undesirable user authentication states. The CIS Microsoft 365 Benchmark explicitly employs Conditional Access for MFA as an enhancement over security defaults and as a replacement for the outdated per-user MFA. To ensure a consistent authentication state, disable per-user MFA on all accounts. Accounts using per-user MFA will need to be migrated to use CA. Prior to disabling per-user MFA, the organization must be prepared to implement conditional access MFA to avoid security gaps and allow for a smooth transition. This will help ensure relevant accounts are covered by MFA during the change phase from disabling per-user MFA to enabling CA MFA. Section 5.2.2 in this document covers the creation of a CA rule for both administrators and all users in the tenant. Microsoft has detailed documentation on migrating from per-user MFA, including a PowerShell script titled [Convert users from per-user MFA to Conditional Access based MFA](https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted#convert-users-from-per-user-mfa-to-conditional-access-based-mfa). Recommendation and Steps Disable per-user MFA using the UI:
1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
2. Click to expand Identity > Users and select All users.
3. Click on Per-user MFA on the top row.
4. Click the empty box next to Display Name to select all accounts.
5. On the far right under _quick steps_ click Disable. Associated Objects
Affected Objects
|
5.1.2.4 | Ensure Restrict access to the Azure AD administration portal is set to Yes | High | No Policy Found | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure Restrict access to the Azure AD administration portal is set to Yes Description Item does not meet all the requirements as per test. Restrict non-privileged users from signing into the Azure Active Directory portal. Note: This recommendation only affects access to the Azure AD web portal. It does not prevent privileged users from using other methods such as the REST API or PowerShell to obtain information. Those channels are addressed elsewhere in this document. The Azure AD administrative (AAD) portal contains sensitive data and permission settings, which are still enforced based on the user's role. However, an end user may inadvertently change properties or account settings that could result in increased administrative overhead. Additionally, a compromised end user account could be used by a malicious attacker as a means to gather additional information and escalate an attack. Note: Users will still be able to sign into the Azure Active Directory admin center but will be unable to see directory information. Recommendation and Steps Ensure access to the Azure AD portal is restricted:
1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/
2. Click to expand Identity > Users > User settings.
3. Set Restrict access to Microsoft Entra ID administration portal to Yes, then Save. Associated Objects Affected Objects |
5.1.2.6 | Ensure LinkedIn account connections is disabled | High | Enabled | E3 Level 2 | CIS v4.0 | NO |
X TEST NAME Ensure LinkedIn account connections is disabled Description Item does not meet all the requirements as per test. LinkedIn account connections allow users to connect their Microsoft work or school account with LinkedIn. After a user connects their accounts, information and highlights from LinkedIn are available in some Microsoft apps and services. Disabling LinkedIn integration prevents potential phishing attacks and risk scenarios where an external party could accidentally disclose sensitive information. Users will not be able to sync contacts or use LinkedIn integration. Recommendation and Steps To disable LinkedIn account connections:
1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
2. Click to expand Identity > Users and select User settings.
3. Under LinkedIn account connections select No.
4. Click Save. Associated Objects
Affected Objects |
5.1.2.2 | Ensure third party integrated applications are not allowed | Passed | Not Allowed | E3 Level 2 | CIS v4.0 | YES |
X TEST NAME Ensure third party integrated applications are not allowed Description Third party integrated applications are not allowed. Recommendation and Steps Associated Objects
Affected Objects More Information TEST ID
|
5.1.2.3 | Ensure Restrict non-admin users from creating tenants is set to Yes | Passed | Disabled-Ok | E3 Level 1 | CIS v4.0 | YES |
X TEST NAME Ensure Restrict non-admin users from creating tenants is set to Yes Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects Affected Objects |
5.1.2.5 | Ensure the option to remain signed in is hidden | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
X TEST NAME Ensure the option to remain signed in is hidden Description Option to remain signed in is not hidden and needs to be configured. Please see impact. Allowing users to select this option presents risk, especially in the event that the user signs into their account on a publicly accessible computer/web browser. In this case it would be trivial for an unauthorized person to gain access to any associated cloud data from that account. Once this setting is hidden, users will no longer be prompted upon sign-in with the message Stay signed in. This may mean users will be forced to sign in more frequently. Recommendation and Steps The Stay signed in or Keep me signed in option will prompt a user after a successful login; when the user selects this option, a persistent refresh token is created. Typically, this lasts for 90 days and does not prompt for sign-in or Multi-Factor Authentication. Associated Objects Affected Objects |
5.1.2.4 | Ensure access to the Entra admin center is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure access to the Entra admin center is restricted Description Recommendation and Steps To remediate using the UI:
1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/
2. Click to expand Identity > Users > User settings.
3. Set Restrict access to Microsoft Entra admin center to Yes, then Save. Associated Objects Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
5.1.3.1 | Ensure a dynamic group for guest users is created | High | Dynamic Groups for Guest users not found | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure a dynamic group for guest users is created Description Item does not meet all the requirements as per test. A dynamic group is a dynamic configuration of security group membership for Azure Active Directory. Administrators can set rules to populate groups that are created in Azure AD based on user attributes (such as userType, department, or country/region). Members can be automatically added to or removed from a security group based on their attributes. The recommended state is to create a dynamic group that includes guest accounts. Dynamic groups allow for an automated method to assign group membership. Guest user accounts will be automatically added to this group, and through this, existing conditional access rules, access controls and other security measures will ensure that new guest accounts are restricted in the same manner as existing guest accounts. Recommendation and Steps Create a dynamic guest group:
1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
2. Click to expand Identity > Groups and select All groups.
3. Select New group and assign the following values:
- Group type: Security
- Azure AD Roles can be assigned: No
- Membership type: Dynamic User
4. Select Add dynamic query.
5. Above the Rule syntax text box, select Edit.
6. Place the following expression in the box: (user.userType -eq )
7. Select OK and Save
Using PowerShell:
1. Connect to Microsoft Graph using Connect-MgGraph -Scopes
2. In the script below edit DisplayName and MailNickname as needed and run:
$params = @{
    DisplayName = 
    MailNickname = 
    MailEnabled = $false
    SecurityEnabled = $true
    GroupTypes = 
    MembershipRule = (user.userType -eq )
    MembershipRuleProcessingState = 
}
New-MgGroup @params
Associated Objects
Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
5.1.6.3 | Ensure guest user invitations are limited to the Guest Inviter role | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure guest user invitations are limited to the Guest Inviter role Description This introduces an obstacle to collaboration by restricting who can invite guest users to the organization. Designated Guest Inviters must be assigned, and an approval process established and clearly communicated to all users. Recommendation and Steps To remediate using the UI:
1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
2. Click to expand Identity > External Identities and select External collaboration settings.
3. Under Guest invite settings set Guest invite restrictions to Only users assigned to specific admin roles can invite guest users. Associated Objects
Affected Objects
|
Not Available | Ensure the Application Usage report is reviewed and actioned | Medium | 17 | SP v1.0 | NO |
X TEST NAME Ensure the Application Usage report is reviewed and actioned Description Application usage report review is not in place. Auditing Process needs to be created and followed. Recommendation and Steps The Application Usage report includes a usage summary for all Software as a Service (SaaS) applications that are integrated with your directory. Review the list of app registrations on a regular basis to look for risky apps that users have enabled that could cause data spillage or accidental elevation of privilege. Attackers can often get access to data illicitly through third-party SaaS applications. To verify the report is being reviewed at least weekly, confirm that the necessary procedures are in place and being followed. Associated Objects
Affected Objects
|
5.1.5.2 | Ensure user consent to apps accessing company data on their behalf is not allowed | Medium | E3 Level 2 | CIS v4.0 | NO |
X TEST NAME Ensure user consent to apps accessing company data on their behalf is not allowed Description Consent to Apps accessing company data on their behalf is not allowed and is not configured. If user consent is disabled, previous consent grants will still be honored, but all future consent operations must be performed by an administrator. Recommendation and Steps By default, users can consent to applications accessing your organization's data, although only for some permissions. For example, by default a user can consent to allow an app to access their own mailbox or the Teams conversations for a team the user owns, but cannot consent to allow an app unattended access to read and write to all SharePoint sites in your organization. Do not allow users to grant consent to apps accessing company data on their behalf. Attackers commonly use custom applications to trick users into granting them access to company data. Associated Objects
Affected Objects |
5.1.5.3 | Ensure the admin consent workflow is enabled | Passed | Enabled | E3 Level 1 | CIS v4.0 | YES |
X TEST NAME Ensure the admin consent workflow is enabled Description Admin Consent workflow is enabled. Recommendation and Steps Associated Objects
Affected Objects More Information TEST ID
|
5.1.6.2 | Ensure that guest user access is restricted | Passed | Restricted | E3 Level 1 | CIS v4.0 | YES |
X TEST NAME Ensure that guest user access is restricted Description Recommendation and Steps Associated Objects
Affected Objects
|
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
5.1.6.1 | Ensure that collaboration invitations are sent to allowed domains only | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
X TEST NAME Ensure that collaboration invitations are sent to allowed domains only Description Collaboration Invitations are not sent to allowed domains only. This could make collaboration harder if the setting is not quickly updated when a new domain is identified as allowed. Recommendation and Steps Users should be able to send collaboration invitations to allowed domains only. By specifying allowed domains for collaboration, external user companies are explicitly identified. Also, this prevents internal users from inviting unknown external users, such as personal accounts, and giving them access to resources. Associated Objects Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
5.1.8.1 | Ensure that password hash sync is enabled for hybrid deployments | Medium | Password Hash Sync is not enabled. | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure that password hash sync is enabled for hybrid deployments Description Password Hash Sync is not enabled for hybrid deployments. Compliance or regulatory restrictions may exist, depending on the organization's business sector, that preclude hashed versions of passwords from being securely transmitted to cloud data centers. Recommendation and Steps Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity synchronization. Azure AD Connect synchronizes a hash, of the hash, of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance. Applicable only to Hybrid Deployments. Password hash synchronization helps by reducing the number of passwords your users will need to remember. Associated Objects
Affected Objects |
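Added example (not part of this report or the SmartProfiler tool): a Microsoft Graph PowerShell check that first decides whether 5.1.8.1 applies at all (the tenant is hybrid) and then whether password hash sync is actually flowing, rather than only whether the option is switched on. It assumes the Microsoft.Graph module and the Organization.Read.All permission; the 4-hour staleness threshold is an assumption chosen because password hash sync normally runs every two minutes.

```powershell
# Added example, not from the report: check applicability and health of password hash sync.
# Assumes: Microsoft.Graph module installed, Organization.Read.All granted.
Connect-MgGraph -Scopes "Organization.Read.All" -NoWelcome

function Test-PasswordHashSync {
    param([int]$MaxAgeHours = 4)   # assumption: PHS runs every ~2 min, hours of silence is a fault

    $org = Get-MgOrganization -Property @(
        "onPremisesSyncEnabled", "onPremisesLastSyncDateTime", "onPremisesLastPasswordSyncDateTime"
    ) | Select-Object -First 1

    # Cloud-only tenant: the CIS control does not apply, so do not report it as a failure.
    if (-not $org.OnPremisesSyncEnabled) {
        return [pscustomobject]@{ Applicable = $false; Status = "N/A: cloud-only tenant, 5.1.8.1 does not apply" }
    }

    $last = $org.OnPremisesLastPasswordSyncDateTime
    if (-not $last) {
        return [pscustomobject]@{ Applicable = $true; Status = "FAIL: hybrid tenant but no password hash sync has ever completed" }
    }

    # A completed sync that is hours old means the feature is on but broken (agent down, permission lost).
    $age = (Get-Date).ToUniversalTime() - $last.ToUniversalTime()
    [pscustomobject]@{
        Applicable       = $true
        LastPasswordSync = $last
        AgeHours         = [math]::Round($age.TotalHours, 1)
        Status           = if ($age.TotalHours -le $MaxAgeHours) { "PASS" } else { "FAIL: password hash sync is stale" }
    }
}

Test-PasswordHashSync | Format-List
```

OnPremisesLastPasswordSyncDateTime only advances when a password hash batch actually lands, so it distinguishes "enabled in Entra Connect" from "working", which is the difference between the setting and the control's intent.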
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
5.2.2.1 | Ensure multifactor authentication is enabled for all users in administrative roles | High | You have 6 out of 6 users with administrative roles that aren't registered and protected with MFA. | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure multifactor authentication is enabled for all users in administrative roles
Description: Some admin accounts are not MFA enabled. Please review the impact and enable it. Implementation of multifactor authentication for all users in administrative roles will necessitate a change to user routine. All users in administrative roles will be required to enroll in multifactor authentication using phone, SMS, or an authentication application. After enrollment, use of multifactor authentication will be required for future access to the environment.
Recommendation and Steps: Enable multifactor authentication for all users who are members of administrative roles in the Microsoft 365 tenant. Registering a method is not the same as being protected by it: an administrator only counts as protected once a Conditional Access policy (see 5.2.2.4 and 5.2.2.5 below) actually requires MFA for that role at sign-in.
Associated Objects
Affected Objects
|
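Added example (not part of this report or the SmartProfiler tool): the audit behind the "6 out of 6" figure in 5.2.2.1, reproduced with Microsoft Graph PowerShell. The authentication-methods registration report flags every holder of a directory role with isAdmin, so a single filtered call replaces walking each role's membership. It assumes the Microsoft.Graph module and the AuditLog.Read.All and UserAuthenticationMethod.Read.All permissions that the userRegistrationDetails report documents.

```powershell
# Added example, not from the report: which admin-role holders have no MFA method registered.
# Assumes: Microsoft.Graph module, AuditLog.Read.All + UserAuthenticationMethod.Read.All granted.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

function Get-AdminMfaRegistrationGap {
    # isAdmin is set by the report for any user holding a directory role (permanent or active via PIM).
    $admins = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isAdmin eq true" -All)
    $gap    = @($admins | Where-Object { -not $_.IsMfaRegistered })

    [pscustomobject]@{
        AdminCount   = $admins.Count
        Unregistered = $gap.Count
        # isMfaCapable is stricter than isMfaRegistered: it also requires the method to be
        # allowed by the tenant's authentication methods policy, so check both.
        Users        = @($gap | Select-Object UserPrincipalName, IsMfaRegistered, IsMfaCapable,
                             @{ n = "Methods"; e = { $_.MethodsRegistered -join "," } })
    }
}

$result = Get-AdminMfaRegistrationGap
$result.Users | Format-Table -AutoSize
"{0} of {1} admin-role holders have no MFA method registered" -f $result.Unregistered, $result.AdminCount
```

A zero here satisfies the registration half of the control only; enforcement is the Conditional Access policy in 5.2.2.4/5.2.2.5, and a break-glass account that is deliberately excluded from that policy will still show up in this list and should be tracked as a known exception.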
5.2.2.2 | Ensure multifactor authentication is enabled for all users | High | Multifactor Authentication is not enabled for all users | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure multifactor authentication is enabled for all users
Description: Item does not meet all the requirements as per test. Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services. The second factor is most commonly a text message to a registered mobile phone number, where the user types in an authorization code, or a mobile application such as Microsoft Authenticator. Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted, providing additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk. SMS and voice codes satisfy this control but are not phishing-resistant; 5.2.2.5 below covers the stronger methods required for administrators. Implementation of multifactor authentication for all users will necessitate a change to user routine. All users will be required to enroll in multifactor authentication using phone, SMS, or an authentication application. After enrollment, use of multifactor authentication will be required for future authentication to the environment. NOTE: Organizations that have difficulty enforcing MFA globally, due to lack of budget to provide company-owned mobile devices to every user or because they cannot require end users to use personal devices due to regulations, unions, or policy, have another option: FIDO2 security keys may be used as a stand-in for this recommendation. They are more secure, phishing-resistant, and affordable for an organization to issue to every end user.
Recommendation and Steps: To enable multifactor authentication for all users:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Expand Protection > Conditional Access and select Policies.
3. Click New policy.
4. Go to Assignments > Users and groups > Include > select All users (and do not exclude any user).
5. Select Cloud apps or actions > All cloud apps (and don't exclude any apps).
6. Access Controls > Grant > Require multi-factor authentication (and nothing else).
7. Leave all other conditions blank.
8. Make sure the policy is Enabled/On.
9. Create.
Associated Objects
Affected Objects |
5.2.2.3 | Enable Conditional Access policies to block legacy authentication | High | You have 8330 of 8330 users that don't have legacy authentication blocked. | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Enable Conditional Access policies to block legacy authentication Description No Conditional Access policies were found. Enabling this setting will prevent users from connecting with older versions of Office, ActiveSync or using protocols like IMAP, POP or SMTP and may require upgrades to older versions of Office, and use of mobile mail clients that support modern authentication. None None Recommendation and Steps Use Conditional Access to block legacy authentication protocols in Microsoft 365. Legacy authentication protocols do not support multi-factor authentication. These protocols are often used by attackers because of this deficiency. Blocking legacy authentication makes it harder for attackers to gain access. Associated Objects
Affected Objects |
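Added example (not part of this report or the SmartProfiler tool): the two Conditional Access policies from 5.2.2.2 (require MFA for all users) and 5.2.2.3 (block legacy authentication) created through Microsoft Graph PowerShell instead of the portal, both in report-only mode. It assumes the Microsoft.Graph module and the Policy.ReadWrite.ConditionalAccess permission, and $breakGlassGroupId is a placeholder for the object ID of the emergency-access group. The 5.2.2.2 steps above say to exclude no one; the exclusion here follows the break-glass guidance the benchmark gives in 5.2.2.5 and 5.2.2.9, and can be removed to follow 5.2.2.2 literally.

```powershell
# Added example, not from the report: create the 5.2.2.2 and 5.2.2.3 policies in report-only mode.
# Assumes: Microsoft.Graph module, Policy.ReadWrite.ConditionalAccess (+ Policy.Read.All) granted.
# $breakGlassGroupId is a placeholder, not a value from the assessed tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All" -NoWelcome
$breakGlassGroupId = "<object-id-of-break-glass-group>"

function New-ReportOnlyCaPolicy {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][hashtable]$Conditions,
        [Parameter(Mandatory)][hashtable]$GrantControls
    )
    # Start every policy in report-only; flip to "enabled" only after reviewing the
    # "Report-only" results in the sign-in logs for a few days.
    $body = @{
        displayName   = $DisplayName
        state         = "enabledForReportingButNotEnforced"
        conditions    = $Conditions
        grantControls = $GrantControls
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 5.2.2.2: all users, all cloud apps, grant = Require multi-factor authentication and nothing else.
$mfaAll = New-ReportOnlyCaPolicy -DisplayName "CIS 5.2.2.2 - Require MFA for all users" `
    -Conditions @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
    } `
    -GrantControls @{ operator = "OR"; builtInControls = @("mfa") }

# 5.2.2.3: same scope, but only sign-ins from the two legacy client types are matched, and blocked.
# exchangeActiveSync and other (IMAP/POP/SMTP AUTH, older Office) cannot satisfy an MFA prompt.
$blockLegacy = New-ReportOnlyCaPolicy -DisplayName "CIS 5.2.2.3 - Block legacy authentication" `
    -Conditions @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    } `
    -GrantControls @{ operator = "OR"; builtInControls = @("block") }

$mfaAll, $blockLegacy | Select-Object DisplayName, State, Id
```

Before enforcing the second policy, filter the sign-in logs on Client app = "Other clients" and "Exchange ActiveSync" to see which service accounts, printers and mail clients still use legacy protocols; the report's "8330 of 8330 users" figure says no policy exists, not that nothing would break.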
5.2.2.4 | Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users | High | Not Configured | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
Description: Item does not meet all the requirements as per test. In complex deployments, organizations might have a need to restrict authentication sessions. Conditional Access policies allow for the targeting of specific user accounts. Some scenarios might include: resource access from an unmanaged or shared device; access to sensitive information from an external network; high-privileged users; business-critical applications. Ensure Sign-in frequency does not exceed 4 hours for E3 tenants, or 24 hours for E5 tenants using Privileged Identity Management. Ensure Persistent browser session is set to Never persistent. NOTE: This CA policy can be added to the previous CA policy in this benchmark. Forcing a time-out for MFA ensures that sessions are not kept alive for an indefinite period of time; making browser sessions non-persistent helps prevent drive-by attacks in web browsers and stops session cookies being written to disk, so a stolen cookie has a short useful life. Users with administrative roles will be prompted at the frequency set for MFA.
Recommendation and Steps: To configure Sign-in frequency and browser session persistence for administrative users:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com/.
2. Expand Protection > Conditional Access and select Policies.
3. Click New policy.
4. Click Users and groups.
5. Under Include select Select users and groups, then select Directory roles.
6. At a minimum, select the roles in the list below.
7. Go to Cloud apps or actions > Cloud apps > Include > select All cloud apps (and don't exclude any apps).
8. Under Access controls > Grant select Grant access and check Require multi-factor authentication (and nothing else).
9. Under Session select Sign-in frequency and set it to at most 4 hours for E3 tenants. E5 tenants with PIM can be set to a maximum value of 24 hours.
10. Check Persistent browser session and select Never persistent in the drop-down menu.
11. For Enable policy select On and click Save.
At minimum these directory roles should be included for MFA: Application administrator; Authentication administrator; Billing administrator; Cloud application administrator; Conditional Access administrator; Exchange administrator; Global administrator; Global reader; Helpdesk administrator; Password administrator; Privileged authentication administrator; Privileged role administrator; Security administrator; SharePoint administrator; User administrator.
Associated Objects
Affected Objects
|
5.2.2.5 | Ensure Phishing-resistant MFA strength is required for Administrators | High | Phishing-resistant MFA policy is not configured for administrators | E3 Level 2 | CIS v4.0 | NO |
X TEST NAME Ensure Phishing-resistant MFA strength is required for Administrators
Description: Item does not meet all the requirements as per test. Authentication strength is a Conditional Access control that allows administrators to specify which combination of authentication methods can be used to access a resource. For example, they can make only phishing-resistant authentication methods available to access a sensitive resource, while allowing less secure multifactor authentication (MFA) combinations, such as password + SMS, for a non-sensitive resource. Microsoft has 3 built-in authentication strengths: MFA strength, Passwordless MFA strength, and Phishing-resistant MFA strength. Ensure administrator roles are covered by a CA policy with Phishing-resistant MFA strength. Administrators can then enroll using one of 3 methods: FIDO2 security key; Windows Hello for Business; certificate-based authentication (multi-factor). NOTE: Additional steps to configure methods such as FIDO2 keys are not covered here but can be found in the related Microsoft articles in the references section. The Conditional Access policy only ensures that 1 of the 3 methods is used. WARNING: Administrators should be pre-registered for a strong authentication mechanism before this Conditional Access policy is enforced. Additionally, as stated elsewhere in the CIS Benchmark, a break-glass administrator account should be excluded from this policy to ensure unfettered access in the case of an emergency. Sophisticated attacks targeting MFA are more prevalent as its use becomes more widespread. These 3 methods are considered phishing-resistant because they remove passwords from the login workflow and bind the credential to the origin: the public/private key exchange can only complete between the device and the registered provider, which prevents login to fake or phishing websites. If administrators are not pre-registered for a strong authentication method before the Conditional Access policy is created, a condition can occur where a user cannot register for strong authentication because they do not meet the Conditional Access policy requirements, and is therefore prevented from signing in.
Recommendation and Steps: To create a phishing-resistant MFA CA policy for users in administrative roles:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Expand Protection > Conditional Access and select Policies.
3. Click New policy.
4. Go to Users > Users and groups > Include > Select users and groups > Directory roles.
5. Add at least the directory roles listed after these steps.
6. Select Cloud apps or actions > All cloud apps (and don't exclude any apps).
7. Grant > Grant access with Require authentication strength: Phishing-resistant MFA.
8. Click Select.
9. Set Enable policy to Report-only and click Create.
At minimum these directory roles should be included for the policy: Application administrator; Authentication administrator; Billing administrator; Cloud application administrator; Conditional Access administrator; Exchange administrator; Global administrator; Global reader; Helpdesk administrator; Password administrator; Privileged authentication administrator; Privileged role administrator; Security administrator; SharePoint administrator; User administrator.
WARNING: Ensure administrators are pre-registered with strong authentication before enforcing the policy, after which the policy must be set to On.
Associated Objects
Affected Objects |
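Added example (not part of this report or the SmartProfiler tool): a re-check of the two "Not Configured" admin-role findings, 5.2.2.4 (sign-in frequency of at most 4 hours and never-persistent browser sessions) and 5.2.2.5 (phishing-resistant authentication strength), evaluated over every Conditional Access policy with Microsoft Graph PowerShell. It assumes the Microsoft.Graph module and the Policy.Read.All permission; the authentication strength ID ending in 0004 is Microsoft's built-in "Phishing-resistant MFA" strength. It does not verify that all fifteen listed roles are included, only that a role-targeted policy with the right controls exists and is enabled.

```powershell
# Added example, not from the report: audit CA policies for the 5.2.2.4 / 5.2.2.5 admin controls.
# Assumes: Microsoft.Graph module, Policy.Read.All granted.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# Built-in authentication strength: ...0002 = MFA, ...0003 = Passwordless MFA, ...0004 = Phishing-resistant MFA.
$PhishingResistantId = "00000000-0000-0000-0000-000000000004"

function Test-AdminCaPolicy {
    param([Parameter(Mandatory)]$Policy, [int]$MaxSignInFrequencyHours = 4)   # 24 for E5 tenants with PIM

    $roles   = @($Policy.Conditions.Users.IncludeRoles)
    $allApps = "All" -in @($Policy.Conditions.Applications.IncludeApplications)

    # Normalise sign-in frequency to hours; "everyTime" is stricter than any time-based value.
    $sif = $Policy.SessionControls.SignInFrequency
    $sifHours = $null
    if ($sif -and $sif.IsEnabled) {
        if     ($sif.FrequencyInterval -eq "everyTime") { $sifHours = 0 }
        elseif ($sif.Type -eq "days")                   { $sifHours = $sif.Value * 24 }
        else                                            { $sifHours = $sif.Value }
    }
    $pb = $Policy.SessionControls.PersistentBrowser

    [pscustomobject]@{
        DisplayName       = $Policy.DisplayName
        State             = $Policy.State                      # enabled / disabled / enabledForReportingButNotEnforced
        TargetsRoles      = $roles.Count -gt 0
        RoleCount         = $roles.Count
        AllCloudApps      = $allApps
        SignInFreqOk      = ($null -ne $sifHours) -and ($sifHours -le $MaxSignInFrequencyHours)      # 5.2.2.4
        NeverPersistOk    = [bool]($pb -and $pb.IsEnabled -and $pb.Mode -eq "never")                 # 5.2.2.4
        PhishingResistant = ($Policy.GrantControls.AuthenticationStrength.Id -eq $PhishingResistantId) # 5.2.2.5
    }
}

$report = @(Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object { Test-AdminCaPolicy -Policy $_ })
$report | Format-Table -AutoSize

# Only enabled, role-targeted, all-apps policies count; report-only ones do not protect anyone yet.
$candidates = @($report | Where-Object { $_.State -eq "enabled" -and $_.TargetsRoles -and $_.AllCloudApps })
"5.2.2.4: " + $(if ($candidates | Where-Object { $_.SignInFreqOk -and $_.NeverPersistOk }) { "PASS" } else { "FAIL" })
"5.2.2.5: " + $(if ($candidates | Where-Object { $_.PhishingResistant }) { "PASS" } else { "FAIL" })
```

The same loop is the natural place to list which policies still sit in report-only mode, since every remediation step above starts a policy there and the tenant does not become compliant until someone flips it to On.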
5.2.2.8 | Ensure Microsoft Azure Management is limited to administrative roles | High | No Policy Found | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure Microsoft Azure Management is limited to administrative roles
Description: Item does not meet all the requirements as per test. The Microsoft Azure Management application governs various Azure services and can be secured through the implementation of a Conditional Access policy. This policy can restrict specific user accounts from accessing the related portals and applications. When a Conditional Access policy is targeted to the Microsoft Azure Management application in the policy's app picker, it is enforced for tokens issued to the application IDs of a set of services closely bound to the portal: Azure Resource Manager; Azure portal, which also covers the Microsoft Entra admin center; Azure Data Lake; Application Insights API; Log Analytics API. Microsoft Azure Management should be restricted to specific pre-determined administrative roles. NOTE: Blocking Microsoft Azure Management will prevent non-privileged users from signing into most portals other than Microsoft 365 Defender and Microsoft Purview. Blocking sign-in to Azure Management applications and portals enhances the security of sensitive data by restricting access to privileged users. This mitigates potential exposure due to administrative errors or software vulnerabilities, and acts as a defense-in-depth measure against security breaches. PIM functionality will be impacted unless non-privileged users are first assigned to a permanent group or role that is excluded from this policy. When attempting to check out a role in the Entra ID PIM area they will receive the message "You don't have access to this. Your sign-in was successful but you don't have permission to access this resource." Because the policy is applied to the Azure management portal and API, services or clients with an Azure API service dependency can be indirectly impacted: Classic deployment model APIs; Azure PowerShell; Azure CLI; Azure DevOps; Azure Data Factory portal; Azure Event Hubs; Azure Service Bus; Azure SQL Database; SQL Managed Instance; Azure Synapse; Visual Studio subscriptions administrator portal; Microsoft IoT Central.
Recommendation and Steps: To enable Microsoft Azure Management restrictions:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Expand Protection > Conditional Access and select Policies.
3. Click New Policy and then name the policy.
4. Select Users > Include > All Users.
5. Select Users > Exclude > Directory roles and select only administrative roles. See the audit section for more information.
6. Select Cloud apps or actions > Select apps > Select, then tick the box next to Microsoft Azure Management.
7. Click Select.
8. Select Grant > Block access and click Select.
9. Ensure Enable Policy is On, then click Create.
WARNING: Exclude Global Administrator at a minimum to avoid being locked out. Report-only is a good option to use when testing any Conditional Access policy for the first time.
Associated Objects
Affected Objects
|
5.2.2.6 | Enable Azure AD Identity Protection user risk policies | Passed | E5 Level 2 | CIS v4.0 | YES |
X TEST NAME Enable Azure AD Identity Protection user risk policies Description Azure AD User Risk Policies are enabled. Recommendation and Steps Associated Objects
Affected Objects |
5.2.2.7 | Enable Azure AD Identity Protection sign-in risk policies | Passed | E5 Level 2 | CIS v4.0 | YES |
X TEST NAME Enable Azure AD Identity Protection sign-in risk policies Description Azure AD Identity Protection Sign-In Risk Policies are configured. Recommendation and Steps Associated Objects
Affected Objects |
5.2.2.6 | Enable Identity Protection user risk policies | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Enable Identity Protection user risk policies
Description: Upon policy activation, account access will be either blocked or the user will be required to use multi-factor authentication (MFA) and change their password. Users without registered MFA will be denied access, necessitating an admin to recover the account. To avoid inconvenience, it is advised to configure the MFA registration policy for all users covered by the User risk policy. Additionally, users identified in the Risky users section will be affected by this policy. To gain a better understanding of the impact on the organization's environment, the list of Risky users should be reviewed before enforcing the policy.
Recommendation and Steps: To remediate using the UI:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Expand Protection > Conditional Access and select Policies.
3. Create a new policy by selecting New policy.
4. Set the following conditions within the policy: under Users or workload identities choose All users; under Cloud apps or actions choose All cloud apps; under Conditions choose User risk, then Yes, and select the user risk level High; under Access controls select Grant, then in the right pane click Grant access and select Require multifactor authentication and Require password change; under Session ensure Sign-in frequency is set to Every time. Click Select.
5. Under Enable policy set it to Report-only until the organization is ready to enable it.
6. Click Create.
Note: for more information regarding risk levels refer to Microsoft's Identity Protection & Risk documentation.
Associated Objects Affected Objects |
5.2.2.7 | Enable Identity Protection sign-in risk policies | Manual Check | NONE | E5 Level 1 | CIS v4.0 | NO |
X TEST NAME Enable Identity Protection sign-in risk policies
Description: When the policy triggers, the user will need MFA to access the account. A user who hasn't registered MFA on their account would be blocked from accessing it. It is therefore recommended that the MFA registration policy be configured for all users who are covered by the Sign-in risk policy.
Recommendation and Steps: To configure a Sign-in risk policy, use the following steps:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Expand Protection > Conditional Access and select Policies.
3. Create a new policy by selecting New policy.
4. Set the following conditions within the policy: under Users or workload identities choose All users; under Cloud apps or actions choose All cloud apps; under Conditions choose Sign-in risk, then Yes, and check the risk level boxes High and Medium; under Access controls select Grant, then in the right pane click Grant access and select Require multifactor authentication; under Session select Sign-in frequency and set it to Every time. Click Select.
5. Under Enable policy set it to Report-only until the organization is ready to enable it.
6. Click Create.
Note: For more information regarding risk levels refer to Microsoft's Identity Protection & Risk documentation.
Associated Objects Affected Objects |
5.2.2.8 | Ensure admin center access is limited to administrative roles | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
X TEST NAME Ensure admin center access is limited to administrative roles
Description: PIM functionality will be impacted unless non-privileged users are first assigned to a permanent group or role that is excluded from this policy. When attempting to check out a role in the Entra ID PIM area they will receive the message "You don't have access to this. Your sign-in was successful but you don't have permission to access this resource." Users included in the policy will be unable to manually install applications when clicking Install Microsoft 365 apps. Users included in the policy will be unable to access the Quarantine in the Defender admin center at https://security.microsoft.com/quarantine.
Recommendation and Steps: To remediate using the UI:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Expand Protection > Conditional Access and select Policies.
3. Click New Policy. Under Users include All Users. Under Users select Exclude, check Directory roles, and select only administrative roles and a group of PIM-eligible users. Under Target resources select Cloud apps and Select apps, then select the Microsoft Admin Portals app. Confirm by clicking Select. Under Grant select Block access and click Select.
4. Under Enable policy set it to Report-only until the organization is ready to enable it.
5. Click Create.
Warning: Exclude Global Administrator at a minimum to avoid being locked out. Report-only is a good option to use when testing any Conditional Access policy for the first time.
Note: In order for PIM to function, a group of users eligible for PIM roles must be excluded from the policy.
Associated Objects Affected Objects |
5.2.2.9 | Ensure sign-in risk is blocked for medium and high risk | Manual Check | NONE | E5 Level 2 | CIS v4.0 | NO |
X TEST NAME Ensure sign-in risk is blocked for medium and high risk
Description: Sign-in risk depends heavily on detecting atypical behaviors. Because of this it is important to run this policy in report-only mode first, to understand how the organization's environment and user activity influence sign-in risk before turning the policy on. Once it is understood which actions trigger a medium or high sign-in risk event, I.T. can work to create an environment that reduces false positives. For example, employees might be required to notify security personnel when they intend to travel with the intent of accessing work resources. Note: Break-glass accounts should always be excluded from risk detection.
Recommendation and Steps: To remediate using the UI:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Expand Protection > Conditional Access and select Policies.
3. Create a new policy by selecting New policy.
4. Set the following conditions within the policy: under Users include All users and exclude only valid users; under Target resources include All cloud apps and do not set any exclusions; under Conditions choose Sign-in risk values of High and Medium and click Done; under Grant choose Block access and click Select.
5. Under Enable policy set it to Report-only until the organization is ready to enable it.
6. Click Create.
Note: Break-glass accounts should be excluded from sign-in risk policies.
Associated Objects Affected Objects |
5.2.2.10 | Ensure a managed device is required for authentication | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure a managed device is required for authentication
Description: Unmanaged devices will not be permitted as a valid authenticator. As a result this may require the organization to mature its device enrollment and management. The following devices can be considered managed: Entra hybrid joined from Active Directory; Entra joined and enrolled in Intune, with compliance policies; Entra registered and enrolled in Intune, with compliance policies.
Recommendation and Steps: To remediate using the UI:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Expand Protection > Conditional Access and select Policies.
3. Create a new policy by selecting New policy. Under Users include All users. Under Target resources include All cloud apps. Under Grant select Grant access. Check Require device to be marked as compliant and Require Microsoft Entra hybrid joined device (these two controls match the managed-device definitions above; an MFA control here would let an unmanaged device through). Choose Require one of the selected controls and click Select at the bottom. Under Enable policy set it to Report-only until the organization is ready to enable it. Click Create.
Associated Objects Affected Objects |
5.2.2.11 | Ensure a managed device is required for MFA registration | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure a managed device is required for MFA registration
Description: The organization will be required to have a mature device management process. New devices provided to users will need to be pre-enrolled in Intune, auto-enrolled, or Entra hybrid joined. Otherwise, the user will be unable to complete registration, requiring additional resources from I.T. This could be more disruptive in remote-worker environments where MDM maturity is low. In cases where the person enrolling in MFA (the enrollee) doesn't have physical access to a managed device, a help desk process can be created using a Teams meeting to complete enrollment, consisting of: 1) a durable process to verify the enrollee's identity, including government identification with a photograph held up to the camera, information only the enrollee should know, and verification by the enrollee's direct manager in the same meeting; 2) completing enrollment in the same Teams meeting, with the enrollee being granted screen and keyboard access to the help desk person's InPrivate Edge browser session.
Recommendation and Steps: To remediate using the UI:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Expand Protection > Conditional Access and select Policies.
3. Create a new policy by selecting New policy. Under Users include All users. Under Target resources select User actions and check Register security information. Under Grant select Grant access. Check Require device to be marked as compliant and Require Microsoft Entra hybrid joined device (the same managed-device controls as 5.2.2.10). Choose Require one of the selected controls and click Select at the bottom. Under Enable policy set it to Report-only until the organization is ready to enable it. Click Create.
Associated Objects Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
5.2.3.1 | Ensure Microsoft Authenticator is configured to protect against MFA fatigue | High | Microsoft Authenticator is disabled. | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure Microsoft Authenticator is configured to protect against MFA fatigue
Description: Item does not meet all the requirements as per test. Microsoft has released additional settings to enhance the configuration of the Microsoft Authenticator application. These settings provide additional information and context to users who receive MFA passwordless and push requests, such as the geographic location the request came from and the requesting application, and require a number match. Ensure the following are Enabled: Require number matching for push notifications; Show application name in push and passwordless notifications; Show geographic location in push and passwordless notifications. NOTE: Since May 2023 Microsoft enforces number matching tenant-wide for all Microsoft Authenticator push notifications, so that setting can no longer be switched off; the two context settings still have to be enabled explicitly. As the use of strong authentication has become more widespread, attackers have started to exploit the tendency of users to experience MFA fatigue. This occurs when users are repeatedly asked to approve additional authentication prompts, leading them to eventually approve requests without fully verifying the source. To counteract this, number matching is employed to secure the authentication process: the user must enter, in the Authenticator app, the number displayed on the sign-in screen, so a prompt the user did not initiate cannot be approved by a reflexive tap. Additionally, other information such as geolocation and application details is displayed to enhance the end user's awareness. Among these 3 options, number matching provides the strongest net security gain. Additional interaction will be required by end users using number matching as opposed to simply pressing Approve on login attempts.
Recommendation and Steps: To configure Microsoft Authenticator to protect against MFA fatigue:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
2. Expand Protection > Authentication methods and select Policies.
3. Select Microsoft Authenticator.
4. Under Enable and Target ensure the setting is set to Enable.
5. Select Configure.
6. Set the following Microsoft Authenticator settings: Require number matching for push notifications: Status Enabled, Target All users; Show application name in push and passwordless notifications: Enabled, Target All users; Show geographic location in push and passwordless notifications: Enabled, Target All users.
Associated Objects
Affected Objects |
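Added example (not part of this report or the SmartProfiler tool): reading and then setting the three 5.2.3.1 Authenticator settings through the authentication methods policy in Microsoft Graph PowerShell, which also fixes the "Microsoft Authenticator is disabled" state the report found. It assumes the Microsoft.Graph module and the Policy.ReadWrite.AuthenticationMethod permission, and that the SDK surfaces the Authenticator-specific featureSettings as nested dictionaries in AdditionalProperties (the property names are those of the microsoftAuthenticatorAuthenticationMethodConfiguration resource).

```powershell
# Added example, not from the report: audit and remediate the Authenticator MFA-fatigue settings.
# Assumes: Microsoft.Graph module, Policy.ReadWrite.AuthenticationMethod granted.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod" -NoWelcome

function Get-AuthenticatorFatigueSettings {
    $cfg = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId "MicrosoftAuthenticator"
    # The base cmdlet returns the generic type; Authenticator-only fields arrive in AdditionalProperties
    # (assumption: nested values are dictionaries keyed by the Graph property names).
    $fs = $cfg.AdditionalProperties["featureSettings"]
    [pscustomobject]@{
        MethodState    = $cfg.State                                              # must be "enabled"
        NumberMatching = $fs["numberMatchingRequiredState"]["state"]             # enforced by Microsoft since May 2023
        AppName        = $fs["displayAppInformationRequiredState"]["state"]      # must be "enabled"
        GeoLocation    = $fs["displayLocationInformationRequiredState"]["state"] # must be "enabled"
    }
}

function Set-AuthenticatorFatigueSettings {
    # targetType "group" with id "all_users" is the built-in target meaning every user in the tenant.
    $all = @{ targetType = "group"; id = "all_users" }
    $body = @{
        "@odata.type"   = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
        state           = "enabled"
        featureSettings = @{
            numberMatchingRequiredState             = @{ state = "enabled"; includeTarget = $all }
            displayAppInformationRequiredState      = @{ state = "enabled"; includeTarget = $all }
            displayLocationInformationRequiredState = @{ state = "enabled"; includeTarget = $all }
        }
    }
    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId "MicrosoftAuthenticator" -BodyParameter $body
}

"Before:"; Get-AuthenticatorFatigueSettings
Set-AuthenticatorFatigueSettings
"After:";  Get-AuthenticatorFatigueSettings
```

A "default" state for the two context settings means they are off, so the audit should treat anything other than "enabled" as a finding; the method state must also be "enabled" or none of the feature settings take effect.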
5.2.3.2 | Ensure custom banned passwords lists are used | High | Custom banned passwords setting is disabled. | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure custom banned passwords lists are used
Description: Item does not meet all the requirements as per test. With Microsoft Entra Password Protection, the default global banned password list is automatically applied to all users in the tenant. To support business and security needs, a custom banned password list can be defined. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords. A custom banned password list should include some of the following: brand names; product names; locations, such as company headquarters; company-specific internal terms; abbreviations that have specific company meaning. Creating a new password can be difficult regardless of one's technical background. It is common to look around one's environment for suggestions when building a password, and this may mean picking words specific to the organization as inspiration. An adversary may employ a mangling rule set to create permutations of these specific words in an attempt to crack passwords or hashes, making it easier to reach their goal. If a custom banned password list includes too many common dictionary words, or short words that are part of compound words, then perfectly secure passwords may be blocked. The organization should consider the balance between security and usability when creating the list.
Recommendation and Steps: Create a custom banned password list:
1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com/.
2. Expand Protection > Authentication methods.
3. Select Password protection.
4. Set Enforce custom list to Yes.
5. In Custom banned password list create a list using the suggestions outlined above (brand names, product names, locations, company-specific terms and abbreviations). The references section contains more suggestions.
6. Click Save.
Associated Objects
Affected Objects |
5.2.3.3 | Ensure that password protection is enabled for Active Directory | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure that password protection is enabled for Active Directory
Description: Password Protection is not enabled. The potential impact associated with implementation of this setting depends on the existing password policies in the environment. For environments that have strong password policies in place, the impact will be minimal. For organizations that do not have strong password policies in place, implementation of Microsoft Entra Password Protection may require users to change passwords and adhere to more stringent requirements than they have been accustomed to.
Recommendation and Steps: Enable Microsoft Entra Password Protection for on-premises Active Directory to protect against the use of common passwords. Note: This recommendation applies to Hybrid deployments only, and will have no
Associated Objects
Affected Objects
|
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
5.2.4.1 | Ensure Self service password reset enabled is set to All | Passed | You have 8 of 8330 users who don't have self-service password reset enabled. | E3 Level 1 | CIS v4.0 | YES |
X TEST NAME Ensure Self service password reset enabled is set to All Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects
Affected Objects |
Not Available | Ensure the self-service password reset activity report is reviewed and actioned | Passed | Changed Password Found via SSPR | SP v1.0 | YES |
X TEST NAME Ensure the self-service password reset activity report is reviewed and actioned Description Auditing is in place and report is being reviewed. Recommendation and Steps Associated Objects
Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
5.2.6.1 | Ensure the Azure AD Risky sign-ins report is reviewed at least weekly | High | Risky users found | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure the Azure AD Risky sign-ins report is reviewed at least weekly
Description: Auditing is not in place and the report is not being reviewed. An auditing process needs to be created and followed.
Recommendation and Steps: Reviewing this report on a regular basis allows for identification and remediation of compromised accounts. The review should end with each flagged user either remediated (password reset, sessions revoked, account confirmed compromised) or dismissed with a documented reason, so the same users do not reappear unactioned the following week.
Associated Objects
Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
5.3.1 | Ensure Privileged Identity Management is used to manage roles | Medium | No permanent active role assignments found. | E5 Level 2 | CIS v4.0 | NO |
TEST NAME Ensure Privileged Identity Management is used to manage roles Description Item does not meet all the requirements as per test. Access reviews enable administrators to establish an efficient automated process for reviewing group memberships, access to enterprise applications, and role assignments. These reviews can be scheduled to recur regularly, with flexible options for delegating the task of reviewing membership to different members of the organization. Ensure Access reviews for Guest Users are configured to be performed no less frequently than monthly. Access to groups and applications for guests can change over time. If a guest user's access to a particular folder goes unnoticed, they may unintentionally gain access to sensitive data if a member adds new files or data to the folder or application. Access reviews can help reduce the risks associated with outdated assignments by requiring a member of the organization to conduct the reviews. Furthermore, these reviews can enable a fail-closed mechanism to remove access to the subject if the reviewer does not respond to the review. Access reviews that are ignored may cause guest users to lose access to resources temporarily. None None Recommendation and Steps Create an access review for Guest Users: 1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/ 2. Click to expand Identity Governance and select Access reviews. 3. Click New access review. 4. Select what to review: choose Teams + Groups. 5. Review Scope set to All Microsoft 365 groups with guest users, do not exclude groups. 6. Scope set to Guest users only, then click Next: Reviews. 7. Select reviewer as an appropriate user that is NOT the guest user themselves. 8. Duration (in days) at most 3. 9. Review recurrence is Monthly or more frequent. 10. End is set to Never, then click Next: Settings. 11. Check Auto apply results to resource. 12. Set If reviewers don't respond to Remove access. 13. Check the following: Justification required, E-mail notifications, Reminders. 14. Click Next: Review + Create and finally click Create. Associated Objects
Affected Objects |
5.3.2 | Ensure Access reviews for Guest Users are configured | Passed | Access Reviews were found | E5 Level 2 | CIS v4.0 | YES |
TEST NAME Ensure Access reviews for Guest Users are configured Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects Affected Objects |
5.3.3 | Ensure Access reviews for high privileged Azure AD roles are configured | Passed | Access Reviews were found | E5 Level 1 | CIS v4.0 | YES |
TEST NAME Ensure Access reviews for high privileged Azure AD roles are configured Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects Affected Objects |
Not Available | Use Just In Time privileged access to Microsoft 365 roles | Manual Check | NONE | SP v1.0 | NO |
TEST NAME Use Just In Time privileged access to Microsoft 365 roles Description Just In Time Access is not enabled for Microsoft 365 Roles. Implementation of Just in Time privileged access is likely to necessitate changes to administrator routine. Administrators will only be granted access to administrative roles when required. When administrators request role activation, they will need to document the reason for requiring role access, anticipated time required to have the access, and to reauthenticate to enable role access. None None Recommendation and Steps Azure Active Directory Privileged Identity Management can be used to audit roles, allow just in time activation of roles and allow for periodic role attestation. Organizations should remove permanent members from privileged Microsoft 365 roles and instead make them eligible, through a JIT activation workflow. Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious actor getting that access, or an authorized user inadvertently impacting a sensitive resource. However, users still need to carry out privileged operations in Azure AD and Microsoft 365. Organizations can give users just-in-time (JIT) privileged access to roles. Associated Objects Affected Objects More Information TEST ID |
5.3.4 | Ensure approval is required for Global Administrator role activation | Manual Check | NONE | E5 Level 1 | CIS v4.0 | NO |
TEST NAME Ensure approval is required for Global Administrator role activation Description Approvers do not need to be assigned the same role or be members of the same group. It's important to have at least two approvers and an emergency access (break-glass) account to prevent a scenario where no Global Administrators are available. For example, if the last active Global Administrator leaves the organization, and only eligible but inactive Global Administrators remain, a trusted approver without the Global Administrator role or an emergency access account would be essential to avoid delays in critical administrative tasks. Recommendation and Steps To remediate using the UI: 1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/. 2. Click to expand Identity Governance and select Privileged Identity Management. 3. Under Manage select Microsoft Entra Roles. 4. Under Manage select Roles. 5. Select Global Administrator in the list. 6. Select Role settings and click Edit. 7. Check the Require approval to activate box. 8. Add at least two approvers. 9. Click Update. Associated Objects Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
6.1.4 | Ensure AuditBypassEnabled is not enabled on mailboxes | High | AuditBypass is enabled on some mailboxes | E3 Level 1 | CIS v4.0 | NO |
TEST NAME Ensure AuditBypassEnabled is not enabled on mailboxes Description Item does not meet all the requirements as per test. When configuring a user or computer account to bypass mailbox audit logging, the system will not record any access or actions performed by the said user or computer account on any mailbox. Administratively this was introduced to reduce the volume of entries in the mailbox audit logs on trusted user or computer accounts. Ensure AuditBypassEnabled is not enabled on accounts without a written exception. If a mailbox audit bypass association is added for an account, the account can access any mailbox in the organization to which it has been assigned access permissions, without generating any mailbox audit logging entries for such access or recording any actions taken, such as message deletions. Enabling this parameter, whether intentionally or unintentionally, could allow insiders or malicious actors to conceal their activity on specific mailboxes. Ensuring proper logging of user actions and mailbox operations in the audit log will enable comprehensive incident response and forensics. None - this is the default behavior. None None Recommendation and Steps Disable Audit Bypass on all mailboxes using PowerShell: 1. Connect to Exchange Online using Connect-ExchangeOnline. 2. The following example PowerShell script will disable AuditBypass for all mailboxes which currently have it enabled:
# Get mailboxes with AuditBypassEnabled set to $true
$MBXAudit = Get-MailboxAuditBypassAssociation -ResultSize unlimited | Where-Object { $_.AuditBypassEnabled -eq $true }
foreach ($mailbox in $MBXAudit) {
    $mailboxName = $mailbox.Name
    # Turn the bypass off so that actions on this mailbox are audited again
    Set-MailboxAuditBypassAssociation -Identity $mailboxName -AuditBypassEnabled $false
    Write-Host -ForegroundColor Green "Disabled AuditBypass for $mailboxName"
}
Associated Objects
Affected Objects More Information TEST ID |
Not Available | Ensure Microsoft 365 Exchange Online Unified Auditing Is Enabled | High | Disabled | SP v1.0 | NO |
TEST NAME Ensure Microsoft 365 Exchange Online Unified Auditing Is Enabled Description Microsoft 365 Unified Auditing is disabled. It is a security risk and not a compliance issue. None None Recommendation and Steps It is recommended to enable Unified Auditing so data can be audited, such as when someone changes the permissions on a mailbox. Associated Objects
Affected Objects |
6.1.1 | Ensure AuditDisabled organizationally is set to False | Passed | Enabled | E3 Level 1 | CIS v4.0 | YES |
TEST NAME Ensure AuditDisabled organizationally is set to False Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects
Affected Objects |
6.1.2 | Ensure mailbox auditing for E3 users is Enabled | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
TEST NAME Ensure mailbox auditing for E3 users is Enabled Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects
Affected Objects More Information TEST ID |
6.1.3 | Ensure mailbox auditing for E5 users is Enabled | Passed | 0 | E5 Level 1 | CIS v4.0 | YES |
TEST NAME Ensure mailbox auditing for E5 users is Enabled Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects
Affected Objects More Information TEST ID |
Not Available | Ensure Microsoft 365 Exchange Online Admin Auditing Is Enabled | Passed | Enabled | SP v1.0 | YES |
TEST NAME Ensure Microsoft 365 Exchange Online Admin Auditing Is Enabled Description Microsoft 365 Admin Auditing is enabled. Recommendation and Steps Associated Objects
Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
6.2.3 | Ensure Tagging is enabled for External Emails | High | Disabled | E3 Level 1 | CIS v4.0 | NO |
TEST NAME Ensure Tagging is enabled for External Emails Description Tagging is not enabled for external emails. Since most scam emails originate from external sources, it's better to create awareness among users before they open external emails. With the External email tagging feature, an External tag can be added to external emails. It helps Outlook users handle those emails with extra attention. None None Recommendation and Steps It is recommended to enable tagging for all external emails. Please use Set-ExternalInOutlook -Enabled $true to enable tagging. Associated Objects
Affected Objects |
Not Available | Ensure Safe Attachments is Enabled | High | Not Configured - No ATP License | SP v1.0 | NO |
TEST NAME Ensure Safe Attachments is Enabled Description Item does not meet all the requirements as per test. The Microsoft Office 365 Safe Attachments feature is not enabled. Safe Attachments is a Microsoft feature that uses behavioral analysis and detonation in a virtual environment to add another layer of defense against malware on top of existing Exchange Online anti-malware policies. It is recommended to enable this feature. This finding may also indicate that the O365 license tier does not enable ATP features. None None Recommendation and Steps Safe Attachments can be configured by navigating to the Threat Management portal in the Office 365 Security and Compliance center. The first reference below is a detailed guide to configuring ATP Safe Attachments. Associated Objects
Affected Objects |
Not Available | Ensure Safe Links is Enabled | High | Not Configured - No ATP License | SP v1.0 | NO |
TEST NAME Ensure Safe Links is Enabled Description Item does not meet all the requirements as per test. Safe Links is a feature of O365 that enables real-time detection of malicious links in incoming Exchange emails and other Office 365 applications, such as Microsoft Teams. Safe Links is not enabled in the O365 tenant. This may be because the organization does not have the appropriate license level to use the feature, or because it has been disabled. This lowers the amount of built-in protection O365 offers the organization against phishing and other attacks. None None Recommendation and Steps Safe Links can be configured by navigating to the Threat Management portal in the Office 365 Security and Compliance center. The first guide below is a quick introduction to enabling Safe Links while the second is a detailed reference. Associated Objects
Affected Objects More Information TEST ID |
Not Available | Ensure Safe Links Click-Through is Not Allowed | High | Not Configured - No ATP License | SP v1.0 | NO |
TEST NAME Ensure Safe Links Click-Through is Not Allowed Description Item does not meet all the requirements as per test. Advanced Threat Protection Safe Links (ATP Safe Links) is an Office 365 feature that enables the detection of suspicious links used in attacks delivered via Exchange Email and Teams, such as phishing attacks. ATP Safe Links is configured to allow users to click through a link flagged as unsafe if they choose. It is recommended to disable this ability, as users will often click through to potentially unsafe links if they are given the choice, partially negating the benefit of Safe Links. None None Recommendation and Steps Use the Set-SafeLinksPolicy cmdlet in the Exchange Online PowerShell module as follows: Set-SafeLinksPolicy -Identity <policy name> -AllowClickThrough $false, where <policy name> is the name of the existing Safe Links policy (the cmdlet requires -Identity). Associated Objects
Affected Objects More Information TEST ID |
Not Available | Ensure Safe Links Flags Links in Real Time | High | Not Configured - No ATP License | SP v1.0 | NO |
TEST NAME Ensure Safe Links Flags Links in Real Time Description Item does not meet all the requirements as per test. Safe Links is an Office 365 feature that enables the detection of suspicious links used in attacks delivered via Exchange Email and Teams, such as phishing attacks. ATP Safe Links can be configured to flag dangerous links in email and guarantee that the email will not be delivered until the Safe Links scanning is complete. This is the ideal Safe Links setting. However, this setting is currently disabled, which means it is possible for emails to be delivered before Safe Links protections have been applied. It is also possible that this inspector finding was generated because ATP Safe Links is not enabled or the organization does not have an appropriate O365 license tier to use ATP Safe Links features, in which case the remediation described below would not apply. None None Recommendation and Steps Use the Set-SafeLinksPolicy cmdlet in the Exchange Online PowerShell module as follows: Set-SafeLinksPolicy -Identity <policy name> -DeliverMessageAfterScan $false, where <policy name> is the name of the existing Safe Links policy (the cmdlet requires -Identity). Associated Objects
Affected Objects More Information TEST ID |
Not Available | Ensure SMTP Authentication is disabled Globally | High | Not Disabled | SP v1.0 | NO |
TEST NAME Ensure SMTP Authentication is disabled Globally Description Item does not meet all the requirements as per test. SMTP Authentication is a method of authenticating to an Exchange Online mailbox to deliver email. Cyber adversaries have used SMTP authentication as a workaround for subtly conducting password spraying attacks or other credential-related attacks and bypassing Multi-Factor Authentication protection because legacy authentication methods such as SMTP do not support MFA. There are two ways of disabling SMTP, globally and granularly on a per-user-mailbox level. It is recommended that SMTP Authentication be globally disabled if possible. Note that this may disrupt the functionality of legacy or other applications that require it for continued operations. None None Recommendation and Steps Use the Exchange Online administration module for PowerShell to execute the listed PowerShell command. Note that SMTP authentication for individual mailboxes may still need to be located and disabled using the Set-CASMailbox cmdlet with the -SmtpClientAuthenticationDisabled parameter. Associated Objects
Affected Objects More Information TEST ID |
Not Available | Ensure automatic forwarding options are disabled | High | Not Disabled | SP v1.0 | NO |
TEST NAME Ensure automatic forwarding options are disabled Description Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. None None Recommendation and Steps Disabling auto-forwarding to remote domains will affect all users in an organization. Associated Objects
Affected Objects More Information TEST ID |
Not Available | Ensure the Client Rules Forwarding Block is enabled | High | Disabled | SP v1.0 | NO |
TEST NAME Ensure the Client Rules Forwarding Block is enabled Description Client Rules Forwarding is not blocked. Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users in an organization. None None Recommendation and Steps You should set your Exchange Online mail transport rules to not forward email to domains outside of your organization. Automatic forwarding should also be disabled, to prevent users from auto-forwarding mail via Outlook or Outlook on the web. Alongside this, the Client Rules Forwarding Block, which prevents the use of any client-side rules that forward email to an external domain, should also be enabled. Associated Objects
Affected Objects |
5.2.3.4 | Ensure all member users are MFA capable | High | Configured | E3 Level 1 | CIS v4.0 | NO |
TEST NAME Ensure all member users are MFA capable Description When using the UI audit method guest users will appear in the report and, unless the organization is applying MFA rules to guests, they will need to be manually filtered. Accounts that provide on-premises directory synchronization also appear in these reports. Recommendation and Steps Remediation steps will depend on the status of the personnel in question or configuration of Conditional Access policies and will not be covered in detail. Administrators should review each user identified on a case-by-case basis using the conditions below. User has never signed on: Employment status should be reviewed, and appropriate action taken on the user account's roles, licensing and enablement. Conditional Access policy applicability: Ensure a CA policy is in place requiring all users to use MFA. Ensure the user is not excluded from the CA MFA policy. Ensure the policy's state is set to On. Use What if to determine applicable CA policies (Protection > Conditional Access > Policies). Review the user account in Sign-in logs. Under the Activity Details pane click the Conditional Access tab to view applied policies. Note: Conditional Access is covered step by step in section 5.2.2 Associated Objects
Affected Objects |
6.2.3 | Ensure email from external senders is identified | High | Not Configured Correctly | E3 Level 1 | CIS v4.0 | NO |
TEST NAME Ensure email from external senders is identified Description Mail flow rules using external tagging will need to be disabled before enabling this to avoid duplicate [External] tags. The Outlook desktop client is the last to receive this update and the feature is only available for certain versions, see below: Outlook for Windows: Update 4/26/23: External Tag view in Outlook for Windows (matching other clients) released to production for Current Channel and Monthly Enterprise Channel in Version 2211 for builds 15831.20190 and higher. We anticipate the External tag to reach Semi-Annual Preview Channel with Version 2308 on the September 12th 2023 public update and reach Semi-Annual Enterprise Channel with Version 2308 with the January 9th 2024 public update. Recommendation and Steps To remediate using PowerShell: 1. Connect to Exchange Online using Connect-ExchangeOnline. 2. Run the following PowerShell command: Set-ExternalInOutlook -Enabled $true Associated Objects
Affected Objects |
6.2.1 | Ensure all forms of mail forwarding are blocked and-or disabled | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
TEST NAME Ensure all forms of mail forwarding are blocked and-or disabled Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects
Affected Objects |
6.2.2 | Ensure mail transport rules do not whitelist specific domains | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
TEST NAME Ensure mail transport rules do not whitelist specific domains Description Mail Transport rules are configured not to forward to specific domains. Recommendation and Steps Associated Objects
Affected Objects |
NA | Ensure Tagging does not allow specific domains | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
TEST NAME Ensure Tagging does not allow specific domains Description Tagging does not allow specific domains. Recommendation and Steps Associated Objects Affected Objects |
Not Available | Ensure Transport Rules to Block Exchange Auto-Forwarding is configured | Passed | Configured | SP v1.0 | YES |
|
Not Available | Ensure Do Not Bypass the Safe Attachments Filter is not configured | Passed | Not Configured | SP v1.0 | YES |
TEST NAME Ensure Do Not Bypass the Safe Attachments Filter is not configured Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects
Affected Objects |
Not Available | Ensure Do Not Bypass the Safe Links Feature is not configured | Passed | Not Configured | SP v1.0 | YES |
TEST NAME Ensure Do Not Bypass the Safe Links Feature is not configured Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects
Affected Objects |
Not Available | Ensure Exchange Modern Authentication is Enabled | Passed | Enabled | SP v1.0 | YES |
TEST NAME Ensure Exchange Modern Authentication is Enabled Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects
Affected Objects More Information TEST ID |
Not Available | Ensure Transport Rules to Block Executable Attachments are configured | Passed | Configured | SP v1.0 | YES |
TEST NAME Ensure Transport Rules to Block Executable Attachments are configured Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects
Affected Objects More Information TEST ID |
Not Available | Ensure Malware Filter Policies Alert for Internal Users Sending Malware is configured | Passed | Configured | SP v1.0 | YES |
TEST NAME Ensure Malware Filter Policies Alert for Internal Users Sending Malware is configured Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects
Affected Objects More Information TEST ID |
Not Available | Ensure Transport Rules to Block Large Attachments are configured | Passed | Configured | SP v1.0 | YES |
TEST NAME Ensure Transport Rules to Block Large Attachments are configured Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects
Affected Objects More Information TEST ID |
Not Available | Ensure Mailbox Auditing is Enabled at Tenant Level | Passed | Enabled | SP v1.0 | YES |
TEST NAME Ensure Mailbox Auditing is Enabled at Tenant Level Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects
Affected Objects More Information TEST ID |
Not Available | Ensure Mailboxes without Mailbox Auditing are not present | Passed | 0 | SP v1.0 | YES |
TEST NAME Ensure Mailboxes without Mailbox Auditing are not present Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects
Affected Objects More Information TEST ID |
Not Available | Ensure mail transport rules do not forward email to external domains | Passed | 0 | SP v1.0 | YES |
TEST NAME Ensure mail transport rules do not forward email to external domains Description Mail Transport Rules are configured correctly not to forward to external domains. Recommendation and Steps Associated Objects
Affected Objects More Information TEST ID |
Not Available | Ensure the Advanced Threat Protection Safe Links policy is enabled | Passed | Not Enabled-Not Implemented | SP v1.0 | YES |
TEST NAME Ensure the Advanced Threat Protection Safe Links policy is enabled Description Advanced Threat Protection Safe Links Policy is enabled. Recommendation and Steps Associated Objects Affected Objects More Information TEST ID |
Not Available | Ensure the Advanced Threat Protection SafeAttachments policy is enabled | Passed | Not Enabled-Not Implemented | SP v1.0 | YES |
TEST NAME Ensure the Advanced Threat Protection SafeAttachments policy is enabled Description Safe Attachment Policy is enabled. Recommendation and Steps Associated Objects Affected Objects |
2.1.7 | Ensure that an anti-phishing policy has been created | Passed | Created | E5 Level 1 | CIS v4.0 | YES |
TEST NAME Ensure that an anti-phishing policy has been created Description Anti-Phishing Policy has been created. Recommendation and Steps Associated Objects
Affected Objects |
Not Available | Ensure mailbox auditing for all users is Enabled | Passed | 0 | SP v1.0 | YES |
|
5.2.3.5 | Ensure weak authentication methods are disabled | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
TEST NAME Ensure weak authentication methods are disabled Description Disabling Email OTP will prevent one-time pass codes from being sent to unverified guest users accessing Microsoft 365 resources on the tenant. They will be required to use a personal Microsoft account, a managed Microsoft Entra account, be part of a federation or be configured as a guest in the host tenant's Microsoft Entra ID. Recommendation and Steps To remediate using the UI: 1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/. 2. Click to expand Protection and select Authentication methods. 3. Select Policies. 4. Inspect each method that is out of compliance and remediate: Click on the method to open it. Change the Enable toggle to the off position. Click Save. Note: If the save button remains greyed out after toggling a method off, then first turn it back on and then change the position of the Target selection (all users or select groups). Turn the method off again and save. This was observed to be a bug in the UI at the time this document was published. Associated Objects Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
6.3.1 | Ensure users installing Outlook add-ins is not allowed | High | Allowed to Install Outlook Add-in | E3 Level 2 | CIS v4.0 | NO |
TEST NAME Ensure users installing Outlook add-ins is not allowed Description Outlook Add-Ins are allowed. Implementation of this change will impact both end users and administrators. End users will not be able to integrate third-party applications that they may wish to use. None None Recommendation and Steps By default, users can install add-ins in their Microsoft Outlook Desktop client, allowing data access within the client application. Do not allow users to install add-ins in Outlook. Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling users' ability to install add-ins in Microsoft Outlook helps reduce your threat surface and mitigate this risk. Associated Objects
Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
Not Available | Ensure Mailboxes External Address Forwarding is not configured | High | 1 | SP v1.0 | NO |
TEST NAME Ensure Mailboxes External Address Forwarding is not configured Description Some Mailboxes are configured with External Forwarding. It is a security risk. Mailboxes must not be configured with forwarding to prevent data loss. None None Recommendation and Steps Please review the list and make sure to remove forwarding from these mailboxes. Associated Objects
Affected Objects |
Not Available | Ensure Exchange Online Mailboxes on Litigation Hold | High | 1 | SP v1.0 | NO |
TEST NAME Ensure Exchange Online Mailboxes on Litigation Hold Description Some Mailboxes are in Litigation Hold. Refer to the issue details. None None Recommendation and Steps Please review the list provided. Associated Objects
Affected Objects |
Not Available | Ensure Exchange Online SPAM Domains are identified | High | 2 | SP v1.0 | NO |
TEST NAME Ensure Exchange Online SPAM Domains are identified Description Found SPAM Items. It is a security risk. None None Recommendation and Steps Identify the SPAM domains and block them. Associated Objects
Affected Objects |
Not Available | Ensure Microsoft 365 Hidden Mailboxes are Identified | Medium | 1 | SP v1.0 | NO |
TEST NAME Ensure Microsoft 365 Hidden Mailboxes are Identified Description Some mailboxes are hidden from the address list. These mailboxes will not appear in the address list. None None Recommendation and Steps Please review the list provided. Associated Objects
Affected Objects |
Not Available | Ensure mail forwarding rules are reviewed and actioned | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure the Malware Detections report is reviewed at least weekly | Passed | 0 | SP v1.0 | YES |
TEST NAME Ensure the Malware Detections report is reviewed at least weekly Description Test has passed. Recommendation and Steps Associated Objects
Affected Objects |
Not Available | Ensure Microsoft 365 Deleted Mailboxes are identified and Verified | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Exchange Online Mailbox Auditing is enabled | Passed | 0 | SP v1.0 | YES |
Not Available | Microsoft 365 Exchange Online Admin Success and Failure Attempts | Passed | 0 | SP v1.0 | YES |
Not Available | Microsoft 365 Exchange Online External Access Admin Success and Failure Attempts | Passed | 0 | SP v1.0 | YES |
TEST NAME Microsoft 365 Exchange Online External Access Admin Success and Failure Attempts Description No Failure Attempts were found from external Admins. Recommendation and Steps Associated Objects
Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
Not Available | Ensure Email Security Checks are Bypassed Based on Sender Domain are not configured | High | Configured | SP v1.0 | NO |
TEST NAME Ensure Email Security Checks are Bypassed Based on Sender Domain are not configured Description Item does not meet all the requirements as per test. In the Exchange transport rules settings, it is possible to implement transport rules that bypass spam filtering and other email security capabilities (Exchange Online Protection) based on an IP address or domain (allowlisting). This makes a significant assumption of trust that should be reviewed and reconsidered. The transport rules listed herein bypass email security based on a domain allowlist. None None Recommendation and Steps Locate the rules 365Inspect has identified (they are listed in this report) and determine who created the rules. Pursue a dialogue or analysis of whether bypassing Exchange Online Protection is necessary for continued operations and whether another solution is possible. If the rules are not necessary, remove the rules. Associated Objects Affected Objects More Information TEST ID |
Not Available | Ensure Email Security Checks are Bypassed Based on Sender IP are not configured | High | Configured | SP v1.0 | NO |
TEST NAME Ensure Email Security Checks are Bypassed Based on Sender IP are not configured Description Item does not meet all the requirements as per test. In the Exchange transport rules settings, it is possible to implement transport rules that bypass spam filtering and other email security capabilities (Exchange Online Protection) based on an IP address or domain (allowlisting). This makes a significant assumption of trust that should be reviewed and reconsidered. The transport rules listed herein bypass email security based on an IP address allowlist. None None Recommendation and Steps Locate the rules 365Inspect has identified (they are listed in this report) and determine who created the rules. Pursue a dialogue or analysis of whether the allowlisting is necessary for continued operations and whether another solution is possible. If the rules are not necessary, remove the rules. Associated Objects Affected Objects More Information TEST ID |
Not Available | Ensure No Exchange Mailboxes with FullAccess Delegates are present | High | 0 | SP v1.0 | NO |
X TEST NAME Ensure No Exchange Mailboxes with FullAccess Delegates are present Description Item does not meet all the requirements as per test. The Exchange Online mailboxes listed above have delegated Full Access permissions to another account. None None Recommendation and Steps This finding refers to individual mailboxes that have Full Access delegated permissions. For these mailboxes, verify that the delegate access is expected, appropriate, and does not violate company policy. Remediation can be accomplished by running the listed PowerShell command. A list of affected email addresses is included in this report. Associated Objects Affected Objects More Information TEST ID
|
Not Available | Ensure No Exchange Mailboxes with SendAs Delegates are present | High | SP v1.0 | NO |
X TEST NAME Ensure No Exchange Mailboxes with SendAs Delegates are present Description Item does not meet all the requirements as per test. The Exchange Online mailboxes listed above have delegated SendAs permissions to another account. None None Recommendation and Steps This finding refers to individual mailboxes that have SendAs delegated permissions. For these mailboxes, verify that the delegate access is expected, appropriate, and does not violate company policy. Remediation can be accomplished by running the listed PowerShell command. A list of affected email addresses is included in this report. Associated Objects Affected Objects More Information TEST ID
| |
Not Available | Ensure No Exchange Mailboxes with SendOnBehalfOf Delegates are present | High | 0 | SP v1.0 | NO |
X TEST NAME Ensure No Exchange Mailboxes with SendOnBehalfOf Delegates are present Description Item does not meet all the requirements as per test. The Exchange Online mailboxes listed above have delegated SendOnBehalfOf permissions to another account. None None Recommendation and Steps This finding refers to individual mailboxes that have SendOnBehalfOf delegated permissions. For these mailboxes, verify that the delegate access is expected, appropriate, and does not violate company policy. Remediation can be accomplished by running the listed PowerShell command. A list of affected email addresses is included in this report. Associated Objects Affected Objects More Information TEST ID
|
6.5.2 | Ensure MailTips are enabled for end users | Medium | Not All MailTips Enabled | E3 Level 2 | CIS v4.0 | NO |
X TEST NAME Ensure MailTips are enabled for end users Description MailTips are not enabled for end users. No impact. None None Recommendation and Steps MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. Associated Objects
Affected Objects |
6.5.3 | Ensure external storage providers available in Outlook on the Web are restricted | Medium | Not Restricted | E3 Level 2 | CIS v4.0 | NO |
X TEST NAME Ensure external storage providers available in Outlook on the Web are restricted Description External Storage Providers in Outlook on the Web are not restricted. The impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so. None None Recommendation and Steps You should restrict storage providers that are integrated with Outlook on the Web. If users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so. By default, additional storage providers are allowed in Outlook on the Web (such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. Associated Objects
Affected Objects |
6.5.1 | Ensure modern authentication for Exchange Online is enabled | Passed | Enabled | E3 Level 1 | CIS v4.0 | YES |
X TEST NAME Ensure modern authentication for Exchange Online is enabled Description Modern Authentication is enabled for Exchange Online. Recommendation and Steps Associated Objects
Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
7.2.1 | Ensure modern authentication for SharePoint applications is required | High | Disabled | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure modern authentication for SharePoint applications is required Description Basic Authentication is not enabled for SharePoint Online. Implementation of modern authentication for SharePoint will require users to authenticate to SharePoint using modern authentication. This may cause a minor impact to typical user behavior. None None Recommendation and Steps Strong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. Associated Objects
Affected Objects More Information TEST ID
|
7.2.2 | Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled | High | Disabled | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled Description Item does not meet all the requirements as per test. Azure AD B2B provides authentication and management of guests. Authentication happens via one-time passcode when they don't already have a work or school account or a Microsoft account. Integration with SharePoint and OneDrive allows for more granular control of how guest user accounts are managed in the organization's AAD, unifying a similar guest experience already deployed in other Microsoft 365 services such as Teams. Note: The Global Reader role currently cannot access SharePoint using PowerShell. External users assigned guest accounts will be subject to Azure AD access policies, such as multi-factor authentication. This provides a way to manage guest identities and control access to SharePoint and OneDrive resources. Without this integration, files can be shared without account registration, making it more challenging to audit and manage who has access to the organization's data. Azure B2B collaboration is used with other Azure services, so it should not be new or unusual. Microsoft has also made the experience seamless when turning on integration on SharePoint sites that already have active files shared with guest users. The referenced Microsoft article on the subject has more details on this. None None Recommendation and Steps To remediate using PowerShell: 1. Connect to SharePoint Online using Connect-SPOService 2. Run the following command: Set-SPOTenant -EnableAzureADB2BIntegration $true Associated Objects
Affected Objects |
7.2.3 | Ensure external content sharing is restricted | High | Not Configured Correctly | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure external content sharing is restricted Description Item does not meet all the requirements as per test. The external sharing settings govern sharing for the organization overall. Each site has its own sharing setting that can be set independently, though it must be at the same or a more restrictive setting than the organization. The New and existing guests option requires people who have received invitations to sign in with their work or school account (if their organization uses Microsoft 365) or a Microsoft account, or to provide a code to verify their identity. Users can share with guests already in your organization's directory, and they can send invitations to people who will be added to the directory if they sign in. The recommended state is New and existing guests or less permissive. Forcing guest authentication on the organization's tenant enables the implementation of controls and oversight over external file sharing. When a guest is registered with the organization, they now have an identity which can be accounted for. This identity can also have other restrictions applied to it through group membership and conditional access rules. When using Azure AD B2B integration, Azure AD external collaboration settings, such as guest invite settings and collaboration restrictions, apply. None None Recommendation and Steps To remediate using the UI: 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint 2. Click to expand Policies > Sharing. 3. Locate the External sharing section. 4. Under SharePoint, move the slider bar to New and existing guests or a less permissive level. - OneDrive will also be moved to the same level and can never be more permissive than SharePoint. To remediate using PowerShell: 1. Connect to SharePoint Online service using Connect-SPOService. 2. Run the following cmdlet to establish the minimum recommended state: Set-SPOTenant -SharingCapability ExternalUserSharingOnly Note: Other acceptable values for this parameter that are more restrictive include: Disabled and ExistingExternalUserSharingOnly. Associated Objects
Affected Objects |
7.2.4 | Ensure OneDrive content sharing is restricted | High | Not Disabled | E3 Level 2 | CIS v4.0 | NO |
X TEST NAME Ensure OneDrive content sharing is restricted Description Item does not meet all the requirements as per test. This setting governs the global permissiveness of OneDrive content sharing in the organization. OneDrive content sharing can be restricted independent of SharePoint but can never be more permissive than the level established with SharePoint. The recommended state is Only people in your organization. OneDrive, designed for end-user cloud storage, inherently provides less oversight and control compared to SharePoint, which often involves additional content overseers or site administrators. This autonomy can lead to potential risks such as inadvertent sharing of privileged information by end users. Restricting external OneDrive sharing will require users to transfer content to SharePoint folders first which have those tighter controls. Users will be required to take additional steps to share OneDrive content or use other official channels. None None Recommendation and Steps To remediate using the UI: 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint 2. Click to expand Policies > Sharing. 3. Locate the External sharing section. 4. Under OneDrive, set the slider bar to Only people in your organization. To remediate using PowerShell: 1. Connect to SharePoint Online service using Connect-SPOService. 2. Run the following cmdlet: Set-SPOTenant -OneDriveSharingCapability Disabled Associated Objects
Affected Objects |
7.2.5 | Ensure that SharePoint guest users cannot share items they don't own | High | Not Enabled | E3 Level 2 | CIS v4.0 | NO |
X TEST NAME Ensure that SharePoint guest users cannot share items they don't own Description Item does not meet all the requirements as per test. SharePoint gives users the ability to share files, folders, and site collections. Internal users can share with external collaborators, and with the right permissions could share to other external parties. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. The impact associated with this change is highly dependent upon current practices. If users do not regularly share with external parties, then minimal impact is likely. However, if users do regularly share with guests/externally, minimal impacts could occur as those external users will be unable to re-share content. None None Recommendation and Steps To remediate using the UI: 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint 2. Click to expand Policies then select Sharing. 3. Expand More external sharing settings, uncheck Allow guests to share items they don't own. 4. Click Save. To remediate using PowerShell: 1. Connect to SharePoint Online service using Connect-SPOService. 2. Run the following SharePoint Online PowerShell command: Set-SPOTenant -PreventExternalUsersFromResharing $True Associated Objects
Affected Objects |
Not Available | Ensure document sharing is being controlled by domains with whitelist or blacklist | High | Not Controlled | SP v1.0 | NO |
X TEST NAME Ensure document sharing is being controlled by domains with whitelist or blacklist Description Document Sharing control for domains is not configured. Enabling this feature will prevent users from sharing documents with domains outside of the organization unless allowed. None None Recommendation and Steps You should control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Enabling this feature will prevent users from sharing documents with domains outside of the organization unless allowed. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. Associated Objects
Affected Objects |
7.2.7 | Ensure link sharing is restricted in SharePoint and OneDrive | High | Not Restricted-AnonymousAccess | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure link sharing is restricted in SharePoint and OneDrive Description Item does not meet all the requirements as per test. This setting sets the default link type that a user will see when sharing content in OneDrive or SharePoint. It does not restrict or exclude any other options. The recommended state is Specific people (only the people the user specifies). By defaulting to specific people, the user will first need to consider whether or not the content being shared should be accessible by the entire organization versus select individuals. This aids in reinforcing the concept of least privilege. None None Recommendation and Steps To audit using the UI: 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint 2. Click to expand Policies > Sharing. 3. Scroll to File and folder links. 4. Set Choose the type of link that's selected by default when users share files and folders in SharePoint and OneDrive to Specific people (only the people the user specifies). To remediate using PowerShell: 1. Connect to SharePoint Online using Connect-SPOService. 2. Run the following PowerShell command: Set-SPOTenant -DefaultSharingLinkType Direct Associated Objects Affected Objects More Information TEST ID
|
7.2.10 | Ensure reauthentication with verification code is restricted | High | Not Restricted-False | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure reauthentication with verification code is restricted Description Item does not meet all the requirements as per test. This setting configures whether guests who use a verification code to access the site or links are required to reauthenticate after a set number of days. The recommended state is 15 or less. Increasing the frequency with which guests need to reauthenticate ensures guest user access to data is not prolonged beyond an acceptable amount of time. Guests who use Microsoft 365 in their organization can sign in using their work or school account to access the site or document. After the one-time passcode for verification has been entered for the first time, guests will authenticate with their work or school account and have a guest account created in the host's organization. Note: If OneDrive and SharePoint integration with Azure AD B2B is enabled as per the CIS Benchmark, the one-time-passcode experience will be replaced. Please visit [Secure external sharing in SharePoint - SharePoint in Microsoft 365 | Microsoft Learn](https://learn.microsoft.com/en-US/sharepoint/what-s-new-in-sharing-in-targeted-release?WT.mc_id=365AdminCSH_spo) for more information. None None Recommendation and Steps To remediate using the UI: 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint 2. Click to expand Policies > Sharing. 3. Scroll to and expand More external sharing settings. 4. Set People who use a verification code must reauthenticate after this many days to 15 or less. To remediate using PowerShell: 1. Connect to SharePoint Online service using Connect-SPOService. 2. Run the following cmdlet: Set-SPOTenant -EmailAttestationRequired $true -EmailAttestationReAuthDays 15 Associated Objects
Affected Objects |
7.2.9 | Ensure guest access to a site or OneDrive will expire automatically | High | Do not expire Automatically | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure guest access to a site or OneDrive will expire automatically Description Site collection administrators will have to renew access to guests who still need access after 30 days. They will receive an e-mail notification once per week about guest access that is about to expire. Note: The guest expiration policy only applies to guests who use sharing links or guests who have direct permissions to a SharePoint site after the guest policy is enabled. The guest policy does not apply to guest users that have pre-existing permissions or access through a sharing link before the guest expiration policy is applied. Recommendation and Steps To remediate using the UI: 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint 2. Click to expand Policies > Sharing. 3. Scroll to and expand More external sharing settings. 4. Set Guest access to a site or OneDrive will expire automatically after this many days to 30 To remediate using PowerShell: 1. Connect to SharePoint Online service using Connect-SPOService. 2. Run the following cmdlet: Set-SPOTenant -ExternalUserExpireInDays 30 -ExternalUserExpirationRequired $True Associated Objects
Affected Objects
|
7.2.11 | Ensure the SharePoint default sharing link permission is set | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure the SharePoint default sharing link permission is set Description Not applicable Recommendation and Steps To remediate using the UI: 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint 2. Click to expand Policies > Sharing. 3. Scroll to File and folder links. 4. Set Choose the permission that's selected by default for sharing links to View. To remediate using PowerShell: 1. Connect to SharePoint Online service using Connect-SPOService. 2. Run the following cmdlet: Set-SPOTenant -DefaultLinkPermission View Associated Objects
Affected Objects
More Information TEST ID
|
Not Available | Ensure expiration time for external sharing links is set | Medium | Expiration Time for Links NOT Set | SP v1.0 | NO |
X TEST NAME Ensure expiration time for external sharing links is set Description Expiration time for External Sharing Links is not set. Enabling this feature will ensure that links expire within the defined number of days. This will have an effect on links that were previously not set with an expiration. None None Recommendation and Steps The external sharing features of Microsoft SharePoint let users in your organization share content with people outside the organization (such as partners, vendors, clients, or customers). External sharing in SharePoint is part of secure collaboration with Microsoft 365. An attacker can compromise a user account for a short period of time, send anonymous sharing links to an external account, then take their time accessing the data. They can also compromise external accounts and steal the anonymous sharing links sent to those external entities well after the data has been shared. Restricting how long the links are valid can reduce the window of opportunity for attackers. Associated Objects
Affected Objects |
7.2.8 | Ensure external sharing is restricted by security group | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
X TEST NAME Ensure external sharing is restricted by security group Description Item does not meet all the requirements as per test. External sharing of content can be restricted to specific security groups. This setting is global, applies to sharing in both SharePoint and OneDrive, and cannot be set at the site level in SharePoint. The recommended state is Enabled or Checked. Note: Users in these security groups must be allowed to invite guests in the Azure Active Directory guest invite settings in Microsoft Entra: Identity > External Identities > External collaboration settings. Organizations wishing to create tighter security controls for external sharing can set this to enforce role-based access control by using security groups already defined in Microsoft Entra. OneDrive will also be governed by this, and there is no granular control at the SharePoint site level. None None Recommendation and Steps To remediate using the UI: 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint 2. Click to expand Policies > Sharing. 3. Scroll to and expand More external sharing settings. 4. Set the following: - Check Allow only users in specific security groups to share externally - Define Manage security groups in accordance with company procedure. Associated Objects Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
Not Available | SharePoint External Sharing is not Enabled at Global Level | Critical | Enabled : Sharing capability is ExternalUserAndGuestSharing (Anyone). | SP v1.0 | NO |
X TEST NAME SharePoint External Sharing is not Enabled at Global Level Description Item does not meet all the requirements as per test. SharePoint is the organization's hub for sharing files amongst each other. SharePoint can also permit users to share content with anonymous outsiders or members of other organizations (commonly referred to as "external users"). Sharing with external users and guests is currently enabled in this instance of SharePoint. This setting may increase the probability of sensitive information being shared outside of the organization, either accidentally or as a means of data exfiltration by a cyber adversary with access to the organizational environment. Consider disabling this setting for the sake of preventing such occurrences if there is no intention of sharing information outside of the organization as part of the organization's mission. However, note that some degree of external sharing is vital for many organizations. Furthermore, disabling external sharing is not necessarily a panacea for problems related to confidential information, as users may still mistakenly or maliciously share confidential information through a number of channels. Continue to apply good sense in data loss prevention and other forms of monitoring even if external sharing is disabled. None None Recommendation and Steps First, look at the "Affected Objects" section of the report for this finding; it should indicate which global sharing permission level the organization has currently enabled in SharePoint. If this is too permissive for the organization's use cases, consider taking action. There are multiple ways to change this setting. Navigate to Settings; Services; Sites in the O365 Admin portal, or the Sharing page of the SharePoint Administration Center. Doing either should present a list of global sharing capabilities, where "Share with Anyone" is the default; change this to a more restrictive setting. Before taking this action, it is advised to engage with other stakeholders in the organization to determine if SharePoint external sharing is used for an organizational function. An appropriate workaround or alternative course of action may need to be determined. Additionally, sharing settings besides the global-level settings are available; consider reading the "Limit sharing in Microsoft 365" guide below if additional granularity in sharing settings is required. Associated Objects Affected Objects |
Not Available | SharePoint External User Resharing is not Permitted | Critical | Permitted | SP v1.0 | NO |
X TEST NAME SharePoint External User Resharing is not Permitted Description Item does not meet all the requirements as per test. SharePoint is the organization's hub for sharing files amongst each other. SharePoint can also permit users to share content with anonymous outsiders or members of other organizations (commonly referred to as "external users"). Current SharePoint settings are configured such that, if users share a file with an external user, that external user can re-share the file arbitrarily with other external users. This is a highly permissive setting that could result in the unsafe propagation of the organization's confidential information in ways that may not be fully intended. None None Recommendation and Steps Depending on the organization's use case, external user resharing may be disabled. This is most easily accomplished with the Set-SPOTenant PowerShell cmdlet from the SharePoint Online administration module. Associated Objects
Affected Objects |
Not Available | SharePoint Legacy Authentication is not Enabled | Critical | Enabled | SP v1.0 | NO |
X TEST NAME SharePoint Legacy Authentication is not Enabled Description Item does not meet all the requirements as per test. SharePoint legacy authentication is enabled. Cyber adversaries frequently attempt credential stuffing and other attacks against legacy authentication protocols because they are subject to less scrutiny and are typically exempt from Multi-Factor Authentication and other modern access requirements. It is recommended to globally disable SharePoint legacy authentication. None None Recommendation and Steps Consider using the SharePoint PowerShell module to disable legacy authentication protocols. Note that globally disabling legacy authentication could have an adverse effect on some users or applications that require legacy authentication to perform their functions. In such cases, it is possible to more granularly set up a Conditional Access Policy that blocks legacy authentication for only those users and applications who do not strictly require it. Documentation for both approaches is provided in the references below. Associated Objects
Affected Objects |
7.3.1 | Ensure Microsoft 365 SharePoint infected files are disallowed for download | High | WARNING:Allowed | E5 Level 2 | CIS v4.0 | NO |
X TEST NAME Ensure Microsoft 365 SharePoint infected files are disallowed for download Description SharePoint Infected Files are disallowed for download is not enabled. The only potential impact associated with implementation of this setting is potential inconvenience associated with the small percentage of false positive detections that may occur. None None Recommendation and Steps By default, SharePoint online allows files that Defender for Microsoft 365 has detected as infected to be downloaded. Defender for Microsoft 365 for SharePoint, OneDrive, and Microsoft Teams protects your Associated Objects
Affected Objects |
7.3.2 | Block OneDrive for Business sync from unmanaged devices | High | WARNING:Not Blocked | E3 Level 2 | CIS v4.0 | NO |
X TEST NAME Block OneDrive for Business sync from unmanaged devices Description OneDrive for Business Sync from unmanaged Devices is not blocked. Enabling this feature will prevent users from using the OneDrive for Business Sync client on devices that are not joined to the domains that were defined. None None Recommendation and Steps Unmanaged devices pose a risk, since their security cannot be verified through existing security policies, brokers, or endpoint protection. Allowing users to sync data to these devices takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. Note: This setting is only applicable to Active Directory domains when operating in a hybrid configuration. It does not apply to Azure AD domains. If you have devices which are only Azure AD joined, consider using a Conditional Access Policy instead. Associated Objects
Affected Objects |
7.3.3 | Ensure custom script execution is restricted on personal sites | High | 49 | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure custom script execution is restricted on personal sites Description Item does not meet all the requirements as per test. This setting controls custom script execution on OneDrive or user-created sites. Custom scripts can allow users to change the look, feel and behavior of sites and pages. Every script that runs in a SharePoint page (whether it's an HTML page in a document library or a JavaScript in a Script Editor Web Part) always runs in the context of the user visiting the page and the SharePoint application. This means: - Scripts have access to everything the user has access to. - Scripts can access content across several Microsoft 365 services and even beyond with Microsoft Graph integration. The recommended state is Prevent users from running custom script on personal sites and Prevent users from running custom script on self-service created sites. Custom scripts could contain malicious instructions unknown to the user or administrator. When users are allowed to run custom script, the organization can no longer enforce governance, scope the capabilities of inserted code, block specific parts of code, or block all custom code that has been deployed. If scripting is allowed the following things cannot be audited: - What code has been inserted - Where the code has been inserted - Who inserted the code Note: Microsoft recommends using the [SharePoint Framework](https://learn.microsoft.com/en-us/sharepoint/dev/spfx/sharepoint-framework-overview) instead of custom scripts. None - this is the default behavior. None None Recommendation and Steps To remediate using the UI: 1. Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint 2. Select Settings. 3. At the bottom of the page click the classic settings page hyperlink. 4. Scroll to locate the Custom Script section. On the right set the following: - Select Prevent users from running custom script on personal sites. - Select Prevent users from running custom script on self-service created sites. Associated Objects
Affected Objects |
7.3.4 | Ensure custom script execution is restricted on site collections | High | 2 | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure custom script execution is restricted on site collections Description Item does not meet all the requirements as per test. This setting controls custom script execution on a particular site (previously called ). Custom scripts can allow users to change the look, feel and behavior of sites and pages. Every script that runs in a SharePoint page (whether it's an HTML page in a document library or a JavaScript in a Script Editor Web Part) always runs in the context of the user visiting the page and the SharePoint application. This means: - Scripts have access to everything the user has access to. - Scripts can access content across several Microsoft 365 services and even beyond with Microsoft Graph integration. The recommended state is DenyAddAndCustomizePages set to $true. Custom scripts could contain malicious instructions unknown to the user or administrator. When users are allowed to run custom script, the organization can no longer enforce governance, scope the capabilities of inserted code, block specific parts of code, or block all custom code that has been deployed. If scripting is allowed the following things cannot be audited: - What code has been inserted - Where the code has been inserted - Who inserted the code Note: Microsoft recommends using the [SharePoint Framework](https://learn.microsoft.com/en-us/sharepoint/dev/spfx/sharepoint-framework-overview) instead of custom scripts. None - this is the default behavior. None None Recommendation and Steps To remediate using PowerShell: 1. Connect to SharePoint Online using Connect-SPOService. 2. Edit the below and run for each site as needed: Set-SPOSite -Identity Associated Objects
Affected Objects |
Not Available | Ensure SharePoint sites are not enabled for both External and User Sharing | High | Enabled | SP v1.0 | NO |
X TEST NAME Ensure SharePoint sites are not enabled for both External and User Sharing Description SharePoint Sites are enabled for both External and User Sharing. If you have confidential information that can be shared with external users. None None Recommendation and Steps Recommended action is to disable SharePoint sites for both external and user sharing. Associated Objects
Affected Objects |
Not Available | External user sharing-share by email-and guest link sharing are both disabled | High | Not Disabled | SP v1.0 | NO |
X TEST NAME External user sharing-share by email-and guest link sharing are both disabled Description External User sharing - sharing by email - is not disabled. When users share with people outside the organization, an invitation is sent to the person in email, which contains a link to the shared item. If you have confidential information that should never be shared externally, we recommend storing the information in a site that has external sharing turned off. Create additional sites as needed to use for external sharing. This helps you to manage security risk by preventing external access to sensitive information. None None Recommendation and Steps It is recommended to review the sharing policy and adjust accordingly. Associated Objects
Affected Objects |
Not Available | Ensure that external users cannot share files folders and sites they do not own | High | Not Enabled | SP v1.0 | NO |
X TEST NAME Ensure that external users cannot share files folders and sites they do not own Description Impact associated with this change is highly dependent upon current practices. If users do not regularly share with external parties, then minimal impact is likely. None None Recommendation and Steps If users do regularly share with guests/externally, minimal impacts could occur as those external users will be unable to 're-share' content. Associated Objects
Affected Objects |
Not Available | SharePoint Anyone Shared Links Never Expire is not configured | High | Never Expires | SP v1.0 | NO |
X TEST NAME SharePoint Anyone Shared Links Never Expire is not configured Description Item does not meet all the requirements as per test. The organization's instance of SharePoint is set to never expire links to documents accessible by the 'Anyone' group. 'Anyone' links that exist indefinitely could be abused by an adversary or enable leakage of sensitive information in multiple ways. A value of -1 indicates anonymous links never expire. It is suggested that these links expire eventually to control possible information disclosure. None None Recommendation and Steps In the SharePoint administration center, navigate to Sharing; Choose expiration and permissions options for Anyone links. Select a link expiry period and save the settings. Prior to taking this action, discuss amongst the organization whether anyone is using non-expiring Anyone links for a legitimate purpose. Associated Objects
Affected Objects |
Not Available | Ensure Sign out inactive users in SharePoint Online is Configured | High | The setting is not compliant. | SP v1.0 | NO |
X TEST NAME Ensure Sign out inactive users in SharePoint Online is Configured Description Item does not meet all the requirements as per test. Idle session sign-out lets you specify a time at which users are warned and are later signed out of Microsoft 365 after a period of browser inactivity in SharePoint and OneDrive. None None Recommendation and Steps This policy is one of several you can use with SharePoint and OneDrive to balance security and user productivity and help keep your data safe, regardless of where users access the data from, what device they're working on, and how secure their network connection is. Associated Objects
Affected Objects |
Not Available | SharePoint Online Modern Authentication is Enabled | Passed | Enabled | SP v1.0 | YES |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
8.1.1 | Ensure external file sharing in Teams is enabled for only approved cloud storage services | High | Not Controlled | E3 Level 2 | CIS v4.0 | NO |
X TEST NAME Ensure external file sharing in Teams is enabled for only approved cloud storage services Description External File Sharing in Teams is enabled. The impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so. None None Recommendation and Steps Microsoft Teams enables collaboration via file sharing. This file sharing is conducted within Teams, using SharePoint Online, by default; however, third-party cloud services are allowed as well. Ensuring that only authorized cloud storage providers are accessible from Teams will help to dissuade the use of non-approved storage providers. Associated Objects
Affected Objects |
8.1.2 | Ensure users can't send emails to a channel email address | High | Can Send Emails | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure users can't send emails to a channel email address Description Item does not meet all the requirements as per test. Teams channel email addresses are an optional feature that allows users to email the Teams channel directly. Channel email addresses are not under the tenant's domain and organizations do not have control over the security settings for this email address. An attacker could email channels directly if they discover the channel email address. Users will not be able to email the channel directly. None None Recommendation and Steps To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Teams select Teams settings. 3. Under email integration set Users can send emails to a channel email address to Off. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Run the following command to set the recommended state: Set-CsTeamsClientConfiguration -Identity Global -AllowEmailIntoChannel $false Associated Objects
Affected Objects |
Not Available | Ensure End-to-end encryption for Microsoft Teams is enabled | High | Disabled | SP v1.0 | NO |
X TEST NAME Ensure End-to-end encryption for Microsoft Teams is enabled Description End-to-end encryption is not enabled for Teams Calling. In recent times, Microsoft Teams has emerged as the ultimate workspace for real-time collaboration and communication. Since most business communication is carried out over MS Teams, security has become a concern. By default, Teams calls over VOIP are encrypted using Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP). However, these protocols allow admins to configure automatic recording and transcription of calls. None None Recommendation and Steps It is recommended to enable end-to-end encryption for Teams calls. Associated Objects
Affected Objects |
Not Available | Ensure external domains are not allowed in Teams | High | Allowed All Domains | SP v1.0 | NO |
X TEST NAME Ensure external domains are not allowed in Teams Description 'External domains are not allowed in Teams' is not configured. The impact associated with this change is highly dependent upon current practices in the tenant. If users do not regularly communicate with external parties using Skype or Teams channels, then minimal impact is likely. However, if users do regularly utilize Teams and Skype for client communication, potentially significant impacts could occur, and users should be contacted, and if necessary, alternate mechanisms to continue this communication should be identified prior to disabling external access to Teams and Skype. None None Recommendation and Steps As of December 2021 the default for Teams external communication is set to 'People in my organization can communicate with Teams users whose accounts aren't managed by an organization.' This means that users can communicate with personal Microsoft accounts (e.g. Hotmail, Outlook etc.), which presents data loss / phishing / social engineering risks. You should not allow your users to communicate with Skype or Teams users outside your organization. While there are legitimate, productivity-improving scenarios for this, it also represents a potential security threat because those external users will be able to interact with your users over Skype for Business or Teams. Users are prone to data loss / phishing / social engineering attacks via Teams. Associated Objects
Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
Not Available | Ensure Microsoft Teams Users Allowed to Invite Anonymous Users is disabled | High | Enabled | SP v1.0 | NO |
X TEST NAME Ensure Microsoft Teams Users Allowed to Invite Anonymous Users is disabled Description Item does not meet all the requirements as per test. Microsoft Teams by default enables and allows anonymous users to join Teams meetings. This finding returns the users within the Tenant that have the ability to invite anonymous users into the Teams environment. Some organizations may wish to disable this functionality, or restrict certain users, members, or roles from allowing anonymous users to join meetings. Changing these settings may have unintended consequences. Speak with stakeholders and understand what functionality may be affected before disabling this access. None None Recommendation and Steps This can be mitigated by navigating to the Teams admin center and turning off 'Anonymous users can join a meeting' under Meeting settings. This disables anonymous access globally. Alternatively, specific users and groups can be targeted by creating a new Meeting Policy and issuing the listed command in PowerShell. Associated Objects
Affected Objects |
Not Available | Ensure Microsoft Teams Policies Allow Anonymous Members is disabled | High | Enabled | SP v1.0 | NO |
X TEST NAME Ensure Microsoft Teams Policies Allow Anonymous Members is disabled Description Item does not meet all the requirements as per test. Microsoft Teams by default enables and allows authenticated users to invite anonymous users to join Teams meetings. Some organizations may wish to disable this functionality, or restrict certain users, members, or roles from allowing anonymous users to join meetings. Changing these settings may have unintended consequences. Speak with stakeholders and understand what functionality may be affected before disabling this access. None None Recommendation and Steps This can be mitigated by navigating to the Teams admin center and turning off 'Anonymous users can join a meeting' under Meeting settings. This disables anonymous access globally. Alternatively, specific users and groups can be targeted by creating a new Meeting Policy and issuing the listed command in PowerShell. Associated Objects
Affected Objects |
Not Available | Ensure Microsoft Teams Consumer Communication Policies are configured | High | Not Configured | SP v1.0 | NO |
X TEST NAME Ensure Microsoft Teams Consumer Communication Policies are configured Description Item does not meet all the requirements as per test. Microsoft Teams External Access Policies allow communication with Teams users not managed by an organization. None None Recommendation and Steps Review Microsoft Teams External Access Policies and validate that all results are expected, and no conflicting rules are in place. Associated Objects
Affected Objects More Information TEST ID
|
Not Available | Ensure Microsoft Teams Users Allowed to Preview Links in Messages is disabled | High | 4 | SP v1.0 | NO |
X TEST NAME Ensure Microsoft Teams Users Allowed to Preview Links in Messages is disabled Description Item does not meet all the requirements as per test. Microsoft Teams by default enables and allows users to preview links in messages. Some organizations may wish to disable this functionality. Changing these settings may have unintended consequences. Speak with stakeholders and understand what functionality may be affected before disabling this access. None None Recommendation and Steps This can be mitigated by navigating to the Teams admin center and turning off 'Allow URL Previews' under Messaging settings. This disables link previews globally. Alternatively, specific users and groups can be targeted by creating a new Messaging Policy and issuing the listed command in PowerShell. Associated Objects
Affected Objects |
Not Available | Ensure Safe Links for Teams is Enabled | High | Not Configured - No ATP License | SP v1.0 | NO |
X TEST NAME Ensure Safe Links for Teams is Enabled Description Item does not meet all the requirements as per test. Safe Links is a feature of O365 that enables real-time detection of malicious links in incoming Exchange emails and other Office 365 applications. The Safe Links feature can also be enabled for links shared via Microsoft Teams. However, this setting is disabled in the 365 instance. Enabling it can decrease the risk of phishing and other attacks that might utilize malicious links sent via Teams, although it is not a panacea for these attacks. None None Recommendation and Steps Perhaps the most convenient way to enable this feature is to use the Set-SafeLinksPolicy command in PowerShell as listed below. Note that some organizations may have chosen to disable Safe Links for Teams if it interferes with day-to-day operations, so key stakeholders should be surveyed before enabling Safe Links for Teams. Associated Objects
Affected Objects |
Not Available | Ensure Microsoft Teams External Domain Communication Policies are configured | Medium | All Domains Allowed | SP v1.0 | NO |
X TEST NAME Ensure Microsoft Teams External Domain Communication Policies are configured Description Item does not meet all the requirements as per test. Microsoft Teams External Domain Communication Policies. None None Recommendation and Steps Review Microsoft Teams External Access Policies and validate that all results are expected, and no conflicting rules are in place. Associated Objects
Affected Objects More Information TEST ID
|
Not Available | Ensure Microsoft Teams External Access Policies are configured | Low | Not Configured:EnableFederationAccess is set to True | SP v1.0 | NO |
X TEST NAME Ensure Microsoft Teams External Access Policies are configured Description Item does not meet all the requirements as per test. Microsoft Teams External Access Policies. None None Recommendation and Steps Review Microsoft Teams External Access Policies and validate that all results are expected, and no conflicting rules are in place. Associated Objects
Affected Objects More Information TEST ID
|
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
8.2.1 | Ensure external access is restricted in the Teams admin center | High | Not Restricted | E3 Level 2 | CIS v4.0 | NO |
X TEST NAME Ensure external access is restricted in the Teams admin center Description Item does not meet all the requirements as per test. This policy setting controls chat with external unmanaged Skype and Teams users. Users in the organization will not be searchable by unmanaged Skype or Teams users and will have to initiate all communications with unmanaged users. Note: As of December 2021, the default for Teams external communication is set to People in my organization can communicate with Teams users whose accounts are not managed by an organization. Note #2: Skype for Business is deprecated as of July 31, 2021, although these settings may still be valid for a period of time. See the link in the reference section for more information. Allowing users to communicate with Skype or Teams users outside of an organization presents a potential security threat as external users can interact with organization users over Skype for Business or Teams. While legitimate, productivity-improving scenarios exist, they are outweighed by the risk of data loss, phishing, and social engineering attacks against organization users via Teams. Therefore, it is recommended to restrict external communications in order to minimize the risk of security incidents. The impact of disabling external access to Teams and Skype for an organization is highly dependent on current usage practices. If users infrequently communicate with external parties using these channels, the impact is likely to be minimal. However, if users regularly use Teams and Skype for client communication, the impact could be significant. Therefore, before disabling external access, users should be notified, and alternate communication mechanisms should be identified to ensure continuity of communication. Note: Chat with external unmanaged Teams users is not available in GCC, GCC High, or DOD deployments, or in private cloud environments. None None Recommendation and Steps To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/. 2. Click to expand Users select External access. 3. Under Teams and Skype for Business users in external organizations Select Block all external domains - NOTE: If the organization's policy allows, select any allowed external domains. 4. Under Teams accounts not managed by an organization move the slider to Off. 5. Under Skype users move the slider to Off. 6. Click Save. To remediate using PowerShell: - Connect to Teams PowerShell using Connect-MicrosoftTeams - Run the following command: Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowPublicUsers $false -AllowFederatedUsers $false - To allow only specific external domains run these commands replacing the example domains with approved domains: Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowPublicUsers $false -AllowFederatedUsers $true $list = New-Object Collections.Generic.List[String] $list.add() $list.add() Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $list Associated Objects
Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
8.4.1 | Ensure app permission policies are configured | High | Either some or all settings are Not compliant | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure app permission policies are configured Description Item does not meet all the requirements as per test. This policy setting controls which class of apps are available for users to install. Allowing users to install third-party or unverified apps poses a potential risk of introducing malicious software to the environment. Users will only be able to install approved classes of apps. None None Recommendation and Steps To set app permission policies: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Teams apps select Permission policies. 3. Click Global (Org-wide default). 4. For Microsoft apps set app permission policies to Allow all apps. 5. For Third-party apps set app permission policies to Block all apps OR Allow specific apps and block all others. 6. For Custom apps set app permission policies to Block all apps OR Allow specific apps and block all others. Associated Objects
Affected Objects |
8.2.2 | Ensure communication with unmanaged Teams users is disabled | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure communication with unmanaged Teams users is disabled Description Users will be unable to communicate with Teams users who are not managed by an organization. Note: The settings that govern chats and meetings with external unmanaged Teams users aren't available in GCC, GCC High, or DOD deployments, or in private cloud environments. Recommendation and Steps To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/. 2. Click to expand Users select External access. 3. Scroll to Teams accounts not managed by an organization 4. Set People in my organization can communicate with Teams users whose accounts aren't managed by an organization to Off. 5. Click Save. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams 2. Run the following command: Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false Associated Objects
Affected Objects
|
8.2.3 | Ensure external Teams users cannot initiate conversations | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure external Teams users cannot initiate conversations Description The impact of disabling this is very low. Note: Chats and meetings with external unmanaged Teams users aren't available in GCC, GCC High, or DOD deployments, or in private cloud environments. Recommendation and Steps To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/. 2. Click to expand Users select External access. 3. Scroll to Teams accounts not managed by an organization 4. Uncheck External users with Teams accounts not managed by an organization can contact users in my organization. 5. Click Save. Note: If People in my organization can communicate with Teams users whose accounts aren't managed by an organization is already set to Off then this setting will not be visible and can be considered to be in a passing state. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams 2. Run the following command: Set-CsTenantFederationConfiguration -AllowTeamsConsumerInbound $false Associated Objects
Affected Objects
|
8.2.4 | Ensure communication with Skype users is disabled | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure communication with Skype users is disabled Description Teams users will be unable to communicate with Skype users that are not in the same organization. Recommendation and Steps To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com/. 2. Click to expand Users select External access. 3. Locate Skype users 4. Set Allow users in my organization to communicate with Skype users to Off. 5. Click Save. To remediate using PowerShell: Connect to Teams PowerShell using Connect-MicrosoftTeams Run the following command: Set-CsTenantFederationConfiguration -AllowPublicUsers $false Associated Objects
Affected Objects
|
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
8.5.1 | Ensure anonymous users can't join a meeting | High | Not Restricted | E3 Level 2 | CIS v4.0 | NO |
X TEST NAME Ensure anonymous users can't join a meeting Description Item does not meet all the requirements as per test. This policy setting can prevent anyone other than invited attendees (people directly invited by the organizer, or to whom an invitation was forwarded) from bypassing the lobby and entering the meeting. For more information on how to set up a sensitive meeting, please visit: [Configure Teams meetings with protection for sensitive data - Microsoft Teams | Microsoft Learn](https://learn.microsoft.com/en-us/MicrosoftTeams/configure-meetings-sensitive-protection) For meetings that could contain sensitive information, it is best to allow the meeting organizer to vet anyone not directly sent an invite before admitting them to the meeting. This will also prevent the anonymous user from using the meeting link to have meetings at unscheduled times. Note: Those companies that don't normally operate at a Level 2 environment, but do deal with sensitive information, may want to consider this policy setting. Individuals who were not sent or forwarded a meeting invite will not be able to join the meeting automatically. None None Recommendation and Steps To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under meeting join & lobby set Anonymous users can join a meeting to Off. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams 2. Run the following command to set the recommended state: Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToJoinMeeting $false Associated Objects
Affected Objects More Information TEST ID
|
8.5.3 | Ensure only people in my org can bypass the lobby | High | Not Restricted: EveryoneInCompany | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure only people in my org can bypass the lobby Description Item does not meet all the requirements as per test. This policy setting controls who can join a meeting directly and who must wait in the lobby until they are admitted by an organizer, co-organizer, or presenter of the meeting. For meetings that could contain sensitive information, it is best to allow the meeting organizer to vet anyone not directly sent an invite before admitting them to the meeting. This will also prevent the anonymous user from using the meeting link to have meetings at unscheduled times. Individuals who were not part of the organization will have to wait in the lobby until they are admitted by an organizer, co-organizer, or presenter of the meeting. None None Recommendation and Steps To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under meeting join & lobby set Who can bypass the lobby to People in my org. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Run the following command to set the recommended state: Set-CsTeamsMeetingPolicy -Identity Global -AutoAdmittedUsers Associated Objects
Affected Objects |
8.5.4 | Ensure users dialing in can't bypass the lobby | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure users dialing in can't bypass the lobby Description Item does not meet all the requirements as per test. This policy setting controls if users who dial in by phone can join the meeting directly or must wait in the lobby. Admittance to the meeting from the lobby is authorized by the meeting organizer, co-organizer, or presenter of the meeting. For meetings that could contain sensitive information, it is best to allow the meeting organizer to vet anyone not directly from the organization. Individuals who are dialing in to the meeting must wait in the lobby until a meeting organizer, co-organizer, or presenter admits them. None None Recommendation and Steps To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under meeting join & lobby set People dialing in can not bypass the lobby to Off. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Run the following command to set the recommended state: Set-CsTeamsMeetingPolicy -Identity Global -AllowPSTNUsersToBypassLobby $false Associated Objects
Affected Objects |
8.5.5 | Ensure meeting chat does not allow anonymous users | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure meeting chat does not allow anonymous users Description Item does not meet all the requirements as per test. This policy setting controls who has access to read and write chat messages during a meeting. Ensuring that only authorized individuals can read and write chat messages during a meeting reduces the risk that a malicious user can inadvertently show content that is not appropriate or view sensitive information. Only authorized individuals will be able to read and write chat messages during a meeting. None None Recommendation and Steps To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under meeting engagement set Meeting chat to On for everyone but anonymous users. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Run the following command to set the recommended state: Set-CsTeamsMeetingPolicy -Identity Global -MeetingChatEnabledType Associated Objects
Affected Objects More Information TEST ID
|
8.5.6 | Ensure only organizers and co-organizers can present | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure only organizers and co-organizers can present Description Item does not meet all the requirements as per test. This policy setting controls who can present in a Teams meeting. Note: Organizers and co-organizers can change this setting when the meeting is set up. Ensuring that only authorized individuals are able to present reduces the risk that a malicious user can inadvertently show content that is not appropriate. Only organizers and co-organizers will be able to present without being granted permission. None None Recommendation and Steps To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under content sharing set Who can present to Only organizers and co-organizers. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Run the following command to set the recommended state: Set-CsTeamsMeetingPolicy -Identity Global -DesignatedPresenterRoleMode Associated Objects
Affected Objects |
8.5.7 | Ensure external participants can't give or request control | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
X TEST NAME Ensure external participants can't give or request control Description Item does not meet all the requirements as per test. This policy setting allows control of who can present in meetings and who can request control of the presentation while a meeting is underway. Ensuring that only authorized individuals and not external participants are able to present and request control reduces the risk that a malicious user can inadvertently show content that is not appropriate. External participants are categorized as follows: external users, guests, and anonymous users. External participants will not be able to present or request control during the meeting. Warning: This setting also affects webinars. Note: At this time, to give and take control of shared content during a meeting, both parties must be using the Teams desktop client. Control is not supported when either party is running Teams in a browser. None None Recommendation and Steps To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under content sharing set External participants can give or request control to Off. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Run the following command to set the recommended state: Set-CsTeamsMeetingPolicy -Identity Global -AllowExternalParticipantGiveRequestControl $false Associated Objects
Affected Objects |
8.5.8 | Ensure external meeting chat is off | High | Not Restricted | E3 Level 2 | CIS v4.0 | NO |
X TEST NAME Ensure external meeting chat is off Description When joining external meetings, users will be unable to read or write chat messages in Teams meetings with organizations that they don't have a trust relationship with. This will completely remove the chat functionality in those meetings. From an I.T. perspective, both the upkeep of adding new organizations to the trusted list and the decision-making process behind whether to trust or not trust an external partner will increase time expenditure. Recommendation and Steps To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings select Meeting policies. 3. Click Global (Org-wide default). 4. Under meeting engagement set External meeting chat to Off. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Run the following command to set the recommended state: Set-CsTeamsMeetingPolicy -Identity Global -AllowExternalNonTrustedMeetingChat $false Associated Objects
Affected Objects
More Information TEST ID
|
8.5.9 | Ensure meeting recording is off by default | High | Not Restricted | E3 Level 2 | CIS v4.0 | NO |
TEST NAME Ensure meeting recording is off by default Description If there are no additional policies allowing anyone to record, then recording will effectively be disabled. Recommendation and Steps To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Meetings and select Meeting policies. 3. Click Global (Org-wide default). 4. Under Recording & transcription set Meeting recording to Off. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Run the following command to set the recommended state: Set-CsTeamsMeetingPolicy -Identity Global -AllowCloudRecording $false Associated Objects
Affected Objects
More Information TEST ID
|
8.5.2 | Ensure anonymous users and dial-in callers can't start a meeting | Passed | Restricted | E3 Level 1 | CIS v4.0 | YES |
TEST NAME Ensure anonymous users and dial-in callers can't start a meeting Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects
Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
8.6.1 | Ensure users can report security concerns in Teams | High | Cannot Report | E3 Level 1 | CIS v4.0 | NO |
TEST NAME Ensure users can report security concerns in Teams Description Item does not meet all the requirements as per test. User reporting settings allow a user to report a message as malicious for further analysis. This recommendation is composed of 3 different settings, and all three must be configured to pass: - In the Teams admin center: On by default; controls whether users are able to report messages from Teams. When this setting is turned off, users cannot report messages within Teams, so the corresponding setting in the Microsoft 365 Defender portal is irrelevant. - In the Microsoft 365 Defender portal: On by default for new tenants. Existing tenants need to enable it. If user reporting of messages is turned on in the Teams admin center, it also needs to be turned on in the Defender portal for user reported messages to show up correctly on the User reported tab on the Submissions page. - Defender - Report message destinations: This applies to more than just Microsoft Teams and allows an organization to keep its reports contained. Due to how the parameters are configured on the backend, it is included in this assessment as a requirement. Users will be able to more quickly and systematically alert administrators of suspicious or malicious messages within Teams. The content of these messages may be sensitive in nature and therefore should be kept within the organization and not shared with Microsoft without first consulting company policy. Note: - The reported message remains visible to the user in the Teams client. - Users can report the same message multiple times. - The message sender is not notified that messages were reported. Enabling message reporting has an impact beyond just addressing security concerns. When users of the platform report a message, the content could include messages that are threatening or harassing in nature, possibly stemming from colleagues.
Due to this, the security staff responsible for reviewing and acting on these reports should be equipped with the skills to discern and appropriately direct such messages to the relevant departments, such as Human Resources (HR). Recommendation and Steps To remediate using the UI: 1. Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com. 2. Click to expand Messaging and select Messaging policies. 3. Click Global (Org-wide default). 4. Set Report a security concern to On. 5. Next, navigate to Microsoft 365 Defender https://security.microsoft.com/ 6. Click on Settings > Email & collaboration > User reported settings. 7. Scroll to Microsoft Teams. 8. Check Monitor reported messages in Microsoft Teams and Save. 9. Set Send reported messages to: to My reporting mailbox only, with reports configured to be sent to authorized staff. To remediate using PowerShell: 1. Connect to Teams PowerShell using Connect-MicrosoftTeams. 2. Connect to Exchange Online PowerShell using Connect-ExchangeOnline. 3. Run the following cmdlet: Set-CsTeamsMessagingPolicy -Identity Global -AllowSecurityEndUserReporting $true 4. To configure the Defender reporting policies, edit and run this script (the reporting mailbox is a placeholder that must be replaced with the organization's own mailbox):
$usersub = "<reporting-mailbox@your-domain>" # Change this to the organization's reporting mailbox.
$params = @{
    Identity = "DefaultReportSubmissionPolicy"
    EnableReportToMicrosoft = $false
    ReportChatMessageEnabled = $false
    ReportChatMessageToCustomizedAddressEnabled = $true
    ReportJunkToCustomizedAddress = $true
    ReportNotJunkToCustomizedAddress = $true
    ReportPhishToCustomizedAddress = $true
    ReportJunkAddresses = $usersub
    ReportNotJunkAddresses = $usersub
    ReportPhishAddresses = $usersub
}
Set-ReportSubmissionPolicy @params
New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub
Associated Objects
Affected Objects More Information TEST ID
|
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
9.1.1 | Ensure guest user access is restricted | High | Not Restricted: 10dae51f-b6af-4016-8d66-8c2a99b929b3 | E3 Level 1 | CIS v4.0 | NO |
TEST NAME Ensure guest user access is restricted Description Item does not meet all the requirements as per test. This setting allows business-to-business (B2B) guests access to Microsoft Fabric and to content that they have permissions to. With the setting turned off, B2B guest users receive an error when trying to access Power BI. The recommended state is Enabled for a subset of the organization or Disabled. Establishing and enforcing a dedicated security group prevents unauthorized access to Microsoft Fabric for guests collaborating in Azure that are new or assigned guest status from other applications. This upholds the principle of least privilege and uses role-based access control (RBAC). These security groups can also be used for tasks like conditional access, enhancing risk management and user accountability across the organization. Security groups will need to be more closely tended to and monitored. Recommendation and Steps Restrict AAD guest user access: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Export and Sharing settings. 4. Set Allow Azure Active Directory guest users to access Microsoft Fabric to one of these states: - State 1: Disabled - State 2: Enabled with Specific security groups selected and defined. Important: If the organization doesn't actively use this feature it is recommended to keep it Disabled. Associated Objects
Affected Objects More Information TEST ID
|
9.1.2 | Ensure external user invitations are restricted | High | Not Restricted: everyone | E3 Level 1 | CIS v4.0 | NO |
TEST NAME Ensure external user invitations are restricted Description Item does not meet all the requirements as per test. The Invite external users setting helps organizations choose whether new external users can be invited to the organization through Power BI sharing, permissions, and subscription experiences. This setting only controls the ability to invite through Power BI. The recommended state is Enabled for a subset of the organization or Disabled. Note: To invite external users to the organization, the user must also have the Azure Active Directory Guest Inviter role. Establishing and enforcing a dedicated security group prevents unauthorized access to Microsoft Fabric for guests collaborating in Azure that are new or assigned guest status from other applications. This upholds the principle of least privilege and uses role-based access control (RBAC). These security groups can also be used for tasks like conditional access, enhancing risk management and user accountability across the organization. Guest user invitations will be limited to only specific employees. Recommendation and Steps Restrict external user invitations: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Export and Sharing settings. 4. Set Invite external users to your organization to one of these states: - State 1: Disabled - State 2: Enabled with Specific security groups selected and defined. Important: If the organization doesn't actively use this feature it is recommended to keep it Disabled. Associated Objects
Affected Objects |
9.1.6 | Ensure Allow users to apply sensitivity labels for content is Enabled | Passed | Allow users to apply sensitivity labels for content is enabled | E3 Level 1 | CIS v4.0 | YES |
TEST NAME Ensure Allow users to apply sensitivity labels for content is Enabled Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects
Affected Objects |
9.1.3 | Ensure guest access to content is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
TEST NAME Ensure guest access to content is restricted Description Item does not meet all the requirements as per test. This setting allows Azure AD B2B guest users to have full access to the browsing experience using the left-hand navigation pane in the organization. Guest users who have been assigned workspace roles or specific item permissions will continue to have those roles and/or permissions, even if this setting is disabled. The recommended state is Enabled for a subset of the organization or Disabled. Establishing and enforcing a dedicated security group prevents unauthorized access to Microsoft Fabric for guests collaborating in Azure that are new or assigned guest status from other applications. This upholds the principle of least privilege and uses role-based access control (RBAC). These security groups can also be used for tasks like conditional access, enhancing risk management and user accountability across the organization. Security groups will need to be more closely tended to and monitored. Recommendation and Steps Restrict AAD guest user content access: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Export and Sharing settings. 4. Set Allow Azure Active Directory guest users to edit and manage content in the organization to one of these states: - State 1: Disabled - State 2: Enabled with Specific security groups selected and defined. Important: If the organization doesn't actively use this feature it is recommended to keep it Disabled. Associated Objects Affected Objects More Information TEST ID
|
9.1.4 | Ensure Publish to web is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
TEST NAME Ensure Publish to web is restricted Description Item does not meet all the requirements as per test. Power BI enables users to share reports and materials directly on the internet from both the application's desktop version and its web user interface. This functionality generates a publicly reachable web link that requires neither authentication nor an AAD account in order to access and view it. The recommended state is Enabled for a subset of the organization or Disabled. When using Publish to the web, anyone on the Internet can view a published report or visual. Viewing requires no authentication. It includes viewing the detail-level data that your reports aggregate. By disabling the feature, or restricting access to certain users and allowing only existing embed codes, organizations can mitigate the exposure of confidential or proprietary information. Depending on the organization's utilization, administrators may experience more overhead managing embed codes and requests. Recommendation and Steps Restrict Publish to the web: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Export and Sharing settings. 4. Set Publish to the web to one of these states: - State 1: Disabled - State 2: Enabled with Choose how embed codes work set to Only allow existing codes AND Specific security groups selected and defined. Important: If the organization doesn't actively use this feature it is recommended to keep it Disabled. Associated Objects Affected Objects |
9.1.5 | Ensure Interact with and share R and Python visuals is Disabled | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
TEST NAME Ensure Interact with and share R and Python visuals is Disabled Description Item does not meet all the requirements as per test. Power BI allows the integration of R and Python scripts directly into visuals. This feature enables data visualizations that incorporate custom calculations, statistical analyses, machine learning models, and more using R or Python scripts. Custom visuals can be created by embedding them directly into Power BI reports. Users can then interact with these visuals and see the results of the custom code within the Power BI interface. Disabling this feature reduces the attack surface by preventing malicious code execution that could lead to data breaches or unauthorized access. The use of scripts also increases the potential for sensitive or confidential data being leaked to unintended users. Use of R and Python scripting will require exceptions for developers, along with more stringent code review. Recommendation and Steps Configure the recommended state: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to R and Python visuals settings. 4. Set Interact with and share R and Python visuals to Disabled. Associated Objects Affected Objects |
9.1.7 | Ensure shareable links are restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
TEST NAME Ensure shareable links are restricted Description Item does not meet all the requirements as per test. Creating a shareable link allows a user to create a link to a report or dashboard, then add that link to an email or another messaging application. There are 3 options that can be selected when creating a shareable link: - People in your organization - People with existing access - Specific people This setting solely deals with restrictions to People in your organization. External users by default are not included in any of these categories, and therefore cannot use any of these links regardless of the state of this setting. The recommended state is Enabled for a subset of the organization or Disabled. While external users are unable to utilize shareable links, disabling or restricting this feature ensures that a user cannot generate a link accessible by individuals within the same organization who lack the necessary clearance for the shared data. For example, a member of Human Resources intends to share sensitive information with a particular employee or another colleague within their department. The owner would be prompted to specify either People with existing access or Specific people when generating the link, requiring the person clicking the link to pass a first-layer access control list. This measure, along with proper file and folder permissions, can help prevent unintended access and potential information leakage. If the setting is Enabled, then only specific people in the organization would be allowed to create general links viewable by the entire organization. Recommendation and Steps Restrict shareable links: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Export and Sharing settings. 4. Set Allow shareable links to grant access to everyone in your organization to one of these states: - State 1: Disabled - State 2: Enabled with Specific security groups selected and defined. Important: If the organization doesn't actively use this feature it is recommended to keep it Disabled. Associated Objects Affected Objects |
9.1.8 | Ensure enabling of external data sharing is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
TEST NAME Ensure enabling of external data sharing is restricted Description Item does not meet all the requirements as per test. Power BI admins can specify which users or user groups can share datasets externally with guests from a different tenant through the in-place mechanism. Disabling this setting prevents any user from sharing datasets externally by restricting the ability of users to turn on external sharing for datasets they own or manage. The recommended state is Enabled for a subset of the organization or Disabled. Establishing and enforcing a dedicated security group prevents unauthorized access to Microsoft Fabric for guests collaborating in Azure that are new or from other applications. This upholds the principle of least privilege and uses role-based access control (RBAC). These security groups can also be used for tasks like conditional access, enhancing risk management and user accountability across the organization. Security groups will need to be more closely tended to and monitored. Recommendation and Steps Restrict external data sharing: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Export and Sharing settings. 4. Set Allow specific users to turn on external data sharing to one of these states: - State 1: Disabled - State 2: Enabled with Specific security groups selected and defined. Important: If the organization doesn't actively use this feature it is recommended to keep it Disabled. Associated Objects Affected Objects More Information TEST ID
|
9.1.9 | Ensure Block ResourceKey Authentication is Enabled | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
TEST NAME Ensure Block ResourceKey Authentication is Enabled Description Item does not meet all the requirements as per test. This setting blocks the use of resource key based authentication. The Block ResourceKey Authentication setting applies to streaming and PUSH datasets. If blocked, users will not be allowed to send data to streaming and PUSH datasets using the API with a resource key. The recommended state is Enabled. Resource keys are a form of authentication that allows users to access Power BI resources (such as reports, dashboards, and datasets) without requiring individual user accounts. While convenient, this method bypasses the organization's centralized identity and access management controls. Enabling the block ensures that access to Power BI resources is tied to the organization's authentication mechanisms, providing a more secure and controlled environment. Developers will need to request a special exception in order to use this feature. Recommendation and Steps Ensure Block ResourceKey Authentication is Enabled: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Developer settings. 4. Set Block ResourceKey Authentication to Enabled. Associated Objects Affected Objects |
9.1.10 | Ensure access to APIs by Service Principals is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
TEST NAME Ensure access to APIs by Service Principals is restricted Description Disabled is the default behavior. Recommendation and Steps To remediate using the UI: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Developer settings. 4. Set Service principals can use Fabric APIs to one of these states: - State 1: Disabled - State 2: Enabled with Specific security groups selected and defined. Important: If the organization doesn't actively use this feature it is recommended to keep it Disabled. Associated Objects Affected Objects More Information TEST ID
|
9.1.11 | Ensure Service Principals cannot create and use profiles | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
TEST NAME Ensure Service Principals cannot create and use profiles Description Disabled is the default behavior. Recommendation and Steps To remediate using the UI: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Developer settings. 4. Set Allow service principals to create and use profiles to one of these states: - State 1: Disabled - State 2: Enabled with Specific security groups selected and defined. Important: If the organization doesn't actively use this feature it is recommended to keep it Disabled. Associated Objects Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
Not Available | Ensure Microsoft 365 Users Have Changed Passwords | High | 8334 | SP v1.0 | NO |
TEST NAME Ensure Microsoft 365 Users Have Changed Passwords Description Some Microsoft 365 users have not changed their passwords within 90 days, which is a security risk. Every Microsoft 365 user must change their password within 90 days. Recommendation and Steps Please identify these users and make sure they change their passwords. Associated Objects
Affected Objects
|
Not Available | Ensure All Microsoft 365 Users are licensed | Medium | 8314 | SP v1.0 | NO |
TEST NAME Ensure All Microsoft 365 Users are licensed Description Some Microsoft 365 Users are not licensed. Unlicensed users will not be able to use Microsoft 365 Services. Recommendation and Steps It is recommended to assign Licenses to users. Associated Objects
Affected Objects
|
Not Available | Ensure Microsoft 365 Users Password Expires | Medium | 0 | SP v1.0 | NO |
TEST NAME Ensure Microsoft 365 Users Password Expires Description Some Microsoft 365 Users have their Password set to NOT Expire. These users can keep a single password indefinitely, and if that password is compromised, anyone holding it can access Microsoft 365 Services. Recommendation and Steps Every user in Microsoft 365 must change their password according to Password Policies. Associated Objects
Affected Objects
|
Not Available | Ensure Microsoft 365 Groups Without Members are Identified | Low | 5 | SP v1.0 | NO |
TEST NAME Ensure Microsoft 365 Groups Without Members are Identified Description Some Microsoft 365 Groups do not contain user members. If these Groups were created for some reason, then they should have members in them. Recommendation and Steps Please review the list of Groups provided by the test and add users or remove these groups. Associated Objects
Affected Objects
|
Not Available | Ensure Deleted Microsoft 365 Users are Identified | Passed | 0 | SP v1.0 | YES |
TEST NAME Ensure Deleted Microsoft 365 Users are Identified Description No users were found in Microsoft 365 Recycle Bin. Recommendation and Steps Associated Objects
Affected Objects |
Not Available | Ensure Disabled Microsoft 365 Users are Identified | Passed | 6 | SP v1.0 | YES |
TEST NAME Ensure Disabled Microsoft 365 Users are Identified Description No users are disabled. Recommendation and Steps Associated Objects Affected Objects
|
Not Available | Ensure Microsoft 365 Blocked Users are Identified | Passed | 0 | SP v1.0 | YES |
TEST NAME Ensure Microsoft 365 Blocked Users are Identified Description No Blocked Users were found in Microsoft 365. Recommendation and Steps Associated Objects
Affected Objects |
Not Available | Ensure Microsoft 365 Company Administrators have less than 5 Admins | Passed | 0 | SP v1.0 | YES |
|
Not Available | Ensure Microsoft 365 Deleted and Licensed Users are Identified | Passed | 0 | SP v1.0 | YES |
TEST NAME Ensure Microsoft 365 Deleted and Licensed Users are Identified Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects
Affected Objects |
Not Available | Ensure no Provisioning Errors for Microsoft 365 Users | Manual Check | NONE | SP v1.0 | NO |
TEST NAME Ensure no Provisioning Errors for Microsoft 365 Users Description Item does not meet all the requirements as per test. Please ensure there are no provisioning errors for Microsoft 365 users. Recommendation and Steps Please ensure there are no provisioning errors for Microsoft 365 users. Associated Objects Affected Objects |
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
Not Available | Ensure Users can create security groups is disabled | High | Enabled-Not Ok | SP v1.0 | NO |
TEST NAME Ensure Users can create security groups is disabled Description Item does not meet all the requirements as per test. Dangerous default configuration settings were found in the Tenant. By default, Azure tenants allow all users to access the Azure Active Directory blade, to read all other users' accounts, create groups, and invite guests. These default settings extend to guest accounts as well, allowing guests to perform these same actions. Other default configurations allow for Self-Service creation of accounts from accepted mail domains. Recommendation and Steps The excessive user permissions can be mitigated by running the listed PowerShell commands as a Global Admin. User access to the Azure AD blade can be restricted by navigating to the Azure Active Directory blade; User Settings and toggling 'Restrict access to Azure AD administration portal' to Yes. Guest invites may be restricted by navigating to the Azure Active Directory blade; External Identities; External Collaboration Settings, or by going to the Azure Active Directory blade; User Settings; Manage external collaboration settings and toggling 'Members can invite' and 'Guests can invite' to No. Associated Objects Affected Objects More Information TEST ID
|
Not Available | Ensure Users with a verified mail domain can join the tenant is disabled | High | Enabled-Not Ok | SP v1.0 | NO |
TEST NAME Ensure Users with a verified mail domain can join the tenant is disabled Description Item does not meet all the requirements as per test. Dangerous default configuration settings were found in the Tenant. By default, Azure tenants allow all users to access the Azure Active Directory blade, to read all other users' accounts, create groups, and invite guests. These default settings extend to guest accounts as well, allowing guests to perform these same actions. Other default configurations allow for Self-Service creation of accounts from accepted mail domains. Recommendation and Steps The excessive user permissions can be mitigated by running the listed PowerShell commands as a Global Admin. User access to the Azure AD blade can be restricted by navigating to the Azure Active Directory blade; User Settings and toggling 'Restrict access to Azure AD administration portal' to Yes. Guest invites may be restricted by navigating to the Azure Active Directory blade; External Identities; External Collaboration Settings, or by going to the Azure Active Directory blade; User Settings; Manage external collaboration settings and toggling 'Members can invite' and 'Guests can invite' to No. Associated Objects Affected Objects More Information TEST ID
|
Not Available | Ensure Guests can invite other guests into the tenant is disabled | High | Enabled-Not Ok | SP v1.0 | NO |
TEST NAME Ensure Guests can invite other guests into the tenant is disabled Description Item does not meet all the requirements as per test. Dangerous default configuration settings were found in the Tenant. By default, Azure tenants allow all users to access the Azure Active Directory blade, to read all other users' accounts, create groups, and invite guests. These default settings extend to guest accounts as well, allowing guests to perform these same actions. Other default configurations allow for Self-Service creation of accounts from accepted mail domains. Recommendation and Steps The excessive user permissions can be mitigated by running the listed PowerShell commands as a Global Admin. User access to the Azure AD blade can be restricted by navigating to the Azure Active Directory blade; User Settings and toggling 'Restrict access to Azure AD administration portal' to Yes. Guest invites may be restricted by navigating to the Azure Active Directory blade; External Identities; External Collaboration Settings, or by going to the Azure Active Directory blade; User Settings; Manage external collaboration settings and toggling 'Members can invite' and 'Guests can invite' to No. Associated Objects Affected Objects More Information TEST ID
|
Not Available | Ensure Users are allowed to create new Azure Active Directory Tenants is disabled | High | Enabled-Not Ok | SP v1.0 | NO |
TEST NAME Ensure Users are allowed to create new Azure Active Directory Tenants is disabled Description Item does not meet all the requirements as per test. Dangerous default configuration settings were found in the Tenant. By default, Azure tenants allow all users to access the Azure Active Directory blade, to read all other users' accounts, create groups, and invite guests. These default settings extend to guest accounts as well, allowing guests to perform these same actions. Other default configurations allow for Self-Service creation of accounts from accepted mail domains. Recommendation and Steps The excessive user permissions can be mitigated by running the listed PowerShell commands as a Global Admin. User access to the Azure AD blade can be restricted by navigating to the Azure Active Directory blade; User Settings and toggling 'Restrict access to Azure AD administration portal' to Yes. Guest invites may be restricted by navigating to the Azure Active Directory blade; External Identities; External Collaboration Settings, or by going to the Azure Active Directory blade; User Settings; Manage external collaboration settings and toggling 'Members can invite' and 'Guests can invite' to No. Associated Objects Affected Objects More Information TEST ID
|
Not Available | Ensure Policy exists to restrict non-administrator access to Azure Active Directory or Entra | High | No Policy Found | SP v1.0 | NO |
TEST NAME Ensure Policy exists to restrict non-administrator access to Azure Active Directory or Entra Description Item does not meet all the requirements as per test. Restrict non-privileged users from signing into the Azure Active Directory portal. Note: This recommendation only affects access to the Azure AD web portal. It does not prevent non-privileged users from using other methods such as the REST API or PowerShell to obtain information. Those channels are addressed elsewhere in this document. The Azure AD administrative (AAD) portal contains sensitive data and permission settings, which are still enforced based on the user's role. However, an end user may inadvertently change properties or account settings that could result in increased administrative overhead. Additionally, a compromised end user account could be used by a malicious attacker as a means to gather additional information and escalate an attack. Note: Users will still be able to sign into the Azure Active Directory admin center but will be unable to see directory information. Recommendation and Steps Ensure access to the Azure AD portal is restricted: 1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/ 2. Click to expand Identity > Users > User settings. 3. Set Restrict access to Microsoft Entra ID administration portal to Yes, then Save. Associated Objects Affected Objects More Information TEST ID
|
Not Available | Ensure Users can read all attributes in Azure AD is disabled | Medium | Enabled-Not Ok | SP v1.0 | NO |
TEST NAME Ensure Users can read all attributes in Azure AD is disabled Description Item does not meet all the requirements as per test. Dangerous default configuration settings were found in the Tenant. By default, Azure tenants allow all users to access the Azure Active Directory blade, to read all other users' accounts, create groups, and invite guests. These default settings extend to guest accounts as well, allowing guests to perform these same actions. Other default configurations allow for Self-Service creation of accounts from accepted mail domains. Recommendation and Steps The excessive user permissions can be mitigated by running the listed PowerShell commands as a Global Admin. User access to the Azure AD blade can be restricted by navigating to the Azure Active Directory blade; User Settings and toggling 'Restrict access to Azure AD administration portal' to Yes. Guest invites may be restricted by navigating to the Azure Active Directory blade; External Identities; External Collaboration Settings, or by going to the Azure Active Directory blade; User Settings; Manage external collaboration settings and toggling 'Members can invite' and 'Guests can invite' to No. Associated Objects Affected Objects More Information TEST ID
|
Not Available | Ensure Users are allowed to create and register applications is disabled | Passed | Disabled-Ok | SP v1.0 | YES |
X TEST NAME Ensure Users are allowed to create and register applications is disabled Description Item has met all the requirements as per test. Recommendation and Steps Associated Objects Affected Objects More Information TEST ID
|
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
Not Available | Ensure Microsoft 365 Licenses are consumed in SKUs | High | 2 | SP v1.0 | NO |
TEST NAME: Ensure Microsoft 365 Licenses are consumed in SKUs
Description: Some SKUs are not being used in Microsoft 365. Microsoft 365 Services are being charged for SKUs which are not in use.
Recommendation and Steps: Please review the SKU list and make sure users are licensed from unused SKUs.
Not Available | Ensure All Microsoft 365 Domains Have been verified | Passed | 0 | SP v1.0 | YES |
TEST NAME: Ensure All Microsoft 365 Domains Have been verified
Description: All Microsoft 365 domains have been verified.
Not Available | Ensure Microsoft 365 Domain Services Have Services Assigned | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Notification Email is configured | Passed | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Organization Level Mailbox Auditing is configured | Passed | Enabled | SP v1.0 | YES |
TEST NAME: Ensure Microsoft 365 Organization Level Mailbox Auditing is configured
Description: Auditing is enabled for Organization.
All Tests Table
Assessment Table status contains status for both CIS Benchmark and SmartProfiler Tests.
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
Not Available | SharePoint External Sharing is not Enabled at Global Level | Critical | Enabled : Sharing capability is ExternalUserAndGuestSharing (Anyone). | SP v1.0 | NO |
Not Available | SharePoint External User Resharing is not Permitted | Critical | Permitted | SP v1.0 | NO |
Not Available | SharePoint Legacy Authentication is not Enabled | Critical | Enabled | SP v1.0 | NO |
Not Available | Ensure Microsoft 365 Exchange Online Privileged Access Management is Used | High | Not Enabled | SP v1.0 | NO |
Not Available | Ensure Enterprise Applications Role Assignments are reviewed weekly | High | 14 | SP v1.0 | NO |
1.3.3 | Ensure calendar details sharing with external users is disabled | High | Enabled | E3 Level 2 | CIS v4.0 | NO |
1.3.7 | Ensure third-party storage services are restricted in Microsoft 365 on the web | High | Not Restricted | E3 Level 2 | CIS v4.0 | NO |
2.1.1 | Ensure Safe Links for Office Applications is Enabled | High | Not Enabled | E5 Level 2 | CIS v4.0 | NO |
2.1.2 | Ensure the Common Attachment Types Filter is enabled | High | Not Enabled | E3 Level 1 | CIS v4.0 | NO |
2.1.3 | Ensure notifications for internal users sending malware is Enabled | High | Not Enabled | E3 Level 1 | CIS v4.0 | NO |
2.1.6 | Ensure Exchange Online Spam Policies are set correctly | High | Not Enabled | E3 Level 1 | CIS v4.0 | NO |
Not Available | Ensure No Domains with SPF Soft Fail are Configured | High | Configured | SP v1.0 | NO |
2.1.9 | Ensure that DKIM is enabled for all Exchange Online Domains | High | 3 | E3 Level 1 | CIS v4.0 | NO |
2.1.10 | Ensure DMARC Records for all Exchange Online domains are published | High | 4 | E3 Level 1 | CIS v4.0 | NO |
Not Available | Ensure all security threats in the Threat protection status report are reviewed and actioned | High | Security Threats Found in Malware Report | SP v1.0 | NO |
2.1.12 | Ensure the connection filter IP allow list is not used | High | Used | E3 Level 1 | CIS v4.0 | NO |
2.4.1 | Ensure Priority account protection is enabled and configured | High | Not Enabled-Not Implemented | E5 Level 1 | CIS v4.0 | NO |
2.4.2 | Ensure Priority accounts have Strict protection presets applied | High | Not Enabled-Not Implemented | E5 Level 1 | CIS v4.0 | NO |
2.4.4 | Ensure Zero-hour auto purge for Microsoft Teams is on | High | Not Restricted | E5 Level 1 | CIS v4.0 | NO |
3.2.1 | Ensure DLP policies are enabled | High | The DLP Policy is NOT Enabled | E3 Level 1 | CIS v4.0 | NO |
3.2.2 | Ensure DLP policies are enabled for Microsoft Teams | High | No DLP Policy Found | E5 Level 1 | CIS v4.0 | NO |
Not Available | Ensure DLP Policy is enabled for OneDrive | High | Not Enabled | SP v1.0 | NO |
Not Available | Ensure DLP Policy is configured for SharePoint | High | Not Enabled | SP v1.0 | NO |
Not Available | Ensure Custom Anti-Malware Policy is Present | High | Not Defined | SP v1.0 | NO |
Not Available | Ensure Custom Anti-Phishing Policy is Present | High | Not Defined | SP v1.0 | NO |
Not Available | Ensure Custom DLP Policies are Present | High | Not Defined-Not Implemented | SP v1.0 | NO |
Not Available | Ensure Custom DLP Sensitive Information Types are Defined | High | No custom DLP sensitive information types defined. | SP v1.0 | NO |
3.3.1 | Ensure SharePoint Online Information Protection policies are set up and used | High | Policies were published on 0 of the 8322 users | E3 Level 1 | CIS v4.0 | NO |
5.1.2.1 | Ensure Per-user MFA is disabled | High | 100 | E3 Level 1 | CIS v4.0 | NO |
5.1.2.4 | Ensure Restrict access to the Azure AD administration portal is set to Yes | High | No Policy Found | E3 Level 1 | CIS v4.0 | NO |
5.1.2.6 | Ensure LinkedIn account connections is disabled | High | Enabled | E3 Level 2 | CIS v4.0 | NO |
5.1.3.1 | Ensure a dynamic group for guest users is created | High | Dynamic Groups for Guest users not found | E3 Level 1 | CIS v4.0 | NO |
5.1.6.3 | Ensure guest user invitations are limited to the Guest Inviter role | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
5.2.2.1 | Ensure multifactor authentication is enabled for all users in administrative roles | High | You have 6 out of 6 users with administrative roles that aren't registered and protected with MFA. | E3 Level 1 | CIS v4.0 | NO |
5.2.2.2 | Ensure multifactor authentication is enabled for all users | High | Multifactor Authentication is not enabled for all users | E3 Level 1 | CIS v4.0 | NO |
5.2.2.3 | Enable Conditional Access policies to block legacy authentication | High | You have 8330 of 8330 users that don't have legacy authentication blocked. | E3 Level 1 | CIS v4.0 | NO |
5.2.2.4 | Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users | High | Not Configured | E3 Level 1 | CIS v4.0 | NO |
5.2.2.5 | Ensure Phishing-resistant MFA strength is required for Administrators | High | Phishing-resistant MFA policy is not configured for administrators | E3 Level 2 | CIS v4.0 | NO |
5.2.2.8 | Ensure Microsoft Azure Management is limited to administrative roles | High | No Policy Found | E3 Level 1 | CIS v4.0 | NO |
5.2.3.1 | Ensure Microsoft Authenticator is configured to protect against MFA fatigue | High | Microsoft Authenticator is disabled. | E3 Level 1 | CIS v4.0 | NO |
5.2.3.2 | Ensure custom banned passwords lists are used | High | Custom banned passwords setting is disabled. | E3 Level 1 | CIS v4.0 | NO |
5.2.6.1 | Ensure the Azure AD Risky sign-ins report is reviewed at least weekly | High | Risky users found | E3 Level 1 | CIS v4.0 | NO |
6.1.4 | Ensure AuditBypassEnabled is not enabled on mailboxes | High | AuditBypass is enabled on some mailboxes | E3 Level 1 | CIS v4.0 | NO |
Not Available | Ensure Microsoft 365 Exchange Online Unified Auditing Is Enabled | High | Disabled | SP v1.0 | NO |
6.2.3 | Ensure Tagging is enabled for External Emails | High | Disabled | E3 Level 1 | CIS v4.0 | NO |
Not Available | Ensure Safe Attachments is Enabled | High | Not Configured - No ATP License | SP v1.0 | NO |
Not Available | Ensure Safe Links is Enabled | High | Not Configured - No ATP License | SP v1.0 | NO |
Not Available | Ensure Safe Links Click-Through is Not Allowed | High | Not Configured - No ATP License | SP v1.0 | NO |
Not Available | Ensure Safe Links Flags Links in Real Time | High | Not Configured - No ATP License | SP v1.0 | NO |
Not Available | Ensure SMTP Authentication is disabled Globally | High | Not Disabled | SP v1.0 | NO |
Not Available | Ensure automatic forwarding options are disabled | High | Not Disabled | SP v1.0 | NO |
Not Available | Ensure the Client Rules Forwarding Block is enabled | High | Disabled | SP v1.0 | NO |
5.2.3.4 | Ensure all member users are MFA capable | High | Configured | E3 Level 1 | CIS v4.0 | NO |
6.2.3 | Ensure email from external senders is identified | High | Not Configured Correctly | E3 Level 1 | CIS v4.0 | NO |
6.3.1 | Ensure users installing Outlook add-ins is not allowed | High | Allowed to Install Outlook Add-in | E3 Level 2 | CIS v4.0 | NO |
Not Available | Ensure Mailboxes External Address Forwarding is not configured | High | 1 | SP v1.0 | NO |
Not Available | Ensure Exchange Online Mailboxes on Litigation Hold | High | 1 | SP v1.0 | NO |
Not Available | Ensure Exchange Online SPAM Domains are identified | High | 2 | SP v1.0 | NO |
Not Available | Ensure Email Security Checks are Bypassed Based on Sender Domain are not configured | High | Configured | SP v1.0 | NO |
Not Available | Ensure Email Security Checks are Bypassed Based on Sender IP are not configured | High | Configured | SP v1.0 | NO |
Not Available | Ensure No Exchange Mailboxes with FullAccess Delegates are present | High | 0 | SP v1.0 | NO |
Not Available | Ensure No Exchange Mailboxes with SendAs Delegates are present | High | SP v1.0 | NO |
Not Available | Ensure No Exchange Mailboxes with SendOnBehalfOf Delegates are present | High | 0 | SP v1.0 | NO |
7.2.1 | Ensure modern authentication for SharePoint applications is required | High | Disabled | E3 Level 1 | CIS v4.0 | NO |
7.2.2 | Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled | High | Disabled | E3 Level 1 | CIS v4.0 | NO |
7.2.3 | Ensure external content sharing is restricted | High | Not Configured Correctly | E3 Level 1 | CIS v4.0 | NO |
7.2.4 | Ensure OneDrive content sharing is restricted | High | Not Disabled | E3 Level 2 | CIS v4.0 | NO |
7.2.5 | Ensure that SharePoint guest users cannot share items they don't own | High | Not Enabled | E3 Level 2 | CIS v4.0 | NO |
Not Available | Ensure document sharing is being controlled by domains with whitelist or blacklist | High | Not Controlled | SP v1.0 | NO |
7.2.7 | Ensure link sharing is restricted in SharePoint and OneDrive | High | Not Restricted-AnonymousAccess | E3 Level 1 | CIS v4.0 | NO |
7.2.10 | Ensure reauthentication with verification code is restricted | High | Not Restricted-False | E3 Level 1 | CIS v4.0 | NO |
7.2.9 | Ensure guest access to a site or OneDrive will expire automatically | High | Do not expire Automatically | E3 Level 1 | CIS v4.0 | NO |
7.2.11 | Ensure the SharePoint default sharing link permission is set | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
7.3.1 | Ensure Microsoft 365 SharePoint infected files are disallowed for download | High | WARNING:Allowed | E5 Level 2 | CIS v4.0 | NO |
7.3.2 | Block OneDrive for Business sync from unmanaged devices | High | WARNING:Not Blocked | E3 Level 2 | CIS v4.0 | NO |
7.3.3 | Ensure custom script execution is restricted on personal sites | High | 49 | E3 Level 1 | CIS v4.0 | NO |
7.3.4 | Ensure custom script execution is restricted on site collections | High | 2 | E3 Level 1 | CIS v4.0 | NO |
Not Available | Ensure SharePoint sites are not enabled for both External and User Sharing | High | Enabled | SP v1.0 | NO |
Not Available | External user sharing-share by email-and guest link sharing are both disabled | High | Not Disabled | SP v1.0 | NO |
Not Available | Ensure that external users cannot share files folders and sites they do not own | High | Not Enabled | SP v1.0 | NO |
Not Available | SharePoint Anyone Shared Links Never Expire is not configured | High | Never Expires | SP v1.0 | NO |
Not Available | Ensure Sign out inactive users in SharePoint Online is Configured | High | The setting is not compliant. | SP v1.0 | NO |
8.1.1 | Ensure external file sharing in Teams is enabled for only approved cloud storage services | High | Not Controlled | E3 Level 2 | CIS v4.0 | NO |
8.1.2 | Ensure users can't send emails to a channel email address | High | Can Send Emails | E3 Level 1 | CIS v4.0 | NO |
Not Available | Ensure End-to-end encryption for Microsoft Teams is enabled | High | Disabled | SP v1.0 | NO |
Not Available | Ensure external domains are not allowed in Teams | High | Allowed All Domains | SP v1.0 | NO |
Not Available | Ensure Microsoft Teams Users Allowed to Invite Anonymous Users is disabled | High | Enabled | SP v1.0 | NO |
Not Available | Ensure Microsoft Teams Policies Allow Anonymous Members is disabled | High | Enabled | SP v1.0 | NO |
Not Available | Ensure Microsoft Teams Consumer Communication Policies are configured | High | Not Configured | SP v1.0 | NO |
Not Available | Ensure Microsoft Teams Users Allowed to Preview Links in Messages is disabled | High | 4 | SP v1.0 | NO |
Not Available | Ensure Safe Links for Teams is Enabled | High | Not Configured - No ATP License | SP v1.0 | NO |
8.2.1 | Ensure external access is restricted in the Teams admin center | High | Not Restricted | E3 Level 2 | CIS v4.0 | NO |
8.4.1 | Ensure app permission policies are configured | High | Either some or all settings are Not compliant | E3 Level 1 | CIS v4.0 | NO |
8.2.2 | Ensure communication with unmanaged Teams users is disabled | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
8.2.3 | Ensure external Teams users cannot initiate conversations | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
8.2.4 | Ensure communication with Skype users is disabled | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
8.5.1 | Ensure anonymous users can't join a meeting | High | Not Restricted | E3 Level 2 | CIS v4.0 | NO |
8.5.3 | Ensure only people in my org can bypass the lobby | High | Not Restricted: EveryoneInCompany | E3 Level 1 | CIS v4.0 | NO |
8.5.4 | Ensure users dialing in can't bypass the lobby | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
8.5.5 | Ensure meeting chat does not allow anonymous users | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
8.5.6 | Ensure only organizers and co-organizers can present | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
8.5.7 | Ensure external participants can't give or request control | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
8.5.8 | Ensure external meeting chat is off | High | Not Restricted | E3 Level 2 | CIS v4.0 | NO |
8.5.9 | Ensure meeting recording is off by default | High | Not Restricted | E3 Level 2 | CIS v4.0 | NO |
8.6.1 | Ensure users can report security concerns in Teams | High | Cannot Report | E3 Level 1 | CIS v4.0 | NO |
9.1.1 | Ensure guest user access is restricted | High | Not Restricted: 10dae51f-b6af-4016-8d66-8c2a99b929b3 | E3 Level 1 | CIS v4.0 | NO |
9.1.2 | Ensure external user invitations are restricted | High | Not Restricted: everyone | E3 Level 1 | CIS v4.0 | NO |
Not Available | Ensure Microsoft 365 Users Have Changed Passwords | High | 8334 | SP v1.0 | NO |
Not Available | Ensure Users can create security groups is disabled | High | Enabled-Not Ok | SP v1.0 | NO |
Not Available | Ensure Users with a verified mail domain can join the tenant is disabled | High | Enabled-Not Ok | SP v1.0 | NO |
Not Available | Ensure Guests can invite other guests into the tenant is disabled | High | Enabled-Not Ok | SP v1.0 | NO |
Not Available | Ensure Users are allowed to create new Azure Active Directory Tenants is disabled | High | Enabled-Not Ok | SP v1.0 | NO |
Not Available | Ensure Policy exists to restrict non-administrator access to Azure Active Directory or Entra | High | No Policy Found | SP v1.0 | NO |
Not Available | Ensure Microsoft 365 Licenses are consumed in SKUs | High | 2 | SP v1.0 | NO |
Not Available | Ensure Guest Users are reviewed and disabled | Medium | 7 | SP v1.0 | NO |
1.2.1 | Ensure that only organizationally managed-approved public groups exist | Medium | 14 | E3 Level 2 | CIS v4.0 | NO |
1.3.6 | Ensure the customer lockbox feature is enabled | Medium | Disabled | E5 Level 2 | CIS v4.0 | NO |
2.1.5 | Ensure Safe Attachments for SharePoint-OneDrive-Microsoft Teams is Enabled | Medium | Not Enabled-Not Implemented | E5 Level 2 | CIS v4.0 | NO |
2.1.8 | Ensure that SPF records are published for all Exchange Domains | Medium | 4 | E3 Level 1 | CIS v4.0 | NO |
Not Available | Ensure the spoofed domains are reviewed and actioned | Medium | 5 | SP v1.0 | NO |
3.1.1 | Ensure Microsoft 365 audit log search is Enabled | Medium | Not Enabled | E3 Level 1 | CIS v4.0 | NO |
Not Available | Ensure the Application Usage report is reviewed and actioned | Medium | 17 | SP v1.0 | NO |
5.1.5.2 | Ensure user consent to apps accessing company data on their behalf is not allowed | Medium | E3 Level 2 | CIS v4.0 | NO |
5.1.8.1 | Ensure that password hash sync is enabled for hybrid deployments | Medium | Password Hash Sync is not enabled. | E3 Level 1 | CIS v4.0 | NO |
5.3.1 | Ensure Privileged Identity Management is used to manage roles | Medium | No permanent active role assignments found. | E5 Level 2 | CIS v4.0 | NO |
Not Available | Ensure Microsoft 365 Hidden Mailboxes are Identified | Medium | 1 | SP v1.0 | NO |
6.5.2 | Ensure MailTips are enabled for end users | Medium | Not All MailTips Enabled | E3 Level 2 | CIS v4.0 | NO |
6.5.3 | Ensure external storage providers available in Outlook on the Web are restricted | Medium | Not Restricted | E3 Level 2 | CIS v4.0 | NO |
Not Available | Ensure expiration time for external sharing links is set | Medium | Expiration Time for Links NOT Set | SP v1.0 | NO |
Not Available | Ensure Microsoft Teams External Domain Communication Policies are configured | Medium | All Domains Allowed | SP v1.0 | NO |
Not Available | Ensure All Microsoft 365 Users are licensed | Medium | 8314 | SP v1.0 | NO |
Not Available | Ensure Microsoft 365 Users Password Expires | Medium | 0 | SP v1.0 | NO |
Not Available | Ensure Users can read all attributes in Azure AD is disabled | Medium | Enabled-Not Ok | SP v1.0 | NO |
Not Available | Ensure Microsoft Teams External Access Policies are configured | Low | Not Configured:EnableFederationAccess is set to True | SP v1.0 | NO |
Not Available | Ensure Microsoft 365 Groups Without Members are Identified | Low | 5 | SP v1.0 | NO |
1.1.1 | Ensure Administrative accounts are separate and cloud-only | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
1.1.3 | Ensure that between two and four global admins are designated | Passed | 3 | E3 Level 1 | CIS v4.0 | YES |
Not Available | Ensure Microsoft 365 User Roles have less than 10 Admins | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Users Have Strong Password Requirements Configured | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure self-service password reset is enabled | Passed | Enabled | SP v1.0 | YES |
Not Available | Ensure that Microsoft 365 Passwords Are Not Set to Expire | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Exchange Online Modern Authentication is Used | Passed | Enabled | SP v1.0 | YES |
1.2.2 | Ensure sign-in to shared mailboxes is blocked | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
1.3.1 | Ensure the Password expiration policy is set to Set passwords to never expire (recommended) | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
1.3.4 | Ensure User owned apps and services is restricted | Passed | Restricted | E3 Level 1 | CIS v4.0 | YES |
2.1.4 | Ensure Safe Attachments policy is enabled | Passed | Not Enabled-Not Implemented | E5 Level 2 | CIS v4.0 | YES |
2.1.7 | Ensure that an anti-phishing policy has been created | Passed | Created | E5 Level 1 | CIS v4.0 | YES |
Not Available | Ensure the Restricted entities are reviewed and actioned | Passed | There are no Restricted users at present | SP v1.0 | YES |
2.1.13 | Ensure the connection filter safe list is off | Passed | Turned Off | E3 Level 1 | CIS v4.0 | YES |
2.1.14 | Ensure inbound anti-spam policies do not contain allowed domains | Passed | Not Allowed | E3 Level 1 | CIS v4.0 | YES |
Not Available | Ensure the Account Provisioning Activity report is reviewed and actioned | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure non-global administrator role group assignments are reviewed and actioned | Passed | There are no non-admin Global Role assignments found in past 7 days | SP v1.0 | YES |
2.4.3 | Ensure Microsoft Defender for Cloud Apps is Enabled | Passed | Enabled | E5 Level 2 | CIS v4.0 | YES |
Not Available | Ensure user role group changes are reviewed and actioned | Passed | There are no user role group changes found in past 7 days | SP v1.0 | YES |
5.1.1.1 | Ensure Security Defaults is disabled on Azure Active Directory | Passed | Security Defaults are disabled. | E3 Level 1 | CIS v4.0 | YES |
5.1.2.2 | Ensure third party integrated applications are not allowed | Passed | Not Allowed | E3 Level 2 | CIS v4.0 | YES |
5.1.2.3 | Ensure Restrict non-admin users from creating tenants is set to Yes | Passed | Disabled-Ok | E3 Level 1 | CIS v4.0 | YES |
5.1.5.3 | Ensure the admin consent workflow is enabled | Passed | Enabled | E3 Level 1 | CIS v4.0 | YES |
5.1.6.2 | Ensure that guest user access is restricted | Passed | Restricted | E3 Level 1 | CIS v4.0 | YES |
5.2.2.6 | Enable Azure AD Identity Protection user risk policies | Passed | E5 Level 2 | CIS v4.0 | YES |
5.2.2.7 | Enable Azure AD Identity Protection sign-in risk policies | Passed | E5 Level 2 | CIS v4.0 | YES |
5.2.4.1 | Ensure Self service password reset enabled is set to All | Passed | You have 8 of 8330 users who don't have self-service password reset enabled. | E3 Level 1 | CIS v4.0 | YES |
Not Available | Ensure the self-service password reset activity report is reviewed and actioned | Passed | Changed Password Found via SSPR | SP v1.0 | YES |
5.3.2 | Ensure Access reviews for Guest Users are configured | Passed | Access Reviews were found | E5 Level 2 | CIS v4.0 | YES |
5.3.3 | Ensure Access reviews for high privileged Azure AD roles are configured | Passed | Access Reviews were found | E5 Level 1 | CIS v4.0 | YES |
6.1.1 | Ensure AuditDisabled organizationally is set to False | Passed | Enabled | E3 Level 1 | CIS v4.0 | YES |
6.1.2 | Ensure mailbox auditing for E3 users is Enabled | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
6.1.3 | Ensure mailbox auditing for E5 users is Enabled | Passed | 0 | E5 Level 1 | CIS v4.0 | YES |
Not Available | Ensure Microsoft 365 Exchange Online Admin Auditing Is Enabled | Passed | Enabled | SP v1.0 | YES |
6.2.1 | Ensure all forms of mail forwarding are blocked and-or disabled | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
6.2.2 | Ensure mail transport rules do not whitelist specific domains | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
NA | Ensure Tagging does not allow specific domains | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
Not Available | Ensure Transport Rules to Block Exchange Auto-Forwarding is configured | Passed | Configured | SP v1.0 | YES |
Not Available | Ensure Do Not Bypass the Safe Attachments Filter is not configured | Passed | Not Configured | SP v1.0 | YES |
Not Available | Ensure Do Not Bypass the Safe Links Feature is not configured | Passed | Not Configured | SP v1.0 | YES |
Not Available | Ensure Exchange Modern Authentication is Enabled | Passed | Enabled | SP v1.0 | YES |
Not Available | Ensure Transport Rules to Block Executable Attachments are configured | Passed | Configured | SP v1.0 | YES |
Not Available | Ensure Malware Filter Policies Alert for Internal Users Sending Malware is configured | Passed | Configured | SP v1.0 | YES |
Not Available | Ensure Transport Rules to Block Large Attachments are configured | Passed | Configured | SP v1.0 | YES |
Not Available | Ensure Mailbox Auditing is Enabled at Tenant Level | Passed | Enabled | SP v1.0 | YES |
Not Available | Ensure Mailboxes without Mailbox Auditing are not present | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure mail transport rules do not forward email to external domains | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure the Advanced Threat Protection Safe Links policy is enabled | Passed | Not Enabled-Not Implemented | SP v1.0 | YES |
Not Available | Ensure the Advanced Threat Protection SafeAttachments policy is enabled | Passed | Not Enabled-Not Implemented | SP v1.0 | YES |
2.1.7 | Ensure that an anti-phishing policy has been created | Passed | Created | E5 Level 1 | CIS v4.0 | YES |
Not Available | Ensure mailbox auditing for all users is Enabled | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure mail forwarding rules are reviewed and actioned | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure the Malware Detections report is reviewed at least weekly | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Deleted Mailboxes are identified and Verified | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Exchange Online Mailbox Auditing is enabled | Passed | 0 | SP v1.0 | YES |
Not Available | Microsoft 365 Exchange Online Admin Success and Failure Attempts | Passed | 0 | SP v1.0 | YES |
Not Available | Microsoft 365 Exchange Online External Access Admin Success and Failure Attempts | Passed | 0 | SP v1.0 | YES |
6.5.1 | Ensure modern authentication for Exchange Online is enabled | Passed | Enabled | E3 Level 1 | CIS v4.0 | YES |
Not Available | SharePoint Online Modern Authentication is Enabled | Passed | Enabled | SP v1.0 | YES |
8.5.2 | Ensure anonymous users and dial-in callers can't start a meeting | Passed | Restricted | E3 Level 1 | CIS v4.0 | YES |
9.1.6 | Ensure Allow users to apply sensitivity labels for content is Enabled | Passed | Allow users to apply sensitivity labels for content is enabled | E3 Level 1 | CIS v4.0 | YES |
Not Available | Ensure Deleted Microsoft 365 Users are Identified | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Disabled Microsoft 365 Users are Identified | Passed | 6 | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Blocked Users are Identified | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Company Administrators have less than 5 Admins | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Deleted and Licensed Users are Identified | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Users are allowed to create and register applications is disabled | Passed | Disabled-Ok | SP v1.0 | YES |
Not Available | Ensure All Microsoft 365 Domains Have been verified | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Domain Services Have Services Assigned | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Notification Email is configured | Passed | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Organization Level Mailbox Auditing is configured | Passed | Enabled | SP v1.0 | YES |
1.1.4 | Ensure administrative accounts use licenses with a reduced application footprint | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
1.1.2 | Ensure two emergency access accounts have been defined | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
1.3.2 | Ensure Idle session timeout is set to 3 hours (or less) for unmanaged devices | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
1.3.5 | Ensure internal phishing protection for Forms is enabled | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
1.3.8 | Ensure that Sways cannot be shared with people outside of your organization | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
2.1.11 | Ensure comprehensive attachment filtering is applied | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
5.1.2.5 | Ensure the option to remain signed in is hidden | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
5.1.2.4 | Ensure access to the Entra admin center is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
5.1.6.1 | Ensure that collaboration invitations are sent to allowed domains only | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
5.2.2.6 | Enable Identity Protection user risk policies | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
5.2.2.7 | Enable Identity Protection sign-in risk policies | Manual Check | NONE | E5 Level 1 | CIS v4.0 | NO |
5.2.2.8 | Ensure admin center access is limited to administrative roles | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
5.2.2.9 | Ensure sign-in risk is blocked for medium and high risk | Manual Check | NONE | E5 Level 2 | CIS v4.0 | NO |
5.2.2.10 | Ensure a managed device is required for authentication | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
5.2.2.11 | Ensure a managed device is required for MFA registration | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
5.2.3.3 | Ensure that password protection is enabled for Active Directory | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
Not Available | Use Just In Time privileged access to Microsoft 365 roles | Manual Check | NONE | SP v1.0 | NO |
5.3.4 | Ensure approval is required for Global Administrator role activation | Manual Check | NONE | E5 Level 1 | CIS v4.0 | NO |
5.2.3.5 | Ensure weak authentication methods are disabled | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
7.2.8 | Ensure external sharing is restricted by security group | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
9.1.3 | Ensure guest access to content is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
9.1.4 | Ensure Publish to web is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
9.1.5 | Ensure Interact with and share R and Python visuals is Disabled | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
9.1.7 | Ensure shareable links are restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
9.1.8 | Ensure enabling of external data sharing is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
9.1.9 | Ensure Block ResourceKey Authentication is Enabled | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
9.1.10 | Ensure access to APIs by Service Principals is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
9.1.11 | Ensure Service Principals cannot create and use profiles | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
Not Available | Ensure no Provisioning Errors for Microsoft 365 Users | Manual Check | NONE | SP v1.0 | NO |
CIS Assessment Status Table
This assessment status table contains the status of each CIS Benchmark test.
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
1.3.3 | Ensure calendar details sharing with external users is disabled | High | Enabled | E3 Level 2 | CIS v4.0 | NO |
1.3.7 | Ensure third-party storage services are restricted in Microsoft 365 on the web | High | Not Restricted | E3 Level 2 | CIS v4.0 | NO |
2.1.1 | Ensure Safe Links for Office Applications is Enabled | High | Not Enabled | E5 Level 2 | CIS v4.0 | NO |
2.1.2 | Ensure the Common Attachment Types Filter is enabled | High | Not Enabled | E3 Level 1 | CIS v4.0 | NO |
2.1.3 | Ensure notifications for internal users sending malware is Enabled | High | Not Enabled | E3 Level 1 | CIS v4.0 | NO |
2.1.6 | Ensure Exchange Online Spam Policies are set correctly | High | Not Enabled | E3 Level 1 | CIS v4.0 | NO |
2.1.9 | Ensure that DKIM is enabled for all Exchange Online Domains | High | 3 | E3 Level 1 | CIS v4.0 | NO |
2.1.10 | Ensure DMARC Records for all Exchange Online domains are published | High | 4 | E3 Level 1 | CIS v4.0 | NO |
2.1.12 | Ensure the connection filter IP allow list is not used | High | Used | E3 Level 1 | CIS v4.0 | NO |
2.4.1 | Ensure Priority account protection is enabled and configured | High | Not Enabled-Not Implemented | E5 Level 1 | CIS v4.0 | NO |
2.4.2 | Ensure Priority accounts have Strict protection presets applied | High | Not Enabled-Not Implemented | E5 Level 1 | CIS v4.0 | NO |
2.4.4 | Ensure Zero-hour auto purge for Microsoft Teams is on | High | Not Restricted | E5 Level 1 | CIS v4.0 | NO |
3.2.1 | Ensure DLP policies are enabled | High | The DLP Policy is NOT Enabled | E3 Level 1 | CIS v4.0 | NO |
3.2.2 | Ensure DLP policies are enabled for Microsoft Teams | High | No DLP Policy Found | E5 Level 1 | CIS v4.0 | NO |
3.3.1 | Ensure SharePoint Online Information Protection policies are set up and used | High | Policies were published on 0 of the 8322 users | E3 Level 1 | CIS v4.0 | NO |
5.1.2.1 | Ensure Per-user MFA is disabled | High | 100 | E3 Level 1 | CIS v4.0 | NO |
5.1.2.4 | Ensure Restrict access to the Azure AD administration portal is set to Yes | High | No Policy Found | E3 Level 1 | CIS v4.0 | NO |
5.1.2.6 | Ensure LinkedIn account connections is disabled | High | Enabled | E3 Level 2 | CIS v4.0 | NO |
5.1.3.1 | Ensure a dynamic group for guest users is created | High | Dynamic Groups for Guest users not found | E3 Level 1 | CIS v4.0 | NO |
5.1.6.3 | Ensure guest user invitations are limited to the Guest Inviter role | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
5.2.2.1 | Ensure multifactor authentication is enabled for all users in administrative roles | High | You have 6 out of 6 users with administrative roles that aren't registered and protected with MFA. | E3 Level 1 | CIS v4.0 | NO |
5.2.2.2 | Ensure multifactor authentication is enabled for all users | High | Multifactor Authentication is not enabled for all users | E3 Level 1 | CIS v4.0 | NO |
5.2.2.3 | Enable Conditional Access policies to block legacy authentication | High | You have 8330 of 8330 users that don't have legacy authentication blocked. | E3 Level 1 | CIS v4.0 | NO |
5.2.2.4 | Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users | High | Not Configured | E3 Level 1 | CIS v4.0 | NO |
5.2.2.5 | Ensure Phishing-resistant MFA strength is required for Administrators | High | Phishing-resistant MFA policy is not configured for administrators | E3 Level 2 | CIS v4.0 | NO |
5.2.2.8 | Ensure Microsoft Azure Management is limited to administrative roles | High | No Policy Found | E3 Level 1 | CIS v4.0 | NO |
5.2.3.1 | Ensure Microsoft Authenticator is configured to protect against MFA fatigue | High | Microsoft Authenticator is disabled. | E3 Level 1 | CIS v4.0 | NO |
5.2.3.2 | Ensure custom banned passwords lists are used | High | Custom banned passwords setting is disabled. | E3 Level 1 | CIS v4.0 | NO |
5.2.6.1 | Ensure the Azure AD Risky sign-ins report is reviewed at least weekly | High | Risky users found | E3 Level 1 | CIS v4.0 | NO |
6.1.4 | Ensure AuditBypassEnabled is not enabled on mailboxes | High | AuditBypass is enabled on some mailboxes | E3 Level 1 | CIS v4.0 | NO |
6.2.3 | Ensure Tagging is enabled for External Emails | High | Disabled | E3 Level 1 | CIS v4.0 | NO |
5.2.3.4 | Ensure all member users are MFA capable | High | Configured | E3 Level 1 | CIS v4.0 | NO |
6.2.3 | Ensure email from external senders is identified | High | Not Configured Correctly | E3 Level 1 | CIS v4.0 | NO |
6.3.1 | Ensure users installing Outlook add-ins is not allowed | High | Allowed to Install Outlook Add-in | E3 Level 2 | CIS v4.0 | NO |
7.2.1 | Ensure modern authentication for SharePoint applications is required | High | Disabled | E3 Level 1 | CIS v4.0 | NO |
7.2.2 | Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled | High | Disabled | E3 Level 1 | CIS v4.0 | NO |
7.2.3 | Ensure external content sharing is restricted | High | Not Configured Correctly | E3 Level 1 | CIS v4.0 | NO |
7.2.4 | Ensure OneDrive content sharing is restricted | High | Not Disabled | E3 Level 2 | CIS v4.0 | NO |
7.2.5 | Ensure that SharePoint guest users cannot share items they don't own | High | Not Enabled | E3 Level 2 | CIS v4.0 | NO |
7.2.7 | Ensure link sharing is restricted in SharePoint and OneDrive | High | Not Restricted-AnonymousAccess | E3 Level 1 | CIS v4.0 | NO |
7.2.10 | Ensure reauthentication with verification code is restricted | High | Not Restricted-False | E3 Level 1 | CIS v4.0 | NO |
7.2.9 | Ensure guest access to a site or OneDrive will expire automatically | High | Do not expire Automatically | E3 Level 1 | CIS v4.0 | NO |
7.2.11 | Ensure the SharePoint default sharing link permission is set | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
7.3.1 | Ensure Microsoft 365 SharePoint infected files are disallowed for download | High | WARNING:Allowed | E5 Level 2 | CIS v4.0 | NO |
7.3.2 | Block OneDrive for Business sync from unmanaged devices | High | WARNING:Not Blocked | E3 Level 2 | CIS v4.0 | NO |
7.3.3 | Ensure custom script execution is restricted on personal sites | High | 49 | E3 Level 1 | CIS v4.0 | NO |
7.3.4 | Ensure custom script execution is restricted on site collections | High | 2 | E3 Level 1 | CIS v4.0 | NO |
8.1.1 | Ensure external file sharing in Teams is enabled for only approved cloud storage services | High | Not Controlled | E3 Level 2 | CIS v4.0 | NO |
8.1.2 | Ensure users can't send emails to a channel email address | High | Can Send Emails | E3 Level 1 | CIS v4.0 | NO |
8.2.1 | Ensure external access is restricted in the Teams admin center | High | Not Restricted | E3 Level 2 | CIS v4.0 | NO |
8.4.1 | Ensure app permission policies are configured | High | Either some or all settings are Not compliant | E3 Level 1 | CIS v4.0 | NO |
8.2.2 | Ensure communication with unmanaged Teams users is disabled | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
8.2.3 | Ensure external Teams users cannot initiate conversations | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
8.2.4 | Ensure communication with Skype users is disabled | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
8.5.1 | Ensure anonymous users can't join a meeting | High | Not Restricted | E3 Level 2 | CIS v4.0 | NO |
8.5.3 | Ensure only people in my org can bypass the lobby | High | Not Restricted: EveryoneInCompany | E3 Level 1 | CIS v4.0 | NO |
8.5.4 | Ensure users dialing in can't bypass the lobby | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
8.5.5 | Ensure meeting chat does not allow anonymous users | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
8.5.6 | Ensure only organizers and co-organizers can present | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
8.5.7 | Ensure external participants can't give or request control | High | Not Restricted | E3 Level 1 | CIS v4.0 | NO |
8.5.8 | Ensure external meeting chat is off | High | Not Restricted | E3 Level 2 | CIS v4.0 | NO |
8.5.9 | Ensure meeting recording is off by default | High | Not Restricted | E3 Level 2 | CIS v4.0 | NO |
8.6.1 | Ensure users can report security concerns in Teams | High | Cannot Report | E3 Level 1 | CIS v4.0 | NO |
9.1.1 | Ensure guest user access is restricted | High | Not Restricted: 10dae51f-b6af-4016-8d66-8c2a99b929b3 | E3 Level 1 | CIS v4.0 | NO |
9.1.2 | Ensure external user invitations are restricted | High | Not Restricted: everyone | E3 Level 1 | CIS v4.0 | NO |
1.2.1 | Ensure that only organizationally managed-approved public groups exist | Medium | 14 | E3 Level 2 | CIS v4.0 | NO |
1.3.6 | Ensure the customer lockbox feature is enabled | Medium | Disabled | E5 Level 2 | CIS v4.0 | NO |
2.1.5 | Ensure Safe Attachments for SharePoint-OneDrive-Microsoft Teams is Enabled | Medium | Not Enabled-Not Implemented | E5 Level 2 | CIS v4.0 | NO |
2.1.8 | Ensure that SPF records are published for all Exchange Domains | Medium | 4 | E3 Level 1 | CIS v4.0 | NO |
3.1.1 | Ensure Microsoft 365 audit log search is Enabled | Medium | Not Enabled | E3 Level 1 | CIS v4.0 | NO |
5.1.5.2 | Ensure user consent to apps accessing company data on their behalf is not allowed | Medium | | E3 Level 2 | CIS v4.0 | NO |
5.1.8.1 | Ensure that password hash sync is enabled for hybrid deployments | Medium | Password Hash Sync is not enabled. | E3 Level 1 | CIS v4.0 | NO |
5.3.1 | Ensure Privileged Identity Management is used to manage roles | Medium | No permanent active role assignments found. | E5 Level 2 | CIS v4.0 | NO |
6.5.2 | Ensure MailTips are enabled for end users | Medium | Not All MailTips Enabled | E3 Level 2 | CIS v4.0 | NO |
6.5.3 | Ensure external storage providers available in Outlook on the Web are restricted | Medium | Not Restricted | E3 Level 2 | CIS v4.0 | NO |
1.1.1 | Ensure Administrative accounts are separate and cloud-only | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
1.1.3 | Ensure that between two and four global admins are designated | Passed | 3 | E3 Level 1 | CIS v4.0 | YES |
1.2.2 | Ensure sign-in to shared mailboxes is blocked | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
1.3.1 | Ensure the Password expiration policy is set to Set passwords to never expire (recommended) | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
1.3.4 | Ensure User owned apps and services is restricted | Passed | Restricted | E3 Level 1 | CIS v4.0 | YES |
2.1.4 | Ensure Safe Attachments policy is enabled | Passed | Not Enabled-Not Implemented | E5 Level 2 | CIS v4.0 | YES |
2.1.7 | Ensure that an anti-phishing policy has been created | Passed | Created | E5 Level 1 | CIS v4.0 | YES |
2.1.13 | Ensure the connection filter safe list is off | Passed | Turned Off | E3 Level 1 | CIS v4.0 | YES |
2.1.14 | Ensure inbound anti-spam policies do not contain allowed domains | Passed | Not Allowed | E3 Level 1 | CIS v4.0 | YES |
2.4.3 | Ensure Microsoft Defender for Cloud Apps is Enabled | Passed | Enabled | E5 Level 2 | CIS v4.0 | YES |
5.1.1.1 | Ensure Security Defaults is disabled on Azure Active Directory | Passed | Security Defaults are disabled. | E3 Level 1 | CIS v4.0 | YES |
5.1.2.2 | Ensure third party integrated applications are not allowed | Passed | Not Allowed | E3 Level 2 | CIS v4.0 | YES |
5.1.2.3 | Ensure Restrict non-admin users from creating tenants is set to Yes | Passed | Disabled-Ok | E3 Level 1 | CIS v4.0 | YES |
5.1.5.3 | Ensure the admin consent workflow is enabled | Passed | Enabled | E3 Level 1 | CIS v4.0 | YES |
5.1.6.2 | Ensure that guest user access is restricted | Passed | Restricted | E3 Level 1 | CIS v4.0 | YES |
5.2.2.6 | Enable Azure AD Identity Protection user risk policies | Passed | | E5 Level 2 | CIS v4.0 | YES |
5.2.2.7 | Enable Azure AD Identity Protection sign-in risk policies | Passed | | E5 Level 2 | CIS v4.0 | YES |
5.2.4.1 | Ensure Self service password reset enabled is set to All | Passed | You have 8 of 8330 users who don't have self-service password reset enabled. | E3 Level 1 | CIS v4.0 | YES |
5.3.2 | Ensure Access reviews for Guest Users are configured | Passed | Access Reviews were found | E5 Level 2 | CIS v4.0 | YES |
5.3.3 | Ensure Access reviews for high privileged Azure AD roles are configured | Passed | Access Reviews were found | E5 Level 1 | CIS v4.0 | YES |
6.1.1 | Ensure AuditDisabled organizationally is set to False | Passed | Enabled | E3 Level 1 | CIS v4.0 | YES |
6.1.2 | Ensure mailbox auditing for E3 users is Enabled | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
6.1.3 | Ensure mailbox auditing for E5 users is Enabled | Passed | 0 | E5 Level 1 | CIS v4.0 | YES |
6.2.1 | Ensure all forms of mail forwarding are blocked and-or disabled | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
6.2.2 | Ensure mail transport rules do not whitelist specific domains | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
NA | Ensure Tagging does not allow specific domains | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
2.1.7 | Ensure that an anti-phishing policy has been created | Passed | Created | E5 Level 1 | CIS v4.0 | YES |
6.5.1 | Ensure modern authentication for Exchange Online is enabled | Passed | Enabled | E3 Level 1 | CIS v4.0 | YES |
8.5.2 | Ensure anonymous users and dial-in callers can't start a meeting | Passed | Restricted | E3 Level 1 | CIS v4.0 | YES |
9.1.6 | Ensure Allow users to apply sensitivity labels for content is Enabled | Passed | Allow users to apply sensitivity labels for content is enabled | E3 Level 1 | CIS v4.0 | YES |
1.1.4 | Ensure administrative accounts use licenses with a reduced application footprint | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
1.1.2 | Ensure two emergency access accounts have been defined | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
1.3.2 | Ensure Idle session timeout is set to 3 hours (or less) for unmanaged devices | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
1.3.5 | Ensure internal phishing protection for Forms is enabled | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
1.3.8 | Ensure that Sways cannot be shared with people outside of your organization | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
2.1.11 | Ensure comprehensive attachment filtering is applied | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
5.1.2.5 | Ensure the option to remain signed in is hidden | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
5.1.2.4 | Ensure access to the Entra admin center is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
5.1.6.1 | Ensure that collaboration invitations are sent to allowed domains only | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
5.2.2.6 | Enable Identity Protection user risk policies | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
5.2.2.7 | Enable Identity Protection sign-in risk policies | Manual Check | NONE | E5 Level 1 | CIS v4.0 | NO |
5.2.2.8 | Ensure admin center access is limited to administrative roles | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
5.2.2.9 | Ensure sign-in risk is blocked for medium and high risk | Manual Check | NONE | E5 Level 2 | CIS v4.0 | NO |
5.2.2.10 | Ensure a managed device is required for authentication | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
5.2.2.11 | Ensure a managed device is required for MFA registration | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
5.2.3.3 | Ensure that password protection is enabled for Active Directory | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
5.3.4 | Ensure approval is required for Global Administrator role activation | Manual Check | NONE | E5 Level 1 | CIS v4.0 | NO |
5.2.3.5 | Ensure weak authentication methods are disabled | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
7.2.8 | Ensure external sharing is restricted by security group | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
9.1.3 | Ensure guest access to content is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
9.1.4 | Ensure Publish to web is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
9.1.5 | Ensure Interact with and share R and Python visuals is Disabled | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
9.1.7 | Ensure shareable links are restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
9.1.8 | Ensure enabling of external data sharing is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
9.1.9 | Ensure Block ResourceKey Authentication is Enabled | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
9.1.10 | Ensure access to APIs by Service Principals is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
9.1.11 | Ensure Service Principals cannot create and use profiles | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
SmartProfiler Assessment Tests Status Table
This assessment status table contains the status of each SmartProfiler test.
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
Not Available | SharePoint External Sharing is not Enabled at Global Level | Critical | Enabled : Sharing capability is ExternalUserAndGuestSharing (Anyone). | SP v1.0 | NO |
Not Available | SharePoint External User Resharing is not Permitted | Critical | Permitted | SP v1.0 | NO |
Not Available | SharePoint Legacy Authentication is not Enabled | Critical | Enabled | SP v1.0 | NO |
Not Available | Ensure Microsoft 365 Exchange Online Privileged Access Management is Used | High | Not Enabled | SP v1.0 | NO |
Not Available | Ensure Enterprise Applications Role Assignments are reviewed weekly | High | 14 | SP v1.0 | NO |
Not Available | Ensure No Domains with SPF Soft Fail are Configured | High | Configured | SP v1.0 | NO |
Not Available | Ensure all security threats in the Threat protection status report are reviewed and actioned | High | Security Threats Found in Malware Report | SP v1.0 | NO |
Not Available | Ensure DLP Policy is enabled for OneDrive | High | Not Enabled | SP v1.0 | NO |
Not Available | Ensure DLP Policy is configured for SharePoint | High | Not Enabled | SP v1.0 | NO |
Not Available | Ensure Custom Anti-Malware Policy is Present | High | Not Defined | SP v1.0 | NO |
Not Available | Ensure Custom Anti-Phishing Policy is Present | High | Not Defined | SP v1.0 | NO |
Not Available | Ensure Custom DLP Policies are Present | High | Not Defined-Not Implemented | SP v1.0 | NO |
Not Available | Ensure Custom DLP Sensitive Information Types are Defined | High | No custom DLP sensitive information types defined. | SP v1.0 | NO |
Not Available | Ensure Microsoft 365 Exchange Online Unified Auditing Is Enabled | High | Disabled | SP v1.0 | NO |
Not Available | Ensure Safe Attachments is Enabled | High | Not Configured - No ATP License | SP v1.0 | NO |
Not Available | Ensure Safe Links is Enabled | High | Not Configured - No ATP License | SP v1.0 | NO |
Not Available | Ensure Safe Links Click-Through is Not Allowed | High | Not Configured - No ATP License | SP v1.0 | NO |
Not Available | Ensure Safe Links Flags Links in Real Time | High | Not Configured - No ATP License | SP v1.0 | NO |
Not Available | Ensure SMTP Authentication is disabled Globally | High | Not Disabled | SP v1.0 | NO |
Not Available | Ensure automatic forwarding options are disabled | High | Not Disabled | SP v1.0 | NO |
Not Available | Ensure the Client Rules Forwarding Block is enabled | High | Disabled | SP v1.0 | NO |
Not Available | Ensure Mailboxes External Address Forwarding is not configured | High | 1 | SP v1.0 | NO |
Not Available | Ensure Exchange Online Mailboxes on Litigation Hold | High | 1 | SP v1.0 | NO |
Not Available | Ensure Exchange Online SPAM Domains are identified | High | 2 | SP v1.0 | NO |
Not Available | Ensure Email Security Checks are Bypassed Based on Sender Domain are not configured | High | Configured | SP v1.0 | NO |
Not Available | Ensure Email Security Checks are Bypassed Based on Sender IP are not configured | High | Configured | SP v1.0 | NO |
Not Available | Ensure No Exchange Mailboxes with FullAccess Delegates are present | High | 0 | SP v1.0 | NO |
Not Available | Ensure No Exchange Mailboxes with SendAs Delegates are present | High | | SP v1.0 | NO |
Not Available | Ensure No Exchange Mailboxes with SendOnBehalfOf Delegates are present | High | 0 | SP v1.0 | NO |
Not Available | Ensure document sharing is being controlled by domains with whitelist or blacklist | High | Not Controlled | SP v1.0 | NO |
Not Available | Ensure SharePoint sites are not enabled for both External and User Sharing | High | Enabled | SP v1.0 | NO |
Not Available | External user sharing-share by email-and guest link sharing are both disabled | High | Not Disabled | SP v1.0 | NO |
Not Available | Ensure that external users cannot share files folders and sites they do not own | High | Not Enabled | SP v1.0 | NO |
Not Available | SharePoint Anyone Shared Links Never Expire is not configured | High | Never Expires | SP v1.0 | NO |
Not Available | Ensure Sign out inactive users in SharePoint Online is Configured | High | The setting is not compliant. | SP v1.0 | NO |
Not Available | Ensure End-to-end encryption for Microsoft Teams is enabled | High | Disabled | SP v1.0 | NO |
Not Available | Ensure external domains are not allowed in Teams | High | Allowed All Domains | SP v1.0 | NO |
Not Available | Ensure Microsoft Teams Users Allowed to Invite Anonymous Users is disabled | High | Enabled | SP v1.0 | NO |
Not Available | Ensure Microsoft Teams Policies Allow Anonymous Members is disabled | High | Enabled | SP v1.0 | NO |
Not Available | Ensure Microsoft Teams Consumer Communication Policies are configured | High | Not Configured | SP v1.0 | NO |
Not Available | Ensure Microsoft Teams Users Allowed to Preview Links in Messages is disabled | High | 4 | SP v1.0 | NO |
Not Available | Ensure Safe Links for Teams is Enabled | High | Not Configured - No ATP License | SP v1.0 | NO |
Not Available | Ensure Microsoft 365 Users Have Changed Passwords | High | 8334 | SP v1.0 | NO |
Not Available | Ensure Users can create security groups is disabled | High | Enabled-Not Ok | SP v1.0 | NO |
Not Available | Ensure Users with a verified mail domain can join the tenant is disabled | High | Enabled-Not Ok | SP v1.0 | NO |
Not Available | Ensure Guests can invite other guests into the tenant is disabled | High | Enabled-Not Ok | SP v1.0 | NO |
Not Available | Ensure Users are allowed to create new Azure Active Directory Tenants is disabled | High | Enabled-Not Ok | SP v1.0 | NO |
Not Available | Ensure Policy exists to restrict non-administrator access to Azure Active Directory or Entra | High | No Policy Found | SP v1.0 | NO |
Not Available | Ensure Microsoft 365 Licenses are consumed in SKUs | High | 2 | SP v1.0 | NO |
Not Available | Ensure Guest Users are reviewed and disabled | Medium | 7 | SP v1.0 | NO |
Not Available | Ensure the spoofed domains are reviewed and actioned | Medium | 5 | SP v1.0 | NO |
Not Available | Ensure the Application Usage report is reviewed and actioned | Medium | 17 | SP v1.0 | NO |
Not Available | Ensure Microsoft 365 Hidden Mailboxes are Identified | Medium | 1 | SP v1.0 | NO |
Not Available | Ensure expiration time for external sharing links is set | Medium | Expiration Time for Links NOT Set | SP v1.0 | NO |
Not Available | Ensure Microsoft Teams External Domain Communication Policies are configured | Medium | All Domains Allowed | SP v1.0 | NO |
Not Available | Ensure All Microsoft 365 Users are licensed | Medium | 8314 | SP v1.0 | NO |
Not Available | Ensure Microsoft 365 Users Password Expires | Medium | 0 | SP v1.0 | NO |
Not Available | Ensure Users can read all attributes in Azure AD is disabled | Medium | Enabled-Not Ok | SP v1.0 | NO |
Not Available | Ensure Microsoft Teams External Access Policies are configured | Low | Not Configured:EnableFederationAccess is set to True | SP v1.0 | NO |
Not Available | Ensure Microsoft 365 Groups Without Members are Identified | Low | 5 | SP v1.0 | NO |
Not Available | Ensure Microsoft 365 User Roles have less than 10 Admins | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Users Have Strong Password Requirements Configured | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure self-service password reset is enabled | Passed | Enabled | SP v1.0 | YES |
Not Available | Ensure that Microsoft 365 Passwords Are Not Set to Expire | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Exchange Online Modern Authentication is Used | Passed | Enabled | SP v1.0 | YES |
Not Available | Ensure the Restricted entities are reviewed and actioned | Passed | There are no Restricted users at present | SP v1.0 | YES |
Not Available | Ensure the Account Provisioning Activity report is reviewed and actioned | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure non-global administrator role group assignments are reviewed and actioned | Passed | There are no non-admin Global Role assignments found in past 7 days | SP v1.0 | YES |
Not Available | Ensure user role group changes are reviewed and actioned | Passed | There are no user role group changes found in past 7 days | SP v1.0 | YES |
Not Available | Ensure the self-service password reset activity report is reviewed and actioned | Passed | Changed Password Found via SSPR | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Exchange Online Admin Auditing Is Enabled | Passed | Enabled | SP v1.0 | YES |
Not Available | Ensure Transport Rules to Block Exchange Auto-Forwarding is configured | Passed | Configured | SP v1.0 | YES |
Not Available | Ensure Do Not Bypass the Safe Attachments Filter is not configured | Passed | Not Configured | SP v1.0 | YES |
Not Available | Ensure Do Not Bypass the Safe Links Feature is not configured | Passed | Not Configured | SP v1.0 | YES |
Not Available | Ensure Exchange Modern Authentication is Enabled | Passed | Enabled | SP v1.0 | YES |
Not Available | Ensure Transport Rules to Block Executable Attachments are configured | Passed | Configured | SP v1.0 | YES |
Not Available | Ensure Malware Filter Policies Alert for Internal Users Sending Malware is configured | Passed | Configured | SP v1.0 | YES |
Not Available | Ensure Transport Rules to Block Large Attachments are configured | Passed | Configured | SP v1.0 | YES |
Not Available | Ensure Mailbox Auditing is Enabled at Tenant Level | Passed | Enabled | SP v1.0 | YES |
Not Available | Ensure Mailboxes without Mailbox Auditing are not present | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure mail transport rules do not forward email to external domains | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure the Advanced Threat Protection Safe Links policy is enabled | Passed | Not Enabled-Not Implemented | SP v1.0 | YES |
Not Available | Ensure the Advanced Threat Protection SafeAttachments policy is enabled | Passed | Not Enabled-Not Implemented | SP v1.0 | YES |
Not Available | Ensure mailbox auditing for all users is Enabled | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure mail forwarding rules are reviewed and actioned | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure the Malware Detections report is reviewed at least weekly | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Deleted Mailboxes are identified and Verified | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Exchange Online Mailbox Auditing is enabled | Passed | 0 | SP v1.0 | YES |
Not Available | Microsoft 365 Exchange Online Admin Success and Failure Attempts | Passed | 0 | SP v1.0 | YES |
Not Available | Microsoft 365 Exchange Online External Access Admin Success and Failure Attempts | Passed | 0 | SP v1.0 | YES |
Not Available | SharePoint Online Modern Authentication is Enabled | Passed | Enabled | SP v1.0 | YES |
Not Available | Ensure Deleted Microsoft 365 Users are Identified | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Disabled Microsoft 365 Users are Identified | Passed | 6 | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Blocked Users are Identified | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Company Administrators have less than 5 Admins | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Deleted and Licensed Users are Identified | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Users are allowed to create and register applications is disabled | Passed | Disabled-Ok | SP v1.0 | YES |
Not Available | Ensure All Microsoft 365 Domains Have been verified | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Domain Services Have Services Assigned | Passed | 0 | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Notification Email is configured | Passed | | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Organization Level Mailbox Auditing is configured | Passed | Enabled | SP v1.0 | YES |
Not Available | Use Just In Time privileged access to Microsoft 365 roles | Manual Check | NONE | SP v1.0 | NO |
Not Available | Ensure no Provisioning Errors for Microsoft 365 Users | Manual Check | NONE | SP v1.0 | NO |
All Manual Checks Table
Contains Manual Checks for both CIS Benchmark and SmartProfiler Tests.
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
1.1.4 | Ensure administrative accounts use licenses with a reduced application footprint | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
1.1.2 | Ensure two emergency access accounts have been defined | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
1.3.2 | Ensure Idle session timeout is set to 3 hours (or less) for unmanaged devices | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
1.3.5 | Ensure internal phishing protection for Forms is enabled | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
1.3.8 | Ensure that Sways cannot be shared with people outside of your organization | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
2.1.11 | Ensure comprehensive attachment filtering is applied | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
5.1.2.5 | Ensure the option to remain signed in is hidden | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
5.1.2.4 | Ensure access to the Entra admin center is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
5.1.6.1 | Ensure that collaboration invitations are sent to allowed domains only | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
5.2.2.6 | Enable Identity Protection user risk policies | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
5.2.2.7 | Enable Identity Protection sign-in risk policies | Manual Check | NONE | E5 Level 1 | CIS v4.0 | NO |
5.2.2.8 | Ensure admin center access is limited to administrative roles | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
5.2.2.9 | Ensure sign-in risk is blocked for medium and high risk | Manual Check | NONE | E5 Level 2 | CIS v4.0 | NO |
5.2.2.10 | Ensure a managed device is required for authentication | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
5.2.2.11 | Ensure a managed device is required for MFA registration | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
5.2.3.3 | Ensure that password protection is enabled for Active Directory | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
Not Available | Use Just In Time privileged access to Microsoft 365 roles | Manual Check | NONE | | SP v1.0 | NO |
5.3.4 | Ensure approval is required for Global Administrator role activation | Manual Check | NONE | E5 Level 1 | CIS v4.0 | NO |
5.2.3.5 | Ensure weak authentication methods are disabled | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
7.2.8 | Ensure external sharing is restricted by security group | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
9.1.3 | Ensure guest access to content is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
9.1.4 | Ensure Publish to web is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
9.1.5 | Ensure Interact with and share R and Python visuals is Disabled | Manual Check | NONE | E3 Level 2 | CIS v4.0 | NO |
9.1.7 | Ensure shareable links are restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
9.1.8 | Ensure enabling of external data sharing is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
9.1.9 | Ensure Block ResourceKey Authentication is Enabled | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
9.1.10 | Ensure access to APIs by Service Principals is restricted | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
9.1.11 | Ensure Service Principals cannot create and use profiles | Manual Check | NONE | E3 Level 1 | CIS v4.0 | NO |
Not Available | Ensure no Provisioning Errors for Microsoft 365 Users | Manual Check | NONE | | SP v1.0 | NO |
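The rows above are the ones the scanner left for a human to confirm. Most of the Entra ID items can be read with the Microsoft Graph PowerShell SDK, and the attachment-filter item with Exchange Online PowerShell, so the evidence does not have to be collected by clicking through portals. The script below is an added example and is not part of the original report or of SmartProfiler-SecID. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, an interactive sign-in that is granted the Policy.Read.All scope, and that the extension list in $RequiredFileTypes is an illustrative subset to be replaced with the full list from the CIS 2.1.11 control. It only reads configuration; only Conditional Access policies in the enabled state are counted as a control, report-only policies are listed separately.

```powershell
# Added example: evidence-gathering for several of the Manual Check rows above
# (CIS 5.2.2.6, 5.2.2.7, 5.2.2.9, 5.2.2.10, 5.2.2.11, 5.2.3.5 and 2.1.11).
# Read-only; nothing in the tenant is changed.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module ExchangeOnlineManagement

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# Only enforced policies count; report-only ones are reported at the end.
$policies = Get-MgIdentityConditionalAccessPolicy -All
$enforced = $policies | Where-Object State -eq 'enabled'

# Does at least one enforced policy satisfy the predicate? Returns Met plus the names.
function Test-CAPolicy {
    param([scriptblock]$Match)
    $hits = $enforced | Where-Object $Match
    [pscustomobject]@{ Met = [bool]$hits; Evidence = ($hits.DisplayName -join '; ') }
}

$findings = [ordered]@{}

# 5.2.2.6 / 5.2.2.7: Identity Protection risk policies expressed as Conditional Access.
$findings['5.2.2.6 user risk policy'] = Test-CAPolicy {
    $_.Conditions.UserRiskLevels -contains 'high' -and
    $_.GrantControls.BuiltInControls -contains 'passwordChange'
}
$findings['5.2.2.7 sign-in risk policy'] = Test-CAPolicy {
    ($_.Conditions.SignInRiskLevels -contains 'medium' -or $_.Conditions.SignInRiskLevels -contains 'high') -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}
# 5.2.2.9: medium and high sign-in risk must be blocked outright.
$findings['5.2.2.9 block medium/high sign-in risk'] = Test-CAPolicy {
    $_.Conditions.SignInRiskLevels -contains 'medium' -and
    $_.Conditions.SignInRiskLevels -contains 'high' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}
# 5.2.2.10: all users, all cloud apps, device must be compliant or hybrid-joined.
$findings['5.2.2.10 managed device for authentication'] = Test-CAPolicy {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    ($_.GrantControls.BuiltInControls -contains 'compliantDevice' -or
     $_.GrantControls.BuiltInControls -contains 'domainJoinedDevice')
}
# 5.2.2.11: the "register security info" user action gated on a managed device.
$findings['5.2.2.11 managed device for MFA registration'] = Test-CAPolicy {
    $_.Conditions.Applications.IncludeUserActions -contains 'urn:user:registersecurityinfo' -and
    ($_.GrantControls.BuiltInControls -contains 'compliantDevice' -or
     $_.GrantControls.BuiltInControls -contains 'domainJoinedDevice')
}

# 5.2.3.5: SMS, voice call and e-mail OTP are the weak methods; each should be disabled.
$methods = (Get-MgPolicyAuthenticationMethodPolicy).AuthenticationMethodConfigurations
$weakOn  = $methods | Where-Object { $_.Id -in 'Sms','Voice','Email' -and $_.State -eq 'enabled' }
$findings['5.2.3.5 weak methods disabled'] = [pscustomobject]@{
    Met = -not $weakOn; Evidence = ($weakOn.Id -join '; ')
}

# 2.1.11: the common attachment filter must be on and cover the required extensions.
# Illustrative subset (assumption); substitute the full list from the benchmark.
$RequiredFileTypes = 'exe','scr','bat','cmd','vbs','js','jse','ps1','hta','iso','lnk'
$gaps = foreach ($p in Get-MalwareFilterPolicy) {
    $missing = $RequiredFileTypes | Where-Object { $p.FileTypes -notcontains $_ }
    if (-not $p.EnableFileFilter -or $missing) {
        '{0}: EnableFileFilter={1}, missing=[{2}]' -f $p.Identity, $p.EnableFileFilter, ($missing -join ',')
    }
}
$findings['2.1.11 attachment filtering'] = [pscustomobject]@{
    Met = -not $gaps; Evidence = ($gaps -join '; ')
}

$findings.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Met = $_.Value.Met; Evidence = $_.Value.Evidence }
} | Format-Table -AutoSize

# Report-only policies do not enforce anything; list them so the reviewer knows they exist.
$reportOnly = $policies | Where-Object State -eq 'enabledForReportingButNotEnforced'
if ($reportOnly) { 'Report-only CA policies (not counted): ' + ($reportOnly.DisplayName -join '; ') }

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

The predicates are deliberately strict: a device-based policy that excludes a large group, or a risk policy scoped to a pilot group, still shows as Met here, so the Evidence column is there to be read, not just the Met flag. Exclusions and scoping of each named policy are the next thing to check by hand.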
All Passed Checks Table
Contains Passed Checks for both CIS Benchmark and SmartProfiler Tests.
CIS Section | Test | Severity | Items | CIS Profile | Control Type | Configured Correctly? |
1.1.1 | Ensure Administrative accounts are separate and cloud-only | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
1.1.3 | Ensure that between two and four global admins are designated | Passed | 3 | E3 Level 1 | CIS v4.0 | YES |
Not Available | Ensure Microsoft 365 User Roles have less than 10 Admins | Passed | 0 | | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Users Have Strong Password Requirements Configured | Passed | 0 | | SP v1.0 | YES |
Not Available | Ensure self-service password reset is enabled | Passed | Enabled | | SP v1.0 | YES |
Not Available | Ensure that Microsoft 365 Passwords Are Not Set to Expire | Passed | 0 | | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Exchange Online Modern Authentication is Used | Passed | Enabled | | SP v1.0 | YES |
1.2.2 | Ensure sign-in to shared mailboxes is blocked | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
1.3.1 | Ensure the Password expiration policy is set to Set passwords to never expire (recommended) | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
1.3.4 | Ensure User owned apps and services is restricted | Passed | Restricted | E3 Level 1 | CIS v4.0 | YES |
2.1.4 | Ensure Safe Attachments policy is enabled | Passed | Not Enabled-Not Implemented | E5 Level 2 | CIS v4.0 | YES |
2.1.7 | Ensure that an anti-phishing policy has been created | Passed | Created | E5 Level 1 | CIS v4.0 | YES |
Not Available | Ensure the Restricted entities are reviewed and actioned | Passed | There are no Restricted users at present | | SP v1.0 | YES |
2.1.13 | Ensure the connection filter safe list is off | Passed | Turned Off | E3 Level 1 | CIS v4.0 | YES |
2.1.14 | Ensure inbound anti-spam policies do not contain allowed domains | Passed | Not Allowed | E3 Level 1 | CIS v4.0 | YES |
Not Available | Ensure the Account Provisioning Activity report is reviewed and actioned | Passed | 0 | | SP v1.0 | YES |
Not Available | Ensure non-global administrator role group assignments are reviewed and actioned | Passed | There are no non-admin Global Role assignments found in past 7 days | | SP v1.0 | YES |
2.4.3 | Ensure Microsoft Defender for Cloud Apps is Enabled | Passed | Enabled | E5 Level 2 | CIS v4.0 | YES |
Not Available | Ensure user role group changes are reviewed and actioned | Passed | There are no user role group changes found in past 7 days | | SP v1.0 | YES |
5.1.1.1 | Ensure Security Defaults is disabled on Azure Active Directory | Passed | Security Defaults are disabled. | E3 Level 1 | CIS v4.0 | YES |
5.1.2.2 | Ensure third party integrated applications are not allowed | Passed | Not Allowed | E3 Level 2 | CIS v4.0 | YES |
5.1.2.3 | Ensure Restrict non-admin users from creating tenants is set to Yes | Passed | Disabled-Ok | E3 Level 1 | CIS v4.0 | YES |
5.1.5.3 | Ensure the admin consent workflow is enabled | Passed | Enabled | E3 Level 1 | CIS v4.0 | YES |
5.1.6.2 | Ensure that guest user access is restricted | Passed | Restricted | E3 Level 1 | CIS v4.0 | YES |
5.2.2.6 | Enable Azure AD Identity Protection user risk policies | Passed | | E5 Level 2 | CIS v4.0 | YES |
5.2.2.7 | Enable Azure AD Identity Protection sign-in risk policies | Passed | | E5 Level 2 | CIS v4.0 | YES |
5.2.4.1 | Ensure Self service password reset enabled is set to All | Passed | You have 8 of 8330 users who don't have self-service password reset enabled. | E3 Level 1 | CIS v4.0 | YES |
Not Available | Ensure the self-service password reset activity report is reviewed and actioned | Passed | Changed Password Found via SSPR | | SP v1.0 | YES |
5.3.2 | Ensure Access reviews for Guest Users are configured | Passed | Access Reviews were found | E5 Level 2 | CIS v4.0 | YES |
5.3.3 | Ensure Access reviews for high privileged Azure AD roles are configured | Passed | Access Reviews were found | E5 Level 1 | CIS v4.0 | YES |
6.1.1 | Ensure AuditDisabled organizationally is set to False | Passed | Enabled | E3 Level 1 | CIS v4.0 | YES |
6.1.2 | Ensure mailbox auditing for E3 users is Enabled | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
6.1.3 | Ensure mailbox auditing for E5 users is Enabled | Passed | 0 | E5 Level 1 | CIS v4.0 | YES |
Not Available | Ensure Microsoft 365 Exchange Online Admin Auditing Is Enabled | Passed | Enabled | | SP v1.0 | YES |
6.2.1 | Ensure all forms of mail forwarding are blocked and-or disabled | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
6.2.2 | Ensure mail transport rules do not whitelist specific domains | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
NA | Ensure Tagging does not allow specific domains | Passed | 0 | E3 Level 1 | CIS v4.0 | YES |
Not Available | Ensure Transport Rules to Block Exchange Auto-Forwarding is configured | Passed | Configured | | SP v1.0 | YES |
Not Available | Ensure Do Not Bypass the Safe Attachments Filter is not configured | Passed | Not Configured | | SP v1.0 | YES |
Not Available | Ensure Do Not Bypass the Safe Links Feature is not configured | Passed | Not Configured | | SP v1.0 | YES |
Not Available | Ensure Exchange Modern Authentication is Enabled | Passed | Enabled | | SP v1.0 | YES |
Not Available | Ensure Transport Rules to Block Executable Attachments are configured | Passed | Configured | | SP v1.0 | YES |
Not Available | Ensure Malware Filter Policies Alert for Internal Users Sending Malware is configured | Passed | Configured | | SP v1.0 | YES |
Not Available | Ensure Transport Rules to Block Large Attachments are configured | Passed | Configured | | SP v1.0 | YES |
Not Available | Ensure Mailbox Auditing is Enabled at Tenant Level | Passed | Enabled | | SP v1.0 | YES |
Not Available | Ensure Mailboxes without Mailbox Auditing are not present | Passed | 0 | | SP v1.0 | YES |
Not Available | Ensure mail transport rules do not forward email to external domains | Passed | 0 | | SP v1.0 | YES |
Not Available | Ensure the Advanced Threat Protection Safe Links policy is enabled | Passed | Not Enabled-Not Implemented | | SP v1.0 | YES |
Not Available | Ensure the Advanced Threat Protection SafeAttachments policy is enabled | Passed | Not Enabled-Not Implemented | | SP v1.0 | YES |
Not Available | Ensure mailbox auditing for all users is Enabled | Passed | 0 | | SP v1.0 | YES |
Not Available | Ensure mail forwarding rules are reviewed and actioned | Passed | 0 | | SP v1.0 | YES |
Not Available | Ensure the Malware Detections report is reviewed at least weekly | Passed | 0 | | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Deleted Mailboxes are identified and Verified | Passed | 0 | | SP v1.0 | YES |
Not Available | Ensure Exchange Online Mailbox Auditing is enabled | Passed | 0 | | SP v1.0 | YES |
Not Available | Microsoft 365 Exchange Online Admin Success and Failure Attempts | Passed | 0 | | SP v1.0 | YES |
Not Available | Microsoft 365 Exchange Online External Access Admin Success and Failure Attempts | Passed | 0 | | SP v1.0 | YES |
6.5.1 | Ensure modern authentication for Exchange Online is enabled | Passed | Enabled | E3 Level 1 | CIS v4.0 | YES |
Not Available | SharePoint Online Modern Authentication is Enabled | Passed | Enabled | | SP v1.0 | YES |
8.5.2 | Ensure anonymous users and dial-in callers can't start a meeting | Passed | Restricted | E3 Level 1 | CIS v4.0 | YES |
9.1.6 | Ensure Allow users to apply sensitivity labels for content is Enabled | Passed | Allow users to apply sensitivity labels for content is enabled | E3 Level 1 | CIS v4.0 | YES |
Not Available | Ensure Deleted Microsoft 365 Users are Identified | Passed | 0 | | SP v1.0 | YES |
Not Available | Ensure Disabled Microsoft 365 Users are Identified | Passed | 6 | | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Blocked Users are Identified | Passed | 0 | | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Company Administrators have less than 5 Admins | Passed | 0 | | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Deleted and Licensed Users are Identified | Passed | 0 | | SP v1.0 | YES |
Not Available | Ensure Users are allowed to create and register applications is disabled | Passed | Disabled-Ok | | SP v1.0 | YES |
Not Available | Ensure All Microsoft 365 Domains Have been verified | Passed | 0 | | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Domain Services Have Services Assigned | Passed | 0 | | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Notification Email is configured | Passed | | | SP v1.0 | YES |
Not Available | Ensure Microsoft 365 Organization Level Mailbox Auditing is configured | Passed | Enabled | | SP v1.0 | YES |
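A Passed row is only as reliable as the query behind it, and a few rows in this table carry an Items value that reads the other way (2.1.4 and the two Advanced Threat Protection rows say "Not Enabled-Not Implemented" while marked Passed). The script below is an added example, not part of the original report or of SmartProfiler-SecID, that pulls the raw state behind the Exchange Online rows (CIS 1.2.2, 2.1.4, 6.1.1, 6.2.1, 6.2.2 and the Safe Links row) so a reviewer can settle such discrepancies from primary evidence. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules, an interactive sign-in granted the User.Read.All scope, and that the tenant is licensed for Defender for Office 365 (without that license the Safe Attachments and Safe Links cmdlets return nothing, and the checks correctly report not enabled).

```powershell
# Added example: independent re-check of the Exchange Online rows marked Passed above
# (CIS 1.2.2, 2.1.4, 6.1.1, 6.2.1, 6.2.2 and the Safe Links row). Read-only: Get-* cmdlets only.
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Check, [bool]$Pass, [string]$Evidence) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Evidence = $Evidence })
}

# 6.1.1: organisation-level auditing must not be switched off.
$org = Get-OrganizationConfig
Add-Result '6.1.1 AuditDisabled is False' (-not $org.AuditDisabled) "AuditDisabled=$($org.AuditDisabled)"

# 6.2.1: forwarding can be configured in four places; all four must be clean.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$fwdBoxes  = $mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress }
Add-Result '6.2.1 no mailbox-level forwarding' (-not $fwdBoxes) ($fwdBoxes.PrimarySmtpAddress -join '; ')

$rules     = Get-TransportRule
$redirects = $rules | Where-Object { $_.RedirectMessageTo }
Add-Result '6.2.1 no transport rules redirecting mail' (-not $redirects) ($redirects.Name -join '; ')

$autoFwdDomains = Get-RemoteDomain | Where-Object AutoForwardEnabled
Add-Result '6.2.1 remote domains deny auto-forward' (-not $autoFwdDomains) ($autoFwdDomains.DomainName -join '; ')

$outbound = Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.AutoForwardingMode -ne 'Off' }
Add-Result '6.2.1 outbound spam policy AutoForwardingMode=Off' (-not $outbound) ($outbound.Name -join '; ')

# 6.2.2: a rule that sets SCL -1 for a sender domain bypasses spam filtering for that domain.
$allowRules = $rules | Where-Object { $_.SenderDomainIs -and $_.SetSCL -eq -1 }
Add-Result '6.2.2 no domain-whitelisting transport rules' (-not $allowRules) ($allowRules.Name -join '; ')

# 1.2.2: shared mailboxes are service objects; their Entra ID accounts should be sign-in blocked.
$sharedEnabled = foreach ($mb in ($mailboxes | Where-Object RecipientTypeDetails -eq 'SharedMailbox')) {
    $u = Get-MgUser -UserId $mb.ExternalDirectoryObjectId -Property Id,AccountEnabled
    if ($u.AccountEnabled) { $mb.PrimarySmtpAddress }
}
Add-Result '1.2.2 shared mailbox sign-in blocked' (-not $sharedEnabled) ($sharedEnabled -join '; ')

# 2.1.4 and the Safe Links row: at least one enabled policy bound by an enabled rule.
# Assumption: Defender for Office 365 is licensed; otherwise both lists are empty and the
# check fails, which is the right answer to "is this policy enabled".
$saOn    = Get-SafeAttachmentPolicy | Where-Object Enable
$saRules = Get-SafeAttachmentRule   | Where-Object State -eq 'Enabled'
Add-Result '2.1.4 Safe Attachments enabled' ([bool]$saOn -and [bool]$saRules) `
    "policies on: $(($saOn | Measure-Object).Count); rules on: $(($saRules | Measure-Object).Count)"

$slOn    = Get-SafeLinksPolicy | Where-Object EnableSafeLinksForEmail
$slRules = Get-SafeLinksRule   | Where-Object State -eq 'Enabled'
Add-Result 'Safe Links enabled for email' ([bool]$slOn -and [bool]$slRules) `
    "policies on: $(($slOn | Measure-Object).Count); rules on: $(($slRules | Measure-Object).Count)"

$results | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Two gaps to be aware of: per-mailbox inbox rules (Get-InboxRule) are the usual hiding place for attacker-created forwarding and are not covered here because enumerating them across a tenant of this size is slow, so run that separately for high-value mailboxes; and the preset security policies (Standard/Strict/Built-in protection) can apply Safe Attachments and Safe Links without a custom policy appearing in these lists, so a failing 2.1.4 result should be confirmed in the Defender portal before it is written up as a finding.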
Microsoft-Assessment.com
© 2025 DynamicPacks Technologies. All rights reserved.