Almost all tests are automated with SmartProfiler for Microsoft 365 CIS Assessment.
Detailed reporting includes information about each Test and Step-By-Step Recommendations to fix the issues.
In addition to the tests recommended by CIS, SmartProfiler for Microsoft 365 includes further tests. We offer 234 tests that cover every facet of Microsoft 365.
SecID for Microsoft 365 CIS Version 6.0 Assessment is an automated Health & Risk assessment solution to help you significantly improve your Microsoft 365 ecosystem health & security posture. SecID for Microsoft 365 Assessment follows industry standard controls and other tests designed by our Microsoft 365 experts. Services covered: MSOnline, EXO, Teams, SharePoint, OneDrive, and Azure AD.
The Center for Internet Security is a nonprofit entity whose mission is to ‘identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.’ It draws on the expertise of cybersecurity and IT professionals from government, business, and academia from around the world. To develop standards and best practices, including CIS benchmarks, controls, and hardened images, they follow a consensus decision-making model. SmartProfiler is designed to support CIS Standards designed for Microsoft 365 and Azure Assessments.
SecID provides a centralized, intuitive console that brings Microsoft 365 CIS (Center for Internet Security) governance into full visibility. By integrating with your M365 environment, SecID continuously assesses your configuration against CIS benchmarks and best practices, surfacing compliance gaps and misconfigurations in real time.
Through the SecID console, security and IT teams can:
- Monitor M365 CIS compliance status with visual dashboards and detailed reports.
- Drill down into specific policy violations and understand the associated risk.
- Prioritize and manage remediation efforts directly from the platform, with guided fixes or automated workflows.
- Track progress over time and generate audit-ready evidence for compliance.
With SecID, M365 CIS governance becomes proactive and actionable—helping organizations reduce risk, ensure best practice alignment, and maintain compliance with confidence.
SecID simplifies M365 CIS governance by breaking down compliance issues into clearly defined CIS control categories. Within the console, you can easily explore each category—such as Access Control, Audit Logging, or Data Protection—and view all related findings in a structured, actionable format.
For every issue detected, SecID provides:
- Detailed impact analysis to help you understand the security and compliance risks.
- Clear, contextual recommendations aligned with CIS benchmarks.
- Category-based filtering and reporting to streamline remediation planning and resource allocation.
This category-driven approach empowers security teams to prioritize efforts, track category-level compliance, and confidently move towards a secure and CIS-aligned Microsoft 365 environment.
SecID’s M365 CIS Assessment goes beyond basic checks by also pulling in Microsoft 365 Compliance data and intelligently mapping it to CIS M365 test cases. This powerful correlation gives you a unified view of both Microsoft’s built-in compliance insights and the CIS framework.
By aligning Microsoft 365 Compliance items with CIS controls, SecID enables:
- Deeper visibility into your security posture across both native and CIS standards.
- Streamlined auditing with clear traceability between Microsoft compliance signals and CIS requirements.
- Smarter remediation, with context-rich insights tied to real test cases.
This integrated approach ensures a more complete and actionable governance strategy for your M365 environment.
SecID stands out as the best assessment tool for Microsoft 365 tenants by going beyond the standard CIS benchmarks. While it fully covers all CIS M365 test cases, it also includes additional security and compliance checks that CIS does not address—ensuring broader and deeper coverage.
The assessment report provides:
- Status for each configuration item, including CIS test case alignment.
- Additional insights on overlooked but critical security areas.
- Actionable guidance to improve your M365 security posture holistically.
With SecID, you get a more complete view of your Microsoft 365 environment—making it the most effective tool for continuous CIS-based governance and beyond.
SmartProfiler for Microsoft 365 requires a Global Reader or Global Admin Account to perform all tests.
SmartProfiler needs a Global Admin or Global Reader Account in order to gather the information needed for analysis. An Azure Application does not need to be registered in order to collect data. Note that a Global Reader Account does not have permission to execute SharePoint tests.
PowerShell modules are already included in the product, so installing them is not necessary before running the assessment. Before beginning the assessment, the product automatically imports PowerShell modules.
SmartProfiler is a read-only product, and no write operation is ever made to the target while it is being assessed.
SmartProfiler for Microsoft 365 Assessment is simple to use and executes in four steps.
SmartProfiler for Microsoft 365 supports all tests.
Performs several tests related to Office 365 users. There are more than 13 tests performed for all Office 365 Users.
Performs tests related to Exchange Online and Email. Policies, Email Forwarding, Mailboxes on Litigation hold, and several other tests are performed. Exchange Online category includes 30 tests.
Performs all tests related to Azure Active Directory authentication, ensuring all MFA users and Office roles are using MFA. There are 23 tests performed.
There are 12 tests performed for Office 365 configuration. The tests range from License Consumption to Directory Synchronization configuration.
In the Data Management category, tests related to DLP, external sharing, SharePoint Online protection and other relevant tests are performed. 7 tests are available in the Data Management category.
Auditing tests include checking AD-Risky Sign-In reports, ensuring mail-forwarding rules are reviewed, and other relevant auditing tests. However, some auditing items need to be checked weekly and require manual intervention. There are a total of 16 tests available in the Auditing category.
Tests such as "Ensure document sharing is being controlled by domains with whitelist or blacklist", "Block OneDrive for Business sync from unmanaged devices" and other storage tests are checked and reported.
Mobile Device Management category includes more than 22 tests which are performed to ensure mobile devices have necessary policies configured.
There are more than 119 SmartProfiler Tests performed which are designed by our Microsoft 365 Expert Team.
It depends on the number of users and mailboxes in the Microsoft 365 Tenant. It typically takes 1-2 hours to perform a Microsoft 365 Assessment for a Tenant with 8000 mailboxes.
SmartProfiler for M365 Assessment is a read-only product.
Since SmartProfiler generates reports in Microsoft Word format, you can re-brand reports.
SmartProfiler is designed to support multiple Microsoft 365 Tenants. You can add unlimited M365 Tenants in the tool. However, each M365 Tenant requires a license before the assessment can be done.
In these circumstances, we advise using a Global Reader Account to run the assessment initially. This account will be able to run 90% of the tests automatically and will also produce a report. Please notify the Security Team that a Global Admin account is required in order to run SharePoint tests. If the Security Team agrees to run the assessment using a Global Admin account, select just “SharePoint Tests” in the execution console and then execute.
| Category | Benchmark | CIS Profile | Test | SmartProfiler Assessment Type |
| --- | --- | --- | --- | --- |
| Microsoft 365 admin center-Users | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure Administrative accounts are separate and cloud-only | Automated |
| Microsoft 365 admin center-Users | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure two emergency access accounts have been defined | Manual |
| Microsoft 365 admin center-Users | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure that between two and four global admins are designated | Automated |
| Microsoft 365 admin center-Users | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure administrative accounts use licenses with a reduced application footprint | Automated |
| Microsoft 365 admin center-Teams & groups | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure that only organizationally managed-approved public groups exist | Automated |
| Microsoft 365 admin center-Teams & groups | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure sign-in to shared mailboxes is blocked | Automated |
| Microsoft 365 admin center-Settings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure the Password expiration policy is set to Set passwords to never expire (recommended) | Automated |
| Microsoft 365 admin center-Settings | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure Idle session timeout is set to 3 hours (or less) for unmanaged devices | Automated |
| Microsoft 365 admin center-Settings | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure External sharing of calendars is not available | Automated |
| Microsoft 365 admin center-Settings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure User owned apps and services is restricted | Automated |
| Microsoft 365 admin center-Settings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure internal phishing protection for Forms is enabled | Automated |
| Microsoft 365 admin center-Settings | CIS v6.0 | E5 Level 2 | Ensure the customer lockbox feature is enabled | Automated |
| Microsoft 365 admin center-Settings | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure third-party storage services are restricted in Microsoft 365 on the web | Automated |
| Microsoft 365 admin center-Settings | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure that Sways cannot be shared with people outside of your organization | Manual |
| Microsoft 365 Defender-Email & collaboration | CIS v6.0 | E5 Level 2 | Ensure Safe Links for Office Applications is Enabled | Automated |
| Microsoft 365 Defender-Email & collaboration | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure the Common Attachment Types Filter is enabled | Automated |
| Microsoft 365 Defender-Email & collaboration | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure notifications for internal users sending malware is Enabled | Automated |
| Microsoft 365 Defender-Email & collaboration | CIS v6.0 | E5 Level 2 | Ensure Safe Attachments policy is enabled | Automated |
| Microsoft 365 Defender-Email & collaboration | CIS v6.0 | E5 Level 2 | Ensure Safe Attachments for SharePoint-OneDrive-Microsoft Teams is Enabled | Automated |
| Microsoft 365 Defender-Email & collaboration | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure Exchange Online Spam Policies are set correctly | Automated |
| Microsoft 365 Defender-Email & collaboration | CIS v6.0 | E5 Level 2 | Ensure that an anti-phishing policy has been created | Automated |
| Microsoft 365 Defender-Email & collaboration | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure that SPF records are published for all Exchange Domains | Automated |
| Microsoft 365 Defender-Email & collaboration | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure that DKIM is enabled for all Exchange Online Domains | Automated |
| Microsoft 365 Defender-Email & collaboration | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure DMARC Records for all Exchange Online domains are published | Automated |
| Microsoft 365 Defender-Email & collaboration | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure comprehensive attachment filtering is applied | Automated |
| Microsoft 365 Defender-Email & collaboration | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure the connection filter IP allow list is not used | Automated |
| Microsoft 365 Defender-Email & collaboration | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure the connection filter safe list is off | Automated |
| Microsoft 365 Defender-Email & collaboration | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure inbound anti-spam policies do not contain allowed domains | Automated |
| Microsoft 365 Defender-Cloud Apps | CIS v6.0 | E5 Level 1 | Ensure emergency access account activity is monitored | Manual |
| Microsoft 365 Defender-Audit | CIS v6.0 | E5 Level 1 | Ensure Priority account protection is enabled and configured | Automated |
| Microsoft 365 Defender-Audit | CIS v6.0 | E5 Level 1 | Ensure Priority accounts have Strict protection presets applied | Automated |
| Microsoft 365 Defender-Audit | CIS v6.0 | E5 Level 2 | Ensure Microsoft Defender for Cloud Apps is Enabled | Manual |
| Microsoft 365 Defender-Audit | CIS v6.0 | E5 Level 1 | Ensure Zero-hour auto purge for Microsoft Teams is on | Automated |
| Microsoft Purview-Audit | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure Microsoft 365 audit log search is Enabled | Automated |
| Microsoft Purview-Data Loss Protection | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure DLP policies are enabled | Automated |
| Microsoft Purview-Data Loss Protection | CIS v6.0 | E5 Level 1 | Ensure DLP policies are enabled for Microsoft Teams | Automated |
| Microsoft Purview-Information Protection | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure Information Protection sensitivity label policies are published | Manual |
| Microsoft Entra admin center-Identity-Overview | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure devices without a compliance policy are marked not compliant | Automated |
| Microsoft Entra admin center-Identity-Overview | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure device enrollment for personally owned devices is blocked by default | Automated |
| Microsoft Entra admin center-Identity-Users | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure Per-user MFA is disabled | Automated |
| Microsoft Entra admin center-Identity-Users | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure third party integrated applications are not allowed | Automated |
| Microsoft Entra admin center-Identity-Users | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure Restrict non-admin users from creating tenants is set to Yes | Automated |
| Microsoft Entra admin center-Identity-Users | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure access to the Entra admin center is restricted | Manual |
| Microsoft Entra admin center-Identity-Users | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure the option to remain signed in is hidden | Manual |
| Microsoft Entra admin center-Identity-Users | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure LinkedIn account connections is disabled | Automated |
| Microsoft Entra admin center-Identity-Groups | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure a dynamic group for guest users is created | Automated |
| Microsoft Entra admin center-Identity-Applications | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure user consent to apps accessing company data on their behalf is not allowed | Automated |
| Microsoft Entra admin center-Identity-Applications | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure the admin consent workflow is enabled | Automated |
| Microsoft Entra admin center-Identity-External Identities | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure that collaboration invitations are sent to allowed domains only | Manual |
| Microsoft Entra admin center-Identity-External Identities | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure that guest user access is restricted | Automated |
| Microsoft Entra admin center-Identity-External Identities | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure guest user invitations are limited to the Guest Inviter role | Automated |
| Microsoft Entra admin center-Identity-Hybrid Management | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure that password hash sync is enabled for hybrid deployments | Automated |
| Microsoft Entra admin center-Protection-Conditional Access | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure multifactor authentication is enabled for all users in administrative roles | Automated |
| Microsoft Entra admin center-Protection-Conditional Access | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure multifactor authentication is enabled for all users | Automated |
| Microsoft Entra admin center-Protection-Conditional Access | CIS v6.0 | E3 Level 1-E5 Level 1 | Enable Conditional Access policies to block legacy authentication | Automated |
| Microsoft Entra admin center-Protection-Conditional Access | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users | Automated |
| Microsoft Entra admin center-Protection-Conditional Access | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure Phishing-resistant MFA strength is required for Administrators | Automated |
| Microsoft Entra admin center-Protection-Conditional Access | CIS v6.0 | E5 Level 1 | Enable Identity Protection user risk policies | Automated |
| Microsoft Entra admin center-Protection-Conditional Access | CIS v6.0 | E5 Level 1 | Enable Identity Protection sign-in risk policies | Automated |
| Microsoft Entra admin center-Protection-Conditional Access | CIS v6.0 | E5 Level 2 | Ensure sign-in risk is blocked for medium and high risk | Automated |
| Microsoft Entra admin center-Protection-Conditional Access | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure a managed device is required for authentication | Manual |
| Microsoft Entra admin center-Protection-Conditional Access | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure a managed device is required to register security information | Manual |
| Microsoft Entra admin center-Protection-Conditional Access | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure sign-in frequency for Intune Enrollment is set to Every time | Manual |
| Microsoft Entra admin center-Protection-Conditional Access | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure the device code sign-in flow is blocked | Manual |
| Microsoft Entra admin center-Protection-Authentication Methods | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure Microsoft Authenticator is configured to protect against MFA fatigue | Automated |
| Microsoft Entra admin center-Protection-Authentication Methods | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure custom banned passwords lists are used | Automated |
| Microsoft Entra admin center-Protection-Authentication Methods | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure that password protection is enabled for Active Directory | Automated |
| Microsoft Entra admin center-Protection-Authentication Methods | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure all member users are MFA capable | Automated |
| Microsoft Entra admin center-Protection-Authentication Methods | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure weak authentication methods are disabled | Automated |
| Microsoft Entra admin center-Protection-Authentication Methods | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure system-preferred multifactor authentication is enabled | Manual |
| Microsoft Entra admin center-Protection-Password Reset | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure Self service password reset enabled is set to All | Automated |
| Microsoft Entra admin center-Identity Governance | CIS v6.0 | E5 Level 2 | Ensure Privileged Identity Management is used to manage roles | Automated |
| Microsoft Entra admin center-Identity Governance | CIS v6.0 | E5 Level 1 | Ensure Access reviews for Guest Users are configured | Automated |
| Microsoft Entra admin center-Identity Governance | CIS v6.0 | E5 Level 1 | Ensure Access reviews for high privileged Azure AD roles are configured | Automated |
| Microsoft Entra admin center-Identity Governance | CIS v6.0 | E5 Level 1 | Ensure approval is required for Global Administrator role activation | Manual |
| Microsoft Entra admin center-Identity Governance | CIS v6.0 | E5 Level 1 | Ensure approval is required for Privileged Role Administrator activation | Manual |
| Microsoft Exchange admin center-Audit | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure AuditDisabled organizationally is set to False | Automated |
| Microsoft Exchange admin center-Audit | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure mailbox audit actions are configured | Automated |
| Microsoft Exchange admin center-Audit | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure AuditBypassEnabled is not enabled on mailboxes | Automated |
| Microsoft Exchange admin center-Mailflow | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure all forms of mail forwarding are blocked and-or disabled | Automated |
| Microsoft Exchange admin center-Mailflow | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure mail transport rules do not whitelist specific domains | Automated |
| Microsoft Exchange admin center-Mailflow | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure email from external senders is identified | Automated |
| Microsoft Exchange admin center-Roles | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure users installing Outlook add-ins is not allowed | Automated |
| Microsoft Exchange admin center-Settings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure modern authentication for Exchange Online is enabled | Automated |
| Microsoft Exchange admin center-Settings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure MailTips are enabled for end users | Automated |
| Microsoft Exchange admin center-Settings | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure external storage providers available in Outlook on the Web are restricted | Automated |
| Microsoft Exchange admin center-Settings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure SMTP Authentication is disabled Globally | Automated |
| Microsoft SharePoint Admin Center-Policies | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure modern authentication for SharePoint applications is required | Automated |
| Microsoft SharePoint Admin Center-Policies | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled | Automated |
| Microsoft SharePoint Admin Center-Policies | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure external content sharing is restricted | Automated |
| Microsoft SharePoint Admin Center-Policies | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure OneDrive content sharing is restricted | Automated |
| Microsoft SharePoint Admin Center-Policies | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure that SharePoint guest users cannot share items they don't own | Automated |
| Microsoft SharePoint Admin Center-Policies | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure document sharing is being controlled by domains with whitelist or blacklist | Automated |
| Microsoft SharePoint Admin Center-Policies | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure link sharing is restricted in SharePoint and OneDrive | Automated |
| Microsoft SharePoint Admin Center-Policies | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure external sharing is restricted by security group | Manual |
| Microsoft SharePoint Admin Center-Policies | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure guest access to a site or OneDrive will expire automatically | Automated |
| Microsoft SharePoint Admin Center-Policies | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure reauthentication with verification code is restricted | Automated |
| Microsoft SharePoint Admin Center-Policies | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure the SharePoint default sharing link permission is set | Automated |
| Microsoft SharePoint Admin Center-Settings | CIS v6.0 | E5 Level 2 | Ensure Microsoft 365 SharePoint infected files are disallowed for download | Automated |
| Microsoft SharePoint Admin Center-Settings | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure OneDrive content sharing is restricted | Automated |
| Microsoft SharePoint Admin Center-Settings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure custom script execution is restricted on personal sites | Automated |
| Microsoft SharePoint Admin Center-Settings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure custom script execution is restricted on site collections | Automated |
| Microsoft Teams Admin Center-Teams | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure external file sharing in Teams is enabled for only approved cloud storage services | Automated |
| Microsoft Teams Admin Center-Teams | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure users can't send emails to a channel email address | Automated |
| Microsoft Teams Admin Center-Users | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure external domains are not allowed in Teams | Automated |
| Microsoft Teams Admin Center-Users | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure communication with unmanaged Teams users is disabled | Automated |
| Microsoft Teams Admin Center-Users | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure external Teams users cannot initiate conversations | Automated |
| Microsoft Teams Admin Center-Users | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure communication with Skype users is disabled | Automated |
| Microsoft Teams Admin Center-Teams Apps | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure app permission policies are configured | Automated |
| Microsoft Teams Admin Center-Meetings | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure anonymous users can't join a meeting | Automated |
| Microsoft Teams Admin Center-Meetings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure anonymous users and dial-in callers can't start a meeting | Automated |
| Microsoft Teams Admin Center-Meetings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure only people in my org can bypass the lobby | Automated |
| Microsoft Teams Admin Center-Meetings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure users dialing in can't bypass the lobby | Automated |
| Microsoft Teams Admin Center-Meetings | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure meeting chat does not allow anonymous users | Automated |
| Microsoft Teams Admin Center-Meetings | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure only organizers and co-organizers can present | Automated |
| Microsoft Teams Admin Center-Meetings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure external participants can't give or request control | Automated |
| Microsoft Teams Admin Center-Meetings | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure external meeting chat is off | Automated |
| Microsoft Teams Admin Center-Meetings | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure meeting recording is off by default | Automated |
| Microsoft Teams Admin Center-Messaging | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure users can report security concerns in Teams | Automated |
| Microsoft Fabric-Tenant Settings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure guest user access is restricted | Automated |
| Microsoft Fabric-Tenant Settings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure external user invitations are restricted | Automated |
| Microsoft Fabric-Tenant Settings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure guest access to content is restricted | Manual |
| Microsoft Fabric-Tenant Settings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure Publish to web is restricted | Manual |
| Microsoft Fabric-Tenant Settings | CIS v6.0 | E3 Level 2-E5 Level 2 | Ensure Interact with and share R and Python visuals is Disabled | Manual |
| Microsoft Fabric-Tenant Settings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure Allow users to apply sensitivity labels for content is Enabled | Automated |
| Microsoft Fabric-Tenant Settings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure shareable links are restricted | Manual |
| Microsoft Fabric-Tenant Settings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure enabling of external data sharing is restricted | Manual |
| Microsoft Fabric-Tenant Settings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure Block ResourceKey Authentication is Enabled | Manual |
| Microsoft Fabric-Tenant Settings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure access to APIs by Service Principals is restricted | Manual |
| Microsoft Fabric-Tenant Settings | CIS v6.0 | E3 Level 1-E5 Level 1 | Ensure Service Principals cannot create and use profiles | Manual |
| M365 Admin Center-Users | SP v1.0 | | Ensure Guest Users are reviewed and disabled | Automated |
| M365 Admin Center-Accounts and Authentication | SP v1.0 | | Ensure Microsoft 365 User Roles have less than 10 Admins | Automated |
| M365 Admin Center-Accounts and Authentication | SP v1.0 | | Ensure Microsoft 365 Users Have Strong Password Requirements Configured | Automated |
| M365 Admin Center-Accounts and Authentication | SP v1.0 | | Ensure self-service password reset is enabled | Automated |
| M365 Admin Center-Accounts and Authentication | SP v1.0 | | Ensure that Microsoft 365 Passwords Are Not Set to Expire | Automated |
| M365 Admin Center-Accounts and Authentication | SP v1.0 | | Ensure Microsoft 365 Exchange Online Modern Authentication is Used | Automated |
| M365 Admin Center-Accounts and Authentication | SP v1.0 | | Ensure Microsoft 365 Exchange Online Privileged Access Management is Used | Automated |
| M365 Admin Center-Auditing | SP v1.0 | | Ensure Enterprise Applications Role Assignments are reviewed weekly | Automated |
| Microsoft 365 Defender-Email and Collaboration | SP v1.0 | | Ensure No Domains with SPF Soft Fail are Configured | Automated |
| Microsoft 365 Defender-Email and Collaboration | SP v1.0 | | Ensure the spoofed domains are reviewed and actioned | Automated |
| Microsoft 365 Defender-Email and Collaboration | SP v1.0 | | Ensure the Restricted entities are reviewed and actioned | Automated |
| Microsoft 365 Defender-Email and Collaboration | SP v1.0 | | Ensure all security threats in the Threat protection status report are reviewed and actioned | Automated |
| Microsoft 365 Defender-Audit | SP v1.0 | | Ensure the Account Provisioning Activity report is reviewed and actioned | Automated |
| Microsoft 365 Defender-Audit | SP v1.0 | | Ensure non-global administrator role group assignments are reviewed and actioned | Automated |
| Microsoft Purview-Audit | SP v1.0 | | Ensure user role group changes are reviewed and actioned | Automated |
| Microsoft Purview-Data Loss Protection | SP v1.0 | | Ensure DLP Policy is enabled for OneDrive | Automated |
| Microsoft Purview-Data Loss Protection | SP v1.0 | | Ensure DLP Policy is configured for SharePoint | Automated |
| Microsoft Purview-Data Loss Protection | SP v1.0 | | Ensure Custom Anti-Malware Policy is Present | Automated |
| Microsoft Purview-Data Loss Protection | SP v1.0 | | Ensure Custom Anti-Phishing Policy is Present | Automated |
| Microsoft Purview-Data Loss Protection | SP v1.0 | | Ensure Custom DLP Policies are Present | Automated |
| Microsoft Purview-Data Loss Protection | SP v1.0 | | Ensure Custom DLP Sensitive Information Types are Defined | Automated |
| Microsoft Entra admin center-Identity-Overview | SP v1.0 | | Ensure Security Defaults is disabled on Azure Active Directory | Automated |
| Microsoft Entra admin center-Identity-Applications | SP v1.0 | | Ensure the Application Usage report is reviewed and actioned | Automated |
| Microsoft Entra admin center-Protection-Conditional Access | SP v1.0 | | Ensure Microsoft Azure Management is limited to administrative roles | Automated |
| Microsoft Entra admin center-Protection-Password Reset | SP v1.0 | | Ensure the self-service password reset activity report is reviewed and actioned | Automated |
| Microsoft Entra admin center-Protection-Risk Activities | SP v1.0 | | Ensure the Azure AD Risky sign-ins report is reviewed at least weekly | Automated |
| Microsoft Entra admin center-Identity Governance | SP v1.0 | | Use Just In Time privileged access to Microsoft 365 roles | Manual |
| Microsoft Exchange admin center-Audit | SP v1.0 | | Ensure mailbox auditing for E3 users is Enabled | Automated |
| Microsoft Exchange admin center-Audit | SP v1.0 | | Ensure mailbox auditing for E5 users is Enabled | Automated |
| Microsoft Exchange admin center-Audit | SP v1.0 | | Ensure AuditBypassEnabled is not enabled on mailboxes | Automated |
| Microsoft Exchange admin center-Audit | SP v1.0 | | Ensure Microsoft 365 Exchange Online Admin Auditing Is Enabled | Automated |
| Microsoft Exchange admin center-Audit | SP v1.0 | | Ensure Microsoft 365 Exchange Online Unified Auditing Is Enabled | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | | Ensure Transport Rules to Block Exchange Auto-Forwarding is configured | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | | Ensure Do Not Bypass the Safe Attachments Filter is not configured | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | | Ensure Do Not Bypass the Safe Links Feature is not configured | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | | Ensure Exchange Modern Authentication is Enabled | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | | Ensure Transport Rules to Block Executable Attachments are configured | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | | Ensure Malware Filter Policies Alert for Internal Users Sending Malware is configured | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | | Ensure Transport Rules to Block Large Attachments are configured | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | | Ensure Mailbox Auditing is Enabled at Tenant Level | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | | Ensure Mailboxes without Mailbox Auditing are not present | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | | Ensure Safe Attachments is Enabled | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | | Ensure Safe Links is Enabled | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | | Ensure Safe Links Click-Through is Not Allowed | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | | Ensure Safe Links Flags Links in Real Time | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | | Ensure SMTP Authentication is disabled Globally | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | | Ensure mail transport rules do not forward email to external domains | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | | Ensure automatic forwarding options are disabled | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | | Ensure the Client Rules Forwarding Block is enabled | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | | Ensure the Advanced Threat Protection Safe Links policy is enabled | Automated |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | Ensure the Advanced Threat Protection SafeAttachments policy is enabled | Automated | |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | Ensure that an anti-phishing policy has been created | Automated | |
| Microsoft Exchange admin center-Mailflow | SP v1.0 | Ensure mailbox auditing for all users is Enabled | Automated | |
| Microsoft Exchange admin center-Reports | SP v1.0 | Ensure mail forwarding rules are reviewed and actioned | Automated | |
| Microsoft Exchange admin center-Reports | SP v1.0 | Ensure the Malware Detections report is reviewed at least weekly | Automated | |
| Microsoft Exchange admin center-Reports | SP v1.0 | Ensure Microsoft 365 Deleted Mailboxes are identified and Verified | Automated | |
| Microsoft Exchange admin center-Reports | SP v1.0 | Ensure Microsoft 365 Hidden Mailboxes are Identified | Automated | |
| Microsoft Exchange admin center-Reports | SP v1.0 | Ensure Mailboxes External Address Forwarding is not configured | Automated | |
| Microsoft Exchange admin center-Reports | SP v1.0 | Ensure Exchange Online Mailboxes on Litigation Hold | Automated | |
| Microsoft Exchange admin center-Reports | SP v1.0 | Ensure Exchange Online SPAM Domains are identified | Automated | |
| Microsoft Exchange admin center-Reports | SP v1.0 | Ensure Exchange Online Mailbox Auditing is enabled | Automated | |
| Microsoft Exchange admin center-Reports | SP v1.0 | Microsoft 365 Exchange Online Admin Success and Failure Attempts | Automated | |
| Microsoft Exchange admin center-Reports | SP v1.0 | Microsoft 365 Exchange Online External Access Admin Success and Failure Attempts | Automated | |
| Microsoft Exchange admin center-Settings | SP v1.0 | Ensure Email Security Checks are Bypassed Based on Sender Domain are not configured | Automated | |
| Microsoft Exchange admin center-Settings | SP v1.0 | Ensure Email Security Checks are Bypassed Based on Sender IP are not configured | Automated | |
| Microsoft Exchange admin center-Settings | SP v1.0 | Ensure No Exchange Mailboxes with FullAccess Delegates are present | Automated | |
| Microsoft Exchange admin center-Settings | SP v1.0 | Ensure No Exchange Mailboxes with SendAs Delegates are present | Automated | |
| Microsoft Exchange admin center-Settings | SP v1.0 | Ensure No Exchange Mailboxes with SendOnBehalfOf Delegates are present | Automated | |
| Microsoft SharePoint Admin Center-Policies | SP v1.0 | Ensure document sharing is being controlled by domains with whitelist or blacklist | Automated | |
| Microsoft SharePoint Admin Center-Policies | SP v1.0 | Ensure expiration time for external sharing links is set | Automated | |
| Microsoft SharePoint Admin Center-Settings | SP v1.0 | Ensure SharePoint sites are not enabled for both External and User Sharing | Automated | |
| Microsoft SharePoint Admin Center-Settings | SP v1.0 | External user sharing-share by email-and guest link sharing are both disabled | Automated | |
| Microsoft SharePoint Admin Center-Settings | SP v1.0 | Ensure that external users cannot share files folders and sites they do not own | Automated | |
| Microsoft SharePoint Admin Center-Settings | SP v1.0 | SharePoint External Sharing is not Enabled at Global Level | Automated | |
| Microsoft SharePoint Admin Center-Settings | SP v1.0 | SharePoint External User Resharing is not Permitted | Automated | |
| Microsoft SharePoint Admin Center-Settings | SP v1.0 | SharePoint Legacy Authentication is not Enabled | Automated | |
| Microsoft SharePoint Admin Center-Settings | SP v1.0 | SharePoint Anyone Shared Links Never Expire is not configured | Automated | |
| Microsoft SharePoint Admin Center-Settings | SP v1.0 | SharePoint Online Modern Authentication is Enabled | Automated | |
| Microsoft SharePoint Admin Center-Settings | SP v1.0 | Ensure Sign out inactive users in SharePoint Online is Configured | Automated | |
| Microsoft Teams Admin Center-Teams | SP v1.0 | Ensure End-to-end encryption for Microsoft Teams is enabled | Automated | |
| Microsoft Teams Admin Center-Teams | SP v1.0 | Ensure external domains are not allowed in Teams | Automated | |
| Microsoft Teams Admin Center-Policies | SP v1.0 | Ensure Microsoft Teams External Domain Communication Policies are configured | Automated | |
| Microsoft Teams Admin Center-Policies | SP v1.0 | Ensure Microsoft Teams Users Allowed to Invite Anonymous Users is disabled | Automated | |
| Microsoft Teams Admin Center-Policies | SP v1.0 | Ensure Microsoft Teams Policies Allow Anonymous Members is disabled | Automated | |
| Microsoft Teams Admin Center-Policies | SP v1.0 | Ensure Microsoft Teams Consumer Communication Policies are configured | Automated | |
| Microsoft Teams Admin Center-Policies | SP v1.0 | Ensure Microsoft Teams External Access Policies are configured | Automated | |
| Microsoft Teams Admin Center-Policies | SP v1.0 | Ensure Microsoft Teams Users Allowed to Preview Links in Messages is disabled | Automated | |
| Microsoft Teams Admin Center-Policies | SP v1.0 | Ensure Safe Links for Teams is Enabled | Automated | |
| Microsoft M365 Users-Users | SP v1.0 | Ensure All Microsoft 365 Users are licensed | Automated | |
| Microsoft M365 Users-Users | SP v1.0 | Ensure Deleted Microsoft 365 Users are Identified | Automated | |
| Microsoft M365 Users-Users | SP v1.0 | Ensure Disabled Microsoft 365 Users are Identified | Automated | |
| Microsoft M365 Users-Users | SP v1.0 | Ensure Microsoft 365 Users Password Expires | Automated | |
| Microsoft M365 Users-Users | SP v1.0 | Ensure Microsoft 365 Blocked Users are Identified | Automated | |
| Microsoft M365 Users-Users | SP v1.0 | Ensure Microsoft 365 Users Have Changed Passwords | Automated | |
| Microsoft M365 Users-Users | SP v1.0 | Ensure Microsoft 365 Company Administrators have less than 5 Admins | Automated | |
| Microsoft M365 Users-Users | SP v1.0 | Ensure Microsoft 365 Deleted and Licensed Users are Identified | Automated | |
| Microsoft M365 Users-Users | SP v1.0 | Ensure Microsoft 365 Groups Without Members are Identified | Automated | |
| Microsoft M365 Dangerous Defaults | SP v1.0 | Ensure Users can read all attributes in Azure AD is disabled | Automated | |
| Microsoft M365 Dangerous Defaults | SP v1.0 | Ensure Users can create security groups is disabled | Automated | |
| Microsoft M365 Dangerous Defaults | SP v1.0 | Ensure Users are allowed to create and register applications is disabled | Automated | |
| Microsoft M365 Dangerous Defaults | SP v1.0 | Ensure Users with a verified mail domain can join the tenant is disabled | Automated | |
| Microsoft M365 Dangerous Defaults | SP v1.0 | Ensure Guests can invite other guests into the tenant is disabled | Automated | |
| Microsoft M365 Dangerous Defaults | SP v1.0 | Ensure Users are allowed to create new Azure Active Directory Tenants is disabled | Automated | |
| Microsoft M365 Dangerous Defaults | SP v1.0 | Ensure Policy exists to restrict non-administrator access to Azure Active Directory or Entra | Automated | |
| Microsoft M365 Configuration | SP v1.0 | Ensure Microsoft 365 Licenses are consumed in SKUs | Automated | |
| Microsoft M365 Configuration | SP v1.0 | Ensure All Microsoft 365 Domains Have been verified | Automated | |
| Microsoft M365 Configuration | SP v1.0 | Ensure Microsoft 365 Domain Services Have Services Assigned | Automated | |
| Microsoft M365 Configuration | SP v1.0 | Ensure Microsoft 365 Notification Email is configured | Automated | |
| Microsoft M365 Configuration | SP v1.0 | Ensure Microsoft 365 Organization Level Mailbox Auditing is configured | Automated | |

It depends on the number of users and mailboxes in the Microsoft 365 tenant. It typically takes 1-2 hours to perform a Microsoft 365 assessment for a tenant with 8000 mailboxes.

SmartProfiler for M365 Assessment is a read-only product.

Since SmartProfiler generates reports in Microsoft Word format, you can re-brand reports.

SmartProfiler is designed to support multiple Microsoft 365 tenants. You can add an unlimited number of M365 tenants to the tool. However, each M365 tenant requires a license before the assessment can be done.

In these circumstances, we advise using a Global Reader account to run the assessment initially. This account will be able to run 90% of the tests automatically and will also produce a report. Please notify the Security Team that a Global Admin account is required in order to run SharePoint tests. If the Security Team agrees to run the assessment using a Global Admin account, select just “SharePoint Tests” in the execution console and then execute.

Instead of manually gathering data, which could take a significant amount of time, SmartProfiler for M365 has automated all the tests to ensure that the assessment is completed in a matter of hours.

Copyright © DynamicPacks Technologies