Microsoft 365 CIS Benchmark Hardening Guide
Why Microsoft 365 Needs Its Own Benchmark
A Microsoft 365 tenant is one of the highest-value targets in nearly any organization. It typically contains the bulk of internal email, document libraries, real-time collaboration content, identity infrastructure, and increasingly the business intelligence and automation platforms (Power BI, Power Automate, Power Apps). The breach impact of a fully compromised M365 tenant is comprehensive: every conversation, every document, every business process, all reachable from a single set of credentials.
Microsoft 365 is configured through a sprawling collection of admin centers, PowerShell endpoints, and unified configuration policies. The default configuration favors functionality and adoption rather than security. Many tenants are deployed with permissive defaults that the CIS Microsoft 365 Foundations Benchmark explicitly hardens.
This guide walks through the major sections of the benchmark, focusing on the controls with the highest practical impact for most enterprise tenants.
Section 1: Account / Authentication
The account section establishes the identity foundation. For Microsoft 365, identity is Microsoft Entra ID (formerly Azure AD), and the relevant controls are largely Entra ID configuration:
Ensure Security Defaults or Conditional Access is enabled. The tenant must have either Security Defaults or Conditional Access policies that achieve equivalent protection. Tenants with neither are exposed to credential stuffing.
Ensure multifactor authentication is enabled for all users. MFA must apply to all users, not just administrators.
Ensure that between two and four global administrators are designated. Too few global admins create a single point of failure; too many expand the most-privileged group unnecessarily.
Ensure that "Self-service password reset" is enabled for users with appropriate registration.
Ensure that "Password write-back" is enabled if hybrid identity is in use.
Ensure that "Per-user MFA" is disabled in favor of Conditional Access. Per-user MFA is the legacy model; Conditional Access is current.
Ensure password protection is configured to block common and custom banned passwords.
Ensure account lockout duration is configured appropriately.
Ensure smart lockout threshold is configured appropriately.
Ensure that legacy authentication protocols are disabled. Legacy authentication (basic auth, IMAP, POP, MAPI, etc.) bypasses MFA; only modern authentication should be permitted.
The legacy authentication control deserves emphasis. Many tenants leave legacy authentication enabled because of a single legacy application or device. The result is that the tenant's MFA can be bypassed by any attacker who can replicate the legacy protocol.
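The three identity checks above can be evaluated from an export of the tenant's Conditional Access policies. The following is an added example, not code from the CIS benchmark or from CISGuard; it assumes the policies are in the Microsoft Graph conditionalAccessPolicy shape, and the sample policies and global-admin count are constructed.

```python
# Added example; not code from the CIS benchmark or from CISGuard. Evaluates
# exported Conditional Access policies (Microsoft Graph conditionalAccessPolicy
# shape) plus a Global Administrator head-count against Section 1: legacy
# authentication blocked, MFA for all users, and 2-4 global administrators.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}
MODERN_CLIENT_TYPES = {"browser", "mobileAppsAndDesktopClients"}


def _parts(policy):
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    return (policy.get("state"), set(cond.get("clientAppTypes") or []),
            cond.get("users") or {}, set(grant.get("builtInControls") or []))


def evaluate_identity(policies, global_admin_count):
    """Return a list of findings; an empty list means the checks pass."""
    findings, legacy_blocked, mfa_for_all = [], False, False
    for p in policies:
        state, clients, users, controls = _parts(p)
        # Report-only ("enabledForReportingButNotEnforced") and disabled policies enforce nothing.
        if state != "enabled" or "All" not in users.get("includeUsers", []):
            continue
        if LEGACY_CLIENT_TYPES <= clients and "block" in controls:
            legacy_blocked = True
        if "mfa" in controls and ("all" in clients or MODERN_CLIENT_TYPES <= clients):
            mfa_for_all = True
        for user in users.get("excludeUsers", []):  # exemption drift: surface every exclusion
            findings.append(f"{p['displayName']}: user {user} excluded; review the exemption")
    if not legacy_blocked:
        findings.append("no enabled policy blocks legacy authentication for all users")
    if not mfa_for_all:
        findings.append("no enabled policy requires MFA for all users on all client types")
    if not 2 <= global_admin_count <= 4:
        findings.append(f"{global_admin_count} Global Administrators; benchmark expects 2-4")
    return findings


# Constructed sample: legacy-auth block left in report-only mode, one MFA exemption.
SAMPLE_POLICIES = [
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"], "users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Require MFA", "state": "enabled",
     "conditions": {"clientAppTypes": ["all"], "users": {"includeUsers": ["All"], "excludeUsers": ["svc-scanner"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    for finding in evaluate_identity(SAMPLE_POLICIES, 7):
        print("FINDING:", finding)
```

The report-only state is the case worth remembering: a legacy-auth block policy that was never switched from report-only to enabled looks present in the portal but protects nothing.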
Section 2: Application Permissions
The application permissions section governs how applications are granted access to tenant data:
Ensure that "User consent for applications" is restricted. Default user consent permits applications to receive permissions that users may not understand. Restricting consent requires admin review.
Ensure that "External users cannot send invites" except for designated roles.
Ensure that "Restrict access to Azure AD administration portal" is enabled for non-admin users.
Ensure that "Restrict guest user permissions" is set appropriately.
Ensure that custom-developed applications are documented with their purposes and permissions.
The consent control addresses the "OAuth app consent phishing" attack pattern that has been used in numerous M365 incidents: a user is persuaded to grant a third-party application access to mail or files, and the application then holds a token that works without the user's password. Restricting consent removes this low-effort path by requiring admin review before such access is granted.
Section 3: Data Management (Exchange Online)
Exchange Online has its own configuration plane. The benchmark addresses:
Ensure that DKIM is enabled for all Exchange Online domains. DKIM signs outbound mail, protecting against spoofing.
Ensure that SPF records are configured for all sending domains.
Ensure that DMARC records are configured with at least a quarantine or reject policy.
Ensure that "auto-forwarding" of email outside the organization is disabled or restricted.
Ensure that "External in Outlook" indicator is enabled to flag external email visibly.
Ensure that "Block sign-in from unauthorized regions" is configured if the organization has geographic restrictions.
Ensure that mail tip is configured to warn users when sending to external recipients.
Ensure that anti-phishing policies are configured for impersonation protection, mailbox intelligence, and spoof intelligence.
Ensure that Safe Links is enabled to scan links in email.
Ensure that Safe Attachments is enabled to scan attachments before delivery.
The auto-forwarding control addresses a recurring breach pattern: attackers create mailbox forwarding rules to exfiltrate email after compromising credentials. Disabling external forwarding eliminates the easy version of this attack.
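The SPF and DMARC controls above are met only when the DNS records are both present and strict enough; a DMARC record with p=none, pct below 100, or sp=none, and an SPF record ending in ~all, all exist yet fail the control's intent. The checker below is an added example, not code from the CIS benchmark or from CISGuard; the records it checks are constructed, and spf.protection.outlook.com is the Exchange Online SPF include.

```python
# Added example; not code from the CIS benchmark or from CISGuard. Parses the
# SPF and DMARC TXT records the Section 3 controls call for and reports where a
# record exists but is weaker than the control intends. Inputs are constructed.
def parse_tags(record):
    """'v=DMARC1; p=reject; pct=100' -> {'v': 'DMARC1', 'p': 'reject', 'pct': '100'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record):
    """Findings for a DMARC record; an empty list means it meets the control."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"p={tags.get('p', 'missing')}: policy must be quarantine or reject")
    # pct defaults to 100; anything lower applies the policy to only a fraction of failing mail.
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    # sp= overrides p for subdomains; an explicit sp=none re-opens every subdomain.
    if tags.get("sp") == "none":
        findings.append("sp=none: subdomains are exempt from the policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return findings

def check_spf(record):
    """Findings for an SPF record; '-all' is the terminator that rejects unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    if "all" in terms or "+all" in terms:
        return ["+all: every sender passes SPF"]
    if "~all" in terms:
        return ["~all (softfail): receivers may still deliver mail from unlisted senders"]
    if "-all" not in terms:
        return ["no all mechanism: unlisted senders are not rejected"]
    return []

if __name__ == "__main__":
    # Constructed records; spf.protection.outlook.com is the Exchange Online SPF include.
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.com"):
        print(rec, "->", check_dmarc(rec))
    print(check_spf("v=spf1 include:spf.protection.outlook.com ~all"))
```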
Section 4: Storage (OneDrive and SharePoint)
OneDrive and SharePoint controls govern how documents are stored, shared, and accessed:
Ensure that "Sharing capability" for SharePoint sites is set to the most restrictive level appropriate. The default permits sharing with anyone; production tenants should restrict to internal or authenticated guests.
Ensure that "Default link type" is set to "Specific people". Anonymous sharing links are the default in many tenants; restricting the default reduces accidental over-sharing.
Ensure that "External sharing" is restricted appropriately for the organization's risk profile.
Ensure that "Block download of files from sensitive labels" is configured for sensitivity-labeled content.
Ensure that "Information rights management" is enabled for SharePoint and OneDrive.
Ensure that "Expiration date for sharing links" is configured with a reasonable default.
Ensure that "Block re-sharing by external users" is configured.
The sharing controls are where data exposure most commonly originates. A SharePoint site shared with "Anyone with the link" is the M365 equivalent of a public S3 bucket.
Section 5: Email Security and Defender
Defender for Office 365 provides additional protection beyond Exchange Online's defaults. The benchmark addresses:
Ensure Microsoft Defender for Office 365 is configured with appropriate plan tier.
Ensure Safe Links policies are configured for Email, Teams, and Office apps.
Ensure Safe Attachments policies are configured for Email and SharePoint/OneDrive/Teams.
Ensure Anti-malware policies are configured with appropriate notification and action.
Ensure Anti-spam policies are configured appropriately.
Ensure Anti-phishing policies are configured with impersonation protection.
Ensure that "Common attachment types filter" is enabled to block dangerous file types.
The combination of Safe Links, Safe Attachments, anti-phishing, and anti-malware policies is the layered email security baseline most enterprises target. Sub-optimal configurations leave gaps in the layered defense.
Section 6: Teams
Teams adds collaboration-specific controls:
Ensure that the ability of Teams users to communicate with users outside the organization is restricted as appropriate.
Ensure that "Allow external users to communicate with users in this organization" is configured appropriately.
Ensure that "Storage permissions" for guest access is set to "Cannot edit" or other appropriate level.
Ensure that "Sensitivity labels" are applied to Teams with restricted access requirements.
Ensure that "App permission policies" restrict app installation to vetted apps.
Ensure that "Meeting policies" include security-relevant restrictions like meeting recording controls.
The Teams app installation control matters because Teams apps can have substantial access to tenant data. Allowing arbitrary apps creates an expanded attack surface.
Section 7: Auditing
The auditing section establishes the audit infrastructure for the tenant:
Ensure mailbox auditing is enabled for all mailboxes.
Ensure audit log search is enabled at the tenant level.
Ensure that "Unified audit logging" is enabled.
Ensure audit log retention is configured appropriately (the default 90 days may be insufficient for regulatory requirements).
Without unified audit logging, security investigations across M365 services become an exercise in correlation across disjoint logs. With it, every service contributes to a single audit stream.
Section 8: Information Protection
Microsoft Purview Information Protection provides data classification and DLP. The benchmark addresses:
Ensure that sensitivity labels are configured for the organization's data classification scheme.
Ensure that automatic labeling is configured for sensitive data patterns.
Ensure that DLP policies are configured for the categories of regulated data the tenant holds.
Ensure that DLP policy notifications and incident reports are configured.
Information Protection is opt-in; many tenants do not configure it. Where the organization has regulated data, configuring labels and DLP is part of the compliance baseline.
Common M365 Configuration Drift
Microsoft 365 tenants exhibit recurring drift patterns:
Sharing settings opened up for specific projects. A SharePoint site is opened to "Anyone with the link" for an external project and the setting is never reverted.
Legacy authentication re-enabled for a single device. An IT administrator enables legacy authentication for a printer or scanner, opening MFA bypass for the entire tenant.
Global admin role granted broadly. Global admins added during initial deployment and never trimmed; new global admins added without removing predecessors.
MFA exemptions accumulating. Specific users excluded from MFA for one reason or another, with exemptions never reviewed.
Conditional Access policies misordered. Policies layered without coherent ordering, with later policies inadvertently overriding earlier protective ones.
Auto-forwarding rules created by users. Despite the tenant policy, individual user mailbox rules may forward externally if the policy is configured only at the connector level.
Defender for Office 365 settings drifted. Initially configured settings degraded over time as exemptions are added and not reviewed.
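The auto-forwarding pattern described in Section 3 and in the drift item above is best caught by reviewing mailbox rules directly, since a tenant-level forwarding block does not remove rules users have already created. The scanner below is an added example, not code from the CIS benchmark or from CISGuard; it assumes rules exported in the shape of Exchange Online's Get-InboxRule output (the "[SMTP:addr]" recipient rendering is an assumption), and the accepted domains and rules are constructed.

```python
# Added example; not code from the CIS benchmark or from CISGuard. Scans inbox
# rules shaped like Exchange Online Get-InboxRule output exported to JSON for
# forwards or redirects to addresses outside the tenant's accepted domains.
# The '[SMTP:addr]' recipient rendering, the domains and the rules are
# assumptions / constructed sample data.
import re

ACCEPTED_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}  # in practice: Get-AcceptedDomain
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
_ADDR = re.compile(r'\[SMTP:([^\]]+)\]|([^\s"<>\[\]]+@[^\s"<>\[\]]+)', re.IGNORECASE)

def recipient_addresses(value):
    """Extract SMTP addresses from a recipient field (single string or list)."""
    items = value if isinstance(value, list) else [value] if value else []
    found = []
    for item in items:
        for match in _ADDR.finditer(item):
            found.append((match.group(1) or match.group(2)).lower())
    return found

def is_external(address, accepted=ACCEPTED_DOMAINS):
    return address.rsplit("@", 1)[-1] not in accepted

def external_forwarding_rules(rules, accepted=ACCEPTED_DOMAINS):
    """(mailbox, rule name, external address) for each enabled rule that sends mail out of the tenant."""
    hits = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue  # a disabled rule is not currently forwarding; still worth a look in a full review
        for field in FORWARD_FIELDS:
            for addr in recipient_addresses(rule.get(field)):
                if is_external(addr, accepted):
                    hits.append((rule["MailboxOwnerId"], rule["Name"], addr))
    return hits

# Constructed sample: an internal forward, an external redirect with a one-character name, a disabled external forward.
SAMPLE_RULES = [
    {"MailboxOwnerId": "alice@contoso.com", "Name": "To assistant", "Enabled": True,
     "ForwardTo": ['"Bob" [SMTP:bob@contoso.com]']},
    {"MailboxOwnerId": "alice@contoso.com", "Name": ".", "Enabled": True,
     "RedirectTo": ['"alice" [SMTP:alice.backup@mail-example.net]']},
    {"MailboxOwnerId": "carol@contoso.com", "Name": "old", "Enabled": False,
     "ForwardAsAttachmentTo": ["external-party@mail-example.net"]},
]

if __name__ == "__main__":
    for mailbox, name, addr in external_forwarding_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r} sends mail to {addr}")
```

Rules with empty or single-character names are a common sign of a rule created to avoid notice, which is why the scanner reports the rule name alongside the destination.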
How Continuous Compliance Supports M365
M365 tenants are managed through multiple admin centers, each with its own change cadence. Without continuous scanning, configuration drift is invisible until the next manual review.
Continuous compliance scanning provides:
Per-tenant compliance against the full benchmark
Real-time drift detection when configuration degrades
Per-setting detail identifying the specific configuration and the specific control violated
Trend reporting showing compliance posture over time
Multi-framework mapping showing each control's coverage of NIST 800-53, ISO 27001, SOC 2, HIPAA, GDPR
How CISGuard Supports Microsoft 365 CIS Benchmark Compliance
CISGuard's M365 scanner evaluates the full CIS Microsoft 365 Foundations Benchmark with patterns suited to enterprise tenant operations:
Multi-tenant scanning for organizations operating multiple M365 tenants
Continuous scanning at configurable cadence
Drift detection with timestamped baseline comparisons
Per-service detail across Entra ID, Exchange, SharePoint, OneDrive, Teams, Defender, and Purview
Multi-framework mapping showing how each M365 control satisfies NIST 800-53, ISO 27001, SOC 2, HIPAA, GDPR, FedRAMP, and other frameworks
Immutable audit trail for assessor and continuous monitoring evidence
See Microsoft 365 CIS Benchmark coverage in CISGuard or request an M365 compliance assessment.
CIS Benchmarks and CIS Controls are trademarks of the Center for Internet Security, Inc. (CIS). CISGuard is an independent product by GR IT Services and is not affiliated with, endorsed by, or certified by the Center for Internet Security. References to CIS Benchmarks are for informational purposes and describe interoperability with published security standards. NIST, ISO, SOC 2, HIPAA, GDPR, and other framework names are property of their respective owners.