{"id":22829,"date":"2026-03-26T09:05:00","date_gmt":"2026-03-26T16:05:00","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=22829"},"modified":"2026-04-02T15:02:10","modified_gmt":"2026-04-02T22:02:10","slug":"deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\/","title":{"rendered":"Deploying Microsoft Baseline Security Mode at Microsoft: Our virtuous learning cycle"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">The enterprise security frontier isn\u2019t just evolving. It\u2019s accelerating beyond the limits of traditional security models.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">AI acceleration, cloud adoption, and rapid growth of enterprise apps have dramatically expanded the attack surface. Every new app introduces a new identity. Every identity carries permissions. Over time, those permissions accumulate, often without clear ownership or regular review.<\/p>\n\n\n\n<figure class=\"wp-block-image alignright size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"500\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/B-Ganti.png\" alt=\"A photo of Ganti. \" class=\"wp-image-22833\" style=\"width:150px\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/B-Ganti.png 500w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/B-Ganti-300x300.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/B-Ganti-150x150.png 150w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u201cAn app is another form of identity. 
In a cloud-first, Zero Trust world, identity becomes the primary security perimeter, and access is governed by the principle of least privilege. Whether it is a user, an app, or an agent, when permissions are overly broad or elevated the blast radius expands dramatically, increasing risk exponentially.\u201d<\/p>\n<cite>B. Ganti, principal architect, Microsoft Digital<\/cite><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Inside Microsoft Digital\u2014the company\u2019s IT organization\u2014we recognized this early. Many of our highest\u2011risk security scenarios didn\u2019t start with malware or phishing. They started with access. Specifically, apps running with permissions beyond what they required.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cAn app is another form of identity,\u201d says B. Ganti, principal architect in Microsoft Digital. \u201cIn a cloud-first, Zero Trust world, identity becomes the primary security perimeter, and access is governed by the principle of least privilege. 
Whether it is a user, an app, or an agent, when permissions are overly broad or elevated the blast radius expands dramatically, increasing risk exponentially.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Traditional security approaches such as periodic reviews, best\u2011practice guidance, and point\u2011in\u2011time hardening weren\u2019t enough in an environment that changes daily. 
Configurations drift, new apps appear, and risk grows quietly in places that are hard to see at scale.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That reality forced a mindset shift internally here at Microsoft. Security couldn\u2019t be optional. It couldn\u2019t be advisory. And it couldn\u2019t be static.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Our team operates one of the largest enterprise environments in the world, with tens of thousands of apps and a culture built on self\u2011service and autonomy. That scale drives innovation, but it also amplifies risk.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Our application identities became one of the most complex governance challenges we faced. Our ownership wasn\u2019t always clear. Our permissions were often granted broadly to avoid disruption. And once approved, access rarely came under scrutiny again.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cAs a self\u2011service organization, we empower people to move fast,\u201d Ganti says. 
\u201cBut that also means apps get created, permissions get granted, and not everyone always remembers why.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The rise of AI\u2011powered apps and agents\u2014often requiring access to large volumes of data\u2014increased our risk further.<\/p>\n\n\n\n<figure class=\"wp-block-image alignright size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"500\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2025\/12\/Brian-Fielder.png\" alt=\"Photo of Fielder\" class=\"wp-image-21679\" style=\"width:150px\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2025\/12\/Brian-Fielder.png 500w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2025\/12\/Brian-Fielder-300x300.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2025\/12\/Brian-Fielder-150x150.png 150w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u201cWe\u2019re using Microsoft Baseline Security Mode to move security from guidance to enforcement. 
It establishes secure\u2011by\u2011default configurations that scale across our environment, so teams can innovate quickly without inheriting unnecessary risk.\u201d<\/p>\n<cite><strong>Brian Fielder, vice president, Microsoft Digital<\/strong><\/cite><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">We needed a system to reduce that risk systematically, not one app at a time.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft Baseline Security Mode (BSM) became that system\u2014a prescriptive, enforceable baseline that defines what \u201csecure\u201d means and keeps it that way.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cWe\u2019re using Microsoft Baseline Security Mode to move security from guidance to enforcement,\u201d says Brian Fielder, vice president of Microsoft Digital. \u201cIt establishes secure\u2011by\u2011default configurations that scale across our environment, so teams can innovate quickly without inheriting unnecessary risk.\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Defining Microsoft Baseline Security Mode<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">BSM is more than just a checklist of recommended settings. It\u2019s an enforced security baseline built directly into the Microsoft 365 admin center, designed to reduce attack surface by default across core Microsoft 365 workloads. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It was developed and then deployed internally at Microsoft, with our team in Microsoft Digital serving as a close design and deployment partner throughout the process.<\/p>\n\n\n\n<figure class=\"wp-block-image alignright size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"500\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/Adriana-Wood.png\" alt=\"A photo of Wood.\" class=\"wp-image-22834\" style=\"width:150px\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/Adriana-Wood.png 500w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/Adriana-Wood-300x300.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/Adriana-Wood-150x150.png 150w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u201cThe settings in the Microsoft Baseline Security Mode were informed by years of experience in running our planet-scale services, and by analyzing historical security incidents across Microsoft to harden the security posture of tenants. The team identified concrete security settings that would prevent or significantly reduce known security vulnerabilities.\u201d<\/p>\n<cite>Adriana Wood, principal product manager, Microsoft 365 security<\/cite><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">At a technical level, BSM establishes a minimum required security posture by applying Microsoft\u2011managed policies and configuration states across services including Exchange Online, SharePoint Online, OneDrive, Teams, and Entra ID. 
The focus is on eliminating common misconfigurations, rather than theoretical or edge\u2011case risks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cThe settings in the Microsoft Baseline Security Mode were informed by years of experience in running our planet-scale services, and by analyzing historical security incidents across Microsoft to harden the security posture of tenants,\u201d says Adriana Wood, a principal product manager for Microsoft 365 security. \u201cThe team identified concrete security settings that would prevent or significantly reduce known security vulnerabilities. The resulting mitigation controls were implemented and validated in Microsoft\u2019s enterprise tenant, with Microsoft Digital evaluating operational impact, rollout characteristics, and failure modes before making it more broadly available to our customers.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Legacy baselines rely on documentation and manual implementation. Administrators interpret guidance, apply settings where feasible, and revisit them periodically. In dynamic cloud environments, that model breaks down fast. Configurations drift, exceptions accumulate, and security degrades.<\/p>\n\n\n\n<figure class=\"wp-block-image alignright size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"500\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/Keith-Bunge.png\" alt=\"A photo of Bunge. 
\" class=\"wp-image-22835\" style=\"width:150px\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/Keith-Bunge.png 500w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/Keith-Bunge-300x300.png 300w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/Keith-Bunge-150x150.png 150w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u201cBefore enforcement, administrators can use reporting and simulation tools to understand how a baseline will affect users, apps, and workflows. That visibility allows teams to identify noncompliant assets, prioritize remediation by risk, and avoid unexpected disruptions.\u201d<\/p>\n<cite><strong>Keith Bunge, principal software engineer, Microsoft Digital<\/strong><\/cite><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">BSM replaces that approach with policy\u2011driven enforcement.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now our controls are applied consistently across the tenant and continuously validated. When our configurations fall out of compliance, our risk surfaces immediately\u2014it\u2019s not discovered months later in an audit. The model is simple: get clean, stay clean.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Another key capability of BSM is impact awareness.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cBefore enforcement, administrators can use reporting and simulation tools to understand how a baseline will affect users, apps, and workflows,\u201d says Keith Bunge, a principal software engineer in Microsoft Digital. \u201cThat visibility allows teams to identify noncompliant assets, prioritize remediation by risk, and avoid unexpected disruptions. 
Our team in Microsoft Digital partnered closely with the product group to ensure these capabilities were practical for real enterprise deployments, not just greenfield environments.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">BSM is also not static.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The baseline evolves on a regular cadence to reflect changes in the threat landscape, new Microsoft 365 capabilities, and lessons learned from operating at scale.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">From our perspective, BSM is not just a feature. It\u2019s a security operating model. It shifts the default from \u201csecure if configured correctly\u201d to \u201csecure by default.\u201d Security decisions move out of individual teams and into a consistent, centrally enforced baseline. The question is no longer whether a control should be applied, but whether an exception is truly necessary\u2014and how the associated risk will be mitigated.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That shift is what makes BSM sustainable at scale. And it\u2019s why apps\u2014where identities, permissions, and data access converge\u2014became the next focus area for us in Microsoft Digital.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Addressing apps and high-risk surfaces<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">When we evaluated risk across our environment, one pattern was clear: Our apps represented both our most concentrated and least governed attack surface.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Apps are identities. They authenticate. They\u2019re granted permissions. And unlike human users, they often operate continuously, without reassessment or visibility.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In a large, self\u2011service environment like ours, apps are created constantly by engineering teams, business groups, and automation workflows. 
Over time, many of those apps could accumulate permissions beyond what they actually needed, particularly within our Microsoft Graph. Our delegated permissions were especially risky, because they allow apps to act on our employees\u2019 behalf at machine speed across massive data sets.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cAs a user, I might not know where all my data lives,\u201d Ganti says. \u201cBut an app with delegated permissions doesn\u2019t have that limitation. It can search everything, everywhere, all at once.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The challenge wasn\u2019t just volume\u2014it was inconsistency.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Our ownership was often unclear. Our permission reviews were infrequent or manual. And once we granted elevated access, we had few systemic controls in place requiring it to be revisited.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft Baseline Security Mode addresses this directly by treating apps explicitly as identities that must conform to least\u2011privilege principles.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We started with visibility. We inventoried apps and analyzed permission scopes, authentication models, and potential blast radius. Our apps with broad Microsoft Graph permissions, access to large volumes of unstructured data, or unclear ownership were prioritized. In some cases, we reduced permissions to more granular scopes. In others, we rearchitected apps to use delegated access more safely\u2014or we retired them altogether.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This work was intentionally structured as a burndown, not a one\u2011time cleanup.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Removing our excess permissions was only half the equation. Preventing them from coming back was just as critical. BSM introduced guardrails earlier in the app lifecycle, to surface and control elevated permission requests before they reached production. 
New or updated apps requesting high\u2011risk permissions now trigger consistent review, and in many cases are blocked outright unless they meet strict criteria.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Moving from &#8216;get clean&#8217; to &#8216;stay clean&#8217;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Reducing risk once is hard. Keeping it reduced is harder.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">After our initial application burndown, we quickly learned that cleanup alone wouldn\u2019t scale. Even as we reduced permissions and remediated high\u2011risk apps, new apps continued to appear. Existing apps evolved, teams changed, and without structural controls, the same risks would inevitably return.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">BSM enabled us to shift from remediation to sustainability.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It started with visibility.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We needed a reliable way to detect when apps drifted out of compliance. That meant continuously monitoring permission changes, new consent grants, and scope expansions across our tenant. Instead of periodic reviews, we moved to continuous validation tied directly to the baseline.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Next came risk\u2011based prioritization.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Not every noncompliance carries equal impact. Our apps with broad Microsoft Graph permissions, access to large volumes of data, or unclear ownership were surfaced first. This ensured our security teams focused on material risk, rather than treating every deviation as equal.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It was equally important for us to control how new risk entered the system.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">BSM introduces guardrails earlier in the application lifecycle. Our elevated permission requests are surfaced sooner and reviewed more consistently. 
In many cases, high\u2011risk permissions are blocked by default unless clear justification and mitigation are in place. Known\u2011bad patterns are stopped before our teams build or update apps.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Over time, this enforcement model fundamentally changed the operating posture.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Instead of recurring cleanup campaigns, we moved to continuous alignment. Our environment stays closer to the baseline by default. Our deviations are treated as exceptions that require explicit action, not silent drift.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This \u201cstay clean\u201d capability also reduced operational overhead.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As enforcement and validation moved into Microsoft Baseline Security Mode, we retired custom scripts, dashboards, and manual review processes that were difficult to maintain at scale. Our baseline became the source of truth for application security posture, not a snapshot taken after the fact.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Most importantly, we proved that BSM could scale.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u201cThis isn&#8217;t limited to Microsoft 365. 
This is Microsoft, and it expands over time as more services come into scope.\u201d<\/p>\n<cite>Jeff McDowell, principal program manager, OneDrive and SharePoint product group<\/cite><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">By combining continuous validation, risk\u2011based prioritization, and enforced guardrails, we established a repeatable model for sustaining security improvements over time.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That model now serves as our foundation for extending BSM to additional workloads and security surfaces across the enterprise.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cThis isn\u2019t limited to Microsoft 365,\u201d says Jeff McDowell, a principal program manager in the OneDrive and SharePoint product group. \u201cThis is Microsoft, and it expands over time as more services come into scope.\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Operationalizing Microsoft Baseline Security Mode<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Defining a baseline is only the first step. Making it work day\u2011to\u2011day is the real challenge.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For us in Microsoft Digital, operationalizing BSM meant embedding it directly into how we run security. That required clear ownership, repeatable processes, and tight integration with our existing workflows.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Governance came first.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">BSM creates a clear line between what is centrally enforced and what individual teams can influence. The baseline is owned and managed centrally to ensure consistency across the tenant. 
Our application owners and engineering teams still make design decisions, but within defined guardrails aligned to enterprise risk tolerance.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This clarity reduces friction.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Instead of debating security settings app by app, our teams start from a shared default. Our security conversations shift away from \u201cCan we make an exception?\u201d to \u201cHow do we meet the baseline with the least disruption?\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Operationally, BSM is integrated into our application lifecycle.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">New apps are evaluated against baseline requirements early, before permissions are broadly granted or dependencies are established. Changes to existing apps, such as new permission requests or expanded scopes, are surfaced automatically and reviewed in context, rather than discovered months later during audits.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In an environment where apps are constantly being created, updated, and retired, automation is essential. Without policy\u2011driven enforcement, our security teams would be managing a perpetual backlog of reviews. BSM allows us to focus on true exceptions instead of revalidating the baseline itself.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That baseline is also embedded into our ongoing operations.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Our security posture is monitored continuously, not through periodic snapshots. When our configurations drift or new risks appear, we identify them early and address them while the blast radius is still small. Over time, this reduces both our operational effort and incident response overhead.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Perhaps our most important change was cultural.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">BSM normalizes the idea that security defaults are foundational. 
Our teams still innovate and move quickly\u2014but they do so in an environment where secure is expected, enforced, and sustained.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Embracing the feedback loop as Customer Zero<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">From the start, our team in Microsoft Digital deployed Microsoft Baseline Security Mode as Customer Zero: We applied early versions in our live, large\u2011scale enterprise environment, where we fed our real\u2011world learnings back to the product group. That feedback loop became central to how the platform evolved.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Running BSM at Microsoft scale quickly exposed challenges that don\u2019t appear in smaller tenants. Visibility was one of the first. With thousands of apps and constantly changing permissions, it was difficult to pinpoint which apps violated least\u2011privilege principles and where security teams should focus first.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Those gaps directly shaped the product. Reporting and analytics were refined to better surface elevated permissions, risky scopes, and noncompliant apps, helping teams move from investigation to action more quickly.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Scalability was another critical lesson.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Controls that worked for dozens of apps didn\u2019t automatically work for thousands. Our team needed policies that were opinionated, enforceable, and operationally sustainable without constant adjustment. That pushed BSM toward clearer defaults and stronger enforcement boundaries.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cWhat made the collaboration work is that Microsoft Digital was deploying this in a real tenant with real consequences,\u201d Wood says. 
\u201cTheir feedback helped us understand what enterprises actually need to adopt these controls successfully, not just what looks good on paper.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Over time, this became a virtuous cycle. Our team surfaced friction and risk through deployment. The product group translated those insights into product improvements. We then adopted those same improvements to replace custom tooling and manual processes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For customers, this matters. The controls in BSM are shaped by operational reality, tested under scale and refined so other organizations don\u2019t have to learn the same lessons the hard way.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s next for Microsoft Baseline Security Mode<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Future iterations of BSM will expand coverage beyond traditional collaboration services to additional platforms and services, while maintaining the same opinionated approach. The goal is not to restrict environments indiscriminately, but to ensure new capabilities are introduced with security baked in from the start.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As compliance requirements grow more complex and more global, organizations need a consistent, defensible security baseline. BSM provides a Microsoft\u2011managed standard informed by real\u2011world attack patterns and enterprise deployment realities.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Controls evolve. Scope expands. Feedback loops remain active. 
As new risks emerge, the baseline adapts, without requiring organizations to redefine their security posture from scratch.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s a foundation designed to support whatever comes next.<\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding is-content-justification-left is-layout-constrained wp-container-core-group-is-layout-c0392459 wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<figure class=\"wp-block-image alignleft size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"190\" height=\"190\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Key-takeaways-badge.png\" alt=\"\" class=\"wp-image-19493\" style=\"object-fit:cover;width:75px;height:75px\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Key-takeaways-badge.png 190w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Key-takeaways-badge-150x150.png 150w\" sizes=\"auto, (max-width: 190px) 100vw, 190px\" \/><\/figure>\n\n\n\n<p class=\"has-body-xl-font-size wp-block-paragraph\" style=\"margin-top:var(--wp--preset--spacing--spacing-24);margin-bottom:0;padding-top:var(--wp--preset--spacing--spacing-24)\">Key takeaways<\/p>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">If you\u2019re ready to strengthen your organization\u2019s security posture with Microsoft Baseline Security Mode, consider these immediate actions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Establish clear ownership.<\/strong> Assign responsibility for baseline security management to ensure consistency and accountability.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Implement repeatable processes.<\/strong> Develop 
standardized procedures to evaluate and enforce baseline requirements throughout the app lifecycle.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Integrate with existing workflows.<\/strong> Embed security controls into daily operations to reduce friction and streamline compliance.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Prioritize automation and monitoring.<\/strong> Use automated enforcement and continuous validation for early risk detection and response.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Foster a security-first culture.<\/strong> Normalize secure defaults and encourage teams to innovate within defined guardrails.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Design for evolution.<\/strong> Design your baseline to adapt as new services, platforms, and compliance needs arise.<\/li>\n<\/ul>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-global-padding is-content-justification-left is-layout-constrained wp-container-core-group-is-layout-c0392459 wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<figure class=\"wp-block-image alignleft size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"190\" height=\"190\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Try-it-out-badge.png\" alt=\"\" class=\"wp-image-19492\" style=\"object-fit:cover;width:75px;height:75px\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Try-it-out-badge.png 190w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Try-it-out-badge-150x150.png 150w\" sizes=\"auto, (max-width: 190px) 100vw, 190px\" \/><\/figure>\n\n\n\n<p class=\"has-body-xl-font-size wp-block-paragraph\" 
style=\"margin-top:var(--wp--preset--spacing--spacing-24);margin-bottom:0;padding-top:var(--wp--preset--spacing--spacing-24)\">Try it out<\/p>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/baseline-security-mode\/baseline-security-mode-settings?view=o365-worldwide#how-to-access-baseline-security-mode-settings?OCID=InsideTrack_10825\" target=\"_blank\" rel=\"noreferrer noopener\">Learn how to access and implement Microsoft Baseline Security Mode<\/a>.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-global-padding is-content-justification-left is-layout-constrained wp-container-core-group-is-layout-c0392459 wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<figure class=\"wp-block-image alignleft size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"190\" height=\"190\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Related-links-badge.png\" alt=\"\" class=\"wp-image-19491\" style=\"object-fit:cover;width:75px;height:75px\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Related-links-badge.png 190w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Related-links-badge-150x150.png 150w\" sizes=\"auto, (max-width: 190px) 100vw, 190px\" \/><\/figure>\n\n\n\n<p class=\"has-body-xl-font-size wp-block-paragraph\" style=\"margin-top:var(--wp--preset--spacing--spacing-24);margin-bottom:0;padding-top:var(--wp--preset--spacing--spacing-24)\">Related links<\/p>\n<\/div>\n\n\n\n<ul style=\"margin-top:var(--wp--preset--spacing--spacing-20)\" class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><a 
href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/hardening-our-digital-defenses-with-microsoft-baseline-security-mode\/\">Read more about how we\u2019re hardening our digital defenses with Microsoft Baseline Security Mode.<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/techcommunity.microsoft.com\/blog\/microsoft_365blog\/ignite%E2%80%9925-spotlight-announcing-microsoft-baseline-security-mode\/4469709\" target=\"_blank\" rel=\"noreferrer noopener\">Announcing Microsoft Baseline Security Mode<\/a>.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity-platform\/secure-least-privileged-access\" target=\"_blank\" rel=\"noreferrer noopener\">Increase application security with the principle of least privilege<\/a>.<\/li>\n<\/ul>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-global-padding is-content-justification-left is-layout-constrained wp-container-core-group-is-layout-c0392459 wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<figure class=\"wp-block-image alignleft size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"190\" height=\"190\" src=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Wed-like-to-hear-from-you-badge.png\" alt=\"\" class=\"wp-image-19490\" style=\"object-fit:cover;width:75px;height:75px\" srcset=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Wed-like-to-hear-from-you-badge.png 190w, https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2025\/07\/Wed-like-to-hear-from-you-badge-150x150.png 150w\" sizes=\"auto, (max-width: 190px) 100vw, 190px\" \/><\/figure>\n\n\n\n<p class=\"has-body-xl-font-size wp-block-paragraph\" 
style=\"margin-top:var(--wp--preset--spacing--spacing-24);margin-bottom:0;padding-top:var(--wp--preset--spacing--spacing-24)\">We&#8217;d like to hear from you!<\/p>\n<\/div>\n\n\n\n<ul style=\"margin-top:var(--wp--preset--spacing--spacing-20)\" class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"mailto:msitstaff@microsoft.com\">Want more information? Email us and include a link to this story and we\u2019ll get back to you.<\/a><\/li>\n<\/ul>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The enterprise security frontier isn\u2019t just evolving. It\u2019s accelerating beyond the limits of traditional security models. AI acceleration, cloud adoption, and rapid growth of enterprise apps have dramatically expanded the attack surface. Every new app introduces a new identity. Every identity carries permissions. Over time, those permissions accumulate, often without clear ownership or regular review. [&hellip;]<\/p>\n","protected":false},"author":92,"featured_media":22831,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_hide_featured_on_single":false,"_show_featured_caption_on_single":true,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[71],"tags":[868,263,848,300,419],"coauthors":[550],"class_list":["post-22829","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-featured","tag-ai-deployment-and-adoption","tag-microsoft-365","tag-security-and-risk-management","tag-windows","tag-zero-trust","m-blog-post"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Deploying Microsoft Baseline Security Mode at Microsoft: Our virtuous learning cycle - 
Inside Track Blog<\/title>\n<meta name=\"description\" content=\"Learn how we implemented Microsoft Baseline Security Mode internally here at Microsoft.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Deploying Microsoft Baseline Security Mode at Microsoft: Our virtuous learning cycle - Inside Track Blog\" \/>\n<meta property=\"og:description\" content=\"Learn how we implemented Microsoft Baseline Security Mode internally here at Microsoft.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\/\" \/>\n<meta property=\"og:site_name\" content=\"Inside Track Blog\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-26T16:05:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-02T22:02:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/10825-Hero_image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2300\" \/>\n\t<meta property=\"og:image:height\" content=\"1293\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jason Kellington\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jason Kellington\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\\\/\"},\"author\":{\"name\":\"Jason Kellington\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#\\\/schema\\\/person\\\/873dfaa69644d9b2e9861bc6dac478b6\"},\"headline\":\"Deploying Microsoft Baseline Security Mode at Microsoft: Our virtuous learning cycle\",\"datePublished\":\"2026-03-26T16:05:00+00:00\",\"dateModified\":\"2026-04-02T22:02:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\\\/\"},\"wordCount\":2847,\"image\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2026\\\/03\\\/10825-Hero_image.jpg\",\"keywords\":[\"AI deployment and adoption\",\"Microsoft 365\",\"Security and risk management\",\"Windows\",\"Zero Trust\"],\"articleSection\":[\"Featured\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\\\/\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\\\/\",\"name\":\"Deploying 
Microsoft Baseline Security Mode at Microsoft: Our virtuous learning cycle - Inside Track Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2026\\\/03\\\/10825-Hero_image.jpg\",\"datePublished\":\"2026-03-26T16:05:00+00:00\",\"dateModified\":\"2026-04-02T22:02:10+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#\\\/schema\\\/person\\\/873dfaa69644d9b2e9861bc6dac478b6\"},\"description\":\"Learn how we implemented Microsoft Baseline Security Mode internally here at 
Microsoft.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2026\\\/03\\\/10825-Hero_image.jpg\",\"contentUrl\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2026\\\/03\\\/10825-Hero_image.jpg\",\"width\":2300,\"height\":1293,\"caption\":\"We\u2019re using Microsoft Baseline Security Mode internally at Microsoft to establish secure-by-default configurations, prioritize least-privilege principles for application identities, and deliver sustainable, scalable protection.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Deploying Microsoft Baseline Security Mode at Microsoft: Our virtuous learning cycle\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/\",\"name\":\"Inside Track Blog\",\"description\":\"How Microsoft does 
IT\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/#\\\/schema\\\/person\\\/873dfaa69644d9b2e9861bc6dac478b6\",\"name\":\"Jason Kellington\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d4b158da36ed1724c7b9904b655dca8f848e188c9a11b293da2c41a62cd51391?s=96&d=mm&r=g194a4f0f478cef34134d870cc64e1068\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d4b158da36ed1724c7b9904b655dca8f848e188c9a11b293da2c41a62cd51391?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d4b158da36ed1724c7b9904b655dca8f848e188c9a11b293da2c41a62cd51391?s=96&d=mm&r=g\",\"caption\":\"Jason Kellington\"},\"url\":\"https:\\\/\\\/www.microsoft.com\\\/insidetrack\\\/blog\\\/author\\\/v-jaske\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Deploying Microsoft Baseline Security Mode at Microsoft: Our virtuous learning cycle - Inside Track Blog","description":"Learn how we implemented Microsoft Baseline Security Mode internally here at Microsoft.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/insidetrack\/blog\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\/","og_locale":"en_US","og_type":"article","og_title":"Deploying Microsoft Baseline Security Mode at Microsoft: Our virtuous learning cycle - Inside Track Blog","og_description":"Learn how we implemented Microsoft Baseline Security Mode internally here at Microsoft.","og_url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\/","og_site_name":"Inside Track Blog","article_published_time":"2026-03-26T16:05:00+00:00","article_modified_time":"2026-04-02T22:02:10+00:00","og_image":[{"width":2300,"height":1293,"url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/10825-Hero_image.jpg","type":"image\/jpeg"}],"author":"Jason Kellington","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jason Kellington","Est. 
reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\/"},"author":{"name":"Jason Kellington","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/873dfaa69644d9b2e9861bc6dac478b6"},"headline":"Deploying Microsoft Baseline Security Mode at Microsoft: Our virtuous learning cycle","datePublished":"2026-03-26T16:05:00+00:00","dateModified":"2026-04-02T22:02:10+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\/"},"wordCount":2847,"image":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/10825-Hero_image.jpg","keywords":["AI deployment and adoption","Microsoft 365","Security and risk management","Windows","Zero Trust"],"articleSection":["Featured"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\/","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\/","name":"Deploying Microsoft Baseline Security Mode at Microsoft: Our virtuous learning cycle - Inside Track 
Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/10825-Hero_image.jpg","datePublished":"2026-03-26T16:05:00+00:00","dateModified":"2026-04-02T22:02:10+00:00","author":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/873dfaa69644d9b2e9861bc6dac478b6"},"description":"Learn how we implemented Microsoft Baseline Security Mode internally here at Microsoft.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/insidetrack\/blog\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\/#primaryimage","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/10825-Hero_image.jpg","contentUrl":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/10825-Hero_image.jpg","width":2300,"height":1293,"caption":"We\u2019re using Microsoft Baseline Security Mode internally at Microsoft to establish secure-by-default configurations, prioritize least-privilege principles for application identities, and deliver sustainable, scalable 
protection."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/insidetrack\/blog\/"},{"@type":"ListItem","position":2,"name":"Deploying Microsoft Baseline Security Mode at Microsoft: Our virtuous learning cycle"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#website","url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/","name":"Inside Track Blog","description":"How Microsoft does IT","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.microsoft.com\/insidetrack\/blog\/#\/schema\/person\/873dfaa69644d9b2e9861bc6dac478b6","name":"Jason Kellington","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d4b158da36ed1724c7b9904b655dca8f848e188c9a11b293da2c41a62cd51391?s=96&d=mm&r=g194a4f0f478cef34134d870cc64e1068","url":"https:\/\/secure.gravatar.com\/avatar\/d4b158da36ed1724c7b9904b655dca8f848e188c9a11b293da2c41a62cd51391?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d4b158da36ed1724c7b9904b655dca8f848e188c9a11b293da2c41a62cd51391?s=96&d=mm&r=g","caption":"Jason 
Kellington"},"url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/author\/v-jaske\/"}]}},"jetpack_featured_media_url":"https:\/\/www.microsoft.com\/insidetrack\/blog\/uploads\/prod\/2026\/03\/10825-Hero_image.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9hcZA-5Wd","_links":{"self":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/22829","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/users\/92"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/comments?post=22829"}],"version-history":[{"count":7,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/22829\/revisions"}],"predecessor-version":[{"id":22850,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/22829\/revisions\/22850"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/media\/22831"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/media?parent=22829"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/categories?post=22829"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/tags?post=22829"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/insidetrack\/blog\/wp-json\/wp\/v2\/coauthors?post=22829"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}