This post was cowritten by Jonathan Trull, Chief Security Advisor, Cybersecurity Solutions Group, and Sean Sweeney, Chief Security Advisor, Cybersecurity Solutions Group.
We’re excited to announce the availability of the Center for Internet Security’s (CIS) Microsoft 365 Foundations Benchmark—developed by CIS in partnership with Microsoft—to provide prescriptive guidance for establishing a secure baseline configuration for Microsoft 365. CIS is a nonprofit entity focused on developing global standards and recognized best practices for securing IT systems and data against the most pervasive attacks.
Microsoft 365 provides powerful online cloud services that enable collaboration, security, and compliance, mobility, intelligence, and analytics. Adopting cloud technologies requires a shared responsibility model for security, with Microsoft responsible for certain controls and the customer responsible for others, depending on the service delivery model chosen. To ensure that a customer’s cloud workloads are protected, it is important that they carefully consider and implement the appropriate architecture and enable the right set of configuration settings.
The CIS Microsoft 365 Foundations Benchmark is designed to assist organizations in establishing the foundation level of security for anyone adopting Microsoft 365. The benchmark should not be considered as an exhaustive list of all possible security configurations and architecture but as a starting point. Each organization must still evaluate their specific situation, workloads, and compliance requirements and tailor their environment accordingly.
The CIS benchmark contains two levels, each with slightly different technical specifications:
- Level 1—Recommended minimum security settings that should be configured on any system and should cause little or no interruption of service or reduced functionality.
- Level 2—Recommended security settings for highly secure environments and could result in some reduced functionality.
The CIS Microsoft 365 Security Benchmark is divided into the following sections:
| Section | Description | # of recommended controls |
| Account/Authentication policies | Recommendations related to setting the appropriate account and authentication policies. | 8 |
| Application permissions | Recommendations related to the configuration of application permissions within Microsoft 365. | 4 |
| Data management | Recommendations for setting data management policies. | 6 |
| Email security/Exchange Online | Recommendations related to the configuration of Exchange Online and email security. | 13 |
| Auditing policies | Recommendations for setting auditing policies on your Microsoft 365 tenant. | 14 |
| Storage policies | Recommendations for securely configuring storage policies. | 2 |
| Mobile device management | Recommendations for managing devices connecting to Microsoft 365. | 13 |
| Total recommendations | 60 | |
Each recommendation contains several sections, including a recommendation identification number, title, and description; level or profile applicability; rationale; instructions for auditing the control; remediation steps; impact of implementing the control; default value; and references. For example, the first control contained in the benchmark is under the Account/Authentication policies section and is titled: 1.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles (Scored).
A control is marked as “Scored” or “Not Scored” based on whether it can be programmatically tested. In this case, recommendation 1.1 can be audited leveraging the Microsoft Graph and PowerShell cmdlet. The specific steps for auditing the control are contained in the “Audit” section for this specific recommendation. This recommendation is listed as a Level 1 control because it is only applied to Microsoft 365 administrative users and would not have a company-wide impact or produce less functionality for users. The rationale for recommendation 1.1 is that Microsoft 365 administrative accounts need to be protected due to their powerful privileges and with Multiple Factor Authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk to the Azure tenant.
Download the benchmark and provide your feedback
The CIS Microsoft 365 Security Benchmark is freely available for download in PDF format on the CIS website. In the continuity of their mission, feedback provided by those entrenched in using and implementing the benchmarks provides us the opportunity for continuous improvement of our products. Feedback can be made visible to CIS by creating a discussion thread or ticket within the CIS Microsoft 365 Foundations Benchmark community. In addition, Microsoft has developed a set of Office 365 security guidelines and best practices for our customers to follow. These guides can be found in Office 365 Security and Compliance documentation.
