CIS Microsoft 365 Foundations Benchmark

CIS 1.2.0 Security Controls for Microsoft 365: a curated list of the most important and least user-impacting security controls that can be audited and remediated.

Account / AuthenticationEnsure multifactor authentication is enabled for all users in administrative rolesEnsure that multi-factor authentication is enabled for all non-privileged usersEnsure that between two and four global admins are designatedEnsure self-service password reset is enabledEnsure that ‘Number of methods required to reset’ is set to ‘2’Ensure Azure Active Directory Password Protection for Active Directory is enabled in order to protect against the use of common passwords.Enable Conditional Access policies to block legacy authentication protocols in Office 365.Ensure that password hash sync is enabled for resiliency and leaked credential detection.Enabled Identity Protection to identify anomalous logon behavior: Azure Active Directory Identity Protection monitors account behaviors and enables organizations to configure automated responses to detected suspicious actions related to user identities.Ensure Security Defaults is disabled on Azure Active Directory. The use of Security Defaults however will prohibit custom settings which are being set with more advanced settings from this benchmark.Ensure

Related posts: