CIS Microsoft 365 Foundations v4.0.0 L1 E3

Audit Details

Name: CIS Microsoft 365 Foundations v4.0.0 L1 E3

Updated: 6/16/2025

Authority: CIS

Plugin: microsoft_azure

Revision: 1.0

Estimated Item Count: 79

File Details

Filename: CIS_Microsoft_365_Foundations_v4.0.0_L1_E3.audit

Size: 254 kB

MD5: b7c0f23111a777d044ae78d1fdf3e761
SHA256: 1d021cade1a74a0d369e5c611119da6f2ce688b6ac685acd4de4e0563ba22fa5

Audit Items

DescriptionCategories
1.1.1 (L1) Ensure Administrative accounts are cloud-only

ACCESS CONTROL

1.1.2 (L1) Ensure two emergency access accounts have been defined

ACCESS CONTROL

1.1.3 (L1) Ensure that between two and four global admins are designated

ACCESS CONTROL

1.1.4 (L1) Ensure administrative accounts use licenses with a reduced application footprint

ACCESS CONTROL

1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked

CONFIGURATION MANAGEMENT

1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'

IDENTIFICATION AND AUTHENTICATION

1.3.2 (L1) Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices

ACCESS CONTROL

1.3.4 (L1) Ensure 'User owned apps and services' is restricted

CONFIGURATION MANAGEMENT

1.3.5 (L1) Ensure internal phishing protection for Forms is enabled

AWARENESS AND TRAINING, SYSTEM AND INFORMATION INTEGRITY

2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled

SYSTEM AND INFORMATION INTEGRITY

2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled

INCIDENT RESPONSE

2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators

INCIDENT RESPONSE

2.1.8 (L1) Ensure that SPF records are published for all Exchange Domains

SYSTEM AND COMMUNICATIONS PROTECTION

2.1.9 (L1) Ensure that DKIM is enabled for all Exchange Online Domains

SYSTEM AND COMMUNICATIONS PROTECTION

2.1.10 (L1) Ensure DMARC Records for all Exchange Online domains are published

SYSTEM AND COMMUNICATIONS PROTECTION

2.1.12 (L1) Ensure the connection filter IP allow list is not used

SYSTEM AND INFORMATION INTEGRITY

2.1.13 (L1) Ensure the connection filter safe list is off

SYSTEM AND INFORMATION INTEGRITY

2.1.14 (L1) Ensure inbound anti-spam policies do not contain allowed domains

SYSTEM AND INFORMATION INTEGRITY

3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled

AUDIT AND ACCOUNTABILITY

3.2.1 (L1) Ensure DLP policies are enabled

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.3.1 (L1) Ensure SharePoint Online Information Protection policies are set up and used

RISK ASSESSMENT

5.1.1.1 (L1) Ensure Security Defaults is disabled

CONFIGURATION MANAGEMENT

5.1.2.1 (L1) Ensure 'Per-user MFA' is disabled

IDENTIFICATION AND AUTHENTICATION

5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'

ACCESS CONTROL

5.1.2.4 (L1) Ensure access to the Entra admin center is restricted

ACCESS CONTROL

5.1.3.1 (L1) Ensure a dynamic group for guest users is created

ACCESS CONTROL, MEDIA PROTECTION

5.1.5.2 (L1) Ensure the admin consent workflow is enabled

CONFIGURATION MANAGEMENT

5.1.6.2 (L1) Ensure that guest user access is restricted

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

5.1.8.1 (L1) Ensure that password hash sync is enabled for hybrid deployments

ACCESS CONTROL

5.2.2.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles

IDENTIFICATION AND AUTHENTICATION

5.2.2.2 (L1) Ensure multifactor authentication is enabled for all users

IDENTIFICATION AND AUTHENTICATION

5.2.2.3 (L1) Enable Conditional Access policies to block legacy authentication

CONFIGURATION MANAGEMENT

5.2.2.4 (L1) Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users

ACCESS CONTROL

5.2.2.10 (L1) Ensure a managed device is required for authentication

IDENTIFICATION AND AUTHENTICATION

5.2.2.11 (L1) Ensure a managed device is required for MFA registration

IDENTIFICATION AND AUTHENTICATION

5.2.3.1 (L1) Ensure Microsoft Authenticator is configured to protect against MFA fatigue

IDENTIFICATION AND AUTHENTICATION

5.2.3.2 (L1) Ensure custom banned passwords lists are used

IDENTIFICATION AND AUTHENTICATION

5.2.3.3 (L1) Ensure password protection is enabled for on-prem Active Directory

IDENTIFICATION AND AUTHENTICATION

5.2.3.4 (L1) Ensure all member users are 'MFA capable'

IDENTIFICATION AND AUTHENTICATION

5.2.3.5 (L1) Ensure weak authentication methods are disabled

IDENTIFICATION AND AUTHENTICATION

5.2.4.1 (L1) Ensure 'Self service password reset enabled' is set to 'All'

IDENTIFICATION AND AUTHENTICATION

6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'

AUDIT AND ACCOUNTABILITY

6.1.2 (L1) Ensure mailbox auditing for E3 users is Enabled

AUDIT AND ACCOUNTABILITY

6.1.4 (L1) Ensure 'AuditBypassEnabled' is not enabled on mailboxes

AUDIT AND ACCOUNTABILITY

6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled

CONFIGURATION MANAGEMENT

6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains

CONFIGURATION MANAGEMENT

6.2.3 (L1) Ensure email from external senders is identified

CONFIGURATION MANAGEMENT

6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

6.5.2 (L1) Ensure MailTips are enabled for end users

CONFIGURATION MANAGEMENT

6.5.4 (L1) Ensure SMTP AUTH is disabled

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION