CIS Microsoft 365 Foundations v4.0.0 L1 E3

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.


Audit Details

Name: CIS Microsoft 365 Foundations v4.0.0 L1 E3

Updated: 7/8/2025

Authority: CIS

Plugin: microsoft_azure

Revision: 1.1

Estimated Item Count: 79

File Details

Filename: CIS_Microsoft_365_Foundations_v4.0.0_L1_E3.audit

Size: 202 kB

MD5: 1d0a27975324b1239a486ad90e634e23
SHA256: 808c69a3f9d6cf7c15913e0fd0b8f46f6f42ac80d3387185dce905b145da30ae

Audit Items

Description | Categories
1.1.1 (L1) Ensure Administrative accounts are cloud-only
1.1.2 (L1) Ensure two emergency access accounts have been defined
1.1.3 (L1) Ensure that between two and four global admins are designated
1.1.4 (L1) Ensure administrative accounts use licenses with a reduced application footprint
1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'
1.3.2 (L1) Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices
1.3.4 (L1) Ensure 'User owned apps and services' is restricted
1.3.5 (L1) Ensure internal phishing protection for Forms is enabled
2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled
2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled
2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators
2.1.8 (L1) Ensure that SPF records are published for all Exchange Domains
2.1.9 (L1) Ensure that DKIM is enabled for all Exchange Online Domains
2.1.10 (L1) Ensure DMARC Records for all Exchange Online domains are published
2.1.12 (L1) Ensure the connection filter IP allow list is not used
2.1.13 (L1) Ensure the connection filter safe list is off
2.1.14 (L1) Ensure inbound anti-spam policies do not contain allowed domains
3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
3.2.1 (L1) Ensure DLP policies are enabled
3.3.1 (L1) Ensure SharePoint Online Information Protection policies are set up and used
5.1.1.1 (L1) Ensure Security Defaults is disabled
5.1.2.1 (L1) Ensure 'Per-user MFA' is disabled
5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
5.1.2.4 (L1) Ensure access to the Entra admin center is restricted
5.1.3.1 (L1) Ensure a dynamic group for guest users is created
5.1.5.2 (L1) Ensure the admin consent workflow is enabled
5.1.6.2 (L1) Ensure that guest user access is restricted
5.1.8.1 (L1) Ensure that password hash sync is enabled for hybrid deployments
5.2.2.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles
5.2.2.2 (L1) Ensure multifactor authentication is enabled for all users
5.2.2.3 (L1) Enable Conditional Access policies to block legacy authentication
5.2.2.4 (L1) Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
5.2.2.10 (L1) Ensure a managed device is required for authentication
5.2.2.11 (L1) Ensure a managed device is required for MFA registration
5.2.3.1 (L1) Ensure Microsoft Authenticator is configured to protect against MFA fatigue
5.2.3.2 (L1) Ensure custom banned passwords lists are used
5.2.3.3 (L1) Ensure password protection is enabled for on-prem Active Directory
5.2.3.4 (L1) Ensure all member users are 'MFA capable'
5.2.3.5 (L1) Ensure weak authentication methods are disabled
5.2.4.1 (L1) Ensure 'Self service password reset enabled' is set to 'All'
6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
6.1.2 (L1) Ensure mailbox auditing for E3 users is Enabled
6.1.4 (L1) Ensure 'AuditBypassEnabled' is not enabled on mailboxes
6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains
6.2.3 (L1) Ensure email from external senders is identified
6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
6.5.2 (L1) Ensure MailTips are enabled for end users
6.5.4 (L1) Ensure SMTP AUTH is disabled
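The list above names the settings the audit file checks but not how to read them from a tenant. The script below is an added example, not part of the Tenable audit file or of the CIS benchmark: a read-only spot-check of the Exchange Online items (2.1.x and 6.x) using only cmdlets from the Exchange Online PowerShell module. The item numbers and titles are the benchmark's; the function names, verdict format and the specific pass conditions are this example's own reading of each item. It assumes Connect-ExchangeOnline has already been run with an account holding at least View-Only Organization Management. The Entra items (sections 1 and 5), the DNS-based SPF/DMARC items (2.1.8, 2.1.10) and the per-license mailbox audit item (6.1.2) need Microsoft Graph or DNS lookups and are not covered here.

```powershell
# Added example, not part of the Tenable audit file or of the CIS benchmark:
# a read-only spot-check of the Exchange Online items listed above (2.1.x
# and 6.x) for the Exchange Online PowerShell module. Item numbers and titles
# are the benchmark's; function names and output shape are this example's own.
# Assumes Connect-ExchangeOnline has already been run (View-Only Org Mgmt or higher).

function New-Check([string]$Id, [string]$Title, [bool]$Pass, [string]$Evidence) {
    [pscustomobject]@{
        Id       = $Id
        Title    = $Title
        Result   = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Evidence = $Evidence
    }
}

function Invoke-CisExoSpotCheck {
    $org = Get-OrganizationConfig
    $tc  = Get-TransportConfig
    $cf  = Get-HostedConnectionFilterPolicy -Identity Default

    # 2.1.2 / 2.1.3: every anti-malware policy must filter common attachment
    # types and notify admins when an internal sender is caught sending malware.
    $noFileFilter = @(Get-MalwareFilterPolicy | Where-Object { -not $_.EnableFileFilter })
    New-Check '2.1.2' 'Common Attachment Types Filter enabled' ($noFileFilter.Count -eq 0) ($noFileFilter.Name -join ', ')
    $noNotify = @(Get-MalwareFilterPolicy | Where-Object { -not $_.EnableInternalSenderAdminNotifications })
    New-Check '2.1.3' 'Internal malware sender notifications enabled' ($noNotify.Count -eq 0) ($noNotify.Name -join ', ')

    # 2.1.9: DKIM signing must be enabled for every domain that has a signing config.
    $dkimOff = @(Get-DkimSigningConfig | Where-Object { -not $_.Enabled })
    New-Check '2.1.9' 'DKIM enabled for all domains' ($dkimOff.Count -eq 0) ($dkimOff.Domain -join ', ')

    # 2.1.12 / 2.1.13: the connection filter must not bypass filtering via an
    # IP allow list or via the Microsoft safe list.
    New-Check '2.1.12' 'Connection filter IP allow list not used' (@($cf.IPAllowList).Count -eq 0) ($cf.IPAllowList -join ', ')
    New-Check '2.1.13' 'Connection filter safe list off' (-not $cf.EnableSafeList) "EnableSafeList=$($cf.EnableSafeList)"

    # 2.1.14: inbound anti-spam policies must not carry allowed sender domains.
    $allowDom = @(Get-HostedContentFilterPolicy | Where-Object { @($_.AllowedSenderDomains).Count -gt 0 })
    New-Check '2.1.14' 'No allowed domains in anti-spam policies' ($allowDom.Count -eq 0) ($allowDom.Name -join ', ')

    # 6.1.1 / 6.1.4: organization-wide auditing on, and no mailbox bypassing it.
    New-Check '6.1.1' 'AuditDisabled is False' (-not $org.AuditDisabled) "AuditDisabled=$($org.AuditDisabled)"
    $bypass = @(Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where-Object { $_.AuditBypassEnabled })
    New-Check '6.1.4' 'No mailbox has AuditBypassEnabled' ($bypass.Count -eq 0) ($bypass.Name -join ', ')

    # 6.2.1: auto-forwarding off in the outbound spam policy, and no mailbox
    # or transport rule forwarding mail elsewhere.
    $fwdPolicy = @(Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.AutoForwardingMode -ne 'Off' })
    $fwdMbx = @(Get-EXOMailbox -ResultSize Unlimited -PropertySets Minimum, Delivery |
        Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress })
    $fwdRule = @(Get-TransportRule | Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.AddToRecipients })
    New-Check '6.2.1' 'Mail forwarding blocked' (($fwdPolicy.Count + $fwdMbx.Count + $fwdRule.Count) -eq 0) `
        "policies=$($fwdPolicy.Count) mailboxes=$($fwdMbx.Count) rules=$($fwdRule.Count)"

    # 6.2.2: a transport rule that sets SCL -1 for a sender domain whitelists it.
    $whitelist = @(Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $_.SenderDomainIs })
    New-Check '6.2.2' 'No transport rule whitelists sender domains' ($whitelist.Count -eq 0) ($whitelist.Name -join ', ')

    # 6.2.3: external sender tagging in Outlook must be enabled.
    $extOff = @(Get-ExternalInOutlook | Where-Object { -not $_.Enabled })
    New-Check '6.2.3' 'External senders identified' ($extOff.Count -eq 0) ($extOff.Identity -join ', ')

    # 6.5.1 / 6.5.2: OAuth2 (modern auth) on; all MailTips on with a small large-audience threshold.
    New-Check '6.5.1' 'Modern authentication enabled' ($org.OAuth2ClientProfileEnabled) "OAuth2ClientProfileEnabled=$($org.OAuth2ClientProfileEnabled)"
    $tipsOk = $org.MailTipsAllTipsEnabled -and $org.MailTipsExternalRecipientsTipsEnabled -and
              $org.MailTipsGroupMetricsEnabled -and $org.MailTipsLargeAudienceThreshold -le 25
    New-Check '6.5.2' 'MailTips enabled' $tipsOk "LargeAudienceThreshold=$($org.MailTipsLargeAudienceThreshold)"

    # 6.5.4: SMTP AUTH off tenant-wide, and no mailbox re-enabling it. On a
    # mailbox, $false is an explicit override; $null inherits the org setting.
    $smtpMbx = @(Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false })
    New-Check '6.5.4' 'SMTP AUTH disabled' ($tc.SmtpClientAuthenticationDisabled -and $smtpMbx.Count -eq 0) `
        "org=$($tc.SmtpClientAuthenticationDisabled) mailboxOverrides=$($smtpMbx.Count)"
}

Invoke-CisExoSpotCheck | Format-Table -AutoSize
```

Each row carries the evidence the verdict was based on (offending policy, rule or mailbox names, or the raw setting value), so a FAIL can be traced to the object that needs changing. The per-mailbox cmdlets run with -ResultSize Unlimited and are the slow part in a large tenant; everything else is a handful of organization-level reads.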