| 1.1.1 (L1) Ensure Administrative accounts are cloud-only | ACCESS CONTROL |
| 1.1.2 (L1) Ensure two emergency access accounts have been defined | ACCESS CONTROL |
| 1.1.3 (L1) Ensure that between two and four global admins are designated | ACCESS CONTROL |
| 1.1.4 (L1) Ensure administrative accounts use licenses with a reduced application footprint | ACCESS CONTROL |
| 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked | CONFIGURATION MANAGEMENT |
| 1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)' | IDENTIFICATION AND AUTHENTICATION |
| 1.3.2 (L1) Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices | ACCESS CONTROL |
| 1.3.4 (L1) Ensure 'User owned apps and services' is restricted | CONFIGURATION MANAGEMENT |
| 1.3.5 (L1) Ensure internal phishing protection for Forms is enabled | AWARENESS AND TRAINING, SYSTEM AND INFORMATION INTEGRITY |
| 2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled | SYSTEM AND INFORMATION INTEGRITY |
| 2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled | INCIDENT RESPONSE |
| 2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators | INCIDENT RESPONSE |
| 2.1.8 (L1) Ensure that SPF records are published for all Exchange Domains | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.9 (L1) Ensure that DKIM is enabled for all Exchange Online Domains | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.10 (L1) Ensure DMARC Records for all Exchange Online domains are published | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.12 (L1) Ensure the connection filter IP allow list is not used | SYSTEM AND INFORMATION INTEGRITY |
| 2.1.13 (L1) Ensure the connection filter safe list is off | SYSTEM AND INFORMATION INTEGRITY |
| 2.1.14 (L1) Ensure inbound anti-spam policies do not contain allowed domains | SYSTEM AND INFORMATION INTEGRITY |
| 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled | AUDIT AND ACCOUNTABILITY |
| 3.2.1 (L1) Ensure DLP policies are enabled | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 3.3.1 (L1) Ensure SharePoint Online Information Protection policies are set up and used | RISK ASSESSMENT |
| 5.1.1.1 (L1) Ensure Security Defaults is disabled | CONFIGURATION MANAGEMENT |
| 5.1.2.1 (L1) Ensure 'Per-user MFA' is disabled | IDENTIFICATION AND AUTHENTICATION |
| 5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' | ACCESS CONTROL |
| 5.1.2.4 (L1) Ensure access to the Entra admin center is restricted | ACCESS CONTROL |
| 5.1.3.1 (L1) Ensure a dynamic group for guest users is created | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.5.2 (L1) Ensure the admin consent workflow is enabled | CONFIGURATION MANAGEMENT |
| 5.1.6.2 (L1) Ensure that guest user access is restricted | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 5.1.8.1 (L1) Ensure that password hash sync is enabled for hybrid deployments | ACCESS CONTROL |
| 5.2.2.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles | IDENTIFICATION AND AUTHENTICATION |
| 5.2.2.2 (L1) Ensure multifactor authentication is enabled for all users | IDENTIFICATION AND AUTHENTICATION |
| 5.2.2.3 (L1) Enable Conditional Access policies to block legacy authentication | CONFIGURATION MANAGEMENT |
| 5.2.2.4 (L1) Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users | ACCESS CONTROL |
| 5.2.2.10 (L1) Ensure a managed device is required for authentication | IDENTIFICATION AND AUTHENTICATION |
| 5.2.2.11 (L1) Ensure a managed device is required for MFA registration | IDENTIFICATION AND AUTHENTICATION |
| 5.2.3.1 (L1) Ensure Microsoft Authenticator is configured to protect against MFA fatigue | IDENTIFICATION AND AUTHENTICATION |
| 5.2.3.2 (L1) Ensure custom banned passwords lists are used | IDENTIFICATION AND AUTHENTICATION |
| 5.2.3.3 (L1) Ensure password protection is enabled for on-prem Active Directory | IDENTIFICATION AND AUTHENTICATION |
| 5.2.3.4 (L1) Ensure all member users are 'MFA capable' | IDENTIFICATION AND AUTHENTICATION |
| 5.2.3.5 (L1) Ensure weak authentication methods are disabled | IDENTIFICATION AND AUTHENTICATION |
| 5.2.4.1 (L1) Ensure 'Self service password reset enabled' is set to 'All' | IDENTIFICATION AND AUTHENTICATION |
| 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False' | AUDIT AND ACCOUNTABILITY |
| 6.1.2 (L1) Ensure mailbox auditing for E3 users is Enabled | AUDIT AND ACCOUNTABILITY |
| 6.1.4 (L1) Ensure 'AuditBypassEnabled' is not enabled on mailboxes | AUDIT AND ACCOUNTABILITY |
| 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled | CONFIGURATION MANAGEMENT |
| 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains | CONFIGURATION MANAGEMENT |
| 6.2.3 (L1) Ensure email from external senders is identified | CONFIGURATION MANAGEMENT |
| 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.5.2 (L1) Ensure MailTips are enabled for end users | CONFIGURATION MANAGEMENT |
| 6.5.4 (L1) Ensure SMTP AUTH is disabled | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
