Detections
Analytics

CIS Microsoft 365 Foundations v4.0.0 L1 E5

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS Microsoft 365 Foundations v4.0.0 L1 E5

Updated: 7/8/2025

Authority: CIS

Plugin: microsoft_azure

Revision: 1.1

Estimated Item Count: 89

File Details

Filename: CIS_Microsoft_365_Foundations_v4.0.0_L1_E5.audit

Size: 228 kB

MD5: 7c523841ad6587ee2c9874187fe8d2af
SHA256: f33d4a1eb8430d2cdbb9274563bdcc5f0335824cbf53bb8feb0cef92ef7f272e

Audit Items

DescriptionCategories
1.1.1 (L1) Ensure Administrative accounts are cloud-only
1.1.2 (L1) Ensure two emergency access accounts have been defined
1.1.3 (L1) Ensure that between two and four global admins are designated
1.1.4 (L1) Ensure administrative accounts use licenses with a reduced application footprint
1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'
1.3.2 (L1) Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices
1.3.4 (L1) Ensure 'User owned apps and services' is restricted
1.3.5 (L1) Ensure internal phishing protection for Forms is enabled
2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled
2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled
2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators
2.1.8 (L1) Ensure that SPF records are published for all Exchange Domains
2.1.9 (L1) Ensure that DKIM is enabled for all Exchange Online Domains
2.1.10 (L1) Ensure DMARC Records for all Exchange Online domains are published
2.1.12 (L1) Ensure the connection filter IP allow list is not used
2.1.13 (L1) Ensure the connection filter safe list is off
2.1.14 (L1) Ensure inbound anti-spam policies do not contain allowed domains
2.4.1 (L1) Ensure Priority account protection is enabled and configured
2.4.2 (L1) Ensure Priority accounts have 'Strict protection' presets applied
2.4.4 (L1) Ensure Zero-hour auto purge for Microsoft Teams is on
3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
3.2.1 (L1) Ensure DLP policies are enabled
3.2.2 (L1) Ensure DLP policies are enabled for Microsoft Teams
3.3.1 (L1) Ensure SharePoint Online Information Protection policies are set up and used
5.1.1.1 (L1) Ensure Security Defaults is disabled
5.1.2.1 (L1) Ensure 'Per-user MFA' is disabled
5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
5.1.2.4 (L1) Ensure access to the Entra admin center is restricted
5.1.3.1 (L1) Ensure a dynamic group for guest users is created
5.1.5.2 (L1) Ensure the admin consent workflow is enabled
5.1.6.2 (L1) Ensure that guest user access is restricted
5.1.8.1 (L1) Ensure that password hash sync is enabled for hybrid deployments
5.2.2.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles
5.2.2.2 (L1) Ensure multifactor authentication is enabled for all users
5.2.2.3 (L1) Enable Conditional Access policies to block legacy authentication
5.2.2.4 (L1) Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
5.2.2.6 (L1) Enable Identity Protection user risk policies
5.2.2.7 (L1) Enable Identity Protection sign-in risk policies
5.2.2.10 (L1) Ensure a managed device is required for authentication
5.2.2.11 (L1) Ensure a managed device is required for MFA registration
5.2.3.1 (L1) Ensure Microsoft Authenticator is configured to protect against MFA fatigue
5.2.3.2 (L1) Ensure custom banned passwords lists are used
5.2.3.3 (L1) Ensure password protection is enabled for on-prem Active Directory
5.2.3.4 (L1) Ensure all member users are 'MFA capable'
5.2.3.5 (L1) Ensure weak authentication methods are disabled
5.2.4.1 (L1) Ensure 'Self service password reset enabled' is set to 'All'
5.3.2 (L1) Ensure 'Access reviews' for Guest Users are configured
5.3.3 (L1) Ensure 'Access reviews' for privileged roles are configured
5.3.4 (L1) Ensure approval is required for Global Administrator role activation