Detections
Analytics

CIS Microsoft 365 Foundations v5.0.0 L1 E3

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS Microsoft 365 Foundations v5.0.0 L1 E3

Updated: 2/25/2026

Authority: CIS

Plugin: microsoft_azure

Revision: 1.3

Estimated Item Count: 80

File Details

Filename: CIS_Microsoft_365_Foundations_v5.0.0_L1_E3.audit

Size: 214 kB

MD5: fb0c21999662db6f550e3426fa62aae5
SHA256: e9e211764f9c500f5fcccdc99b92eb10fdeea73d7d7ff932a5678cbb14d66171

Audit Items

DescriptionCategories
1.1.1 (L1) Ensure Administrative accounts are cloud-only
1.1.2 (L1) Ensure two emergency access accounts have been defined
1.1.3 (L1) Ensure that between two and four global admins are designated
1.1.4 (L1) Ensure administrative accounts use licenses with a reduced application footprint
1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'
1.3.4 (L1) Ensure 'User owned apps and services' is restricted
1.3.5 (L1) Ensure internal phishing protection for Forms is enabled
2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled
2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled
2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators
2.1.8 (L1) Ensure that SPF records are published for all Exchange Domains
2.1.9 (L1) Ensure that DKIM is enabled for all Exchange Online Domains
2.1.10 (L1) Ensure DMARC Records for all Exchange Online domains are published
2.1.12 (L1) Ensure the connection filter IP allow list is not used
2.1.13 (L1) Ensure the connection filter safe list is off
2.1.14 (L1) Ensure inbound anti-spam policies do not contain allowed domains
3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
3.2.1 (L1) Ensure DLP policies are enabled
3.3.1 (L1) Ensure Information Protection sensitivity label policies are published
5.1.2.1 (L1) Ensure 'Per-user MFA' is disabled
5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
5.1.2.4 (L1) Ensure access to the Entra admin center is restricted
5.1.3.1 (L1) Ensure a dynamic group for guest users is created
5.1.5.2 (L1) Ensure the admin consent workflow is enabled
5.1.6.2 (L1) Ensure that guest user access is restricted
5.1.8.1 (L1) Ensure that password hash sync is enabled for hybrid deployments
5.2.2.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles
5.2.2.2 (L1) Ensure multifactor authentication is enabled for all users
5.2.2.3 (L1) Enable Conditional Access policies to block legacy authentication
5.2.2.4 (L1) Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
5.2.2.9 (L1) Ensure a managed device is required for authentication
5.2.2.10 (L1) Ensure a managed device is required to register security information
5.2.2.11 (L1) Ensure sign-in frequency for Intune Enrollment is set to 'Every time'
5.2.2.12 (L1) Ensure the device code sign-in flow is blocked
5.2.3.1 (L1) Ensure Microsoft Authenticator is configured to protect against MFA fatigue
5.2.3.2 (L1) Ensure custom banned passwords lists are used
5.2.3.3 (L1) Ensure password protection is enabled for on-prem Active Directory
5.2.3.4 (L1) Ensure all member users are 'MFA capable'
5.2.3.5 (L1) Ensure weak authentication methods are disabled
5.2.3.6 (L1) Ensure system-preferred multifactor authentication is enabled
5.2.4.1 (L1) Ensure 'Self service password reset enabled' is set to 'All'
6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
6.1.2 (L1) Ensure mailbox audit actions are configured
6.1.3 (L1) Ensure 'AuditBypassEnabled' is not enabled on mailboxes
6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains
6.2.3 (L1) Ensure email from external senders is identified
6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
6.5.2 (L1) Ensure MailTips are enabled for end users