Oct 22, 2025

Functional Update
- 5.1.3.1 (L1) Ensure a dynamic group for guest users is created

Informational Update
- 1.1.2 (L1) Ensure two emergency access accounts have been defined
- 1.1.3 (L1) Ensure that between two and four global admins are designated
- 1.1.4 (L1) Ensure administrative accounts use licenses with a reduced application footprint
- 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
- 1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'
- 1.3.4 (L1) Ensure 'User owned apps and services' is restricted
- 1.3.5 (L1) Ensure internal phishing protection for Forms is enabled
- 2.1.10 (L1) Ensure DMARC Records for all Exchange Online domains are published
- 2.1.12 (L1) Ensure the connection filter IP allow list is not used
- 2.1.13 (L1) Ensure the connection filter safe list is off
- 2.1.14 (L1) Ensure inbound anti-spam policies do not contain allowed domains
- 2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled
- 2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled
- 2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators
- 2.1.8 (L1) Ensure that SPF records are published for all Exchange Domains
- 2.1.9 (L1) Ensure that DKIM is enabled for all Exchange Online Domains
- 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
- 3.2.1 (L1) Ensure DLP policies are enabled
- 3.3.1 (L1) Ensure Information Protection sensitivity label policies are published
- 5.1.2.1 (L1) Ensure 'Per-user MFA' is disabled
- 5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
- 5.1.2.4 (L1) Ensure access to the Entra admin center is restricted
- 5.1.3.1 (L1) Ensure a dynamic group for guest users is created
- 5.1.5.2 (L1) Ensure the admin consent workflow is enabled
- 5.1.6.2 (L1) Ensure that guest user access is restricted
- 5.2.2.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles
- 5.2.2.10 (L1) Ensure a managed device is required to register security information
- 5.2.2.11 (L1) Ensure sign-in frequency for Intune Enrollment is set to 'Every time'
- 5.2.2.12 (L1) Ensure the device code sign-in flow is blocked
- 5.2.2.2 (L1) Ensure multifactor authentication is enabled for all users
- 5.2.2.3 (L1) Enable Conditional Access policies to block legacy authentication
- 5.2.2.4 (L1) Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
- 5.2.2.9 (L1) Ensure a managed device is required for authentication
- 5.2.3.1 (L1) Ensure Microsoft Authenticator is configured to protect against MFA fatigue
- 5.2.3.2 (L1) Ensure custom banned passwords lists are used
- 5.2.3.3 (L1) Ensure password protection is enabled for on-prem Active Directory
- 5.2.3.5 (L1) Ensure weak authentication methods are disabled
- 5.2.3.6 (L1) Ensure system-preferred multifactor authentication is enabled
- 5.2.4.1 (L1) Ensure 'Self service password reset enabled' is set to 'All'
- 6.1.2 (L1) Ensure mailbox audit actions are configured
- 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
- 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains
- 6.2.3 (L1) Ensure email from external senders is identified
- 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
- 6.5.4 (L1) Ensure SMTP AUTH is disabled
- 7.2.1 (L1) Ensure modern authentication for SharePoint applications is required
- 7.2.10 (L1) Ensure reauthentication with verification code is restricted
- 7.2.11 (L1) Ensure the SharePoint default sharing link permission is set
- 7.2.3 (L1) Ensure external content sharing is restricted
- 7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive
- 7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically
- 7.3.3 (L1) Ensure custom script execution is restricted on personal sites
- 7.3.4 (L1) Ensure custom script execution is restricted on site collections
- 8.1.2 (L1) Ensure users can't send emails to a channel email address
- 8.2.2 (L1) Ensure communication with unmanaged Teams users is disabled
- 8.2.3 (L1) Ensure external Teams users cannot initiate conversations
- 8.2.4 (L1) Ensure communication with Skype users is disabled
- 8.4.1 (L1) Ensure app permission policies are configured
- 8.5.2 (L1) Ensure anonymous users and dial-in callers can't start a meeting
- 8.5.3 (L1) Ensure only people in my org can bypass the lobby
- 8.5.4 (L1) Ensure users dialing in can't bypass the lobby
- 8.5.7 (L1) Ensure external participants can't give or request control
- 8.6.1 (L1) Ensure users can report security concerns in Teams
- 9.1.1 (L1) Ensure guest user access is restricted
- 9.1.10 (L1) Ensure access to APIs by Service Principals is restricted
- 9.1.11 (L1) Ensure Service Principals cannot create and use profiles
- 9.1.2 (L1) Ensure external user invitations are restricted
- 9.1.3 (L1) Ensure guest access to content is restricted
- 9.1.4 (L1) Ensure 'Publish to web' is restricted
- 9.1.6 (L1) Ensure 'Allow users to apply sensitivity labels for content' is 'Enabled'
- 9.1.7 (L1) Ensure shareable links are restricted
- 9.1.8 (L1) Ensure enabling of external data sharing is restricted
- 9.1.9 (L1) Ensure 'Block ResourceKey Authentication' is 'Enabled'