Detections
Analytics

CIS Microsoft 365 Foundations v5.0.0 L1 E5

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS Microsoft 365 Foundations v5.0.0 L1 E5

Updated: 2/25/2026

Authority: CIS

Plugin: microsoft_azure

Revision: 1.3

Estimated Item Count: 91

Audit Items

DescriptionCategories
1.1.1 (L1) Ensure Administrative accounts are cloud-only
1.1.2 (L1) Ensure two emergency access accounts have been defined
1.1.3 (L1) Ensure that between two and four global admins are designated
1.1.4 (L1) Ensure administrative accounts use licenses with a reduced application footprint
1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'
1.3.4 (L1) Ensure 'User owned apps and services' is restricted
1.3.5 (L1) Ensure internal phishing protection for Forms is enabled
2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled
2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled
2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators
2.1.8 (L1) Ensure that SPF records are published for all Exchange Domains
2.1.9 (L1) Ensure that DKIM is enabled for all Exchange Online Domains
2.1.10 (L1) Ensure DMARC Records for all Exchange Online domains are published
2.1.12 (L1) Ensure the connection filter IP allow list is not used
2.1.13 (L1) Ensure the connection filter safe list is off
2.1.14 (L1) Ensure inbound anti-spam policies do not contain allowed domains
2.2.1 (L1) Ensure emergency access account activity is monitored
2.4.1 (L1) Ensure Priority account protection is enabled and configured
2.4.2 (L1) Ensure Priority accounts have 'Strict protection' presets applied
2.4.4 (L1) Ensure Zero-hour auto purge for Microsoft Teams is on
3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
3.2.1 (L1) Ensure DLP policies are enabled
3.2.2 (L1) Ensure DLP policies are enabled for Microsoft Teams
3.3.1 (L1) Ensure Information Protection sensitivity label policies are published
5.1.2.1 (L1) Ensure 'Per-user MFA' is disabled
5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
5.1.2.4 (L1) Ensure access to the Entra admin center is restricted
5.1.3.1 (L1) Ensure a dynamic group for guest users is created
5.1.5.2 (L1) Ensure the admin consent workflow is enabled
5.1.6.2 (L1) Ensure that guest user access is restricted
5.1.8.1 (L1) Ensure that password hash sync is enabled for hybrid deployments
5.2.2.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles
5.2.2.2 (L1) Ensure multifactor authentication is enabled for all users
5.2.2.3 (L1) Enable Conditional Access policies to block legacy authentication
5.2.2.4 (L1) Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
5.2.2.6 (L1) Enable Identity Protection user risk policies
5.2.2.7 (L1) Enable Identity Protection sign-in risk policies
5.2.2.9 (L1) Ensure a managed device is required for authentication
5.2.2.10 (L1) Ensure a managed device is required to register security information
5.2.2.11 (L1) Ensure sign-in frequency for Intune Enrollment is set to 'Every time'
5.2.2.12 (L1) Ensure the device code sign-in flow is blocked
5.2.3.1 (L1) Ensure Microsoft Authenticator is configured to protect against MFA fatigue
5.2.3.2 (L1) Ensure custom banned passwords lists are used
5.2.3.3 (L1) Ensure password protection is enabled for on-prem Active Directory
5.2.3.4 (L1) Ensure all member users are 'MFA capable'
5.2.3.5 (L1) Ensure weak authentication methods are disabled
5.2.3.6 (L1) Ensure system-preferred multifactor authentication is enabled
5.2.4.1 (L1) Ensure 'Self service password reset enabled' is set to 'All'
5.3.2 (L1) Ensure 'Access reviews' for Guest Users are configured