CIS Microsoft 365 Foundations v5.0.0 L1 E5

Audit Details

Name: CIS Microsoft 365 Foundations v5.0.0 L1 E5

Updated: 7/8/2025

Authority: CIS

Plugin: microsoft_azure

Revision: 1.0

Estimated Item Count: 91

File Details

Filename: CIS_Microsoft_365_Foundations_v5.0.0_L1_E5.audit

Size: 309 kB

MD5: 4cc6198ed6bd189526e7ef3c0fc7ea63
SHA256: 73dd8092d86bd805fbc1385b07f1fad80e2da0fc33195b0611af97e6a4f8bf94

Audit Items

DescriptionCategories
1.1.1 (L1) Ensure Administrative accounts are cloud-only

ACCESS CONTROL

1.1.2 (L1) Ensure two emergency access accounts have been defined

ACCESS CONTROL

1.1.3 (L1) Ensure that between two and four global admins are designated

ACCESS CONTROL

1.1.4 (L1) Ensure administrative accounts use licenses with a reduced application footprint

ACCESS CONTROL

1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked

CONFIGURATION MANAGEMENT

1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'

IDENTIFICATION AND AUTHENTICATION

1.3.4 (L1) Ensure 'User owned apps and services' is restricted

CONFIGURATION MANAGEMENT

1.3.5 (L1) Ensure internal phishing protection for Forms is enabled

AWARENESS AND TRAINING, SYSTEM AND INFORMATION INTEGRITY

2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled

SYSTEM AND INFORMATION INTEGRITY

2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled

INCIDENT RESPONSE

2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators

INCIDENT RESPONSE

2.1.8 (L1) Ensure that SPF records are published for all Exchange Domains

SYSTEM AND COMMUNICATIONS PROTECTION

2.1.9 (L1) Ensure that DKIM is enabled for all Exchange Online Domains

SYSTEM AND COMMUNICATIONS PROTECTION

2.1.10 (L1) Ensure DMARC Records for all Exchange Online domains are published

SYSTEM AND COMMUNICATIONS PROTECTION

2.1.12 (L1) Ensure the connection filter IP allow list is not used

SYSTEM AND INFORMATION INTEGRITY

2.1.13 (L1) Ensure the connection filter safe list is off

SYSTEM AND INFORMATION INTEGRITY

2.1.14 (L1) Ensure inbound anti-spam policies do not contain allowed domains

SYSTEM AND INFORMATION INTEGRITY

2.2.1 (L1) Ensure emergency access account activity is monitored

AUDIT AND ACCOUNTABILITY

2.4.1 (L1) Ensure Priority account protection is enabled and configured

SYSTEM AND INFORMATION INTEGRITY

2.4.2 (L1) Ensure Priority accounts have 'Strict protection' presets applied

SYSTEM AND INFORMATION INTEGRITY

2.4.4 (L1) Ensure Zero-hour auto purge for Microsoft Teams is on

SYSTEM AND INFORMATION INTEGRITY

3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled

AUDIT AND ACCOUNTABILITY

3.2.1 (L1) Ensure DLP policies are enabled

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.2.2 (L1) Ensure DLP policies are enabled for Microsoft Teams

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.3.1 (L1) Ensure Information Protection sensitivity label policies are published

RISK ASSESSMENT

5.1.2.1 (L1) Ensure 'Per-user MFA' is disabled

IDENTIFICATION AND AUTHENTICATION

5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'

ACCESS CONTROL

5.1.2.4 (L1) Ensure access to the Entra admin center is restricted

ACCESS CONTROL

5.1.3.1 (L1) Ensure a dynamic group for guest users is created

ACCESS CONTROL, MEDIA PROTECTION

5.1.5.2 (L1) Ensure the admin consent workflow is enabled

CONFIGURATION MANAGEMENT

5.1.6.2 (L1) Ensure that guest user access is restricted

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

5.1.8.1 (L1) Ensure that password hash sync is enabled for hybrid deployments

ACCESS CONTROL

5.2.2.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles

IDENTIFICATION AND AUTHENTICATION

5.2.2.2 (L1) Ensure multifactor authentication is enabled for all users

IDENTIFICATION AND AUTHENTICATION

5.2.2.3 (L1) Enable Conditional Access policies to block legacy authentication

CONFIGURATION MANAGEMENT

5.2.2.4 (L1) Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users

ACCESS CONTROL

5.2.2.6 (L1) Enable Identity Protection user risk policies

SYSTEM AND INFORMATION INTEGRITY

5.2.2.7 (L1) Enable Identity Protection sign-in risk policies

SYSTEM AND INFORMATION INTEGRITY

5.2.2.9 (L1) Ensure a managed device is required for authentication

IDENTIFICATION AND AUTHENTICATION

5.2.2.10 (L1) Ensure a managed device is required to register security information

IDENTIFICATION AND AUTHENTICATION

5.2.2.11 (L1) Ensure sign-in frequency for Intune Enrollment is set to 'Every time'

IDENTIFICATION AND AUTHENTICATION

5.2.2.12 (L1) Ensure the device code sign-in flow is blocked

CONFIGURATION MANAGEMENT

5.2.3.1 (L1) Ensure Microsoft Authenticator is configured to protect against MFA fatigue

IDENTIFICATION AND AUTHENTICATION

5.2.3.2 (L1) Ensure custom banned passwords lists are used

IDENTIFICATION AND AUTHENTICATION

5.2.3.3 (L1) Ensure password protection is enabled for on-prem Active Directory

IDENTIFICATION AND AUTHENTICATION

5.2.3.4 (L1) Ensure all member users are 'MFA capable'

IDENTIFICATION AND AUTHENTICATION

5.2.3.5 (L1) Ensure weak authentication methods are disabled

IDENTIFICATION AND AUTHENTICATION

5.2.3.6 (L1) Ensure system-preferred multifactor authentication is enabled

IDENTIFICATION AND AUTHENTICATION

5.2.4.1 (L1) Ensure 'Self service password reset enabled' is set to 'All'

IDENTIFICATION AND AUTHENTICATION

5.3.2 (L1) Ensure 'Access reviews' for Guest Users are configured

ACCESS CONTROL