| 1.2.1 (L2) Ensure that only organizationally managed/approved public groups exist | ACCESS CONTROL, MEDIA PROTECTION |
| 1.3.2 (L2) Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices | ACCESS CONTROL |
| 1.3.3 (L2) Ensure 'External sharing' of calendars is not available | CONFIGURATION MANAGEMENT |
| 1.3.7 (L2) Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web' | ACCESS CONTROL, MEDIA PROTECTION |
| 1.3.8 (L2) Ensure that Sways cannot be shared with people outside of your organization | CONFIGURATION MANAGEMENT |
| 2.1.11 (L2) Ensure comprehensive attachment filtering is applied | SYSTEM AND INFORMATION INTEGRITY |
| 4.1 (L2) Ensure devices without a compliance policy are marked 'not compliant' | CONFIGURATION MANAGEMENT |
| 4.2 (L2) Ensure device enrollment for personally owned devices is blocked by default | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1.2.2 (L2) Ensure third party integrated applications are not allowed | CONFIGURATION MANAGEMENT |
| 5.1.2.5 (L2) Ensure the option to remain signed in is hidden | ACCESS CONTROL |
| 5.1.2.6 (L2) Ensure 'LinkedIn account connections' is disabled | CONFIGURATION MANAGEMENT |
| 5.1.5.1 (L2) Ensure user consent to apps accessing company data on their behalf is not allowed | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.6.1 (L2) Ensure that collaboration invitations are sent to allowed domains only | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 5.1.6.3 (L2) Ensure guest user invitations are limited to the Guest Inviter role | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 5.2.2.5 (L2) Ensure 'Phishing-resistant MFA strength' is required for Administrators | IDENTIFICATION AND AUTHENTICATION |
| 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web | ACCESS CONTROL, MEDIA PROTECTION |
| 7.2.4 (L2) Ensure OneDrive content sharing is restricted | ACCESS CONTROL, MEDIA PROTECTION |
| 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own | ACCESS CONTROL, MEDIA PROTECTION |
| 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists | ACCESS CONTROL, MEDIA PROTECTION |
| 7.2.8 (L2) Ensure external sharing is restricted by security group | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 7.3.2 (L2) Ensure OneDrive sync is restricted for unmanaged devices | CONFIGURATION MANAGEMENT |
| 8.1.1 (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services | ACCESS CONTROL, MEDIA PROTECTION |
| 8.2.1 (L2) Ensure external domains are restricted in the Teams admin center | CONFIGURATION MANAGEMENT |
| 8.5.1 (L2) Ensure anonymous users can't join a meeting | ACCESS CONTROL |
| 8.5.5 (L2) Ensure meeting chat does not allow anonymous users | ACCESS CONTROL |
| 8.5.6 (L2) Ensure only organizers and co-organizers can present | ACCESS CONTROL |
| 8.5.8 (L2) Ensure external meeting chat is off | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 8.5.9 (L2) Ensure meeting recording is off by default | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 9.1.5 (L2) Ensure 'Interact with and share R and Python' visuals is 'Disabled' | CONFIGURATION MANAGEMENT |
