| 1.1.1 (L1) Ensure Administrative accounts are cloud-only | ACCESS CONTROL |
| 1.1.2 (L1) Ensure two emergency access accounts have been defined | ACCESS CONTROL |
| 1.1.3 (L1) Ensure that between two and four global admins are designated | ACCESS CONTROL |
| 1.1.4 (L1) Ensure administrative accounts use licenses with a reduced application footprint | ACCESS CONTROL |
| 1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked | CONFIGURATION MANAGEMENT |
| 1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)' | IDENTIFICATION AND AUTHENTICATION |
| 1.3.4 (L1) Ensure 'User owned apps and services' is restricted | CONFIGURATION MANAGEMENT |
| 1.3.5 (L1) Ensure internal phishing protection for Forms is enabled | AWARENESS AND TRAINING, SYSTEM AND INFORMATION INTEGRITY |
| 1.3.9 (L1) Ensure shared bookings paged are restricted to select users | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled | SYSTEM AND INFORMATION INTEGRITY |
| 2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled | INCIDENT RESPONSE |
| 2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators | INCIDENT RESPONSE |
| 2.1.8 (L1) Ensure that SPF records are published for all Exchange Domains | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.9 (L1) Ensure that DKIM is enabled for all Exchange Online Domains | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.10 (L1) Ensure DMARC Records for all Exchange Online domains are published | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.12 (L1) Ensure the connection filter IP allow list is not used | SYSTEM AND INFORMATION INTEGRITY |
| 2.1.13 (L1) Ensure the connection filter safe list is off | SYSTEM AND INFORMATION INTEGRITY |
| 2.1.14 (L1) Ensure inbound anti-spam policies do not contain allowed domains | SYSTEM AND INFORMATION INTEGRITY |
| 2.1.15 (L1) Ensure outbound anti-spam message limits are in place | SYSTEM AND INFORMATION INTEGRITY |
| 2.2.1 (L1) Ensure emergency access account activity is monitored | AUDIT AND ACCOUNTABILITY |
| 2.4.1 (L1) Ensure Priority account protection is enabled and configured | SYSTEM AND INFORMATION INTEGRITY |
| 2.4.2 (L1) Ensure Priority accounts have 'Strict protection' presets applied | SYSTEM AND INFORMATION INTEGRITY |
| 2.4.4 (L1) Ensure Zero-hour auto purge for Microsoft Teams is on | SYSTEM AND INFORMATION INTEGRITY |
| 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled | AUDIT AND ACCOUNTABILITY |
| 3.2.1 (L1) Ensure DLP policies are enabled | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 3.2.2 (L1) Ensure DLP policies are enabled for Microsoft Teams | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 3.3.1 (L1) Ensure Information Protection sensitivity label policies are published | RISK ASSESSMENT |
| 5.1.2.1 (L1) Ensure 'Per-user MFA' is disabled | IDENTIFICATION AND AUTHENTICATION |
| 5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' | ACCESS CONTROL |
| 5.1.2.4 (L1) Ensure access to the Entra admin center is restricted | ACCESS CONTROL |
| 5.1.3.1 (L1) Ensure a dynamic group for guest users is created | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.3.2 (L1) Ensure users cannot create security groups | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.4.2 (L1) Ensure the maximum number of devices per user is limited | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.1.4.3 (L1) Ensure the GA role is not added as a local administrator during Entra join | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.1.4.4 (L1) Ensure local administrator assignment is limited during Entra join | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.1.4.5 (L1) Ensure Local Administrator Password Solution is enabled | IDENTIFICATION AND AUTHENTICATION |
| 5.1.5.2 (L1) Ensure the admin consent workflow is enabled | CONFIGURATION MANAGEMENT |
| 5.1.6.2 (L1) Ensure that guest user access is restricted | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 5.1.8.1 (L1) Ensure that password hash sync is enabled for hybrid deployments | ACCESS CONTROL |
| 5.2.2.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles | IDENTIFICATION AND AUTHENTICATION |
| 5.2.2.2 (L1) Ensure multifactor authentication is enabled for all users | IDENTIFICATION AND AUTHENTICATION |
| 5.2.2.3 (L1) Enable Conditional Access policies to block legacy authentication | CONFIGURATION MANAGEMENT |
| 5.2.2.4 (L1) Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users | ACCESS CONTROL |
| 5.2.2.6 (L1) Enable Identity Protection user risk policies | SYSTEM AND INFORMATION INTEGRITY |
| 5.2.2.7 (L1) Enable Identity Protection sign-in risk policies | SYSTEM AND INFORMATION INTEGRITY |
| 5.2.2.9 (L1) Ensure a managed device is required for authentication | IDENTIFICATION AND AUTHENTICATION |
| 5.2.2.10 (L1) Ensure a managed device is required to register security information | IDENTIFICATION AND AUTHENTICATION |
| 5.2.2.11 (L1) Ensure sign-in frequency for Intune Enrollment is set to 'Every time' | IDENTIFICATION AND AUTHENTICATION |
| 5.2.2.12 (L1) Ensure the device code sign-in flow is blocked | CONFIGURATION MANAGEMENT |
| 5.2.3.1 (L1) Ensure Microsoft Authenticator is configured to protect against MFA fatigue | IDENTIFICATION AND AUTHENTICATION |
