CIS Microsoft 365 Foundations v6.0.0 L1 E5

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Microsoft 365 Foundations v6.0.0 L1 E5

Updated: 4/15/2026

Authority: CIS

Plugin: microsoft_azure

Revision: 1.1

Estimated Item Count: 97

File Details

Filename: CIS_Microsoft_365_Foundations_v6.0.0_L1_E5.audit

Size: 281 kB

MD5: c505ce2e28189b8726fa41630fa1e45c
SHA256: d0a887214605b8db7705f466e5b4443a12c92ee80b61ef5ad6e438a438557f2c

Audit Items

Description | Categories
1.1.1 (L1) Ensure Administrative accounts are cloud-only
1.1.2 (L1) Ensure two emergency access accounts have been defined
1.1.3 (L1) Ensure that between two and four global admins are designated
1.1.4 (L1) Ensure administrative accounts use licenses with a reduced application footprint
1.2.2 (L1) Ensure sign-in to shared mailboxes is blocked
1.3.1 (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'
1.3.4 (L1) Ensure 'User owned apps and services' is restricted
1.3.5 (L1) Ensure internal phishing protection for Forms is enabled
1.3.9 (L1) Ensure shared bookings pages are restricted to select users
2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled
2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled
2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators
2.1.8 (L1) Ensure that SPF records are published for all Exchange Domains
2.1.9 (L1) Ensure that DKIM is enabled for all Exchange Online Domains
2.1.10 (L1) Ensure DMARC Records for all Exchange Online domains are published
2.1.12 (L1) Ensure the connection filter IP allow list is not used
2.1.13 (L1) Ensure the connection filter safe list is off
2.1.14 (L1) Ensure inbound anti-spam policies do not contain allowed domains
2.1.15 (L1) Ensure outbound anti-spam message limits are in place
2.2.1 (L1) Ensure emergency access account activity is monitored
2.4.1 (L1) Ensure Priority account protection is enabled and configured
2.4.2 (L1) Ensure Priority accounts have 'Strict protection' presets applied
2.4.4 (L1) Ensure Zero-hour auto purge for Microsoft Teams is on
3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
3.2.1 (L1) Ensure DLP policies are enabled
3.2.2 (L1) Ensure DLP policies are enabled for Microsoft Teams
3.3.1 (L1) Ensure Information Protection sensitivity label policies are published
5.1.2.1 (L1) Ensure 'Per-user MFA' is disabled
5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
5.1.2.4 (L1) Ensure access to the Entra admin center is restricted
5.1.3.1 (L1) Ensure a dynamic group for guest users is created
5.1.3.2 (L1) Ensure users cannot create security groups
5.1.4.2 (L1) Ensure the maximum number of devices per user is limited
5.1.4.3 (L1) Ensure the GA role is not added as a local administrator during Entra join
5.1.4.4 (L1) Ensure local administrator assignment is limited during Entra join
5.1.4.5 (L1) Ensure Local Administrator Password Solution is enabled
5.1.5.2 (L1) Ensure the admin consent workflow is enabled
5.1.6.2 (L1) Ensure that guest user access is restricted
5.1.8.1 (L1) Ensure that password hash sync is enabled for hybrid deployments
5.2.2.1 (L1) Ensure multifactor authentication is enabled for all users in administrative roles
5.2.2.2 (L1) Ensure multifactor authentication is enabled for all users
5.2.2.3 (L1) Enable Conditional Access policies to block legacy authentication
5.2.2.4 (L1) Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
5.2.2.6 (L1) Enable Identity Protection user risk policies
5.2.2.7 (L1) Enable Identity Protection sign-in risk policies
5.2.2.9 (L1) Ensure a managed device is required for authentication
5.2.2.10 (L1) Ensure a managed device is required to register security information
5.2.2.11 (L1) Ensure sign-in frequency for Intune Enrollment is set to 'Every time'
5.2.2.12 (L1) Ensure the device code sign-in flow is blocked
5.2.3.1 (L1) Ensure Microsoft Authenticator is configured to protect against MFA fatigue