| Recommendation | NIST SP 800-53 control family |
| --- | --- |
| 1.1.1 Ensure multifactor authentication is enabled for all users in administrative roles | IDENTIFICATION AND AUTHENTICATION |
| 1.1.3 Ensure that between two and four global admins are designated | ACCESS CONTROL |
| 1.1.4 Ensure self-service password reset is enabled | AWARENESS AND TRAINING |
| 1.1.5 Ensure that password protection is enabled for Active Directory | IDENTIFICATION AND AUTHENTICATION |
| 1.1.6 Enable Conditional Access policies to block legacy authentication | CONFIGURATION MANAGEMENT |
| 1.1.7 Ensure that password hash sync is enabled for hybrid deployments | ACCESS CONTROL |
| 1.1.11 Ensure Security Defaults is disabled on Azure Active Directory | CONFIGURATION MANAGEMENT |
| 1.1.15 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users | ACCESS CONTROL |
| 1.2 Ensure modern authentication for Exchange Online is enabled | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.3 Ensure modern authentication for SharePoint applications is required | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.4 Ensure that Office 365 Passwords Are Not Set to Expire | IDENTIFICATION AND AUTHENTICATION |
| 1.5 Ensure Administrative accounts are separate and cloud-only | ACCESS CONTROL |
| 2.9 Ensure users installing Word, Excel, and PowerPoint add-ins is not allowed | CONFIGURATION MANAGEMENT |
| 2.10 Ensure internal phishing protection for Forms is enabled | AWARENESS AND TRAINING, SYSTEM AND INFORMATION INTEGRITY |
| 2.11 Ensure that Sways cannot be shared with people outside of your organization | CONFIGURATION MANAGEMENT |
| 3.4 Ensure DLP policies are enabled | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 4.1 Ensure the Common Attachment Types Filter is enabled | SYSTEM AND INFORMATION INTEGRITY |
| 4.2 Ensure Exchange Online Spam Policies are set to notify administrators | INCIDENT RESPONSE |
| 4.3 Ensure all forms of mail forwarding are blocked and/or disabled | ACCESS CONTROL |
| 4.4 Ensure mail transport rules do not whitelist specific domains | SYSTEM AND INFORMATION INTEGRITY |
| 4.7 Ensure that DKIM is enabled for all Exchange Online Domains | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.8 Ensure that SPF records are published for all Exchange Domains | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.9 Ensure DMARC Records for all Exchange Online domains are published | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.10 Ensure notifications for internal users sending malware is Enabled | INCIDENT RESPONSE |
| 5.1 Ensure Microsoft 365 audit log search is Enabled | AUDIT AND ACCOUNTABILITY |
| 5.2 Ensure mailbox auditing for all users is Enabled | AUDIT AND ACCOUNTABILITY |
| 5.3 Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly | AUDIT AND ACCOUNTABILITY |
| 5.5 Ensure the self-service password reset activity report is reviewed at least weekly | AUDIT AND ACCOUNTABILITY |
| 5.6 Ensure user role group changes are reviewed at least weekly | AUDIT AND ACCOUNTABILITY |
| 5.7 Ensure mail forwarding rules are reviewed at least weekly | AUDIT AND ACCOUNTABILITY |
| 5.8 Ensure all security threats in the Threat protection status report are reviewed at least weekly | AUDIT AND ACCOUNTABILITY |
| 5.9 Ensure the Account Provisioning Activity report is reviewed at least weekly | AUDIT AND ACCOUNTABILITY |
| 5.10 Ensure non-global administrator role group assignments are reviewed at least weekly | AUDIT AND ACCOUNTABILITY |
| 5.13 Ensure the report of users who have had their email privileges restricted due to spamming is reviewed | AUDIT AND ACCOUNTABILITY |
| 5.14 Ensure Guest Users are reviewed at least biweekly | ACCESS CONTROL |
| 6.3 Ensure expiration time for external sharing links is set | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 7.1 Ensure mobile device management policies are set to require advanced security configurations | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 7.2 Ensure that mobile device password reuse is prohibited | IDENTIFICATION AND AUTHENTICATION |
| 7.3 Ensure that mobile devices are set to never expire passwords | IDENTIFICATION AND AUTHENTICATION |
| 7.4 Ensure that users cannot connect from devices that are jailbroken or rooted | CONFIGURATION MANAGEMENT |
| 7.6 Ensure that mobile devices require a minimum password length to prevent brute force attacks | IDENTIFICATION AND AUTHENTICATION |
| 7.7 Ensure devices lock after a period of inactivity to prevent unauthorized access | ACCESS CONTROL |
| 7.8 Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.9 Ensure that mobile devices require complex passwords (Type = Alphanumeric) | IDENTIFICATION AND AUTHENTICATION |
| 7.10 Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) | IDENTIFICATION AND AUTHENTICATION |
| 7.11 Ensure that devices connecting have AV and a local firewall enabled | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 7.13 Ensure mobile devices require the use of a password | IDENTIFICATION AND AUTHENTICATION |
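Most of the Exchange Online rows in the mapping (1.2, 4.1 to 4.4, 4.7 to 4.10, 5.1, 5.2 and the 5.7 review) are settings that can be read back from the tenant, so the practical way to work through them is a read-only script rather than clicking through the admin centres. The following is an added example, not part of the mapping above and not CIS or Microsoft tooling. It assumes an ExchangeOnlineManagement session already opened with `Connect-ExchangeOnline`, a Windows host for `Resolve-DnsName` (used only for the SPF and DMARC lookups), and uses its own function names (`New-Finding`, `Get-TxtRecords`, `Test-ExoBaseline`) and result shape; the control numbers in the output refer to the rows of the table.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example audit of the Exchange Online rows in the mapping; not CIS or
# Microsoft code. Run after Connect-ExchangeOnline. Read-only: Get-* cmdlets only.
# Control numbers in the findings refer to the rows of the mapping table.

function New-Finding {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{
        Control = $Control
        Status  = if ($Pass) { 'PASS' } else { 'FAIL' }
        Detail  = $Detail
    }
}

# Return each TXT record at $Name as one joined string (long records are split into chunks).
# Resolve-DnsName comes from the Windows DnsClient module; this helper is Windows-only.
function Get-TxtRecords {
    param([string]$Name)
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings } |
        ForEach-Object { -join $_.Strings }
}

function Test-ExoBaseline {
    [CmdletBinding()]
    param()

    $org = Get-OrganizationConfig

    # 1.2 modern (OAuth) authentication for Exchange Online
    New-Finding '1.2' $org.OAuth2ClientProfileEnabled "OAuth2ClientProfileEnabled=$($org.OAuth2ClientProfileEnabled)"

    # 4.1 common attachment types filter must be on in every malware filter policy
    $noFileFilter = @(Get-MalwareFilterPolicy | Where-Object { -not $_.EnableFileFilter })
    New-Finding '4.1' ($noFileFilter.Count -eq 0) "Policies without file filter: $($noFileFilter.Name -join ', ')"

    # 4.2 outbound spam policies must notify administrators
    $outbound = @(Get-HostedOutboundSpamFilterPolicy)
    $silent = @($outbound | Where-Object { -not ($_.NotifyOutboundSpam -and $_.NotifyOutboundSpamRecipients) })
    New-Finding '4.2' ($silent.Count -eq 0) "Outbound policies not notifying: $($silent.Name -join ', ')"

    # 4.3 automatic external forwarding blocked both per remote domain and in the outbound policy
    $fwdDomains  = @(Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled })
    $fwdPolicies = @($outbound | Where-Object { $_.AutoForwardingMode -ne 'Off' })
    New-Finding '4.3' ($fwdDomains.Count -eq 0 -and $fwdPolicies.Count -eq 0) `
        "Remote domains allowing forward: $($fwdDomains.Name -join ', '); policies with AutoForwardingMode not Off: $($fwdPolicies.Name -join ', ')"

    # 4.4 no transport rule that bypasses spam filtering (SCL -1) for a whole sender domain
    $allowlists = @(Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $_.SenderDomainIs })
    New-Finding '4.4' ($allowlists.Count -eq 0) "Domain-allowlisting transport rules: $($allowlists.Name -join ', ')"

    # 4.7 DKIM signing enabled for every authoritative accepted domain
    $domains  = @(Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' } | ForEach-Object { $_.DomainName.ToString() })
    $signed   = @(Get-DkimSigningConfig | Where-Object { $_.Enabled } | ForEach-Object { $_.Domain.ToString() })
    $unsigned = @($domains | Where-Object { $signed -notcontains $_ })
    New-Finding '4.7' ($unsigned.Count -eq 0) "Domains without enabled DKIM: $($unsigned -join ', ')"

    # 4.8 / 4.9 SPF and DMARC published for each domain. Exactly one SPF record is required
    # (RFC 7208 treats multiple v=spf1 records as a permanent error). DMARC p= is reported so a
    # published-but-ineffective p=none record is visible in the detail column.
    foreach ($d in $domains) {
        $spf = @(Get-TxtRecords $d | Where-Object { $_ -match '^v=spf1\b' })
        New-Finding '4.8' ($spf.Count -eq 1) "$d SPF: $($spf -join ' | ')"
        $dmarc = @(Get-TxtRecords "_dmarc.$d" | Where-Object { $_ -match '^v=DMARC1\b' })
        $first = $dmarc | Select-Object -First 1
        $policy = if ($first -and $first -match '(?:^|;)\s*p=(none|quarantine|reject)') { $Matches[1] } else { 'missing' }
        New-Finding '4.9' ($dmarc.Count -eq 1) "$d DMARC p=$policy"
    }

    # 4.10 administrators notified when an internal sender is caught sending malware
    $noNotify = @(Get-MalwareFilterPolicy | Where-Object { -not ($_.EnableInternalSenderAdminNotifications -and $_.InternalSenderAdminAddress) })
    New-Finding '4.10' ($noNotify.Count -eq 0) "Policies without internal-sender notification: $($noNotify.Name -join ', ')"

    # 5.1 unified audit log ingestion
    $auditCfg = Get-AdminAuditLogConfig
    New-Finding '5.1' $auditCfg.UnifiedAuditLogIngestionEnabled "UnifiedAuditLogIngestionEnabled=$($auditCfg.UnifiedAuditLogIngestionEnabled)"

    # 5.2 mailbox auditing not disabled at the organisation level and not opted out per mailbox
    $mailboxes = @(Get-Mailbox -ResultSize Unlimited)
    $optedOut  = @($mailboxes | Where-Object { -not $_.AuditEnabled })
    New-Finding '5.2' (-not $org.AuditDisabled -and $optedOut.Count -eq 0) `
        "AuditDisabled=$($org.AuditDisabled); mailboxes with AuditEnabled=False: $($optedOut.Count)"

    # 5.7 inbox rules that forward or redirect mail, listed for the weekly review.
    # One Get-InboxRule call per mailbox, so this step is slow in large tenants.
    $rules = @($mailboxes | ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName } |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo })
    $ruleNames = @($rules | ForEach-Object { "$($_.MailboxOwnerId):$($_.Name)" })
    New-Finding '5.7' ($rules.Count -eq 0) "Forwarding inbox rules: $($ruleNames -join ', ')"
}

Test-ExoBaseline | Format-Table -AutoSize
```

A FAIL on 4.3 or 5.7 is worth treating as an incident-response lead rather than a configuration gap: attacker-created forwarding rules are a common persistence step after a mailbox compromise, so check the creation time and creator of any rule the script lists before removing it. The 5.7 step is deliberately a listing rather than a pass/fail, since some forwarding rules are legitimate; the control only asks that they be reviewed.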