CIS Microsoft 365 Foundations E3 L1 v3.0.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Microsoft 365 Foundations E3 L1 v3.0.0

Updated: 6/24/2024

Authority: CIS

Plugin: microsoft_azure

Revision: 1.2

Estimated Item Count: 74

File Details

Filename: CIS_Microsoft_365_v3.0.0_E3_Level_1.audit

Size: 160 kB

MD5: cca7976a11a0e353510937ac1ba94eaf
SHA256: 91f3a09dcdfd90d03a78142e0a86cdd4a3dec8b7d9797c2302d0017ebf2a60c5

Audit Items

Description | Categories
1.1.1 Ensure Administrative accounts are separate and cloud-only
1.1.2 Ensure two emergency access accounts have been defined
1.1.3 Ensure that between two and four global admins are designated
1.1.4 Ensure Guest Users are reviewed at least biweekly
1.2.2 Ensure sign-in to shared mailboxes is blocked

CONFIGURATION MANAGEMENT

1.3.1 Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'
1.3.2 Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices
1.3.4 Ensure 'User owned apps and services' is restricted
1.3.5 Ensure internal phishing protection for Forms is enabled
2.1.2 Ensure the Common Attachment Types Filter is enabled
2.1.3 Ensure notifications for internal users sending malware is Enabled
2.1.6 Ensure Exchange Online Spam Policies are set to notify administrators
2.1.8 Ensure that SPF records are published for all Exchange Domains
2.1.9 Ensure that DKIM is enabled for all Exchange Online Domains
2.1.10 Ensure DMARC Records for all Exchange Online domains are published
2.1.12 Ensure the 'Restricted entities' report is reviewed weekly
2.1.13 Ensure all security threats in the Threat protection status report are reviewed at least weekly
2.3.1 Ensure the Account Provisioning Activity report is reviewed at least weekly
2.3.2 Ensure non-global administrator role group assignments are reviewed at least weekly
3.1.1 Ensure Microsoft 365 audit log search is Enabled
3.1.2 Ensure user role group changes are reviewed at least weekly
3.2.1 Ensure DLP policies are enabled
3.3.1 Ensure SharePoint Online Information Protection policies are set up and used
5.1.1.1 Ensure Security Defaults is disabled on Azure Active Directory
5.1.2.1 Ensure 'Per-user MFA' is disabled
5.1.2.3 Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'

ACCESS CONTROL

5.1.2.4 Ensure 'Restrict access to the Azure AD administration portal' is set to 'Yes'
5.1.3.1 Ensure a dynamic group for guest users is created
5.1.5.1 Ensure the Application Usage report is reviewed at least weekly
5.1.5.3 Ensure the admin consent workflow is enabled
5.1.8.1 Ensure that password hash sync is enabled for hybrid deployments
5.2.2.1 Ensure multifactor authentication is enabled for all users in administrative roles
5.2.2.2 Ensure multifactor authentication is enabled for all users
5.2.2.3 Enable Conditional Access policies to block legacy authentication
5.2.2.4 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
5.2.2.8 Ensure 'Microsoft Azure Management' is limited to administrative roles

ACCESS CONTROL

5.2.3.1 Ensure Microsoft Authenticator is configured to protect against MFA fatigue
5.2.3.2 Ensure custom banned passwords lists are used
5.2.3.3 Ensure password protection is enabled for on-prem Active Directory
5.2.4.1 Ensure 'Self service password reset enabled' is set to 'All'

AWARENESS AND TRAINING

5.2.4.2 Ensure the self-service password reset activity report is reviewed at least weekly
6.1.1 Ensure 'AuditDisabled' organizationally is set to 'False'
6.1.2 Ensure mailbox auditing for E3 users is Enabled
6.1.4 Ensure 'AuditBypassEnabled' is not enabled on mailboxes
6.2.1 Ensure all forms of mail forwarding are blocked and/or disabled

CONFIGURATION MANAGEMENT

6.2.2 Ensure mail transport rules do not whitelist specific domains
6.2.3 Ensure email from external senders is identified

CONFIGURATION MANAGEMENT

6.4.1 Ensure mail forwarding rules are reviewed at least weekly
6.5.1 Ensure modern authentication for Exchange Online is enabled
7.2.1 Ensure modern authentication for SharePoint applications is required