Version: 2.1.1-preview

CIS Microsoft 365 Foundations Benchmark Tests

These tests verify Microsoft 365 tenant configuration against the recommendations of the CIS Microsoft 365 Foundations Benchmark. Each entry lists the test ID, the benchmark recommendation it implements (the `(L1)`/`(L2)` prefix is the CIS profile level), the severity assigned to a failing result, and the benchmark profile (E3 or E5, Level 1 or 2) or benchmark version the recommendation is taken from. Tests whose title carries the qualifier "(Only Checks Default Policy)" evaluate only the tenant's default policy; custom policies scoped to particular users or groups are not assessed by those tests, so a passing result does not by itself show that every user is covered.

Tests

| Test ID | Title | Severity | Category |
|---|---|---|---|
| CIS.M365.1.1.1 | (L1) Ensure Administrative accounts are cloud-only | High | CIS E3 Level 1 |
| CIS.M365.1.1.3 | (L1) Ensure that between two and four global admins are designated | High | CIS E3 Level 1 |
| CIS.M365.1.2.1 | (L2) Ensure that only organizationally managed/approved public groups exist | Medium | CIS E3 Level 2 |
| CIS.M365.1.2.2 | (L1) Ensure sign-in to shared mailboxes is blocked | High | CIS E3 Level 1 |
| CIS.M365.1.3.1 | (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)' | High | CIS E3 Level 1 |
| CIS.M365.1.3.3 | (L2) Ensure 'External sharing' of calendars is not available | Medium | CIS E3 Level 2 |
| CIS.M365.1.3.4 | Ensure | Unknown | CIS E3 Level 1 |
| CIS.M365.1.3.5 | Ensure internal phishing protection for Forms is enabled | Unknown | CIS E3 Level 1 |
| CIS.M365.1.3.6 | (L2) Ensure the customer lockbox feature is enabled | High | CIS E5 Level 2 |
| CIS.M365.1.3.7 | Ensure | Unknown | CIS E3 Level 2 |
| CIS.M365.2.1.1 | (L2) Ensure Safe Links for Office Applications is Enabled (Only Checks Default Policy) | Medium | CIS E5 Level 2 |
| CIS.M365.2.1.2 | (L1) Ensure the Common Attachment Types Filter is enabled (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
| CIS.M365.2.1.3 | (L1) Ensure notifications for internal users sending malware is Enabled (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
| CIS.M365.2.1.4 | (L2) Ensure Safe Attachments policy is enabled (Only Checks Default Policy) | High | CIS E5 Level 2 |
| CIS.M365.2.1.5 | (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled | High | CIS E5 Level 2 |
| CIS.M365.2.1.6 | (L1) Ensure Exchange Online Spam Policies are set to notify administrators (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
| CIS.M365.2.1.7 | (L1) Ensure that an anti-phishing policy has been created (Only Checks Default Policy) | Medium | CIS E5 Level 1 |
| CIS.M365.2.1.9 | (L1) Ensure that DKIM is enabled for all Exchange Online Domains | High | CIS E3 Level 1 |
| CIS.M365.2.1.11 | (L2) Ensure comprehensive attachment filtering is applied | High | CIS E3 Level 2 |
| CIS.M365.2.1.12 | (L1) Ensure the connection filter IP allow list is not used (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
| CIS.M365.2.1.13 | (L1) Ensure the connection filter safe list is off (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
| CIS.M365.2.4.4 | (L1) Ensure Zero-hour auto purge for Microsoft Teams is on (Only Checks ZAP is enabled) | Medium | CIS E5 Level 1 |
| CIS.M365.3.1.1 | (L1) Ensure Microsoft 365 audit log search is Enabled | High | CIS E3 Level 1 |
| CIS.M365.4.1 | Ensure devices without a compliance policy are marked | Unknown | CIS E3 Level 2 |
| CIS.M365.5.1.2.2 | Ensure third party integrated applications are not allowed | Unknown | CIS E3 Level 2 |
| CIS.M365.5.1.2.3 | Ensure | Unknown | CIS E3 Level 1 |
| CIS.M365.5.1.3.1 | Ensure a dynamic group for guest users is created | Unknown | CIS E3 Level 1 |
| CIS.M365.5.1.5.1 | Ensure user consent to apps accessing company data on their behalf is not allowed | Unknown | CIS E3 Level 2 |
| CIS.M365.5.1.5.2 | Ensure the admin consent workflow is enabled | Unknown | CIS E3 Level 1 |
| CIS.M365.5.1.6.2 | Ensure that guest user access is restricted | Unknown | CIS E3 Level 1 |
| CIS.M365.5.2.3.5 | Ensure weak authentication methods are disabled | Unknown | CIS E3 Level 1 |
| CIS.M365.6.5.3 | Ensure additional storage providers are restricted in Outlook on the web | Unknown | CIS E3 Level 2 |
| CIS.M365.8.1.1 | (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services | Medium | CIS M365 v6.0.1 |
| CIS.M365.8.2.2 | (L1) Ensure communication with unmanaged Teams users is disabled | Medium | CIS M365 v6.0.1 |
| CIS.M365.8.2.3 | Ensure external Teams users cannot initiate conversations | Unknown | CIS M365 v6.0.1 |
| CIS.M365.8.4.1 | (L1) Ensure all or a majority of third-party and custom apps are blocked | High | CIS M365 v6.0.1 |
| CIS.M365.8.5.3 | (L1) Ensure only people in my org can bypass the lobby | Medium | CIS E3 Level 1 |
| CIS.M365.8.6.1 | (L1) Ensure users can report security concerns in Teams to internal destination | Medium | CIS E3 Level 1 |
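The two identity tests at the top of the table, CIS.M365.1.1.1 (admin accounts are cloud-only) and CIS.M365.1.1.3 (two to four Global Administrators), can be reproduced by hand against a live tenant. The script below is an added example written for this page, not the test suite's own implementation; it assumes the Microsoft Graph PowerShell SDK is installed, that the caller can consent to the two read-only scopes it requests, and that the thresholds (2 to 4 Global Administrators, no directory-synced admin accounts) are the ones the table entries name. The role template ID for Global Administrator is the well-known value `62e90394-69f5-4237-9190-012177145e10`; the check filters on it rather than on the display name so it is not affected by tenant localisation.

```powershell
# Added example, not part of the test suite: evaluates CIS.M365.1.1.3 and
# CIS.M365.1.1.1 with the Microsoft Graph PowerShell SDK (assumed installed).
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# CIS.M365.1.1.3: between two and four Global Administrators.
# Get-MgDirectoryRole returns only roles that have been activated in the tenant,
# so a missing result means nobody has ever been assigned the role.
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$globalAdminTemplateId'"
$gaMembers = @()
if ($gaRole) {
    $gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
}
# Only count user principals; service principals and groups are reported separately.
$gaUsers = @($gaMembers | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' })
$gaOther = @($gaMembers | Where-Object { $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user' })
$gaCount = $gaUsers.Count
if ($gaCount -ge 2 -and $gaCount -le 4) {
    Write-Output "PASS CIS.M365.1.1.3: $gaCount Global Administrator user accounts"
} else {
    Write-Output "FAIL CIS.M365.1.1.3: $gaCount Global Administrator user accounts (expected 2-4)"
}
if ($gaOther.Count -gt 0) {
    Write-Output "NOTE: $($gaOther.Count) non-user principal(s) also hold Global Administrator; review them"
}

# CIS.M365.1.1.1: administrative accounts are cloud-only.
# Walk every activated directory role and flag user members whose
# onPremisesSyncEnabled flag is set, i.e. accounts mastered in on-premises AD.
$synced = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        $u = Get-MgUser -UserId $m.Id -Property 'userPrincipalName,onPremisesSyncEnabled'
        if ($u.OnPremisesSyncEnabled -eq $true) {
            [pscustomobject]@{ Role = $role.DisplayName; User = $u.UserPrincipalName }
        }
    }
}
if (-not $synced) {
    Write-Output 'PASS CIS.M365.1.1.1: no directory-synced accounts hold directory roles'
} else {
    Write-Output 'FAIL CIS.M365.1.1.1: directory-synced accounts hold directory roles:'
    $synced | Sort-Object Role, User -Unique | Format-Table -AutoSize
}

Disconnect-MgGraph | Out-Null
```

Two caveats apply to any reimplementation of these checks. `Get-MgDirectoryRoleMember` lists direct, active assignments only: members of role-assignable groups are not expanded, and accounts that are merely eligible for the role through Privileged Identity Management do not appear, so a tenant using PIM can pass the count check while still having many people able to become Global Administrator. The script also queries each role member individually, which is slow in tenants with many administrators; it is written for clarity rather than throughput.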