# CISA Tests

These tests verify the configuration of a Microsoft 365 tenant against the CISA Secure Cloud Business Applications (SCuBA) baseline guidance.

## Tests
| Test ID | Title | Severity | Category |
|---|---|---|---|
| CISA.MS.AAD.1.1 | Legacy authentication SHALL be blocked. | High | Entra ID P1 |
| CISA.MS.AAD.2.1 | Users detected as high risk SHALL be blocked. | High | Entra ID P2 |
| CISA.MS.AAD.2.2 | A notification SHOULD be sent to the administrator when high-risk users are detected. | High | Entra ID P2 |
| CISA.MS.AAD.2.3 | Sign-ins detected as high risk SHALL be blocked. | High | Entra ID P2 |
| CISA.MS.AAD.3.1 | Phishing-resistant MFA SHALL be enforced for all users. | High | Entra ID P1 |
| CISA.MS.AAD.3.2 | If phishing-resistant MFA has not been enforced, an alternative MFA method SHALL be enforced for all users. | High | Entra ID P1 |
| CISA.MS.AAD.3.3 | If Microsoft Authenticator is enabled, it SHALL be configured to show login context information. | Medium | Entra ID P1 |
| CISA.MS.AAD.3.4 | The Authentication Methods Manage Migration feature SHALL be set to Migration Complete. | High | Entra ID P1 |
| CISA.MS.AAD.3.5 | The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled. | High | Entra ID P1 |
| CISA.MS.AAD.3.6 | Phishing-resistant MFA SHALL be required for highly privileged roles. | High | Entra ID P1 |
| CISA.MS.AAD.3.7 | Managed devices SHOULD be required for authentication. | High | Entra ID P1 |
| CISA.MS.AAD.3.8 | Managed Devices SHOULD be required to register MFA. | High | Entra ID P1 |
| CISA.MS.AAD.4.1 | Security logs SHALL be sent to the agency's security operations center for monitoring. | High | Entra ID P1 |
| CISA.MS.AAD.5.1 | Only administrators SHALL be allowed to register applications. | High | Entra ID Free |
| CISA.MS.AAD.5.2 | Only administrators SHALL be allowed to consent to applications. | High | Entra ID Free |
| CISA.MS.AAD.5.3 | An admin consent workflow SHALL be configured for applications. | High | Entra ID Free |
| CISA.MS.AAD.5.4 | Group owners SHALL NOT be allowed to consent to applications. | High | Entra ID Free |
| CISA.MS.AAD.6.1 | User passwords SHALL NOT expire. | High | Entra ID Free |
| CISA.MS.AAD.7.1 | A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role. | High | Entra ID Free |
| CISA.MS.AAD.7.2 | Privileged users SHALL be provisioned with finer-grained roles instead of Global Administrator. | High | Entra ID Free |
| CISA.MS.AAD.7.3 | Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers. | High | Entra ID Free |
| CISA.MS.AAD.7.4 | Permanent active role assignments SHALL NOT be allowed for highly privileged roles. | High | Entra ID P2 |
| CISA.MS.AAD.7.5 | Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system. | High | Entra ID P2 |
| CISA.MS.AAD.7.6 | Activation of the Global Administrator role SHALL require approval. | High | Entra ID P2 |
| CISA.MS.AAD.7.7 | Eligible and Active highly privileged role assignments SHALL trigger an alert. | High | Entra ID P2 |
| CISA.MS.AAD.7.8 | User activation of the Global Administrator role SHALL trigger an alert. | High | Entra ID P2 |
| CISA.MS.AAD.7.9 | User activation of other highly privileged roles SHOULD trigger an alert. | High | Entra ID P2 |
| CISA.MS.AAD.8.1 | Guest users SHOULD have limited or restricted access to Azure AD directory objects. | Medium | Entra ID Free |
| CISA.MS.AAD.8.2 | Only users with the Guest Inviter role SHOULD be able to invite guest users. | High | Entra ID Free |
| CISA.MS.AAD.8.3 | Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes. | Medium | Entra ID Free |
| CISA.MS.EXO.1.1 | Automatic forwarding to external domains SHALL be disabled. | High | exchange |
| CISA.MS.EXO.2.1 | A list of approved IP addresses for sending mail SHALL be maintained. | Medium | Deprecated |
| CISA.MS.EXO.2.2 | An SPF policy SHALL be published for each domain, designating only these addresses as approved senders. | Medium | exchange |
| CISA.MS.EXO.3.1 | DKIM SHOULD be enabled for all domains. | Medium | exchange |
| CISA.MS.EXO.4.1 | A DMARC policy SHALL be published for every second-level domain. | Medium | exchange |
| CISA.MS.EXO.4.2 | The DMARC message rejection option SHALL be p=reject. | High | exchange |
| CISA.MS.EXO.4.3 | The DMARC point of contact for aggregate reports SHALL include reports@dmarc.cyber.dhs.gov. | Medium | exchange |
| CISA.MS.EXO.5.1 | SMTP AUTH SHALL be disabled. | High | exchange |
| CISA.MS.EXO.6.1 | Contact folders SHALL NOT be shared with all domains. | Medium | exchange |
| CISA.MS.EXO.6.2 | Calendar details SHALL NOT be shared with all domains. | Medium | exchange |
| CISA.MS.EXO.7.1 | External sender warnings SHALL be implemented. | Medium | exchange |
| CISA.MS.EXO.8.1 | A DLP solution SHALL be used. | High | exchange |
| CISA.MS.EXO.8.2 | The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency. | Medium | exchange |
| CISA.MS.EXO.8.3 | The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft. | Medium | exchange |
| CISA.MS.EXO.8.4 | At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email. | High | exchange |
| CISA.MS.EXO.9.1 | Emails SHALL be filtered by attachment file types. | Medium | exchange |
| CISA.MS.EXO.9.2 | The attachment filter SHOULD attempt to determine the true file type and assess the file extension. | Medium | exchange |
| CISA.MS.EXO.9.3 | Disallowed file types SHALL be determined and enforced. | High | exchange |
| CISA.MS.EXO.9.4 | Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender's Common Attachment Filter. | Medium | exchange |
| CISA.MS.EXO.9.5 | At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe). | High | exchange |
| CISA.MS.EXO.10.1 | Emails SHALL be scanned for malware. | High | exchange |
| CISA.MS.EXO.10.2 | Emails identified as containing malware SHALL be quarantined or dropped. | High | exchange |
| CISA.MS.EXO.10.3 | Email scanning SHALL be capable of reviewing emails after delivery. | High | exchange |
| CISA.MS.EXO.11.1 | Impersonation protection checks SHOULD be used. | High | exchange |
| CISA.MS.EXO.11.2 | User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed. | Medium | exchange |
| CISA.MS.EXO.11.3 | The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence. | Medium | exchange |
| CISA.MS.EXO.12.1 | IP allow lists SHOULD NOT be created. | Medium | exchange |
| CISA.MS.EXO.12.2 | Safe lists SHOULD NOT be enabled. | Medium | exchange |
| CISA.MS.EXO.13.1 | Mailbox auditing SHALL be enabled. | High | exchange |
| CISA.MS.EXO.14.1 | A spam filter SHALL be enabled. | High | exchange |
| CISA.MS.EXO.14.2 | Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder. | Medium | exchange |
| CISA.MS.EXO.14.3 | Allowed domains SHALL NOT be added to inbound anti-spam protection policies. | Medium | exchange |
| CISA.MS.EXO.14.4 | If a third-party filtering solution is used, the solution SHOULD offer services comparable to the native spam filtering offered by Microsoft. | Medium | exchange |
| CISA.MS.EXO.15.1 | URL comparison with a block-list SHOULD be enabled. | Medium | exchange |
| CISA.MS.EXO.15.2 | Direct download links SHOULD be scanned for malware. | High | exchange |
| CISA.MS.EXO.15.3 | User click tracking SHOULD be enabled. | Medium | exchange |
| CISA.MS.EXO.16.1 | Alerts SHALL be enabled. | High | exchange |
| CISA.MS.EXO.16.2 | Alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) system. | Medium | exchange |
| CISA.MS.EXO.17.1 | Microsoft Purview Audit (Standard) logging SHALL be enabled. | High | exchange |
| CISA.MS.EXO.17.2 | Microsoft Purview Audit (Premium) logging SHALL be enabled. | Medium | Deprecated |
| CISA.MS.EXO.17.3 | Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C). | Medium | exchange |
| CISA.MS.SHAREPOINT.1.1 | External sharing for SharePoint SHALL be limited to Existing guests or Only People in your organization. | Medium | spo |
| CISA.MS.SHAREPOINT.1.3 | External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs. | High | spo |