CIS Microsoft 365 Foundations Benchmark Tests
These tests verify Microsoft 365 tenant configuration against CIS Microsoft 365 Foundations Benchmark recommendations.
Tests
| Test ID | Title | Severity | Category |
|---|---|---|---|
| CIS.M365.1.1.1 | Ensure Administrative accounts are cloud-only | High | CIS E3 Level 1 |
| CIS.M365.1.1.3 | Ensure that between two and four global admins are designated | High | CIS E3 Level 1 |
| CIS.M365.1.2.1 | Ensure that only organizationally managed/approved public groups exist | Medium | CIS E3 Level 2 |
| CIS.M365.1.2.2 | Ensure sign-in to shared mailboxes is blocked | High | CIS E3 Level 1 |
| CIS.M365.1.3.1 | Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)' | High | CIS E3 Level 1 |
| CIS.M365.1.3.3 | Ensure 'External sharing' of calendars is not available | Medium | CIS E3 Level 2 |
| CIS.M365.1.3.4 | Ensure 'User owned apps and services' is restricted | Unknown | CIS E3 Level 1 |
| CIS.M365.1.3.5 | Ensure internal phishing protection for Forms is enabled | Unknown | CIS E3 Level 1 |
| CIS.M365.1.3.6 | Ensure the customer lockbox feature is enabled | High | CIS E5 Level 2 |
| CIS.M365.1.3.7 | Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web' | Unknown | CIS E3 Level 2 |
| CIS.M365.2.1.1 | Ensure Safe Links for Office Applications is Enabled (Only Checks Default Policy) | Medium | CIS E5 Level 2 |
| CIS.M365.2.1.2 | Ensure the Common Attachment Types Filter is enabled (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
| CIS.M365.2.1.3 | Ensure notifications for internal users sending malware is Enabled (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
| CIS.M365.2.1.4 | Ensure Safe Attachments policy is enabled (Only Checks Default Policy) | High | CIS E5 Level 2 |
| CIS.M365.2.1.5 | Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled | High | CIS E5 Level 2 |
| CIS.M365.2.1.6 | Ensure Exchange Online Spam Policies are set to notify administrators (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
| CIS.M365.2.1.7 | Ensure that an anti-phishing policy has been created (Only Checks Default Policy) | Medium | CIS E5 Level 1 |
| CIS.M365.2.1.9 | Ensure that DKIM is enabled for all Exchange Online Domains | High | CIS E3 Level 1 |
| CIS.M365.2.1.11 | Ensure comprehensive attachment filtering is applied | High | CIS E3 Level 2 |
| CIS.M365.2.1.12 | Ensure the connection filter IP allow list is not used (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
| CIS.M365.2.1.13 | Ensure the connection filter safe list is off (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
| CIS.M365.2.4.4 | Ensure Zero-hour auto purge for Microsoft Teams is on (Only Checks ZAP is enabled) | Medium | CIS E5 Level 1 |
| CIS.M365.3.1.1 | Ensure Microsoft 365 audit log search is Enabled | High | CIS E3 Level 1 |
| CIS.M365.4.1 | Ensure devices without a compliance policy are marked | Unknown | CIS E3 Level 2 |
| CIS.M365.5.1.2.2 | Ensure third party integrated applications are not allowed | Unknown | CIS E3 Level 2 |
| CIS.M365.5.1.2.3 | Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' | Unknown | CIS E3 Level 1 |
| CIS.M365.5.1.3.1 | Ensure a dynamic group for guest users is created | Unknown | CIS E3 Level 1 |
| CIS.M365.5.1.5.1 | Ensure user consent to apps accessing company data on their behalf is not allowed | Unknown | CIS E3 Level 2 |
| CIS.M365.5.1.5.2 | Ensure the admin consent workflow is enabled | Unknown | CIS E3 Level 1 |
| CIS.M365.5.1.6.2 | Ensure that guest user access is restricted | Unknown | CIS E3 Level 1 |
| CIS.M365.5.2.3.5 | Ensure weak authentication methods are disabled | Unknown | CIS E3 Level 1 |
| CIS.M365.6.5.3 | Ensure additional storage providers are restricted in Outlook on the web | Unknown | CIS E3 Level 2 |
| CIS.M365.8.1.1 | Ensure external file sharing in Teams is enabled for only approved cloud storage services | Medium | CIS E5 Level 2 |
| CIS.M365.8.2.2 | Ensure communication with unmanaged Teams users is disabled | Medium | CIS E5 Level 1 |
| CIS.M365.8.2.3 | Ensure external Teams users cannot initiate conversations | Unknown | CIS E5 Level 1 |
| CIS.M365.8.4.1 | Ensure all or a majority of third-party and custom apps are blocked | High | CIS E5 Level 1 |
| CIS.M365.8.5.3 | Ensure only people in my org can bypass the lobby | Medium | CIS E3 Level 1 |
| CIS.M365.8.6.1 | Ensure users can report security concerns in Teams to internal destination | Medium | CIS E3 Level 1 |