Src/Compliance/CIS.M365.json
{ "_meta": { "framework": "CIS Microsoft 365 Foundations Benchmark", "version": "6.0.1", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "reference": "https://www.cisecurity.org/benchmark/microsoft_365", "lastReviewed": "2026-03-01", "notes": "Controls mapped to SharePoint Online and OneDrive for Business. L1 = basic hygiene, L2 = defence-in-depth. Status tokens: [OK] [WARN] [FAIL] [INFO]." }, "SharingPolicy": { "_section": "SharePoint Online -- Sharing Policies", "_cisChapter": "7.2, 7.3", "_source": "CIS M365 v6.0.1", "checks": [ { "id": "CIS-M365-7.2.1", "CISControl": "7.2.1", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "title": "SharePoint external sharing set to 'New and existing guests' or more restrictive", "staticStatus": null, "statusExpression": "if ($SPExternalSharingLevel -eq 'Disabled' -or $SPExternalSharingLevel -eq 'ExistingExternalUserSharingOnly') { '[OK]' } elseif ($SPExternalSharingLevel -eq 'ExternalUserSharingOnly') { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "SharePoint external sharing: {SPExternalSharingLevel}. CIS L1 requires 'New and existing guests' or more restrictive (not 'Anyone').", "remediation": "In SharePoint Admin Center > Policies > Sharing, set SharePoint sharing to 'New and existing guests' or 'Only people in your organisation'.", "tags": ["sharing", "external", "l1"] }, { "id": "CIS-M365-7.2.2", "CISControl": "7.2.2", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "title": "OneDrive external sharing set to 'New and existing guests' or more restrictive", "staticStatus": null, "statusExpression": "if ($ODExternalSharingLevel -eq 'Disabled' -or $ODExternalSharingLevel -eq 'ExistingExternalUserSharingOnly') { '[OK]' } elseif ($ODExternalSharingLevel -eq 'ExternalUserSharingOnly') { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "OneDrive external sharing: {ODExternalSharingLevel}. 
CIS L1 requires 'New and existing guests' or more restrictive.", "remediation": "In SharePoint Admin Center > Policies > Sharing, set OneDrive sharing to 'New and existing guests' or 'Only people in your organisation'.", "tags": ["sharing", "onedrive", "external", "l1"] }, { "id": "CIS-M365-7.2.3", "CISControl": "7.2.3", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "title": "Guest access expiry enforced for shared items", "staticStatus": null, "statusExpression": "if ($ExternalUserExpireInDays -gt 0 -and $ExternalUserExpireInDays -le 30) { '[OK]' } elseif ($ExternalUserExpireInDays -gt 30) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "Guest access expiry: {ExternalUserExpireInDays} days. CIS recommends expiry of 30 days or less to prevent stale guest accounts from retaining access.", "remediation": "Enable 'Guest access to a site or OneDrive will expire automatically after this many days' and set to 30 days or less in SharePoint Admin Center > Policies > Sharing.", "tags": ["guest", "expiry", "external-access", "l1"] }, { "id": "CIS-M365-7.2.4", "CISControl": "7.2.4", "Level": "L2", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "title": "Anyone links disabled or restricted with expiry and view-only permissions", "staticStatus": null, "statusExpression": "if (-not $AnyoneLinkEnabled) { '[OK]' } elseif ($AnyoneLinkEnabled -and $AnyoneLinkExpiryDays -gt 0 -and $AnyoneLinkExpiryDays -le 7) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "Anyone links enabled: {AnyoneLinkEnabled}. Expiry: {AnyoneLinkExpiryDays} days. 
Anonymous unauthenticated sharing is a significant data loss risk.", "remediation": "Disable Anyone links entirely, or restrict to view-only with a maximum 7-day expiry in SharePoint Admin Center > Policies > Sharing.", "tags": ["sharing", "anyone-links", "anonymous", "l2"] }, { "id": "CIS-M365-7.2.5", "CISControl": "7.2.5", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "title": "Require sharing invitations to be accepted with the invited account", "staticStatus": null, "statusExpression": "if ($RequireAcceptingAccountMatchInvitedAccount) { '[OK]' } else { '[WARN]' }", "detailTemplate": "Require accepting account match invited account: {RequireAcceptingAccountMatchInvitedAccount}. Prevents invitation hijacking, where a forwarded invitation is accepted by someone other than the intended recipient.", "remediation": "Enable 'Guests must sign in using the same account to which sharing invitations are sent' in SharePoint Admin Center > Policies > Sharing.", "tags": ["sharing", "invitations", "authentication", "l1"] } ] }, "ExternalAccess": { "_section": "SharePoint Online -- External Access Controls", "_cisChapter": "7.3", "_source": "CIS M365 v6.0.1", "checks": [ { "id": "CIS-M365-7.3.1", "CISControl": "7.3.1", "Level": "L2", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "title": "Unmanaged device access restricted to limited web-only or blocked", "staticStatus": null, "statusExpression": "if ($ConditionalAccessPolicy -eq 'BlockAccess') { '[OK]' } elseif ($ConditionalAccessPolicy -eq 'AllowLimitedAccess') { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "Unmanaged device access policy: {ConditionalAccessPolicy}. 
Full access from personal/unmanaged devices increases data exfiltration risk.", "remediation": "Set to 'Allow limited, web-only access' or 'Block access' in SharePoint Admin Center > Policies > Access Control > Unmanaged devices.", "tags": ["unmanaged-devices", "access-control", "l2"] }, { "id": "CIS-M365-7.3.2", "CISControl": "7.3.2", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "title": "SharePoint idle session sign-out configured", "staticStatus": null, "statusExpression": "if ($SignOutInactiveUsersAfter -and $SignOutInactiveUsersAfter -le 60) { '[OK]' } elseif ($SignOutInactiveUsersAfter -gt 60) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "Idle session sign-out: {SignOutInactiveUsersAfter} minutes. Without sign-out, unattended browsers retain authenticated sessions.", "remediation": "Enable idle session sign-out in SharePoint Admin Center > Policies > Access Control > Idle session sign-out. Set to 60 minutes or less with a 5-minute warning.", "tags": ["session", "idle-timeout", "access-control", "l1"] }, { "id": "CIS-M365-7.3.3", "CISControl": "7.3.3", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "title": "Network location policy restricts access to approved IP ranges", "staticStatus": "[INFO]", "detailTemplate": "Verify that SharePoint access is restricted to known IP ranges via network location policy if applicable to your organisation. This reduces attack surface from unknown networks.", "remediation": "Configure network location policy in SharePoint Admin Center > Policies > Access Control > Network location. 
Add approved IP ranges for corporate networks.", "tags": ["network", "ip-restriction", "access-control", "l1"] }, { "id": "CIS-M365-7.3.4", "CISControl": "7.3.4", "Level": "L2", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "title": "Default link sharing set to specific people only", "staticStatus": null, "statusExpression": "if ($DefaultSharingLinkType -eq 'None' -or $DefaultSharingLinkType -eq 'Direct') { '[OK]' } elseif ($DefaultSharingLinkType -eq 'Internal') { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "Default sharing link type: {DefaultSharingLinkType}. 'Specific people' links minimise accidental over-sharing. 'Anyone' or 'Organisation' defaults lead to broader than intended sharing.", "remediation": "Set default sharing link type to 'Specific people' in SharePoint Admin Center > Policies > Sharing > Default link type.", "tags": ["sharing", "default-link", "l2"] } ] }, "Compliance": { "_section": "SharePoint Online -- Compliance and Data Governance", "_cisChapter": "7.4", "_source": "CIS M365 v6.0.1", "checks": [ { "id": "CIS-M365-7.4.1", "CISControl": "7.4.1", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "title": "Unified audit log enabled for SharePoint and OneDrive", "staticStatus": null, "statusExpression": "if ($AuditEnabled) { '[OK]' } else { '[FAIL]' }", "detailTemplate": "Unified audit log enabled: {AuditEnabledStr}. Audit logging is required for investigating security incidents, compliance reporting, and detecting suspicious activity.", "remediation": "Enable unified audit logging in Microsoft Purview Compliance portal > Audit > Start recording. 
Note: this may take up to 60 minutes to take effect.", "tags": ["audit", "logging", "compliance", "l1"] }, { "id": "CIS-M365-7.4.2", "CISControl": "7.4.2", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "title": "Versioning enabled to support recovery from ransomware/accidental deletion", "staticStatus": "[INFO]", "detailTemplate": "Verify document versioning is enabled on all SharePoint document libraries. Versioning is the primary defence against ransomware-induced file corruption in SharePoint.", "remediation": "Enable versioning on document libraries with a minimum of 500 major versions. Use PowerShell (PnP or CSOM) to enforce this across all sites at scale.", "tags": ["versioning", "backup", "recovery", "l1"] }, { "id": "CIS-M365-7.4.3", "CISControl": "7.4.3", "Level": "L2", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "title": "Microsoft Purview Data Loss Prevention (DLP) policies applied to SharePoint", "staticStatus": "[INFO]", "detailTemplate": "Verify DLP policies are configured in Microsoft Purview covering SharePoint and OneDrive. DLP prevents sensitive data (PII, credit card numbers, etc.) from being shared externally.", "remediation": "Create DLP policies in Microsoft Purview Compliance portal > Data Loss Prevention > Policies targeting SharePoint and OneDrive locations with appropriate sensitive information types.", "tags": ["dlp", "data-loss-prevention", "compliance", "l2"] }, { "id": "CIS-M365-7.4.4", "CISControl": "7.4.4", "Level": "L2", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "title": "Sensitivity labels enabled and enforced on SharePoint sites", "staticStatus": "[INFO]", "detailTemplate": "Verify Microsoft Purview sensitivity labels are enabled for SharePoint and OneDrive and published to users. 
Labels enable data classification-based access control and encryption.", "remediation": "Enable sensitivity labels for SharePoint and OneDrive via PowerShell: Set-SPOTenant -EnableAIPIntegration $true. Publish labels via Microsoft Purview > Information Protection.", "tags": ["sensitivity-labels", "information-protection", "l2"] } ] }, "OneDrive": { "_section": "OneDrive for Business -- Security and Sync Controls", "_cisChapter": "7.5", "_source": "CIS M365 v6.0.1", "checks": [ { "id": "CIS-M365-7.5.1", "CISControl": "7.5.1", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "title": "OneDrive sync restricted to domain-joined or Intune-compliant devices", "staticStatus": null, "statusExpression": "if ($AllowedDomainGuidsForSyncApp -and $AllowedDomainGuidsForSyncApp.Count -gt 0) { '[OK]' } else { '[WARN]' }", "detailTemplate": "OneDrive sync domain restriction: {SyncDomainRestrictionEnabled}. Allowing sync from any device increases risk of bulk data download to unmanaged machines.", "remediation": "Enable sync domain restrictions in SharePoint Admin Center > Settings > Sync. Add all managed domain GUIDs to enforce sync from corporate devices only.", "tags": ["onedrive", "sync", "domain-restriction", "l1"] }, { "id": "CIS-M365-7.5.3", "CISControl": "7.5.3", "Level": "L2", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "title": "Personal site creation restricted to specific users/groups", "staticStatus": null, "statusExpression": "if ($DisablePersonalListCreation -eq $false) { '[WARN]' } else { '[OK]' }", "detailTemplate": "Personal list/site creation disabled: {DisablePersonalListCreation}. 
Unrestricted OneDrive creation can lead to sprawl and ungoverned data stores.", "remediation": "In SharePoint Admin Center, restrict who can create personal sites (OneDrive) to specific security groups if not all users require OneDrive.", "tags": ["onedrive", "personal-site", "governance", "l2"] } ] }, "SiteCollections": { "_section": "SharePoint Online -- Site Collection Governance", "_cisChapter": "7.6", "_source": "CIS M365 v6.0.1", "checks": [ { "id": "CIS-M365-7.6.1", "CISControl": "7.6.1", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "title": "All site collections have at least two site collection administrators", "staticStatus": "[INFO]", "detailTemplate": "Verify all SharePoint site collections have at least two administrators. Single-admin sites risk becoming inaccessible if the admin account is disabled or deleted.", "remediation": "Audit site collection admins via PowerShell or SharePoint Admin Center. Add a second admin (ideally a service account or shared mailbox) to any site with only one admin.", "tags": ["site-collections", "administration", "resilience", "l1"] }, { "id": "CIS-M365-7.6.2", "CISControl": "7.6.2", "Level": "L1", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "title": "Storage quotas configured per site collection to prevent runaway consumption", "staticStatus": null, "statusExpression": "if ($StorageQuotaAutoGrowEnabled -eq $false) { '[WARN]' } else { '[OK]' }", "detailTemplate": "Auto-grow storage quotas: {StorageQuotaAutoGrowEnabled}. Without quotas, individual sites can consume disproportionate storage and trigger throttling.", "remediation": "Configure per-site storage quotas in SharePoint Admin Center > Active sites. 
Disable auto-grow for production sites to enforce governance.", "tags": ["site-collections", "storage", "quota", "l1"] }, { "id": "CIS-M365-7.6.3", "CISControl": "7.6.3", "Level": "L2", "source": "CIS Microsoft 365 Foundations Benchmark v6.0.1", "title": "Inactive sites identified and reviewed for decommissioning", "staticStatus": "[INFO]", "detailTemplate": "Verify inactive site collections are identified and reviewed regularly. Abandoned sites with sensitive content pose an ongoing data exposure risk.", "remediation": "Use SharePoint Admin Center > Reports > Usage to identify sites with no recent activity. Engage site owners to confirm whether sites should be retained, archived, or deleted.", "tags": ["site-collections", "lifecycle", "governance", "l2"] } ] } }