controls/frameworks/cis-m365-v6.json

{"frameworkId":"cis-m365-v6","label":"CIS Microsoft 365 v6.0.1","version":"6.0.1","css":"fw-cis","totalControls":139,"registryKey":"cis-m365-v6","csvColumn":"Cis","displayOrder":1,"scoring":{"method":"profile-compliance","profiles":{"E3-L1":{"label":"CIS E3 Level 1","css":"fw-cis","profileKey":"E3-L1"},"E3-L2":{"label":"CIS E3 Level 2","css":"fw-cis-l2","profileKey":"E3-L2","colors":{"light":{"background":"#dbeafe","color":"#1e40af"},"dark":{"background":"#1E3A5F","color":"#60A5FA"}}},"E5-L1":{"label":"CIS E5 Level 1","css":"fw-cis","profileKey":"E5-L1"},"E5-L2":{"label":"CIS E5 Level 2","css":"fw-cis-l2","profileKey":"E5-L2","colors":{"light":{"background":"#dbeafe","color":"#1e40af"},"dark":{"background":"#1E3A5F","color":"#60A5FA"}}}}},"colors":{"light":{"background":"#e8f0fe","color":"#1a56db"},"dark":{"background":"#1E3A5F","color":"#93C5FD"}},"groupBy":"section-prefix","sections":{"1":"Identity","2":"Defender","3":"Purview","5":"Entra ID","6":"Exchange Online","7":"SharePoint & OneDrive","8":"Teams"},"controls":[{"controlId":"1.1.1","title":"Ensure Security Defaults is disabled on Azure Active Directory","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.1.2","title":"Ensure that only organizationally managed/approved public groups exist","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.1.3","title":"Ensure that between two and four global admins are designated","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.1.4","title":"Ensure Guest Users are reviewed at least biweekly","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.1.5","title":"Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to 0","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.1.6","title":"Ensure that 'Require re-registration when MFA is reestablished' is set to 
Yes","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.1.7","title":"Ensure that account 'Lockout Threshold' is less than or equal to 10 invalid login attempts","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.1.8","title":"Ensure the option to remain signed in is hidden","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.1.9","title":"Ensure that 'Restrict access to Microsoft Entra admin center' is set to Yes","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.1.10","title":"Ensure that 'Users can consent to apps accessing company data on their behalf' is set to No","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.1.11","title":"Ensure that 'Users can add gallery apps to their Access Panel' is set to No","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.1.12","title":"Ensure that 'User consent for applications' is set to Do not allow user consent","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.1.13","title":"Ensure 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.1.14","title":"Ensure a dynamic group for guest users is created","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG2"},{"controlId":"1.1.15","title":"Ensure that 'Guest users permissions are limited' is set to Yes","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.2.1","title":"Ensure that 'Multi-Factor Authentication Status' is 'Enabled' for all Privileged Users","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.2.2","title":"Ensure that 'Multi-Factor Authentication Status' is 'Enabled' for all Non-Privileged Users","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.2.3","title":"Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 
disabled","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.3.1","title":"Ensure the 'Password Hash Sync' is enabled for hybrid deployments","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.3.2","title":"Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users","section":"1","profiles":["E3-L2","E5-L1"],"ig":"IG2"},{"controlId":"1.3.3","title":"Ensure that Microsoft Entra ID 'Phishing-resistant MFA strength' is required for Administrators","section":"1","profiles":["E3-L2","E5-L1"],"ig":"IG2"},{"controlId":"1.3.4","title":"Ensure that 'Require Compliant Device' or 'Require Hybrid Azure AD joined device' is selected for all cloud apps","section":"1","profiles":["E5-L1"],"ig":"IG2"},{"controlId":"1.3.5","title":"Ensure the 'Password Hash Sync' feature is enabled for Hybrid environments","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.3.6","title":"Enable Conditional Access policies to block legacy authentication","section":"1","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"1.3.7","title":"Ensure that a Conditional Access Policy exists to restrict access to the Microsoft Azure Management portal","section":"1","profiles":["E3-L2","E5-L1"],"ig":"IG2"},{"controlId":"2.1.1","title":"Ensure that Microsoft Defender for Office 365 protection is enabled","section":"2","profiles":["E5-L1"],"ig":"IG2"},{"controlId":"2.1.2","title":"Ensure Safe Attachments policy is enabled","section":"2","profiles":["E5-L1"],"ig":"IG2"},{"controlId":"2.1.3","title":"Ensure Safe Links policy is enabled","section":"2","profiles":["E5-L1"],"ig":"IG2"},{"controlId":"2.1.4","title":"Ensure the anti-phishing policy is set to a standard or strict preset security policy","section":"2","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"2.1.5","title":"Ensure that Microsoft Defender for Office 365 is configured for SharePoint, OneDrive, and Microsoft 
Teams","section":"2","profiles":["E5-L1"],"ig":"IG2"},{"controlId":"2.1.6","title":"Ensure Exchange Online Spam Policies are set to notify administrators","section":"2","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"2.1.7","title":"Ensure the Common Attachment Types Filter is enabled","section":"2","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"2.1.8","title":"Ensure that SPF records are published for all Exchange Domains","section":"2","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"2.1.9","title":"Ensure DKIM is enabled for all Exchange Online Domains","section":"2","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"2.1.10","title":"Ensure DMARC Records for all Exchange Online domains are published","section":"2","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"2.1.11","title":"Ensure notifications for internal users sending malware is configured","section":"2","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"2.1.12","title":"Ensure the connection filter safe list is turned off","section":"2","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"2.1.13","title":"Ensure Priority account protection is enabled and configured for priority users","section":"2","profiles":["E5-L1"],"ig":"IG2"},{"controlId":"3.1.1","title":"Ensure Microsoft 365 audit log search is enabled","section":"3","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"3.2.1","title":"Ensure DLP policies are enabled","section":"3","profiles":["E3-L2","E5-L1"],"ig":"IG2"},{"controlId":"3.2.2","title":"Ensure DLP policies are enabled for Microsoft Teams","section":"3","profiles":["E5-L1"],"ig":"IG2"},{"controlId":"3.3.1","title":"Ensure the customer lockbox feature is enabled","section":"3","profiles":["E5-L1"],"ig":"IG2"},{"controlId":"4.1.1","title":"Ensure the Common Attachment Types Filter is enabled","section":"4","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"4.2.1","title":"Ensure Exchange Online Spam Policies are set 
appropriately","section":"4","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"4.2.2","title":"Ensure mail transport rules do not whitelist specific domains","section":"4","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"4.3.1","title":"Ensure 'External sharing' of calendars is not available","section":"4","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"4.4.1","title":"Ensure that DKIM is enabled for all Exchange Online Domains","section":"4","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"4.5.1","title":"Ensure modern authentication for Exchange Online is enabled","section":"4","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"4.6.1","title":"Ensure MailTips are enabled for end users","section":"4","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"4.7.1","title":"Ensure additional storage providers are restricted in Outlook on the web","section":"4","profiles":["E3-L2","E5-L1"],"ig":"IG1"},{"controlId":"4.8.1","title":"Ensure that an anti-phishing policy has been created","section":"4","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"5.1.1.1","title":"Ensure Administrative accounts are separate and cloud-only","section":"5","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"5.1.2.1","title":"Ensure two emergency access accounts have been defined","section":"5","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"5.1.2.2","title":"Ensure privileged accounts are cloud-only","section":"5","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"5.1.3.1","title":"Ensure that 'Privileged Identity Management' is used to manage roles","section":"5","profiles":["E5-L1"],"ig":"IG2"},{"controlId":"5.1.5.1","title":"Ensure user 'Consent Policy' is configured to require user consent for admin-confirmed apps","section":"5","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"5.1.6.1","title":"Ensure the admin consent workflow is enabled","section":"5","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"5.1.7.1","title":"Ensure 
that 'Users can register applications' is set to No","section":"5","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"5.1.8.1","title":"Ensure that 'Restrict non-admin users from creating tenants' is set to Yes","section":"5","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"5.1.9.1","title":"Ensure a Microsoft Entra ID P2 or Microsoft Entra ID Governance license is in use","section":"5","profiles":["E5-L1"],"ig":"IG2"},{"controlId":"5.2.1","title":"Ensure Security Defaults is disabled","section":"5","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"5.2.2","title":"Ensure Conditional Access policies are used to protect all authentication","section":"5","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"6.1.1","title":"Ensure 'AuditDisabled' organizationally is set to 'False'","section":"6","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"6.1.2","title":"Ensure SharePoint Online audit log search is enabled","section":"6","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"6.1.3","title":"Ensure Microsoft 365 audit log search is enabled","section":"6","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"6.2.1","title":"Ensure user role group changes are reviewed at least weekly","section":"6","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"6.2.2","title":"Ensure SharePoint and OneDrive sharing settings are reviewed at least monthly","section":"6","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"6.3.1","title":"Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly","section":"6","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"6.4.1","title":"Ensure that Microsoft Purview Audit is configured appropriately","section":"6","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"6.5.1","title":"Ensure Microsoft Defender for Cloud Apps is enabled","section":"6","profiles":["E5-L1"],"ig":"IG2"},{"controlId":"7.2.1","title":"Ensure modern authentication for SharePoint applications is 
required","section":"7","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"7.2.2","title":"Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled","section":"7","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"7.2.3","title":"Ensure external content sharing is restricted","section":"7","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"7.2.4","title":"Ensure that SharePoint guest users cannot share items they don't own","section":"7","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"7.2.5","title":"Ensure that SharePoint guest users cannot share items not owned by them","section":"7","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"7.2.6","title":"Ensure SharePoint and OneDrive are configured for encrypted sharing","section":"7","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"7.2.7","title":"Ensure that document sharing is being controlled by domains with allowlist or blocklist","section":"7","profiles":["E3-L2","E5-L1"],"ig":"IG2"},{"controlId":"7.2.8","title":"Ensure OneDrive content sharing is restricted to internal users only","section":"7","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"7.2.9","title":"Ensure link sharing is restricted in SharePoint and OneDrive","section":"7","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"7.2.10","title":"Ensure that SharePoint Online 'Allow members to share' is turned off","section":"7","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"7.3.1","title":"Ensure custom script execution is restricted on personal sites","section":"7","profiles":["E3-L2","E5-L1"],"ig":"IG1"},{"controlId":"7.3.2","title":"Ensure custom script execution is restricted on site collections","section":"7","profiles":["E3-L2","E5-L1"],"ig":"IG1"},{"controlId":"8.1.1","title":"Ensure that only organizationally managed/approved public groups exist in Teams","section":"8","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"8.1.2","title":"Ensure Microsoft Teams is enabled only for 
authorized users","section":"8","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"8.2.1","title":"Ensure anonymous users can't join a meeting","section":"8","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"8.2.2","title":"Ensure that a 'Dial-in' passcode is required for external calls to meetings","section":"8","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"8.5.1","title":"Ensure external file sharing in Teams is enabled for only approved cloud storage services","section":"8","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"8.5.2","title":"Ensure that Teams is integrated with Microsoft Defender for Endpoint","section":"8","profiles":["E5-L1"],"ig":"IG2"},{"controlId":"8.5.3","title":"Ensure external domains are restricted in Teams","section":"8","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"8.5.4","title":"Ensure communication with unmanaged Teams users is disabled","section":"8","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"8.5.5","title":"Ensure that Skype users cannot interact with Teams users","section":"8","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"8.5.6","title":"Ensure Teams meeting recording is disabled by default","section":"8","profiles":["E3-L2","E5-L1"],"ig":"IG1"},{"controlId":"8.6.1","title":"Ensure users can report security concerns in Teams","section":"8","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.1.1","title":"Ensure Microsoft Intune is used to manage mobile devices","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.1.2","title":"Ensure that mobile device password reuse is prohibited","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.1.3","title":"Ensure that mobile devices use 'Approved apps'","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.1.4","title":"Ensure mobile device management policies are set to require advanced security 
configurations","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.1.5","title":"Ensure that devices connecting have local firewall enabled","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.1.6","title":"Ensure mobile device management policies are required for email access","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.1.7","title":"Ensure that settings are configured to require devices to be encrypted","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.1.8","title":"Ensure mobile devices are set to wipe on multiple sign-in failures","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.1.9","title":"Ensure that users cannot connect from devices that are jailbroken or rooted","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.1.10","title":"Ensure mobile device management policies are set to require advanced security configurations to protect against basic internet attacks","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.1.11","title":"Ensure that the number of days for device storage is not greater than 90","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.1.12","title":"Ensure mobile device password policies are set to expire passwords","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.1.13","title":"Ensure that mobile devices require a complex password to prevent brute force attacks","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.1.14","title":"Ensure that 'Mobile device management' is required for email access","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.2.1","title":"Ensure that Windows devices are joined to Microsoft Entra ID","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.2.2","title":"Ensure Intune 'Compliance' policies are configured for Windows 10/11 
devices","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.3.1","title":"Ensure endpoint spam filters are enabled","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.3.2","title":"Ensure devices are set to prevent users from bypassing SmartScreen warnings","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.4.1","title":"Ensure Microsoft Defender Antivirus 'Scan removable drives during a full scan' is set to Enabled","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.4.2","title":"Ensure Microsoft Defender Antivirus is configured to always run real-time protection","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.4.3","title":"Ensure Microsoft Defender Antivirus protection updates are configured to update daily","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.5.1","title":"Ensure that Microsoft Defender SmartScreen is configured for Microsoft Edge","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.6.1","title":"Ensure Microsoft Defender Firewall is enabled for all profiles","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.6.2","title":"Ensure inbound connections are blocked by default in Microsoft Defender Firewall","section":"9","profiles":["E3-L1","E5-L1"],"ig":"IG1"},{"controlId":"9.7.1","title":"Ensure a Vulnerability Assessment solution is configured for endpoint devices","section":"9","profiles":["E5-L1"],"ig":"IG2"},{"controlId":"9.8.1","title":"Ensure Microsoft Defender for Endpoint is configured for device discovery","section":"9","profiles":["E5-L1"],"ig":"IG2"},{"controlId":"9.9.1","title":"Ensure Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud Apps is selected","section":"9","profiles":["E5-L1"],"ig":"IG2"}]}