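# =====================================================================
# CIS Microsoft 365 Foundations Benchmark v7.0.0 (Draft)
# GENERATED from PDF — review before deploying
# =====================================================================
# NOTE(review): this file was recovered from a flattened single-line dump in
# which every '#' comment swallowed the keys that followed it. The nesting
# below is reconstructed — confirm it against the consuming tool's schema.
# The generator also emitted duplicate mapping keys (antiMalware x3,
# safeAttachments x2, priorityAccount x2, blockUserConsent x2) and two
# Conditional Access policies with the same truncated name; most YAML
# parsers keep only the LAST duplicate, which would have silently dropped
# the 2.1.2 attachment-type list, the 2.1.4 Safe Attachments policy and
# 2.4.1 priority-account protection. Those are merged or flagged below.
---
baseline:
  name: "CIS-M365-v7-Generated"
  # presumably leaves an existing same-named object untouched instead of
  # overwriting it — confirm the consumer's semantics
  conflictResolution: Skip
  whatIf: false

tenantMutation:
  prefix: "CIS-v7-"
  groups:
    - displayName: "CIS-BreakGlass"
      mailNickname: "CISBreakGlass"
      securityEnabled: true
    - displayName: "CIS-Pilot-Users"
      mailNickname: "CISPilotUsers"
      securityEnabled: true

tenantConfig:
  # ===============================================================
  # Section 1: adminCenter
  # ===============================================================
  adminCenter:
    # 1.1.2 (Manual): Ensure two emergency access accounts have been defined
    # TODO: Implement manually per PDF instructions
    # 1.1.3 (Automated): Ensure that between two and four global admins are designated
    # TODO: Map this control to YAML — see PDF for details
    # 1.1.4 (Automated): Ensure administrative accounts use licenses with a reduced application footprint
    # TODO: Map this control to YAML — see PDF for details
    # 1.2.1 (Automated): Ensure that only organizationally managed/approved public groups exist
    # TODO: Map this control to YAML — see PDF for details
    # 1.2.2: Ensure sign-in to shared mailboxes is blocked
    blockSharedMailboxSignIn: true
    # 1.3.1: Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'
    passwordExpiration: "NeverExpire"
    # 1.3.2: Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices
    idleSessionTimeoutHours: 3
    # 1.3.3: Ensure 'External sharing' of calendars is not available
    externalCalendarSharing: "Disabled"
    # 1.3.4: Ensure 'User owned apps and services' is restricted
    restrictUserOwnedApps: true
    # 1.3.5: Ensure internal phishing protection for Forms is enabled
    formsPhishingProtection: true
    # 1.3.6: Ensure the customer lockbox feature is enabled
    customerLockbox: true
    # 1.3.7: Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web'
    restrictThirdPartyStorage: true
    # 1.3.8 (Manual): Ensure that Sways cannot be shared with people outside of your organization
    # TODO: Implement manually per PDF instructions
    # 1.3.9: Ensure shared bookings pages are restricted to select users
    restrictSharedBookings: true

  # ===============================================================
  # Section 2: Defender for Office 365
  # ===============================================================
  defender:
    # 2.1.1: Ensure Safe Links for Office Applications is Enabled
    safeLinks:
      name: "SafeLinks-Default"
      enabled: true
      trackClicks: true
      allowClickThrough: false
      scanUrls: true
      enableForInternalSenders: true
    # 2.1.2: Ensure the Common Attachment Types Filter is enabled
    # 2.1.3: Ensure notifications for internal users sending malware is Enabled
    # 2.1.11: Ensure comprehensive attachment filtering is applied
    # The generator produced one antiMalware mapping per control; as duplicate
    # keys only the last (2.1.11, without fileTypes) would have survived
    # parsing. Merged into a single policy so all three settings apply.
    antiMalware:
      name: "AntiMalware-Default"
      enabled: true
      enableInternalNotifications: true
      enableFileFilter: true
      fileTypes: ["ace", "ani", "app", "docm", "exe", "jar", "jnlp", "msi", "ps1", "scr", "vbs", "wsf"]
    # 2.1.4: Ensure Safe Attachments policy is enabled
    # 2.1.5: Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
    # Merged for the same reason as antiMalware (duplicate key).
    safeAttachments:
      name: "SafeAttachments-Default"
      enabled: true
      action: "Block"
      quarantineMessages: true
      enableForSharePoint: true
      enableForTeams: true
    # 2.1.6: Ensure Exchange Online Spam Policies are set to notify administrators
    antiSpam:
      name: "AntiSpam-Notify-Admins"
      enabled: true
      notifyAdmins: true
    # 2.1.7: Ensure that an anti-phishing policy has been created
    antiPhish:
      name: "AntiPhish-Default"
      enabled: true
      enableMailboxIntelligence: true
      enableSpoofIntelligence: true
      mailboxIntelligenceProtectionAction: "Quarantine"
    # 2.1.8 (Automated): Ensure that SPF records are published for all Exchange Domains
    # NOTE: DNS-level control — configure via DNS provider, not M365 tenant
    # 2.1.9 (Automated): Ensure that DKIM is enabled for all Exchange Online Domains
    # NOTE: DNS-level control — configure via DNS provider, not M365 tenant
    # (the selector CNAMEs live in DNS; signing itself is then turned on in Exchange Online)
    # 2.1.10 (Automated): Ensure DMARC records for all Exchange Online domains are published
    # NOTE: DNS-level control — configure via DNS provider, not M365 tenant
    # 2.1.12: Ensure the connection filter IP allow list is not used
    connectionFilterIPAllowListEmpty: true
    # 2.1.13: Ensure the connection filter safe list is off
    connectionFilterSafeListOff: true
    # 2.1.14: Ensure inbound anti-spam policies do not contain allowed domains
    inboundAntiSpamNoAllowedDomains: true
    # 2.1.15: Ensure outbound anti-spam message limits are in place
    outboundAntiSpamLimits: true
    # 2.2.1 (Manual): Ensure emergency access account activity is monitored
    # TODO: Implement manually per PDF instructions
    # 2.4.1: Ensure Priority account protection is enabled and configured
    # 2.4.2: Ensure Priority accounts have 'Strict protection' presets applied
    # Merged (duplicate key): the 2.4.2 mapping would otherwise have replaced
    # the 2.4.1 one, leaving 'enabled' unset.
    priorityAccount:
      enabled: true
      strictProtection: true
    # 2.4.3 (Manual): Ensure Microsoft Defender for Cloud Apps is enabled and configured
    # TODO: Implement manually per PDF instructions
    # 2.4.4: Ensure Zero-hour auto purge for Microsoft Teams is on
    zap:
      enabledForTeams: true
    # 2.4.5 (Manual): Ensure 'AIR' remediation is enabled
    # TODO: Implement manually per PDF instructions

  # ===============================================================
  # Section 3: purview
  # ===============================================================
  purview:
    # 3.1.1: Ensure Microsoft 365 audit log search is Enabled
    enableAuditLogSearch: true
    # 3.2.1 (Automated): Ensure DLP policies are enabled
    # TODO: Map this control to YAML — see PDF for details
    # 3.2.2 (Automated): Ensure DLP policies are enabled for Microsoft Teams
    # TODO: Map this control to YAML — see PDF for details
    # 3.2.3 (Automated): Ensure DLP policies are published for Copilot users
    # TODO: Map this control to YAML — see PDF for details
    # 3.3.1 (Automated): Ensure Information Protection sensitivity label policies are published
    # TODO: Map this control to YAML — see PDF for details

  # ===============================================================
  # Section 5: entraId
  # ===============================================================
  entraId:
    # 5.1.2.1 (Manual): Ensure 'Per-user MFA' is disabled
    # TODO: Implement manually per PDF instructions
    # 5.1.2.2: Ensure users cannot register applications
    # TODO: Map this control to YAML — see PDF for details
    # NOTE(review): the generator mapped this control to blockUserConsent, the
    # same key it uses for 5.1.5.1 (user consent to apps). App registration and
    # app consent are different tenant settings, and the duplicate key would
    # have collapsed to one value anyway, so it is left unmapped here.
    # 5.1.2.3: Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
    blockTenantCreation: true
    # 5.1.2.4 (Manual): Ensure access to the Entra admin center is restricted
    # TODO: Implement manually per PDF instructions
    # 5.1.2.5 (Manual): Ensure the option to remain signed in is hidden
    # TODO: Implement manually per PDF instructions
    # 5.1.2.6 (Manual): Ensure 'LinkedIn account connections' is disabled
    # TODO: Implement manually per PDF instructions
    # 5.1.3.1: Ensure users cannot create security groups
    blockSecurityGroupCreation: true
    # 5.1.3.2 (Manual): Ensure that 'Restrict user ability to access groups features in My Groups' is set to 'Yes'
    # TODO: Implement manually per PDF instructions
    # 5.1.3.3 (Manual): Ensure that 'Owners can manage group membership requests in My Groups' is set to 'No'
    # TODO: Implement manually per PDF instructions
    # 5.1.3.4: Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'
    blockM365GroupCreation: true
    # 5.1.4.1: Ensure the ability to join devices to Entra is restricted
    restrictDeviceJoin: true
    # 5.1.4.2: Ensure the maximum number of devices per user is limited
    maxDevicesPerUser: 5
    # 5.1.4.3: Ensure the GA role is not added as a local administrator during Entra join
    gaLocalAdminDisabled: true
    # 5.1.4.4: Ensure local administrator assignment is limited during Entra join
    limitLocalAdminAssignment: true
    # 5.1.4.5: Ensure Local Administrator Password Solution is enabled
    enableLAPS: true
    # 5.1.4.6: Ensure users are restricted from recovering BitLocker keys
    restrictBitLockerRecovery: true
    # 5.1.5.1: Ensure user consent to apps accessing company data on their behalf is not allowed
    blockUserConsent: true
    # 5.1.5.2: Ensure the admin consent workflow is enabled
    enableAdminConsentWorkflow: true
    # 5.1.5.3: Ensure password addition is blocked for applications
    blockPasswordCredentials: true
    # 5.1.5.4: Ensure password lifetime for applications does not exceed 180 days
    maxPasswordLifetimeDays: 180
    # 5.1.5.5: Ensure new application passwords are system-generated
    systemGeneratedPasswords: true
    # 5.1.5.6: Ensure maximum certificate lifetime for applications does not exceed 180 days
    maxCertificateLifetimeDays: 180
    # 5.1.6.1: Ensure that collaboration invitations are sent to allowed domains only
    restrictCollaborationDomains: true
    # 5.1.6.2: Ensure that guest user access is restricted
    restrictGuestAccess: true
    # 5.1.6.3: Ensure guest user invitations are limited
    limitGuestInvitations: true
    # 5.1.8.1: Ensure that password hash sync is enabled for hybrid deployments
    enablePasswordHashSync: true
    # 5.2.3.1: Ensure Microsoft Authenticator is configured to protect against MFA fatigue
    authenticatorNumberMatching: true
    # 5.2.3.3 (Automated): Ensure password protection is enabled for on-prem Active Directory
    # NOTE: Hybrid-only control — requires on-premises Active Directory
    # 5.2.3.4: Ensure all member users are 'MFA capable'
    mfaCapableUsers: true
    # 5.2.3.5: Ensure weak authentication methods are disabled
    disableWeakAuthMethods: true
    # 5.2.3.6: Ensure system-preferred multifactor authentication is enabled
    systemPreferredMFA: true
    # 5.2.3.7: Ensure the email OTP authentication method is disabled
    disableEmailOTP: true
    # 5.2.3.8: Ensure that Account 'Lockout threshold' is '10' or less
    lockoutThreshold: 10
    # 5.2.3.9: Ensure that Account 'Lockout duration in seconds' is at least 60 seconds
    lockoutDurationSeconds: 60
    # 5.2.3.10: Ensure Microsoft Authenticator on companion applications is disabled
    disableAuthenticatorCompanionApps: true
    # 5.2.4.1 (Manual): Ensure 'Self service password reset enabled' is set to 'All'
    # TODO: Implement manually per PDF instructions
    # 5.2.4.2 (Manual): Ensure that 2 methods are required for password reset
    # TODO: Implement manually per PDF instructions
    # 5.2.4.3 (Manual): Ensure SSPR registration and authentication re-confirmation are required
    # TODO: Implement manually per PDF instructions
    # 5.2.4.4 (Manual): Ensure that users are notified on password resets
    # TODO: Implement manually per PDF instructions
    # 5.2.4.5 (Manual): Ensure all admins are notified when other admins reset their password
    # TODO: Implement manually per PDF instructions
    # 5.3.1: Ensure privileged role assignments are activated and not assigned
    pimRoleActivationRequired: true
    # 5.3.2: Ensure 'Access reviews' for guest users are configured
    accessReviewsForGuests: true
    # 5.3.3: Ensure 'Access reviews' for privileged roles are configured
    accessReviewsForPrivilegedRoles: true
    # 5.3.4: Ensure approval is required for Global Administrator role activation
    requireApprovalForGAActivation: true
    # 5.3.5: Ensure approval is required for Privileged Role Administrator activation
    requireApprovalForPRAActivation: true

  # ===============================================================
  # Section 6: exchange
  # ===============================================================
  exchange:
    # 6.1.1: Ensure 'AuditDisabled' organizationally is set to 'False'
    enableMailboxAuditOrgWide: true
    # 6.1.2: Ensure mailbox audit actions are configured
    configureMailboxAuditActions: true
    # 6.1.3: Ensure 'AuditBypassEnabled' is not enabled on mailboxes
    disableAuditBypass: true
    # 6.2.1: Ensure all forms of mail forwarding are blocked and/or disabled
    blockExternalForwarding: true
    # 6.2.2: Ensure mail transport rules do not whitelist specific domains
    noDomainWhitelistTransportRules: true
    # 6.2.3: Ensure email from external senders is identified
    enableExternalSenderBanner: true
    # 6.3.1: Ensure users installing Outlook add-ins is not allowed
    blockOutlookAddIns: true
    # 6.3.2: Ensure the ability to add personal email accounts and calendars is disabled
    disablePersonalEmailAccounts: true
    # 6.5.1: Ensure modern authentication for Exchange Online is enabled
    enableModernAuthExchange: true
    # 6.5.2: Ensure MailTips are enabled for end users
    enableMailTips: true
    # 6.5.3: Ensure additional storage providers are restricted in Outlook on the web
    restrictAdditionalStorageProviders: true
    # 6.5.4: Ensure SMTP AUTH is disabled
    disableSMTPAuth: true
    # 6.5.5: Ensure Direct Send submissions are rejected
    rejectDirectSend: true

  # ===============================================================
  # Section 7: sharePoint
  # ===============================================================
  sharePoint:
    # 7.2.1: Ensure modern authentication for SharePoint applications is required
    requireModernAuthSharePoint: true
    # 7.2.2: Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
    enableAADB2BIntegration: true
    # 7.2.3: Ensure external content sharing is restricted
    sharePointExternalSharing: "Disabled"
    # 7.2.4: Ensure OneDrive content sharing is restricted
    oneDriveExternalSharing: "Disabled"
    # 7.2.5: Ensure that SharePoint guest users cannot share items they don't own
    preventGuestResharing: true
    # 7.2.6: Ensure SharePoint external sharing is restricted
    restrictSharePointExternalSharing: true
    # 7.2.7: Ensure link sharing is restricted in SharePoint and OneDrive
    restrictLinkSharing: true
    # 7.2.8: Ensure external sharing is restricted by security group
    restrictSharingBySecurityGroup: true
    # 7.2.9: Ensure guest access to a site or OneDrive will expire automatically
    guestAccessExpirationDays: 30
    # 7.2.10: Ensure reauthentication with verification code is restricted
    restrictReauthenticationVerificationCode: true
    # 7.2.11: Ensure the SharePoint default sharing link permission is set
    defaultSharingLinkPermission: "View"
    # 7.3.1: Ensure Office 365 SharePoint infected files are disallowed for download
    disallowInfectedFileDownload: true

  # ===============================================================
  # Section 8: teams
  # ===============================================================
  teams:
    # 8.1.1: Ensure external file sharing in Teams is enabled for only approved cloud storage services
    restrictExternalFileSharing: true
    # 8.1.2: Ensure users can't send emails to a channel email address
    blockChannelEmail: true
    # 8.2.1: Ensure external domains are restricted in the Teams admin center
    restrictExternalDomains: true
    # 8.2.2: Ensure communication with unmanaged Teams users is disabled
    disableUnmanagedUserCommunication: true
    # 8.2.3: Ensure external Teams users cannot initiate conversations
    blockExternalUserInitiation: true
    # 8.2.4: Ensure the organization cannot communicate with accounts in trial Teams tenants
    blockTrialTenantCommunication: true
    # 8.4.1 (Manual): Ensure app permission policies are configured
    # TODO: Implement manually per PDF instructions
    # 8.5.1: Ensure anonymous users can't join a meeting
    allowAnonymousUsersToJoinMeeting: false
    # 8.5.2: Ensure anonymous users and dial-in callers can't start a meeting
    allowAnonymousUsersToStartMeeting: false
    # 8.5.3: Ensure only people in my org can bypass the lobby
    orgOnlyBypassLobby: true
    # 8.5.4: Ensure users dialing in can't bypass the lobby
    dialInCantBypassLobby: true
    # 8.5.5: Ensure meeting chat does not allow anonymous users
    noAnonymousMeetingChat: true
    # 8.5.6: Ensure only organizers and co-organizers can present
    onlyOrganizersCanPresent: true
    # 8.5.7: Ensure external participants can't give or request control
    noExternalControl: true
    # 8.5.8: Ensure external meeting chat is off
    externalMeetingChatOff: true
    # 8.5.9: Ensure meeting recording is off by default
    meetingRecordingOffByDefault: true
    # 8.6.1: Ensure users can report security concerns in Teams
    enableSecurityConcernsReporting: true

  # ===============================================================
  # Section 9: powerBI
  # ===============================================================
  powerBI:
    # 9.1.1: Ensure guest user access is restricted
    restrictGuestAccess: true
    # 9.1.2: Ensure external user invitations are restricted
    restrictExternalInvitations: true
    # 9.1.3: Ensure guest access to content is restricted
    restrictGuestContentAccess: true
    # 9.1.4: Ensure 'Publish to web' is restricted
    restrictPublishToWeb: true
    # 9.1.5: Ensure 'Interact with and share R and Python' visuals is 'Disabled'
    disableRPythonVisuals: true
    # 9.1.6: Ensure 'Allow users to apply sensitivity labels for content' is 'Enabled'
    enableSensitivityLabels: true
    # 9.1.7: Ensure shareable links are restricted
    restrictShareableLinks: true
    # 9.1.8: Ensure enabling of external data sharing is restricted
    restrictExternalDataSharing: true
    # 9.1.9: Ensure 'Block ResourceKey Authentication' is 'Enabled'
    blockResourceKeyAuth: true
    # 9.1.10: Ensure access to APIs by service principals is restricted
    restrictServicePrincipalAPIAccess: true
    # 9.1.11: Ensure service principals cannot create and use profiles
    blockServicePrincipalProfiles: true
    # 9.1.12: Ensure service principals ability to create workspaces, connections and deployment pipelines is restricted
    restrictServicePrincipalWorkspaceCreation: true

# ===============================================================
# Section 5.2.2: Conditional Access
# ===============================================================
conditionalAccess:
  # Every policy below is created with
  # state: enabledForReportingButNotEnforced, i.e. report-only. A report-only
  # policy blocks nothing and requires nothing; review the sign-in logs for
  # expected impact, then switch each policy to enforced deliberately.
  reportOnly: true
  # presumably the group the consumer excludes from each policy so that a
  # misconfigured policy cannot lock out the tenant — confirm. Also confirm
  # whether tenantMutation.prefix is applied to group display names; if it
  # is, the created group will not be called "CIS-BreakGlass".
  breakGlassGroup: "CIS-BreakGlass"
  policies:
    - name: "Ensure-multifactor-authentication-is-enabled-for-all-us"
      cisControl: "5.2.2.1"
      description: "Ensure multifactor authentication is enabled for all users in administrative roles"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeRoles:
            - "Global Administrator"
            - "Privileged Role Administrator"
            - "Security Administrator"
            - "Exchange Administrator"
            - "SharePoint Administrator"
            - "Conditional Access Administrator"
            - "Application Administrator"
            - "Cloud Application Administrator"
            - "User Administrator"
            - "Helpdesk Administrator"
            - "Billing Administrator"
            - "Authentication Administrator"
            - "Password Administrator"
            - "Global Reader"
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"
    # Name changed: the generator truncated this policy's name to the same
    # 55 characters as 5.2.2.1 above, and with conflictResolution: Skip a
    # same-named policy would most likely never be created.
    - name: "Ensure-multifactor-authentication-is-enabled-for-all-users"
      cisControl: "5.2.2.2"
      description: "Ensure multifactor authentication is enabled for all users"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"
    - name: "Enable-Conditional-Access-policies-to-block-legacy-auth"
      cisControl: "5.2.2.3"
      description: "Enable Conditional Access policies to block legacy authentication"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
        clientAppTypes: ["exchangeActiveSync", "other"]
      grantControls:
        builtInControls: ["block"]
        operator: "OR"
    - name: "Ensure-Signin-frequency-is-enabled-and-browser-sessions"
      cisControl: "5.2.2.4"
      description: "Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeRoles:
            - "Global Administrator"
            - "Privileged Role Administrator"
            - "Security Administrator"
            - "Exchange Administrator"
            - "SharePoint Administrator"
            - "Conditional Access Administrator"
            - "Application Administrator"
            - "Cloud Application Administrator"
            - "User Administrator"
            - "Helpdesk Administrator"
            - "Billing Administrator"
            - "Authentication Administrator"
            - "Password Administrator"
            - "Global Reader"
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"
      sessionControls:
        signInFrequency:
          value: 12
          type: hours
          isEnabled: true
        persistentBrowser:
          mode: never
          isEnabled: true
    - name: "Ensure-Phishingresistant-MFA-strength-is-required-for-A"
      cisControl: "5.2.2.5"
      description: "Ensure 'Phishing-resistant MFA strength' is required for Administrators"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeRoles:
            - "Global Administrator"
            - "Privileged Role Administrator"
            - "Security Administrator"
            - "Exchange Administrator"
            - "SharePoint Administrator"
            - "Conditional Access Administrator"
            - "Application Administrator"
            - "Cloud Application Administrator"
            - "User Administrator"
            - "Helpdesk Administrator"
            - "Billing Administrator"
            - "Authentication Administrator"
            - "Password Administrator"
            - "Global Reader"
      grantControls:
        builtInControls: ["authenticationStrength"]
        authenticationStrength:
          # built-in "Phishing-resistant MFA" authentication strength
          id: "00000000-0000-0000-0000-000000000004"
        operator: "OR"
    # NOTE(review): this is the *user* risk policy, but the generated condition
    # is signInRiskLevels — identical to 5.2.2.7 below. As written it does not
    # evaluate user risk at all. Replace the condition with the consumer's
    # user-risk key (Graph calls it userRiskLevels) before enforcing.
    - name: "Enable-Identity-Protection-user-risk-policies"
      cisControl: "5.2.2.6"
      description: "Enable Identity Protection user risk policies"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
        signInRiskLevels: ["medium", "high"]
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"
    - name: "Enable-Identity-Protection-signin-risk-policies"
      cisControl: "5.2.2.7"
      description: "Enable Identity Protection sign-in risk policies"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
        signInRiskLevels: ["medium", "high"]
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"
    # Overlaps 5.2.2.7: both match medium/high sign-in risk, and when several
    # policies apply the most restrictive result (block) wins.
    - name: "Ensure-signin-risk-is-blocked-for-medium-and-high-risk"
      cisControl: "5.2.2.8"
      description: "Ensure 'sign-in risk' is blocked for medium and high risk"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
        signInRiskLevels: ["medium", "high"]
      grantControls:
        builtInControls: ["block"]
        operator: "OR"
    - name: "Ensure-a-managed-device-is-required-for-authentication"
      cisControl: "5.2.2.9"
      description: "Ensure a managed device is required for authentication"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
      grantControls:
        # OR: either a compliant device or a hybrid-joined device satisfies the policy
        builtInControls: ["compliantDevice", "domainJoinedDevice"]
        operator: "OR"
    - name: "Ensure-a-managed-device-is-required-to-register-securit"
      cisControl: "5.2.2.10"
      description: "Ensure a managed device is required to register security information"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeUserActions: ["urn:user:registersecurityinfo"]
        users:
          includeUsers: ["All"]
      grantControls:
        builtInControls: ["compliantDevice", "domainJoinedDevice"]
        operator: "OR"
    # NOTE(review): the control asks for sign-in frequency 'Every time', but
    # the generated sessionControls are the same 12-hour block as 5.2.2.4.
    # Set the consumer's every-time option before enforcing.
    - name: "Ensure-signin-frequency-for-Intune-Enrollment-is-set-to"
      cisControl: "5.2.2.11"
      description: "Ensure sign-in frequency for Intune Enrollment is set to 'Every time'"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          # Microsoft Intune Enrollment application
          includeApplications: ["0000000a-0000-0000-c000-000000000000"]
        users:
          includeUsers: ["All"]
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"
      sessionControls:
        signInFrequency:
          value: 12
          type: hours
          isEnabled: true
        persistentBrowser:
          mode: never
          isEnabled: true
    - name: "Ensure-the-device-code-signin-flow-is-blocked"
      cisControl: "5.2.2.12"
      description: "Ensure the device code sign-in flow is blocked"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
        authenticationFlows:
          deviceCodeFlow:
            isEnabled: true
      grantControls:
        builtInControls: ["block"]
        operator: "OR"
    # NOTE(review): no sessionControls were generated, so as written this
    # policy is a duplicate of 5.2.2.2 and does not enforce periodic
    # reauthentication; add a signInFrequency session control before enforcing.
    - name: "Ensure-that-periodic-reauthentication-is-required-for-a"
      cisControl: "5.2.2.13"
      description: "Ensure that periodic reauthentication is required for all users"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"
    # NOTE(review): 5.2.2.14 and 5.2.2.15 carry no location condition, so as
    # generated they apply everywhere and merely duplicate 5.2.2.2.
    - name: "Ensure-trusted-named-locations-are-defined"
      cisControl: "5.2.2.14"
      description: "Ensure trusted 'named locations' are defined"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
        # TODO: Define named locations in Entra admin center
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"
    - name: "Ensure-exclusionary-geographic-access-controls-are-util"
      cisControl: "5.2.2.15"
      description: "Ensure exclusionary geographic access controls are utilized"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
        # TODO: Define named locations in Entra admin center
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"
    - name: "Ensure-Token-Protection-is-enforced-for-session-tokens"
      cisControl: "5.2.2.16"
      description: "Ensure Token Protection is enforced for session tokens"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
      grantControls:
        builtInControls: ["mfa"]
        operator: "OR"
      # TODO: Enable Token Protection via Authentication Strength policy
      # NOTE(review): in Entra, token protection is a Conditional Access
      # *session* control rather than part of an authentication strength —
      # confirm which key the consumer expects before mapping it.
    - name: "Ensure-authentication-transfer-is-blocked"
      cisControl: "5.2.2.17"
      description: "Ensure authentication transfer is blocked"
      state: enabledForReportingButNotEnforced
      conditions:
        applications:
          includeApplications: ["All"]
        users:
          includeUsers: ["All"]
      grantControls:
        builtInControls: ["block"]
        operator: "OR"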