ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2026-03-22 03:08:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
20b26bc7d09eee390ede599be1eaac57792b2195
prowler/prowler/compliance/m365/cis_4.0_m365.json
Hugo Pereira Brito 20b26bc7d0 feat(m365): add entra_app_registration_no_unused_privileged_permissions security check (#10080) 
Co-authored-by: Daniel Barranquero <74871504+danibarranqueroo@users.noreply.github.com>
Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
2026-02-19 17:12:50 +01:00

2805 lines
483 KiB
JSON
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"Framework": "CIS",
"Name": "CIS Microsoft 365 Foundations Benchmark v4.0.0",
"Version": "4.0",
"Provider": "M365",
"Description": "The CIS Microsoft 365 Foundations Benchmark provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365 Cloud offerings running on any OS.",
"Requirements": [
{
"Id": "1.1.1",
"Description": "Administrative accounts are special privileged accounts that could have varying levels of access to data, users, and settings. Regular user accounts should never be utilized for administrative tasks and care should be taken, in the case of a hybrid environment, to keep Administrative accounts separated from on-prem accounts. Administrative accounts should not have applications assigned so that they have no access to potentially vulnerable services (EX. email, Teams, SharePoint, etc.) and only access to perform tasks as needed for administrative purposes.Ensure administrative accounts are not `On-premises sync enabled`.",
"Checks": [
"entra_admin_account_cloud_only"
],
"Attributes": [
{
"Section": "1 Microsoft 365 admin center",
"SubSection": "1.1 Users",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "Administrative accounts are special privileged accounts that could have varying levels of access to data, users, and settings. Regular user accounts should never be utilized for administrative tasks and care should be taken, in the case of a hybrid environment, to keep Administrative accounts separated from on-prem accounts. Administrative accounts should not have applications assigned so that they have no access to potentially vulnerable services (EX. email, Teams, SharePoint, etc.) and only access to perform tasks as needed for administrative purposes.Ensure administrative accounts are not `On-premises sync enabled`.",
"RationaleStatement": "In a hybrid environment, having separate accounts will help ensure that in the event of a breach in the cloud, that the breach does not affect the on-prem environment and vice versa.",
"ImpactStatement": "Administrative users will have to switch accounts and utilizing login/logout functionality when performing administrative tasks, as well as not benefiting from SSO. This will require a migration process from the 'daily driver' account to a dedicated admin account.When migrating permissions to the admin account, both M365 and Azure RBAC roles should be migrated as well. Once the new admin accounts are created both of these permission sets should be moved from the daily driver account to the new admin account. Failure to migrate Azure RBAC roles can cause an admin to not be able to see their subscriptions/resources while using their admin accounts.",
"RemediationProcedure": "Remediation will require first identifying the privileged accounts that are synced from on-premises and then creating a new cloud-only account for that user. Once a replacement account is established, the hybrid account should have its role reduced to that of a non-privileged user or removed depending on the need.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `Users` select `All users`.3. To the right of the search box click the `Add filter` button.4. Add the `On-premises sync enabled` filter and click `Apply.`5. For each user account known to be in an administrative role verify it is not present in the filtered list.**To audit using PowerShell:** 1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes \"RoleManagement.Read.Directory\",\"User.Read.All\"`2. Run the following PowerShell script:```# Get privileged role IDs$PrivilegedRoles = $DirectoryRoles | Where-Object { $_.DisplayName -like \"*Administrator*\" -or $_.DisplayName -eq \"Global Reader\"}# Get the members of these various roles$RoleMembers = $PrivilegedRoles | ForEach-Object { Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id } | Select-Object Id -Unique# Retrieve details about the members in these roles$PrivilegedUsers = $RoleMembers | ForEach-Object { Get-MgUser -UserId $_.Id -Property UserPrincipalName, DisplayName, Id, OnPremisesSyncEnabled}$PrivilegedUsers | Where-Object { $_.OnPremisesSyncEnabled -eq $true } | ft DisplayName,UserPrincipalName,OnPremisesSyncEnabled```3. The script will output any hybrid users that are also members of privileged roles. If nothing returns then no users with that criteria exist.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/add-users?view=o365-worldwide:https://learn.microsoft.com/en-us/microsoft-365/enterprise/protect-your-global-administrator-accounts?view=o365-worldwide:https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices#9-use-cloud-native-accounts-for-microsoft-entra-roles:https://learn.microsoft.com/en-us/entra/fundamentals/whatis:https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference",
"DefaultValue": "N/A"
}
]
},
{
"Id": "1.1.2",
"Description": "Emergency access or \"break glass\" accounts are limited for emergency scenarios where normal administrative accounts are unavailable. They are not assigned to a specific user and will have a combination of physical and technical controls to prevent them from being accessed outside a true emergency. These emergencies could be due to several things, including:- Technical failures of a cellular provider or Microsoft related service such as MFA.- The last remaining Global Administrator account is inaccessible.Ensure two `Emergency Access` accounts have been defined.**Note:** Microsoft provides several recommendations for these accounts and how to configure them. For more information on this, please refer to the references section. The CIS Benchmark outlines the more critical things to consider.",
"Checks": [],
"Attributes": [
{
"Section": "1 Microsoft 365 admin center",
"SubSection": "1.1 Users",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Emergency access or \"break glass\" accounts are limited for emergency scenarios where normal administrative accounts are unavailable. They are not assigned to a specific user and will have a combination of physical and technical controls to prevent them from being accessed outside a true emergency. These emergencies could be due to several things, including:- Technical failures of a cellular provider or Microsoft related service such as MFA.- The last remaining Global Administrator account is inaccessible.Ensure two `Emergency Access` accounts have been defined.**Note:** Microsoft provides several recommendations for these accounts and how to configure them. For more information on this, please refer to the references section. The CIS Benchmark outlines the more critical things to consider.",
"RationaleStatement": "In various situations, an organization may require the use of a break glass account to gain emergency access. In the event of losing access to administrative functions, an organization may experience a significant loss in its ability to provide support, lose insight into its security posture, and potentially suffer financial losses.",
"ImpactStatement": "If care is not taken in properly implementing an emergency access account this could weaken security posture. Microsoft recommends to excluding at least one of these accounts from all conditional access rules therefore passwords must have sufficient entropy and length to protect against random guesses. FIDO2 security keys may be used instead of a password for secure passwordless solution.",
"RemediationProcedure": "**Step 1 - Create two emergency access accounts:**1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com2. Expand `Users` > `Active Users`3. Click `Add user` and create a new user with this criteria: - Name the account in a way that does NOT identify it with a particular person. - Assign the account to the default `.onmicrosoft.com` domain and not the organization's. - The password must be at least 16 characters and generated randomly. - Do not assign a license. - Assign the user the `Global Administrator` role.4. Repeat the above steps for the second account.**Step 2 - Exclude at least one account from conditional access policies:**1. Navigate `Microsoft Entra admin center` https://entra.microsoft.com/2. Expand `Protection` > `Conditional Access`.3. Inspect the conditional access policies.4. For each rule add an exclusion for at least one of the emergency access accounts.5. `Users` > `Exclude` > `Users and groups` and select one emergency access account.**Step 3 - Ensure the necessary procedures and policies are in place:**- In order for accounts to be effectively used in a break glass situation the proper policies and procedures must be authorized and distributed by senior management.- FIDO2 Security Keys should be locked in a secure separate fireproof location. - Passwords should be at least 16 characters, randomly generated and MAY be separated in multiple pieces to be joined on emergency.**Warning:** As of 10/15/2024 MFA is required for all users including Break Glass Accounts. It is recommended to update these accounts to usepasskey (FIDO2)orconfigure certificate-based authentication for MFA.Both methods satisfy the MFA requirement.**Additional suggestions for emergency account management:**- Create access reviews for these users.- Exclude users from conditional access rules.- Add the account to a [restricted management administrative unit](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management).**Warning**: If CA (conditional access) exclusion is managed by a group, this group should be added to PIM for groups (licensing required) or be created as a role-assignable group. If it is a regular security group, then users with the Group Administrators role are able to bypass CA entirely.",
"AuditProcedure": "**Step 1 - Ensure a policy and procedure is in place at the organization:**- In order for accounts to be effectively used in a break-glass situation the proper policies and procedures must be authorized and distributed by senior management.- FIDO2 Security Keys should be locked in a secure separate fireproof location. - Passwords should be at least 16 characters, randomly generated and MAY be separated in multiple pieces to be joined on emergency.**Step 2 - Ensure two emergency access accounts are defined:**1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com2. Expand `Users` > `Active Users`3. Inspect the designated emergency access accounts and ensure the following: - The accounts are named correctly, and do NOT identify with a particular person. - The accounts use the default `.onmicrosoft.com` domain and not the organization's. - The accounts are cloud-only. - The accounts are unlicensed. - The accounts are assigned the `Global Administrator` directory role.**Step 3 - Ensure at least one account is excluded from all conditional access rules:**1. Navigate `Microsoft Entra admin center` https://entra.microsoft.com/2. Expand `Protection` > `Conditional Access`.3. Inspect the conditional access rules.4. Ensure one of the emergency access accounts is excluded from all rules.**Warning:** As of 10/15/2024 MFA is required for all users including Break Glass Accounts. It is recommended to update these accounts to usepasskey (FIDO2)orconfigure certificate-based authentication for MFA.Both methods satisfy the MFA requirement.",
"AdditionalInformation": "Microsoft has additional instructions regarding using Azure Monitor to capture events in the Log Analytics workspace, and then generate alerts for Emergency Access accounts. This requires an Azure subscription but should be strongly considered as a method of monitoring activity on these accounts:https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access#monitor-sign-in-and-audit-logs",
"References": "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-planning#stage-1-critical-items-to-do-right-now:https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access:https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management:https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication#accounts",
"DefaultValue": "Not defined."
}
]
},
{
"Id": "1.1.3",
"Description": "More than one global administrator should be designated so a single admin can be monitored and to provide redundancy should a single admin leave an organization. Additionally, there should be no more than four global admins set for any tenant. Ideally global administrators will have no licenses assigned to them.",
"Checks": [
"admincenter_users_between_two_and_four_global_admins"
],
"Attributes": [
{
"Section": "1 Microsoft 365 admin center",
"SubSection": "1.1 Users",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "More than one global administrator should be designated so a single admin can be monitored and to provide redundancy should a single admin leave an organization. Additionally, there should be no more than four global admins set for any tenant. Ideally global administrators will have no licenses assigned to them.",
"RationaleStatement": "If there is only one global tenant administrator, he or she can perform malicious activity without the possibility of being discovered by another admin. If there are numerous global tenant administrators, the more likely it is that one of their accounts will be successfully breached by an external attacker.",
"ImpactStatement": "The potential impact associated with ensuring compliance with this requirement is dependent upon the current number of global administrators configured in the tenant. If there is only one global administrator in a tenant, an additional global administrator will need to be identified and configured. If there are more than four global administrators, a review of role requirements for current global administrators will be required to identify which of the users require global administrator access.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to the `Microsoft 365 admin center` https://admin.microsoft.com2. Select `Users` > `Active Users`.3. In the `Search` field enter the name of the user to be made a Global Administrator.4. To create a new Global Admin: 1. Select the user's name. 2. A window will appear to the right. 3. Select `Manage roles`. 4. Select `Admin center access`. 4. Check `Global Administrator`. 5. Click `Save changes`.5. To remove Global Admins: 1. Select User. 2. Under `Roles` select `Manage roles` 3. De-Select the appropriate role. 4. Click `Save changes`.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to the `Microsoft 365 admin center` https://admin.microsoft.com2. Select `Users` > `Active Users`.3. Select `Filter` then select `Global Admins`.4. Review the list of `Global Admins` to confirm there are from two to four such accounts.**To audit using PowerShell:** 1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes Directory.Read.All`2. Run the following PowerShell script:```# Determine Id of role using the immutable RoleTemplateId value.$globalAdminRole = Get-MgDirectoryRole -Filter \"RoleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'\"$globalAdmins = Get-MgDirectoryRoleMember -DirectoryRoleId $globalAdminRole.IdWrite-Host \"*** There are\" $globalAdmins.AdditionalProperties.Count \"Global Administrators assigned.\"```This information is also available via the Microsoft Graph Security API: ```GET https://graph.microsoft.com/beta/security/secureScores```**Note:** When tallying the number of Global Administrators the above does not account for Partner relationships. Those are located under `Settings` > `Partner Relationships` and should be reviewed on a reoccurring basis.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdirectoryrole?view=graph-powershell-1.0:https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#all-roles",
"DefaultValue": ""
}
]
},
{
"Id": "1.1.4",
"Description": "Administrative accounts are special privileged accounts that could have varying levels of access to data, users, and settings. A license can enable an account to gain access to a variety of different applications, depending on the license assigned.The recommended state is to not license a privileged account or use `Microsoft Entra ID P1` or `Microsoft Entra ID P2` licenses.",
"Checks": [
"admincenter_users_admins_reduced_license_footprint"
],
"Attributes": [
{
"Section": "1 Microsoft 365 admin center",
"SubSection": "1.1 Users",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "Administrative accounts are special privileged accounts that could have varying levels of access to data, users, and settings. A license can enable an account to gain access to a variety of different applications, depending on the license assigned.The recommended state is to not license a privileged account or use `Microsoft Entra ID P1` or `Microsoft Entra ID P2` licenses.",
"RationaleStatement": "Ensuring administrative accounts do not use licenses with applications assigned to them will reduce the attack surface of high privileged identities in the organization's environment. Granting access to a mailbox or other collaborative tools increases the likelihood that privileged users might interact with these applications, raising the risk of exposure to social engineering attacks or malicious content. These activities should be restricted to an unprivileged 'daily driver' account.**Note:** In order to participate in Microsoft 365 security services such as Identity Protection, PIM and Conditional Access an administrative account will need a license attached to it. Ensure that the license used does not include any applications with potentially vulnerable services by using either **Microsoft Entra ID P1** or **Microsoft Entra ID P2** for the cloud-only account with administrator roles.",
"ImpactStatement": "Administrative users will have to switch accounts and utilize login/logout functionality when performing administrative tasks, as well as not benefiting from SSO.**Note:** Alerts will be sent to the **TenantAdmins**, including Global Administrators, by default. To ensure proper receipt, configure alerts to be sent to security or operations staff with valid email addresses or a security operations center. Otherwise, after adoption of this recommendation, alerts sent to **TenantAdmins** may go unreceived due to the lack of an application-based license assigned to the Global Administrator accounts.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.2. Click to expand `Users` select `Active users`3. Click `Add a user`.4. Fill out the appropriate fields for Name, user, etc.5. When prompted to assign licenses select as needed `Microsoft Entra ID P1` or `Microsoft Entra ID P2`, then click `Next`.6. Under the `Option settings` screen you may choose from several types of privileged roles. Choose `Admin center access` followed by the appropriate role then click `Next`.7. Select `Finish adding`.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.2. Click to expand `Users` select `Active users`.3. Sort by the `Licenses` column.4. For each user account in an administrative role verify the account is assigned a license that is not associated with applications i.e. (Microsoft Entra ID P1, Microsoft Entra ID P2).**To audit using PowerShell:** 1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes \"RoleManagement.Read.Directory\",\"User.Read.All\"`2. Run the following PowerShell script:```$DirectoryRoles = Get-MgDirectoryRole# Get privileged role IDs$PrivilegedRoles = $DirectoryRoles | Where-Object { $_.DisplayName -like \"*Administrator*\" -or $_.DisplayName -eq \"Global Reader\"}# Get the members of these various roles$RoleMembers = $PrivilegedRoles | ForEach-Object { Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id } | Select-Object Id -Unique# Retrieve details about the members in these roles$PrivilegedUsers = $RoleMembers | ForEach-Object { Get-MgUser -UserId $_.Id -Property UserPrincipalName, DisplayName, Id}$Report = [System.Collections.Generic.List[Object]]::new()foreach ($Admin in $PrivilegedUsers) { $License = $null $License = (Get-MgUserLicenseDetail -UserId $Admin.id).SkuPartNumber -join \", \" $Object = [pscustomobject][ordered]@{ DisplayName = $Admin.DisplayName UserPrincipalName = $Admin.UserPrincipalName License = $License } $Report.Add($Object)}$Report```3. The output will display users assigned privileged roles alongside their assigned licenses. Additional manual assessment is required to determine if the licensing is appropriate for the user.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/add-users?view=o365-worldwide:https://learn.microsoft.com/en-us/microsoft-365/enterprise/protect-your-global-administrator-accounts?view=o365-worldwide:https://learn.microsoft.com/en-us/entra/fundamentals/whatis:https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference",
"DefaultValue": "N/A"
}
]
},
{
"Id": "1.2.1",
"Description": "Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365. With Microsoft 365 Groups, you can give a group of people access to a collection of shared resources. While there are several different group types this recommendation concerns **Microsoft 365 Groups**.In the Administration panel, when a group is created, the default privacy value is \"Public\".",
"Checks": [
"admincenter_groups_not_public_visibility"
],
"Attributes": [
{
"Section": "1 Microsoft 365 admin center",
"SubSection": "1.2 Teams & groups",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365. With Microsoft 365 Groups, you can give a group of people access to a collection of shared resources. While there are several different group types this recommendation concerns **Microsoft 365 Groups**.In the Administration panel, when a group is created, the default privacy value is \"Public\".",
"RationaleStatement": "Ensure that only organizationally managed and approved public groups exist. When a group has a \"public\" privacy, users may access data related to this group (e.g. SharePoint), through three methods:- By using the Azure portal, and adding themselves into the public group- By requesting access to the group from the Group application of the Access Panel- By accessing the SharePoint URLAdministrators are notified when a user uses the Azure Portal. Requesting access to the group forces users to send a message to the group owner, but they still have immediate access to the group. The SharePoint URL is usually guessable and can be found from the Group application of the Access Panel. If group privacy is not controlled, any user may access sensitive information, according to the group they try to access.**Note:** Public in this case means public to the identities within the organization.",
"ImpactStatement": "If the recommendation is applied, group owners could receive more access requests than usual, especially regarding groups originally meant to be public.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.2. Click to expand `Teams & groups` select `Active teams & groups`..3. On the **Active teams and groups page**, select the group's name that is public.4. On the popup **groups name page**, Select `Settings`.5. Under Privacy, select `Private`.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.2. Click to expand `Teams & groups` select `Active teams & groups`.3. On the **Active teams and groups page**, check that no groups have the status 'Public' in the privacy column.**To audit using PowerShell:** 1. Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes \"Group.Read.All\"`.2. Run the following Microsoft Graph PowerShell command:```Get-MgGroup | where {$_.Visibility -eq \"Public\"} | select DisplayName,Visibility```3. Ensure `Visibility` is `Private` for each group.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/users/groups-self-service-management:https://learn.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide",
"DefaultValue": "Public when created from the Administration portal; private otherwise."
}
]
},
{
"Id": "1.2.2",
"Description": "Shared mailboxes are used when multiple people need access to the same mailbox, such as a company information or support email address, reception desk, or other function that might be shared by multiple people.Users with permissions to the group mailbox can send as or send on behalf of the mailbox email address if the administrator has given that user permissions to do that. This is particularly useful for help and support mailboxes because users can send emails from \"Contoso Support\" or \"Building A Reception Desk.\"Shared mailboxes are created with a corresponding user account using a system generated password that is unknown at the time of creation.The recommended state is `Sign in blocked` for `Shared mailboxes`.",
"Checks": [
"exchange_shared_mailbox_sign_in_disabled"
],
"Attributes": [
{
"Section": "1 Microsoft 365 admin center",
"SubSection": "1.2 Teams & groups",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "Shared mailboxes are used when multiple people need access to the same mailbox, such as a company information or support email address, reception desk, or other function that might be shared by multiple people.Users with permissions to the group mailbox can send as or send on behalf of the mailbox email address if the administrator has given that user permissions to do that. This is particularly useful for help and support mailboxes because users can send emails from \"Contoso Support\" or \"Building A Reception Desk.\"Shared mailboxes are created with a corresponding user account using a system generated password that is unknown at the time of creation.The recommended state is `Sign in blocked` for `Shared mailboxes`.",
"RationaleStatement": "The intent of the shared mailbox is the only allow delegated access from other mailboxes. An admin could reset the password, or an attacker could potentially gain access to the shared mailbox allowing the direct sign-in to the shared mailbox and subsequently the sending of email from a sender that does not have a unique identity. To prevent this, block sign-in for the account that is associated with the shared mailbox.",
"ImpactStatement": "",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com/2. Click to expand `Teams & groups` and select `Shared mailboxes`.3. Take note of all shared mailboxes.4. Click to expand `Users` and select `Active users`.5. Select a shared mailbox account to open it's properties pane and then select `Block sign-in`.6. Check the box for `Block this user from signing in`.7. Repeat for any additional shared mailboxes.**To remediate using PowerShell:**1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes \"User.ReadWrite.All\"`2. Connect to Exchange Online using `Connect-ExchangeOnline`.3. To disable sign-in for a single account:```$MBX = Get-EXOMailbox -Identity TestUser@example.comUpdate-MgUser -UserId $MBX.ExternalDirectoryObjectId -AccountEnabled:$false```3. The following will block sign-in to all Shared Mailboxes.```$MBX = Get-EXOMailbox -RecipientTypeDetails SharedMailbox$MBX | ForEach-Object { Update-MgUser -UserId $_.ExternalDirectoryObjectId -AccountEnabled:$false }```",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com/2. Click to expand `Teams & groups` and select `Shared mailboxes`.3. Take note of all shared mailboxes.4. Click to expand `Users` and select `Active users`.5. Select a shared mailbox account to open its properties pane, and review.6. Ensure the text under the name reads `Sign-in blocked`.7. Repeat for any additional shared mailboxes.**Note:** If sign-in is not blocked where will be an option to `Block sign-in`. This means the shared mailbox is out of compliance with this recommendation.**To audit using PowerShell:** 1. Connect to Exchange Online using `Connect-ExchangeOnline`2. Connect to Microsoft Graph using `Connect-MgGraph -Scopes \"Policy.Read.All\"`3. Run the following PowerShell commands:```$MBX = Get-EXOMailbox -RecipientTypeDetails SharedMailbox$MBX | ForEach-Object { Get-MgUser -UserId $_.ExternalDirectoryObjectId ` -Property DisplayName, UserPrincipalName, AccountEnabled } | Format-Table DisplayName, UserPrincipalName, AccountEnabled```4. Ensure `AccountEnabled` is set to `False` for all Shared Mailboxes.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoft-365/admin/email/about-shared-mailboxes?view=o365-worldwide:https://learn.microsoft.com/en-us/microsoft-365/admin/email/create-a-shared-mailbox?view=o365-worldwide#block-sign-in-for-the-shared-mailbox-account:https://learn.microsoft.com/en-us/microsoft-365/enterprise/block-user-accounts-with-microsoft-365-powershell?view=o365-worldwide#block-individual-user-accounts",
"DefaultValue": "AccountEnabled: `True`"
}
]
},
{
"Id": "1.3.1",
"Description": "Microsoft cloud-only accounts have a pre-defined password policy that cannot be changed. The only items that can change are the number of days until a password expires and whether or whether passwords expire at all.",
"Checks": [
"admincenter_settings_password_never_expire"
],
"Attributes": [
{
"Section": "1 Microsoft 365 admin center",
"SubSection": "1.3 Settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "Microsoft cloud-only accounts have a pre-defined password policy that cannot be changed. The only items that can change are the number of days until a password expires and whether or whether passwords expire at all.",
"RationaleStatement": "Organizations such as NIST and Microsoft have updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised, or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually make the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), which makes password expiration even less useful as well as password protection for Entra ID.",
"ImpactStatement": "When setting passwords not to expire it is important to have other controls in place to supplement this setting. See below for related recommendations and user guidance.- Ban common passwords.- Educate users to not reuse organization passwords anywhere else.- Enforce Multi-Factor Authentication registration for all users.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.2. Click to expand `Settings` select `Org Settings`.3. Click on `Security & privacy`.4. Check the `Set passwords to never expire (recommended)` box.5. Click `Save`.**To remediate using PowerShell:**1. Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes \"Domain.ReadWrite.All\"`.2. Run the following Microsoft Graph PowerShell command:```Update-MgDomain -DomainId <Domain> -PasswordValidityPeriodInDays 2147483647```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.2. Click to expand `Settings` select `Org Settings`.3. Click on `Security & privacy`.4. Select `Password expiration policy` ensure that `Set passwords to never expire (recommended)` has been checked.**To audit using PowerShell:**1. Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes \"Domain.Read.All\"`.2. Run the following Microsoft Online PowerShell command:```Get-MgDomain | ft id,PasswordValidityPeriodInDays```3. Verify the value returned for valid domains is `2147483647`",
"AdditionalInformation": "",
"References": "https://pages.nist.gov/800-63-3/sp800-63b.html:https://www.cisecurity.org/white-papers/cis-password-policy-guide/:https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide",
"DefaultValue": "If the property is not set, a default value of 90 days will be used"
}
]
},
{
"Id": "1.3.2",
"Description": "Idle session timeout allows the configuration of a setting which will timeout inactive users after a pre-determined amount of time. When a user reaches the set idle timeout session, they'll get a notification that they're about to be signed out. They have to select to stay signed in or they'll be automatically signed out of all Microsoft 365 web apps. Combined with a Conditional Access rule this will only impact unmanaged devices. A managed device is considered a device managed that is compliant or joined to a domain and using a supported browser like Microsoft Edge or Google Chrome (with the Microsoft Single Sign On) extension.The following Microsoft 365 web apps are supported.- Outlook Web App- OneDrive- SharePoint- Microsoft Fabric- Microsoft365.com and other start pages- Microsoft 365 web apps (Word, Excel, PowerPoint)- Microsoft 365 Admin Center- M365 Defender Portal- Microsoft Purview Compliance PortalThe recommended setting is `3 hours` (or less) for unmanaged devices. **Note:** Idle session timeout doesn't affect Microsoft 365 desktop and mobile apps.",
"Checks": [],
"Attributes": [
{
"Section": "1 Microsoft 365 admin center",
"SubSection": "1.3 Settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Idle session timeout allows the configuration of a setting which will timeout inactive users after a pre-determined amount of time. When a user reaches the set idle timeout session, they'll get a notification that they're about to be signed out. They have to select to stay signed in or they'll be automatically signed out of all Microsoft 365 web apps. Combined with a Conditional Access rule this will only impact unmanaged devices. A managed device is considered a device managed that is compliant or joined to a domain and using a supported browser like Microsoft Edge or Google Chrome (with the Microsoft Single Sign On) extension.The following Microsoft 365 web apps are supported.- Outlook Web App- OneDrive- SharePoint- Microsoft Fabric- Microsoft365.com and other start pages- Microsoft 365 web apps (Word, Excel, PowerPoint)- Microsoft 365 Admin Center- M365 Defender Portal- Microsoft Purview Compliance PortalThe recommended setting is `3 hours` (or less) for unmanaged devices. **Note:** Idle session timeout doesn't affect Microsoft 365 desktop and mobile apps.",
"RationaleStatement": "Ending idle sessions through an automatic process can help protect sensitive company data and will add another layer of security for end users who work on unmanaged devices that can potentially be accessed by the public. Unauthorized individuals onsite or remotely can take advantage of systems left unattended over time. Automatic timing out of sessions makes this more difficult.",
"ImpactStatement": "If step 2 in the Audit/Remediation procedure is left out, then there is no issue with this from a security standpoint. However, it will require users on trusted devices to sign in more frequently which could result in credential prompt fatigue.**Note:** Idle session timeout also affects the Azure Portal idle timeout if this is not explicitly set to a different timeout. The Azure Portal idle timeout applies to all kind of devices, not just unmanaged. See : [change the directory timeout setting admin](https://learn.microsoft.com/en-us/azure/azure-portal/set-preferences#change-the-directory-timeout-setting-admin)",
"RemediationProcedure": "**Step 1 - Configure Idle session timeout:**1. Navigate to the `Microsoft 365 admin center` https://admin.microsoft.com/.2. Click to expand `Settings` Select `Org settings`.3. Click `Security & Privacy` tab.4. Select `Idle session timeout`.5. Check the box `Turn on to set the period of inactivity for users to be signed off of Microsoft 365 web apps` 6. Set a maximum value of `3 hours`.7. Click save.**Step 2 - Ensure the Conditional Access policy is in place:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/2. Expand `Protect` > `Conditional Access`.3. Click `New policy` and give the policy a name. - Select `Users` > `All users`. - Select `Cloud apps or actions` > `Select apps` and select `Office 365` - Select `Conditions` > `Client apps` > `Yes` check only `Browser` unchecking all other boxes. - Select `Sessions` and check `Use app enforced restrictions`.4. Set `Enable policy` to `On` and click `Create`.**Note:** To ensure that idle timeouts affect only unmanaged devices, both steps must be completed.",
"AuditProcedure": "**Step 1 - Ensure Idle session timeout is configured:**1. Navigate to the `Microsoft 365 admin center` https://admin.microsoft.com/.2. Click to expand `Settings` Select `Org settings`.3. Click `Security & Privacy` tab.4. Select `Idle session timeout`.5. Verify `Turn on to set the period of inactivity for users to be signed off of Microsoft 365 web apps` is set to `3 hours` (or less).**Step 2 - Ensure the Conditional Access policy is in place:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/2. Expand `Protect` > `Conditional Access`.3. Inspect existing conditional access rules for one that meets the below conditions: - `Users` is set to `All users`. - `Cloud apps or actions` > `Select apps` is set to `Office 365`. - `Conditions` > `Client apps` is `Browser` and nothing else. - `Session` is set to `Use app enforced restrictions`. - `Enable Policy` is set to `On`**Note:** To ensure that idle timeouts affect only unmanaged devices, both steps must be completed.",
"AdditionalInformation": "According to Microsoft idle session timeout isn't supported when third party cookies are disabled in the browser. Users won't see any sign-out prompts.",
"References": "https://learn.microsoft.com/en-us/microsoft-365/admin/manage/idle-session-timeout-web-apps?view=o365-worldwide",
"DefaultValue": "Not configured. (Idle sessions will not timeout.)"
}
]
},
{
"Id": "1.3.3",
"Description": "External calendar sharing allows an administrator to enable the ability for users to share calendars with anyone outside of the organization. Outside users will be sent a URL that can be used to view the calendar.",
"Checks": [
"admincenter_external_calendar_sharing_disabled"
],
"Attributes": [
{
"Section": "1 Microsoft 365 admin center",
"SubSection": "1.3 Settings",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "External calendar sharing allows an administrator to enable the ability for users to share calendars with anyone outside of the organization. Outside users will be sent a URL that can be used to view the calendar.",
"RationaleStatement": "Attackers often spend time learning about organizations before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling.",
"ImpactStatement": "This functionality is not widely used. As a result, it is unlikely that implementation of this setting will cause an impact to most users. Users that do utilize this functionality are likely to experience a minor inconvenience when scheduling meetings or synchronizing calendars with people outside the tenant.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.2. Click to expand `Settings` select `Org settings`.3. In the `Services` section click `Calendar`.4. Uncheck `Let your users share their calendars with people outside of your organization who have Office 365 or Exchange`.5. Click `Save`.**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following Exchange Online PowerShell command:```Set-SharingPolicy -Identity \"Default Sharing Policy\" -Enabled $False```",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.2. Click to expand `Settings` select `Org settings`.3. In the `Services` section click `Calendar`.4. Verify `Let your users share their calendars with people outside of your organization who have Office 365 or Exchange` is unchecked.**To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following Exchange Online PowerShell command:```Get-SharingPolicy -Identity \"Default Sharing Policy\"```3. Verify `Enabled` is set to `False`",
"AdditionalInformation": "**The following script can be used to audit any mailboxes that might be sharing calendars prior to disabling the feature globally:**```$mailboxes = Get-Mailbox -ResultSize Unlimited foreach ($mailbox in $mailboxes) { # Get the name of the default calendar folder (depends on the mailbox's language) $calendarFolder = [string](Get-ExoMailboxFolderStatistics $mailbox.PrimarySmtpAddress -FolderScope Calendar| Where-Object { $_.FolderType -eq 'Calendar' }).Name # Get users calendar folder settings for their default Calendar folder # calendar has the format identity:\\<calendar folder name> $calendar = Get-MailboxCalendarFolder -Identity \"$($mailbox.PrimarySmtpAddress):\\$calendarFolder\" if ($calendar.PublishEnabled) { Write-Host -ForegroundColor Yellow \"Calendar publishing is enabled for $($mailbox.PrimarySmtpAddress) on $($calendar.PublishedCalendarUrl)\" }}```",
"References": "https://learn.microsoft.com/en-us/microsoft-365/admin/manage/share-calendars-with-external-users?view=o365-worldwide",
"DefaultValue": "Enabled (True)"
}
]
},
{
"Id": "1.3.4",
"Description": "By default, users can install add-ins in their Microsoft Word, Excel, and PowerPoint applications, allowing data access within the application.Do not allow users to install add-ins in Word, Excel, or PowerPoint.",
"Checks": [],
"Attributes": [
{
"Section": "1 Microsoft 365 admin center",
"SubSection": "1.3 Settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "By default, users can install add-ins in their Microsoft Word, Excel, and PowerPoint applications, allowing data access within the application.Do not allow users to install add-ins in Word, Excel, or PowerPoint.",
"RationaleStatement": "Attackers commonly use vulnerable and custom-built add-ins to access data in user applications.While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully.Disable future user's ability to install add-ins in Microsoft Word, Excel, or PowerPoint helps reduce your threat-surface and mitigate this risk.",
"ImpactStatement": "Implementation of this change will impact both end users and administrators. End users will not be able to install add-ins that they may want to install.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.2. Click to expand `Settings` > `Org settings`.3. In `Services` select `User owned apps and services`.4. Uncheck `Let users access the Office Store` and `Let users start trials on behalf of your organization`.5. Click `Save`.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.2. Click to expand `Settings` > `Org settings`.3. In `Services` select `User owned apps and services`.4. Verify `Let users access the Office Store` and `Let users start trials on behalf of your organization` are **not checked**.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoft-365/admin/manage/manage-addins-in-the-admin-center?view=o365-worldwide#manage-add-in-downloads-by-turning-onoff-the-office-store-across-all-apps-except-outlook",
"DefaultValue": "`Let users access the Office Store` is `Checked``Let users start trials on behalf of your organization` is `Checked`"
}
]
},
{
"Id": "1.3.5",
"Description": "Microsoft Forms can be used for phishing attacks by asking personal or sensitive information and collecting the results. Microsoft 365 has built-in protection that will proactively scan for phishing attempt in forms such personal information request.",
"Checks": [],
"Attributes": [
{
"Section": "1 Microsoft 365 admin center",
"SubSection": "1.3 Settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Microsoft Forms can be used for phishing attacks by asking personal or sensitive information and collecting the results. Microsoft 365 has built-in protection that will proactively scan for phishing attempt in forms such personal information request.",
"RationaleStatement": "Enabling internal phishing protection for Microsoft Forms will prevent attackers using forms for phishing attacks by asking personal or other sensitive information and URLs.",
"ImpactStatement": "If potential phishing was detected, the form will be temporarily blocked and cannot be distributed, and response collection will not happen until it is unblocked by the administrator or keywords were removed by the creator.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.2. Click to expand `Settings` then select `Org settings`.3. Under Services select `Microsoft Forms`.4. Click the checkbox labeled `Add internal phishing protection` under `Phishing protection`.5. Click Save.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft 365 admin` center https://admin.microsoft.com.2. Click to expand `Settings` then select `Org settings`.3. Under Services select `Microsoft Forms`.4. Ensure the checkbox labeled `Add internal phishing protection` is checked under `Phishing protection`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-US/microsoft-forms/administrator-settings-microsoft-forms:https://learn.microsoft.com/en-US/microsoft-forms/review-unblock-forms-users-detected-blocked-potential-phishing",
"DefaultValue": "Internal Phishing Protection is enabled."
}
]
},
{
"Id": "1.3.6",
"Description": "Customer Lockbox is a security feature that provides an additional layer of control and transparency to customer data in Microsoft 365. It offers an approval process for Microsoft support personnel to access organization data and creates an audited trail to meet compliance requirements.",
"Checks": [
"admincenter_organization_customer_lockbox_enabled"
],
"Attributes": [
{
"Section": "1 Microsoft 365 admin center",
"SubSection": "1.3 Settings",
"Profile": "E5 Level 2",
"AssessmentStatus": "Automated",
"Description": "Customer Lockbox is a security feature that provides an additional layer of control and transparency to customer data in Microsoft 365. It offers an approval process for Microsoft support personnel to access organization data and creates an audited trail to meet compliance requirements.",
"RationaleStatement": "Enabling this feature protects organizational data against data spillage and exfiltration.",
"ImpactStatement": "Administrators will need to grant Microsoft access to the tenant environment prior to a Microsoft engineer accessing the environment for support or troubleshooting.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.2. Click to expand `Settings` then select `Org settings`.3. Select `Security & privacy` tab.4. Click `Customer lockbox`.5. Check the box `Require approval for all data access requests`. 6. Click `Save`.**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command\\:```Set-OrganizationConfig -CustomerLockBoxEnabled $true```",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.2. Click to expand `Settings` then select `Org settings`.3. Select `Security & privacy` tab.4. Click `Customer lockbox`.5. Ensure the box labeled `Require approval for all data access requests` is checked. **To audit using SecureScore:** 1. Navigate to the Microsoft 365 SecureScore portal. https://securescore.microsoft.com2. Search for `Turn on customer lockbox feature` under `Improvement actions`.**To audit using PowerShell:** 1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Get-OrganizationConfig | Select-Object CustomerLockBoxEnabled```3. Verify the value is set to `True`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/azure/security/fundamentals/customer-lockbox-overview",
"DefaultValue": "`Require approval for all data access requests` - `Unchecked``CustomerLockboxEnabled` - `False`"
}
]
},
{
"Id": "1.3.7",
"Description": "Third-party storage can be enabled for users in Microsoft 365, allowing them to store and share documents using services such as Dropbox, alongside OneDrive and team sites.Ensure `Microsoft 365 on the web` third-party storage services are restricted.",
"Checks": [],
"Attributes": [
{
"Section": "1 Microsoft 365 admin center",
"SubSection": "1.3 Settings",
"Profile": "E3 Level 2",
"AssessmentStatus": "Manual",
"Description": "Third-party storage can be enabled for users in Microsoft 365, allowing them to store and share documents using services such as Dropbox, alongside OneDrive and team sites.Ensure `Microsoft 365 on the web` third-party storage services are restricted.",
"RationaleStatement": "By using external storage services an organization may increase the risk of data breaches and unauthorized access to confidential information. Additionally, third-party services may not adhere to the same security standards as the organization, making it difficult to maintain data privacy and security.",
"ImpactStatement": "Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com2. Go to `Settings` > `Org Settings` > `Services` > `Microsoft 365 on the web` 3. Uncheck `Let users open files stored in third-party storage services in Microsoft 365 on the web`",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com2. Go to `Settings` > `Org Settings` > `Services` > `Microsoft 365 on the web` 3. Ensure `Let users open files stored in third-party storage services in Microsoft 365 on the web` is not checked.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoft-365/admin/setup/set-up-file-storage-and-sharing?view=o365-worldwide#enable-or-disable-third-party-storage-services",
"DefaultValue": "Enabled - Users are able to open files stored in third-party storage services"
}
]
},
{
"Id": "1.3.8",
"Description": "Sway is a Microsoft 365 app that lets organizations create interactive, web-based presentations using images, text, videos and other media. Its design engine simplifies the process, allowing for quick customization. Presentations can then be shared via a link.This setting controls user Sway sharing capability, both within and outside of the organization. By default, Sway is enabled for everyone in the organization.",
"Checks": [],
"Attributes": [
{
"Section": "1 Microsoft 365 admin center",
"SubSection": "1.3 Settings",
"Profile": "E3 Level 2",
"AssessmentStatus": "Manual",
"Description": "Sway is a Microsoft 365 app that lets organizations create interactive, web-based presentations using images, text, videos and other media. Its design engine simplifies the process, allowing for quick customization. Presentations can then be shared via a link.This setting controls user Sway sharing capability, both within and outside of the organization. By default, Sway is enabled for everyone in the organization.",
"RationaleStatement": "Disable external sharing of Sway documents that can contain sensitive information to prevent accidental or arbitrary data leaks.",
"ImpactStatement": "Interactive reports, presentations, newsletters, and other items created in Sway will not be shared outside the organization by users.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.2. Click to expand `Settings` then select `Org settings`.3. Under Services select `Sway` - Uncheck: `Let people in your organization share their sways with people outside your organization`.4. Click `Save`.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.2. Click to expand `Settings` then select `Org settings`.3. Under Services select `Sway`.4. Confirm that under `Sharing` the following is not checked - Option: `Let people in your organization share their sways with people outside your organization`.",
"AdditionalInformation": "",
"References": "https://support.microsoft.com/en-us/office/administrator-settings-for-sway-d298e79b-b6ab-44c6-9239-aa312f5784d4:https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-sway-service-description",
"DefaultValue": "`Let people in your organization share their sways with people outside your organization` - Enabled"
}
]
},
{
"Id": "2.1.1",
"Description": "Enabling Safe Links policy for Office applications allows URL's that exist inside of Office documents and email applications opened by Office, Office Online and Office mobile to be processed against Defender for Office time-of-click verification and rewritten if required.**Note:** E5 Licensing includes a number of Built-in Protection policies. When auditing policies note which policy you are viewing, and keep in mind CIS recommendations often extend the Default or Build-in Policies provided by MS. In order to **Pass** the highest priority policy must match all settings recommended.",
"Checks": [
"defender_safelinks_policy_enabled"
],
"Attributes": [
{
"Section": "2 Microsoft 365 Defender",
"SubSection": "2.1 Email & collaboration",
"Profile": "E5 Level 2",
"AssessmentStatus": "Automated",
"Description": "Enabling Safe Links policy for Office applications allows URL's that exist inside of Office documents and email applications opened by Office, Office Online and Office mobile to be processed against Defender for Office time-of-click verification and rewritten if required.**Note:** E5 Licensing includes a number of Built-in Protection policies. When auditing policies note which policy you are viewing, and keep in mind CIS recommendations often extend the Default or Build-in Policies provided by MS. In order to **Pass** the highest priority policy must match all settings recommended.",
"RationaleStatement": "Safe Links for Office applications extends phishing protection to documents and emails that contain hyperlinks, even after they have been delivered to a user.",
"ImpactStatement": "User impact associated with this change is minor - users may experience a very short delay when clicking on URLs in Office documents before being directed to the requested site. Users should be informed of the change as, in the event a link is unsafe and blocked, they will receive a message that it has been blocked.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com2. Under `Email & collaboration` select `Policies & rules`3. Select `Threat policies` then `Safe Links`4. Click on `+Create`5. Name the policy then click `Next`6. In `Domains` select all valid domains for the organization and `Next`7. Ensure the following `URL & click protection settings` are defined: **Email** - Checked `On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default` - Checked `Apply Safe Links to email messages sent within the organization` - Checked `Apply real-time URL scanning for suspicious links and links that point to files` - Checked `Wait for URL scanning to complete before delivering the message` - Unchecked `Do not rewrite URLs, do checks via Safe Links API only.` **Teams** - Checked `On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten` **Office 365 Apps** - Checked `On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten` **Click protection settings** - Checked `Track user clicks` - Unchecked `Let users click through the original URL` - There is no recommendation for organization branding.8. Click `Next` twice and finally `Submit`**To remediate using PowerShell:**1. Connect using `Connect-ExchangeOnline`.2. Run the following PowerShell script to create a policy at highest priority that will apply to all valid domains on the tenant:```# Create the Policy$params = @{ Name = \"CIS SafeLinks Policy\" EnableSafeLinksForEmail = $true EnableSafeLinksForTeams = $true EnableSafeLinksForOffice = $true TrackClicks = $true AllowClickThrough = $false ScanUrls = $true EnableForInternalSenders = $true DeliverMessageAfterScan = $true DisableUrlRewrite = $false}New-SafeLinksPolicy @params# Create the rule for all users in all valid domains and associate with PolicyNew-SafeLinksRule -Name \"CIS SafeLinks\" -SafeLinksPolicy \"CIS SafeLinks Policy\" -RecipientDomainIs (Get-AcceptedDomain).Name -Priority 0```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com2. Under `Email & collaboration` select `Policies & rules`3. Select `Threat policies` then `Safe Links`4. Inspect each policy and attempt to identify one that matches the parameters outlined below.5. Scroll down the pane and click on `Edit Protection settings` (Global Readers will look for on or off values)6. Ensure the following protection settings are set as outlined: **Email** - Checked `On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default` - Checked `Apply Safe Links to email messages sent within the organization` - Checked `Apply real-time URL scanning for suspicious links and links that point to files` - Checked `Wait for URL scanning to complete before delivering the message` - Unchecked `Do not rewrite URLs, do checks via Safe Links API only.` **Teams** - Checked `On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten` **Office 365 Apps** - Checked `On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten` **Click protection settings** - Checked `Track user clicks` - Unchecked `Let users click through the original URL`7. There is no recommendation for organization branding.8. Click close**To audit using PowerShell:**1. Connect using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Get-SafeLinksPolicy | Format-Table Name```3. Once this returns the list of policies run the following command to view the policies.```Get-SafeLinksPolicy -Identity \"Policy Name\"```4. Verify the value for the following. - `EnableSafeLinksForEmail: True` - `EnableSafeLinksForTeams: True` - `EnableSafeLinksForOffice: True` - `TrackClicks: True` - `AllowClickThrough: False` - `ScanUrls: True` - `EnableForInternalSenders: True` - `DeliverMessageAfterScan: True` - `DisableUrlRewrite: False`",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/defender-office-365/safe-links-policies-configure?view=o365-worldwide:https://learn.microsoft.com/en-us/powershell/module/exchange/set-safelinkspolicy?view=exchange-ps:https://learn.microsoft.com/en-us/defender-office-365/preset-security-policies?view=o365-worldwide",
"DefaultValue": ""
}
]
},
{
"Id": "2.1.2",
"Description": "The Common Attachment Types Filter lets a user block known and custom malicious file types from being attached to emails.",
"Checks": [
"defender_malware_policy_common_attachments_filter_enabled"
],
"Attributes": [
{
"Section": "2 Microsoft 365 Defender",
"SubSection": "2.1 Email & collaboration",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "The Common Attachment Types Filter lets a user block known and custom malicious file types from being attached to emails.",
"RationaleStatement": "Blocking known malicious file types can help prevent malware-infested files from infecting a host.",
"ImpactStatement": "Blocking common malicious file types should not cause an impact in modern computing environments.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.2. Click to expand `Email & collaboration` select `Policies & rules`. 3. On the Policies & rules page select `Threat policies`.4. Under polices select `Anti-malware` and click on the `Default (Default)` policy.5. On the Policy page that appears on the right hand pane scroll to the bottom and click on `Edit protection settings`, check the `Enable the common attachments filter`.6. Click Save.**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following Exchange Online PowerShell command:```Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true```**Note:** Audit and Remediation guidance may focus on the **Default policy** however, if a Custom Policy exists in the organization's tenant, then ensure the setting is set as outlined in the highest priority policy listed.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.2. Click to expand `Email & collaboration` select `Policies & rules`. 3. On the Policies & rules page select `Threat policies`.4. Under **Policies** select `Anti-malware` and click on the `Default (Default)` policy.5. On the policy page that appears on the righthand pane, under `Protection settings`, verify that the `Enable the common attachments filter` has the value of `On`. **To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following Exchange Online PowerShell command:```Get-MalwareFilterPolicy -Identity Default | Select-Object EnableFileFilter```3. Verify `EnableFileFilter` is set to `True`.**Note:** Audit and Remediation guidance may focus on the **Default policy** however, if a Custom Policy exists in the organization's tenant, then ensure the setting is set as outlined in the highest priority policy listed.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/powershell/module/exchange/get-malwarefilterpolicy?view=exchange-ps:https://learn.microsoft.com/en-us/defender-office-365/anti-malware-policies-configure?view=o365-worldwide",
"DefaultValue": "Always on"
}
]
},
{
"Id": "2.1.3",
"Description": "Exchange Online Protection (EOP) is the cloud-based filtering service that protects organizations against spam, malware, and other email threats. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes.EOP uses flexible anti-malware policies for malware protection settings. These policies can be set to notify Admins of malicious activity.",
"Checks": [
"defender_malware_policy_notifications_internal_users_malware_enabled"
],
"Attributes": [
{
"Section": "2 Microsoft 365 Defender",
"SubSection": "2.1 Email & collaboration",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "Exchange Online Protection (EOP) is the cloud-based filtering service that protects organizations against spam, malware, and other email threats. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes.EOP uses flexible anti-malware policies for malware protection settings. These policies can be set to notify Admins of malicious activity.",
"RationaleStatement": "This setting alerts administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated.",
"ImpactStatement": "Notification of account with potential issues should not have an impact on the user.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.2. Click to expand `E-mail & Collaboration` select `Policies & rules`. 3. On the Policies & rules page select `Threat policies`.4. Under Policies select `Anti-malware`.5. Click on the `Default (Default)` policy.6. Click on `Edit protection settings` and change the settings for `Notify an admin about undelivered messages from internal senders` to `On` and enter the email address of the administrator who should be notified under `Administrator email address`.7. Click Save.**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following command: ```Set-MalwareFilterPolicy -Identity '{Identity Name}' -EnableInternalSenderAdminNotifications $True -InternalSenderAdminAddress {admin@domain1.com}```**Note:** Audit and Remediation guidance may focus on the **Default policy** however, if a Custom Policy exists in the organization's tenant, then ensure the setting is set as outlined in the highest priority policy listed.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.2. Click to expand `E-mail & Collaboration` select `Policies & rules`. 3. On the Policies & rules page select `Threat policies`.4. Under Policies select `Anti-malware`.5. Click on the `Default (Default)` policy.6. Ensure the setting `Notify an admin about undelivered messages from internal senders` is set to `On` and that there is at least one email address under `Administrator email address`.**To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following command: ```Get-MalwareFilterPolicy | fl Identity, EnableInternalSenderAdminNotifications, InternalSenderAdminAddress```**Note:** Audit and Remediation guidance may focus on the **Default policy** however, if a Custom Policy exists in the organization's tenant, then ensure the setting is set as outlined in the highest priority policy listed.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-about:https://learn.microsoft.com/en-us/defender-office-365/anti-malware-policies-configure",
"DefaultValue": "```EnableInternalSenderAdminNotifications : FalseInternalSenderAdminAddress : $null```"
}
]
},
{
"Id": "2.1.4",
"Description": "The Safe Attachments policy helps protect users from malware in email attachments by scanning attachments for viruses, malware, and other malicious content. When an email attachment is received by a user, Safe Attachments will scan the attachment in a secure environment and provide a verdict on whether the attachment is safe or not.",
"Checks": [
"defender_safe_attachments_policy_enabled"
],
"Attributes": [
{
"Section": "2 Microsoft 365 Defender",
"SubSection": "2.1 Email & collaboration",
"Profile": "E5 Level 2",
"AssessmentStatus": "Automated",
"Description": "The Safe Attachments policy helps protect users from malware in email attachments by scanning attachments for viruses, malware, and other malicious content. When an email attachment is received by a user, Safe Attachments will scan the attachment in a secure environment and provide a verdict on whether the attachment is safe or not.",
"RationaleStatement": "Enabling Safe Attachments policy helps protect against malware threats in email attachments by analyzing suspicious attachments in a secure, cloud-based environment before they are delivered to the user's inbox. This provides an additional layer of security and can prevent new or unseen types of malware from infiltrating the organization's network.",
"ImpactStatement": "Delivery of email with attachments may be delayed while scanning is occurring.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.2. Click to expand `E-mail & Collaboration` select `Policies & rules`. 3. On the Policies & rules page select `Threat policies`.4. Under `Policies` select `Safe Attachments`.5. Click `+ Create`.6. Create a Policy Name and Description, and then click `Next`.7. Select all valid domains and click `Next`.8. Select `Block`.9. Quarantine policy is `AdminOnlyAccessPolicy`.10. Leave `Enable redirect` unchecked.11. Click `Next` and finally `Submit`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.2. Click to expand `E-mail & Collaboration` select `Policies & rules`. 3. On the Policies & rules page select `Threat policies`.4. Under `Policies` select `Safe Attachments`.5. Inspect the highest priority policy.6. Ensure `Users and domains` and `Included recipient domains` are in scope for the organization.7. Ensure `Safe Attachments detection response:` is set to `Block - Block current and future messages and attachments with detected malware`.8. Ensure the `Quarantine Policy` is set to `AdminOnlyAccessPolicy`.9. Ensure the policy is not disabled.**To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Get-SafeAttachmentPolicy | where-object {$_.Enable -eq \"True\"}```",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about:https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-policies-configure",
"DefaultValue": "disabled"
}
]
},
{
"Id": "2.1.5",
"Description": "Safe Attachments for SharePoint, OneDrive, and Microsoft Teams scans these services for malicious files.",
"Checks": [
"defender_atp_safe_attachments_and_docs_configured"
],
"Attributes": [
{
"Section": "2 Microsoft 365 Defender",
"SubSection": "2.1 Email & collaboration",
"Profile": "E5 Level 2",
"AssessmentStatus": "Automated",
"Description": "Safe Attachments for SharePoint, OneDrive, and Microsoft Teams scans these services for malicious files.",
"RationaleStatement": "Safe Attachments for SharePoint, OneDrive, and Microsoft Teams protect organizations from inadvertently sharing malicious files. When a malicious file is detected that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team.",
"ImpactStatement": "Impact associated with Safe Attachments is minimal, and equivalent to impact associated with anti-virus scanners in an environment.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com2. Under `Email & collaboration` select `Policies & rules`3. Select Threat policies then `Safe Attachments`.4. Click on `Global settings`5. Click to `Enable` `Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams`6. Click to `Enable` `Turn on Safe Documents for Office clients`7. Click to `Disable` `Allow people to click through Protected View even if Safe Documents identified the file as malicious`.8. Click `Save`**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`. 2. Run the following PowerShell command: ```Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true -EnableSafeDocs $true -AllowSafeDocsOpen $false```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com2. Under `Email & collaboration` select `Policies & rules`3. Select Threat policies then `Safe Attachments`.4. Click on `Global settings`5. Ensure the toggle is `Enabled` to `Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams`.6. Ensure the toggle is `Enabled` to `Turn on Safe Documents for Office clients`. 6. Ensure the toggle is `Deselected/Disabled` to `Allow people to click through Protected View even if Safe Documents identified the file as malicious`. **To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`. 2. Run the following PowerShell command: ```Get-AtpPolicyForO365 | fl Name,EnableATPForSPOTeamsODB,EnableSafeDocs,AllowSafeDocsOpen```Verify the values for each parameter as below: EnableATPForSPOTeamsODB : True EnableSafeDocs : True AllowSafeDocsOpen : False",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-for-spo-odfb-teams-about",
"DefaultValue": ""
}
]
},
{
"Id": "2.1.6",
"Description": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP.Configure Exchange Online Spam Policies to copy emails and notify someone when a sender in the organization has been blocked for sending spam emails.",
"Checks": [
"defender_antispam_outbound_policy_configured"
],
"Attributes": [
{
"Section": "2 Microsoft 365 Defender",
"SubSection": "2.1 Email & collaboration",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP.Configure Exchange Online Spam Policies to copy emails and notify someone when a sender in the organization has been blocked for sending spam emails.",
"RationaleStatement": "A blocked account is a good indication that the account in question has been breached and an attacker is using it to send spam emails to other people.",
"ImpactStatement": "Notification of users that have been blocked should not cause an impact to the user.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.2. Click to expand `Email & collaboration` select `Policies & rules`> `Threat policies`. 3. Under Policies select `Anti-spam`.4. Click on the `Anti-spam outbound policy (default)`.5. Select `Edit protection settings` then under `Notifications`6. Check `Send a copy of suspicious outbound messages or message that exceed these limits to these users and groups` then enter the desired email addresses.7. Check `Notify these users and groups if a sender is blocked due to sending outbound spam` then enter the desired email addresses.8. Click `Save`.**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```$BccEmailAddress = @(\"<INSERT-EMAIL>\")$NotifyEmailAddress = @(\"<INSERT-EMAIL>\")Set-HostedOutboundSpamFilterPolicy -Identity Default -BccSuspiciousOutboundAdditionalRecipients $BccEmailAddress -BccSuspiciousOutboundMail $true -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients $NotifyEmailAddress```**Note:** Audit and Remediation guidance may focus on the **Default policy** however, if a Custom Policy exists in the organization's tenant, then ensure the setting is set as outlined in the highest priority policy listed.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.2. Click to expand `Email & collaboration` select `Policies & rules` > `Threat policies`. 3. Under Policies select `Anti-spam`.4. Click on the `Anti-spam outbound policy (default)`.5. Verify that `Send a copy of suspicious outbound messages or message that exceed these limits to these users and groups` is set to `On`, ensure the email address is correct.**To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Get-HostedOutboundSpamFilterPolicy | Select-Object Bcc*, Notify*```3. Verify both `BccSuspiciousOutboundMail` and `NotifyOutboundSpam` are set to `True` and the email addresses to be notified are correct.**Note:** Audit and Remediation guidance may focus on the **Default policy** however, if a Custom Policy exists in the organization's tenant, then ensure the setting is set as outlined in the highest priority policy listed.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-protection-about",
"DefaultValue": "```BccSuspiciousOutboundAdditionalRecipients : {}BccSuspiciousOutboundMail : FalseNotifyOutboundSpamRecipients : {}NotifyOutboundSpam : False```"
}
]
},
{
"Id": "2.1.7",
"Description": "By default, Office 365 includes built-in features that help protect users from phishing attacks. Set up anti-phishing polices to increase this protection, for example by refining settings to better detect and prevent impersonation and spoofing attacks. The default policy applies to all users within the organization and is a single view to fine-tune anti-phishing protection. Custom policies can be created and configured for specific users, groups or domains within the organization and will take precedence over the default policy for the scoped users.",
"Checks": [
"defender_antiphishing_policy_configured"
],
"Attributes": [
{
"Section": "2 Microsoft 365 Defender",
"SubSection": "2.1 Email & collaboration",
"Profile": "E5 Level 2",
"AssessmentStatus": "Automated",
"Description": "By default, Office 365 includes built-in features that help protect users from phishing attacks. Set up anti-phishing polices to increase this protection, for example by refining settings to better detect and prevent impersonation and spoofing attacks. The default policy applies to all users within the organization and is a single view to fine-tune anti-phishing protection. Custom policies can be created and configured for specific users, groups or domains within the organization and will take precedence over the default policy for the scoped users.",
"RationaleStatement": "Protects users from phishing attacks (like impersonation and spoofing) and uses safety tips to warn users about potentially harmful messages.",
"ImpactStatement": "Mailboxes that are used for support systems such as helpdesk and billing systems send mail to internal users and are often not suitable candidates for impersonation protection. Care should be taken to ensure that these systems are excluded from Impersonation Protection.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.2. Click to expand `Email & collaboration` select `Policies & rules` 3. Select `Threat policies`.4. Under Policies select `Anti-phishing` and click `Create`.5. Name the policy, continuing and clicking `Next` as needed: - Add `Groups` and/or `Domains` that contain a majority of the organization. - Set `Phishing email threshold` to `3 - More Aggressive` - Check `Enable users to protect` and add up to 350 users. - Check `Enable domains to protect` and check `Include domains I own`. - Check `Enable mailbox intelligence (Recommended)`. - Check `Enable Intelligence for impersonation protection (Recommended)`. - Check `Enable spoof intelligence (Recommended).`6. Under **Actions** configure the following: - Set `If a message is detected as user impersonation` to `Quarantine the message`. - Set `If a message is detected as domain impersonation` to `Quarantine the message`. - Set `If Mailbox Intelligence detects an impersonated user` to `Quarantine the message`. - Leave `Honor DMARC record policy when the message is detected as spoof` checked. - Check `Show first contact safety tip (Recommended)`. - Check `Show user impersonation safety tip`. - Check `Show domain impersonation safety tip`. - Check `Show user impersonation unusual characters safety tip`.7. Finally click `Next` and `Submit` the policy.**Note:** `DefaultFullAccessWithNotificationPolicy` is suggested but not required. Users will be notified that impersonation emails are in the Quarantine.**To remediate using PowerShell:**1. Connect to Exchange Online service using `Connect-ExchangeOnline`.2. Run the following Exchange Online PowerShell script to create an AntiPhish policy:```# Create the Policy$params = @{ Name = \"CIS AntiPhish Policy\" PhishThresholdLevel = 3 EnableTargetedUserProtection = $true EnableOrganizationDomainsProtection = $true EnableMailboxIntelligence = $true EnableMailboxIntelligenceProtection = $true EnableSpoofIntelligence = $true TargetedUserProtectionAction = 'Quarantine' TargetedDomainProtectionAction = 'Quarantine' MailboxIntelligenceProtectionAction = 'Quarantine' TargetedUserQuarantineTag = 'DefaultFullAccessWithNotificationPolicy' MailboxIntelligenceQuarantineTag = 'DefaultFullAccessWithNotificationPolicy' TargetedDomainQuarantineTag = 'DefaultFullAccessWithNotificationPolicy' EnableFirstContactSafetyTips = $true EnableSimilarUsersSafetyTips = $true EnableSimilarDomainsSafetyTips = $true EnableUnusualCharactersSafetyTips = $true HonorDmarcPolicy = $true}New-AntiPhishPolicy @params# Create the rule for all users in all valid domains and associate with PolicyNew-AntiPhishRule -Name $params.Name -AntiPhishPolicy $params.Name -RecipientDomainIs (Get-AcceptedDomain).Name -Priority 0```3. The new policy can be edited in the UI or via PowerShell.**Note:** Remediation guidance is intended to help create a qualifying AntiPhish policy that meets the recommended criteria while protecting the majority of the organization. It's understood some individual user exceptions may exist or exceptions for the entire policy if another product acts as a similiar control.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.2. Click to expand `Email & collaboration` select `Policies & rules` 3. Select `Threat policies`.4. Under Policies select `Anti-phishing`.5. Ensure an AntiPhish policy exists that is `On` and meets the following criteria:6. Under **Users, groups, and domains**. - Verify that the included domains and groups includes a majority of the organization.7. Under **Phishing threshold & protection** - Verify `Phishing email threshold` is at least `3 - More Aggressive`. - Verify `User impersonation protection` is `On` and contains a subset of users. - Verify `Domain impersonation protection` is `On for owned domains`. - Verify `Mailbox intelligence` and `Mailbox intelligence for impersonations` and `Spoof intelligence` are `On`.8. Under **Actions** review the following: - Verify `If a message is detected as user impersonation` is set to `Quarantine the message`. - Verify `If a message is detected as domain impersonation` is set to `Quarantine the message`. - Verify `If Mailbox Intelligence detects an impersonated user` is set to `Quarantine the message`. - Verify `First contact safety tip` is `On`. - Verify `User impersonation safety tip` is `On`. - Verify `Domain impersonation safety tip` is `On`. - Verify `Unusual characters safety tip` is `On`. - Verify `Honor DMARC record policy when the message is detected as spoof` is `On`.**Note:** `DefaultFullAccessWithNotificationPolicy` is suggested but not required. Users will be notified that impersonation emails are in the Quarantine.**To audit using PowerShell:**1. Connect to Exchange Online service using `Connect-ExchangeOnline`.2. Run the following Exchange Online PowerShell commands:```$params = @( \"name\",\"Enabled\",\"PhishThresholdLevel\",\"EnableTargetedUserProtection\" \"EnableOrganizationDomainsProtection\",\"EnableMailboxIntelligence\" \"EnableMailboxIntelligenceProtection\",\"EnableSpoofIntelligence\" \"TargetedUserProtectionAction\",\"TargetedDomainProtectionAction\" \"MailboxIntelligenceProtectionAction\",\"EnableFirstContactSafetyTips\" \"EnableSimilarUsersSafetyTips\",\"EnableSimilarDomainsSafetyTips\" \"EnableUnusualCharactersSafetyTips\",\"TargetedUsersToProtect\" \"HonorDmarcPolicy\")Get-AntiPhishPolicy | fl $params```3. Verify there is a policy created the matches the values for the following parameters:```Enabled : TruePhishThresholdLevel : 3EnableTargetedUserProtection : TrueEnableOrganizationDomainsProtection : TrueEnableMailboxIntelligence : TrueEnableMailboxIntelligenceProtection : TrueEnableSpoofIntelligence : TrueTargetedUserProtectionAction : QuarantineTargetedDomainProtectionAction : QuarantineMailboxIntelligenceProtectionAction : QuarantineEnableFirstContactSafetyTips : TrueEnableSimilarUsersSafetyTips : TrueEnableSimilarDomainsSafetyTips : TrueEnableUnusualCharactersSafetyTips : TrueTargetedUsersToProtect : {<contains users>}HonorDmarcPolicy : True```4. Verify that `TargetedUsersToProtect` contains a subset of the organization, up to 350 users, for targeted Impersonation Protection.5. Use PowerShell to verify the AntiPhishRule is configured and enabled.```Get-AntiPhishRule | ft AntiPhishPolicy,Priority,State,SentToMemberOf,RecipientDomainIs```6. Identity correct rule from the matching `AntiPhishPolicy` name in step 3. Ensure the rule defines groups or domains that include the majority of the organization by inspecting `SentToMemberOf` or `RecipientDomainIs`.**Note:** Audit guidance is intended to help identify a qualifying AntiPhish policy+rule that meets the recommended criteria while protecting the majority of the organization. It's understood some individual user exceptions may exist or exceptions for the entire policy if another product stands in as an equivalent control.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-about:https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-eop-configure",
"DefaultValue": ""
}
]
},
{
"Id": "2.1.8",
"Description": "For each domain that is configured in Exchange, a corresponding Sender Policy Framework (SPF) record should be created.",
"Checks": [],
"Attributes": [
{
"Section": "2 Microsoft 365 Defender",
"SubSection": "2.1 Email & collaboration",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "For each domain that is configured in Exchange, a corresponding Sender Policy Framework (SPF) record should be created.",
"RationaleStatement": "SPF records allow Exchange Online Protection and other mail systems to know where messages from domains are allowed to originate. This information can be used by that system to determine how to treat the message based on if it is being spoofed or is valid.",
"ImpactStatement": "There should be minimal impact of setting up SPF records however, organizations should ensure proper SPF record setup as email could be flagged as spam if SPF is not setup appropriately.",
"RemediationProcedure": "**To remediate using a DNS Provider:**1. If all email in your domain is sent from and received by Exchange Online, add the following TXT record for each Accepted Domain:```v=spf1 include:spf.protection.outlook.com -all```2. If there are other systems that send email in the environment, refer to this article for the proper SPF configuration: [https://docs.microsoft.com/en-us/office365/SecurityCompliance/set-up-spf-in-office-365-to-help-prevent-spoofing](https://docs.microsoft.com/en-us/office365/SecurityCompliance/set-up-spf-in-office-365-to-help-prevent-spoofing).",
"AuditProcedure": "**To audit using PowerShell:**1. Open a command prompt.2. Type the following command in PowerShell:```Resolve-DnsName [domain1.com] txt | fl```3. Ensure that a value exists and that it includes `v=spf1 include:spf.protection.outlook.com`. This designates Exchange Online as a designated sender.**To verify the SPF records are published, use the REST API for each domain:**```https://graph.microsoft.com/v1.0/domains/[DOMAIN.COM]/serviceConfigurationRecords```1. Ensure that a value exists that includes `v=spf1 include:spf.protection.outlook.com`. This designates Exchange Online as a designated sender.**Note:** Resolve-DnsName is not available on older versions of Windows prior to Windows 8 and Server 2012.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-spf-configure?view=o365-worldwide",
"DefaultValue": ""
}
]
},
{
"Id": "2.1.9",
"Description": "DKIM is one of the trio of Authentication methods (SPF, DKIM and DMARC) that help prevent attackers from sending messages that look like they come from your domain. DKIM lets an organization add a digital signature to outbound email messages in the message header. When DKIM is configured, the organization authorizes it's domain to associate, or sign, its name to an email message using cryptographic authentication. Email systems that get email from this domain can use a digital signature to help verify whether incoming email is legitimate.Use of DKIM in addition to SPF and DMARC to help prevent malicious actors using spoofing techniques from sending messages that look like they are coming from your domain.",
"Checks": [
"defender_domain_dkim_enabled"
],
"Attributes": [
{
"Section": "2 Microsoft 365 Defender",
"SubSection": "2.1 Email & collaboration",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "DKIM is one of the trio of Authentication methods (SPF, DKIM and DMARC) that help prevent attackers from sending messages that look like they come from your domain. DKIM lets an organization add a digital signature to outbound email messages in the message header. When DKIM is configured, the organization authorizes it's domain to associate, or sign, its name to an email message using cryptographic authentication. Email systems that get email from this domain can use a digital signature to help verify whether incoming email is legitimate.Use of DKIM in addition to SPF and DMARC to help prevent malicious actors using spoofing techniques from sending messages that look like they are coming from your domain.",
"RationaleStatement": "By enabling DKIM with Office 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and not being spoofed.",
"ImpactStatement": "There should be no impact of setting up DKIM however, organizations should ensure appropriate setup to ensure continuous mail-flow.",
"RemediationProcedure": "**To remediate using a DNS Provider:**1. For each accepted domain in Exchange Online, two DNS entries are required.```Host name: selector1._domainkeyPoints to address or value: selector1-<domainGUID>._domainkey.<initialDomain> TTL: 3600Host name: selector2._domainkeyPoints to address or value: selector2-<domainGUID>._domainkey.<initialDomain> TTL: 3600```For Office 365, the selectors will always be `selector1` or `selector2`.domainGUID is the same as the domainGUID in the customized MX record for your custom domain that appears before mail.protection.outlook.com. For example, in the following MX record for the domain contoso.com, the domainGUID is contoso-com:```contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.com```The initial domain is the domain that you used when you signed up for Office 365. Initial domains always end with on.microsoft.com.1. After the DNS records are created, enable DKIM signing in Defender.2. Navigate to `Microsoft 365 Defender` https://security.microsoft.com/3. Expand `Email & collaboration` > `Policies & rules` > `Threat policies`.4. Under `Rules` section click `Email authentication settings`.5. Select `DKIM`6. Click on each domain and click `Enable` next to `Sign messages for this domain with DKIM signature`.**Final remediation step using the Exchange Online PowerShell Module:**1. Connect to Exchange Online service using `Connect-ExchangeOnline`.2. Run the following Exchange Online PowerShell command:```Set-DkimSigningConfig -Identity < domainName > -Enabled $True```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com/2. Expand `Email & collaboration` > `Policies & rules` > `Threat policies`.3. Under `Rules` section click `Email authentication settings`.4. Select `DKIM`5. Click on each domain and confirm that `Sign messages for this domain with DKIM signatures` is `Enabled`.6. A status of `Not signing DKIM signatures for this domain` is an audit fail.**To audit using PowerShell:**1. Connect to Exchange Online service using `Connect-ExchangeOnline`.2. Run the following Exchange Online PowerShell command:```Get-DkimSigningConfig```3. Verify `Enabled` is set to True",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide",
"DefaultValue": ""
}
]
},
{
"Id": "2.1.10",
"Description": "DMARC, or Domain-based Message Authentication, Reporting, and Conformance, assists recipient mail systems in determining the appropriate action to take when messages from a domain fail to meet SPF or DKIM authentication criteria.",
"Checks": [],
"Attributes": [
{
"Section": "2 Microsoft 365 Defender",
"SubSection": "2.1 Email & collaboration",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "DMARC, or Domain-based Message Authentication, Reporting, and Conformance, assists recipient mail systems in determining the appropriate action to take when messages from a domain fail to meet SPF or DKIM authentication criteria.",
"RationaleStatement": "DMARC strengthens the trustworthiness of messages sent from an organization's domain to destination email systems. By integrating DMARC with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), organizations can significantly enhance their defenses against email spoofing and phishing attempts.Leaving a DMARC policy set to `p=none` can result in failed action when a spear phishing email fails DMARC but passes SPF and DKIM checks. Having DMARC fully configured is a critical part in preventing business email compromise.",
"ImpactStatement": "There should be no impact of setting up DMARC however, organizations should ensure appropriate setup to ensure continuous mail-flow.",
"RemediationProcedure": "**To remediate using a DNS Provider:**1. For each Exchange Online Accepted Domain, add the following record to DNS:``` Record: _dmarc.domain1.comType: TXTValue: v=DMARC1; p=none; rua=mailto:<rua-report@example.com>; ruf=mailto:<ruf-report@example.com>```2. This will create a basic DMARC policy that will allow the organization to start monitoring message statistics.3. One week is enough time for data generated by the reports to be useful in understanding email trends and traffic. The final step requires implementing a policy of `p=reject` OR `p=quarantine` and `pct=100` with the necessary `rua` and `ruf` email addresses defined:```Record: _dmarc.domain1.comType: TXTValue: v=DMARC1; p=reject; pct=100; rua=mailto:<rua-report@example.com>; ruf=mailto:<ruf-report@example.com>```**Also remediate the MOREA domain using the UI:**1. Navigate to the Microsoft 365 admin center https://admin.microsoft.com/2. Expand `Settings` and select `Domains`.3. Select your tenant domain (for example, contoso.onmicrosoft.com).4. Select `DNS records` and click `+ Add record`.5. Add a new record with the TXT name of `_dmarc` with the appropriate values outlined above.**Note:** The remediation portion involves a multi-staged approach over a period of time. First, a baseline of the current state of email will be established with `p=none` and `rua` and `ruf`. Once the environment is better understood and reports have been analyzed an organization will move to the final state with dmarc record values as outlined in the audit section.Microsoft has a list of [best practices for implementing DMARC](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide#best-practices-for-implementing-dmarc-in-microsoft-365) that cover these steps in detail.",
"AuditProcedure": "**To audit using PowerShell:**1. Open a command prompt.2. For each of the Accepted Domains in Exchange Online run the following in PowerShell:```Resolve-DnsName _dmarc.[domain1.com] txt```3. Ensure that the record exists and has at minimum the following flags defined as follows: `v=DMARC1;` (`p=quarantine` OR `p=reject`), `pct=100`, `rua=mailto:<reporting email address>` and `ruf=mailto:<reporting email address>`The below example records would pass as they contain a policy that would either `quarantine` or `reject` messages failing DMARC, the policy affects 100% of mail `pct=100` as well as containing valid reporting addresses:```v=DMARC1; p=reject; pct=100; rua=mailto:rua@contoso.com; ruf=mailto:ruf@contoso.com; fo=1v=DMARC1; p=reject; pct=100; fo=1; ri=3600; rua=mailto:rua@contoso.com; ruf=mailto:ruf@contoso.comv=DMARC1; p=quarantine; pct=100; sp=none; fo=1; ri=3600; rua=mailto:rua@contoso.com; ruf=ruf@contoso.com;```4. Ensure the Microsoft MOERA domain is also configured.```Resolve-DnsName _dmarc.[tenant].onmicrosoft.com txt```5. Ensure the record meets the same criteria listed in step #3.**Note:** Resolve-DnsName is not available on older versions of Windows prior to Windows 8 and Server 2012.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure?view=o365-worldwide:https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/how-to-enable-dmarc-reporting-for-microsoft-online-email-routing-address-moera-and-parked-domains?view=o365-worldwide:https://media.defense.gov/2024/May/02/2003455483/-1/-1/0/CSA-NORTH-KOREAN-ACTORS-EXPLOIT-WEAK-DMARC.PDF",
"DefaultValue": ""
}
]
},
{
"Id": "2.1.11",
"Description": "The Common Attachment Types Filter lets a user block known and custom malicious file types from being attached to emails. The policy provided by Microsoft covers 53 extensions, and an additional custom list of extensions can be defined.The list of 186 extensions provided in this recommendation is comprehensive but not exhaustive.",
"Checks": [
"defender_malware_policy_comprehensive_attachments_filter_applied"
],
"Attributes": [
{
"Section": "2 Microsoft 365 Defender",
"SubSection": "2.1 Email & collaboration",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "The Common Attachment Types Filter lets a user block known and custom malicious file types from being attached to emails. The policy provided by Microsoft covers 53 extensions, and an additional custom list of extensions can be defined.The list of 186 extensions provided in this recommendation is comprehensive but not exhaustive.",
"RationaleStatement": "Blocking known malicious file types can help prevent malware-infested files from infecting a host or performing other malicious attacks such as phishing and data extraction.Defining a comprehensive list of attachments can help protect against additional unknown and known threats. Many legacy file formats, binary files and compressed files have been used as delivery mechanisms for malicious software. Organizations can protect themselves from Business E-mail Compromise (BEC) by allow-listing only the file types relevant to their line of business and blocking all others.",
"ImpactStatement": "For file types that are business necessary users will need to use other organizationally approved methods to transfer blocked extension types between business partners.",
"RemediationProcedure": "**To Remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following script:```# Create an attachment policy and associated rule. The rule is# intentionally disabled allowing the org to enable it when ready$Policy = @{ Name = \"CIS L2 Attachment Policy\" EnableFileFilter = $true ZapEnabled = $true EnableInternalSenderAdminNotifications = $true InternalSenderAdminAddress = 'admin@contoso.com' # Change this.}$L2Extensions = @( \"7z\", \"a3x\", \"ace\", \"ade\", \"adp\", \"ani\", \"app\", \"appinstaller\", \"applescript\", \"application\", \"appref-ms\", \"appx\", \"appxbundle\", \"arj\", \"asd\", \"asx\", \"bas\", \"bat\", \"bgi\", \"bz2\", \"cab\", \"chm\", \"cmd\", \"com\", \"cpl\", \"crt\", \"cs\", \"csh\", \"daa\", \"dbf\", \"dcr\", \"deb\", \"desktopthemepackfile\", \"dex\", \"diagcab\", \"dif\", \"dir\", \"dll\", \"dmg\", \"doc\", \"docm\", \"dot\", \"dotm\", \"elf\", \"eml\", \"exe\", \"fxp\", \"gadget\", \"gz\", \"hlp\", \"hta\", \"htc\", \"htm\", \"htm\", \"html\", \"html\", \"hwpx\", \"ics\", \"img\", \"inf\", \"ins\", \"iqy\", \"iso\", \"isp\", \"jar\", \"jnlp\", \"js\", \"jse\", \"kext\", \"ksh\", \"lha\", \"lib\", \"library-ms\", \"lnk\", \"lzh\", \"macho\", \"mam\", \"mda\", \"mdb\", \"mde\", \"mdt\", \"mdw\", \"mdz\", \"mht\", \"mhtml\", \"mof\", \"msc\", \"msi\", \"msix\", \"msp\", \"msrcincident\", \"mst\", \"ocx\", \"odt\", \"ops\", \"oxps\", \"pcd\", \"pif\", \"plg\", \"pot\", \"potm\", \"ppa\", \"ppam\", \"ppkg\", \"pps\", \"ppsm\", \"ppt\", \"pptm\", \"prf\", \"prg\", \"ps1\", \"ps11\", \"ps11xml\", \"ps1xml\", \"ps2\", \"ps2xml\", \"psc1\", \"psc2\", \"pub\", \"py\", \"pyc\", \"pyo\", \"pyw\", \"pyz\", \"pyzw\", \"rar\", \"reg\", \"rev\", \"rtf\", \"scf\", \"scpt\", \"scr\", \"sct\", \"searchConnector-ms\", \"service\", \"settingcontent-ms\", \"sh\", \"shb\", \"shs\", \"shtm\", \"shtml\", \"sldm\", \"slk\", \"so\", \"spl\", \"stm\", \"svg\", \"swf\", \"sys\", \"tar\", \"theme\", \"themepack\", \"timer\", \"uif\", \"url\", \"uue\", \"vb\", \"vbe\", \"vbs\", \"vhd\", \"vhdx\", \"vxd\", \"wbk\", \"website\", \"wim\", \"wiz\", \"ws\", \"wsc\", \"wsf\", \"wsh\", \"xla\", \"xlam\", \"xlc\", \"xll\", \"xlm\", \"xls\", \"xlsb\", \"xlsm\", \"xlt\", \"xltm\", \"xlw\", \"xnk\", \"xps\", \"xsl\", \"xz\", \"z\")# Create the policyNew-MalwareFilterPolicy @Policy -FileTypes $L2Extensions# Create the rule for all accepted domains$Rule = @{ Name = $Policy.Name Enabled = $false MalwareFilterPolicy = $Policy.Name RecipientDomainIs = (Get-AcceptedDomain).Name Priority = 0}New-MalwareFilterRule @Rule```3. When prepared enable the rule either through the UI or PowerShell.**Note:** Due to the number of extensions the UI method is not covered. The objects can however be edited in the UI or manually added using the list from the script.1. Navigate to `Microsoft Defender` at https://security.microsoft.com/2. Browse to `Policies & rules` > `Threat policies` > `Anti-malware`.",
"AuditProcedure": "**Note:** Utilizing the UI for auditing Anti-malware policies can be very time consuming so it is recommended to use a script like the one supplied below.**To Audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following script:```# Evaluate each Malware policy. If one exist with more than 120 extensions then # the script will output a report showing a list of missing extensions along with# other parameters.$L2Extensions = @( \"7z\", \"a3x\", \"ace\", \"ade\", \"adp\", \"ani\", \"app\", \"appinstaller\", \"applescript\", \"application\", \"appref-ms\", \"appx\", \"appxbundle\", \"arj\", \"asd\", \"asx\", \"bas\", \"bat\", \"bgi\", \"bz2\", \"cab\", \"chm\", \"cmd\", \"com\", \"cpl\", \"crt\", \"cs\", \"csh\", \"daa\", \"dbf\", \"dcr\", \"deb\", \"desktopthemepackfile\", \"dex\", \"diagcab\", \"dif\", \"dir\", \"dll\", \"dmg\", \"doc\", \"docm\", \"dot\", \"dotm\", \"elf\", \"eml\", \"exe\", \"fxp\", \"gadget\", \"gz\", \"hlp\", \"hta\", \"htc\", \"htm\", \"htm\", \"html\", \"html\", \"hwpx\", \"ics\", \"img\", \"inf\", \"ins\", \"iqy\", \"iso\", \"isp\", \"jar\", \"jnlp\", \"js\", \"jse\", \"kext\", \"ksh\", \"lha\", \"lib\", \"library-ms\", \"lnk\", \"lzh\", \"macho\", \"mam\", \"mda\", \"mdb\", \"mde\", \"mdt\", \"mdw\", \"mdz\", \"mht\", \"mhtml\", \"mof\", \"msc\", \"msi\", \"msix\", \"msp\", \"msrcincident\", \"mst\", \"ocx\", \"odt\", \"ops\", \"oxps\", \"pcd\", \"pif\", \"plg\", \"pot\", \"potm\", \"ppa\", \"ppam\", \"ppkg\", \"pps\", \"ppsm\", \"ppt\", \"pptm\", \"prf\", \"prg\", \"ps1\", \"ps11\", \"ps11xml\", \"ps1xml\", \"ps2\", \"ps2xml\", \"psc1\", \"psc2\", \"pub\", \"py\", \"pyc\", \"pyo\", \"pyw\", \"pyz\", \"pyzw\", \"rar\", \"reg\", \"rev\", \"rtf\", \"scf\", \"scpt\", \"scr\", \"sct\", \"searchConnector-ms\", \"service\", \"settingcontent-ms\", \"sh\", \"shb\", \"shs\", \"shtm\", \"shtml\", \"sldm\", \"slk\", \"so\", \"spl\", \"stm\", \"svg\", \"swf\", \"sys\", \"tar\", \"theme\", \"themepack\", \"timer\", \"uif\", \"url\", \"uue\", \"vb\", \"vbe\", \"vbs\", \"vhd\", \"vhdx\", \"vxd\", \"wbk\", \"website\", \"wim\", \"wiz\", \"ws\", \"wsc\", \"wsf\", \"wsh\", \"xla\", \"xlam\", \"xlc\", \"xll\", \"xlm\", \"xls\", \"xlsb\", \"xlsm\", \"xlt\", \"xltm\", \"xlw\", \"xnk\", \"xps\", \"xsl\", \"xz\", \"z\")$MissingCount = 0$ExtensionPolicies = $null$RLine = $ExtensionReport = @()$FilterRules = Get-MalwareFilterRule$DateTime = $(((Get-Date).ToUniversalTime()).ToString(\"yyyyMMddTHHmmssZ\"))$OutputFilePath = \"$PWD\\CIS-Report_$($DateTime).txt\"$RLine += \"$(Get-Date)`n\"function Test-MalwarePolicy { param ( $PolicyId ) # Find the matching rule for custom policies $FoundRule = $null $FoundRule = $FilterRules | Where-Object { $_.MalwareFilterPolicy -eq $PolicyId } if ($PolicyId.EnableFileFilter -eq $false) { $script:RLine += \"WARNING: Common attachments filter is disabled.\" } if ($FoundRule.State -eq 'Disabled') { $script:RLine += \"WARNING: The Anti-malware rule is disabled.\" } $script:RLine += \"`nManual review needed - Domains, inclusions and exclusions must be valid:\" $script:RLine += $FoundRule | Format-List Name, RecipientDomainIs, Sent*, Except*}# Match any policy that has over 120 extensions defined$ExtensionPolicies = Get-MalwareFilterPolicy | Where-Object {$_.FileTypes.Count -gt 120 }if (!$ExtensionPolicies) { Write-Host \"`nFAIL: A policy containing the minimum number of extensions was not found.\" -ForegroundColor Red Write-Host \"Only policies with over 120 extensions defined will be evaluated.\" -ForegroundColor Red Exit}# Check each policy for missing extensionsforeach ($policy in $ExtensionPolicies) { $MissingExtensions = $L2Extensions | Where-Object { $extension = $_; -not $policy.FileTypes.Contains($extension) } if ($MissingExtensions.Count -eq 0) { $RLine += \"-\" * 60 $RLine += \"[FOUND] $($policy.Identity)\" $RLine += \"-\" * 60 $RLine += \"PASS: Policy contains all extensions\" Test-MalwarePolicy -PolicyId $policy } else { $MissingCount++ $ExtensionReport += @{ Identity = $policy.Identity MissingExtensions = $MissingExtensions -join ', ' } }}if ($MissingCount -gt 0) { foreach ($fpolicy in $ExtensionReport) { $RLine += \"-\" * 60 $RLine += \"[PARTIAL] $($fpolicy.Identity)\" $RLine += \"-\" * 60 $RLine += \"NOTICE - The following extensions were not found:`n\" $RLine += \"$($fpolicy.MissingExtensions)`n\" Test-MalwarePolicy -PolicyId $fpolicy.Identity }}# Output the report to a text fileOut-File -FilePath $OutputFilePath -InputObject $RLineGet-Content $OutputFilePathWrite-Host \"`nLog file exported to\" $OutputFilePath```3. Review the exported results which are stored in the present working directory.4. A pass for this recommendation is made when an active policy is in place that covers all extensions except for those explicitly defined as an exception by the organization. A passing policy must also be `enabled` and have the `EnableFileFilter` parameter enabled.5. Review any manual steps listed in the output, exceptions and inclusions are organizational specific.**Note:** The audit procedure intentionally does not include the action taken for matched extensions, e.g. Reject with NDR or Quarantine the message. These are considered organization specific and are not scored. When `FileTypeAction` is not specified the action will default to `Reject the message with a non-delivery receipt (NDR)`. The Quarantine Policy is also considered organization specific.**Note 2:** Weighting by individual extension risk is beyond the scope of this document. Organizations should evaluate these both independently and based on business need.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/powershell/module/exchange/get-malwarefilterpolicy?view=exchange-ps:https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide:https://learn.microsoft.com/en-us/office/compatibility/office-file-format-reference",
"DefaultValue": "The following extensions are blocked by default:ace, ani, apk, app, appx, arj, bat, cab, cmd, com, deb, dex, dll, docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib, library, lnk, lzh, macho, msc, msi, msix, msp, mst, pif, ppa, ppam, reg, rev, scf, scr, sct, sys, uif, vb, vbe, vbs, vxd, wsc, wsf, wsh, xll, xz, z"
}
]
},
{
"Id": "2.1.12",
"Description": "In Microsoft 365 organizations with Exchange Online mailboxes or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, connection filtering and the default connection filter policy identify good or bad source email servers by IP addresses. The key components of the default connection filter policy are **IP Allow List**, **IP Block List** and **Safe list**.The recommended state is `IP Allow List` empty or undefined.",
"Checks": [
"defender_antispam_connection_filter_policy_empty_ip_allowlist"
],
"Attributes": [
{
"Section": "2 Microsoft 365 Defender",
"SubSection": "2.1 Email & collaboration",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "In Microsoft 365 organizations with Exchange Online mailboxes or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, connection filtering and the default connection filter policy identify good or bad source email servers by IP addresses. The key components of the default connection filter policy are **IP Allow List**, **IP Block List** and **Safe list**.The recommended state is `IP Allow List` empty or undefined.",
"RationaleStatement": "Without additional verification like mail flow rules, email from sources in the IP Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC) checks. This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered. Messages that are determined to be malware or high confidence phishing are filtered.",
"ImpactStatement": "This is the default behavior. IP Allow lists may reduce false positives, however, this benefit is outweighed by the importance of a policy which scans all messages regardless of the origin. This supports the principle of zero trust.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.2. Click to expand `Email & collaboration` select `Policies & rules`> `Threat policies`. 3. Under Policies select `Anti-spam`.4. Click on the `Connection filter policy (Default)`.5. Click `Edit connection filter policy`.6. Remove any IP entries from `Always allow messages from the following IP addresses or address range:`.7. Click `Save`.**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{}```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.2. Click to expand `Email & collaboration` select `Policies & rules` > `Threat policies`. 3. Under Policies select `Anti-spam`.4. Click on the `Connection filter policy (Default)`.5. Ensure `IP Allow list` contains no entries.**To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Get-HostedConnectionFilterPolicy -Identity Default | fl IPAllowList```3. Ensure `IPAllowList` is empty or `{}`",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/defender-office-365/connection-filter-policies-configure:https://learn.microsoft.com/en-us/defender-office-365/create-safe-sender-lists-in-office-365#use-the-ip-allow-list:https://learn.microsoft.com/en-us/defender-office-365/how-policies-and-protections-are-combined#user-and-tenant-settings-conflict",
"DefaultValue": "IPAllowList : {}"
}
]
},
{
"Id": "2.1.13",
"Description": "In Microsoft 365 organizations with Exchange Online mailboxes or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, connection filtering and the default connection filter policy identify good or bad source email servers by IP addresses. The key components of the default connection filter policy are **IP Allow List**, **IP Block List** and **Safe list**.The safe list is a pre-configured allow list that is dynamically updated by Microsoft.The recommended safe list state is: `Off` or `False`",
"Checks": [
"defender_antispam_connection_filter_policy_safe_list_off"
],
"Attributes": [
{
"Section": "2 Microsoft 365 Defender",
"SubSection": "2.1 Email & collaboration",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "In Microsoft 365 organizations with Exchange Online mailboxes or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, connection filtering and the default connection filter policy identify good or bad source email servers by IP addresses. The key components of the default connection filter policy are **IP Allow List**, **IP Block List** and **Safe list**.The safe list is a pre-configured allow list that is dynamically updated by Microsoft.The recommended safe list state is: `Off` or `False`",
"RationaleStatement": "Without additional verification like mail flow rules, email from sources in the IP Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC) checks. This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered. Messages that are determined to be malware or high confidence phishing are filtered.The safe list is managed dynamically by Microsoft, and administrators do not have visibility into which sender are included. Incoming messages from email servers on the safe list bypass spam filtering.",
"ImpactStatement": "This is the default behavior. IP Allow lists may reduce false positives, however, this benefit is outweighed by the importance of a policy which scans all messages regardless of the origin. This supports the principle of zero trust.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.2. Click to expand `Email & collaboration` select `Policies & rules`> `Threat policies`. 3. Under Policies select `Anti-spam`.4. Click on the `Connection filter policy (Default)`.5. Click `Edit connection filter policy`.6. Uncheck `Turn on safe list`.7. Click `Save`.**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Set-HostedConnectionFilterPolicy -Identity Default -EnableSafeList $false```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.2. Click to expand `Email & collaboration` select `Policies & rules` > `Threat policies`. 3. Under Policies select `Anti-spam`.4. Click on the `Connection filter policy (Default)`.5. Ensure `Safe list` is `Off`. **To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Get-HostedConnectionFilterPolicy -Identity Default | fl EnableSafeList```3. Ensure `EnableSafeList` is `False`",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/defender-office-365/connection-filter-policies-configure:https://learn.microsoft.com/en-us/defender-office-365/create-safe-sender-lists-in-office-365#use-the-ip-allow-list:https://learn.microsoft.com/en-us/defender-office-365/how-policies-and-protections-are-combined#user-and-tenant-settings-conflict",
"DefaultValue": "EnableSafeList : False"
}
]
},
{
"Id": "2.1.14",
"Description": "Anti-spam protection is a feature of Exchange Online that utilizes policies to help to reduce the amount of junk email, bulk and phishing emails a mailbox receives. These policies contain lists to allow or block specific senders or domains. - The allowed senders list- The allowed domains list- The blocked senders list- The blocked domains listThe recommended state is: Do not define any `Allowed domains`",
"Checks": [
"defender_antispam_policy_inbound_no_allowed_domains"
],
"Attributes": [
{
"Section": "2 Microsoft 365 Defender",
"SubSection": "2.1 Email & collaboration",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "Anti-spam protection is a feature of Exchange Online that utilizes policies to help to reduce the amount of junk email, bulk and phishing emails a mailbox receives. These policies contain lists to allow or block specific senders or domains. - The allowed senders list- The allowed domains list- The blocked senders list- The blocked domains listThe recommended state is: Do not define any `Allowed domains`",
"RationaleStatement": "Messages from entries in the allowed senders list or the allowed domains list bypass most email protection (except malware and high confidence phishing) and email authentication checks (SPF, DKIM and DMARC). Entries in the allowed senders list or the allowed domains list create a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered. The risk is increased even more when allowing common domain names as these can be easily spoofed by attackers.Microsoft specifies in its documentation that allowed domains should be used for testing purposes only.",
"ImpactStatement": "This is the default behavior. Allowed domains may reduce false positives, however, this benefit is outweighed by the importance of having a policy which scans all messages regardless of the origin. As an alternative consider sender based lists. This supports the principle of zero trust.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.2. Click to expand `Email & collaboration` select `Policies & rules`> `Threat policies`. 3. Under Policies select `Anti-spam`.4. Open each out of compliance inbound anti-spam policy by clicking on it.5. Click `Edit allowed and blocked senders and domains`.6. Select `Allow domains`.7. Delete each domain from the domains list.8. Click `Done` > `Save`.9. Repeat as needed.**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Set-HostedContentFilterPolicy -Identity <Policy name> -AllowedSenderDomains @{}```Or, run this to remove allowed domains from all inbound anti-spam policies:```$AllowedDomains = Get-HostedContentFilterPolicy | Where-Object {$_.AllowedSenderDomains}$AllowedDomains | Set-HostedContentFilterPolicy -AllowedSenderDomains @{}```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.2. Click to expand `Email & collaboration` select `Policies & rules` > `Threat policies`. 3. Under Policies select `Anti-spam`.4. Inspect each **inbound anti-spam** policy5. Ensure `Allowed domains` does not contain any domain names.6. Repeat as needed for any additional inbound anti-spam policy.**To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Get-HostedContentFilterPolicy | ft Identity,AllowedSenderDomains```3. Ensure `AllowedSenderDomains` is undefined for each inbound policy.**Note:** Each inbound policy must pass for this recommendation to be considered to be in a passing state.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/defender-office-365/anti-spam-protection-about#allow-and-block-lists-in-anti-spam-policies",
"DefaultValue": "AllowedSenderDomains : {}"
}
]
},
{
"Id": "2.4.1",
"Description": "Identify _priority accounts_ to utilize Microsoft 365's advanced custom security features. This is an essential tool to bolster protection for users who are frequently targeted due to their critical positions, such as executives, leaders, managers, or others who have access to sensitive, confidential, financial, or high-priority information.Once these accounts are identified, several services and features can be enabled, including threat policies, enhanced sign-in protection through conditional access policies, and alert policies, enabling faster response times for incident response teams.",
"Checks": [],
"Attributes": [
{
"Section": "2 Microsoft 365 Defender",
"SubSection": "2.4 System",
"Profile": "E5 Level 1",
"AssessmentStatus": "Manual",
"Description": "Identify _priority accounts_ to utilize Microsoft 365's advanced custom security features. This is an essential tool to bolster protection for users who are frequently targeted due to their critical positions, such as executives, leaders, managers, or others who have access to sensitive, confidential, financial, or high-priority information.Once these accounts are identified, several services and features can be enabled, including threat policies, enhanced sign-in protection through conditional access policies, and alert policies, enabling faster response times for incident response teams.",
"RationaleStatement": "Enabling priority account protection for users in Microsoft 365 is necessary to enhance security for accounts with access to sensitive data and high privileges, such as CEOs, CISOs, CFOs, and IT admins. These priority accounts are often targeted by spear phishing or whaling attacks and require stronger protection to prevent account compromise. To address this, Microsoft 365 and Microsoft Defender for Office 365 offer several key features that provide extra security, including the identification of incidents and alerts involving priority accounts and the use of built-in custom protections designed specifically for them.",
"ImpactStatement": "",
"RemediationProcedure": "_Remediate with a 3-step process_**Step 1: Enable Priority account protection in Microsoft 365 Defender:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com/2. Click to expand `System` select `Settings`.3. Select `E-mail & Collaboration` > `Priority account protection`4. Ensure `Priority account protection` is set to `On`**Step 2: Tag priority accounts:**5. Select `User tags`6. Select the `PRIORITY ACCOUNT` tag and click `Edit`7. Select `Add members` to add users, or groups. **Groups are recommended.**8. Repeat the previous 2 steps for any additional tags needed, such as Finance or HR.9. `Next` and `Submit`.**Step 3: Configure E-mail alerts for Priority Accounts:**10. Expand `E-mail & Collaboration` on the left column. 11. Select `New Alert Policy`12. Enter a valid policy Name & Description. Set `Severity` to `High` and `Category` to `Threat management`.13. Set `Activity is` to `Detected malware in an e-mail message`14. Mail direction is `Inbound`15. Select `Add Condition` and `User: recipient tags are` 16. In the `Selection option` field add chosen priority tags such as Priority account.17. Select `Every time an activity matches the rule`.18. `Next` and verify valid recipient(s) are selected.19. `Next` and select `Yes, turn it on right away.` Click `Submit` to save the alert.20. Repeat steps 10 - 18 for the Activity field `Activity is`: `Phishing email detected at time of delivery`**NOTE:** Any additional activity types may be added as needed. Above are the minimum recommended.",
"AuditProcedure": "_Audit with a 3-step process_**Step 1: Verify Priority account protection is enabled:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com/2. Click to expand `System` select `Settings`.3. Select `E-mail & collaboration` > `Priority account protection`4. Ensure `Priority account protection` is set to `On`**Step 2: Verify that priority accounts are identified and tagged accordingly:**5. Select `User tags`6. Select the `PRIORITY ACCOUNT` tag and click `Edit`7. Verify the assigned members match the organization's defined priority accounts or groups.8. Repeat the previous 2 steps for any additional tags identified, such as Finance or HR.**Step 3: Ensure alerts are configured:**9. Expand `E-mail & Collaboration` on the left column. 10. Select `Policies & rules` > `Alert policy`11. Ensure alert policies are configured for priority accounts, enabled and have a valid recipient. The tags column can be used to identify policies using a specific tag.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoft-365/admin/setup/priority-accounts:https://learn.microsoft.com/en-us/defender-office-365/priority-accounts-security-recommendations",
"DefaultValue": "By default, priority accounts are undefined."
}
]
},
{
"Id": "2.4.2",
"Description": "Preset security policies have been established by Microsoft, utilizing observations and experiences within datacenters to strike a balance between the exclusion of malicious content from users and limiting unwarranted disruptions. These policies can apply to all, or select users and encompass recommendations for addressing spam, malware, and phishing threats. The policy parameters are pre-determined and non-adjustable.`Strict protection` has the most aggressive protection of the 3 presets.- EOP: Anti-spam, Anti-malware and Anti-phishing- Defender: Spoof protection, Impersonation protection and Advanced phishing- Defender: Safe Links and Safe Attachments**NOTE: The preset security polices cannot target Priority account TAGS currently, groups should be used instead.**",
"Checks": [],
"Attributes": [
{
"Section": "2 Microsoft 365 Defender",
"SubSection": "2.4 System",
"Profile": "E5 Level 1",
"AssessmentStatus": "Manual",
"Description": "Preset security policies have been established by Microsoft, utilizing observations and experiences within datacenters to strike a balance between the exclusion of malicious content from users and limiting unwarranted disruptions. These policies can apply to all, or select users and encompass recommendations for addressing spam, malware, and phishing threats. The policy parameters are pre-determined and non-adjustable.`Strict protection` has the most aggressive protection of the 3 presets.- EOP: Anti-spam, Anti-malware and Anti-phishing- Defender: Spoof protection, Impersonation protection and Advanced phishing- Defender: Safe Links and Safe Attachments**NOTE: The preset security polices cannot target Priority account TAGS currently, groups should be used instead.**",
"RationaleStatement": "Enabling priority account protection for users in Microsoft 365 is necessary to enhance security for accounts with access to sensitive data and high privileges, such as CEOs, CISOs, CFOs, and IT admins. These priority accounts are often targeted by spear phishing or whaling attacks and require stronger protection to prevent account compromise.The implementation of stringent, pre-defined policies may result in instances of false positive, however, the benefit of requiring the end-user to preview junk email before accessing their inbox outweighs the potential risk of mistakenly perceiving a malicious email as safe due to its placement in the inbox.",
"ImpactStatement": "Strict policies are more likely to cause false positives in anti-spam, phishing, impersonation, spoofing and intelligence responses.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com/2. Select to expand `E-mail & collaboration`.3. Select `Policies & rules` > `Threat policies` > `Preset security policies`.4. Click to `Manage protection settings` for `Strict protection` preset.5. For `Apply Exchange Online Protection` select at minimum `Specific recipients` and include the Accounts/Groups identified as Priority Accounts.6. For `Apply Defender for Office 365 Protection` select at minimum `Specific recipients` and include the Accounts/Groups identified as Priority Accounts.7. For `Impersonation protection` click `Next` and add valid e-mails or priority accounts both internal and external that may be subject to impersonation.8. For `Protected custom domains` add the organization's domain name, along side other key partners.9. Click `Next` and finally `Confirm`",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com/2. Select to expand `E-mail & collaboration`.3. Select `Policies & rules` > `Threat policies`.4. From here visit each section in turn: `Anti-phishing` `Anti-spam` `Anti-malware` `Safe Attachments` `Safe Links`5. Ensure in each there is a policy named `Strict Preset Security Policy` which includes the organization's priority Accounts/Groups.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/defender-office-365/preset-security-policies?view=o365-worldwide:https://learn.microsoft.com/en-us/defender-office-365/priority-accounts-security-recommendations:https://learn.microsoft.com/en-us/defender-office-365/recommended-settings-for-eop-and-office365?view=o365-worldwide#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365",
"DefaultValue": "By default, presets are not applied to any users or groups."
}
]
},
{
"Id": "2.4.3",
"Description": "Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB). It provides visibility into suspicious activity in Microsoft 365, enabling investigation into potential security issues and facilitating the implementation of remediation measures if necessary.Some risk detection methods provided by Entra Identity Protection also require Microsoft Defender for Cloud Apps:- Suspicious manipulation of inbox rules- Suspicious inbox forwarding- New country detection- Impossible travel detection- Activity from anonymous IP addresses- Mass access to sensitive files",
"Checks": [],
"Attributes": [
{
"Section": "2 Microsoft 365 Defender",
"SubSection": "2.4 System",
"Profile": "E5 Level 2",
"AssessmentStatus": "Manual",
"Description": "Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB). It provides visibility into suspicious activity in Microsoft 365, enabling investigation into potential security issues and facilitating the implementation of remediation measures if necessary.Some risk detection methods provided by Entra Identity Protection also require Microsoft Defender for Cloud Apps:- Suspicious manipulation of inbox rules- Suspicious inbox forwarding- New country detection- Impossible travel detection- Activity from anonymous IP addresses- Mass access to sensitive files",
"RationaleStatement": "Security teams can receive notifications of triggered alerts for atypical or suspicious activities, see how the organization's data in Microsoft 365 is accessed and used, suspend user accounts exhibiting suspicious activity, and require users to log back in to Microsoft 365 apps after an alert has been triggered.",
"ImpactStatement": "",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com/2. Click to expand `System` select `Settings` > `Cloud apps`.3. Scroll to `Information Protection` and select `Files`.4. Check `Enable file monitoring`.5. Scroll up to `Cloud Discovery` and select `Microsoft Defender for Endpoint.`6. Check `Enforce app access`, configure a Notification URL and `Save`.**Note:** Defender for Endpoint requires a Defender for Endpoint license.**Configure App Connectors:** 1. Scroll to `Connected apps` and select `App connectors`. 2. Click on `Connect an app` and select `Microsoft 365`.3. Check all Azure and Office 365 boxes then click `Connect Office 365`.4. Repeat for the `Microsoft Azure` application.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com/2. Click to expand `System` select `Settings` > `Cloud apps`.3. Scroll to `Connected apps` and select `App connectors`. 4. Ensure that **Microsoft 365** and **Microsoft Azure** both show in the list as `Connected`.5. Go to `Cloud Discovery` > `Microsoft Defender for Endpoint` and check if the integration is enabled.6. Go to `Information Protection` > `Files` and verify `Enable file monitoring` is checked.",
"AdditionalInformation": "Additional Microsoft 365 Defender features include:- The option to use Defender for cloud apps as a reverse proxy, allowing for the application of access or session controls through the definition of a conditional access policy.- The purchase and implementation of the \"App Governance\" add-on, which provides more precise control over OAuth app permissions and includes additional built-in policies.A list of Defender for Cloud Apps built-in policies for Office 365 can be found at https://learn.microsoft.com/en-us/defender-cloud-apps/protect-office-365.",
"References": "https://learn.microsoft.com/en-us/defender-cloud-apps/protect-office-365#connect-microsoft-365-to-microsoft-defender-for-cloud-apps:https://learn.microsoft.com/en-us/defender-cloud-apps/protect-azure#connect-azure-to-microsoft-defender-for-cloud-apps:https://learn.microsoft.com/en-us/defender-cloud-apps/best-practices:https://learn.microsoft.com/en-us/defender-cloud-apps/get-started:https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks",
"DefaultValue": "Disabled"
}
]
},
{
"Id": "2.4.4",
"Description": "Zero-hour auto purge (ZAP) is a protection feature that retroactively detects and neutralizes malware and high confidence phishing. When ZAP for Teams protection blocks a message, the message is blocked for everyone in the chat. The initial block happens right after delivery, but ZAP occurs up to 48 hours after delivery.",
"Checks": [
"defender_zap_for_teams_enabled"
],
"Attributes": [
{
"Section": "2 Microsoft 365 Defender",
"SubSection": "2.4 System",
"Profile": "E5 Level 1",
"AssessmentStatus": "Automated",
"Description": "Zero-hour auto purge (ZAP) is a protection feature that retroactively detects and neutralizes malware and high confidence phishing. When ZAP for Teams protection blocks a message, the message is blocked for everyone in the chat. The initial block happens right after delivery, but ZAP occurs up to 48 hours after delivery.",
"RationaleStatement": "ZAP is intended to protect users that have received zero-day malware messages or content that is weaponized after being delivered to users. It does this by continually monitoring spam and malware signatures taking automated retroactive action on messages that have already been delivered.",
"ImpactStatement": "As with any anti-malware or anti-phishing product, false positives may occur.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Defender` https://security.microsoft.com/2. Click to expand `System` select `Settings` > `Email & collaboration` > `Microsoft Teams protection`.3. Set `Zero-hour auto purge (ZAP)` to `On (Default)`**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following cmdlet:```Set-TeamsProtectionPolicy -Identity \"Teams Protection Policy\" -ZapEnabled $true```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Defender` https://security.microsoft.com/2. Click to expand `System` select `Settings` > `Email & collaboration` > `Microsoft Teams protection`.3. Ensure `Zero-hour auto purge (ZAP)` is set to `On (Default)`4. Under `Exclude these participants` review the list of exclusions and ensure they are justified and within tolerance for the organization.**To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following cmdlets:```Get-TeamsProtectionPolicy | fl ZapEnabledGet-TeamsProtectionPolicyRule | fl ExceptIf*```3. Ensure `ZapEnabled` is `True`.4. Review the list of exclusions and ensure they are justified and within tolerance for the organization. If nothing returns from the 2nd cmdlet then there are no exclusions defined.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/defender-office-365/zero-hour-auto-purge?view=o365-worldwide#zero-hour-auto-purge-zap-in-microsoft-teams:https://learn.microsoft.com/en-us/defender-office-365/mdo-support-teams-about?view=o365-worldwide#configure-zap-for-teams-protection-in-defender-for-office-365-plan-2",
"DefaultValue": "On (Default)"
}
]
},
{
"Id": "3.1.1",
"Description": "When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 90 days. However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. In this scenario, a global admin can choose to turn off audit log search in Microsoft 365.",
"Checks": [
"purview_audit_log_search_enabled"
],
"Attributes": [
{
"Section": "3 Microsoft Purview",
"SubSection": "3.1 Audit",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 90 days. However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. In this scenario, a global admin can choose to turn off audit log search in Microsoft 365.",
"RationaleStatement": "Enabling audit log search in the Microsoft Purview compliance portal can help organizations improve their security posture, meet regulatory compliance requirements, respond to security incidents, and gain valuable operational insights.",
"ImpactStatement": "",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Purview` https://compliance.microsoft.com.2. Select `Audit` to open the audit search.3. Click `Start recording user and admin activity` next to the information warning at the top.4. Click `Yes` on the dialog box to confirm.**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Purview` https://compliance.microsoft.com.2. Select `Audit` to open the audit search.3. Choose a date and time frame in the past 30 days.4. Verify search capabilities (e.g. try searching for Activities as `Accessed file` and results should be displayed).**To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled```3. Ensure `UnifiedAuditLogIngestionEnabled` is set to `True`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/purview/audit-log-enable-disable?view=o365-worldwide&tabs=microsoft-purview-portal:https://learn.microsoft.com/en-us/powershell/module/exchange/set-adminauditlogconfig?view=exchange-ps",
"DefaultValue": ""
}
]
},
{
"Id": "3.2.1",
"Description": "Data Loss Prevention (DLP) policies allow Exchange Online and SharePoint Online content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords.",
"Checks": [],
"Attributes": [
{
"Section": "3 Microsoft Purview",
"SubSection": "3.1 Audit",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Data Loss Prevention (DLP) policies allow Exchange Online and SharePoint Online content to be scanned for specific types of data like social security numbers, credit card numbers, or passwords.",
"RationaleStatement": "Enabling DLP policies alerts users and administrators that specific types of data should not be exposed, helping to protect the data from accidental exposure.",
"ImpactStatement": "Enabling a Teams DLP policy will allow sensitive data in Exchange Online and SharePoint Online to be detected or blocked. Always ensure to follow appropriate procedures during testing and implementation of DLP policies based on organizational standards.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Purview` https://compliance.microsoft.com.2. Under `Solutions` select `Data loss prevention` then `Policies`. 3. Click `Create policy`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Purview` https://compliance.microsoft.com.2. Under `Solutions` select `Data loss prevention` then `Policies`. 3. Verify that policies exist and are enabled.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp?view=o365-worldwide",
"DefaultValue": ""
}
]
},
{
"Id": "3.2.2",
"Description": "The default Teams Data Loss Prevention (DLP) policy rule in Microsoft 365 is a preconfigured rule that is automatically applied to all Teams conversations and channels. The default rule helps prevent accidental sharing of sensitive information by detecting and blocking certain types of content that are deemed sensitive or inappropriate by the organization. By default, the rule includes a check for the sensitive info type _Credit Card Number_ which is pre-defined by Microsoft.",
"Checks": [],
"Attributes": [
{
"Section": "3 Microsoft Purview",
"SubSection": "3.1 Audit",
"Profile": "E5 Level 1",
"AssessmentStatus": "Manual",
"Description": "The default Teams Data Loss Prevention (DLP) policy rule in Microsoft 365 is a preconfigured rule that is automatically applied to all Teams conversations and channels. The default rule helps prevent accidental sharing of sensitive information by detecting and blocking certain types of content that are deemed sensitive or inappropriate by the organization. By default, the rule includes a check for the sensitive info type _Credit Card Number_ which is pre-defined by Microsoft.",
"RationaleStatement": "Enabling the default Teams DLP policy rule in Microsoft 365 helps protect an organization's sensitive information by preventing accidental sharing or leakage Credit Card information in Teams conversations and channels.DLP rules are not one size fits all, but at a minimum something should be defined. The organization should identify sensitive information important to them and seek to intercept it using DLP.",
"ImpactStatement": "End-users may be prevented from sharing certain types of content, which may require them to adjust their behavior or seek permission from administrators to share specific content. Administrators may receive requests from end-users for permission to share certain types of content or to modify the policy to better fit the needs of their teams.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Purview` compliance portal https://compliance.microsoft.com.2. Under `Solutions` select `Data loss prevention` then `Policies`. 3. Click `Policies` tab.4. Check `Default policy for Teams` then click `Edit policy`.5. The edit policy window will appear click Next6. At the `Choose locations to apply the policy` page, turn the status toggle to `On` for `Teams chat and channel messages` location and then click Next.7. On Customized advanced DLP rules page, ensure the `Default Teams DLP policy rule` Status is `On` and click Next.9. On the Policy mode page, select the radial for `Turn it on right away` and click Next.10. Review all the settings for the created policy on the Review your policy and create it page, and then click submit.11. Once the policy has been successfully submitted click Done.**Note:** Some tenants may not have a default policy for teams as Microsoft started creating these by default at a particular point in time. In this case a new policy will have to be created that includes a rule to protect data important to the organization such as credit cards and PII.",
"AuditProcedure": "**To audit the using the UI:**1. Navigate to `Microsoft Purview` compliance portal https://compliance.microsoft.com.2. Under `Solutions` select `Data loss prevention` then `Policies`. 3. Locate the `Default policy for Teams`.4. Verify the `Status` is `On`.5. Verify `Locations` include `Teams chat and channel messages - All accounts`.6. Verify `Policy settings` incudes the Default Teams DLP policy rule or one specific to the organization.**Note:** If there is not a default policy for teams inspect existing policies starting with step 4. DLP rules are specific to the organization and each organization should take steps to protect the data that matters to them. The default teams DLP rule will only alert on Credit Card matches.**To audit using PowerShell:**1. Connect to the Security & Compliance PowerShell using `Connect-IPPSSession`.2. Run the following to return policies that include Teams chat and channel messages:```$DlpPolicy = Get-DlpCompliancePolicy$DlpPolicy | Where-Object {$_.Workload -match \"Teams\"} | ft Name,Mode,TeamsLocation*```3. If nothing returns then there are no policies that include Teams and remediation is required.4. For any returned policy verify `Mode` is set to `Enable`.5. Verify `TeamsLocation` includes `All`.6. Verify `TeamsLocationException` includes only permitted exceptions. **Note:** Some tenants may not have a default policy for teams as Microsoft started creating these by default at a particular point in time. In this case a new policy will have to be created that includes a rule to protect data important to the organization such as credit cards and PII.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell?view=exchange-ps:https://learn.microsoft.com/en-us/purview/dlp-teams-default-policy:https://learn.microsoft.com/en-us/powershell/module/exchange/connect-ippssession?view=exchange-ps",
"DefaultValue": "Enabled (On)"
}
]
},
{
"Id": "3.3.1",
"Description": "SharePoint Online Data Classification Policies enables organizations to classify and label content in SharePoint Online based on its sensitivity and business impact. This setting helps organizations to manage and protect sensitive data by automatically applying labels to content, which can then be used to apply policy-based protection and governance controls.",
"Checks": [],
"Attributes": [
{
"Section": "3 Microsoft Purview",
"SubSection": "3.3 Information protection",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "SharePoint Online Data Classification Policies enables organizations to classify and label content in SharePoint Online based on its sensitivity and business impact. This setting helps organizations to manage and protect sensitive data by automatically applying labels to content, which can then be used to apply policy-based protection and governance controls.",
"RationaleStatement": "By categorizing and applying policy-based protection, SharePoint Online Data Classification Policies can help reduce the risk of data loss or exposure and enable more effective incident response if a breach does occur.",
"ImpactStatement": "The creation of data classification policies is unlikely to have a significant impact on an organization. However, maintaining long-term adherence to policies may require ongoing training and compliance efforts across the organization. Therefore, organizations should include training and compliance planning as part of the data classification policy creation process.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Purview` compliance portal https://compliance.microsoft.com.2. Under `Solutions` select `Information protection`.3. Click on the `Label policies` tab.4. Click `Create a label` to create a label.5. Select the label and click on the `Publish label`.6. Fill out the forms to create the policy.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft Purview` compliance portal https://compliance.microsoft.com.2. Under `Solutions` select `Information protection`.3. Click on the `Label policies` tab.4. Ensure that a Label policy exists and is published accordingly.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/purview/data-classification-overview?view=o365-worldwide#top-sensitivity-labels-applied-to-content:https://learn.microsoft.com/en-us/purview/sensitivity-labels-sharepoint-onedrive-files",
"DefaultValue": ""
}
]
},
{
"Id": "5.1.1.1",
"Description": "Security defaults in Microsoft Entra ID make it easier to be secure and help protect the organization. Security defaults contain preconfigured security settings for common attacks.By default, Microsoft enables security defaults. The goal is to ensure that all organizations have a basic level of security enabled. The security default setting is manipulated in the Entra admin center.The use of security defaults, however, will prohibit custom settings which are being set with more advanced settings from this benchmark.",
"Checks": [],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.1 Identity",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Security defaults in Microsoft Entra ID make it easier to be secure and help protect the organization. Security defaults contain preconfigured security settings for common attacks.By default, Microsoft enables security defaults. The goal is to ensure that all organizations have a basic level of security enabled. The security default setting is manipulated in the Entra admin center.The use of security defaults, however, will prohibit custom settings which are being set with more advanced settings from this benchmark.",
"RationaleStatement": "Security defaults provide secure default settings that are managed on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings.For example, doing the following:- Requiring all users and admins to register for MFA.- Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.- Disabling authentication from legacy authentication clients, which cant do MFA.",
"ImpactStatement": "The potential impact associated with disabling of Security Defaults is dependent upon the security controls implemented in the environment. It is likely that most organizations disabling Security Defaults plan to implement equivalent controls to replace Security Defaults.It may be necessary to check settings in other Microsoft products, such as Azure, to ensure settings and functionality are as expected when disabling security defaults for MS365.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to the`Microsoft Entra admin center` https://entra.microsoft.com. 2. Click to expand`Identity` select`Overview`3. Click `Properties`.4. Click `Manage security defaults`.5. Set the `Security defaults` dropdown to `Disabled`.6. Select Save.**To remediate using PowerShell:**1. Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes \"Policy.ReadWrite.ConditionalAccess\"`.2. Run the following Microsoft Graph PowerShell command:```$params = @{ IsEnabled = $false }Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter $params```**Warning:** It is recommended not to disable security defaults until you are ready to implement conditional access rules in the benchmark. Rules such as requiring MFA for all users and blocking legacy protocols are required in CA to make up for the gap created by disabling defaults. Plan accordingly. See the reference section for more details on what coverage Security Defaults provide.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to`Microsoft Entra admin center` https://entra.microsoft.com. 2. Click to expand`Identity` select`Overview`3. Click `Properties`.3. Review the section **Security Defaults** near the bottom4. If `Manage security defaults` appears clickable then proceed to the remediation section, otherwise read the note below.**Note:** If `Manage Conditional Access` appears in blue then Security defaults are already disabled, and CA is in use. The audit can be considered a Pass.**To audit using PowerShell:**1. Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes \"Policy.Read.All\"`.2. Run the following Microsoft Graph PowerShell command:```Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | ft IsEnabled ```3. If the value is false then Security Defaults is disabled.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults:https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-security-defaults/ba-p/1061414",
"DefaultValue": "Enabled."
}
]
},
{
"Id": "5.1.2.1",
"Description": "Legacy per-user Multi-Factor Authentication (MFA) can be configured to require individual users to provide multiple authentication factors, such as passwords and additional verification codes, to access their accounts. It was introduced in earlier versions of Office 365, prior to the more comprehensive implementation of Conditional Access (CA).",
"Checks": [],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.1 Identity",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Legacy per-user Multi-Factor Authentication (MFA) can be configured to require individual users to provide multiple authentication factors, such as passwords and additional verification codes, to access their accounts. It was introduced in earlier versions of Office 365, prior to the more comprehensive implementation of Conditional Access (CA).",
"RationaleStatement": "Both security defaults and conditional access with security defaults turned off are not compatible with per-user multi-factor authentication (MFA), which can lead to undesirable user authentication states. The CIS Microsoft 365 Benchmark explicitly employs Conditional Access for MFA as an enhancement over security defaults and as a replacement for the outdated per-user MFA. To ensure a consistent authentication state disable per-user MFA on all accounts.",
"ImpactStatement": "Accounts using per-user MFA will need to be migrated to use CA.Prior to disabling per-user MFA the organization must be prepared to implement conditional access MFA to avoid security gaps and allow for a smooth transition. This will help ensure relevant accounts are covered by MFA during the change phase from disabling per-user MFA to enabling CA MFA. Section 5.2.2 in this document covers creating of a CA rule for both administrators and all users in the tenant.Microsoft has documentation on migrating from per-user MFA [Convert users from per-user MFA to Conditional Access based MFA](https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted#convert-users-from-per-user-mfa-to-conditional-access-based-mfa)",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `Users` select `All users`.3. Click on `Per-user MFA` on the top row.4. Click the empty box next to `Display Name` to select all accounts.5. On the far right under _quick steps_ click `Disable`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `Users` select `All users`.3. Click on `Per-user MFA` on the top row.4. Ensure under the column `Multi-factor Auth Status` that each account is set to `Disabled`",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates#convert-users-from-per-user-mfa-to-conditional-access:https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide#use-conditional-access-policies:https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates#convert-per-user-mfa-enabled-and-enforced-users-to-disabled",
"DefaultValue": "Disabled"
}
]
},
{
"Id": "5.1.2.2",
"Description": "App registration allows users to register custom-developed applications for use within the directory.",
"Checks": [
"entra_thirdparty_integrated_apps_not_allowed"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.1 Identity",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "App registration allows users to register custom-developed applications for use within the directory.",
"RationaleStatement": "Third-party integrated applications connection to services should be disabled unless there is a very clear value and robust security controls are in place. While there are legitimate uses, attackers can grant access from breached accounts to third party applications to exfiltrate data from your tenancy without having to maintain the breached account.",
"ImpactStatement": "Implementation of this change will impact both end users and administrators. End users will not be able to integrate third-party applications that they may wish to use. Administrators are likely to receive requests from end users to grant them permission to necessary third-party applications.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `Users` select `Users settings`.3. Set `Users can register applications` to `No`.4. Click Save.**To remediate using PowerShell:** 1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes \"Policy.ReadWrite.Authorization\"`2. Run the following commands:```$param = @{ AllowedToCreateApps = \"$false\" }Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $param```",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `Users` select `Users settings`.3. Verify `Users can register applications` is set to `No`.**To audit using PowerShell:** 1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes \"Policy.Read.All\"`2. Run the following command:```(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions | fl AllowedToCreateApps```3. Ensure the returned value is `False`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity-platform/how-applications-are-added",
"DefaultValue": "Yes (Users can register applications.)"
}
]
},
{
"Id": "5.1.2.3",
"Description": "Non-privileged users can create tenants in the Entra administration portal under Manage tenant. The creation of a tenant is recorded in the Audit log as category \"DirectoryManagement\" and activity \"Create Company\". Anyone who creates a tenant becomes the Global Administrator of that tenant. The newly created tenant doesn't inherit any settings or configurations.",
"Checks": [
"entra_policy_ensure_default_user_cannot_create_tenants"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.1 Identity",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "Non-privileged users can create tenants in the Entra administration portal under Manage tenant. The creation of a tenant is recorded in the Audit log as category \"DirectoryManagement\" and activity \"Create Company\". Anyone who creates a tenant becomes the Global Administrator of that tenant. The newly created tenant doesn't inherit any settings or configurations.",
"RationaleStatement": "Restricting tenant creation prevents unauthorized or uncontrolled deployment of resources and ensures that the organization retains control over its infrastructure. User generation of shadow IT could lead to multiple, disjointed environments that can make it difficult for IT to manage and secure the organization's data, especially if other users in the organization began using these tenants for business purposes under the misunderstanding that they were secured by the organization's security team.",
"ImpactStatement": "Non-admin users will need to contact I.T. if they have a valid reason to create a tenant.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/2. Click to expand `Identity`> `Users` > `User settings`.3. Set `Restrict non-admin users from creating tenants` to `Yes` then `Save`.**To remediate using PowerShell:**1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes \"Policy.ReadWrite.Authorization\"`2. Run the following commands:```# Create hashtable and update the auth policy$params = @{ AllowedToCreateTenants = $false }Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $params```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/2. Click to expand `Identity`> `Users` > `User settings`.3. Ensure `Restrict non-admin users from creating tenants` is set to `Yes`**To audit using PowerShell:**1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes \"Policy.Read.All\"`2. Run the following commands:```(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions | Select-Object AllowedToCreateTenants```3. Ensure the returned value is `False`",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions",
"DefaultValue": "No - Non-administrators can create tenants.`AllowedToCreateTenants` is `True`"
}
]
},
{
"Id": "5.1.2.4",
"Description": "Restrict non-privileged users from signing into the Microsoft Entra admin center.**Note:** This recommendation only affects access to the web portal. It does not prevent privileged users from using other methods such as Rest API or PowerShell to obtain information. Those channels are addressed elsewhere in this document.",
"Checks": [],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.1 Identity",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Restrict non-privileged users from signing into the Microsoft Entra admin center.**Note:** This recommendation only affects access to the web portal. It does not prevent privileged users from using other methods such as Rest API or PowerShell to obtain information. Those channels are addressed elsewhere in this document.",
"RationaleStatement": "The Microsoft Entra admin center contains sensitive data and permission settings, which are still enforced based on the user's role. However, an end user may inadvertently change properties or account settings that could result in increased administrative overhead. Additionally, a compromised end user account could be used by a malicious attacker as a means to gather additional information and escalate an attack.**Note:** Users will still be able to sign into Microsoft Entra admin center but will be unable to see directory information.",
"ImpactStatement": "",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/2. Click to expand `Identity`> `Users` > `User settings`.3. Set `Restrict access to Microsoft Entra admin center` to `Yes` then `Save`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/2. Click to expand `Identity`> `Users` > `User settings`.3. Verify under the **Administration center** section that `Restrict access to Microsoft Entra admin center` is set to `Yes`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions",
"DefaultValue": "No - Non-administrators can access the Microsoft Entra admin center."
}
]
},
{
"Id": "5.1.2.5",
"Description": "The option for the user to `Stay signed in`, or the `Keep me signed in` option, will prompt a user after a successful login. When the user selects this option, a persistent refresh token is created. The refresh token lasts for 90 days by default and does not prompt for sign-in or multifactor.",
"Checks": [],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.1 Identity",
"Profile": "E3 Level 2",
"AssessmentStatus": "Manual",
"Description": "The option for the user to `Stay signed in`, or the `Keep me signed in` option, will prompt a user after a successful login. When the user selects this option, a persistent refresh token is created. The refresh token lasts for 90 days by default and does not prompt for sign-in or multifactor.",
"RationaleStatement": "Allowing users to select this option presents risk, especially if the user signs into their account on a publicly accessible computer/web browser. In this case it would be trivial for an unauthorized person to gain access to any associated cloud data from that account.",
"ImpactStatement": "Once this setting is hidden users will no longer be prompted upon sign-in with the message `Stay signed in?`. This may mean users will be forced to sign in more frequently. Important: some features of SharePoint Online and Office 2010 have a dependency on users remaining signed in. If you hide this option, users may get additional and unexpected sign in prompts.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity`> `Users` > `User settings`.3. Set `Show keep user signed in` to `No`.4. Click `Save`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity`> `Users` > `User settings`.3. Ensure `Show keep user signed in` is highlighted `No`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime:https://learn.microsoft.com/en-us/entra/fundamentals/how-to-manage-stay-signed-in-prompt",
"DefaultValue": "Users may select `stay signed in`"
}
]
},
{
"Id": "5.1.2.6",
"Description": "LinkedIn account connections allow users to connect their Microsoft work or school account with LinkedIn. After a user connects their accounts, information and highlights from LinkedIn are available in some Microsoft apps and services.",
"Checks": [],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.1 Identity",
"Profile": "E3 Level 2",
"AssessmentStatus": "Manual",
"Description": "LinkedIn account connections allow users to connect their Microsoft work or school account with LinkedIn. After a user connects their accounts, information and highlights from LinkedIn are available in some Microsoft apps and services.",
"RationaleStatement": "Disabling LinkedIn integration prevents potential phishing attacks and risk scenarios where an external party could accidentally disclose sensitive information.",
"ImpactStatement": "Users will not be able to sync contacts or use LinkedIn integration.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `Users` select `User settings`.3. Under `LinkedIn account connections` select `No`.4. Click `Save`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `Users` select `User settings`.3. Under `LinkedIn account connections` ensure `No` is highlighted.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/users/linkedin-integration:https://learn.microsoft.com/en-us/entra/identity/users/linkedin-user-consent",
"DefaultValue": "LinkedIn integration is enabled by default."
}
]
},
{
"Id": "5.1.3.1",
"Description": "A dynamic group is a dynamic configuration of security group membership for Microsoft Entra ID. Administrators can set rules to populate groups that are created in Entra ID based on user attributes (such as userType, department, or country/region). Members can be automatically added to or removed from a security group based on their attributes.The recommended state is to create a dynamic group that includes guest accounts.",
"Checks": [
"entra_dynamic_group_for_guests_created"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.1 Identity",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "A dynamic group is a dynamic configuration of security group membership for Microsoft Entra ID. Administrators can set rules to populate groups that are created in Entra ID based on user attributes (such as userType, department, or country/region). Members can be automatically added to or removed from a security group based on their attributes.The recommended state is to create a dynamic group that includes guest accounts.",
"RationaleStatement": "Dynamic groups allow for an automated method to assign group membership.Guest user accounts will be automatically added to this group and through this existing conditional access rules, access controls and other security measures will ensure that new guest accounts are restricted in the same manner as existing guest accounts.",
"ImpactStatement": "",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `Groups` select `All groups`.3. Select `New group` and assign the following values: - Group type: `Security` - Microsoft Entra roles can be assigned to the group: `No` - Membership type: `Dynamic User`4. Select `Add dynamic query`.5. Above the `Rule syntax` text box, select `Edit`. 6. Place the following expression in the box:```(user.userType -eq \"Guest\")```7. Select `OK` and `Save`**To remediate using PowerShell:**1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes \"Group.ReadWrite.All\"`2. In the script below edit `DisplayName` and `MailNickname` as needed and run:```$params = @{ DisplayName = \"Dynamic Test Group\" MailNickname = \"DynGuestUsers\" MailEnabled = $false SecurityEnabled = $true GroupTypes = \"DynamicMembership\" MembershipRule = '(user.userType -eq \"Guest\")' MembershipRuleProcessingState = \"On\"}New-MgGroup @params```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `Groups` select `All groups`.3. On the right of the search field click `Add filter`.4. Set `Filter` to `Membership type` and `Value` to `Dynamic` then apply.5. Identify a dynamic group and select it.6. Under manage, select `Dynamic membership rules` and ensure the rule syntax contains `(user.userType -eq \"Guest\")`7. If necessary, inspect other dynamic groups for the value above.**To audit using PowerShell:**1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes \"Group.Read.All\"`2. Run the following commands:```$groups = Get-MgGroup | Where-Object { $_.GroupTypes -contains \"DynamicMembership\" }$groups | ft DisplayName,GroupTypes,MembershipRule```3. Look for a dynamic group containing the rule `(user.userType -eq \"Guest\")`",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/users/groups-create-rule:https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership:https://learn.microsoft.com/en-us/entra/external-id/use-dynamic-groups",
"DefaultValue": "Undefined"
}
]
},
{
"Id": "5.1.5.1",
"Description": "Control when end users and group owners are allowed to grant consent to applications, and when they will be required to request administrator review and approval. Allowing users to grant apps access to data helps them acquire useful applications and be productive but can represent a risk in some situations if it's not monitored and controlled carefully.",
"Checks": [
"entra_app_registration_no_unused_privileged_permissions",
"entra_policy_restricts_user_consent_for_apps"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.1 Identity",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "Control when end users and group owners are allowed to grant consent to applications, and when they will be required to request administrator review and approval. Allowing users to grant apps access to data helps them acquire useful applications and be productive but can represent a risk in some situations if it's not monitored and controlled carefully.",
"RationaleStatement": "Attackers commonly use custom applications to trick users into granting them access to company data. Disabling future user consent operations setting mitigates this risk and helps to reduce the threat-surface. If user consent is disabled previous consent grants will still be honored but all future consent operations must be performed by an administrator.",
"ImpactStatement": "If user consent is disabled, previous consent grants will still be honored but all future consent operations must be performed by an administrator. Tenant-wide admin consent can be requested by users through an integrated administrator consent request workflow or through organizational support processes.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `Applications` select `Enterprise applications`.3. Under `Security` select `Consent and permissions` > `User consent settings`.4. Under `User consent for applications` select `Do not allow user consent`.5. Click the `Save` option at the top of the window.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `Applications` select `Enterprise applications`.3. Under `Security` select `Consent and permissions` > `User consent settings`.4. Verify `User consent for applications` is set to `Do not allow user consent`.**To audit using PowerShell:**1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes \"Policy.Read.All\"`2. Run the following command:```(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions | Select-Object -ExpandProperty PermissionGrantPoliciesAssigned```3. Ensure `ManagePermissionGrantsForSelf.microsoft-user-default-low` is not present OR that nothing is returned.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent?pivots=portal",
"DefaultValue": "UI - `Allow user consent for apps`"
}
]
},
{
"Id": "5.1.5.2",
"Description": "The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action.",
"Checks": [
"entra_admin_consent_workflow_enabled"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.1 Identity",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action.",
"RationaleStatement": "The admin consent workflow (Preview) gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer acts on the request, and the user is notified of the action.",
"ImpactStatement": "To approve requests, a reviewer must be a global administrator, cloud application administrator, or application administrator. The reviewer must already have one of these admin roles assigned; simply designating them as a reviewer doesn't elevate their privileges.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `Applications` select `Enterprise applications`.3. Under Security select `Consent and permissions`.4. Under Manage select `Admin consent settings`.5. Set `Users can request admin consent to apps they are unable to consent to",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `Applications` select `Enterprise applications`.3. Under Security select `Consent and permissions`.4. Under Manage select `Admin consent settings`.5. Verify that `Users can request admin consent to apps they are unable to consent to",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow",
"DefaultValue": "'- `Users can request admin consent to apps they are unable to consent to`: `No`- `Selected users to review admin consent requests`: `None`- `Selected users will receive email notifications for requests`: `Yes`- `Selected users will receive request expiration reminders`: `Yes`- `Consent request expires after (days)`: `30`"
}
]
},
{
"Id": "5.1.6.1",
"Description": "B2B collaboration is a feature within Microsoft Entra External ID that allows for guest invitations to an organization.Ensure users can only send invitations to `specified domains`.**Note:** This list works independently from OneDrive for Business and SharePoint Online allow/block lists. To restrict individual file sharing in SharePoint Online, set up an allow or blocklist for OneDrive for Business and SharePoint Online. For instance, in SharePoint or OneDrive users can still share with external users from prohibited domains by using Anyone links if they haven't been disabled.",
"Checks": [],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.1 Identity",
"Profile": "E3 Level 2",
"AssessmentStatus": "Manual",
"Description": "B2B collaboration is a feature within Microsoft Entra External ID that allows for guest invitations to an organization.Ensure users can only send invitations to `specified domains`.**Note:** This list works independently from OneDrive for Business and SharePoint Online allow/block lists. To restrict individual file sharing in SharePoint Online, set up an allow or blocklist for OneDrive for Business and SharePoint Online. For instance, in SharePoint or OneDrive users can still share with external users from prohibited domains by using Anyone links if they haven't been disabled.",
"RationaleStatement": "By specifying allowed domains for collaborations, external user's companies are explicitly identified. Also, this prevents internal users from inviting unknown external users such as personal accounts and granting them access to resources.",
"ImpactStatement": "This could make harder collaboration if the setting is not quickly updated when a new domain is identified as \"allowed\".",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `External Identities` select `External collaboration settings`.3. Under **Collaboration restrictions**, select `Allow invitations only to the specified domains (most restrictive)` is selected. Then specify the allowed domains under `Target domains`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `External Identities` select `External collaboration settings`.3. Under **Collaboration restrictions**, verify that `Allow invitations only to the specified domains (most restrictive)` is selected. Then verify allowed domains are specified under `Target domains`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/external-id/allow-deny-list:https://learn.microsoft.com/en-us/entra/external-id/what-is-b2b",
"DefaultValue": "Allow invitations to be sent to any domain (most inclusive)"
}
]
},
{
"Id": "5.1.6.2",
"Description": "Microsoft Entra ID, part of Microsoft Entra, allows you to restrict what external guest users can see in their organization in Microsoft Entra ID. Guest users are set to a limited permission level by default in Microsoft Entra ID, while the default for member users is the full set of user permissions. These directory level permissions are enforced across Microsoft Entra services including Microsoft Graph, PowerShell v2, the Azure portal, and My Apps portal. Microsoft 365 services leveraging Microsoft 365 groups for collaboration scenarios are also affected, specifically Outlook, Microsoft Teams, and SharePoint. They do not override the SharePoint or Microsoft Teams guest settings.The recommended state is at least `Guest users have limited access to properties and memberships of directory objects` or more restrictive.",
"Checks": [
"entra_policy_guest_users_access_restrictions"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.1 Identity",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "Microsoft Entra ID, part of Microsoft Entra, allows you to restrict what external guest users can see in their organization in Microsoft Entra ID. Guest users are set to a limited permission level by default in Microsoft Entra ID, while the default for member users is the full set of user permissions. These directory level permissions are enforced across Microsoft Entra services including Microsoft Graph, PowerShell v2, the Azure portal, and My Apps portal. Microsoft 365 services leveraging Microsoft 365 groups for collaboration scenarios are also affected, specifically Outlook, Microsoft Teams, and SharePoint. They do not override the SharePoint or Microsoft Teams guest settings.The recommended state is at least `Guest users have limited access to properties and memberships of directory objects` or more restrictive.",
"RationaleStatement": "By limiting guest access to the _most restrictive_ state this helps prevent malicious group and user object enumeration in the Microsoft 365 environment. This first step, known as _reconnaissance_ in The Cyber Kill Chain, is often conducted by attackers prior to more advanced targeted attacks.",
"ImpactStatement": "The default is `Guest users have limited access to properties and memberships of directory objects`. When using the 'most restrictive' setting, guests will only be able to access their own profiles and will not be allowed to see other users' profiles, groups, or group memberships.There are some known issues with Yammer that will prevent guests that are signed in from leaving the group.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `External Identities` select `External collaboration settings`.3. Under **Guest user access** set `Guest user access restrictions` to one of the following: - State: `Guest users have limited access to properties and memberships of directory objects` - State: `Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)`**To remediate using PowerShell:**1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes \"Policy.ReadWrite.Authorization\"`2. Run the following command to set the guest user access restrictions to default:```# Guest users have limited access to properties and memberships of directory objectsUpdate-MgPolicyAuthorizationPolicy -GuestUserRoleId '10dae51f-b6af-4016-8d66-8c2a99b929b3'```3. Or, run the following command to set it to the \"most restrictive\":```# Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)Update-MgPolicyAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'```**Note:** Either setting allows for a passing state.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `External Identities` select `External collaboration settings`.3. Under **Guest user access** verify that `Guest user access restrictions` is set to one of the following: - State: `Guest users have limited access to properties and memberships of directory objects` - State: `Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)`**To audit using PowerShell:**1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes \"Policy.Read.All\"`2. Run the following command:```Get-MgPolicyAuthorizationPolicy | fl GuestUserRoleId```3. Ensure the value returned is `10dae51f-b6af-4016-8d66-8c2a99b929b3` or `2af84b1e-32c8-42b7-82bc-daa82404023b` (most restrictive)**Note:** Either setting allows for a passing state.**Note 2:** The value of `a0b1b346-4d3e-4e8b-98f8-753987be4970` is equal to `Guest users have the same access as members (most inclusive)` and should not be used.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/users/users-restrict-guest-permissions:https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html",
"DefaultValue": "'- UI: `Guest users have limited access to properties and memberships of directory objects` - PowerShell: `10dae51f-b6af-4016-8d66-8c2a99b929b3`"
}
]
},
{
"Id": "5.1.6.3",
"Description": "By default, all users in the organization, including B2B collaboration guest users, can invite external users to B2B collaboration. The ability to send invitations can be limited by turning it on or off for everyone, or by restricting invitations to certain roles.The recommended state for guest invite restrictions is `Only users assigned to specific admin roles can invite guest users`.",
"Checks": [
"entra_policy_guest_invite_only_for_admin_roles"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.1 Identity",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "By default, all users in the organization, including B2B collaboration guest users, can invite external users to B2B collaboration. The ability to send invitations can be limited by turning it on or off for everyone, or by restricting invitations to certain roles.The recommended state for guest invite restrictions is `Only users assigned to specific admin roles can invite guest users`.",
"RationaleStatement": "Restricting who can invite guests limits the exposure the organization might face from unauthorized accounts.",
"ImpactStatement": "This introduces an obstacle to collaboration by restricting who can invite guest users to the organization. Designated Guest Inviters must be assigned, and an approval process established and clearly communicated to all users.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `External Identities` select `External collaboration settings`.3. Under **Guest invite settings** set `Guest invite restrictions` to `Only users assigned to specific admin roles can invite guest users`.**To remediate using PowerShell:**1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes \"Policy.ReadWrite.Authorization\"`2. Run the following command:```Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom 'adminsAndGuestInviters'```**Note:** The more restrictive position of the value will also pass audit, it is however not required.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `External Identities` select `External collaboration settings`.3. Under **Guest invite settings** verify that `Guest invite restrictions` is set to `Only users assigned to specific admin roles can invite guest users` or more restrictive.**To audit using PowerShell:**1. Connect to Microsoft Graph using `Connect-MgGraph -Scopes \"Policy.Read.All\"`2. Run the following command:```Get-MgPolicyAuthorizationPolicy | fl AllowInvitesFrom```3. Ensure the value returned is `adminsAndGuestInviters` or more restrictive.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/external-id/external-collaboration-settings-configure:https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#guest-inviter",
"DefaultValue": "'- UI: `Anyone in the organization can invite guest users including guests and non-admins (most inclusive)` - PowerShell: `everyone`"
}
]
},
{
"Id": "5.1.8.1",
"Description": "Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity synchronization. Microsoft Entra Connect synchronizes a hash, of the hash, of a user's password from an on-premises Active Directory instance to a cloud-based Entra ID instance.**Note:** Audit and remediation procedures in this recommendation only apply to Microsoft 365 tenants operating in a hybrid configuration using Entra Connect sync, and does not apply to federated domains.",
"Checks": [
"entra_password_hash_sync_enabled"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.1 Identity",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity synchronization. Microsoft Entra Connect synchronizes a hash, of the hash, of a user's password from an on-premises Active Directory instance to a cloud-based Entra ID instance.**Note:** Audit and remediation procedures in this recommendation only apply to Microsoft 365 tenants operating in a hybrid configuration using Entra Connect sync, and does not apply to federated domains.",
"RationaleStatement": "Password hash synchronization helps by reducing the number of passwords your users need to maintain to just one and enables leaked credential detection for your hybrid accounts. Leaked credential protection is leveraged through Entra ID Protection and is a subset of that feature which can help identify if an organization's user account passwords have appeared on the dark web or public spaces.Using other options for your directory synchronization may be less resilient as Microsoft can still process sign-ins to 365 with Hash Sync even if a network connection to your on-premises environment is not available.",
"ImpactStatement": "Compliance or regulatory restrictions may exist, depending on the organization's business sector, that preclude hashed versions of passwords from being securely transmitted to cloud data centers.",
"RemediationProcedure": "**To remediate using the on-prem Microsoft Entra Connect tool:**1. Log in to the on premises server that hosts the Microsoft Entra Connect tool2. Double-click the `Azure AD Connect` icon that was created on the desktop3. Click `Configure`.4. On the `Additional tasks` page, select `Customize synchronization options` and click `Next`.5. Enter the username and password for your global administrator. 6. On the `Connect your directories` screen, click `Next`.7. On the `Domain and OU filtering` screen, click `Next`.8. On the `Optional features` screen, check `Password hash synchronization` and click `Next`. 9. On the `Ready to configure` screen click `Configure`.10. Once the configuration completes, click `Exit`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity` > `Hybrid management` > `Microsoft Entra Connect`.3. Select `Connect Sync`4. Under **Microsoft Entra Connect sync**, verify Password Hash Sync is `Enabled`.**To audit for the on-prem tool:**1. Log in to the server that hosts the Microsoft Entra Connect tool.2. Run `Azure AD Connect`, and then click `Configure` and `View or export current configuration`.3. Determine whether `PASSWORD HASH SYNCHRONIZATION` is enabled on your tenant.**This information is also available via the Microsoft Graph Security API:** ```GET https://graph.microsoft.com/beta/security/secureScores```**To audit using PowerShell:**1. Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes \"Organization.Read.All\"`.2. Run the following Microsoft Graph PowerShell command:```Get-MgOrganization | ft OnPremisesSyncEnabled```3. If nothing returns then password sync is not enabled for the on premises AD.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-phs:https://www.microsoft.com/en-us/download/details.aspx?id=47594",
"DefaultValue": "'- Microsoft Entra Connect sync `disabled` by default - Password Hash Sync is Microsoft's recommended setting for new deployments"
}
]
},
{
"Id": "5.2.2.1",
"Description": "Multifactor authentication is a process that requires an additional form of identification during the sign-in process, such as a code from a mobile device or a fingerprint scan, to enhance security.Ensure users in administrator roles have MFA capabilities enabled.",
"Checks": [
"entra_admin_users_mfa_enabled"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.2 Protection",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Multifactor authentication is a process that requires an additional form of identification during the sign-in process, such as a code from a mobile device or a fingerprint scan, to enhance security.Ensure users in administrator roles have MFA capabilities enabled.",
"RationaleStatement": "Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.",
"ImpactStatement": "Implementation of multifactor authentication for all users in administrative roles will necessitate a change to user routine. All users in administrative roles will be required to enroll in multifactor authentication using phone, SMS, or an authentication application. After enrollment, use of multifactor authentication will be required for future access to the environment.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Click `New policy`. - Under `Users` include `Select users and groups` and check `Directory roles`. - At a minimum, include the directory roles listed below in this section of the document. - Under `Target resources` include `All cloud apps` and do not create any exclusions. - Under `Grant` select `Grant Access` and check `Require multifactor authentication`. - Click `Select` at the bottom of the pane.4. Under `Enable policy` set it to `Report Only` until the organization is ready to enable it.5. Click `Create`.**At minimum these directory roles should be included for MFA:**- Application administrator- Authentication administrator- Billing administrator- Cloud application administrator- Conditional Access administrator- Exchange administrator- Global administrator- Global reader- Helpdesk administrator- Password administrator- Privileged authentication administrator- Privileged role administrator- Security administrator- SharePoint administrator- User administrator**Note:** Report-only is an acceptable first stage when introducing any CA policy. The control, however, is not complete until the policy is on.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click to expand `Protection` > `Conditional Access` select `Policies`.3. Ensure that a policy exists with the following criteria and is set to `On`: - Under `Users` verify `Directory roles` specific to administrators are included. - Under `Target resources` verify `All cloud apps` is selected with no exclusions. - Under `Grant` verify `Grant Access` and `Require multifactor authentication` checked.4. Ensure `Enable policy` is set to `On`.**To audit using SecureScore:** 1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.2. Select `Secure score`.3. Select `Recommended actions`.4. Click on `Ensure multifactor authentication is enabled for all users in administrative roles`. 5. Review the number of Admin users who do not have MFA configured. **This information is also available via the Microsoft Graph Security API:**```GET https://graph.microsoft.com/beta/security/secureScores```**Note:** A list of required `Directory roles` can be found in the Remediation section.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-admin-mfa",
"DefaultValue": ""
}
]
},
{
"Id": "5.2.2.2",
"Description": "Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services. The second factor is most commonly a text message to a registered mobile phone number where they type in an authorization code, or with a mobile application like Microsoft Authenticator.",
"Checks": [
"entra_users_mfa_enabled"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.2 Protection",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Enable multifactor authentication for all users in the Microsoft 365 tenant. Users will be prompted to authenticate with a second factor upon logging in to Microsoft 365 services. The second factor is most commonly a text message to a registered mobile phone number where they type in an authorization code, or with a mobile application like Microsoft Authenticator.",
"RationaleStatement": "Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.",
"ImpactStatement": "Implementation of multifactor authentication for all users will necessitate a change to user routine. All users will be required to enroll in multifactor authentication using phone, SMS, or an authentication application. After enrollment, use of multifactor authentication will be required for future authentication to the environment.**Note:** Organizations that have difficulty enforcing MFA globally due lack of the budget to provide company owned mobile devices to every user, or equally are unable to force end users to use their personal devices due to regulations, unions, or policy have another option. FIDO2 Security keys may be used as a stand in for this recommendation. They are more secure, phishing resistant, and are affordable for an organization to issue to every end user.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Click `New policy`. - Under `Users` include `All users` (and do not exclude any user). - Under `Target resources` include `All cloud apps` and do not create any exclusions. - Under `Grant` select `Grant Access` and check `Require multifactor authentication`. - Click `Select` at the bottom of the pane.4. Under `Enable policy` set it to `Report Only` until the organization is ready to enable it.5. Click `Create`.**Note:** Report-only is an acceptable first stage when introducing any CA policy. The control, however, is not complete until the policy is on.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Ensure that a policy exists with the following criteria and is set to `On`: - Under `Users` verify `All users` is included. - Under `Target resources` verify `All cloud apps` is selected with no exclusions. - Under `Grant` verify `Grant Access` and `Require multifactor authentication` checked.4. Ensure `Enable policy` is set to `On`.**To audit using SecureScore:** 1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.2. Select `Secure score`.3. Select `Recommended actions`.4. Click on `Ensure multifactor authentication is enabled for all users`. 5. Review the list of users who do not have MFA configured.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-all-users-mfa",
"DefaultValue": "Disabled"
}
]
},
{
"Id": "5.2.2.3",
"Description": "Entra ID supports the most widely used authentication and authorization protocols including legacy authentication. This authentication pattern includes basic authentication, a widely used industry-standard method for collecting username and password information.The following messaging protocols support legacy authentication:- Authenticated SMTP - Used to send authenticated email messages.- Autodiscover - Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.- Exchange ActiveSync (EAS) - Used to connect to mailboxes in Exchange Online.- Exchange Online PowerShell - Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect. For instructions, see Connect to Exchange Online PowerShell using multifactor authentication.- Exchange Web Services (EWS) - A programming interface that's used by Outlook, Outlook for Mac, and third-party apps.- IMAP4 - Used by IMAP email clients.- MAPI over HTTP (MAPI/HTTP) - Primary mailbox access protocol used by Outlook 2010 SP2 and later.- Offline Address Book (OAB) - A copy of address list collections that are downloaded and used by Outlook.- Outlook Anywhere (RPC over HTTP) - Legacy mailbox access protocol supported by all current Outlook versions.- POP3 - Used by POP email clients.- Reporting Web Services - Used to retrieve report data in Exchange Online.- Universal Outlook - Used by the Mail and Calendar app for Windows 10.- Other clients - Other protocols identified as utilizing legacy authentication.",
"Checks": [
"entra_legacy_authentication_blocked"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.2 Protection",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Entra ID supports the most widely used authentication and authorization protocols including legacy authentication. This authentication pattern includes basic authentication, a widely used industry-standard method for collecting username and password information.The following messaging protocols support legacy authentication:- Authenticated SMTP - Used to send authenticated email messages.- Autodiscover - Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.- Exchange ActiveSync (EAS) - Used to connect to mailboxes in Exchange Online.- Exchange Online PowerShell - Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect. For instructions, see Connect to Exchange Online PowerShell using multifactor authentication.- Exchange Web Services (EWS) - A programming interface that's used by Outlook, Outlook for Mac, and third-party apps.- IMAP4 - Used by IMAP email clients.- MAPI over HTTP (MAPI/HTTP) - Primary mailbox access protocol used by Outlook 2010 SP2 and later.- Offline Address Book (OAB) - A copy of address list collections that are downloaded and used by Outlook.- Outlook Anywhere (RPC over HTTP) - Legacy mailbox access protocol supported by all current Outlook versions.- POP3 - Used by POP email clients.- Reporting Web Services - Used to retrieve report data in Exchange Online.- Universal Outlook - Used by the Mail and Calendar app for Windows 10.- Other clients - Other protocols identified as utilizing legacy authentication.",
"RationaleStatement": "Legacy authentication protocols do not support multi-factor authentication. These protocols are often used by attackers because of this deficiency. Blocking legacy authentication makes it harder for attackers to gain access.**Note:** Basic authentication is now disabled in all tenants. Before December 31 2022, you could re-enable the affected protocols if users and apps in your tenant couldn't connect. Now no one (you or Microsoft support) can re-enable Basic authentication in your tenant.",
"ImpactStatement": "Enabling this setting will prevent users from connecting with older versions of Office, ActiveSync or using protocols like IMAP, POP or SMTP and may require upgrades to older versions of Office, and use of mobile mail clients that support modern authentication.This will also cause multifunction devices such as printers from using scan to e-mail function if they are using a legacy authentication method. Microsoft has mail flow best practices in the link below which can be used to configure a MFP to work with modern authentication:https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Create a new policy by selecting `New policy`. - Under `Users` include `All users`. - Under `Target resources` include `All cloud apps` and do not create any exclusions. - Under `Conditions` select `Client apps` and check the boxes for `Exchange ActiveSync clients` and `Other clients`. - Under `Grant` select `Block Access`. - Click `Select`.4. Set the policy `On` and click `Create`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Ensure that a policy exists with the following criteria and is set to `On`: - Under `Users` verify `All users` is included and that there are only valid exclusions. - Under `Target resources` verify `All cloud apps` is selected with no exclusions. - Under `Conditions` select `Client apps` then verify `Exchange ActiveSync clients` and `Other clients` is checked. - Under `Grant` verify `Block access` is selected.4. Ensure `Enable policy` is set to `On`.This information is also available via the Microsoft Graph Security API: ```GET https://graph.microsoft.com/beta/security/secureScores```",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online:https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365:https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online",
"DefaultValue": "Basic authentication is disabled by default as of January 2023."
}
]
},
{
"Id": "5.2.2.4",
"Description": "In complex deployments, organizations might have a need to restrict authentication sessions. Conditional Access policies allow for the targeting of specific user accounts. Some scenarios might include:- Resource access from an unmanaged or shared device- Access to sensitive information from an external network- High-privileged users- Business-critical applicationsEnsure Sign-in frequency periodic reauthentication does not exceed `4 hours` for E3 tenants, or `24 hours` for E5 tenants using Privileged Identity Management.Ensure `Persistent browser session` is set to `Never persistent`**Note:** This CA policy can be added to the previous CA policy in this benchmark \"Ensure multifactor authentication is enabled for all users in administrative roles\"",
"Checks": [
"entra_admin_users_sign_in_frequency_enabled"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.2 Protection",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "In complex deployments, organizations might have a need to restrict authentication sessions. Conditional Access policies allow for the targeting of specific user accounts. Some scenarios might include:- Resource access from an unmanaged or shared device- Access to sensitive information from an external network- High-privileged users- Business-critical applicationsEnsure Sign-in frequency periodic reauthentication does not exceed `4 hours` for E3 tenants, or `24 hours` for E5 tenants using Privileged Identity Management.Ensure `Persistent browser session` is set to `Never persistent`**Note:** This CA policy can be added to the previous CA policy in this benchmark \"Ensure multifactor authentication is enabled for all users in administrative roles\"",
"RationaleStatement": "Forcing a time out for MFA will help ensure that sessions are not kept alive for an indefinite period of time, ensuring that browser sessions are not persistent will help in prevention of drive-by attacks in web browsers, this also prevents creation and saving of session cookies leaving nothing for an attacker to take.",
"ImpactStatement": "Users with Administrative roles will be prompted at the frequency set for MFA.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Protection` > `Conditional Access` Select `Policies`.3. Click `New policy`. - Under `Users` include `Select users and groups` and check `Directory roles`. - At a minimum, include the directory roles listed below in this section of the document. - Under `Target resources` include `All cloud apps` and do not create any exclusions. - Under `Grant` select `Grant Access` and check `Require multifactor authentication`. - Under `Session` select `Sign-in frequency` select `Periodic reauthentication` and set it to `4` `hours` for E3 tenants. E5 tenants with PIM can be set to a maximum value of `24` `hours`. - Check `Persistent browser session` then select `Never persistent` in the drop-down menu.4. Under `Enable policy` set it to `Report Only` until the organization is ready to enable it.**At minimum these directory roles should be included in the policy:**- Application administrator- Authentication administrator- Billing administrator- Cloud application administrator- Conditional Access administrator- Exchange administrator- Global administrator- Global reader- Helpdesk administrator- Password administrator- Privileged authentication administrator- Privileged role administrator- Security administrator- SharePoint administrator- User administrator",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Protection` > `Conditional Access` Select `Policies`.3. Ensure that a policy exists with the following criteria and is set to `On`: - Under `Users` verify `Directory roles` specific to administrators are included. - Under `Session` verify `Sign-in frequency` is checked and set to `Periodic reauthentication`. - Verify the timeframe is set to the time determined by the organization. - Ensure `Periodic reauthentication` does not exceed `4` `hours` for E3 tenants. E5 tenants using PIM may be set to a maximum of `24` `hours`. - Verify `Persistent browser session` is set to `Never persistent`.4. Ensure `Enable policy` is set to `On`**Note:** A list of directory roles applying to Administrators can be found in the remediation section.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session-lifetime",
"DefaultValue": "The default configuration for user sign-in frequency is a rolling window of 90 days."
}
]
},
{
"Id": "5.2.2.5",
"Description": "Authentication strength is a Conditional Access control that allows administrators to specify which combination of authentication methods can be used to access a resource. For example, they can make only phishing-resistant authentication methods available to access a sensitive resource. But to access a non-sensitive resource, they can allow less secure multifactor authentication (MFA) combinations, such as password + SMS.Microsoft has 3 built-in authentication strengths. MFA strength, Passwordless MFA strength, and Phishing-resistant MFA strength. Ensure administrator roles are using a CA policy with `Phishing-resistant MFA strength`.Administrators can then enroll using one of 3 methods:- FIDO2 Security Key- Windows Hello for Business- Certificate-based authentication (Multi-Factor)**Note:** Additional steps to configure methods such as FIDO2 keys are not covered here but can be found in related MS articles in the references section. The Conditional Access policy only ensures 1 of the 3 methods is used.**Warning:** Administrators should be pre-registered for a strong authentication mechanism before this Conditional Access Policy is enforced. Additionally, as stated elsewhere in the CIS Benchmark a break-glass administrator account should be excluded from this policy to ensure unfettered access in the case of an emergency.",
"Checks": [
"entra_admin_users_phishing_resistant_mfa_enabled"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.2 Protection",
"Profile": "E3 Level 2",
"AssessmentStatus": "Manual",
"Description": "Authentication strength is a Conditional Access control that allows administrators to specify which combination of authentication methods can be used to access a resource. For example, they can make only phishing-resistant authentication methods available to access a sensitive resource. But to access a non-sensitive resource, they can allow less secure multifactor authentication (MFA) combinations, such as password + SMS.Microsoft has 3 built-in authentication strengths. MFA strength, Passwordless MFA strength, and Phishing-resistant MFA strength. Ensure administrator roles are using a CA policy with `Phishing-resistant MFA strength`.Administrators can then enroll using one of 3 methods:- FIDO2 Security Key- Windows Hello for Business- Certificate-based authentication (Multi-Factor)**Note:** Additional steps to configure methods such as FIDO2 keys are not covered here but can be found in related MS articles in the references section. The Conditional Access policy only ensures 1 of the 3 methods is used.**Warning:** Administrators should be pre-registered for a strong authentication mechanism before this Conditional Access Policy is enforced. Additionally, as stated elsewhere in the CIS Benchmark a break-glass administrator account should be excluded from this policy to ensure unfettered access in the case of an emergency.",
"RationaleStatement": "Sophisticated attacks targeting MFA are more prevalent as the use of it becomes more widespread. These 3 methods are considered phishing-resistant as they remove passwords from the login workflow. It also ensures that public/private key exchange can only happen between the devices and a registered provider which prevents login to fake or phishing websites.",
"ImpactStatement": "If administrators aren't pre-registered for a strong authentication method prior to a conditional access policy being created, then a condition could occur where a user can't register for strong authentication because they don't meet the conditional access policy requirements and therefore are prevented from signing in.Additionally, Internet Explorer based credential prompts in PowerShell do not support prompting for a security key. Implementing phishing-resistant MFA with a security key may prevent admins from running their existing sets of PowerShell scripts. Device Authorization Grant Flow can be used as a workaround in some instances.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Click `New policy`. - Under `Users` include `Select users and groups` and check `Directory roles`. - At a minimum, include the directory roles listed below in this section of the document. - Under `Target resources` include `All cloud apps` and do not create any exclusions. - Under `Grant` select `Grant Access` and check `Require authentication strength` and set `Phishing-resistant MFA` in the dropdown box. - Click `Select`.4. Under `Enable policy` set it to `Report Only` until the organization is ready to enable it.5. Click `Create`.**At minimum these directory roles should be included for the policy:**- Application administrator- Authentication administrator- Billing administrator- Cloud application administrator- Conditional Access administrator- Exchange administrator- Global administrator- Global reader- Helpdesk administrator- Password administrator- Privileged authentication administrator- Privileged role administrator- Security administrator- SharePoint administrator- User administrator**Warning:** Ensure administrators are pre-registered with strong authentication before enforcing the policy. After which the policy must be set to `On`.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Ensure that a policy exists with the following criteria and is set to `On`: - Under `Users` verify `Directory roles` specific to administrators are included. - Directory Roles should include at minimum the roles listed in the remediation section. - Under `Target resources` verify `All cloud apps` is selected with no exclusions. - Under `Grant` verify `Grant Access` is selected and `Require authentication strength` is checked with `Phishing-resistant MFA` set as the value.4. Ensure `Enable policy` is set to `On`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless#fido2-security-keys:https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-passkey-fido2:https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strengths:https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy",
"DefaultValue": ""
}
]
},
{
"Id": "5.2.2.6",
"Description": "Microsoft Entra ID Protection user risk policies detect the probability that a user account has been compromised. **Note:** While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the \"legacy method\" for the following benefits:- Enhanced diagnostic data- Report-only mode integration- Graph API support- Use more Conditional Access attributes like sign-in frequency in the policy",
"Checks": [
"entra_identity_protection_user_risk_enabled"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.2 Protection",
"Profile": "E5 Level 1",
"AssessmentStatus": "Manual",
"Description": "Microsoft Entra ID Protection user risk policies detect the probability that a user account has been compromised. **Note:** While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the \"legacy method\" for the following benefits:- Enhanced diagnostic data- Report-only mode integration- Graph API support- Use more Conditional Access attributes like sign-in frequency in the policy",
"RationaleStatement": "With the user risk policy turned on, Entra ID protection detects the probability that a user account has been compromised. Administrators can configure a user risk conditional access policy to automatically respond to a specific user risk level.",
"ImpactStatement": "Upon policy activation, account access will be either blocked or the user will be required to use multi-factor authentication (MFA) and change their password. Users without registered MFA will be denied access, necessitating an admin to recover the account. To avoid inconvenience, it is advised to configure the MFA registration policy for all users under the User Risk policy. Additionally, users identified in the Risky Users section will be affected by this policy. To gain a better understanding of the impact on the organization's environment, the list of Risky Users should be reviewed before enforcing the policy.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Create a new policy by selecting `New policy`.4. Set the following conditions within the policy: - Under `Users or workload identities` choose `All users` - Under `Cloud apps or actions` choose `All cloud apps` - Under `Conditions` choose `User risk` then `Yes` and select the user risk level `High`. - Under `Access Controls` select `Grant` then in the right pane click `Grant access` then select `Require multifactor authentication` and `Require password change`. - Under `Session` ensure `Sign-in frequency` is set to `Every time`. - Click `Select`.6. Under `Enable policy` set it to `Report Only` until the organization is ready to enable it.7. Click `Create`.**Note:** for more information regarding risk levels refer to [Microsoft's Identity Protection & Risk Doc](https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks)",
"AuditProcedure": "**To audit using the UI:**1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Ensure that a policy exists with the following criteria and is set to `On`: - Under `Users or workload identities` choose `All users` - Under `Cloud apps or actions` choose `All cloud apps` - Under `Conditions` choose `User risk` then `Yes` is set to `High`. - Under `Access Controls` select `Grant` then in the right pane click `Grant access`, then select `Require multifactor authentication` and `Require password change`. - Under `Session` ensure `Sign-in frequency` is set to `Every time`.4. Ensure `Enable policy` is set to `On`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-risk-feedback:https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks",
"DefaultValue": ""
}
]
},
{
"Id": "5.2.2.7",
"Description": "Microsoft Entra ID Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.**Note:** While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the \"legacy method\" for the following benefits:- Enhanced diagnostic data- Report-only mode integration- Graph API support- Use more Conditional Access attributes like sign-in frequency in the policy",
"Checks": [
"entra_identity_protection_sign_in_risk_enabled"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.2 Protection",
"Profile": "E5 Level 1",
"AssessmentStatus": "Manual",
"Description": "Microsoft Entra ID Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.**Note:** While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the \"legacy method\" for the following benefits:- Enhanced diagnostic data- Report-only mode integration- Graph API support- Use more Conditional Access attributes like sign-in frequency in the policy",
"RationaleStatement": "Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multi-factor authentication.",
"ImpactStatement": "When the policy triggers, the user will need MFA to access the account. In the case of a user who hasn't registered MFA on their account, they would be blocked from accessing their account. It is therefore recommended that the MFA registration policy be configured for all users who are a part of the Sign-in Risk policy.",
"RemediationProcedure": "**To configure a Sign-In risk policy, use the following steps:**1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Create a new policy by selecting `New policy`.4. Set the following conditions within the policy. - Under `Users or workload identities` choose `All users`. - Under `Cloud apps or actions` choose `All cloud apps`. - Under `Conditions` choose `Sign-in risk` then `Yes` and check the risk level boxes `High` and `Medium`. - Under `Access Controls` select `Grant` then in the right pane click `Grant access` then select `Require multifactor authentication`. - Under `Session` select `Sign-in Frequency` and set to `Every time`. - Click `Select`.5. Under `Enable policy` set it to `Report Only` until the organization is ready to enable it.6. Click `Create`.**Note:** For more information regarding risk levels refer to [Microsoft's Identity Protection & Risk Doc](https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks)",
"AuditProcedure": "**To ensure Sign-In a risk policy is enabled:**1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Ensure that a policy exists with the following criteria and is set to `On`: - Under `Users or workload identities` choose `All users` - Under `Cloud apps or actions` choose `All cloud apps` - Under `Conditions` choose `Sign-in risk` then `Yes` ensuring `High` and `Medium` are selected. - Under `Access Controls` select `Grant` then in the right pane click `Grant access` then select `Require multifactor authentication`. - Under `Session` select `Sign-in Frequency` is set to `Every time`.4. Ensure `Enable policy` is set to `On`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-risk-feedback:https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks",
"DefaultValue": ""
}
]
},
{
"Id": "5.2.2.8",
"Description": "When a Conditional Access policy targets the Microsoft Admin Portals cloud app, the policy is enforced for tokens issued to application IDs of the following Microsoft administrative portals:- Azure portal- Exchange admin center- Microsoft 365 admin center- Microsoft 365 Defender portal- Microsoft Entra admin center- Microsoft Intune admin center- Microsoft Purview compliance portal- Power Platform admin center- SharePoint admin center- Microsoft Teams admin center`Microsoft Admin Portals` should be restricted to specific pre-determined administrative roles.",
"Checks": [
"entra_admin_portals_role_limited_access"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.2 Protection",
"Profile": "E3 Level 2",
"AssessmentStatus": "Manual",
"Description": "When a Conditional Access policy targets the Microsoft Admin Portals cloud app, the policy is enforced for tokens issued to application IDs of the following Microsoft administrative portals:- Azure portal- Exchange admin center- Microsoft 365 admin center- Microsoft 365 Defender portal- Microsoft Entra admin center- Microsoft Intune admin center- Microsoft Purview compliance portal- Power Platform admin center- SharePoint admin center- Microsoft Teams admin center`Microsoft Admin Portals` should be restricted to specific pre-determined administrative roles.",
"RationaleStatement": "Conditional Access (CA) policies are not enforced for other role types, including administrative unit-scoped or custom roles. By restricting access to built-in directory roles, users granted privileged permissions outside of these roles will be blocked from accessing admin centers. For example, the **Organization Management** admin role in Exchange Online has equivalent permissions to the built-in directory role **Exchange Administrator**. A user assigned only the Organization Management role would not be subject to CA policies targeting the Exchange Administrator role, or any and all Directory Roles. This could also allow a user with high privileges to be excluded from access reviews and other technical or management controls.Restricting access to `Microsoft Admin Portals` while impactful, covers a gap that is otherwise not bridged by Conditional Access.",
"ImpactStatement": "PIM functionality will be impacted unless non-privileged users are first assigned to a permanent group or role that is excluded from this policy. When attempting to checkout a role in the Entra ID PIM area they will receive the message \"You don't have access to this Your sign-in was successful but you don't have permission to access this resource.\"- Users included in the policy will be unable to manually installs applications when clicking on `Install Microsoft 365 apps`.- Users included in the policy will be unable to access the Quarantine in the Defender admin center at https://security.microsoft.com/quarantine",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Click `New Policy`. - Under `Users` include `All Users`. - Under `Users` select `Exclude` and check `Directory roles` and select only administrative roles and a group of PIM eligible users. - Under `Target resources` select `Cloud apps` and `Select apps` then select the `Microsoft Admin Portals` app. - Confirm by clicking `Select`. - Under `Grant` select `Block access` and click `Select`.4. Under `Enable policy` set it to `Report Only` until the organization is ready to enable it.5. Click `Create`.**Warning:** Exclude `Global Administrator` at a minimum to avoid being locked out. Report-only is a good option to use when testing any Conditional Access policy for the first time.**Note:** In order for PIM to function a group of users eligible for PIM roles must be excluded from the policy.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Ensure that a policy exists with the following criteria and is set to `On`: - Under `Users` verify `All Users` is included. - Under `Users` > `Exclude` verify `Guest or external users` is checked and `Users and groups` contain only a group of PIM eligible users. - Under `Users` > `Exclude` verify `Directory Roles` contains only administrative roles. See below for details on roles. - Under `Target resources` verify `Cloud apps` is selected and includes `Microsoft Admin Portals`. - Under `Grant` verify `Block Access` is selected.4. Ensure `Enable policy` is set to `On`.**_Directory Roles and Exclusions_**In `Directory roles` > `Exclude` the role `Global Administrator` at a minimum should be selected to avoid I.T. being locked out. The organization should pre-determine roles in the exclusion list as there is not a one size fits all. Auditors and system administrators should exercise due diligence balancing operation while exercising least privilege. As the size of the organization increases so will the number of roles being utilized.A an example starting list of Administrator roles can be found under **Additional Information****Note:** In order for PIM to function a group of users eligible for PIM roles must be excluded from the policy.",
"AdditionalInformation": "**Below is an example list of Administrator roles that could be excluded**- Application administrator- Authentication administrator- Billing administrator- Cloud application administrator- Conditional Access administrator- Exchange administrator- Global administrator- Global reader- Helpdesk administrator- Password administrator- Privileged authentication administrator- Privileged role administrator- Security administrator- SharePoint administrator- User administrator",
"References": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps#microsoft-admin-portals",
"DefaultValue": "No - Non-administrators can access the Microsoft admin portals."
}
]
},
{
"Id": "5.2.2.9",
"Description": "Microsoft Entra ID Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.**Note:** While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the \"legacy method\" for the following benefits:- Enhanced diagnostic data- Report-only mode integration- Graph API support- Use more Conditional Access attributes like sign-in frequency in the policy",
"Checks": [],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.2 Protection",
"Profile": "E5 Level 2",
"AssessmentStatus": "Manual",
"Description": "Microsoft Entra ID Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.**Note:** While Identity Protection also provides two risk policies with limited conditions, Microsoft highly recommends setting up risk-based policies in Conditional Access as opposed to the \"legacy method\" for the following benefits:- Enhanced diagnostic data- Report-only mode integration- Graph API support- Use more Conditional Access attributes like sign-in frequency in the policy",
"RationaleStatement": "Sign-in risk is determined at the time of sign-in and includes criteria across both real-time and offline detections for risk. Blocking sign-in to accounts that have risk can prevent undesired access from potentially compromised devices or unauthorized users.",
"ImpactStatement": "Sign-in risk is heavily dependent on detecting risk based on atypical behaviors. Due to this it is important to run this policy in a report-only mode to better understand how the organization's environment and user activity may influence sign-in risk before turning the policy on. Once it's understood what actions may trigger a medium or high sign-in risk event I.T. can then work to create an environment to reduce false positives. For example, employees might be required to notify security personnel when they intend to travel with intent to access work resources.**Note:** Break-glass accounts should always be excluded from risk detection.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Create a new policy by selecting `New policy`.4. Set the following conditions within the policy. - Under `Users` include `All users` and only exclude valid users. - Under `Target resources` include `All cloud apps` and do not set any exclusions. - Under `Conditions` choose `Sign-in risk` values of `High` and `Medium` and click `Done`. - Under `Grant` choose `Block access` and click `Select`.5. Under `Enable policy` set it to `Report Only` until the organization is ready to enable it.6. Click `Create`.**Note:** Break-glass accounts should be excluded from sign-in risk policies.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Ensure that a policy exists with the following criteria and is set to `On`: - Under `Users` verify `All users` are included and only valid users are excluded. - Under `Target resources` verify `All cloud apps` is selected with no exclusions. - Under `Conditions` verify `Sign-in risk` values of `High` and `Medium` are selected. - Under `Grant` verify `Block access` is selected.4. Ensure `Enable policy` is set to `On`.**Note:** Break-glass accounts should be excluded from sign-in risk policies",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#risk-detections-mapped-to-riskeventtype",
"DefaultValue": ""
}
]
},
{
"Id": "5.2.2.10",
"Description": "Conditional Access (CA) can be configured to enforce access based on the device's compliance status or whether it is Entra hybrid joined. Collectively this allows CA to classify devices as managed or unmanaged, providing more granular control over authentication policies.When using `Require device to be marked as compliant`, the device must pass checks configured in **Compliance** policies defined within Intune (Endpoint Manager). Before these checks can be applied, the device must first be enrolled in Intune MDM.By selecting `Require Microsoft Entra hybrid joined device` this means the device must first be synchronized from an on-premises Active Directory to qualify for authentication.When configured to the recommended state below only one condition needs to be met for the user to authenticate from the device. This functions as an \"OR\" operator.The recommended state is:- `Require device to be marked as compliant`- `Require Microsoft Entra hybrid joined device`- `Require one of the selected controls`",
"Checks": [
"entra_managed_device_required_for_authentication"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.2 Protection",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Conditional Access (CA) can be configured to enforce access based on the device's compliance status or whether it is Entra hybrid joined. Collectively this allows CA to classify devices as managed or unmanaged, providing more granular control over authentication policies.When using `Require device to be marked as compliant`, the device must pass checks configured in **Compliance** policies defined within Intune (Endpoint Manager). Before these checks can be applied, the device must first be enrolled in Intune MDM.By selecting `Require Microsoft Entra hybrid joined device` this means the device must first be synchronized from an on-premises Active Directory to qualify for authentication.When configured to the recommended state below only one condition needs to be met for the user to authenticate from the device. This functions as an \"OR\" operator.The recommended state is:- `Require device to be marked as compliant`- `Require Microsoft Entra hybrid joined device`- `Require one of the selected controls`",
"RationaleStatement": "\"Managed\" devices are considered more secure because they often have additional configuration hardening enforced through centralized management such as Intune or Group Policy. These devices are also typically equipped with MDR/EDR, managed patching and alerting systems. As a result, they provide a safer environment for users to authenticate and operate from.This policy also ensures that attackers must first gain access to a compliant or trusted device before authentication is permitted, reducing the risk posed by compromised account credentials. When combined with other distinct Conditional Access (CA) policies, such as requiring multi-factor authentication, this adds one additional factor before authentication is permitted. **Note:** Avoid combining these two settings with other `Grant` settings in the same policy. In a single policy you can only choose between `Require all the selected controls` or `Require one of the selected controls`, which limits the ability to integrate this recommendation with others in this benchmark. CA policies function as an \"AND\" operator across multiple policies. The goal here is to both (Require MFA for all users) **AND** (Require device to be marked as compliant **OR** Require Microsoft Entra hybrid joined device).",
"ImpactStatement": "Unmanaged devices will not be permitted as a valid authenticator. As a result this may require the organization to mature their device enrollment and management. The following devices can be considered managed:- Entra hybrid joined from Active Directory- Entra joined and enrolled in Intune, with compliance policies- Entra registered and enrolled in Intune, with compliances policies",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Create a new policy by selecting `New policy`. - Under `Users` include `All users`. - Under `Target resources` include `All cloud apps`. - Under `Grant` select `Grant access`. - Check `Require multifactor authentication` and `Require Microsoft Entra hybrid joined device`. - Choose `Require one of the selected controls` and click `Select` at the bottom.4. Under `Enable policy` set it to `Report Only` until the organization is ready to enable it.5. Click `Create`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Ensure that a policy exists with the following criteria and is set to `On`: - Under `Users` verify `All users` is included. - Under `Target resources` verify `All cloud apps` is selected. - Under `Grant` verify `Require device to be marked as compliant` and `Require Microsoft Entra hybrid joined device` are checked. - Under `Grant` verify `Require one of the selected controls` is selected.4. Ensure `Enable policy` is set to `On`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-grant#require-device-to-be-marked-as-compliant:https://learn.microsoft.com/en-us/entra/identity/devices/concept-hybrid-join:https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment",
"DefaultValue": ""
}
]
},
{
"Id": "5.2.2.11",
"Description": "Conditional Access (CA) can be configured to enforce access based on the device's compliance status or whether it is Entra hybrid joined. Collectively this allows CA to classify devices as managed or not, providing more granular control over whether or not a user can register MFA on a device.When using `Require device to be marked as compliant`, the device must pass checks configured in **Compliance** policies defined within Intune (Endpoint Manager). Before these checks can be applied, the device must first be enrolled in Intune MDM.By selecting `Require Microsoft Entra hybrid joined device` this means the device must first be synchronized from an on-premises Active Directory to qualify for authentication.When configured to the recommended state below only one condition needs to be met for the user to register MFA from the device. This functions as an \"OR\" operator.The recommended state is to restrict `Register security information` to a device that is marked as compliant or Entra hybrid joined.",
"Checks": [
"entra_managed_device_required_for_mfa_registration"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.2 Protection",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Conditional Access (CA) can be configured to enforce access based on the device's compliance status or whether it is Entra hybrid joined. Collectively this allows CA to classify devices as managed or not, providing more granular control over whether or not a user can register MFA on a device.When using `Require device to be marked as compliant`, the device must pass checks configured in **Compliance** policies defined within Intune (Endpoint Manager). Before these checks can be applied, the device must first be enrolled in Intune MDM.By selecting `Require Microsoft Entra hybrid joined device` this means the device must first be synchronized from an on-premises Active Directory to qualify for authentication.When configured to the recommended state below only one condition needs to be met for the user to register MFA from the device. This functions as an \"OR\" operator.The recommended state is to restrict `Register security information` to a device that is marked as compliant or Entra hybrid joined.",
"RationaleStatement": "Requiring registration on a managed device significantly reduces the risk of bad actors using stolen credentials to register security information. Accounts that are created but never registered with an MFA method are particularly vulnerable to this type of attack. Enforcing this requirement will both reduce the attack surface for fake registrations and ensure that legitimate users register using trusted devices which typically have additional security measures in place already.",
"ImpactStatement": "The organization will be required to have a mature device management process. New devices provided to users will need to be pre-enrolled in Intune, auto-enrolled or be Entra hybrid joined. Otherwise, the user will be unable to complete registration, requiring additional resources from I.T. This could be more disruptive in remote worker environments where the MDM maturity is low.In these cases where the person enrolling in MFA (enrollee) doesn't have physical access to a managed device, a help desk process can be created using a Teams meeting to complete enrollment using: 1) a durable process to verify the enrollee's identity including government identification with a photograph held up to the camera, information only the enrollee should know, and verification by the enrollee's direct manager in the same meeting; 2) complete enrollment in the same Teams meeting with the enrollee being granted screen and keyboard access to the help desk person's InPrivate Edge browser session.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Create a new policy by selecting `New policy`. - Under `Users` include `All users`. - Under `Target resources` select `User actions` and check `Register security information`. - Under `Grant` select `Grant access`. - Check `Require multifactor authentication` and `Require Microsoft Entra hybrid joined device`. - Choose `Require one of the selected controls` and click `Select` at the bottom.4. Under `Enable policy` set it to `Report Only` until the organization is ready to enable it.5. Click `Create`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click expand `Protection` > `Conditional Access` select `Policies`.3. Ensure that a policy exists with the following criteria and is set to `On`: - Under `Users` verify `All users` is included. - Under `Target resources` verify `User actions` is selected with `Register security information` checked. - Under `Grant` verify `Require device to be marked as compliant` and `Require Microsoft Entra hybrid joined device` are checked. - Under `Grant` verify `Require one of the selected controls` is selected.4. Ensure `Enable policy` is set to `On`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-grant#require-device-to-be-marked-as-compliant:https://learn.microsoft.com/en-us/entra/identity/devices/concept-hybrid-join:https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment:https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps#user-actions",
"DefaultValue": ""
}
]
},
{
"Id": "5.2.3.1",
"Description": "Microsoft has released additional settings to enhance the configuration of the Microsoft Authenticator application. These settings provide additional information and context to users who receive MFA passwordless and push requests, such as geographic location the request came from, the requesting application and requiring a number match.Ensure the following are `Enabled`.- `Require number matching for push notifications`- `Show application name in push and passwordless notifications`- `Show geographic location in push and passwordless notifications`**NOTE:** On February 27, 2023 Microsoft started enforcing number matching tenant-wide for all users using Microsoft Authenticator.",
"Checks": [],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.2 Protection",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Microsoft has released additional settings to enhance the configuration of the Microsoft Authenticator application. These settings provide additional information and context to users who receive MFA passwordless and push requests, such as geographic location the request came from, the requesting application and requiring a number match.Ensure the following are `Enabled`.- `Require number matching for push notifications`- `Show application name in push and passwordless notifications`- `Show geographic location in push and passwordless notifications`**NOTE:** On February 27, 2023 Microsoft started enforcing number matching tenant-wide for all users using Microsoft Authenticator.",
"RationaleStatement": "As the use of strong authentication has become more widespread, attackers have started to exploit the tendency of users to experience \"MFA fatigue.\" This occurs when users are repeatedly asked to provide additional forms of identification, leading them to eventually approve requests without fully verifying the source. To counteract this, number matching can be employed to ensure the security of the authentication process. With this method, users are prompted to confirm a number displayed on their original device and enter it into the device being used for MFA. Additionally, other information such as geolocation and application details are displayed to enhance the end user's awareness. Among these 3 options, number matching provides the strongest net security gain.",
"ImpactStatement": "Additional interaction will be required by end users using number matching as opposed to simply pressing \"Approve\" for login attempts.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click to expand `Protection` > `Authentication methods` select `Policies`.3. Select `Microsoft Authenticator`4. Under `Enable and Target` ensure the setting is set to `Enable`.5. Select `Configure`6. Set the following Microsoft Authenticator settings: - `Require number matching for push notifications` Status is set to `Enabled`, Target `All users` - `Show application name in push and passwordless notifications` is set to `Enabled`, Target `All users` - `Show geographic location in push and passwordless notifications` is set to `Enabled`, Target `All users`**Note:** Valid groups such as break glass accounts can be excluded per organization policy.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.2. Click to expand `Protection` > `Authentication methods` select `Policies`.3. Under **Method** select `Microsoft Authenticator`.4. Under `Enable and Target` verify the setting is set to `Enable`.5. In the `Include` tab ensure `All users` is selected.6. In the `Exclude` tab ensure only valid groups are present (i.e. Break Glass accounts).7. Select `Configure`8. Verify the following Microsoft Authenticator settings: - `Require number matching for push notifications` Status is set to `Enabled`, Target `All users` - `Show application name in push and passwordless notifications` is set to `Enabled`, Target `All users` - `Show geographic location in push and passwordless notifications` is set to `Enabled`, Target `All users`9. In each setting select `Exclude` and verify only groups are present (i.e. Break Glass accounts).",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-default-enablement:https://techcommunity.microsoft.com/t5/microsoft-entra-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677:https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-number-match",
"DefaultValue": "Microsoft-managed"
}
]
},
{
"Id": "5.2.3.2",
"Description": "With Entra Password Protection, default global banned password lists are automatically applied to all users in an Entra ID tenant. To support business and security needs, custom banned password lists can be defined. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.A custom banned password list should include some of the following examples:- Brand names- Product names- Locations, such as company headquarters- Company-specific internal terms- Abbreviations that have specific company meaning",
"Checks": [],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.2 Protection",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "With Entra Password Protection, default global banned password lists are automatically applied to all users in an Entra ID tenant. To support business and security needs, custom banned password lists can be defined. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.A custom banned password list should include some of the following examples:- Brand names- Product names- Locations, such as company headquarters- Company-specific internal terms- Abbreviations that have specific company meaning",
"RationaleStatement": "Creating a new password can be difficult regardless of one's technical background. It is common to look around one's environment for suggestions when building a password, however, this may include picking words specific to the organization as inspiration for a password. An adversary may employ what is called a 'mangler' to create permutations of these specific words in an attempt to crack passwords or hashes making it easier to reach their goal.",
"ImpactStatement": "If a custom banned password list includes too many common dictionary words, or short words that are part of compound words, then perfectly secure passwords may be blocked. The organization should consider a balance between security and usability when creating a list.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/2. Click to expand `Protection` > `Authentication methods`3. Select `Password protection`4. Set `Enforce custom list` to `Yes`5. In `Custom banned password list` create a list using suggestions outlined in this document.6. Click `Save`**Note:** Below is a list of examples that can be used as a starting place. The references section contains more suggestions.- Brand names- Product names- Locations, such as company headquarters- Company-specific internal terms- Abbreviations that have specific company meaning",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/2. Click to expand `Protection` > `Authentication methods`3. Select `Password protection`4. Verify `Enforce custom list` is set to `Yes`5. Verify `Custom banned password list` contains entries specific to the organization or matches a pre-determined list.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad#custom-banned-password-list:https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-configure-custom-password-protection",
"DefaultValue": ""
}
]
},
{
"Id": "5.2.3.3",
"Description": "Microsoft Entra Password Protection provides a global and custom banned password list. A password change request fails if there's a match in these banned password list. To protect on-premises Active Directory Domain Services (AD DS) environment, install and configure Entra Password Protection.**Note**: This recommendation applies to Hybrid deployments only and will have no impact unless working with on-premises Active Directory.",
"Checks": [],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.2 Protection",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Microsoft Entra Password Protection provides a global and custom banned password list. A password change request fails if there's a match in these banned password list. To protect on-premises Active Directory Domain Services (AD DS) environment, install and configure Entra Password Protection.**Note**: This recommendation applies to Hybrid deployments only and will have no impact unless working with on-premises Active Directory.",
"RationaleStatement": "This feature protects an organization by prohibiting the use of weak or leaked passwords. In addition, organizations can create custom banned password lists to prevent their users from using easily guessed passwords that are specific to their industry. Deploying this feature to Active Directory will strengthen the passwords that are used in the environment.",
"ImpactStatement": "The potential impact associated with implementation of this setting is dependent upon the existing password policies in place in the environment. For environments that have strong password policies in place, the impact will be minimal. For organizations that do not have strong password policies in place, implementation of Microsoft Entra Password Protection may require users to change passwords and adhere to more stringent requirements than they have been accustomed to.",
"RemediationProcedure": "**To remediate using the UI:**- Download and install the `Azure AD Password Proxies` and `DC Agents` from the following location: https://www.microsoft.com/download/details.aspx?id=57071 After installed follow the steps below.1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Protection` select `Authentication methods`.3. Select `Password protection` and set `Enable password protection on Windows Server Active Directory` to `Yes` and `Mode` to `Enforced`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Protection` select `Authentication methods`.3. Select `Password protection` and ensure that `Enable password protection on Windows Server Active Directory` is set to `Yes` and that `Mode` is set to `Enforced`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-ban-bad-on-premises-operations",
"DefaultValue": "Enable - YesMode - Audit"
}
]
},
{
"Id": "5.2.3.4",
"Description": "Microsoft defines Multifactor authentication capable as being registered and enabled for a strong authentication method. The method must also be allowed by the authentication methods policy.Ensure all member users are `MFA capable`.",
"Checks": [
"entra_users_mfa_capable"
],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.2 Protection",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Microsoft defines Multifactor authentication capable as being registered and enabled for a strong authentication method. The method must also be allowed by the authentication methods policy.Ensure all member users are `MFA capable`.",
"RationaleStatement": "Multifactor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted. Users who are not `MFA Capable` have never registered a strong authentication method for multifactor authentication that is within policy and may not be using MFA. This could be a result of having never signed in, exclusion from a Conditional Access (CA) policy requiring MFA, or a CA policy does not exist. Reviewing this list of users will help identify possible lapses in policy or procedure.",
"ImpactStatement": "When using the UI audit method guest users will appear in the report and unless the organization is applying MFA rules to guests then they will need to be manually filtered. Accounts that provide on-premises directory synchronization also appear in these reports.",
"RemediationProcedure": "Remediation steps will depend on the status of the personnel in question or configuration of Conditional Access policies and will not be covered in detail. Administrators should review each user identified on a case-by-case basis using the conditions below.**User has never signed on:**- Employment status should be reviewed, and appropriate action taken on the user account's roles, licensing and enablement.**Conditional Access policy applicability:**- Ensure a CA policy is in place requiring all users to use MFA.- Ensure the user is not excluded from the CA MFA policy.- Ensure the policy's state is set to `On`.- Use `What if` to determine applicable CA policies. (Protection > Conditional Access > Policies)- Review the user account in `Sign-in logs`. Under the `Activity Details` pane click the `Conditional Access` tab to view applied policies.**Note:** Conditional Access is covered step by step in section 5.2.2",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Protection` select `Authentication methods`.3. Select `User registration details`.4. Set the filter option `Multifactor authentication capable` to `Not Capable`.5. Review the non-guest users in this list.6. Excluding any exceptions users found in this report may require remediation.**To audit using PowerShell:**1. Connect to Graph using `Connect-MgGraph -Scopes \"UserAuthenticationMethod.Read.All,AuditLog.Read.All\"`2. Run the following:```Get-MgReportAuthenticationMethodUserRegistrationDetail ` -Filter \"IsMfaCapable eq false and UserType eq 'Member'\" | ft UserPrincipalName,IsMfaCapable,IsAdmin```3. Ensure `IsMfaCapable` is set to `True`.4. Excluding any exceptions users found in this report may require remediation.**Note:** The CA rule must be in place for a successful deployment of Multifactor Authentication. This policy is outlined in the conditional access section 5.2.2**Note 2:** Possible exceptions include on-premises synchronization accounts.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.reports/update-mgreportauthenticationmethoduserregistrationdetail?view=graph-powershell-1.0#-ismfacapable:https://learn.microsoft.com/en-us/entra/identity/monitoring-health/how-to-view-applied-conditional-access-policies:https://learn.microsoft.com/en-us/entra/identity/conditional-access/what-if-tool:https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-methods-activity",
"DefaultValue": ""
}
]
},
{
"Id": "5.2.3.5",
"Description": "Authentication methods support a wide variety of scenarios for signing in to Microsoft 365 resources. Some of these methods are inherently more secure than others but require more investment in time to get users enrolled and operational.SMS and Voice Call rely on telephony carrier communication methods to deliver the authenticating factor.The email one-time passcode feature is a way to authenticate B2B collaboration users when they can't be authenticated through other means, such as Microsoft Entra ID, Microsoft account (MSA), or social identity providers. When a B2B guest user tries to redeem your invitation or sign in to your shared resources, they can request a temporary passcode, which is sent to their email address. Then they enter this passcode to continue signing in.The recommended state is to `Disable` these methods:- SMS- Voice Call- Email OTP",
"Checks": [],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.2 Protection",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Authentication methods support a wide variety of scenarios for signing in to Microsoft 365 resources. Some of these methods are inherently more secure than others but require more investment in time to get users enrolled and operational.SMS and Voice Call rely on telephony carrier communication methods to deliver the authenticating factor.The email one-time passcode feature is a way to authenticate B2B collaboration users when they can't be authenticated through other means, such as Microsoft Entra ID, Microsoft account (MSA), or social identity providers. When a B2B guest user tries to redeem your invitation or sign in to your shared resources, they can request a temporary passcode, which is sent to their email address. Then they enter this passcode to continue signing in.The recommended state is to `Disable` these methods:- SMS- Voice Call- Email OTP",
"RationaleStatement": "The SMS and Voice call methods are vulnerable to SIM swapping which could allow an attacker to gain access to your Microsoft 365 account.",
"ImpactStatement": "Disabling Email OTP will prevent one-time pass codes from being sent to unverified guest users accessing Microsoft 365 resources on the tenant. They will be required to use a personal Microsoft account, a managed Microsoft Entra account, be part of a federation or be configured as a guest in the host tenant's Microsoft Entra ID.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Protection` select `Authentication methods`.3. Select `Policies`.4. Inspect each method that is out of compliance and remediate: - Click on the method to open it. - Change the `Enable` toggle to the off position. - Click `Save`.**Note:** If the save button remains greyed out after toggling a method off, then first turn it back on and then change the position of the `Target` selection (all users or select groups). Turn the method off again and save. This was observed to be a bug in the UI at the time this document was published.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Protection` select `Authentication methods`.3. Select `Policies`.4. Verify that the following methods in the `Enabled` column or set to `No`. - Method: `SMS` - Method: `Voice call` - Method: `Email OTP`",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods-manage:https://learn.microsoft.com/en-us/entra/external-id/one-time-passcode:https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/what-is-sim-swapping",
"DefaultValue": "'- SMS : Disabled- Voice Call : Disabled- Email OTP : Enabled"
}
]
},
{
"Id": "5.2.4.1",
"Description": "Enabling self-service password reset allows users to reset their own passwords in Entra ID. When users sign in to Microsoft 365, they will be prompted to enter additional contact information that will help them reset their password in the future. If combined registration is enabled additional information, outside of multi-factor, will not be needed. **Note:** Effective Oct. 1st, 2022, Microsoft will begin to enable combined registration for all users in Entra ID tenants created before August 15th, 2020. Tenants created after this date are enabled with combined registration by default.",
"Checks": [],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.2 Protection",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Enabling self-service password reset allows users to reset their own passwords in Entra ID. When users sign in to Microsoft 365, they will be prompted to enter additional contact information that will help them reset their password in the future. If combined registration is enabled additional information, outside of multi-factor, will not be needed. **Note:** Effective Oct. 1st, 2022, Microsoft will begin to enable combined registration for all users in Entra ID tenants created before August 15th, 2020. Tenants created after this date are enabled with combined registration by default.",
"RationaleStatement": "Users will no longer need to engage the helpdesk for password resets, and the password reset mechanism will automatically block common, easily guessable passwords.",
"ImpactStatement": "Users will be required to provide additional contact information to enroll in self-service password reset. Additionally, minor user education may be required for users that are used to calling a help desk for assistance with password resets. **Note:** This is unavailable if using Entra Connect / Sync in a hybrid environment.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Protection` > `Password reset` select `Properties`.3. Set `Self service password reset enabled` to `All`",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Protection` > `Password reset` select `Properties`.3. Ensure `Self service password reset enabled` is set to `All`",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/let-users-reset-passwords?view=o365-worldwide:https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr:https://learn.microsoft.com/en-us/entra/identity/authentication/howto-registration-mfa-sspr-combined",
"DefaultValue": ""
}
]
},
{
"Id": "5.3.1",
"Description": "Microsoft Entra Privileged Identity Management can be used to audit roles, allow just in time activation of roles and allow for periodic role attestation. Organizations should remove permanent members from privileged Office 365 roles and instead make them eligible, through a JIT activation workflow.",
"Checks": [],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.3 Identity Governance",
"Profile": "E5 Level 2",
"AssessmentStatus": "Manual",
"Description": "Microsoft Entra Privileged Identity Management can be used to audit roles, allow just in time activation of roles and allow for periodic role attestation. Organizations should remove permanent members from privileged Office 365 roles and instead make them eligible, through a JIT activation workflow.",
"RationaleStatement": "Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious actor getting that access, or an authorized user inadvertently impacting a sensitive resource. However, users still need to carry out privileged operations in Entra ID. Organizations can give users just-in-time (JIT) privileged access to roles. There is a need for oversight for what those users are doing with their administrator privileges. PIM helps to mitigate the risk of excessive, unnecessary, or misused access rights.",
"ImpactStatement": "Implementation of Just in Time privileged access is likely to necessitate changes to administrator routine. Administrators will only be granted access to administrative roles when required. When administrators request role activation, they will need to document the reason for requiring role access, anticipated time required to have the access, and to reauthenticate to enable role access.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity Governance` select `Privileged Identity Management`.3. Under **Manage** select `Microsoft Entra Roles`.4. Under **Manage** select `Roles`.5. Inspect at a minimum the following sensitive roles. For each of the members that have an `ASSIGNMENT TYPE` of `Permanent`, click on the `...` and choose `Make eligible`:- `Application Administrator`- `Authentication Administrator`- `Azure Information Protection Administrator`- `Billing Administrator`- `Cloud Application Administrator`- `Cloud Device Administrator`- `Compliance Administrator`- `Customer LockBox Access Approver`- `Exchange Administrator`- `Fabric Administrator`- `Global Administrator`- `HelpDesk Administrator`- `Intune Administrator`- `Kaizala Administrator`- `License Administrator`- `Microsoft Entra Joined Device Local Administrator`- `Password Administrator`- `Privileged Authentication Administrator`- `Privileged Role Administrator`- `Security Administrator`- `SharePoint Administrator`- `Skype for Business Administrator`- `Teams Administrator`- `User Administrator`",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity Governance` select `Privileged Identity Management`.3. Under **Manage** select `Microsoft Entra Roles`.4. Under **Manage** select `Roles`.5. Inspect at a minimum the following sensitive roles to ensure the members are `Eligible` and not `Permanent`:- `Application Administrator`- `Authentication Administrator`- `Azure Information Protection Administrator`- `Billing Administrator`- `Cloud Application Administrator`- `Cloud Device Administrator`- `Compliance Administrator`- `Customer LockBox Access Approver`- `Exchange Administrator`- `Fabric Administrator`- `Global Administrator`- `HelpDesk Administrator`- `Intune Administrator`- `Kaizala Administrator`- `License Administrator`- `Microsoft Entra Joined Device Local Administrator`- `Password Administrator`- `Privileged Authentication Administrator`- `Privileged Role Administrator`- `Security Administrator`- `SharePoint Administrator`- `Skype for Business Administrator`- `Teams Administrator`- `User Administrator`",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure",
"DefaultValue": ""
}
]
},
{
"Id": "5.3.2",
"Description": "Access reviews enable administrators to establish an efficient automated process for reviewing group memberships, access to enterprise applications, and role assignments. These reviews can be scheduled to recur regularly, with flexible options for delegating the task of reviewing membership to different members of the organization.Ensure `Access reviews` for Guest Users are configured to be performed no less frequently than `monthly`.",
"Checks": [],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.3 Identity Governance",
"Profile": "E5 Level 1",
"AssessmentStatus": "Manual",
"Description": "Access reviews enable administrators to establish an efficient automated process for reviewing group memberships, access to enterprise applications, and role assignments. These reviews can be scheduled to recur regularly, with flexible options for delegating the task of reviewing membership to different members of the organization.Ensure `Access reviews` for Guest Users are configured to be performed no less frequently than `monthly`.",
"RationaleStatement": "Access to groups and applications for guests can change over time. If a guest user's access to a particular folder goes unnoticed, they may unintentionally gain access to sensitive data if a member adds new files or data to the folder or application. Access reviews can help reduce the risks associated with outdated assignments by requiring a member of the organization to conduct the reviews. Furthermore, these reviews can enable a fail-closed mechanism to remove access to the subject if the reviewer does not respond to the review.",
"ImpactStatement": "Access reviews that are ignored may cause guest users to lose access to resources temporarily.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/2. Click to expand `Identity Governance` and select `Access reviews`3. Click `New access review`.4. `Select what to review` choose `Teams + Groups`.5. `Review Scope` set to `All Microsoft 365 groups with guest users`, do not exclude groups.6. `Scope` set to `Guest users only` then click `Next: Reviews`.7. `Select reviewers` an appropriate user that is NOT the guest user themselves.8. `Duration (in days)` at most `3`.9. `Review recurrence` is `Monthly` or more frequent.10. `End` is set to `Never`, then click `Next: Settings`.11. Check `Auto apply results to resource`.12. Set `If reviewers don't respond` to `Remove access`.13. Check the following: `Justification required`, `E-mail notifications`, `Reminders`.14. Click `Next: Review + Create` and finally click `Create`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/2. Click to expand `Identity Governance` and select `Access reviews`3. Inspect the access reviews, and ensure an access review is created with the following criteria: - `Overview`: `Scope` is set to `Guest users only` and status is `Active` - `Reviewers`: Ensure appropriate reviewer(s) are designated. - `Settings` > `General`: `Mail notifications` and `Reminders` are set to `Enable` - `Reviewers`: `Require reason on approval` is set to `Enable` - `Scheduling`: `Frequency` is `Monthly` or more frequent. - `When completed`: `Auto apply results to resource` is set to `Enable` - `When completed`: `If reviewers don't respond` is set to `Remove access`",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/id-governance/access-reviews-overview:https://learn.microsoft.com/en-us/entra/id-governance/create-access-review",
"DefaultValue": "By default access reviews are not configured."
}
]
},
{
"Id": "5.3.3",
"Description": "Access reviews enable administrators to establish an efficient automated process for reviewing group memberships, access to enterprise applications, and role assignments. These reviews can be scheduled to recur regularly, with flexible options for delegating the task of reviewing membership to different members of the organization.Ensure `Access reviews` for high privileged Entra ID roles are done `monthly` or more frequently. These reviews should include **at a minimum** the roles listed below:- Global Administrator- Exchange Administrator- SharePoint Administrator- Teams Administrator- Security Administrator**Note:** An access review is created for each role selected after completing the process.",
"Checks": [],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.3 Identity Governance",
"Profile": "E5 Level 1",
"AssessmentStatus": "Manual",
"Description": "Access reviews enable administrators to establish an efficient automated process for reviewing group memberships, access to enterprise applications, and role assignments. These reviews can be scheduled to recur regularly, with flexible options for delegating the task of reviewing membership to different members of the organization.Ensure `Access reviews` for high privileged Entra ID roles are done `monthly` or more frequently. These reviews should include **at a minimum** the roles listed below:- Global Administrator- Exchange Administrator- SharePoint Administrator- Teams Administrator- Security Administrator**Note:** An access review is created for each role selected after completing the process.",
"RationaleStatement": "Regular review of critical high privileged roles in Entra ID will help identify role drift, or potential malicious activity. This will enable the practice and application of \"separation of duties\" where even non-privileged users like security auditors can be assigned to review assigned roles in an organization. Furthermore, if configured these reviews can enable a fail-closed mechanism to remove access to the subject if the reviewer does not respond to the review.",
"ImpactStatement": "",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/2. Click to expand `Identity Governance` and select `Privileged Identity Management`3. Select `Microsoft Entra Roles` under Manage4. Select `Access reviews` and click `New access review`.5. Provide a name and description.6. `Frequency` set to `Monthly` or more frequently.7. `Duration (in days)` is set to at most `3`.8. `End` set to `Never`.9. `Role` select these roles: `Global Administrator`,`Exchange Administrator`,`SharePoint Administrator`,`Teams Administrator`,`Security Administrator`9. `Assignment type` set to `All active and eligible assignments`.10. `Reviewers` set to `Selected user(s) or group(s)`11. `Select reviewers` are member(s) responsible for this type of review.12. `Auto apply results to resource` set to `Enable`13. `If reviewers don't respond` is set to `No change`14. `Show recommendations` set to `Enable`15. `Require reason or approval` set to `Enable`16. `Mail notifications` set to `Enable`17. `Reminders` set to `Enable`18. Click `Start` to save the review.**Note:** Reviewers will have the ability to revoke roles should be trusted individuals who understand the impact of the access reviews. The principle of separation of duties should be considered so that no one administrator is reviewing their own access levels.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/2. Click to expand `Identity Governance` and select `Privileged Identity Management`3. Select `Microsoft Entra Roles` under Manage4. Select `Access reviews`5. Ensure there are access reviews configured for each high privileged roles and each meets the criteria laid out below: - `Scope` - `Everyone` - `Status` - `Active` - `Reviewers` - Role reviewers should be designated personnel. Preferably not a self-review. - `Mail notifications` - `Enable` - `Reminders` - `Enable` - `Require reason on approval` - `Enable` - `Frequency` - `Monthly` or more frequently. - `Duration (in days)` - `4` at most - `Auto apply results to resource` - `Enable` - `If reviewers don't respond` - `No change`Any remaining settings are discretionary.**Note:** Reviewers will have the ability to revoke roles should be trusted individuals who understand the impact of the access reviews. The principle of separation of duties should be considered so that no one administrator is reviewing their own access levels.**Note2:** The setting `If reviewers don't respond` is recommended to be set to `Remove access` due to the potential of all Global Administrators being unassigned if the review is not addressed.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-create-roles-and-resource-roles-review:https://learn.microsoft.com/en-us/entra/id-governance/access-reviews-overview",
"DefaultValue": "By default access reviews are not configured."
}
]
},
{
"Id": "5.3.4",
"Description": "Microsoft Entra Privileged Identity Management can be used to audit roles, allow just in time activation of roles and allow for periodic role attestation. Requiring approval before activation allows one of the selected approvers to first review and then approve the activation prior to PIM granted the role. The approver doesn't have to be a group member or owner.The recommended state is `Require approval to activate` for the Global Administrator role.",
"Checks": [],
"Attributes": [
{
"Section": "5 Microsoft Entra admin center",
"SubSection": "5.3 Identity Governance",
"Profile": "E5 Level 1",
"AssessmentStatus": "Manual",
"Description": "Microsoft Entra Privileged Identity Management can be used to audit roles, allow just in time activation of roles and allow for periodic role attestation. Requiring approval before activation allows one of the selected approvers to first review and then approve the activation prior to PIM granted the role. The approver doesn't have to be a group member or owner.The recommended state is `Require approval to activate` for the Global Administrator role.",
"RationaleStatement": "Requiring approval for Global Administrator role activation enhances visibility and accountability every time this highly privileged role is used. This process reduces the risk of an attacker elevating a compromised account to the highest privilege level, as any activation must first be reviewed and approved by a trusted party.**Note:** This only acts as protection for eligible users that are activating a role. Directly assigning a role does require an approval workflow so therefore it is important to implement and use PIM correctly.",
"ImpactStatement": "Approvers do not need to be assigned the same role or be members of the same group. It's important to have at least two approvers and an emergency access (break-glass) account to prevent a scenario where no Global Administrators are available. For example, if the last active Global Administrator leaves the organization, and only eligible but inactive Global Administrators remain, a trusted approver without the Global Administrator role or an emergency access account would be essential to avoid delays in critical administrative tasks.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity Governance` select `Privileged Identity Management`.3. Under **Manage** select `Microsoft Entra Roles`.4. Under **Manage** select `Roles`.5. Select `Global Administrator` in the list.6. Select `Role settings` and click `Edit`.7. Check the `Require approval to activate` box.8. Add at least two approvers.9. Click `Update`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.2. Click to expand `Identity Governance` select `Privileged Identity Management`.3. Under **Manage** select `Microsoft Entra Roles`.4. Under **Manage** select `Roles`.5. Select `Global Administrator` in the list.6. Select `Role settings` and click `Edit`.7. Verify `Require approval to activate` is set.8. Verify there are at least two approvers selected.9. Click `Update`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure:https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/groups-role-settings#require-approval-to-activate",
"DefaultValue": "`Require approval to activate` is unchecked."
}
]
},
{
"Id": "6.1.1",
"Description": "The value False indicates that mailbox auditing on by default is turned on for the organization. Mailbox auditing on by default in the organization overrides the mailbox auditing settings on individual mailboxes. For example, if mailbox auditing is turned off for a mailbox (the AuditEnabled property on the mailbox is False), the default mailbox actions are still audited for the mailbox, because mailbox auditing on by default is turned on for the organization.Turning off mailbox auditing on by default ($true) has the following results:- Mailbox auditing is turned off for your organization.- From the time you turn off mailbox auditing on by default, no mailbox actions are audited, even if mailbox auditing is enabled on a mailbox (the AuditEnabled property on the mailbox is True).- Mailbox auditing isn't turned on for new mailboxes and setting the AuditEnabled property on a new or existing mailbox to True is ignored.- Any mailbox audit bypass association settings (configured by using the Set-MailboxAuditBypassAssociation cmdlet) are ignored.- Existing mailbox audit records are retained until the audit log age limit for the record expires.The recommended state for this setting is `False` at the organization level. This will enable auditing and enforce the default.",
"Checks": [
"exchange_organization_mailbox_auditing_enabled"
],
"Attributes": [
{
"Section": "6 Exchange admin center",
"SubSection": "6.1 Audit",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "The value False indicates that mailbox auditing on by default is turned on for the organization. Mailbox auditing on by default in the organization overrides the mailbox auditing settings on individual mailboxes. For example, if mailbox auditing is turned off for a mailbox (the AuditEnabled property on the mailbox is False), the default mailbox actions are still audited for the mailbox, because mailbox auditing on by default is turned on for the organization.Turning off mailbox auditing on by default ($true) has the following results:- Mailbox auditing is turned off for your organization.- From the time you turn off mailbox auditing on by default, no mailbox actions are audited, even if mailbox auditing is enabled on a mailbox (the AuditEnabled property on the mailbox is True).- Mailbox auditing isn't turned on for new mailboxes and setting the AuditEnabled property on a new or existing mailbox to True is ignored.- Any mailbox audit bypass association settings (configured by using the Set-MailboxAuditBypassAssociation cmdlet) are ignored.- Existing mailbox audit records are retained until the audit log age limit for the record expires.The recommended state for this setting is `False` at the organization level. This will enable auditing and enforce the default.",
"RationaleStatement": "Enforcing the default ensures auditing was not turned off intentionally or accidentally. Auditing mailbox actions will allow forensics and IR teams to trace various malicious activities that can generate TTPs caused by inbox access and tampering.**Note:** Without advanced auditing (E5 function) the logs are limited to 90 days.",
"ImpactStatement": "None - this is the default behavior as of 2019.",
"RemediationProcedure": "**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Set-OrganizationConfig -AuditDisabled $false```",
"AuditProcedure": "**To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Get-OrganizationConfig | Format-List AuditDisabled```3. Ensure `AuditDisabled` is set to `False`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/purview/audit-mailboxes?view=o365-worldwide:https://learn.microsoft.com/en-us/powershell/module/exchange/set-organizationconfig?view=exchange-ps#-auditdisabled",
"DefaultValue": "False"
}
]
},
{
"Id": "6.1.2",
"Description": "Mailbox audit logging is turned on by default in all organizations. This effort started in January 2019, and means that certain actions performed by mailbox owners, delegates, and admins are automatically logged. The corresponding mailbox audit records are available for admins to search in the mailbox audit log. Mailboxes and shared mailboxes have actions assigned to them individually in order to audit the data the organization determines valuable at the mailbox level.The recommended state is `AuditEnabled` to `True` on all user mailboxes along with additional audit actions beyond the Microsoft defaults.**Note:** Due to some differences in defaults for audit actions this recommendation is specific to users assigned an E3 license only.",
"Checks": [
"exchange_user_mailbox_auditing_enabled"
],
"Attributes": [
{
"Section": "6 Exchange admin center",
"SubSection": "6.1 Audit",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "Mailbox audit logging is turned on by default in all organizations. This effort started in January 2019, and means that certain actions performed by mailbox owners, delegates, and admins are automatically logged. The corresponding mailbox audit records are available for admins to search in the mailbox audit log. Mailboxes and shared mailboxes have actions assigned to them individually in order to audit the data the organization determines valuable at the mailbox level.The recommended state is `AuditEnabled` to `True` on all user mailboxes along with additional audit actions beyond the Microsoft defaults.**Note:** Due to some differences in defaults for audit actions this recommendation is specific to users assigned an E3 license only.",
"RationaleStatement": "Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing, and ensuring the proper mailbox actions are accounted for allows for Microsoft 365 teams to run security operations, forensics or general investigations on mailbox activities. The following mailbox types ignore the organizational default and must have `AuditEnabled` set to `True` at the mailbox level in order to capture relevant audit data.- Resource Mailboxes- Public Folder Mailboxes- DiscoverySearch Mailbox **Note:** Without advanced auditing (E5 function) the logs are limited to 90 days.",
"ImpactStatement": "None - this is the default behavior.",
"RemediationProcedure": "**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell script:```$AuditAdmin = @( \"ApplyRecord\", \"Copy\", \"Create\", \"FolderBind\", \"HardDelete\", \"Move\", \"MoveToDeletedItems\", \"SendAs\", \"SendOnBehalf\", \"SoftDelete\", \"Update\", \"UpdateCalendarDelegation\", \"UpdateFolderPermissions\", \"UpdateInboxRules\")$AuditDelegate = @( \"ApplyRecord\", \"Create\", \"FolderBind\", \"HardDelete\", \"Move\", \"MoveToDeletedItems\", \"SendAs\", \"SendOnBehalf\", \"SoftDelete\", \"Update\", \"UpdateFolderPermissions\", \"UpdateInboxRules\")$AuditOwner = @( \"ApplyRecord\", \"Create\", \"HardDelete\", \"MailboxLogin\", \"Move\", \"MoveToDeletedItems\", \"SoftDelete\", \"Update\", \"UpdateCalendarDelegation\", \"UpdateFolderPermissions\", \"UpdateInboxRules\")$MBX = Get-EXOMailbox -ResultSize Unlimited | Where-Object { $_.RecipientTypeDetails -eq \"UserMailbox\" }$MBX | Set-Mailbox -AuditEnabled $true `-AuditLogAgeLimit 90 -AuditAdmin $AuditAdmin -AuditDelegate $AuditDelegate `-AuditOwner $AuditOwner```",
"AuditProcedure": "**To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell script:```$MailAudit = Get-EXOMailbox -PropertySets Audit -ResultSize Unlimited | Select-Object UserPrincipalName, AuditEnabled, AuditAdmin, AuditDelegate, AuditOwner$MailAudit | Export-Csv -Path C:\\CIS\\AuditSettings.csv -NoTypeInformation```3. Analyze the output and verify `AuditEnabled` is set to `True` and all audit actions are included in what is defined in the script in the remediation section.**Optionally, this more comprehensive script can assess each user mailbox:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following script:```$AdminActions = @( \"ApplyRecord\", \"Copy\", \"Create\", \"FolderBind\", \"HardDelete\", \"Move\", \"MoveToDeletedItems\", \"SendAs\", \"SendOnBehalf\", \"SoftDelete\", \"Update\", \"UpdateCalendarDelegation\", \"UpdateFolderPermissions\", \"UpdateInboxRules\" )$DelegateActions = @( \"ApplyRecord\", \"Create\", \"FolderBind\", \"HardDelete\", \"Move\", \"MoveToDeletedItems\", \"SendAs\", \"SendOnBehalf\", \"SoftDelete\", \"Update\", \"UpdateFolderPermissions\", \"UpdateInboxRules\")$OwnerActions = @( \"ApplyRecord\", \"Create\", \"HardDelete\", \"MailboxLogin\", \"Move\", \"MoveToDeletedItems\", \"SoftDelete\", \"Update\", \"UpdateCalendarDelegation\", \"UpdateFolderPermissions\", \"UpdateInboxRules\")function VerifyActions { param ( [string]$type, [array]$actions, [array]$auditProperty, [string]$mailboxName ) $missingActions = @() $actionCount = 0 foreach ($action in $actions) { if ($auditProperty -notcontains $action) { $missingActions += \" Failure: Audit action '$action' missing from $type\" $actionCount++ } } if ($actionCount -eq 0) { Write-Host \"[$mailboxName]: $type actions are verified.\" -ForegroundColor Green } else { Write-Host \"[$mailboxName]: $type actions are not all verified.\" -ForegroundColor Red foreach ($missingAction in $missingActions) { Write-Host \" $missingAction\" -ForegroundColor Red } }}$mailboxes = Get-EXOMailbox -PropertySets Audit,Minimum -ResultSize Unlimited | Where-Object { $_.RecipientTypeDetails -eq \"UserMailbox\" }foreach ($mailbox in $mailboxes) { Write-Host \"--- Now assessing [$($mailbox.UserPrincipalName)] ---\" if ($mailbox.AuditEnabled) { Write-Host \"[$($mailbox.UserPrincipalName)]: AuditEnabled is true\" -ForegroundColor Green } else { Write-Host \"[$($mailbox.UserPrincipalName)]: AuditEnabled is false\" -ForegroundColor Red } VerifyActions -type \"AuditAdmin\" -actions $AdminActions -auditProperty $mailbox.AuditAdmin ` -mailboxName $mailbox.UserPrincipalName VerifyActions -type \"AuditDelegate\" -actions $DelegateActions -auditProperty $mailbox.AuditDelegate ` -mailboxName $mailbox.UserPrincipalName VerifyActions -type \"AuditOwner\" -actions $OwnerActions -auditProperty $mailbox.AuditOwner ` -mailboxName $mailbox.UserPrincipalName Write-Host}```",
"AdditionalInformation": "Additional mailbox actions outside of the scope of this recommendations that can be audited for with an E5 license include: - MailItemsAccessed- SearchQueryInitiated- Send",
"References": "https://learn.microsoft.com/en-us/purview/audit-mailboxes?view=o365-worldwide",
"DefaultValue": "`AuditEnabled`: `True` for all mailboxes except below:- Resource Mailboxes- Public Folder Mailboxes- DiscoverySearch Mailbox**AuditAdmin:** ApplyRecord, Create, HardDelete, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules**AuditDelegate:** ApplyRecord, Create, HardDelete, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules**AuditOwner:** ApplyRecord, HardDelete, MoveToDeletedItems, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules"
}
]
},
{
"Id": "6.1.3",
"Description": "Mailbox audit logging is turned on by default in all organizations. This effort started in January 2019, and means that certain actions performed by mailbox owners, delegates, and admins are automatically logged. The corresponding mailbox audit records are available for admins to search in the mailbox audit log. Mailboxes and shared mailboxes have actions assigned to them individually in order to audit the data the organization determines valuable at the mailbox level.The recommended state is `AuditEnabled` to `True` on all user mailboxes along with additional audit actions beyond the Microsoft defaults.Note: Due to some differences in defaults for audit actions this recommendation is specific to users assigned an E5 license, or auditing addon license, only.",
"Checks": [
"exchange_user_mailbox_auditing_enabled"
],
"Attributes": [
{
"Section": "6 Exchange admin center",
"SubSection": "6.1 Audit",
"Profile": "E5 Level 1",
"AssessmentStatus": "Automated",
"Description": "Mailbox audit logging is turned on by default in all organizations. This effort started in January 2019, and means that certain actions performed by mailbox owners, delegates, and admins are automatically logged. The corresponding mailbox audit records are available for admins to search in the mailbox audit log. Mailboxes and shared mailboxes have actions assigned to them individually in order to audit the data the organization determines valuable at the mailbox level.The recommended state is `AuditEnabled` to `True` on all user mailboxes along with additional audit actions beyond the Microsoft defaults.Note: Due to some differences in defaults for audit actions this recommendation is specific to users assigned an E5 license, or auditing addon license, only.",
"RationaleStatement": "Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing and ensuring the proper mailbox actions are accounted for allows for Microsoft 365 teams to run security operations, forensics or general investigations on mailbox activities. The following mailbox types ignore the organizational default and must have `AuditEnabled` set to `True` at the mailbox level in order to capture relevant audit data.- Resource Mailboxes- Public Folder Mailboxes- DiscoverySearch Mailbox **NOTE:** Without advanced auditing (E5 function) the logs are limited to 90 days.",
"ImpactStatement": "None - this is the default behavior.",
"RemediationProcedure": "**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell script:```$AuditAdmin = @( \"ApplyRecord\", \"Copy\", \"Create\", \"FolderBind\", \"HardDelete\", \"MailItemsAccessed\", \"Move\", \"MoveToDeletedItems\", \"SendAs\", \"SendOnBehalf\", \"Send\", \"SoftDelete\", \"Update\", \"UpdateCalendarDelegation\", \"UpdateFolderPermissions\", \"UpdateInboxRules\")$AuditDelegate = @( \"ApplyRecord\", \"Create\", \"FolderBind\", \"HardDelete\", \"Move\", \"MailItemsAccessed\", \"MoveToDeletedItems\", \"SendAs\", \"SendOnBehalf\", \"SoftDelete\", \"Update\", \"UpdateFolderPermissions\", \"UpdateInboxRules\")$AuditOwner = @( \"ApplyRecord\", \"Create\", \"HardDelete\", \"MailboxLogin\", \"Move\", \"MailItemsAccessed\", \"MoveToDeletedItems\", \"Send\", \"SoftDelete\", \"Update\", \"UpdateCalendarDelegation\", \"UpdateFolderPermissions\", \"UpdateInboxRules\")$MBX = Get-EXOMailbox -ResultSize Unlimited | Where-Object { $_.RecipientTypeDetails -eq \"UserMailbox\" }$MBX | Set-Mailbox -AuditEnabled $true `-AuditLogAgeLimit 180 -AuditAdmin $AuditAdmin -AuditDelegate $AuditDelegate `-AuditOwner $AuditOwner```**Note:** When running this script mailboxes without an E5 or Azure Audit Premium license applied will generate an error as they are not licensed for the additional actions which come default with E5.",
"AuditProcedure": "**To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell script:```$MailAudit = Get-EXOMailbox -PropertySets Audit -ResultSize Unlimited | Select-Object UserPrincipalName, AuditEnabled, AuditAdmin, AuditDelegate, AuditOwner$MailAudit | Export-Csv -Path C:\\CIS\\AuditSettings.csv -NoTypeInformation```3. Analyze the output and verify `AuditEnabled` is set to `True` and all audit actions are included in what is defined in the script in the remediation section.**Optionally, this more comprehensive script can assess each user mailbox:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following script:```$AdminActions = @( \"ApplyRecord\", \"Copy\", \"Create\", \"FolderBind\", \"HardDelete\", \"MailItemsAccessed\", \"Move\", \"MoveToDeletedItems\", \"SendAs\", \"SendOnBehalf\", \"Send\", \"SoftDelete\", \"Update\", \"UpdateCalendarDelegation\", \"UpdateFolderPermissions\", \"UpdateInboxRules\" )$DelegateActions = @( \"ApplyRecord\", \"Create\", \"FolderBind\", \"HardDelete\", \"Move\", \"MailItemsAccessed\", \"MoveToDeletedItems\", \"SendAs\", \"SendOnBehalf\", \"SoftDelete\", \"Update\", \"UpdateFolderPermissions\", \"UpdateInboxRules\")$OwnerActions = @( \"ApplyRecord\", \"Create\", \"HardDelete\", \"MailboxLogin\", \"Move\", \"MailItemsAccessed\", \"MoveToDeletedItems\", \"Send\", \"SoftDelete\", \"Update\", \"UpdateCalendarDelegation\", \"UpdateFolderPermissions\", \"UpdateInboxRules\")function VerifyActions { param ( [string]$type, [array]$actions, [array]$auditProperty, [string]$mailboxName ) $missingActions = @() $actionCount = 0 foreach ($action in $actions) { if ($auditProperty -notcontains $action) { $missingActions += \" Failure: Audit action '$action' missing from $type\" $actionCount++ } } if ($actionCount -eq 0) { Write-Host \"[$mailboxName]: $type actions are verified.\" -ForegroundColor Green } else { Write-Host \"[$mailboxName]: $type actions are not all verified.\" -ForegroundColor Red foreach ($missingAction in $missingActions) { Write-Host \" $missingAction\" -ForegroundColor Red } }}$mailboxes = Get-EXOMailbox -PropertySets Audit,Minimum -ResultSize Unlimited | Where-Object { $_.RecipientTypeDetails -eq \"UserMailbox\" }foreach ($mailbox in $mailboxes) { Write-Host \"--- Now assessing [$($mailbox.UserPrincipalName)] ---\" if ($mailbox.AuditEnabled) { Write-Host \"[$($mailbox.UserPrincipalName)]: AuditEnabled is true\" -ForegroundColor Green } else { Write-Host \"[$($mailbox.UserPrincipalName)]: AuditEnabled is false\" -ForegroundColor Red } VerifyActions -type \"AuditAdmin\" -actions $AdminActions -auditProperty $mailbox.AuditAdmin ` -mailboxName $mailbox.UserPrincipalName VerifyActions -type \"AuditDelegate\" -actions $DelegateActions -auditProperty $mailbox.AuditDelegate ` -mailboxName $mailbox.UserPrincipalName VerifyActions -type \"AuditOwner\" -actions $OwnerActions -auditProperty $mailbox.AuditOwner ` -mailboxName $mailbox.UserPrincipalName Write-Host}```**Note:** In order for a mailbox to pass the above it must have an E5 or Microsoft Purview Audit Premium addon license assigned to it. For the purposes of this recommendation shared mailboxes are ignored.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/purview/audit-mailboxes?view=o365-worldwide",
"DefaultValue": "`AuditEnabled`: `True` for all mailboxes except below:- Resource Mailboxes- Public Folder Mailboxes- DiscoverySearch Mailbox**AuditAdmin:** ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules**AuditDelegate:** ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules**AuditOwner:** ApplyRecord, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules"
}
]
},
{
"Id": "6.1.4",
"Description": "When configuring a user or computer account to bypass mailbox audit logging, the system will not record any access, or actions performed by the said user or computer account on any mailbox. Administratively this was introduced to reduce the volume of entries in the mailbox audit logs on trusted user or computer accounts.Ensure `AuditBypassEnabled` is not enabled on accounts without a written exception.",
"Checks": [
"exchange_mailbox_audit_bypass_disabled"
],
"Attributes": [
{
"Section": "6 Exchange admin center",
"SubSection": "6.1 Audit",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "When configuring a user or computer account to bypass mailbox audit logging, the system will not record any access, or actions performed by the said user or computer account on any mailbox. Administratively this was introduced to reduce the volume of entries in the mailbox audit logs on trusted user or computer accounts.Ensure `AuditBypassEnabled` is not enabled on accounts without a written exception.",
"RationaleStatement": "If a mailbox audit bypass association is added for an account, the account can access any mailbox in the organization to which it has been assigned access permissions, without generating any mailbox audit logging entries for such access or recording any actions taken, such as message deletions.Enabling this parameter, whether intentionally or unintentionally, could allow insiders or malicious actors to conceal their activity on specific mailboxes. Ensuring proper logging of user actions and mailbox operations in the audit log will enable comprehensive incident response and forensics.",
"ImpactStatement": "None - this is the default behavior.",
"RemediationProcedure": "**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. The following example PowerShell script will disable AuditBypass for all mailboxes which currently have it enabled:```# Get mailboxes with AuditBypassEnabled set to $true$MBXAudit = Get-MailboxAuditBypassAssociation -ResultSize unlimited | Where-Object { $_.AuditBypassEnabled -eq $true }foreach ($mailbox in $MBXAudit) { $mailboxName = $mailbox.Name Set-MailboxAuditBypassAssociation -Identity $mailboxName -AuditBypassEnabled $false Write-Host \"Audit Bypass disabled for mailbox Identity: $mailboxName\" -ForegroundColor Green}```",
"AuditProcedure": "**To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```$MBX = Get-MailboxAuditBypassAssociation -ResultSize unlimited$MBX | where {$_.AuditBypassEnabled -eq $true} | Format-Table Name,AuditBypassEnabled```3. If nothing is returned, then there are no accounts with Audit Bypass enabled.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/powershell/module/exchange/get-mailboxauditbypassassociation?view=exchange-ps",
"DefaultValue": "AuditBypassEnabled `False`"
}
]
},
{
"Id": "6.2.1",
"Description": "Exchange Online offers several methods of managing the flow of email messages. These are Remote domain, Transport Rules, and Anti-spam outbound policies. These methods work together to provide comprehensive coverage for potential automatic forwarding channels:- Outlook forwarding using inbox rules.- Outlook forwarding configured using OOF rule.- OWA forwarding setting (ForwardingSmtpAddress).- Forwarding set by the admin using EAC (ForwardingAddress).- Forwarding using Power Automate / Flow.Ensure a `Transport rule` and `Anti-spam outbound policy` are used to block mail forwarding.**NOTE:** Any exclusions should be implemented based on organizational policy.",
"Checks": [
"defender_antispam_outbound_policy_forwarding_disabled",
"exchange_transport_rules_mail_forwarding_disabled"
],
"Attributes": [
{
"Section": "6 Exchange admin center",
"SubSection": "6.2 Mail Flow",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "Exchange Online offers several methods of managing the flow of email messages. These are Remote domain, Transport Rules, and Anti-spam outbound policies. These methods work together to provide comprehensive coverage for potential automatic forwarding channels:- Outlook forwarding using inbox rules.- Outlook forwarding configured using OOF rule.- OWA forwarding setting (ForwardingSmtpAddress).- Forwarding set by the admin using EAC (ForwardingAddress).- Forwarding using Power Automate / Flow.Ensure a `Transport rule` and `Anti-spam outbound policy` are used to block mail forwarding.**NOTE:** Any exclusions should be implemented based on organizational policy.",
"RationaleStatement": "Attackers often create these rules to exfiltrate data from your tenancy, this could be accomplished via access to an end-user account or otherwise. An insider could also use one of these methods as a secondary channel to exfiltrate sensitive data.",
"ImpactStatement": "Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users and in an organization. Any exclusions should be implemented based on organizational policy.",
"RemediationProcedure": "**Note:** _Remediation is a two step procedure as follows:_**STEP 1: Transport rules****To remediate using the UI:** 1. Select `Exchange` to open the Exchange admin center.2. Select `Mail Flow` then `Rules`.3. For each rule that redirects email to external domains, select the rule and click the 'Delete' icon.**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Remove-TransportRule {RuleName}```**STEP 2: Anti-spam outbound policy****To remediate using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com/2. Expand `E-mail & collaboration` then select `Policies & rules`.3. Select `Threat policies` > `Anti-spam`.4. Select `Anti-spam outbound policy (default)` 5. Click `Edit protection settings`6. Set `Automatic forwarding rules` dropdown to `Off - Forwarding is disabled` and click `Save`7. Repeat steps 4-6 for any additional higher priority, custom policies.**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Set-HostedOutboundSpamFilterPolicy -Identity {policyName} -AutoForwardingMode Off```3. To remove AutoForwarding from all outbound policies you can also run:```Get-HostedOutboundSpamFilterPolicy | Set-HostedOutboundSpamFilterPolicy -AutoForwardingMode Off```",
"AuditProcedure": "**Note:** _Audit is a two step procedure as follows:_**STEP 1: Transport rules****To audit using the UI:** 1. Select `Exchange` to open the Exchange admin center.2. Select `Mail Flow` then `Rules`.3. Review the rules and verify that none of them are forwards or redirects e-mail to external domains.**To audit using PowerShell:**1. Connect to Exchange online using `Connect-ExchangeOnline`.2. Run the following PowerShell command to review the Transport Rules that are redirecting email:```Get-TransportRule | Where-Object {$_.RedirectMessageTo -ne $null} | ft Name,RedirectMessageTo```3. Verify that none of the addresses listed belong to external domains outside of the organization. If nothing returns then there are no transport rules set to redirect messages.**STEP 2: Anti-spam outbound policy****To audit using the UI:**1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com/2. Expand `E-mail & collaboration` then select `Policies & rules`.3. Select `Threat policies` > `Anti-spam`.4. Inspect `Anti-spam outbound policy (default)` and ensure `Automatic forwarding` is set to `Off - Forwarding is disabled`5. Inspect any additional custom outbound policies and ensure `Automatic forwarding` is set to `Off - Forwarding is disabled`, in accordance with the organization's exclusion policies.**To audit using PowerShell:**1. Connect to Exchange online using `Connect-ExchangeOnline`.2. Run the following PowerShell cmdlet:```Get-HostedOutboundSpamFilterPolicy | ft Name, AutoForwardingMode```3. In each outbound policy verify `AutoForwardingMode` is `Off`.**Note:** According to Microsoft if a recipient is defined in multiple policies of the same type (anti-spam, anti-phishing, etc.), only the policy with the highest priority is applied to the recipient. Any remaining policies of that type are not evaluated for the recipient (including the default policy). However, it is our recommendation to audit the default policy as well in the case a higher priority custom policy is removed. This will keep the organization's security posture strong.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules:https://techcommunity.microsoft.com/t5/exchange-team-blog/all-you-need-to-know-about-automatic-email-forwarding-in/ba-p/2074888#:~:text=%20%20%20Automatic%20forwarding%20option%20%20,%:https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-policies-external-email-forwarding?view=o365-worldwide",
"DefaultValue": ""
}
]
},
{
"Id": "6.2.2",
"Description": "Mail flow rules (transport rules) in Exchange Online are used to identify and take action on messages that flow through the organization.",
"Checks": [
"exchange_transport_rules_whitelist_disabled"
],
"Attributes": [
{
"Section": "6 Exchange admin center",
"SubSection": "6.2 Mail Flow",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "Mail flow rules (transport rules) in Exchange Online are used to identify and take action on messages that flow through the organization.",
"RationaleStatement": "Whitelisting domains in transport rules bypasses regular malware and phishing scanning, which can enable an attacker to launch attacks against your users from a safe haven domain.",
"ImpactStatement": "Care should be taken before implementation to ensure there is no business need for case-by-case whitelisting. Removing all whitelisted domains could affect incoming mail flow to an organization although modern systems sending legitimate mail should have no issue with this.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Exchange admin center` https://admin.exchange.microsoft.com..2. Click to expand `Mail Flow` and then select `Rules`.3. For each rule that whitelists specific domains, select the rule and click the 'Delete' icon.**To remediate using PowerShell:**1. Connect to Exchange online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Remove-TransportRule {RuleName}```3. Verify the rules no longer exists.```Get-TransportRule | Where-Object {($_.setscl -eq -1 -and $_.SenderDomainIs -ne $null)} | ft Name,SenderDomainIs```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Exchange admin center` https://admin.exchange.microsoft.com..2. Click to expand `Mail Flow` and then select `Rules`.3. Review the rules and verify that none of them whitelist any specific domains.**To audit using PowerShell:**1. Connect to Exchange online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Get-TransportRule | Where-Object {($_.setscl -eq -1 -and $_.SenderDomainIs -ne $null)} | ft Name,SenderDomainIs```",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/configuration-best-practices:https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules",
"DefaultValue": ""
}
]
},
{
"Id": "6.2.3",
"Description": "External callouts provide a native experience to identify emails from senders outside the organization. This is achieved by presenting a new tag on emails called \"External\" (the string is localized based on the client language setting) and exposing related user interface at the top of the message reading view to see and verify the real sender's email address.Once this feature is enabled via PowerShell, it might take 24-48 hours for users to start seeing the External sender tag in email messages received from external sources (outside of your organization), providing their Outlook version supports it.The recommended state is `ExternalInOutlook` set to `Enabled` `True`**Note:** Mail flow rules are often used by Exchange administrators to accomplish the External email tagging by appending a tag to the front of a subject line. There are limitations to this outlined [here.](https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098) The preferred method in the CIS Benchmark is to use the native experience.",
"Checks": [
"exchange_external_email_tagging_enabled"
],
"Attributes": [
{
"Section": "6 Exchange admin center",
"SubSection": "6.2 Mail Flow",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "External callouts provide a native experience to identify emails from senders outside the organization. This is achieved by presenting a new tag on emails called \"External\" (the string is localized based on the client language setting) and exposing related user interface at the top of the message reading view to see and verify the real sender's email address.Once this feature is enabled via PowerShell, it might take 24-48 hours for users to start seeing the External sender tag in email messages received from external sources (outside of your organization), providing their Outlook version supports it.The recommended state is `ExternalInOutlook` set to `Enabled` `True`**Note:** Mail flow rules are often used by Exchange administrators to accomplish the External email tagging by appending a tag to the front of a subject line. There are limitations to this outlined [here.](https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098) The preferred method in the CIS Benchmark is to use the native experience.",
"RationaleStatement": "Tagging emails from external senders helps to inform end users about the origin of the email. This can allow them to proceed with more caution and make informed decisions when it comes to identifying spam or phishing emails.**Note:** Existing emails in a user's inbox from external senders are not tagged retroactively.",
"ImpactStatement": "Mail flow rules using external tagging will need to be disabled before enabling this to avoid duplicate [External] tags. The Outlook desktop client is the last to receive this update and the feature is only available for certain versions see below:Outlook for Windows: **Update 4/26/23:** _External Tag view in Outlook for Windows (matching other clients) released to production for Current Channel and Monthly Enterprise Channel in Version 2211 for builds 15831.20190 and higher. We anticipate the External tag to reach Semi-Annual Preview Channel with Version 2308 on the September 12th 2023 public update and reach Semi-Annual Enterprise Channel with Version 2308 with the January 9th 2024 public update._",
"RemediationProcedure": "**To remediate using PowerShell:**1. Connect to Exchange online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Set-ExternalInOutlook -Enabled $true```",
"AuditProcedure": "**To audit using PowerShell:**1. Connect to Exchange online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Get-ExternalInOutlook```3. For each identity verify `Enabled` is set to `True` and the `AllowList` only contains email addresses the organization has permitted to bypass external tagging.",
"AdditionalInformation": "",
"References": "https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098:https://learn.microsoft.com/en-us/powershell/module/exchange/set-externalinoutlook?view=exchange-ps",
"DefaultValue": "Disabled (False)"
}
]
},
{
"Id": "6.3.1",
"Description": "Specify the administrators and users who can install and manage add-ins for Outlook in Exchange OnlineBy default, users can install add-ins in their Microsoft Outlook Desktop client, allowing data access within the client application.",
"Checks": [
"exchange_roles_assignment_policy_addins_disabled"
],
"Attributes": [
{
"Section": "6 Exchange admin center",
"SubSection": "6.3 Roles",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "Specify the administrators and users who can install and manage add-ins for Outlook in Exchange OnlineBy default, users can install add-ins in their Microsoft Outlook Desktop client, allowing data access within the client application.",
"RationaleStatement": "Attackers exploit vulnerable or custom add-ins to access user data. Disabling user-installed add-ins in Microsoft Outlook reduces this threat surface.",
"ImpactStatement": "Implementing this change will impact both end users and administrators. End users will be unable to integrate third-party applications they desire, and administrators may receive requests to grant permission for necessary third-party apps.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Exchange admin center` https://admin.exchange.microsoft.com.2. Click to expand `Roles` select `User roles`.3. Select `Default Role Assignment Policy`.4. In the properties pane on the right click on `Manage permissions`.5. Under _Other roles_ uncheck `My Custom Apps`, `My Marketplace Apps` and `My ReadWriteMailboxApps`.6. Click `Save changes`.**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following command:```$policy = \"Role Assignment Policy - Prevent Add-ins\"$roles = \"MyTextMessaging\", \"MyDistributionGroups\", ` \"MyMailSubscriptions\", \"MyBaseOptions\", \"MyVoiceMail\", ` \"MyProfileInformation\", \"MyContactInformation\", \"MyRetentionPolicies\", ` \"MyDistributionGroupMembership\"New-RoleAssignmentPolicy -Name $policy -Roles $rolesSet-RoleAssignmentPolicy -id $policy -IsDefault# Assign new policy to all mailboxesGet-EXOMailbox -ResultSize Unlimited | Set-Mailbox -RoleAssignmentPolicy $policy``` **If you have other Role Assignment Policies modify the last line to filter out your custom policies**",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Exchange admin center` https://admin.exchange.microsoft.com.2. Click to expand `Roles` select `User roles`.3. Select `Default Role Assignment Policy`.4. In the properties pane on the right click on `Manage permissions`.5. Under _Other roles_ verify `My Custom Apps`, `My Marketplace Apps` and `My ReadWriteMailboxApps` are **unchecked**.**To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following command:```Get-EXOMailbox | Select-Object -Unique RoleAssignmentPolicy | ForEach-Object { Get-RoleAssignmentPolicy -Identity $_.RoleAssignmentPolicy | Where-Object {$_.AssignedRoles -like \"*Apps*\"}} | Select-Object Identity, @{Name=\"AssignedRoles\"; Expression={ Get-Mailbox | Select-Object -Unique RoleAssignmentPolicy | ForEach-Object { Get-RoleAssignmentPolicy -Identity $_.RoleAssignmentPolicy | Select-Object -ExpandProperty AssignedRoles | Where-Object {$_ -like \"*Apps*\"} }}}```3. Verify `My Custom Apps`, `My Marketplace Apps` and `My ReadWriteMailboxApps` are not present.**Note:** As of the current release the manage permissions link no longer displays anything when a user assigned the Global Reader role clicks on it. Global Readers as an alternative can inspect the Roles column or use the PowerShell method to perform the audit.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/add-ins-for-outlook/specify-who-can-install-and-manage-add-ins?source=recommendations:https://learn.microsoft.com/en-us/exchange/permissions-exo/role-assignment-policies",
"DefaultValue": "UI - `My Custom Apps`, `My Marketplace Apps`, and `My ReadWriteMailboxApps` are checkedPowerShell - `My Custom Apps` `My Marketplace Apps` and `My ReadWriteMailboxApps` are assigned"
}
]
},
{
"Id": "6.5.1",
"Description": "Modern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. When you enable modern authentication in Exchange Online, Outlook 2016 and Outlook 2013 use modern authentication to log in to Microsoft 365 mailboxes. When you disable modern authentication in Exchange Online, Outlook 2016 and Outlook 2013 use basic authentication to log in to Microsoft 365 mailboxes.When users initially configure certain email clients, like Outlook 2013 and Outlook 2016, they may be required to authenticate using enhanced authentication mechanisms, such as multifactor authentication. Other Outlook clients that are available in Microsoft 365 (for example, Outlook Mobile and Outlook for Mac 2016) always use modern authentication to log in to Microsoft 365 mailboxes.",
"Checks": [
"exchange_organization_modern_authentication_enabled"
],
"Attributes": [
{
"Section": "6 Exchange admin center",
"SubSection": "6.5 Settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "Modern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. When you enable modern authentication in Exchange Online, Outlook 2016 and Outlook 2013 use modern authentication to log in to Microsoft 365 mailboxes. When you disable modern authentication in Exchange Online, Outlook 2016 and Outlook 2013 use basic authentication to log in to Microsoft 365 mailboxes.When users initially configure certain email clients, like Outlook 2013 and Outlook 2016, they may be required to authenticate using enhanced authentication mechanisms, such as multifactor authentication. Other Outlook clients that are available in Microsoft 365 (for example, Outlook Mobile and Outlook for Mac 2016) always use modern authentication to log in to Microsoft 365 mailboxes.",
"RationaleStatement": "Strong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by Exchange Online email clients such as Outlook 2016 and Outlook 2013. Enabling modern authentication for Exchange Online ensures strong authentication mechanisms are used when establishing sessions between email clients and Exchange Online.",
"ImpactStatement": "Users of older email clients, such as Outlook 2013 and Outlook 2016, will no longer be able to authenticate to Exchange using Basic Authentication, which will necessitate migration to modern authentication practices.",
"RemediationProcedure": "**To remediate using PowerShell:**1. Run the Microsoft Exchange Online PowerShell Module.2. Connect to Exchange Online using `Connect-ExchangeOnline`.3. Run the following PowerShell command:```Set-OrganizationConfig -OAuth2ClientProfileEnabled $True```",
"AuditProcedure": "**To audit using PowerShell:**1. Run the Microsoft Exchange Online PowerShell Module.2. Connect to Exchange Online using `Connect-ExchangeOnline`.3. Run the following PowerShell command:```Get-OrganizationConfig | Format-Table -Auto Name, OAuth*```4. Verify `OAuth2ClientProfileEnabled` is `True`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online",
"DefaultValue": "True"
}
]
},
{
"Id": "6.5.2",
"Description": "MailTips are informative messages displayed to users while they're composing a message. While a new message is open and being composed, Exchange analyzes the message (including recipients). If a potential problem is detected, the user is notified with a MailTip prior to sending the message. Using the information in the MailTip, the user can adjust the message to avoid undesirable situations or non-delivery reports (also known as NDRs or bounce messages).",
"Checks": [
"exchange_organization_mailtips_enabled"
],
"Attributes": [
{
"Section": "6 Exchange admin center",
"SubSection": "6.5 Settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "MailTips are informative messages displayed to users while they're composing a message. While a new message is open and being composed, Exchange analyzes the message (including recipients). If a potential problem is detected, the user is notified with a MailTip prior to sending the message. Using the information in the MailTip, the user can adjust the message to avoid undesirable situations or non-delivery reports (also known as NDRs or bounce messages).",
"RationaleStatement": "Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant.",
"ImpactStatement": "Not applicable.",
"RemediationProcedure": "**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```$TipsParams = @{ MailTipsAllTipsEnabled = $true MailTipsExternalRecipientsTipsEnabled = $true MailTipsGroupMetricsEnabled = $true MailTipsLargeAudienceThreshold = '25'}Set-OrganizationConfig @TipsParams```",
"AuditProcedure": "**To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Get-OrganizationConfig | fl MailTips*```3. Verify the values for `MailTipsAllTipsEnabled`, `MailTipsExternalRecipientsTipsEnabled`, and `MailTipsGroupMetricsEnabled` are set to `True` and `MailTipsLargeAudienceThreshold` is set to an acceptable value; `25` is the default value.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips:https://learn.microsoft.com/en-us/powershell/module/exchange/set-organizationconfig?view=exchange-ps",
"DefaultValue": "MailTipsAllTipsEnabled: TrueMailTipsExternalRecipientsTipsEnabled: FalseMailTipsGroupMetricsEnabled: TrueMailTipsLargeAudienceThreshold: 25"
}
]
},
{
"Id": "6.5.3",
"Description": "This setting allows users to open certain external files while working in Outlook on the web. If allowed, keep in mind that ",
"Checks": [
"exchange_mailbox_policy_additional_storage_restricted"
],
"Attributes": [
{
"Section": "6 Exchange admin center",
"SubSection": "6.5 Settings",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "This setting allows users to open certain external files while working in Outlook on the web. If allowed, keep in mind that ",
"RationaleStatement": "By default, additional storage providers are allowed in Office on the Web (such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage.",
"ImpactStatement": "The impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so.",
"RemediationProcedure": "**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AdditionalStorageProvidersAvailable $false```",
"AuditProcedure": "**To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable```3. Verify that the value returned is `False`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-owamailboxpolicy?view=exchange-ps:https://support.microsoft.com/en-us/topic/3rd-party-cloud-storage-services-supported-by-office-apps-fce12782-eccc-4cf5-8f4b-d1ebec513f72",
"DefaultValue": "`Additional Storage Providers` - `True`"
}
]
},
{
"Id": "6.5.4",
"Description": "This setting enables or disables authenticated client SMTP submission (SMTP AUTH) at an organization level in Exchange Online. The recommended state is `Turn off SMTP AUTH protocol for your organization` (checked).",
"Checks": [
"exchange_transport_config_smtp_auth_disabled"
],
"Attributes": [
{
"Section": "6 Exchange admin center",
"SubSection": "6.5 Settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "This setting enables or disables authenticated client SMTP submission (SMTP AUTH) at an organization level in Exchange Online. The recommended state is `Turn off SMTP AUTH protocol for your organization` (checked).",
"RationaleStatement": "SMTP AUTH is a legacy protocol. Disabling it at the organization level supports the principle of least functionality and serves to further back additional controls that block legacy protocols, such as in Conditional Access. Virtually all modern email clients that connect to Exchange Online mailboxes in Microsoft 365 can do so without using SMTP AUTH.",
"ImpactStatement": "This enforces the default behavior, so no impact is expected unless the organization is using it globally. A per-mailbox setting exists that overrides the tenant-wide setting, allowing an individual mailbox SMTP AUTH capability for special cases.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Exchange admin center` https://admin.exchange.microsoft.com.2. Select `Settings` > `Mail flow`.3. Uncheck `Turn off SMTP AUTH protocol for your organization`.**To remediate using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Set-TransportConfig -SmtpClientAuthenticationDisabled $true```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Exchange admin center` https://admin.exchange.microsoft.com.2. Select `Settings` > `Mail flow`.3. Ensure `Turn off SMTP AUTH protocol for your organization` is checked.**To audit using PowerShell:**1. Connect to Exchange Online using `Connect-ExchangeOnline`.2. Run the following PowerShell command:```Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled```3. Verify that the value returned is `True`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission",
"DefaultValue": "SmtpClientAuthenticationDisabled : True"
}
]
},
{
"Id": "7.2.1",
"Description": "Modern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers.",
"Checks": [
"sharepoint_modern_authentication_required"
],
"Attributes": [
{
"Section": "7 SharePoint admin center",
"SubSection": "7.2 Policies",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "Modern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers.",
"RationaleStatement": "Strong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users.",
"ImpactStatement": "Implementation of modern authentication for SharePoint will require users to authenticate to SharePoint using modern authentication. This may cause a minor impact to typical user behavior.This may also prevent third-party apps from accessing SharePoint Online resources. Also, this will also block apps using the SharePointOnlineCredentials class to access SharePoint Online resources.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint.2. Click to expand `Policies` select `Access control`.3. Select `Apps that don't use modern authentication`. 4. Select the radio button for `Block access`.5. Click `Save`.**To remediate using PowerShell:**1. Connect to SharePoint Online using `Connect-SPOService -Url https://tenant-admin.sharepoint.com` replacing tenant with your value.2. Run the following SharePoint Online PowerShell command:```Set-SPOTenant -LegacyAuthProtocolsEnabled $false```",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint.2. Click to expand `Policies` select `Access control`.3. Select `Apps that don't use modern authentication` and ensure that it is set to `Block access`.**To audit using PowerShell:**1. Connect to SharePoint Online using `Connect-SPOService -Url https://tenant-admin.sharepoint.com` replacing tenant with your value.2. Run the following SharePoint Online PowerShell command:```Get-SPOTenant | ft LegacyAuthProtocolsEnabled```3. Ensure the returned value is `False`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps",
"DefaultValue": "True (Apps that don't use modern authentication are allowed)"
}
]
},
{
"Id": "7.2.2",
"Description": "Entra ID B2B provides authentication and management of guests. Authentication happens via one-time passcode when they don't already have a work or school account or a Microsoft account. Integration with SharePoint and OneDrive allows for more granular control of how guest user accounts are managed in the organization's AAD, unifying a similar guest experience already deployed in other Microsoft 365 services such as Teams.**Note:** Global Reader role currently can't access SharePoint using PowerShell.",
"Checks": [],
"Attributes": [
{
"Section": "7 SharePoint admin center",
"SubSection": "7.2 Policies",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "Entra ID B2B provides authentication and management of guests. Authentication happens via one-time passcode when they don't already have a work or school account or a Microsoft account. Integration with SharePoint and OneDrive allows for more granular control of how guest user accounts are managed in the organization's AAD, unifying a similar guest experience already deployed in other Microsoft 365 services such as Teams.**Note:** Global Reader role currently can't access SharePoint using PowerShell.",
"RationaleStatement": "External users assigned guest accounts will be subject to Entra ID access policies, such as multi-factor authentication. This provides a way to manage guest identities and control access to SharePoint and OneDrive resources. Without this integration, files can be shared without account registration, making it more challenging to audit and manage who has access to the organization's data.",
"ImpactStatement": "B2B collaboration is used with other Entra services so should not be new or unusual. Microsoft also has made the experience seamless when turning on integration on SharePoint sites that already have active files shared with guest users. The referenced Microsoft article on the subject has more details on this.",
"RemediationProcedure": "**To remediate using PowerShell:**1. Connect to SharePoint Online using `Connect-SPOService`2. Run the following command:```Set-SPOTenant -EnableAzureADB2BIntegration $true```",
"AuditProcedure": "**To audit using PowerShell:**1. Connect to SharePoint Online using `Connect-SPOService`2. Run the following command:```Get-SPOTenant | ft EnableAzureADB2BIntegration```3. Ensure the returned value is `True`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/sharepoint/sharepoint-azureb2b-integration#enabling-the-integration:https://learn.microsoft.com/en-us/entra/external-id/what-is-b2b:https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps",
"DefaultValue": "False"
}
]
},
{
"Id": "7.2.3",
"Description": "The external sharing settings govern sharing for the organization overall. Each site has its own sharing setting that can be set independently, though it must be at the same or more restrictive setting as the organization. The new and existing guests option requires people who have received invitations to sign in with their work or school account (if their organization uses Microsoft 365) or a Microsoft account, or to provide a code to verify their identity. Users can share with guests already in your organization's directory, and they can send invitations to people who will be added to the directory if they sign in.The recommended state is `New and existing guests` or less permissive.",
"Checks": [
"sharepoint_external_sharing_restricted"
],
"Attributes": [
{
"Section": "7 SharePoint admin center",
"SubSection": "7.2 Policies",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "The external sharing settings govern sharing for the organization overall. Each site has its own sharing setting that can be set independently, though it must be at the same or more restrictive setting as the organization. The new and existing guests option requires people who have received invitations to sign in with their work or school account (if their organization uses Microsoft 365) or a Microsoft account, or to provide a code to verify their identity. Users can share with guests already in your organization's directory, and they can send invitations to people who will be added to the directory if they sign in.The recommended state is `New and existing guests` or less permissive.",
"RationaleStatement": "Forcing guest authentication on the organization's tenant enables the implementation of controls and oversight over external file sharing. When a guest is registered with the organization, they now have an identity which can be accounted for. This identity can also have other restrictions applied to it through group membership and conditional access rules.",
"ImpactStatement": "When using B2B integration, Entra ID external collaboration settings, such as guest invite settings and collaboration restrictions apply.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Click to expand `Policies` > `Sharing`.3. Locate the `External sharing section`.4. Under SharePoint, move the slider bar to `New and existing guests` or a less permissive level. - OneDrive will also be moved to the same level and can never be more permissive than SharePoint.**To remediate using PowerShell:**1. Connect to SharePoint Online service using `Connect-SPOService`.2. Run the following cmdlet to establish the minimum recommended state:```Set-SPOTenant -SharingCapability ExternalUserSharingOnly```**Note:** Other acceptable values for this parameter that are more restrictive include: `Disabled` and `ExistingExternalUserSharingOnly`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Click to expand `Policies` > `Sharing`.3. Locate the `External sharing section`.4. Under SharePoint, ensure the slider bar is set to `New and existing guests` or a less permissive level.**To audit using PowerShell:**1. Connect to SharePoint Online service using `Connect-SPOService`.2. Run the following cmdlet:```Get-SPOTenant | fl SharingCapability```3. Ensure `SharingCapability` is set to one of the following values: - Value1: `ExternalUserSharingOnly` - Value2: `ExistingExternalUserSharingOnly` - Value3: `Disabled`",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off:https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps",
"DefaultValue": "Anyone (ExternalUserAndGuestSharing)"
}
]
},
{
"Id": "7.2.4",
"Description": "This setting governs the global permissiveness of OneDrive content sharing in the organization. OneDrive content sharing can be restricted independent of SharePoint but can never be more permissive than the level established with SharePoint.The recommended state is `Only people in your organization`.",
"Checks": [],
"Attributes": [
{
"Section": "7 SharePoint admin center",
"SubSection": "7.2 Policies",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "This setting governs the global permissiveness of OneDrive content sharing in the organization. OneDrive content sharing can be restricted independent of SharePoint but can never be more permissive than the level established with SharePoint.The recommended state is `Only people in your organization`.",
"RationaleStatement": "OneDrive, designed for end-user cloud storage, inherently provides less oversight and control compared to SharePoint, which often involves additional content overseers or site administrators. This autonomy can lead to potential risks such as inadvertent sharing of privileged information by end users. Restricting external OneDrive sharing will require users to transfer content to SharePoint folders first which have those tighter controls.",
"ImpactStatement": "Users will be required to take additional steps to share OneDrive content or use other official channels.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Click to expand `Policies` > `Sharing`.3. Locate the `External sharing section`.4. Under OneDrive, set the slider bar to `Only people in your organization`.**To remediate using PowerShell:**1. Connect to SharePoint Online service using `Connect-SPOService`.2. Run the following cmdlet:```Set-SPOTenant -OneDriveSharingCapability Disabled```**Alternative remediation method using PowerShell:**1. Connect to SharePoint Online.2. Run one of the following:```# Replace [tenant] with your tenant idSet-SPOSite -Identity https://[tenant]-my.sharepoint.com/ -SharingCapability Disabled# Or run this to filter to the specific site without supplying the tenant name.$OneDriveSite = Get-SPOSite -Filter { Url -like \"*-my.sharepoint.com/\" }Set-SPOSite -Identity $OneDriveSite -SharingCapability Disabled```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Click to expand `Policies` > `Sharing`.3. Locate the `External sharing section`.4. Under OneDrive, ensure the slider bar is set to `Only people in your organization`.**To audit using PowerShell:**1. Connect to SharePoint Online service using `Connect-SPOService`.2. Run the following cmdlet:```Get-SPOTenant | fl OneDriveSharingCapability```3. Ensure the returned value is `Disabled`.**Alternative audit method using PowerShell:**1. Connect to SharePoint Online.2. Use one of the following methods:```# Replace [tenant] with your tenant idGet-SPOSite -Identity https://[tenant]-my.sharepoint.com/ | fl Url,SharingCapability# Or run this to filter to the specific site without supplying the tenant name.$OneDriveSite = Get-SPOSite -Filter { Url -like \"*-my.sharepoint.com/\" }Get-SPOSite -Identity $OneDriveSite | fl Url,SharingCapability```2. Ensure the returned value for `SharingCapability` is `Disabled`**Note:** As of March 2024, using `Get-SPOSite` with Where-Object or filtering against the entire site and then returning the `SharingCapability` parameter can result in a different value as opposed to running the cmdlet specifically against the OneDrive specific site using the -Identity switch as shown in the example.**Note 2:** The parameter `OneDriveSharingCapability` may not be yet fully available in all tenants. It is demonstrated in official Microsoft documentation as linked in the references section but not in the Set-SPOTenant cmdlet itself. If the parameter is unavailable, then either use the UI method or alternative PowerShell audit method.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps#-onedrivesharingcapability",
"DefaultValue": "Anyone (ExternalUserAndGuestSharing)"
}
]
},
{
"Id": "7.2.5",
"Description": "SharePoint gives users the ability to share files, folders, and site collections. Internal users can share with external collaborators, and with the right permissions could share to other external parties.",
"Checks": [
"sharepoint_guest_sharing_restricted"
],
"Attributes": [
{
"Section": "7 SharePoint admin center",
"SubSection": "7.2 Policies",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "SharePoint gives users the ability to share files, folders, and site collections. Internal users can share with external collaborators, and with the right permissions could share to other external parties.",
"RationaleStatement": "Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information.",
"ImpactStatement": "The impact associated with this change is highly dependent upon current practices. If users do not regularly share with external parties, then minimal impact is likely. However, if users do regularly share with guests/externally, minimum impacts could occur as those external users will be unable to 're-share' content.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Click to expand `Policies` then select `Sharing`.3. Expand `More external sharing settings`, uncheck `Allow guests to share items they don't own`.4. Click `Save`.**To remediate using PowerShell:**1. Connect to SharePoint Online service using `Connect-SPOService`.2. Run the following SharePoint Online PowerShell command:```Set-SPOTenant -PreventExternalUsersFromResharing $True```",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Click to expand `Policies` then select `Sharing`.3. Expand `More external sharing settings`, verify that `Allow guests to share items they don't own` is unchecked.**To audit using PowerShell:**1. Connect to SharePoint Online service using `Connect-SPOService`.2. Run the following SharePoint Online PowerShell command:```Get-SPOTenant | ft PreventExternalUsersFromResharing```3. Ensure the returned value is `True`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off:https://learn.microsoft.com/en-us/sharepoint/external-sharing-overview",
"DefaultValue": "Checked (False)"
}
]
},
{
"Id": "7.2.6",
"Description": "Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains.",
"Checks": [
"sharepoint_external_sharing_managed"
],
"Attributes": [
{
"Section": "7 SharePoint admin center",
"SubSection": "7.2 Policies",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains.",
"RationaleStatement": "Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that users can share documents with will reduce that surface area.",
"ImpactStatement": "Enabling this feature will prevent users from sharing documents with domains outside of the organization unless allowed.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint.2. Expand `Policies` then click `Sharing`.3. Expand `More external sharing settings` and check `Limit external sharing by domain`.4. Select `Add domains` to add a list of approved domains.5. Click `Save` at the bottom of the page.**To remediate using PowerShell:**1. Connect to SharePoint Online using `Connect-SPOService`.2. Run the following PowerShell command:```Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList \"domain1.com domain2.com\"```",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Expand `Policies` then click `Sharing`.3. Expand `More external sharing settings` and confirm that `Limit external sharing by domain` is checked.4. Verify that an accurate list of allowed domains is listed.**To audit using PowerShell:**1. Connect to SharePoint Online using `Connect-SPOService`.2. Run the following PowerShell command:```Get-SPOTenant | fl SharingDomainRestrictionMode,SharingAllowedDomainList```3. Ensure that `SharingDomainRestrictionMode` is set to `AllowList` and `SharingAllowedDomainList` contains domains trusted by the organization for external sharing.",
"AdditionalInformation": "",
"References": "",
"DefaultValue": "Limit external sharing by domain is uncheckedSharingDomainRestrictionMode: `None`SharingDomainRestrictionMode: <Undefined>"
}
]
},
{
"Id": "7.2.7",
"Description": "This setting sets the default link type that a user will see when sharing content in OneDrive or SharePoint. It does not restrict or exclude any other options.The recommended state is `Specific people (only the people the user specifies)`",
"Checks": [],
"Attributes": [
{
"Section": "7 SharePoint admin center",
"SubSection": "7.2 Policies",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "This setting sets the default link type that a user will see when sharing content in OneDrive or SharePoint. It does not restrict or exclude any other options.The recommended state is `Specific people (only the people the user specifies)`",
"RationaleStatement": "By defaulting to specific people, the user will first need to consider whether or not the content being shared should be accessible by the entire organization versus select individuals. This aids in reinforcing the concept of least privilege.",
"ImpactStatement": "",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Click to expand `Policies` > `Sharing`.3. Scroll to `File and folder links`.4. Set `Choose the type of link that's selected by default when users share files and folders in SharePoint and OneDrive` to `Specific people (only the people the user specifies)`**To remediate using PowerShell:**1. Connect to SharePoint Online using `Connect-SPOService`.2. Run the following PowerShell command:```Set-SPOTenant -DefaultSharingLinkType Direct```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Click to expand `Policies` > `Sharing`.3. Scroll to `File and folder links`.4. Ensure that the setting `Choose the type of link that's selected by default when users share files and folders in SharePoint and OneDrive` is set to `Specific people (only the people the user specifies)`**To audit using PowerShell:**1. Connect to SharePoint Online using `Connect-SPOService`.2. Run the following PowerShell command:```Get-SPOTenant | fl DefaultSharingLinkType```3. Ensure the returned value is `Direct`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps",
"DefaultValue": "Only people in your organization (Internal)"
}
]
},
{
"Id": "7.2.8",
"Description": "External sharing of content can be restricted to specific security groups. This setting is global, applies to sharing in both SharePoint and OneDrive and cannot be set at the site level in SharePoint.The recommended state is `Enabled` or `Checked`.**Note:** Users in these security groups must be allowed to invite guests in the guest invite settings in Microsoft Entra. Identity > External Identities > External collaboration settings",
"Checks": [],
"Attributes": [
{
"Section": "7 SharePoint admin center",
"SubSection": "7.2 Policies",
"Profile": "E3 Level 2",
"AssessmentStatus": "Manual",
"Description": "External sharing of content can be restricted to specific security groups. This setting is global, applies to sharing in both SharePoint and OneDrive and cannot be set at the site level in SharePoint.The recommended state is `Enabled` or `Checked`.**Note:** Users in these security groups must be allowed to invite guests in the guest invite settings in Microsoft Entra. Identity > External Identities > External collaboration settings",
"RationaleStatement": "Organizations wishing to create tighter security controls for external sharing can set this to enforce role-based access control by using security groups already defined in Microsoft Entra.",
"ImpactStatement": "OneDrive will also be governed by this and there is no granular control at the SharePoint site level.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Click to expand `Policies` > `Sharing`.3. Scroll to and expand `More external sharing settings`.4. Set the following: - Check `Allow only users in specific security groups to share externally` - Define `Manage security groups` in accordance with company procedure.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Click to expand `Policies` > `Sharing`.3. Scroll to and expand `More external sharing settings`.4. Ensure the following: - Verify `Allow only users in specific security groups to share externally` is checked - Verify `Manage security groups` is defined and accordance with company procedure.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/sharepoint/manage-security-groups",
"DefaultValue": "Unchecked/Undefined"
}
]
},
{
"Id": "7.2.9",
"Description": "This policy setting configures the expiration time for each guest that is invited to the SharePoint site or with whom users share individual files and folders with.The recommended state is `30` or less.",
"Checks": [],
"Attributes": [
{
"Section": "7 SharePoint admin center",
"SubSection": "7.2 Policies",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "This policy setting configures the expiration time for each guest that is invited to the SharePoint site or with whom users share individual files and folders with.The recommended state is `30` or less.",
"RationaleStatement": "This setting ensures that guests who no longer need access to the site or link no longer have access after a set period of time. Allowing guest access for an indefinite amount of time could lead to loss of data confidentiality and oversight. **Note:** Guest membership applies at the Microsoft 365 group level. Guests who have permission to view a SharePoint site or use a sharing link may also have access to a Microsoft Teams team or security group.",
"ImpactStatement": "Site collection administrators will have to renew access to guests who still need access after 30 days. They will receive an e-mail notification once per week about guest access that is about to expire. **Note:** The guest expiration policy only applies to guests who use sharing links or guests who have direct permissions to a SharePoint site after the guest policy is enabled. The guest policy does not apply to guest users that have pre-existing permissions or access through a sharing link before the guest expiration policy is applied.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Click to expand `Policies` > `Sharing`.3. Scroll to and expand `More external sharing settings`.4. Set `Guest access to a site or OneDrive will expire automatically after this many days` to `30`**To remediate using PowerShell:**1. Connect to SharePoint Online service using `Connect-SPOService`.2. Run the following cmdlet:```Set-SPOTenant -ExternalUserExpireInDays 30 -ExternalUserExpirationRequired $True```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Click to expand `Policies` > `Sharing`.3. Scroll to and expand `More external sharing settings`.4. Ensure `Guest access to a site or OneDrive will expire automatically after this many days` is checked and set to `30` or less.**To audit using PowerShell:**1. Connect to SharePoint Online service using `Connect-SPOService`.2. Run the following cmdlet:```Get-SPOTenant | fl ExternalUserExpirationRequired,ExternalUserExpireInDays```3. Ensure the following values are returned: - ExternalUserExpirationRequired is `True`. - ExternalUserExpireInDays is `30` or less.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting:https://learn.microsoft.com/en-us/microsoft-365/community/sharepoint-security-a-team-effort",
"DefaultValue": "ExternalUserExpirationRequired `$false`ExternalUserExpireInDays `60` days"
}
]
},
{
"Id": "7.2.10",
"Description": "This setting configures if guests who use a verification code to access the site or links are required to reauthenticate after a set number of days.The recommended state is `15` or less.",
"Checks": [],
"Attributes": [
{
"Section": "7 SharePoint admin center",
"SubSection": "7.2 Policies",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "This setting configures if guests who use a verification code to access the site or links are required to reauthenticate after a set number of days.The recommended state is `15` or less.",
"RationaleStatement": "By increasing the frequency of times guests need to reauthenticate this ensures guest user access to data is not prolonged beyond an acceptable amount of time.",
"ImpactStatement": "Guests who use Microsoft 365 in their organization can sign in using their work or school account to access the site or document. After the one-time passcode for verification has been entered for the first time, guests will authenticate with their work or school account and have a guest account created in the host's organization.**Note:** If OneDrive and SharePoint integration with Entra ID B2B is enabled as per the CIS Benchmark the one-time-passcode experience will be replaced. Please visit [Secure external sharing in SharePoint - SharePoint in Microsoft 365 | Microsoft Learn](https://learn.microsoft.com/en-US/sharepoint/what-s-new-in-sharing-in-targeted-release?WT.mc_id=365AdminCSH_spo) for more information.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Click to expand `Policies` > `Sharing`.3. Scroll to and expand `More external sharing settings`.4. Set `People who use a verification code must reauthenticate after this many days` to `15` or less.**To remediate using PowerShell:**1. Connect to SharePoint Online service using `Connect-SPOService`.2. Run the following cmdlet:```Set-SPOTenant -EmailAttestationRequired $true -EmailAttestationReAuthDays 15```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Click to expand `Policies` > `Sharing`.3. Scroll to and expand `More external sharing settings`.4. Ensure `People who use a verification code must reauthenticate after this many days` is set to `15` or less.**To audit using PowerShell:**1. Connect to SharePoint Online service using `Connect-SPOService`.2. Run the following cmdlet:```Get-SPOTenant | fl EmailAttestationRequired,EmailAttestationReAuthDays```3. Ensure the following values are returned: - EmailAttestationRequired `True` - EmailAttestationReAuthDays `15` or less days.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/sharepoint/what-s-new-in-sharing-in-targeted-release:https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting:https://learn.microsoft.com/en-us/entra/external-id/one-time-passcode",
"DefaultValue": "EmailAttestationRequired : `False`EmailAttestationReAuthDays : `30`"
}
]
},
{
"Id": "7.2.11",
"Description": "This setting configures the permission that is selected by default for sharing link from a SharePoint site.The recommended state is `View`.",
"Checks": [],
"Attributes": [
{
"Section": "7 SharePoint admin center",
"SubSection": "7.2 Policies",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "This setting configures the permission that is selected by default for sharing link from a SharePoint site.The recommended state is `View`.",
"RationaleStatement": "Setting the view permission as the default ensures that users must deliberately select the edit permission when sharing a link. This approach reduces the risk of unintentionally granting edit privileges to a resource that only requires read access, supporting the principle of least privilege.",
"ImpactStatement": "Not applicable.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Click to expand `Policies` > `Sharing`.3. Scroll to **File and folder links**.4. Set `Choose the permission that's selected by default for sharing links` to `View`.**To remediate using PowerShell:**1. Connect to SharePoint Online service using `Connect-SPOService`.2. Run the following cmdlet:```Set-SPOTenant -DefaultLinkPermission View```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Click to expand `Policies` > `Sharing`.3. Scroll to **File and folder links**.4. Ensure `Choose the permission that's selected by default for sharing links` is set to `View`.**To audit using PowerShell:**1. Connect to SharePoint Online service using `Connect-SPOService`.2. Run the following cmdlet:```Get-SPOTenant | fl DefaultLinkPermission```3. Ensure the returned value is `View`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#file-and-folder-links",
"DefaultValue": "DefaultLinkPermission : Edit"
}
]
},
{
"Id": "7.3.1",
"Description": "By default, SharePoint online allows files that Defender for Office 365 has detected as infected to be downloaded.",
"Checks": [],
"Attributes": [
{
"Section": "7 SharePoint admin center",
"SubSection": "7.3 Settings",
"Profile": "E5 Level 2",
"AssessmentStatus": "Automated",
"Description": "By default, SharePoint online allows files that Defender for Office 365 has detected as infected to be downloaded.",
"RationaleStatement": "Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team.",
"ImpactStatement": "The only potential impact associated with implementation of this setting is potential inconvenience associated with the small percentage of false positive detections that may occur.",
"RemediationProcedure": "**To remediate using PowerShell:**1. Connect to SharePoint Online using `Connect-SPOService -Url https://tenant-admin.sharepoint.com`, replacing \"tenant\" with the appropriate value.2. Run the following PowerShell command to set the recommended value:```Set-SPOTenant DisallowInfectedFileDownload $true```**Note:** The Global Reader role cannot access SharePoint using PowerShell according to Microsoft. See the reference section for more information.",
"AuditProcedure": "**To audit using PowerShell:**1. Connect to SharePoint Online using `Connect-SPOService -Url https://tenant-admin.sharepoint.com`, replacing \"tenant\" with the appropriate value.2. Run the following PowerShell command:```Get-SPOTenant | Select-Object DisallowInfectedFileDownload```3. Ensure the value for `DisallowInfectedFileDownload` is set to `True`.**Note:** According to Microsoft, SharePoint cannot be accessed through PowerShell by users with the Global Reader role. For further information, please refer to the reference section.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide:https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-for-spo-odfb-teams-about?view=o365-worldwide:https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#global-reader",
"DefaultValue": "False"
}
]
},
{
"Id": "7.3.2",
"Description": "Microsoft OneDrive allows users to sign in their cloud tenant account and begin syncing select folders or the entire contents of OneDrive to a local computer. By default, this includes any computer with OneDrive already installed, whether it is Entra Joined , Entra Hybrid Joined or Active Directory Domain joined.The recommended state for this setting is `Allow syncing only on computers joined to specific domains` `Enabled: Specify the AD domain GUID(s)`",
"Checks": [
"sharepoint_onedrive_sync_restricted_unmanaged_devices"
],
"Attributes": [
{
"Section": "7 SharePoint admin center",
"SubSection": "7.3 Settings",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "Microsoft OneDrive allows users to sign in their cloud tenant account and begin syncing select folders or the entire contents of OneDrive to a local computer. By default, this includes any computer with OneDrive already installed, whether it is Entra Joined , Entra Hybrid Joined or Active Directory Domain joined.The recommended state for this setting is `Allow syncing only on computers joined to specific domains` `Enabled: Specify the AD domain GUID(s)`",
"RationaleStatement": "Unmanaged devices pose a risk, since their security cannot be verified through existing security policies, brokers or endpoint protection. Allowing users to sync data to these devices takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked.**Note:** This setting is only applicable to **Active Directory domains** when operating in a hybrid configuration. It does not apply to Entra domains. If there are devices which are only Entra ID joined, consider using a Conditional Access Policy instead.",
"ImpactStatement": "Enabling this feature will prevent users from using the OneDrive for Business Sync client on devices that are not joined to the domains that were defined.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Click `Settings` then select `OneDrive - Sync`.3. Check the `Allow syncing only on computers joined to specific domains`.4. Use the `Get-ADDomain` PowerShell command on the on-premises server to obtain the GUID for each on-premises domain.5. Click `Save`.**To remediate using PowerShell:**1. Connect to SharePoint Online using `Connect-SPOService`2. Run the following PowerShell command and provide the DomainGuids from the Get-AADomain command:```Set-SPOTenantSyncClientRestriction -Enable -DomainGuids \"786548DD-877B-4760-A749-6B1EFBC1190A; 877564FF-877B-4760-A749-6B1EFBC1190A\"```**Note:** Utilize the `-BlockMacSync:$true` parameter if you are not using conditional access to ensure Macs cannot sync.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Click `Settings` followed by `OneDrive - Sync`3. Verify that `Allow syncing only on computers joined to specific domains` is checked.4. Verify that the Active Directory domain GUIDS are listed in the box. - Use the `Get-ADDomain` PowerShell command on the on-premises server to obtain the GUID for each on-premises domain.**To audit using PowerShell:**1. Connect to SharePoint Online using `Connect-SPOService -Url https://tenant-admin.sharepoint.com`, replacing \"tenant\" with the appropriate value.2. Run the following PowerShell command:```Get-SPOTenantSyncClientRestriction | fl TenantRestrictionEnabled,AllowedDomainList```3. Ensure `TenantRestrictionEnabled` is set to `True` and `AllowedDomainList` contains the trusted domains GUIDs from the on premises environment.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/sharepoint/allow-syncing-only-on-specific-domains:https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenantsyncclientrestriction?view=sharepoint-ps",
"DefaultValue": "By default there are no restrictions applied to the syncing of OneDrive.TenantRestrictionEnabled : `False`AllowedDomainList : `{}`"
}
]
},
{
"Id": "7.3.3",
"Description": "This setting controls custom script execution on self-service created sites.Custom scripts can allow users to change the look, feel and behavior of sites and pages. Every script that runs in a SharePoint page (whether it's an HTML page in a document library or a JavaScript in a Script Editor Web Part) always runs in the context of the user visiting the page and the SharePoint application. This means:- Scripts have access to everything the user has access to.- Scripts can access content across several Microsoft 365 services and even beyond with Microsoft Graph integration.The recommended state is `Prevent users from running custom script on self-service created sites`.",
"Checks": [],
"Attributes": [
{
"Section": "7 SharePoint admin center",
"SubSection": "7.3 Settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "This setting controls custom script execution on self-service created sites.Custom scripts can allow users to change the look, feel and behavior of sites and pages. Every script that runs in a SharePoint page (whether it's an HTML page in a document library or a JavaScript in a Script Editor Web Part) always runs in the context of the user visiting the page and the SharePoint application. This means:- Scripts have access to everything the user has access to.- Scripts can access content across several Microsoft 365 services and even beyond with Microsoft Graph integration.The recommended state is `Prevent users from running custom script on self-service created sites`.",
"RationaleStatement": "Custom scripts could contain malicious instructions unknown to the user or administrator. When users are allowed to run custom script, the organization can no longer enforce governance, scope the capabilities of inserted code, block specific parts of code, or block all custom code that has been deployed. If scripting is allowed the following things can't be audited:- What code has been inserted- Where the code has been inserted- Who inserted the code**Note:** Microsoft recommends using the [SharePoint Framework](https://learn.microsoft.com/en-us/sharepoint/dev/spfx/sharepoint-framework-overview) instead of custom scripts.",
"ImpactStatement": "None - this is the default behavior.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Select `Settings`.3. At the bottom of the page click the `classic settings page` hyperlink.4. Scroll to locate the **Custom Script** section. On the right set the following: - Select `Prevent users from running custom script on self-service created sites`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `SharePoint admin center` https://admin.microsoft.com/sharepoint2. Select `Settings`.3. At the bottom of the page click the `classic settings page` hyperlink.4. Scroll to locate the **Custom Script** section. On the right ensure the following: - Verify `Prevent users from running custom script on self-service created sites` is set.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/sharepoint/allow-or-prevent-custom-script:https://learn.microsoft.com/en-us/sharepoint/security-considerations-of-allowing-custom-script:https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-sposite?view=sharepoint-ps",
"DefaultValue": "Selected `Prevent users from running custom script on self-service created sites`"
}
]
},
{
"Id": "7.3.4",
"Description": "This setting controls custom script execution on a particular site (previously called \"site collection\").Custom scripts can allow users to change the look, feel and behavior of sites and pages. Every script that runs in a SharePoint page (whether it's an HTML page in a document library or a JavaScript in a Script Editor Web Part) always runs in the context of the user visiting the page and the SharePoint application. This means:- Scripts have access to everything the user has access to.- Scripts can access content across several Microsoft 365 services and even beyond with Microsoft Graph integration.The recommended state is `DenyAddAndCustomizePages` set to `$true`.",
"Checks": [],
"Attributes": [
{
"Section": "7 SharePoint admin center",
"SubSection": "7.3 Settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "This setting controls custom script execution on a particular site (previously called \"site collection\").Custom scripts can allow users to change the look, feel and behavior of sites and pages. Every script that runs in a SharePoint page (whether it's an HTML page in a document library or a JavaScript in a Script Editor Web Part) always runs in the context of the user visiting the page and the SharePoint application. This means:- Scripts have access to everything the user has access to.- Scripts can access content across several Microsoft 365 services and even beyond with Microsoft Graph integration.The recommended state is `DenyAddAndCustomizePages` set to `$true`.",
"RationaleStatement": "Custom scripts could contain malicious instructions unknown to the user or administrator. When users are allowed to run custom script, the organization can no longer enforce governance, scope the capabilities of inserted code, block specific parts of code, or block all custom code that has been deployed. If scripting is allowed the following things can't be audited:- What code has been inserted- Where the code has been inserted- Who inserted the code**Note:** Microsoft recommends using the [SharePoint Framework](https://learn.microsoft.com/en-us/sharepoint/dev/spfx/sharepoint-framework-overview) instead of custom scripts.",
"ImpactStatement": "None - this is the default behavior.",
"RemediationProcedure": "**To remediate using PowerShell:**1. Connect to SharePoint Online using `Connect-SPOService`.2. Edit the below and run for each site as needed:```Set-SPOSite -Identity <SiteUrl> -DenyAddAndCustomizePages $true```**Note:** The property `DenyAddAndCustomizePages` cannot be set on the MySite host, which is displayed with a URL like https://`tenant id`-my.sharepoint.com/",
"AuditProcedure": "**To audit using PowerShell:**1. Connect to SharePoint Online using `Connect-SPOService`.2. Run the following PowerShell command to show non-compliant results:```Get-SPOSite | Where-Object { $_.DenyAddAndCustomizePages -eq \"Disabled\" ` -and $_.Url -notlike \"*-my.sharepoint.com/\" } | ft Title, Url, DenyAddAndCustomizePages```3. Ensure the returned value is for `DenyAddAndCustomizePages` is `Enabled` for each site.**Note:** The property `DenyAddAndCustomizePages` cannot be set on the MySite host, which is displayed with a URL like https://`tenant id`-my.sharepoint.com/",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/sharepoint/allow-or-prevent-custom-script:https://learn.microsoft.com/en-us/sharepoint/security-considerations-of-allowing-custom-script:https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-sposite?view=sharepoint-ps",
"DefaultValue": "DenyAddAndCustomizePages `$true` or `Enabled`"
}
]
},
{
"Id": "8.1.1",
"Description": "Microsoft Teams enables collaboration via file sharing. This file sharing is conducted within Teams, using SharePoint Online, by default; however, third-party cloud services are allowed as well.**Note:** Skype for business is deprecated as of July 31, 2021 although these settings may still be valid for a period of time. See the link in the references section for more information.",
"Checks": [
"teams_external_file_sharing_restricted"
],
"Attributes": [
{
"Section": "8 Microsoft Teams admin center",
"SubSection": "8.1 Teams",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "Microsoft Teams enables collaboration via file sharing. This file sharing is conducted within Teams, using SharePoint Online, by default; however, third-party cloud services are allowed as well.**Note:** Skype for business is deprecated as of July 31, 2021 although these settings may still be valid for a period of time. See the link in the references section for more information.",
"RationaleStatement": "Ensuring that only authorized cloud storage providers are accessible from Teams will help to dissuade the use of non-approved storage providers.",
"ImpactStatement": "The impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Teams` select `Teams settings`.3. Set any unauthorized providers to `Off`.**To remediate using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`2. Run the following PowerShell command to disable external providers that are not authorized. (the example disables Citrix Files, DropBox, Box, Google Drive and Egnyte)```$storageParams = @{ AllowGoogleDrive = $false AllowShareFile = $false AllowBox = $false AllowDropBox = $false AllowEgnyte = $false}Set-CsTeamsClientConfiguration @storageParams```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Teams` select `Teams settings`.3. Under files verify that only authorized cloud storage options are set to `On` and all others `Off`.**To audit using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`2. Run the following to verify the recommended state:```Get-CsTeamsClientConfiguration | fl AllowDropbox,AllowBox,AllowGoogleDrive,AllowShareFile,AllowEgnyte```3. Verify that only authorized providers are set to `True` and all others `False.`",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoft-365/enterprise/manage-skype-for-business-online-with-microsoft-365-powershell?view=o365-worldwide",
"DefaultValue": "AllowDropBox : `True`AllowBox : `True`AllowGoogleDrive : `True`AllowShareFile : `True`AllowEgnyte : `True`"
}
]
},
{
"Id": "8.1.2",
"Description": "Teams channel email addresses are an optional feature that allows users to email the Teams channel directly.",
"Checks": [
"teams_email_sending_to_channel_disabled"
],
"Attributes": [
{
"Section": "8 Microsoft Teams admin center",
"SubSection": "8.1 Teams",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "Teams channel email addresses are an optional feature that allows users to email the Teams channel directly.",
"RationaleStatement": "Channel email addresses are not under the tenants domain and organizations do not have control over the security settings for this email address. An attacker could email channels directly if they discover the channel email address.",
"ImpactStatement": "Users will not be able to email the channel directly.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Teams` select `Teams settings`.3. Under email integration set `Users can send emails to a channel email address` to `Off`.**To remediate using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to set the recommended state:```Set-CsTeamsClientConfiguration -Identity Global -AllowEmailIntoChannel $false```",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Teams` select `Teams settings`.3. Under email integration verify that `Users can send emails to a channel email address` is `Off`.**To audit using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to verify the recommended state:```Get-CsTeamsClientConfiguration -Identity Global | fl AllowEmailIntoChannel```3. Ensure the returned value is `False`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/step-by-step-guides/reducing-attack-surface-in-microsoft-teams?view=o365-worldwide#restricting-channel-email-messages-to-approved-domains:https://learn.microsoft.com/en-us/powershell/module/skype/set-csteamsclientconfiguration?view=skype-ps:https://support.microsoft.com/en-us/office/send-an-email-to-a-channel-in-microsoft-teams-d91db004-d9d7-4a47-82e6-fb1b16dfd51e",
"DefaultValue": "On (True)"
}
]
},
{
"Id": "8.2.1",
"Description": "This policy controls whether external domains are allowed, blocked or permitted based on an allowlist or denylist. When external domains are allowed, users in your organization can chat, add users to meetings, and use audio video conferencing with users in external organizations.The recommended state is `Allow only specific external domains` or `Block all external domains`.",
"Checks": [
"teams_external_domains_restricted"
],
"Attributes": [
{
"Section": "8 Microsoft Teams admin center",
"SubSection": "8.2 Users",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "This policy controls whether external domains are allowed, blocked or permitted based on an allowlist or denylist. When external domains are allowed, users in your organization can chat, add users to meetings, and use audio video conferencing with users in external organizations.The recommended state is `Allow only specific external domains` or `Block all external domains`.",
"RationaleStatement": "Allowlisting external domains that an organization is collaborating with allows for stringent controls over who an organization's users are allowed to make contact with.Some real-world attacks and exploits delivered via Teams over external access channels include:- DarkGate malware- Social engineering / Phishing attacks by \"Midnight Blizzard\"- GIFShell- Username enumeration",
"ImpactStatement": "The impact in terms of the type of collaboration users are allowed to participate in and the I.T. resources expended to manage an allowlist will increase. If a user attempts to join the inviting organization's meeting they will be prevented from joining unless they were created as a guest in EntraID or their domain was added to the allowed external domains list.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com/.2. Click to expand `Users` select `External access`.3. Under **Teams and Skype for Business users in external organizations** set `Choose which external domains your users have access to` to one of the following: - `Allow only specific external domains` - `Block all external domains` 4. Click `Save`.**To remediate using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`2. Run one of the following commands:- To allow only specific external domains run these commands replacing the example domains with approved domains:```$list = New-Object Collections.Generic.List[String]$list.add(\"contoso.com\")$list.add(\"fabrikam.com\")Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList $list```- To block all external domains:```Set-CsTenantFederationConfiguration -AllowFederatedUsers $false```",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com/.2. Click to expand `Users` select `External access`.3. Under **Teams and Skype for Business users in external organization** ensure `Choose which external domains your users have access to` is set to one of the following: - `Allow only specific external domains` - `Block all external domains` **To audit using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`2. Run the following command:```Get-CsTenantFederationConfiguration | fl AllowFederatedUsers,AllowedDomains```Ensure the following conditions:- State: `AllowFederatedUsers` is set to `False` **OR**, - If: `AllowFederatedUsers` is `True` then ensure `AllowedDomains` contains authorized domain names and is _not_ set to `AllowAllKnownDomains`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoftteams/trusted-organizations-external-meetings-chat?tabs=organization-settings:https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response:https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/:https://www.bitdefender.com/blog/hotforsecurity/gifshell-attack-lets-hackers-create-reverse-shell-through-microsoft-teams-gifs/",
"DefaultValue": "'- AllowFederatedUsers : `True`- AllowedDomains : `AllowAllKnownDomains`"
}
]
},
{
"Id": "8.2.2",
"Description": "This policy setting controls chats and meetings with external unmanaged Teams users (those not managed by an organization, such as Microsoft Teams (free)). The recommended state is: `People in my organization can communicate with Teams users whose accounts aren't managed by an organization` set to `Off`.",
"Checks": [
"teams_unmanaged_communication_disabled"
],
"Attributes": [
{
"Section": "8 Microsoft Teams admin center",
"SubSection": "8.2 Users",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "This policy setting controls chats and meetings with external unmanaged Teams users (those not managed by an organization, such as Microsoft Teams (free)). The recommended state is: `People in my organization can communicate with Teams users whose accounts aren't managed by an organization` set to `Off`.",
"RationaleStatement": "Allowing users to communicate with unmanaged Teams users presents a potential security threat as little effort is required by threat actors to gain access to a trial or free Microsoft Teams account.Some real-world attacks and exploits delivered via Teams over external access channels include:- DarkGate malware- Social engineering / Phishing attacks by \"Midnight Blizzard\"- GIFShell- Username enumeration",
"ImpactStatement": "Users will be unable to communicate with Teams users who are not managed by an organization.**Note:** The settings that govern chats and meetings with external unmanaged Teams users aren't available in GCC, GCC High, or DOD deployments, or in private cloud environments.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com/.2. Click to expand `Users` select `External access`.3. Scroll to **Teams accounts not managed by an organization** 4. Set `People in my organization can communicate with Teams users whose accounts aren't managed by an organization` to `Off`.5. Click `Save`.**To remediate using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`2. Run the following command:```Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false```",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com/.2. Click to expand `Users` select `External access`.3. Scroll to **Teams accounts not managed by an organization** 4. Ensure `People in my organization can communicate with Teams users whose accounts aren't managed by an organization` is set to `Off`.**To audit using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`2. Run the following command:```Get-CsTenantFederationConfiguration | fl AllowTeamsConsumer```Ensure `AllowTeamsConsumer` is `False`",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoftteams/trusted-organizations-external-meetings-chat?tabs=organization-settings:https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response:https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/:https://www.bitdefender.com/blog/hotforsecurity/gifshell-attack-lets-hackers-create-reverse-shell-through-microsoft-teams-gifs/",
"DefaultValue": "'- AllowTeamsConsumer : `True`"
}
]
},
{
"Id": "8.2.3",
"Description": "This setting prevents external users who are not managed by an organization from initiating contact with users in the protected organization.The recommended state is to uncheck `External users with Teams accounts not managed by an organization can contact users in my organization`.**Note:** Disabling this setting is used as an additional stop gap for the previous setting which disables communication with unmanaged Teams users entirely. If an organization chooses to have an exception to **(L1) Ensure communication with unmanaged Teams users is disabled** they can do so while also disabling the ability for the same group of users to initiate contact. Disabling communication entirely will also disable the ability for unmanaged users to initiate contact.",
"Checks": [
"teams_external_users_cannot_start_conversations"
],
"Attributes": [
{
"Section": "8 Microsoft Teams admin center",
"SubSection": "8.2 Users",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "This setting prevents external users who are not managed by an organization from initiating contact with users in the protected organization.The recommended state is to uncheck `External users with Teams accounts not managed by an organization can contact users in my organization`.**Note:** Disabling this setting is used as an additional stop gap for the previous setting which disables communication with unmanaged Teams users entirely. If an organization chooses to have an exception to **(L1) Ensure communication with unmanaged Teams users is disabled** they can do so while also disabling the ability for the same group of users to initiate contact. Disabling communication entirely will also disable the ability for unmanaged users to initiate contact.",
"RationaleStatement": "Allowing users to communicate with unmanaged Teams users presents a potential security threat as little effort is required by threat actors to gain access to a trial or free Microsoft Teams account.Some real-world attacks and exploits delivered via Teams over external access channels include:- DarkGate malware- Social engineering / Phishing attacks by \"Midnight Blizzard\"- GIFShell- Username enumeration",
"ImpactStatement": "The impact of disabling this is very low.**Note:** Chats and meetings with external unmanaged Teams users isn't available in GCC, GCC High, or DOD deployments, or in private cloud environments.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com/.2. Click to expand `Users` select `External access`.3. Scroll to **Teams accounts not managed by an organization** 4. Uncheck `External users with Teams accounts not managed by an organization can contact users in my organization`.5. Click `Save`.**Note:** If `People in my organization can communicate with Teams users whose accounts aren't managed by an organization` is already set to `Off` then this setting will not be visible and can be considered to be in a passing state.**To remediate using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`2. Run the following command:```Set-CsTenantFederationConfiguration -AllowTeamsConsumerInbound $false```",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com/.2. Click to expand `Users` select `External access`.3. Scroll to **Teams accounts not managed by an organization** 4. Ensure `External users with Teams accounts not managed by an organization can contact users in my organization` is set to `Unchecked`.**Note:** If `People in my organization can communicate with Teams users whose accounts aren't managed by an organization` is already set to `Off` then this setting will not be visible and can be considered to be in a passing state.**To audit using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`2. Run the following command:```Get-CsTenantFederationConfiguration | fl AllowTeamsConsumerInbound```Ensure `AllowTeamsConsumerInbound` is `False`**Note:** If the previous setting `AllowTeamsConsumer` is already false then this setting is ignored and can be considered to be in a passing state.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoftteams/trusted-organizations-external-meetings-chat?tabs=organization-settings:https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response:https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/:https://www.bitdefender.com/blog/hotforsecurity/gifshell-attack-lets-hackers-create-reverse-shell-through-microsoft-teams-gifs/",
"DefaultValue": "'- AllowTeamsConsumerInbound : `True`"
}
]
},
{
"Id": "8.2.4",
"Description": "This policy setting controls chat with external unmanaged Skype users.**Note:** Skype for business is deprecated as of July 31, 2021, although these settings may still be valid for a period of time. See the link in the reference section for more information.",
"Checks": [],
"Attributes": [
{
"Section": "8 Microsoft Teams admin center",
"SubSection": "8.2 Users",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "This policy setting controls chat with external unmanaged Skype users.**Note:** Skype for business is deprecated as of July 31, 2021, although these settings may still be valid for a period of time. See the link in the reference section for more information.",
"RationaleStatement": "Skype was deprecated July 31, 2021. Disabling communication with skype users reduces the attack surface of the organization. If a partner organization or satellite office wishes to collaborate and has not yet moved off of Skype, then a valid exception will need to be considered for this recommendation.",
"ImpactStatement": "Teams users will be unable to communicate with Skype users that are not in the same organization.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com/.2. Click to expand `Users` select `External access`.3. Locate **Skype users**4. Set `Allow users in my organization to communicate with Skype users` to `Off`.5. Click `Save`.**To remediate using PowerShell:**- Connect to Teams PowerShell using `Connect-MicrosoftTeams`- Run the following command:```Set-CsTenantFederationConfiguration -AllowPublicUsers $false```",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com/.2. Click to expand `Users` select `External access`.3. Locate **Skype users**4. Ensure `Allow users in my organization to communicate with Skype users` is `Off`.**To audit using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`2. Run the following command:```Get-CsTenantFederationConfiguration | fl AllowPublicUsers```Ensure `AllowPublicUsers` is `False`",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoftteams/trusted-organizations-external-meetings-chat:https://learn.microsoft.com/en-US/microsoftteams/manage-external-access?WT.mc_id=TeamsAdminCenterCSH",
"DefaultValue": "'- AllowPublicUsers : `True`"
}
]
},
{
"Id": "8.4.1",
"Description": "This policy setting controls which class of apps are available for users to install.",
"Checks": [],
"Attributes": [
{
"Section": "8 Microsoft Teams admin center",
"SubSection": "8.4 Teams apps",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "This policy setting controls which class of apps are available for users to install.",
"RationaleStatement": "Allowing users to install third-party or unverified apps poses a potential risk of introducing malicious software to the environment.",
"ImpactStatement": "Users will only be able to install approved classes of apps.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Teams apps` select `Manage apps`.3. In the upper right click `Actions` > `Org-wide app settings`.4. For `Microsoft apps` set `Let users install and use available apps by default` to `On` or less permissive.5. For `Third-party apps` set `Let users install and use available apps by default` to `Off`.6. For `Custom apps` set `Let users install and use available apps by default` to `Off`.7. For `Custom apps` set `Upload custom apps for personal use` to `Off`.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Teams apps` select `Manage apps`.3. In the upper right click `Actions` > `Org-wide app settings`.4. For `Microsoft apps` verify that `Let users install and use available apps by default` is `On` or less permissive.5. For `Third-party apps` verify `Let users install and use available apps by default` is `Off`.6. For `Custom apps` verify `Let users install and use available apps by default` is `Off`.7. For `Custom apps` verify `Upload custom apps for personal use` is `Off`.**Note:** The _Global Reader_ role is not able to view the `Teams apps` blade, _Teams Administrator_ or higher is required.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoftteams/app-centric-management:https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/reducing-attack-surface-in-microsoft-teams?view=o365-worldwide#disabling-third-party--custom-apps",
"DefaultValue": "Microsoft apps: OnThird-party apps: OnCustom apps: On"
}
]
},
{
"Id": "8.5.1",
"Description": "This policy setting can prevent anyone other than invited attendees (people directly invited by the organizer, or to whom an invitation was forwarded) from bypassing the lobby and entering the meeting.For more information on how to setup a sensitive meeting, please visit **Configure Teams meetings with protection for sensitive data - Microsoft Teams:** https://learn.microsoft.com/en-us/MicrosoftTeams/configure-meetings-sensitive-protection",
"Checks": [
"teams_meeting_anonymous_user_join_disabled"
],
"Attributes": [
{
"Section": "8 Microsoft Teams admin center",
"SubSection": "8.5 Meetings",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "This policy setting can prevent anyone other than invited attendees (people directly invited by the organizer, or to whom an invitation was forwarded) from bypassing the lobby and entering the meeting.For more information on how to setup a sensitive meeting, please visit **Configure Teams meetings with protection for sensitive data - Microsoft Teams:** https://learn.microsoft.com/en-us/MicrosoftTeams/configure-meetings-sensitive-protection",
"RationaleStatement": "For meetings that could contain sensitive information, it is best to allow the meeting organizer to vet anyone not directly sent an invite before admitting them to the meeting. This will also prevent the anonymous user from using the meeting link to have meetings at unscheduled times.**Note:** Those companies that don't normally operate at a Level 2 environment, but do deal with sensitive information, may want to consider this policy setting.",
"ImpactStatement": "Individuals who were not sent or forwarded a meeting invite will not be able to join the meeting automatically.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Meetings` select `Meeting policies`.3. Click `Global (Org-wide default)`3. Under meeting join & lobby set `Anonymous users can join a meeting` to `Off`.**To remediate using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`2. Run the following command to set the recommended state:```Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToJoinMeeting $false```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Meetings` select `Meeting policies`.3. Click `Global (Org-wide default)`.3. Under meeting join & lobby verify that `Anonymous users can join a meeting` is set to `Off`.**To audit using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to verify the recommended state:```Get-CsTeamsMeetingPolicy -Identity Global | fl AllowAnonymousUsersToJoinMeeting```3. Ensure the returned value is `False`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/MicrosoftTeams/configure-meetings-sensitive-protection",
"DefaultValue": "On (True)"
}
]
},
{
"Id": "8.5.2",
"Description": "This policy setting controls if an anonymous participant can start a Microsoft Teams meeting without someone in attendance. Anonymous users and dial-in callers must wait in the lobby until the meeting is started by someone in the organization or an external user from a trusted organization.Anonymous participants are classified as:- Participants who are not logged in to Teams with a work or school account.- Participants from non-trusted organizations (as configured in external access).- Participants from organizations where there is not mutual trust.**Note:** This setting only applies when `Who can bypass the lobby` is set to `Everyone`. If the `anonymous users can join a meeting` organization-level setting or meeting policy is `Off`, this setting only applies to dial-in callers.",
"Checks": [
"teams_meeting_anonymous_user_start_disabled"
],
"Attributes": [
{
"Section": "8 Microsoft Teams admin center",
"SubSection": "8.5 Meetings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "This policy setting controls if an anonymous participant can start a Microsoft Teams meeting without someone in attendance. Anonymous users and dial-in callers must wait in the lobby until the meeting is started by someone in the organization or an external user from a trusted organization.Anonymous participants are classified as:- Participants who are not logged in to Teams with a work or school account.- Participants from non-trusted organizations (as configured in external access).- Participants from organizations where there is not mutual trust.**Note:** This setting only applies when `Who can bypass the lobby` is set to `Everyone`. If the `anonymous users can join a meeting` organization-level setting or meeting policy is `Off`, this setting only applies to dial-in callers.",
"RationaleStatement": "Not allowing anonymous participants to automatically join a meeting reduces the risk of meeting spamming.",
"ImpactStatement": "Anonymous participants will not be able to start a Microsoft Teams meeting.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Meetings` select `Meeting policies`.3. Click `Global (Org-wide default)`.3. Under meeting join & lobby set `Anonymous users and dial-in callers can start a meeting` to `Off`.**To remediate using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to set the recommended state:```Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToStartMeeting $false```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Meetings` select `Meeting policies`.3. Click `Global (Org-wide default)`.3. Under meeting join & lobby verify that `Anonymous users and dial-in callers can start a meeting` is set to `Off`.**To audit using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to verify the recommended state:```Get-CsTeamsMeetingPolicy -Identity Global | fl AllowAnonymousUsersToStartMeeting```3. Ensure the returned value is `False`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoftteams/anonymous-users-in-meetings:https://learn.microsoft.com/en-us/microsoftteams/who-can-bypass-meeting-lobby#overview-of-lobby-settings-and-policies",
"DefaultValue": "Off (False)"
}
]
},
{
"Id": "8.5.3",
"Description": "This policy setting controls who can join a meeting directly and who must wait in the lobby until they're admitted by an organizer, co-organizer, or presenter of the meeting.",
"Checks": [
"teams_meeting_external_lobby_bypass_disabled"
],
"Attributes": [
{
"Section": "8 Microsoft Teams admin center",
"SubSection": "8.5 Meetings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "This policy setting controls who can join a meeting directly and who must wait in the lobby until they're admitted by an organizer, co-organizer, or presenter of the meeting.",
"RationaleStatement": "For meetings that could contain sensitive information, it is best to allow the meeting organizer to vet anyone not directly sent an invite before admitting them to the meeting. This will also prevent the anonymous user from using the meeting link to have meetings at unscheduled times.",
"ImpactStatement": "Individuals who are not part of the organization will have to wait in the lobby until they're admitted by an organizer, co-organizer, or presenter of the meeting. Any individual who dials into the meeting regardless of status will also have to wait in the lobby. This includes internal users who are considered unauthenticated when dialing in.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Meetings` select `Meeting policies`.3. Click `Global (Org-wide default)`.3. Under meeting join & lobby set `Who can bypass the lobby` to `People in my org`.**To remediate using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to set the recommended state:```Set-CsTeamsMeetingPolicy -Identity Global -AutoAdmittedUsers \"EveryoneInCompanyExcludingGuests\"```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Meetings` select `Meeting policies`.3. Click `Global (Org-wide default)`.3. Under meeting join & lobby verify `Who can bypass the lobby` is set to `People in my org`.**To audit using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to verify the recommended state:```Get-CsTeamsMeetingPolicy -Identity Global | fl AutoAdmittedUsers```3. Ensure the returned value is `EveryoneInCompanyExcludingGuests`",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoftteams/who-can-bypass-meeting-lobby#overview-of-lobby-settings-and-policies:https://learn.microsoft.com/en-us/powershell/module/skype/set-csteamsmeetingpolicy?view=skype-ps",
"DefaultValue": "People in my org and guests (EveryoneInCompany)"
}
]
},
{
"Id": "8.5.4",
"Description": "This policy setting controls if users who dial in by phone can join the meeting directly or must wait in the lobby. Admittance to the meeting from the lobby is authorized by the meeting organizer, co-organizer, or presenter of the meeting.",
"Checks": [
"teams_meeting_dial_in_lobby_bypass_disabled"
],
"Attributes": [
{
"Section": "8 Microsoft Teams admin center",
"SubSection": "8.5 Meetings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "This policy setting controls if users who dial in by phone can join the meeting directly or must wait in the lobby. Admittance to the meeting from the lobby is authorized by the meeting organizer, co-organizer, or presenter of the meeting.",
"RationaleStatement": "For meetings that could contain sensitive information, it is best to allow the meeting organizer to vet anyone not directly from the organization.",
"ImpactStatement": "Individuals who are dialing in to the meeting must wait in the lobby until a meeting organizer, co-organizer, or presenter admits them.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Meetings` select `Meeting policies`.3. Click `Global (Org-wide default)`.3. Under meeting join & lobby set `People dialing in can bypass the lobby` to `Off`.**To remediate using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to set the recommended state:```Set-CsTeamsMeetingPolicy -Identity Global -AllowPSTNUsersToBypassLobby $false```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Meetings` select `Meeting policies`.3. Click `Global (Org-wide default)`.3. Under meeting join & lobby verify that `People dialing in can bypass the lobby` is set to `Off`.**To audit using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to verify the recommended state:```Get-CsTeamsMeetingPolicy -Identity Global | fl AllowPSTNUsersToBypassLobby```3. Ensure the value is `False`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoftteams/who-can-bypass-meeting-lobby#overview-of-lobby-settings-and-policies:https://learn.microsoft.com/en-us/powershell/module/skype/set-csteamsmeetingpolicy?view=skype-ps",
"DefaultValue": "Off (False)"
}
]
},
{
"Id": "8.5.5",
"Description": "This policy setting controls who has access to read and write chat messages during a meeting.",
"Checks": [
"teams_meeting_chat_anonymous_users_disabled"
],
"Attributes": [
{
"Section": "8 Microsoft Teams admin center",
"SubSection": "8.5 Meetings",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "This policy setting controls who has access to read and write chat messages during a meeting.",
"RationaleStatement": "Ensuring that only authorized individuals can read and write chat messages during a meeting reduces the risk that a malicious user can inadvertently show content that is not appropriate or view sensitive information.",
"ImpactStatement": "Only authorized individuals will be able to read and write chat messages during a meeting.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Meetings` select `Meeting policies`.3. Click `Global (Org-wide default)`.3. Under meeting engagement set `Meeting chat` to `On for everyone but anonymous users`.**To remediate using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to set the recommended state:```Set-CsTeamsMeetingPolicy -Identity Global -MeetingChatEnabledType \"EnabledExceptAnonymous\"```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Meetings` select `Meeting policies`.3. Click `Global (Org-wide default)`.3. Under meeting engagement verify that `Meeting chat` is set to `On for everyone but anonymous users`.**To audit using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to verify the recommended state:```Get-CsTeamsMeetingPolicy -Identity Global | fl MeetingChatEnabledType```3. Ensure the returned value is `EnabledExceptAnonymous`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/powershell/module/skype/set-csteamsmeetingpolicy?view=skype-ps#-meetingchatenabledtype",
"DefaultValue": "On for everyone (Enabled)"
}
]
},
{
"Id": "8.5.6",
"Description": "This policy setting controls who can present in a Teams meeting. **Note:** Organizers and co-organizers can change this setting when the meeting is set up.",
"Checks": [
"teams_meeting_presenters_restricted"
],
"Attributes": [
{
"Section": "8 Microsoft Teams admin center",
"SubSection": "8.5 Meetings",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "This policy setting controls who can present in a Teams meeting. **Note:** Organizers and co-organizers can change this setting when the meeting is set up.",
"RationaleStatement": "Ensuring that only authorized individuals are able to present reduces the risk that a malicious user can inadvertently show content that is not appropriate.",
"ImpactStatement": "Only organizers and co-organizers will be able to present without being granted permission.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Meetings` select `Meeting policies`.3. Click `Global (Org-wide default)`.3. Under content sharing set `Who can present` to `Only organizers and co-organizers`.**To remediate using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to set the recommended state:```Set-CsTeamsMeetingPolicy -Identity Global -DesignatedPresenterRoleMode \"OrganizerOnlyUserOverride\"```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Meetings` select `Meeting policies`.3. Click `Global (Org-wide default)`.3. Under content sharing verify `Who can present` is set to `Only organizers and co-organizers`.**To audit using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to verify the recommended state:```Get-CsTeamsMeetingPolicy -Identity Global | fl DesignatedPresenterRoleMode```3. Ensure the returned value is `OrganizerOnlyUserOverride`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-US/microsoftteams/meeting-who-present-request-control:https://learn.microsoft.com/en-us/microsoftteams/meeting-who-present-request-control#manage-who-can-present:https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/reducing-attack-surface-in-microsoft-teams?view=o365-worldwide#configure-meeting-settings-restrict-presenters:https://learn.microsoft.com/en-us/powershell/module/skype/set-csteamsmeetingpolicy?view=skype-ps",
"DefaultValue": "Everyone (EveryoneUserOverride)"
}
]
},
{
"Id": "8.5.7",
"Description": "This policy setting allows control of who can present in meetings and who can request control of the presentation while a meeting is underway.",
"Checks": [
"teams_meeting_external_control_disabled"
],
"Attributes": [
{
"Section": "8 Microsoft Teams admin center",
"SubSection": "8.5 Meetings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "This policy setting allows control of who can present in meetings and who can request control of the presentation while a meeting is underway.",
"RationaleStatement": "Ensuring that only authorized individuals and not external participants are able to present and request control reduces the risk that a malicious user can inadvertently show content that is not appropriate. External participants are categorized as follows: external users, guests, and anonymous users.",
"ImpactStatement": "External participants will not be able to present or request control during the meeting.**Warning:** This setting also affects webinars.**Note:** At this time, to give and take control of shared content during a meeting, both parties must be using the Teams desktop client. Control isn't supported when either party is running Teams in a browser.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Meetings` select `Meeting policies`.3. Click `Global (Org-wide default)`.4. Under content sharing set `External participants can give or request control` to `Off`.**To remediate using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to set the recommended state:```Set-CsTeamsMeetingPolicy -Identity Global -AllowExternalParticipantGiveRequestControl $false```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Meetings` select `Meeting policies`.3. Click `Global (Org-wide default)`.4. Under content sharing verify that `External participants can give or request control` is `Off`.**To audit using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to verify the recommended state:```Get-CsTeamsMeetingPolicy -Identity Global | fl AllowExternalParticipantGiveRequestControl```3. Ensure the returned value is `False`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoftteams/meeting-who-present-request-control:https://learn.microsoft.com/en-us/powershell/module/skype/set-csteamsmeetingpolicy?view=skype-ps",
"DefaultValue": "Off (False)"
}
]
},
{
"Id": "8.5.8",
"Description": "This meeting policy setting controls whether users can read or write messages in external meeting chats with untrusted organizations. If an external organization is on the list of trusted organizations this setting will be ignored.",
"Checks": [
"teams_meeting_external_chat_disabled"
],
"Attributes": [
{
"Section": "8 Microsoft Teams admin center",
"SubSection": "8.5 Meetings",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "This meeting policy setting controls whether users can read or write messages in external meeting chats with untrusted organizations. If an external organization is on the list of trusted organizations this setting will be ignored.",
"RationaleStatement": "Restricting access to chat in meetings hosted by external organizations limits the opportunity for an exploit like GIFShell or DarkGate malware from being delivered to users.",
"ImpactStatement": "When joining external meetings users will be unable to read or write chat messages in Teams meetings with organizations that they don't have a trust relationship with. This will completely remove the chat functionality in meetings. From an I.T. perspective both the upkeep of adding new organizations to the trusted list and the decision-making process behind whether to trust or not trust an external partner will increase time expenditure.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Meetings` select `Meeting policies`.3. Click `Global (Org-wide default)`.4. Under meeting engagement set `External meeting chat` to `Off`.**To remediate using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to set the recommended state:```Set-CsTeamsMeetingPolicy -Identity Global -AllowExternalNonTrustedMeetingChat $false```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Meetings` select `Meeting policies`.3. Click `Global (Org-wide default)`.4. Under meeting engagement verify that `External meeting chat` is set to `Off`.**To audit using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to verify the recommended state:```Get-CsTeamsMeetingPolicy -Identity Global | fl AllowExternalNonTrustedMeetingChat```3. Ensure the returned value is `False`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoftteams/settings-policies-reference#meeting-engagement",
"DefaultValue": "On(True)"
}
]
},
{
"Id": "8.5.9",
"Description": "This setting controls the ability for a user to initiate a recording of a meeting in progress.The recommended state is `Off` for the `Global (Org-wide default)` meeting policy.",
"Checks": [
"teams_meeting_recording_disabled"
],
"Attributes": [
{
"Section": "8 Microsoft Teams admin center",
"SubSection": "8.5 Meetings",
"Profile": "E3 Level 2",
"AssessmentStatus": "Automated",
"Description": "This setting controls the ability for a user to initiate a recording of a meeting in progress.The recommended state is `Off` for the `Global (Org-wide default)` meeting policy.",
"RationaleStatement": "Disabling meeting recordings in the Global meeting policy ensures that only authorized users, such as organizers, co-organizers, and leads, can initiate a recording. This measure helps safeguard sensitive information by preventing unauthorized individuals from capturing and potentially sharing meeting content. Restricting recording capabilities to specific roles allows organizations to exercise greater control over what is recorded, aligning it with the meeting's confidentiality requirements.**Note:** Creating a separate policy for users or groups who are allowed to record is expected and in compliance. This control is only for the default meeting policy.",
"ImpactStatement": "If there are no additional policies allowing anyone to record, then recording will effectively be disabled.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Meetings` select `Meeting policies`.3. Click `Global (Org-wide default)`.4. Under **Recording & transcription** set `Meeting recording` to `Off`.**To remediate using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to set the recommended state:```Set-CsTeamsMeetingPolicy -Identity Global -AllowCloudRecording $false```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Meetings` select `Meeting policies`.3. Click `Global (Org-wide default)`.4. Under **Recording & transcription** verify that `Meeting recording` is set to `Off`.**To audit using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Run the following command to verify the recommended state:```Get-CsTeamsMeetingPolicy -Identity Global | fl AllowCloudRecording```3. Ensure the returned value is `False`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/microsoftteams/settings-policies-reference#recording--transcription",
"DefaultValue": "On (True)"
}
]
},
{
"Id": "8.6.1",
"Description": "User reporting settings allow a user to report a message as malicious for further analysis. This recommendation is composed of 3 different settings and all be configured to pass:- **In the Teams admin center:** On by default and controls whether users are able to report messages from Teams. When this setting is turned off, users can't report messages within Teams, so the corresponding setting in the Microsoft 365 Defender portal is irrelevant.- **In the Microsoft 365 Defender portal:** On by default for new tenants. Existing tenants need to enable it. If user reporting of messages is turned on in the Teams admin center, it also needs to be turned on the Defender portal for user reported messages to show up correctly on the User reported tab on the Submissions page.- **Defender - Report message destinations:** This applies to more than just Microsoft Teams and allows for an organization to keep their reports contained. Due to how the parameters are configured on the backend it is included in this assessment as a requirement.",
"Checks": [
"teams_security_reporting_enabled",
"defender_chat_report_policy_configured"
],
"Attributes": [
{
"Section": "8 Microsoft Teams admin center",
"SubSection": "8.6 Messaging",
"Profile": "E3 Level 1",
"AssessmentStatus": "Automated",
"Description": "User reporting settings allow a user to report a message as malicious for further analysis. This recommendation is composed of 3 different settings and all be configured to pass:- **In the Teams admin center:** On by default and controls whether users are able to report messages from Teams. When this setting is turned off, users can't report messages within Teams, so the corresponding setting in the Microsoft 365 Defender portal is irrelevant.- **In the Microsoft 365 Defender portal:** On by default for new tenants. Existing tenants need to enable it. If user reporting of messages is turned on in the Teams admin center, it also needs to be turned on the Defender portal for user reported messages to show up correctly on the User reported tab on the Submissions page.- **Defender - Report message destinations:** This applies to more than just Microsoft Teams and allows for an organization to keep their reports contained. Due to how the parameters are configured on the backend it is included in this assessment as a requirement.",
"RationaleStatement": "Users will be able to more quickly and systematically alert administrators of suspicious malicious messages within Teams. The content of these messages may be sensitive in nature and therefore should be kept within the organization and not shared with Microsoft without first consulting company policy.**Note:** - The reported message remains visible to the user in the Teams client.- Users can report the same message multiple times.- The message sender isn't notified that messages were reported.",
"ImpactStatement": "Enabling message reporting has an impact beyond just addressing security concerns. When users of the platform report a message, the content could include messages that are threatening or harassing in nature, possibly stemming from colleagues.Due to this the security staff responsible for reviewing and acting on these reports should be equipped with the skills to discern and appropriately direct such messages to the relevant departments, such as Human Resources (HR).",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Messaging` select `Messaging policies`.3. Click `Global (Org-wide default)`.4. Set `Report a security concern` to `On`.5. Next, navigate to `Microsoft 365 Defender` https://security.microsoft.com/6. Click on `Settings` > `Email & collaboration` > `User reported settings`.7. Scroll to `Microsoft Teams`.8. Check `Monitor reported messages in Microsoft Teams` and `Save`.9. Set `Send reported messages to:` to `My reporting mailbox only` with reports configured to be sent to authorized staff.**To remediate using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Connect to Exchange Online PowerShell using `Connect-ExchangeOnline`.3. Run the following cmdlet:```Set-CsTeamsMessagingPolicy -Identity Global -AllowSecurityEndUserReporting $true```4. To configure the Defender reporting policies, edit and run this script:```$usersub = \"userreportedmessages@fabrikam.com\" # Change this.$params = @{ Identity = \"DefaultReportSubmissionPolicy\" EnableReportToMicrosoft = $false ReportChatMessageEnabled = $false ReportChatMessageToCustomizedAddressEnabled = $true ReportJunkToCustomizedAddress = $true ReportNotJunkToCustomizedAddress = $true ReportPhishToCustomizedAddress = $true ReportJunkAddresses = $usersub ReportNotJunkAddresses = $usersub ReportPhishAddresses = $usersub}Set-ReportSubmissionPolicy @paramsNew-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub```",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Teams admin center` https://admin.teams.microsoft.com.2. Click to expand `Messaging` select `Messaging policies`.3. Click `Global (Org-wide default)`.4. Ensure `Report a security concern` is `On`.5. Next, navigate to `Microsoft 365 Defender` https://security.microsoft.com/6. Click on `Settings` > `Email & collaboration` > `User reported settings`.7. Scroll to `Microsoft Teams`.8. Ensure `Monitor reported messages in Microsoft Teams` is checked.9. Ensure `Send reported messages to:` is set to `My reporting mailbox only` with report email addresses defined for authorized staff.**To audit using PowerShell:**1. Connect to Teams PowerShell using `Connect-MicrosoftTeams`.2. Connect to Exchange Online PowerShell using `Connect-ExchangeOnline`.3. Run the following cmdlet for to assess Teams:```Get-CsTeamsMessagingPolicy -Identity Global | fl AllowSecurityEndUserReporting```4. Ensure the value returned is `True`.5. Run this cmdlet to assess Defender:```Get-ReportSubmissionPolicy | fl Report*```6. Ensure the output matches the following values with organization specific email addresses:```ReportJunkToCustomizedAddress : TrueReportNotJunkToCustomizedAddress : TrueReportPhishToCustomizedAddress : TrueReportJunkAddresses : {SOC@contoso.com}ReportNotJunkAddresses : {SOC@contoso.com}ReportPhishAddresses : {SOC@contoso.com}ReportChatMessageEnabled : FalseReportChatMessageToCustomizedAddressEnabled : True```",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/defender-office-365/submissions-teams?view=o365-worldwide",
"DefaultValue": "On (`True`)Report message destination: `Microsoft Only`"
}
]
},
{
"Id": "9.1.1",
"Description": "This setting allows business-to-business (B2B) guests access to Microsoft Fabric, and contents that they have permissions to. With the setting turned off, B2B guest users receive an error when trying to access Power BI.The recommended state is `Enabled for a subset of the organization` or `Disabled`.",
"Checks": [],
"Attributes": [
{
"Section": "9 Microsoft Fabric",
"SubSection": "9.1 Teams settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "This setting allows business-to-business (B2B) guests access to Microsoft Fabric, and contents that they have permissions to. With the setting turned off, B2B guest users receive an error when trying to access Power BI.The recommended state is `Enabled for a subset of the organization` or `Disabled`.",
"RationaleStatement": "Establishing and enforcing a dedicated security group prevents unauthorized access to Microsoft Fabric for guests collaborating in Azure that are new or assigned guest status from other applications. This upholds the principle of least privilege and uses role-based access control (RBAC). These security groups can also be used for tasks like conditional access, enhancing risk management and user accountability across the organization.",
"ImpactStatement": "Security groups will need to be more closely tended to and monitored.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Export and Sharing settings`.4. Set `Guest users can access Microsoft Fabric` to one of these states: - State 1: `Disabled` - State 2: `Enabled` with `Specific security groups` selected and defined.**Important:** If the organization doesn't actively use this feature it is recommended to keep it `Disabled`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Export and Sharing settings`.4. Ensure that `Guest users can access Microsoft Fabric` adheres to one of these states: - State 1: `Disabled` - State 2: `Enabled` with `Specific security groups` selected and defined.**Important:** If the organization doesn't actively use this feature it is recommended to keep it `Disabled`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/fabric/admin/service-admin-portal-export-sharing",
"DefaultValue": "Enabled for Entire Organization"
}
]
},
{
"Id": "9.1.2",
"Description": "This setting helps organizations choose whether new external users can be invited to the organization through Power BI sharing, permissions, and subscription experiences. This setting only controls the ability to invite through Power BI.The recommended state is `Enabled for a subset of the organization` or `Disabled`.**Note:** To invite external users to the organization, the user must also have the Microsoft Entra Guest Inviter role.",
"Checks": [],
"Attributes": [
{
"Section": "9 Microsoft Fabric",
"SubSection": "9.1 Teams settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "This setting helps organizations choose whether new external users can be invited to the organization through Power BI sharing, permissions, and subscription experiences. This setting only controls the ability to invite through Power BI.The recommended state is `Enabled for a subset of the organization` or `Disabled`.**Note:** To invite external users to the organization, the user must also have the Microsoft Entra Guest Inviter role.",
"RationaleStatement": "Establishing and enforcing a dedicated security group prevents unauthorized access to Microsoft Fabric for guests collaborating in Azure that are new or assigned guest status from other applications. This upholds the principle of least privilege and uses role-based access control (RBAC). These security groups can also be used for tasks like conditional access, enhancing risk management and user accountability across the organization.",
"ImpactStatement": "Guest user invitations will be limited to only specific employees.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Export and Sharing settings`.4. Set `Users can invite guest users to collaborate through item sharing and permissions` to one of these states: - State 1: `Disabled` - State 2: `Enabled` with `Specific security groups` selected and defined.**Important:** If the organization doesn't actively use this feature it is recommended to keep it `Disabled`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Export and Sharing settings`.4. Ensure that `Users can invite guest users to collaborate through item sharing and permissions` adheres to one of these states: - State 1: `Disabled` - State 2: `Enabled` with `Specific security groups` selected and defined.**Important:** If the organization doesn't actively use this feature it is recommended to keep it `Disabled`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/fabric/admin/service-admin-portal-export-sharing:https://learn.microsoft.com/en-us/power-bi/enterprise/service-admin-azure-ad-b2b#invite-guest-users",
"DefaultValue": "Enabled for the entire organization"
}
]
},
{
"Id": "9.1.3",
"Description": "This setting allows Microsoft Entra B2B guest users to have full access to the browsing experience using the left-hand navigation pane in the organization. Guest users who have been assigned workspace roles or specific item permissions will continue to have those roles and/or permissions, even if this setting is disabled.The recommended state is `Enabled for a subset of the organization` or `Disabled`.",
"Checks": [],
"Attributes": [
{
"Section": "9 Microsoft Fabric",
"SubSection": "9.1 Teams settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "This setting allows Microsoft Entra B2B guest users to have full access to the browsing experience using the left-hand navigation pane in the organization. Guest users who have been assigned workspace roles or specific item permissions will continue to have those roles and/or permissions, even if this setting is disabled.The recommended state is `Enabled for a subset of the organization` or `Disabled`.",
"RationaleStatement": "Establishing and enforcing a dedicated security group prevents unauthorized access to Microsoft Fabric for guests collaborating in Entra that are new or assigned guest status from other applications. This upholds the principle of least privilege and uses role-based access control (RBAC). These security groups can also be used for tasks like conditional access, enhancing risk management and user accountability across the organization.",
"ImpactStatement": "Security groups will need to be more closely tended to and monitored.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Export and Sharing settings`.4. Set `Guest users can browse and access Fabric content` to one of these states: - State 1: `Disabled` - State 2: `Enabled` with `Specific security groups` selected and defined.**Important:** If the organization doesn't actively use this feature it is recommended to keep it `Disabled`.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Export and Sharing settings`.4. Ensure that `Guest users can browse and access Fabric content` adheres to one of these states: - State 1: `Disabled` - State 2: `Enabled` with `Specific security groups` selected and defined.**Important:** If the organization doesn't actively use this feature it is recommended to keep it `Disabled`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/fabric/admin/service-admin-portal-export-sharing",
"DefaultValue": "Disabled"
}
]
},
{
"Id": "9.1.4",
"Description": "Power BI enables users to share reports and materials directly on the internet from both the application's desktop version and its web user interface. This functionality generates a publicly reachable web link that doesn't necessitate authentication or the need to be an Entra ID user in order to access and view it.The recommended state is `Enabled for a subset of the organization` or `Disabled`.",
"Checks": [],
"Attributes": [
{
"Section": "9 Microsoft Fabric",
"SubSection": "9.1 Teams settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Power BI enables users to share reports and materials directly on the internet from both the application's desktop version and its web user interface. This functionality generates a publicly reachable web link that doesn't necessitate authentication or the need to be an Entra ID user in order to access and view it.The recommended state is `Enabled for a subset of the organization` or `Disabled`.",
"RationaleStatement": "When using Publish to Web anyone on the Internet can view a published report or visual. Viewing requires no authentication. It includes viewing detail-level data that your reports aggregate. By disabling the feature, restricting access to certain users and allowing existing embed codes organizations can mitigate the exposure of confidential or proprietary information.",
"ImpactStatement": "Depending on the organization's utilization administrators may experience more overhead managing embed codes, and requests.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Export and Sharing settings`.4. Set `Publish to web` to one of these states: - State 1: `Disabled` - State 2: `Enabled` with `Choose how embed codes work` set to `Only allow existing codes` **AND** `Specific security groups` selected and defined**Important:** If the organization doesn't actively use this feature it is recommended to keep it `Disabled`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Export and Sharing settings`.4. Ensure that `Publish to web` adheres to one of these states: - State 1: `Disabled` - State 2: `Enabled` with `Choose how embed codes work` set to `Only allow existing codes` **AND** `Specific security groups` selected and defined**Important:** If the organization doesn't actively use this feature it is recommended to keep it `Disabled`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-publish-to-web:https://learn.microsoft.com/en-us/fabric/admin/service-admin-portal-export-sharing#publish-to-web",
"DefaultValue": "Enabled for the entire organizationOnly allow existing codes"
}
]
},
{
"Id": "9.1.5",
"Description": "Power BI allows the integration of R and Python scripts directly into visuals. This feature allows data visualizations by incorporating custom calculations, statistical analyses, machine learning models, and more using R or Python scripts. Custom visuals can be created by embedding them directly into Power BI reports. Users can then interact with these visuals and see the results of the custom code within the Power BI interface.",
"Checks": [],
"Attributes": [
{
"Section": "9 Microsoft Fabric",
"SubSection": "9.1 Teams settings",
"Profile": "E3 Level 2",
"AssessmentStatus": "Manual",
"Description": "Power BI allows the integration of R and Python scripts directly into visuals. This feature allows data visualizations by incorporating custom calculations, statistical analyses, machine learning models, and more using R or Python scripts. Custom visuals can be created by embedding them directly into Power BI reports. Users can then interact with these visuals and see the results of the custom code within the Power BI interface.",
"RationaleStatement": "Disabling this feature can reduce the attack surface by preventing potential malicious code execution leading to data breaches, or unauthorized access. The potential for sensitive or confidential data being leaked to unintended users is also increased with the use of scripts.",
"ImpactStatement": "Use of R and Python scripting will require exceptions for developers, along with more stringent code review.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `R and Python visuals settings`.4. Set `Interact with and share R and Python visuals` to `Disabled`",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `R and Python visuals settings`.4. Ensure that `Interact with and share R and Python visuals` is `Disabled`",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/fabric/admin/service-admin-portal-r-python-visuals:https://learn.microsoft.com/en-us/power-bi/visuals/service-r-visuals:https://www.r-project.org/",
"DefaultValue": "Enabled"
}
]
},
{
"Id": "9.1.6",
"Description": "Information protection tenant settings help to protect sensitive information in the Power BI tenant. Allowing and applying sensitivity labels to content ensures that information is only seen and accessed by the appropriate users.The recommended state is `Enabled` or `Enabled for a subset of the organization`.**Note:** Sensitivity labels and protection are only applied to files exported to Excel, PowerPoint, or PDF files, that are controlled by \"Export to Excel\" and \"Export reports as PowerPoint presentation or PDF documents\" settings. All other export and sharing options do not support the application of sensitivity labels and protection.**Note 2:** There are some prerequisite steps that need to be completed in order to fully utilize labeling. See [here](https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-enable-data-sensitivity-labels#licensing-and-requirements).",
"Checks": [],
"Attributes": [
{
"Section": "9 Microsoft Fabric",
"SubSection": "9.1 Teams settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Information protection tenant settings help to protect sensitive information in the Power BI tenant. Allowing and applying sensitivity labels to content ensures that information is only seen and accessed by the appropriate users.The recommended state is `Enabled` or `Enabled for a subset of the organization`.**Note:** Sensitivity labels and protection are only applied to files exported to Excel, PowerPoint, or PDF files, that are controlled by \"Export to Excel\" and \"Export reports as PowerPoint presentation or PDF documents\" settings. All other export and sharing options do not support the application of sensitivity labels and protection.**Note 2:** There are some prerequisite steps that need to be completed in order to fully utilize labeling. See [here](https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-enable-data-sensitivity-labels#licensing-and-requirements).",
"RationaleStatement": "Establishing data classifications and affixing labels to data at creation enables organizations to discern the data's criticality, sensitivity, and value. This initial identification enables the implementation of appropriate protective measures, utilizing technologies like Data Loss Prevention (DLP) to avert inadvertent exposure and enforcing access controls to safeguard against unauthorized access.This practice can also promote user awareness and responsibility in regard to the nature of the data they interact with. Which in turn can foster awareness in other areas of data management across the organization.",
"ImpactStatement": "Additional license requirements like Power BI Pro are required, as outlined in the Licensed and requirements page linked in the description and references sections.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Information protection`.4. Set `Allow users to apply sensitivity labels for content` to one of these states: - State 1: `Enabled` - State 2: `Enabled` with `Specific security groups` selected and defined.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Information protection`.4. Ensure that `Allow users to apply sensitivity labels for content` adheres to one of these states: - State 1: `Enabled` - State 2: `Enabled` with `Specific security groups` selected and defined.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-enable-data-sensitivity-labels:https://learn.microsoft.com/en-us/fabric/governance/data-loss-prevention-overview:https://learn.microsoft.com/en-us/power-bi/enterprise/service-security-enable-data-sensitivity-labels#licensing-and-requirements",
"DefaultValue": "Disabled"
}
]
},
{
"Id": "9.1.7",
"Description": "Creating a shareable link allows a user to create a link to a report or dashboard, then add that link to an email or another messaging application. There are 3 options that can be selected when creating a shareable link:- People in your organization- People with existing access- Specific peopleThis setting solely deals with restrictions to `People in the organization`. External users by default are not included in any of these categories, and therefore cannot use any of these links regardless of the state of this setting.The recommended state is `Enabled for a subset of the organization` or `Disabled`.",
"Checks": [],
"Attributes": [
{
"Section": "9 Microsoft Fabric",
"SubSection": "9.1 Teams settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Creating a shareable link allows a user to create a link to a report or dashboard, then add that link to an email or another messaging application. There are 3 options that can be selected when creating a shareable link:- People in your organization- People with existing access- Specific peopleThis setting solely deals with restrictions to `People in the organization`. External users by default are not included in any of these categories, and therefore cannot use any of these links regardless of the state of this setting.The recommended state is `Enabled for a subset of the organization` or `Disabled`.",
"RationaleStatement": "While external users are unable to utilize shareable links, disabling or restricting this feature ensures that a user cannot generate a link accessible by individuals within the same organization who lack the necessary clearance to the shared data. For example, a member of Human Resources intends to share sensitive information with a particular employee or another colleague within their department. The owner would be prompted to specify either `People with existing access` or `Specific people` when generating the link requiring the person clicking the link to pass a first layer access control list. This measure along with proper file and folder permissions can help prevent unintended access and potential information leakage.",
"ImpactStatement": "If the setting is `Enabled` then only specific people in the organization would be allowed to create general links viewable by the entire organization.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Export and Sharing settings`.4. Set `Allow shareable links to grant access to everyone in your organization` to one of these states: - State 1: `Disabled` - State 2: `Enabled` with `Specific security groups` selected and defined.**Important:** If the organization doesn't actively use this feature it is recommended to keep it `Disabled`.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Export and Sharing settings`.4. Ensure that `Allow shareable links to grant access to everyone in your organization` adheres to one of these states: - State 1: `Disabled` - State 2: `Enabled` with `Specific security groups` selected and defined.**Important:** If the organization doesn't actively use this feature it is recommended to keep it `Disabled`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/power-bi/collaborate-share/service-share-dashboards?wt.mc_id=powerbi_inproduct_sharedialog#link-settings:https://learn.microsoft.com/en-us/fabric/admin/service-admin-portal-export-sharing",
"DefaultValue": "Enabled for Entire Organization"
}
]
},
{
"Id": "9.1.8",
"Description": "Power BI admins can specify which users or user groups can share datasets externally with guests from a different tenant through the in-place mechanism. Disabling this setting prevents any user from sharing datasets externally by restricting the ability of users to turn on external sharing for datasets they own or manage.The recommended state is `Enabled for a subset of the organization` or `Disabled`.",
"Checks": [],
"Attributes": [
{
"Section": "9 Microsoft Fabric",
"SubSection": "9.1 Teams settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Power BI admins can specify which users or user groups can share datasets externally with guests from a different tenant through the in-place mechanism. Disabling this setting prevents any user from sharing datasets externally by restricting the ability of users to turn on external sharing for datasets they own or manage.The recommended state is `Enabled for a subset of the organization` or `Disabled`.",
"RationaleStatement": "Establishing and enforcing a dedicated security group prevents unauthorized access to Microsoft Fabric for guests collaborating in Azure that are new or from other applications. This upholds the principle of least privilege and uses role-based access control (RBAC). These security groups can also be used for tasks like conditional access, enhancing risk management and user accountability across the organization.",
"ImpactStatement": "Security groups will need to be more closely tended to and monitored.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Export and Sharing settings`.4. Set `Allow specific users to turn on external data sharing` to one of these states: - State 1: `Disabled` - State 2: `Enabled` with `Specific security groups` selected and defined.**Important:** If the organization doesn't actively use this feature it is recommended to keep it `Disabled`.",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Export and Sharing settings`.4. Ensure that `Allow specific users to turn on external data sharing` adheres to one of these states: - State 1: `Disabled` - State 2: `Enabled` with `Specific security groups` selected and defined.**Important:** If the organization doesn't actively use this feature it is recommended to keep it `Disabled`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/fabric/admin/service-admin-portal-export-sharing",
"DefaultValue": "Enabled for the entire organization"
}
]
},
{
"Id": "9.1.9",
"Description": "This setting blocks the use of resource key based authentication. The Block ResourceKey Authentication setting applies to streaming and PUSH datasets. If blocked users will not be allowed send data to streaming and PUSH datasets using the API with a resource key.The recommended state is `Enabled`.",
"Checks": [],
"Attributes": [
{
"Section": "9 Microsoft Fabric",
"SubSection": "9.1 Teams settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "This setting blocks the use of resource key based authentication. The Block ResourceKey Authentication setting applies to streaming and PUSH datasets. If blocked users will not be allowed send data to streaming and PUSH datasets using the API with a resource key.The recommended state is `Enabled`.",
"RationaleStatement": "Resource keys are a form of authentication that allows users to access Power BI resources (such as reports, dashboards, and datasets) without requiring individual user accounts. While convenient, this method bypasses the organization's centralized identity and access management controls. Enabling ensures that access to Power BI resources is tied to the organization's authentication mechanisms, providing a more secure and controlled environment.",
"ImpactStatement": "Developers will need to request a special exception in order to use this feature.",
"RemediationProcedure": "**To remediate using the UI:**1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Developer settings`.4. Set `Block ResourceKey Authentication` to `Enabled`",
"AuditProcedure": "**To audit using the UI:**1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Developer settings`.4. Ensure that `Block ResourceKey Authentication` is `Enabled`",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/fabric/admin/service-admin-portal-developer:https://learn.microsoft.com/en-us/power-bi/connect-data/service-real-time-streaming",
"DefaultValue": "Disabled for the entire organization"
}
]
},
{
"Id": "9.1.10",
"Description": "Web apps registered in Microsoft Entra ID use an assigned service principal to access Power BI APIs without a signed-in user. This setting allows an app to use service principal authentication.The recommended state is `Enabled for a subset of the organization` or `Disabled`.",
"Checks": [],
"Attributes": [
{
"Section": "9 Microsoft Fabric",
"SubSection": "9.1 Teams settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Web apps registered in Microsoft Entra ID use an assigned service principal to access Power BI APIs without a signed-in user. This setting allows an app to use service principal authentication.The recommended state is `Enabled for a subset of the organization` or `Disabled`.",
"RationaleStatement": "Leaving API access unrestricted increases the attack surface in the event an adversary gains access to a Service Principal. APIs are a feature-rich method for programmatic access to many areas of Power Bi and should be guarded closely.",
"ImpactStatement": "Disabled is the default behavior.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Developer settings`.4. Set `Service principals can use Fabric APIs` to one of these states: - State 1: `Disabled` - State 2: `Enabled` with `Specific security groups` selected and defined.**Important:** If the organization doesn't actively use this feature it is recommended to keep it `Disabled`.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Developer settings`.4. Ensure that `Service principals can use Fabric APIs` adheres to one of these states: - State 1: `Disabled` - State 2: `Enabled` with `Specific security groups` selected and defined.**Important:** If the organization doesn't actively use this feature it is recommended to keep it `Disabled`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/fabric/admin/service-admin-portal-developer",
"DefaultValue": "Disabled for the entire organization"
}
]
},
{
"Id": "9.1.11",
"Description": "Service principal profiles provide a flexible solution for apps used in a multitenancy deployment. The profiles enable customer data isolation and tighter security boundaries between customers that are utilizing the app.The recommended state is `Enabled for a subset of the organization` or `Disabled`.",
"Checks": [],
"Attributes": [
{
"Section": "9 Microsoft Fabric",
"SubSection": "9.1 Teams settings",
"Profile": "E3 Level 1",
"AssessmentStatus": "Manual",
"Description": "Service principal profiles provide a flexible solution for apps used in a multitenancy deployment. The profiles enable customer data isolation and tighter security boundaries between customers that are utilizing the app.The recommended state is `Enabled for a subset of the organization` or `Disabled`.",
"RationaleStatement": "Service Principals should be restricted to a security group to limit which Service Principals can interact with profiles. This supports the principle of least privilege",
"ImpactStatement": "Disabled is the default behavior.",
"RemediationProcedure": "**To remediate using the UI:** 1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Developer settings`.4. Set `Allow service principals to create and use profiles` to one of these states: - State 1: `Disabled` - State 2: `Enabled` with `Specific security groups` selected and defined.**Important:** If the organization doesn't actively use this feature it is recommended to keep it `Disabled`.",
"AuditProcedure": "**To audit using the UI:** 1. Navigate to `Microsoft Fabric` https://app.powerbi.com/admin-portal2. Select `Tenant settings`.3. Scroll to `Developer settings`.4. Ensure that `Allow service principals to create and use profiles` adheres to one of these states: - State 1: `Disabled` - State 2: `Enabled` with `Specific security groups` selected and defined.**Important:** If the organization doesn't actively use this feature it is recommended to keep it `Disabled`.",
"AdditionalInformation": "",
"References": "https://learn.microsoft.com/en-us/fabric/admin/service-admin-portal-developer:https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-multi-tenancy",
"DefaultValue": "Disabled for the entire organization"
}
]
}
]
}
Reference in New Issue View Git Blame Copy Permalink