Benchmark: CIS v1.5.0

To obtain the latest version of the official guide, please visit http://benchmarks.cisecurity.org.

Overview

This document, Security Configuration Benchmark for Microsoft 365, provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365 Cloud offerings running on any OS. This guide was tested against Microsoft 365, and includes recommendations for Exchange Online, SharePoint Online, OneDrive for Business, Skype/Teams, Azure Active Directory, and inTune. If you have questions, comments, or have identified ways to improve this guide, please write us at feedback@cisecurity.org.

Profiles

The following configuration profiles are defined by this Benchmark:

E3 Level 1

Items in this profile apply to customer deployments of Microsoft M365 with an E3 license and intend to:

• be practical and prudent;
• provide a clear security benefit; and
• not inhibit the utility of the technology beyond acceptable means.

E3 Level 2

This profile extends the "E3 Level 1" profile. Items in this profile exhibit one or more of the following characteristics and is focused on customer deployments of Microsoft M365 E3:

• are intended for environments or use cases where security is paramount
• acts as defense in depth measure
• may negatively inhibit the utility or performance of the technology.

E5 Level 1

Items in this profile extend what is provided by the "E3 Level 1" profile for customer deployments of Microsoft M365 with an E5 license and intend to:

• be practical and prudent;
• provide a clear security benefit; and
• not inhibit the utility of the technology beyond acceptable means.

E5 Level 2

This profile extends the "E3 Level 1" and "E5 Level 1" profiles. Items in this profile exhibit one or more of the following characteristics and is focused on customer deployments of Microsoft M365 E5:

• are intended for environments or use cases where security is paramount
• acts as defense in depth measure
• may negatively inhibit the utility or performance of the technology.