| ID | Recommendation | Control Family |
|---|---|---|
| 1.1.1 | Ensure Administrative accounts are separate and cloud-only | ACCESS CONTROL |
| 1.1.2 | Ensure two emergency access accounts have been defined | ACCESS CONTROL |
| 1.1.3 | Ensure that between two and four global admins are designated | ACCESS CONTROL |
| 1.1.4 | Ensure Guest Users are reviewed at least biweekly | ACCESS CONTROL |
| 1.2.2 | Ensure sign-in to shared mailboxes is blocked | CONFIGURATION MANAGEMENT |
| 1.3.1 | Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)' | IDENTIFICATION AND AUTHENTICATION |
| 1.3.2 | Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices | ACCESS CONTROL |
| 1.3.4 | Ensure 'User owned apps and services' is restricted | CONFIGURATION MANAGEMENT |
| 1.3.5 | Ensure internal phishing protection for Forms is enabled | AWARENESS AND TRAINING, SYSTEM AND INFORMATION INTEGRITY |
| 2.1.2 | Ensure the Common Attachment Types Filter is enabled | SYSTEM AND INFORMATION INTEGRITY |
| 2.1.3 | Ensure notifications for internal users sending malware is Enabled | INCIDENT RESPONSE |
| 2.1.6 | Ensure Exchange Online Spam Policies are set to notify administrators | INCIDENT RESPONSE |
| 2.1.8 | Ensure that SPF records are published for all Exchange Domains | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.9 | Ensure that DKIM is enabled for all Exchange Online Domains | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.10 | Ensure DMARC Records for all Exchange Online domains are published | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.12 | Ensure the 'Restricted entities' report is reviewed weekly | AUDIT AND ACCOUNTABILITY |
| 2.1.13 | Ensure malware trends are reviewed at least weekly | AUDIT AND ACCOUNTABILITY |
| 2.3.1 | Ensure the Account Provisioning Activity report is reviewed at least weekly | AUDIT AND ACCOUNTABILITY |
| 2.3.2 | Ensure non-global administrator role group assignments are reviewed at least weekly | AUDIT AND ACCOUNTABILITY |
| 3.1.1 | Ensure Microsoft 365 audit log search is Enabled | AUDIT AND ACCOUNTABILITY |
| 3.1.2 | Ensure user role group changes are reviewed at least weekly | AUDIT AND ACCOUNTABILITY |
| 3.2.1 | Ensure DLP policies are enabled | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 3.3.1 | Ensure SharePoint Online Information Protection policies are set up and used | RISK ASSESSMENT |
| 5.1.1.1 | Ensure Security Defaults is disabled on Azure Active Directory | CONFIGURATION MANAGEMENT |
| 5.1.2.1 | Ensure 'Per-user MFA' is disabled | IDENTIFICATION AND AUTHENTICATION |
| 5.1.2.3 | Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' | ACCESS CONTROL |
| 5.1.2.4 | Ensure 'Restrict access to the Azure AD administration portal' is set to 'Yes' | ACCESS CONTROL |
| 5.1.3.1 | Ensure a dynamic group for guest users is created | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.5.1 | Ensure the Application Usage report is reviewed at least weekly | AUDIT AND ACCOUNTABILITY |
| 5.1.5.3 | Ensure the admin consent workflow is enabled | CONFIGURATION MANAGEMENT |
| 5.1.8.1 | Ensure that password hash sync is enabled for hybrid deployments | ACCESS CONTROL |
| 5.2.2.1 | Ensure multifactor authentication is enabled for all users in administrative roles | IDENTIFICATION AND AUTHENTICATION |
| 5.2.2.2 | Ensure multifactor authentication is enabled for all users | IDENTIFICATION AND AUTHENTICATION |
| 5.2.2.3 | Enable Conditional Access policies to block legacy authentication | CONFIGURATION MANAGEMENT |
| 5.2.2.4 | Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users | ACCESS CONTROL |
| 5.2.2.8 | Ensure admin center access is limited to administrative roles | ACCESS CONTROL |
| 5.2.3.1 | Ensure Microsoft Authenticator is configured to protect against MFA fatigue | IDENTIFICATION AND AUTHENTICATION |
| 5.2.3.2 | Ensure custom banned passwords lists are used | IDENTIFICATION AND AUTHENTICATION |
| 5.2.3.3 | Ensure password protection is enabled for on-prem Active Directory | IDENTIFICATION AND AUTHENTICATION |
| 5.2.3.4 | Ensure all member users are 'MFA capable' | IDENTIFICATION AND AUTHENTICATION |
| 5.2.4.1 | Ensure 'Self service password reset enabled' is set to 'All' | AWARENESS AND TRAINING |
| 5.2.4.2 | Ensure the self-service password reset activity report is reviewed at least weekly | AUDIT AND ACCOUNTABILITY |
| 6.1.1 | Ensure 'AuditDisabled' organizationally is set to 'False' | AUDIT AND ACCOUNTABILITY |
| 6.1.2 | Ensure mailbox auditing for E3 users is Enabled | AUDIT AND ACCOUNTABILITY |
| 6.1.4 | Ensure 'AuditBypassEnabled' is not enabled on mailboxes | AUDIT AND ACCOUNTABILITY |
| 6.2.1 | Ensure all forms of mail forwarding are blocked and/or disabled | CONFIGURATION MANAGEMENT |
| 6.2.2 | Ensure mail transport rules do not whitelist specific domains | CONFIGURATION MANAGEMENT |
| 6.2.3 | Ensure email from external senders is identified | CONFIGURATION MANAGEMENT |
| 6.4.1 | Ensure mail forwarding rules are reviewed at least weekly | AUDIT AND ACCOUNTABILITY |
| 6.5.1 | Ensure modern authentication for Exchange Online is enabled | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |