CIS Microsoft 365 Foundations E3 L1 v3.1.0

Audit Details

Name: CIS Microsoft 365 Foundations E3 L1 v3.1.0

Updated: 6/24/2024

Authority: CIS

Plugin: microsoft_azure

Revision: 1.0

Estimated Item Count: 75

File Details

Filename: CIS_Microsoft_365_v3.1.0_E3_Level_1.audit

Size: 202 kB

MD5: ef15f047cd6efdb85f3550117e43bfcb
SHA256: 2524f91f1dc4d1e7f50f9e564e349ea9fd2baf0979cdecc9b9b814f4bd87bb7f

Audit Items

DescriptionCategories
1.1.1 Ensure Administrative accounts are separate and cloud-only

ACCESS CONTROL

1.1.2 Ensure two emergency access accounts have been defined

ACCESS CONTROL

1.1.3 Ensure that between two and four global admins are designated

ACCESS CONTROL

1.1.4 Ensure Guest Users are reviewed at least biweekly

ACCESS CONTROL

1.2.2 Ensure sign-in to shared mailboxes is blocked

CONFIGURATION MANAGEMENT

1.3.1 Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)'

IDENTIFICATION AND AUTHENTICATION

1.3.2 Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices

ACCESS CONTROL

1.3.4 Ensure 'User owned apps and services' is restricted

CONFIGURATION MANAGEMENT

1.3.5 Ensure internal phishing protection for Forms is enabled

AWARENESS AND TRAINING, SYSTEM AND INFORMATION INTEGRITY

2.1.2 Ensure the Common Attachment Types Filter is enabled

SYSTEM AND INFORMATION INTEGRITY

2.1.3 Ensure notifications for internal users sending malware is Enabled

INCIDENT RESPONSE

2.1.6 Ensure Exchange Online Spam Policies are set to notify administrators

INCIDENT RESPONSE

2.1.8 Ensure that SPF records are published for all Exchange Domains

SYSTEM AND COMMUNICATIONS PROTECTION

2.1.9 Ensure that DKIM is enabled for all Exchange Online Domains

SYSTEM AND COMMUNICATIONS PROTECTION

2.1.10 Ensure DMARC Records for all Exchange Online domains are published

SYSTEM AND COMMUNICATIONS PROTECTION

2.1.12 Ensure the 'Restricted entities' report is reviewed weekly

AUDIT AND ACCOUNTABILITY

2.1.13 Ensure malware trends are reviewed at least weekly

AUDIT AND ACCOUNTABILITY

2.3.1 Ensure the Account Provisioning Activity report is reviewed at least weekly

AUDIT AND ACCOUNTABILITY

2.3.2 Ensure non-global administrator role group assignments are reviewed at least weekly

AUDIT AND ACCOUNTABILITY

3.1.1 Ensure Microsoft 365 audit log search is Enabled

AUDIT AND ACCOUNTABILITY

3.1.2 Ensure user role group changes are reviewed at least weekly

AUDIT AND ACCOUNTABILITY

3.2.1 Ensure DLP policies are enabled

AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

3.3.1 Ensure SharePoint Online Information Protection policies are set up and used

RISK ASSESSMENT

5.1.1.1 Ensure Security Defaults is disabled on Azure Active Directory

CONFIGURATION MANAGEMENT

5.1.2.1 Ensure 'Per-user MFA' is disabled

IDENTIFICATION AND AUTHENTICATION

5.1.2.3 Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'

ACCESS CONTROL

5.1.2.4 Ensure 'Restrict access to the Azure AD administration portal' is set to 'Yes'

ACCESS CONTROL

5.1.3.1 Ensure a dynamic group for guest users is created

ACCESS CONTROL, MEDIA PROTECTION

5.1.5.1 Ensure the Application Usage report is reviewed at least weekly

AUDIT AND ACCOUNTABILITY

5.1.5.3 Ensure the admin consent workflow is enabled

CONFIGURATION MANAGEMENT

5.1.8.1 Ensure that password hash sync is enabled for hybrid deployments

ACCESS CONTROL

5.2.2.1 Ensure multifactor authentication is enabled for all users in administrative roles

IDENTIFICATION AND AUTHENTICATION

5.2.2.2 Ensure multifactor authentication is enabled for all users

IDENTIFICATION AND AUTHENTICATION

5.2.2.3 Enable Conditional Access policies to block legacy authentication

CONFIGURATION MANAGEMENT

5.2.2.4 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users

ACCESS CONTROL

5.2.2.8 Ensure admin center access is limited to administrative roles

ACCESS CONTROL

5.2.3.1 Ensure Microsoft Authenticator is configured to protect against MFA fatigue

IDENTIFICATION AND AUTHENTICATION

5.2.3.2 Ensure custom banned passwords lists are used

IDENTIFICATION AND AUTHENTICATION

5.2.3.3 Ensure password protection is enabled for on-prem Active Directory

IDENTIFICATION AND AUTHENTICATION

5.2.3.4 Ensure all member users are 'MFA capable'

IDENTIFICATION AND AUTHENTICATION

5.2.4.1 Ensure 'Self service password reset enabled' is set to 'All'

AWARENESS AND TRAINING

5.2.4.2 Ensure the self-service password reset activity report is reviewed at least weekly

AUDIT AND ACCOUNTABILITY

6.1.1 Ensure 'AuditDisabled' organizationally is set to 'False'

AUDIT AND ACCOUNTABILITY

6.1.2 Ensure mailbox auditing for E3 users is Enabled

AUDIT AND ACCOUNTABILITY

6.1.4 Ensure 'AuditBypassEnabled' is not enabled on mailboxes

AUDIT AND ACCOUNTABILITY

6.2.1 Ensure all forms of mail forwarding are blocked and/or disabled

CONFIGURATION MANAGEMENT

6.2.2 Ensure mail transport rules do not whitelist specific domains

CONFIGURATION MANAGEMENT

6.2.3 Ensure email from external senders is identified

CONFIGURATION MANAGEMENT

6.4.1 Ensure mail forwarding rules are reviewed at least weekly

AUDIT AND ACCOUNTABILITY

6.5.1 Ensure modern authentication for Exchange Online is enabled

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION