The CIS Microsoft 365 Foundations Benchmark and Best Practices

The Center for Internet Security's (CIS) Microsoft 365 Foundations Benchmark, developed by CIS in partnership with Microsoft, provides prescriptive guidance for establishing a secure baseline configuration for Microsoft 365. CIS is a nonprofit entity focused on developing global standards and recognized best practices for securing IT systems and data against the most pervasive attacks.

The CIS Microsoft 365 Foundations Benchmark is designed to help any organization adopting Microsoft 365 establish a foundational level of security. The benchmark should not be treated as an exhaustive list of all possible security configurations and architectures, but as a starting point. Each organization must still evaluate its specific situation, workloads, and compliance requirements and tailor its environment accordingly.

The CIS benchmark defines two profile levels, each with slightly different technical specifications:

  • Level 1: recommended minimum security settings that should be configured on any system; they should cause little or no interruption of service or reduced functionality.
  • Level 2: recommended security settings for highly secure environments; they may result in some reduced functionality.

The CIS Microsoft 365 Foundations Benchmark is divided into the following sections. The benchmark lists the number of recommended controls in each section along with a total.

  • Account/Authentication policies: recommendations related to setting the appropriate account and authentication policies.
  • Application permissions: recommendations related to the configuration of application permissions within Microsoft 365.
  • Data management: recommendations for setting data management policies.
  • Email security/Exchange Online: recommendations related to the configuration of Exchange Online and email security.
  • Auditing policies: recommendations for setting auditing policies on your Microsoft 365 tenant.
  • Storage policies: recommendations for securely configuring storage policies.
  • Mobile device management: recommendations for managing devices connecting to Microsoft 365.


The CIS Microsoft 365 Foundations Benchmark is freely available for download in PDF format on the CIS website.

The benchmark was tested against Microsoft 365 and includes recommendations for Exchange Online, SharePoint Online, OneDrive for Business, Skype/Teams, Azure Active Directory, and Intune.
