The Center for Internet Security's (CIS) Microsoft 365 Foundations Benchmark, developed by CIS in partnership with Microsoft, provides prescriptive guidance for establishing a secure baseline configuration for Microsoft 365. CIS is a nonprofit entity focused on developing global standards and recognized best practices for securing IT systems and data against the most pervasive attacks.
The CIS Microsoft 365 Foundations Benchmark is designed to help organizations establish a foundational level of security when adopting Microsoft 365. The benchmark should not be considered an exhaustive list of all possible security configurations and architectures, but a starting point. Each organization must still evaluate its specific situation, workloads, and compliance requirements and tailor its environment accordingly.
The CIS benchmark contains two levels, each with slightly different technical specifications:
- Level 1—Recommended minimum security settings that should be configured on any system and should cause little or no interruption of service or reduced functionality.
- Level 2—Recommended security settings for highly secure environments that could result in some reduced functionality.
The CIS Microsoft 365 Security Benchmark is divided into the following sections:
| Section | Description | # of recommended controls |
| --- | --- | --- |
| Account/Authentication policies | Recommendations related to setting the appropriate account and authentication policies. | 8 |
| Application permissions | Recommendations related to the configuration of application permissions within Microsoft 365. | 4 |
| Data management | Recommendations for setting data management policies. | 6 |
| Email security/Exchange Online | Recommendations related to the configuration of Exchange Online and email security. | 13 |
| Auditing policies | Recommendations for setting auditing policies on your Microsoft 365 tenant. | 14 |
| Storage policies | Recommendations for securely configuring storage policies. | 2 |
| Mobile device management | Recommendations for managing devices connecting to Microsoft 365. | 13 |
| Total recommendations | | 60 |
The CIS Microsoft 365 Security Benchmark is freely available for download in PDF format on the CIS website.
This guide was tested against Microsoft 365 and includes recommendations for Exchange Online, SharePoint Online, OneDrive for Business, Skype/Teams, Azure Active Directory, and Intune.