Measure Your Microsoft O365 Security Benchmarks

Pallavi Varanasi, Cloud Security Expert - CloudCodes Software
November 30th, 2020

In terms of security, it is always important to safeguard the company’s data and to measure how well it is protected, and having the necessary tools is crucial. The Center for Internet Security (CIS) provides free security benchmarks (in PDF form) for various platforms such as Windows Desktop, Windows Server, Linux, and cloud providers. In a recent announcement, CIS partnered with Microsoft to release the Microsoft O365 Security Benchmarks, which allow an organization to institute a secure configuration posture on any operating system running Microsoft Office 365. The benchmark has seven sections with about 60 recommendations.

Microsoft O365 Security Benchmarks:

1. Account/Authentication Policies 

These are the recommendations concerning the execution of suitable account and authentication policies. These policies ensure: 

  • Multi-factor authentication for:
      • Every user in an administrative role
      • Every user in any role
  • Designation of between 2 and 4 global admins
  • Enabling of self-service password reset
  • Enabling of modern authentication for Exchange Online, SharePoint applications, and Skype for Business Online
  • Passwords should not expire
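
To show how these account and authentication recommendations can be measured, here is an added Python example (not part of the CIS benchmark or of any CloudCodes product) that audits a tenant export against them. The export layout, field names and sample users are constructed assumptions, not a Microsoft schema.

```python
# Constructed sample data: field names are assumptions for this example only.
SAMPLE_USERS = [
    {"upn": "alice@example.com", "roles": ["Global Administrator"],
     "mfa": True, "password_never_expires": True},
    {"upn": "bob@example.com", "roles": ["Exchange Administrator"],
     "mfa": False, "password_never_expires": True},
    {"upn": "carol@example.com", "roles": [],
     "mfa": False, "password_never_expires": True},
    {"upn": "dave@example.com", "roles": [],
     "mfa": True, "password_never_expires": False},
]
SAMPLE_TENANT = {
    "sspr_enabled": True,
    "modern_auth": {"exchange_online": True, "sharepoint": True,
                    "skype_for_business": False},
}


def audit_account_policies(users, tenant):
    """Return (check, detail) findings for the section 1 recommendations."""
    findings = []
    # Between 2 and 4 global admins should be designated.
    n_global = sum("Global Administrator" in u["roles"] for u in users)
    if not 2 <= n_global <= 4:
        findings.append(("global-admin-count",
                         f"{n_global} global admins designated, expected 2 to 4"))
    for u in users:
        # MFA gaps on admin roles are reported separately from ordinary users,
        # mirroring the two MFA recommendations in the list above.
        if not u["mfa"]:
            findings.append(("mfa-admin" if u["roles"] else "mfa-user", u["upn"]))
        # The benchmark recommends that passwords are set not to expire.
        if not u["password_never_expires"]:
            findings.append(("password-expiry", u["upn"]))
    if not tenant["sspr_enabled"]:
        findings.append(("sspr", "self-service password reset disabled"))
    # Modern authentication must be on for each listed service.
    for service, enabled in tenant["modern_auth"].items():
        if not enabled:
            findings.append(("modern-auth", service))
    return findings


if __name__ == "__main__":
    for check, detail in audit_account_policies(SAMPLE_USERS, SAMPLE_TENANT):
        print(f"FAIL {check}: {detail}")
```
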

2. Application Permissions within Microsoft 365 

These recommendations of the Microsoft Security Baseline ensure the following:

  • O365 ATP Safe Links for Office applications is enabled
  • Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams is enabled
  • Integrated third-party applications are disallowed
  • Sharing of calendar details with external users is disabled

3. Data Management Policies 

These ensure that the following are in place:

  • Customer lockbox 
  • DLP policies 
  • External file sharing in Teams only for the authorized cloud storage services 
  • Disallowing external domains in Teams or Skype
  • Establishment and execution of SharePoint Online data classification policies 

4. Email security/Exchange Online 

Microsoft Office Benchmarks ensure that the following configurations are enabled: 

  • Common Attachment Types Filter 
  • Client Rules Forwarding Block 
  • Advanced Threat Protection Safe Links policy
  • Advanced Threat Protection Safe Attachments policy
  • Notifications when in-house employees send malware

5. Auditing Policies 

  • Audit log Azure AD ‘Risky sign-ins’ report
  • Microsoft Cloud App Security Self-service password reset activity report
  • User role group changes 
  • Mail forwarding rules 

6. Storage Policies 

These CIS Microsoft 365 Benchmark recommendations concern the secure configuration of storage policies. They ensure that an expiration time is set for links shared externally and that document sharing is controlled by domain, using a whitelist or blacklist.

7. Mobile Device Management 

These recommendations of the Microsoft O365 Security Benchmarks are related to the management of devices connected to Microsoft 365. These ensure the following features: 

  • Innovative security configurations are present to provide security from basic internet attacks 
  • Password reuse on mobile devices is not permitted
  • Rooted or jailbroken devices are not allowed to connect
  • Antivirus and a local firewall are enabled on devices that are connecting (Windows 10)
  • Mobile device encryption is active 


As your cloud security partner, the CloudCodes CASB solution can help your organization execute, measure, and ensure the above-mentioned Microsoft O365 Security Benchmarks, and can also help you improve your organization’s cloud security.