Netskope

Office 365 Predefined Rules



🔍
Name Description Service Rule
All users should be registered and signed up for MFA Multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. SecureScore should have atleast one controlScores with [controlName eq "MFARegistrationV2" and scoreInPercentage eq 100 ]
Ensure at least one anti-phishing policy exists Ensure that at least one anti-phishing policy exists. Azure Active Directory
O365 should have AntiPhishPolicies len() gt 0
Ensure an authentication policy exists Ensure an authentication policy exists. O365 should have AuthenticationPolicies len() gt 0
Ensure automatic forwarding options are disabled Disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web. In the event that an attacker gains control of an end-user account they could create rules to exfiltrate data from your environment. RemoteDomain should have AutoForwardEnabled eq false
Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. Azure Active Directory
O365Tenant should have unreviewedRiskEventsExist eq false
Enable Azure AD Identity Protection sign-in risk policies Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. Azure Active Directory
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ]
Enable Azure AD Identity Protection user risk policies Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. Azure Active Directory
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ]
Ensure basic authentication for Exchange Online is disabled Ensure basic authentication for Exchange Online is disabled. Azure Active Directory
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false
Enable Conditional Access policies to block legacy authentication Enable Conditional Access policies to block legacy authentication. Azure Active Directory
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1]
Block OneDrive for Business sync from unmanaged devices Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true
Ensure that sharing full calendar details with external users is disabled Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ]
Ensure that client-side rules that automatically forward email to external domains are blocked Block client-side rules that automatically forward email to external domains. The use of client-side forwarding rules to exfiltrate data to external recipients is an increasingly used vector for data exfiltration by bad actors. O365 should have atleast one TransportRules with [ State eq "Enabled" and Priority eq 0 and SentToScope eq "NotInOrganization" and FromScope eq "InOrganization" and MessageTypeMatches eq "AutoForward" and RejectMessageEnhancedStatusCode eq "5.7.1" ]
Ensure DKIM is enabled for all Exchange Online Domains DKIM lets you add a digital signature to outbound email messages in the message header. This signature is used to verify that the messages are really coming from you and not coming from someone spoofing your domain. Azure Active Directory
DkimSigningConfig should have Enabled eq true
Ensure a DomainKeys Identified Mail (DKIM) signing policy exists Ensure a DomainKeys Identified Mail (DKIM) signing policy exists. O365 should have DkimSigningConfig len() gt 0
Ensure DMARC Records for all Exchange Online domains are published Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. When you use DMARC, the receiving server performs a check against the From address. Azure Active Directory
AcceptedDomain should have DMARCRecordPublished eq true
Do not allow users to grant consent to unmanaged applications Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. SecureScore should have atleast one controlScores with [controlName eq "IntegratedApps" and scoreInPercentage eq 100 ]
Ensure document sharing is controlled by domains with sharing restrictions configured Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. SharepointTenant should have sharingDomainRestrictionMode neq 0
Ensure audit log search is enabled Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. Azure Active Directory
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true
Ensure the Common Attachment Types Filter is enabled Ensure the Common Attachment Types Filter is enabled. Azure Active Directory
MalwareFilterPolicy should have EnableFileFilter eq true
Ensure mailbox auditing for all users is enabled By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. Azure Active Directory
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true
Ensure expiration time for external sharing links is set Restrict the length of time that anonymous access links are valid. Azure Active Directory
SharepointTenant should have requireAnonymousLinksExpireInDays > 0
Ensure that external users cannot share files, folders, and sites they do not own SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. SharepointTenant should have preventExternalUsersFromResharing eq true
Ensure that Facebook contact synchronization is disabled Disable integration with Facebook as a measure to help prevent phishing scams. OwaMailboxPolicy should have FacebookEnabled eq false
Ensure that LinkedIn contact synchronization is disabled Disable integration with LinkedIn as a measure to help prevent phishing scams. OwaMailboxPolicy should have LinkedInEnabled eq false
Ensure mail transport rules do not forward email to external domains Ensure mail transport rules do not forward email to external domains. Azure Active Directory
O365Tenant should not have AnyMailTransportRuleRedirectMessageToExternalDomain eq True
Ensure mail transport rules do not whitelist specific domains Ensure mail transport rules do not whitelist specific domains. Azure Active Directory
TransportRule should not have SetScl = -1 and SenderDomainIs len() > 0
Ensure MailTips are enabled for end users MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0
Ensure a malware filter policy exists Ensure a malware filter policy exists. O365 should have MalwareFilterPolicies len() gt 0
Ensure multi-factor authentication is enabled for all users in administrative roles Ensure multi-factor authentication is enabled for all users in administrative roles Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") ]
Ensure multi-factor authentication is enabled for all users in all roles Ensure multi-factor authentication is enabled for all users in all roles. Azure Active Directory
O365 should have O365Tenant len() gt 0 and any ConditionalAccessPolicies with [ conditions.users has ("all") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") ]
Mobile devices passwords should be at least 6 characters Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ]
Ensure that mobile devices require complex passwords (Type = Alphanumeric) Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"]
Ensure that mobile device encryption is enabled Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true]
Ensure that users cannot connect from jailbroken or rooted devices Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ]
Lock mobile devices after a period of inactivity Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 and passwordRequireWhenResumeFromIdleState eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinutesOfInactivityBeforeScreenTimeout eq 5 ]
Ensure mobile device management polices are set to require advanced security configurations Configure your mobile device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. Azure Active Directory
O365 should have atleast one O365Domain with [ supportedServices has("Intune") ]
Ensure mobile device management policies are required for email profiles Configure your mobile device management policies to require the policy to manage the email profile of the user. If you do not require this, users will be able to setup and configure email accounts without the protections of the mobile device management policy, leading to potential breaches of accounts and data. O365 should have atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and managedEmailProfileRequired eq true ]
Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) Require your users to use a complex password to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true]
Ensure that mobile device passwords never expire Ensure that user passwords on mobile devices never expire. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeExpirationDays eq -1 ]
Ensure mobile devices require the use of a password Require your users to use a password to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true]
Ensure that mobile device password reuse is prohibited Do not allow your users to reuse the same password on their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordPreviousPasswordBlockCount eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodePreviousPasscodeBlockCount eq 5 ]
Ensure mobile devices are set to wipe on multiple sign-in failures Require mobile devices to wipe on multiple sign-in failures to prevent brute force compromise. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device. O365 should have atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeSignInFailureCountBeforeWipe lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ]
Ensure modern authentication for Exchange Online is enabled Ensure modern authentication for Exchange Online is enabled. Exchange
OrganizationConfig should have OAuth2ClientProfileEnabled eq true
Notify the administrator when internal users send malware Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. Azure Active Directory
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true
Ensure that OAuth 2.0 permission grants to third-party apps do not give permission to modify app role assignments. OAuth 2.0 permission grants enable a third-party connected app to access data based on the permissions granted. Do not grant third-party apps the ability to modify app role assignments. This would enable the third-party app to give users or apps access to resources that they should not have access to. OAuth2PermissionGrant should not have scope like "AppRoleAssignment.ReadWrite.All"
Ensure that Office 365 SharePoint infected files cannot be downloaded Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. SharepointTenant should have disallowInfectedFileDownload eq true
Ensure external storage providers available in Outlook on the Web are restricted Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false
Ensure an Outlook on the web mailbox policy exists Ensure an Outlook on the web mailbox policy exists. O365 should have OwaMailboxPolicies len() gt 0
Ensure that password hash sync is enabled for resiliency and leaked credential detection Ensure that password hash sync is enabled for resiliency and leaked credential detection. Microsoft 365 security
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ]
Ensure that Office 365 passwords are not set to expire Ensure that Office 365 passwords are not set to expire. Azure Active Directory
SecureScore should have atleast one controlScores with [ controlName eq "PWAgePolicyNew" and scoreInPercentage eq 100 and IsApplicable eq true ]
Ensure modern authentication for SharePoint applications is required Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. SharepointTenant should have legacyAuthProtocolsEnabled eq false
Ensure SPF records are published for all Exchange domains Ensure that Sender Policy Framework (SPF) records are published for all Exchange domains. Using SPF helps to validate outbound email sent from your custom domain by determining whether or not a sender is permitted to send on behalf of a domain. Azure Active Directory
AcceptedDomain should have spfRecordPublished eq true
Ensure a transport rule exists Ensure a transport rule exists. O365 should have TransportRules len() gt 0
Use limited administrative roles Limited administrators are users who have more privileges than standard users, but not as many privileges as global admins. Leveraging limited administrator roles to perform required administrative work reduces the number of high value, high impact global admin role holders you have. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached. SecureScore should have atleast one controlScores with [controlName eq "RoleOverlap" and scoreInPercentage eq 100 ]
Ensure that users do not have the default strong password policy disabled. In Azure, users by default have a strong password policy enabled. However, admin users are able to disable the default strong password policy for individual users. This functionality should not be used and all individual users' password policies should require a strong password. User should not have passwordPolicies like "DisableStrongPassword"
Ensure that users cannot install Outlook add-ins Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ]
Name Description Service Rule
Ensure at least one anti-phishing policy exists Ensure that at least one anti-phishing policy exists. Azure Active Directory
O365 should have AntiPhishPolicies len() gt 0
Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. Azure Active Directory
O365Tenant should have unreviewedRiskEventsExist eq false
Enable Azure AD Identity Protection sign-in risk policies Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. Azure Active Directory
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ]
Enable Azure AD Identity Protection user risk policies Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. Azure Active Directory
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ]
Ensure basic authentication for Exchange Online is disabled Ensure basic authentication for Exchange Online is disabled. Azure Active Directory
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false
Enable Conditional Access policies to block legacy authentication Enable Conditional Access policies to block legacy authentication. Azure Active Directory
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1]
Ensure DKIM is enabled for all Exchange Online Domains DKIM lets you add a digital signature to outbound email messages in the message header. This signature is used to verify that the messages are really coming from you and not coming from someone spoofing your domain. Azure Active Directory
DkimSigningConfig should have Enabled eq true
Ensure DMARC Records for all Exchange Online domains are published Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. When you use DMARC, the receiving server performs a check against the From address. Azure Active Directory
AcceptedDomain should have DMARCRecordPublished eq true
Ensure audit log search is enabled Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. Azure Active Directory
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true
Ensure the Common Attachment Types Filter is enabled Ensure the Common Attachment Types Filter is enabled. Azure Active Directory
MalwareFilterPolicy should have EnableFileFilter eq true
Ensure mailbox auditing for all users is enabled By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. Azure Active Directory
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true
Ensure Exchange Online outbound spam filter policies are properly configured Ensure the Exchange Online outbound spam filter policy is properly configured. Set your Exchange Online Spam Policies to copy emails and notify someone when a sender in your tenant has been blocked for sending spam emails. Azure Active Directory
HostedOutboundSpamFilterPolicy should have NotifyOutboundSpam eq true and BccSuspiciousOutboundMail eq true and Identity eq "Default" and Enabled eq true
Ensure expiration time for external sharing links is set Restrict the length of time that anonymous access links are valid. Azure Active Directory
SharepointTenant should have requireAnonymousLinksExpireInDays > 0
Ensure mail transport rules do not forward email to external domains Ensure mail transport rules do not forward email to external domains. Azure Active Directory
O365Tenant should not have AnyMailTransportRuleRedirectMessageToExternalDomain eq True
Ensure mail transport rules do not whitelist specific domains Ensure mail transport rules do not whitelist specific domains. Azure Active Directory
TransportRule should not have SetScl = -1 and SenderDomainIs len() > 0
Ensure multi-factor authentication is enabled for all users in administrative roles Ensure multi-factor authentication is enabled for all users in administrative roles Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") ]
Ensure multi-factor authentication is enabled for all users in all roles Ensure multi-factor authentication is enabled for all users in all roles. Azure Active Directory
O365 should have O365Tenant len() gt 0 and any ConditionalAccessPolicies with [ conditions.users has ("all") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") ]
Mobile devices passwords should be at least 6 characters Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ]
Ensure that mobile devices require complex passwords (Type = Alphanumeric) Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"]
Ensure that mobile device encryption is enabled Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true]
Ensure that users cannot connect from jailbroken or rooted devices Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ]
Lock mobile devices after a period of inactivity Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 and passwordRequireWhenResumeFromIdleState eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinutesOfInactivityBeforeScreenTimeout eq 5 ]
Ensure mobile device management polices are set to require advanced security configurations Configure your mobile device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. Azure Active Directory
O365 should have atleast one O365Domain with [ supportedServices has("Intune") ]
Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) Require your users to use a complex password to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true]
Ensure that mobile device passwords never expire Ensure that user passwords on mobile devices never expire. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeExpirationDays eq -1 ]
Ensure mobile devices require the use of a password Require your users to use a password to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true]
Ensure that mobile device password reuse is prohibited Do not allow your users to reuse the same password on their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordPreviousPasswordBlockCount eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodePreviousPasscodeBlockCount eq 5 ]
Ensure modern authentication for Exchange Online is enabled Ensure modern authentication for Exchange Online is enabled. Exchange
OrganizationConfig should have OAuth2ClientProfileEnabled eq true
Notify the administrator when internal users send malware Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. Azure Active Directory
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true
Ensure that password hash sync is enabled for resiliency and leaked credential detection Ensure that password hash sync is enabled for resiliency and leaked credential detection. Microsoft 365 security
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ]
Ensure that Office 365 passwords are not set to expire Ensure that Office 365 passwords are not set to expire. Azure Active Directory
SecureScore should have atleast one controlScores with [ controlName eq "PWAgePolicyNew" and scoreInPercentage eq 100 and IsApplicable eq true ]
Ensure self-service password reset is enabled Ensure self-service password reset is enabled. Microsoft 365 security
SecureScore should have atleast one controlScores with [ controlName eq "SelfServicePasswordReset" and scoreInPercentage eq 100]
Ensure SPF records are published for all Exchange domains Ensure that Sender Policy Framework (SPF) records are published for all Exchange domains. Using SPF helps to validate outbound email sent from your custom domain by determining whether or not a sender is permitted to send on behalf of a domain. Azure Active Directory
AcceptedDomain should have spfRecordPublished eq true
Ensure that between two and four global admins are designated Ensure that between two and four global admins are designated. Azure Active Directory
O365Tenant should have globalAdminUserCount >= 2 and globalAdminUserCount <= 4
Ensure automatic forwarding options are disabled Disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web. In the event that an attacker gains control of an end-user account they could create rules to exfiltrate data from your environment. RemoteDomain should have AutoForwardEnabled eq false
Block OneDrive for Business sync from unmanaged devices Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true
Ensure that sharing full calendar details with external users is disabled Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ]
Ensure that client-side rules that automatically forward email to external domains are blocked Block client-side rules that automatically forward email to external domains. The use of client-side forwarding rules to exfiltrate data to external recipients is an increasingly used vector for data exfiltration by bad actors. O365 should have atleast one TransportRules with [ State eq "Enabled" and Priority eq 0 and SentToScope eq "NotInOrganization" and FromScope eq "InOrganization" and MessageTypeMatches eq "AutoForward" and RejectMessageEnhancedStatusCode eq "5.7.1" ]
Ensure document sharing is controlled by domains with sharing restrictions configured Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. SharepointTenant should have sharingDomainRestrictionMode neq 0
Ensure that external users cannot share files, folders, and sites they do not own SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. SharepointTenant should have preventExternalUsersFromResharing eq true
Ensure that Facebook contact synchronization is disabled Disable integration with Facebook as a measure to help prevent phishing scams. OwaMailboxPolicy should have FacebookEnabled eq false
Ensure that LinkedIn contact synchronization is disabled Disable integration with LinkedIn as a measure to help prevent phishing scams. OwaMailboxPolicy should have LinkedInEnabled eq false
Ensure MailTips are enabled for end users MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0
Ensure mobile device management policies are required for email profiles Configure your mobile device management policies to require the policy to manage the email profile of the user. If you do not require this, users will be able to setup and configure email accounts without the protections of the mobile device management policy, leading to potential breaches of accounts and data. O365 should have atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and managedEmailProfileRequired eq true ]
Ensure mobile devices are set to wipe on multiple sign-in failures Require mobile devices to wipe on multiple sign-in failures to prevent brute force compromise. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device. O365 should have atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeSignInFailureCountBeforeWipe lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ]
Ensure that Office 365 SharePoint infected files cannot be downloaded Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. SharepointTenant should have disallowInfectedFileDownload eq true
Ensure external storage providers available in Outlook on the Web are restricted Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false
Ensure modern authentication for SharePoint applications is required Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. SharepointTenant should have legacyAuthProtocolsEnabled eq false
Ensure that users cannot install Outlook add-ins Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ]
Name Description Service Rule
All users should be registered and signed up for MFA Multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. SecureScore should have atleast one controlScores with [controlName eq "MFARegistrationV2" and scoreInPercentage eq 100 ]
Ensure at least one anti-phishing policy exists Ensure that at least one anti-phishing policy exists. Azure Active Directory
O365 should have AntiPhishPolicies len() gt 0
Ensure an authentication policy exists Ensure an authentication policy exists. O365 should have AuthenticationPolicies len() gt 0
Ensure automatic forwarding options are disabled Disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web. In the event that an attacker gains control of an end-user account they could create rules to exfiltrate data from your environment. RemoteDomain should have AutoForwardEnabled eq false
Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. Azure Active Directory
O365Tenant should have unreviewedRiskEventsExist eq false
Enable Azure AD Identity Protection sign-in risk policies Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. Azure Active Directory
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ]
Enable Azure AD Identity Protection user risk policies Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. Azure Active Directory
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ]
Ensure basic authentication for Exchange Online is disabled Ensure basic authentication for Exchange Online is disabled. Azure Active Directory
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false
Enable Conditional Access policies to block legacy authentication Enable Conditional Access policies to block legacy authentication. Azure Active Directory
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1]
Block OneDrive for Business sync from unmanaged devices Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true
Ensure that sharing full calendar details with external users is disabled Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ]
Ensure that client-side rules that automatically forward email to external domains are blocked Block client-side rules that automatically forward email to external domains. The use of client-side forwarding rules to exfiltrate data to external recipients is an increasingly used vector for data exfiltration by bad actors. O365 should have atleast one TransportRules with [ State eq "Enabled" and Priority eq 0 and SentToScope eq "NotInOrganization" and FromScope eq "InOrganization" and MessageTypeMatches eq "AutoForward" and RejectMessageEnhancedStatusCode eq "5.7.1" ]
Ensure DKIM is enabled for all Exchange Online Domains DKIM lets you add a digital signature to outbound email messages in the message header. This signature is used to verify that the messages are really coming from you and not coming from someone spoofing your domain. Azure Active Directory
DkimSigningConfig should have Enabled eq true
Ensure a DomainKeys Identified Mail (DKIM) signing policy exists Ensure a DomainKeys Identified Mail (DKIM) signing policy exists. O365 should have DkimSigningConfig len() gt 0
Ensure DMARC Records for all Exchange Online domains are published Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. When you use DMARC, the receiving server performs a check against the From address. Azure Active Directory
AcceptedDomain should have DMARCRecordPublished eq true
Do not allow users to grant consent to unmanaged applications Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. SecureScore should have atleast one controlScores with [controlName eq "IntegratedApps" and scoreInPercentage eq 100 ]
Ensure document sharing is controlled by domains with sharing restrictions configured Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. SharepointTenant should have sharingDomainRestrictionMode neq 0
Ensure audit log search is enabled Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. Azure Active Directory
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true
Ensure the Common Attachment Types Filter is enabled Ensure the Common Attachment Types Filter is enabled. Azure Active Directory
MalwareFilterPolicy should have EnableFileFilter eq true
Ensure mailbox auditing for all users is enabled By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. Azure Active Directory
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true
Ensure expiration time for external sharing links is set Restrict the length of time that anonymous access links are valid. Azure Active Directory
SharepointTenant should have requireAnonymousLinksExpireInDays > 0
Ensure that external users cannot share files, folders, and sites they do not own SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. SharepointTenant should have preventExternalUsersFromResharing eq true
Ensure mail transport rules do not forward email to external domains Ensure mail transport rules do not forward email to external domains. Azure Active Directory
O365Tenant should not have AnyMailTransportRuleRedirectMessageToExternalDomain eq True
Ensure mail transport rules do not whitelist specific domains Ensure mail transport rules do not whitelist specific domains. Azure Active Directory
TransportRule should not have SetScl = -1 and SenderDomainIs len() > 0
Ensure MailTips are enabled for end users MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0
Ensure a malware filter policy exists Ensure a malware filter policy exists. O365 should have MalwareFilterPolicies len() gt 0
Ensure multi-factor authentication is enabled for all users in administrative roles Ensure multi-factor authentication is enabled for all users in administrative roles Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") ]
Ensure multi-factor authentication is enabled for all users in all roles Ensure multi-factor authentication is enabled for all users in all roles. Azure Active Directory
O365 should have O365Tenant len() gt 0 and any ConditionalAccessPolicies with [ conditions.users has ("all") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") ]
Mobile devices passwords should be at least 6 characters Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ]
Ensure that mobile devices require complex passwords (Type = Alphanumeric) Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"]
Ensure that mobile device encryption is enabled Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true]
Ensure that users cannot connect from jailbroken or rooted devices Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ]
Lock mobile devices after a period of inactivity Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 and passwordRequireWhenResumeFromIdleState eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinutesOfInactivityBeforeScreenTimeout eq 5 ]
Ensure mobile device management polices are set to require advanced security configurations Configure your mobile device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. Azure Active Directory
O365 should have atleast one O365Domain with [ supportedServices has("Intune") ]
Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) Require your users to use a complex password to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true]
Ensure that mobile device passwords never expire Ensure that user passwords on mobile devices never expire. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeExpirationDays eq -1 ]
Ensure mobile devices require the use of a password Require your users to use a password to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true]
Ensure that mobile device password reuse is prohibited Do not allow your users to reuse the same password on their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordPreviousPasswordBlockCount eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodePreviousPasscodeBlockCount eq 5 ]
Ensure modern authentication for Exchange Online is enabled Ensure modern authentication for Exchange Online is enabled. Exchange
OrganizationConfig should have OAuth2ClientProfileEnabled eq true
Notify the administrator when internal users send malware Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. Azure Active Directory
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true
Ensure that OAuth 2.0 permission grants to third-party apps do not give permission to modify app role assignments. OAuth 2.0 permission grants enable a third-party connected app to access data based on the permissions granted. Do not grant third-party apps the ability to modify app role assignments. This would enable the third-party app to give users or apps access to resources that they should not have access to. OAuth2PermissionGrant should not have scope like "AppRoleAssignment.ReadWrite.All"
Ensure that Office 365 SharePoint infected files cannot be downloaded Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. SharepointTenant should have disallowInfectedFileDownload eq true
Ensure external storage providers available in Outlook on the Web are restricted Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false
Ensure that password hash sync is enabled for resiliency and leaked credential detection Ensure that password hash sync is enabled for resiliency and leaked credential detection. Microsoft 365 security
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ]
Ensure that Office 365 passwords are not set to expire Ensure that Office 365 passwords are not set to expire. Azure Active Directory
SecureScore should have atleast one controlScores with [ controlName eq "PWAgePolicyNew" and scoreInPercentage eq 100 and IsApplicable eq true ]
Ensure modern authentication for SharePoint applications is required Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. SharepointTenant should have legacyAuthProtocolsEnabled eq false
Ensure SPF records are published for all Exchange domains Ensure that Sender Policy Framework (SPF) records are published for all Exchange domains. Using SPF helps to validate outbound email sent from your custom domain by determining whether or not a sender is permitted to send on behalf of a domain. Azure Active Directory
AcceptedDomain should have spfRecordPublished eq true
Ensure a transport rule exists Ensure a transport rule exists. O365 should have TransportRules len() gt 0
Use limited administrative roles Limited administrators are users who have more privileges than standard users, but not as many privileges as global admins. Leveraging limited administrator roles to perform required administrative work reduces the number of high value, high impact global admin role holders you have. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached. SecureScore should have atleast one controlScores with [controlName eq "RoleOverlap" and scoreInPercentage eq 100 ]
Ensure that users do not have the default strong password policy disabled. In Azure, users by default have a strong password policy enabled. However, admin users are able to disable the default strong password policy for individual users. This functionality should not be used and all individual users' password policies should require a strong password. User should not have passwordPolicies like "DisableStrongPassword"
Ensure that users cannot install Outlook add-ins Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ]
Name Description Service Rule
All users should be registered and signed up for MFA Multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. SecureScore should have atleast one controlScores with [controlName eq "MFARegistrationV2" and scoreInPercentage eq 100 ]
Ensure at least one anti-phishing policy exists Ensure that at least one anti-phishing policy exists. Azure Active Directory
O365 should have AntiPhishPolicies len() gt 0
Ensure an authentication policy exists Ensure an authentication policy exists. O365 should have AuthenticationPolicies len() gt 0
Ensure automatic forwarding options are disabled Disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web. In the event that an attacker gains control of an end-user account they could create rules to exfiltrate data from your environment. RemoteDomain should have AutoForwardEnabled eq false
Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. Azure Active Directory
O365Tenant should have unreviewedRiskEventsExist eq false
Enable Azure AD Identity Protection sign-in risk policies Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. Azure Active Directory
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ]
Enable Azure AD Identity Protection user risk policies Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. Azure Active Directory
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ]
Ensure basic authentication for Exchange Online is disabled Ensure basic authentication for Exchange Online is disabled. Azure Active Directory
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false
Enable Conditional Access policies to block legacy authentication Enable Conditional Access policies to block legacy authentication. Azure Active Directory
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1]
Block OneDrive for Business sync from unmanaged devices Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true
Ensure that sharing full calendar details with external users is disabled Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ]
Ensure that client-side rules that automatically forward email to external domains are blocked Block client-side rules that automatically forward email to external domains. The use of client-side forwarding rules to exfiltrate data to external recipients is an increasingly used vector for data exfiltration by bad actors. O365 should have atleast one TransportRules with [ State eq "Enabled" and Priority eq 0 and SentToScope eq "NotInOrganization" and FromScope eq "InOrganization" and MessageTypeMatches eq "AutoForward" and RejectMessageEnhancedStatusCode eq "5.7.1" ]
Do not allow users to grant consent to unmanaged applications Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. SecureScore should have atleast one controlScores with [controlName eq "IntegratedApps" and scoreInPercentage eq 100 ]
Ensure document sharing is controlled by domains with sharing restrictions configured Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. SharepointTenant should have sharingDomainRestrictionMode neq 0
Ensure audit log search is enabled Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. Azure Active Directory
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true
Ensure the Common Attachment Types Filter is enabled Ensure the Common Attachment Types Filter is enabled. Azure Active Directory
MalwareFilterPolicy should have EnableFileFilter eq true
Ensure mailbox auditing for all users is enabled By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. Azure Active Directory
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true
Ensure expiration time for external sharing links is set Restrict the length of time that anonymous access links are valid. Azure Active Directory
SharepointTenant should have requireAnonymousLinksExpireInDays > 0
Ensure that external users cannot share files, folders, and sites they do not own SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. SharepointTenant should have preventExternalUsersFromResharing eq true
Ensure that Facebook contact synchronization is disabled Disable integration with Facebook as a measure to help prevent phishing scams. OwaMailboxPolicy should have FacebookEnabled eq false
Ensure that LinkedIn contact synchronization is disabled Disable integration with LinkedIn as a measure to help prevent phishing scams. OwaMailboxPolicy should have LinkedInEnabled eq false
Ensure mail transport rules do not forward email to external domains Ensure mail transport rules do not forward email to external domains. Azure Active Directory
O365Tenant should not have AnyMailTransportRuleRedirectMessageToExternalDomain eq True
Ensure mail transport rules do not whitelist specific domains Ensure mail transport rules do not whitelist specific domains. Azure Active Directory
TransportRule should not have SetScl = -1 and SenderDomainIs len() > 0
Ensure MailTips are enabled for end users MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0
Ensure a malware filter policy exists Ensure a malware filter policy exists. O365 should have MalwareFilterPolicies len() gt 0
Ensure multi-factor authentication is enabled for all users in administrative roles Ensure multi-factor authentication is enabled for all users in administrative roles Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") ]
Ensure multi-factor authentication is enabled for all users in all roles Ensure multi-factor authentication is enabled for all users in all roles. Azure Active Directory
O365 should have O365Tenant len() gt 0 and any ConditionalAccessPolicies with [ conditions.users has ("all") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") ]
Mobile devices passwords should be at least 6 characters Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ]
Ensure that mobile devices require complex passwords (Type = Alphanumeric) Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"]
Ensure that mobile device encryption is enabled Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true]
Ensure that users cannot connect from jailbroken or rooted devices Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ]
Lock mobile devices after a period of inactivity Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 and passwordRequireWhenResumeFromIdleState eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinutesOfInactivityBeforeScreenTimeout eq 5 ]
Ensure mobile device management polices are set to require advanced security configurations Configure your mobile device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. Azure Active Directory
O365 should have atleast one O365Domain with [ supportedServices has("Intune") ]
Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) Require your users to use a complex password to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true]
Ensure that mobile device passwords never expire Ensure that user passwords on mobile devices never expire. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeExpirationDays eq -1 ]
Ensure mobile devices require the use of a password Require your users to use a password to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true]
Ensure that mobile device password reuse is prohibited Do not allow your users to reuse the same password on their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordPreviousPasswordBlockCount eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodePreviousPasscodeBlockCount eq 5 ]
Ensure mobile devices are set to wipe on multiple sign-in failures Require mobile devices to wipe on multiple sign-in failures to prevent brute force compromise. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device. O365 should have atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeSignInFailureCountBeforeWipe lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ]
Ensure modern authentication for Exchange Online is enabled Ensure modern authentication for Exchange Online is enabled. Exchange
OrganizationConfig should have OAuth2ClientProfileEnabled eq true
Notify the administrator when internal users send malware Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. Azure Active Directory
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true
Ensure that OAuth 2.0 permission grants to third-party apps do not give permission to modify app role assignments. OAuth 2.0 permission grants enable a third-party connected app to access data based on the permissions granted. Do not grant third-party apps the ability to modify app role assignments. This would enable the third-party app to give users or apps access to resources that they should not have access to. OAuth2PermissionGrant should not have scope like "AppRoleAssignment.ReadWrite.All"
Ensure that Office 365 SharePoint infected files cannot be downloaded Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. SharepointTenant should have disallowInfectedFileDownload eq true
Ensure external storage providers available in Outlook on the Web are restricted Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false
Ensure an Outlook on the web mailbox policy exists Ensure an Outlook on the web mailbox policy exists. O365 should have OwaMailboxPolicies len() gt 0
Ensure that password hash sync is enabled for resiliency and leaked credential detection Ensure that password hash sync is enabled for resiliency and leaked credential detection. Microsoft 365 security
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ]
Ensure that Office 365 passwords are not set to expire Ensure that Office 365 passwords are not set to expire. Azure Active Directory
SecureScore should have atleast one controlScores with [ controlName eq "PWAgePolicyNew" and scoreInPercentage eq 100 and IsApplicable eq true ]
Ensure self-service password reset is enabled Ensure self-service password reset is enabled. Microsoft 365 security
SecureScore should have atleast one controlScores with [ controlName eq "SelfServicePasswordReset" and scoreInPercentage eq 100]
Ensure modern authentication for SharePoint applications is required Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. SharepointTenant should have legacyAuthProtocolsEnabled eq false
Ensure a transport rule exists Ensure a transport rule exists. O365 should have TransportRules len() gt 0
Use limited administrative roles Limited administrators are users who have more privileges than standard users, but not as many privileges as global admins. Leveraging limited administrator roles to perform required administrative work reduces the number of high value, high impact global admin role holders you have. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached. SecureScore should have atleast one controlScores with [controlName eq "RoleOverlap" and scoreInPercentage eq 100 ]
Ensure that users do not have the default strong password policy disabled. In Azure, users by default have a strong password policy enabled. However, admin users are able to disable the default strong password policy for individual users. This functionality should not be used and all individual users' password policies should require a strong password. User should not have passwordPolicies like "DisableStrongPassword"
Ensure that users cannot install Outlook add-ins Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ]
Name Description Service Rule
All users should be registered and signed up for MFA Multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. SecureScore should have atleast one controlScores with [controlName eq "MFARegistrationV2" and scoreInPercentage eq 100 ]
Ensure at least one anti-phishing policy exists Ensure that at least one anti-phishing policy exists. Azure Active Directory
O365 should have AntiPhishPolicies len() gt 0
Ensure an authentication policy exists Ensure an authentication policy exists. O365 should have AuthenticationPolicies len() gt 0
Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. Azure Active Directory
O365Tenant should have unreviewedRiskEventsExist eq false
Enable Azure AD Identity Protection sign-in risk policies Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. Azure Active Directory
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ]
Enable Azure AD Identity Protection user risk policies Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. Azure Active Directory
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ]
Ensure basic authentication for Exchange Online is disabled Ensure basic authentication for Exchange Online is disabled. Azure Active Directory
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false
Enable Conditional Access policies to block legacy authentication Enable Conditional Access policies to block legacy authentication. Azure Active Directory
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1]
Block OneDrive for Business sync from unmanaged devices Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true
Ensure that sharing full calendar details with external users is disabled Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ]
Ensure DKIM is enabled for all Exchange Online Domains DKIM lets you add a digital signature to outbound email messages in the message header. This signature is used to verify that the messages are really coming from you and not coming from someone spoofing your domain. Azure Active Directory
DkimSigningConfig should have Enabled eq true
Ensure a DomainKeys Identified Mail (DKIM) signing policy exists Ensure a DomainKeys Identified Mail (DKIM) signing policy exists. O365 should have DkimSigningConfig len() gt 0
Ensure DMARC Records for all Exchange Online domains are published Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. When you use DMARC, the receiving server performs a check against the From address. Azure Active Directory
AcceptedDomain should have DMARCRecordPublished eq true
Do not allow users to grant consent to unmanaged applications Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. SecureScore should have atleast one controlScores with [controlName eq "IntegratedApps" and scoreInPercentage eq 100 ]
Ensure document sharing is controlled by domains with sharing restrictions configured Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. SharepointTenant should have sharingDomainRestrictionMode neq 0
Ensure audit log search is enabled Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. Azure Active Directory
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true
Ensure the Common Attachment Types Filter is enabled Ensure the Common Attachment Types Filter is enabled. Azure Active Directory
MalwareFilterPolicy should have EnableFileFilter eq true
Ensure mailbox auditing for all users is enabled By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. Azure Active Directory
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true
Ensure expiration time for external sharing links is set Restrict the length of time that anonymous access links are valid. Azure Active Directory
SharepointTenant should have requireAnonymousLinksExpireInDays > 0
Ensure that external users cannot share files, folders, and sites they do not own SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. SharepointTenant should have preventExternalUsersFromResharing eq true
Ensure mail transport rules do not forward email to external domains Ensure mail transport rules do not forward email to external domains. Azure Active Directory
O365Tenant should not have AnyMailTransportRuleRedirectMessageToExternalDomain eq True
Ensure mail transport rules do not whitelist specific domains Ensure mail transport rules do not whitelist specific domains. Azure Active Directory
TransportRule should not have SetScl = -1 and SenderDomainIs len() > 0
Ensure MailTips are enabled for end users MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0
Ensure a malware filter policy exists Ensure a malware filter policy exists. O365 should have MalwareFilterPolicies len() gt 0
Ensure multi-factor authentication is enabled for all users in administrative roles Ensure multi-factor authentication is enabled for all users in administrative roles Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") ]
Ensure multi-factor authentication is enabled for all users in all roles Ensure multi-factor authentication is enabled for all users in all roles. Azure Active Directory
O365 should have O365Tenant len() gt 0 and any ConditionalAccessPolicies with [ conditions.users has ("all") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") ]
Mobile devices passwords should be at least 6 characters Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ]
Ensure that mobile devices require complex passwords (Type = Alphanumeric) Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"]
Ensure that mobile device encryption is enabled Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true]
Ensure that users cannot connect from jailbroken or rooted devices Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ]
Lock mobile devices after a period of inactivity Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 and passwordRequireWhenResumeFromIdleState eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinutesOfInactivityBeforeScreenTimeout eq 5 ]
Ensure mobile device management polices are set to require advanced security configurations Configure your mobile device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. Azure Active Directory
O365 should have atleast one O365Domain with [ supportedServices has("Intune") ]
Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) Require your users to use a complex password to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true]
Ensure mobile devices require the use of a password Require your users to use a password to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true]
Ensure that mobile device password reuse is prohibited Do not allow your users to reuse the same password on their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordPreviousPasswordBlockCount eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodePreviousPasscodeBlockCount eq 5 ]
Ensure modern authentication for Exchange Online is enabled Ensure modern authentication for Exchange Online is enabled. Exchange
OrganizationConfig should have OAuth2ClientProfileEnabled eq true
Notify the administrator when internal users send malware Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. Azure Active Directory
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true
Ensure that OAuth 2.0 permission grants to third-party apps do not give permission to modify app role assignments. OAuth 2.0 permission grants enable a third-party connected app to access data based on the permissions granted. Do not grant third-party apps the ability to modify app role assignments. This would enable the third-party app to give users or apps access to resources that they should not have access to. OAuth2PermissionGrant should not have scope like "AppRoleAssignment.ReadWrite.All"
Ensure that Office 365 SharePoint infected files cannot be downloaded Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. SharepointTenant should have disallowInfectedFileDownload eq true
Ensure external storage providers available in Outlook on the Web are restricted Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false
Ensure that password hash sync is enabled for resiliency and leaked credential detection Ensure that password hash sync is enabled for resiliency and leaked credential detection. Microsoft 365 security
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ]
Ensure modern authentication for SharePoint applications is required Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. SharepointTenant should have legacyAuthProtocolsEnabled eq false
Ensure SPF records are published for all Exchange domains Ensure that Sender Policy Framework (SPF) records are published for all Exchange domains. Using SPF helps to validate outbound email sent from your custom domain by determining whether or not a sender is permitted to send on behalf of a domain. Azure Active Directory
AcceptedDomain should have spfRecordPublished eq true
Use limited administrative roles Limited administrators are users who have more privileges than standard users, but not as many privileges as global admins. Leveraging limited administrator roles to perform required administrative work reduces the number of high value, high impact global admin role holders you have. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached. SecureScore should have atleast one controlScores with [controlName eq "RoleOverlap" and scoreInPercentage eq 100 ]
Ensure that users do not have the default strong password policy disabled. In Azure, users by default have a strong password policy enabled. However, admin users are able to disable the default strong password policy for individual users. This functionality should not be used and all individual users' password policies should require a strong password. User should not have passwordPolicies like "DisableStrongPassword"
Ensure that users cannot install Outlook add-ins Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ]
Name Description Service Rule
All users should be registered and signed up for MFA Multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. SecureScore should have atleast one controlScores with [controlName eq "MFARegistrationV2" and scoreInPercentage eq 100 ]
Ensure at least one anti-phishing policy exists Ensure that at least one anti-phishing policy exists. Azure Active Directory
O365 should have AntiPhishPolicies len() gt 0
Ensure an authentication policy exists Ensure an authentication policy exists. O365 should have AuthenticationPolicies len() gt 0
Ensure automatic forwarding options are disabled Disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web. In the event that an attacker gains control of an end-user account they could create rules to exfiltrate data from your environment. RemoteDomain should have AutoForwardEnabled eq false
Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. Azure Active Directory
O365Tenant should have unreviewedRiskEventsExist eq false
Enable Azure AD Identity Protection sign-in risk policies Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. Azure Active Directory
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ]
Enable Azure AD Identity Protection user risk policies Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. Azure Active Directory
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ]
Ensure basic authentication for Exchange Online is disabled Ensure basic authentication for Exchange Online is disabled. Azure Active Directory
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false
Enable Conditional Access policies to block legacy authentication Enable Conditional Access policies to block legacy authentication. Azure Active Directory
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1]
Block OneDrive for Business sync from unmanaged devices Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true
Ensure that sharing full calendar details with external users is disabled Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ]
Ensure that client-side rules that automatically forward email to external domains are blocked Block client-side rules that automatically forward email to external domains. The use of client-side forwarding rules to exfiltrate data to external recipients is an increasingly used vector for data exfiltration by bad actors. O365 should have atleast one TransportRules with [ State eq "Enabled" and Priority eq 0 and SentToScope eq "NotInOrganization" and FromScope eq "InOrganization" and MessageTypeMatches eq "AutoForward" and RejectMessageEnhancedStatusCode eq "5.7.1" ]
Do not allow users to grant consent to unmanaged applications Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. SecureScore should have atleast one controlScores with [controlName eq "IntegratedApps" and scoreInPercentage eq 100 ]
Ensure document sharing is controlled by domains with sharing restrictions configured Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. SharepointTenant should have sharingDomainRestrictionMode neq 0
Ensure audit log search is enabled Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. Azure Active Directory
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true
Ensure the Common Attachment Types Filter is enabled Ensure the Common Attachment Types Filter is enabled. Azure Active Directory
MalwareFilterPolicy should have EnableFileFilter eq true
Ensure mailbox auditing for all users is enabled By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. Azure Active Directory
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true
Ensure expiration time for external sharing links is set Restrict the length of time that anonymous access links are valid. Azure Active Directory
SharepointTenant should have requireAnonymousLinksExpireInDays > 0
Ensure that external users cannot share files, folders, and sites they do not own SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. SharepointTenant should have preventExternalUsersFromResharing eq true
Ensure that Facebook contact synchronization is disabled Disable integration with Facebook as a measure to help prevent phishing scams. OwaMailboxPolicy should have FacebookEnabled eq false
Ensure that LinkedIn contact synchronization is disabled Disable integration with LinkedIn as a measure to help prevent phishing scams. OwaMailboxPolicy should have LinkedInEnabled eq false
Ensure mail transport rules do not forward email to external domains Ensure mail transport rules do not forward email to external domains. Azure Active Directory
O365Tenant should not have AnyMailTransportRuleRedirectMessageToExternalDomain eq True
Ensure mail transport rules do not whitelist specific domains Ensure mail transport rules do not whitelist specific domains. Azure Active Directory
TransportRule should not have SetScl = -1 and SenderDomainIs len() > 0
Ensure MailTips are enabled for end users MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0
Ensure a malware filter policy exists Ensure a malware filter policy exists. O365 should have MalwareFilterPolicies len() gt 0
Ensure multi-factor authentication is enabled for all users in administrative roles Ensure multi-factor authentication is enabled for all users in administrative roles Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") ]
Ensure multi-factor authentication is enabled for all users in all roles Ensure multi-factor authentication is enabled for all users in all roles. Azure Active Directory
O365 should have O365Tenant len() gt 0 and any ConditionalAccessPolicies with [ conditions.users has ("all") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") ]
Mobile devices passwords should be at least 6 characters Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ]
Ensure that mobile devices require complex passwords (Type = Alphanumeric) Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"]
Ensure that mobile device encryption is enabled Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true]
Ensure that users cannot connect from jailbroken or rooted devices Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ]
Lock mobile devices after a period of inactivity Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 and passwordRequireWhenResumeFromIdleState eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinutesOfInactivityBeforeScreenTimeout eq 5 ]
Ensure mobile device management polices are set to require advanced security configurations Configure your mobile device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. Azure Active Directory
O365 should have atleast one O365Domain with [ supportedServices has("Intune") ]
Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) Require your users to use a complex password to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true]
Ensure that mobile device passwords never expire Ensure that user passwords on mobile devices never expire. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeExpirationDays eq -1 ]
Ensure mobile devices require the use of a password Require your users to use a password to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true]
Ensure that mobile device password reuse is prohibited Do not allow your users to reuse the same password on their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordPreviousPasswordBlockCount eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodePreviousPasscodeBlockCount eq 5 ]
Ensure mobile devices are set to wipe on multiple sign-in failures Require mobile devices to wipe on multiple sign-in failures to prevent brute force compromise. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device. O365 should have atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeSignInFailureCountBeforeWipe lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ]
Ensure modern authentication for Exchange Online is enabled Ensure modern authentication for Exchange Online is enabled. Exchange
OrganizationConfig should have OAuth2ClientProfileEnabled eq true
Notify the administrator when internal users send malware Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. Azure Active Directory
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true
Ensure that OAuth 2.0 permission grants to third-party apps do not give permission to modify app role assignments. OAuth 2.0 permission grants enable a third-party connected app to access data based on the permissions granted. Do not grant third-party apps the ability to modify app role assignments. This would enable the third-party app to give users or apps access to resources that they should not have access to. OAuth2PermissionGrant should not have scope like "AppRoleAssignment.ReadWrite.All"
Ensure that Office 365 SharePoint infected files cannot be downloaded Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. SharepointTenant should have disallowInfectedFileDownload eq true
Ensure external storage providers available in Outlook on the Web are restricted Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false
Ensure an Outlook on the web mailbox policy exists Ensure an Outlook on the web mailbox policy exists. O365 should have OwaMailboxPolicies len() gt 0
Ensure that password hash sync is enabled for resiliency and leaked credential detection Ensure that password hash sync is enabled for resiliency and leaked credential detection. Microsoft 365 security
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ]
Ensure that Office 365 passwords are not set to expire Ensure that Office 365 passwords are not set to expire. Azure Active Directory
SecureScore should have atleast one controlScores with [ controlName eq "PWAgePolicyNew" and scoreInPercentage eq 100 and IsApplicable eq true ]
Ensure modern authentication for SharePoint applications is required Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. SharepointTenant should have legacyAuthProtocolsEnabled eq false
Ensure a transport rule exists Ensure a transport rule exists. O365 should have TransportRules len() gt 0
Use limited administrative roles Limited administrators are users who have more privileges than standard users, but not as many privileges as global admins. Leveraging limited administrator roles to perform required administrative work reduces the number of high value, high impact global admin role holders you have. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached. SecureScore should have atleast one controlScores with [controlName eq "RoleOverlap" and scoreInPercentage eq 100 ]
Ensure that users do not have the default strong password policy disabled. In Azure, users by default have a strong password policy enabled. However, admin users are able to disable the default strong password policy for individual users. This functionality should not be used and all individual users' password policies should require a strong password. User should not have passwordPolicies like "DisableStrongPassword"
Ensure that users cannot install Outlook add-ins Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ]
Name Description Service Rule
All users should be registered and signed up for MFA Multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. SecureScore should have atleast one controlScores with [controlName eq "MFARegistrationV2" and scoreInPercentage eq 100 ]
Ensure at least one anti-phishing policy exists Ensure that at least one anti-phishing policy exists. Azure Active Directory
O365 should have AntiPhishPolicies len() gt 0
Ensure an authentication policy exists Ensure an authentication policy exists. O365 should have AuthenticationPolicies len() gt 0
Ensure automatic forwarding options are disabled Disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web. In the event that an attacker gains control of an end-user account they could create rules to exfiltrate data from your environment. RemoteDomain should have AutoForwardEnabled eq false
Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. Azure Active Directory
O365Tenant should have unreviewedRiskEventsExist eq false
Enable Azure AD Identity Protection sign-in risk policies Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. Azure Active Directory
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ]
Enable Azure AD Identity Protection user risk policies Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. Azure Active Directory
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ]
Ensure basic authentication for Exchange Online is disabled Ensure basic authentication for Exchange Online is disabled. Azure Active Directory
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false
Enable Conditional Access policies to block legacy authentication Enable Conditional Access policies to block legacy authentication. Azure Active Directory
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1]
Block OneDrive for Business sync from unmanaged devices Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true
Ensure that sharing full calendar details with external users is disabled Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ]
Ensure that client-side rules that automatically forward email to external domains are blocked Block client-side rules that automatically forward email to external domains. The use of client-side forwarding rules to exfiltrate data to external recipients is an increasingly used vector for data exfiltration by bad actors. O365 should have atleast one TransportRules with [ State eq "Enabled" and Priority eq 0 and SentToScope eq "NotInOrganization" and FromScope eq "InOrganization" and MessageTypeMatches eq "AutoForward" and RejectMessageEnhancedStatusCode eq "5.7.1" ]
Ensure DKIM is enabled for all Exchange Online Domains DKIM lets you add a digital signature to outbound email messages in the message header. This signature is used to verify that the messages are really coming from you and not coming from someone spoofing your domain. Azure Active Directory
DkimSigningConfig should have Enabled eq true
Ensure a DomainKeys Identified Mail (DKIM) signing policy exists Ensure a DomainKeys Identified Mail (DKIM) signing policy exists. O365 should have DkimSigningConfig len() gt 0
Ensure DMARC Records for all Exchange Online domains are published Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. When you use DMARC, the receiving server performs a check against the From address. Azure Active Directory
AcceptedDomain should have DMARCRecordPublished eq true
Do not allow users to grant consent to unmanaged applications Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. SecureScore should have atleast one controlScores with [controlName eq "IntegratedApps" and scoreInPercentage eq 100 ]
Ensure document sharing is controlled by domains with sharing restrictions configured Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. SharepointTenant should have sharingDomainRestrictionMode neq 0
Ensure audit log search is enabled Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. Azure Active Directory
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true
Ensure the Common Attachment Types Filter is enabled Ensure the Common Attachment Types Filter is enabled. Azure Active Directory
MalwareFilterPolicy should have EnableFileFilter eq true
Ensure mailbox auditing for all users is enabled By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. Azure Active Directory
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true
Ensure Exchange Online outbound spam filter policies are properly configured Ensure the Exchange Online outbound spam filter policy is properly configured. Set your Exchange Online Spam Policies to copy emails and notify someone when a sender in your tenant has been blocked for sending spam emails. Azure Active Directory
HostedOutboundSpamFilterPolicy should have NotifyOutboundSpam eq true and BccSuspiciousOutboundMail eq true and Identity eq "Default" and Enabled eq true
Ensure expiration time for external sharing links is set Restrict the length of time that anonymous access links are valid. Azure Active Directory
SharepointTenant should have requireAnonymousLinksExpireInDays > 0
Ensure that external users cannot share files, folders, and sites they do not own SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. SharepointTenant should have preventExternalUsersFromResharing eq true
Ensure that Facebook contact synchronization is disabled Disable integration with Facebook as a measure to help prevent phishing scams. OwaMailboxPolicy should have FacebookEnabled eq false
Ensure that LinkedIn contact synchronization is disabled Disable integration with LinkedIn as a measure to help prevent phishing scams. OwaMailboxPolicy should have LinkedInEnabled eq false
Ensure mail transport rules do not forward email to external domains Ensure mail transport rules do not forward email to external domains. Azure Active Directory
O365Tenant should not have AnyMailTransportRuleRedirectMessageToExternalDomain eq True
Ensure mail transport rules do not whitelist specific domains Ensure mail transport rules do not whitelist specific domains. Azure Active Directory
TransportRule should not have SetScl = -1 and SenderDomainIs len() > 0
Ensure MailTips are enabled for end users MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0
Ensure a malware filter policy exists Ensure a malware filter policy exists. O365 should have MalwareFilterPolicies len() gt 0
Ensure multi-factor authentication is enabled for all users in administrative roles Ensure multi-factor authentication is enabled for all users in administrative roles Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") ]
Ensure multi-factor authentication is enabled for all users in all roles Ensure multi-factor authentication is enabled for all users in all roles. Azure Active Directory
O365 should have O365Tenant len() gt 0 and any ConditionalAccessPolicies with [ conditions.users has ("all") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") ]
Mobile devices passwords should be at least 6 characters Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ]
Ensure that mobile devices require complex passwords (Type = Alphanumeric) Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"]
Ensure that mobile device encryption is enabled Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true]
Ensure that users cannot connect from jailbroken or rooted devices Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ]
Lock mobile devices after a period of inactivity Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 and passwordRequireWhenResumeFromIdleState eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinutesOfInactivityBeforeScreenTimeout eq 5 ]
Ensure mobile device management polices are set to require advanced security configurations Configure your mobile device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. Azure Active Directory
O365 should have atleast one O365Domain with [ supportedServices has("Intune") ]
Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) Require your users to use a complex password to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true]
Ensure that mobile device passwords never expire Ensure that user passwords on mobile devices never expire. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeExpirationDays eq -1 ]
Ensure mobile devices require the use of a password Require your users to use a password to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true]
Ensure that mobile device password reuse is prohibited Do not allow your users to reuse the same password on their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordPreviousPasswordBlockCount eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodePreviousPasscodeBlockCount eq 5 ]
Ensure modern authentication for Exchange Online is enabled Ensure modern authentication for Exchange Online is enabled. Exchange
OrganizationConfig should have OAuth2ClientProfileEnabled eq true
Notify the administrator when internal users send malware Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. Azure Active Directory
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true
Ensure that OAuth 2.0 permission grants to third-party apps do not give permission to modify app role assignments. OAuth 2.0 permission grants enable a third-party connected app to access data based on the permissions granted. Do not grant third-party apps the ability to modify app role assignments. This would enable the third-party app to give users or apps access to resources that they should not have access to. OAuth2PermissionGrant should not have scope like "AppRoleAssignment.ReadWrite.All"
Ensure that Office 365 SharePoint infected files cannot be downloaded Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. SharepointTenant should have disallowInfectedFileDownload eq true
Ensure external storage providers available in Outlook on the Web are restricted Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false
Ensure an Outlook on the web mailbox policy exists Ensure an Outlook on the web mailbox policy exists. O365 should have OwaMailboxPolicies len() gt 0
Ensure that password hash sync is enabled for resiliency and leaked credential detection Ensure that password hash sync is enabled for resiliency and leaked credential detection. Microsoft 365 security
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ]
Ensure that Office 365 passwords are not set to expire Ensure that Office 365 passwords are not set to expire. Azure Active Directory
SecureScore should have atleast one controlScores with [ controlName eq "PWAgePolicyNew" and scoreInPercentage eq 100 and IsApplicable eq true ]
Ensure modern authentication for SharePoint applications is required Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. SharepointTenant should have legacyAuthProtocolsEnabled eq false
Ensure SPF records are published for all Exchange domains Ensure that Sender Policy Framework (SPF) records are published for all Exchange domains. Using SPF helps to validate outbound email sent from your custom domain by determining whether or not a sender is permitted to send on behalf of a domain. Azure Active Directory
AcceptedDomain should have spfRecordPublished eq true
Ensure a transport rule exists Ensure a transport rule exists. O365 should have TransportRules len() gt 0
Use limited administrative roles Limited administrators are users who have more privileges than standard users, but not as many privileges as global admins. Leveraging limited administrator roles to perform required administrative work reduces the number of high value, high impact global admin role holders you have. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached. SecureScore should have atleast one controlScores with [controlName eq "RoleOverlap" and scoreInPercentage eq 100 ]
Ensure that users do not have the default strong password policy disabled. In Azure, users by default have a strong password policy enabled. However, admin users are able to disable the default strong password policy for individual users. This functionality should not be used and all individual users' password policies should require a strong password. User should not have passwordPolicies like "DisableStrongPassword"
Ensure that users cannot install Outlook add-ins Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ]
Name Description Service Rule
All users should be registered and signed up for MFA Multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. SecureScore should have atleast one controlScores with [controlName eq "MFARegistrationV2" and scoreInPercentage eq 100 ]
Ensure at least one anti-phishing policy exists Ensure that at least one anti-phishing policy exists. Azure Active Directory
O365 should have AntiPhishPolicies len() gt 0
Ensure an authentication policy exists Ensure an authentication policy exists. O365 should have AuthenticationPolicies len() gt 0
Ensure automatic forwarding options are disabled Disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web. In the event that an attacker gains control of an end-user account they could create rules to exfiltrate data from your environment. RemoteDomain should have AutoForwardEnabled eq false
Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. Azure Active Directory
O365Tenant should have unreviewedRiskEventsExist eq false
Enable Azure AD Identity Protection sign-in risk policies Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. Azure Active Directory
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ]
Enable Azure AD Identity Protection user risk policies Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. Azure Active Directory
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ]
Ensure basic authentication for Exchange Online is disabled Ensure basic authentication for Exchange Online is disabled. Azure Active Directory
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false
Enable Conditional Access policies to block legacy authentication Enable Conditional Access policies to block legacy authentication. Azure Active Directory
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1]
Block OneDrive for Business sync from unmanaged devices Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true
Ensure that sharing full calendar details with external users is disabled Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ]
Ensure DKIM is enabled for all Exchange Online Domains DKIM lets you add a digital signature to outbound email messages in the message header. This signature is used to verify that the messages are really coming from you and not coming from someone spoofing your domain. Azure Active Directory
DkimSigningConfig should have Enabled eq true
Ensure a DomainKeys Identified Mail (DKIM) signing policy exists Ensure a DomainKeys Identified Mail (DKIM) signing policy exists. O365 should have DkimSigningConfig len() gt 0
Ensure DMARC Records for all Exchange Online domains are published Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. When you use DMARC, the receiving server performs a check against the From address. Azure Active Directory
AcceptedDomain should have DMARCRecordPublished eq true
Do not allow users to grant consent to unmanaged applications Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. SecureScore should have atleast one controlScores with [controlName eq "IntegratedApps" and scoreInPercentage eq 100 ]
Ensure document sharing is controlled by domains with sharing restrictions configured Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. SharepointTenant should have sharingDomainRestrictionMode neq 0
Ensure audit log search is enabled Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. Azure Active Directory
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true
Ensure the Common Attachment Types Filter is enabled Ensure the Common Attachment Types Filter is enabled. Azure Active Directory
MalwareFilterPolicy should have EnableFileFilter eq true
Ensure mailbox auditing for all users is enabled By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. Azure Active Directory
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true
Ensure Exchange Online outbound spam filter policies are properly configured Ensure the Exchange Online outbound spam filter policy is properly configured. Set your Exchange Online Spam Policies to copy emails and notify someone when a sender in your tenant has been blocked for sending spam emails. Azure Active Directory
HostedOutboundSpamFilterPolicy should have NotifyOutboundSpam eq true and BccSuspiciousOutboundMail eq true and Identity eq "Default" and Enabled eq true
Ensure that external users cannot share files, folders, and sites they do not own SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. SharepointTenant should have preventExternalUsersFromResharing eq true
Ensure MailTips are enabled for end users MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0
Ensure a malware filter policy exists Ensure a malware filter policy exists. O365 should have MalwareFilterPolicies len() gt 0
Ensure multi-factor authentication is enabled for all users in administrative roles Ensure multi-factor authentication is enabled for all users in administrative roles Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") ]
Ensure multi-factor authentication is enabled for all users in all roles Ensure multi-factor authentication is enabled for all users in all roles. Azure Active Directory
O365 should have O365Tenant len() gt 0 and any ConditionalAccessPolicies with [ conditions.users has ("all") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") ]
Mobile devices passwords should be at least 6 characters Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ]
Ensure that mobile devices require complex passwords (Type = Alphanumeric) Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"]
Ensure that mobile device encryption is enabled Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true]
Ensure that users cannot connect from jailbroken or rooted devices Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ]
Lock mobile devices after a period of inactivity Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 and passwordRequireWhenResumeFromIdleState eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinutesOfInactivityBeforeScreenTimeout eq 5 ]
Ensure mobile device management polices are set to require advanced security configurations Configure your mobile device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. Azure Active Directory
O365 should have atleast one O365Domain with [ supportedServices has("Intune") ]
Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) Require your users to use a complex password to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true]
Ensure mobile devices require the use of a password Require your users to use a password to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true]
Ensure that mobile device password reuse is prohibited Do not allow your users to reuse the same password on their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordPreviousPasswordBlockCount eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodePreviousPasscodeBlockCount eq 5 ]
Ensure mobile devices are set to wipe on multiple sign-in failures Require mobile devices to wipe on multiple sign-in failures to prevent brute force compromise. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device. O365 should have atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeSignInFailureCountBeforeWipe lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ]
Ensure modern authentication for Exchange Online is enabled Ensure modern authentication for Exchange Online is enabled. Exchange
OrganizationConfig should have OAuth2ClientProfileEnabled eq true
Notify the administrator when internal users send malware Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. Azure Active Directory
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true
Ensure that OAuth 2.0 permission grants to third-party apps do not give permission to modify app role assignments. OAuth 2.0 permission grants enable a third-party connected app to access data based on the permissions granted. Do not grant third-party apps the ability to modify app role assignments. This would enable the third-party app to give users or apps access to resources that they should not have access to. OAuth2PermissionGrant should not have scope like "AppRoleAssignment.ReadWrite.All"
Ensure that Office 365 SharePoint infected files cannot be downloaded Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. SharepointTenant should have disallowInfectedFileDownload eq true
Ensure external storage providers available in Outlook on the Web are restricted Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false
Ensure that password hash sync is enabled for resiliency and leaked credential detection Ensure that password hash sync is enabled for resiliency and leaked credential detection. Microsoft 365 security
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ]
Ensure modern authentication for SharePoint applications is required Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. SharepointTenant should have legacyAuthProtocolsEnabled eq false
Ensure SPF records are published for all Exchange domains Ensure that Sender Policy Framework (SPF) records are published for all Exchange domains. Using SPF helps to validate outbound email sent from your custom domain by determining whether or not a sender is permitted to send on behalf of a domain. Azure Active Directory
AcceptedDomain should have spfRecordPublished eq true
Ensure a transport rule exists Ensure a transport rule exists. O365 should have TransportRules len() gt 0
Use limited administrative roles Limited administrators are users who have more privileges than standard users, but not as many privileges as global admins. Leveraging limited administrator roles to perform required administrative work reduces the number of high value, high impact global admin role holders you have. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached. SecureScore should have atleast one controlScores with [controlName eq "RoleOverlap" and scoreInPercentage eq 100 ]
Ensure that users do not have the default strong password policy disabled. In Azure, users by default have a strong password policy enabled. However, admin users are able to disable the default strong password policy for individual users. This functionality should not be used and all individual users' password policies should require a strong password. User should not have passwordPolicies like "DisableStrongPassword"
Ensure that users cannot install Outlook add-ins Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ]
Name Description Service Rule
All users should be registered and signed up for MFA Multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. SecureScore should have atleast one controlScores with [controlName eq "MFARegistrationV2" and scoreInPercentage eq 100 ]
Ensure at least one anti-phishing policy exists Ensure that at least one anti-phishing policy exists. Azure Active Directory
O365 should have AntiPhishPolicies len() gt 0
Ensure an authentication policy exists Ensure an authentication policy exists. O365 should have AuthenticationPolicies len() gt 0
Ensure automatic forwarding options are disabled Disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web. In the event that an attacker gains control of an end-user account they could create rules to exfiltrate data from your environment. RemoteDomain should have AutoForwardEnabled eq false
Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. Azure Active Directory
O365Tenant should have unreviewedRiskEventsExist eq false
Enable Azure AD Identity Protection sign-in risk policies Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. Azure Active Directory
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ]
Enable Azure AD Identity Protection user risk policies Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. Azure Active Directory
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ]
Ensure basic authentication for Exchange Online is disabled Ensure basic authentication for Exchange Online is disabled. Azure Active Directory
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false
Enable Conditional Access policies to block legacy authentication Enable Conditional Access policies to block legacy authentication. Azure Active Directory
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1]
Block OneDrive for Business sync from unmanaged devices Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true
Ensure that sharing full calendar details with external users is disabled Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ]
Ensure that client-side rules that automatically forward email to external domains are blocked Block client-side rules that automatically forward email to external domains. The use of client-side forwarding rules to exfiltrate data to external recipients is an increasingly used vector for data exfiltration by bad actors. O365 should have atleast one TransportRules with [ State eq "Enabled" and Priority eq 0 and SentToScope eq "NotInOrganization" and FromScope eq "InOrganization" and MessageTypeMatches eq "AutoForward" and RejectMessageEnhancedStatusCode eq "5.7.1" ]
Ensure DKIM is enabled for all Exchange Online Domains DKIM lets you add a digital signature to outbound email messages in the message header. This signature is used to verify that the messages are really coming from you and not coming from someone spoofing your domain. Azure Active Directory
DkimSigningConfig should have Enabled eq true
Ensure a DomainKeys Identified Mail (DKIM) signing policy exists Ensure a DomainKeys Identified Mail (DKIM) signing policy exists. O365 should have DkimSigningConfig len() gt 0
Ensure DMARC Records for all Exchange Online domains are published Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. When you use DMARC, the receiving server performs a check against the From address. Azure Active Directory
AcceptedDomain should have DMARCRecordPublished eq true
Do not allow users to grant consent to unmanaged applications Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. SecureScore should have atleast one controlScores with [controlName eq "IntegratedApps" and scoreInPercentage eq 100 ]
Ensure document sharing is controlled by domains with sharing restrictions configured Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. SharepointTenant should have sharingDomainRestrictionMode neq 0
Ensure audit log search is enabled Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. Azure Active Directory
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true
Ensure the Common Attachment Types Filter is enabled Ensure the Common Attachment Types Filter is enabled. Azure Active Directory
MalwareFilterPolicy should have EnableFileFilter eq true
Ensure mailbox auditing for all users is enabled By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. Azure Active Directory
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true
Ensure expiration time for external sharing links is set Restrict the length of time that anonymous access links are valid. Azure Active Directory
SharepointTenant should have requireAnonymousLinksExpireInDays > 0
Ensure that external users cannot share files, folders, and sites they do not own SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. SharepointTenant should have preventExternalUsersFromResharing eq true
Ensure mail transport rules do not forward email to external domains Ensure mail transport rules do not forward email to external domains. Azure Active Directory
O365Tenant should not have AnyMailTransportRuleRedirectMessageToExternalDomain eq True
Ensure mail transport rules do not whitelist specific domains Ensure mail transport rules do not whitelist specific domains. Azure Active Directory
TransportRule should not have SetScl = -1 and SenderDomainIs len() > 0
Ensure MailTips are enabled for end users MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0
Ensure a malware filter policy exists Ensure a malware filter policy exists. O365 should have MalwareFilterPolicies len() gt 0
Ensure multi-factor authentication is enabled for all users in administrative roles Ensure multi-factor authentication is enabled for all users in administrative roles Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") ]
Ensure multi-factor authentication is enabled for all users in all roles Ensure multi-factor authentication is enabled for all users in all roles. Azure Active Directory
O365 should have O365Tenant len() gt 0 and any ConditionalAccessPolicies with [ conditions.users has ("all") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") ]
Mobile devices passwords should be at least 6 characters Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ]
Ensure that mobile devices require complex passwords (Type = Alphanumeric) Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"]
Ensure that mobile device encryption is enabled Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true]
Ensure that users cannot connect from jailbroken or rooted devices Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ]
Lock mobile devices after a period of inactivity Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 and passwordRequireWhenResumeFromIdleState eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinutesOfInactivityBeforeScreenTimeout eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinutesOfInactivityBeforeScreenTimeout eq 5 ]
Ensure mobile device management polices are set to require advanced security configurations Configure your mobile device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. Azure Active Directory
O365 should have atleast one O365Domain with [ supportedServices has("Intune") ]
Ensure mobile device management policies are required for email profiles Configure your mobile device management policies to require the policy to manage the email profile of the user. If you do not require this, users will be able to setup and configure email accounts without the protections of the mobile device management policy, leading to potential breaches of accounts and data. O365 should have atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and managedEmailProfileRequired eq true ]
Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) Require your users to use a complex password to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true]
Ensure that mobile device passwords never expire Ensure that user passwords on mobile devices never expire. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeExpirationDays eq -1 ]
Ensure mobile devices require the use of a password Require your users to use a password to unlock their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true]
Ensure that mobile device password reuse is prohibited Do not allow your users to reuse the same password on their mobile devices. Azure Active Directory
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordPreviousPasswordBlockCount eq 5 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodePreviousPasscodeBlockCount eq 5 ]
Ensure mobile devices are set to wipe on multiple sign-in failures Require mobile devices to wipe on multiple sign-in failures to prevent brute force compromise. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device. O365 should have atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeSignInFailureCountBeforeWipe lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ]
Ensure modern authentication for Exchange Online is enabled Ensure modern authentication for Exchange Online is enabled. Exchange
OrganizationConfig should have OAuth2ClientProfileEnabled eq true
Notify the administrator when internal users send malware Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. Azure Active Directory
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true
Ensure that OAuth 2.0 permission grants to third-party apps do not give permission to modify app role assignments. OAuth 2.0 permission grants enable a third-party connected app to access data based on the permissions granted. Do not grant third-party apps the ability to modify app role assignments. This would enable the third-party app to give users or apps access to resources that they should not have access to. OAuth2PermissionGrant should not have scope like "AppRoleAssignment.ReadWrite.All"
Ensure that Office 365 SharePoint infected files cannot be downloaded Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. SharepointTenant should have disallowInfectedFileDownload eq true
Ensure external storage providers available in Outlook on the Web are restricted Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false
Ensure that password hash sync is enabled for resiliency and leaked credential detection Ensure that password hash sync is enabled for resiliency and leaked credential detection. Microsoft 365 security
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ]
Ensure that Office 365 passwords are not set to expire Ensure that Office 365 passwords are not set to expire. Azure Active Directory
SecureScore should have atleast one controlScores with [ controlName eq "PWAgePolicyNew" and scoreInPercentage eq 100 and IsApplicable eq true ]
Ensure modern authentication for SharePoint applications is required Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. SharepointTenant should have legacyAuthProtocolsEnabled eq false
Ensure SPF records are published for all Exchange domains Ensure that Sender Policy Framework (SPF) records are published for all Exchange domains. Using SPF helps to validate outbound email sent from your custom domain by determining whether or not a sender is permitted to send on behalf of a domain. Azure Active Directory
AcceptedDomain should have spfRecordPublished eq true
Ensure a transport rule exists Ensure a transport rule exists. O365 should have TransportRules len() gt 0
Use limited administrative roles Limited administrators are users who have more privileges than standard users, but not as many privileges as global admins. Leveraging limited administrator roles to perform required administrative work reduces the number of high value, high impact global admin role holders you have. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached. SecureScore should have atleast one controlScores with [controlName eq "RoleOverlap" and scoreInPercentage eq 100 ]
Ensure that users do not have the default strong password policy disabled. In Azure, users by default have a strong password policy enabled. However, admin users are able to disable the default strong password policy for individual users. This functionality should not be used and all individual users' password policies should require a strong password. User should not have passwordPolicies like "DisableStrongPassword"
Ensure that users cannot install Outlook add-ins Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ]