| Description |
Service |
Rule |
| All users should be registered and signed up for MFA |
Multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. |
|
SecureScore should have atleast one controlScores with [controlName eq "MFARegistrationV2" and scoreInPercentage eq 100 ] |
| Ensure at least one anti-phishing policy exists |
Ensure that at least one anti-phishing policy exists. |
Azure Active Directory
|
O365 should have AntiPhishPolicies len() gt 0 |
| Ensure an authentication policy exists |
Ensure an authentication policy exists. |
|
O365 should have AuthenticationPolicies len() gt 0 |
| Ensure automatic forwarding options are disabled |
Disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web. In the event that an attacker gains control of an end-user account they could create rules to exfiltrate data from your environment. |
|
RemoteDomain should have AutoForwardEnabled eq false |
| Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly |
This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. |
Azure Active Directory
|
O365Tenant should have unreviewedRiskEventsExist eq false |
| Enable Azure AD Identity Protection sign-in risk policies |
Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ] |
| Enable Azure AD Identity Protection user risk policies |
Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ] |
| Ensure basic authentication for Exchange Online is disabled |
Ensure basic authentication for Exchange Online is disabled. |
Azure Active Directory
|
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false |
| Enable Conditional Access policies to block legacy authentication |
Enable Conditional Access policies to block legacy authentication. |
Azure Active Directory
|
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1 and state eq "enabled"] |
| Block OneDrive for Business sync from unmanaged devices |
Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. |
|
SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true |
| Ensure that sharing full calendar details with external users is disabled |
Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. |
|
SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ] |
| Ensure that client-side rules that automatically forward email to external domains are blocked |
Block client-side rules that automatically forward email to external domains. The use of client-side forwarding rules to exfiltrate data to external recipients is an increasingly used vector for data exfiltration by bad actors. |
|
O365 should have atleast one TransportRules with [ State eq "Enabled" and Priority eq 0 and SentToScope eq "NotInOrganization" and FromScope eq "InOrganization" and MessageTypeMatches eq "AutoForward" and RejectMessageEnhancedStatusCode eq "5.7.1" ] |
| Ensure DKIM is enabled for all Exchange Online Domains |
DKIM lets you add a digital signature to outbound email messages in the message header. This signature is used to verify that the messages are really coming from you and not coming from someone spoofing your domain. |
Azure Active Directory
|
DkimSigningConfig should have Enabled eq true |
| Ensure a DomainKeys Identified Mail (DKIM) signing policy exists |
Ensure a DomainKeys Identified Mail (DKIM) signing policy exists. |
|
O365 should have DkimSigningConfig len() gt 0 |
| Ensure DMARC Records for all Exchange Online domains are published |
Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. When you use DMARC, the receiving server performs a check against the From address. |
Azure Active Directory
|
AcceptedDomain should have DMARCRecordPublished eq true |
| Do not allow users to grant consent to unmanaged applications |
Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. |
|
SecureScore should have atleast one controlScores with [controlName eq "IntegratedApps" and scoreInPercentage eq 100 ] |
| Ensure document sharing is controlled by domains with sharing restrictions configured |
Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. |
|
SharepointTenant should have sharingDomainRestrictionMode neq 0 |
| Ensure audit log search is enabled |
Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. |
Azure Active Directory
|
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true |
| Ensure the Common Attachment Types Filter is enabled |
Ensure the Common Attachment Types Filter is enabled. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableFileFilter eq true |
| Ensure mailbox auditing for all users is enabled |
By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. |
Azure Active Directory
|
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true |
| Ensure expiration time for external sharing links is set |
Restrict the length of time that anonymous access links are valid. |
Azure Active Directory
|
SharepointTenant should have requireAnonymousLinksExpireInDays > 0 |
| Ensure that external users cannot share files, folders, and sites they do not own |
SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. |
|
SharepointTenant should have preventExternalUsersFromResharing eq true |
| Ensure a hosted outbound spam filter policy exists. |
Ensure a hosted outbound spam filter policy exists. |
|
O365 should have HostedOutboundSpamFilterPolicies len() gt 0 |
| Ensure mail transport rules do not forward email to external domains |
Ensure mail transport rules do not forward email to external domains. |
Azure Active Directory
|
O365Tenant should not have AnyMailTransportRuleRedirectMessageToExternalDomain eq True |
| Ensure mail transport rules do not whitelist specific domains |
Ensure mail transport rules do not whitelist specific domains. |
Azure Active Directory
|
TransportRule should not have SetScl = -1 and SenderDomainIs len() > 0 |
| Ensure MailTips are enabled for end users |
MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. |
|
OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0 |
| Ensure a malware filter policy exists |
Ensure a malware filter policy exists. |
|
O365 should have MalwareFilterPolicies len() gt 0 |
| Ensure multi-factor authentication is enabled for all users in administrative roles |
Ensure multi-factor authentication is enabled for all users in administrative roles |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Ensure multi-factor authentication is enabled for all users in all roles |
Ensure multi-factor authentication is enabled for all users in all roles. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Mobile devices passwords should be at least 6 characters |
Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinimumLength eq 6 ] |
| Ensure that mobile devices require complex passwords (Type = Alphanumeric) |
Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordRequiredType eq "atLeastAlphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] |
| Ensure that mobile device encryption is enabled |
Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true] |
| Ensure that users cannot connect from jailbroken or rooted devices |
Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ] |
| Lock mobile devices after a period of inactivity |
Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have MaxInactivityTimeLock eq "00:15:00" |
| Ensure device management polices are set to require advanced security configurations |
Configure your device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. |
Azure Active Directory
|
O365 should have DeviceConfigurations len() gt 0 |
| Ensure mobile device management policies are required for email profiles |
Configure your mobile device management policies to require the policy to manage the email profile of the user. If you do not require this, users will be able to setup and configure email accounts without the protections of the mobile device management policy, leading to potential breaches of accounts and data. |
|
O365 should have atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and managedEmailProfileRequired eq true ] |
| Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) |
Require your users to use a complex password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true] |
| Ensure that mobile device passwords never expire |
Ensure that user passwords on mobile devices never expire. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passcodeExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] |
| Ensure mobile devices require the use of a password |
Require your users to use a password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true] |
| Ensure that mobile device password reuse is prohibited |
Do not allow your users to reuse the same password on their mobile devices. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have PasswordHistory eq 50 |
| Ensure mobile devices are set to wipe on multiple sign-in failures |
Require mobile devices to wipe on multiple sign-in failures to prevent brute force compromise. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device. |
|
O365 should have atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeSignInFailureCountBeforeWipe lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] |
| Ensure modern authentication for Exchange Online is enabled |
Ensure modern authentication for Exchange Online is enabled. |
Exchange
|
OrganizationConfig should have OAuth2ClientProfileEnabled eq true |
| Notify the administrator when internal users send malware |
Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true |
| Ensure that OAuth 2.0 permission grants to third-party apps do not give permission to modify app role assignments. |
OAuth 2.0 permission grants enable a third-party connected app to access data based on the permissions granted. Do not grant third-party apps the ability to modify app role assignments. This would enable the third-party app to give users or apps access to resources that they should not have access to. |
|
OAuth2PermissionGrant should not have scope like "AppRoleAssignment.ReadWrite.All" |
| Ensure that Office 365 SharePoint infected files cannot be downloaded |
Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. |
|
SharepointTenant should have disallowInfectedFileDownload eq true |
| Ensure external storage providers available in Outlook on the Web are restricted |
Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box,
Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. |
|
OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false |
| Ensure that password hash sync is enabled for resiliency and leaked credential detection |
Ensure that password hash sync is enabled for resiliency and leaked credential detection. |
Microsoft 365 security
|
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ] |
| Ensure that Office 365 passwords are not set to expire |
Ensure that Office 365 passwords are not set to expire. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [ controlName eq "PWAgePolicyNew" and scoreInPercentage eq 100 and IsApplicable eq true ] |
| Ensure modern authentication for SharePoint applications is required |
Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. |
|
SharepointTenant should have legacyAuthProtocolsEnabled eq false |
| Ensure SPF records are published for all Exchange domains |
Ensure that Sender Policy Framework (SPF) records are published for all Exchange domains. Using SPF helps to validate outbound email sent from your custom domain by determining whether or not a sender is permitted to send on behalf of a domain. |
Azure Active Directory
|
AcceptedDomain should have spfRecordPublished eq true |
| Ensure a transport rule exists |
Ensure a transport rule exists. |
|
O365 should have TransportRules len() gt 0 |
| Use limited administrative roles |
Limited administrators are users who have more privileges than standard users, but not as many privileges as global admins. Leveraging limited administrator roles to perform required administrative work reduces the number of high value, high impact global admin role holders you have. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached. |
|
SecureScore should have atleast one controlScores with [controlName eq "RoleOverlap" and scoreInPercentage eq 100 ] |
| Ensure that users do not have the default strong password policy disabled. |
In Azure, users by default have a strong password policy enabled. However, admin users are able to disable the default strong password policy for individual users. This functionality should not be used and all individual users' password policies should require a strong password. |
|
User should not have passwordPolicies like "DisableStrongPassword" |
| Ensure that users cannot install Outlook add-ins |
Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. |
|
O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ] |
| Description |
Service |
Rule |
| All users should be registered and signed up for MFA |
Multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. |
|
SecureScore should have atleast one controlScores with [controlName eq "MFARegistrationV2" and scoreInPercentage eq 100 ] |
| Ensure at least one anti-phishing policy exists |
Ensure that at least one anti-phishing policy exists. |
Azure Active Directory
|
O365 should have AntiPhishPolicies len() gt 0 |
| Ensure an authentication policy exists |
Ensure an authentication policy exists. |
|
O365 should have AuthenticationPolicies len() gt 0 |
| Ensure automatic forwarding options are disabled |
Disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web. In the event that an attacker gains control of an end-user account they could create rules to exfiltrate data from your environment. |
|
RemoteDomain should have AutoForwardEnabled eq false |
| Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly |
This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. |
Azure Active Directory
|
O365Tenant should have unreviewedRiskEventsExist eq false |
| Enable Azure AD Identity Protection sign-in risk policies |
Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ] |
| Enable Azure AD Identity Protection user risk policies |
Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ] |
| Ensure basic authentication for Exchange Online is disabled |
Ensure basic authentication for Exchange Online is disabled. |
Azure Active Directory
|
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false |
| Enable Conditional Access policies to block legacy authentication |
Enable Conditional Access policies to block legacy authentication. |
Azure Active Directory
|
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1 and state eq "enabled"] |
| Block OneDrive for Business sync from unmanaged devices |
Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. |
|
SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true |
| Ensure that sharing full calendar details with external users is disabled |
Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. |
|
SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ] |
| Ensure that client-side rules that automatically forward email to external domains are blocked |
Block client-side rules that automatically forward email to external domains. The use of client-side forwarding rules to exfiltrate data to external recipients is an increasingly used vector for data exfiltration by bad actors. |
|
O365 should have atleast one TransportRules with [ State eq "Enabled" and Priority eq 0 and SentToScope eq "NotInOrganization" and FromScope eq "InOrganization" and MessageTypeMatches eq "AutoForward" and RejectMessageEnhancedStatusCode eq "5.7.1" ] |
| Ensure DKIM is enabled for all Exchange Online Domains |
DKIM lets you add a digital signature to outbound email messages in the message header. This signature is used to verify that the messages are really coming from you and not coming from someone spoofing your domain. |
Azure Active Directory
|
DkimSigningConfig should have Enabled eq true |
| Ensure a DomainKeys Identified Mail (DKIM) signing policy exists |
Ensure a DomainKeys Identified Mail (DKIM) signing policy exists. |
|
O365 should have DkimSigningConfig len() gt 0 |
| Ensure DMARC Records for all Exchange Online domains are published |
Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. When you use DMARC, the receiving server performs a check against the From address. |
Azure Active Directory
|
AcceptedDomain should have DMARCRecordPublished eq true |
| Do not allow users to grant consent to unmanaged applications |
Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. |
|
SecureScore should have atleast one controlScores with [controlName eq "IntegratedApps" and scoreInPercentage eq 100 ] |
| Ensure document sharing is controlled by domains with sharing restrictions configured |
Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. |
|
SharepointTenant should have sharingDomainRestrictionMode neq 0 |
| Ensure audit log search is enabled |
Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. |
Azure Active Directory
|
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true |
| Ensure the Common Attachment Types Filter is enabled |
Ensure the Common Attachment Types Filter is enabled. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableFileFilter eq true |
| Ensure mailbox auditing for all users is enabled |
By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. |
Azure Active Directory
|
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true |
| Ensure Exchange Online outbound spam filter policies are properly configured |
Ensure the Exchange Online outbound spam filter policy is properly configured. Set your Exchange Online Spam Policies to copy emails and notify someone when a sender in your tenant has been blocked for sending spam emails. |
Azure Active Directory
|
HostedOutboundSpamFilterPolicy should have NotifyOutboundSpam eq true and BccSuspiciousOutboundMail eq true and Enabled eq true |
| Ensure expiration time for external sharing links is set |
Restrict the length of time that anonymous access links are valid. |
Azure Active Directory
|
SharepointTenant should have requireAnonymousLinksExpireInDays > 0 |
| Ensure that external users cannot share files, folders, and sites they do not own |
SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. |
|
SharepointTenant should have preventExternalUsersFromResharing eq true |
| Ensure that Facebook contact synchronization is disabled |
Disable integration with Facebook as a measure to help prevent phishing scams. |
|
OwaMailboxPolicy should have FacebookEnabled eq false |
| Ensure a hosted outbound spam filter policy exists. |
Ensure a hosted outbound spam filter policy exists. |
|
O365 should have HostedOutboundSpamFilterPolicies len() gt 0 |
| Ensure that LinkedIn contact synchronization is disabled |
Disable integration with LinkedIn as a measure to help prevent phishing scams. |
|
OwaMailboxPolicy should have LinkedInEnabled eq false |
| Ensure mail transport rules do not forward email to external domains |
Ensure mail transport rules do not forward email to external domains. |
Azure Active Directory
|
O365Tenant should not have AnyMailTransportRuleRedirectMessageToExternalDomain eq True |
| Ensure mail transport rules do not whitelist specific domains |
Ensure mail transport rules do not whitelist specific domains. |
Azure Active Directory
|
TransportRule should not have SetScl = -1 and SenderDomainIs len() > 0 |
| Ensure MailTips are enabled for end users |
MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. |
|
OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0 |
| Ensure a malware filter policy exists |
Ensure a malware filter policy exists. |
|
O365 should have MalwareFilterPolicies len() gt 0 |
| Ensure multi-factor authentication is enabled for all users in administrative roles |
Ensure multi-factor authentication is enabled for all users in administrative roles |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Ensure multi-factor authentication is enabled for all users in all roles |
Ensure multi-factor authentication is enabled for all users in all roles. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Mobile devices passwords should be at least 6 characters |
Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinimumLength eq 6 ] |
| Ensure that mobile devices require complex passwords (Type = Alphanumeric) |
Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordRequiredType eq "atLeastAlphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] |
| Ensure that mobile device encryption is enabled |
Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true] |
| Ensure that users cannot connect from jailbroken or rooted devices |
Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ] |
| Lock mobile devices after a period of inactivity |
Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have MaxInactivityTimeLock eq "00:15:00" |
| Ensure device management polices are set to require advanced security configurations |
Configure your device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. |
Azure Active Directory
|
O365 should have DeviceConfigurations len() gt 0 |
| Ensure mobile device management policies are required for email profiles |
Configure your mobile device management policies to require the policy to manage the email profile of the user. If you do not require this, users will be able to setup and configure email accounts without the protections of the mobile device management policy, leading to potential breaches of accounts and data. |
|
O365 should have atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and managedEmailProfileRequired eq true ] |
| Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) |
Require your users to use a complex password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true] |
| Ensure that mobile device passwords never expire |
Ensure that user passwords on mobile devices never expire. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passcodeExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] |
| Ensure mobile devices require the use of a password |
Require your users to use a password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true] |
| Ensure that mobile device password reuse is prohibited |
Do not allow your users to reuse the same password on their mobile devices. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have PasswordHistory eq 50 |
| Ensure mobile devices are set to wipe on multiple sign-in failures |
Require mobile devices to wipe on multiple sign-in failures to prevent brute force compromise. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device. |
|
O365 should have atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeSignInFailureCountBeforeWipe lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] |
| Ensure modern authentication for Exchange Online is enabled |
Ensure modern authentication for Exchange Online is enabled. |
Exchange
|
OrganizationConfig should have OAuth2ClientProfileEnabled eq true |
| Notify the administrator when internal users send malware |
Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true |
| Ensure that OAuth 2.0 permission grants to third-party apps do not give permission to modify app role assignments. |
OAuth 2.0 permission grants enable a third-party connected app to access data based on the permissions granted. Do not grant third-party apps the ability to modify app role assignments. This would enable the third-party app to give users or apps access to resources that they should not have access to. |
|
OAuth2PermissionGrant should not have scope like "AppRoleAssignment.ReadWrite.All" |
| Ensure that Office 365 SharePoint infected files cannot be downloaded |
Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. |
|
SharepointTenant should have disallowInfectedFileDownload eq true |
| Ensure external storage providers available in Outlook on the Web are restricted |
Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box,
Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. |
|
OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false |
| Ensure an Outlook on the web mailbox policy exists |
Ensure an Outlook on the web mailbox policy exists. |
|
O365 should have OwaMailboxPolicies len() gt 0 |
| Ensure that password hash sync is enabled for resiliency and leaked credential detection |
Ensure that password hash sync is enabled for resiliency and leaked credential detection. |
Microsoft 365 security
|
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ] |
| Ensure that Office 365 passwords are not set to expire |
Ensure that Office 365 passwords are not set to expire. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [ controlName eq "PWAgePolicyNew" and scoreInPercentage eq 100 and IsApplicable eq true ] |
| Ensure the Advanced Threat Protection Safe Attachments policy is enabled |
Enabling the Advanced Threat Protection Safe Attachments policy extends malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. In that environment, a behavior analysis is performed using a variety of machine learning and analysis techniques to detect malicious intent. |
|
SafeAttachmentPolicy should have Enable eq true |
| Ensure self-service password reset is enabled |
Ensure self-service password reset is enabled. |
Microsoft 365 security
|
SecureScore should have atleast one controlScores with [ controlName eq "SelfServicePasswordReset" and scoreInPercentage eq 100] |
| Ensure modern authentication for SharePoint applications is required |
Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. |
|
SharepointTenant should have legacyAuthProtocolsEnabled eq false |
| Ensure SPF records are published for all Exchange domains |
Ensure that Sender Policy Framework (SPF) records are published for all Exchange domains. Using SPF helps to validate outbound email sent from your custom domain by determining whether or not a sender is permitted to send on behalf of a domain. |
Azure Active Directory
|
AcceptedDomain should have spfRecordPublished eq true |
| Ensure a transport rule exists |
Ensure a transport rule exists. |
|
O365 should have TransportRules len() gt 0 |
| Ensure that between two and four global admins are designated |
Ensure that between two and four global admins are designated. |
Azure Active Directory
|
O365Tenant should have globalAdminUserCount >= 2 and globalAdminUserCount <= 4 |
| Use limited administrative roles |
Limited administrators are users who have more privileges than standard users, but not as many privileges as global admins. Leveraging limited administrator roles to perform required administrative work reduces the number of high value, high impact global admin role holders you have. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached. |
|
SecureScore should have atleast one controlScores with [controlName eq "RoleOverlap" and scoreInPercentage eq 100 ] |
| Ensure that users do not have the default strong password policy disabled. |
In Azure, users by default have a strong password policy enabled. However, admin users are able to disable the default strong password policy for individual users. This functionality should not be used and all individual users' password policies should require a strong password. |
|
User should not have passwordPolicies like "DisableStrongPassword" |
| Ensure that users cannot install Outlook add-ins |
Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. |
|
O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ] |
| Ensure syncing of a pre-determined list of files to OneDrive is blocked |
Block potentially malicious file types from clients automatically syncing to OneDrive. |
|
SharepointTenant should have (excludedFileExtensionsForSyncClient has ("rar") and excludedFileExtensionsForSyncClient has ("zip") and excludedFileExtensionsForSyncClient has ("7z") and excludedFileExtensionsForSyncClient has ("gzip") and excludedFileExtensionsForSyncClient has ("bzip") and excludedFileExtensionsForSyncClient has ("exe") and excludedFileExtensionsForSyncClient has ("bat") and excludedFileExtensionsForSyncClient has ("run") and excludedFileExtensionsForSyncClient has ("vbs") and excludedFileExtensionsForSyncClient has ("vb") and excludedFileExtensionsForSyncClient has ("psd1") and excludedFileExtensionsForSyncClient has ("psm1")) |
| Ensure Bookings is set to off for the entire organization |
Disable Microsoft Bookings for the entire organization. |
|
OrganizationConfig should not have BookingsEnabled eq true |
| Ensure Safe Documents for Office Client setting is turned on |
Enable Safe Documents across the organization and prevent users from leaving protected view when the document has been identified as malicious. |
|
AtpPolicyForO365 should have EnableSafeDocs eq true and AllowSafeDocsOpen eq false |
| Ensure zero-hour auto purge (ZAP) for spam is turned on |
For unread messages that are identified as spam after delivery, the Zero-hour auto purge (ZAP) moves those messages to Junk Email folder. The outcome depends on the action that's configured for the Spam filtering verdict in the applicable anti-spam policy |
|
O365 should have atleast one HostedContentFilterRules with [ State eq "Enabled" and IsValid eq true and HostedContentFilterPolicy.ZapEnabled eq true and HostedContentFilterPolicy.SpamZapEnabled eq true and HostedContentFilterPolicy.IsValid eq true ] |
| Ensure zero-hour auto purge (ZAP) is turned on for malware |
Zero-hour auto purge (ZAP) helps quarantine messages that contain potentially malicious attachments before users can view them. |
|
O365 should have atleast one MalwareFilterRules with [ State eq "Enabled" and IsValid eq true and MalwareFilterPolicy.ZapEnabled eq true and MalwareFilterPolicy.IsValid eq true ] |
| Ensure Safe Link setup is configured in email messages and Office documents |
Safe Links can help protect your organization by providing time-of-click verification of web addresses (URLs) in email messages and Office documents. Disabling user-click-through ensures your organization has maximum protection against malicious links. |
|
SafeLinksPolicy should have AllowClickThrough eq false and EnableSafeLinksForEmail eq true and EnableSafeLinksForOffice eq true |
| Description |
Service |
Rule |
| Ensure at least one anti-phishing policy exists |
Ensure that at least one anti-phishing policy exists. |
Azure Active Directory
|
O365 should have AntiPhishPolicies len() gt 0 |
| Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is enabled |
Enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams to prevent users from opening and downloading files that are identified as malicious. |
|
AtpPolicyForO365 should have EnableATPForSPOTeamsODB eq true |
| Ensure automatic forwarding options are disabled |
Disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web. In the event that an attacker gains control of an end-user account they could create rules to exfiltrate data from your environment. |
|
RemoteDomain should have AutoForwardEnabled eq false |
| Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly |
This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. |
Azure Active Directory
|
O365Tenant should have unreviewedRiskEventsExist eq false |
| Enable Azure AD Identity Protection sign-in risk policies |
Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ] |
| Enable Azure AD Identity Protection user risk policies |
Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ] |
| Ensure basic authentication for Exchange Online is disabled |
Ensure basic authentication for Exchange Online is disabled. |
Azure Active Directory
|
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false |
| Enable Conditional Access policies to block legacy authentication |
Enable Conditional Access policies to block legacy authentication. |
Azure Active Directory
|
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1 and state eq "enabled"] |
| Block OneDrive for Business sync from unmanaged devices |
Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. |
|
SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true |
| Ensure that sharing full calendar details with external users is disabled |
Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. |
|
SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ] |
| Ensure that client-side rules that automatically forward email to external domains are blocked |
Block client-side rules that automatically forward email to external domains. The use of client-side forwarding rules to exfiltrate data to external recipients is an increasingly used vector for data exfiltration by bad actors. |
|
O365 should have atleast one TransportRules with [ State eq "Enabled" and Priority eq 0 and SentToScope eq "NotInOrganization" and FromScope eq "InOrganization" and MessageTypeMatches eq "AutoForward" and RejectMessageEnhancedStatusCode eq "5.7.1" ] |
| Ensure DKIM is enabled for all Exchange Online Domains |
DKIM lets you add a digital signature to outbound email messages in the message header. This signature is used to verify that the messages are really coming from you and not coming from someone spoofing your domain. |
Azure Active Directory
|
DkimSigningConfig should have Enabled eq true |
| Ensure DMARC Records for all Exchange Online domains are published |
Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. When you use DMARC, the receiving server performs a check against the From address. |
Azure Active Directory
|
AcceptedDomain should have DMARCRecordPublished eq true |
| Ensure document sharing is controlled by domains with sharing restrictions configured |
Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. |
|
SharepointTenant should have sharingDomainRestrictionMode neq 0 |
| Ensure audit log search is enabled |
Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. |
Azure Active Directory
|
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true |
| Ensure the Common Attachment Types Filter is enabled |
Ensure the Common Attachment Types Filter is enabled. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableFileFilter eq true |
| Ensure mailbox auditing for all users is enabled |
By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. |
Azure Active Directory
|
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true |
| Ensure Exchange Online outbound spam filter policies are properly configured |
Ensure the Exchange Online outbound spam filter policy is properly configured. Set your Exchange Online Spam Policies to copy emails and notify someone when a sender in your tenant has been blocked for sending spam emails. |
Azure Active Directory
|
HostedOutboundSpamFilterPolicy should have NotifyOutboundSpam eq true and BccSuspiciousOutboundMail eq true and Enabled eq true |
| Ensure expiration time for external sharing links is set |
Restrict the length of time that anonymous access links are valid. |
Azure Active Directory
|
SharepointTenant should have requireAnonymousLinksExpireInDays > 0 |
| Ensure that external users cannot share files, folders, and sites they do not own |
SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. |
|
SharepointTenant should have preventExternalUsersFromResharing eq true |
| Ensure that Facebook contact synchronization is disabled |
Disable integration with Facebook as a measure to help prevent phishing scams. |
|
OwaMailboxPolicy should have FacebookEnabled eq false |
| Ensure that LinkedIn contact synchronization is disabled |
Disable integration with LinkedIn as a measure to help prevent phishing scams. |
|
OwaMailboxPolicy should have LinkedInEnabled eq false |
| Ensure mail transport rules do not forward email to external domains |
Ensure mail transport rules do not forward email to external domains. |
Azure Active Directory
|
O365Tenant should not have AnyMailTransportRuleRedirectMessageToExternalDomain eq True |
| Ensure mail transport rules do not whitelist specific domains |
Ensure mail transport rules do not whitelist specific domains. |
Azure Active Directory
|
TransportRule should not have SetScl = -1 and SenderDomainIs len() > 0 |
| Ensure MailTips are enabled for end users |
MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. |
|
OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0 |
| Ensure multi-factor authentication is enabled for all users in administrative roles |
Ensure multi-factor authentication is enabled for all users in administrative roles |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Ensure multi-factor authentication is enabled for all users in all roles |
Ensure multi-factor authentication is enabled for all users in all roles. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Mobile devices passwords should be at least 6 characters |
Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinimumLength eq 6 ] |
| Ensure that mobile devices require complex passwords (Type = Alphanumeric) |
Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordRequiredType eq "atLeastAlphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] |
| Ensure that mobile device encryption is enabled |
Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true] |
| Ensure that users cannot connect from jailbroken or rooted devices |
Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ] |
| Lock mobile devices after a period of inactivity |
Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have MaxInactivityTimeLock eq "00:15:00" |
| Ensure device management polices are set to require advanced security configurations |
Configure your device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. |
Azure Active Directory
|
O365 should have DeviceConfigurations len() gt 0 |
| Ensure mobile device management policies are required for email profiles |
Configure your mobile device management policies to require the policy to manage the email profile of the user. If you do not require this, users will be able to setup and configure email accounts without the protections of the mobile device management policy, leading to potential breaches of accounts and data. |
|
O365 should have atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and managedEmailProfileRequired eq true ] |
| Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) |
Require your users to use a complex password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true] |
| Ensure that mobile device passwords never expire |
Ensure that user passwords on mobile devices never expire. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passcodeExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] |
| Ensure mobile devices require the use of a password |
Require your users to use a password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true] |
| Ensure that mobile device password reuse is prohibited |
Do not allow your users to reuse the same password on their mobile devices. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have PasswordHistory eq 50 |
| Ensure mobile devices are set to wipe on multiple sign-in failures |
Require mobile devices to wipe on multiple sign-in failures to prevent brute force compromise. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device. |
|
O365 should have atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeSignInFailureCountBeforeWipe lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] |
| Ensure modern authentication for Exchange Online is enabled |
Ensure modern authentication for Exchange Online is enabled. |
Exchange
|
OrganizationConfig should have OAuth2ClientProfileEnabled eq true |
| Notify the administrator when internal users send malware |
Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true |
| Ensure O365 ATP SafeLinks for Office Applications is Enabled |
Enabling the Advanced Threat Protection (ATP) Safe Links policy for Office applications allows URLs that exist inside of Office documents opened by Office, Office Online and Office mobile to be processed against ATP time-of-click verification. |
|
AtpPolicyForO365 should have AllowClickThrough eq false and EnableSafeLinksForO365Clients eq true |
| Ensure that Office 365 SharePoint infected files cannot be downloaded |
Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. |
|
SharepointTenant should have disallowInfectedFileDownload eq true |
| Ensure external storage providers available in Outlook on the Web are restricted |
Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box,
Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. |
|
OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false |
| Ensure that password hash sync is enabled for resiliency and leaked credential detection |
Ensure that password hash sync is enabled for resiliency and leaked credential detection. |
Microsoft 365 security
|
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ] |
| Ensure that Office 365 passwords are not set to expire |
Ensure that Office 365 passwords are not set to expire. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [ controlName eq "PWAgePolicyNew" and scoreInPercentage eq 100 and IsApplicable eq true ] |
| Ensure the Advanced Threat Protection Safe Attachments policy is enabled |
Enabling the Advanced Threat Protection Safe Attachments policy extends malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. In that environment, a behavior analysis is performed using a variety of machine learning and analysis techniques to detect malicious intent. |
|
SafeAttachmentPolicy should have Enable eq true |
| Ensure self-service password reset is enabled |
Ensure self-service password reset is enabled. |
Microsoft 365 security
|
SecureScore should have atleast one controlScores with [ controlName eq "SelfServicePasswordReset" and scoreInPercentage eq 100] |
| Ensure modern authentication for SharePoint applications is required |
Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. |
|
SharepointTenant should have legacyAuthProtocolsEnabled eq false |
| Ensure SPF records are published for all Exchange domains |
Ensure that Sender Policy Framework (SPF) records are published for all Exchange domains. Using SPF helps to validate outbound email sent from your custom domain by determining whether or not a sender is permitted to send on behalf of a domain. |
Azure Active Directory
|
AcceptedDomain should have spfRecordPublished eq true |
| Ensure that between two and four global admins are designated |
Ensure that between two and four global admins are designated. |
Azure Active Directory
|
O365Tenant should have globalAdminUserCount >= 2 and globalAdminUserCount <= 4 |
| Ensure that users cannot install Outlook add-ins |
Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. |
|
O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ] |
| Description |
Service |
Rule |
| All users should be registered and signed up for MFA |
Multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. |
|
SecureScore should have atleast one controlScores with [controlName eq "MFARegistrationV2" and scoreInPercentage eq 100 ] |
| Ensure at least one anti-phishing policy exists |
Ensure that at least one anti-phishing policy exists. |
Azure Active Directory
|
O365 should have AntiPhishPolicies len() gt 0 |
| Ensure an authentication policy exists |
Ensure an authentication policy exists. |
|
O365 should have AuthenticationPolicies len() gt 0 |
| Ensure automatic forwarding options are disabled |
Disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web. In the event that an attacker gains control of an end-user account they could create rules to exfiltrate data from your environment. |
|
RemoteDomain should have AutoForwardEnabled eq false |
| Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly |
This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. |
Azure Active Directory
|
O365Tenant should have unreviewedRiskEventsExist eq false |
| Enable Azure AD Identity Protection sign-in risk policies |
Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ] |
| Enable Azure AD Identity Protection user risk policies |
Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ] |
| Ensure basic authentication for Exchange Online is disabled |
Ensure basic authentication for Exchange Online is disabled. |
Azure Active Directory
|
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false |
| Enable Conditional Access policies to block legacy authentication |
Enable Conditional Access policies to block legacy authentication. |
Azure Active Directory
|
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1 and state eq "enabled"] |
| Block OneDrive for Business sync from unmanaged devices |
Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. |
|
SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true |
| Ensure that sharing full calendar details with external users is disabled |
Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. |
|
SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ] |
| Ensure that client-side rules that automatically forward email to external domains are blocked |
Block client-side rules that automatically forward email to external domains. The use of client-side forwarding rules to exfiltrate data to external recipients is an increasingly used vector for data exfiltration by bad actors. |
|
O365 should have atleast one TransportRules with [ State eq "Enabled" and Priority eq 0 and SentToScope eq "NotInOrganization" and FromScope eq "InOrganization" and MessageTypeMatches eq "AutoForward" and RejectMessageEnhancedStatusCode eq "5.7.1" ] |
| Ensure DKIM is enabled for all Exchange Online Domains |
DKIM lets you add a digital signature to outbound email messages in the message header. This signature is used to verify that the messages are really coming from you and not coming from someone spoofing your domain. |
Azure Active Directory
|
DkimSigningConfig should have Enabled eq true |
| Ensure a DomainKeys Identified Mail (DKIM) signing policy exists |
Ensure a DomainKeys Identified Mail (DKIM) signing policy exists. |
|
O365 should have DkimSigningConfig len() gt 0 |
| Ensure DMARC Records for all Exchange Online domains are published |
Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. When you use DMARC, the receiving server performs a check against the From address. |
Azure Active Directory
|
AcceptedDomain should have DMARCRecordPublished eq true |
| Do not allow users to grant consent to unmanaged applications |
Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. |
|
SecureScore should have atleast one controlScores with [controlName eq "IntegratedApps" and scoreInPercentage eq 100 ] |
| Ensure document sharing is controlled by domains with sharing restrictions configured |
Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. |
|
SharepointTenant should have sharingDomainRestrictionMode neq 0 |
| Ensure audit log search is enabled |
Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. |
Azure Active Directory
|
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true |
| Ensure the Common Attachment Types Filter is enabled |
Ensure the Common Attachment Types Filter is enabled. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableFileFilter eq true |
| Ensure mailbox auditing for all users is enabled |
By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. |
Azure Active Directory
|
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true |
| Ensure expiration time for external sharing links is set |
Restrict the length of time that anonymous access links are valid. |
Azure Active Directory
|
SharepointTenant should have requireAnonymousLinksExpireInDays > 0 |
| Ensure that external users cannot share files, folders, and sites they do not own |
SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. |
|
SharepointTenant should have preventExternalUsersFromResharing eq true |
| Ensure that Facebook contact synchronization is disabled |
Disable integration with Facebook as a measure to help prevent phishing scams. |
|
OwaMailboxPolicy should have FacebookEnabled eq false |
| Ensure a hosted outbound spam filter policy exists. |
Ensure a hosted outbound spam filter policy exists. |
|
O365 should have HostedOutboundSpamFilterPolicies len() gt 0 |
| Ensure that LinkedIn contact synchronization is disabled |
Disable integration with LinkedIn as a measure to help prevent phishing scams. |
|
OwaMailboxPolicy should have LinkedInEnabled eq false |
| Ensure mail transport rules do not forward email to external domains |
Ensure mail transport rules do not forward email to external domains. |
Azure Active Directory
|
O365Tenant should not have AnyMailTransportRuleRedirectMessageToExternalDomain eq True |
| Ensure mail transport rules do not whitelist specific domains |
Ensure mail transport rules do not whitelist specific domains. |
Azure Active Directory
|
TransportRule should not have SetScl = -1 and SenderDomainIs len() > 0 |
| Ensure MailTips are enabled for end users |
MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. |
|
OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0 |
| Ensure a malware filter policy exists |
Ensure a malware filter policy exists. |
|
O365 should have MalwareFilterPolicies len() gt 0 |
| Ensure multi-factor authentication is enabled for all users in administrative roles |
Ensure multi-factor authentication is enabled for all users in administrative roles |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Ensure multi-factor authentication is enabled for all users in all roles |
Ensure multi-factor authentication is enabled for all users in all roles. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Mobile devices passwords should be at least 6 characters |
Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinimumLength eq 6 ] |
| Ensure that mobile devices require complex passwords (Type = Alphanumeric) |
Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordRequiredType eq "atLeastAlphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] |
| Ensure that mobile device encryption is enabled |
Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true] |
| Ensure that users cannot connect from jailbroken or rooted devices |
Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ] |
| Lock mobile devices after a period of inactivity |
Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have MaxInactivityTimeLock eq "00:15:00" |
| Ensure device management polices are set to require advanced security configurations |
Configure your device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. |
Azure Active Directory
|
O365 should have DeviceConfigurations len() gt 0 |
| Ensure mobile device management policies are required for email profiles |
Configure your mobile device management policies to require the policy to manage the email profile of the user. If you do not require this, users will be able to setup and configure email accounts without the protections of the mobile device management policy, leading to potential breaches of accounts and data. |
|
O365 should have atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and managedEmailProfileRequired eq true ] |
| Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) |
Require your users to use a complex password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true] |
| Ensure that mobile device passwords never expire |
Ensure that user passwords on mobile devices never expire. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passcodeExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] |
| Ensure mobile devices require the use of a password |
Require your users to use a password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true] |
| Ensure that mobile device password reuse is prohibited |
Do not allow your users to reuse the same password on their mobile devices. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have PasswordHistory eq 50 |
| Ensure mobile devices are set to wipe on multiple sign-in failures |
Require mobile devices to wipe on multiple sign-in failures to prevent brute force compromise. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device. |
|
O365 should have atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeSignInFailureCountBeforeWipe lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] |
| Ensure modern authentication for Exchange Online is enabled |
Ensure modern authentication for Exchange Online is enabled. |
Exchange
|
OrganizationConfig should have OAuth2ClientProfileEnabled eq true |
| Notify the administrator when internal users send malware |
Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true |
| Ensure that OAuth 2.0 permission grants to third-party apps do not give permission to modify app role assignments. |
OAuth 2.0 permission grants enable a third-party connected app to access data based on the permissions granted. Do not grant third-party apps the ability to modify app role assignments. This would enable the third-party app to give users or apps access to resources that they should not have access to. |
|
OAuth2PermissionGrant should not have scope like "AppRoleAssignment.ReadWrite.All" |
| Ensure that Office 365 SharePoint infected files cannot be downloaded |
Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. |
|
SharepointTenant should have disallowInfectedFileDownload eq true |
| Ensure external storage providers available in Outlook on the Web are restricted |
Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box,
Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. |
|
OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false |
| Ensure an Outlook on the web mailbox policy exists |
Ensure an Outlook on the web mailbox policy exists. |
|
O365 should have OwaMailboxPolicies len() gt 0 |
| Ensure that password hash sync is enabled for resiliency and leaked credential detection |
Ensure that password hash sync is enabled for resiliency and leaked credential detection. |
Microsoft 365 security
|
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ] |
| Ensure that Office 365 passwords are not set to expire |
Ensure that Office 365 passwords are not set to expire. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [ controlName eq "PWAgePolicyNew" and scoreInPercentage eq 100 and IsApplicable eq true ] |
| Ensure modern authentication for SharePoint applications is required |
Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. |
|
SharepointTenant should have legacyAuthProtocolsEnabled eq false |
| Ensure SPF records are published for all Exchange domains |
Ensure that Sender Policy Framework (SPF) records are published for all Exchange domains. Using SPF helps to validate outbound email sent from your custom domain by determining whether or not a sender is permitted to send on behalf of a domain. |
Azure Active Directory
|
AcceptedDomain should have spfRecordPublished eq true |
| Ensure a transport rule exists |
Ensure a transport rule exists. |
|
O365 should have TransportRules len() gt 0 |
| Use limited administrative roles |
Limited administrators are users who have more privileges than standard users, but not as many privileges as global admins. Leveraging limited administrator roles to perform required administrative work reduces the number of high value, high impact global admin role holders you have. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached. |
|
SecureScore should have atleast one controlScores with [controlName eq "RoleOverlap" and scoreInPercentage eq 100 ] |
| Ensure that users do not have the default strong password policy disabled. |
In Azure, users by default have a strong password policy enabled. However, admin users are able to disable the default strong password policy for individual users. This functionality should not be used and all individual users' password policies should require a strong password. |
|
User should not have passwordPolicies like "DisableStrongPassword" |
| Ensure that users cannot install Outlook add-ins |
Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. |
|
O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ] |
| Description |
Service |
Rule |
| All users should be registered and signed up for MFA |
Multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. |
|
SecureScore should have atleast one controlScores with [controlName eq "MFARegistrationV2" and scoreInPercentage eq 100 ] |
| Ensure at least one anti-phishing policy exists |
Ensure that at least one anti-phishing policy exists. |
Azure Active Directory
|
O365 should have AntiPhishPolicies len() gt 0 |
| Ensure an authentication policy exists |
Ensure an authentication policy exists. |
|
O365 should have AuthenticationPolicies len() gt 0 |
| Ensure automatic forwarding options are disabled |
Disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web. In the event that an attacker gains control of an end-user account they could create rules to exfiltrate data from your environment. |
|
RemoteDomain should have AutoForwardEnabled eq false |
| Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly |
This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. |
Azure Active Directory
|
O365Tenant should have unreviewedRiskEventsExist eq false |
| Enable Azure AD Identity Protection sign-in risk policies |
Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ] |
| Enable Azure AD Identity Protection user risk policies |
Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ] |
| Ensure basic authentication for Exchange Online is disabled |
Ensure basic authentication for Exchange Online is disabled. |
Azure Active Directory
|
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false |
| Enable Conditional Access policies to block legacy authentication |
Enable Conditional Access policies to block legacy authentication. |
Azure Active Directory
|
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1 and state eq "enabled"] |
| Block OneDrive for Business sync from unmanaged devices |
Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. |
|
SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true |
| Ensure that sharing full calendar details with external users is disabled |
Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. |
|
SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ] |
| Ensure that client-side rules that automatically forward email to external domains are blocked |
Block client-side rules that automatically forward email to external domains. The use of client-side forwarding rules to exfiltrate data to external recipients is an increasingly used vector for data exfiltration by bad actors. |
|
O365 should have atleast one TransportRules with [ State eq "Enabled" and Priority eq 0 and SentToScope eq "NotInOrganization" and FromScope eq "InOrganization" and MessageTypeMatches eq "AutoForward" and RejectMessageEnhancedStatusCode eq "5.7.1" ] |
| Ensure DKIM is enabled for all Exchange Online Domains |
DKIM lets you add a digital signature to outbound email messages in the message header. This signature is used to verify that the messages are really coming from you and not coming from someone spoofing your domain. |
Azure Active Directory
|
DkimSigningConfig should have Enabled eq true |
| Ensure a DomainKeys Identified Mail (DKIM) signing policy exists |
Ensure a DomainKeys Identified Mail (DKIM) signing policy exists. |
|
O365 should have DkimSigningConfig len() gt 0 |
| Ensure DMARC Records for all Exchange Online domains are published |
Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. When you use DMARC, the receiving server performs a check against the From address. |
Azure Active Directory
|
AcceptedDomain should have DMARCRecordPublished eq true |
| Do not allow users to grant consent to unmanaged applications |
Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. |
|
SecureScore should have atleast one controlScores with [controlName eq "IntegratedApps" and scoreInPercentage eq 100 ] |
| Ensure document sharing is controlled by domains with sharing restrictions configured |
Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. |
|
SharepointTenant should have sharingDomainRestrictionMode neq 0 |
| Ensure audit log search is enabled |
Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. |
Azure Active Directory
|
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true |
| Ensure the Common Attachment Types Filter is enabled |
Ensure the Common Attachment Types Filter is enabled. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableFileFilter eq true |
| Ensure mailbox auditing for all users is enabled |
By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. |
Azure Active Directory
|
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true |
| Ensure expiration time for external sharing links is set |
Restrict the length of time that anonymous access links are valid. |
Azure Active Directory
|
SharepointTenant should have requireAnonymousLinksExpireInDays > 0 |
| Ensure that external users cannot share files, folders, and sites they do not own |
SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. |
|
SharepointTenant should have preventExternalUsersFromResharing eq true |
| Ensure a hosted outbound spam filter policy exists. |
Ensure a hosted outbound spam filter policy exists. |
|
O365 should have HostedOutboundSpamFilterPolicies len() gt 0 |
| Ensure mail transport rules do not forward email to external domains |
Ensure mail transport rules do not forward email to external domains. |
Azure Active Directory
|
O365Tenant should not have AnyMailTransportRuleRedirectMessageToExternalDomain eq True |
| Ensure mail transport rules do not whitelist specific domains |
Ensure mail transport rules do not whitelist specific domains. |
Azure Active Directory
|
TransportRule should not have SetScl = -1 and SenderDomainIs len() > 0 |
| Ensure MailTips are enabled for end users |
MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. |
|
OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0 |
| Ensure a malware filter policy exists |
Ensure a malware filter policy exists. |
|
O365 should have MalwareFilterPolicies len() gt 0 |
| Ensure multi-factor authentication is enabled for all users in administrative roles |
Ensure multi-factor authentication is enabled for all users in administrative roles |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Ensure multi-factor authentication is enabled for all users in all roles |
Ensure multi-factor authentication is enabled for all users in all roles. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Mobile devices passwords should be at least 6 characters |
Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinimumLength eq 6 ] |
| Ensure that mobile devices require complex passwords (Type = Alphanumeric) |
Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordRequiredType eq "atLeastAlphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] |
| Ensure that mobile device encryption is enabled |
Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true] |
| Ensure that users cannot connect from jailbroken or rooted devices |
Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ] |
| Lock mobile devices after a period of inactivity |
Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have MaxInactivityTimeLock eq "00:15:00" |
| Ensure device management polices are set to require advanced security configurations |
Configure your device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. |
Azure Active Directory
|
O365 should have DeviceConfigurations len() gt 0 |
| Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) |
Require your users to use a complex password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true] |
| Ensure that mobile device passwords never expire |
Ensure that user passwords on mobile devices never expire. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passcodeExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] |
| Ensure mobile devices require the use of a password |
Require your users to use a password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true] |
| Ensure that mobile device password reuse is prohibited |
Do not allow your users to reuse the same password on their mobile devices. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have PasswordHistory eq 50 |
| Ensure modern authentication for Exchange Online is enabled |
Ensure modern authentication for Exchange Online is enabled. |
Exchange
|
OrganizationConfig should have OAuth2ClientProfileEnabled eq true |
| Notify the administrator when internal users send malware |
Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true |
| Ensure that OAuth 2.0 permission grants to third-party apps do not give permission to modify app role assignments. |
OAuth 2.0 permission grants enable a third-party connected app to access data based on the permissions granted. Do not grant third-party apps the ability to modify app role assignments. This would enable the third-party app to give users or apps access to resources that they should not have access to. |
|
OAuth2PermissionGrant should not have scope like "AppRoleAssignment.ReadWrite.All" |
| Ensure that Office 365 SharePoint infected files cannot be downloaded |
Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. |
|
SharepointTenant should have disallowInfectedFileDownload eq true |
| Ensure external storage providers available in Outlook on the Web are restricted |
Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box,
Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. |
|
OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false |
| Ensure that password hash sync is enabled for resiliency and leaked credential detection |
Ensure that password hash sync is enabled for resiliency and leaked credential detection. |
Microsoft 365 security
|
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ] |
| Ensure that Office 365 passwords are not set to expire |
Ensure that Office 365 passwords are not set to expire. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [ controlName eq "PWAgePolicyNew" and scoreInPercentage eq 100 and IsApplicable eq true ] |
| Ensure modern authentication for SharePoint applications is required |
Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. |
|
SharepointTenant should have legacyAuthProtocolsEnabled eq false |
| Ensure SPF records are published for all Exchange domains |
Ensure that Sender Policy Framework (SPF) records are published for all Exchange domains. Using SPF helps to validate outbound email sent from your custom domain by determining whether or not a sender is permitted to send on behalf of a domain. |
Azure Active Directory
|
AcceptedDomain should have spfRecordPublished eq true |
| Ensure a transport rule exists |
Ensure a transport rule exists. |
|
O365 should have TransportRules len() gt 0 |
| Use limited administrative roles |
Limited administrators are users who have more privileges than standard users, but not as many privileges as global admins. Leveraging limited administrator roles to perform required administrative work reduces the number of high value, high impact global admin role holders you have. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached. |
|
SecureScore should have atleast one controlScores with [controlName eq "RoleOverlap" and scoreInPercentage eq 100 ] |
| Ensure that users do not have the default strong password policy disabled. |
In Azure, users by default have a strong password policy enabled. However, admin users are able to disable the default strong password policy for individual users. This functionality should not be used and all individual users' password policies should require a strong password. |
|
User should not have passwordPolicies like "DisableStrongPassword" |
| Ensure that users cannot install Outlook add-ins |
Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. |
|
O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ] |
| Description |
Service |
Rule |
| All users should be registered and signed up for MFA |
Multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. |
|
SecureScore should have atleast one controlScores with [controlName eq "MFARegistrationV2" and scoreInPercentage eq 100 ] |
| Ensure at least one anti-phishing policy exists |
Ensure that at least one anti-phishing policy exists. |
Azure Active Directory
|
O365 should have AntiPhishPolicies len() gt 0 |
| Ensure an authentication policy exists |
Ensure an authentication policy exists. |
|
O365 should have AuthenticationPolicies len() gt 0 |
| Ensure automatic forwarding options are disabled |
Disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web. In the event that an attacker gains control of an end-user account they could create rules to exfiltrate data from your environment. |
|
RemoteDomain should have AutoForwardEnabled eq false |
| Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly |
This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. |
Azure Active Directory
|
O365Tenant should have unreviewedRiskEventsExist eq false |
| Enable Azure AD Identity Protection sign-in risk policies |
Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ] |
| Enable Azure AD Identity Protection user risk policies |
Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ] |
| Ensure basic authentication for Exchange Online is disabled |
Ensure basic authentication for Exchange Online is disabled. |
Azure Active Directory
|
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false |
| Enable Conditional Access policies to block legacy authentication |
Enable Conditional Access policies to block legacy authentication. |
Azure Active Directory
|
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1 and state eq "enabled"] |
| Block OneDrive for Business sync from unmanaged devices |
Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. |
|
SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true |
| Ensure that sharing full calendar details with external users is disabled |
Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. |
|
SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ] |
| Ensure that client-side rules that automatically forward email to external domains are blocked |
Block client-side rules that automatically forward email to external domains. The use of client-side forwarding rules to exfiltrate data to external recipients is an increasingly used vector for data exfiltration by bad actors. |
|
O365 should have atleast one TransportRules with [ State eq "Enabled" and Priority eq 0 and SentToScope eq "NotInOrganization" and FromScope eq "InOrganization" and MessageTypeMatches eq "AutoForward" and RejectMessageEnhancedStatusCode eq "5.7.1" ] |
| Do not allow users to grant consent to unmanaged applications |
Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. |
|
SecureScore should have atleast one controlScores with [controlName eq "IntegratedApps" and scoreInPercentage eq 100 ] |
| Ensure document sharing is controlled by domains with sharing restrictions configured |
Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. |
|
SharepointTenant should have sharingDomainRestrictionMode neq 0 |
| Ensure audit log search is enabled |
Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. |
Azure Active Directory
|
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true |
| Ensure the Common Attachment Types Filter is enabled |
Ensure the Common Attachment Types Filter is enabled. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableFileFilter eq true |
| Ensure mailbox auditing for all users is enabled |
By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. |
Azure Active Directory
|
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true |
| Ensure expiration time for external sharing links is set |
Restrict the length of time that anonymous access links are valid. |
Azure Active Directory
|
SharepointTenant should have requireAnonymousLinksExpireInDays > 0 |
| Ensure that external users cannot share files, folders, and sites they do not own |
SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. |
|
SharepointTenant should have preventExternalUsersFromResharing eq true |
| Ensure that Facebook contact synchronization is disabled |
Disable integration with Facebook as a measure to help prevent phishing scams. |
|
OwaMailboxPolicy should have FacebookEnabled eq false |
| Ensure a hosted outbound spam filter policy exists. |
Ensure a hosted outbound spam filter policy exists. |
|
O365 should have HostedOutboundSpamFilterPolicies len() gt 0 |
| Ensure that LinkedIn contact synchronization is disabled |
Disable integration with LinkedIn as a measure to help prevent phishing scams. |
|
OwaMailboxPolicy should have LinkedInEnabled eq false |
| Ensure mail transport rules do not forward email to external domains |
Ensure mail transport rules do not forward email to external domains. |
Azure Active Directory
|
O365Tenant should not have AnyMailTransportRuleRedirectMessageToExternalDomain eq True |
| Ensure mail transport rules do not whitelist specific domains |
Ensure mail transport rules do not whitelist specific domains. |
Azure Active Directory
|
TransportRule should not have SetScl = -1 and SenderDomainIs len() > 0 |
| Ensure MailTips are enabled for end users |
MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. |
|
OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0 |
| Ensure a malware filter policy exists |
Ensure a malware filter policy exists. |
|
O365 should have MalwareFilterPolicies len() gt 0 |
| Ensure multi-factor authentication is enabled for all users in administrative roles |
Ensure multi-factor authentication is enabled for all users in administrative roles |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Ensure multi-factor authentication is enabled for all users in all roles |
Ensure multi-factor authentication is enabled for all users in all roles. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Mobile devices passwords should be at least 6 characters |
Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinimumLength eq 6 ] |
| Ensure that mobile devices require complex passwords (Type = Alphanumeric) |
Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordRequiredType eq "atLeastAlphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] |
| Ensure that mobile device encryption is enabled |
Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true] |
| Ensure that users cannot connect from jailbroken or rooted devices |
Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ] |
| Lock mobile devices after a period of inactivity |
Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have MaxInactivityTimeLock eq "00:15:00" |
| Ensure device management polices are set to require advanced security configurations |
Configure your device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. |
Azure Active Directory
|
O365 should have DeviceConfigurations len() gt 0 |
| Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) |
Require your users to use a complex password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true] |
| Ensure that mobile device passwords never expire |
Ensure that user passwords on mobile devices never expire. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passcodeExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] |
| Ensure mobile devices require the use of a password |
Require your users to use a password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true] |
| Ensure that mobile device password reuse is prohibited |
Do not allow your users to reuse the same password on their mobile devices. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have PasswordHistory eq 50 |
| Ensure mobile devices are set to wipe on multiple sign-in failures |
Require mobile devices to wipe on multiple sign-in failures to prevent brute force compromise. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device. |
|
O365 should have atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeSignInFailureCountBeforeWipe lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] |
| Ensure modern authentication for Exchange Online is enabled |
Ensure modern authentication for Exchange Online is enabled. |
Exchange
|
OrganizationConfig should have OAuth2ClientProfileEnabled eq true |
| Notify the administrator when internal users send malware |
Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true |
| Ensure that OAuth 2.0 permission grants to third-party apps do not give permission to modify app role assignments. |
OAuth 2.0 permission grants enable a third-party connected app to access data based on the permissions granted. Do not grant third-party apps the ability to modify app role assignments. This would enable the third-party app to give users or apps access to resources that they should not have access to. |
|
OAuth2PermissionGrant should not have scope like "AppRoleAssignment.ReadWrite.All" |
| Ensure that Office 365 SharePoint infected files cannot be downloaded |
Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. |
|
SharepointTenant should have disallowInfectedFileDownload eq true |
| Ensure external storage providers available in Outlook on the Web are restricted |
Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box,
Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. |
|
OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false |
| Ensure an Outlook on the web mailbox policy exists |
Ensure an Outlook on the web mailbox policy exists. |
|
O365 should have OwaMailboxPolicies len() gt 0 |
| Ensure that password hash sync is enabled for resiliency and leaked credential detection |
Ensure that password hash sync is enabled for resiliency and leaked credential detection. |
Microsoft 365 security
|
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ] |
| Ensure that Office 365 passwords are not set to expire |
Ensure that Office 365 passwords are not set to expire. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [ controlName eq "PWAgePolicyNew" and scoreInPercentage eq 100 and IsApplicable eq true ] |
| Ensure self-service password reset is enabled |
Ensure self-service password reset is enabled. |
Microsoft 365 security
|
SecureScore should have atleast one controlScores with [ controlName eq "SelfServicePasswordReset" and scoreInPercentage eq 100] |
| Ensure modern authentication for SharePoint applications is required |
Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. |
|
SharepointTenant should have legacyAuthProtocolsEnabled eq false |
| Ensure a transport rule exists |
Ensure a transport rule exists. |
|
O365 should have TransportRules len() gt 0 |
| Use limited administrative roles |
Limited administrators are users who have more privileges than standard users, but not as many privileges as global admins. Leveraging limited administrator roles to perform required administrative work reduces the number of high value, high impact global admin role holders you have. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached. |
|
SecureScore should have atleast one controlScores with [controlName eq "RoleOverlap" and scoreInPercentage eq 100 ] |
| Ensure that users do not have the default strong password policy disabled. |
In Azure, users by default have a strong password policy enabled. However, admin users are able to disable the default strong password policy for individual users. This functionality should not be used and all individual users' password policies should require a strong password. |
|
User should not have passwordPolicies like "DisableStrongPassword" |
| Ensure that users cannot install Outlook add-ins |
Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. |
|
O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ] |
| Description |
Service |
Rule |
| All users should be registered and signed up for MFA |
Multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. |
|
SecureScore should have atleast one controlScores with [controlName eq "MFARegistrationV2" and scoreInPercentage eq 100 ] |
| Ensure at least one anti-phishing policy exists |
Ensure that at least one anti-phishing policy exists. |
Azure Active Directory
|
O365 should have AntiPhishPolicies len() gt 0 |
| Ensure an authentication policy exists |
Ensure an authentication policy exists. |
|
O365 should have AuthenticationPolicies len() gt 0 |
| Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly |
This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. |
Azure Active Directory
|
O365Tenant should have unreviewedRiskEventsExist eq false |
| Enable Azure AD Identity Protection sign-in risk policies |
Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ] |
| Enable Azure AD Identity Protection user risk policies |
Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ] |
| Ensure basic authentication for Exchange Online is disabled |
Ensure basic authentication for Exchange Online is disabled. |
Azure Active Directory
|
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false |
| Enable Conditional Access policies to block legacy authentication |
Enable Conditional Access policies to block legacy authentication. |
Azure Active Directory
|
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1 and state eq "enabled"] |
| Block OneDrive for Business sync from unmanaged devices |
Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. |
|
SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true |
| Ensure that sharing full calendar details with external users is disabled |
Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. |
|
SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ] |
| Ensure DKIM is enabled for all Exchange Online Domains |
DKIM lets you add a digital signature to outbound email messages in the message header. This signature is used to verify that the messages are really coming from you and not coming from someone spoofing your domain. |
Azure Active Directory
|
DkimSigningConfig should have Enabled eq true |
| Ensure a DomainKeys Identified Mail (DKIM) signing policy exists |
Ensure a DomainKeys Identified Mail (DKIM) signing policy exists. |
|
O365 should have DkimSigningConfig len() gt 0 |
| Ensure DMARC Records for all Exchange Online domains are published |
Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. When you use DMARC, the receiving server performs a check against the From address. |
Azure Active Directory
|
AcceptedDomain should have DMARCRecordPublished eq true |
| Do not allow users to grant consent to unmanaged applications |
Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. |
|
SecureScore should have atleast one controlScores with [controlName eq "IntegratedApps" and scoreInPercentage eq 100 ] |
| Ensure document sharing is controlled by domains with sharing restrictions configured |
Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. |
|
SharepointTenant should have sharingDomainRestrictionMode neq 0 |
| Ensure audit log search is enabled |
Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. |
Azure Active Directory
|
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true |
| Ensure the Common Attachment Types Filter is enabled |
Ensure the Common Attachment Types Filter is enabled. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableFileFilter eq true |
| Ensure mailbox auditing for all users is enabled |
By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. |
Azure Active Directory
|
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true |
| Ensure expiration time for external sharing links is set |
Restrict the length of time that anonymous access links are valid. |
Azure Active Directory
|
SharepointTenant should have requireAnonymousLinksExpireInDays > 0 |
| Ensure that external users cannot share files, folders, and sites they do not own |
SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. |
|
SharepointTenant should have preventExternalUsersFromResharing eq true |
| Ensure a hosted outbound spam filter policy exists. |
Ensure a hosted outbound spam filter policy exists. |
|
O365 should have HostedOutboundSpamFilterPolicies len() gt 0 |
| Ensure mail transport rules do not forward email to external domains |
Ensure mail transport rules do not forward email to external domains. |
Azure Active Directory
|
O365Tenant should not have AnyMailTransportRuleRedirectMessageToExternalDomain eq True |
| Ensure mail transport rules do not whitelist specific domains |
Ensure mail transport rules do not whitelist specific domains. |
Azure Active Directory
|
TransportRule should not have SetScl = -1 and SenderDomainIs len() > 0 |
| Ensure MailTips are enabled for end users |
MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. |
|
OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0 |
| Ensure a malware filter policy exists |
Ensure a malware filter policy exists. |
|
O365 should have MalwareFilterPolicies len() gt 0 |
| Ensure multi-factor authentication is enabled for all users in administrative roles |
Ensure multi-factor authentication is enabled for all users in administrative roles |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Ensure multi-factor authentication is enabled for all users in all roles |
Ensure multi-factor authentication is enabled for all users in all roles. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Mobile devices passwords should be at least 6 characters |
Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinimumLength eq 6 ] |
| Ensure that mobile devices require complex passwords (Type = Alphanumeric) |
Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordRequiredType eq "atLeastAlphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] |
| Ensure that mobile device encryption is enabled |
Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true] |
| Ensure that users cannot connect from jailbroken or rooted devices |
Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ] |
| Lock mobile devices after a period of inactivity |
Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have MaxInactivityTimeLock eq "00:15:00" |
| Ensure device management polices are set to require advanced security configurations |
Configure your device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. |
Azure Active Directory
|
O365 should have DeviceConfigurations len() gt 0 |
| Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) |
Require your users to use a complex password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true] |
| Ensure mobile devices require the use of a password |
Require your users to use a password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true] |
| Ensure that mobile device password reuse is prohibited |
Do not allow your users to reuse the same password on their mobile devices. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have PasswordHistory eq 50 |
| Ensure modern authentication for Exchange Online is enabled |
Ensure modern authentication for Exchange Online is enabled. |
Exchange
|
OrganizationConfig should have OAuth2ClientProfileEnabled eq true |
| Notify the administrator when internal users send malware |
Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true |
| Ensure that OAuth 2.0 permission grants to third-party apps do not give permission to modify app role assignments. |
OAuth 2.0 permission grants enable a third-party connected app to access data based on the permissions granted. Do not grant third-party apps the ability to modify app role assignments. This would enable the third-party app to give users or apps access to resources that they should not have access to. |
|
OAuth2PermissionGrant should not have scope like "AppRoleAssignment.ReadWrite.All" |
| Ensure that Office 365 SharePoint infected files cannot be downloaded |
Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. |
|
SharepointTenant should have disallowInfectedFileDownload eq true |
| Ensure external storage providers available in Outlook on the Web are restricted |
Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box,
Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. |
|
OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false |
| Ensure that password hash sync is enabled for resiliency and leaked credential detection |
Ensure that password hash sync is enabled for resiliency and leaked credential detection. |
Microsoft 365 security
|
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ] |
| Ensure modern authentication for SharePoint applications is required |
Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. |
|
SharepointTenant should have legacyAuthProtocolsEnabled eq false |
| Ensure SPF records are published for all Exchange domains |
Ensure that Sender Policy Framework (SPF) records are published for all Exchange domains. Using SPF helps to validate outbound email sent from your custom domain by determining whether or not a sender is permitted to send on behalf of a domain. |
Azure Active Directory
|
AcceptedDomain should have spfRecordPublished eq true |
| Use limited administrative roles |
Limited administrators are users who have more privileges than standard users, but not as many privileges as global admins. Leveraging limited administrator roles to perform required administrative work reduces the number of high value, high impact global admin role holders you have. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached. |
|
SecureScore should have atleast one controlScores with [controlName eq "RoleOverlap" and scoreInPercentage eq 100 ] |
| Ensure that users do not have the default strong password policy disabled. |
In Azure, users by default have a strong password policy enabled. However, admin users are able to disable the default strong password policy for individual users. This functionality should not be used and all individual users' password policies should require a strong password. |
|
User should not have passwordPolicies like "DisableStrongPassword" |
| Ensure that users cannot install Outlook add-ins |
Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. |
|
O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ] |
| Description |
Service |
Rule |
| All users should be registered and signed up for MFA |
Multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. |
|
SecureScore should have atleast one controlScores with [controlName eq "MFARegistrationV2" and scoreInPercentage eq 100 ] |
| Ensure at least one anti-phishing policy exists |
Ensure that at least one anti-phishing policy exists. |
Azure Active Directory
|
O365 should have AntiPhishPolicies len() gt 0 |
| Ensure an authentication policy exists |
Ensure an authentication policy exists. |
|
O365 should have AuthenticationPolicies len() gt 0 |
| Ensure automatic forwarding options are disabled |
Disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web. In the event that an attacker gains control of an end-user account they could create rules to exfiltrate data from your environment. |
|
RemoteDomain should have AutoForwardEnabled eq false |
| Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly |
This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. |
Azure Active Directory
|
O365Tenant should have unreviewedRiskEventsExist eq false |
| Enable Azure AD Identity Protection sign-in risk policies |
Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ] |
| Enable Azure AD Identity Protection user risk policies |
Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ] |
| Ensure basic authentication for Exchange Online is disabled |
Ensure basic authentication for Exchange Online is disabled. |
Azure Active Directory
|
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false |
| Enable Conditional Access policies to block legacy authentication |
Enable Conditional Access policies to block legacy authentication. |
Azure Active Directory
|
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1 and state eq "enabled"] |
| Block OneDrive for Business sync from unmanaged devices |
Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. |
|
SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true |
| Ensure that sharing full calendar details with external users is disabled |
Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. |
|
SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ] |
| Ensure that client-side rules that automatically forward email to external domains are blocked |
Block client-side rules that automatically forward email to external domains. The use of client-side forwarding rules to exfiltrate data to external recipients is an increasingly used vector for data exfiltration by bad actors. |
|
O365 should have atleast one TransportRules with [ State eq "Enabled" and Priority eq 0 and SentToScope eq "NotInOrganization" and FromScope eq "InOrganization" and MessageTypeMatches eq "AutoForward" and RejectMessageEnhancedStatusCode eq "5.7.1" ] |
| Ensure DKIM is enabled for all Exchange Online Domains |
DKIM lets you add a digital signature to outbound email messages in the message header. This signature is used to verify that the messages are really coming from you and not coming from someone spoofing your domain. |
Azure Active Directory
|
DkimSigningConfig should have Enabled eq true |
| Ensure a DomainKeys Identified Mail (DKIM) signing policy exists |
Ensure a DomainKeys Identified Mail (DKIM) signing policy exists. |
|
O365 should have DkimSigningConfig len() gt 0 |
| Ensure DMARC Records for all Exchange Online domains are published |
Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. When you use DMARC, the receiving server performs a check against the From address. |
Azure Active Directory
|
AcceptedDomain should have DMARCRecordPublished eq true |
| Do not allow users to grant consent to unmanaged applications |
Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. |
|
SecureScore should have atleast one controlScores with [controlName eq "IntegratedApps" and scoreInPercentage eq 100 ] |
| Ensure document sharing is controlled by domains with sharing restrictions configured |
Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. |
|
SharepointTenant should have sharingDomainRestrictionMode neq 0 |
| Ensure audit log search is enabled |
Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. |
Azure Active Directory
|
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true |
| Ensure the Common Attachment Types Filter is enabled |
Ensure the Common Attachment Types Filter is enabled. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableFileFilter eq true |
| Ensure mailbox auditing for all users is enabled |
By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. |
Azure Active Directory
|
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true |
| Ensure Exchange Online outbound spam filter policies are properly configured |
Ensure the Exchange Online outbound spam filter policy is properly configured. Set your Exchange Online Spam Policies to copy emails and notify someone when a sender in your tenant has been blocked for sending spam emails. |
Azure Active Directory
|
HostedOutboundSpamFilterPolicy should have NotifyOutboundSpam eq true and BccSuspiciousOutboundMail eq true and Enabled eq true |
| Ensure expiration time for external sharing links is set |
Restrict the length of time that anonymous access links are valid. |
Azure Active Directory
|
SharepointTenant should have requireAnonymousLinksExpireInDays > 0 |
| Ensure that external users cannot share files, folders, and sites they do not own |
SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. |
|
SharepointTenant should have preventExternalUsersFromResharing eq true |
| Ensure that Facebook contact synchronization is disabled |
Disable integration with Facebook as a measure to help prevent phishing scams. |
|
OwaMailboxPolicy should have FacebookEnabled eq false |
| Ensure a hosted outbound spam filter policy exists. |
Ensure a hosted outbound spam filter policy exists. |
|
O365 should have HostedOutboundSpamFilterPolicies len() gt 0 |
| Ensure that LinkedIn contact synchronization is disabled |
Disable integration with LinkedIn as a measure to help prevent phishing scams. |
|
OwaMailboxPolicy should have LinkedInEnabled eq false |
| Ensure mail transport rules do not forward email to external domains |
Ensure mail transport rules do not forward email to external domains. |
Azure Active Directory
|
O365Tenant should not have AnyMailTransportRuleRedirectMessageToExternalDomain eq True |
| Ensure mail transport rules do not whitelist specific domains |
Ensure mail transport rules do not whitelist specific domains. |
Azure Active Directory
|
TransportRule should not have SetScl = -1 and SenderDomainIs len() > 0 |
| Ensure MailTips are enabled for end users |
MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. |
|
OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0 |
| Ensure a malware filter policy exists |
Ensure a malware filter policy exists. |
|
O365 should have MalwareFilterPolicies len() gt 0 |
| Ensure multi-factor authentication is enabled for all users in administrative roles |
Ensure multi-factor authentication is enabled for all users in administrative roles |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Ensure multi-factor authentication is enabled for all users in all roles |
Ensure multi-factor authentication is enabled for all users in all roles. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Mobile devices passwords should be at least 6 characters |
Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinimumLength eq 6 ] |
| Ensure that mobile devices require complex passwords (Type = Alphanumeric) |
Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordRequiredType eq "atLeastAlphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] |
| Ensure that mobile device encryption is enabled |
Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true] |
| Ensure that users cannot connect from jailbroken or rooted devices |
Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ] |
| Lock mobile devices after a period of inactivity |
Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have MaxInactivityTimeLock eq "00:15:00" |
| Ensure device management polices are set to require advanced security configurations |
Configure your device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. |
Azure Active Directory
|
O365 should have DeviceConfigurations len() gt 0 |
| Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) |
Require your users to use a complex password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true] |
| Ensure that mobile device passwords never expire |
Ensure that user passwords on mobile devices never expire. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passcodeExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] |
| Ensure mobile devices require the use of a password |
Require your users to use a password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true] |
| Ensure that mobile device password reuse is prohibited |
Do not allow your users to reuse the same password on their mobile devices. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have PasswordHistory eq 50 |
| Ensure modern authentication for Exchange Online is enabled |
Ensure modern authentication for Exchange Online is enabled. |
Exchange
|
OrganizationConfig should have OAuth2ClientProfileEnabled eq true |
| Notify the administrator when internal users send malware |
Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true |
| Ensure that OAuth 2.0 permission grants to third-party apps do not give permission to modify app role assignments. |
OAuth 2.0 permission grants enable a third-party connected app to access data based on the permissions granted. Do not grant third-party apps the ability to modify app role assignments. This would enable the third-party app to give users or apps access to resources that they should not have access to. |
|
OAuth2PermissionGrant should not have scope like "AppRoleAssignment.ReadWrite.All" |
| Ensure that Office 365 SharePoint infected files cannot be downloaded |
Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. |
|
SharepointTenant should have disallowInfectedFileDownload eq true |
| Ensure external storage providers available in Outlook on the Web are restricted |
Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box,
Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. |
|
OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false |
| Ensure an Outlook on the web mailbox policy exists |
Ensure an Outlook on the web mailbox policy exists. |
|
O365 should have OwaMailboxPolicies len() gt 0 |
| Ensure that password hash sync is enabled for resiliency and leaked credential detection |
Ensure that password hash sync is enabled for resiliency and leaked credential detection. |
Microsoft 365 security
|
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ] |
| Ensure that Office 365 passwords are not set to expire |
Ensure that Office 365 passwords are not set to expire. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [ controlName eq "PWAgePolicyNew" and scoreInPercentage eq 100 and IsApplicable eq true ] |
| Ensure modern authentication for SharePoint applications is required |
Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. |
|
SharepointTenant should have legacyAuthProtocolsEnabled eq false |
| Ensure SPF records are published for all Exchange domains |
Ensure that Sender Policy Framework (SPF) records are published for all Exchange domains. Using SPF helps to validate outbound email sent from your custom domain by determining whether or not a sender is permitted to send on behalf of a domain. |
Azure Active Directory
|
AcceptedDomain should have spfRecordPublished eq true |
| Ensure a transport rule exists |
Ensure a transport rule exists. |
|
O365 should have TransportRules len() gt 0 |
| Use limited administrative roles |
Limited administrators are users who have more privileges than standard users, but not as many privileges as global admins. Leveraging limited administrator roles to perform required administrative work reduces the number of high value, high impact global admin role holders you have. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached. |
|
SecureScore should have atleast one controlScores with [controlName eq "RoleOverlap" and scoreInPercentage eq 100 ] |
| Ensure that users do not have the default strong password policy disabled. |
In Azure, users by default have a strong password policy enabled. However, admin users are able to disable the default strong password policy for individual users. This functionality should not be used and all individual users' password policies should require a strong password. |
|
User should not have passwordPolicies like "DisableStrongPassword" |
| Ensure that users cannot install Outlook add-ins |
Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. |
|
O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ] |
| Description |
Service |
Rule |
| All users should be registered and signed up for MFA |
Multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. |
|
SecureScore should have atleast one controlScores with [controlName eq "MFARegistrationV2" and scoreInPercentage eq 100 ] |
| Ensure at least one anti-phishing policy exists |
Ensure that at least one anti-phishing policy exists. |
Azure Active Directory
|
O365 should have AntiPhishPolicies len() gt 0 |
| Ensure an authentication policy exists |
Ensure an authentication policy exists. |
|
O365 should have AuthenticationPolicies len() gt 0 |
| Ensure automatic forwarding options are disabled |
Disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web. In the event that an attacker gains control of an end-user account they could create rules to exfiltrate data from your environment. |
|
RemoteDomain should have AutoForwardEnabled eq false |
| Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly |
This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. |
Azure Active Directory
|
O365Tenant should have unreviewedRiskEventsExist eq false |
| Enable Azure AD Identity Protection sign-in risk policies |
Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ] |
| Enable Azure AD Identity Protection user risk policies |
Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ] |
| Ensure basic authentication for Exchange Online is disabled |
Ensure basic authentication for Exchange Online is disabled. |
Azure Active Directory
|
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false |
| Enable Conditional Access policies to block legacy authentication |
Enable Conditional Access policies to block legacy authentication. |
Azure Active Directory
|
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1 and state eq "enabled"] |
| Block OneDrive for Business sync from unmanaged devices |
Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. |
|
SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true |
| Ensure that sharing full calendar details with external users is disabled |
Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. |
|
SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ] |
| Ensure that client-side rules that automatically forward email to external domains are blocked |
Block client-side rules that automatically forward email to external domains. The use of client-side forwarding rules to exfiltrate data to external recipients is an increasingly used vector for data exfiltration by bad actors. |
|
O365 should have atleast one TransportRules with [ State eq "Enabled" and Priority eq 0 and SentToScope eq "NotInOrganization" and FromScope eq "InOrganization" and MessageTypeMatches eq "AutoForward" and RejectMessageEnhancedStatusCode eq "5.7.1" ] |
| Do not allow users to grant consent to unmanaged applications |
Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. |
|
SecureScore should have atleast one controlScores with [controlName eq "IntegratedApps" and scoreInPercentage eq 100 ] |
| Ensure document sharing is controlled by domains with sharing restrictions configured |
Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. |
|
SharepointTenant should have sharingDomainRestrictionMode neq 0 |
| Ensure audit log search is enabled |
Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. |
Azure Active Directory
|
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true |
| Ensure the Common Attachment Types Filter is enabled |
Ensure the Common Attachment Types Filter is enabled. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableFileFilter eq true |
| Ensure mailbox auditing for all users is enabled |
By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. |
Azure Active Directory
|
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true |
| Ensure expiration time for external sharing links is set |
Restrict the length of time that anonymous access links are valid. |
Azure Active Directory
|
SharepointTenant should have requireAnonymousLinksExpireInDays > 0 |
| Ensure that external users cannot share files, folders, and sites they do not own |
SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. |
|
SharepointTenant should have preventExternalUsersFromResharing eq true |
| Ensure that Facebook contact synchronization is disabled |
Disable integration with Facebook as a measure to help prevent phishing scams. |
|
OwaMailboxPolicy should have FacebookEnabled eq false |
| Ensure a hosted outbound spam filter policy exists. |
Ensure a hosted outbound spam filter policy exists. |
|
O365 should have HostedOutboundSpamFilterPolicies len() gt 0 |
| Ensure that LinkedIn contact synchronization is disabled |
Disable integration with LinkedIn as a measure to help prevent phishing scams. |
|
OwaMailboxPolicy should have LinkedInEnabled eq false |
| Ensure mail transport rules do not forward email to external domains |
Ensure mail transport rules do not forward email to external domains. |
Azure Active Directory
|
O365Tenant should not have AnyMailTransportRuleRedirectMessageToExternalDomain eq True |
| Ensure mail transport rules do not whitelist specific domains |
Ensure mail transport rules do not whitelist specific domains. |
Azure Active Directory
|
TransportRule should not have SetScl = -1 and SenderDomainIs len() > 0 |
| Ensure MailTips are enabled for end users |
MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. |
|
OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0 |
| Ensure a malware filter policy exists |
Ensure a malware filter policy exists. |
|
O365 should have MalwareFilterPolicies len() gt 0 |
| Ensure multi-factor authentication is enabled for all users in administrative roles |
Ensure multi-factor authentication is enabled for all users in administrative roles |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Ensure multi-factor authentication is enabled for all users in all roles |
Ensure multi-factor authentication is enabled for all users in all roles. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Mobile devices passwords should be at least 6 characters |
Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinimumLength eq 6 ] |
| Ensure that mobile devices require complex passwords (Type = Alphanumeric) |
Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordRequiredType eq "atLeastAlphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] |
| Ensure that mobile device encryption is enabled |
Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true] |
| Ensure that users cannot connect from jailbroken or rooted devices |
Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ] |
| Lock mobile devices after a period of inactivity |
Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have MaxInactivityTimeLock eq "00:15:00" |
| Ensure device management polices are set to require advanced security configurations |
Configure your device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. |
Azure Active Directory
|
O365 should have DeviceConfigurations len() gt 0 |
| Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) |
Require your users to use a complex password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true] |
| Ensure that mobile device passwords never expire |
Ensure that user passwords on mobile devices never expire. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passcodeExpirationDays eq -1 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordExpirationDays eq -1 ] |
| Ensure mobile devices require the use of a password |
Require your users to use a password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true] |
| Ensure that mobile device password reuse is prohibited |
Do not allow your users to reuse the same password on their mobile devices. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have PasswordHistory eq 50 |
| Ensure mobile devices are set to wipe on multiple sign-in failures |
Require mobile devices to wipe on multiple sign-in failures to prevent brute force compromise. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device. |
|
O365 should have atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeSignInFailureCountBeforeWipe lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] |
| Ensure modern authentication for Exchange Online is enabled |
Ensure modern authentication for Exchange Online is enabled. |
Exchange
|
OrganizationConfig should have OAuth2ClientProfileEnabled eq true |
| Notify the administrator when internal users send malware |
Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true |
| Ensure that OAuth 2.0 permission grants to third-party apps do not give permission to modify app role assignments. |
OAuth 2.0 permission grants enable a third-party connected app to access data based on the permissions granted. Do not grant third-party apps the ability to modify app role assignments. This would enable the third-party app to give users or apps access to resources that they should not have access to. |
|
OAuth2PermissionGrant should not have scope like "AppRoleAssignment.ReadWrite.All" |
| Ensure that Office 365 SharePoint infected files cannot be downloaded |
Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. |
|
SharepointTenant should have disallowInfectedFileDownload eq true |
| Ensure external storage providers available in Outlook on the Web are restricted |
Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box,
Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. |
|
OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false |
| Ensure an Outlook on the web mailbox policy exists |
Ensure an Outlook on the web mailbox policy exists. |
|
O365 should have OwaMailboxPolicies len() gt 0 |
| Ensure that password hash sync is enabled for resiliency and leaked credential detection |
Ensure that password hash sync is enabled for resiliency and leaked credential detection. |
Microsoft 365 security
|
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ] |
| Ensure that Office 365 passwords are not set to expire |
Ensure that Office 365 passwords are not set to expire. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [ controlName eq "PWAgePolicyNew" and scoreInPercentage eq 100 and IsApplicable eq true ] |
| Ensure modern authentication for SharePoint applications is required |
Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. |
|
SharepointTenant should have legacyAuthProtocolsEnabled eq false |
| Ensure a transport rule exists |
Ensure a transport rule exists. |
|
O365 should have TransportRules len() gt 0 |
| Use limited administrative roles |
Limited administrators are users who have more privileges than standard users, but not as many privileges as global admins. Leveraging limited administrator roles to perform required administrative work reduces the number of high value, high impact global admin role holders you have. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached. |
|
SecureScore should have atleast one controlScores with [controlName eq "RoleOverlap" and scoreInPercentage eq 100 ] |
| Ensure that users do not have the default strong password policy disabled. |
In Azure, users by default have a strong password policy enabled. However, admin users are able to disable the default strong password policy for individual users. This functionality should not be used and all individual users' password policies should require a strong password. |
|
User should not have passwordPolicies like "DisableStrongPassword" |
| Ensure that users cannot install Outlook add-ins |
Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. |
|
O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ] |
| Description |
Service |
Rule |
| All users should be registered and signed up for MFA |
Multi-factor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised. |
|
SecureScore should have atleast one controlScores with [controlName eq "MFARegistrationV2" and scoreInPercentage eq 100 ] |
| Ensure at least one anti-phishing policy exists |
Ensure that at least one anti-phishing policy exists. |
Azure Active Directory
|
O365 should have AntiPhishPolicies len() gt 0 |
| Ensure an authentication policy exists |
Ensure an authentication policy exists. |
|
O365 should have AuthenticationPolicies len() gt 0 |
| Ensure automatic forwarding options are disabled |
Disable automatic forwarding to prevent users from auto-forwarding mail through Outlook and Outlook on the Web. In the event that an attacker gains control of an end-user account they could create rules to exfiltrate data from your environment. |
|
RemoteDomain should have AutoForwardEnabled eq false |
| Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly |
This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords, account that have signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network), and successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions. |
Azure Active Directory
|
O365Tenant should have unreviewedRiskEventsExist eq false |
| Enable Azure AD Identity Protection sign-in risk policies |
Azure Active Directory Identity Protection sign-in risk detects risks in real-time and offline. A risky sign-in is an indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [controlName eq "SigninRiskPolicy" and scoreInPercentage eq 100 ] |
| Enable Azure AD Identity Protection user risk policies |
Azure Active Directory Identity Protection user risk policies detect the probability that a user account has been compromised. |
Azure Active Directory
|
SecureScore should have atleast one controlScores with [ controlName eq "UserRiskPolicy" and scoreInPercentage eq 100 ] |
| Ensure basic authentication for Exchange Online is disabled |
Ensure basic authentication for Exchange Online is disabled. |
Azure Active Directory
|
AuthenticationPolicy should have AllowBasicAuthActiveSync eq false and AllowBasicAuthAutodiscover eq false and AllowBasicAuthImap eq false and AllowBasicAuthMapi eq false and AllowBasicAuthOfflineAddressBook eq false and AllowBasicAuthOutlookService eq false and AllowBasicAuthPop eq false and AllowBasicAuthPowershell eq false and AllowBasicAuthReportingWebServices eq false and AllowBasicAuthRest eq false and AllowBasicAuthRpc eq false and AllowBasicAuthSmtp eq false and AllowBasicAuthWebServices eq false |
| Enable Conditional Access policies to block legacy authentication |
Enable Conditional Access policies to block legacy authentication. |
Azure Active Directory
|
O365 should have any ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.users.excludeUsers len() >= 1 and conditions.clientAppTypes has ("exchangeActiveSync") and conditions.clientAppTypes has ("other") and grantControls.builtInControls has ("block") and grantControls.builtInControls len() = 1 and state eq "enabled"] |
| Block OneDrive for Business sync from unmanaged devices |
Prevent company data from OneDrive for Business from being synchronized to non-corporate managed devices. Unmanaged devices pose a risk, since their security cannot be verified. Allowing users to sync data to these devices, takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. |
|
SharepointTenant should have isUnmanagedSyncClientForTenantRestricted eq true |
| Ensure that sharing full calendar details with external users is disabled |
Do not allow your users to share the full details of their calendars with external users. Attackers often spend time learning about your organization before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling. |
|
SharingPolicy should have sharingEnabled eq false or every domains with [ sharingAllowedDetails eq "ContactsSharing" ] |
| Ensure DKIM is enabled for all Exchange Online Domains |
DKIM lets you add a digital signature to outbound email messages in the message header. This signature is used to verify that the messages are really coming from you and not coming from someone spoofing your domain. |
Azure Active Directory
|
DkimSigningConfig should have Enabled eq true |
| Ensure a DomainKeys Identified Mail (DKIM) signing policy exists |
Ensure a DomainKeys Identified Mail (DKIM) signing policy exists. |
|
O365 should have DkimSigningConfig len() gt 0 |
| Ensure DMARC Records for all Exchange Online domains are published |
Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. When you use DMARC, the receiving server performs a check against the From address. |
Azure Active Directory
|
AcceptedDomain should have DMARCRecordPublished eq true |
| Do not allow users to grant consent to unmanaged applications |
Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. |
|
SecureScore should have atleast one controlScores with [controlName eq "IntegratedApps" and scoreInPercentage eq 100 ] |
| Ensure document sharing is controlled by domains with sharing restrictions configured |
Control sharing of documents to external domains by either blocking domains or only allowing sharing with specific named domains. Attackers will often attempt to expose sensitive information to external entities through sharing, and restricting the domains that your users can share documents with will reduce that surface area. |
|
SharepointTenant should have sharingDomainRestrictionMode neq 0 |
| Ensure audit log search is enabled |
Enabling Microsoft 365 audit log search helps Office 365 back office teams to investigate activities for regular security operational or forensic purposes. |
Azure Active Directory
|
AdminAuditLogConfig should have AdminAuditLogEnabled eq true and UnifiedAuditLogIngestionEnabled eq true |
| Ensure the Common Attachment Types Filter is enabled |
Ensure the Common Attachment Types Filter is enabled. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableFileFilter eq true |
| Ensure mailbox auditing for all users is enabled |
By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. |
Azure Active Directory
|
OrganizationConfig should have userMailboxAuditEnabled eq true and nonUserMailboxAuditEnabled eq true |
| Ensure Exchange Online outbound spam filter policies are properly configured |
Ensure the Exchange Online outbound spam filter policy is properly configured. Set your Exchange Online Spam Policies to copy emails and notify someone when a sender in your tenant has been blocked for sending spam emails. |
Azure Active Directory
|
HostedOutboundSpamFilterPolicy should have NotifyOutboundSpam eq true and BccSuspiciousOutboundMail eq true and Enabled eq true |
| Ensure that external users cannot share files, folders, and sites they do not own |
SharePoint gives users the ability to share files, folder, and site collections. Internal users can share with external collaborators, who with the right permissions, could share those to another external party. Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. |
|
SharepointTenant should have preventExternalUsersFromResharing eq true |
| Ensure a hosted outbound spam filter policy exists. |
Ensure a hosted outbound spam filter policy exists. |
|
O365 should have HostedOutboundSpamFilterPolicies len() gt 0 |
| Ensure MailTips are enabled for end users |
MailTips assist end users with identifying strange patterns to emails they send. Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant. |
|
OrganizationConfig should have MailTipsAllTipsEnabled eq true and MailTipsExternalRecipientsTipsEnabled eq true and MailTipsGroupMetricsEnabled eq true and MailTipsLargeAudienceThreshold gt 0 |
| Ensure a malware filter policy exists |
Ensure a malware filter policy exists. |
|
O365 should have MalwareFilterPolicies len() gt 0 |
| Ensure multi-factor authentication is enabled for all users in administrative roles |
Ensure multi-factor authentication is enabled for all users in administrative roles |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeRoles has ("b0f54661-2d74-4c50-afa3-1ec803f12efe","b1be1c3e-b65d-4f19-8427-f6fa0d97feb9","29232cdf-9323-42fd-ade2-1d097af3e4de","62e90394-69f5-4237-9190-012177145e10","729827e3-9c14-49f7-bb1b-9608f156bbb8","194ae4cb-b126-40b2-bd5b-6091b380977d","f28a1f50-f6e7-4571-818b-6a12f2af6b6c","fe930be7-5e62-47db-91af-98c3a49a38b1") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Ensure multi-factor authentication is enabled for all users in all roles |
Ensure multi-factor authentication is enabled for all users in all roles. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one ConditionalAccessPolicies with [ conditions.users.includeUsers has ("All") and conditions.clientAppTypes has ("all") and grantControls.builtInControls has ("mfa") and state eq "enabled"] |
| Mobile devices passwords should be at least 6 characters |
Require your users to use a complex password with a minimum password length of at least six characters to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordMinimumLength eq 6 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeMinimumLength eq 6 and passcodeBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordMinimumLength eq 6 and passwordBlockSimple eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordMinimumLength eq 6 ] |
| Ensure that mobile devices require complex passwords (Type = Alphanumeric) |
Require your users to use a complex password with a at least two character sets (letters and numbers, for example) to unlock their mobile devices |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric"] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordRequiredType eq "atLeastAlphanumeric" ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.macOSGeneralDeviceConfiguration" and passwordRequiredType eq "alphanumeric" ] |
| Ensure that mobile device encryption is enabled |
Require your users to use encryption on their mobile devices to prevent unauthorized access to mobile data. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and storageRequireDeviceEncryption eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and storageRequireDeviceEncryption eq true] |
| Ensure that users cannot connect from jailbroken or rooted devices |
Do not allow your users to use to connect with mobile devices that have been jailbroken or rooted. These devices have had basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.iosCompliancePolicy" and securityBlockJailbrokenDevices eq true ] and atleast one DeviceCompliancePolicies with [ odatatype eq "#microsoft.graph.androidCompliancePolicy" and securityBlockJailbrokenDevices eq true ] |
| Lock mobile devices after a period of inactivity |
Users should be required to configure their mobile devices to lock after a period of inactivity to prevent unauthorized access. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have MaxInactivityTimeLock eq "00:15:00" |
| Ensure device management polices are set to require advanced security configurations |
Configure your device management policies to require advanced security configurations. If you do not require this, users will be able to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. |
Azure Active Directory
|
O365 should have DeviceConfigurations len() gt 0 |
| Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) |
Require your users to use a complex password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeBlockSimple eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordBlockSimple eq true] |
| Ensure mobile devices require the use of a password |
Require your users to use a password to unlock their mobile devices. |
Azure Active Directory
|
O365 should have O365Tenant len() gt 0 and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeRequired eq true ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordRequired eq true] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordRequired eq true] |
| Ensure that mobile device password reuse is prohibited |
Do not allow your users to reuse the same password on their mobile devices. |
Azure Active Directory
|
MobileDeviceMailboxPolicy should have PasswordHistory eq 50 |
| Ensure mobile devices are set to wipe on multiple sign-in failures |
Require mobile devices to wipe on multiple sign-in failures to prevent brute force compromise. Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, data, or install malware on the device. |
|
O365 should have atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.iosGeneralDeviceConfiguration" and passcodeSignInFailureCountBeforeWipe lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows10GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.windows81GeneralConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] and atleast one DeviceConfigurations with [ odatatype eq "#microsoft.graph.aospDeviceOwnerDeviceConfiguration" and passwordSignInFailureCountBeforeFactoryReset lte 10 ] |
| Ensure modern authentication for Exchange Online is enabled |
Ensure modern authentication for Exchange Online is enabled. |
Exchange
|
OrganizationConfig should have OAuth2ClientProfileEnabled eq true |
| Notify the administrator when internal users send malware |
Set a malware filter policy that notifies an administrator when malware is detected in message from an internal user. |
Azure Active Directory
|
MalwareFilterPolicy should have EnableInternalSenderAdminNotifications eq true |
| Ensure that OAuth 2.0 permission grants to third-party apps do not give permission to modify app role assignments. |
OAuth 2.0 permission grants enable a third-party connected app to access data based on the permissions granted. Do not grant third-party apps the ability to modify app role assignments. This would enable the third-party app to give users or apps access to resources that they should not have access to. |
|
OAuth2PermissionGrant should not have scope like "AppRoleAssignment.ReadWrite.All" |
| Ensure that Office 365 SharePoint infected files cannot be downloaded |
Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. |
|
SharepointTenant should have disallowInfectedFileDownload eq true |
| Ensure external storage providers available in Outlook on the Web are restricted |
Restrict storage providers that are integrated with Outlook on the Web. By default additional storage providers are allowed in Outlook on the Web (such as Box,
Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to information leakage and additional risk of infection from organizational non-trusted storage providers. Restricting this will inherently reduce risk as it will narrow opportunities for infection and data leakage. |
|
OwaMailboxPolicy should have AdditionalStorageProvidersAvailable eq false |
| Ensure that password hash sync is enabled for resiliency and leaked credential detection |
Ensure that password hash sync is enabled for resiliency and leaked credential detection. |
Microsoft 365 security
|
SecureScore should have atleast one controlScores with [ controlName eq "PasswordHashSync" and on eq true ] |
| Ensure modern authentication for SharePoint applications is required |
Strong authentication controls, such as the use of multi-factor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users. |
|
SharepointTenant should have legacyAuthProtocolsEnabled eq false |
| Ensure SPF records are published for all Exchange domains |
Ensure that Sender Policy Framework (SPF) records are published for all Exchange domains. Using SPF helps to validate outbound email sent from your custom domain by determining whether or not a sender is permitted to send on behalf of a domain. |
Azure Active Directory
|
AcceptedDomain should have spfRecordPublished eq true |
| Ensure a transport rule exists |
Ensure a transport rule exists. |
|
O365 should have TransportRules len() gt 0 |
| Use limited administrative roles |
Limited administrators are users who have more privileges than standard users, but not as many privileges as global admins. Leveraging limited administrator roles to perform required administrative work reduces the number of high value, high impact global admin role holders you have. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached. |
|
SecureScore should have atleast one controlScores with [controlName eq "RoleOverlap" and scoreInPercentage eq 100 ] |
| Ensure that users do not have the default strong password policy disabled. |
In Azure, users by default have a strong password policy enabled. However, admin users are able to disable the default strong password policy for individual users. This functionality should not be used and all individual users' password policies should require a strong password. |
|
User should not have passwordPolicies like "DisableStrongPassword" |
| Ensure that users cannot install Outlook add-ins |
Attackers commonly use vulnerable and custom-built add-ins to access data in user applications. While allowing users to install add-ins by themselves does allow them to easily acquire useful add-ins that integrate with Microsoft applications, it can represent a risk if not used and monitored carefully. Disabling future users' ability to install add-ins in Microsoft Outlook helps reduce your threat-surface and mitigate this risk. |
|
O365 should not have any RoleAssignmentPolicies with [ AssignedRoles has ( "My Custom Apps" ) or AssignedRoles has ( "My Marketplace Apps" ) or AssignedRoles has ( "My ReadWriteMailbox Apps" ) ] |
