Microsoft 365 Security Checks
All security checks Aether365 performs for Microsoft 365.
| ID | Title | Severity | Framework |
|---|---|---|---|
| AE.1001 | At least one Conditional Access policy is configured with device compliance | Medium | Other |
| AE.1002 | Enforce credential configurations on apps and service principals | Medium | Other |
| AE.1003 | At least one Conditional Access policy is configured with All cloud apps | Medium | Other |
| AE.1004 | At least one Conditional Access policy is configured with All Cloud Apps and All Users | Medium | Other |
| AE.1005 | All Conditional Access policies are configured to exclude at least one emergency account or group. | Medium | Other |
| AE.1006 | At least one Conditional Access policy is configured to require MFA for users with administrator roles | Medium | Other |
| AE.1007 | At least one Conditional Access policy is configured to require MFA for all users | Medium | Other |
| AE.1008 | At least one Conditional Access policy is configured to require MFA for Azure management | Medium | Other |
| AE.1009 | At least one Conditional Access policy is configured to block other legacy authentication | Medium | Other |
| AE.1010 | At least one Conditional Access policy is configured to block legacy authentication for Exchange ActiveSync | Medium | Other |
| AE.1011 | At least one Conditional Access policy is configured to secure security info registration only from a trusted location | Medium | Other |
| AE.1012 | At least one Conditional Access policy is configured to require MFA for risky sign-ins | Medium | Other |
| AE.1013 | At least one Conditional Access policy is configured to require a new password when user risk is high | Medium | Other |
| AE.1014 | At least one Conditional Access policy is configured to require compliant or Entra hybrid joined devices for admins | Medium | Other |
| AE.1015 | At least one Conditional Access policy is configured to block access for unknown or unsupported device platforms | Medium | Other |
| AE.1016 | At least one Conditional Access policy is configured to require MFA for guest access | Medium | Other |
| AE.1017 | At least one Conditional Access policy is configured to enforce a non-persistent browser session for non-corporate devices | Medium | Other |
| AE.1018 | At least one Conditional Access policy is configured to enforce sign-in frequency for non-corporate devices | Medium | Other |
| AE.1019 | At least one Conditional Access policy is configured to enable application enforced restrictions | Medium | Other |
| AE.1020 | All Conditional Access policies are configured to exclude directory synchronization accounts or do not scope them | Medium | Other |
| AE.1021 | Security Defaults are enabled | Medium | Other |
| AE.1022 | All users utilizing a P1 license should be licensed | Medium | Other |
| AE.1023 | All users utilizing a P2 license should be licensed | Medium | Other |
| AE.1024 | Microsoft Entra recommendations | Medium | Other |
| AE.1025 | No external user with permanent role assignment on Control Plane | Medium | Other |
| AE.1026 | No hybrid user with permanent role assignment on Control Plane | Medium | Other |
| AE.1027 | No Service Principal with Client Secret and permanent role assignment on Control Plane | Medium | Other |
| AE.1028 | No user with mailbox and permanent role assignment on Control Plane | Medium | Other |
| AE.1029 | Stale accounts are not assigned to privileged roles | Medium | Other |
| AE.1030 | Eligible role assignments on Control Plane are in use by administrators | Medium | Other |
| AE.1031 | Privileged roles on the Control Plane are managed by PIM only | Medium | Other |
| AE.1032 | A limited number of Global Admins are assigned | Medium | Other |
| AE.1033 | User should be blocked from using legacy authentication | Medium | Other |
| AE.1034 | Emergency access users should not be blocked | Medium | Other |
| AE.1035 | All security groups assigned to Conditional Access Policies should be protected by RMAU | Medium | Other |
| AE.1036 | All excluded objects should have a fallback include in another policy. | Medium | Other |
| AE.1038 | Conditional Access policies should not include or exclude deleted groups. | Medium | Other |
| AE.1039 | Ensure MailTips are enabled for end users | Medium | Other |
| AE.1041 | Ensure users installing Outlook add-ins is not allowed | Medium | Other |
| AE.1043 | Ensure Spam confidence level (SCL) is configured in mail transport rules with specific domains | Medium | Other |
| AE.1044 | Ensure modern authentication for Exchange Online is enabled | Medium | Other |
| AE.1049 | Sign-in risk and user risk conditions should be configured in separate Conditional Access policies | Medium | Other |
| AE.1050 | Apps with high-risk permissions having a direct path to Global Admin | Medium | Other |
| AE.1051 | Apps with high-risk permissions having an indirect path to Global Admin | Medium | Other |
| AE.1052 | At least one Conditional Access policy is targeting the Device Code authentication flow. | Medium | Other |
| AE.1055 | Microsoft 365 Group (and Team) creation should be restricted to approved users | Medium | Other |
| AE.1056 | User Access Administrator permission should not be permanently assigned on the root scope | Medium | Other |
| AE.1057 | App registrations should no longer use secrets | Medium | Other |
| AE.1058 | Exchange Application Access Policies should be configured | Medium | Other |
| AE.1059 | Microsoft Defender for Identity health issues should be resolved | Medium | Other |
| AE.1060 | Drift tests | Medium | Other |
| AE.1061 | Device registration MFA control conflicts with Conditional Access policies. | Medium | Other |
| AE.1062 | Ensure Direct Send is set to be rejected | Medium | Other |
| AE.1064 | Ensure that write permissions are required to create new management groups | Medium | Other |
| AE.1065 | Ensure all Recovery Services Vaults have soft delete enabled | Medium | Other |
| AE.1066 | Conditional Access policies should not reference non-existent users, groups, or roles. | Medium | Other |
| AE.1067 | Authentication method policies should not reference non-existent groups. | Medium | Other |
| AE.1071 | At least one Conditional Access policy explicitly includes Azure DevOps. | Medium | Other |
| AE.1072 | No conditional access policy should require an approved client app. | Medium | Other |
| AE.1073 | Soft- and hard-matching of synchronized objects should be blocked. | Medium | Other |
| AE.1074 | Mailbox should not use the .onmicrosoft.com domain as primary SMTP address. | Medium | Other |
| AE.1076 | MOERA SHOULD NOT be used for sent mail. | Medium | Other |
| AE.1083 | Ensure Delicensing Resiliency is enabled | Medium | Other |
| AE.1086 | Devices should not share both critical and non-critical user credentials. | Medium | Other |
| AE.1087 | Devices should not be publicly exposed with remotely exploitable, highly likely to be exploited, high or critical severity CVEs. | Medium | Other |
| AE.1088 | Devices with critical credentials should be protected by TPM. | Medium | Other |
| AE.1089 | Devices with critical credentials should be protected by Credential Guard. | Medium | Other |
| AE.1113 | AI agents should not be shared with broad access control policies | Medium | Other |
| AE.1114 | AI agents should require user authentication | Medium | Other |
| AE.1115 | AI agents should not have risky HTTP configurations | Medium | Other |
| AE.1116 | AI agents should not send email with AI-controlled inputs | Medium | Other |
| AE.1117 | Published AI agents should not be dormant | Medium | Other |
| AE.1118 | AI agents should not use author (maker) authentication for connections | Medium | Other |
| AE.1119 | AI agents should not have hard-coded credentials in topics | Medium | Other |
| AE.1120 | AI agents should not use MCP server tools without review | Medium | Other |
| AE.1121 | AI agents with generative orchestration should have custom instructions | Medium | Other |
| AE.1122 | AI agents should not have orphaned ownership | Medium | Other |
| AE.1147 | Do not sync krbtgt_AzureAD to Entra ID | Medium | Other |
| AZDO.1000 | Azure DevOps OAuth apps can access resources in your organization through OAuth. | Medium | Other |
| AZDO.1001 | Identities can connect to your organization's Git repos through SSH. | Medium | Other |
| AZDO.1002 | Log Audit Events. | Medium | Other |
| AZDO.1003 | Restrict public projects. | Medium | Other |
| AZDO.1004 | Additional protections when using public package registries. | Medium | Other |
| AZDO.1005 | IP Conditional Access policy validation. | Medium | Other |
| AZDO.1006 | External Users access. | Medium | Other |
| AZDO.1007 | Team and project administrators are allowed to invite new users. | Medium | Other |
| AZDO.1008 | Request access to Azure DevOps by e-mail notifications to administrators. | Medium | Other |
| AZDO.1009 | Feedback Collection. | Medium | Other |
| AZDO.1010 | Audit streaming. | Medium | Other |
| AZDO.1011 | Project Resource Limits. | Medium | Other |
| AZDO.1012 | Work Items Tags Limits. | Medium | Other |
| AZDO.1013 | Organization Owner should not be an individual. | Medium | Other |
| AZDO.1014 | Anonymous access to pipeline badges. | Medium | Other |
| AZDO.1015 | Limit variables that can be set at queue time. | Medium | Other |
| AZDO.1016 | Limit job authorization scope to current project for non-release pipelines. | Medium | Other |
| AZDO.1017 | Limit job authorization scope to current project for classic release pipelines. | Medium | Other |
| AZDO.1018 | Protect access to repositories in YAML pipelines. | Medium | Other |
| AZDO.1019 | Stage chooser. | Medium | Other |
| AZDO.1020 | Creation of classic build pipelines. | Medium | Other |
| AZDO.1021 | Creation of classic release pipelines. | Medium | Other |
| AZDO.1022 | Limit building pull requests from forked GitHub repositories. | Medium | Other |
| AZDO.1023 | Disable Marketplace tasks. | Medium | Other |
| AZDO.1024 | Disable Node 6 tasks. | Medium | Other |
| AZDO.1025 | Enable shell tasks arguments validation. | Medium | Other |
| AZDO.1026 | Enable automatic enrollment to Advanced Security for Azure DevOps. | Medium | Other |
| AZDO.1027 | Disable showing Gravatar images for users outside of your enterprise. | Medium | Other |
| AZDO.1028 | Disable creation of TFVC repositories. | Medium | Other |
| AZDO.1029 | Storage Usage Limit. | Medium | Other |
| AZDO.1030 | Project Collection Administrators. | Medium | Other |
| AZDO.1031 | Validate SSH Key Expiration. | Medium | Other |
| AZDO.1032 | (Tenant) Restrict creation of global Personal Access Tokens. | Medium | Other |
| AZDO.1033 | (Tenant) Enable automatic revocation of leaked Personal Access Tokens. | Medium | Other |
| AZDO.1034 | (Tenant) Restrict creation of new Azure DevOps organizations. | Medium | Other |
| AZDO.1035 | (Tenant) Restrict Personal Access Token lifespan. | Medium | Other |
| AZDO.1036 | (Tenant) Restrict Personal Access Token full scope. | Medium | Other |
| AZDO.1037 | (Organization) Restrict Personal Access Token creation. | Medium | Other |
| AZDO.1038 | (Organization) Disallow extensions from accessing resources on the local network. | Medium | Other |
| CIS.M365.1.1.1 | Ensure Administrative accounts are cloud-only | Medium | CIS |
| CIS.M365.1.1.3 | Ensure that between two and four global admins are designated | Medium | CIS |
| CIS.M365.1.2.1 | Ensure that only organizationally managed/approved public groups exist | High | CIS |
| CIS.M365.1.2.2 | Ensure sign-in to shared mailboxes is blocked | Medium | CIS |
| CIS.M365.1.3.1 | Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)' | Medium | CIS |
| CIS.M365.1.3.3 | Ensure 'External sharing' of calendars is not available | High | CIS |
| CIS.M365.1.3.4 | Ensure 'User owned apps and services' is restricted | Medium | CIS |
| CIS.M365.1.3.5 | Ensure internal phishing protection for Forms is enabled | Medium | CIS |
| CIS.M365.1.3.6 | Ensure the customer lockbox feature is enabled | Medium | Other |
| CIS.M365.1.3.7 | Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web' | High | CIS |
| CIS.M365.2.1.1 | Ensure Safe Links for Office Applications is Enabled (Only Checks Priority 0 Policy) | High | CIS |
| CIS.M365.2.1.11 | Ensure comprehensive attachment filtering is applied | High | CIS |
| CIS.M365.2.1.12 | Ensure the connection filter IP allow list is not used (Only Checks Default Policy) | Medium | CIS |
| CIS.M365.2.1.13 | Ensure the connection filter safe list is off (Only Checks Default Policy) | Medium | CIS |
| CIS.M365.2.1.2 | Ensure the Common Attachment Types Filter is enabled (Only Checks Default Policy) | Medium | CIS |
| CIS.M365.2.1.3 | Ensure notifications for internal users sending malware is Enabled (Only Checks Default Policy) | Medium | CIS |
| CIS.M365.2.1.4 | Ensure Safe Attachments policy is enabled (Only Checks Default Policy) | High | CIS |
| CIS.M365.2.1.5 | Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled | High | CIS |
| CIS.M365.2.1.6 | Ensure Exchange Online Spam Policies are set to notify administrators (Only Checks Default Policy) | Medium | CIS |
| CIS.M365.2.1.7 | Ensure that an anti-phishing policy has been created (Only Checks Default Policy) | Medium | CIS |
| CIS.M365.2.1.9 | Ensure that DKIM is enabled for all Exchange Online Domains | Medium | CIS |
| CIS.M365.2.4.4 | Ensure Zero-hour auto purge for Microsoft Teams is on (Only Checks ZAP is enabled) | Medium | CIS |
| CIS.M365.3.1.1 | Ensure Microsoft 365 audit log search is Enabled | Medium | CIS |
| CIS.M365.4.1 | Ensure devices without a compliance policy are marked 'not compliant' | High | CIS |
| CIS.M365.5.1.2.2 | Ensure third party integrated applications are not allowed | High | CIS |
| CIS.M365.5.1.2.3 | Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' | Medium | CIS |
| CIS.M365.5.1.3.1 | Ensure a dynamic group for guest users is created | Medium | CIS |
| CIS.M365.5.1.5.1 | Ensure user consent to apps accessing company data on their behalf is not allowed | High | CIS |
| CIS.M365.5.1.5.2 | Ensure the admin consent workflow is enabled | Medium | CIS |
| CIS.M365.5.1.6.2 | Ensure that guest user access is restricted | Medium | CIS |
| CIS.M365.5.2.3.5 | Ensure weak authentication methods are disabled | Medium | CIS |
| CIS.M365.6.5.3 | Ensure additional storage providers are restricted in Outlook on the web | High | CIS |
| CIS.M365.8.1.1 | Ensure external file sharing in Teams is enabled for only approved cloud storage services | Medium | CIS |
| CIS.M365.8.2.2 | Ensure communication with unmanaged Teams users is disabled | Medium | CIS |
| CIS.M365.8.2.3 | Ensure external Teams users cannot initiate conversations | Medium | CIS |
| CIS.M365.8.4.1 | Ensure all or a majority of third-party and custom apps are blocked | Medium | CIS |
| CIS.M365.8.5.3 | Ensure only people in my org can bypass the lobby | Medium | CIS |
| CIS.M365.8.6.1 | Ensure users can report security concerns in Teams to internal destination | Medium | CIS |
| CISA.MS.EXO.1.1 | Automatic forwarding to external domains SHALL be disabled. | Medium | CIS |
| CISA.MS.EXO.10.1 | Emails SHALL be scanned for malware. | Medium | CIS |
| CISA.MS.EXO.10.2 | Emails identified as containing malware SHALL be quarantined or dropped. | Medium | CIS |
| CISA.MS.EXO.10.3 | Email scanning SHALL be capable of reviewing emails after delivery. | Medium | CIS |
| CISA.MS.EXO.11.1 | Impersonation protection checks SHOULD be used. | Medium | CIS |
| CISA.MS.EXO.11.2 | User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed. | Medium | CIS |
| CISA.MS.EXO.11.3 | The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence. | Medium | CIS |
| CISA.MS.EXO.12.1 | IP allow lists SHOULD NOT be created. | Medium | CIS |
| CISA.MS.EXO.12.2 | Safe lists SHOULD NOT be enabled. | Medium | CIS |
| CISA.MS.EXO.13.1 | Mailbox auditing SHALL be enabled. | Medium | CIS |
| CISA.MS.EXO.14.1 | A spam filter SHALL be enabled. | Medium | CIS |
| CISA.MS.EXO.14.2 | Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder. | Medium | CIS |
| CISA.MS.EXO.14.3 | Allowed domains SHALL NOT be added to inbound anti-spam protection policies. | Medium | CIS |
| CISA.MS.EXO.14.4 | If a third-party filtering solution is used, the solution SHOULD offer services comparable to the native spam filtering offered by Microsoft. | Medium | CIS |
| CISA.MS.EXO.15.1 | URL comparison with a block-list SHOULD be enabled. | Medium | CIS |
| CISA.MS.EXO.15.2 | Direct download links SHOULD be scanned for malware. | Medium | CIS |
| CISA.MS.EXO.15.3 | User click tracking SHOULD be enabled. | Medium | CIS |
| CISA.MS.EXO.16.1 | Alerts SHALL be enabled. | Medium | CIS |
| CISA.MS.EXO.16.2 | Alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) system. | Medium | CIS |
| CISA.MS.EXO.17.1 | Microsoft Purview Audit (Standard) logging SHALL be enabled. | Medium | CIS |
| CISA.MS.EXO.17.2 | Microsoft Purview Audit (Premium) logging SHALL be enabled. | Medium | CIS |
| CISA.MS.EXO.17.3 | Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C). | Medium | CIS |
| CISA.MS.EXO.2.1 | A list of approved IP addresses for sending mail SHALL be maintained. | Medium | CIS |
| CISA.MS.EXO.2.2 | An SPF policy SHALL be published for each domain, designating only these addresses as approved senders. | Medium | CIS |
| CISA.MS.EXO.3.1 | DKIM SHOULD be enabled for all domains. | Medium | CIS |
| CISA.MS.EXO.4.1 | A DMARC policy SHALL be published for every second-level domain. | Medium | CIS |
| CISA.MS.EXO.4.2 | The DMARC message rejection option SHALL be p=reject. | Medium | CIS |
| CISA.MS.EXO.4.3 | The DMARC point of contact for aggregate reports SHALL include reports@dmarc.cyber.dhs.gov. | Medium | CIS |
| CISA.MS.EXO.5.1 | SMTP AUTH SHALL be disabled. | Medium | CIS |
| CISA.MS.EXO.6.1 | Contact folders SHALL NOT be shared with all domains. | Medium | CIS |
| CISA.MS.EXO.6.2 | Calendar details SHALL NOT be shared with all domains. | Medium | CIS |
| CISA.MS.EXO.7.1 | External sender warnings SHALL be implemented. | Medium | CIS |
| CISA.MS.EXO.8.1 | A DLP solution SHALL be used. | Medium | CIS |
| CISA.MS.EXO.8.2 | The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency. | Medium | CIS |
| CISA.MS.EXO.8.3 | The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft. | Medium | CIS |
| CISA.MS.EXO.8.4 | At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email. | Medium | CIS |
| CISA.MS.EXO.9.1 | Emails SHALL be filtered by attachment file types. | Medium | CIS |
| CISA.MS.EXO.9.2 | The attachment filter SHOULD attempt to determine the true file type and assess the file extension. | Medium | CIS |
| CISA.MS.EXO.9.3 | Disallowed file types SHALL be determined and enforced. | Medium | CIS |
| CISA.MS.EXO.9.4 | Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender's Common Attachment Filter. | Medium | CIS |
| CISA.MS.EXO.9.5 | At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe). | Medium | CIS |
| CISA.MS.SHAREPOINT.1.1 | External sharing for SharePoint SHALL be limited to Existing guests or Only People in your organization. | Medium | CIS |
| CISA.MS.SHAREPOINT.1.3 | External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs. | Medium | CIS |
| M365.2102 | Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2103 | Ensure Safe Attachments policy is enabled | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2104 | Ensure Safe Links for Office Applications is Enabled | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2106 | Ensure the connection filter IP allow list is not used | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2107 | Ensure the connection filter safe list is off | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2108 | Ensure Exchange Online Spam Policies are set to notify administrators | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2109 | Ensure inbound anti-spam policies do not contain allowed domains | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2110 | Ensure Microsoft Defender for Cloud Apps is enabled and configured | Low | CIS Microsoft 365 Foundations Benchmark |
| M365.2111 | Ensure Zero-hour auto purge for Microsoft Teams is on | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2112 | Ensure that DKIM is enabled for all Exchange Online Domains | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2113 | Ensure DMARC Records for all Exchange Online domains are published | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2114 | Ensure that SPF records are published for all Exchange Domains | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2115 | Ensure that an anti-phishing policy has been created | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2116 | Ensure 'AuditDisabled' organizationally is set to 'False' | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2117 | Ensure 'External sharing' of calendars is not available | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2118 | Ensure the customer lockbox feature is enabled | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2119 | Ensure MailTips are enabled for end users | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2120 | Ensure modern authentication for Exchange Online is enabled | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2121 | Ensure additional storage providers are restricted in Outlook on the web | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2122 | Ensure Priority account protection is enabled and configured | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2123 | Ensure Priority accounts have 'Strict protection' presets applied | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2124 | Ensure users installing Outlook add-ins is not allowed | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2125 | Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web' | Low | CIS Microsoft 365 Foundations Benchmark |
| M365.2126 | Ensure email from external senders is identified | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2127 | Ensure all forms of mail forwarding are blocked and/or disabled | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2128 | Ensure mail transport rules do not whitelist specific domains | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2129 | Ensure SMTP AUTH is disabled | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2130 | Ensure the Common Attachment Types Filter is enabled | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2131 | Ensure comprehensive attachment filtering is applied | Low | CIS Microsoft 365 Foundations Benchmark |
| M365.2132 | Ensure notifications for internal users sending malware is Enabled | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2133 | Ensure Zero-hour auto purge for Microsoft Teams is on | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2134 | Ensure the Account Provisioning Activity report is reviewed at least weekly | Low | CIS Microsoft 365 Foundations Benchmark |
| M365.2135 | Ensure mail forwarding rules are reviewed at least weekly | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2136 | Ensure malware trends are reviewed at least weekly | Low | CIS Microsoft 365 Foundations Benchmark |
| M365.2137 | Ensure the Account Provisioning Activity report is reviewed at least weekly | Low | CIS Microsoft 365 Foundations Benchmark |
| M365.2138 | Ensure the 'Restricted entities' report is reviewed weekly | Low | CIS Microsoft 365 Foundations Benchmark |
| M365.2139 | Ensure the spoofed domains report is reviewed weekly | Low | CIS Microsoft 365 Foundations Benchmark |
| M365.2140 | Ensure 'AuditBypassEnabled' is not enabled on mailboxes | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2143 | Ensure 'User owned apps and services' is restricted | Low | CIS Microsoft 365 Foundations Benchmark |
| M365.2144 | Ensure emergency access account activity is monitored | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2145 | Ensure 'Allow users to apply sensitivity labels for content' is 'Enabled' | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2146 | Ensure 'Block ResourceKey Authentication' is 'Enabled' | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2147 | Ensure enabling of external data sharing is restricted | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2148 | Ensure external user invitations are restricted | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2149 | Ensure guest access to content is restricted | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2150 | Ensure guest user access is restricted | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2151 | Ensure 'Interact with and share R and Python' visuals is 'Disabled' | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2152 | Ensure 'Publish to web' is restricted | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2153 | Ensure shareable links are restricted | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2154 | Ensure access to APIs by Service Principals is restricted | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2155 | Ensure Service Principals cannot create and use profiles | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2156 | Ensure internal phishing protection for Forms is enabled | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2157 | Ensure device enrollment for personally owned devices is blocked by default | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2158 | Ensure devices without a compliance policy are marked 'not compliant' | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2159 | Ensure DLP policies are enabled | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2160 | Ensure DLP policies are enabled for Microsoft Teams | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2161 | Ensure Microsoft 365 audit log search is Enabled | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2163 | Ensure user role group changes are reviewed at least weekly | Low | CIS Microsoft 365 Foundations Benchmark |
| M365.2164 | Ensure that Sways cannot be shared with people outside of your organization | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2165 | Ensure anonymous users and dial-in callers can't start a meeting | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2166 | Ensure anonymous users can't join a meeting | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2167 | Ensure app permission policies are configured | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2168 | Ensure users can't send emails to a channel email address | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2169 | Ensure 'external access' is restricted in the Teams admin center | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2170 | Ensure external domains are restricted in the Teams admin center | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2171 | Ensure external file sharing in Teams is enabled for only approved cloud storage services | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2172 | Ensure external meeting chat is off | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2173 | Ensure external participants can't give or request control | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2174 | Ensure meeting chat does not allow anonymous users | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2175 | Ensure only people in my org can bypass the lobby | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2176 | Ensure only organizers and co-organizers can present | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2177 | Ensure users can report security concerns in Teams | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2178 | Ensure users dialing in can't bypass the lobby | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2179 | Ensure communication with Skype users is disabled | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2180 | Ensure external Teams users cannot initiate conversations | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2181 | Ensure meeting recording is off by default | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2182 | Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled | Low | CIS Microsoft 365 Foundations Benchmark |
| M365.2183 | Ensure custom script execution is restricted on site collections | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2184 | Ensure custom script execution is restricted on personal sites | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2185 | Ensure external content sharing is restricted | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2186 | Ensure SharePoint external sharing is managed through domain allow/deny lists | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2187 | Ensure external sharing is restricted by security group | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2188 | Ensure guest access to a site or OneDrive will expire automatically | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2189 | Ensure that SharePoint guest users cannot share items they don't own | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2190 | Ensure link sharing is restricted in SharePoint and OneDrive | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2191 | Ensure Office 365 SharePoint infected files are disallowed for download | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2192 | Ensure modern authentication for SharePoint applications is required | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2193 | Ensure OneDrive content sharing is restricted | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2194 | Ensure OneDrive sync is restricted for unmanaged devices | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2195 | Ensure reauthentication with verification code is restricted | Medium | CIS Microsoft 365 Foundations Benchmark |
| M365.2196 | Ensure the SharePoint default sharing link permission is set | Medium | CIS Microsoft 365 Foundations Benchmark |
| ORCA.100 | Bulk Complaint Level threshold is between 4 and 6. | Medium | Other |
| ORCA.101 | Bulk is marked as spam. | Medium | Other |
| ORCA.102 | Advanced Spam filter options are turned off. | Medium | Other |
| ORCA.103 | Outbound spam filter policy settings configured. | Medium | Other |
| ORCA.104 | High Confidence Phish action set to Quarantine message. | Medium | Other |
| ORCA.105 | Safe Links Synchronous URL detonation is enabled. | Medium | Other |
| ORCA.106 | Quarantine retention period is 30 days. | Medium | Other |
| ORCA.107 | End-user spam notification is enabled. | Medium | Other |
| ORCA.108 | DKIM signing is set up for all your custom domains. | Medium | Other |
| ORCA.108.1 | DNS Records have been set up to support DKIM. | Medium | Other |
| ORCA.109 | Senders are not being allow-listed in an unsafe manner. | Medium | Other |
| ORCA.110 | Internal Sender notifications are disabled. | Medium | Other |
| ORCA.111 | Anti-phishing policy exists and EnableUnauthenticatedSender is true. | Medium | Other |
| ORCA.112 | Anti-spoofing protection action is configured to Move message to the recipients' Junk Email folders in Anti-phishing policy. | Medium | Other |
| ORCA.113 | AllowClickThrough is disabled in Safe Links policies. | Medium | Other |
| ORCA.114 | No IP Allow Lists have been configured. | Medium | Other |
| ORCA.115 | Mailbox intelligence-based impersonation protection is enabled in anti-phishing policies. | Medium | Other |
| ORCA.116 | Mailbox intelligence-based impersonation protection action set to move message to junk mail folder. | Medium | Other |
| ORCA.118.1 | Domains are not being allow-listed in an unsafe manner in Anti-Spam Policies. | Medium | Other |
| ORCA.118.2 | Domains are not being allow-listed in an unsafe manner in Transport Rules. | Medium | Other |
| ORCA.118.3 | Your own domains are not being allow-listed in an unsafe manner in Anti-Spam Policies. | Medium | Other |
| ORCA.118.4 | Your own domains are not being allow-listed in an unsafe manner in Transport Rules. | Medium | Other |
| ORCA.119 | Similar Domains Safety Tips is enabled. | Medium | Other |
| ORCA.120.1 | Zero Hour Autopurge Enabled for Phish. | Medium | Other |
| ORCA.120.2 | Zero Hour Autopurge Enabled for Malware. | Medium | Other |
| ORCA.120.3 | Zero Hour Autopurge Enabled for Spam. | Medium | Other |
| ORCA.121 | Supported filter policy action used. | Medium | Other |
| ORCA.123 | Unusual Characters Safety Tips is enabled. | Medium | Other |
| ORCA.124 | Safe attachments unknown malware response set to block messages. | Medium | Other |
| ORCA.139 | Spam action set to move message to junk mail folder or quarantine. | Medium | Other |
| ORCA.140 | High Confidence Spam action set to Quarantine message. | Medium | Other |
| ORCA.141 | Bulk action set to Move message to Junk Email Folder. | Medium | Other |
| ORCA.142 | Phish action set to Quarantine message. | Medium | Other |
| ORCA.143 | Safety Tips are enabled. | Medium | Other |
| ORCA.156 | Safe Links Policies are tracking when user clicks on safe links. | Medium | Other |
| ORCA.158 | Safe Attachments is enabled for SharePoint and Teams. | Medium | Other |
| ORCA.179 | Safe Links is enabled intra-organization. | Medium | Other |
| ORCA.180 | Anti-phishing policy exists and EnableSpoofIntelligence is true. | Medium | Other |
| ORCA.189 | Safe Attachments is not bypassed. | Medium | Other |
| ORCA.189.2 | Safe Links is not bypassed. | Medium | Other |
| ORCA.205 | Common attachment type filter is enabled. | Medium | Other |
| ORCA.220 | Advanced Phish filter Threshold level is adequate. | Medium | Other |
| ORCA.221 | Mailbox intelligence is enabled in anti-phishing policies. | Medium | Other |
| ORCA.222 | Domain Impersonation action is set to move to Quarantine. | Medium | Other |
| ORCA.223 | User impersonation action is set to move to Quarantine. | Medium | Other |
| ORCA.224 | Similar Users Safety Tips is enabled. | Medium | Other |
| ORCA.225 | Safe Documents is enabled for Office clients. | Medium | Other |
| ORCA.226 | Each domain has a Safe Links policy applied to it. | Medium | Other |
| ORCA.227 | Each domain has a Safe Attachments policy applied to it. | Medium | Other |
| ORCA.228 | No trusted senders in Anti-phishing policy. | Medium | Other |
| ORCA.229 | No trusted domains in Anti-phishing policy. | Medium | Other |
| ORCA.230 | Each domain has an anti-phishing policy applied to it, or the default policy is being used. | Medium | Other |
| ORCA.231 | Each domain has an anti-spam policy applied to it, or the default policy is being used. | Medium | Other |
| ORCA.232 | Each domain has a malware filter policy applied to it, or the default policy is being used. | Medium | Other |
| ORCA.233 | Domains are pointed directly at EOP or enhanced filtering is used. | Medium | Other |
| ORCA.233.1 | Domains are pointed directly at EOP or enhanced filtering is configured on all default connectors. | Medium | Other |
| ORCA.234 | Click through is disabled for Safe Documents. | Medium | Other |
| ORCA.235 | SPF records are set up for all your custom domains. | Medium | Other |
| ORCA.236 | Safe Links is enabled for emails. | Medium | Other |
| ORCA.237 | Safe Links is enabled for Teams messages. | Medium | Other |
| ORCA.238 | Safe Links is enabled for Office documents. | Medium | Other |
| ORCA.239 | No exclusions for the built-in protection policies. | Medium | Other |
| ORCA.240 | Outlook is configured to display external tags for external emails. | Medium | Other |
| ORCA.241 | Anti-phishing policy exists and EnableFirstContactSafetyTips is true. | Medium | Other |
| ORCA.242 | Important protection alerts responsible for AIR activities are enabled. | Medium | Other |
| ORCA.243 | Authenticated Receive Chain is set up for domains not pointing to EOP/MDO, or all domains point to EOP/MDO. | Medium | Other |
| ORCA.244 | Policies are configured to honor sending domains' DMARC. | Medium | Other |
| readme | Entra ID - Security Config Analyzer Tests | Medium | Other |