Comprehensive standards and best practices for Microsoft 365 and Azure environments.
Disables Exchange Online PowerShell access for non-admin users by setting the RemotePowerShellEnabled property to false for each user. This helps prevent attackers from using PowerShell to run malicious commands, access file systems, registry, and distribute ransomware throughout networks. Users with admin roles are automatically excluded.
Note: requires the 'Domain Name Administrator' GDAP role. This should be enabled even if the MOERA (onmicrosoft.com) domain is not used for sending. Enabling this prevents email spoofing. The default value 'v=DMARC1; p=reject;' is recommended because the domain is only used within M365 and reporting is not needed. Omitting the pct tag defaults it to 100%.
Configures CAPTCHA verification for external users joining Teams meetings. This helps prevent unauthorized AI notetakers and bots from joining meetings.
Configures the two-click confirmation requirement for viewing encrypted/protected emails in OWA and new Outlook. When enabled, users must click "View message" before accessing protected content, providing an additional layer of privacy protection.
Entra P1 required. Block or limit access to SharePoint and OneDrive content from unmanaged devices (those not hybrid AD joined or compliant in Intune). These controls rely on Microsoft Entra Conditional Access policies and can take up to 24 hours to take effect.
Restricts third-party storage services in Microsoft 365 on the web by managing the Microsoft 365 on the web service principal. This disables integrations with services like Dropbox, Google Drive, Box, and other third-party storage providers.
Enables the Name Pronunciation feature for the tenant. This allows users to set their name pronunciation in their profile.
Enables internal phishing protection for Microsoft Forms to help prevent malicious forms from being created and shared within the organization. This feature scans forms created by internal users for potential phishing content and suspicious patterns.
Allows guest users access to Teams.
Blocks login for all accounts that are marked as a resource mailbox and do not have a license assigned. Accounts that are synced from on-premises AD are excluded, as their account state is managed in the on-premises AD.
Creates new mail contacts in Exchange Online across all selected tenants based on the selected templates. The contact will be visible in the Global Address List unless hidden.
Sets the state of Direct Send in Exchange Online. Direct Send allows applications to send emails directly to Exchange Online mailboxes as the tenant's domains, without requiring authentication.
Sets the maximum number of recipients that can be specified in the To, Cc, and Bcc fields of a message for all mailboxes in the tenant.
This standard creates a custom Quarantine Policy that can be used in Anti-Spam and all MDO365 policies. Quarantine Policies can be used to specify recipient permissions, enable end-user spam notifications, and specify the release action preference.
Configures the outbound spam recipient limits (external per hour, internal per hour, per day) and the action to take when a limit is reached. The 'Set Outbound Spam Alert e-mail' standard is recommended to configure together with this one.
Deploy and manage SafeLinks policy templates to protect against malicious URLs in emails and Office documents.
Sets the default number of days after which Teams meeting recordings automatically expire. Valid values are -1 (Never Expire) or between 1 and 99999. The default value is 120 days.
Sets the default platform restrictions for enrolling devices into Intune. Note: do not block personally owned devices if the platform itself is blocked.
This adds allowed domains to the Spoof Intelligence Allow/Block List.
This creates a phishing simulation policy that enables phishing simulations for the entire tenant.
Sets the preferred language property for all users in the tenant. This will override the user's language settings.
Configures the MDM user scope. This also sets the terms of use, discovery and compliance URL to default URLs.
Sets the anti-spam connection filter policy option 'safe list' in Defender.
Configures the report suspicious activity settings and system credential preferences in the authentication methods policy.
Automatically adds all available domains as a proxy address.
Creates a Solo Network - Deleted Items retention policy tag that permanently deletes items in the Deleted Items folder after X days.
Controls whether users can set their own profile photos in Microsoft 365.
Remediate is currently not available. Cleans up Entra devices that have not connected/signed in for the specified number of days.
Sets the properties of the Global messaging policy.
This setting controls who can invite guests to your directory to collaborate on resources secured by your company, such as SharePoint sites or Azure resources.
Sets the 'Mark devices with no compliance policy assigned as' option (compliant/non-compliant) and the compliance status validity period.
Defines the CIS recommended global meeting policy for Teams. This includes AllowAnonymousUsersToJoinMeeting, AllowAnonymousUsersToStartMeeting, AutoAdmittedUsers, AllowPSTNUsersToBypassLobby, MeetingChatEnabledType, DesignatedPresenterRoleMode, and AllowExternalParticipantGiveRequestControl.
Controls whether users with this policy can set the voice profile capture and enrollment through the Recognition tab in their Teams client settings.
Sets the properties of the Global federation configuration.
Should users be allowed to send emails directly to a channel email addresses?
Sets the properties of the Global external access policy.
Ensure external file sharing in Teams is enabled for only approved cloud storage services.
Disables the ability for users to automatically forward e-mails to external recipients.
Sets an e-mail address to alert when a user requests to release a quarantined message.
This standard creates a Spam filter policy similar to the default strict policy.
Disables the creation of new SharePoint 2010 and 2013 classic workflows and removes the 'Return to classic SharePoint' link on modern SharePoint list and library pages.
Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
Ensure Office 365 SharePoint infected files are disallowed for download
Ensure default link sharing is set to Direct in SharePoint and OneDrive
Ensure guest access to a site or OneDrive will expire automatically
Ensure re-authentication with verification code is restricted
Deploys selected applications to the tenant. Use a comma separated list of application IDs to deploy multiple applications. Permissions will be copied from the source application.
Set the state of the spam submission button in Outlook
Enables litigation hold for all UserMailboxes with a valid license.
Sets the branding profile for the Intune Company Portal app. This is a tenant wide setting and overrules any settings set on the app level.
Restricts sharing to only users with the specified domain. This is useful for organizations that only want to share with their own domain.
Enables per user MFA for all users.
Enables the Pronouns feature for the tenant. This allows users to set their pronouns in their profile.
Sets the Cloud Message Recall state for the tenant. This allows users to recall messages from the cloud.
Sets the default state for automatically turning meetings into Teams meetings for the tenant. This can be overridden by the user in Outlook.
Sets the state of Bookings on the tenant. Bookings is a scheduling tool that allows users to book appointments with others both internal and external.
Sets the shorten meetings setting on a tenant level. This will shorten meetings by the selected number of minutes. Valid values are 0 to 29. Short meetings are under 60 minutes, long meetings are 60 minutes or over.
Sets the branding for the tenant. This includes the login page, and the Office 365 portal.
Sets the Global Quarantine Notification Interval to the selected value. Determines how often the quarantine notification is sent to users.
Disables Transport Neutral Encapsulation Format (TNEF)/winmail.dat for the tenant. TNEF can cause issues if the recipient is not using a client supporting TNEF.
Sets the default Focused Inbox state for the tenant. This can be overridden by the user.
Sets the default timezone for the tenant. This will be used for all new users and sites.
Sets the state of the Cross-tenant access setting to trust external MFA. This allows guest users to use their home tenant MFA to access your tenant.
This creates a Safe Links policy that automatically scans, tracks, and enables safe links for Email, Office, and Teams for both external and internal senders.
This creates an Anti-Phishing policy that automatically enables Mailbox Intelligence and spoof protection, with optional switches for MailTips.
This creates a Safe Attachments policy.
This creates an ATP policy that enables Defender for Office 365 for SharePoint, OneDrive and Microsoft Teams.
This creates a Malware filter policy that enables the default File filter and Zero-hour auto purge for malware.
Disables the ability for users to create App registrations in the tenant.
Creates a new mail contact in Exchange Online across all selected tenants. The contact will be visible in the Global Address List.
Sets the transport message configuration to timeout a message at 12 hours.
This blocks users from using QR Code PIN as an MFA method. If a user only has QR Code PIN as an MFA method, they will be unable to log in.
Disables the ability for users to install add-ins in Outlook. This is to prevent users from installing malicious add-ins.
Adds branding to the logon page that only appears if the URL is not login.microsoftonline.com. This potentially prevents AiTM attacks via Evilginx. When set to Remediate, this will also automatically generate alerts if a clone of your login page has been found.
Enables the In-Place Online Archive for all UserMailboxes with a valid license.
Disables the ability for users to open files in Outlook on the Web, from other providers such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.
Enables all MailTips in Outlook. MailTips are the notifications Outlook and Outlook on the web show when an email you are composing meets certain conditions.
Enables Customer Lockbox, which provides an approval process for Microsoft support to access organization data.
Enables Mailbox auditing for all mailboxes and on tenant level. Disables audit bypass on all mailboxes. Unified Audit Log needs to be enabled for this standard to function.
Disables the ability for users to share their calendar with external users. Only for the default policy, so exclusions can be made if needed.
Deploy the Autopilot Status Page, which shows progress during device setup through Autopilot.
Assign the appropriate Autopilot profile to streamline device deployment.
Deploy and manage Intune templates across devices.
Deploy transport rules to manage email flow.
Manage conditional access policies for better security.
Deploy and manage Exchange connectors.
Deploy and manage group templates.
Enables the HardwareOath authenticationMethod for the tenant. This allows you to use hardware tokens for generating 6 digit MFA codes.
This blocks users from using SMS as an MFA method. If a user only has SMS as an MFA method, they will be unable to log in.
This blocks users from using Voice call as an MFA method. If a user only has Voice as an MFA method, they will be unable to log in.
This blocks users from using email as an MFA method. This disables the email OTP option for guest users, and instead prompts them to create a Microsoft account.
This blocks users from using Certificates as an MFA method.
Allows the use of the Microsoft Authenticator OTP token generator.
Enables app consent admin requests for the tenant via the GA role. Does not overwrite existing reviewer settings.
Sets the Send and Receive limits for new users. Valid values are 1MB to 150MB.
Loops through all users and removes the Safe Senders list. This is to prevent SPF bypass attacks, as the Safe Senders list is not checked by SPF.
Requires MFA for all users to register devices with Intune. This is useful when not using Conditional Access.
If disabled, the 'Add shortcut to OneDrive' button will be removed and users in the tenant will no longer be able to add new shortcuts to their OneDrive. Existing shortcuts will remain functional.
A value between 0 and 270 is supported. A value of 0 disables retirement; otherwise retired devices are removed from Intune after the specified number of days.
Sets the state of Authenticator Lite. Authenticator Lite is a companion app for passwordless authentication.
Sets the Outbound Spam Alert e-mail address.
Sets the default sharing level for the default calendar for all users.
Enables the tenant to use LAPS. You must still create a policy for LAPS to be active on all devices. Use the template standards to deploy this by default.
Sets the maximum number of devices that can be registered by a user. A value of 0 disables device registration by users.
Rotates DKIM keys that are 1024 bit to 2048 bit.
Enables DKIM for all domains that currently support it.
Allows you to use any software OATH token generator.
Enables the FIDO2 authenticationMethod for the tenant.
Sets the state of the registration campaign for the tenant.
Restricts creation of M365 tenants to the Global Administrator or Tenant Creator roles.
Blocks login for guest users that have not logged in for 90 days
Sets the default OAuth consent level so users can consent to applications that are low risk.
Restricts M365 group creation to certain admin roles. This disables the ability to create Teams, SharePoint sites, Planner, etc.
Completely disables the creation of security groups by users. This also breaks the ability for users to manage groups themselves or create Teams.
Sets the retention period for deleted users' OneDrive to the specified period of time. The default is 30 days.
Sets the default sharing level for OneDrive and SharePoint. This is a tenant wide setting and overrules any settings set on the site level.
Disables users from creating new SharePoint sites.
Sets the file extensions that are excluded from syncing with OneDrive. These files will be blocked from upload. '*.' is automatically added to the extension and can be omitted.
Disables the ability for Mac devices to sync with OneDrive.
Disables the daily viva reports for all users. This standard requires the CIPP-SAM application to have the Company Administrator (Global Admin) role in the tenant. Enable this using CIPP > Advanced > Super Admin > SAM App Roles. Activate the roles with a CPV refresh.
Enables the ability for users to send from their alias addresses.
Disables Guest access to enumerate directory objects. This prevents guest users from seeing other users or guests in the directory.
Enables and sets the idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps.
Enables TAP and sets the default TAP lifetime to 1 hour. This configuration also allows you to select if a TAP is single use or multi-logon.
Defines the email address to receive general updates and information related to M365 subscriptions. Leave a contact field blank if you do not want to update the contact information.
Disables app consent and sets the consent setting to 'Allow user consent for apps'.
Enables security defaults for the tenant, for newer tenants this is enabled by default. Do not enable this feature if you use Conditional Access.
Enables the Unified Audit Log for tracking and auditing activities. Also runs Enable-OrganizationCustomization if necessary.
Shows usernames instead of pseudo anonymised names in reports. This standard is required for reporting to work correctly.
Disables SMTP AUTH for the organization and all users. This is the default for new tenants.
Enables the MS authenticator app to display information about the app that is requesting authentication. This displays the application name.
Disables the expiration of passwords for the tenant by setting the password expiration policy to never expire for any user.
This standard currently does not function and can be safely disabled.
Note: requires the 'Billing Administrator' GDAP role. This standard disables all self service licenses and enables all exclusions.
Disables users from being able to consent to applications, except for those specified in the field below.
Enables auto-expanding archives for the tenant.
Adds or removes indicators on e-mail messages received from external senders in Outlook. Works on all Outlook clients/OWA.
Sets emails sent as and on behalf of shared mailboxes to also be stored in the shared mailbox Sent Items folder.