Solo Standards

Comprehensive standards and recommended practices for Microsoft 365 and Azure environments.

Disable Exchange Online PowerShell for non-admin users

Medium Impact | CIS M365 5.0 (6.1.1) | Security | NIST CSF 2.0 (PR.AA-05) | 18/06/2025

Disables Exchange Online PowerShell access for non-admin users by setting the RemotePowerShellEnabled property to false for each user. This helps prevent attackers from using PowerShell to run malicious commands, access file systems and the registry, and distribute ransomware throughout networks. Users with admin roles are automatically excluded.

Enables DMARC on MOERA (onmicrosoft.com) domains

Low Impact | CIS M365 5.0 (2.1.10) | Security | PhishingProtection | 15/06/2025

Note: requires the 'Domain Name Administrator' GDAP role. This should be enabled even if the MOERA (onmicrosoft.com) domain is not used for sending. Enabling this prevents email spoofing. The default value 'v=DMARC1; p=reject;' is recommended because the domain is only used within M365 and reporting is not needed. Omitting the pct tag defaults it to 100%.

Teams Meeting Verification (CAPTCHA)

Low Impact | 13/06/2025

Configures CAPTCHA verification for external users joining Teams meetings. This helps prevent unauthorized AI notetakers and bots from joining meetings.

Set two-click confirmation for encrypted emails in New Outlook

Low Impact | 12/06/2025

Configures the two-click confirmation requirement for viewing encrypted/protected emails in OWA and new Outlook. When enabled, users must click "View message" before accessing protected content, providing an additional layer of privacy protection.

Restrict access to SharePoint and OneDrive from unmanaged devices

High Impact | CIS M365 5.0 (7.2.3) | CISA (MS.SPO.2.1v1) | NIST CSF 2.0 (PR.AA-05) | 12/06/2025

Entra P1 required. Block or limit access to SharePoint and OneDrive content from unmanaged devices (those not hybrid AD joined or compliant in Intune). These controls rely on Microsoft Entra Conditional Access policies and can take up to 24 hours to take effect.

Restrict third-party storage services in Microsoft 365 on the web

Medium Impact | CIS M365 5.0 (1.3.7) | 05/06/2025

Restricts third-party storage services in Microsoft 365 on the web by managing the Microsoft 365 on the web service principal. This disables integrations with services like Dropbox, Google Drive, Box, and other third-party storage providers.

Enable Name Pronunciation

Low Impact | 05/06/2025

Enables the Name Pronunciation feature for the tenant. This allows users to set their name pronunciation in their profile.

Enable internal phishing protection for Forms

Low Impact | CIS M365 5.0 (1.3.5) | Security | PhishingProtection | 05/06/2025

Enables internal phishing protection for Microsoft Forms to help prevent malicious forms from being created and shared within the organization. This feature scans forms created by internal users for potential phishing content and suspicious patterns.

Allow guest users in Teams

Low Impact | 02/06/2025

Allow guest users access to teams.

Disable Unlicensed Resource Mailbox Entra accounts

Medium Impact | NIST CSF 2.0 (PR.AA-01) | 31/05/2025

Blocks login for all accounts that are marked as a resource mailbox and do not have a license assigned. Accounts that are synced from on-premises AD are excluded, as account state is managed in the on-premises AD.

Deploy Mail Contact Template

Low Impact | 30/05/2025

Creates new mail contacts in Exchange Online across all selected tenants based on the selected templates. The contact will be visible in the Global Address List unless hidden.

Set Direct Send state

Medium Impact | 27/05/2025

Sets the state of Direct Send in Exchange Online. Direct Send allows applications to send emails directly to Exchange Online mailboxes as the tenant's domains, without requiring authentication.

Set Mailbox Recipient Limits

Low Impact | 27/05/2025

Sets the maximum number of recipients that can be specified in the To, Cc, and Bcc fields of a message for all mailboxes in the tenant.

Custom Quarantine Policy

Low Impact | 15/05/2025

This standard creates Custom Quarantine Policies that can be used in Anti-Spam and all MDO365 policies. Quarantine Policies can be used to specify recipient permissions, enable end-user spam notifications, and specify the release action preference.

Set Exchange Outbound Spam Limits

Low Impact | CIS M365 5.0 (2.1.6) | 12/05/2025

Configures the outbound spam recipient limits (external per hour, internal per hour, per day) and the action to take when a limit is reached. The 'Set Outbound Spam Alert e-mail' standard is recommended to configure together with this one.

SafeLinks Policy Template

Medium Impact | 28/04/2025

Deploy and manage SafeLinks policy templates to protect against malicious URLs in emails and Office documents.

Set Teams Meeting Recording Expiration

Medium Impact | 16/04/2025

Sets the default number of days after which Teams meeting recordings automatically expire. Valid values are -1 (Never Expire) or between 1 and 99999. The default value is 120 days.

SharePoint Mass Deletion Alert

Low Impact | 06/04/2025

Sets an e-mail address to alert when a user deletes more than 20 SharePoint files within 60 minutes. NB: Requires an Office 365 E5 subscription, Office 365 E3 with Threat Intelligence or Office 365 EquivioAnalytics add-on.

Device enrollment restrictions

Low Impact | CISA (MS.AAD.19.1v1) | 31/03/2025

Sets the default platform restrictions for enrolling devices into Intune. Note: Do not block personally owned devices if the platform is blocked.

Add allowed domains to Spoof Intelligence

Medium Impact | 27/03/2025

This adds allowed domains to the Spoof Intelligence Allow/Block List.

Phishing Simulation Configuration

Medium Impact | 26/03/2025

This creates a phishing simulation policy that enables phishing simulations for the entire tenant.

Preferred language for all users

High Impact | 25/02/2025

Sets the preferred language property for all users in the tenant. This will override the user's language settings.

Configure MDM user scope

Low Impact | 17/02/2025

Configures the MDM user scope. This also sets the terms of use, discovery and compliance URL to default URLs.

Set Anti-Spam Connection Filter Safe List

Medium Impact | CIS M365 5.0 (2.1.13) | 14/02/2025

Sets the anti-spam connection filter policy option 'safe list' in Defender.

Configure Authentication Methods Policy Settings

Low Impact | EIDSCA.AG01 | EIDSCA.AG02 | EIDSCA.AG03 | 09/02/2025

Configures the report suspicious activity settings and system credential preferences in the authentication methods policy.

Automatically deploy proxy addresses

Medium Impact | 06/02/2025

Automatically adds all available domains as a proxy address.

Retention Policy, permanently delete items in Deleted Items after X days

High Impact | CIS M365 5.0 (6.4.1) | 01/02/2025

Creates a Solo Network - Deleted Items retention policy tag that permanently deletes items in the Deleted Items folder after X days.

Allow users to set profile photos

Low Impact | 18/01/2025

Controls whether users can set their own profile photos in Microsoft 365.

Cleanup stale Entra devices

High Impact | Essential 8 (1501) | NIST CSF 2.0 (ID.AM-08) | NIST CSF 2.0 (PR.PS-03) | 18/01/2025

Remediate is currently not available. Cleans up Entra devices that have not connected/signed in for the specified number of days.

Global Messaging Policy for Microsoft Teams

Medium Impact | 09/01/2025

Sets the properties of the Global messaging policy.

Guest Invite setting

Medium Impact | CISA (MS.AAD.18.1v1) | EIDSCA.AP04 | EIDSCA.AP07 | 11/11/2024

This setting controls who can invite guests to your directory to collaborate on resources secured by your company, such as SharePoint sites or Azure resources.

Set Intune Compliance Settings

Low Impact | 11/11/2024

Sets whether devices with no compliance policy assigned are marked as compliant or non-compliant, and sets the compliance status validity period.

Define Global Meeting Policy for Teams

Low Impact | CIS M365 5.0 (8.5.1) | CIS M365 5.0 (8.5.2) | CIS M365 5.0 (8.5.3) | CIS M365 5.0 (8.5.4) | CIS M365 5.0 (8.5.5) | CIS M365 5.0 (8.5.6) | 11/11/2024

Defines the CIS recommended global meeting policy for Teams. This includes AllowAnonymousUsersToJoinMeeting, AllowAnonymousUsersToStartMeeting, AutoAdmittedUsers, AllowPSTNUsersToBypassLobby, MeetingChatEnabledType, DesignatedPresenterRoleMode, AllowExternalParticipantGiveRequestControl

Default voice and face enrollment

Low Impact | 11/11/2024

Controls whether users with this policy can set the voice profile capture and enrollment through the Recognition tab in their Teams client settings.

Federation Configuration for Microsoft Teams

Medium Impact | 30/07/2024

Sets the properties of the Global federation configuration.

Disallow emails to be sent to channel email addresses

Low Impact | CIS M365 5.0 (8.1.2) | 29/07/2024

Should users be allowed to send emails directly to channel email addresses?

External Access Settings for Microsoft Teams

Medium Impact | 29/07/2024

Sets the properties of the Global external access policy.

Define approved cloud storage services for external file sharing in Teams

Low Impact | CIS M365 5.0 (8.4.1) | 27/07/2024

Ensure external file sharing in Teams is enabled for only approved cloud storage services.

Disable automatic forwarding to external recipients

High Impact | CIS M365 5.0 (6.2.1) | mdo_autoforwardingmode | mdo_blockmailforward | CISA (MS.EXO.4.1v1) | NIST CSF 2.0 (PR.DS-02) | 25/07/2024

Disables the ability for users to automatically forward e-mails to external recipients.

Set SharePoint sync button state

Medium Impact | 25/07/2024

If disabled, users in the tenant will no longer be able to use the Sync button to sync SharePoint content on all sites. However, existing synced content will remain functional on the user's computer.

Quarantine Release Request Alert

Low Impact | 14/07/2024

Sets an e-mail address to alert when a user requests to release a quarantined message.

Default Spam Filter Policy

Medium Impact | 14/07/2024

This standard creates a Spam filter policy similar to the default strict policy.

Disable Legacy Workflows

Low Impact | 14/07/2024

Disables the creation of new SharePoint 2010 and 2013 classic workflows and removes the 'Return to classic SharePoint' link on modern SharePoint list and library pages.

Enable SharePoint and OneDrive integration with Azure AD B2B

Low Impact | CIS M365 5.0 (7.2.2) | 08/07/2024

Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled

Disallow downloading infected files from SharePoint

Low Impact | CIS M365 5.0 (7.3.1) | CISA (MS.SPO.3.1v1) | NIST CSF 2.0 (DE.CM-09) | 08/07/2024

Ensure Office 365 SharePoint infected files are disallowed for download

Default sharing to Direct users

Medium Impact | CIS M365 5.0 (7.2.7) | CISA (MS.SPO.1.4v1) | 08/07/2024

Ensure default link sharing is set to Direct in SharePoint and OneDrive

Set guest access to expire automatically

Medium Impact | CIS M365 5.0 (7.2.9) | CISA (MS.SPO.1.5v1) | 08/07/2024

Ensure guest access to a site or OneDrive will expire automatically

Require re-authentication with verification code

Medium Impact | CIS M365 5.0 (7.2.10) | CISA (MS.SPO.1.6v1) | 08/07/2024

Ensure re-authentication with verification code is restricted

Deploy Application

Low Impact | 06/07/2024

Deploys selected applications to the tenant. Use a comma separated list of application IDs to deploy multiple applications. Permissions will be copied from the source application.

Set the state of the built-in Report button in Outlook

Medium Impact | 27/06/2024

Set the state of the spam submission button in Outlook

Enable Litigation Hold for all users

Low Impact | 24/06/2024

Enables litigation hold for all UserMailboxes with a valid license.

Set Intune Company Portal branding profile

Low Impact | 19/06/2024

Sets the branding profile for the Intune Company Portal app. This is a tenant wide setting and overrules any settings set on the app level.

Restrict sharing to a specific domain

High Impact | CIS M365 5.0 (7.2.6) | CISA (MS.AAD.14.3v1) | CISA (MS.SPO.1.3v1) | 19/06/2024

Restricts sharing to only users with the specified domain. This is useful for organizations that only want to share with their own domain.

Enables per user MFA for all users.

High Impact | CIS M365 5.0 (1.2.1) | CIS M365 5.0 (1.1.1) | CIS M365 5.0 (1.1.2) | CISA (MS.AAD.1.1v1) | CISA (MS.AAD.1.2v1) | Essential 8 (1504) | Essential 8 (1173) | Essential 8 (1401) | NIST CSF 2.0 (PR.AA-03) | 13/06/2024

Enables per user MFA for all users.

Enable Pronouns

Low Impact | 04/06/2024

Enables the Pronouns feature for the tenant. This allows users to set their pronouns in their profile.

Set Cloud Message Recall state

Low Impact | 30/05/2024

Sets the Cloud Message Recall state for the tenant. This allows users to recall messages from the cloud.

Set Teams Meetings by default state

Low Impact | 30/05/2024

Sets the default state for automatically turning meetings into Teams meetings for the tenant. This can be overridden by the user in Outlook.

Set Bookings state

Medium Impact | 30/05/2024

Sets the state of Bookings on the tenant. Bookings is a scheduling tool that allows users to book appointments with others both internal and external.

Set shorten meetings state

Medium Impact | 26/05/2024

Sets the shorten meetings settings on a tenant level. This will shorten meetings by the selected amount of minutes. Valid values are 0 to 29. Short meetings are under 60 minutes, long meetings are over 60 minutes.

Set branding for the tenant

Low Impact | 12/05/2024

Sets the branding for the tenant. This includes the login page, and the Office 365 portal.

Set Global Quarantine Notification Interval

Low Impact | 02/05/2024

Sets the Global Quarantine Notification Interval to the selected value. Determines how often the quarantine notification is sent to users.

Disable TNEF/winmail.dat

Low Impact | 25/04/2024

Disables Transport Neutral Encapsulation Format (TNEF)/winmail.dat for the tenant. TNEF can cause issues if the recipient is not using a client supporting TNEF.

Set Focused Inbox state

Low Impact | 25/04/2024

Sets the default Focused Inbox state for the tenant. This can be overridden by the user.

Set Default Timezone for Tenant

Low Impact | 19/04/2024

Sets the default timezone for the tenant. This will be used for all new users and sites.

Sets the Cross-tenant access setting to trust external MFA

Low Impact | 25/03/2024

Sets the state of the Cross-tenant access setting to trust external MFA. This allows guest users to use their home tenant MFA to access your tenant.

Default Safe Links Policy

Low Impact | CIS M365 5.0 (2.1.1) | mdo_safelinksforemail | mdo_safelinksforOfficeApps | NIST CSF 2.0 (DE.CM-09) | 24/03/2024

This creates a Safe Links policy that automatically scans, tracks, and enables safe links for Email, Office, and Teams for both external and internal senders.

Default Anti-Phishing Policy

Low Impact | mdo_safeattachments | mdo_highconfidencespamaction | mdo_highconfidencephishaction | mdo_phisspamacation | mdo_spam_notifications_only_for_admins | mdo_antiphishingpolicies | mdo_phishthresholdlevel | CIS M365 5.0 (2.1.7) | NIST CSF 2.0 (DE.CM-09) | 24/03/2024

This creates an Anti-Phishing policy that automatically enables Mailbox Intelligence and spoofing, with optional switches for Mail tips.

Default Safe Attachment Policy

Low Impact | CIS M365 5.0 (2.1.4) | mdo_safedocuments | mdo_commonattachmentsfilter | mdo_safeattachmentpolicy | NIST CSF 2.0 (DE.CM-09) | 24/03/2024

This creates a Safe Attachment policy

Default Atp Policy For O365

Low Impact | CIS M365 5.0 (2.1.5) | NIST CSF 2.0 (DE.CM-09) | 24/03/2024

This creates an ATP policy that enables Defender for Office 365 for SharePoint, OneDrive and Microsoft Teams.

Default Malware Filter Policy

Low Impact | CIS M365 5.0 (2.1.2) | CIS M365 5.0 (2.1.3) | mdo_zapspam | mdo_zapphish | mdo_zapmalware | NIST CSF 2.0 (DE.CM-09) | 24/03/2024

This creates a Malware filter policy that enables the default File filter and Zero-hour auto purge for malware.

Disable App creation by users

Low Impact | CIS M365 5.0 (1.2.2) | CISA (MS.AAD.4.1v1) | EIDSCA.AP10 | Essential 8 (1175) | NIST CSF 2.0 (PR.AA-05) | 19/03/2024

Disables the ability for users to create App registrations in the tenant.

Deploy Mail Contact

Low Impact | 18/03/2024

Creates a new mail contact in Exchange Online across all selected tenants. The contact will be visible in the Global Address List.

Lower Transport Message Expiration to 12 hours

Low Impact | 22/02/2024

Sets the transport message configuration to time out a message at 12 hours.

Disables QR Code Pin as an MFA method

High Impact | 09/02/2024

This blocks users from using QR Code Pin as an MFA method. If a user only has QR Code Pin as an MFA method, they will be unable to log in.

Disable users from installing add-ins in Outlook

Medium Impact | CIS M365 5.0 (6.3.1) | exo_outlookaddins | NIST CSF 2.0 (PR.AA-05) | NIST CSF 2.0 (PR.PS-05) | 04/02/2024

Disables the ability for users to install add-ins in Outlook. This is to prevent users from installing malicious add-ins.

Disable legacy basic authentication for SharePoint

Medium Impact | CIS M365 5.0 (6.5.1) | CIS M365 5.0 (7.2.1) | spo_legacy_auth | CISA (MS.AAD.3.1v1) | NIST CSF 2.0 (PR.IR-01) | 04/02/2024

Disables the ability to authenticate with SharePoint using legacy authentication methods. Any applications that use legacy authentication will need to be updated to use modern authentication.

Enable Phishing Protection system via branding CSS

Low Impact | 21/01/2024

Adds branding to the logon page that only appears if the URL is not login.microsoftonline.com. This potentially prevents AITM attacks via Evilginx. When set to Remediate, this will also automatically generate alerts if a clone of your login page has been found.

Enable Online Archive for all users

Low Impact | Essential 8 (1511) | NIST CSF 2.0 (PR.DS-11) | 19/01/2024

Enables the In-Place Online Archive for all UserMailboxes with a valid license.

Disable additional storage providers in OWA

Low Impact | CIS M365 5.0 (6.5.3) | exo_storageproviderrestricted | 16/01/2024

Disables the ability for users to open files in Outlook on the Web, from other providers such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.

Enable all MailTips

Low Impact | CIS M365 5.0 (6.5.2) | exo_mailtipsenabled | 13/01/2024

Enables all MailTips in Outlook. MailTips are the notifications that Outlook and Outlook on the web show when an email you create meets certain requirements.

Enable Customer Lockbox

Low Impact | CIS M365 5.0 (1.3.6) | CustomerLockBoxEnabled | 07/01/2024

Enables Customer Lockbox that offers an approval process for Microsoft support to access organization data

Enable Mailbox auditing

Low Impact | CIS M365 5.0 (6.1.1) | CIS M365 5.0 (6.1.2) | CIS M365 5.0 (6.1.3) | exo_mailboxaudit | Essential 8 (1509) | Essential 8 (1683) | NIST CSF 2.0 (DE.CM-09) | 07/01/2024

Enables Mailbox auditing for all mailboxes and on tenant level. Disables audit bypass on all mailboxes. Unified Audit Log needs to be enabled for this standard to function.

Disable external calendar sharing

Low Impact | CIS M365 5.0 (1.3.3) | exo_individualsharing | 07/01/2024

Disables the ability for users to share their calendar with external users. Only for the default policy, so exclusions can be made if needed.

Enable Autopilot Status Page

Low Impact | 29/12/2023

Deploy the Autopilot Status Page, which shows progress during device setup through Autopilot.

Enable Autopilot Profile

Low Impact | 29/12/2023

Assign the appropriate Autopilot profile to streamline device deployment.

Intune Template

High Impact | 29/12/2023

Deploy and manage Intune templates across devices.

Transport Rule Template

Medium Impact | 29/12/2023

Deploy transport rules to manage email flow.

Conditional Access Template

High Impact | 29/12/2023

Manage conditional access policies for better security.

Exchange Connector Template

Medium Impact | 29/12/2023

Deploy and manage Exchange connectors.

Group Template

Medium Impact | 29/12/2023

Deploy and manage group templates.

Enable Hardware OAuth tokens

Low Impact | 17/12/2023

Enables the HardwareOath authenticationMethod for the tenant. This allows you to use hardware tokens for generating 6 digit MFA codes.

Disables SMS as an MFA method

High Impact | CIS M365 5.0 (2.3.5) | EIDSCA.AS04 | NIST CSF 2.0 (PR.AA-03) | 17/12/2023

This blocks users from using SMS as an MFA method. If a user only has SMS as an MFA method, they will be unable to log in.

Disables Voice call as an MFA method

High Impact | CIS M365 5.0 (2.3.5) | EIDSCA.AV01 | NIST CSF 2.0 (PR.AA-03) | 17/12/2023

This blocks users from using Voice call as an MFA method. If a user only has Voice as an MFA method, they will be unable to log in.

Disables Email as an MFA method

High Impact | CIS M365 5.0 (2.3.5) | NIST CSF 2.0 (PR.AA-03) | 17/12/2023

This blocks users from using email as an MFA method. This disables the email OTP option for guest users, and instead prompts them to create a Microsoft account.

Disables Certificates as an MFA method

High Impact | 17/12/2023

This blocks users from using Certificates as an MFA method.

Enable OTP via Authenticator

Low Impact | EIDSCA.AM02 | 05/12/2023

Allows you to use MS authenticator OTP token generator

Enable App consent admin requests

Low Impact | CIS M365 5.0 (1.5.2) | CISA (MS.AAD.9.1v1) | EIDSCA.CP04 | EIDSCA.CR01 | EIDSCA.CR02 | EIDSCA.CR03 | EIDSCA.CR04 | Essential 8 (1507) | NIST CSF 2.0 (PR.AA-05) | 26/11/2023

Enables App consent admin requests for the tenant via the GA role. Does not overwrite existing reviewer settings

Set send/receive size limits

Low Impact | 15/11/2023

Sets the Send and Receive limits for new users. Valid values are 1MB to 150MB

Remove Safe Senders to prevent SPF bypass

Medium Impact | 25/10/2023

Loops through all users and removes the Safe Senders list. This is to prevent SPF bypass attacks, as the Safe Senders list is not checked by SPF.

Require Multi-factor Authentication to register or join devices with Microsoft Entra

Medium Impact | 22/10/2023

Requires MFA for all users to register devices with Intune. This is useful when not using Conditional Access.

Set Add Shortcuts To OneDrive button state

Medium Impact | 24/07/2023

If disabled, the button Add shortcut to OneDrive will be removed and users in the tenant will no longer be able to add new shortcuts to their OneDrive. Existing shortcuts will remain functional

Set inactive device retirement days

Low Impact | 18/05/2023

A value between 0 and 270 is supported. A value of 0 disables retirement; retired devices are removed from Intune after the specified number of days.

Set Authenticator Lite state

Low Impact | EIDSCA.AM01 | 17/05/2023

Sets the state of Authenticator Lite. Authenticator Lite is a companion app for passwordless authentication.

Set Outbound Spam Alert e-mail

Low Impact | CIS M365 5.0 (2.1.6) | 02/05/2023

Set the Outbound Spam Alert e-mail address

Set Sharing Level for Default calendar

Low Impact | 26/04/2023

Sets the default sharing level for the default calendar, for all users

Enable LAPS on the tenant

Low Impact | 24/04/2023

Enables the tenant to use LAPS. You must still create a policy for LAPS to be active on all devices. Use the template standards to deploy this by default.

Set Maximum Number of Devices per user

Medium Impact | CISA (MS.AAD.17.1v1) | 26/03/2023

Sets the maximum number of devices that can be registered by a user. A value of 0 disables device registration by users

Rotate DKIM keys that are 1024 bit to 2048 bit

Low Impact | CIS M365 5.0 (2.1.9) | 13/03/2023

Rotate DKIM keys that are 1024 bit to 2048 bit

Enables DKIM for all domains that currently support it

Low Impact | CIS M365 5.0 (2.1.9) | 13/03/2023

Enables DKIM for all domains that currently support it

Enable OTP Software OAuth tokens

Low Impact | EIDSCA.AT01 | EIDSCA.AT02 | 17/12/2022

Allows you to use any software OAuth token generator

Enable FIDO2 capabilities

Low Impact | EIDSCA.AF01 | EIDSCA.AF02 | EIDSCA.AF03 | EIDSCA.AF04 | EIDSCA.AF05 | EIDSCA.AF06 | NIST CSF 2.0 (PR.AA-03) | 07/12/2022

Enables the FIDO2 authenticationMethod for the tenant

Sets the state for the request to setup Authenticator

Low Impact | 07/12/2022

Sets the state of the registration campaign for the tenant

Disable M365 Tenant creation by users

Low Impact | CIS M365 5.0 (1.2.3) | CISA (MS.AAD.6.1v1) | 28/11/2022

Restricts creation of M365 tenants to the Global Administrator or Tenant Creator roles.

Disable Guest accounts that have not logged on for 90 days

Medium Impact | 19/10/2022

Blocks login for guest users that have not logged in for 90 days

Allow users to consent to applications with low security risk (Prevent OAuth phishing. Lower impact, less secure)

Medium Impact | IntegratedApps | 15/08/2022

Sets the default OAuth consent level so users can consent to applications that have low risks.

Disable M365 Group creation by users

Low Impact | CISA (MS.AAD.21.1v1) | 16/07/2022

Restricts M365 group creation to certain admin roles. This disables the ability to create Teams, SharePoint sites, Planner, etc

Disable Security Group creation by users

Medium Impact | CISA (MS.AAD.20.1v1) | NIST CSF 2.0 (PR.AA-05) | 16/07/2022

Completely disables the creation of security groups by users. This also breaks the ability to manage groups themselves, or create Teams

Set deleted user retention time in OneDrive

Low Impact | 14/06/2022

Sets the retention period for a deleted user's OneDrive to the specified period of time. The default is 30 days.

Set Sharing Level for OneDrive and SharePoint

High Impact | CIS M365 5.0 (7.2.3) | CISA (MS.AAD.14.1v1) | CISA (MS.SPO.1.1v1) | 14/06/2022

Sets the default sharing level for OneDrive and SharePoint. This is a tenant wide setting and overrules any settings set on the site level

Disable Re-sharing by External Users

High Impact | CIS M365 5.0 (7.2.5) | CISA (MS.AAD.14.2v1) | CISA (MS.SPO.1.2v1) | 14/06/2022

Disables the ability for external users to share files they don't own. Sharing links can only be made for People with existing access

Disable site creation by standard users

High Impact | 14/06/2022

Disables users from creating new SharePoint sites

Exclude File Extensions from Syncing

High Impact | 14/06/2022

Sets the file extensions that are excluded from syncing with OneDrive. These files will be blocked from upload. '*.' is automatically added to the extension and can be omitted.

Do not allow Mac devices to sync using OneDrive

High Impact | 14/06/2022

Disables the ability for Mac devices to sync with OneDrive.

Disable daily Insight/Viva reports

Low Impact | 24/05/2022

Disables the daily viva reports for all users. This standard requires the CIPP-SAM application to have the Company Administrator (Global Admin) role in the tenant. Enable this using CIPP > Advanced > Super Admin > SAM App Roles. Activate the roles with a CPV refresh.

Allow users to send from their alias addresses

Medium Impact | 24/05/2022

Enables the ability for users to send from their alias addresses.

Restrict guest user access to directory objects

Low Impact | CIS M365 5.0 (5.1.6.2) | CISA (MS.AAD.5.1v1) | EIDSCA.AP14 | EIDSCA.ST08 | EIDSCA.ST09 | NIST CSF 2.0 (PR.AA-05) | 03/05/2022

Disables Guest access to enumerate directory objects. This prevents guest users from seeing other users or guests in the directory.

Enable Activity based Timeout

Medium Impact | CIS M365 5.0 (1.3.2) | spo_idle_session_timeout | NIST CSF 2.0 (PR.AA-03) | 12/04/2022

Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps

Enable Temporary Access Passwords

Low Impact | 14/03/2022

Enables TAP and sets the default TAP lifetime to 1 hour. This configuration also allows you to select if a TAP is single use or multi-logon.

Set contact e-mails

Low Impact | 12/03/2022

Defines the email address to receive general updates and information related to M365 subscriptions. Leave a contact field blank if you do not want to update the contact information.

Undo App Consent Standard

High Impact | 06/01/2022

Disables App consent and sets it to "Allow user consent for apps".

Enable Security Defaults

High Impact | CISA (MS.AAD.11.1v1) | 18/11/2021

Enables security defaults for the tenant; for newer tenants this is enabled by default. Do not enable this feature if you use Conditional Access.

Enable the Unified Audit Log

Low Impact | CIS M365 5.0 (3.1.1) | mip_search_auditlog | NIST CSF 2.0 (DE.CM-09) | 15/11/2021

Enables the Unified Audit Log for tracking and auditing activities. Also runs Enable-OrganizationCustomization if necessary.

Enable Usernames instead of pseudo anonymised names in reports

Low Impact | 15/11/2021

Shows usernames instead of pseudo anonymised names in reports. This standard is required for reporting to work correctly.

Disable SMTP Basic Authentication

Medium Impact | CIS M365 5.0 (6.5.4) | NIST CSF 2.0 (PR.IR-01) | 15/11/2021

Disables SMTP AUTH for the organization and all users. This is the default for new tenants.

Enable Passwordless with Location information and Number Matching

Low Impact | CIS M365 5.0 (2.3.1) | CIS M365 5.0 (5.2.3.2) | EIDSCA.AM03 | EIDSCA.AM04 | EIDSCA.AM06 | EIDSCA.AM07 | EIDSCA.AM09 | EIDSCA.AM10 | NIST CSF 2.0 (PR.AA-03) | 15/11/2021

Enables the MS authenticator app to display information about the app that is requesting authentication. This displays the application name.

Do not expire passwords

Low Impact | CIS M365 5.0 (1.3.1) | PWAgePolicyNew | 15/11/2021

Disables the expiration of passwords for the tenant by setting the password expiration policy to never expire for any user.

Remove Legacy MFA if SD or CA is active

Medium Impact | 15/11/2021

This standard currently does not function and can be safely disabled

Disable Self Service Licensing

Medium Impact | 15/11/2021

Note: requires 'Billing Administrator' GDAP role. This standard disables all self service licenses and enables all exclusions

Require admin consent for applications (Prevent OAuth phishing)

Medium Impact | CIS M365 5.0 (1.5.1) | CISA (MS.AAD.4.2v1) | EIDSCA.AP08 | EIDSCA.AP09 | Essential 8 (1175) | NIST CSF 2.0 (PR.AA-05) | 15/11/2021

Disables users from being able to consent to applications, except for those specified in the field below

Enable Auto-expanding archives

Low Impact | 15/11/2021

Enables auto-expanding archives for the tenant

Enable or disable 'external' warning in Outlook

Low Impact | CIS M365 5.0 (6.2.3) | 15/11/2021

Adds or removes indicators to e-mail messages received from external senders in Outlook. Works on all Outlook clients/OWA

Set mailbox Sent Items delegation (Sent items for shared mailboxes)

Medium Impact | 15/11/2021

Sets emails sent as and on behalf of shared mailboxes to also be stored in the shared mailbox sent items folder

Disable Shared Mailbox Entra accounts

Medium Impact | CIS M365 5.0 (1.2.2) | CISA (MS.AAD.10.1v1) | NIST CSF 2.0 (PR.AA-01) | 15/11/2021

Blocks login for all accounts that are marked as a shared mailbox. This is Microsoft best practice to prevent direct logons to shared mailboxes.