What is the CIS Microsoft 365 Benchmark?
CIS (Center for Internet Security) benchmarks are essential guidelines for establishing and maintaining security configurations. The recent update to the CIS Microsoft 365 Foundations Benchmark (v4.0.0), released on 31st October 2024, introduces several critical updates from the previous v3.1.0. These changes reflect evolving security practices, new Microsoft 365 features, and enhancements to streamline the benchmark’s usability.
Version 4.0.0 now includes enhanced guidance for several Microsoft 365 services, like Power BI (Fabric), Microsoft Entra ID, and Defender for Cloud Apps. Below, we’ll dive into the most significant updates and what they mean for your Microsoft 365 security.
What are the key changes in October 2024?
1. Licensed administrator accounts
A new control recommends that administrator accounts are either left unlicensed or licensed only with Microsoft Entra ID P1 or Microsoft Entra ID P2.
1.1.4 (L1) Ensure administrative accounts use licenses with a reduced application footprint
The impact to keep in mind is that, by default, alerts are sent to tenant admins, including Global Administrators. To ensure proper receipt, configure alerts to be sent to accounts with valid email addresses.
2. The principle of Zero Trust with anti-spam policies in Defender
The anti-spam settings have had three additional controls added within the Defender portal.
2.1.12 (L1) Ensure the connection filter IP allow list is not used
Without additional verification, the risk of attackers successfully delivering emails to an inbox that would otherwise be filtered is significantly increased. Following the principle of Zero Trust, all messages should be scanned regardless of their origin.
2.1.13 (L1) Ensure the connection filter safe list is off
With the control 2.1.13, the safe list is managed dynamically by Microsoft, and administrators do not have visibility into which senders are included. Incoming messages from senders on the safe list bypass spam filtering.
2.1.14 (L1) Ensure inbound anti-spam policies do not contain allowed domains
For 2.1.14 Microsoft specifies that allowed domains should only be used for testing purposes.
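The three anti-spam checks above can be audited in one pass with Exchange Online PowerShell. This is an added example, not code from the benchmark or the original article; it assumes the ExchangeOnlineManagement module is installed and a Connect-ExchangeOnline session is already open.

```powershell
# Added audit example for CIS 2.1.12, 2.1.13 and 2.1.14 (not from the benchmark or the article).
# Assumes an existing Connect-ExchangeOnline session with rights to read Defender policies.
$findings = @()

# 2.1.12 / 2.1.13: connection filter policies hold the IP allow list and the Microsoft-managed safe list
foreach ($cf in Get-HostedConnectionFilterPolicy) {
    if ($cf.IPAllowList.Count -gt 0) {
        $findings += "[2.1.12] Connection filter '$($cf.Name)' has $($cf.IPAllowList.Count) IP allow-list entries"
    }
    if ($cf.EnableSafeList) {
        $findings += "[2.1.13] Connection filter '$($cf.Name)' has the safe list enabled"
    }
}

# 2.1.14: inbound anti-spam (content filter) policies should not allow whole sender domains
foreach ($cp in Get-HostedContentFilterPolicy) {
    if ($cp.AllowedSenderDomains.Count -gt 0) {
        $findings += "[2.1.14] Anti-spam policy '$($cp.Name)' allows domains: $($cp.AllowedSenderDomains -join ', ')"
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "No connection filter or anti-spam allow-list findings."
}

# Remediation for the default connection filter, to run once the findings have been reviewed:
# Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList $null -EnableSafeList $false
```

Allowed sender domains are left for manual removal because each entry usually exists for a reason that should be confirmed with the mail owners first.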
3. Microsoft Entra
Microsoft Entra has seen the most changes with the new benchmark. These changes can be seen in all three subcategories: Identity, Protection and Identity governance.
5.1.6.2 (L1) Ensure that guest user access is restricted
Guests will only be able to access their own profiles and will not be allowed to see other users’ profiles, groups or group memberships. This is the most restrictive setting and helps prevent reconnaissance from threat actors.
5.1.6.3 (L2) Ensure guest user invitations are limited to the Guest Inviter role
By default, all users can invite external users to B2B collaboration. Designated guest inviters should be supported by a formal approval process. This is a level 2 recommendation.
5.2.2.9 (L2) Ensure 'sign-in risk' is blocked for medium and high-risk sign-ins
Sign-in risk is heavily dependent on detecting risk based on atypical behaviours. Consequently, it is important to run this policy in a report-only mode to better understand the impact of this setting within your tenant. Once it's understood what actions may trigger a medium or high sign-in risk event you should look to reduce false positives. Once completed you can then look to enable this via conditional access. This is a level 2 recommendation.
5.2.2.10 (L1) Ensure a managed device is required for authentication
Unmanaged devices should not be permitted as a valid authenticator. The following devices could be considered managed:
- Entra hybrid joined from Active Directory
- Entra joined and enrolled in Intune, with compliance policies
- Entra registered and enrolled in Intune, with compliance policies
5.2.2.11 (L1) Ensure a managed device is required for MFA registration
Requiring registration on a managed device significantly reduces the risk of bad actors using stolen credentials to register security information. Accounts that are created but never registered with an MFA method are particularly vulnerable to this type of attack. Enforcing this requirement will both reduce the attack surface for fake registrations and ensure that legitimate users register using trusted devices which typically have additional security measures in place already. New devices provided to users will need to be pre-enrolled in Intune, auto enrolled or be Entra hybrid joined. Otherwise, the user will be unable to complete registration.
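Both device requirements (5.2.2.10 and 5.2.2.11) are implemented as Conditional Access policies, and the report-only approach the article recommends for sign-in risk applies here too. This added example, not code from the benchmark or the article, creates both policies in report-only mode with the Microsoft Graph PowerShell SDK; the emergency access account IDs are placeholders you must replace.

```powershell
# Added example (not from the CIS benchmark or the article). Assumes the Microsoft.Graph
# PowerShell SDK and an account allowed to manage Conditional Access. The emergency access
# accounts from 1.1.2 are excluded so that a device-policy mistake cannot lock out the tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"
$breakGlassIds = @("<object-id-of-emergency-account-1>", "<object-id-of-emergency-account-2>")  # placeholders

# 5.2.2.10: every user, every cloud app, must authenticate from a compliant or hybrid-joined device.
# "OR" means either signal counts as managed, which covers all three device states listed above.
$requireManagedDevice = @{
    displayName   = "CIS 5.2.2.10 - Require managed device"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after reviewing sign-in logs
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

# 5.2.2.11: the same device requirement scoped to the "register security info" user action,
# so an attacker holding only a password cannot enrol their own MFA method on a new account.
$requireManagedForMfaRegistration = @{
    displayName   = "CIS 5.2.2.11 - Managed device for MFA registration"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeUserActions = @("urn:user:registersecurityinfo") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

foreach ($policy in @($requireManagedDevice, $requireManagedForMfaRegistration)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
}
```

While the policies are in report-only mode, the sign-in logs show which users and devices would have been blocked, which is the list of devices that still need Intune enrolment or hybrid join before enforcement.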
5.2.3.5 (L1) Ensure weak authentication methods are disabled
The SMS and Voice call methods are vulnerable to SIM swapping which could allow a threat actor to gain access. The recommended state is to Disable these methods:
- SMS
- Voice Call
- Email OTP
5.3.4 (L1) Ensure approval is required for Global Administrator role activation
Requiring approval for Global Administrator role activation enhances visibility and accountability every time this highly privileged role is used. This process reduces the risk of an attacker elevating a compromised account to the highest privilege level, as any activation must first be reviewed and approved by a trusted party. It also enforces the good practice of using the least privileged role to complete tasks and only using Global Administrator when required.
4. SMTP Auth in Exchange Online
There is a new recommendation to turn off SMTP AUTH protocol within Exchange Online mail flow.
6.5.4 (L1) Ensure SMTP AUTH is disabled
SMTP AUTH is a legacy protocol. Disabling it at the tenant level supports the principle of least functionality. A per-mailbox setting exists that overrides the tenant-wide setting, allowing an individual mailbox SMTP AUTH capability for special cases.
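Because the per-mailbox setting overrides the tenant-wide one, a check for 6.5.4 has to look at both. This added example, not code from the benchmark or the article, does that with Exchange Online PowerShell and assumes an open Connect-ExchangeOnline session.

```powershell
# Added audit example for CIS 6.5.4 (not from the benchmark or the article).
# Assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session.

# Tenant-wide state: $true means SMTP AUTH is disabled, which is the recommended state.
$transport = Get-TransportConfig
if (-not $transport.SmtpClientAuthenticationDisabled) {
    Write-Warning "[6.5.4] SMTP AUTH is enabled tenant-wide"
    # Remediation, once nothing (printers, scanners, line-of-business apps) still relies on SMTP AUTH:
    # Set-TransportConfig -SmtpClientAuthenticationDisabled $true
}

# Per-mailbox overrides: $false explicitly re-enables SMTP AUTH for that mailbox,
# $true disables it, and an empty value inherits the tenant-wide setting.
$overrides = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object DisplayName, PrimarySmtpAddress, SmtpClientAuthenticationDisabled

if ($overrides) {
    Write-Warning "[6.5.4] $(@($overrides).Count) mailbox(es) override the tenant setting and still allow SMTP AUTH:"
    $overrides | Format-Table -AutoSize
} else {
    Write-Host "No per-mailbox SMTP AUTH overrides found."
}
```

Each mailbox listed is a deliberate exception for one of the "special cases" the article mentions, so record the business reason for it rather than silently clearing the override.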
5. Link sharing permissions in SharePoint
This additional control sets the default permissions when sharing links in SharePoint.
7.2.11 (L1) Ensure the SharePoint default sharing link permission is set
Ensure this setting is set to ‘View’. This approach reduces the risk of unintentionally granting edit privileges to a resource that only requires read access, supporting the principle of least privilege.
6. Microsoft Teams
Microsoft Teams receives several new controls with the new benchmark.
8.2.2 (L1) Ensure communication with unmanaged Teams users is disabled
Users will be unable to communicate with Teams users who are not managed by an organisation. Allowing users to communicate with unmanaged Teams users gives a threat actor a potential avenue into the organisation.
8.2.3 (L1) Ensure external Teams users cannot initiate conversations
This setting prevents external users who are not managed by an organisation from initiating contact with users in the protected organisation. Note: this recommendation is superseded if recommendation 8.2.2 is met, but it is recommended as a stop-gap if recommendation 8.2.2 has not yet been implemented.
8.2.4 (L1) Ensure communication with Skype users is disabled
Skype was deprecated July 31, 2021. Disabling communication with Skype users reduces the attack surface of the organisation. A review will need to be completed to identify any internal or external organisations where collaboration is still required.
8.5.9 (L2) Ensure meeting recording is off by default
Disabling meeting recordings in the Global meeting policy ensures that only authorised users - such as organisers, co-organisers, and leads - can initiate a recording. This measure helps safeguard sensitive information by preventing unauthorised individuals from capturing and potentially sharing meeting content. A separate policy should be created for users who are allowed to record meetings.
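The four Teams controls above map onto two objects in Teams PowerShell: the tenant federation configuration (8.2.2, 8.2.3, 8.2.4) and the Global meeting policy (8.5.9). This added example, not code from the benchmark or the article, audits them and shows the remediation as comments; it assumes the MicrosoftTeams module and an existing Connect-MicrosoftTeams session.

```powershell
# Added audit example for CIS 8.2.2, 8.2.3, 8.2.4 and 8.5.9 (not from the benchmark or the article).
# Assumes the MicrosoftTeams module is installed and Connect-MicrosoftTeams has been run
# with a Teams administrator account.
$fed = Get-CsTenantFederationConfiguration

# 8.2.2: AllowTeamsConsumer controls chat with personal (unmanaged) Teams accounts
if ($fed.AllowTeamsConsumer) {
    Write-Warning "[8.2.2] Communication with unmanaged Teams users is allowed"
}

# 8.2.3: AllowTeamsConsumerInbound lets unmanaged users start the conversation
if ($fed.AllowTeamsConsumerInbound) {
    Write-Warning "[8.2.3] External (unmanaged) Teams users can initiate conversations"
}

# 8.2.4: AllowPublicUsers controls federation with Skype consumer users
if ($fed.AllowPublicUsers) {
    Write-Warning "[8.2.4] Communication with Skype users is allowed"
}

# 8.5.9: recording should be off in the Global meeting policy; a separate policy
# grants it to the organisers and leads who are allowed to record.
$globalMeeting = Get-CsTeamsMeetingPolicy -Identity Global
if ($globalMeeting.AllowCloudRecording) {
    Write-Warning "[8.5.9] The Global meeting policy allows recording by default"
}

# Remediation, to run after the review of which external organisations still need access:
# Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false -AllowPublicUsers $false
# Set-CsTeamsMeetingPolicy -Identity Global -AllowCloudRecording $false
# New-CsTeamsMeetingPolicy -Identity "Recording allowed" -AllowCloudRecording $true
# Grant-CsTeamsMeetingPolicy -Identity <user-principal-name> -PolicyName "Recording allowed"
```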
7. Service principals in Microsoft Fabric
The new benchmark introduces two additional security recommendations for Microsoft Fabric, emphasising access control of Service Principals within Fabric.
9.1.10 (L1) Ensure access to APIs by Service Principals is restricted
Leaving API access unrestricted increases the attack surface in the event of a breach by a threat actor.
9.1.11 (L1) Ensure Service Principals cannot create and use profiles
Service Principals should be restricted to a security group to limit which Service Principals can interact with profiles. This supports the principle of least privilege.
If your organisation doesn't actively use either of these features, it is recommended to keep them disabled.
8. Amended controls
Two controls have changed significantly from version 3.1.0.
1.1.2 (L1) Ensure two emergency access accounts have been defined
An additional warning has been added to this control around break glass accounts and new MFA requirements. It is recommended to update these accounts to use passkey (FIDO2) or configure certificate-based authentication for MFA.
5.3.3 (L1) Ensure 'Access reviews' for privileged roles are configured
The required frequency for this access review has changed from weekly to monthly. There have been no other changes to this control.
9. Profile level changes
As part of the new benchmark, some of the controls have changed their recommended level. Level 1 contains the default recommended controls. Level 2 is intended for environments where security is paramount; its controls may negatively affect utility or performance.
The following controls have been moved from Level 1 to Level 2 as part of the new benchmark:
- 2.1.7 (L2) Ensure that an anti-phishing policy has been created
- 5.2.2.8 (L2) Ensure admin centre access is limited to administrative roles
- 8.2.1 (L2) Ensure external domains are restricted in the Teams admin centre
The following controls have been moved from Level 2 to Level 1 as part of the new benchmark:
- 5.2.2.6 (L1) Enable Identity Protection user risk policies
- 5.2.2.7 (L1) Enable Identity Protection sign-in risk policies
10. Removed controls
Several controls have been removed as part of the major update to the recommendations; they are listed below:
- 1.1.4 (L1) Ensure Guest Users are reviewed at least biweekly
- 2.1.11 (L1) Ensure the spoofed domains report is reviewed weekly
- 2.1.12 (L1) Ensure the 'Restricted entities' report is reviewed weekly
- 2.1.13 (L1) Ensure malware trends are reviewed at least weekly
- 2.3.1 (L1) Ensure the Account Provisioning Activity report is reviewed at least weekly
- 2.3.2 (L1) Ensure non-global administrator role group assignments are reviewed at least weekly
- 3.1.2 (L1) Ensure user role group changes are reviewed at least weekly
- 5.1.5.1 (L1) Ensure the Application Usage report is reviewed at least weekly
- 5.2.4.2 (L1) Ensure the self-service password reset activity report is reviewed at least weekly
- 5.2.6.1 (L1) Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly
- 6.4.1 (L1) Ensure mail forwarding rules are reviewed at least weekly
In summary
Version 4.0.0 of the CIS Microsoft 365 Foundations Benchmark introduces significant changes in administrative identity protection, collaboration security, and data compliance. With these updates, CIS strengthens its guidance to keep up with an evolving cybersecurity landscape, making it critical for organisations to adopt these practices promptly to maintain a robust security posture in their Microsoft 365 environment.
Implementing these changes can help organisations stay ahead of potential threats, particularly in a world where cyber risks continue to evolve. If you’re currently operating on CIS Microsoft 365 v3.1.0, review these changes and begin updating your configurations to meet the new benchmarks.
Need additional support?
OneAdvanced's relationship with Microsoft goes back over 30 years, over which our Modern Workplace experts have helped numerous organisations digitally transform and embrace a better way of working. Get in touch with our team today to see how we can help!