What is a CIS benchmark?
A CIS (Center for Internet Security) benchmark is a set of best practice guidelines developed to help organizations securely configure their IT systems, cloud services, SaaS products, and network devices. These benchmarks are created through a collaborative process involving cybersecurity experts, government agencies, and industry professionals. Each benchmark provides detailed, step-by-step recommendations for securely configuring a specific technology—such as operating systems, cloud services, or applications—to reduce vulnerabilities and improve overall security posture.
In a CIS Benchmark, there are two different levels of security hardening, with increasing strictness and impact:
- Level 1: Designed to be practical and minimally disruptive, this level provides essential security settings that protect against common threats while maintaining usability and compatibility.
- Level 2: This level is more stringent and intended for environments that require a higher level of security, such as those handling sensitive data or subject to strict compliance requirements. Level 2 settings often involve more aggressive changes—such as disabling services or enforcing strict access controls—that may reduce convenience or require additional resources to manage.

What is the CIS Microsoft 365 Foundations Benchmark?
The CIS Microsoft 365 Foundations Benchmark is a set of prescriptive guidelines and best practices for securely configuring a Microsoft 365 environment. Developed through a consensus-driven process involving cybersecurity experts from various fields, the benchmark provides a comprehensive framework for establishing a secure baseline for Microsoft 365 services. It is designed to be a practical and actionable guide for organizations of all sizes to protect their data and infrastructure in the cloud.
The first CIS Microsoft 365 Foundations Benchmark was released in December 2018. On April 30th, 2025, the latest version, 5.0.0, was released, representing six months of new security guidance from CIS.
Why is it important?
In today's threat landscape, a default Microsoft 365 configuration may not be sufficient to ward off sophisticated attacks. The CIS Benchmark provides a roadmap for hardening your Microsoft 365 tenant, reducing the attack surface, and aligning with industry best practices and regulatory compliance frameworks. By implementing the benchmark's recommendations, organizations can significantly improve their security posture, mitigate common risks, and demonstrate due diligence in protecting sensitive information. For security researchers, the benchmark serves as a valuable tool for assessing the security of Microsoft 365 environments and identifying potential vulnerabilities.
Key best practices from M365 CIS Benchmark 5.0
The Microsoft 365 benchmark focuses on five key areas for security, each with a set of critical best practices:
#1. Identity and Access Management
- Multi-Factor Authentication (MFA) enforcement: Ensuring that MFA is enabled for all users, especially those with administrative privileges, is a cornerstone of a secure identity and access management strategy.
- Strong password policies: Enforcing strong password requirements and regular password rotations helps prevent unauthorized access to user accounts.
- Least privilege access: Granting users only the minimum level of access necessary to perform their job functions limits the potential damage from a compromised account.
- Regular review of user permissions: Periodically reviewing and revoking unnecessary permissions helps maintain a secure and compliant environment.
#2. Data Protection
- Data Loss Prevention (DLP) policies: Implementing DLP policies helps prevent the accidental or intentional leakage of sensitive data.
- Data encryption (at rest and in transit): Encrypting data both when it is stored and when it is being transmitted is essential for protecting its confidentiality and integrity.
- Retention policies and archiving: Establishing clear data retention and archiving policies ensures that data is kept for as long as it is needed and securely disposed of when it is not.
#3. Device Management
- Mobile Device Management (MDM) / Mobile Application Management (MAM): Implementing MDM and MAM policies helps secure corporate data on mobile devices, whether they are company-owned or personally owned.
- Conditional Access policies: Conditional Access policies allow organizations to enforce granular access controls based on user, device, location, and other factors.
- Endpoint protection: Ensuring that all endpoints accessing Microsoft 365 are protected with up-to-date antivirus and anti-malware software is critical for preventing the spread of malware.
#4. Threat Protection
- Anti-malware and anti-phishing configurations: Properly configuring anti-malware and anti-phishing settings in Microsoft 365 helps protect against common email-based threats.
- Safe attachments and safe links: Enabling safe attachments and safe links provides an additional layer of protection by scanning email attachments and URLs for malicious content.
#5. Auditing and Logging
- Enablement of audit logs for various services: Enabling and retaining audit logs for all relevant Microsoft 365 services is essential for detecting and investigating security incidents.
- Regular review and analysis of logs: Regularly reviewing and analyzing audit logs can help identify suspicious activities and potential security threats.
- Alerting on suspicious activities: Configuring alerts for suspicious activities ensures that security teams are promptly notified of potential security incidents.
What’s new in CIS Microsoft 365 Foundations 5.0?
The latest version is a significant update from the previous version and adds many new guidelines and remediations:
New level 1 best practices
Level 1 recommendations are considered essential for all environments and are designed to be practical to implement without causing significant disruption. The following are the additional configurations that are now recommended by CIS:
- Ensure emergency access account activity is monitored: This emphasizes the importance of closely tracking the usage of "break-glass" accounts to prevent their misuse.
- Ensure sign-in frequency for Intune Enrollment is set to 'Every time': By requiring re-authentication for every Intune enrollment attempt, this control helps mitigate the risk of unauthorized device enrollment.
- Ensure the device code sign-in flow is blocked: The device code flow can be a vector for phishing attacks, and this new recommendation advises disabling it to reduce the attack surface.
- Ensure system-preferred multifactor authentication is enabled: This check encourages the use of the most secure MFA methods available to users, moving away from less secure options like SMS.
- Ensure approval is required for Privileged Role Administrator activation: Adding an approval workflow for the activation of highly privileged roles adds a crucial layer of oversight and helps prevent privilege escalation.
If you don’t have these settings enabled, we highly recommend that you implement the recommendations above.
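As an added example (not the benchmark's own audit procedure, nor Mondoo's code), the following read-only Microsoft Graph PowerShell check audits the device code flow recommendation above in the style of the PowerShell-based audits that 5.0 introduces. It assumes the Microsoft Graph PowerShell SDK is installed and that the conditionalAccessPolicy object exposes conditions.authenticationFlows.transferMethods; if your SDK version does not surface that field, the beta module does.

```powershell
# Added example, not the CIS benchmark's own audit text.
# Read-only check for the level 1 item "Ensure the device code sign-in flow is blocked".
# Assumption: Conditional Access policies expose Conditions.AuthenticationFlows.TransferMethods,
# a comma-separated string of flow names that includes "deviceCodeFlow" when targeted.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

function Test-DeviceCodeFlowBlocked {
    [CmdletBinding()]
    param()

    $policies = Get-MgIdentityConditionalAccessPolicy -All

    # A policy satisfies the control only if it is enforced (not report-only),
    # scoped to all users and all cloud apps, targets the device code flow,
    # and its grant control is an outright block.
    $compliant = foreach ($p in $policies) {
        $flows = "$($p.Conditions.AuthenticationFlows.TransferMethods)" -split ',\s*'
        if ($p.State -eq 'enabled' -and
            $flows -contains 'deviceCodeFlow' -and
            $p.Conditions.Users.IncludeUsers -contains 'All' -and
            $p.Conditions.Applications.IncludeApplications -contains 'All' -and
            $p.GrantControls.BuiltInControls -contains 'block') {
            $p
        }
    }

    [PSCustomObject]@{
        Control    = 'Ensure the device code sign-in flow is blocked'
        Status     = if ($compliant) { 'PASS' } else { 'FAIL' }
        Policies   = @($compliant | ForEach-Object DisplayName)
        # Excluded users are typically the break-glass accounts. Surface them so the
        # reviewer can confirm each exclusion is intentional and that those accounts
        # are monitored, as the emergency access recommendation above requires.
        Exclusions = @($compliant | ForEach-Object { $_.Conditions.Users.ExcludeUsers })
    }
}

Test-DeviceCodeFlowBlocked | Format-List
```

A FAIL result with a policy in report-only state is the most common finding: the policy exists but is not enforced, so treat it as non-compliant until its state is switched to enabled.
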
New level 2 best practices
Level 2 recommendations are intended for environments where security is paramount and may require more planning and testing to implement. The following are the additional level 2 recommendations in CIS 5.0:
- Ensure devices without a compliance policy are marked 'not compliant': This check helps enforce device compliance by ensuring that any device without a defined policy is treated as non-compliant, restricting its access to corporate resources.
- Ensure device enrollment for personally owned devices is blocked by default: For organizations with a strict corporate-owned device policy, this control helps prevent the enrollment of personal devices, reducing the risk of data leakage.
Removed recommendations
As the security landscape and Microsoft 365 platform evolve, some recommendations become obsolete or are superseded by newer controls. The following recommendations have been removed in CIS 5.0:
- Ensure security defaults is disabled: This recommendation was removed as Conditional Access policies now offer more granular and effective security controls.
- Ensure admin center access is limited to administrative roles: This check was removed as its intent is now better covered by more specific privileged access management controls.
- Ensure mailbox auditing for E3 users is enabled: This is now enabled by default for all users, making the check redundant.
Significantly enhanced remediation guidance
A significant improvement in version 5.0 is the enhanced remediation guidance for 25 recommended configurations that were previously considered "manual" remediations. These recommendations now include PowerShell-based audit and remediation steps, making it easier for organizations to automate their compliance and security assessments. This is a welcome change for security teams, as it allows for more efficient and consistent implementation of the benchmark's recommendations.

Implementing CIS Benchmark 5.0
Implementing these best practices, however, may not be as easy as it seems. Microsoft 365 comprises several different applications, each of which can be quite complex. Manual implementation is time-consuming and error-prone, and to remain effective, configurations have to be continuously checked against the recommendations to ensure they still meet them. This is where Mondoo can help.
How Mondoo automates CIS M365 compliance
Mondoo continuously assesses, monitors, and enhances the security configuration of Microsoft 365 E3 and E5 by identifying and remediating potential risks and ensuring compliance with industry best practices, including 80+ CIS Microsoft 365 5.0 checks. This proactive approach helps you safeguard sensitive data, minimize security threats, and maintain a secure and compliant M365 environment through automated and repeatable processes.

Mondoo doesn't just tell you what's wrong; it helps you fix it by providing detailed, step-by-step remediation guidance and code snippets for each misconfiguration. Mondoo integrates with IT service management (ITSM) systems like Jira, Zendesk, GitHub Issues, GitLab, and Azure DevOps, so users can create tickets for remediation with just one click, including all the data and remediation instructions that the platform engineering team needs to take fast action.
Want to learn more? Schedule a demo with one of our experts.