Center for Internet Security releases Microsoft 365 benchmarks

Jan 23, 2019
Security | Small and Medium Business | Windows

Follow the guidance in this CIS document to configure Microsoft 365 security settings to the level that suits your organization.

[Image: Microsoft Office logo within an environment of abstract binary code with shield and lock. Credit: ivanastar / Getty Images]

The Center for Internet Security (CIS) is a non-profit organization that publishes security benchmarks and checklists. Recently, as noted on the Microsoft Secure blog, CIS released its CIS Microsoft 365 Foundations Benchmark version 1.0.0. It includes two levels of instructions that let you choose between “light” and “heavy” security.

  • Level 1—Recommended minimum security settings that should be configured on any system and should cause little or no interruption of service or reduced functionality.
  • Level 2—Recommended security settings for highly secure environments and could result in some reduced functionality.

For example, the benchmark gives you actionable items to implement in your organization such as multifactor authentication (MFA):

[Image: Implement MFA (Center for Internet Security)]

To obtain these documents, log into the CIS website and download the guides. CIS is also requesting feedback: you can sign up on the site and then report where the settings have or have not worked for you.

The document sets forth each recommendation and then provides the rationale for it. For example, the current recommendation on password expiration is to not expire passwords and to add two-factor authentication (2FA) as a compensating protection:

Review the password expiration policy to ensure that user passwords in Office 365 are not set to expire.
NIST has updated their recommendation to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it.

Then it provides information about how you can confirm that the policy you chose was set properly. In the case of passwords, you can audit the setting as shown:

[Image: Audit password policy (Center for Internet Security)]
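As an added example that is not from the article or the CIS benchmark itself, the following PowerShell script audits the two settings discussed here (password expiration and per-user MFA) using the MSOnline module. It assumes you have already run Connect-MsolService with an account that can read user and domain settings; the domain name is a placeholder.

```powershell
# Added audit example (not the benchmark's own audit procedure).
# Assumes Connect-MsolService has already been run.
Import-Module MSOnline

function Get-PasswordExpiryAudit {
    param([string]$DomainName = 'contoso.example')   # placeholder domain name

    # Domain-level policy: ValidityPeriod is the number of days before a
    # password expires; a very large value means passwords never expire.
    $policy = Get-MsolPasswordPolicy -DomainName $DomainName
    [pscustomobject]@{
        Domain           = $DomainName
        ValidityDays     = $policy.ValidityPeriod
        NotificationDays = $policy.NotificationDays
    }
}

function Get-UserSecurityAudit {
    # One row per licensed user: does the password expire, and is
    # per-user MFA enabled or enforced?
    Get-MsolUser -All | Where-Object { $_.IsLicensed } | ForEach-Object {
        $mfaState = $_.StrongAuthenticationRequirements.State
        [pscustomobject]@{
            UserPrincipalName    = $_.UserPrincipalName
            PasswordNeverExpires = $_.PasswordNeverExpires
            MfaState             = if ($mfaState) { $mfaState } else { 'Disabled' }
        }
    }
}

# Report the domain policy, then only the users that miss either recommendation.
Get-PasswordExpiryAudit | Format-List

$findings = Get-UserSecurityAudit | Where-Object {
    (-not $_.PasswordNeverExpires) -or ($_.MfaState -eq 'Disabled')
}
$findings | Format-Table -AutoSize
```

Note that StrongAuthenticationRequirements reflects only per-user MFA; users covered by Conditional Access policies instead will show as 'Disabled' here and need to be checked against those policies separately.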

The final section is a checklist of all the recommended settings in the document.

[Image: Checklist for recommended Microsoft 365 security settings (Center for Internet Security)]

I highly recommend downloading the document and reviewing the recommended settings. I guarantee you will find some settings you never knew about.

If you run Office 365 rather than Microsoft 365, the CIS guidance still has value, as many of the same concepts apply. Additional resources for Office 365 can be found on the Office 365 Security and Compliance site.

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.