The Audit Evidence Challenge
You have implemented CIS Benchmark controls for Microsoft 365. Your configurations are solid. But when the auditor arrives, they will not take your word for it—they need evidence.
Here is the uncomfortable truth about CIS audits: many organizations fail not because their security is weak, but because they cannot prove it is strong. They scramble to capture screenshots, export logs, and document policies days before the audit. The result is incomplete evidence, missed controls, and audit findings that could have been avoided.
This guide shows you exactly what evidence auditors expect, how to collect it systematically, and how to build an audit package that demonstrates continuous compliance—not just point-in-time configuration.
What Auditors Actually Look For
CIS audits evaluate whether your Microsoft 365 environment meets the benchmark requirements. But auditors are looking for more than checkboxes. They want to see:
1. Current Configuration State
Does your tenant currently meet the CIS requirement? This requires evidence showing the actual setting value, not just a statement that it is enabled.
2. Historical Compliance
Has this control been consistently maintained? A screenshot from today does not prove you were compliant last month. Auditors increasingly want evidence of continuous compliance.
3. Change Management
When configurations changed, were changes authorized? Audit logs showing who changed what, and when, demonstrate governance maturity.
4. Exception Documentation
If you deviate from a CIS recommendation, is there a documented business justification? Not every control applies to every organization, but exceptions need formal documentation.
5. Remediation Evidence
When drift or violations occur, how quickly do you detect and fix them? Response time matters.
Evidence Types and Collection Methods
Different controls require different types of evidence. Understanding this taxonomy helps you collect the right documentation.
Configuration Screenshots
Direct evidence showing a setting's current state in the admin portal.
Best practices:
- Include the browser URL bar to show the exact location
- Capture the full setting, including any dropdown selections
- Include a visible timestamp (browser clock or system time)
- Use consistent naming, for example `CIS-1.1.1_MFA-Policy_2026-01-15.png`
Where to capture:
- Microsoft Entra admin center (entra.microsoft.com)
- Microsoft 365 admin center (admin.microsoft.com)
- Microsoft Defender portal (security.microsoft.com)
- Exchange admin center (admin.exchange.microsoft.com)
PowerShell Export Evidence
For controls that cannot be easily captured via screenshot, or when you need machine-readable evidence.
Key commands:
```powershell
# Assumes Connect-MgGraph (Microsoft Graph PowerShell SDK) has been run for the Get-Mg* cmdlets
# and Connect-ExchangeOnline (Exchange Online PowerShell) for Get-Mailbox

# Conditional Access policies (Conditions and GrantControls are nested objects; CSV flattens
# them to a type name, so keep this export as JSON to preserve the detail)
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State, Conditions, GrantControls | ConvertTo-Json -Depth 10 > CAPolicies.json
# Authentication methods
Get-MgPolicyAuthenticationMethodPolicy | ConvertTo-Json -Depth 10 > AuthMethods.json
# Admin role assignments (only roles activated in the tenant are returned; member names live in
# AdditionalProperties on the returned directory objects, not in a DisplayName property)
Get-MgDirectoryRole | ForEach-Object {
    $role = $_
    Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id |
        Select-Object @{N='Role';E={$role.DisplayName}}, Id, @{N='Member';E={$_.AdditionalProperties['displayName']}}
} | Export-Csv AdminRoles.csv -NoTypeInformation
# Mailbox audit settings
Get-Mailbox -ResultSize Unlimited | Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit | Export-Csv MailboxAudit.csv -NoTypeInformation
```
Audit Log Exports
Evidence of ongoing compliance and change detection.
Critical logs:
- Unified Audit Log (compliance.microsoft.com)
- Sign-in logs (entra.microsoft.com > Monitoring)
- Directory audit logs (entra.microsoft.com > Audit logs)
Retention consideration: Default retention is 180 days for E5, 90 days for E3. If your audit window exceeds this, you need a log archival solution.
Policy Documents
Written documentation showing governance processes.
Required documents:
- Access control policy
- Password policy (or rationale for no-expiration if following NIST)
- Privileged access management procedures
- Exception approval process
- Incident response procedures
Control-by-Control Evidence Requirements
Identity and Access Management
MFA Enforcement (CIS 1.1.1)
| Evidence Type | How to Collect |
|---|---|
| Conditional Access policy screenshot | Entra admin center > Protection > Conditional Access |
| Policy export | Get-MgIdentityConditionalAccessPolicy |
| Coverage report | Sign-in logs filtered for MFA status |
| Exception list | Document any excluded users/groups with justification |
Auditor questions to expect:
- "Show me that MFA is required for all users."
- "Are there any exclusions? What is the business justification?"
- "How do you monitor for users bypassing MFA?"
Privileged Account Limits (CIS 1.1.4)
| Evidence Type | How to Collect |
|---|---|
| Global Admin count | Entra admin center > Roles and administrators > Global Administrator |
| Role assignment export | Get-MgDirectoryRoleMember for each privileged role |
| PIM configuration | Show PIM policies requiring approval and time limits |
| Access reviews | Evidence of periodic privileged access certification |
Auditor questions to expect:
- "How many standing Global Admins do you have?"
- "Show me the process for granting emergency access."
- "When was the last privileged access review completed?"
Guest Access Controls (CIS 1.3)
| Evidence Type | How to Collect |
|---|---|
| External collaboration settings | Entra admin center > External Identities > External collaboration settings |
| Guest user inventory | Get-MgUser -Filter "userType eq 'Guest'" |
| Guest access reviews | Evidence of periodic guest certification |
| B2B policy documentation | Written policy for external collaboration |
Conditional Access Policies
Legacy Authentication Blocking (CIS 1.1.3)
| Evidence Type | How to Collect |
|---|---|
| Block policy screenshot | CA policy targeting legacy auth clients |
| Sign-in logs | Filter for legacy authentication attempts (should show blocked) |
| Report-only results | If still in report mode, show timeline for enforcement |
Pro tip: Export 30 days of sign-in logs filtered by client app (legacy authentication protocols). Zero successful authentications is your proof.
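One way to produce that 30-day proof from the sign-in logs, as an added example (not code from the original article). It assumes Connect-MgGraph has already been run with AuditLog.Read.All and Directory.Read.All, and that the tenant has the Entra ID P1 license that Graph sign-in log access requires; the list of modern client apps is an assumption, and everything else reported under ClientAppUsed is treated as legacy.

```powershell
# Added example: summarize 30 days of interactive sign-ins that used legacy protocols,
# separating successful from blocked attempts, and write the evidence files.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
# Assumption: these two values are the modern clients; anything else is legacy auth
$modernClients = @('Browser', 'Mobile Apps and Desktop clients')

# Page through every sign-in in the window; the client-app filter is applied locally
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
$legacy  = $signIns | Where-Object { $_.ClientAppUsed -and $_.ClientAppUsed -notin $modernClients }

# Status.ErrorCode 0 is a success; anything else failed (a Conditional Access block is 53003)
$summary = $legacy | Group-Object ClientAppUsed | ForEach-Object {
    $succeeded = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
    [pscustomobject]@{
        ClientApp = $_.Name
        Attempts  = $_.Count
        Succeeded = $succeeded
        Blocked   = $_.Count - $succeeded
        LastSeen  = ($_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1).CreatedDateTime
    }
}

# The per-protocol table is the evidence; a Succeeded column of all zeros is the proof
$summary | Sort-Object Succeeded -Descending | Format-Table -AutoSize
$summary | Export-Csv "Legacy-Auth-SignIns-30-Days.csv" -NoTypeInformation

# Any successful legacy sign-in is a gap: list the accounts and source apps to remediate
$legacy | Where-Object { $_.Status.ErrorCode -eq 0 } |
    Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed, AppDisplayName, IPAddress |
    Export-Csv "Legacy-Auth-Successes.csv" -NoTypeInformation
```

Get-MgAuditLogSignIn returns interactive sign-ins only, so pair this with the portal's non-interactive sign-in view if your legacy clients authenticate silently.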
Risk-Based Policies (CIS 1.2)
| Evidence Type | How to Collect |
|---|---|
| Sign-in risk policy | Identity Protection > Sign-in risk policy screenshot |
| User risk policy | Identity Protection > User risk policy screenshot |
| Risk detection logs | Show how risk events are investigated |
Authentication Methods
FIDO2 and Passwordless (CIS 1.4)
| Evidence Type | How to Collect |
|---|---|
| Authentication methods policy | Entra admin center > Protection > Authentication methods |
| Method registration report | Show which methods users have registered |
| Phishing-resistant MFA coverage | Percentage of users with FIDO2/Windows Hello |
Application Permissions
App Consent Settings (CIS 5.x)
| Evidence Type | How to Collect |
|---|---|
| User consent settings | Entra admin center > Applications > Consent and permissions |
| Admin consent workflow | Show approval process for app requests |
| High-privilege app inventory | Apps with Mail.Read, Directory.ReadWrite.All, etc. |
| App access reviews | Evidence of periodic application permission certification |
PowerShell for app permissions:
```powershell
# Get all service principals with application permissions
# (assumes Connect-MgGraph with Application.Read.All; AppRoleId is the permission's GUID,
# which maps to a permission name via the resource service principal's AppRoles)
Get-MgServicePrincipal -All | ForEach-Object {
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $_.Id -All
} | Select-Object PrincipalDisplayName, ResourceDisplayName, AppRoleId, CreatedDateTime |
    Export-Csv AppPermissions.csv -NoTypeInformation
```
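The export above leaves each permission as an AppRoleId GUID, so the "high-privilege app inventory" row in the table still needs the GUIDs resolved to names. The following is an added example (not code from the original article) that does that lookup against each resource's AppRoles and flags the permissions the table names; it assumes Connect-MgGraph with Application.Read.All, and the watch list in $highPrivilege is an assumption to tailor.

```powershell
# Added example: build High-Privilege-Apps.csv by resolving appRoleAssignment GUIDs
# to permission names and flagging a watch list of application permissions.
$highPrivilege = @('Mail.Read', 'Mail.ReadWrite', 'Directory.ReadWrite.All',
                   'RoleManagement.ReadWrite.Directory', 'Application.ReadWrite.All')

$resourceCache = @{}   # resource SP id -> @{ appRoleId -> permission value }
function Resolve-AppRole {
    param([string]$ResourceId, [string]$AppRoleId)
    if (-not $resourceCache.ContainsKey($ResourceId)) {
        # Fetch the resource (e.g. Microsoft Graph) once and index its AppRoles by id
        $map = @{}
        (Get-MgServicePrincipal -ServicePrincipalId $ResourceId).AppRoles |
            ForEach-Object { $map[$_.Id] = $_.Value }
        $resourceCache[$ResourceId] = $map
    }
    $name = $resourceCache[$ResourceId][$AppRoleId]
    if ($name) { $name } else { $AppRoleId }   # keep the GUID if the role is unknown
}

$inventory = Get-MgServicePrincipal -All | ForEach-Object {
    $sp = $_
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All | ForEach-Object {
        $perm = Resolve-AppRole -ResourceId $_.ResourceId -AppRoleId $_.AppRoleId
        [pscustomobject]@{
            App           = $sp.DisplayName
            AppId         = $sp.AppId
            Resource      = $_.ResourceDisplayName
            Permission    = $perm
            HighPrivilege = $perm -in $highPrivilege
            Granted       = $_.CreatedDateTime
        }
    }
}

# Flagged rows are the inventory auditors ask for; the full list is kept for the access review
$inventory | Where-Object HighPrivilege | Sort-Object App | Format-Table -AutoSize
$inventory | Where-Object HighPrivilege | Export-Csv "High-Privilege-Apps.csv" -NoTypeInformation
$inventory | Export-Csv "All-App-Permissions.csv" -NoTypeInformation
```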
Audit Logging Configuration
Unified Audit Log (CIS 2.1.1)
| Evidence Type | How to Collect |
|---|---|
| Audit log status | Get-AdminAuditLogConfig |
| Log search results | Compliance portal > Audit > Search with date range |
| Retention settings | Show audit log retention configuration |
| SIEM integration | If forwarding logs, show integration is active |
Common Audit Findings and Prevention
Based on hundreds of CIS audits, these are the most frequent findings—and how to avoid them.
Finding 1: MFA Exclusions Without Documentation
The problem: Auditors find users or service accounts excluded from MFA policies with no documented justification.
Prevention:
- Maintain a formal exception register
- Require security team approval for any MFA exclusion
- Set calendar reminders to review exceptions quarterly
- Document compensating controls for excluded accounts
Finding 2: Stale Privileged Accounts
The problem: Former employees or old service accounts still have admin roles assigned.
Prevention:
- Implement quarterly privileged access reviews
- Use Entra ID Access Reviews for automated certification
- Require PIM for all privileged roles (eliminates standing access)
- Cross-reference admin list with HR termination records
Finding 3: Legacy Authentication Still Enabled
The problem: Policy exists but is in report-only mode, or exclusions allow legacy auth for "just a few accounts."
Prevention:
- Set a firm date for enforcement (not "when we're ready")
- Use sign-in logs to identify any remaining legacy auth clients
- Migrate legacy apps to modern authentication
- Document remediation plan for apps that cannot migrate
Finding 4: Incomplete Audit Logs
The problem: Audit log was not enabled, or logs were not retained long enough to cover the audit period.
Prevention:
- Verify audit logging is enabled at tenant creation
- Configure extended retention (180+ days)
- Implement log archival for long-term storage
- Test log retrieval periodically
Finding 5: No Evidence of Continuous Monitoring
The problem: Screenshots prove current state but not ongoing compliance. Auditor cannot verify the control was maintained throughout the audit period.
Prevention:
- Implement configuration monitoring that tracks changes over time
- Export weekly compliance snapshots
- Maintain a timeline of configuration states
- Use tools that provide historical compliance evidence
Building Your Audit Evidence Package
Folder Structure
Organize evidence logically so auditors can find what they need:
```text
CIS-Audit-Evidence-2026-Q1/
├── 01-Identity-Access/
│   ├── MFA-Policy-Screenshot-2026-01-15.png
│   ├── MFA-Policy-Export.json
│   ├── GlobalAdmin-List-2026-01-15.csv
│   ├── PIM-Configuration.pdf
│   └── Exception-Register.xlsx
├── 02-Conditional-Access/
│   ├── CA-Policies-Export.json
│   ├── Legacy-Auth-Block-Policy.png
│   ├── Risk-Policies-Screenshots/
│   └── Sign-In-Logs-30-Days.csv
├── 03-Authentication-Methods/
│   ├── Auth-Methods-Policy.png
│   └── User-Registration-Report.csv
├── 04-Applications/
│   ├── Consent-Settings.png
│   ├── High-Privilege-Apps.csv
│   └── App-Access-Review-Evidence.pdf
├── 05-Audit-Logging/
│   ├── Audit-Log-Status.png
│   ├── Retention-Configuration.png
│   └── Sample-Audit-Search.pdf
├── 06-Policy-Documents/
│   ├── Access-Control-Policy-v2.1.pdf
│   ├── Privileged-Access-Procedures.pdf
│   └── Exception-Approval-Process.pdf
└── Control-Mapping-Index.xlsx
```
Control Mapping Index
Create a spreadsheet that maps each CIS control to its evidence:
| CIS Control | Control Name | Evidence File | Last Updated | Status |
|---|---|---|---|---|
| 1.1.1 | MFA for all users | MFA-Policy-Screenshot-2026-01-15.png | 2026-01-15 | Compliant |
| 1.1.3 | Block legacy auth | Legacy-Auth-Block-Policy.png | 2026-01-15 | Compliant |
| 1.1.4 | Limit Global Admins | GlobalAdmin-List-2026-01-15.csv | 2026-01-15 | Compliant |
This index helps auditors quickly locate evidence and helps you identify gaps.
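The index can also drive the "can you find what auditors will ask for" check: the script below is an added example (not from the original article) that walks the index, reports missing or stale evidence files, and records a SHA-256 per file so a second run before the audit shows whether anything changed after collection. It assumes the index has been saved as Control-Mapping-Index.csv with the table's column names and that Evidence File paths are relative to the package root; the tiny package it builds in the temp directory is constructed so the script runs offline.

```powershell
# Added example: validate an evidence package against its control mapping index.
# A constructed two-row package is created under the temp directory for the demo.
$root = Join-Path ([IO.Path]::GetTempPath()) "CIS-Audit-Evidence-Demo"
New-Item -ItemType Directory -Path (Join-Path $root "01-Identity-Access") -Force | Out-Null
Set-Content (Join-Path $root "01-Identity-Access/MFA-Policy-Export.json") '{"constructed": true}'
# The second row points at a file that was never collected, so it should surface as MISSING
@'
CIS Control,Control Name,Evidence File,Last Updated,Status
1.1.1,MFA for all users,01-Identity-Access/MFA-Policy-Export.json,2026-01-15,Compliant
1.1.3,Block legacy auth,02-Conditional-Access/Legacy-Auth-Block-Policy.png,2026-01-15,Compliant
'@ | Set-Content (Join-Path $root "Control-Mapping-Index.csv")

function Test-EvidencePackage {
    param([string]$PackageRoot, [int]$MaxAgeDays = 30)
    Import-Csv (Join-Path $PackageRoot "Control-Mapping-Index.csv") | ForEach-Object {
        $path    = Join-Path $PackageRoot $_.'Evidence File'
        $exists  = Test-Path $path
        # Age is taken from the file itself, not the index, so a re-used old file is caught
        $ageDays = if ($exists) { [int]((Get-Date) - (Get-Item $path).LastWriteTime).TotalDays } else { -1 }
        $finding = if (-not $exists) { 'MISSING' } elseif ($ageDays -gt $MaxAgeDays) { "STALE ($ageDays days)" } else { 'OK' }
        $hash    = if ($exists) { (Get-FileHash $path -Algorithm SHA256).Hash } else { '' }
        [pscustomobject]@{
            Control  = $_.'CIS Control'
            Name     = $_.'Control Name'
            Evidence = $_.'Evidence File'
            Finding  = $finding
            Sha256   = $hash
        }
    }
}

$report = Test-EvidencePackage -PackageRoot $root
$report | Format-Table -AutoSize

# Keep the manifest with the package; diffing a fresh run against it in the final week
# proves the evidence was not altered after collection
$report | Export-Csv (Join-Path $root "Evidence-Manifest.csv") -NoTypeInformation
```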
Audit Prep Timeline
8 Weeks Before Audit
- Confirm audit scope (which CIS controls are in scope?)
- Review current control implementation status
- Identify any known gaps requiring remediation
- Assign evidence collection responsibilities
6 Weeks Before Audit
- Begin remediation of any non-compliant controls
- Collect baseline evidence for all in-scope controls
- Review and update policy documentation
- Verify audit logging is enabled and retained
4 Weeks Before Audit
- Complete remediation activities
- Collect fresh evidence for remediated controls
- Conduct internal pre-audit assessment
- Prepare exception documentation for any deviations
2 Weeks Before Audit
- Final evidence collection with current timestamps
- Organize evidence package with control mapping index
- Brief team members who will participate in auditor interviews
- Test evidence retrieval (can you find what auditors will ask for?)
1 Week Before Audit
- Refresh any time-sensitive evidence (logs, current configs)
- Verify no configuration changes occurred since evidence collection
- Prepare meeting room and access for auditors
- Final review of evidence package completeness
Tools That Simplify Evidence Collection
Microsoft Native Tools
Microsoft Purview Compliance Manager
- Maps controls to regulatory frameworks
- Provides improvement actions
- Generates compliance score
- Limited to Microsoft's interpretation of controls
Microsoft Secure Score
- Quick configuration health check
- Does not provide exportable audit evidence
- Not a substitute for detailed control documentation
PowerShell and Microsoft Graph
For organizations comfortable with scripting, automated evidence collection is possible:
```powershell
# Sample: Export key CIS evidence
# Assumes Connect-MgGraph has been run with read scopes such as Policy.Read.All and Directory.Read.All
$date = Get-Date -Format "yyyy-MM-dd"
$outputPath = "C:\CIS-Evidence\$date"
New-Item -ItemType Directory -Path $outputPath -Force | Out-Null
# Conditional Access policies
Get-MgIdentityConditionalAccessPolicy | ConvertTo-Json -Depth 10 | Out-File "$outputPath\CA-Policies.json"
# Directory roles (Get-MgDirectoryRoleMember returns generic directory objects, so the member's
# display name and UPN must be read from AdditionalProperties rather than a DisplayName property)
Get-MgDirectoryRole | ForEach-Object {
    $role = $_
    Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id |
        Select-Object @{N='Role';E={$role.DisplayName}}, Id,
                      @{N='DisplayName';E={$_.AdditionalProperties['displayName']}},
                      @{N='UserPrincipalName';E={$_.AdditionalProperties['userPrincipalName']}}
} | Export-Csv "$outputPath\Admin-Roles.csv" -NoTypeInformation
# Authentication methods policy
Get-MgPolicyAuthenticationMethodPolicy | ConvertTo-Json -Depth 10 | Out-File "$outputPath\Auth-Methods.json"
```
Continuous Compliance Monitoring
The most efficient approach is continuous monitoring that maintains audit-ready evidence automatically. Instead of scrambling before audits, your evidence is always current.
Platforms like TrueConfig continuously evaluate your Microsoft 365 tenant against CIS benchmarks, maintaining a historical record of compliance status. When auditors ask "Were you compliant on March 15th?", you have the data—not just a screenshot from yesterday.
Key capabilities to look for:
- Continuous configuration monitoring (not just periodic scans)
- Historical compliance timeline
- Automated evidence export
- Drift detection with timestamps
- Control-to-benchmark mapping
From Audit Prep to Continuous Compliance
The traditional audit cycle—implement controls, forget about them, scramble before the next audit—is unsustainable. Every audit becomes a fire drill.
The better approach: treat audit evidence as a continuous output, not an annual project.
When your security configurations are continuously monitored, evidence collection becomes trivial. You are not proving compliance at a point in time; you are demonstrating continuous compliance with historical proof.
Your next CIS audit does not have to be stressful. With the right evidence collection strategy—and ideally, continuous monitoring—you can walk into that audit confident that your documentation is complete, your controls are verified, and your compliance is demonstrable.
TrueConfig provides continuous CIS Benchmark monitoring for Microsoft 365, maintaining audit-ready evidence of your compliance status 24/7. When auditors ask for proof, you have it—with historical context showing continuous compliance, not just a snapshot from yesterday.