CIS Microsoft 365 Foundations Benchmark

Industry-standard security configuration guide for Microsoft 365 developed by the Center for Internet Security.

3.0.053 Controls Mapped

Overview

The CIS Microsoft 365 Foundations Benchmark provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365. Developed by a global community of cybersecurity experts, this benchmark offers consensus-based security recommendations that help organizations protect against common threats while maintaining operational efficiency. The benchmark covers identity, access management, data protection, and security monitoring across all M365 workloads.

Consensus-based security recommendations from global experts
Prescriptive configuration guidance with specific settings
Regular updates to address emerging threats
Widely recognized by auditors and regulators
Free to download and implement

Published by

Center for Internet Security

Official Documentation

TrueConfig Control Mappings

TrueConfig maps 53 security controls to CIS Benchmark requirements, helping you demonstrate compliance and identify gaps.

18

critical

21

high

12

medium

2

low

Identity & Authentication

5 controls

ID-01User MFA Registration
critical
ID-02Block Legacy Authentication
high
ID-03Enable Self-Service Password Reset
medium
ID-05Configure Smart Lockout Protection
high
ID-04Require Phishing-Resistant MFA for All Users
critical

Privileged Access

8 controls

PA-01Limit Global Administrators to 2-4
critical
PA-02Use Dedicated Admin Accounts
high
PA-03Configure Emergency Access Accounts
critical
PA-01-L2Eliminate Permanent Global Administrators
critical
PA-04Require PIM for All Privileged Roles
critical
+3 more controls

Conditional Access

12 controls

CA-01Require MFA via Conditional Access Policy
critical
CA-02Require MFA for All Administrators
critical
CA-08Block Access from High-Risk Countries
medium
CA-11Enforce Session Lifetime Limits for Guests and Admins
medium
DV-01Require Compliant Devices for Admin Access
high
+7 more controls

Workload Identity & Applications

8 controls

APP-01Application Ownership for Apps with Credentials
low
APP-02Enforce Application Credential Expiration
critical
APP-05Service Principal Credential Hygiene
critical
APP-08Restrict User Application Consent
high
APP-03Internal App Registration Permissions
high
+3 more controls

Guest & External Access

7 controls

EXT-01Restrict Guest Invitation Permissions
high
EXT-02Require MFA for Guest Users
medium
EXT-06External Sharing Visibility
medium
EXT-07Detect External Mail Forwarding
critical
EXT-04Configure Guest Access Expiration
medium
+2 more controls

Governance & Hygiene

6 controls

GOV-01Review Stale User Accounts
medium
GOV-05Maintain Group Naming Conventions
low
GOV-07Audit Privileged Role Assignments
high
GOV-02Automatically Disable Stale Accounts
medium
GOV-03Conduct Quarterly Privileged Access Reviews
high
+1 more controls

Logging & Visibility

5 controls

LOG-01Enable Unified Audit Logging
high
LOG-04Configure Privileged Operation Alerts
critical
LOG-02Export Logs to Long-Term Storage
medium
LOG-05Admin Activity Anomaly Detection
high
LOG-03Stream All Security Events to SIEM in Real-Time
high

Data Protection

2 controls

DLP-01Enable Sensitive Data Classification
high
DLP-02Block Bulk Data Exfiltration
critical

Who Needs CIS Benchmark?

Target Industries

Financial ServicesHealthcareGovernmentTechnologyManufacturing

Audience Types

enterprisegovernmentregulated

Frequently Asked Questions

What is CIS Microsoft 365 Foundations Benchmark?
The CIS Microsoft 365 Foundations Benchmark provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365. Developed by a global community of cybersecurity experts, this benchmark offers consensus-based security recommendations that help organizations protect against common threats while maintaining operational efficiency. The benchmark covers identity, access management, data protection, and security monitoring across all M365 workloads.
How does TrueConfig help with CIS Benchmark compliance?
TrueConfig maps 53 security controls to CIS Benchmark requirements. Each control includes specific guidance on how it satisfies CIS Benchmark requirements, making it easier to demonstrate compliance and identify gaps.
Who needs to comply with CIS Benchmark?
CIS Benchmark is typically required or recommended for enterprise organizations, government agencies and contractors, organizations in regulated industries. Industries that commonly need this framework include financial-services, healthcare, government.
What are the key benefits of CIS Benchmark compliance?
Consensus-based security recommendations from global experts Prescriptive configuration guidance with specific settings Regular updates to address emerging threats Widely recognized by auditors and regulators Free to download and implement

Related Frameworks

Zero Trust

Microsoft's security model based on "never trust, always verify" principles for identity, devices, and data.

53 controls →

ISO 27001

International standard for information security management systems with Annex A controls.

54 controls →

NIST 800-53

Comprehensive security and privacy controls catalog from the National Institute of Standards and Technology.

54 controls →

Automate CIS Benchmark Compliance

TrueConfig continuously monitors your Microsoft 365 tenant against CIS Benchmark requirements and helps you remediate deviations automatically.

Start Free Trial