Demo Mode

Every screen, flow, export, and remediation path is the real Veri-Guard product. The specific findings, scores, and runbooks shown are curated to illustrate a typical before/after story. Your tenant scan produces your own numbers.

Get started
Veri-Tech
← Veri-Guard

Security Assessment (548 controls)Enterprise

Job ID: demo-assessment-0422

548 controls — Registry v2.3.01184s

succeeded

Remediation Planner

  • Deploy fixes for 89 eligible controls
  • Generate runbooks for manual remediation steps
  • Set risk exceptions and document justifications
  • Track remediation progress across assessments

Generate Docs From Last Report

SOPs, Runbooks & exports

Demo generates 1 sample SOP + 1 sample runbook. Your tenant scan generates one per control — up to 174 runbooks on this assessment.

Executive Report

Scores, trends & analysis

Compliance Packages

ISO, SOC 2, NIST, CIS

Compliance Certificate

Generate a verifiable attestation to share with auditors, partners, or insurers

Assessment Results

Assessment Score

Scanned:

67%Overall

353

Passed

174

Failed

0 SOPs, 174 Runbooks
Passed (353)
Failed (174)
Skipped (21)

Skipped Controls

21 controls excluded from scoring

Scope Privileged Identity Management to least-privilege eligible roles

Skipped

CIS-1.4.1

Entra IDhigh

Control skipped: Entra ID P2 required.

Restrict Entra Agent ID applications to policy-approved scopes

Skipped

NIST-AC-3

Defendermedium

Control skipped: Entra Agent ID not enabled.

Apply App Protection Policy baseline for Windows

Skipped

VT-INTUNE-APP-WINDOWS-BASELINE

Intunemedium

Control skipped: Windows App Protection in preview.

Enable Attack Surface Reduction rules in audit or block mode

Skipped

CIS-2.3.1

Defendermedium

Control skipped: Defender for Endpoint Plan 2 required.

Require password change on high user risk

Skipped

EIDSCA-AG28

Entra IDmedium

Control skipped: Entra ID P2 required.

Enforce sign-in session lifetime for browser-based access

Skipped

NIST-IA-7

Entra IDmedium

Control skipped: M365 E5 Compliance add-on required.

Require number matching for Microsoft Authenticator push

Skipped

NIST-IA-12

Entra IDmedium

Control skipped: Defender for Office 365 Plan 2 required.

Enforce just-in-time access for Exchange Administrator role

Skipped

HIPAA-164.308.4.C

Entra IDhigh

Control skipped: Azure Information Protection P2 required.

Require BitLocker encryption on Windows endpoints

Skipped

CIS-6.5.1

Intunemedium

Control skipped: Defender for Endpoint Plan 2 required.

Require tamper protection on Defender for Endpoint

Skipped

VT-INTUNE-053

Intunemedium

Control skipped: Azure Information Protection P2 required.

Restrict save-as outside managed apps (app protection)

Skipped

VT-INTUNE-CFG-105

Intunehigh

Control skipped: Defender for Office 365 Plan 2 required.

Disable Basic Auth for IMAP at mailbox level

Skipped

CISA-EXO.4.1

Exchangemedium

Control skipped: Azure Information Protection P2 required.

Enforce litigation hold retention for 365 days minimum

Skipped

NIST-SI-6

Exchangehigh

Control skipped: M365 E5 Compliance add-on required.

Block consumer OneDrive access in Teams channels

Skipped

CIS-4.3.1

Teamscritical

Control skipped: Defender for Endpoint Plan 2 required.

Enable ZAP (zero-hour auto-purge) for phish and malware

Skipped

CIS-2.3.2

Defenderhigh

Control skipped: Defender for Endpoint Plan 2 required.

Configure phishing detection alert rule to SOC

Skipped

CISA-DEFENDER.4.1

Defendercritical

Control skipped: Azure Information Protection P2 required.

Enable anti-phishing impersonation protection for VIPs

Skipped

NIST-SI-19

Defendermedium

Control skipped: Defender for Office 365 Plan 2 required.

Require expiration dates on anonymous share links

Skipped

CIS-5.1.3

SharePointhigh

Control skipped: Defender for Endpoint Plan 2 required.

Configure SharePoint information barriers for regulated segments

Skipped

CIS-5.5.8

SharePointcritical

Control skipped: Defender for Endpoint Plan 2 required.

Enforce retention policy on OneDrive document libraries

Skipped

CIS-5.6.2

SharePointlow

Control skipped: Defender for Endpoint Plan 2 required.

Enable audit log search for SharePoint file activity

Skipped

CIS-5.6.4

SharePointhigh

Control skipped: Defender for Endpoint Plan 2 required.

Skipped controls are not included in your compliance score. They may require configuration changes or additional licensing.

Domain Scores

Click a domain to filter Control Results below

SharePoint94% (46/53)
Intune82% (97/122)
Defender70% (46/71)
Teams67% (34/52)
Entra ID54% (84/161)
Exchange53% (46/89)

Framework Compliance

Click a framework to filter Control Results below

67%

CIS Microsoft 365

250/373 controls

64%

CISA Secure Baseline

68/107 controls

62%

EIDSCA

64/104 controls

69%

HHS 405(d) HICP

142/205 controls

73%

HIPAA Security Rule

37/51 controls

69%

ISO 27001:2022

74/107 controls

68%

NIST 800-53 r5

179/264 controls

70%

NIST CSF 2.0

35/50 controls

73%

SOC 2 Type II

38/52 controls

Control Results (548)

548 of 548 controls
Failed (174)
ControlActions

Block legacy authentication protocols

CIS-1.1.2

Configure sign-in risk Conditional Access policy

CIS-1.2.1

Configure user-risk Conditional Access policy

CIS-1.2.2

Block legacy auth endpoints at the authentication methods policy

EIDSCA-AP03

Block external mail auto-forwarding org-wide

CIS-3.3.1

Extend Unified Audit Log retention to 12 months

CIS-3.1.2

Enable Conditional Access for SharePoint access by unmanaged devices

CIS-5.4.1

Block iCloud keychain sync on corporate iOS devices

VT-INTUNE-831

Review access privileges via Access Reviews

NIST-AC-2.5

Require MFA for Global Administrator sign-ins

CIS-1.1.10

Require MFA for Exchange Administrator sign-ins

CIS-1.1.11

Require MFA for SharePoint Administrator sign-ins

CIS-1.1.12

Require MFA for Teams Administrator sign-ins

CIS-1.1.13

Require MFA for Compliance Administrator sign-ins

CIS-1.1.14

Require MFA for Security Administrator sign-ins

CIS-1.1.15

Enforce Conditional Access for unmanaged devices

CIS-1.1.16

Block authentication from anonymous IP ranges

CIS-1.1.17

Require compliant device for privileged role activation

CIS-1.1.18

Enforce maximum sign-in frequency for privileged sessions

CIS-1.1.19

Require password change on high user risk

CIS-1.1.20

Disable self-service sign-up for guest users

CIS-1.1.21

Enforce guest user access review cadence

CIS-1.3.1

Restrict guest user invitation to specific admin roles

CIS-1.3.2

Require admin approval for app consent requests

CIS-1.3.4

Block unmanaged browser access to SharePoint and OneDrive

CIS-1.3.5

Enforce sign-in session lifetime for browser-based access

CIS-1.3.6

Block legacy POP3 authentication to mailboxes

CIS-1.3.7

Block legacy IMAP authentication to mailboxes

CIS-1.3.8

Block legacy SMTP AUTH authentication

CIS-1.3.9

Block authentication attempts from countries not on allowlist

CIS-1.3.10

Require number matching for Microsoft Authenticator push

CIS-1.3.11

Disable SMS as a primary authentication method

CIS-1.3.12

Disable voice call as a primary authentication method

CIS-1.3.13

Enforce Authenticator app for passwordless sign-in

CIS-1.3.14

Enforce FIDO2 security keys for privileged users

CIS-1.3.15

Require temporary access passes to expire within 24 hours

CIS-1.4.2

Configure password protection banned-password list

CIS-1.4.3

Require on-premises password protection agent

CIS-1.4.4

Enforce authenticator app lockout policy

CIS-1.4.5

Configure privileged access workstations for tier-0 admins

CIS-1.4.6

Require compliant device for admin access to Microsoft 365 admin center

CIS-1.4.7

Configure named locations for trusted IP ranges

CIS-1.4.8

Require MFA for external partner tenant access (B2B)

CIS-1.4.9

Disable cross-tenant inbound B2B invitations by default

CIS-1.4.10

Enforce persistent browser sessions off for unmanaged devices

CIS-1.4.11

Configure Identity Protection weekly digest to Security Operations

CIS-1.4.12

Investigate every flagged-for-review sign-in within 24 hours

CIS-1.4.13

Route Identity Protection alerts to the SIEM

EIDSCA-AG10

Enforce just-in-time access for Exchange Administrator role

EIDSCA-AP11

Enforce just-in-time access for Global Reader role

EIDSCA-AM12

Enforce maximum eligible assignment duration for privileged roles

EIDSCA-CR13

Require approval workflow for privileged role activation

EIDSCA-AF14

Notify role administrators on privileged role assignment changes

EIDSCA-PS15

Require justification for privileged role activation

EIDSCA-AG16

Configure activation notification recipients for all privileged roles

EIDSCA-AP17

Require MFA for Global Administrator sign-ins

EIDSCA-AM18

Require MFA for Exchange Administrator sign-ins

EIDSCA-CR19

Require MFA for SharePoint Administrator sign-ins

EIDSCA-AF20

Require MFA for Teams Administrator sign-ins

EIDSCA-PS21

Require MFA for Compliance Administrator sign-ins

EIDSCA-AG22

Require MFA for Security Administrator sign-ins

EIDSCA-AP23

Enforce Conditional Access for unmanaged devices

EIDSCA-AM24

Block authentication from anonymous IP ranges

EIDSCA-CR25

Require compliant device for privileged role activation

EIDSCA-AF26

Enforce maximum sign-in frequency for privileged sessions

EIDSCA-PS27

Disable self-service sign-up for guest users

EIDSCA-AP29

Enforce guest user access review cadence

NIST-IA-2

Restrict guest user invitation to specific admin roles

NIST-IA-3

Prohibit user consent to unverified publisher apps

NIST-IA-4

Require admin approval for app consent requests

NIST-IA-5

Block unmanaged browser access to SharePoint and OneDrive

NIST-IA-6

Block legacy POP3 authentication to mailboxes

NIST-IA-8

Block legacy IMAP authentication to mailboxes

NIST-IA-9

Block legacy SMTP AUTH authentication

NIST-IA-10

Require MFA for SharePoint Administrator sign-ins

CSF-ID.AM-8

Disable self-service sign-up for guest users

CISA-AAD.12.3

Require device lock password policy on Android

CIS-6.8.1

Enforce firewall policy on Windows endpoints

VT-INTUNE-044

Restrict local administrator accounts on Windows

VT-INTUNE-048

Restrict cut-copy-paste outside managed apps

VT-INTUNE-061

Require BitLocker encryption on Windows endpoints

VT-INTUNE-APP-ANDROID-MAIL

Require FileVault encryption on macOS endpoints

VT-INTUNE-APP-MACOS-BROWSER

Require biometric authentication for mobile devices

VT-INTUNE-APP-MACOS-MAIL

Block personal OneDrive sync on corporate Windows

VT-INTUNE-APP-WINDOWS-BROWSER

Require Windows Update for Business ring assignment

VT-INTUNE-APP-ANDROID-OFFICE

Block external USB storage on corporate devices

VT-INTUNE-COMP-010

Deploy Microsoft Edge baseline security profile

VT-INTUNE-COMP-013

Configure app configuration policy for Edge (managed)

VT-INTUNE-CFG-112

Block personal iCloud drive on corporate iOS

NIST-CM-3

Require device lock password policy on Android

NIST-CM-11

Block personal OneDrive sync on corporate Windows

ISO-A.8.22

Enforce Microsoft Defender for Endpoint on macOS devices

ISO-A.8.25

Block external USB storage on corporate devices

ISO-A.8.29

Deploy Microsoft Edge baseline security profile

HIPAA-164.310.1.A

Deploy Office 365 app baseline security profile

HIPAA-164.310.2.B

Restrict local administrator accounts on Windows

HIPAA-164.310.3.C

Enable mailbox audit logging on all mailboxes

CIS-3.2.2

Configure mailbox audit actions to log admin and delegate activity

CIS-3.2.3

Restrict calendar sharing to internal users only

CIS-3.3.3

Configure SPF hard-fail for all accepted domains

CIS-3.4.3

Configure DMARC with p=reject for all accepted domains

CIS-3.5.1

Disable Basic Auth for POP3 at mailbox level

CIS-3.5.2

Disable EWS (Exchange Web Services) legacy auth

CIS-3.6.4

Block mail forwarding to external domains by transport rule

CIS-3.6.6

Require quarantine on detected malware attachments

CIS-3.6.9

Configure Safe Attachments policy for all recipients

CIS-3.6.10

Configure Safe Links policy with click-time protection

CIS-3.6.11

Enable anti-phishing policy with impersonation protection

CIS-3.6.12

Enable spoofing prevention for hybrid deployments

CIS-3.6.14

Enforce litigation hold retention for 365 days minimum

CIS-3.7.8

Enforce retention policy on Exchange mailboxes

CIS-3.7.9

Configure mail flow rule to append external-sender banner

CIS-3.7.11

Restrict external direct-send relay via receive connectors

CIS-3.7.12

Configure mailbox audit actions to log admin and delegate activity

CISA-EXO.1.1

Require MFA for Exchange administrators

CISA-EXO.1.2

Configure DKIM signing for all accepted domains

CISA-EXO.2.3

Configure SPF hard-fail for all accepted domains

CISA-EXO.3.1

Configure DMARC with p=reject for all accepted domains

CISA-EXO.3.2

Disable Basic Auth for POP3 at mailbox level

CISA-EXO.3.3

Disable Basic Auth for SMTP AUTH at mailbox level

CISA-EXO.4.2

Disable Exchange ActiveSync legacy authentication

CISA-EXO.4.3

Disable EWS (Exchange Web Services) legacy auth

NIST-AU-2

Block automatic mail forwarding at mailbox level

NIST-AU-5

Configure Safe Attachments policy for all recipients

NIST-AU-8

Enable anti-phishing mailbox intelligence

NIST-AU-11

Block authentication from high-risk IP ranges

NIST-SI-3

Disable PowerShell remote connections for non-admin mailboxes

NIST-SI-4

Restrict mailbox delegation to approved roles

NIST-SI-5

Restrict external direct-send relay via receive connectors

NIST-SI-10

Enable Unified Audit Log tenant-wide

ISO-A.8.35

Disable anonymous calendar sharing

ISO-A.8.39

Disable Basic Auth for POP3 at mailbox level

SOC2-CC7.1

Disable Basic Auth for SMTP AUTH at mailbox level

SOC2-CC7.3

Disable OAB (Offline Address Book) legacy auth

SOC2-CC7.6

Restrict anti-malware bypass list to approved senders

SOC2-CC7.9

Require lobby admission for external meeting participants

CIS-4.1.3

Enable Safe Links scanning in Teams messages

CIS-4.3.3

Disable Teams guest access tenant-wide when not needed

CIS-4.5.2

Block screen sharing from anonymous meeting participants

CIS-4.5.3

Block Teams live events creation to approved producers only

CIS-4.5.6

Enable DLP policy for Teams chats and channels

CIS-4.5.10

Configure Teams data residency for in-region tenants

CIS-4.6.2

Restrict Teams federation to allow-listed domains

CIS-4.6.7

Disable recording for anonymous meeting participants

CIS-4.6.10

Restrict recording transcription to organizers and presenters

CISA-TEAMS.1.1

Block consumer OneDrive access in Teams channels

CISA-TEAMS.1.3

Restrict guest access to specific team channels

CISA-TEAMS.3.3

Disable Teams guest access tenant-wide when not needed

CISA-TEAMS.4.1

Block Teams live events creation to approved producers only

ISO-A.5.28

Enable communication compliance policy for Teams

ISO-A.5.31

Enable DLP policy for Teams chats and channels

ISO-A.5.32

Configure Teams data residency for in-region tenants

ISO-A.5.34

Enable anti-phishing impersonation protection for VIPs

CIS-2.2.2

Configure DKIM alignment enforcement

CIS-2.2.3

Enable automatic investigation and remediation (AIR)

CIS-2.3.3

Configure email authentication alert rule to SOC

CIS-2.5.2

Enable Attack Simulation Training user outcome tracking

CIS-2.4.6

Configure Explorer search persistent queries for IR

CIS-2.4.8

Enable Defender for Office 365 Plan 2 AIR investigations

CIS-2.4.9

Configure spam confidence level thresholds

CIS-2.4.11

Enable automated investigation for URL compromises

CIS-2.5.4

Configure incident response playbook for mailbox takeover

CIS-2.5.5

Configure incident response playbook for BEC attempts

CIS-2.5.6

Enable standard preset security policy for all users

CIS-2.5.10

Enable anti-phishing impersonation protection for VIPs

CIS-2.5.11

Configure DKIM alignment enforcement

CIS-2.5.12

Enable Defender for Cloud Apps integration with Defender

CISA-DEFENDER.2.2

Enable Defender for Identity integration with Entra ID

CISA-DEFENDER.2.3

Configure spam confidence level thresholds

NIST-IR-8

Enable bulk complaint level (BCL) filtering

NIST-IR-9

Enable intra-organization spoof protection

NIST-IR-10

Enable external-sender tagging in Outlook

NIST-IR-11

Disable SharePoint App Catalog self-service

CIS-5.5.3

Require expiration dates on anonymous share links

CIS-5.6.9

Passed (353)
Control

Prohibit user consent to unverified publisher apps

CIS-1.3.3

Block authentication attempts from countries not on allowlist

NIST-IA-11

Disable SMS as a primary authentication method

NIST-IA-13

Disable voice call as a primary authentication method

NIST-IA-14

Enforce Authenticator app for passwordless sign-in

NIST-IA-15

Enforce FIDO2 security keys for privileged users

NIST-IA-16

Require temporary access passes to expire within 24 hours

NIST-IA-17

Configure password protection banned-password list

NIST-IA-18

Require on-premises password protection agent

NIST-IA-19

Enforce authenticator app lockout policy

NIST-AC-6

Configure privileged access workstations for tier-0 admins

NIST-AC-7

Require compliant device for admin access to Microsoft 365 admin center

NIST-AC-8

Configure named locations for trusted IP ranges

NIST-AC-9

Require MFA for external partner tenant access (B2B)

NIST-AC-10

Disable cross-tenant inbound B2B invitations by default

NIST-AC-11

Enforce persistent browser sessions off for unmanaged devices

NIST-AC-12

Configure Identity Protection weekly digest to Security Operations

NIST-AC-13

Investigate every flagged-for-review sign-in within 24 hours

NIST-AC-14

Route Identity Protection alerts to the SIEM

NIST-AC-15

Enforce just-in-time access for Exchange Administrator role

NIST-AC-16

Enforce just-in-time access for Global Reader role

NIST-AC-17

Enforce maximum eligible assignment duration for privileged roles

NIST-AC-18

Require approval workflow for privileged role activation

NIST-AC-19

Notify role administrators on privileged role assignment changes

NIST-AC-20

Require justification for privileged role activation

ISO-A.5.10

Configure activation notification recipients for all privileged roles

ISO-A.5.11

Require MFA for Global Administrator sign-ins

ISO-A.5.12

Require MFA for Exchange Administrator sign-ins

ISO-A.5.13

Require MFA for SharePoint Administrator sign-ins

ISO-A.5.14

Require MFA for Teams Administrator sign-ins

ISO-A.5.15

Require MFA for Compliance Administrator sign-ins

ISO-A.5.16

Require MFA for Security Administrator sign-ins

ISO-A.5.17

Enforce Conditional Access for unmanaged devices

ISO-A.5.18

Block authentication from anonymous IP ranges

ISO-A.5.19

Require compliant device for privileged role activation

ISO-A.5.20

Enforce maximum sign-in frequency for privileged sessions

ISO-A.5.21

Require password change on high user risk

ISO-A.8.6

Disable self-service sign-up for guest users

ISO-A.8.7

Enforce guest user access review cadence

ISO-A.8.8

Restrict guest user invitation to specific admin roles

ISO-A.8.9

Prohibit user consent to unverified publisher apps

ISO-A.8.10

Require admin approval for app consent requests

ISO-A.8.11

Block unmanaged browser access to SharePoint and OneDrive

ISO-A.8.12

Enforce sign-in session lifetime for browser-based access

ISO-A.8.13

Block legacy POP3 authentication to mailboxes

ISO-A.8.14

Block legacy IMAP authentication to mailboxes

ISO-A.8.15

Block legacy SMTP AUTH authentication

ISO-A.8.16

Block authentication attempts from countries not on allowlist

ISO-A.8.17

Require number matching for Microsoft Authenticator push

SOC2-CC6.2

Disable SMS as a primary authentication method

SOC2-CC6.3

Disable voice call as a primary authentication method

SOC2-CC6.4

Enforce Authenticator app for passwordless sign-in

SOC2-CC6.5

Enforce FIDO2 security keys for privileged users

SOC2-CC6.6

Require temporary access passes to expire within 24 hours

SOC2-CC6.7

Configure password protection banned-password list

SOC2-CC6.8

Require on-premises password protection agent

SOC2-CC6.9

Enforce authenticator app lockout policy

SOC2-CC6.10

Configure privileged access workstations for tier-0 admins

SOC2-CC6.11

Require compliant device for admin access to Microsoft 365 admin center

HIPAA-164.308.1.A

Configure named locations for trusted IP ranges

HIPAA-164.308.2.B

Require MFA for external partner tenant access (B2B)

HIPAA-164.308.3.C

Disable cross-tenant inbound B2B invitations by default

HIPAA-164.308.4.A

Enforce persistent browser sessions off for unmanaged devices

HIPAA-164.308.5.B

Configure Identity Protection weekly digest to Security Operations

HIPAA-164.308.1.C

Investigate every flagged-for-review sign-in within 24 hours

HIPAA-164.308.2.A

Route Identity Protection alerts to the SIEM

HIPAA-164.308.3.B

Enforce just-in-time access for Global Reader role

HIPAA-164.308.5.A

Enforce maximum eligible assignment duration for privileged roles

CSF-ID.AM-1

Require approval workflow for privileged role activation

CSF-ID.AM-2

Notify role administrators on privileged role assignment changes

CSF-ID.AM-3

Require justification for privileged role activation

CSF-ID.AM-4

Configure activation notification recipients for all privileged roles

CSF-ID.AM-5

Require MFA for Global Administrator sign-ins

CSF-ID.AM-6

Require MFA for Exchange Administrator sign-ins

CSF-ID.AM-7

Require MFA for Teams Administrator sign-ins

CISA-AAD.4.1

Require MFA for Compliance Administrator sign-ins

CISA-AAD.5.2

Require MFA for Security Administrator sign-ins

CISA-AAD.6.3

Enforce Conditional Access for unmanaged devices

CISA-AAD.7.1

Block authentication from anonymous IP ranges

CISA-AAD.8.2

Require compliant device for privileged role activation

CISA-AAD.9.3

Enforce maximum sign-in frequency for privileged sessions

CISA-AAD.10.1

Require password change on high user risk

CISA-AAD.11.2

Enforce guest user access review cadence

CISA-AAD.13.1

Restrict guest user invitation to specific admin roles

CISA-AAD.14.2

Enforce device compliance policy on corporate Windows devices

CIS-6.1.1

Enforce device compliance policy on corporate macOS devices

CIS-6.2.1

Enforce device compliance policy on personal iOS devices

CIS-6.3.1

Enforce device compliance policy on personal Android devices

CIS-6.4.1

Require FileVault encryption on macOS endpoints

CIS-6.6.1

Require device lock password policy on iOS

CIS-6.7.1

Enforce Windows Hello for Business with PIN complexity

CIS-6.9.1

Require biometric authentication for mobile devices

CIS-6.10.1

Block personal OneDrive sync on corporate Windows

CIS-6.11.1

Block personal Google Drive sync on corporate Android

CIS-6.12.1

Enforce Microsoft Defender for Endpoint on Windows devices

CIS-6.13.1

Enforce Microsoft Defender for Endpoint on macOS devices

CIS-6.14.1

Configure Autopilot Enrollment Status Page for Windows

VT-INTUNE-040

Configure Autopilot device preparation template

VT-INTUNE-041

Require Windows Update for Business ring assignment

VT-INTUNE-042

Block external USB storage on corporate devices

VT-INTUNE-043

Enforce SmartScreen policy on Edge and Windows

VT-INTUNE-045

Deploy Microsoft Edge baseline security profile

VT-INTUNE-046

Deploy Office 365 app baseline security profile

VT-INTUNE-047

Enforce LAPS (Local Administrator Password Solution)

VT-INTUNE-049

Configure Credential Guard and Remote Credential Guard

VT-INTUNE-050

Enforce attack surface reduction rules in block mode

VT-INTUNE-051

Configure exploit protection for Windows endpoints

VT-INTUNE-052

Block untrusted and unsigned scripts on Windows

VT-INTUNE-054

Require Windows Information Protection (enterprise data boundary)

VT-INTUNE-055

Enforce app protection policy on Outlook mobile

VT-INTUNE-056

Enforce app protection policy on Teams mobile

VT-INTUNE-057

Enforce app protection policy on OneDrive mobile

VT-INTUNE-058

Enforce app protection policy on Office mobile apps

VT-INTUNE-059

Restrict save-as outside managed apps (app protection)

VT-INTUNE-060

Require managed keyboard on iOS managed apps

VT-INTUNE-062

Require PIN re-entry after inactivity in managed apps

VT-INTUNE-063

Block screenshot capture in managed apps on Android

VT-INTUNE-064

Enforce encryption of work data in managed apps

VT-INTUNE-065

Configure app configuration policy for Outlook (managed)

VT-INTUNE-066

Configure app configuration policy for Edge (managed)

VT-INTUNE-067

Block personal iCloud keychain on corporate iOS

VT-INTUNE-068

Block personal iCloud photos on corporate iOS

VT-INTUNE-069

Block personal iCloud drive on corporate iOS

VT-INTUNE-APP-IOS-MAIL

Enforce device compliance policy on corporate Windows devices

VT-INTUNE-APP-ANDROID-BROWSER

Enforce device compliance policy on corporate macOS devices

VT-INTUNE-APP-MACOS-OFFICE

Enforce device compliance policy on personal iOS devices

VT-INTUNE-APP-WINDOWS-EDGE

Enforce device compliance policy on personal Android devices

VT-INTUNE-APP-IOS-TEAMS

Require device lock password policy on iOS

VT-INTUNE-APP-WINDOWS-OFFICE

Require device lock password policy on Android

VT-INTUNE-APP-IOS-EDGE

Enforce Windows Hello for Business with PIN complexity

VT-INTUNE-APP-ANDROID-TEAMS

Block personal Google Drive sync on corporate Android

VT-INTUNE-APP-IOS-OFFICE

Enforce Microsoft Defender for Endpoint on Windows devices

VT-INTUNE-APP-ANDROID-EDGE

Enforce Microsoft Defender for Endpoint on macOS devices

VT-INTUNE-APP-MACOS-TEAMS

Configure Autopilot Enrollment Status Page for Windows

VT-INTUNE-APP-WINDOWS-MAIL

Configure Autopilot device preparation template

VT-INTUNE-APP-IOS-BROWSER

Enforce firewall policy on Windows endpoints

VT-INTUNE-COMP-011

Enforce SmartScreen policy on Edge and Windows

VT-INTUNE-COMP-012

Deploy Office 365 app baseline security profile

VT-INTUNE-COMP-014

Restrict local administrator accounts on Windows

VT-INTUNE-COMP-015

Enforce LAPS (Local Administrator Password Solution)

VT-INTUNE-COMP-016

Configure Credential Guard and Remote Credential Guard

VT-INTUNE-COMP-017

Enforce attack surface reduction rules in block mode

VT-INTUNE-COMP-018

Configure exploit protection for Windows endpoints

VT-INTUNE-COMP-019

Require tamper protection on Defender for Endpoint

VT-INTUNE-COMP-020

Block untrusted and unsigned scripts on Windows

VT-INTUNE-COMP-021

Require Windows Information Protection (enterprise data boundary)

VT-INTUNE-CFG-100

Enforce app protection policy on Outlook mobile

VT-INTUNE-CFG-101

Enforce app protection policy on Teams mobile

VT-INTUNE-CFG-102

Enforce app protection policy on OneDrive mobile

VT-INTUNE-CFG-103

Enforce app protection policy on Office mobile apps

VT-INTUNE-CFG-104

Restrict cut-copy-paste outside managed apps

VT-INTUNE-CFG-106

Require managed keyboard on iOS managed apps

VT-INTUNE-CFG-107

Require PIN re-entry after inactivity in managed apps

VT-INTUNE-CFG-108

Block screenshot capture in managed apps on Android

VT-INTUNE-CFG-109

Enforce encryption of work data in managed apps

VT-INTUNE-CFG-110

Configure app configuration policy for Outlook (managed)

VT-INTUNE-CFG-111

Block personal iCloud keychain on corporate iOS

VT-INTUNE-CFG-113

Block personal iCloud photos on corporate iOS

NIST-CM-2

Enforce device compliance policy on corporate Windows devices

NIST-CM-4

Enforce device compliance policy on corporate macOS devices

NIST-CM-5

Enforce device compliance policy on personal iOS devices

NIST-CM-6

Enforce device compliance policy on personal Android devices

NIST-CM-7

Require BitLocker encryption on Windows endpoints

NIST-CM-8

Require FileVault encryption on macOS endpoints

NIST-CM-9

Require device lock password policy on iOS

NIST-CM-10

Enforce Windows Hello for Business with PIN complexity

NIST-CM-12

Require biometric authentication for mobile devices

NIST-CM-13

Block personal Google Drive sync on corporate Android

ISO-A.8.23

Enforce Microsoft Defender for Endpoint on Windows devices

ISO-A.8.24

Configure Autopilot Enrollment Status Page for Windows

ISO-A.8.26

Configure Autopilot device preparation template

ISO-A.8.27

Require Windows Update for Business ring assignment

ISO-A.8.28

Enforce firewall policy on Windows endpoints

ISO-A.8.30

Enforce SmartScreen policy on Edge and Windows

ISO-A.8.31

Enforce LAPS (Local Administrator Password Solution)

HIPAA-164.310.4.A

Configure Credential Guard and Remote Credential Guard

HIPAA-164.310.1.B

Enforce attack surface reduction rules in block mode

HIPAA-164.310.2.C

Configure exploit protection for Windows endpoints

HIPAA-164.310.3.A

Require tamper protection on Defender for Endpoint

HIPAA-164.310.4.B

Block untrusted and unsigned scripts on Windows

HIPAA-164.310.1.C

Require Windows Information Protection (enterprise data boundary)

HIPAA-164.310.2.A

Enable Unified Audit Log tenant-wide

CIS-3.2.1

Disable anonymous calendar sharing

CIS-3.3.2

Disable external sender reply-to spoofing

CIS-3.4.1

Configure DKIM signing for all accepted domains

CIS-3.4.2

Disable Basic Auth for IMAP at mailbox level

CIS-3.5.3

Disable Basic Auth for SMTP AUTH at mailbox level

CIS-3.6.1

Disable Exchange ActiveSync legacy authentication

CIS-3.6.2

Disable OAB (Offline Address Book) legacy auth

CIS-3.6.5

Block automatic mail forwarding at mailbox level

CIS-3.6.7

Restrict anti-malware bypass list to approved senders

CIS-3.6.8

Enable anti-phishing mailbox intelligence

CIS-3.6.13

Block authentication from high-risk IP ranges

CIS-3.6.15

Disable PowerShell remote connections for non-admin mailboxes

CIS-3.7.6

Restrict mailbox delegation to approved roles

CIS-3.7.7

Configure mail flow rule to quarantine executable attachments

CIS-3.7.10

Disable client-rules forwarding to external addresses

CIS-3.7.13

Enable Unified Audit Log tenant-wide

CIS-3.7.14

Enable mailbox audit logging on all mailboxes

CIS-3.7.15

Disable anonymous calendar sharing

CISA-EXO.1.3

Restrict calendar sharing to internal users only

CISA-EXO.2.1

Disable external sender reply-to spoofing

CISA-EXO.2.2

Disable OAB (Offline Address Book) legacy auth

NIST-AU-3

Block mail forwarding to external domains by transport rule

NIST-AU-4

Restrict anti-malware bypass list to approved senders

NIST-AU-6

Require quarantine on detected malware attachments

NIST-AU-7

Configure Safe Links policy with click-time protection

NIST-AU-9

Enable anti-phishing policy with impersonation protection

NIST-AU-10

Enable spoofing prevention for hybrid deployments

NIST-SI-2

Enforce retention policy on Exchange mailboxes

NIST-SI-7

Configure mail flow rule to quarantine executable attachments

NIST-SI-8

Configure mail flow rule to append external-sender banner

NIST-SI-9

Disable client-rules forwarding to external addresses

NIST-SI-11

Enable mailbox audit logging on all mailboxes

ISO-A.8.36

Configure mailbox audit actions to log admin and delegate activity

ISO-A.8.37

Require MFA for Exchange administrators

ISO-A.8.38

Restrict calendar sharing to internal users only

ISO-A.8.40

Disable external sender reply-to spoofing

ISO-A.8.41

Configure DKIM signing for all accepted domains

ISO-A.8.42

Configure SPF hard-fail for all accepted domains

ISO-A.8.43

Configure DMARC with p=reject for all accepted domains

ISO-A.8.44

Disable Basic Auth for IMAP at mailbox level

SOC2-CC7.2

Disable Exchange ActiveSync legacy authentication

SOC2-CC7.4

Disable EWS (Exchange Web Services) legacy auth

SOC2-CC7.5

Block mail forwarding to external domains by transport rule

SOC2-CC7.7

Block automatic mail forwarding at mailbox level

SOC2-CC7.8

Require quarantine on detected malware attachments

SOC2-CC7.10

Restrict Teams federation to allow-listed domains

CIS-4.1.1

Block anonymous users from joining meetings by default

CIS-4.1.2

Disable recording for anonymous meeting participants

CIS-4.2.1

Restrict recording transcription to organizers and presenters

CIS-4.2.2

Block third-party cloud storage in Teams files

CIS-4.2.3

Require managed device for Teams access (Conditional Access)

CIS-4.3.2

Enable Safe Attachments scanning in Teams files

CIS-4.4.1

Disable external file sharing in Teams channels

CIS-4.4.2

Require guest MFA before Teams access (Conditional Access)

CIS-4.4.3

Restrict guest access to specific team channels

CIS-4.5.1

Require Teams meeting join via authenticated user only

CIS-4.5.4

Disable PSTN dial-in for external meetings by default

CIS-4.5.5

Enforce retention policy on Teams chat messages

CIS-4.5.7

Enforce retention policy on Teams channel messages

CIS-4.5.8

Enable communication compliance policy for Teams

CIS-4.5.9

Block sensitive-label downgrade in Teams

CIS-4.6.1

Enforce branding and disclaimer on external Teams messages

CIS-4.6.3

Restrict Teams app installation to admin-approved apps

CIS-4.6.4

Block custom Teams app sideloading in production

CIS-4.6.5

Require app review before org-wide Teams app deployment

CIS-4.6.6

Block anonymous users from joining meetings by default

CIS-4.6.8

Require lobby admission for external meeting participants

CIS-4.6.9

Block third-party cloud storage in Teams files

CISA-TEAMS.1.2

Require managed device for Teams access (Conditional Access)

CISA-TEAMS.2.1

Enable Safe Links scanning in Teams messages

CISA-TEAMS.2.2

Enable Safe Attachments scanning in Teams files

CISA-TEAMS.2.3

Disable external file sharing in Teams channels

CISA-TEAMS.3.1

Require guest MFA before Teams access (Conditional Access)

CISA-TEAMS.3.2

Block screen sharing from anonymous meeting participants

ISO-A.5.25

Require Teams meeting join via authenticated user only

ISO-A.5.26

Disable PSTN dial-in for external meetings by default

ISO-A.5.27

Enforce retention policy on Teams chat messages

ISO-A.5.29

Enforce retention policy on Teams channel messages

ISO-A.5.30

Block sensitive-label downgrade in Teams

ISO-A.5.33

Configure Safe Attachments preset policy for all recipients

CIS-2.1.1

Configure Safe Links preset policy for all recipients

CIS-2.1.2

Enable strict preset security policy for high-risk users

CIS-2.1.3

Enable standard preset security policy for all users

CIS-2.2.1

Require quarantine end-user notifications for detections

CIS-2.4.1

Enable Defender for Cloud Apps integration with Defender

CIS-2.4.2

Enable Defender for Identity integration with Entra ID

CIS-2.4.3

Enable Microsoft Defender Threat Intelligence feed

CIS-2.5.1

Configure malware detection alert rule to SOC

CIS-2.5.3

Enable Attack Simulation Training quarterly campaigns

CIS-2.4.4

Configure Attack Simulation Training phishing URL library

CIS-2.4.5

Enable Threat Trackers weekly digest for SOC

CIS-2.4.7

Configure Connection Filter policy IP allow list

CIS-2.4.10

Enable bulk complaint level (BCL) filtering

CIS-2.4.12

Enable intra-organization spoof protection

CIS-2.4.13

Configure Safe Attachments preset policy for all recipients

CIS-2.5.7

Configure Safe Links preset policy for all recipients

CIS-2.5.8

Enable strict preset security policy for high-risk users

CIS-2.5.9

Configure DMARC aggregate report ingestion

CISA-DEFENDER.1.1

Enable ZAP (zero-hour auto-purge) for phish and malware

CISA-DEFENDER.1.2

Enable automatic investigation and remediation (AIR)

CISA-DEFENDER.1.3

Require quarantine end-user notifications for detections

CISA-DEFENDER.2.1

Enable Microsoft Defender Threat Intelligence feed

CISA-DEFENDER.3.1

Configure email authentication alert rule to SOC

CISA-DEFENDER.3.2

Configure malware detection alert rule to SOC

CISA-DEFENDER.3.3

Configure Defender Alert severity-based routing

CISA-DEFENDER.4.2

Enable Attack Simulation Training quarterly campaigns

CISA-DEFENDER.4.3

Configure Attack Simulation Training phishing URL library

NIST-IR-2

Enable Attack Simulation Training user outcome tracking

NIST-IR-3

Enable Threat Trackers weekly digest for SOC

NIST-IR-4

Configure Explorer search persistent queries for IR

NIST-IR-5

Enable Defender for Office 365 Plan 2 AIR investigations

NIST-IR-6

Configure Connection Filter policy IP allow list

NIST-IR-7

Enable automated investigation for mailbox compromises

NIST-IR-12

Enable automated investigation for file compromises

NIST-IR-13

Enable automated investigation for URL compromises

NIST-SI-12

Configure incident response playbook for mailbox takeover

NIST-SI-13

Configure incident response playbook for BEC attempts

NIST-SI-14

Configure Safe Attachments preset policy for all recipients

NIST-SI-15

Configure Safe Links preset policy for all recipients

NIST-SI-16

Enable strict preset security policy for high-risk users

NIST-SI-17

Enable standard preset security policy for all users

NIST-SI-18

Configure DKIM alignment enforcement

NIST-SI-20

Configure DMARC aggregate report ingestion

NIST-SI-21

Enable ZAP (zero-hour auto-purge) for phish and malware

NIST-SI-22

Enable automatic investigation and remediation (AIR)

NIST-SI-23

Restrict external sharing to specific trusted domains

CIS-5.1.1

Default new SharePoint sites to "Only people in your organization"

CIS-5.1.2

Require sign-in for external file access

CIS-5.2.1

Require MFA for external file access (Conditional Access)

CIS-5.2.2

Block OneDrive sync on unmanaged devices

CIS-5.2.3

Disable legacy authentication to SharePoint Online

CIS-5.3.1

Require sensitivity label on SharePoint sites

CIS-5.3.2

Require sensitivity label on Microsoft 365 groups

CIS-5.3.3

Block download of labeled content on unmanaged devices

CIS-5.4.2

Enable idle session timeout for browser access

CIS-5.4.3

Restrict custom script on SharePoint sites

CIS-5.5.2

Require admin approval for SharePoint app installation

CIS-5.5.4

Restrict external user re-sharing of content

CIS-5.5.5

Enable versioning on all SharePoint document libraries

CIS-5.5.6

Enable recycle bin retention for 93 days minimum

CIS-5.5.7

Block file upload of executable file types (.exe, .dll, etc.)

CIS-5.5.9

Block file upload of script file types (.ps1, .bat, etc.)

CIS-5.5.10

Enable access requests for site collection permissions

CIS-5.5.11

Enforce retention policy on SharePoint document libraries

CIS-5.6.1

Configure Sites & OneDrive retention for terminated users

CIS-5.6.3

Configure SharePoint deletion alert for sensitive sites

CIS-5.6.5

Require hub-site approval for new site creation

CIS-5.6.6

Restrict external sharing to specific trusted domains

CIS-5.6.7

Default new SharePoint sites to "Only people in your organization"

CIS-5.6.8

Require sign-in for external file access

CIS-5.6.10

Require MFA for external file access (Conditional Access)

CISA-SHARE.1.1

Block OneDrive sync on unmanaged devices

CISA-SHARE.1.2

Disable legacy authentication to SharePoint Online

CISA-SHARE.1.3

Require sensitivity label on SharePoint sites

CISA-SHARE.2.1

Require sensitivity label on Microsoft 365 groups

CISA-SHARE.2.2

Enforce DLP policy on SharePoint and OneDrive

CISA-SHARE.2.3

Block download of labeled content on unmanaged devices

CISA-SHARE.3.1

Enable idle session timeout for browser access

CISA-SHARE.3.2

Restrict custom script on SharePoint sites

CISA-SHARE.3.3

Disable SharePoint App Catalog self-service

CISA-SHARE.4.1

Require admin approval for SharePoint app installation

ISO-A.5.45

Restrict external user re-sharing of content

ISO-A.5.46

Enable versioning on all SharePoint document libraries

ISO-A.5.47

Enable recycle bin retention for 93 days minimum

ISO-A.5.48

Configure SharePoint information barriers for regulated segments

ISO-A.5.49

Block file upload of executable file types (.exe, .dll, etc.)

ISO-A.5.50

Block file upload of script file types (.ps1, .bat, etc.)

ISO-A.5.51

Enable access requests for site collection permissions

ISO-A.5.52

Require hub-site approval for new site creation

SOC2-CC6.12

Restrict external sharing to specific trusted domains

SOC2-CC6.13

Default new SharePoint sites to "Only people in your organization"

SOC2-CC6.14

Skipped (21)
Control

Scope Privileged Identity Management to least-privilege eligible roles

CIS-1.4.1

Restrict Entra Agent ID applications to policy-approved scopes

NIST-AC-3

Apply App Protection Policy baseline for Windows

VT-INTUNE-APP-WINDOWS-BASELINE

Enable Attack Surface Reduction rules in audit or block mode

CIS-2.3.1

Require password change on high user risk

EIDSCA-AG28

Enforce sign-in session lifetime for browser-based access

NIST-IA-7

Require number matching for Microsoft Authenticator push

NIST-IA-12

Enforce just-in-time access for Exchange Administrator role

HIPAA-164.308.4.C

Require BitLocker encryption on Windows endpoints

CIS-6.5.1

Require tamper protection on Defender for Endpoint

VT-INTUNE-053

Restrict save-as outside managed apps (app protection)

VT-INTUNE-CFG-105

Disable Basic Auth for IMAP at mailbox level

CISA-EXO.4.1

Enforce litigation hold retention for 365 days minimum

NIST-SI-6

Block consumer OneDrive access in Teams channels

CIS-4.3.1

Enable ZAP (zero-hour auto-purge) for phish and malware

CIS-2.3.2

Configure phishing detection alert rule to SOC

CISA-DEFENDER.4.1

Enable anti-phishing impersonation protection for VIPs

NIST-SI-19

Require expiration dates on anonymous share links

CIS-5.1.3

Configure SharePoint information barriers for regulated segments

CIS-5.5.8

Enforce retention policy on OneDrive document libraries

CIS-5.6.2

Enable audit log search for SharePoint file activity

CIS-5.6.4

Create ITSM Tickets

Push failed controls as tickets to your ITSM/PSA platform.

174 failed controls without tickets

Risk Exceptions

Accept risk on controls you can't or won't remediate. Waived controls are excluded from scoring.

CIS-5.1.2Marketing campaigns share time-boxed assets with external contractors via anonymous links; risk accepted through Q3 2026.10/15/2026

See a report like this from your own tenant

Connect read-only, watch the same scan run live against your data, and we'll walk through the results together.

Get startedBook a call