Microsoft 365 CIS Benchmark, made operational.

Security Defaults give every tenant a baseline of MFA and legacy auth blocking. The CIS posture replaces them with Conditional Access policies that cover the same gaps with finer control.

Security Defaults and Conditional Access cannot run side by side. Tenants left on Security Defaults cannot use Conditional Access at all, which means no risk-based MFA, no device compliance gating, no admin protections.

Stand up CA policies that require MFA for all users, block legacy auth, and require compliant or hybrid-joined devices for admins. Once the CA policies are reporting-only clean for 24 hours, switch Security Defaults off in Entra admin center, Identity, Overview, Properties.

A Conditional Access policy that targets every admin role and requires an authentication strength of phishing-resistant MFA (FIDO2 security key, Windows Hello for Business, or certificate-based auth).

Push-prompt and SMS MFA are bypassed every quarter in real breaches. Phishing-resistant methods cannot be relayed by an attacker proxy. Admins are the highest-value target in the tenant.

Issue a Temporary Access Pass to each admin, register a FIDO2 key or Windows Hello for Business, then enable a CA policy targeting all admin role IDs with Grant, Require authentication strength, Phishing-resistant MFA.

Conditional Access session controls that force admins to reauthenticate on a regular cadence and prevent the browser from holding the session across closes.

A persistent browser session on a stolen or shared admin device equals a persistent breach. Forcing a sign-in frequency closes the window for token theft and walk-up access.

In your admin CA policy, set Session, Sign-in frequency to four hours and Persistent browser session to Never persistent. Apply to every admin role, exclude only break-glass.

A Conditional Access policy that blocks the Microsoft Admin Portals app for everyone except users assigned an administrative role.

Standard users browsing portal.azure.com or admin.microsoft.com leak the admin URL surface to credential-stealing extensions and phishing kits. Blocking unprivileged access to admin portals shrinks the attack surface to the people who need it.

Create a CA policy with Cloud apps, Microsoft Admin Portals. Users, All users, exclude all admin roles. Grant, Block. Roll out in report-only first to confirm no service accounts get caught.

Number matching, application name display, and geographic location display turned on for the Microsoft Authenticator app.

MFA fatigue attacks (push spamming) succeed when the prompt does not tell the user where the request is coming from. Number matching forces deliberate confirmation. App name and location turn a "tap yes" reflex into a deliberate decision.

Entra admin center, Authentication methods, Policies, Microsoft Authenticator, Configure. Enable Number matching, Show application name, and Show geographic location. Apply to All users.

A DNS TXT record at the apex of every accepted email domain that lists Microsoft 365 as an authorized sender and hard-fails everyone else.

Without SPF, anyone can spoof your domain in an email envelope. Recipients lose the ability to detect that mail claiming to be from you actually came from a third party.

Add a TXT record at each domain apex with content v=spf1 include:spf.protection.outlook.com -all. The hard fail (-all) is the CIS posture, not the soft fail (~all).

A DNS TXT record at _dmarc.<domain> that tells receivers what to do with mail that fails SPF or DKIM, and where to send aggregate reports.

SPF and DKIM tell receivers how to authenticate mail. DMARC tells them what to do when authentication fails. Without DMARC, a receiver can choose to deliver spoofed mail anyway.

Publish a TXT record at _dmarc.yourdomain with v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain. Once aggregate reports show only your authorized senders, advance to p=reject.

The Exchange Online malware filter set to block a comprehensive list of dangerous executable and script attachment types, not just the default.

The default Common Attachment Types Filter misses dozens of formats that ship malware (msi, msix, lnk, mst, hta, iso, img, and more). Attackers bounce between them as soon as one gets blocked.

Run Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true with the comprehensive file type list (ace, apk, app, appx, bat, cmd, com, dll, exe, hta, img, iso, lnk, msi, msix, msp, vbs, and 30 more).

The tenant authorization policy locked so a standard user cannot grant a third-party application permission to read their mailbox, OneDrive, or directory data.

Illicit consent grant attacks (the OAuth phishing kits that send a fake consent page) succeed because most tenants leave user consent at the default permissive setting. Removing that default closes the most common cloud account takeover path.

Entra admin center, Identity, Applications, Enterprise applications, Consent and permissions. Set Users can consent to apps to No. Pair with the admin consent workflow below.

A built-in workflow that lets users request admin consent for apps they need but cannot consent to themselves, with assigned reviewers.

Blocking user consent without a request path shifts shadow IT into worse channels (personal accounts, screenshot exfil). The workflow gives users a sanctioned way to ask, and gives admins visibility into demand.

Entra admin center, Enterprise applications, Consent and permissions, Admin consent settings. Enable Users can request admin consent. Assign two or three reviewers (Cloud App Admin or App Admin role).

At least one Microsoft Purview Data Loss Prevention policy in Enabled mode covering Exchange, scoped to detect and act on sensitive content like financial data, credentials, and regulated identifiers.

DLP is the only Microsoft 365 control that inspects message and file content as it moves. Audit-only DLP does nothing in real time. Enable mode is the entry price for protecting regulated data.

Microsoft Purview, Data loss prevention, Policies. Use a built-in template (Financial, Health, Privacy) and set Mode to Enable. Re-run scans, address false positives, then expand scope.

External Identities settings that limit who can invite guests and which external domains they can invite from.

A wide-open guest invite policy is the simplest way for a phisher with one compromised mailbox to seed a long-running social engineering campaign across your tenant. Allow-listing partner domains and gating invites to admin roles closes that lane.

Entra admin center, External Identities, External collaboration settings. Set Guest invite settings to Only users assigned to specific admin roles. Configure cross-tenant access B2B inbound to allow-list partner tenants.