CIS for Microsoft 365 — Practical Hardening You Can Apply Today
Introduction
CIS (the Center for Internet Security) publishes best-practice security benchmarks. In M365, applying the CIS benchmark in practice means:
- Hardening Azure AD
- Enforcing access control
- Strengthening authentication
- Improving logging
- Locking down Exchange, SharePoint, and Teams
- Using Conditional Access correctly
- Reducing attack surface
Below is the real-world version, not the theoretical one.
1. Require MFA (CIS Level 1 Control)
CIS Recommendation: MFA for all accounts.
How to apply:
Use Conditional Access:
- Include: All users
- Exclude: break-glass admin accounts
- Require MFA
- State: On
2. Disable Legacy Authentication
CIS Control: Block Basic Auth.
Azure example:
Conditional Access policy → block legacy authentication clients
Exchange Online → disable POP, IMAP and SMTP AUTH
3. Passwordless Authentication
CIS: Prefer passwordless.
Implementation:
Enable:
- Windows Hello
- Authenticator App
- FIDO2 keys
4. Limit Global Admin Roles
CIS: Admin roles must be minimized.
How to do it:
- Keep Global Administrator to 2 accounts
- Use PIM (Privileged Identity Management) instead of permanent assignments
- Require MFA + justification to activate a role
5. Require Compliant Devices
CIS: Block unmanaged devices.
Apply with Conditional Access:
Grant → require one of:
- Device marked compliant
- Hybrid Azure AD joined device
- Approved client app
6. Exchange Online Protections
CIS: Anti-phishing, anti-malware, safe links, safe attachments.
7. Audit Logging
CIS: Must be enabled.
Check (Exchange Online PowerShell):
Get-AdminAuditLogConfig
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
8. Session Control
Use Conditional Access → session controls (sign-in frequency):
- 8-hour maximum
- Force re-authentication when the session expires
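Putting sections 1, 2 and 8 together, here is an added example (not from the original post) that creates the two Conditional Access policies with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and an admin with the Conditional Access scopes; the break-glass object id and the policy names are placeholders.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph
# module; the break-glass GUID below is a placeholder to replace.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder object id

# Policy 1 (sections 1 and 8): MFA for all users, break-glass excluded,
# with an 8-hour sign-in frequency so sessions must re-authenticate.
$mfaPolicy = @{
    displayName = "CIS - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set "enabled" after review
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls   = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        signInFrequency = @{
            value     = 8
            type      = "hours"
            isEnabled = $true
        }
    }
}

# Policy 2 (section 2): block legacy authentication clients. "other" covers
# protocols such as POP, IMAP and SMTP AUTH, which cannot satisfy MFA.
$legacyPolicy = @{
    displayName = "CIS - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($mfaPolicy, $legacyPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' in state $($created.State)"
}
```

Both policies start in report-only mode so sign-in logs show who would have been blocked before the state is switched to enabled.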
Conclusion
CIS is not complicated.
It’s just applying security baselines consistently using tools already built into M365:
- Conditional Access
- Defender
- PIM
- MFA
- Logging
© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.