Benchmark: CIS v2.0.0
To obtain the latest version of the official guide, please visit http://benchmarks.cisecurity.org.
Overview
This document, Security Configuration Benchmark for Microsoft 365, provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365 Cloud offerings running on any OS. This guide was tested against Microsoft 365, and includes recommendations for Exchange Online, SharePoint Online, OneDrive for Business, Skype/Teams, Azure Active Directory, and Intune. If you have questions, comments, or have identified ways to improve this guide, please write us at feedback@cisecurity.org.
Profiles
The following configuration profiles are defined by this Benchmark:
E3 Level 1
Items in this profile apply to customer deployments of Microsoft M365 with an E3 license and intend to:
- be practical and prudent;
- provide a clear security benefit; and
- not inhibit the utility of the technology beyond acceptable means.
E3 Level 2
This profile extends the "E3 Level 1" profile. Items in this profile exhibit one or more of the following characteristics and are focused on customer deployments of Microsoft M365 E3:
- are intended for environments or use cases where security is paramount
- act as a defense-in-depth measure
- may negatively inhibit the utility or performance of the technology.
E5 Level 1
Items in this profile extend what is provided by the "E3 Level 1" profile for customer deployments of Microsoft M365 with an E5 license and intend to:
- be practical and prudent;
- provide a clear security benefit; and
- not inhibit the utility of the technology beyond acceptable means.
E5 Level 2
This profile extends the "E3 Level 1" and "E5 Level 1" profiles. Items in this profile exhibit one or more of the following characteristics and are focused on customer deployments of Microsoft M365 E5:
- are intended for environments or use cases where security is paramount
- act as a defense-in-depth measure
- may negatively inhibit the utility or performance of the technology.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-microsoft365-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select CIS v2.0.0.
Run this benchmark in your terminal:
powerpipe benchmark run microsoft365_compliance.benchmark.cis_v200
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run microsoft365_compliance.benchmark.cis_v200 --share