The Baselines page provides built-in baselines that can be used directly: the Default Intune Baseline, the Default CIS Level 1 Baseline, and the Default CIS Level 2 Baseline. You can also create baselines tailored to your own business requirements.
The Default CIS Level 1 Baseline provides a foundational set of secure configurations aligned with the Center for Internet Security (CIS) benchmarks. It delivers pre-configured policies and system settings designed to streamline tenant monitoring and compliance, enforce critical security controls, mitigate risk, and minimize operational effort.
The table below lists the configurations included in Default CIS Level 1 Baseline and their authoritative references in the Center for Internet Security (CIS) Benchmarks.
| Baseline Configuration in Elements | Matched CIS Item | Level | Title | Category | Sub Category |
|---|---|---|---|---|---|
| PasswordExpirationPolicy | 1.3.1 | L1 | Ensure the 'Password expiration policy' is set to 'Set passwords to never expire' | Microsoft 365 admin center | Settings |
| OrgSettings > UserOwnedAppsAndServices | 1.3.4 | L1 | Ensure 'User owned apps and services' is restricted | Microsoft 365 admin center | Settings |
| OrgSettings > MicrosoftForms | 1.3.5 | L1 | Ensure internal phishing protection for Forms is enabled | Microsoft 365 admin center | Settings |
| EXOMalwareFilterPolicy | 2.1.2 | L1 | Ensure the Common Attachment Types Filter is enabled | Microsoft 365 Defender | Email & collaboration |
| HostedConnectionFilterPolicy | 2.1.13 | L1 | Ensure the connection filter safe list is off | Microsoft 365 Defender | Email & collaboration |
| TeamsProtectionPolicy | 2.4.4 | L1 | Ensure Zero-hour auto purge for Microsoft Teams is on | Microsoft 365 Defender | System |
| EXOAdminAuditLogConfig | 3.1.1 | L1 | Ensure Microsoft 365 audit log search is Enabled | Microsoft Purview | Audit |
| AuthorizationPolicy | 5.1.2.3 | L1 | Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' | Microsoft Entra admin center | Users |
| Groups | 5.1.3.1 | L1 | Ensure a dynamic group for guest users is created | Microsoft Entra admin center | Groups |
| ConditionalAccessPolicies | 5.2.2.1 | L1 | Ensure multifactor authentication is enabled for all users in administrative roles | Microsoft Entra admin center | Conditional Access |
| ConditionalAccessPolicies | 5.2.2.2 | L1 | Ensure multifactor authentication is enabled for all users | Microsoft Entra admin center | Conditional Access |
| ConditionalAccessPolicies | 5.2.2.3 | L1 | Enable Conditional Access policies to block legacy authentication | Microsoft Entra admin center | Conditional Access |
| ConditionalAccessPolicies | 5.2.2.4 | L1 | Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users | Microsoft Entra admin center | Conditional Access |
| ConditionalAccessPolicies | 5.2.2.6 | L1 | Enable Identity Protection user risk policies | Microsoft Entra admin center | Conditional Access |
| ConditionalAccessPolicies | 5.2.2.7 | L1 | Enable Identity Protection sign-in risk policies | Microsoft Entra admin center | Conditional Access |
| ConditionalAccessPolicies | 5.2.2.9 | L1 | Ensure a managed device is required for authentication | Microsoft Entra admin center | Conditional Access |
| ConditionalAccessPolicies | 5.2.2.10 | L1 | Ensure a managed device is required to register security information | Microsoft Entra admin center | Conditional Access |
| ConditionalAccessPolicies | 5.2.2.11 | L1 | Ensure sign-in frequency for Intune Enrollment is set to 'Every time' | Microsoft Entra admin center | Conditional Access |
| ConditionalAccessPolicies | 5.2.2.12 | L1 | Ensure the device code sign-in flow is blocked | Microsoft Entra admin center | Conditional Access |
| AuthenticationMethodConfigurations > MicrosoftAuthenticator | 5.2.3.1 | L1 | Ensure Microsoft Authenticator is configured to protect against MFA fatigue | Microsoft Entra admin center | Authentication Methods |
| AADAuthenticationMethodPolicyVoice | 5.2.3.5 | L1 | Ensure weak authentication methods are disabled | Microsoft Entra admin center | Authentication Methods |
| AADAuthenticationMethodPolicySMS | 5.2.3.5 | L1 | Ensure weak authentication methods are disabled | Microsoft Entra admin center | Authentication Methods |
| AADAuthenticationMethodPolicyEmail | 5.2.3.5 | L1 | Ensure weak authentication methods are disabled | Microsoft Entra admin center | Authentication Methods |
| EXOOrganizationConfig | 6.1.1 | L1 | Ensure 'AuditDisabled' organizationally is set to 'False' | Exchange admin center | Audit |
| ExternalInOutlook | 6.2.3 | L1 | Ensure email from external senders is identified | Exchange admin center | Mail flow |
| EXOOrganizationConfig | 6.5.1 | L1 | Ensure modern authentication for Exchange Online is enabled | Exchange admin center | Settings |
| EXOOrganizationConfig | 6.5.2 | L1 | Ensure MailTips are enabled for end users | Exchange admin center | Settings |
| TransportConfig | 6.5.4 | L1 | Ensure SMTP AUTH is disabled | Exchange admin center | Settings |
| SPOTenantSettings | 7.2.1 | L1 | Ensure modern authentication for SharePoint applications is required | SharePoint admin center | Policies |
| SPOTenantSettings | 7.2.2 | L1 | Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled | SharePoint admin center | Policies |
| SPOSharingSettings | 7.2.3 | L1 | Ensure external content sharing is restricted | SharePoint admin center | Policies |
| SPOSharingSettings | 7.2.7 | L1 | Ensure link sharing is restricted in SharePoint and OneDrive | SharePoint admin center | Policies |
| SPOSharingSettings | 7.2.9 | L1 | Ensure guest access to a site or OneDrive will expire automatically | SharePoint admin center | Policies |
| SPOAccessControlSettings | 7.2.10 | L1 | Ensure reauthentication with verification code is restricted | SharePoint admin center | Policies |
| SPOSharingSettings | 7.2.11 | L1 | Ensure the SharePoint default sharing link permission is set | SharePoint admin center | Policies |
| TeamsClientConfiguration | 8.1.2 | L1 | Ensure users can't send emails to a channel email address | Microsoft Teams admin center | Teams |
| TeamsTenantFederationConfiguration | 8.2.2 | L1 | Ensure communication with unmanaged Teams users is disabled | Microsoft Teams admin center | Users |
| TeamsTenantFederationConfiguration | 8.2.3 | L1 | Ensure external Teams users cannot initiate conversations | Microsoft Teams admin center | Users |
| TeamsMeetingPolicy | 8.5.2 | L1 | Ensure anonymous users and dial-in callers can't start a meeting | Microsoft Teams admin center | Meetings |
| TeamsMeetingPolicy | 8.5.3 | L1 | Ensure only people in my org can bypass the lobby | Microsoft Teams admin center | Meetings |
| TeamsMeetingPolicy | 8.5.4 | L1 | Ensure users dialing in can't bypass the lobby | Microsoft Teams admin center | Meetings |
| TeamsMeetingPolicy | 8.5.7 | L1 | Ensure external participants can't give or request control | Microsoft Teams admin center | Meetings |
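The Exchange Online and Defender rows above can be spot-checked independently of the baseline engine. The following function is an added example, not part of the Elements product or this documentation; it assumes the ExchangeOnlineManagement module is installed and that `Connect-ExchangeOnline` has already been run with an account that can read these settings, and it reports each CIS item as Pass or FAIL against the expected value.

```powershell
# Added example (not from the Elements documentation): verify the Exchange Online / Defender
# rows of the CIS Level 1 table (2.1.2, 2.1.13, 2.4.4, 3.1.1, 6.1.1, 6.2.3, 6.5.1, 6.5.2, 6.5.4).
# Assumes: ExchangeOnlineManagement module installed; Connect-ExchangeOnline already executed.
function Test-CisExchangeBaseline {
    [CmdletBinding()]
    param()

    $org   = Get-OrganizationConfig
    $audit = Get-AdminAuditLogConfig
    $tc    = Get-TransportConfig

    # Each check records the CIS item, the tenant's actual value and the value CIS expects.
    $checks = @(
        @{ Item = '2.1.2';  Name = 'Common Attachment Types Filter enabled'
           Actual = (Get-MalwareFilterPolicy -Identity Default).EnableFileFilter; Expected = $true }
        @{ Item = '2.1.13'; Name = 'Connection filter safe list off'
           Actual = (Get-HostedConnectionFilterPolicy -Identity Default).EnableSafeList; Expected = $false }
        @{ Item = '2.4.4';  Name = 'Zero-hour auto purge for Teams on'
           Actual = (Get-TeamsProtectionPolicy).ZapEnabled; Expected = $true }
        @{ Item = '3.1.1';  Name = 'Unified audit log search enabled'
           Actual = $audit.UnifiedAuditLogIngestionEnabled; Expected = $true }
        @{ Item = '6.1.1';  Name = 'AuditDisabled is False'
           Actual = $org.AuditDisabled; Expected = $false }
        @{ Item = '6.2.3';  Name = 'External sender tagging enabled'
           Actual = (Get-ExternalInOutlook | Select-Object -First 1).Enabled; Expected = $true }
        @{ Item = '6.5.1';  Name = 'Modern authentication (OAuth2) enabled'
           Actual = $org.OAuth2ClientProfileEnabled; Expected = $true }
        @{ Item = '6.5.2';  Name = 'MailTips enabled for end users'
           Actual = $org.MailTipsAllTipsEnabled; Expected = $true }
        @{ Item = '6.5.4';  Name = 'SMTP AUTH disabled tenant-wide'
           Actual = $tc.SmtpClientAuthenticationDisabled; Expected = $true }
    )

    foreach ($c in $checks) {
        $status = if ($c.Actual -eq $c.Expected) { 'Pass' } else { 'FAIL' }
        [pscustomobject]@{
            CisItem  = $c.Item
            Check    = $c.Name
            Actual   = $c.Actual
            Expected = $c.Expected
            Status   = $status
        }
    }
}

# Usage: show only the items that drift from the CIS Level 1 expectation.
Test-CisExchangeBaseline | Where-Object Status -eq 'FAIL' | Format-Table -AutoSize
```

Note that 6.5.4 reads the tenant-wide setting only; a per-mailbox `SmtpClientAuthenticationDisabled` override can still re-enable SMTP AUTH for an individual mailbox.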