Manage Baselines

On the Baselines page, there are built-in baselines like Default Intune Baseline and Default CIS Level 1 Baseline. You can create baselines tailored to your business requirements.

Default CIS Level 1 Baseline

The table below lists the configurations included in Default CIS Level 1 Baseline and their authoritative references in the Center for Internet Security (CIS) Benchmarks.

| Baseline Configuration in Elements | Matched CIS Item | Level | Title | Category | Sub Category |
|---|---|---|---|---|---|
| PasswordExpirationPolicy | 1.3.1 | L1 | Ensure the 'Password expiration policy' is set to 'Set passwords to never expire' | Microsoft 365 admin center | Settings |
| OrgSettings > UserOwnedAppsAndServices | 1.3.4 | L1 | Ensure 'User owned apps and services' is restricted | Microsoft 365 admin center | Settings |
| OrgSettings > MicrosoftForms | 1.3.5 | L1 | Ensure internal phishing protection for Forms is enabled | Microsoft 365 admin center | Settings |
| EXOMalwareFilterPolicy | 2.1.2 | L1 | Ensure the Common Attachment Types Filter is enabled | Microsoft 365 Defender | Email & collaboration |
| HostedConnectionFilterPolicy | 2.1.13 | L1 | Ensure the connection filter safe list is off | Microsoft 365 Defender | Email & collaboration |
| TeamsProtectionPolicy | 2.4.4 | L1 | Ensure Zero-hour auto purge for Microsoft Teams is on | Microsoft 365 Defender | System |
| EXOAdminAuditLogConfig | 3.1.1 | L1 | Ensure Microsoft 365 audit log search is Enabled | Microsoft Purview | Audit |
| AuthorizationPolicy | 5.1.2.3 | L1 | Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' | Microsoft Entra admin center | Users |
| Groups | 5.1.3.1 | L1 | Ensure a dynamic group for guest users is created | Microsoft Entra admin center | Groups |
| ConditionalAccessPolicies | 5.2.2.1 | L1 | Ensure multifactor authentication is enabled for all users in administrative roles | Microsoft Entra admin center | Conditional Access |
| ConditionalAccessPolicies | 5.2.2.2 | L1 | Ensure multifactor authentication is enabled for all users | Microsoft Entra admin center | Conditional Access |
| ConditionalAccessPolicies | 5.2.2.3 | L1 | Enable Conditional Access policies to block legacy authentication | Microsoft Entra admin center | Conditional Access |
| ConditionalAccessPolicies | 5.2.2.4 | L1 | Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users | Microsoft Entra admin center | Conditional Access |
| ConditionalAccessPolicies | 5.2.2.6 | L1 | Enable Identity Protection user risk policies | Microsoft Entra admin center | Conditional Access |
| ConditionalAccessPolicies | 5.2.2.7 | L1 | Enable Identity Protection sign-in risk policies | Microsoft Entra admin center | Conditional Access |
| ConditionalAccessPolicies | 5.2.2.9 | L1 | Ensure a managed device is required for authentication | Microsoft Entra admin center | Conditional Access |
| ConditionalAccessPolicies | 5.2.2.10 | L1 | Ensure a managed device is required to register security information | Microsoft Entra admin center | Conditional Access |
| ConditionalAccessPolicies | 5.2.2.11 | L1 | Ensure sign-in frequency for Intune Enrollment is set to 'Every time' | Microsoft Entra admin center | Conditional Access |
| ConditionalAccessPolicies | 5.2.2.12 | L1 | Ensure the device code sign-in flow is blocked | Microsoft Entra admin center | Conditional Access |
| AuthenticationMethodConfigurations > MicrosoftAuthenticator | 5.2.3.1 | L1 | Ensure Microsoft Authenticator is configured to protect against MFA fatigue | Microsoft Entra admin center | Authentication Methods |
| AADAuthenticationMethodPolicyVoice | 5.2.3.5 | L1 | Ensure weak authentication methods are disabled | Microsoft Entra admin center | Authentication Methods |
| AADAuthenticationMethodPolicySMS | 5.2.3.5 | L1 | Ensure weak authentication methods are disabled | Microsoft Entra admin center | Authentication Methods |
| AADAuthenticationMethodPolicyEmail | 5.2.3.5 | L1 | Ensure weak authentication methods are disabled | Microsoft Entra admin center | Authentication Methods |
| EXOOrganizationConfig | 6.1.1 | L1 | Ensure 'AuditDisabled' organizationally is set to 'False' | Exchange admin center | Audit |
| ExternalInOutlook | 6.2.3 | L1 | Ensure email from external senders is identified | Exchange admin center | Mail flow |
| EXOOrganizationConfig | 6.5.1 | L1 | Ensure modern authentication for Exchange Online is enabled | Exchange admin center | Settings |
| EXOOrganizationConfig | 6.5.2 | L1 | Ensure MailTips are enabled for end users | Exchange admin center | Settings |
| TransportConfig | 6.5.4 | L1 | Ensure SMTP AUTH is disabled | Exchange admin center | Settings |
| SPOTenantSettings | 7.2.1 | L1 | Ensure modern authentication for SharePoint applications is required | SharePoint admin center | Policies |
| SPOTenantSettings | 7.2.2 | L1 | Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled | SharePoint admin center | Policies |
| SPOSharingSettings | 7.2.3 | L1 | Ensure external content sharing is restricted | SharePoint admin center | Policies |
| SPOSharingSettings | 7.2.7 | L1 | Ensure link sharing is restricted in SharePoint and OneDrive | SharePoint admin center | Policies |
| SPOSharingSettings | 7.2.9 | L1 | Ensure guest access to a site or OneDrive will expire automatically | SharePoint admin center | Policies |
| SPOAccessControlSettings | 7.2.10 | L1 | Ensure reauthentication with verification code is restricted | SharePoint admin center | Policies |
| SPOSharingSettings | 7.2.11 | L1 | Ensure the SharePoint default sharing link permission is set | SharePoint admin center | Policies |
| TeamsClientConfiguration | 8.1.2 | L1 | Ensure users can't send emails to a channel email address | Microsoft Teams admin center | Teams |
| TeamsTenantFederationConfiguration | 8.2.2 | L1 | Ensure communication with unmanaged Teams users is disabled | Microsoft Teams admin center | Users |
| TeamsTenantFederationConfiguration | 8.2.3 | L1 | Ensure external Teams users cannot initiate conversations | Microsoft Teams admin center | Users |
| TeamsMeetingPolicy | 8.5.2 | L1 | Ensure anonymous users and dial-in callers can't start a meeting | Microsoft Teams admin center | Meetings |
| TeamsMeetingPolicy | 8.5.3 | L1 | Ensure only people in my org can bypass the lobby | Microsoft Teams admin center | Meetings |
| TeamsMeetingPolicy | 8.5.4 | L1 | Ensure users dialing in can't bypass the lobby | Microsoft Teams admin center | Meetings |
| TeamsMeetingPolicy | 8.5.7 | L1 | Ensure external participants can't give or request control | Microsoft Teams admin center | Meetings |