Manage Baselines

    On the Baselines page, there are built-in baselines like Default Intune Baseline and Default CIS Level 1 Baseline. You can create baselines tailored to your business requirements.

    You can perform the following operations to manage baselines:

    - Create baseline – For detailed instructions, refer to [Create a Baseline](#missing-link).
    - Duplicate baseline – For detailed instructions, refer to [Duplicate a Baseline](#missing-link).
    - View baseline – For detailed instructions, refer to [View Baseline Details](#missing-link).
    - Edit baseline – For detailed instructions, refer to [Edit a Baseline](#missing-link).
    - Delete baseline – To delete a baseline, select the baseline and click **Delete**. Click **Delete** in the confirmation window.

      > **Note**: A baseline with the **Retrieving settings** or **Active** status cannot be deleted.

    - Publish baseline draft version – If a baseline has a draft version, you can publish it by selecting the baseline, clicking **Publish**, and then clicking **OK** in the pop-up confirmation message.
    - Apply baseline to tenant – For detailed instructions, refer to [Apply a Baseline to a Tenant](#missing-link).

    The table below lists the configurations included in Default CIS Level 1 Baseline and their authoritative references in the Center for Internet Security (CIS) Benchmarks.

    | Elements | CIS Benchmarks | | | | |
    |---|---|---|---|---|---|
    | **Baseline Configuration** | **Matched CIS Item** | **Level** | **Title** | **Category** | **Sub Category** |
    | PasswordExpirationPolicy | 1.3.1 | L1 | Ensure the 'Password expiration policy' is set to 'Set passwords to never expire' | Microsoft 365 admin center | Settings |
    | OrgSettings > UserOwnedAppsAndServices | 1.3.4 | L1 | Ensure 'User owned apps and services' is restricted | Microsoft 365 admin center | Settings |
    | OrgSettings > MicrosoftForms | 1.3.5 | L1 | Ensure internal phishing protection for Forms is enabled | Microsoft 365 admin center | Settings |
    | EXOMalwareFilterPolicy | 2.1.2 | L1 | Ensure the Common Attachment Types Filter is enabled | Microsoft 365 Defender | Email & collaboration |
    | HostedConnectionFilterPolicy | 2.1.13 | L1 | Ensure the connection filter safe list is off | Microsoft 365 Defender | Email & collaboration |
    | TeamsProtectionPolicy | 2.4.4 | L1 | Ensure Zero-hour auto purge for Microsoft Teams is on | Microsoft 365 Defender | System |
    | EXOAdminAuditLogConfig | 3.1.1 | L1 | Ensure Microsoft 365 audit log search is Enabled | Microsoft Purview | Audit |
    | AuthorizationPolicy | 5.1.2.3 | L1 | Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' | Microsoft Entra admin center | Users |
    | Groups | 5.1.3.1 | L1 | Ensure a dynamic group for guest users is created | Microsoft Entra admin center | Groups |
    | ConditionalAccessPolicies | 5.2.2.1 | L1 | Ensure multifactor authentication is enabled for all users in administrative roles | Microsoft Entra admin center | Conditional Access |
    | ConditionalAccessPolicies | 5.2.2.2 | L1 | Ensure multifactor authentication is enabled for all users | Microsoft Entra admin center | Conditional Access |
    | ConditionalAccessPolicies | 5.2.2.3 | L1 | Enable Conditional Access policies to block legacy authentication | Microsoft Entra admin center | Conditional Access |
    | ConditionalAccessPolicies | 5.2.2.4 | L1 | Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users | Microsoft Entra admin center | Conditional Access |
    | ConditionalAccessPolicies | 5.2.2.6 | L1 | Enable Identity Protection user risk policies | Microsoft Entra admin center | Conditional Access |
    | ConditionalAccessPolicies | 5.2.2.7 | L1 | Enable Identity Protection sign-in risk policies | Microsoft Entra admin center | Conditional Access |
    | ConditionalAccessPolicies | 5.2.2.9 | L1 | Ensure a managed device is required for authentication | Microsoft Entra admin center | Conditional Access |
    | ConditionalAccessPolicies | 5.2.2.10 | L1 | Ensure a managed device is required to register security information | Microsoft Entra admin center | Conditional Access |
    | ConditionalAccessPolicies | 5.2.2.11 | L1 | Ensure sign-in frequency for Intune Enrollment is set to 'Every time' | Microsoft Entra admin center | Conditional Access |
    | ConditionalAccessPolicies | 5.2.2.12 | L1 | Ensure the device code sign-in flow is blocked | Microsoft Entra admin center | Conditional Access |
    | AuthenticationMethodConfigurations > MicrosoftAuthenticator | 5.2.3.1 | L1 | Ensure Microsoft Authenticator is configured to protect against MFA fatigue | Microsoft Entra admin center | Authentication Methods |
    | AADAuthenticationMethodPolicyVoice | 5.2.3.5 | L1 | Ensure weak authentication methods are disabled | Microsoft Entra admin center | Authentication Methods |
    | AADAuthenticationMethodPolicySMS | 5.2.3.5 | L1 | Ensure weak authentication methods are disabled | Microsoft Entra admin center | Authentication Methods |
    | AADAuthenticationMethodPolicyEmail | 5.2.3.5 | L1 | Ensure weak authentication methods are disabled | Microsoft Entra admin center | Authentication Methods |
    | EXOOrganizationConfig | 6.1.1 | L1 | Ensure 'AuditDisabled' organizationally is set to 'False' | Exchange admin center | Audit |
    | ExternalInOutlook | 6.2.3 | L1 | Ensure email from external senders is identified | Exchange admin center | Mail flow |
    | EXOOrganizationConfig | 6.5.1 | L1 | Ensure modern authentication for Exchange Online is enabled | Exchange admin center | Settings |
    | EXOOrganizationConfig | 6.5.2 | L1 | Ensure MailTips are enabled for end users | Exchange admin center | Settings |
    | TransportConfig | 6.5.4 | L1 | Ensure SMTP AUTH is disabled | Exchange admin center | Settings |
    | SPOTenantSettings | 7.2.1 | L1 | Ensure modern authentication for SharePoint applications is required | SharePoint admin center | Policies |
    | SPOTenantSettings | 7.2.2 | L1 | Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled | SharePoint admin center | Policies |
    | SPOSharingSettings | 7.2.3 | L1 | Ensure external content sharing is restricted | SharePoint admin center | Policies |
    | SPOSharingSettings | 7.2.7 | L1 | Ensure link sharing is restricted in SharePoint and OneDrive | SharePoint admin center | Policies |
    | SPOSharingSettings | 7.2.9 | L1 | Ensure guest access to a site or OneDrive will expire automatically | SharePoint admin center | Policies |
    | SPOAccessControlSettings | 7.2.10 | L1 | Ensure reauthentication with verification code is restricted | SharePoint admin center | Policies |
    | SPOSharingSettings | 7.2.11 | L1 | Ensure the SharePoint default sharing link permission is set | SharePoint admin center | Policies |
    | TeamsClientConfiguration | 8.1.2 | L1 | Ensure users can't send emails to a channel email address | Microsoft Teams admin center | Teams |
    | TeamsTenantFederationConfiguration | 8.2.2 | L1 | Ensure communication with unmanaged Teams users is disabled | Microsoft Teams admin center | Users |
    | TeamsTenantFederationConfiguration | 8.2.3 | L1 | Ensure external Teams users cannot initiate conversations | Microsoft Teams admin center | Users |
    | TeamsMeetingPolicy | 8.5.2 | L1 | Ensure anonymous users and dial-in callers can't start a meeting | Microsoft Teams admin center | Meetings |
    | TeamsMeetingPolicy | 8.5.3 | L1 | Ensure only people in my org can bypass the lobby | Microsoft Teams admin center | Meetings |
    | TeamsMeetingPolicy | 8.5.4 | L1 | Ensure users dialing in can't bypass the lobby | Microsoft Teams admin center | Meetings |
    | TeamsMeetingPolicy | 8.5.7 | L1 | Ensure external participants can't give or request control | Microsoft Teams admin center | Meetings |