The CIS Microsoft 365 Foundations Benchmark v5.0.0 defines 129 controls across 9 sections. Section 1 — the Microsoft 365 admin center — contains 14 of those controls, and it is the right place to start a compliance review. The reason is simple: Section 1 governs who has administrative access to your tenant and how the tenant itself is configured. A gap here can undermine every other control in the benchmark.
This guide walks through all 14 controls in Section 1, organised into their three subsections, explaining what each control requires and why the benchmark includes it.
For an overview of all 9 sections, see the CIS Microsoft 365 Foundations Benchmark guide.
Section 1.1 — Administrative Accounts (4 controls)
These four controls govern how administrator accounts are provisioned and what access they carry. The underlying principle is consistent: privileged accounts should be cloud-only, minimal, and purpose-limited.
1.1.1 — Admin accounts must not be on-premises sync enabled
Hybrid tenants often sync user accounts from Active Directory to Microsoft Entra ID using Microsoft Entra Connect. The benchmark requires that administrator accounts be cloud-only — not synced from on-premises.
The reason is containment. If an attacker compromises your on-premises environment, a synced admin account becomes a vector into the cloud. A cloud-only admin account breaks that path. Administrators in a hybrid environment will need to log in separately with their cloud admin account when performing administrative tasks, but that friction is the point.
How to check: In the Entra admin center, filter All Users by the "On-premises sync enabled" attribute and verify no privileged accounts appear in that list.
1.1.2 — Two emergency access accounts must be defined
Emergency access accounts (commonly called "break glass" accounts) are Global Administrator accounts held in reserve for scenarios where normal authentication is unavailable — a failed MFA provider, an expired certificate, or the last remaining admin account becoming inaccessible.
The benchmark requires two of them. They should:
- Not be named after a specific person
- Use the tenant's default .onmicrosoft.com domain, not the organization's custom domain
- Have passwords of at least 16 characters, randomly generated
- Be excluded from at least one Conditional Access policy so they are always accessible
- Have their activity monitored — any sign-in should trigger an alert
Without two working break glass accounts, a single administrative failure can lock an organization out of its own tenant.
1.1.3 — Between 2 and 4 Global Administrators
Having only one Global Administrator creates a single point of failure: if that account is compromised, becomes inaccessible, or the user leaves the organization, administrative control over the tenant is gone. The benchmark sets a minimum of two.
The upper bound matters too. Every Global Administrator is a high-value target. The more exist, the larger the attack surface. The benchmark ceiling is four. If your tenant has more than four Global Administrators, the excess accounts should be reviewed and either demoted or removed.
How to check: In the Microsoft 365 admin center under Roles → Active roles, filter by Global Administrator and count the assigned users.
1.1.4 — Admin accounts must not have licenses assigned
Assigning a Microsoft 365 license to an administrator account gives that account access to Exchange, Teams, SharePoint, and other services. An admin account that can also receive email or open files has a much larger attack surface than an account used exclusively for tenant administration.
The benchmark requires that administrator accounts carry no assigned licenses. Administrators use a separate, licensed account for day-to-day work and switch to their unlicensed admin account only when performing privileged tasks.
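The four checks in Section 1.1 can be run together against the Global Administrator role with the Microsoft Graph PowerShell SDK. The script below is an added example, not ConfigCobra's or the CIS benchmark's own code; it assumes the Microsoft.Graph modules are installed, that the caller can consent to the read-only Directory.Read.All and Policy.Read.All scopes, and that the two break-glass UPNs are replaced with the tenant's own. It reports 1.1.3 (count between 2 and 4), 1.1.1 (no on-premises sync), 1.1.4 (no licenses) and 1.1.2 (emergency accounts on the default domain, excluded from at least one Conditional Access policy).

```powershell
# Added example (not ConfigCobra's or the CIS benchmark's own code). Assumes the
# Microsoft.Graph PowerShell SDK is installed and the caller can consent to the
# read-only scopes below. The two break-glass UPNs are placeholders.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Directory.Read.All', 'Policy.Read.All' -NoWelcome

# Placeholder UPNs; replace with the tenant's designated emergency access accounts.
$breakGlassUpns = @(
    'emergency-access-1@contoso.onmicrosoft.com',
    'emergency-access-2@contoso.onmicrosoft.com'
)

# Resolve the active members of the Global Administrator role.
# Caveat: Get-MgDirectoryRoleMember returns active (including PIM-activated) assignments,
# not PIM-eligible ones, so eligible admins must be reviewed separately.
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$admins = foreach ($m in $gaMembers) {
    Get-MgUser -UserId $m.Id -Property 'id,userPrincipalName,onPremisesSyncEnabled,assignedLicenses'
}
$admins = @($admins)

# 1.1.3: between two and four Global Administrators.
$count = $admins.Count
if ($count -ge 2 -and $count -le 4) { "PASS 1.1.3: $count Global Administrators" }
else                                { "FAIL 1.1.3: $count Global Administrators (benchmark expects 2-4)" }

# 1.1.1: no Global Administrator synced from on-premises AD.
# onPremisesSyncEnabled is $null for cloud-only accounts, so test for $true explicitly.
$synced = $admins | Where-Object { $_.OnPremisesSyncEnabled -eq $true }
if ($synced) { $synced | ForEach-Object { "FAIL 1.1.1: $($_.UserPrincipalName) is on-premises sync enabled" } }
else         { "PASS 1.1.1: all Global Administrators are cloud-only" }

# 1.1.4: admin accounts carry no licenses.
$licensed = $admins | Where-Object { $_.AssignedLicenses.Count -gt 0 }
if ($licensed) { $licensed | ForEach-Object { "FAIL 1.1.4: $($_.UserPrincipalName) has $($_.AssignedLicenses.Count) license(s)" } }
else           { "PASS 1.1.4: no Global Administrator holds a license" }

# 1.1.2: emergency access accounts exist, are Global Administrators, sit on the default
# .onmicrosoft.com domain, and are excluded from at least one Conditional Access policy.
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($upn in $breakGlassUpns) {
    $user = Get-MgUser -UserId $upn -Property 'id,userPrincipalName' -ErrorAction SilentlyContinue
    if (-not $user) { "FAIL 1.1.2: $upn does not exist"; continue }

    $onDefaultDomain = $upn -like '*.onmicrosoft.com'
    $excludedFrom    = @($caPolicies | Where-Object { $_.Conditions.Users.ExcludeUsers -contains $user.Id })
    $isAdmin         = $admins.Id -contains $user.Id

    if ($onDefaultDomain -and $excludedFrom.Count -gt 0 -and $isAdmin) {
        "PASS 1.1.2: $upn is a Global Administrator on the default domain, excluded from $($excludedFrom.Count) CA policy(ies)"
    } else {
        "FAIL 1.1.2: $upn (defaultDomain=$onDefaultDomain, caExclusions=$($excludedFrom.Count), globalAdmin=$isAdmin)"
    }
}
```

The script only reads. The sign-in alerting the benchmark asks for on break-glass accounts is not something a one-off check can verify; it needs an alert rule on the sign-in logs, which is outside what this script covers.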
Section 1.2 — Microsoft 365 Groups (2 controls)
Microsoft 365 Groups are the underlying membership layer behind Teams, SharePoint sites, and shared mailboxes. These two controls address two specific misconfigurations that are easy to overlook.
1.2.1 — Public Microsoft 365 Groups must be controlled
When a new Microsoft 365 Group is created in the admin center, its default privacy setting is Public. A Public group means any user in the organization can access the associated resources — including the SharePoint site — without requesting access. They can add themselves via the Azure portal, request access (which grants immediate access while notifying the owner), or access the SharePoint URL directly if they can guess or find it.
The benchmark does not require all groups to be Private, but it does require that every Public group be intentional and approved. Organizations should audit their Public groups, set groups that hold sensitive content to Private, and restrict group creation to prevent users from accidentally creating public groups with access to sensitive data.
1.2.2 — Shared mailboxes must have sign-in blocked
A shared mailbox is created with a user account behind it. That account has a system-generated password that is unknown at creation time — but unknown is not the same as inaccessible. An administrator could reset it, and a sufficiently motivated attacker targeting the account could do the same.
The benchmark requires that the user account associated with every shared mailbox have sign-in blocked. Shared mailboxes are intended for delegated access only — team members access them through their own accounts, not by signing in directly. Blocking direct sign-in closes the path for unauthorized access while leaving the delegated access model intact.
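Both Section 1.2 controls can be checked from PowerShell: Public groups come from Microsoft Graph, and the account behind each shared mailbox is found through Exchange Online and then checked in Entra. The script below is an added example, not ConfigCobra's or the CIS benchmark's own code; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, read-only access, and that the approved-public-group list is replaced with the organization's own register.

```powershell
# Added example (not ConfigCobra's or the CIS benchmark's own code). Assumes the
# Microsoft.Graph and ExchangeOnlineManagement modules are installed. The
# approved-public-group list is a placeholder for the organization's own register.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users
Import-Module ExchangeOnlineManagement

Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1.2.1: every Public Microsoft 365 Group must be intentional. Pull all unified
# (Microsoft 365) groups and compare the Public ones with the approved register.
$approvedPublicGroups = @('all-hands@contoso.com')   # placeholder register of approved Public groups

$m365Groups = Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'Unified')" `
    -Property 'id,displayName,mail,visibility'
$publicGroups = @($m365Groups | Where-Object { $_.Visibility -eq 'Public' })

"1.2.1: $(@($m365Groups).Count) Microsoft 365 Groups, $($publicGroups.Count) Public"
foreach ($g in $publicGroups) {
    if ($approvedPublicGroups -contains $g.Mail) { "  approved : $($g.DisplayName) <$($g.Mail)>" }
    else { "  REVIEW   : $($g.DisplayName) <$($g.Mail)> is Public and not on the approved register" }
}

# 1.2.2: the user account behind each shared mailbox must have sign-in blocked.
# Get-EXOMailbox exposes ExternalDirectoryObjectId, the Entra object id of that account,
# and Get-MgUser reports whether the account is enabled for sign-in.
$sharedMailboxes = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited `
    -Properties ExternalDirectoryObjectId, UserPrincipalName
$signInEnabled = foreach ($mbx in $sharedMailboxes) {
    $acct = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId -Property 'id,userPrincipalName,accountEnabled'
    if ($acct.AccountEnabled) { $acct }
}
$signInEnabled = @($signInEnabled)

if ($signInEnabled.Count -eq 0) {
    "PASS 1.2.2: all $(@($sharedMailboxes).Count) shared mailbox accounts have sign-in blocked"
} else {
    foreach ($acct in $signInEnabled) {
        "FAIL 1.2.2: $($acct.UserPrincipalName) still allows direct sign-in"
        # Remediation (needs User.ReadWrite.All; deliberately not run by this read-only check):
        #   Update-MgUser -UserId $acct.Id -AccountEnabled:$false
    }
}
```

Blocking sign-in on the account does not affect delegated access: Full Access and Send As permissions are evaluated against the delegate's own account, which is why the benchmark can require the block without breaking shared mailbox use.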
Section 1.3 — Tenant-wide Policies (8 controls)
The eight controls in Section 1.3 address org-level settings in the Microsoft 365 admin center. They cover password policy, session management, and a set of features that are on by default but represent unnecessary risk for most organizations.
1.3.1 — Set passwords to never expire
This is one of the most frequently misunderstood controls in the benchmark. The CIS recommendation is to set passwords to never expire — aligning with updated guidance from NIST and Microsoft, which removed mandatory periodic password changes from their recommended practices.
The reasoning: forced expiration leads to predictable password patterns (Password1 → Password2 → Password1! → Password1!1) that are weaker than infrequently changed, strong passwords. The benchmark pairs this recommendation with MFA requirements elsewhere in the benchmark (Section 5), so the password alone is not the sole authentication factor for most accounts.
What this does not mean: passwords should never change. Passwords should be changed immediately when compromise is suspected. The control removes the arbitrary calendar-based requirement, not the response to confirmed compromise.
1.3.2 — Configure idle session timeout at 3 hours or less
An unattended browser session left open on an unmanaged device — a shared computer, a contractor's laptop, a conference room kiosk — is an open door. The idle session timeout setting in the Microsoft 365 admin center signs users out of all Microsoft 365 web apps after a defined period of inactivity.
The benchmark requires a timeout of 3 hours or less. To restrict this to unmanaged devices only (so managed, domain-joined devices are not affected), a corresponding Conditional Access policy targeting browsers must also be in place. Both the timeout configuration and the Conditional Access policy must be present for the control to pass.
1.3.3 — Disable external calendar sharing
By default, Microsoft 365 allows users to share their calendars with anyone outside the organization, including people with no Microsoft account. Shared calendars can reveal names, travel schedules, recurring meetings, and organizational relationships — exactly the kind of information attackers use for social engineering and to time attacks against high-value targets when they are traveling or less attentive.
The benchmark requires disabling the default sharing policy. This can be done through the Org settings Calendar page in the admin center, or via the Set-SharingPolicy Exchange Online PowerShell command.
1.3.4 — Prevent users from installing Office add-ins
Microsoft Word, Excel, and PowerPoint allow users to install add-ins from the Office Store. Add-ins run inside Office applications and can access document data. A malicious or compromised add-in can exfiltrate data without triggering endpoint security tools.
The benchmark requires disabling user-driven add-in installation by turning off the Office Store and the ability to start app trials. IT-managed add-ins deployed centrally are not affected by this control — only the self-service installation path is closed.
1.3.5 — Enable Microsoft Forms phishing protection
Microsoft Forms can be used to collect sensitive information. An attacker with access to a Forms account can create forms that ask users to submit credentials, personal data, or financial information — presenting them as legitimate internal surveys.
The benchmark requires enabling the built-in phishing protection for Forms, which scans form content for indicators of phishing and temporarily blocks distribution of forms flagged as suspicious until an administrator reviews them.
1.3.6 — Enable Customer Lockbox
Customer Lockbox adds an approval step when Microsoft support personnel need to access your organization's data to resolve a support case. Without it, Microsoft engineers can access tenant data for support purposes under the existing Microsoft Services Agreement, with only an after-the-fact audit trail.
With Customer Lockbox enabled, every such access request requires explicit approval from a designated administrator before it proceeds. This control is particularly relevant in regulated industries where data access by third parties must be authorized and logged.
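Three of the Section 1.3 controls have a settable value that can be read back from PowerShell: the password validity period on each domain (1.3.1), the default calendar sharing policy (1.3.3) and the Customer Lockbox flag in the Exchange organization configuration (1.3.6). The script below is an added example, not ConfigCobra's or the CIS benchmark's own code; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and read-only access. The remaining 1.3 controls are admin center toggles without an equally well-known cmdlet and are not covered here.

```powershell
# Added example (not ConfigCobra's or the CIS benchmark's own code). Assumes the
# Microsoft.Graph and ExchangeOnlineManagement modules are installed and read-only access.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module ExchangeOnlineManagement

Connect-MgGraph -Scopes 'Domain.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1.3.1: passwords never expire. Entra represents "never" as a validity period of
# 2147483647 days (Int32.MaxValue) on each domain.
$neverExpire = 2147483647
foreach ($d in Get-MgDomain -All) {
    $days = $d.PasswordValidityPeriodInDays
    if ($days -eq $neverExpire) { "PASS 1.3.1: $($d.Id) passwords never expire" }
    elseif ($null -eq $days)    { "INFO 1.3.1: $($d.Id) reports no validity period (federated domain?)" }
    else                        { "FAIL 1.3.1: $($d.Id) expires passwords every $days days" }
    # Remediation (not run here):
    #   Update-MgDomain -DomainId $d.Id -PasswordValidityPeriodInDays 2147483647
}

# 1.3.3: the default calendar sharing policy is disabled. Its Domains entries
# ("Anonymous:..." and "*:...") are what permit sharing with people outside the organization.
$policy = Get-SharingPolicy -Identity 'Default Sharing Policy'
if (-not $policy.Enabled) { "PASS 1.3.3: Default Sharing Policy is disabled" }
else { "FAIL 1.3.3: Default Sharing Policy is enabled with entries: $($policy.Domains -join ', ')" }
# Remediation (not run here): Set-SharingPolicy -Identity 'Default Sharing Policy' -Enabled $false

# 1.3.6: Customer Lockbox is enabled (the setting needs an eligible license or add-on).
$org = Get-OrganizationConfig
if ($org.CustomerLockBoxEnabled) { "PASS 1.3.6: Customer Lockbox enabled" }
else                             { "FAIL 1.3.6: Customer Lockbox disabled" }
```

Passing 1.3.1 on the domain object is necessary but not sufficient: a per-user "password never expires" flag set on individual accounts is a separate setting, and this check reads only the domain-level value.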
1.3.7 — Restrict third-party storage in Microsoft 365 on the web
Microsoft 365 on the web supports integration with third-party storage providers — Dropbox and others. When this is enabled, users can save and open files directly from third-party services inside Word, Excel, and PowerPoint Online.
The benchmark requires restricting these integrations. Third-party storage services may not meet the organization's data security requirements, and data stored outside the tenant's control is harder to audit, govern, and recover.
1.3.8 — Disable or restrict Sway
Sway is a Microsoft 365 app for building interactive presentations and reports that are shared via public URLs. A tenant that has not evaluated Sway is likely running it at default settings, which allow users to create publicly accessible content without IT visibility.
The benchmark requires reviewing and restricting Sway settings to prevent unauthorized publication of content containing sensitive organizational information.
How ConfigCobra assesses Section 1
ConfigCobra evaluates all 14 Section 1 controls automatically as part of a full CIS Microsoft 365 Foundations Benchmark assessment.
The scan connects to your Microsoft 365 tenant using read-only Microsoft Graph permissions — no agents, no scripts running in your environment, no admin passwords shared. Within 20–25 minutes, ConfigCobra returns results for all 129 controls across all 9 sections, including every control in Section 1.
For each finding, you get:
- Pass, fail, or partial status
- The actual configuration value that was evaluated
- The CIS remediation procedure
- A generated PowerShell script where applicable
Section 1 controls like 1.1.2 (emergency access accounts), 1.1.3 (global administrator count), and 1.2.2 (shared mailbox sign-in) are among the most commonly failed in tenant assessments — often because they were never configured intentionally, or because configuration drift occurred after the initial setup.
Book a demo to see Section 1 results for your own tenant, or start a free trial to run all 15 trial controls immediately — no demo required.
What comes next
Section 1 establishes who controls the tenant and what tenant-wide policies are in place. The remaining 8 sections go deeper into each Microsoft 365 service:
- Section 2 — Microsoft Defender / Defender for Office 365 (19 controls)
- Section 5 — Microsoft Entra Identity (37 controls — the largest section, covering MFA and Conditional Access)
- Section 6 — Exchange Online (11 controls — mail flow, anti-phishing, DKIM/DMARC)
For the full benchmark overview including all section control counts, see the CIS Microsoft 365 Foundations Benchmark page.