Compliance Framework

CIS Microsoft 365 Foundation.
90%+ of controls, automated.

The Center for Internet Security's Microsoft 365 Foundations Benchmark v5.0.0 is the industry-standard set of security configurations for Microsoft 365. ConfigCobra evaluates every control automatically — all 129 controls, across all 9 sections.

129 controls covered · 9 sections · benchmark version v5.0.0 · 90%+ automated
What is CIS?

The industry-standard baseline for Microsoft 365 security.

The Center for Internet Security (CIS) is a non-profit organisation maintained by a global community of security experts. The CIS Benchmarks are prescriptive configuration recommendations for hardening operating systems, cloud platforms, and SaaS applications — used by governments, regulators, and security auditors worldwide.

The Microsoft 365 Foundations Benchmark (v5.0.0) covers 129 individual controls across the Microsoft 365 admin center, Microsoft Entra (Identity), Microsoft Defender, Microsoft Purview, Microsoft Intune, Exchange Online, SharePoint Online & OneDrive, Microsoft Teams, and Microsoft Fabric (Power BI) — every Microsoft 365 service in scope for a typical compliance audit.

ConfigCobra is a CIS Member organisation and implements the full CIS Microsoft 365 Foundations Benchmark v5.0.0, including all Level 1 and Level 2 controls.

Read about the CIS Benchmark on Microsoft Learn →

Benchmark sections

129 controls across 9 sections.

Every Microsoft 365 admin surface has its own CIS section. ConfigCobra walks every section in a single scan.

Section 1 · Microsoft 365 admin center · 14 controls
Administrative accounts, Microsoft 365 Groups, and password & tenant policies.
Section 2 · Microsoft Defender · 19 controls
Defender for Office 365 — Safe Links, Safe Attachments, threat policies, and priority-account protection.
Section 3 · Microsoft Purview · 4 controls
Unified audit log search, Data Loss Prevention, and Information Protection.
Section 4 · Microsoft Intune · 2 controls
Device compliance policies and device enrollment restrictions.
Section 5 · Microsoft Entra (Identity) · 37 controls
MFA, password protection, Conditional Access, authentication methods, and Privileged Identity Management.
Section 6 · Exchange Online · 11 controls
Mailbox auditing, mail flow & anti-phishing, Outlook add-ins, and Exchange modern authentication.
Section 7 · SharePoint Online & OneDrive · 15 controls
External sharing, default link types, OneDrive sync, and site-level settings.
Section 8 · Microsoft Teams · 16 controls
Teams file sharing, external access, apps, meetings, and messaging policies.
Section 9 · Microsoft Fabric (Power BI) · 11 controls
Power BI / Fabric tenant settings, including B2B guest access to workspaces and content.
Profile Levels

Level 1 or Level 2 — pick the right depth for your environment.

Level 1

Foundational hardening

Safe defaults for every Microsoft 365 tenant.

Controls that should be applied to virtually every organisation. Implementing Level 1 should not cause service disruption or reduce functionality for typical users.

  • Recommended starting point for most teams
  • Low / no impact on user experience
  • Appropriate for most organisations as a starting point
Level 2

Enhanced security

Stricter controls for regulated industries.

Controls intended for environments with higher security requirements (financial services, healthcare, government). Some Level 2 controls may affect functionality and warrant testing before deployment.

  • Required for high-assurance environments
  • Includes Level 1 plus additional controls
  • Suitable for regulated and high-assurance environments
How we automate it

Connect once. Every control evaluated automatically.

ConfigCobra connects to your Microsoft 365 tenant with read-only OAuth and walks every CIS control programmatically — pulling the current configuration via Microsoft Graph API and comparing it against the benchmark requirement.

  • Full 129-control scan across all 9 sections — results in 20–25 minutes
  • Covers the Microsoft 365 admin center, Entra, Defender, Purview, Intune, Exchange, SharePoint/OneDrive, Teams, and Fabric/Power BI
  • Per-control evidence with the actual policy value, not just pass/fail
  • CIS-certified PDF report ready for auditors on demand
Control · CIS 5.2.2.3
Status: Fail · Identity · Critical
Block legacy authentication
Evidence: No Conditional Access policy blocks Exchange ActiveSync or other legacy auth clients. Legacy auth bypasses MFA entirely.
Remediation: Create a CA policy with grant: Block — conditions: client apps: Exchange ActiveSync, Other clients.
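The control card above shows the shape of an automated check: pull the tenant's Conditional Access policies from Microsoft Graph, test them against the benchmark requirement, and report the actual policy state as evidence rather than a bare pass/fail. The following is an added example of that evaluation logic for CIS 5.2.2.3; it is not ConfigCobra's code. It works on policy objects in the shape returned by the Graph endpoint `/identity/conditionalAccess/policies` (fields such as `state`, `conditions.clientAppTypes`, `conditions.users.includeUsers`, `conditions.applications.includeApplications` and `grantControls.builtInControls`); the three sample policies embedded below are constructed, and their ids and group ids are placeholders. Fetching the policies (a read-only `Policy.Read.All` call) is assumed to happen elsewhere, so the block runs offline on the sample data.

```python
"""Evaluate CIS Microsoft 365 Foundations control 5.2.2.3
("block legacy authentication") over Conditional Access policies.

Added example, not ConfigCobra's code. Input is a list of policy dicts
shaped like Microsoft Graph's conditionalAccessPolicy objects; the
SAMPLE_POLICIES below are constructed for illustration."""

from dataclasses import dataclass, field

# Graph clientAppTypes values that represent legacy authentication clients.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}

# Remediation text as it appears on the control card above.
REMEDIATION = ("Create a CA policy with grant: Block — conditions: "
               "client apps: Exchange ActiveSync, Other clients.")


@dataclass
class Finding:
    status: str                      # "Pass" or "Fail"
    evidence: str                    # actual policy state, not just the verdict
    remediation: str = ""
    policy_ids: list = field(default_factory=list)


def policy_blocks_legacy_auth(policy):
    """Return (fully_enforcing, reasons). A policy only satisfies the control
    when it is enabled (report-only does not count), targets all users and
    all cloud apps, covers both legacy client types, and grants Block."""
    reasons = []
    if policy.get("state") != "enabled":
        reasons.append(f"state is {policy.get('state')}")
    conds = policy.get("conditions") or {}
    if not LEGACY_CLIENT_TYPES <= set(conds.get("clientAppTypes") or []):
        reasons.append("clientAppTypes lacks exchangeActiveSync and/or other")
    users = conds.get("users") or {}
    if "All" not in (users.get("includeUsers") or []):
        reasons.append("not scoped to all users")
    apps = conds.get("applications") or {}
    if "All" not in (apps.get("includeApplications") or []):
        reasons.append("not scoped to all cloud apps")
    grant = policy.get("grantControls") or {}
    if "block" not in (grant.get("builtInControls") or []):
        reasons.append("grant control is not block")
    return not reasons, reasons


def evaluate_control_5_2_2_3(policies):
    """Pass if at least one policy fully enforces the block; otherwise Fail
    with per-policy reasons so the reviewer sees why near-misses fell short."""
    enforcing, partial = [], []
    for p in policies:
        ok, reasons = policy_blocks_legacy_auth(p)
        (enforcing if ok else partial).append((p, reasons))
    if enforcing:
        names = ", ".join(p.get("displayName", p.get("id", "?")) for p, _ in enforcing)
        # Exclusions (e.g. break-glass accounts) do not fail the control but
        # belong in the evidence so an auditor can review them.
        excluded = [u for p, _ in enforcing
                    for u in (p["conditions"]["users"].get("excludeUsers") or [])
                    + (p["conditions"]["users"].get("excludeGroups") or [])]
        evidence = ("Enabled CA policy blocks Exchange ActiveSync and other "
                    f"legacy auth clients for all users and apps: {names}.")
        if excluded:
            evidence += f" Exclusions to review: {', '.join(excluded)}."
        return Finding("Pass", evidence, policy_ids=[p["id"] for p, _ in enforcing])
    detail = "; ".join(f"{p.get('displayName')}: {', '.join(r)}" for p, r in partial) \
        or "no Conditional Access policies returned"
    return Finding("Fail",
                   "No Conditional Access policy blocks Exchange ActiveSync or "
                   f"other legacy auth clients ({detail}). Legacy auth bypasses MFA entirely.",
                   remediation=REMEDIATION)


def _policy(pid, name, state, include_users, include_groups=(), exclude_users=()):
    """Build a constructed, Graph-shaped policy for the sample set."""
    return {
        "id": pid, "displayName": name, "state": state,
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "users": {"includeUsers": list(include_users), "includeGroups": list(include_groups),
                      "excludeUsers": list(exclude_users), "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed sample: report-only, group-scoped, and tenant-wide versions.
SAMPLE_POLICIES = [
    _policy("placeholder-policy-1", "Block legacy auth (report-only)",
            "enabledForReportingButNotEnforced", ["All"]),
    _policy("placeholder-policy-2", "Block legacy auth - finance only",
            "enabled", [], include_groups=["placeholder-group-id"]),
    _policy("placeholder-policy-3", "Block legacy auth - all users",
            "enabled", ["All"], exclude_users=["placeholder-breakglass-id"]),
]

if __name__ == "__main__":
    for subset in (SAMPLE_POLICIES, SAMPLE_POLICIES[:2]):
        f = evaluate_control_5_2_2_3(subset)
        print(f.status, "|", f.evidence, "|", f.remediation)
```

Run against the full sample set the check passes on the third policy but still surfaces the break-glass exclusion in the evidence; drop that policy and it fails, naming the report-only state of the first policy and the group scoping of the second as the reasons, which is the detail a remediation owner needs.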
Get in touch

Let's talk.

Whether you're evaluating ConfigCobra, running an audit, or managing a client fleet — we respond within one business day.
