Skip to Content
DocsBlog10 M365 Security Controls Every MSP Should Audit Today

The 10 M365 Security Controls That Matter Most Right Now

TL;DR: Identity attacks on M365 are up 32%. BEC losses hit $3 billion in 2025. Most of it is preventable. The CIS M365 Foundations Benchmark v6.0.1 has 140+ controls — these are the 10 that matter most right now.


Most M365 tenants have at least two or three of these misconfigured — not because the MSP managing them is sloppy, but because there are 140+ settings in the CIS Microsoft 365 Foundations Benchmark, clients run on every license tier from Business Basic to E5, and nobody has time to manually audit every tenant every month.

So things drift. And attackers know exactly which settings drift the most.

The 10 controls below are drawn from the CIS M365 Benchmark v6.0.1 (released February 2026). They cover the attack vectors actively being exploited, carry the highest risk scores, and are fixable without a change management process or a week of testing.


Why These 10?

The CIS M365 Benchmark has 140+ controls. Most of them matter. But for a “Day 1” audit across an entire book of business, these are the starting point — because they cover the vectors being actively exploited right now.

  • Identity-based attacks surged 32% in the first half of 2025 (Microsoft Digital Defense Report)
  • BEC losses hit $3.05 billion in 2025 — the highest complaint volume in three years (FBI IC3)

The majority of those incidents exploited configurations that are either off by default or quietly disabled after a helpdesk ticket.


The 10 Controls

1. Require MFA for All Admin Roles

CIS 5.2.2.1 | Risk: 9/10

A single compromised Global Admin account is full tenant takeover. MFA blocks over 99% of identity-based attacks even when the attacker has valid credentials.

The nuance most MSPs miss: Target all 15 admin directory roles explicitly — not just “Global Admin.” Security Admin, Exchange Admin, and Conditional Access Admin are equally dangerous in the wrong hands.


2. Block MFA Fatigue (Number Matching)

CIS 5.2.3.1 | Risk: 8/10

The highest ROI control on the entire list. About 30 minutes to enable across a tenant, and it eliminates the push notification bombing that took down Uber and Cisco.

Number matching forces users to enter a code from their sign-in screen before approving the MFA prompt — no more blind “Approve” taps. If tenants are still using the old Authenticator push notifications without this enabled, fix it today.


3. Block Legacy Authentication

CIS 5.2.2.3 | Risk: 8/10

Legacy protocols — IMAP, POP3, SMTP, older ActiveSync — cannot enforce MFA at all, which means every MFA policy can be bypassed if legacy auth is still open.

Microsoft disabled Basic Auth by default in January 2023, but that doesn’t cover legacy client apps. An explicit Conditional Access policy is still required. Before enforcing: check for printers, scanners, and LOB apps using these protocols — the most common blockers in client environments.


4. Enforce Sign-In Frequency for Admin Sessions

CIS 5.2.2.4 | Risk: 8/10

Without session limits, admin sessions can persist indefinitely. Stolen session cookies give attackers persistent access even after a password reset.

Set sign-in frequency to ≤4 hours for all admin roles and disable persistent browser sessions. It’s one Conditional Access policy — combine it with the MFA policy from Control 1.


5. Block the Device Code Sign-In Flow

CIS 5.2.2.12 | Risk: 8/10

Storm-2372 — a Russia-aligned threat actor — ran active campaigns in 2025 using device code phishing to capture auth tokens and bypass MFA entirely. The attack is simple: send a victim a device code, they enter it at microsoft.com/devicelogin, and the attacker walks away with a long-lived refresh token.

Microsoft started auto-blocking this for inactive tenants in 2025. Active tenants still need an explicit CA policy.


6. Block All Email Forwarding

CIS 6.2.1 | Risk: 8/10

The single most common post-compromise technique. An attacker gets into an account, sets a silent forwarding rule to an external address, and exfiltrates email for weeks before anyone notices.

Two layers required: the outbound spam filter policy in Defender, and a mail flow rule in Exchange. Run both.


7. Publish DMARC for All Client Domains

CIS 2.1.10 | Risk: 8/10

Without DMARC, anyone can spoof your client’s domain. As of May 2025, Google, Yahoo, and Microsoft all enforce DMARC at the SMTP level — meaning client emails may be silently rejected if this isn’t configured correctly.

The path: SPF → DKIM → DMARC, starting at p=none for reporting, then moving to p=quarantine and p=reject once the data is validated. Use a DMARC monitoring service to manage aggregate reports across your entire client base from one dashboard.


CIS 3.1.1 | Risk: 8/10

This should take 15 minutes per tenant. Without audit logs enabled, there is zero forensic capability — no breach investigation, no compromise detection, no compliance demonstration. The OCC disclosed in 2025 that a compromised admin account accessed 150,000+ emails undetected for 18 months, partly because of logging gaps.

There is no valid reason to leave this off.


9. Use Reduced-License Admin Accounts

CIS 1.1.4 | Risk: 8/10

Admins should have two accounts: a standard user account for day-to-day work, and a separate, cloud-only admin account with no M365 license attached. Licensed admin accounts carry a much larger attack surface — mailboxes, OneDrive, Teams — all accessible the moment the account is compromised.


10. Restrict Non-Admin Users from Creating Tenants

CIS 5.1.2.3 | Risk: 7/10

By default, any user can create a new Entra ID tenant and become its Global Admin — shadow IT completely outside your security perimeter, with no visibility, no controls, and no audit trail.

It’s a single toggle to disable. About 30 minutes to close an entire class of governance failures.


The Honest Reality

The problem isn’t awareness — it’s execution at scale.

Manually auditing these 10 controls across 40 tenants takes hours. Doing it consistently, every quarter, across a book of business that’s constantly changing — that’s where it breaks down. And when it breaks down, drift happens silently.

This list is a standardized starting point: something to run through on any new tenant, any new client, any quarterly review.


FAQ

Do these controls apply to all M365 license tiers? Most of them, yes. Controls 1–5 require Entra ID P1 or higher (Microsoft 365 Business Premium or an E3/E5 add-on). If clients are on Business Basic or Standard, the Conditional Access policies won’t be available — which is also a conversation worth having about upgrading.

How often should I run this audit? At minimum, quarterly. Realistically: any time you onboard a new client, after a major Microsoft update, or after any change to the tenant’s admin structure. Configuration drift doesn’t announce itself.

What’s the difference between these controls and a full CIS audit? The full CIS M365 Foundations Benchmark v6.0.1 covers 140+ controls across identity, data, devices, and applications. This list is the triage layer — the 10 with the highest risk scores and clearest remediation paths. Think of it as where you start, not where you stop.

Can I automate any of these? Yes — 8 of the 10 are auto-remediable. The two that aren’t (DMARC and audit logs) require manual DNS changes or portal steps that can’t be scripted cleanly across every client environment.

What if a client pushes back on blocking legacy authentication? Run the sign-in logs first. In most environments there’s no active legacy auth usage and the policy enforces cleanly. The exceptions are usually a printer, a scanner, or a legacy LOB app — all of which have workarounds.

Last updated on