O365 Security Postures
Microsoft 365 CIS Security Best Practices
Scan information
Date: 06/09/2021 06:31:28 UTC
Domain Name: abc.com

Policy Compliance
All: 10
Non-Compliant: 9
Compliant: 1

Failed Policies Based on Severity
Critical: 0
High: 9
Medium: 0
Low: 0
Office 365

Policy Id: 1.1.1
Description: Ensure multifactor authentication is enabled for all users in administrative roles
Status: Failed
Severity: High
Comments/Recommendations: Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
You have 2 out of 7 users with administrative roles registered and protected with MFA.

Policy Id: 1.1.2
Description: Ensure multifactor authentication is enabled for all users in all roles
Status: Failed
Severity: High
Comments/Recommendations: Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and thus reducing the risk.
You have 2 out of 135 users registered and protected with MFA.

Policy Id: 1.1.3
Description: Ensure that between two and four global admins are designated.
Status: Failed
Severity: High
Comments/Recommendations: If there is only one global administrator in a tenant, an additional global administrator will need to be identified and configured. If there are more than four global administrators, a review of role requirements for the current global administrators will be required to identify which of the users actually require global administrator access.
You currently have 6 global admins.
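Added example (not part of the scan report or the tool that produced it): the logic behind checks 1.1.1, 1.1.2 and 1.1.3 as it would run over Microsoft Graph data. The two inputs are shaped like the rows returned by GET /reports/authenticationMethods/userRegistrationDetails (one row per user with isMfaRegistered) and like the result of walking GET /directoryRoles and GET /directoryRoles/{id}/members. Both samples are constructed and nothing here talks to Graph; the user names, role membership and the 7-admin/6-global-admin figures are assumptions chosen to mirror this report. Nested groups and PIM-eligible (not active) assignments are not expanded, which is a gap a production check must close.

```python
"""
CIS 1.1.1, 1.1.2 and 1.1.3 evaluated offline from Microsoft Graph-shaped data.
REGISTRATION_DETAILS mirrors userRegistrationDetails rows; ROLE_MEMBERS mirrors
active directoryRole membership. Both are constructed samples (assumption).
"""

# Constructed sample: 10 users, shaped like userRegistrationDetails rows.
REGISTRATION_DETAILS = [
    {"userPrincipalName": "ga1@abc.com", "isMfaRegistered": True},
    {"userPrincipalName": "ga2@abc.com", "isMfaRegistered": False},
    {"userPrincipalName": "ga3@abc.com", "isMfaRegistered": False},
    {"userPrincipalName": "ga4@abc.com", "isMfaRegistered": False},
    {"userPrincipalName": "ga5@abc.com", "isMfaRegistered": False},
    {"userPrincipalName": "ga6@abc.com", "isMfaRegistered": False},
    {"userPrincipalName": "exo-admin@abc.com", "isMfaRegistered": True},
    {"userPrincipalName": "user1@abc.com", "isMfaRegistered": False},
    {"userPrincipalName": "user2@abc.com", "isMfaRegistered": True},
    {"userPrincipalName": "user3@abc.com", "isMfaRegistered": False},
]

# Constructed sample: active role assignments. ga1 holds two roles and must be
# counted once when sizing the administrative population.
ROLE_MEMBERS = {
    "Global Administrator": [f"ga{i}@abc.com" for i in range(1, 7)],
    "Exchange Administrator": ["exo-admin@abc.com", "ga1@abc.com"],
}


def admin_users(role_members):
    """Distinct users holding at least one administrative role."""
    return set().union(*role_members.values())


def mfa_coverage(details, scope=None):
    """Return (registered, total) for the users in scope (default: every user
    with a registration row). A scoped user with no row counts as NOT
    registered; silently dropping them would over-report coverage."""
    registered = {d["userPrincipalName"] for d in details if d.get("isMfaRegistered")}
    population = set(scope) if scope is not None else {d["userPrincipalName"] for d in details}
    return len(population & registered), len(population)


def check_1_1_1(details, role_members):
    """MFA registered for every user holding an administrative role."""
    registered, total = mfa_coverage(details, admin_users(role_members))
    status = "Passed" if total and registered == total else "Failed"
    return {"id": "1.1.1", "status": status, "registered": registered, "total": total}


def check_1_1_2(details):
    """MFA registered for every user in the tenant."""
    registered, total = mfa_coverage(details)
    status = "Passed" if total and registered == total else "Failed"
    return {"id": "1.1.2", "status": status, "registered": registered, "total": total}


def check_1_1_3(role_members, low=2, high=4):
    """Between two and four Global Administrators (duplicates counted once)."""
    count = len(set(role_members.get("Global Administrator", [])))
    status = "Passed" if low <= count <= high else "Failed"
    return {"id": "1.1.3", "status": status, "global_admins": count}


def run_checks(details=REGISTRATION_DETAILS, role_members=ROLE_MEMBERS):
    """Run the three identity checks and return their result records."""
    return [check_1_1_1(details, role_members), check_1_1_2(details), check_1_1_3(role_members)]


if __name__ == "__main__":
    for result in run_checks():
        print(result)
```

With the constructed data this reproduces the report's "2 out of 7" admin figure and flags 6 global administrators as outside the 2 to 4 range. Feeding it the real Graph responses only requires replacing the two constants.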
Policy Id: 1.1.4
Description: Ensure self-service password reset is enabled.
Status: Failed
Severity: High
Comments/Recommendations: Enabling self-service password reset allows users to reset their own passwords in Azure AD. Users will no longer need to engage the helpdesk for password resets, and the password reset mechanism will automatically block common, easily guessable passwords.

Policy Id: 1.1.6
Description: Enable Conditional Access policies to block legacy authentication.
Status: Failed
Severity: High
Comments/Recommendations: Legacy authentication protocols (basic authentication as used by older mail clients and by POP3, IMAP and SMTP AUTH) do not support MFA, so they are a common path for attackers to use stolen or guessed passwords. Blocking legacy authentication makes it harder for attackers to gain access.

Policy Id: 1.1.9
Description: Enable Azure AD Identity Protection sign-in risk policies.
Status: Failed
Severity: High
Comments/Recommendations: Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multifactor authentication.
You have 135 of 135 users for whom the sign-in risk policy is not turned on.

Policy Id: 1.1.10
Description: Enable Azure AD Identity Protection user risk policies.
Status: Failed
Severity: High
Comments/Recommendations: Turning on the user risk policy helps to detect the probability that a user account has been compromised.
You have 135 of 135 users for whom the user risk policy is not enabled.
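Added example (not part of the scan report or its tooling): a Conditional Access policy that satisfies 1.1.6, expressed as the JSON body one would POST to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies, next to a check that decides whether a tenant's existing policy set actually blocks legacy authentication. Legacy clients appear in Conditional Access as the client app types "exchangeActiveSync" and "other"; a policy that only targets Exchange ActiveSync, or one left in report-only mode, does not satisfy the control, and both near-misses are included as constructed examples. The display names are assumptions.

```python
"""
CIS 1.1.6: block legacy authentication with Conditional Access.
BLOCK_LEGACY_AUTH is the Graph conditionalAccessPolicy body to POST; the
other two policies are constructed near-misses used to exercise the check.
"""

LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}

# The policy that satisfies the control: all users, all cloud apps,
# both legacy client app types, grant control = block.
BLOCK_LEGACY_AUTH = {
    "displayName": "CIS 1.1.6 - Block legacy authentication",  # assumed name
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["exchangeActiveSync", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Constructed near-miss 1: report-only mode logs but enforces nothing.
REPORT_ONLY = {**BLOCK_LEGACY_AUTH, "displayName": "Legacy auth (report-only)",
               "state": "enabledForReportingButNotEnforced"}

# Constructed near-miss 2: only Exchange ActiveSync is blocked; basic-auth
# SMTP/POP3/IMAP clients ("other") still get through.
EAS_ONLY = {**BLOCK_LEGACY_AUTH, "displayName": "Block EAS only",
            "conditions": {**BLOCK_LEGACY_AUTH["conditions"],
                           "clientAppTypes": ["exchangeActiveSync"]}}


def policy_blocks_legacy_auth(policy):
    """Return (ok, reasons). ok is True when this one policy, on its own,
    blocks legacy authentication for all users and all cloud apps."""
    reasons = []
    cond = policy.get("conditions") or {}
    if policy.get("state") != "enabled":
        reasons.append(f"state is {policy.get('state')!r}, not 'enabled'")
    missing = LEGACY_CLIENT_APP_TYPES - set(cond.get("clientAppTypes") or [])
    if missing:
        reasons.append("clientAppTypes missing: " + ", ".join(sorted(missing)))
    if (cond.get("users") or {}).get("includeUsers") != ["All"]:
        reasons.append("policy does not include all users")
    if (cond.get("applications") or {}).get("includeApplications") != ["All"]:
        reasons.append("policy does not include all cloud apps")
    # grantControls is null on session-only policies, hence the `or {}`.
    if "block" not in ((policy.get("grantControls") or {}).get("builtInControls") or []):
        reasons.append("grant control is not 'block'")
    return not reasons, reasons


def check_1_1_6(policies):
    """Passed if at least one policy blocks legacy auth. Exclusions are
    reported, not failed: one break-glass exclusion is expected, a large
    excluded group is something the reviewer needs to see."""
    for policy in policies:
        ok, _ = policy_blocks_legacy_auth(policy)
        if ok:
            users = policy["conditions"]["users"]
            return {"id": "1.1.6", "status": "Passed", "policy": policy["displayName"],
                    "excluded_users": len(users.get("excludeUsers") or []),
                    "excluded_groups": len(users.get("excludeGroups") or [])}
    return {"id": "1.1.6", "status": "Failed", "policy": None}


if __name__ == "__main__":
    import json
    print(json.dumps(BLOCK_LEGACY_AUTH, indent=2))
    print(check_1_1_6([REPORT_ONLY, EAS_ONLY]))
    print(check_1_1_6([REPORT_ONLY, EAS_ONLY, BLOCK_LEGACY_AUTH]))
```

Roll the policy out in report-only mode first and review the sign-in logs for legacy clients before switching state to "enabled"; the check deliberately refuses to credit the report-only state so that step cannot be mistaken for enforcement.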
Policy Id: 3.1
Description: Ensure the customer lockbox feature is enabled.
Status: Failed
Severity: High
Comments/Recommendations: Customer Lockbox requires explicit customer approval before a Microsoft support engineer can access your content. Enabling this feature protects your data against data spillage and exfiltration.
Feature in place: false.

Policy Id: 3.4
Description: Ensure DLP policies are enabled.
Status: Failed
Severity: High
Comments/Recommendations: Enabling DLP policies alerts users and administrators that specific types of data should not be exposed, helping to protect the data from accidental exposure.
Policy Id: 4.12
Description: Ensure that SPF records are published for all Exchange Domains.
Status: Passed
Severity: High
Comments/Recommendations: SPF records let Exchange Online Protection and other mail systems know where messages from your domains are allowed to originate. The receiving system can use this information to decide how to treat a message based on whether it is spoofed or valid.
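Added example (not part of the scan report or its tooling): a check for 4.12 that goes further than "a record exists" and validates what the record says. It parses the TXT answers a domain publishes, requires exactly one v=spf1 record (RFC 7208 treats more than one as a permanent error), checks that the record ends in a restrictive all mechanism rather than +all or ?all, flags the deprecated ptr mechanism, and counts DNS-lookup terms against the limit of 10. The TXT answers are constructed and no DNS query is made; a real run would feed in the output of `dig +short TXT <domain>`. Includes are not followed, so the lookup count covers only the record itself; the 10-lookup limit applies to the whole include tree, so a production check must recurse.

```python
"""
CIS 4.12: validate the SPF record a domain publishes (offline, RFC 7208 rules).
TXT_RECORDS is a constructed stand-in for `dig +short TXT <domain>` answers.
"""

# Mechanisms and the redirect modifier that cost a DNS lookup (RFC 7208 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed TXT answers for several domains (assumption: abc.com's record
# is what a tenant on Exchange Online would normally publish).
TXT_RECORDS = {
    "abc.com": ["MS=ms12345678", "v=spf1 include:spf.protection.outlook.com -all"],
    "weak.example": ["v=spf1 include:spf.protection.outlook.com +all"],
    "open.example": ["v=spf1 include:spf.protection.outlook.com"],
    "missing.example": ["google-site-verification=abc"],
    "double.example": ["v=spf1 mx -all", "v=spf1 include:spf.protection.outlook.com -all"],
}


def spf_records(txt_records):
    """Only records whose first term is exactly v=spf1 are SPF (RFC 7208 4.5)."""
    return [r for r in txt_records if r.split(" ", 1)[0].lower() == "v=spf1"]


def parse_terms(record):
    """Split an SPF record into (qualifier, name, value) tuples.
    Mechanisms take an optional qualifier and use ':' (include:x, -all);
    modifiers use '=' (redirect=x, exp=x). A CIDR suffix on a bare
    mechanism (a/24) is dropped from the name so it still counts as 'a'."""
    terms = []
    for token in record.split()[1:]:  # skip the v=spf1 version term
        qualifier = "+"
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        sep = "=" if "=" in token else ":"
        name, _, value = token.partition(sep)
        terms.append((qualifier, name.lower().split("/")[0], value))
    return terms


def evaluate_spf(domain, txt_records):
    """Return the 4.12 status for one domain together with the reasons."""
    records = spf_records(txt_records)
    if not records:
        return {"domain": domain, "status": "Failed", "lookups": 0,
                "findings": ["no v=spf1 record published"]}
    findings = []
    if len(records) > 1:
        findings.append(f"{len(records)} SPF records published; receivers treat this as a permanent error")
    terms = parse_terms(records[0])
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}")
    if any(name == "ptr" for _, name, _ in terms):
        findings.append("'ptr' mechanism is deprecated (RFC 7208 section 5.5)")
    all_qualifiers = [q for q, name, _ in terms if name == "all"]
    has_redirect = any(name == "redirect" for _, name, _ in terms)
    if not all_qualifiers and not has_redirect:
        findings.append("no terminal 'all' mechanism; unlisted senders get a neutral result")
    elif all_qualifiers and all_qualifiers[-1] in "+?":
        findings.append(f"'{all_qualifiers[-1]}all' lets any host send mail as {domain}")
    return {"domain": domain, "status": "Passed" if not findings else "Failed",
            "lookups": lookups, "findings": findings}


def evaluate_all(txt_by_domain=TXT_RECORDS):
    """Evaluate every domain in the sample and return results keyed by domain."""
    return {d: evaluate_spf(d, recs) for d, recs in txt_by_domain.items()}


if __name__ == "__main__":
    for domain, result in evaluate_all().items():
        print(domain, result["status"], result["findings"])
```

Only abc.com passes; the other constructed domains show the states a "record published" check alone would miss: an open +all record, a record with no terminal all, a domain with no SPF at all, and a domain with two competing records.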