diff --git a/baselines/aad.md b/baselines/aad.md
index d5c65398e0..8052d30c32 100644
--- a/baselines/aad.md
+++ b/baselines/aad.md
@@ -1,6 +1,6 @@
-# 1. Introduction
+# Introduction
-## 1.1 Key Terminology
+## Key Terminology
The following are key terms and descriptions used in this document.
@@ -17,7 +17,7 @@ hosts the M365 resources being used.
[home tenant](https://docs.microsoft.com/en-us/azure/active-directory/external-identities/authentication-conditional-access)
is the one that owns the external user’s (e.g., guest) account.
-## 1.2 Assumptions
+## Assumptions
The agency has created emergency access accounts in Azure AD and
implemented strong security measures to protect the credentials of those
@@ -35,9 +35,9 @@ or [G3](https://www.microsoft.com/en-us/microsoft-365/government)
license level. Therefore, only licenses not included in E3/G3 are
listed.
-## 1.3 Common guidance
+## Common guidance
-### 1.3.1 Conditional Access Policies
+### Conditional Access Policies
This section provides common guidance that should be applied when
implementing baseline instructions related to Azure AD Conditional
@@ -52,7 +52,7 @@ assist with running test simulations is the [What If tool](https://docs.microsof
Microsoft also describes [Conditional Access insights and reporting features](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting)
that can assist with testing.
-### 1.3.2 Azure AD Privileged Identity Management
+### Azure AD Privileged Identity Management
Some of the guidance in this baseline document leverages specific
features of the Azure AD Privileged Identity Management (PIM) service to
@@ -63,7 +63,7 @@ Azure AD PIM, there are third-party vendors that provide products or
services with privileged access management capabilities that can be
leveraged if an agency chooses to do so.
-## 1.4 Resources
+## Resources
License Compliance and Copyright
@@ -74,33 +74,35 @@ and
GitHub repositories. The respective documents are subject to copyright
and are adapted under the terms of the Creative Commons Attribution 4.0
International license. Source documents are linked throughout this
-document. The United States government has adapted selections of these
+document. The United States government has adpted selections of these
documents to develop innovative and scalable configuration standards to
strengthen the security of widely used cloud-based software services.
-# 2. Baseline
+# Baseline
-## 2.1 Legacy Authentication SHALL Be Blocked
+## 1. Legacy Authentication
Block legacy authentication protocols using a conditional access policy.
Legacy authentication does not support multifactor authentication (MFA),
which is required to minimize the impact of user credential theft.
-### 2.1.1 Policy
+### Policies
+#### MS.AAD.1.1v1
+Legacy authentication SHALL be blocked.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Legacy authentication SHALL be blocked.
-
-### 2.1.2 Resources
+### Resources
- [Conditional Access: Block Legacy Authentication](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy)
- [Five steps to securing your identity infrastructure](https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity)
-### 2.1.3 License Requirements
+### License Requirements
- N/A
-### 2.1.4 Implementation
+### Implementation
1. Before blocking legacy authentication across the entire application
base, follow [these instructions](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication#identify-legacy-authentication-use)
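Review bot: The rewrite of the copyright paragraph introduces a typo in the `+` line `document. The United States government has adpted selections of these`; the `-` line it replaces reads `adapted`, so restore that spelling. Also, the new policy block in this hunk carries `- _Rationale:_ TODO` (the same placeholder is repeated for every policy introduced further down); either fill the rationale before merge or track it in an issue so the placeholder does not ship in the published baseline.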
@@ -112,7 +114,7 @@ which is required to minimize the impact of user credential theft.
to block legacy authentication. **Note:** The instructions suggest
using Report-only mode which will not block legacy authentication.
-## 2.2 High Risk Users SHALL Be Blocked
+## 2. High Risk Users
Azure AD Identity Protection uses various signals to detect the risk
level for each user and determine if an account has likely been
@@ -123,14 +125,18 @@ with a block is implemented, if a high-risk user attempts to login, the
user will receive an error message with instructions to contact the
administrator to re-enable their access.
-### 2.2.1 Policy
-
-- Users detected as high risk SHALL be blocked.
+### Policies
+#### MS.AAD.2.1v1
+Users detected as high risk SHALL be blocked.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- A notification SHOULD be sent to the administrator when high-risk
- users are detected.
+#### MS.AAD.2.2v1
+A notification SHOULD be sent to the administrator when high-risk users are detected.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.2.2 Resources
+### Resources
- [Conditional Access: User risk-based Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk-user)
@@ -143,13 +149,13 @@ administrator to re-enable their access.
- [Five steps to securing your identity infrastructure](https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity)
-### 2.2.3 License Requirements
+### License Requirements
- Requires an AAD P2 license
-### 2.2.4 Implementation
+### Implementation
-**Policy \#1:**
+**Policy MS.AAD.2.1v1:**
1. To create the conditional access policy that implements the block
for users at the risk level of High, follow the instructions in the
@@ -158,7 +164,7 @@ administrator to re-enable their access.
2. Under **Access Controls** -\> **Grant**, select **Block access**.
-**Policy \#2**:
+**Policy MS.AAD.2.2v1**:
1. Follow the instructions in the [Configure users at risk detected alerts](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-notifications#configure-users-at-risk-detected-alerts)
section to configure Azure AD Identity Protection to email the
@@ -166,17 +172,19 @@ administrator to re-enable their access.
determined to be high risk so that they can review and respond to
threats.
-## 2.3 High Risk Sign-ins SHALL Be Blocked
+## 3. High Risk Sign-ins
Azure AD Identity Protection uses various signals to detect the risk
level for each user sign-in. Sign-ins detected as high risk are to be
blocked via Conditional Access.
-### 2.3.1 Policy
-
+### Policies
+#### MS.AAD.3.1v1
Sign-ins detected as high risk SHALL be blocked.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.3.2 Resources
+### Resources
- [Conditional Access: Sign-in risk-based Conditional
Access](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk)
@@ -191,11 +199,11 @@ Sign-ins detected as high risk SHALL be blocked.
Protection](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-user-experience)
(Examples of how these policies are applied in practice)
-### 2.3.3 License Requirements
+### License Requirements
- Requires an AAD P2 license
-### 2.3.4 Implementation
+### Implementation
To create the conditional access policy that implements the block for
sign-ins at the risk level of **High**, follow the instructions in the
@@ -218,7 +226,7 @@ locations. Azure AD Identity Protection considers the Trusted Location
data when it calculates sign-in risk, and this may help to prevent users
signing in from legitimate locations from being flagged as high risk.
-## 2.4 Phishing-Resistant Multifactor Authentication SHALL Be Required for All Users
+## 4. Phishing-Resistant Multifactor Authentication
Phishing-resistant multifactor authentication protects against
sophisticated phishing attacks. Recognizing the significant risk these
@@ -242,11 +250,14 @@ alt="Weak MFA (SMS/Voice) Stronger MFA (Push Notifications, Software OTP, Hardwa
Figure 1: Options for Weak MFA, Stronger MFA Options, and Strongest MFA
-### 2.4.1 Policy
+### Policies
+#### MS.AAD.4.1v1
+MFA SHALL be required for all users.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- MFA SHALL be required for all users.
-
-- Phishing-resistant MFA SHALL be used for all users.
+#### MS.AAD.4.2v1
+Phishing-resistant MFA SHALL be used for all users.
- Phishing-resistant methods:
@@ -259,8 +270,11 @@ Figure 1: Options for Weak MFA, Stronger MFA Options, and Strongest MFA
- Federal Personal Identity Verification (PIV) card (Federated from
agency Active Directory or other identity provider)
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- If phishing-resistant MFA cannot be used, an MFA method from the list
+#### MS.AAD.4.3v1
+If phishing-resistant MFA cannot be used, an MFA method from the list
below SHALL be used in the interim:
- Microsoft Authenticator (Push Notifications)
@@ -277,10 +291,15 @@ Figure 1: Options for Weak MFA, Stronger MFA Options, and Strongest MFA
- Software Tokens One-Time Password (OTP) – This option is commonly implemented using mobile phone authenticator apps
- Hardware tokens OTP
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- SMS or Voice as the MFA method SHALL NOT be used.
+#### MS.AAD.4.4v1
+SMS or Voice as the MFA method SHALL NOT be used.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.4.2 Resources
+### Resources
- [What authentication and verification methods are available in Azure
Active
@@ -297,11 +316,11 @@ Figure 1: Options for Weak MFA, Stronger MFA Options, and Strongest MFA
- [M-22-09 Federal Zero Trust
Strategy](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf)
-### 2.4.3 License Requirements
+### License Requirements
- N/A
-### 2.4.4 Implementation
+### Implementation
**Policy \#1:**
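Review bot: The Implementation section for section 4 still opens with the unchanged context line `**Policy \#1:**` even though the policies above it were just renamed to MS.AAD.4.1v1 through MS.AAD.4.4v1; the section 2 hunk already renamed `**Policy \#1:**` to `**Policy MS.AAD.2.1v1:**`, so apply the same rename here (and to any other `Policy \#N` labels later in this Implementation section) to keep the labels consistent.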
@@ -414,34 +433,39 @@ Passwordless Sign-in) or Microsoft Authenticator (Push Notifications)**
5. Under **verification options**, make sure that **Text message to
phone** and **Call to phone** are **disabled**.
-## 2.5 Azure AD logs SHALL Be Collected
+## 5. Azure AD logs
Configure Azure AD to send critical logs to the agency’s centralized
SIEM and to CISA’s central analysis system so that they can be audited
and queried. Configure Azure AD to send logs to a storage account and
retain them for when incident response is needed.
-### 2.5.1 Policy
-
-- The following critical logs SHALL be sent at a minimum: AuditLogs,
- SignInLogs, RiskyUsers, UserRiskEvents, NonInteractiveUserSignInLogs,
- ServicePrincipalSignInLogs, ADFSSignInLogs, RiskyServicePrincipals,
- ServicePrincipalRiskEvents.
+### Policies
+#### MS.AAD.5.1v1
+The following critical logs SHALL be sent at a minimum: AuditLogs, SignInLogs, RiskyUsers, UserRiskEvents, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ADFSSignInLogs, RiskyServicePrincipals, ServicePrincipalRiskEvents.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- If managed identities are used for Azure resources, also include the
- ManagedIdentitySignInLogs log type.
+#### MS.AAD.5.2v1
+If managed identities are used for Azure resources, logs SHALL include the ManagedIdentitySignInLogs log type.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- If the Azure AD Provisioning Service is used to provision users to
- SaaS apps or other systems, also include the ProvisioningLogs log
- type.
+#### MS.AAD.5.3v1
+If the Azure AD Provisioning Service is used to provision users to SaaS apps or other systems, also include the ProvisioningLogs log type.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- The logs SHALL be sent to the agency’s SOC for monitoring.
+#### MS.AAD.5.4v1
+The logs SHALL be sent to the agencys SOC for monitoring.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.5.2 Resources
+### Resources
- [Everything you wanted to know about Security and Audit Logging in
Office
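Review bot: The rewrite of the SOC policy drops the apostrophe: `+The logs SHALL be sent to the agencys SOC for monitoring.` replaces a `-` line that reads `agency’s SOC`; restore it. Also, MS.AAD.5.2v1 is reworded to `logs SHALL include the ManagedIdentitySignInLogs log type`, but MS.AAD.5.3v1 keeps the old `also include the ProvisioningLogs log type` wording with no SHALL/SHOULD keyword; give both conditional policies the same normative form.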
@@ -458,11 +482,11 @@ retain them for when incident response is needed.
Architecture Volume
2](https://www.cisa.gov/sites/default/files/publications/NCPS%20Cloud%20Interface%20RA%20Volume%20Two%202021-06-11%20%28508%20COMPLIANT%29.pdf)
-### 2.5.3 License Requirements
+### License Requirements
- N/A
-### 2.5.4 Implementation
+### Implementation
[Follow these instructions](https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account)
to configure sending the logs to a storage account:
@@ -478,26 +502,27 @@ to configure sending the logs to a storage account:
4. In the **Retention** field enter “365” days.
-## 2.6 Only Administrators SHALL Be Allowed to Register Third-Party Applications
+## 6. Register Third-Party Applications
Ensure that only administrators can register third-party applications
that can access the tenant.
-### 2.6.1 Policy
-
-- Only administrators SHALL be allowed to register third-party
- applications.
+### Policies
+#### MS.AAD.6.1v1
+Only administrators SHALL be allowed to register third-party applications.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.6.2 Resources
+### Resources
- [Restrict Application Registration for Non-Privileged
Users](https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/ActiveDirectory/users-can-register-applications.html)
-### 2.6.3 License Requirements
+### License Requirements
- N/A
-### 2.6.4 Implementation
+### Implementation
1. In the **Azure Portal**, navigate to **Azure Active Directory.**
@@ -512,7 +537,7 @@ that can access the tenant.
5. Click **Save**.
-## 2.7 Non-admin Users SHALL Be Prevented from Providing Consent to Third-Party Applications
+## 7. Consenting to Third-Party Applications
Ensure that only administrators can consent to third-party applications
and only administrators can control which permissions are granted. An
@@ -521,17 +546,24 @@ will be blocked when they try to access an application that requires
permissions to access organizational data. Develop a process for
approving and managing third-party applications.
-### 2.7.1 Policy
-
-- Only administrators SHALL be allowed to consent to third-party
+### Policies
+#### MS.AAD.7.1v1
+Only administrators SHALL be allowed to consent to third-party
applications.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- An admin consent workflow SHALL be configured.
+#### MS.AAD.7.2v1
+An admin consent workflow SHALL be configured.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Group owners SHALL NOT be allowed to consent to third-party
- applications.
+#### MS.AAD.7.3v1
+Group owners SHALL NOT be allowed to consent to third-party applications.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.7.2 Resources
+### Resources
- [Enforce Administrators to Provide Consent for Apps Before
Use](https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/ActiveDirectory/users-can-consent-to-apps-accessing-company-data-on-their-behalf.html)
@@ -539,11 +571,11 @@ approving and managing third-party applications.
- [Configure the admin consent
workflow](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow)
-### 2.7.3 License Requirements
+### License Requirements
- N/A
-### 2.7.4 Implementation
+### Implementation
1. In the **Azure Portal**, navigate to **Azure Active Directory.**
@@ -569,23 +601,25 @@ approving and managing third-party applications.
9. Under **Admin consent requests** -\> **Users can request admin
consent to apps they are unable to consent to**, select **Yes.**
-10. Under **Who can review admin consent requests**, select the group
+10. Under **Who can review admin consent requests**, select the group
created in step two that is responsible for reviewing and
adjudicating app requests.
11. Click **Save**
-## 2.8 Passwords SHALL NOT Expire
+## 8. Passwords
Ensure that user passwords do not expire. Both the National Institute of
Standards and Technology (NIST) and Microsoft emphasize MFA because they
indicate that mandated password changes make user accounts less secure.
-### 2.8.1 Policy
-
-- User passwords SHALL NOT expire.
+### Policies
+#### MS.AAD.8.1v1
+User passwords SHALL NOT expire.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.8.2 Resources
+### Resources
- [Password policy recommendations - Microsoft 365 admin \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide#password-expiration-requirements-for-users)
@@ -596,26 +630,28 @@ indicate that mandated password changes make user accounts less secure.
- [NIST Special Publication 800-63B - Digital Identity
Guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html)
-### 2.8.3 License Requirements
+### License Requirements
- N/A
-### 2.8.4 Implementation
+### Implementation
[Follow the instructions at this
link](https://docs.microsoft.com/en-us/microsoft-365/admin/manage/set-password-expiration-policy?view=o365-worldwide#set-password-expiration-policy)
to configure the password expiration policy.
-## 2.9 Session Length SHALL Be Limited
+## 9. Session Length
To reduce the risk of credential theft during user sessions, configure
the sign-in frequency to a limited period of time.
-### 2.9.1 Policy
+### Policies
+#### MS.AAD.9.1v1
+Sign-in frequency SHALL be configured to 12 hours.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Sign-in frequency SHALL be configured to 12 hours.
-
-### 2.9.2 Resources
+### Resources
- [Configure authentication session management with Conditional
Access](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime)
@@ -623,11 +659,11 @@ the sign-in frequency to a limited period of time.
- [NIST Special Publication 800-63B - Digital Identity
Guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html)
-### 2.9.3 License Requirements
+### License Requirements
- N/A
-### 2.9.4 Implementation
+### Implementation
[Follow the instructions at this
link](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#policy-1-sign-in-frequency-control)
@@ -642,26 +678,28 @@ frequency,
3. Set the **Access Controls** -\> **Session** -\> **Sign-in
frequency** to a value of “12 hours”.
-## 2.10 Browser Sessions SHALL NOT Be Persistent
+## 10. Browser Sessions
To reduce the risk of credential theft during user sessions, disallow
persistent browser sessions.
-### 2.10.1 Policy
-
-- Browser sessions SHALL not be persistent.
+### Policies
+#### MS.AAD.10.1v1
+Browser sessions SHALL not be persistent.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.10.2 Resources
+### Resources
- [Configure authentication session management with Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime)
- [NIST Special Publication 800-63B - Digital Identity Guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html)
-### 2.10.3 License Requirements
+### License Requirements
- N/A
-### 2.10.4 Implementation
+### Implementation
[Follow the instructions at this link](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#policy-2-persistent-browser-session)
to implement the conditional access policy that prevents persistent
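Review bot: `+Browser sessions SHALL not be persistent.` carries the lowercase `not` over from the old bullet; now that this is a standalone policy statement (MS.AAD.10.1v1) sitting alongside MS.AAD.4.4v1's `SHALL NOT`, capitalize it as `SHALL NOT` so the normative keyword is consistent across the baseline.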
@@ -674,7 +712,7 @@ browser sessions.
3. Set the **Access Controls -**\> **Session** -\> **Persistent browser
session** to **Never persistent.**
-## 2.11 The Number of Users with the Highest Privilege Roles SHALL Be Limited
+## 11. Global Administrators
Global Administrator is the highest privileged role in Azure AD because
it provides unfettered access to the tenant. Therefore, if a user’s
@@ -684,23 +722,24 @@ users that are assigned the role of Global Administrator. Assign users
to finer-grained administrative roles that they need to perform their
duties instead of being assigned the Global Administrator role.
-### 2.11.1 Policy
-
-- A minimum of two users and a maximum of four users SHALL be
- provisioned with the Global Administrator role.
+### Policies
+#### MS.AAD.11.1v1
+A minimum of two users and a maximum of four users SHALL be provisioned with the Global Administrator role.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.11.2 Resources
+### Resources
- [Best practices for Azure AD roles (Limit number of Global
Administrators to less than 5)](https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices#5-limit-the-number-of-global-administrators-to-less-than-5)
- [About admin roles](https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide)
-### 2.11.3 License Requirements
+### License Requirements
- N/A
-### 2.11.4 Implementation
+### Implementation
**Policy bullet \#1:**
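Review bot: The context line `**Policy bullet \#1:**` at the end of this hunk still uses the old bullet-numbered label after the policy was renamed to MS.AAD.11.1v1; rename it to `**Policy MS.AAD.11.1v1:**` as was done for MS.AAD.2.1v1 in the section 2 Implementation.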
@@ -754,21 +793,20 @@ duties instead of being assigned the Global Administrator role.
Administrator. Once the roles are reassigned according to the
guidance, check the score again after 48 hours to ensure compliance.
-## 2.12 Highly Privileged User Accounts SHALL Be Cloud-Only
+## 12. Highly Privileged User Accounts
Assign users that need to perform highly privileged tasks to cloud-only
Azure AD accounts to minimize the collateral damage of an on-premises
identity compromise.[^1]
-### 2.12.1 Policy
+### Policies
+#### MS.AAD.12.1v1
+Users that need to be assigned to highly privileged Azure AD roles SHALL be provisioned cloud-only accounts that are separate from the on-premises directory or other federated identity providers.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Users that need to be assigned to highly privileged Azure AD roles
- SHALL be provisioned cloud-only accounts that are separate from the
- on-premises directory or other federated identity providers.
-
-- The following built-in Azure AD roles are considered highly privileged
- at a minimum. Additional built-in roles that are considered highly
- privileged in the agency’s environment can be added to this list:
+#### MS.AAD.12.2v1
+The following built-in Azure AD roles are considered highly privileged at a minimum. Additional built-in roles that are considered highly privileged in the agency's environment can be added to this list:
- Global Administrator
@@ -784,32 +822,36 @@ identity compromise.[^1]
- Application Administrator
- - Cloud Application Administrator
+ - Cloud Application Administrator.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.12.2 Resources
+### Resources
- [Securing privileged access for hybrid and cloud deployments in Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning#ensure-separate-user-accounts-and-mail-forwarding-for-global-administrator-accounts)
-### 2.12.3 License Requirements
+### License Requirements
- N/A
-### 2.12.4 Implementation
+### Implementation
Review [these](https://docs.microsoft.com/en-us/azure/active-directory/roles/view-assignments)
instructions to identify users assigned to highly privileged roles and
verify the account does not exist outside Azure AD.
-## 2.13 Multifactor Authentication SHALL Be Required for Highly Privileged Roles
+## 13. Multifactor Authentication for Highly Privileged Roles
Require users to perform MFA to access highly privileged roles. This
configuration provides a backup policy to enforce MFA for highly
privileged users in case the main conditional access policy—which
requires MFA for all users—is disabled or misconfigured.
-### 2.13.1 Policy
-
-- MFA SHALL be required for user access to highly privileged roles.
+### Policies
+#### MS.AAD.13.1v1
+MFA SHALL be required for user access to highly privileged roles.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
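Review bot: `+  - Cloud Application Administrator.` adds a trailing period that no other item in the role list has; drop it. More importantly, the `+- _Rationale:_ TODO` and `+- _Last modified:_ June 2023` bullets for MS.AAD.12.2v1 are appended directly after the nested role list, so they are likely to render as further entries of that list rather than as policy metadata; separate them from the role list (for example with a blank line) so they read the way the other policies' metadata does.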
@@ -820,17 +862,17 @@ requires MFA for all users—is disabled or misconfigured.
additional built-in roles that are considered highly privileged in the
agency’s environment based on its risk tolerance.
-### 2.13.2 Resources
+### Resources
- [Five steps to securing your identity infrastructure](https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity)
- [M-22-09 Federal Zero Trust Strategy](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf)
-### 2.13.3 License Requirements
+### License Requirements
- N/A
-### 2.13.4 Implementation
+### Implementation
[Follow these instructions](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa)
to create a conditional access policy requiring MFA for access, but
@@ -843,12 +885,12 @@ policy to privileged roles.
2. Under **Include**, choose **Select users and groups**, then click
the **Directory roles** checkbox. Select each of the roles listed in
- the baseline statement, [Highly Privileged User Accounts SHALL be Cloud-Only](#2121-Policy).
+ the baseline statement, [Highly Privileged User Accounts SHALL be Cloud-Only](Policy MS.AAD.12.1v1).
3. Under **Exclude**, follow Microsoft’s guidance from the previously
provided instructions link.
-## 2.14 Users Assigned to Highly Privileged Roles SHALL NOT Have Permanent Permissions
+## 14. Permanent Permissions
Do not assign users to highly privileged roles using permanent active
role assignments. Instead, assign users to eligible role assignments in
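Review bot: `[Highly Privileged User Accounts SHALL be Cloud-Only](Policy MS.AAD.12.1v1)` replaces the fragment anchor with plain text, so the link target is neither a URL nor a fragment and the link will be broken when rendered; point it at the fragment for the new `#### MS.AAD.12.1v1` heading instead. The link text also still quotes the old section title rather than the renamed `## 12. Highly Privileged User Accounts` heading.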
@@ -859,33 +901,30 @@ upon expiration.
**Note**: Although Azure AD PIM is referenced in the implementation
instructions, an equivalent third-party PAM service may be used instead.
-### 2.14.1 Policy
-
-- Permanent active role assignments SHALL NOT be allowed for highly
- privileged roles. Active assignments SHALL have an expiration period.
- - Refer to the baseline statement, [Highly Privileged User Accounts SHALL be Cloud-Only](#2121-Policy),
- for a recommended minimum list of Azure AD built-in roles that are
- considered highly privileged. It is also possible to designate
- additional built-in roles that are considered highly privileged in the
- agency’s environment based on its risk tolerance.
+### Policies
+#### MS.AAD.14.1v1
+Permanent active role assignments SHALL NOT be allowed for highly privileged roles. Active assignments SHALL have an expiration period.
+- Refer to the baseline statement, [Highly Privileged User Accounts SHALL be Cloud-Only](#2121-Policy), for a recommended minimum list of Azure AD built-in roles that are considered highly privileged. It is also possible to designate additional built-in roles that are considered highly privileged in the agency’s environment based on its risk tolerance.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
+#### MS.AAD.14.2v1
+Provisioning of users to highly privileged roles SHALL NOT occur outside of a PAM system, such as the Azure AD PIM service, because this bypasses the controls the PAM system provides.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Provisioning of users to highly privileged roles SHALL NOT occur
- outside of a PAM system, such as the Azure AD PIM service, because
- this bypasses the controls the PAM system provides.
-
-### 2.14.2 Resources
+### Resources
- [Assign Azure AD roles in Privileged Identity Management](https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user)
-### 2.14.3 License Requirements
+### License Requirements
- Use of an Azure AD PIM or an equivalent third-party PAM service.
- Azure AD PIM requires an AAD P2 license
-### 2.14.4 Implementation
+### Implementation
Note: Any parts of the following implementation instructions that
reference the Azure AD PIM service will vary if using a third-party PAM
@@ -951,7 +990,7 @@ system.
non-compliant role assignments and then recreate them using the PIM
service.
-## 2.15 Activation of Highly Privileged Roles SHOULD Require Approval
+## 15. Activation of Highly Privileged Roles
Require approval for a user to activate a highly privileged role, such
as Global Administrator. This makes it more challenging for an attacker
@@ -961,9 +1000,11 @@ ensures that privileged access is monitored closely.
**Note**: Although Azure AD PIM is referenced in the implementation
instructions, an equivalent third-party PAM service may be used instead.
-### 2.15.1 Policy
-
-- Activation of highly privileged roles SHOULD require approval
+### Policies
+#### MS.AAD.15.1v1
+Activation of highly privileged roles SHOULD require approval.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
@@ -973,17 +1014,17 @@ instructions, an equivalent third-party PAM service may be used instead.
that are considered highly privileged in the agency’s environment
based on its risk tolerance.
-### 2.15.2 Resources
+### Resources
- [Approve or deny requests for Azure AD roles in Privileged Identity Management](https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow)
-### 2.15.3 License Requirements
+### License Requirements
- Use an Azure AD PIM or an equivalent third-party PAM service
- Azure AD PIM requires an AAD P2 license
-### 2.15.4 Implementation
+### Implementation
**Note**: Any parts of the following implementation instructions that
reference the Azure AD PIM service will vary if using a third-party PAM
@@ -1020,7 +1061,7 @@ system.
Approvers**, and then click **Select**.
6. Click **Update**.
-## 2.16 Highly Privileged Role Assignment and Activation SHALL Be Monitored
+## 16. Highly Privileged Role Assignment and Activation
Since many cyber attacks leverage privileged access, it is imperative to
closely monitor the assignment and activation of the highest privileged
@@ -1031,10 +1072,11 @@ privileged role.
Note: Although Azure AD PIM is referenced in the implementation
instructions, an equivalent third-party PAM service may be used instead.
-### 2.16.1 Policy
-
-- Eligible and Active highly privileged role assignments SHALL trigger
- an alert.
+### Policies
+#### MS.AAD.16.1v1
+Eligible and Active highly privileged role assignments SHALL trigger an alert.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
@@ -1046,11 +1088,16 @@ instructions, an equivalent third-party PAM service may be used instead.
-- User activation of the Global Administrator role SHALL trigger an
+#### MS.AAD.16.2v1
+User activation of the Global Administrator role SHALL trigger an
alert.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- User activation of other highly privileged roles SHOULD trigger an
- alert.
+#### MS.AAD.16.3v1
+User activation of other highly privileged roles SHOULD trigger an alert.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
@@ -1064,17 +1111,17 @@ instructions, an equivalent third-party PAM service may be used instead.
versus the mailbox configured for the Global Administrator role, which
should be monitored closely since that role is sensitive.
-### 2.16.2 Resources
+### Resources
- [Assign Azure AD roles in Privileged Identity Management](https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user)
-### 2.16.3 License Requirements
+### License Requirements
- Use an Azure AD PIM or an equivalent third-party PAM service.
- Azure AD PIM requires an AAD P2 license
-### 2.16.4 Implementation
+### Implementation
Note: Any parts of the following implementation instructions that
reference the Azure AD PIM service will vary if using a third-party PAM
@@ -1123,7 +1170,7 @@ system.
of a mailbox that is different from the one used to monitor Global
Administrator activations.
-## 2.17 Managed Devices SHOULD Be Required for Authentication
+## 17. Managed Devices
Require that users connect to M365 from a device that is managed using
conditional access. Agencies that are implementing a hybrid Azure AD
@@ -1146,11 +1193,13 @@ The implementation section describes the cross-tenant settings that must
be configured in both the home and the resource tenants to facilitate
guest access with managed devices.
-### 2.17.1 Policy
-
-- Managed devices SHOULD be required for authentication.
+### Policies
+#### MS.AAD.17.1v1
+Managed devices SHOULD be required for authentication.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.17.2 Resources
+### Resources
- [Configure hybrid Azure AD join](https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-hybrid-azure-ad-join)
@@ -1158,12 +1207,12 @@ guest access with managed devices.
- [Set up enrollment for Windows devices (for Intune)](https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll)
-### 2.17.3 License Requirements
+### License Requirements
- Use Microsoft Intune (if implementing the requirement for the device
to be compliant).
-### 2.17.4 Implementation
+### Implementation
[Follow these instructions](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device#create-a-conditional-access-policy)
to create a conditional access policy that requires the device to be
@@ -1232,32 +1281,37 @@ of the tenant):
5. Under **Users and Groups** -\> **Applies to**, select **All users.**
-## 2.18 Guest User Access SHOULD Be Restricted
+## 18. Guest User Access
Ensure that only users with specific privileges can invite guest users
to the tenant and that invites can only be sent to specific external
domains. Also ensure that guest users have limited access to Azure AD
directory objects.
-### 2.18.1 Policy
-
-- Only users with the Guest Inviter role SHOULD be able to invite guest
- users.
+#### MS.AAD.18.1v1
+Only users with the Guest Inviter role SHOULD be able to invite guest users.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Guest invites SHOULD only be allowed to specific external domains that
- have been authorized by the agency for legitimate business purposes.
+#### MS.AAD.18.2v1
+Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Guest users SHOULD have limited access to Azure AD directory objects.
+#### MS.AAD.18.3v1
+Guest users SHOULD have limited access to Azure AD directory objects.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.18.2 Resources
+### Resources
- [Configure external collaboration settings](https://docs.microsoft.com/en-us/azure/active-directory/external-identities/external-collaboration-settings-configure)
-### 2.18.3 License Requirements
+### License Requirements
- N/A
-### 2.18.4 Implementation
+### Implementation
[Follow these instructions](https://docs.microsoft.com/en-us/azure/active-directory/external-identities/external-collaboration-settings-configure#configure-settings-in-the-portal)
to configure the Azure AD **External collaboration settings**.
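Review bot: this section replaces `### 2.18.1 Policy` directly with `#### MS.AAD.18.1v1` and never adds a `### Policies` heading, unlike the Managed Devices section above, which adds `+### Policies` before `#### MS.AAD.17.1v1`; as written, the three MS.AAD.18.x policy blocks become H4 children of the section's introductory paragraph rather than of a Policies heading. Add `### Policies` after the intro paragraph for consistency.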
diff --git a/baselines/defender.md b/baselines/defender.md
index 86f03a7d1a..da3a9a79fa 100644
--- a/baselines/defender.md
+++ b/baselines/defender.md
@@ -1,4 +1,4 @@
-# 1. Introduction
+# Introduction
Microsoft 365 Defender is a cloud-based enterprise defense suite that
coordinates prevention, detection, investigation, and response. This set
@@ -22,7 +22,7 @@ In addition to these controls, agencies should consider using a Cloud
Access Security Broker to secure their environments as they adopt zero
trust principles.
-## 1.1 Assumptions
+## Assumptions
The **License Requirements** sections of this document assume the
organization is using an [M365
@@ -31,7 +31,7 @@ or [G3](https://www.microsoft.com/en-us/microsoft-365/government)
license level. Therefore, only licenses not included in E3/G3 are
listed.
-## 1.2 Resources
+## Resources
**License Compliance and Copyright**
@@ -47,9 +47,9 @@ document. The United States Government has adapted selections of these
documents to develop innovative and scalable configuration standards to
strengthen the security of widely used cloud-based software services.
-# 2. Baseline
+# Baseline
-## 2.1 Preset Security Profiles SHOULD NOT Be Used
+## 1. Preset Security Profiles
Microsoft Defender defines two [preset security
profiles](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide):
@@ -59,50 +59,61 @@ the use of the preset profiles. Instead, it enumerates all relevant
settings, as the preset security profiles are inflexible and take
precedence over all other present policies.
-### 2.1.1 Policy
+### Policies
+#### MS.DEFENDER.1.1v1
+Preset security profiles SHOULD NOT be used.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Preset security profiles SHOULD NOT be used.
-
-### 2.1.2 Resources
+### Resources
- [Recommended settings for EOP and Microsoft Defender for Office 365
security \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide#eop-anti-spam-policy-settings)
-### 2.1.3 License Requirements
+### License Requirements
- N/A
-## 2.2 Data Loss Prevention SHALL Be Enabled
+## 2. Data Loss Prevention
There are multiple, different ways to secure sensitive information, such
as warning users, encryption, or blocking attempts to share. The
agency’s data loss prevention (DLP) policy will dictate what agency
information is sensitive and how that information is handled.
-### 2.2.1 Policy
-
-- A custom policy SHALL be configured to protect PII and sensitive
- information, as defined by the agency. At a minimum, credit card
- numbers, Taxpayer Identification Numbers (TIN), and Social Security
- Numbers (SSN) SHALL be blocked.
+### Policies
+#### MS.DEFENDER.2.1v1
+A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency. At a minimum, credit card numbers, Taxpayer Identification Numbers (TIN), and Social Security Numbers (SSN) SHALL be blocked.
+ - _Rationale:_ TODO
+- _Last modified:_ June 2023
-- The custom policy SHOULD be applied in Exchange, OneDrive, Teams Chat,
- and Microsoft Defender.
+#### MS.DEFENDER.2.2v1
+The custom policy SHOULD be applied in Exchange, OneDrive, Teams Chat, and Microsoft Defender.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- The action for the DLP policy SHOULD be set to block sharing sensitive
- information with everyone when DLP conditions are met.
+#### MS.DEFENDER.2.3v1
+The action for the DLP policy SHOULD be set to block sharing sensitive information with everyone when DLP conditions are met.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Notifications to inform users and help educate them on the proper use
- of sensitive information SHOULD be enabled.
+#### MS.DEFENDER.2.4v1
+Notifications to inform users and help educate them on the proper use of sensitive information SHOULD be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- A list of apps that are not allowed to access files protected by DLP
- policy SHOULD be defined.
+#### MS.DEFENDER.2.5v1
+A list of apps that are not allowed to access files protected by DLP policy SHOULD be defined.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- A list of browsers that are not allowed to access files protected by
- DLP policy SHOULD be defined.
+#### MS.DEFENDER.2.6v1
+A list of browsers that are not allowed to access files protected by DLP policy SHOULD be defined.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.2.2 Resources
+### Resources
- [Plan for data loss prevention (DLP) \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-overview-plan-for-dlp?view=o365-worldwide)
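Review bot: the rationale line under MS.DEFENDER.2.1v1 is indented (`+ - _Rationale:_ TODO`) while every other rationale in this change starts at column zero (`+- _Rationale:_ TODO`); the leading space is harmless in most renderers but breaks the pattern any tooling that parses these blocks will rely on, so align it with the others.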
@@ -116,7 +127,7 @@ information is sensitive and how that information is handled.
- [Sensitive information \|
NIST](https://csrc.nist.gov/glossary/term/sensitive_information)
-### 2.2.3 License Requirements
+### License Requirements
- DLP for Teams requires an E5 or G5 license. See [Information
Protection: Data Loss Prevention for Teams \| Microsoft
@@ -129,7 +140,7 @@ information is sensitive and how that information is handled.
Docs](https://docs.microsoft.com/en-us/microsoft-365/compliance/endpoint-dlp-getting-started?view=o365-worldwide)
for more information.
-### 2.2.4 Implementation
+### Implementation
1. Sign in to the [Microsoft 365
compliance](https://compliance.microsoft.com) admin center.
@@ -143,7 +154,7 @@ information is sensitive and how that information is handled.
5. Select **Edit policy**.
6. Edit the name and description of the policy if desired, then click
- **Next**.
+ **Next**.
7. Under **Locations to apply the policy**, set **Status** to **On**
for all products except Power BI (preview).
@@ -209,7 +220,7 @@ information is sensitive and how that information is handled.
8. Switch **Always audit file activity for devices** to **ON**.
-## 2.3 Common Attachments Filter SHALL Be Enabled
+## 3. Common Attachments Filter
Filtering emails by attachment file types will flag emails as malware if
the file type has been put in a predefined list of disallowed file
@@ -217,15 +228,18 @@ types. The Common Attachments Filter also attempts to look beyond just
the file extension and automatically detect the file type using true
typing.
-### 2.3.1 Policy
-
-- The common attachments filter SHALL be enabled in the default
- anti-malware policy and in all existing policies.
+### Policies
+#### MS.DEFENDER.3.1v1
+The common attachments filter SHALL be enabled in the default anti-malware policy and in all existing policies.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Disallowed file types SHALL be determined and set. At a minimum,
- click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe).
+#### MS.DEFENDER.3.2v1
+Disallowed file types SHALL be determined and set. At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe).
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.3.2 Resources
+### Resources
- [Configure anti-malware policies in EOP \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-anti-malware-policies?view=o365-worldwide)
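Review bot: MS.DEFENDER.3.2v1 combines a SHALL ("Disallowed file types SHALL be determined and set") with a SHOULD ("click-to-run files SHOULD be blocked") in a single policy item, which makes a pass/fail assessment against the identifier ambiguous; now that each requirement carries its own ID, split the SHOULD into its own block (e.g. MS.DEFENDER.3.3v1) or decide on one requirement level for the item.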
@@ -233,12 +247,12 @@ typing.
- [Anti-malware policies \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection?view=o365-worldwide#anti-malware-policies)
-### 2.3.3 License Requirements
+### License Requirements
- Requires Defender for Office 365 Plan 1 or 2. These are included with
E5 and G5 and are available as add-ons for E3 and G3.
-### 2.3.4 Implementation
+### Implementation
To enable common attachments filter in the default policy:
@@ -265,18 +279,20 @@ To create a new, custom policy, follow the instructions on [Use the
Microsoft 365 Defender portal to create anti-malware
policies](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-anti-malware-policies?view=o365-worldwide#use-the-microsoft-365-defender-portal-to-create-anti-malware-policies).
-## 2.4 Zero-Hour Auto Purge for Malware SHOULD Be Enabled
+## 4. Zero-Hour Auto Purge
This setting determines whether emails can be quarantined automatically
after delivery to a user’s mailbox (e.g., in the case of a match with an
updated malware classification rule).
-### 2.4.1 Policy
+### Policies
-- Zero-hour Auto Purge (ZAP) for malware SHOULD be enabled in the
- default anti-malware policy and in all existing custom policies.
+#### MS.DEFENDER.4.1v1
+Zero-hour Auto Purge (ZAP) for malware SHOULD be enabled in the default anti-malware policy and in all existing custom policies.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.4.2 Resources
+### Resources
- [Configure anti-malware policies in EOP \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-anti-malware-policies?view=o365-worldwide)
@@ -289,7 +305,7 @@ updated malware classification rule).
- Requires Defender for Office 365 Plan 1 or 2. These are included with
E5 and G5 and are available as add-ons for E3 and G3.
-### 2.4.4 Implementation
+### Implementation
To enable ZAP:
@@ -310,7 +326,7 @@ To enable ZAP:
8. Click **Save**.
-## 2.5 Phishing Protections SHOULD Be Enabled
+## 5. Phishing Protections
There are multiple ways to protect against phishing, including
impersonation protection, mailbox intelligence and safety tips.
@@ -320,27 +336,48 @@ the sender address is significantly similar, as to indicate an
impersonation attempt, the email is quarantined. Mailbox intelligence is
an AI-based tool for identifying potential impersonation attempts.
-### 2.5.1 Policy
-
-- User impersonation protection SHOULD be enabled for key agency
+### Policies
+#### MS.DEFENDER.5.1v1
+User impersonation protection SHOULD be enabled for key agency
leaders.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Domain impersonation protection SHOULD be enabled for domains owned by
+#### MS.DEFENDER.5.2v1
+Domain impersonation protection SHOULD be enabled for domains owned by
the agency.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Domain impersonation protection SHOULD be added for frequent partners.
+#### MS.DEFENDER.5.3v1
+Domain impersonation protection SHOULD be added for frequent partners.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Trusted senders and domains MAY be added in the event of false
+#### MS.DEFENDER.5.4v1
+Trusted senders and domains MAY be added in the event of false
positives.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Intelligence for impersonation protection SHALL be enabled.
+#### MS.DEFENDER.5.5v1
+Intelligence for impersonation protection SHALL be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Message action SHALL be set to quarantine if the message is detected
+#### MS.DEFENDER.5.6v1
+Message action SHALL be set to quarantine if the message is detected
as impersonated.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Mail classified as spoofed SHALL be quarantined.
+#### MS.DEFENDER.5.7v1
+Mail classified as spoofed SHALL be quarantined.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- All safety tips SHALL be enabled, including:
+#### MS.DEFENDER.5.8v1
+All safety tips SHALL be enabled, including:
- first contact,
@@ -350,14 +387,19 @@ an AI-based tool for identifying potential impersonation attempts.
- user impersonation unusual characters,
- - “?” for unauthenticated senders for spoof, and
+ - ? for unauthenticated senders for spoof, and
- - “via” tag.
+ - via tag.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- The above configurations SHALL be set in the default policy and SHOULD
+#### MS.DEFENDER.5.9v1
+The above configurations SHALL be set in the default policy and SHOULD
be set in all existing custom policies.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.5.2 Resources
+### Resources
- [Configure anti-phishing policies in EOP \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-anti-phishing-policies-eop?view=o365-worldwide)
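Review bot: in this section the policy statements are left wrapped across two lines (`+User impersonation protection SHOULD be enabled for key agency` followed by the unchanged ` leaders.`, and likewise for 5.2, 5.4 and 5.6), whereas the other sections in this change join each statement onto a single line under its `####` heading; pick one convention, since tooling that reads the line after the ID will otherwise see a truncated statement here. Separately, removing the quotation marks around the safety-tip names turns them into `- ? for unauthenticated senders for spoof, and` and `- via tag.`, which reads as a stray character and a stray word; if the curly quotes were the problem, use straight quotes or backticks (`"?"`, `"via"`) rather than dropping the delimiters.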
@@ -365,7 +407,7 @@ an AI-based tool for identifying potential impersonation attempts.
- [EOP anti-phishing policy settings \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide#eop-anti-phishing-policy-settings)
-### 2.5.3 License Requirements
+### License Requirements
- Impersonation protection and advanced phishing thresholds require
Defender for Office 365 Plan 1 or 2. These are included with E5 and G5
@@ -376,7 +418,7 @@ an AI-based tool for identifying potential impersonation attempts.
Docs](https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/office-365-us-government#platform-features)
for current offerings).
-### 2.5.4 Implementation
+### Implementation
1. Sign in to [Microsoft 365
Defender](https://security.microsoft.com/).
@@ -442,37 +484,59 @@ an AI-based tool for identifying potential impersonation attempts.
22. Click **Save**.
-## 2.6 Inbound Anti-Spam Protections SHALL Be Enabled
+## 6. Inbound Anti-Spam Protections
There are several features that protect against inbound spam. Bulk
compliant level, quarantines, safety tips, and zero-hour auto purge.
-### 2.6.1 Policy
+### Policies
-- The bulk complaint level (BCL) threshold SHOULD be set to six or
- lower.
+#### MS.DEFENDER.6.1v1
+The bulk complaint level (BCL) threshold SHOULD be set to six or lower.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Spam and high confidence spam SHALL be moved to either the junk email
- folder or the quarantine folder.
+#### MS.DEFENDER.6.2v1
+Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Phishing and high confidence phishing SHALL be quarantined.
+#### MS.DEFENDER.6.3v1
+Phishing and high confidence phishing SHALL be quarantined.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Bulk email SHOULD be moved to either the junk email folder or the
- quarantine folder.
+#### MS.DEFENDER.6.4v1
+Bulk email SHOULD be moved to either the junk email folder or the quarantine folder.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Spam in quarantine SHOULD be retained for at least 30 days.
+#### MS.DEFENDER.6.5v1
+Spam in quarantine SHOULD be retained for at least 30 days.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Spam safety tips SHOULD be turned on.
+#### MS.DEFENDER.6.6v1
+Spam safety tips SHOULD be turned on.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Zero-hour auto purge (ZAP) SHALL be enabled for both phishing and spam
- messages.
+#### MS.DEFENDER.6.7v1
+Zero-hour auto purge (ZAP) SHALL be enabled for both phishing and spam messages.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Allowed senders MAY be added but allowed domains SHALL NOT be added.
+#### MS.DEFENDER.6.8v1
+Allowed senders MAY be added but allowed domains SHALL NOT be added.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- The previously listed configurations SHALL be set in the default
- policy and SHOULD be set in all existing custom policies.
+#### MS.DEFENDER.6.9v1
+The previously listed configurations SHALL be set in the default policy and SHOULD be set in all existing custom policies.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.6.2 Resources
+### Resources
- [Bulk complaint level (BCL) in EOP \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/bulk-complaint-level-values?view=o365-worldwide)
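Review bot: the unchanged intro line reads "Bulk compliant level" while the new MS.DEFENDER.6.1v1 line and the linked resource both say "bulk complaint level (BCL)"; since this section is already being rewritten, fix the typo in the intro so the term matches the policy and the Microsoft documentation title.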
@@ -483,11 +547,11 @@ compliant level, quarantines, safety tips, and zero-hour auto purge.
- [Configure anti-spam policies in EOP \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-your-spam-filter-policies?view=o365-worldwide)
-### 2.6.3 License Requirements
+### License Requirements
- N/A
-### 2.6.4 Implementation
+### Implementation
1. Sign in to [Microsoft 365
Defender](https://security.microsoft.com/).
@@ -527,7 +591,7 @@ compliant level, quarantines, safety tips, and zero-hour auto purge.
11. Click **Save.**
-## 2.7 Safe Link Policies SHOULD Be Enabled
+## 7. Safe Links
When enabled, URLs in emails are rewritten by prepending
@@ -548,28 +612,53 @@ scanning service. Their proxy can perform the following:
If all checks pass, the user is redirected to the original URL.
-### 2.7.1 Policy
-
-- The Safe Links Policy SHALL include all agency domains—and by
- extension—all users.
-
-- URL rewriting and malicious link click checking SHALL be enabled.
-
-- Malicious link click checking SHALL be enabled with Microsoft Teams.
-
-- Real-time suspicious URL and file-link scanning SHALL be enabled.
-
-- URLs SHALL be scanned completely before message delivery.
-
-- Internal agency email messages SHALL have safe links enabled.
-
-- User click tracking SHALL be enabled.
-
-- Safe Links in Office 365 apps SHALL be turned on.
-
-- Users SHALL NOT be enabled to click through to the original URL.
-
-### 2.7.2 Resources
+### Policies
+#### MS.DEFENDER.7.1v1
+The Safe Links Policy SHALL include all agency domains and by extension all users.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
+
+#### MS.DEFENDER.7.2v1
+URL rewriting and malicious link click checking SHALL be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
+
+#### MS.DEFENDER.7.3v1
+Malicious link click checking SHALL be enabled with Microsoft Teams.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
+
+#### MS.DEFENDER.7.4v1
+Real-time suspicious URL and file-link scanning SHALL be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
+
+#### MS.DEFENDER.7.5v1
+URLs SHALL be scanned completely before message delivery.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
+
+#### MS.DEFENDER.7.6v1
+Internal agency email messages SHALL have safe links enabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
+
+#### MS.DEFENDER.7.7v1
+User click tracking SHALL be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
+
+#### MS.DEFENDER.7.8v1
+Safe Links in Office 365 apps SHALL be turned on.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
+
+#### MS.DEFENDER.7.9v1
+Users SHALL NOT be enabled to click through to the original URL.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
+
+### Resources
- [Safe Links in Microsoft Defender for Office 365 \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links?view=o365-worldwide)
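Review bot: replacing the em-dashes in MS.DEFENDER.7.1v1 leaves "all agency domains and by extension all users" with no punctuation, which changes the reading of the sentence; use commas ("all agency domains, and by extension all users") if the dashes are being avoided. Also note that this section inserts a blank line between each policy block (`+` lines after each `_Last modified:_`), while the other sections in this change do not; settle on one layout so the generated documents look uniform.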
@@ -578,12 +667,12 @@ If all checks pass, the user is redirected to the original URL.
Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-safe-links-policies?view=o365-worldwide)
-### 2.7.3 License Requirements
+### License Requirements
- Requires Defender for Office 365 Plan 1 or 2. These are included with
E5 and G5 and are available as add-ons for E3 and G3.
-### 2.7.4 Implementation
+### Implementation
For more information about recommended Safe Links settings, see
[Safe](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide#safe-links-settings)
@@ -640,7 +729,7 @@ message.**
5. Review the new policy, then click **Submit**.
-## 2.8 Safe-Attachments SHALL Be Enabled
+## 8. Safe-Attachments
The Safe Attachments will scan messages for attachments with malicious
content. It routes all messages and attachments that do not have a
@@ -649,20 +738,28 @@ learning and analysis techniques to detect malicious intent. Enabling
this feature may slow down message delivery to the user due to the
scanning.
-### 2.8.1 Policy
-
-- At least one Safe Attachments Policy SHALL include all agency
- domains—and by extension—all users.
+### Policies
+#### MS.DEFENDER.8.1v1
+At least one Safe Attachments Policy SHALL include all agency domains and by extension all users.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- The action for malware in email attachments SHALL be set to block.
+#### MS.DEFENDER.8.2v1
+The action for malware in email attachments SHALL be set to block.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Redirect emails with detected attachments to an agency-specified email
- SHOULD be enabled.
+#### MS.DEFENDER.8.3v1
+Redirect emails with detected attachments to an agency-specified email SHOULD be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Safe attachments SHOULD be enabled for SharePoint, OneDrive, and
- Microsoft Teams.
+#### MS.DEFENDER.8.4v1
+Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.8.2 Resources
+### Resources
- [Safe Attachments in Microsoft Defender for Office 365 \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments?view=o365-worldwide#safe-attachments-policy-settings)
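Review bot: MS.DEFENDER.8.1v1 has the same punctuation loss as the Safe Links policy, "all agency domains and by extension all users" with the em-dashes removed and nothing put in their place; add commas around "and by extension" so the sentence keeps its meaning.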
@@ -678,12 +775,12 @@ scanning.
Teams \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/turn-on-mdo-for-spo-odb-and-teams?view=o365-worldwide)
-### 2.8.3 License Requirements
+### License Requirements
- Requires Defender for Office 365 Plan 1 or 2. These are included with
E5 and G5 and are available as add-ons for E3 and G3.
-### 2.8.4 Implementation
+### Implementation
To configure safe attachments for Exchange Online, follow the
instructions listed on [Use the Microsoft 365 Defender portal to create
@@ -732,30 +829,33 @@ Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-securit
6. Set **Turn on Defender for Office 365 for SharePoint, OneDrive, and
Microsoft Teams** to on.
-## 2.9 Alerts SHALL Be Enabled
+## 9. Alerts
There are several pre-built alert policies available pertaining to
various apps in the M365 suite. These alerts give admins better
real-time insight into possible security incidents.
-### 2.9.1 Policy
+### Policies
+#### MS.DEFENDER.9.1v1
+At a minimum, the alerts required by the *Exchange Online Minimum Viable Secure Configuration Baseline* SHALL be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- At a minimum, the alerts required by the *Exchange Online Minimum
- Viable Secure Configuration Baseline* SHALL be enabled.
+#### MS.DEFENDER.9.2v1
+The alerts SHOULD be sent to a monitored address or incorporated into a SIEM.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- The alerts SHOULD be sent to a monitored address or incorporated into
- a SIEM.
-
-### 2.9.2 Resources
+### Resources
- [Alert policies in Microsoft 365 \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide)
-### 2.9.3 License Requirements
+### License Requirements
- N/A
-### 2.9.4 Implementation
+### Implementation
1. Sign in to [Microsoft 365
Defender](https://security.microsoft.com/).
@@ -770,7 +870,7 @@ real-time insight into possible security incidents.
6. Ensure **Email recipients** includes at least one monitored address.
-## 2.10 Unified Audit Logging SHALL Be Enabled
+## 10. Microsoft Purview Audit
Unified audit logging generates logs of user activity in M365 services.
These logs are essential for conducting incident response and threat detection activity.
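Review bot: the heading is renamed from "Unified Audit Logging" to "Microsoft Purview Audit", but the unchanged paragraph directly below still opens with "Unified audit logging generates logs of user activity in M365 services"; update the body text to introduce the new product name (or state that Purview Audit is the current name for unified audit logging) so the heading and prose agree.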
@@ -786,35 +886,42 @@ policy](https://docs.microsoft.com/en-us/microsoft-365/compliance/audit-log-rete
OMB M-21-13 also requires Advanced Audit be configured in M365. Advanced Audit adds additional event types to the Unified Audit Log.
-### 2.10.1 Policy
-
-- Unified audit logging SHALL be enabled.
+### Policies
+#### MS.DEFENDER.10.1v1
+Microsoft Purview Audit (Standard) logging SHALL be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Advanced audit SHALL be enabled.
+#### MS.DEFENDER.10.2v1
+Microsoft Purview Audit (Premium) logging SHALL be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Audit logs SHALL be maintained for at least the minimum duration
- dictated by OMB M-21-31.
+#### MS.DEFENDER.10.3v1
+Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.10.2 Resources
+### Resources
- [OMB M-21-31 \| Office of Management and
Budget](https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf)
- [Turn auditing on or off \| Microsoft
- Docs](https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide)
+ Docs](https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide)
- [Create an audit log retention policy \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/compliance/audit-log-retention-policies?view=o365-worldwide#create-an-audit-log-retention-policy)
- [Search the audit log in the compliance center \| Microsoft
- Docs ](https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide)
+ Docs ](https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide)
- [Audited Activities \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#audited-activities)
-### 2.10.3 License Requirements
+### License Requirements
-- Advanced audit capabilities, including the creation of a custom audit
+- Microsoft Purview Audit (Premium) logging capabilities, including the creation of a custom audit
log retention policy, requires E5/G5 licenses or E3/G3 licenses with
add-on compliance licenses.
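Review bot: the unchanged context line refers to "OMB M-21-13" while MS.DEFENDER.10.3v1 and the linked resource both cite OMB M-21-31; the memorandum number in the context line looks like a transposition and should be corrected while this section is being edited. In the License Requirements change, "Microsoft Purview Audit (Premium) logging capabilities, including the creation of a custom audit log retention policy, requires" has a subject-verb mismatch ("capabilities ... requires"); use "require". The two resource lines that are touched only for whitespace still carry the stray space in `Docs ](https://...search-the-audit-log...)`, which is worth removing in the same pass.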
@@ -823,7 +930,7 @@ OMB M-21-13 also requires Advanced Audit be configured in M365. Advanced Audit a
[Licensing requirements \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/compliance/auditing-solutions-overview?view=o365-worldwide#licensing-requirements).
-### 2.10.4 Implementation
+### Implementation
Auditing can be enabled from the Microsoft 365 compliance admin center
and the Exchange Online PowerShell. Follow the instructions listed on
diff --git a/baselines/exchange.md b/baselines/exo.md
similarity index 78%
rename from baselines/exchange.md
rename to baselines/exo.md
index 863dddcf65..7e913386f4 100644
--- a/baselines/exchange.md
+++ b/baselines/exo.md
@@ -1,4 +1,4 @@
-# 1. Introduction
+# Introduction
Microsoft Exchange Online provides users easy access to their email and
supports organizational meetings, contacts, and calendars.
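Review bot: this file is renamed from `baselines/exchange.md` to `baselines/exo.md`; any relative links or tooling paths that still point at `baselines/exchange.md` (for example references to the Exchange Online baseline from the other baseline documents or the repository README) need updating in the same change, otherwise they will 404 once this merges.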
@@ -14,7 +14,7 @@ this baseline. When noted, alternative products may be used in lieu of
Defender, on the condition that they fulfill these required baseline
settings.
-## 1.1 Assumptions
+## Assumptions
The **License Requirements** sections of this document assume the
organization is using an [M365
@@ -23,7 +23,7 @@ or [G3](https://www.microsoft.com/en-us/microsoft-365/government)
license level. Therefore, only licenses not included in E3/G3 are
listed.
-## 1.2 Resources
+## Resources
**License Compliance and Copyright**
@@ -39,28 +39,31 @@ document. The United States Government has adapted selections of these
documents to develop innovative and scalable configuration standards to
strengthen the security of widely used cloud-based software services.
-# 2. Baseline
+# Baseline
-## 2.1 Automatic Forwarding to External Domains SHALL Be Disabled
+## 1. Automatic Forwarding to External Domains
This control is intended to prevent bad actors from using client-side
forwarding rules to exfiltrate data to external recipients.
-### 2.1.1 Policy
+### Policies
-- Automatic forwarding to external domains SHALL be disabled.
+#### MS.EXO.1.1v1
+Automatic forwarding to external domains SHALL be disabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.1.2 Resources
+### Resources
- [Reducing or increasing information flow to another company \|
Microsoft
Docs](https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/remote-domains/remote-domains#reducing-or-increasing-information-flow-to-another-company)
-### 2.1.3 License Requirements
+### License Requirements
- N/A
-### 2.1.4 Implementation
+### Implementation
To disallow automatic forwarding to external domains:
@@ -76,7 +79,7 @@ To disallow automatic forwarding to external domains:
5. Clear the checkbox next to **Allow automatic forwarding**, then
click **Save**.
-## 2.2 Sender Policy Framework SHALL Be Enabled
+## 2. Sender Policy Framework
The Sender Policy Framework (SPF) is a mechanism that allows domain
administrators to specify which IP addresses are explicitly approved to
@@ -86,14 +89,19 @@ rather via DNS records hosted by the agency’s domain. Thus, the exact
steps needed to set up SPF varies from agency to agency, but Microsoft’s
documentation provides some helpful starting points.
-### 2.2.1 Policy
+### Policies
-- A list of approved IP addresses for sending mail SHALL be maintained.
+#### MS.EXO.2.1v1
+A list of approved IP addresses for sending mail SHALL be maintained.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- An SPF policy(s) that designates only these addresses as approved
- senders SHALL be published.
+#### MS.EXO.2.2v1
+An SPF policy(s) that designates only these addresses as approved senders SHALL be published.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.2.2 Resources
+### Resources
- [Binding Operational Directive 18-01 - Enhance Email and Web Security
\| DHS](https://cyber.dhs.gov/bod/18-01/)
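Review bot: MS.EXO.2.2v1 carries forward the awkward "An SPF policy(s)" from the removed bullet; since the line is being rewritten anyway, make it "An SPF policy that designates only these addresses as approved senders SHALL be published" (one record per sending domain is already implied by the DNS-based mechanism the intro describes).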
@@ -108,11 +116,11 @@ documentation provides some helpful starting points.
spoofing \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/how-office-365-uses-spf-to-prevent-spoofing?view=o365-worldwide)
-### 2.2.3 License Requirements
+### License Requirements
- N/A
-### 2.2.4 Implementation
+### Implementation
SPF is not configured through the Exchange admin center, but rather via
DNS records hosted by the agency’s domain. Thus, the exact steps needed
@@ -123,7 +131,7 @@ PowerShell tool Resolve-DnsName. For example:
`Resolve-DnsName example.com txt`
-## 2.3 DomainKeys Identified Mail SHOULD Be Enabled
+## 3. DomainKeys Identified Mail
DomainKeys Identified Mail (DKIM) allows digital signatures to be added
to email messages in the message header, providing a layer of both
@@ -133,11 +141,13 @@ agency manages its DNS. DKIM is enabled for your tenant's default domain
(e.g., onmicrosoft.com domains), but it must be manually enabled for
custom domains.
-### 2.3.1 Policy
+### Policies
+#### MS.EXO.3.1v1
+DKIM SHOULD be enabled for any custom domain.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- DKIM SHOULD be enabled for any custom domain.
-
-### 2.3.2 Resources
+### Resources
- [Binding Operational Directive 18-01 - Enhance Email and Web Security
\| DHS](https://cyber.dhs.gov/bod/18-01/)
@@ -155,13 +165,13 @@ custom domains.
- [What is EOP? \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/eop-general-faq?view=o365-worldwide#what-is-eop-)
-### 2.3.3 License Requirements
+### License Requirements
- DKIM signing is included with Exchange Online Protection (EOP), which
in turn is included in all Microsoft 365 subscriptions that contain
Exchange Online mailboxes.
-### 2.3.4 Implementation
+### Implementation
To enable DKIM, follow the instructions listed on [Steps to Create,
enable and disable DKIM from Microsoft 365 Defender portal \| Microsoft
@@ -188,7 +198,7 @@ Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-securit
8. Return to the DKIM page on the Defender admin center to finish
enabling DKIM.
-## 2.4 Domain-Based Message Authentication, Reporting, and Conformance SHALL Be Enabled
+## 4 Domain-Based Message Authentication, Reporting, and Conformance (DMARC)
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
works with SPF and DKIM to authenticate mail senders and ensure that
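Review bot: the new heading `## 4 Domain-Based Message Authentication, Reporting, and Conformance (DMARC)` is missing the period after the number that `## 1.`, `## 2.`, `## 3.` and `## 5.` all have; add it. The parenthesised acronym is also applied inconsistently across the renamed headings: section 4 and section 5 (SMTP AUTH) get one, sections 2 (SPF) and 3 (DKIM) do not, even though all four bodies refer to the control by acronym. Pick one convention for the file.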
@@ -196,19 +206,28 @@ destination email systems can validate messages sent from your domain.
DMARC helps receiving mail systems determine what to do with messages
sent from your domain that fail SPF or DKIM checks.
-### 2.4.1 Policy
-
-- A DMARC policy SHALL be published for every second-level domain.
+### Policies
+#### MS.EXO.4.1v1
+A DMARC policy SHALL be published for every second-level domain.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- The DMARC message rejection option SHALL be “p=reject”.
+#### MS.EXO.4.2v1
+The DMARC message rejection option SHALL be p=reject.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- The DMARC point of contact for aggregate reports SHALL include
- .
+#### MS.EXO.4.3v1
+The DMARC point of contact for aggregate reports SHALL include .
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- An agency point of contact SHOULD be included for aggregate and/or
- failure reports.
+#### MS.EXO.4.4v1
+An agency point of contact SHOULD be included for aggregate and/or failure reports.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.4.2 Resources
+### Resources
- [Binding Operational Directive 18-01 - Enhance Email and Web Security
\| DHS](https://cyber.dhs.gov/bod/18-01/)
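Review bot: MS.EXO.4.3v1 reads "The DMARC point of contact for aggregate reports SHALL include ." with nothing between "include" and the period, so the required `rua` recipient is missing from the policy. The removed bullet had the same gap (`SHALL include` followed by a bare `- .`), and the verification text further down ("is included as a point for contact for aggregate feedback") is missing the same value, so this is lost content rather than a typo; restore the address from the source document before merging instead of shipping an empty requirement. Separately, MS.EXO.4.2v1 dropped the quotation marks around p=reject; presenting it as a literal tag value (for example in backticks) is clearer than bare prose.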
@@ -225,11 +244,11 @@ sent from your domain that fail SPF or DKIM checks.
- [How Office 365 handles outbound email that fails DMARC \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-email?view=o365-worldwide#how-microsoft-365-handles-inbound-email-that-fails-dmarc)
-### 2.4.3 License Requirements
+### License Requirements
- N/A
-### 2.4.4 Implementation
+### Implementation
DMARC implementation varies depending on how an agency manages its DNS
records. See [Form the DMARC TXT record for your domain \| Microsoft
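Review bot: drive-by in the unchanged context at the top of this hunk: the resource titled "How Office 365 handles outbound email that fails DMARC" links to the anchor `#how-microsoft-365-handles-inbound-email-that-fails-dmarc`, so either the link text or the target is wrong. Worth fixing while the Resources list is being touched.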
@@ -247,7 +266,7 @@ is included in the policy returned from the query, and that (3)
is included as a point for contact for
aggregate feedback.
-## 2.5 Simple Mail Transfer Protocol Authentication SHALL Be Disabled
+## 5. Simple Mail Transfer Protocol Authentication (SMTP AUTH)
Modern email clients that connect to Exchange Online mailboxes—including
Outlook, Outlook on the web, iOS Mail, and Outlook for iOS and
@@ -255,13 +274,19 @@ Android—do not use Simple Mail Transfer Protocol Authentication (SMTP
AUTH) to send email messages. SMTP AUTH is only needed for applications
outside of Outlook that send email messages.
-### 2.5.1 Policy
+### Policies
-- SMTP AUTH SHALL be disabled in Exchange Online.
+#### MS.EXO.5.1v1
+SMTP AUTH SHALL be disabled in Exchange Online.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- SMTP AUTH MAY be enabled on a per-mailbox basis as needed.
+#### MS.EXO.5.2v1
+SMTP AUTH MAY be enabled on a per-mailbox basis as needed.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.5.2 Resources
+### Resources
- [Enable or disable authenticated client SMTP submission (SMTP AUTH) in
Exchange Online \| Microsoft
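Review bot: MS.EXO.5.2v1 (SMTP AUTH MAY be enabled per mailbox) is a standing exception to MS.EXO.5.1v1, and the rationale, once written, should restate the scope the intro gives (only applications outside Outlook that send mail need it) and say that each mailbox with the exception enabled has to be justified and inventoried; otherwise readers will treat 5.2 as permission to re-enable it on demand.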
@@ -271,11 +296,11 @@ outside of Outlook that send email messages.
specific mailboxes \| Microsoft
Docs](https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission#use-the-microsoft-365-admin-center-to-enable-or-disable-smtp-auth-on-specific-mailboxes)
-### 2.5.3 License Requirements
+### License Requirements
- N/A
-### 2.5.4 Implementation
+### Implementation
SMTP AUTH can only be disabled tenant-wide using Exchange Online
PowerShell. Follow the instructions listed at [Disable SMTP AUTH in your
@@ -287,22 +312,27 @@ listed at [Use the Microsoft 365 admin center to enable or disable SMTP
AUTH on specific mailboxes \| Microsoft
Docs](https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission#use-the-microsoft-365-admin-center-to-enable-or-disable-smtp-auth-on-specific-mailboxes).
-## 2.6 Calendar and Contact Sharing SHALL Be Restricted
+## 6. Calendar and Contact Sharing
Exchange Online allows the creation of sharing polices that soften
default restrictions on contact and calendar details sharing. These
policies should only be enabled with caution and must comply with the
following policies.
-### 2.6.1 Policy
+### Policies
-- Contact folders SHALL NOT be shared with all domains, although they
+#### MS.EXO.6.1v1
+Contact folders SHALL NOT be shared with all domains, although they
MAY be shared with specific domains.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Calendar details SHALL NOT be shared with all domains, although they
- MAY be shared with specific domains.
+#### MS.EXO.6.2v1
+Calendar details SHALL NOT be shared with all domains, although they MAY be shared with specific domains.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.6.2 Resources
+### Resources
- [Sharing in Exchange Online \| Microsoft
Docs](https://docs.microsoft.com/en-us/exchange/sharing/sharing)
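Review bot: MS.EXO.6.1v1 is split between a changed line ("...all domains, although they") and the unchanged line "MAY be shared with specific domains.", while MS.EXO.6.2v1 directly below was joined onto one line; join 6.1 the same way so the policy statements are formatted consistently and the `_Rationale:_` bullet does not follow a wrapped fragment. While in this block, "sharing polices" in the intro paragraph should be "sharing policies".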
@@ -313,11 +343,11 @@ following policies.
- [Sharing policies in Exchange Online \| Microsoft
Docs](https://docs.microsoft.com/en-us/exchange/sharing/sharing-policies/sharing-policies)
-### 2.6.3 License Requirements
+### License Requirements
- N/A
-### 2.6.4 Implementation
+### Implementation
To restrict sharing with all domains:
@@ -329,17 +359,19 @@ To restrict sharing with all domains:
3. Under **Individual Sharing**, for all existing policies, ensure that
for all sharing rules, **Sharing with all domains** is not selected.
-## 2.7 External Sender Warnings SHALL Be Implemented
+## 7. External Sender Warnings
Mail flow rules allow the modification of incoming mail, such that mail
from external users can be easily identified, for example by prepending
the subject line with “\[External\].”
-### 2.7.1 Policy
+### Policies
+#### MS.EXO.7.1v1
+External sender warnings SHALL be implemented.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- External sender warnings SHALL be implemented.
-
-### 2.7.2 Resources
+### Resources
- [Mail flow rules (transport rules) in Exchange Online \| Microsoft
Docs](https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules)
@@ -352,11 +384,11 @@ the subject line with “\[External\].”
\|
Cisa](https://www.cisa.gov/sites/default/files/publications/CISA_Insights_Actions_to_Counter_Email-Based_Attacks_on_Election-Related_S508C.pdf)
-### 2.7.3 License Requirements
+### License Requirements
- N/A
-### 2.7.4 Implementation
+### Implementation
To enable external sender warnings:
@@ -386,7 +418,7 @@ To enable external sender warnings:
11. Click **Save**.
-## 2.8 Data Loss Prevention Solutions SHALL Be Enabled
+## 8. Data Loss Prevention Solutions
Data loss prevention (DLP) helps prevent both accidental leakage of
sensitive information as well as intentional exfiltration of data. DLP
@@ -404,22 +436,23 @@ Minimum Viable Secure Configuration Baseline*. The DLP solution selected
by an agency should offer services comparable to those offered by
Microsoft.
-### 2.8.1 Policy
-
-- A DLP solution SHALL be used. The selected DLP solution SHOULD offer
- services comparable to the native DLP solution offered by Microsoft.
+### Policies
+#### MS.EXO.8.1v1
+A DLP solution SHALL be used. The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- The DLP solution SHALL protect PII and sensitive information, as
- defined by the agency. At a minimum, the sharing of credit card
- numbers, Taxpayer Identification Numbers (TIN), and Social Security
- Numbers (SSN) via email SHALL be restricted.
+#### MS.EXO.8.2v1
+The DLP solution SHALL protect PII and sensitive information, as defined by the agency. At a minimum, the sharing of credit card numbers, Taxpayer Identification Numbers (TIN), and Social Security Numbers (SSN) via email SHALL be restricted.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.8.2 Resources
+### Resources
- The “Data Loss Prevention SHALL Be Enabled” section of the *Defender
for Office 365 Minimum Viable Secure Configuration Baseline*.
-## 2.9 Emails SHALL Be Filtered by Attachment File Type
+## 9. Attachment File Type
For some types of files (e.g., executable files), the dangers of
allowing them to be sent over email outweigh any potential benefits.
@@ -436,25 +469,29 @@ Be Enabled” section of the Defender for Office 365 Minimum Viable Secure
Configuration Baseline. The solution selected by an agency should offer
services comparable to those offered by Microsoft.
-### 2.9.1 Policy
-
-- Emails SHALL be filtered by the file types of included attachments.
- The selected filtering solution SHOULD offer services comparable to
- Microsoft Defender’s Common Attachment Filter.
+### Policies
+#### MS.EXO.9.1v1
+Emails SHALL be filtered by the file types of included attachments. The selected filtering solution SHOULD offer services comparable to Microsoft Defenders Common Attachment Filter.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- The attachment filter SHOULD attempt to determine the true file type
- and assess the file extension.
+#### MS.EXO.9.2v1
+The attachment filter SHOULD attempt to determine the true file type and assess the file extension.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Disallowed file types SHALL be determined and set. At a minimum,
- click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe).
+#### MS.EXO.9.3v1
+Disallowed file types SHALL be determined and set. At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe).
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.9.2 Resources
+### Resources
- The “Common Attachments Filter SHALL Be Enabled” section of the
*Defender for Office 365 Minimum Viable Secure Configuration
Baseline*.
-## 2.10 Emails SHALL Be Scanned for Malware
+## 10. Malware
Though any product that fills the requirements outlined in this baseline
setting may be used, for guidance on implementing malware scanning using
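Review bot: MS.EXO.9.1v1 now reads "Microsoft Defenders Common Attachment Filter"; the apostrophe in "Defender’s" (still present in the removed bullet) was lost in the rewrite. Restore it, and check the other rewritten policy lines for the same curly-quote stripping.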
@@ -465,16 +502,24 @@ Office 365 Minimum Viable Secure Configuration Baseline*:
- “Zero-hour Auto Purge for Malware SHALL Be Enabled”
-### 2.10.1 Policy
+### Policies
-- Emails SHALL be scanned for malware.
+#### MS.EXO.10.1v1
+Emails SHALL be scanned for malware.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Emails identified as containing malware SHALL be quarantined or
- dropped.
+#### MS.EXO.10.2v1
+Emails identified as containing malware SHALL be quarantined or dropped.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Email scanning SHOULD be capable of reviewing emails after delivery.
+#### MS.EXO.10.3v1
+Email scanning SHOULD be capable of reviewing emails after delivery.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.10.2 Resources
+### Resources
- The “Safe-Attachments SHALL Be Enabled” section of the *Defender for
Office 365 Minimum Viable Secure Configuration Baseline.*
@@ -483,7 +528,7 @@ Office 365 Minimum Viable Secure Configuration Baseline*:
*Defender for Office 365 Minimum Viable Secure Configuration
Baseline.*
-## 2.11 Phishing Protections SHOULD Be Enabled
+## 11. Phishing Protections
Several techniques exist for protecting against phishing attacks,
including the following techniques:
@@ -505,22 +550,28 @@ phishing protections with Microsoft’s native solutions, see the
“Phishing Protections SHOULD Be Enabled,” section of the *Defender for
Office 365 Minimum Viable Secure Configuration Baseline*.
-### 2.11.1 Policy
+### Policies
+#### MS.EXO.11.1v1
+Impersonation protection checks SHOULD be used.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Impersonation protection checks SHOULD be used.
+#### MS.EXO.11.2v1
+User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- User warnings, comparable to the user safety tips included with EOP,
- SHOULD be displayed.
+#### MS.EXO.11.3v1
+The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- The phishing protection solution SHOULD include an AI-based phishing
- detection tool comparable to EOP Mailbox Intelligence.
-
-### 2.11.2 Resources
+### Resources
- The “Phishing Protections SHOULD Be Enabled” section of the *Defender
for Office 365 Minimum Viable Secure Configuration Baseline.*
-## 2.12 IP Allow Lists SHOULD NOT be Implemented
+## 12. IP Allow Lists
Microsoft Defender supports the creations of IP “allow lists,” intended
to ensure that emails from *specific* senders are not blocked. However,
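Review bot: drive-by in the unchanged intro of section 12 at the end of this hunk: "Microsoft Defender supports the creations of IP “allow lists,”" should read "creation of IP “allow lists,”".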
@@ -537,15 +588,23 @@ Microsoft sources from various third-party subscriptions. As with
senders in the allow list, emails from these senders bypass important
security mechanisms.
-### 2.12.1 Policy
-
-- IP allow lists SHOULD NOT be created.
+### Policies
+#### MS.EXO.12.1v1
+IP allow lists SHOULD NOT be created.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Safe lists SHOULD NOT be enabled.
+#### MS.EXO.12.2v1
+Safe lists SHOULD NOT be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- A connection filter MAY be implemented to create an IP “Block list.”
+#### MS.EXO.12.3v1
+A connection filter MAY be implemented to create an IP Block list.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.12.2 Resources
+### Resources
- [Use the IP Allow List \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-worldwide#use-the-ip-allow-list)
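Review bot: MS.EXO.12.3v1 lost the quotation marks around "Block list" that the removed bullet had, the same way "p=reject" lost them in MS.EXO.4.2v1, which looks like a side effect of the conversion rather than a style decision; either restore them or use the plain term "IP block list" throughout. The rationale for 12.1 and 12.2, once filled in, should carry the reason already stated in the paragraph above: senders on the allow list and safe list bypass the filtering mechanisms the rest of this baseline requires.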
@@ -557,11 +616,11 @@ security mechanisms.
connection filter policy \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-the-connection-filter-policy?view=o365-worldwide#use-the-microsoft-365-defender-portal-to-modify-the-default-connection-filter-policy)
-### 2.12.3 License Requirements
+### License Requirements
- Exchange Online Protection
-### 2.12.4 Implementation
+### Implementation
To modify the connection filters, follow the instructions found on [Use
the Microsoft 365 Defender portal to modify the default connection
@@ -587,7 +646,7 @@ policy](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-secur
8. Ensure **Turn on safe list** is not selected.
-## 2.13 Mailbox Auditing SHALL Be Enabled
+## 13. Mailbox Auditing
Mailbox auditing helps users investigate compromised accounts or
discover illicit access to Exchange Online. Some actions performed by
@@ -595,11 +654,13 @@ administrators, delegates, and owners are logged automatically. While
mailbox auditing is enabled by default, agencies should ensure that it
has not been inadvertently disabled.
-### 2.13.1 Policy
-
-- Mailbox auditing SHALL be enabled.
+### Policies
+#### MS.EXO.13.1v1
+Mailbox auditing SHALL be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.13.2 Resources
+### Resources
- [Manage mailbox auditing in Office 365 \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/compliance/enable-mailbox-auditing?view=o365-worldwide)
@@ -610,11 +671,11 @@ has not been inadvertently disabled.
- [Microsoft Compliance Manager - Microsoft 365 Compliance \|Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager?view=o365-worldwide)
-### 2.13.3 License Requirements
+### License Requirements
- N/A
-### 2.13.4 Implementation
+### Implementation
Mailbox auditing can be enabled from the Exchange Online PowerShell.
Follow the instructions listed on [Manage mailbox auditing in Office
@@ -636,7 +697,7 @@ To enable mailbox auditing via PowerShell:
`Set-OrganizationConfig –AuditDisabled $false`
-## 2.14 Inbound Anti-Spam Protections SHALL Be Enabled
+## 14. Inbound Anti-Spam Protections
Microsoft Defender includes several capabilities for protecting against
inbound spam emails. Use of Microsoft Defender is not strictly required
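Review bot: drive-by, not introduced by this change: the command in the unchanged context line, `Set-OrganizationConfig –AuditDisabled $false`, has an en dash before `AuditDisabled`. Windows PowerShell 5.1 does not treat an en dash as a parameter prefix, so the command fails with a binding error when pasted; it should be an ASCII hyphen (`-AuditDisabled`). Worth fixing while the file is open, since the baseline expects agencies to run it verbatim.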
@@ -645,24 +706,30 @@ this baseline setting may be used. See the “Inbound Anti-Spam
Protections SHALL Be Enabled” section of the *Defender for Office 365
Minimum Viable Secure Configuration Baseline* for additional guidance.
-### 2.14.1 Policy
-
-- A spam filter SHALL be enabled. The filtering solution selected SHOULD
- offer services comparable to the native spam filtering offered by
+### Policies
+#### MS.EXO.14.1v1
+A spam filter SHALL be enabled. The filtering solution selected SHOULD offer services comparable to the native spam filtering offered by
Microsoft.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Spam and high confidence spam SHALL be moved to either the junk email
- folder or the quarantine folder.
+#### MS.EXO.14.2v1
+Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Allowed senders MAY be added, but allowed domains SHALL NOT be added.
+#### MS.EXO.14.3v1
+Allowed senders MAY be added, but allowed domains SHALL NOT be added.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.14.2 Resources
+### Resources
- The “Inbound Anti-Spam Protections SHALL Be Enabled” section of the
*Defender for Office 365 Minimum Viable Secure Configuration
Baseline*.
-## 2.15 Link Protection SHOULD Be Enabled
+## 15. Link Protection
Several technologies exist for protecting users from malicious links
included in emails. For example, Microsoft Defender accomplishes this by
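Review bot: same wrapping problem as MS.EXO.6.1v1: MS.EXO.14.1v1 ends on the changed line at "offered by" and continues on the unchanged line "Microsoft.", whereas 14.2 and 14.3 were each joined onto a single line. Join 14.1 as well.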
@@ -688,20 +755,29 @@ guidance for enabling link scanning using Microsoft Defender is included
in the “Safe Links Policies SHALL Be Enabled” section of the *Defender for Office 365
Minimum Viable Secure Configuration Baseline.*
-### 2.15.1 Policy
+### Policies
-- URL comparison with a block-list SHOULD be enabled.
+#### MS.EXO.15.1v1
+URL comparison with a block-list SHOULD be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Direct download links SHOULD be scanned for malware.
+#### MS.EXO.15.2v1
+Direct download links SHOULD be scanned for malware.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- User click tracking SHOULD be enabled.
+#### MS.EXO.15.3v1
+User click tracking SHOULD be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.15.2 Resources
+### Resources
- The “Safe Links Policies SHOULD Be Enabled” section of the *Defender
for Office 365 Minimum Viable Secure Configuration Baseline*.
-## 2.16 Alerts SHALL Be Enabled
+## 16. Alerts
Microsoft Defender includes several prebuilt alert policies, many of
which pertain to Exchange Online. These alerts give admins better
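Review bot: the two pointers into the Defender baseline in this hunk disagree: the paragraph at the top says "Safe Links Policies SHALL Be Enabled" while the Resources entry says "Safe Links Policies SHOULD Be Enabled" (and the heading being removed here was "Link Protection SHOULD Be Enabled"). Both are unchanged context, but since section titles are now the only cross-reference into the other document, confirm which wording that document uses and make both lines match.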
@@ -710,9 +786,9 @@ configuring alerts in Microsoft Defender is given in the “Alerts SHALL
Be Enabled” section of the *Defender for Office 365 Minimum Viable
Secure Configuration Baseline*.
-### 2.16.1 Policy
-
-- At a minimum, the following alerts SHALL be enabled:
+### Policies
+#### MS.EXO.16.1v1
+At a minimum, the following alerts SHALL be enabled:
- Suspicious email sending patterns detected.
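Review bot: MS.EXO.16.1v1 places the policy heading and lead sentence here but leaves the alert list that follows at the top level, and the `_Rationale:_`/`_Last modified:_` bullets only arrive after the last alert in the next hunk. The result is one flat bullet list in which the alert names and the metadata bullets are siblings. Indent the alert items under the policy statement (or put the metadata bullets before the list) so a renderer does not merge "A potentially malicious URL click was detected." and "_Rationale:_ TODO" into the same list.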
@@ -731,16 +807,20 @@ Secure Configuration Baseline*.
- Malware campaign detected after delivery.
- A potentially malicious URL click was detected.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- The alerts SHOULD be sent to a monitored address or incorporated into
- a SIEM.
+#### MS.EXO.16.2v1
+The alerts SHOULD be sent to a monitored address or incorporated into a SIEM.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.16.2 Resources
+### Resources
- The “Alerts SHALL Be Enabled” section of the *Defender for Office 365
Minimum Viable Secure Configuration Baseline*.
-## 2.17 Unified Audit Logging SHALL Be Enabled
+## 17. Unified Audit Logging
Unified audit logging generates logs of user activity in M365 services.
These logs are essential for conducting incident response and threat detection activity.
@@ -757,17 +837,23 @@ guidance configuring audit logging, see the “Audit Logging SHALL Be
Enabled” section of the *Defender for Office 365 Minimum Viable Secure
Configuration Baseline*.
-### 2.17.1 Policy
-
-- Unified audit logging SHALL be enabled.
+### Policies
+#### MS.EXO.17.1v1
+Unified audit logging SHALL be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Advanced audit SHALL be enabled.
+#### MS.EXO.17.2v1
+Advanced audit SHALL be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Audit logs SHALL be maintained for at least the minimum duration
- dictated by [OMB M-21-31 (Appendix
- C)](https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf).
+#### MS.EXO.17.3v1
+Audit logs SHALL be maintained for at least the minimum duration dictated by [OMB M-21-31 (Appendix C)](https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf).
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.17.2 Resources
+### Resources
- The “Unified Audit Logging SHALL Be Enabled” section of the *Defender for
Office 365 Minimum Viable Secure Configuration Baseline*.
diff --git a/baselines/onedrive.md b/baselines/onedrive.md
index b54c4fa911..170eea0baf 100644
--- a/baselines/onedrive.md
+++ b/baselines/onedrive.md
@@ -1,4 +1,4 @@
-# 1. Introduction
+# Introduction
OneDrive for Business is a cloud-based file storage system with online
editing and collaboration tools for Microsoft Office documents and is
@@ -9,7 +9,7 @@ collaboration with multiple people.
This security baseline applies guidance from industry benchmarks on how
to secure cloud solutions on Azure.
-## 1.1 Assumptions
+## Assumptions
These baseline specifications assume that the agency is using OneDrive
for Business, not personal or school versions, and allowing access using
@@ -25,7 +25,7 @@ or [G3](https://www.microsoft.com/en-us/microsoft-365/government)
license level. Therefore, only licenses not included in E3/G3 are
listed.
-## 1.2 Resources
+## Resources
**License Compliance and Copyright**
@@ -41,9 +41,9 @@ document. The United States Government has adapted selections of these
documents to develop innovative and scalable configuration standards to
strengthen the security of widely used cloud-based software services.
-# 2. Baseline
+# Baseline
-## 2.1 Anyone Links SHOULD Be Turned Off
+## 1. Anyone Links
Unauthenticated sharing (Anyone links) is used to share data without
authentication and users are free to pass it on to others outside the
@@ -51,20 +51,23 @@ agency. To prevent users from unauthenticated sharing of content, turn
off Anyone sharing for users outside the tenant when accessing content
in SharePoint, Groups, or Teams.
-### 2.1.1 Policy
+### Policies
-- Anyone links SHOULD be disabled.
+#### MS.ONEDRIVE.1.1v1
+Anyone links SHOULD be disabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.1.2 Resources
+### Resources
- [Limit accidental exposure \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/solutions/share-limit-accidental-exposure?view=o365-worldwide)
-### 2.1.3 License Requirements
+### License Requirements
- N/A
-### 2.1.4 Implementation
+### Implementation
**Note**: OneDrive settings can be more restrictive than the SharePoint
setting, but not more permissive.
@@ -95,7 +98,7 @@ To turn off Anyone links for a site:
5. Click **Save**.
-## 2.2 Expiration Date SHOULD Be Set for Anyone Links
+## 2. Expiration Date for Anyone Links
Files that are stored in SharePoint sites, Groups, and Teams for months
and years could lead to unexpected modifications to files if shared with
@@ -104,22 +107,28 @@ can help avoid unwanted changes. If Anyone links are enabled, the
expiration date SHOULD be set to thirty days or as determined by mission
needs or agency policy.
-### 2.2.1 Policy
+### Policies
-- An expiration date SHOULD be set for Anyone links.
+#### MS.ONEDRIVE.2.1v1
+Expiration Date SHOULD Be Set for Anyone Links.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Expiration date SHOULD be set to thirty days.
+#### MS.ONEDRIVE.2.2v1
+Expiration date SHOULD be set to thirty days.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.2.2 Resources
+### Resources
- [Best practices for unauthenticated sharing \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/solutions/best-practices-anonymous-sharing?view=o365-worldwide)
-### 2.2.3 License Requirements
+### License Requirements
- N/A
-### 2.2.4 Implementation
+### Implementation
To set an expiration date for Anyone links across the agency (**Note**:
Anyone links must be enabled).
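Review bot: MS.ONEDRIVE.2.1v1 was rewritten as "Expiration Date SHOULD Be Set for Anyone Links." in title case, copied from the old section heading, while the removed bullet ("An expiration date SHOULD be set for Anyone links.") and every MS.EXO policy in this change use sentence case. Keep the sentence-case bullet text; the same applies to 3.1, 4.1, 5.1, 6.1 and 7.1 in this file, all of which were built from the old headings rather than from the old policy bullets.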
@@ -153,27 +162,30 @@ To set an expiration date for Anyone links on a specific site:
5. Click **Save**.
-## 2.3 Link Permissions SHOULD Be Set to Enabled Anyone Links to View
+## 3. Link Permissions
The Anyone links default to allow people to edit files, as well as edit
and view files and upload new files to folders. To allow unauthenticated
sharing but keep unauthenticated people from modifying the agency's
content, consider setting the file and folder permissions to **View**.
-### 2.3.1 Policy
+### Policies
-- Anyone link permissions SHOULD be limited to View.
+#### MS.ONEDRIVE.3.1v1
+Link Permissions SHOULD Be Set to Enabled Anyone Links to View.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.3.2 Resources
+### Resources
- [Set link permissions \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoft-365/solutions/best-practices-anonymous-sharing?view=o365-worldwide#set-link-permissions)
-### 2.3.3 License Requirements
+### License Requirements
- N/A
-### 2.3.4 Implementation
+### Implementation
1. Open the **SharePoint admin center**.
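Review bot: MS.ONEDRIVE.3.1v1 "Link Permissions SHOULD Be Set to Enabled Anyone Links to View." is ungrammatical ("Set to Enabled ... to View") and less precise than the bullet it replaces, "Anyone link permissions SHOULD be limited to View."; restore that wording, which also matches the implementation step "set the file and folder permissions to **View**".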
@@ -183,27 +195,29 @@ content, consider setting the file and folder permissions to **View**.
3. Under **Advanced settings for Anyone links**, set the file and
folder permissions to **View**.
-## 2.4 OneDrive Client SHALL Be Restricted to Windows for Agency-Defined Domain(s)
+## 4. OneDrive Client
Configuring OneDrive to sync only to agency-defined domains ensures that
users can only sync to agency-managed computers.
-### 2.4.1 Policy
+### Policies
-- OneDrive Client for Windows SHALL be restricted to agency-Defined
- Domain(s).
+#### MS.ONEDRIVE.4.1v1
+OneDrive Client SHALL Be Restricted to Windows for Agency-Defined Domain(s).
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.4.2 Resources
+### Resources
- [Allow syncing only on computers joined to specific domains – OneDrive
\| Microsoft
Docs](https://docs.microsoft.com/en-us/onedrive/allow-syncing-only-on-specific-domains)
-### 2.4.3 License Requirements
+### License Requirements
- N/A
-### 2.4.4 Implementation
+### Implementation
1. Open the **SharePoint admin center.**
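Review bot: MS.ONEDRIVE.4.1v1 changes the meaning of the requirement. The removed bullet said the OneDrive client for Windows SHALL be restricted to agency-defined domains, i.e. sync only from domain-joined machines; the new text "OneDrive Client SHALL Be Restricted to Windows for Agency-Defined Domain(s)" reads as restricting the client to the Windows platform. Use the old bullet's wording: the intro ("users can only sync to agency-managed computers") and the domain-GUID steps in the Implementation describe the former, not the latter.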
@@ -218,7 +232,7 @@ users can only sync to agency-managed computers.
domains** check box.
5. Add the [Globally Unique Identifier (GUID) of each
- domain](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addomain?view=windowsserver2022-ps) for
+ domain](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addomain?view=windowsserver2022-ps) for
the member computers that the agency wants to be able to sync.
**Note:** Add the domain GUID of the computer domain membership. If
@@ -233,28 +247,30 @@ instead.
6. Click **Save**.
-## 2.5 OneDrive Client SHALL Be Restricted to Sync with Mac for Agency-Defined Devices
+## 5. Sync with Mac for Agency-Defined Devices
Set restrictions on whether users can sync items to non-domain joined
machines, control the list of allowed domains, and manage whether Mac
clients (which do not support domain join) can sync.
-### 2.5.1 Policy
+### Policies
-- OneDrive Client Sync SHALL only be allowed only within the local
- domain.
+#### MS.ONEDRIVE.5.1v1
+OneDrive Client SHALL Be Restricted to Sync with Mac for Agency-Defined Devices.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.5.2 Resources
+### Resources
- [Set-SPOTenantSyncClientRestriction (SharePointOnlinePowerShell) \|
Microsoft
Docs](https://docs.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenantsyncclientrestriction?view=sharepoint-ps#:~:text=In%20order%20to%20explicitly%20block%20Microsoft%20OneDrive%20client,cmdlet%20with%20the%20BlockMacSync%20parameter%20set%20to%20true.?msclkid=f80f95c5c4c611ecac7de0980370f33c)
-### 2.5.3 License Requirements
+### License Requirements
- N/A
-### 2.5.4 Implementation
+### Implementation
The `Set-SPOTenantSyncClientRestriction` cmdlet can be used to enable
the feature for tenancy and set the domain GUIDs in the safe recipients
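Review bot: MS.ONEDRIVE.5.1v1 replaces the bullet "OneDrive Client Sync SHALL only be allowed only within the local domain" with "OneDrive Client SHALL Be Restricted to Sync with Mac for Agency-Defined Devices", which is a change of substance (the old bullet duplicated section 6; the new text comes from the old heading) and should be called out rather than folded into a renumbering commit. The policy as worded also has no enforcement path in this section: the intro says Mac clients do not support domain join, and the Implementation below runs `Set-SPOTenantSyncClientRestriction` with `-BlockMacSync:$false`, which permits Mac sync rather than restricting it. Either define what "agency-defined devices" means for Macs and how it is enforced, or rewrite 5.1 to state what the cmdlet actually does.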
@@ -266,26 +282,29 @@ reflected within five minutes.
"786548DD-877B-4760-A749-6B1EFBC1190A;
877564FF-877B-4760-A749-6B1EFBC1190A" -BlockMacSync:$false`
-## 2.6 OneDrive Client Sync SHALL Only Be Allowed Within the Local Domain
+## 6. Local Domain Sync
Configuring OneDrive to sync only to agency-defined domains ensures that
users can only sync to agency-managed computers.
-### 2.6.1 Policy
+### Policies
-- OneDrive Client Sync SHALL be restricted to the local domain.
+#### MS.ONEDRIVE.6.1v1
+OneDrive Client Sync SHALL Only Be Allowed Within the Local Domain.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.6.2 Resources
+### Resources
- [Allow syncing only on computers joined to specific domains \|
Microsoft
Documents](https://docs.microsoft.com/en-us/onedrive/allow-syncing-only-on-specific-domains)
-### 2.6.3 License Requirements
+### License Requirements
- N/A
-### 2.6.4 Implementation
+### Implementation
1. Open the **SharePoint admin center**.
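Review bot: MS.ONEDRIVE.6.1v1 keeps the old heading's Title Case (`+OneDrive Client Sync SHALL Only Be Allowed Within the Local Domain.`) while the Power BI and Power Platform policies in this same patch are sentence-cased ("External sharing SHOULD be disabled unless ..."); pick one convention for policy statements across the baselines. With section 5 now covering Mac clients, this section and the previous one overlap on the domain-GUID restriction, so a cross-reference from 6.1v1 to 5.1v1 would help the reader see that both are satisfied by the same `Set-SPOTenantSyncClientRestriction` call.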
@@ -298,7 +317,7 @@ users can only sync to agency-managed computers.
computers joined to specific domains** is checked, and that a domain
GUID displays in the box below it.
-## 2.7 Legacy Authentication SHALL Be Blocked
+## 7. Legacy Authentication
Modern authentication, based on Active Directory Authentication Library
(ADAL) and Open Authorization 2 (OAuth2), is a critical component of
@@ -311,20 +330,23 @@ important to make sure that only apps that support modern authentication
are allowed to connect, assuring that only authorized devices are
allowed to access enterprise data.
-### 2.7.1 Policy
+### Policies
-- Legacy Authentication SHALL be blocked.
+#### MS.ONEDRIVE.7.1v1
+Legacy Authentication SHALL Be Blocked.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.7.2 Resources
+### Resources
- [Control access from unmanaged devices \| Microsoft
Documents](https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices)
-### 2.7.3 License Requirements
+### License Requirements
- N/A
-### 2.7.4 Implementation
+### Implementation
1. Open the **SharePoint admin center**.
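Review bot: the single resource under MS.ONEDRIVE.7.1v1, "Control access from unmanaged devices", documents a different control (device-based access policy) from the one the policy requires (blocking legacy authentication); the Resources list should point at the SharePoint admin center access-control setting for apps that don't use modern authentication, or at the equivalent Azure AD Conditional Access guidance, so that the Implementation steps that follow can be checked against a reference. Same Title Case point as the other OneDrive policies.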
diff --git a/baselines/powerbi.md b/baselines/powerbi.md
index 0259e6770d..adcf40d9ff 100644
--- a/baselines/powerbi.md
+++ b/baselines/powerbi.md
@@ -1,4 +1,4 @@
-# 1. Introduction
+# Introduction
Power BI is a Software as a Service (SaaS) offering from Microsoft that
facilitates self-service business intelligence dashboards, reports,
@@ -20,7 +20,7 @@ additional detail, please refer to the [Power BI
Security](https://docs.microsoft.com/en-us/power-bi/enterprise/service-admin-power-bi-security)
documentation page.)
-## 1.1 Scope
+## Scope
This baseline focuses on the Power BI SaaS service that comes integrated
with Microsoft 365, noting that there is also a desktop version of Power
@@ -32,7 +32,7 @@ separate Power BI desktop baseline with tailored security requirements
and considerations should be developed by security and end user
operations staff.
-## 1.2 Resources
+## Resources
**License Compliance and Copyright**
@@ -48,7 +48,7 @@ document. The United States Government has adapted selections of these
documents to develop innovative and scalable configuration standards to
strengthen the security of widely used cloud-based software services.
-## 1.3 Assumptions
+## Assumptions
Agencies using Power BI have a data classification scheme in place for
the data entering Power BI.
@@ -69,9 +69,9 @@ Agencies using Power BI have a data classification scheme in place for
simplification of data management and access at enterprise scale.
-# 2. Baseline
+# Baseline
-## 2.1 External Sharing SHOULD be Disabled
+## 1. External Sharing
External sharing can represent a potential security risk, therefore,
disabling it is a best practice unless specific, approved use cases make
@@ -102,35 +102,27 @@ People outside the tenant agency cannot see any data if role or
row-level security is implemented on on-premises Analysis Services
tabular models.
-### 2.1.1 Policy
+### Policies
+#### MS.POWERBI.1.1v1
+External sharing SHOULD be disabled unless the agency mission requires the capability.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- External sharing SHOULD be disabled unless the agency mission requires
- the capability.
+#### MS.POWERBI.1.2v1
+If external sharing is deemed appropriate, the agency SHOULD limit the sharing ability to a security group.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- If external sharing is deemed appropriate, the agency SHOULD limit the
- sharing ability to a security group instead of the entire agency.
-
-### 2.1.2 Resources
+### Resources
- [Power BI Tenant settings \| Microsoft
Docs](https://docs.microsoft.com/en-us/power-bi/guidance/admin-tenant-settings)
-### 2.1.3 License Requirements
+### License Requirements
- N/A
-### 2.1.4 Implementation
-
-1. In the **Power BI tenant admin portal**, go to **Export and Sharing
- Settings.**
-
-2. Disable the **External sharing** toggle.
-
-3. If the agency approves external sharing, select a specific security
- group that includes users who should be able to share data and
- reports externally.
-
-## 2.2 Publish to Web SHOULD be Disabled
+## 2. Publish to Web
Power BI has a capability to publish reports and content to the web.
This capability creates a publicly accessible web URL that does not
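Review bot: the Implementation subsection is deleted outright (`-### 2.1.4 Implementation` through the security-group step) with nothing replacing it, and the same pattern repeats for every Power BI policy below, while the Power Platform and SharePoint files in this same patch keep their Implementation sections. If the steps moved to a separate document or to automated checks, the commit should say where; otherwise the Power BI baseline now states MS.POWERBI.1.1v1 and 1.2v1 with no instruction for applying them. Separately, 1.2v1 drops the qualifier "instead of the entire agency" from the old bullet; that phrase is what made "limit the sharing ability to a security group" a restriction rather than a grouping choice, so keep it.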
@@ -144,12 +136,13 @@ admins should limit the ability to publish to the web to only specific
security groups, instead of allowing the entire agency to publish data
to the web.
-### 2.2.1 Policy
-
-- The Publish to Web feature SHOULD be disabled unless the agency
- mission requires the capability.
+### Policies
+#### MS.POWERBI.2.1v1
+The Publish to Web feature SHOULD be disabled unless the agency mission requires the capability.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.2.2 Resources
+### Resources
- [Power BI Tenant settings \| Microsoft
Docs](https://docs.microsoft.com/en-us/power-bi/guidance/admin-tenant-settings)
@@ -157,27 +150,12 @@ to the web.
- [Power BI Security Baseline v2.0 \| Microsoft benchmarks GitHub
repo](https://github.com/MicrosoftDocs/SecurityBenchmarks/blob/master/Azure%20Offer%20Security%20Baselines/2.0/power-bi-security-baseline-v2.0.xlsx)
-### 2.2.3 License Requirements
+### License Requirements
- N/A
-### 2.2.4 Implementation
-
-***Confirm Publish to web is disabled***
-The **Publish to web** setting in the admin portal gives options for
-users to create embed codes. It is recommended that agencies disallow
-publishing to the web pending further justification reviews by
-information security.
-
-1. Administrators can set **Publish to web** to **Disabled.**
-
-2. However, if **Publish to web** is set to **enabled**, admins
- can **Choose how embed codes work** to **Allow only existing embed
- codes**. In that case, users can create embed codes, but they must
- contact the tenant’s Power BI admin to allow them to do so.
-
-## 2.3 Power BI Guest Access SHOULD be Disabled
+## 3. Power BI Guest Access
A best practice is to disallow guest user access. Disallowing guest
access also aligns with zero trust principles. The agency with
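Review bot: the removed Implementation block was the only place the compensating control for an enabled Publish to web setting was described ("Choose how embed codes work" set to "Allow only existing embed codes", so new codes require the Power BI admin). MS.POWERBI.2.1v1 only says the feature SHOULD be disabled "unless the agency mission requires the capability"; for the exception case the reader now has no guidance on how to constrain it. Either carry that sentence into the narrative above the policy or add a second policy covering the enabled case.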
@@ -215,12 +193,13 @@ allow these users to use people pickers within the Power BI UX. Since
Power BI integrates natively with AAD, the AAD Baseline should be
consulted for additional guidance on managing guest users.
-### 2.3.1 Policy
+### Policies
+#### MS.POWERBI.3.1v1
+Guest user access to the Power BI tenant SHOULD be disabled unless the agency mission requires the capability.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Guest user access to the Power BI tenant SHOULD be disabled unless the
- agency mission requires the capability.
-
-### 2.3.2 Resources
+### Resources
- [Power BI Tenant settings \| Microsoft
Docs](https://docs.microsoft.com/en-us/power-bi/guidance/admin-tenant-settings)
@@ -228,19 +207,12 @@ consulted for additional guidance on managing guest users.
- [Power BI Security Baseline v2.0 \| Microsoft benchmarks GitHub
repo](https://github.com/MicrosoftDocs/SecurityBenchmarks/blob/master/Azure%20Offer%20Security%20Baselines/2.0/power-bi-security-baseline-v2.0.xlsx)
-### 2.3.3 License Requirements
+### License Requirements
- N/A
-### 2.3.4 Implementation
-
-1. In the **tenant admin portal**, go to **Export and Sharing
- Settings**.
-
-2. Disable the **Allow Azure Active Directory guest users to access
- Power BI** toggle.
-## 2.4 External Invitations SHOULD be Disabled
+## 4. External Invitations
This setting controls whether Power BI allows inviting external users to
the agency’s organization through Power BI’s sharing workflows and
@@ -266,12 +238,13 @@ controls the ability to invite guest users through Power BI. See the
*AAD Minimum Viable Secure Configuration Baseline* for more information
on roles.
-### 2.4.1 Policy
+### Policies
+#### MS.POWERBI.4.1v1
+The **Invite external users to your organization** feature SHOULD be disabled unless agency mission requires the capability.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- The **Invite external users to your organization** feature SHOULD be
- disabled unless agency mission requires the capability.
-
-### 2.4.2 Resources
+### Resources
- [Power BI Tenant settings \| Microsoft
Docs](https://docs.microsoft.com/en-us/power-bi/guidance/admin-tenant-settings)
@@ -283,17 +256,12 @@ on roles.
- [Power BI Security Baseline v2.0 \| Microsoft benchmarks GitHub
repo](https://github.com/MicrosoftDocs/SecurityBenchmarks/blob/master/Azure%20Offer%20Security%20Baselines/2.0/power-bi-security-baseline-v2.0.xlsx)
-### 2.4.3 License Requirements
+### License Requirements
- N/A
-### 2.4.4 Implementation
-
-1. In the tenant admin portal, go to **Export and Sharing Settings**.
-
-2. Disable the **Invite external users to your organization** toggle.
-## 2.5 The External Editing Capability SHOULD be Disabled
+## 5. The External Editing
It is possible to give external guest users the ability to edit and
manage Power BI content; however, this could have considerable data
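Review bot: the new heading `+## 5. The External Editing` is ungrammatical after the shortening; use "## 5. External Editing" to match the form of the neighbouring headings ("External Sharing", "External Invitations").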
@@ -305,12 +273,13 @@ If there is a mission need to allow external users to edit and manage
Power BI content, the recommended best practice is to assign these
entities to a security group.
-### 2.5.1 Policy
+### Policies
+#### MS.POWERBI.5.1v1
+The external editing capability SHOULD be disabled unless agency mission requires the capability.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- The external editing capability SHOULD be disabled unless agency
- mission requires the capability.
-
-### 2.5.2 Resources
+### Resources
- [Power BI Tenant settings \| Microsoft
Docs](https://docs.microsoft.com/en-us/power-bi/guidance/admin-tenant-settings)
@@ -322,20 +291,14 @@ entities to a security group.
- [Power BI Security Baseline v2.0 \| Microsoft benchmarks GitHub
repo](https://github.com/MicrosoftDocs/SecurityBenchmarks/blob/master/Azure%20Offer%20Security%20Baselines/2.0/power-bi-security-baseline-v2.0.xlsx)
-### 2.5.3 License Requirements
+### License Requirements
If this setting is enabled, an AAD B2B guest user must have a Power BI
Pro license in a workspace other than the “My workspace” area to edit
and manage content within the inviting organization’s Power BI tenant.
-### 2.5.4 Implementation
-
-1. In the tenant admin portal, go to **Export and Sharing Settings**.
-
-2. Disable the toggle labeled **Allow Azure Active Directory guest
- users to edit and manage content in the organization**.
-## 2.6 Service Principals SHALL be Allowed to be Used to Securely Manage Application Identities
+## 6. Service Principals
Power BI supports the use of service principals to manage application
identities. Service principals can use application programming
@@ -374,15 +337,19 @@ permissions.
- Instead of enabling service principals for the entire agency,
implement for a dedicated security group.
-### 2.6.1 Policy
+### Policies
+#### MS.POWERBI.6.1v1
+Service Principals SHOULD be allowed for Power BI where applicable.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Service Principals SHOULD be allowed for Power BI where applicable.
-
-- Service Principal credentials used for encrypting or accessing Power
- BI SHALL NOT be stored in scripts or config files and SHALL be stored
+#### MS.POWERBI.6.2v1
+Service Principal credentials used for encrypting or accessing Power BI SHALL NOT be stored in scripts or config files and SHALL be stored
in a secure vault such as Azure Key Vault.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.6.2 Resources
+### Resources
- [Automate Premium workspace and dataset tasks with service principal
\| Microsoft
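Review bot: MS.POWERBI.6.2v1 now spans a `+` line and an unchanged context line (`in a secure vault such as Azure Key Vault.`) that still carries the two-space indentation of the deleted bullet; it renders as one paragraph, but the stray indent should be removed so the statement is a single clean line like the other policies. Also, "where applicable" in 6.1v1 (`+Service Principals SHOULD be allowed for Power BI where applicable.`) makes the policy untestable; the narrative above already gives the condition (a dedicated security group rather than the entire agency), so state that condition in the policy.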
@@ -407,31 +374,11 @@ permissions.
Microsoft
Docs](https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/power-bi-security-baseline)
-### 2.6.3 License Requirements
+### License Requirements
- N/A
-### 2.6.4 Implementation
-
-Standardize on a single authoritative identity and access management
-source (note that AAD integrates natively for Power BI).
-
-1. In the **tenant settings**
-
-2. Confirm that service principals are enabled in the **Allow service principals to use Power BI APIs** option.
-
-3. Confirm that the service principal is restricted to a security group
-related to Power BI, rather than open to the entire agency. (Note:
-Service principals have access to any tenant settings for which
-they are enabled. Depending on the agency’s admin settings, this
-includes specific security groups or the entire agency.)
-
-To restrict service principal access to specific tenant settings, it is
-recommended to allow access only to specific security groups.
-Alternatively, one can create a dedicated security group for service
-principals and exclude it from the desired tenant settings.
-
-## 2.7 ResourceKey Authentication SHOULD be Blocked
+## 7. ResourceKey Authentication
This setting pertains to the security and development of Power BI
embedded content. The Power BI tenant states that “for extra security,
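Review bot: the deleted Implementation text carried the caveat "Service principals have access to any tenant settings for which they are enabled", which is the security reason for scoping them to a security group; the retained narrative line ("implement for a dedicated security group") now gives the instruction without the reason. Keep the caveat in the narrative, or better, promote the scoping to its own policy (e.g. a 6.3v1) so it is checkable rather than advisory.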
@@ -452,12 +399,13 @@ to streaming and PUSH datasets using the API with a resource key.
However, if developers have an approved need to leverage this feature,
an exception to the policy can be investigated.
-### 2.7.1 Policy
-
-- ResourceKey Authentication SHOULD be blocked unless a specific use
- case (e.g., streaming and/or PUSH datasets) merits its use.
+### Policies
+#### MS.POWERBI.7.1v1
+RourceKey Authentication SHOULD be blocked unless a specific use case (e.g., streaming and/or PUSH datasets) merits its use.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.7.2 Resources
+### Resources
- [Power BI Tenant settings \| Microsoft
Docs](https://docs.microsoft.com/en-us/power-bi/guidance/admin-tenant-settings)
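Review bot: typo in the new policy line `+RourceKey Authentication SHOULD be blocked ...`; it should read "ResourceKey Authentication", matching the policy ID's section title and the tenant setting name "Block ResourceKey Authentication" referenced in the removed Implementation step below.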
@@ -465,16 +413,11 @@ an exception to the policy can be investigated.
- [Real-time streaming in Power BI \| Microsoft
Docs](https://docs.microsoft.com/en-us/power-bi/connect-data/service-real-time-streaming)
-### 2.7.3 License Requirements
+### License Requirements
- N/A
-### 2.7.4 Implementation
-
-1. Under **Developer Settings** in the Power BI tenant admin portal,
- toggle **Block ResourceKey Authentication** to an enabled state.
-
-## 2.8 Python and R Visual Sharing SHOULD be Disabled
+## 8. Python and R Visual Sharing
Power BI can interact with Python and R scripts to integrate
visualizations from these languages. Python visuals are created from
@@ -485,27 +428,23 @@ visuals should only be enabled if the author and source are trusted, or
after a code review of the Python/R script(s) in question is conducted
and deems the scripts free of security risks.
-### 2.8.1 Policy
-
-- R and Python interactions SHOULD be disabled.
+### Policies
+#### MS.POWERBI.8.1v1
+R and Python interactions SHOULD be disabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.8.2 Resources
+### Resources
- [Power BI Visuals and Python \| Microsoft
Docs](https://docs.microsoft.com/en-us/power-bi/connect-data/desktop-python-visuals)
-### 2.8.3 License Requirements
+### License Requirements
- N/A
-### 2.8.4 Implementation
-
-1. In the **Power BI tenant**, go to **R and Python Visuals Settings**.
-2. Toggle off the **Interact with and share R and Python visuals**
- option.
-
-## 2.9 Data Stewards and Power BI Admins SHOULD Discover, Classify, and Label Sensitive Data
+## 9. Sensitive Data
There are multiple ways to secure sensitive information, such as warning
users, encryption, or blocking attempts to share. Use Microsoft
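Review bot: MS.POWERBI.8.1v1 (`+R and Python interactions SHOULD be disabled.`) no longer names the setting it governs now that the Implementation step "Toggle off the **Interact with and share R and Python visuals** option" is deleted; state the tenant setting in the policy or the narrative so an auditor can map the requirement to a control. The narrative above still allows visuals "if the author and source are trusted, or after a code review", so the policy should also carry that exception clause for consistency with the other SHOULD policies in this file.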
@@ -521,12 +460,13 @@ tool for securing power Power BI datasets. Refer to the *Defender for
Office 365 Minimum Viable Secure Configuration Baseline* for more on
DLP.
-### 2.9.1 Policy
-
-- Sensitivity labels SHOULD be enabled for Power BI and employed for
- sensitive data per enterprise data protection policies.
+### Policies
+#### MS.POWERBI.9.1v1
+Sensitivity labels SHOULD be enabled for Power BI and employed for sensitive data per enterprise data protection policies.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.9.2 Resources
+### Resources
- [Enable sensitivity labels in Power BI \| Microsoft
Docs](https://docs.microsoft.com/en-us/power-bi/admin/service-security-enable-data-sensitivity-labels)
@@ -540,14 +480,14 @@ DLP.
- [Power BI Security Baseline v2.0 \| Microsoft benchmarks GitHub
repo](https://github.com/MicrosoftDocs/SecurityBenchmarks/blob/master/Azure%20Offer%20Security%20Baselines/2.0/power-bi-security-baseline-v2.0.xlsx)
-### 2.9.3 License Requirements
+### License Requirements
- An Azure Information Protection Premium P1 or Premium P2 license is
required to apply or view Microsoft Information Protection sensitivity
labels in Power BI. Azure Information Protection can be purchased
either standalone or through one of the Microsoft licensing suites.
- See [Azure Information Protection
- pricing](https://azure.microsoft.com/services/information-protection/) for
+ See [Azure Information Protection
+ pricing](https://azure.microsoft.com/services/information-protection/) for
detail.
- Azure Information Protection sensitivity labels need to be migrated to
@@ -565,47 +505,7 @@ DLP.
policies](https://docs.microsoft.com/en-us/microsoft-365/compliance/create-sensitivity-labels)
for detail.
-### 2.9.4 Implementation
-
-**Enable Sensitivity Labels in Power BI:**
-
-Sensitivity labels must be enabled on the tenant before they can be used
-in both the Power BI service and in Desktop. This section describes how
-to enable them in the tenant settings.
-
-To enable sensitivity labels on the tenant:
-
-1. Navigate to the **Power BI Admin portal**-\>**Tenant
- settings** pane-\> **Information protection** section.
-
-2. In the **Information Protection** section, perform the following
- steps:
-
-3. Open **Allow users to apply sensitivity labels for Power BI
- content**.
-
-4. Enable the toggle.
-
-5. Define who can apply and change sensitivity labels in Power BI
- assets. By default, everyone in the agency will be able to apply
- sensitivity labels; however, one can choose to enable setting
- sensitivity labels only for specific users or security groups. With
- either the entire agency or specific security groups selected, one
- can exclude specific subsets of users or security groups.
-
-6. When sensitivity labels are enabled for the entire agency,
- exceptions are typically security groups.
-
-7. When sensitivity labels are enabled only for specific users or
- security groups, exceptions are typically specific users.
-
-This approach makes it possible to prevent certain users from applying
-sensitivity labels in Power BI, even if they belong to a group that
-has permissions to do so.
-
-8. Click **Apply**.
-
-## 2.10 Audit Logs SHALL be Enabled in Power BI Tenant
+## 10. Audit Logs
The Power BI tenant has a setting for audit log generation to monitor
internal activity and compliance. Users within the agency can use
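Review bot: the removed steps 5 through 7 of the sensitivity-label Implementation described scoping who may apply labels (entire agency vs. specific security groups, with exclusions); that is an access-control decision that MS.POWERBI.9.1v1 ("Sensitivity labels SHOULD be enabled ... and employed for sensitive data") does not cover. Consider keeping the scoping guidance as narrative or as a second policy before deleting the only text that mentions it.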
@@ -615,11 +515,13 @@ enabled recording user and admin activity in the Office 365 Admin
Portal, in which case this setting appears enabled but greyed out in the
tenant settings.
-### 2.10.1 Policy
-
-- Power BI audit log generation SHALL be enabled in the Power BI tenant.
+### Policies
+#### MS.POWERBI.10.1v1
+Power BI audit log generation SHALL be enabled in the Power BI tenant.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.10.2 Resources
+### Resources
- [Power BI Tenant settings \| Microsoft
Docs](https://docs.microsoft.com/en-us/power-bi/guidance/admin-tenant-settings)
@@ -635,18 +537,10 @@ tenant settings.
- [Power BI Security Baseline v2.0 \| Microsoft benchmarks GitHub
repo](https://github.com/MicrosoftDocs/SecurityBenchmarks/blob/master/Azure%20Offer%20Security%20Baselines/2.0/power-bi-security-baseline-v2.0.xlsx)
-### 2.10.3 License Requirements
+### License Requirements
- N/A
-### 2.10.4 Implementation
-
-1. In the **Power BI tenant**, go to **Audit and Usage Settings.**
-
-2. Enable **Create audit logs for internal activity auditing and
- compliance**. This setting may already be enabled and greyed out if
- audit recording has been turned on in the M365 admin portal.
-
# Acknowledgements
@@ -755,8 +649,8 @@ the agency.
required to apply or view Microsoft Information Protection sensitivity
labels in Power BI. Azure Information Protection can be purchased
either standalone or through one of the Microsoft licensing suites.
- See [Azure Information Protection
- pricing](https://azure.microsoft.com/services/information-protection/) for
+ See [Azure Information Protection
+ pricing](https://azure.microsoft.com/services/information-protection/) for
detail.
- Azure Information Protection sensitivity labels need to be migrated to
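Review bot: this hunk is a whitespace-only change to a second copy of the Azure Information Protection licensing text that already appears under section 9 License Requirements (the identical three lines were adjusted in the `-540,14` hunk above); keeping two copies means every edit has to be made twice, as this patch shows. Reference the section instead of duplicating it, and drop whitespace-only hunks from a renumbering commit unless they are intended.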
diff --git a/baselines/powerplatform.md b/baselines/powerplatform.md
index 3afb419317..d677034ed1 100644
--- a/baselines/powerplatform.md
+++ b/baselines/powerplatform.md
@@ -1,4 +1,4 @@
-# 1. Introduction
+# Introduction
The Microsoft Power Platform is a group of applications involving
low-code application development, business intelligence, a custom chat
@@ -41,7 +41,7 @@ often used to store data in SQL-like tables. A Power App would then use
a connector to connect to the Dataverse table and perform create, read,
update and delete (CRUD) operations.
-## 1.1 Assumptions
+## Assumptions
The **License Requirements** sections of this document assume the
organization is using an [M365
@@ -50,7 +50,7 @@ or [G3](https://www.microsoft.com/en-us/microsoft-365/government)
license level. Therefore, only licenses not included in E3/G3 are
listed.
-## 1.2 Resources
+## Resources
**License Compliance and Copyright**
@@ -66,7 +66,7 @@ document. The United States Government has adapted selections of these
documents to develop innovative and scalable configuration standards to
strengthen the security of widely used cloud-based software services.
-# 2. Baseline
+# Baseline
Baselines in this section are for administrative controls that apply to
all Power Platform applications at the Power Platform tenant and
@@ -74,7 +74,7 @@ environment level. Additional Power Platform security settings would be
implemented at the app level, connector level, or Dataverse table level.
Refer to Microsoft documentation for those additional controls.
-## 2.1 Creation of Power Platform Environments SHALL Be Restricted
+## 1. Power Platform Environments
Power Platform environments are used to group together, manage, and
store Power Apps and Power Virtual Agents. By default, any user in the
@@ -83,12 +83,13 @@ control will restrict the creation of new environments to users with the
following admin roles: Global admins, Dynamics 365 admins, and Power
Platform admins.
-### 2.1.1 Policy
+### Policies
+#### MS.POWERPLATFORM.1.1v1
+The ability to create additional environments SHALL be restricted to admins.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- The ability to create additional environments SHALL be restricted to
- admins.
-
-### 2.1.2 Resources
+### Resources
- [Control who can create and manage environments in the Power Platform
admin center \| Microsoft
@@ -100,11 +101,11 @@ Platform admins.
- [Microsoft Technical Documentation \| Power
Apps](https://docs.microsoft.com/en-us/power-apps/)
-### 2.1.3 License Requirements
+### License Requirements
- N/A
-### 2.1.4 Implementation
+### Implementation
1. Sign in to the [Power Platform admin
center](https://admin.powerplatform.microsoft.com/) or for GCC
@@ -125,7 +126,7 @@ Platform admins.
Now only Global admins, Dynamics 365 service admins, Power Platform
Service admins, and Delegated admins can create environments.
-## 2.2 Data Loss Prevention Policies for Power Platform Environments SHALL Be Created
+## 2. Data Loss Prevention Policies
To secure Power Platform environments Data Loss Prevention (DLP)
policies can be created to restrict the connectors that can be used with
@@ -153,16 +154,19 @@ restrict users in the Azure AD tenant from creating Power Apps in the
default Power Platform environment. Admins can restrict users from
creating apps in all other created environments.
-### 2.2.1 Policy
-
-- A DLP policy SHALL be created to restrict connector access in the
- default Power Platform environment.
+### Policies
+#### MS.POWERPLATFORM.2.1v1
+A DLP policy SHALL be created to restrict connector access in the default Power Platform environment.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Non-default environments SHOULD have at least one DLP policy that
- affects them.
+#### MS.POWERPLATFORM.2.2v1
+Non-default environments SHOULD have at least one DLP policy that affects them.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- All connectors except those listed below SHOULD be added to the
- Blocked category in the default environment policy:
+#### MS.POWERPLATFORM.2.3v1
+All connectors except those listed below SHOULD be added to the Blocked category in the default environment policy:
- Approvals
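Review bot: MS.POWERPLATFORM.2.3v1 (`+All connectors except those listed below SHOULD be added to the Blocked category ...`) bakes the connector allowlist into the normative statement, so any future change to the list silently changes the policy text under the same `v1` identifier. State the control once ("all connectors not on the agency-approved list SHOULD be in the Blocked category") and keep the list as a referenced block. Also, 2.1v1 uses SHALL and 2.3v1 SHOULD for the same default-environment DLP policy; confirm the difference is intended.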
@@ -198,9 +202,12 @@ creating apps in all other created environments.
- Shifts for Microsoft Teams
- - Yammer
+ - Yammer.
-### 2.2.2 Resources
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
+
+### Resources
- [Data Policies for Power Automate and Power Apps \| Digital
Transformation Agency of
@@ -209,11 +216,11 @@ creating apps in all other created environments.
- [Create a data loss prevention (DLP) policy \| Microsoft
Docs](https://docs.microsoft.com/en-us/power-platform/admin/create-dlp-policy)
-### 2.2.3 License Requirements
+### License Requirements
- N/A
-### 2.2.4 Implementation
+### Implementation
1. Sign in to the [Power Platform admin
center](https://admin.powerplatform.microsoft.com/) (for GCC
@@ -253,7 +260,7 @@ blocked to the **Blocked** category.
14. Select **Next**-\> **Create Policy** to finish.
-## 2.3 Tenant Isolation SHALL Be Enabled to Prevent Cross Tenant Access of Power Platform environments
+## 3. Tenant Isolation
Power Platform tenant isolation is different from Azure AD-wide tenant
restriction. It does not impact Azure AD-based access outside of Power
@@ -273,24 +280,33 @@ external tenants) cross-tenant connections are blocked by Power Platform
even if the user presents valid credentials to the Azure AD-secured data
source.
-### 2.3.1 Policy
+### Policies
-- Power Platform tenant isolation SHALL be enabled.
+#### MS.POWERPLATFORM.3.1v1
+Power Platform tenant isolation SHALL be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- An inbound/outbound connection allowlist SHOULD be configured.
+#### MS.POWERPLATFORM.3.2v1
+An inbound/outbound connection allowlist SHOULD be configured.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- The allowlist MAY be empty.
+#### MS.POWERPLATFORM.3.3v1
+The allowlist MAY be empty.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.3.2 Resources
+### Resources
- [Enable tenant isolation and configure allowlist \| Microsoft
Docs](https://docs.microsoft.com/en-us/power-platform/admin/cross-tenant-restrictions#enable-tenant-isolation-and-configure-allowlist)
-### 2.3.3 License Requirements
+### License Requirements
- N/A
-### 2.3.4 Implementation
+### Implementation
1. Sign in to the [Power Platform admin
center](https://admin.powerplatform.microsoft.com/) or for GCC
@@ -306,7 +322,7 @@ source.
the allowlist. However, these rules won't be enforced until tenant
isolation is turned **On**.
-## 2.4 Content Security Policy SHALL Be Enabled
+## 4. Content Security Policy
Content Security Policy (CSP) is an added layer of security that helps
to detect and mitigate certain types of attacks, including Cross-Site
@@ -320,21 +336,22 @@ to apply this setting. Also, there is no current way to implement this
setting for Canvas Apps. When enabled, this setting will apply to all
current Model-driven apps at only the environment level.
-### 2.4.1 Policy
-
-- Content security policies for model-driven Power Apps SHALL be
- enabled.
+### Policies
+#### MS.POWERPLATFORM.4.1v1
+Content security policies for model-driven Power Apps SHALL be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.4.2 Resources
+### Resources
- [Content Security Policy \| Microsoft
Docs](https://docs.microsoft.com/en-us/power-platform/admin/content-security-policy)
-### 2.4.3 License Requirements
+### License Requirements
- N/A
-### 2.4.4 Implementation
+### Implementation
1. Sign in to [Make Power Apps](https://make.powerapps.com) (for GCC
environments sign in to the [GCC Make Power
diff --git a/baselines/sharepoint.md b/baselines/sharepoint.md
index c7f06858af..b153f02bc2 100644
--- a/baselines/sharepoint.md
+++ b/baselines/sharepoint.md
@@ -1,4 +1,4 @@
-# 1. Introduction
+# Introduction
SharePoint Online is a web-based collaboration and document management
platform. Though highly flexible, it is primarily used to store
@@ -39,7 +39,7 @@ SharePoint Online):
Source:
-## 1.1 Resources
+## Resources
**License Compliance and Copyright**
@@ -55,7 +55,7 @@ document. The United States Government has adapted selections of these
documents to develop innovative and scalable configuration standards to
strengthen the security of widely used cloud-based software services.
-## 1.2 Assumptions
+## Assumptions
The **License Requirements** sections of this document assume the
organization is using an [M365
@@ -64,29 +64,31 @@ or [G3](https://www.microsoft.com/en-us/microsoft-365/government)
license level. Therefore, only licenses not included in E3/G3 are
listed.
-# 2. Baselines
+# Baselines
-## 2.1 File and Folder Links Default Sharing Settings SHALL Be Set to "Specific People (Only the People the User Specifies)"
+## 1. File and Folder Links Default Sharing Settings
This policy ensures that when sharing files in SharePoint, there are
several possible scopes, including agency-wide or “anyone with the
link.”
-### 2.1.1 Policy
+### Policies
-- File and folder links default sharing setting SHALL be set to
- “Specific People (Only the People the User Specifies)”.
+#### MS.SHAREPOINT.1.1v1
+File and folder links default sharing setting SHALL be set to Specific People (Only the People the User Specifies).
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.1.2 Resources
+### Resources
- [File and folder links \| Microsoft
Documents](https://docs.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#file-and-folder-links)
-### 2.1.3 License Requirements
+### License Requirements
- N/A
-### 2.1.4 Implementation
+### Implementation
In the **SharePoint admin** **center**:
@@ -96,7 +98,7 @@ In the **SharePoint admin** **center**:
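Review bot: MS.SHAREPOINT.1.1v1 drops the quotation marks around "Specific People (Only the People the User Specifies)", which were the signal that this is the literal admin-center option label; the Implementation step below bolds the same label, so either keep the quotes or bold it in the policy so the value to look for is unambiguous.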
2. Under **File and folder links**, ensure that the default link type
is set to **Specific people (only the people the user specifies)**.
-## 2.2 External Sharing SHOULD be Set to “New and Existing Guests” and Managed Through Approved Domains and/or Security Groups Per Interagency Collaboration Needs.
+## 2. External Sharing
SharePoint allows sharing with users who are outside the agency, which
is convenient but may pose a data loss or other information security
@@ -116,21 +118,22 @@ the CIO Council's [Interagency Collaboration
Program](https://community.max.gov/display/Egov/Interagency+Collaboration+Program)’s
OMB Max Site for a list of .gov domains for sharing).
-### 2.2.1 Policy
+### Policies
+#### MS.SHAREPOINT.2.1v1
+External sharing SHOULD be limited to approved domains and security groups per interagency collaboration needs.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- External sharing SHOULD be limited to approved domains and security
- groups per interagency collaboration needs.
-
-### 2.2.2 Resources
+### Resources
- [Manage sharing settings \| Microsoft
Documents](https://docs.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off)
-### 2.2.3 License Requirements
+### License Requirements
- N/A
-### 2.2.4 Implementation
+### Implementation
To adjust sharing settings, in the **SharePoint admin center**:
@@ -157,7 +160,7 @@ To adjust sharing settings, in the **SharePoint admin center**:
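Review bot: the old heading carried the requirement that external sharing "SHOULD be Set to 'New and Existing Guests'", and the new heading `+## 2. External Sharing` plus MS.SHAREPOINT.2.1v1 ("External sharing SHOULD be limited to approved domains and security groups ...") no longer state that sharing level anywhere in normative text. If the "New and Existing Guests" setting is still the intended value, add it to 2.1v1 or as a separate policy; otherwise the commit should say the requirement was dropped deliberately.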
11. Select **Save.**
-## 2.3 Sensitive SharePoint Sites SHOULD Adjust Their Default Sharing Settings to Those Best Aligning to Their Sensitivity Level
+## 3. Sensitivity Levels
SharePoint allows sharing with users who are outside the agency, which
is convenient but may pose a data loss or other information security
@@ -166,21 +169,22 @@ organizational settings agencies should evaluate each created site and
adjust sharing settings best aligned to their respective sensitivity
level.
-### 2.3.1 Policy
-
-- Sharing settings for specific SharePoint sites SHOULD align to their
- sensitivity level.
+### Policies
+#### MS.SHAREPOINT.3.1v1
+Sharing settings for specific SharePoint sites SHOULD align to their sensitivity level.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-### 2.3.2 Resources
+### Resources
- [Managing SharePoint Online Security: A Team Effort \| Microsoft
Build](https://docs.microsoft.com/en-us/microsoft-365/community/sharepoint-security-a-team-effort)
-### 2.3.3 License Requirements
+### License Requirements
- N/A
-### 2.3.4 Implementation
+### Implementation
To limit external sharing by domain, in the **SharePoint admin center**:
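Review bot: the Implementation lead-in "To limit external sharing by domain" does not match MS.SHAREPOINT.3.1v1, which is about aligning each site's sharing settings to its sensitivity level, not about domain restriction (that is MS.SHAREPOINT.2.1v1). While this heading block is being rewritten, the lead-in should be corrected to describe the per-site sharing procedure that follows, and the `_Rationale:_ TODO` filled in (the body text "agencies should evaluate each created site and adjust sharing settings best aligned to their respective sensitivity level" is the rationale).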
@@ -201,7 +205,7 @@ To limit external sharing by domain, in the **SharePoint admin center**:
8. Select **Save.**
-## 2.4 Expiration Times for Guest Access to a Site or OneDrive, and Reauthentication Expiration Times for People Who Use a Verification Code, SHOULD Be Determined By Mission Needs / Agency Policy or Else Defaulted to 30 Days.
+## 4. Guest Access to a Site or OneDrive
SharePoint allows sharing with users who are outside the agency, which
is convenient but may pose a data loss or other information security
@@ -211,23 +215,27 @@ access to the site or OneDrive.
**Note**: Adjusting this setting will adjust external sharing
for OneDrive and Teams to the same, specified expiration times.
-### 2.4.1 Policy
+### Policies
+#### MS.SHAREPOINT.4.1v1
+Expiration timers for guest access to a site or OneDrive and people who use a verification code SHOULD be set.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Expiration timers for ‘guest access to a site or OneDrive’ and ‘people
- who use a verification code’ SHOULD be set.
+#### MS.SHAREPOINT.4.2v1
+Expiration timers SHOULD be set to 30 days.
+- _Rationale:_ TODO
+- _Last modified:_ June 2023
-- Expiration timers SHOULD be set to 30 days.
-
-### 2.4.2 License Requirements
+### License Requirements
- N/A
-### 2.4.3 Resources
+### Resources
- [Managing SharePoint Online Security: A Team Effort \| Microsoft
Build](https://docs.microsoft.com/en-us/microsoft-365/community/sharepoint-security-a-team-effort)
-### 2.4.4 Implementation
+### Implementation
To limit external sharing by domain, in the **SharePoint admin center**:
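Review bot: the subsection order in this section is `### License Requirements` followed by `### Resources`, the reverse of every other section in both files (Resources, then License Requirements). Since these headings are already being renamed here, reorder them to match. Two smaller points in the same hunk: the Implementation lead-in "To limit external sharing by domain" does not describe the expiration-timer procedure that ends in step 6 "Enter “30 days”", and both MS.SHAREPOINT.4.1v1 and MS.SHAREPOINT.4.2v1 carry `_Rationale:_ TODO`.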
@@ -245,26 +253,26 @@ To limit external sharing by domain, in the **SharePoint admin center**:
6. Enter “30 days”.
-## 2.5 Users SHALL Be Prevented from Running Custom Scripts
+## 5. Custom Scripts
Allowing users to run custom scripts can potentially allow malicious
scripts to run in a trusted environment. For this reason, running custom
scripts should not be allowed.
-### 2.5.1 Policy
-
-- Users SHALL be prevented from running custom scripts.
+### Policy
+#### MS.SHAREPOINT.5.1v1
+Users SHALL be prevented from running custom scripts.
-### 2.5.2 Resources
+### Resources
- [Allow or prevent custom script \| Microsoft
Documents](https://docs.microsoft.com/en-us/sharepoint/allow-or-prevent-custom-script)
-### 2.5.3 License Requirements
+### License Requirements
- N/A
-### 2.5.4 Implementation
+### Implementation
In the **SharePoint Classic admin center**:
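Review bot: `### Policy` here is inconsistent with `### Policies` used for every other section in this diff, and MS.SHAREPOINT.5.1v1 is the only new policy block without `_Rationale:_` and `_Last modified:_` lines. Use `### Policies` and add the two metadata lines; the body text "Allowing users to run custom scripts can potentially allow malicious scripts to run in a trusted environment" is a ready-made rationale, so this one need not be a TODO.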
diff --git a/baselines/teams.md b/baselines/teams.md
index 2931a9e87c..ad0498066d 100644
--- a/baselines/teams.md
+++ b/baselines/teams.md
@@ -1,4 +1,4 @@
-# 1. Introduction
+# Introduction
Microsoft Teams is a text and live chat workspace in Microsoft 365 that
supports video calls, chat messaging, screen-sharing, and file sharing.
@@ -30,7 +30,7 @@ across Microsoft documentation):
users, meaning users that are not logged in to any Microsoft or
organization account, such as dial-in users.[^1]
-## 1.1 Assumptions
+## Assumptions
The **License Requirements** sections of this document assume the
organization is using an [M365
@@ -39,7 +39,7 @@ or [G3](https://www.microsoft.com/en-us/microsoft-365/government)
license level. Therefore, only licenses not included in E3/G3 are
listed.
-## 1.2 Resources
+## Resources
**License Compliance and Copyright**
@@ -55,39 +55,39 @@ document. The United States Government has adapted selections of these
documents to develop innovative and scalable configuration standards to
strengthen the security of widely used cloud-based software services.
-# 2. Baseline
+# Baseline
-## 2.1 External Participants SHOULD NOT Be Enabled to Request Control of Shared Desktops or Windows in Meetings
+## 1. Requesting Control of Shared Desktops or Windows
This setting controls whether external meeting participants can request
control of the shared desktop or window during the meeting. In this
instance, the term “external participants” includes external users, B2B
guest users, unmanaged users and anonymous users.
-While there is some inherent risk in granting an external participant
+### Policies
+
+#### MS.TEAMS.1.1v1
+External participants SHOULD NOT be enabled to request control of shared desktops or windows in the Global (Org-wide default) meeting policy or in custom meeting policies if any exist.
+
+- _Rationale:_ While there is some inherent risk in granting an external participant
control of a shared screen, legitimate use cases for this exist.
Furthermore, the risk is minimal as users cannot gain control of another
user’s screen unless the user giving control explicitly accepts a
control request. As such, while enabling external participants to
request control is discouraged, it may be done, depending on agency
need.
+- _Last modified:_ July 2023
-### 2.1.1 Policy
-
-- External participants SHOULD NOT be enabled to request control of shared
-desktops or windows in the Global (Org-wide default) meeting policy or
-in custom meeting policies if any exist.
-
-### 2.1.2 Resources
+### Resources
- [Configure desktop sharing in Microsoft Teams \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoftteams/configure-desktop-sharing)
-### 2.1.3 License Requirements
+### License Requirements
- N/A
-### 2.1.4 Implementation
+### Implementation
To ensure external participants do not have the ability to request
control of the shared desktop or window in the meeting:
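Review bot: the `_Rationale:_` for MS.TEAMS.1.1v1 runs over six continuation lines at column 0 and only stays attached to the bullet through lazy continuation; indent the continuation lines to match the bullet so a later blank line or a stricter renderer cannot split the rationale out of the list item. Also, this is the only section with a blank line after `### Policies` and after the policy statement; pick one spacing style and apply it across both files.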
@@ -105,29 +105,27 @@ control of the shared desktop or window in the meeting:
5. If custom policies have been created, repeat these steps for each
policy, selecting the appropriate policy in step 3.
-## 2.2 Anonymous Users SHALL NOT Be Enabled to Start Meetings
+## 2. Starting Teams Meetings
This setting controls which meeting participants can start a meeting. In
this instance, the term “anonymous users” refers to any Teams users
joining calls that are not authenticated through the agency’s tenant.
-### 2.2.1 Policy
-
-- Anonymous users SHALL NOT be enabled to start meetings in the Global
-(Org-wide default) meeting policy or in custom meeting policies if any
-exist.
+### Policies
-### 2.2.2 Resources
+#### MS.TEAMS.2.1v1
+Anonymous users SHALL NOT be enabled to start meetings in the Global (Org-wide default) meeting policy or in custom meeting policies if any exist.
+- _Rationale:_ TODO add rationale.
+- _Last modified:_ July 2023
+### Resources
- [Meeting policy settings - Participants & guests \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoftteams/meeting-policies-participants-and-guests)
-### 2.2.3 License Requirements
-
+### License Requirements
- N/A
-### 2.2.4 Implementation
-
+### Implementation
To configure settings for anonymous users:
1. Sign in to the [**Microsoft Teams admin
@@ -143,37 +141,45 @@ To configure settings for anonymous users:
5. If custom policies have been created, repeat these steps for each
policy, selecting the appropriate policy in step 3.
-## 2.3 Automatic Admittance to Meetings SHOULD Be Restricted
-
+## 3. Automatic Admittance into meetings
This setting controls which meeting participants wait in the lobby
before they are admitted to the meeting.
-### 2.3.1 Policy
+### Policies
-- Anonymous users, including dial-in users, SHOULD NOT be admitted
- automatically.
+#### MS.TEAMS.3.1v1
+Anonymous users, including dial-in users, SHOULD NOT be admitted automatically.
+- _Rationale:_ TODO add rationale.
+- _Last modified:_ July 2023
-- Internal users SHOULD be admitted automatically.
+#### MS.TEAMS.3.2v1
+Internal users SHOULD be admitted automatically.
+- _Rationale:_ TODO add rationale.
+- _Last modified:_ July 2023
-- B2B guest users MAY be admitted automatically.
+#### MS.TEAMS.3.3v1
+B2B guest users MAY be admitted automatically.
+- _Rationale:_ TODO add rationale.
+- _Last modified:_ July 2023
-- The above settings SHOULD be set in the Global (Org-wide default)
- meeting policy.
+#### MS.TEAMS.3.4v1
+MS.TEAMS.3.1.1, MS.TEAMS.3.2.1, and MS.TEAMS.3.3.1 SHOULD be applied in the Global (Org-wide default) meeting policy.
+- _Rationale:_ TODO add rationale.
+- _Last modified:_ July 2023
-- Custom meeting policies MAY be created that allow more flexibility for
- specific users.
-
-### 2.3.2 Resources
+#### MS.TEAMS.3.5v1
+Custom meeting policies MAY be created that allow more flexibility for specific users.
+- _Rationale:_ TODO add rationale.
+- _Last modified:_ July 2023
+### Resources
- [Meeting policy settings - Participants & guests \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoftteams/meeting-policies-participants-and-guests)
-### 2.3.3 License Requirements
-
+### License Requirements
- N/A
-### 2.3.4 Implementation
-
+### Implementation
To configure settings for automatic meeting admittance:
1. Sign in to the [**Microsoft Teams admin
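Review bot: MS.TEAMS.3.4v1 references "MS.TEAMS.3.1.1, MS.TEAMS.3.2.1, and MS.TEAMS.3.3.1", but the identifiers defined directly above are MS.TEAMS.3.1v1, MS.TEAMS.3.2v1 and MS.TEAMS.3.3v1; the cross-references need the same `v1` form or they will not resolve against the policy IDs. Minor: the new heading "Automatic Admittance into meetings" breaks the title case used by the neighbouring headings ("Starting Teams Meetings", "External User Access").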
@@ -192,7 +198,7 @@ To configure settings for automatic meeting admittance:
6. If custom policies have been created, repeat these steps for each
policy, selecting the appropriate policy in step 3.
-## 2.4 External User Access SHALL Be Restricted
+## 4. External User Access
External access allows external users to look up internal users by their
email address to initiate chats and calls entirely within Teams.
@@ -214,13 +220,14 @@ Importantly, this setting only pertains to external users (i.e., members
of a different M365 tenant). Access for unmanaged users is controlled
separately.
-### 2.4.1 Policy
-
-- External access SHALL only be enabled on a per-domain basis.
+### Policies
-- Anonymous users SHOULD be enabled to join meetings.
+#### MS.TEAMS.4.1v1
+External access SHALL only be enabled on a per-domain basis.
+- _Rationale:_ TODO add rationale.
+- _Last modified:_ July 2023
-### 2.4.2 Resources
+### Resources
- [Manage external access in Microsoft Teams \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoftteams/manage-external-access)
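Review bot: the old bullet "Anonymous users SHOULD be enabled to join meetings" is deleted here with no replacement policy ID, so the requirement disappears from the baseline silently. If that is intended, say so in the commit message; if the requirement now belongs under section 3 (lobby admittance) or elsewhere, it needs an `MS.TEAMS.x.yv1` entry there. MS.TEAMS.4.1v1 also still carries `_Rationale:_ TODO add rationale.`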
@@ -232,11 +239,11 @@ separately.
outside your organization \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoftteams/communicate-with-users-from-other-organizations)
-### 2.4.3 License Requirements
+### License Requirements
- N/A
-### 2.4.4 Implementation
+### Implementation
To enable external access for only specific domains:
@@ -253,33 +260,7 @@ To enable external access for only specific domains:
5. Click **Save.**
-To enable anonymous users to join meetings:
-
-1. Sign in to the [**Microsoft Teams admin
- center**](https://admin.teams.microsoft.com).
-
-2. Select **Meetings** **-\>** **Meeting settings**.
-
-3. Under **Participants**, set **Anonymous users can join a meeting**
- to **On**.
-
-4. Click **Save**.
-
-Anonymous users can also be enabled/blocked on a per-policy basis.
-
-1. Sign in to the [**Microsoft Teams admin
- center**](https://admin.teams.microsoft.com).
-
-2. Select **Meetings** **-\>** **Meeting policies**.
-
-3. Select the **Global (Org-wide default)**, or other policy as needed.
-
-4. Under **Participants & guests**, set **Let anonymous people join a
- meeting** to **On**.
-
-5. Click **Save**.
-
-## 2.5 Unmanaged User Access SHALL Be Restricted
+## 5. Unmanaged User Access
Blocking contact with unmanaged Teams users prevents these users from
looking up internal users by their email address and initiating chats
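Review bot: both procedures for the "Anonymous users can join a meeting" / "Let anonymous people join a meeting" settings are removed here, yet the unchanged section 5 text that follows still says "These users would still be able to join calls, assuming anonymous join is enabled." With the policy and its implementation steps gone, that sentence should point to wherever anonymous join is now governed, or the removal should be reconsidered.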
@@ -287,26 +268,30 @@ and calls within Teams. These users would still be able to join calls,
assuming anonymous join is enabled. Additionally, unmanaged users may be
added to Teams chats if the internal user initiates the contact.
-### 2.5.1 Policy
-
-- Unmanaged users SHALL NOT be enabled to initiate contact with internal
+### Policies
+#### MS.TEAMS.5.1v1
+Unmanaged users SHALL NOT be enabled to initiate contact with internal
users.
+- _Rationale:_ TODO add rationale.
+- _Last modified:_ July 2023
-
-- Internal users SHOULD NOT be enabled to initiate contact with unmanaged
+#### MS.TEAMS.5.2v1
+Internal users SHOULD NOT be enabled to initiate contact with unmanaged
users.
+- _Rationale:_ TODO add rationale.
+- _Last modified:_ July 2023
-### 2.5.2 Resources
+### Resources
- [Manage contact with external Teams users not managed by an organization
\| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoftteams/manage-external-access#manage-contact-with-external-teams-users-not-managed-by-an-organization)
-### 2.5.3 License Requirements
+### License Requirements
- N/A
-### 2.5.4 Implementation
+### Implementation
Steps are outlined in [Manage contact with external Teams users not
managed by an
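Review bot: the statements for MS.TEAMS.5.1v1 and MS.TEAMS.5.2v1 are the only new policy statements that wrap onto a second line ("... initiate contact with internal" / "users."); join each onto one line like the others so anything that extracts policy text by ID gets the full sentence. The body paragraph above ("Blocking contact with unmanaged Teams users prevents these users from looking up internal users by their email address and initiating chats and calls") can replace the two `TODO add rationale.` placeholders.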
@@ -329,16 +314,18 @@ organization](https://docs.microsoft.com/en-us/microsoftteams/manage-external-ac
2. Clear the check next to **External users with Teams accounts not managed by an organization can contact users in my organization**.
-## 2.6 Contact with Skype Users SHALL Be Blocked
-
-Microsoft officially retired Skype for Business Online on July 31, 2021,
-and it is no longer supported.
+## 6. Skype Users
+Microsoft officially retired Skype for Business Online on July 31, 2021, and it is no longer supported. Skype for Business 2015 is slated for Apr 11, 2023 and Skype for Business Server 2015, 2016, 2019 LTSC and Server 2019 is slated for Oct 14, 2025.
-### 2.6.1 Policy
+### Policies
-- Contact with Skype users SHALL be blocked.
+#### MS.TEAMS.6.1v1
+Contact with Skype users SHALL be blocked.
+- _Rationale:_ Microsoft officially retired Skype for Business Online on July 31, 2021,
+and it is no longer supported.
+- _Last modified:_ July 2023
-### 2.6.2 Resources
+### Resources
- [Communicate with Skype users \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoftteams/manage-external-access#communicate-with-skype-users)
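Review bot: the added sentence "Skype for Business 2015 is slated for Apr 11, 2023 and Skype for Business Server 2015, 2016, 2019 LTSC and Server 2019 is slated for Oct 14, 2025" never says what the dates are for (end of support? retirement?); state it explicitly, and fix the agreement ("... Server 2019 are slated ..."). Also, the `_Rationale:_` for MS.TEAMS.6.1v1 repeats the section's first sentence verbatim; either the body or the rationale should carry it, not both.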
@@ -346,11 +333,11 @@ Docs](https://docs.microsoft.com/en-us/microsoftteams/manage-external-access#com
- [Skype for Business Online to Be Retired in 2021 \| Microsoft Teams
Blog](https://techcommunity.microsoft.com/t5/microsoft-teams-blog/skype-for-business-online-to-be-retired-in-2021/ba-p/777833)
-### 2.6.3 License Requirements
+### License Requirements
- N/A
-### 2.6.4 Implementation
+### Implementation
Instructions for *enabling* communications with Skype users are outlined
in [Communicate with Skype
@@ -366,7 +353,7 @@ users](https://docs.microsoft.com/en-us/microsoftteams/manage-external-access#co
4. Click **Save**.
-## 2.7 Teams Email Integration SHALL Be Disabled
+## 7. Teams Email Integration
Teams provides an optional feature that allows channels to have an email
address and receive email. These channel email addresses are not under
@@ -376,21 +363,23 @@ agencies do not have control over the security settings associated with
this email. For this reason, email channel integration should be
disabled.
-### 2.7.1 Policy
-
-- Teams email integration SHALL be disabled.
+### Policies
+#### MS.TEAMS.7.1v1
+Teams email integration SHALL be disabled.
+- _Rationale:_ TODO
+- _Last modified:_ July 2023
-### 2.7.2 Resources
+### Resources
- [Email Integration \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoftteams/enable-features-office-365#email-integration)
-### 2.7.3 License Requirements
+### License Requirements
- Teams email integration is only available with E3/E5 licenses. It is not
available in GCC or DoD tenants.
-### 2.7.4 Implementation
+### Implementation
To ensure that teams email integration is disabled:
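Review bot: `_Rationale:_ TODO` for MS.TEAMS.7.1v1 is unnecessary; the unchanged body text right above already gives the rationale ("These channel email addresses are not under ... agencies do not have control over the security settings associated with this email. For this reason, email channel integration should be disabled."). Move that into the field instead of shipping a placeholder.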
@@ -402,7 +391,7 @@ To ensure that teams email integration is disabled:
3. Under the **Email integration** section, set **Allow users to send
emails to a channel email address** to **Off**.
-## 2.8 Only Approved Apps SHOULD Be Installed
+## 8. App Management
Teams is capable of integrating with the following classes of apps:
@@ -414,18 +403,24 @@ Teams store.
*Custom apps*: apps not published to the Teams store, such as apps under
development, that users “sideload” into Teams.
-### 2.8.1 Policy
+### Policies
-- Agencies SHOULD allow all apps published by Microsoft, but MAY block
-specific Microsoft apps as needed.
+#### MS.TEAMS.8.1v1
+Agencies SHOULD allow all apps published by Microsoft, but MAY block specific Microsoft apps as needed.
+- _Rationale:_ TODO
+- _Last modified:_ July 2023
-- Agencies SHOULD NOT allow installation of all third-party apps or custom
-apps, but MAY allow specific apps as needed.
+#### MS.TEAMS.8.2v1
+Agencies SHOULD NOT allow installation of all third-party apps or custom apps, but MAY allow specific apps as needed.
+- _Rationale:_ TODO
+- _Last modified:_ July 2023
-- Agencies SHALL establish policy dictating the app review and approval
-process to be used by the agency.
+#### MS.TEAMS.8.3v1
+Agencies SHALL establish policy dictating the app review and approval process to be used by the agency.
+- _Rationale:_ TODO
+- _Last modified:_ July 2023
-### 2.8.2 Resources
+### Resources
- [Manage app permission policies in Microsoft Teams \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoftteams/teams-app-permission-policies)
@@ -433,11 +428,11 @@ Docs](https://docs.microsoft.com/en-us/microsoftteams/teams-app-permission-polic
- [Upload your app in Microsoft Teams \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload)
-### 2.8.3 License Requirements
+### License Requirements
- N/A
-### 2.8.4 Implementation
+### Implementation
To restrict which Team apps can be installed:
@@ -465,25 +460,31 @@ To restrict which Team apps can be installed:
8. If custom policies have been created, repeat these steps for each
policy, selecting the appropriate policy in step 3.
-## 2.9 Cloud Recording of Teams Meetings SHOULD Be Disabled for Unapproved Users
+## 9. Cloud Recording of Teams Meetings
This setting determines whether video can be recorded in meetings hosted
by a user, during one-on-one calls, and on group calls started by a
user. Agencies should comply with any other applicable policies or
legislation in addition to this guidance.
-### 2.9.1 Policy
+### Policies
-- Cloud video recording SHOULD be disabled in the global (org-wide
-default) meeting policy.
+#### MS.TEAMS.9.1v1
+Cloud video recording SHOULD be disabled in the global (org-wide default) meeting policy.
+- _Rationale:_ TODO
+- _Last modified:_ July 2023
-- Alternate meeting policies MAY be created that allow agency-approved
-users the ability to record.
+#### MS.TEAMS.9.2v1
+ Alternate meeting policies MAY be created that allow agency-approved users the ability to record.
+- _Rationale:_ TODO
+- _Last modified:_ July 2023
-- For all meeting polices that allow cloud recording, recordings SHOULD be
-stored inside the country of that agency’s tenant.
+#### MS.TEAMS.9.3v1
+For all meeting polices that allow cloud recording, recordings SHOULD be stored inside the country of that agencys tenant.
+- _Rationale:_ TODO
+- _Last modified:_ July 2023
-### 2.9.2 Resources
+### Resources
- [Teams cloud meeting recording \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoftteams/cloud-recording)
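Review bot: three text defects in the new policy statements: MS.TEAMS.9.2v1 has a stray leading space before "Alternate meeting policies", MS.TEAMS.9.3v1 dropped the apostrophe that the removed line had ("agency’s tenant" became "agencys tenant"), and "meeting polices" (for "policies") is carried over from the old bullet. All three `_Rationale:_` fields are TODO.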
@@ -491,11 +492,11 @@ Docs](https://docs.microsoft.com/en-us/microsoftteams/cloud-recording)
- [Assign policies in Teams – getting started \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoftteams/policy-assignment-overview)
-### 2.9.3 License Requirements
+### License Requirements
- N/A
-### 2.9.4 Implementation
+### Implementation
To configure the Meeting policies for cloud video recording:
@@ -539,26 +540,28 @@ record meetings:
9. Select **Apply**.
-## 2.10 Only the Meeting Organizer SHOULD Be Able to Record Live Events
+## 10. Recording of Live Events
Live events are recorded by default. Agencies should increase their
privacy by changing the policy so that events are only recorded at the
organizer’s discretion.
-### 2.10.1 Policy
+### Policies
+#### MS.TEAMS.10.1v1
+Record an event SHOULD be set to Organizer can record.
+- _Rationale:_ TODO
+- _Last modified:_ July 2023
-- Record an event SHOULD be set to Organizer can record.
-
-### 2.10.2 Resources
+### Resources
- [Live Event Recording Policies \| Microsoft
Docs](https://docs.microsoft.com/en-us/microsoftteams/teams-live-events/live-events-recording-policies)
-### 2.10.3 License Requirements
+### License Requirements
- N/A
-### 2.10.4 Implementation
+### Implementation
1. Sign in to the **[Microsoft Teams admin
center](https://admin.teams.microsoft.com).**
@@ -571,7 +574,7 @@ Docs](https://docs.microsoft.com/en-us/microsoftteams/teams-live-events/live-eve
5. Click **Save**.
-## 2.11 Data Loss Prevention Solutions SHALL Be Enabled
+## 11. Data Loss Prevention
Data loss prevention (DLP) helps prevent both accidental leakage of
sensitive information as well as intentional exfiltration of data. DLP
@@ -589,24 +592,37 @@ Minimum Viable Secure Configuration Baseline*. The DLP solution selected
by an agency should offer services comparable to those offered by
Microsoft.
-### 2.11.1 Policy
+### Policies
+
+#### MS.TEAMS.11.1v1
+A DLP solution SHALL be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ July 2023
-- A DLP solution SHALL be enabled.
+#### MS.TEAMS.11.2v1
+Agencies SHOULD use either the native DLP solution offered by Microsoft or a DLP solution that offers comparable services.
+- _Rationale:_ TODO
+- _Last modified:_ July 2023
-- Agencies SHOULD use either the native DLP solution offered by Microsoft
-or a DLP solution that offers comparable services.
+#### MS.TEAMS.11.3v1
+Agencies SHOULD use either the native DLP solution offered by Microsoft or a DLP solution that offers comparable services.
+- _Rationale:_ TODO
+- _Last modified:_ July 2023
-- The DLP solution SHALL protect Personally Identifiable Information (PII)
+#### MS.TEAMS.11.4v1
+The DLP solution SHALL protect Personally Identifiable Information (PII)
and sensitive information, as defined by the agency. At a minimum, the
sharing of credit card numbers, taxpayer Identification Numbers (TIN),
and Social Security Numbers (SSN) via email SHALL be restricted.
+- _Rationale:_ TODO
+- _Last modified:_ July 2023
-### 2.11.2 Resources
+### Resources
- The “Data Loss Prevention SHALL Be Enabled” section of the *Defender for
Office 365 Minimum Viable Secure Configuration Baseline*.
-## 2.12 Attachments SHOULD Be Scanned for Malware
+## 12. Attachment Scanning
Though any product that fills the requirements outlined in this baseline
control may be used, for guidance on implementing malware scanning using
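Review bot: MS.TEAMS.11.2v1 and MS.TEAMS.11.3v1 have identical text ("Agencies SHOULD use either the native DLP solution offered by Microsoft or a DLP solution that offers comparable services."). The removed list had three bullets (DLP enabled; native or comparable DLP; PII protection), so one of the two is a duplicate: drop it and renumber MS.TEAMS.11.4v1 to 11.3v1, or supply the text that was intended. Separately, the unchanged PII statement under 11.4v1 still says sharing "via email SHALL be restricted", which reads as copied from the Exchange/Defender baseline rather than Teams.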
@@ -614,19 +630,24 @@ Microsoft Defender, see the “Data Loss Prevention SHALL Be Enabled”
section of the *Defender for Office 365 Minimum Viable Secure
Configuration Baseline*.
-### 2.12.1 Policy
+### Policies
-- Attachments included with Teams messages SHOULD be scanned for malware.
+#### MS.TEAMS.12.1v1
+Attachments included with Teams messages SHOULD be scanned for malware.
+- _Rationale:_ TODO
+- _Last modified:_ July 2023
-- Users SHOULD be prevented from opening or downloading files detected as
-malware.
+#### MS.TEAMS.12.2v1
+Users SHOULD be prevented from opening or downloading files detected as malware.
+- _Rationale:_ TODO
+- _Last modified:_ July 2023
-### 2.12.2 Resources
+### Resources
- The “Data Loss Prevention SHALL Be Enabled” section of the *Defender for
Office 365 Minimum Viable Secure Configuration Baseline.*
-## 2.13 Link Protection SHOULD Be Enabled
+## 13. Link Protection
Microsoft Defender protects users from malicious links included in Teams
messages by prepending
@@ -652,15 +673,24 @@ in the “Safe Links Policies SHALL Be Enabled” and “Safe Links in Global
Settings SHALL be Configured” sections of the *Defender for Office 365
Minimum Viable Secure Configuration Baseline.*
-### 2.13.1 Policy
+### Policies
-- URL comparison with a block-list SHOULD be enabled.
+#### MS.TEAMS.13.1v1
+URL comparison with a block-list SHOULD be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ July 2023
-- Direct download links SHOULD be scanned for malware.
+#### MS.TEAMS.13.2v1
+Direct download links SHOULD be scanned for malware.
+- _Rationale:_ TODO
+- _Last modified:_ July 2023
-- User click tracking SHOULD be enabled.
+#### MS.TEAMS.13.3v1
+User click tracking SHOULD be enabled.
+- _Rationale:_ TODO
+- _Last modified:_ July 2023
-### 2.13.2 Resources
+### Resources
- The “Safe Links Policies SHALL Be Enabled” section of the *Defender for
Office 365 Minimum Viable Secure Configuration Baseline.*
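Review bot: across the whole patch the rationale placeholder appears in two spellings (`TODO` in the SharePoint file and sections 7 to 13 here, `TODO add rationale.` in sections 2 to 5), and only MS.TEAMS.1.1v1 and MS.TEAMS.6.1v1 have real text. Decide before merge whether placeholders may ship; if they must, use one spelling so they are easy to grep, and note in the commit message that the rationale fields are intentionally incomplete.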