What's New - CIS Microsoft 365 Foundations Benchmark v6.0.1
Tags: Security, Microsoft 365, Intune
The Center for Internet Security (CIS) released version 6.0.0 of the Microsoft 365 Foundations Benchmark on 31st October 2025, followed by version 6.0.1 on 26th February 2026. For Microsoft 365 security teams, managed service providers, and administrators, this update introduces practical changes that strengthen tenant hardening across identity, email, collaboration, and device security.
What is the CIS Microsoft 365 Benchmark?
CIS benchmarks are consensus-driven security configuration guidelines built by industry practitioners. The CIS Microsoft 365 Foundations Benchmark provides a prescriptive set of recommendations for hardening a Microsoft 365 tenant across Entra ID, Exchange Online, SharePoint, Teams, Purview, Intune, and Microsoft Fabric.
Each recommendation is mapped to a Level 1 (baseline, broadly applicable) or Level 2 (may impact functionality) profile.
What's changed in CIS Microsoft 365 Benchmark v6.0.1?
Version 6.0.1 introduces 12 new controls, around 30 updated controls, and 3 removed controls compared with v5.0.0.
New controls
Microsoft 365 admin centre
1.3.9 (L1) Ensure shared bookings pages are restricted to select users
Restricts who can publish a shared Bookings page externally, reducing the risk of unauthorised external-facing pages being created against your tenant's domain.
Microsoft Defender
2.1.15 (L1) Ensure outbound anti-spam message limits are in place
Caps the volume of outbound mail a single user can send — a circuit-breaker against a compromised account being used for outbound spam or phishing campaigns.
Microsoft Entra
Entra has seen the most new controls, with a new 5.1.4 Devices sub-section addressing Entra join hardening end-to-end.
5.1.3.2 (L1) Ensure users cannot create security groups
5.1.4.1 (L2) Ensure the ability to join devices to Entra is restricted
5.1.4.2 (L1) Ensure the maximum number of devices per user is limited
5.1.4.3 (L1) Ensure the GA role is not added as a local administrator during Entra join
Stops Global Administrator accounts from being added by default to the local administrators group during Entra join. This is one of those settings that costs nothing, breaks nothing, and closes a real attack path.
5.1.4.4 (L1) Ensure local administrator assignment is limited during Entra join
5.1.4.5 (L1) Ensure Local Administrator Password Solution is enabled
Enables cloud LAPS at the tenant level for both Entra-joined and hybrid-joined devices. This is the headline addition to v6.0.0 — it provides automated rotation and secure storage of the built-in local administrator password. Enabling LAPS at the tenant level does not automatically rotate passwords. You'll also need to deploy a LAPS policy via Intune Endpoint security > Account protection.
5.1.4.6 (L2) Ensure users are restricted from recovering BitLocker keys
5.2.3.7 (L2) Ensure the email OTP authentication method is disabled
Email OTP has been split out of the previous "weak authentication methods" control into its own dedicated Level 2 recommendation.
Exchange Online
6.5.5 (L2) Ensure Direct Send submissions are rejected
Blocks unauthenticated mail submissions via Direct Send — an actively exploited phishing vector. Before enabling, audit your scan-to-email devices and any apps using Direct Send, as they will need to migrate to an authenticated SMTP relay.
Microsoft Teams
8.2.4 (L1) Ensure the organisation cannot communicate with accounts in trial Teams tenants
Prevents communication with users in throwaway trial Teams tenants, a common vector for impersonation and social engineering.
Microsoft Fabric
9.1.12 (L1) Ensure service principals' ability to create workspaces, connections and deployment pipelines is restricted
Removed controls
Three controls have been retired:
- 3.3 (L1) Ensure custom script execution is restricted on personal sites — setting no longer available in SharePoint
- 3.4 (L1) Ensure custom script execution is restricted on site collections — automatically disabled by Microsoft after 24 hours
- 2.4 (L1) Ensure communication with Skype users is disabled — consumer Skype retired 5th May 2025
Top three controls to implement first
1. 5.1.4.5 (L1) Ensure Local Administrator Password Solution is enabled
Cloud LAPS is the headline addition. It's still common to find organisations using a single, shared local administrator password across an entire fleet. If an attacker compromises one device, that single password becomes a master key for lateral movement.
Why prioritise:
- Tenant-level toggle in Entra ID > Devices > Device settings
- Included in all Microsoft 365 plans at no extra cost
- Prerequisite for LAPS recommendations in the CIS Intune for Windows benchmarks
2. 6.5.5 (L2) Ensure Direct Send submissions are rejected
Direct Send lets on-premises devices deliver email directly to Exchange Online with no authentication required. Threat research has documented active campaigns exploiting Direct Send to deliver convincing internal-spoofed phishing. Audit your scan-to-email devices before enabling.
3. 5.1.4.3 (L1) Ensure the GA role is not added as a local administrator during Entra join
By default, Global Administrators are added to the local administrators group on every Entra-joined device. A compromised endpoint becomes an immediate path to harvesting GA credentials. Remediation: Entra admin centre > Entra ID > Devices > Device settings > set "Global administrator role is added as local administrator" to No.
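As an added example (not code from the post or from the CIS benchmark), the following PowerShell audit reports the state of the three priority controls above in one pass. It assumes the Microsoft.Graph.Beta.Identity.SignIns and ExchangeOnlineManagement modules, the Graph beta deviceRegistrationPolicy property names (localAdminPassword.isEnabled and azureADJoin.localAdmins.enableGlobalAdmins) and the RejectDirectSend organisation setting in Exchange Online.

```powershell
# Added audit script for the three priority controls (not part of the CIS benchmark).
# Assumed modules: Microsoft.Graph.Beta.Identity.SignIns, ExchangeOnlineManagement.
# Property names follow the Graph beta deviceRegistrationPolicy schema (assumption).
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Control, [string]$Title, [bool]$Compliant, [string]$Observed)
    $findings.Add([pscustomobject]@{
        Control  = $Control
        Title    = $Title
        Status   = if ($Compliant) { 'PASS' } else { 'FAIL' }
        Observed = $Observed
    })
}

# 5.1.4.3 and 5.1.4.5 both live in the tenant-wide device registration policy
# (the Entra ID > Devices > Device settings blade mentioned in the post).
$drp = Get-MgBetaPolicyDeviceRegistrationPolicy

Add-Finding '5.1.4.5' 'Local Administrator Password Solution is enabled' `
    ($drp.LocalAdminPassword.IsEnabled -eq $true) `
    "localAdminPassword.isEnabled = $($drp.LocalAdminPassword.IsEnabled)"

Add-Finding '5.1.4.3' 'GA role is not added as local administrator during Entra join' `
    ($drp.AzureADJoin.LocalAdmins.EnableGlobalAdmins -eq $false) `
    "azureADJoin.localAdmins.enableGlobalAdmins = $($drp.AzureADJoin.LocalAdmins.EnableGlobalAdmins)"

# 6.5.5: Direct Send rejection is an organisation-wide Exchange Online switch.
$org = Get-OrganizationConfig
Add-Finding '6.5.5' 'Direct Send submissions are rejected' `
    ($org.RejectDirectSend -eq $true) `
    "RejectDirectSend = $($org.RejectDirectSend)"

$findings | Format-Table -AutoSize

# Remediation for 6.5.5, to run only after auditing scan-to-email devices and
# Direct Send apps as the post advises (the Entra settings are toggled in the portal
# path given above):
#   Set-OrganizationConfig -RejectDirectSend $true
```

Run it before and after remediation so the PASS/FAIL table doubles as evidence for the benchmark assessment.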
Why this update matters
The biggest takeaway is that cloud LAPS is now a Level 1 recommendation. Combined with Exchange Online Direct Send protection and stronger Entra device join settings, this update closes some of the most commonly exploited attack paths in Microsoft 365.