
What's New - CIS Microsoft 365 Foundations Benchmark v7.0.0

Tags: Security, Microsoft 365, Intune

If v6.0.0 was sharpening, v7.0.0 is a re-foundation. The Center for Internet Security released version 7.0.0 of the Microsoft 365 Foundations Benchmark on 19th May 2026. This is the largest update to the benchmark in over a year, with 21 new controls, around 55 controls updated, and a structural overhaul that introduces a new identifier scheme and rehomes 12 recommendations from the Azure Foundations Benchmark.

What is the CIS Microsoft 365 Benchmark?

CIS (Center for Internet Security) benchmarks are consensus-driven security configuration guidelines built by industry practitioners. The CIS Microsoft 365 Foundations Benchmark provides a prescriptive set of recommendations for hardening a Microsoft 365 tenant across Entra ID, Exchange Online, SharePoint, Teams, Purview, Intune, and Microsoft Fabric.

Two structural changes are worth flagging up front:

  • (L1) and (L2) prefix tags have been removed from control titles. Profile levels still exist — you'll find them under each recommendation's Profile Applicability section.
  • Global Recommendation IDs (GRIDs) have been introduced. Each recommendation now carries a unique GRID alongside its numbered identifier, making cross-benchmark mapping consistent and stable across future updates.

What's changed in v7.0.0?

Version 7.0.0 introduces 21 new controls, ~55 updated controls, and 2 removed controls compared with v6.0.1. Twelve of the 21 new recommendations have been relocated from the CIS Microsoft Azure Foundations Benchmark, bringing identity, Conditional Access, and password reset controls under the M365 umbrella where they more naturally belong.

New controls

Microsoft Defender

2.4.5 Ensure 'AIR' remediation is enabled (L1)

Automated Investigation and Response (AIR) clusters malicious messages and produces remediation actions. With auto-remediation enabled, identified threats are contained immediately without waiting for SecOps approval. Requires Defender for Office 365 Plan 2 (included in Microsoft 365 E5).

Microsoft Purview

3.2.3 Ensure DLP policies are published for Copilot users (L1)

Requires at least one DLP policy scoped to Microsoft 365 Copilot and Copilot Chat interactions. Without it, there is no technical control stopping Copilot from surfacing PII, financial data, or other sensitive content in AI-generated responses.

Microsoft Entra — Groups

Three new controls tighten group governance and self-service:

  • 5.1.3.2 Ensure 'Restrict user ability to access groups features in My Groups' is set to 'Yes' (L1)
  • 5.1.3.3 Ensure 'Owners can manage group membership requests in My Groups' is set to 'No' (L1)
  • 5.1.3.4 Ensure 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' (L1)

Microsoft Entra — Enterprise apps

A new 5.1.5 sub-section addresses application credential hygiene:

  • 5.1.5.3 Ensure password addition is blocked for applications (L2)
  • 5.1.5.4 Ensure password lifetime for applications does not exceed 180 days (L2)
  • 5.1.5.5 Ensure new application passwords are system-generated (L2)
  • 5.1.5.6 Ensure maximum certificate lifetime for applications does not exceed 180 days (L2)

Together these force every new application towards certificate-based authentication or workload identity federation and put a hard expiry on existing credentials.
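The four 5.1.5.x controls map onto the tenant-wide default app management policy in Microsoft Graph. The following is an added example (not code from the benchmark or from this post) that sets that policy with the Microsoft Graph PowerShell SDK. The restriction names are Graph's documented `restrictionType` values; the 180-day limit comes from the controls above, while the "apps created after" cut-off date, the required scope and the module are assumptions to review before use.

```powershell
# Added example: align the tenant default app management policy with
# CIS M365 v7.0.0 controls 5.1.5.3 - 5.1.5.6.
# Assumes the Microsoft.Graph PowerShell SDK and an admin holding
# Policy.ReadWrite.ApplicationConfiguration.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ApplicationConfiguration' -NoWelcome

# Scoping the restrictions to apps created after a cut-off avoids breaking
# existing integrations on day one; move the date back (or drop it) once
# long-lived secrets have been inventoried. Placeholder date, adjust to your rollout.
$restrictFrom = '2026-06-01T00:00:00Z'

$body = @{
    isEnabled               = $true
    applicationRestrictions = @{
        passwordCredentials = @(
            # 5.1.5.3 - block adding new client secrets altogether
            @{ restrictionType = 'passwordAddition'; state = 'enabled'
               restrictForAppsCreatedAfterDateTime = $restrictFrom }
            # 5.1.5.4 - any secret that is still permitted lives at most 180 days
            @{ restrictionType = 'passwordLifetime'; state = 'enabled'; maxLifetime = 'P180D'
               restrictForAppsCreatedAfterDateTime = $restrictFrom }
            # 5.1.5.5 - no admin-chosen secret values; Entra generates them
            @{ restrictionType = 'customPasswordAddition'; state = 'enabled'
               restrictForAppsCreatedAfterDateTime = $restrictFrom }
        )
        keyCredentials = @(
            # 5.1.5.6 - certificates on applications expire within 180 days as well
            @{ restrictionType = 'asymmetricKeyLifetime'; state = 'enabled'; maxLifetime = 'P180D'
               restrictForAppsCreatedAfterDateTime = $restrictFrom }
        )
    }
}

Invoke-MgGraphRequest -Method PATCH `
    -Uri 'https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy' `
    -Body $body

# Read the policy back and print one line per restriction so the result can be
# checked against the four controls.
$policy = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy'
$all = @($policy.applicationRestrictions.passwordCredentials) +
       @($policy.applicationRestrictions.keyCredentials)
foreach ($r in $all) {
    '{0,-25} state={1,-8} maxLifetime={2}' -f $r.restrictionType, $r.state, $r.maxLifetime
}
```

Run it once in a test tenant first: a policy with `passwordAddition` enabled will make `New-MgApplicationPassword` fail for every app created after the cut-off, which is the intended effect but will surface in any pipeline that still mints secrets.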

Microsoft Entra — Conditional Access

Five new Conditional Access controls expand coverage:

  • 5.2.2.13 Ensure that periodic reauthentication is required for all users (L1)
  • 5.2.2.14 Ensure trusted 'named locations' are defined and applied (L2)
  • 5.2.2.15 Ensure exclusionary geographic access controls are utilized (L1)
  • 5.2.2.16 Ensure Token Protection is enforced for session tokens (L2)
  • 5.2.2.17 Ensure authentication transfer is blocked (L1)

Microsoft Entra — Authentication methods

  • 5.2.3.8 Ensure that Account 'Lockout threshold' is '10' or less (L1)
  • 5.2.3.9 Ensure that Account 'Lockout duration in seconds' is at least 60 seconds (L1)
  • 5.2.3.10 Ensure Microsoft Authenticator on companion applications is disabled (L1)

Microsoft Entra — Password reset

  • 5.2.4.2 Ensure that 2 methods are required for password reset (L1)
  • 5.2.4.3 Ensure SSPR registration and authentication re-confirmation are required (L1)
  • 5.2.4.4 Ensure that users are notified on password resets (L1)
  • 5.2.4.5 Ensure all admins are notified when other admins reset their password (L1)

Exchange Online

6.3.2 Ensure the ability to add personal email accounts and calendars is disabled (L1)

Blocks users from connecting personal Outlook.com, Gmail, or Yahoo accounts inside New Outlook for Windows and Outlook on the web. Personal accounts bypass Safe Links, Safe Attachments, DLP, and audit logging — creating both a side-channel exfiltration path and an inbound filtering bypass.

Removed controls

  • 5.1.3.1 Ensure a dynamic group for guest users is created — superseded by guest access reviews and the new My Groups controls
  • 7.3.2 Ensure OneDrive sync is restricted for unmanaged devices — now handled through Conditional Access App Control and Intune device compliance policies

Notable updated controls

Profile elevations (L2 → L1):

  • 4.1 Ensure devices without a compliance policy are marked 'not compliant'
  • 4.2 Ensure device enrollment for personally owned devices is blocked by default

Both Intune controls are now core baseline expectations, not discretionary.

Tightening:

  • 5.1.4.2 Ensure the maximum number of devices per user is limited — recommended limit reduced from 20 to 10

Loosening (worth noting):

  • 5.3.4 / 5.3.5 PIM approval controls — required approvers reduced from 2 to 1. You may want to retain the stricter setting.
  • 5.2.3.1 Ensure Microsoft Authenticator is configured to protect against MFA fatigue — number-matching requirement removed

Top 3 new controls to implement first

1. 5.2.2.17 Ensure authentication transfer is blocked (L1)

Authentication transfer lets users hand off their authenticated state from one device to another via a QR code — with no additional password or MFA prompt. A threat actor with access to a victim's desktop session can silently establish their own authenticated session on a different device, bypassing device compliance and Conditional Access policies.

Remediation: Create a Conditional Access policy targeting All users (excluding break-glass accounts) and All resources, with the condition Authentication flows set to Authentication transfer, and the grant control set to Block.

Watch-outs: Pilot in report-only mode first. Users who rely on the QR-code sign-in flow between devices will need to sign in interactively going forward.

2. 5.2.2.16 Ensure Token Protection is enforced for session tokens (L2)

Token theft has been the standout cloud identity threat vector of the past 18 months. A stolen session token bypasses MFA entirely. Token Protection ties session tokens cryptographically to the device that issued them — a stolen token is useless on any other device.

Enforce it for Exchange Online, SharePoint Online, and Microsoft Teams.

Watch-outs: Currently supports native applications only (not browser-based). Still in preview for macOS and iOS. Check Microsoft's known-limitations list before broad enforcement.
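Both of the Conditional Access controls above (5.2.2.17 and 5.2.2.16) have the same shape: all users minus break-glass accounts, piloted in report-only mode. The script below is an added example, not the benchmark's or this post's own code, that creates both policies through the Microsoft Graph PowerShell SDK. The `authenticationFlows.transferMethods` condition and the `secureSignInSession` session control are Graph's own property names; the helper function, policy display names, the break-glass object ID, the required scopes and the service-principal display names used to look up app IDs are assumptions to replace with your own.

```powershell
# Added example: create the CIS 5.2.2.17 and 5.2.2.16 policies in report-only mode.
# Assumes Microsoft.Graph SDK, Policy.ReadWrite.ConditionalAccess and Application.Read.All.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Application.Read.All' -NoWelcome

# Placeholder: object IDs of the emergency-access accounts to exclude.
$breakGlass = @('00000000-0000-0000-0000-000000000000')

function New-ReportOnlyCaPolicy {
    # Shared shape of both policies: all users except break-glass, report-only
    # state so sign-in logs show the impact before anything is enforced.
    param(
        [string]$DisplayName,
        [hashtable]$Conditions,
        [hashtable]$GrantControls,
        [hashtable]$SessionControls
    )
    $Conditions.users = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
    $body = @{
        displayName = $DisplayName
        state       = 'enabledForReportingButNotEnforced'
        conditions  = $Conditions
    }
    if ($GrantControls)   { $body.grantControls   = $GrantControls }
    if ($SessionControls) { $body.sessionControls = $SessionControls }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 5.2.2.17 - block the authentication transfer flow for all resources.
New-ReportOnlyCaPolicy -DisplayName 'CIS 5.2.2.17 Block authentication transfer' `
    -Conditions @{
        applications        = @{ includeApplications = @('All') }
        clientAppTypes      = @('all')
        authenticationFlows = @{ transferMethods = 'authenticationTransfer' }
    } `
    -GrantControls @{ operator = 'OR'; builtInControls = @('block') }

# 5.2.2.16 - require token protection (secure sign-in session) for Exchange
# Online, SharePoint Online and Teams on Windows native clients, the scope the
# feature supports today. App IDs are resolved from the tenant's service
# principals by display name (assumed names) rather than hard-coded.
$spNames = 'Office 365 Exchange Online', 'Office 365 SharePoint Online', 'Microsoft Teams'
$apps = @(foreach ($name in $spNames) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'"
    if ($sp) { $sp.AppId } else { Write-Warning "Service principal '$name' not found; skipping" }
})
New-ReportOnlyCaPolicy -DisplayName 'CIS 5.2.2.16 Require token protection' `
    -Conditions @{
        applications   = @{ includeApplications = $apps }
        clientAppTypes = @('mobileAppsAndDesktopClients')
        platforms      = @{ includePlatforms = @('windows') }
    } `
    -SessionControls @{ secureSignInSession = @{ isEnabled = $true } }

# Review both policies; switch state to 'enabled' only after the report-only pilot.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object DisplayName -like 'CIS 5.2.2.1*' |
    Select-Object DisplayName, State
```

The token-protection policy is deliberately scoped to Windows and native clients because, as noted above, browser sessions and non-Windows platforms are not yet covered; widening the scope would only generate failures in the report-only results.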

3. 6.3.2 Ensure personal email accounts and calendars are disabled (L1)

Personal email accounts added to New Outlook aren't subject to Safe Links, Safe Attachments, DLP, or audit logging. They create a side-channel exfiltration path (drag-and-drop from corporate to personal mailbox) and an inbound filtering bypass (phishing sent to the personal account renders in the trusted Outlook client).

Remediation: Set PersonalAccountsEnabled and PersonalAccountCalendarsEnabled to False on the default OWA mailbox policy.

Watch-outs: Applies to New Outlook and OWA only — not classic Outlook. Changes take up to 60 minutes to propagate. Communicate to users before enabling.
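An added example (not code from the benchmark or this post) that audits every OWA mailbox policy in the tenant for control 6.3.2 and, on request, applies the remediation above. `PersonalAccountsEnabled` and `PersonalAccountCalendarsEnabled` are the parameters the control names; the ExchangeOnlineManagement module, the Exchange Administrator role, and the function name and `-Remediate` switch are this example's assumptions.

```powershell
# Added example: audit and optionally remediate CIS 6.3.2 across all OWA
# mailbox policies (the benchmark targets the default policy; checking every
# policy catches custom ones that are assigned to mailboxes).
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator.
function Test-Cis632OwaPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)

    Connect-ExchangeOnline -ShowBanner:$false

    $findings = foreach ($p in Get-OwaMailboxPolicy) {
        $compliant = (-not $p.PersonalAccountsEnabled) -and (-not $p.PersonalAccountCalendarsEnabled)
        [pscustomobject]@{
            Policy                          = $p.Identity
            PersonalAccountsEnabled         = $p.PersonalAccountsEnabled
            PersonalAccountCalendarsEnabled = $p.PersonalAccountCalendarsEnabled
            Compliant                       = $compliant
        }
        # Remediate only non-compliant policies; -WhatIf shows the change without applying it.
        if (-not $compliant -and $Remediate -and
            $PSCmdlet.ShouldProcess($p.Identity, 'Disable personal accounts and calendars')) {
            Set-OwaMailboxPolicy -Identity $p.Identity `
                -PersonalAccountsEnabled $false -PersonalAccountCalendarsEnabled $false
        }
    }
    $findings
}

# Audit only:
Test-Cis632OwaPolicy | Format-Table -AutoSize
# Preview the remediation, then run it for real without -WhatIf:
Test-Cis632OwaPolicy -Remediate -WhatIf
```

Re-run the audit after the propagation window noted above (up to 60 minutes) rather than immediately, since a fresh read of the policy can still show the old values.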

In summary

Version 7.0.0 is the most consequential M365 benchmark release since v4.0.0. The structural changes and the absorption of 12 Azure-side identity controls make this a benchmark that finally treats the Microsoft 365 control surface as one estate. Even if your tenants are already aligned to v6.0.1, moving to v7.0.0 is a substantial uplift from the previous baseline.

Resources