365 Tenant Manager Release on April 23, 2025

Enhancements

  • A new predefined template has been released in 365 Tenant Manager, offering a comprehensive set of settings and policies aligned with the CIS Microsoft 365 Foundations Benchmark v4.0. This template automates reporting and remediation for a wide range of security directives, helping organizations streamline compliance, reduce risk, and enforce best practices across their M365 environment.
  • The following new predefined settings targeting Exchange, Microsoft 365 (General), Microsoft Teams and SharePoint have been introduced in the predefined settings library:
    • Exchange
      • HS-S0058 – Ensure that SPF records are published for all Exchange Domains
        Checks that an SPF record is published for every Exchange domain, so that receiving mail systems can identify mail sent from sources the domain does not authorize and spoofing becomes harder.
      • HS-S0059 – Ensure that DKIM is enabled for all Exchange Online Domains
        Checks that DKIM signing is enabled for each domain and that the CNAME DNS records for the DKIM selectors are configured correctly. When the setting is in Enforce mode, DKIM is enabled for domains where it is off.
      • HS-S0060 – Ensure DMARC Records for Exchange Domains
        Checks that a DMARC record is published for every Exchange domain and that it carries the required tags.
      • HS-S0084 – Ensure Audit Bypass is Disabled
        Verifies that audit bypass is disabled for the specified user mailboxes in Microsoft 365, so that activity in those mailboxes is recorded.
      • HS-S0099 – Restrict disallowed roles in default Role Assignment Policy
        Ensure the default Role Assignment Policy does not include roles like MyCustomApps, MyMarketplaceApps, or MyReadWriteMailboxApps, which can introduce unwanted app permissions or configurations.
    • Microsoft 365 (General)
      • HS-S0080 – Ensure Microsoft Authenticator protects against MFA fatigue
        Ensures Microsoft Authenticator is enabled and that its policy shows the application name and sign-in location during MFA prompts, giving users the context to reject push notifications they did not initiate (MFA fatigue attacks).
      • HS-S0088 – Ensure that guest user access is restricted
        Limits guest access to the most restrictive setting, which helps prevent malicious enumeration of user and group objects in the Microsoft 365 environment by guests.
      • HS-S0092 – Ensure Restrict non-admin users from creating tenants is Disabled
        Restricting tenant creation to administrators prevents unauthorized or uncontrolled deployment of resources and ensures that the organization retains control over its infrastructure.
      • HS-S0093 – Ensure all member users are ‘MFA capable’
        Ensure all member users are MFA capable, registered and enabled with a strong authentication method allowed by policy. Users not marked as MFA capable may be unprotected due to missing policies, exclusions, or lack of sign-in activity.
      • HS-S0096 – Ensure weak authentication methods are disabled  
        Controls the availability of less secure authentication methods such as SMS, Voice Call, and Email One-Time Passcode (OTP) for signing in to Microsoft 365. While these methods offer flexibility and ease of access—especially for B2B collaboration scenarios—they rely on external communication channels like telephony and email, which may present higher risk. This setting allows organizations to enforce stronger authentication practices by disabling select fallback methods.
      • HS-S0097 – Ensure guest user invitations are limited to the Guest Inviter role
        By default, all users in the organization, including B2B collaboration guest users, can invite external users to B2B collaboration. The ability to send invitations can be limited by turning it on or off for everyone, or by restricting it to certain roles. This setting checks that invitations are restricted to administrators and users in the Guest Inviter role.
      • HS-S0100 – Remove licenses from blocked users
        Checks if a user’s sign-in is blocked and they still have licenses assigned. If so, removes the licenses to optimize license usage.
    • Microsoft Teams
      • HS-S0064 – Restrict anonymous users from joining meeting on GLOBAL policy for Teams
        Ensures that anonymous users are prevented from joining meetings under the Global meeting policy in Teams.
      • HS-S0065 – Restrict dial-in users from bypassing a meeting lobby on the GLOBAL Policy
        Ensures that dial-in (PSTN) callers cannot bypass the meeting lobby under the Global meeting policy in Microsoft Teams.
      • HS-S0066 – Only invited users should be automatically admitted for Global policy in Teams
        Ensures that only invited users are automatically admitted to Teams meetings and that this is enforced on the Global meeting policy.
      • HS-S0067 – Ensure meeting chat does not allow anonymous users
        This setting controls whether meeting chat in Microsoft Teams is available to anonymous participants. Disabling chat for anonymous users helps prevent unmonitored conversations, reduces the risk of data leaks, and keeps communication during meetings within organizational policy.
      • HS-S0070 – Ensure users can’t send emails to a channel email address  
        Manages whether email can be sent to a channel email address in Microsoft Teams; the expected state is that the channel email feature is disabled.
      • HS-S0071 – Restrict only Organizers to present in Teams meetings
        This setting controls who is allowed to present in Microsoft Teams meetings by configuring the designated presenter role. Restricting this role to the organizer ensures only the meeting creator can share content or control the session, reducing the risk of unauthorized sharing or disruption.
      • HS-S0073 – Ensure DLP policies are enabled for Microsoft Teams
        This setting controls whether Data Loss Prevention (DLP) policies are actively enforced in Microsoft Teams. DLP policies help protect sensitive information by monitoring and restricting its sharing within Teams messages and files.
      • HS-S0077 – Ensure external file sharing in Teams is enabled for only approved cloud storage services
        This setting manages whether third-party storage providers—such as Google Drive, Dropbox, Box, Egnyte, and Citrix ShareFile—are allowed in Microsoft Teams. Enabling these options lets users connect and share files from external cloud storage platforms within Teams.
      • HS-S0079 – Ensure communication with Skype users is disabled
        Ensures that communication with Skype users is disabled, in line with the CIS security baseline.
      • HS-S0081 – Ensure meeting recording is off by default in the Global meeting policy
        Turning recording off in the Global meeting policy means that only users assigned a separate meeting policy that permits recording, such as organizers and co-organizers, can start one.
      • HS-S0082 – Ensure external meeting chat is off in the Global meeting policy
        Ensure that external chat in Teams meetings is disabled in the “Global” Meetings policy in Teams.
      • HS-S0083 – Ensure Zero-hour Auto Purge (ZAP) for Microsoft Teams is Enabled in the Global Policy
        Ensure that Zero-hour Auto Purge (ZAP) is enabled in the Global Teams Protection Policy to enhance security and compliance.
      • HS-S0085 – Ensure users can report security risks in Teams
        Make sure users have a way to report security risks in Microsoft Teams, such as phishing messages or suspicious content, through built-in reporting features.
      • HS-S0086 – Ensure communication with unmanaged Teams users is disabled for GLOBAL policy
        Allowing users to communicate with unmanaged Teams users presents a potential security threat, as little effort is required for a threat actor to create such an account and gain access. Disabling this communication entirely also removes the ability of unmanaged users to initiate contact.
      • HS-S0087 – Ensure external users cannot request control during Teams screen sharing for the Global Policy
        Prevent external users from requesting control during screen sharing in Microsoft Teams for the Global Teams Meeting Policy.
      • HS-S0091 – Restrict external domains in Microsoft Teams
        Restricts Teams external access to either specific domains or blocks all external domains, reducing risk of data leaks or abuse from unauthorized external entities.
    • SharePoint
      • HS-S0076 – Ensure custom script execution is restricted on sites 
        This setting controls whether custom scripts can run on a site, allowing users to modify its appearance and behavior. Scripts run under the user’s permissions, giving them access to all data the user can see—including content across Microsoft 365 and through Microsoft Graph.
      • HS-S0078 – Ensure SharePoint and OneDrive integration with Entra B2B is enabled
        Entra ID B2B enables authentication and management of guest users across Microsoft 365. When guests don’t have a work, school, or Microsoft account, they authenticate via one-time passcode. Integration with SharePoint and OneDrive allows organizations to unify and refine the guest experience and access control, consistent with how guests are managed in services like Microsoft Teams.
      • HS-S0089 – Ensure SharePoint external sharing is managed through domain whitelist or blacklists
        Ensures that SharePoint external sharing is limited to an allow list of domains or excludes a block list of domains.
      • HS-S0090 – Ensure that SharePoint guest users cannot share items they don’t own
        Prevent SharePoint guests from sharing content they don’t own to reduce unauthorized external access.
      • HS-S0094 – Ensure link sharing is restricted in SharePoint and OneDrive
        This setting ensures that the default sharing link type and default link permission in SharePoint and OneDrive are set to the more secure options.
      • HS-S0095 – Ensure SharePoint Re-authentication with verification code is restricted
        This setting configures if guests who use a verification code to access the site or links are required to reauthenticate after a set number of days.
      • HS-S0098 – Ensure guest access to a site or OneDrive will expire automatically
        This setting ensures that guests who no longer need access to the site or link no longer have access after a set period of time. Allowing guest access for an indefinite amount of time could lead to loss of data confidentiality and oversight.
  • The following new predefined policies for Entra – Conditional Access have been introduced in the predefined policies library:
    • Entra – Conditional Access Policies
      • HS-P0029 – Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
        This Conditional Access Policy enforces sign-in frequency and disables persistent browser sessions for administrative users, ensuring frequent re-authentication to enhance security and prevent unauthorized access.
      • HS-P0031 – Ensure ‘sign-in risk’ is blocked for medium and high risk
        This policy blocks all sign-ins with medium or high risk levels to prevent unauthorized access and potential account compromise.
      • HS-P0032 – Ensure admin center access is limited to administrative roles
        Blocking sign-in to Microsoft Admin Portals enhances the security of sensitive data by restricting access to privileged users. This mitigates potential exposure due to administrative errors or software vulnerabilities introduced by a cloud service provider (CSP), and acts as a defense-in-depth measure against security breaches.
      • HS-P0033 – Ensure a managed device is required for MFA registration
        Requiring registration on a managed device significantly reduces the risk of bad actors using stolen credentials to register for security information.
      • HS-P0034 – Ensure OneDrive sync is restricted for unmanaged devices
        This Conditional Access policy blocks access to OneDrive sync and SharePoint for all users on unmanaged devices. It targets all client types and uses a device filter on trust type that treats only Entra ID-joined and Entra ID-registered devices as trusted; devices that are neither joined nor registered with Entra ID are considered untrusted and are blocked.
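The three Exchange email-authentication settings above (HS-S0058, HS-S0059, HS-S0060) can be reproduced with a short audit script. The block below is an added example and is not 365 Tenant Manager code; it assumes an Exchange Online PowerShell session (Connect-ExchangeOnline), a Windows host with the DnsClient module (Resolve-DnsName), and that the "required" DMARC tags are p=reject or quarantine, pct=100 and an rua address, which is this example's reading rather than the product's rule set.

```powershell
# Added example, not 365 Tenant Manager code. Requires Connect-ExchangeOnline and
# Resolve-DnsName (DnsClient module, Windows). DMARC requirements below are an assumption.

function Get-TxtRecord {
    param([string]$Name)
    # Resolve-DnsName splits long TXT records into several strings; join them back.
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings } |
        ForEach-Object { ($_.Strings -join '') }
}

function Test-DmarcRecord {
    param([string]$Record)
    # Parse "v=DMARC1; p=reject; pct=100; rua=mailto:..." into a hashtable of tags.
    $tags = @{}
    foreach ($part in ($Record -split ';')) {
        $kv = $part.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }
    # pct defaults to 100 when absent (RFC 7489).
    $pct = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }
    [pscustomobject]@{
        Policy    = $tags['p']
        Compliant = ($tags['v'] -eq 'DMARC1') -and
                    ($tags['p'] -in @('reject', 'quarantine')) -and
                    ($pct -eq 100) -and $tags.ContainsKey('rua')
    }
}

# Skip the tenant's *.onmicrosoft.com domain; Microsoft manages its DNS.
$domains = Get-AcceptedDomain | Where-Object { $_.DomainName -notlike '*.onmicrosoft.com' }

foreach ($d in $domains) {
    $name = $d.DomainName

    # SPF: exactly one v=spf1 TXT record at the apex (two is as bad as none).
    $spf   = @(Get-TxtRecord -Name $name | Where-Object { $_ -like 'v=spf1*' })
    $spfOk = ($spf.Count -eq 1)

    # DKIM: signing enabled in Exchange Online and both selector CNAMEs pointing
    # at the targets Exchange Online expects (Selector1CNAME / Selector2CNAME).
    $dkim   = Get-DkimSigningConfig -Identity $name -ErrorAction SilentlyContinue
    $dkimOk = $false
    if ($dkim -and $dkim.Enabled) {
        $cnameOk = foreach ($sel in 'selector1', 'selector2') {
            $expected = if ($sel -eq 'selector1') { $dkim.Selector1CNAME } else { $dkim.Selector2CNAME }
            $actual   = (Resolve-DnsName -Name "$sel._domainkey.$name" -Type CNAME `
                            -ErrorAction SilentlyContinue).NameHost
            $actual -eq $expected
        }
        $dkimOk = ($cnameOk -notcontains $false)
    }

    # DMARC: TXT record at _dmarc.<domain> carrying the required tags.
    $dmarcRecord = Get-TxtRecord -Name "_dmarc.$name" |
                   Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $dmarc = if ($dmarcRecord) { Test-DmarcRecord -Record $dmarcRecord } else { $null }

    [pscustomobject]@{
        Domain      = $name
        SPF         = $spfOk
        DKIM        = $dkimOk
        DMARC       = [bool]($dmarc -and $dmarc.Compliant)
        DmarcPolicy = $dmarc.Policy
    }
}
```

To remediate a domain that reports DKIM as false, publish the two selector CNAMEs first and only then run `Set-DkimSigningConfig -Identity <domain> -Enabled $true` (or `New-DkimSigningConfig -DomainName <domain> -Enabled $true` if no signing configuration exists yet); enabling signing before the CNAMEs resolve causes outbound mail to fail DKIM verification at recipients.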

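The Teams and SharePoint settings listed above are, for the most part, single properties on a handful of tenant-wide configuration objects, so they can be audited declaratively: a table of (object, property, expected value) compared against what the tenant returns. The block below is an added example, not 365 Tenant Manager code. It assumes the MicrosoftTeams module (Connect-MicrosoftTeams), the Microsoft.Online.SharePoint.PowerShell module (Connect-SPOService) and, for the ZAP check, an Exchange Online session; the property names are the cmdlets' own, while the expected values are this example's reading of the settings above and may differ from the product's.

```powershell
# Added example, not 365 Tenant Manager code. Requires Connect-MicrosoftTeams,
# Connect-SPOService and Connect-ExchangeOnline. Expected values are assumptions.

# Each check: which configuration object to read, which property, and the value
# that corresponds to the predefined setting. Comparison is a plain -eq.
$checks = @(
    @{ Id='HS-S0064'; Source='TeamsMeeting';    Property='AllowAnonymousUsersToJoinMeeting';           Expected=$false }
    @{ Id='HS-S0065'; Source='TeamsMeeting';    Property='AllowPSTNUsersToBypassLobby';                Expected=$false }
    @{ Id='HS-S0066'; Source='TeamsMeeting';    Property='AutoAdmittedUsers';                          Expected='InvitedUsers' }
    @{ Id='HS-S0067'; Source='TeamsMeeting';    Property='MeetingChatEnabledType';                     Expected='EnabledExceptAnonymous' }
    @{ Id='HS-S0071'; Source='TeamsMeeting';    Property='DesignatedPresenterRoleMode';                Expected='OrganizerOnlyUserOverride' }
    @{ Id='HS-S0081'; Source='TeamsMeeting';    Property='AllowCloudRecording';                        Expected=$false }
    @{ Id='HS-S0082'; Source='TeamsMeeting';    Property='AllowExternalNonTrustedMeetingChat';         Expected=$false }
    @{ Id='HS-S0087'; Source='TeamsMeeting';    Property='AllowExternalParticipantGiveRequestControl'; Expected=$false }
    @{ Id='HS-S0070'; Source='TeamsClient';     Property='AllowEmailIntoChannel';                      Expected=$false }
    @{ Id='HS-S0077'; Source='TeamsClient';     Property='AllowDropBox';                               Expected=$false }
    @{ Id='HS-S0077'; Source='TeamsClient';     Property='AllowGoogleDrive';                           Expected=$false }
    @{ Id='HS-S0079'; Source='TeamsFederation'; Property='AllowPublicUsers';                           Expected=$false }
    @{ Id='HS-S0086'; Source='TeamsFederation'; Property='AllowTeamsConsumer';                         Expected=$false }
    @{ Id='HS-S0086'; Source='TeamsFederation'; Property='AllowTeamsConsumerInbound';                  Expected=$false }
    @{ Id='HS-S0085'; Source='TeamsMessaging';  Property='AllowSecurityEndUserReporting';              Expected=$true }
    @{ Id='HS-S0083'; Source='TeamsProtection'; Property='ZapEnabled';                                 Expected=$true }
    @{ Id='HS-S0078'; Source='SPOTenant';       Property='EnableAzureADB2BIntegration';                Expected=$true }
    @{ Id='HS-S0090'; Source='SPOTenant';       Property='PreventExternalUsersFromResharing';          Expected=$true }
    @{ Id='HS-S0094'; Source='SPOTenant';       Property='DefaultSharingLinkType';                     Expected='Direct' }
    @{ Id='HS-S0094'; Source='SPOTenant';       Property='DefaultLinkPermission';                      Expected='View' }
    @{ Id='HS-S0095'; Source='SPOTenant';       Property='EmailAttestationRequired';                   Expected=$true }
    @{ Id='HS-S0098'; Source='SPOTenant';       Property='ExternalUserExpirationRequired';             Expected=$true }
)

# Read each configuration object once; the Global identity is the tenant default
# that applies to every user without a more specific policy assignment.
$objects = @{
    TeamsMeeting    = Get-CsTeamsMeetingPolicy -Identity Global
    TeamsClient     = Get-CsTeamsClientConfiguration -Identity Global
    TeamsFederation = Get-CsTenantFederationConfiguration
    TeamsMessaging  = Get-CsTeamsMessagingPolicy -Identity Global
    TeamsProtection = Get-TeamsProtectionPolicy
    SPOTenant       = Get-SPOTenant
}

$results = foreach ($c in $checks) {
    # Dynamic property access: $obj.('PropertyName').
    $actual = $objects[$c.Source].($c.Property)
    [pscustomobject]@{
        Id       = $c.Id
        Setting  = "$($c.Source).$($c.Property)"
        Expected = $c.Expected
        Actual   = $actual
        Pass     = ($actual -eq $c.Expected)
    }
}

$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Pass }   # the findings that need remediation
```

Two of the listed settings do not fit this table. HS-S0076 (custom script) is a per-site property, so it is audited with `Get-SPOSite -Limit All | Where-Object { $_.DenyAddAndCustomizePages -ne 'Enabled' }`, and HS-S0091 (external domains) is a list rather than a scalar: check that `(Get-CsTenantFederationConfiguration).AllowedDomains` is either a specific allow list or that `AllowFederatedUsers` is false, rather than comparing it with -eq. Note also that a passing Global policy says nothing about users assigned a custom policy; enumerate `Get-CsTeamsMeetingPolicy` without -Identity to cover those.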
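The Conditional Access policies above are ordinary policy objects that can be created through Microsoft Graph, which is also the fastest way to see what "sign-in frequency" and "non-persistent browser sessions" (HS-P0029) and a risk-based block (HS-P0031) actually look like as configuration. The block below is an added example and is not 365 Tenant Manager code; it assumes the Microsoft.Graph.Identity.SignIns module with a Connect-MgGraph session holding Policy.ReadWrite.ConditionalAccess, that Global Administrator is the only targeted role (the role list, the display names and the 4-hour frequency are this example's choices), and that the reader fills in the object IDs of their emergency-access accounts. Both policies are created in report-only mode so their effect can be reviewed in sign-in logs before enforcement.

```powershell
# Added example, not 365 Tenant Manager code. Requires Microsoft.Graph.Identity.SignIns:
#   Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
# Role IDs, names and the sign-in frequency are assumptions; policies are report-only.

# Directory role template IDs to target. Global Administrator shown; extend as needed.
$adminRoles = @(
    '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator (well-known template ID)
)

# Always exclude emergency-access (break-glass) accounts from policies that can
# lock administrators out. Fill with their user object IDs before enforcing.
$breakGlass = @()

# HS-P0029: force re-authentication every 4 hours and never persist browser sessions
# for users holding an administrative role. Session controls only; no grant controls.
$adminSessionPolicy = @{
    displayName = 'CA - Admin sign-in frequency and no persistent browser (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeRoles = $adminRoles; excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; type = 'hours'; value = 4 }
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }
    }
}

# HS-P0031: block any sign-in Entra ID Protection rates as medium or high risk.
# Requires Entra ID P2 for the risk signal to be evaluated.
$riskBlockPolicy = @{
    displayName = 'CA - Block medium and high sign-in risk (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users            = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
        applications     = @{ includeApplications = @('All') }
        clientAppTypes   = @('all')
        signInRiskLevels = @('high', 'medium')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($body in $adminSessionPolicy, $riskBlockPolicy) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    "{0}  {1}  {2}" -f $created.Id, $created.State, $created.DisplayName
}

# Verification: list every policy that applies both session controls from HS-P0029,
# so a drifted or disabled copy shows up alongside the one just created.
Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.SessionControls.SignInFrequency.IsEnabled -and
    $_.SessionControls.PersistentBrowser.Mode -eq 'never'
} | Select-Object DisplayName, State
```

After the report-only period, switching `state` to `enabled` is done with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled`. Leave the break-glass exclusion in place when doing so; a sign-in frequency policy with no exclusions is a common way to lose access to a tenant during an identity-provider incident.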