CIS Microsoft 365 Foundations Benchmark

The Center for Internet Security maintains a vendor-curated benchmark for M365. Manage365 runs a subset against every tenant — Level 1 baseline controls plus selected Level 2 controls where the M365 admin surface exposes enough to measure programmatically.

Levels

  • Level 1 — practical minimum; cost-effective, low-impact, should apply to every business. Full coverage.
  • Level 2 — defence in depth; higher friction and some controls require features not in every SKU. Partial coverage — Manage365 checks the ones the Graph API + Intune surface expose.

Coverage highlights

  • Account management — password policy, break-glass accounts, deletion retention
  • Authentication — MFA for admins and users, legacy-auth block, number-matching
  • Application permissions — consent settings, third-party app allow-list
  • Data management — DLP policies, sensitivity labels, external-sharing posture
  • Email security — anti-phishing, anti-malware, attachment filtering, SPF/DKIM/DMARC
  • Audit & logging — unified audit log enabled, mailbox audit defaults, retention window
  • Storage — SharePoint / OneDrive sharing defaults, guest access expiry
  • Mobile device management — Intune enrolment requirements, compliance policies

Scoring

Results use the same shape as the Essential Eight and APRA scans: per-control status, findings, remediation text and an overall percentage. Historical tracking uses the same compliance-scan table.
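As an added illustration of the coverage checks and the scoring shape above (example code, not Manage365's own), the following evaluates three Level 1 controls from Microsoft Graph responses and folds them into per-control status, findings, remediation and an overall percentage. The Graph endpoints are the real ones; the responses, control names and remediation text are constructed for the example.

```python
"""Evaluate a few CIS M365 Level 1 controls from Microsoft Graph responses.
Added example, not Manage365 code. Sample responses are constructed; in a
live scan they come from GET calls to the endpoints named in each check."""
from dataclasses import dataclass, asdict

@dataclass
class ControlResult:
    control: str
    status: str        # "pass" or "fail"
    finding: str
    remediation: str

# Constructed: GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy
AUTHZ_POLICY = {
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "permissionGrantPoliciesAssigned": [
            "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"],
    },
}
# Constructed: "value" array of GET .../identity/conditionalAccess/policies
CA_POLICIES = [{
    "displayName": "Block legacy authentication", "state": "enabled",
    "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
    "grantControls": {"builtInControls": ["block"]},
}]

def check_user_consent(authz):
    # The *-legacy grant policy lets users consent to any app on their own behalf.
    assigned = authz["defaultUserRolePermissions"].get("permissionGrantPoliciesAssigned", [])
    ok = not any(p.endswith("microsoft-user-default-legacy") for p in assigned)
    return ControlResult("User consent to apps restricted", "pass" if ok else "fail",
        "" if ok else f"permissionGrantPoliciesAssigned={assigned}",
        "Disable user consent, or allow it only for admin-approved verified publishers")

def check_app_registration(authz):
    ok = authz["defaultUserRolePermissions"].get("allowedToCreateApps") is False
    return ControlResult("Users cannot register applications", "pass" if ok else "fail",
        "" if ok else "allowedToCreateApps is true",
        "Set defaultUserRolePermissions.allowedToCreateApps to false")

def check_legacy_auth_block(policies):
    # Pass if an enabled CA policy blocks the EAS and "other" (legacy) client types.
    # User/app scoping is not checked here; a real scan should verify it covers all users.
    ok = any(p.get("state") == "enabled"
             and {"exchangeActiveSync", "other"} <= set(p.get("conditions", {}).get("clientAppTypes", []))
             and "block" in p.get("grantControls", {}).get("builtInControls", [])
             for p in policies)
    return ControlResult("Legacy authentication blocked", "pass" if ok else "fail",
        "" if ok else "no enabled CA policy blocks legacy client app types",
        "Create a Conditional Access policy that blocks exchangeActiveSync and other clients")

def run_scan(authz=AUTHZ_POLICY, policies=CA_POLICIES):
    results = [check_user_consent(authz), check_app_registration(authz), check_legacy_auth_block(policies)]
    passed = sum(r.status == "pass" for r in results)
    return {"controls": [asdict(r) for r in results],
            "overall_pct": round(100 * passed / len(results), 1)}
```

With the constructed tenant above, the legacy-auth control passes and the two consent/registration controls fail, giving an overall score of 33.3%.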

Relationship to Essential Eight

There's meaningful overlap — both insist on MFA, both care about admin privilege restriction, both want macros locked down. The CIS scan is broader and covers email / DLP surfaces that Essential Eight doesn't name explicitly. Run both for a fuller picture; the evidence bundle includes the latest scan of every framework.