M365 controls (73)

CTL.M365.ADMIN.CALENDAR.001

External Calendar Sharing Enabled

  • Severity: medium
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 15.4; nist_800_53_r5: SC-7; soc2: CC6.6;

Calendar details (subjects, attendees, availability) shared with external recipients.

Remediation: Remediate per control description.


CTL.M365.ADMIN.GLOBALADMIN.001

Global Admin Count Not Within Safe Range

  • Severity: high
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 15.2; nist_800_53_r5: AC-2; soc2: CC6.1;

Fewer than 2 or more than 4 global admins. Single point of failure or excessive attack surface.

Remediation: Remediate per control description.


CTL.M365.ADMIN.GROUPS.001

M365 Groups Have Public Visibility

  • Severity: medium
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 15.5; nist_800_53_r5: AC-3; soc2: CC6.1;

All users can discover all groups, membership, and purpose. Enables internal reconnaissance.

Remediation: Remediate per control description.


CTL.M365.ADMIN.LOCKBOX.001

Customer Lockbox Not Enabled

  • Severity: high
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 15.1; nist_800_53_r5: AC-3; soc2: CC6.1;

Microsoft support can access tenant data without customer approval. No visibility or control over vendor access.

Remediation: Remediate per control description.


CTL.M365.ADMIN.PASSWORD.001

Passwords Set to Never Expire

  • Severity: medium
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 15.3; nist_800_53_r5: IA-5; soc2: CC6.1;

Passwords never expire. Acceptable only with active breach detection (user risk policy). Without it, compromised credentials persist indefinitely.

Remediation: Remediate per control description.


CTL.M365.DEFENDER.ANTIPHISHING.001

Anti-Phishing Policy Not Configured

  • Severity: critical
  • Type: unsafe_state
  • Domain: detection
  • Compliance: cis_m365_v4: 8.1; hipaa: 164.308(a)(5)(ii)(B); nist_800_53_r5: SI-8; pci_dss_v4: 5.1; soc2: CC6.8;

No anti-phishing policy. Impersonation emails, spoofed domains, and BEC attacks not detected or filtered.

Remediation: Remediate per control description.


CTL.M365.DEFENDER.ANTISPAM.BYPASS.001

Anti-Spam Filter Has Bypass Configurations

  • Severity: high
  • Type: unsafe_state
  • Domain: detection
  • Compliance: cis_m365_v4: 8.2; nist_800_53_r5: SI-8; soc2: CC6.8;

Spam filter bypasses active: IP allowlist, safe list, or allowed domains. Malicious email arrives via trusted paths.

Remediation: Remediate per control description.


CTL.M365.DEFENDER.ANTISPAM.FORWARD.001

Outbound Email Forwarding Not Disabled

  • Severity: high
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 8.3; nist_800_53_r5: SC-7; soc2: CC6.8;

Automatic forwarding not disabled. Compromised accounts silently exfiltrate all incoming email to external addresses.

Remediation: Remediate per control description.


CTL.M365.DEFENDER.ANTISPAM.OUTBOUND.001

Outbound Anti-Spam Policy Not Configured

  • Severity: medium
  • Type: unsafe_state
  • Domain: detection
  • Compliance: cis_m365_v4: 8.4; nist_800_53_r5: SI-8; soc2: CC6.8;

No outbound anti-spam policy. Compromised accounts sending spam are not rate-limited or blocked.

Remediation: Remediate per control description.


CTL.M365.DEFENDER.DKIM.001

DKIM Not Enabled for Domain

  • Severity: high
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 8.8; nist_800_53_r5: SC-7; soc2: CC6.8;

DKIM signing not enabled in M365. Outgoing email not cryptographically signed for integrity verification.

Remediation: Remediate per control description.


CTL.M365.DEFENDER.MALWARE.001

Malware Attachment Filtering Not Comprehensive

  • Severity: high
  • Type: unsafe_state
  • Domain: detection
  • Compliance: cis_m365_v4: 8.5; nist_800_53_r5: SI-3; pci_dss_v4: 5.2; soc2: CC7.1;

Common dangerous attachment types (exe, bat, js, ps1) not filtered. Executable attachments reach user inboxes.

Remediation: Remediate per control description.


CTL.M365.DEFENDER.REPORT.001

Chat Report Policy Not Configured

  • Severity: low
  • Type: unsafe_state
  • Domain: detection
  • Compliance: nist_800_53_r5: SI-4; soc2: CC7.1;

Users cannot report suspicious Teams messages. No user-facing reporting mechanism for threats in chat.

Remediation: Remediate per control description.


CTL.M365.DEFENDER.SAFEATTACH.001

Safe Attachments Not Enabled

  • Severity: high
  • Type: unsafe_state
  • Domain: detection
  • Compliance: cis_m365_v4: 8.6; nist_800_53_r5: SI-3; pci_dss_v4: 5.2; soc2: CC7.1;

Attachments not detonated in sandbox. Zero-day malware in documents and archives reaches inboxes without behavioral analysis.

Remediation: Remediate per control description.


CTL.M365.DEFENDER.SAFELINKS.001

Safe Links Not Enabled

  • Severity: high
  • Type: unsafe_state
  • Domain: detection
  • Compliance: cis_m365_v4: 8.7; nist_800_53_r5: SI-3; soc2: CC7.1;

URLs not rewritten or checked at click time. Malicious links that become weaponized after delivery not caught.

Remediation: Remediate per control description.


CTL.M365.DEFENDER.ZAP.001

Zero-Hour Auto Purge Not Enabled for Teams

  • Severity: medium
  • Type: unsafe_state
  • Domain: detection
  • Compliance: cis_m365_v4: 8.9; nist_800_53_r5: SI-3; soc2: CC7.1;

ZAP for Teams disabled. Malicious content detected after delivery not automatically purged from conversations.

Remediation: Remediate per control description.


CTL.M365.DEFENDERID.HEALTH.001

Defender for Identity Has Open Health Issues

  • Severity: medium
  • Type: unsafe_state
  • Domain: detection
  • Compliance: nist_800_53_r5: SI-4; soc2: CC7.1;

Open health issues. Sensors may be misconfigured or offline. Identity threat detection has coverage gaps.

Remediation: Remediate per control description.


CTL.M365.ENTRA.ADMIN.CLOUDONLY.001

Admin Accounts Not Cloud-Only

  • Severity: high
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 1.3; nist_800_53_r5: AC-2; soc2: CC6.1;

Admin accounts synced from on-prem AD. On-prem compromise (Kerberoasting, DCSync) grants cloud admin access.

Remediation: Remediate per control description.


CTL.M365.ENTRA.ADMIN.MFA.001

M365 Admin Users MFA Not Enabled

  • Severity: critical
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 1.1; hipaa: 164.312(d); nist_800_53_r5: IA-2; pci_dss_v4: 8.3; soc2: CC6.1;

Admin accounts without MFA. Complete tenant control via password alone.

Remediation: Remediate per control description.


CTL.M365.ENTRA.ADMIN.PHISHING.001

Admin Users Without Phishing-Resistant MFA

  • Severity: high
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 1.2; nist_800_53_r5: IA-2; soc2: CC6.1;

Admin MFA is standard (push/SMS), not phishing-resistant (FIDO2). Real-time phishing proxies (Evilginx) bypass standard MFA.

Remediation: Remediate per control description.


CTL.M365.ENTRA.ADMIN.PORTAL.001

Admin Portal Access Not Restricted

  • Severity: medium
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 1.5; nist_800_53_r5: AC-3; soc2: CC6.1;

Admin portals accessible from any network, device, or location without Conditional Access restrictions.

Remediation: Remediate per control description.


CTL.M365.ENTRA.ADMIN.SIGNIN.001

Admin Sign-In Frequency Not Enforced

  • Severity: medium
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 1.4; nist_800_53_r5: AC-11; soc2: CC6.1;

Admin sessions have no sign-in frequency limit. Stolen session tokens persist indefinitely.

Remediation: Remediate per control description.


CTL.M365.ENTRA.APP.CONSENT.001

User Consent for Apps Not Restricted

  • Severity: high
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 6.1; nist_800_53_r5: AC-3; soc2: CC6.1;

Users consent to third-party app permissions without admin approval. Consent phishing grants apps persistent access.

Remediation: Remediate per control description.


CTL.M365.ENTRA.APP.PRIVILEGED.001

App Registrations with Unused Privileged Permissions

  • Severity: high
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 6.3; nist_800_53_r5: AC-6; soc2: CC6.1;

App registrations have privileged API permissions not being used. Overprivileged apps increase compromise blast radius.

Remediation: Remediate per control description.


CTL.M365.ENTRA.APP.THIRDPARTY.001

Third-Party Integrated Apps Allowed

  • Severity: medium
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 6.2; nist_800_53_r5: CM-6; soc2: CC6.1;

Third-party integrated apps allowed without approval.

Remediation: Remediate per control description.


CTL.M365.ENTRA.BREAKGLASS.001

Break Glass Account Not Properly Configured

  • Severity: medium
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 4.1; nist_800_53_r5: AC-2; soc2: CC6.1;

Emergency access accounts not excluded from CA policies or not registered with FIDO2 keys.

Remediation: Remediate per control description.


CTL.M365.ENTRA.CA.COVERAGE.001

Conditional Access Does Not Cover All Apps

  • Severity: high
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 3.1; nist_800_53_r5: AC-3; soc2: CC6.1;

Not all applications covered by CA policies. Uncovered apps allow auth without MFA, device compliance, or location checks.

Remediation: Remediate per control description.


CTL.M365.ENTRA.CA.DEVICE.001

No CA Policy Requiring Device Compliance

  • Severity: high
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 5.1; nist_800_53_r5: AC-3; soc2: CC6.1;

No CA policy requires device compliance or hybrid join. Users access M365 from any unmanaged device.

Remediation: Remediate per control description.


CTL.M365.ENTRA.CA.DEVICECODE.001

Device Code Flow Not Blocked

  • Severity: high
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 3.4; nist_800_53_r5: IA-2; soc2: CC6.1;

Device code authentication not blocked. Attacker generates code, victim enters it on legitimate Microsoft login, attacker gets session.

Remediation: Remediate per control description.


CTL.M365.ENTRA.CA.DEVICEREG.001

MFA Not Required for Device Registration

  • Severity: high
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 5.5; nist_800_53_r5: IA-2; soc2: CC6.1;

MFA not required for device registration. An attacker registers a controlled device with a stolen password.

Remediation: Remediate per control description.


CTL.M365.ENTRA.CA.DIRSYNC.001

Directory Sync Account Not Excluded from CA

  • Severity: medium
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 5.7; nist_800_53_r5: AC-3; soc2: CC6.1;

Sync service accounts not excluded from CA. CA policies may break AD synchronization.

Remediation: Remediate per control description.


CTL.M365.ENTRA.CA.GUESTS.001

MFA Not Enforced for Guest Users

  • Severity: high
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 3.3; nist_800_53_r5: IA-2; soc2: CC6.2;

External/guest users not required to use MFA when accessing shared resources.

Remediation: Remediate per control description.


CTL.M365.ENTRA.CA.INSIDERRISK.O365.001

O365 Not Blocked for Elevated Insider Risk

  • Severity: medium
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 5.6; nist_800_53_r5: AC-3; soc2: CC6.1;

No CA policy blocks O365 access for elevated insider risk users.

Remediation: Remediate per control description.


CTL.M365.ENTRA.CA.MGMTAPI.001

MFA Not Required for Azure Management API

  • Severity: high
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 3.2; nist_800_53_r5: IA-2; soc2: CC6.1;

Azure Management API accessible without MFA. Infrastructure changes with password-only authentication.

Remediation: Remediate per control description.


CTL.M365.ENTRA.CA.MOBILE.001

No CA Policy for Approved Mobile Client App

  • Severity: medium
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 5.2; nist_800_53_r5: AC-3; soc2: CC6.1;

No CA policy requires approved client apps or app protection on mobile. M365 data accessible from any mobile app.

Remediation: Remediate per control description.


CTL.M365.ENTRA.CA.PLATFORMS.001

Unknown Device Platforms Not Blocked

  • Severity: medium
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 5.3; nist_800_53_r5: AC-3; soc2: CC6.1;

Sign-ins from unknown device platforms not blocked. Only known platforms (Windows, macOS, iOS, Android) should be allowed.

Remediation: Remediate per control description.


CTL.M365.ENTRA.CA.SIGNINFREQ.001

Sign-In Frequency Not Enforced

  • Severity: medium
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 5.4; nist_800_53_r5: AC-11; soc2: CC6.1;

No sign-in frequency on corporate devices or Intune enrollment. Sessions persist indefinitely without reauthentication.

Remediation: Remediate per control description.


CTL.M365.ENTRA.GUEST.ACCESS.001

Guest User Access Not Restricted

  • Severity: medium
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 7.2; nist_800_53_r5: AC-3; soc2: CC6.2;

Guest users have same access as members by default. Guests should have restricted directory access.

Remediation: Remediate per control description.


CTL.M365.ENTRA.GUEST.INVITE.001

Guest Invitations Not Restricted to Admins

  • Severity: medium
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 7.1; nist_800_53_r5: AC-2; soc2: CC6.2;

Any user can invite guest users. Unrestricted invitations expand the tenant identity perimeter.

Remediation: Remediate per control description.


CTL.M365.ENTRA.LEGACYAUTH.001

Legacy Authentication Not Blocked

  • Severity: critical
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 2.3; hipaa: 164.312(d); nist_800_53_r5: IA-2; pci_dss_v4: 8.4; soc2: CC6.1;

Legacy protocols (POP3, IMAP, SMTP basic) not blocked. These bypass all MFA enforcement — password-only access.

Remediation: Remediate per control description.


CTL.M365.ENTRA.PWHASHSYNC.001

Password Hash Sync Not Enabled

  • Severity: medium
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 4.2; nist_800_53_r5: CP-9; soc2: CC7.2;

No fallback authentication path if ADFS fails. Cloud auth depends entirely on federation services.

Remediation: Remediate per control description.


CTL.M365.ENTRA.SIGNINRISK.001

Sign-In Risk Policy Not Enabled

  • Severity: high
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 2.1; nist_800_53_r5: AC-7; soc2: CC6.1;

Risky sign-ins (impossible travel, anonymous IP) not blocked or challenged with MFA.

Remediation: Remediate per control description.


CTL.M365.ENTRA.TENANT.CREATE.001

Users Can Create Tenants

  • Severity: medium
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 7.3; nist_800_53_r5: CM-6; soc2: CC6.1;

Default users can create Azure AD tenants. Shadow IT risk — data moves to unmanaged tenants.

Remediation: Remediate per control description.


CTL.M365.ENTRA.USERRISK.001

User Risk Policy Not Enabled

  • Severity: high
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 2.2; nist_800_53_r5: AC-7; soc2: CC6.1;

Compromised users not forced to change password or blocked.

Remediation: Remediate per control description.


CTL.M365.ENTRA.USERS.MFA.001

Users MFA Not Enabled

  • Severity: critical
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 1.6; hipaa: 164.312(d); nist_800_53_r5: IA-2; pci_dss_v4: 8.3; soc2: CC6.1;

Not all users have MFA enabled. Any account without MFA is a credential-stuffing target.

Remediation: Remediate per control description.


CTL.M365.ENTRA.WEAKMFA.001

Weak MFA Methods (SMS/Voice) Not Disabled

  • Severity: medium
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 2.4; nist_800_53_r5: IA-5; soc2: CC6.1;

SMS and voice MFA enabled. SMS vulnerable to SIM swapping. Voice vulnerable to social engineering.

Remediation: Remediate per control description.


CTL.M365.EXCHANGE.ADDINS.001

Users Can Install Mail Add-Ins

  • Severity: medium
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 10.6; nist_800_53_r5: CM-6; soc2: CC6.1;

Outlook add-in installation unrestricted. Malicious add-ins read email, access attachments, and exfiltrate data.

Remediation: Remediate per control description.


CTL.M365.EXCHANGE.AUDIT.001

Mailbox Auditing Not Fully Enabled

  • Severity: high
  • Type: unsafe_state
  • Domain: detection
  • Compliance: cis_m365_v4: 10.3; hipaa: 164.312(b); nist_800_53_r5: AU-2; pci_dss_v4: 10.2; soc2: CC7.2;

Org-wide or per-user auditing disabled, or audit bypass active. Email access, deletion, and send-as not recorded.

Remediation: Remediate per control description.


CTL.M365.EXCHANGE.EXTERNAL.001

External Email Tagging Not Enabled

  • Severity: medium
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 10.4; nist_800_53_r5: SI-4; soc2: CC7.1;

Inbound external email not tagged with [External] indicator. Impersonation emails appear identical to internal messages.

Remediation: Remediate per control description.


CTL.M365.EXCHANGE.MAILTIPS.001

MailTips Not Enabled

  • Severity: low
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: nist_800_53_r5: SI-4; soc2: CC7.1;

Users don't receive warnings when sending to external recipients or large distribution lists.

Remediation: Remediate per control description.


CTL.M365.EXCHANGE.MODERNAUTH.001

Modern Authentication Not Enabled

  • Severity: critical
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 10.1; hipaa: 164.312(e)(1); nist_800_53_r5: IA-2; soc2: CC6.1;

Basic authentication active. Does not support MFA, Conditional Access, or token revocation. Credentials sent in Base64.

Remediation: Remediate per control description.


CTL.M365.EXCHANGE.SHAREDMAILBOX.001

Shared Mailbox Direct Sign-In Not Disabled

  • Severity: high
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 10.7; nist_800_53_r5: IA-2; soc2: CC6.1;

Shared mailboxes allow direct sign-in with credentials. Shared mailboxes often have passwords but no MFA — well-known MFA bypass.

Remediation: Remediate per control description.


CTL.M365.EXCHANGE.SMTPAUTH.001

SMTP AUTH Not Disabled

  • Severity: high
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 10.2; nist_800_53_r5: IA-2; soc2: CC6.1;

SMTP AUTH enabled globally. Legacy sending protocol that bypasses MFA. Used by attackers for spam from compromised accounts.

Remediation: Remediate per control description.


CTL.M365.EXCHANGE.STORAGE.001

Additional Storage Providers Not Restricted

  • Severity: medium
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 10.5; nist_800_53_r5: SC-7; soc2: CC6.6;

Users can connect Google Drive and Dropbox to Outlook. Data flows to unmanaged cloud storage outside organizational control.

Remediation: Remediate per control description.


CTL.M365.EXCHANGE.TRANSPORT.FORWARD.001

Transport Rules Allow External Forwarding

  • Severity: high
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 10.8; nist_800_53_r5: SC-7; soc2: CC6.8;

Transport rules forward email externally. Organization-wide admin-level email exfiltration — forwards ALL matching email.

Remediation: Remediate per control description.


CTL.M365.EXCHANGE.TRANSPORT.WHITELIST.001

Transport Rules Whitelist Bypasses Filtering

  • Severity: high
  • Type: unsafe_state
  • Domain: detection
  • Compliance: cis_m365_v4: 10.9; nist_800_53_r5: SI-3; soc2: CC6.8;

Transport rules whitelist senders/domains, bypassing ALL filtering including malware. Higher severity than spam bypass.

Remediation: Remediate per control description.


CTL.M365.INTUNE.COMPLIANCE.001

Unassigned Devices Default to Compliant

  • Severity: high
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 16.1; nist_800_53_r5: AC-3; soc2: CC6.1;

Devices without compliance policy treated as compliant. Unknown devices bypass CA device compliance requirements.

Remediation: Remediate per control description.


CTL.M365.PURVIEW.AUDIT.001

Unified Audit Log Search Not Enabled

  • Severity: critical
  • Type: unsafe_state
  • Domain: detection
  • Compliance: cis_m365_v4: 17.1; hipaa: 164.312(b); nist_800_53_r5: AU-2; pci_dss_v4: 10.1; soc2: CC7.2;

No M365 activity searchable for investigation. Exchange, SharePoint, Teams, Entra ID, OneDrive — complete forensic blindness.

Remediation: Remediate per control description.


CTL.M365.SHAREPOINT.GUEST.001

SharePoint Guest Sharing Not Restricted

  • Severity: medium
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 14.2; nist_800_53_r5: AC-3; soc2: CC6.1;

Guest sharing permissions not appropriately restricted. Guests may have broader access than intended.

Remediation: Remediate per control description.


CTL.M365.SHAREPOINT.MODERNAUTH.001

SharePoint Modern Authentication Not Required

  • Severity: high
  • Type: unsafe_state
  • Domain: identity
  • Compliance: cis_m365_v4: 14.3; nist_800_53_r5: IA-2; soc2: CC6.1;

Legacy auth clients access SharePoint without MFA or Conditional Access.

Remediation: Remediate per control description.


CTL.M365.SHAREPOINT.SHARING.001

SharePoint External Sharing Not Restricted

  • Severity: high
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 14.1; hipaa: 164.312(a)(1); nist_800_53_r5: AC-3; soc2: CC6.1;

External sharing set to "Anyone" — anonymous links require no authentication. Anyone with the link accesses content.

Remediation: Remediate per control description.


CTL.M365.SHAREPOINT.SYNC.001

OneDrive Sync Not Restricted on Unmanaged Devices

  • Severity: high
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 14.4; nist_800_53_r5: SC-7; soc2: CC6.6;

OneDrive sync allowed on unmanaged devices. Organizational files copied to devices without encryption or remote wipe.

Remediation: Remediate per control description.


CTL.M365.TEAMS.ANON.001

Teams Meetings Allow Anonymous Users

  • Severity: high
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 12.1; nist_800_53_r5: AC-3; soc2: CC6.1;

Anonymous users can join, start, or chat in meetings without authenticating. Not subject to tenant policies or audit.

Remediation: Remediate per control description.


CTL.M365.TEAMS.EMAIL.CHANNEL.001

Email Sending to Channel Enabled

  • Severity: medium
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 12.9; nist_800_53_r5: SC-7; soc2: CC6.6;

Email can be sent directly to Teams channels. An attacker who discovers the channel address sends phishing alongside legitimate content.

Remediation: Remediate per control description.


CTL.M365.TEAMS.EXTERNAL.CONVERSATIONS.001

External Users Can Start Conversations

  • Severity: medium
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 12.8; nist_800_53_r5: AC-3; soc2: CC6.1;

External users initiate new conversations with internal users directly. Unsolicited external outreach via Teams.

Remediation: Remediate per control description.


CTL.M365.TEAMS.EXTERNAL.DOMAINS.001

External Domain Access Not Restricted

  • Severity: high
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 12.6; nist_800_53_r5: SC-7; soc2: CC6.6;

Communication allowed with all external domains. Any Teams user worldwide can message internal users.

Remediation: Remediate per control description.


CTL.M365.TEAMS.EXTERNAL.FILES.001

External File Sharing Not Restricted

  • Severity: high
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 12.7; nist_800_53_r5: SC-7; soc2: CC6.6;

External users can share files in Teams. Files from external sources bypass organizational DLP controls.

Remediation: Remediate per control description.


CTL.M365.TEAMS.MEETING.DIALIN.001

Dial-In Users Bypass Meeting Lobby

  • Severity: medium
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 12.3; nist_800_53_r5: AC-3; soc2: CC6.1;

PSTN dial-in users bypass lobby and join directly. Unverified audio participants join without host approval.

Remediation: Remediate per control description.


CTL.M365.TEAMS.MEETING.EXTERNAL.001

External Users Have Elevated Meeting Privileges

  • Severity: medium
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 12.2; nist_800_53_r5: AC-3; soc2: CC6.1;

External users can chat, take control, or bypass lobby in meetings. One or more elevated privileges enabled.

Remediation: Remediate per control description.


CTL.M365.TEAMS.MEETING.PRESENTERS.001

Meeting Presenters Not Restricted

  • Severity: medium
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 12.4; nist_800_53_r5: AC-3; soc2: CC6.1;

Any participant can present by default. Unrestricted screen sharing and content control.

Remediation: Remediate per control description.


CTL.M365.TEAMS.MEETING.RECORDING.001

Meeting Recording Auto-Enabled

  • Severity: medium
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 12.5; nist_800_53_r5: AC-3; soc2: CC6.1;

Recording unrestricted or auto-enabled. Sensitive discussions and screen shares recorded without controls.

Remediation: Remediate per control description.


CTL.M365.TEAMS.REPORTING.001

Security Reporting Not Enabled

  • Severity: medium
  • Type: unsafe_state
  • Domain: detection
  • Compliance: nist_800_53_r5: SI-4; soc2: CC7.1;

Users cannot report suspicious Teams messages. No in-app mechanism for Teams-based phishing reports.

Remediation: Remediate per control description.


CTL.M365.TEAMS.UNMANAGED.001

Unmanaged Communication Enabled

  • Severity: medium
  • Type: unsafe_state
  • Domain: exposure
  • Compliance: cis_m365_v4: 12.10; nist_800_53_r5: AC-3; soc2: CC6.1;

Users communicate with personal/unmanaged Teams accounts. Unmanaged accounts not subject to organizational policies.

Remediation: Remediate per control description.


CTL.M365.XDR.CREDENTIALS.001

Privileged User Exposed Credentials Detected

  • Severity: critical
  • Type: unsafe_state
  • Domain: detection
  • Compliance: nist_800_53_r5: IA-5; soc2: CC6.1;

Defender XDR detected exposed credentials for privileged users. Active threat requiring immediate credential rotation.

Remediation: Remediate per control description.