CIS Microsoft 365 Benchmark

CIS Microsoft 365 Benchmark, continuously evidenced.

The CIS Microsoft 365 Benchmark v6.0.0 defines 140 controls covering Microsoft 365 tenant configuration: Microsoft Entra ID (formerly Azure AD), Exchange Online, SharePoint Online, OneDrive, Teams, Defender for Office 365, and Microsoft Purview. CISGuard scans M365 tenants agentlessly via Microsoft Graph and Exchange Online PowerShell, with per-tenant posture and Conditional Access policy validation.

Cloud | Agentless | Pro+ tier

Quick Facts

Microsoft 365 benchmark at a glance.

  • Benchmark version: v6.0.0
  • Total controls: 140
  • Scan type: Agentless
  • Available tier: Pro and above
  • Category: Cloud
  • Drift detection: Yes, between every scheduled scan

Coverage

What this benchmark actually covers.

  • Microsoft Entra ID (Conditional Access, MFA, sign-in risk)
  • Exchange Online (anti-phishing, anti-spam, encryption)
  • SharePoint + OneDrive (sharing controls, external access)
  • Teams (federation, guest access, meeting policies)
  • Microsoft Defender for Office 365
  • Microsoft Purview (DLP, retention, eDiscovery)
  • Audit logging configuration

Frequently Asked

Microsoft 365 questions, answered directly.

How does CISGuard scan Microsoft 365 agentlessly?

CISGuard uses an Entra ID application with read-only permissions across Microsoft Graph and Exchange Online. It queries tenant configuration directly; no software is deployed to the tenant. Scans complete in 10-30 minutes, depending on tenant complexity and Conditional Access policy count.

Does CISGuard validate Conditional Access policies?

Yes. The CIS Microsoft 365 Benchmark contains specific Conditional Access expectations: MFA for admins, MFA for high-risk users, and device compliance requirements. CISGuard validates that each expected policy is configured correctly, with appropriate scope and conditions.

Can CISGuard scan Microsoft 365 GCC and GCC High?

Yes. CISGuard supports Microsoft 365 Commercial, GCC, GCC High, and DoD environments. Each environment uses different Microsoft Graph endpoints; CISGuard configuration accommodates the appropriate endpoint per tenant. GCC High customers get the same Framework Coverage Reports as commercial customers.

Want a Microsoft 365 scan of your environment?

Our compliance engineers will scope your environment and quote within one business day of an initial briefing.