Baseline Rules Logic List
This document outlines the logic used by the Rule Evaluators to assess the security and compliance of your Microsoft 365 environment. Each evaluator runs specific PowerShell cmdlets or Microsoft Graph API queries and compares your current configuration against recommended security benchmarks.
Apps
AuditDisabled Organizationally is Set to 'False'
The system retrieves the Microsoft 365 audit log configuration state from the tenant.
- Pass Condition: The value for AuditDisabled is set to False.
- Fail Condition: The value for AuditDisabled is set to True.
Additional Storage Providers Are Restricted in Outlook on the Web
The system retrieves the default Outlook Web App (OWA) mailbox policy to check if users are permitted to add personal storage providers such as Google Drive or Dropbox.
- Pass Condition: AdditionalStorageProvidersAvailable is set to False.
- Fail Condition: AdditionalStorageProvidersAvailable is set to True.
All Forms Of Mail Forwarding Are Blocked And/Or Disabled
The system performs a two-step check on transport rules and anti-spam policies to prevent unauthorized external mail redirection.
- Pass Condition: No transport rules redirect messages to external domains, AND all outbound spam policies have AutoForwardingMode set to Off or Automatic.
- Fail Conditions:
  - One or more transport rules are configured to redirect mail to an external domain.
  - An outbound spam policy has AutoForwardingMode set to On.
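The two-step check described above, written out as a function so it can be run offline against constructed objects and then pointed at live cmdlet output. This is an added example, not the tool's own code. It assumes the object shapes of Get-TransportRule (State, RedirectMessageTo, BlindCopyTo, AddToRecipients), Get-HostedOutboundSpamFilterPolicy (AutoForwardingMode) and Get-AcceptedDomain (DomainName); the sample data and the names contoso.com and vendor.example are constructed. It goes slightly beyond the page's wording by also treating BlindCopyTo and AddToRecipients as forwarding actions, since both deliver a copy outside the tenant.

```powershell
# Added example (not the tool's own code): the forwarding check as a function that runs
# offline on constructed objects shaped like Get-TransportRule,
# Get-HostedOutboundSpamFilterPolicy and Get-AcceptedDomain output.
function Test-MailForwardingBlocked {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$TransportRules,
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$OutboundSpamPolicies,
        [Parameter(Mandatory)][string[]]$AcceptedDomains
    )
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($rule in $TransportRules) {
        if ($rule.State -ne 'Enabled') { continue }        # a disabled rule forwards nothing
        # RedirectMessageTo is the action the page names. BlindCopyTo and AddToRecipients also
        # deliver a copy outside the tenant, so they are inspected too (this goes beyond the page).
        foreach ($action in 'RedirectMessageTo', 'BlindCopyTo', 'AddToRecipients') {
            foreach ($address in @($rule.$action)) {
                if (-not $address) { continue }
                $domain = ([string]$address).Split('@')[-1]
                if ($AcceptedDomains -notcontains $domain) {
                    $findings.Add("Transport rule '$($rule.Name)': $action -> $address (external domain $domain)")
                }
            }
        }
    }

    foreach ($policy in $OutboundSpamPolicies) {
        # Off and Automatic both satisfy the baseline; only an explicit On fails
        if ($policy.AutoForwardingMode -eq 'On') {
            $findings.Add("Outbound spam policy '$($policy.Name)': AutoForwardingMode = On")
        }
    }

    [pscustomobject]@{
        Result   = $(if ($findings.Count -eq 0) { 'Pass' } else { 'Fail' })
        Findings = $findings.ToArray()
    }
}

# Constructed sample data standing in for live cmdlet output
$rules = @(
    [pscustomobject]@{ Name = 'Copy invoices to vendor'; State = 'Enabled'
                       RedirectMessageTo = $null; BlindCopyTo = @('ap@vendor.example'); AddToRecipients = $null }
    [pscustomobject]@{ Name = 'Old redirect'; State = 'Disabled'
                       RedirectMessageTo = @('someone@outlook.com'); BlindCopyTo = $null; AddToRecipients = $null }
)
$policies = @(
    [pscustomobject]@{ Name = 'Default'; AutoForwardingMode = 'Automatic' }
    [pscustomobject]@{ Name = 'Sales';   AutoForwardingMode = 'On' }
)
Test-MailForwardingBlocked -TransportRules $rules -OutboundSpamPolicies $policies `
    -AcceptedDomains 'contoso.com', 'contoso.onmicrosoft.com'

# Live, after Connect-ExchangeOnline:
# Test-MailForwardingBlocked -TransportRules (Get-TransportRule) `
#     -OutboundSpamPolicies (Get-HostedOutboundSpamFilterPolicy) `
#     -AcceptedDomains ([string[]](Get-AcceptedDomain).DomainName)
```

With the constructed data the vendor BCC and the Sales policy are the two findings; the disabled rule is ignored. Two forwarding paths this rule (and the function) do not cover are mailbox-level forwarding (ForwardingSmtpAddress and ForwardingAddress on Get-Mailbox) and user inbox rules with forward or redirect actions (Get-InboxRule); a practitioner checking this baseline should review those separately, because an outbound spam policy set to Off blocks external auto-forwarding from those sources only when the forwarding target is outside the accepted domains.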
An Anti-Phishing Policy Has Been Created
The system evaluates anti-phishing policies and their associated rules to ensure they meet a strict security baseline.
- Pass Condition: A policy exists with all security features enabled (Targeted User Protection, Mailbox Intelligence, etc.) and an associated enabled rule applies to specific recipients or domains.
- Fail Conditions:
  - No policy meets the full list of required security settings.
  - A compliant policy exists but has no associated rule.
  - The associated rule is disabled or lacks recipient/domain definitions.
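The evaluation above joins two object types: policies (Get-AntiPhishPolicy) and the rules that scope them (Get-AntiPhishRule, whose AntiPhishPolicy property names the policy it applies). The function below is an added example, not the tool's code; the list of properties it treats as "all security features" is an assumption, because the page names only two of them and says "etc.". One practical consequence of this logic is that the built-in "Office365 AntiPhish Default" policy has no rule at all, so it can never satisfy the rule-related pass conditions on its own: a custom policy with an enabled, scoped rule is required.

```powershell
# Added example (not the tool's own code). The property list is an assumption standing in
# for the page's "Targeted User Protection, Mailbox Intelligence, etc."
$RequiredAntiPhishSettings = @(
    'Enabled', 'EnableTargetedUserProtection', 'EnableTargetedDomainsProtection',
    'EnableOrganizationDomainsProtection', 'EnableMailboxIntelligence',
    'EnableMailboxIntelligenceProtection', 'EnableSpoofIntelligence',
    'EnableFirstContactSafetyTips', 'EnableUnauthenticatedSender', 'EnableViaTag'
)

function Test-AntiPhishBaseline {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Policies,   # Get-AntiPhishPolicy output
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Rules,      # Get-AntiPhishRule output
        [string[]]$Required = $RequiredAntiPhishSettings
    )
    $reasons = New-Object System.Collections.Generic.List[string]
    foreach ($policy in $Policies) {
        $missing = @($Required | Where-Object { -not $policy.$_ })
        if ($missing.Count) {
            $reasons.Add("Policy '$($policy.Name)' lacks: $($missing -join ', ')")
            continue
        }
        # A compliant policy only takes effect through a rule that references it by name
        $rule = $Rules | Where-Object { $_.AntiPhishPolicy -eq $policy.Name } | Select-Object -First 1
        if (-not $rule) { $reasons.Add("Policy '$($policy.Name)' is compliant but has no rule"); continue }
        if ($rule.State -ne 'Enabled') { $reasons.Add("Rule '$($rule.Name)' is disabled"); continue }
        $scoped = @($rule.SentTo) + @($rule.SentToMemberOf) + @($rule.RecipientDomainIs) | Where-Object { $_ }
        if (-not $scoped) { $reasons.Add("Rule '$($rule.Name)' defines no recipients or domains"); continue }
        return [pscustomobject]@{ Result = 'Pass'; Policy = $policy.Name; Rule = $rule.Name; Reasons = @() }
    }
    [pscustomobject]@{ Result = 'Fail'; Policy = $null; Rule = $null; Reasons = $reasons.ToArray() }
}

# Constructed sample data: every required flag is $true unless overridden
function New-SampleAntiPhishPolicy([string]$Name, [hashtable]$Override) {
    $p = @{ Name = $Name }
    foreach ($s in $RequiredAntiPhishSettings) { $p[$s] = $true }
    foreach ($k in $Override.Keys) { $p[$k] = $Override[$k] }
    [pscustomobject]$p
}
$policies = @(
    (New-SampleAntiPhishPolicy 'Office365 AntiPhish Default' @{ EnableTargetedUserProtection = $false })
    (New-SampleAntiPhishPolicy 'Strict' @{})
)
$rules = @(
    [pscustomobject]@{ Name = 'Strict'; State = 'Enabled'; AntiPhishPolicy = 'Strict'
                       SentTo = $null; SentToMemberOf = $null; RecipientDomainIs = @('contoso.com') }
)
Test-AntiPhishBaseline -Policies $policies -Rules $rules

# Live, after Connect-ExchangeOnline:
# Test-AntiPhishBaseline -Policies (Get-AntiPhishPolicy) -Rules (Get-AntiPhishRule)
```

The function returns on the first policy that passes all four stages, and otherwise reports why each policy was rejected, which is the information an administrator needs to tell "no compliant policy" apart from "compliant policy with a broken rule". Flip the rule's State to Disabled or empty RecipientDomainIs in the sample to see the two rule-level failure modes the page lists.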
Anonymous Users Can't Join A Meeting
The system checks the Global Teams Meeting Policy to ensure anonymous individuals are blocked from joining meetings.
- Pass Condition: AllowAnonymousUsersToJoinMeeting is set to False.
- Fail Condition: Anonymous users are permitted to join meetings.
Anonymous Users and Dial-in Callers Can't Start a Meeting
The system retrieves the “anonymous users and dial-in callers can start a meeting” status from Microsoft Teams.
- Pass Condition: The Teams “anonymous users and dial-in callers can start a meeting” setting is set to Off.
- Fail Condition: The Teams “anonymous users and dial-in callers can start a meeting” setting is set to On.
AuditBypassEnabled Is Not Enabled on Mailboxes
The system retrieves a list of mailboxes from Exchange Online with audit bypass set to true.
- Pass Condition: All mailboxes have the setting AuditBypassEnabled set to False.
- Fail Condition: Any mailboxes have the setting AuditBypassEnabled set to True.
Communication With Unmanaged Teams Users Is Disabled
The system checks both organization-wide federation settings and the Global external access policy regarding Teams "consumer" (personal) accounts.
- Pass Condition: The organization setting AllowTeamsConsumer is False, or both the org-level and policy-level consumer access settings are False.
- Fail Condition: Communication with unmanaged consumer Teams users is enabled at either the organization or policy level.
DKIM Is Enabled for All Exchange Online Domains
The system checks that DKIM signing is enabled for each domain using Get-DkimSigningConfig (Exchange Online PowerShell).
- Pass Condition: Every domain returned by Get-DkimSigningConfig has Enabled set to True.
- Fail Condition: Any domain returned has Enabled set to False.
Tip: Domains that are no longer accepted domains, or that have been removed from the tenant, are never configured for DKIM, but Get-DkimSigningConfig can still return entries for them, and the tool then reports them as missing DKIM. Validate with Get-DkimSigningConfig and compare the list against Get-AcceptedDomain before treating such a failure as real.
DMARC Records for All Exchange Online Domains Are Published
The system checks DNS to validate that all accepted domains have DMARC configured.
- Pass Condition: All Exchange Online domains (including the .onmicrosoft.com domain) have a _dmarc TXT record published that contains all of the following:
  - v=DMARC1
  - p=quarantine OR p=reject
  - rua=mailto:<reporting email address>
  - ruf=mailto:<reporting email address>
- Fail Condition: The _dmarc TXT record is not published for every Exchange Online domain, or a published record is missing any of the following:
  - v=DMARC1
  - p=quarantine OR p=reject
  - rua=mailto:<reporting email address>
  - ruf=mailto:<reporting email address>
Tip: This rule often fails because:
- The rua and ruf values are not defined.
- The .onmicrosoft domain does not have DMARC configured.
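The DMARC check above is a small parsing problem: split the TXT record into tag=value pairs and test four of them. The code below is an added example, not the tool's code. The records it evaluates are constructed; Get-DmarcTxt shows the live lookup with Resolve-DnsName (DnsClient module on Windows) and the domain names are placeholders.

```powershell
# Added example (not the tool's own code): parse a _dmarc TXT record into its tags and
# evaluate the baseline's four requirements.
function ConvertFrom-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    $tags = @{}
    foreach ($part in ($Record -split ';')) {
        $kv = $part.Trim() -split '=', 2          # split on the first '=' only
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLowerInvariant()] = $kv[1].Trim() }
    }
    $tags
}

function Test-DmarcRecord {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [AllowNull()][AllowEmptyString()][string]$Record    # $null when nothing is published
    )
    $problems = @()
    if ([string]::IsNullOrWhiteSpace($Record)) {
        $problems += 'no _dmarc TXT record published'
    } else {
        $t = ConvertFrom-DmarcRecord -Record $Record
        # v=DMARC1 must be the first tag, not merely present somewhere in the record
        if ($Record.Trim() -notmatch '^v=DMARC1') { $problems += 'record must start with v=DMARC1' }
        if ($t['p'] -notin 'quarantine', 'reject') { $problems += "p=$($t['p']) (baseline needs quarantine or reject)" }
        foreach ($tag in 'rua', 'ruf') {
            # each must be a mailto: URI; a comma-separated list of several addresses is allowed
            if (-not $t[$tag] -or ($t[$tag] -split ',' | Where-Object { $_.Trim() -notmatch '^mailto:' })) {
                $problems += "$tag missing or not a mailto: address"
            }
        }
    }
    [pscustomobject]@{
        Domain   = $Domain
        Result   = $(if ($problems) { 'Fail' } else { 'Pass' })
        Problems = ($problems -join '; ')
    }
}

function Get-DmarcTxt {
    param([Parameter(Mandatory)][string]$Domain)
    # Live lookup. Long records come back as several strings, hence the -join.
    try {
        $rec = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction Stop |
               Where-Object { ($_.Strings -join '') -match '^v=DMARC1' } | Select-Object -First 1
        if ($rec) { $rec.Strings -join '' } else { $null }
    } catch { $null }
}

# Constructed records (not live DNS)
Test-DmarcRecord -Domain 'contoso.com' -Record 'v=DMARC1; p=reject; rua=mailto:dmarc@contoso.com; ruf=mailto:dmarc@contoso.com'
Test-DmarcRecord -Domain 'contoso.onmicrosoft.com' -Record 'v=DMARC1; p=none; rua=mailto:dmarc@contoso.com'
Test-DmarcRecord -Domain 'legacy.contoso.com' -Record $null

# Live, across every accepted domain (after Connect-ExchangeOnline):
# Get-AcceptedDomain | ForEach-Object { Test-DmarcRecord -Domain $_.DomainName -Record (Get-DmarcTxt -Domain $_.DomainName) }
```

The second and third constructed records reproduce the two common failures named in the tip: a policy of p=none with no ruf tag, and a domain with no record at all. Two caveats for anyone fixing failures: a ruf tag satisfies the baseline, but most receivers never send forensic reports, so do not expect data from it; and if the rua or ruf address is in a different domain than the one publishing the record, that domain must publish an authorization record (<domain>._report._dmarc.<reportdomain>) or receivers will drop the reports.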
Direct Send Submissions Are Rejected
The system checks the organization configuration to ensure that Direct Send (unauthenticated SMTP submission straight to the tenant's MX endpoint using an address in one of the organization's own domains, a technique used to spoof internal senders) is rejected.
- Pass Condition: RejectDirectSend is set to True.
- Fail Condition: RejectDirectSend is set to False.
Email From External Senders Is Identified
The system retrieves the External In Outlook configuration to verify that external sender identification (the "External" tag in mail clients) is enabled across the tenant.
- Pass Condition: All ExternalInOutlook configurations have Enabled set to True.
- Fail Condition: No configuration exists, or one or more configurations have Enabled set to False.
Exchange Online Spam Policies Are Set To Notify Administrators
The system reviews outbound spam filter policies to ensure administrators are notified of suspicious or blocked outbound mail.
- Pass Condition: The highest priority policy has BccSuspiciousOutboundMail and NotifyOutboundSpam set to True, with recipient addresses defined for both.
- Fail Condition: Notification settings are disabled or required recipient lists are empty.
External Domains Are Restricted In The Teams Admin Center
The system examines the Global external access policy to check if federation (communication with external domains) is restricted.
- Pass Condition: EnableFederationAccess is set to False.
- Fail Condition: EnableFederationAccess is set to True.
External File Sharing In Teams Is Enabled for Only Approved Cloud Storage Services
The system checks the Global Teams client configuration to see which third-party cloud storage providers (e.g., Dropbox, Google Drive) are permitted.
- Pass Condition: All listed external providers are set to False.
- Fail Condition: One or more external providers are set to True.
External Meeting Chat Is Off
The system examines the Global Teams meeting policy to verify restrictions on chat functionality for participants outside the organization.
- Pass Condition: AllowExternalNonTrustedMeetingChat is set to False.
- Fail Condition: AllowExternalNonTrustedMeetingChat is set to True, allowing external users to participate in meeting chats.
External Participants Can't Give or Request Control
The system checks the Teams Meeting Policy state from Microsoft Teams.
- Pass Condition: The setting for AllowExternalParticipantGiveRequestControl is set to False.
- Fail Condition: The setting for AllowExternalParticipantGiveRequestControl is set to True.
External Teams Users Cannot Initiate Conversations
The system checks the “External users with Teams accounts not managed by an organization can contact users in my organization” setting from Microsoft Teams to validate that it is disabled.
- Pass Condition: The “External users with Teams accounts not managed by an organization can contact users in my organization” setting is False.
- Fail Condition: The “External users with Teams accounts not managed by an organization can contact users in my organization” setting is True.
Idle Session Timeout Is Set to ‘3 Hours (Or Less)’ For Unmanaged Devices
The system retrieves activity-based timeout policies to measure the maximum idle time allowed for web sessions on unmanaged devices.
- Pass Condition: An idle session timeout policy exists and is set to 3 hours or less.
- Fail Conditions:
  - No idle session timeout policy is configured.
  - The configured timeout exceeds 3 hours.
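The timeout value is not a simple property: the activity-based timeout policy stores its Definition as a JSON document whose WebSessionIdleTimeout is an hh:mm:ss string, so the evaluator has to parse and compare durations. The function below is an added example, not the tool's code. The JSON shape follows the documented activityBasedTimeoutPolicy format and is treated here as an assumption; the sample policy object is constructed and stands in for Get-MgPolicyActivityBasedTimeoutPolicy output.

```powershell
# Added example (not the tool's own code): parse activity-based timeout policies and
# compare the longest configured web idle timeout against the 3-hour ceiling.
function Test-IdleSessionTimeout {
    param(
        [AllowEmptyCollection()][object[]]$Policies = @(),     # Get-MgPolicyActivityBasedTimeoutPolicy output
        [TimeSpan]$Maximum = [TimeSpan]::FromHours(3)
    )
    # Only the policy flagged as the organization default applies to sign-ins
    $applicable = @($Policies | Where-Object { $_.IsOrganizationDefault })
    if ($applicable.Count -eq 0) {
        return [pscustomobject]@{ Result = 'Fail'; Timeout = $null; Reason = 'no idle session timeout policy configured' }
    }
    $longest = $null
    foreach ($policy in $applicable) {
        foreach ($json in @($policy.Definition)) {             # Definition is a string[] of JSON documents
            $def = ($json | ConvertFrom-Json).ActivityBasedTimeoutPolicy
            foreach ($app in @($def.ApplicationPolicies)) {
                $t = [TimeSpan]::Parse($app.WebSessionIdleTimeout)   # "hh:mm:ss"
                if ($null -eq $longest -or $t -gt $longest) { $longest = $t }
            }
        }
    }
    if ($null -eq $longest) {
        return [pscustomobject]@{ Result = 'Fail'; Timeout = $null; Reason = 'policy defines no WebSessionIdleTimeout' }
    }
    $pass = $longest -le $Maximum
    [pscustomobject]@{
        Result  = $(if ($pass) { 'Pass' } else { 'Fail' })
        Timeout = $longest
        Reason  = $(if ($pass) { '' } else { "longest timeout $longest exceeds $Maximum" })
    }
}

# Constructed sample policy
$sample = [pscustomobject]@{
    DisplayName           = 'Idle session timeout'
    IsOrganizationDefault = $true
    Definition            = @('{"ActivityBasedTimeoutPolicy":{"Version":1,"ApplicationPolicies":[{"ApplicationId":"default","WebSessionIdleTimeout":"03:00:00"}]}}')
}
Test-IdleSessionTimeout -Policies @($sample)
Test-IdleSessionTimeout -Policies @()          # nothing configured

# Live, after Connect-MgGraph -Scopes Policy.Read.All:
# Test-IdleSessionTimeout -Policies @(Get-MgPolicyActivityBasedTimeoutPolicy)
```

Comparing against the longest timeout across all application entries is the conservative reading: if any entry permits more than three hours, a web session on an unmanaged device can outlive the baseline. Note that the timeout only governs browser sessions that are not kept alive by Conditional Access sign-in frequency or persistent browser session controls, which are evaluated separately.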
Inbound Anti-Spam Policies Do Not Contain Allowed Domains
The system scans all inbound anti-spam policies to ensure no domains are whitelisted, which would bypass security filters.
- Pass Condition: AllowedSenderDomains is empty for all policies.
- Fail Condition: One or more policies have domains listed in the allowed sender list.
Internal Phishing Protection for Forms Is Enabled
The system queries the Microsoft Forms admin settings to verify that internal forms are scanned for phishing attempts.
- Pass Condition: isInOrgFormsPhishingScanEnabled is set to True.
- Fail Condition: Phishing scans for internal forms are disabled.
Mail Transport Rules Do Not Whitelist Specific Domains
The system searches for transport rules that bypass spam filtering (SCL -1) based on the sender's domain.
- Pass Condition: No transport rules exist that combine SetScl -1 with a SenderDomainIs condition.
- Fail Condition: Transport rules are found that whitelist specific domains.
MailTips Are Enabled For End Users
The system retrieves the organization configuration to verify that MailTips are active for all users and external recipients.
- Pass Condition: MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, and MailTipsGroupMetricsEnabled are all True.
- Fail Condition: Any required MailTip category is disabled.
Mailbox Audit Actions Are Configured
The system reviews the organization-wide configuration to ensure that mailbox auditing is active for the tracking of mailbox access and actions.
- Pass Condition: AuditDisabled is set to False.
- Fail Condition: AuditDisabled is set to True.
Meeting Chat Does Not Allow Anonymous Users
The system examines the Global Teams Meeting Policy to determine the level of access anonymous users have to meeting chats.
- Pass Condition: The Meeting Chat setting is set to EnabledExceptAnonymous, EnabledInMeetingOnlyForAllExceptAnonymous, or Disabled.
- Fail Condition: The Meeting Chat setting allows anonymous users (e.g., set to Enabled).
Meeting Recording Is Off By Default
The system reviews the Global Teams Meeting Policy to see if cloud recording is automatically permitted for all meetings.
- Pass Condition: AllowCloudRecording is set to False.
- Fail Condition: Meeting recording is enabled by default.
Modern Authentication for Exchange Online Is Enabled
The system checks the Exchange Online authentication settings and verifies if modern authentication is enabled.
- Pass Condition: Exchange Online modern authentication is enabled.
- Fail Condition: Exchange Online modern authentication is disabled.
Modern Authentication for SharePoint Applications is Required
The system retrieves the Modern Authentication settings from SharePoint Online to validate whether it’s enabled.
- Pass Condition: Modern authentication for SharePoint is enabled
- Fail Condition: Modern authentication for SharePoint is disabled.
Notifications For Internal Users Sending Malware Is Enabled
The system checks malware filter policies to ensure administrators are notified if an internal user attempts to send a file containing malware.
- Pass Condition: EnableInternalSenderAdminNotifications is set to True with a valid administrator email address defined.
- Fail Condition: Internal sender notifications are disabled.
Office 365 SharePoint Infected Files Are Disallowed for Download
The system verifies the tenant setting that prevents users from downloading files identified as malicious by built-in scanners.
- Pass Condition: DisallowInfectedFileDownload is set to True.
- Fail Condition: DisallowInfectedFileDownload is set to False.
OneDrive Sync Is Restricted For Unmanaged Devices
The system examines SharePoint tenant sync client restrictions to ensure that OneDrive synchronization is limited to trusted domains.
- Pass Condition: TenantRestrictionEnabled is True AND a non-empty AllowedDomainList of trusted GUIDs is configured.
- Fail Conditions:
  - Tenant restriction is not enabled.
  - The allowed domain list is empty.
Only Organizationally Managed/Approved Public Groups Exist
The system scans all groups in the tenant to identify any that are set to "Public" visibility.
- Pass Condition: No groups with Public visibility are found.
- Fail Condition: One or more public groups exist.
Only Organizers And Co-Organizers Can Present
The system checks the Global Teams meeting policy to determine who is granted the "Presenter" role by default.
- Pass Condition: DesignatedPresenterRoleMode is set to OrganizerOnlyUserOverride.
- Fail Condition: The presenter role is set to a more permissive value (e.g., Everyone).
Only People in My Org Can Bypass the Lobby
The system checks the value of the Auto Admitted Users setting to validate that it excludes guests.
- Pass Condition: AutoAdmittedUsers is set to EveryoneInCompanyExcludingGuests.
- Fail Condition: AutoAdmittedUsers is set to any other value (for example Everyone).
Outbound Anti-Spam Message Limits Are In Place
The system evaluates the default hosted outbound spam filter policy against recommended recipient limits.
- Pass Condition: External hourly limits are 500 or less, internal hourly and daily limits are 1000 or less, the action is set to BlockUser, and at least one notification mailbox is configured.
- Fail Condition: Any of the threshold or action criteria are not met.
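Both this rule and "Exchange Online Spam Policies Are Set To Notify Administrators" above read the same object, the hosted outbound spam filter policy, so one evaluation function covers both. It is an added example, not the tool's code; it assumes the property names of Get-HostedOutboundSpamFilterPolicy and the sample policy is constructed. It evaluates every policy rather than only the highest-priority one, which is stricter than the page's logic but avoids having to resolve rule priorities first.

```powershell
# Added example (not the tool's own code): evaluate one outbound spam filter policy against
# the recipient-limit rule and the administrator-notification rule in one pass.
function Test-OutboundSpamPolicy {
    param([Parameter(Mandatory)][object]$Policy)   # one Get-HostedOutboundSpamFilterPolicy object
    $problems = @()

    # Recipient limits. A value of 0 means "use the service default", which the
    # baseline's "500 or less" comparison accepts; treat it as a pass, not as unlimited.
    if ($Policy.RecipientLimitExternalPerHour -gt 500)  { $problems += "external/hour $($Policy.RecipientLimitExternalPerHour) > 500" }
    if ($Policy.RecipientLimitInternalPerHour -gt 1000) { $problems += "internal/hour $($Policy.RecipientLimitInternalPerHour) > 1000" }
    if ($Policy.RecipientLimitPerDay -gt 1000)          { $problems += "per day $($Policy.RecipientLimitPerDay) > 1000" }
    if ($Policy.ActionWhenThresholdReached -ne 'BlockUser') {
        $problems += "action is $($Policy.ActionWhenThresholdReached), not BlockUser"
    }

    # Administrator notification: each flag needs at least one recipient to be useful
    $notifyRecipients = @($Policy.NotifyOutboundSpamRecipients | Where-Object { $_ })
    if (-not $Policy.NotifyOutboundSpam -or $notifyRecipients.Count -eq 0) {
        $problems += 'NotifyOutboundSpam is off or has no recipients'
    }
    $bccRecipients = @($Policy.BccSuspiciousOutboundAdditionalRecipients | Where-Object { $_ })
    if (-not $Policy.BccSuspiciousOutboundMail -or $bccRecipients.Count -eq 0) {
        $problems += 'BccSuspiciousOutboundMail is off or has no recipients'
    }

    [pscustomobject]@{
        Policy   = $Policy.Name
        Result   = $(if ($problems.Count -eq 0) { 'Pass' } else { 'Fail' })
        Problems = ($problems -join '; ')
    }
}

# Constructed sample policy
$sample = [pscustomobject]@{
    Name = 'Default'; IsDefault = $true
    RecipientLimitExternalPerHour = 0; RecipientLimitInternalPerHour = 0; RecipientLimitPerDay = 0
    ActionWhenThresholdReached = 'BlockUserForToday'
    NotifyOutboundSpam = $true; NotifyOutboundSpamRecipients = @('secops@contoso.com')
    BccSuspiciousOutboundMail = $false; BccSuspiciousOutboundAdditionalRecipients = @()
}
Test-OutboundSpamPolicy -Policy $sample

# Live, after Connect-ExchangeOnline:
# Get-HostedOutboundSpamFilterPolicy | ForEach-Object { Test-OutboundSpamPolicy -Policy $_ }
```

The sample fails on two counts, the BlockUserForToday action and the disabled BCC, which is the kind of partial configuration that looks fine in the portal because notifications are on. If you do want to reproduce the page's "highest priority policy" selection, take the enabled Get-HostedOutboundSpamFilterRule with the lowest Priority value (0 is evaluated first) and evaluate the policy it names; when no rule matches, the policy with IsDefault set to True is the one in effect.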
Safe Attachments Policy Is Enabled
The system identifies the active Safe Attachment policy to ensure it is configured to block malicious files.
- Pass Condition: The highest priority policy has Enable set to True, Action set to Block, and QuarantineTag set to AdminOnlyAccessPolicy.
- Fail Condition: No active policy is found or the existing policy uses a non-compliant action.
Safe Links For Office Applications Is Enabled
The system scans all Safe Links policies to find at least one that meets a full suite of security requirements, including scanning URLs and tracking clicks.
- Pass Condition: A policy exists where all parameters (Email, Teams, Office, Internal Senders) are True and AllowClickThrough is False.
- Fail Condition: No policy is found that meets every required security setting.
Sign-In to Shared Mailboxes Is Blocked
The system gathers shared mailbox statuses from Exchange Online.
- Pass Condition: All shared mailboxes are set to block user sign-in.
- Fail Condition: Any shared mailbox is set to allow user sign-in.
SMTP AUTH Is Disabled
The system retrieves the SMTP AUTH setting from Exchange Online.
- Pass Condition: Exchange Online SMTP Authentication is disabled.
- Fail Condition: Exchange Online SMTP Authentication is enabled.
SPF Records Are Published for All Exchange Domains
The system checks DNS to validate that ALL Exchange domains have SPF records published.
- Pass Condition: Every Exchange Online domain publishes a TXT record that begins with v=spf1 and contains include:spf.protection.outlook.com.
- Fail Condition: One or more Exchange Online domains has no such TXT record, or the record does not contain include:spf.protection.outlook.com.
SharePoint And OneDrive Integration With Azure AD B2B Is Enabled
The system checks if SharePoint is configured to use the Azure AD B2B invitation model for guests to improve identity management.
- Pass Condition: EnableAzureADB2BIntegration is set to True.
- Fail Condition: EnableAzureADB2BIntegration is set to False.
The ‘Password Expiration Policy’ Is Set to ‘Set Passwords To Never Expire’
The system retrieves all tenant domains to verify that password expiration is effectively disabled, following modern security best practices.
- Pass Condition: All domains have PasswordValidityPeriodInDays set to 2147483647.
- Fail Condition: One or more domains have a specific expiration period configured.
The Connection Filter Safe List Is Off
The system verifies if the organization is using a Microsoft-managed "safe list" of IPs that bypass connection filtering.
- Pass Condition: EnableSafeList is set to False.
- Fail Condition: The safe list is currently enabled.
The Organization Cannot Communicate With Accounts In Trial Teams Tenants
The system checks the federation configuration to see if communication with "Trial" tenants is permitted.
- Pass Condition: ExternalAccessWithTrialTenants is set to Blocked.
- Fail Condition: Communication with trial tenants is allowed (value is NOT Blocked).
Third-Party Storage Services Are Restricted in ‘Microsoft 365 On The Web’
The system checks for the Office 365 Web Apps Service Principal to ensure third-party storage integration is restricted.
- Pass Condition: The Service Principal is not found or its account status is disabled.
- Fail Condition: The Service Principal is found and enabled.
‘User Owned Apps And Services’ Is Restricted
The system checks administrative settings via the Graph API to ensure users are restricted from acquiring apps from the Office Store or starting trial services.
- Pass Condition: Both isOfficeStoreEnabled and isAppAndServicesTrialEnabled are set to False.
- Fail Condition: Either the Office Store or trial services remain enabled for users.
Users Can Report Security Concerns In Teams
The system retrieves the report submission policy to ensure that users can report junk, phishing, or malicious chat messages to a customized organizational security address.
- Pass Condition: All reporting types (Junk, Not Junk, Phish, and Chat) are enabled and directed to specific customized email addresses.
- Fail Conditions:
  - Any reporting category (Junk, Not Junk, Phish) is not set to use a customized address.
  - Chat message reporting to customized addresses is disabled.
Users Can't Send Emails To A Channel Email Address
The system retrieves the Global Teams client configuration to verify if the feature allowing users to send emails directly into a Teams channel is disabled.
- Pass Condition: AllowEmailIntoChannel is set to False.
- Fail Condition: AllowEmailIntoChannel is set to True.
Users Dialing in Can't Bypass the Lobby
The system retrieves the Teams meeting policies from Microsoft Teams.
- Pass Condition: The setting for AllowPSTNUsersToBypassLobby is set to False.
- Fail Condition: The setting for AllowPSTNUsersToBypassLobby is set to True.
Users Installing Outlook Add-Ins Is Not Allowed
The system checks all active Role Assignment Policies to ensure users cannot install their own Outlook apps from the marketplace.
- Pass Condition: No assigned policies contain the roles My Custom Apps, My Marketplace Apps, or My ReadWriteMailbox Apps.
- Fail Condition: One or more assigned policies allow users to install their own apps.
Data
DLP Policies Are Enabled
The system retrieves all Data Loss Prevention (DLP) policies to check their operational status.
- Pass Condition: At least one DLP policy is found with the mode set to Enable.
- Fail Condition: No DLP policies are found, or all existing policies are in Test or Disabled modes.
DLP Policies Are Enabled For Microsoft Teams
The system scans all Data Loss Prevention (DLP) policies to find those specifically targeting the Teams workload.
- Pass Condition: At least one DLP policy exists where the mode is Enable and the Teams location is set to All.
- Fail Conditions:
  - No DLP policies are found for the Teams workload.
  - Existing Teams DLP policies are not enabled or do not apply to all Teams locations.
Guest Access To A Site Or OneDrive Will Expire Automatically
The system reviews SharePoint tenant settings to verify that external user access is temporary and requires periodic renewal.
- Pass Condition: External user expiration is Enabled and the expiration period is 30 days or less.
- Fail Conditions:
  - External user expiration is NOT enabled.
  - The expiration period is set to longer than 30 days.
Guest User Access Is Restricted
The system retrieves the guest user access settings from Entra ID to validate guests have restrictions.
- Pass Conditions:
  - GuestUserAccessRestrictions is set to “Guest user access is restricted to properties and memberships of their own directory objects” (most restrictive).
  - GuestUserAccessRestrictions is set to “Guest users have limited access to properties and memberships of directory objects.”
- Fail Condition: GuestUserAccessRestrictions is set to “Guest users have the same access as members (most inclusive).”
External Sharing Of Calendars Is Not Available
The system inspects the "Default Sharing Policy" in Exchange to determine if users can share their calendar details with individuals outside the organization.
- Pass Condition: The sharing policy is Disabled (Enabled = False).
- Fail Condition: The sharing policy is Enabled.
External Content Sharing Is Restricted
The system checks the SharePoint tenant sharing capabilities to ensure external sharing is managed and restricted to known users.
- Pass Condition: Sharing capability is set to ExternalUserSharingOnly, ExistingExternalUserSharingOnly, or Disabled.
- Fail Condition: Sharing is not restricted (e.g., set to Anyone or ExistingExternalUserAndGuestSharing).
Information Protection Sensitivity Label Policies Are Published
The system verifies that at least one Information Protection sensitivity label policy has been published to the organization.
- Pass Condition: At least one policy of type PublishedSensitivityLabel is found.
- Fail Condition: No published sensitivity label policies are found.
Link Sharing Is Restricted in SharePoint and OneDrive
The system retrieves SharePoint tenant settings to verify the default type of link generated when users share content.
- Pass Condition: DefaultSharingLinkType is set to either Direct or Internal.
- Fail Condition: DefaultSharingLinkType is set to a less restrictive value (such as Anonymous).
Microsoft 365 Audit Log Search is Enabled
The system retrieves the Microsoft 365 audit log configuration state from the tenant.
- Pass Condition: The audit log search state is set to Enabled.
- Fail Condition: The audit log search state is set to Disabled.
OneDrive Content Sharing Is Restricted
The system checks the SharePoint tenant settings to ensure that broad OneDrive sharing is disabled to prevent data leakage.
- Pass Condition: OneDriveSharingCapability is set to Disabled.
- Fail Condition: OneDriveSharingCapability is set to any value other than Disabled.
Reauthentication With Verification Code Is Restricted
The system checks SharePoint settings to ensure external guests must re-verify their identity via email code within a specific timeframe.
- Pass Condition: Email attestation is Required and the re-authentication period is 15 days or less.
- Fail Condition: Email attestation is Not Required, or the re-authentication period is set to longer than 15 days.
SharePoint External Sharing Is Restricted
The system examines SharePoint tenant settings to ensure that external sharing is limited to a specific list of approved domains.
- Pass Condition: SharingDomainRestrictionMode is set to AllowList and the list is not empty.
- Fail Condition: The restriction mode is not set to AllowList or the list is empty.
SharePoint Guest Users Cannot Share Items They Don't Own
The system verifies the tenant setting that prevents external users from re-sharing content they did not create.
- Pass Condition: PreventExternalUsersFromResharing is set to True.
- Fail Condition: PreventExternalUsersFromResharing is set to False.
The SharePoint Default Sharing Link Permission Is Set
The system checks the default permission level assigned to new sharing links created by users.
- Pass Condition: DefaultLinkPermission is set to View.
- Fail Condition: DefaultLinkPermission is set to a more permissive value, such as Edit.
Device
Device Enrollment for Personally Owned Devices is Blocked By Default
The system queries default platform restrictions to verify if personal device enrollment is blocked across all major operating systems.
- Pass Condition: Personal device enrollment is blocked for Windows, iOS, Android (Work and Standard), and macOS.
- Fail Condition: Personal enrollment is permitted for one or more device platforms.
Identity
A Dynamic Group for Guest Users Is Created
The system looks for a group that automatically manages guest memberships via dynamic rules.
- Pass Condition: At least one dynamic group exists whose membership rule targets guests, for example (user.userType -eq "Guest").
- Fail Condition: No dynamic group targeting guest users was found.
A Managed Device Is Required for Authentication
The system checks for a global Conditional Access policy that requires a managed device for all authentication attempts to cloud apps.
- Pass Condition: An enabled Conditional Access policy exists targeting All Users and All Cloud Apps that requires a compliant or hybrid-joined device.
- Fail Condition: No global enabled policy exists that requires a managed device for authentication.
A Managed Device Is Required to Register Security Information
The system evaluates Conditional Access policies to ensure that users must be on a compliant or hybrid-joined device when registering security info.
- Pass Condition: An enabled Conditional Access policy exists that targets All Users for the Register security information action and requires a compliant or hybrid-joined device.
- Fail Condition: No enabled policy is found that enforces managed device requirements for security info registration.
Access Reviews For Guest Users Are Configured
The system uses the Graph API to check if identity governance access reviews have been established specifically for guest users.
- Pass Condition: At least one access review definition exists that targets users of the type Guest.
- Fail Condition: No access reviews targeting guest users are configured.
‘Access Reviews’ for Privileged Roles Are Configured
The system validates that recurring access reviews for administrative roles are set up with specific security parameters.
- Pass Condition: An active access review exists that recurs at least monthly, has a duration of 14 days or less, and has auto-apply enabled.
- Fail Condition: No active reviews meet the requirements for frequency, duration, and auto-application.
Administrative Accounts Are Cloud-Only
The system retrieves a list of any hybrid accounts with administrator permissions from Microsoft Entra ID.
- Pass Condition: No hybrid administrative accounts are found.
- Fail Condition: One or more hybrid administrative accounts are found.
Administrative Accounts Use Licenses with Reduced Footprint
The system retrieves a list of Global Administrators and their license assignments from Microsoft Entra ID to validate the licenses.
- Pass Condition: Every Global Administrator account is either unlicensed or assigned only Microsoft Entra ID P1 or P2 licenses.
- Fail Condition: Any Global Administrator account holds a license other than Microsoft Entra ID P1 or P2.
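The two preceding rules ("cloud-only" and "reduced licensing footprint") inspect the same population, the members of the Global Administrator role, and differ only in which user attributes they read. The code below is an added example, not the tool's code: a pure check that runs offline on constructed user objects, followed by the live Microsoft Graph pipeline it expects. It assumes the Get-MgUser properties onPremisesSyncEnabled and assignedLicenses, the Get-MgSubscribedSku mapping of SkuId to SkuPartNumber, and the stand-alone SKU part numbers AAD_PREMIUM and AAD_PREMIUM_P2 for Entra ID P1 and P2. The GUIDs and user names in the sample are placeholders.

```powershell
# Added example (not the tool's own code). Test-AdminAccount is pure; the commented pipeline
# at the end shows the live Graph calls that feed it.
$ReducedFootprintSkus = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')   # stand-alone Entra ID P1 / P2 SKU part numbers

function Test-AdminAccount {
    param(
        [Parameter(Mandatory)][object]$User,                 # Get-MgUser with onPremisesSyncEnabled, assignedLicenses
        [Parameter(Mandatory)][hashtable]$SkuPartNumberById  # SkuId (string) -> SkuPartNumber, from Get-MgSubscribedSku
    )
    $skus  = @($User.AssignedLicenses | ForEach-Object { $SkuPartNumberById["$($_.SkuId)"] })
    $other = @($skus | Where-Object { $_ -notin $ReducedFootprintSkus })
    [pscustomobject]@{
        User       = $User.UserPrincipalName
        CloudOnly  = -not [bool]$User.OnPremisesSyncEnabled   # null for cloud-only accounts, $true when synced
        Licenses   = ($skus -join ', ')
        LicenseOk  = ($other.Count -eq 0)                     # unlicensed, or only P1/P2
        Unexpected = ($other -join ', ')
    }
}

# Constructed sample data (placeholder GUIDs, not real SKU ids)
$skuMap = @{
    '11111111-1111-1111-1111-111111111111' = 'AAD_PREMIUM'
    '22222222-2222-2222-2222-222222222222' = 'SPE_E5'
}
$admins = @(
    [pscustomobject]@{ UserPrincipalName = 'ga-cloud@contoso.com'; OnPremisesSyncEnabled = $null
                       AssignedLicenses = @([pscustomobject]@{ SkuId = '11111111-1111-1111-1111-111111111111' }) }
    [pscustomobject]@{ UserPrincipalName = 'ga-sync@contoso.com'; OnPremisesSyncEnabled = $true
                       AssignedLicenses = @([pscustomobject]@{ SkuId = '22222222-2222-2222-2222-222222222222' }) }
)
$admins | ForEach-Object { Test-AdminAccount -User $_ -SkuPartNumberById $skuMap }

# Live, after Connect-MgGraph -Scopes RoleManagement.Read.Directory,User.Read.All,Organization.Read.All:
# $skuMap = @{}; Get-MgSubscribedSku | ForEach-Object { $skuMap["$($_.SkuId)"] = $_.SkuPartNumber }
# $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
# Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
#     Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
#     ForEach-Object { Get-MgUser -UserId $_.Id -Property userPrincipalName,onPremisesSyncEnabled,assignedLicenses } |
#     ForEach-Object { Test-AdminAccount -User $_ -SkuPartNumberById $skuMap }
```

Two caveats when running this live. Get-MgDirectoryRoleMember returns only active assignments, so administrators who hold the role as a PIM-eligible assignment are not listed unless their activation is in effect at query time; enumerate eligibility schedules separately if PIM is in use. And the "reduced footprint" rule, as stated, fails any bundle SKU (for example SPE_E5 above) even though it contains P1 or P2, which is intentional: the admin account should not carry a mailbox or Office apps at all.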
All Member Users Are ‘MFA Capable’
The system audits all member users in the directory to verify they have registered at least one MFA method.
- Pass Condition: Every member user in the tenant is registered as MFA Capable.
- Fail Condition: One or more member users have not registered an MFA method.
Approval Is Required for Global Administrator Role Activation
The system inspects PIM settings specifically for the "Global Administrator" role.
- Pass Condition: Role activation requires approval AND at least two primary approvers are assigned.
- Fail Condition: Activation does not require approval or fewer than two approvers are configured.
Approval Is Required for Privileged Role Administrator Activation
The system inspects PIM settings for the "Privileged Role Administrator" role.
- Pass Condition: Activation of the role requires approval AND at least two primary approvers are assigned.
- Fail Condition: Activation does not require approval or fewer than two approvers are configured.
Collaboration Invitations Are Sent To Allowed Domains Only
The system examines the B2B collaboration policy to determine if guest invitations are restricted to a specific list of domains.
- Pass Condition: The policy uses an AllowedDomains list, or no domain restriction is configured at all (the check only flags the block-list model).
- Fail Condition: The policy uses a BlockedDomains list; denying by exception is weaker than an explicit allow list, because any domain that is not on the block list can be invited.
Comprehensive Attachment Filtering Is Applied
The system compares malware filter policies against a list of dangerous file extensions to ensure robust protection.
- Pass Condition: A malware filter policy is enabled and blocks at least 90% of identified dangerous extensions.
- Fail Condition: No comprehensive policy exists, or existing policies are missing a significant number of extensions.
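The 90% threshold above is a set-overlap computation between a policy's FileTypes list and a reference list of dangerous extensions. The function below is an added example, not the tool's code. The reference list it ships with is an illustrative subset constructed for the example (the page does not publish the tool's list), and the sample policy is constructed; it assumes the EnableFileFilter and FileTypes properties of Get-MalwareFilterPolicy.

```powershell
# Added example (not the tool's own code). The extension list is an illustrative subset
# constructed for this example, not the tool's reference list.
$DangerousExtensions = @(
    'ace','ade','adp','ani','app','bas','bat','chm','cmd','com','cpl','crt','exe','hlp','hta',
    'inf','ins','isp','jar','js','jse','lnk','mdb','msc','msi','msp','mst','pcd','pif','reg',
    'scr','sct','shs','url','vb','vbe','vbs','wsc','wsf','wsh'
)

function Test-AttachmentFilterCoverage {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Policies,   # Get-MalwareFilterPolicy output
        [string[]]$Extensions = $DangerousExtensions,
        [double]$Threshold = 0.9
    )
    foreach ($policy in $Policies) {
        # FileTypes holds bare extensions ("exe"); normalise case and strip any leading dot anyway
        $blocked  = @($policy.FileTypes | ForEach-Object { "$_".TrimStart('.').ToLowerInvariant() })
        $missing  = @($Extensions | Where-Object { $blocked -notcontains $_.ToLowerInvariant() })
        $coverage = if ($Extensions.Count) { ($Extensions.Count - $missing.Count) / $Extensions.Count } else { 0 }
        # The common attachments filter must be on, or the FileTypes list is never applied
        $pass = [bool]$policy.EnableFileFilter -and ($coverage -ge $Threshold)
        [pscustomobject]@{
            Policy     = $policy.Name
            FileFilter = [bool]$policy.EnableFileFilter
            Coverage   = [math]::Round($coverage, 2)
            Missing    = ($missing -join ',')
            Result     = $(if ($pass) { 'Pass' } else { 'Fail' })
        }
    }
}

# Constructed sample policy: filter on, but only a dozen of the reference extensions blocked
$sample = [pscustomobject]@{
    Name = 'Default'; EnableFileFilter = $true
    FileTypes = @('ace','ani','app','exe','jar','reg','scr','vbe','vbs','wsc','wsf','wsh')
}
Test-AttachmentFilterCoverage -Policies @($sample)

# Live, after Connect-ExchangeOnline:
# Test-AttachmentFilterCoverage -Policies (Get-MalwareFilterPolicy)
```

Reporting the Missing column alongside the percentage is what makes the result actionable: the remediation is `Set-MalwareFilterPolicy -FileTypes` with the union of the current list and the missing entries, and the output gives you that list directly. Whatever reference list you adopt, keep it versioned with the baseline, because the pass/fail line moves with it.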
Custom Banned Password Lists Are Used
The system checks if a custom list of prohibited passwords has been uploaded and activated.
- Pass Condition: EnableBannedPasswordCheck is set to True and the BannedPasswordList contains at least one entry.
- Fail Condition: The custom check is disabled or the banned password list is empty.
Enable Conditional Access Policies To Block Legacy Authentication
The system scans all enabled Conditional Access policies for a specific rule targeting legacy protocols.
- Pass Condition: An enabled policy targets All Users and All Apps, includes Exchange ActiveSync or Other client app types, and is set to Block access.
- Fail Condition: No enabled global policy is found that specifically blocks legacy authentication.
Enable Identity Protection Sign-In Risk Policies
The system evaluates policies meant to protect against risky sign-in attempts.
- Pass Condition: An enabled policy targets All Users and All Apps, applies to Medium or High sign-in risk levels, and requires MFA.
- Fail Condition: No enabled policy enforces remediation for sign-in risk.
Enable Identity Protection User Risk Policies
The system searches for Conditional Access policies that mandate remediation for accounts flagged with user risk.
- Pass Condition: An enabled policy targets All Users and All Apps, applies to Medium or High user risk levels, and requires a password change or MFA.
- Fail Condition: No enabled policy enforces remediation for user risk.
Guest User Invitations Are Limited To The Guest Inviter Role
The system examines the authorization policy to identify who is permitted to invite guest users.
- Pass Condition: The AllowInvitesFrom property is set to adminsAndGuestInviters.
- Fail Condition: Guest invitations are permitted from more inclusive groups, such as all members.
Microsoft Authenticator Is Configured to Protect Against MFA Fatigue
The system retrieves the Microsoft Authenticator authentication method configuration to check for advanced security features.
- Pass Condition: Number matching, application name display, and geographic location display are all set to Enabled.
- Fail Condition: Any of the three security features (number matching, app name, or location) are disabled.
Multifactor Authentication Is Enabled For All Users
The system searches for a global policy that enforces MFA across the entire organization.
- Pass Condition: An enabled Conditional Access policy targets All Users and All Cloud Apps and requires MFA.
- Fail Condition: No enabled global policy is found that requires MFA for all users.
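Several Identity rules above (managed device required for authentication, block legacy authentication, sign-in risk, user risk, MFA for all users) share one pattern: find an enabled Conditional Access policy scoped to All Users and All Cloud Apps whose conditions and grant controls match a specification. The code below is an added example, not the tool's code. It assumes the object shape of Get-MgIdentityConditionalAccessPolicy (State, Conditions.Users.IncludeUsers, Conditions.Applications.IncludeApplications, Conditions.ClientAppTypes, Conditions.SignInRiskLevels, Conditions.UserRiskLevels, GrantControls.BuiltInControls) and the Graph control names; reading "Medium or High" as "both levels selected" is this example's interpretation. The sample policies are constructed.

```powershell
# Added example (not the tool's own code): one matcher, driven by a table of per-rule
# specifications, applied to objects shaped like Get-MgIdentityConditionalAccessPolicy output.
function Test-CaPolicyMatches {
    param(
        [Parameter(Mandatory)][object]$Policy,
        [string[]]$AnyControl = @(),        # pass if at least one of these builtInControls is required
        [string[]]$AnyClientAppType = @(),  # pass if at least one of these client app types is targeted
        [string[]]$AllSignInRisk = @(),     # every listed sign-in risk level must be selected
        [string[]]$AllUserRisk = @()
    )
    if ($Policy.State -ne 'enabled') { return $false }   # report-only is not enforcement
    if ('All' -notin @($Policy.Conditions.Users.IncludeUsers)) { return $false }
    if ('All' -notin @($Policy.Conditions.Applications.IncludeApplications)) { return $false }
    $controls = @($Policy.GrantControls.BuiltInControls)
    if ($AnyControl -and -not ($AnyControl | Where-Object { $_ -in $controls })) { return $false }
    $types = @($Policy.Conditions.ClientAppTypes)
    if ($AnyClientAppType -and -not ($AnyClientAppType | Where-Object { $_ -in $types })) { return $false }
    foreach ($level in $AllSignInRisk) { if ($level -notin @($Policy.Conditions.SignInRiskLevels)) { return $false } }
    foreach ($level in $AllUserRisk)   { if ($level -notin @($Policy.Conditions.UserRiskLevels))   { return $false } }
    return $true
}

# One entry per baseline rule; keys are Test-CaPolicyMatches parameter names, used by splatting
$CaBaseline = [ordered]@{
    'Block legacy authentication' = @{ AnyControl = 'block'; AnyClientAppType = 'exchangeActiveSync', 'other' }
    'MFA for all users'           = @{ AnyControl = 'mfa' }
    'Managed device required'     = @{ AnyControl = 'compliantDevice', 'domainJoinedDevice' }
    'Sign-in risk remediation'    = @{ AnyControl = 'mfa'; AllSignInRisk = 'medium', 'high' }
    'User risk remediation'       = @{ AnyControl = 'passwordChange', 'mfa'; AllUserRisk = 'medium', 'high' }
}

function Test-CaBaseline {
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Policies)
    foreach ($name in $CaBaseline.Keys) {
        $spec  = $CaBaseline[$name]
        $match = $Policies | Where-Object { Test-CaPolicyMatches -Policy $_ @spec } | Select-Object -First 1
        [pscustomobject]@{ Rule = $name; Result = $(if ($match) { 'Pass' } else { 'Fail' }); Policy = $match.DisplayName }
    }
}

# Constructed sample policies
function New-SampleCaPolicy {
    param([string]$Name, [string[]]$Controls, [string[]]$ClientAppTypes = @(),
          [string[]]$SignInRisk = @(), [string[]]$UserRisk = @(), [string]$State = 'enabled')
    [pscustomobject]@{
        DisplayName   = $Name; State = $State
        Conditions    = [pscustomobject]@{
            Users            = [pscustomobject]@{ IncludeUsers = @('All') }
            Applications     = [pscustomobject]@{ IncludeApplications = @('All') }
            ClientAppTypes   = $ClientAppTypes
            SignInRiskLevels = $SignInRisk
            UserRiskLevels   = $UserRisk
        }
        GrantControls = [pscustomobject]@{ BuiltInControls = $Controls }
    }
}
$policies = @(
    (New-SampleCaPolicy -Name 'Block legacy auth' -Controls 'block' -ClientAppTypes 'exchangeActiveSync', 'other')
    (New-SampleCaPolicy -Name 'Require MFA' -Controls 'mfa')
    (New-SampleCaPolicy -Name 'Risky sign-ins' -Controls 'mfa' -SignInRisk 'high' -State 'enabledForReportingButNotEnforced')
)
Test-CaBaseline -Policies $policies

# Live, after Connect-MgGraph -Scopes Policy.Read.All:
# Test-CaBaseline -Policies (Get-MgIdentityConditionalAccessPolicy -All)
```

The third sample policy fails twice over (report-only state, and only the high risk level selected), which is exactly the shape of a policy that looks deployed in the portal but enforces nothing. The matcher deliberately mirrors the page's logic and therefore ignores exclusions: a policy with IncludeUsers All and a large ExcludeUsers or ExcludeGroups list passes, so review exclusions by hand, keeping them to break-glass accounts.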
Multifactor Authentication Is Enabled For All Users In Administrative Roles
The system checks for a Conditional Access policy that mandates MFA for highly privileged directory roles.
- Pass Condition: An enabled policy exists that targets administrative roles for All Cloud Apps and requires MFA.
- Fail Condition: No enabled policy is found that specifically enforces MFA for administrative roles.
Password Protection Is Enabled for On-Prem Active Directory
The system validates the configuration of the Microsoft Entra password protection settings for on-premises environments.
- Pass Condition: The password rule settings have EnableBannedPasswordCheckOnPremises set to True and the mode set to Enforce.
- Fail Condition: The banned password check is not enabled for on-premises, or the mode is NOT set to Enforce.
Per-User MFA Is Disabled
The system retrieves a list of the users with per-user MFA enabled.
Note: You should only turn off per-user MFA if another method of MFA enforcement is active, such as Security Defaults or Conditional Access policies.
- Pass Condition: Per-user MFA is disabled for all users.
- Fail Condition: Per-user MFA is enabled for any user.
Phishing-Resistant MFA Strength Is Required For Administrators
The system checks for a high-security MFA requirement for administrative accounts.
- Pass Condition: An enabled policy targets administrative roles and requires the Phishing-resistant MFA authentication strength.
- Fail Condition: No policy enforces phishing-resistant MFA for admins.
Privileged Identity Management Is Used to Manage Roles
The system checks for eligible role assignments within Privileged Identity Management (PIM) for sensitive administrative roles.
- Pass Condition: At least one PIM-eligible role assignment is configured for a sensitive administrator role.
- Fail Condition: No PIM-eligible role assignments are found, indicating PIM is not being used for sensitive roles.
Security Defaults Are Appropriately Configured
The system retrieves the Security Defaults state from Microsoft Entra ID and checks the tenant’s licensing (for example Business Premium, which includes Entra ID P1) to determine whether Conditional Access policies are available.
- Pass Conditions:
  - Security Defaults are enabled and the tenant does NOT contain an Entra ID Premium P1 or P2 license, OR
  - Security Defaults are disabled and the tenant contains an Entra ID Premium P1 or P2 license.
- Fail Conditions:
  - Security Defaults are disabled and the tenant does NOT contain an Entra ID Premium P1 or P2 license, OR
  - Security Defaults are enabled and the tenant contains an Entra ID Premium P1 or P2 license.
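The following PowerShell is an added illustration of how the pass/fail matrix above can be evaluated with the Microsoft Graph PowerShell SDK; it is not the evaluator's own code. It assumes Connect-MgGraph has already been run with the Policy.Read.All and Organization.Read.All scopes. The function name Test-SecurityDefaultsRule is a label chosen for this example; AAD_PREMIUM and AAD_PREMIUM_P2 are the service plan names that Entra ID P1 and P2 carry, whether bought standalone or inside a bundle such as Business Premium.

```powershell
# Added example, not the evaluator's own code. Assumes Connect-MgGraph has been run
# with Policy.Read.All and Organization.Read.All. Test-SecurityDefaultsRule is a
# hypothetical name chosen for this illustration.
function Test-SecurityDefaultsRule {
    # Current Security Defaults enforcement state ($true / $false).
    $securityDefaultsEnabled = [bool](Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled

    # The tenant "contains" an Entra ID P1 or P2 license when any enabled subscribed
    # SKU carries one of these service plans. Checking service plans rather than SKU
    # names also catches bundles (Business Premium, EMS, Microsoft 365 E3/E5).
    $premiumPlans = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')
    $premiumPlanFound = Get-MgSubscribedSku -All |
        Where-Object { $_.CapabilityStatus -eq 'Enabled' } |
        ForEach-Object { $_.ServicePlans } |
        Where-Object { $_.ServicePlanName -in $premiumPlans } |
        Select-Object -First 1
    $hasPremium = [bool]$premiumPlanFound

    # Pass when exactly one of the two is true: Security Defaults on without P1/P2,
    # or Security Defaults off with P1/P2 (Conditional Access available instead).
    $pass = $securityDefaultsEnabled -xor $hasPremium

    $sdText  = if ($securityDefaultsEnabled) { 'enabled' } else { 'disabled' }
    $licText = if ($hasPremium) { 'present' } else { 'absent' }
    $detail  = "Security Defaults $sdText; Entra ID P1/P2 $licText"
    if (-not $pass -and $hasPremium) {
        $detail += ' (turn Security Defaults off and enforce the baseline with Conditional Access)'
    }
    if (-not $pass -and -not $hasPremium) {
        $detail += ' (turn Security Defaults on; Conditional Access is not available)'
    }

    [pscustomobject]@{
        Rule                    = 'Security Defaults Are Appropriately Configured'
        SecurityDefaultsEnabled = $securityDefaultsEnabled
        HasEntraPremium         = $hasPremium
        Result                  = if ($pass) { 'Pass' } else { 'Fail' }
        Detail                  = $detail
    }
}

Test-SecurityDefaultsRule | Format-List
```

The xor expresses the matrix directly: the two Pass rows are the cases where the two booleans differ, the two Fail rows are the cases where they agree.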
Sign-In Frequency for Intune Enrollment Is Set to ‘Every Time’
The system checks Conditional Access policies specifically for the Intune Enrollment application.
- Pass Condition: An enabled policy targets the "Microsoft Intune Enrollment" app, requires MFA, and has the sign-in frequency set to Every time.
- Fail Condition: No policy is found that enforces MFA and an Every time sign-in frequency for Intune enrollment.
Sign-In Frequency Is Enabled and Browser Sessions Are Not Persistent For Administrative Users
The system checks for session-based restrictions on administrative accounts.
- Pass Condition: An enabled Conditional Access policy targets admin roles with a sign-in frequency of 4 hours or less and sets browser persistence to Never.
- Fail Condition: No policy enforces both the 4-hour re-authentication limit and the Never setting for persistent browser sessions.
Sign-In Risk Is Blocked For Medium And High Risk
The system checks for a strict blocking policy for sign-ins that meet high-risk criteria.
- Pass Condition: An enabled policy targets All Users and All Apps, applies to both Medium and High sign-in risk levels, and is set to Block access.
- Fail Condition: No enabled policy exists to block sign-ins at these risk levels.
System-Preferred Multifactor Authentication Is Enabled
The system checks if Entra ID is configured to automatically present the most secure MFA method to users.
- Pass Condition: The system credential preference state is Enabled for All Users.
- Fail Condition: System-preferred MFA is not enabled or does not target the entire user base.
Tenant Has Between Two and Four Global Admins
The system retrieves a list of Global Administrators from Microsoft Entra ID to validate the number.
- Pass Condition: There are between two and four Global Administrator accounts.
- Fail Conditions:
  - There is only one Global Administrator account.
  - There are five or more Global Administrator accounts.
The Admin Consent Workflow Is Enabled
The system checks the configuration of the admin consent request policy.
- Pass Condition: The admin consent workflow is explicitly set to Enabled.
- Fail Condition: The admin consent workflow is Disabled, meaning users cannot request admin approval for apps.
The Common Attachment Types Filter Is Enabled
The system retrieves all malware filter policies and identifies the highest priority policy to verify if the common attachment types filter is active.
- Pass Condition: EnableFileFilter is set to True on the highest priority malware filter policy.
- Fail Conditions:
  - No malware filter policies are found in the environment.
  - EnableFileFilter is set to False on the highest priority policy.
The Connection Filter IP Allow List Is Not Used
The system checks the default hosted connection filter policy for any manually added IP addresses that bypass spam filtering.
- Pass Condition: The IPAllowList is empty.
- Fail Condition: The allow list contains one or more IP addresses.
The Device Code Sign-In Flow Is Blocked
The system verifies if the device code flow is restricted via Conditional Access.
- Pass Condition: An enabled policy targets All Users and All Apps, specifically includes the deviceCodeFlow transfer method, and is set to Block.
- Fail Condition: No enabled policy is found that blocks the device code sign-in flow.
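Several of the rules above (MFA for all users, sign-in risk blocking, the device code flow block, and the administrative sign-in frequency rule) all reduce to "find an enabled Conditional Access policy whose scope, conditions and controls match". The block below is an added example that shows that pattern with one shared helper; it is not the evaluator's own code. It assumes Connect-MgGraph has been run with Policy.Read.All, and the function names Get-EnabledCaPolicy, Test-CaScopeAllUsersAllApps, New-RuleResult and the Test-*Rule functions are hypothetical. The admin rule here treats "targets admin roles" as any policy that includes at least one directory role, since the page does not list which roles the evaluator looks for.

```powershell
# Added example, not the evaluator's own code. Assumes Connect-MgGraph has been run
# with Policy.Read.All. All function names are hypothetical.

# Wraps the outcome: Pass when at least one policy matched, otherwise Fail.
function New-RuleResult {
    param([string]$Rule, $MatchingPolicies)
    $names = @($MatchingPolicies | ForEach-Object DisplayName)
    [pscustomobject]@{
        Rule     = $Rule
        Result   = if ($names.Count -gt 0) { 'Pass' } else { 'Fail' }
        Policies = $names -join ', '
    }
}

# Only enabled policies enforce anything; report-only and disabled ones never satisfy a rule.
function Get-EnabledCaPolicy {
    Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq 'enabled' }
}

# Tenant-wide scope: All users and All cloud apps. The rule text does not look at
# exclusions, so a policy that excludes a group still counts as tenant-wide here.
function Test-CaScopeAllUsersAllApps {
    param($Policy)
    ($Policy.Conditions.Users.IncludeUsers -contains 'All') -and
    ($Policy.Conditions.Applications.IncludeApplications -contains 'All')
}

# Multifactor Authentication Is Enabled For All Users
function Test-MfaForAllUsersRule {
    $match = Get-EnabledCaPolicy | Where-Object {
        (Test-CaScopeAllUsersAllApps $_) -and
        ($_.GrantControls.BuiltInControls -contains 'mfa')
    }
    New-RuleResult 'Multifactor Authentication Is Enabled For All Users' $match
}

# Sign-In Risk Is Blocked For Medium And High Risk
function Test-SignInRiskBlockRule {
    $match = Get-EnabledCaPolicy | Where-Object {
        (Test-CaScopeAllUsersAllApps $_) -and
        ($_.Conditions.SignInRiskLevels -contains 'medium') -and
        ($_.Conditions.SignInRiskLevels -contains 'high') -and
        ($_.GrantControls.BuiltInControls -contains 'block')
    }
    New-RuleResult 'Sign-In Risk Is Blocked For Medium And High Risk' $match
}

# The Device Code Sign-In Flow Is Blocked. TransferMethods is a comma-separated
# flags string (for example "deviceCodeFlow,authenticationTransfer").
function Test-DeviceCodeFlowBlockedRule {
    $match = Get-EnabledCaPolicy | Where-Object {
        $methods = @("$($_.Conditions.AuthenticationFlows.TransferMethods)" -split '\s*,\s*')
        (Test-CaScopeAllUsersAllApps $_) -and
        ($methods -contains 'deviceCodeFlow') -and
        ($_.GrantControls.BuiltInControls -contains 'block')
    }
    New-RuleResult 'The Device Code Sign-In Flow Is Blocked' $match
}

# Sign-In Frequency Is Enabled and Browser Sessions Are Not Persistent For
# Administrative Users: a policy that includes directory roles, re-authenticates
# within 4 hours (days are converted to hours) and sets persistent browser to Never.
function Test-AdminSessionRule {
    $match = Get-EnabledCaPolicy | Where-Object {
        $sif   = $_.SessionControls.SignInFrequency
        $hours = switch ("$($sif.Type)") { 'hours' { $sif.Value } 'days' { $sif.Value * 24 } default { $null } }
        (@($_.Conditions.Users.IncludeRoles).Count -gt 0) -and
        ($sif.IsEnabled -eq $true) -and ($null -ne $hours) -and ($hours -le 4) -and
        ($_.SessionControls.PersistentBrowser.IsEnabled -eq $true) -and
        ($_.SessionControls.PersistentBrowser.Mode -eq 'never')
    }
    New-RuleResult 'Sign-In Frequency Is Enabled and Browser Sessions Are Not Persistent For Administrative Users' $match
}

Test-MfaForAllUsersRule
Test-SignInRiskBlockRule
Test-DeviceCodeFlowBlockedRule
Test-AdminSessionRule
```

Each check fails closed: a missing condition block, a null grant control or an unset sign-in frequency evaluates to false, so a policy that is silent on a requirement never counts as meeting it.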
The Email OTP Authentication Method Is Disabled
The system checks the status of the Email One-Time Passcode (OTP) authentication method.
- Pass Condition: The Email authentication method state is set to Disabled.
- Fail Condition: The Email authentication method is Enabled.
Third Party Integrated Applications Are Not Allowed
The system evaluates the authorization policy to determine if users can register their own integrated applications.
- Pass Condition: The AllowedToCreateApps property in the default user role permissions is set to False.
- Fail Condition: Users are permitted to register third-party applications.
Two Emergency Access Accounts Are Defined
The system retrieves a list of Global Administrators from Microsoft Entra ID to validate their configuration.
- Pass Conditions: At least two accounts meet all of the following conditions:
  - The accounts only use the default .onmicrosoft.com domain.
  - The accounts are cloud-only.
  - The accounts are unlicensed.
  - The accounts are assigned the Global Administrator directory role.
- Fail Conditions: One or fewer accounts meet all of the following conditions:
  - The accounts only use the default .onmicrosoft.com domain.
  - The accounts are cloud-only.
  - The accounts are unlicensed.
  - The accounts are assigned the Global Administrator directory role.
Tip: This rule fails most often because the accounts are on the primary domain rather than the .onmicrosoft.com domain.
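The Global Administrator count rule and the emergency access rule both start from the same list of role holders, so the added example below evaluates both from one lookup. It is not the evaluator's own code; it assumes Connect-MgGraph has been run with RoleManagement.Read.Directory and User.Read.All, and the function names are hypothetical. The role is located by its well-known Global Administrator role template id rather than by display name, and the Detail field of the second check reports how many Global Administrators sit on a non-.onmicrosoft.com domain, which is the failure the Tip above describes.

```powershell
# Added example, not the evaluator's own code. Assumes Connect-MgGraph has been run
# with RoleManagement.Read.Directory and User.Read.All. Function names are hypothetical.

# Users holding the Global Administrator role. Directory role membership returns
# active assignments only; PIM-eligible members are not included.
function Get-GlobalAdminUser {
    # Well-known role template id of the Global Administrator role.
    $gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
    $role = Get-MgDirectoryRole -All | Where-Object { $_.RoleTemplateId -eq $gaTemplateId }
    if (-not $role) { return @() }
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
    foreach ($m in $members) {
        Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, OnPremisesSyncEnabled, AssignedLicenses
    }
}

# Tenant Has Between Two and Four Global Admins
function Test-GlobalAdminCountRule {
    $count = @(Get-GlobalAdminUser).Count
    [pscustomobject]@{
        Rule   = 'Tenant Has Between Two and Four Global Admins'
        Result = if ($count -ge 2 -and $count -le 4) { 'Pass' } else { 'Fail' }
        Detail = "$count Global Administrator account(s)"
    }
}

# Two Emergency Access Accounts Are Defined
function Test-EmergencyAccessAccountRule {
    $admins = @(Get-GlobalAdminUser)
    $candidates = @($admins | Where-Object {
        # default .onmicrosoft.com domain only
        ($_.UserPrincipalName -like '*.onmicrosoft.com') -and
        # cloud-only (not synchronised from on-premises AD)
        ($_.OnPremisesSyncEnabled -ne $true) -and
        # unlicensed
        (@($_.AssignedLicenses).Count -eq 0)
    })
    $onPrimary = @($admins | Where-Object { $_.UserPrincipalName -notlike '*.onmicrosoft.com' }).Count
    [pscustomobject]@{
        Rule   = 'Two Emergency Access Accounts Are Defined'
        Result = if ($candidates.Count -ge 2) { 'Pass' } else { 'Fail' }
        Detail = "$($candidates.Count) qualifying account(s); $onPrimary Global Admin(s) on a non-.onmicrosoft.com domain"
    }
}

Test-GlobalAdminCountRule
Test-EmergencyAccessAccountRule
```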
User Consent To Apps Accessing Company Data On Their Behalf Is Not Allowed
The system examines the authorization policy to ensure users cannot grant broad permissions to third-party applications.
- Pass Condition: The policy does not include disallowed permission grant IDs (like microsoft-user-default-low) that allow self-management of app grants.
- Fail Condition: The policy allows users to self-consent to apps using non-restrictive grant settings.
Users Are Restricted From Recovering BitLocker Keys
The system evaluates the authorization policy regarding BitLocker recovery key access.
- Pass Condition: The property allowedToReadBitlockerKeysForOwnedDevice is set to False.
- Fail Condition: The property is set to True, allowing users to read their own BitLocker recovery keys.
Users Cannot Create Security Groups
The system evaluates the directory-level setting for group creation.
- Pass Condition: The allowedToCreateSecurityGroups property is set to False.
- Fail Condition: The property is set to True, allowing standard users to create security groups.
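Five of the rules in this section (guest inviter role, third-party integrated applications, user consent to apps, BitLocker key recovery, and security group creation) are all read from the single Entra ID authorization policy object, so they can be evaluated from one call. The block below is an added example, not the evaluator's own code; it assumes Connect-MgGraph has been run with Policy.Read.All and the function name Test-AuthorizationPolicyRules is hypothetical. For the consent rule it treats a default-role permission grant policy ending in microsoft-user-default-low (the identifier named above) or microsoft-user-default-legacy (Microsoft's broader built-in policy) as allowing self-consent.

```powershell
# Added example, not the evaluator's own code. Assumes Connect-MgGraph has been run
# with Policy.Read.All. Test-AuthorizationPolicyRules is a hypothetical name.
function Test-AuthorizationPolicyRules {
    # One authorization policy object holds everything these five rules inspect.
    $policy = Get-MgPolicyAuthorizationPolicy
    $perm   = $policy.DefaultUserRolePermissions

    # Permission grant policies that let users consent to apps on their own behalf.
    # 'microsoft-user-default-low' is the id named in the rule text;
    # 'microsoft-user-default-legacy' is Microsoft's broader built-in policy.
    $selfConsentIds = @('microsoft-user-default-low', 'microsoft-user-default-legacy')
    $grantPolicies  = @($perm.PermissionGrantPoliciesAssignedToDefaultUserRole)
    $selfConsent    = @($grantPolicies | Where-Object {
        $g = $_
        $selfConsentIds | Where-Object { $g -like "*$_" }
    })

    # Each entry: rule name, pass predicate, and the raw value shown for evidence.
    # Comparing with -eq $false means an unexpected null fails closed.
    $checks = @(
        @{ Rule  = 'Guest User Invitations Are Limited To The Guest Inviter Role'
           Pass  = ($policy.AllowInvitesFrom -eq 'adminsAndGuestInviters')
           Value = "AllowInvitesFrom = $($policy.AllowInvitesFrom)" },
        @{ Rule  = 'Third Party Integrated Applications Are Not Allowed'
           Pass  = ($perm.AllowedToCreateApps -eq $false)
           Value = "AllowedToCreateApps = $($perm.AllowedToCreateApps)" },
        @{ Rule  = 'User Consent To Apps Accessing Company Data On Their Behalf Is Not Allowed'
           Pass  = ($selfConsent.Count -eq 0)
           Value = "default role grant policies = $($grantPolicies -join ', ')" },
        @{ Rule  = 'Users Are Restricted From Recovering BitLocker Keys'
           Pass  = ($perm.AllowedToReadBitlockerKeysForOwnedDevice -eq $false)
           Value = "AllowedToReadBitlockerKeysForOwnedDevice = $($perm.AllowedToReadBitlockerKeysForOwnedDevice)" },
        @{ Rule  = 'Users Cannot Create Security Groups'
           Pass  = ($perm.AllowedToCreateSecurityGroups -eq $false)
           Value = "AllowedToCreateSecurityGroups = $($perm.AllowedToCreateSecurityGroups)" }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Rule   = $c.Rule
            Result = if ($c.Pass) { 'Pass' } else { 'Fail' }
            Value  = $c.Value
        }
    }
}

Test-AuthorizationPolicyRules | Format-Table -AutoSize -Wrap
```

Reading the policy once and evaluating all five predicates against it keeps the evidence consistent: every result row refers to the same snapshot of the tenant's settings.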
Weak Authentication Methods Are Disabled
The system checks for the presence of insecure authentication methods like SMS and Voice.
- Pass Condition: Both SMS and Voice authentication methods are set to Disabled.
- Fail Condition: One or both of these weak methods are currently Enabled.
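The Authenticator MFA-fatigue rule, the Email OTP rule and the weak-methods rule all read authentication method configurations from the Entra ID authentication methods policy. The following added example evaluates the three with one small lookup helper; it is not the evaluator's own code. It assumes Connect-MgGraph has been run with Policy.Read.All, and the function names are hypothetical. The Authenticator feature settings arrive as untyped JSON in AdditionalProperties, and, following the rule text, only an explicit 'enabled' state is accepted.

```powershell
# Added example, not the evaluator's own code. Assumes Connect-MgGraph has been run
# with Policy.Read.All. Function names are hypothetical.

# One authentication method configuration by its well-known id
# (for example MicrosoftAuthenticator, Email, Sms, Voice).
function Get-AuthMethodConfig {
    param([string]$Id)
    Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId $Id
}

# Microsoft Authenticator Is Configured to Protect Against MFA Fatigue:
# all three feature settings must be explicitly 'enabled'. Per the rule text,
# 'default' is not accepted, even where Microsoft's default already turns the feature on.
function Test-AuthenticatorFatigueRule {
    $cfg = Get-AuthMethodConfig -Id 'MicrosoftAuthenticator'
    # Method-specific settings are not typed in the SDK; they live in AdditionalProperties.
    $features = $cfg.AdditionalProperties['featureSettings']
    $wanted = @{
        'numberMatchingRequiredState'             = 'number matching'
        'displayAppInformationRequiredState'      = 'application name'
        'displayLocationInformationRequiredState' = 'geographic location'
    }
    $missing = foreach ($key in $wanted.Keys) {
        $state = if ($features -and $features[$key]) { $features[$key]['state'] } else { 'not set' }
        if ($state -ne 'enabled') { "$($wanted[$key]) ($state)" }
    }
    [pscustomobject]@{
        Rule   = 'Microsoft Authenticator Is Configured to Protect Against MFA Fatigue'
        Result = if (@($missing).Count -eq 0) { 'Pass' } else { 'Fail' }
        Detail = if ($missing) { "Not enabled: $($missing -join ', ')" } else { 'All three features enabled' }
    }
}

# Email OTP and the weak SMS/Voice methods all reduce to "state must be Disabled".
function Test-MethodDisabledRule {
    param([string]$Rule, [string[]]$MethodIds)
    $enabled = foreach ($id in $MethodIds) {
        $cfg = Get-AuthMethodConfig -Id $id
        if ($cfg.State -eq 'enabled') { $id }
    }
    [pscustomobject]@{
        Rule   = $Rule
        Result = if (@($enabled).Count -eq 0) { 'Pass' } else { 'Fail' }
        Detail = if ($enabled) { "Still enabled: $($enabled -join ', ')" } else { 'Disabled' }
    }
}

Test-AuthenticatorFatigueRule
Test-MethodDisabledRule -Rule 'The Email OTP Authentication Method Is Disabled' -MethodIds 'Email'
Test-MethodDisabledRule -Rule 'Weak Authentication Methods Are Disabled' -MethodIds 'Sms', 'Voice'
```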
Zero-Hour Auto Purge for Microsoft Teams Is On
The system checks for the existence of a Teams Protection Policy and verifies that Zero-hour Auto Purge (ZAP) is active to remove malicious messages.
- Pass Condition: A Teams Protection Policy exists and ZapEnabled is set to True.
- Fail Conditions:
  - No Teams Protection Policy is found.
  - ZapEnabled is set to False.
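The three Exchange Online and Defender for Office 365 checks in this section (the common attachment types filter, the connection filter allow list, and Teams ZAP) use the Exchange Online Management module rather than Microsoft Graph. The block below is an added example of evaluating them, not the evaluator's own code. It assumes Connect-ExchangeOnline has been run by an account that can read threat policies, and the function names are hypothetical. "Highest priority policy" is interpreted here as the policy bound to the enabled malware filter rule with the lowest Priority number (0 wins), falling back to the default policy when no custom rule exists; the page does not state how the evaluator resolves it.

```powershell
# Added example, not the evaluator's own code. Assumes Connect-ExchangeOnline has
# been run by an account that can read threat policies. Function names are hypothetical.

# The Common Attachment Types Filter Is Enabled
function Test-CommonAttachmentFilterRule {
    $rule = 'The Common Attachment Types Filter Is Enabled'
    $policies = @(Get-MalwareFilterPolicy)
    if ($policies.Count -eq 0) {
        return [pscustomobject]@{ Rule = $rule; Result = 'Fail'; Detail = 'No malware filter policies found' }
    }
    # Custom policies are applied through rules; Priority 0 is evaluated first.
    $topRule = Get-MalwareFilterRule | Where-Object { $_.State -eq 'Enabled' } |
        Sort-Object Priority | Select-Object -First 1
    if ($topRule) {
        $top = $policies | Where-Object { $_.Name -eq $topRule.MalwareFilterPolicy } | Select-Object -First 1
    } else {
        # No custom rule: the built-in default policy is the only one in effect.
        $top = $policies | Where-Object { $_.IsDefault } | Select-Object -First 1
    }
    [pscustomobject]@{
        Rule   = $rule
        Result = if ($top.EnableFileFilter -eq $true) { 'Pass' } else { 'Fail' }
        Detail = "policy '$($top.Name)': EnableFileFilter = $($top.EnableFileFilter)"
    }
}

# The Connection Filter IP Allow List Is Not Used
function Test-ConnectionFilterAllowListRule {
    $cf = Get-HostedConnectionFilterPolicy -Identity Default
    $entries = @($cf.IPAllowList)
    [pscustomobject]@{
        Rule   = 'The Connection Filter IP Allow List Is Not Used'
        Result = if ($entries.Count -eq 0) { 'Pass' } else { 'Fail' }
        Detail = if ($entries.Count -eq 0) { 'IPAllowList is empty' } else { "IPAllowList: $($entries -join ', ')" }
    }
}

# Zero-Hour Auto Purge for Microsoft Teams Is On
function Test-TeamsZapRule {
    # The cmdlet errors when the policy does not exist; treat that as "not found".
    $tpp = @(Get-TeamsProtectionPolicy -ErrorAction SilentlyContinue)
    if ($tpp.Count -eq 0) {
        $result = 'Fail'; $detail = 'No Teams Protection Policy found'
    } else {
        $result = if ($tpp[0].ZapEnabled -eq $true) { 'Pass' } else { 'Fail' }
        $detail = "ZapEnabled = $($tpp[0].ZapEnabled)"
    }
    [pscustomobject]@{
        Rule   = 'Zero-Hour Auto Purge for Microsoft Teams Is On'
        Result = $result
        Detail = $detail
    }
}

Test-CommonAttachmentFilterRule
Test-ConnectionFilterAllowListRule
Test-TeamsZapRule
```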