Security Essential Rule Logic
This document provides information about the pass/fail conditions for each of the Rules comprising the Security Essential baseline. When available, common reasons for failures are also highlighted.
Tenant Has Between Two and Four Global Admins
The system retrieves a list of Global Administrators from Microsoft Entra ID to validate the number.
- Pass Condition: There are between two and four Global Administrator accounts.
- Fail Conditions:
- There is only one Global Administrator account.
- There are five or more Global Administrator accounts.
DMARC Records for All Exchange Online Domains Are Published
The system checks DNS to validate that all accepted domains have DMARC configured.
- Pass Conditions: All Exchange Online domains (including the .onmicrosoft.com domain) have _dmarc TXT records published with all of the following values set:
- v=DMARC1
- p=quarantine OR p=reject
- pct=100
- rua=mailto:<reporting email address>
- ruf=mailto:<reporting email address>
- Fail Conditions: The _dmarc TXT records are not published for all Exchange Online domains, or are missing any of the values listed above.
Tip: This rule often fails because:
- The rua and ruf values are not defined.
- The .onmicrosoft domain does not have DMARC configured.
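The following PowerShell is an added example, not code from the original page or from the product it describes. It evaluates the DMARC rule above for every accepted domain: it fetches the _dmarc TXT record, parses the tag=value pairs, and reports which of the five required values are missing. It assumes an Exchange Online session (Connect-ExchangeOnline, for Get-AcceptedDomain) and the Windows Resolve-DnsName cmdlet; the domains and records at the end are constructed so the parser can be exercised offline.

```powershell
# Added example, not the page's own code. Assumes Exchange Online PowerShell
# (Connect-ExchangeOnline) and Resolve-DnsName (DnsClient module, Windows).
$RequiredPolicies = @('quarantine', 'reject')

function Get-DnsTxtStrings {
    # One string per TXT record; multi-chunk records are re-joined. Nothing on NXDOMAIN.
    param([Parameter(Mandatory)][string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' }
    } catch { @() }
}

function ConvertFrom-DmarcRecord {
    # Parses "v=DMARC1; p=reject; rua=mailto:x" into a hashtable of lower-cased tags.
    param([Parameter(Mandatory)][string]$Record)
    $tags = @{}
    foreach ($part in ($Record -split ';')) {
        $kv = $part.Trim() -split '=', 2
        if ($kv.Count -eq 2 -and $kv[0].Trim()) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }
    $tags
}

function Test-DmarcRecord {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$TxtRecords   # supply pre-fetched or constructed records; omitted = query DNS
    )
    if (-not $PSBoundParameters.ContainsKey('TxtRecords')) {
        $TxtRecords = @(Get-DnsTxtStrings -Name "_dmarc.$Domain")
    }
    $dmarc = @($TxtRecords | Where-Object { $_ -match '^\s*v=DMARC1' })
    $missing = [System.Collections.Generic.List[string]]::new()

    if ($dmarc.Count -eq 0) {
        $missing.Add('no _dmarc TXT record')
    } elseif ($dmarc.Count -gt 1) {
        # Beyond the page's rule: RFC 7489 treats multiple DMARC records as no policy at all.
        $missing.Add('multiple _dmarc TXT records')
    } else {
        $t = ConvertFrom-DmarcRecord -Record $dmarc[0]
        if ($t['v'] -ne 'DMARC1')                   { $missing.Add('v=DMARC1') }
        if ($RequiredPolicies -notcontains $t['p']) { $missing.Add('p=quarantine or p=reject') }
        # The rule wants pct=100 spelled out, even though the RFC default when pct is absent is 100.
        if ($t['pct'] -ne '100')                    { $missing.Add('pct=100') }
        if (-not ($t['rua'] -match '^mailto:'))     { $missing.Add('rua=mailto:') }
        if (-not ($t['ruf'] -match '^mailto:'))     { $missing.Add('ruf=mailto:') }
    }
    [pscustomobject]@{ Domain = $Domain; Pass = ($missing.Count -eq 0); Missing = ($missing -join ', ') }
}

function Get-DmarcRuleResults {
    # Live run. Get-AcceptedDomain lists the tenant's .onmicrosoft.com domain as well,
    # which is why the rule checks it too.
    Get-AcceptedDomain | ForEach-Object { Test-DmarcRecord -Domain "$($_.DomainName)" }
}

# Constructed sample records (not real domains) so the checks can run offline.
$samples = [ordered]@{
    'contoso.example'         = @('v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@contoso.example; ruf=mailto:dmarc@contoso.example')
    'contoso.onmicrosoft.com' = @('v=DMARC1; p=quarantine')   # the common failure: rua, ruf and pct absent
    'fabrikam.example'        = @()                            # nothing published at all
}
foreach ($d in $samples.Keys) { Test-DmarcRecord -Domain $d -TxtRecords $samples[$d] }
# contoso.example passes; the other two fail with their missing items listed.
```

Run Get-DmarcRuleResults against a connected tenant to reproduce the rule's pass/fail list; the two failure cases in the sample are exactly the ones the Tip above names.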
Modern Authentication for SharePoint Applications Is Required
The system retrieves the Modern Authentication settings from SharePoint Online to validate whether it’s enabled.
- Pass Condition: Modern authentication for SharePoint is enabled
- Fail Condition: Modern authentication for SharePoint is disabled.
Administrative Accounts Use Licenses With Reduced Footprint
The system retrieves a list of Global Administrators and their license assignments from Microsoft Entra ID to validate the licenses.
- Pass Condition: All administrative accounts are either unlicensed or assigned only Microsoft Entra ID P1 or P2 licenses.
- Fail Condition: Any administrative account has a license other than Microsoft Entra ID P1 or P2.
Only People in My Org Can Bypass the Lobby
The system checks the value of the Auto Admitted Users setting to validate that it excludes guests.
- Pass Condition: The value of “Auto Admitted Users” is set to “Everyone In Company Excluding Guests.”
- Fail Condition: The value of “Auto Admitted Users” is set to “Everyone.”
Two Emergency Access Accounts Are Defined
The system retrieves a list of Global Administrators from Microsoft Entra ID to validate their configuration.
- Pass Conditions: At least two accounts meet all of the following conditions:
- The accounts use only the default .onmicrosoft.com domain.
- The accounts are cloud-only.
- The accounts are unlicensed.
- The accounts are assigned the Global Administrator directory role.
- Fail Conditions: One or fewer accounts meet all of the conditions listed above.
Tip: This rule fails most often because the accounts are on the primary domain rather than the .onmicrosoft domain.
Guest User Access Is Restricted
The system retrieves the guest user access settings from Entra ID to validate that guests have restrictions.
- Pass Conditions (either of the following):
- “Guest User Access Restrictions” is set to “Guest user access is restricted to properties and memberships of their own directory objects (most restrictive).”
- “Guest User Access Restrictions” is set to “Guest users have limited access to properties and memberships of directory objects.”
- Fail Condition: “Guest User Access Restrictions” is set to “Guest users have the same access as members (most inclusive).”
External Teams Users Cannot Initiate Conversations
The system checks the “External users with Teams accounts not managed by an organization can contact users in my organization” setting from Microsoft Teams to validate that it is disabled.
- Pass Condition: The “External users with Teams accounts not managed by an organization can contact users in my organization” setting is “False.”
- Fail Condition: The “External users with Teams accounts not managed by an organization can contact users in my organization” setting is “True.”
Microsoft 365 Audit Log Search Is Enabled
The system retrieves the Microsoft 365 audit log configuration state from the tenant.
- Pass Condition: The audit log search state is set to enabled.
- Fail Condition: The audit log search state is set to disabled.
'AuditDisabled' Organizationally is Set to 'False'
The system retrieves the Microsoft 365 audit log configuration state from the tenant.
- Pass Condition: The value for “AuditDisabled” is set to “False.”
- Fail Condition: The value for “AuditDisabled” is set to “True.”
SPF Records Are Published for All Exchange Domains
The system checks DNS to validate that all Exchange Online domains have SPF records published.
- Pass Condition: Every Exchange Online domain’s DNS zone contains the SPF record v=spf1 include:spf.protection.outlook.com.
- Fail Condition: One or more Exchange Online domains’ DNS zones do not contain the SPF record v=spf1 include:spf.protection.outlook.com.
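The PowerShell below is an added example, not code from the original page or product. It evaluates the SPF rule above for each accepted domain and goes one step further than the page's contains-check: it also fails a domain that publishes more than one v=spf1 record, because RFC 7208 makes that a permanent error and receivers then treat the domain as having no usable SPF. It assumes Connect-ExchangeOnline (for Get-AcceptedDomain) and the Windows Resolve-DnsName cmdlet; the sample records are constructed.

```powershell
# Added example, not the page's own code. Assumes Connect-ExchangeOnline (for
# Get-AcceptedDomain) and Windows Resolve-DnsName.
$RequiredInclude = 'include:spf.protection.outlook.com'

function Test-SpfRecord {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$TxtRecords   # pre-fetched or constructed records; omitted = query DNS
    )
    if (-not $PSBoundParameters.ContainsKey('TxtRecords')) {
        try {
            $TxtRecords = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
                Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings -join '' })
        } catch { $TxtRecords = @() }
    }
    # Only records that begin with the v=spf1 version tag count; other TXT records are ignored.
    $spf = @($TxtRecords | Where-Object { $_ -match '^v=spf1(\s|$)' })
    $reason = 'ok'
    if ($spf.Count -eq 0) {
        $reason = 'no v=spf1 TXT record'
    } elseif ($spf.Count -gt 1) {
        # Stricter than the page's rule: two SPF records are a permerror under RFC 7208.
        $reason = "multiple v=spf1 records ($($spf.Count))"
    } elseif (($spf[0] -split '\s+') -notcontains $RequiredInclude) {
        $reason = "$RequiredInclude not present"
    }
    [pscustomobject]@{ Domain = $Domain; Pass = ($reason -eq 'ok'); Reason = $reason; Record = ($spf -join ' | ') }
}

function Get-SpfRuleResults {
    # Live run over every accepted domain, including the .onmicrosoft.com domain.
    Get-AcceptedDomain | ForEach-Object { Test-SpfRecord -Domain "$($_.DomainName)" }
}

# Constructed sample records (not real domains) to exercise the check offline.
$samples = [ordered]@{
    'contoso.example'         = @('v=spf1 include:spf.protection.outlook.com -all', 'google-site-verification=abc')
    'contoso.onmicrosoft.com' = @('v=spf1 include:spf.protection.outlook.com -all')
    'fabrikam.example'        = @('v=spf1 ip4:203.0.113.10 -all')                                    # include missing
    'legacy.example'          = @('v=spf1 -all', 'v=spf1 include:spf.protection.outlook.com -all')  # two records
}
foreach ($d in $samples.Keys) { Test-SpfRecord -Domain $d -TxtRecords $samples[$d] }
# The first two pass; fabrikam.example and legacy.example fail with the reason shown.
```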
External Participants Can't Give or Request Control
The system checks the Teams Meeting Policy state from Microsoft Teams.
- Pass Condition: The “Allow External Participant Give Request Control” is set to “False.”
- Fail Condition: The “Allow External Participant Give Request Control” is set to “True.”
SMTP AUTH Is Disabled
The system retrieves the SMTP authentication state from Exchange Online.
- Pass Condition: Exchange Online SMTP Authentication is disabled.
- Fail Condition: Exchange Online SMTP Authentication is enabled.
Modern Authentication for Exchange Online Is Enabled
The system checks the Exchange Online authentication settings and verifies if modern authentication is enabled.
- Pass Condition: Exchange Online modern authentication is enabled.
- Fail Condition: Exchange Online modern authentication is disabled.
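As an added example that is not part of the original page, the PowerShell below evaluates the four tenant-wide Exchange Online rules above (audit log search, AuditDisabled, SMTP AUTH, modern authentication) from the three cmdlets that expose them, and names the cmdlet that remediates each failure. It separates the evaluation from the live read so the logic can be run on constructed input, and adds one caveat the org-level rule does not cover: a per-mailbox SMTP AUTH override. It assumes an Exchange Online session (Connect-ExchangeOnline).

```powershell
# Added example, not the page's own code. Assumes an Exchange Online session
# (Connect-ExchangeOnline from the ExchangeOnlineManagement module).
function Test-ExoTenantAuthAndAudit {
    # Pure evaluation over the four values so it can be run on constructed input.
    param(
        [Parameter(Mandatory)][bool]$UnifiedAuditLogIngestionEnabled,
        [Parameter(Mandatory)][bool]$AuditDisabled,
        [Parameter(Mandatory)][bool]$SmtpClientAuthenticationDisabled,
        [Parameter(Mandatory)][bool]$OAuth2ClientProfileEnabled
    )
    @(
        [pscustomobject]@{
            Rule = 'Microsoft 365 Audit Log Search Is Enabled'
            Pass = $UnifiedAuditLogIngestionEnabled
            Fix  = 'Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
        }
        [pscustomobject]@{
            Rule = "'AuditDisabled' Organizationally is Set to 'False'"
            Pass = -not $AuditDisabled
            Fix  = 'Set-OrganizationConfig -AuditDisabled $false'
        }
        [pscustomobject]@{
            Rule = 'SMTP AUTH Is Disabled'
            Pass = $SmtpClientAuthenticationDisabled
            Fix  = 'Set-TransportConfig -SmtpClientAuthenticationDisabled $true'
        }
        [pscustomobject]@{
            Rule = 'Modern Authentication for Exchange Online Is Enabled'
            Pass = $OAuth2ClientProfileEnabled
            Fix  = 'Set-OrganizationConfig -OAuth2ClientProfileEnabled $true'
        }
    )
}

function Get-ExoTenantAuthAndAuditResults {
    # Live run: these three cmdlets are where Exchange Online exposes the settings.
    $org   = Get-OrganizationConfig
    $audit = Get-AdminAuditLogConfig
    $tc    = Get-TransportConfig
    Test-ExoTenantAuthAndAudit `
        -UnifiedAuditLogIngestionEnabled ([bool]$audit.UnifiedAuditLogIngestionEnabled) `
        -AuditDisabled ([bool]$org.AuditDisabled) `
        -SmtpClientAuthenticationDisabled ([bool]$tc.SmtpClientAuthenticationDisabled) `
        -OAuth2ClientProfileEnabled ([bool]$org.OAuth2ClientProfileEnabled)
}

function Get-SmtpAuthMailboxExceptions {
    # Caveat beyond the org-level rule: the per-mailbox value is tri-state (blank = inherit,
    # $true, $false); an explicit $false re-enables SMTP AUTH for that one mailbox even when
    # the tenant setting has it disabled.
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
        Select-Object Identity, SmtpClientAuthenticationDisabled
}

# Constructed input representing a tenant that has left SMTP AUTH on (not a live read).
Test-ExoTenantAuthAndAudit -UnifiedAuditLogIngestionEnabled $true -AuditDisabled $false `
    -SmtpClientAuthenticationDisabled $false -OAuth2ClientProfileEnabled $true |
    Format-Table Rule, Pass, Fix -AutoSize
# Three rules pass; "SMTP AUTH Is Disabled" fails and shows the cmdlet that remediates it.
```

After fixing the tenant-level setting, run Get-SmtpAuthMailboxExceptions as well; a mailbox with an explicit per-mailbox override keeps basic SMTP authentication open regardless of the org value.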
Users Dialing in Can't Bypass the Lobby
The system retrieves the Teams meeting policies from Microsoft Teams.
- Pass Condition: The setting for “Allow PSTN Users To Bypass Lobby” is set to “False.”
- Fail Condition: The setting for “Allow PSTN Users To Bypass Lobby” is set to “True.”
'Per-User MFA' Is Disabled
The system retrieves a list of the users with per-user MFA enabled.
Note: You should only turn off per-user MFA if another method of MFA enforcement is active such as Security Defaults or Conditional Access policies.
- Pass Condition: Per-user MFA is disabled for all users.
- Fail Condition: Per-user MFA is enabled for any user.
Administrative Accounts Are Cloud-Only
The system retrieves a list of any hybrid accounts with administrator permissions from Microsoft Entra ID.
- Pass Condition: No hybrid administrative accounts are found.
- Fail Condition: One or more hybrid administrative accounts are found.
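The four account rules that work from the same Global Administrator list ("Tenant Has Between Two and Four Global Admins", "Administrative Accounts Use Licenses With Reduced Footprint", "Two Emergency Access Accounts Are Defined" and "Administrative Accounts Are Cloud-Only") can be evaluated in one pass. The PowerShell below is an added example, not code from the original page or product: it reads the role members through Microsoft Graph, reduces each one to the three properties the rules need (UPN suffix, directory sync state, assigned SKUs), and evaluates all four rules. It assumes the Microsoft.Graph module with a Connect-MgGraph session holding RoleManagement.Read.Directory, User.Read.All and Organization.Read.All, that Entra ID P1/P2 are identified by the SKU part numbers AAD_PREMIUM and AAD_PREMIUM_P2, and that direct role membership is what counts (group-based or PIM-eligible assignments are not expanded). The sample accounts at the end are constructed.

```powershell
# Added example, not the page's own code. Assumes the Microsoft.Graph module and
# Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','User.Read.All','Organization.Read.All'.
$ReducedFootprintSkus = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')   # Entra ID P1 / P2 SKU part numbers (assumption)

function Get-GlobalAdminUsers {
    # Live read: direct members of the Global Administrator role, expanded to user objects.
    # Assumption: group-based and PIM-eligible assignments are out of scope for this example.
    $role = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq 'Global Administrator' }
    if (-not $role) { return @() }
    $skuNames = @{}
    Get-MgSubscribedSku | ForEach-Object { $skuNames["$($_.SkuId)"] = $_.SkuPartNumber }
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        if ($_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { return }   # skip groups, SPs
        $u = Get-MgUser -UserId $_.Id -Property Id,UserPrincipalName,OnPremisesSyncEnabled,AssignedLicenses
        [pscustomobject]@{
            UserPrincipalName     = $u.UserPrincipalName
            OnPremisesSyncEnabled = [bool]$u.OnPremisesSyncEnabled   # $null (cloud-only) becomes $false
            Skus                  = @($u.AssignedLicenses | ForEach-Object { $skuNames["$($_.SkuId)"] })
        }
    }
}

function Test-AdminAccountRules {
    # Pure evaluation over simple objects so it can run on the constructed sample below.
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Admins)
    $count = $Admins.Count
    $emergency = @($Admins | Where-Object {
        $_.UserPrincipalName -like '*.onmicrosoft.com' -and -not $_.OnPremisesSyncEnabled -and $_.Skus.Count -eq 0
    })
    $badLicense = @($Admins | Where-Object {
        @($_.Skus | Where-Object { $ReducedFootprintSkus -notcontains $_ }).Count -gt 0
    })
    $hybrid = @($Admins | Where-Object { $_.OnPremisesSyncEnabled })
    @(
        [pscustomobject]@{ Rule = 'Tenant Has Between Two and Four Global Admins'
                           Pass = ($count -ge 2 -and $count -le 4); Detail = "$count Global Admins" }
        [pscustomobject]@{ Rule = 'Administrative Accounts Use Licenses With Reduced Footprint'
                           Pass = ($badLicense.Count -eq 0); Detail = ($badLicense.UserPrincipalName -join ', ') }
        [pscustomobject]@{ Rule = 'Two Emergency Access Accounts Are Defined'
                           Pass = ($emergency.Count -ge 2); Detail = ($emergency.UserPrincipalName -join ', ') }
        [pscustomobject]@{ Rule = 'Administrative Accounts Are Cloud-Only'
                           Pass = ($hybrid.Count -eq 0); Detail = ($hybrid.UserPrincipalName -join ', ') }
    )
}

# Constructed sample (no real tenant): three Global Admins, one of them synced from on-premises.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'breakglass1@contoso.onmicrosoft.com'; OnPremisesSyncEnabled = $false; Skus = @() }
    [pscustomobject]@{ UserPrincipalName = 'breakglass2@contoso.onmicrosoft.com'; OnPremisesSyncEnabled = $false; Skus = @() }
    [pscustomobject]@{ UserPrincipalName = 'adm-alice@contoso.example';            OnPremisesSyncEnabled = $true;  Skus = @('SPB') }
)
Test-AdminAccountRules -Admins $sample | Format-Table Rule, Pass, Detail -AutoSize
# The count and emergency-account rules pass; the license and cloud-only rules fail on adm-alice.
```

For a live tenant, pipe Get-GlobalAdminUsers into Test-AdminAccountRules. Note that the emergency-account test is the strict conjunction the page lists: an account on the primary domain fails it even when it is cloud-only, unlicensed and a Global Administrator, which is the failure the Tip under that rule describes.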
Security Defaults Are Appropriately Configured
The system retrieves the Security Defaults state from Microsoft Entra ID and checks the tenant’s subscription type (Business Premium) to determine if Conditional Access policies are available.
- Pass Conditions (either of the following):
- Security Defaults are enabled and the tenant has a Business Standard or lower license.
- Security Defaults are disabled and the tenant has a Business Premium or higher license.
- Fail Conditions (either of the following):
- Security Defaults are disabled and the tenant has a Business Standard or lower license.
- Security Defaults are enabled and the tenant has a Business Premium or higher license.
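The Security Defaults rule above is an exclusive-or: exactly one of "Security Defaults are on" and "Conditional Access is available" should be true. The PowerShell below is an added example, not code from the original page or product, that encodes the rule that way and also lists the accounts the preceding "'Per-User MFA' Is Disabled" rule flags, since the note under that rule ties the two together. It assumes the Microsoft.Graph module (Connect-MgGraph with Policy.Read.All, Organization.Read.All and User.Read.All), that Conditional Access counts as available when any subscribed SKU carries an AAD_PREMIUM or AAD_PREMIUM_P2 service plan (Business Premium, Microsoft 365 E3/E5, EMS, or Entra ID P1/P2 itself), and, for the per-user MFA part, the Microsoft.Graph.Beta.Identity.SignIns module. The inputs at the end are constructed.

```powershell
# Added example, not the page's own code. Assumes Microsoft.Graph (Connect-MgGraph -Scopes
# 'Policy.Read.All','Organization.Read.All','User.Read.All') and, for per-user MFA,
# the Microsoft.Graph.Beta.Identity.SignIns module.
function Test-SecurityDefaultsRule {
    # Exclusive-or: Security Defaults should be on exactly when Conditional Access is not available.
    param(
        [Parameter(Mandatory)][bool]$SecurityDefaultsEnabled,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$ServicePlanNames   # from all subscribed SKUs
    )
    # Assumption for this example: an Entra ID P1 or P2 service plan in any SKU means Conditional
    # Access is available (Business Premium and Microsoft 365 E3/E5 both carry one).
    $hasConditionalAccess = @($ServicePlanNames | Where-Object { $_ -in 'AAD_PREMIUM', 'AAD_PREMIUM_P2' }).Count -gt 0
    $pass = $SecurityDefaultsEnabled -xor $hasConditionalAccess
    $detail = if ($hasConditionalAccess) { 'Entra ID P1/P2 present: use Conditional Access, Security Defaults off' } else { 'no Entra ID P1/P2: keep Security Defaults on' }
    [pscustomobject]@{
        Rule = 'Security Defaults Are Appropriately Configured'; Pass = $pass
        SecurityDefaultsEnabled = $SecurityDefaultsEnabled; ConditionalAccessAvailable = $hasConditionalAccess; Detail = $detail
    }
}

function Get-SecurityDefaultsRuleResult {
    # Live run: the enforcement policy carries IsEnabled; service plans come from the subscribed SKUs.
    $sd    = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    $plans = Get-MgSubscribedSku | ForEach-Object { $_.ServicePlans.ServicePlanName }
    Test-SecurityDefaultsRule -SecurityDefaultsEnabled ([bool]$sd.IsEnabled) -ServicePlanNames @($plans)
}

function Get-PerUserMfaUsers {
    # Users whose legacy per-user MFA state is 'enabled' or 'enforced'; the per-user MFA rule
    # passes when this returns nothing. Assumption: the beta authenticationRequirement resource
    # exposed by Get-MgBetaUserAuthenticationRequirement as PerUserMfaState.
    Get-MgUser -All -Property Id,UserPrincipalName | ForEach-Object {
        $req = Get-MgBetaUserAuthenticationRequirement -UserId $_.Id
        if ($req.PerUserMfaState -in 'enabled', 'enforced') {
            [pscustomobject]@{ UserPrincipalName = $_.UserPrincipalName; PerUserMfaState = $req.PerUserMfaState }
        }
    }
}

# Constructed inputs (no live tenant): the four combinations the rule distinguishes.
Test-SecurityDefaultsRule -SecurityDefaultsEnabled $true  -ServicePlanNames @('EXCHANGE_S_STANDARD')                 # pass
Test-SecurityDefaultsRule -SecurityDefaultsEnabled $false -ServicePlanNames @('EXCHANGE_S_ENTERPRISE', 'AAD_PREMIUM')  # pass
Test-SecurityDefaultsRule -SecurityDefaultsEnabled $false -ServicePlanNames @('EXCHANGE_S_STANDARD')                 # fail
Test-SecurityDefaultsRule -SecurityDefaultsEnabled $true  -ServicePlanNames @('AAD_PREMIUM_P2')                      # fail
```

Before turning per-user MFA off for the accounts Get-PerUserMfaUsers returns, confirm that Get-SecurityDefaultsRuleResult passes: that is the check that some other MFA enforcement (Security Defaults or Conditional Access) is actually in place.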
'AuditBypassEnabled' Is Not Enabled on Mailboxes
The system retrieves a list of mailboxes from Exchange Online with audit bypass set to true.
- Pass Condition: All mailboxes have the setting “AuditBypassEnabled” set to “False.”
- Fail Condition: Any mailboxes have the setting “AuditBypassEnabled” set to “True.”
Anonymous Users and Dial-in Callers Can't Start a Meeting
The system retrieves the “anonymous users and dial-in callers can start a meeting” status from Microsoft Teams.
- Pass Condition: The Teams setting “anonymous users and dial-in callers can start a meeting” setting is set to “Off.”
- Fail Condition: The Teams setting “anonymous users and dial-in callers can start a meeting” setting is set to “On.”
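The five Teams rules on this page ("Only People in My Org Can Bypass the Lobby", "External Teams Users Cannot Initiate Conversations", "External Participants Can't Give or Request Control", "Users Dialing in Can't Bypass the Lobby" and "Anonymous Users and Dial-in Callers Can't Start a Meeting") read two objects: the Teams meeting policy and the tenant federation configuration. The PowerShell below is an added example, not code from the original page or product. It evaluates every meeting policy rather than only Global, because a custom policy assigned to some users overrides Global for them, and maps the admin-center wording to the underlying property names. It assumes the MicrosoftTeams module (Connect-MicrosoftTeams) and that the "External users with Teams accounts not managed by an organization can contact users in my organization" setting is the AllowTeamsConsumerInbound property of Get-CsTenantFederationConfiguration. The policy objects at the end are constructed.

```powershell
# Added example, not the page's own code. Assumes the MicrosoftTeams module and Connect-MicrosoftTeams.
function Test-TeamsMeetingPolicyRules {
    # Evaluates the four meeting-policy rules against one policy object (Global or a custom Tag:* policy).
    param([Parameter(Mandatory)]$Policy)
    $id = "$($Policy.Identity)"
    @(
        [pscustomobject]@{ Policy = $id; Rule = 'Only People in My Org Can Bypass the Lobby'
                           Pass = ($Policy.AutoAdmittedUsers -eq 'EveryoneInCompanyExcludingGuests'); Value = $Policy.AutoAdmittedUsers }
        [pscustomobject]@{ Policy = $id; Rule = "External Participants Can't Give or Request Control"
                           Pass = ($Policy.AllowExternalParticipantGiveRequestControl -eq $false); Value = $Policy.AllowExternalParticipantGiveRequestControl }
        [pscustomobject]@{ Policy = $id; Rule = "Users Dialing in Can't Bypass the Lobby"
                           Pass = ($Policy.AllowPSTNUsersToBypassLobby -eq $false); Value = $Policy.AllowPSTNUsersToBypassLobby }
        [pscustomobject]@{ Policy = $id; Rule = "Anonymous Users and Dial-in Callers Can't Start a Meeting"
                           Pass = ($Policy.AllowAnonymousUsersToStartMeeting -eq $false); Value = $Policy.AllowAnonymousUsersToStartMeeting }
    )
}

function Test-TeamsExternalAccessRule {
    param([Parameter(Mandatory)]$FederationConfig)
    # Assumption: AllowTeamsConsumerInbound backs the admin-center setting "External users with
    # Teams accounts not managed by an organization can contact users in my organization".
    [pscustomobject]@{ Policy = 'Tenant'; Rule = 'External Teams Users Cannot Initiate Conversations'
                       Pass = ($FederationConfig.AllowTeamsConsumerInbound -eq $false); Value = $FederationConfig.AllowTeamsConsumerInbound }
}

function Get-TeamsRuleResults {
    # Live run over every meeting policy, since a custom policy overrides Global for its users.
    Get-CsTeamsMeetingPolicy | ForEach-Object { Test-TeamsMeetingPolicyRules -Policy $_ }
    Test-TeamsExternalAccessRule -FederationConfig (Get-CsTenantFederationConfiguration)
}

# Constructed policy objects (not a live tenant): Global is hardened, a custom policy is not.
$globalPolicy = [pscustomobject]@{ Identity = 'Global'; AutoAdmittedUsers = 'EveryoneInCompanyExcludingGuests'
    AllowExternalParticipantGiveRequestControl = $false; AllowPSTNUsersToBypassLobby = $false; AllowAnonymousUsersToStartMeeting = $false }
$customPolicy = [pscustomobject]@{ Identity = 'Tag:OpenMeetings'; AutoAdmittedUsers = 'Everyone'
    AllowExternalParticipantGiveRequestControl = $true; AllowPSTNUsersToBypassLobby = $true; AllowAnonymousUsersToStartMeeting = $false }
$federation = [pscustomobject]@{ AllowTeamsConsumerInbound = $true }

@($globalPolicy, $customPolicy) | ForEach-Object { Test-TeamsMeetingPolicyRules -Policy $_ }
Test-TeamsExternalAccessRule -FederationConfig $federation
# Global passes all four; Tag:OpenMeetings fails three of them; the external-access rule fails.
```

A tenant can have a compliant Global policy and still expose meetings through a custom policy, so the per-policy output is the one worth reading; Value shows the raw setting so a policy that uses a third AutoAdmittedUsers value (neither the pass nor the fail value the page names) is visible rather than silently counted as a failure.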
Sign-in to Shared Mailboxes Is Blocked
The system gathers shared mailbox statuses from Exchange Online.
- Pass Condition: All shared mailboxes are set to block user sign-in.
- Fail Condition: Any shared mailbox is set to allow user sign-in.
DKIM Is Enabled for All Exchange Online Domains
The system validates that DKIM has been enabled using Get-DkimSigningConfig (Exchange Online PowerShell).
- Pass Condition: All domains have DKIM Enabled set to “True.”
- Fail Condition: Any domain has DKIM Enabled set to “False.”
Tip: Non-accepted and/or removed domains are not set up with DKIM. However, Microsoft 365 still recognizes these domains as missing DKIM (validate with Get-DkimSigningConfig).
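The three mailbox-level rules on this page ("'AuditBypassEnabled' Is Not Enabled on Mailboxes", "Sign-in to Shared Mailboxes Is Blocked" and "DKIM Is Enabled for All Exchange Online Domains") are evaluated by the added PowerShell below, which is not code from the original page or product. The DKIM part handles the Tip above directly: it only judges domains that are still accepted, and reports lingering Get-DkimSigningConfig entries for removed domains separately instead of failing on them. It assumes an Exchange Online session (Connect-ExchangeOnline) and that the AccountDisabled property of Get-User reflects the Entra ID block-sign-in state; the DKIM input at the end is constructed.

```powershell
# Added example, not the page's own code. Assumes an Exchange Online session (Connect-ExchangeOnline).
function Get-MailboxAuditBypassRuleResult {
    # Any mailbox or user with an audit bypass association set to $true fails the rule.
    $bypassed = @(Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
        Where-Object { $_.AuditBypassEnabled -eq $true })
    [pscustomobject]@{ Rule = "'AuditBypassEnabled' Is Not Enabled on Mailboxes"; Pass = ($bypassed.Count -eq 0)
                       Detail = ($bypassed.Identity -join ', ')
                       Fix = 'Set-MailboxAuditBypassAssociation -Identity <id> -AuditBypassEnabled $false' }
}

function Get-SharedMailboxSignInRuleResult {
    # Assumption: Get-User's AccountDisabled mirrors the Entra ID "block sign-in" state, so a
    # shared mailbox whose account is not disabled is one a user could sign in to.
    $open = @(Get-User -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
        Where-Object { $_.AccountDisabled -ne $true })
    [pscustomobject]@{ Rule = 'Sign-in to Shared Mailboxes Is Blocked'; Pass = ($open.Count -eq 0)
                       Detail = ($open.UserPrincipalName -join ', ')
                       Fix = 'Block sign-in in Entra ID (Update-MgUser -UserId <id> -AccountEnabled:$false)' }
}

function Test-DkimRule {
    # Pure evaluation: only accepted domains count; entries for removed domains are reported
    # separately because Get-DkimSigningConfig still lists them (see the Tip above).
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$DkimConfigs,   # objects with Domain, Enabled
        [Parameter(Mandatory)][string[]]$AcceptedDomains
    )
    $configured = @($DkimConfigs | ForEach-Object { "$($_.Domain)" })
    $accepted   = @($DkimConfigs | Where-Object { $AcceptedDomains -contains "$($_.Domain)" })
    $stale      = @($DkimConfigs | Where-Object { $AcceptedDomains -notcontains "$($_.Domain)" })
    $disabled   = @($accepted | Where-Object { -not $_.Enabled })
    $noConfig   = @($AcceptedDomains | Where-Object { $configured -notcontains $_ })   # accepted but never configured
    [pscustomobject]@{
        Rule = 'DKIM Is Enabled for All Exchange Online Domains'
        Pass = ($disabled.Count -eq 0 -and $noConfig.Count -eq 0)
        Disabled = ($disabled.Domain -join ', '); NoConfig = ($noConfig -join ', '); StaleEntries = ($stale.Domain -join ', ')
        Fix = 'Set-DkimSigningConfig -Identity <domain> -Enabled $true (New-DkimSigningConfig -DomainName <domain> -Enabled $true when no config exists)'
    }
}

function Get-DkimRuleResult {
    # Live run: accepted domains from Get-AcceptedDomain, signing state from Get-DkimSigningConfig.
    $acceptedDomains = @(Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" })
    Test-DkimRule -DkimConfigs @(Get-DkimSigningConfig) -AcceptedDomains $acceptedDomains
}

# Constructed input (not a live tenant): one accepted domain unsigned, one removed domain lingering.
$dkim = @(
    [pscustomobject]@{ Domain = 'contoso.example';         Enabled = $true  }
    [pscustomobject]@{ Domain = 'contoso.onmicrosoft.com'; Enabled = $true  }
    [pscustomobject]@{ Domain = 'fabrikam.example';        Enabled = $false }
    [pscustomobject]@{ Domain = 'old-brand.example';       Enabled = $false }   # no longer an accepted domain
)
Test-DkimRule -DkimConfigs $dkim -AcceptedDomains @('contoso.example', 'contoso.onmicrosoft.com', 'fabrikam.example')
# Fails because fabrikam.example is disabled; old-brand.example appears only under StaleEntries.
```

Enabling DKIM for a domain also requires the two selector CNAME records (selector1 and selector2) in that domain's DNS; Set-DkimSigningConfig reports an error if they are not resolvable, which is a second reason this rule stays failed after the cmdlet has been run.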