CISA Releases Finalized Microsoft 365 Configuration Baselines

The Cybersecurity and Infrastructure Security Agency has released the final version of its Microsoft 365 configuration baselines alongside a new tool to support baseline implementation.

The Secure Configurations for Microsoft 365 Version 1.0 builds on hundreds of comments CISA solicited in October and pilots conducted to identify advanced cloud security practices and test the baseline configurations. The first version includes baseline configurations for seven Microsoft 365 offerings, including Microsoft Teams, Azure Active Directory and Exchange Online, CISA said Thursday.

The configuration set was released alongside the launch of ScubaGear, which helps organizations assess their Microsoft 365 services against recommended policies. It is designed to make configuration implementation easier for organizations.

The finalized Microsoft 365 configurations were released nearly a week after CISA released new tools that set baseline configurations for Google applications. According to Chad Poland, manager for cyber shared services at CISA, the tools cover most Google software-as-a-service offerings and are designed to prevent misconfigurations and unauthorized access.

CISA is accepting feedback for the Google toolkit until Jan. 12.