Best Practice Templates

Discover what's inside the CIPP Best Practices Reports: key standards including password policies, OAuth consent, audit logs, MFA, and Secure Score insights for enhanced Microsoft 365 compliance.

Last updated 5 months ago

CIPP Best Practices: Tenant and Table Views

The CIPP Best Practices v1.0 Tenant View provides a high-level summary of individual tenant configurations. The v1.5 Table View builds on this by offering detailed metrics and enables multi-tenant comparisons. Together, these views create a comprehensive framework for assessing and enhancing security within Microsoft


v1.0 - Tenant View Checks Included

Purpose: Designed for a high-level tenant-centric overview, this template evaluates key security and compliance settings across a Microsoft 365 tenant.


Password Never Expires

  • What It Checks: Evaluates whether the tenant's password policy forces passwords to expire.

  • Expected Setting: No.

  • Why It Matters: Prevents insecure, static password use over long durations.

This check reports whether the tenant has configured passwords to expire. Current research strongly indicates that mandated password changes do more harm than good. Both the United Kingdom's National Cyber Security Centre (NCSC) and the United States' National Institute of Standards and Technology (NIST) recommend that timed password expiry is not used. Having password expiry configured triggers a red danger status, as this represents a security risk you should mitigate.


OAuth App Consent

  • What It Checks: Ensures OAuth app consent policies are configured to restrict unauthorized data access.

  • Expected Setting: Yes.

Allowing users to consent to applications can pose a security risk that needs mitigation. This best practice advises against permitting users to grant consent to apps that use OpenID Connect or OAuth for sign-in and data access without administrative review. These applications may be created within your organization, by another Office 365 organization, or by third-party vendors. To enhance security, ensure that only administrators can approve app consents.


Unified Audit Log

  • What It Checks: Verifies if tenant-level audit logging is enabled.

  • Expected Setting: Yes.

The Unified Audit Log is the primary logging mechanism in Microsoft 365, covering activities for users, groups, applications, domains, and directories. Enabling audit logging is essential for compliance, security monitoring, and incident response.


MFA Registration Campaign

  • What It Checks: Assesses if MFA registration nudges are enabled to encourage multi-factor authentication adoption.

  • Expected Setting: Yes.

Multi-Factor Authentication (MFA) is one of the most effective security measures to protect accounts from unauthorized access. Enabling the MFA registration campaign ensures users are encouraged to adopt MFA consistently.


Secure Defaults State

  • What It Checks: Determines whether secure defaults are active, enforcing MFA and blocking legacy authentication.

  • Expected Setting: Yes (or No if Conditional Access policies are in use).

Modern authentication is a crucial security feature in Microsoft 365. It supports advanced authentication methods, including Multi-Factor Authentication (MFA), smart cards, and third-party providers via Security Assertion Markup Language (SAML). Without enabling modern authentication, your system may be at


Anonymous Privacy Reports

  • What It Checks: Verifies if user privacy settings enable anonymized data reporting, potentially limiting detailed insights.

  • Expected Setting: Disabled.


Message Copy for Sent-As Disabled

  • What It Checks: Identifies mailboxes where sent-as copies are not saved.

  • Why It Matters: Retaining sent-as copies ensures auditing and accountability.

Delegated access allows an assistant to manage a manager's calendar and mailbox, often requiring the "Send As" or "On Behalf Of" permissions. When an assistant sends an email from a manager's account, the sent items by default are saved only in the assistant's mailbox, which may trigger an orange warning indicating best practice violations.

To ensure sent items are saved in both the assistant's and manager's mailboxes, it's possible to enable message copy for "Sent As" actions in Microsoft 365. This ensures that all sent emails are automatically stored in the shared or delegated mailbox, aligning with optimal practices for managing shared accounts.


Shared Mailboxes with Enabled Users

  • What It Checks: Flags shared mailboxes with active user accounts attached, which could pose security risks.

Having shared mailboxes still linked to active user accounts can create a security risk. This situation arises when shared mailboxes, which should not have an enabled login, are associated with accounts that can still sign in. Commonly, this occurs after an employee leaves an organization: their account is converted to a shared mailbox and the user license is removed to cut costs. However, even after changing the password, the account remains enabled and linked to the mailbox, posing a potential security threat.
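The two shared-mailbox checks above ("Message Copy for Sent-As Disabled" and "Shared Mailboxes with Enabled Users") can be reproduced from the mailbox properties Exchange Online exposes and the account's `accountEnabled` flag in Entra ID. The following PowerShell is an added example, not CIPP's own code: it evaluates constructed sample objects shaped like `Get-EXOMailbox` output and reports a finding with the corresponding remediation cmdlet. The mailbox addresses and object IDs are placeholders, and the lookup table of enabled accounts stands in for a Graph query.

```powershell
# Added example (not CIPP's own code). Evaluates the two shared-mailbox checks
# against objects shaped like Exchange Online and Graph output. The sample data
# below is CONSTRUCTED; the commented cmdlets show where the live values come from
# (requires Connect-ExchangeOnline and Connect-MgGraph).

function Get-SharedMailboxFindings {
    param(
        [Parameter(Mandatory)][object[]]$SharedMailboxes,    # Get-EXOMailbox objects
        [Parameter(Mandatory)][hashtable]$AccountEnabledById # objectId -> $true/$false from Graph
    )
    foreach ($mbx in $SharedMailboxes) {
        # Check 1: "Message Copy for Sent-As Disabled". Both copy flags should be on so
        # delegated sends are kept in the shared mailbox's Sent Items as well.
        if (-not ($mbx.MessageCopyForSentAsEnabled -and $mbx.MessageCopyForSendOnBehalfEnabled)) {
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Finding  = 'Sent-As / Send-On-Behalf copies are not retained'
                Severity = 'Warning'
                Fix      = "Set-Mailbox -Identity '$($mbx.PrimarySmtpAddress)' -MessageCopyForSentAsEnabled `$true -MessageCopyForSendOnBehalfEnabled `$true"
            }
        }
        # Check 2: "Shared Mailboxes with Enabled Users". A shared mailbox should not
        # sit on an account that can still sign in.
        if ($AccountEnabledById[$mbx.ExternalDirectoryObjectId]) {
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Finding  = 'Shared mailbox account is sign-in enabled'
                Severity = 'Danger'
                Fix      = "Update-MgUser -UserId '$($mbx.ExternalDirectoryObjectId)' -AccountEnabled:`$false"
            }
        }
    }
}

# Live data would be gathered like this:
#   $shared = Get-EXOMailbox -RecipientTypeDetails SharedMailbox `
#       -Properties MessageCopyForSentAsEnabled,MessageCopyForSendOnBehalfEnabled,ExternalDirectoryObjectId
#   $enabled = @{}
#   foreach ($m in $shared) {
#       $enabled[$m.ExternalDirectoryObjectId] =
#           (Get-MgUser -UserId $m.ExternalDirectoryObjectId -Property AccountEnabled).AccountEnabled
#   }

# Constructed sample: one compliant mailbox, one with both problems.
$shared = @(
    [pscustomobject]@{
        PrimarySmtpAddress = 'reception@contoso.example'
        ExternalDirectoryObjectId = '00000000-0000-0000-0000-000000000001'
        MessageCopyForSentAsEnabled = $true
        MessageCopyForSendOnBehalfEnabled = $true
    },
    [pscustomobject]@{
        PrimarySmtpAddress = 'jdoe@contoso.example'
        ExternalDirectoryObjectId = '00000000-0000-0000-0000-000000000002'
        MessageCopyForSentAsEnabled = $false
        MessageCopyForSendOnBehalfEnabled = $false
    }
)
$enabled = @{
    '00000000-0000-0000-0000-000000000001' = $false  # correctly disabled after conversion
    '00000000-0000-0000-0000-000000000002' = $true   # ex-employee conversion left the account enabled
}

Get-SharedMailboxFindings -SharedMailboxes $shared -AccountEnabledById $enabled |
    Format-List Mailbox, Finding, Severity, Fix
```

With the sample input, `reception@contoso.example` produces no findings, while `jdoe@contoso.example` produces both a warning for the missing message copies and a danger finding for the enabled account. The `Fix` column is emitted as text rather than executed so the output can be reviewed before any change is made.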


Unused Licenses

  • What It Checks: Reports on licenses purchased but not assigned, highlighting opportunities for cost optimization.


Secure Score

  • What It Displays: The tenant’s Microsoft Secure Score, which reflects adherence to best practices.

  • Why It Matters: Provides a quantifiable measure of security posture and areas needing improvement.


v1.5 - Table View

Purpose: Provides a detailed, table-oriented view of best practice checks for granular data reporting.


Key Features:

  • Mirrors the tenant-centric checks from v1.0 Tenant View.

  • Includes API-level configurations for extracting detailed metrics.

  • Designed for multi-tenant comparisons and operational insight.


Additional Metrics:

  1. Current Secure Score:

    • Displays as a percentage for easier benchmarking.

  2. Average Comparative Scores:

    • Benchmarks tenant scores against industry and size-based averages.


Data Sources:

  • Microsoft Graph API:

    • Purpose: Pulls tenant configurations like passwordValidityPeriodInDays.

    • Benefit: Facilitates evaluations of password policies and similar critical settings.

  • Exchange PowerShell:

    • Purpose: Verifies Exchange Online properties like UnifiedAuditLogIngestionEnabled.

    • Benefit: Ensures compliance with audit logging requirements.

  • Custom CIPP Functions:

    • Purpose: Extracts metrics like license usage and Secure Scores using tailored commands (e.g., Get-CIPPLicenseOverview).

    • Benefit: Provides actionable insights for tenant optimization.
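To show how the raw values from these data sources map onto the report statuses, here is an added PowerShell example that is not CIPP's own code. It evaluates the "Password Never Expires", "Unified Audit Log" and "Unused Licenses" checks against constructed objects shaped like the Graph `domains` and `subscribedSkus` responses and the Exchange Online `Get-AdminAuditLogConfig` output. The domain names, SKU counts and the default exclusion list of free SKUs are assumptions for the sample; the status labels follow the red/orange convention described on this page.

```powershell
# Added example (not CIPP's own code). Each function takes the raw objects the page
# names as a data source and returns a Check/Status/Detail record. The sample
# objects at the bottom are CONSTRUCTED; live values would come from
#   Invoke-MgGraphRequest -Uri 'https://graph.microsoft.com/v1.0/domains'
#   Get-AdminAuditLogConfig
#   Invoke-MgGraphRequest -Uri 'https://graph.microsoft.com/v1.0/subscribedSkus'

# Graph reports "passwords never expire" for a domain with this sentinel value.
$NeverExpires = 2147483647

function Test-PasswordNeverExpires {
    param([Parameter(Mandatory)][object[]]$Domains)
    # A verified domain with a finite validity period means expiry is enforced,
    # which the report flags as a red danger status.
    $expiring = @($Domains | Where-Object {
        $_.isVerified -and $_.passwordValidityPeriodInDays -lt $NeverExpires
    })
    [pscustomobject]@{
        Check  = 'Password Never Expires'
        Status = if ($expiring.Count -gt 0) { 'Danger' } else { 'Pass' }
        Detail = if ($expiring.Count -gt 0) { ($expiring.id -join ', ') + ' enforce password expiry' }
                 else { 'No verified domain enforces password expiry' }
    }
}

function Test-UnifiedAuditLog {
    param([Parameter(Mandatory)][object]$AuditConfig)
    # Mirrors the Exchange PowerShell property the page names.
    [pscustomobject]@{
        Check  = 'Unified Audit Log'
        Status = if ($AuditConfig.UnifiedAuditLogIngestionEnabled) { 'Pass' } else { 'Danger' }
        Detail = "UnifiedAuditLogIngestionEnabled = $($AuditConfig.UnifiedAuditLogIngestionEnabled)"
    }
}

function Test-UnusedLicenses {
    param(
        [Parameter(Mandatory)][object[]]$SubscribedSkus,
        # Free SKUs to skip; this default list is an assumption for the sample, not CIPP's.
        [string[]]$ExcludedSkuPartNumbers = @('FLOW_FREE', 'TEAMS_EXPLORATORY')
    )
    # Purchased (prepaidUnits.enabled) minus consumedUnits; a positive gap is unused.
    $unused = @(foreach ($sku in $SubscribedSkus) {
        if ($sku.skuPartNumber -in $ExcludedSkuPartNumbers) { continue }
        $spare = $sku.prepaidUnits.enabled - $sku.consumedUnits
        if ($spare -gt 0) {
            [pscustomobject]@{ Sku = $sku.skuPartNumber; Unused = $spare }
        }
    })
    [pscustomobject]@{
        Check  = 'Unused Licenses'
        Status = if ($unused.Count -gt 0) { 'Warning' } else { 'Pass' }
        Detail = if ($unused.Count -gt 0) { ($unused | ForEach-Object { "$($_.Sku): $($_.Unused) unused" }) -join '; ' }
                 else { 'All purchased licenses are assigned' }
    }
}

# --- Constructed sample input shaped like the real responses ---
$domains = @(
    [pscustomobject]@{ id = 'contoso.example'; isVerified = $true; passwordValidityPeriodInDays = 90 },
    [pscustomobject]@{ id = 'contoso.onmicrosoft.example'; isVerified = $true; passwordValidityPeriodInDays = $NeverExpires }
)
$auditConfig = [pscustomobject]@{ UnifiedAuditLogIngestionEnabled = $true }
$skus = @(
    [pscustomobject]@{ skuPartNumber = 'SPB';       prepaidUnits = @{ enabled = 25 };    consumedUnits = 22 },
    [pscustomobject]@{ skuPartNumber = 'FLOW_FREE'; prepaidUnits = @{ enabled = 10000 }; consumedUnits = 3 }
)

@(
    Test-PasswordNeverExpires -Domains $domains
    Test-UnifiedAuditLog      -AuditConfig $auditConfig
    Test-UnusedLicenses       -SubscribedSkus $skus
) | Format-Table Check, Status, Detail -AutoSize
```

With the sample data the first check returns `Danger` because `contoso.example` has a 90-day validity period, the audit-log check passes, and the license check returns `Warning` for three unassigned `SPB` seats while the free `FLOW_FREE` SKU is skipped, matching the exclusion of free licenses described under "Unused Licenses".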


Feature Requests / Ideas

Enabling privacy in reports is a subjective decision that often results in an orange warning status because of the reporting challenges it introduces. For detailed and accurate reporting, disabling this feature is recommended, as identifiable report data has security benefits. However, in many Microsoft 365 reports and APIs, Microsoft has been pseudonymizing user-level information by default to protect user privacy and ensure compliance with local privacy laws.

Unused licenses trigger an orange warning status. You can click the badge in this column to view these licenses. This feature checks all licenses in every tenant by comparing the purchased number to the consumed number. A discrepancy indicates you may be paying for licenses that are not in use. Free licenses and trials are excluded from this check. If you have additional licenses or SKUs you believe should be excluded, please raise a feature request in GitHub.

We value your feedback and ideas. Please raise any feature requests on GitHub.
