Edit Standards
Apply pre-defined standards to your Microsoft 365 CSP tenants.
A standard with Remediate applies actual configuration to the selected tenant, not just monitoring.
Note that by default, Standards aren't applied to any tenants upon setup / configuration of CIPP. Applying any standard should only be undertaken with full understanding of the effects of the standard, detailed below.
The Standards page provides the ability for you to apply or reapply specific standards to your entire client base. Standards reapply to your tenants every three hours by default. If a setting covered by a standard changes, the value specified in the standard takes precedence the next time the standards apply.
Plans exist to implement more standardised options and settings, along with an alerting system supporting Remote Monitoring and Management (RMM) systems, webhooks, or e-mail.
Some of the standards are explained below:
Note that some standards may require one or more companion (Intune) policies to be set to be effective.
Deselecting an option on the standard simply means it will no longer try to apply that standard. However, it DOES NOT turn the setting off.
I.e., if you disable the setting "Enable FIDO2 capabilities", the next time the standard runs it will no longer try to turn that setting on, but if the option was already on it will not turn it off.
Be aware that if you use different settings for the ‘AllTenants’ and a single tenant when applying a standard, it might not be applied consistently. This is because standards aren’t always applied in the same order.
For example, let’s say you have a standard that allows anyone with the link to access OneDrive and SharePoint. But for a single tenant, you’ve set it so that only people in your organization can access. In this case, the access level will depend on which standard is applied last.
Meet the Standards
Low Impact: changes which have no or minimal user-facing impact.
Standard Name | PowerShell equivalent | Description |
---|---|---|
Set General Contact e-mail | Set-MsolCompanyContactInformation | This is where Microsoft sends updates about subscriptions |
Set Security Contact e-mail | Set-MsolCompanyContactInformation | Receives emails about security alerts or advisories by Microsoft |
Set Marketing Contact e-mail | Set-MsolCompanyContactInformation | Receives the e-mails related to marketing, such as new feature announcements |
Set Technical Contact e-mail | Set-MsolCompanyContactInformation | Receives emails related to possible technical issues, service disruptions, etc. |
Enable the Unified Audit Log | Enable-OrganizationCustomization | Enables the Microsoft Unified Audit Log |
Enable Customer Lockbox | Set-OrganizationConfig -CustomerLockBoxEnabled $true | Customer Lockbox ensures that Microsoft can't access your content to do service operations without your explicit approval. Customer Lockbox ensures only authorized requests allow access to your organization's data. |
Enable Mailbox auditing | Set-OrganizationConfig -AuditDisabled $false | Enables mailbox auditing on tenant level and for all mailboxes. Disables audit bypass on all mailboxes. By default, Microsoft does not enable mailbox auditing for Resource Mailboxes, Public Folder Mailboxes and DiscoverySearch Mailboxes. The Unified Audit Log needs to be enabled for this standard to function. |
Enable Usernames instead of pseudo anonymised names in reports | Portal Only | Microsoft announced that some APIs and reports no longer return names, to comply with compliance and legal requirements in specific countries. This poses a problem for a lot of MSPs because those reports are often helpful for engineers. This standard applies a setting that shows usernames in those API calls / reports. |
Restrict guest user access to directory objects | Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b' | Sets it so guests can view only their own user profile. Permission to view other users isn't allowed. Also restricts guest users from seeing the membership of groups they're in. See exactly what gets locked down in the Microsoft documentation. |
Enable LAPS on the tenant | Portal only | Enables the LAPS functionality on the tenant. Prerequisite for using Windows LAPS via Azure AD. |
Enable Phishing Protection system via branding CSS | Portal only | Adds branding to the logon page that only appears if the URL is not login.microsoftonline.com. This potentially prevents AiTM attacks via EvilNginx. This will also automatically generate alerts if a clone of your login page has been found when set to Remediate. |
Enable Passwordless with Location information and Number Matching | New-AzureADPolicy | Allows users to use Passwordless with Number Matching and adds location information from the last request |
Enable OTP via Authenticator | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Allows you to use the Microsoft Authenticator OTP token generator. Useful for using the NPS extension as MFA on VPN clients. |
Set Authenticator Lite state | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Sets the Authenticator Lite state to enabled. This allows users to use the Authenticator Lite built into the Outlook app instead of the full Authenticator app. |
Enable FIDO2 capabilities | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Enables FIDO2 capabilities for the tenant. This allows users to use FIDO2 keys like a Yubikey for authentication. |
Enable Hardware OAuth tokens | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Enables Hardware OAuth tokens for the tenant. This allows users to use hardware tokens like a Yubikey for authentication. |
Enable OTP Software OAuth tokens | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Enables OTP Software OAuth tokens for the tenant. This allows users to use OTP codes generated via software, such as a password manager, as an authentication method |
Enable Temporary Access Passwords | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Enables Temporary Password generation for the tenant |
Don't expire passwords | Portal Only | Sets passwords to never expire for the tenant; recommended to use in conjunction with secure password requirements. |
Disable M365 Tenant creation by users | Update-MgPolicyAuthorizationPolicy | Users by default are allowed to create M365 tenants. This disables that so only admins can create new M365 tenants. |
Enable App consent admin requests | Update-MgPolicyAdminConsentRequestPolicy | Enables the ability for users to request admin consent for applications. Should be used in conjunction with the "Require admin consent for applications" standards |
Enable registration campaign for the tenant | Update-MgPolicyAuthenticationMethodPolicy | Enables the registration campaign for the tenant. Nudges users to set up the Microsoft Authenticator during sign-in |
Disable registration campaign for the tenant | Update-MgPolicyAuthenticationMethodPolicy | Disables the registration campaign for the tenant, so users are no longer nudged to set up the Microsoft Authenticator during sign-in |
Disable M365 Group creation by users | Portal Only | Users by default are allowed to create M365 groups. This restricts M365 group creation to certain admin roles. This disables the ability to create Teams, SharePoint sites, Planner, etc |
Set Outbound Spam Alert e-mail | Set-HostedOutboundSpamFilterPolicy | Sets the e-mail address to which outbound spam alerts are sent. |
Enable Auto-expanding archives | Set-OrganizationConfig -AutoExpandingArchive | Enables auto-expanding archives for the tenant. Does not enable archives for users. |
Enable or disable 'external' warning in Outlook | Set-ExternalInOutlook -Enabled $true or $false | Adds or removes indicators on e-mail messages received from external senders in Outlook. You can read more about this feature on Microsoft's Exchange Team Blog. |
Enable all MailTips | Set-OrganizationConfig | Enables all MailTips in Outlook. MailTips are the notifications Outlook and Outlook on the web show when an e-mail you are composing meets certain conditions |
Disable daily Insight/Viva reports | Set-UserBriefingConfig | Disables Daily Insight reports for all users in the tenant |
Rotate DKIM keys that are 1024 bit to 2048 bit | Rotate-DkimSigningConfig | Rotates DKIM keys that are 1024 bit to 2048 bit |
Enables DKIM for all domains that currently support it | New-DkimSigningConfig | Enables DKIM for all domains that currently support it. |
Set send/receive size limits | Set-MailboxPlan | Sets the maximum send and receive size for the tenant |
Set Sharing Level for Default calendar | Set-MailboxFolderPermission | Sets the default sharing level for the default calendar for all users in the tenant. You can read about the different sharing levels here. |
Disable external calendar sharing | Get-SharingPolicy \| Set-SharingPolicy -Enabled $False | Disables external calendar sharing for the entire tenant. This is not a widely used feature, and it's therefore unlikely that this will impact users. |
Disable additional storage providers in OWA | Get-OwaMailboxPolicy \| Set-OwaMailboxPolicy -AdditionalStorageProvidersEnabled $False | Disables additional storage providers in OWA. This is to prevent users from using personal storage providers like Dropbox, Google Drive, etc. Usually this has little user impact. |
Set inactive device retirement days | Portal Only | Sets the number of days before a device is considered inactive and removed from Intune. |
Retain a deleted user OneDrive for 1 year | Portal Only | When a OneDrive user gets deleted, the personal SharePoint site is saved for 1 year and data can be retrieved from it. |
Disable App creation by users | Update-MgPolicyAuthorizationPolicy | Disables the ability for users to create applications in Entra. Done to prevent breached accounts from creating an app to maintain access to the tenant, even after the breached account has been secured. |
Lower Transport Message Expiration to 12 hours | Set-TransportConfig -MessageExpiration 12:00:00 | Expires messages in the transport queue after 12 hours. Makes the NDR for failed messages show up faster for users. Default is 24 hours. |
Medium Impact: changes which have a user impact that can be mitigated with a little communication.
Standard Name | PowerShell equivalent cmdlet | Description |
---|---|---|
Disable SMTP Basic authentication | Set-TransportConfig -SmtpClientAuthenticationDisabled $true | Disables SMTP basic authentication for the tenant and all users with it explicitly enabled. |
Enable Online Archive for all users | Enable-Mailbox -Archive $true | Enables the In-Place Online Archive for all UserMailboxes with a valid Exchange license. |
Enable 1 hour Activity based Timeout | Portal Only | Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps. |
Disable Security Group creation by users | Portal Only | Completely disables the creation of security groups by users. This also prevents users from managing their own groups or creating Teams. |
Remove Legacy MFA if SD or CA is active | Get-MsolUser \| Set-MsolUser -StrongAuthenticationRequirements $null | |
Disable Self Service Licensing | Set-MsolCompanySettings -AllowAdHocSubscriptions $false | Does not allow users to get their own licenses. This also blocks Power BI self-service and Flow self-service. |
Disable Guest accounts that have not logged on for 90 days | Graph API | Disables guest accounts that have not interactively signed in for 90 days. |
Require admin consent for applications (Prevent OAuth phishing.) | Update-MgPolicyAuthorizationPolicy | Requires users to get administrator consent before sharing data with applications. You can preapprove specific applications. |
Allow users to consent to applications with low security risk (Prevent OAuth phishing. Lower impact, less secure.) | Update-MgPolicyAuthorizationPolicy | Allows users to consent to applications with low assigned risk. |
Remove Safe Senders to prevent SPF bypass | Set-MailboxJunkEmailConfiguration | Removes the Safe Senders list from all mailboxes. This is to prevent SPF bypass attacks, as messages from Safe Senders are not subject to SPF checks. |
Set mailbox Sent Items delegation (Sent items for shared mailboxes) | Set-Mailbox | This makes sure that e-mails sent from shared mailboxes or delegate mailboxes end up in the Sent Items of the shared/delegate mailbox instead of the sender's, allowing you to keep replies in the same mailbox as the original e-mail. |
Allow users to send from their alias addresses | Set-Mailbox | Allows users to change the 'from' address to any set in their Azure AD Profile. |
Disable the built-in Report button in Outlook | Set-ReportSubmissionPolicy | Disable the built-in Report button in Outlook |
Enable the built-in Report button in Outlook | New-ReportSubmissionPolicy or Set-ReportSubmissionPolicy | Enable the built-in Report button in Outlook |
Disable Shared Mailbox AAD accounts | Get-Mailbox & Update-MgUser | Shared mailboxes can be directly logged into if the password is reset; this presents a security risk, as do all shared login credentials. Microsoft's recommendation is to disable the user account for shared mailboxes. It would be a good idea to review the sign-in reports to establish potential impact. |
Set Maximum Number of Devices per user | Update-MgBetaPolicyDeviceRegistrationPolicy | Sets the maximum number of devices that can be registered by a user. A value of 0 disables device registration by users |
Require Multifactor Authentication to register or join devices with Microsoft Entra | Update-MgBetaPolicyDeviceRegistrationPolicy | Requires users to use MFA when registering a device with Microsoft Entra |
Disable Add Shortcuts To OneDrive | Portal only | When the feature is disabled, the option "Add shortcut to My files" will be removed. Any folders that have already been added will remain on the user's computer. |
Disable legacy basic authentication for SharePoint | Set-SPOTenant -LegacyAuthProtocolsEnabled $false | Disables the ability for users and applications to access SharePoint via legacy basic authentication. This will likely not have any user impact, but will block systems/applications depending on basic auth or the SharePointOnlineCredentials class |
Disable users from installing add-ins in Outlook | Get-ManagementRoleAssignment \| Remove-ManagementRoleAssignment | Disables users from being able to install add-ins in Outlook. Only admins are able to approve add-ins for the users. This is done to reduce the threat surface for data exfiltration |
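As an added example (not CIPP's own code), the following PowerShell contrasts the report-only and Remediate behaviour described at the top of this page for a handful of Exchange Online settings from the Low and Medium Impact tables. It assumes an existing Connect-ExchangeOnline session with rights to read (and, with -Remediate, change) the organization configuration; the function name Test-CippStandardDrift is hypothetical.

```powershell
# Added example (not CIPP's own code): a read-only drift check for a few of the
# Exchange Online settings covered by the Low and Medium Impact standards above.
# Assumes an existing Connect-ExchangeOnline session with rights to read (and,
# with -Remediate, change) the organization configuration.
function Test-CippStandardDrift {   # hypothetical name, not a CIPP function
    [CmdletBinding()]
    param(
        # Without this switch the function only reports, like a standard that
        # is not set to Remediate; with it, the table's cmdlet is applied.
        [switch]$Remediate
    )

    $org       = Get-OrganizationConfig
    $transport = Get-TransportConfig
    $external  = Get-ExternalInOutlook

    # Standard name, observed value, value the standard enforces, and the
    # remediation taken from the table's "PowerShell equivalent" column.
    $checks = @(
        @{ Standard = 'Enable Mailbox auditing'
           Current  = $org.AuditDisabled; Expected = $false
           Fix      = { Set-OrganizationConfig -AuditDisabled $false } }
        @{ Standard = 'Enable Customer Lockbox'
           Current  = $org.CustomerLockBoxEnabled; Expected = $true
           Fix      = { Set-OrganizationConfig -CustomerLockBoxEnabled $true } }
        @{ Standard = 'Enable Auto-expanding archives'
           Current  = $org.AutoExpandingArchiveEnabled; Expected = $true
           Fix      = { Set-OrganizationConfig -AutoExpandingArchive } }
        @{ Standard = 'Disable SMTP Basic authentication'
           Current  = $transport.SmtpClientAuthenticationDisabled; Expected = $true
           Fix      = { Set-TransportConfig -SmtpClientAuthenticationDisabled $true } }
        @{ Standard = "Enable 'external' warning in Outlook"
           Current  = ($external.Enabled -contains $true); Expected = $true
           Fix      = { Set-ExternalInOutlook -Enabled $true } }
    )

    foreach ($c in $checks) {
        $status = if ($c.Current -eq $c.Expected) { 'Compliant' } else { 'Drifted' }
        if ($status -eq 'Drifted' -and $Remediate) {
            & $c.Fix
            $status = 'Remediated'   # re-run without -Remediate to confirm the new state
        }
        [pscustomobject]@{
            Standard = $c.Standard
            Current  = $c.Current
            Expected = $c.Expected
            Status   = $status
        }
    }
}

# Report only; add -Remediate to mirror a standard configured with Remediate.
Test-CippStandardDrift | Format-Table -AutoSize
```

Like the standards themselves, the remediation only pushes settings toward the expected value; a setting that is already compliant is left untouched, and removing a check from the list does not revert anything.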
High Impact: changes which require thought and planning. Deployment should ideally be coordinated with customers, as these changes may have significant impacts on how users interact with Microsoft 365.
Standard Name | PowerShell equivalent cmdlet | Description |
---|---|---|
Undo App Consent Standard | Update-MgPolicyAuthorizationPolicy | Undoes the OAuth phishing standard |
Enable Security Defaults | | Enables SD for the tenant, which disables all forms of basic authentication and requires users to configure MFA. Users are only prompted for MFA when a logon is considered 'suspect' by Microsoft. |
Disables SMS as an MFA method | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Disables SMS as an MFA method for the tenant. If a user only has SMS as an MFA method, they will be unable to sign in. |
Disables Voice call as an MFA method | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Disables Voice call as an MFA method for the tenant. If a user only has Voice call as an MFA method, they will be unable to sign in. |
Disables Email as an MFA method | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Disables Email as an MFA method for the tenant. This disables the e-mail OTP option for guest users, and instead prompts them to create a Microsoft account. |
Disables Certificates as an MFA method | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Disables Certificates as an MFA method for the tenant. |
Set Sharing Level for OneDrive and SharePoint | Portal Only | Sets the default sharing level for OneDrive and SharePoint. This is a tenant-wide setting and overrules any settings set on the site level |
Disable Resharing by External Users | Portal Only | Disables the ability for external users to share files they don't own. |
Disable site creation by standard users | Update-MgAdminSharepointSetting | Disables standard users from creating SharePoint sites; this also disables the ability to fully create Teams |
Exclude File Extensions from Syncing | Update-MgAdminSharepointSetting | Excludes files with the specified extensions from being synced. Users will get an error when trying to sync such files |
Do not allow Mac devices to sync using OneDrive | Update-MgAdminSharepointSetting | Disables syncing via OneDrive on Mac devices |
Only allow users to sync OneDrive from AAD joined devices | Update-MgAdminSharepointSetting | Only allows AAD joined devices to sync using the OneDrive client. Users on other devices will receive an error. |
Feature Requests / Ideas
Please raise any feature requests on GitHub.