Edit Standards

Apply pre-defined standards to your Microsoft 365 CSP tenants.

A standard with Remediate applies actual configuration to the selected tenant, not just monitoring.

Note that by default, Standards aren't applied to any tenants upon setup / configuration of CIPP. Applying any standard should only be undertaken with full understanding of the effects of the standard, detailed below.

The Standards page provides the ability for you to apply or reapply specific standards to your entire client base. Standards reapply to your tenants every three hours by default. If a setting covered by a standard changes, the value specified in the standard takes precedence the next time the standards apply.

Plans exist to implement more standardised options and settings, along with an alerting system supporting Remote Monitoring and Management (RMM) systems, webhooks, or e-mail.

Some of the standards are explained below:

Note that some standards may require one or more companion (Intune) policies to be set to be effective.

Deselecting an option on the standard simply means it will no longer try to apply that standard. However, it DOES NOT turn the setting off.

I.e., if you disable the setting "Enable FIDO2 capabilities", the next time the standard runs it will no longer try to turn that setting on, but if the option was already on it will not turn it off.

Be aware that if you use different settings for the ‘AllTenants’ and a single tenant when applying a standard, it might not be applied consistently. This is because standards aren’t always applied in the same order.

For example, let’s say you have a standard that allows anyone with the link to access OneDrive and SharePoint. But for a single tenant, you’ve set it so that only people in your organization can access. In this case, the access level will depend on which standard is applied last.

Meet the Standards

Low Impact: changes which have no or minimal user-facing impact.

| Standard Name | PowerShell equivalent | Description |
| --- | --- | --- |
| Set General Contact e-mail | Set-MsolCompanyContactInformation | This is where Microsoft sends updates about subscriptions. |
| Set Security Contact e-mail | Set-MsolCompanyContactInformation | Receives e-mails about security alerts or advisories from Microsoft. |
| Set Marketing Contact e-mail | Set-MsolCompanyContactInformation | Receives e-mails related to marketing, new features, etc. |
| Set Technical Contact e-mail | Set-MsolCompanyContactInformation | Receives e-mails related to possible technical issues, service disruptions, etc. |
| Enable the Unified Audit Log | Enable-OrganizationCustomization | Enables the Microsoft Unified Audit Log. |
| Enable Customer Lockbox | Set-OrganizationConfig -CustomerLockBoxEnabled $true | Customer Lockbox ensures that Microsoft can't access your content to do service operations without your explicit approval, so only authorized requests allow access to your organization's data. |
| Enable Mailbox auditing | Set-OrganizationConfig -AuditDisabled $false | Enables mailbox auditing at tenant level and for all mailboxes, and disables audit bypass on all mailboxes. By default Microsoft does not enable mailbox auditing for Resource Mailboxes, Public Folder Mailboxes and DiscoverySearch Mailboxes. The Unified Audit Log needs to be enabled for this standard to function. |
| Enable Usernames instead of pseudo anonymised names in reports | Portal Only | Microsoft announced that some APIs and reports no longer return names, to comply with legal requirements in specific countries. This is an issue for a lot of MSPs because those reports are often helpful for engineers. This standard applies a setting that shows usernames in those API calls / reports. |
| Restrict guest user access to directory objects | Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b' | Guests can view only their own user profile; permission to view other users isn't allowed. Also restricts guest users from seeing the membership of groups they're in. See exactly what gets locked down in the Microsoft documentation. |
| Enable LAPS on the tenant | Portal only | Enables the LAPS functionality on the tenant. Prerequisite for using Windows LAPS via Azure AD. |
| Enable Phishing Protection system via branding CSS | Portal only | Adds branding to the logon page that only appears if the URL is not login.microsoftonline.com. This potentially prevents AiTM attacks via EvilNginx. When set to Remediate, this will also automatically generate alerts if a clone of your login page has been found. |
| Enable Passwordless with Location information and Number Matching | New-AzureADPolicy | Allows users to use Passwordless with Number Matching and adds location information from the last request. |
| Enable OTP via Authenticator | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Allows the use of the Microsoft Authenticator OTP token generator. Useful for using the NPS extension as MFA on VPN clients. |
| Set Authenticator Lite state | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Sets the Authenticator Lite state to enabled. This allows users to use the Authenticator Lite built into the Outlook app instead of the full Authenticator app. |
| Enable FIDO2 capabilities | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Enables FIDO2 capabilities for the tenant. This allows users to use FIDO2 keys like a YubiKey for authentication. |
| Enable Hardware OAuth tokens | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Enables Hardware OAuth tokens for the tenant. This allows users to use hardware tokens like a YubiKey for authentication. |
| Enable OTP Software OAuth tokens | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Enables OTP Software OAuth tokens for the tenant. This allows OTP codes generated via software, like a password manager, to be used as an authentication method. |
| Enable Temporary Access Passwords | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Enables Temporary Access Password generation for the tenant. |
| Don't expire passwords | Portal Only | Sets passwords to never expire for the tenant; recommended to use in conjunction with secure password requirements. |
| Disable M365 Tenant creation by users | Update-MgPolicyAuthorizationPolicy | By default users are allowed to create M365 tenants. This disables that so only admins can create new M365 tenants. |
| Enable App consent admin requests | Update-MgPolicyAdminConsentRequestPolicy | Enables the ability for users to request admin consent for applications. Should be used in conjunction with the "Require admin consent for applications" standard. |
| Enable registration campaign for the tenant | Update-MgPolicyAuthenticationMethodPolicy | Enables the registration campaign for the tenant, which nudges users to set up the Microsoft Authenticator during sign-in. |
| Disable registration campaign for the tenant | Update-MgPolicyAuthenticationMethodPolicy | Disables the registration campaign for the tenant (the campaign that nudges users to set up the Microsoft Authenticator during sign-in). |
| Disable M365 Group creation by users | Portal Only | By default users are allowed to create M365 groups. This restricts M365 group creation to certain admin roles, which also removes users' ability to create Teams, SharePoint sites, Planner plans, etc. |
| Set Outbound Spam Alert e-mail | Set-HostedOutboundSpamFilterPolicy | Sets the e-mail address to which outbound spam alerts are sent. |
| Enable Auto-expanding archives | Set-OrganizationConfig -AutoExpandingArchive | Enables auto-expanding archives for the tenant. Does not enable archives for users. |
| Enable or disable 'external' warning in Outlook | Set-ExternalInOutlook -Enabled $true or $false | Adds or removes indicators on e-mail messages received from external senders in Outlook. You can read more about this feature on Microsoft's Exchange Team Blog. |
| Enable all MailTips | Set-OrganizationConfig | Enables all MailTips in Outlook. MailTips are the notifications Outlook and Outlook on the web show when an e-mail you are composing meets certain conditions. |
| Disable daily Insight/Viva reports | Set-UserBriefingConfig | Disables Daily Insight reports for all users in the tenant. |
| Rotate DKIM keys that are 1024 bit to 2048 bit | Rotate-DkimSigningConfig | Rotates DKIM keys that are 1024 bit to 2048 bit. |
| Enables DKIM for all domains that currently support it | New-DkimSigningConfig | Enables DKIM for all domains that currently support it. |
| Set send/receive size limits | Set-MailboxPlan | Sets the maximum send and receive size for the tenant. |
| Set Sharing Level for Default calendar | Set-MailboxFolderPermission | Sets the default sharing level for the default calendar for all users in the tenant. The different sharing levels are documented by Microsoft. |
| Disable external calendar sharing | Get-SharingPolicy \| Set-SharingPolicy -Enabled $False | Disables external calendar sharing for the entire tenant. This is not a widely used feature, so it's unlikely to impact users. |
| Disable additional storage providers in OWA | Get-OwaMailboxPolicy \| Set-OwaMailboxPolicy -AdditionalStorageProvidersEnabled $False | Disables additional storage providers in OWA, to prevent users from using personal storage providers like Dropbox, Google Drive, etc. Usually this has little user impact. |
| Set inactive device retirement days | Portal Only | Sets the number of days before a device is considered inactive and removed from Intune. |
| Retain a deleted user OneDrive for 1 year | Portal Only | When a OneDrive user gets deleted, the personal SharePoint site is retained for 1 year and data can be retrieved from it. |
| Disable App creation by users | Update-MgPolicyAuthorizationPolicy | Disables the ability for users to create applications in Entra. Done to prevent breached accounts from creating an app to maintain access to the tenant, even after the breached account has been secured. |
| Lower Transport Message Expiration to 12 hours | Set-TransportConfig -MessageExpiration 12:00:00 | Expires messages in the transport queue after 12 hours, so the NDR for failed messages shows up faster for users. Default is 24 hours. |

Medium Impact: changes which have a user impact that can be mitigated with a little communication.

| Standard Name | PowerShell equivalent cmdlet | Description |
| --- | --- | --- |
| Disable SMTP Basic authentication | Set-TransportConfig -SmtpClientAuthenticationDisabled $true | Disables SMTP basic authentication for the tenant and for all users that have it explicitly enabled. |
| Enable Online Archive for all users | Enable-Mailbox -Archive $true | Enables the In-Place Online Archive for all UserMailboxes with a valid Exchange license. |
| Enable 1 hour Activity based Timeout | Portal Only | Enables and sets the idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps. |
| Disable Security Group creation by users | Portal Only | Completely disables the creation of security groups by users. This also breaks users' ability to manage groups themselves, or to create Teams. |
| Remove Legacy MFA if SD or CA is active | Get-MsolUser & Set-MsolUser -StrongAuthenticationRequirements $null | |
| Disable Self Service Licensing | Set-MsolCompanySettings -AllowAdHocSubscriptions $false | Does not allow users to get their own licenses. This also blocks Power BI self-service and Flow self-service. |
| Disable Guest accounts that have not logged on for 90 days | Graph API | Disables guest accounts that have not interactively signed in for 90 days. |
| Require admin consent for applications (Prevent OAuth phishing.) | Update-MgPolicyAuthorizationPolicy | Requires users to get administrator consent before sharing data with applications. You can preapprove specific applications. |
| Allow users to consent to applications with low security risk (Prevent OAuth phishing. Lower impact, less secure.) | Update-MgPolicyAuthorizationPolicy | Allows users to consent to applications with low assigned risk. |
| Remove Safe Senders to prevent SPF bypass | Set-MailboxJunkEmailConfiguration | Removes the Safe Senders list from all mailboxes. This is to prevent SPF bypass attacks, as senders on the Safe Senders list are not subject to the SPF check. |
| Set mailbox Sent Items delegation (Sent items for shared mailboxes) | Set-Mailbox | Makes sure that e-mails sent from shared or delegate mailboxes end up in the shared/delegate mailbox instead of the sender's, allowing you to keep replies in the same mailbox as the original e-mail. |
| Allow users to send from their alias addresses | Set-Mailbox | Allows users to change the 'from' address to any alias set in their Azure AD profile. |
| Disable the built-in Report button in Outlook | Set-ReportSubmissionPolicy | Disables the built-in Report button in Outlook. |
| Enable the built-in Report button in Outlook | New-ReportSubmissionPolicy or Set-ReportSubmissionPolicy | Enables the built-in Report button in Outlook. |
| Disable Shared Mailbox AAD accounts | Get-Mailbox & Update-MgUser | Shared mailboxes can be logged into directly if their password is reset; this presents a security risk, as do all shared login credentials. Microsoft's recommendation is to disable the user account for shared mailboxes. Review the sign-in reports first to establish the potential impact. |
| Set Maximum Number of Devices per user | Update-MgBetaPolicyDeviceRegistrationPolicy | Sets the maximum number of devices that can be registered by a user. A value of 0 disables device registration by users. |
| Require Multifactor Authentication to register or join devices with Microsoft Entra | Update-MgBetaPolicyDeviceRegistrationPolicy | Requires users to use MFA when registering a device with Microsoft Entra. |
| Disable Add Shortcuts To OneDrive | Portal only | When the feature is disabled, the "Add shortcut to My files" option is removed. Any folders that have already been added remain on the user's computer. |
| Disable legacy basic authentication for SharePoint | Set-SPOTenant -LegacyAuthProtocolsEnabled $false | Disables the ability for users and applications to access SharePoint via legacy basic authentication. This will likely not have any user impact, but will block systems/applications that depend on basic auth or the SharePointOnlineCredentials class. |
| Disable users from installing add-ins in Outlook | Get-ManagementRoleAssignment \| Remove-ManagementRoleAssignment | Prevents users from installing add-ins in Outlook; only admins are able to approve add-ins for users. This is done to reduce the threat surface for data exfiltration. |
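Because a deselected standard never turns a setting back off, the only reliable way to know where a tenant stands is to read its live configuration. The following read-only drift report is an added example, not CIPP's own code; it compares an Exchange Online tenant against several of the Low and Medium impact standards above using the same cmdlet families the tables list, and assumes an existing Connect-ExchangeOnline session to the target tenant.

```powershell
# Added example (not CIPP code): read-only drift report for an Exchange Online tenant against
# several Low and Medium impact standards listed above. Assumes an existing
# Connect-ExchangeOnline session to the target tenant; nothing here changes configuration.
function Get-StandardDrift {
    $org   = Get-OrganizationConfig
    $tc    = Get-TransportConfig
    $audit = Get-AdminAuditLogConfig
    # Policy-level standards: drift exists if any policy still carries the unwanted value.
    $sharingOn  = [bool](Get-SharingPolicy    | Where-Object { $_.Enabled })
    $owaExtraOn = [bool](Get-OwaMailboxPolicy | Where-Object { $_.AdditionalStorageProvidersEnabled })
    # DKIM-enabled domains whose selectors are still shorter than 2048 bits.
    $weakDkim = @(Get-DkimSigningConfig | Where-Object {
        $_.Enabled -and ($_.Selector1KeySize -lt 2048 -or $_.Selector2KeySize -lt 2048) })

    # One row per standard: the value the standard enforces versus the value found.
    $checks = @(
        [pscustomobject]@{ Standard = 'Enable the Unified Audit Log';                   Expected = $true;  Actual = $audit.UnifiedAuditLogIngestionEnabled }
        [pscustomobject]@{ Standard = 'Enable Customer Lockbox';                        Expected = $true;  Actual = $org.CustomerLockBoxEnabled }
        [pscustomobject]@{ Standard = 'Enable Mailbox auditing (AuditDisabled)';        Expected = $false; Actual = $org.AuditDisabled }
        [pscustomobject]@{ Standard = 'Enable Auto-expanding archives';                 Expected = $true;  Actual = $org.AutoExpandingArchiveEnabled }
        [pscustomobject]@{ Standard = 'Disable SMTP Basic authentication';              Expected = $true;  Actual = $tc.SmtpClientAuthenticationDisabled }
        [pscustomobject]@{ Standard = 'Lower Transport Message Expiration to 12 hours'; Expected = [TimeSpan]'12:00:00'; Actual = $tc.MessageExpiration }
        [pscustomobject]@{ Standard = 'Disable external calendar sharing';              Expected = $false; Actual = $sharingOn }
        [pscustomobject]@{ Standard = 'Disable additional storage providers in OWA';    Expected = $false; Actual = $owaExtraOn }
        [pscustomobject]@{ Standard = 'Rotate DKIM keys that are 1024 bit to 2048 bit'; Expected = 0;      Actual = $weakDkim.Count }
    )
    # Compliance is computed from the live value, never assumed from what was once applied.
    $checks | Select-Object Standard, Expected, Actual,
        @{ Name = 'Compliant'; Expression = { $_.Expected -eq $_.Actual } }
}

Get-StandardDrift | Format-Table -AutoSize
```

Rows showing Compliant = False are the settings a Remediate run would change, so this doubles as an impact preview before enabling Remediate on a tenant.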

High Impact: changes which require thought and planning. Deployment should ideally be co-ordinated with customers, as these may have significant impacts on how users interact with Microsoft 365.

| Standard Name | PowerShell equivalent cmdlet | Description |
| --- | --- | --- |
| Undo App Consent Standard | Update-MgPolicyAuthorizationPolicy | Undoes the OAuth phishing standard. |
| Enable Security Defaults | | Enables Security Defaults (SD) for the tenant, which disables all forms of basic authentication and forces users to configure MFA. Users are only prompted for MFA when a logon is considered 'suspect' by Microsoft. |
| Disables SMS as an MFA method | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Disables SMS as an MFA method for the tenant. If a user only has SMS as an MFA method, they will be unable to sign in. |
| Disables Voice call as an MFA method | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Disables voice call as an MFA method for the tenant. If a user only has voice call as an MFA method, they will be unable to sign in. |
| Disables Email as an MFA method | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Disables e-mail as an MFA method for the tenant. This disables the e-mail OTP option for guest users and instead prompts them to create a Microsoft account. |
| Disables Certificates as an MFA method | Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration | Disables certificates as an MFA method for the tenant. |
| Set Sharing Level for OneDrive and SharePoint | Portal Only | Sets the default sharing level for OneDrive and SharePoint. This is a tenant-wide setting and overrules any settings set at the site level. |
| Disable Resharing by External Users | Portal Only | Disables the ability for external users to share files they don't own. |
| Disable site creation by standard users | Update-MgAdminSharepointSetting | Prevents standard users from creating SharePoint sites; this also removes the ability to fully create Teams. |
| Exclude File Extensions from Syncing | Update-MgAdminSharepointSetting | Excludes files with the specified extensions from being synced. Users will get an error when trying to sync those files. |
| Do not allow Mac devices to sync using OneDrive | Update-MgAdminSharepointSetting | Disables syncing via OneDrive on Mac devices. |
| Only allow users to sync OneDrive from AAD joined devices | Update-MgAdminSharepointSetting | Only allows AAD-joined devices to sync using the OneDrive client. Users on other devices will receive an error. |
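The "Remove Legacy MFA if SD or CA is active" standard (Medium impact) and the "Enable Security Defaults" standard (above) both hinge on whether a modern MFA control is actually in force before per-user MFA is stripped. The following pre-flight check is an added example, not CIPP's own code; it confirms Security Defaults or an enabled Conditional Access policy requiring MFA for all users exists and lists the users who still carry a legacy per-user MFA requirement. It assumes existing Connect-MsolService and Connect-MgGraph (Policy.Read.All) sessions to the same tenant and makes no changes.

```powershell
# Added example (not CIPP code): read-only pre-flight for removing legacy per-user MFA.
# Assumes Connect-MsolService and Connect-MgGraph -Scopes 'Policy.Read.All' were run
# against the same tenant. Nothing here modifies users or policies.
function Test-LegacyMfaRemovalSafe {
    # Security Defaults state (IsEnabled) and every Conditional Access policy that is enabled,
    # not report-only or disabled.
    $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    $ca = @(Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq 'enabled' })

    # "CA is active" only protects users if some policy grants access with MFA for all users;
    # an enabled policy scoped to a pilot group leaves everyone else uncovered.
    $caMfaForAll = @($ca | Where-Object {
        $_.GrantControls.BuiltInControls -contains 'mfa' -and
        $_.Conditions.Users.IncludeUsers -contains 'All' })

    # Users whose per-user (legacy) MFA State is Enabled or Enforced; these are the accounts the
    # standard would reset with Set-MsolUser -StrongAuthenticationRequirements $null.
    $legacy = @(Get-MsolUser -All | Where-Object { $_.StrongAuthenticationRequirements.State })

    [pscustomobject]@{
        SecurityDefaultsEnabled      = [bool]$sd.IsEnabled
        EnabledCaPolicies            = $ca.Count
        CaPoliciesRequiringMfaForAll = $caMfaForAll.Count
        LegacyMfaUsers               = $legacy.Count
        # Safe only when a tenant-wide control replaces what is about to be removed.
        SafeToRemove                 = [bool]$sd.IsEnabled -or $caMfaForAll.Count -gt 0
        AffectedUsers                = $legacy | Select-Object -ExpandProperty UserPrincipalName
    }
}

Test-LegacyMfaRemovalSafe
```

If SafeToRemove is False, applying the standard would leave the listed users with no MFA requirement at all; enable Security Defaults or a suitable Conditional Access policy first.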

Feature Requests / Ideas

Please raise any feature requests on GitHub.
