
CIS Microsoft 365 Benchmark in One Click: Authenticated M365 Security Audit

Pentestas Team

Security Analyst

4/21/2026

Run the CIS Microsoft 365 Foundations Benchmark against your Azure + M365 tenant. Get a pass/fail grid mapped to CIS control IDs, shipped with stack-specific remediation.

| Family | CIS ID | Control | Status |
| --- | --- | --- | --- |
| Entra | 1.1.1 | MFA enforced for all admins | PASS |
| Exchange | 6.3.7 | External forwarding blocked | FAIL |
| SharePoint | 7.2.1 | External sharing level | FAIL (Anyone) |
| Teams | 8.5.1 | Anonymous meeting lobby required | SKIPPED |
| M365 | 3.1.1 | Unified audit log enabled | PASS |

Per-control grid. Every row maps to a CIS ID, severity, evidence, and remediation.

Pentestas ships a modular, CIS-aligned inspector framework that checks your Azure Entra, Exchange Online, SharePoint / OneDrive, Teams, and M365 general posture — and returns a per-control pass/fail/skipped grid with severity, evidence, and stack-specific remediation. In one API call or one click in the UI.

What it checks

25 inspectors ship today, expanding every release.

Entra ID (6)

  • **1.1.1** MFA enforced for all admin roles
  • **1.1.2** Two break-glass (emergency-access) Global Admin accounts exist
  • **1.1.4** User consent to apps restricted to low-risk scopes
  • **1.1.6** Conditional Access blocks legacy authentication
  • **1.1.20** Guest-invite permission restricted to admins
  • **1.2.1** Security Defaults enabled or equivalent CA policies in place

Exchange Online (9)

  • **2.1.1** SPF hard-fail (-all)
  • **2.1.2** DKIM signing enabled for every verified domain
  • **2.1.9** DMARC enforced (p=quarantine or p=reject)
  • **6.1.1** Mailbox auditing enabled tenant-wide
  • **6.2.1** Exchange transport rules audit
  • **6.2.3** Outlook external sender tag enabled
  • **6.3.7** Automatic external forwarding blocked
  • **6.5.2 / 6.5.3** Modern authentication enforced
  • **1.2.5** Safe Links policy enabled

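The SPF and DMARC rows above are decided by the content of two DNS TXT records. The following is an added example (not Pentestas code) showing how a checker applies the CIS 2.1.1 and 2.1.9 criteria to records it has already fetched: a single `v=spf1` record whose first `all` mechanism carries the `-` qualifier, and a single `v=DMARC1` record with `p=quarantine` or `p=reject`. The sample records are constructed, and the extra requirement that `pct` be 100 is this example's own tightening, not something the page states.

```python
"""Evaluate SPF and DMARC TXT records against the CIS 2.1.1 / 2.1.9 baseline.

Added example, not Pentestas code. Works on TXT strings already fetched from DNS;
the sample records in the tests are constructed, not real answers.
"""
import re
from dataclasses import dataclass


@dataclass
class ControlResult:
    cis_id: str
    status: str      # "PASS" or "FAIL"
    evidence: str


def find_spf(txt_records):
    """Return the single v=spf1 record, or None (zero or several records is invalid per RFC 7208)."""
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def check_spf_hard_fail(domain, txt_records):
    """CIS 2.1.1: the SPF policy must end in a hard fail (-all)."""
    spf = find_spf(txt_records)
    if spf is None:
        return ControlResult("2.1.1", "FAIL", f"{domain}: no single valid v=spf1 record")
    # SPF is evaluated left to right; the first 'all' mechanism decides the default verdict,
    # so anything after it is ignored and a trailing '-all' placed after '~all' does not help.
    for term in spf.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"
            if qualifier == "-":
                return ControlResult("2.1.1", "PASS", f"{domain}: {spf}")
            return ControlResult("2.1.1", "FAIL",
                                 f"{domain}: 'all' qualifier is '{qualifier}', expected '-'")
    return ControlResult("2.1.1", "FAIL", f"{domain}: no 'all' mechanism; record defaults to neutral")


def parse_dmarc(txt_records):
    """Return the tag dict of the single v=DMARC1 record at _dmarc.<domain>, or None."""
    recs = [r.strip() for r in txt_records if r.strip().upper().startswith("V=DMARC1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc_enforced(domain, dmarc_txt_records):
    """CIS 2.1.9: p=quarantine or p=reject. Requiring pct=100 is this example's own addition."""
    tags = parse_dmarc(dmarc_txt_records)
    if tags is None:
        return ControlResult("2.1.9", "FAIL", f"_dmarc.{domain}: no single v=DMARC1 record")
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100 when absent
    except ValueError:
        pct = -1
    if policy in ("quarantine", "reject") and pct == 100:
        return ControlResult("2.1.9", "PASS", f"_dmarc.{domain}: p={policy}")
    return ControlResult("2.1.9", "FAIL",
                         f"_dmarc.{domain}: p={policy or 'missing'} pct={pct}; "
                         "need quarantine/reject applied to 100% of mail")


if __name__ == "__main__":
    # Constructed sample records for a hypothetical domain.
    print(check_spf_hard_fail("acme.example", ["v=spf1 include:spf.protection.outlook.com -all"]))
    print(check_dmarc_enforced("acme.example", ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@acme.example"]))
```

Both checks return evidence strings rather than booleans so the record that produced the verdict lands in the report, which is what makes a FAIL row defensible when someone later asks why.
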
SharePoint / OneDrive (5)

  • **7.2.1** External sharing restricted to Existing Guests or stricter
  • **7.2.3 / 7.2.4** Default sharing link = Internal / View-only
  • **7.2.6** Guest accounts expire; re-authentication required
  • **7.2.9 / 7.2.10** Anonymous link lifetime ≤ 30 days
  • **7.3.2** Legacy authentication blocked

Microsoft Teams (4)

  • **8.1.1** Teams external access allowlisted
  • **8.2.1** Teams guest policy restrictive
  • **8.5.1** Anonymous meeting join requires lobby admission
  • **8.6.1** Third-party apps restricted

M365 general (1)

  • **3.1.1** Unified audit log enabled tenant-wide

How it works

Every inspector is a Python class subclassing CisInspector. The class declares its CIS IDs, profile (L1 / L2), license tier (E3 / E5), default severity, remediation text, and references. The runner auto-discovers files dropped into tools/azure/cis/<family>/ci_<id>_<name>.py — no registry, no wiring.

On each run, every inspector:

  1. Calls the minimum set of Microsoft Graph API endpoints needed to observe the control state.
  2. Compares the observed value against the CIS baseline.
  3. Emits one of:
     • PASS — control satisfied, state captured as evidence.
     • FAIL — control violated, specific evidence cited, stack-specific remediation attached.
     • SKIPPED — control requires Exchange / Teams PowerShell (not exposed via Graph), with the exact cmdlet to verify manually.

Every emitted finding is tagged with CIS IDs, profiles, license tier, severity, CWE, and reference URLs to Microsoft Learn. The report generator consolidates findings into a grid with per-family + per-profile summary counts.

Running it

From the UI

Settings → Azure → Run CIS benchmark. Requires Azure credentials to be saved (service principal or az account get-access-token output pasted).

From the API

```bash
curl -X POST "https://app.pentestas.com/api/azure/cis-report?families=entra,exchange,sharepoint,teams,m365" \
     -H "X-API-Key: aa_..."
```

Response: a JSON grid with summary counts + one row per inspector, including evidence and remediation.

Scoped run

```bash
# Run only Exchange + SharePoint checks
curl -X POST "https://app.pentestas.com/api/azure/cis-report?families=exchange,sharepoint" \
     -H "X-API-Key: aa_..."
```

Helpful when you're chasing a specific control category (e.g., post-incident: "which Exchange controls regressed?").

Why honesty beats comprehensiveness

Some CIS Microsoft 365 controls genuinely can't be verified via Graph API — they live only in Exchange PowerShell (Get-SafeLinksPolicy, Get-TransportRule, Get-HostedOutboundSpamFilterPolicy) or Teams PowerShell (Get-CsTeamsMeetingPolicy).

Legacy scanners declare these "pass" in the absence of evidence, which is misleading. Pentestas emits SKIPPED with the exact PowerShell cmdlet you need. The grid shows which controls are genuinely passing, which are genuinely failing, and which require the Exchange PowerShell bridge (scheduled for the next agent release). The resulting report is smaller but far more defensible in front of an auditor.

Industry fit

Fintech + payments

PCI DSS 4.0 requires a documented, tested configuration standard for in-scope systems — Microsoft 365 is in-scope for any cardholder-data workflow that touches email, Teams, or SharePoint. The CIS Microsoft 365 Foundations Benchmark is the industry-accepted baseline. Pentestas produces a per-control pass/fail grid that maps directly into PCI DSS evidence requirements — no manual cross-walk, no spreadsheet roulette.

Medtech + healthtech

HIPAA Security Rule §164.308(a)(8) requires "periodic technical evaluation" of security measures. For covered entities running M365, the CIS benchmark is the de facto technical-evaluation framework. Pentestas's daily-schedulable CIS run gives the compliance officer a defensible "we check this every 24 hours" answer — much cleaner than "we audit annually and hope nothing changes".

Banks + insurance

DORA, NYDFS 500, and FFIEC all impose control-testing cadence obligations on regulated entities running cloud collaboration platforms. The CIS M365 benchmark is the most widely-accepted cross-walk for these control families. A financial-services organisation running Pentestas's CIS grid weekly creates an audit trail far denser than the one produced by the typical on-demand manual review.

Legaltech

Law firms and legaltech platforms face strict client-confidentiality obligations on their M365 tenants. External sharing mis-configurations (CIS 7.2.1) and missing mailbox auditing (CIS 6.1.1) are the two most common client-data exposures in the segment. Pentestas's benchmark flags them automatically and provides the one-line remediation command.

Combining CIS with AI penetration testing

The CIS benchmark catches misconfigurations. An AI pentest catches exploitable vulnerabilities. Pentestas runs both against the same tenant through the same API surface. A Pro+ organisation typically runs:

  • **CIS benchmark** — daily. Misconfiguration drift surfaces within 24 hours.
  • **Authenticated AI pentest** — weekly or per-build. Active exploits and attack chains.
  • **Black-box Azure recon** (separate scan type) — monthly. External-attacker-perspective coverage of public-facing M365 assets.

The three feed the same findings DB; chains can span CIS misconfigurations + AI pentest findings ("SharePoint external sharing set to Anyone + no DLP policy on documents containing PII → GDPR-relevant data exposure"). The resulting dashboard is the compliance officer's single pane of glass for M365 security.

Adding custom checks

The framework is designed for extension. Drop a file at tools/azure/cis/<family>/ci_<id>_<name>.py, subclass CisInspector, implement audit(ctx). The runner picks it up automatically — no registration, no wiring.

Custom inspectors are useful for:

  • Regulator-specific controls (e.g., FINRA's communication-retention requirements that extend beyond CIS)
  • Industry-specific baselines (e.g., the HITRUST CSF M365 extensions)
  • Company-specific standards (e.g., "no guest users in the Finance-Admin group")

Customers on Business + Enterprise plans can ship custom inspectors via the Pentestas runtime update channel.
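
To make the plugin model in "How it works" and "Adding custom checks" concrete, here is an added example that is not Pentestas code: a hypothetical stand-in for the `CisInspector` base class, the finding shape the text describes (CIS IDs, profile, license tier, severity, evidence, remediation, references), and a runner that builds the per-family and per-profile counts. The custom inspector implements the page's own "no guest users in the Finance-Admin group" case against a constructed Graph response, and a second inspector shows the SKIPPED path for a PowerShell-only control. The base-class attribute names, the `emit` helper, the `FakeGraph` context and the group id are assumptions; the auto-discovery of `tools/azure/cis/<family>/` files is not reproduced.

```python
"""Hypothetical stand-in for a CisInspector-style plugin and runner.

Added example, not Pentestas code. Class/attribute names, the fake Graph context
and the sample tenant data below are assumptions that mirror the page's description.
"""
from dataclasses import dataclass

PASS, FAIL, SKIPPED = "PASS", "FAIL", "SKIPPED"


@dataclass
class Finding:
    cis_ids: tuple
    family: str
    profile: str        # L1 / L2
    license_tier: str   # E3 / E5
    severity: str
    status: str
    evidence: str
    remediation: str = ""
    references: tuple = ()


class CisInspector:
    """Assumed base class: subclasses declare metadata and implement audit(ctx)."""
    cis_ids = ()
    family = ""
    profile = "L1"
    license_tier = "E3"
    severity = "medium"
    remediation = ""
    references = ()

    def audit(self, ctx):
        raise NotImplementedError

    def emit(self, status, evidence, remediation=None):
        """Build a Finding that carries the inspector's declared tags."""
        return Finding(self.cis_ids, self.family, self.profile, self.license_tier,
                       self.severity, status, evidence,
                       self.remediation if remediation is None else remediation,
                       self.references)


class FakeGraph:
    """Constructed stand-in for a Graph client: maps request paths to canned JSON."""
    def __init__(self, responses):
        self.responses = responses
        self.calls = []

    def get(self, path):
        self.calls.append(path)
        return self.responses[path]


class NoGuestsInFinanceAdmin(CisInspector):
    """Company-specific control from the text: no guest users in the Finance-Admin group."""
    cis_ids = ("CUSTOM-FIN-ADMIN-1",)
    family = "entra"
    severity = "high"
    remediation = "Remove the listed guests from Finance-Admin and restrict membership to member users."
    GROUP_ID = "PLACEHOLDER-GROUP-ID"  # object id of the Finance-Admin group (placeholder)

    def audit(self, ctx):
        # One Graph call, selecting only the two attributes the check needs.
        members = ctx.get(f"/groups/{self.GROUP_ID}/members?$select=userPrincipalName,userType")["value"]
        guests = [m["userPrincipalName"] for m in members if m.get("userType") == "Guest"]
        if guests:
            return self.emit(FAIL, f"{len(guests)} guest member(s) in Finance-Admin: {', '.join(guests)}")
        return self.emit(PASS, f"{len(members)} member(s) in Finance-Admin, 0 guests")


class SafeLinksPolicy(CisInspector):
    """CIS 1.2.5 is only visible via Exchange PowerShell, so it is reported SKIPPED with the cmdlet."""
    cis_ids = ("1.2.5",)
    family = "exchange"
    profile = "L2"
    license_tier = "E5"

    def audit(self, ctx):
        return self.emit(SKIPPED, "Not observable via Graph; verify with Get-SafeLinksPolicy")


def run(inspectors, ctx):
    """Run each inspector once and build per-family / per-profile summary counts."""
    findings = [i.audit(ctx) for i in inspectors]
    by_family, by_profile = {}, {}
    for f in findings:
        by_family.setdefault(f.family, {PASS: 0, FAIL: 0, SKIPPED: 0})[f.status] += 1
        by_profile.setdefault(f.profile, {PASS: 0, FAIL: 0, SKIPPED: 0})[f.status] += 1
    return findings, by_family, by_profile


# Constructed sample tenant data: one guest account sits in Finance-Admin.
SAMPLE_RESPONSES = {
    "/groups/PLACEHOLDER-GROUP-ID/members?$select=userPrincipalName,userType": {
        "value": [
            {"userPrincipalName": "cfo@acme.example", "userType": "Member"},
            {"userPrincipalName": "contractor_vendor.example#EXT#@acme.example", "userType": "Guest"},
        ]
    }
}


def demo():
    """Run both inspectors against the constructed tenant and return the grid inputs."""
    return run([NoGuestsInFinanceAdmin(), SafeLinksPolicy()], FakeGraph(SAMPLE_RESPONSES))


if __name__ == "__main__":
    for f in demo()[0]:
        print(f.status, f.cis_ids, f.evidence)
```

The point of the SKIPPED inspector is that it still carries a CIS ID, profile and license tier, so the summary counts show the gap instead of silently dropping the control; the evidence field names the cmdlet an operator runs to close it by hand.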

Credentials

The CIS benchmark uses the same credential set as the full Azure pentest:

  • **Service principal** with **Reader** over the subscription plus **Security Reader** and **AuditLog.Read.All** on the AAD side. This is the recommended long-running option.
  • **Paste-a-token** — run az account get-access-token and paste the output into the Azure credentials panel. Works for one-hour scans; useful for on-demand checks without creating a long-lived SP.

At-rest, the credential is encrypted with the tenant's Fernet key; see Encryption.

Example findings (redacted)

FAIL: Entra 1.1.1

Evidence: Admin MFA not enforced for: Helpdesk Administrator, User Administrator. Policies that DO enforce: CP-Require-MFA-Admins (covers Global Admin, Privileged Role Admin, Security Admin).

Remediation: Entra → Protection → Conditional Access → edit the existing admin-MFA policy, add Helpdesk Administrator + User Administrator to Users → Include → Directory roles.

FAIL: Exchange 6.3.7

Evidence: 4 external forwarding rule(s) across 50 sampled mailboxes: alex@acme.com rule 'Back up to gmail' → alex@gmail.com; sam@acme.com rule '[forward]' → sam-archive@outlook.com; …

Remediation: Defender portal → Policies & rules → Threat policies → Anti-spam → Outbound policy → set Automatic forwarding to 'Off'. Review + disable the four listed inbox rules.

PASS: SharePoint 7.2.1

Evidence: sharingCapability=existingexternalusersharingonly — anyone links cannot be created tenant-wide.

Each FAIL row includes the exact paste-ready remediation command (or admin-console navigation path) specific to your tenant's posture. No generic "review your settings" advice.

Cost

CIS benchmark runs are included at no additional charge on Business and Enterprise plans. Typical runtime: 20–40 seconds for the full 25-inspector sweep.

Run the CIS Microsoft 365 benchmark against your tenant

Register, save Azure credentials, and get your first pass/fail grid in under two minutes.

Alexander Sverdlov

Founder of Pentestas. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.