Protect against known vulnerabilities from legacy configurations and emerging AI risks exploiting them
Enable Security by default for Frontier Organizations
At Microsoft, security is our top priority, and through the Secure Future Initiative (SFI), we are continuously applying what we have learned from incidents to improve our methods and practices, ensuring that security is paramount in everything we create and provide.
Customers often ask:
What is Microsoft’s secure-by-default benchmark for Microsoft 365 and Azure?
How do the learnings from the Secure Future Initiative (SFI) translate into customer value?
Is my tenant security hardened enough?
Today, at Microsoft Ignite 2025, we are excited to announce Microsoft Baseline security mode (BSM) now generally available and rolling out globally. With BSM, we have an answer for those questions.
Introducing Microsoft Baseline security mode
BSM is the first product born from decades of experience operating secure cloud services, responding to incidents, and learnings from the Secure Future Initiative (SFI). By simply opting in, your Microsoft cloud environment, starting with Microsoft 365 and Entra, adopts strong secure-by-default settings and eliminates vulnerabilities caused by legacy configurations.
Available in the Microsoft 365 admin center, BSM is simple to use yet offers advanced capabilities enabling you to easily:
- Disable legacy settings and enable secure-by-default configurations.
- Run simulations for complex settings to assess user and app impact.
- Deploy protections you have always wanted with just a few clicks.
This empowers organizations to harden their Microsoft cloud services continuously—every day, week, and year—with minimal effort.
A Continuous Journey
Microsoft Baseline security mode is not a one-time feature; it is an evolving standard. On a regular cadence, we will strengthen the baseline with additional configurations across Microsoft cloud services.
This general availability (GA) release marks the first milestone, starting with Microsoft 365 and Entra. Future releases will expand to Purview, Intune, Dynamics 365, Azure, and more.
What is in the November 2025 GA release of BSM?
The GA release introduces three major areas and 18 configuration settings across five core services:
- Office
- Exchange
- Teams
- SharePoint/OneDrive
- Entra
This is just the beginning of a journey toward a more secure, resilient cloud for every organization.
Baseline security mode's starting configuration areas are Authentication, Files, and Room devices.
Let us walk through each area and the major settings in it.
Opt-in for Baseline security mode in Microsoft 365 admin center
As a Microsoft 365 tenant admin, you can simply navigate to: Microsoft 365 admin center → Org Settings → Security & Privacy → Baseline security mode.
Figure 1 highlights that 11 of the 18 configuration settings in BSM are low- to no-impact for users, allowing administrators to safely opt in immediately. For the remaining seven settings, we recommend running them in simulation mode to evaluate potential impact within your tenant. If the impact is minimal, you can confidently disable those settings. If there is meaningful impact, we recommend kicking off a change management process with the affected users and app owners.
BSM provides flexibility and control, enabling administrators to manage each setting independently. You can also experiment by disabling a setting for a defined period, such as a few days, to assess impact and dependencies. If critical dependencies exist, you can re-enable the setting and plan to address those dependencies before making permanent changes. This intuitive, phased approach ensures a smooth transition to secure-by-default configurations.
Authentication Area
Legacy authentication protocols and tokens remain one of the most common attack vectors. BSM is designed to significantly reduce this risk by minimizing the attack surface associated with legacy protocols across Microsoft 365 services—including Exchange, SharePoint, OneDrive, Teams, and Microsoft 365 apps. To strengthen your security posture, we strongly recommend disabling these legacy configuration settings.
Figure 2: The BSM homepage highlighting the Authentication pillar and its associated settings.
Block legacy authentication flows and block basic authentication prompts are both security settings aimed at reducing risk from outdated sign-in methods, but they target different aspects of authentication:
- Block legacy authentication flows: This setting disables the use of older, less secure authentication protocols (such as POP, IMAP, SMTP, and legacy Exchange Web Services) that do not support modern security features like multi-factor authentication (MFA) or conditional access. When you block legacy authentication flows, you prevent applications and devices from connecting to Microsoft 365 services using these outdated protocols, thereby closing common attack vectors that are frequently exploited in phishing and brute-force attacks.
- Block basic authentication prompts: This setting specifically stops users from seeing or interacting with basic authentication pop-up dialogs (the familiar username/password prompt that appears in many older apps or browsers). Blocking basic authentication prompts helps prevent users from entering their credentials into insecure prompts, which could be easily phished. This setting is often used to protect users from accidentally providing their credentials to malicious or untrusted applications, even if legacy authentication is technically still enabled in the environment.
In summary: Blocking legacy authentication flows cuts off entire outdated sign-in methods at the protocol level, while blocking basic authentication prompts prevents users from being presented with insecure sign-in dialogs. Both are important for strengthening your organization's security posture, but they operate at different levels of the authentication process.
Figure: An admin views the status of the BSM Authentication area settings across services.
To learn more about the BSM Authentication area, check out Baseline security mode Authentication area.
BSM provides granular control and transparency for every configuration setting. Administrators can access detailed telemetry to monitor impact and, where necessary, exclude specific users or applications.
For example, when you opt in to BSM, phishing-resistant authentication for administrators becomes mandatory. However, you may choose to temporarily exempt certain administrators—either to allow time for setup or to accommodate critical business requirements—while maintaining overall security posture.
Another example: You may want to review all application traffic using the legacy Exchange Web Services (EWS) protocol. This visibility allows you to engage app owners and guide them toward adopting modern, secure protocols. Once migration is complete, you can confidently disable the legacy protocol. For deeper analysis, you also have the option to download a detailed report in CSV format.
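As an added illustration (not Microsoft's code and not BSM's own telemetry pipeline), the following Python sketch shows the kind of impact check that the Authentication area and the EWS review above describe: classify sign-in records by client protocol, count what "Block legacy authentication flows" would have rejected, and list the user/app pairs to engage before the block is made permanent. The records are constructed, and the field names (`clientAppUsed`, `userPrincipalName`, `appDisplayName`) mirror the Entra sign-in log schema as an assumption.

```python
"""Simulate the impact of blocking legacy authentication on sign-in records."""
from collections import defaultdict

# Client protocols that cannot carry MFA / Conditional Access and that a
# legacy-authentication block would reject (label set assumed from Entra logs).
LEGACY_CLIENT_APPS = {
    "POP3", "IMAP4", "Authenticated SMTP", "Exchange Web Services",
    "Exchange ActiveSync", "Other clients",
}

# Constructed sample sign-ins, not real tenant telemetry.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Outlook",
     "clientAppUsed": "Mobile Apps and Desktop clients"},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "LegacyMailer",
     "clientAppUsed": "IMAP4"},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "LegacyMailer",
     "clientAppUsed": "IMAP4"},
    {"userPrincipalName": "svc-crm@contoso.example", "appDisplayName": "CRM Sync",
     "clientAppUsed": "Exchange Web Services"},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Browser",
     "clientAppUsed": "Browser"},
]


def simulate_legacy_block(signins):
    """Return what a legacy-auth block would have rejected: per-protocol counts
    plus the (user, app) pairs whose owners must be engaged first."""
    by_protocol = defaultdict(int)
    affected = defaultdict(set)  # (user, app) -> set of legacy protocols used
    for rec in signins:
        proto = rec.get("clientAppUsed", "")
        if proto in LEGACY_CLIENT_APPS:
            by_protocol[proto] += 1
            affected[(rec["userPrincipalName"], rec["appDisplayName"])].add(proto)
    return {
        "would_block": sum(by_protocol.values()),
        "total": len(signins),
        "by_protocol": dict(by_protocol),
        "affected": {pair: sorted(protos) for pair, protos in affected.items()},
    }


def csv_report(result):
    """Flatten the affected list into CSV rows for follow-up with app owners."""
    rows = ["user,app,protocols"]
    for (user, app), protos in sorted(result["affected"].items()):
        rows.append(f"{user},{app},{';'.join(protos)}")
    return "\n".join(rows)


if __name__ == "__main__":
    r = simulate_legacy_block(SAMPLE_SIGNINS)
    print(f"{r['would_block']} of {r['total']} sign-ins would be blocked")
    print(csv_report(r))
```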
Figure 4: Admins can view telemetry insights on legacy Exchange Web Services (EWS) protocol usage.
Files Area
Microsoft 365 apps, such as Word, Excel, and PowerPoint, are used globally to power productivity. However, legacy file formats like Word (.doc) pose significant security risks. We strongly recommend transitioning to modern, secure file formats to protect your organization.
Even more critical is eliminating ActiveX controls embedded in Office files, which introduce vulnerabilities. With BSM, you can enforce these best practices seamlessly, helping your organization adopt secure standards with confidence.
Figure 5: Admins can view the status of Baseline security mode (BSM) Files pillar settings for Microsoft 365 Apps.
Once you consent to view detailed telemetry, BSM provides deep insights to guide your decisions. You can view usage analytics for file-related settings, such as how many users are still working with legacy Office documents that include ActiveX controls, and the number of these files opened in your tenant during the last 28 days.
This level of granular visibility empowers administrators to take targeted actions—such as educating users and driving adoption of modern, secure Office file formats—strengthening your organization’s overall security posture.
Figure 6: Admins can view telemetry insights on ActiveX control usage within Microsoft 365 Apps across their organization.
To learn more about BSM's Files area settings, check out Secure file formats.
Room devices Area
In BSM, the Room Devices area includes two critical best-practice settings that we strongly recommend implementing:
- Block unmanaged devices and resource account sign-ins to Microsoft 365 apps.
- Restrict resource accounts on Teams Rooms devices from accessing Microsoft 365 files presented during meetings.
Applying these configurations helps ensure that meeting environments remain secure and that sensitive content is protected from unauthorized access.
To learn more about these settings, check out:
- Block unmanaged devices and resource account sign-ins to Microsoft 365 apps
- Restrict resource accounts access
Get started
Microsoft Baseline security mode is now rolling out.
If you are an existing Microsoft 365 customer, simply navigate to:
Microsoft 365 admin center → Org Settings → Security & Privacy → Baseline security mode
Sign in with your Microsoft 365 admin account to access these settings: Settings - Microsoft 365 admin center.
If you are new to Microsoft 365, learn how to try or buy a Microsoft 365 subscription.
BSM simplifies compliance and audit readiness, enhances visibility through built-in dashboards and telemetry, and provides a predictable, secure-by-default foundation. This proactive approach reduces legacy risks and delivers robust protection for organizations of all sizes.
References (including other Ignite blogs):
- Copilot Control System and IT news Ignite blog - https://aka.ms/CCSIgnite2025
- Security blog - https://aka.ms/SecurityBlog_Ignite2025
- Copilot readiness content governance blog - https://aka.ms/SPOCopilotReadyGovernance
- Baseline security mode settings in the Microsoft 365 Admin center - https://learn.microsoft.com/microsoft-365/baseline-security-mode/baseline-security-mode-settings
- Microsoft Corporate adopts BSM - https://aka.ms/msd-baselinesecuritymode
Thank you!
Sesha Mani
Partner Group Product Manager
Alex Pozin
Director, Product Marketing Manager