Guide to implementing CIS Controls with Microsoft 365 Business Premium
Published Sep 22 2020 07:59 AM 20.7K Views

This guide summarizes recommendations for implementing critical cybersecurity controls defined by the Center for Internet Security (CIS) when using Microsoft 365 Business Premium. 


Microsoft 365 Business Premium is a comprehensive suite of collaboration products and enterprise-grade security tools curated specifically for businesses with 1 to 300 employees. It includes Office productivity apps and services plus advanced security  and device management capabilities to help defend businesses against cyberthreats, protect data, and secure devices. This guide will detail how to implement these advanced security capabilities while applying the CIS Controls framework.


About CIS Controls cybersecurity framework:

CIS Controls cybersecurity framework is a list of the top 20 controls or objectives for any organization to meet, in order to achieve basic cybersecurity hygiene. Meeting these controls can significantly reduce your risks of cybersecurity incidents. 


The 20 CIS Controls are broken down into three categories: 

  • Basic (CSC #1-6): These fundamental controls should by implemented first because Foundational & Organizational controls depend on them. An inadequate implementation of any basic control may undermine subsequent controls in the framework. 
  • Foundational (CSC #7-16): These are largely technical controls—the bits and bytes that you can modify to better protect your users, devices, apps, and data. 
  • Organizational (CSC #17-20)Process and procedural controls addressing less technical aspects of cybersecurity including training and awareness, incident response planning, and more.  

CIS controls.JPG


In addition to these categories, there are also a series of sub-controls under each major control. Not every organization needs to implement every sub-control. To guide organizations' level of engagement and commitment to the cybersecurity program, these sub-controls are arranged into Implementation Groups as follows: 

  • Implementation Group IG1Most small and mid-sized organizations, who tend to have limited resources and budget for cybersecurity, should focus on Implementation Group 1. IG1 is considered to be a security baseline for organizations of all types, and will help mitigate the most common attacks observed today. 
  • Implementation Group IG2Small or Mid-sized organizations who are ready to dedicate more capacity in terms of planning and budget to cybersecurity should follow Implementation Group 2. This will help them to advance more advanced cybersecurity objectives such as Information Protection.  
  • Implementation Group IG3: Enterprise organizations with a larger attack area and dedicated cybersecurity resources may want to follow IG3. These organizations deal with advanced threats and adversaries.

To learn more about CIS Controls click here.


Applying the CIS Controls framework with Microsoft 365

Let's go through IG1 and a few IG2 sub-controls that you can deliver with your Microsoft 365 Business Premium deployment.  You can also see this video where Alex Fields, whose blog has great tips on helping small and medium-sized businesses succeed with the Microsoft Cloud, and I talk through these sub-controls.



1. Inventory and Control of Hardware

Implementation Group 1 sub-controls include:

1.4 Maintain a Detailed Asset Inventory: Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process corporate information. This inventory shall include all assets, whether connected to the organization’s network or not. 

1.6 Address Unauthorized Assets: Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.


The simplest way to maintain a detailed asset inventory of end user computing devices is to enroll them in Intune. Enrollment is easy; however, the steps used to enroll devices will vary depending what type of device it is. These steps generally apply to devices the company owns or controls.

  • To onboard existing Active Directory joined PCs we recommend configuring Hybrid Azure AD join, which allows Windows 10 PCs currently managed in on-premises Active Directory to also be managed through Azure AD. This approach allows users to retain their existing Windows user profiles. If you join computers directly to Azure AD without configuring a hybrid setup, new user profiles will be created on the devices, which will not allow them to access their local files, favorites, and other customizations. For more information see Enable domain-joined Windows 10 devices to be managed by Microsoft 365 for business.
  • Provision new/refreshed company PCs: To set up a PC that is newly purchased or repurposed for a new employee, we recommend Windows Autopilot. Autopilot eliminates the need for traditional imaging and helps set up devices ready for productive use upon receipt by the user. Autopilot can also join the device to Azure AD and enroll in Intune. In this situation, we’re starting with a fresh profile, so hybrid Azure AD joining the device isn’t necessary. The user can still access resources secured by the on-premises Active Directory such as apps, file shares, and printers from a computer that is Azure AD joined. This approach also has an advantage over hybrid device join for new/refreshed company PCs, because hybrid device join requires a network connection to an Active Directory server which is usually not optimal for remote work scenarios.
  • For devices that are not running Windows 10, see the following guides:

In addition to end user computing devices, you will also need to keep an inventory of other devices such as firewalls, switches, wireless access points, and network printers. Microsoft 365 does not include an asset tracking capability for these; however, a manual inventory of these other devices with asset tagging is acceptable to meet the control to Implementation Group 1. You can also automate asset tracking of other devices to further reduce your risk due to human error.


Once you have all of your devices enrolled, you should enable a Conditional Access policy to enforce the access control and require devices to be marked as compliant. That means if a device wants access to corporate resources such as Email or Teams, it must be enrolled and marked compliant. This ensures that you have complete control of endpoints accessing company data, and that no endpoints escape your visibility and control. Follow the steps in this article to apply Device-based Conditional Access rules to your tenant. 


2. Inventory and Control of Software 

For Implementation Group 1, meeting this control means having an accurate picture of all the software that is installed and used in the organization, as well as having an understanding of which packages are approved and not approved (the idea is that you should regularly remove or block unapproved packages). 

2.1 Maintain Inventory of Authorized Software: Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system. 

2.2 Ensure Software Is Supported by Vendor: Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system. 

2.6 Address Unapproved Software: Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.


Intune will give you visibility into the software packages that are installed on your endpointsTherefore, if you have already completed the first control and onboarded devices into the Intune service, then you are already on your way toward meeting this control. To fully meet the spirit of this control, you will want a strategy to control the software installations. This will also help users stay productive by ensuring the software they need is available and up to date.


You can leverage Intune to push approved software application packages, and then use Autopilot deployment profiles to remove the local administrator rights (so that end users cannot install their own software). For more information on adding apps to Intune see Add apps to Microsoft Intune. For more information on setting up Autopilot deployment profiles see Configure Autopilot profiles.


Microsoft 365 Business Premium also includes a feature known as Cloud App Discovery. This tool allows an organization to identify “Shadow IT” apps (i.e. unmanaged apps) that are in use in the environment. Once evidence of Shadow IT has been uncovered, then the organization can decide whether they want to take steps to protect and manage those outside applications, or whether to block them instead. See this article to get started: Basic setup for Cloud App Security.


3. Continuous Vulnerability Management 

Microsoft 365 allows you configure software updates for the operating system (Windows) as well as Microsoft Office products, but not third-party software. The first implementation group (IG1) covers both: 

  • 3.Deploy Automated Operating System Patch Management Tools: Deploy automated update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor. 
  • 3.5 Deploy Automated Software Patch Management Tools: Deploy automated update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor. 


For help configuring Windows updates, see this article: Manage Windows 10 software updates in Intune.


3rd party software patches can be managed in Intune with 3rd party add-ons; however, this is beyond the scope of this guide.


It is important to note that Microsoft Defender ATP, an add-on product available via Cloud Solutions Providers (CSPs), includes a feature known as Threat and Vulnerability Management that highlights active vulnerabilities on your endpoints (whether associated with first or third-party software packages), along with Common Vulnerability Scoring System (CVSS) ratings, and mitigation details. While not exactly in the spirit of the first implementation group, it does help to address other sub-controlswhich reference vulnerability scans (on endpoints). See this article for more information about Threat and vulnerability management in MDATP.


4. Controlled Use of Administrative Privileges 

The spirit of this control is fairly simple; the idea is to contain or limit the use of administrative privileges as much as possible. In the context of Microsoft 365, this applies to two areas in particular: privileges in the cloud, and privileges on the endpoint.

4.2 Change Default Passwords: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. 

4.3 Ensure the Use of Dedicated Administrative Accounts: Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities.


For traditional hardware assets such as servers, switches, wireless access points, and other network devices you should use strong, unique passwords. If you have on-premises Active Directory you can use RADIUS for authentication, authorization, and accounting. For more information see RADIUS Authentication, Authorization, and Accounting .


You should use dedicated accounts for administration that are not licensed for productivity software.  For example, if my primary user account is I would not assign any administrative roles to that account, instead I would create for administrative activities and not assign a license. On the endpoints, this also means that users should not be local administrators on their computers. This can be accomplished using Autopilot profiles within Intune, which was discussed in CSC #2, above. For more information see Securing privileged access for hybrid and cloud deployments in Azure AD.


Even though these steps cover the requirements of IG1, it is recommended for most organizations to consider incorporating one more sub-control from IG2, covering Multi-factor authentication (MFA): 

  • 4.5 Use Multi-Factor Authentication for All Administrative AccessUse multi-factor authentication and encrypted channels for all administrative account access. 

MFA can be enabled for cloud apps using Security Defaults or Conditional Access policies, and on the endpoints using Windows Hello for Business.


5. Secure Configuration of Hardware and Software 

As part of IG1, the CIS controls recommends documenting your security settings and baseline policies that you choose to implement (separately from the technical enforcement system): 

5.1 Establish Secure ConfigurationsMaintain documented security configuration standards for all authorized operating systems and software.


When you apply baseline configurations, you need to be sure that your customer understands and accepts the impacts (and if they need to make exceptions to the policy for some business reason or another, you can document that as well). 


If you are using Intune to configure security settings on your endpoints, then you will be meeting some of the controls in IG2, as well. For example: 

5.4 Deploy System Configuration Management Tools: Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.


A quick and easy way to apply a security policy is to add a Windows 10 Device Configuration policy  under Devices > Policies.  This will create an Intune policy for you with just a few clicks. See this article for more details. For comprehensive guidance to all of the settings available in Intune, refer to the article: Apply features and settings on your devices using device profiles in Microsoft Intune.


For more advanced security configuration, check out Endpoint security > Security Baselines. These profiles are updated regularly by Microsoft according to their best practices. Note that some features may only be compatible with Windows 10 Enterprise and may not apply to Microsoft 365 Business Premium / Windows 10 Pro environments. For more information see Use security baselines to configure Windows 10 devices in Intune.


Many IT service providers will prefer to create their own custom Device configuration profiles and/or Endpoint security profiles. These will have the same settings available, but enables smaller, more discreet policies that are easier to manage (you could exclude a system or user from a single policy rather than an entire set of baseline settings in one giant policy). It is worth mentioning that applying some of these profiles will help you to meet other, later controls from the Foundational category.


6. Maintenance, Monitoring, and Analysis of Audit Logs 

Audit logging is critical to being able to effectively detect and respond to cybersecurity incidents. Without logging enabled, there is very often no or extremely low visibility into potential threats and incidents.

6.2 Activate Audit LoggingEnsure that logging has been enabled on all systems and networking devices. 

Plan to enable the Unified Audit Log for all of the cloud applications in Microsoft 365. For more details see: Turn audit log search on or offThis also enables Alert policies in the Security & Compliance centerwhich will be important for detecting anomalous events. 


With regard to endpoint devices, the most interesting data becomes visible only with a subscription to Microsoft Defender ATPwhich is an add-on product available from CSPs.


We hope this article helps make it easier to get started with CIS Controls. These controls are a great starting point for implementing a well known and highly respected cybersecurity framework and are compatible with other frameworks and programs. For more information on compliance with security and regulatory frameworks, be sure to check out Compliance Manager and Compliance Score. You can learn more by signing into the Microsoft Service Trust Platform.

1 Comment
Version history
Last update:
‎Sep 22 2020 10:49 AM
Updated by: