Common CIS Control Gaps in Microsoft 365 Environments
The CIS Microsoft 365 Benchmark gaps we see most often — identity, email, SharePoint, Teams, Defender and audit — with practical remediation guidance.
By Alexander Starostin · 3 July 2026
The CIS Microsoft 365 Foundations Benchmark is one of the most useful checklists available for Microsoft 365 administrators. It is free, regularly updated and mapped against the broader CIS Controls — which in turn map to ISO 27001, NIST CSF and most national equivalents. When Cleverina runs a posture assessment against it, the same gaps appear again and again.
This article calls out the most common ones, grouped by area, with the remediation we recommend.
Identity and access
- Legacy authentication not blocked: still the single most common finding. Disable basic auth at the Conditional Access layer and confirm with sign-in logs.
- Per-user MFA in place of Conditional Access policies: works, but is impossible to manage at scale and breaks reporting. Migrate to policy-based enforcement.
- Global Administrator role used for daily work: violates least privilege. Move to Privileged Identity Management with just-in-time activation and approval.
- Self-service password reset not enforced for admins or not requiring MFA on reset: a single missing control here negates the rest of the identity stack.
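The first three findings above come together in one Conditional Access change plus a sign-in log review. The following is an added example (not code from the original article) using the Microsoft Graph PowerShell SDK: it creates a report-only policy that blocks the legacy client app types, excluding an assumed break-glass group (placeholder object id), and then groups the last 30 days of sign-ins by client app so you can see which users and protocols would be caught before switching the policy to enforced.

```powershell
# Added example (not from the original article): block legacy authentication with a
# Conditional Access policy and confirm from sign-in logs. Requires the Microsoft.Graph
# module. The break-glass group id is a placeholder you must replace.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All"

$breakGlassGroupId = "<break-glass-group-object-id>"   # placeholder: emergency-access accounts

$policy = @{
    displayName = "CIS - Block legacy authentication"
    # Start in report-only mode; switch to "enabled" once the sign-in review below is clean.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
        # "exchangeActiveSync" and "other" are the legacy client app types;
        # "browser" and "mobileAppsAndDesktopClients" are the modern-auth ones.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm from sign-in logs: list every non-modern client app seen in the last 30 days,
# grouped by protocol and user, so the owners of those sign-ins can be contacted.
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$modern = @("Browser", "Mobile Apps and Desktop clients")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -and ($modern -notcontains $_.ClientAppUsed) } |
    Group-Object ClientAppUsed, UserPrincipalName |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

Leave the policy in report-only mode until the grouped output is empty or contains only entries you have explicitly accepted; on a large tenant, narrow the `-Filter` window before using `-All`, since the sign-in log can be very large.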
Email and Exchange Online
- External mail not tagged: users cannot easily distinguish internal from external senders. Enable external-sender warnings.
- Auto-forwarding to external addresses not blocked: a classic data-exfiltration path during account takeover. Block at the transport-rule layer.
- SPF, DKIM and DMARC incomplete: DMARC in particular is often left at p=none indefinitely. Move to quarantine and then reject once monitored.
- Safe Links and Safe Attachments policies not applied to all users: scope creep is common after pilot rollouts.
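The first three email findings can be closed and verified from Exchange Online PowerShell. The following is an added example (not the article's own code) that enables external-sender tagging, blocks auto-forwarding at the outbound spam policy, the default remote domain and a transport rule, and then parses the `_dmarc` TXT record for every authoritative accepted domain so that domains still at `p=none` (or with no record) stand out. It assumes the ExchangeOnlineManagement module and `Resolve-DnsName` from the Windows DnsClient module; the transport rule name and rejection text are constructed values.

```powershell
# Added example (not from the original article): apply the Exchange Online controls
# above and audit DMARC policy for every authoritative domain in the tenant.
Connect-ExchangeOnline

# 1. Tag mail from outside the organization in Outlook clients.
Set-ExternalInOutlook -Enabled $true

# 2. Block automatic forwarding to external recipients on three layers.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
New-TransportRule -Name "Block auto-forward to external recipients" `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -RejectMessageReasonText "Automatic forwarding to external recipients is blocked by policy."

# 3. DMARC: read the _dmarc TXT record and report the p=, sp= and pct= tags.
function Get-DmarcPolicy {
    param([Parameter(Mandatory)][string]$Domain)
    $answers = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' }
    if (-not $answers) {
        # No record at all: receivers treat this like p=none, so report it explicitly.
        return [pscustomobject]@{ Domain = $Domain; Policy = 'missing'; Subdomain = $null; Pct = $null }
    }
    # A TXT record longer than 255 bytes is returned as several strings; join them first.
    $record = ($answers | Select-Object -First 1).Strings -join ''
    $tags = @{}
    foreach ($pair in ($record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    $pct = if ($tags['pct']) { $tags['pct'] } else { '100' }   # pct defaults to 100 per RFC 7489
    [pscustomobject]@{
        Domain    = $Domain
        Policy    = $tags['p']       # none / quarantine / reject
        Subdomain = $tags['sp']      # empty means subdomains inherit p=
        Pct       = $pct
    }
}

Get-AcceptedDomain | Where-Object DomainType -eq 'Authoritative' |
    ForEach-Object { Get-DmarcPolicy -Domain "$($_.DomainName)" } |
    Sort-Object Policy | Format-Table -AutoSize
```

Run the DMARC check before and after each policy step: move a domain from `none` to `quarantine` only once the aggregate reports show no legitimate senders failing alignment, and treat a `Pct` below 100 as a temporary state rather than a finished control.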
SharePoint, OneDrive and Teams
- Anonymous sharing links enabled by default: rarely intentional, frequently still on.
- External sharing not restricted to verified guests: leads to long-lived shares to personal email addresses.
- Default link permissions set to 'Anyone' rather than 'Specific people': a one-click data leak waiting to happen.
- Guest expiration and access reviews not configured: guest accounts accumulate indefinitely.
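All four sharing findings are tenant-level settings in SharePoint Online PowerShell. The following is an added example (not from the original article) that records the current values, applies defaults that remove anonymous links, make "Specific people" the default link with view-only permission, tie guest acceptance to the invited account and expire guest access, and then lists sites that still carry a site-level anonymous-sharing setting. It assumes the Microsoft.Online.SharePoint.PowerShell module; the admin URL uses a placeholder tenant name and the 60-day expiry is an assumed value.

```powershell
# Added example (not from the original article): review and correct tenant-wide
# sharing defaults, then find sites still set to anonymous sharing at site level.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"   # placeholder tenant name

# Current state first; keep this output as evidence for the benchmark report.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    RequireAcceptingAccountMatchInvitedAccount, ExternalUserExpirationRequired, ExternalUserExpireInDays

# Tenant defaults mapped to the four gaps above:
#  - ExternalUserSharingOnly: no anonymous ("Anyone") links, guests must authenticate
#  - DefaultSharingLinkType Direct: "Specific people" is the default link
#  - DefaultLinkPermission View: new links are read-only unless the user changes them
#  - guests accept with the invited account and their access expires (60 days assumed)
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Direct `
    -DefaultLinkPermission View `
    -RequireAcceptingAccountMatchInvitedAccount $true `
    -ExternalUserExpirationRequired $true `
    -ExternalUserExpireInDays 60

# The tenant setting now caps every site, but sites configured for anonymous sharing
# before the change keep that value; list them and bring them in line so the setting
# does not silently come back if the tenant value is ever relaxed.
$loose = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' }
$loose | Select-Object Url, Owner, SharingCapability, LastContentModifiedDate
$loose | ForEach-Object { Set-SPOSite -Identity $_.Url -SharingCapability ExternalUserSharingOnly }
```

Guest expiration applies to guests added after the setting is enabled, so pair it with a one-off review of existing guest accounts rather than assuming the backlog clears itself.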
Defender and threat protection
- Defender for Office 365 policies left at preset 'Standard' without reviewing exclusions.
- Defender for Endpoint not deployed to all in-scope devices, or device compliance not required by Conditional Access.
- Alert notifications not routed to a monitored mailbox or SIEM: alerts exist, no one reads them.
Audit and logging
- Unified audit log not enabled tenant-wide, or retention left at the default 180 days when longer retention is licensed.
- Mailbox audit logging disabled for service accounts that handle sensitive workflows.
- Sign-in and audit logs not exported to a long-term store for forensic use beyond the in-tenant retention window.
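The three audit findings can be checked and fixed from Exchange Online PowerShell. The following is an added example (not the article's own code) that turns on unified audit log ingestion if it is off, sets mailbox auditing on by default and flags mailboxes that opt out or retain less than a year (an assumed threshold), and pages a window of the unified audit log out to CSV for long-term storage. It assumes the ExchangeOnlineManagement module; the export path is a constructed location.

```powershell
# Added example (not from the original article): enable unified and mailbox auditing,
# flag weak mailbox audit settings, and export the unified audit log to CSV.
Connect-ExchangeOnline

# 1. Unified audit log ingestion on for the tenant.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing on by default, then find mailboxes with auditing disabled or
#    retention under 365 days (assumed threshold). AuditLogAgeLimit comes back as
#    "90.00:00:00"-style text, so it is cast to a TimeSpan before comparing.
Set-OrganizationConfig -AuditDisabled $false
$weak = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    Where-Object {
        $_.AuditEnabled -eq $false -or ([TimeSpan]"$($_.AuditLogAgeLimit)").TotalDays -lt 365
    }
$weak | Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit
$weak | ForEach-Object {
    Set-Mailbox -Identity $_.UserPrincipalName -AuditEnabled $true -AuditLogAgeLimit 365
}

# 3. Export a time window of the unified audit log in pages of 5000 records so it
#    survives beyond the in-tenant retention window. Returns the number of records written.
function Export-UnifiedAuditLogWindow {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [Parameter(Mandatory)][string]$Path
    )
    # A fixed SessionId plus ReturnLargeSet makes each call return the next page.
    $sessionId = "ual-export-$($Start.ToString('yyyyMMdd'))-$([guid]::NewGuid())"
    $total = 0
    do {
        $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) {
            # AuditData holds the JSON payload; keep it intact for parsing in the SIEM.
            $page | Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
                Export-Csv -Path $Path -Append -NoTypeInformation
            $total += @($page).Count
        }
    } while ($page -and @($page).Count -gt 0)
    return $total
}

$exportPath = "C:\audit-export\ual-$(Get-Date -Format yyyyMMdd).csv"   # constructed location
Export-UnifiedAuditLogWindow -Start (Get-Date).AddDays(-7) -End (Get-Date) -Path $exportPath
```

`Search-UnifiedAuditLog` returns at most 50,000 records per session, so on a busy tenant split the export into shorter windows (a day or less) and schedule it; the same loop also works for backfilling a SIEM connector that has fallen behind.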
An anonymized example
A 600-user organization scored 64% against the CIS Level 1 benchmark on first review. The single largest cluster of gaps was sharing: anonymous links enabled, default link type set to Anyone, and no guest expiration. None of these required new licensing — only configuration and a short user-comms note. After remediation the score moved to 87% within six weeks, and external-sharing volume measured through Defender for Cloud Apps dropped by roughly 40% as users adopted the more deliberate sharing flow.
Practical recommendations
- Run the benchmark at least twice a year and after every major Microsoft 365 feature rollout.
- Treat the report as a backlog, not a slide. Each finding gets an owner, a date and a decision.
- Pair the benchmark with Secure Score so you have both a Microsoft-native and an industry-standard view of the tenant.
- Capture exceptions formally — accepted risks are valid, undocumented ones are not.
Conclusion
The CIS Microsoft 365 Benchmark rewards the boring work: configuration discipline, lifecycle management and documented exceptions. None of the gaps above are exotic, and most can be closed without new tooling. Our Microsoft governance services include scoped CIS reviews and remediation roadmaps — see the services page or reach out via contact if you want a second pair of eyes.