Checklist Summary:

Microsoft 365 (M365) Exchange Online is a cloud-based messaging platform that gives users easy access to their email and supports organizational meetings, contacts, and calendars. This Secure Configuration Baseline (SCB) provides specific policies to strengthen Exchange Online security. Many admin controls for Exchange Online are found in the Exchange admin center. However, several of the security features for Exchange Online are shared between Microsoft products and are configured in either the Microsoft 365 Defender portal or Microsoft Purview compliance portal. Generally speaking, the use of Microsoft Defender is not strictly required for this baseline. When noted, alternative products may be used in lieu of Defender, on the condition that they fulfill these required baseline settings.

Checklist Role:

• Application Server
• Enterprise Email Server
• Enterprise Mail Server

Known Issues:

Not Provided

Target Audience:

The CISA SCuBA SCBs for M365 help secure federal information assets stored within M365 cloud business application environments through consistent, effective, and manageable security configurations. CISA created baselines tailored to the federal government’s threats and risk tolerance with the knowledge that every organization has different threat models and risk tolerance. Non-governmental organizations may also find value in applying these baselines to reduce risks.

Target Operational Environment:

• Managed
• Standalone

Testing Information:

Not Provided

Regulatory Compliance:

Not Provided

Comments/Warnings/Miscellaneous:

Not Provided

Disclaimer:

The information in this document is being provided “as is” for INFORMATIONAL PURPOSES ONLY. CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial entities or commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoritism by CISA. This document does not address, ensure compliance with, or supersede any law, regulation, or other authority. Entities are responsible for complying with any recordkeeping, privacy, and other laws that may apply to the use of technology. This document is not intended to, and does not, create any right or benefit for anyone against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

Product Support:

CyberSharedServices@cisa.dhs.gov

Point of Contact:

CyberSharedServices@cisa.dhs.gov

Sponsor:

Not Provided

Licensing:

Portions of this document are adapted from documents in Microsoft’s M365 and Azure GitHub repositories. The respective documents are subject to copyright and are adapted under the terms of the Creative Commons Attribution 4.0 International license. Sources are linked throughout this document. The United States government has adapted selections of these documents to develop innovative and scalable configuration standards to strengthen the security of widely used cloud-based software services. Microsoft Purview Audit (Premium) logging capabilities, including creating a custom audit log retention policy, requires E5/G5 licenses or E3/G3 licenses with add-on compliance licenses. Additionally, maintaining logs in the M365 environment for longer than one year requires an add-on license. For more information, see Licensing requirements | Microsoft Docs. However, this requirement can also be met by exporting the logs from M365 and storing them with your solution of choice, in which case audit log retention policies are not necessary.

Change History:

checklist approved - 2/12/2024
updated to final - 3/11/2024
Changes Approved - 11/29/2024

Dependency/Requirements:

URL	Description

References:

Reference URL	Description
https://www.microsoft.com/en-us/security/blog/2023/07/19/expanding-cloud-logging-to-give-customers-deeper-security-visibility/	Expanding cloud logging to give customers deeper security visibility

NIST checklist record last modified on 11/29/2024