What's New in the CIS Microsoft 365 benchmark v6.0.1: Key security controls for Microsoft 365 admins
The CIS Microsoft 365 Benchmark v6.0.1 is here - and for Microsoft 365 admins and security teams, it brings 12 new controls worth knowing about. From enabling cloud LAPS to blocking Direct Send abuse and tightening Entra device join settings, this update closes some of the most commonly exploited attack paths in Microsoft 365. Ellis Barrett breaks down exactly what changed and where to start.
by Ellis Barrett. Published on 26 May 2026. 4 minute read.

The Center for Internet Security (CIS) released version 6.0.0 of the Microsoft 365 Foundations Benchmark on 31st October 2025, followed by version 6.0.1 on 26th February 2026. For Microsoft 365 security teams, managed service providers, and administrators, this latest CIS Microsoft 365 Benchmark update introduces practical changes that strengthen tenant hardening across identity, email, collaboration, and device security.
In this guide, I break down what changed in the CIS Microsoft 365 Benchmark v6.0.1, highlight the most important new controls, and explain which Microsoft 365 security settings organisations should prioritise first.
What is the CIS Microsoft 365 Benchmark?
CIS benchmarks are consensus-driven security configuration guidelines built by industry practitioners. The CIS Microsoft 365 Foundations Benchmark provides a prescriptive set of recommendations for hardening a Microsoft 365 tenant across Entra ID, Exchange Online, SharePoint, Teams, Purview, Intune, and Microsoft Fabric.
Each recommendation is mapped to a Level 1 (baseline, broadly applicable) or Level 2 (may impact functionality) profile.
What's changed in CIS Microsoft 365 Benchmark v6.0.1?
Version 6.0.1 introduces 12 new controls, around 30 updated controls, and 3 removed controls compared with v5.0.0. Here's a breakdown by service area:
New controls
1. Microsoft 365 admin centre
1.3.9 (L1) Ensure shared bookings pages are restricted to select users
Restricts who can publish a shared Bookings page externally, reducing the risk of unauthorised external-facing pages being created against your tenant's domain.
2. Microsoft Defender
2.1.15 (L1) Ensure outbound anti-spam message limits are in place
Caps the volume of outbound mail a single user can send, providing a circuit-breaker against a compromised account being used for outbound spam or phishing campaigns.
3. Microsoft Entra
Entra has seen by far the most new controls, with a new 5.1.4 Devices sub-section that addresses Entra join hardening end-to-end.
5.1.3.2 (L1) Ensure users cannot create security groups
Restricts security group creation to administrators, preventing unintended group sprawl and the resulting access control complexity.
5.1.4.1 (L2) Ensure the ability to join devices to Entra is restricted
Limits which users can join devices to Entra, supporting a more controlled device population.
5.1.4.2 (L1) Ensure the maximum number of devices per user is limited
Caps device registrations per user, reducing the impact of unmanaged or forgotten device registrations.
5.1.4.3 (L1) Ensure the GA role is not added as a local administrator during Entra join
Stops Global Administrator accounts from being added by default to the local administrators group during Entra join.
5.1.4.4 (L1) Ensure local administrator assignment is limited during Entra join
Restricts which users are automatically granted local administrator rights on a device during the join process.
5.1.4.5 (L1) Ensure Local Administrator Password Solution is enabled
Enables cloud LAPS at the tenant level for both Entra-joined and hybrid-joined devices.
5.1.4.6 (L2) Ensure users are restricted from recovering BitLocker keys
Limits BitLocker recovery key retrieval to administrators rather than end users, supporting least privilege on key recovery.
5.2.3.7 (L2) Ensure the email OTP authentication method is disabled
Email OTP has been split out of the previous "weak authentication methods" control (5.2.3.5) into its own dedicated Level 2 recommendation.
4. Exchange Online
6.5.5 (L2) Ensure Direct Send submissions are rejected
Blocks unauthenticated mail submissions via Direct Send. This is an actively exploited phishing vector.
5. Microsoft Teams
8.2.4 (L1) Ensure the organization cannot communicate with accounts in trial Teams tenants
Prevents communication with users in throwaway trial Teams tenants, a common vector for impersonation and social engineering.
6. Microsoft Fabric
9.1.12 (L1) Ensure service principals' ability to create workspaces, connections and deployment pipelines is restricted
Further restricts what Fabric service principals can do, building on the service principal controls introduced in v4.0.0.
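As an added example (not part of the article and not CIS's own audit script), the following Exchange Online PowerShell snippet audits the outbound anti-spam policy behind control 2.1.15 and, as a separate step, applies per-user sending caps. The threshold values are constructed placeholders for illustration; take the actual limits from the benchmark text. It assumes the ExchangeOnlineManagement module and an account holding an Exchange Online admin role.

```powershell
# Added example, not from the article or the CIS benchmark.
# Audits CIS 2.1.15 (outbound anti-spam message limits) across every
# outbound spam filter policy and reports which settings fall short.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

function Test-OutboundSpamLimits {
    param(
        # Constructed thresholds; substitute the values the benchmark specifies.
        [int]$MaxExternalPerHour = 400,
        [int]$MaxInternalPerHour = 800,
        [int]$MaxPerDay          = 1000
    )
    foreach ($policy in Get-HostedOutboundSpamFilterPolicy) {
        $findings = @()
        # In Exchange Online a value of 0 means "service default", i.e. no explicit cap.
        if ($policy.RecipientLimitExternalPerHour -eq 0 -or
            $policy.RecipientLimitExternalPerHour -gt $MaxExternalPerHour) { $findings += 'RecipientLimitExternalPerHour' }
        if ($policy.RecipientLimitInternalPerHour -eq 0 -or
            $policy.RecipientLimitInternalPerHour -gt $MaxInternalPerHour) { $findings += 'RecipientLimitInternalPerHour' }
        if ($policy.RecipientLimitPerDay -eq 0 -or
            $policy.RecipientLimitPerDay -gt $MaxPerDay)                   { $findings += 'RecipientLimitPerDay' }
        # Blocking the sender is the circuit-breaker; 'Alert' only notifies admins.
        if ($policy.ActionWhenThresholdReached -ne 'BlockUser')           { $findings += 'ActionWhenThresholdReached' }

        [pscustomobject]@{
            Policy    = $policy.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join ', ')
        }
    }
}

function Set-OutboundSpamLimits {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Identity = 'Default',
        [int]$ExternalPerHour = 400,
        [int]$InternalPerHour = 800,
        [int]$PerDay          = 1000
    )
    if ($PSCmdlet.ShouldProcess($Identity, 'Apply outbound recipient limits')) {
        Set-HostedOutboundSpamFilterPolicy -Identity $Identity `
            -RecipientLimitExternalPerHour $ExternalPerHour `
            -RecipientLimitInternalPerHour $InternalPerHour `
            -RecipientLimitPerDay $PerDay `
            -ActionWhenThresholdReached BlockUser
    }
}

# Usage: audit first, then remediate with -WhatIf to preview the change.
Test-OutboundSpamLimits | Format-Table -AutoSize
Set-OutboundSpamLimits -WhatIf
```

Run the audit against every policy rather than only Default: custom outbound policies scoped to specific users can silently carry looser limits than the default one.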
Removed controls
Three controls have been retired:
- 3.3 (L1) Ensure custom script execution is restricted on personal sites
  The setting is no longer available in SharePoint.
- 3.4 (L1) Ensure custom script execution is restricted on site collections
  The property is now automatically disabled by Microsoft after 24 hours, making the control redundant.
- 2.4 (L1) Ensure communication with Skype users is disabled
  With the consumer Skype service retired by Microsoft on 5th May 2025 (and Skype for Business Online already retired in July 2021), this control is obsolete.
Updated controls
Most of the updates focus on improving the PowerShell audit procedures: making them backward compatible, producing better output, or aligning with renamed cmdlets and admin centre blades. The most notable changes worth flagging:
- 2.3.5 (L1) Ensure weak authentication methods are disabled.
  Email OTP has been split out into its own dedicated Level 2 control (the new 5.2.3.7).
- 3.3 (L1) Ensure 'Access reviews' for privileged roles are configured.
  Maximum review duration has been tightened to 14 days.
- 8 Microsoft Teams admin centre.
  Most Teams controls have been rewritten to use the new settings and policies blade introduced by Microsoft.
- 5.4 (L1) Ensure SMTP AUTH is disabled.
  Remediation step 3 has been corrected (it previously instructed admins to uncheck the setting when it should have been checked). It is worth re-running this audit if you implemented the remediation from a prior benchmark.
Top three new CIS Microsoft 365 security controls to implement first
Of the 12 new recommendations, three stand out as high-impact, low-effort wins that every business should be rolling out.
1. 5.1.4.5 (L1) Ensure Local Administrator Password Solution is enabled
This is, in my view, the headline addition to v6.0.0. Cloud LAPS (Local Administrator Password Solution) provides automated rotation and secure storage of the built-in local administrator password for both Entra-joined and Entra hybrid-joined devices.
The risk it addresses is well-understood and very real. It's still common to find organisations using a single, shared local administrator password across an entire fleet. If an attacker compromises one device, through a phishing payload, malicious browser extension, or a stolen Intune-enrolled laptop, that single password becomes a master key for lateral movement across every other endpoint.
Why prioritise this one:
- It's a tenant-level toggle in Entra ID > Devices > Device settings.
- It's a prerequisite for the LAPS recommendations in the CIS Intune for Windows benchmarks, so enabling it now unblocks downstream endpoint hardening work.
- It costs nothing in licensing: cloud LAPS is included with all Microsoft 365 plans.
Enabling LAPS at the tenant level does not automatically rotate passwords. You'll also need to deploy a LAPS policy via Intune Endpoint security > Account protection or the Settings Catalog to actually drive enforcement on endpoints.
2. 6.5.5 (L2) Ensure Direct Send submissions are rejected
Direct Send is the mechanism that lets on-premises devices (multifunction printers, scanners, line-of-business apps) deliver email directly to Exchange Online mailboxes in your own accepted domain, with no authentication required. By design, it mimics anonymous internet mail, but uses your domain in the sender address.
Threat research from Varonis has documented active campaigns exploiting Direct Send to deliver convincing internal-spoofed phishing, no credential compromise required, just a guess at the tenant's MX endpoint and a victim's email address. Because the message originates externally but appears internal, it often bypasses both user suspicion and standard inbound filtering. The new control recommends setting the tenant-level RejectDirectSend flag to True.
Before flipping the switch:
- Audit your scan-to-email devices and any apps using Direct Send for printer-to-mailbox style mail flow. They will need to be migrated to an authenticated SMTP relay or a dedicated mail flow connector.
- Azure Communication Services (ACS) traffic using a Microsoft 365 accepted domain in MAIL FROM will be blocked. Microsoft is still working on a compatibility path for this scenario.
- Some third-party forwarding scenarios where the receiving provider doesn't support Sender Rewriting Scheme (SRS) may be affected.
It's a Level 2 control, but for any client doing serious anti-phishing work it's a must-do.
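To make the pre-flight checks above concrete, here is an added Exchange Online PowerShell example (not from the article or the benchmark) that reports the current RejectDirectSend state, lists the inbound connectors that authenticated devices would need to use instead, and only sets the flag when explicitly asked. It assumes the ExchangeOnlineManagement module; the function names are my own.

```powershell
# Added example, not from the article or the CIS benchmark.
# Audit and (optionally) remediate CIS 6.5.5: reject unauthenticated Direct Send.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

function Get-DirectSendStatus {
    # RejectDirectSend is a tenant-wide switch on the organization config.
    $org = Get-OrganizationConfig
    [pscustomobject]@{
        Tenant           = $org.Name
        RejectDirectSend = [bool]$org.RejectDirectSend
        Compliant        = [bool]$org.RejectDirectSend   # control expects True
    }
}

function Get-RelayConnectors {
    # Printers, scanners and LOB apps that relied on Direct Send need either
    # authenticated SMTP submission or a dedicated inbound connector. This
    # inventory shows what already exists before the switch is flipped.
    Get-InboundConnector |
        Select-Object Name, Enabled, ConnectorType, SenderIPAddresses, TlsSenderCertificateName
}

function Enable-RejectDirectSend {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $status = Get-DirectSendStatus
    if ($status.RejectDirectSend) {
        Write-Host "Direct Send is already rejected for $($status.Tenant); nothing to do."
        return
    }
    if ($PSCmdlet.ShouldProcess($status.Tenant, 'Set RejectDirectSend to True')) {
        Set-OrganizationConfig -RejectDirectSend $true
    }
}

# Usage: review state and connector inventory first, then preview the change.
Get-DirectSendStatus
Get-RelayConnectors | Format-Table -AutoSize
Enable-RejectDirectSend -WhatIf
```

Keep the connector inventory output alongside your scan-to-email device list: any device whose source IP is not covered by an inbound connector (or that cannot do authenticated SMTP) will stop delivering once RejectDirectSend is True.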
3. 5.1.4.3 (L1) Ensure the GA role is not added as a local administrator during Entra join
By default, the Entra ID join process adds the Global Administrator role to the local administrators group on the device. That is exactly as dangerous as it sounds. It means any time a Global Administrator signs into an Entra-joined endpoint, they're operating with full local admin rights on that machine, and a compromised endpoint becomes an immediate path to harvesting GA credentials, tokens, or cached sessions.
With this changed to No, Global Administrator accounts must be explicitly added when local admin rights are needed. The dedicated Microsoft Entra Joined Device Local Administrator role can be used instead for routine device management, which is exactly what it was designed for and aligns with least privilege.
Remediation via UI:
- Navigate to Entra admin centre > Entra ID > Devices > Device settings.
- Set Global administrator role is added as local administrator on the device during Microsoft Entra join to No.
This is one of those settings that costs nothing, breaks nothing, and closes a real attack path.
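The Device settings blade used in the LAPS and Global Administrator sections above is backed by a single Graph resource, so the whole 5.1.4 Devices sub-section can be audited in one call. The following is an added example (not the article's or CIS's code) using the Microsoft Graph PowerShell SDK. The property names follow the Graph deviceRegistrationPolicy resource as I understand it; confirm them against the current Graph reference before relying on the output. The device-per-user threshold is a constructed placeholder, and remediation is left to the admin centre steps described above.

```powershell
# Added example, not from the article or the CIS benchmark.
# Audits the Entra device settings behind CIS 5.1.4.1 - 5.1.4.5 via Graph.
# Property names are taken from the Graph deviceRegistrationPolicy resource
# (assumption: verify against current documentation).
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.Read.DeviceConfiguration'

function Get-EntraDeviceJoinFindings {
    param(
        # Constructed threshold; use the cap the benchmark specifies.
        [int]$MaxDevicesPerUser = 10
    )
    $policy = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy'
    $join = $policy.azureADJoin
    $all  = '#microsoft.graph.allDeviceRegistrationMembership'   # "All users" in the UI

    @(
        [pscustomobject]@{
            Control = '5.1.4.1'; Setting = 'Users may join devices to Entra'
            Value   = $join.allowedToJoin.'@odata.type'
            Pass    = ($join.allowedToJoin.'@odata.type' -ne $all)          # Selected or None
        }
        [pscustomobject]@{
            Control = '5.1.4.2'; Setting = 'Maximum devices per user'
            Value   = $policy.userDeviceQuota
            Pass    = ([int]$policy.userDeviceQuota -le $MaxDevicesPerUser)
        }
        [pscustomobject]@{
            Control = '5.1.4.3'; Setting = 'GA added as local admin on join'
            Value   = $join.localAdmins.enableGlobalAdmins
            Pass    = (-not [bool]$join.localAdmins.enableGlobalAdmins)      # must be No
        }
        [pscustomobject]@{
            Control = '5.1.4.4'; Setting = 'Additional local admins on join'
            Value   = $join.localAdmins.registeringUsers.'@odata.type'
            Pass    = ($join.localAdmins.registeringUsers.'@odata.type' -ne $all)
        }
        [pscustomobject]@{
            Control = '5.1.4.5'; Setting = 'Cloud LAPS enabled'
            Value   = $policy.localAdminPassword.isEnabled
            Pass    = ([bool]$policy.localAdminPassword.isEnabled)           # must be Yes
        }
    )
}

# Usage: print the table and return non-zero if anything fails, for use in a
# scheduled compliance job.
$findings = Get-EntraDeviceJoinFindings
$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Pass }) { exit 1 }
```

A failing 5.1.4.5 row only tells you the tenant toggle is off; as noted above, a passing row still needs an Intune LAPS policy before any password is actually rotated, so pair this audit with a check of your Account protection policies.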
Why CIS Microsoft 365 Benchmark v6.0.1 matters
The biggest takeaway from CIS Microsoft 365 Benchmark v6.0.1 is that cloud LAPS is now a Level 1 recommendation, reinforcing its importance as a baseline Microsoft 365 security control. When combined with Exchange Online Direct Send protection and stronger Microsoft Entra device join settings, this update helps organisations reduce exposure to some of the most commonly exploited attack paths in Microsoft 365.
If your tenant is already aligned to CIS Microsoft 365 Benchmark v5.0.0, moving to v6.0.1 should be relatively straightforward. The update is modest in scope, but the new controls around local administrator security, Direct Send abuse prevention, and Entra device governance make it well worth prioritising in any Microsoft 365 hardening roadmap.
Need additional support?
OneAdvanced's relationship with Microsoft goes back over 30 years, over which our Digital Workplace experts have helped numerous organisations digitally transform and embrace a better way of working. Get in touch with our team today to see how we can help!
About the author
Ellis Barrett
Principal Modern Workplace Consultant
Ellis is an experienced IT professional leading Modern Workplace transformation initiatives. He brings deep expertise in device management, identity and access and automation frameworks.