CIS Benchmarks
Automate CIS Microsoft 365 Foundations Benchmark assessments across your managed tenants. OpsPilot365 Trust Center scans tenant configurations against CIS Level 1 and Level 2 controls, provides compliance scoring, and generates remediation guidance for each benchmark recommendation.
Note: CIS Benchmark scanning is part of the Trust Center add-on. It covers the complete CIS Microsoft 365 Foundations Benchmark with automated assessments for both Level 1 (essential) and Level 2 (defense-in-depth) controls. Benchmark versions are updated as CIS releases new revisions.
CIS Microsoft 365 Benchmark Overview
| Metric | Value |
|---|---|
| Total Recommendations | 150+ |
| Level 1 Controls | 85+ (essential security) |
| Level 2 Controls | 65+ (defense in depth) |
| Auto-Assessed | 95% |
Level 1 vs Level 2 Controls
| Aspect | Level 1 (L1) | Level 2 (L2) |
|---|---|---|
| Purpose | Essential security baseline for all organizations | Defense-in-depth for high-security environments |
| Impact on Usability | Minimal impact on functionality | May restrict some convenience features |
| Recommended For | All managed tenants | Regulated industries, sensitive data handling |
| License Requirement | M365 Business Basic and above | Often requires M365 E3/E5 or equivalent |
| Example Controls | MFA for admins, block legacy auth, audit logging | PIM activation, advanced DLP, app consent restrictions |
Benchmark Sections
| Section | Focus Area | Key Checks | Controls |
|---|---|---|---|
| 1. Account / Authentication | Identity and access | MFA, admin accounts, legacy auth, password policies | 22 |
| 2. Application Permissions | App consent and permissions | OAuth app consent, integrated apps, app registrations | 12 |
| 3. Data Management | Data protection | DLP policies, sensitivity labels, external sharing | 18 |
| 4. Email Security / Exchange | Exchange Online | Anti-phishing, anti-spam, DKIM, DMARC, transport rules | 28 |
| 5. Auditing | Logging and monitoring | Audit log, alert policies, mailbox auditing | 14 |
| 6. Storage | SharePoint and OneDrive | Sharing settings, guest access, link expiration | 16 |
| 7. Mobile Device Management | Intune and devices | MAM policies, compliance policies, enrollment | 12 |
| 8. Microsoft Teams | Teams settings | Guest access, external access, meeting policies, messaging | 18 |
Automated Benchmark Scanning
OpsPilot365 performs automated CIS benchmark scans by querying Microsoft Graph API, Exchange Online PowerShell, SharePoint, and Teams APIs to assess each recommendation.
- Scan Capabilities — Full benchmark scan across all sections in a single pass, per-section targeted scans for focused remediation, scheduled scans (daily, weekly, monthly), on-demand scanning for pre/post-change verification, and multi-tenant batch scanning for portfolio-wide assessment.
- Scan Results — Each recommendation receives one of the following states:
  - Pass: Configuration matches the CIS recommendation.
  - Fail: Configuration does not meet the recommendation.
  - Not Assessed: Manual verification required.
  - Not Applicable: Service not in use or not licensed.
  - Error: Scan could not evaluate the control (permissions or API issue).
Scoring and Compliance Percentage
OpsPilot365 calculates compliance percentages per section and overall, weighted by benchmark level and control applicability.
| Level | Section | Compliance |
|---|---|---|
| Level 1 | Account / Authentication | 91% |
| Level 1 | Application Permissions | 83% |
| Level 1 | Email Security | 78% |
| Level 1 | Auditing | 88% |
| Level 2 | Account / Authentication | 72% |
| Level 2 | Data Management | 65% |
| Level 2 | Email Security | 60% |
| Level 2 | Microsoft Teams | 48% |
Note: Start all new client onboardings with a CIS Level 1 baseline scan. Level 1 controls are designed to be implementable with minimal disruption and form a solid security foundation. Once Level 1 is fully addressed, evaluate Level 2 controls based on the client’s industry and risk profile. Use the comparative benchmarking feature to show clients how they compare to your portfolio average.
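One way the per-section and overall scoring described above can be computed, as an added example that is not OpsPilot365 code: Not Applicable controls are dropped from the denominator, Not Assessed and Error count as not passing (a conservative choice), and the per-level weights are assumptions since the page gives no figures. Control ids and results below are constructed.

```python
from collections import defaultdict

# Result states as listed under "Scan Results".
PASS, FAIL, NOT_ASSESSED, NOT_APPLICABLE, ERROR = (
    "Pass", "Fail", "Not Assessed", "Not Applicable", "Error")

# Assumed weights per benchmark level (the page does not state them).
LEVEL_WEIGHT = {1: 1.0, 2: 0.5}


def section_scores(results):
    """Return {(level, section): percent}.

    Not Applicable controls are excluded from the denominator; Not Assessed
    and Error are counted as not passing so unverified controls never
    inflate the score.
    """
    passed = defaultdict(int)
    applicable = defaultdict(int)
    for r in results:
        if r["status"] == NOT_APPLICABLE:
            continue
        key = (r["level"], r["section"])
        applicable[key] += 1
        if r["status"] == PASS:
            passed[key] += 1
    return {k: round(100 * passed[k] / applicable[k]) for k in applicable}


def overall_score(results):
    """Level-weighted overall percentage over all applicable controls."""
    num = den = 0.0
    for r in results:
        if r["status"] == NOT_APPLICABLE:
            continue
        w = LEVEL_WEIGHT[r["level"]]
        den += w
        if r["status"] == PASS:
            num += w
    return round(100 * num / den) if den else 0


# Constructed sample scan output (hypothetical control ids, not CIS numbering).
SAMPLE = [
    {"id": "acct-01", "section": "Account / Authentication", "level": 1, "status": PASS},
    {"id": "acct-02", "section": "Account / Authentication", "level": 1, "status": PASS},
    {"id": "acct-03", "section": "Account / Authentication", "level": 1, "status": FAIL},
    {"id": "acct-04", "section": "Account / Authentication", "level": 1, "status": NOT_ASSESSED},
    {"id": "acct-10", "section": "Account / Authentication", "level": 2, "status": PASS},
    {"id": "acct-11", "section": "Account / Authentication", "level": 2, "status": NOT_APPLICABLE},
    {"id": "mail-01", "section": "Email Security / Exchange", "level": 1, "status": PASS},
    {"id": "mail-02", "section": "Email Security / Exchange", "level": 1, "status": ERROR},
    {"id": "data-01", "section": "Data Management", "level": 2, "status": FAIL},
    {"id": "data-02", "section": "Data Management", "level": 2, "status": PASS},
    {"id": "data-03", "section": "Data Management", "level": 2, "status": PASS},
]
```

With the sample above the Level 1 Account / Authentication score is 50% (the Not Assessed control counts against it), Level 2 Account / Authentication is 100% because its Not Applicable control is excluded, and the weighted overall score is 56%.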
Remediation Guidance
- Step-by-Step Instructions — Each failing control includes detailed remediation steps with links to the relevant M365 admin center page, PowerShell commands, or Graph API calls needed to bring the control into compliance.
- Impact Assessment — Remediation guidance includes impact analysis describing how the configuration change affects end users, noting any features that may be restricted or workflows that may change.
- Auto-Remediation — Select CIS controls support one-click auto-remediation through the OpsPilot365 automation engine. All auto-remediation actions are logged, reversible, and require MSP approval before execution.
- Exception Management — Document exceptions for controls that cannot be implemented due to business requirements, with justification, risk acceptance, compensating controls, and review dates.
Evidence Requirements
| Evidence Type | Description | Collection |
|---|---|---|
| Scan Results | Full benchmark scan results with pass/fail per control | Automated, per scan |
| Configuration Snapshots | Point-in-time exports of assessed M365 settings | Automated, daily |
| Score History | Compliance percentage trends over time | Automated, per scan |
| Remediation Logs | Record of changes made to address failing controls | Automated, event-based |
| Exception Records | Documented exceptions with justifications and approvals | Manual entry |
API Reference
- GET /api/addons/trust-center/frameworks/cis/status — Get CIS benchmark compliance summary with scoring
- GET /api/addons/trust-center/frameworks/cis/controls — List all CIS recommendations with pass/fail status
- GET /api/addons/trust-center/frameworks/cis/sections/:sectionId — Get results for a specific benchmark section
- POST /api/addons/trust-center/frameworks/cis/scan — Trigger a CIS benchmark scan for a tenant
- GET /api/addons/trust-center/frameworks/cis/remediation/:controlId — Get remediation guidance for a specific failing control
- POST /api/addons/trust-center/frameworks/cis/remediate/:controlId — Execute auto-remediation for a supported control
- GET /api/addons/trust-center/frameworks/cis/history — Retrieve historical CIS benchmark scores and trends