Client Portal
Microsoft Partner 2025

Security & Compliance

Gap Analysis
CISA Baseline

Safeguarding your organization’s data, infrastructure, and users.

Get in Touch

Gap Analysis

Exchange Online

Microsoft 365 (M365) Exchange Online is a cloud-based messaging platform that gives users easy access to their email and supports organizational meetings, contacts, and calendars. This Secure Configuration Baseline provides specific policies to strengthen Exchange Online security.

Many admin controls for Exchange Online are found in the Exchange admin center. However, several of the security features for Exchange Online are shared between Microsoft products and are configured in either the Microsoft 365 Defender portal or Microsoft Purview compliance portal. Generally speaking, the use of Microsoft Defender is not strictly required for this baseline. When noted, alternative products may be used in lieu of Defender, on the condition that they fulfill these required baseline settings.

Assumptions

The License Requirements sections of this document assume the organization is using an M365 E3 license level at a minimum. Therefore, only licenses not included in E3 are listed.

Key Terminology

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.

Security Solutions

1. Automatic Forwarding to External Domains

This control is intended to prevent bad actors from using client-side forwarding rules to exfiltrate data to external recipients.

Policies

MS.EXO.1.1v2 – Automatic forwarding to external domains SHALL be disabled.

  • Rationale: Adversaries can use automatic forwarding to gain persistent access to a victim’s email. Disabling forwarding to external domains prevents this technique when the adversary is external to the organization but does not impede legitimate internal forwarding.
  • Last modified: March 2025
  • Note: Automatic forwarding MAY be enabled with specific, agency-approved domains. There may be cases where an external domain is operationally needed and has an acceptable degree of risk, e.g., a domain controlled by the same agency but that hasn’t been added as an accepted domain in M365.
  • MITRE ATT&CK TTP Mapping:

Resources

License Requirements

  • N/A
 

Security Solutions

2. Sender Policy Framework

The Sender Policy Framework (SPF) is a mechanism allowing domain administrators to specify which IP addresses are explicitly approved to send email on behalf of the domain, facilitating detection of spoofed emails. SPF is not configured through the Exchange admin center, but rather via Domain Name System (DNS) records hosted by the agency’s domain. Thus, the exact steps needed to set up SPF vary from agency to agency, but Microsoft’s documentation provides some helpful starting points.

Policies

 

MS.EXO.2.2v2 – An SPF policy SHALL be published for each domain that fails all non-approved senders.

  • Rationale: An adversary may modify the FROM field of an email such that it appears to be a legitimate email sent by an agency, facilitating phishing attacks. Publishing an SPF policy for each agency domain mitigates forged FROM fields by providing a means for recipients to detect emails spoofed in this way. SPF is required for FCEB departments and agencies by Binding Operational Directive (BOD) 18-01, “Enhance Email and Web Security”.
  • Last modified: March 2024
  • Note: SPF defines two different “fail” mechanisms: fail (indicated by -, sometimes referred to as hardfail) and softfail (indicated by ~). Fail, as used in this baseline policy, refers to hardfail (i.e., -).
  • MITRE ATT&CK TTP Mapping:

Resources

 

License Requirements

 

  • N/A

Security Solutions

3. DomainKeys Identified Mail

DomainKeys Identified Mail (DKIM) allows digital signatures to be added to email messages in the message header, providing a layer of both authenticity and integrity to emails. As with SPF, DKIM relies on DNS records; thus, its deployment depends on how an agency manages its DNS. Exchange Online Protection (EOP) features include DKIM signing capabilities.

Policies

MS.EXO.3.1v1 – DKIM SHOULD be enabled for all domains.

  • Rationale: An adversary may modify the FROM field of an email such that it appears to be a legitimate email sent by an agency, facilitating phishing attacks. Enabling DKIM is another means for recipients to detect spoofed emails and verify the integrity of email content.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

Resources

License Requirements

  • N/A

Security Solutions

4. Domain-Based Message Authentication, Reporting, and Conformance (DMARC)

Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with SPF and DKIM to authenticate mail senders and helps ensure destination email systems can validate messages sent from your domain. DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF and DKIM checks.

Policies – MS.EXO.4.1v1

 

A DMARC policy SHALL be published for every second-level domain.

  • Rationale: Without a DMARC policy available for each domain, recipients may improperly handle SPF and DKIM failures, possibly enabling spoofed emails to reach end users’ mailboxes. Publishing DMARC records at the second-level domain protects the second-level domains and all subdomains.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

MS.EXO.4.2v1 – The DMARC message rejection option SHALL be p=reject.

MS.EXO.4.3v1 – The DMARC point of contact for aggregate reports SHALL include reports@dmarc.cyber.dhs.gov.

  • Rationale: Email spoofing attempts are not inherently visible to domain owners. DMARC provides a mechanism to receive reports of spoofing attempts. Including reports@dmarc.cyber.dhs.gov as a point of contact for these reports gives CISA insight into spoofing attempts and is required by BOD 18-01 for FCEB departments and agencies.
  • Last modified: June 2023
  • Note: Only federal, executive branch, departments and agencies should include this email address in their DMARC record.
  • MITRE ATT&CK TTP Mapping:

MS.EXO.4.4v1 – An agency point of contact SHOULD be included for aggregate and failure reports.

  • Rationale: Email spoofing attempts are not inherently visible to domain owners. DMARC provides a mechanism to receive reports of spoofing attempts. Including an agency point of contact gives the agency insight into attempts to spoof their domains.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

Resources

 

License Requirements

 

  • N/A

Security Solutions

5. Simple Mail Transfer Protocol Authentication

Modern email clients that connect to Exchange Online mailboxes—including Outlook, Outlook on the web, iOS Mail, and Outlook for iOS and Android—do not use Simple Mail Transfer Protocol Authentication (SMTP AUTH) to send email messages. SMTP AUTH is only needed for applications outside of Outlook that send email messages. Multi-factor authentication (MFA) cannot be enforced while using SMTP Auth. Proceed with caution if SMTP Auth needs to be enabled for any use case.

Policies

 

MS.EXO.5.1v1 – SMTP AUTH SHALL be disabled.

  • Rationale: SMTP AUTH is not used or needed by modern email clients. Therefore, disabling it as the global default conforms to the principle of least functionality.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:
    • None

Resources

 

License Requirements

 

  • N/A

Security Solutions

6. Calendar and Contact Sharing

Exchange Online allows creation of sharing polices that soften default restrictions on contact and calendar details sharing. These policies should be enabled with caution and only after considering the following policies.

Policies

 

MS.EXO.6.1v1 – Contact folders SHALL NOT be shared with all domains.

  • Rationale: Contact folders may contain information that should not be shared by default with all domains. Disabling sharing with all domains closes an avenue for data exfiltration while still allowing for specific legitimate use as needed.
  • Last modified: June 2023
  • Note: Contact folders MAY be shared with specific domains.
  • MITRE ATT&CK TTP Mapping:

MS.EXO.6.2v1 – Calendar details SHALL NOT be shared with all domains.

  • Rationale: Calendar details may contain information that should not be shared by default with all domains. Disabling sharing with all domains closes an avenue for data exfiltration while still allowing for legitimate use as needed.
  • Last modified: June 2023
  • Note: Calendar details MAY be shared with specific domains.
  • MITRE ATT&CK TTP Mapping:

Resources

 

License Requirements

 

  • N/A

Security Solutions

7. External Sender Warnings

Mail flow rules allow incoming email modification, such that email from external users can be easily identified (e.g., by prepending the subject line with “[External]”).

Policies

 

MS.EXO.7.1v1 – External sender warnings SHALL be implemented.

  • Rationale: Phishing is an ever-present threat. Alerting users when email originates from outside their organization can encourage them to exercise increased caution, especially if an email is one they expected from an internal sender.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

Resources

 

License Requirements

 

  • N/A

Security Solutions

8. Data Loss Prevention Solutions

Data loss prevention (DLP) helps prevent both accidental leakage of sensitive information as well as intentional exfiltration of data. DLP forms an integral part of securing Microsoft Exchange Online. There are several commercial DLP solutions available that document support for M365. Microsoft itself offer DLP services, controlled within the Microsoft Purview compliance portal. Agencies may select any service that fits their needs and meets the requirements outlined in this baseline setting. The DLP solution selected by an agency should offer services comparable to those offered by Microsoft.

Though use of Microsoft’s DLP solution is not strictly required, guidance for configuring Microsoft’s DLP solution can be found in the following section of the CISA M365 Secure Configuration Baseline for Defender for Office 365.

Policies

 

MS.EXO.8.1v2 – A DLP solution SHALL be used.

MS.EXO.8.2v2 – The DLP solution SHALL protect personally identifiable information (PII) and sensitive information, as defined by the agency.

MS.EXO.8.3v1 – The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft.

MS.EXO.8.4v1 – At a minimum, the DLP solution SHALL restrict sharing credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITIN), and U.S. Social Security numbers (SSN) via email.

Resources

 

  • None

License Requirements

 

  • N/A

Security Solutions

9. Attachment File Type

For some types of files (e.g., executable files), the dangers of allowing them to be sent via email outweigh any potential benefits. Some services, such as the Common Attachment Filter of Microsoft Defender, filter emails based on the attachment file types. Using Microsoft Defender for this purpose is not required. However, the solution selected by an agency should offer services comparable to those offered by Microsoft.

Though using Microsoft Defender’s solution is not strictly required for this purpose, guidance for configuring the Common Attachment Filter in Microsoft Defender can be found in the follow section of the CISA M365 Secure Configuration Baseline for Defender for Office 365.

Policies

 

MS.EXO.9.1v2 – Emails SHALL be filtered by attachment file types.

  • Rationale: Malicious attachments often take the form of click-to-run files. Sharing high risk file types, when necessary, is better left to a means other than email; the dangers of allowing them to be sent over email outweigh any potential benefits. Filtering email attachments based on file types can prevent spread of malware distributed via click-to-run email attachments.
  • Last modified: May 2024
  • MITRE ATT&CK TTP Mapping:

MS.EXO.9.2v1 – The attachment filter SHOULD attempt to determine the true file type and assess the file extension.

MS.EXO.9.3v2 – Disallowed file types SHALL be determined and enforced.

  • Rationale: Malicious attachments often take the form of click-to-run files, though other file types can contain malicious content as well. As such, determining the full list of file types to block is left to each organization, to be made in accordance with their risk tolerance.
  • Last modified: May 2024
  • MITRE ATT&CK TTP Mapping:

MS.EXO.9.4v1 – Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender’s Common Attachment Filter.

  • Rationale: Malicious attachments often take the form of click-to-run files. Sharing high risk file types, when necessary, is better left to a means other than email; the dangers of allowing them to be sent over email outweigh any potential benefits. Filtering email attachments based on file types can prevent spread of malware distributed via click-to-run email attachments.
  • Last modified: May 2024
  • MITRE ATT&CK TTP Mapping:

MS.EXO.9.5v1 – At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe).

  • Rationale: Malicious attachments often take the form of click-to-run files. Blocking a list of common executable files helps mitigate the risk of adversarial exploitation.
  • Last modified: May 2024
  • MITRE ATT&CK TTP Mapping:

Resources

 

License Requirements

 

  • N/A

Security Solutions

10. Malware Scanning

Email messages may include attachments that contain malware. Therefore, email messages should be scanned for malware to prevent infections. Once malware has been identified, the scanner should drop or quarantine the associated messages. Because malware detections may be updated, it is also important that emails that were already delivered to users are also scanned and removed.

Using Microsoft Defender for this purpose is not required. However, the solution selected by an agency should offer services comparable to those offered by Microsoft. If the agency uses Microsoft Defender to implement malware scanning, see the following policies of the CISA M365 Secure Configuration Baseline for Defender for Office 365 for additional guidance.

Policies

 

MS.EXO.10.1v1 – Emails SHALL be scanned for malware.

  • Rationale: Email can be used as a mechanism for delivering malware. In many cases, malware can be detected through scanning, reducing the risk for end users.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

MS.EXO.10.2v1 – Emails identified as containing malware SHALL be quarantined or dropped.

MS.EXO.10.3v1 – Email scanning SHALL be capable of reviewing emails after delivery.

  • Rationale: As known malware signatures are updated, it is possible for an email to be retroactively identified as containing malware after delivery. By scanning emails, the number of malware-infected in users’ mailboxes can be reduced.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

Resources

 

  • None

License Requirements

 

  • N/A

Security Solutions

11. Phishing Protections

Several techniques exist for protecting against phishing attacks, including the following:

  • Impersonation protection checks, wherein a tool compares the sender’s address to the addresses of known senders to flag look-alike addresses, such as user@exmple.com and user@example.com.

  • User warnings, such as displaying a notice the first time a user receives an email from a new sender.

  • Artificial intelligence (AI)-based tools.

Any product meeting the requirements outlined in this baseline policy group may be used. If the agency uses Exchange Online Protection (EOP), which is included in all Microsoft 365 subscriptions containing Exchange Online mailboxes, see the following policy and section of the CISA M365 Secure Configuration Baseline for Defender for Office 365.

EOP alone does not support impersonation protection, but this is provided through Defender for Office 365. If using Defender for Office 365 for impersonation protection, see the following policy and section of the CISA M365 Secure Configuration Baseline for Defender for Office 365.

Policies

 

MS.EXO.11.1v1 – Impersonation protection checks SHOULD be used.

  • Rationale: Users might not be able to reliably identify phishing emails, especially if the FROM address is nearly indistinguishable from that of a known entity. By automatically identifying senders who appear to be impersonating known senders, the risk of a successful phishing attempt can be reduced.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

MS.EXO.11.2v1 – User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed.

  • Rationale: Many tasks are better suited for automated processes, such as identifying unusual characters in the FROM address or identifying a first-time sender. User warnings can handle these tasks, reducing the burden on end users and the risk of successful phishing attempts.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

MS.EXO.11.3v1 – The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence.

  • Rationale: Phishing attacks can result in unauthorized data disclosure and unauthorized access. Using AI-based phishing detection tools to improve the detection rate of phishing attempts helps reduce the risk of successful phishing attacks.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

Resources

 

  • None

License Requirements

 

  • If using Defender for Office 365 for impersonation protection and advanced phishing thresholds, Defender for Office 365 Plan 1 or 2 is required. These are included with E5 and G5 and are available as add-ons for E3 and G3. As of November 14, 2023, anti-phishing for user and domain impersonation and spoof intelligence are not yet available in M365 Government Community Cloud High (GCC High) and M365 Department of Defense (DOD). See Platform features | Microsoft Docs for current offerings.

Security Solutions

12. IP Allow Lists

Microsoft Defender supports creating IP allow lists intended to prevent blocking emails from specific senders. However, as a result, emails from these senders bypass important security mechanisms, such as spam filtering, SPF, DKIM, DMARC, and FROM address enforcement.

IP block lists block email from listed IP addresses. Although we have no specific guidance on which IP addresses to add, block lists can be used to block mail from known spammers.

IP safe lists are dynamic lists of “known, good senders,” which Microsoft sources from various third-party subscriptions. As with senders in the allow list, emails from these senders bypass important security mechanisms.

Policies

 

MS.EXO.12.1v1 – IP allow lists SHOULD NOT be created.

  • Rationale: Messages sent from IP addresses on an allow list bypass important security mechanisms, including spam filtering and sender authentication checks. Avoiding use of IP allow lists prevents potential threats from circumventing security mechanisms.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:
    • None

MS.EXO.12.2v1 – Safe lists SHOULD NOT be enabled.

  • Rationale: Messages sent from allowed safe list addresses bypass important security mechanisms, including spam filtering and sender authentication checks. Avoiding use of safe lists prevents potential threats from circumventing security mechanisms. While blocking all malicious senders is not feasible, blocking specific known, malicious IP addresses may reduce the threat from specific senders.
  • Last modified: June 2023
  • Note: A connection filter MAY be implemented to create an IP block list.
  • MITRE ATT&CK TTP Mapping:
    • None

Resources

 

License Requirements

 

  • N/A

Security Solutions

13. Mailbox Auditing

Mailbox auditing helps users investigate compromised accounts or discover illicit access to Exchange Online. As a feature of Exchange Online, mailbox auditing is enabled by default for all organizations. Microsoft defines a default audit policy that logs certain actions performed by administrators, delegates, and owners. While mailbox auditing is enabled by default, this policy helps avoid inadvertent disabling.

Policies

 

MS.EXO.13.1v1 – Mailbox auditing SHALL be enabled.

Resources

 

License Requirements

 

  • N/A

Security Solutions

14. Inbound Anti-Spam Protections

Junk email, or spam, can clutter user mailboxes and hamper communications across an agency. Implementing a spam filter helps to identify inbound spam and quarantine or move those messages. Microsoft Defender includes several capabilities for protecting against inbound spam emails. Using Microsoft Defender is not strictly required for this purpose; any product that fulfills the requirements outlined in this baseline policy group may be used. If the agency uses Microsoft Defender to meet this baseline policy group, see the following policy of the CISA M365 Secure Configuration Baseline for Defender for Office 365.

Policies

 

MS.EXO.14.1v2 – A spam filter SHALL be enabled.

  • Rationale: Spam is a constant threat as junk mail can reduce user productivity, fill up mailboxes unnecessarily, and in some cases include malicious links or attachments. Filtering out spam reduces user workload burden, prevents junk mail congestion, and reduces potentially malicious content exposure.
  • Last modified: May 2024
  • MITRE ATT&CK TTP Mapping:

MS.EXO.14.2v1 – Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder.

  • Rationale: Spam is a constant threat as junk mail can reduce user productivity, fill up mailboxes unnecessarily, and in some cases include malicious links or attachments. Moving spam messages to a separate junk or quarantine folder helps users filter out spam while still giving them the ability to review messages, as needed, in case a message is filtered incorrectly.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

MS.EXO.14.3v1 – Allowed domains SHALL NOT be added to inbound anti-spam protection policies.

  • Rationale: Legitimate emails may be incorrectly filtered by spam protections. Adding allowed senders is an acceptable method of combating these false positives. Allowing an entire domain, especially a common domain like office.com, however, provides for a large number of potentially unknown users to bypass spam protections.
  • Last modified: June 2023
  • Note: Allowed senders MAY be added.
  • MITRE ATT&CK TTP Mapping:

MS.EXO.14.4v1 – If a third-party party filtering solution is used, the solution SHOULD offer services comparable to the native spam filtering offered by Microsoft.

  • Rationale: Spam is a constant threat as junk mail can reduce user productivity, fill up mailboxes unnecessarily, and in some cases include malicious links or attachments. Filtering out spam reduces user workload burden, prevents junk mail congestion, and reduces potentially malicious content exposure.
  • Last modified: May 2024
  • MITRE ATT&CK TTP Mapping:

Resources

 

License Requirements

 

  • N/A

Security Solutions

Several technologies exist for protecting users from malicious links included in emails. For example, Microsoft Defender accomplishes this by prepending:

https://*.safelinks.protection.outlook.com/?url=

to any URLs included in emails. By prepending the safe links URL, Microsoft can proxy the initial URL through their scanning service. Their proxy can perform the following actions:

  • Compare the URL with a block list.

  • Compare the URL with a list of know malicious sites.

  • If the URL points to a downloadable file, apply real-time file scanning.

If all checks pass, the user is redirected to the original URL.

Microsoft Defender for Office 365 includes link scanning capabilities. Using Microsoft Defender is not strictly required for this purpose; any product fulfilling the requirements outlined in this baseline policy group may be used. If the agency uses Microsoft Defender for Office 365 to meet this baseline policy group, see the following policy of the CISA M365 Secure Configuration Baseline for Defender for Office 365 for additional guidance.

Policies

 

MS.EXO.15.1v1 – URL comparison with a block-list SHOULD be enabled.

  • Rationale: Users may be directed to malicious websites via links in email. Blocking access to known, malicious URLs can prevent users from accessing known malicious websites.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

MS.EXO.15.2v1 – Direct download links SHOULD be scanned for malware.

  • Rationale: URLs in emails may direct users to download and run malware. Scanning direct download links in real-time for known malware and blocking access can prevent users from infecting their devices.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

MS.EXO.15.3v1 – User click tracking SHOULD be enabled.

  • Rationale: Users may click on malicious links in emails, leading to compromise or unauthorized data disclosure. Enabling user click tracking lets agencies know if a malicious link may have been visited after the fact to help tailor a response to a potential incident.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

Resources

 

  • None

License Requirements

 

  • N/A

Security Solutions

16. Alerts

Managing and monitoring Exchange mailboxes and user activity requires a means to define activity of concern and notify administrators. Alerts can be generated to help identify suspicious or malicious activity in Exchange Online. These alerts give administrators better real-time insight into possible security incidents.

Using Microsoft 365 alert policies is not strictly required for this purpose; any product fulfilling the requirements outlined in this baseline policy group may be used. If the agency uses Microsoft 365 alert policies, this includes several prebuilt alert policies, many of which pertain to Exchange Online. Guidance for configuring alerts in Microsoft 365 is given in the following section of the CISA M365 Secure Configuration Baseline for Defender for Office 365.

Policies

 

MS.EXO.16.1v1 – At a minimum, the following alerts SHALL be enabled:

a. Suspicious email sending patterns detected.

b. Suspicious Connector Activity.

c. Suspicious Email Forwarding Activity.

d. Messages have been delayed.

e. Tenant restricted from sending unprovisioned email.

f. Tenant restricted from sending email.

g. A potentially malicious URL click was detected.

MS.EXO.16.2v1 – The alerts SHOULD be sent to a monitored address or incorporated into a security information and event management (SIEM) system.

  • Rationale: Suspicious or malicious events, if not resolved promptly, may have a greater impact to users and the agency. Sending alerts to a monitored email address or SIEM system helps ensure these suspicious or malicious events are acted upon in a timely manner to limit overall impact.
  • Last modified: June 2023
  • MITRE ATT&CK TTP Mapping:

Resources

 

  • None

License Requirements

 

  • N/A

Security Solutions

17. Audit Logging

User activity from M365 services is captured in the organization’s unified audit log. These logs are essential for conducting incident response and threat detection activity.

By default, Microsoft retains the audit logs for 180 days. Activity by users with E5 licenses assigned is retained for one year.

However, in accordance with Office of Management and Budget (OMB) Memorandum 21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents, Microsoft 365 audit logs are to be retained at least 12 months in active storage and an additional 18 months in cold storage. This can be accomplished by offloading the logs out of the cloud environment or natively through Microsoft by creating an audit log retention policy.

OMB M-21-31 also requires Advanced Audit be configured in M365. Advanced Audit, now Microsoft Purview Audit (Premium), adds additional event types to the Unified Audit Log.

Audit logging is managed from the Microsoft Purview compliance portal. For implementation guidance for configuring audit logging, see the following section of the CISA M365 Secure Configuration Baseline for Defender for Office 365.

Policies

 

MS.EXO.17.1v1 – Unified Audit logging SHALL be enabled.

  • Rationale: Responding to incidents without detailed information about activities that took place slows response actions. Enabling Unified Audit logging helps ensure agencies have visibility into user actions. Furthermore, enabling the Unified Audit log is required for government agencies by OMB M-21-31.
  • Last modified: March 2025
  • MITRE ATT&CK TTP Mapping:

MS.EXO.17.3v1 – Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31 (Appendix C).

  • Rationale: Audit logs may no longer be available when needed if they are not retained for a sufficient time. Increased log retention time gives an agency the necessary visibility to investigate incidents that occurred some time ago. OMB M-21-13, Appendix C, Table 5 specifically calls out Unified Audit Logs in the Cloud Azure log category.
  • Last modified: June 2023
  • Note: Microsoft 365 Purview (Premium) provides a default audit log retention policy, retaining Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Entra ID audit records for one year. Additional record types require custom audit retention policies. Agencies may also consider alternate storage locations and services to meet audit log retention needs.
  • MITRE ATT&CK TTP Mapping:

Resources

 

License Requirements

 

  • Microsoft 365 Audit (Premium) capabilities, including the creation of a custom audit log retention policy, requires E5/G5 licenses or E3/G3 licenses with add-on compliance licenses.

  • Additionally, maintaining logs in the M365 environment for longer than one year requires an add-on license. For more information, see Licensing requirements | Microsoft Docs. However, this requirement can also be met by exporting the logs from M365 and storing them with your solution of choice, in which case audit log retention policies are not necessary.

Our Expertise

Why Choose

Crimson Line?

By partnering with Crimson Line, you gain access to a team of experts who are committed to enhancing your business’s productivity and security.

01.

Crimson Line

Innovation

We stay ahead of the curve by embracing AI-driven tools like Copilot.

02.

Crimson Line

Expertise

Our experienced team architects and manages cloud-native solutions.

03.

Crimson Line

Cost-Effective

Enjoy the benefits of PaaS with minimal risk.

04.

Crimson Line

Flexibility

We tailor solutions to meet your unique needs.

Partner with us

Get Started

Create a Customized
Security Strategy

At Crimson Line, security is not just a product—it’s our commitment to your peace of mind.

Partner with us
Get in Touch