maester365 · Mynster9361 · Apr 4, 2026 · Apr 4, 2026 · Apr 4, 2026 · Apr 4, 2026
@@ -108,7 +108,7 @@
     'Test-MtCaSecureSecurityInfoRegistration', 'Test-MtCaWIFBlockLegacyAuthentication', 'Test-MtCis365PublicGroup', 'Test-MtCisAdminConsentWorkflowEnabled',
     'Test-MtCisAuditLogSearch', 'Test-MtCisAttachmentFilter', 'Test-MtCisAttachmentFilterComprehensive',
     'Test-MtCisCalendarSharing', 'Test-MtCisCloudAdmin', 'Test-MtCisCreateTenantDisallowed',
-    'Test-MtCisCommunicateWithUnmanagedTeamsUsers', 'Test-MtCisConnectionFilterSafeList', 'Test-MtCisCustomerLockBox', 'Test-MtCisDevicesWithoutCompliancePolicyMarked',
+    'Test-MtCisCommunicateWithUnmanagedTeamsUsers', 'Test-MtCisCommunicateInitiateExternalTeamsUsers', 'Test-MtCisConnectionFilterSafeList', 'Test-MtCisCustomerLockBox', 'Test-MtCisDevicesWithoutCompliancePolicyMarked',
     'Test-MtCisDkim', 'Test-MtCisEnsureGuestAccessRestricted', 'Test-MtCisEnsureGuestUserDynamicGroup', 'Test-MtCisEnsureUserConsentToAppsDisallowed', 'Test-MtCisFormsPhishingProtectionEnabled',
     'Test-MtCisGlobalAdminCount', 'Test-MtCisHostedConnectionFilterPolicy', 'Test-MtCisInternalMalwareNotification', 'Test-MtCisOutboundSpamFilterPolicy', 'Test-MtCisPasswordExpiry',
     'Test-MtCisSafeAntiPhishingPolicy', 'Test-MtCisSafeAttachment', 'Test-MtCisSafeAttachmentsAtpPolicy',

@@ -1,8 +1,23 @@
 1.2.1 (L2) Ensure that only organizationally managed/approved public groups exist
 
-Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365. With Microsoft 365 Groups, you can give a group of people access to a collection of shared resources. While there are several different group types this recommendation concerns Microsoft 365 Groups.
+Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365. With Microsoft 365 Groups, you can give a group of people access to a collection of shared resources. When a new group is created in the
+Administration panel, the default privacy value of the group is "Public". (In this case, ‘public’ means accessible to the identities within the organization without requiring group owner authorization to join.)
+Ensure that Microsoft 365 Groups are set to **Private** in the Administration panel.
 
-Ensure that only organizationally managed and approved public groups exist.
+>Note: Although there are several different group types, this recommendation concerns Microsoft 365 Groups specifically.
+
+#### Rationale
+
+If group privacy is not controlled, any user may access sensitive information, depending on the group they try to access.
+When the privacy value of a group is set to "Public," users may access data related to this group (e.g. SharePoint) via three methods:
+1. The Azure Portal: Users can add themselves to the public group via the Azure Portal; however, administrators are notified when users access the Portal.
+2. Access Requests: Users can request to join the group via the Groups application in the Access Panel. This provides the user with immediate access to the group, even though they are required to send a message to the group owner when
+requesting to join.
+3. SharePoint URL: Users can directly access a group via its SharePoint URL, which is usually guessable and can be found in the Groups application within the Access Panel.
+
+#### Impact
+
+If the recommendation is applied, group owners could receive more access requests than usual, especially regarding groups originally meant to be public.
 
 #### Remediation action:
 
@@ -16,7 +31,9 @@ To enable only organizationally managed/approved public groups exist:
 #### Related links
 
 * [Microsoft 365 Admin Center](https://admin.microsoft.com)
-* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 36](https://www.cisecurity.org/benchmark/microsoft_365)
+* [Set up self-service group management in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/users/groups-self-service-management)
+* [Compare types of groups in Microsoft 365](https://learn.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide)
+* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 36](https://www.cisecurity.org/benchmark/microsoft_365)
 
 <!--- Results --->
 %TestResult%
@@ -5,7 +5,7 @@
 
     .DESCRIPTION
     Ensure that only organizationally managed and approved public groups exist
-    CIS Microsoft 365 Foundations Benchmark v5.0.0
+    CIS Microsoft 365 Foundations Benchmark v6.0.1
 
     .EXAMPLE
     Test-MtCis365PublicGroup

@@ -1,11 +1,18 @@
 5.1.5.2 (L1) Ensure the admin consent workflow is enabled
 
-**Rationale:**
+The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action.
+
+#### Rationale
+
 The admin consent workflow (Preview) gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer acts on the request, and the user is notified of the action.
 
+#### Impact
+
+To approve requests, a reviewer must be a global administrator, cloud application administrator, or application administrator. The reviewer must already have one of these admin roles assigned; simply designating them as a reviewer doesn't elevate their privileges.
+
 #### Remediation action:
 
-1. Navigate to Microsoft Entra ID admin center [https://entra.microsoft.com](https://entra.microsoft.com).
+1. Navigate to [Microsoft Entra ID admin center](https://entra.microsoft.com).
 2. Under **Entra ID** select **Enterprise apps**
 3. Under **Security** select **Consent and permissions**
 4. Under **Manage** select **Admin consent settings**
@@ -14,8 +21,9 @@ The admin consent workflow (Preview) gives admins a secure way to grant access t
 
 #### Related links
 
-* [Microsoft Entra admin center | Enterprise apps | Consent and permissions | Admin consent settings](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/AdminConsentSettings)
-* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 187](https://www.cisecurity.org/benchmark/microsoft_365)
+* [Microsoft Entra ID admin center](https://entra.microsoft.com)
+* [Configure the admin consent workflow](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow)
+* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 214](https://www.cisecurity.org/benchmark/microsoft_365)
 
 <!--- Results --->
 %TestResult%
@@ -4,7 +4,7 @@
 
 .DESCRIPTION
     The admin consent workflow should be enabled.
-    CIS Microsoft 365 Foundations Benchmark v5.0.0
+    CIS Microsoft 365 Foundations Benchmark v6.0.1
 
 .EXAMPLE
     Test-MtCisAdminConsentWorkflowEnabled
@@ -35,7 +35,8 @@ function Test-MtCisAdminConsentWorkflowEnabled {
 
         if ($testResult) {
             $testResultMarkdown = "Well done. Your tenant settings comply with CIS recommendations.`n`n%TestResult%"
-        } else {
+        }
+        else {
             $testResultMarkdown = "Your tenant settings do not comply with CIS recommendations.`n`n%TestResult%"
         }
 
@@ -44,7 +45,8 @@ function Test-MtCisAdminConsentWorkflowEnabled {
 
         if ($checkAdminConsentWorkflowEnabled) {
             $checkAdminConsentWorkflowEnabledResult = '✅ Pass'
-        } else {
+        }
+        else {
             $checkAdminConsentWorkflowEnabledResult = '❌ Fail'
         }
 
@@ -54,7 +56,8 @@ function Test-MtCisAdminConsentWorkflowEnabled {
 
         Add-MtTestResultDetail -Result $testResultMarkdown
         return $testResult
-    } catch {
+    }
+    catch {
         Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
         return $null
     }

@@ -1,22 +1,41 @@
 2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled
 
-**Rationale:**
+The Common Attachment Types Filter lets a user block known and custom malicious file types from being attached to emails.
+
+#### Rationale
+
 Blocking known malicious file types can help prevent malware-infested files from infecting a host.
 
+#### Impact
+
+Blocking common malicious file types should not cause an impact in modern computing environments.
+
 #### Remediation action:
 
 To enable the Common Attachment Types Filter:
-1. Navigate to Microsoft 365 Defender [https://security.microsoft.com](https://security.microsoft.com).
+1. Navigate to [Microsoft 365 Defender](https://security.microsoft.com).
 2. Click to expand **Email & collaboration** select **Policies & rules**.
 3. On the Policies & rules page select **Threat policies**.
 4. Under polices select **Anti-malware** and click on the **Default (Default)** policy.
 5. On the Policy page that appears on the right hand pane scroll to the bottom and click on **Edit protection settings**, check the **Enable the common attachments filter**.
 6. Click Save.
 
+##### PowerShell
+
+1. Connect to Exchange Online using `Connect-ExchangeOnline`.
+2. Run the following Exchange Online PowerShell command:
+```powershell
+Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true
+```
+
+>Note: Audit and Remediation guidance may focus on the Default policy however, if a Custom Policy exists in the organization's tenant, then ensure the setting is set as outlined in the highest priority policy listed.
+
 #### Related links
 
 * [Microsoft 365 Defender](https://security.microsoft.com)
-* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 74](https://www.cisecurity.org/benchmark/microsoft_365)
+* [Get-MalwareFilterPolicy](https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/get-malwarefilterpolicy?view=exchange-ps)
+* [Configure anti-malware policies for cloud mailboxes](https://learn.microsoft.com/en-us/defender-office-365/anti-malware-policies-configure?view=o365-worldwide)
+* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 78](https://www.cisecurity.org/benchmark/microsoft_365)
 
 <!--- Results --->
 %TestResult%
@@ -5,7 +5,7 @@
 
     .DESCRIPTION
     The common attachment types filter should be enabled
-    CIS Microsoft 365 Foundations Benchmark v5.0.0
+    CIS Microsoft 365 Foundations Benchmark v6.0.1
 
     .EXAMPLE
     Test-MtCisAttachmentFilter

@@ -1,32 +1,40 @@
 2.1.11 (L2) Ensure comprehensive attachment filtering is applied
 
-**Rationale:**
-Blocking known malicious file types can help prevent malware-infested files from infecting a host or performing other malicious attacks such as phishing and data extraction. Defining a comprehensive list of attachments can help protect against additional unknown and known threats.
+The Common Attachment Types Filter lets a user block known and custom malicious file types from being attached to emails. The policy provided by Microsoft covers 53 extensions, and an additional custom list of extensions can be defined.
+The list of 184 extensions provided in this recommendation is comprehensive but not exhaustive.
+
+#### Rationale
+
+Blocking known malicious file types can help prevent malware-infested files from infecting a host or performing other malicious attacks such as phishing and data extraction.
+Defining a comprehensive list of attachments can help protect against additional unknown and known threats. Many legacy file formats, binary files and compressed files have been used as delivery mechanisms for malicious software. Organizations can protect themselves from Business E-mail Compromise (BEC) by allow-listing only the file types relevant to their line of business and blocking all others.
+
+#### Impact
+
+For file types that are business necessary users will need to use other organizationally approved methods to transfer blocked extension types between business partners.
 
 #### Remediation action:
 
 To implement a new policy containing a comprehensive list of extensions:
-1. Connect to Exchange Online using Connect-ExchangeOnline.
-2. Run the following script:
+1. Connect to Exchange Online using `Connect-ExchangeOnline`.
+2. Run the following script after editing **InternalSenderAdminAddress**:
 ```
 # Create an attachment policy and associated rule. The rule is
 # intentionally disabled allowing the org to enable it when ready
 $Policy = @{
-    Name = "CIS L2 Attachment Policy"
-    EnableFileFilter = $true
-    ZapEnabled = $true
+    Name                                   = "CIS L2 Attachment Policy"
+    EnableFileFilter                       = $true
+    ZapEnabled                             = $true
     EnableInternalSenderAdminNotifications = $true
-    InternalSenderAdminAddress = 'admin@contoso.com' # Change this.
+    InternalSenderAdminAddress             = 'admin@contoso.com' # Change this.
 }
-
 $L2Extensions = @(
     "7z", "a3x", "ace", "ade", "adp", "ani", "app", "appinstaller",
     "applescript", "application", "appref-ms", "appx", "appxbundle", "arj",
     "asd", "asx", "bas", "bat", "bgi", "bz2", "cab", "chm", "cmd", "com",
     "cpl", "crt", "cs", "csh", "daa", "dbf", "dcr", "deb",
     "desktopthemepackfile", "dex", "diagcab", "dif", "dir", "dll", "dmg",
     "doc", "docm", "dot", "dotm", "elf", "eml", "exe", "fxp", "gadget", "gz",
-    "hlp", "hta", "htc", "htm", "htm", "html", "html", "hwpx", "ics", "img",
+    "hlp", "hta", "htc", "htm", "html", "hwpx", "ics", "img",
     "inf", "ins", "iqy", "iso", "isp", "jar", "jnlp", "js", "jse", "kext",
     "ksh", "lha", "lib", "library-ms", "lnk", "lzh", "macho", "mam", "mda",
     "mdb", "mde", "mdt", "mdw", "mdz", "mht", "mhtml", "mof", "msc", "msi",
@@ -40,29 +48,29 @@ $L2Extensions = @(
     "tar", "theme", "themepack", "timer", "uif", "url", "uue", "vb", "vbe",
     "vbs", "vhd", "vhdx", "vxd", "wbk", "website", "wim", "wiz", "ws", "wsc",
     "wsf", "wsh", "xla", "xlam", "xlc", "xll", "xlm", "xls", "xlsb", "xlsm",
-    "xlt", "xltm", "xlw", "xml", "xnk", "xps", "xsl", "xz", "z"
+    "xlt", "xltm", "xlw", "xnk", "xps", "xsl", "xz", "z"
 )
-
 # Create the policy
 New-MalwareFilterPolicy @Policy -FileTypes $L2Extensions
-
 # Create the rule for all accepted domains
 $Rule = @{
-    Name = $Policy.Name
-    Enabled = $false
+    Name                = $Policy.Name
+    Enabled             = $false
     MalwareFilterPolicy = $Policy.Name
-    RecipientDomainIs = (Get-AcceptedDomain).Name
-    Priority = 0
+    RecipientDomainIs   = (Get-AcceptedDomain).Name
+    Priority            = 0
 }
-
 New-MalwareFilterRule @Rule
 ```
 3. When prepared enable the rule either through the UI or PowerShell.
 
 #### Related links
 
 * [Microsoft 365 Defender](https://security.microsoft.com)
-* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 109](https://www.cisecurity.org/benchmark/microsoft_365)
+* [Get-MalwareFilterPolicy](https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/get-malwarefilterpolicy?view=exchange-ps)
+* [Configure anti-malware policies for cloud mailboxes](https://learn.microsoft.com/en-us/defender-office-365/anti-malware-policies-configure?view=o365-worldwide)
+* [File format reference for Word, Excel, and PowerPoint](https://learn.microsoft.com/en-us/office/compatibility/office-file-format-reference)
+* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 109](https://www.cisecurity.org/benchmark/microsoft_365)
 
 <!--- Results --->
 %TestResult%
@@ -5,7 +5,7 @@
 
     .DESCRIPTION
     The common attachment types filter should be comprehensive
-    CIS Microsoft 365 Foundations Benchmark v5.0.0
+    CIS Microsoft 365 Foundations Benchmark v6.0.1
 
     .EXAMPLE
     Test-MtCisAttachmentFilterComprehensive
@@ -35,7 +35,7 @@
             'cpl', 'crt', 'cs', 'csh', 'daa', 'dbf', 'dcr', 'deb',
             'desktopthemepackfile', 'dex', 'diagcab', 'dif', 'dir', 'dll', 'dmg',
             'doc', 'docm', 'dot', 'dotm', 'elf', 'eml', 'exe', 'fxp', 'gadget', 'gz',
-            'hlp', 'hta', 'htc', 'htm', 'htm', 'html', 'html', 'hwpx', 'ics', 'img',
+            'hlp', 'hta', 'htc', 'htm', 'html', 'hwpx', 'ics', 'img',
             'inf', 'ins', 'iqy', 'iso', 'isp', 'jar', 'jnlp', 'js', 'jse', 'kext',
             'ksh', 'lha', 'lib', 'library-ms', 'lnk', 'lzh', 'macho', 'mam', 'mda',
             'mdb', 'mde', 'mdt', 'mdw', 'mdz', 'mht', 'mhtml', 'mof', 'msc', 'msi',
@@ -49,7 +49,7 @@
             'tar', 'theme', 'themepack', 'timer', 'uif', 'url', 'uue', 'vb', 'vbe',
             'vbs', 'vhd', 'vhdx', 'vxd', 'wbk', 'website', 'wim', 'wiz', 'ws', 'wsc',
             'wsf', 'wsh', 'xla', 'xlam', 'xlc', 'xll', 'xlm', 'xls', 'xlsb', 'xlsm',
-            'xlt', 'xltm', 'xlw', 'xml', 'xnk', 'xps', 'xsl', 'xz', 'z'
+            'xlt', 'xltm', 'xlw', 'xnk', 'xps', 'xsl', 'xz', 'z'
         )
 
         # Duplicate the array, so we are left with a list of extensions missing at the end

@@ -1,21 +1,33 @@
 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
 
-**Rationale:**
-Enabling audit log search in the Microsoft Purview compliance portal can help organizations improve their security posture, meet regulatory compliance requirements, respond to security incidents, and gain valuable operational insights.
+When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 180 days by default. However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. In this scenario, a global admin can choose to turn off audit log search in Microsoft 365.
+
+#### Rationale
+
+Enabling audit log search in the Microsoft Purview compliance portal can help organizations improve their security posture, meet regulatory compliance requirements, respond to security incidents, and gain valuable operational insights
 
 #### Remediation action:
 
-To enable audit log search:
-1. Navigate to [Microsoft Purview Audit Search](https://purview.microsoft.com/audit/auditsearch).
-2. Select **Audit** to open the audit search.
-3. Click **Start recording user and admin activity** next to the information warning at the top.
+1. Navigate to [Microsoft 365 Purview](https://purview.microsoft.com).
+2. Select **Solutions** and then **Audit** to open the audit search.
+3. Click blue bar **Start recording user and admin activity**.
 4. Click **Yes** on the dialog box to confirm.
 
+##### PowerShell
+
+1. Connect to Exchange Online using `Connect-ExchangeOnline`.
+2. Run the following PowerShell command:
+```powershell
+Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
+```
+
 #### Related links
 
-* [Microsoft 365 Defender](https://security.microsoft.com)
-* [CIS Microsoft 365 Foundations Benchmark v5.0.0 - Page 143](https://www.cisecurity.org/benchmark/microsoft_365)
-* [Turn auditing on or off | Microsoft Learn](https://learn.microsoft.com/en-us/purview/audit-log-enable-disable)
+* [Microsoft 365 Purview](https://purview.microsoft.com)
+* [CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 149](https://www.cisecurity.org/benchmark/microsoft_365)
+* [Turn auditing on or off](https://learn.microsoft.com/en-us/purview/audit-log-enable-disable?view=o365-worldwide&tabs=microsoft-purview-portal)
+* [Set-AdminAuditLogConfig](https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/set-adminauditlogconfig?view=exchange-ps)
+* [Verify the auditing status for your organization](https://learn.microsoft.com/en-us/purview/audit-log-enable-disable?view=o365-worldwide&tabs=microsoft-purview-portal#verify-the-auditing-status-for-your-organization)
 
 <!--- Results --->
 %TestResult%
@@ -5,7 +5,7 @@
 
     .DESCRIPTION
     Microsoft 365 audit log search should be enabled
-    CIS Microsoft 365 Foundations Benchmark v5.0.0
+    CIS Microsoft 365 Foundations Benchmark v6.0.1
 
     .EXAMPLE
     Test-MtCisAuditLogSearch