Baseline Security Mode Configures Entra ID, Office, SharePoint Online, Exchange Online, and Teams
Message center notification MC1193689 (10 December 2025) announces that Microsoft is rolling out the general availability release of Baseline security mode to commercial tenants, with deployment scheduled for completion by late January 2026. Government tenants will get Baseline security mode in January 2026.
In a nutshell, Baseline security mode is a collection of suggested security configurations for important Microsoft 365 services that can be managed from the Microsoft 365 admin center. Administrators can already configure the settings using PowerShell or in different admin centers, but it’s so much easier when administrators can go to one place to see the suggested settings and make whatever changes they think are appropriate. The suggested settings reflect Microsoft’s experience in securing workloads and closing off holes that might be exploited by attackers. Microsoft calls the settings “minimum security benchmark recommendations.”
Accessing Baseline Security Mode
To access the suggested security configurations, open the Org Settings section of the Microsoft 365 admin center, and then choose the Security & privacy tab. You’ll then see a set of default policies and the option to automatically apply these policies (Figure 1).

Automatic application is a good step for inexperienced tenant administrators because it covers issues that should be closed off in every tenant. More experienced administrators should select the Manage all policies option to allow them to manage individual policy settings (12 authentication, 6 files, and 2 for Teams Rooms devices).
Managing Policy Settings
In many cases, applying a recommended policy is as simple as setting a check box to perform actions such as blocking the HTTP and FTP protocols for file opens, blocking access to Exchange Web Services (EWS), or blocking ActiveX controls for Office documents. Apart from gaining more control over policies, administrators can see details of what might be impacted by changing a setting.
Interestingly, this is how I discovered that the Microsoft Office app (AppId d3590ed6-52b3-4102-aeff-aad2292ab01c) still uses EWS to fetch details about Microsoft 365 groups. I disabled EWS and Outlook (classic) could no longer fetch details of unseen counts or group settings. Oh well, I doubt many people still use Outlook classic to interact with mail-centric groups (aka Outlook groups), so disabling the protocol is no big deal. Seriously, check the version numbers for applications posted here before disabling EWS. Losing access to Outlook groups shouldn’t matter too much, but losing access to free/busy information might make people unhappy.
Updating other policies might involve more than switching a setting value. Several require changes to Entra ID policies that deserve more discussion. Take the suggestion to block new password credentials in Entra ID apps (Figure 2). Making this policy effective involves updating the tenant default app management policy to block the ability of app owners to add new passwords (app secrets) to their apps.

The thing is that my tenant has a customized app management policy created using PowerShell. The custom policy blocks app secrets (also blocked in the default app management policy). Although Baseline security mode detected the presence of the custom policy, it didn’t check if the policy blocks app secrets and so meets the requirement.
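Because Baseline security mode reports the presence of a custom app management policy without inspecting it, the check below (an added example, not code from the article or from Microsoft) reads the tenant default policy and every custom policy through the Microsoft Graph PowerShell SDK and reports whether each one actually carries a passwordAddition restriction. It assumes the SDK is installed and the signed-in account has Policy.Read.All consent.

```powershell
# Added example: verify that app management policies block new app secrets.
# Assumes Microsoft.Graph PowerShell SDK and Policy.Read.All consent.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

function Test-PasswordAdditionBlocked {
    # Returns $true when the restriction set contains a 'passwordAddition' entry.
    # Note: RestrictForAppsCreatedAfterDateTime on that entry may limit the block
    # to apps created after a given date, so older apps could still add secrets.
    param($Restrictions)
    if (-not $Restrictions -or -not $Restrictions.PasswordCredentials) { return $false }
    return [bool]($Restrictions.PasswordCredentials |
        Where-Object { $_.RestrictionType -eq 'passwordAddition' })
}

# Tenant default policy: applies to every app and service principal that is
# not assigned to a custom policy.
$Default = Get-MgPolicyDefaultAppManagementPolicy
[PSCustomObject]@{
    Policy           = 'Tenant default'
    Enabled          = $Default.IsEnabled
    BlocksAppSecrets = Test-PasswordAdditionBlocked $Default.ApplicationRestrictions
    BlocksSPSecrets  = Test-PasswordAdditionBlocked $Default.ServicePrincipalRestrictions
}

# Custom policies override the default for the objects assigned to them, so a
# custom policy that omits passwordAddition reopens the hole for those apps.
foreach ($Policy in (Get-MgPolicyAppManagementPolicy -All)) {
    $Targets = Get-MgPolicyAppManagementPolicyApplyTo -AppManagementPolicyId $Policy.Id -All
    [PSCustomObject]@{
        Policy           = $Policy.DisplayName
        Enabled          = $Policy.IsEnabled
        BlocksAppSecrets = Test-PasswordAdditionBlocked $Policy.Restrictions
        AssignedObjects  = (@($Targets | ForEach-Object { $_.Id }) -join ', ')
    }
}
```

A custom policy that shows Enabled = True but BlocksAppSecrets = False is exactly the case the admin center does not flag: its assigned apps are exempt from the default policy yet free to add new secrets.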
Recommendations Implemented Through Conditional Access Policies
Another example is the recommendation to block authentication requests that use legacy authentication protocols. This is a good thing to do, and the block is implemented via a Microsoft-managed conditional access policy (Figure 3).

Notice that many of the settings are grayed out. The only things an administrator can do with a Microsoft-managed conditional access policy are set its state (in this case, to set it from Report-only to either On or Off) and manage the excluded identities list (for instance, to add exclusions for break glass accounts).
The Require phishing resistant authentication for administrators suggestion also uses a Microsoft-managed conditional access policy to require accounts holding any of 19 defined administrative roles to use a phishing-resistant authentication method to connect (for example, matching numbers in the Microsoft Authenticator app or a passkey).
My tenant hadn’t received any Microsoft-managed conditional access policies until now (December 8 to be precise). When Microsoft announced the rollout of these policies, they said that only eligible tenants would receive them. I guess that the advent of Baseline security mode changed the definition of eligibility.
Conditional access policies are certainly a great way to impose security restrictions on a tenant. However, it’s easy to get into a mess with conditional access policies, so care must be taken before introducing a new policy to ensure that it doesn’t interfere with existing policies.
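Before switching a Microsoft-managed policy from Report-only to On, an administrator would want to confirm the break glass accounts are already in its exclusion list. The script below is an added example (not from the article or from Microsoft) that lists every Microsoft-managed conditional access policy with its state and reports any break glass account that is missing from the exclusions; the two UPNs are assumed placeholders, and the account running it needs Policy.Read.All and User.Read.All.

```powershell
# Added example: review Microsoft-managed conditional access policies and
# confirm break glass accounts are excluded before enabling them.
# Assumes Microsoft.Graph PowerShell SDK; UPNs below are placeholders.
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All" -NoWelcome

# Assumed break glass accounts: replace with the tenant's own.
$BreakGlassUpns = @('breakglass1@contoso.example', 'breakglass2@contoso.example')
$BreakGlassIds  = foreach ($Upn in $BreakGlassUpns) {
    (Get-MgUser -UserId $Upn -Property Id).Id
}

# Microsoft-managed policies carry a fixed display name prefix.
$Managed = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -like 'Microsoft-managed:*' }

foreach ($Policy in $Managed) {
    # ExcludeUsers holds object IDs, so compare against the resolved IDs.
    $Excluded = @($Policy.Conditions.Users.ExcludeUsers)
    $Missing  = @($BreakGlassIds | Where-Object { $_ -notin $Excluded })
    [PSCustomObject]@{
        Policy             = $Policy.DisplayName
        # enabled, disabled, or enabledForReportingButNotEnforced (Report-only)
        State              = $Policy.State
        BreakGlassExcluded = ($Missing.Count -eq 0)
        MissingExclusions  = ($Missing -join ', ')
        LastModified       = $Policy.ModifiedDateTime
    }
}
```

Any policy showing State = enabledForReportingButNotEnforced with BreakGlassExcluded = False should have its exclusions fixed (the one editable part of a managed policy besides state) before it is turned on.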
All changes made to bring tenant settings into line with the recommendations of Baseline security mode are captured in audit records.
A Good Baseline
I don’t have any Teams Rooms devices, so I didn’t check the two settings available to secure these objects. Apart from the caveats expressed above, the first iteration of Baseline security mode is solid and should prove useful to many tenants, and might even prompt some experienced administrators into doing something to improve their tenant’s security.