Standards
Configuration Changes
A standard applies actual configuration to the selected tenant, not just monitoring.
Note that by default, Standards aren't applied to any tenants upon setup / configuration of CIPP. Applying any standard should only be undertaken with full understanding of the effects of the standard, detailed below.
The Standards page provides the ability for you to apply or reapply specific standards to your entire client base. Standards reapply to your tenants every three hours by default. If a setting covered by a standard changes the next time the standards apply the value specified in the standard takes precedence.
Plans exist to implement more standardised options and settings, along with an alerting system supporting Remote Monitoring and Management (RMM) systems, webhooks or, e-mail.
Below the are standards explained:
Meet the Standards​
Low Impact
Changes which have no user-facing impact or minimal impact.
| Standard Name | Powershell equivalent | Description |
|---|---|---|
| Set General Contact e-mail | Set-MsolCompanyContactInformation | this is where Micrososft sends updates about subscriptions |
| Set Security Contact e-mail | Set-MsolCompanyContactInformation | Receives emails about security alerts or advisories by Microsoft |
| Set Marketing Contact e-mail | Set-MsolCompanyContactInformation | Receives the emails related to marketing; new features etc |
| Set Technical Contact e-mail | Set-MsolCompanyContactInformation | Receives emails related to possible technical issues, service disruptions, etc. |
| Enable the Unified Audit Log | Enable-OrganizationCustomization | Enabled the Microsoft Unified Audit Log |
| Enable Usernames instead of pseudo anonymised names in reports | Portal Only | Microsoft announced some APIs and reports no longer return names, to comply with compliance and legal requirements in specific countries. This proves an issue for a lot of MSPs because those reports are often helpful for engineers. This standard applies a setting that shows usernames in those API calls / reports. |
| Enable Modern Authentication | Set-OrganizationConfig -OAuth2ClientProfileEnabled $false | Enables Modern Authentication. If your tenant creation date is after 2018 this should be the current state. |
| Disable Basic Authentication | Setting enforced by MS starting October 2022 | Disables most forms of basic user authentication, this permits SMTP authentication as Microsoft doesn't consider this a legacy protocol yet. It's important to review the sign-in reports to identify impact for each customer. It cuts off any connection and blocks future connections using legacy authentication in addition to blocking applications or devices which don't support modern authentication. |
| Don't expire passwords | Portal Only | Sets passwords to never expire for tenant, recommended to use in conjunction with secure password requirements. |
| Disable M365 Group creation by users | Portal Only | Users by default are allowed to create M365 groups. This disables that so only admins can create new M365 groups. |
| Enable Temporary Access Passwords | Portal Only | Enables Temporary Password generation for the tenant |
| Enable Spoofing warnings for Outlook (This e-mail is external identifiers) | Set-ExternalInOutlook –Enabled $true | Adds indicators to e-mail messages received from external senders in Outlook. You can read more about this feature on Microsoft's Exchange Team Blog. |
| Enable Passwordless with Number Matching | New-AzureADPolicy | Allows users to use Passwordless with Number Matching |
| Enable Passwordless with Location information and Number Matching | New-AzureADPolicy | Allows users to use Passwordless with Number Matching and adds location information from the last request |
| Disable daily Insight/Viva reports | Set-UserBriefingConfig | Disables Daily Insight reports for all users in the tenant |
| Retain a deleted user OneDrive for 1 year | Portal Only | When a OneDrive user gets deleted, the sharepoint site is saved for 1 year and data can be retrieved from it. |
| Enable Auto-expanding archives | Set-OrganizationConfig -AutoExpandingArchive | Enables auto-expanding archives for the tenant. Does not enable archives for users. |
Medium Impact
Changes which have a user impact mitigated with a little communication.
| Standard Name | Powershell equivalent cmdlet | Description |
|---|---|---|
| Disable Security Group creation by users | Portal Only | Completely disables the creation of security groups by users. This also breaks the ability to manage groups themselves, or create Teams. |
| Enable Self Service Password Reset | Portal Only | Enables SSPR for the tenant, requiring users to give two methods via which they can get their password reset. |
| Undo SSPR Standard | Portal Only | Removes the SSPR configuration that has been set by CIPP. |
| Disable Azure Portal access for Standard users | Portal Only | Disables standard users from accessing the Azure portal. This might cause issues if users have their own Azure Resources configured. |
| Remove Legacy MFA if SD or CA is active | Get-MsolUser | Set-MsolUser -StrongAuthenticationRequirements $null |
| Disable Self Service Licensing | Set-MsolCompanySettings -AllowAdHocSubscriptions $false | Does not allow users to get their own licenses. This also blocks PowerBi Self service and Flow Self Service. |
| Allow users to send from their alias addresses | Set-Mailbox | Allows users to change the 'from' address to any set in their Azure AD Profile. |
| Enable 1 hour Activity based Timeout | Portal Only | Sets the maximum session age of Sharepoint sites to 1 hour, before being logged out. |
| Set mailbox Sent Items delegation (Sent items for shared mailboxes) | Set-mailbox | This makes sure that e-mails sent from shared mailboxes or delegate mailboxes, end up in the mailbox of the shared/delegate mailbox instead of the sender, allowing you to keep replies in the same mailbox as the original e-mail. |
High Impact
Changes which should be require thought and planning. Should ideally co-ordinate deployment with customers - may have significant impacts on how users interact with Microsoft 365.
| Set Sharing Level for OneDrive and Sharepoint | Portal Only | Sets the sharing level for OneDrive allowed by users |
|---|---|---|
| Exclude File Extensions from Syncing | Portal Only | Excludes files from being synced. Users will get an error when trying to sync the specified files |
| Do not allow Mac devices to sync using OneDrive | Portal Only | Disabled syncing via OneDrive |
| Disable Resharing by External Users | Portal Only | Disables (guest) users from resharing a file to more users. |
| Disable site creation by standard users | Portal Only | Disables standard users from creating sharepoint sites, also disables the ability to fully create teams |
| Only allow users to sync OneDrive from AAD joined devices | Portal Only | Only allow AAD joined devices to sync using the onedrive client. Users without will receive an error. |
| Disable Shared Mailbox AAD accounts | Get-mailbox &Â Disable-user | Shared mailboxes can be directly logged into if the password is reset, this presents a security risk as do all shared login credentials. Microsoft's recommendation is to disable the user account for shared mailboxes. It would be a good idea to review the sign-in reports to establish potential impact. |
| Require admin consent for applications (Prevent OAuth phishing.) | Update-MgPolicyAuthorizationPolicy | Requires users to get administrator consent before sharing data with applications. You can preapprove specific applications. |
| Undo App Consent Standard | Update-MgPolicyAuthorizationPolicy | Undoes the Oauth phising standard |
| Enable Security Defaults | https://www.cyberdrain.com/automating-with-powershell-enabling-secure-defaults-and-sd-explained/ | Enables SD for the tenant, which disables all forms of basic authentication and enforces users to configure MFA. Users are only prompted for MFA when a logon is considered 'suspect' by Microsoft. |
| Enable per-user MFA for all user (Legacy) | Get-msoluser | set-msoluser -StrongAuthenticationRequirements |
Known Issues / Limitations​
- These jobs run asynchronously every 3 hours per default, you can check the log for the current operation by looking for "Standards API" in the LogBook.
- The job engine might slow down other APIs temporarily if it has a lot to process.(loads of settings, loads of tenants).
If you have any other issues, then please report a bug.
