
Standards

Configuration Changes

A standard applies actual configuration to the selected tenant, not just monitoring.

Note that by default, Standards aren't applied to any tenants upon setup / configuration of CIPP. Applying any standard should only be undertaken with full understanding of the effects of the standard, detailed below.

The Standards page lets you apply or reapply specific standards to your entire client base. Standards are reapplied to your tenants every three hours by default. If a setting covered by a standard is changed, the value specified in the standard takes precedence the next time the standards are applied.

Plans exist to implement more standardised options and settings, along with an alerting system supporting Remote Monitoring and Management (RMM) systems, webhooks or e-mail.

The standards are explained below:

Meet the Standards

Low Impact

Changes which have no user-facing impact or minimal impact.

| Standard Name | PowerShell equivalent | Description |
| --- | --- | --- |
| Set General Contact e-mail | `Set-MsolCompanyContactInformation` | This is where Microsoft sends updates about subscriptions. |
| Set Security Contact e-mail | `Set-MsolCompanyContactInformation` | Receives e-mails about security alerts or advisories from Microsoft. |
| Set Marketing Contact e-mail | `Set-MsolCompanyContactInformation` | Receives e-mails related to marketing, new features, etc. |
| Set Technical Contact e-mail | `Set-MsolCompanyContactInformation` | Receives e-mails related to possible technical issues, service disruptions, etc. |
| Enable the Unified Audit Log | `Enable-OrganizationCustomization` | Enables the Microsoft Unified Audit Log. |
| Enable Usernames instead of pseudo anonymised names in reports | Portal Only | Microsoft announced that some APIs and reports no longer return names, to comply with legal requirements in specific countries. This is a problem for many MSPs because those reports are often helpful for engineers. This standard applies a setting that shows usernames in those API calls / reports. |
| Enable Modern Authentication | `Set-OrganizationConfig -OAuth2ClientProfileEnabled $true` | Enables Modern Authentication. If your tenant was created after 2018 this should already be the current state. |
| Disable Basic Authentication | Setting enforced by Microsoft starting October 2022 | Disables most forms of basic user authentication; SMTP authentication is still permitted, as Microsoft doesn't consider it a legacy protocol yet. It's important to review the sign-in reports to identify the impact for each customer. It cuts off any existing connection and blocks future connections using legacy authentication, and blocks applications or devices which don't support modern authentication. |
| Don't expire passwords | Portal Only | Sets passwords to never expire for the tenant; recommended to use in conjunction with secure password requirements. |
| Disable M365 Group creation by users | Portal Only | Users are allowed to create M365 groups by default. This disables that so only admins can create new M365 groups. |
| Enable Temporary Access Passwords | Portal Only | Enables Temporary Access Password generation for the tenant. |
| Enable Spoofing warnings for Outlook ("This e-mail is external" identifiers) | `Set-ExternalInOutlook -Enabled $true` | Adds indicators to e-mail messages received from external senders in Outlook. You can read more about this feature on Microsoft's Exchange Team Blog. |
| Enable Passwordless with Number Matching | `New-AzureADPolicy` | Allows users to use Passwordless with Number Matching. |
| Enable Passwordless with Location information and Number Matching | `New-AzureADPolicy` | Allows users to use Passwordless with Number Matching and adds location information from the last request. |
| Disable daily Insight/Viva reports | `Set-UserBriefingConfig` | Disables Daily Insight reports for all users in the tenant. |
| Retain a deleted user OneDrive for 1 year | Portal Only | When a OneDrive user is deleted, the SharePoint site is retained for 1 year and data can be retrieved from it. |
| Enable Auto-expanding archives | `Set-OrganizationConfig -AutoExpandingArchive` | Enables auto-expanding archives for the tenant. Does not enable archives for users. |
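
Because standards overwrite a changed setting on the next three-hourly run, it helps to know which of these settings a tenant currently differs on before enabling them. The following read-only check is an added example, not CIPP's own code; it covers the Exchange Online based Low Impact standards above and assumes the ExchangeOnlineManagement module is installed and you are already connected (with `-DelegatedOrganization` for a customer tenant).

```powershell
# Added example (not part of CIPP): report drift between a tenant's current
# Exchange Online configuration and the Low Impact standards listed above.
# Assumes an existing session from Connect-ExchangeOnline. Read-only.

function Get-LowImpactStandardDrift {
    [CmdletBinding()]
    param()

    $org   = Get-OrganizationConfig
    $audit = Get-AdminAuditLogConfig
    $ext   = Get-ExternalInOutlook | Select-Object -First 1

    # One row per standard: the value CIPP would enforce versus what the
    # tenant reports right now.
    $checks = @(
        [pscustomobject]@{ Standard = 'Enable the Unified Audit Log';        Expected = $true; Actual = [bool]$audit.UnifiedAuditLogIngestionEnabled }
        [pscustomobject]@{ Standard = 'Enable Modern Authentication';         Expected = $true; Actual = [bool]$org.OAuth2ClientProfileEnabled }
        [pscustomobject]@{ Standard = 'Enable Spoofing warnings for Outlook'; Expected = $true; Actual = [bool]$ext.Enabled }
        [pscustomobject]@{ Standard = 'Enable Auto-expanding archives';       Expected = $true; Actual = [bool]$org.AutoExpandingArchiveEnabled }
    )

    foreach ($c in $checks) {
        # Drift = $true means the next standards run would change this setting.
        $c | Add-Member -NotePropertyName Drift -NotePropertyValue ($c.Expected -ne $c.Actual) -PassThru
    }
}

Get-LowImpactStandardDrift | Format-Table Standard, Expected, Actual, Drift -AutoSize
```

Run it against each tenant before enabling the corresponding standards; any row with `Drift` set to `$true` is a setting that was deliberately or accidentally changed and will be overwritten.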
Medium Impact

Changes which have a user impact mitigated with a little communication.

| Standard Name | PowerShell equivalent cmdlet | Description |
| --- | --- | --- |
| Disable Security Group creation by users | Portal Only | Completely disables the creation of security groups by users. This also breaks users' ability to manage groups themselves, or to create Teams. |
| Enable Self Service Password Reset | Portal Only | Enables SSPR for the tenant, requiring users to register two methods via which they can reset their password. |
| Undo SSPR Standard | Portal Only | Removes the SSPR configuration that has been set by CIPP. |
| Disable Azure Portal access for Standard users | Portal Only | Prevents standard users from accessing the Azure portal. This might cause issues if users have their own Azure resources configured. |
| Remove Legacy MFA if SD or CA is active | `Get-MsolUser`; `Set-MsolUser -StrongAuthenticationRequirements $null` | |
| Disable Self Service Licensing | `Set-MsolCompanySettings -AllowAdHocSubscriptions $false` | Does not allow users to get their own licenses. This also blocks Power BI self-service and Flow self-service. |
| Allow users to send from their alias addresses | `Set-Mailbox` | Allows users to change the 'from' address to any alias set in their Azure AD profile. |
| Enable 1 hour Activity based Timeout | Portal Only | Sets the maximum session age of SharePoint sites to 1 hour before users are logged out. |
| Set mailbox Sent Items delegation (Sent items for shared mailboxes) | `Set-Mailbox` | Makes sure that e-mails sent from shared mailboxes or delegate mailboxes end up in the Sent Items of the shared/delegate mailbox instead of the sender's, allowing you to keep replies in the same mailbox as the original e-mail. |
High Impact

Changes which require thought and planning. Deployment should ideally be coordinated with customers, as these may have significant impacts on how users interact with Microsoft 365.

| Standard Name | PowerShell equivalent | Description |
| --- | --- | --- |
| Set Sharing Level for OneDrive and SharePoint | Portal Only | Sets the sharing level users are allowed to use for OneDrive. |
| Exclude File Extensions from Syncing | Portal Only | Excludes files with the specified extensions from being synced. Users will get an error when trying to sync those files. |
| Do not allow Mac devices to sync using OneDrive | Portal Only | Disables syncing via OneDrive on Mac devices. |
| Disable Resharing by External Users | Portal Only | Prevents (guest) users from resharing a file to more users. |
| Disable site creation by standard users | Portal Only | Prevents standard users from creating SharePoint sites; this also disables the ability to fully create Teams. |
| Only allow users to sync OneDrive from AAD joined devices | Portal Only | Only allows AAD joined devices to sync using the OneDrive client. Users on other devices will receive an error. |
| Disable Shared Mailbox AAD accounts | `Get-Mailbox` & `Disable-User` | Shared mailboxes can be logged into directly if their password is reset; this presents a security risk, as do all shared login credentials. Microsoft's recommendation is to disable the user account for shared mailboxes. It is a good idea to review the sign-in reports to establish the potential impact. |
| Require admin consent for applications (Prevent OAuth phishing) | `Update-MgPolicyAuthorizationPolicy` | Requires users to get administrator consent before sharing data with applications. You can preapprove specific applications. |
| Undo App Consent Standard | `Update-MgPolicyAuthorizationPolicy` | Undoes the OAuth phishing standard. |
| Enable Security Defaults | See https://www.cyberdrain.com/automating-with-powershell-enabling-secure-defaults-and-sd-explained/ | Enables SD for the tenant, which disables all forms of basic authentication and enforces that users configure MFA. Users are only prompted for MFA when a logon is considered 'suspect' by Microsoft. |
| Enable per-user MFA for all users (Legacy) | `Get-MsolUser`; `Set-MsolUser -StrongAuthenticationRequirements` | |
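
The "Disable Shared Mailbox AAD accounts" standard recommends reviewing sign-in activity before it is applied. The script below is an added example, not CIPP's own code: it lists the shared mailboxes whose account is still enabled together with their last sign-in, so the impact can be judged per tenant. It assumes sessions from `Connect-ExchangeOnline` and `Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All'`; the `SignInActivity` property additionally requires an Entra ID P1 licence in the tenant.

```powershell
# Added example (not part of CIPP): find shared mailboxes whose Azure AD
# account is still enabled, with the last interactive sign-in if available.
# Assumes existing Exchange Online and Microsoft Graph sessions. Read-only.

function Get-EnabledSharedMailboxAccounts {
    [CmdletBinding()]
    param()

    Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | ForEach-Object {
        # Look up the directory object behind the mailbox; SignInActivity is
        # $null when the user never signed in or the tenant lacks a P1 licence.
        $user = Get-MgUser -UserId $_.UserPrincipalName -Property AccountEnabled,SignInActivity

        [pscustomobject]@{
            Mailbox        = $_.UserPrincipalName
            AccountEnabled = $user.AccountEnabled
            LastSignIn     = $user.SignInActivity.LastSignInDateTime
        }
    } | Where-Object { $_.AccountEnabled }
}

# Mailboxes with a recent LastSignIn are the ones where disabling the account
# is most likely to break something (a device or script using the credential).
Get-EnabledSharedMailboxAccounts | Sort-Object LastSignIn -Descending | Format-Table -AutoSize
```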

Known Issues / Limitations

  • These jobs run asynchronously every 3 hours by default; you can check the log for the current operation by looking for "Standards API" in the LogBook.
  • The job engine might temporarily slow down other APIs if it has a lot to process (many settings, many tenants).

If you have any other issues, then please report a bug.