Top 5 New Controls in the CIS Microsoft 365 Benchmark Version 6
- Kyle Cira

- Nov 12
- 3 min read

The Center for Internet Security (CIS) recently released version 6 of the Microsoft 365 Security Benchmark. It adds several new controls aimed at the ways Microsoft 365 tenants are actually being attacked today.
Taken together, these controls limit the blast radius of a business email compromise, make lateral movement across your devices harder, tighten identity management, and improve containment of compromised accounts.
Here are the top 5 new controls every organization should know about in CIS M365 v6.
1. Ensure Outbound Anti-Spam Message Limits Are in Place
Why it matters:
Outbound message limits help contain the impact of a Business Email Compromise (BEC) by automatically throttling or restricting accounts that suddenly begin sending large volumes of email.
This control is critical for:
Preventing compromised accounts from launching widespread phishing campaigns
Reducing the risk of your tenant being blocked from sending by Microsoft or landing on external blocklists
Maintaining your organization’s reputation and ensuring legitimate mail remains deliverable
Without outbound limits, a single compromised account can send thousands of messages before anyone notices, which can get the user, or in severe cases the whole tenant, blocked from sending by Microsoft. This control saved one of my customers. I strongly recommend implementing it today!
2. Ensure Direct Send Submissions Are Rejected
Why it matters:
Direct Send lets a device or application deliver mail to your tenant's MX endpoint with no authentication at all, using a sender address in one of your own accepted domains. Attackers use it to drop mail that looks internal straight into your users' mailboxes.
Key risks include:
Unauthenticated Delivery: Anyone who can reach your MX endpoint can submit mail that claims to come from one of your domains.
Phishing and Spoofing: Messages appear to come from trusted internal users, printers or line-of-business systems, so recipients are more likely to act on them.
Weak Attribution: Because no credential is involved, a legitimate multifunction printer and an attacker impersonating it look the same, which makes Direct Send traffic hard to scope and block selectively.
Rejecting Direct Send submissions (the RejectDirectSend organization setting in Exchange Online) forces every message from your own domains to arrive through an authenticated path, either SMTP AUTH client submission or a configured inbound connector, and closes a loophole attackers exploit routinely. Inventory the devices and applications that still rely on Direct Send before you turn it on, because their mail will start bouncing.
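The two Exchange Online controls above (outbound recipient limits and Direct Send rejection) can be audited and applied from the ExchangeOnlineManagement module. The script below is an added example written for this page; it is not code from CIS or from the original post. The recipient thresholds are illustrative assumptions rather than benchmark-mandated numbers, and the NDR code quoted in the comment is an assumption to verify against current Microsoft documentation.

```powershell
# Added example for this page (not CIS or the original author's code).
# Prerequisite: Install-Module ExchangeOnlineManagement; Connect-ExchangeOnline
# Threshold values are illustrative assumptions, not CIS-mandated numbers.

function Test-ExoOutboundMailControls {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$ExternalPerHour = 400,   # assumed threshold
        [int]$InternalPerHour = 800,   # assumed threshold
        [int]$PerDay          = 1000,  # assumed threshold
        [switch]$Remediate             # without this switch the function only reports
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # --- Control 1: outbound anti-spam recipient limits -------------------
    # A value of 0 means "service default", i.e. no explicit limit is configured.
    foreach ($p in Get-HostedOutboundSpamFilterPolicy) {
        $issues = @()
        if ($p.RecipientLimitExternalPerHour -eq 0) { $issues += 'external per-hour limit not set' }
        if ($p.RecipientLimitInternalPerHour -eq 0) { $issues += 'internal per-hour limit not set' }
        if ($p.RecipientLimitPerDay -eq 0)          { $issues += 'daily limit not set' }
        if ($p.ActionWhenThresholdReached -notin 'BlockUser', 'BlockUserForToday') {
            $issues += "threshold action is '$($p.ActionWhenThresholdReached)', sender is not blocked"
        }
        if ($issues.Count -gt 0) {
            $findings.Add([pscustomobject]@{
                Control = 'Outbound limits'; Object = $p.Identity; Issue = ($issues -join '; ')
            })
            if ($Remediate -and $PSCmdlet.ShouldProcess($p.Identity, 'Set recipient limits and BlockUser action')) {
                Set-HostedOutboundSpamFilterPolicy -Identity $p.Identity `
                    -RecipientLimitExternalPerHour $ExternalPerHour `
                    -RecipientLimitInternalPerHour $InternalPerHour `
                    -RecipientLimitPerDay $PerDay `
                    -ActionWhenThresholdReached BlockUser
            }
        }
    }

    # --- Control 2: reject Direct Send ------------------------------------
    $org = Get-OrganizationConfig
    if (-not $org.RejectDirectSend) {
        $findings.Add([pscustomobject]@{
            Control = 'Direct Send'; Object = $org.Name; Issue = 'RejectDirectSend is False'
        })
        if ($Remediate -and $PSCmdlet.ShouldProcess($org.Name, 'Set RejectDirectSend to $true')) {
            # Once enabled, unauthenticated submissions from your own domains are
            # refused (assumed NDR: 550 5.7.68 TenantInboundAttribution). Move any
            # printers/apps still using Direct Send to SMTP AUTH client submission
            # or an inbound connector before flipping this.
            Set-OrganizationConfig -RejectDirectSend $true
        }
    }

    return $findings
}

# Report only:
Test-ExoOutboundMailControls | Format-Table -AutoSize
# Apply, prompting before each change:
# Test-ExoOutboundMailControls -Remediate -Confirm
```

Run it without the switch first and review the findings; the remediation path is gated behind both `-Remediate` and PowerShell's `ShouldProcess`, so `-WhatIf` shows exactly which policies would change. Every outbound spam filter policy is checked, not only the default, because a custom policy scoped to a group silently overrides the default for those users.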
3. Ensure Local Administrator Assignment Is Limited During Entra Join
Why it matters:
When a user joins a device to Microsoft Entra ID (formerly Azure AD), that user is added to the device's local Administrators group by default. Left unmanaged, this hands every end user standing admin rights on their own machine and undermines the principle of least privilege.
CIS now recommends turning off automatic local administrator assignment for the registering user in the Entra device settings and managing local admin membership centrally through Intune and purpose-built roles such as Microsoft Entra Joined Device Local Administrator. This reduces:
The number of users with elevated privileges
The attack surface associated with local admin accounts
The risk of privilege abuse or credential theft
Centralized management also streamlines deprovisioning—ensuring administrative access can be revoked efficiently and consistently across all endpoints.
4. Ensure Local Administrator Password Solution (LAPS) Is Enabled
Why it matters:
Windows Local Administrator Password Solution (LAPS) gives every device a unique local administrator password, rotates it on a schedule, and backs it up to Microsoft Entra ID. An attacker who recovers one device's local admin password can no longer reuse it to move laterally across the fleet.
By enforcing LAPS, organizations gain:
Unique, random local passwords per device
Automatic password rotation and protection in Entra ID
Stronger defense against lateral movement post-compromise
This control is an essential step in protecting privileged credentials in hybrid and cloud environments.
5. Ensure the Global Administrator Role Is Not Added as a Local Administrator During Entra Join
Why it matters:
Using Global Administrator (GA) accounts for local administration is a dangerous shortcut that can lead to full organizational compromise.
CIS now explicitly recommends turning off the Entra device setting that adds the Global Administrator role to the local Administrators group during Entra join. This ensures that:
High-level accounts aren’t exposed to endpoint-level risks
Administrative actions are performed using appropriately scoped accounts
The principle of least privilege is consistently enforced
For example, if a Global Administrator signs in to a compromised device, the attacker can capture that session's tokens or credentials and extend the compromise from one endpoint to the entire tenant. Where someone genuinely needs local admin on joined devices, assign the Microsoft Entra Joined Device Local Administrator role instead.
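Controls 3, 4 and 5 all live in the same place: the Entra device registration settings (Entra admin center > Devices > Device settings). The script below, an added example written for this page and not code from CIS or the original post, reads those settings through Microsoft Graph and then checks whether LAPS has actually stored a password for a sample of Windows devices, since enabling the tenant toggle alone does nothing until an Intune LAPS policy reaches the endpoints. Assumptions to verify against current documentation: the beta `deviceRegistrationPolicy` resource and the property and `@odata.type` names used below, and that `Get-LapsAADPassword -DeviceIds` accepts the Entra `deviceId`.

```powershell
# Added example for this page (not CIS or the original author's code).
# Prerequisites: Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement,
# and the Windows LAPS module (built into Windows 11 / Server 2022 and later).
# Assumed and to be verified: the beta deviceRegistrationPolicy resource shape and
# the odata type names below.

Connect-MgGraph -Scopes 'Policy.Read.All', 'Device.Read.All', 'DeviceLocalCredential.Read.All' | Out-Null

function Get-EntraJoinLocalAdminPosture {
    # One resource carries all three toggles shown under Devices > Device settings.
    $policy = Invoke-MgGraphRequest -Method GET `
        -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy'

    $localAdmins = $policy.azureADJoin.localAdmins
    # registeringUsers is a membership object; its @odata.type says who gets local
    # admin during join (assumed type names):
    #   #microsoft.graph.noDeviceRegistrationMembership         -> None     (CIS-aligned)
    #   #microsoft.graph.enumeratedDeviceRegistrationMembership -> Selected users/groups
    #   #microsoft.graph.allDeviceRegistrationMembership        -> All registering users
    $registering = $localAdmins.registeringUsers.'@odata.type'

    $checks = @(
        @{ Control = '3. Registering user becomes local admin'
           Current = ($registering -ne '#microsoft.graph.noDeviceRegistrationMembership'); Expected = $false }
        @{ Control = '4. Entra LAPS enabled'
           Current = [bool]$policy.localAdminPassword.isEnabled; Expected = $true }
        @{ Control = '5. Global Admins become local admin'
           Current = [bool]$localAdmins.enableGlobalAdmins; Expected = $false }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Control   = $c.Control
            Current   = $c.Current
            Expected  = $c.Expected
            Compliant = ($c.Current -eq $c.Expected)
        }
    }
}

function Test-LapsPasswordBackup {
    # The tenant toggle is necessary but not sufficient: each device also needs an
    # Intune LAPS policy (BackupDirectory = Entra ID) and must have rotated a
    # password since. Without -IncludePasswords the cmdlet returns only metadata,
    # never the secret, so this check needs no password-read privilege in practice.
    param([int]$SampleSize = 25)

    Get-MgDevice -Filter "operatingSystem eq 'Windows'" -Top $SampleSize | ForEach-Object {
        # Assumption: -DeviceIds accepts the Entra deviceId (the cmdlet help also lists device names).
        $entry = Get-LapsAADPassword -DeviceIds $_.DeviceId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Device             = $_.DisplayName
            LapsPasswordStored = [bool]$entry
            PasswordExpires    = $entry.PasswordExpirationTime
        }
    }
}

Get-EntraJoinLocalAdminPosture | Format-Table -AutoSize
Test-LapsPasswordBackup        | Format-Table -AutoSize
```

Devices that report `LapsPasswordStored = False` while the tenant toggle is on are the ones to chase: they are either missing the Intune LAPS policy, still backing up to on-premises AD, or have not checked in since the policy was assigned. The three settings themselves are changed in the Entra admin center; the script deliberately reads rather than writes them, because a misconfigured write to the registration policy can lock out legitimate joins.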
Final Thoughts
These new CIS M365 v6 controls reflect a continued push toward identity-centric, least-privilege, and containment-driven security—three of the most important principles for modern cloud defense.
Organizations that quickly align to the new benchmark will significantly strengthen their Microsoft 365 security posture and reduce the risk of credential misuse, data leaks, and mail-based compromise.
👉 Call Redeemer Cyber today to schedule a Microsoft 365 Security Assessment and verify whether these new controls—and the rest of the CIS M365 v6 benchmark—are properly implemented in your environment.📩 Visit www.redeemercyber.com to get started.