Most security problems in Microsoft 365 are not caused by zero-day vulnerabilities or sophisticated attackers. They are caused by misconfigurations — settings left at their default values, features never enabled, policies created but not enforced. Microsoft's new Baseline Security Mode is designed to surface exactly these gaps, presented in plain language with impact analysis before any change is applied.
If you are a Microsoft 365 administrator — or if someone else manages your tenant and you want to know whether it is configured securely — this post explains what the dashboard shows, what the recommendations actually mean, and how to prioritise what to fix first.
What Baseline Security Mode Is — and Is Not
Baseline Security Mode is a centralised dashboard in the Microsoft 365 Admin Center that compares your tenant's current configuration against Microsoft's recommended minimum security standards across five workloads: Office apps, SharePoint, Exchange Online, Microsoft Teams, and Entra ID (formerly Azure Active Directory).
It is not an automatic enforcement tool. Nothing changes in your tenant until an administrator explicitly chooses to apply a recommendation. The dashboard shows you the gap; it does not close it without your approval. This is important to understand, because the name "Security Mode" implies something active when it is fundamentally a visibility and guidance tool.
What makes it useful is the impact analysis feature. Before applying any recommended change, you can run an impact report that shows which users or groups will be affected, what the change will do in practical terms, and whether any exceptions should be made. For busy administrators who cannot afford to break something during a Tuesday morning configuration change, this is genuinely valuable.
How to Find It and Read the Dashboard
- Log into the Microsoft 365 Admin Center at admin.microsoft.com with a Global Admin or Security Admin account.
- Navigate to Settings → Org Settings → Security & privacy → Baseline Security Mode.
- The main view shows a summary tile with your overall posture — either "Meets standards," "Partially meets standards," or "At risk."
- Below the summary, recommendations are grouped by workload and colour-coded by risk level: High (red), Medium (orange), and Informational (blue).
- Clicking any recommendation opens a detail panel with an explanation of the risk, the specific setting being evaluated, and the option to run an impact analysis or apply the recommendation.
Most tenants that have not been proactively hardened will show several High-risk recommendations, typically around MFA enforcement, legacy authentication blocking, and external sharing settings.
The Most Common Recommendations and What They Mean
MFA Not Enforced for All Users (High Risk)
This appears when Security Defaults are disabled and no Conditional Access policy enforces MFA for all users. An account without MFA can be compromised with only a stolen password — a realistic threat given how many credential databases are sold or leaked online. The fix is either enabling Security Defaults (fastest, least flexible) or creating a Conditional Access policy requiring MFA for all users except any approved exceptions.
Legacy Authentication Not Blocked (High Risk)
Legacy authentication protocols (SMTP AUTH, IMAP, POP3 with Basic Auth, older Exchange ActiveSync) bypass Conditional Access policies entirely, including MFA. An attacker who knows a user's password can authenticate via a legacy protocol and skip MFA completely. Blocking legacy auth via a Conditional Access policy closes this bypass. The impact analysis will flag any devices or applications still using these protocols — this is your checklist of what needs to be migrated first.
SharePoint External Sharing Too Permissive (Medium Risk)
The default SharePoint configuration allows sharing with anyone via an anonymous link. This means any document in your SharePoint or OneDrive can be shared with a URL that anyone can open without authentication. For DSGVO compliance in Germany, this setting is problematic — personal data that should be restricted could be shared inadvertently. The recommended setting is "Existing guests" or "Only people in your organisation" depending on your sharing needs.
Admin Accounts Not Separate from User Accounts (Medium Risk)
Global Administrators should have dedicated admin accounts that are not used for day-to-day email and productivity tasks. If a Global Admin account is also used for reading email and browsing the web, a phishing attack or malware infection on that account has immediate global administrative access to the entire tenant. Baseline Security Mode detects whether Global Admin accounts have mail enabled (indicating they are used for standard work) and flags this as a risk.
Audit Logging Not Enabled (Informational)
Microsoft 365 audit logging captures user and admin activities across Exchange, SharePoint, Teams, and Entra. It is not enabled by default in all tenants. Without it, you cannot investigate incidents after the fact — you have no record of who accessed what, when a file was deleted, or when a configuration change was made. For DSGVO breach investigations and NIS2 incident reporting, audit logs are not optional. Enable them immediately and ensure the retention period matches your compliance requirements.
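The five checks above can also be reproduced outside the dashboard, which is useful when you want an independent, scriptable record of the same findings. The script below is an added example, not Microsoft's or IDE Solutions' code; it assumes the Microsoft.Graph, ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, that the account has read rights on Entra, Exchange Online and SharePoint, and it uses a placeholder tenant name.

```powershell
# Added example, not Microsoft's or IDE Solutions' code. Read-only re-check of the five
# recommendations discussed above. Assumes Microsoft.Graph, ExchangeOnlineManagement and
# Microsoft.Online.SharePoint.PowerShell are installed; the tenant name is a placeholder.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

$findings = @()
function Add-Finding($risk, $text) { $script:findings += [pscustomobject]@{ Risk = $risk; Finding = $text } }

# 1. Audit logging (Informational): unified audit log ingestion must be switched on.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Add-Finding 'Informational' 'Unified audit log is not enabled'
}

# 2./3. Conditional Access: an enabled policy must require MFA for all users, and one
#       must block legacy client types (exchangeActiveSync / other). Report-only does not count.
$policies = Get-MgIdentityConditionalAccessPolicy | Where-Object State -eq 'enabled'
$mfaAll = $policies | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and $_.GrantControls.BuiltInControls -contains 'mfa'
}
if (-not $mfaAll) { Add-Finding 'High' 'No enabled Conditional Access policy requires MFA for all users' }

$legacyBlock = $policies | Where-Object {
    $_.Conditions.ClientAppTypes -contains 'other' -and $_.GrantControls.BuiltInControls -contains 'block'
}
if (-not $legacyBlock) { Add-Finding 'High' 'Legacy authentication is not blocked by Conditional Access' }

# 4. SharePoint sharing (Medium): ExternalUserAndGuestSharing is the "Anyone" (anonymous link) level.
$sharing = (Get-SPOTenant).SharingCapability
if ($sharing -eq 'ExternalUserAndGuestSharing') {
    Add-Finding 'Medium' "SharePoint SharingCapability is $sharing (anonymous links allowed)"
}

# 5. Admin separation (Medium): a Global Admin with a mailbox is probably also a daily-use account.
#    62e90394-... is the well-known Global Administrator role template ID.
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id) {
    $upn = $member.AdditionalProperties['userPrincipalName']     # null for non-user members
    if ($upn -and (Get-EXOMailbox -Identity $upn -ErrorAction SilentlyContinue)) {
        Add-Finding 'Medium' "Global Admin $upn has a mailbox"
    }
}

# Print High first, then Medium, then Informational, mirroring the dashboard's colour bands.
$order = @{ High = 0; Medium = 1; Informational = 2 }
$findings | Sort-Object { $order[$_.Risk] } | Format-Table -AutoSize
```

The script only reads configuration; it changes nothing, so it can be run against a tenant you do not administer day to day to confirm what the dashboard reports.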
Mapping to BSI IT-Grundschutz
For organisations in Germany following the BSI IT-Grundschutz methodology, Baseline Security Mode recommendations map directly to several standard building blocks:
- ORP.4 (Identity and Access Management): MFA enforcement, admin account separation, and Conditional Access policies address ORP.4 requirements directly.
- OPS.1.1.3 (Patch Management): While Microsoft 365 is a cloud service and patches are handled by Microsoft, ensuring your tenant is not running deprecated configurations (legacy auth) aligns with the spirit of this building block.
- CON.2 (Data Privacy): SharePoint external sharing settings directly impact DSGVO compliance documentation under CON.2.
- DER.2.1 (Incident Handling): Audit logging is a prerequisite for any effective incident response — the absence of logs is a critical gap under DER.2.1.
If your organisation is pursuing BSI IT-Grundschutz certification or maintaining an ISMS, a clean Baseline Security Mode dashboard is a useful evidence artefact — a Microsoft-verified confirmation that your tenant meets their recommended standards, timestamped and reproducible.
A Realistic Implementation Order
Not all recommendations carry the same urgency. Here is a practical sequence:
- Enable audit logging — no user impact, takes 5 minutes, and you need it before anything else so you have a baseline record.
- Block legacy authentication — run the impact analysis first to identify affected devices. Plan device remediation alongside the policy change.
- Enforce MFA — use Conditional Access rather than Security Defaults if you need any exceptions (service accounts, break-glass accounts). Roll out phased by department with user communication.
- Restrict SharePoint external sharing — review what is currently shared anonymously before tightening, to avoid breaking existing workflows unexpectedly.
- Separate admin accounts — create dedicated cloud-only admin accounts for each Global Admin and revoke Global Admin from their standard user accounts.
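Step 2 is where the "impact analysis first" habit matters most, and the same approach can be scripted. The block below is an added example, not the page's or Microsoft's code; it assumes the Microsoft.Graph module, rights to create Conditional Access policies and read sign-in logs, and uses a placeholder group ID for the break-glass accounts. It creates the legacy-auth block policy in report-only mode and then lists which accounts and client types would have been affected over the last 30 days.

```powershell
# Added example (not from the page or Microsoft): create the legacy-auth block policy in
# report-only mode, then list recent sign-ins from legacy clients so affected devices and
# apps can be migrated before the policy is switched to 'enabled'. Group ID is a placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access group

$policy = @{
    displayName   = 'Baseline - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'       # report-only: no user impact yet
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')    # 'other' covers Basic-auth IMAP/POP/SMTP
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State

# Sign-in log "Client app" values Entra uses for the protocols named in this post.
$legacyClients = @('Exchange ActiveSync', 'IMAP4', 'POP3', 'Authenticated SMTP', 'Other clients')
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# Group by user and client type: this is the migration checklist before enforcing the block.
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -in $legacyClients } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

Once the list is empty (or every remaining entry has been migrated or explicitly excepted), change the policy's state to 'enabled' with Update-MgIdentityConditionalAccessPolicy.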
How IDE Solutions Can Help
We run Baseline Security Mode reviews for managed clients and for businesses that want a one-time security assessment of their Microsoft 365 environment. Our process covers every recommendation in the dashboard, prioritises fixes by risk and operational impact, and implements changes with tested rollback procedures.
For businesses that need BSI IT-Grundschutz documentation, we map the Baseline Security Mode findings directly to the relevant building blocks and produce an evidence package suitable for an ISMS audit.
Reference: Microsoft 365 Security Documentation