Baseline Security Mode (BSM) in Microsoft 365

BSM is a secure-by-default, opt-in feature introduced at Microsoft Ignite 2025, now generally available. It simplifies tenant hardening by applying 18 initial settings across Authentication, File protection, and Room devices spanning Exchange, Teams, SharePoint, OneDrive, and Entra while continuously evolving with future service expansions.

Who Can Use BSM

• Requires a Microsoft 365 subscription, available across all plans.
• Configuration rights limited to Global or Security admins; scoped roles (e.g., Exchange, Teams, SharePoint Admins) can view and configure relevant domain settings.

How to Enable BSM

1. Access the Admin Portal
   • Sign in to the Microsoft 365 admin center as a Global or Security admin.
   • Navigate to Settings → Org Settings → Security & privacy → Baseline Security Mode.
   • Click on Open Baseline Security Mode button to open the BSM recommendations page.
     
2. Opt-in to BSM
   • Choose Apply default policies for the 11 low-impact settings.
   • For the 7 potentially disruptive settings:
     • Use Simulation mode to assess impact for up to 24 hours.
     • If safe, enable; otherwise, exclude users/apps as needed.
       
3. Monitor and Manage
   • Access dashboards for telemetry, CSV reporting, and manual overrides.
   • Roll out changes gradually and revisit periodically.

Generate Impact Report Before Policy Changes

When enabling a potentially disruptive BSM policy, you can generate an impact report to identify which users, groups, or applications would be affected before enforcement.

Steps to Generate an Impact Report:

1. Navigate to Settings → Org Settings → Security & privacy → Baseline Security Mode.
2. For each non-default policy, select Generate report.
3. Review the report, which includes:
   • Affected users and apps
   • Dependency details (protocols, conditional access policies)
   • Status tags like “At risk” or “Meets standards”

BSM Settings by Category

Authentication

1. Require phishing-resistant MFA for admins
2. Block legacy authentication protocols
3. Block basic authentication prompts
4. Block legacy browser auth to SPO/OD (RPS)
5. Block legacy client auth to SPO/OD (IDCRL)
6. Block adding new password credentials to applications
7. Restrict end-user consent to trusted apps

Files (OneDrive, SharePoint, Office Apps)

8. Block insecure file protocols (HTTP/FTP)
9. Block FrontPage RPC protocol
10. Open ancient legacy formats in Protected View (no edit)
11. Open older legacy formats in Protected View (with edit)
12. Block ActiveX controls in Office documents
13. Block OLE Graph and OrgChart objects
14. Block DDE server launches in Excel
15. Block Microsoft Publisher

Room Devices (Teams)

16. Block resource account sign-in to M365 apps
17. Only allow compliant, managed devices for resource accounts
18. Prevent resource accounts accessing M365 files

Recommended Deployment Workflow

1. Pilot low-impact defaults to distribute 11 safe policies quickly.
2. Run simulations on riskier settings, analyzing impact telemetry.
3. Address dependencies, consult app or user owners before enabling.
4. Enable remaining policies, or exempt entities with a watchlist.
5. Review consistently, leveraging updates as Microsoft extends BSM across more services.

Why Implement BSM?

• Reduces attack surface by disabling legacy auth, file exploits, and unsecured protocols.
• Streamlines compliance with secure-by-default posture and telemetry analytics.
• Minimizes disruption through targeted controls and staged rollout.
• Evolves continuously, expanding into Purview, Intune, Dynamics 365, Azure, etc.