Microsoft is starting to roll out Baseline Security Mode to Microsoft 365 tenants. Through a new dashboard, administrators can assess, simulate, and then apply recommended security settings.
Microsoft is starting the rollout of Baseline Security Mode for Microsoft 365. This is an opt-in feature in the Microsoft 365 Admin Center. The mode bundles recommended security configurations for Office, SharePoint, Exchange, Teams, and Entra into a single dashboard. In December, the option will appear for some tenants under
Baseline Security Mode was announced during Ignite 2025. The goal is to make common configuration errors visible more quickly. Administrators can assess vulnerabilities via impact reports. They can then implement measures in phases, without immediate changes for end users.
18 to 20 policies, spread across three domains
According to Microsoft, the mode applies 18 to 20 policies across three core areas. A significant portion concerns authentication. In total, there are 12 authentication policies. These block, among other things, legacy protocols such as basic authentication, Exchange Web Services, and IDCRL. Phishing-resistant MFA is required for administrators, via FIDO2 or passkeys.
In addition, there are file- and app-related protection measures. These limit risky behavior, such as opening documents via insecure HTTP or FTP paths. Functions such as ActiveX and DDE are also more strictly shielded. Furthermore, the mode disables certain older tools, including Microsoft Publisher, which Microsoft plans to discontinue in 2026.
Simulation first, changes only after approval
Administrators with a Security or Global role can activate Baseline Security Mode themselves. They can have seven checks applied immediately via "Automatically apply default policies". For the remaining settings, there is "Generate report". This simulates the impact and uses audit data. The results usually appear within 24 hours. The tenant will only change after explicit approval.
The dashboard shows progress and status per component, such as "At risk" or "Meets standards". Microsoft says that the phased approach should help close gaps that are often exploited in phishing and credential stuffing. The public preview and general availability started in mid-November 2025. For GCC, DoD, and GCCH clouds, the phased rollout will continue until March 2026.
Earlier this month, Microsoft announced a price increase for business Microsoft 365 users. Many plans, including the popular Business Basic and Business Standard, are impacted.
