Baseline Security Mode is Microsoft’s secure-by-default framework for Microsoft 365.
It lets admins turn on recommended security protections directly from the Microsoft 365 admin center, without needing PowerShell.
Think of it as:
“Microsoft’s opinionated security baseline — designed to block common attacks while still letting admins control rollout.”
What Baseline Security Mode Helps With
It is designed to:
- Protect business data
- Prevent account compromise
- Block unsafe end-user behavior
- Secure privileged admin accounts
- Ensure safe collaboration
It applies across core Microsoft 365 services:
- Microsoft 365 Apps
- SharePoint & OneDrive
- Microsoft Teams
- Exchange Online
- Microsoft Entra
Why This Matters for Techs
Historically, many of these settings were:
- Hidden in PowerShell
- Hard to audit
- Applied inconsistently
Baseline Security Mode centralises them, adds impact reporting, and allows phased rollout.
This means:
✅ Fewer legacy attack paths
✅ Less guesswork
✅ Safer defaults without breaking production
How to Access Baseline Security Mode
- Sign in to Microsoft 365 Admin Center
- Go to Settings > Org settings
- Select Security & Privacy
- Open Baseline Security Mode
⚠️ Role-based access applies — workload admins only see what they manage.
Recommended Rollout Approach (Microsoft-Approved)
Microsoft strongly recommends a phased rollout:
- Run impact reports for each setting
- If zero impact → enable it
- If dependencies exist → fix them first
- Temporarily disable settings to test impact
This avoids outages while moving toward secure-by-default.
Key Security Areas Covered
Authentication Protections
Baseline Security Mode blocks the most abused attack methods:
- Enforces phishing-resistant MFA for admins
- Blocks legacy authentication (used in most password spray attacks)
- Prevents adding weak password credentials to apps
- Restricts risky app consent
- Blocks basic authentication prompts
📌 Microsoft reports up to 99% reduction in account compromise when legacy auth is disabled.
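The phased rollout above and the "block legacy authentication" setting meet in the impact report: before enabling the block, an admin wants to know which accounts still sign in with legacy protocols. The PowerShell below is an added example, not code from the article or from Microsoft. It assumes an Entra ID sign-in log export with the columns "Date (UTC)", "Username", "Client app", "Application" and "Status", and the list of client-app values treated as legacy is an assumption drawn from the sign-in log's "Client app" filter; the CSV rows are constructed. It also covers Exchange ActiveSync, one of the known impacts listed later on this page.

```powershell
# Added example (not from the article or Microsoft): build a "block legacy
# authentication" impact report from a constructed Entra ID sign-in log export.

# Client-app values that only appear when a legacy (basic) auth protocol was used.
# Assumption: taken from the Entra sign-in log "Client app" filter; adjust to taste.
$LegacyClientApps = @(
    'Exchange ActiveSync', 'IMAP4', 'POP3', 'Authenticated SMTP',
    'Exchange Web Services', 'MAPI Over HTTP', 'Autodiscover',
    'Offline Address Book', 'Exchange Online PowerShell', 'Other clients'
)

function Get-LegacyAuthImpact {
    # Groups successful legacy-auth sign-ins since $Since by user and client app,
    # which is exactly the population the baseline setting would block.
    param(
        [Parameter(Mandatory)] [object[]]  $SignIns,  # rows from ConvertFrom-Csv / Import-Csv
        [Parameter(Mandatory)] [datetime]  $Since
    )
    $legacy = $SignIns | Where-Object {
        ($LegacyClientApps -contains $_.'Client app') -and
        ($_.Status -eq 'Success') -and
        ([datetime]$_.'Date (UTC)' -ge $Since)
    }
    $legacy | Group-Object -Property Username, 'Client app' | ForEach-Object {
        $newest = $_.Group | Sort-Object { [datetime]$_.'Date (UTC)' } -Descending | Select-Object -First 1
        [pscustomobject]@{
            Username  = $_.Group[0].Username
            ClientApp = $_.Group[0].'Client app'
            SignIns   = $_.Count
            LastSeen  = $newest.'Date (UTC)'
        }
    } | Sort-Object -Property SignIns -Descending
}

function Get-RolloutDecision {
    # Applies the page's rule: zero impact -> enable; otherwise fix dependencies first.
    param([object[]] $Impact)
    if (-not $Impact) { return 'Enable: zero legacy-auth sign-ins in the reporting window' }
    $users = @($Impact.Username | Sort-Object -Unique).Count
    return "Fix first: $users account(s) still use legacy protocols; migrate them, then re-run the report"
}

# Constructed sample rows standing in for a real sign-in log CSV export.
$sampleCsv = @"
Date (UTC),Username,Client app,Application,Status
2026-03-01T08:12:00Z,alice@contoso.example,Browser,Office 365 Exchange Online,Success
2026-03-01T08:15:00Z,bob@contoso.example,IMAP4,Office 365 Exchange Online,Success
2026-03-02T09:01:00Z,bob@contoso.example,IMAP4,Office 365 Exchange Online,Success
2026-03-02T11:40:00Z,scanner@contoso.example,Authenticated SMTP,Office 365 Exchange Online,Success
2026-03-03T07:30:00Z,carol@contoso.example,Mobile Apps and Desktop clients,Microsoft Teams,Success
2026-03-03T10:05:00Z,mallory@contoso.example,POP3,Office 365 Exchange Online,Failure
"@
$signIns = $sampleCsv | ConvertFrom-Csv

# With the sample data this lists bob (IMAP4, 2 sign-ins) and the scanner account
# (Authenticated SMTP, 1 sign-in); the failed POP3 attempt is ignored because it
# would not be a working dependency. The decision is therefore "Fix first".
$impact = Get-LegacyAuthImpact -SignIns $signIns -Since ([datetime]'2026-02-01')
$impact | Format-Table -AutoSize
Get-RolloutDecision -Impact $impact
```

For a real tenant, replace the here-string with `Import-Csv` over a sign-in log export (or a Graph query), keep the window to the last 30 days or so, and treat service accounts such as the scanner above as the dependencies the page says to fix first: they are the ones that typically need an application-specific replacement (modern-auth SMTP, Graph) before the setting goes live.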
File & App Security (Office, SharePoint, OneDrive)
These settings reduce file-based attacks:
- Opens legacy file formats in Protected View
- Blocks ActiveX, OLE and DDE exploits
- Blocks insecure protocols (HTTP / FTP)
- Disables Microsoft Publisher (end-of-life Oct 2026)
- Prevents new custom scripts in SharePoint
Translation: Stops malicious files from executing code when users open documents.
Exchange & API Security
- Disables Exchange Web Services (EWS)
- Reduces legacy app access to mailbox data
- Minimizes phishing, spoofing, and mailbox abuse
⚠️ Important:
Before disabling EWS, ensure:
- Clients are on supported Office builds
- Hybrid Exchange supports REST APIs
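The EWS pre-check above is easiest when you can see, per mailbox, whether EWS is still effectively on and which applications are allowed to use it. The following is an added example, not code from the article or from Microsoft. It assumes the `EwsEnabled`, `EwsApplicationAccessPolicy` and `EwsAllowList` properties that `Get-OrganizationConfig` and `Get-CASMailbox` return, treats a `$null` mailbox value as "inherit the organization setting" and a `$null` organization value as "enabled" (both are assumptions about defaults), and uses constructed objects so it runs without a tenant. The Office build and hybrid REST checks the page calls for are outside what this data can tell you.

```powershell
# Added example (not from the article or Microsoft): inventory which mailboxes
# would lose Exchange Web Services access before enabling the baseline
# "disable EWS" setting. Input objects are constructed below; in a tenant,
# feed the real cmdlet output in (see the commented call at the bottom).

function Get-EwsReadiness {
    param(
        [Parameter(Mandatory)] [object]   $OrganizationConfig,  # one Get-OrganizationConfig object
        [Parameter(Mandatory)] [object[]] $CasMailboxes         # Get-CASMailbox objects
    )
    # Assumption: an unset organization-level value behaves as "enabled".
    $orgEws = if ($null -eq $OrganizationConfig.EwsEnabled) { $true } else { $OrganizationConfig.EwsEnabled }

    $stillUsingEws = foreach ($m in $CasMailboxes) {
        # Assumption: $null at mailbox level means "inherit the organization setting".
        $effective = if ($null -eq $m.EwsEnabled) { $orgEws } else { $m.EwsEnabled }
        if ($effective -ne $false) {
            [pscustomobject]@{
                Mailbox      = $m.PrimarySmtpAddress
                EwsSetting   = if ($null -eq $m.EwsEnabled) { 'inherits org' } else { "$($m.EwsEnabled)" }
                AccessPolicy = $m.EwsApplicationAccessPolicy   # EnforceAllowList / EnforceBlockList / $null
                AllowList    = ($m.EwsAllowList -join ';')     # user-agent patterns still permitted
            }
        }
    }

    $count = @($stillUsingEws).Count
    [pscustomobject]@{
        OrgEwsEnabled  = $orgEws
        MailboxesOnEws = $count
        Details        = @($stillUsingEws)
        Recommendation = if ($count -eq 0) {
            'EWS is already off everywhere: enabling the baseline setting has zero impact'
        } else {
            'Fix first: confirm these mailboxes use supported Office builds and REST-capable integrations, then re-run'
        }
    }
}

# Constructed sample objects mirroring the relevant cmdlet properties.
$orgConfig = [pscustomobject]@{ EwsEnabled = $null }
$mailboxes = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@contoso.example';    EwsEnabled = $null;  EwsApplicationAccessPolicy = $null;               EwsAllowList = @() }
    [pscustomobject]@{ PrimarySmtpAddress = 'crm-sync@contoso.example'; EwsEnabled = $true;  EwsApplicationAccessPolicy = 'EnforceAllowList'; EwsAllowList = @('LegacyCrmConnector/*') }  # constructed user-agent pattern
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@contoso.example';      EwsEnabled = $false; EwsApplicationAccessPolicy = $null;               EwsAllowList = @() }
)

# With the sample data: alice (inherits org, effectively on) and crm-sync (explicitly on,
# with an allow-listed integration) are reported; bob is not. Recommendation: "Fix first".
$report = Get-EwsReadiness -OrganizationConfig $orgConfig -CasMailboxes $mailboxes
$report | Select-Object OrgEwsEnabled, MailboxesOnEws, Recommendation
$report.Details | Format-Table -AutoSize

# Real tenant (requires the ExchangeOnlineManagement module and Connect-ExchangeOnline):
# Get-EwsReadiness -OrganizationConfig (Get-OrganizationConfig) -CasMailboxes (Get-CASMailbox -ResultSize Unlimited)
```

The `AccessPolicy` and `AllowList` columns are the useful part of the output: a mailbox with an allow-listed user agent is a named integration that will break when EWS goes away, which is precisely the dependency the page says to fix before enabling the setting rather than discover afterwards.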
Teams Rooms & Device Security
Protects resource accounts, which are often overlooked:
- Blocks unmanaged devices from signing in
- Prevents Teams Rooms accounts from accessing M365 files
- Requires compliant, managed endpoints
This stops attackers from abusing shared meeting room accounts.
Known Impacts & Limitations (Read This First)
When enabled, the following may stop working:
- Legacy Exchange ActiveSync certificate auth
- Power BI / Fabric Power Query connectors
- Cross-tenant calendar sharing & MailTips
- Some Dynamics & Power Platform dataflows
➡️ This is why impact reports are critical before enabling.
Who Can Configure What?
| Area | Required Role |
|---|---|
| Authentication | Security / Conditional Access Admin |
| SharePoint & OneDrive | SharePoint Admin |
| Exchange | Exchange Admin |
| Teams / Rooms | Teams Admin |
| Office Apps | Office Apps Admin |
Baseline Security Mode fully supports RBAC.
Why Microsoft Is Pushing This Now
This aligns with Microsoft’s broader strategy:
- Move away from legacy protocols
- Reduce credential-based attacks
- Standardise Zero Trust security
- Simplify admin experience
Baseline Security Mode is essentially:
Microsoft saying “These settings should already be on.”
Tech Takeaways
- ✔ Not mandatory — but strongly recommended
- ✔ Designed to be tested safely
- ✔ Eliminates many legacy attack paths
- ✔ Reduces reliance on PowerShell
- ⚠ Must be reviewed before enabling in production
Bottom Line
Baseline Security Mode is one of the most impactful security improvements Microsoft 365 admins can enable in 2026 — if rolled out correctly.