Why this update matters
On October 31, 2025, the Center for Internet Security (CIS) released Microsoft 365 Foundations Benchmark v6.0.0, marking a significant milestone in how organizations secure Microsoft 365 configurations.
This version expands the benchmark from 130 to 140 controls and maintains 98.5% continuity with v5 while addressing new areas of hybrid work security such as device management, outbound email protection, and collaboration hardening.
This version reflects the realities of today’s SaaS-first enterprise: identity sprawl, cross-tenant collaboration, data everywhere, and the need for continuous governance rather than one-time checks.
For companies using Microsoft 365 at scale, being early to align with v6 is a competitive advantage. It shows that your organization understands the evolving threat surface and is proactively managing configuration risk, compliance, and operational maturity while others are still adapting.
What changed in CIS Microsoft 365 Benchmark v6
Since v5, the market has shifted. Collaboration systems like Teams and SharePoint have matured, device management has become central to SaaS security, identity tools like Entra ID have grown more complex, and data governance is no longer optional.
CIS v6 introduces 13 new controls and removes 3 outdated ones. The update keeps nearly all v5 controls intact but expands coverage to fill real-world gaps in device, collaboration, email, and identity governance.
Device Management
Device security is now a first-class concern. Unmanaged or freely enrolled devices present major risk in hybrid environments, and CIS is codifying that device trust verification is now a minimum standard.
Collaboration Management
Attackers are exploiting permissive defaults in collaboration tools. CIS v6 makes clear that Teams, SharePoint, and Power BI must be intentionally hardened instead of relying on vendor defaults.
Email Security
Outbound monitoring is now as essential as inbound filtering. These updates reflect the need to detect compromised accounts early through abnormal outbound email patterns.
Identity Governance
CIS is tightening governance to reduce privilege creep and remove weak authentication mechanisms commonly targeted by attackers.
TL;DR
CIS v6 builds on v5’s foundation but raises the bar for operational security by prioritizing device trust, behavioral monitoring, and collaboration governance.
How to operationalize CIS M365 v6 in your program
To capture value from v6 and avoid having the update be “another project,” adopt a sustainable process that embeds benchmark alignment into your SaaS security operations. Here’s a practical loop:
- Discover your current Microsoft 365 tenant configuration and map existing controls to the new v6 framework
- Identify misconfigurations, exposures, and deviations across Exchange Online, SharePoint Online, OneDrive for Business, Teams, Power BI, and Entra ID (all covered by the benchmark’s 140 controls)
- Prioritize findings by business impact: number of users exposed, data sensitivity, blast radius of access, remediation effort
- Assign remediation owners, set SLA targets, and track progress with evidence and metrics
- Monitor continuously for drift: schedule re-assessments, track change events, alert on risky moves
By embedding this loop, your organization can prove ongoing posture management, not a one-off “benchmark check.” This process makes a difference in audit cycles, board readiness, and operational maturity.
Where Valence fits
At Valence we enable security teams to find and fix SaaS risks across their ecosystem, and now with built-in alignment to CIS Microsoft 365 Benchmark v6 we help you move from theory to action.
Here’s how we support you:
- Automated assessment of your Microsoft 365 tenant against v6 controls
- Identification of misconfigurations, excessive privileges, risky external sharing and unused access with context from SaaS identity & application usage
- Prioritization by exposure, business relevance and remediation complexity
- Guided workflows for remediation: assign owners, track tickets, collaborate between security, IT, and app teams
- Dashboards and reports showing posture improvement over time, providing evidence for audit and risk committees
With Valence you don’t just check a box. You build a continuous compliance and posture improvement program that scales across your SaaS estate.
Quick checklist to get started on CIS M365 v6
Here’s what you should do this week if Microsoft 365 is central to your business:
- Confirm scope and control ownership across security, IT and application teams
- Export baseline configurations for Exchange Online, SharePoint Online, OneDrive for Business, Teams, Power BI, and Entra ID
- Run an initial assessment against CIS v6 and capture evidence of current state
- Triage and prioritize findings: focus on high-risk identity exposures and external sharing issues
- Assign remediation owners and set clear SLAs for closure
- Schedule monthly or quarterly re-tests and drift reviews
Following this checklist will position you to move quickly from unknown to known and to show tangible progress.
Frequently asked questions about CIS Microsoft 365 v6
What is the CIS Microsoft 365 Foundations Benchmark v6?
It is the latest consensus guidance from CIS for establishing secure configurations in Microsoft 365 environments. The benchmark lists configuration controls across many Microsoft 365 services.
Which services are in scope?
The benchmark covers Exchange Online, SharePoint Online, OneDrive for Business, Teams, Power BI, and Entra ID.
When was the previous version released?
Version 5.0.0 was publicly referenced in April 2025 and appears in the CIS listings as the immediately preceding version.
How quickly should we move to v6?
As soon as practical. Initiating an early gap assessment allows you to capture value while other organizations are still evaluating. It keeps you ahead of the curve.
Next steps
If Microsoft 365 is business critical for you, now is the time to validate your configuration against CIS Microsoft 365 Benchmark v6 and close any gaps.
See how Valence supports CIS Microsoft 365 Benchmark v6 compliance with your personalized demo.