At Microsoft Ignite 2025 in November, Microsoft announced that Baseline Security Mode (BSM) is generally available and will begin rolling out to Microsoft 365 tenants globally.

What is BSM?

BSM is a set of Microsoft’s recommended security hardening protections, found under Org settings in the Microsoft 365 admin center. BSM is divided into two sections: ‘Default Policies’, which can be applied automatically (by selecting a checkbox) and usually have little impact, and ‘Measured Policies’, which, as the name suggests, require assessment before enabling.

Org Settings
Pre Setting BSM

Lucky for us, for ‘Measured Policies’ Microsoft does all the heavy lifting by generating reports, making recommendations, identifying the risk and measuring the impact before the policy/setting is applied, much like report-only mode for Conditional Access policies.

Generating a report usually changes the recommendation status to ‘In review’. I say ‘usually’ because the layout and functionality of the GUI have changed since I first reviewed the Baseline Security Mode two weeks ago on my test tenant, so this is likely to change again in the future.

BSM Dashboard

Let’s look at ‘Block new password credentials in apps’, which is currently ‘At Risk’. We can check the recommendation and click the button at the bottom of the image below to apply the setting, or download a detailed report to measure the risk. Clicking ‘Customize this policy’ brings you directly to the setting in the Entra ID portal.

Block new password credentials in apps

Looking at ‘Block legacy authentication’, which is currently in ‘In Review’ status, we can see that there aren’t any ‘Sign-in requests authenticating with legacy auth’. Phew – we’re safe!

Block Legacy Auth

Similarly, we can check the box and save the policy to apply the recommendation, or we can click ‘Customize this policy’ to go directly to the setting/policy section in the Entra ID portal.
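The BSM impact report for ‘Block legacy authentication’ is essentially a count of successful sign-ins that still use legacy protocols. As an added example (not part of the original post or of Microsoft’s tooling), the following script performs the same check over an exported sign-in log, so you can cross-check the report or repeat the assessment for a tenant where the GUI has not caught up yet. The sample records are constructed, the list of legacy client app values is my reading of Microsoft’s sign-in log documentation, and the `clientAppUsed` / `status.errorCode` fields are those of the Entra sign-in log schema.

```python
import json
from collections import Counter

# Client app values that Entra reports for legacy (basic) authentication
# protocols. Assumed from Microsoft's sign-in log documentation; extend it
# if your tenant's export shows other values.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Exchange ActiveSync", "Exchange Online PowerShell",
    "Exchange Web Services", "IMAP4", "MAPI Over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "Other clients", "POP3",
    "Reporting Web Services", "SMTP", "Universal Outlook",
}

# Constructed sample records in the shape of an Entra sign-in log export
# (only the fields this check needs). Not real tenant data.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Microsoft Teams",
     "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
])

def legacy_auth_impact(signins_json, successful_only=True):
    """Return {(user, clientApp): count} of legacy-auth sign-ins. By default only
    successful ones count: blocking a protocol only breaks what currently works."""
    counts = Counter()
    for rec in json.loads(signins_json):
        if rec.get("clientAppUsed") not in LEGACY_CLIENT_APPS:
            continue
        if successful_only and rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        counts[(rec["userPrincipalName"], rec["clientAppUsed"])] += 1
    return dict(counts)

def is_safe_to_block(signins_json):
    """True when no successful legacy-auth sign-ins remain (the 'Phew' case)."""
    return not legacy_auth_impact(signins_json)

if __name__ == "__main__":
    for (user, app), n in sorted(legacy_auth_impact(SAMPLE_SIGNINS).items()):
        print(f"{user:<28} {app:<20} {n} successful sign-in(s)")
    print("Safe to block legacy auth:", is_safe_to_block(SAMPLE_SIGNINS))
```

Failed attempts (non-zero `errorCode`) are excluded by default because they show something is still trying legacy auth, not that blocking it would break a working client; pass `successful_only=False` to list those too.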

As always, I like to finish off my blog posts with my opinion – BSM is a much-anticipated feature I’ve been wanting from Microsoft for what feels like a lifetime. I’ve been looking for a mechanism to measure a tenant’s security posture without the need for manual checklists or external tools.

Currently BSM only targets Microsoft 365 apps, SharePoint/OneDrive, Teams, Exchange Online and Entra. I’ve heard through the grapevine that BSM will be expanding to Intune, hopefully as a feature of security baselines, because there’s a lack of impact reports there. Yes, folks will argue that you should test before applying the baselines, but even then there’s nearly always some outlier that wasn’t part of your test group that needs remedying.

Anyways, big thumbs up to Microsoft on this. BSM is a cool feature that I will be using often when reviewing the security posture of clients’ tenants. Like Secure Score, BSM should be reviewed regularly as more hardening settings become available.

If you enjoyed my blog, please subscribe to get emailed when I release more.

N.B – Just as I’m ready to publish this post 😁

Recommended setting automation
