Microsoft has quietly rolled out Baseline Security Mode, a new opt-in feature in the Microsoft 365 admin center that allows organizations to apply a comprehensive set of security recommendations with a single click. The tool consolidates dozens of best-practice controls across identity, file sharing, email, and collaboration workloads—without forcing admins to configure each setting manually. It’s the closest thing yet to a “secure by default” posture for tenants that can’t tolerate the rigidity of Security Defaults.
What Is Baseline Security Mode?
Baseline Security Mode is a policy bundle that centralizes recommended security configurations from multiple Microsoft 365 services—Azure Active Directory, Exchange Online, SharePoint, OneDrive for Business, and Teams—into one manageable toggle. Once enabled, it applies pre-defined settings that Microsoft’s own security experts consider essential for most organizations. The feature lives in the Microsoft 365 admin center under Settings > Org settings > Security & privacy and is available for tenants with eligible licensing (Microsoft 365 Business Premium, E3, or E5).
Unlike the existing Security Defaults, which are binary and enforce a strict set of controls (like requiring MFA for all users and blocking legacy authentication), Baseline Security Mode offers granularity. Admins can review exactly which settings will be changed before turning it on, and they can choose to exclude certain workloads or users if necessary. The goal is to strike a balance: significantly improve security posture without disrupting legacy line-of-business applications or workflows that still rely on older protocols or conditional access exclusions.
How It Works
Baseline Security Mode functions as a policy orchestrator. When an admin enables it, the system deploys configuration changes across connected services using the same APIs that PowerShell and the admin portals use. The settings are not a new policy type; rather, they are a curated subset of existing configuration options that have been validated for compatibility. This means organizations can later adjust individual settings if needed, but the baseline gives them a strong starting point.
The feature also includes a drift detection mechanism: if an admin manually modifies a setting that deviates from the baseline, the admin center will flag the change and offer a one-click remediation to revert it back to the baseline value. This continuous monitoring helps maintain the intended security posture over time, addressing the well-known problem of configuration drift.
What Settings Does Baseline Security Mode Apply?
Microsoft has grouped the controls into five domains:
- Authentication & Identity: Enforces MFA for all users (with the option to create a break-glass admin account), blocks legacy authentication protocols except for specific exceptions, and enables Azure AD password protection to ban common passwords.
- Email Security: Enables Safe Attachments and Safe Links for all users in Exchange Online Protection, enables DMARC, DKIM, and SPF for custom domains, and sets anti-phishing policies to their recommended levels.
- Files & Sharing: Configures SharePoint and OneDrive sharing policies to “most restrictive” (e.g., external sharing limited to existing guests, anonymous links disabled), enables modern authentication for Office clients, and applies sensitivity labeling defaults if Microsoft Purview is licensed.
- Collaboration: Restricts Teams guest access, prevents users from creating new teams without admin approval, and disables public team discovery.
- Device Management: Enforces conditional access policies requiring compliant devices for access (if Intune is present) and enables Windows Defender Application Guard for supported browsers.
These settings are not arbitrary; they are derived from the Microsoft 365 security baseline, a long-standing reference document that Microsoft updates with each service change. The difference is that the baseline existed only as a spreadsheet or script, requiring manual implementation. Baseline Security Mode operationalizes it.
Why It Matters: The Security Gap for Mid-Market Organizations
Small businesses often enable Security Defaults and live with the limitations; large enterprises invest in dedicated security teams and tools like Microsoft Secure Score and custom Conditional Access policies. Mid-market organizations—those with 100 to 3,000 employees—frequently fall through the cracks. They have complex environments but lack the staffing to implement and maintain security baselines. Baseline Security Mode targets this gap directly.
According to Microsoft’s internal telemetry, less than 5% of eligible tenants had manually applied all recommended configurations. The majority had significant gaps, especially around legacy authentication blocking and external sharing controls. By packaging these settings as a one-click deployment, Microsoft hopes to move the needle on tenant hardening without overwhelming the IT departments that already manage dozens of other priorities.
Comparison With Security Defaults
Security Defaults, introduced in 2018, were a game-changer for small tenants. They enforced MFA registration and blocked legacy authentication across the board. But they were inflexible: no exclusions, no customization, and no support for conditional access policies. For any organization with a hybrid identity setup, a third-party billing system that sends SMTP, or a business-critical app that relies on basic authentication, Security Defaults could cause visible business disruption.
Baseline Security Mode, by contrast, is designed to be adaptive. Admins can:
- Exclude specific users from MFA requirements (e.g., a service account used for scanners).
- Allow specific legacy protocols for a defined set of IP addresses.
- Gradually phase in controls, starting with monitoring mode and then enforcing.
- Tailor sharing settings to match organizational maturity instead of going straight to “most restrictive.”
This flexibility is crucial for organizations that want to raise their security floor without triggering a flood of help-desk tickets. However, it also places a burden on the admin to understand the implications of each exemption. Microsoft mitigates this by providing clear documentation and a “test mode” (called Simulation Mode) that shows which actions would have been blocked without actually enforcing the policy.
Pricing and Licensing
Baseline Security Mode is included at no additional cost for tenants with Microsoft 365 Business Premium, E3, E5, or the equivalent GCC/Education plans. However, some of the underlying controls require the appropriate licenses. For example, Safe Attachments requires Microsoft Defender for Office 365 Plan 1, which is included in E5 but must be purchased as an add-on for E3. Baseline Security Mode will check your licensing before applying those settings and notify you if a component is missing. For settings that are not covered by your current license, the baseline will simply skip them or show a warning.
Implementation: Step by Step
Admins can find Baseline Security Mode in the Microsoft 365 admin center under Settings > Org settings, or by searching for “baseline” in the top search bar. The interface presents an overview screen with three tabs:
- Status: Current drift detection results and a compliance score.
- Settings: A categorized list of all controls, each with a toggle and a brief explanation.
- Exclusions: Where you can define exceptions for users, groups, or IP ranges.
When you first access the feature, it runs a quick assessment of your current configuration and highlights deviations. You can then choose to “Apply recommendations” or manually approve each setting. After applying, you can monitor compliance from the same dashboard.
Microsoft strongly recommends running in Simulation Mode for at least one week before enforcing the baseline. This allows you to review sign-in and audit logs for any blocked authentications or access denials. The simulation data appears in Azure AD sign-in logs with a “Baseline Security Mode” filter.
Community Response and Early Feedback
Although the feature is relatively new, early adopters on tech forums like the Windows Forum have shared mixed reactions. Administrators managing hybrid environments appreciate the centralized approach: “Finally, I don’t need to juggle four different admin portals just to lock down basic settings,” one commenter noted. Others highlight that the drift detection alone justifies the feature, as it reduces the risk of an intern accidentally opening SharePoint external sharing on a Friday afternoon.
However, some users caution that the baseline can be too aggressive for organizations that haven’t done the groundwork. One IT manager reported that enabling the collaboration restrictions broke a custom Teams app integration that relied on public team visibility. Another noted that the MFA requirement for all users initially locked out a legacy on-premises application that used SMTP without modern authentication, illustrating the importance of using Simulation Mode and building exclusions carefully.
Another point of discussion is the overlap with Microsoft Secure Score. While Baseline Security Mode focuses on a core set of controls, Secure Score is a broader measurement framework. Some forum members worry that enabling the baseline might lead to complacency—admins might think they’re “done” with security. Experts counter that the baseline is a starting point, not a finish line, and should be complemented by regular Secure Score reviews.
Potential Pitfalls and Mitigation Strategies
No security policy is one-size-fits-all. Before turning on Baseline Security Mode, consider these common issues:
- Legacy Applications: Any app or service that authenticates with basic authentication will break unless excluded. Use Azure AD sign-in logs to identify all legacy authentication attempts and create exclusions for IP ranges or service accounts before enforcing.
- Guest Collaboration: If your organization relies heavily on external sharing, the default most-restrictive setting may hinder productivity. Plan to adjust sharing policies gradually after communicating with business stakeholders.
- MFA Rollout: If your users aren’t already enrolled in MFA, turning on the baseline will force registration for everyone simultaneously. Prepare communication and help-desk resources for a potential surge in calls.
- Conditional Access Conflicts: If you already have custom conditional access policies, some baseline controls may conflict or duplicate. Use the “What If” tool in Azure AD to test the interaction before enabling.
- Licensing Gaps: As noted, certain Defender for Office 365 settings require an add-on license. Baseline Security Mode will not automatically purchase add-ons, so check your billing dashboard beforehand.
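The legacy-application item above depends on knowing which accounts still sign in with legacy protocols, and from where, before any exclusion is written. The following is an added example, not Microsoft's tooling or code from this article: it assumes the sign-in logs were exported as a JSON array using the Microsoft Graph signIn field names (userPrincipalName, clientAppUsed, ipAddress, createdDateTime). The sample records, the modern-client list, and the /24, /64 and max_networks thresholds are illustrative assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Assumed modern-auth values of clientAppUsed (compared case-insensitively);
# any other non-empty value (IMAP4, POP3, Authenticated SMTP, ...) is legacy.
MODERN_CLIENTS = {"browser", "mobile apps and desktop clients"}

def sample_record(upn, app, ip, ts):
    return {"userPrincipalName": upn, "clientAppUsed": app,
            "ipAddress": ip, "createdDateTime": ts}

# Constructed sample export: documentation IP ranges, made-up accounts.
SAMPLE_EXPORT = json.dumps([
    sample_record("scanner@contoso.example", "Authenticated SMTP", "203.0.113.10", "2025-03-01T08:00:00Z"),
    sample_record("scanner@contoso.example", "Authenticated SMTP", "203.0.113.11", "2025-03-02T08:00:00Z"),
    sample_record("Scanner@contoso.example", "Authenticated SMTP", "203.0.113.10", "2025-03-03T08:00:00Z"),
    sample_record("alice@contoso.example", "Browser", "198.51.100.7", "2025-03-03T10:15:00Z"),
    sample_record("bob@contoso.example", "IMAP4", "198.51.100.20", "2025-03-01T07:45:00Z"),
    sample_record("bob@contoso.example", "IMAP4", "192.0.2.55", "2025-03-02T19:02:00Z"),
    sample_record("bob@contoso.example", "IMAP4", "2001:db8:1::5", "2025-03-04T09:30:00Z"),
])

def to_network(ip):
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) network."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def legacy_auth_inventory(export_json, max_networks=2):
    """Summarise legacy-auth sign-ins per (account, protocol) for exclusion review."""
    groups = defaultdict(lambda: {"count": 0, "networks": set(), "last_seen": ""})
    for rec in json.loads(export_json):
        app = rec.get("clientAppUsed") or ""
        if not app or app.lower() in MODERN_CLIENTS:
            continue  # modern auth, or no client app recorded
        g = groups[(rec["userPrincipalName"].lower(), app)]
        g["count"] += 1
        g["networks"].add(to_network(rec["ipAddress"]))
        # ISO 8601 UTC timestamps compare correctly as strings.
        g["last_seen"] = max(g["last_seen"], rec["createdDateTime"])
    rows = [{"account": upn, "protocol": app, "count": g["count"],
             "networks": sorted(g["networks"]), "last_seen": g["last_seen"],
             # Few, stable source networks: an IP-scoped exclusion is plausible.
             "ip_scopable": len(g["networks"]) <= max_networks}
            for (upn, app), g in groups.items()]
    return sorted(rows, key=lambda r: (-r["count"], r["account"], r["protocol"]))

if __name__ == "__main__":
    for row in legacy_auth_inventory(SAMPLE_EXPORT):
        print(row)
```

Rows with ip_scopable set to False are accounts whose legacy sign-ins come from many networks; an IP-range exclusion would not cover them, so they are better handled by migrating the client to modern authentication.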
The Bigger Picture: Microsoft’s Secure-by-Default Journey
Baseline Security Mode is part of a broader Microsoft initiative to make security the default state for all customers. The company’s own research shows that 99.9% of account compromise attacks can be blocked by enabling MFA, blocking legacy authentication, and applying a few other simple controls. Yet, for years, these settings remained buried in disparate admin centers, each with its own learning curve.
Other products in this ecosystem include:
- Azure AD Security Defaults (for small tenants)
- Microsoft Defender for Business (for SMBs)
- Microsoft 365 Lighthouse (for MSPs managing multiple tenants)
- Secure Score (for ongoing posture measurement)
Baseline Security Mode fills the gap for the mid-market, providing a middle ground between the inflexible Security Defaults and the complexity of hand-built policies. It also aligns with the Zero Trust principle of “assume breach” by ensuring that no default configuration remains insecure.
Future Outlook
Microsoft has hinted that Baseline Security Mode will evolve. Upcoming enhancements mentioned in Microsoft 365 roadmap items include:
- Integration with Microsoft Graph for automated exception approval workflows.
- Pre-built baselines for specific industry verticals (education, healthcare, finance).
- A “compare baselines” feature that allows MSPs to standardize settings across tenants.
- Direct feedback loops: if a baseline setting disrupts a widely used application, Microsoft can adjust the default.
The feature is expected to graduate from its current “public preview” status in the second half of 2025, though Microsoft hasn’t committed to a specific date. Even in preview, it’s considered production-ready, provided admins follow the simulation guidance.
Actionable Takeaways
For IT decision-makers evaluating Baseline Security Mode:
- Start with a license audit to ensure you have the necessary add-ons for all controls you intend to enable.
- Run Simulation Mode for at least two weeks, and pay close attention to sign-in logs for blocked legacy authentications.
- Document exceptions meticulously, as they will need to be reviewed when the baseline is updated.
- Use the drift detection dashboard as a recurring operational task—ideally weekly.
- Don’t treat the baseline as set-and-forget. Schedule quarterly reviews against Secure Score and new Microsoft 365 security recommendations.
Baseline Security Mode represents a pragmatic step forward for organizations that know they need better security but can’t afford the time or expertise to craft a custom enterprise security framework. It’s not a silver bullet, but for the vast majority of tenants sitting on outdated configurations, it’s the fastest path to a modern zero-trust posture.