microsoft-365/baseline-security-mode/baseline-security-mode-settings.md
3 additions & 3 deletions
@@ -88,7 +88,7 @@ This section outlines the options available to block insecure authentication met
>
> Customers who accessed Baseline Security Mode in Microsoft 365 between November 2025 and early February 2026 might see two draft Microsoft Entra ID Conditional Access policies created in their tenant in a **Disabled** state. These policies are associated with Baseline Security Mode and might appear as created by the administrator who signed in to the Microsoft Baseline Security Mode page.
>
-
> This behavior doesn't represent a security incident and has no effect on tenant security. The policies are in a disabled draft state. A fix is in progress to ensure policies are created only through explicit administrator action. Microsoft will remove any unintentionally created policy drafts and will notify customers in advance.
+
> This behavior doesn't represent a security incident and has no effect on tenant security. The policies are in a disabled draft state. A fix is in progress to ensure policies are created only through explicit administrator action. Microsoft removes any unintentionally created policy drafts and notifies customers in advance.
|Setting|More information|
|---|---|
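Review bot: the tense change in the last sentence of the note (`Microsoft will remove any unintentionally created policy drafts and will notify customers in advance.` to `Microsoft removes ... and notifies customers in advance.`) turns a one-time remediation commitment into a description of standing behavior, and it now sits next to `A fix is in progress`, which is still forward-looking, so the two sentences no longer agree. If the style guide is what drives the removal of future tense, use the progressive for the remediation ("Microsoft is removing any unintentionally created policy drafts and is notifying customers before doing so") rather than simple present. Because this note is telling admins that Conditional Access policies appeared in their tenant without explicit action, it would also help to state what they should verify before dismissing it: that the two draft policies are in the **Disabled** state and show the admin who opened the Baseline Security Mode page as the creator, which is the condition under which the note applies.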
@@ -99,7 +99,7 @@ This section outlines the options available to block insecure authentication met
|**Block basic authentication**|Basic authentication is an outdated and insecure method that transmits user credentials in a way that can easily be intercepted and stolen. When you block basic authentication prompts, this setting helps protect your users from credential theft, especially during phishing attacks or when accessing services over insecure networks. When you enable this setting, users no longer see prompts for basic authentication. This setting reduces the risk of credential theft and enforces more secure authentication methods. <br/><br/> For more information, see [Block basic authentication in Microsoft 365 apps](block-basic-authentication.md).|
|**Block insecure protocols for file opens**|When users open files from locations using insecure protocols like HTTP or FTP, sensitive data can be exposed because these protocols transmit information in plain text. Blocking these protocols helps prevent attackers from intercepting credentials or other confidential data during file access. When you enable this setting, users are prevented from opening files from locations that use HTTP or FTP. This setting helps enforce secure data transmission practices and reduces exposure to man-in-the-middle attacks. <br/><br/> For more information, see [Block insecure protocols for file opens](block-insecure-protocols-file-opens.md).|
|**Block FrontPage Remote Procedure Call (FPRPC) protocol for file opens**|FrontPage Remote Procedure Call (FPRPC) is an outdated protocol that was used for remote web page authoring. While no longer widely used, attackers can still exploit FPRPC to execute arbitrary commands or compromise a system through specially crafted files or network traffic. Microsoft 365 apps now block FPRPC by default in favor of HTTPS. Enabling this setting ensures users in your environment can't override the default configuration. <br/><br/> For more information, see [Block FrontPage Server Extensions Remote Procedure Call (FPRPC) for file opens in Microsoft 365](block-server-extensions-protocol-file-opens.md).|
-
|**Block legacy browser authentication connections to SharePoint and OneDrive with legacy Relying Party suite (RPS) protocol**|Legacy protocols are more susceptible to brute-force and phishing attacks. Microsoft reports that organizations that disable legacy authentication experience fewer account compromises. Enforcing this setting prevents applications (including non-Microsoft applications) from using legacy authentication protocols to access SharePoint and OneDrive resources in a browser. <br/><br/> Reporting on this setting shows which users are accessing SharePoint or OneDrive with RPS authentication. The report also lets you know the date and time, and which SharePoint site or OneDrive file or folder they accessed. <br/><br/> **Note**: The change isn't instant. It might take up to 24 hours to be applied. <br/><br/> For more information, see [Set-SPOTenant -LegacyBrowserAuthProtocolsEnabled](/powershell/module/microsoft.online.sharepoint.powershell/set-spotenant#-legacybrowserauthprotocolsenabled).|
+
|**Block legacy browser authentication connections to SharePoint and OneDrive with legacy Relying Party suite (RPS) protocol**|Legacy protocols are more susceptible to brute-force and phishing attacks. Microsoft reports that organizations that disable legacy authentication experience fewer account compromises. Enforcing this setting prevents applications (including non-Microsoft applications) from using legacy authentication protocols to access SharePoint and OneDrive resources in a browser. <br/><br/> Reporting on this setting shows which users are accessing SharePoint or OneDrive with RPS authentication. The report also lets you know the date and time, and which SharePoint site or OneDrive file or folder they accessed. <br/><br/> **Note**: The change isn't instant. It might take up to 24 hours to be applied. <br/><br/> For more information, see [Set-SPOTenant -LegacyBrowserAuthProtocolsEnabled](/powershell/module/microsoft.online.sharepoint.powershell/set-spotenant#-legacybrowserauthprotocolsenabled). <br/><br/> **Note**: Legacy browser authentication was deprecated for enterprise tenants as of October 2025. This setting is longer available to set to true. The RPS protocol no longer functions.|
|**Block legacy client authentication connections to SharePoint and OneDrive with legacy Identity Client Runtime Library (IDCRL) protocol**|Legacy protocols are more susceptible to brute-force and phishing attacks. Microsoft reports that organizations that disable legacy authentication experience fewer account compromises. Enforcing this setting prevents clients from using legacy authentication protocols from accessing SharePoint and OneDrive resources. <br/><br/>Reporting on this setting shows which users are accessing SharePoint with IDCRL authentication. The reports also let you know the date and time, and which SharePoint site or OneDrive file or folder they accessed. <br/><br/> **Note**: The change isn't instant. It might take up to 24 hours to be applied. <br/><br/> For more information, see [Set-SPOTenant -LegacyAuthProtocolsEnabled](/powershell/module/microsoft.online.sharepoint.powershell/set-spotenant#-legacyauthprotocolsenabled).|
|**Don't allow new custom scripts in SharePoint sites**|Custom scripts are used to modify SharePoint site behaviors. When you allow users to run custom script, you can no longer enforce governance, scope the capabilities of inserted code, block specific parts of code, or block all deployed custom code. This setting permanently removes the ability to add new custom scripts in OneDrive and SharePoint sites. Instead of allowing custom script, use the [SharePoint Framework](/sharepoint/dev/spfx/sharepoint-framework-overview). <br/><br/> For more information, see [Allow or prevent custom script](/sharepoint/allow-or-prevent-custom-script).|
|**Disable Access to Microsoft Store for SharePoint**|Users can install certain applications from the Microsoft Store. Sometimes, this capability can go against organizational policies and can increase governance costs. This setting removes the ability for end users to install applications directly from the Microsoft Store. <br/><br/> For more information, see [Configure settings for the SharePoint store](/sharepoint/configure-sharepoint-store-settings)|
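Review bot: the appended sentence `This setting is longer available to set to true.` is missing "no" and is ambiguous about what "true" refers to: the row describes a block, while the linked parameter `-LegacyBrowserAuthProtocolsEnabled` is the inverse, so name the thing that can no longer be changed, for example "The `-LegacyBrowserAuthProtocolsEnabled` parameter can no longer be set to `$true`." The larger problem is that the rest of the row now contradicts the new note: it still tells the reader to enforce the setting, to check the report of users accessing SharePoint or OneDrive with RPS authentication, and to allow up to 24 hours for the change to apply, none of which applies if the RPS protocol no longer functions and the setting cannot be changed. Either trim the row to the deprecation note and the link, or mark the remaining text as historical. It would also be worth confirming whether the IDCRL row that follows needs the same treatment, since it carries the identical guidance.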
@@ -171,7 +171,7 @@ You must be a member of the [Teams administrator role](/entra/identity/role-base
|Setting|More information|
|---|---|
-
|**Don't allow resource accounts on Teams Rooms devices from accessing Microsoft 365 files**|To increase security, remove resource accounts access that Teams Rooms and devices use to access Microsoft 365 assets for meeting and collaboration. <br/><br/> For more information, see [Set-SPOTenant](/powershell/module/microsoft.online.sharepoint.powershell/set-spotenant).|
+
|**Don't allow resource accounts on Teams Rooms devices from accessing Microsoft 365 files**|To increase security, remove resource accounts access that Teams Rooms and devices use to access Microsoft 365 assets for meeting and collaboration. <br/><br/> For more information, see [Set-SPOTenant](/powershell/module/microsoft.online.sharepoint.powershell/set-spotenant) and the [restrict resource account access parameter](/powershell/module/microsoft.online.sharepoint.powershell/set-spotenant?view=sharepoint-ps#-restrictresourceaccountaccess).|
|**Only allow endpoint managed, compliant devices to sign in**|To increase security, only compliant, organization-managed Teams Rooms devices can sign in to Microsoft 365 applications and resource accounts can't be misused to authenticate from unmanaged devices. <br/><br/> For more information, see [Block Teams resource account sign in to Microsoft 365 clients](/MicrosoftTeams/rooms/block-non-compliant-teams-rooms-devices).|
|**Block unmanaged devices and resource account sign-ins to Microsoft 365 apps**|To increase security, block resource accounts used for Teams devices from being used to sign in to Microsoft 365 clients. <br/><br/> For more information, see [Block Teams resource account sign in to Microsoft 365 clients](/MicrosoftTeams/rooms/block-non-compliant-teams-rooms-devices).|
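Review bot: the new link hardcodes `?view=sharepoint-ps` in `/powershell/module/microsoft.online.sharepoint.powershell/set-spotenant?view=sharepoint-ps#-restrictresourceaccountaccess`, whereas every other Set-SPOTenant parameter link in this file (`set-spotenant#-legacybrowserauthprotocolsenabled`, `set-spotenant#-legacyauthprotocolsenabled`) points at the anchor without a view query string. Drop the query string so this link resolves the same way as the others. While this row is being touched, `remove resource accounts access that Teams Rooms and devices use` would read better as `remove the access that Teams Rooms resource accounts use`.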