20 settings you really want to check: Microsoft Admin Baseline security mode settings

Keeping up with security standards is not getting any easier, not because guidance is missing, but because the surface area keeps expanding. Identity, email, collaboration, file sharing, devices, apps, and now AI all contribute to the overall risk posture of a Microsoft 365 tenant.

To help organizations cover the basics, Microsoft has been steadily moving from optional best practices to a more secure-by-default approach. Baseline security mode (BSM) is one example of this shift. BSM spans critical security settings across the entire Microsoft 365 suite, including Exchange, Teams, SharePoint, OneDrive, and Microsoft 365 Apps.

With this update, Microsoft is raising the security floor for everyone, not just highly regulated or security-mature organizations.

What is Baseline Security Mode?

Baseline security mode brings together a curated set of Microsoft‑recommended security settings aimed at protecting organizations against common and high‑impact threats. These are established, industry‑backed choices that Microsoft considers essential across Microsoft 365. Many of these settings have traditionally been scattered across workload‑specific admin centers, required PowerShell to configure, or were easy to miss as environments evolved. By surfacing them centrally, baseline security mode provides a practical way to review and enable foundational protections while staying aligned with Microsoft’s current expectations, without turning security into a one‑time exercise or a reactive cleanup after issues surface.

What kind of settings does it cover?

Instead of overwhelming you with hundreds of knobs, baseline security mode focuses on a manageable set of high‑value protections. Think of these as the minimum controls you would want in place before layering on more advanced security tooling.

At a high level, the settings fall into a few key categories:

Authentication and identity protection: These controls modernize how users and administrators sign in, reducing exposure from legacy authentication methods and weak sign‑in flows that are frequently targeted by attackers.

Email and collaboration security: Several settings strengthen how Exchange Online and Teams handle potentially unsafe content and interactions, helping reduce phishing, spoofing, and accidental data exposure.

File and document protection: Baseline security mode includes protections for Microsoft 365 Apps, SharePoint, and OneDrive that limit risky behaviors when opening or working with files — especially older or less secure formats.

You can read about it in detail on this Learn page.

Administrative and service account safeguards: Some settings are specifically aimed at protecting high‑privilege and non‑user accounts, reducing the blast radius if those credentials are misused.

Individually, none of these controls are revolutionary. Taken together, they form a solid baseline that closes off entire classes of common attack paths — with relatively low operational impact for most organizations.

How to access Baseline Security Mode

The feature has been in preview since late 2025, but went GA during March 2026 and should be available to all by now. Baseline security mode lives directly in the Microsoft 365 admin center, making it accessible without jumping between multiple portals.

At a high level, you access it by:

  • Signing in to the Microsoft 365 admin center
  • Going to Settings → Org settings
  • Opening Security & privacy
  • Selecting Baseline security mode

Role-based access control applies, meaning workload administrators (Exchange, SharePoint, Teams, etc.) can see and manage the settings relevant to their area.

One important design choice is that Microsoft encourages a phased approach. You can review impact reports, identify dependencies, and validate the effect of each setting before making it permanent, which significantly lowers the risk of accidental disruption.

Final thoughts

Staying up to date isn’t about chasing every new security feature; it’s about regularly verifying that your fundamentals are still solid. Baseline security mode gives you a practical checkpoint to do just that, across the full Microsoft 365 stack.

If you want more updates and practical insights around Microsoft 365, Copilot, and security, feel free to follow me on LinkedIn — that’s where I share most of my work and observations.
