Beyond the SCuBA Checklist: Hardening M365 Control by Control, Mapped to CIS
TL;DR
- CISA's Secure Cloud Business Applications (SCuBA) project is a strong starting checklist for Microsoft 365, but it ships without enablement material or mapping to broader cybersecurity frameworks.
- A usable hardening baseline documents every control across Azure AD, Teams, Exchange, SharePoint, OneDrive, and Intune, not just the settings in one workload.
- Each control needs nine artifacts to be operational: a summary, policy definition, licensing considerations, setup instructions, end-user impact notes, tips, PowerShell scripts, video demos, and reporting templates.
- Mapping every M365 security recommendation to the CIS Controls turns a settings checklist into evidence you can hand to auditors, insurers, and clients.
- End-user notification templates, 48 in the guide as of March 2023, are what keep a hardening rollout from becoming a help desk incident.
A checklist tells you which switches to flip. It does not tell you what license the switch hides behind, what breaks for users when you flip it, or which framework control you get to mark satisfied afterward. That gap is exactly what the Secure Cloud Business Applications (SCuBA) project (opens in new tab) from the Cybersecurity & Infrastructure Security Agency (CISA) left open when it shipped. We think SCuBA is genuinely useful, and it still leaves the practitioner wanting more: enablement material, and a way to tie each setting back to the broader cybersecurity frameworks businesses are actually adopting.
That is the reason for building a lengthy guide that expands on the project, with security controls across all six core workloads: Azure AD, Teams, Exchange, SharePoint, OneDrive, and Intune.
What does each control need before it is usable?
A control that says "require MFA" is a sentence. A control you can deploy on Tuesday is a package. In the guide, every security control ships with the same enablement material:
- Control summary
- Multi-tenant and single-tenant Power BI templates
- Policy definition
- Licensing considerations
- Setup instructions
- End-user impact and notification templates
- Tips
- PowerShell scripts
- Video demonstrations
The licensing considerations and end-user impact sections earn their place. Plenty of hardening projects stall when a recommended setting turns out to need a SKU the client does not own, or when an unannounced change buries the help desk. Documenting both up front is what makes a baseline something a team can execute rather than admire.
You can review a sample of the guide here: guide sample (Word document) (opens in new tab).
For a taste of the same control-by-control treatment applied to one workload, the device chapter has a free companion: 16 Intune controls from enrollment to wipe.
Why anchor every control to CIS?
Because the framework conversation is coming whether you schedule it or not. Clients, insurers, and prospects increasingly want security work expressed in a recognized framework, even where no strict regulation forces one. So every security recommendation in the guide is mapped to the CIS Controls, which means each configuration change you make doubles as documented progress against a framework auditors recognize.

Telling users before you change their world
The guide includes 48 end-user notification templates as of March 2023. These are ready-to-send communications that explain what is changing, when, and what users need to do, for each control that touches the user experience.


Reporting the posture, not just configuring it
The guide pairs the controls with Power BI templates, in both multi-tenant and single-tenant versions, so the state of the baseline is something you can show rather than describe. For MSPs, the multi-tenant view is the one that turns a hardening standard into a client-facing deliverable.

The full guide, including the CIS Controls mapping and the Power BI templates, is available here: get the premium guide (opens in new tab).
Frequently asked questions
What is CISA's SCuBA project?
Secure Cloud Business Applications (SCuBA) is a CISA project that publishes secure configuration baselines for cloud business apps, including Microsoft 365. It defines what to configure, but leaves implementation guidance, licensing context, and framework mapping to you.
Why map M365 controls to CIS instead of just following the checklist?
Most businesses are being pushed toward a recognized compliance framework by clients, insurers, or regulators even when no strict regulation applies. Mapping each M365 control to a CIS Control means the same configuration work doubles as framework evidence.
Why do end-user notification templates matter in a hardening guide?
Almost every meaningful security control changes something users touch, like MFA prompts or device enrollment. Telling users what changes and when, before it changes, is the difference between a planned rollout and a flood of tickets.
The control-by-control audit, automated
Documenting a baseline is half the job. Proving every tenant still matches it is the other half. CloudCapsule checks 250+ controls per tenant in about 60 seconds and maps findings to the frameworks your clients ask about.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


