In a bid to close long-standing security gaps across enterprise collaboration tools, Microsoft has begun rolling out Baseline Security Mode, a new centralized framework designed to harden defenses across Microsoft 365 services including Office, SharePoint, Exchange, Teams and Entra.
The feature, announced earlier this year at Microsoft Ignite 2025, introduces a dedicated dashboard within the Microsoft 365 Admin Center that consolidates recommended security configurations into a single, opt-in control plane. The aim, Microsoft says, is to make strong security the default posture—without forcing abrupt changes on users.
A Centralized Response to Fragmented Security
For years, administrators managing Microsoft’s sprawling cloud ecosystem have faced a familiar problem: security controls scattered across multiple portals, each with its own logic, risk models and deployment timelines. Baseline Security Mode attempts to simplify that landscape.
Appearing gradually in select tenants since December 2025 under Org Settings > Security & Privacy, the feature allows administrators to assess exposure, simulate policy impact and apply protections in phases. A global rollout is planned for late January 2026, with government and regulated clouds—including GCC, DoD and GCCH—following by March.
Microsoft officials say the model draws on threat intelligence collected over two decades, including data from the company’s response centers and signals observed across billions of daily authentications.
Phasing Out Legacy Weak Points
At its core, Baseline Security Mode enforces between 18 and 20 security policies grouped into three main areas. Authentication controls form the largest segment, blocking legacy protocols such as basic authentication, Exchange Web Services and IDCRL—mechanisms long exploited in credential-stuffing and phishing campaigns.
For administrators, the framework mandates phishing-resistant multi-factor authentication using FIDO2 keys or passkeys, aligning with Microsoft’s broader push to move enterprises away from passwords altogether.
File and application protections address another common attack surface. Risky behaviors—such as opening Office documents over insecure HTTP or FTP connections, enabling ActiveX or Dynamic Data Exchange, or relying on outdated file formats outside Protected View—are restricted by default. Microsoft has also moved to disable Microsoft Publisher, ahead of its planned retirement in 2026, citing its vulnerability profile.
Measure First, Enforce Later
Unlike earlier security baselines that often required manual rollout, the new mode emphasizes simulation before enforcement. Administrators with Global or Security roles can choose to automatically apply seven low-impact controls, while generating impact reports for the remaining policies.
Those reports, typically available within 24 hours, rely on audit data to show which users, apps or workflows would be affected. No changes are enforced until an administrator explicitly approves them. Progress indicators label tenants as either “At risk” or “Meets standards,” offering a snapshot of organizational readiness.
“This is about eliminating silent misconfigurations,” Microsoft said in briefing notes, adding that many high-impact breaches still stem from settings left unchanged after initial deployment.
Preparing for an AI-Driven Threat Landscape
The rollout comes as organizations face increasingly sophisticated attacks, from ransomware campaigns targeting collaboration tools to supply-chain intrusions leveraging stolen credentials. Microsoft positions Baseline Security Mode as a foundational layer under its broader Secure Future Initiative, which anticipates AI-assisted threats as well as AI-driven defenses.
Future updates are expected to extend the model to additional services such as Purview, Intune and Azure. For tenants already seeing the feature, the company argues, the benefit is not just compliance—but time gained against adversaries who continue to exploit configuration drift.
As enterprises race to modernize their security posture, Microsoft’s message is clear: in an era of relentless cyber risk, security can no longer be optional—or fragmented.
