Microsoft 365 Baseline Security Mode: Everything Admins Need to Know

April 2026


If you've recently opened the Microsoft 365 Admin Center and noticed a new Baseline Security Mode option under Security & Privacy — you're not imagining things. Microsoft quietly rolled out one of its most impactful admin-center additions in years, and if you haven't explored it yet, this post covers everything you need to know.

What is Baseline Security Mode?

Baseline Security Mode (BSM) is a centralized dashboard in the Microsoft 365 Admin Center that consolidates Microsoft's recommended security configurations across five core services — all in one place. It was announced at Microsoft Ignite 2025 and reached general availability in late 2025/early 2026.

Before BSM, hardening your tenant meant juggling PowerShell scripts, navigating multiple admin portals, and hoping nothing was missed. BSM changes that by surfacing 18–20 recommended settings in a single, actionable dashboard.

Why it matters

Many Microsoft 365 tenants still operate with weak or outdated security configurations — often because admins delay enforcement or rely on legacy settings. BSM is Microsoft's answer to closing that gap, built from two decades of incident response experience and the Secure Future Initiative (SFI).

Where to find it

  1. Sign in to the Microsoft 365 Admin Center
  2. Navigate to Settings → Org Settings
  3. Click the Security & Privacy tab
  4. Select Baseline Security Mode

The three security pillars

BSM organizes its 18–20 settings across three focused areas:

Authentication — 12 settings

Block legacy auth

Disables POP, IMAP, SMTP Auth, legacy EWS, basic auth prompts. Enforces phishing-resistant MFA for admins.

Files — 6 settings

Secure file formats

Blocks legacy formats like .doc, eliminates ActiveX controls, enforces modern file handling across Word, Excel, and PowerPoint.
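Before enforcing the secure-file-format settings, it helps to know how many legacy binary documents are actually sitting in the shares and libraries your users work from. The following script is an added example (not Microsoft's code and not part of BSM) that inventories a directory tree by file content rather than by extension: legacy .doc/.xls/.ppt files are OLE2 compound files with a fixed 8-byte signature, while modern .docx/.xlsx/.pptx files are ZIP containers holding a `[Content_Types].xml` part. The sample tree it builds, the `contoso`-style paths and the `LEGACY_EXTENSIONS`/`MODERN_EXTENSIONS` sets are constructed for the example.

```python
"""Inventory Office files by content to find legacy binary formats before BSM blocks them.

Added example, not part of Baseline Security Mode or any Microsoft tool.
Sample files and extension lists below are constructed for illustration.
"""
from pathlib import Path
import io
import tempfile
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container signature
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.xlsx/.pptx) is a ZIP container
LEGACY_EXTENSIONS = {".doc", ".xls", ".ppt", ".dot", ".xlt", ".pot"}            # constructed list
MODERN_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}       # constructed list


def classify_office_file(data: bytes) -> str:
    """Classify file bytes by signature and container layout, ignoring the file name."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "not-office"
    if "[Content_Types].xml" not in names:
        return "not-office"          # a plain ZIP, not an OOXML package
    for prefix, label in (("word/", "ooxml-word"), ("xl/", "ooxml-excel"), ("ppt/", "ooxml-powerpoint")):
        if any(n.startswith(prefix) for n in names):
            return label
    return "ooxml-other"


def inventory(root: Path) -> dict:
    """Walk a tree and report legacy files, plus legacy content hiding behind a modern extension."""
    findings = {"legacy": [], "mismatch": [], "modern": 0}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        kind = classify_office_file(path.read_bytes())
        rel = path.relative_to(root).as_posix()
        if kind == "legacy-binary":
            findings["legacy"].append(rel)
            if path.suffix.lower() in MODERN_EXTENSIONS:
                findings["mismatch"].append(rel)   # renamed file: extension says modern, bytes say legacy
        elif kind.startswith("ooxml"):
            findings["modern"] += 1
    return findings


def make_ooxml(part_prefix: str) -> bytes:
    """Build a minimal constructed OOXML-shaped package (enough structure for classification)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(f"{part_prefix}/placeholder.xml", "<x/>")
    return buf.getvalue()


def build_sample_tree(root: Path) -> None:
    """Write a constructed sample tree: two legacy files (one renamed), two modern, one text file."""
    (root / "reports").mkdir()
    (root / "reports" / "q1.doc").write_bytes(OLE2_MAGIC + b"\x00" * 64)
    (root / "reports" / "renamed.docx").write_bytes(OLE2_MAGIC + b"\x00" * 64)  # legacy bytes, modern name
    (root / "reports" / "q2.docx").write_bytes(make_ooxml("word"))
    (root / "budget.xlsx").write_bytes(make_ooxml("xl"))
    (root / "notes.txt").write_bytes(b"plain text, not an Office document")


def inventory_sample() -> dict:
    """Run the inventory over the constructed sample tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return inventory(root)


if __name__ == "__main__":
    result = inventory_sample()
    print(f"{result['modern']} modern OOXML file(s)")
    for rel in result["legacy"]:
        note = "  (extension suggests a modern format)" if rel in result["mismatch"] else ""
        print(f"LEGACY: {rel}{note}")
```

Point `inventory()` at a synced SharePoint or OneDrive folder (or a file-server export) to get the list of documents that will need converting or an exclusion before the setting is enforced; the `mismatch` list is worth a second look because those files will be treated by their contents, not their names.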

Teams Rooms — 2 settings

Secure meeting devices

Applies device-level protections for Teams Rooms hardware. Only relevant if you have Room devices in your tenant.

Two ways to enable BSM

✅ Automatically apply default policies

Instantly applies 7 low-impact policies Microsoft considers safe for most organizations. No simulation required. Good starting point for most tenants.

📊 Generate report (simulation mode)

Runs the remaining 11 policies in monitor-only mode and generates an impact report (within ~24 hours) showing affected users, apps, and devices — before any changes are made.

Best practice

Always run simulation/impact reports before enforcing stricter settings — especially for authentication policies. The reports may include end-user identifiable information (EUII) and rely on tenant-level audit logs.

Dashboard: know your posture at a glance

The BSM dashboard gives you an at-a-glance view of your tenant's security posture compared to Microsoft's 18 recommended settings. Each recommendation shows a status — At risk or Meets standards — with drill-down details on impact, exclusions, and remediation steps.

Role-based access control (RBAC)

BSM fully supports RBAC, so workload-specific administrators only manage their own area. The following roles have access to relevant settings:

  • Security Administrator / Global Administrator — full access
  • Office Apps Administrator — Microsoft 365 Apps settings
  • SharePoint Administrator — SharePoint and OneDrive settings
  • Exchange Administrator — Exchange Online settings
  • Teams Administrator — Teams settings

Availability

BSM is available across all Microsoft 365 subscriptions and plans — no premium add-on required. It is opt-in, giving admins full control over when and what to enable.

The rollout timeline: commercial tenants from November 2025 (GA by late January 2026); GCC, DoD, and GCCH government clouds through March 2026.

Known limitations to watch out for

⚠ Current limitations

Some features do not work when certain BSM settings are enabled. Test in simulation mode first.

  • Certificate Based Authentication for Exchange ActiveSync (legacy flow)
  • Excel for Windows and Excel for the web
  • Power BI, Microsoft Fabric, and Power Platform Dataflows
  • Calendar sharing and Free/Busy information (cross-tenant)
  • Dynamics 365 Customer Insights

Recommended rollout approach

  1. Start with Automatically apply default policies for immediate low-risk wins
  2. Enable Generate report for the remaining 11 settings
  3. Review impact reports — identify affected apps, users, and legacy protocols
  4. Work with app owners to migrate off legacy protocols (e.g. EWS, basic auth)
  5. Enforce remaining policies progressively with exclusions where needed
  6. Monitor regularly — Microsoft will add new policies in future phases
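The impact report for the Block legacy auth setting described earlier tells you who still signs in over POP, IMAP, SMTP Auth or legacy EWS; step 3 above is where you turn that into a list of users and app owners to contact. The script below is an added example (not Microsoft's code and not the BSM report itself) that does the same triage over an exported sign-in log: it groups sign-ins by legacy client protocol and reports the distinct users, the applications involved, success/failure counts and the most recent sign-in. The record layout mirrors the `userPrincipalName`, `appDisplayName`, `clientAppUsed`, `status.errorCode` and `createdDateTime` fields of an Entra ID sign-in log export, but every record in `SAMPLE_SIGNIN_EXPORT` is constructed, and the `LEGACY_CLIENT_APPS` set is this example's own choice of which `clientAppUsed` values to treat as legacy.

```python
"""Summarize legacy-protocol sign-ins from an exported sign-in log.

Added example, not Microsoft's code and not the BSM impact report.
SAMPLE_SIGNIN_EXPORT is constructed; field names follow the Entra ID sign-in log shape.
"""
import json

# Assumption for this example: which clientAppUsed values count as legacy protocols.
LEGACY_CLIENT_APPS = {
    "POP3", "IMAP4", "Authenticated SMTP",
    "Exchange Web Services", "Exchange ActiveSync", "Other clients",
}

# Constructed sample export (five sign-ins, three of them over legacy protocols).
SAMPLE_SIGNIN_EXPORT = json.dumps([
    {"createdDateTime": "2026-03-01T09:00:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Mobile Apps and Desktop clients",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-02T08:15:00Z", "userPrincipalName": "scanner-mfp@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-03T06:30:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-05T07:40:00Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 50126}},   # constructed failure: non-zero errorCode means the sign-in failed
    {"createdDateTime": "2026-03-04T12:00:00Z", "userPrincipalName": "svc-crm@contoso.example",
     "appDisplayName": "Legacy CRM connector (constructed)", "clientAppUsed": "Exchange Web Services",
     "status": {"errorCode": 0}},
])


def load_signins(raw: str) -> list:
    """Parse the JSON export into a list of sign-in records."""
    return json.loads(raw)


def summarize_legacy_auth(records: list) -> dict:
    """Group legacy-protocol sign-ins by clientAppUsed; returns sorted user/app lists per protocol."""
    summary = {}
    for rec in records:
        client = rec.get("clientAppUsed", "")
        if client not in LEGACY_CLIENT_APPS:
            continue                      # modern auth client, not affected by the block
        entry = summary.setdefault(client, {
            "users": set(), "apps": set(), "successes": 0, "failures": 0, "last_seen": "",
        })
        entry["users"].add(rec.get("userPrincipalName", "unknown"))
        entry["apps"].add(rec.get("appDisplayName", "unknown"))
        if rec.get("status", {}).get("errorCode", 0) == 0:
            entry["successes"] += 1       # working legacy sign-in: someone will break when blocked
        else:
            entry["failures"] += 1        # already failing: may be a stale client or a credential-guessing source
        # ISO-8601 UTC timestamps compare correctly as strings
        entry["last_seen"] = max(entry["last_seen"], rec.get("createdDateTime", ""))
    for entry in summary.values():
        entry["users"] = sorted(entry["users"])
        entry["apps"] = sorted(entry["apps"])
    return summary


def render_report(summary: dict) -> str:
    """Render the summary as text, most-used protocols first."""
    lines = []
    for client, entry in sorted(summary.items(), key=lambda kv: -(kv[1]["successes"] + kv[1]["failures"])):
        lines.append(f"{client}: {entry['successes']} ok / {entry['failures']} failed, last seen {entry['last_seen']}")
        lines.append(f"  users: {', '.join(entry['users'])}")
        lines.append(f"  apps:  {', '.join(entry['apps'])}")
    return "\n".join(lines) if lines else "no legacy-protocol sign-ins found"


if __name__ == "__main__":
    print(render_report(summarize_legacy_auth(load_signins(SAMPLE_SIGNIN_EXPORT))))
```

Feed it the JSON export of your tenant's sign-in logs (covering at least the same window the BSM report uses) and the `users` list per protocol is the set of accounts to migrate or to exclude temporarily in step 5; the `apps` list is who to talk to in step 4. Successful legacy sign-ins are the ones that will break on enforcement, so they are the priority; entries that are only failing are worth checking separately, since a stream of failed basic-auth attempts can also indicate a credential-guessing source rather than a real user.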

Official Microsoft resources

Official links

  • MS Learn: Baseline Security Mode Settings (learn.microsoft.com)
  • Microsoft Ignite 2025 Announcement Blog (techcommunity.microsoft.com)

Final thoughts

Baseline Security Mode is one of the most meaningful quality-of-life improvements Microsoft has made for M365 admins in recent years. The ability to assess, simulate, and enforce security hardening from a single dashboard — without PowerShell expertise — lowers the bar for every organization to achieve a strong security baseline.

If you haven't explored it yet, now is the time. Start with the default auto-apply policies and run simulation reports for the rest. Your tenant's security posture will thank you.