Don't Leave the Microsoft 365 Gateway Slightly Open: Use BSM's "God's Eye View" to Precisely Identify Security Risks

In today’s increasingly complex digital risk landscape, how can enterprises proactively perceive security threats and move from passive defense to active management? Microsoft’s Baseline Security Mode (hereinafter referred to as Microsoft BSM), launched at the end of 2025, is becoming an important direction for the evolution of global enterprise cybersecurity architecture.

As a strategic alliance partner of Microsoft, PwC has not only been deeply involved in the initial implementation of Microsoft BSM but has also accumulated cutting-edge application experience across multiple practical scenarios. Based on its own complex-architecture security practices, PwC helps organizations identify and converge legacy high-risk configurations and protocols still in use within Microsoft 365 (hereinafter referred to as M365) and Entra ID. Through impact reporting and assessment of dependencies and business impacts, it promotes baseline reinforcement at a manageable pace, providing a practical path for enterprises to solve legacy-system protection issues and strengthen security baselines.

To this end, we have specially compiled and first published this article to share our pioneering insights and practical summaries in the field of Microsoft BSM with enterprises that are currently using or planning to use this technology, helping clients stay ahead in security construction and gain a competitive edge.

1. Why has the “Security Baseline” become more urgent now?

Today’s cyber threats are entering a new phase of “AI acceleration”: attackers leverage large models and automation tools to scan exposed surfaces and identify vulnerabilities more quickly and accurately, achieving attack goals with greater agility within enterprise environments. Cybercriminal groups find it easier to exploit legacy security weaknesses, which are not only from traditional old systems but also often found in legacy configurations and protocols still retained by many organizations within M365 and Microsoft Entra identity platforms. When these high-risk configurations are layered with multi-cloud/hybrid architectures, defenders often struggle to keep up, while attackers become bolder.

To outpace such adversaries, enterprises need to establish “holistic visibility” in complex and interdependent environments: including cloud tenants and applications, as well as key control points in identity and access chains. The challenge lies in the fact that legacy configurations are highly “concealed” and “dependent”—they may be repeatedly inherited over years of iteration but lack continuous inventory and convergence mechanisms. If updates and reinforcement cannot keep pace, attackers will see them as shortcuts to bypass strong validation, escalate privileges, or move laterally and vertically. Meanwhile, fundamental issues such as cloud configuration drift and risks from cross-system integrations remain widespread, and opponents equipped with new technologies are further raising the risk thresholds of these problems.

PwC’s “2026 Global Digital Trust Insights” also confirms this trend through research: cloud-related threats are considered the top cybersecurity threat enterprises are “least prepared” for; legacy configurations and supply chain vulnerabilities rank among the top two weaknesses faced by organizations, with over half of respondents admitting they can only “barely cope” under related attacks. Therefore, while industry concerns may differ, effective responses must return to fundamental security practices—solidifying the security baseline to provide a stable foundation for defense systems.

Against this backdrop, organizations often face the following common pain points when promoting “security baseline configurations”:

2. Microsoft BSM: Microsoft’s “Security-by-default Baseline” capability

With over 90% of Fortune 500 companies already covered by M365 and its Copilot assistant tools, Microsoft launched at the end of 2025 a new security product based on M365—Microsoft BSM. This capability is deeply integrated into the M365 Admin Center and is a security baseline configuration capability for enterprise M365 and Microsoft Entra identity systems. It consolidates key security settings, previously scattered across Office, Exchange, Teams, SharePoint/OneDrive, and other enterprise applications and management portals, into a unified interface. Based on Microsoft’s analysis of real attack data, it prioritizes covering a set of the most exploited legacy/high-risk configurations.

Through Microsoft BSM, administrators can quickly view configuration status and prioritization on a single dashboard, combine impact reports/simulation (What-if) assessments of change effects on users and applications, and then centrally enable security default configurations or block high-risk features using a “switch-based governance” approach.

Its focus is on eliminating known, easily exploitable legacy configurations retained in M365 applications and Microsoft Entra, through centralized management.

Core service areas of Microsoft BSM currently include:

Identity and Permissions: Reducing the success rate of credential attacks and lateral movement

Old authentication protocols/tokens remain one of the most common intrusion entry points. Microsoft BSM recommends reducing exposure to legacy protocols in services like Exchange, SharePoint/OneDrive, Teams, and M365 apps by suggesting the unified disabling of related legacy configurations, thereby lowering risks from phishing, credential stuffing, and password spraying.

Blocking legacy authentication flows: Disabling protocols such as POP (Post Office Protocol), IMAP (Internet Message Access Protocol), SMTP (Simple Mail Transfer Protocol), and outdated EWS (Exchange Web Services) that do not support MFA (Multi-Factor Authentication) or conditional access directly cuts off high-risk login channels.

Blocking basic authentication prompts: Prevents traditional “username/password” pop-up prompts, reducing the chance of credential theft and phishing.
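Before a legacy-authentication block is switched on, a defender wants to know which users and applications still sign in over these protocols (the "impact" the article refers to) and whether failed legacy sign-ins already show a password-spraying pattern. The following is an added example, not code from the PwC article or from Microsoft's BSM tooling: it triages Entra sign-in records shaped like the Microsoft Graph signIn resource (userPrincipalName, appDisplayName, clientAppUsed, status.errorCode), using the client-app names that the Entra sign-in log's "Client app" filter lists as legacy authentication clients. The records, user names and the contoso.example domain are constructed sample data.

```python
"""Legacy-authentication inventory for Entra sign-in records (added example).

Records follow the Microsoft Graph signIn resource shape; the sample below is
constructed, not exported from a real tenant.
"""
from collections import defaultdict
import json

# Client-app names that Entra sign-in logs classify as legacy authentication
# clients (basic auth, no MFA / Conditional Access enforcement).
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "AutoDiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "Outlook Service", "POP3", "Reporting Web Services", "Other clients",
}

# Constructed sample sign-ins. errorCode 0 = success; 50126 = bad credentials.
SAMPLE_SIGNINS = json.loads(r"""[
 {"userPrincipalName":"alice@contoso.example","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Browser","status":{"errorCode":0}},
 {"userPrincipalName":"bob@contoso.example","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"IMAP4","status":{"errorCode":0}},
 {"userPrincipalName":"bob@contoso.example","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"IMAP4","status":{"errorCode":0}},
 {"userPrincipalName":"svc-scanner@contoso.example","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Authenticated SMTP","status":{"errorCode":0}},
 {"userPrincipalName":"carol@contoso.example","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"POP3","status":{"errorCode":50126}},
 {"userPrincipalName":"dave@contoso.example","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"POP3","status":{"errorCode":50126}},
 {"userPrincipalName":"erin@contoso.example","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"POP3","status":{"errorCode":50126}},
 {"userPrincipalName":"frank@contoso.example","appDisplayName":"Microsoft Teams","clientAppUsed":"Mobile Apps and Desktop clients","status":{"errorCode":0}},
 {"userPrincipalName":"carol@contoso.example","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Exchange Web Services","status":{"errorCode":0}}
]""")


def classify(record: dict) -> str:
    """'legacy' if the sign-in used a basic-auth client, else 'modern'."""
    return "legacy" if record.get("clientAppUsed") in LEGACY_CLIENT_APPS else "modern"


def _succeeded(record: dict) -> bool:
    return record.get("status", {}).get("errorCode", 0) == 0


def legacy_inventory(records: list) -> dict:
    """Count successful/failed legacy sign-ins per (user, app, client app)."""
    inv = defaultdict(lambda: {"success": 0, "failure": 0})
    for r in records:
        if classify(r) != "legacy":
            continue
        key = (r["userPrincipalName"], r.get("appDisplayName", "?"), r["clientAppUsed"])
        inv[key]["success" if _succeeded(r) else "failure"] += 1
    return dict(inv)


def block_impact(records: list) -> dict:
    """Users and apps with at least one *successful* legacy sign-in.

    These are the identities that will break when the flow is disabled and
    therefore need a migration plan or a documented exception first.
    """
    users, apps = set(), set()
    for (upn, app, _client), counts in legacy_inventory(records).items():
        if counts["success"]:
            users.add(upn)
            apps.add(app)
    return {"users": sorted(users), "apps": sorted(apps)}


def spray_candidates(records: list, threshold: int = 3) -> dict:
    """Legacy client apps with failed sign-ins across >= threshold distinct users.

    Many distinct users failing over the same basic-auth protocol is the
    classic password-spraying signature the article mentions.
    """
    failed_users = defaultdict(set)
    for r in records:
        if classify(r) == "legacy" and not _succeeded(r):
            failed_users[r["clientAppUsed"]].add(r["userPrincipalName"])
    return {app: len(u) for app, u in failed_users.items() if len(u) >= threshold}


if __name__ == "__main__":
    print("impact of blocking legacy auth:", block_impact(SAMPLE_SIGNINS))
    print("spray candidates:", spray_candidates(SAMPLE_SIGNINS))
```

On the sample data the impact report names bob, carol and the svc-scanner service account as the identities that still depend on IMAP, EWS or SMTP AUTH, while the three distinct users failing over POP3 surface as a spraying candidate; in a real tenant the same two functions would run over a Graph sign-in export rather than the embedded list.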

Files and Collaboration: Reducing attack surfaces from malicious documents and legacy file features

M365 applications (like Word/Excel/PowerPoint) improve efficiency but pose security risks with older Office file formats (e.g., Word’s .doc) and embedded ActiveX controls. Microsoft BSM recommends and can enforce tenant migration to more modern, secure file formats, and restrict/eliminate high-risk files containing ActiveX, reducing attack surfaces at the source.

With user consent to view detailed diagnostic data, Microsoft BSM can also provide granular visibility—such as the number of users still using legacy documents with ActiveX in the past 28 days, and how often such files are opened—helping administrators conduct targeted user education and policy convergence, accelerating security standard implementation.
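The diagnostic counts BSM provides come from Office telemetry; an administrator who also wants an inventory of what is sitting on file shares can get one by looking at the files themselves. The following is an added example, not from the PwC article or from Microsoft: it classifies Office documents by container type, treating the legacy OLE binary formats (.doc/.xls/.ppt, recognisable by their compound-file signature) as high risk in line with the migration recommendation above, and, for modern OOXML packages, flagging any embedded ActiveX parts (stored under an activeX/ folder inside the ZIP package, e.g. word/activeX/ for Word). The sample files are built in memory and are constructed, not real documents; ActiveX inside legacy binary files is not inspected here, only reported as "not inspected".

```python
"""Office file-format / ActiveX inventory (added example, constructed samples)."""
import io
import zipfile

# Signature of the OLE2 compound file container used by .doc/.xls/.ppt.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OOXML (.docx/.xlsx/.pptx) is a ZIP package; first local file header.
ZIP_MAGIC = b"PK\x03\x04"


def classify_office_file(data: bytes) -> dict:
    """Classify a file by container type and report embedded ActiveX parts."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: the article's recommendation is to migrate it
        # regardless of content, so it is high risk without deeper parsing.
        return {"format": "legacy-binary", "activex": "not inspected", "risk": "high"}
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return {"format": "unknown", "activex": "not inspected", "risk": "unknown"}
        # ActiveX controls live in <root>/activeX/activeX<N>.xml|.bin parts.
        has_activex = any("/activeX/" in name for name in names)
        return {"format": "ooxml", "activex": has_activex,
                "risk": "high" if has_activex else "low"}
    return {"format": "unknown", "activex": "not inspected", "risk": "unknown"}


def inventory(files: dict) -> dict:
    """Map file name -> classification for a {name: bytes} collection."""
    return {name: classify_office_file(data) for name, data in files.items()}


def files_to_remediate(files: dict) -> list:
    """Names of files the migration/ActiveX policy would act on."""
    return sorted(name for name, c in inventory(files).items() if c["risk"] == "high")


def _build_ooxml(extra_parts: dict) -> bytes:
    """Construct a minimal OOXML-style ZIP package with optional extra parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, payload in extra_parts.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample "file share": a legacy .doc, a clean .docx, a .docx with an
# ActiveX control, and a non-Office file.
SAMPLE_FILES = {
    "quarterly.doc": OLE_MAGIC + b"\x00" * 504,
    "report.docx": _build_ooxml({}),
    "form.docx": _build_ooxml({
        "word/activeX/activeX1.xml": "<ax:ocx/>",
        "word/activeX/activeX1.bin": b"\x00" * 16,
    }),
    "notes.txt": b"plain text, not an Office document",
}


if __name__ == "__main__":
    for name, result in inventory(SAMPLE_FILES).items():
        print(f"{name:15} {result}")
    print("remediate:", files_to_remediate(SAMPLE_FILES))
```

Pointed at a real directory, the same classifier would be fed `Path.read_bytes()` per file; the output gives the per-department counts of legacy and ActiveX-bearing documents that the targeted user education described above needs.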

Meeting Rooms and Shared Devices: Making “blind spot assets” controllable again

Microsoft BSM emphasizes two key best practices in meeting room device scenarios to reduce misuse and data leakage risks:

Blocking unmanaged devices and resource accounts from logging into M365 applications: Restrict non-managed endpoints and resource accounts (like meeting room accounts) from directly accessing Office apps, reducing entry points for misuse.

Restricting Teams Rooms resource accounts from accessing meeting files: Prevent or limit resource accounts on Teams Rooms devices from accessing M365 files displayed during meetings, avoiding unauthorized reading or downloading of sensitive content.

Implementing these configurations significantly enhances the security of meeting environments and protects meeting data and sensitive information.

Features of Microsoft BSM

Future Planning of Microsoft BSM

The first release—Microsoft BSM 2025—has introduced 20 baseline configurations across five core applications. Microsoft Digital has assisted in verifying and deploying these features enterprise-wide. The next wave of updates is already underway, with a larger scope including 46 features—more than twice the first round. The Microsoft BSM product team is expanding coverage, focusing on: deeper protocol restrictions, broader application controls, and more granular identity verification strategies.

3. Common pain points in deploying security baselines vs. how Microsoft BSM addresses them

Microsoft BSM does not replace a comprehensive security system (such as threat detection, response, data governance, etc.) but prioritizes “building the foundation”: stronger default configurations to reduce attack entry points, supported by impact simulations and diagnostic data to help enterprises advance remediation at a manageable pace.

Pain points in deploying security baselines & how Microsoft BSM responds

4. Typical scenarios suitable for Microsoft BSM

Aligning with the actual needs of enterprise digital office security, Microsoft BSM’s capabilities can be precisely applied to various core business and operational scenarios. Its protection solutions for high-frequency security risks in office environments can effectively safeguard key aspects such as accounts, authentication, scripts, transmission, controls, and device login, aligning well with common security management pain points in daily enterprise operations.

5. Differences between Microsoft BSM and other Microsoft security products: avoiding common misconceptions

Many enterprises have already deployed Microsoft Secure Score, Microsoft Entra Access, Microsoft Defender series, and various baseline scripts. They often ask, “Is Microsoft BSM redundant?” Our advice is to understand the differences in positioning to avoid feature confusion.

Core comparison of Microsoft security products

6. From “configuration” to “implementation”: PwC’s own deployment experience

Due to its large scale and complex architecture, PwC itself faces potential risks from legacy configurations that could become new attack vectors as threat environments evolve. Thanks to the strategic partnership with Microsoft’s Inner Circle, which enhances collaboration and practical alignment, PwC was among the first global organizations to pilot Microsoft Baseline Security Mode (BSM). This “early validation and early consolidation” approach provides a reusable methodology and delivery path for subsequent enterprise-wide promotion.

What have we gained from the pilot?

First, Microsoft BSM offers a more centralized, actionable control and management interface. Previously, similar configurations were scattered across multiple consoles and locations, requiring separate review and setup. With Microsoft BSM, we can identify legacy configurations still in use within the organization from a single view, and when necessary, quickly converge and block high-risk capabilities across the entire organization using simple “switch-based” policies—turning risk management from “point-based governance” into “systematic governance.”

It’s important to note that Microsoft BSM does not produce a “one-click” comprehensive configuration list. During the pilot, we observed that many recommendations involve adjustments that significantly impact current business environments: once enabled, they often affect existing application dependencies, authentication methods, and legacy protocols. Based on this, we incorporated these suggestions into existing change management and risk assessment processes, developing phased remediation roadmaps: regularly reviewing impact data from Microsoft BSM, proactively identifying potentially affected users and applications; and aligning with business leaders on alternative solutions, transition windows, and customized exceptions, ensuring recommendations are implemented smoothly at a controlled pace—enhancing security baseline while maintaining business continuity.

Our value lies in translating Microsoft BSM’s “security suggestions” into actionable remediation roadmaps, change rhythms, and responsibility mechanisms based on an understanding of enterprise business processes and system dependencies, ultimately achieving both baseline security enhancement and business continuity.

How do we operate it?

While Microsoft BSM can directly generate required data, we recognize that users need clear, actionable implementation plans. Based on our practical experience, we have developed several supporting capabilities:

Automated technical solutions: Custom tools and dashboards to help organizations interpret Microsoft BSM data, prioritize remediation, and track risk reduction progress.

Support cycle center: Establishing a support hub to provide resources and technical assistance from planning to implementation.

Standard operating manuals: Creating practical operational procedures to guide efficient implementation of Microsoft BSM recommendations.

Leveraging these solutions and experiences, PwC can help enterprises turn Microsoft BSM and other security features into tangible results, closing the loop from data insights to risk management.

PwC’s Microsoft BSM implementation service overview

PwC’s BSM Accelerator consolidates impact reports, which are scattered and require clicking through multiple links, and combines them with Microsoft Entra’s user and application metadata. It transforms impact information—originally only application IDs and lacking responsible persons or business attribution—into a comprehensive map including business lines, applications, responsible persons, and affected scope. This enables security teams to analyze impacts across business units, applications, and responsible personnel in a single view, avoiding repeated communication across controls. With visual change tracking, it continuously measures risk reduction progress and supports periodic management reporting, elevating Microsoft BSM deployment from a one-time configuration to a “collaborative, traceable, closed-loop” project.

7. Conclusion: Turning “Default Security” into a Common Language for Organizations

Enterprises can now quickly identify legacy configurations and protocol vulnerabilities. For example, Microsoft BSM provides proactive blocking mechanisms to prevent the use of high-risk legacy components from the source. As auditors and regulators increasingly scrutinize enterprise security defenses, such investments not only meet compliance requirements but also transform into strategic advantages.

In today’s highly interconnected environment, a company’s security weaknesses can trigger systemic risks. Investing in proactive defense measures like Microsoft BSM is crucial—basic security is no longer just an internal matter but a shared industry responsibility. The overall security strength of the ecosystem depends on the robustness of each link; only through collective optimization can the overall security baseline be elevated.

PwC’s cybersecurity team specializes in cybersecurity, data compliance, and digital trust, focusing on Microsoft BSM-related security concepts and practices, integrating global cutting-edge experience with local implementation capabilities. We provide comprehensive security services across the entire lifecycle—from strategic planning to operational deployment—helping enterprises build a solid security foundation amid digital transformation.
