// ENGINEERING_LOG

Microsoft Baseline Security Mode (BSM): The technical analysis.

Ignite 2025 Deep Dive: What does Baseline Security Mode really do in the backend? We analyzed the logs.

Përparim Kastrati - Author
23 December 2025 12 min read
[Figure: Microsoft Baseline Security Mode Architecture]

Announced at Ignite 2025, Baseline Security Mode (BSM) is now available in most tenants. Microsoft positions it as the "successor" to Security Defaults. But what does it really do in the backend? We analyzed the logs.

01. Architecture & Functionality

Unlike the rigid "Security Defaults" (On/Off), BSM is a Configuration Overlay. Found under M365 Admin Center > Settings > Org settings > Security & privacy, it acts as an orchestrator.

When you activate BSM, the service executes Graph API calls in the background to change settings across various workloads:

  • Entra ID: Creates/activates Conditional Access Policies (named with the schema "Microsoft managed: ...").
  • Exchange Online: Sets Set-OrganizationConfig parameters.
  • SharePoint/Teams: Modifies sharing settings.
Drift Detection: A core feature of BSM is monitoring. If you manually change one of these policies (e.g., re-enabling Legacy Auth), the BSM dashboard reports status "At risk". It's not just "Set & Forget", but a compliance monitor.

02. Comparison: BSM vs. Security Defaults vs. Custom CA

Where does BSM fit in? Here's the decision matrix for architects:

Feature      | Security Defaults           | Baseline Security Mode        | Custom CA (Flowbotics)
Licensing    | Free / Basic                | Business Premium / E3+        | Business Premium / E3+
Flexibility  | None (All or nothing)       | Medium (Exclusions possible)  | Maximum (Granular)
Legacy Auth  | Blocks everything           | Blocks (with Impact Report)   | Granular controllable
Target Group | Micro-Business (< 10 users) | SMEs without IT Security team | Enterprise & Regulated

03. Policy Inventory (Technical)

Microsoft documents "roughly" what happens. Here's the technical reality of what gets changed in the tenant:

A. Identity & Access (Entra ID)

  • MFA Enforcement: Enforces MFA for all admin roles (Global, Security, Exchange, SharePoint, Helpdesk).
  • Legacy Authentication: Blocks protocols that don't support MFA. Technically: a CA policy whose client-app condition targets the "Exchange ActiveSync clients" and "Other clients" app types, with a block grant.
  • Admin Protection: Enforces phishing-resistant MFA (FIDO2/Certificate) for High-Privilege Roles (optionally activatable).

B. Exchange Online Protection

  • External Forwarding: Sets AutoForwardingMode on RemoteDomains to Off or SystemManaged.
  • Malware Filter: Activates "Common Attachment Types Filter" (Blocks .exe, .vbs, .ps1).
  • SMTP Auth: Disables SMTP AUTH tenant-wide by setting SmtpClientAuthenticationDisabled to true on the transport config (Set-TransportConfig); exceptions must be set per mailbox.

C. Office & Apps Hardening

This is the part that's often overlooked. BSM sets security standards for the apps themselves:

  • Macros: Sets policies to block macros from the internet (Mark-of-the-Web).
  • DDE: Disables Dynamic Data Exchange (popular malware attack vector in Excel).
  • OLE: Blocks activation of OLE objects in Office.
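To make the inventory above checkable, here is an added readiness/drift script (not the article's own code and not Microsoft's): it reads the Entra ID and Exchange Online settings that sections A and B describe and reports each one as OK or DRIFT relative to the BSM baseline. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an account with Policy.Read.All plus Exchange Online read rights, and the "Microsoft managed:" policy naming schema described in this article. The Office hardening policies in section C are delivered through Cloud Policy and are not queried here.

```powershell
# Added example: snapshot the tenant settings that BSM touches (sections A and B above).
# Assumes Microsoft.Graph + ExchangeOnlineManagement modules and read permissions on both.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Area, [string]$Check, [bool]$Ok, [string]$Detail)
    $Findings.Add([pscustomobject]@{
        Area   = $Area
        Check  = $Check
        Status = $(if ($Ok) { 'OK' } else { 'DRIFT' })
        Detail = $Detail
    })
}

# --- A. Entra ID: is legacy auth blocked by an enabled CA policy? ---
$Policies = Get-MgIdentityConditionalAccessPolicy -All
$LegacyBlock = @($Policies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'block' -and
    ($_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -or $_.Conditions.ClientAppTypes -contains 'other')
})
Add-Finding 'Entra ID' 'Legacy auth blocked by an enabled CA policy' ($LegacyBlock.Count -gt 0) ($LegacyBlock.DisplayName -join '; ')

# Microsoft-managed policies (naming schema per the article) that are still report-only or disabled
foreach ($p in ($Policies | Where-Object DisplayName -like 'Microsoft managed:*')) {
    Add-Finding 'Entra ID' "Managed policy enforced: $($p.DisplayName)" ($p.State -eq 'enabled') "State=$($p.State)"
}

# --- B. Exchange Online ---
# External forwarding: the default remote domain and the default outbound spam policy
$Default = Get-RemoteDomain -Identity Default
Add-Finding 'Exchange' 'Remote domain auto-forwarding off' (-not $Default.AutoForwardEnabled) "AutoForwardEnabled=$($Default.AutoForwardEnabled)"

# AutoForwardingMode 'Automatic' is what the portal shows as "System-controlled"
$Outbound = Get-HostedOutboundSpamFilterPolicy | Where-Object IsDefault
Add-Finding 'Exchange' 'Outbound spam policy auto-forwarding' ($Outbound.AutoForwardingMode -in @('Off', 'Automatic')) "AutoForwardingMode=$($Outbound.AutoForwardingMode)"

# Common attachment types filter: must be enabled and cover the extensions the article names
$Malware  = Get-MalwareFilterPolicy | Where-Object IsDefault
$Blocked  = @($Malware.FileTypes | ForEach-Object { $_.TrimStart('.').ToLower() })
$Required = 'exe', 'vbs', 'ps1'
$Missing  = @($Required | Where-Object { $_ -notin $Blocked })
Add-Finding 'Exchange' 'Common attachment filter blocks exe/vbs/ps1' ($Malware.EnableFileFilter -and $Missing.Count -eq 0) "EnableFileFilter=$($Malware.EnableFileFilter); missing=$($Missing -join ',')"

# SMTP AUTH: tenant-wide switch plus per-mailbox exceptions ($false on a mailbox re-enables it; $null inherits)
$Transport = Get-TransportConfig
Add-Finding 'Exchange' 'SMTP AUTH disabled tenant-wide' ([bool]$Transport.SmtpClientAuthenticationDisabled) "SmtpClientAuthenticationDisabled=$($Transport.SmtpClientAuthenticationDisabled)"
$Exceptions = @(Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false })
Add-Finding 'Exchange' 'No per-mailbox SMTP AUTH exceptions' ($Exceptions.Count -eq 0) ($Exceptions.PrimarySmtpAddress -join '; ')

# --- Report ---
$Findings | Format-Table Area, Check, Status, Detail -AutoSize
$Drift = @($Findings | Where-Object Status -eq 'DRIFT')
if ($Drift.Count -gt 0) {
    Write-Warning "$($Drift.Count) setting(s) differ from the BSM baseline. BSM would change these on activation, or flag them 'At risk' afterwards."
}
```

Run it once before enabling BSM to see what will change, and again afterwards: any DRIFT line that reappears later is exactly what the BSM dashboard's drift detection is reporting, and this gives you the concrete setting behind the "At risk" status.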

04. The Killer Feature: Impact Analysis

The biggest risk with security hardening is the "Scream Test" (we turn it off and wait to see who screams). BSM integrates an Impact Analysis Engine.

Before a policy becomes active, BSM scans the sign-in logs and mail-flow logs of the last 30 days.

The advantage: You see in the dashboard: "Enabling 'Block Legacy Auth' will affect 3 service accounts and the CEO (iPhone Mail App)." This enables proactive migration before enforcing.

05. Risks for Enterprise Tenants

Why we at Flowbotics remain cautious in enterprise environments:

  • Black Box Policies: The Microsoft-managed CA policies often can't be edited. If you have complex "Break Glass" account logic, BSM might overwrite or ignore it.
  • Conflicts: If you already have your own CA policies (e.g., "Block Legacy Auth except IP x.x.x.x"), BSM can lead to unexpected overlaps.
  • False Sense of Security: BSM covers the "baseline". It doesn't replace a Zero Trust architecture with Device Compliance, Sensitivity Labels and Data Loss Prevention.
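The first two risks above can be measured before flipping the switch. The following added script (not the article's own code and not Microsoft's) lists every Conditional Access policy that already targets legacy client app types, so you can see which custom policies the Microsoft-managed legacy-auth block would overlap with and whether they carry location carve-outs that a managed policy will not, and then checks that your emergency-access account is excluded from every enforced policy, directly or via group. It assumes the Microsoft.Graph module with Policy.Read.All and User.Read.All, the "Microsoft managed:" naming schema the article describes, and a placeholder break-glass UPN that you replace with your own.

```powershell
# Added example: CA overlap and break-glass exclusion check before enabling BSM.
# Assumes Microsoft.Graph module; $BreakGlassUpn is a placeholder for your emergency-access account.
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All" -NoWelcome
$BreakGlassUpn = 'breakglass@contoso.example'   # placeholder, replace with your account

# Null-safe count: @($null).Count is 1, which would give wrong exclusion counts
function Count-Items($Items) { if ($null -eq $Items) { 0 } else { @($Items).Count } }

function Get-PolicyOrigin($Policy) {
    if ($Policy.DisplayName -like 'Microsoft managed:*') { 'Microsoft-managed' } else { 'Custom' }
}

# Policies that target the same client app types as the managed "block legacy auth" policy
function Get-LegacyAuthPolicyOverlap {
    param([object[]]$Policies)
    $Policies | Where-Object {
        $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -or $_.Conditions.ClientAppTypes -contains 'other'
    } | ForEach-Object {
        [pscustomobject]@{
            Policy             = $_.DisplayName
            Origin             = Get-PolicyOrigin $_
            State              = $_.State
            Grant              = ($_.GrantControls.BuiltInControls -join ',')
            # Carve-outs such as "except IP x.x.x.x" live in location exclusions; a managed policy will not carry them
            LocationExclusions = Count-Items $_.Conditions.Locations.ExcludeLocations
            UserExclusions     = (Count-Items $_.Conditions.Users.ExcludeUsers) + (Count-Items $_.Conditions.Users.ExcludeGroups)
        }
    }
}

# Is the break-glass account excluded from every enforced policy (directly or through a group)?
function Test-BreakGlassExclusion {
    param([object[]]$Policies, [string]$Upn)
    $User     = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName
    $GroupIds = @(Get-MgUserMemberOf -UserId $User.Id -All | Select-Object -ExpandProperty Id)
    $Policies | Where-Object State -eq 'enabled' | ForEach-Object {
        $DirectExclusion = $_.Conditions.Users.ExcludeUsers -contains $User.Id
        $GroupExclusion  = @($_.Conditions.Users.ExcludeGroups | Where-Object { $_ -in $GroupIds }).Count -gt 0
        [pscustomobject]@{
            Policy   = $_.DisplayName
            Origin   = Get-PolicyOrigin $_
            Excluded = ($DirectExclusion -or $GroupExclusion)
        }
    }
}

$Policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -ne 'disabled'

"== Policies the managed legacy-auth block would overlap with =="
Get-LegacyAuthPolicyOverlap -Policies $Policies | Format-Table -AutoSize

"== Break-glass exclusion per enforced policy =="
$Result = @(Test-BreakGlassExclusion -Policies $Policies -Upn $BreakGlassUpn)
$Result | Format-Table -AutoSize
$Gaps = @($Result | Where-Object { -not $_.Excluded })
if ($Gaps.Count -gt 0) {
    Write-Warning "Break-glass account is not excluded from: $($Gaps.Policy -join '; ')"
}
```

A Custom policy in the first table with LocationExclusions greater than zero is the classic conflict case: the managed block has no such carve-out, so the stricter policy wins and the exception silently stops working. A Microsoft-managed policy in the second table with Excluded = False is the case where you cannot add the exclusion yourself and must decide whether BSM's handling of that account is acceptable.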

06. Audit Script: Are You Ready for BSM?

Before flipping the switch, you should know if your environment is "clean". This script checks the most critical factor: Active Legacy Authentication.

PowerShell - Legacy Auth Audit
# Prerequisites: Install-Module Microsoft.Graph.Reports
# Reading sign-in logs requires AuditLog.Read.All and Directory.Read.All
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Period: last 30 days (maximum retention for interactive sign-in logs via Graph)
# The Graph filter expects an ISO 8601 UTC timestamp, not a bare date
$StartDate = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

# clientAppUsed has no value 'Legacy Authentication'; that label is only a portal filter.
# The legacy client types have to be listed explicitly.
$LegacyClients = 'Exchange ActiveSync', 'Authenticated SMTP', 'IMAP4', 'POP3',
                 'Exchange Web Services', 'AutoDiscover', 'Outlook Anywhere (RPC over HTTP)', 'Other clients'
$ClientFilter  = ($LegacyClients | ForEach-Object { "clientAppUsed eq '$_'" }) -join ' or '

Write-Host "Analyzing sign-ins for legacy protocols (POP/IMAP/SMTP/EAS)..."

$LegacySignIns = @(Get-MgAuditLogSignIn -Filter "createdDateTime ge $StartDate and ($ClientFilter)" -All)

if ($LegacySignIns.Count -gt 0) {
    # One row per user/app/protocol combination, most active first
    $LegacySignIns | Group-Object UserPrincipalName, AppDisplayName, ClientAppUsed |
    Select-Object Name, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

    Write-Warning "WARNING: Legacy Auth found! BSM would block these connections."
} else {
    Write-Host "Clean! No Legacy Auth activity found."
}

Unsure whether BSM or Custom Policies are right for you?

Book Architecture Review