Effective November 15, 2025, Microsoft Baseline Security Mode (BSM) became generally available worldwide. This new opt-in feature provides a secure-by-default configuration baseline for Microsoft cloud services by eliminating vulnerabilities from legacy settings. Administrators can enable BSM via the Microsoft 365 Admin Center to instantly apply Microsoft’s recommended security settings across their tenant with minimal effort. Announced at Microsoft Ignite 2025, Baseline Security Mode is now rolling out globally to all Microsoft 365 customers.
What is Microsoft Baseline Security Mode
Microsoft Baseline Security Mode (BSM) is a security feature that enforces essential protection settings across Microsoft cloud services by default. It was developed from Microsoft’s internal security initiatives and best practices to serve as a built-in security baseline for organizations. In practical terms, BSM introduces a standardized set of secure configurations for your Microsoft 365 environment. By opting in, an organization’s Microsoft 365 and Microsoft Entra (cloud identity) services automatically disable outdated, less secure configurations and enable modern, recommended security settings without requiring manual configuration. This ensures every tenant meets a minimum security standard, closing gaps left by legacy settings. Importantly, BSM is an evolving standard – the initial release focuses on Microsoft 365 and Entra (formerly Azure AD), and future updates will extend its coverage to other platforms like Microsoft Purview, Intune, Dynamics 365, and Azure.
Key Features
- Secure-by-default settings: BSM automatically enforces modern security configurations and disables legacy insecure settings across key Microsoft 365 services. For example, it can block outdated authentication methods (such as legacy protocol logins and basic auth prompts) and disallow vulnerable legacy file formats in Office apps (like disabling ActiveX controls in old documents). These measures significantly reduce common attack vectors by closing off known weaknesses in older configurations.
- Easy opt-in with low impact: Administrators can enable BSM through the Microsoft 365 Admin Center with just a few clicks. Most of the default baseline policies have little to no user impact, allowing them to be applied immediately without disruption. For settings that might affect users or applications, BSM offers a simulation mode to run impact assessments before fully enforcing the changes. This phased approach lets IT teams preview and address any issues in advance, ensuring a smooth transition to the secure baseline.
- Continuous improvement: Baseline Security Mode will be regularly updated with new protections. The November 2025 release is the first step, focusing on Microsoft 365 and Entra, but Microsoft plans to expand BSM to other services (such as Purview, Intune, Dynamics 365, and Azure) over time. In other words, BSM is not a one-time “set and forget” feature – it’s a continually evolving security baseline that will strengthen with each update to keep up with emerging threats.
- Visibility and control: BSM provides built-in dashboards and telemetry to give administrators insight into their security posture. You can monitor which legacy features or protocols are in use and track progress as baseline policies are applied. Each security setting in BSM is granularly controllable – admins can review detailed reports on what impact a setting would have and even exempt specific users or applications temporarily if needed. This flexibility allows organizations to adopt the secure baseline at their own pace while maintaining necessary functionality for certain users or scenarios.
Licensing
Microsoft Baseline Security Mode is delivered as part of the Microsoft 365 service and does not require a separate license. It is available across all Microsoft 365 subscriptions and plans, meaning any organization with a Microsoft 365 tenant can access BSM through the admin center at no additional cost. If you are unsure about your eligibility or how BSM fits into your current licenses, we recommend consulting with SCHNEIDER IT MANAGEMENT for expert licensing guidance tailored to your specific situation.
More Information
Original announcement: Microsoft 365 Blog – Ignite’25 Spotlight: Announcing Microsoft Baseline security mode (Tech Community) – https://techcommunity.microsoft.com/blog/microsoft_365blog/ignite%E2%80%9925-spotlight-announcing-microsoft-baseline-security-mode/4469709
Official documentation: Microsoft Learn – Baseline Security Mode settings – https://learn.microsoft.com/microsoft-365/baseline-security-mode/baseline-security-mode-settings
For our Microsoft page, please visit: https://www.schneider.im/software/microsoft.
Please contact us for expert services on your specific Microsoft software and online services requirements and to request a quote today.
