
365 Multi-Tenant Manager – Release July 14, 2026
Enhancements
The following new predefined settings have been introduced in the predefined settings library:
- HS-S0127 – Ensure users cannot create security groups
- Restricts users from creating security groups in Microsoft Entra ID.
- HS-S0128 – Ensure the ability to join devices to Entra is restricted
- Controls who can join devices to Microsoft Entra ID.
- HS-S0129 – Ensure the maximum number of devices per user is limited
- Limits how many devices each user can register in Microsoft Entra ID.
- HS-S0130 – Ensure the GA role is not added as a local administrator during Entra join
- Prevents the Global Administrator role from being automatically granted local administrator rights during device join.
- HS-S0131 – Ensure local administrator assignment is limited during Entra join
- Restricts which users receive local administrator permissions when devices join Entra ID.
- HS-S0132 – Ensure Local Administrator Password Solution is enabled
- Ensures Microsoft Local Administrator Password Solution (LAPS) is enabled to better protect local admin credentials.
- HS-S0133 – Ensure users are restricted from recovering BitLocker keys
- Restricts non-authorized users from recovering BitLocker keys.
- HS-S0134 – Ensure Direct Send submissions are rejected
- Prevents Direct Send email submissions where this configuration should not be allowed.
- HS-S0135 – Ensure devices without a compliance policy are marked ‘not compliant’
- Ensures devices without an assigned compliance policy are treated as non-compliant.
- HS-S0136 – Ensure ‘Access reviews’ for Guest Users are configured
- Helps ensure guest user access is regularly reviewed.
- HS-S0137 – Ensure the admin consent workflow is enabled
- Ensures the admin consent workflow is active for application permission requests.
- HS-S0138 – Ensure system-preferred multifactor authentication is enabled
- Enables Microsoft’s system-preferred MFA method selection.
- HS-S0139 – Ensure the organisation cannot communicate with accounts in trial Teams tenants
- Blocks communication with accounts hosted in trial Microsoft Teams tenants.
The following new predefined policies have been introduced in the predefined policies library:
- HS-P0101 – Ensure a managed device is required to register security information
- Requires users to use a managed device when registering security information.
- HS-P0102 – Ensure sign-in frequency for Intune Enrollment is set to ‘Every time’
- Requires users to re-authenticate each time they enroll a device with Microsoft Intune.
The following new predefined templates have been introduced in the templates library:
- CIS M365 v5.0 Template – Introduces a new predefined template containing the newly supported CIS Microsoft 365 Benchmark v5.0 content.
- CIS M365 v6.0 Template – Introduces a new predefined template containing the newly supported CIS Microsoft 365 Benchmark v6.0 content.
Improvements
- Fixed an issue where the Identity screen incorrectly showed users as non-compliant.