Microsoft’s security baselines are undergoing a fundamental transformation that will reshape how UK small and medium-sized enterprises (SMEs) secure their Microsoft 365 tenants. By 2026, the approach shifts from static checklists to a continuous, adaptive framework—what industry leaders are calling a “living doctrine.” This evolution, driven by Microsoft, the US Cybersecurity and Infrastructure Security Agency (CISA), and a growing chorus of security practitioners, demands that businesses stop treating baseline configurations as a one-off compliance exercise and start managing them as an ongoing operational discipline.
For years, organisations have approached security baselines as a periodic audit: compare settings against a published template, check boxes, generate a report, and declare victory. That model is broken. Configuration drift, new attack vectors, and the rapid pace of cloud service changes render a point-in-time baseline obsolete within weeks. The living doctrine model embeds security configuration into daily operations, with continuous monitoring, automated enforcement, and threat-informed policy adjustments.
The End of the Checklist Mentality
Security baselines first emerged as prescriptive configuration guides—long tables of recommended settings for operating systems, applications, and cloud services. Microsoft publishes them for Windows, Microsoft 365, and Edge, offering detailed explanations of each control and its security impact. CISA and the UK’s National Cyber Security Centre (NCSC) issued similar guidance. Consultants turned them into packaged assessments, and many SMEs adopted annual or project-based reviews.
This checklist approach has three fatal weaknesses. First, it ignores drift: a user with privileged permissions today can change a setting tomorrow, and no re-evaluation occurs until the next audit. Second, it assumes a static threat landscape; attackers constantly evolve tactics, and a control effective last year may be useless against a newer technique such as adversary-in-the-middle phishing, which steals and replays a session token after MFA has already been satisfied. Third, it decouples security from operational reality: settings that break a critical business application get reverted without compensating controls, leaving a gap no checklist captures.
UK SMEs face acute pressure. Many lack dedicated security staff and rely on managed service providers (MSPs) or part-time IT. The UK government's Cyber Security Breaches Survey 2023 found that 32% of businesses identified a cyber attack in the previous 12 months, and the 2022 edition put the average cost of the most disruptive breach for medium and large firms at £19,400. In this environment, the living doctrine is not just a philosophy; it's a survival strategy.
What a Living Doctrine Looks Like
The concept of a living doctrine borrows from military and intelligence communities, where doctrine evolves based on real-time intelligence and after-action reviews. In Microsoft 365, it translates to:
- Continuous configuration assessment: Instead of quarterly spreadsheet reviews, use Microsoft Secure Score in the Microsoft Defender portal and Compliance Manager in Microsoft Purview for near-real-time visibility into baseline drift, plus a scripted comparison against an exported known-good configuration for the settings those dashboards do not cover.
- Automated remediation: Define desired state with Microsoft365DSC for tenant settings, Microsoft Intune policies for devices, or third-party tools. When a setting deviates, automatically revert it, record the revert in the audit trail, and alert the security team so the originating change is investigated rather than silently undone.
- Threat-informed tuning: Integrate threat intelligence feeds (Microsoft Defender threat analytics, CISA alerts, industry ISACs) to prioritise updates. For example, if a new OAuth consent-phishing campaign is observed, immediately review Conditional Access policies and the user application consent settings in Microsoft Entra ID.
- Business context integration: A baseline isn’t one-size-fits-all. A living doctrine embeds exceptions through a risk assessment process, documenting why a control is relaxed and what compensating controls exist. This documentation is part of the operating procedure, not a separate audit artifact.
Microsoft's 2026 security baseline refresh will likely bake these principles into the tooling. Reports from Microsoft Ignite sessions have hinted at a "policy drift analytics" capability in Microsoft Defender for Cloud Apps that tracks changes from the baseline and correlates them with Secure Score shifts; treat this as a preview until it appears in product documentation. Conditional Access policy templates in the Entra admin centre are expected to grow more adaptive, suggesting a starting set based on tenant size, industry and risk profile.
The Role of Conditional Access and Entra ID Identity
At the heart of modern Microsoft 365 security is identity, governed by Microsoft Entra ID (formerly Azure Active Directory). Conditional Access acts as the brains of access control. In a living doctrine approach, baselines for Conditional Access are not a static set of policies but a continuously evaluated framework.
Consider the baseline recommendation to require multifactor authentication (MFA) for all users. Under the old model, an SME might check "MFA enabled" and move on. A living doctrine demands ongoing scrutiny: are legacy authentication protocols truly blocked, or is the blocking policy still in report-only mode? Are exception groups being abused, and is their membership reviewed? Are service accounts covered? Note that a policy scoped to "All users" applies to user accounts only; service principals need Conditional Access for workload identities, which is a separate policy type and licence. Automated tools can audit these continuously, and the Conditional Access insights and reporting workbook, together with sign-in risk signals from Microsoft Entra ID Protection, shows where tightening is needed.
For UK SMEs, which often mix in-office and remote workers, location-based Conditional Access is widely used, but it is a weak signal on its own: a trusted-location exemption from MFA is exactly what an attacker on the office Wi-Fi, or riding a compromised VPN, benefits from. A living doctrine treats trusted locations as an exception list to be reviewed regularly and leans on signals that update continuously, such as sign-in risk and user risk from Entra ID Protection and device compliance from Intune, so that access tightens when Microsoft observes a spike in malicious sign-ins rather than when an administrator gets round to adjusting IP ranges.
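The three questions above can be answered from a policy export rather than by eyeballing the portal. The following is an added example, not code from the article: it evaluates Conditional Access policies for an enforced legacy-authentication block, an enforced MFA-for-all policy, and every exclusion that needs a documented reason. Property names follow the objects returned by Get-MgIdentityConditionalAccessPolicy in the Microsoft Graph PowerShell SDK; the sample policies and GUIDs are constructed and show a tenant that "has MFA" but never moved its legacy-auth block out of report-only mode.

```powershell
# Added example (not from the article). Evaluates CA policies for the coverage questions above.
function Test-CaBaselineCoverage {
    param([Parameter(Mandatory)] [object[]] $Policies)

    $enabled = @($Policies | Where-Object { $_.State -eq 'enabled' })

    # 1. Legacy authentication blocked: an *enabled* policy that targets the
    #    exchangeActiveSync/other client app types, includes All users and grants 'block'.
    $legacyBlock = @($enabled | Where-Object {
        $apps = @($_.Conditions.ClientAppTypes)
        ($apps -contains 'exchangeActiveSync' -or $apps -contains 'other') -and
        (@($_.Conditions.Users.IncludeUsers) -contains 'All') -and
        (@($_.GrantControls.BuiltInControls) -contains 'block')
    })

    # 2. MFA for everyone: enabled, All users, All cloud apps, and either the
    #    built-in 'mfa' control or an authentication strength.
    $mfaAll = @($enabled | Where-Object {
        (@($_.Conditions.Users.IncludeUsers) -contains 'All') -and
        (@($_.Conditions.Applications.IncludeApplications) -contains 'All') -and
        ((@($_.GrantControls.BuiltInControls) -contains 'mfa') -or
         ($null -ne $_.GrantControls.AuthenticationStrength))
    })

    # 3. Exclusions: every excluded group or user on an enabled policy is a gap that needs a
    #    documented reason. Break-glass accounts are expected; anything else is a finding.
    $exclusions = @(foreach ($p in $enabled) {
        foreach ($g in @($p.Conditions.Users.ExcludeGroups | Where-Object { $_ })) {
            [pscustomobject]@{ Policy = $p.DisplayName; Type = 'group'; Id = $g }
        }
        foreach ($u in @($p.Conditions.Users.ExcludeUsers | Where-Object { $_ })) {
            [pscustomobject]@{ Policy = $p.DisplayName; Type = 'user'; Id = $u }
        }
    })

    # 'All' users means member and guest *user* accounts. Service principals are not covered;
    # they need Conditional Access for workload identities (separately licensed).
    [pscustomobject]@{
        LegacyAuthBlocked = ($legacyBlock.Count -gt 0)
        MfaForAllUsers    = ($mfaAll.Count -gt 0)
        ReportOnlyCount   = @($Policies | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' }).Count
        Exclusions        = $exclusions
    }
}

# Constructed sample: the legacy-auth block was left in report-only mode. GUIDs are hypothetical.
$samplePolicies = @(
    @{ DisplayName = 'BLOCK - Legacy authentication'
       State = 'enabledForReportingButNotEnforced'
       Conditions = @{ Users = @{ IncludeUsers = @('All') }
                       Applications = @{ IncludeApplications = @('All') }
                       ClientAppTypes = @('exchangeActiveSync', 'other') }
       GrantControls = @{ Operator = 'OR'; BuiltInControls = @('block') } },
    @{ DisplayName = 'GRANT - Require MFA for all users'
       State = 'enabled'
       Conditions = @{ Users = @{ IncludeUsers  = @('All')
                                  ExcludeUsers  = @('00000000-0000-0000-0000-00000000beef')    # hypothetical break-glass account
                                  ExcludeGroups = @('00000000-0000-0000-0000-000000000c0d') }  # hypothetical "MFA exempt" group
                       Applications = @{ IncludeApplications = @('All') }
                       ClientAppTypes = @('all') }
       GrantControls = @{ Operator = 'OR'; BuiltInControls = @('mfa') } }
)

$result = Test-CaBaselineCoverage -Policies $samplePolicies
$result | Select-Object LegacyAuthBlocked, MfaForAllUsers, ReportOnlyCount | Format-List
$result.Exclusions | Format-Table -AutoSize

# Live run against your tenant (requires the Microsoft.Graph module):
#   Connect-MgGraph -Scopes 'Policy.Read.All', 'GroupMember.Read.All'
#   $result = Test-CaBaselineCoverage -Policies (Get-MgIdentityConditionalAccessPolicy -All)
#   foreach ($x in ($result.Exclusions | Where-Object { $_.Type -eq 'group' })) {
#       (Get-MgGroupMember -GroupId $x.Id -All).Count   # how many people ride this exemption
#   }
```

On the sample data LegacyAuthBlocked comes back False even though a blocking policy exists, which is the point: report-only policies count for nothing at sign-in time. Run the live version on a schedule and treat any change in the three booleans, or any new row in Exclusions, as an event to investigate, not a figure to record.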
UK-Specific Regulatory Alignment
While the living doctrine message originates from a global community, UK SMEs have additional impetus. The NCSC’s Cyber Essentials scheme, required for many government contracts, already prescribes baseline technical controls like secure configuration. However, Cyber Essentials certification is often a point-in-time assessment. The NCSC is increasingly emphasising continuous assurance, particularly in its “10 Steps to Cyber Security” guidance, which advocates embedding security into business processes.
For financial services and legal firms regulated by the FCA or SRA, the shift is even more pronounced. Regulators expect demonstrable, ongoing compliance—not just a certificate on the wall. A living doctrine aligned to Microsoft 365 baselines can provide the audit trail and evidence these bodies demand.
Insurers are also taking note. Cyber insurance applications now ask detailed questions about MFA enforcement, patch management cadence, and configuration hardening. A static baseline may lead to an inaccurate declaration; a living doctrine with automated drift detection ensures the answers remain true and reduces the risk of coverage being voided.
Implementation Roadmap for SMEs
Transitioning from a checklist to a living doctrine doesn’t require a huge budget. Many capabilities are already included in Microsoft 365 Business Premium, the SKU recommended for SMEs. Here’s a pragmatic, phased approach:
Phase 1: Establish Your Current Baseline and Drift Monitoring
- Run the baseline assessment: Review Microsoft Secure Score in the Microsoft Defender portal (it is not part of the Purview compliance portal), and compare tenant settings against a published baseline such as CISA's SCuBA using its ScubaGear tool, which produces a report of deviations. Document every existing deviation and who owns it.
- Enable audit logging: Confirm the unified audit log is on in Microsoft Purview (it is enabled by default for recently created tenants; Get-AdminAuditLogConfig in Exchange Online PowerShell shows whether UnifiedAuditLogIngestionEnabled is true). Default retention on Audit (Standard) is 180 days, so forward logs to a SIEM if you have one, and at minimum configure alerts for critical configuration changes (changes to Conditional Access policies, per-user MFA being disabled, SharePoint sharing settings being relaxed, new or changed mail flow rules).
- Set a recurring review cadence: Weekly for small teams, daily if automated. Even a manual weekly 15-minute Secure Score check is better than an annual review.
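The alerting step above is easier to get right if the "critical" operations are written down as code rather than configured ad hoc in a portal. What follows is an added example, not code from the article: it classifies unified audit log records into the categories worth paging someone for, runs offline on constructed sample records, and has a live wrapper around Search-UnifiedAuditLog. The record field names (CreationDate, UserIds, Operations, AuditData) are those the cmdlet returns; the operation patterns are ones seen in Entra ID, SharePoint and Exchange audit records, but you should confirm the exact strings in your own tenant before depending on them. All sample values are made up.

```powershell
# Added example (not from the article). Flags audit records that represent security-relevant
# configuration changes. Operation patterns: verify against your tenant's own records.
$CriticalOperations = [ordered]@{
    '^(Add|Update|Delete) conditional access policy' = 'Conditional Access policy changed'
    '^Disable Strong Authentication'                 = 'Per-user MFA disabled'
    '^Add member to role'                            = 'Directory role granted'
    '^Consent to application'                        = 'Application consent granted'
    '^SharingPolicyChanged'                          = 'SharePoint sharing policy changed'
    '^(New|Set|Remove)-TransportRule'                = 'Mail flow rule changed'
    '^(New|Set)-InboxRule'                           = 'Inbox rule changed (BEC indicator)'
}

function Get-CriticalConfigChange {
    param([Parameter(Mandatory)] [object[]] $Records)
    foreach ($r in $Records) {
        $hit = $CriticalOperations.GetEnumerator() |
               Where-Object { $r.Operations -match $_.Key } | Select-Object -First 1
        if (-not $hit) { continue }
        $data = $r.AuditData | ConvertFrom-Json
        # Entra records name the changed object in Target[]; SharePoint/Exchange records use ObjectId.
        $target = if ($data.Target) { ($data.Target | ForEach-Object { $_.ID }) -join '; ' } else { $data.ObjectId }
        [pscustomobject]@{
            Time      = [datetime]$r.CreationDate
            Category  = $hit.Value
            Operation = $r.Operations
            Actor     = $r.UserIds
            Target    = $target
            ClientIP  = $data.ClientIP
        }
    }
}

function Get-LiveCriticalConfigChange {
    # Requires Connect-ExchangeOnline (Exchange Online PowerShell v3). Search-UnifiedAuditLog
    # returns at most 5000 rows per call; use -SessionCommand ReturnLargeSet to page busier tenants.
    param([int] $Hours = 24)
    $records = foreach ($rt in 'AzureActiveDirectory', 'SharePoint', 'ExchangeAdmin') {
        Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-$Hours) -EndDate (Get-Date) `
            -RecordType $rt -ResultSize 5000
    }
    Get-CriticalConfigChange -Records $records
}

# Constructed sample records (shape matches Search-UnifiedAuditLog output; values are made up).
$sampleRecords = @(
    [pscustomobject]@{ CreationDate = '2025-03-14T18:02:11'; UserIds = 'admin@contoso.example'
        RecordType = 'AzureActiveDirectory'; Operations = 'Update conditional access policy'
        AuditData = '{"ClientIP":"203.0.113.7","Target":[{"ID":"GRANT - Require MFA for all users","Type":1}]}' },
    [pscustomobject]@{ CreationDate = '2025-03-14T18:05:40'; UserIds = 'admin@contoso.example'
        RecordType = 'SharePoint'; Operations = 'SharingPolicyChanged'
        AuditData = '{"ClientIP":"203.0.113.7","ObjectId":"https://contoso.example/","ModifiedProperties":[{"Name":"SharingCapability","NewValue":"ExternalUserAndGuestSharing"}]}' },
    [pscustomobject]@{ CreationDate = '2025-03-14T18:06:02'; UserIds = 'alice@contoso.example'
        RecordType = 'SharePoint'; Operations = 'FileAccessed'
        AuditData = '{"ClientIP":"198.51.100.9","ObjectId":"https://contoso.example/sites/hr/policy.docx"}' }
)

Get-CriticalConfigChange -Records $sampleRecords | Format-Table -AutoSize
# Only the first two records come back; FileAccessed is routine noise and is dropped.
```

Schedule Get-LiveCriticalConfigChange hourly and route its output to whatever your team actually reads (a Teams channel, a ticket queue, the SIEM). Keep the category table in version control alongside the baseline so that adding a new "critical" operation is a reviewed change, and expect to tune the table: the InboxRule pattern in particular is noisy in tenants where users manage their own rules, which is exactly the alert-fatigue trade-off discussed later in this piece.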
Phase 2: Automate Common Remediations
- Intune configuration profiles: Deploy the Windows security baseline through Intune and assign it to device groups, so the settings are enforced and re-applied at each device check-in rather than merely reported. Watch the per-setting status report for devices that fail to apply a setting; that is your drift signal for controls such as BitLocker encryption and Microsoft Defender Firewall. Pilot it on a small group first, because baseline settings override local changes and will break anything that depended on them.
- Conditional Access policy automation: Export your Conditional Access policies through Microsoft Graph and keep the JSON in version control; a scheduled comparison flags policies that were added, changed, disabled or deleted. Run the Conditional Access What If tool before any change to confirm the baseline still applies to the intended users. Set up Azure Automation runbooks to reapply a known-good policy set if someone mistakenly deletes or weakens a rule, and keep the break-glass accounts excluded from every reapplied policy so the automation cannot lock administrators out.
- Self-service exception management: Create a controlled process in Microsoft Teams or SharePoint for requesting baseline exceptions. Each request should trigger a risk assessment and an automatic removal date after which the exception is re-evaluated.
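The export-diff-reapply loop described under "Automated remediation" earlier and in the Conditional Access bullet above looks like this in practice. It is an added example, not code from the article or from any Microsoft tool: policies are handled as the hashtables Invoke-MgGraphRequest returns, so the same JSON can be committed to Git as the baseline, diffed on a schedule, and pushed back through the Graph SDK when something drifts. The baseline and current data below are constructed, and the break-glass and group GUIDs are hypothetical.

```powershell
# Added example (not from the article). Diff CA policies against a known-good export and
# re-apply what drifted. Works on Graph-shaped hashtables (lower-case property names).
function Join-Sorted { param($Items) (@($Items | Where-Object { $_ } | Sort-Object) -join ',') }

function Compare-CaBaseline {
    param([Parameter(Mandatory)] [hashtable[]] $Baseline,
          [Parameter(Mandatory)] [hashtable[]] $Current)
    $byName = @{}
    foreach ($p in $Current) { $byName[$p.displayName] = $p }
    foreach ($want in $Baseline) {
        $have = $byName[$want.displayName]
        if (-not $have) {
            [pscustomobject]@{ Policy = $want.displayName; Drift = 'missing'; Expected = 'present'; Actual = 'absent' }
            continue
        }
        # Fields that matter for enforcement; order-insensitive so a re-ordered export is not "drift".
        $checks = @(
            @{ Name = 'state';          Want = $want.state;                                       Have = $have.state }
            @{ Name = 'grantOperator';  Want = $want.grantControls.operator;                     Have = $have.grantControls.operator }
            @{ Name = 'grantControls';  Want = Join-Sorted $want.grantControls.builtInControls;  Have = Join-Sorted $have.grantControls.builtInControls }
            @{ Name = 'clientAppTypes'; Want = Join-Sorted $want.conditions.clientAppTypes;      Have = Join-Sorted $have.conditions.clientAppTypes }
            @{ Name = 'excludeUsers';   Want = Join-Sorted $want.conditions.users.excludeUsers;  Have = Join-Sorted $have.conditions.users.excludeUsers }
            @{ Name = 'excludeGroups';  Want = Join-Sorted $want.conditions.users.excludeGroups; Have = Join-Sorted $have.conditions.users.excludeGroups }
        )
        foreach ($c in $checks) {
            if ("$($c.Want)" -ne "$($c.Have)") {
                [pscustomobject]@{ Policy = $want.displayName; Drift = $c.Name; Expected = $c.Want; Actual = $c.Have }
            }
        }
    }
}

function Restore-CaBaselinePolicy {
    # Re-applies one baseline policy. Requires Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'.
    param([Parameter(Mandatory)] [hashtable] $Policy, [string] $ExistingId)
    # Safety check: a block for All users with no excluded break-glass account locks every admin out.
    if ((@($Policy.grantControls.builtInControls) -contains 'block') -and
        (@($Policy.conditions.users.includeUsers) -contains 'All') -and
        -not $Policy.conditions.users.excludeUsers) {
        throw "Refusing to apply '$($Policy.displayName)': blocks All users with no excluded break-glass account"
    }
    $body = @{}   # strip read-only properties that Graph rejects on write
    foreach ($k in $Policy.Keys) {
        if ($k -notin 'id', 'createdDateTime', 'modifiedDateTime', 'templateId') { $body[$k] = $Policy[$k] }
    }
    if ($ExistingId) { Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $ExistingId -BodyParameter $body }
    else             { New-MgIdentityConditionalAccessPolicy -BodyParameter $body }
}

# Constructed data: the known-good baseline versus the tenant after a "weekend change".
$bg = '00000000-0000-0000-0000-00000000beef'   # hypothetical break-glass account id
$baseline = @(
    @{ displayName = 'BLOCK - Legacy authentication'; state = 'enabled'
       conditions = @{ users = @{ includeUsers = @('All'); excludeUsers = @($bg) }; clientAppTypes = @('exchangeActiveSync', 'other') }
       grantControls = @{ operator = 'OR'; builtInControls = @('block') } }
    @{ displayName = 'GRANT - Require MFA for all users'; state = 'enabled'
       conditions = @{ users = @{ includeUsers = @('All'); excludeUsers = @($bg) }; clientAppTypes = @('all') }
       grantControls = @{ operator = 'OR'; builtInControls = @('mfa') } }
)
$current = @(
    @{ id = 'p1'; displayName = 'GRANT - Require MFA for all users'; state = 'enabledForReportingButNotEnforced'
       conditions = @{ users = @{ includeUsers = @('All'); excludeUsers = @($bg); excludeGroups = @('00000000-0000-0000-0000-000000000c0d') }; clientAppTypes = @('all') }
       grantControls = @{ operator = 'OR'; builtInControls = @('mfa') } }
)

$drift = Compare-CaBaseline -Baseline $baseline -Current $current
$drift | Format-Table -AutoSize
# Three rows: the legacy-auth policy is 'missing'; the MFA policy drifted on 'state' and 'excludeGroups'.

# Live run: export, diff, and remediate only what drifted.
#   Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'
#   $current  = [hashtable[]](Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies').value
#   $baseline = [hashtable[]](Get-Content .\ca-baseline.json -Raw | ConvertFrom-Json -AsHashtable)   # PowerShell 7
#   foreach ($name in ((Compare-CaBaseline $baseline $current).Policy | Sort-Object -Unique)) {
#       $want = $baseline | Where-Object { $_.displayName -eq $name }
#       $have = $current  | Where-Object { $_.displayName -eq $name }
#       Restore-CaBaselinePolicy -Policy $want -ExistingId $have.id
#   }
```

Two design choices are deliberate. The comparison matches policies by display name, so the baseline survives a delete-and-recreate that changes the policy id, and the lockout guard in Restore-CaBaselinePolicy refuses any blocking policy that has no excluded account; automation that can silently reapply a block for All users is a worse outage risk than the drift it is meant to fix. Run the live loop from an Azure Automation runbook with a managed identity holding Policy.ReadWrite.ConditionalAccess, and feed the drift rows into the same alert path as the audit-log changes so the revert and the original change appear together.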
Phase 3: Integrate Threat Intelligence
- Activate Microsoft Defender for Office 365: Ensure Safe Links and Safe Attachments policies are applied. Use attack simulation training to test user awareness and feed the results back into baseline tuning (e.g., if a user clicks a simulated phishing link, enrol them in targeted training and consider a stricter authentication strength, such as phishing-resistant MFA, for their group).
- Subscribe to NCSC and CISA alerts: Filter alerts relevant to your technology stack and configure a workflow to review baseline settings against the threat. For instance, a CISA alert about Active Directory Federation Services exploitation should trigger an immediate check of your federation trust security settings.
Phase 4: Measure and Communicate
- Define security OKRs: Instead of “meet baseline,” measure metrics like “mean time to detect and revert a critical configuration drift” (target: < 24 hours) and “percentage of risky sign-ins automatically blocked” (target: > 95%).
- Report to leadership monthly: A one-page dashboard showing Secure Score trending and drift incidents ties security to business risk. This isn’t a compliance checkbox; it’s an operational update.
Real-World Feedback from Early Adopters
Several UK-based MSPs have already begun marketing the living doctrine concept. Leeds-based Pure IT found that clients who moved to automated drift detection reduced time spent on manual audits by 70%. “Before, we’d spend hours each month checking settings,” said James Ackroyd, security practice lead. “Now we get alerts only when something actually changes, and we can deal with it in minutes. The clients’ Secure Score has gone up and stays up.”
A London law firm that adopted the living doctrine approach after a near-miss ransomware incident now uses Power Automate to revoke all external sharing if a Microsoft Defender alert indicates a compromised account. “Our baseline says ‘external sharing limited to approved domains,’ but one admin accidentally opened it to ‘anyone with the link’ for a weekend upgrade,” said the firm’s IT manager. “The automated response caught it and locked it down before any data leaked.”
The Convergence of Frameworks
The living doctrine push is not happening in isolation. CISA's Secure Cloud Business Applications (SCuBA) project publishes a secure configuration baseline for Microsoft 365, with continuous monitoring recommendations and a tool, ScubaGear, that checks a tenant against the baseline. Microsoft's Azure service baselines are organised under the Microsoft Cloud Security Benchmark, whose posture and vulnerability management controls call for continuous assessment and remediation. The Center for Internet Security's Critical Security Controls (v8.1 at the time of writing) already favour automated monitoring over manual spot-checks, and future revisions are expected to go further.
For UK SMEs, aligning with these frameworks isn’t just about safety; it’s about business competitiveness. Clients increasingly ask for proof of security posture in RFPs, and insurers demand evidence. A documented living doctrine provides that evidence far more credibly than a dusty baseline report.
Potential Pitfalls and How to Avoid Them
A living doctrine is not without risks. Organisations must avoid the temptation to over-automate without context. If a critical business process relies on a temporary deviation, auto-remediation could cause an outage. The remedy is a well-functioning exception process, not a halt to automation.
Another challenge is alert fatigue. Dozens of drift alerts can overwhelm a small IT team. Tuning is essential: initially, monitor all changes, then over time classify them as expected (e.g., a routine update to a mail transport rule) or anomalous. Machine learning in Microsoft Sentinel, if affordable, can help, but even manual tuning over three months yields significant noise reduction.
Finally, a living doctrine requires a cultural shift. SMEs must move from seeing security as a project to seeing it as a permanent function, no different from payroll or customer service. Leadership buy-in is crucial; the framing should be about protecting revenue and reputation, not about IT compliance.
Looking Ahead: 2026 and Beyond
Microsoft's 2026 baseline refresh may introduce "policy recommendation intelligence" that learns from tenant behaviour and suggests tailored baseline adjustments, and integration with Microsoft Security Copilot (previously marketed as Copilot for Security) promises to explain the rationale behind each recommended change in plain English. Both are expectations rather than shipped features. For UK SMEs, such advances would lower the barrier to implementing living doctrine principles, making sophisticated continuous security affordable.
The days of “configure once, check next year” are ending. In a landscape where a single misconfiguration can lead to a data breach costing a small business its livelihood, treating Microsoft 365 security baselines as living doctrine isn’t just best practice—it’s the new minimum standard. UK SMEs that embrace this shift now will be better protected, more resilient, and ahead of regulatory demands.