Microsoft 365 Security / Necessities / Checklist

Microsoft 365 is often considered safe, as it’s always up to date and maintained by Microsoft.

Unfortunately, this is not true! Well, at least some parts aren’t. There are quite some options and products/features that should be configured to limit risk and exposure.

In this post, I’m outlining the most important security settings and products, everyone should implement.

You can also request an export or status of these settings from your MSP, and have them verified by an independent advisor.

Do you need help with your Modern Workplace? Check out our service page!

A Business Premium license is recommended.

  1. Enable FIDO Security Keys. This new technique is phish-resistant sign-in method, and a huge improvement. Use it or require it wherever you can. You can enable it in Entra ID > Security > Authentication Settings
  2. Entra ID App Registrations. If not configured correctly, threat actors can use App Registrations from their own tenant to lure end users to approve access rights in your tenant. From there, they can access the environment without the user knowing, from another location.
    Resume: App Registrations should be limited to Admins, auto approval can be set for low-risk rights.
  3. Configure Guest Access restrictions. By default, guest access can query the directory for all kinds of information, basically recon the environment, find out who the admins are, find other users, etc.
  4. Limit Guest Invite restrictions. You don’t want everyone to be able to invite users to your organization. Create a process and limit this access to a group of people.
  5. Company Branding. Some phishing sites are easy to spot, but some look close to the real thing. Customize your sign-in page with your logo and background, so generic phish sign-in pages jump out.
  6. Privilege Identity Management. You don’t want your admin accounts to have Global Admin rights permanently activated. Use PIM to create a process, optionally with secondary approvers.
  7. Exchange MailFlow Remote Domains. Turn NDR off. It is sometimes used to verify if email addresses are valid to be used in phishing attacks.
  8. Spam, Fish & Safe Links. Ensure all important options are enabled, they aren’t always by default.
    • “Anti-spam inbound policy (Default)”, on most tenants, all options can be enabled.
    • “Office365 AntiPhish Default (Default)”, enable domain impersonation for owned domains, and all impersonations options, and apply suitable actions.
    • Antimalware Default Policy, Configure common attachments filter and zero-hour purge
    • Safe Attachments, create a new policy and enable preview
    • Safe Links, create a new policy and enable all options, do not configure “Do not rewrite URLs”
  9. Exchange Email Security. SPF, DKIM and DMARC. This not only protects unauthenticated sender from sending email from your domain, but also decreases the risk of your email being delivered into Junk Folders. Optionally, configure BIMI.
    Note: These configurations need to be set in your DNS hosting provider, and it’s advisable to use a third-party DMARC Analyze tool.
  10. Exchange Attachments. Block HTML and HTM attachments, they can contain malware and are often not detected.
  11. Entra ID Join all your computers. This will enhance your SSO experience and increase security with Windows Hello For Business and Intune Device Management.
  12. Conditional Access Rules. This will enforce MFA, or requires your device to be managed. Some basics rules to configure:
    • Require compliant devices for Windows Modern Applications
    • Require compliant devices or App Protection Policies for Mobile Devices
    • Require MFA for all
    • Require MFA for EntraID Machine Join Context
    • Require strong MFA for browser sessions
    • Configure a short browser short session time-out for non-Entra ID joined devices
    • Bock Basic Authentition
    • Block Windows Phones
  13. Intune settings.
    • Enforce Windows Update to auto-install with a deadline
    • Enforce Edge Update to auto-install with a 1 or 2 day deadline
    • Configure App Protection Policies to require a minimum OS level and Defender Score
    • Require Windows Devices to a minimum Defender Score
    • Require Bitlocker, Windows Firewall, EDR, Attack Surface Reduction Rules, SmartScreen, etc.
    • Enable Defender Cloud Protection.
    • Redirect Known Folders to OneDrive
  14. Microsoft Sentinel. This is a great Log Analytics products, which analyzes and alerts on malicious activity (if configured correctly). Different datasources can be connected such as M365, Intune, Defender, etc. It is deployed in an Azure subscription and doesn’t costs more than $20 per month for a 30 to 40 user company.
  15. Defender For Cloud Apps. An under-rated product. Often catches malicious files and activity before there is any impact. Malicious files on OneDrive for example, or unexpected data exfiltration to a new cloud service. It does require an extra license.
  16. Microsoft 365 Backup. File versioning is not the same as a backup. It is still best practice to implement a third-party off-platform backup.

As you can see, there is a lot that can and should be done to increase the security of your Microsoft 365 tenant. Of course, your security scope should not be limited to this list (ours isn’t), but it’s a good start!

Our Modern Workplace Baseline contains a lot more extra security settings and optimizations, custom scripts, etc. Feel free to contact us, or view this page for more information.


2 Responses

  1. Can you give more details on number 14? When we looked into Sentinel, the price was too high. How are you calculating $20 for a 30-40 user company?

    • Hi Dan,

      This is regarding Azure Sentinel; it’s a SIEM that imports data from Defender, M365, and other sources. Costs are per gb ingested, the $20 is based on an average company.

      You can also apply actions after an alert with logic apps, such as posting an alert in a teams channel or isolating a computer.


Leave a Reply

Your email address will not be published. Required fields are marked *