Microsoft 365 Security Checklist is a practical guide for the time-strapped admin that shows you all the security settings and configurations you need to know to properly secure M365 tools like email, Teams, SharePoint etc.
It’s in the cloud so Microsoft secures your data – right? Well, not exactly. Proper security is tailored to an infrastructure’s unique requirements and responds to a constantly evolving attack and threat landscape. You can’t just rely on Microsoft default settings. You need to do more than just ‘set it and forget it’.
The Microsoft 365 Security Compliance Best Practises Audit Assessment Checklist shows you all the security settings and configurations you need to know for each M365 license to properly secure your environment. It covers:
- Endpoint Manager
- Information Protection
- Secure Score
- Business Premium and Microsoft 365 E3 / E5
- And more.
Depending on what your business is and what sector you operate in, there might be a minimum requirement for what should be in place to satisfy insurance policies, global data laws or general compliance. So, make sure you take the time to figure out what your business needs in order to be compliant and protected.
Secure your data and your business: work through the checklist today.
Table of Contents
There used to be a saying in the SMB IT space – “anyone can set up a Small Business Server (SBS), but only a professional can set it up right”.
The same is true now, but instead of SBS it’s an Office / Microsoft 365 tenant. A few minutes and a credit card and you can have enterprise-grade email and collaboration tools ready to go, with not a thought for security, governance, or best practices, because after all, “it’s in the cloud so Microsoft takes care of it – right”? Well, that’s not true and this eBook and accompanying checklist will show you all the settings you should consider configuring.
Depending on what your business is and what sector you operate in, there might be a minimum requirement for what should be in place to satisfy insurance policies, global data laws or general compliance. So, it’s worth taking the time to figure out what your business needs and using this guide to ensure your business is compliant and protected.
Don’t set it and forget it.
The reason every security setting isn’t turned on by default is, of course, that every business has different needs and constraints, so you must find the right balance for your business. That balance keeps shifting as attacks, the threat landscape, and the options and settings available in Microsoft 365 change, so this isn’t a “set it and forget it” list – security is a journey with no end. We’ll go through each setting, why you’d want to enable it, what the implications are and our recommended configuration, while the checklist simply lists each setting.
There are three columns: one for settings available for most licensing options, one for Business Premium specific controls and finally one for the advanced security settings in M365 E5. Dark grey boxes indicate controls not available in that licensing SKU. Share and use this with your team(s) to secure your M365 environment.
- Enable MFA for administrators
- Enable MFA for users
- Create cloud only administrator accounts for privileged users / occasional administrators
- Disable app passwords
- (Configure trusted IPs)
- Disable text message MFA
- Disable phone call MFA
- Remember MFA trusted devices 90 days
- Train staff in using MFA correctly
- Use Windows Hello where possible
- Use FIDO2 / 2FA keys where possible
- Investigate legacy authentication protocol usage in AAD Sign-in logs
- Block legacy authentication with CA Policy
- Block legacy authentication in M365 Admin Center
- Create two Break glass accounts and exempt from MFA, CA Policies etc.
- Configure alerting if a Break glass account is used
- Enable Security Defaults in AAD (consider the limitations)
- Enable PIM (AAD Premium P2) for all admin users
- Add organization specific words to Password protection
- Deploy Password protection in AD on-premises
- CA Policy Require MFA for admins
- CA Policy Require MFA for users
- CA Policy Require MFA for Azure management
- CA Policy Block legacy authentication
- CA Policy Require compliant or Hybrid AAD joined device for admins
- CA Policy Require compliant or Hybrid AAD joined device for users
- CA Policy Block access to M365 from outside your country
- Require MFA for risky sign-ins
- Require password change for high-risk users
- Create custom branding logos and text in Azure AD
- Enable and configure Self Service Password Reset, including password writeback
- Check that Unified Auditing is enabled
- Define audit retention policies (90 or 365 days)
- Integrate applications into Azure AD
- AAD Connect – Ensure only relevant OUs are replicated to Azure AD
- Check that mailbox auditing is on for all mailboxes, if not, enable it
- Edit the default anti-phishing policy
- Include domains you own
- Enable mailbox intelligence including impersonation protection
- Enable spoof intelligence
- Threat policies – configure Anti-phishing, enable mailbox intelligence, safety tips on
- Threat policies – configure Anti-spam, enable ZAP, outbound spam notification
- Threat policies – configure Anti-malware, add all file extensions
- Configure Outlook Report Message add-in for all users + tenant mailbox to get reported messages
- Configure Alert policies to match business needs
- Train users to use Office Message Encryption
- Configure Office Message Encryption with Mail flow rules
- Warn and Block emails with dangerous attachments
- Configure Safe Attachments policy
- Configure Safe Attachments Global settings
- Configure Safe Links policy
- Configure Safe Links Global settings
- Block auto forwarding of emails with a Mail flow rule
- Check user accounts linked to shared mailboxes and block login for them
- Check SPF record for each vanity domain
- Configure DKIM CNAME records in DNS and ensure they’re picked up in DKIM in the security portal
- Configure DMARC TXT record in DNS
- Configure DMARC to reject policy once you know the domain is covered
- Install Message Header Analyzer add-in on your device
- Limit Teams creation to a set of users
- Limit private channel creation to a set of users
- Delete inactive Teams
- Disable third-party Teams file storage locations
- Configure interoperability with Teams in other tenants and Skype consumer
- Configure guest user settings in Azure AD – directory permissions
- Configure guest user settings in Azure AD – who can invite
- Configure guest user settings in Azure AD – user flows for application access
- Configure guest user settings in Azure AD – which domains can users be invited from
- Configure Guest access settings in Teams
- Customize meeting invitation branding
- Configure External file sharing for SharePoint
- Configure External file sharing for OneDrive for Business
- Configure other external file sharing settings
- Configure Access control
- Configure an alert when files are shared externally
- Investigate existing OAuth applications and their granted permissions
- Restrict or remove suspicious / malicious OAuth applications
- Configure User and Group settings for granting permissions to OAuth apps, None or limited permissions
- If using limited permissions, define those
- Configure Admin consent requests and accounts who are going to review requests
- Define device groups in Endpoint Manager
- Define enrolment / application management policies in Endpoint Manager
- Create a device compliance policy for Windows devices
- Optional – create policies for other device types
- Optional – create Configuration policies
- Optional – import existing Group Policy settings
- Configure Security baselines
- Create a label
- Create a label policy and test it
- Work with the business to identify data labels to use
- Create a group of Super User accounts for data recovery
- Create a report only DLP policy with email notifications
- Check current secure score
- Implement all low user impact actions
- Implement all high score improvement actions
- Plan to implement the rest of the possible actions to take
- Go through the list of security features available in Business Premium and ensure they’re configured
- Deploy Defender for Business to all endpoints (when it’s available)
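The email authentication items in the checklist above (check the SPF record for each vanity domain, publish a DMARC TXT record, move DMARC to a reject policy once the domain is covered) can be audited with a small script. This is an added example, not part of the eBook: the domain example.com and its TXT records are constructed here, and fetching the live records (for instance with Resolve-DnsName or dig) is left to the reader.

```python
import re
# Constructed sample TXT records for a hypothetical domain (not real DNS data).
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:spf.protection.outlook.com ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_TERM = re.compile(r"[+\-~?]?(include:\S+|a(?:[:/]\S*)?|mx(?:[:/]\S*)?|ptr(?::\S+)?|exists:\S+|redirect=\S+)", re.I)

def check_spf(record: str) -> list:
    """Return findings for an SPF TXT record; an empty list means it looks sound."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    tail = terms[-1].lower()  # the final 'all' decides the fate of unlisted senders
    if tail in ("+all", "all"):
        findings.append("'+all' authorizes every sender: SPF is ineffective")
    elif tail == "~all":
        findings.append("'~all' softfail only marks mail; move to '-all' once DMARC reports are clean")
    elif tail != "-all":
        findings.append("record does not end in an 'all' mechanism")
    lookups = sum(1 for t in terms if LOOKUP_TERM.fullmatch(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings

def check_dmarc(record: str) -> dict:
    """Parse a DMARC record into its tags and flag weak settings."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return {"tags": tags, "findings": ["not a DMARC record"]}
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: move to p=reject once all legitimate senders pass")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports show which senders fail")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail stream")
    return {"tags": tags, "findings": findings}

def audit_domain(domain: str, records: dict) -> dict:
    """Run both checks for one vanity domain using the supplied TXT records."""
    spf, dmarc = records.get(domain, ""), records.get(f"_dmarc.{domain}", "")
    return {
        "spf": check_spf(spf) if spf else ["no SPF record"],
        "dmarc": check_dmarc(dmarc)["findings"] if dmarc else ["no DMARC record"],
    }
```

For the sample records above, `audit_domain("example.com", SAMPLE_RECORDS)` reports the softfail SPF tail and the p=none DMARC policy, which is exactly the state the checklist tells you to move past.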
Microsoft 365 Enterprise E5
- Deploy Defender for Endpoint plan 2
- Deploy Defender for Identity
- Enable Defender for Application Guard
- Enable Safe Documents
- Create an OAuth app policy in Defender for Cloud Apps
- Explore Threat Trackers
- Use Threat Explorer
- Configure Automated Investigation and Response in Defender for Office 365
- Use Attack Simulation Training to train end users
- Explore Campaign Views
- Enforce PIM for ALL administrative accounts, apart from your break glass accounts
- Configure Sign-in risk policy
- Configure User risk policy
- Configure Access Reviews for Teams / groups, guests, administrative accounts and AAD applications
- Automate Information Protection labelling across your cloud estate
- Use the Information Protection scanner to find, label and protect sensitive data on premises
- Enable DLP for Teams chat
- Configure Endpoint DLP with business input
- Configure Advanced Message Encryption
- Configure Advanced Audit retention policies to 1 year for all users
- Configure Insider Risk Management policies
- Configure Communication Compliance policies and reviewers
- Configure Information Barriers
- Configure Privileged Access Management
There are many IT acronyms used in this eBook and while they’re spelt out the first time they’re used, here’s a handy list of all of them, along with a short explanation of what each means.
Azure Active Directory. The underlying directory of Microsoft 365 that maintains information about user and device accounts, authenticates and authorizes access to resources, and can optionally be synchronized with on-premises Active Directory using Azure AD Connect.
Conditional Access Policies. A feature of Azure AD Premium P1+ that lets you craft policies to control who can access what resource, from where and under what conditions.
Continuous Access Evaluation. A feature of Azure AD that evaluates a change in a user’s state (disabled, moved to a different Wi-Fi network etc.) much faster than the legacy 1 hour delay.
Cloud Access Security Broker. A “Firewall as a Service” that runs in the cloud and controls access to SaaS applications and identifies malicious files and actions.
Common Vulnerabilities and Exposures. An identified vulnerability in a system (software or hardware), used in TVM to identify vulnerable software in your environment.
Domain Controller. A server in your on-premises Active Directory that authenticates and authorizes user and device account access to resources. Can be synchronized with Azure Active Directory.
Data Loss Prevention. A technology in Microsoft 365 to identify sensitive data and report on, recommend against or block accidental sharing of this data in the wrong context.
DomainKeys Identified Mail. An email security feature that enables recipients of emails that purport to be coming from your organization to check the validity of that claim.
Domain-based Message Authentication, Reporting and Conformance. An email security feature that lets recipients of emails from your domain know what to do if they’re identified as spoofed.
Endpoint Detection and Response. A modern endpoint protection approach that keeps track of every single action, by every process, taken in the OS, to identify malicious code or attacker’s actions.
Mobile Application Management. Managing applications on iOS, Android and, to some degree, Windows, and these applications’ access on personally owned devices.
Microsoft Defender for Cloud Apps. Microsoft’s CASB, part of M365 E5 licensing.
Microsoft Defender for Endpoint. A full EDR and endpoint protection solution for Windows, macOS, iOS, Android, and Linux. Comes in P1, P2 and Business versions.
Mobile Device Management. Enrolling all types of devices into full management through a cloud-based service for device control.
Microsoft Defender for Identity. A cloud service that gathers information from your Domain Controllers on premises to quickly identify malicious activity by attackers.
Microsoft Defender for Office 365. A set of security features to enhance the security of email and collaboration tools and protect against malicious emails, attachments, messages, and links.
Microsoft Endpoint Manager. The umbrella name for Intune, the cloud service for MAM and MDM, plus Configuration Manager for larger businesses’ on-premises device management.
Multi Factor Authentication. Using a second factor beyond username and password to identify a user when they log in to a system.
Microsoft Information Protection. The umbrella term for different technologies, all designed to identify sensitive data in your business and safeguard it with policies, visual cues, and encryption.
Managed Service Provider. An outsourced IT service provider that manages your IT systems on a contracted, preventative maintenance basis.
Managed Security Service Provider. An outsourced IT security provider who focuses on protecting your systems against cyber threats and identifies / blocks them when they do occur.
Open Authentication. A standard for authentication of applications and how they can be integrated into Azure AD.
Office Message Encryption. The ability to encrypt and / or set Do not Forward on emails sent from Exchange Online to any email address, either manually or automatically.
Personally Identifiable Information. Data about a person that could be used to identify them or reveal sensitive information about them.
Privileged Identity Management. A feature of Azure AD Premium P2 that turns permanent administrator accounts into eligible accounts so that they must elevate their accounts to privileged permissions (for a short time) when they need to perform admin activity.
Security Information and Event Management. A group of services and tools that give real-time analysis of information security in an organization.
Sensitive Information Type. A component of MIP with predefined identifiers for sensitive data such as credit card numbers, passport IDs etc. from all over the world.
Sender Policy Framework. A way to use DNS records to identify potentially malicious or spam email.
Self Service Password Reset. The ability for users to reset their own password when they’ve forgotten it, using alternate email address, MFA and / or security questions to lower the load on your help desk.
Threat & Vulnerability Management. A feature of Defender for Endpoint that identifies all software installed on each endpoint and what known vulnerabilities exist (CVEs), and gives you a list of what needs to be upgraded to minimize the attack surface.
Windows Hello for Business. A collection of biometric (fingerprint and face scan) technologies and other features to improve sign-in security on Windows devices.
Windows Information Protection. The ability to separate business and personal data on a Windows device in applications that support the blocking of copy and paste, saving etc. to the wrong location.
Zero-hour auto purge. The ability of Exchange Online to “reach into” users’ mailboxes and to delete an already delivered email that’s been subsequently identified as malicious.