Scope of M365 Hardening and Security Optimization Project
Included as part of the service contract, this project encompasses some or all of the following measures, but is not limited to them:
Microsoft 365 Best Practices Configuration Guide
1. Identity and Access Management
Enable Multi-Factor Authentication (MFA)
Require MFA for all users, especially global administrators.
Use Conditional Access to enforce MFA based on location, device, or risk level.
2. Implement Conditional Access Policies
Enforce policies to block risky logins and limit access to trusted devices and locations.
Require compliant or hybrid Azure AD-joined devices for access to critical resources.
Use "Sign-in Risk" and "User Risk" policies to trigger extra authentication or block access for suspicious logins.
3. Limit Administrative Access
Use Azure AD Privileged Identity Management (PIM) to restrict permanent admin access and implement "Just-In-Time" (JIT) access.
Assign the least privilege necessary for all roles.
4. Enable Self-Service Password Reset (SSPR)
Allow users to securely reset passwords using MFA.
5. Implement Single Sign-On (SSO) with Entra ID
Centralize identity management by integrating Entra ID (Azure AD) with supported applications for SSO.
Reduce password fatigue and strengthen access security.
Email Security Measures
Enable Microsoft Defender for Office 365
Protect against phishing, malware, and other threats with Safe Links and Safe Attachments policies.
Set Up Anti-Spam and Anti-Phishing Policies
Configure custom policies to block spoofed domains and impersonation attempts.
Enforce Email Encryption
Use Office Message Encryption (OME) to secure sensitive communications.
Audit Email Forwarding Rules
Prevent unauthorized auto-forwarding of emails to external domains.
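One way to carry out the forwarding audit described above, added here as an example rather than the project's own tooling. It assumes the ExchangeOnlineManagement module and an account holding an Exchange administrator role; the UPN and output paths are placeholders.

```powershell
# Added example: audit, then block, external auto-forwarding in Exchange Online.
# Assumes the ExchangeOnlineManagement module; admin@contoso.example is a placeholder UPN.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding (set by admins, or by users through Outlook settings)
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect mail, a common persistence artefact after a mailbox compromise
$ruleForwarding = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# Review both lists before acting and keep them for the change record
$mailboxForwarding | Export-Csv .\mailbox-forwarding.csv -NoTypeInformation
$ruleForwarding    | Export-Csv .\inbox-rule-forwarding.csv -NoTypeInformation

# 3. Prevent new external auto-forwarding tenant-wide:
#    the outbound spam policy controls rule- and mailbox-based forwarding to external recipients ...
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
#    ... and the default remote domain setting stops client-side auto-forward to the internet
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

Run the two audit steps first and clear legitimate forwarding with the mailbox owners; the two Set-* calls only stop new external forwarding and do not remove rules that already exist.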
Data Protection Strategies
1. Use Sensitivity Labels
Classify and protect files with encryption and access restrictions based on sensitivity.
2. Enable Data Loss Prevention (DLP)
Prevent sharing of sensitive information through email, SharePoint, and OneDrive.
3. Enable Microsoft Purview Information Protection
Automate classification and protection of sensitive data.
4. Implement Conditional Access App Control
Monitor and control actions within apps, such as blocking downloads or enforcing read-only access for sensitive files.
Attack Surface Reduction
1. Enable Attack Surface Reduction Rules
Block Office Applications from Creating Child Processes: Prevent malicious macros from running commands
Block Executable Content in Emails: Restrict users from opening executables sent via email
Block Downloads from Legacy Non-Browser Apps: Mitigate risks from outdated applications
Use Controlled Folder Access: Protect sensitive directories from unauthorized modifications
Prevent Office Macros from the Internet: Block untrusted macros
2. Enable Tamper Protection in Microsoft Defender
Prevent unauthorized changes to security settings.
3. Block USB Device Access
Restrict external storage usage or enforce monitoring.
4. Enable Cloud-Delivered Protection
Use real-time threat intelligence to stop emerging threats.
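How the Attack Surface Reduction rules, Controlled Folder Access and cloud-delivered protection listed in this section can be staged on a single Defender-managed Windows endpoint, added here as an example and not part of the original scope document. It assumes an elevated PowerShell session on Windows with Microsoft Defender Antivirus active; the rule GUIDs are Microsoft's published ASR rule identifiers, and the protected folder path is a placeholder. In a managed fleet the same settings are normally pushed through Intune rather than per host.

```powershell
# Added example: stage ASR rules in audit mode, then enforce; enable CFA and cloud protection.
# Assumes an elevated session on a Windows host running Microsoft Defender Antivirus.
$asrRules = @{
    'Block all Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block executable content from email client and webmail'      = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block Office applications from creating executable content'  = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block Win32 API calls from Office macros'                     = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
}

# Step 1: audit mode first. The rules log what they would have blocked (Event ID 1122 in the
# Microsoft-Windows-Windows Defender/Operational log) without breaking line-of-business apps.
foreach ($entry in $asrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $entry.Value -AttackSurfaceReductionRules_Actions AuditMode
}

# Step 2: after reviewing the audit events and adding any exclusions, switch the same rules to block.
function Set-AsrBlockMode {
    foreach ($id in $asrRules.Values) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
}

# Controlled Folder Access (item 1): protect the listed directories from untrusted processes.
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'   # placeholder path

# Cloud-delivered protection (item 4): real-time cloud lookups with a high block threshold.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples -CloudBlockLevel High

# Verify what the host now enforces.
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions,
                                 EnableControlledFolderAccess, MAPSReporting, CloudBlockLevel
```

Tamper Protection (item 2) cannot be switched on from this session; it is enabled from the Microsoft Defender portal or Intune, and once on it also prevents these Set-MpPreference changes from being reverted by a local script.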
App Security Protocols
Enable App Governance
Use Microsoft Defender for Cloud Apps to monitor app permissions and detect risky behaviors.
Monitor Third-Party App Permissions
Regularly review and revoke unnecessary or high-risk permissions granted to third-party apps.
Restrict Third-Party App Access
Use Conditional Access App Control to enforce policies for third-party applications that access Microsoft 365.
Secure API Integrations
Limit API calls to approved applications and monitor API usage for unusual activity.
Conditional Access
Define Conditional Access Policies
Require MFA for access to sensitive apps and resources.
Block access from untrusted locations or devices.
Allow access only from compliant or Azure AD-joined devices.
Enforce Access Based on User Risk
Block or restrict access for high-risk users identified by Azure AD Identity Protection.
Apply Session Controls
Enforce read-only access or block downloads for users accessing from unmanaged devices.
Implement Conditional Access for Guest Users
Restrict access for external users to specific apps or resources.
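The MFA-for-administrators and legacy-authentication-block policies described under Identity and Access Management (items 1 and 2) and again in this Conditional Access section, created through the Microsoft Graph PowerShell SDK. This is an added example, not the project's own deployment script; it assumes the Microsoft.Graph.Identity.SignIns module and a Conditional Access Administrator, and the break-glass account object ID is a placeholder.

```powershell
# Added example: create both policies in report-only mode, review, then enforce.
# Assumes Microsoft.Graph.Identity.SignIns; the break-glass object ID below is a placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassAccountId = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access account

$mfaForAdmins = @{
    displayName = 'CA001 - Require MFA for privileged roles'
    # Report-only first: the sign-in log shows which sessions would have been affected.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeRoles = @('62e90394-69f5-4237-9190-012177145e10')   # Global Administrator role template ID
            excludeUsers = @($breakGlassAccountId)                      # never lock out the break-glass account
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaForAdmins

# Legacy protocols (Exchange ActiveSync, IMAP/POP/SMTP AUTH) cannot satisfy an MFA grant,
# so an MFA requirement alone leaves them as a bypass; block them explicitly.
$blockLegacyAuth = @{
    displayName = 'CA002 - Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassAccountId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacyAuth

# After the report-only review period, promote a policy to enforced.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```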
Global Secure Access Implementation
Zero Trust Network Access (ZTNA)
Implement Zero Trust Network Access (ZTNA) in place of traditional VPNs to secure access to internal applications.
Microsoft Entra Verified ID
Use Microsoft Entra Verified ID to strengthen user authentication by issuing and verifying digital credentials.
Microsoft Secure Access Service Edge (SASE)
Leverage Microsoft Secure Access Service Edge (SASE), integrated with Azure AD and Microsoft Defender, to provide secure, scalable access to corporate resources.
Microsoft 365 Global Secure Access
Enable Microsoft 365 Global Secure Access to enforce granular access controls for internet use and SaaS apps based on user roles and device compliance.
Endpoint and Device Security
1. Enable Microsoft Defender for Endpoint
Deploy Endpoint Detection and Response (EDR) to monitor and protect against advanced threats.
2. Implement Device Compliance Policies
Enforce encryption, password complexity, and security baselines for all devices accessing Microsoft 365.
3. Enable Mobile Application Management (MAM)
Protect app data on personal devices without requiring full device management.
4. Deploy Windows Autopilot for Device Preparation
Streamline provisioning of new devices with pre-configured security policies and applications. Automate device enrollment into Intune for ongoing management.
Security Monitoring and Logging
Enable Unified Audit Logs
Track and monitor activity across all Microsoft 365 services.
Microsoft Secure Score
Regularly review your Microsoft Secure Score and implement its recommended improvements.
Threat Analytics
Enable Threat Analytics to gain insights into active threats and vulnerabilities across the environment.
Compliance and Governance Measures
Enable Retention Policies
Retain or delete data based on regulatory requirements.
Use eDiscovery and Legal Hold
Preserve data for legal or compliance purposes.
Monitor Compliance Manager
Use built-in assessments to improve compliance posture.