Microsoft 365 Security Checklist

Administrator accounts are high-value targets for attackers. MFA protects against 99.9% of identity-based attacks. If you aren't requiring every privileged account to use MFA, stop reading and do this immediately.

Many breaches start with compromised user credentials. MFA is free for all Microsoft 365 tenants and significantly reduces the risk of account compromise.

Train users to: install Microsoft Authenticator app, understand why MFA is deployed, and REJECT prompts they didn't initiate (potential attack indicator).

Separate admin accounts from day-to-day user accounts. Cloud-only accounts aren't synced from on-premises AD, reducing attack surface. They don't require a license for admin-only tasks.

App passwords are a workaround for legacy clients that don't support modern authentication. They bypass MFA protection and should be disabled in 2024.

SMS-based MFA is vulnerable to SIM swapping attacks, SS7 protocol vulnerabilities, and social engineering. Microsoft Authenticator or FIDO2 keys are much more secure.

Voice calls for MFA share similar vulnerabilities to SMS. Social engineering attacks can trick phone carriers into forwarding calls. Use app-based or hardware token authentication instead.

Prompting users too frequently leads to "MFA fatigue" where they automatically approve without thinking. Microsoft recommends 90 days or using Conditional Access for smarter sign-in frequency.

MFA is only effective if users understand how to use it properly. They must know to REJECT unexpected prompts, as attackers may trigger prompts hoping users approve out of habit.

Windows Hello for Business (WHFB) provides passwordless, phishing-resistant authentication using biometrics or PIN tied to the device's TPM. This is stronger than traditional MFA.

FIDO2 security keys provide the strongest form of MFA, offering phishing-resistant, passwordless authentication. The key physically validates the website's identity, preventing credential theft.

Legacy protocols (POP3, IMAP, SMTP AUTH, etc.) don't support MFA, allowing attackers to bypass your MFA protection. Before blocking, identify legitimate uses.

• Android/iOS native mail apps (switch to Outlook)
• Printers/scanners sending email
• Line-of-business applications
• Old Office versions (pre-2013)

Conditional Access provides granular control to block legacy auth while allowing exceptions. This is the recommended method over the admin center toggle.

Belt and suspenders approach - use both Conditional Access AND the admin center setting for defense in depth.

Break glass accounts provide emergency access if MFA services are down or all admins are locked out. They're exempt from MFA and CA policies but have extremely strong passwords.

You must be immediately notified if break glass accounts are used - this could indicate a legitimate emergency OR an attacker who obtained the credentials.

Privileged Identity Management (PIM) provides just-in-time admin access. Accounts are ordinary users until they elevate for a limited time, reducing the attack window.

Microsoft Entra Password Protection blocks common bad passwords globally. Add your company name, products, locations, executive names, and local sports teams - words your employees likely use.

Custom branding helps users identify legitimate login pages. Phishing attacks typically use generic Microsoft login pages - your branded page is a security indicator. Also required for Windows Autopilot.

SSPR reduces help desk load and allows users to reset passwords securely 24/7. Without it, users may choose weaker passwords or share credentials to work around lockouts.

Audit logs are essential for investigating security incidents. Without sufficient retention, evidence may be lost before you discover a breach. Default is on but verify retention policy exists.

Don't sync service accounts, computer objects, or test accounts to Microsoft Entra ID. Every synced account is potential attack surface. Only sync OUs with actual users who need cloud access.

Mailbox auditing logs actions like message access, deletion, and forwarding. Essential for investigating compromised accounts. Enabled by default since 2019 but verify older mailboxes.

Zero-hour Auto Purge (ZAP) removes malicious messages that were delivered before being identified as threats. It "reaches into" inboxes to remove newly-identified spam/phish.

Attackers often set up email forwarding to external addresses after compromising accounts. This lets them monitor communications for Business Email Compromise (BEC) attacks, which cost more than ransomware.

SPF (Sender Policy Framework) helps receiving servers verify that email claiming to be from your domain actually came from authorized servers.

DKIM (DomainKeys Identified Mail) cryptographically signs outgoing emails, allowing recipients to verify the message wasn't altered in transit.

Safe Attachments detonates suspicious attachments in a sandbox VM to catch zero-day malware that bypasses traditional AV. Dynamic Delivery shows the email immediately while attachments are scanned.

Safe Links scans URLs at time-of-click, not just delivery. Attackers often send clean links, wait for delivery, then weaponize the destination. Time-of-click scanning defeats this.

By default, all users can create Teams (M365 Groups). This leads to sprawl and potential data governance issues.

• Only people in organization - No external sharing
• Existing guests - Only share with already-invited guests
• New and existing guests - Anyone with a guest account
• Anyone - Anonymous links (not recommended)

Malicious OAuth apps can gain persistent access to user mailboxes even after password changes and MFA. Users may unknowingly grant excessive permissions.

• Require BitLocker encryption
• Require Secure Boot
• Require firewall enabled
• Require antivirus/antispyware
• Minimum OS version

1. Implement all low user-impact actions first
2. Then high score-improvement actions
3. Schedule monthly reviews for new recommendations

Microsoft Defender for Business provides enterprise-grade endpoint security designed for SMBs. It includes threat & vulnerability management, attack surface reduction, next-generation protection, endpoint detection and response (EDR), and automated investigation.

Devices must be onboarded to receive protection. Windows 10/11 devices can be onboarded automatically via Intune, manually with a local script, or through Group Policy for domain-joined devices.

Method 1: Automatic via Intune (Recommended)
Devices enrolled in Intune are automatically onboarded when you enable the Microsoft Intune connection.

Method 2: Local Script
Download the onboarding package and run on individual devices.

Method 3: Group Policy
For domain-joined devices not managed by Intune.

Mac devices are increasingly targeted by malware. Defender for Business protects macOS 11 (Big Sur) and later with the same EDR and threat protection capabilities as Windows.

• Full Disk Access - Required for scanning
• System Extension - Required for real-time protection
• Network Extension - Required for network protection
• Notifications - For alert notifications

Mobile devices access corporate email and data. Defender for iOS provides web protection, anti-phishing, and blocks unsafe connections on iPhones and iPads.

• Web Protection - Blocks malicious websites
• Anti-phishing - Protects against phishing in all browsers
• Jailbreak Detection - Detects compromised devices
• Conditional Access - Block access from risky devices

Android devices are frequent targets for malware and phishing. Defender provides malware scanning, web protection, and network protection on Android 8.0+.

• Anti-malware - Scans apps and files for malware
• Web Protection - Blocks malicious websites
• Anti-phishing - SMS/messaging app phishing protection
• Network Protection - Blocks rogue WiFi networks
• Privacy Protection - App permission audit

Android Enterprise (Recommended): Deploy via Managed Google Play in Intune
Device Administrator: Legacy mode, deploy APK via Intune

Next-generation protection includes real-time antivirus, cloud-delivered protection, behavior monitoring, and machine learning-based detection. Default policies are applied automatically but can be customized.

• Real-time protection - Should be ON
• Cloud-delivered protection - Should be ON (enables cloud ML)
• Automatic sample submission - Send suspicious files to Microsoft
• Potentially Unwanted Apps (PUA) - Block mode recommended
• Tamper protection - Prevent malware from disabling Defender

ASR rules block specific behaviors commonly used by malware - like Office macros launching executables, obfuscated scripts, or credential stealing from LSASS. These rules significantly reduce attack surface.

• Block executable content from email and webmail
• Block Office apps from creating executable content
• Block Office apps from injecting code into other processes
• Block JavaScript/VBScript from launching downloaded executables
• Block execution of potentially obfuscated scripts
• Block Win32 API calls from Office macros
• Block credential stealing from Windows LSASS
• Block process creations from PSExec and WMI commands
• Block untrusted/unsigned USB processes

Web protection blocks access to malicious websites, phishing sites, and exploit sites. Network protection extends this to all network connections, blocking connections to malicious IPs/domains at the network layer.

• Web threat protection - Blocks malicious websites
• Web content filtering - Block categories (adult, gambling, etc.)
• Custom indicators - Block/allow specific URLs/IPs
• Network protection - Block C2 callbacks, malicious IPs

Controlled folder access prevents unauthorized apps from modifying files in protected folders. This is your last line of defense against ransomware - even if malware executes, it cannot encrypt protected files.

• Documents
• Pictures
• Videos
• Music
• Desktop
• Favorites
You can add custom folders like network shares

Windows Defender Firewall policies can be centrally managed through Defender for Business, ensuring consistent firewall rules across all devices.

TVM scans all onboarded devices and identifies vulnerabilities (CVEs) in installed software. It provides a prioritized list of what to patch based on risk, exploit availability, and prevalence in your environment.

• Exposure Score - Overall vulnerability exposure
• Microsoft Secure Score for Devices - Security configuration score
• Security Recommendations - Prioritized remediation actions
• Software Inventory - All installed software across devices
• Weaknesses - CVEs found in your environment

You need to be notified immediately when threats are detected. Configure email notifications for security alerts and schedule regular reports.

AIR automatically investigates alerts and can remediate threats without manual intervention. This is crucial for SMBs without a dedicated SOC team - Defender handles most threats automatically.

• Full (Recommended) - Automatic remediation
• Semi - Requires approval for some actions
• No automation - Manual review only

Regularly verify that all devices are onboarded and actively reporting. Devices that stop reporting may have been compromised or have Defender disabled.

• All company devices are listed
• Health status is "Active"
• Sensor health has no issues
• Antivirus status is current
• Last seen time is recent (within 24 hours)

Regular review of security reports helps identify trends, verify protection is working, and demonstrate security posture to stakeholders.

• Threat protection report - Threats blocked/detected
• Device health report - Sensor and AV health
• Vulnerable devices - Devices needing patches
• Web protection report - Blocked web threats

Defender for Endpoint P2 adds advanced capabilities beyond P1/Business: Threat Hunting, Microsoft Threat Experts, full EDR capabilities, and support for Linux servers.

• Advanced Hunting - Query-based threat hunting with KQL
• Threat Experts - Access to Microsoft's SOC analysts
• Endpoint Attack Notifications - Proactive threat alerts
• Sandbox (Deep Analysis) - Detonate suspicious files
• Linux Server support - Full EDR for Linux

Advanced Hunting allows proactive threat hunting using Kusto Query Language (KQL). Search across 30 days of raw endpoint, email, identity, and app data to find hidden threats.

• DeviceEvents - Security events on devices
• DeviceProcessEvents - Process execution
• DeviceNetworkEvents - Network connections
• DeviceFileEvents - File operations
• DeviceRegistryEvents - Registry changes
• EmailEvents - Email metadata
• IdentityLogonEvents - Authentication events

Microsoft Threat Experts provides access to Microsoft's security analysts who proactively hunt for threats in your environment and provide expert guidance.

Endpoint Attack Notifications (Included with E5):
• Proactive notifications about serious threats
• Targeted attack notifications tagged in portal

Experts on Demand (Additional purchase):
• Consult Microsoft analysts directly
• Get expert help with investigations

Defender for Identity (formerly Azure ATP) monitors Active Directory traffic to detect advanced attacks like Pass-the-Hash, Pass-the-Ticket, Golden Ticket, and lateral movement.

• Reconnaissance - Account enumeration, network mapping
• Compromised credentials - Brute force, exposed credentials
• Lateral movement - Pass-the-Hash, Pass-the-Ticket, NTLM relay
• Domain dominance - Golden Ticket, DCSync, skeleton key
• Exfiltration - DNS exfiltration

Review and tune alerts to reduce noise. Some alerts may need exclusions for legitimate admin activities like penetration testing or specific service accounts.

Threat Explorer provides real-time views of email threats, allowing you to investigate phishing campaigns, trace malware delivery, and understand attack patterns.

• All Email view - See all messages and their verdicts
• Malware view - Filter for malware detections
• Phish view - Filter for phishing attempts
• Content Malware - Threats in SharePoint/OneDrive
• URL clicks - Track clicked URLs and their verdicts

AIR automatically investigates alerts, determines scope, and can automatically remediate threats (delete malicious emails, block URLs) without manual intervention.

• Soft delete malicious emails from all mailboxes
• Block malicious URLs organization-wide
• Turn off external mail forwarding
• Quarantine messages matching threat indicators

Regular phishing simulations train users to recognize attacks. Users who fail simulations get automatic training. Track improvement over time with detailed reports.

• Credential Harvest - Fake login pages
• Malware Attachment - Simulated malicious files
• Link in Attachment - Link inside document
• Link to Malware - Direct download link
• Drive-by URL - Compromised website simulation

Threat Trackers provide intelligence on current threats targeting organizations worldwide. Campaign Views show coordinated attacks targeting your organization.

Discover Shadow IT - cloud applications your users are using without IT approval. The catalog includes 31,000+ apps with risk scores based on security, compliance, and legal factors.

• Defender for Endpoint integration - Automatic discovery from endpoints
• Log upload - Upload firewall/proxy logs
• Log collectors - Continuous automated upload

OAuth apps with excessive permissions are a major attack vector. Defender for Cloud Apps provides visibility into all OAuth apps and can automatically revoke risky ones.

• Alert on apps with high permission level from unverified publishers
• Alert on apps accessing mail/files with no recent activity
• Block apps with community rating below threshold
• Revoke access for apps marked as banned

Conditional Access App Control enables real-time monitoring and control of cloud app sessions. Block downloads, restrict copy/paste, require step-up authentication for sensitive actions.

• Block download of sensitive files on unmanaged devices
• Protect documents with encryption on download
• Block copy/paste of sensitive content
• Block print of sensitive documents
• Block upload of malware

Sign-in risk uses ML to evaluate each login in real-time. Risky sign-ins (unfamiliar location, impossible travel, malware-linked IP) automatically require MFA or are blocked.

• Anonymous IP address (TOR, VPN)
• Atypical travel (impossible travel)
• Malware-linked IP address
• Unfamiliar sign-in properties
• Password spray detection
• Microsoft Entra threat intelligence

User risk identifies potentially compromised accounts over time. When Microsoft finds credentials in breach dumps or detects suspicious activity patterns, the user is marked as risky.

PIM provides just-in-time privileged access. Admin accounts remain ordinary users until they elevate for a limited time. This dramatically reduces the risk of persistent admin access being compromised.

1. Admin requests activation of their eligible role
2. They must provide justification
3. They complete MFA challenge
4. (Optional) Another admin approves the request
5. Role is active for limited time (e.g., 8 hours)
6. Role automatically deactivates

Access Reviews automate the process of verifying that users still need their access. Reviewers regularly certify that group memberships, role assignments, and guest access are still appropriate.

• Admin role assignments - Monthly, reviewed by manager
• Guest user access - Quarterly, reviewed by sponsor
• Sensitive group memberships - Quarterly
• Application access - Semi-annually

E5 enables automatic sensitivity labeling based on content inspection. Documents containing sensitive data (SSN, credit cards, etc.) are automatically classified and protected without user action.

• Exchange Online emails
• SharePoint Online sites
• OneDrive for Business
• On-premises file shares (with scanner)

Endpoint DLP extends data loss prevention to Windows and macOS devices. Control printing, USB copying, cloud uploads, and clipboard operations based on document sensitivity.

• Upload to cloud services (Dropbox, personal OneDrive)
• Copy to USB/removable media
• Copy to network shares
• Print documents
• Copy to clipboard
• Access by unallowed apps

Insider Risk Management detects and helps you act on malicious and inadvertent insider threats - data theft by departing employees, data leaks, and security policy violations.

• Data theft by departing users - HR integration triggers
• Data leaks - Unusual file sharing patterns
• Security policy violations - Disabling security controls
• Patient data misuse - Healthcare-specific
• Risky browser usage - Visiting risky sites

Communication Compliance scans Teams, Exchange, and Yammer for regulatory violations, harassment, threats, and inappropriate content. Required for many financial services regulations.

• Regulatory compliance - FINRA, SEC requirements
• Inappropriate content - Harassment, threats, discrimination
• Sensitive information - Detect PII sharing
• Custom policies - Keywords, trainable classifiers

Advanced Audit extends retention to 1 year (vs 90 days), adds crucial events like MailItemsAccessed, and provides high-bandwidth API access for investigation.

• MailItemsAccessed - Every email access (sync or view)
• Send - Email sent by user
• SearchQueryInitiatedExchange - Mailbox searches
• SearchQueryInitiatedSharePoint - SharePoint searches

Microsoft 365 Defender correlates signals across endpoint, email, identity, and cloud apps into unified incidents. Instead of separate alerts, you get the full attack story.

• Microsoft Defender for Endpoint
• Microsoft Defender for Office 365
• Microsoft Defender for Identity
• Microsoft Defender for Cloud Apps
• Microsoft Entra ID Protection

Microsoft Sentinel is a cloud-native SIEM/SOAR that can ingest M365 Defender data alongside logs from other sources (firewalls, other clouds, on-premises) for unified security monitoring.

• Correlate M365 with non-Microsoft data sources
• Long-term log retention beyond M365 limits
• Custom detection rules and analytics
• Automated response playbooks (Logic Apps)
• Workbooks for custom reporting