Microsoft 365 Security Hardening Guide

Enable Security Defaults in Microsoft Entra admin center under Properties if you do not have Conditional Access licensing.

For organizations with Entra ID P1 or P2, create a Conditional Access policy requiring MFA for all users across all cloud apps.

Require phishing-resistant MFA (FIDO2 keys, Windows Hello, or Microsoft Authenticator passkeys) for administrator accounts.

Block legacy authentication protocols that cannot support MFA by creating a Conditional Access policy targeting Exchange ActiveSync and Other clients.

Register all users for MFA using the combined security information registration experience at aka.ms/mysecurityinfo.

Configure MFA number matching and additional context in the Authenticator app settings to prevent MFA fatigue attacks.

Create a baseline policy requiring MFA for all users, all cloud apps, and all platforms (Windows, macOS, iOS, Android, Linux).

Create a policy blocking access from untrusted locations or countries your organization does not operate in.

Require compliant or Hybrid Azure AD joined devices for access to sensitive applications.

Create a policy requiring MFA for risky sign-ins using Entra ID Protection (requires P2 licensing).

Block or restrict access from unmanaged devices to prevent data exfiltration.

Enable sign-in frequency controls to require re-authentication at appropriate intervals.

Use report-only mode first to test policies before enforcement to avoid unintended lockouts.

Activate PIM for all Global Administrator, Exchange Administrator, SharePoint Administrator, and Security Administrator roles.

Configure eligible assignments instead of permanent active assignments for all privileged roles.

Set activation to require MFA, justification, and approval for Global Administrator role.

Configure maximum activation duration to 8 hours or less depending on role sensitivity.

Set up access reviews for privileged role assignments on a quarterly basis.

Enable notifications for role activations to alert security teams.

Audit current legacy authentication usage using the Entra ID Sign-ins log filtered by Client App.

Identify and migrate applications relying on basic authentication to modern authentication (OAuth 2.0).

Create a Conditional Access policy blocking legacy authentication for all users.

Monitor the Sign-ins log for blocked legacy authentication attempts over 30 days to verify no business impact.

Disable legacy authentication protocols at the service level for Exchange Online using authentication policies.

Navigate to Microsoft Defender portal, then Email and Collaboration, then Policies and Rules, then Threat Policies.

Create or edit the default anti-phishing policy to enable mailbox intelligence and spoof intelligence.

Enable impersonation protection for your executives and board members by adding them to the protected users list.

Add your critical domains and partner domains to the protected domains list.

Set the action for detected impersonation attempts to Quarantine the message.

Enable first contact safety tips to alert recipients when they receive email from new senders.

Configure honor DMARC policy to reject or quarantine messages that fail DMARC checks.

Enable Safe Attachments with the Dynamic Delivery action to deliver emails immediately while attachments are being scanned.

Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams in the global settings.

Enable Safe Links for email messages with URL scanning on click and real-time scanning.

Do not allow users to click through to the original URL when Safe Links identifies a malicious link.

Enable Safe Links for Microsoft Teams to scan links shared in conversations.

Add any legitimate URLs that are being incorrectly blocked to the tenant allow/block list.

Verify SPF records for all sending domains: create a TXT record with v=spf1 include:spf.protection.outlook.com -all.

Enable DKIM signing for all custom domains in the Microsoft Defender portal under Email Authentication settings.

Rotate DKIM keys by creating a second selector and publishing the new CNAME records in DNS.

Create a DMARC record starting with p=none for monitoring: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com.

Monitor DMARC aggregate reports for 30 to 60 days to identify legitimate senders not yet in your SPF record.

Progress DMARC policy from p=none to p=quarantine to p=reject as alignment improves.

Consider a DMARC reporting service to parse and visualize aggregate report data.

Navigate to SharePoint admin center and select Policies, then Sharing.

Set the organization-level sharing default to Existing guests (requires authentication) or more restrictive.

Restrict OneDrive sharing to the same level or more restrictive than SharePoint.

Require external users to accept sharing invitations using the same account the invitation was sent to.

Set sharing links to default to Specific people (direct sharing) rather than Anyone links.

Set expiration for Anyone links to 30 days maximum and restrict permissions to View only.

Block sharing to specific external domains if your organization does not need to collaborate broadly.

Create DLP policies in Microsoft Purview compliance portal to detect sensitive information types relevant to your industry.

Start with common templates: U.S. Financial Data, U.S. PII, or HIPAA depending on your regulatory requirements.

Configure policies to apply to Exchange email, SharePoint sites, OneDrive accounts, and Teams chats and channels.

Set policy actions to notify users with a policy tip when they attempt to share sensitive data.

For high-confidence detections, block external sharing and restrict access to the content.

Enable endpoint DLP if your organization has Microsoft 365 E5 licensing to monitor file activities on devices.

Define a sensitivity label taxonomy (e.g., Public, Internal, Confidential, Highly Confidential).

Create labels in Microsoft Purview that apply visual markings (headers, footers, watermarks).

Configure encryption on Confidential and Highly Confidential labels to restrict access to internal users only.

Publish labels to all users via a label policy and set a default label for new documents.

Enable mandatory labeling so users must select a label before saving or sending.

Consider auto-labeling policies to automatically classify documents containing sensitive information types.

Review and restrict external access in Teams admin center under Users, then External Access.

Block communication with all external domains by default, then allow specific trusted partner domains.

Configure guest access settings to restrict guests from creating, updating, or deleting channels.

Disable guest access to files and folders in team sites if not required for collaboration.

Set guest user expiration to automatically remove guest access after a defined period (e.g., 90 days).

Enable access reviews for guest accounts on a quarterly basis using Entra ID Governance.

Configure meeting policies to restrict anonymous users from joining meetings.

Enable lobby settings so external participants must wait for an organizer to admit them.

Disable automatic admission for dial-in users by default.

Restrict who can present in meetings to organizers and co-organizers by default.

Disable recording and transcription for meetings with external participants unless explicitly required.

Configure messaging policies to restrict URL previews and file sharing with external users in chat.

Ensure at least two Global Administrators are assigned for redundancy, but no more than four to limit exposure.

Create emergency access (break glass) accounts that are excluded from Conditional Access and monitored with alerts.

Disable user consent for applications in Entra ID Enterprise Applications settings and require admin consent.

Configure the admin consent workflow so users can request access to apps and admins can review and approve.

Block user creation of Entra ID tenants and Azure subscriptions under User settings.

Disable the Self-Service Password Reset (SSPR) registration campaign if using Conditional Access for MFA enforcement.

Verify that Unified Audit Log is enabled in the Microsoft Purview compliance portal.

Set audit log retention to at least 180 days (E5) or use basic audit with 90-day retention (E3).

Create alert policies for high-risk activities: elevation of privilege, mailbox forwarding rules, mass file downloads, and eDiscovery searches.

Configure sign-in log exports to a SIEM or Log Analytics workspace for centralized monitoring.

Enable mailbox auditing on all mailboxes (enabled by default but verify with Get-OrganizationConfig).

Review Microsoft Secure Score weekly and address recommendations to improve your overall security posture.

Set up a regular cadence for reviewing inactive user accounts and service principals.