Microsoft 365 Security Hardening Checklist
Default Microsoft 365 settings are not secure settings. Work through this checklist with your IT or security provider and confirm each item is verified, not just assumed.

This checklist covers the configurations that matter most for Australian SMBs.
1. Identity and Authentication
Highest priority. An identity misconfiguration underpins the majority of M365 compromises we investigate.
Security Defaults or Conditional Access policies are enabled. Conditional Access is strongly preferred for business environments.
Legacy authentication protocols are blocked (basic auth, IMAP, POP3, SMTP AUTH) for all users without a documented technical requirement.
MFA is enforced for all users via Conditional Access, not just enabled via per-user MFA settings.
MFA is enforced for all Global Administrators and privileged roles.
Phishing-resistant MFA (FIDO2 or certificate-based) is deployed for the highest-privilege accounts.
Sign-in is restricted to compliant, managed devices via Conditional Access where possible.
Sign-ins from high-risk locations or anonymous IP addresses are blocked or require additional verification.
Sign-in risk policies are configured in Entra ID Identity Protection (P2 licence required).
Self-service password reset is enabled and configured with appropriate verification methods.
Password hash synchronisation is enabled if using hybrid identity.
Emergency access (Break Glass) accounts exist, are excluded from Conditional Access, are monitored, and credentials are stored securely offline.
The number of Global Administrator accounts is five or fewer.
Global Administrator accounts are cloud-only, not synchronised from on-premises Active Directory.
Global Administrator accounts are not used for day-to-day tasks.
Role assignments follow least privilege: users hold only the roles they need.
Privileged Identity Management (PIM) is configured for just-in-time admin access where licensing permits.
Admin roles are reviewed and validated at least every 90 days.
Admin accounts do not have active mailboxes used for routine email.
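The following is an added example and not part of the original checklist: it verifies two of the identity items above from Microsoft Graph PowerShell (the Global Administrator count and whether those accounts are cloud-only) and stages a Conditional Access policy that blocks legacy authentication. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account can read directory roles and write Conditional Access policies; the break-glass object ID is a placeholder you must replace.

```powershell
# Added example, not part of the original checklist: verify the Global Administrator items
# above and stage a Conditional Access policy that blocks legacy authentication.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and an account
# permitted to read directory roles and write Conditional Access policies.
Connect-MgGraph -Scopes "Directory.Read.All", "Policy.ReadWrite.ConditionalAccess"

# --- Global Administrator review: how many, and are they cloud-only? ---
# Only active assignments are listed here; PIM-eligible assignments need the PIM cmdlets.
$gaRole    = Get-MgDirectoryRole -All | Where-Object DisplayName -eq 'Global Administrator'
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
$gaUsers   = foreach ($m in $gaMembers) {
    # Members may be users, groups or service principals; only user objects are inspected here.
    if ($m.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
        Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled
    }
}
"$(@($gaUsers).Count) Global Administrator user accounts (checklist target: five or fewer)"
$gaUsers | Select-Object UserPrincipalName, AccountEnabled,
    @{ n = 'CloudOnly'; e = { -not $_.OnPremisesSyncEnabled } } | Format-Table -AutoSize

# --- Legacy authentication block, created in report-only mode first ---
# The break-glass account is excluded, as the checklist requires; replace the placeholder.
$breakGlassId = '<object-id-of-break-glass-account>'   # placeholder, not a real value
$policy = @{
    displayName = 'Block legacy authentication (report-only)'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' once sign-in logs show no legitimate hits
    conditions  = @{
        clientAppTypes = @('exchangeActiveSync', 'other')   # 'other' = basic auth, IMAP, POP3, SMTP AUTH clients
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null

# Confirm: 'enabled' means enforced; a report-only policy does not block anything yet.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

The policy is created in report-only mode on purpose: review the Conditional Access report-only results in the Entra sign-in logs for a week or two to catch any printer, scanner or line-of-business system still using basic auth, document those exceptions, and only then switch the state to enabled.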
3. Exchange Online and Email Security
SPF record is published and correctly configured for your domain.
DKIM signing is enabled for all sending domains.
DMARC is configured with at minimum a quarantine policy (p=quarantine). Reject (p=reject) is the target.
DMARC reports are being monitored.
External email tagging is enabled so staff can identify emails originating outside the organisation.
Anti-phishing policies are configured with impersonation protection for key personnel.
Safe Links is enabled and configured to scan URLs in email and Office documents.
Safe Attachments is enabled and configured to detonate suspicious attachments before delivery.
Automatic external email forwarding is disabled at the tenant level.
Transport rules are reviewed for unexpected or unauthorised configurations.
Mailbox auditing is enabled for all users (on by default for E3/E5 but should be verified).
Unified audit log is enabled and retention period is configured appropriately.
Mail flow rules are reviewed and documented.
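As an added example that is not the checklist author's code, the script below reads back the email-security items above so each can be verified rather than assumed: SPF and DMARC from public DNS, and DKIM, auto-forwarding, external tagging, auditing and transport rules from Exchange Online. It assumes the ExchangeOnlineManagement module and the Windows DnsClient module (Resolve-DnsName); the sending domain is a placeholder.

```powershell
# Added example, not from the checklist: verify the email-authentication and Exchange Online
# items above. Assumes the ExchangeOnlineManagement module and Resolve-DnsName (DnsClient).
$domain = 'example.com.au'   # placeholder for your sending domain

# --- DNS: SPF and DMARC are public records, so this part needs no tenant access ---
$spf   = (Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue).Strings |
         Where-Object { $_ -like 'v=spf1*' }
$dmarc = (Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue).Strings |
         Where-Object { $_ -like 'v=DMARC1*' }
"SPF:   $(if ($spf)   { $spf }   else { 'MISSING' })"
"DMARC: $(if ($dmarc) { $dmarc } else { 'MISSING' })"
if ($dmarc -and $dmarc -notmatch '(^|;)\s*p=(quarantine|reject)') {
    "DMARC policy is not quarantine/reject; checklist minimum is p=quarantine, target p=reject"
}
if ($dmarc -and $dmarc -notmatch 'rua=') {
    "DMARC record has no rua= address, so aggregate reports are not being collected"
}

Connect-ExchangeOnline

# --- DKIM: signing should be Enabled for every domain that sends mail ---
Get-DkimSigningConfig | Select-Object Domain, Enabled, Status

# --- Automatic external forwarding: both tenant-level controls ---
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode   # want Off
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled         # want False on Default

# --- External sender tagging in Outlook ---
Get-ExternalInOutlook | Select-Object Enabled, AllowList                        # want Enabled = True

# --- Auditing ---
Get-OrganizationConfig  | Select-Object AuditDisabled                         # want False
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled       # want True

# --- Transport (mail flow) rules: surface any that copy, redirect or forward mail ---
Get-TransportRule |
    Select-Object Name, State, Priority, RedirectMessageTo, BlindCopyTo, CopyTo, WhenChanged |
    Format-Table -AutoSize
```

The transport-rule listing is deliberately broad: compare it against your documented rules and treat any rule with an unexplained RedirectMessageTo or BlindCopyTo target, or a WhenChanged date nobody can account for, as something to investigate.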
4. SharePoint, OneDrive, and Teams
External sharing in SharePoint is restricted to the minimum required. Anonymous sharing links are disabled or time-limited.
SharePoint site permissions are reviewed periodically. Overly permissive sites are a significant Copilot risk, because Copilot can surface any content a user already has permission to read.
OneDrive external sharing is configured consistently with SharePoint policy.
Guest access in Teams is enabled only if required and is governed by a documented policy.
External access (federation) in Teams is restricted to known, trusted domains where possible.
Sensitivity labels are applied to SharePoint sites and Teams containing confidential content.
Data Loss Prevention (DLP) policies are configured to detect and control sensitive data sharing.
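To make the sharing items above checkable, here is an added example (not part of the original checklist) that reports the tenant-wide SharePoint and OneDrive sharing posture, lists sites that permit anonymous links, and reads the Teams guest and federation settings. It assumes the Microsoft.Online.SharePoint.PowerShell and MicrosoftTeams modules; the tenant name is a placeholder.

```powershell
# Added example, not part of the original checklist: report the SharePoint, OneDrive and
# Teams sharing settings covered above. Assumes the SharePoint Online Management Shell
# and MicrosoftTeams modules. Replace the placeholder tenant name.
$tenant = 'contoso'   # placeholder
Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"

# Tenant-wide posture. SharingCapability values, most to least restrictive:
#   Disabled, ExistingExternalUserSharingOnly, ExternalUserSharingOnly, ExternalUserAndGuestSharing
# Only ExternalUserAndGuestSharing permits anonymous ("Anyone") links.
$t = Get-SPOTenant
$t | Select-Object SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType

if ($t.SharingCapability -eq 'ExternalUserAndGuestSharing' -and $t.RequireAnonymousLinksExpireInDays -lt 1) {
    "Anonymous links are enabled with no expiry; set RequireAnonymousLinksExpireInDays or disable anonymous sharing"
}
if ($t.OneDriveSharingCapability -ne $t.SharingCapability) {
    "OneDrive sharing level differs from SharePoint; the checklist expects them to be consistent"
}

# Sites that still allow anonymous links (site settings can be tighter than the tenant, never looser).
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Title, Owner, SharingCapability

# Teams: guest access (should be off unless a documented policy requires it) and federation scope.
Connect-MicrosoftTeams
Get-CsTeamsClientConfiguration | Select-Object AllowGuestUser
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer, AllowedDomains, BlockedDomains
```

For the Teams federation result, an AllowedDomains value of "AllowAllKnownDomains" means every external Microsoft 365 tenant can reach your users; the checklist's "restricted to known, trusted domains" item is met only when AllowedDomains lists specific domains.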
5. Microsoft Defender for Office 365
Defender for Office 365 Plan 1 or Plan 2 is licensed and configured (included in Business Premium).
Anti-malware policies are configured with appropriate alert and quarantine settings.
Zero-hour auto purge (ZAP) is enabled to retroactively remove malicious messages post-delivery.
Attack simulation training is configured and running regular phishing simulations.
Threat Explorer or Real-time detections are being used to investigate suspicious activity.
Preset security policies (Standard or Strict) have been applied as a baseline.
6. Endpoint Security (Defender for Endpoint / Intune)
Microsoft Defender for Endpoint is deployed and active on all Windows endpoints.
Defender for Endpoint is integrated with the Microsoft 365 Defender portal.
Endpoint Detection and Response (EDR) is in Block mode, not just Audit mode.
Attack Surface Reduction (ASR) rules are configured and enforced.
Intune is managing all corporate devices with compliance policies enforced.
Device compliance policies require encryption, screen lock, and minimum OS version.
Non-compliant devices are blocked from accessing corporate resources via Conditional Access.
Mobile devices accessing corporate email are enrolled in Intune.
Windows Autopatch or a comparable patch management process is active and verified.
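The following is an added example rather than the checklist author's code: it audits a single Windows endpoint against the Defender items above (running mode, tamper protection, signature age) and checks whether a set of Attack Surface Reduction rules are enforced in Block mode rather than Audit. It uses only the built-in Defender PowerShell module, so it runs locally without extra installation; the rule GUIDs are Microsoft's published ASR rule IDs and should be cross-checked against the ASR rules reference before you rely on the list. Fleet-wide status belongs in the Intune and Defender portal reports; this is for spot-checking one device.

```powershell
# Added example, not the checklist author's code: audit one Windows endpoint against the
# Defender for Endpoint items above. Uses the built-in Defender module (Get-MpComputerStatus,
# Get-MpPreference); run in an elevated PowerShell session on the device being checked.
$status = Get-MpComputerStatus
$status | Select-Object AMRunningMode, RealTimeProtectionEnabled, IsTamperProtected,
    AntivirusSignatureAge, QuickScanAge

# ASR rule actions as stored by Defender: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
# The GUIDs below are Microsoft's documented ASR rule IDs (verify against the ASR reference).
$expected = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# Build a GUID -> action map from the two parallel arrays Defender exposes.
$pref = Get-MpPreference
$configured = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $configured[$pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
}

# Report each expected rule; anything other than Block is a gap against the checklist item.
foreach ($id in $expected.Keys) {
    $action = if ($configured.ContainsKey($id)) { $actionName[$configured[$id]] } else { 'Not configured' }
    $flag   = if ($action -eq 'Block') { 'OK ' } else { 'GAP' }
    "$flag  $($action.PadRight(14)) $($expected[$id])"
}
```

An AMRunningMode of "Passive Mode" with a third-party antivirus installed is expected, but "EDR Block Mode" or "Normal" is what you want to see when Defender is the primary engine; a rule showing Audit here satisfies the "configured" half of the ASR item but not the "enforced" half.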
Microsoft Secure Score has been reviewed in the last 30 days.
A remediation plan exists for the highest-impact recommendations.
Secure Score is tracked over time and reviewed as part of regular security governance.
Recommendations have been assessed against your environment before being actioned.
Microsoft Sentinel or an equivalent SIEM is ingesting M365 audit logs.
Alerts are configured for high-risk events: impossible travel logins, mass file deletion, privilege escalation, new inbox rules, legacy auth attempts.
Alerts are being reviewed by a human, not just landing in a queue.
Sign-in logs are being reviewed for anomalous activity.
A process exists for responding to Identity Protection risk events.
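As an added example that is not part of the original checklist, the script below implements one of the high-risk alerts listed above, new inbox rules, as a detection a reviewer can actually run: it enumerates every user mailbox for rules that forward, redirect or silently delete mail (flagging forwarding targets outside your accepted domains), then pulls the last seven days of rule-creation events from the unified audit log. It assumes the ExchangeOnlineManagement module and that the unified audit log is enabled (the item in Section 3).

```powershell
# Added example, not from the checklist: surface suspicious inbox rules and recent
# rule-creation events. Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline
$internalDomains = (Get-AcceptedDomain).DomainName

# --- 1. Inbox rules that forward, redirect or delete, across all user mailboxes ---
# Attackers commonly add such rules after a mailbox compromise to hide or exfiltrate mail,
# so every rule of this kind should be explainable by its owner.
$suspect = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        ForEach-Object {
            $rule     = $_
            $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            # Targets render as 'Name [SMTP:user@domain]'; keep those whose domain is not ours.
            $external = foreach ($t in $targets) {
                if ("$t" -match '@([^\]\s>"]+)' -and $matches[1] -notin $internalDomains) { "$t" }
            }
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Rule     = $rule.Name
                Enabled  = $rule.Enabled
                Deletes  = [bool]$rule.DeleteMessage
                External = ($external -join '; ')
            }
        }
}
$suspect | Sort-Object External -Descending | Format-Table -AutoSize

# --- 2. Who created or changed inbox rules in the last 7 days, and from where ---
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000 |
    ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json   # details such as ClientIP live in the JSON payload
        [pscustomobject]@{
            When     = $_.CreationDate
            User     = $_.UserIds
            Op       = $_.Operations
            ClientIP = $data.ClientIP
        }
    } | Sort-Object When -Descending | Format-Table -AutoSize
```

Running this on a schedule and diffing the output against the previous run turns the "new inbox rules" alert into something a human reviews, which is the point of the "reviewed by a human, not just landing in a queue" item; a rule with an external forwarding target or a delete action created from an unfamiliar IP is the combination worth escalating first.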
9. Data Protection and Compliance
Microsoft Purview Information Protection is configured with sensitivity labels appropriate to your data classifications.
Labels are applied to documents and emails containing confidential or restricted content.
Retention policies are configured to meet your legal and regulatory obligations.
eDiscovery and audit capabilities are understood and tested if required for your sector.
Personal data subject to the Privacy Act is identified and controls are appropriate.
Interpreting Your Results
Fewer than 15 ticked: Significant security gaps. Prioritise Section 1 and Section 3 immediately.
15 to 35 ticked: Partial baseline. Focus on completing Sections 1 through 4.
36 to 50 ticked: Solid baseline. Work through remaining items in a structured plan.
50 or more ticked: Strong configuration. Maintain through regular review and Secure Score monitoring.

Need help hardening your M365 tenant?
Stealth Cyber specialises in Microsoft 365 security hardening, Secure Score remediation, and managed detection and response for Australian professional services firms. Get in touch for a verified assessment of your M365 security posture.
Email
contact@stealthcyber.io
Phone
AU: +61 7 5230 8381
US: +1 (855) 774-2595
Offices
Gold Coast, Australia
São Paulo, Brazil
Texas, United States
© 2026 Stealth Cyber Pty Ltd. ABN 72 675 840 632. All rights reserved.