
Practical guide to security using Microsoft 365 Business (Basic, Standard, and Premium)

Author: David Bjurman-Birr

Contributors: Alex Fields, Andreas Bürkle

Published: February 2023

For the latest information, please see: aka.ms/smbsecurityguide

For a checklist form of this guide, please see: aka.ms/smbsecuritychecklist

For feedback and suggestions, please email: [email protected]

This document is provided to you "as-is" by Microsoft. Information and views expressed in this document may change
without notice. You bear the risk of using it and verifying the continued accuracy of any claims. This document does not
provide you with any legal rights to any intellectual property in any Microsoft product.
Table of Contents
Introduction (page 5)
Getting Started: Preparation Checklist for Onboarding (page 6)
  Adopt a formal cybersecurity framework (page 6)
  Plan for identity management (page 6)
  Plan for administrative accounts (page 6)
  Plan for device management (page 6)
  Plan for licensing (page 6)
  Choose technical and administrative contacts (page 6)
Identity Protection Checklist (page 10)
  Apply principles of least privilege (page 10)
  Create emergency access account(s) (page 10)
  Set up Conditional Access (page 10)
  Enable Self Service Password Reset (page 10)
  Configure Azure AD primary authentication method (page 10)
Email & Apps Protection Checklist (page 12)
  Configure SPF record (page 12)
  Configure email authentication with DKIM and DMARC (page 12)
  Enable Unified Audit Log (page 12)
  Enable Alert Policies (page 12)
  Enable Defender for Office 365 preset policies (page 12)
  Block auto forwarding (page 13)
  Manage user Phishing reports (page 13)
  Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams (page 13)
  Guest access in Teams (page 13)
  External chat in Teams (page 13)
  Third-party cloud storage in Teams (page 13)
Endpoint Enrollment Checklist (page 15)
  Choose mobility management approach (page 15)
  Configure device enrollment restrictions (page 15)
  Deploy App protection policies (MAM) (page 15)
  Configure device enrollment pre-reqs for supported platforms (page 15)
  Configure default compliance policy settings (page 16)
  Create compliance policies (page 16)
  Enable device-based conditional access policies (page 16)
  Configure Enterprise State Roaming (page 16)
  Deploy Microsoft 365 apps (page 16)
  Enroll devices (page 16)
Endpoint Protection Checklist (page 19)
  Set up Microsoft Defender for Business (page 19)
  Configure Attack Surface Reduction (ASR) rules (page 19)
  Configure disk encryption (BitLocker) policy (page 19)
  Configure compliance policy integration with Defender for Business (page 19)
  Other security policies (page 19)
Data Protection Checklist (page 22)
  Create and publish Sensitivity labels (page 22)
  Create DLP policies (page 22)
  Create a retention policy for Exchange mailboxes, and other locations as needed (page 22)
Advanced Security and Additional Recommendations (page 24)
Advanced Identity Protection Checklist (page 24)
  Use FIDO2 keys for passwordless authentication (page 24)
  Secure MFA and self-service password reset registration (page 24)
  Manage customer consent to applications & permissions requests (page 24)
  Configure granular control of Azure AD external identities (page 24)
Advanced Email & Apps Protection (page 25)
  Use configuration analyzer (page 25)
  Configure defense in depth for email security (page 25)
  Configure skip listing if using a third-party email filtering device or service (page 26)
  Block all executable email attachments (page 26)
  Customize quarantine permissions and policies (page 26)
  Customize Defender for Office 365 Anti-phishing Policies (page 26)
  Extend DMARC protection to other domains not used for email (page 26)
  Configure additional email encryption (page 26)
  Restrict external domains that can send email messages to Teams channels (page 26)
  Disable 3rd party & custom apps in Teams (page 27)
  Customize Teams meeting settings (page 27)
Introduction
This guide summarizes Microsoft's recommendations for enabling employees at small and medium-sized businesses to securely work from anywhere, whether from home, in the office or on the go, using the features included in Microsoft 365 Business Premium.

Microsoft 365 Business Premium is a comprehensive suite of collaboration products and enterprise-grade security tools curated specifically for businesses with 1 to 300 employees. It includes Office productivity apps and services plus advanced security capabilities to help defend businesses against cyberthreats, protect company data, and secure devices. Although other licensing plans include some of these advanced security and management capabilities, for organizations with fewer than 300 employees, Microsoft 365 Business Premium is generally the most cost-effective package.

Because SMBs have different security needs and attitudes, the checklist includes general recommendations; however, you should evaluate each recommendation and adjust it based on your customers' unique circumstances and requirements.

Many businesses will want to enable security while balancing ease of use with protection. Other businesses may want to maximize security protections and have a higher concern for risk (for example, to adhere to regulatory requirements such as HIPAA or GLBA). Such businesses are also willing to apply more effort and resources to maintaining security and control of the work environment.

These guidelines are intended to provide a starting point for a serious discussion around the security and compliance options available, rather than prescriptive guidance. One of the first and most important things that IT leaders and business leaders can do is talk through the possibilities.

You can download the summary checklist here. If you'd like to learn more about the checklist items, we've broken it down section by section below.
Getting Started: Preparation Checklist for Onboarding

Checklist item: Adopt a formal cybersecurity framework
  Description: Using a vendor-agnostic cybersecurity framework such as NIST or CIS can help you prioritize and validate your adoption of cybersecurity technology.
  Learn more: NIST Cybersecurity Framework; CIS Critical Security Controls

Checklist item: Plan for identity management
  Description: Most SMBs should move toward a cloud-only architecture, but in some cases, you may need to retain a hybrid environment.
  Learn more: Determine your cloud identity model

Checklist item: Plan for administrative accounts
  Description: Partners should set up GDAP to manage customer tenants, but customers may also want to maintain one or more admin accounts.
  Learn more: Set up GDAP for your customers; Granular Delegated Admin Privileges; Least privileged roles by task

Checklist item: Plan for device management
  Description: What types of devices are company owned? Do you allow personally owned devices to access company data? If so, how will you manage those devices?
  Learn more: What is the difference between device and app management

Checklist item: Plan for licensing
  Description: We recommend Microsoft 365 Business Premium for most SMB deployments, but some organizations may want to mix-and-match licenses for different user personas.
  Learn more: Compare All Microsoft 365 Plans for Business

Checklist item: Choose technical and administrative contacts
  Description: Determine where to send billing notifications, security alerts, and more.
  Learn more: Manage billing notifications

Here is a brief explanation and our recommendation for each checklist item.

• Adopt a formal cybersecurity framework: A security framework will help guide and rationalize decision making around cybersecurity vendors, products, and features in use by your business and your customers. Frameworks are essentially independent blueprints of most of the things you should consider regarding cybersecurity. If you don't already have a framework in mind, we recommend starting with CIS Controls v8, Implementation Group 1, because we find it very approachable for SMB partners and customers. Additionally, the CIS Microsoft 365 Foundations Benchmark provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365 cloud offerings. Your customers may find a different cybersecurity framework more suitable based on regional or industry vertical considerations; however, the controls in different frameworks are mostly compatible with each other, so satisfying a control in one framework usually satisfies the corresponding controls in the others. For your convenience, we have listed the applicable CIS control in the checklists below.
• Plan for identity management: The users in the Microsoft 365 tenant can have their identities (usernames, passwords, etc.) managed completely in the cloud, or synchronized with an on-premises Active Directory. If your customer does not have an existing on-premises Active Directory, you can set up cloud-only identity by adding users individually in the admin portal, using PowerShell, or bulk loading users from a CSV file. If your customer has Active Directory, then we recommend starting with a hybrid approach, using Azure AD Connect to synchronize the domain to Microsoft 365, and then moving from hybrid to managing identities only in the cloud as soon as reasonably possible, because cloud-only identity is simpler to administer, reduces complexity, and is much easier to secure than identities synchronized from on-premises infrastructure. We recommend configuring Azure AD Connect with Microsoft 365 Business Premium as follows:

Setting: Azure AD Connect - sign-in method
  Description: Password Hash Sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. Users can use the same username and password that they use on-premises without having to deploy any additional infrastructure.
  Recommended value: Password Hash Sync

Setting: Azure AD Connect - single sign-on
  Description: SSO provides users easy access to cloud-based applications without needing any additional on-premises components.
  Recommended value: Enabled

Setting: Azure AD Connect - on-premises attribute for Azure AD username
  Description: The userPrincipalName in AD should match the user's email address.
  Recommended value: userPrincipalName

Setting: Azure AD Connect - password writeback
  Description: Password writeback synchronizes password changes in Azure AD back to the on-premises AD environment. Additional configuration required.
  Recommended value: Enabled

Setting: Azure AD Connect - Service Connection Point (SCP)
  Description: Azure AD Connect can configure the service connection point (SCP) object in AD for you. This will enable domain-joined computers to discover Azure AD tenant information. For more information click here.
  Recommended value: Configured using Azure AD Connect Additional tasks -> Configure Device Options -> Configure hybrid Azure AD Join

Setting: Azure AD Connect - hybrid Azure AD join device operating systems
  Description: Select the operating systems in use. We recommend upgrading operating systems older than Windows 10.
  Recommended value: Windows 10 and later
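The table above recommends userPrincipalName as the sign-in attribute and requires it to match the user's email address. The following script, an added example that is not part of the guide, reports on-premises AD users whose UPN will not sync cleanly: a missing UPN, a UPN suffix that is not one of your verified Microsoft 365 domains (a `.local` suffix, for instance, falls back to the onmicrosoft.com domain), or a UPN that differs from the mail attribute. It assumes the ActiveDirectory RSAT module; the verified-domain list and the `-Fix` switch are this example's own.

```powershell
# Added example (not from the guide): pre-sync check of on-premises AD users for
# Azure AD Connect. Requires the ActiveDirectory RSAT module on a domain-joined machine.
# -VerifiedDomains: placeholder list; replace with the domains verified in your tenant.
# -Fix: set the UPN to the mail attribute where mail uses a verified domain (assumption
#        of this example; review the report before running with -Fix).
param(
    [string[]]$VerifiedDomains = @('contoso.com'),   # placeholder
    [switch]$Fix
)

Import-Module ActiveDirectory

$users = Get-ADUser -Filter { Enabled -eq $true } -Properties mail, userPrincipalName

$issues = @(foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if (-not $upn) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; Issue = 'No userPrincipalName set' }
        continue
    }
    $suffix = ($upn -split '@')[-1]
    if ($suffix -notin $VerifiedDomains) {
        # A non-routable suffix cannot be verified in Azure AD; the synced sign-in name
        # would silently become user@tenant.onmicrosoft.com.
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; Issue = "UPN suffix '$suffix' is not a verified domain" }
    }
    if ($u.mail -and ($u.mail -ne $upn)) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; Issue = "UPN '$upn' differs from mail '$($u.mail)'" }
        $mailSuffix = ($u.mail -split '@')[-1]
        if ($Fix -and ($mailSuffix -in $VerifiedDomains)) {
            Set-ADUser -Identity $u -UserPrincipalName $u.mail
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; Issue = "Fixed: UPN set to '$($u.mail)'" }
        }
    }
})

if ($issues) {
    $issues | Sort-Object SamAccountName | Format-Table -AutoSize
} else {
    "All $(@($users).Count) enabled users have a routable UPN matching their mail attribute."
}
```

Run it first without `-Fix` to get the report; UPN changes affect how users sign in, so communicate them before applying.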

• Plan for administrative accounts: There are five rules that we recommend observing with regard to administrative accounts in Microsoft 365:
  1. Reduce the number of global admins: We recommend 2 and no more than 5 global administrators per tenant.
  2. Use separate accounts: Do not assign admin privileges to standard user accounts, and do not sync existing admins from on-premises Active Directory and then assign those same accounts cloud administrative privileges. Instead, use a separate, unlicensed administrative user ID in the onmicrosoft.com domain.
  3. Require strong authentication: All administrative accounts should be required to use strong authentication methods. This requirement is also addressed under Identity Protection in this checklist.
  4. Partners are encouraged to implement GDAP: Granular Delegated Admin Privileges (GDAP) allows partners to manage least-privilege access for their users within customer tenants. See this article for more information. Microsoft 365 Lighthouse has an easy-to-use wizard that will set up GDAP. See this article for more information on using Lighthouse to set up GDAP for your customers.
  5. Customers are encouraged to implement RBAC: Delegate admin roles where appropriate. For example, instead of assigning Global admin to every user, determine whether lesser roles would be adequate for each user's job function, e.g., Helpdesk administrator, License administrator, Billing administrator, etc. See this article for a list of roles and permissions.
• Plan for device management: We recommend enrolling company-owned devices into Microsoft Intune in order to establish a device and software inventory and to centralize management. When it comes to personally owned devices, companies will have some additional decisions to make prior to implementation:
  o MAM vs. MDM for mobile devices: You can protect corporate data that resides on personal iOS and Android devices at the application layer using MAM, without needing to enroll the devices for full management (MDM). Company-owned mobile devices, however, should always be enrolled.
  o Block enrollment and access for other devices: Some organizations may want to consider blocking access to company apps and data on personally owned desktop and laptop computers (Windows, macOS, Linux, etc.).
  o Enable web-only access: Another option that organizations have for personally owned devices is to allow a limited web access experience where data cannot be copied, printed, or downloaded to the device.
• Plan for licensing: It is essential to understand the needs of your organization and select an appropriate plan that aligns with them. For small to medium-sized businesses we recommend using Microsoft 365 Business Premium, as it provides a comprehensive set of features and tools to help manage and secure your organization's data and devices. However, depending on the specific requirements of your organization, you may want to consider mixing different licenses for different user personas. It's important to note that Microsoft 365 Business Basic and Microsoft 365 Business Standard have security features but are not security solutions and require additional capabilities. If you have customers using Microsoft 365 Business Basic or Microsoft 365 Business Standard, we recommend adding Microsoft Defender for Business, Microsoft Defender for Office 365, and Azure Active Directory Premium P1 for those users.
• Choose technical and administrative contacts: Select individuals within your organization who will act as the primary point of contact for notifications such as billing, security alerts and service health. This will ensure that important notifications are received on time and are quickly and efficiently resolved. We recommend creating distribution groups for this purpose.
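Rules 1 and 2 under "Plan for administrative accounts" above are easy to state and easy to drift from. The following script, an added example that is not from the guide, audits them with the Microsoft Graph PowerShell SDK: it lists every Global Administrator, flags members that are licensed, synchronized from on-premises AD, or outside the onmicrosoft.com domain, and checks that the total falls between 2 and 5. It assumes the Microsoft.Graph module is installed and that the signed-in account can read directory roles and user license details; the scope names and cmdlets are real, the thresholds come from the text above.

```powershell
# Added example (not from the guide): audit Global Administrator accounts against
# rules 1 and 2 of "Plan for administrative accounts" using Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module and a role that can read directory roles and licenses.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Resolve the activated Global Administrator directory role in this tenant.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $gaRole) { throw 'Global Administrator role is not activated in this tenant.' }

$members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)

$findings = @(foreach ($m in $members) {
    $type = $m.AdditionalProperties['@odata.type']
    # Only user objects are inspected; a group or service principal holding the role is reported as-is.
    if ($type -ne '#microsoft.graph.user') {
        [pscustomobject]@{ Principal = $m.Id; Issue = "Non-user principal ($type) holds Global Administrator" }
        continue
    }
    $user     = Get-MgUser -UserId $m.Id -Property 'userPrincipalName', 'onPremisesSyncEnabled', 'accountEnabled'
    $licenses = @(Get-MgUserLicenseDetail -UserId $m.Id)

    # Rule 2: a dedicated, unlicensed, cloud-only account in the onmicrosoft.com domain.
    if ($user.UserPrincipalName -notlike '*.onmicrosoft.com') {
        [pscustomobject]@{ Principal = $user.UserPrincipalName; Issue = 'UPN is not in the onmicrosoft.com domain' }
    }
    if ($user.OnPremisesSyncEnabled) {
        [pscustomobject]@{ Principal = $user.UserPrincipalName; Issue = 'Account is synchronized from on-premises AD' }
    }
    if ($licenses.Count -gt 0) {
        [pscustomobject]@{ Principal = $user.UserPrincipalName; Issue = "Account has $($licenses.Count) license(s) assigned" }
    }
})

# Rule 1: between 2 and 5 Global Administrators per tenant.
$count = $members.Count
if ($count -lt 2) {
    $findings += [pscustomobject]@{ Principal = '(tenant)'; Issue = "Only $count Global Administrator(s); the guide recommends at least 2" }
}
if ($count -gt 5) {
    $findings += [pscustomobject]@{ Principal = '(tenant)'; Issue = "$count Global Administrators; the guide recommends no more than 5" }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "OK: $count Global Administrator(s), all dedicated, unlicensed, cloud-only accounts."
}
```

The same pattern extends to the other privileged roles (Exchange, SharePoint, Security Administrator) by changing the `displayName` filter; a partner can run it per customer tenant from a GDAP-delegated session.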
Identity Protection Checklist

Identity protection is a crucial aspect of securing sensitive information and maintaining the privacy of both employees and customers in today's digital landscape. Microsoft 365 Business Premium includes Azure Active Directory Premium P1, which provides robust security features to protect user identities from threats such as password attacks, phishing scams, and malicious software. Microsoft 365 Lighthouse also helps partners monitor and manage their customers' identities, ensuring that only authorized personnel have access to critical information. With identity protection in Microsoft 365 Business Premium, small and medium businesses can safeguard their operations and maintain the trust of their customers while they focus on growing their business.

Checklist item: Apply principles of least privilege
  Description: Use separate admin accounts and RBAC roles to limit admin privileges; grant only the minimum roles required for job function.
  Learn more: Partners: Set up GDAP for your customers; Customers: Least privileged roles by task
  CIS Ref.: 5.4, 6.8, 12.2

Checklist item: Create emergency access account(s)
  Description: Microsoft recommends 2 or more cloud-only accounts for emergency access.
  Learn more: Manage emergency access admin accounts
  CIS Ref.: N/A

Checklist item: Set up Conditional Access
  Description: Enable multi-factor authentication, block legacy authentication, etc.
  Learn more: Providing a default level of security in Azure AD
  CIS Ref.: 6.3, 6.4, 6.5

Checklist item: Enable Self Service Password Reset
  Description: End users will be able to reset their own passwords from the cloud using their secure authentication methods.
  Learn more: Cloud-only: Enable Azure Active Directory self-service password reset; Hybrid: Enable Azure Active Directory password writeback
  CIS Ref.: (none listed)

Checklist item: Configure Azure AD primary authentication method
  Description: Configure the Microsoft Authenticator authentication method to enhance security for sign-ins.
  Learn more: Passwordless sign-in with Microsoft Authenticator
  CIS Ref.: N/A
• Apply principles of least privilege: Pay special attention to admin accounts. Use a separate named account for each Global Administrator that does not have a license assigned. Use limited admin roles whenever possible. For partner access to customer tenants, run the GDAP wizard in Lighthouse to assign technicians to appropriate roles in customer tenants.
• Create emergency access account(s): To prevent accidental lockout of administrative access, create two emergency access accounts that are not synchronized with on-premises AD and are excluded from Conditional Access policies. Store the account credentials safely and protect these accounts with a FIDO2 security key. Configure Azure Log Analytics to trigger email and SMS alerts whenever these accounts sign in. For more information see Enable passwordless security key sign-in and Integrate Azure AD logs with Azure Monitor logs.
• Set up Conditional Access: Most common conditional access policies can be deployed using built-in templates; see Conditional Access templates for more details. We recommend deploying at least the following four policies to replace the functionality of Security Defaults:
  o Block legacy authentication
  o Require multifactor authentication for admins
  o Require multifactor authentication for all users
  o Require multifactor authentication for Azure management
• Enable Self Service Password Reset: Allow end users to reset their own passwords from the cloud, without the need for IT administrator intervention. This improves productivity and reduces the workload on the IT department by enabling users to reset their own passwords quickly and easily. To set up Self Service Password Reset (SSPR) in Microsoft 365, use the wizard provided in the Microsoft 365 admin center. The wizard guides you through configuring the authentication methods that users will use to verify their identity before resetting their password; you can choose from phone call, text message, and the Microsoft Authenticator app. Additionally, you will need to specify the users or groups that will be able to use SSPR, and set rules for password complexity, length, and how often passwords can be reset. Once you have completed the wizard, SSPR will be enabled for your tenant, and users will be able to reset their own passwords from the Microsoft 365 login page or the Azure AD self-service password reset page.
• Configure Azure AD primary authentication method: Configure the primary authentication method for Azure AD to use Microsoft Authenticator to enhance security for sign-ins. Users will be able to sign in to Azure AD and other Microsoft services using a one-time passcode generated by the app, or a number matching experience in which the sign-in prompt displays a number that the user must enter in their Authenticator app.
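The two items "Create emergency access account(s)" and "Set up Conditional Access" depend on each other: every policy must exclude the emergency accounts, or a misconfigured policy can lock every administrator out. The following script is an added example, not part of the guide and not the Conditional Access templates it refers to. Using Microsoft Graph PowerShell, it verifies that two emergency accounts are cloud-only and have a FIDO2 key registered, then creates the four recommended policies in report-only mode with those accounts excluded, so you can review the sign-in log impact before enforcing. The two UPNs are placeholders; the role template IDs and the Azure Service Management API application ID are well-known Microsoft values that are identical in every tenant; the choice of which admin roles the "admins" policy covers is this example's assumption.

```powershell
# Added example (not from the guide): verify emergency access accounts and create the
# four baseline Conditional Access policies in report-only mode with those accounts excluded.
# Assumes the Microsoft.Graph module and Conditional Access Administrator (or higher) rights.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'User.Read.All', 'UserAuthenticationMethod.Read.All'

# Placeholders: replace with your tenant's emergency access account UPNs.
$breakGlassUpns = @('emergency1@contoso.onmicrosoft.com', 'emergency2@contoso.onmicrosoft.com')

$breakGlass = @(foreach ($upn in $breakGlassUpns) {
    $u = Get-MgUser -UserId $upn -Property 'id', 'userPrincipalName', 'onPremisesSyncEnabled'
    if ($u.OnPremisesSyncEnabled) { Write-Warning "$upn is synchronized from on-premises AD; emergency accounts should be cloud-only." }
    if (-not (Get-MgUserAuthenticationFido2Method -UserId $u.Id)) { Write-Warning "$upn has no FIDO2 security key registered." }
    $u.Id
})

# Built-in Azure AD role template IDs targeted by the "admins" policy (example's choice of roles).
$adminRoles = @(
    '62e90394-69f5-4237-9190-012177145e10',  # Global Administrator
    '194ae4cb-b126-40b2-bd5b-6091b380977d',  # Security Administrator
    '29232cdf-9323-42fd-ade2-1d097af3e4de',  # Exchange Administrator
    'f28a1f50-f6e7-4571-818b-6a12f2af6b6c',  # SharePoint Administrator
    'fe930be7-5e62-47db-91af-98c3a49a38b1'   # User Administrator
)
$azureManagementApp = '797f4846-ba00-4fd7-ba43-dac1f8f63013'  # Windows Azure Service Management API

$policies = @(
    @{  DisplayName   = 'Block legacy authentication'
        Conditions    = @{ Users = @{ IncludeUsers = @('All'); ExcludeUsers = $breakGlass }
                           Applications = @{ IncludeApplications = @('All') }
                           ClientAppTypes = @('exchangeActiveSync', 'other') }   # legacy protocols only
        GrantControls = @{ Operator = 'OR'; BuiltInControls = @('block') } },
    @{  DisplayName   = 'Require multifactor authentication for admins'
        Conditions    = @{ Users = @{ IncludeRoles = $adminRoles; ExcludeUsers = $breakGlass }
                           Applications = @{ IncludeApplications = @('All') }
                           ClientAppTypes = @('all') }
        GrantControls = @{ Operator = 'OR'; BuiltInControls = @('mfa') } },
    @{  DisplayName   = 'Require multifactor authentication for all users'
        Conditions    = @{ Users = @{ IncludeUsers = @('All'); ExcludeUsers = $breakGlass }
                           Applications = @{ IncludeApplications = @('All') }
                           ClientAppTypes = @('all') }
        GrantControls = @{ Operator = 'OR'; BuiltInControls = @('mfa') } },
    @{  DisplayName   = 'Require multifactor authentication for Azure management'
        Conditions    = @{ Users = @{ IncludeUsers = @('All'); ExcludeUsers = $breakGlass }
                           Applications = @{ IncludeApplications = @($azureManagementApp) }
                           ClientAppTypes = @('all') }
        GrantControls = @{ Operator = 'OR'; BuiltInControls = @('mfa') } }
)

foreach ($p in $policies) {
    # Report-only: the policy is evaluated and logged but not enforced until you switch it to 'enabled'.
    $p.State = 'enabledForReportingButNotEnforced'
    if (Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.DisplayName)'") {
        "Skipping '$($p.DisplayName)': a policy with that name already exists."
        continue
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Out-Null
    "Created '$($p.DisplayName)' in report-only mode."
}
```

After a week of report-only sign-in data, flip each policy's `State` to `enabled`, keeping the emergency accounts excluded; the warnings the script prints are the checks to clear before that switch.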
Email & Apps Protection Checklist
Email is a critical tool for communication and collaboration in today's fast-paced business environment. Unfortunately, it is also a prime target for cybercriminals looking to exploit vulnerabilities and steal sensitive information. Solving problems with phishing and spam is one of the first items we recommend partners focus on, because it is so important for small and medium businesses and it's hard to move on to other things if the customer is plagued with email hygiene problems. Microsoft 365 Business Premium includes Defender for Office 365 P1, which is a highly effective safeguard against threats such as phishing scams, spam, and malware. The platform employs advanced filtering techniques to identify and block malicious messages, while also providing users with tools to report suspicious emails and for you to take action to protect their accounts.

Checklist item: Configure SPF record
  Description: Enter this TXT DNS record to help validate outbound email sent from your domain.
  Learn more: Set up SPF to help prevent spoofing

Checklist item: Configure email authentication with DKIM and DMARC
  Description: Email authentication builds on SPF to create a solid foundation for reducing email spoofing. Misconfiguration can lead to false detections and outbound email going to junk mail.
  Learn more: Email authentication in EOP

Checklist item: Enable Unified Audit Log
  Description: Record activity from Microsoft 365 services such as Exchange Online and SharePoint Online.
  Learn more: Turn auditing on or off

Checklist item: Enable Alert Policies
  Description: With the audit log enabled, you can alert on suspicious activities such as elevation of Exchange admin privilege and more.
  Learn more: Microsoft 365 alert policies

Checklist item: Enable Defender for Office 365 preset policies
  Description: Quickly configures anti-spam, anti-malware, anti-phishing and zero-day protections including Safe Links and Safe Attachments.
  Learn more: Preset security policies

Checklist item: Block auto forwarding
  Description: Prevent inbox rules or mailbox forwarding from automatically sending mail to external addresses.
  Learn more: Configuring and controlling external email forwarding in Microsoft 365

Checklist item: Manage user Phishing reports
  Description: Allow end users to report messages suspected as phishing to Microsoft and to you as part of a managed service for email protection.
  Learn more: Deploy and configure the report message add-in to users

Checklist item: Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams
  Description: Activate Microsoft Defender for Office 365 to secure SharePoint, OneDrive, and Microsoft Teams against potential cyber threats, and ensure the integrity of your data and files stored on these platforms.
  Learn more: Reduce the attack surface for Microsoft Teams

Checklist item: Guest access in Teams
  Description: Allow end users to invite external guests into Teams.
  Learn more: Use guest access to collaborate with people outside your organization

Checklist item: External chat in Teams
  Description: Allow end users to chat with people external to the organization.
  Learn more: Manage external access in Microsoft Teams

Checklist item: Third-party cloud storage in Teams
  Description: Control which third-party cloud storage providers, if any, are allowed to be presented through Teams.
  Learn more: Manage Microsoft Teams settings for your organization

Checklist item: Use configuration analyzer
  Description: Compare your customer's email protection settings to Microsoft recommendations.
  Learn more: Configuration analyzer for protection policies in EOP and Microsoft Defender for Office 365

(No CIS references are listed for this checklist.)

• Configure SPF record: SPF is a TXT record in DNS that helps validate outbound email sent from your custom domain. Microsoft will recommend the correct value if all email originates from the Exchange Online service. If your customer has email originating from other places, consider routing it through Microsoft or customizing the SPF record.
• Configure email authentication with DKIM & DMARC: DomainKeys Identified Mail (DKIM) will protect your customers' domains from malicious email spoofing. It allows the system receiving the email to check that it was sent by the domain it claims to be sent from, and that it hasn't been modified in transit. To set up DKIM, you will need to create DKIM DNS records and then configure Microsoft 365 to sign outgoing messages with the corresponding private key. See Use DKIM to validate outbound email sent from your custom domain. Adding DMARC records to your customers' domain DNS allows you to specify what receiving email systems should do with messages that fail the check (e.g. accept, quarantine or reject). This way you can Use DMARC to validate email and ensure the destination email systems trust messages sent from your customers' domains. The DNS records for DKIM are very specific, and we recommend either copying the values directly from the M365 admin center or using automation such as a PowerShell script to reliably create the correct DNS records.
 Enable Unified Audit Log: Enterprise tenants will have this enabled by default;
however, partners should verify the auditing status for their customer organizations. The
audit log is required for several security scenarios in this guide.
 Enable Alert Policies: Microsoft provides built-in alert policies. On the Alert policies
page, the names of these built-in policies are in bold, and the policy type is defined as
System. Configure the policy to send email notifications to the technical or
administrative contacts defined earlier in this guide.
 Enable preset security policy: Start with Standard protection for the entire domain. If
your customer has specific users that are either sensitive to or targets for malicious
email or SPAM, consider the Strict level of protection for them. For more information
see Set up steps for the Standard or Strict preset security policies in Microsoft Defender
for Office 365.
 Block auto forwarding: New tenants will have the outbound spam policy configured to
block automatic forwarding. For existing tenants, this is a way to help prevent business
email compromises.
 Respond to user Phishing reports: Enable users to report false positives (good email
marked as bad) or false negatives (bad email allowed) to Microsoft for analysis.
Optionally, you can set up a process to review these messages and respond to users.
For more information see Enable the Microsoft Report Message or the Report Phishing
add-ins and Admin review for reported messages.
 Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams
 Guest access in Teams: Many businesses want to use Teams to collaborate with
outside clients, suppliers, and partners beyond participating in meetings. To allow
external users to fully participate in teams, enable guest access in the Teams admin
center. We recommend enabling guest access even for security-conscious businesses
because only specific users are allowed access and they must be explicitly added to
individual teams. For more information refer to Use guest access to collaborate with
people outside your organization.
 External chat in Teams: External chat is different from guest access in that it only allows users
outside of the business to initiate a Teams chat. This is useful when it is desirable for
employees at businesses to initiate a chat just by knowing someone’s email address;
however, it may turn tricky in situations where uninvited chats are undesirable. By
default, external chat is allowed from any domain even if guest access is disabled and
we recommend the default setting for most customers; however, you can turn it off or
restrict external chat to a list of domains. For more information see Manage external
access in Microsoft Teams and Disable open federation.
 3rd party cloud storage in Teams: Teams includes the ability for users to upload and
share files from cloud storage services such as Dropbox, Box, and Google Drive. Some
businesses may want to limit cloud storage to only those services they control directly
in their Microsoft 365 tenant (SharePoint and OneDrive). For more information refer to
Manage Microsoft Teams settings for your organization and Managing third party
storage options.
 Use configuration analyzer: Partners can use the Configuration analyzer in the
Microsoft 365 Defender portal to quickly find and fix email security policies where the
settings are below the Standard protection and Strict protection profile settings in
preset security policies.
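The SPF, DKIM, DMARC, audit log and auto-forwarding items above are all verifiable from PowerShell, which is also the most reliable way to get the DKIM CNAME values the text warns about. The following script is an added example, not part of the guide: it reads what Exchange Online expects for each custom domain, compares it with what DNS actually publishes, and flags the two tenant settings. It assumes the ExchangeOnlineManagement module, the Windows DnsClient module (Resolve-DnsName) and an Exchange administrator sign-in. The DMARC reporting mailbox is a placeholder, and the expected SPF value is an assumption that holds only when all of the customer's mail originates from Exchange Online.

```powershell
# Added example (not part of the guide): verify the email-protection checklist items
# (SPF, DKIM, DMARC, unified audit log, auto-forwarding) for every custom domain of a tenant.
# Assumes ExchangeOnlineManagement, the Windows DnsClient module and an Exchange admin sign-in.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$dmarcReportMailbox = 'dmarc-reports@example.invalid'   # placeholder, replace before use
$expectedSpf        = 'v=spf1 include:spf.protection.outlook.com -all'   # assumes all mail leaves via EXO

# Return each TXT record at $Name as one string (long records are split across several strings).
function Get-TxtRecords {
    param([string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' }
    } catch { @() }
}

function Get-CnameTarget {
    param([string]$Name)
    (Resolve-DnsName -Name $Name -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
}

$report = foreach ($accepted in (Get-AcceptedDomain | Where-Object { $_.DomainName -notlike '*.onmicrosoft.com' })) {
    $d = $accepted.DomainName

    # SPF: exactly one v=spf1 record, including Exchange Online and hard-failing everything else.
    [string]$spf = Get-TxtRecords $d | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    $spfOk = ($spf -eq $expectedSpf)

    # DKIM: the two selector CNAMEs in DNS must match what the tenant expects, and signing must be on.
    $dkim = Get-DkimSigningConfig -Identity $d -ErrorAction SilentlyContinue
    $dkimDnsOk = $false
    $expectedDkim = "no DKIM config for $d - create it with New-DkimSigningConfig, publish the CNAMEs, then Set-DkimSigningConfig -Enabled `$true"
    if ($dkim) {
        $dkimDnsOk = ((Get-CnameTarget "selector1._domainkey.$d") -eq $dkim.Selector1CNAME) -and
                     ((Get-CnameTarget "selector2._domainkey.$d") -eq $dkim.Selector2CNAME)
        $expectedDkim = "selector1._domainkey CNAME $($dkim.Selector1CNAME); selector2._domainkey CNAME $($dkim.Selector2CNAME)"
    }

    # DMARC: a _dmarc TXT record whose p= tag tells receivers what to do with failing mail.
    [string]$dmarc = Get-TxtRecords "_dmarc.$d" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $dmarcPolicy = if ($dmarc -match 'p=(none|quarantine|reject)') { $Matches[1] } else { 'missing' }

    [pscustomobject]@{
        Domain        = $d
        SpfOk         = $spfOk
        DkimEnabled   = [bool]($dkim -and $dkim.Enabled)
        DkimDnsOk     = $dkimDnsOk
        DmarcPolicy   = $dmarcPolicy
        # Values to create at the DNS provider when a check fails (copied from the tenant, not typed by hand).
        ExpectedSpf   = $expectedSpf
        ExpectedDkim  = $expectedDkim
        ExpectedDmarc = "v=DMARC1; p=quarantine; rua=mailto:$dmarcReportMailbox"
    }
}
$report | Format-List

# Unified audit log: required by the alert policies and investigation scenarios in this guide.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log is off. Enable it with: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
}

# Auto-forwarding: every outbound spam policy should block it (AutoForwardingMode = Off).
Get-HostedOutboundSpamFilterPolicy |
    Where-Object { $_.AutoForwardingMode -ne 'Off' } |
    ForEach-Object { Write-Warning "Outbound spam policy '$($_.Name)' permits auto-forwarding (AutoForwardingMode = $($_.AutoForwardingMode))" }

Disconnect-ExchangeOnline -Confirm:$false
```

Run it before and after the DNS change: a domain is done when SpfOk, DkimEnabled and DkimDnsOk are all true and DmarcPolicy is quarantine or reject. Start DMARC at p=none only if the customer has third-party senders you have not yet identified, and tighten it once the reports are clean.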

Endpoint Enrollment Checklist


Enrolling devices in Microsoft 365 Business Premium is an important step partners should take
to maintain the security and compliance of their customers’ data and systems. Enrollment is the
first step to ensure that all the devices used to access their information and applications are
properly configured and managed. This helps to minimize the risk of security breaches, data
loss, and other security incidents. Once enrollment is complete, additional controls can block or
limit unknown devices from accessing data and applications. Microsoft 365 Business Premium
includes Microsoft Endpoint Manager (also known as Intune), a comprehensive device
management solution that enables customers to enroll, monitor, and manage all the devices
used in their organization, including macOS, iOS, and Android devices. Microsoft 365
Lighthouse provides partners with deployment steps that make it easy to enroll devices for
multiple customers.

Checklist item | Description | Learn more | CIS Ref.
Choose mobility management approach | iOS and Android devices can be managed via either MAM or MDM. For personally owned devices, we recommend MAM. | What is the difference between device and app management | 1.1
Configure device enrollment restrictions | For MAM deployments, block personal enrollments. | Create device platform restrictions | 1.2
Deploy App protection policies (MAM) | Protects company data on mobile devices at the application layer. | Create and deploy app protection policies |
Configure device enrollment pre-reqs for supported platforms | Prepare supported device platforms for MDM enrollment, as needed. You do not need to configure platforms you do not intend to enroll or support. | Apple: Get an Apple MDM Push certificate; Android: Connect your Google Play account; Windows: Set up enrollment for Windows devices |
Configure default compliance policy settings | We recommend using the default compliance policy settings for most deployments. | Device compliance policies in Microsoft Intune |
Create compliance policies | For each platform you intend to support, create a basic compliance policy. | Create device compliance policies in Microsoft Intune |
Enable device-based conditional access policies | Use Conditional Access to enforce app protection and device compliance policies, and prevent unauthorized device access. | Require approved app or app protection; Require compliant, hybrid join, or MFA; Block unsupported platforms; Require MFA for Intune Enrollment | 1.2
Configure Enterprise State Roaming | Allow user settings in Windows to sync with Azure AD and follow the user. | Enable Enterprise State Roaming in Azure Active Directory |
Deploy Microsoft 365 apps | Use Intune to remotely deploy the Microsoft 365 apps to managed Windows devices. | Add Microsoft 365 Apps to Windows 10/11 devices using Microsoft Intune | 2.1
Enroll devices | Company-owned devices should be Azure AD joined and enrolled. | Android; iOS; Linux; macOS; Windows | 1.1

 Choose mobility management approach: For personally owned devices, we
recommend implementing MAM (Mobile App Management). For Company-owned
devices, we recommend enrolling the devices for MDM (device-based management).
For more information, see What is the difference between device and app
management?
 Configure device enrollment restrictions: Determine in advance whether you will
need to block or allow enrollment of specific device types. For example, you can block
personal enrollment of iOS and Android devices (MAM does not require enrollment).
For more information, see Create device platform restrictions. Another reason to
consider enrollment restrictions is if you intend to use MAM, you can prevent end users
from inadvertently enrolling their device in MDM.
 Deploy App protection policies (MAM): App protection policies enable MAM on iOS
and Android mobile devices. These policies include settings that help protect data on
mobile devices, without requiring the device itself to become enrolled. For example, we
can require a PIN or biometric to use the Outlook application, instead of requiring a
passcode to open the “Home” screen of the device. We can also restrict the ability to
save company data to local storage on the device and require that data always be kept
within the boundaries of the Corporate-owned and managed applications. Microsoft
has introduced a data protection configuration framework taxonomy, organized into
distinct configuration scenarios. For more information see Data protection framework
using app protection policies. Basic recommendations include:
o From Apps > App protection policies, create policies for both iOS/iPadOS and
Android
o Target policy to Microsoft core apps (this includes Outlook)
o Block backup of org data to iCloud or Google cloud
o Send org data to Policy managed apps
o Block saving copies of org data; Allow users to save to OneDrive and SharePoint
o For remaining selections, accept the default values or choose your own
preferences, and finish creating the policy, assigning to All users.
 Configure device enrollment pre-reqs for supported platforms: Before you enroll
any devices, it may be necessary to complete some pre-requisites for certain scenarios.
You do not have to complete these steps for any device platforms you do not intend to
enroll and support in your organization:
o Get an Apple MDM Push certificate
o Connect your Google Play account
o Set up enrollment for Windows devices
 Configure default compliance policy settings: Compliance policy settings are
evaluated as the “Built-in compliance policy” by Intune. The most important setting is to
determine whether devices which have not yet been evaluated by a compliance policy
are to be considered Compliant or Not compliant. In other words, we are telling Intune
whether to treat devices as innocent until proven guilty (Compliant), or guilty until
proven innocent (Not compliant). We recommend using the default settings.
 Create compliance policies: For every device platform that you will have enrolled, we
recommend creating a compliance policy. Think of this policy as defining the “minimum
bar” that devices must reach before they are extended access to company data. For
example, you can require BitLocker for Windows devices. Note however that
compliance-based access will not be enforced until the corresponding Conditional
Access policy is deployed.
o Recommended compliance policy for Windows 10 and later:
 Turn on Device Health options including BitLocker, Secure Boot,
Require code integrity
 Turn on System Security > Device Security options including Firewall,
TPM, Antivirus and Antispyware
 Turn on Defender options including Antimalware, Antimalware
security intelligence up-to-date and Real-time protection
 Under Actions for noncompliance, set Mark device noncompliant after
1 day
 Assign the policy to All users
o For other platforms: It is generally recommended to enforce device passcode with
device encryption and code integrity where available.
 Enable device-based conditional access policies: We recommend the following
policies which can be used to help protect the device enrollment process, and enforce
device-based access controls:
o Require multifactor authentication to register or join devices to Azure AD
o Block unknown or unsupported device platforms
o Require multifactor authentication for Intune device enrollment
o Require approved app or app protection policy
o Require compliant, hybrid joined devices, or MFA
 Configure Enterprise State Roaming: Certain settings in Windows 10/11 can follow
users around between different devices. See this article for more information.
 Deploy Microsoft 365 apps: When endpoints are enrolled with Intune, assigned
software such as Microsoft 365 apps for the desktop can be automatically installed on
the device. See this article for more information. Using Intune to deploy apps also helps
establish and maintain a software inventory as outlined in CIS Control v8 2.1.
 Enroll devices: Once you have laid all the groundwork and prepared your device
policies, you can begin enrolling devices. See these articles for more details:
o Enroll Android personally owned work profile
o Enroll personally owned iOS devices
o Enroll Linux devices
o Enroll personally owned macOS devices
o Enroll personally owned Windows devices

Endpoint Protection Checklist


Checklist item | Description | Learn more | CIS Ref.
Set up Microsoft Defender for Business | Use the setup wizard for Microsoft Defender for Business to automatically onboard devices and create your initial policies including antivirus, firewall and EDR as well as set up email notification rules. | Use the setup wizard in Microsoft Defender for Business | 10.1, 4.4, 4.5
Configure Attack Surface Reduction (ASR) rules | Enable ASR rules to reduce attack surface on devices. | Attack surface reduction capabilities in Microsoft Defender for Business |
Configure disk encryption (BitLocker) policy | We recommend the silent encryption option using the Endpoint security disk encryption policy. | Encrypt Windows devices with BitLocker in Intune |
Configure compliance policy integration with Defender for Business | Defender can report a machine risk score, which can be leveraged by Intune compliance policies. | Use Microsoft Defender for Endpoint in Microsoft Intune |
Other security policies | Import other recommended security policies (device configuration profiles) | Manage device security with endpoint security policies in Microsoft Intune |

 Set up Microsoft Defender for Business: To set up Microsoft Defender for Business,
we recommend using the setup wizard provided in the Microsoft 365 Defender admin
center. The wizard will guide you through the process of onboarding your devices and
creating your initial security policies.
First, the wizard will assist you to Assign security roles and permissions in Microsoft
Defender for Business. Grant your security team access to the Microsoft 365 Defender
portal, where your security team will manage the security capabilities of your
organization, view alerts, and take any necessary actions on detected threats. Also, don’t
forget to set up email notifications for your security team to ensure that your team is
informed of alerts and vulnerabilities.
The wizard will also guide you through the process to Onboard devices to Microsoft
Defender for Business. If you are already using Intune, you can continue using it to
Manage endpoint security in Microsoft Intune; otherwise you can use the Microsoft 365
Defender portal to onboard devices.
Finally, you can configure your security policies. Defender includes default security
policies for next-generation protection and firewall protection that can be applied to
your company's devices. These default policies use recommended settings and are
designed to provide strong protection for your devices. You also have the option to
create your own security policies. See View and edit security policies and settings in
Microsoft Defender for Business.
 Configure Attack Surface Reduction (ASR) rules: There are several features available
in the Windows Operating System that are generally not needed by the average
information worker. It is a best practice to close doors that you yourself do not intend
to walk through, so we have Attack Surface Reduction rules to turn off some of these
superfluous capabilities. The Threat and Vulnerability Management in Microsoft
Defender for Business will recommend which ASR policies to turn on first. See Review
remediation actions in the Action center for more information. If you’d like to test the
impact of a rule before enabling it, then enable the rule in Audit mode and use the
attack surface reduction report to view detections. For more information see Attack
surface reduction capabilities in Microsoft Defender for Business.
 Configure disk encryption policy: We recommend configuring your disk encryption
policy to enable BitLocker in Silent mode. That means the end user is not prompted for
any inputs, and the service is configured “silently” in the background. Here are the
settings to include in your policy to make this happen:
o BitLocker base settings
 Enable full disk encryption for OS and fixed data drives
 Hide prompt about third-party encryption
 Allow standard users to enable encryption during autopilot
 Enable rotation on Azure AD Joined devices
o BitLocker fixed drive settings
 Recovery key file creation: Allowed
 Configure BitLocker recovery package: Password and key
 Require device to back up recovery information to Azure AD
 Recovery password creation: Allowed
 Hide recovery options during BitLocker setup
 Block the use of certificate-based data recovery agent (DRA)
 Block write access to fixed data drives not protected by BitLocker
o BitLocker OS drive settings
 Startup authentication required
 Compatible TPM required
 Compatible startup PIN: Blocked
 Compatible startup key: Blocked
 Compatible startup key and PIN: Blocked
 Disable BitLocker on devices where TPM incompatible
 Recovery key file creation: Allowed
 Configure BitLocker recovery package: Password and key
 Require device to back up recovery information to Azure AD
 Recovery password creation: Allowed
 Hide recovery options during BitLocker setup
 Block the use of certificate-based data recovery agent (DRA)
 Configure compliance policy integration with Defender for Business: Microsoft
Defender for Business integrates with Intune compliance policies and reports a “device
risk score” that can be leveraged as a bar for device compliance. When you combine
this with Conditional Access, it means that devices which are considered “at risk” will
lose access to resources until the problem is resolved, and the risk score returns to a
clear state. See this article for more information: Use Microsoft Defender for Endpoint in
Microsoft Intune.
o Recommended Windows policy:
 From Endpoint Security > Device compliance, create a new policy for
Windows 10 and later devices
 Configure the Compliance settings for Microsoft Defender for Endpoint:
 Set Require the device risk score… to Clear
 Assign to All users
 Other security policies: You may want to create additional endpoint configuration
profiles to establish a secure baseline for your Company owned endpoints. See
Overview of using Microsoft 365 Lighthouse baselines to deploy standard tenant
configurations and Create a device profile in Microsoft Intune for more information.
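The Windows compliance policy recommended under "Create compliance policies" in the Endpoint Enrollment checklist and the Defender risk-score check described under "Configure compliance policy integration with Defender for Business" are two parts of the same Intune policy, so one script covers both. The following is an added example, not code from the guide or from Microsoft: it creates the policy through Microsoft Graph with the Device Health, Device Security and Defender settings listed above, requires a "Clear" risk score, marks devices noncompliant after one day, and assigns the policy to all users. It assumes the Microsoft.Graph.Authentication module and an Intune administrator sign-in; the property names are those of the Graph windows10CompliancePolicy resource, and the noncompliance rule name is the one Intune uses for its default rule.

```powershell
# Added example (not part of the guide): create the recommended Windows 10/11 compliance
# policy via Microsoft Graph, including the Defender for Business device risk score check.
# Assumes Microsoft.Graph.Authentication and an Intune administrator sign-in.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$policy = @{
    '@odata.type' = '#microsoft.graph.windows10CompliancePolicy'
    displayName   = 'Windows 10 and later - baseline compliance'
    description   = 'Device Health, Device Security, Defender and Defender for Business risk score'
    # Device Health
    bitLockerEnabled       = $true
    secureBootEnabled      = $true
    codeIntegrityEnabled   = $true
    # System Security > Device Security
    activeFirewallRequired = $true
    tpmRequired            = $true
    antivirusRequired      = $true
    antiSpywareRequired    = $true
    # Microsoft Defender: antimalware on, security intelligence current, real-time protection on
    defenderEnabled        = $true
    signatureOutOfDate     = $true
    rtpEnabled             = $true
    # Defender for Business risk score: "Clear" in the portal is "secured" in the Graph enum
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = 'secured'
    # Actions for noncompliance: mark the device noncompliant after 1 day (24 h grace period)
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'   # name Intune uses for its default noncompliance rule
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 24; notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body ($policy | ConvertTo-Json -Depth 6) -ContentType 'application/json'

# Assign to All users (licensed users), as the checklist recommends.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created compliance policy '$($created.displayName)' with id $($created.id)"
```

As the text notes, the policy only reports compliance until the matching Conditional Access policy (require compliant device) exists; deploy that policy in report-only mode first so you can see which devices would be blocked.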
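Policies deployed from Intune are only as good as their effect on the endpoint, so it is worth having a device-side check for the BitLocker and ASR items above. The following is an added example, not part of the guide: run in an elevated session on an enrolled Windows 10/11 device, it reports whether the OS drive matches the silent-encryption policy (TPM-only startup, recovery password escrowed), lists each ASR rule with its mode, and summarizes recent ASR block and audit events so you can see what an Audit-mode rule would have stopped. It assumes the built-in BitLocker, TrustedPlatformModule and Defender PowerShell modules; the event IDs and the message fields it parses are those of the Defender operational log.

```powershell
# Added example (not part of the guide): verify BitLocker and ASR state on one enrolled device.
# Requires an elevated session and the built-in BitLocker, TrustedPlatformModule and Defender modules.

# BitLocker: OS drive fully encrypted, protected by TPM only (no PIN or startup key, as in the
# recommended policy), with a recovery password present for escrow to Azure AD.
function Test-BitLockerBaseline {
    $os  = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $kpt = @($os.KeyProtector.KeyProtectorType)          # e.g. Tpm, RecoveryPassword, TpmPin
    [pscustomobject]@{
        Drive            = $os.MountPoint
        VolumeStatus     = $os.VolumeStatus               # FullyEncrypted expected
        ProtectionOn     = ($os.ProtectionStatus -eq 'On')
        TpmOnlyStartup   = ('Tpm' -in $kpt) -and -not ($kpt -match 'Pin|StartupKey')
        RecoveryPassword = ('RecoveryPassword' -in $kpt)
        TpmReady         = (Get-Tpm).TpmReady
    }
}

# Escrow every recovery password to Azure AD. The policy setting "Require device to back up
# recovery information to Azure AD" does this automatically; this repairs a device that missed it.
function Backup-RecoveryPasswordToAzureAD {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    foreach ($kp in ($os.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}

# ASR: each configured rule with its mode (0 = Off, 1 = Block, 2 = Audit, 6 = Warn).
function Get-AsrRuleState {
    $pref    = Get-MpPreference
    $modes   = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{ RuleId = $ids[$i]; Mode = $modes[[int]$actions[$i]] }
    }
}

# ASR detections from the local Defender log: event 1121 = blocked, 1122 = audited.
# Grouping by rule shows which Audit-mode rules can move to Block without user impact.
function Get-AsrDetections {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $ruleId = if ($_.Message -match 'ID:\s*([0-9a-fA-F-]{36})') { $Matches[1] } else { 'unknown' }
        $path   = if ($_.Message -match 'Path:\s*(.+)') { $Matches[1].Trim() } else { '' }
        $mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
        [pscustomobject]@{ Time = $_.TimeCreated; Mode = $mode; RuleId = $ruleId; Path = $path }
    } | Group-Object RuleId, Mode | Sort-Object Count -Descending | Select-Object Count, Name
}

# Put a single rule into Audit mode locally for testing, the approach the text recommends
# before enforcing it; in production the mode comes from the Intune/Defender policy.
function Set-AsrRuleAudit {
    param([Parameter(Mandatory)][string]$RuleId)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode
}

Test-BitLockerBaseline
Get-AsrRuleState
Get-AsrDetections -Days 7
```

A device that shows TpmOnlyStartup false usually has a leftover PIN or startup-key protector from a previous configuration; RecoveryPassword false means the silent policy has not applied yet, and no recovery key has been escrowed, which is the state you most want to catch before the disk is locked.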
Data Protection Checklist
Data protection is crucial in Microsoft 365 Business Premium as it ensures the confidentiality,
integrity, and availability of sensitive business information stored within the platform. This
includes personal information of employees and customers, financial data, and other critical
business records. By implementing robust data protection measures for your customers, you
can help safeguard their data against cyber-attacks, unauthorized access, and accidental loss,
thus maintaining the trust of their stakeholders and complying with relevant data protection
regulations.

Checklist item | Description | Learn more | CIS Ref.
Create and publish Sensitivity labels | Provides the ability to classify documents according to sensitivity, including encryption for confidential information. | Create and publish sensitivity labels |
Create DLP policies | Monitor or block external sharing of sensitive information. | Create a DLP policy from a template |
Create a retention policy for Exchange mailboxes, and other locations as needed | This allows you to retain mailbox data when employees leave the organization. | Get started with data lifecycle management |

 Create and publish Sensitivity labels: Sensitivity labels help end users to classify and
protect sensitive or proprietary information, including company files, emails, and sites or
groups (such as Teams). A common deployment might contain the following labels:

Label name | Description | Files & emails | Groups & sites
Personal | Non-business data that is intended for personal use only. | No restrictions | Not defined
Public | Business data intended for public consumption. | No restrictions | Not defined
General | Business data that can be shared as needed for business purposes. | No restrictions | Allow external guests and sharing with Anyone
Confidential | Business data that is sensitive and should be shared discreetly. | Apply encryption for Any authenticated user | Allow external guests and sharing with New and Existing guests
Highly Confidential | Business data that should never be shared externally. | Apply encryption for internal users only | Block external guests and sharing

 Create DLP policies: Microsoft 365 Business Premium tenants come with a default DLP
policy, and you can modify this for customers based on potentially sensitive data
discovered in the tenant. For more information see Get started with the default DLP
policy.
 Create retention policies: We recommend defining at minimum a retention policy for
Exchange email. Once you have a mailbox retention policy in place, you can take
advantage of Inactive mailboxes, which means that within the retention timeframe, you
can still recover or restore the mailboxes of departed employees who have left the
organization. You can also deploy retention policies for other locations in Microsoft 365
such as OneDrive and SharePoint. Always be sure that your retention policy parameters
follow organizational as well as State and Federal requirements.
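The retention item above is the one data-protection control whose absence is only noticed after an employee has left, so it is worth scripting. The following is an added example, not part of the guide: it creates a minimum retention policy for all Exchange mailboxes (retain only, no deletion) and then lists the inactive mailboxes that the policy keeps recoverable. It assumes the ExchangeOnlineManagement module, a Compliance administrator role for the policy and an Exchange administrator role for the mailbox query; the seven-year duration is a placeholder to be replaced with the customer's own legal and organizational requirement.

```powershell
# Added example (not part of the guide): baseline Exchange mailbox retention and a review of
# the inactive mailboxes it preserves. Assumes ExchangeOnlineManagement and admin roles as above.
Import-Module ExchangeOnlineManagement

$policyName    = 'Exchange mailbox retention - baseline'
$retentionDays = 7 * 365   # placeholder: set from the customer's retention requirements

# Security & Compliance PowerShell session for retention policies.
Connect-IPPSSession
if (-not (Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    # Apply to every Exchange mailbox; Keep retains content without ever deleting it.
    New-RetentionCompliancePolicy -Name $policyName -ExchangeLocation All -Enabled $true
    New-RetentionComplianceRule -Name "$policyName rule" -Policy $policyName `
        -RetentionDuration $retentionDays `
        -RetentionComplianceAction Keep `
        -ExpirationDateOption ModificationAgeInDays
    "Created retention policy '$policyName' ($retentionDays days, keep only)"
} else {
    "Retention policy '$policyName' already exists"
}
Disconnect-ExchangeOnline -Confirm:$false

# Exchange Online session: mailboxes of deleted users are kept as inactive mailboxes while
# the policy applies to them, and remain recoverable within the retention window.
Connect-ExchangeOnline
Get-Mailbox -InactiveMailboxOnly -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress, WhenSoftDeleted |
    Sort-Object WhenSoftDeleted -Descending
Disconnect-ExchangeOnline -Confirm:$false
```

Run the second half periodically: an inactive mailbox that is missing for a known departure means the user was deleted before the policy covered the mailbox, and the data is on the soft-delete timer rather than under retention.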
Advanced Security and Additional Recommendations
In the previous sections we have covered the essential steps required to quickly secure your
customers’ Microsoft 365 environment. However, implementing the steps outlined in this
section will provide an extra layer of security and help you protect your organization's sensitive
information even better. These steps are not mandatory but are highly recommended for
optimal security and you should review them for additional considerations that may apply to
your customer.

Advanced Identity Protection Checklist


By taking extra steps to implement advanced identity protection features in Azure AD Premium
P1 (Included in M365 Business Premium), partners can help safeguard their customer’s business
and maintain the trust of their stakeholders by providing extra layers of security to protect
identities and sensitive information from malicious actors.

Checklist item | Description | Learn more | CIS Ref.
Use FIDO2 keys for passwordless authentication | Consider using strong authentication for global admins as well as access to highly sensitive apps and data. | Enable passwordless security key sign-in | 6.6, 12.7, 16.11
Secure MFA and self-service password reset registration | Restrict when and how users register for Azure AD multifactor Authentication and self-service password reset with a Conditional Access policy | Common Conditional Access policy: Securing security info registration | 6.6
Manage customer consent to applications & permissions requests | Reduce the risk of threat actors using malicious applications to trick users into granting them access to your customers’ data by managing user consent requests. | Configure how users consent to applications | 3.3
Configure granular control of Azure AD external identities | Manage how your customer collaborates with other Azure AD tenants with B2B direct connect. | Overview: Cross-tenant access with Azure AD External Identities | 6.3

 Use FIDO2 keys for passwordless authentication: Enable passwordless security key
sign-in by using a FIDO2 security key. This provides more security for your organization
and is also phishing resistant. With this method, users can authenticate to web-based
applications using their Azure AD account without the need for a username or
password.
 Secure MFA and self-service password reset registration by only allowing users to
register for MFA and configure self-service password reset from trusted locations. You
can provide your customers a Temporary Access Pass if they need to register from a
different location after verifying their identity.
 Manage customer consent to applications & permissions requests - By default, all
users are allowed to consent to applications for permissions that don't require
administrator consent. You can provide additional security value by managing this for
your customer and routing user consent requests to you for approval. See Configure the
admin consent workflow for more information.
 Configure granular control of Azure AD external identities - Control how external
Azure AD organizations collaborate with your customer. For example, your customer
may want to require MFA for guest access to their tenant or specify who can invite
guests to Teams.
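Two of the Conditional Access policies this guide recommends, "Require approved app or app protection policy" from the Endpoint Enrollment checklist and the security-info registration policy described just above, share the same shape and are best created together in report-only mode. The following is an added example, not part of the guide: it creates both policies through Microsoft Graph with state set to report-only, so the sign-in logs show who would have been affected before anything is enforced. It assumes the Microsoft.Graph.Authentication module and a Conditional Access administrator sign-in; the emergency-access account is a placeholder you must replace, and excluding such an account is an assumption of good practice rather than something the guide states.

```powershell
# Added example (not part of the guide): create two recommended Conditional Access policies in
# report-only mode via Microsoft Graph. Assumes Microsoft.Graph.Authentication and a CA admin sign-in.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# Placeholder: an emergency-access (break-glass) account excluded from every policy.
$breakGlassUpn = 'breakglass@example.invalid'
$breakGlassId  = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$breakGlassUpn").id

function New-ReportOnlyCaPolicy {
    param([hashtable]$Policy)
    # Report-only: evaluated and logged, never enforced, until you switch state to 'enabled'.
    $Policy.state = 'enabledForReportingButNotEnforced'
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
        -Body ($Policy | ConvertTo-Json -Depth 8) -ContentType 'application/json'
}

# 1. Require approved app or app protection policy on iOS/Android (Endpoint Enrollment checklist).
$mobileAppProtection = @{
    displayName = 'Mobile: require approved app or app protection policy'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        platforms      = @{ includePlatforms = @('iOS', 'android') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('approvedApplication', 'compliantApplication') }
}

# 2. Secure security info registration: block MFA/SSPR registration outside trusted locations.
$secureRegistration = @{
    displayName = 'Register security info only from trusted locations'
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications = @{ includeUserActions = @('urn:user:registersecurityinfo') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($p in @($mobileAppProtection, $secureRegistration)) {
    $created = New-ReportOnlyCaPolicy -Policy $p
    "Created '$($created.displayName)' in state $($created.state) (id $($created.id))"
}
```

The registration policy only works as intended if at least one trusted named location exists; a user who must register from elsewhere gets a Temporary Access Pass after identity verification, as the text describes, rather than an exception in the policy.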

Advanced Email & Apps Protection


Phishing and malware attacks are among the most common threats faced by SMB
organizations, and they can result in data breaches and significant financial losses.
Configuration is key to using Microsoft 365 Defender for Office 365 successfully. False positives
are disruptive to your customer’s business and a top cause for concern with email security.
Implementing advanced phishing and malware protection in Defender for Office 365 P1
(Included in M365 Business Premium) is crucial for ensuring the security of a customer’s
sensitive information and digital assets. Defender for Office 365 P1 provides advanced phishing
and malware protection features, such as threat intelligence, advanced threat protection, and
email security, to help prevent these types of attacks.

Checklist item | Description | Learn more | CIS Ref.
Configure defense in depth for email security | Review the latest guidance for Microsoft 365 Defender for Office 365 paying special attention if you’re using any kind of 3rd party filtering service. | Getting the best security value from Microsoft Defender for Office 365 when you have third party email filtering |
Configure skip listing if using a third-party email filtering device or service | Customers will have erroneous SPAM and Phishing detections if using 3rd party filtering without skip listing or bypass. | Manage mail flow using a third-party cloud service with Exchange Online |
Block all executable email attachments | Enforce a strict policy that prohibits the receipt and execution of email attachments with executable file extensions to safeguard against potential malicious software and viruses that could compromise security. | Use mail flow rules to block messages with executable attachments in Exchange Online |
Customize quarantine permissions and policies | Allow users to request release of lower risk quarantined messages. | Creating Custom quarantine policies with Request release flow |
Customize Defender for Office 365 Anti-phishing Policies | Configure additional impersonation protection for email addresses that might be impersonated by attackers, such as top-level executives, board members, and other people in key roles. | Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365 |
Extend DMARC protection to domains not used for email | Attackers may leverage seldom used domains in your customer tenant if left unprotected, including the onmicrosoft.com domain. | How to enable DMARC Reporting for Microsoft Online Email Routing Address (MOERA) and parked Domains |
Configure additional email encryption | Microsoft 365 delivers multiple encryption options to help you meet your customers’ needs for email security. | Email encryption |
Restrict external domains that can send email messages to Teams channels | Specify the domains that can send email to Teams channels. | Reduce the attack surface for Microsoft Teams |
Disable 3rd party & custom apps in Teams | Applications are a very useful part of Microsoft Teams; however, we recommend only enabling a specific list of allowed apps rather than allowing all apps by default. | Disabling Third-party & custom apps |
Customize Teams meeting settings | Consider controls on the ability of guests to request access to control presenter’s screens and how to handle anonymous participants. | Reduce the attack surface for Microsoft Teams |
Set up digest notifications | | |

 Configure skip listing if using a third-party email filtering device or service –
Microsoft Defender for Office 365, included in M365 Business Premium, has excellent
Phish and SPAM protection and we recommend configuring your MX records to point
to Office 365 so the algorithms work optimally. If a 3rd party receives mail before Office
365 and/or modifies the content of the inbound email it will cause problems with false
positives, false negatives, and email authentication errors. If you’re using a 3rd party filter
that scans email before M365 then you must either configure skip listing
(recommended) or bypass SPAM filtering. See Enhanced Filtering for Connectors in
Exchange Online for more information.
 Block all executable email attachments - If you enabled the Standard or Strict pre-set
email policy it will have enabled the Common Attachments filter to block several
executable attachment types. Many small and medium businesses do not need to send
executable attachments of any type via email. You can enhance protection to block all
executable attachments via transport rules. See Use mail flow rules to block messages
with executable attachments in Exchange Online and Configure anti-malware policies in
EOP.
 Customize quarantine permissions and policies: You can enable your customers to
triage false positives for specific verdicts (bulk, spam, phish, high confidence phish, or
malware) and request release of those items. For more information see this.
 Customize Defender for Office 365 Anti-phishing Policies: Enabling Standard or
Strict pre-set policies enables protection from phishing email threats in real-time by
using intelligent systems that inspect attachments and links for malicious content.
Safety tips can inform users when receiving email from a sender for the first time or
when the sender does not pass email authentication, which are common in phishing
scenarios. You may also want to configure policies to help prevent impersonation of key
individuals, also known as spear-phishing, or impersonation of domains that belong to
key suppliers and partners. For more information see Anti-phishing policies in Microsoft
365 and Configure anti-phishing policies in Microsoft Defender for Office 365.
 Extend DMARC protection to other domains not used for email: Best practice for
domain email security protection is to enable DMARC for all domains, even if they are
parked or not currently used for email.
 Configure additional email encryption: If you configure sensitivity labels for your
customer they will be able to send encrypted email. Your customer may have additional
requirements for email encryption such as S/MIME.
 Restrict external domains that can send email messages to Teams channels: By
default, any channel in a team can receive email from any sender. You may limit the
domains allowed to send to Teams channels. For more information see Manage and
monitor Teams.
 Disable 3rd party & custom apps in Teams: You can use app permission policies to
control the apps that are available to your customers. For more information see Use app
permission policies to control user access to apps.
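The skip-listing and executable-attachment items above are both Exchange Online configuration and can be applied and checked in one script. The following is an added example, not part of the guide: it creates two mail flow rules that reject executable attachments (one by content inspection, one by the common executable extensions, so a renamed file and a true executable are both caught) and then shows the Enhanced Filtering (skip listing) state of every partner inbound connector. It assumes the ExchangeOnlineManagement module and an Exchange administrator sign-in; the connector name is a placeholder, and the extension list is an assumption to tailor to the customer.

```powershell
# Added example (not part of the guide): block executable attachments with mail flow rules and
# check Enhanced Filtering on third-party inbound connectors. Assumes ExchangeOnlineManagement.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$rejectText = 'This organization does not accept executable email attachments.'

# Rule 1: content inspection, catches executables regardless of file extension.
if (-not (Get-TransportRule -Identity 'Block executable attachments (content)' -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name 'Block executable attachments (content)' `
        -AttachmentHasExecutableContent $true `
        -RejectMessageReasonText $rejectText `
        -RejectMessageEnhancedStatusCode '5.7.1' `
        -Comments 'Rejects messages whose attachment content is executable, even if the extension was changed.'
}

# Rule 2: extension match for script and installer types that are not always detected as executable content.
# The list is an assumption; extend it to what the customer never expects to receive by email.
$blockedExtensions = @('exe', 'scr', 'pif', 'com', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'ps1', 'msi', 'hta', 'iso', 'img')
if (-not (Get-TransportRule -Identity 'Block executable attachments (extension)' -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name 'Block executable attachments (extension)' `
        -AttachmentExtensionMatchesWords $blockedExtensions `
        -RejectMessageReasonText $rejectText `
        -RejectMessageEnhancedStatusCode '5.7.1' `
        -Comments 'Rejects messages carrying attachments with executable or script file extensions.'
}

# Skip listing: a third-party filter in front of Exchange Online must have Enhanced Filtering
# enabled on its connector, otherwise EOP sees the filter's IP as the sender and authentication fails.
Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'Partner' } |
    Select-Object Name, Enabled, EFSkipLastIP, EFSkipIPs, EFSkipMailGateway |
    ForEach-Object {
        if (-not $_.EFSkipLastIP -and -not $_.EFSkipIPs) {
            Write-Warning "Connector '$($_.Name)' has no skip listing configured"
        }
        $_
    }

# To enable skip listing on a connector (placeholder name): skip the last hop's IP,
# which is the filtering service, so EOP evaluates the original sending IP.
# Set-InboundConnector -Identity 'Third-party filter connector' -EFSkipLastIP $true

Disconnect-ExchangeOnline -Confirm:$false
```

Create the rules in reject mode only after checking the message trace for legitimate senders of these attachment types; if any exist, the safer interim is to change the action to quarantine via the Common Attachments filter and whitelist nothing at the transport-rule level.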
