Resource · Operational Checklist
Microsoft 365 security checklist.
A practical CIS-aligned hardening checklist for small and mid-sized businesses running Microsoft 365. Use it as a self-audit, a vendor-onboarding scorecard, or evidence for a cyber-insurance renewal.
1. Identity baseline
- MFA enforced for every user (Authenticator app, not SMS where possible)
- Legacy authentication blocked (POP, IMAP, SMTP basic, EWS, MAPI)
- Global Administrator role limited to 2–4 named individuals with separate admin accounts
- Privileged Identity Management (PIM) enabled for admin roles where the license allows
- Conditional Access policy: block sign-in from outside the operating geography
- Conditional Access policy: require compliant device for admin roles
- Self-service password reset enabled with security questions disabled
- Identity Protection policies: user risk and sign-in risk enabled
2. Email security
- SPF record published for every sending domain, ending in a hard-fail (-all) or, at minimum, soft-fail (~all) qualifier
- DKIM signing enabled on every active sending domain
- DMARC policy at quarantine or reject with aggregate reporting enabled
- MTA-STS policy file published and DNS records present
- TLS-RPT reporting endpoint configured
- Defender for Office 365: Safe Links, Safe Attachments, anti-phish policy enabled
- Impersonation protection on executive and finance mailboxes
- External mailbox forwarding blocked or alerted on creation
- Mailbox audit logging enabled with 365-day retention minimum
- Quarantine review process documented and assigned to an owner
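As an added example (not part of the checklist or any Microsoft tooling), a small Python self-audit that scores the DNS-side items of this section for one sending domain. The domain and the record strings are constructed sample values, not a real tenant's records; feed it the TXT records you pull from your own zone.

```python
# Self-audit of the section-2 DNS items (SPF, DMARC, MTA-STS, TLS-RPT). Added example.
SAMPLE_RECORDS = {  # constructed sample records for a hypothetical domain, not live DNS data
    "example.com": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com",
    "_mta-sts.example.com": "v=STSv1; id=20240101T000000",
    "_smtp._tls.example.com": "v=TLSRPTv1; rua=mailto:tlsrpt@example.com",
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC, MTA-STS, TLS-RPT) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    """Pass only if the record is SPF and its final term is a -all or ~all qualifier."""
    terms = record.split()
    return bool(terms) and terms[0].lower() == "v=spf1" and terms[-1].lower() in ("-all", "~all")

def check_dmarc(record):
    """Pass if p= is quarantine/reject, rua= is a mailto: URI and pct= (default 100) is 100;
    a pct below 100 silently exempts part of the mail stream from the stated policy."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("quarantine", "reject"):
        return False
    if not tags.get("rua", "").startswith("mailto:"):
        return False
    pct = tags.get("pct", "100")
    return pct.isdigit() and int(pct) == 100

def check_mta_sts(record):
    """Pass if the _mta-sts TXT record is STSv1 and carries a policy id."""
    tags = parse_tags(record)
    return tags.get("v") == "STSv1" and bool(tags.get("id"))

def check_tlsrpt(record):
    """Pass if the _smtp._tls TXT record names a mailto: or https: reporting endpoint."""
    tags = parse_tags(record)
    return tags.get("v") == "TLSRPTv1" and tags.get("rua", "").startswith(("mailto:", "https:"))

def audit_domain(domain, records):
    """Map each DNS item of this section to pass (True) or fail (False) for one sending domain."""
    return {
        "spf_fail_qualifier": check_spf(records.get(domain, "")),
        "dmarc_enforced_with_rua": check_dmarc(records.get(f"_dmarc.{domain}", "")),
        "mta_sts_dns_record": check_mta_sts(records.get(f"_mta-sts.{domain}", "")),
        "tls_rpt_endpoint": check_tlsrpt(records.get(f"_smtp._tls.{domain}", "")),
    }
```

DKIM is deliberately left out: it needs the selector names in use, so verify it from the Microsoft 365 admin portal or with a DNS lookup of the selectors your tenant publishes.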
3. Devices and endpoints
- Microsoft Intune (or equivalent MDM) enrolling every Windows, macOS, iOS, and Android device that touches Microsoft 365
- Device compliance policies: encryption required, screen lock enforced, jailbreak/root blocked
- Conditional Access tied to device compliance
- Microsoft Defender for Endpoint (or third-party EDR) deployed on every workstation and server
- Attack Surface Reduction rules enabled in block mode
- Local administrator accounts removed from standard user devices
- USB control policy in place (block or warn) for removable storage
- Patch management cadence documented (monthly minimum, weekly for security updates)
4. Data protection
- Data Loss Prevention (DLP) policies on email, SharePoint, OneDrive, and Teams
- Sensitivity labels deployed for Confidential and Restricted content
- Retention policies defined per regulatory scope (HIPAA, PCI, GDPR)
- External sharing scoped: anonymous sharing disabled, link expiry enforced
- OAuth app review: third-party apps with mailbox-read or files-read scopes reviewed quarterly
- Microsoft 365 backup with documented restore tests (Microsoft does not back up your data by default)
5. Monitoring and response
- Sign-in logs forwarded to SIEM or Sentinel with 90-day retention minimum
- Audit logs forwarded with 365-day retention minimum
- Defender XDR alerts triaged by named owner with documented response procedure
- Risky sign-in detection enabled with auto-remediation for high-risk events
- Session revocation tested as a documented runbook step
- Incident-response contact named, on-call rotation documented
6. Cyber-insurance evidence pack
- MFA enforcement screenshot or report
- EDR deployment report with coverage percentage
- Backup configuration and last successful restore-test evidence
- Patch management report (last 90 days)
- Phishing simulation results or security-awareness training completion log
- Incident response plan document with last review date
- Logging and monitoring configuration evidence
FAQ.
What Microsoft 365 license tier is required?
Business Premium covers most of this checklist. Microsoft 365 E3 + a Defender XDR / Sentinel add-on unlocks the full monitoring and response stack. The exact licensing depends on your size and compliance scope.
How long does a typical hardening rollout take?
Foundations (MFA, Conditional Access, Defender, DMARC visibility) land in two to four weeks. Full baseline (DLP, retention, DMARC reject, EDR coverage, IR runbook) is 60 to 90 days for a 50-to-150-user environment.
What if we already have most of this in place?
Most environments have 30 to 60% of the checklist done. The Cybersecurity Assessment surfaces what is missing, the underlying configuration drift, and the gaps your cyber-insurance carrier or auditor will flag.