M365 Tenant Hardening Checklist
A complete walkthrough of locking down a Microsoft 365 tenant from scratch. Email authentication, Conditional Access, device management, data protection, and audit logging. Over 40 controls, all documented.
What this covers and why
Every time I onboard a new client or take over an existing M365 tenancy, I run through the same set of checks. In practice, most tenants I inherit have the same gaps: no DMARC, Security Defaults still on instead of Conditional Access, audit logging disabled, and SharePoint sharing set to Anyone. Sometimes all four.
This document is the full checklist I work through. It's split into five areas: email authentication, identity and access, device management, data protection, and monitoring. Everything is mapped to M365 Business Premium licensing, which covers most SMBs I work with. Where something needs P2 or E3, that's noted.
SPF, DKIM, and DMARC
Email authentication is the first thing I check. It's free to configure, most tenants don't have it set up properly, and it makes a real difference to deliverability and phishing resistance. The three records work together and each one builds on the last.
| Control | What it does | Licence |
|---|---|---|
| SPF record | Declares which mail servers are authorised to send on behalf of your domain. Prevents spoofing at the envelope (MAIL FROM) level. For M365-only tenants this is usually `v=spf1 include:spf.protection.outlook.com -all` | FREE |
| DKIM signing | Cryptographically signs outbound emails so receiving servers can confirm they weren't altered in transit. Enabled per-domain in the Defender portal under Email Authentication Settings. | FREE |
| DMARC record | Ties SPF and DKIM together and tells receiving servers what to do when mail fails both checks (or passes one without the domain aligning to the From header). Start with `p=none` to monitor, then move to `p=quarantine` after reviewing reports. | FREE |
| Anti-phishing policy | Enable impersonation protection for key users and domains. Set spoof intelligence to block. Defender for Office 365 P1 (included in BP) adds mailbox intelligence for better detection. | M365 BP |
| Safe Links and Safe Attachments | Rewrite URLs at click time and detonate attachments in a sandbox before delivery. Apply to all users. Set Safe Attachments to Dynamic Delivery to avoid delays. | M365 BP |
| Disable SMTP AUTH | Legacy SMTP AUTH bypasses MFA. Disable at tenant level in the Exchange Admin Centre, then re-enable per-mailbox only for printers or line-of-business apps that genuinely need it. | FREE |
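The three records above can be checked from any Windows machine with DNS access before touching the tenant. This is an added example, not part of the original checklist; it assumes the DKIM selectors are the M365 defaults (`selector1`/`selector2`) and that the domain name is supplied by the caller.

```powershell
# Added example: audit a domain's SPF, DKIM and DMARC records and report checklist gaps.
function Test-EmailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)
    $findings = @()

    # SPF: one v=spf1 TXT record that includes the M365 senders and ends in a hard fail (-all)
    $spf = (Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'TXT' -and ($_.Strings -join '') -like 'v=spf1*' }).Strings -join ''
    if (-not $spf) { $findings += 'SPF: no v=spf1 record' }
    else {
        if ($spf -notmatch '\s-all\s*$') { $findings += "SPF: should end in -all (hard fail), found: $spf" }
        if ($spf -notlike '*include:spf.protection.outlook.com*') {
            $findings += 'SPF: include:spf.protection.outlook.com missing, so M365 mail fails SPF'
        }
    }

    # DKIM: enabling signing in the Defender portal requires both selector CNAMEs to exist
    foreach ($sel in 'selector1', 'selector2') {
        $cname = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'CNAME' }
        if (-not $cname) { $findings += "DKIM: $sel._domainkey.$Domain has no CNAME" }
    }

    # DMARC: record present, policy stronger than none, and an aggregate report address (rua)
    $dmarc = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'TXT' -and ($_.Strings -join '') -like 'v=DMARC1*' }).Strings -join ''
    if (-not $dmarc) { $findings += 'DMARC: no _dmarc record' }
    else {
        $tags = @{}
        foreach ($pair in ($dmarc -split ';')) {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
        }
        if (-not $tags['p'])      { $findings += 'DMARC: no p= tag, receivers will ignore the record' }
        if ($tags['p'] -eq 'none') { $findings += 'DMARC: p=none is monitor-only; move to quarantine once reports are clean' }
        if (-not $tags['rua'])    { $findings += 'DMARC: no rua= address, so no aggregate reports arrive' }
    }

    if ($findings) { $findings } else { "${Domain}: SPF, DKIM and DMARC all pass the checklist" }
}

Test-EmailAuthRecords -Domain 'example.com'   # replace with the tenant's primary domain
```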
MFA, Conditional Access, and admin hygiene
This is where most of the risk sits. A hardened email configuration doesn't matter much if an admin account has no MFA and a password that got breached two years ago.
| Control | What it does | Licence |
|---|---|---|
| Disable Security Defaults | Security Defaults and Conditional Access are mutually exclusive. Once you've built your CA policies, disable Security Defaults. Never leave both off at the same time, even briefly. | FREE |
| MFA for all users | Require MFA on every sign-in via Conditional Access. Block SMS as an MFA method and push users to Microsoft Authenticator with number matching turned on. | P1 |
| Block legacy authentication | IMAP, POP3, and basic auth can't do MFA. Block them via a CA policy targeting the Exchange ActiveSync and Other Clients conditions. This alone stops the majority of password spray attacks. | P1 |
| Dedicated admin accounts | No one should be doing day-to-day work as a Global Admin. Create separate cloud-only admin accounts, don't assign M365 licences to them, and use them only for admin tasks. | FREE |
| Break-glass accounts | Two emergency access accounts excluded from all CA policies. Strong, unique passwords. Monitored with an alert rule so any sign-in triggers an immediate notification. | FREE |
| Password protection | Enable Entra ID Password Protection to block common passwords and custom banned terms. Extends to on-prem AD via the Password Protection agent if hybrid. | P1 |
| Self-service password reset | Reduces helpdesk load and means users can recover accounts themselves. Require two authentication methods for SSPR to prevent it becoming a bypass route. | P1 |
| Privileged Identity Management | Makes admin roles eligible rather than permanent. Admins activate roles just-in-time when needed, with MFA and an approval workflow. Cuts standing access risk substantially. | P2 |
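The two Conditional Access policies that carry most of the weight in this table (block legacy auth, MFA for everyone) can be created in report-only mode with the break-glass accounts excluded, so their impact shows up in the sign-in log before anything is enforced. Added example, not the checklist's own script; it assumes the Microsoft.Graph module, an account holding `Policy.ReadWrite.ConditionalAccess`, and the two placeholder break-glass UPNs below.

```powershell
# Added example: baseline Conditional Access policies via Microsoft Graph PowerShell.
# The UPNs are placeholders; substitute your own break-glass accounts.
$breakGlassUpns = @('breakglass1@contoso.onmicrosoft.com', 'breakglass2@contoso.onmicrosoft.com')

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'User.Read.All'

# Exclusions take object IDs, not UPNs. Fail loudly if an account is missing rather than
# creating a policy with no exclusion that could lock out every admin.
$breakGlassIds = foreach ($upn in $breakGlassUpns) {
    $u = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id
    if (-not $u) { throw "Break-glass account $upn not found; refusing to create policies" }
    $u.Id
}

function New-BaselineCaPolicy {
    param(
        [string]$Name,
        [string[]]$ClientAppTypes,   # 'all', or 'exchangeActiveSync'/'other' for legacy protocols
        [string[]]$Controls          # 'block' or 'mfa'
    )
    $body = @{
        displayName = $Name
        # Report-only first: review the sign-in log impact, then switch to 'enabled' and turn
        # Security Defaults off in the same change (the tenant will not run both).
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = $ClientAppTypes
        }
        grantControls = @{ operator = 'OR'; builtInControls = $Controls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# IMAP, POP3, basic-auth SMTP and legacy ActiveSync cannot present MFA, so block them outright
New-BaselineCaPolicy -Name 'CA001 - Block legacy authentication' `
    -ClientAppTypes @('exchangeActiveSync', 'other') -Controls @('block')

# Every other client gets MFA on every sign-in
New-BaselineCaPolicy -Name 'CA002 - Require MFA for all users' `
    -ClientAppTypes @('all') -Controls @('mfa')
```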
Intune, BitLocker, and compliance
Device management is where M365 Business Premium earns its keep. Intune gives you full MDM without needing a separate licence, and the combination of compliance policies plus Conditional Access means you can enforce that only healthy, managed devices get access to company data.
| Control | Notes | Licence |
|---|---|---|
| Intune enrolment | All Windows devices joined via Autopilot or manual Entra ID join and auto-enrolled to Intune. macOS devices enrolled via Company Portal. | M365 BP |
| Compliance policies | Minimum OS version, BitLocker required, Defender real-time protection required, no jailbreak/root. Non-compliant devices blocked from company resources via CA. | M365 BP |
| BitLocker via Intune | Deploy BitLocker through Intune endpoint security. Set recovery keys to escrow to Entra ID automatically. TPM + PIN required. Silent encryption where the device supports it. | M365 BP |
| LAPS | Microsoft LAPS rotates the local admin password on each device and stores it in Entra ID. Stops lateral movement dead if a device is compromised. | FREE |
| Block removable storage | USB drives blocked via Attack Surface Reduction rules in Intune. Exceptions created per-device for approved hardware using device instance IDs if needed. | M365 BP |
| Defender for Endpoint | Onboarded via Intune connector. ASR rules in Block mode, real-time protection on, cloud-delivered protection enabled, and compliance integration sending risk scores to Intune. | M365 BP |
SharePoint, Teams, and sensitivity labels
Default M365 sharing settings are extremely permissive. Out of the box, SharePoint allows anonymous sharing, guests can reshare files, and there's no classification on anything. Tightening this up doesn't require licences most SMBs don't already have.
| Control | Notes | Licence |
|---|---|---|
| Restrict SharePoint sharing | Set the tenant-wide sharing limit to Existing Guests or New and Existing Guests. Turn off Allow Anyone links. Set link expiry to 30 days maximum. | FREE |
| Guest access review | Run a quarterly review of all guest accounts in Entra ID. Remove guests who haven't signed in for 90 days. Automate with Access Reviews if on P2. | FREE |
| Sensitivity labels | Create at minimum Internal, Confidential, and Highly Confidential labels. Apply to emails, files, and Teams. Confidential+ adds encryption and prevents external sharing automatically. | M365 BP |
| DLP policies | At minimum, a policy to detect UK financial data and NHS numbers being shared externally. Start in audit mode, review hits for two weeks, then enforce. | M365 BP |
| Teams external access | Restrict external federation to approved domains only. Disable federation with Teams Free and Skype consumers unless there's a business need. | FREE |
| Retention policies | Apply retention policies to Exchange, SharePoint, and Teams. Retain for a minimum of 1 year for most businesses, and 7 years for anything subject to financial regulation. | M365 BP |
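The SharePoint sharing limits and the quarterly guest review from the table above, as an added example rather than the checklist's own script. It assumes the SharePoint Online Management Shell and Microsoft.Graph modules, a placeholder tenant name of `contoso`, and (for last sign-in data) Entra ID P1, which Business Premium includes, plus the `AuditLog.Read.All` scope.

```powershell
# Added example: tighten tenant-wide sharing, then list guests with no sign-in for 90 days.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

# Capture the starting point so the change is auditable; out of the box this usually shows
# ExternalUserAndGuestSharing, which is what permits Anyone links.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    PreventExternalUsersFromResharing, ExternalUserExpirationRequired, ExternalUserExpireInDays

$sharing = @{
    SharingCapability                 = 'ExistingExternalUserSharingOnly'  # no Anyone links, no new guests via SharePoint
    DefaultSharingLinkType            = 'Internal'   # new share links default to people in the org
    PreventExternalUsersFromResharing = $true        # guests cannot forward access onwards
    ExternalUserExpirationRequired    = $true        # guest access to sites/OneDrive expires...
    ExternalUserExpireInDays          = 30           # ...after 30 days unless an owner renews it
}
Set-SPOTenant @sharing

# Quarterly guest review: anyone with no sign-in (or, if never signed in, created) in 90 days
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All'
$cutoff = (Get-Date).AddDays(-90)
$staleGuests = Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property Id, DisplayName, Mail, CreatedDateTime, SignInActivity |
    Where-Object {
        $last = $_.SignInActivity.LastSignInDateTime
        $(if ($last) { $last } else { $_.CreatedDateTime }) -lt $cutoff
    }

$staleGuests |
    Select-Object DisplayName, Mail, CreatedDateTime,
        @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } } |
    Format-Table -AutoSize
# Confirm with the site owners before removing: Remove-MgUser -UserId <Id>
```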
Audit logging and alert policies
Hardening a tenant is only half the job. You also need to know when something goes wrong. The Unified Audit Log captures everything that happens in M365, but you have to make sure it's turned on and that you're actually reviewing the right events.
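Two things worth scripting straight away: confirming the Unified Audit Log is actually ingesting, and pulling the handful of events that most often signal a compromised mailbox or admin account. Added example, not from the original checklist; it assumes the ExchangeOnlineManagement module and an account with the Audit Logs role.

```powershell
# Added example: verify audit ingestion, then review inbox-rule and admin-role events from the last 7 days.
Connect-ExchangeOnline

if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Ingestion can take hours to begin, and nothing before this point is recoverable
}

$window = @{ StartDate = (Get-Date).AddDays(-7); EndDate = Get-Date; ResultSize = 5000 }

# New or changed inbox rules: check for rules that forward, redirect or delete mail,
# which is how a hijacked mailbox is typically kept quiet
Search-UnifiedAuditLog @window -Operations 'New-InboxRule', 'Set-InboxRule' |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When       = $_.CreationDate
            User       = $_.UserIds
            Operation  = $_.Operations
            Parameters = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        }
    } | Format-Table -AutoSize

# Role membership changes: anyone added to an admin role outside a change window needs explaining
Search-UnifiedAuditLog @window -RecordType AzureActiveDirectory -Operations 'Add member to role.' |
    Select-Object CreationDate, UserIds,
        @{ n = 'Target'; e = { ($_.AuditData | ConvertFrom-Json).ObjectId } } |
    Format-Table -AutoSize
```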