Microsoft 365 Security Checklist

time to read: 11 min
microsoft-365-azure-entra-id-security-checklist

Table of Contents

Download the Microsoft 365 checklist

While the Microsoft 365 and Azure Entra ID security checklist will be provided at the end of this article (plus a downloadable PDF), I believe it is important to discuss its most critical parts. 

Just going item by item may seem systematic, but it isn’t. 

If implemented incorrectly, any one of the 200 items on the checklist may give you a false sense of security or, worse, decrease your defense levels. 

For example, “Implement MFA” might seem logical, but there are nuances that even highly technical experts without years of attack/defense experience will miss. 

How? 

Just Google “bypass Microsoft 365 MFA“!

So how should you approach using and implementing the checklist? 

Research!

Every item on the list requires research, planning, and testing. 

Create a small group of test users, include yourself (or a test account of yours, which is safer) in it, and test in small batches. It is tempting to implement a lot of changes at once, but then you risk users complaining, services stopping, and all kinds of other issues, and you would have a hard time knowing which change caused the problem(s). 

Account Security

Multi-Factor Authentication (MFA): Enable MFA for all users is critical but must be implemented cautiously. For example, there are quite expensive but rock-solid ways of implementation, such as allowing Yubikey (or another brand of security physical keys) only. In that case, it would be nearly impossible for a hacker to log in, but you would have to buy 2 devices for each user (one backup, one primary in case they lose the primary device) and configure 2 devices per user. As always, the most secure configuration requires the highest time and resources investment. Another option which is just as secure is certificate-based authentication as MFA for 365/Entra ID. Once again, not an easy solution, but the easy solutions are the ones that can be bypassed. The  least secure MFA option would be SMS-based verification, because intercepting SMS or creating a phishing page capturing the SMS code is trivially easy and can be done by kids. 

Conditional Access Policies: They allow you to enforce MFA for specific scenarios, such as accessing sensitive data or applications, providing an additional layer of security based on user location, device compliance, and risk level. One great way of using conditional access policies is restricting login to compliant, company-owned devices only. But that would require you to increase your licensing level to include Intune. 

Legacy Authentication Protocols: Disable legacy authentication protocols, which do not support MFA, to mitigate vulnerabilities associated with older, less secure authentication methods.

Password Policies: Implement strong password policies, including complexity requirements, minimum length, and expiration periods, to ensure that user passwords are resilient against brute-force attacks.

Passwordless Authentication: Utilize options such as Windows Hello for Business and FIDO2 security keys to provide secure and user-friendly alternatives to traditional passwords, enhancing both security and user experience. 

Sign-In Monitoring: Regularly monitor user sign-ins for anomalies to detect and respond to suspicious activities, such as failed login attempts and sign-ins from unfamiliar locations. Ideally you would assign someone to do that every day, first thing in the morning. Alternatively, hire a cybersecurity expert or a third-party cybersecurity service to do that for you. Otherwise, the moment a breach happens, how would you know? 

Self-Service Password Reset (SSPR): Allow users to reset their passwords securely without administrative intervention, reducing helpdesk workload and ensuring users can regain access quickly if they forget their passwords.

Application Security

Application Registration: Register all applications in Azure AD to ensure they are managed securely, with appropriate permissions and access controls.

OAuth 2.0: Use OAuth 2.0 for application authentication to ensure secure access to resources by granting tokens with limited permissions.

App Permissions: Configure app permissions based on the principle of least privilege to minimize the risk of over-privileged applications being exploited.

App Governance: Enforce app governance policies and regularly review third-party app access to maintain control over the applications integrated with your environment.

Single Sign-On (SSO): Enable SSO to simplify user access to multiple applications, reduce password fatigue, and enhance security by centralizing authentication.

Managed Identities: Use managed identities for Azure resources to eliminate the need for hard-coded credentials in your code, enhancing security and ease of management.

Data Protection

Data Loss Prevention (DLP): Enable DLP policies to help prevent sensitive information from being inadvertently shared or leaked by detecting and blocking risky data transfers.

Sensitivity Labels: Configure sensitivity labels to classify and protect data based on its sensitivity, applying appropriate encryption and access controls.

Microsoft Information Protection (MIP): Use MIP to classify, label, and protect data, ensuring that sensitive information is handled securely.

Encryption: Enable encryption at rest and in transit to ensure that data is protected from unauthorized access during storage and transmission. One key aspect here is that some files should be encrypted at all times – meaning, you should use some form of 3rd party encryption (BoxCryptor, for example) or protect the files using their built-in security mechanisms (password to open, for example). 

Retention Policies: Implement data retention policies to ensure that data is retained for the necessary period for compliance and business requirements, while also facilitating secure disposal of data that is no longer needed.

Email Security

Defender for Office 365: Use Microsoft Defender for Office 365 to provide advanced threat protection for emails, including anti-phishing, anti-malware, and safe links and attachments.

Email Encryption: Enable email encryption to ensure that sensitive email content can only be accessed by intended recipients, protecting it from interception and unauthorized access.

Anti-Phishing Policies: Configure anti-phishing policies to help detect and block phishing attempts, protecting users from fraudulent emails designed to steal credentials or sensitive information.

DKIM, DMARC, and SPF: Implement these email authentication protocols to verify the legitimacy of emails sent from your domain, reducing the risk of email spoofing and phishing attacks.

Audit Logging: Enable audit logging for mailbox activities to provide visibility into actions taken within mailboxes, helping detect and investigate suspicious activities.

Device Security

Intune MDM: Enroll devices in Microsoft Intune for Mobile Device Management (MDM) to ensure that devices are configured, managed, and secured according to your organization’s policies.

microsoft 365 security checklist 1

After enrolling your devices, make sure you have at least the baseline policies enabled. 

Compliance Policies: Set up device compliance policies to ensure that only devices meeting your security requirements can access corporate resources, enhancing overall security.

BitLocker Encryption: Enable BitLocker encryption for all devices to protect data at rest by encrypting the entire drive, preventing unauthorized access if the device is lost or stolen.

Endpoint Detection and Response (EDR): Implement EDR solutions to help detect, investigate, and respond to advanced threats targeting endpoints, providing robust protection against sophisticated attacks. One great option I often recommend is to use Defender for Endpoint P2 as a separate license; it is well worth the cost.

Windows Defender: Use Windows Defender Antivirus and Firewall to provide comprehensive protection against malware and network threats, safeguarding your devices and data.

Network Security

Azure Firewall: Use Azure Firewall to secure network traffic and help protect your resources from unauthorized access and threats by applying network security policies.

Network Security Groups (NSGs): Implement NSGs to control inbound and outbound traffic to your Azure resources, enhancing network security through fine-grained access controls.

DDoS Protection: Enable Azure DDoS Protection to help safeguard your applications from distributed denial-of-service attacks, ensuring high availability and performance.

VPNs: Use Virtual Private Networks (VPNs) for secure remote access to ensure that data transmitted between remote users and corporate resources is encrypted and protected from interception.

Azure Bastion: Configure Azure Bastion for secure RDP/SSH access to eliminate the need for public IP addresses on your virtual machines, reducing the attack surface.

Identity and Access Management (IAM)

Privileged Identity Management (PIM): Configure PIM to help manage, control, and monitor access to important resources, ensuring that privileged roles are only granted when necessary and for a limited time.

Conditional Access Policies: Implement Conditional Access policies for critical applications to ensure that access is granted based on defined criteria, such as user risk, device compliance, and location. To enable location-based conditional access policies you would need to first specify networks and locations and name them. Then you can use them in the policies. 

Role-Based Access Control (RBAC): Use RBAC to assign permissions based on roles to ensure that users only have access to the resources necessary for their job functions, minimizing the risk of over-privileged accounts.

Identity Protection: Enable Azure AD Identity Protection to help detect and respond to identity-based risks, such as compromised accounts and risky sign-ins, enhancing overall security.

Access Reviews: Regularly conduct access reviews to ensure that only authorized users have access to critical resources, maintaining a secure and compliant environment.

General Security Practices

Regular Security Reviews: Most security standards or frameworks would suggest having yearly security audits, but for most companies that is not feasible nor practical. My recommendation is to run at least one comprehensive security audit when you start working on your defenses. Then, do yearly short reviews on what was done and what you plan to implement next year. 

Security Training: Providing security training and awareness programs for your employees because it helps cultivate a security-conscious culture. Human error is the most likely reason for most security incidents, by addressing this you will decrease the number of incidents. 

Incident Response Plans: Develop and test incident response plans at least once a year. If your company has more than 500 employees, test the DFIR plans twice a year. Your organization should be prepared to respond effectively to security incidents and minimize potential damage.

Logging and Monitoring: Enabling comprehensive logging and monitoring across all services will give you visibility into suspicious activities and events. You should be able to quickly detect a regular employee running VBA scripts, PowerShell scripts, or suspicious binaries they should not be running. This will help you detect and respond to security threats promptly.

Zero-Trust Security Model: Implement a zero-trust security model to ensure that all access requests are thoroughly verified, regardless of their origin, enhancing overall security.

Microsoft 365 and Azure Entra ID Security Checklist

Account Security

  1. Enable Multi-Factor Authentication (MFA) for all users.
  2. Use Conditional Access Policies to enforce MFA for specific scenarios.
  3. Disable legacy authentication protocols.
  4. Enforce password policies (complexity, length, expiration).
  5. Implement passwordless authentication options.
  6. Monitor and manage user sign-ins for anomalies.
  7. Review and audit user roles and permissions regularly.
  8. Set up self-service password reset (SSPR).
  9. Enable risk-based Conditional Access policies.
  10. Use Azure AD Identity Protection for risk detection and response.
  11. Configure Azure AD Password Protection to block common passwords.
  12. Set up Azure AD authentication methods policies.
  13. Enable sign-in risk policy to prompt for additional verification.
  14. Review sign-in logs and risky sign-in reports.
  15. Enable user risk policy to block compromised accounts.
  16. Configure account lockout settings to prevent brute force attacks.
  17. Enable Continuous Access Evaluation (CAE).
  18. Set up emergency access accounts.
  19. Implement time-based one-time password (TOTP) for MFA.
  20. Use Azure AD smart lockout to block brute force attacks.
  21. Review and manage service account permissions.
  22. Enable password expiration notifications.
  23. Set up Azure AD Identity Governance.
  24. Use Azure AD B2B for secure guest access.
  25. Implement dynamic groups for automated membership management.
  26. Configure MFA registration policies to enforce timely registration.
  27. Enable password hash synchronization.
  28. Use PIM to manage Azure AD roles.
  29. Regularly review and remove inactive user accounts.
  30. Configure session controls for additional access security.

Application Security

  1. Register all applications in Azure AD.
  2. Use OAuth 2.0 for application authentication.
  3. Configure app permissions to follow the principle of least privilege.
  4. Monitor consented permissions and remove unused app registrations.
  5. Enable App Governance policies.
  6. Review third-party application access regularly.
  7. Enforce application-specific Conditional Access policies.
  8. Implement API management for custom applications.
  9. Use managed identities for Azure resources.
  10. Set up secure application secret storage.
  11. Enable single sign-on (SSO) for enterprise applications.
  12. Configure application proxy for secure remote access.
  13. Review and manage service principal permissions.
  14. Set up application insights for monitoring app performance and security.
  15. Enable Microsoft Defender for Cloud Apps.
  16. Monitor and control OAuth app behavior.
  17. Implement certificate-based authentication for apps.
  18. Configure lifecycle policies for application objects.
  19. Set up app registration ownership review.
  20. Enable Conditional Access App Control.
  21. Use application role assignments for access control.
  22. Regularly audit API permissions and usage.
  23. Configure app consent policies to control user consent.
  24. Use managed identities to avoid hardcoding credentials.
  25. Enable service principal logging and monitoring.

Data Protection

  1. Enable Data Loss Prevention (DLP) policies.
  2. Configure sensitivity labels for classification and protection.
  3. Use Microsoft Information Protection (MIP).
  4. Enable Azure Information Protection (AIP).
  5. Encrypt sensitive data at rest and in transit.
  6. Use Customer Key for Microsoft 365.
  7. Enable Rights Management Services (RMS).
  8. Implement data retention policies.
  9. Regularly audit data access and sharing.
  10. Secure OneDrive and SharePoint with advanced security settings.
  11. Enable Microsoft Purview for comprehensive data governance.
  12. Configure eDiscovery and legal hold for compliance.
  13. Set up data classifications to identify and protect sensitive information.
  14. Enable file activity monitoring and alerts.
  15. Use Microsoft Defender for Endpoint to protect data on devices.
  16. Configure sensitivity labels for Teams, SharePoint, and OneDrive.
  17. Enable encryption for Office 365 messages.
  18. Set up records management for regulatory compliance.
  19. Monitor data access patterns for anomalies.
  20. Configure and manage data at rest encryption policies.
  21. Implement data classification policies for emails and documents.
  22. Enable Advanced Data Governance.
  23. Use Information Rights Management (IRM) to protect documents.
  24. Set up policies for automatic data labeling.
  25. Enable endpoint DLP to monitor and protect data on devices.

Email Security

  1. Enable Microsoft Defender for Office 365.
  2. Configure anti-phishing policies.
  3. Set up safe links and safe attachments.
  4. Enable email encryption.
  5. Implement outbound spam filtering.
  6. Use DKIM, DMARC, and SPF to secure email domains.
  7. Monitor email activity for anomalies.
  8. Train users to recognize phishing attempts.
  9. Set up Exchange Online Protection (EOP).
  10. Review and manage mailbox permissions.
  11. Enable audit logging for mailbox activity.
  12. Configure junk email settings and policies.
  13. Set up automatic forwarding restrictions.
  14. Enable advanced threat protection for emails.
  15. Monitor for email forwarding rules that may indicate compromise.
  16. Configure mailbox auditing for critical users.
  17. Set up quarantine policies for suspicious emails.
  18. Use Threat Explorer to investigate email threats.
  19. Enable Zero-Hour Auto Purge (ZAP) for malware and phishing.
  20. Configure email authentication settings (DMARC, DKIM, SPF).
  21. Set up anti-spoofing protection.
  22. Use Clutter to manage low-priority emails.
  23. Enable mailbox recovery and retention policies.
  24. Configure email retention and deletion policies.

Device Security

  1. Enroll devices in Intune for Mobile Device Management (MDM).
  2. Set up device compliance policies.
  3. Enable BitLocker encryption for all devices.
  4. Use Windows Defender Antivirus.
  5. Enable Windows Defender Firewall.
  6. Implement Endpoint Detection and Response (EDR).
  7. Configure device health monitoring.
  8. Set up device restrictions and configurations.
  9. Enforce software updates and patch management.
  10. Monitor device activity and compliance.
  11. Implement Mobile Application Management (MAM).
  12. Enable Conditional Access policies for device compliance.
  13. Configure Windows Hello for Business for secure sign-ins.
  14. Set up automatic device enrollment and provisioning.
  15. Monitor for jailbroken or rooted devices.
  16. Enable compliance reporting and alerts.
  17. Configure application protection policies for mobile apps.
  18. Set up device wipe and lock capabilities.
  19. Monitor and manage device encryption status.
  20. Enable security baselines for device configuration.
  21. Use Microsoft Defender ATP for advanced threat protection.
  22. Set up device health attestation.
  23. Configure device compliance policies for macOS, iOS, and Android.
  24. Implement secure boot policies.
  25. Monitor and manage device hardware and software inventory.

Network Security

  1. Use Azure Firewall to secure network traffic.
  2. Implement Network Security Groups (NSGs).
  3. Enable Azure DDoS Protection.
  4. Use VPNs for secure remote access.
  5. Monitor network traffic with Azure Network Watcher.
  6. Configure Azure Bastion for secure RDP/SSH access.
  7. Set up virtual network peering securely.
  8. Enforce strict network segmentation.
  9. Use Web Application Firewall (WAF) for web apps.
  10. Implement security baselines for network configurations.
  11. Enable Just-In-Time (JIT) VM access.
  12. Configure private endpoints for Azure services.
  13. Monitor and manage network security groups and rules.
  14. Use Azure Traffic Manager for high availability and security.
  15. Enable logging and diagnostics for network resources.
  16. Implement network isolation for sensitive workloads.
  17. Set up Azure Front Door for secure and fast content delivery.
  18. Use Azure Private Link to secure service access.
  19. Enable network anomaly detection.
  20. Configure network security policies for virtual networks.
  21. Implement virtual network service endpoints.
  22. Use Azure Sentinel for advanced threat detection.
  23. Enable DNS security features.
  24. Set up network access control policies.

Identity and Access Management (IAM)

  1. Configure Privileged Identity Management (PIM).
  2. Enable Just-In-Time (JIT) access for privileged roles.
  3. Implement role-based access control (RBAC).
  4. Use Azure AD Privileged Access Management (PAM).
  5. Review and manage guest access and external users.
  6. Audit and manage admin accounts separately.
  7. Set up identity synchronization with secure settings.
  8. Monitor and review sign-in logs and reports.
  9. Use identity governance to automate lifecycle management.
  10. Enable Azure AD Password Protection.
  11. Set up access reviews for user and group memberships.
  12. Implement Conditional Access policies for critical applications.
  13. Use access reviews for privileged roles.
  14. Monitor for unusual sign-in activity.
  15. Implement Azure AD Join for secure device management.
  16. Configure B2C for customer identity management.
  17. Set up access policies for external identities.
  18. Monitor and manage directory synchronization.
  19. Enable hybrid identity for seamless access management.
  20. Set up password writeback for hybrid environments.
  21. Enable Identity Secure Score for continuous improvement.
  22. Configure user risk policies in Azure AD Identity Protection.
  23. Set up dynamic membership rules for security groups.
  24. Monitor and review user activity logs.
  25. Implement identity protection policies for high-risk users.
  26. Enable password reset registration and usage reports.

General Security Practices

  1. Regularly review and update security policies.
  2. Conduct periodic security assessments and audits.
  3. Train employees on security best practices.
  4. Set up incident response and recovery plans.
  5. Monitor security alerts and respond promptly.
  6. Use security baselines for consistent configuration.
  7. Enable logging and monitoring across all services.
  8. Implement least privilege access across all systems.
  9. Regularly review and update Conditional Access policies.
  10. Use Secure Score to prioritize and track security improvements.
  11. Implement a zero-trust security model.
  12. Monitor and manage compliance requirements.
  13. Set up and test disaster recovery plans.
  14. Review and manage access to sensitive information.
  15. Use Azure Security Center for unified security management.
  16. Monitor and review activity logs regularly.
  17. Implement security training and awareness programs.
  18. Regularly update and patch all systems and applications.
  19. Configure secure access to on-premises applications.
  20. Implement Azure Policy for compliance and governance.
  21. Use Microsoft Defender for Identity for advanced threat detection.

For a downloadable version of the checklist, which you can print out, please fill out the form at the top of this page.