Microsoft 365 Security Checklist: 13 Essential Steps

It sounds backwards at first, but if you want fine-grained microsoft 365 compliance controls, you usually need to disable Microsoft’s generic Security Defaults and replace them with proper Conditional Access policies.

Security Defaults are “okay” for tiny organizations with no IT support. For anyone thinking about the cis benchmark microsoft 365 or a formal m365 security assessment, they’re too blunt.

Checklist items:

• [ ] Sign in as Global Administrator
• [ ] Go to Entra ID (Identity) → Properties
• [ ] Set “Security defaults” to Disabled
• [ ] Reason: “My organization is using Conditional Access”

Once that’s off, you can implement the more robust, auditable controls that CIS and most regulators actually expect.

Multifactor authentication is the single biggest win for microsoft 365 security audit preparation. The key is to enforce it consistently, not just “encourage” it.

Checklist items:

• [ ] In Entra ID → Protection → Conditional Access → Policies
• [ ] Create a policy (e.g., “CA01 – Require MFA for all users”)
• [ ] Apply to: All users (exclude a break-glass admin account)
• [ ] Target: All cloud apps
• [ ] Grant: Require multifactor authentication
• [ ] Start in Report-only if it’s an existing tenant, then switch to On once validated

This aligns closely with several CIS benchmark microsoft 365 controls and is almost always questioned during any m365 security assessment.

By default, anyone from any country can try to sign in to your Microsoft 365. That’s a huge attack surface.

A simple win: only allow sign-ins from countries where you actually operate, plus some controlled exceptions for travel.

Checklist items:

• [ ] In Conditional Access → Named locations, create a list like “Approved countries” (e.g., UK, US, EU)
• [ ] Create policy “CA02 – Block access from non-approved countries”
• [ ] Users: All users, excluding a break-glass admin
• [ ] Cloud apps: All cloud apps
• [ ] Locations: Include Any location, but Exclude your “Approved countries”
• [ ] Client apps: Browser + Mobile apps and desktop clients
• [ ] Access control: Block

This gives you geo-based protection while still allowing legitimate work.

If your business only supports Windows and macOS, why allow logins from Linux, legacy Windows Phone, or other platforms you don’t manage?

Checklist items:

• [ ] Create policy “CA03 – Block unapproved device types”
• [ ] Users: All users
• [ ] Cloud apps: All cloud apps
• [ ] Device platforms: Configure → select unsupported platforms (e.g., Linux, Windows Phone)
• [ ] Grant: Block access

This is simple, but it reduces the variety of endpoints you need to keep secure and makes your m365 security assessment story cleaner.

Persistent sessions keep users signed in even after closing the browser. Convenient, yes. But on shared or personal devices, it’s risky.

Checklist items:

• [ ] Create policy “CA04 – Disable persistent browser sessions”
• [ ] Users: All users
• [ ] Cloud apps: All cloud apps
• [ ] Client apps: Configure → Browser only
• [ ] Session: Persistent browser session = Never persistent

Now, when someone closes their Microsoft 365 tab, they’ll be prompted to sign in next time. It’s a small friction point that significantly reduces the chance of unauthorized access from a forgotten, open session.

Most employees will install Outlook, Teams, or Office on their personal phones. That’s fine, but only if you protect corporate data on those devices.

Checklist items:

• [ ] Create Intune App Protection Policies for Android and iOS
• [ ] In Conditional Access, create “CA05 – Require app protection policy”
• [ ] Users: All users (or all licensed users)
• [ ] Cloud apps: Office 365
• [ ] Device platforms: Android, iOS
• [ ] Client apps: Browser + Mobile apps and desktop clients
• [ ] Grant: Require app protection policy

This ensures mobile access is wrapped in data protection policies, which is a big point in many microsoft 365 compliance frameworks.

Legacy authentication (basic auth) is weak and widely abused in password spray and brute-force attacks. Even if Microsoft disables a lot of it by default in new tenants, you should explicitly block it.

Checklist items:

• [ ] In Conditional Access → New policy from template
• [ ] Choose “Block legacy authentication” template
• [ ] Name: e.g., “CA06 – Block legacy authentication”
• [ ] Users: All users
• [ ] State: On

This is a common requirement in any m365 security audit and appears directly in many CIS microsoft 365 foundations controls.

You don’t want just anyone registering devices into Entra ID without additional verification.

Checklist items:

• [ ] Create policy “CA07 – Require MFA to join devices”
• [ ] Users: All users (or restrict to device join admins)
• [ ] Target resource: User actions → Register or join devices
• [ ] Grant: Require multifactor authentication

This tightens the control around device lifecycle and supports more advanced compliance models that expect strong assurance for device onboarding.

Not all MFA methods are equal anymore. SMS and phone calls are considered weaker and are increasingly discouraged in security frameworks.

Checklist items:

• [ ] In Entra ID → Protection → Authentication methods → Policies
• [ ] Enable Microsoft Authenticator for all users
• [ ] Enable FIDO2 security keys (e.g., YubiKey) for all users who need higher assurance
• [ ] Prefer these stronger methods over SMS / phone call

This will look good in any m365 security assessment and aligns with modern CIS and NIST guidance.

There are a couple of small but important settings in Entra ID user settings that are easy to miss.

Checklist items:

• [ ] Go to Entra ID → Users → User settings
• [ ] Restrict non-admin users from creating tenants = Yes
• [ ] Restrict access to Microsoft Entra admin center = Yes (admins only)

This prevents standard users from spinning up new tenants or wandering into admin portals they shouldn’t see.

Users can connect a surprising range of third-party apps to Microsoft 365. By default, they can often grant those apps access to organization data.

Checklist items:

• [ ] Go to Entra ID → Enterprise applications → Consent and permissions
• [ ] Change from “Allow user consent for apps” to:
• Ideally: Admin consent required for all apps
• Or at least: Allow user consent for apps from verified publishers
• [ ] Set “Group owner consent” (if still available) to Do not allow

This keeps you in control of which apps get access to corporate data, which is a critical area for both microsoft 365 compliance and privacy regulations.

SharePoint and OneDrive are generous with sharing by default. Generous is great for collaboration, not so great for compliance.

Checklist items:

• [ ] Go to Microsoft 365 admin center → SharePoint admin
• [ ] Policies → Sharing
• [ ] Change external sharing from “Anyone” to New and existing guests – guests must sign in or use verification code

This stops fully anonymous “anyone with the link” sharing while still allowing controlled external collaboration.

One last SharePoint tweak that prevents accidental data changes: adjust the default permission on sharing links.

Checklist items:

• [ ] In SharePoint admin → Policies → Sharing
• [ ] Set “Choose the permission that’s selected by default for sharing links” to View instead of Edit

Users can still change a link to allow editing when needed, but the safe default becomes read-only.