
The Microsoft 365 Security Baseline Checklist: 13 Essential Controls

A pragmatic 13-item checklist of the Microsoft 365 security controls every admin should configure first — distilled from CIS Benchmark v5.0.0, Microsoft's secure-by-default guidance, and what we actually see going wrong in production tenants.

Checklist · 9 min read · May 2026

Microsoft 365 ships with sensible defaults, but the defaults assume a tenant that will never face a determined attacker. Below is the short list of controls every admin should configure first — before the full 129-control CIS deep dive, before any compliance project. If you do nothing else, do these thirteen things.


How to use this checklist

Each item links to a tactical guide or doc. Almost everything below is covered by Business Premium and E3 (both include Entra ID P1, which Conditional Access needs). There are two exceptions: Privileged Identity Management (item 3) needs Entra ID P2, which means E5 or the P2 add-on, and the Defender for Office 365 preset (item 6) needs Defender for Office 365 Plan 1, which Business Premium includes but E3 does not.

Identity & access (5 controls)

1. Enforce MFA for every administrator

   Not "encourage" but enforce, via a Conditional Access policy that targets the privileged directory roles (Global Administrator, Privileged Role Administrator, Exchange Administrator, SharePoint Administrator, User Administrator and the rest). This is the single highest-leverage control in M365: an admin account breached without MFA is game over. For admin roles prefer phishing-resistant methods (FIDO2 security keys or Windows Hello for Business) via an authentication strength, since push notifications and SMS are phishable.

2. Block legacy authentication

   IMAP, POP, SMTP AUTH and older Office clients authenticate with a username and password only, so MFA is never challenged. Exchange Online turned off Basic authentication for most protocols across all tenants in late 2022, but SMTP AUTH can still be enabled per mailbox, and a tenant that is not running Security Defaults still needs an explicit Conditional Access policy that blocks the "Exchange ActiveSync clients" and "Other clients" client app types. Check the sign-in logs for remaining legacy-auth sign-ins (printers, scanners, line-of-business apps) before you enforce it.

3. Eliminate standing Global Admin accounts

   Move every admin into Privileged Identity Management (PIM) with just-in-time, time-bound role activation, so nobody holds Global Administrator permanently. The only exception is the emergency-access (break-glass) accounts: keep the total number of standing Global Administrators between two and four, protect them with a FIDO2 security key rather than a phone-based MFA method, exclude them from the Conditional Access policies so they still work when a policy misfires, alert on every sign-in by those accounts, and attest the membership quarterly. PIM needs Entra ID P2.

4. Require MFA for all users (not just admins)

   The simplest path is Security Defaults, which Microsoft manages for you. Security Defaults and Conditional Access are mutually exclusive, so a tenant that needs conditions (location-based, device-based, per-application) instead builds a baseline Conditional Access policy: all users, all cloud apps, grant requires MFA, with the break-glass accounts excluded. Create it in report-only mode first and review the sign-in log impact before enforcing.

5. Disable user consent for unverified third-party apps

   Consent phishing, where an attacker tricks a signed-in user into granting a malicious OAuth app permissions such as Mail.Read or Files.ReadWrite.All, needs no password and is not stopped by MFA: the app receives its own tokens and keeps them after the user changes their password. Restrict user consent to apps from verified publishers requesting low-impact permissions (or disable user consent entirely), turn on the admin consent workflow so anything above that threshold is reviewed, and review the enterprise application inventory and its granted permissions quarterly.
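The five identity controls above can be created together from Microsoft Graph PowerShell. The script below is an added example, not code from the original checklist; it assumes the Microsoft.Graph module, an account holding the Conditional Access Administrator and Privileged Role Administrator roles, and two break-glass accounts whose UPNs (the contoso.onmicrosoft.com names) are placeholders you replace. Every Conditional Access policy is created in report-only mode.

```powershell
# Added example (not from the original checklist): creates the identity controls
# from items 1, 2, 4 and 5 with the Microsoft Graph PowerShell SDK.
# Assumes: Microsoft.Graph installed; an account with the Conditional Access
# Administrator and Privileged Role Administrator roles; PIM (item 3) is left
# to the portal because it needs Entra ID P2 and per-role settings.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Directory.Read.All',
                        'User.Read.All', 'Policy.ReadWrite.Authorization'

# Break-glass accounts (placeholder UPNs) are excluded from every policy so a
# misconfigured policy can never lock the tenant.
$breakGlass = @('breakglass1@contoso.onmicrosoft.com', 'breakglass2@contoso.onmicrosoft.com') |
    ForEach-Object { (Get-MgUser -UserId $_).Id }

# Resolve admin role template IDs by display name instead of hard-coding GUIDs.
$adminRoleNames = @(
    'Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
    'Exchange Administrator', 'SharePoint Administrator', 'User Administrator',
    'Conditional Access Administrator', 'Authentication Administrator',
    'Application Administrator', 'Cloud Application Administrator'
)
$adminRoleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $adminRoleNames } |
    Select-Object -ExpandProperty Id

# Report-only first: review the sign-in log "Report-only" tab, then set state = 'enabled'.
$reportOnly = 'enabledForReportingButNotEnforced'

# Item 1: MFA for every administrator role.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Baseline-01: Require MFA for admin roles'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeRoles = $adminRoleIds; excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Item 2: block legacy authentication. These two client app types are exactly
# the protocols that never see an MFA prompt.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Baseline-02: Block legacy authentication'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Item 4: MFA for all users (Conditional Access route; incompatible with Security Defaults).
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Baseline-04: Require MFA for all users'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Item 5: users may consent only to low-impact permissions from verified
# publishers (built-in policy microsoft-user-default-low). Pass an empty
# array instead to disable user consent completely.
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    defaultUserRolePermissions = @{
        permissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
    }
}
```

Leave the three policies in report-only mode for at least a week of normal business, export the affected sign-ins from the sign-in log, and only then switch `state` to `enabled`, one policy at a time, while signed in as a break-glass account in a second browser session.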

Email & collaboration (4 controls)

6. Apply Microsoft's Standard preset security policy

   In Defender for Office 365, the Standard preset turns on Safe Links, Safe Attachments, anti-phishing and impersonation protection with Microsoft's recommended settings, and covers most of the CIS Level 1 email requirements in one step. The preset cannot guess who your targets are, so add executives and finance staff to the user impersonation list and your own domains plus key suppliers to the domain impersonation list. It requires Defender for Office 365 Plan 1.

7. Configure DKIM, DMARC and SPF correctly

   SPF alone is no longer sufficient: it validates the envelope sender rather than the From address users actually see, and it breaks when mail is forwarded. Publish SPF with the Exchange Online include (spf.protection.outlook.com), enable DKIM signing for every custom domain in the Defender portal (the two selector CNAMEs must exist in DNS before you turn it on), and publish a DMARC record at p=quarantine at minimum, moving to p=reject once the aggregate reports show no legitimate senders failing. Point the rua= reports at a mailbox or reporting service someone actually reads. Without DMARC enforcement your domain can be spoofed in phishing campaigns aimed at your own staff and your customers.

8. Enable the Unified Audit Log

   Without it, post-incident investigation is essentially impossible: you cannot answer who read which mailbox, who downloaded which files, or which inbox rules an attacker created. It is on by default for current tenants, but it was off by default on older tenants and can be switched off, so verify it in the Purview portal or with Exchange Online PowerShell rather than assume it. Then confirm mailbox auditing is enabled at the organisation level and that the audited actions cover what you need, and plan for the retention window: 180 days by default with Audit (Standard), longer only with Audit (Premium). See our dedicated setup guide for the full procedure.

9. Lock down external sharing in SharePoint, OneDrive and Teams

   The tenant-level default is "Anyone", which permits anonymous links that need no sign-in at all. For most organisations "New and existing guests" is the right baseline, with a default link type of "People you specify" rather than "Anyone", an expiry on any anonymous links you still allow, and a periodic review of guest accounts and Teams guest access. Coordinate with the business; this is the one control on the list that genuinely changes how end users work.
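A quick way to check item 7 for a domain hosted on Exchange Online is to read the SPF, DKIM and DMARC records from DNS and grade them. The script below is an added example, not part of the original checklist; it assumes PowerShell on Windows with the DnsClient module (Resolve-DnsName) and the standard Exchange Online DKIM selectors (selector1 and selector2). The DMARC parser takes a record string so it can be exercised on constructed records without a network.

```powershell
# Added example (not from the original checklist): grades a domain's SPF, DKIM and
# DMARC posture for Exchange Online (item 7). Assumes Resolve-DnsName (Windows) and
# the Exchange Online DKIM selector names selector1 / selector2.

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)   # e.g. 'v=DMARC1; p=reject; rua=mailto:dmarc@contoso.com'
    $tags = @{}
    foreach ($part in $Record -split ';') {
        if ($part -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$matches[1]] = $matches[2] }
    }
    $findings = @()
    if ($tags['v'] -ne 'DMARC1') { $findings += 'Not a DMARC record' }
    $p = $tags['p']
    if (-not $p)                  { $findings += 'Missing p= tag' }
    elseif ($p -eq 'none')        { $findings += 'p=none: monitoring only, spoofed mail is still delivered' }
    elseif ($p -eq 'quarantine')  { $findings += 'p=quarantine: plan the move to p=reject' }
    elseif ($p -ne 'reject')      { $findings += "Unknown policy '$p'" }
    if (-not $tags['rua'])        { $findings += 'No rua= address: nobody receives aggregate reports' }
    if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $findings += "pct=$($tags['pct']): policy applies to only part of the mail" }
    if ($tags['sp'] -eq 'none')   { $findings += 'sp=none: subdomains are unprotected' }
    [pscustomobject]@{ Policy = $p; Findings = $findings }
}

function Test-M365MailAuth {
    param([Parameter(Mandatory)][string]$Domain)

    # SPF: one TXT record at the apex that includes Exchange Online.
    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    $spfOk = [bool]($spf -and $spf -match 'include:spf\.protection\.outlook\.com')

    # DKIM: Exchange Online publishes the two rotating selectors as CNAMEs.
    $dkim = @('selector1', 'selector2') | ForEach-Object {
        [bool](Resolve-DnsName -Name "$_._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue)
    }

    # DMARC lives at _dmarc.<domain>.
    $dmarcTxt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $dmarc = if ($dmarcTxt) { Test-DmarcRecord $dmarcTxt }
             else { [pscustomobject]@{ Policy = $null; Findings = @('No DMARC record') } }

    $findings = @($dmarc.Findings)
    if (-not $spfOk)            { $findings += 'SPF missing or lacks include:spf.protection.outlook.com' }
    elseif ($spf -notmatch '-all\s*$') { $findings += 'SPF ends in ~all/?all rather than -all' }
    if ($dkim -contains $false) { $findings += 'One or both DKIM selector CNAMEs are missing' }

    [pscustomobject]@{
        Domain      = $Domain
        SpfRecord   = $spf
        SpfOk       = $spfOk
        DkimOk      = ($dkim -notcontains $false)
        DmarcPolicy = $dmarc.Policy
        Findings    = $findings
    }
}

# Offline check of the parser on constructed records:
Test-DmarcRecord 'v=DMARC1; p=none; rua=mailto:dmarc@contoso.com'          # flags p=none
Test-DmarcRecord 'v=DMARC1; p=reject; rua=mailto:dmarc@contoso.com; pct=100' # no findings

# Live check against DNS (replace with your own domain):
# Test-M365MailAuth -Domain 'contoso.com' | Format-List
```

Run the live check for every accepted domain in the tenant, including the ones that never send mail: a parked domain with no DMARC record is exactly as spoofable as your primary one, and should get `v=DMARC1; p=reject` plus an SPF of `v=spf1 -all`.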

Device & data (4 controls)

10. Block macros from the internet

   Office now blocks VBA macros by default in files that carry the Mark of the Web (downloaded from the internet or received as an email attachment), but the default can be overridden by the user, so enforce it: deploy the "Block macros from running in Office files from the Internet" setting through Group Policy or the Intune settings catalog to every managed device. Then audit the Trusted Locations users have configured, because a file opened from a trusted location skips the check entirely; a user who adds their Downloads folder has quietly undone the control.

11. Require device compliance for M365 access

   A Conditional Access policy whose grant control is "Require device to be marked as compliant", backed by Intune compliance policies (disk encryption, minimum OS version, Defender running), means unmanaged or non-compliant devices cannot reach corporate data. Start by applying it to admin accounts, tune the compliance policy until healthy devices stop failing it, then expand to all users. Keep the break-glass accounts excluded.

12. Configure DLP for the obvious patterns

   A minimum-viable DLP policy blocks external sharing of credit card numbers, IBANs, national ID numbers and, where applicable, PHI, across Exchange, SharePoint, OneDrive and Teams. The built-in sensitive information types cover most regulatory bases, so there is no need to build custom classifiers on day one. Run the policy in test mode with notifications first and check the false-positive rate before switching it to block.

13. Set retention policies for email and SharePoint

   Either you have a documented retention policy or you are keeping everything forever, which is itself a compliance and legal-discovery risk (and makes every compromised mailbox a larger prize). Define retention per workload, apply default retention labels, and make sure the policy also covers Teams chat and OneDrive, which are easy to overlook.
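Item 10 asks you to verify the macro policy and audit Trusted Locations on managed devices. The script below is an added example, not part of the original checklist, that does both on one Windows device by reading the Office registry keys. It assumes Office 2016 or later (the 16.0 registry version), runs in the context of the user being audited, and treats any trusted location under Downloads, Temp, the Desktop or the browser cache as risky (an assumption you can tune).

```powershell
# Added example (not from the original checklist): audits one Windows device for
# item 10. Assumes Office 2016+ (registry version 16.0) and the current user's hive.
# Reads the "Block macros from running in Office files from the Internet" setting
# (registry value blockcontentexecutionfrominternet, 1 = block) from the Policies
# hive (admin-enforced) and the user hive (user-changeable), then lists Trusted
# Locations, which bypass that check entirely.

function Get-OfficeMacroPosture {
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint', 'Access'))
    foreach ($app in $Apps) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $userKey   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"

        $policy = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        $user   = (Get-ItemProperty -Path $userKey   -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

        # Trusted Locations are LocationN subkeys with Path / AllowSubfolders / Description
        # values, under both the user hive (user-added) and the Policies hive (admin-defined).
        $locations = foreach ($hive in @($userKey, $policyKey)) {
            Get-ChildItem -Path "$hive\Trusted Locations" -ErrorAction SilentlyContinue | ForEach-Object {
                $p = Get-ItemProperty -Path $_.PSPath
                [pscustomobject]@{
                    App             = $app
                    Source          = if ($hive -eq $policyKey) { 'Policy' } else { 'User' }
                    Path            = $p.Path
                    AllowSubfolders = [bool]$p.AllowSubfolders
                    Description     = $p.Description
                }
            }
        }

        # Assumed definition of "risky": user-writable paths that downloaded files land in.
        $riskyPattern = 'Downloads|\\Temp\\|AppData\\Local\\Microsoft\\Windows\\INetCache|\\Desktop'

        [pscustomobject]@{
            App              = $app
            PolicyEnforced   = ($policy -eq 1)
            UserSetting      = $user   # $null = Office default; 0 = the user switched blocking off
            Status           = if ($policy -eq 1) { 'Enforced by policy' }
                               elseif ($user -eq 0) { 'DISABLED by user' }
                               else { 'Default only (not enforced)' }
            TrustedLocations = @($locations)
            RiskyLocations   = @($locations | Where-Object { $_.Path -match $riskyPattern })
        }
    }
}

$posture = Get-OfficeMacroPosture
$posture | Select-Object App, Status,
    @{ n = 'TrustedLocations'; e = { $_.TrustedLocations.Count } },
    @{ n = 'Risky';            e = { $_.RiskyLocations.Count } } | Format-Table -AutoSize
$posture.RiskyLocations | Format-Table App, Source, Path, AllowSubfolders -AutoSize

# As an Intune detection script, uncomment to report non-compliance
# (any app without the enforced policy, or any risky trusted location):
# if ($posture | Where-Object { -not $_.PolicyEnforced -or $_.RiskyLocations.Count }) { exit 1 }
```

"Default only" is the state to hunt for at fleet scale: the device is currently safe because of Office's built-in default, but nothing stops the user from flipping it back in the Trust Center, so it should read "Enforced by policy" everywhere.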

What to do next

These thirteen controls close most of the gaps a real-world Microsoft 365 attacker exploits. Once they are in place, the next move is the full CIS Microsoft 365 Foundations Benchmark, which adds the remaining controls of defence-in-depth on top of this baseline.
