# Microsoft 365 + Entra ID Hardening Baseline

A practical hardening baseline for a Microsoft 365 + Entra ID tenant that gives you defensible posture against the attacks that actually happen — token theft, illicit consent, mailbox auto-forward exfil, OAuth abuse, AiTM phishing — without breaking the business. Aligned to CIS Benchmarks, Microsoft Secure Score, and Cyber Essentials Plus. MIT licensed. Authored by VantagePoint Networks.

**Audience:** IT Managers, M365 Administrators, Information Security Leads, MSP Account Managers

**Use this when:** taking ownership of a tenant for the first time, preparing for Cyber Essentials Plus / ISO 27001 audit, post-incident hardening, or as a baseline for a new tenant.

---

## 1. Principles

1. **Identity is the new perimeter.** Treat every Conditional Access policy as a firewall rule and every admin role as a privileged interface.
2. **Phishing-resistant MFA for admins, MFA for everyone.** No exceptions. No "just for now."
3. **Least privilege, just-in-time.** Admin = activated via PIM, not assigned. Standard users get only what they need.
4. **Block legacy auth.** Permanently. The attack surface from POP / IMAP / SMTP basic auth is not worth the convenience.
5. **Defaults are dangerous.** Microsoft's defaults are improving, but they assume a green-field tenant. Any tenant more than 3 years old needs a re-baseline.
6. **Logging is non-negotiable.** Audit log on, mailbox audit on, retention configured. You cannot investigate what you didn't log.
7. **Trust the device.** Conditional Access requires compliant or hybrid-joined devices for sensitive apps.
8. **Test changes in pilot.** Conditional Access can lock everyone out fast. Always pilot to a security group first.

## 2. Tenant prerequisites

- Microsoft 365 Business Premium or Microsoft 365 E3 / E5 licence (E5 unlocks the most controls; E3 + Defender for Office 365 P2 add-on covers most)
- Tenant-wide MFA capability (included in all paid plans)
- Microsoft Entra ID P1 minimum (P2 unlocks Identity Protection + PIM full features)
- Tenant administrator access for an account that is NOT your daily-driver

## 3. Break-glass accounts

Configure FIRST, before any Conditional Access policy.

- 2 break-glass accounts (e.g. `breakglass-1@yourtenant.onmicrosoft.com`)
- Cloud-only (not synced from on-prem AD)
- Permanently assigned Global Administrator (PIM not used — these must work even if PIM breaks)
- 64-character random password, stored in physical safe
- Hardware FIDO2 key MFA (separate from any other admin's key)
- Excluded from ALL Conditional Access policies
- Sign-in monitored: any sign-in triggers SIEM alert + on-call page
- Tested quarterly — sign in, verify access, log result
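A check for the break-glass requirements above (cloud-only, FIDO2 registered, excluded from every active Conditional Access policy), added here as an example and not part of the original baseline. It assumes the Microsoft Graph PowerShell SDK and uses the placeholder UPNs from this document.

```powershell
# Added example: validate break-glass accounts against section 3.
# Assumes Microsoft.Graph SDK; the two UPNs below are placeholders.
Connect-MgGraph -Scopes 'User.Read.All','Policy.Read.All','UserAuthenticationMethod.Read.All'

$breakGlass = @(
    'breakglass-1@yourtenant.onmicrosoft.com',
    'breakglass-2@yourtenant.onmicrosoft.com'
)

$findings = @()
$ids = @{}   # objectId -> UPN, used when checking CA exclusions
foreach ($upn in $breakGlass) {
    $u = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,OnPremisesSyncEnabled,AccountEnabled
    $ids[$u.Id] = $upn
    if ($u.OnPremisesSyncEnabled) { $findings += "$upn is synced from on-prem AD (must be cloud-only)" }
    if (-not $u.AccountEnabled)   { $findings += "$upn is disabled" }
    # Hardware key MFA: at least one FIDO2 method must be registered.
    if (-not (Get-MgUserAuthenticationFido2Method -UserId $u.Id)) {
        $findings += "$upn has no FIDO2 security key registered"
    }
}

# Every enabled or report-only CA policy must list both accounts in its user exclusions.
foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -eq 'disabled') { continue }
    $excluded = @($p.Conditions.Users.ExcludeUsers)
    foreach ($id in $ids.Keys) {
        if ($excluded -notcontains $id) {
            $findings += "Policy '$($p.DisplayName)' does not exclude $($ids[$id])"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Break-glass accounts: cloud-only, FIDO2 registered, excluded from all active CA policies.' }
```

Run it as part of the quarterly break-glass test so a newly created CA policy that forgot the exclusion is caught before it matters.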

## 4. Identity baseline (Entra ID)

### 4.1 Authentication
- [ ] Security defaults: **disabled** (we use Conditional Access instead — they conflict)
- [ ] All users: MFA registered
- [ ] Admins: phishing-resistant MFA enforced (FIDO2, Windows Hello, certificate-based)
- [ ] Authentication methods policy: enable Authenticator (push + number match), FIDO2; disable SMS for admins; disable voice
- [ ] Password protection: enable on-prem if hybrid; configure custom banned passwords
- [ ] Self-service password reset: enabled for users, with secure verification
- [ ] Combined registration: enabled (single experience for MFA + SSPR)

### 4.2 Authorisation — Privileged Identity Management (PIM)
- [ ] Identify all permanent role assignments — should be only break-glass + (rarely) on-call admins
- [ ] All privileged roles set to **eligible**, not assigned:
  - Global Administrator
  - Privileged Role Administrator
  - User Administrator
  - Conditional Access Administrator
  - Security Administrator
  - Exchange Administrator
  - SharePoint Administrator
  - Application Administrator
  - Cloud Application Administrator
- [ ] Activation max duration: 8 hours
- [ ] Activation requires: justification + ticket reference + (for Global Admin) approval
- [ ] Notification on activation: to Security DL
- [ ] Access reviews on roles: quarterly
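An audit of permanent (non-PIM) active role assignments, added as an example that is not part of the original baseline: after PIM rollout the only rows should be the break-glass accounts. It assumes the Microsoft Graph PowerShell SDK and Entra ID P2; the allow-list UPNs are placeholders.

```powershell
# Added example: list permanent active directory role assignments (section 4.2).
# Assumes Microsoft.Graph SDK and Entra ID P2; break-glass UPNs are placeholders.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All'

$allowedPermanent = @(
    'breakglass-1@yourtenant.onmicrosoft.com',
    'breakglass-2@yourtenant.onmicrosoft.com'
)

# Resolve role definition IDs to display names once.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Schedule instances expose AssignmentType: 'Assigned' = standing assignment,
# 'Activated' = a PIM activation. Permanent = Assigned, direct, with no end date.
$permanent = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and $_.MemberType -eq 'Direct' -and -not $_.EndDateTime }

$report = foreach ($a in $permanent) {
    $obj = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
    $name = $obj.AdditionalProperties['userPrincipalName']
    if (-not $name) { $name = $obj.AdditionalProperties['displayName'] }   # group or service principal
    [pscustomobject]@{
        Principal = $name
        Role      = $roleNames[$a.RoleDefinitionId]
        Scope     = $a.DirectoryScopeId           # '/' = tenant-wide
        Allowed   = ($allowedPermanent -contains $name)
    }
}

$report | Sort-Object Allowed, Role | Format-Table -AutoSize
$unexpected = @($report | Where-Object { -not $_.Allowed })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) permanent assignment(s) outside the break-glass allow-list; convert to PIM eligible."
}
```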

### 4.3 Conditional Access (baseline policies)

Create and pilot in this order. Names use `CA0XX-` prefix for sortable display.

| ID | Policy | Assignment | Conditions | Grant | Session |
|---|---|---|---|---|---|
| CA001 | Block legacy authentication | All users | Client apps: Exchange ActiveSync, Other clients | Block | — |
| CA002 | Require MFA for all users | All users (excl. break-glass) | All cloud apps | Grant: require MFA | — |
| CA003 | Require phishing-resistant MFA for admins | Privileged role members | All cloud apps | Grant: require auth strength = phishing-resistant | — |
| CA004 | Require compliant device for admin portals | Privileged role members | Apps: Microsoft Admin Portals, Azure Mgmt | Grant: require compliant device | — |
| CA005 | Block sign-in from disallowed countries | All users (excl. break-glass) | Locations: outside allowed list | Block | — |
| CA006 | Risk-based MFA (sign-in risk medium+) | All users (excl. break-glass) | Sign-in risk: medium, high | Grant: require MFA | — |
| CA007 | Block users with high user risk | All users (excl. break-glass) | User risk: high | Block | — |
| CA008 | Sign-in frequency for sensitive apps | All users | Apps: Exchange Online, SharePoint, Teams | — | Sign-in frequency: 12h |
| CA009 | Require app protection policy on mobile | All users | Devices: iOS, Android, browser apps | Grant: require app protection | — |
| CA010 | Block unmanaged device download (Exchange + SharePoint) | All users | Apps: Exchange Online, SharePoint Online | Browser only / no download | Block download on unmanaged |

**Pilot strategy:** Add a `CA-Pilot` group, target the policy at it for 1 week, monitor sign-in logs for unintended impact, then promote to "All users (excl. break-glass)".
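Creating CA001 the way the pilot strategy describes (report-only, scoped to `CA-Pilot`, break-glass excluded), added as an example rather than code from the original baseline. It assumes the Microsoft Graph PowerShell SDK and uses the group and account names from this document as placeholders.

```powershell
# Added example: CA001 "Block legacy authentication" in report-only pilot mode.
# Assumes Microsoft.Graph SDK; CA-Pilot group and break-glass UPNs are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Group.Read.All','User.Read.All'

$pilotGroup = Get-MgGroup -Filter "displayName eq 'CA-Pilot'"
$breakGlass = @(
    @('breakglass-1@yourtenant.onmicrosoft.com','breakglass-2@yourtenant.onmicrosoft.com') |
        ForEach-Object { (Get-MgUser -UserId $_).Id }
)

$policy = @{
    displayName = 'CA001 - Block legacy authentication'
    # Report-only first: sign-in logs show what would have been blocked, nobody is locked out.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('exchangeActiveSync', 'other')      # legacy protocols only
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeGroups = @($pilotGroup.Id)                   # pilot week; promote to All later
            excludeUsers  = $breakGlass                         # break-glass never in scope
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created '$($created.DisplayName)' [$($created.Id)] state=$($created.State)"

# Promotion after a clean pilot week: all users, enforced, exclusions kept.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{
#     state      = 'enabled'
#     conditions = @{ users = @{ includeUsers = @('All'); includeGroups = @(); excludeUsers = $breakGlass } }
# }
```

Review the sign-in log filtered on report-only results before uncommenting the promotion step; a legacy-auth block that hits a scanner or line-of-business app shows up there first.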

### 4.4 Identity Protection (P2 only)
- [ ] Sign-in risk policy: medium+ → require MFA (already in CA006)
- [ ] User risk policy: high → block (already in CA007), low/medium → require password change
- [ ] Configure email alerts on risky users to Security DL
- [ ] Review risky sign-ins weekly (or feed to SIEM)

### 4.5 External collaboration
- [ ] Guest user access restrictions: most restrictive practical (e.g. guest users have limited directory access)
- [ ] Guest invite settings: only users with specific roles can invite (not "anyone in your organisation")
- [ ] Cross-tenant access settings: configured explicitly per partner — default block
- [ ] B2B collaboration auto-cleanup: review and remove inactive guests quarterly (or use entitlement management with expiration)

### 4.6 Application & service principal hardening
- [ ] User consent for apps: only allow consent to apps from verified publishers AND for low-risk permissions
- [ ] Admin consent workflow: enabled — users request, admins approve
- [ ] User can register applications: **No** (centralise via app dev process)
- [ ] User can create security groups: **No** (centralise)
- [ ] Owner can manage Microsoft Graph application permissions: **No**
- [ ] Review existing service principals quarterly: orphaned ones removed

## 5. Exchange Online baseline

### 5.1 Authentication & access
- [ ] Modern authentication: enabled (default)
- [ ] OAuth 2.0 token revocation: tested
- [ ] Disable EWS basic auth (deprecated by Microsoft, confirm not in use)
- [ ] Disable POP3, IMAP4, SMTP AUTH at organisation level (allow only on accounts that need it via override)

### 5.2 Mail flow
- [ ] SPF: configured for primary domain (`v=spf1 include:spf.protection.outlook.com -all`)
- [ ] DKIM: enabled per accepted domain
- [ ] DMARC: published, start at `p=none` for monitoring, move to `p=quarantine` then `p=reject`
- [ ] MTA-STS: published (DNS + policy file)
- [ ] TLS-RPT: enabled for monitoring
- [ ] External email tagging: enabled (banner on emails from outside org)

### 5.3 Anti-phishing / anti-spam (Defender for Office 365)
- [ ] Standard preset policy: enabled and assigned to all users
- [ ] Strict preset: applied to executives + finance + IT admins
- [ ] Anti-phish: impersonation protection enabled, mailbox intelligence enabled, spoof intelligence enabled
- [ ] Anti-spam: outbound limit set (block exfil), connection filter allow-list reviewed
- [ ] Safe Attachments: enabled with Dynamic Delivery
- [ ] Safe Links: enabled, real-time URL detonation, do not track user clicks (privacy)
- [ ] Quarantine: review queue weekly; user-released items investigated
- [ ] Tenant Allow/Block list: reviewed quarterly

### 5.4 Mailbox controls
- [ ] Auto-forwarding to external addresses: **disabled** at remote domain level
- [ ] Disable client-side rules that auto-forward externally
- [ ] Mailbox audit logging: enabled for all mailboxes (default since 2018)
- [ ] Audit log retention: 1+ year
- [ ] Litigation / In-Place hold for compliance-scoped mailboxes
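The Exchange Online settings from 5.1 and 5.4 applied together, with a hunt for forwarding that already exists, added as an example and not code from the original baseline. It assumes the ExchangeOnlineManagement module; the scanner mailbox in the override is a placeholder.

```powershell
# Added example: Exchange Online hardening for sections 5.1 and 5.4.
# Assumes ExchangeOnlineManagement module; the scanner mailbox is a placeholder.
Connect-ExchangeOnline

# 5.1 Legacy protocols: SMTP AUTH off org-wide, POP/IMAP off in plan defaults and on existing mailboxes.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Get-CASMailboxPlan -ResultSize Unlimited | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false

# Per-mailbox override for the one device that genuinely needs SMTP AUTH (document the exception).
Set-CASMailbox -Identity 'scanner@yourtenant.onmicrosoft.com' -SmtpClientAuthenticationDisabled $false

# 5.4 External auto-forward: off at the default remote domain and in the outbound spam policy.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Get-HostedOutboundSpamFilterPolicy | Set-HostedOutboundSpamFilterPolicy -AutoForwardingMode Off

# Hunt: mailbox-level forwarding set before the block took effect.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Hunt: inbox rules that forward or redirect (the client-side rules in 5.4).
foreach ($m in $mailboxes) {
    Get-InboxRule -Mailbox $m.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n='Mailbox';e={ $m.UserPrincipalName }}, Name, Enabled, ForwardTo, RedirectTo
}
```

The two hunts are the useful part after the settings are applied: a forwarding rule created before the remote-domain block is still a sign the mailbox may have been compromised and belongs in an investigation queue.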

## 6. SharePoint Online + OneDrive

- [ ] External sharing: most restrictive practical (default = allow only existing guests; tighten per site)
- [ ] Anyone links: disabled at tenant level (require specific people)
- [ ] Default link permissions: View (not Edit), expiration enabled (e.g. 30 days)
- [ ] Block downloads on unmanaged devices: applied via Conditional Access (CA010)
- [ ] Sensitivity labels: configured for site classification
- [ ] DLP policies: cover credit cards, NHS / NI / passport numbers, AWS keys, OAuth tokens
- [ ] Restrict SharePoint admin centre access to PIM activation only

## 7. Microsoft Teams

- [ ] External access (federation): allow-list specific domains, block all others
- [ ] Guest access: allowed for specific teams only (per-team setting)
- [ ] Anonymous join in meetings: disabled (or restricted)
- [ ] Meeting recording: store in OneDrive of organiser, expiration configured
- [ ] Voice / video: meeting policies match risk profile of audience
- [ ] App permission policies: block 3rd-party apps unless approved via app catalog

## 8. Defender for Office 365 + Defender XDR

- [ ] Defender for Office 365 P2 (or P1 + Add-on for Sentinel data ingest) — depends on licensing
- [ ] Threat Explorer: review attack signals weekly
- [ ] Attack simulator: quarterly phishing simulation campaign
- [ ] Automated investigation and response (AIR): enabled, review actions weekly
- [ ] Incidents in Defender XDR: integrated with SIEM (Sentinel)

## 9. Audit + monitoring

- [ ] Unified audit log: enabled (verify with `Search-UnifiedAuditLog`)
- [ ] Mailbox auditing: enabled for all mailboxes
- [ ] Audit log retention: minimum 90 days (E3) or 1 year (E5); use Audit Log Retention Policies for longer
- [ ] Defender for Cloud Apps: connected to Microsoft 365 (if licensed)
- [ ] Sentinel data connectors enabled: Entra ID sign-in, audit, Office 365, Defender XDR
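A verification of the audit controls above that also proves break-glass sign-ins are reaching the unified audit log, added as an example and not part of the original baseline. It assumes the ExchangeOnlineManagement module; the UPNs are placeholders.

```powershell
# Added example: verify audit logging (section 9) and confirm break-glass sign-ins are logged.
# Assumes ExchangeOnlineManagement module; break-glass UPNs are placeholders.
Connect-ExchangeOnline

# Unified audit log ingestion must be on and mailbox auditing must not be disabled tenant-wide.
$ingest      = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
$orgAuditOff = (Get-OrganizationConfig).AuditDisabled
if (-not $ingest) {
    Write-Warning 'Unified audit log ingestion is OFF: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
}
if ($orgAuditOff) {
    Write-Warning 'Mailbox auditing disabled tenant-wide: Set-OrganizationConfig -AuditDisabled $false'
}

# Mailboxes that bypass auditing are a blind spot; there should be none.
$bypass = Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where-Object { $_.AuditBypassEnabled }
if ($bypass) { Write-Warning 'Audit bypass enabled for:'; $bypass | Select-Object Name | Format-Table }

# Prove the log is searchable: break-glass logons in the last 90 days.
$breakGlass = @('breakglass-1@yourtenant.onmicrosoft.com','breakglass-2@yourtenant.onmicrosoft.com')
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -UserIds $breakGlass -RecordType AzureActiveDirectoryStsLogon -ResultSize 500

# Every row should match an entry in the quarterly break-glass test log; anything else is an incident.
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When   = $_.CreationDate
        User   = $_.UserIds
        Op     = $_.Operations
        IP     = $d.ClientIP
        Result = $d.ResultStatus
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```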

## 10. Endpoint compliance (Intune)

- [ ] Device compliance policies: encryption required, password policy enforced, OS minimum version, AV present, jailbreak / root blocked
- [ ] Conditional Access uses compliance signal (CA004 + CA010 already covered)
- [ ] App protection policies for BYOD: data protection (no copy-paste to unmanaged apps), wipe on unenrol
- [ ] Update rings: defined for Windows + Office (pilot → broad)
- [ ] Defender for Endpoint deployed as compliance signal

## 11. Secure Score targets (12-week trajectory)

| Week | Target Secure Score |
|---|---|
| 0 (baseline) | Whatever you have today (often 35-50%) |
| 4 | 60% — quick wins (legacy auth, MFA, audit log, SPF/DKIM/DMARC) |
| 8 | 75% — Conditional Access pilot complete, Defender preset policies applied |
| 12 | 85%+ — PIM live, sensitivity labels, DLP, Defender for Office 365 fully tuned |

Don't chase Secure Score for its own sake — some recommendations don't fit every org. But moving from 40% to 85% covers the high-impact gaps.

## 12. Common findings (audit / pen test)

1. **Legacy auth still allowed** for "that one printer / scanner / app" — find a replacement.
2. **Global Admin held permanently** by 4-6 people — should be 0 (only break-glass).
3. **External auto-forwarding silently allowed** — common exfil vector.
4. **No DMARC** — inbound spoofing vector.
5. **Anonymous links shared and never expired** — wide-open documents.
6. **App consent permissive** — illicit consent attacks succeed.
7. **Audit log not enabled** before incident — no forensics.
8. **No PIM** — admin permissions used for daily work.
9. **MFA exempt for "service accounts"** that turn out to be human accounts.
10. **Guest accounts from 3 years ago** still active.

## 13. Implementation order (pragmatic 12-week)

| Week | Task |
|---|---|
| 1 | Break-glass accounts + monitoring; baseline Secure Score |
| 2 | Disable legacy auth (CA001), enforce MFA (CA002), enable audit log |
| 3 | DMARC monitor mode, SPF, DKIM |
| 4 | Conditional Access pilot group + CA003-CA010 in pilot |
| 5 | Promote CA policies to production after pilot |
| 6 | PIM rollout for all admin roles |
| 7 | Defender for Office 365 preset policies (Standard + Strict) |
| 8 | Disable external auto-forward, tighten OAuth consent |
| 9 | SharePoint / OneDrive sharing restrictions, DLP starter |
| 10 | Intune compliance + app protection policies |
| 11 | Sensitivity labels + DLP for sensitive content |
| 12 | Phishing simulation, document baseline, schedule re-baseline |

## 14. Maintenance cadence

- **Weekly:** Risky sign-in / risky user review, quarantine review
- **Monthly:** Defender XDR incidents review, Conditional Access policy effectiveness
- **Quarterly:** PIM access review, guest account purge, attack simulator campaign, break-glass test
- **Annually:** Full re-baseline against latest CIS benchmark, Secure Score reset goal

## 15. Useful related VantagePoint material

- `/access-review` — quarterly access certification (covers Entra roles + group memberships)
- `/security-policy-drafter` — generates the policy docs auditors expect
- `/incident-responder` — for any account compromise that gets through
- `/zero-trust-assessor` — gap analysis against ZTA principles (this baseline is one piece)
- `azure-landing-zone-reference.md` — broader Azure tenant alongside M365
- `cyber-essentials-plus-readiness.md` — CE+ explicitly references many of these controls
- `iso27001-annex-a-evidence-pack.md` — maps M365 controls to A.5.15-18, A.8.1-7
- `sentinel-kql-detection-pack.md` — detections for the abuse patterns above

## 16. References

- Microsoft Secure Score: https://security.microsoft.com/securescore
- CIS Microsoft 365 Foundations Benchmark: https://www.cisecurity.org/benchmark/microsoft_365
- Microsoft Zero Trust deployment guides: https://learn.microsoft.com/en-us/security/zero-trust/
- Cybersecurity & Infrastructure Security Agency (CISA) M365 hardening guidance

---

**Authored by:** VantagePoint Networks (Hak, Senior Engineer & Author)

**Licence:** MIT — adapt freely.
