Default Microsoft 365 settings are not secure enough for real business use. Here is the hardening baseline RE2 Tech applies on every managed tenant.
Microsoft 365 out of the box is a productivity platform, not a secure business platform. The default settings prioritize ease of use and backward compatibility. Making a Microsoft 365 tenant actually secure requires applying a hardening baseline. This article walks through the baseline RE2 Tech applies on every managed tenant.
MFA required for every user account through Conditional Access rather than the legacy per-user MFA setting, so the requirement can be scoped, reported on in audit logs, and combined with other conditions. Legacy authentication (protocols that cannot complete an MFA challenge, such as basic-auth POP, IMAP, SMTP AUTH and older ActiveSync clients) blocked by Conditional Access. Risk-based sign-in policies that block or challenge suspicious sign-ins based on sign-in risk, location and device; the risk-based policies need Entra ID P2. Administrative roles held by dedicated admin accounts that are never used for email or daily work. Emergency access (break-glass) accounts excluded from every Conditional Access policy that could lock administrators out, protected with long random passwords or FIDO2 keys stored offline, and monitored so that any sign-in raises an alert.
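The identity items above, as an added example in Microsoft Graph PowerShell. This is not RE2 Tech's script; the break-glass group name, the policy display names and the report-only starting state are assumptions. Policies are created in report-only mode so the sign-in log shows what they would have done before they are switched to enabled.

```powershell
# Added example (not RE2 Tech's own script): creates the identity baseline policies with
# Microsoft Graph PowerShell. Group name, policy names and starting state are assumptions.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Break-glass accounts must be excluded from anything that could lock admins out.
# The group name is an assumption; adjust to your tenant.
$breakGlass = Get-MgGroup -Filter "displayName eq 'SEC-BreakGlass-Accounts'"
if (-not $breakGlass) { throw "Create and populate the break-glass group before deploying CA policies." }

$allUsersExceptBreakGlass = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
$allApps                  = @{ includeApplications = @("All") }

$policies = @(
  @{
    displayName   = "BASE01 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    conditions    = @{ users = $allUsersExceptBreakGlass; applications = $allApps; clientAppTypes = @("all") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
  },
  @{
    displayName   = "BASE02 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    # "exchangeActiveSync" and "other" are the client app types that cannot complete MFA
    conditions    = @{ users = $allUsersExceptBreakGlass; applications = $allApps; clientAppTypes = @("exchangeActiveSync", "other") }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
  },
  @{
    displayName   = "BASE03 - Require MFA on medium or high sign-in risk"
    state         = "enabledForReportingButNotEnforced"
    # Sign-in risk conditions require Entra ID P2 (Identity Protection)
    conditions    = @{ users = $allUsersExceptBreakGlass; applications = $allApps; clientAppTypes = @("all"); signInRiskLevels = @("medium", "high") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
  }
)

$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
  if ($existing | Where-Object DisplayName -eq $p.displayName) {
    Write-Host "Skipping existing policy: $($p.displayName)"
    continue
  }
  $new = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
  Write-Host "Created $($new.DisplayName) [$($new.State)] id=$($new.Id)"
}

# Review: anything still in report-only mode after the review window is an open item.
Get-MgIdentityConditionalAccessPolicy -All | Select-Object DisplayName, State | Format-Table -AutoSize
```

Per-user MFA has no exclusion mechanism, which is exactly why break-glass accounts end up unprotected or locked out under it; the Conditional Access version above carries the exclusion explicitly and fails the run if the group does not exist yet.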
Anti-phishing policies enabled, including impersonation protection for executives and for your own domains. Safe Links and Safe Attachments configured (both are Defender for Office 365 features). SPF, DKIM and DMARC published for every sending domain, with DMARC moved from p=none to p=quarantine or p=reject once the aggregate reports show that legitimate mail is aligned. External sender tagging enabled so users can see at a glance that a message came from outside the organization. Mailbox auditing turned on for all mailboxes and verified, since individual mailboxes can have auditing bypassed. Transport rules that reject executable and script attachment types, and automatic forwarding to external domains disabled at the tenant level.
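An added example in Exchange Online PowerShell that applies the auditing, forwarding, external-tag, DKIM and attachment-rule items from this section and finishes with a DNS check of SPF and DMARC. It is not RE2 Tech's script; the domain, the rule name and the blocked extension list are assumptions, and Safe Links, Safe Attachments and the anti-phishing presets are left to the Defender portal.

```powershell
# Added example (not RE2 Tech's own script): email baseline with Exchange Online PowerShell.
# Domain, rule name and the attachment extension list are assumptions.
# Requires: Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$domain = "contoso.com"   # assumed sending domain

# 1. Mailbox auditing: the org-level switch must be on, and each mailbox must not be bypassed.
if ((Get-OrganizationConfig).AuditDisabled) { Set-OrganizationConfig -AuditDisabled $false }
Get-EXOMailbox -ResultSize Unlimited -PropertySets Audit |
  Where-Object { -not $_.AuditEnabled } |
  ForEach-Object { Set-Mailbox -Identity $_.Identity -AuditEnabled $true }

# 2. External sender tag in Outlook and Outlook on the web.
Set-ExternalInOutlook -Enabled $true

# 3. Stop automatic forwarding to the internet at the remote-domain level; this also
#    neutralizes user-created forwarding rules that point outside the tenant.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 4. DKIM: Microsoft publishes two selector CNAMEs that must exist in DNS before signing is enabled.
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim) { $dkim = New-DkimSigningConfig -DomainName $domain -Enabled $false }
"Publish these CNAME records, then run: Set-DkimSigningConfig -Identity $domain -Enabled `$true"
"selector1._domainkey.$domain -> $($dkim.Selector1CNAME)"
"selector2._domainkey.$domain -> $($dkim.Selector2CNAME)"

# 5. Transport rule rejecting executable and script attachments. The list is an assumption;
#    extend it for the file types your business never needs to receive by mail.
$blockedExt = @("exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "ps1", "hta", "msi", "iso", "img", "lnk")
$ruleName   = "BASE - Block dangerous attachments"
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
  New-TransportRule -Name $ruleName `
    -AttachmentExtensionMatchesWords $blockedExt `
    -RejectMessageReasonText "Attachment type blocked by policy" `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Enforce
}

# 6. DNS sanity check for SPF and DMARC (Resolve-DnsName comes with Windows' DnsClient module).
#    An SPF record without "-all" (or at least "~all") and a DMARC record at p=none are the
#    two most common gaps.
Resolve-DnsName -Name $domain -Type TXT | Where-Object Strings -match "^v=spf1" | Select-Object -ExpandProperty Strings
Resolve-DnsName -Name "_dmarc.$domain" -Type TXT | Select-Object -ExpandProperty Strings
```

The DKIM step deliberately stops short of enabling signing: the CNAMEs have to resolve first, otherwise outbound mail from the domain fails DKIM and, once DMARC is enforced, gets quarantined.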
SharePoint and OneDrive sharing restricted to prevent accidental external sharing: no anonymous "Anyone" links, external sharing limited to existing guests or to an allow-list of partner domains, and new share links defaulting to people inside the organization with view permission. DLP policies for the sensitive data types your business handles, started in test mode and tightened once the reports are understood. Sensitivity labels for important documents. Versioning, with enough versions kept to roll back an encrypted file, and retention policies that protect against accidental deletion and ransomware.
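An added example, not RE2 Tech's own script, that sets the tenant sharing controls above with the SharePoint Online Management Shell, lists sites that still allow external sharing, and creates a starter DLP policy in test mode. The tenant name, the partner domain allow-list and the credit-card sensitive information type are assumptions.

```powershell
# Added example (not RE2 Tech's own script): sharing restrictions and a starter DLP policy.
# Tenant name, allowed partner domains and the DLP sensitive information type are assumptions.
# Requires: Install-Module Microsoft.Online.SharePoint.PowerShell, ExchangeOnlineManagement
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$watched = "SharingCapability", "OneDriveSharingCapability", "DefaultSharingLinkType",
           "DefaultLinkPermission", "PreventExternalUsersFromResharing", "SharingDomainRestrictionMode"
$before  = Get-SPOTenant | Select-Object $watched

$sharing = @{
  SharingCapability                 = "ExistingExternalUserSharingOnly"  # no anonymous "Anyone" links; guests must already exist
  OneDriveSharingCapability         = "ExistingExternalUserSharingOnly"
  DefaultSharingLinkType            = "Internal"   # a new share link defaults to people in the org
  DefaultLinkPermission             = "View"
  PreventExternalUsersFromResharing = $true
  SharingDomainRestrictionMode      = "AllowList"  # guests only from these domains (assumption)
  SharingAllowedDomainList          = "partner-one.example partner-two.example"
}
Set-SPOTenant @sharing

"Before:"; $before | Format-List
"After:";  Get-SPOTenant | Select-Object $watched | Format-List

# Site-level sharing can be tighter than the tenant setting but never looser. List the sites
# that still permit any external sharing so each one is a conscious decision.
Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -ne "Disabled" } |
  Select-Object Url, SharingCapability | Format-Table -AutoSize

# DLP: start in test mode so the reports show what would have been blocked before enforcing.
Connect-IPPSSession
$policyName = "BASE - Credit card numbers"
if (-not (Get-DlpCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
  New-DlpCompliancePolicy -Name $policyName -Mode TestWithNotifications `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
  New-DlpComplianceRule -Name "$policyName - block external access" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization -BlockAccess $true -NotifyUser Owner
}
```

Capturing the tenant settings before and after makes the change reviewable in a ticket, and the site listing is the check most tenants skip: a tenant-wide setting looks tight while a handful of old sites were never revisited.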
Intune enrollment required for devices that access company data, with app protection policies covering personally owned phones where full enrollment is not acceptable. Device compliance policies that require disk encryption, a passcode or PIN, and a supported operating system version, and that mark a failing device non-compliant without a long grace period. Conditional Access policies that grant access to company data only from compliant devices.
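The device items above, as an added example in Microsoft Graph PowerShell: a Windows compliance policy with encryption, password and OS-version requirements, assigned to all devices, followed by the Conditional Access policy that requires a compliant device. This is not RE2 Tech's script; the policy names, the OS version floor, the all-devices assignment target and the break-glass group name are assumptions, and the cmdlet and property names are those of the Microsoft.Graph module, so verify them against the module version you install.

```powershell
# Added example (not RE2 Tech's own script): Intune compliance policy plus the Conditional
# Access policy that consumes it. Names, OS floor and assignment target are assumptions.
# Requires: Install-Module Microsoft.Graph.DeviceManagement, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

$compliance = @{
  "@odata.type"            = "#microsoft.graph.windows10CompliancePolicy"
  displayName              = "BASE - Windows compliance"
  description              = "Encryption, password, OS floor, Defender and firewall"
  passwordRequired         = $true
  passwordBlockSimple      = $true
  passwordMinimumLength    = 8
  bitLockerEnabled         = $true
  secureBootEnabled        = $true
  storageRequireEncryption = $true
  activeFirewallRequired   = $true
  defenderEnabled          = $true
  osMinimumVersion         = "10.0.19045"   # assumption: Windows 10 22H2 floor; raise to your supported build
  # Graph requires at least one scheduled action. "block" with a zero-hour grace period marks the
  # device non-compliant immediately so Conditional Access can deny it.
  scheduledActionsForRule  = @(
    @{
      ruleName                      = "PasswordRequired"
      scheduledActionConfigurations = @(@{ actionType = "block"; gracePeriodHours = 0 })
    }
  )
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance
"Created compliance policy $($policy.DisplayName) id=$($policy.Id)"

# Assign to all devices (assumption; a group target is the usual choice for a staged rollout).
Invoke-MgAssignDeviceManagementDeviceCompliancePolicy -DeviceCompliancePolicyId $policy.Id -BodyParameter @{
  assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } })
}

# Conditional Access: only compliant devices reach company data. Break-glass accounts are
# excluded (group name is an assumption) and the policy starts in report-only mode.
$breakGlass = Get-MgGroup -Filter "displayName eq 'SEC-BreakGlass-Accounts'"
if (-not $breakGlass) { throw "Create the break-glass group before deploying CA policies." }
$ca = @{
  displayName   = "BASE04 - Require compliant device"
  state         = "enabledForReportingButNotEnforced"
  conditions    = @{
    users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
    applications   = @{ includeApplications = @("All") }
    clientAppTypes = @("all")
  }
  grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
$new = New-MgIdentityConditionalAccessPolicy -BodyParameter $ca
"Created $($new.DisplayName) [$($new.State)]"
```

Leave the Conditional Access policy in report-only mode until the sign-in log shows that every device people actually work from has enrolled and evaluates as compliant; enabling it first produces a lockout, not a security improvement.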
Alert policies for suspicious sign-ins, mass file downloads, inbox rules that forward or delete mail, and privilege elevation. A named person reviewing the security reports daily or weekly; an alert nobody reads is not a control. Microsoft Defender for Office 365 enabled where licensing permits.
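An added review script for the forwarding-rule item above, not RE2 Tech's own code. It reads mailbox forwarding settings, inbox rules that forward, redirect or delete mail, and the last week of rule-creation events from the unified audit log; it changes nothing. The seven-day window and the treatment of every non-accepted domain as external are assumptions, and the parsing of rule targets relies on the "Name [SMTP:address]" display form that Get-InboxRule returns.

```powershell
# Added example (not RE2 Tech's own script): find mail forwarding set by admins or users and
# see who created inbox rules recently. Read-only. Window and domain logic are assumptions.
# Requires: Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline
$internalDomains = (Get-AcceptedDomain).DomainName   # anything else is treated as external

# 1. Mailbox-level forwarding (admin-set or via the user's OWA settings).
Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
  Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
  Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
  Format-Table -AutoSize

# 2. Inbox rules that forward, redirect or delete. After a successful phish, attackers add
#    rules like these to intercept replies and hide security notices.
function Test-External([string[]]$addresses) {
  foreach ($a in $addresses) {
    # Rule targets render as "Display Name [SMTP:user@domain]"; pull the domain out.
    $smtp = ($a -split "\[SMTP:")[-1].TrimEnd("]")
    $dom  = ($smtp -split "@")[-1]
    if ($dom -and $internalDomains -notcontains $dom) { return $true }
  }
  return $false
}

$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
  foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
    $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
    if ($targets -or $rule.DeleteMessage) {
      [pscustomobject]@{
        Mailbox  = $mbx.UserPrincipalName
        Rule     = $rule.Name
        Enabled  = $rule.Enabled
        External = Test-External $targets
        Deletes  = $rule.DeleteMessage
        Targets  = ($targets -join "; ")
      }
    }
  }
}
$findings | Sort-Object External, Deletes -Descending | Format-Table -AutoSize

# 3. Who created or changed rules in the last 7 days (needs mailbox auditing to be on).
#    A rule created from an unfamiliar ClientIP minutes after a risky sign-in is the classic pattern.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
  -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000 |
  ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{ When = $_.CreationDate; User = $_.UserIds; Operation = $_.Operations; ClientIP = $d.ClientIP }
  } | Sort-Object When -Descending | Format-Table -AutoSize
```

The built-in alert policies fire on rule creation; this script is the complementary check that catches rules created before alerting was switched on, which is where compromised mailboxes tend to hide.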
Third-party backup of Microsoft 365 data. The built-in retention is not a substitute for real backup. If your users delete data or ransomware encrypts OneDrive files, you need an independent backup to recover from.
Some of these protections depend on licensing. Microsoft 365 Business Premium covers most of the baseline (Entra ID P1 for Conditional Access, Intune, Defender for Office 365 Plan 1 for Safe Links and Safe Attachments, and Purview for DLP and sensitivity labels); the risk-based sign-in policies need Entra ID P2, which comes with E5. Microsoft 365 E3 includes Intune and Entra ID P1 but not Defender for Office 365, so it needs that add-on. If you are on a basic plan, upgrade at least the users who hold admin roles or handle sensitive data. The licensing cost is a small fraction of what a real security incident would cost.
Questions? Call 952-223-4422 or compare managed IT vs break-fix.
Call an RE2 Tech engineer today and get a specific proposal within 72 hours. No pressure, no long pitch.
952-223-4422 | helpdesk@re2tech.com