secvalley/m365-security-baseline
M365 Security Baseline

A practical, no-nonsense security hardening baseline for Microsoft 365 tenants. Each control is something you can actually go and do today.

Built and maintained by SecValley - because "we'll get to it later" is not a security strategy.


How to Use This

Work through each section and tick off what you've implemented. Controls are tagged by severity:

  • Critical - Fix this now. Seriously.
  • High - Should be done within a sprint or two.
  • Medium - Important, but won't ruin your weekend if it waits a bit.
  • Low - Nice hardening. Good hygiene.

Not every control will apply to every organization. Read the "why" before flipping a switch, especially in large tenants where a misconfigured transport rule can ruin a lot of people's mornings.


Exchange Online

  • [Critical] Enable multi-factor authentication for all mailbox users - Credential stuffing against mailboxes is still one of the most common initial access vectors. MFA should be enforced through Conditional Access, not per-user MFA settings, so you get proper reporting and policy flexibility. (Microsoft Docs - Conditional Access and MFA)

  • [Critical] Disable legacy authentication protocols - Protocols like POP3, IMAP, and SMTP AUTH do not support modern authentication. Attackers love them because MFA doesn't apply. Block them via authentication policies or Conditional Access. (Microsoft Docs - Disable Basic Authentication)

  • [Critical] Configure anti-phishing policies with mailbox intelligence - Turn on mailbox intelligence, spoof intelligence, and impersonation protection in Microsoft Defender for Office 365. Set actions to quarantine rather than just adding a safety tip. (Microsoft Docs - Anti-phishing Policies)

  • [High] Enable audit logging for all mailboxes - Mailbox audit logging has been on by default since 2019, but verify it hasn't been disabled. You need these logs for incident response. Check that owner, delegate, and admin actions are all being captured. (Microsoft Docs - Mailbox Auditing)

  • [High] Configure DKIM and DMARC for all accepted domains - SPF alone is not enough. Enable DKIM signing for every domain, then publish a DMARC record. Start with p=none and monitor, then move to p=quarantine or p=reject once you're confident. (Microsoft Docs - DKIM)

  • [High] Block auto-forwarding rules to external domains - Attackers frequently set up mail forwarding rules to exfiltrate data after compromising a mailbox. Use a mail flow rule to block external auto-forwarding, or set it via the outbound anti-spam policy. (Microsoft Docs - Outbound Spam Filtering)

  • [High] Enable Safe Attachments and Safe Links (Defender for Office 365) - Safe Attachments detonates files in a sandbox before delivery. Safe Links rewrites URLs and checks them at click time. Both should be enabled org-wide with policies covering all recipients. (Microsoft Docs - Safe Attachments)

  • [Medium] Restrict who can create and manage mail flow (transport) rules - Transport rules can silently redirect, copy, or delete mail. Limit the Exchange admin role and regularly audit existing transport rules for anything unexpected. (Microsoft Docs - Mail Flow Rules)

  • [Medium] Disable SMTP AUTH submission globally, enable per-mailbox only where needed - SMTP AUTH is the last remaining basic auth vector for many tenants. Disable it at the org level and only enable it for specific service accounts that genuinely need it (like printers or LOB apps). (Microsoft Docs - Enable or Disable SMTP AUTH)

  • [Low] Configure external sender tagging - Mark emails from external senders with a visual indicator in Outlook. It's a small thing, but it helps users spot phishing and impersonation attempts, especially when the display name matches an internal contact. (Microsoft Docs - External Email Tagging)
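The following script is an added example, not part of this repository, showing how to audit and apply the auto-forwarding, SMTP AUTH, mailbox auditing, and DKIM/DMARC controls above with the ExchangeOnlineManagement module. It assumes the Exchange Administrator role and a Windows host for Resolve-DnsName; the service-account address is a placeholder.

```powershell
# Added example (not from the repository). Assumes the Exchange Administrator role.
Connect-ExchangeOnline

# 1. Auto-forwarding: block it in the outbound spam policy, then hunt for forwarding
#    that is already configured, both mailbox-level and via inbox rules. Forwarding
#    to an external address is one of the most common post-compromise indicators.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, ForwardTo, RedirectTo, Enabled
}

# 2. SMTP AUTH: off for the whole tenant, re-enabled only for service accounts that
#    genuinely submit mail this way (placeholder account below).
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Set-CASMailbox -Identity 'svc-printer@contoso.example' -SmtpClientAuthenticationDisabled $false

# 3. Mailbox auditing: confirm it is on org-wide and list any mailbox that bypasses it.
Get-OrganizationConfig | Select-Object AuditDisabled            # expect False
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled

# 4. DKIM and DMARC: every accepted domain should sign outbound mail and publish a
#    DMARC policy. p=none is a monitoring start, not a finished state.
foreach ($d in Get-AcceptedDomain) {
    $dkim  = Get-DkimSigningConfig -Identity $d.DomainName -ErrorAction SilentlyContinue
    $dmarc = (Resolve-DnsName -Name "_dmarc.$($d.DomainName)" -Type TXT -ErrorAction SilentlyContinue).Strings -join ''
    [pscustomobject]@{
        Domain      = $d.DomainName
        DkimEnabled = [bool]$dkim.Enabled
        Dmarc       = $dmarc
    }
}
```

Run the auditing parts first and review the output before applying the Set-* lines; a forwarding rule created by a user for a legitimate reason still deserves a conversation before it is removed.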


SharePoint and OneDrive

  • [Critical] Restrict external sharing to authenticated guests only - The default sharing settings in many tenants are far too permissive. At minimum, disable anonymous "Anyone" links. Require guests to authenticate, and consider limiting sharing to guests in specific domains. (Microsoft Docs - Sharing Settings)

  • [Critical] Block downloads from unmanaged devices - Use Conditional Access app-enforced restrictions to prevent users on personal or unmanaged devices from downloading files from SharePoint and OneDrive. Allow browser-only access if needed. (Microsoft Docs - Control Access from Unmanaged Devices)

  • [High] Enable sensitivity labels for documents and sites - Sensitivity labels let you classify and protect content based on its sensitivity. Apply labels to documents automatically or manually, and use them to enforce encryption, watermarking, and access controls. (Microsoft Docs - Sensitivity Labels)

  • [High] Set default sharing link type to "Specific People" - When users click "Share," the default link type matters a lot. Set it to "Specific People" (direct share) rather than "Anyone with the link" or "People in your organization." Fewer accidental over-shares this way. (Microsoft Docs - Default Sharing Link Type)

  • [High] Configure expiration and permissions for guest access - Guest access should not be indefinite. Set expiration policies for guest accounts and review guest access regularly. Require guests to re-authenticate periodically. (Microsoft Docs - Guest Expiration)

  • [High] Enable versioning on document libraries - Versioning provides a recovery path when files are corrupted, overwritten, or hit by ransomware. Enable it on all document libraries and set a reasonable version limit (50-100 major versions is usually fine). (Microsoft Docs - Versioning)

  • [Medium] Restrict site creation to specific users or groups - By default, all users can create SharePoint sites and Microsoft 365 groups. This leads to sprawl and ungoverned data stores. Limit site creation to IT or designated users and establish a request process. (Microsoft Docs - Manage Site Creation)

  • [Medium] Disable legacy SharePoint authentication workflows - Some older SharePoint authentication methods bypass modern auth controls. Review and disable any custom authentication providers and ensure all access flows through Entra ID with Conditional Access enforced. (Microsoft Docs - SharePoint Authentication)

  • [Medium] Review and restrict SharePoint app-only access - App-only permissions (via Azure AD app registrations or SharePoint Add-ins) can have broad access to site content without user context. Audit app registrations that have Sites.Read.All or Sites.FullControl.All permissions. (Microsoft Docs - App-Only Access)

  • [Low] Configure idle session timeout for SharePoint - If a user walks away from their browser while viewing sensitive documents, you want the session to expire. Set idle session sign-out policies, especially for unmanaged device scenarios. (Microsoft Docs - Idle Session Timeout)
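The following is an added example, not part of this repository, that captures the SharePoint Online tenant settings behind the sharing, default link, unmanaged device, and guest expiration controls above, then applies the hardened values with the Microsoft.Online.SharePoint.PowerShell module. It assumes the SharePoint Administrator role; the tenant name "contoso" and the partner domain are placeholders.

```powershell
# Added example (not from the repository). Assumes the SharePoint Administrator role.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

# Before: record the current state so the change is reviewable and reversible.
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, ConditionalAccessPolicy, ExternalUserExpirationRequired,
    ExternalUserExpireInDays, SharingDomainRestrictionMode, SharingAllowedDomainList
$before

# A permissive tenant typically reports values like these (constructed illustration,
# not output from a real tenant):
#   SharingCapability       : ExternalUserAndGuestSharing   <- "Anyone" links allowed
#   DefaultSharingLinkType  : AnonymousAccess               <- new links are anonymous
#   ConditionalAccessPolicy : AllowFullAccess               <- unmanaged devices can download
#   ExternalUserExpirationRequired : False                  <- guests never expire

# After: authenticated guests only, "Specific people" links with view permission by
# default, browser-only access from unmanaged devices, guest access that expires after
# 60 days, and sharing limited to the partner domains you actually work with.
Set-SPOTenant `
    -SharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Direct `
    -DefaultLinkPermission View `
    -ConditionalAccessPolicy AllowLimitedAccess `
    -ExternalUserExpirationRequired $true `
    -ExternalUserExpireInDays 60 `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList 'partner.example'

# Verify: site-level settings can still be looser than the tenant allows only if the
# tenant permits it, but list any site that was explicitly set to anonymous sharing.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability
```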


Microsoft Teams

  • [Critical] Restrict external access to approved domains only - By default, Teams allows federation with all external tenants. Lock this down to only the partner domains you actually work with, or disable it entirely and use guest access instead. (Microsoft Docs - External Access)

  • [Critical] Control guest access permissions in Teams - If guest access is enabled, make sure guests can't create or delete channels, add or remove apps, or share files without oversight. Review guest permissions in the Teams admin center and apply the principle of least privilege. (Microsoft Docs - Guest Access)

  • [High] Restrict which apps users can install - The Teams app store is open by default. Users can install third-party apps that may access organizational data. Block all third-party apps by default and allow only vetted apps through an approval process. (Microsoft Docs - App Permission Policies)

  • [High] Configure meeting policies to prevent anonymous join - Anonymous users joining meetings is a data leak risk. Disable anonymous join for meetings, or at minimum require organizer approval in the lobby. Also consider disabling dial-in bypass for the lobby. (Microsoft Docs - Meeting Policies)

  • [High] Disable email integration for channels if not needed - Each Teams channel can have an email address for inbound mail. If nobody is using this feature, disable it. It's another ingress point for phishing or spam content that bypasses Exchange transport rules. (Microsoft Docs - Email Integration)

  • [High] Review and restrict who can create teams and private channels - Uncontrolled team creation leads to data sprawl and shadow IT. Use Microsoft 365 group creation restrictions to limit who can spin up new teams, and have a process for private channel requests. (Microsoft Docs - Team Creation)

  • [Medium] Enforce meeting recording storage and access controls - Meeting recordings land in OneDrive or SharePoint. Make sure the storage location is governed, recordings inherit site permissions, and retention policies apply so recordings don't live forever. (Microsoft Docs - Meeting Recording)

  • [Medium] Configure data loss prevention policies for Teams chat - DLP policies can detect and block sensitive data (credit card numbers, personal IDs, health records) from being shared in Teams chats and channels. Extend your existing DLP policies to cover Teams. (Microsoft Docs - DLP for Teams)

  • [Medium] Restrict file sharing in Teams chats to managed domains - By default, users can share files in 1:1 and group chats. Combined with external access, files could end up in the wrong hands. Review your file sharing policies and restrict where needed. (Microsoft Docs - Messaging Policies)

  • [Low] Disable third-party cloud storage integration - Teams can integrate with Dropbox, Google Drive, Box, and other cloud storage providers. If your organization standardizes on OneDrive/SharePoint, disable the other providers to prevent data from leaking into unmanaged storage. (Microsoft Docs - Cloud Storage Settings)
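The following is an added example, not part of this repository, that applies the external access, guest channel, anonymous join, channel email, and third-party storage controls above with the MicrosoftTeams module. It assumes the Teams Administrator role; "partner.example" is a placeholder partner domain.

```powershell
# Added example (not from the repository). Assumes the Teams Administrator role.
Connect-MicrosoftTeams

# External access: keep federation on, but only with an explicit allow list of partner
# domains instead of every tenant in the world.
$allowList = New-CsEdgeAllowList -AllowedDomain @(
    New-CsEdgeDomainPattern -Domain 'partner.example'      # placeholder partner domain
)
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# Guest permissions: channel structure is a per-team setting, so walk every team and
# stop guests from creating, updating, or deleting channels.
foreach ($team in Get-Team) {
    Set-Team -GroupId $team.GroupId `
        -AllowGuestCreateUpdateChannels $false `
        -AllowGuestDeleteChannels $false
}

# Meetings: no anonymous join, only people in the organization bypass the lobby, and
# dial-in callers wait in the lobby too.
Set-CsTeamsMeetingPolicy -Identity Global `
    -AllowAnonymousUsersToJoinMeeting $false `
    -AutoAdmittedUsers 'EveryoneInCompany' `
    -AllowPSTNUsersToBypassLobby $false

# Client configuration: close the channel e-mail ingress point and the third-party
# storage providers that would let files leave OneDrive/SharePoint governance.
Set-CsTeamsClientConfiguration -Identity Global `
    -AllowEmailIntoChannel $false `
    -AllowDropBox $false `
    -AllowGoogleDrive $false `
    -AllowBox $false `
    -AllowShareFile $false `
    -AllowEgnyte $false

# Verify the results before closing the change.
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains
Get-CsTeamsMeetingPolicy -Identity Global |
    Select-Object AllowAnonymousUsersToJoinMeeting, AutoAdmittedUsers, AllowPSTNUsersToBypassLobby
Get-CsTeamsClientConfiguration -Identity Global |
    Select-Object AllowEmailIntoChannel, AllowDropBox, AllowGoogleDrive, AllowBox
```

Policy changes in Teams can take some time to propagate to clients, so verify again after an hour before signing the control off.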


Tenant-Wide Settings

  • [Critical] Enable Security Defaults or implement a Conditional Access baseline - If you don't have Entra ID P1/P2, enable Security Defaults at minimum. If you do, build a Conditional Access baseline that enforces MFA, blocks legacy auth, requires compliant devices for sensitive apps, and defines named locations. (Microsoft Docs - Security Defaults)

  • [Critical] Enable Unified Audit Log and set retention to maximum - The Unified Audit Log is your single most important forensic data source in M365. Verify it's enabled, increase retention (default is 180 days, E5 gets 365 days), and consider exporting logs to a SIEM for longer retention. (Microsoft Docs - Audit Log)

  • [Critical] Restrict Global Administrator count and enforce PIM - You should have no more than 2-4 Global Admins, and ideally they should use Privileged Identity Management (PIM) for just-in-time activation. Break-glass accounts are an exception, but those should be monitored closely. (Microsoft Docs - PIM)

  • [High] Disable user consent to third-party applications - By default, users can grant third-party apps access to organizational data. This is a major OAuth phishing vector. Disable user consent and require admin approval for all app registrations. (Microsoft Docs - User Consent)

  • [High] Enable Microsoft Secure Score monitoring - Secure Score gives you a measurable baseline and improvement roadmap. Review it regularly, assign improvement actions to owners, and track progress over time. It's not perfect, but it's a solid starting point. (Microsoft Docs - Secure Score)

  • [High] Configure alerts for high-risk sign-ins and risky users - Set up alert policies in the Microsoft 365 Defender portal for impossible travel, sign-ins from anonymous IP addresses, leaked credentials, and other risk detections. Don't just enable them; make sure someone is actually watching. (Microsoft Docs - Risk Detections)

  • [High] Enforce named locations and block sign-ins from high-risk countries - If your organization only operates in certain geographies, there is no reason to allow sign-ins from everywhere. Define named locations and create a Conditional Access policy to block or require extra verification for unexpected regions. (Microsoft Docs - Named Locations)

  • [Medium] Configure data retention and deletion policies - Define retention policies for Exchange, SharePoint, OneDrive, and Teams. Data should not live forever, and you need clear policies for both retention (for compliance) and deletion (for minimizing exposure). (Microsoft Docs - Retention Policies)

  • [Medium] Review and clean up stale guest accounts quarterly - Guest accounts accumulate over time and are often forgotten. Set up a recurring access review in Entra ID Governance, or at minimum run a quarterly PowerShell script to find and remove guests who haven't signed in recently. (Microsoft Docs - Access Reviews)

  • [Medium] Enable Customer Lockbox - Customer Lockbox gives you approval control when Microsoft support engineers need to access your tenant data during a service request. It's an E5 feature, but if you have the license, turn it on. (Microsoft Docs - Customer Lockbox)

  • [Low] Disable self-service license assignments and trials - Users can sign up for trial licenses and self-service purchases by default. This creates unmanaged workloads and data stores that IT doesn't know about. Disable self-service purchasing via PowerShell. (Microsoft Docs - Self-Service Purchase)
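The following is an added example, not part of this repository, of the quarterly stale-guest review mentioned above, written against the Microsoft.Graph PowerShell SDK. It assumes the caller has User.Read.All and AuditLog.Read.All (plus User.ReadWrite.All for removal) and that the tenant has Entra ID P1 so that sign-in activity is available; the script reports only unless -Remove is passed.

```powershell
# Added example (not from the repository). Save as Find-StaleGuests.ps1 (name is a
# placeholder) and run it quarterly; -Remove actually deletes the accounts it lists.
param(
    [int]$StaleDays = 90,
    [switch]$Remove
)

Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'User.ReadWrite.All'

$cutoff = (Get-Date).AddDays(-$StaleDays)

# signInActivity is only returned when explicitly selected and needs AuditLog.Read.All.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id, DisplayName, Mail, CreatedDateTime, SignInActivity

$stale = foreach ($g in $guests) {
    # A guest who never signed in has no SignInActivity at all. Treat the creation date
    # as the last meaningful event so that abandoned invitations are caught as well.
    $last = $g.SignInActivity.LastSignInDateTime
    if (-not $last) { $last = $g.CreatedDateTime }

    if ($last -lt $cutoff) {
        [pscustomobject]@{
            Id           = $g.Id
            DisplayName  = $g.DisplayName
            Mail         = $g.Mail
            LastActivity = $last
        }
    }
}

"{0} of {1} guests have been inactive for more than {2} days" -f @($stale).Count, @($guests).Count, $StaleDays
$stale | Sort-Object LastActivity | Format-Table DisplayName, Mail, LastActivity -AutoSize

if ($Remove) {
    foreach ($s in $stale) {
        # Soft delete: the account sits in the recycle bin for 30 days and can be restored
        # if a guest turns out to be needed after all.
        Remove-MgUser -UserId $s.Id
        "Removed guest $($s.Mail)"
    }
}
```

Run it once without -Remove, share the list with the sponsors who invited those guests, and only then run it with -Remove; an access review in Entra ID Governance automates exactly this loop if you hold the license.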


Going Further

This baseline covers the essentials. For continuous, automated M365 security assessment with 400+ controls, attack path analysis, and compliance mapping, check out SecValley CSPM.


Contributing

Found a control that's missing, outdated, or just plain wrong? Open a PR or file an issue. Security is a moving target, and this document benefits from community input.

Please keep contributions practical - every control should be something an admin can actually implement, not a theoretical best practice nobody follows.


License

This project is licensed under the MIT License. See LICENSE for details.


Maintained by SecValley

About

Microsoft 365 security hardening baseline. Practical controls for Exchange Online, SharePoint, OneDrive, Teams, and Entra ID.
