This baseline assumes Business Standard, Business Premium, or Enterprise E3/E5 licensing. Some controls require Business Premium or higher. Where a control is license-gated we call it out.
Identity & access
- ✓ Security defaults disabled, Conditional Access enforced instead (finer-grained)
- ✓ MFA required for every user, no exceptions; cover service accounts with certificate-based authentication or an app password where possible
- ✓ Block legacy authentication (POP, IMAP, SMTP basic auth, ActiveSync basic) at the tenant level
- ✓ Block sign-in from countries where you don't operate (country-based Conditional Access)
- ✓ Require compliant device or hybrid-joined device for sensitive roles (Business Premium+)
- ✓ Self-service password reset enabled
- ✓ Privileged Identity Management (PIM) for admin roles — just-in-time elevation (E5 / EMS E5)
Email protection
- ✓ DMARC enforcement on your sending domain (not just p=none)
- ✓ SPF and DKIM aligned and published for all sending sources
- ✓ Anti-phishing policy with impersonation protection on VIP accounts
- ✓ Safe Attachments and Safe Links enabled (Defender for Office 365 — Business Premium+)
- ✓ External-sender banner on all inbound email
- ✓ Block auto-forwarding to external addresses (a classic post-compromise attacker move)
- ✓ Quarantine review rhythm — weekly at minimum
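The first two email items can be verified mechanically from the published DNS records. This is an added example, not part of the baseline itself: it scores SPF and DMARC TXT records (passed in as strings, so the constructed samples run offline) against the checklist, catching p=none, a pct= that silently dilutes enforcement, +all/?all and the ten-lookup limit. DKIM is left out because checking it needs the selector name.

```python
import re

# SPF mechanisms/modifiers that each cost one of the ten permitted DNS lookups.
_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_dmarc(record: str) -> list[str]:
    """Baseline findings for a _dmarc TXT record; an empty list means it passes."""
    if not record.strip().startswith("v=DMARC1"):
        return ["no valid DMARC record published"]
    tags = {}
    for kv in record.split(";"):
        if "=" in kv:
            key, val = kv.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none is monitor-only; baseline requires p=quarantine or p=reject")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:  # pct=0 is 'enforced on paper' only
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are not collected")
    return findings

def check_spf(record: str) -> list[str]:
    """Baseline findings for an SPF TXT record; an empty list means it passes."""
    if not record.strip().startswith("v=spf1"):
        return ["no valid SPF record published"]
    terms = record.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    findings = []
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms[-1] in ("+all", "all"):
        findings.append("+all authorises any host on the internet to send as this domain")
    elif all_terms[-1] == "?all":
        findings.append("?all is neutral; use -all (or ~all while tuning)")
    lookups = sum(re.split(r"[:=/]", t.lstrip("+-~?"))[0].lower() in _LOOKUP_TERMS for t in terms)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (receivers return permerror)")
    return findings

if __name__ == "__main__":  # constructed sample records, not a real tenant's DNS
    monitor = ("v=spf1 include:spf.protection.outlook.com ~all", "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
    enforced = ("v=spf1 include:spf.protection.outlook.com -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
    for spf, dmarc in (monitor, enforced):
        print(check_spf(spf) + check_dmarc(dmarc) or ["passes baseline"])
```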
Device management (Intune)
- ✓ All company devices enrolled in Intune
- ✓ BitLocker enforced on all Windows devices, FileVault on all Macs
- ✓ OS update compliance policy: no device more than 7 days behind current patch
- ✓ Application control — only approved apps can install on company devices (Business Premium+)
- ✓ Remote-wipe capability tested annually
Data protection (Purview)
- ✓ Sensitivity labels configured for Internal, Confidential, and PII/PHI categories
- ✓ DLP policies blocking SSN, credit-card, and (for healthcare) PHI from leaving the tenant
- ✓ Retention policies aligned to your legal and regulatory requirements
- ✓ Sharing restrictions on SharePoint / OneDrive — no anonymous links for confidential labels
- ✓ Audit log retention set to 1 year minimum (90 days default; longer requires E5 or compliance add-on)
SharePoint & OneDrive
- ✓ Site-level access reviews quarterly
- ✓ External sharing off by default, enabled per-site where business requires it
- ✓ Link defaults: 'Specific people' not 'Anyone with the link'
- ✓ SharePoint version history retained 90+ days
- ✓ OneDrive KFM (Known Folder Move) enabled so Desktop/Documents/Pictures back up automatically
Teams
- ✓ External federation limited to partner tenants only, not open
- ✓ Meeting lobby enforced for external participants
- ✓ Recording retention set; recordings land in a reviewable location
- ✓ App permission policy limits what third-party Teams apps users can add
Audit & response
- ✓ Unified audit log enabled and reviewed (at least via an alerting tool)
- ✓ Risky-sign-in alerts routed to your MSP or security team
- ✓ Impossible-travel detection enabled
- ✓ Mailbox audit on all accounts
- ✓ Documented incident-response runbook for a compromised M365 account
What this baseline does NOT cover
- CMMC / HIPAA / SOC 2-specific controls beyond the M365 configuration
- Backup — M365's retention is not backup; you need a third-party M365 backup (Acronis, CrashPlan, Datto, etc.)
- On-premises Active Directory hardening (if you still run AD)
- Identity governance at enterprise scale — PIM access reviews, access packages
