Over the years, I have compiled “Best practices” checklists and implementation guides for several popular Microsoft cloud services, for example:
- Azure Active Directory
- Microsoft Endpoint Manager (i.e., Intune)
- Microsoft Office 365 (Exchange, SharePoint, Teams, etc.)
- Microsoft Defender for Business (MDE for the SMB)
- And more
You can obtain the best practices checklists & guides from the Store. Each publication is updated regularly (at least annual or sometimes semi-annual updates), and yes, your purchase *includes* those future updates.
If you would like a free sample, see the Microsoft 365 Business Security Essentials Guide.
Quick and Easy: Some best practices you can implement today
Just want decent security for your tenant with minimal effort? I recommend you do these four things:
Implement Security Defaults or equivalent Conditional Access policies
- Make sure end users are aware that they will be asked to register their security information for Multi-Factor Authentication (MFA)
- Go to the Azure AD Admin center and navigate to Azure Active Directory > Properties > Manage security defaults. Set the option Enable security defaults to Yes. Note: Every user will be prompted to register their security information within 14 days.
- If you prefer to use custom Conditional Access policies (allows you to make exceptions or specify additional rules for device and location-aware policies), then turn off the Security defaults, and see these articles on Microsoft Docs:
Turn on Standard protection using the Preset security policies
- Navigate to the Security center > Policies & rules > Threat policies
- Click Preset security policies
- Under Standard protection click Manage and complete the wizard to enable for all users in the tenant (add the entire domain)
- Consider Strict protection for sensitive users who are considered “higher value” targets. Note however that these users may have more false positives in their junk mail/quarantine as a result.
Always use separate admin accounts for tenant administration
- If you have a user account called “Mary Smith” and Mary is your administrator, make sure she also has an account called “Mary Smith Admin” or similar so that she does not use her daily account where she receives email, etc. for administrative tasks inside the tenant.
- Create a new user for administrative purposes from the Admin center > Users > Active users;
- Licensing for this account is entirely optional; you can just select Create user without a product license
- Make sure to specify Admin center access > Global administrator role when you create the account.
- Remove the role from your normal user account, Click Manage roles, and make sure it is set to User (no admin center access)
- Sometimes administrators need less access than Global administrator to do their job. Consider using other roles where appropriate such as:
- Helpdesk administrator (licensing changes, password resets, etc.)
- Billing administrator (manage subscriptions, pay bills, etc.)
- And more (See this article for a list of built-in roles)
Monitor important events in your tenant using Alert policies
- To use Alert policies, you must first enable the Unified audit log; from the Security center go to Audit and click Start recording user and admin activity.
- From the Security center navigate to Policies & rules > Alert policy.
- For each policy in the list, Edit the policy and specify an email address where alerts can be monitored.
- Consider adding custom policies; see this script which will install additional policies to monitor important changes in Azure AD