Best Practices

Over the years, I have compiled “Best practices” checklists and implementation guides for several popular Microsoft cloud services, for example:

  • Azure Active Directory
  • Microsoft Endpoint Manager (i.e., Intune)
  • Microsoft Office 365 (Exchange, SharePoint, Teams, etc.)
  • Microsoft Defender for Business (MDE for the SMB)
  • And more

You can obtain the best practices checklists & guides from the Store. Each publication is updated regularly (at least annually, sometimes semi-annually), and yes, your purchase *includes* those future updates.


If you would like a free sample, see the Microsoft 365 Business Security Essentials Guide.

Quick and Easy: Some best practices you can implement today

Just want decent security for your tenant with minimal effort? I recommend you do these four things:

Implement Security Defaults or equivalent Conditional Access policies
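Security Defaults and Conditional Access are mutually exclusive: the Security Defaults toggle cannot be switched on while any Conditional Access policy exists, and once you move to Conditional Access it is your policies, not the toggle, that must carry the MFA requirement. The following is an added example (not code from this page or its author) that checks which of the two the tenant is on with Microsoft Graph PowerShell and enables Security Defaults only when it is safe to; it assumes the Microsoft.Graph.Identity.SignIns module is installed and that you sign in with an account allowed to write policy.

```powershell
# Added example, not from the original page. Assumes Microsoft.Graph.Identity.SignIns
# is installed; the scopes below are the Graph permissions needed to read and write
# the Security Defaults and Conditional Access policy objects.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$caPolicies       = Get-MgIdentityConditionalAccessPolicy -All

if ($securityDefaults.IsEnabled) {
    Write-Host "Security Defaults are already enabled."
}
elseif ($caPolicies.Count -gt 0) {
    # Tenant is on Conditional Access: the toggle would be refused anyway, and the
    # real question is whether the "equivalent" policies are actually enforced.
    # Possible states: enabled, disabled, enabledForReportingButNotEnforced.
    Write-Host "Security Defaults are off; $($caPolicies.Count) Conditional Access policies exist."
    $caPolicies | Select-Object DisplayName, State | Format-Table -AutoSize

    $notEnforced = $caPolicies | Where-Object { $_.State -ne 'enabled' }
    if ($notEnforced) {
        Write-Warning ("Not enforced (report-only or disabled): " +
            ($notEnforced.DisplayName -join ', '))
    }
}
else {
    # No Conditional Access policies: Security Defaults is the minimal-effort baseline.
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
    Write-Host "Security Defaults enabled."
}
```

If the script reports Conditional Access policies that are still in report-only mode, those are the ones to finish and enable; report-only policies log what they would have done but block nothing.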

Turn on Standard protection using the Preset security policies

  • Navigate to the Security center > Policies & rules > Threat policies
  • Click Preset security policies
  • Under Standard protection click Manage and complete the wizard to enable for all users in the tenant (add the entire domain)
  • Consider Strict protection for sensitive users who are considered “higher value” targets. Note however that these users may have more false positives in their junk mail/quarantine as a result.
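The same result can be scripted with Exchange Online PowerShell, which is useful when you manage several tenants or want the scope to be repeatable. The block below is an added example (not code from this page or its author) that scopes the Standard preset to every accepted domain and the Strict preset to a short list of higher-value mailboxes; the VIP addresses are made up. It assumes the preset rules already exist, because Exchange only creates the "Standard Preset Security Policy" and "Strict Preset Security Policy" rules the first time each preset is turned on in the portal, so run the wizard once before using this.

```powershell
# Added example, not from the original page. Requires the ExchangeOnlineManagement module.
# Assumption: the preset rules exist (the portal wizard has been run at least once).
Connect-ExchangeOnline

# Constructed sample list of "higher value" targets who get Strict protection
$vips = @("ceo@contoso.com", "cfo@contoso.com")

# All domains the tenant accepts mail for: the scripted equivalent of "add the entire domain"
$domains = (Get-AcceptedDomain).DomainName

function Enable-Preset {
    param(
        [ValidateSet("Standard", "Strict")] [string] $Level,
        [hashtable] $Scope   # e.g. @{ RecipientDomainIs = $domains } or @{ SentTo = $vips }
    )
    $ruleName = "$Level Preset Security Policy"

    # EOP rule: anti-spam, anti-malware, anti-phishing
    if (Get-EOPProtectionPolicyRule -Identity $ruleName -ErrorAction SilentlyContinue) {
        Set-EOPProtectionPolicyRule -Identity $ruleName @Scope
        Enable-EOPProtectionPolicyRule -Identity $ruleName
    } else {
        Write-Warning "$ruleName (EOP) not found; turn the $Level preset on once in the portal first."
    }

    # Defender for Office 365 rule (Safe Links / Safe Attachments), present only with an MDO plan
    if (Get-ATPProtectionPolicyRule -Identity $ruleName -ErrorAction SilentlyContinue) {
        Set-ATPProtectionPolicyRule -Identity $ruleName @Scope
        Enable-ATPProtectionPolicyRule -Identity $ruleName
    }
}

# Standard for everyone in the tenant
Enable-Preset -Level Standard -Scope @{ RecipientDomainIs = $domains }

# Strict for the VIP list only. Strict has a higher priority than Standard, so these
# recipients get Strict and everyone else in the same domains falls through to Standard.
Enable-Preset -Level Strict -Scope @{ SentTo = $vips }

# Verify: each rule should show State Enabled and the expected scope
Get-EOPProtectionPolicyRule | Format-List Name, State, Priority, RecipientDomainIs, SentTo
```

Because the Strict rule sits above Standard, a mailbox that appears in both scopes is evaluated by Strict first; that is what gives the VIPs the stricter quarantine behaviour mentioned above.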

Always use separate admin accounts for tenant administration

  • If Mary Smith is your administrator and her daily account is “Mary Smith”, give her a second account called “Mary Smith Admin” or similar, and use only that account for administrative tasks in the tenant. Her daily account, where she receives email and browses the web, should hold no admin roles.
  • Create the administrative user from the Admin center > Users > Active users:
    • Licensing for this account is entirely optional; you can select Create user without a product license
    • Under Admin center access, assign the Global administrator role when you create the account
    • Then remove the role from the normal user account: open the user, click Manage roles, and make sure it is set to User (no admin center access)
  • Many administrators need less than Global administrator to do their job. Assign a narrower built-in role where it fits, such as:
    • Helpdesk administrator (licensing changes, password resets, etc.)
    • Billing administrator (manage subscriptions, pay bills, etc.)
    • And more (See this article for a list of built-in roles)
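The same separation can be done with Microsoft Graph PowerShell, which also makes it easy to verify afterwards that the daily account really lost the role. The block below is an added example (not code from this page or its author): it creates an unlicensed admin-only account with a random temporary password, adds it to a role, and removes that role from the daily account. The user names and domain are made up, and `$roleName` can be swapped for a narrower role such as "Helpdesk Administrator". It assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules are installed.

```powershell
# Added example, not from the original page. Names and domain are constructed.
Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

$dailyUpn = "mary.smith@contoso.com"        # daily account that currently holds the role
$adminUpn = "mary.smith.admin@contoso.com"  # new admin-only account: no mailbox, no license
$roleName = "Global Administrator"          # or a narrower role, e.g. "Helpdesk Administrator"

# Random temporary password (24 bytes, base64); the user must change it at first sign-in.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)

$admin = New-MgUser -AccountEnabled `
    -DisplayName "Mary Smith Admin" `
    -MailNickname "mary.smith.admin" `
    -UserPrincipalName $adminUpn `
    -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }

# Built-in roles are activated from a template on first use; activate if this one never was.
$role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $roleName
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# Add the admin-only account to the role
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($admin.Id)"
}

# Remove the role from the daily account so email, browsing and admin work are separated
$daily   = Get-MgUser -UserId $dailyUpn
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
if ($members.Id -contains $daily.Id) {
    Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $daily.Id
}

# Verify: expect True for the admin account and False for the daily account
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
"$adminUpn holds $roleName : $($members.Id -contains $admin.Id)"
"$dailyUpn holds $roleName : $($members.Id -contains $daily.Id)"

# Hand the temporary password to Mary out of band, never by email to the daily account
Write-Host "Temporary password for $adminUpn (must be changed at first sign-in): $tempPassword"
```

The new account has no mailbox, so it cannot receive phishing mail, and because Security Defaults (or your Conditional Access policies) apply to it, Mary will be prompted to register MFA at her first sign-in.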

Monitor important events in your tenant using Alert policies

  • To use Alert policies, you must first enable the Unified audit log; from the Security center go to Audit and click Start recording user and admin activity.
  • From the Security center navigate to Policies & rules > Alert policy.
  • For each policy in the list, edit the policy and specify an email address where alerts will be received; a monitored shared mailbox is better than one person's inbox.
  • Consider adding custom policies; see this script which will install additional policies to monitor important changes in Azure AD
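Both steps, turning on the unified audit log and adding custom alert policies, can also be done from PowerShell. The block below is an added example written for this page; it is not the script linked above and not code from the page's author. It enables audit log ingestion, lists the existing alert policies with their recipients, and creates single-event alert policies for a few Azure AD changes that typically signal an attacker consolidating access. It uses the ExchangeOnlineManagement module (Connect-ExchangeOnline for the audit setting, Connect-IPPSSession for alert policies). The alert mailbox is made up, and the operation strings are assumed to match the operation names recorded in the unified audit log for these events; check them against a real entry in your own tenant before relying on them.

```powershell
# Added example, not from the original page and not the script it links to.
# Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    # Alert policies depend on this; it can take a while to start producing records
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

Connect-IPPSSession
$alertMailbox = "secalerts@contoso.com"   # constructed: a monitored shared mailbox, not a person's inbox

# Review what already exists and where each policy reports
Get-ProtectionAlert | Format-Table Name, Category, Severity, NotifyUser, Disabled

# Assumption: these are the unified audit log operation names for the events we care about
$customAlerts = @(
    @{ Name = "Role membership added";       Operation = "Add member to role.";                Severity = "High"   },
    @{ Name = "Federation settings changed"; Operation = "Set federation settings on domain."; Severity = "High"   },
    @{ Name = "Application consent granted"; Operation = "Consent to application.";            Severity = "Medium" },
    @{ Name = "Service principal added";     Operation = "Add service principal.";             Severity = "Medium" }
)

foreach ($a in $customAlerts) {
    $name = "Custom: $($a.Name)"
    if (Get-ProtectionAlert -Identity $name -ErrorAction SilentlyContinue) {
        Write-Host "Already present: $name"
        continue
    }
    # AggregationType None fires on every single matching event rather than on a threshold
    New-ProtectionAlert -Name $name `
        -Category AccessGovernance `
        -ThreatType Activity `
        -Operation $a.Operation `
        -AggregationType None `
        -Severity $a.Severity `
        -NotifyUser $alertMailbox `
        -Description "Fires on every '$($a.Operation)' event in the unified audit log" | Out-Null
    Write-Host "Created: $name"
}
```

Single-event policies are deliberately noisy for these operations: a role assignment or a federation change is rare enough in a small tenant that every occurrence deserves a look.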
