365 Standards\Best Practices

Tenant Level Checking
  • Check 2FA is enabled for all staff
  • Correct licensing (no surplus or unassigned licenses)

  • If Azure AD Connect is used with password sync, make sure passwords cannot be changed in 365 unless the tenant has Azure AD P1

  • 365 has email Filtering Inbound and Outbound
  • DKIM/SPF and DMARC records (Vali for DMARC)
  • 365 backup and continuity (Mimecast and Veeam)

  • Technical Contact is correct and Notifications are set for service outage

  • Tenant Location is in right Global Datacenter
  • Check litigation hold: Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (LitigationHoldEnabled -eq $False)} | Format-List Name, LitigationHoldEnabled

  • Check mailbox auditing: Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (AuditEnabled -eq $False)} | Format-List Name, AuditEnabled
    Check that tenant auditing is enabled (both should come back 'True'):
    Get-AdminAuditLogConfig | Format-List AdminAuditLogEnabled, UnifiedAuditLogIngestionEnabled

  • Search the unified audit log for failed user logins (Search-UnifiedAuditLog has no -Filter parameter; the operation is selected with -Operations):
    Search-UnifiedAuditLog -StartDate 1/1/2018 -EndDate 8/8/2018 -Operations UserLoginFailed | Format-List UserIds, CreationDate

  • Retention policy – Get-RetentionPolicy (make sure there is a tenant retention policy if the license allows one)
  • Check that no mailbox has retention hold enabled (otherwise archiving won't work): Get-Mailbox -ResultSize Unlimited | Where-Object {$_.RetentionHoldEnabled -eq $true} | Format-Table Name, RetentionPolicy, RetentionHoldEnabled -Auto
  • Deleted items retention – Get-Mailbox -ResultSize Unlimited | Where-Object {[TimeSpan]"$($_.RetainDeletedItemsFor)" -lt [TimeSpan]::FromDays(30)} | Format-Table Name, RetainDeletedItemsFor (increase deleted items retention from the default 14 days to 30 days)

  • Run Secure Score in O365 – https://securescore.microsoft.com/ (possibly also https://support.office.com/en-us/article/how-to-check-office-365-service-health-932ad3ad-533c-418a-b938-6e44e8bc33b0 for checking service health?)

  • Check modern auth is enabled on Exchange Online: Get-OrganizationConfig | Format-Table Name, OAuth* -Auto
  • Check and Report on any Email Forwarders -> https://gcits.com/knowledge-base/find-external-forwarding-mailboxes-office-365-customer-tenants-powershell/
  • Check for any flows that have been set up – you will need to create a flow in Microsoft Flow under the domain account to search out existing flows and review them, disabling any that forward email, and alert a domain admin

  • Check OAuth – audit the OAuth applications on the domain (in case the first step was not locked down) via https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AppAppsPreview (this is as close as you can get to the M365 Microsoft Cloud App Security portal) and revoke anything that shouldn't be there. Check whether users may consent to apps:
    Get-MsolCompanyInformation | Select-Object DisplayName, UsersPermissionToUserConsentToAppEnabled
  • Check spam policy (https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365-atp?view=o365-worldwide)
    • Image links to remote sites = OFF
    • Numeric IP addresses = ON
    • URL redirect to other port = ON
    • URL to .biz or .info websites = ON
    • Empty messages = ON
    • JavaScript or VBScript in HTML = ON
    • Frame or iFrame tags in HTML = ON
    • Object tags in HTML = ON
    • Embed tags in HTML = ON
    • Form tags in HTML = ON
    • Web bugs in HTML = ON
    • Apply sensitive word list = ON
    • SPF record hard fail = ON
    • Conditional sender ID hard fail = ON
    • NDR backscatter = ON
  • Check that basic auth in O365 has been disabled
  • Make sure there is a documented onmicrosoft.com administrator account in case anything goes wrong with AD Connect sync
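The per-mailbox items in the list above (litigation hold, mailbox auditing, deleted-item retention and external forwarding via mailbox settings or inbox rules) can be reported in one pass. The script below is an added example, not part of the original checklist; it assumes a connected Exchange Online PowerShell session with rights to read inbox rules, and the function names are the author's own.

```powershell
# Added example (not from the original checklist). Assumes Connect-ExchangeOnline has been run.
function Test-ExternalTarget {
    param([string]$Target, [string[]]$InternalDomains)
    # Rule recipients come back as strings like '"Name" [SMTP:user@example.net]';
    # internal recipients appear as [EX:...] with no SMTP part, so they are not flagged.
    if ($Target -match 'SMTP:([^\]]+)') {
        return ($Matches[1].Split('@')[-1] -notin $InternalDomains)
    }
    return $false
}

function Get-MailboxHygieneReport {
    param([int]$MinDeletedItemDays = 30)
    # Accepted domains define what counts as "internal" for forwarding checks
    $internalDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" }

    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
        $mbx = $_
        # Inbox rules that forward, forward-as-attachment or redirect to an external address
        $rules = Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue
        $externalRules = foreach ($rule in $rules) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($t in $targets) {
                if ($t -and (Test-ExternalTarget "$t" $internalDomains)) { $rule.Name; break }
            }
        }
        # Mailbox-level forward is stored as 'smtp:user@domain'
        $smtpForward = "$($mbx.ForwardingSmtpAddress)" -replace '^smtp:', ''
        $externalSmtpForward = if ($smtpForward -and
            ($smtpForward.Split('@')[-1] -notin $internalDomains)) { $smtpForward } else { $null }

        # RetainDeletedItemsFor is an EnhancedTimeSpan; its string form casts cleanly to TimeSpan
        $deletedDays = ([TimeSpan]"$($mbx.RetainDeletedItemsFor)").Days
        $issues = @()
        if (-not $mbx.LitigationHoldEnabled)      { $issues += 'NoLitigationHold' }
        if (-not $mbx.AuditEnabled)               { $issues += 'AuditDisabled' }
        if ($deletedDays -lt $MinDeletedItemDays) { $issues += "DeletedItemsUnder${MinDeletedItemDays}d" }
        if ($externalSmtpForward)                 { $issues += 'ExternalForward' }
        if ($externalRules)                       { $issues += 'ExternalInboxRule' }

        [pscustomobject]@{
            Mailbox             = $mbx.UserPrincipalName
            DeletedItemDays     = $deletedDays
            ExternalSmtpForward = $externalSmtpForward
            ExternalRules       = ($externalRules -join '; ')
            Issues              = ($issues -join ',')
        }
    }
}

Get-MailboxHygieneReport | Where-Object Issues | Format-Table -AutoSize
```

Get-InboxRule is called once per mailbox, so on a large tenant expect the report to take a while; pipe the output to Export-Csv to keep a record of the run.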

Tenant Level Changing
  • Set litigation hold for all mailboxes: Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach-Object {Set-Mailbox $_.Identity -LitigationHoldEnabled $true}

  • Set mailbox auditing for all mailboxes: Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | ForEach-Object {Set-Mailbox $_.Identity -AuditEnabled $true}

  • Disable users being able to consent to (install) 3rd party apps and plugins: Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false

Disabling Basic Authentication on Exchange Online

# If the AuthenticationPolicy column is empty, no authentication policy is applied and basic auth is allowed
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Where-Object { $null -eq $_.AuthenticationPolicy } | Select-Object UserPrincipalName, AuthenticationPolicy

# Create a new policy to disable basic auth (a policy created with no Allow* parameters blocks basic auth for every protocol)
New-AuthenticationPolicy -Name "Disable Basic Auth"

# Assign the new auth policy to all mailboxes and invalidate existing refresh tokens so the change takes effect immediately
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Set-User -AuthenticationPolicy "Disable Basic Auth" -StsRefreshTokensValidFrom $([System.DateTime]::UtcNow)

# Set the default auth policy for the org, i.e. the policy applied to any mailbox without one assigned. An assigned policy takes precedence over the default.
Set-OrganizationConfig -DefaultAuthenticationPolicy <PolicyIdentity>

Side effects of disabling basic auth:

– App Passwords will stop working
– The account must be recreated in the iOS Mail app, and any application accounts should be changed from App Password to Modern Auth (just to be safe).
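After the policy is created and assigned, it is worth confirming that it really blocks every basic-auth protocol and that no mailbox is left without a policy while the org default is unset. The function below is an added verification example, not part of the original post; it assumes a connected Exchange Online PowerShell session and the policy name "Disable Basic Auth" used above.

```powershell
# Added verification example (not from the original post). Assumes Connect-ExchangeOnline has been run.
function Test-BasicAuthDisabled {
    param([string]$PolicyName = "Disable Basic Auth")

    $policy = Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction Stop
    # Every AllowBasicAuth* switch on the policy must be $false, otherwise that protocol still accepts basic auth
    $openProtocols = $policy.PSObject.Properties |
        Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
        Select-Object -ExpandProperty Name

    # Mailboxes with no explicit policy fall back to the org default; if that is empty, basic auth is open for them
    $defaultPolicy = (Get-OrganizationConfig).DefaultAuthenticationPolicy
    $unassigned = Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { [string]::IsNullOrEmpty($_.AuthenticationPolicy) } |
        Select-Object -ExpandProperty UserPrincipalName

    [pscustomobject]@{
        PolicyName            = $PolicyName
        ProtocolsStillAllowed = @($openProtocols)
        OrgDefaultPolicy      = "$defaultPolicy"
        UnassignedMailboxes   = @($unassigned)
        Compliant             = (@($openProtocols).Count -eq 0) -and
                                (@($unassigned).Count -eq 0 -or "$defaultPolicy" -like "*$PolicyName*")
    }
}

Test-BasicAuthDisabled | Format-List
```

A non-empty ProtocolsStillAllowed list means the policy was created or later edited with one of the -AllowBasicAuth* switches set, and should be corrected with Set-AuthenticationPolicy before relying on it.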