365 Standards\Best Practices

CIS -> https://www.cisecurity.org/benchmark/microsoft_365

Blueprint

https://blueprint.oobe.com.au/blueprint/office-365/

Free SIEM, why not? https://www.blumira.com/pricing/

Tenant-Level Checks

  • Check 2FA is enabled for all staff
  • Is https://config.office.com/ being used? OneDrive Sync Health \ Update Policies
  • Correct licensing (no purchased licenses left unassigned)
  • If Azure AD is set up for password sync, make sure passwords cannot be changed in 365 if they don't have Azure AD P1
  • Check Defender for Endpoint best practices
  • https://office365itpros.com/2021/03/11/external-email-tagging-exo/
  • 365 has inbound and outbound email filtering
  • SPF should end with -all
  • https://office365itpros.com/2021/07/20/block-self-service-purchases-of-windows-365-licenses/
  • Brand the login page to help stop phishing attacks
  • Outbound and inbound spam policies should be enabled for Defender 365
  • Safety Tips in Emails – Enable First Contact Safety Tip for Exchange Online (admindroid.com)
  • DKIM: rotate keys at least every six months, minimum 2048-bit key
  • DMARC records (set the policy to none if there is no reporting) (Vali for DMARC)
  • 365 Backup and Continuity (Mimecast and Veeam)
  • Technical Contact is correct and Notifications are set for service outage
  • Global Litigation hold
  • Check Mailbox auditing
  • https://ourcloudnetwork.com/limit-local-administrators-on-microsoft-entra-joined-devices/
  • Risky users
  • Check Configuration analyzer https://security.microsoft.com/configurationAnalyzer
  • E5: have they run Attack simulation training?
  • Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AdditionalStorageProvidersAvailable $false
  • Azure AD logs 90 days (E5 license for 1 year)
  • Retention policy – Get-RetentionPolicy (make sure there's a tenant retention policy if the license admits one)
  • Check no Retention Policy Hold (otherwise archiving won't work): Get-Mailbox -ResultSize Unlimited | Where-Object {$_.RetentionHoldEnabled -eq $true} | Format-Table Name,RetentionPolicy,RetentionHoldEnabled -Auto
  • Deleted items retention – Get-Mailbox -ResultSize Unlimited | Where-Object {[timespan][string]$_.RetainDeletedItemsFor -lt (New-TimeSpan -Days 30)} | Format-Table Name,RetainDeletedItemsFor (increase deleted items retention from the 14-day default to 30 days)
  • Run the Secure Score in O365 – https://securescore.microsoft.com/ ( https://support.office.com/en-us/article/how-to-check-office-365-service-health-932ad3ad-533c-418a-b938-6e44e8bc33b0 ? )
  • Identity Secure Score as well
  • Check modern auth is enabled on Exchange Online Get-OrganizationConfig | Format-Table Name,OAuth* -Auto
  • Check and Report on any Email Forwarders -> https://gcits.com/knowledge-base/find-external-forwarding-mailboxes-office-365-customer-tenants-powershell/
  • Check for any flows set up – you will need to create a flow in Microsoft Flow under the domain account to search out flows and check them, disabling any that forward email, or alert a domain admin
  • Check OAuth – audit the OAuth applications on the domain where you didn't have the first step locked down, via: https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AppAppsPreview (this is as close as you can get to the M365 Microsoft Cloud App Security portal) and revoke anything that shouldn't be there
    Get-MsolCompanyInformation | Select DisplayName, UsersPermissionToUserConsentToAppEnabled
  • Enable Zero-hour auto purge (ZAP) for anti-spam and anti-malware
  • Check Spam Policy ( https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365-atp?view=o365-worldwide )
    • Image links to remote sites = OFF
    • Numeric IP addresses = ON
    • URL redirect to other port = ON
    • URL to .biz or .info websites = ON
    • Empty messages = ON
    • JavaScript or VBScript in HTML = ON
    • Frame or iframe tags in HTML = ON
    • Object tags in HTML = ON
    • Embed tags in HTML = ON
    • Form tags in HTML = ON
    • Web bugs in HTML = ON
    • Apply sensitive word list = ON
    • SPF record hard fail = ON
    • Conditional sender ID hard fail = ON
    • NDR backscatter = ON
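
As an added example (not from the original page), a single pass over all mailboxes that reports the three mailbox-level items from the checklist above in one go: retention hold enabled, deleted-item retention under 30 days, and any forwarding, whether set on the mailbox or via an inbox rule. It assumes an active Exchange Online session (Connect-ExchangeOnline); the 30-day threshold is the page's own recommendation and the "external" test uses the tenant's accepted domains.

```powershell
# Added example, not the page's own code. Assumes Connect-ExchangeOnline has been run.
$Threshold = New-TimeSpan -Days 30
$Internal  = (Get-AcceptedDomain).DomainName

function Test-ExternalAddress ([string] $Address) {
    # Accepts 'smtp:user@x.com', 'user@x.com' or the inbox-rule form '"Name" [SMTP:user@x.com]'.
    # An entry with no SMTP address (an internal recipient display name) is treated as internal.
    if ($Address -match '@([A-Za-z0-9.-]+)') { return ($Internal -notcontains $Matches[1]) }
    return $false
}

function Get-MailboxFindings {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $issues = @()
        # Retention hold pauses MRM processing, so archive/retention policies do not run
        if ($mbx.RetentionHoldEnabled) { $issues += 'RetentionHold (blocks archive processing)' }
        # RetainDeletedItemsFor is returned as a timespan string such as 14.00:00:00
        if ([timespan][string]$mbx.RetainDeletedItemsFor -lt $Threshold) {
            $issues += "DeletedItemsRetention=$($mbx.RetainDeletedItemsFor)"
        }
        # Mailbox-level forwarding (internal recipient or external SMTP address)
        if ($mbx.ForwardingAddress) { $issues += "ForwardingAddress=$($mbx.ForwardingAddress)" }
        if (Test-ExternalAddress $mbx.ForwardingSmtpAddress) {
            $issues += "ExternalSmtpForward=$($mbx.ForwardingSmtpAddress)"
        }
        # Inbox rules can forward or redirect too; flag any with an external target
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($t in $targets) {
                if (Test-ExternalAddress ([string]$t)) { $issues += "Rule '$($rule.Name)' -> $t" }
            }
        }
        if ($issues) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Issues = ($issues -join '; ') }
        }
    }
}

Get-MailboxFindings | Format-Table -AutoSize -Wrap
```

Review the forwarding findings before removing anything; shared mailboxes and legitimate internal forwards will show up alongside the suspicious ones.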
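
The spam policy settings listed above can be checked for drift across every anti-spam policy in the tenant rather than eyeballed in the portal. This is an added example, not the page's own code; it assumes an Exchange Online session (Connect-ExchangeOnline) and uses the parameter names of Set-HostedContentFilterPolicy that correspond to each item in the list.

```powershell
# Added example, not from the original page. Desired values mirror the list on this page;
# each key is the Set-HostedContentFilterPolicy parameter for that ASF setting.
$Desired = [ordered]@{
    IncreaseScoreWithImageLinks          = 'Off'   # Image links to remote sites
    IncreaseScoreWithNumericIps          = 'On'    # Numeric IP addresses
    IncreaseScoreWithRedirectToOtherPort = 'On'    # URL redirect to other port
    IncreaseScoreWithBizOrInfoUrls       = 'On'    # URL to .biz or .info websites
    MarkAsSpamEmptyMessages              = 'On'
    MarkAsSpamJavaScriptInHtml           = 'On'
    MarkAsSpamFramesInHtml               = 'On'    # Frame or iframe tags in HTML
    MarkAsSpamObjectTagsInHtml           = 'On'
    MarkAsSpamEmbedTagsInHtml            = 'On'
    MarkAsSpamFormTagsInHtml             = 'On'
    MarkAsSpamWebBugsInHtml              = 'On'
    MarkAsSpamSensitiveWordList          = 'On'
    MarkAsSpamSpfRecordHardFail          = 'On'
    MarkAsSpamFromAddressAuthFail        = 'On'    # Conditional sender ID hard fail
    MarkAsSpamNdrBackscatter             = 'On'
}

function Get-AsfDrift {
    # Returns one row per setting whose current value differs from the desired one
    param(
        [Parameter(Mandatory)] $Policy,
        [System.Collections.IDictionary] $Expected = $Desired
    )
    foreach ($name in $Expected.Keys) {
        $actual = [string]$Policy.$name          # values are Off, On or Test
        if ($actual -ne $Expected[$name]) {
            [pscustomobject]@{
                Policy   = $Policy.Name
                Setting  = $name
                Expected = $Expected[$name]
                Actual   = $actual
            }
        }
    }
}

# Check the Default policy and any custom policies in one report
$drift = Get-HostedContentFilterPolicy | ForEach-Object { Get-AsfDrift -Policy $_ }
if ($drift) { $drift | Format-Table -AutoSize } else { 'All anti-spam policies match the desired ASF settings.' }

# Remediate one policy after reviewing the report by splatting the desired values:
# Set-HostedContentFilterPolicy -Identity Default @Desired
```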

Default user role permissions

  • Users can register applications – No
  • Restrict non-admin users from creating tenants – Yes
  • Users can create security groups – No
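
The three default user role permissions above can be read and compared with Microsoft Graph PowerShell instead of the portal. This is an added example, not the page's own code; it assumes Connect-MgGraph with the Policy.Read.All scope (Policy.ReadWrite.Authorization to remediate) and uses the property names of the Graph authorizationPolicy resource's defaultUserRolePermissions.

```powershell
# Added example, not from the original page. Assumes Connect-MgGraph -Scopes Policy.Read.All
# Portal wording on the left of each comment maps to the Graph property on the left of '='.
$Desired = @{
    AllowedToCreateApps           = $false   # Users can register applications: No
    AllowedToCreateSecurityGroups = $false   # Users can create security groups: No
    AllowedToCreateTenants        = $false   # Restrict non-admin users from creating tenants: Yes
}

function Get-DefaultUserPermissionDrift {
    # Returns one row per setting that is still at a weaker value than the list above
    $perm = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions
    foreach ($name in $Desired.Keys) {
        if ($perm.$name -ne $Desired[$name]) {
            [pscustomobject]@{ Setting = $name; Expected = $Desired[$name]; Actual = $perm.$name }
        }
    }
}

Get-DefaultUserPermissionDrift | Format-Table -AutoSize

# Remediation after review (Graph expects the camelCase resource property names):
# Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
#     allowedToCreateApps = $false; allowedToCreateSecurityGroups = $false; allowedToCreateTenants = $false }
```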

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation?ocid=magicti_ta_learndoc Continuous Access Evaluation

Protect from AiTM / MitM attacks? Passwordless?

https://jeffreyappel.nl/protect-against-aitm-mfa-phishing-attacks-using-microsoft-technology

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-system-preferred-multifactor-authentication

Show application name in push and passwordless notifications – Enabled

Show geographic location in push and passwordless notifications – Enabled

Configure how users consent to applications

Disable third-party & custom apps
