{"id":3463,"date":"2018-07-17T06:42:28","date_gmt":"2018-07-17T06:42:28","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=3463"},"modified":"2026-03-11T23:14:45","modified_gmt":"2026-03-11T23:14:45","slug":"365-standards","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/365-standards","title":{"rendered":"365 Standards\\Best Practices"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">CIS -&gt; ***<a href=\"https:\/\/www.cisecurity.org\/benchmark\/microsoft_365\">https:\/\/www.cisecurity.org\/benchmark\/microsoft_365<\/a>***<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.msb365.blog\/?p=5832\">https:\/\/www.msb365.blog\/?p=5832<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/microsoft\/zerotrustassessment\">GitHub &#8211; microsoft\/zerotrustassessment: Repository for the Zero Trust Assessment project<\/a><\/p>\n\n\n\n<p><strong>Maester<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/seanmcavinue.net\/2024\/08\/29\/validate-the-security-of-your-microsoft-cloud-environment-with-maester\/\">Validate The Security Of Your Microsoft Cloud Environment With Maester \u2013 Sean McAvinue<\/a><\/p>\n\n\n\n<p><strong>Tenant Level Checking<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-entra-blog\/public-preview-token-protection-for-sign-in-sessions\/ba-p\/3815756\">https:\/\/techcommunity.microsoft.com\/t5\/microsoft-entra-blog\/public-preview-token-protection-for-sign-in-sessions\/ba-p\/3815756<\/a><\/li>\n\n\n\n<li>Check 2FA is enabled for all staff<\/li>\n\n\n\n<li>Set-OrganizationConfig -AutoEnableArchiveMailbox $true<\/li>\n\n\n\n<li>Windows Update Status -&gt; <a href=\"https:\/\/www.burgerhout.org\/enable-windows-update-for-business-reports\/\">Enable Windows Update for Business Reports (burgerhout.org)<\/a><\/li>\n\n\n\n<li>Retention Logs &#8211; <a 
href=\"https:\/\/pariswells.com\/blog\/research\/365-audit-log-retention-everything-for-1-year\/\">https:\/\/pariswells.com\/blog\/research\/365-audit-log-retention-everything-for-1-year\/<\/a> ( Only Exchange \\ AD \\ OneDrive \\ SharePoint by default )<\/li>\n\n\n\n<li><a href=\"https:\/\/blog.ciaops.com\/2025\/01\/18\/checking-your-environment-for-oversharing\/\">https:\/\/blog.ciaops.com\/2025\/01\/18\/checking-your-environment-for-oversharing\/<\/a><\/li>\n\n\n\n<li>BYOD Policy <a href=\"https:\/\/tminus365.com\/how-to-secure-access-on-personal-devices-across-your-customers\/\">How to secure access on personal devices across your customers &#8211; (tminus365.com)<\/a><\/li>\n\n\n\n<li>Is https:\/\/config.office.com\/ being used? OneDrive Sync health \\ update policies<\/li>\n\n\n\n<li>Correct licensing ( no extra licenses that are not applied )<\/li>\n\n\n\n<li>Conditional Access : <a href=\"https:\/\/tminus365.com\/your-conditional-access-policies-suck\/\">https:\/\/tminus365.com\/your-conditional-access-policies-suck\/<\/a> &#8211; <a href=\"https:\/\/github.com\/aollivierre\/ConditionalAccess\">GitHub &#8211; aollivierre\/ConditionalAccess: This repository contains a comprehensive set of Conditional Access (CA) policies and PowerShell management tools for Microsoft Entra ID (formerly Azure AD), designed to enhance your organization&#8217;s security posture while maintaining usability.<\/a><\/li>\n\n\n\n<li>If Azure AD is set up for password sync, make sure passwords cannot be changed in 365 if they don\u2019t have Azure AD P1<\/li>\n\n\n\n<li><a href=\"https:\/\/blog.admindroid.com\/privileged-access-management-in-microsoft-365\/\">Privileged Access Management in Microsoft 365 (admindroid.com)<\/a> PAM <\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/id-governance\/privileged-identity-management\/pim-configure\">What is Privileged Identity Management? 
&#8211; Microsoft Entra ID Governance | Microsoft Learn<\/a> PIM <\/li>\n\n\n\n<li><a href=\"https:\/\/pariswells.com\/blog\/research\/windows-defender-best-practice\" title=\"Check Defender Endpoint Best Practice\">Check Defender Endpoint Best Practice<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/office365itpros.com\/2021\/03\/11\/external-email-tagging-exo\/\">https:\/\/office365itpros.com\/2021\/03\/11\/external-email-tagging-exo\/<\/a><\/li>\n\n\n\n<li>365 has email filtering inbound and outbound<\/li>\n\n\n\n<li>SPF should end with -all<\/li>\n\n\n\n<li>Break Glass Account &#8211; <a href=\"https:\/\/tminus365.com\/best-practices-for-break-glass-accounts\/\">Best Practices for Break Glass Accounts &#8211; (tminus365.com)<\/a><\/li>\n\n\n\n<li>https:\/\/office365itpros.com\/2021\/07\/20\/block-self-service-purchases-of-windows-365-licenses\/<\/li>\n\n\n\n<li>Branding the login page to stop phishing attacks<\/li>\n\n\n\n<li>Outbound and inbound spam policies should be enabled for Defender 365<\/li>\n\n\n\n<li>Safety Tips in Emails &#8211; <a href=\"https:\/\/blog.admindroid.com\/enable-first-contact-safety-tip\/\">Enable First Contact Safety Tip for Exchange Online (admindroid.com)<\/a><\/li>\n\n\n\n<li>DKIM: rotate keys at least every six months, with a minimum 2048-bit key<\/li>\n\n\n\n<li>DMARC records ( set to None if no reporting ) ( Vali for DMARC )<\/li>\n\n\n\n<li>365 Backup and Continuity ( Mimecast and Veeam )<\/li>\n\n\n\n<li>Technical contact is correct and notifications are set for service outages<\/li>\n\n\n\n<li>Global litigation hold<\/li>\n\n\n\n<li>Check mailbox auditing<\/li>\n\n\n\n<li>https:\/\/ourcloudnetwork.com\/limit-local-administrators-on-microsoft-entra-joined-devices\/<\/li>\n\n\n\n<li>Risky users<\/li>\n\n\n\n<li>Check Configuration Analyzer: https:\/\/security.microsoft.com\/configurationAnalyzer<\/li>\n\n\n\n<li>E5: have they run the Attack simulation training?<\/li>\n\n\n\n<li><em>Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default 
-AdditionalStorageProvidersAvailable $false<\/em><\/li>\n\n\n\n<li>Azure AD Logs 90 days ( E5 license for 1 Year ) <\/li>\n\n\n\n<li>Retention Policy \u2013&nbsp;Get-RetentionPolicy ( Make sure there\u2019s a tenant retention policy if the license admits one )<\/li>\n\n\n\n<li>Check there is no retention policy hold ( otherwise archive won\u2019t work ): Get-Mailbox -ResultSize unlimited | Where-Object {$_.RetentionHoldEnabled -eq $true} | Format-Table Name,RetentionPolicy,RetentionHoldEnabled -Auto<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deleted items retention \u2013 Get-Mailbox * | Where-Object {$_.RetainDeletedItemsFor -lt 30} | Format-Table Name ( increase Deleted Items retention from 14 days to 30 days )<\/li>\n\n\n\n<li>Run the Secure Score in O365 \u2013 https:\/\/securescore.microsoft.com\/ (\u00a0https:\/\/support.office.com\/en-us\/article\/how-to-check-office-365-service-health-932ad3ad-533c-418a-b938-6e44e8bc33b0 ? )<br><br>https:\/\/github.com\/directorcia\/Office365\/blob\/master\/Analysis\/Secure%20Score\/o365-secure-score-extract.ps1<\/li>\n\n\n\n<li>Identity Secure Score as well<\/li>\n\n\n\n<li>Check modern auth is enabled on Exchange Online: Get-OrganizationConfig | Format-Table Name,OAuth* -Auto<\/li>\n\n\n\n<li>Check and report on any email forwarders -&gt; https:\/\/gcits.com\/knowledge-base\/find-external-forwarding-mailboxes-office-365-customer-tenants-powershell\/<\/li>\n\n\n\n<li>Check for any Flows set up \u2013 you will need to create a flow in Microsoft Flow under the domain account to search out flows and check them \u2013 disabling any that forward email, or alerting a domain admin<\/li>\n\n\n\n<li>Check OAuth \u2013 audit the OAuth applications on the domain if you didn\u2019t have the first step locked down, via:&nbsp;<a href=\"https:\/\/aad.portal.azure.com\/#blade\/Microsoft_AAD_IAM\/StartboardApplicationsMenuBlade\/AppAppsPreview\" target=\"_blank\" rel=\"noreferrer 
noopener\">https:\/\/aad.portal.azure.com\/#blade\/Microsoft_AAD_IAM\/StartboardApplicationsMenuBlade\/AppAppsPreview<\/a>&nbsp;( this is as close as you can get to the M365 Microsoft Cloud App Security portal ) and revoke anything that shouldn\u2019t be there<br>Get-MsolCompanyInformation | Select DisplayName, UsersPermissionToUserConsentToAppEnabled<\/li>\n\n\n\n<li>Enable Zero-Hour Auto Purge for anti-spam and anti-malware<\/li>\n\n\n\n<li>Check Spam Policy (&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/office-365-security\/recommended-settings-for-eop-and-office365-atp?view=o365-worldwide\">https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/office-365-security\/recommended-settings-for-eop-and-office365-atp?view=o365-worldwide<\/a>&nbsp;)\n<ul class=\"wp-block-list\">\n<li>Image links to remote sites =&nbsp;<strong>OFF<\/strong><\/li>\n\n\n\n<li>Numeric IP addresses =&nbsp;<strong>ON<\/strong><\/li>\n\n\n\n<li>URL redirect to other port =&nbsp;<strong>ON<\/strong><\/li>\n\n\n\n<li>URL to .biz or .info websites =&nbsp;<strong>ON<\/strong><\/li>\n\n\n\n<li>Empty messages =&nbsp;<strong>ON<\/strong><\/li>\n\n\n\n<li>JavaScript or VBScript in HTML =&nbsp;<strong>ON<\/strong><\/li>\n\n\n\n<li>Frame or iFrame tags in HTML =&nbsp;<strong>ON<\/strong><\/li>\n\n\n\n<li>Object tags in HTML =&nbsp;<strong>ON<\/strong><\/li>\n\n\n\n<li>Embed tags in HTML =&nbsp;<strong>ON<\/strong><\/li>\n\n\n\n<li>Form tags in HTML =&nbsp;<strong>ON<\/strong><\/li>\n\n\n\n<li>Web bugs in HTML =&nbsp;<strong>ON<\/strong><\/li>\n\n\n\n<li>Apply sensitive word list =&nbsp;<strong>ON<\/strong><\/li>\n\n\n\n<li>SPF record hard fail =&nbsp;<strong>ON<\/strong><\/li>\n\n\n\n<li>Conditional sender ID hard fail =&nbsp;<strong>ON<\/strong><\/li>\n\n\n\n<li>NDR backscatter =&nbsp;<strong>ON<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Check to see if SMTP basic authentication in O365 has been disabled &#8211; <a 
href=\"https:\/\/www.joeyverlinden.com\/disable-smtp-authentication-in-exchange-online\/\">Disable SMTP Authentication in Exchange Online! &#8211; Joey Verlinden<\/a><\/li>\n\n\n\n<li>Check Conditional Access for other basic auth ( does not cover SMTP )<\/li>\n\n\n\n<li>Make sure there is an onmicrosoft.com administrator account documented in case anything goes wrong with AD Connect sync<\/li>\n\n\n\n<li>Teams : <a href=\"https:\/\/blog.admindroid.com\/microsoft-teams-security-best-practices\/\">Microsoft Teams Security Best Practices (admindroid.com)<\/a> or https:\/\/tminus365.com\/how-to-secure-microsoft-teams-top-tips\/<\/li>\n\n\n\n<li><a href=\"https:\/\/www.reddit.com\/r\/Office365\/comments\/18yjljh\/cleanup_unused_azuread_enterprise_applications\/\">https:\/\/www.reddit.com\/r\/Office365\/comments\/18yjljh\/cleanup_unused_azuread_enterprise_applications\/<\/a><\/li>\n\n\n\n<li>Disable users being able to install 3rd-party plugins :&nbsp;<strong>Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false<\/strong><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-6.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"550\" src=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-6-1024x550.png\" alt=\"\" class=\"wp-image-7397 img-responsive\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-6-1024x550.png 1024w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-6-300x161.png 300w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-6-768x412.png 768w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-6.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-7.png\"><img 
loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"568\" src=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-7-1024x568.png\" alt=\"\" class=\"wp-image-7398 img-responsive\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-7-1024x568.png 1024w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-7-300x167.png 300w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-7-768x426.png 768w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-7-1536x852.png 1536w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-7.png 1609w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Default user role permissions<\/h3>\n\n\n\n<p>Users can register applications&nbsp;<strong>No<\/strong><\/p>\n\n\n\n<p>Restrict non-admin users from creating tenants&nbsp;<strong>Yes<\/strong><\/p>\n\n\n\n<p>Users can create security groups&nbsp;<strong>No<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/02\/image-7.png\"><img loading=\"lazy\" decoding=\"async\" width=\"905\" height=\"493\" src=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/02\/image-7.png\" alt=\"\" class=\"wp-image-6713 img-responsive\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/02\/image-7.png 905w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/02\/image-7-300x163.png 300w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/02\/image-7-768x418.png 768w\" sizes=\"auto, (max-width: 905px) 100vw, 905px\" \/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-8.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"610\" 
src=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-8-1024x610.png\" alt=\"\" class=\"wp-image-7402 img-responsive\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-8-1024x610.png 1024w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-8-300x179.png 300w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-8-768x458.png 768w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-8.png 1515w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-9.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"520\" src=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-9-1024x520.png\" alt=\"\" class=\"wp-image-7404 img-responsive\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-9-1024x520.png 1024w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-9-300x152.png 300w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-9-768x390.png 768w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/10\/image-9.png 1325w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/conditional-access\/concept-continuous-access-evaluation?ocid=magicti_ta_learndoc\">https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/conditional-access\/concept-continuous-access-evaluation?ocid=magicti_ta_learndoc<\/a> Continuous Access Evaluation <\/p>\n\n\n\n<p><strong>Protect from MiTM Attacks?<\/strong> PasswordLess? 
<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-jeffrey-appel-microsoft-security-blog wp-block-embed-jeffrey-appel-microsoft-security-blog\"><div class=\"wp-block-embed__wrapper\">\nhttps:\/\/jeffreyappel.nl\/protect-against-aitm-mfa-phishing-attacks-using-microsoft-technology\n<\/div><\/figure>\n\n\n\n<p>https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/authentication\/concept-system-preferred-multifactor-authentication<\/p>\n\n\n\n<p>Show application name in push and passwordless notifications &#8211; Enabled<\/p>\n\n\n\n<p>Show geographic location in push and passwordless notifications &#8211; Enabled<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/manage-apps\/configure-user-consent?pivots=portal\">Configure how users consent to applications<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/office-365-security\/step-by-step-guides\/reducing-attack-surface-in-microsoft-teams?view=o365-worldwide#disabling-third-party--custom-apps\">Disabling Third-party &amp; custom apps<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CIS -&gt; ***https:\/\/www.cisecurity.org\/benchmark\/microsoft_365*** https:\/\/www.msb365.blog\/?p=5832 GitHub &#8211; microsoft\/zerotrustassessment: Repository for the Zero Trust Assessment project Maester Validate The Security Of Your Microsoft Cloud Environment With Maester \u2013 Sean 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1206,3213,3215,1176,3214],"class_list":["post-3463","post","type-post","status-publish","format-standard","hentry","category-research","tag-1206","tag-365-best-practice","tag-policys","tag-smtp","tag-standards"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/3463","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=3463"}],"version-history":[{"count":64,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/3463\/revisions"}],"predecessor-version":[{"id":9483,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/3463\/revisions\/9483"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=3463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=3463"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=3463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}