M365 Enforced Settings Wishlist
William MacFee
Entra ID
o Account passwords never expire
o Audit logs always on
o Do not allow third party integrated applications
o Enable Multifactor Authentication (MFA) either via Security Defaults or Conditional Access Policies when available
Exchange
o Block “bad” file extension attachments (.ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, and .vbs)
o Display external tag
o Restrict calendar details sharing to authenticated only
o Remove Exchange scripting (PowerShell) access from non-admin accounts
o Flag phishing emails using tenant domain or staff name
o Mailbox audit logs always-on
o Microsoft 365 can remove dangerous emails/files from inbox
o Outbound spam notifications for users sending spam to alerts@systemsupport.com
o Client rules forwarding if the Client has no business need for forwarding. If it cannot be globally applied via Office Protect, specific forwarding rules are created within the Microsoft 365 tenant for all other users.
Teams
o Block 3rd party cloud storage
o Block custom apps that are not in the Teams App Marketplace
o Control guest access
SharePoint
o Block guests from sharing content
o Disable anonymous sharing to where all guests sharing