Microsoft 365 Security: The Zero Trust Checklist
Modern security is no longer about perimeter defense. With remote work and cloud-native infrastructure, the default assumption must be that any request could be a breach attempt.
Here is the operational checklist we use to secure Microsoft 365 tenants under a Zero Trust model.
1. Identity & Access Control (Priority 1)
- Enforce Phishing-Resistant MFA: Move away from SMS and phone call verification. Require the Microsoft Authenticator app (with number matching) or FIDO2 security keys for all users.
- Implement Conditional Access Policies:
- Block access from unsupported platforms and legacy clients.
- Require compliant or hybrid Azure AD joined devices for accessing sensitive corporate data.
- Enforce risk-based sign-in policies using Microsoft Entra ID Protection.
- Disable Legacy Authentication: Block legacy protocols (IMAP, POP3, SMTP Auth) completely. Legacy authentication bypasses MFA requirements.
2. Device Security & Compliance
- Enroll Devices in Intune: Set up mobile device management (MDM) and mobile application management (MAM) policies.
- Establish Device Compliance Policies: Ensure that only devices with active antivirus, enabled firewalls, and up-to-date operating systems can access corporate resources.
- Enforce BitLocker Encryption: Require full-disk encryption for all Windows and macOS endpoints.
3. Data Protection & Loss Prevention (DLP)
- Configure Sensitivity Labels: Automatically label and encrypt documents containing sensitive information (SSNs, credit card numbers, trade secrets).
- Implement Data Loss Prevention (DLP) Policies: Restrict users from sharing sensitive data externally via Teams, SharePoint, or Exchange.
- Restrict External Sharing in SharePoint/Teams: Set default sharing links to "People in your organization" and require authentication for external guest access.
4. Threat Protection & Monitoring
- Enable Defender for Office 365: Configure Safe Links and Safe Attachments policies to scan incoming emails and documents in real-time.
- Activate Microsoft 365 Unified Audit Logging: Ensure logging is turned on so you have historical data for security incident investigation.
- Set Alert Policies for Suspicious Activities: Alert on mass file downloads, unusual admin creations, and anomalous logins.