Technical Deep Dive

Microsoft 365 Security: The Zero Trust Checklist

Modern security is no longer about perimeter defense. With remote work and cloud-native infrastructure, the default assumption must be that any request could be a breach attempt.

Here is the operational checklist we use to secure Microsoft 365 tenants under a Zero Trust model.

1. Identity & Access Control (Priority 1)

  • Enforce Phishing-Resistant MFA: Move away from SMS and phone call verification. Require the Microsoft Authenticator app (with number matching) or FIDO2 security keys for all users.
  • Implement Conditional Access Policies:
    • Block access from unsupported platforms and legacy clients.
    • Require compliant or hybrid Azure AD joined devices for accessing sensitive corporate data.
    • Enforce risk-based sign-in policies using Microsoft Entra ID Protection.
  • Disable Legacy Authentication: Block legacy protocols (IMAP, POP3, SMTP Auth) completely. Legacy authentication bypasses MFA requirements.

2. Device Security & Compliance

  • Enroll Devices in Intune: Set up mobile device management (MDM) and mobile application management (MAM) policies.
  • Establish Device Compliance Policies: Ensure that only devices with active antivirus, enabled firewalls, and up-to-date operating systems can access corporate resources.
  • Enforce BitLocker Encryption: Require full-disk encryption for all Windows and macOS endpoints.

3. Data Protection & Loss Prevention (DLP)

  • Configure Sensitivity Labels: Automatically label and encrypt documents containing sensitive information (SSNs, credit card numbers, trade secrets).
  • Implement Data Loss Prevention (DLP) Policies: Restrict users from sharing sensitive data externally via Teams, SharePoint, or Exchange.
  • Restrict External Sharing in SharePoint/Teams: Set default sharing links to "People in your organization" and require authentication for external guest access.

4. Threat Protection & Monitoring

  • Enable Defender for Office 365: Configure Safe Links and Safe Attachments policies to scan incoming emails and documents in real-time.
  • Activate Microsoft 365 Unified Audit Logging: Ensure logging is turned on so you have historical data for security incident investigation.
  • Set Alert Policies for Suspicious Activities: Alert on mass file downloads, unusual admin creations, and anomalous logins.

Found this helpful?

Get your own technical audit and fix your infrastructure for good.