Remediation DeploymentEnterprise

Block legacy authentication protocols

Configure sign-in risk Conditional Access policy

Configure user-risk Conditional Access policy

Block legacy auth endpoints at the authentication methods policy

Block external mail auto-forwarding org-wide

Extend Unified Audit Log retention to 12 months

Enable Conditional Access for SharePoint access by unmanaged devices

Block iCloud keychain sync on corporate iOS devices

Review access privileges via Access Reviews

Require MFA for Global Administrator sign-ins

Require MFA for Exchange Administrator sign-ins

Require MFA for SharePoint Administrator sign-ins

Require MFA for Teams Administrator sign-ins

Require MFA for Compliance Administrator sign-ins

Require MFA for Security Administrator sign-ins

Enforce Conditional Access for unmanaged devices

Block authentication from anonymous IP ranges

Require compliant device for privileged role activation

Enforce maximum sign-in frequency for privileged sessions

Require password change on high user risk

Disable self-service sign-up for guest users

Enforce guest user access review cadence

Restrict guest user invitation to specific admin roles

Require admin approval for app consent requests

Block unmanaged browser access to SharePoint and OneDrive

Enforce sign-in session lifetime for browser-based access

Block legacy POP3 authentication to mailboxes

Block legacy IMAP authentication to mailboxes

Block legacy SMTP AUTH authentication

Block authentication attempts from countries not on allowlist

Require number matching for Microsoft Authenticator push

Disable SMS as a primary authentication method

Disable voice call as a primary authentication method

Enforce Authenticator app for passwordless sign-in

Enforce FIDO2 security keys for privileged users

Require temporary access passes to expire within 24 hours

Configure password protection banned-password list

Require on-premises password protection agent

Enforce authenticator app lockout policy

Configure privileged access workstations for tier-0 admins

Require compliant device for admin access to Microsoft 365 admin center

Configure named locations for trusted IP ranges

Require MFA for external partner tenant access (B2B)

Disable cross-tenant inbound B2B invitations by default

Enforce persistent browser sessions off for unmanaged devices

Configure Identity Protection weekly digest to Security Operations

Investigate every flagged-for-review sign-in within 24 hours

Route Identity Protection alerts to the SIEM

Enforce just-in-time access for Exchange Administrator role

Enforce just-in-time access for Global Reader role

Enforce maximum eligible assignment duration for privileged roles

Require approval workflow for privileged role activation

Notify role administrators on privileged role assignment changes

Require justification for privileged role activation

Configure activation notification recipients for all privileged roles

Require MFA for Global Administrator sign-ins

Require MFA for Exchange Administrator sign-ins

Require MFA for SharePoint Administrator sign-ins

Require MFA for Teams Administrator sign-ins

Require MFA for Compliance Administrator sign-ins

Require MFA for Security Administrator sign-ins

Enforce Conditional Access for unmanaged devices

Block authentication from anonymous IP ranges

Require compliant device for privileged role activation

Enforce maximum sign-in frequency for privileged sessions

Disable self-service sign-up for guest users

Enforce guest user access review cadence

Restrict guest user invitation to specific admin roles

Prohibit user consent to unverified publisher apps

Require admin approval for app consent requests

Block unmanaged browser access to SharePoint and OneDrive

Block legacy POP3 authentication to mailboxes

Block legacy IMAP authentication to mailboxes

Block legacy SMTP AUTH authentication

Require MFA for SharePoint Administrator sign-ins

Disable self-service sign-up for guest users

Require device lock password policy on Android

Enforce firewall policy on Windows endpoints

Restrict local administrator accounts on Windows

Restrict cut-copy-paste outside managed apps

Require BitLocker encryption on Windows endpoints

Require FileVault encryption on macOS endpoints

Require biometric authentication for mobile devices

Block personal OneDrive sync on corporate Windows

Require Windows Update for Business ring assignment

Block external USB storage on corporate devices

Deploy Microsoft Edge baseline security profile

Configure app configuration policy for Edge (managed)

Block personal iCloud drive on corporate iOS

Require device lock password policy on Android

Block personal OneDrive sync on corporate Windows

Enforce Microsoft Defender for Endpoint on macOS devices

Block external USB storage on corporate devices

Deploy Microsoft Edge baseline security profile

Deploy Office 365 app baseline security profile

Restrict local administrator accounts on Windows

Enable mailbox audit logging on all mailboxes

Configure mailbox audit actions to log admin and delegate activity

Restrict calendar sharing to internal users only

Configure SPF hard-fail for all accepted domains

Configure DMARC with p=reject for all accepted domains

Disable Basic Auth for POP3 at mailbox level

Disable EWS (Exchange Web Services) legacy auth

Block mail forwarding to external domains by transport rule

Require quarantine on detected malware attachments

Configure Safe Attachments policy for all recipients

Configure Safe Links policy with click-time protection

Enable anti-phishing policy with impersonation protection

Enable spoofing prevention for hybrid deployments

Enforce litigation hold retention for 365 days minimum

Enforce retention policy on Exchange mailboxes

Configure mail flow rule to append external-sender banner

Restrict external direct-send relay via receive connectors

Configure mailbox audit actions to log admin and delegate activity

Require MFA for Exchange administrators

Configure DKIM signing for all accepted domains

Configure SPF hard-fail for all accepted domains

Configure DMARC with p=reject for all accepted domains

Disable Basic Auth for POP3 at mailbox level

Disable Basic Auth for SMTP AUTH at mailbox level

Disable Exchange ActiveSync legacy authentication

Disable EWS (Exchange Web Services) legacy auth

Block automatic mail forwarding at mailbox level

Configure Safe Attachments policy for all recipients

Enable anti-phishing mailbox intelligence

Block authentication from high-risk IP ranges

Disable PowerShell remote connections for non-admin mailboxes

Restrict mailbox delegation to approved roles

Restrict external direct-send relay via receive connectors

Enable Unified Audit Log tenant-wide

Disable anonymous calendar sharing

Disable Basic Auth for POP3 at mailbox level

Disable Basic Auth for SMTP AUTH at mailbox level

Disable OAB (Offline Address Book) legacy auth

Restrict anti-malware bypass list to approved senders

Require lobby admission for external meeting participants

Enable Safe Links scanning in Teams messages

Disable Teams guest access tenant-wide when not needed

Block screen sharing from anonymous meeting participants

Block Teams live events creation to approved producers only

Enable DLP policy for Teams chats and channels

Configure Teams data residency for in-region tenants

Restrict Teams federation to allow-listed domains

Disable recording for anonymous meeting participants

Restrict recording transcription to organizers and presenters

Block consumer OneDrive access in Teams channels

Restrict guest access to specific team channels

Disable Teams guest access tenant-wide when not needed

Block Teams live events creation to approved producers only

Enable communication compliance policy for Teams

Enable DLP policy for Teams chats and channels

Configure Teams data residency for in-region tenants

Enable anti-phishing impersonation protection for VIPs

Configure DKIM alignment enforcement

Enable automatic investigation and remediation (AIR)

Configure email authentication alert rule to SOC

Enable Attack Simulation Training user outcome tracking

Configure Explorer search persistent queries for IR

Enable Defender for Office 365 Plan 2 AIR investigations

Configure spam confidence level thresholds

Enable automated investigation for URL compromises

Configure incident response playbook for mailbox takeover

Configure incident response playbook for BEC attempts

Enable standard preset security policy for all users

Enable anti-phishing impersonation protection for VIPs

Configure DKIM alignment enforcement

Enable Defender for Cloud Apps integration with Defender

Enable Defender for Identity integration with Entra ID

Configure spam confidence level thresholds

Enable bulk complaint level (BCL) filtering

Enable intra-organization spoof protection

Enable external-sender tagging in Outlook

Disable SharePoint App Catalog self-service

Require expiration dates on anonymous share links