The checklist
The Microsoft 365 security best practices that actually matter
Every Microsoft 365 hardening list contains a hundred items of equal apparent weight. This one is different: ten checks in priority order, chosen because their absence keeps appearing in real UK tenant compromises. Each one tells you what to check, why it matters and how to verify it, and the whole thing ships as a free PDF.
The checklist as a working PDF
Tick boxes, verification steps and an owner column per item. No email wall, no registration: it is more useful to us in your hands than in a funnel.
Enforce MFA for every user through Conditional Access
Why it matters: Stolen passwords are the entry point for most tenant compromises; enforced MFA defeats the plain credential attack outright.
How to verify: Entra admin centre > Conditional Access: a policy requiring MFA for all users, all apps, with only a break-glass exclusion. Registration alone is not enforcement.
Block legacy authentication protocols
Why it matters: IMAP, POP and SMTP basic auth ignore MFA entirely, which is why password-spray attacks target them first.
How to verify: A Conditional Access policy blocking legacy authentication clients, and sign-in logs filtered to legacy protocols showing no successful entries.
Cut Global Administrator accounts to five or fewer
Why it matters: Every additional global admin is another account whose compromise means total tenant loss. CIS recommends two to four plus emergency access.
How to verify: Entra roles: count Global Administrator assignments; each must be a named person with a reason, plus one documented break-glass account.
Turn on unified audit logging and mailbox auditing
Why it matters: Without the logs there is no investigation, only guesswork. This is the finding that turns incidents into unanswerable questions.
How to verify: Purview compliance portal > Audit: search enabled and returning events; Get-Mailbox reporting AuditEnabled true for all user mailboxes.
Disable or govern automatic email forwarding
Why it matters: Silent forwarding rules to external addresses are the classic persistence trick in business email compromise cases.
How to verify: Exchange admin centre: outbound spam policy blocks auto-forwarding, and a transport rule report shows no unexplained external forwards.
Require admin consent for new app registrations
Why it matters: OAuth consent phishing grants an attacker durable, MFA-proof access through an app your user approved in one click.
How to verify: Entra > Enterprise applications > Consent settings: user consent disabled or restricted to verified publishers with the admin consent workflow on.
Restrict anonymous and company-wide sharing links
Why it matters: Anyone-links turn a single misjudged share into public exposure of client data; defaults matter more than policy documents.
How to verify: SharePoint admin centre: external sharing at the most restrictive workable level, default link type set to specific people.
Govern guest access with expiry and reviews
Why it matters: Guests accumulate: every finished project leaves accounts with live access to your Teams and files.
How to verify: Entra > External identities: guest invite settings restricted, access reviews scheduled, and last quarter's review actually completed.
Deploy the anti-phishing stack you already own
Why it matters: Safe Links, Safe Attachments and impersonation protection ship with Business Premium and above; unconfigured, they protect nobody.
How to verify: Defender portal > Email & collaboration policies: preset security policies applied, or custom policies covering all recipients.
Set retention before you need it
Why it matters: Deleted evidence and unrecoverable mailboxes both trace back to retention decisions nobody made.
How to verify: Purview > Data lifecycle management: retention policies covering Exchange, SharePoint and OneDrive with periods your legal team recognises.
After the ten
Where the checklist stops and assessment starts
These ten checks close the doors attackers use most. What they cannot do is read your tenant in context: which of the several hundred remaining settings matter for how your business uses Microsoft 365, where your sensitive data actually sits, and which findings deserve next week versus next quarter. That judgement is the assessment.
If you work through the PDF and want the expert pass over everything else, the published pricing means you already know what it costs.
Quick answers
Checklist questions, answered
Where does this checklist come from?
It is the priority slice of what our consultants check in real assessments, ordered by which misconfigurations feature in actual UK tenant compromises. Every item maps to the CIS Microsoft 365 Foundations Benchmark and to Microsoft's own security defaults and baselines.
Is the downloadable PDF the same as this page?
Same ten checks, formatted as a working document: tick boxes, the verification steps and space for owner and date per item. No registration wall; take it and use it.
If we complete all ten, is the tenant secure?
It is dramatically better defended than most, and you will have closed the doors used in the majority of real cases. A full assessment goes further: several hundred settings, your specific data exposure, and the findings a checklist cannot see because they need context.
Does 'tenant hardening' mean the same as best practices?
Hardening is the doing: changing configuration to reduce attack surface. Best practices are the target state. This page is the target state with verification steps; the remediation phase after an assessment is hardening with a priority order and a safety net.
Ten down, the rest to go
Let an expert take it from here
Book a free 45 minute scoping call and find out what an assessment of your full tenant would check, cost and deliver.