28.8 C
Dubai
Tuesday, December 6, 2022

Microsoft 365 Deployment Settings Check List

Microsoft 365 High-level deployment settings check List for Architects and Optimization teams: It covers many topics and requires extensive knowledge of various technologies before configuring them. Please do the appropriate research before changing any settings in a production tenant. It also requires various licenses to utilize some of the features part of the deployment settings.

  • Microsoft 365 Organization Profile Branding – In Admin Microsoft Portal
  • Enabling Combined Registration – Ignore for new tenants
  • Restricting Users from creating Azure AD Tenants
    Users can create Azure AD Tenants – Set to NO.
  • Enable Multifactor authentication registration policy
  • Restricting users joining their Personal Devices to Azure AD
  • Moving Coexistence Mode from Islands to Teams Only
  • Allowing Admin Roles to Invite Guests to have SSO for External Users added to Azure AD IAM
  • Enable Admin Consent Requests with Reviewers – For Application Consents
  • Enabling Integration with Defender to Endpoint Manager to Test Defender Onboarding from endpoint manager
  • Configure Conditional Access

  • CA001: Require multifactor authentication for admins
  • CA002: Securing security info registration
  • CA003: Block legacy authentication
  • CA004: Require multifactor authentication for all users
  • CA005: Require multifactor authentication for guest access
  • CA006: Require multifactor authentication for Azure management
  • CA007: Require multifactor authentication for risky sign-ins
  • CA008: Require password change for high-risk users
  • CA009: Require compliant or hybrid Azure AD joined device for admins
  • CA010: Block access for unknown or unsupported device platform
  • CA011: No persistent browser session
  • CA012: Require approved client apps and app protection
  • CA013: Require compliant or hybrid Azure AD joined device or multifactor authentication for all users
  • CA014: Use application enforced restrictions for unmanaged devices

with Devices based Conditional Access.

  • Enable Intune Advanced Features
  • Idle Session Timeout
  • Enable Self-Service Password Reset
  • Configure Authentication methods for reset
  • Configure Service Desk Link or email
  • Enable DKIM for your domain
  • DMARC Sample Record
TXT _dmarc "v=DMARC1; p=reject; pct=100; fo=1;rua=mailto:dmarc@azure365pro.com; ruf=mailto:dmarc@azure365pro.com"
  • Device Clean Up Rules

Delete devices based on last check-in date – Yes
Delete devices that haven’t checked in for this many days – 180

  • Security Setting Management

Allow security settings in Microsoft Endpoint Manager (MEM) to be enforced by Microsoft Defender for Endpoint (MDE).
This configuration setting will apply to devices not yet enrolled in Microsoft Endpoint Manager.
You’ll need to turn on the integration in Microsoft Defender for Endpoint connector settings under Microsoft Endpoint Manager.”

Use MDE (Microsoft Defender for Endpoint) to enforce security settings from MEM (Microsoft Endpoint Manager)
So that Servers and Client Policies can be managed from MEM (Microsoft Endpoint Manager) and not from SCCM

Setting Deletion Threshold on Azure AD Connect

It’s wise to reduce your Azure AD Connect deletion threshold from 500 to 50. suppose your total user base is from 3000 to 5000 users. So that you are Cloud environment is unaffected when something worse happens on your on-premises Active Directory.

The default value is 500.

Get-ADSyncExportDeletionThreshold
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 50

if the action is intentional.

Disable-ADSyncExportDeletionThreshold

  • Add Anti-Phishing Policy

https://security.microsoft.com/antiphishing

Satheshwaran Manoharan
Satheshwaran Manoharanhttps://www.azure365pro.com
Specialized in Microsoft Azure - Office 365 / Microsoft Exchange; conducted numerous projects worldwide in designing, supporting, and implementing messaging and virtualization infrastructure for medium-sized and large enterprises. Further, I am a Cloud Architect and Technical Advisor for various start-ups.

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

× How can I help you?