Thursday, August 11, 2022

Microsoft 365 Deployment Settings Check List

This is a high-level Microsoft 365 deployment settings checklist for architects and optimization teams. It covers many topics and requires extensive knowledge of the underlying technologies before they are configured, so please do the appropriate research before changing any setting in a production tenant. Some of the features in this checklist also require specific licenses.

  • Microsoft 365 Organization Profile Branding – In Admin Microsoft Portal
  • Enabling Combined Registration – Ignore for new tenants
  • Enable Multifactor authentication registration policy
  • Restricting users joining their Personal Devices to Azure AD
  • Moving Coexistence Mode from Islands to Teams Only
  • Allowing Admin Roles to Invite Guests to have SSO for External Users added to Azure AD IAM
  • Enable Admin Consent Requests with Reviewers – For Application Consents
  • Enabling the Defender for Endpoint integration with Endpoint Manager to test Defender onboarding from Endpoint Manager
  • Configure Conditional Access

  • CA001: Require multifactor authentication for admins
  • CA002: Securing security info registration
  • CA003: Block legacy authentication
  • CA004: Require multifactor authentication for all users
  • CA005: Require multifactor authentication for guest access
  • CA006: Require multifactor authentication for Azure management
  • CA007: Require multifactor authentication for risky sign-ins
  • CA008: Require password change for high-risk users
  • CA009: Require compliant or hybrid Azure AD joined device for admins
  • CA010: Block access for unknown or unsupported device platform
  • CA011: No persistent browser session
  • CA012: Require approved client apps and app protection
  • CA013: Require compliant or hybrid Azure AD joined device or multifactor authentication for all users
  • CA014: Use application enforced restrictions for unmanaged devices

These policies are deployed together with device-based Conditional Access.
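As an added example (not code from the original post), the CA003 policy from the list above created in report-only mode with Microsoft Graph PowerShell, so sign-in impact can be reviewed before it is enforced. It assumes the Microsoft.Graph module is installed, the signed-in account may create Conditional Access policies, and the break-glass group ID is a placeholder.

```powershell
# Added example, not from the original post.
# Creates "CA003: Block legacy authentication" in report-only mode.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the emergency access (break-glass) accounts group
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

$policy = @{
    displayName = "CA003: Block legacy authentication"
    # Report-only first; change to "enabled" after reviewing sign-in logs
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        # Legacy authentication protocols surface as these client app types
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify the policy exists and confirm its state before switching it to enforced
Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'CA003: Block legacy authentication'" |
    Select-Object DisplayName, State, Id
```

Review the report-only results in the Azure AD sign-in logs (Conditional Access tab) before changing the state to enforced.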

  • Enable Intune Advanced Features
  • Idle Session Timeout
  • Enable Self-Service Password Reset
  • Configure Authentication methods for reset
  • Configure Service Desk Link or email
  • Enable DKIM for your domain
  • DMARC Sample Record
TXT _dmarc "v=DMARC1; p=reject; pct=100; fo=1;rua=mailto:dmarc@azure365pro.com; ruf=mailto:dmarc@azure365pro.com"
  • Device Clean Up Rules

Delete devices based on last check-in date – Yes
Delete devices that haven’t checked in for this many days – 180

  • Security Setting Management

“Allow security settings in Microsoft Endpoint Manager (MEM) to be enforced by Microsoft Defender for Endpoint (MDE).
This configuration setting will apply to devices not yet enrolled in Microsoft Endpoint Manager.
You’ll need to turn on the integration in Microsoft Defender for Endpoint connector settings under Microsoft Endpoint Manager.”

Use MDE (Microsoft Defender for Endpoint) to enforce security settings from MEM (Microsoft Endpoint Manager),
so that server and client policies are managed from MEM rather than from SCCM.

Satheshwaran Manoharan (https://www.azure365pro.com)
Specialized in Microsoft Azure - Office 365 / Microsoft Exchange; conducted numerous projects worldwide in designing, supporting, and implementing messaging and virtualization infrastructure for medium-sized and large enterprises. Further, I am a Cloud Architect and Technical Advisor for various start-ups.
