M365 Enforced Settings Wishlist
in progress
Will MacFee
Entra ID
o Account passwords never expire
o Audit logs always on
o Do not allow third party integrated applications
o Enable Multifactor Authentication (MFA) either via Security Defaults or Conditional Access Policies when available
Exchange
o Block “bad” file extension attachments (.ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, and .vbs)
o Display external tag
o Restrict calendar details sharing to authenticated only
o Remove Exchange scripting (PowerShell) access from non-admin accounts
o Flag phishing emails using tenant domain or staff name
o Mailbox audit logs always-on
o Microsoft 365 can remove dangerous emails/files from inbox
o Outbound spam notifications for users sending spam to alerts@systemsupport.com
o Client rules forwarding if the Client has no business need for forwarding. If it cannot be globally applied via Office Protect, specific forwarding rules are created within the Microsoft 365 tenant for all other users.
Teams
o Block 3rd party cloud storage
o Block custom apps that are not in the Teams App Marketplace
o Control guests access
SharePoint
o Block guests from sharing content
o Disable anonymous sharing to where all guests sharing
Scott Riley
marked this post as in progress
Hey Will - great list!! So....
Entra ID
GA Account passwords never expire
GA Audit logs always on
GA Do not allow third party integrated applications
GA Enable Multifactor Authentication (MFA) either via Security Defaults or Conditional Access Policies when available
Exchange
Q3 Block “bad” file extension attachments (.ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, and .vbs)
GA Display external tag
Q3 Restrict calendar details sharing to authenticated only
GA Flag phishing emails using tenant domain or staff name
GA Mailbox audit logs always-on
GA Microsoft 365 can remove dangerous emails/files from inbox
Q3 Outbound spam notifications for users sending spam to alerts@systemsupport.com
GA Client rules forwarding if the Client has no business need for forwarding. If it cannot be globally applied via Office Protect, specific forwarding rules are created within the Microsoft 365 tenant for all other users.
Teams
Q3 Block 3rd party cloud storage
Q3 Block custom apps that are not in the Teams App Marketplace
Q3 Control guests access
SharePoint
GA Block guests from sharing content
GA Disable anonymous sharing to where all guests sharing
I've tagged your list as either GA, so it'll be there ready before or at launch on July 1.
I've also tagged Q3 if we already have it planned to FAST-FOLLOW launch. Like July 1 is start of Q3 anyway but just so you know it's planned.
This one:
Remove Exchange scripting (PowerShell) access from non-admin accounts. I need to check this one out with the team!
Will MacFee
Scott Riley Oh awesome, thank you! For the ones marked GA, will they be listed in the IPSM Security Controls or Huntress Managed Policies?
Scott Riley
Will MacFee You should see them in the main Security Controls list and we'll help you make it easier to filter through those by platform (Exchange, Entra, Sharepoint etc) but.... you should also have some new UI experience coming which will guide you more through which controls / policies to roll out first etc.
We're ramping as much cool stuff as we can for you guys ready for July 1 so you should see more stuff dropping in as we go. You'll get emails to let you know as new features drop too.