Cybersecurity Maturity Model Certification (CMMC) Level 1 Implementation
Status: ACTIVE PROGRAM
Classification: CONFIDENTIAL
Domains: 6 practice families (AC, IA, MP, PE, SC, SI)
Practices: 15, all must be MET (no POA&Ms are permitted at Level 1)
Cadence: annual self-assessment
Submission: SPRS entry plus an annual affirmation by the Affirming Official (this document calls that role the Senior Official)
CMMC Level 1 protects Federal Contract Information (FCI): information provided by or generated for the government under contract that is not intended for public release, such as delivery schedules, invoices and logistics data. It requires implementing the 15 basic safeguarding practices of FAR 52.204-21 across 6 domains. There is no third-party assessment at Level 1: the contractor performs a self-assessment every year and records the result in the Supplier Performance Risk System (SPRS, https://www.sprs.csd.disa.mil/), a DoD system, not a ".gov" supplier portal.
Phase 1 of the DFARS rollout runs November 10, 2025 to November 10, 2026. During Phase 1, new solicitations and awards that involve FCI require a Level 1 self-assessment in SPRS at award. Existing contracts pick up the requirement only when the contracting officer adds the CMMC clause (for example at option exercise); there is no blanket grace period, so check each contract's language rather than assuming one.
Key commitment: your Affirming Official (the Senior Official, typically the CEO or owner) personally affirms in SPRS that all 15 practices are met, and repeats that affirmation every year. This is a legal attestation. A false or unsupported affirmation exposes the company and the individual to civil penalties (including False Claims Act liability), contract termination and criminal prosecution.
6-Week Implementation Timeline
Phase 1 (Weeks 1–2): Tenant assessment, MFA, Conditional Access, admin hardening, audit logging
Phase 2 (Weeks 2–3): Defender for Office 365, anti-phishing, DLP policies, SharePoint/OneDrive restrictions
Phase 3 (Weeks 3–5): Device enrollment, compliance policies, Defender for Endpoint, BitLocker, patching
Phase 4 (Week 6): Screenshot evidence collection, SSP documentation, SPRS submission support
Phase 1 Foundation (Week 1–2) — ~18–22 hrs
Tenant baseline assessment
Run a Microsoft Secure Score review, export the current configuration, and document gaps against the 15 CMMC L1 practices
Entra ID / Azure AD user audit
Identify all accounts, remove stale/shared accounts, confirm no orphaned admin accounts
MFA enforcement rollout
Require MFA for ALL users. Security Defaults is the floor for tenants without Entra ID P1; Business Premium includes P1, so use Conditional Access instead (the two are mutually exclusive: turn Security Defaults off before enabling CA policies). Communicate to staff and handle exceptions.
Conditional Access policies
Block legacy auth, require MFA for all apps, block risky sign-ins, set compliant device policy
Admin role hardening
Reduce Global Admin count to 2 max, enable PIM if licensed, no admin on daily-use accounts
Audit logging enablement
Confirm the Unified Audit Log is on and mailbox auditing is enabled. Audit (Standard), which Business Premium includes, retains 180 days; if the program needs longer, export monthly to the evidence repo or add Audit (Premium).
Password policy hardening
Set 12-char minimum, enable Entra ID Password Protection, disable password expiration with MFA
Break-glass accounts
Create 2 emergency admin accounts, store securely, exclude from CA policies, monitor for use
Phase 2 Email & Data Controls (Week 2–3) — ~12–16 hrs
Defender for Office 365 baseline
Enable Safe Links, Safe Attachments, anti-phishing policies (Standard or Strict). Via Security portal.
Anti-spam & anti-malware tuning
Review and harden default policies, enable auto-purge (ZAP), quarantine review setup
Email authentication (SPF/DKIM/DMARC)
Verify SPF records, enable DKIM signing, set DMARC to p=quarantine minimum
DLP policy for FCI
Create DLP policy to detect/block FCI leaving org via email or SharePoint. Start in audit mode.
SharePoint/OneDrive sharing lockdown
Set external sharing to Disabled or specific-people only. Restrict anonymous links.
Evidence repo setup
Create dedicated private SharePoint site for CMMC evidence. Configure permissions and folder structure.
Phase 3 Endpoints & Intune (Week 3–5) — ~18–24 hrs
Intune tenant setup & licensing check
Confirm MDM authority set to Intune, verify M365 Business Premium or Intune Plan 1 licenses assigned
Windows device enrollment
Enroll Windows devices via Autopilot, bulk enrollment, or manual Entra join. Build enrollment comms.
Device compliance policies
Require: minimum OS version, BitLocker on, Defender antimalware with real-time protection on, Secure Boot on, firewall on (for iOS/Android policies: not jailbroken or rooted). Tie to Conditional Access so a noncompliant device cannot reach FCI.
BitLocker encryption enforcement
Deploy BitLocker config profile via Intune, enforce full disk encryption, escrow recovery keys to Entra ID.
Microsoft Defender for Endpoint
Onboard devices to MDE via Intune policy, confirm real-time protection ON, configure tamper protection
Windows Update / patch baseline
Create Update Ring policy: quality updates within 7 days, feature updates within 30 days.
Application control / approved apps
Deploy required apps (M365 Apps, Defender, VPN if used) via Intune. Block unauthorized software installs.
USB/removable media policy
Deploy a policy to block or audit USB storage devices on FCI endpoints. This keeps FCI from leaving on removable media; note that the Level 1 media requirement (MP.L1-b.1.vii) is about sanitizing or destroying media before disposal or reuse, so you still need a sanitization procedure and a disposal log.
Screen lock & idle timeout
Enforce 15-min screen lock via Intune config profile. Require password/PIN to unlock.
Phase 4 Evidence & Attestation (Week 6) — ~10–14 hrs
Evidence screenshot collection
Screenshot every control: Conditional Access policies, MFA report, Defender status, BitLocker compliance, DLP policies, audit log settings
SSP (System Security Plan) writeup
Document the in-scope environment, all 15 practices and how each is met, with references to where the evidence lives.
Remediate any remaining gaps before affirmation
CMMC Level 1 does not permit a POA&M: every practice must be MET before the Affirming Official can affirm. Track open items internally with an owner, a date and any interim compensating control, but do not affirm until that list is empty.
Senior Official review session
Walk the affirming officer through evidence package. Answer questions. Get sign-off on accuracy before SPRS submission.
SPRS score entry
The Affirming Official logs into SPRS, records the Level 1 self-assessment (all 15 practices MET; there is no numeric score at Level 1, the 110-point score belongs to the Level 2 NIST SP 800-171 assessment) and affirms the submission.
The DoD doesn't mandate a specific tool — but they DO require evidence to be secure, controlled-access, and retrievable for the annual affirmation cycle. Here's the tiered approach by maturity:
🏆 Recommended: a dedicated private SharePoint site in your Microsoft 365 tenant
Commercial M365 Business Premium is sufficient for FCI. GCC or GCC High is only needed if the same tenant will also hold CUI or ITAR data (and Business Premium is not sold in GCC High).
Strong Alternative: Google Workspace or an AWS S3 bucket with restricted access
If the organization is already on the Google or AWS ecosystem. Same expectations apply: named-user access, MFA, audit logging, versioning.
Avoid: personal Dropbox, consumer OneDrive, or a local shared drive
Consumer-grade storage is not appropriate for FCI evidence. It fails the access control and audit logging expectations.
Recommended Folder Structure (SharePoint / GCC)
📁 CMMC-L1-Evidence/
📁 00_Governance/
→ System Security Plan (SSP), Scope Statement, Asset Inventory
📁 01_Access-Control (AC)/
→ AD/Entra screenshots, MFA policy, user account list
📁 02_Identification-Authentication (IA)/
→ Password policy, MFA enrollment proof
📁 03_Media-Protection (MP)/
→ Sanitization policy, disposal records
📁 04_Physical-Protection (PE)/
→ Access logs, facility control documentation
📁 05_System-Comms-Protection (SC)/
→ Firewall rules, network diagram, encryption configs
📁 06_System-Info-Integrity (SI)/
→ AV/EDR proof, patch management records, update logs
📁 07_Annual-Assessment-Records/
→ Signed checklist, SPRS submission screenshot, affirmation record
Access Control (AC) — 4 practices
Identification & Authentication (IA) — 2 practices
Media Protection (MP) — 1 practice
Physical Protection (PE) — 2 practices
System & Comms Protection (SC) — 2 practices
System & Info Integrity (SI) — 4 practices
Total: 15 practices
Pre-Meeting Preparation
Meeting Agenda (90 min suggested)
Welcome + Context Setting
Walk the 15 Practices at a High Level
Assign Owners + Set Status (Live Tracker Walk)
Evidence Repo Setup + Document Roles
Project Plan + Timeline
SPRS + Affirmation — Explain the End State
Enable MFA for ALL users — no exceptions
Entra ID → Protection → Conditional Access. Security Defaults is the minimum for tenants without P1; Business Premium includes Entra ID P1, so use Conditional Access (turn Security Defaults off first, the two cannot both be on). Per-user MFA is the legacy mechanism and should not be used.
Require MFA for all admin accounts
Create a Conditional Access policy: Directory roles (all admin roles) → Require MFA, applied always (no trusted-location exclusions). The only excluded accounts are the two break-glass accounts, which are monitored for any use instead.
Use Microsoft Authenticator app, not SMS
SMS is SIM-swap vulnerable. Push notification + number matching is minimum. Passkeys/FIDO2 keys ideal for admins.
Block legacy authentication protocols
Conditional Access → Conditions → Client apps → select Exchange ActiveSync clients and Other clients → Grant: Block. Exchange Online already disabled Basic authentication for IMAP/POP/EWS in 2022; this policy closes the remaining paths, and SMTP AUTH should be disabled per mailbox unless a specific device needs it.
Require MFA for all users accessing cloud apps
CA Policy: All users → All cloud apps → Grant: Require MFA. This is your baseline.
Require compliant device for access to FCI data
CA Policy: Grant → Require device to be marked compliant (needs Intune). Enforces endpoint controls before data access.
Sign-in risk policy — block high-risk sign-ins
Requires Entra ID P2. CA Policy: Sign-in risk = High → Block. Medium → Require MFA.
No shared accounts — every user has their own login
Shared accounts kill auditability. If they exist, eliminate them before assessment.
Enforce strong password policy
Min 12 characters. Enable Entra ID Password Protection to block common passwords + custom banned list.
Disable accounts immediately upon termination
Document offboarding checklist: disable Entra account → revoke sessions → remove licenses → forward email → backup data.
Limit Global Admin accounts to 2–3 max
Entra ID → Roles → Global Administrator. Break-glass accounts only. Day-to-day admins use scoped roles.
Admins use separate admin accounts
Never use a Global Admin account for daily email/browsing. Separate user@company.com from admin.user@company.com.
Enable Privileged Identity Management (PIM)
Requires Entra ID P2. Admins request elevation just-in-time. Global Admin is never always-on.
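The following script is an added example, not part of the original program document, that audits the Phase 1 identity items and the identity checklist items above against a live tenant: Global Administrator count, users with no registered MFA method, stale enabled accounts, and whether the enabled Conditional Access policies exclude the break-glass accounts and include a baseline all-users MFA policy. It assumes the Microsoft Graph PowerShell SDK is installed and the runner can consent to the read-only scopes listed; the break-glass UPNs, the contoso.com domain and the 90-day staleness threshold are assumptions, and signInActivity requires Entra ID P1.

```powershell
# Added example: read-only identity audit for the CMMC L1 identity items.
# Assumes the Microsoft.Graph SDK; UPNs, domain and thresholds below are placeholders.
Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement,
              Microsoft.Graph.Users, Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Directory.Read.All','User.Read.All','AuditLog.Read.All',
                        'UserAuthenticationMethod.Read.All','Policy.Read.All' -NoWelcome

$breakGlass = @('breakglass-01@contoso.com','breakglass-02@contoso.com')   # assumed UPNs
$staleDays  = 90                                                            # assumed threshold

# 1. Global Administrator membership (target: break-glass plus a minimal set of named admins)
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
             ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
"Global Administrators ($($gaMembers.Count)):"; $gaMembers

# 2. Users with no MFA method registered at all
$noMfa = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
         Where-Object { -not $_.IsMfaRegistered }
"Users without a registered MFA method: $($noMfa.Count)"
$noMfa | Select-Object UserPrincipalName, IsAdmin, MethodsRegistered | Format-Table -AutoSize

# 3. Stale accounts: enabled but no sign-in within $staleDays days (signInActivity needs Entra ID P1)
$cutoff = (Get-Date).AddDays(-$staleDays)
$stale  = Get-MgUser -All -Property id,userPrincipalName,accountEnabled,signInActivity |
          Where-Object { $_.AccountEnabled -and
                         ($null -eq $_.SignInActivity.LastSignInDateTime -or
                          $_.SignInActivity.LastSignInDateTime -lt $cutoff) }
"Enabled accounts with no sign-in in $staleDays days: $($stale.Count)"
$stale | Select-Object UserPrincipalName,
         @{n='LastSignIn'; e={ $_.SignInActivity.LastSignInDateTime }} | Format-Table -AutoSize

# 4. Conditional Access: every enabled policy must exclude the break-glass accounts, and
#    at least one enabled policy must require MFA for All users on All cloud apps.
$bgIds    = $breakGlass | ForEach-Object { (Get-MgUser -UserId $_ -ErrorAction SilentlyContinue).Id }
$policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled'
foreach ($p in $policies) {
    $missing = $bgIds | Where-Object { $_ -and ($p.Conditions.Users.ExcludeUsers -notcontains $_) }
    if ($missing) { "WARN: policy '$($p.DisplayName)' does not exclude all break-glass accounts" }
}
$baseline = $policies | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'mfa' }
if ($baseline) { "Baseline MFA policy present: $($baseline.DisplayName -join ', ')" }
else           { "WARN: no enabled CA policy requires MFA for All users on All cloud apps" }

Disconnect-MgGraph | Out-Null
```

Run it before the Phase 1 work starts and again at the end; keep both outputs in the evidence repo so the assessment file shows the before and after state. The script only reads; remediation (removing stale accounts, adding exclusions) stays a deliberate manual step.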
Enable Defender for Office 365 — Safe Attachments + Safe Links
Defender portal (security.microsoft.com) → Email & collaboration → Policies & rules → Threat policies → Safe Attachments (Block on malware) + Safe Links (rewrite URLs, block known malicious). Applying the Standard preset security policy turns both on together with sensible defaults.
Configure anti-phishing policy with impersonation protection
Threat policies → Anti-phishing → Enable mailbox intelligence, impersonation protection for key users and domain.
Set up SPF, DKIM, and DMARC on the domain
SPF: v=spf1 include:spf.protection.outlook.com -all as a single record, adding any other legitimate senders (marketing platform, ticketing system) before -all. Enable DKIM signing in the Defender portal and publish both selector CNAMEs. DMARC: start at p=none with a rua= reporting address to find legitimate senders, move to p=quarantine once reports are clean, then to p=reject.
Block auto-forwarding to external addresses
Defender portal → Anti-spam outbound policy → Automatic forwarding: Off (this is the enforced control), plus Exchange Admin → Mail flow → Remote domains → Default → uncheck "Allow automatic forwarding." Add a mail flow rule that blocks auto-forwarded messages to external recipients as a backstop, and review existing inbox rules that already forward externally.
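As an added example (not from the original document), the script below checks the SPF, DKIM, DMARC and auto-forwarding items above for one domain and prints a MET / NOT MET result that can be pasted into the evidence folder. It assumes the Windows DnsClient module (Resolve-DnsName) and the ExchangeOnlineManagement module; contoso.com is a placeholder domain.

```powershell
# Added example: verify email authentication and forwarding controls for one domain.
# Assumes Resolve-DnsName (Windows) and ExchangeOnlineManagement; domain is a placeholder.
param([string]$Domain = 'contoso.com')   # assumed domain

$findings = @()

# SPF: exactly one v=spf1 record, including EOP, ending in hard fail
$spf = (Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue).Strings |
       Where-Object { $_ -like 'v=spf1*' }
if ($spf.Count -ne 1) {
    $findings += "SPF: expected exactly 1 record, found $($spf.Count)"
} elseif ($spf -notmatch 'include:spf\.protection\.outlook\.com') {
    $findings += 'SPF: missing include:spf.protection.outlook.com'
} elseif ($spf -notmatch '\s-all$') {
    $findings += "SPF: not hard-fail (-all): $spf"
}

# DMARC: policy published, not left at p=none, with aggregate reporting configured
$dmarc = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue).Strings |
         Where-Object { $_ -like 'v=DMARC1*' }
if (-not $dmarc)                        { $findings += 'DMARC: no _dmarc record' }
elseif ($dmarc -match 'p=none')         { $findings += "DMARC: still monitoring only: $dmarc" }
elseif ($dmarc -notmatch 'rua=mailto:') { $findings += 'DMARC: no rua= aggregate report address' }

# DKIM: both EOP selector CNAMEs must be published in DNS...
foreach ($sel in 'selector1','selector2') {
    $cname = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    if (-not $cname) { $findings += "DKIM: $sel._domainkey.$Domain CNAME not published" }
}

# ...and signing must be enabled on the tenant side
Connect-ExchangeOnline -ShowBanner:$false
$dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
if (-not $dkim -or -not $dkim.Enabled) { $findings += 'DKIM: signing not enabled in Exchange Online' }

# Auto-forwarding: outbound spam policy and the default remote domain should both block it
$obs = Get-HostedOutboundSpamFilterPolicy -Identity Default
if ($obs.AutoForwardingMode -ne 'Off') {
    $findings += "Forwarding: outbound spam policy AutoForwardingMode=$($obs.AutoForwardingMode), expected Off"
}
$rd = Get-RemoteDomain -Identity Default
if ($rd.AutoForwardEnabled) { $findings += 'Forwarding: remote domain Default still allows automatic forwarding' }

Disconnect-ExchangeOnline -Confirm:$false

if ($findings) { "NOT MET for ${Domain}:`n" + ($findings -join "`n") }
else           { "Email authentication and forwarding controls: MET for $Domain" }
```

The DNS checks run from anywhere and are worth repeating from outside the corporate network, since a split-horizon DNS setup can show internal records that the public internet never sees. A p=none DMARC result is reported as a finding on purpose: it is the correct starting point, but the checklist above expects the domain to move past it.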
Enable Purview Information Protection (sensitivity labels)
Create labels: Internal, FCI — Confidential, FCI — Restricted. Train users to apply. Labels can enforce encryption.
Create DLP policy to detect and block FCI data leaving
Purview → Data Loss Prevention → Policy for contract numbers, CAGE codes, or sensitive keywords. Alert or block sending externally.
Disable "Anyone with a link" sharing tenant-wide
SharePoint Admin Center → Policies → Sharing → Set to "Only people in your organization" or "Specific people." No anonymous links.
Create a dedicated FCI SharePoint site — restricted membership
Separate site from general company SharePoint. Only users needing FCI access are members. Evidence repo lives here. Private site.
Enable versioning on all document libraries
Library Settings → Versioning → Enable major versions, keep at least 50. Provides ransomware recovery and change history.
Restrict OneDrive sync to managed devices only
SharePoint Admin → Settings → Sync → Allow sync on PCs joined to specific domain or Intune-compliant. Stops syncing FCI to personal laptops.
Disable or restrict external/guest access in Teams
Teams Admin Center → Org-wide settings → External access and Guest access. If guests needed, restrict to specific domains. FCI never passes through guest channels.
Disable third-party app installs in Teams
Teams Admin → Teams apps → Permission policies → Block all third-party and custom apps unless specifically approved.
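An added example, not part of the original document, that enforces the tenant-wide sharing, default-link and managed-device sync items above with the SharePoint Online Management Shell (Microsoft.Online.SharePoint.PowerShell) and locks the dedicated FCI site down regardless of the tenant setting. The tenant name contoso and the site URL are placeholders; the ConditionalAccessPolicy setting only takes effect once an Entra Conditional Access policy for unmanaged devices exists (the compliant-device policy described earlier). Library versioning is configured per library in the browser and is not shown here.

```powershell
# Added example: SharePoint/OneDrive sharing lockdown for FCI.
# Assumes Microsoft.Online.SharePoint.PowerShell; tenant and site URL are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # assumed tenant

# Capture the starting state for the evidence repo
$before = Get-SPOTenant |
    Select-Object SharingCapability, DefaultSharingLinkType, ConditionalAccessPolicy
$before | Export-Csv -Path ".\SPO-Sharing-Before-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Tenant-wide:
#   ExternalUserSharingOnly  = authenticated guests only, no "Anyone" links (use Disabled if no guests at all)
#   Direct                   = new links default to "specific people", not "people in org"
#   AllowLimitedAccess       = unmanaged devices get browser-only access: no sync, no download
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -ConditionalAccessPolicy AllowLimitedAccess

# The FCI site: no external sharing at all, whatever the tenant allows elsewhere
$fciSite = 'https://contoso.sharepoint.com/sites/CMMC-L1-Evidence'   # assumed site
Set-SPOSite -Identity $fciSite -SharingCapability Disabled

# Verify and keep the after state next to the before state
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, ConditionalAccessPolicy
Get-SPOSite -Identity $fciSite | Select-Object Url, SharingCapability
```

Running the two Get-SPOTenant calls before and after gives you the pair of CSV files the evidence folder needs for AC.L1-b.1.iii (external connections) without screenshots. If the business genuinely needs anonymous links for a marketing site, scope that site individually with Set-SPOSite rather than loosening the tenant default.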
Enroll ALL corporate-issued devices into Intune
Windows: Autopilot or manual Entra Join + Intune enrollment. Mac: ADE enrollment via Apple Business Manager. No unmanaged device accesses FCI.
Create compliance policies — enforce them via Conditional Access
Intune → Devices → Compliance → Windows policy: require BitLocker, Secure Boot, antivirus with real-time protection, minimum OS version (jailbreak and root checks belong in the iOS/Android policies). Set the action for noncompliance to mark the device noncompliant so the Conditional Access policy blocks it.
Deploy Windows Update for Business — enforce patching
Intune → Update rings: security updates within 7 days, feature updates within 30. No device older than 30 days behind on patches.
Enable BitLocker encryption on all Windows devices
Intune → Endpoint security → Disk encryption → BitLocker policy. Full disk encryption on OS and fixed drives. Store recovery keys in Entra ID.
Configure device lock / screen timeout policy
Intune → Configuration profile: screen lock after 5–15 min idle, require PIN/password to unlock.
Enable remote wipe capability
Intune enrolled devices can be wiped remotely. Document the process. Apply when device lost/stolen or employee terminated.
Deploy Microsoft Defender Antivirus via Intune
Intune → Endpoint security → Antivirus → Windows Defender policy. Enable real-time protection, cloud-delivered protection, auto sample submission.
Verify AV definitions update automatically — daily minimum
Policy: signature update interval every 4–8 hours. Verify via Intune compliance report. Screenshot definition version report for evidence.
Enable scheduled scans + real-time scan on file download
Defender policy: weekly full scan, real-time protection always on, scan USB/removable drives, scan email attachments.
Enable Microsoft Defender for Endpoint (MDE)
Business Premium includes Defender for Business, the SMB edition of MDE: EDR, vulnerability management and attack surface reduction rules. Critical for the SI practices (malicious code protection, updates, scanning).
Block USB / removable storage on FCI-handling devices
Intune → Configuration profile → Device restrictions → Block removable storage. Or use MDE Device Control. No FCI leaving on thumb drive.
Deploy security baseline via Intune
Intune → Endpoint security → Security baselines → Security Baseline for Windows 10 and later (the Windows 365 baseline is for Cloud PCs only). A Microsoft-curated set of hardening settings. Pilot on a test group, resolve conflicts with your own configuration profiles, then apply to all managed devices.
Manage local administrator accounts with Windows LAPS
Intune → Endpoint security → Account protection → LAPS policy. Windows LAPS rotates each machine's local admin password and escrows it in Entra ID, so no two endpoints share a local admin credential. Remove day-to-day users from the local Administrators group with an account protection (local user group membership) policy.
Enable Windows Firewall — all profiles
Intune → Endpoint security → Firewall → Windows Firewall policy. Block inbound by default, allow outbound. Log dropped packets.
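The script below is an added example, not from the original document, serving both the Phase 3 endpoint steps and the endpoint checklist above. Part 1 runs on a single Windows endpoint and reports the posture items the compliance policy enforces (Defender state and signature age, BitLocker on the OS drive, firewall on all profiles). Part 2 pulls the tenant-wide Intune view and writes a dated CSV of noncompliant, unencrypted or stale devices to the evidence repo, replacing a screenshot. It assumes the Microsoft.Graph.DeviceManagement module; the evidence path and the 7-day sync threshold are assumptions.

```powershell
# Added example: endpoint posture evidence, local and tenant-wide.
# Assumes Microsoft.Graph.DeviceManagement for Part 2; path and thresholds are placeholders.

# --- Part 1: local evidence from one endpoint (run elevated on the device) ---
function Get-EndpointPosture {
    $mp = Get-MpComputerStatus                                   # Defender antimalware status
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive        # OS drive only
    $fw = Get-NetFirewallProfile | Select-Object Name, Enabled    # Domain / Private / Public
    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        AMRunningMode         = $mp.AMRunningMode                 # expect Normal (not Passive)
        RealTimeProtection    = $mp.RealTimeProtectionEnabled
        TamperProtected       = $mp.IsTamperProtected
        SignatureAgeDays      = $mp.AntivirusSignatureAge         # expect 0 or 1
        LastFullScan          = $mp.FullScanEndTime
        OsDriveEncryption     = $os.VolumeStatus                  # expect FullyEncrypted
        OsDriveProtection     = $os.ProtectionStatus              # expect On
        FirewallAllProfilesOn = -not ($fw | Where-Object { -not $_.Enabled })
    }
}
Get-EndpointPosture | Format-List

# --- Part 2: tenant-wide Intune compliance export for the evidence repo ---
Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

$staleSync = (Get-Date).AddDays(-7)                               # assumed threshold
$devices = Get-MgDeviceManagementManagedDevice -All |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, OSVersion,
                  ComplianceState, IsEncrypted, LastSyncDateTime,
                  @{n='Finding'; e={
                      $f = @()
                      if ($_.ComplianceState -ne 'compliant') { $f += "compliance=$($_.ComplianceState)" }
                      if ($_.OperatingSystem -eq 'Windows' -and -not $_.IsEncrypted) { $f += 'not encrypted' }
                      if ($_.LastSyncDateTime -lt $staleSync) { $f += 'no sync in 7 days' }
                      $f -join '; ' }}

$evidenceDir = 'C:\CMMC-Evidence\06_System-Info-Integrity'        # assumed path
New-Item -ItemType Directory -Force -Path $evidenceDir | Out-Null
$evidence = Join-Path $evidenceDir "Intune-Compliance-$(Get-Date -Format yyyyMMdd).csv"
$devices | Export-Csv -Path $evidence -NoTypeInformation
"Exported $($devices.Count) devices to $evidence"
$devices | Where-Object Finding | Format-Table DeviceName, OperatingSystem, Finding -AutoSize

Disconnect-MgGraph | Out-Null
```

A device that has not synced in a week is the usual way a "compliant" report lies: its last known state is stale, and Conditional Access keeps trusting it until the compliance status validity period expires. Treat those rows as unknown, not compliant, when you sign the evidence.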
Business-grade firewall — not a consumer router
Meraki MX, Fortinet, Palo Alto, or equivalent. Must have stateful inspection, application awareness, and logging.
Block inbound traffic by default — allowlist only what's needed
Firewall rules: default deny inbound, explicit allow for business services only. Document every open inbound port.
DNS filtering / protective DNS
Deploy Cisco Umbrella, Cloudflare Gateway, or Defender for Endpoint network protection with web content filtering (Microsoft has no standalone endpoint protective-DNS service; "Defender for DNS" is an Azure resource-level product). Blocks malicious domains and C2 callbacks before the connection is made.
Separate guest Wi-Fi from corporate network
Guest SSID must be on separate VLAN with no access to internal resources. Visitors and personal devices on guest only.
Remote access via VPN or Zero Trust (not open RDP)
Never expose RDP directly to the internet. Use an MFA-protected VPN or a zero-trust access path (Microsoft Entra Application Proxy, Entra Private Access, or an equivalent ZTNA product).
Enable firewall logging — retain 90 days minimum
Forward firewall logs to syslog or SIEM. Log denied inbound, allowed inbound, and VPN connections.
Confirm Unified Audit Log (UAL) is turned ON
Purview → Audit → Verify audit logging is active. Should be on by default. Captures sign-ins, file access, admin actions, mail events.
Set audit log retention to 1 year minimum
Audit (Standard), included with E3 and Business Premium, retains 180 days; Audit (Premium), included with E5, retains 1 year by default and can be extended to 10 years with the add-on. If you are on Standard, either export the log monthly to the evidence SharePoint site or stream it to a Log Analytics workspace or SIEM.
Enable Entra ID sign-in and audit logs
Entra ID → Monitoring → Sign-in logs + Audit logs. The portal keeps these for 30 days on P1/P2, so configure Diagnostic settings to export them to a Log Analytics workspace or storage account for long-term retention.
Set up alerts for suspicious activity
Purview → Alert policies: mass file download, impossible travel sign-in, new admin role assigned, mail forwarding rule created.
Review Microsoft Secure Score monthly
security.microsoft.com → Secure Score. Track score over time. Screenshot monthly score for evidence of ongoing monitoring.
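An added example, not from the original document, for the audit-logging items above: it confirms Unified Audit Log ingestion is on, exports the previous calendar month to a CSV in the evidence repo (the monthly export suggested for tenants on Audit Standard), and pulls out the record types the alert policies above care about. It assumes the ExchangeOnlineManagement module; the evidence path is an assumption, and a single ReturnLargeSet session is capped at 50,000 records, so a busy tenant should split the window by week.

```powershell
# Added example: verify the Unified Audit Log and export one month of it as evidence.
# Assumes ExchangeOnlineManagement; the evidence path is a placeholder.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Ingestion must be on
$cfg = Get-AdminAuditLogConfig
"Unified Audit Log enabled: $($cfg.UnifiedAuditLogIngestionEnabled)"
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Page through the previous calendar month (5,000 records per page, same session ID each call)
$end     = Get-Date -Day 1 -Hour 0 -Minute 0 -Second 0
$start   = $end.AddMonths(-1)
$session = "cmmc-ual-$($start.ToString('yyyyMM'))"
$evidenceDir = 'C:\CMMC-Evidence\07_Annual-Assessment-Records\Audit-Logs'   # assumed path
New-Item -ItemType Directory -Force -Path $evidenceDir | Out-Null
$out = Join-Path $evidenceDir "UAL-$($start.ToString('yyyy-MM')).csv"
if (Test-Path $out) { Remove-Item $out }

$total = 0
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -SessionId $session `
                -SessionCommand ReturnLargeSet -ResultSize 5000 -Formatted
    if ($page) {
        $page | Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
            Export-Csv -Path $out -Append -NoTypeInformation
        $total += $page.Count
    }
} while ($page -and $page.Count -eq 5000)
"Exported $total audit records for $($start.ToString('yyyy-MM')) to $out"

# 3. Quick review of the events the alert policies target: forwarding rules and role changes
$watchOps = 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox', 'Add member to role.', 'Add-RoleGroupMember'
Import-Csv $out | Where-Object { $_.Operations -in $watchOps } |
    Format-Table CreationDate, UserIds, Operations -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Keep the exported file immutable once it is in the evidence site (versioning on, members read-only after upload); an audit export that can be edited by the same admins it records is weak evidence. Set-Mailbox is included in the watch list because a ForwardingSmtpAddress change surfaces as that operation, not as a rule.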
Document a written Incident Response plan
1–2 pages: what counts as an incident, who to call (legal, DoD POC if FCI involved), steps to contain, steps to document. Store in evidence repo.
Know your DoD incident reporting obligation
FAR 52.204-21 itself contains no incident reporting clause, but if the contract also carries DFARS 252.204-7012, cyber incidents affecting covered defense information must be reported to DoD via DIBNet within 72 hours of discovery. Check each contract's clauses; where it is unclear, treat 72 hours as the working target and name the contracting officer as a contact in the IR plan.
Disable Microsoft 365 app self-service purchases
M365 Admin Center → Settings → Org settings → Services → Self-service trials and purchases → turn off per product (or use the MSCommerce PowerShell module, which covers every product in one pass). Prevents users from buying unapproved apps.
Control which third-party apps can connect to M365
Entra ID → Enterprise Applications → User consent settings → Disable user consent. Require admin approval. Review existing connected apps.
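As an added example (not from the original document), the script below applies both tenant-governance items above from PowerShell so they can be re-run each assessment cycle and the output kept as evidence: it disables self-service purchasing for every product that offers it, disables user consent to third-party apps by assigning an empty consent policy set, and then lists the delegated grants users have already made so they can be reviewed. It assumes the MSCommerce and Microsoft.Graph modules and an account holding the Global Administrator role.

```powershell
# Added example: tenant governance for self-service purchases and app consent.
# Assumes the MSCommerce and Microsoft.Graph modules.

# 1. Self-service purchases and trials: disable the policy for every product that offers it
Import-Module MSCommerce
Connect-MSCommerce
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase |
    Where-Object { $_.PolicyValue -ne 'Disabled' } |
    ForEach-Object {
        Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase `
                                       -ProductId $_.ProductId -Enabled $false
    }
# Evidence: every row should now read Disabled
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | Format-Table ProductName, PolicyValue

# 2. User consent to third-party apps: off tenant-wide; admins approve through the consent workflow
Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization','Directory.Read.All' -NoWelcome

# An empty permissionGrantPoliciesAssigned list means users cannot consent to anything
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }
$assigned = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
"User consent policies assigned: $(if ($assigned) { $assigned -join ', ' } else { '(none: user consent disabled)' })"

# 3. Review what users already granted before the setting changed (ConsentType Principal = per-user grant)
Get-MgOauth2PermissionGrant -All | Where-Object ConsentType -eq 'Principal' |
    ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{ App = $sp.DisplayName; Scope = $_.Scope; GrantedByUserId = $_.PrincipalId }
    } | Sort-Object App | Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

Disabling user consent stops new grants but does not revoke existing ones; that is why step 3 lists them. Remove any grant for an app the business has not approved with Remove-MgOauth2PermissionGrant, and turn on the admin consent workflow in Entra so users have a sanctioned way to request an app instead of working around the block.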
Conduct security awareness training annually (minimum)
Attack simulation training requires Defender for Office 365 Plan 2, which Business Premium (Plan 1) does not include; use a third-party phishing simulation platform or the Plan 2 add-on. Keep attendance and completion records in the evidence repo.
Backup M365 data with a third-party backup tool
Microsoft's recycle bin is NOT a backup. Use Veeam, Datto SaaS Protection, or Acronis. Test restore quarterly. Document the test.
Document everything — system inventory + network diagram
Maintain a list of all systems, devices, and users in scope. Your SSP needs this. Update whenever things change.
M365 License Recommendation for CMMC L1
✅ Microsoft 365 Business Premium
Includes Intune, Defender for Business (EDR), Entra ID P1, Defender for Office 365 P1, CA, Purview basics. ~$22/user/mo. Sweet spot for CMMC L1 SMBs.
⚠️ M365 Business Standard or E3
Business Standard has no Intune, Entra ID P1 or Defender for Business; E3 has Intune and P1 but only Defender for Endpoint Plan 1, which has no EDR. Either way you have gaps in SI.L1-b.1.xiii through xv (malicious code protection, keeping it updated, scanning) unless you add a third-party EDR such as SentinelOne or CrowdStrike.
What is ITAR?
International Traffic in Arms Regulations — U.S. government regulations controlling export and import of defense-related articles and technical data on the U.S. Munitions List (USML).
ITAR / EAR vs. CMMC — How They Interact
CMMC Level 1 (FCI only)
ITAR/EAR are generally NOT triggered at this level. Basic contract delivery data (schedules, invoices, logistics) is FCI, not ITAR-controlled technical data.
CMMC Level 2 (CUI)
ITAR/EAR becomes very relevant. CUI often includes ITAR-controlled technical data. Requires GCC High, strict access controls, potentially DDTC registration.
Quick Reference
ITAR
State Dept · USML · Defense articles
→ GCC High required
EAR
Commerce Dept · CCL · Dual-use tech
→ GCC or GCC High
FCI (L1)
DoD contract data · Non-classified
→ Commercial M365 ✅
Document ID: CMMC-L1-2026-Q2
Version: 1.0 — Final
Classification: CONFIDENTIAL
Prepared By: Security Operations
Implementation Framework
This program aligns with CMMC Level 1 requirements, incorporates SOC 2 Type II and ISO 27001 best practices, and follows NIST Cybersecurity Framework (CSF) controls. All recommendations are based on DoD-provided guidance and industry standards for protecting Federal Contract Information (FCI).
LEGAL NOTICE
This document contains proprietary and confidential information. Unauthorized access, disclosure, reproduction, or distribution is strictly prohibited. All information is provided for authorized personnel only. Violation of these terms may result in legal action. The Senior Official affirming this certification assumes full legal responsibility for the accuracy and completeness of all statements. Falsification or misrepresentation of compliance may result in civil penalties, contract termination, and criminal prosecution.
For Distribution To: Executive Leadership, Security Teams, Legal/Compliance
© 2026 — All Rights Reserved