| Set up tenant | Baseline | Hardened |
|---|---|---|
| Decide between hybrid and cloud-only identity | Hybrid, Azure AD Connect | Hybrid, Azure AD Connect |
| Azure AD Connect – sign-in method | Password hash sync | Password hash sync |
| Azure AD Connect – single sign-on | Enabled | Enabled |
| Azure AD Connect – on-premises attribute for Azure AD username | userPrincipalName | userPrincipalName |
| Azure AD Connect – password writeback | Enabled | Enabled |
| Decide on email migration strategy | Hybrid Agent | Hybrid Agent |
| Configure DNS domains | Situational | Situational |
| Configure identity protection | Baseline | Hardened |
|---|---|---|
| Plan for administrative access | Required | Required |
| Configure dedicated admin accounts | Recommended | Recommended |
| Multi-factor authentication (MFA) for admins | Security defaults | Required, Conditional Access |
| Multi-factor authentication (MFA) for users | Security defaults | Required, Conditional Access |
| Self-service password reset (SSPR) | Enabled, all users | Enabled, all users |
| Combined security information registration | Enabled, all users | Enabled, all users |
| Configure email protection | Baseline | Hardened |
|---|---|---|
| Enable Common Attachment Types filter | Recommended | Required |
| Enable transport rule for attachments with macro-enabled Office extensions (docm, xlsm, pptm, ...) | Warn | Block |
| Enable transport rule to block auto-forwarded email to external recipients | Recommended | Required |
| Enable Sender Policy Framework (SPF) to help prevent spoofing | Required | Required |
| Enable DomainKeys Identified Mail (DKIM) to help prevent spoofing | Optional | Signed, all domains |
| Enable DMARC policy to validate email | Enabled, p=quarantine | Enabled, p=reject |
| Enable Office 365 ATP policies | Recommended policies | Required, including impersonation (spear-phishing) protection |
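The email protection rows above map onto a handful of Exchange Online PowerShell settings plus three DNS records. The following is an added example, not code from the original checklist: it assumes the ExchangeOnlineManagement module, an Exchange administrator role, a placeholder domain `contoso.example` and a placeholder protected user `Jane Doe`. The `$hardened` switch selects between the Baseline and Hardened columns where they differ.

```powershell
# Added example (not part of the original checklist). Assumptions: ExchangeOnlineManagement
# module installed, Exchange administrator role, "contoso.example" is an accepted domain.
Connect-ExchangeOnline

$domain   = "contoso.example"   # placeholder accepted domain
$hardened = $true               # $false = Baseline column, $true = Hardened column

# Common Attachment Types filter: extend the default anti-malware policy's block list with
# executable, script and container types that are almost never legitimate in mail.
$fileTypes = @("ace","ani","app","exe","jar","js","jse","reg","scr","vbe","vbs","ws","wsf","wsh","iso","img","lnk")
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $fileTypes

# Macro-enabled Office attachments from outside the organization: tag (Baseline) or reject (Hardened).
$macroExt = @("docm","dotm","xlsm","xltm","xlam","pptm","potm","ppam","sldm")
if ($hardened) {
    New-TransportRule -Name "Block inbound macro-enabled attachments" `
        -FromScope NotInOrganization -AttachmentExtensionMatchesWords $macroExt `
        -RejectMessageReasonText "Macro-enabled Office attachments are not accepted." `
        -RejectMessageEnhancedStatusCode "5.7.1" -Mode Enforce
} else {
    New-TransportRule -Name "Warn on inbound macro-enabled attachments" `
        -FromScope NotInOrganization -AttachmentExtensionMatchesWords $macroExt `
        -PrependSubject "[EXTERNAL MACRO ATTACHMENT] " -Mode Enforce
}

# Auto-forwarding to external recipients is a classic business email compromise exfiltration path.
# Close it at three layers: outbound spam policy, default remote domain, explicit transport rule.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
New-TransportRule -Name "Block automatic external forwarding" `
    -FromScope InOrganization -SentToScope NotInOrganization -MessageTypeMatches AutoForward `
    -RejectMessageReasonText "Automatic forwarding to external recipients is not permitted." `
    -RejectMessageEnhancedStatusCode "5.7.1" -Mode Enforce

# DKIM: create the signing config disabled, read the two selector CNAMEs, publish them in DNS,
# then enable. Enabling before the CNAMEs resolve fails.
New-DkimSigningConfig -DomainName $domain -Enabled $false
Get-DkimSigningConfig -Identity $domain | Format-List Selector1CNAME, Selector2CNAME
# ... publish selector1._domainkey.$domain and selector2._domainkey.$domain as CNAMEs, then:
Set-DkimSigningConfig -Identity $domain -Enabled $true

# SPF and DMARC live in public DNS, not in Exchange. Records for the two columns:
#   contoso.example.         TXT  "v=spf1 include:spf.protection.outlook.com -all"
#   _dmarc.contoso.example.  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@contoso.example"   (Baseline)
#   _dmarc.contoso.example.  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@contoso.example"       (Hardened)
# Check what the world actually sees before flipping p=quarantine to p=reject:
Resolve-DnsName -Name "_dmarc.$domain" -Type TXT | Select-Object -ExpandProperty Strings

# Defender for Office 365 (formerly Office 365 ATP) anti-phishing, Hardened column: protect named
# users and the organization's own domains from impersonation, and quarantine on a hit.
if ($hardened) {
    Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
        -EnableTargetedUserProtection $true -TargetedUsersToProtect @("Jane Doe;jane.doe@$domain") `
        -TargetedUserProtectionAction Quarantine `
        -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
        -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
        -MailboxIntelligenceProtectionAction Quarantine
}
```

Two caveats a practitioner will hit: the transport rule that blocks auto-forwarding also catches mailbox rules users rely on to reach a personal account, so announce it before enforcing; and move DMARC to `p=reject` only after the aggregate reports (`rua`) show that every legitimate sender, including third-party bulk mailers, passes SPF or DKIM alignment.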
| Configure information governance | Baseline | Hardened |
|---|---|---|
| Set up Data Loss Prevention (DLP) | Recommended, using default policy | Enabled for sensitive data types (GLBA, HIPAA, etc.) |
| Enable email encryption | Office 365 Message Encryption | Sensitivity labels |
| Enable retention policies | None | Enabled |
| Enable sensitivity labels | Optional | Enabled, default or custom labels |
| Configure Teams security | Baseline | Hardened |
|---|---|---|
| Teams governance (whether users can create teams on their own) | Defaults | Restrict Microsoft 365 group creation |
| Guest access (lets external users fully participate in teams and channels) | Enabled | Enabled |
| External chat (lets external users initiate chat) | Allowed, default policy | Restricted |
| Third-party cloud storage | Defaults | Off |
| Meeting policy and settings | Defaults | Block anonymous join |
| Messaging policy | Defaults | Defaults |
| OneDrive for Business sharing | Anyone links | Require sign-in |
| Migrate files to Teams and OneDrive for Business (to enable recovery) | Required | Required |
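The Hardened column of the Teams and OneDrive rows, as an added example that is not part of the original checklist. It assumes the MicrosoftTeams and Microsoft.Online.SharePoint.PowerShell modules, a Teams administrator and a SharePoint administrator role, and a placeholder tenant name `contoso`. Restricting Microsoft 365 group creation is a directory setting rather than a Teams policy and is not shown.

```powershell
# Added example (not part of the original checklist). Assumptions: MicrosoftTeams and
# Microsoft.Online.SharePoint.PowerShell modules installed; "contoso" is a placeholder tenant.
Connect-MicrosoftTeams

# Guest access stays Enabled in both columns; third-party storage providers go Off (Hardened).
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $true `
    -AllowDropBox $false -AllowBox $false -AllowGoogleDrive $false -AllowShareFile $false -AllowEgnyte $false

# External chat "Restricted": consumer Skype and Teams (personal) accounts can no longer
# start, or be reached by, chats. Federation with other Microsoft 365 organizations is left on.
Set-CsTenantFederationConfiguration -AllowPublicUsers $false -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# Meetings "Block anonymous join": unauthenticated participants cannot join, and anyone outside
# the company waits in the lobby until admitted.
Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToJoinMeeting $false -AutoAdmittedUsers "EveryoneInCompany"

# OneDrive for Business sharing "Require sign-in": disable "Anyone" links tenant-wide and for
# OneDrive specifically, default new links to people inside the organization, and stop guests
# from re-sharing what they receive.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Set-SPOTenant -SharingCapability ExternalUserSharingOnly -OneDriveSharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Internal -PreventExternalUsersFromResharing $true

# Verify the effective settings rather than trusting that the cmdlets ran.
Get-CsTeamsClientConfiguration -Identity Global | Select-Object AllowGuestUser, AllowDropBox, AllowBox, AllowGoogleDrive
Get-CsTeamsMeetingPolicy -Identity Global | Select-Object AllowAnonymousUsersToJoinMeeting, AutoAdmittedUsers
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType, PreventExternalUsersFromResharing
```

`ExternalUserSharingOnly` still allows sharing with external people, but each recipient must authenticate, which is what the "Require sign-in" row asks for; `ExistingExternalUserSharingOnly` or `Disabled` are the next steps down if the business can tolerate them. If federated chat with specific partners is all that is needed, the tenant federation configuration also supports an allowed-domains list, which is tighter than the setting above.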
| Manage devices | Baseline | Hardened |
|---|---|---|
| Onboard existing Active Directory-joined PCs | Hybrid Azure AD Join | Hybrid Azure AD Join |
| Provision new or refreshed company PCs | Azure AD join; Windows Autopilot recommended | Azure AD join; Windows Autopilot recommended |
| Configure app protection policies for company-owned PCs | Enabled, encrypt data only | Encrypt data and block relocation |
| Block or allow access from employee-owned mobile devices | Allowed, default app protection policy | Block client app access, block web downloads |
| Block or allow access from employee-owned PCs | Block client app access, block web downloads | Block client app access, block web downloads |
| Enable device configuration profiles | Basic configuration profile | Endpoint security profiles |
| Enable device compliance policies | Optional | Enforced, Conditional Access |
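The "Required, Conditional Access" entries in the identity protection section and the "Enforced, Conditional Access" entry for device compliance are all the same mechanism: a Conditional Access policy with a grant control. The following is an added example, not part of the original checklist, that creates the three policies with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph modules, a Conditional Access administrator, and placeholder object IDs for two break-glass accounts and the Azure AD Connect sync account; the directory role template IDs are well-known values that are the same in every tenant.

```powershell
# Added example (not part of the original checklist). Assumptions: Microsoft.Graph PowerShell
# SDK installed; the GUIDs in $excludedUsers are placeholders for this tenant's accounts.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Accounts excluded from every policy so a bad policy cannot lock the tenant out of itself:
# two cloud-only break-glass accounts and the Azure AD Connect synchronization account.
$excludedUsers = @(
    "11111111-1111-1111-1111-111111111111",  # placeholder: break-glass account 1
    "22222222-2222-2222-2222-222222222222",  # placeholder: break-glass account 2
    "33333333-3333-3333-3333-333333333333"   # placeholder: Azure AD Connect sync account
)

# Directory role template IDs (fixed across tenants) targeted by the admin MFA policy.
$adminRoles = @(
    "62e90394-69f5-4237-9190-012177145e10",  # Global Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814",  # Privileged Role Administrator
    "194ae4cb-b126-40b2-bd5b-6091b380977d",  # Security Administrator
    "29232cdf-9323-42fd-ade2-1d097af3e4de",  # Exchange Administrator
    "f28a1f50-f6e7-4571-818b-6a12f2af6b6c"   # SharePoint Administrator
)

# Build a policy body covering all cloud apps and all client app types. New policies start in
# report-only mode so sign-in logs show who would have been blocked before anyone is.
function New-CaPolicyBody {
    param(
        [string]    $Name,
        [hashtable] $Users,
        [string[]]  $Controls,
        [string]    $State = "enabledForReportingButNotEnforced"
    )
    @{
        DisplayName   = $Name
        State         = $State
        Conditions    = @{
            Users          = $Users
            Applications   = @{ IncludeApplications = @("All") }
            ClientAppTypes = @("all")
        }
        GrantControls = @{ Operator = "OR"; BuiltInControls = $Controls }
    }
}

$policies = @(
    # Identity protection: MFA for admins (by directory role) and for all users.
    New-CaPolicyBody -Name "CA001 - Require MFA for administrators" `
        -Users @{ IncludeRoles = $adminRoles; ExcludeUsers = $excludedUsers } -Controls @("mfa")
    New-CaPolicyBody -Name "CA002 - Require MFA for all users" `
        -Users @{ IncludeUsers = @("All"); ExcludeUsers = $excludedUsers } -Controls @("mfa")
    # Manage devices: only Intune-compliant devices may access company data.
    New-CaPolicyBody -Name "CA003 - Require compliant device" `
        -Users @{ IncludeUsers = @("All"); ExcludeUsers = $excludedUsers } -Controls @("compliantDevice")
)

foreach ($body in $policies) {
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($body.DisplayName)'"
    if ($existing) {
        Write-Host "Skipping '$($body.DisplayName)': already exists"
        continue
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body | Select-Object DisplayName, State
}

# Review what is in place; switch State to "enabled" only after the report-only sign-in logs are clean.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Security defaults (the Baseline column) and Conditional Access are mutually exclusive, so turn security defaults off before enabling these policies. The compliant-device policy as written blocks every unmanaged device, including personal phones; the BYOD rows above (allow with app protection on mobile, block client apps on personal PCs) are normally expressed by adding device platform conditions and an `approvedApplication` or `compliantApplication` grant control for mobile, which is left out here.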
| Secure remote access | Baseline | Hardened |
|---|---|---|
| Access to on-premises data and apps (existing VPN) | Split-tunnel VPN | Split-tunnel VPN |
| Access to third-party cloud apps | Azure AD single sign-on (SSO) | Azure AD single sign-on (SSO) |
| Access to on-premises web apps | Azure AD Application Proxy | Azure AD Application Proxy |
| Access to desktop apps | Windows Virtual Desktop (WVD) | Windows Virtual Desktop (WVD) |