Microsoft 365 Business Premium: Checklist for securing remote work

Because small and medium businesses have different security needs and attitudes, the checklist gives recommendations for two common scenarios.

  • The normal scenario is designed for a typical business that wants to enable secure remote work and balance ease of use with security.
  • The high risk scenario is more appropriate for a business that wants to maximize security protections and is more concerned about risk (for example, because it must adhere to regulatory requirements such as HIPAA or GLBA). This business is also willing to put more effort into maintaining security and control of the work-from-home environment.

Both sets of defaults are intended to provide a starting point for a serious discussion around the security and compliance options available, rather than prescriptive guidance. One of the first and most important things that IT leaders and business leaders can do is talk through the possibilities.

Set up tenant

| Setting | Recommended settings – normal scenario | Recommended settings – high risk scenario |
|---|---|---|
| Decide between hybrid & cloud-only identity | Hybrid, Azure AD Connect | Hybrid, Azure AD Connect |
| Azure AD Connect – sign-in method | Password Hash Sync | Password Hash Sync |
| Azure AD Connect – single sign-on | Enabled | Enabled |
| Azure AD Connect – on-premises attribute for Azure AD username | userPrincipalName | userPrincipalName |
| Azure AD Connect – password writeback | Enabled | Enabled |
| Decide on email migration strategy | Hybrid Agent | Hybrid Agent |
| Configure DNS domains | Situational | Situational |

Configure identity protection

| Setting | Recommended settings – normal scenario | Recommended settings – high risk scenario |
|---|---|---|
| Plan for administrative access | Required | Required |
| Configure dedicated admin accounts | Recommended | Recommended |
| Multi-factor authentication (MFA) for admins | Security defaults | Required, Conditional Access |
| Multi-factor authentication (MFA) for users | Security defaults | Required, Conditional Access |
| Self-service password reset (SSPR) | Enabled, all users | Enabled, all users |
| Combined security information registration | Enabled, all users | Enabled, all users |

Configure email protection

| Setting | Recommended settings – normal scenario | Recommended settings – high risk scenario |
|---|---|---|
| Enable Common Attachment Types filter | Recommended | Required |
| Enable transport rule for attachments with Office macro extensions | Warn | Block |
| Enable transport rule to block auto-forwarded email | Recommended | Required |
| Enable Sender Policy Framework (SPF) to help prevent spoofing | Required | Required |
| Enable DomainKeys Identified Mail (DKIM) to help prevent spoofing | Optional | Signed, all domains |
| Enable DMARC policy to validate email | Enabled, p=quarantine | Enabled, p=reject |
| Enable Office 365 ATP policies | Recommended policies | Required, with spear-phish protection |

Configure information governance

| Setting | Recommended settings – normal scenario | Recommended settings – high risk scenario |
|---|---|---|
| Set up Data Loss Prevention (DLP) | Recommended, using default policy | Enabled for sensitive data types (GLBA, HIPAA, etc.) |
| Enable email encryption | Office 365 Message Encryption | Sensitivity Labels |
| Enable retention policies | None | Enabled |
| Enable sensitivity labels | Optional | Enabled, default or custom labels |

Configure Teams security

| Setting | Recommended settings – normal scenario | Recommended settings – high risk scenario |
|---|---|---|
| Teams governance (allow users to create Teams on their own) | Defaults | Restrict groups settings |
| Guest access (allow external users to fully participate in teams & channels) | Enabled | Enabled |
| External chat (allow external users to initiate chat) | Allowed, default policy | Restricted |
| 3rd party cloud storage | Defaults | Off |
| Meeting policy and settings | Defaults | Block anonymous |
| Messaging policy | Defaults | Defaults |
| OneDrive for Business sharing | Anyone | Require login |
| Migrate files to Teams & OneDrive for Business (to enable recovery) | Required | Required |

Manage devices

| Setting | Recommended settings – normal scenario | Recommended settings – high risk scenario |
|---|---|---|
| Onboard existing Active Directory joined PCs | Hybrid Azure AD Join | Hybrid Azure AD Join |
| Provision new/refreshed company PCs | Azure AD join, Autopilot recommended | Azure AD join, Autopilot recommended |
| Configure app protection policies for company owned PCs | Enabled, encrypt data only | Encrypt + block relocation |
| Block/allow access from employee owned mobile devices | Allowed, default app protection policy | Block client app access, block web downloads |
| Block/allow access from employee owned PCs | Block client app access, block web downloads | Block client app access, block web downloads |
| Enable device configuration profiles | Basic config profile | Endpoint security profiles |
| Enable device compliance policies | Optional | Enforced, Conditional Access |

Secure remote access

| Setting | Recommended settings – normal scenario | Recommended settings – high risk scenario |
|---|---|---|
| Access to on-premises data & apps (existing VPN) | Split-tunnel VPN | Split-tunnel VPN |
| Access to 3rd party cloud apps | Azure AD single sign-on (SSO) | Azure AD single sign-on (SSO) |
| Access to on-prem web apps | Azure AD App Proxy | Azure AD App Proxy |
| Access to desktop apps | Windows Virtual Desktop (WVD) | Windows Virtual Desktop (WVD) |
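As an added example (not part of the Microsoft checklist), a small Python checker that scores a domain's SPF and DMARC TXT records against the two email protection scenarios above: normal calls for DMARC p=quarantine, high risk for p=reject, and SPF only helps if it ends in a fail qualifier. The record strings and the example.com addresses are constructed; in practice you would fetch the TXT records for the domain and for _dmarc.<domain>.

```python
"""Check SPF and DMARC records against the checklist's normal / high risk scenarios."""
from __future__ import annotations

# Minimum DMARC policy per scenario, taken from the checklist table.
SCENARIO_MIN_POLICY = {"normal": "quarantine", "high_risk": "reject"}
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag -> value map."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_is_enforcing(record: str) -> bool:
    """SPF only prevents spoofing when the record ends in -all (fail) or ~all (softfail)."""
    terms = record.split()
    return len(terms) > 1 and terms[0].lower() == "v=spf1" and terms[-1].lower() in ("-all", "~all")


def dmarc_meets_scenario(record: str, scenario: str) -> bool:
    """True if the policy is at least as strict as the scenario requires and
    applies to all mail (pct defaults to 100; a lower pct is only a partial rollout)."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return False
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False
    if pct < 100:
        return False
    return POLICY_RANK.get(tags["p"].lower(), -1) >= POLICY_RANK[SCENARIO_MIN_POLICY[scenario]]


def review_domain(spf: str, dmarc: str, scenario: str) -> list[str]:
    """Return checklist findings for one domain; an empty list means it complies."""
    findings = []
    if not spf_is_enforcing(spf):
        findings.append("SPF: record missing or does not end in -all/~all")
    if not dmarc_meets_scenario(dmarc, scenario):
        findings.append(f"DMARC: policy does not meet the {scenario} scenario "
                        f"(needs p={SCENARIO_MIN_POLICY[scenario]}, pct=100)")
    return findings


# Constructed sample records; spf.protection.outlook.com is the include Exchange Online uses.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com -all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for name in SCENARIO_MIN_POLICY:
        print(name, review_domain(SAMPLE_SPF, SAMPLE_DMARC, name) or "OK")
```

The sample records pass the normal scenario and fail the high risk one, which is exactly the gap a business moving from p=quarantine to p=reject has to close.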