Security Enhancements in your Microsoft 365 Tenant

Overview

To improve the security and resilience of your Microsoft 365 environment, we are implementing a series of configuration updates across identity, device, and collaboration services. These changes follow Microsoft’s recommended best practices and are being rolled out in structured phases to minimize disruption.


Rollout Steps

Step 1: Reporting Only

We begin by enabling reporting and visibility for key security features. No enforcement is applied at this stage.

  • Monitor login activity and authentication methods
  • Review token protection and conditional access readiness
  • Assess device compliance and encryption status
  • Identify legacy authentication usage

Step 2: Core Security Enforcement

This phase introduces foundational security controls that are silently applied or minimally disruptive.

Identity & Access

  • Enforce multi-factor authentication (MFA) for:
    • All users
    • Administrators
    • Guest access
    • Azure and Microsoft admin portals
  • Enable secure authentication methods:
    • Microsoft Authenticator
    • FIDO2 keys
    • Temporary Access Pass
    • QR code, SMS, Voice call
  • Disable legacy authentication protocols
  • Restrict application and group registration to approved users
  • Enable cross-tenant MFA trust

Email & Collaboration

  • Enable archive mailboxes and auto-expanding archiving
  • Display external email warning tags in Outlook
  • Enforce message size limits
  • Disable legacy SMTP and TLS clients
  • Enable plus addressing and focused inbox
  • Manage remote domain settings
  • Enable unified audit logging

SharePoint & OneDrive

  • Enable notifications for site and file activity
  • Allow users to create and comment on modern pages
  • Set retention policies for deleted users
  • Apply storage limits and site quota controls

Device Hygiene

  • Intune Device Clean-up Rules will automatically remove stale, inactive, or unresponsive devices from Intune MDM
  • The clean-up threshold is set to delete devices that haven’t checked in for 90 days
  • Helps maintain accurate device inventory and improves reporting clarity

Step 3: Device Configuration via Settings Catalog

This phase applies device-level security and app deployment policies using Microsoft Intune.

  • Enforce BitLocker encryption for Windows 10 and later
  • Configure Windows Hello for Business
  • Enable built-in administrator account where required
  • Deploy Windows LAPS for secure local admin password management
  • Configure Microsoft Defender for Endpoint (EDR)
  • Apply security settings for:
    • Microsoft Edge
    • OneDrive
    • Outlook
  • Deploy:
    • Company Portal via Microsoft Store
    • Microsoft 365 Apps for Windows

Step 4: Conditional Access – Reporting Mode

We introduce location-based and token protection policies in report-only mode to monitor impact before enforcement.

  • Restrict login access to Australian IP ranges
  • Require token protection for all users

Step 5: Conditional Access – Enforcement

Once reporting confirms readiness, we enforce the policies introduced in Step 4.

Important Advisory:

  • Overseas Travel: Users planning to travel overseas may be blocked from signing in unless their device is correctly registered and compliant.
    Recommendation: Connect the device to the office network via VPN before departure to ensure policies are applied and cached.

  • Token Protection: This feature may prevent access if the device is not properly registered or compliant with Intune.
    Recommendation: Ensure all devices are enrolled and showing as compliant in Intune before enforcement begins.
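
As an added example (not part of the original advisory), the Step 4 and Step 5 policies as they would be created with the Microsoft Graph PowerShell SDK: both policies start in report-only state and are switched to enabled once the sign-in logs have been reviewed. Assumed: the Microsoft.Graph module is installed, the signed-in admin holds Policy.ReadWrite.ConditionalAccess, $BreakGlassId is a placeholder for the tenant's emergency access account, a country-based named location stands in for the tenant's Australian IP ranges, and secureSignInSession is the Graph session control for token protection.

```powershell
# Added example, not the advisory's own script. Assumes Microsoft.Graph module,
# an admin with Policy.ReadWrite.ConditionalAccess, and a break-glass account ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

$BreakGlassId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"   # placeholder: always excluded

# Named location for Australia. Country-based here as an assumption; replace with
# an ipNamedLocation if the tenant's Australian egress ranges are known.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Australia"
    countriesAndRegions               = @("AU")
    includeUnknownCountriesAndRegions = $false
}

# Step 4, policy 1: block sign-ins from outside Australia, report-only.
$geoPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA01 - Block sign-in outside Australia"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("All") }
        locations      = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Step 4, policy 2: require token protection, report-only. Token protection
# applies to Windows desktop clients of Exchange Online and SharePoint Online,
# so the policy is scoped to those two well-known application IDs.
$tokenPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName     = "CA02 - Require token protection"
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @(
            "00000002-0000-0ff1-ce00-000000000000",   # Exchange Online
            "00000003-0000-0ff1-ce00-000000000000") } # SharePoint Online
        clientAppTypes = @("mobileAppsAndDesktopClients")
        platforms      = @{ includePlatforms = @("windows") }
    }
    sessionControls = @{ secureSignInSession = @{ isEnabled = $true } }
}

# Step 5: after the report-only sign-in logs show no unexpected blocks, enforce.
foreach ($id in @($geoPolicy.Id, $tokenPolicy.Id)) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $id `
        -BodyParameter @{ state = "enabled" }
}
```

Review the "Report-only" results in the Entra sign-in logs for each policy before running the final loop, since that is the check Step 5 depends on.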


Prerequisites

To ensure successful deployment, the following must be in place:

  • Microsoft 365 Business Premium or Enterprise licensing
  • Devices enrolled in Microsoft Intune
  • Azure Active Directory (Microsoft Entra ID) configured
  • Modern authentication enabled
  • Windows 10 or later on managed devices (Windows 10 devices will in any case need to be upgraded to Windows 11 before 14th October 2025)

User Impact

Most changes will apply silently. However, users may be prompted to re-authenticate or notice minor changes in login behaviour, email layout, or device settings. We recommend notifying staff ahead of Step 5 enforcement, especially if travel is planned.