Primary audience
CIO, security manager, M365 platform owner
M365 Security Baseline Program
How to implement a Microsoft 365 baseline that auditors accept and operations can sustain.
Typical decision window
30-90 days
Expected output
Baseline policy set, rollout sequence, exception governance
Implementation guidance
Scope and blast radius control
- Separate tenant-wide controls into identity, messaging, collaboration, and endpoint layers.
- Map current admin roles and break-glass paths before turning on high-impact controls.
- Define business-critical workflows that cannot fail during rollout week.
Control package
- Require phishing-resistant MFA for privileged roles and enforce MFA for all users.
- Disable legacy authentication, POP/IMAP exceptions, and unmanaged forwarding where possible.
- Enable audit retention, mailbox alerts, and high-risk sign-in monitoring tied to ticket workflows.
Implementation sequence
- Pilot with IT and finance departments first, then expand by location waves.
- Use report-only Conditional Access for one week before enforcement.
- Run daily exception review during rollout to prevent permanent policy bypass.
Recommended artifacts
- Security baseline matrix (control, owner, evidence)
- Conditional Access wave plan
- Executive risk memo with residual risks