Checklist · Intermediate

New Microsoft 365 Tenant Security Checklist

Essential security configurations for a newly created Microsoft 365 tenant. Complete this checklist within the first 30 days to establish a secure foundation.

13 items · 2-4 hours
Audience: IT Administrators setting up a new Microsoft 365 tenant

Prerequisites

  • Global Admin access to Microsoft 365 tenant
  • Microsoft Entra admin center access
  • Basic understanding of identity concepts

Day 1: Critical Security Settings

These settings should be configured immediately upon tenant creation.

Enable MFA for all administrator accounts (critical, ~15 minutes)

Require multi-factor authentication for Global Admins and other privileged roles.

Related: ID-01

Tips:

  • Use phishing-resistant MFA methods like FIDO2 or Windows Hello
  • Enable number matching for Microsoft Authenticator

Limit Global Admin accounts to 2-4 (critical, ~30 minutes)

Remove unnecessary Global Admin assignments and use role-specific admin roles.

Related: PA-01

Block legacy authentication protocols (critical, ~20 minutes)

Create a Conditional Access policy to block IMAP, POP3, SMTP AUTH, and other legacy protocols.

Related: CA-09

Create emergency access (break-glass) accounts (critical, ~30 minutes)

Set up 2 cloud-only emergency access accounts excluded from Conditional Access.

Related: PA-05

Tips:

  • Use long, randomly generated passwords (32+ characters)
  • Store credentials in a secure physical location
  • Test accounts quarterly
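The Day 1 items above can be verified from the tenant itself. The following read-only audit script is an added example (not code from this page or from TrueConfig) using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that break-glass account UPNs start with 'breakglass' (a placeholder for your own naming convention), and it counts only active Global Administrator assignments, not PIM-eligible ones.

```powershell
# Added example: read-only audit of three Day 1 checklist items via Microsoft Graph.
# Assumption: break-glass UPNs start with 'breakglass' (placeholder, adjust as needed).
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Policy.Read.All','User.Read.All' -NoWelcome

# Item: limit Global Admin accounts to 2-4 (active assignments only, PIM-eligible excluded).
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id)
$gaStatus  = if ($gaMembers.Count -ge 2 -and $gaMembers.Count -le 4) { 'OK' } else { 'REVIEW' }
"[$gaStatus] Global Administrators: $($gaMembers.Count) (target 2-4)"
$gaMembers | ForEach-Object { "    $($_.AdditionalProperties['userPrincipalName'])" }

# Item: block legacy authentication. Look for an enabled Conditional Access policy
# that blocks the 'other' and 'exchangeActiveSync' client app types for all users.
$policies    = @(Get-MgIdentityConditionalAccessPolicy)
$legacyBlock = $policies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'block' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.Users.IncludeUsers -contains 'All'
}
$legacyStatus = if ($legacyBlock) { 'OK' } else { 'MISSING' }
"[$legacyStatus] Conditional Access policy blocking legacy authentication"

# Item: two break-glass accounts exist and are excluded from every enabled policy.
$breakGlass = @(Get-MgUser -Filter "startswith(userPrincipalName,'breakglass')" -Property Id,UserPrincipalName)
$bgStatus   = if ($breakGlass.Count -ge 2) { 'OK' } else { 'REVIEW' }
"[$bgStatus] Break-glass accounts found: $($breakGlass.Count) (target 2)"
foreach ($bg in $breakGlass) {
    # A null ExcludeUsers list counts as "not excluded", which is what we want flagged.
    $notExcluded = $policies | Where-Object {
        $_.State -eq 'enabled' -and $_.Conditions.Users.ExcludeUsers -notcontains $bg.Id
    }
    foreach ($p in $notExcluded) {
        "    [REVIEW] $($bg.UserPrincipalName) is not excluded from policy '$($p.DisplayName)'"
    }
}
Disconnect-MgGraph | Out-Null
```

Run it from an account with at least Global Reader; every check only reads configuration and prints an OK/REVIEW/MISSING line per item.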

Week 1: Authentication Security

Strengthen authentication across the organization.

Require MFA for all users (high, ~30 minutes)

Create Conditional Access policy requiring MFA for all cloud apps.

Related: CA-01

Configure password policies (high, ~15 minutes)

Disable password expiration and enable the banned password list.

Related: ID-02

Configure self-service password reset (medium, ~20 minutes)

Enable SSPR with appropriate authentication methods.

Week 2: Access Controls

Implement proper access management.

Enable Privileged Identity Management (PIM) (high, ~1 hour)

Configure just-in-time access for privileged roles.

Related: PA-04

Configure guest access settings (high, ~30 minutes)

Restrict who can invite guests and from which domains.

Related: EXT-01

Configure application consent settings (high, ~20 minutes)

Require admin approval for user app consent.

Related: APP-02

Week 3-4: Monitoring & Governance

Set up ongoing monitoring and governance.

Verify audit logging is enabled (high, ~15 minutes)

Ensure the unified audit log is capturing all activities.

Related: LOG-01

Configure security alert policies (medium, ~30 minutes)

Set up alerts for suspicious activities and admin actions.

Schedule recurring access reviews (medium, ~30 minutes)

Configure quarterly reviews for privileged roles and groups.

Related: GOV-03

Automate this checklist with TrueConfig

TrueConfig automatically monitors your Microsoft 365 configuration against these best practices and alerts you when settings drift.