Microsoft Customer Experience
Security Fundamentals for Microsoft M365
Business Premium
Authors: David Bjuman-Birr, Morgan Messina, Patrick McDonald
Contributors: Alex Fields, Andreas Bürkle
This security best practices checklist offers a practical approach to securing small and medium-sized businesses (SMBs) using Microsoft 365 Business Premium. These best practices were designed specifically for businesses with 1 to 300 employees, empowering them to work securely from anywhere – be it at home, in the office, or on the go. This is designed to be a starting point for your security journey and NOT a deep dive into each topic.
Essential Tasks (each task is followed by its "Learn more" reference)

Identity Management & Protection
  Secure Foundation
    Create break-glass admin accounts
      Learn more: Manage emergency access accounts
    Customize your sign-in page
      Learn more: Add company branding to your organization's sign-in page
    Enable Authentication Methods
      Learn more: Manage authentication methods
    Self-service Password Reset
      Learn more: Enable self-service password reset
  Conditional Access Policies
      Learn more: Require MFA for administrators
      Learn more: Block legacy authentication
      Learn more: Require MFA for all users
    Go passwordless with your users
      Learn more: Enable passwordless sign-in with Microsoft Authenticator
    Entra ID Join your devices
      Learn more: Join your work device to your work or school network
  Hybrid Identity (only applies for customers with a local Active Directory server)
    Sync your Active Directory to Entra ID with Password Hash Sync (PHS)
      Learn more: Entra Connect sync with Express Settings
      Learn more: How Password Hash Sync works
    Password Writeback for Self-service Password Reset
      Learn more: Enable password writeback to on-premises
    Hybrid Entra ID join your devices
      Learn more: Configure Entra ID Hybrid Join for managed domains

Email & Collaboration Protection (against phishing attacks, using safe links and safe attachments)
    Configure SPF record
      Learn more: Set up SPF to help prevent spoofing
    Enable DomainKeys Identified Mail (DKIM)
      Learn more: Use DKIM to validate outbound email from your custom domain
    Enable Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy
      Learn more: Use DMARC to validate email
    Enable Defender for Office 365 email and collaboration policies
      Learn more: Enable preset security policies in EOP and Defender for Office 365

Endpoint Management
    Configure device enrollment prerequisites for supported device platforms
      Learn more: Get an Apple MDM Push certificate for iOS/iPadOS/macOS
      Learn more: Connect Intune to a Managed Google Play Account for Android devices
      Learn more: Set up automatic enrollment for Windows devices
    Compliance Policies
      Learn more: Create a compliance policy in Microsoft Intune
    Security Baselines
      Learn more: Use baselines to configure Windows devices in Intune
    Enable Device Encryption
      Learn more: Manage BitLocker policy for Windows devices with Intune
      Learn more: Use FileVault disk encryption for macOS
    Intune App Protection
      Learn more: Android app protection policy settings
      Learn more: iOS app protection policy settings
      Learn more: Windows app protection policy settings
    Conditional Access Policies
      Learn more: Create a device-based Conditional Access policy
      Learn more: Set up app-based Conditional Access policies
    Manage Office and Edge
      Learn more: Add Microsoft 365 Apps to Windows devices
      Learn more: Add Microsoft 365 Apps to macOS devices
      Learn more: Add Microsoft Edge for Windows devices
      Learn more: Add Microsoft Edge to macOS devices

Endpoint Protection
    Set up and configure Microsoft Defender for Business
      Learn more: Onboard devices to Defender
    Configure Defender Policies
      Learn more: Next generation protection policies
      Learn more: Web Content Filtering
      Learn more: Attack Surface Reduction rules
Next Steps
With the completion of this checklist, you have enabled the basic security best practices as outlined by the Microsoft Managed Security Services team. To customize these settings to the particular needs of your organization, please refer to the full best practices guide located at: https://aka.ms/smbsecurityguide.
2 | Page Microsoft 2023, All Rights Reserved