CIS Microsoft 365 Benchmarking
Microsoft 365 Security Standardization & Onboarding
My team and I leveraged Inforcer to onboard and standardize Microsoft 365 environments across multiple client tenants. Following initial onboarding, comprehensive audits were conducted against the Microsoft 365 Foundations Benchmark to identify security gaps and areas of misconfiguration.
Findings were then communicated to client stakeholders, and clear, actionable recommendations were made. I helped collaboratively review these recommendations with stakeholders to align on risk, business impact, and implementation priorities. Based on these discussions, scoped remediation efforts were designed.
My work has been centered on implementing security controls across the Microsoft 365 ecosystem, with a strong focus on aligning tenant configurations to the Microsoft 365 Foundations benchmark.
This work resulted in immediate and measurable improvements, including increased Secure Score, reduced attack surface, and a more mature, standardized security posture across client environments.
This included leading remediation efforts across core administrative portals, such as:
Microsoft 365 Admin Center
Microsoft Entra
Microsoft Defender
Microsoft Purview
Microsoft Intune
Microsoft Entra ID
Identity and Access Management in Microsoft Entra
I focused heavily on:
Designing and implementing Conditional Access policies.
Some client environments required a complete rearchitecture of Conditional Access policies. I helped do so by implementing strong MFA enforcement for admins and all users, guest and external user MFA policies, admin center access restrictions, legacy authentication blocking, location-based sign-in restrictions, risk-based Conditional Access policies (User Risk & Sign-in Risk), and idle session timeouts for unmanaged devices.
Strengthening authentication and authorization controls by enforcing multifactor authentication.
Several clients had no standardized MFA in place, requiring me to help configure and deploy phased, tailored MFA registration campaigns to onboard users effectively and ensure readiness for the enhanced security controls.
Securing privileged roles through role-based access controls and Privileged Identity Management.
It was common to find end users with persistent/static administrative privileges. I helped conduct thorough audits to identify these accounts and collaborated with clients to remove unnecessary privileges from their primary “driver” accounts. We then provisioned dedicated cloud-only administrative accounts, assigned Entra ID P2 licenses, and scoped permissions precisely to role requirements using Privileged Identity Management.
Endpoint and Device Security through Intune
I drove improvements by:
Enforcing compliance policies on iOS and Android devices.
Policies were carefully staged for end users, with attention given to application availability and accessibility via the Company Portal and Managed Google Play Store, ensuring minimal disruption and consistent user experience.
Deploying strong anti-virus policies.
This included real-time behavior monitoring, cloud protection, email and network file scanning, script and removable drive scanning, and PUA blocking. Policies enforced threat remediation based on severity, ensured automatic signature and engine updates via the broad channel, enabled network protection in block mode, and optimized performance with low CPU priority and randomized scan scheduling. All configurations were designed to maximize detection, prevention, and remediation while maintaining operational efficiency across managed endpoints.
Deploying strong firewall policies.
This included enforcing domain, private, and public profile firewalls with inbound traffic blocked by default and outbound traffic allowed. Logging was enabled for both successful connections and dropped packets, with maximum file sizes defined for audit retention. Stateful FTP was disabled, local policy and IPsec merges were prevented, and inbound notifications were suppressed to reduce user disruption. These settings provided consistent, centrally managed network protection and reduced exposure to network-based threats across all managed endpoints.
Deploying strong BitLocker policies.
This included enforcing full-disk encryption on the operating system, fixed data, and removable drives using XTS-AES 256-bit. Recovery keys and key packages were securely stored in Active Directory, with encryption enforced only after recovery information was confirmed. Policies required TPM-based encryption without additional startup PINs, allowed enhanced PINs where supported, and permitted controlled user application of BitLocker on removable drives. This configuration ensured strong device encryption, centralized recovery management, and consistent enforcement of endpoint data protection across all managed devices.
Attack Surface Reduction policies.
This included policies that blocked execution of potentially obfuscated scripts, untrusted or unsigned processes from removable media, credential theft via LSASS, code injection by Office applications, child process creation, malicious macro activity, and ransomware behaviors. Additional rules restricted process creation via PsExec/WMI, blocked executable content from email and webmail, prevented abuse of vulnerable signed drivers, and enforced advanced protections against persistent threats. Targeted exclusions were applied where necessary to ensure operational compatibility while maintaining security enforcement.
Email and Collaboration Security within Microsoft Defender
I implemented protections such as:
Safe Links.
Ensured Safe Links policies were enforced across Office applications, Teams, and email to protect users from malicious URLs and phishing attempts. The policy rewrote and scanned links in real time, applied protections to internal and external messages, and tracked user interactions to monitor potential threats. Click-throughs were disabled to prevent bypassing protections, and all valid organizational domains were included in the policy scope. Deployment and auditing were performed via both the Microsoft 365 Defender portal and PowerShell.
Safe Attachments.
Ensured the policy scanned incoming attachments before delivery, blocking any identified threats and quarantining them under an admin-only access policy. Domains and users were carefully scoped to ensure comprehensive coverage, and the policy was continuously audited and updated via both the Microsoft 365 Defender portal and PowerShell to maintain alignment with organizational security standards.
Anti-phishing policies.
Ensured the policy leveraged spoof intelligence, enforced DMARC alignment, and applied automated actions, including quarantine, rejection, or routing to Junk Email based on message authenticity. User-facing protections included first-contact safety tips, “via” tagging, and visual indicators for unauthenticated senders.
Strict anti-spam (inbound & outbound) configurations.
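The Safe Links and Safe Attachments settings described above can be audited from PowerShell. The script below is an added example, not a script from the original write-up; it assumes an Exchange Online session already opened with Connect-ExchangeOnline and the built-in AdminOnlyAccessPolicy quarantine policy, and reports any policy whose settings drift from that baseline.

```powershell
# Added audit example: compares a tenant's Safe Links and Safe Attachments policies
# with the baseline described above. Assumes the ExchangeOnlineManagement module is
# installed and Connect-ExchangeOnline has been run with a Security Reader (or higher) role.

$findings = @()

# Every accepted domain should fall within the scope of at least one Safe Links rule.
$acceptedDomains = [string[]](Get-AcceptedDomain).DomainName
$scopedDomains   = [string[]](Get-SafeLinksRule | ForEach-Object { $_.RecipientDomainIs })
$unscoped = $acceptedDomains | Where-Object { $_ -notin $scopedDomains }
if ($unscoped) {
    $findings += "Safe Links: accepted domains not covered by any rule: $($unscoped -join ', ')"
}

# Expected Safe Links settings: rewrite and scan URLs, cover email/Teams/Office,
# protect internal senders, track clicks, and do not allow user click-through.
$expectedLinks = @{
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    ScanUrls                 = $true
    DeliverMessageAfterScan  = $true
    EnableForInternalSenders = $true
    TrackClicks              = $true
    AllowClickThrough        = $false
    DisableUrlRewrite        = $false
}
foreach ($policy in Get-SafeLinksPolicy) {
    foreach ($setting in $expectedLinks.Keys) {
        if ($policy.$setting -ne $expectedLinks[$setting]) {
            $findings += "Safe Links policy '$($policy.Name)': $setting is $($policy.$setting), expected $($expectedLinks[$setting])"
        }
    }
}

# Expected Safe Attachments settings: block detected malware and route it to an
# admin-only quarantine so end users cannot release it themselves.
foreach ($policy in Get-SafeAttachmentPolicy) {
    if ($policy.Action -ne 'Block') {
        $findings += "Safe Attachments policy '$($policy.Name)': Action is $($policy.Action), expected Block"
    }
    if ($policy.QuarantineTag -ne 'AdminOnlyAccessPolicy') {
        $findings += "Safe Attachments policy '$($policy.Name)': QuarantineTag is $($policy.QuarantineTag), expected AdminOnlyAccessPolicy"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Safe Links and Safe Attachments policies match the expected baseline.' }
```

Rules scoped by recipient or group rather than domain will not list the domain under RecipientDomainIs, so review any domain the script flags before treating it as a gap.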
Data Loss Prevention (DLP) policies in Microsoft Purview
I helped configure:
Sensitivity labeling and audit logging.
Helped organizations to better control, classify, and monitor sensitive information.
Security settings within SharePoint, OneDrive, and Teams.
Worked to restrict external sharing, enforce access controls, and secure collaboration workflows without disrupting business operations.
Throughout these efforts, I helped translate benchmark-driven audit findings into actionable remediation plans, worked closely with stakeholders to align on risk and priorities, and directly implemented the necessary configuration changes. This consistently resulted in immediate improvements to Secure Score and, more importantly, a measurable elevation in overall security posture, establishing a strong, standardized, and defensible Microsoft 365 environment.