Microsoft 365 Tenant Reference
Recommended configuration for a new or hardened Microsoft 365 tenant. Settings follow Microsoft best practices and CIS Benchmarks where applicable.
Sections
- Entra ID: Conditional Access, MFA, user and group management.
- Email Security: SPF/DKIM/DMARC, anti-spam, anti-phishing, anti-malware, and mailbox configuration.
- Intune: Device enrollment, compliance policies, configuration profiles, and app management.
- Purview: Sensitivity labels, DLP policies, compliance reporting, and audit logs.
Recommended Setup Order
When configuring a new tenant, work through the areas in this order to avoid dependency issues:
```mermaid
flowchart LR
    A[Entra ID\nMFA + CA Policies] --> B[Email Security\nFiltering + Auth]
    B --> C[Intune\nDevice Compliance]
    C --> D[Purview\nLabels + DLP]
```
Licensing requirements
Some features require specific licence tiers:
| Feature | Minimum licence |
|---|---|
| Conditional Access | Entra ID P1 (Microsoft 365 Business Premium / E3) |
| Identity Protection (risk-based CA) | Entra ID P2 (Microsoft 365 E5 / EMS E5) |
| Defender for Office 365 (anti-phishing presets) | Microsoft 365 Business Premium / Defender for Office P1 |
| Intune | Microsoft 365 Business Premium / Intune Plan 1 |
| Purview DLP / Sensitivity Labels | Microsoft 365 Business Premium / E3 (basic) |
| Purview Advanced DLP / auto-labelling | Microsoft 365 E5 Compliance |