Microsoft 365 Azure Active Directory Best Practices Checklist

By Alex Fields, ITProMentor.com
Updated April 2020
| Complete | Checklist item | Description | End user impact | Where to change this | Importance |
|---|---|---|---|---|---|
| ☐ | Enable the unified audit log search | The activity log is not recording audit log data across all services by default; it needs to be enabled | None | Security + Compliance > Search > Audit log search | Critical |
| ☐ | Create emergency access global admin accounts | Cloud-only accounts configured with a long password; excluded from MFA and Conditional access | None | Microsoft 365 Admin center > Users > Active users | Critical |
| ☐ | Configure multi-factor authentication | Adjust service settings and enable MFA for all accounts | Users must register for and use the MFA service upon next sign-in via the web portal | Multi-Factor Authentication > service settings | Critical |
| ☐ | Set up recommended Conditional Access policies | Refer to my Conditional access policy design and guide | Users must meet the conditions specified by policy in order to gain access to resources | Azure AD > Security > Conditional access | Critical |
| ☐ | Use roles to limit privileges, especially for service accounts | Azure AD includes several built-in roles, including Global reader, which grants full read-only access | None | Azure AD > Roles and administrators | Critical |
| ☐ | Enable admin consent requests | By default all users are able to grant permissions to apps or add-ins | If users want to configure add-ins they will require admin approval | Enterprise Applications > User settings | Recommended |
| ☐ | Configure directory level timeout | Configure a timeout so that admins do not leave their Azure portal sessions open indefinitely | After the specified time period, idle sessions will be automatically logged out | Settings > Configure directory level timeout | Recommended |
| ☐ | Configure the password expiration policy | Ensure that your password expiration is in alignment with corporate policy | Users will be required to change passwords according to the policy | Microsoft 365 Admin center > Settings > Security & Privacy | Recommended |
| ☐ | Configure Company branding for login | Corporate branding of the login page reduces the likelihood of phishing via look-alike pages | Users will see the corporate background and logo displayed at the login screen | Azure AD > Company branding | Recommended |
| ☐ | Restrict user access to the Azure AD admin portal | By default users can access and browse the admin portal (without the ability to make changes) | Users will be unable to log in to the Azure AD admin portal | Users > User settings | Recommended |
| ☐ | Enable Self-service password reset | Allow users to reset their own passwords using a second factor | Users must register for SSPR in order to reset passwords | Users > Password reset | Recommended |
| ☐ | Configure device settings for Azure AD joined devices | Allow all users to join Azure AD but require MFA in order to complete a join operation | Users who attempt to join new Windows 10 devices to Azure AD must perform MFA | Devices > Device settings | Recommended |
| ☐ | Enable combined registration (enhanced) | This feature is in preview, which means it could still change before going to General Availability | Users will only have to register once for both MFA and SSPR | Users > User settings > Access panel > Manage settings for access panel preview features | Recommended |
| ☐ | Configure external collaboration defaults | Consider disabling external users from being able to invite other guests to shared content | Users external to the organization will not be able to share or invite other users | Azure AD > Organizational relationships > Settings | Optional |
| ☐ | Configure governance options for groups | Control group creation, expiration, naming policy and more | Notify group owners of expiry with the option to renew, restrict rights for group creation, etc. | See settings under the Groups blade in Azure AD | Optional |
| ☐ | Configure Enterprise apps | Azure AD can manage third-party apps as well as Microsoft apps | Users will have access to Enterprise apps via the apps portal or app launcher in 365 | Azure AD > Enterprise applications | Optional |
| ☐ | Enable hybrid support (only if applicable) | Besides Azure AD Connect, a few other steps are required to complete hybrid join | Users can be automatically hybrid joined to Azure AD and enrolled in Intune | See this article for more detail | Optional |
Microsoft Endpoint Manager (Intune) Best Practices Checklist
By Alex Fields, ITProMentor.com
Updated October 29, 2019

| Complete | Checklist item | Description | End user impact | Where to change this | Importance |
|---|---|---|---|---|---|
| ☐ | Create security groups for deployment rings | Define a pilot group for testing updates and changes; additional rings up to your discretion | No impact simply by creating security groups | Groups | Recommended |
| ☐ | Set up Windows 10 Software Update Rings | Define Windows 10 update rings to apply automatic updates; also defer updates for sensitive users | Updates will be less likely to negatively impact end users in deferred update groups | Devices > Windows 10 Update Rings | Recommended |
| ☐ | Set up automatic deployment of the Office apps on Windows 10 | Office 365 apps auto-installed on enrolled Windows 10 devices; also define servicing branches | End users (or IT) will not have to manually download and install basic productivity software | Apps > All apps | Recommended |
| ☐ | Set up App protection policies (MAM) | MAM enables BYOD scenarios with application-based management, rather than device-based (MDM) | Users must meet the conditions of the policy (e.g. PIN, etc.) | Apps > App protection policies | Recommended |
| ☐ | Customize Company Portal | Configure branding, privacy URL, and define the support contact displayed in the Company portal | The Company Portal app will display the defined settings and customizations to end users | Tenant administration > Branding and customization | Optional |
| ☐ | Create the Company terms and conditions | This is the Organization's place to communicate terms of use. Skip this step if you are using Conditional access > Terms of use. | End users will view and accept the terms and conditions in the Intune Company portal app | Tenant administration > Terms and conditions | Optional |
| ☐ | Configure Device enrollment restrictions | Blocks unsupported devices from enrolling, and limits the number of devices per user | Users will not be able to enroll certain device types, nor will they be able to enroll too many devices | Devices > Enrollment restrictions | Recommended |
| ☐ | Configure Windows 10 automatic enrollment | Windows devices joined to Azure AD will also be auto-enrolled into the Intune service | End users who join devices using corporate credentials will not have to enroll separately for Intune | Devices > Device enrollment > Windows enrollment | Critical |
| ☐ | Configure Windows Hello for Business | Hello is 2FA built in to Windows 10; many devices also support fingerprint or face recognition | Users will be required to set up a PIN and optional biometric for Windows | Devices > Device enrollment > Windows enrollment | Recommended |
| ☐ | Configure Windows Device enrollment status page | Configure what happens during assignment of apps and profiles | Users may be prevented from using the device until all apps and profiles are installed successfully | Devices > Device enrollment > Windows enrollment | Optional |
| ☐ | Configure Apple MDM push certificate | Only if managing iOS devices via MDM: you must set up a certificate through Apple (renewed annually) | End users with mobile devices under MDM will be required to enroll via the Company portal app | Devices > Device enrollment > Apple enrollment | Critical |
| ☐ | Configure device cleanup | Delete devices based on the last check-in date, e.g. 90-180 days | Devices that have not checked in will need to be re-enrolled into the service if past this date | Devices > Device cleanup rules | Recommended |
| ☐ | Configure the default compliance policy settings | Devices without an assigned compliance policy should be marked as non-compliant | Devices with no policy will be denied access to resources (once Conditional access is in place) | Devices > Compliance policies > Compliance policy settings | Recommended |
| ☐ | Configure Device compliance notifications | Notifications can be used to alert users when devices become noncompliant | End users will receive email notifications when there is a problem with their device | Devices > Compliance policies > Notifications | Optional |
| ☐ | Configure Device compliance policies | Each type of device that you intend to manage should have a compliance policy for use with Conditional access | End users will be required to enroll their devices and meet the requirements of compliance (e.g. PIN, encryption, etc.) | Devices > Compliance policies > Policies | Critical |
| ☐ | Enroll devices | Devices must be enrolled for management or none of the policies and profiles will apply | Devices that are not enrolled will not have access to resources (once Conditional access is enabled) | Use the Company Portal app, or automatic enrollment with AAD Join | Critical |
| ☐ | Verify compliance | Do not skip this step. Review compliance for any non-compliant devices, and remediate | Non-compliant devices will be denied access to resources (once Conditional access is in place) | Devices > Monitor > Device compliance | Critical |
| ☐ | Enable Conditional Access | See my Conditional Access policy design and guide for more details | Users must enroll devices and/or use managed applications, according to the rules defined | Devices > Conditional access | Recommended |
| ☐ | Set up Device configuration profiles | Recommended profiles for Windows 10 are discussed in the guide. Others up to your discretion. | Devices in scope of the profiles will receive settings from Intune; users will not be able to change the admin-defined settings | Devices > Configuration profiles | Optional |
Recommended Conditional Access Policy Design
Alex Fields, ITProMentor.com; Updated 12/01/2019

The original is a matrix with one column per policy. The columns are grouped, left to right, under three headings: Authentication Baseline policies (replaces Security Defaults), Device Management policies, and Strict Security policies. The policies, in column order:

1. Require MFA for admins
2. Require MFA for users
3. Require MFA for guests
4. Require MFA for Azure management
5. Block legacy protocols
6. Windows 10 client access
7. MacOS client access
8. Personal mobile device access (MAM)
9. Corporate mobile device access (MDM)
10. Block web downloads on unmanaged devices
11. Block unsupported device platforms
12. Block foreign countries
13. Require MFA registration from trusted locations
14. Block web access on unmanaged devices
15. Require acceptance of Terms of Use
16. Sign-in Frequency
17. Disable persistent browser session

Matrix rows, with the values that appear in them (the per-policy X marks are lost in this text version):

Assignments
- Users and groups, Include: Admin roles (Require MFA for admins); Guests (Require MFA for guests); All users (every other policy)
- Users and groups, Exclude: the "Excluded from CA" group in every policy; several policies additionally exclude Guests, and one excludes Admin roles and Guests
- Cloud apps, Include: All cloud apps, or Exchange Online and SharePoint Online, for most policies; Azure Management for Require MFA for Azure management
- Cloud apps, Exclude: none
- User actions: Register security information (Require MFA registration from trusted locations)

Conditions
- Sign-in risk (Azure AD Premium P2): High; Medium; Low; No risk
- Device platforms, Include: Windows; MacOS; iOS and Android (two policies); Any device. Exclude: Android, iOS, MacOS, Windows
- Locations, Include: All locations. Exclude: Trusted locations; Allowed Countries
- Client apps: Browser; Mobile apps and desktop clients; Modern authentication clients; Exchange ActiveSync clients; Other clients
- Device state, Exclude: Device Hybrid Azure AD joined; Device marked as compliant

Access controls
- Block access; Grant access
- Require Multi-Factor Authentication; Require device to be marked as compliant; Require Hybrid Azure AD Joined device; Require approved client app; Require app protection policy; Terms of Use
- Require one of the selected controls; Require all of the selected controls

Session
- Use app enforced restrictions; Use Conditional access app control
- Sign-in frequency: 30 days
- Persistent browser session: Never persistent