
The 150 M365 Policies We Set Before Day One

Mar 21, 2026 · 9 min read · Microsoft 365 · Intune · Compliance

The baseline problem

Every new Microsoft 365 tenant ships with Microsoft’s defaults. Microsoft’s defaults are designed to balance usability and security for a global audience of organizations ranging from 10-person startups to Fortune 500 enterprises.

They are not designed for a 60-person Canadian financial advisory firm with a cyber insurance renewal in four months.

We’ve been hardening M365 tenants since Microsoft launched Intune co-management in 2018. Over that time, we’ve converged on a baseline of approximately 150 policy configurations that we apply — with client-specific adjustments — before any user signs in on day one.

Here’s how they break down.

Entra ID / Identity (42 policies)

This is where we spend the most time, because it’s where the most risk lives.

Authentication (12): Disable legacy authentication protocols (SMTP auth, POP/IMAP, basic auth) — these bypass MFA entirely. Enable phishing-resistant MFA as the default method. Configure authentication strength policies per application sensitivity. Set sign-in frequency and persistent session policies.

Conditional Access (18): Require MFA for all users with no trusted-location exceptions. Require compliant devices for access to sensitive applications. Automatically block access from high-risk sign-ins and risky users. Require a password change when credential compromise is detected. Block legacy auth at the CA layer as a belt-and-suspenders measure.

Privileged Access (8): Enable PIM for all privileged roles. Require justification and approval for Global Admin activation. Set activation time limits. Alert on role assignments outside PIM. Enable break-glass accounts with audit logging.

User and Group Hygiene (4): Disable self-service group creation for regular users. Restrict external sharing invitations to approved domains. Set guest user access to member-equivalent (rather than guest-level) permissions only where required. Configure access review schedules for all privileged groups.

Intune / Device Management (38 policies)

Windows Configuration (16): BitLocker encryption required and recovery keys escrowed to Intune. Windows Hello for Business enabled. LAPS configured for local admin accounts. Telemetry set to the minimum level Defender requires. Windows Firewall profiles enforced. SmartScreen enabled for Edge and apps.

Compliance Policies (8): Minimum OS version enforced. BitLocker required. Code integrity required. Secure Boot required. Defender real-time protection required. Firewall required. Antivirus signature freshness enforced.

App Protection Policies (8): MAM policies for iOS and Android — prevent copy/paste from managed to unmanaged apps, require a PIN, wipe corporate data on device unenrollment. Require approved client apps for Exchange and SharePoint on mobile.

Update Rings (6): Configure Windows Update for Business with a staged ring — pilot group receives updates 7 days after GA, general ring at 14 days. Driver updates on a separate ring. Feature updates held until tested.

Exchange Online / Email (28 policies)

Anti-phishing (10): Enable impersonation protection for all executives and domain names. Set spoof intelligence to quarantine. Enable mailbox intelligence. Configure advanced phishing thresholds to aggressive (level 3).

Anti-malware (6): Enable safe attachments in block mode. Enable safe links. Block file types: .exe, .dll, .bat, .ps1, .vbs, and 30+ others. Enable zero-hour auto purge (ZAP).

Outbound controls (6): Configure DLP policies to detect PII, PCI data, and Canadian Social Insurance Numbers (SINs). Set the outbound spam threshold. Enable automatic encryption for external email containing sensitive data types.

Audit and retention (6): Enable mailbox audit for all non-owner operations. Set retention policy appropriate to industry. Configure litigation hold for executives. Enable unified audit log.

SharePoint / OneDrive (18 policies)

Enable sensitivity labels. Require labels on all documents shared externally. Block "Anyone" links (replace them with specific-people sharing). Set external sharing to existing guests only as the default. Enable access reviews for externally shared content. Restrict SharePoint admin access to PIM-eligible roles.

Defender for Endpoint / Security (24 policies)

Configure attack surface reduction rules in block mode (18 rules). Enable network protection. Enable web content filtering. Set EDR collection intervals. Configure live response. Enable automated investigation and remediation.

The Canadian additions

Beyond the CIS and CISA baselines, we add a layer of configurations specific to Canadian regulatory requirements:

  • PIPEDA data residency: Configure SharePoint to prefer Canadian regions for new sites.
  • Law 25 (Quebec) controls: Enable data classification labels that map to personal information categories defined under Law 25.
  • OSFI B-13: Configure third-party app approval workflow and maintain a register of connected applications.
  • CASL compliance: Configure email marketing tenant-level settings to require explicit consent records.

The delivery process

We deliver this baseline via Intune configuration profiles, Defender for Endpoint policies, and Exchange Online PowerShell — not manual point-and-click. Every policy is version-controlled, documented in our ISMS platform, and part of the configuration baseline that gets audited in your SOC 2 engagement.

On day one, your tenant meets the standard. We monitor for drift nightly.
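The nightly drift check described above, as an added example that is not TruPoint's own tooling: a baseline declared from the settings in this article is compared against a constructed tenant export, and every missing or deviating setting becomes a finding. The export layout, its field names and the `HQ-Montreal` location are assumptions.

```python
import json

# Baseline values taken from the policies listed in the article. Keys are dotted
# paths into the exported settings document (hypothetical shape; a real export
# would be assembled from Microsoft Graph and Exchange Online PowerShell).
BASELINE = {
    "exchange.transport.smtpClientAuthenticationDisabled": True,
    "exchange.antiPhish.phishThresholdLevel": 3,
    "exchange.safeAttachments.action": "Block",
    "intune.compliance.bitLockerRequired": True,
    "sharepoint.sharing.anyoneLinksAllowed": False,
    "entra.conditionalAccess.requireMfaAllUsers.state": "enabled",
    "entra.conditionalAccess.requireMfaAllUsers.excludedLocations": [],
    "entra.conditionalAccess.blockLegacyAuth.state": "enabled",
}

# Constructed sample export: SMTP AUTH was re-enabled, a trusted-location
# exclusion crept into the MFA policy, and the anyone-links setting is absent.
SAMPLE_EXPORT_JSON = """{
  "exchange": {"transport": {"smtpClientAuthenticationDisabled": false},
               "antiPhish": {"phishThresholdLevel": 3},
               "safeAttachments": {"action": "Block"}},
  "intune": {"compliance": {"bitLockerRequired": true}},
  "sharepoint": {"sharing": {}},
  "entra": {"conditionalAccess": {
    "requireMfaAllUsers": {"state": "enabled", "excludedLocations": ["HQ-Montreal"]},
    "blockLegacyAuth": {"state": "enabled"}}}
}"""

def load_export(text):
    """Parse an exported settings document (JSON text) into nested dicts."""
    return json.loads(text)

def lookup(doc, path):
    """Walk a dotted path through nested dicts; return (found, value)."""
    node = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node

def find_drift(export, baseline=BASELINE):
    """Return one finding per baseline key that is missing from or differs in the export."""
    findings = []
    for path, expected in baseline.items():
        found, actual = lookup(export, path)
        if not found or actual != expected:
            findings.append({"path": path, "expected": expected, "actual": actual,
                             "reason": "missing" if not found else "drift"})
    return findings
```

Running `find_drift(load_export(SAMPLE_EXPORT_JSON))` on the sample yields three findings; a compliant export yields an empty list, which is the nightly "no drift" result.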

Alex Tremblay is the CTO at TruPoint Technology and the architect of the TruPoint M365 baseline.
