Skip to main content

Recommended Settings for Microsoft 365

ivan@ivancarlos.com.br
Updated

Below are the recommended settings for Microsoft 365:

User report settings: https://security.microsoft.com/securitysettings/userSubmission

  • Outlook:
    • Enable "Monitor reported messages in Outlook" > "Use the built-in report button in Outlook"
      • Enable "Ask the user to confirm before reporting"
      • Enable "Show a success message..."
  • Microsoft Teams:
    • Enable "Monitor reported messages in Microsoft Teams"
  • Destination of reported messages:
    • Enable "Microsoft only"
  • Email notifications
    • Enable "Automatically send by email..."
      • Enable "Phishing or Malware"
      • Enable "Spam"
      • Enable "No threat found"
  • Customize sender and branding
    • Disable the option "Specify a Microsoft 365 mailbox..."
    • Enable the option "Replace Microsoft logo..."
  • Quarantine reports
    • Enable "Allow reports of messages in quarantine..."

Two-step verification requirement for tenant portals: https://entra.microsoft.com/#view/Microsoft_Azure_Resources/MfaSettings.ReactView

  • Check that in Multifactor Authentication, the "Enforcement status" option is "Enforced"; if not, set a date to enable the setting or select "Enable enforcement now". 

Two-step verification requirement for users (for tenants without federated authentication): https://entra.microsoft.com/#view/Microsoft_AAD_IAM/TenantOverview.ReactView/initialValue//tabId//recommendationResourceId//fromNav/Identity

  • In the Tenant Properties tab, if the organization is not protected by "security defaults", select "Manage security defaults", choose the "Enabled" option, and click "Save".

Consent and access permission for third-party applications: https://entra.microsoft.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade

  • Consent and permissions | User consent settings
    • Select "Allow user consent for apps from verified publishers, for selected permissions"
  • Consent and permissions | Admin consent settings
    • Select Yes for "Users can request admin consent to apps they are unable to consent to"
    • Select the users, groups, and roles who will review the requests
    • Select Yes for "Selected users will receive email notifications for requests​"
    • Select Yes for "Selected users will receive request expiration reminders​"
    • A reasonable date of 30 days for "Consent request expires after (days)​"
  • Consent and permissions | Permission classifications
    • Select permissions in the Low tab that users can grant without approval:
      • Select User.Read, offline_access, openid, profile, email and confirm with Yes, add selected permissions

License request and approval flow: https://admin.cloud.microsoft/?#/licenses/requestspage

  • It is recommended to enable your third-party license request system, if you have one. For Ivan Carlos Consultoria, we use the following form: https://icc.gg/licencas
    • Access the configuration menu via the link "Connect your request process"
    • Enable the option "Use my organization's request process"
    • Fill in the "Message" field as preferred, such as Request your access using the request and approval process
    • Fill in the Link to documentation field as appropriate, such as https://icc.gg/licencas

Teams recording settings: https://admin.teams.microsoft.com/one-policy/settings/meeting

  • Content sharing section:

  • Recording & transcription section:

Teams external usage section: https://admin.teams.microsoft.com/company-wide-settings/external-communications

  • Organization settings section

Organization settings / Security and privacy, Organization profile:

  • Security and privacy: Settings - Microsoft 365 admin center
    • Sharing: Usually there are no issues allowing users to add new guests
    • Privacy profile: Important to add the link and contact email related to the privacy policy
    • Password expiration policy: Best practices recommend marking that passwords do not expire
    • Self-service password reset; usually users are allowed to reset their passwords on their own
  • Organization profile: Settings - Microsoft 365 admin center
    • Send email notifications from your domain: It is recommended not to enable this option to ensure message delivery
    • Organization information: Important to validate company information, company name, and technical contact
    • Technical support information: You can add information so that the end user can contact the company’s official technical support
    • Data location: You can check where the data for each service is stored
    • Organization profile > Custom themes: You can add a logo and corporate website URL in this option 

 

Was this article helpful?

0 out of 0 found this helpful
Return to top

Related articles