Standards

Follow the instructions in this section to learn about, configure and run standards for your organization.

Overview

The Standards page lets you apply or reapply specific standards to your entire client base. Standards are collections of configuration items applied to your M365 tenants. CIPP keeps a tenant at the chosen baseline by reapplying each selected setting every 3 hours, so an admin's accidental change cannot silently weaken security. Some of the standards are explained below.

Important Points on Standards Configuration:

  • Companion Policies: Some standards require companion policies in Microsoft Intune to be effective. Ensure all necessary policies are set up to achieve the desired results.

  • Deselecting Standards: Deselecting a standard stops CIPP from applying it but does not revert the setting. e.g.: If you deselect Enable FIDO2 capabilities, the standard will stop enforcing it, but if FIDO2 was already enabled, it remains on.

  • Precedence of Standards: Tenant-level standards override AllTenants standards. e.g.: If Enable or disable 'external' warning in Outlook is set to false for a specific tenant, it will stay disabled for that tenant even if the AllTenants standard is true.

  • Application Cadence: Standards reapply to your tenants every three hours by default. If a setting covered by a standard is changed in the tenant, the value specified in the standard takes precedence again the next time the standards apply.

Meet the Standards

Low Impact: changes which have no or minimal user-facing impact.

Each entry below lists the standard name, the PowerShell equivalent, and a description.

Set General Contact e-mail

Set-MsolCompanyContactInformation

This is where Microsoft sends updates about subscriptions

Set Security Contact e-mail

Set-MsolCompanyContactInformation

Receives emails about security alerts or advisories by Microsoft

Set Marketing Contact e-mail

Set-MsolCompanyContactInformation

Receives the emails related to marketing; new features etc

Set Technical Contact e-mail

Set-MsolCompanyContactInformation

Receives emails related to possible technical issues, service disruptions, etc.

Enable the Unified Audit Log

Enable-OrganizationCustomization, then Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Enables the Microsoft Unified Audit Log. Enable-OrganizationCustomization is a one-time prerequisite that makes the tenant's Exchange configuration editable; the log itself is switched on by Set-AdminAuditLogConfig.

Enable Customer Lockbox

Set-OrganizationConfig -CustomerLockBoxEnabled $true

Customer Lockbox ensures that Microsoft can't access your content to do service operations without your explicit approval. Customer Lockbox ensures only authorized requests allow access to your organizations data.

Enable Mailbox auditing

Set-OrganizationConfig -AuditDisabled $false

Enables mailbox auditing at the tenant level and for all mailboxes, and disables audit bypass on all mailboxes. By default Microsoft does not enable mailbox auditing for resource mailboxes, public folder mailboxes and DiscoverySearch mailboxes. The Unified Audit Log needs to be enabled for this standard to function.

Enable Usernames instead of pseudo anonymised names in reports

Portal Only

Microsoft announced that some APIs and reports no longer return user names, to comply with legal requirements in specific countries. This is a problem for many MSPs because engineers often rely on those reports. This standard applies the setting that shows user names in those API calls and reports.

Restrict guest user access to directory objects

Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'

Sets guest access so guests can view only their own user profile; permission to view other users is not granted. Also restricts guest users from seeing the membership of groups they are in. See the Microsoft documentation for exactly what gets locked down.

Enable LAPS on the tenant

Portal or Graph API

Enables the LAPS functionality on the tenant. Prerequisite for using Windows LAPS via Azure AD.

Enable Phishing Protection system via branding CSS

Portal only

Adds branding CSS to the sign-in page that is only rendered when the URL is not login.microsoftonline.com, so a page served through an adversary-in-the-middle (AiTM) proxy such as Evilginx looks visibly different to the user. When set to Remediate this will also automatically generate an alert when a clone of your sign-in page is found.

Enable Passwordless with Location information and Number Matching

New-AzureADPolicy

Allows users to use Passwordless with Number Matching and adds location information from the last request

Enable OTP via Authenticator

Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration

Allows users to use the Microsoft Authenticator OTP token generator. Useful for using the NPS extension as MFA on VPN clients.

Set Authenticator Lite state

Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration

Sets the Authenticator Lite state to enabled. This allows users to use the Authenticator Lite built into the Outlook app instead of the full Authenticator app.

Enable FIDO2 capabilities

Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration

Enables FIDO2 capabilities for the tenant. This allows users to use FIDO2 keys like a Yubikey for authentication.

Enable Hardware OATH tokens

Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration

Enables hardware OATH (TOTP) tokens for the tenant. This allows users to authenticate with a dedicated hardware TOTP token. (OATH, the open TOTP/HOTP standard, is unrelated to OAuth.)

Enable Software OATH tokens

Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration

Enables software OATH (TOTP) tokens for the tenant. This allows users to use OTP codes generated by software, such as a password manager, as an authentication method.

Enable Temporary Access Passwords

Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration

Enables Temporary Access Pass (TAP) generation for the tenant. A TAP is a time-limited passcode an admin issues so a user can sign in and register stronger methods without already having an MFA method.

Don't expire passwords

Portal Only

Sets passwords to never expire for tenant, recommended to use in conjunction with secure password requirements.

Disable M365 Tenant creation by users

Update-MgPolicyAuthorizationPolicy

Users by default are allowed to create M365 tenants. This disables that so only admins can create new M365 tenants.

Enable App consent admin requests

Update-MgPolicyAdminConsentRequestPolicy

Enables the ability for users to request admin consent for applications. Should be used in conjunction with the "Require admin consent for applications" standard.

Enable registration campaign for the tenant

Update-MgPolicyAuthenticationMethodPolicy

Enables the registration campaign for the tenant. Nudges users to set up the Microsoft Authenticator during sign-in

Disable registration campaign for the tenant

Update-MgPolicyAuthenticationMethodPolicy

Disables the registration campaign for the tenant, so users are no longer nudged to set up the Microsoft Authenticator during sign-in.

Disable M365 Group creation by users

Portal Only

Users by default are allowed to create M365 groups. This restricts M365 group creation to certain admin roles, which also removes users' ability to create Teams, SharePoint team sites, Planner plans, etc.

Set Outbound Spam Alert e-mail

Set-HostedOutboundSpamFilterPolicy

Sets the e-mail address to which outbound spam alerts are sent.

Enable Auto-expanding archives

Set-OrganizationConfig -AutoExpandingArchive

Enables auto-expanding archives for the tenant. Does not enable archives for users.

Enable or disable 'external' warning in Outlook

Set-ExternalInOutlook -Enabled $true or $false

Adds or removes indicators to e-mail messages received from external senders in Outlook. You can read more about this feature on Microsoft's Exchange Team Blog.

Enable all MailTips

Set-OrganizationConfig

Enables all MailTips in Outlook. MailTips are the notifications Outlook and Outlook on the web show while you compose a message that meets certain conditions, such as a large number of recipients or an external recipient.

Disable daily Insight/Viva reports

Set-UserBriefingConfig

Disables Daily Insight reports for all users in the tenant

Rotate DKIM keys that are 1024 bit to 2048 bit

Rotate-DkimSigningConfig -KeySize 2048

Rotates DKIM keys that are 1024 bit to 2048 bit

Enable DKIM for all domains that currently support it

New-DkimSigningConfig and Set-DkimSigningConfig

Enables DKIM for all domains that currently support it.

Set send/receive size limits

Set-MailboxPlan

Sets the maximum send and receive size for the tenant

Set Sharing Level for Default calendar

Set-MailboxFolderPermission

Sets the default sharing level for the default calendar for all users in the tenant. You can read about the different sharing levels here.

Disable external calendar sharing

Get-SharingPolicy | Set-SharingPolicy -Enabled $False

Disables external calendar sharing for the entire tenant. This is not a widely used feature, and it's therefore unlikely that this will impact users.

Disable additional storage providers in OWA

Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -AdditionalStorageProvidersEnabled $False

Disables additional storage providers in OWA. This is to prevent users from using personal storage providers like Dropbox, Google Drive, etc. Usually this has little user impact.

Set inactive device retirement days

Portal Only

Sets the number of days before a device is considered inactive and removed from Intune.

Retain a deleted user OneDrive for 1 year

Portal Only

When a OneDrive user gets deleted, the personal SharePoint site is saved for 1 year and data can be retrieved from it.

Disable App creation by users

Update-MgPolicyAuthorizationPolicy

Disables the ability for users to create applications in Entra. Done to prevent breached accounts from creating an app to maintain access to the tenant, even after the breached account has been secured.

Lower Transport Message Expiration to 12 hours

Set-TransportConfig -MessageExpiration 12:00:00

Expires messages in the transport queue after 12 hours. Makes the NDR for failed messages show up faster for users. Default is 24 hours.

Set Focused Inbox state

Set-OrganizationConfig -FocusedInboxOn $true or $false

Sets the default Focused Inbox state for the tenant. This can be overridden by the user in their Outlook settings. For more information, see Microsoft's documentation.

Disable TNEF/winmail.dat

Set-RemoteDomain -Identity 'Default' -TNEFEnabled $false

Disables Transport Neutral Encapsulation Format (TNEF)/winmail.dat for the tenant. TNEF can cause issues if the recipient is not using a client supporting TNEF. Cannot be overridden by the user. For more information, see Microsoft's documentation.

Set Global Quarantine Notification Interval

Set-QuarantinePolicy -EndUserSpamNotificationFrequency

Sets the global quarantine notification interval for the tenant. This is the time between the quarantine notification emails are sent out to users. Default is 24 hours.

Set Teams Meetings by default state

Set-OrganizationConfig -OnlineMeetingsByDefaultEnabled

Sets the default state for automatically turning meetings into Teams meetings for the tenant. This can be overridden by the user in Outlook. By default this is enabled.

Set Cloud Message Recall state

Set-OrganizationConfig -MessageRecallEnabled

Sets the default state for Cloud Message Recall for the tenant. This can be overridden by the user in Outlook. By default this is enabled. You can read more about the feature here.
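The Unified Audit Log and mailbox auditing entries above describe several distinct steps (the one-time organization customization, the tenant-level audit setting, per-mailbox auditing for the types Microsoft leaves off, and removal of audit bypasses). The following PowerShell is an added example, not CIPP's own code, that performs and then verifies those steps in one pass. It assumes an Exchange Online session opened with Connect-ExchangeOnline under an account or app registration holding the Exchange administrator role.

```powershell
# Added example (not CIPP code). Assumes an existing Exchange Online session
# (Connect-ExchangeOnline) with Exchange administrator rights.

# 1. Unified Audit Log. Enable-OrganizationCustomization is a one-time prerequisite and
#    throws if it has already been run, so that error is ignored. The log itself is
#    switched on with Set-AdminAuditLogConfig.
try { Enable-OrganizationCustomization -ErrorAction Stop } catch { }
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Tenant-level "audit by default": AuditDisabled must be $false.
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

# 3. Per-mailbox auditing, including the types Microsoft leaves off by default
#    (room, equipment and discovery mailboxes). Public folder mailboxes are not
#    covered here; they need the -PublicFolder switch on Get-Mailbox and Set-Mailbox.
$types = 'UserMailbox', 'SharedMailbox', 'RoomMailbox', 'EquipmentMailbox', 'DiscoveryMailbox'
$unaudited = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails $types |
               Where-Object { -not $_.AuditEnabled })
foreach ($mbx in $unaudited) {
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true
}

# 4. Audit bypass. A mailbox or account with bypass enabled leaves no audit records
#    for its actions, which is exactly what an intruder wants, so every bypass goes.
$bypassed = @(Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
              Where-Object { $_.AuditBypassEnabled })
foreach ($b in $bypassed) {
    Set-MailboxAuditBypassAssociation -Identity $b.Identity -AuditBypassEnabled $false
}

# 5. Verify. Anything other than True / 0 / 0 means the baseline did not fully apply.
$stillOff = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails $types |
              Where-Object { -not $_.AuditEnabled })
$stillBypassed = @(Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
                   Where-Object { $_.AuditBypassEnabled })
"UAL ingestion enabled: $((Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled)"
"Mailboxes still unaudited: $($stillOff.Count); audit bypasses left: $($stillBypassed.Count)"
```

The verification step at the end is the part worth keeping in a scheduled job: a bypass association or a mailbox with auditing turned back off is a strong signal that someone with admin rights is trying to avoid leaving a trail.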
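The two DKIM entries above (enable signing for every domain that supports it, and rotate 1024-bit keys to 2048) share one practical failure mode: signing cannot be enabled until both selector CNAME records exist in public DNS. The PowerShell below is an added example, not CIPP's own code, that walks every accepted domain, creates missing configurations in a disabled state and prints the records to publish, rotates weak keys, and only enables signing where it can. It assumes an existing Exchange Online session (Connect-ExchangeOnline) and skips the tenant's *.onmicrosoft.com domains, which Microsoft signs automatically.

```powershell
# Added example (not CIPP code). Assumes an existing Exchange Online session
# (Connect-ExchangeOnline) and that you can publish DNS records for the domains.
$domains = Get-AcceptedDomain | Where-Object { $_.DomainName -notlike '*.onmicrosoft.com' }
$configs = Get-DkimSigningConfig

foreach ($d in $domains) {
    $name = $d.DomainName
    $cfg  = $configs | Where-Object { $_.Domain -eq $name }

    if (-not $cfg) {
        # No signing config yet. Create it disabled and print the selector CNAMEs:
        # enabling before both records exist in public DNS fails, so that is a
        # separate step once DNS has been updated and has propagated.
        $cfg = New-DkimSigningConfig -DomainName $name -Enabled $false -KeySize 2048
        "${name}: publish selector1._domainkey CNAME $($cfg.Selector1CNAME) and selector2._domainkey CNAME $($cfg.Selector2CNAME), then re-run"
        continue
    }

    # Rotate 1024-bit keys. Exchange Online stages the new key on the inactive selector
    # and switches to it once that selector's CNAME resolves, so this is safe to run in place.
    if ($cfg.Selector1KeySize -eq 1024 -or $cfg.Selector2KeySize -eq 1024) {
        Rotate-DkimSigningConfig -Identity $name -KeySize 2048
        "${name}: key rotation to 2048 bit requested"
    }

    # Enable signing where the CNAMEs already resolve; the failure is reported, not hidden.
    if (-not $cfg.Enabled) {
        try {
            Set-DkimSigningConfig -Identity $name -Enabled $true -ErrorAction Stop
            "${name}: DKIM signing enabled"
        } catch {
            "${name}: cannot enable DKIM yet (selector CNAMEs probably missing): $($_.Exception.Message)"
        }
    }
}
```

Run it once to collect the CNAME records, publish them, and run it again after propagation; the second pass enables signing and leaves already-enabled domains untouched.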

Medium Impact: changes which have a user impact that can be mitigated with a little communication.

Each entry below lists the standard name, the PowerShell equivalent cmdlet, and a description.

Disable SMTP Basic authentication

Set-TransportConfig -SmtpClientAuthenticationDisabled $true

Disables SMTP basic authentication (SMTP AUTH) for the tenant and for every mailbox on which it was explicitly enabled.

Enable Online Archive for all users

Enable-Mailbox -Archive $true

Enables the In-Place Online Archive for all UserMailboxes with a valid Exchange license.

Enable Activity based Timeout

Portal Only

Enables and sets Idle session timeout for Microsoft 365 to the value specified. This policy affects most M365 web apps.

Disable Security Group creation by users

Portal Only

Completely disables the creation of security groups by users. This also breaks the ability to manage groups themselves, or create Teams.

Remove Legacy MFA if SD or CA is active

Set-MsolUser -StrongAuthenticationRequirements $null

This standard currently does not function and can be safely disabled.

Set Bookings state

Set-OrganizationConfig -BookingsEnabled

Enables or disables Microsoft Bookings for the tenant. Bookings is a scheduling tool that allows users to book appointments with others both internal and external.

Disable Self Service Licensing

Set-MsolCompanySettings -AllowAdHocSubscriptions $false

Prevents users from acquiring their own licences. This also blocks Power BI and Power Automate (Flow) self-service sign-up.

Disable Guest accounts that have not logged on for 90 days

Graph API

Disables guest accounts that have not interactively signed in for 90 days.

Require admin consent for applications (Prevent OAuth phishing.)

Update-MgPolicyAuthorizationPolicy

Requires users to get administrator consent before sharing data with applications. You can preapprove specific applications.

Allow users to consent to applications with low security risk (Prevent OAuth phishing. Lower impact, less secure.)

Update-MgPolicyAuthorizationPolicy

Allows users to consent to applications with low assigned risk.

Remove Safe Senders to prevent SPF bypass

Set-MailboxJunkEmailConfiguration

Removes the Safe Senders list from all mailboxes. Mail from an address on a user's Safe Senders list skips spam filtering, so a spoofed message that fails SPF can still reach the inbox; clearing the list closes that bypass.

Set mailbox Sent Items delegation (Sent items for shared mailboxes)

Set-Mailbox

This makes sure that e-mails sent from shared mailboxes or delegate mailboxes, end up in the mailbox of the shared/delegate mailbox instead of the sender, allowing you to keep replies in the same mailbox as the original e-mail.

Allow users to send from their alias addresses

Set-OrganizationConfig -SendFromAliasEnabled $true

Allows users to change the 'from' address to any proxy address (alias) set on their account.

Set the state of the built-in Report button in Outlook

New-ReportSubmissionPolicy or Set-ReportSubmissionPolicy

Set the state of the built-in Report button in Outlook. This gives the users the ability to report emails as spam or phish.

Set the destination email for user reported emails

New-ReportSubmissionRule or Set-ReportSubmissionRule

Set the destination email for user reported phishing emails. This is where the reported phishing emails will be sent to.

Disable Shared Mailbox AAD accounts

Get-Mailbox & Update-MgUser

Shared mailboxes can be signed into directly if their password is reset, which carries the same risk as any other shared credential. Microsoft's recommendation is to disable the user account behind a shared mailbox; mail flow to the mailbox and delegate access are unaffected. Review the sign-in reports first to establish the potential impact.

Set Maximum Number of Devices per user

Update-MgBetaPolicyDeviceRegistrationPolicy

Sets the maximum number of devices that can be registered by a user. A value of 0 disables device registration by users.

Require Multifactor Authentication to register or join devices with Microsoft Entra

Update-MgBetaPolicyDeviceRegistrationPolicy

Requires users to use MFA when registering a device with Microsoft Entra.

Disable Add Shortcuts To OneDrive

Portal only

When the feature is disabled the option Add shortcut to My files will be removed. Any folders that have already been added will remain on the user's computer.

Disable legacy basic authentication for SharePoint

Set-SPOTenant -LegacyAuthProtocolsEnabled $false

Disables the ability for users and applications to access SharePoint via legacy basic authentication. This will likely not have any user impact, but will block systems/applications depending on basic auth or the SharePointOnlineCredentials class.

Disable users from installing add-ins in Outlook

Get-ManagementRoleAssignment | Remove-ManagementRoleAssignment

Disables users from being able to install add-ins in Outlook. Only admins are able to approve add-ins for the users. This is done to reduce the threat surface for data exfiltration.
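The "Disable Shared Mailbox AAD accounts" entry above recommends reviewing sign-in reports before disabling anything. The PowerShell below is an added example, not CIPP's own code, that does that review and the disable step together: it lists every shared mailbox, reads the account's last interactive sign-in from Graph, reports accounts that are clearly still being used as logins, and disables only the rest. It assumes Connect-ExchangeOnline and Connect-MgGraph -Scopes 'User.ReadWrite.All','AuditLog.Read.All' have been run; the 30-day idle threshold is an assumption to adjust per tenant, and signInActivity requires a Microsoft Entra ID P1 licence.

```powershell
# Added example (not CIPP code). Assumes Connect-ExchangeOnline and
# Connect-MgGraph -Scopes 'User.ReadWrite.All','AuditLog.Read.All' have been run.
# signInActivity requires the AuditLog.Read.All scope and an Entra ID P1 licence.
$MaxIdleDays = 30   # assumption: anything signed in more recently is "in use" and is only reported
$cutoff = (Get-Date).AddDays(-$MaxIdleDays)

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox) {
    $u = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId `
                    -Property 'id,userPrincipalName,accountEnabled,signInActivity'
    [pscustomobject]@{
        UPN            = $u.UserPrincipalName
        AccountEnabled = $u.AccountEnabled
        LastSignIn     = $u.SignInActivity.LastSignInDateTime   # $null if never signed in
    }
}

# Accounts with a recent sign-in are being used as logins; those need a human decision.
$inUse = @($report | Where-Object { $_.AccountEnabled -and $_.LastSignIn -gt $cutoff })
if ($inUse.Count) {
    "Shared mailbox accounts with sign-ins in the last $MaxIdleDays days (review before disabling):"
    $inUse | Format-Table -AutoSize
}

# Enabled accounts with no recent (or no) sign-in: disable them. Mail still flows to the
# mailbox and delegates still open it; only direct sign-in with the account's password stops.
$toDisable = @($report | Where-Object { $_.AccountEnabled -and -not ($_.LastSignIn -gt $cutoff) })
foreach ($r in $toDisable) {
    Update-MgUser -UserId $r.UPN -AccountEnabled:$false
    "Disabled sign-in for $($r.UPN)"
}
```

A shared mailbox account that does show recent interactive sign-ins is itself a finding: either a workflow is using it as a real login (which should move to a delegate or a service principal) or someone reset its password, and the sign-in log will show which.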

High Impact: changes that should require thought and planning. Ideally coordinate deployment with customers, as these may significantly change how users interact with Microsoft 365.

Each entry below lists the standard name, the PowerShell equivalent cmdlet, and a description.

Undo App Consent Standard

Update-MgPolicyAuthorizationPolicy

Undoes the OAuth phishing ("Require admin consent for applications") standard.

Enable Security Defaults

Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy

Enables Security Defaults for the tenant, which blocks all legacy (basic) authentication protocols and requires every user to register for MFA. Users are only prompted for MFA when Microsoft considers the sign-in risky or the task sensitive. Security Defaults cannot be enabled while Conditional Access policies exist; tenants that use Conditional Access should stay on it instead.

Disables SMS as an MFA method

Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration

Disables SMS as an MFA method for the tenant. If a user only has SMS as a MFA method, they will be unable to sign in.

Disables Voice call as an MFA method

Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration

Disables Voice call as an MFA method for the tenant. If a user only has Voice call as a MFA method, they will be unable to sign in.

Disables Email as an MFA method

Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration

Disables Email as an MFA method for the tenant. This disables the email OTP option for guest users and instead prompts them to create a Microsoft account.

Disables Certificates as an MFA method

Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration

Disables Certificates as an MFA method for the tenant.

Set Sharing Level for OneDrive and Sharepoint

Portal Only

Sets the default sharing level for OneDrive and SharePoint. This is a tenant-wide setting that acts as the ceiling: individual sites can be more restrictive but not more permissive than the tenant level.

Disable Resharing by External Users

Portal Only

Disables the ability for external users to share files they don't own.

Disable site creation by standard users

Update-MgAdminSharepointSetting

Disables standard users from creating SharePoint sites, which also prevents them from fully creating Teams.

Exclude File Extensions from Syncing

Update-MgAdminSharepointSetting

Excludes files from being synced. Users will get an error when trying to sync the specified files

Do not allow Mac devices to sync using OneDrive

Update-MgAdminSharepointSetting

Disables OneDrive sync on Mac devices.

Only allow users to sync OneDrive from AAD joined devices

Update-MgAdminSharepointSetting

Only AAD joined devices can sync using the OneDrive client. Users on devices that are not AAD joined will receive an error.
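The SMS and voice-call entries above carry the same warning: a user whose only MFA method is a phone method is locked out the moment the method is disabled. The PowerShell below is an added example, not CIPP's own code, that enumerates every enabled member user's registered methods through Graph, reports those who have a phone method and no stronger one, and only disables SMS and voice in the authentication methods policy when that list is empty. It assumes Connect-MgGraph was run with the scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All' and 'Policy.ReadWrite.AuthenticationMethod', and that the Microsoft.Graph.Beta.Identity.SignIns module is installed for the Update-MgBeta cmdlet.

```powershell
# Added example (not CIPP code). Assumes Connect-MgGraph -Scopes
# 'User.Read.All','UserAuthenticationMethod.Read.All','Policy.ReadWrite.AuthenticationMethod'
# and Install-Module Microsoft.Graph.Beta.Identity.SignIns for the Update-MgBeta cmdlet.

# Methods that still satisfy an MFA prompt once SMS and voice are gone.
$strong = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)
# SMS and voice call both register as phoneAuthenticationMethod.
$phone = '#microsoft.graph.phoneAuthenticationMethod'

$users = Get-MgUser -All -Filter "accountEnabled eq true and userType eq 'Member'" `
                    -Property 'id,userPrincipalName'
$atRisk = @(foreach ($u in $users) {
    $types = @(Get-MgUserAuthenticationMethod -UserId $u.Id |
               ForEach-Object { $_.AdditionalProperties['@odata.type'] })
    $hasPhone  = $types -contains $phone
    $hasStrong = @($types | Where-Object { $strong -contains $_ }).Count -gt 0
    # Users with no MFA method at all are not affected by this change and are not listed.
    if ($hasPhone -and -not $hasStrong) {
        [pscustomobject]@{
            UPN     = $u.UserPrincipalName
            Methods = ($types -replace '^#microsoft\.graph\.', '') -join ', '
        }
    }
})

if ($atRisk.Count) {
    "$($atRisk.Count) users would be locked out; migrate them (e.g. via a Temporary Access Pass) first:"
    $atRisk | Format-Table -AutoSize
    return
}

# Nobody depends on phone methods any more: disable SMS and voice in the policy.
$methods = @{ Sms = 'smsAuthenticationMethodConfiguration'; Voice = 'voiceAuthenticationMethodConfiguration' }
foreach ($m in $methods.GetEnumerator()) {
    Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId $m.Key `
        -BodyParameter @{ '@odata.type' = "#microsoft.graph.$($m.Value)"; state = 'disabled' }
    "$($m.Key) authentication method disabled"
}
```

The same enumeration works for the Email and Certificates entries by swapping the method type being removed; the point is that the policy change is gated on the registration data rather than applied blind.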

Feature Requests / Ideas

Plans exist to implement more standardised options and settings, along with an alerting system supporting Remote Monitoring and Management (RMM) systems, webhooks or, e-mail.

Please raise any feature requests on GitHub.
