Global Standards
Low Impact
| Standard | Description | Tags | PowerShell Equivalent | API Name |
| --- | --- | --- | --- | --- |
| Enable Usernames instead of pseudo-anonymised names in reports | Microsoft announced that some APIs and reports no longer return names, to meet legal and compliance requirements in specific countries. This poses a problem for many MSPs, because those reports are often helpful for engineers. This standard applies a setting that shows usernames in those API calls and reports. | | `Update-MgBetaAdminReportSetting -BodyParameter @{displayConcealedNames = $false}` | AnonReportDisable |
| Enable the Unified Audit Log | Enables the Unified Audit Log for tracking and auditing activities. Also runs Enable-OrganizationCustomization if necessary. | CIS | `Enable-OrganizationCustomization` | AuditLog |
| Set branding for the tenant | Sets the branding for the tenant. This includes the login page and the Office 365 portal. | | Portal only | Branding |
| Restrict guest user access to directory objects | Sets it so guests can view only their own user profile; permission to view other users isn't allowed. Also restricts guest users from seeing the membership of groups they're in. See exactly what gets locked down in the Microsoft documentation. | | `Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'` | DisableGuestDirectory |
| Enable Customer Lockbox | Customer Lockbox ensures that Microsoft can't access your content to perform service operations without your explicit approval. Customer Lockbox ensures only authorized requests allow access to your organization's data. | CIS | `Set-OrganizationConfig -CustomerLockBoxEnabled $true` | EnableCustomerLockbox |
| Enable Pronouns | Enables the Pronouns feature for the tenant. This allows users to set their pronouns in their profile. | | `Update-MgBetaAdminPeoplePronoun -IsEnabledInOrganization:$true` | EnablePronouns |
| Set contact e-mails | Defines the email address that receives general updates and information related to M365 subscriptions. Leave a contact field blank if you do not want to update that contact information. | | `Set-MsolCompanyContactInformation` | MailContacts |
| Enable Phishing Protection system via branding CSS | Adds branding to the logon page that only appears if the URL is not login.microsoftonline.com. This potentially prevents AiTM attacks via EvilNginx. When set to Remediate, this will also automatically generate alerts if a clone of your login page has been found. | CIPP | Portal only | PhishProtection |
Medium Impact
| Standard | Description | Tags | PowerShell Equivalent | API Name |
| --- | --- | --- | --- | --- |
| Enable Activity based Timeout | Enables and sets the idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps. | CIS | Portal or Graph API | ActivityBasedTimeout |
| Disable SMTP Basic Authentication | Disables SMTP basic authentication for the tenant and for all users that have it explicitly enabled. | | `Set-TransportConfig -SmtpClientAuthenticationDisabled $true` | DisableBasicAuthSMTP |
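The following read-only drift check is an added example, not CIPP's own code. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Beta modules are installed and already connected, and compares the tenant's current state against six of the standards listed above, keyed by their API names; the helper name `Test-CippStandard` is a hypothetical choice.

```powershell
# Added example (not part of CIPP): read-only compliance check for several standards above.
# Assumes an existing session from:
#   Connect-ExchangeOnline
#   Connect-MgGraph -Scopes 'ReportSettings.Read.All','Policy.Read.All','PeopleSettings.Read.All'

# Runs one observation scriptblock and reports whether it matches the expected value.
# Errors (missing module, missing permission) are captured as the observed value so a
# single failing check does not abort the whole audit.
function Test-CippStandard {
    param(
        [string]$ApiName,        # API name as listed in the standards table
        [scriptblock]$Observed,  # how to read the current tenant value
        [object]$Expected        # value the standard enforces
    )
    try {
        $value = & $Observed
    } catch {
        $value = "ERROR: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        ApiName   = $ApiName
        Expected  = $Expected
        Observed  = $value
        Compliant = ($value -eq $Expected)
    }
}

# 'Restricted access' guest role id used by the DisableGuestDirectory standard.
$RestrictedGuestRoleId = '2af84b1e-32c8-42b7-82bc-daa82404023b'

$results = @(
    # displayConcealedNames must be false for reports to show real usernames
    Test-CippStandard -ApiName 'AnonReportDisable' -Expected $false `
        -Observed { (Get-MgBetaAdminReportSetting).DisplayConcealedNames }
    Test-CippStandard -ApiName 'AuditLog' -Expected $true `
        -Observed { (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled }
    Test-CippStandard -ApiName 'DisableGuestDirectory' -Expected $RestrictedGuestRoleId `
        -Observed { (Get-MgBetaPolicyAuthorizationPolicy).GuestUserRoleId }
    Test-CippStandard -ApiName 'EnableCustomerLockbox' -Expected $true `
        -Observed { (Get-OrganizationConfig).CustomerLockBoxEnabled }
    Test-CippStandard -ApiName 'EnablePronouns' -Expected $true `
        -Observed { (Get-MgBetaAdminPeoplePronoun).IsEnabledInOrganization }
    Test-CippStandard -ApiName 'DisableBasicAuthSMTP' -Expected $true `
        -Observed { (Get-TransportConfig).SmtpClientAuthenticationDisabled }
)

$results | Format-Table -AutoSize
$drift = @($results | Where-Object { -not $_.Compliant })
Write-Host "$($drift.Count) of $($results.Count) checked standards are not compliant."
```

Run it before and after applying a standard to confirm the change took effect; the GUID comparison is case-insensitive because PowerShell's `-eq` on strings is.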