{"id":2106,"date":"2025-09-22T12:46:46","date_gmt":"2025-09-22T12:46:46","guid":{"rendered":"https:\/\/www.nicktailor.com\/?p=2106"},"modified":"2025-10-23T06:37:57","modified_gmt":"2025-10-23T06:37:57","slug":"microsoft-365-security-in-azure-entra-step%e2%80%91by%e2%80%91step-deployment-playbook","status":"publish","type":"post","link":"https:\/\/nicktailor.com\/tech-blog\/microsoft-365-security-in-azure-entra-step%e2%80%91by%e2%80%91step-deployment-playbook\/","title":{"rendered":"Microsoft 365 Security in Azure\/Entra &#8211; Step\u2011by\u2011Step Deployment Playbook"},"content":{"rendered":"<div class=\"wrap\">\n<header>\n<p class=\"lede\">A practical, production\u2011ready guide to ship a secure Microsoft 365 tenant using Entra ID (Azure AD), Conditional Access, Intune, Defender, and Purview \u2014 with rollback safety and validation checklists.<\/p>\n<div class=\"kbdrow\"><span class=\"tag\">M365<\/span> <span class=\"tag\">Azure \/ Entra<\/span> <span class=\"tag\">Conditional Access<\/span> <span class=\"tag\">Intune<\/span> <span class=\"tag\">Defender &amp; Purview<\/span><\/div>\n<\/header>\n<div class=\"grid\"><main class=\"card\">\n<div class=\"callout ok\"><strong>Outcome:<\/strong> In a few hours, you\u2019ll have MFA + Conditional Access, device trust with Intune, phishing\/malware defense with Defender, and data controls with Purview \u2014 all auditable and SIEM\u2011ready.<\/div>\n<section id=\"toc\">\n<h2>Table of Contents<\/h2>\n<ol class=\"toc\">\n<li><a href=\"#planning\">0) Pre\u2011reqs &amp; Planning<\/a><\/li>\n<li><a href=\"#tenant\">1) Create Tenant &amp; Verify Domain<\/a><\/li>\n<li><a href=\"#identity\">2) Identity Foundations (Entra)<\/a><\/li>\n<li><a href=\"#ca\">3) Conditional Access \u2014 Secure Baseline<\/a><\/li>\n<li><a href=\"#intune\">4) Endpoint &amp; Device Management (Intune)<\/a><\/li>\n<li><a href=\"#defender\">5) Threat Protection \u2014 Defender for Office 365<\/a><\/li>\n<li><a href=\"#purview\">6) Data 
Protection \u2014 Purview (Labels, DLP, Retention)<\/a><\/li>\n<li><a href=\"#collab\">7) Collaboration Controls \u2014 SharePoint\/OneDrive\/Teams<\/a><\/li>\n<li><a href=\"#logging\">8) Logging, Monitoring, and SIEM<\/a><\/li>\n<li><a href=\"#ops\">9) Admin Hardening &amp; Operations<\/a><\/li>\n<li><a href=\"#rollout\">10) Rollout &amp; Testing Plan<\/a><\/li>\n<li><a href=\"#powershell\">11) PowerShell Quick\u2011Starts<\/a><\/li>\n<li><a href=\"#pitfalls\">12) Common Pitfalls<\/a><\/li>\n<li><a href=\"#templates\">13) Reusable Templates<\/a><\/li>\n<li><a href=\"#runbook\">14) Ops Runbook<\/a><\/li>\n<li><a href=\"#links\">15) Portal Shortcuts<\/a><\/li>\n<\/ol>\n<\/section>\n<section id=\"planning\">\n<h2>0) Pre\u2011reqs &amp; Planning<\/h2>\n<ul>\n<li><strong>Licensing<\/strong>:\n<ul>\n<li>Lean: <em>Microsoft 365 Business Premium<\/em><\/li>\n<li>Enterprise baseline: <em>M365 E3 + Defender for Office 365 P2 + Intune<\/em><\/li>\n<li>Advanced\/XDR+Data: <em>M365 E5<\/em><\/li>\n<\/ul>\n<\/li>\n<li><strong>Inputs<\/strong>: primary domain, registrar access, two break\u2011glass mailboxes, trusted IPs\/regions, device platforms, retention\/DLP requirements.<\/li>\n<\/ul>\n<div class=\"callout\"><strong>Safety first:<\/strong> Keep <em>two<\/em> break\u2011glass Global Admins excluded from Conditional Access until end\u2011to\u2011end validation is complete.<\/div>\n<\/section>\n<section id=\"tenant\">\n<h2>1) Create Tenant &amp; Verify Domain<\/h2>\n<ol>\n<li>Sign up for Microsoft 365 (creates an <strong>Entra ID<\/strong> tenant).<\/li>\n<li>Admin Center \u2192 <em>Settings &gt; Domains<\/em> \u2192 Add domain \u2192 verify via TXT.<\/li>\n<li>Complete MX\/CNAME\/Autodiscover as prompted.<\/li>\n<li><strong>Email auth trio<\/strong>:\n<ul>\n<li>SPF (root TXT): <code>v=spf1 include:spf.protection.outlook.com -all<\/code><\/li>\n<li>DKIM: Exchange Admin \u2192 Mail flow \u2192 DKIM \u2192 enable per domain<\/li>\n<li>DMARC (TXT at <code>_dmarc.domain<\/code>): 
<code>v=DMARC1; p=none; rua=mailto:dmarc@domain; adkim=s; aspf=s; pct=100<\/code> (tighten later)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<\/section>\n<section id=\"identity\">\n<h2>2) Identity Foundations (Entra)<\/h2>\n<h3>2.1 Break\u2011Glass Accounts<\/h3>\n<ul>\n<li>Create two cloud\u2011only Global Admins (no MFA) with strong secrets and exclude from CA.<\/li>\n<li>Alert if these accounts sign in.<\/li>\n<\/ul>\n<h3>2.2 Least Privilege &amp; PIM<\/h3>\n<ul>\n<li>Use role\u2011based admin (Exchange\/SharePoint\/Intune Admin, etc.).<\/li>\n<li>(E5) Enable PIM for JIT elevation, approvals, and MFA on activation.<\/li>\n<\/ul>\n<h3>2.3 Prereqs &amp; Auth Methods<\/h3>\n<ul>\n<li>Disable Security Defaults if deploying custom CA.<\/li>\n<li>Add Named Locations (trusted IPs; optional geofencing).<\/li>\n<li>Enable Microsoft Authenticator, FIDO2\/passkeys; define a <em>Strong MFA<\/em> authentication strength.<\/li>\n<\/ul>\n<\/section>\n<section id=\"ca\">\n<h2>3) Conditional Access \u2014 Secure Baseline<\/h2>\n<p>Deploy in <strong>Report\u2011only<\/strong> mode, validate sign\u2011ins, then switch to <strong>On<\/strong>.<\/p>\n<ul>\n<li><strong>Require MFA (All Users)<\/strong>: exclude break\u2011glass\/service accounts.<\/li>\n<li><strong>Block Legacy Auth<\/strong>: block \u201cOther clients\u201d (POP\/IMAP\/SMTP basic).<\/li>\n<li><strong>Protect Admins<\/strong>: require MFA + compliant device; add sign\u2011in risk \u2265 Medium (E5).<\/li>\n<li><strong>Require Compliant Device<\/strong> for M365 core apps (SharePoint\/Exchange\/Teams).<\/li>\n<li><strong>Emergency Bypass<\/strong> policy for break\u2011glass accounts.<\/li>\n<\/ul>\n<div class=\"callout danger\"><strong>Avoid lockout:<\/strong> Keep a dedicated browser profile signed in as break\u2011glass while enabling policies.<\/div>\n<\/section>\n<section id=\"intune\">\n<h2>4) Endpoint &amp; Device Management (Intune)<\/h2>\n<ul>\n<li>Confirm MDM authority = Intune.<\/li>\n<li><strong>Enrollment<\/strong>: 
Windows auto\u2011enroll; Apple Push cert for macOS\/iOS; Android Enterprise.<\/li>\n<li><strong>Compliance<\/strong>: BitLocker\/FileVault, Secure Boot\/TPM, passcode\/biometric, minimum OS, Defender for Endpoint onboarding.<\/li>\n<li><strong>Configuration<\/strong>: Windows Security Baselines; firewall; SmartScreen; ASR rules.<\/li>\n<li><strong>MAM (BYOD)<\/strong>: restrict copy\/paste, block personal saves, require app PIN, selective wipe.<\/li>\n<\/ul>\n<\/section>\n<section id=\"defender\">\n<h2>5) Threat Protection \u2014 Defender for Office 365<\/h2>\n<ul>\n<li>Enable <strong>Preset security policies<\/strong> (Standard\/Strict).<\/li>\n<li>Turn on <strong>Safe Links<\/strong> (time\u2011of\u2011click) and <strong>Safe Attachments<\/strong> (Dynamic Delivery).<\/li>\n<li>Tune anti\u2011spam and anti\u2011phishing; add VIP\/user impersonation protection.<\/li>\n<li>Configure alert policies; route notifications to SecOps\/Teams.<\/li>\n<\/ul>\n<\/section>\n<section id=\"purview\">\n<h2>6) Data Protection \u2014 Purview<\/h2>\n<h3>Sensitivity Labels<\/h3>\n<ul>\n<li>Define taxonomy: Public \/ Internal \/ Confidential \/ Secret.<\/li>\n<li>Encrypt for higher tiers; set a default label; publish to groups.<\/li>\n<li>Enable mandatory labeling in Office apps.<\/li>\n<\/ul>\n<h3>Auto\u2011Labeling &amp; DLP<\/h3>\n<ul>\n<li>Auto\u2011label by sensitive info types (PCI, PII, healthcare, custom).<\/li>\n<li>DLP for Exchange\/SharePoint\/OneDrive\/Teams: block or allow with justification; user tips; incident reports.<\/li>\n<\/ul>\n<h3>Retention<\/h3>\n<ul>\n<li>Create retention policies per location; enable Litigation Hold when required.<\/li>\n<\/ul>\n<\/section>\n<section id=\"collab\">\n<h2>7) Collaboration Controls \u2014 SharePoint\/OneDrive\/Teams<\/h2>\n<ul>\n<li>External sharing: start with <em>Existing guests only<\/em> or <em>New &amp; existing guests<\/em> per site.<\/li>\n<li>OneDrive default link type: <em>Specific people<\/em>.<\/li>\n<li>Apply CA 
\u201cRequire compliant device\u201d for SPO\/OD to block unmanaged downloads (or use session controls via Defender for Cloud Apps).<\/li>\n<\/ul>\n<\/section>\n<section id=\"logging\">\n<h2>8) Logging, Monitoring, and SIEM<\/h2>\n<ul>\n<li>Ensure Unified Audit is <strong>On<\/strong> (Audit Standard\/Premium).<\/li>\n<li>Use Defender incidents and Advanced Hunting for investigations.<\/li>\n<li>Connect Entra\/M365\/Defender to <strong>Microsoft Sentinel<\/strong>; enable analytics rules (impossible travel, MFA fatigue, OAuth abuse).<\/li>\n<\/ul>\n<\/section>\n<section id=\"ops\">\n<h2>9) Admin Hardening &amp; Operations<\/h2>\n<ul>\n<li>Use <strong>PIM<\/strong> for privileged roles; do monthly access reviews for guests\/roles.<\/li>\n<li>Require compliant device for admins (PAW or CA).<\/li>\n<li>Grant least\u2011privilege Graph scopes to app registrations; store secrets in <strong>Key Vault<\/strong>.<\/li>\n<\/ul>\n<\/section>\n<section id=\"rollout\">\n<h2>10) Rollout &amp; Testing Plan<\/h2>\n<ol>\n<li><strong>Pilot<\/strong>: IT users \u2192 CA in report\u2011only \u2192 validate \u2192 turn on; Defender presets; labels\/DLP in audit mode.<\/li>\n<li><strong>Wave 1<\/strong>: IT + power users \u2192 verify device compliance, mail flow, labeling prompts.<\/li>\n<li><strong>Wave 2<\/strong>: All staff \u2192 tighten DMARC (quarantine \u2192 reject) and DLP blocking.<\/li>\n<\/ol>\n<h3>Validation Checklist<\/h3>\n<ul>\n<li>MFA prompts; legacy auth blocked in Sign\u2011in logs.<\/li>\n<li>Devices compliant; non\u2011compliant blocked.<\/li>\n<li>Safe Links rewriting; malicious attachments quarantined.<\/li>\n<li>Labels visible; DLP warns\/blocks exfil.<\/li>\n<li>External sharing limited and audited.<\/li>\n<li>Audit flowing to Sentinel; test incidents fire.<\/li>\n<\/ul>\n<\/section>\n<section id=\"powershell\">\n<h2>11) PowerShell Quick\u2011Starts<\/h2>\n<pre><code># Graph\nInstall-Module Microsoft.Graph -Scope CurrentUser\nConnect-MgGraph -Scopes 
\"Directory.ReadWrite.All\",\"Policy.Read.All\",\"Policy.ReadWrite.ConditionalAccess\",\"RoleManagement.ReadWrite.Directory\"\n\n# Exchange Online\nInstall-Module ExchangeOnlineManagement -Scope CurrentUser\nConnect-ExchangeOnline\n\n# Purview (Security &amp; Compliance): same ExchangeOnlineManagement module, separate session\nConnect-IPPSSession\n\n# Examples\nGet-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State\nSet-Mailbox -Identity user@contoso.com -LitigationHoldEnabled $true\n# DKIM: create and enable the signing config for a domain\n# (use Set-DkimSigningConfig -Identity contoso.com -Enabled $true if the config already exists)\nNew-DkimSigningConfig -DomainName contoso.com -Enabled $true<\/code><\/pre>\n<\/section>\n<section id=\"pitfalls\">\n<h2>12) Common Pitfalls<\/h2>\n<ul>\n<li><strong>CA Lockout:<\/strong> Always exclude break\u2011glass until you validate.<\/li>\n<li><strong>MFA fatigue:<\/strong> Use number matching \/ strong auth strengths.<\/li>\n<li><strong>Unmanaged devices:<\/strong> Require compliant device or use session controls.<\/li>\n<li><strong>Over\u2011sharing:<\/strong> Default to \u201cSpecific people\u201d links; review guests quarterly.<\/li>\n<li><strong>Excessive admin rights:<\/strong> PIM + recurring access reviews.<\/li>\n<\/ul>\n<\/section>\n<section id=\"templates\">\n<h2>13) Reusable Templates<\/h2>\n<h3>CA Baseline<\/h3>\n<ul>\n<li>Require MFA (exclude break\u2011glass\/service)<\/li>\n<li>Block legacy auth<\/li>\n<li>Require compliant device for admins<\/li>\n<li>Require compliant device for M365 core apps<\/li>\n<li>Emergency bypass for break\u2011glass<\/li>\n<\/ul>\n<h3>Intune Compliance (Windows)<\/h3>\n<ul>\n<li>BitLocker required; TPM; Secure Boot; Defender AV on; OS \u2265 Win10 22H2; Firewall on<\/li>\n<\/ul>\n<h3>DLP Starter<\/h3>\n<ul>\n<li>Block outbound email with PCI\/SSN (allow override with justification for managers)<\/li>\n<li>Block sharing items labeled <em>Confidential<\/em> to external<\/li>\n<\/ul>\n<h3>Purview Labels<\/h3>\n<ul>\n<li>Public (no controls)<\/li>\n<li>Internal (watermark)<\/li>\n<li>Confidential (encrypt; org\u2011wide)<\/li>\n<li>Secret (encrypt; specific groups 
only)<\/li>\n<\/ul>\n<\/section>\n<section id=\"runbook\">\n<h2>14) Ops Runbook<\/h2>\n<ul>\n<li><strong>Daily:<\/strong> Review Defender incidents; quarantine releases.<\/li>\n<li><strong>Weekly:<\/strong> Triage risky sign\u2011ins; device compliance drifts.<\/li>\n<li><strong>Monthly:<\/strong> Access reviews (guests\/roles); external sharing &amp; DMARC reports.<\/li>\n<li><strong>Quarterly:<\/strong> Test break\u2011glass; simulate phish; tabletop exercise.<\/li>\n<\/ul>\n<\/section>\n<section id=\"links\">\n<h2>15) Portal Shortcuts<\/h2>\n<table class=\"table\">\n<thead>\n<tr>\n<th>Portal<\/th>\n<th>URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Entra (Azure AD)<\/td>\n<td><a href=\"https:\/\/entra.microsoft.com\" target=\"_blank\" rel=\"noopener\">entra.microsoft.com<\/a><\/td>\n<\/tr>\n<tr>\n<td>M365 Admin<\/td>\n<td><a href=\"https:\/\/admin.microsoft.com\" target=\"_blank\" rel=\"noopener\">admin.microsoft.com<\/a><\/td>\n<\/tr>\n<tr>\n<td>Exchange Admin<\/td>\n<td><a href=\"https:\/\/admin.exchange.microsoft.com\" target=\"_blank\" rel=\"noopener\">admin.exchange.microsoft.com<\/a><\/td>\n<\/tr>\n<tr>\n<td>Intune<\/td>\n<td><a href=\"https:\/\/intune.microsoft.com\" target=\"_blank\" rel=\"noopener\">intune.microsoft.com<\/a><\/td>\n<\/tr>\n<tr>\n<td>Defender (XDR)<\/td>\n<td><a href=\"https:\/\/security.microsoft.com\" target=\"_blank\" rel=\"noopener\">security.microsoft.com<\/a><\/td>\n<\/tr>\n<tr>\n<td>Purview\/Compliance<\/td>\n<td><a href=\"https:\/\/compliance.microsoft.com\" target=\"_blank\" rel=\"noopener\">compliance.microsoft.com<\/a><\/td>\n<\/tr>\n<tr>\n<td>Teams Admin<\/td>\n<td><a href=\"https:\/\/admin.teams.microsoft.com\" target=\"_blank\" rel=\"noopener\">admin.teams.microsoft.com<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/section>\n<footer>Have questions or want a tailored baseline for your organization\u2019s licenses and regions? 
Drop a comment below.<\/footer>\n<\/main>\n<aside class=\"card\">\n<h3>At a Glance<\/h3>\n<ul>\n<li>Two break\u2011glass admins<\/li>\n<li>Require MFA for all<\/li>\n<li>Block legacy auth<\/li>\n<li>Compliant device required<\/li>\n<li>Safe Links &amp; Attachments<\/li>\n<li>Labels + DLP + Retention<\/li>\n<li>Audit &amp; Sentinel<\/li>\n<li>PIM + Access reviews<\/li>\n<\/ul>\n<h3>Copy\u2011Paste Snippets<\/h3>\n<pre><code># DMARC example\nv=DMARC1; p=quarantine; rua=mailto:dmarc@domain; adkim=s; aspf=s; pct=100<\/code><\/pre>\n<pre><code># Block legacy auth with CA:\nClient apps \u2192 Other clients \u2192 Grant: Block access<\/code><\/pre>\n<h3>Changelog<\/h3>\n<ul>\n<li>v1.0 \u2014 Initial publication<\/li>\n<\/ul>\n<\/aside>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A practical, production\u2011ready guide to ship a secure Microsoft 365 tenant using Entra ID (Azure AD), Conditional Access, Intune, Defender, and Purview \u2014 with rollback safety and validation checklists. 
M365 Azure \/ Entra Conditional Access Intune Defender &amp; Purview Outcome: In a few hours, you\u2019ll have MFA + Conditional Access, device trust with Intune, phishing\/malware defense with Defender, and data<a href=\"https:\/\/nicktailor.com\/tech-blog\/microsoft-365-security-in-azure-entra-step%e2%80%91by%e2%80%91step-deployment-playbook\/\" class=\"read-more\">Read More &#8230;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[146,131],"tags":[],"class_list":["post-2106","post","type-post","status-publish","format-standard","hentry","category-azure","category-security"],"_links":{"self":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/2106","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/comments?post=2106"}],"version-history":[{"count":2,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/2106\/revisions"}],"predecessor-version":[{"id":2111,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/2106\/revisions\/2111"}],"wp:attachment":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/media?parent=2106"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/categories?post=2106"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/tags?post=2106"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}