M365 Tips to secure your tenant

 




🔐 5 Quick CIS Security Wins to Strengthen Your Microsoft 365 Tenant Today

 

As IT professionals, we all want a secure tenant, but between tickets, deployments, and patching, configuring new settings in Intune, Entra, Defender, etc. security hardening often gets pushed to ‘will do later.’

The problem?
Attackers will never wait us!

I found a couple of settings, some of them so simple, but we miss them because we are always busy. I was digging in Defender and M365 Admin Center:

1.      📅 CIS Benchmark L2 for M365 recommended to disable calendar share with external.

 

One of the main reasons attackers need to know about your organization before they attack it is that if we allow our users to publicly share their calendars, it can help attackers learn more about the organization and its users. They can then use this information to exploit situations like when employees are out of the office, traveling, etc. 

2.      👉Teams & Groups, CIS Benchmark L2 for M365 recommends changing your default Teams group from Public to Private. Teams & Groups.

When your Teams groups are public, it means anything shared with the group members can be accessed by anyone within the organization (not from outside) without needing permission from the owner. The same applies to SharePoint, such as adding themselves to public groups in Azure, requesting access through group applications, accessing SharePoint URLs, etc. Once you change it to ‘Private’, no one can access without permission from the group owners.

3.      🔐Customer Lockbox: CIS Benchmark L2 for M365 recommends checking the box; this helps M365 Admins secure their tenant, so Microsoft Engineers need to grant access to their tenant before providing support or troubleshooting.

 

4.      🛡 CIS Benchmark L2 for M365 Security, under ‘Safe links’ recommended to

uncheck "Do not rewrite URLs, do checks via SafeLinks API only" because if you keep it checked, this will scan only URLs received through SafeLinks API (Microsoft’s secure link scanning service), and will not process URLs outside this service. This approach prevents URLs from being altered or rewritten, providing safer click-through experiences for users.

Uncheck “Let users click through to the original URL” to ensure all links are scanned at the time of click and rewritten if safe, preventing bypass of protection.

 

5.      🛡CIS Benchmark L2 for M365 Security, under ‘Notify an admin about undelivered message from internal senders.’

The primary security reason for this is critical, it allows the admin to detect and address malware-infected messages before they reach recipients.

It also gives the admin a clear audit trail and alerts security teams so they can respond quickly.

I hope these tips help to secure your tenants.

 

 

Comments

Post a Comment

Popular posts from this blog

New LAPS for Windows 11 24H2

Image
  Windows LAPS automatically manages and backs up the password of a local administrator account on devices joined to Microsoft Entra ID (formerly Azure AD) or Windows Server Active Directory. This feature helps protect against pass-the-hash and lateral-traversal attacks, enhances security for remote help desk scenarios, and facilitates device recovery if they become inaccessible.   As many of you know, LAPS for Entra joined devices was announced around 2023 and has worked perfectly since then on Entra, Hybrid, joined, and On-premises devices via AD as well. One of the big challenges we all know is that the first version (if I can say that) of LAPS did not allow you to create a new custom admin account or change the existing admin account, which meant we had to use custom configuration or scripts to do that.   Microsoft announced the new LAPS about 3 weeks ago via Arnab Mitra, Sr. Program Manager at Microsoft, and it was a great announcement. Let us go ahead and co...
Read more

Why Your Devices Are Skipping Updates in SCCM and Intune – And How to Fix It Fast

Image
  Ever wondered why some devices in your organization stubbornly refuse to get updates despite being in SCCM or Intune? This represents a common challenge faced by administrators during the implementation of security patches. Administrators endeavor to fulfill their responsibilities and meet the expectations of the security, compliance teams, and management. I was among those 😒 who initiated a hot seat challenge from August to October 2025. Many customers were affected, regardless of their Endpoint Management system, whether SCCM or Intune. Some of their devices repeatedly failed despite ongoing efforts 🙄 . Why should I care? When you work with Endpoints, you're engaging with your compliance and cybersecurity team, who want to make sure there are no security risks. They focus on Security Zero Trust and Conditional Access, so your users can smoothly access your organization's resources without being blocked just because a device isn't marked as compliant.    ...
Read more

How to block TikTok or other social media

Image
Have you considered blocking social media platforms like Facebook, TikTok, and others on corporate devices?   Many government entities in our community want to restrict access to social media on their official devices rather than personally owned devices (BYOD). There are several reasons for this. For example, in the USA, TikTok was blocked and unblocked.   There are many ways to do this, such as Firewall, Network, Microsoft Defender, and so on. However, I will discuss how to do it via Intune. Create a Policy:         Create a New Policy: Name it as you want and add the description.     Configuration settings > add settings > and search for “URL blocking” and pick both Google Chrome and Microsoft Edge. And pick the one for the device, not the user, did not work for me. Then add the URL you want to block to “ Block access to a list of URLs (Device)”. I went a little further by disallowing the users to run the TikTok application “...
Read more