Establish main tenant administrator with strong password and MFA and create a break glass global admin account using yourtenet.onmicrosoft.com so if a mistake is made you can still login to Office 365 as a global admin.
Enable/Verify that modern authentication is enabled and or enable security defaults in azure AD, if you are deploying hybrid configure conditional access rules so your Exchange service account is never prompted for 2fa from your exchange servers IP.
Setup tenant profile with organization information: https://admin.microsoft.com/AdminPortal/Home#/companyprofile
Configure Account Recovery Options: https://aka.ms/ssprsetup
Grant Delegated Admin to CSP (if MS Partner)
Disable self service Purchases across the board:
Install-Module -Name MSCommerce #once you install you should remove this line
Import-Module -Name MSCommerce
Connect-MSCommerce #sign-in with your global or billing administrator account when prompted
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | forEach {
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductID -Enabled $false }
Consider limiting group creation so that only users of the group “Group Admins” security group are allowed to create office 365 groups: https://docs.microsoft.com/en-us/office365/admin/create-groups/manage-creation-of-groups?view=o365-worldwide
Configure Tenant alerts email addresses as a distribution group and set it in powershell.
Set-AzureADTenantDetail -SecurityComplianceNotificationMails "[email protected]" - TechnicalNotificationMails "[email protected]" -MarketingNotificationEmails "[email protected]"
- Enable Unified Audit Logging
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True
- Enable Mailbox Audit Logging
$AuditSettings = @{
AuditEnabled = $True AuditLogAgeLimit = 365 AuditOwner =
"Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update,UpdateCale ndarDelegation,UpdateFolderPermissions,UpdateInboxRules"
AuditDelegate = "Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelet e,Update,UpdateFolderPermissions"
AuditAdmin = "Copy,Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,Soft Delete,Update,UpdateCalendarDelegation,UpdateFolderPermissions,UpdateInboxRules"
}
Get-Mailbox | Set-Mailbox @AuditSettings
- Set Language and Time Zone for All Users this will save them a step when they first sign in
Get-Mailbox | Get-MailboxRegionalConfiguration | ? {$_.TimeZone -eq $null} | Set-MailboxRegionalConfiguration -Language 1033 -TimeZone "Central Standard Time"
- Increase Deleted Item Retention from 14 to 30 Days
Get-Mailbox -ResultSize unlimited | Set-Mailbox -RetainDeletedItemsFor 30
- Show mailtip for External Recipients
Set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $True
- Show mailtip for large number of recipients (Shows tip Beyond threshold)
Set-OrganizationConfig -MailTipsLargeAudienceThreshold 10
- Set Outbound Spam Notifications
Set-HostedOutboundSpamFilterPolicy Default -NotifyOutboundSpam $true - NotifyOutboundSpamRecipients “[email protected]”
- Prevent Inbox Rules Forwarding Messages Externally, strongly recommend.
Set-RemoteDomain Default -AutoForwardEnabled $false
- Prepend Disclaimer on External Messages
$TransportSettings = @{
Name = 'External Sender Warning'
FromScope = 'NotInOrganization'
SentToScope = 'InOrganization'
ApplyHtmlDisclaimerLocation = 'Prepend' ApplyHtmlDisclaimerText = "<p><div style='border:solid #9C6500
1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line- height:12.0pt;background:#FFEB9C'><b><span style='font- size:10.0pt;color:#9C6500'></span></b><span style='font- size:10.0pt;color:black'>[EXTERNAL]<o:p></o:p></span></p>"
ApplyHtmlDisclaimerFallbackAction = 'Wrap' }
New-TransportRule @TransportSettings
- Increase OneDrive Deleted User Retention (up to 3650 days) no typo 10 years is correct and can be configured.
Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod 180
- Disable IMAP / POP Protocols For Current Users, also strongly recommend.
Get-CASMailbox -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" } | Select-Object @{n = "Identity"; e = {$_.primarysmtpaddress}} | Set-CASMailbox -ImapEnabled $false -PopEnabled $false
and for Future Users
Get-CASMailboxPlan -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" } | set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false
- If migrating a large environment call Microsoft and ask them to disable throttling for your tenet.