M365 ships permissive — that's its design. Hardening is a deliberate set of moves. This checklist is the pragmatic order-of-operations we run on Indian BFSI tenants, sequenced so the biggest risk reduction lands in the first afternoon.

1. Identity foundation (do these first)

Block legacy authentication tenant-wide
Enforce MFA on all users via Conditional Access (not Security Defaults)
Privileged Identity Management (PIM) for all Global Admin / Exchange Admin / SharePoint Admin roles
Break-glass account: 2 cloud-only accounts excluded from CA, 24+ char passwords, alerting on use
Disable self-service password reset for privileged accounts

2. Conditional Access policies

Require MFA for all users
Block sign-in from countries you don't operate in
Require compliant device for admins
Block legacy auth (yes, again — this catches misconfig)
Require approved client app (Outlook / Edge) for mobile
Session controls: web session 8 hours, persistent browser session disabled for sensitive apps

3. Email + anti-phishing

Enable SPF, DKIM, DMARC on every accepted domain — DMARC at p=reject after 30 days at p=quarantine
Anti-phishing policy with mailbox-intelligence + impersonation protection
External tagging on all inbound external email
Safe Links + Safe Attachments enabled with detonation
Auto-forwarding to external addresses blocked tenant-wide

4. Audit + monitoring

Unified audit log enabled tenant-wide
Mailbox audit enabled with Owner action set
Sign-in logs forwarded to SIEM
Defender for Office 365 alerts forwarded to SOC
Microsoft Defender for Cloud Apps connected for OAuth-app + anomaly detection

5. Sharing + DLP

OneDrive + SharePoint external sharing limited to allowed-domain list
Anonymous links disabled or time-bound (≤14 days)
DLP policy covering PAN, Aadhaar, account numbers — at least 'audit + tip' mode
Sensitivity labels published for Confidential / Restricted classifications

6. App + integration governance

User OAuth-app consent restricted to verified-publisher apps with low-risk permissions
Admin consent workflow enabled for higher-risk permissions
Quarterly review of granted enterprise apps + their permissions
Power Automate / Power Apps DLP policies prevent business-data ↔ social connector flows

Order matters.

If you only have one afternoon, do section 1 — block legacy auth, enforce MFA via CA, and harden privileged accounts. That single afternoon eliminates 80% of the M365 attack surface.

Engage Macksofy

Need this in production, not on paper?

Macksofy offers full-service engagements that map directly to this resource. Common starting points:

Or talk to a senior consultant — fixed-price proposal in 48 hours.