A Microsoft 365 tenant that's been running for four years without a structured security review is almost always in a worse posture than its owners believe. Not because it was configured badly to begin with, but because M365 is a living platform: default settings change, new attack surfaces appear, Conditional Access exceptions accumulate, and the security controls that were appropriate when a 50-person business bought Business Standard are materially insufficient when that same business has grown to 200 staff on Business Premium.
Tenant hardening as a managed service means applying and maintaining documented security baselines against a defined standard, and keeping them current as the platform evolves. It's distinct from a one-off security assessment: a one-off assessment produces a findings report; a managed hardening programme owns the configuration.
The baseline standard Frontrow works from
Frontrow's M365 tenant hardening baseline draws from three sources: Microsoft's Secure Score recommendations, the ACSC's Essential Eight Maturity Model (particularly the identity and patching controls), and the CIS Microsoft 365 Benchmark. Not every control from every framework applies to every client; the baseline is tiered by licence SKU and risk profile.
The controls below represent the baseline Frontrow applies to Business Premium and E3 tenants at onboarding and at annual renewal. Controls that require E5 or an add-on SKU are noted inline; they're flagged as upgrade triggers rather than immediate requirements for lower-tier clients.
Identity hardening
Identity is the highest-leverage surface in any M365 tenant. The majority of successful M365 compromises that Frontrow sees, typically through incident response referrals or onboarding discoveries, trace back to three identity failures: no MFA on a compromised account, a legacy authentication protocol left enabled, or a Global Administrator account used for routine operations.
1. MFA enforcement via Conditional Access, not Security Defaults. Security Defaults are all-or-nothing, cannot be combined with Conditional Access policies, and offer no way to scope or document exceptions. Every user account, no exceptions without documented risk acceptance.
2. Legacy authentication blocked. Legacy protocols (Basic authentication for Exchange ActiveSync, POP3, IMAP and SMTP AUTH) cannot complete an MFA challenge, so any that remain enabled are an MFA bypass. Microsoft disabled Basic authentication for most Exchange Online protocols in 2022-23, but SMTP AUTH can still be enabled per tenant or per mailbox, so check it explicitly; where a service account genuinely needs it, scope it to that account and monitor the sign-ins.
3. Global Administrator accounts hardened: at most five, all assigned to named humans and used only for tasks that need the role, all cloud-only, all registered with hardware tokens or passkeys, all excluded from automatic licence assignment. Two break-glass accounts are excluded from Conditional Access, stored offline and alerted on at every sign-in.
4. Privileged Identity Management enabled (requires Entra ID P2, which E5 includes and Business Premium and E3 do not): admin roles (Exchange Admin, SharePoint Admin, Teams Admin, Security Admin) assigned as eligible rather than permanent, with time-bounded activation and an approval workflow for Global Admin activation.
5. Microsoft Entra ID Protection enabled (also Entra ID P2), with the Sign-in Risk policy requiring MFA and the User Risk policy requiring a password change at medium risk and above.
6. Conditional Access location controls: Named Locations defined for trusted office egress IPs, a block on sign-ins from countries where the business doesn't operate, and session controls (no persistent browser session, app-enforced restrictions) on unmanaged devices. Atypical travel is detected by Entra ID Protection's sign-in risk, not by Named Locations, so the country block and the risk policy complement rather than replace each other.
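The identity controls above are applied through Conditional Access, and the order matters: find out who still uses legacy protocols before you block them, and stage policies in report-only mode before enforcing. The following is an added example written for this article, not Frontrow's own tooling. It assumes the Microsoft Graph PowerShell SDK, an account holding the listed Graph scopes, and a break-glass group named `SG-BreakGlass` (a placeholder).

```powershell
# Added example (not Frontrow's tooling): audit legacy-auth use, then stage the
# two core Conditional Access policies in report-only mode.
# Assumes Microsoft Graph PowerShell SDK; group name is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Group.Read.All"

# 1. Who still authenticates with legacy protocols? Anything other than "Browser"
#    or "Mobile Apps and Desktop clients" in clientAppUsed cannot satisfy an MFA
#    challenge, so it must be migrated or explicitly excepted before the block.
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$modern = @("Browser", "Mobile Apps and Desktop clients")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $modern } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Break-glass accounts are excluded from every CA policy and alerted on separately.
$breakGlass = (Get-MgGroup -Filter "displayName eq 'SG-BreakGlass'").Id   # placeholder group

# 3. Block legacy authentication. exchangeActiveSync + other covers every
#    non-modern client type. Report-only first; flip state to "enabled" after review.
$blockLegacy = @{
    displayName   = "BASE-001 Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# 4. Require MFA for every user on every application. Security Defaults must be
#    turned off for this policy to take effect; the two cannot coexist.
$requireMfa = @{
    displayName   = "BASE-002 Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa
```

Run the sign-in audit first and keep the output: every row it returns is either a migration task or a documented exception, and the report-only phase should show no unexpected blocks before the state is changed to `enabled`.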
Email and collaboration hardening
Email remains the primary attack vector for most business-email compromise and phishing campaigns targeting Australian organisations. The controls in this section address the inbound attack surface and the outbound reputation risk that comes with a compromised account sending at scale.
1. DMARC at p=quarantine or p=reject. Most tenants publish SPF and DKIM but leave DMARC at p=none, which produces reporting without enforcement. p=quarantine is the defensible minimum; p=reject is the target for stable sending domains. Move up only once the aggregate (rua) reports show every legitimate sender aligned, otherwise the first mail rejected is usually the organisation's own third-party mailing platform.
2. Microsoft Defender for Office 365: anti-phishing policies with impersonation protection for all executives and for the organisation's own domains, Safe Links for all URLs in email and Teams messages, Safe Attachments for all inbound mail.
3. External email warning banners, implemented as an Exchange mail flow rule that prepends a disclaimer to mail from outside the organisation, rather than relying only on client-side settings, so they survive platform and client changes. The native Outlook external-sender tag is a complement, not a replacement.
4. Outbound spam policy with tight recipient limits (for example 200 external recipients per hour for standard users, with the threshold action set to block the user rather than only alert) to limit the blast radius if an account is compromised and used for spam or phishing at scale.
5. Shared mailbox sign-in blocked. Every shared mailbox has an underlying user account; if that account can sign in, the mailbox can be used directly, outside the Full Access, Send As and Send on Behalf delegation that is supposed to govern it. This is a common source of ungoverned email access. Audit these accounts and block sign-in on all of them.
6. Teams external access scoped. Default Teams settings allow federation with any external Teams tenant. For most clients, restricting to named partner tenants or disabling it entirely is lower risk without material productivity impact.
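Four of the six controls above are checked or applied with a handful of Exchange Online and Graph cmdlets. The following is an added example for this article, not Frontrow's tooling. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an Exchange Administrator who also holds `User.ReadWrite.All`, and that the recipient limits and banner text are placeholders to adjust per tenant. `Resolve-DnsName` is Windows-only.

```powershell
# Added example (not Frontrow's tooling): DMARC enforcement check, shared-mailbox
# sign-in block, outbound recipient limits and external-sender banner.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All"

# 1. DMARC: every custom accepted domain should publish p=quarantine or p=reject.
function Test-DmarcEnforcement {
    param([string]$Domain)
    $txt = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue).Strings -join ""
    if (-not $txt) {
        return [pscustomobject]@{ Domain = $Domain; Policy = "none (no record)"; Enforced = $false }
    }
    $policy = if ($txt -match 'p=(none|quarantine|reject)') { $Matches[1] } else { "invalid" }
    [pscustomobject]@{ Domain = $Domain; Policy = $policy; Enforced = ($policy -in @("quarantine", "reject")) }
}
Get-AcceptedDomain | Where-Object { $_.DomainName -notlike "*.onmicrosoft.com" } |
    ForEach-Object { Test-DmarcEnforcement -Domain $_.DomainName } | Format-Table -AutoSize

# 2. Shared mailboxes: the underlying account must not be able to sign in.
#    Delegates reach the mailbox through Full Access / Send As / Send on Behalf.
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | ForEach-Object {
    $user = Get-MgUser -UserId $_.ExternalDirectoryObjectId -Property Id, UserPrincipalName, AccountEnabled
    if ($user.AccountEnabled) {
        Write-Warning "Sign-in enabled on shared mailbox $($user.UserPrincipalName); blocking"
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
    }
}

# 3. Outbound spam policy. Limits are counted in recipients per hour / per day
#    (not messages), and the sender is blocked rather than merely alerted on.
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -RecipientLimitExternalPerHour 200 -RecipientLimitInternalPerHour 500 `
    -RecipientLimitPerDay 1000 -ActionWhenThresholdReached BlockUser

# 4. External sender banner as a mail flow rule, plus the native Outlook tag.
Set-ExternalInOutlook -Enabled $true
New-TransportRule -Name "BASE External sender banner" `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<div style="background:#fff3cd;padding:6px">CAUTION: external sender. Do not open attachments or links you were not expecting.</div>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap
```

The DMARC function reports `Enforced = $false` for a missing record as well as for `p=none`, because in both cases receivers will deliver spoofed mail; treat the two the same in the findings.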
SharePoint and data hardening
SharePoint hardening has become a more urgent priority since Copilot deployment accelerated. The oversharing configurations that were dormant business risks become active, promptable risks the moment Copilot is in the tenant. The controls below apply regardless of whether Copilot is deployed.
1. Tenant-wide sharing settings: 'Anyone' (anonymous) links turned off at tenant level, or allowed only on specific sites with link expiry. An anonymous link is an exfiltration path whose use is logged with an IP address but no identity.
2. Default sharing link type changed to 'People with existing access' (which Frontrow recommends for most clients) or 'Specific people'; never 'Anyone' as the default.
3. SharePoint Advanced Management (SAM), licensed as an add-on for Business Premium and E3 tenants, enables restricted access control policies, site access reviews and data access governance reports. Enable it and schedule quarterly access reviews for sites containing sensitive data.
4. OneDrive sync restrictions: restrict sync to domain-joined or Intune-compliant devices so unmanaged personal devices cannot sync corporate data.
5. Site creation restrictions. By default, all M365 users can create SharePoint sites and M365 Groups. Restrict creation to an IT-managed provisioning process to prevent uncontrolled site proliferation and the ownerless sites that follow it.
6. Sensitivity labels deployed: a minimum three-tier taxonomy (General, Internal, Confidential) with Confidential enforcing encryption. Labels mandatory on all new documents created in Office apps once deployed.
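The tenant-wide sharing, site inventory and OneDrive sync controls above map to the SharePoint Online Management Shell. The following is an added example for this article, not Frontrow's tooling. It assumes the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules, a SharePoint Administrator, and that the tenant name and AD domain GUID are placeholders. It sets the default link to 'Specific people' (`Direct`), which is the one of the two recommended defaults the cmdlet exposes by that name.

```powershell
# Added example (not Frontrow's tooling): tenant sharing baseline, sites that
# still permit 'Anyone' links, past anonymous-link use, and OneDrive sync restriction.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# 1. Tenant defaults: no anonymous links, default link = specific people,
#    view-only by default. The expiry applies if a site is later allowed 'Anyone' links.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View `
              -RequireAnonymousLinksExpireInDays 30

# 2. A site cannot exceed the tenant setting, but list the ones that had been
#    opened to anonymous sharing so owners can be asked whether they still need it.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, Owner, SharingCapability, LastContentModifiedDate |
    Format-Table -AutoSize

# 3. Evidence of past anonymous access. AnonymousLinkUsed events record the
#    client IP and the item, but no identity: that is what makes the path ungoverned.
Connect-ExchangeOnline
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -Operations AnonymousLinkUsed -ResultSize 5000 |
    Select-Object CreationDate, UserIds,
        @{ n = 'ClientIP'; e = { ($_.AuditData | ConvertFrom-Json).ClientIP } },
        @{ n = 'Item';     e = { ($_.AuditData | ConvertFrom-Json).ObjectId } } |
    Format-Table -AutoSize

# 4. OneDrive sync only from devices joined to the listed AD domain(s). Entra-joined
#    devices are gated by the Conditional Access device-compliance policy instead.
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids "00000000-0000-0000-0000-000000000000"   # placeholder GUID
```

Step 3 is the one to run before step 1 in a review, because the audit evidence of anonymous link use is what turns "anonymous sharing is enabled" from a configuration finding into a data-exposure finding with dates and IP addresses attached.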
Device and endpoint hardening
For a managed service client on Business Premium, Microsoft Intune is included and should be the device management baseline. A Frontrow onboarding that finds devices not enrolled in Intune treats enrolment as the first deliverable, ahead of most other configuration work: an unmanaged device connecting to M365 is a control gap that cascades into every other hardening layer.
1. Intune enrolment: all corporate devices enrolled, with Windows Autopilot configured for new device provisioning so that no device ever joins the environment outside policy.
2. Compliance policies: minimum OS version, BitLocker encryption, Defender running and updated, no rooted or jailbroken status for mobile. Non-compliant devices blocked from M365 access via Conditional Access.
3. Windows Autopatch, configured with deployment rings as described in the patching cadence article. Internet-facing devices (laptops) patched within 23 days of Patch Tuesday.
4. Defender for Endpoint baseline deployed via Intune configuration profile. Attack surface reduction rules in Block mode for all rules with low false-positive risk, in Audit mode for rules that need business-process review first, and promoted to Block once the audit events are understood.
5. Application control: Microsoft Defender Application Control (MDAC, now App Control for Business, formerly WDAC) in Audit mode as a minimum; enforced (block) mode for clients targeting Essential Eight Maturity Level 2 or above.
6. Windows Hello for Business: replaces password-based Windows sign-in with a PIN or biometric that unlocks a device-bound key. No password is sent at sign-in, which removes it from the path a keylogger or phishing page sees. It reduces credential-theft exposure but does not by itself eliminate pass-the-hash, since a domain account's NTLM hash still exists until the password is removed or rotated; it complements LSASS protection rather than replacing it.
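Controls 2 and the Conditional Access gate that enforces it are where most "enrolled but not actually protected" tenants fall down: a compliance policy created through Graph without `scheduledActionsForRule` never marks a device non-compliant. The following is an added example for this article, not Frontrow's tooling. It assumes the Microsoft Graph PowerShell SDK, the listed scopes, and that the minimum OS build and break-glass group ID are placeholders.

```powershell
# Added example (not Frontrow's tooling): Windows compliance policy, assignment
# to all devices, a report-only CA gate on compliance, and the devices it would hit.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "DeviceManagementManagedDevices.Read.All",
                        "Policy.ReadWrite.ConditionalAccess"

# 1. Windows compliance policy. scheduledActionsForRule is mandatory when creating
#    via Graph; without it the policy exists but devices are never marked non-compliant.
$compliance = @{
    "@odata.type"           = "#microsoft.graph.windows10CompliancePolicy"
    displayName             = "BASE Windows compliance"
    osMinimumVersion        = "10.0.22631"       # placeholder: oldest build still in support
    bitLockerEnabled        = $true
    secureBootEnabled       = $true
    codeIntegrityEnabled    = $true
    defenderEnabled         = $true
    rtpEnabled              = $true
    antivirusRequired       = $true
    antiSpywareRequired     = $true
    activeFirewallRequired  = $true
    passwordRequired        = $true
    scheduledActionsForRule = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0 }   # non-compliant immediately
            )
        }
    )
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance

# 2. Assign the policy to all devices.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.Id)/assign" `
    -Body @{ assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } }) }

# 3. Conditional Access: only compliant devices reach M365. Report-only first so the
#    devices that would be blocked show up in sign-in logs before anyone is locked out.
$requireCompliant = @{
    displayName   = "BASE-003 Require compliant device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @("<break-glass-group-id>") }  # placeholder
        applications   = @{ includeApplications = @("All") }
        platforms      = @{ includePlatforms = @("windows", "macOS", "iOS", "android") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireCompliant

# 4. What the gate will hit once enforced: devices currently non-compliant.
Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" -All |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, OSVersion, LastSyncDateTime |
    Format-Table -AutoSize
```

Step 4 is the pre-flight check: if it returns devices that belong to executives or to the service desk, that is the list of conversations to have before the policy state is changed to `enabled`.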
Maintaining the baseline over time
The hardening baseline is not a one-time configuration exercise. Microsoft updates security defaults, adds new controls, and retires old ones on a rolling basis. A tenant hardened in Q1 2025 will have drifted from the current baseline by Q1 2026 in at least five to eight settings areas, not through neglect, but because the platform moved.
Frontrow runs a configuration comparison against the current hardening baseline at each quarterly health review, using a combination of the Microsoft Secure Score, Microsoft Entra configuration exports, and manual checks for the settings Secure Score doesn't cover. Configuration drift items are categorised: auto-remediated within the managed service scope, scheduled for a change window, or deferred with a risk acceptance.
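A configuration comparison of the kind described above needs two things: the current Secure Score control states, and a stored snapshot of the Conditional Access policies to diff against, because exclusion drift (a group quietly added to an exclude list) is invisible in Secure Score. The following is an added example for this article, not Frontrow's review tooling. It assumes the Microsoft Graph PowerShell SDK, the listed scopes, and that the baseline file path is a placeholder; the first run writes the snapshot, later runs diff against it.

```powershell
# Added example (not Frontrow's tooling): quarterly drift check. Part 1 lists
# Secure Score controls below their maximum; part 2 diffs live Conditional
# Access policies against a JSON snapshot taken when the tenant was hardened.
Connect-MgGraph -Scopes "SecurityEvents.Read.All", "Policy.Read.All"
$baselinePath = ".\ca-baseline.json"   # placeholder path

# 1. Secure Score gaps, largest first. A state of Ignored or ThirdParty on a control
#    is usually an undocumented risk acceptance and deserves its own line in the review.
$score    = Get-MgSecuritySecureScore -Top 1
$profiles = @{}
Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profiles[$_.Id] = $_ }
$gaps = foreach ($c in $score.ControlScores) {
    $p = $profiles[$c.ControlName]
    if (-not $p) { continue }
    $max = [double]$p.MaxScore
    if ($c.Score -lt $max) {
        $latest = $p.ControlStateUpdates | Sort-Object UpdatedDateTime | Select-Object -Last 1
        [pscustomobject]@{
            Control  = $c.ControlName
            Category = $c.ControlCategory
            Score    = $c.Score
            Max      = $max
            Gap      = $max - $c.Score
            State    = if ($latest) { $latest.State } else { "Default" }
        }
    }
}
$gaps | Sort-Object Gap -Descending | Format-Table -AutoSize

# 2. Conditional Access: normalise each policy to the fields that matter for drift,
#    then compare with the snapshot. "<=" rows exist only in the baseline (removed or
#    renamed); "=>" rows exist only live (added, or changed in one of the listed fields).
function Export-CaSnapshot {
    Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object {
        [pscustomobject]@{
            Name          = $_.DisplayName
            State         = $_.State
            Users         = (@($_.Conditions.Users.IncludeUsers) + @($_.Conditions.Users.IncludeGroups)) -join ","
            ExcludedUsers = (@($_.Conditions.Users.ExcludeUsers) + @($_.Conditions.Users.ExcludeGroups)) -join ","
            Apps          = @($_.Conditions.Applications.IncludeApplications) -join ","
            ClientApps    = @($_.Conditions.ClientAppTypes) -join ","
            Grant         = @($_.GrantControls.BuiltInControls) -join ","
        }
    } | Sort-Object Name
}
$live = Export-CaSnapshot
if (-not (Test-Path $baselinePath)) {
    $live | ConvertTo-Json -Depth 5 | Set-Content $baselinePath
    Write-Host "Baseline snapshot written to $baselinePath; rerun after the next change window to diff."
} else {
    $baseline = Get-Content $baselinePath -Raw | ConvertFrom-Json
    $props    = "Name", "State", "Users", "ExcludedUsers", "Apps", "ClientApps", "Grant"
    Compare-Object -ReferenceObject $baseline -DifferenceObject $live -Property $props |
        Sort-Object Name | Format-Table -AutoSize
}
```

Each row the diff returns lands in one of the three drift buckets described above: auto-remediated, scheduled for a change window, or deferred with a risk acceptance, at which point the snapshot is regenerated so the accepted state becomes the new baseline.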
A NSW professional services firm Frontrow onboarded in 2024 had been with a previous MSP for six years. The tenant review at onboarding found 23 legacy Conditional Access policies (several conflicting), anonymous link sharing enabled globally, no DMARC enforcement, PIM not deployed, and three Global Administrator accounts used for routine operations by engineers. None of these were introduced deliberately; they accumulated through M365's own evolution and the absence of a structured review cadence.
Check your Essential Eight posture
The Essential Eight includes identity, patching and application control strategies that overlap directly with M365 tenant hardening. Score each of the eight strategies below honestly at one of its four maturity levels (0 to 3; Maturity Level 2 is the pragmatic target for most organisations) for an initial posture read before a detailed review. Each strategy maps to Microsoft 365 tooling that closes the gap.
1. Application control: only approved applications can execute on workstations and servers.
2. Patch applications: internet-facing apps, browsers, Office and PDF readers patched promptly.
3. Microsoft Office macros: macros disabled unless from trusted locations and signed by a trusted publisher.
4. User application hardening: web browsers and productivity apps hardened against the most common attacks.
5. Restrict administrative privileges: admin accounts limited, separated and reviewed, the crown jewels of the tenant.
6. Patch operating systems: operating system patches applied on a schedule that matches the risk.
7. Multi-factor authentication: MFA everywhere that matters, covering privileged accounts, remote access and important data.
8. Regular backups: backups of important data, configuration and software, and restores you have actually tested.