Office 365 Best Practices Checklist
 Find an experienced Technology partner to assist
with navigating Office 365
 Review your Microsoft Secure Score at
https://security.microsoft.com/securescore
 Require MFA for all users
 Disable POP/IMAP/SMTP Auth
 Block sign-in for terminated employees, forwarding
mailboxes, shared mailboxes
 Unique passwords for all users
 Supplement Microsoft's backups
 Turn on audit data recording
 Block client forwarding rules
 Set outbound spam notifications
 Turn on mailbox auditing for all users
 Consume audit data weekly
 No transport rule to external domains
 Do not use mail flow rules that bypass anti-spam
protection
 Review mailbox forwarding rules weekly
 Review mailbox access by non-owners bi-weekly
 Review malware detections report weekly
 Designate more than one global admin
 Do not use mail forwarding rules to external
domains
 Designate fewer than 5 global admins
 Do not expire passwords
 Do not allow anonymous calendar sharing
 Do not allow calendar details sharing
 Use limited administrative roles
 Do not allow mailbox delegation
 Turn on sign-in risk policy
 Turn on user risk policy
 Enable policy to block legacy authentication
 Activate mobile device management services
 Require mobile devices to use a password
 Require mobile devices to block access and
report policy violations
 Require mobile devices to manage email
profile
 Do not allow simple passwords on mobile
devices
 Require mobile devices to use alphanumeric
password
 Require mobile devices to use encryption
 Require mobile devices to lock if inactive
 Require mobile devices to have minimum
password length
 Require mobile devices to wipe on multiple
sign-in failures
 Block jail broken or rooted mobile devices from
connecting
 Remove mobile device policies that expire
passwords
 Reduce mobile device password re-use