80 controls · 14 categories

Microsoft 365 Security Hardening Checklist

A default Microsoft 365 tenant leaves dozens of doors unlocked. This checklist walks through 80 CIS-based controls across 13 security domains — from MFA and Conditional Access to email security, SharePoint, Teams, and Secure Score — each prioritized so you fix the highest-impact gaps first.

One-time purchase · instant download · 80 controls with verification & remediation steps

What's inside

80 controls across 14 categories

Every control is plain-language, prioritized by severity, and paired with how to verify it and how to fix it. Organized into 13 sections.

Email: 11
Admin Accounts: 8
Endpoint: 8
Conditional Access: 7
MFA: 6
SharePoint: 6
Logging: 6
Guest Access: 5
App Security: 5
Compliance: 5
Secure Score: 4
Passwords: 4
Teams: 4
OneDrive: 1

Real sample controls

A look at the highest-severity controls

These are taken directly from the checklist — no paraphrasing.

  • M365-01 · CRITICAL · MFA

    Require multi-factor authentication for every user, not just admins.

  • M365-02 · CRITICAL · MFA

    Enforce MFA on all Global Administrator accounts.

  • M365-03 · CRITICAL · MFA

    Block legacy (Basic) authentication protocols with Conditional Access.

  • M365-07 · CRITICAL · Conditional Access

    Run an active Conditional Access policy that requires MFA for all users.

M365 Security Hardening Checklist

$97 one-time
  • 80 prioritized controls
  • Verify & fix steps for each control
  • 14 categories across 13 sections
  • Instant download · lifetime access

By purchasing you agree to our Terms. Digital products are non-refundable once accessed.

Free

Not ready to buy?

Download a free one-page preview of this checklist — the highest-impact controls, no email gate. Want the curated top-10 by email instead? Use the form on the homepage.

Why teams use Strondex

Built by security professionals

Controls drawn from CIS benchmarks, framework requirements, and real-world assessment findings.

Self-serve, no consultant

Plain-language steps you can action yourself — without the $300/hr engagement.

Honest scope

Exactly 80 controls. No inflated counts, no fabricated reviews — see the samples above.

Frequently asked questions

Is this M365 hardening checklist based on CIS benchmarks?

Yes. The 80 controls are built on CIS Microsoft 365 benchmark guidance and organized into 13 practical security domains so you can work through them tenant by tenant.

Do I need Microsoft 365 E5 to apply these controls?

Most controls apply to standard Business and E3 tenants. A handful of advanced controls (such as certain Defender and compliance features) call out the licensing they require so you know what is in scope.

Will hardening break my users’ workflows?

Each control includes verification and remediation guidance so you can roll changes out safely. The checklist flags severity so you can sequence high-impact, low-disruption changes first.