Multifactor authentication for everyone
Enforce MFA for all users and admins via Conditional Access. New tenants leave most accounts protected by a password alone.
Secure baseline configuration of your Microsoft 365 tenant, aligned with Microsoft best practices and the CIS Microsoft 365 Foundations Benchmark — so your environment is not left in insecure defaults.
Disable legacy/basic auth protocols (POP, IMAP, SMTP AUTH and older clients) that bypass MFA and are allowed by default.
Policies that require MFA, block legacy auth and react to sign-in and user risk (Identity Protection), plus device-based access controls.
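As an added example (not part of the service description above), the two foundation policies of this baseline, require MFA for all users and block legacy authentication, created with the Microsoft Graph PowerShell SDK. Both are created in report-only mode so sign-in impact can be reviewed before enforcement, and both exclude an emergency-access group; the group object ID is a placeholder you must replace.

```powershell
# Added example: baseline Conditional Access policies via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph module and Policy.ReadWrite.ConditionalAccess consent.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the group holding the break-glass (emergency access) accounts.
$breakGlassGroupId = "<object-id-of-emergency-access-group>"

$policies = @(
    @{
        displayName = "Baseline: require MFA for all users"
        # Report-only first; change to "enabled" after reviewing the sign-in log impact.
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
            applications = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{
        displayName = "Baseline: block legacy authentication"
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
            applications = @{ includeApplications = @("All") }
            # Exchange ActiveSync and "other clients" are the legacy protocols that cannot do MFA.
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
)

foreach ($p in $policies) {
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'"
    if ($existing) {
        Write-Host "Already present: $($p.displayName)"
    } else {
        $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
        Write-Host "Created $($created.DisplayName) [$($created.State)] id=$($created.Id)"
    }
}
```

Leaving the policies in report-only for a week and reading the sign-in log "Report-only" tab shows exactly which users and apps would be affected; only then switch `state` to `enabled`, and never remove the emergency-access exclusion.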
Roll out Microsoft Authenticator with number matching and passkeys (FIDO2); remove weak SMS and voice methods.
Keep only a few Global Admins, assign least-privilege roles, and enable PIM for just-in-time, zero-standing admin access.
Two cloud-only emergency admin accounts, excluded from Conditional Access and monitored, so you are never locked out of the tenant.
Enable SSPR with strong methods, banned-password protection and smart lockout against password-spray attacks.
Block users from registering apps, creating tenants and consenting to third-party apps; require admin or verified-publisher consent (auto-block unconfigured OAuth).
Tighten SharePoint/OneDrive sharing (default allows “Anyone” links) and Teams external/guest access to authenticated guests only.
Enable DKIM (off by default) and publish a DMARC quarantine/reject policy to stop spoofing of your domain.
Block external auto-forwarding, disable legacy mail protocols per mailbox, and confirm mailbox audit logging is on.
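The Exchange Online part of the baseline (DKIM, auto-forwarding, legacy mail protocols, mailbox auditing) as an added script example, not code from the service above. It assumes the ExchangeOnlineManagement module is installed and that the admin UPN is replaced with a real one; the DKIM step creates the signing configuration disabled first, because enabling fails until the two selector CNAMEs it reports are published in public DNS.

```powershell
# Added example: Exchange Online hardening with the ExchangeOnlineManagement module.
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.onmicrosoft.com"   # placeholder UPN

# 1. Block automatic forwarding to external domains at both control points.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Report any mailbox-level forwarding that is already in place (common attacker persistence).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Disable legacy mail protocols per mailbox, and tenant-wide so new mailboxes inherit it.
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 4. Confirm mailbox audit logging is on (AuditDisabled must be False).
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

# 5. DKIM for every accepted domain. Create disabled first, publish the CNAMEs, then enable.
foreach ($d in Get-AcceptedDomain) {
    $cfg = Get-DkimSigningConfig -Identity $d.DomainName -ErrorAction SilentlyContinue
    if (-not $cfg) {
        $cfg = New-DkimSigningConfig -DomainName $d.DomainName -Enabled $false
        Write-Host "Publish these CNAMEs for $($d.DomainName), then re-run:"
        Write-Host "  selector1._domainkey -> $($cfg.Selector1CNAME)"
        Write-Host "  selector2._domainkey -> $($cfg.Selector2CNAME)"
    } elseif (-not $cfg.Enabled) {
        # Second run: DNS should be in place, so enabling now succeeds.
        Set-DkimSigningConfig -Identity $d.DomainName -Enabled $true
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run the script twice: the first pass prints the DKIM selector records to publish, the second pass enables signing once DNS has propagated. The forwarding report in step 2 is worth keeping as a recurring check, since a forwarding rule added after the baseline is a classic sign of a compromised mailbox.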
Apply the preset Standard/Strict security policies: anti-phishing and impersonation protection, Safe Links and Safe Attachments.
Onboard Defender for Business, set Intune compliance and mobile app protection policies, and require compliant devices via Conditional Access (Business Premium).
Sensitivity labels and Data Loss Prevention (DLP) policies for sensitive data — a new tenant ships with none.
Review oversharing and apply labels and DLP before enabling Copilot, so AI cannot surface data users should not see.
Confirm the unified audit log and retention, configure alert policies for risky activity, and track Microsoft Secure Score over time.