# Security

- [Azure AD (Entra)](/security/azure-ad-entra.md)
  - [MFA Shall Be Required for All Users](/security/azure-ad-entra/mfa-shall-be-required-for-all-users.md)
  - [MFA is enforced on accounts with Highly Privileged Roles](/security/azure-ad-entra/mfa-is-enforced-on-accounts-with-highly-privileged-roles.md)
  - [MFA is enforced for Azure Management](/security/azure-ad-entra/mfa-is-enforced-for-azure-management.md)
  - [MFA registration and usage shall be periodically reviewed](/security/azure-ad-entra/mfa-registration-and-usage-shall-be-periodically-reviewed.md)
  - [Legacy Authentication shall be blocked](/security/azure-ad-entra/legacy-authentication-shall-be-blocked.md)
  - [High Risk Users Shall Be Blocked](/security/azure-ad-entra/high-risk-users-shall-be-blocked.md)
  - [High Risk Sign-Ins Shall Be Blocked](/security/azure-ad-entra/high-risk-sign-ins-shall-be-blocked.md)
  - [Browser Sessions shall not be persistent for privileged users](/security/azure-ad-entra/browser-sessions-shall-not-be-persistent-for-privileged-users.md)
  - [MFA shall be required to enroll devices to Azure AD](/security/azure-ad-entra/mfa-shall-be-required-to-enroll-devices-to-azure-ad.md)
  - [Managed Devices shall be required for authentication](/security/azure-ad-entra/managed-devices-shall-be-required-for-authentication.md)
  - [Guest User Access Shall be restricted](/security/azure-ad-entra/guest-user-access-shall-be-restricted.md)
  - [The number of users with highly privileged roles shall be limited](/security/azure-ad-entra/the-number-of-users-with-highly-privileged-roles-shall-be-limited.md)
  - [Users assigned highly privileged roles shall not have permanent permissions](/security/azure-ad-entra/users-assigned-highly-privileged-roles-shall-not-have-permanent-permissions.md)
  - [Activation of privileged roles should be monitored and require approval](/security/azure-ad-entra/activation-of-privileged-roles-should-be-monitored-and-require-approval.md)
  - [Highly privileged accounts shall be cloud-only](/security/azure-ad-entra/highly-privileged-accounts-shall-be-cloud-only.md)
  - [Highly privileged role assignments shall be periodically reviewed](/security/azure-ad-entra/highly-privileged-role-assignments-shall-be-periodically-reviewed.md)
  - [Passwords shall not expire](/security/azure-ad-entra/passwords-shall-not-expire.md)
  - [Azure AD Logs shall be collected](/security/azure-ad-entra/azure-ad-logs-shall-be-collected.md)
  - [Only Admins shall be allowed to register 3rd party applications](/security/azure-ad-entra/only-admins-shall-be-allowed-to-register-3rd-party-applications.md)
  - [Non-admin users shall be prevented from providing consent to 3rd party applications](/security/azure-ad-entra/non-admin-users-shall-be-prevented-from-providing-consent-to-3rd-party-applications.md)
  - [Authorized Applications shall be configured for Single Sign-On](/security/azure-ad-entra/authorized-applications-shall-be-configured-for-single-sign-on.md)
  - [Inactive accounts shall be blocked or deleted](/security/azure-ad-entra/inactive-accounts-shall-be-blocked-or-deleted.md)
- [Teams](/security/teams.md)
  - [Private Channels shall be utilized to restrict access to sensitive information](/security/teams/private-channels-shall-be-utilized-to-restrict-access-to-sensitive-information.md)
  - [External Participants SHOULD NOT Be Enabled to Request Control of Shared Desktops or Windows in Meet](/security/teams/external-participants-should-not-be-enabled-to-request-control-of-shared-desktops-or-windows-in-meet.md)
  - [Anonymous Users SHALL NOT Be Enabled to Start Meetings](/security/teams/anonymous-users-shall-not-be-enabled-to-start-meetings.md)
  - [Automatic Admittance to Meetings SHOULD Be Restricted](/security/teams/automatic-admittance-to-meetings-should-be-restricted.md)
  - [External User Access SHALL Be Restricted](/security/teams/external-user-access-shall-be-restricted.md)
  - [Unmanaged User Access SHALL Be Restricted](/security/teams/unmanaged-user-access-shall-be-restricted.md)
  - [Contact with Skype Users SHALL Be Blocked](/security/teams/contact-with-skype-users-shall-be-blocked.md)
  - [Teams Email Integration SHALL Be Disabled](/security/teams/teams-email-integration-shall-be-disabled.md)
  - [Only Approved Apps SHOULD Be Installed](/security/teams/only-approved-apps-should-be-installed.md)
  - [File Sharing and File Storage Options shall be blocked](/security/teams/file-sharing-and-file-storage-options-shall-be-blocked.md)
  - [Only the Meeting Organizer SHOULD Be Able to Record Live Events](/security/teams/only-the-meeting-organizer-should-be-able-to-record-live-events.md)
  - [Attachments SHOULD Be Scanned for Malware](/security/teams/attachments-should-be-scanned-for-malware.md)
  - [Link Protection SHOULD Be Enabled](/security/teams/link-protection-should-be-enabled.md)
  - [Restrict Users who can Create Teams Channels](/security/teams/restrict-users-who-can-create-teams-channels.md)
  - [Teams Channels shall have an expiration policy](/security/teams/teams-channels-shall-have-an-expiration-policy.md)
  - [Data Loss Prevention Solutions SHALL Be Enabled](/security/teams/data-loss-prevention-solutions-shall-be-enabled.md)
- [Exchange](/security/exchange.md)
  - [Automatic Forwarding to External Domains SHALL Be Disabled](/security/exchange/automatic-forwarding-to-external-domains-shall-be-disabled.md)
  - [Sender Policy Framework SHALL Be Enabled](/security/exchange/sender-policy-framework-shall-be-enabled.md)
  - [DomainKeys Identified Mail SHOULD Be Enabled](/security/exchange/domainkeys-identified-mail-should-be-enabled.md)
  - [Domain-Based Message Authentication, Reporting, and Conformance SHALL Be Enabled](/security/exchange/domain-based-message-authentication-reporting-and-conformance-shall-be-enabled.md)
  - [Enable Email Encryption](/security/exchange/enable-email-encryption.md)
  - [Simple Mail Transfer Protocol Authentication SHALL Be Disabled](/security/exchange/simple-mail-transfer-protocol-authentication-shall-be-disabled.md)
  - [Calendar and Contact Sharing SHALL Be Restricted](/security/exchange/calendar-and-contact-sharing-shall-be-restricted.md)
  - [External Sender Warnings SHALL Be Implemented](/security/exchange/external-sender-warnings-shall-be-implemented.md)
  - [Data Loss Prevention Solutions SHALL Be Enabled](/security/exchange/data-loss-prevention-solutions-shall-be-enabled.md)
  - [Emails SHALL Be Filtered by Attachment File Type](/security/exchange/emails-shall-be-filtered-by-attachment-file-type.md)
  - [Zero-Hour Auto Purge for Malware SHOULD Be Enabled](/security/exchange/zero-hour-auto-purge-for-malware-should-be-enabled.md)
  - [Phishing Protections SHOULD Be Enabled](/security/exchange/phishing-protections-should-be-enabled.md)
  - [Inbound Anti-Spam Protections SHALL Be Enabled](/security/exchange/inbound-anti-spam-protections-shall-be-enabled.md)
  - [Safe Link Policies SHOULD Be Enabled](/security/exchange/safe-link-policies-should-be-enabled.md)
  - [Safe Attachments SHALL Be Enabled](/security/exchange/safe-attachments-shall-be-enabled.md)
  - [IP Allow Lists SHOULD NOT be Implemented](/security/exchange/ip-allow-lists-should-not-be-implemented.md)
  - [Mailbox Auditing SHALL Be Enabled](/security/exchange/mailbox-auditing-shall-be-enabled.md)
  - [Alerts SHALL Be Enabled](/security/exchange/alerts-shall-be-enabled.md)
  - [Audit Logging SHALL Be Enabled](/security/exchange/audit-logging-shall-be-enabled.md)
  - [Enhanced Filtering Shall be configured if a 3rd party email filtering tool is being used](/security/exchange/enhanced-filtering-shall-be-configured-if-a-3rd-party-email-filtering-tool-is-being-used.md)
- [SharePoint](/security/sharepoint.md)
  - [File and Folder Links Default Sharing Settings SHALL Be Set to Specific People](/security/sharepoint/file-and-folder-links-default-sharing-settings-shall-be-set-to-specific-people.md)
  - [External Sharing SHOULD be Set to “New and Existing Guests”](/security/sharepoint/external-sharing-should-be-set-to-new-and-existing-guests.md)
  - [Sensitive SharePoint Sites SHOULD Adjust Their Default Sharing Settings](/security/sharepoint/sensitive-sharepoint-sites-should-adjust-their-default-sharing-settings.md)
  - [Expiration Times for Guest Access to a Site SHOULD Be Determined by specific needs](/security/sharepoint/expiration-times-for-guest-access-to-a-site-should-be-determined-by-specific-needs.md)
  - [Users SHALL Be Prevented from Running Custom Scripts](/security/sharepoint/users-shall-be-prevented-from-running-custom-scripts.md)
- [OneDrive](/security/onedrive.md)
  - [Anyone Links SHOULD Be Turned Off](/security/onedrive/anyone-links-should-be-turned-off.md)
  - [Expiration Date SHOULD Be Set for Anyone Links](/security/onedrive/expiration-date-should-be-set-for-anyone-links.md)
  - [Link Permissions SHOULD Be Set to Enabled Anyone Links to View](/security/onedrive/link-permissions-should-be-set-to-enabled-anyone-links-to-view.md)
  - [Windows and macOS devices should be prevented from syncing the OneDrive Client on personal devices](/security/onedrive/windows-and-macos-devices-should-be-prevented-from-syncing-the-onedrive-client-on-personal-devices.md)
  - [Legacy Authentication SHALL Be Blocked](/security/onedrive/legacy-authentication-shall-be-blocked.md)
- [Intune](/security/intune.md)
  - [Personal Devices should be restricted from enrolling into the MDM solution](/security/intune/personal-devices-should-be-restricted-from-enrolling-into-the-mdm-solution.md)
  - [Devices shall be deleted that haven’t checked in for over 30 days](/security/intune/devices-shall-be-deleted-that-havent-checked-in-for-over-30-days.md)
  - [Device compliance policies shall be configured for every supported device platform](/security/intune/devices-compliance-policies-shall-be-configured-for-every-supported-device-platform.md)
  - [Noncompliant devices shall be blocked from accessing corporate resources](/security/intune/noncompliant-devices-shall-be-blocked-from-accessing-corporate-resources.md)
  - [MFA Shall be required for Intune Enrollment](/security/intune/mfa-shall-be-required-for-intune-enrollment.md)
  - [Security Baselines should be configured for Windows Devices](/security/intune/security-baselines-should-be-configured-for-windows-devices.md)
  - [Windows Update Rings shall be configured for Windows Devices](/security/intune/windows-update-rings-shall-be-configured-for-windows-devices.md)
  - [Update Policies shall be configured for Apple Devices](/security/intune/update-policies-shall-be-configured-for-apple-devices.md)
  - [App Protection policies should be created for mobile devices](/security/intune/app-protection-policies-should-be-created-for-mobile-devices.md)
  - [Mobile devices shall only be able to access corporate data through approved client apps](/security/intune/mobile-devices-shall-only-be-able-to-access-corporate-data-through-approved-client-apps.md)
  - [Lockout screen and password settings shall be configured for each device](/security/intune/lockout-screen-and-password-settings-shall-be-configured-for-each-device.md)
  - [Encryption shall be required on all devices](/security/intune/encryption-shall-be-required-on-all-devices.md)
  - [Windows Hello for Business should be configured where applicable](/security/intune/windows-hello-for-business-should-be-configured-where-applicable.md)
  - [Authorized Applications should be deployed to managed devices](/security/intune/authorized-applications-should-be-deployed-to-managed-devices.md)
  - [Device Use Shall be restricted until required applications are installed](/security/intune/device-use-shall-be-restricted-until-required-applications-are-installed.md)
  - [Devices and Applications shall be wiped when a user leaves the organization or reports a lost/stolen](/security/intune/devices-and-applications-shall-be-wiped-when-a-user-leaves-the-organization-or-reports-a-lost-stolen.md)
