Security roadmap - Top priorities for the first 30 days, 90 days, and beyond

Is this page helpful?

Any additional feedback?

Feedback will be sent to Microsoft: By pressing the submit button, your feedback will be used to improve Microsoft products and services. Privacy policy.

Note

Want to experience Microsoft 365 Defender? Learn more about how you can evaluate and pilot Microsoft 365 Defender.

This article includes top recommendations from Microsoft's cybersecurity team for implementing security capabilities to protect your Microsoft 365 environment. This article is adapted from a Microsoft Ignite session — Secure Microsoft 365 like a cybersecurity pro: Top priorities for the first 30 days, 90 days, and beyond. This session was developed and presented by Mark Simos and Matt Kemelhar, Enterprise Cybersecurity Architects.

In this article:

• Roadmap outcomes
• 30 days — powerful quick wins
• 90 days — enhanced protections
• Beyond

Roadmap outcomes

These roadmap recommendations are staged across three phases in a logical order with the following goals.

Time frame	Outcomes
30 days	Rapid configuration: Basic admin protections. Logging and analytics. Basic identity protections. Tenant configuration. Prepare stakeholders.
90 days	Advanced protections: Admin accounts. Data and user accounts. Visibility into compliance, threat, and user needs. Adapt and implement default policies and protections.
Beyond	Adjust and refine key policies and controls. Extend protections to on-premises dependencies. Integrate with business and security processes (legal, insider threat, etc.).

30 days — powerful quick wins

These tasks can be accomplished quickly and have low impact to users.

Area	Tasks
Security management	Check Secure Score and take note of your current score (https://security.microsoft.com/securescore). Turn on audit logging for Office 365. See Search the audit log. Configure Microsoft 365 for increased security. Regularly review dashboards and reports in the Microsoft 365 Defender portal and Defender for Cloud Apps.
Threat protection	Connect Microsoft 365 to Microsoft Defender for Cloud Apps to start monitoring using the default threat detection policies for anomalous behaviors. It takes seven days to build a baseline for anomaly detection. Implement protection for admin accounts: Use dedicated admin accounts for admin activity. Enforce multi-factor authentication (MFA) for admin accounts. Use a highly secure Windows device for admin activity.
Identity and access management	Enable Azure Active Directory Identity Protection. For federated identity environments, enforce account security (password length, age, complexity, etc.).
Information protection	Review example information protection recommendations. Information protection requires coordination across your organization. Get started with these resources: Office 365 Information Protection for GDPR Configure Teams with three tiers of protection (includes sharing, classification, Microsoft Purview data loss prevention, and Azure Information Protection)

90 days — enhanced protections

These tasks take a bit more time to plan and implement but greatly increase your security posture.

Area	Task
Security management	Check Secure Score for recommended actions for your environment (https://security.microsoft.com/securescore). Continue to regularly review dashboards and reports in the Microsoft 365 Defender portal, Defender for Cloud Apps, and SIEM tools. Look for and implement software updates. Conduct attack simulations for spear-phishing, password-spray, and brute-force password attacks using Attack simulation training (included with Office 365 Threat Intelligence. Look for sharing risk by reviewing the built-in reports in Defender for Cloud Apps (on the Investigate tab). Check Compliance Manager to review status for regulations that apply to your organization (such as GDPR, NIST 800-171).
Threat protection	Implement enhanced protections for admin accounts: Configure Privileged Access Workstations (PAWs) for admin activity. Configure Azure AD Privileged Identity Management. Configure a security information and event management (SIEM) tool to collect logging data from Office 365, Defender for Cloud Apps, and other services, including AD FS. The audit log stores data for only 90 days. Capturing this data in SIEM tool allows you to store data for a longer period.
Identity and access management	Enable and enforce MFA for all users. Implement a set of conditional access and related policies.
Information protection	Adapt and implement information protection policies. These resources include examples: Office 365 Information Protection for GDPR Configure Teams with three tiers of protection Use data loss prevention policies and monitoring tools in Microsoft Purview for data stored in Microsoft 365 (instead of Defender for Cloud Apps). Use Defender for Cloud Apps with Microsoft 365 for advanced alerting features (other than data loss prevention).

Beyond

These are important security measures that build on previous work.

Area	Task
Security management	Continue planning next actions by using Secure Score (https://security.microsoft.com/securescore). Continue to regularly review dashboards and reports in the Microsoft 365 Defender portal, Defender for Cloud Apps, and SIEM tools. Continue to look for and implement software updates. Integrate eDiscovery into your legal and threat response processes.
Threat protection	Implement Secure Privileged Access (SPA) for identity components on premises (AD, AD FS). Use Defender for Cloud Apps to monitor for insider threats. Discover shadow IT SaaS usage by using Defender for Cloud Apps.
Identity and access management	Refine policies and operational processes. Use Azure AD Identity Protection to identify insider threats.
Information protection	Refine information protection policies: Microsoft 365 and Office 365 sensitivity labels and data loss prevention (DLP), or Azure Information Protection. Defender for Cloud Apps policies and alerts.

Also see: How to mitigate rapid cyberattacks such as Petya and WannaCrypt.