Modern Workplace Services

The Enterprise M365 Baseline

A fully standardized, production-ready Microsoft 365 environment built on industry security frameworks. Phish-resistant by design, automated from day one, and deployed in hours — not weeks.

What You Get Out of the Box

Every deployment includes these capabilities from day one.

  • Phish-Resistant Environment
  • Secure Score 80%+
  • Permanent SSO
  • Auto Device Enrollment
  • Defender EDR
  • BitLocker Encryption
  • OneDrive Auto-Backup
  • Windows Hello for Business

01 / Security Best Practices

Zero Trust Security, By Default

The baseline is built on Zero Trust principles — never trust, always verify. Every access request is authenticated, authorized, and continuously validated regardless of network location, user, or device.

Verify Explicitly

Every sign-in is evaluated against identity, device health, location, and risk signals — no implicit trust granted by default.

Least Privilege Access

Users and devices receive only the minimum access needed. Admin rights are stripped, guest permissions scoped, and privileged roles tightly controlled.

Assume Breach

The environment is designed assuming attackers may already be present — segmentation, monitoring, and automated incident response are built in from day one.

Identity Protection

Entra ID Identity Protection continuously evaluates sign-in and user risk, triggering automated remediation when anomalies are detected.

Device Trust Enforcement

Only Intune-managed and compliant devices can access company resources. Unmanaged endpoints are blocked at the Conditional Access layer.

Microsoft Framework Aligned

Configurations align with Microsoft's Zero Trust deployment guidance and industry security frameworks out of the box.

02 / Compliance Policies

Device Compliance as the Access Gate

Company data is accessible only from registered devices meeting vital security criteria. High-risk, unmanaged computers are blocked automatically — creating a phish-resistant perimeter.

Why this makes the environment phish-resistant

Modern phishing attacks — including tools like Evilginx — bypass traditional MFA by stealing session tokens or browser cookies from compromised devices. With device compliance enforcement, stolen credentials and session tokens are useless: Microsoft 365 continuously re-evaluates device compliance on every request, so an attacker authenticating from an unmanaged device is blocked instantly — even with valid credentials and a stolen session cookie.

InfoStealer malware follows the same logic — it can extract saved passwords and session tokens from a compromised browser, but the access attempt will fail because the attacker's device is not Intune-compliant. No managed device, no access.

Device Requirements Enforced

  • Drive encryption (BitLocker / FileVault) must be active
  • Antivirus solution running and up to date
  • Minimum OS version enforced — no outdated systems
  • Secure Boot and TPM presence validated
  • Firewall must be enabled and reporting

Non-Compliant Device Options

Users on non-compliant or unmanaged computers can optionally authenticate via phish-resistant methods for browser-only access:

  • YubiKey (USB security key) — phish-resistant sessions
  • Passkey-grade MFA for browser access
  • No local data sync permitted outside managed devices

Evilginx / AiTM Phishing

Session tokens are bound to device compliance. Even a stolen token cannot be used from a non-compliant device — the Conditional Access check blocks the request.

InfoStealer Malware

Malware extracting browser cookies or saved credentials from a compromised PC cannot replay them — access is denied because the attacker's device is not enrolled or compliant.

Credential Stuffing

Leaked username and password combinations are useless without a managed, compliant device. Attackers cannot satisfy the Conditional Access policy from an unknown machine.

03 / Conditional Access

Zero Trust Conditional Access Policies

Five layered policies enforce Zero Trust authentication. Exclusions and extra rules can be scoped per user or device using Security Groups.

Policy 01: MFA Enrollment Required

Microsoft MFA must be used — all users are required to enroll, including configuring multiple password-reset options.

All Users · Required
Policy 02: Azure Virtual Desktop Access

AVD is accessible with standard MFA. Security can be increased to require phish-resistant MFA for AVD sessions.

AVD · Phish-Resistant Option
Policy 03: Browser Access to Microsoft 365

Browser access to all M365 resources requires phish-resistant MFA — via YubiKey, Intune-compliant device, or App Protection Policy device. Session persistence is disabled. Sessions time out after 8 hours.

Browser · 8h Timeout · No Persistent Session · YubiKey / Compliant / APP
Policy 04: Locally Installed Applications

Applications such as Teams and Outlook can only be accessed from Intune-managed devices. This ensures no company data is synced to unprotected computers and all data remains on encrypted, managed devices.

Teams · Outlook · Intune-Managed Only
Policy 05: Extra Security Rules & Exclusions

Additional rules and targeted exclusions can be applied granularly using Security Groups — for example, service accounts, break-glass accounts, or legacy application exceptions.

Security Groups · Granular · Configurable

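Policy 03 above (phish-resistant MFA or a compliant device for browser access, no persistent session, 8-hour timeout) expressed with the Microsoft Graph PowerShell SDK, as an added example that is not the baseline's own automation. It assumes a break-glass exclusion group named CA-Exclude-BreakGlass exists, and it creates the policy in report-only mode so sign-in logs can be reviewed before enforcement.

```powershell
# Added example (not the baseline's own automation): policy 03 as a Graph Conditional Access policy.
# Assumed: a security group "CA-Exclude-BreakGlass" holding the break-glass accounts already exists.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All" -NoWelcome

# A policy that targets All Users must exclude the break-glass accounts, or a misconfiguration locks everyone out.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'" | Select-Object -First 1
if (-not $breakGlass) { throw "Break-glass exclusion group not found; refusing to create an All Users policy." }

# Built-in authentication strength "Phishing-resistant MFA" (FIDO2 keys/passkeys, Windows Hello for Business, certificates).
$phishResistantStrengthId = "00000000-0000-0000-0000-000000000004"

$policy = @{
    displayName = "CA03 - Browser access: phish-resistant MFA, compliant device or app protection"
    state       = "enabledForReportingButNotEnforced"   # report-only first; switch to "enabled" after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser")                    # policy 04 covers desktop/mobile clients separately
    }
    grantControls = @{
        operator               = "OR"
        builtInControls        = @("compliantDevice", "compliantApplication")  # Intune-compliant device, or App Protection Policy
        authenticationStrength = @{ id = $phishResistantStrengthId }           # ... or YubiKey / passkey-grade MFA
    }
    sessionControls = @{
        persistentBrowser = @{ isEnabled = $true; mode = "never" }             # no "stay signed in"
        signInFrequency   = @{ isEnabled = $true; type = "hours"; value = 8 }  # 8-hour session timeout
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created '$($created.DisplayName)' [$($created.Id)] in state $($created.State)"
```

While the policy is in report-only state, the "Report-only" tab of the Entra sign-in logs shows which sign-ins would have been blocked, which is the check to run before changing the state to enabled.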
04 / Device Drive Encryption

Encryption Enforced Across All Platforms

Intune configuration profiles auto-encrypt Windows and Mac local drives. Recovery keys are stored securely in Entra ID. USB drives can be encrypted with a password.

Windows — BitLocker

Auto-encryption enforced via Intune. Recovery keys escrowed to Entra ID.

Requirements

  • Secure Boot must be enabled
  • TPM 1.2 or higher required
  • BIOS mode must be UEFI

macOS — FileVault

Mac drives are auto-encrypted via Intune configuration profiles. Recovery keys are stored in Entra ID for centralized management.

Mobile & USB

  • iOS and Android: encrypted via App Protection Policies or full Intune enrollment profiles
  • USB drives: can be encrypted with a password using Intune policy

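A device-side readiness check for the Windows requirements listed above (Secure Boot, TPM 1.2 or higher, UEFI) together with the current BitLocker and recovery-key escrow state, as an added example that is not part of the baseline's Intune profiles. It uses only the built-in BitLocker, TPM and Secure Boot cmdlets and must run in an elevated session on an Entra-joined device.

```powershell
# Added example (not the baseline's own scripts): verifies the BitLocker prerequisites above on a device
# and escrows an existing recovery password to Entra ID if the drive was encrypted before enrollment.
function Test-BitLockerReadiness {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $result = [ordered]@{}

    # Firmware mode: the TPM-backed BitLocker flow requires UEFI, not legacy BIOS.
    $result.UefiFirmware = ($env:firmware_type -eq 'UEFI')

    # Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS machines.
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBoot = $false }

    # TPM presence, readiness and spec version. Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38".
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    $specMajor = if ($spec) { [double](($spec -split ',')[0].Trim()) } else { 0 }
    $result.TpmPresent   = [bool]$tpm.TpmPresent
    $result.TpmReady     = [bool]$tpm.TpmReady
    $result.TpmVersionOk = ($specMajor -ge 1.2)

    # Current BitLocker state of the OS drive and whether a recovery password protector exists to escrow.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $result.ProtectionOn        = ($vol.ProtectionStatus -eq 'On')
    $result.VolumeStatus        = $vol.VolumeStatus
    $result.EncryptionMethod    = $vol.EncryptionMethod
    $result.HasRecoveryPassword = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    $result.Ready = $result.UefiFirmware -and $result.SecureBoot -and $result.TpmPresent -and $result.TpmReady -and $result.TpmVersionOk
    [pscustomobject]$result
}

$state = Test-BitLockerReadiness
$state | Format-List

# A drive encrypted before enrollment has no key in Entra ID; back up its recovery password protector.
if ($state.ProtectionOn -and $state.HasRecoveryPassword) {
    $kp = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $kp.KeyProtectorId
}
```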
05 / Windows Hello for Business

Passwordless MFA at Sign-In

Users configure Windows Hello for Business during first sign-in. PIN, fingerprint, facial recognition, and Bluetooth phone are all supported as second factors.

Supported Authentication Factors

  • PIN
  • Fingerprint
  • Face Recognition
  • Bluetooth Phone

Deployment Notes

  • Users are guided through WHFB configuration on first sign-in
  • Two-factor sign-in is enabled by default (any combination of PIN, fingerprint, camera, or Bluetooth)
  • Per-device exclusions can be set using Security Groups (e.g., shared kiosks or legacy hardware)

06 / Mobile App Protection Policies

Secure Microsoft Apps Without Full Enrollment

App Protection Policies secure Microsoft applications on iOS and Android without requiring full Intune enrollment — improving the user experience without sacrificing security. Full enrollment is required for native app access.

1. App Authentication

PIN code, Face ID, or fingerprint required to open any Microsoft app on mobile.

2. Data Encryption

Encryption applied to all Microsoft app data. iOS and Android backups of app data are disabled.

3. OneDrive-Only Storage

Data storage within Microsoft apps is limited to OneDrive, preventing leakage to personal cloud storage.

4. Defender for Endpoint Required

Microsoft Defender must be installed on the device for vulnerability management and threat signals.

5. Minimum OS Enforced

Devices on unsupported OS versions are blocked. Older phones unable to update must be replaced.

6. Rooted Devices Blocked

Rooted or jailbroken devices are automatically blocked from accessing company data via Microsoft apps.

07 / Windows Firewall & Defender Exclusions

Centrally Controlled — No Local Overrides

Local merge for Firewall and Defender exclusions has been disabled. This prevents malware from creating its own exclusions before downloading a payload — a common attack vector.

0 Default Exclusions

No exclusions are configured by default

All Inbound Blocked

All unsolicited inbound connections are blocked by default

Intune-Only Exclusions

Any required exclusions must be configured centrally via Intune
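A verification script for the posture described above, as an added example that is not the baseline's own Intune profile: it checks on an endpoint that Defender no longer merges locally added exclusions, that every firewall profile is on and blocks unsolicited inbound traffic, that locally created firewall rules are ignored, and it lists any exclusions that do exist. Run it elevated; recent Defender builds hide the exclusion lists from non-admin sessions.

```powershell
# Added example (not the baseline's own profile): confirms "no local overrides" has applied on a device.
function Test-LocalOverrideLockdown {
    $mp = Get-MpPreference
    $findings = @()

    # Defender: local admins must not be able to merge their own exclusions/ASR settings with the central policy.
    if (-not $mp.DisableLocalAdminMerge) {
        $findings += "Defender: DisableLocalAdminMerge is off; locally added exclusions would merge with policy."
    }
    # Any exclusion present should be traceable to an Intune policy; the baseline ships with none.
    foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
        $values = $mp.$kind
        if ($values) { $findings += "Defender: $kind configured: $($values -join ', ')" }
    }

    # Firewall: every profile must be enabled, block unsolicited inbound, and ignore locally created rules.
    foreach ($profile in Get-NetFirewallProfile) {
        $p = $profile.Name
        if ($profile.Enabled -ne 'True') {
            $findings += "Firewall [$p]: profile is not enabled."
        }
        if ($profile.DefaultInboundAction -ne 'Block') {
            $findings += "Firewall [$p]: default inbound action is $($profile.DefaultInboundAction), expected Block."
        }
        if ($profile.AllowLocalFirewallRules -ne 'False') {
            $findings += "Firewall [$p]: local firewall rules are merged (AllowLocalFirewallRules=$($profile.AllowLocalFirewallRules))."
        }
        if ($profile.AllowLocalIPsecRules -ne 'False') {
            $findings += "Firewall [$p]: local IPsec rules are merged (AllowLocalIPsecRules=$($profile.AllowLocalIPsecRules))."
        }
    }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

$report = Test-LocalOverrideLockdown
if ($report.Compliant) { "Local override lockdown verified." } else { $report.Findings }
```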

08 / Update Management

Automated, Wave-Based Patching

Windows updates are handled by Windows Auto-Patch. Devices are divided into waves and patches are approved and monitored by Microsoft automatically.

Windows Auto-Patch

  • Devices divided into deployment waves for staged rollout
  • Patches automatically approved per wave schedule
  • Results and issues monitored and troubleshot by Microsoft
  • Minimizes risk from a bad patch affecting all devices simultaneously

Edge Update Settings

Due to the higher risk and impact of browser vulnerabilities, Edge updates are configured with stricter deadlines:

  • Updates checked and installed every 2 hours
  • User is prompted to restart Edge regularly
  • Auto-restart deadline set at 2 days after update availability
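The three Edge policies that implement the update behaviour above, as an added example rather than the baseline's own configuration profile. The values are written as the registry entries the browser reads (Intune delivers the same policies through the ADMX-backed settings catalog), so the script can audit a device and optionally remediate it; AutoUpdateCheckPeriodMinutes is an Edge Update policy, RelaunchNotification and RelaunchNotificationPeriod are Edge browser policies.

```powershell
# Added example (not the baseline's own profile): audit/remediate the Edge update cadence described above.
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'; Name = 'AutoUpdateCheckPeriodMinutes'; Value = 120 }        # check for updates every 2 hours
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';       Name = 'RelaunchNotification';        Value = 2 }          # 2 = Required: prompt, then force relaunch
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';       Name = 'RelaunchNotificationPeriod';  Value = 172800000 }  # 2 days, in milliseconds
)

function Test-EdgeUpdatePolicy {
    param([switch]$Remediate)   # without -Remediate the function only reports
    foreach ($e in $expected) {
        $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        $ok = ($actual -eq $e.Value)
        if (-not $ok -and $Remediate) {
            if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
            New-ItemProperty -Path $e.Path -Name $e.Name -PropertyType DWord -Value $e.Value -Force | Out-Null
            $actual = $e.Value
            $ok = $true
        }
        [pscustomobject]@{ Policy = $e.Name; Expected = $e.Value; Actual = $actual; Compliant = $ok }
    }
}

Test-EdgeUpdatePolicy | Format-Table -AutoSize
```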
09 / Windows Settings

Optimized Windows Experience by Default

Several tweaks and optimizations are applied to all users automatically — covering productivity, security hardening, and configuration management.

Productivity & Convenience

  • Edge auto sign-in with work account
  • Edge profile sync — same bookmarks and settings on all devices
  • Edge ads and news blocker enabled
  • Edge search engine set to Google
  • OneDrive auto sign-in
  • OneDrive Known Folder Move (Desktop, Documents, Pictures)
  • Azure Virtual Desktop auto-subscribe

Security Hardening

  • Local admin rights stripped from standard users
  • BitLocker auto-encryption
  • Attack Surface Reduction (ASR) rules
  • Defender SmartScreen enabled
  • Protected folders (Controlled Folder Access)
  • Network Protection
  • Device lock settings and time client configuration

10 / Intune Device Management

Unified Endpoint Control

Intune is the central management plane for all security products, application deployment, update settings, and compliance enforcement across Windows, macOS, iOS, and Android.

App Deployment

Applications deployed automatically to enrolled devices. New devices self-configure on sign-in.

Security Enforcement

Windows Firewall, Defender, BitLocker, and Update settings all enforced via configuration profiles.

Compliance Requirements

Entra ID requires compliant devices. Restrictions include minimum OS version, Secure Boot, TPM, and BitLocker.

Defender Integration

Connected to Defender for Endpoint for real-time device risk level signals that feed into Conditional Access.

11 / Defender Suite

End-to-End Microsoft Defender Coverage

Defender provides deep integration across endpoints, email, and servers — with risk-level signals feeding directly into Intune Conditional Access. The Defender for Endpoint license is included in Microsoft 365.

Defender for Endpoint
  • Auto-enrollment for Windows and Mac desktops
  • iOS and Android client with vulnerability management and web content scanning
  • EDR cloud protection with real-time file reputation scans
  • Network Protection
  • Controlled folder access — limits process access to OneDrive/Documents
  • Attack Surface Reduction rules (Office, Adobe, WMI, and more)
  • Web protection and content filtering
  • SmartScreen
  • Auto-investigation and remediation
  • Intune risk level integration — access limited during active threats
  • Vulnerability management
Defender for Office 365
  • Included in Microsoft 365 license
  • High-end email security layer
  • ZAP — Zero-hour Auto Purge: newly detected spam is deleted from all mailboxes even after delivery
  • Safe Attachments — sandboxed scanning of all email attachments
  • Safe Links — real-time URL detonation and rewriting
  • Anti-spam and anti-malware controls
Defender for Servers
  • Recommended for a unified EDR and vulnerability management solution across servers and endpoints
  • Same detection techniques as Defender for Endpoint
  • Alerts on network threats such as RDP brute-force attacks

12 / Microsoft Sentinel — SOAR

Security Orchestration, Automation & Response

Microsoft Sentinel continuously monitors the tenant and responds automatically to alerts and incidents. Estimated cost: approximately €1 per user/month in Azure resources.

Automated User & Device Isolation

During high-severity incidents, our automation engine automatically isolates affected users and devices to contain the threat and prevent lateral movement before it can spread.

Threat Intelligence Integration

Sentinel is augmented with threat intelligence, integrated with Microsoft 365 activity to detect and alert on malicious activities.

User Activity Monitoring

Potentially malicious activity, such as sign-ins from VPN connections or the creation of inbox rules, is continuously monitored to detect unauthorized access.

Non-Compliant Device Alerting

Non-compliant Intune devices are flagged and alerted on to maintain a consistently secure device posture.

Risky App Registration Detection

Analytics rules monitor and flag risky app registrations to protect against data breaches and OAuth abuse.

Privileged Account Monitoring

Creation and modification of privileged accounts is closely monitored to prevent unauthorized access to sensitive resources.

Defender Incident Automation

Defender incidents are automatically detected and alerted on — enabling swift action against active threats.

Logic Apps Customization

Custom alert flows and automated response actions can be built using Logic Apps for specific business requirements.

13 / Email Compliance & Security

DMARC, DKIM & SPF Management

DMARC analytics give full visibility into what is sending email from your domain and what security is applied. Results are reviewed weekly and DKIM and SPF are configured wherever possible.

DMARC

Domain-based Message Authentication, Reporting & Conformance — analytics provide weekly visibility into all email sources and authentication results.

DKIM

DomainKeys Identified Mail — cryptographic signing of outbound email to prove authenticity and prevent spoofing.

SPF

Sender Policy Framework — configured to authorize all legitimate sending sources and reject unauthorized ones.
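A posture check for the three records above, as an added example that is not the baseline's own tooling: it resolves the SPF, DKIM and DMARC records of a domain, parses the DMARC tags, and reports whether the policy is at an enforcing level. The domain is a placeholder; the selector names assume Microsoft 365, which publishes DKIM under the selector1 and selector2 CNAMEs.

```powershell
# Added example (not the baseline's own scripts): SPF / DKIM / DMARC posture for a Microsoft 365 domain.
function Get-EmailAuthPosture {
    param([Parameter(Mandatory)][string]$Domain)

    function Get-TxtRecords([string]$Name) {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' }
    }

    # SPF: exactly one v=spf1 record may exist; '-all' (fail) is stricter than '~all' (softfail).
    $spf = @(Get-TxtRecords $Domain | Where-Object { $_ -like 'v=spf1*' })
    $spfMode = if ($spf.Count -ge 1 -and $spf[0] -match '\s([-~?+]all)\s*$') { $Matches[1] } else { $null }

    # DKIM: Microsoft 365 rotates between two selectors; each must resolve as a CNAME to the tenant's key record.
    $dkim = foreach ($sel in 'selector1', 'selector2') {
        $cname = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        [pscustomobject]@{ Selector = $sel; Published = [bool]$cname; Target = ($cname | Select-Object -First 1).NameHost }
    }

    # DMARC: tag=value pairs separated by ';'. p= is the enforcement level, rua= receives the aggregate reports.
    $dmarcRaw = @(Get-TxtRecords "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
    $dmarc = @{}
    if ($dmarcRaw.Count -ge 1) {
        foreach ($pair in $dmarcRaw[0] -split ';') {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $dmarc[$kv[0].Trim()] = $kv[1].Trim() }
        }
    }

    [pscustomobject]@{
        Domain         = $Domain
        SpfRecordCount = $spf.Count                     # anything other than 1 is a misconfiguration
        SpfMode        = $spfMode                       # '-all' is the hardened end state
        Dkim           = $dkim
        DmarcPolicy    = $dmarc['p']                    # none -> quarantine -> reject as the domain matures
        DmarcSubPolicy = $dmarc['sp']
        DmarcPercent   = if ($dmarc['pct']) { $dmarc['pct'] } else { '100' }
        DmarcRua       = $dmarc['rua']                  # where the aggregate reports used in the weekly review are sent
        DmarcEnforced  = ($dmarc['p'] -in 'quarantine', 'reject')
    }
}

Get-EmailAuthPosture -Domain 'example.com' | Format-List   # placeholder domain
```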

14 / Windows AppLocker

Application Execution Whitelisting

AppLocker limits the locations from which executables, scripts, and installers can launch. This blocks malicious scripts or executables before they can do any harm — catching threats that traditional antivirus often misses.

What AppLocker Blocks

  • Executables launched from non-whitelisted paths
  • Scripts run from user-writable locations
  • Installers from unauthorized sources
  • Malware that downloads and runs payloads from temp directories

Note: Specific rule details are not made publicly available for security reasons.

Onboarding Process

Implementing AppLocker involves a whitelisting phase during which all legitimate business applications are identified and approved before enforcement begins.

  1. Audit mode enabled to discover all running apps
  2. Legitimate applications added to the whitelist
  3. Enforcement mode activated

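The three onboarding steps above as PowerShell, using AppLocker's built-in cmdlets, as an added example and not the baseline's own rule set (which, as noted, is not published). The allowed launch locations mirror AppLocker's default rules and are illustrative; the working directory and the review filter in step 2 are placeholders. Run elevated on a pilot device.

```powershell
# Added example (not the baseline's own rules): AppLocker audit -> whitelist -> enforce onboarding.
$workDir = 'C:\AppLockerOnboarding'                 # placeholder
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
sc.exe config appidsvc start= auto | Out-Null        # Application Identity service must run for AppLocker to evaluate rules
Start-Service AppIDSvc

# Builds a policy allowing Everyone to launch only from the listed locations (admins from anywhere)
# for the Exe, Script and Msi collections, in the requested enforcement mode (AuditOnly or Enabled).
function New-LaunchLocationPolicy([string]$Mode) {
    $everyone = 'S-1-1-0'; $admins = 'S-1-5-32-544'
    $allowed = @{
        Exe    = '%PROGRAMFILES%\*', '%WINDIR%\*'
        Script = '%PROGRAMFILES%\*', '%WINDIR%\*'
        Msi    = '%WINDIR%\Installer\*'
    }
    $xml = [System.Text.StringBuilder]::new('<AppLockerPolicy Version="1">')
    foreach ($type in $allowed.Keys) {
        [void]$xml.Append("<RuleCollection Type=`"$type`" EnforcementMode=`"$Mode`">")
        $rules = @($allowed[$type] | ForEach-Object { @{ Sid = $everyone; Path = $_ } })
        $rules += @{ Sid = $admins; Path = '*' }
        foreach ($r in $rules) {
            [void]$xml.Append("<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"Allow $($r.Path)`" Description=`"`" UserOrGroupSid=`"$($r.Sid)`" Action=`"Allow`"><Conditions><FilePathCondition Path=`"$($r.Path)`"/></Conditions></FilePathRule>")
        }
        [void]$xml.Append('</RuleCollection>')
    }
    $xml.Append('</AppLockerPolicy>').ToString()
}

# Step 1: apply the location rules in audit mode. Nothing is blocked yet; would-be blocks are only logged.
$auditPath = "$workDir\policy-audit.xml"
New-LaunchLocationPolicy 'AuditOnly' | Set-Content -Path $auditPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $auditPath

# Step 2 (after the audit period): list every launch that would have been blocked, review it,
# and generate publisher rules (hash fallback for unsigned files) only for the approved applications.
$audited = foreach ($log in 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script') {
    Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited -ErrorAction SilentlyContinue
}
$audited | Select-Object Path, Publisher, Hash | Sort-Object Path -Unique | Export-Csv "$workDir\audited.csv" -NoTypeInformation
$approved = $audited | Where-Object { $_.Path -like '%OSDRIVE%\LOB\*' }   # placeholder filter: one reviewed line-of-business app
if ($approved) {
    New-AppLockerPolicy -FileInformation $approved -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
        Set-Content -Path "$workDir\policy-approved.xml" -Encoding UTF8
    Set-AppLockerPolicy -XmlPolicy "$workDir\policy-approved.xml" -Merge
}

# Step 3: once audited.csv stays empty, flip the merged local policy to enforcement and apply it.
[xml]$final = Get-AppLockerPolicy -Local -Xml
foreach ($rc in $final.AppLockerPolicy.RuleCollection) { $rc.SetAttribute('EnforcementMode', 'Enabled') }
$final.Save("$workDir\policy-enforce.xml")
# Set-AppLockerPolicy -XmlPolicy "$workDir\policy-enforce.xml"   # uncomment only after the audit log is clean
```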
15 / Application Packaging & Deployment

Automated App Deployment at Scale

Multiple deployment methods ensure new devices and users get their applications automatically on enrollment. A dedicated packaging team is available for complex legacy applications.

Chocolatey
Recommended — scriptable, broad coverage
  • Community repository with thousands of apps (browsers, tools, etc.)
  • Easily scripted and deployed via Intune
  • Simple install: choco install app -y
Private Hosted Repository

Prof-IT Services hosts a private Chocolatey repository with malware scanning and no rate-limiting. Included in managed services.

MSIX Packaging
For legacy or complex apps
  • Applications recorded and deployed in a virtual bubble
  • Easy install, uninstall, and update lifecycle
  • Distributed to managed Windows devices via Intune
  • Smooth installation without conflicts
  • Requires expertise — dedicated packaging team available
PowerShell / Intune
Fallback for all other cases
  • Used when Chocolatey and MSIX are not viable
  • Full control over installation logic via PowerShell scripts
  • Deployed and managed through Intune

17 / Endpoint Management & Third-Party Patching

Automated Vulnerability Management

Defender for Endpoint scans and alerts for potential vulnerabilities across Windows and mobile. Applications are automatically updated where possible, using a custom automation script and our privately hosted software repository.

Automated Updates

  • Third-party applications auto-updated via custom automation script
  • Privately hosted software repository — no rate-limiting, malware-scanned
  • Mobile device OS minimum versions enforced via Intune

User Notifications

  • Daily desktop toast notifications for non-managed software updates
  • Weekly email digest of vulnerability alerts
  • Users prompted to take action before security risks escalate

Continuous Vulnerability Monitoring

Defender for Endpoint continuously scans devices and surfaces CVEs, exposure scores, and remediation recommendations.

18 / CSS Agent-Less Phishing Detection

Protection Against MITM Attacks

Using custom CSS and a server-side solution, every Microsoft 365 login session is validated in real time. This defends against Man-in-the-Middle attacks where proxy tools like EvilGinx are used to steal sessions — bypassing even standard MFA.

Threat: MITM / EvilGinx Attacks

A proxy server records the user's full session — capturing credentials and session tokens. Standard MFA does not protect against this type of attack. The attacker replays the session immediately after capture.

Our Solution: Session Validation

Our servers validate each login session in real time. Anomalies are flagged automatically — the user sees a red background and warning text on the Microsoft 365 login page. A safe login is confirmed by the Prof-IT Services logo appearing in the bottom-left corner.

How It Works

1. User begins Microsoft 365 login — custom CSS is loaded from our servers

2. Server validates the session origin on every authentication request

3. If anomaly detected: red background + warning text displayed on the login page

4. If session is safe: Prof-IT Services logo confirms authenticity in the bottom-left corner

19 / Multi-Tenant Device Monitoring

Agent-Less Health Monitoring at Scale

A customized monitoring solution using scheduled tasks, PowerShell scripts, and Azure Monitoring tracks vital device health across all tenants — without requiring any RMM agent or dependency on Intune Remediations.

What Is Monitored

  • OneDrive sync health across all user devices
  • SharePoint connectivity and health signals
  • Defender for Endpoint agent health and coverage gaps
  • Custom health metrics via scheduled PowerShell tasks

Architecture

  • No RMM agent installation required on endpoints
  • No dependency on Intune Remediations
  • Log Analytics workspace deployed per customer tenant
  • Billed based on data ingested — scales with tenant size
  • Works across all managed tenants simultaneously

20 / Automation Platform

Deployed by Code, Not by Hand

Most Intune policies, configuration profiles, Conditional Access rules, security groups, and Entra settings are deployed using our automation platform — based on a standardized Microsoft 365 environment kept to the highest industry standard.

PowerShell Automation

All configurations deployed via PowerShell automation scripts — fast, repeatable, and auditable.

Security Group Granularity

All options are granular and applicable to specific users and devices via targeted security groups.

Framework Compliance

Kept in compliance with all popular security frameworks and Microsoft's own recommendations.

Deployment Requirement

The engineer deploying this baseline requires Global Administrator rights for the duration of the deployment. Rights can be scoped down after deployment is complete.

Full Configuration Scope

The platform deploys and manages configuration across every major Microsoft 365 workload — not just Intune and Conditional Access.

Conditional Access

  • 47+ Security Groups
  • Access policies
  • Named Locations
  • Assignment Filters

Intune — Device

  • Compliance policies
  • Settings Catalog profiles
  • PowerShell scripts
  • Autopilot profiles

Intune — Apps

  • App protection policies
  • App configuration policies
  • Application packaging
  • Assignment management

Exchange Online

  • Transport rules
  • DMARC / DKIM / SPF
  • Mail flow policies
  • Tenant send/receive connectors

Entra ID

  • Authentication Methods (FIDO2, TAP, SMS)
  • Device registration & LAPS settings
  • Custom Security Attributes
  • Enterprise App registrations

Microsoft Teams

  • Tenant-wide Teams settings
  • Messaging & meeting policies
  • External access policies
  • App permission policies

SharePoint Online

  • Tenant sharing settings
  • External sharing policies
  • Default site permissions
  • Sensitivity label integration

Consent & Permissions

  • Consent permission classifications
  • Admin consent workflows
  • OAuth app policies
  • Delegated permission grants

Security & Compliance

  • Microsoft Defender settings
  • Sentinel analytics rules
  • Retention & DLP policies
  • Sensitivity labels

Ready to Deploy the Baseline?

Get in touch to start your onboarding project. We'll implement the full Modern Workplace baseline — resulting in a stable, phish-resistant, and compliant Microsoft 365 environment.

Optional managed services — CSS Phish Protection, Microsoft 365 Backup, and Security Orchestration — can be added after the initial project.