56 M365 settings explained: what they do, when to use them, risk profile, PowerShell commands, and plain-English explanations.
Identity & Auth
Security Defaults
Security Defaults are a set of pre-configured baseline identity security settings Microsoft enables for new tenants. The…
mfa legacy auth entra +2
Identity & Auth
Per-User MFA
The legacy method of enforcing MFA per individual user account via the old Azure AD portal. States are Disabled, Enabled…
mfa multi-factor authentication +2
Identity & Auth
Self-Service Password Reset (SSPR)
Allows users to reset their own passwords without contacting the helpdesk by verifying their identity via registered met…
password reset self-service +2
Identity & Auth
Device Code Flow
An OAuth 2.0 grant type designed for input-constrained devices (CLIs, smart TVs, IoT sensors). The device displays a sho…
oauth authentication cli +4
Identity & Auth
Legacy Authentication
Refers to older authentication protocols that do not support modern authentication (OAuth/OIDC) or MFA, including Basic A…
basic auth smtp pop +4
Identity & Auth
FIDO2 / Passwordless Authentication
FIDO2 is an open standard for passwordless authentication using hardware security keys (YubiKey, Feitian) or platform au…
fido2 passwordless security key +3
Identity & Auth
Privileged Identity Management (PIM)
PIM provides just-in-time (JIT) privileged access to Entra ID and Azure roles. Admins are "eligible" for a role but not …
pim jit just-in-time +3
Conditional Access
Conditional Access - Session Controls
Session Controls within Conditional Access policies limit what users can do within an authenticated session, without re-a…
conditional access session persistent browser +3
Conditional Access
Named Locations
Named Locations allow you to define trusted IP ranges (e.g., corporate office egress IPs) or trusted countries/regions. …
named locations ip range trusted +3
Exchange & Mail
DKIM Selector
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outbound emails. The selector is a DNS label (e.g., …
dkim email authentication dns +3
Exchange & Mail
DMARC
DMARC (Domain-based Message Authentication, Reporting and Conformance) is a DNS TXT record that tells receiving mail ser…
dmarc email authentication dns +4
Exchange & Mail
SPF (Sender Policy Framework)
SPF is a DNS TXT record that lists which mail servers are authorised to send email for your domain. When a receiving ser…
spf email authentication dns +4
Exchange & Mail
DLP Policy (Data Loss Prevention)
DLP policies in Microsoft Purview detect and protect sensitive information (credit card numbers, SSNs, health data, cust…
dlp data loss prevention purview +4
Exchange & Mail
HiddenFromExchangeClientsEnabled
A property on Microsoft 365 Groups that hides the group from the Global Address List (GAL) and the Exchange/Outlook addr…
group m365 group gal +4
Exchange & Mail
Mail Flow Rules (Transport Rules)
Mail Flow Rules (also called Transport Rules) process email messages as they pass through Exchange Online. Rules have co…
transport rules mail flow exchange +4
Groups & Teams
Public Microsoft 365 Group
Microsoft 365 Groups are the membership foundation for Teams, SharePoint sites, Planner, and shared mailboxes. A Public …
m365 group public private +4
Groups & Teams
Teams Guest Access
Guest Access allows users outside your organisation (external email addresses) to be added to Teams channels and partici…
teams guest external +3
Compliance
Sensitivity Labels
Sensitivity labels classify and protect content (emails, documents, Teams meetings) based on sensitivity level (e.g., Pu…
sensitivity labels purview information protection +4
Compliance
Retention Policies
Retention policies in Microsoft Purview automatically retain or delete content after a specified period. Policies can pr…
retention purview hold +4
Compliance
Audit Log
The Unified Audit Log records user and admin activity across Microsoft 365 services: Exchange, SharePoint, OneDrive, Team…
audit log unified audit log +4
Intune & Devices
Windows Autopilot
Windows Autopilot automates the setup and configuration of new Windows devices. When a new device is unboxed and powered…
autopilot intune device provisioning +3
Intune & Devices
Intune Compliance Policy
Intune Compliance Policies define the minimum security requirements a device must meet to be considered "compliant." Req…
intune compliance device +4
Intune & Devices
Entra ID Join vs. Hybrid Join
Entra ID Join (formerly Azure AD Join): devices are joined only to Entra ID, no on-premises Active Directory required. Ma…
azure ad join entra join hybrid join +3
SharePoint & OneDrive
SharePoint External Sharing
Controls whether and how SharePoint sites and OneDrive files can be shared with users outside the organisation. Four lev…
sharepoint onedrive external sharing +3
App & Identity
App Registration
App Registrations in Entra ID are identity objects for applications that need to authenticate to Microsoft APIs (Graph, …
app registration entra oauth +4
App & Identity
Managed Identity
Managed Identities are automatically managed identity credentials for Azure resources (VMs, Azure Functions, Logic Apps,…
managed identity azure service principal +3
Identity & Auth
Emergency Access Accounts (Break Glass)
Emergency access accounts (break glass accounts) are cloud-only Global Administrator accounts deliberately excluded from…
break glass emergency global admin +3
Conditional Access
Sign-in Risk Policy (Identity Protection)
Entra ID Identity Protection analyses each sign-in attempt in real time using machine learning to assign a risk level: L…
identity protection sign-in risk risk-based +4
Conditional Access
User Risk Policy (Identity Protection)
User Risk in Entra ID Identity Protection reflects the probability that a user identity has been compromised, primarily t…
identity protection user risk leaked credentials +3
Defender for M365
Safe Attachments (Defender for Office 365)
Safe Attachments (part of Microsoft Defender for Office 365 Plan 1) scans email attachments in a virtual sandbox (detona…
safe attachments mdo defender +5
Defender for M365
Safe Links (Defender for Office 365)
Safe Links rewrites URLs in emails and Office documents at time of click, routing them through Microsoft's reputation sc…
safe links mdo defender +4
Defender for M365
Anti-Phishing Policy (Defender for Office 365)
Anti-Phishing policies in MDO provide impersonation protection and advanced spoof intelligence. Impersonation protection…
anti-phishing mdo defender +5
Exchange & Mail
Shared Mailbox
A Shared Mailbox is a mailbox multiple users can access without a separate login, commonly used for team inboxes (info@, …
shared mailbox exchange full access +4
Groups & Teams
Microsoft 365 Group Expiration Policy
Group Expiration Policy automatically expires (deletes) Microsoft 365 Groups and their associated Teams, SharePoint site…
group expiration m365 groups lifecycle +4
Groups & Teams
Teams Meeting Policies
Teams Meeting Policies control the meeting features available to users: who can join meetings (lobby settings), who can r…
teams meeting recording +5
Compliance
eDiscovery & Content Search
Microsoft Purview eDiscovery allows compliance and legal teams to search, hold, and export content across Exchange, Team…
ediscovery content search legal hold +4
Intune & Devices
Intune App Protection Policy (MAM)
App Protection Policies (APP / MAM - Mobile Application Management) protect corporate data within managed apps (Outlook,…
mam app protection intune +6
Intune & Devices
Windows LAPS (Local Admin Password Solution)
Windows LAPS (built into Windows since the April 2023 Patch Tuesday update) automatically rotates the local administrator ac…
laps local admin password +5
SharePoint & OneDrive
OneDrive Known Folder Move (KFM)
Known Folder Move (KFM) silently redirects the Windows Desktop, Documents, and Pictures folders to back up to OneDrive a…
onedrive known folder move kfm +5
App & Identity
OAuth App Consent Policy
Consent policies control whether users can grant permissions to third-party OAuth applications that want to access Micro…
consent oauth app consent +5
Identity & Auth
Entra ID Password Protection & Smart Lockout
Entra ID Password Protection maintains a global banned password list (Microsoft-managed) and optionally a custom banned …
password protection banned password smart lockout +3
Identity & Auth
MFA Number Matching & Additional Context
Number Matching requires users to enter a 2-digit code displayed on the sign-in screen into the Microsoft Authenticator …
number matching mfa fatigue push notification +5
Identity & Auth
Cross-Tenant Access Settings
Cross-Tenant Access Settings (in Entra External Identities) control how your tenant interacts with other specific Entra …
cross-tenant b2b inbound +5
Conditional Access
Authentication Strength (Conditional Access)
Authentication Strength is a Conditional Access grant control that requires a specific level of MFA rather than just "an…
authentication strength phishing-resistant mfa ca policy +4
Exchange & Mail
Microsoft Purview Message Encryption
Microsoft Purview Message Encryption (formerly Office 365 Message Encryption / OME) lets users and mail flow rules send …
ome message encryption purview +5
Exchange & Mail
Message Trace
Message Trace in the Exchange Admin Center shows the delivery path of specific emails through Exchange Online. For each …
message trace exchange email delivery +5
Defender for M365
Anti-Spam & Connection Filter Policies
Anti-Spam policies in Exchange Online Protection (EOP) filter inbound email for spam, bulk mail, phishing, and high-conf…
anti-spam spam junk +6
Defender for M365
Attack Simulation Training
Attack Simulation Training (part of Microsoft Defender for Office 365 Plan 2) lets admins send realistic simulated phish…
attack simulation phishing simulation security awareness +4
Compliance
Communication Compliance
Communication Compliance in Microsoft Purview monitors internal and external communications (Teams, Exchange, Yammer, Co…
communication compliance purview policy violation +6
Compliance
Insider Risk Management
Insider Risk Management in Microsoft Purview uses machine learning to detect patterns suggesting an insider threat: a cur…
insider risk purview data theft +4
Intune & Devices
Intune Configuration Profiles
Intune Configuration Profiles push settings to managed devices, beyond compliance policy (which only reports state). Prof…
configuration profile intune device config +5
Intune & Devices
Windows Update Rings (Windows Update for Business)
Update Rings in Intune configure Windows Update for Business (WUfB) policy: deferring feature updates (major Windows ver…
update rings windows update wufb +5
App & Identity
Enterprise Application SSO (SAML/OIDC)
Enterprise Applications in Entra ID enable Single Sign-On (SSO) for third-party SaaS applications. SAML 2.0 and OIDC/OAu…
enterprise app sso saml +6
Licensing & Admin
Microsoft Secure Score
Microsoft Secure Score is a numeric measurement of your organisation's security posture in Microsoft 365, ranging from 0…
secure score security posture defender +3
Licensing & Admin
Microsoft 365 Admin Roles & Least Privilege
Microsoft 365 uses Role-Based Access Control (RBAC) with over 100 built-in roles across Entra ID, Exchange, Teams, Intun…
admin roles rbac least privilege +5
Licensing & Admin
Group-Based Licensing
Group-Based Licensing allows Microsoft 365 licenses to be assigned automatically to users based on their Entra ID group …
licensing group-based licensing entra +5
PowerShell commands use Microsoft Graph, ExchangeOnline, and Security & Compliance modules. Always test in a non-production tenant first. Documentation links point to Microsoft Learn.