Entra ID & M365 Hardening Checklist
Prioritized hardening actions for identity, email, collaboration, devices, and compliance, each with a portal path and a PowerShell reference.
Coverage: 125 prioritized actions across six areas.
Focus: Identity first, then data, device, and collaboration protection.
Execution: Each action comes with a portal path and a PowerShell reference.
Identity hardening (50 items)
| Priority | Description | Portal path | PowerShell |
|---|---|---|---|
| Critical | Enable Security Defaults or a Conditional Access baseline tenant-wide. | Entra admin center > Protection > Conditional Access | `Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy` |
| Critical | Block legacy authentication completely. | Entra admin center > Protection > Conditional Access | `Get-AuthenticationPolicy` |
| Critical | Require MFA for all users. | Entra admin center > Protection > Conditional Access | `Get-MgIdentityConditionalAccessPolicy` |
| Critical | Require phishing-resistant MFA for administrators. | Entra admin center > Protection > Conditional Access | `Get-MgPolicyAuthenticationStrengthPolicy` |
| Critical | Define break-glass accounts and exclude them from Conditional Access. | Entra admin center > Roles & admins | `Get-MgUser -Filter "accountEnabled eq true"` |
| High | Limit Global Administrators to fewer than five. | Entra admin center > Roles & admins | `Get-MgDirectoryRoleMember -DirectoryRoleId <GlobalAdminRoleId>` |
| Critical | Use PIM for all privileged roles. | Entra admin center > Identity Governance > PIM | `Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilitySchedules"` |
| High | Require approval for Tier-0 role activations. | PIM > Roles > Settings | `Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/policies/roleManagementPolicies"` |
| High | Require justification and a ticket number in PIM. | PIM > Roles > Settings | `Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments"` |
| High | Enable access reviews for privileged roles. | Identity Governance > Access reviews | `Get-MgIdentityGovernanceAccessReviewDefinition` |
| High | Limit the authentication methods policy to modern methods. | Protection > Authentication methods | `Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"` |
| High | Disable SMS and voice for admins. | Protection > Authentication methods | `Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Sms"` |
| High | Pilot FIDO2/passkeys for privileged users. | Protection > Authentication methods > FIDO2 | `Get-MgUserAuthenticationFido2Method -UserId admin@contoso.com` |
| High | Roll out Windows Hello for Business to managed Windows devices. | Intune admin center > Account protection | `Get-CimInstance -Namespace root\cimv2\mdm\dmmap -ClassName MDM_Policy_Result01_WindowsHelloForBusiness02` |
| High | Monitor Microsoft Authenticator number matching. | Protection > Authentication methods | `Get-MgAuditLogSignIn -Top 20` |
| High | Enforce combined registration and Security Info. | Protection > Authentication methods > Registration campaign | `Get-MgReportAuthenticationMethodUserRegistrationDetail` |
| High | Provide SSPR tenant-wide. | Password reset | `Get-MsolCompanyInformation` |
| Medium | Enable password writeback in hybrid environments. | Entra Connect > Optional features | `Get-ADSyncAADCompanyFeature` |
| High | Enable the sign-in risk policy. | Protection > Identity Protection | `Get-MgIdentityProtectionRiskyUser` |
| High | Enable the user risk policy with secure password change. | Protection > Identity Protection | `Get-MgIdentityProtectionRiskDetection` |
| Medium | Limit trusted named locations to real corporate egress points. | Protection > Conditional Access > Named locations | `Get-MgIdentityConditionalAccessNamedLocation` |
| Medium | Block countries that are not needed. | Protection > Conditional Access > Named locations | `Get-MgIdentityConditionalAccessNamedLocation` |
| High | Require a compliant device for sensitive browser access. | Protection > Conditional Access | `Get-MgDeviceManagementManagedDevice -Top 20` |
| High | Enable app protection policies for BYOD mobile devices. | Intune admin center > Apps > App protection policies | `Get-MgDeviceAppManagementManagedAppProtection` |
| Medium | Shorten sign-in frequency for administrators. | Protection > Conditional Access > Session | `Get-MgIdentityConditionalAccessPolicy` |
| Medium | Disable persistent browser sessions on shared devices. | Protection > Conditional Access > Session | `Get-MgIdentityConditionalAccessPolicy` |
| Medium | Pilot token protection for suitable admin scenarios. | Protection > Conditional Access | `Get-MgAuditLogSignIn -Top 50` |
| Medium | Prioritize CAE-capable apps. | Protection > Conditional Access | `Get-MgAuditLogSignIn -Top 50` |
| High | Protect workload identities with a dedicated Conditional Access and monitoring model. | Protection > Workload identities | `Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/identityProtection/riskyServicePrincipals"` |
| High | Limit app secrets to short lifetimes. | Entra admin center > App registrations | `Get-MgApplication \| Select-Object DisplayName,PasswordCredentials` |
| High | Prefer certificates or managed identities over shared secrets. | App registrations / Azure resources | `Get-MgServicePrincipal -Top 20` |
| High | Restrict user consent to verified publishers and low-risk apps. | Enterprise applications > Consent and permissions | `Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"` |
| Medium | Review OAuth and enterprise app permissions quarterly. | Enterprise applications | `Get-MgServicePrincipalOauth2PermissionGrant -All` |
| Medium | Restrict unnecessary tenant-creation and self-service features. | User settings | `Get-MgPolicyAuthorizationPolicy` |
| High | Limit guest invitations to approved roles. | External Identities > External collaboration settings | `Get-MgPolicyAuthorizationPolicy` |
| High | Set cross-tenant access defaults to least privilege. | External Identities > Cross-tenant access settings | `Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy"` |
| Critical | Protect all admin portals with strong MFA. | Protection > Conditional Access | `Get-MgIdentityConditionalAccessPolicy \| Select-Object DisplayName` |
| Medium | Feed audit and sign-in logs into Sentinel. | Microsoft Sentinel > Data connectors | `Get-MgAuditLogDirectoryAudit -Top 20` |
| Medium | Evaluate Global Secure Access and tenant restrictions. | Global Secure Access | `Get-MgOrganization` |
| High | Use authentication strengths instead of a generic MFA switch. | Protection > Authentication strengths | `Get-MgPolicyAuthenticationStrengthPolicy` |
| High | Define separate admin workstations (PAWs). | Intune admin center / endpoint security | `Get-DeviceHealthAttestation` |
| High | Allow only managed devices for admin access. | Protection > Conditional Access | `dsregcmd /status` |
| Medium | Use Temporary Access Pass only for recovery and onboarding. | Protection > Authentication methods > TAP | `Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId user@contoso.com` |
| Medium | Review external user lifecycle and expiration. | Entra ID > Users > All guests | `Get-MgUser -Filter "userType eq 'Guest'"` |
| Medium | Use terms of use for guests and sensitive apps. | Protection > Conditional Access > Grant | `Get-MgIdentityGovernanceTermsOfUseAgreement` |
| Medium | Allow self-service group features only with governance. | Groups > General | `Get-MgGroupSetting` |
| Medium | Document Conditional Access exceptions and assign an owner to each. | Protection > Conditional Access | `Get-MgIdentityConditionalAccessPolicy \| Export-Csv ca-policies.csv` |
| Medium | Review permanently privileged and inactive accounts monthly. | PIM / Roles & admins | `Get-MgAuditLogSignIn -Top 100` |
| Medium | Document emergency procedures for Conditional Access misconfiguration. | Operations runbook | `Get-MgIdentityConditionalAccessPolicy` |
| Medium | Review security reports for registration readiness and risky users regularly. | Reports > Authentication methods / Identity Protection | `Get-MgReportAuthenticationMethodUserRegistrationDetail` |
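The single-cmdlet references above only list raw data; the following added script (not part of the checklist) turns three of the identity items into pass/fail findings: the Global Administrator count, an enabled Conditional Access policy that blocks legacy authentication for all users, and app registration secrets that outlive a lifetime limit. It assumes the Microsoft Graph PowerShell SDK is installed; the 180-day secret limit is an assumed organisational threshold.

```powershell
# Added read-only audit of identity checklist items via Microsoft Graph.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Policy.Read.All","Application.Read.All" -NoWelcome

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Global Administrators: the checklist target is fewer than five direct members.
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # well-known Global Administrator role template id
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$gaMembers = @()
if ($gaRole) {
    $gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
}
if ($gaMembers.Count -ge 5) {
    $findings.Add("Global Administrator has $($gaMembers.Count) direct members (target: fewer than five).")
}

# 2. Legacy authentication: an enabled policy must block Exchange ActiveSync and
#    'other clients' for all users. Exclusions (e.g. break-glass accounts) are allowed.
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All
$legacyBlock = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'block' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.Conditions.Users.IncludeUsers -contains 'All'
}
if (-not $legacyBlock) {
    $findings.Add("No enabled Conditional Access policy blocks legacy authentication for all users.")
}

# 3. App secrets: flag any client secret whose validity window exceeds the limit.
$maxSecretDays = 180   # assumption: adjust to the organisation's secret lifetime policy
foreach ($app in Get-MgApplication -All -Property Id,DisplayName,PasswordCredentials) {
    foreach ($cred in $app.PasswordCredentials) {
        $lifetimeDays = ($cred.EndDateTime - $cred.StartDateTime).TotalDays
        if ($lifetimeDays -gt $maxSecretDays) {
            $findings.Add("App '$($app.DisplayName)': secret $($cred.KeyId) valid for " +
                          "$([math]::Round($lifetimeDays)) days, exceeds $maxSecretDays.")
        }
    }
}

if ($findings.Count -eq 0) { "No findings." } else { $findings }
```

Run it from a non-privileged reporting account; all scopes requested are read-only, so the script can be scheduled without granting write rights.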
Email hardening (20 items)
| Priority | Description | Portal path | PowerShell |
|---|---|---|---|
| Critical | Publish SPF correctly. | Exchange admin center > Mail flow > Accepted domains | `Get-AcceptedDomain` |
| Critical | Enable DKIM for all sending domains. | Defender portal > Email & collaboration > Policies | `Get-DkimSigningConfig` |
| Critical | Set DMARC to p=reject with rua and ruf reporting addresses. | DNS / Defender portal | `Get-TransportConfig` |
| High | Configure outbound anti-spam cleanly. | Defender portal > Policies | `Get-HostedOutboundSpamFilterPolicy` |
| High | Enable Safe Links. | Defender portal > Safe Links | `Get-SafeLinksPolicy` |
| High | Enable Safe Attachments. | Defender portal > Safe Attachments | `Get-SafeAttachmentPolicy` |
| High | Tighten anti-phishing and impersonation protection. | Defender portal > Anti-phishing | `Get-AntiPhishPolicy` |
| Medium | Keep zero-hour auto purge enabled. | Defender portal > Quarantine | `Get-HostedContentFilterPolicy` |
| Medium | Introduce user submissions and the Report Message add-in. | Defender portal > User reported settings | `Get-ReportSubmissionPolicy` |
| Medium | Enable external sender tagging. | Exchange admin center > Mail flow > Rules | `Get-ExternalInOutlook` |
| High | Enable mailbox auditing for all mailboxes. | Exchange admin center > Mailboxes | `Get-OrganizationConfig \| Select AuditDisabled` |
| High | Block external auto-forwarding by default. | Defender portal > Anti-spam | `Get-HostedOutboundSpamFilterPolicy` |
| Medium | Minimize and review transport connectors. | Exchange admin center > Mail flow > Connectors | `Get-InboundConnector; Get-OutboundConnector` |
| Medium | Define quarantine policies by role. | Defender portal > Quarantine policies | `Get-QuarantinePolicy` |
| Medium | Review delegation on shared mailboxes regularly. | Exchange admin center > Shared mailboxes | `Get-EXOMailboxPermission -Identity shared@contoso.com` |
| Medium | Govern allow and block lists centrally. | Defender portal > Tenant Allow/Block List | `Get-TenantAllowBlockListItems` |
| Medium | Put mail flow rules under change control. | Exchange admin center > Rules | `Get-TransportRule` |
| Medium | Alert on mailbox forwarding and redirects. | Exchange admin center / Sentinel | `Get-InboxRule -Mailbox user@contoso.com` |
| High | Protect Exchange administrator roles through PIM. | PIM > Roles | `Get-MgDirectoryRole` |
| Medium | Align retention, journaling, and transport with compliance requirements. | Purview / Exchange | `Get-RetentionCompliancePolicy` |
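As an added example (not part of the checklist), this script combines four of the email items above into one report: DKIM signing per authoritative domain, the published DMARC policy, the outbound spam policy's auto-forwarding mode, and inbox rules that forward or redirect to external domains. It assumes the ExchangeOnlineManagement module, a Windows host for Resolve-DnsName, and that every accepted domain of type Authoritative is expected to send mail.

```powershell
# Added read-only email posture check for Exchange Online.
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()
$domains  = Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' }
$dkim     = Get-DkimSigningConfig

foreach ($d in $domains) {
    $name = $d.DomainName

    # DKIM: a signing config must exist and be enabled for the domain.
    $cfg = $dkim | Where-Object { $_.Domain -eq $name }
    if (-not $cfg -or -not $cfg.Enabled) {
        $findings.Add("DKIM signing is not enabled for $name.")
    }

    # DMARC: read the TXT record at _dmarc.<domain> and require p=reject.
    $txt = Resolve-DnsName -Name "_dmarc.$name" -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { ($_.Strings -join '') -match '^v=DMARC1' }
    if (-not $txt) {
        $findings.Add("No DMARC record published for $name.")
    } else {
        $record = ($txt | Select-Object -First 1).Strings -join ''
        if ($record -notmatch '(^|;)\s*p=reject') {
            $findings.Add("DMARC for $name is not p=reject: $record")
        }
        if ($record -notmatch 'rua=') {
            $findings.Add("DMARC for $name has no rua reporting address.")
        }
    }
}

# Outbound spam policy: automatic external forwarding should be Off.
foreach ($p in Get-HostedOutboundSpamFilterPolicy) {
    if ($p.AutoForwardingMode -ne 'Off') {
        $findings.Add("Outbound spam policy '$($p.Name)' has AutoForwardingMode=$($p.AutoForwardingMode).")
    }
}

# Inbox rules: any ForwardTo/ForwardAsAttachmentTo/RedirectTo target outside
# the tenant's own domains is reported for review.
$internalDomains = @($domains.DomainName | ForEach-Object { $_.ToLowerInvariant() })
$emailPattern = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    $upn = $_.UserPrincipalName
    Get-InboxRule -Mailbox $upn -ErrorAction SilentlyContinue | ForEach-Object {
        $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
        $addresses = [regex]::Matches(($targets -join ' '), $emailPattern) | ForEach-Object { $_.Value }
        foreach ($addr in $addresses) {
            $dom = ($addr -split '@')[-1].ToLowerInvariant()
            if ($internalDomains -notcontains $dom) {
                $findings.Add("Mailbox $upn rule '$($_.Name)' forwards to external address $addr.")
            }
        }
    }
}

if ($findings.Count -eq 0) { "No findings." } else { $findings }
```

The inbox rule loop calls Get-InboxRule once per mailbox, so on large tenants run it in a scheduled job rather than interactively.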
SharePoint & OneDrive hardening (15 items)
| Priority | Description | Portal path | PowerShell |
|---|---|---|---|
| High | Set tenant-wide external sharing to least privilege. | SharePoint admin center > Policies > Sharing | `Get-SPOTenant \| Select SharingCapability` |
| High | Use domain allow/block lists for sharing. | SharePoint admin center > Sharing | `Get-SPOTenant \| Select SharingAllowedDomainList,SharingBlockedDomainList` |
| Medium | Do not use Anyone as the default link type. | SharePoint admin center > Policies > Sharing | `Get-SPOTenant \| Select DefaultSharingLinkType` |
| Medium | Set the default link permission to View. | SharePoint admin center > Policies > Sharing | `Get-SPOTenant \| Select DefaultLinkPermission` |
| High | Block Anyone links for sensitive sites. | SharePoint admin center > Active sites | `Get-SPOSite -Limit All` |
| High | Enable unmanaged device restrictions for SharePoint. | SharePoint admin center > Policies > Access control | `Get-SPOTenant \| Select ConditionalAccessPolicy` |
| Medium | Use sensitivity labels for sites and teams. | Purview > Information Protection | `Get-Label` |
| High | Use Conditional Access app-enforced restrictions for browser access. | Entra admin center > Conditional Access | `Get-MgIdentityConditionalAccessPolicy` |
| Medium | Restrict sync on unmanaged devices. | SharePoint admin center > Policies > Access control | `Get-SPOTenant \| Select BlockMacSync,BlockDownloadLinksFileType` |
| Medium | Define OneDrive retention after user deletion. | SharePoint admin center > Policies > Retention | `Get-SPOTenant \| Select OrphanedPersonalSitesRetentionPeriod` |
| Medium | Protect the SharePoint Administrator role through PIM. | PIM > Roles | `Get-MgDirectoryRole` |
| Medium | Review site owners and guests regularly. | SharePoint admin center > Active sites | `Get-SPOSite -Limit All \| Select Url,Owner` |
| Medium | Enable expiration for guest links. | SharePoint admin center > Policies > Sharing | `Get-SPOTenant \| Select RequireAnonymousLinksExpireInDays` |
| Medium | Strictly govern the app catalog and custom script. | SharePoint admin center > More features | `Get-SPOSite -Limit All \| Select Url,DenyAddAndCustomizePages` |
| Medium | Monitor storage and oversharing reports. | SharePoint admin center > Reports | `Get-SPOSite -Limit All \| Select Url,StorageUsageCurrent` |
Teams hardening (15 items)
| Priority | Description | Portal path | PowerShell |
|---|---|---|---|
| High | Enable guest access only with clear business rules. | Teams admin center > Users > Guest access | `Get-CsTeamsClientConfiguration` |
| Medium | Explicitly allow-list or deny-list external domains. | Teams admin center > Users > External access | `Get-CsTenantFederationConfiguration` |
| Medium | Control meeting recordings and download paths. | Teams admin center > Meetings | `Get-CsTeamsMeetingPolicy` |
| Medium | Minimize anonymous meeting participation. | Teams admin center > Meetings | `Get-CsTeamsMeetingPolicy` |
| Medium | Harden lobby rules for sensitive meetings. | Teams admin center > Meetings | `Get-CsTeamsMeetingPolicy` |
| Medium | Restrict external presenters and screen sharing. | Teams admin center > Meetings | `Get-CsTeamsMeetingPolicy` |
| High | Reduce app permission policies to approved apps. | Teams admin center > Teams apps | `Get-CsTeamsAppPermissionPolicy` |
| Medium | Curate app setup policies for standard apps. | Teams admin center > Teams apps | `Get-CsTeamsAppSetupPolicy` |
| Medium | Allow team creation only for approved groups. | Teams admin center > Teams settings | `Get-MgGroup` |
| Medium | Assess voicemail, transcription, and Copilot data paths. | Teams admin center > Voice | `Get-CsOnlineVoicemailPolicy` |
| High | Protect Teams admin roles through PIM. | PIM > Roles | `Get-MgDirectoryRole` |
| Medium | Enable sensitivity labels for teams and meetings. | Purview / Teams admin center | `Get-Label` |
| Medium | Enable file and chat DLP for Teams. | Purview > DLP | `Get-DlpCompliancePolicy` |
| Medium | Define incident response for oversharing and guest abuse. | SOC playbook | `Get-MgTeam` |
| Medium | Assign calling and PSTN policies only by role. | Teams admin center > Voice | `Get-CsOnlineVoiceRoutingPolicy` |
Device hardening (15 items)
| Priority | Description | Portal path | PowerShell |
|---|---|---|---|
| Critical | Enforce enrollment and compliance for corporate devices. | Intune admin center > Devices | `Get-MgDeviceManagementManagedDevice -Top 20` |
| Critical | Define compliance policies for all platforms. | Intune admin center > Devices > Compliance | `Get-MgDeviceManagementDeviceCompliancePolicy` |
| High | Enable BitLocker on Windows. | Intune admin center > Endpoint security > Disk encryption | `Get-BitLockerVolume` |
| High | Check Secure Boot and TPM health. | Intune admin center > Endpoint security | `Confirm-SecureBootUEFI` |
| High | Enforce Defender AV and EDR onboarding. | Intune admin center > Endpoint security > Microsoft Defender | `Get-MpComputerStatus` |
| High | Deploy Attack Surface Reduction rules. | Intune admin center > Endpoint security > ASR | `Get-MpPreference \| Select AttackSurfaceReductionRules_Ids` |
| Medium | Keep the host firewall enabled on clients. | Intune admin center > Endpoint security > Firewall | `Get-NetFirewallProfile` |
| High | Enable Windows Hello for Business. | Intune admin center > Account protection | `dsregcmd /status` |
| Medium | Use Windows Autopilot for standard devices. | Intune admin center > Devices > Enrollment | `Get-AutopilotDiagnostics` |
| High | Reduce local admin rights with Windows LAPS. | Intune admin center > Endpoint security > Account protection | `Get-LapsAADPassword -DeviceIds <DeviceId>` |
| Medium | Define update rings for quality and feature updates. | Intune admin center > Devices > Update rings | `Get-WindowsUpdateLog` |
| High | Enforce root/jailbreak detection on mobile devices. | Intune admin center > Compliance | `Get-MgDeviceManagementDeviceCompliancePolicy` |
| High | Enable mobile disk encryption. | Intune admin center > Compliance | `Get-MgDeviceManagementManagedDevice \| Select OperatingSystem,EncryptionState` |
| Medium | Use application control or allowlisting on critical devices. | Intune admin center > Endpoint security > Application control | `Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard` |
| High | Separate admin and user context on devices. | Endpoint security / local admin | `whoami /groups` |
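Several device items above are verified locally rather than in a portal. The following added script (not the checklist's own code) runs elevated on a Windows client and reports the state of BitLocker, Secure Boot, TPM, Defender real-time protection, EDR sensor, ASR rules in block mode, the host firewall, code integrity enforcement, and Entra join, as one object that can be collected from a fleet. It assumes Windows 10/11 with Microsoft Defender and the built-in BitLocker, TrustedPlatformModule, NetSecurity and SecureBoot modules.

```powershell
# Added local device posture check; run in an elevated PowerShell session.
function Get-DevicePosture {
    $r = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # BitLocker: the OS volume must be fully protected, not just encrypted.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $r['BitLockerOsProtected'] = ($os.ProtectionStatus -eq 'On')

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS, which counts as not enabled.
    try { $r['SecureBoot'] = [bool](Confirm-SecureBootUEFI) } catch { $r['SecureBoot'] = $false }

    # TPM present and ready for use (Windows Hello for Business and attestation depend on it).
    $tpm = Get-Tpm
    $r['TpmReady'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    # Defender AV real-time protection and the MDE sensor service ("Sense").
    $mp = Get-MpComputerStatus
    $r['RealTimeProtection'] = [bool]$mp.RealTimeProtectionEnabled
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $r['EdrSensorRunning'] = [bool]($sense -and $sense.Status -eq 'Running')

    # ASR: action value 1 = Block, 2 = Audit, 6 = Warn, 0 = Disabled.
    $pref = Get-MpPreference
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $r['AsrRulesConfigured']  = $actions.Count
    $r['AsrRulesInBlockMode'] = @($actions | Where-Object { $_ -eq 1 }).Count

    # Host firewall must be enabled for Domain, Private and Public profiles.
    $disabled = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled })
    $r['FirewallAllProfiles'] = ($disabled.Count -eq 0)

    # WDAC / code integrity: 2 = Enforced, 1 = Audit, 0 = Off.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $r['CodeIntegrityEnforced'] = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)

    # Entra join state parsed from dsregcmd /status output.
    $dsreg = dsregcmd /status
    $r['EntraJoined'] = @($dsreg -match 'AzureAdJoined\s*:\s*YES').Count -gt 0

    [pscustomobject]$r
}

Get-DevicePosture | Format-List
```

Export the object with Export-Csv or push it to a log collector so the fleet-wide view matches the Intune compliance policies the checklist asks for.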
Compliance hardening (10 items)
| Priority | Description | Portal path | PowerShell |
|---|---|---|---|
| High | Enable and test the unified audit log. | Purview > Audit | `Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 10` |
| Medium | Increase audit retention to Premium levels where needed. | Purview > Audit | `Get-AdminAuditLogConfig` |
| High | Define sensitivity labels for data classes. | Purview > Information Protection | `Get-Label` |
| High | Enable DLP policies for mail, files, Teams, and endpoints. | Purview > Data loss prevention | `Get-DlpCompliancePolicy` |
| Medium | Use retention policies and labels consistently. | Purview > Data lifecycle management | `Get-RetentionCompliancePolicy` |
| Medium | Enable insider risk management only with clear governance. | Purview > Insider risk management | `Get-InsiderRiskPolicy` |
| Medium | Separate eDiscovery roles and custodians cleanly. | Purview > eDiscovery | `Get-RoleGroup` |
| Medium | Plan records management for regulatory content. | Purview > Records management | `Get-RetentionComplianceRule` |
| High | Roll out endpoint DLP for Windows and macOS. | Purview > Endpoint DLP | `Get-DlpCompliancePolicy` |
| Medium | Define alert policies for exfiltration and admin-relevant events. | Purview > Alerts | `Get-ActivityAlert` |
GitHub references
| Repository | Purpose |
|---|---|
| CISecurity/CIS-Microsoft-365-Foundations-Benchmark | Benchmark and prioritization for Microsoft 365 foundational hardening. |
| soteria-security/365Inspect | Assessment tool for Microsoft 365 security posture. |
| microsoft/Microsoft-365-Defender-Hunting-Queries | KQL reference for hunting and detection engineering. |