Azure security on day one: a tenant-level hardening guide
Azure tenants come with risky defaults — Conditional Access disabled, security defaults insufficient. Here is the day-one hardening that actually moves the dial.
An Azure / Microsoft 365 tenant is initially configured for ease of onboarding rather than security. The two foundational documents are the Microsoft Cloud Security Benchmark (MCSB) v1, which replaces the older Azure Security Benchmark, and the CIS Microsoft Azure Foundations Benchmark v2.1. Both map to Azure Policy initiatives that are ready to assign at subscription scope. Day-one hardening is not optional and is largely free.
Identity first. Disable Security Defaults if you have any Microsoft Entra ID P1 or P2 license — Security Defaults conflicts with Conditional Access. Build a Conditional Access policy set: require MFA for all users, block legacy authentication, require compliant device for privileged roles, block sign-ins from countries you do not operate in, require phishing-resistant MFA for global admins. Microsoft publishes a baseline policy set called the "Conditional Access Personas" reference architecture; clone and adapt rather than building from scratch.
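The five policies above, expressed as the Microsoft Graph `conditionalAccessPolicy` request bodies you would POST to `/identity/conditionalAccess/policies`, plus an audit that checks an exported policy list against the same baseline. This is example code added for this article, not Microsoft's reference architecture or tooling. The Global Administrator and Privileged Role Administrator role template IDs and the built-in "Phishing-resistant MFA" authentication strength ID are the well-known values; the break-glass account ID and the named location of operating countries are placeholders you must replace. New policies are emitted in report-only state so sign-in logs show their impact before anything is enforced, and the audit flags policies that never left that state.

```python
"""Day-one Conditional Access baseline: build Graph request bodies for the five
policies in the article and audit an exported policy list against them.
Example code added for this article, not Microsoft's tooling; values marked
PLACEHOLDER are assumptions you must replace."""
import json

# Well-known directory role template IDs (confirm against your tenant).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
PRIV_ROLE_ADMIN = "e8611ab8-c189-46e8-94e1-60213ab1f814"
# Built-in authentication strength "Phishing-resistant MFA".
PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"
# PLACEHOLDER: emergency-access (break-glass) account object IDs excluded from
# every policy, and the named location listing the countries you operate in.
BREAK_GLASS = ["PLACEHOLDER-break-glass-user-object-id"]
OPERATING_COUNTRIES = "PLACEHOLDER-named-location-id"
REPORT_ONLY = "enabledForReportingButNotEnforced"


def _policy(name, conditions, grant, state=REPORT_ONLY):
    """Assemble one conditionalAccessPolicy; new policies start report-only so
    the sign-in logs show the impact before anyone is locked out."""
    users = conditions.setdefault("users", {"includeUsers": ["All"]})
    users["excludeUsers"] = list(BREAK_GLASS)
    conditions.setdefault("applications", {"includeApplications": ["All"]})
    conditions.setdefault("clientAppTypes", ["all"])
    return {"displayName": name, "state": state,
            "conditions": conditions, "grantControls": grant}


def baseline_policies():
    """The article's five-policy baseline as Graph request bodies."""
    block = {"operator": "OR", "builtInControls": ["block"]}
    return [
        _policy("CA001 Require MFA for all users", {},
                {"operator": "OR", "builtInControls": ["mfa"]}),
        _policy("CA002 Block legacy authentication",
                {"clientAppTypes": ["exchangeActiveSync", "other"]}, dict(block)),
        _policy("CA003 Require compliant device for privileged roles",
                {"users": {"includeRoles": [GLOBAL_ADMIN, PRIV_ROLE_ADMIN]}},
                {"operator": "OR", "builtInControls": ["compliantDevice"]}),
        _policy("CA004 Block sign-ins from outside operating countries",
                {"locations": {"includeLocations": ["All"],
                               "excludeLocations": [OPERATING_COUNTRIES]}}, dict(block)),
        _policy("CA005 Phishing-resistant MFA for Global Admins",
                {"users": {"includeRoles": [GLOBAL_ADMIN]}},
                {"operator": "OR", "authenticationStrength": {"id": PHISHING_RESISTANT}}),
    ]


def request_bodies():
    """JSON bodies ready for POST /identity/conditionalAccess/policies."""
    return [json.dumps(p, indent=2) for p in baseline_policies()]


def audit(policies):
    """Return baseline gaps in a policy export (GET /identity/conditionalAccess/policies)."""
    def grant(p, ctl):
        return ctl in p.get("grantControls", {}).get("builtInControls", [])

    def users(p):
        return p.get("conditions", {}).get("users", {})

    enabled = [p for p in policies if p.get("state") == "enabled"]
    findings = []
    if not any(grant(p, "mfa") and "All" in users(p).get("includeUsers", []) for p in enabled):
        findings.append("no enforced MFA-for-all-users policy")
    if not any(grant(p, "block") and {"exchangeActiveSync", "other"}
               <= set(p["conditions"].get("clientAppTypes", [])) for p in enabled):
        findings.append("legacy authentication not blocked")
    if not any(p.get("grantControls", {}).get("authenticationStrength", {}).get("id")
               == PHISHING_RESISTANT and GLOBAL_ADMIN in users(p).get("includeRoles", [])
               for p in enabled):
        findings.append("Global Admins not required to use phishing-resistant MFA")
    for p in policies:
        if not set(users(p).get("excludeUsers", [])) & set(BREAK_GLASS):
            findings.append(f"{p['displayName']}: break-glass accounts not excluded")
        if p.get("state") == REPORT_ONLY:
            findings.append(f"{p['displayName']}: still report-only")
    return findings


# Constructed sample export: a tenant with only a single MFA policy in place.
LEGACY_EXPORT = [{
    "displayName": "MFA for everyone", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["All"]},
                   "clientAppTypes": ["all"]},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}]

if __name__ == "__main__":
    for finding in audit(LEGACY_EXPORT):
        print("GAP:", finding)
    print(request_bodies()[1])  # the legacy-auth block policy
```

Run the audit against a real export once the baseline is live; the break-glass check is there because a policy set that locks out every admin is the classic day-one self-inflicted incident, and the report-only check keeps "created but never enforced" policies from counting as coverage.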
Privileged access second. Designate Tier 0 administrator accounts (Global Admin, Privileged Role Admin) as separate cloud-only identities. Enroll those accounts in Privileged Identity Management with eligible (not active) role assignments, requiring approval and MFA on every activation. Limit Global Admins to fewer than five and audit weekly. Block consumer authentication methods (SMS, voice) for Tier 0 accounts. Enable PIM for Groups for sensitive Microsoft 365 groups like SharePoint admin pools.
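A PIM eligibility request builder together with the weekly Tier 0 audit the paragraph calls for, as example code added for this article (not Microsoft's tooling). It assumes the Global Administrator role template ID, the Graph `roleEligibilityScheduleRequests` body shape, and a constructed list of admin records shaped like what you would assemble from the role assignment schedules and each user's registered authentication methods; the principal ID is a placeholder.

```python
"""Weekly Tier 0 audit plus a PIM eligible-assignment request builder.
Example code added for this article, not Microsoft's own tooling; the admin
records below are constructed sample data."""
from datetime import datetime, timezone

GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"  # well-known role template ID
MAX_GLOBAL_ADMINS = 5  # the article's limit: fewer than five
PHONE_METHOD = "#microsoft.graph.phoneAuthenticationMethod"  # SMS / voice call


def eligibility_request(principal_id, role_definition_id, justification, duration="P365D"):
    """Body for POST /roleManagement/directory/roleEligibilityScheduleRequests:
    an *eligible* assignment, so every use still goes through PIM activation
    (approval and MFA are enforced by the role's PIM settings, not here)."""
    return {
        "action": "adminAssign",
        "justification": justification,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",
        "principalId": principal_id,
        "scheduleInfo": {
            "startDateTime": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "expiration": {"type": "afterDuration", "duration": duration},
        },
    }


# Constructed sample of Global Admin holders (assignment type from PIM schedules,
# sync flag from the user object, method types from /users/{id}/authentication/methods).
SAMPLE_ADMINS = [
    {"upn": "ga-alice@example.onmicrosoft.com", "assignmentType": "Eligible",
     "onPremisesSyncEnabled": False,
     "methods": ["#microsoft.graph.fido2AuthenticationMethod"]},
    {"upn": "bob@example.com", "assignmentType": "Active",
     "onPremisesSyncEnabled": True,
     "methods": [PHONE_METHOD, "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"]},
    {"upn": "ga-carol@example.onmicrosoft.com", "assignmentType": "Eligible",
     "onPremisesSyncEnabled": False,
     "methods": [PHONE_METHOD, "#microsoft.graph.fido2AuthenticationMethod"]},
]


def audit_tier0(admins, max_admins=MAX_GLOBAL_ADMINS):
    """Return findings against the article's Tier 0 rules: fewer than five
    Global Admins, eligible-only assignments, cloud-only identities, no SMS/voice."""
    findings = []
    if len(admins) >= max_admins:
        findings.append(f"{len(admins)} Global Admins; limit is fewer than {max_admins}")
    for a in admins:
        if a["assignmentType"] != "Eligible":
            findings.append(f"{a['upn']}: permanent (active) assignment, should be PIM-eligible")
        if a["onPremisesSyncEnabled"]:
            findings.append(f"{a['upn']}: synced from on-premises AD, Tier 0 must be cloud-only")
        if PHONE_METHOD in a["methods"]:
            findings.append(f"{a['upn']}: SMS/voice authentication method registered")
    return findings


if __name__ == "__main__":
    for finding in audit_tier0(SAMPLE_ADMINS):
        print("FINDING:", finding)
    print(eligibility_request("PLACEHOLDER-principal-object-id", GLOBAL_ADMIN,
                              "Tier 0 admin onboarding"))
```

Schedule the audit weekly and feed the findings to the same place your Sentinel alerts go; a synced account holding Global Admin is exactly the on-premises-to-cloud pivot that separate cloud-only Tier 0 identities exist to prevent.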
Logging, defense, governance third. Enable Microsoft Defender for Cloud at the Standard tier across all subscriptions for the workloads in scope (servers, App Service, SQL, storage, containers, key vault). Connect Microsoft Sentinel and pipe Azure AD Sign-In Logs, Audit Logs, Office 365 Activity, and Defender alerts. Enable diagnostic settings on every subscription to ship Activity Logs to a Log Analytics workspace and to immutable storage in a different subscription. Apply Azure Policy to enforce: tag governance, allowed locations, no public IP on VMs, encryption at rest, and TLS 1.2 minimum. Treat the day-one configuration as code in Bicep or Terraform.