Hardening a live M365 tenant through mail flow rules, anti-spam policies, MFA enforcement, and Microsoft Secure Score — simulating real-world security operations for an IT department.
Exchange Admin Center · Transport Rules
Configured two outbound transport rules in Exchange Admin Center: a company-wide email disclaimer appended to all outgoing messages, and a keyword-based sensitive content blocker that prevents confidential data from leaving the organisation.
Auto-appends confidentiality footer to all outbound emails from the tenant
Blocks outbound emails containing flagged terms — delivery fails with custom NDR
Used EAC Message Trace to verify rule triggers and confirm blocked delivery events
Evidence
Company Email Disclaimer outbound transport rule — Enforce mode, Priority 0, applied to all tenant senders
Outbound email received in Gmail with disclaimer appended — confirms the rule fired successfully on an external send
Block Sensitive Keywords outbound rule enabled at Priority 1 — fires after disclaimer, rejects messages containing flagged sensitive terms
NDR delivered to sender — "A custom mail flow rule at anish.website has blocked your message" confirming the rule works end-to-end
Message Trace Verification
Message Trace detail for the blocked test email — shows Receive → Submit → Fail → Transport Rule events, pinpointing exactly where the block occurred
Microsoft Defender · Email & Collaboration
Configured the default anti-spam inbound policy to quarantine high-confidence spam, added domain-level allow and block lists, and verified the quarantine dashboard reflects a clean state with no false positives.
Spam and high-confidence spam set to Quarantine — not Junk folder, ensuring admin visibility
gmail.com added to allowed senders list for reliable delivery of test messages
spam.com added to the blocked senders list — all inbound from this domain auto-quarantined
Evidence
Default inbound policy — Spam and High Confidence Spam both set to Quarantine message with DefaultFullAccessPolicy
spam.com added to blocked domains list — messages from this domain will always be quarantined automatically
Quarantine dashboard — 0 items across 30-day window, confirming no legitimate mail is being incorrectly flagged
Microsoft Entra ID · Authentication Methods
Enforced per-user Multi-Factor Authentication for the Global Administrator account via Microsoft Entra, and reviewed Password Protection settings including smart lockout thresholds and custom banned password lists.
Global Admin account (Anish Giri) set to Enforced status — strongest MFA requirement level
Reviewed smart lockout (10 attempts / 60s) and custom banned passwords settings
Reviewed MFA status across all tenant users — identified accounts without MFA enabled
Evidence
Per-user MFA page — Anish Giri set to Enforced, success toast confirms "Multifactor authentication was enabled successfully"
Microsoft Defender · Security Posture
Reviewed the tenant's Microsoft Secure Score dashboard to understand the overall security posture and identify the top recommended actions for further hardening. Achieved 76.06% (54/71 points) — above baseline for a lab tenant.
54 of 71 points achieved — 8 items remaining to address across Identity and App categories
Defender for Identity deployment, user consent policies, and Teams meeting controls identified as priority items
Score history and metrics confirm upward trend as security configurations were applied during the project
Evidence
Secure Score overview — 54/71 points achieved, 8 items To Address, trending upward after security configurations applied
Recommended actions ranked by score impact — top items include Defender for Identity deployment (+7.04%) and user consent policies (+5.63%)