What Microsoft 365 solution baseline settings are recommended?

This article outlines the recommended settings for Microsoft 365 solution baselines, helping you align with best practices while optimizing user experience, performance, and security. Adjust these settings as needed to meet your organization's requirements and compliance needs.

Important!

  • These recommendations follow Microsoft's best practices and Nerdio’s expertise from years of experience. Before implementing these changes, consult with your Security and Operations teams.

  • Before configuring your solution baseline, we recommend cloning it to ensure a fresh starting point. For details, see Solution Baselines: MSP-level Management.

Defender for Endpoint: Recommended solution baseline settings

Consider the following solution baseline recommendations:

Group

Settings

Recommendations and additional details

Prerequisites

Name and Description

These settings allow you to assign a unique name and description to each baseline, making it easier to determine its applicability for a customer.

License validation

This setting is report-only because there is no enforcement action.

Permissions

This setting is report-only because there is no enforcement action. It verifies if the correct API permissions are applied.

Enable Defender for Endpoint in Nerdio Manager for MSP

  • Enable Defender for Endpoint: Enabled.

    Justification: When enabled, this setting automatically enables Defender for Endpoint at the customer-account level.

Integrations

Intune

  • Allow Defender to manage endpoint security configurations: Enabled.

    Justification: Defender can't enforce security policies directly; this setting lets Defender apply the Intune endpoint security configurations to the devices it manages.

  • Enable device diagnostics: Enabled.

    Justification: Prevents troubleshooting limitations, enhances threat visibility, and supports effective remote assistance.

Entra – Conditional Access

  • Let Defender evaluate device risk: Enabled for all options - Windows, iOS, and Android.

    Justification: Enabling Defender for Endpoint to evaluate device risk enhances security by integrating real-time risk assessments into Entra Conditional Access policies. This ensures that access to corporate resources is dynamically controlled based on a device's security posture.

Device Onboarding

Device Onboarding

  • Device onboarding profile for Intune managed devices: Coming soon. Follow the Release Notes page for updates.

Baseline Endpoint Security Policies

  • Policy Baseline: Select either Nerdio’s default Policy baseline for Defender for Endpoint or Custom.

    Justification: The default option is ideal for partners without existing Defender for Endpoint policies. However, as you expand your Modern Work offerings, you will likely create a custom policy baseline instead. For details, see Intune: Policy Baselines.

  • Assignment: Select All devices, or Custom (manually assign the configuration profile) if you want to choose which devices the policies are assigned to for individual customers.

    Justification: Typically, you want your endpoint security policies to apply to all devices. However, if you need to make exceptions, select Custom.

Notifications

Notifications

  • Service Notifications: Coming soon. Follow the Release Notes page for updates.

Summary

Summary

This provides a high-level overview of how enabling the solution baseline affects the customer. It includes Enforce, Report-only, and Exclude modes.

Options

  • Process the recommended Solution Baselines for Defender for Endpoint after saving: If selected, this immediately applies the changes to those customer accounts where the solution baseline is currently assigned.

  • Do you want to remove policies that are affected by this change?: If selected, this removes from the solution baseline any policies that were previously assigned.

Entra ID: Recommended solution baseline settings

Consider the following solution baseline recommendations:

Group

Settings

Recommendations and additional details

General

Name and Description

These settings allow you to assign a unique name and description to each baseline, making it easier to determine its applicability for a customer.

M365 Org Settings

  • Let group owners add people outside the organization to Microsoft M365 Groups as guests: Disabled.

    Justification: Allowing external guests can introduce security and compliance risks, such as potential data leaks and unauthorized access. It's advisable to disable this setting, unless there is a clear business need.

  • Let guest group members access group content: Disabled.

    Justification: It is generally advisable to restrict guest access by default and enable it only when necessary, applying security controls to minimize data exposure.

Identity

Users

  • Users can register applications: Disabled.

    Justification: Preventing all users from registering applications helps mitigate security risks, such as unauthorized third-party app integrations that could access organizational data.

  • Restrict non-admin users from creating tenants: Enabled.

    Justification: Prevents users from unintentionally or maliciously creating separate tenants, which could lead to data fragmentation, compliance issues, or shadow IT risks.

  • Users can create security groups: Disabled.

    Justification: Ensures IT control over group management.

Groups

  • Users can create Microsoft 365 groups in Azure portals, API, or PowerShell: Disabled.

    Justification: Prevents uncontrolled group sprawl, reducing administrative overhead.

External Identities

  • Guest invite restrictions: Select Member users and users assigned to specific admin roles can invite guest users including guests with member permissions.

    Justification: Prevents uncontrolled external access and security risks.

Enterprise Apps

  • User consent for applications: Select Do not allow user consent. An administrator will be required for all apps.

    Justification: Prevents unauthorized app access and data leaks.

  • Users can request admin consent to apps they are unable to consent to: Enabled.

    Justification: Allows controlled access to apps while preventing users from granting excessive permissions.

Auth & Passwords

Registration Campaign

  • Registration Campaign State: Enabled.

    Justification: Encourages users to register for security features like MFA and Self-Service Password Reset (SSPR).

  • Days allowed to snooze: Set to 3.

    Justification: Balances security and user convenience by giving users a short grace period.

  • Limited number of snoozes: Enabled.

    Justification: Prevents indefinite postponement of security registration and forces compliance within a reasonable timeframe.

Summary

Summary

This provides a high-level overview of how enabling the solution baseline affects the customer. It includes Enforce, Report-only, and Exclude modes.

Options

  • Process the recommended Solution Baseline for Entra ID after saving: If selected, this immediately applies the changes to those customer accounts where the solution baseline is currently assigned.

  • Do you want to remove policies that are affected by this change?: If selected, this removes from the solution baseline any policies that were previously assigned.
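The script below is an added example, not part of this article or of Nerdio Manager: it reads the Entra ID settings in the table above through the Microsoft Graph PowerShell SDK and reports drift without changing anything, the same idea as the baseline's report-only mode. It assumes the Microsoft.Graph module is installed, a read-only sign-in such as Connect-MgGraph -Scopes 'Policy.Read.All','Directory.Read.All', and that the Graph property names used are the ones behind the portal options listed.

```powershell
# Added example (not from this article or from Nerdio Manager): read-only check of the
# Entra ID settings in the table above, via the Microsoft Graph PowerShell SDK.
# Assumes: Microsoft.Graph is installed and you have already run
#   Connect-MgGraph -Scopes 'Policy.Read.All','Directory.Read.All'
# Assumption: the Graph property names below are the ones that back the portal options
# in the table. Nothing is written back; this only reports.

$authz    = Get-MgPolicyAuthorizationPolicy
$consent  = Get-MgPolicyAdminConsentRequestPolicy
$campaign = (Get-MgPolicyAuthenticationMethodPolicy).RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign

# Microsoft 365 group settings live in the 'Group.Unified' directory setting. If that object
# was never created, the template defaults apply, which are permissive (group creation and
# guests allowed), so a missing value is reported as drift rather than as compliant.
$unified = Get-MgGroupSetting | Where-Object DisplayName -eq 'Group.Unified'
function Get-UnifiedValue([string]$Name) {
    # Returns the stored string ('true'/'false'), or $null when the setting object is absent.
    ($unified.Values | Where-Object Name -eq $Name).Value
}

# One row per table entry: the option as named above, what the tenant reports, the baseline value.
$checks = @(
    @{ Setting = 'Group owners can add guests to M365 Groups';    Actual = Get-UnifiedValue 'AllowToAddGuests';          Expected = 'false' }
    @{ Setting = 'Guest group members can access group content'; Actual = Get-UnifiedValue 'AllowGuestsToAccessGroups'; Expected = 'false' }
    @{ Setting = 'Users can create M365 groups';                  Actual = Get-UnifiedValue 'EnableGroupCreation';        Expected = 'false' }
    @{ Setting = 'Users can register applications';    Actual = $authz.DefaultUserRolePermissions.AllowedToCreateApps;           Expected = $false }
    @{ Setting = 'Non-admin users can create tenants'; Actual = $authz.DefaultUserRolePermissions.AllowedToCreateTenants;        Expected = $false }
    @{ Setting = 'Users can create security groups';   Actual = $authz.DefaultUserRolePermissions.AllowedToCreateSecurityGroups; Expected = $false }
    @{ Setting = 'Guest invite restrictions';          Actual = $authz.AllowInvitesFrom;  Expected = 'adminsGuestInvitersAndAllMembers' }
    # An empty list of permission-grant policies for the default user role is 'Do not allow user consent'.
    @{ Setting = 'User consent policies (empty = none)'; Actual = ($authz.PermissionGrantPolicyIdsAssignedToDefaultUserRole -join ','); Expected = '' }
    @{ Setting = 'Users can request admin consent';    Actual = $consent.IsEnabled;                               Expected = $true }
    @{ Setting = 'Registration campaign state';        Actual = $campaign.State;                                  Expected = 'enabled' }
    @{ Setting = 'Days allowed to snooze';             Actual = $campaign.SnoozeDurationInDays;                   Expected = 3 }
    @{ Setting = 'Limited number of snoozes';          Actual = $campaign.EnforceRegistrationAfterAllowedSnoozes; Expected = $true }
)

$report = foreach ($c in $checks) {
    # String comparison is case-insensitive in PowerShell, so 'True', 'true' and $true all match.
    $status = if ("$($c.Actual)" -eq "$($c.Expected)") { 'OK' } else { 'DRIFT' }
    [pscustomobject]@{ Setting = $c.Setting; Expected = $c.Expected; Actual = $c.Actual; Status = $status }
}
$report | Format-Table -AutoSize
'{0} of {1} Entra ID settings match the baseline.' -f @($report | Where-Object Status -eq 'OK').Count, @($report).Count
```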

Exchange Online: Recommended solution baseline settings

Consider the following solution baseline recommendations:

Group

Settings

Recommendations and additional details

Prerequisites

Name and Description

These settings allow you to assign a unique name and description to each baseline, making it easier to determine its applicability for a customer.

Licenses

  • Check for license: This setting is report-only because there is no enforcement action.

Permissions

  • Application context: This setting verifies if the correct API permissions are applied. It is report-only because there is no enforcement action.

Organization

Default domain

  • SPF / DKIM / DMARC: Enabled.

    Justification: Prevent spoofing, phishing, and email forgery.

  • This accepted domain is: Select Authoritative.

    Justification: Ensures that Exchange Online is the primary mail host for your domain.

  • Allow mail to be sent from this domain: Enabled.

    Justification: Ensures outgoing emails are properly routed.

Authentication

  • Modern Authentication: Enabled.

    Justification: Disables legacy authentication to reduce the attack surface.

Add-ins

  • Ensure users installing Outlook add-ins is not allowed: Enabled.

    Justification: Prevents installation of malicious add-ins.

Mail flow settings

General

  • Turn off plus addressing for the organization: Enabled.

    Justification: Prevents users from creating unlimited email variations (for example, user+randomtext@domain.com), reducing security risks and mail filtering issues.

  • Turn on sending from alias: Disabled.

    Justification: Prevents users from sending email from alternate or secondary email addresses.

Security

  • Turn off SMTP AUTH protocol for the organization: Enabled.

    Justification: SMTP AUTH is insecure and often exploited by attackers for phishing and credential stuffing.

  • Turn on use of legacy TLS clients: Disabled.

    Justification: Legacy TLS is insecure and frequently targeted by attackers. Enable legacy TLS only if absolutely necessary, and implement a phased approach to migrate older clients to more secure protocols.

Reply-all storm protection

  • Enable reply-all storm protection: Enabled.

    Justification: Prevents excessive reply-all responses that can create email storms or loops.

    • Minimum number of recipients: Set to 1000.

    • Minimum number of reply-alls: Set to 8.

    • Block duration: Set to 10 (hours).

Message Recall

  • Enable cloud-based message recall: Disabled.

    Justification: Prevents reliance on an ineffective recall feature, potential security risks, and auditing challenges.

  • Allow users to recall messages read by the recipient: Disabled.

    Justification: Prevents compromise of audit trails and violations of compliance policies (for example, legal holds, eDiscovery) by recalling read messages.

  • Enable recall alerts for recipients: Disabled.

    Justification: Prevents drawing attention to potentially sensitive information by notifying recipients when a recall attempt fails.

Mailbox settings

Security

  • External warning in Outlook: Enabled.

    Justification: Warns users about external emails to help prevent phishing attacks.

  • Ensure MailTips are enabled for end users: Enabled.

    Justification: Provides real-time email guidance.

  • Enable mailbox auditing: Enabled.

    Justification: Tracks email access and actions for compliance.

  • Additional storage providers in OWA: Disabled.

    Justification: Prevents users from storing emails in untrusted locations.

Retention

  • Default retention for deleted items: Set to 30 (days).

    Justification: Ensures emails are retained for a specified period for compliance.

  • Auto-expanding archives: Enabled.

    Justification: Provides additional mailbox storage for compliance users.

Sharing

  • Calendar sharing level: Select Calendar free/busy information with time only.

    Justification: Controls who can view or edit calendars.

  • External calendar sharing: Select Sharing with a specific domain.

    Justification: Unless your organization requires open collaboration with external domains, it is best to take a more restrictive approach.

User preferences

  • Focused Inbox: Enabled.

    Justification: Improves email organization.

Exchange Online Protection (EOP)

Anti-malware

  • Common attachments filter (only for the default policy): Enabled.

    Justification: Blocks dangerous file types, such as .exe or .vbs.

  • Notifications for internal users sending malware (only for the default policy): Enabled.

    Justification: Alerts internal senders if their email contains malware.

Anti-spam

  • Notifications have been set for Exchange Online Spam Policies: Enabled.

    Justification: Ensures users are informed about quarantined messages.

Anti-phishing

  • Anti-phishing policy has been created: Enabled.

    Justification: Protects against impersonation attacks and spoofing.

Summary

Summary

This provides a high-level overview of how enabling the solution baseline affects the customer. It includes Enforce, Report-only, and Exclude modes.

Options

  • Process the recommended Solution Baseline for Exchange Online after saving: If selected, this immediately applies the changes to those customer accounts where the solution baseline is currently assigned.

  • Do you want to remove policies that are affected by this change?: If selected, this removes from the solution baseline any policies that were previously assigned.
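The script below is an added example, not part of this article or of Nerdio Manager: it reads the Exchange Online settings in the table above with the ExchangeOnlineManagement module and reports which ones differ from the recommended values, without changing anything. It assumes an existing Connect-ExchangeOnline session with at least view-only rights, and that the property names used are the Exchange Online PowerShell properties behind the admin center options listed (the message recall and add-in checks in particular are named on that assumption).

```powershell
# Added example (not from this article or from Nerdio Manager): read-only check of the
# Exchange Online settings in the table above, using the ExchangeOnlineManagement module.
# Assumes an existing session (Connect-ExchangeOnline) with at least View-Only permissions.
# Assumption: the property names below are the Exchange Online PowerShell properties behind
# the admin center options in the table. Nothing is changed; this only reports.

$org       = Get-OrganizationConfig
$transport = Get-TransportConfig
$owa       = Get-OwaMailboxPolicy | Where-Object IsDefault
$malware   = Get-MalwareFilterPolicy -Identity Default
$external  = Get-ExternalInOutlook | Select-Object -First 1

# 'Users installing Outlook add-ins is not allowed' holds when the default role assignment
# policy carries none of the 'My ... Apps' roles that let users self-install add-ins.
$addinRoles = Get-RoleAssignmentPolicy | Where-Object IsDefault |
    ForEach-Object { $_.AssignedRoles | Where-Object { $_ -like 'My*Apps' } }

# One row per table entry: the option as named above, what the tenant reports, the baseline value.
$checks = @(
    @{ Setting = 'Modern Authentication';                Actual = $org.OAuth2ClientProfileEnabled;                    Expected = $true  }
    @{ Setting = 'Users cannot install Outlook add-ins'; Actual = (@($addinRoles).Count -eq 0);                        Expected = $true  }
    @{ Setting = 'Turn off plus addressing';             Actual = $org.DisablePlusAddressing;                          Expected = $true  }
    @{ Setting = 'Turn on sending from alias';           Actual = $org.SendFromAliasEnabled;                           Expected = $false }
    @{ Setting = 'Turn off SMTP AUTH';                   Actual = $transport.SmtpClientAuthenticationDisabled;         Expected = $true  }
    @{ Setting = 'Turn on use of legacy TLS clients';    Actual = $transport.AllowLegacyTLSClients;                    Expected = $false }
    @{ Setting = 'Reply-all storm protection';           Actual = $transport.ReplyAllStormProtectionEnabled;           Expected = $true  }
    @{ Setting = 'Reply-all minimum recipients';         Actual = $transport.ReplyAllStormDetectionMinimumRecipients;  Expected = 1000   }
    @{ Setting = 'Reply-all minimum reply-alls';         Actual = $transport.ReplyAllStormDetectionMinimumReplies;     Expected = 8      }
    @{ Setting = 'Reply-all block duration (hours)';     Actual = $transport.ReplyAllStormBlockDurationHours;          Expected = 10     }
    @{ Setting = 'Cloud-based message recall';           Actual = $org.MessageRecallEnabled;                           Expected = $false }
    @{ Setting = 'Recall messages read by recipient';    Actual = $org.RecallReadMessagesEnabled;                      Expected = $false }
    @{ Setting = 'External warning in Outlook';          Actual = $external.Enabled;                                   Expected = $true  }
    @{ Setting = 'MailTips enabled';                     Actual = $org.MailTipsAllTipsEnabled;                         Expected = $true  }
    @{ Setting = 'Mailbox auditing';                     Actual = (-not $org.AuditDisabled);                           Expected = $true  }
    @{ Setting = 'Additional storage providers in OWA';  Actual = $owa.AdditionalStorageProvidersAvailable;            Expected = $false }
    @{ Setting = 'Common attachments filter (default)';  Actual = $malware.EnableFileFilter;                           Expected = $true  }
)

$report = foreach ($c in $checks) {
    # A $null Actual (cmdlet returned nothing) never equals the expected value, so it shows as DRIFT.
    $status = if ("$($c.Actual)" -eq "$($c.Expected)") { 'OK' } else { 'DRIFT' }
    [pscustomobject]@{ Setting = $c.Setting; Expected = $c.Expected; Actual = $c.Actual; Status = $status }
}
$report | Format-Table -AutoSize
'{0} of {1} Exchange Online settings match the baseline.' -f @($report | Where-Object Status -eq 'OK').Count, @($report).Count
```

The per-mailbox items in the table (deleted item retention, auto-expanding archives) are mailbox properties rather than organization settings and are not covered by this tenant-level report.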

SharePoint and OneDrive: Recommended solution baseline settings

Consider the following solution baseline recommendations:

Group

Settings

Recommendations and additional details

Sharing

Name and Description

These settings allow you to assign a unique name and description to each baseline, making it easier to determine its applicability for a customer.

External Sharing

  • SharePoint: Select New and existing guests.

    Justification: This allows adding new external users but requires them to sign in.

  • Limit external sharing by domain: Select No.

    Justification: For security, it is best to control sharing using either an allowlist or a blocklist. However, adjust this setting based on your organization's requirements.

  • Allow guests to share items they don’t own: Disabled.

    Justification: Prevents guests from resharing confidential files they don’t own.

Access Control

Modern authentication

  • Apps that don’t use modern authentication: Select Block access.

    Justification: Preventing the use of legacy authentication methods helps mitigate security risks, as they lack MFA support and are vulnerable to password attacks.

SharePoint

Notifications

  • Allow notifications: Enabled.

    Justification: Security notifications help users detect unauthorized access or file changes.

Pages

  • Allow users to create modern pages: Enabled.

    Justification: Allow users to create internal pages for collaboration.

  • Allow commenting on modern pages: Enabled.

    Justification: Facilitates internal collaboration.

OneDrive

Retention

  • Days to retain a deleted user’s OneDrive: Set to 60 (adjust per your requirement).

    Justification: Retains files for a specified period in case of accidental deletion or compliance investigations.

Sync

  • Show the Sync button on the OneDrive website: Enabled.

    Justification: Allows users to sync files to their local device securely.

  • Block upload of specific file types: Set per your requirement.

    Justification: This blocks the upload of undesired file types, such as .exe, .msi, and .ps1.

Prerequisites

Licenses

  • Check for license: This setting is report-only because there is no enforcement action.

Permissions

  • Application context: This setting is report-only because there is no enforcement action. It verifies if the correct API permissions are applied.

Summary

Summary

This provides a high-level overview of how enabling the solution baseline affects the customer. It includes Enforce, Report-only, and Exclude modes.

Options

  • Process the recommended Solution Baseline for SharePoint & OneDrive after saving: If selected, this immediately applies the changes to those customer accounts where the solution baseline is currently assigned.

  • Do you want to remove policies that are affected by this change?: If selected, this removes from the solution baseline any policies that were previously assigned.

Teams: Recommended solution baseline settings

Consider the following solution baseline recommendations:

Group

Settings

Recommendations and additional details

Teams & Channels

Name and Description

These settings allow you to assign a unique name and description to each baseline, making it easier to determine its applicability for a customer.

Teams Settings

  • Create private channels: Disabled.

    Justification: Prevents increased IT overhead, limited features, and the risk of orphaned data.

  • Create shared channels: Enabled.

    Justification: Simplifies external collaboration, improves security, and reduces team sprawl.

  • Invite external users to shared channels: Disabled.

    Justification: Ensures that all additions go through IT administration, allowing for better security control.

  • Join external shared channels: Disabled.

    Justification: Allows trusted partner organizations to join through cross-tenant access settings for enhanced security control.

External Collaborators

Guest Access Settings

  • Guest Access: Off.

    Justification: Enhances security. You can handle external collaboration via shared channels, which don’t require guests in your account.

Calling

  • Make private calls: Disabled.

    Justification: Prevents unmonitored communication and potential misuse.

Meeting

  • Screen Sharing: Select Single Application mode.

    Justification: Allows collaboration without sharing files but prohibits sharing the entire desktop.

  • Meet Now in Channels: Disabled.

    Justification: Prevents security risks, compliance issues, and loss of control.

Messaging

  • Edit sent messages: Disabled.

    Justification: Prevents information tampering.

  • Delete sent messages: Disabled.

    Justification: Prevents unauthorized communication from being hidden, ensuring compliance and auditability.

  • Chat: Disabled.

    Justification: Reduces risk of unmonitored communication. Guests can still chat inside meetings.

External access

  • People in the organization can communicate with unmanaged Teams accounts: Disabled.

    Justification: Prevents unmanaged accounts from being vulnerable to phishing attacks or malware that could compromise sensitive information.

  • External users with Teams accounts not managed by an organization can contact users in the organization: Disabled.

    Justification: Prevents unverified external users from contacting internal employees for malicious purposes.

  • People in the organization can communicate with accounts in trial Teams tenants: Disabled.

    Justification: Prevents increased risk to communication due to inadequate enterprise-level security measures in trial accounts.

  • People in the organization can communicate with Skype users: Disabled.

    Justification: Prevents security risks from Skype users, especially those on consumer accounts, who are not subject to the same enterprise security standards as Teams users.

Meetings & Events

Meeting scheduling

  • Private meeting scheduling: Enabled.

    Justification: Enables private meeting scheduling only for authorized users and allows controlling who can create private meetings.

  • Meet now in private meetings: Enabled.

    Justification: Ensures that only authorized users can initiate Meet now sessions in private meetings.

  • Channel meeting scheduling: Enabled.

    Justification: Sets permissions to allow only Team Owners and Admins to schedule channel meetings.

  • Meet now in channel meetings: Enabled.

    Justification: Enables Meet now in channels only for Team Owners or authorized users.

  • Outlook add-in: Enabled.

    Justification: Enables Outlook add-in only for internal users who are trusted and require it for their daily operations.

  • Attendance and engagement report: Select On, but organizers can turn it off.

    Justification: Restricts report sharing and implements strong data retention policies to avoid unnecessary exposure.

  • Include attendees in the report: Select Yes, but attendees can opt out.

    Justification: Only include attendee information when necessary for reporting and compliance.

  • Attendee information: Select Only show who attended.

    Justification: Minimizes data exposure, enhances privacy, and reduces the risk of data misuse.

Meeting Join & Lobby

  • Anonymous users can join a meeting: Disabled.

    Justification: Reduces the risk of uninvited participants.

  • Anonymous users and dial-in callers can start a meeting: Disabled.

    Justification: Prevents unauthorized meeting initiation.

  • Who can bypass the lobby: Set to Only organizers and co-organizers.

    Justification: Ensures meetings are properly moderated.

  • People dialing in can bypass the lobby: Disabled.

    Justification: Allows controlling access for phone participants.

  • People can join external meetings hosted by: Set to Only people in trusted orgs.

    Justification: Protects users from external threats.

Meeting engagement

  • Meeting chat: Select On for everyone but anonymous users.

    Justification: Prevents spam, phishing attempts, and inappropriate messages by restricting chat access for anonymous users.

  • External meeting chat: Disabled.

    Justification: Prevents uncontrolled information sharing, security gaps with external domains, and a lack of oversight.

Content Sharing

  • Who can present: Select Only organizers and co-organizers.

    Justification: Prevents external users from sharing unwanted or malicious content.

  • Screen sharing: Select Single application.

    Justification: Prevents participants from sharing an entire screen that could expose sensitive information, notifications, or background applications.

  • Participants can give or request control: Disabled.

    Justification: Prevents any participant from taking control of a shared screen, potentially accessing confidential files.

  • External participants can give or request control: Disabled.

    Justification: Prevents external users from taking control of shared content, accessing internal systems, or executing unauthorized actions.

Recording & Transcription

  • Require participant agreement for recording and transcription: Enabled.

    Justification: Prevents legal and compliance issues, privacy concerns, and ethical considerations.

  • Transcription: Disabled.

    Justification: Prevents data retention risks, confidentiality issues, and compliance violations.

Participants

  • Anonymous users can join a meeting: Disabled.

    Justification: Prevents unverified attendees from disrupting meetings, sharing sensitive information with unintended participants, and bypassing tracking or verification.

Voice & Messaging

  • Messaging

  • Calling

  • Call Park

  • Caller ID

  • Mobility

Coming soon. Follow the Release Notes page for updates.

Prerequisites

License Validation

  • License Validation: This setting is report-only because there is no enforcement action.

Permissions

  • Permissions: This setting is report-only because there is no enforcement action.

Summary

Summary

This provides a high-level overview of how enabling the solution baseline affects the customer. It includes Enforce, Report-only, and Exclude modes.

Options

  • Process the recommended Solution Baseline for Teams after saving: If selected, this immediately applies the changes to those customer accounts where the solution baseline is currently assigned.

  • Do you want to remove policies that are affected by this change?: If selected, this removes from the solution baseline any policies that were previously assigned.
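The script below is an added example, not part of this article or of Nerdio Manager: it reads the Teams & Channels, External Collaborators, External access and Meetings & Events settings in the table above with the MicrosoftTeams module and reports drift from the recommended values without changing anything. It assumes an existing Connect-MicrosoftTeams session, that the Global policies are the ones in effect for your users, and that the policy property names used are the ones behind the Teams admin center options listed; items marked Coming soon are not covered.

```powershell
# Added example (not from this article or from Nerdio Manager): read-only check of the Teams
# settings in the table above, using the MicrosoftTeams module. Assumes an existing session
# (Connect-MicrosoftTeams) and that the Global policies are the ones in effect for users.
# Assumption: the policy property names below back the Teams admin center options in the
# table. Nothing is changed; this only reports.

$channels  = Get-CsTeamsChannelsPolicy -Identity Global
$client    = Get-CsTeamsClientConfiguration -Identity Global
$fed       = Get-CsTenantFederationConfiguration
$guestCall = Get-CsTeamsGuestCallingConfiguration
$guestMeet = Get-CsTeamsGuestMeetingConfiguration
$guestMsg  = Get-CsTeamsGuestMessagingConfiguration
$meeting   = Get-CsTeamsMeetingPolicy -Identity Global

# One row per table entry: the option as named above, what the tenant reports, the baseline value.
$checks = @(
    # Teams & Channels
    @{ Setting = 'Create private channels';                  Actual = $channels.AllowPrivateChannelCreation;                   Expected = $false }
    @{ Setting = 'Create shared channels';                   Actual = $channels.AllowSharedChannelCreation;                    Expected = $true  }
    @{ Setting = 'Invite external users to shared channels'; Actual = $channels.AllowChannelSharingToExternalUser;             Expected = $false }
    @{ Setting = 'Join external shared channels';            Actual = $channels.AllowUserToParticipateInExternalSharedChannel; Expected = $false }
    # External Collaborators: guest access and what guests may do (guest-specific configurations)
    @{ Setting = 'Guest Access';                             Actual = $client.AllowGuestUser;                                  Expected = $false }
    @{ Setting = 'Guests: make private calls';               Actual = $guestCall.AllowPrivateCalling;                          Expected = $false }
    @{ Setting = 'Guests: screen sharing';                   Actual = $guestMeet.ScreenSharingMode;                            Expected = 'SingleApplication' }
    @{ Setting = 'Guests: Meet Now in channels';             Actual = $guestMeet.AllowMeetNow;                                 Expected = $false }
    @{ Setting = 'Guests: edit sent messages';               Actual = $guestMsg.AllowUserEditMessage;                          Expected = $false }
    @{ Setting = 'Guests: delete sent messages';             Actual = $guestMsg.AllowUserDeleteMessage;                        Expected = $false }
    @{ Setting = 'Guests: chat';                             Actual = $guestMsg.AllowUserChat;                                 Expected = $false }
    # External access (tenant federation)
    @{ Setting = 'Communicate with unmanaged Teams accounts'; Actual = $fed.AllowTeamsConsumer;                                Expected = $false }
    @{ Setting = 'Unmanaged accounts can contact users';     Actual = $fed.AllowTeamsConsumerInbound;                          Expected = $false }
    @{ Setting = 'Communicate with Skype users';             Actual = $fed.AllowPublicUsers;                                   Expected = $false }
    # Meetings & Events (Global meeting policy)
    @{ Setting = 'Anonymous users can join a meeting';       Actual = $meeting.AllowAnonymousUsersToJoinMeeting;               Expected = $false }
    @{ Setting = 'Anonymous/dial-in can start a meeting';    Actual = $meeting.AllowAnonymousUsersToStartMeeting;              Expected = $false }
    @{ Setting = 'Who can bypass the lobby';                 Actual = $meeting.AutoAdmittedUsers;                              Expected = 'OrganizerOnly' }
    @{ Setting = 'Dial-in can bypass the lobby';             Actual = $meeting.AllowPSTNUsersToBypassLobby;                    Expected = $false }
    @{ Setting = 'Meeting chat';                             Actual = $meeting.MeetingChatEnabledType;                         Expected = 'EnabledExceptAnonymous' }
    @{ Setting = 'External meeting chat';                    Actual = $meeting.AllowExternalNonTrustedMeetingChat;             Expected = $false }
    @{ Setting = 'Who can present';                          Actual = $meeting.DesignatedPresenterRoleMode;                    Expected = 'OrganizerOnlyUserOverride' }
    @{ Setting = 'Screen sharing';                           Actual = $meeting.ScreenSharingMode;                              Expected = 'SingleApplication' }
    @{ Setting = 'Participants can give/request control';    Actual = $meeting.AllowParticipantGiveRequestControl;             Expected = $false }
    @{ Setting = 'External can give/request control';        Actual = $meeting.AllowExternalParticipantGiveRequestControl;     Expected = $false }
    @{ Setting = 'Require agreement for recording';          Actual = $meeting.ExplicitRecordingConsent;                       Expected = 'Enabled' }
    @{ Setting = 'Transcription';                            Actual = $meeting.AllowTranscription;                             Expected = $false }
)

$report = foreach ($c in $checks) {
    # Booleans and enum-like strings are both compared as case-insensitive strings.
    $status = if ("$($c.Actual)" -eq "$($c.Expected)") { 'OK' } else { 'DRIFT' }
    [pscustomobject]@{ Setting = $c.Setting; Expected = $c.Expected; Actual = $c.Actual; Status = $status }
}
$report | Format-Table -AutoSize
'{0} of {1} Teams settings match the baseline.' -f @($report | Where-Object Status -eq 'OK').Count, @($report).Count
```

Users assigned a custom meeting, messaging or channels policy are governed by that policy rather than Global, so check those policies by name too when the tenant uses them.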
