Get started with Microsoft 365 solution baselines in Nerdio Manager

Avatar
Nerdio Support

Get started with Microsoft 365 solution baselines in Nerdio Manager

Nerdio Manager enhances security and simplifies management of Microsoft 365 components by enabling solution baselines. Solution baselines are predefined configurations that help standardize security and compliance settings across multiple customer accounts.

This guide outlines best practices for:

  • Establishing consistent security baselines for Microsoft 365 components across accounts.

  • Monitoring and remediating solution baselines configuration drift.

Prerequisites

Before you get started, ensure the following prerequisites are met:

  • At least one Intune license exists in your MSP account.

  • You have Super Admin permissions in Nerdio Manager.

  • Microsoft 365 is enabled in your customer’s account. For details, see Enable and Disable Modern Work Components.

Workflow overview

To implement solution baselines in Nerdio Manager, complete the following steps:

Step 1: Configure solution baselines

Setting up solutions baselines ensures consistent security and configuration across your customer accounts. In Nerdio Manager, you can configure baselines for the following key Microsoft 365 components:

  • Defender for Endpoint

  • Entra ID

  • Exchange Online

  • Intune

  • SharePoint and OneDrive

  • Teams

Nerdio provides solution baselines recommended settings to help you align with best practices while optimizing user experience, performance, and security.

For detailed recommendations and their justifications, see What Microsoft 365 solution baseline settings are recommended?. Adjust these settings as needed to meet your organization's requirements and compliance needs.

Important! These recommendations follow Microsoft's best practices and Nerdio’s expertise from years of experience. Before implementing these changes, consult with your Security and Operations teams.

For details on configuring solution baselines for each component, see the following references:

Note: In Nerdio Manager, you can clone an existing solution baseline to set up a different solution baseline for each of your customer verticals. Cloning is also recommended to ensure a fresh starting point. For details, see Solution Baselines: MSP-level Management.

Step 2: Assign accounts to solution baselines

Once you have configured solution baselines with the recommended settings that reflect your desired configuration state, you can assign accounts to them. This ensures that all customer accounts linked to the baseline inherit the same configuration settings automatically. Any modifications made to the solution baseline are applied to all assigned customer accounts, ensuring ongoing consistency without the need for manual updates across multiple accounts.

Note: You need to assign each baseline individually.

To assign accounts to a solution baseline:

  1. In Nerdio Manager, at the MSP level, navigate to Solution Baselines.

  2. Locate the solution baseline you wish to work with.

  3. From the action menu, select Assign.

  4. Select Add assignments.

  5. Enter the following information:

    • Assignments: From the drop-down list, select the account(s) to assign.

    • Add / Overwrite: Select whether to add the selected accounts to the existing assignments, or replace (overwrite) the existing assignments with the new selections.

  6. Review all the assignments and select Confirm.

  7. On the Assignments page, in the Mode column, select Report-only.

    Note: Setting the solution baseline to Report-only mode helps you evaluate this baseline without immediately enforcing it on assigned accounts.

  8. Select Apply and close.

  9. Review your changes and clear the Do you want to remove policies that are affected by this change? option as needed.

    When selected, this option removes the solution baseline policies from the account if they don't have any other assignments.

    Note: Make sure you don't select the Process the solution baseline after saving option, which immediately applies the solution baseline to assigned accounts.

  10. Select Confirm.

Before you implement the solution baseline in your customer account, test it thoroughly to ensure it meets the customer requirements. Once validated, enforce your solution baseline by setting its assignment mode to Enforce.

To enforce a solution baseline:

  1. In Nerdio Manager, at the MSP level, navigate to Solution Baselines.

  2. Locate the solution baseline you wish to work with.

  3. From the action menu, select Assign.

  4. On the Assignments page, in the Mode column, select Enforce.

    Note: Setting the solution baseline to Enforce mode applies it to all assigned customer accounts.

  5. Select Apply and close.

  6. Review your changes and clear the Do you want to remove policies that are affected by this change? option as needed.

    When selected, this option removes the solution baseline policies from the account if they don't have any other assignments.

  7. Select Confirm.

For more details, see Solution Baselines: MSP-level Management.

Step 3: Monitor and manage configuration drift in solution baselines

Nerdio Manager allows you to view the status of solution baselines and accept drifts.

To view the status of solution baselines and accept drifts:

  1. In Nerdio Manager, at the MSP level, navigate to Solution Baselines.

  2. Locate the solution baseline you wish work with.

  3. From the action menu, select Status overview.

    • Alternatively, select the status overview icon.

    The Status page uses the following colors:

    • Green: Valid (Satisfied)

    • Yellow: Mismatch (Drifted)

    • Red: Not Found (Drifted)

    • Gray: Excluded

  4. (Optional) Select View details to see the details.

  5. For any drifted setting, select Accept Drift.

  6. Enter the following information:

    • Drift acceptance expires after: From the drop-down list, select the drift expiration. Alternatively, type a date.

    • Description: Optionally, type a description about why this drift was accepted.

    • Allow processing: Select this option for the next republishing to try to sync the policy.

  7. Once you have entered the desired information, select Accept.

    The setting remains in the drifted group and its status is Accepted drift.

  8. Hover over Accepted drift to see its details.

  9. To remove the acceptance, next to Accepted drift, select the remove icon.

See also

Was this article helpful?

0 out of 0 found this helpful
Have more questions? Submit a request

Related articles

Comments (0 comments)

Please sign in to leave a comment.