CMMC Microsoft 365 Setup Checklist: 35 Settings Security Engineers Must Verify

Why Microsoft 365 Configuration Is a CMMC Audit Priority

Microsoft 365 is the collaboration backbone for most defense contractors, which means it is also one of the most scrutinized environments during a CMMC Level 2 assessment. A misconfigured tenant does not just create a compliance gap — it creates a documented finding that can delay certification, trigger a Plan of Action and Milestones, and put your contracts at risk.

The checklist below reflects the 35 settings that consistently surface during assessments we support at Cleared Systems. These map directly to NIST SP 800-171 controls and the CMMC practices derived from them. If your security engineers have not verified each of these settings, your tenant is not ready for a C3PAO audit.

Before working through this checklist, confirm you are operating in the correct Microsoft cloud environment. Most contractors handling CUI require Microsoft 365 GCC High, not commercial Microsoft 365. Running CMMC workloads in a commercial tenant is one of the most common and costly configuration mistakes we see.

Identity and Access Management Settings (Checks 1–9)

Access control is the single largest CMMC domain by control count, and Microsoft 365 offers robust native tools to satisfy it — if they are properly configured.

  1. Enable Azure AD Multi-Factor Authentication for all users. MFA must be enforced for every account with access to CUI, not just administrators. Verify that no legacy authentication exceptions exist.
  2. Block legacy authentication protocols. Protocols such as SMTP AUTH, IMAP, and POP3 bypass MFA. Use Conditional Access policies to block them across the tenant.
  3. Configure Conditional Access policies for CUI environments. Policies should restrict access by compliant device status, location, and user risk level. Verify that the policies are in enforcement mode, not report-only.
  4. Enforce Privileged Identity Management (PIM) for admin roles. Global Administrator and other privileged roles should require just-in-time activation with approval workflows. Persistent standing admin access is a red flag for assessors.
  5. Audit all guest and external user accounts. Guest accounts must not have access to CUI-bearing SharePoint sites, Teams channels, or OneDrive folders. Review external sharing settings at both the tenant and site level.
  6. Enable Azure AD Identity Protection risk policies. Configure user risk and sign-in risk policies to require password change or block access when anomalous behavior is detected.
  7. Verify named location and trusted IP definitions. Conditional Access policies that rely on location must have accurate network definitions. Stale or overly broad named locations undermine access control effectiveness.
  8. Disable self-service password reset without identity verification. SSPR must require identity verification through an approved second factor before allowing a password change.
  9. Review and restrict consent grant permissions. Users should not be permitted to consent to third-party OAuth applications accessing organizational data. Restrict consent to administrator-approved applications only.
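As an added example (not code from the original post or from Cleared Systems), the following Microsoft Graph PowerShell script audits checks 1 through 3 in one pass; it assumes the Microsoft.Graph.Identity.SignIns module is installed and the signed-in account has been granted Policy.Read.All.

```powershell
# Added example (not from the original post): audit Conditional Access for checks 1-3
# with the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph.Identity.SignIns
# module is installed and the signed-in account holds the Policy.Read.All permission.
Connect-MgGraph -Scopes 'Policy.Read.All'

$policies = Get-MgIdentityConditionalAccessPolicy -All
$enforced = $policies | Where-Object { $_.State -eq 'enabled' }

# Check 3: a report-only policy enforces nothing, so every one is a finding.
$policies | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' } |
    ForEach-Object { Write-Warning "Report-only, not enforced: $($_.DisplayName)" }

# Check 1: at least one enforced policy must require MFA for all users on all apps.
$mfaAll = $enforced | Where-Object {
    $_.GrantControls.BuiltInControls -contains 'mfa' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All'
}
if (-not $mfaAll) { Write-Warning 'No enforced policy requires MFA for All users on All apps' }

# Check 2: legacy clients appear as the 'exchangeActiveSync' and 'other' client app
# types; an enforced policy must block both for all users.
$legacyBlock = $enforced | Where-Object {
    $_.GrantControls.BuiltInControls -contains 'block' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.Conditions.Users.IncludeUsers -contains 'All'
}
if (-not $legacyBlock) { Write-Warning 'No enforced policy blocks legacy authentication for All users' }

# Exclusions on these policies are the "exceptions" checks 1 and 2 ask about: each
# excluded user or group (listed by object ID) needs a documented justification or removal.
foreach ($p in (@($mfaAll) + @($legacyBlock) | Where-Object { $_ })) {
    $excluded = @(@($p.Conditions.Users.ExcludeUsers) + @($p.Conditions.Users.ExcludeGroups) |
        Where-Object { $_ })
    if ($excluded.Count -gt 0) {
        Write-Warning "$($p.DisplayName) excludes: $($excluded -join ', ')"
    }
}
```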

Data Protection and DLP Settings (Checks 10–18)

CUI must be identified, labeled, and protected wherever it resides in Microsoft 365. These settings directly support CMMC practices in the Configuration Management and System and Communications Protection domains. Our post on understanding Data Loss Prevention provides additional context for implementing these controls effectively.

  10. Deploy Microsoft Purview sensitivity labels for CUI categories. Labels must align to the CUI Registry categories relevant to your contracts. Verify that labels are published to all users who handle CUI and that auto-labeling policies are active.
  11. Configure DLP policies to detect and protect CUI. Policies should cover Exchange Online, SharePoint, OneDrive, and Teams. Verify that policies are in block mode with appropriate overrides, not audit-only.
  12. Enable encryption for sensitivity label-protected content. Verify that labels trigger rights management encryption and that external recipients cannot access CUI without authorization.
  13. Restrict external sharing in SharePoint and OneDrive. Tenant-level sharing must be restricted to existing guests or disabled entirely for CUI repositories. Verify site-level settings do not override tenant policy.
  14. Disable Microsoft 365 Groups external access for CUI teams. Teams backed by Microsoft 365 Groups can inherit sharing settings that allow external collaboration. CUI-bearing Teams must be configured to prevent external access.
  15. Review retention labels and policies for CUI content. Retention policies must align to your organization's records management requirements and contractual obligations. Verify that CUI is not subject to auto-delete policies that conflict with retention requirements.
  16. Enable insider risk management policies. Configure at minimum the data leak policy and the departing employee policy. These provide audit evidence that user activity on CUI is monitored.
  17. Verify communication compliance policies are active. For organizations handling sensitive acquisition data, communication compliance policies provide reviewable evidence of monitoring.
  18. Audit Microsoft Teams external access and federation settings. External access should be restricted to specific approved domains. Open federation with any Teams organization is not appropriate for CUI environments.
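As an added example (not from the original post or from Cleared Systems), this script gathers evidence for checks 11 and 13: it assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules, compliance and SharePoint admin roles, and a placeholder admin URL you replace with your tenant's.

```powershell
# Added example (not from the original post): evidence for checks 11 and 13 using the
# ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules. Assumes
# Compliance and SharePoint admin roles; the admin URL is a placeholder for your tenant's.
Connect-IPPSSession
Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'

# Check 11: a DLP policy enforces only when Mode is 'Enable'; the Test* modes are
# audit-only. A CUI policy should also scope all four workloads named in the check.
foreach ($pol in Get-DlpCompliancePolicy) {
    if ($pol.Mode -ne 'Enable') {
        Write-Warning "DLP policy '$($pol.Name)' is not enforcing (Mode = $($pol.Mode))"
    }
    $missing = @(
        @{ Name = 'Exchange';   Scope = $pol.ExchangeLocation },
        @{ Name = 'SharePoint'; Scope = $pol.SharePointLocation },
        @{ Name = 'OneDrive';   Scope = $pol.OneDriveLocation },
        @{ Name = 'Teams';      Scope = $pol.TeamsLocation }
    ) | Where-Object { -not $_.Scope } | ForEach-Object { $_.Name }
    if ($missing) { Write-Warning "DLP policy '$($pol.Name)' has no scope for: $($missing -join ', ')" }
}

# Check 13: rank SharingCapability from most to least restrictive, then flag the tenant
# setting and any site that shares more widely than the level documented for CUI.
$rank = @{
    Disabled                        = 0
    ExistingExternalUserSharingOnly = 1
    ExternalUserSharingOnly         = 2
    ExternalUserAndGuestSharing     = 3
}
$allowed = 'ExistingExternalUserSharingOnly'   # most permissive level you permit for CUI
$tenant  = (Get-SPOTenant).SharingCapability
if ($rank["$tenant"] -gt $rank[$allowed]) {
    Write-Warning "Tenant-level sharing is $tenant (documented maximum: $allowed)"
}
Get-SPOSite -Limit All |
    Where-Object { $rank["$($_.SharingCapability)"] -gt $rank[$allowed] } |
    Select-Object Url, SharingCapability, Owner
```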

Endpoint and Device Compliance Settings (Checks 19–25)

CMMC requires that devices accessing CUI meet defined security baselines. Microsoft Intune is the primary enforcement mechanism in a Microsoft 365 environment.

  19. Enforce device compliance policies in Microsoft Intune. Compliance policies must require BitLocker encryption, OS patch currency, antivirus status, and firewall enablement. Non-compliant devices must be blocked from accessing CUI through Conditional Access enforcement.
  20. Enable Microsoft Defender for Endpoint integration with Intune. The Defender risk signal must be consumed by Intune compliance policies so that devices with active threats are flagged and blocked.
  21. Verify attack surface reduction rules are deployed. ASR rules must be configured in block mode for workstations accessing CUI. Document the specific rules enabled as evidence for assessors.
  22. Configure endpoint detection and response (EDR) in block mode. Defender for Endpoint must be set to block mode, not audit mode, to satisfy the CMMC requirement for active protection rather than passive detection.
  23. Audit and restrict USB and removable media access. Device control policies in Defender for Endpoint should restrict unauthorized removable media. Approved devices should require justification and logging.
  24. Verify mobile device management enrollment for all CUI-accessing devices. Unmanaged devices must not be permitted to access CUI. Confirm that Conditional Access requires a compliant or hybrid Azure AD-joined device.
  25. Enable application control policies for managed endpoints. Application allowlisting, even in audit mode, provides a control baseline and generates evidence that software execution is being monitored.
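As an added example (not from the original post or from Cleared Systems), this script collects the device-local evidence behind checks 19, 21 and 22 on a single Windows workstation; it assumes an elevated session, the Defender and BitLocker modules that ship with Windows, and an evidence file name of our choosing.

```powershell
# Added example (not from the original post): collect device-local evidence for checks
# 19, 21 and 22 on a Windows workstation. Assumes an elevated session and the Defender
# and BitLocker modules that ship with Windows; the output file name is an assumption.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Check 21: ASR rules are stored as parallel arrays of rule GUIDs and action codes
# (0 = Off, 1 = Block, 2 = Audit, 6 = Warn). Anything but Block is a finding.
$actionName = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$ids  = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
$acts = @($pref.AttackSurfaceReductionRules_Actions)
$asr = for ($i = 0; $i -lt $ids.Count; $i++) {
    [pscustomobject]@{ RuleId = $ids[$i]; Action = $actionName[[int]$acts[$i]] }
}
if (-not $asr) { Write-Warning 'No ASR rules are configured on this device' }
$asr | Where-Object { $_.Action -ne 'Block' } |
    ForEach-Object { Write-Warning "ASR rule $($_.RuleId) is in $($_.Action) mode" }

# Check 22: AMRunningMode is 'Normal' when Defender is the primary engine and blocking,
# 'EDR Block Mode' when a third-party AV is primary but EDR still blocks, and
# 'Passive Mode' when nothing from Defender on the device is blocking.
if ($status.AMRunningMode -notin 'Normal', 'EDR Block Mode') {
    Write-Warning "Defender is not blocking: AMRunningMode = $($status.AMRunningMode)"
}
if (-not $status.RealTimeProtectionEnabled) { Write-Warning 'Real-time protection is off' }

# Check 19: every volume must report full encryption with protection turned on.
$bitlockerGaps = Get-BitLockerVolume |
    Where-Object { $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted' }
$bitlockerGaps | ForEach-Object {
    Write-Warning "$($_.MountPoint): protection $($_.ProtectionStatus), $($_.VolumeStatus)"
}

# Keep the raw evidence alongside the warnings for the SSP / assessor package.
[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    Collected     = (Get-Date).ToString('o')
    AMRunningMode = $status.AMRunningMode
    AsrRules      = $asr
    BitLockerGaps = @($bitlockerGaps | Select-Object MountPoint, ProtectionStatus, VolumeStatus)
} | ConvertTo-Json -Depth 4 | Set-Content "$env:COMPUTERNAME-endpoint-evidence.json"
```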

Audit Logging and Monitoring Settings (Checks 26–31)

CMMC's Audit and Accountability domain requires that events be logged, protected, and reviewed. Microsoft 365 provides extensive logging capabilities that must be explicitly enabled and configured. For a deeper discussion of how these requirements intersect with your broader security documentation, see our overview of SSP and POA&M requirements.

  26. Enable unified audit logging in Microsoft Purview. Unified audit logging is not enabled by default in all tenants. Verify it is active and that the log retention period meets your contractual and CMMC requirements — a minimum of one year is the baseline.
  27. Configure Microsoft Sentinel or equivalent SIEM integration. Audit logs must be ingested into a SIEM that supports alerting and investigation. Verify that connector configurations are complete and data is flowing.
  28. Enable mailbox auditing for all user accounts. Mailbox auditing must be enabled for every account. Verify that the default audit actions cover send, receive, delete, and access by non-owners.
  29. Configure alerts for high-risk events. Create alerts for events including bulk file downloads, mass deletion, failed MFA attempts, and privilege escalation. These must be routed to a monitored queue.
  30. Verify admin activity logging is complete. All Azure AD and Microsoft 365 admin operations must be captured. Verify that sign-in logs, directory audit logs, and provisioning logs are retained and accessible.
  31. Test log integrity and access controls. Logs must be protected from unauthorized modification. Verify that only authorized personnel can access and export audit logs, and that the access itself is logged.
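As an added example (not from the original post or from Cleared Systems), this Exchange Online script verifies checks 26 and 28 across every user mailbox; it assumes the ExchangeOnlineManagement module and an account holding the Audit Logs and View-Only Configuration roles, and it does not read unified-log retention, which Purview audit retention policies govern separately.

```powershell
# Added example (not from the original post): verify checks 26 and 28 with the
# ExchangeOnlineManagement module. Assumes an account holding the Audit Logs and
# View-Only Configuration roles.
Connect-ExchangeOnline

# Check 26: unified audit log ingestion is a tenant-level switch.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is DISABLED for this tenant'
}

# Check 28: mailbox auditing can be turned off for the whole organisation ...
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled organisation-wide (AuditDisabled = True)'
}

# ... or weakened per mailbox. Owner actions must capture sends and deletes; the
# delegate set must include FolderBind, which records a non-owner opening the mailbox.
$ownerMust    = 'SendAs', 'SendOnBehalf', 'SoftDelete', 'HardDelete'
$delegateMust = 'FolderBind', 'SendAs', 'SendOnBehalf', 'SoftDelete', 'HardDelete'

$mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
    -Properties AuditEnabled, AuditOwner, AuditDelegate

$findings = foreach ($mbx in $mailboxes) {
    # Normalise the action lists whether they arrive as arrays or comma-joined strings.
    $owner    = @($mbx.AuditOwner)    -split ',' | ForEach-Object { $_.Trim() }
    $delegate = @($mbx.AuditDelegate) -split ',' | ForEach-Object { $_.Trim() }
    $gaps = @()
    if (-not $mbx.AuditEnabled) { $gaps += 'AuditEnabled=False' }
    $gaps += @($ownerMust    | Where-Object { $owner    -notcontains $_ } |
               ForEach-Object { "owner:$_" })
    $gaps += @($delegateMust | Where-Object { $delegate -notcontains $_ } |
               ForEach-Object { "delegate:$_" })
    if ($gaps) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Gaps = $gaps -join ' ' }
    }
}
$findings | Format-Table -AutoSize
"$(@($findings).Count) of $(@($mailboxes).Count) mailboxes need audit remediation"
```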

Additional Security Configuration Checks (Checks 32–35)

  32. Configure Microsoft Secure Score remediation priorities. Secure Score provides a structured backlog of configuration improvements. Document your score, assign ownership of open items, and establish a review cadence.
  33. Verify DNS filtering and Safe Links policies in Defender for Office 365. Safe Links must be enabled in enforcement mode for email and Office applications. Safe Attachments must be configured with Dynamic Delivery for all users handling CUI.
  34. Review and harden Exchange Online mail flow rules. Mail flow rules that bypass spam filtering, bypass DLP policies, or allow unrestricted forwarding to external addresses must be identified and remediated.
  35. Validate System Security Plan documentation reflects current configurations. Every control addressed through Microsoft 365 must be described in your SSP with specific configuration details. Assessors will cross-reference your SSP against the actual tenant configuration.
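As an added example (not from the original post or from Cleared Systems), this script surfaces the mail flow and forwarding exposures named in check 34 and the Safe Links / Safe Attachments settings in check 33; it assumes the ExchangeOnlineManagement module and an Exchange Administrator account, and the Test-External helper is ours.

```powershell
# Added example (not from the original post): surface the check 34 mail flow and
# forwarding exposures and the check 33 Defender for Office 365 settings with the
# ExchangeOnlineManagement module. Assumes an Exchange Administrator account.
Connect-ExchangeOnline
$accepted = @((Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() })
# Helper (ours): true when an SMTP address belongs to a domain the tenant does not own.
function Test-External([string]$Address) {
    $Address -and $Address.Contains('@') -and (($Address -split '@')[-1].ToLower() -notin $accepted)
}

# Check 34a: transport rules that bypass spam filtering or copy/redirect mail outward.
foreach ($rule in Get-TransportRule -ResultSize Unlimited) {
    $why = @()
    if ($rule.SetSCL -eq -1) { $why += 'sets SCL -1 (bypasses spam filtering)' }
    foreach ($prop in 'RedirectMessageTo', 'BlindCopyTo', 'CopyTo', 'AddToRecipients') {
        $ext = @($rule.$prop | ForEach-Object { "$_" } | Where-Object { Test-External $_ })
        if ($ext) { $why += "$prop -> $($ext -join ',')" }
    }
    if ($why) { Write-Warning "Rule '$($rule.Name)' [$($rule.State)]: $($why -join '; ')" }
}

# Check 34b: mailbox-level forwarding to external addresses, and whether the outbound
# spam policy still lets users auto-forward at all.
Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Where-Object { Test-External ("$($_.ForwardingSmtpAddress)" -replace '^smtp:', '') } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, DeliverToMailboxAndForward
Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.AutoForwardingMode -ne 'Off' } |
    ForEach-Object { Write-Warning "Outbound policy '$($_.Name)': AutoForwardingMode = $($_.AutoForwardingMode)" }

# Check 33: Safe Links must cover both email and Office clients; Safe Attachments must
# use Dynamic Delivery as the check requires.
Get-SafeLinksPolicy | Where-Object { -not ($_.EnableSafeLinksForEmail -and $_.EnableSafeLinksForOffice) } |
    ForEach-Object { Write-Warning "Safe Links policy '$($_.Name)' does not cover both email and Office" }
Get-SafeAttachmentPolicy | Where-Object { $_.Action -ne 'DynamicDelivery' } |
    ForEach-Object { Write-Warning "Safe Attachments policy '$($_.Name)': Action = $($_.Action)" }
```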

Turning This Checklist Into Sustained Compliance

A one-time configuration pass is not sufficient. CMMC requires continuous monitoring and evidence of ongoing management. Each of these 35 settings should be assigned an owner, incorporated into a change management process, and verified on a scheduled basis — not just in the weeks before an assessment.

If your team is working through CMMC audit preparation, this checklist should be cross-referenced against your System Security Plan and your current POA&M. Gaps identified here become documented remediation items, not surprises during the assessment.

For contractors who need support establishing the governance structure around these technical controls, our CMMC, CUI, and DFARS compliance services cover both the configuration layer and the documentation layer required for a successful assessment. Organizations that prefer ongoing executive-level security leadership to oversee this work may benefit from our Regulatory vCISO services, which provide a compliance-focused security leader without the cost of a full-time hire.

If your organization is ready to get a structured assessment of where your Microsoft 365 tenant stands today, request a quote from our team and we will scope an engagement built around your specific contract requirements and assessment timeline.
