Microsoft Compliance Configuration Checklist: 40 Settings Across Purview, Defender, and Intune

Why Microsoft Compliance Configuration Demands Deliberate Attention

Microsoft 365 is not compliant out of the box. Whether you are operating in a commercial tenant, GCC, or GCC High environment, the default settings leave significant exposure gaps that assessors, auditors, and adversaries will find before your team does. For defense contractors pursuing CMMC, federal agencies managing CUI, and healthcare organizations under HIPAA scrutiny, the configuration of Microsoft Purview, Microsoft Defender, and Microsoft Intune is not an IT task — it is a compliance obligation.

This checklist covers 40 specific settings your compliance and security teams should verify. It is organized by platform so you can assign ownership and track progress. If you are looking for broader Microsoft 365 compliance architecture guidance, our IT compliance services team works with regulated organizations daily on exactly this kind of configuration work.

Microsoft Purview: Information Protection and Governance Settings

Purview is your primary tool for data classification, labeling, retention, and data loss prevention. Misconfigured or absent Purview policies are among the most common findings in CMMC and DFARS assessments involving Microsoft environments. For deeper background on DLP policy structure, our post on understanding data loss prevention is a useful reference.

Sensitivity Labels and Information Protection

  • Setting 1: Sensitivity label taxonomy published. Labels must be created, scoped, and published to users and groups. Unpublished labels do not appear in Office applications.
  • Setting 2: CUI and ITAR labels configured with encryption. Labels covering Controlled Unclassified Information must apply encryption with rights management settings that restrict forwarding and printing.
  • Setting 3: Auto-labeling policies enabled for SharePoint, OneDrive, and Exchange. Client-side labeling alone is insufficient. Service-side auto-labeling catches documents and email that users fail to label manually. Note that a newly created auto-labeling policy runs in simulation mode and applies nothing until you review the simulation results and explicitly turn it on, so a policy that merely exists is a finding, not a control.
  • Setting 4: Default label applied to Outlook email. A default sensitivity label for outbound email reduces the risk of unprotected CUI transmission.
  • Setting 5: Label inheritance from email attachments enabled. When a labeled attachment is added to a message, the email should inherit the highest label present.
  • Setting 6: Mandatory labeling enforced. Users should not be able to save or send documents without selecting a label. This requires policy enforcement, not just recommendation.

Data Loss Prevention Policies

  • Setting 7: DLP policy covers Teams chat and channel messages. Many organizations configure DLP for email and SharePoint but forget Teams, which is a primary vector for inadvertent CUI disclosure.
  • Setting 8: DLP policy covers endpoint devices. Endpoint DLP must be enabled and scoped to prevent copying CUI to USB, unmanaged cloud locations, or unapproved applications.
  • Setting 9: Credit card and SSN patterns blocked in outbound email. Baseline PII protection requires at minimum these two sensitive information types to be detected and blocked or alerted.
  • Setting 10: DLP alerts routed to Security Operations Center or compliance team. Alerts with no reviewer are not a control. Confirm alert routing is active and documented.
  • Setting 11: DLP policy in enforce mode, not test mode. Policies left in simulation or test mode for extended periods provide no actual protection. Verify mode status in the compliance portal.
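
The following is an added example, not code from the original checklist or from Cleared Systems, that turns Settings 7, 8 and 11 into a repeatable check. It uses Security & Compliance PowerShell and assumes the ExchangeOnlineManagement module (v3 or later) is installed and the signed-in account holds a Purview role that can read DLP policies.

```powershell
# Added example (not from the original checklist): report DLP policy mode and workload coverage
# for Settings 7, 8 and 11 using Security & Compliance PowerShell.
# Assumes the ExchangeOnlineManagement module (v3+) and a Purview role that can read DLP policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession    # interactive sign-in to Security & Compliance PowerShell

# Mode values: Enable (enforced), TestWithNotifications / TestWithoutNotifications (test mode),
# Disable, PendingDeletion. Only Enable actually blocks or alerts.
$report = foreach ($p in Get-DlpCompliancePolicy) {
    [pscustomobject]@{
        Policy      = $p.Name
        Mode        = $p.Mode
        Enforced    = ($p.Mode -eq 'Enable')
        # A location property is non-empty when that workload is in scope ('All' or named locations)
        Exchange    = [bool]$p.ExchangeLocation
        SharePoint  = [bool]$p.SharePointLocation
        OneDrive    = [bool]$p.OneDriveLocation
        Teams       = [bool]$p.TeamsLocation
        EndpointDlp = [bool]$p.EndpointDlpLocation
    }
}

$report | Format-Table -AutoSize

# Assessor-style findings: anything still in test mode, and no enforced policy reaching Teams or endpoints
$notEnforced = @($report | Where-Object { -not $_.Enforced })
if ($notEnforced.Count) {
    Write-Warning "Not in enforce mode (Setting 11): $($notEnforced.Policy -join ', ')"
}
if (-not ($report | Where-Object { $_.Enforced -and $_.Teams })) {
    Write-Warning 'No enforced DLP policy covers Teams chat and channel messages (Setting 7).'
}
if (-not ($report | Where-Object { $_.Enforced -and $_.EndpointDlp })) {
    Write-Warning 'No enforced DLP policy covers endpoint devices (Setting 8); also confirm devices are onboarded.'
}
```

Save the table output as evidence for the System Security Plan; an empty EndpointDlp column across every enforced policy is the most common of the three findings, because endpoint DLP additionally requires the devices to be onboarded to Purview before the location can be selected.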

Retention Policies and Records Management

  • Setting 12: Retention policies scoped to all workloads. Exchange, SharePoint, OneDrive, Teams, and Viva Engage should each have retention policies aligned to your records schedule.
  • Setting 13: Litigation hold enabled for key custodians. For federal contractors, litigation hold protects data from deletion in the event of an investigation or contract dispute.
  • Setting 14: Retention labels applied to CUI document libraries. Beyond policy-based retention, regulatory records benefit from explicit retention labels applied to libraries containing sensitive data.
  • Setting 15: Communication compliance policy active for regulated communications. For organizations subject to export controls or ITAR, communication compliance monitoring of flagged keywords adds a critical detection layer.

Audit and eDiscovery Configuration

  • Setting 16: Audit log enabled, with Audit (Premium) where licensed. Audit (Standard), formerly Basic Audit, is on by default in most tenants; Audit (Premium), formerly Advanced Audit, adds longer default retention, higher-fidelity events such as MailItemsAccessed and Send, and more bandwidth on the Office 365 Management Activity API, all of which matter in a mailbox-compromise investigation. Confirm that unified audit log ingestion is actually on (Get-AdminAuditLogConfig in Exchange Online PowerShell) rather than assuming the default.
  • Setting 17: Audit log retention set to a minimum of 12 months. NIST SP 800-171 (3.3.1) and CMMC require retaining audit records long enough to support after-the-fact investigation, and a year is the common target. Audit (Standard) retention is shorter than that (currently 180 days by default), so reaching 12 months requires Audit (Premium) licensing for the users concerned, and anything beyond the Premium default needs an audit log retention policy backed by the 10-year retention add-on. Verify both the configured retention period and the licensing coverage in the compliance portal; the setting alone does not prove the records will still be there.
  • Setting 18: Insider risk management policies configured. Purview Insider Risk Management detects risky activities such as data exfiltration before termination or unusual download patterns — a capability increasingly expected in CMMC Level 2 environments.
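
As an added example (not part of the original checklist), the following script verifies Settings 16 and 17 from PowerShell. It assumes the ExchangeOnlineManagement module; Get-AdminAuditLogConfig needs an Exchange Online session and Get-UnifiedAuditLogRetentionPolicy needs a Security & Compliance session, so both connections are made.

```powershell
# Added example (not from the original checklist): verify unified audit log ingestion and 12-month retention
# for Settings 16 and 17. Assumes the ExchangeOnlineManagement module; Get-AdminAuditLogConfig needs an
# Exchange Online session and Get-UnifiedAuditLogRetentionPolicy needs a Security & Compliance session.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
Connect-IPPSSession

# Setting 16: ingestion must be on, or nothing is written to the unified log in the first place
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit logging is OFF. Turn it on with: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
}

# Setting 17: retention policies only take effect with Audit (Premium) licensing; without one, records age
# out at the Audit (Standard) default, which is shorter than 12 months.
$yearOrLonger = 'OneYear', 'ThreeYears', 'FiveYears', 'SevenYears', 'TenYears'
$policies = @(Get-UnifiedAuditLogRetentionPolicy)

if ($policies.Count -eq 0) {
    Write-Warning 'No audit log retention policy found; the tenant default applies and will not reach 12 months.'
}

$policies | ForEach-Object {
    [pscustomobject]@{
        Policy        = $_.Name
        Priority      = $_.Priority
        Duration      = $_.RetentionDuration
        Meets12Months = ("$($_.RetentionDuration)" -in $yearOrLonger)
        RecordTypes   = ($_.RecordTypes -join ',')
        Users         = if ($_.UserIds) { $_.UserIds -join ',' } else { 'All' }
    }
} | Format-Table -AutoSize
```

A policy with Meets12Months set to True still only covers the record types and users it names, so check that the highest-priority policy matching your CUI users covers all record types rather than, say, Exchange only.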

Microsoft Defender: Endpoint and Identity Security Settings

Microsoft Defender for Endpoint, Identity, and Office 365 collectively provide threat detection and response capabilities that map directly to CMMC and NIST 800-171 incident response and malware protection requirements. Hardening these tools is essential before any assessment. Our team has documented Defender hardening settings for federal and defense environments in greater detail for organizations pursuing CMMC alignment.

Microsoft Defender for Endpoint

  • Setting 19: Defender for Endpoint onboarded to all managed devices. Confirm all Windows, macOS, and mobile endpoints are onboarded and reporting to the Defender portal. Gaps in coverage create unmonitored attack surface.
  • Setting 20: Attack Surface Reduction rules enabled in block mode. ASR rules in audit mode do not prevent attacks. Move rules to block mode after validating against your environment.
  • Setting 21: Tamper protection enabled. Prevents malware, or an insider with local administrator rights, from disabling real-time protection or altering other protected Defender settings, including through Set-MpPreference or direct registry edits. Manage it tenant-wide from the Defender portal or through Intune (Configuration Manager tenant attach also works); tamper protection cannot be turned on or off with Group Policy.
  • Setting 22: Network protection enabled in block mode. Blocks outbound connections to known-malicious and low-reputation domains and IP addresses for any process, through a network filter driver rather than a browser extension, so it covers non-browser applications and does not depend on the browser's SmartScreen settings. Audit mode only logs the connection; confirm the effective value on endpoints is Block (EnableNetworkProtection = 1 in Get-MpPreference).
  • Setting 23: Automated investigation and remediation set to full automation. For most regulated environments, full automation reduces response time and removes manual bottlenecks in the incident response process.
  • Setting 24: Vulnerability management baseline configured. Defender Vulnerability Management should have a security baselines assessment profile (CIS or STIG) assigned so that deviations appear in your exposure scoring and can be tracked to closure. Baselines assessment is a premium Defender Vulnerability Management capability, so confirm licensing before writing it into the System Security Plan.
  • Setting 25: Threat and vulnerability management connected to SIEM or ticketing system. Defender findings must flow into your remediation workflow. Standalone Defender findings without a connected ticket system frequently age without resolution.
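
The following is an added example, not from the original checklist, that audits a single Windows endpoint's effective Defender configuration for Settings 20, 21 and 22 with the built-in Defender PowerShell module. Run it elevated on the device. The rule-name table is a subset of the published ASR rule GUIDs; any rule not in the table is printed as its GUID. It is read-only by design: with tamper protection on, local Set-MpPreference changes to protected settings are blocked, so remediation belongs in the Intune or Group Policy configuration that feeds the device.

```powershell
# Added example (not from the original checklist): audit one Windows endpoint's effective Defender settings
# for Settings 20-22 using the built-in Defender PowerShell module (run elevated on the device).
# The name table is a subset of Microsoft's published ASR rule GUIDs; unlisted rules print as their GUID.
$asrNames = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence through WMI event subscription'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
}
# Action codes as reported by Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Setting 20: list every configured ASR rule and flag anything that is not in Block
$rules = for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id     = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
    $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    [pscustomobject]@{
        Rule   = if ($asrNames.ContainsKey($id)) { $asrNames[$id] } else { $id }
        Action = if ($actionName.ContainsKey($action)) { $actionName[$action] } else { "Unknown($action)" }
    }
}
$rules | Sort-Object Action | Format-Table -AutoSize
$notBlocking = @($rules | Where-Object { $_.Action -ne 'Block' })
if (-not $rules)          { Write-Warning 'No ASR rules are configured on this device (Setting 20).' }
if ($notBlocking.Count)   { Write-Warning "$($notBlocking.Count) ASR rule(s) are not in Block mode (Setting 20)." }

# Setting 21: tamper protection
if (-not $status.IsTamperProtected) { Write-Warning 'Tamper protection is OFF (Setting 21).' }

# Setting 22: network protection (0 = Disabled, 1 = Block, 2 = Audit)
if ($pref.EnableNetworkProtection -ne 1) {
    Write-Warning "Network protection is not in Block mode; value is $($pref.EnableNetworkProtection) (Setting 22)."
}
```

For fleet-wide evidence, the same three facts are available centrally in the Defender portal's device configuration reports; this script is the spot check for a device an assessor picks at random.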

Microsoft Defender for Identity and Office 365

  • Setting 26: Defender for Identity sensor deployed on all domain controllers. Identity-based attacks targeting Active Directory are the primary lateral movement vector in most breaches. Sensor coverage on every DC is non-negotiable.
  • Setting 27: Safe Attachments policy set to Block (or Dynamic Delivery), never Monitor or Off. Block and Dynamic Delivery are alternative actions within the same policy, not a combination: Block holds the message until the attachment verdict is in and is the action Microsoft's Standard and Strict preset policies use, while Dynamic Delivery delivers the message body immediately with a placeholder attachment that is swapped in once scanning finishes, which limits delay for Exchange Online mailboxes. Also enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, which is a separate global setting.
  • Setting 28: Safe Links policy enforced for all internal and external URLs. Safe Links should be configured to rewrite and scan URLs at click time, not just at delivery. Verify that the policy covers Teams in addition to email.
  • Setting 29: Anti-phishing policy with impersonation protection enabled. Configure impersonation protection for executives and key personnel. Enable mailbox intelligence to improve detection accuracy over time.
  • Setting 30: DMARC, DKIM, and SPF records published and enforced. Email authentication records prevent domain spoofing. DMARC should be set to reject or quarantine, not monitor-only, in production environments.
  • Setting 31: Defender for Cloud Apps connected as CASB and alerting on anomalous activity. Cloud App Security provides visibility into shadow IT and data movement to unmanaged cloud services — a frequent CUI leakage vector.
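
Setting 30 is easy to check from outside the tenant, and an assessor will. The following added example (not from the original checklist or from Cleared Systems) resolves the SPF and DMARC records, parses the DMARC policy tags, and reports whether the policy is actually at enforcement. It uses the Windows DnsClient module; the DKIM check at the end needs Connect-ExchangeOnline and is optional. The domain at the bottom is a hypothetical placeholder to replace with your own sending domains.

```powershell
# Added example (not from the original checklist): check SPF, DMARC and Exchange Online DKIM for Setting 30.
# DNS lookups use the Windows DnsClient module. The domain list at the bottom is a placeholder.
function Test-EmailAuth {
    param([Parameter(Mandatory)][string]$Domain)

    # Helper: TXT strings for a name, joined so a record split into 255-byte chunks is read whole
    $txt = { param($name) Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' } }

    $spf   = @(& $txt $Domain          | Where-Object { $_ -like 'v=spf1*' })
    $dmarc = @(& $txt "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })

    # DMARC records are "tag=value; tag=value"; pull out p, pct and rua
    $tags = @{}
    if ($dmarc.Count -eq 1) {
        foreach ($part in ($dmarc[0] -split ';')) {
            $kv = $part.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
        }
    }
    $policy = $tags['p']
    $pct    = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }

    # Exchange Online DKIM publishes selector1 and selector2 CNAMEs under _domainkey
    $dkimCname = Resolve-DnsName -Name "selector1._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Domain        = $Domain
        SpfRecords    = $spf.Count            # more than one SPF record is itself a permerror (RFC 7208)
        SpfHardFail   = ($spf.Count -eq 1 -and $spf[0] -match '\s-all\s*$')
        DmarcRecords  = $dmarc.Count
        DmarcPolicy   = $policy
        DmarcPercent  = $pct
        # Enforced = quarantine or reject applied to 100% of mail; p=none or pct<100 is still monitor-only
        DmarcEnforced = (($policy -in 'quarantine', 'reject') -and $pct -eq 100)
        DmarcReports  = $tags['rua']
        DkimSelector1 = [bool]$dkimCname
    }
}

# Placeholder domain (hypothetical); replace with every domain that sends mail on your behalf
'contoso.example' | ForEach-Object { Test-EmailAuth -Domain $_ } | Format-List

# Optional, after Connect-ExchangeOnline: DKIM signing must be enabled per accepted domain, not just published
# Get-DkimSigningConfig | Select-Object Domain, Enabled, Status
```

The pct tag is the detail most often missed: a record of p=reject; pct=10 is still a monitoring deployment for 90 percent of mail, and the script reports it as not enforced for that reason.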

Microsoft Intune: Device Compliance and Management Settings

Intune enforces device health as a prerequisite for accessing organizational resources. For organizations handling CUI, every device accessing that data must demonstrate compliance before being granted access. This is a foundational zero trust control. For additional context, see our post on endpoint security fundamentals.

Device Compliance Policies

  • Setting 32: Compliance policy requires BitLocker encryption on Windows devices. Full-disk encryption is required under CMMC and NIST 800-171 for devices that store or process CUI. Intune compliance policy should make this a conditional access enforcement point.
  • Setting 33: Compliance policy requires minimum OS version. Devices running unsupported or outdated operating system versions should be marked non-compliant and blocked from accessing sensitive resources.
  • Setting 34: Compliance policy requires Defender for Endpoint health signal. Integrate Defender for Endpoint risk scores into Intune compliance so that compromised devices are automatically blocked from accessing corporate resources.
  • Setting 35: Non-compliant devices marked noncompliant immediately, or after a grace period of at most one day. In Intune this is the "Mark device noncompliant" action under the compliance policy's actions for noncompliance, scheduled in days, with 0 (immediately) as the default. A longer schedule lets a device that has already failed the BitLocker, OS-version, or Defender checks keep its Conditional Access grant, so for CUI environments keep it at 0 or 1 day and confirm the Conditional Access policy actually requires a compliant device.
  • Setting 36: iOS and Android compliance policies enforce screen lock with PIN or biometric. Mobile device access to email and Teams must require authentication controls that prevent unauthorized access on lost or stolen devices.

Configuration Profiles and App Protection

  • Setting 37: App protection policies block copy and paste from managed to unmanaged apps. On mobile devices, data leakage often occurs through copy-paste or the share sheet. App protection policies block this transfer path without requiring full device enrollment.
  • Setting 38: Windows Hello for Business configured as primary authentication method. Passwordless authentication using TPM-backed credentials significantly reduces credential theft risk and supports NIST 800-171 authenticator requirements.
  • Setting 39: Device configuration profile enforces CIS Benchmark or DISA STIG baseline. Assign a hardening profile based on CIS Level 1 or applicable DISA STIG to all managed Windows endpoints. Document the baseline for assessment evidence.
  • Setting 40: Conditional Access policy blocks legacy authentication. Basic authentication over protocols such as SMTP AUTH, IMAP, POP3, and Exchange ActiveSync cannot prompt for MFA, so a leaked password alone is enough to sign in. Microsoft has retired Basic authentication for most Exchange Online protocols, but SMTP AUTH was handled on a separate, later schedule and per-tenant exceptions exist, so do not rely on the retirement alone: create a Conditional Access policy with the client apps condition set to "Exchange ActiveSync clients" and "Other clients" and the grant control set to Block, run it in report-only mode first, and use the Entra sign-in logs to find any service accounts still using legacy protocols before enforcing it.
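
As an added example, not code from the original checklist or from Cleared Systems, the following script audits the tenant for an existing legacy-authentication block, lists recent legacy-protocol sign-ins, and creates the policy in report-only mode if none exists. It assumes the Microsoft.Graph PowerShell module and an administrator who can consent to the scopes listed; $breakGlassGroupId is a hypothetical placeholder for your emergency-access group's object ID.

```powershell
# Added example (not from the original checklist): audit and, if missing, create the legacy-authentication
# block for Setting 40 with Microsoft Graph PowerShell. Assumes the Microsoft.Graph module and an admin who
# can consent to the scopes below. $breakGlassGroupId is a placeholder for your emergency-access group.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with the real group object ID
$legacyClientTypes = 'exchangeActiveSync', 'other'              # CA "client apps" values that mean legacy auth

# 1. Is there an enabled policy that blocks legacy clients for all users and all apps?
#    (Exclusions such as a break-glass group are fine and are not checked here.)
$blocking = foreach ($pol in Get-MgIdentityConditionalAccessPolicy -All) {
    $types = @($pol.Conditions.ClientAppTypes)
    $coversLegacy = @($legacyClientTypes | Where-Object { $_ -notin $types }).Count -eq 0
    if ($pol.State -eq 'enabled' -and
        $pol.GrantControls.BuiltInControls -contains 'block' -and
        $pol.Conditions.Applications.IncludeApplications -contains 'All' -and
        $pol.Conditions.Users.IncludeUsers -contains 'All' -and
        $coversLegacy) { $pol }
}
if ($blocking) { "Legacy auth is blocked by: $($blocking.DisplayName -join ', ')" }
else           { Write-Warning 'No enabled Conditional Access policy blocks legacy authentication for all users.' }

# 2. Who is still using legacy protocols? Look at the last 7 days before enforcing, so service accounts
#    that still rely on IMAP/POP/SMTP AUTH are found and migrated rather than silently broken.
$legacyApps = 'IMAP4', 'POP3', 'Authenticated SMTP', 'Exchange ActiveSync', 'Other clients',
              'Exchange Web Services', 'Outlook Anywhere (RPC over HTTP)', 'Autodiscover'
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -in $legacyApps } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 3. If nothing blocks legacy auth, create the policy in report-only mode; change state to 'enabled'
#    once the report-only results show no legitimate legacy sign-ins remain.
if (-not $blocking) {
    $body = @{
        displayName   = 'Block legacy authentication'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            clientAppTypes = $legacyClientTypes
            applications   = @{ includeApplications = @('All') }
            users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}
```

Step 2 pulls the full sign-in log for the window and filters client-side; on a large tenant, narrow the window or add a server-side filter on the client app before running it. Keep the report-only period long enough to catch weekly and monthly batch jobs that authenticate with SMTP AUTH.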

Turning This Checklist Into a Compliance Program

A checklist is a starting point, not a compliance program. Each of these 40 settings requires a documented configuration decision, an owner, evidence of implementation, and a process for ongoing verification. For defense contractors, these settings must also align to your System Security Plan and support your CMMC assessment scope. Our CMMC, CUI, and DFARS compliance services include hands-on Microsoft 365 configuration review as part of our assessment preparation engagements.

Organizations in healthcare should note that many of these same Purview and Defender settings directly satisfy HIPAA Security Rule administrative and technical safeguard requirements, particularly around audit controls, access management, and transmission security.

If your organization is managing multiple compliance frameworks simultaneously — CMMC, ITAR, HIPAA, or FedRAMP — the configuration decisions in Microsoft 365 need to be deliberate and documented. A regulatory vCISO engagement can provide the strategic oversight needed to ensure your Microsoft environment is not just configured, but defensibly configured and documented for audit.

Get Expert Help With Your Microsoft Compliance Configuration

Cleared Systems works with defense contractors, federal agencies, and regulated organizations to audit, harden, and document Microsoft 365 compliance configurations across Purview, Defender, and Intune. Whether you are preparing for a CMMC Level 2 assessment, a DCSA review, or an OCR audit, our team can identify gaps and implement remediations that hold up under scrutiny. Request a quote to discuss your environment and timeline with our compliance team.
