Microsoft Security Hardening Checklist for CMMC Level 2: 50 Settings to Lock Down First

Why Microsoft Security Hardening Is Non-Negotiable for CMMC Level 2

If your organization handles Controlled Unclassified Information and operates in the Defense Industrial Base, misconfigured Microsoft 365 settings are one of the fastest paths to a failed CMMC Level 2 assessment. Microsoft's platform is powerful, but its default configuration is designed for productivity, not compliance. Locking it down to protect CUI and meet CMMC and DFARS obligations requires deliberate, documented configuration decisions across identity, endpoint, data, and communication controls.

This checklist covers 50 Microsoft security hardening settings that Cleared Systems consistently prioritizes when helping defense contractors prepare for third-party assessments. These are not theoretical controls. They are the specific settings that assessors examine, that auditors ask about, and that adversaries exploit when left at default. Work through this list methodically, document every change in your System Security Plan, and treat each item as both a technical control and a compliance artifact.

Before diving in, understand that hardening alone does not equal compliance. Configuration must be paired with policy, training, and ongoing monitoring. That said, getting these 50 settings right will address a significant portion of the 110 NIST SP 800-171 controls that underpin CMMC Level 2 requirements.

Identity and Access Management: Settings 1–15

Identity is the primary attack surface in modern cloud environments. Every one of these settings directly maps to CMMC access control and identification and authentication practices.

  1. Enforce Multi-Factor Authentication for all users. Configure it through Conditional Access, not per-user legacy MFA, and scope it to all users and all cloud apps. The only deliberate exclusion is the emergency-access (break-glass) accounts, so that a mis-scoped policy cannot lock every administrator out; compensate with phishing-resistant credentials (FIDO2 keys), a long random password stored offline, and an alert on any sign-in. Service accounts that cannot complete interactive MFA are not grounds for a blanket exception: migrate them to workload or managed identities, or constrain them with their own Conditional Access policy.
  2. Disable legacy authentication protocols. Block Basic Authentication for POP3, IMAP, SMTP AUTH, Exchange ActiveSync, and older Office clients at two layers: a Conditional Access policy that blocks legacy authentication client apps, and Exchange Online authentication policies so the protocols are refused even if a Conditional Access policy is later mis-scoped. Legacy protocols cannot complete MFA and are a primary vector for password spray and credential stuffing attacks.
  3. Configure Conditional Access policies for CUI access. Require compliant devices, approved (named) locations, and MFA as a baseline, and deny access from non-compliant endpoints. Deploy new policies in report-only mode first and review the sign-in log impact before enforcing them.
  4. Implement Privileged Identity Management (PIM). Eliminate standing Global Administrator access. Require just-in-time activation with approval workflows, justification, and time-bound assignments.
  5. Enable Azure AD Identity Protection (now Microsoft Entra ID Protection). Configure risk-based Conditional Access policies that automatically respond to risky sign-ins and compromised user accounts.
  6. Enforce password protection and ban common passwords. Deploy Azure AD Password Protection both in the cloud and on-premises (the domain controller agent) so weak passwords and your organization-specific banned list are rejected wherever a password is set.
  7. Configure sign-in risk and user risk policies. Require a password reset plus MFA for high-risk users, and require MFA for medium- and high-risk sign-ins before access is granted.
  8. Enable Privileged Access Workstations (PAW) for admin accounts. Admin tasks should only occur from hardened, dedicated workstations that cannot browse the general internet or receive email.
  9. Disable the default user consent for applications. Set user consent to "Do not allow user consent" (or at most allow verified publishers for low-impact permissions) and enable the admin consent request workflow so an administrator approves any OAuth application before it can access organizational data. This blocks consent phishing attacks.
  10. Configure account lockout thresholds. Azure AD smart lockout is on by default (10 failed attempts, 60-second initial lockout); tighten it under the password protection settings, and set the on-premises Active Directory lockout policy through Group Policy to trigger after five failed attempts with a 30-minute lockout duration. Document the values in your account management policy.
  11. Implement separation of duties for admin roles. No single account should hold Global Administrator and other privileged roles simultaneously. Assign the least-privileged built-in role for each task (Exchange Administrator, Intune Administrator, and so on) and keep administrative accounts separate from the same people's daily-use accounts.
  12. Enforce session timeout for inactive sessions. Configure sign-in frequency and persistent browser session Conditional Access controls to require re-authentication after defined periods, particularly for CUI access.
  13. Enable continuous access evaluation. This ensures that token revocations and policy changes (user disabled, password changed, network location change) take effect in near-real-time for supported services rather than waiting for token expiration.
  14. Restrict external guest access. Configure B2B collaboration settings (guest invite restrictions, allow/deny domain lists, guest user permissions) so that foreign nationals and other guests cannot reach CUI environments without explicit authorization and proper access control documentation.
  15. Enable audit logging for all privileged operations. Ensure every Azure AD administrative action is captured in the unified audit log. The default retention (180 days) is shorter than most SSP commitments, so configure an audit log retention policy that matches your SSP requirements.
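
The script below is an added example and is not code from the original article or from Cleared Systems. It creates the Conditional Access policies behind settings 1, 2, 3 and 12 with the Microsoft Graph PowerShell SDK, checks who would be affected by the legacy-authentication block, and then closes the same gap at the Exchange Online protocol layer. The break-glass account UPN and the CUI group name are assumptions that must be replaced with your tenant's values.

```powershell
# Added example, not code from the original article. Assumptions: the break-glass UPN and the
# "CUI-Authorized-Users" group are placeholders for objects that exist in your tenant.
# Requires: Install-Module Microsoft.Graph, ExchangeOnlineManagement

$scopes = @("Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All",
            "Group.Read.All", "AuditLog.Read.All", "Directory.Read.All")
Connect-MgGraph -Scopes $scopes -NoWelcome

# Assumption: one emergency-access account exists. It is excluded from every policy so a bad
# policy cannot lock every administrator out; protect it with a FIDO2 key and alert on its use.
$breakGlass = (Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'").Id
$cuiGroup   = (Get-MgGroup -Filter "displayName eq 'CUI-Authorized-Users'").Id
if (-not $breakGlass -or -not $cuiGroup) { throw "Break-glass account or CUI group not found" }

# Every policy starts in report-only; switch state to "enabled" after reviewing sign-in log impact.
$state = "enabledForReportingButNotEnforced"

$policies = @(
  @{  # Setting 2: legacy clients cannot complete MFA, so block them outright.
    displayName = "CMMC-CA01 Block legacy authentication"
    state       = $state
    conditions  = @{
      users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
      applications   = @{ includeApplications = @("All") }
      clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
  },
  @{  # Setting 1: MFA for all users on all cloud apps.
    displayName = "CMMC-CA02 Require MFA for all users"
    state       = $state
    conditions  = @{
      users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
      applications   = @{ includeApplications = @("All") }
      clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
  },
  @{  # Settings 3 and 12: CUI users need MFA AND a compliant device; re-authenticate every 8 hours.
    displayName = "CMMC-CA03 CUI access requires compliant device and MFA"
    state       = $state
    conditions  = @{
      users          = @{ includeGroups = @($cuiGroup); excludeUsers = @($breakGlass) }
      applications   = @{ includeApplications = @("All") }
      clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls   = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
    sessionControls = @{
      signInFrequency   = @{ value = 8; type = "hours"; isEnabled = $true }
      persistentBrowser = @{ mode = "never"; isEnabled = $true }
    }
  }
)

foreach ($p in $policies) {
  if (Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'") {
    Write-Host "Exists: $($p.displayName)"; continue
  }
  New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Out-Null
  Write-Host "Created in report-only mode: $($p.displayName)"
}

# Check before enforcing CA01: who still signs in with legacy protocols? Each row is a user or
# integration that will break, so it needs remediation or a documented exception.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
  Where-Object { $_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients") } |
  Group-Object UserPrincipalName, ClientAppUsed | Sort-Object Count -Descending |
  Select-Object Count, Name -First 25

# Setting 2 at the protocol layer: Exchange Online refuses Basic Auth and SMTP AUTH even if a
# Conditional Access policy is later mis-scoped.
Connect-ExchangeOnline -ShowBanner:$false
if (-not (Get-AuthenticationPolicy -Identity "Block Basic Auth" -ErrorAction SilentlyContinue)) {
  New-AuthenticationPolicy -Name "Block Basic Auth" | Out-Null   # every AllowBasicAuth* defaults to $false
}
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"
Set-TransportConfig -SmtpClientAuthenticationDisabled $true         # tenant-wide SMTP AUTH off
```

Keep the policies in report-only until the sign-in report above is empty or every remaining row has a documented exception; the policy JSON, the report output, and the date you flipped the state are the evidence an assessor will ask for.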

Endpoint and Device Security: Settings 16–28

Endpoints are where CUI is created, processed, and stored. Endpoint security hardening ensures that only trusted, compliant devices can access your environment.

  16. Enroll all devices in Microsoft Intune. Establish device compliance baselines (encryption, Defender status, OS version, firewall) that must be met before Conditional Access grants access to any organizational resource.
  17. Enable BitLocker full-disk encryption on all endpoints. Require a TPM protector, escrow recovery keys to Azure AD, and restrict who can read them. Document encryption coverage in your SSP as evidence for media protection controls.
  18. Configure Microsoft Defender Antivirus with real-time protection. Disable any user ability to turn off real-time protection. Enable cloud-delivered protection and automatic sample submission.
  19. Enable Microsoft Defender for Endpoint Plan 2. Onboard every CUI endpoint and activate attack surface reduction rules, endpoint detection and response, and automated investigation and response capabilities.
  20. Configure attack surface reduction rules in block mode. Enable all production-ready ASR rules, particularly those blocking Office applications from spawning child processes and executable content from email and webmail, plus the rule that blocks credential stealing from LSASS. Run new rules in audit mode long enough to catch line-of-business breakage before switching to block.
  21. Disable macros from the internet in Office applications. Office now blocks macros in files carrying the Mark of the Web by default, but enforce it through Group Policy or Intune (the "Block macros from running in Office files from the Internet" setting) so users cannot unblock the file or change the Trust Center setting.
  22. Enable Windows Defender Credential Guard. It uses virtualization-based security to isolate the secrets LSASS holds (NTLM hashes, Kerberos tickets) so pass-the-hash and pass-the-ticket tooling cannot read them from memory on domain-joined workstations. Windows 11 22H2 and later Enterprise devices enable it by default when the hardware requirements are met; enforce it by policy anyway and verify that it is actually running, not just configured.
  23. Enable Windows Defender Application Guard for Edge. Isolate untrusted websites in a Hyper-V container to prevent browser-based exploits from reaching the host operating system. Note that Microsoft has announced the deprecation of Application Guard for Edge; confirm its support status for your Windows build before citing it as a control, and plan a replacement such as Defender for Endpoint web protection and SmartScreen policies.
  24. Configure Intune compliance policies with grace period enforcement. Define what constitutes a non-compliant device and establish the window within which remediation must occur before access is blocked.
  25. Enable tamper protection for Microsoft Defender. Prevent malicious or unauthorized changes to Defender settings through Intune or the Microsoft 365 Defender portal. Once it is on, local changes through Set-MpPreference are rejected, which is the intended behavior.
  26. Restrict USB and removable media access. Use Intune device control policies or Group Policy to block unauthorized removable storage on devices that process CUI, and pair this with the ASR rule that blocks untrusted and unsigned processes running from USB.
  27. Configure Windows Update for Business with mandatory patch timelines. Critical patches must be deployed within defined windows. Document patching cadence and exceptions in your POA&M process.
  28. Enable Windows Firewall on all profiles with default-deny inbound rules. Verify through Intune compliance reporting that the firewall is enforced on the domain, private, and public profiles and cannot be disabled by end users.
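
The script below is an added example and is not code from the original article or from Cleared Systems. It is a local verification pass a practitioner runs in an elevated PowerShell session on a CUI endpoint to produce evidence for settings 17, 18, 20, 21, 22, 25 and 28. It reports rather than remediates, because on an Intune-managed device these settings are enforced by policy and tamper protection rejects local changes. The ASR rule GUIDs are Microsoft's published identifiers; the particular rule set checked is an assumption (the article names rules by description only).

```powershell
# Added example, not code from the original article. Reports the state of the endpoint controls
# listed above and writes a CSV for the SSP evidence folder. The ASR rules checked are an assumption.
#Requires -RunAsAdministrator

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Control, $Check, $Pass, $Detail) {
  $findings.Add([pscustomobject]@{ Control = $Control; Check = $Check; Pass = [bool]$Pass; Detail = $Detail })
}

# 17. BitLocker on the OS volume: fully encrypted, protection on, recovery password protector present.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
Add-Finding "BitLocker" "OS volume encrypted and protected" ($os.VolumeStatus -eq "FullyEncrypted" -and $os.ProtectionStatus -eq "On") "$($os.VolumeStatus)/$($os.ProtectionStatus)"
Add-Finding "BitLocker" "Recovery password protector" ($os.KeyProtector.KeyProtectorType -contains "RecoveryPassword") ($os.KeyProtector.KeyProtectorType -join ",")

# 18, 25. Defender real-time protection, cloud protection, sample submission, tamper protection.
$st   = Get-MpComputerStatus
$pref = Get-MpPreference
Add-Finding "Defender" "Real-time protection"   $st.RealTimeProtectionEnabled $null
Add-Finding "Defender" "Tamper protection"      $st.IsTamperProtected          $null
Add-Finding "Defender" "Cloud-delivered (MAPS)" ($pref.MAPSReporting -eq 2)   "MAPSReporting=$($pref.MAPSReporting) (2=Advanced)"
Add-Finding "Defender" "Sample submission"      ($pref.SubmitSamplesConsent -in @(1, 3)) "SubmitSamplesConsent=$($pref.SubmitSamplesConsent)"

# 20. ASR rules expected in block mode. Action codes: 0 Off, 1 Block, 2 Audit, 6 Warn.
$asrExpected = @{
  "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" = "Block Office apps from creating child processes"
  "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" = "Block executable content from email client and webmail"
  "3B576869-A4EC-4529-8536-B80A7769E899" = "Block Office apps from creating executable content"
  "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B" = "Block Win32 API calls from Office macros"
  "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2" = "Block credential stealing from LSASS"
}
$asrState = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
  $asrState[$pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()] = $pref.AttackSurfaceReductionRules_Actions[$i]
}
foreach ($id in $asrExpected.Keys) {
  $action = $asrState[$id]
  Add-Finding "ASR" $asrExpected[$id] ($action -eq 1) "action=$action (missing = not configured)"
}

# 21. Internet macro block is set by policy (this is the registry value GPO/Intune write), per app.
foreach ($app in "Word", "Excel", "PowerPoint") {
  $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
  $val = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
  Add-Finding "Office" "$app blocks macros from the internet" ($val -eq 1) "blockcontentexecutionfrominternet=$val"
}

# 22. Credential Guard must be running (SecurityServicesRunning contains 1), not merely configured.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
Add-Finding "CredentialGuard" "VBS running with Credential Guard" ($dg.VirtualizationBasedSecurityStatus -eq 2 -and (1 -in $dg.SecurityServicesRunning)) ("running=" + ($dg.SecurityServicesRunning -join ","))

# 28. Firewall enabled with default-deny inbound on every profile.
foreach ($fp in Get-NetFirewallProfile) {
  Add-Finding "Firewall" "$($fp.Name) profile on, inbound blocked" ($fp.Enabled -eq "True" -and $fp.DefaultInboundAction -eq "Block") "Enabled=$($fp.Enabled) Inbound=$($fp.DefaultInboundAction)"
}

$findings | Format-Table -AutoSize
# Hostname and date in the file name keep the evidence traceable to a device and a point in time.
$findings | Export-Csv -NoTypeInformation -Path ("{0}-hardening-{1:yyyyMMdd}.csv" -f $env:COMPUTERNAME, (Get-Date))
$failed = @($findings | Where-Object { -not $_.Pass }).Count
Write-Host "$failed check(s) failed"
```

Run it on a sample of devices from each Intune compliance policy scope; a failure on a device Intune reports as compliant usually means the compliance policy does not actually evaluate that setting, which is a finding against setting 16 rather than the endpoint.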

Data Protection and Information Governance: Settings 29–38

Protecting CUI at the data layer requires sensitivity labels, DLP policies, and information governance controls that follow data wherever it travels. Review our deeper analysis of Data Loss Prevention for additional context on these controls.

  29. Deploy Microsoft Purview sensitivity labels for CUI categories. Create labels that align to CUI Basic and CUI Specified categories. Apply encryption, access restrictions, and watermarking at the label level, and publish the labels to the users and groups who handle CUI.
  30. Configure auto-labeling policies for known CUI patterns. Use trainable classifiers and sensitive information types to automatically detect and label CUI in SharePoint, OneDrive, and Exchange. Run auto-labeling in simulation mode first and review the matches before turning it on.
  31. Enable DLP policies for CUI exfiltration prevention. Create policies that block or audit the sharing of labeled content externally, to personal email, or to USB devices (the last requires Endpoint DLP with devices onboarded). Start in test mode with notifications to measure false positives before enforcing.
  32. Configure retention policies aligned to CUI handling requirements. Set retention labels and policies that meet both contractual obligations and the NIST SP 800-171 audit and accountability requirements.
  33. Enable communication compliance for CUI-related communications. Configure policies to detect potential CUI exposure in Teams and Exchange, particularly in channels accessible to external users.
  34. Restrict sharing settings in SharePoint and OneDrive. Set the organizational sharing level to existing guests or only people in your organization, set the default link type to internal, and disable anonymous ("Anyone") link sharing entirely. Set per-site sharing to disabled for CUI repositories so a later loosening of the tenant setting cannot expose them.
  35. Configure Teams governance for external collaboration. Restrict who can create teams, enable guest access controls at the team level, and prevent guests from accessing CUI-designated team channels.
  36. Enable Microsoft Purview Insider Risk Management. Configure policies to detect data theft scenarios, departing employee activity, and policy violations involving CUI.
  37. Apply information barriers where separation of duties is required. Prevent specific groups from communicating or sharing data with other groups in environments with program segregation requirements.
  38. Configure eDiscovery and audit log retention for 12 months minimum. CMMC Level 2 (NIST SP 800-171 3.3.1) requires audit records to be retained to the extent needed to support monitoring, analysis, and incident investigation. Verify retention settings meet your SSP commitments.
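
The script below is an added example and is not code from the original article or from Cleared Systems. It applies setting 34 (tenant and per-site sharing) and setting 31 (a DLP policy that blocks content carrying a CUI sensitivity label from leaving the tenant), starting the DLP policy in test mode. Assumptions: a sensitivity label named "CUI" already exists (setting 29), and the admin URL, the CUI site list, and the incident mailbox are placeholders.

```powershell
# Added example, not code from the original article. Assumptions: a sensitivity label named
# "CUI" exists; URLs and the incident mailbox are placeholders.
# Requires: Install-Module Microsoft.Online.SharePoint.PowerShell, ExchangeOnlineManagement

$adminUrl        = "https://contoso-admin.sharepoint.com"                  # assumption
$cuiSites        = @("https://contoso.sharepoint.com/sites/CUI-ProgramA")  # assumption
$incidentMailbox = "soc@contoso.com"                                       # assumption

# Setting 34: tenant-wide only already-invited guests, internal links by default, no guest resharing.
Connect-SPOService -Url $adminUrl
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -PreventExternalUsersFromResharing $true
# CUI repositories get no external sharing at all, independent of the tenant setting.
foreach ($site in $cuiSites) { Set-SPOSite -Identity $site -SharingCapability Disabled }
# Check: any site still more permissive than the tenant default is a finding to explain in the SSP.
Get-SPOSite -Limit All |
  Where-Object { $_.SharingCapability -in @("ExternalUserAndGuestSharing", "ExternalUserSharingOnly") } |
  Select-Object Url, SharingCapability

# Setting 31: DLP policy keyed on the "CUI" sensitivity label, blocking access from outside the org.
Connect-IPPSSession
$policyName = "CMMC-DLP CUI external sharing"
if (-not (Get-DlpCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
  New-DlpCompliancePolicy -Name $policyName `
    -Comment "Blocks CUI-labeled content from leaving the organization (NIST SP 800-171 3.1.3)" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications | Out-Null      # test mode: users see policy tips, nothing is blocked yet

  New-DlpComplianceRule -Name "Block CUI to external recipients" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{
        operator = "And"
        groups   = @(@{ operator = "Or"; name = "CUI label"; labels = @(@{ name = "CUI"; type = "Sensitivity" }) })
      }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser @("Owner", "LastModifier") `
    -GenerateIncidentReport @($incidentMailbox) `
    -IncidentReportContent @("Title", "DocumentAuthor", "Detections", "Severity") | Out-Null
}

# After the test period, review the DLP activity report and false-positive tickets, then enforce:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keying the rule on the label rather than on a pattern means the DLP policy is only as good as labeling coverage; pair it with the auto-labeling simulation from setting 30 and record the simulation results alongside the policy export.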

Email and Collaboration Security: Settings 39–45

Email remains the primary initial access vector. These settings address the most commonly exploited gaps in Microsoft Exchange Online and Teams configurations.

  39. Enable Microsoft Defender for Office 365 Plan 2. Activate Safe Links, Safe Attachments, and anti-phishing policies with impersonation protection for all users handling CUI.
  40. Configure DMARC, DKIM, and SPF for all sending domains. Publish SPF with a hard fail (-all), enable DKIM signing for every domain, and move DMARC to a reject policy for your primary domain, staging through p=none with aggregate reporting and then p=quarantine so legitimate senders are not rejected along the way. This prevents domain spoofing in phishing attacks targeting your organization and partners.
  41. Enable Safe Attachments in dynamic delivery mode. Scan all attachments in a detonation sandbox before delivery. Apply the policy to every accepted domain, not just selected users, and turn on Safe Attachments for SharePoint, OneDrive, and Teams as well.
  42. Configure anti-phishing policies with mailbox intelligence. Enable first contact safety tips, unauthenticated sender indicators, and impersonation protection for key personnel and domains.
  43. Disable automatic email forwarding to external domains. Set the outbound spam filter policy's automatic forwarding mode to off and add a transport rule as defense in depth. Periodically enumerate inbox rules and mailbox forwarding settings as well: the policy stops delivery but leaves the rule in place, and a forwarding rule nobody created is a classic indicator of a compromised mailbox. This is one of the most frequently missed controls in CMMC assessments.
  44. Restrict calendar and contact sharing to internal users only. Prevent free/busy details and full calendar sharing with external parties unless explicitly authorized and documented.
  45. Enable audit logging for Exchange mailbox operations. Mailbox auditing is on by default in Exchange Online; verify it has not been disabled at the organization level or bypassed per mailbox, that owner, delegate, and admin operations are logged, and that the mailbox audit log age limit matches your retention commitment.
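
The script below is an added example and is not code from the original article or from Cleared Systems. It applies settings 41, 43 and 45 in Exchange Online and adds the two checks a practitioner runs before an assessment: the mailbox-level forwarding that an outbound policy alone does not surface, and the SPF, DKIM and DMARC records as actually published rather than as intended. The domain name and the 365-day audit age limit are assumptions.

```powershell
# Added example, not code from the original article. Assumptions: "contoso.com" stands in for
# your primary domain; 365 days stands in for your SSP retention commitment.
# Requires: Install-Module ExchangeOnlineManagement

Connect-ExchangeOnline -ShowBanner:$false
$domain = "contoso.com"   # assumption

# 43. Turn off automatic external forwarding tenant-wide in the default outbound spam policy.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Check: the policy stops delivery, but the rules and mailbox settings remain and are evidence
# of compromise or of a user working around policy. Enumerate both kinds.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
  Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
$mailboxes | ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName } |
  Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
  Select-Object MailboxOwnerId, Name, ForwardTo, RedirectTo, Enabled

# 41. Safe Attachments with Dynamic Delivery for every accepted domain, plus scanning of files
#     already sitting in SharePoint, OneDrive and Teams.
$domains = (Get-AcceptedDomain).DomainName
if (-not (Get-SafeAttachmentPolicy -Identity "CMMC Safe Attachments" -ErrorAction SilentlyContinue)) {
  New-SafeAttachmentPolicy -Name "CMMC Safe Attachments" -Action DynamicDelivery -Enable $true | Out-Null
  New-SafeAttachmentRule -Name "CMMC Safe Attachments" -SafeAttachmentPolicy "CMMC Safe Attachments" `
    -RecipientDomainIs $domains | Out-Null
}
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# 45. Mailbox auditing: org-level switch on, no per-mailbox bypass, age limit matching the SSP.
Set-OrganizationConfig -AuditDisabled $false
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
  Where-Object { $_.AuditBypassEnabled } | Select-Object Name, AuditBypassEnabled
$mailboxes | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 365   # assumption: 365-day commitment

# 40. Verify SPF, DKIM and DMARC from public DNS, which is what a receiving mail server sees.
$dmarc = (Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue).Strings -join ""
$spf   = (Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue).Strings |
           Where-Object { $_ -like "v=spf1*" }
[pscustomobject]@{
  Domain      = $domain
  DmarcReject = [bool]($dmarc -match "p=reject")
  Dmarc       = $dmarc
  SpfHardFail = [bool]($spf -match "-all$")
  Spf         = ($spf -join " ")
  DkimEnabled = (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue).Enabled
}
```

Any inbox rule or mailbox forwarding address the enumeration returns should be treated as an incident until its owner confirms it, and the DNS check belongs in your continuous monitoring rather than a one-time step, since DNS changes are rarely routed through the security team.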

Network and Application Security: Settings 46–50

  46. Enable Microsoft Defender for Cloud Apps (formerly MCAS) in session control mode. Use Conditional Access App Control to enforce real-time access and session controls (block download, block copy and print) for sanctioned applications, particularly when accessing from unmanaged devices.
  47. Configure Microsoft Sentinel for centralized SIEM logging. Ingest logs from Azure AD, Defender, Exchange, SharePoint, and Teams into Sentinel. Create detection rules aligned to CMMC incident response requirements, and set the Log Analytics workspace retention to match your audit retention commitment.
  48. Implement application allowlisting through Intune (App Control for Business, formerly WDAC) or AppLocker. Restrict execution to approved applications on CUI-handling endpoints. Block execution from user-writable locations including temp folders and downloads; in practice this means allowing only signed or known-hash binaries, so that an unknown executable is denied wherever it lands rather than relying on path rules alone.
  49. Configure Named Locations and compliant network controls in Conditional Access. Define trusted IP ranges and enforce network-based conditions for access to highly sensitive resources.
  50. Enable Microsoft Secure Score monitoring and remediation tracking. Use Secure Score as a continuous improvement mechanism. Assign remediation actions to responsible owners and track progress against your SSP commitments.
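
The script below is an added example and is not code from the original article or from Cleared Systems. It builds an AppLocker allowlist for setting 48 from a clean reference CUI workstation, stages it in audit mode, and tests it offline against three files to show what "block execution from Downloads" actually means under AppLocker: a signed Windows binary copied to Downloads is still allowed by its publisher rule, while the same file with its signature broken matches nothing and is denied. Paths and the choice of notepad.exe as the test binary are assumptions; production delivery of the resulting XML should be through Intune or Group Policy, not by hand on each device.

```powershell
# Added example, not code from the original article. Assumptions: the policy path, the scanned
# roots and notepad.exe as the test binary. Run elevated on a clean reference workstation.
#Requires -RunAsAdministrator

$policyDir  = Join-Path $env:ProgramData "CMMC"
$auditFile  = Join-Path $policyDir "AppLocker-CUI-audit.xml"     # what gets deployed
$testFile   = Join-Path $policyDir "AppLocker-CUI-enforced.xml"  # enforced copy used only for testing
New-Item -ItemType Directory -Path $policyDir -Force | Out-Null

# 1. Allow rules for what is installed under Program Files and Windows: publisher rules for signed
#    binaries, hash rules as the fallback for unsigned ones. Nothing is written for Downloads or
#    %TEMP%; an enforced collection denies anything that matches no allow rule.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ -and (Test-Path $_) }
$files = foreach ($root in $roots) {
  Get-AppLockerFileInformation -Directory $root -Recurse -FileType Exe, Script -ErrorAction SilentlyContinue
}
$policyXml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 2. Save one copy in AuditOnly (review event ID 8003 "would have been blocked" entries before
#    switching to Enabled) and one fully enforced copy for offline evaluation.
[xml]$audit = $policyXml
foreach ($rc in $audit.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = "AuditOnly" }
$audit.Save($auditFile)
[xml]$enforced = $policyXml
foreach ($rc in $enforced.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = "Enabled" }
$enforced.Save($testFile)

# 3. Offline test. Publisher rules are path-independent, so the untouched copy in Downloads is still
#    Allowed; flipping one byte inside the image invalidates the Authenticode signature, so the
#    tampered copy matches no publisher or hash rule and comes back DeniedByDefault.
$src      = Join-Path $env:SystemRoot "System32\notepad.exe"
$dlDir    = Join-Path $env:USERPROFILE "Downloads"
$copy     = Join-Path $dlDir "notepad-copy.exe"
$tampered = Join-Path $dlDir "notepad-tampered.exe"
Copy-Item $src $copy -Force
$bytes = [IO.File]::ReadAllBytes($src)
$bytes[0x400] = $bytes[0x400] -bxor 0xFF      # corrupt a byte in the image body; never executed
[IO.File]::WriteAllBytes($tampered, $bytes)

Test-AppLockerPolicy -XmlPolicy $testFile -Path $src, $copy, $tampered -User Everyone |
  Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize
Remove-Item $copy, $tampered -Force

# 4. Apply the audit-mode policy locally. The Application Identity service must run for AppLocker
#    to evaluate anything; on recent Windows its startup type is changed with sc.exe.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $auditFile
```

The point of the three-file test is the evidence it produces: an assessor asking how you block execution from user-writable locations gets a reproducible demonstration that an unknown binary is denied regardless of where it is placed, which is stronger than a path-based deny rule that a user can sidestep by moving the file.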

Turning This Checklist Into a Defensible Compliance Posture

Working through these 50 settings is the technical foundation, but CMMC Level 2 assessors evaluate evidence, documentation, and process maturity alongside technical controls. Every setting you configure needs a corresponding entry in your System Security Plan describing how the control is implemented, who is responsible, and how it is monitored. Settings that are partially implemented must be captured in a Plan of Action and Milestones with realistic remediation timelines.

If your organization is still determining which Microsoft tenant environment is appropriate for your CUI boundary, review our analysis of GCC High for ITAR and CMMC 2.0 before investing significant effort in commercial tenant hardening. The tenant choice affects which controls are available and how they map to CMMC practices.

For organizations that have completed initial hardening and are approaching a C3PAO assessment, our team also recommends reviewing the most commonly failed CMMC Level 2 controls to identify residual gaps before your assessment window opens.

Finally, Microsoft security hardening is not a one-time project. Configurations drift, new features require policy updates, and threat landscapes evolve. Organizations pursuing long-term compliance program maturity should consider whether a Regulatory vCISO engagement makes sense to maintain ongoing oversight of your Microsoft security posture and broader compliance obligations.

Get Expert Help With Your Microsoft Security Hardening Program

Cleared Systems works with defense contractors, federal agencies, and regulated organizations to configure, document, and maintain Microsoft 365 security environments that meet CMMC Level 2, DFARS, and NIST SP 800-171 requirements. Whether you need a gap assessment against this checklist, full SSP documentation, or hands-on configuration support, our team delivers practical results that hold up under third-party scrutiny. Request a quote today to discuss your Microsoft security hardening requirements and assessment timeline with our compliance team.
