Security Baselines in Microsoft 365
How to apply security baselines to harden endpoints and services in Microsoft 365 with secure-by-default configurations.
What security baselines are
A security baseline is a preconfigured set of recommended settings to reduce the risk of a system or service. Instead of leaving each administrator to discover the best values for hundreds of settings alone, Microsoft publishes baselines curated by its security teams, reflecting proven best practices.
The value of a baseline is turning secure configuration from an artisanal, error-prone exercise into a repeatable, auditable standard.
Where baselines apply
Baselines cover multiple layers of the Microsoft environment:
| Layer | Example settings |
|---|---|
| Windows | Account policies, exploit protection, restrictions |
| Microsoft Edge | Secure browsing controls |
| Defender for Endpoint | Antivirus, ASR, cloud protection |
| Microsoft 365 | Tenant and service settings |
On the endpoint side, baselines are distributed via Microsoft Intune, applying dozens of secure settings at once and monitoring deviations continuously.
How to adopt baselines without breaking things
Applying a full baseline at once across the whole organization is risky, since some settings can affect legacy apps. The recommended approach follows progressive deployment rings.
- Start from the default baseline relevant to your environment.
- Deploy to a pilot ring with representative users.
- Monitor impact on apps and workflows.
- Document justified deviations and adjust only what is necessary.
- Expand in rings until the whole fleet is covered.
- Reassess periodically as Microsoft updates recommendations.
Manage deviations with discipline
No baseline fits every environment perfectly. There will be cases where a setting must be loosened for a business requirement. The critical point is deviation discipline: every departure from the baseline should be documented, justified, approved and reviewed periodically.
Without that discipline, the environment accumulates silent exceptions that erode security posture. A clear deviation record lets you audit why each setting differs from the recommended standard.
Avoid policy conflicts
A common risk when managing settings via Intune is conflict between policies. When two policies define different values for the same setting, the result can be unpredictable. To avoid this:
- Consolidate related settings into a few coherent policies.
- Use descriptive names that indicate scope and purpose.
- Monitor conflict status in the configuration dashboard.
- Prefer baselines over ad hoc collections of loose settings.
Baselines versus compliance
It is worth distinguishing two complementary concepts. The security baseline defines how the device should be configured. The compliance policy checks whether the device meets minimum requirements and feeds Conditional Access. Together, they ensure devices are both configured securely and continuously verified before accessing resources.
Keep baselines up to date
Threats evolve and Microsoft updates its recommendations periodically. A baseline applied and forgotten ages. Establish a review cadence to incorporate new versions, evaluate changes and redeploy in a controlled way. Treat the baseline as a living artifact, not a one-time configuration.
Key takeaways
- Baselines are curated sets of secure-by-default settings.
- Distribute them via Intune and apply in progressive deployment rings.
- Manage deviations with discipline: document, justify, approve and review.
- Avoid conflicts by consolidating related settings into a few policies.
- Baselines configure; compliance policies verify. Use both.
RHC, a Microsoft CSP provider, deploys and maintains security baselines via Intune, hardening the environment without compromising application compatibility.
Frequently asked questions
Read next
Ready to do more with Microsoft?
Talk to an expert and discover how to optimize licensing, security and productivity.