IT & InfrastructureAdvanced 5 to 7 hours

M365 Tenant Hardening and Compliance Configuration

Configure an M365 tenant to a defensible security and compliance posture.

The Scenario

A 400-person SA mining company is consolidating to Microsoft 365 from a hybrid Exchange. The CIO wants a tenant that survives a Big Four audit and aligns with the company's POPIA obligations. The tenant currently runs at default settings.

The Brief

Design a complete M365 tenant hardening configuration covering identity, conditional access, data protection, and audit. Each control must be justified and traceable to a risk or compliance requirement.

Deliverables

  • A conditional access matrix listing each policy (block legacy auth, require MFA, require compliant device, geo-block high-risk countries, session lifetime), the user scope, and the rationale
  • A data protection baseline covering: sensitivity labels, DLP policies (POPIA personal data, banking details, ID numbers), retention labels, and encryption defaults
  • An audit and monitoring plan covering: unified audit log retention, alerts for high-risk activity, the SOC integration point, and the reporting cadence
  • A change rollout sequence ordering the controls (least-disruptive first), with communications and a rollback option per change

Submission Guidance

Tenant hardening fails when controls get rolled out at once and break legitimate workflows. Sequence conditional access carefully, validate exclusions for break-glass accounts, and pilot DLP in audit mode before enforcement.

Submit Your Work

Your submission is graded against the rubric on the right. If you pass, you get a public Badge URL you can share on LinkedIn. There is no draft save, so work offline first and paste your finished response here.

This appears on your public Badge.

We'll email you the permanent link to your Badge so you never lose it. Not shown publicly.

0/20000 charactersMarkdown supported

One per line or comma separated. Up to 5 links.

Loading security check...

By submitting, you agree your submission text, name, and evaluation will appear on a public Badge URL.