Microsoft 365 Governance Checklist
A high-level checklist for establishing a governance baseline across Microsoft Purview, Entra ID, and Intune to secure data, manage identities, and protect endpoints.
Phase 1: Foundational Data Governance (Purview)
Goal: Discover, classify, and protect sensitive data at rest and in transit.
- Identify and scan critical data repositories (SharePoint, OneDrive, Exchange).
- Configure and test key Sensitive Information Types (SITs) and trainable classifiers.
- Create and publish core sensitivity labels (e.g., General, Confidential, Highly Confidential) with content marking and encryption.
- Deploy a baseline Data Loss Prevention (DLP) policy for a critical workload (e.g., Exchange) to monitor for high-risk sharing, starting in test mode so matches are logged and reviewed before any blocking is enforced.
- Establish a data classification schema and ownership model.
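As an added, worked example (not part of the original checklist), the following Security & Compliance PowerShell script creates the baseline Exchange DLP policy described in this phase in test mode. The admin UPN, the policy and rule names, and the match thresholds are placeholders chosen for illustration; the sensitive information type names are the built-in Purview SIT names.

```powershell
# Added example, not from the original checklist: baseline Exchange DLP policy
# deployed in test mode with Security & Compliance PowerShell (ExchangeOnlineManagement module).
# Assumptions: the signed-in account holds the Compliance Administrator role; the UPN,
# policy/rule names and thresholds below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

$policyName = 'Baseline-Exchange-DLP'

# Test mode: matches are logged and users are notified, but mail is not blocked.
# Review the DLP reports for a couple of weeks before switching -Mode to Enable.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Phase 1 baseline: monitor high-risk external sharing from Exchange' `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# Rule: mail leaving the organization that carries a volume of credit card numbers
# or a high-confidence U.S. SSN match. Counts and confidence are tuning knobs;
# start strict to keep false positives (and alert fatigue) low.
New-DlpComplianceRule -Name "$policyName-External-HighVolume" `
    -Policy $policyName `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number';                 minCount = '10'; minConfidence = '85' },
        @{ Name = 'U.S. Social Security Number (SSN)';  minCount = '1';  minConfidence = '85' }
    ) `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent DocumentAuthor, DocumentLastModifier, MatchedItem, RulesMatched, Detections `
    -ReportSeverityLevel High

# Verify: the policy exists, is scoped to Exchange, and is still in test mode
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, ExchangeLocation
Get-DlpComplianceRule -Policy $policyName | Format-List Name, AccessScope, BlockAccess, ReportSeverityLevel
```

The rule is written as if it will block, so that the test-mode reports show exactly what would have been stopped; promoting the policy is then a one-parameter change (`Set-DlpCompliancePolicy -Mode Enable`) rather than a rewrite.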
Phase 2: Identity & Access Governance (Entra ID)
Goal: Enforce least-privilege access and secure authentication.
- Enforce MFA for all users; limit exclusions to documented emergency-access (break-glass) accounts and manage them through Conditional Access policies.
- Implement a baseline set of Conditional Access policies to block legacy authentication and require trusted (compliant or hybrid-joined) devices for high-risk apps, rolling each out in report-only mode before enforcing it.
- Configure Privileged Identity Management (PIM) for key Azure and M365 roles (e.g., Global Admin).
- Conduct a baseline access review for a critical M365 Group or application.
- Define and document identity lifecycle management processes (Joiner-Mover-Leaver).
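The Conditional Access baseline from this phase, as an added example using Microsoft Graph PowerShell (this script is not part of the original checklist). It assumes an emergency-access (break-glass) group already exists and that its object ID and the high-risk application IDs are supplied in the placeholder variables; all three policies are created in report-only mode so the sign-in logs show their effect before anyone is locked out.

```powershell
# Added example, not from the original checklist: three baseline Conditional Access
# policies created in report-only mode with Microsoft Graph PowerShell.
# Assumptions: $breakGlassGroupId and $highRiskApps are placeholders the reader replaces
# with real object IDs; the signed-in account can write Conditional Access policies.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'    # placeholder: emergency-access accounts group
$highRiskApps      = @('00000000-0000-0000-0000-000000000001')  # placeholder: app IDs of high-risk apps

# Report-only first: sign-in logs record what each policy *would* do without enforcing it.
# Change to 'enabled' only after reviewing the report-only results.
$state = 'enabledForReportingButNotEnforced'

$policies = @(
    @{
        displayName = 'CA001-Block-Legacy-Authentication'
        state       = $state
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
            applications   = @{ includeApplications = @('All') }
            # Legacy protocols (POP/IMAP/SMTP AUTH, basic-auth EAS) cannot satisfy MFA, so block them outright.
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{
        displayName = 'CA002-Require-MFA-All-Users'
        state       = $state
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{
        displayName = 'CA003-Require-Trusted-Device-HighRisk-Apps'
        state       = $state
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
            applications   = @{ includeApplications = $highRiskApps }
            clientAppTypes = @('all')
        }
        # Either an Intune-compliant device (Phase 3) or a hybrid-joined device satisfies this control.
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Output ('{0}  id={1}  state={2}' -f $created.DisplayName, $created.Id, $created.State)
}

# Sanity check across the tenant: any policy that targets all users but does not exclude
# the break-glass group is a lockout risk and should be listed here.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Users.IncludeUsers -contains 'All' -and
                   $_.Conditions.Users.ExcludeGroups -notcontains $breakGlassGroupId } |
    Select-Object DisplayName, State
```

The break-glass exclusion is the one exception that belongs in every all-users policy; those accounts should in turn be covered by sign-in alerting, since they are the only identities the policies do not protect.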
Phase 3: Endpoint Management & Security (Intune)
Goal: Ensure all endpoints accessing corporate data are compliant and secure.
- Enroll all corporate devices (Windows, macOS, iOS/Android) into Intune.
- Deploy baseline security policies (e.g., password complexity, disk encryption) via Intune Endpoint Security profiles.
- Configure device compliance policies to measure health and security posture.
- Integrate Intune with Conditional Access so that only devices marked compliant are granted access to corporate data.
- Set up Windows Autopilot and/or Apple Business Manager for zero-touch provisioning.
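As an added example for this phase (not part of the original checklist), the script below creates a Windows device compliance policy with Microsoft Graph PowerShell, assigns it to a device group, and then checks that a Conditional Access policy actually consumes the compliance signal. The device group ID is a placeholder, the setting values are illustrative, and the account is assumed to hold the Intune Administrator role.

```powershell
# Added example, not from the original checklist: Windows 10/11 compliance policy created and
# assigned via Microsoft Graph PowerShell, then cross-checked against Conditional Access.
# Assumptions: $deviceGroupId is a placeholder for the Entra group of corporate Windows devices;
# thresholds (password length, minimum OS build) are illustrative values.
Import-Module Microsoft.Graph.DeviceManagement
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Policy.Read.All'

$deviceGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: corporate Windows device group

$body = @{
    '@odata.type' = '#microsoft.graph.windows10CompliancePolicy'
    displayName   = 'Baseline-Windows-Compliance'
    description   = 'Phase 3 baseline: encryption, boot integrity, password, minimum OS, Defender'
    # Device health signals (BitLocker, Secure Boot, code integrity) are reported through
    # the Device Health Attestation service, so they also double as boot-integrity checks.
    bitLockerEnabled     = $true
    secureBootEnabled    = $true
    codeIntegrityEnabled = $true
    # Local password requirements
    passwordRequired      = $true
    passwordMinimumLength = 12
    passwordRequiredType  = 'alphanumeric'
    passwordMinutesOfInactivityBeforeLock = 15
    # Patch floor: devices below this build are marked non-compliant
    osMinimumVersion = '10.0.19045.0'
    # Microsoft Defender state
    antivirusRequired = $true
    defenderEnabled   = $true
    rtpEnabled        = $true
    # Required by the API: the action taken on non-compliance. gracePeriodHours = 0 marks the
    # device non-compliant immediately, which is the state Conditional Access evaluates.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}

$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $body
Write-Output "Created compliance policy $($policy.DisplayName) ($($policy.Id))"

# Assign the policy to the device group through the /assign action.
$assignBody = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $deviceGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.Id)/assign" `
    -Body $assignBody

# A compliance policy only protects data if Conditional Access requires the compliant state.
# List the CA policies that do; an empty result means Phase 2 and Phase 3 are not yet wired together.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.GrantControls.BuiltInControls -contains 'compliantDevice' } |
    Select-Object DisplayName, State
```

New devices report health attestation data only after a reboot following enrollment, so a freshly enrolled machine can show as not evaluated for a short period; build the grace period into the rollout plan rather than into the policy.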