
18 - Final Hardening / Configurations

Once everything appears to be correctly implemented AND you have successfully tested Cloud PC access, complete the following steps:

1. Conditional Access Enablement

  1. Connect to the Cloud PC first so you do not lock yourself out, then switch all of the Conditional Access policies to ON (this will block all access to the admin portals from outside of the Cloud PC)

2. Add Client User Account(s)

  1. At the very minimum, add the client technical POC, who will be the client Global Administrator & CUI User, to the tenant if you have not yet provisioned accounts

  2. Create the user in the portal.office365.us/adminportal website

    • Format: firstname.lastname@clientdomain.us
    • Don't assign them a license or anything else at this stage
    • Generate a 50+ character password and store their details within Keeper
  3. Go into Entra ID (entra.microsoft.us) and add them to the M365 G5 license group and the MFA Pending group. NO OTHER GROUPS

3. SharePoint Block/Restrict

  1. Add yourself to the 'Users - SharePoint Administrator Role - Static' group in Entra ID and use PIM to activate the role

  2. Go to the SharePoint Admin page for the tenant, and edit the two sites like so:

Home Page Site (client name gov)

  1. Membership > Site Admin > Ensure ONLY the SharePoint Administrator role is in here. NOT GLOBAL ADMINISTRATOR

  2. Membership > Site Owner > Ensure ONLY the client technical POC is in here

  3. Membership > Site Members > Ensure ONLY the 'Users - CUI User Access - Static' group is in here

  4. Membership > Site Visitors > Ensure NOTHING is in here

  5. These settings will ensure tenant administrators (the MSP) cannot access SharePoint at all

Controlled Work Site

  1. Membership > Owners > Ensure ONLY the client technical POC is in here

  2. Membership > Site admins > It should just have 'Controlled Work Site Owners'

  3. Membership > Site owners > It should just have 'Controlled Work Site Owners'

  4. Membership > Site members > It should ONLY have 'Controlled Work Site members' AND 'Users - CUI User Access - Static'

  5. Membership > Site Visitors > Ensure NOTHING is in here

  6. These settings will ensure only the right users can access the Controlled Work Site

4. Remove All Active Administrative Assignments and Move to Eligible PIM

  1. Ensure that you and the other MSP/Security team members are in the correct PIM groups (e.g. Users - Global Administrator Role - Static) within Entra ID

  2. Edit each admin's profile to remove the Active assignment of their Administrative Role(s)

    • You may need someone else to edit your own assignment, OR log in with the Emergency Access Account in a private window to remove it yourself
  3. Edit the Azure Subscription as well (portal.azure.us) to ensure all Owner assignments are 'Eligible' and not 'Active'

    • You may need someone else to edit your own assignment, OR log in with the Emergency Access Account in a private window to remove it yourself
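As an added example (not part of this runbook and not Microsoft tooling), the following Python script checks the end state that steps 3 and 4 describe: no standing Active admin assignments other than the Emergency Access Account, and Controlled Work Site membership that exactly matches the lists above. The account names, the role-assignment records and the 'jane.doe' technical POC are constructed assumptions; in practice you would feed it the membership and PIM assignment data exported from the portals.

```python
"""Offline checker for the end state of steps 3 and 4 (added example, not the
runbook's tooling). All records are constructed stand-ins for portal exports;
the field names are assumptions, not Microsoft's schema."""
# Constructed role assignments: "Active" is standing, "Eligible" needs PIM activation.
ROLE_ASSIGNMENTS = [
    {"principal": "alice@msp.us", "role": "Global Administrator", "state": "Eligible"},
    {"principal": "bob@msp.us", "role": "Global Administrator", "state": "Active"},
    {"principal": "breakglass@clientdomain.us", "role": "Global Administrator", "state": "Active"},
    {"principal": "alice@msp.us", "role": "SharePoint Administrator", "state": "Eligible"},
]
# Constructed: the Emergency Access Account is the only principal allowed to stay Active.
EMERGENCY_ACCESS_ACCOUNTS = {"breakglass@clientdomain.us"}
# Allowlist for the Controlled Work Site as specified in step 3
# (jane.doe is a constructed stand-in for the client technical POC).
CONTROLLED_WORK_SITE_EXPECTED = {
    "Owners": {"jane.doe@clientdomain.us"},
    "Site admins": {"Controlled Work Site Owners"},
    "Site owners": {"Controlled Work Site Owners"},
    "Site members": {"Controlled Work Site members", "Users - CUI User Access - Static"},
    "Site Visitors": set(),
}
# Constructed: the site as found before cleanup (an MSP admin and a default visitors claim).
SITE_MEMBERSHIP = {
    "Owners": {"jane.doe@clientdomain.us"},
    "Site admins": {"Controlled Work Site Owners"},
    "Site owners": {"Controlled Work Site Owners"},
    "Site members": {"Controlled Work Site members", "Users - CUI User Access - Static", "bob@msp.us"},
    "Site Visitors": {"Everyone except external users"},
}


def find_standing_admins(assignments, exempt=EMERGENCY_ACCESS_ACCOUNTS):
    """(principal, role) pairs still holding an Active assignment, excluding
    the emergency access account(s), which are meant to stay Active."""
    return sorted((a["principal"], a["role"]) for a in assignments
                  if a["state"] == "Active" and a["principal"] not in exempt)


def diff_site_membership(actual, expected):
    """Per membership level: (level, "extra"|"missing", entry). Extras must be
    removed and missing entries added for the site to match the allowlist."""
    findings = []
    for level in sorted(expected.keys() | actual.keys()):
        have, want = actual.get(level, set()), expected.get(level, set())
        findings += [(level, "extra", e) for e in sorted(have - want)]
        findings += [(level, "missing", m) for m in sorted(want - have)]
    return findings


if __name__ == "__main__":
    print(find_standing_admins(ROLE_ASSIGNMENTS))
    print(diff_site_membership(SITE_MEMBERSHIP, CONTROLLED_WORK_SITE_EXPECTED))
```

An empty result from both functions is the pass condition; anything else names the exact assignment or membership entry that still needs to be changed in the portal.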