On May 20, 2026, Cornerstone Systems Group (CSG) ran a hardening sweep against its own Microsoft 365 tenant. Six discrete control changes lifted Microsoft Secure Score from 84.38 percent to a projected 100 percent, measured against Microsoft’s published baseline as of that date. Secure Score is a Microsoft index, not a National Institute of Standards and Technology (NIST) or Cybersecurity Maturity Model Certification (CMMC) certification. The sweep took one focused session, cost zero dollars, and every change is reversible.

We did the work on our own tenant first because we will not recommend a security posture to a client that we have not already validated against our own operating environment. This post documents what we applied, why, and how each control maps to the federal frameworks our prospective customers are evaluated against — NIST Special Publication 800-53 Revision 5 (NIST SP 800-53 Rev. 5) and CMMC version 2.0 Level 2 (CMMC 2.0 L2).

Why we hardened our own tenant first

A capability statement that describes hardening services without naming evidence is rhetoric. A prospective contracting officer or technical point of contact evaluating CSG will run two checks before any conversation goes deep: first, does this firm operate the way it claims to, and second, does it understand the frameworks against which the buyer’s own posture is measured?

The operator tenant is the lowest-cost demonstration surface available to a small consultancy. The decisions we made there are the same decisions we will recommend to a federal or state, local, and education (SLED) client at a similar Microsoft 365 stock-keeping unit (SKU) tier. The sequence matters: harden the operator environment, document the work, then offer the work externally. This sequence is also the order federal pre-award due diligence asks about — “show us your own posture” arrives before “describe what you would do for us.”

The Secure Score figure is a useful proxy because it is published, dated, and machine-verifiable. We pair it with the framework citations below because Secure Score alone does not satisfy a CMMC assessor.

The six controls applied

Each control below states the change, the Microsoft 365 surface affected, and the framework references it maps to.

1. Unified audit logging enabled

The pre-sweep state showed unified audit logging disabled at the tenant level — a finding surfaced mid-sweep, not in the original Microsoft-tracked gap list. Audit logging was enabled via the Microsoft Purview Audit portal. Default retention on Microsoft 365 Business Standard is 180 days.

Maps to NIST SP 800-53 Rev. 5 controls AU-2 (Event Logging) and AU-12 (Audit Record Generation); CMMC 2.0 practice AU.L2-3.3.1 (Create and retain system audit logs for monitoring, analysis, investigation, and reporting).

2. Standard preset email security policy applied

The Exchange Online Protection (EOP) Standard preset security policy was applied to all recipients. This activates Microsoft’s baseline anti-spam, anti-malware, and anti-phishing rule sets without manual per-rule tuning.

Maps to NIST SP 800-53 Rev. 5 controls SI-3 (Malicious Code Protection) and SC-7 (Boundary Protection); CMMC 2.0 practice SI.L2-3.14.2 (Provide protection from malicious code at designated locations).

3. Teams meeting policy hardened

A single Teams meeting policy edit closed three sub-settings: anonymous users can no longer join meetings unverified, lobby bypass is restricted to people who were explicitly invited, and presenter rights are restricted to organizers and co-organizers.

Maps to NIST SP 800-53 Rev. 5 controls AC-3 (Access Enforcement) and SC-15 (Collaborative Computing Devices and Applications); CMMC 2.0 practice AC.L2-3.1.3 (Control the flow of controlled unclassified information).

4. End-user application consent restricted

End users can no longer grant consent to third-party applications requesting access to tenant data. Application consent now requires Global Administrator review. This control captured the single largest Secure Score gain in the sweep at +6.25 percentage points.

Maps to NIST SP 800-53 Rev. 5 controls AC-6 (Least Privilege) and CM-7 (Least Functionality); CMMC 2.0 practice AC.L2-3.1.5 (Employ the principle of least privilege).

5. Break-glass Global Administrator account provisioned

A dedicated emergency-access Global Administrator account was provisioned, with credentials stored offline in physical custody. This removes the single-administrator failure mode and satisfies Microsoft’s recommended baseline for tenant continuity.

Maps to NIST SP 800-53 Rev. 5 controls AC-2 (Account Management) and CP-2 (Contingency Planning); CMMC 2.0 practice AC.L2-3.1.1 (Limit system access to authorized users).

6. Security Defaults baseline verified enforced

Microsoft’s Security Defaults — which enforce multi-factor authentication (MFA) on all accounts and block legacy authentication protocols — were confirmed active. At the Business Standard SKU, Conditional Access is not licensed, so Security Defaults stands in for it as the tenant-floor identity protection.

Maps to NIST SP 800-53 Rev. 5 control IA-2(1) (Identification and Authentication — Multi-Factor Authentication to Privileged Accounts); CMMC 2.0 practice IA.L2-3.5.3 (Use multi-factor authentication for local and network access to privileged accounts).
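A read-only verification pass over the six settings above, added here as an example and not CSG’s own tooling: it connects to Exchange Online, Teams and Microsoft Graph, reads the current state of each control and emits one pass/fail row with the raw evidence value, which is the form an assessor can file. It assumes the ExchangeOnlineManagement, MicrosoftTeams and Microsoft.Graph modules are installed, that the caller holds a read-capable admin role, that `$BreakGlassUpn` is replaced with the real emergency account (the value shown is a placeholder), and that the three Teams property values are our mapping of the sub-settings named in control 3.

```powershell
# Added example (not CSG tooling): read-only evidence for the six controls.
# Assumes ExchangeOnlineManagement, MicrosoftTeams and Microsoft.Graph modules.
param(
    [string]$BreakGlassUpn = 'emergency-access@contoso.example'  # placeholder
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MicrosoftTeams | Out-Null
Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All' -NoWelcome

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Control, [bool]$Pass, [string]$Evidence) {
    $results.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Evidence = $Evidence })
}

# 1. Unified audit logging (AU-2 / AU-12)
$audit = Get-AdminAuditLogConfig
Add-Check '1 Unified audit log' $audit.UnifiedAuditLogIngestionEnabled "UnifiedAuditLogIngestionEnabled=$($audit.UnifiedAuditLogIngestionEnabled)"

# 2. Standard preset security policy rule enabled (SI-3 / SC-7)
$preset = Get-EOPProtectionPolicyRule -Identity 'Standard Preset Security Policy' -ErrorAction SilentlyContinue
Add-Check '2 Standard preset policy' ([bool]$preset -and $preset.State -eq 'Enabled') "State=$($preset.State)"

# 3. Teams meeting policy (AC-3 / SC-15); assumed mapping of the three sub-settings
$mtg = Get-CsTeamsMeetingPolicy -Identity Global
$teamsOk = (-not $mtg.AllowAnonymousUsersToJoinMeeting) -and
           ($mtg.AutoAdmittedUsers -eq 'InvitedUsers') -and
           ($mtg.DesignatedPresenterRoleMode -eq 'OrganizerOnlyUserOverride')
Add-Check '3 Teams meeting policy' $teamsOk "Anon=$($mtg.AllowAnonymousUsersToJoinMeeting) Lobby=$($mtg.AutoAdmittedUsers) Presenter=$($mtg.DesignatedPresenterRoleMode)"

# 4. End-user app consent blocked (AC-6 / CM-7): no permission grant policy assigned to users
$authz = Get-MgPolicyAuthorizationPolicy
$grants = @($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
Add-Check '4 User app consent blocked' ($grants.Count -eq 0) "PermissionGrantPoliciesAssigned=[$($grants -join ',')]"

# 5. Break-glass account present and enabled (AC-2 / CP-2)
$bg = Get-MgUser -UserId $BreakGlassUpn -Property AccountEnabled, UserPrincipalName -ErrorAction SilentlyContinue
Add-Check '5 Break-glass account' ($null -ne $bg -and [bool]$bg.AccountEnabled) "Found=$($null -ne $bg) Enabled=$($bg.AccountEnabled)"

# 6. Security Defaults enforced (IA-2(1))
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Add-Check '6 Security Defaults' ([bool]$sd.IsEnabled) "IsEnabled=$($sd.IsEnabled)"

$results | Format-Table -AutoSize
```

Running the same script before and after the sweep gives the per-control before-and-after record; a control that reports Pass=False after the change is the one to re-check before citing the Secure Score delta.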

What this signals for prospective clients

A prospective client engaging CSG can expect three things from a hardening engagement: framework-mapped control selection, before-and-after measurement against a published index, and per-control reversibility documented in writing. The work in this post is the operator-tenant precedent for the same engagement scoped to a client environment.

Two transparency points belong here. First, Microsoft Secure Score is a vendor-published index, not a NIST or CMMC certification — a client pursuing formal compliance against either framework requires assessor-led work beyond Secure Score. Second, the Microsoft 365 Business Standard SKU has documented control ceilings. Conditional Access, Defender for Business, Microsoft Intune device compliance, and Microsoft Purview Information Protection are not in scope until Business Premium or specific add-on licensing. Where a client’s compliance target requires those controls, the SKU decision precedes the hardening decision and should be surfaced in the engagement scoping conversation.

Schedule a discovery call

If you are responsible for a Microsoft 365 tenant and need a security posture that is framework-mapped, measurable, and operator-validated before it lands in your environment, schedule a thirty-minute discovery call. We will walk through your current Secure Score, the SKU tier your tenant runs on, and the control ceiling that follows from it.
