Greetings, everyone. As cloud security definitely varies by vendor, I'd like to ask about one of the biggest of 'em all: Microsoft 365. I'd like to hear some opinions on due diligence, known pitfalls, or other interesting concerns with a system that essentially places your AD in the cloud... or other interesting stories that you might have which reinforce a set of good security practices.
By the way, we're not in banking or a government subcontractor... but the tide is turning in M365's direction, and we need to start checklisting.
--- Eric Geater, CISSP
I've always said, "There's nothing an agnostic can't do if he really doesn't know whether he believes in anything or not."
Re: Office 365 / Microsoft 365 hardening & security
Depending on your Microsoft 365 license, you can start off by leveraging the existing Microsoft security features you have. For example, Identity Protection, Privileged Identity Management, etc.
Microsoft 365 Security Center and Compliance Center will give a score based on your environment. They also outline tasks that can improve the score. You can use that as a good starting point and gradually improve the security score to enhance your security posture.