365 Multi-Tenant Manager Release on July 14, 2025

Enhancements

A new predefined template has been released in 365 Multi-Tenant Manager for MSPs, offering a comprehensive collection of settings and policies aligned with the NIST Cybersecurity Framework (CSF) 2.0. It enables automated reporting and remediation across core functions, helping organizations enhance their Microsoft 365 security posture, streamline compliance efforts, and stay aligned with industry-recognized cybersecurity standards.

  • The following new predefined settings have been introduced in the predefined settings library:
    • HS-S0102 – Ensure all DLP policies are enabled: Enabling DLP policies alerts users and administrators that specific types of data should not be exposed, helping to protect the data from accidental exposure.
    • HS-S0103 – Ensure Anti-Spam Policy Enforces ZAP features and Thresholds: Ensures the Default Hosted Content Filter Policy is configured with recommended values for ZAP features, spam and phishing actions, quarantine retention, and bulk email thresholds to enforce consistent anti-spam protection across the tenant.
    • HS-S0104 – Ensure Self-Service Sign-Up for guest users is enabled with user flows: Ensures Self-Service Sign-Up is configured for guest users via user flows, validating the state against tenant requirements and enforcing or notifying based on the compliance action.
    • HS-S0105 – Ensure creation of Teams channels are restricted: Enforces a Teams policy that allows or blocks private and shared channel creation to align with your organization's collaboration standards. Applies only to the Global (Org-wide default) policy.
    • HS-S0106 – Ensure Retention Compliance Policy is enabled and configured: This setting checks whether any Microsoft Purview Retention Compliance Policies are configured in your tenant. If no policy exists and the compliance action is set to Enforce, it automatically creates a new policy to ensure mailbox retention standards are applied.
    • HS-S0107 – Ensure only administrators are allowed to create applications: This compliance script ensures that only roles with admin privileges are permitted to create App Registrations and Enterprise Applications within the Microsoft 365 environment.
    • HS-S0108 – Ensure Transport Rule for external sender warnings exists: This setting checks whether an Exchange Online Transport Rule exists that matches a specific mode, sender scope, and subject prepend string used for external sender warnings, and creates it if it is not present when enforcement is enabled.
    • HS-S0109 – Remove disabled users: This setting checks for disabled user accounts in Microsoft Entra ID and, if the compliance action is set to Enforce, removes them; otherwise, it logs them as non-compliant for notification.
  • The following new predefined policies have been introduced in the predefined policies library:
    • HS-P0035 – Require MFA for Entra ID Device Enrollment: This Conditional Access policy enforces multi-factor authentication (MFA) when users attempt to register a device in Microsoft Entra ID.
    • HS-P0036 – Require MFA for Intune Enrollment: This Conditional Access policy requires multi-factor authentication (MFA) for all users attempting to enroll devices through Microsoft Intune by targeting the Intune Enrollment app. Note that if the app (Microsoft Intune Enrollment) is not registered in the tenant, the policy will fail to apply.
    • HS-P0037 – App Protection Policy for iOS – Core Microsoft Apps: This iOS App Protection Policy targets Microsoft 365 apps (including Copilot, Edge, Excel, OneDrive, OneNote, Outlook, PowerPoint, SharePoint, Teams, To Do, and Word) by enforcing encryption, PIN access, and compliance-based restrictions while blocking data backup, clipboard sharing, and unauthorized data transfers to ensure secure handling of corporate information on mobile devices.
    • HS-P0038 – App Protection Policy for Android – Core Microsoft Apps: This Android App Protection Policy targets core Microsoft apps (including Outlook, Teams, OneDrive, SharePoint, Yammer, Power BI, Power Apps, Microsoft Stream, To Do, and Edge) by enforcing encryption, PIN access, and compliance-based access, and by restricting data backup, clipboard sharing, and data transfers to protect corporate data from unauthorized access or leakage.
    • HS-P0039 – macOS Update Policy: This macOS update policy ensures critical updates are installed immediately, while all other update categories follow the system's default behavior, maintaining a continuous update schedule without user deferral.
    • HS-P0040 – Password and Lockout Policy for Windows Devices
    • HS-P0041 – macOS Enhanced Security Device Compliance: Ensures comprehensive security compliance for macOS devices in Microsoft Intune. The policy requires a complex alphanumeric password with a minimum length of 8 characters, expiration every 30 days, a lock after 15 minutes of inactivity, and a history of the last 5 passwords to prevent reuse. The device must have encryption enabled, the firewall activated (excluding block-all mode), and Gatekeeper configured to allow apps only from the Mac App Store and identified developers.
    • HS-P0042 – Windows Update Rings Policy: This Update Ring Policy enforces automatic installation and reboot without user control, applies updates with no deferral, and enables rollback for feature updates using the configured default window.
    • HS-P0043 – Attack Surface Reduction (ASR): This policy is designed to harden security on Windows 10 devices by reducing attack surfaces and preventing unauthorized file modifications and the execution of potentially dangerous files.
    • HS-P0044 – Windows Autopilot Deployment Profile: Windows Autopilot profile for single-user Windows PCs with a streamlined setup experience; privacy settings, EULA, and keyboard selection are hidden, and pre-provisioning is disabled.
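The check-then-remediate pattern described for HS-S0108 (look for an enforced external sender warning transport rule, create it only when the compliance action is Enforce), written here as an added Exchange Online PowerShell example that is not 365 Multi-Tenant Manager's own code. It assumes Connect-ExchangeOnline has already been run, and the rule name and subject prefix are assumed values.

```powershell
# Added example (not 365 Multi-Tenant Manager code): verify, and optionally create,
# the external-sender-warning transport rule that HS-S0108 checks for.
# Assumes Connect-ExchangeOnline has already been run against the target tenant.
# Rule name and subject prefix are assumed values; adjust them to your own standard.

param(
    [string]$RuleName      = 'External Sender Warning',   # assumed rule name
    [string]$SubjectPrefix = '[EXTERNAL] ',               # assumed prepend string
    [switch]$Enforce                                       # mirrors the Enforce compliance action
)

function Test-ExternalSenderWarningRule {
    # Match on the same three attributes the setting describes:
    # mode, sender scope and subject prepend string (and require the rule to be enabled).
    $rules = Get-TransportRule -ResultSize Unlimited
    $match = $rules | Where-Object {
        $_.State -eq 'Enabled' -and
        $_.Mode -eq 'Enforce' -and
        $_.FromScope -eq 'NotInOrganization' -and
        $_.PrependSubject -eq $SubjectPrefix
    }
    return [bool]$match
}

if (Test-ExternalSenderWarningRule) {
    Write-Output "Compliant: an enforced external sender warning rule is present."
}
elseif ($Enforce) {
    # Remediate: create the rule for mail arriving from outside the organization.
    New-TransportRule -Name $RuleName `
        -FromScope NotInOrganization `
        -SentToScope InOrganization `
        -PrependSubject $SubjectPrefix `
        -Mode Enforce `
        -Comments 'Created by HS-S0108-style remediation' | Out-Null
    Write-Output "Remediated: created transport rule '$RuleName'."
}
else {
    # Notify-only behaviour: report non-compliance without changing the tenant.
    Write-Output "Non-compliant: no matching external sender warning rule found."
}
```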
