Microsoft Intune: Implement Microsoft 365 Apps for Enterprise Security Baseline with Settings Catalog


In this article, I’ll show you how to implement the Microsoft 365 Apps for Enterprise Security Baseline with Settings Catalog in Microsoft Intune based on the recommended security baselines by Microsoft.

Most of you know the pre-build Security Baselines available for Windows, Defender for Endpoint, Edge, and Windows 365 in Microsoft Intune. But where is the Security Baseline for Microsoft 365 Apps?

What do we need?

So where do we get those Security Baseline recommendations by Microsoft regarding the Microsoft 365 Apps for Enterprise? Microsoft provided a toolkit called Microsoft Security Compliance Toolkit 1.0 which can be downloaded here.

For this article, I chose Microsoft 365 Apps for Enterprise-2206-FINAL.zip

Microsoft 365 Security Baseline

Once you’ve downloaded the ZIP file, extract it and search for the Excel file named, Microsoft 365 Apps for enterpris 2206.xlsx. This file contains the baselines Microsoft recommends for Microsoft 365 Apps for Enterprise. The current version (during these writings) is v2206, June 2022.

If you open the file you should see 3 sheets (Information, Computer & User). The last two will contain the settings needed to create our Configuration Profile using Settings Catalog. Now in the Computer & User sheet, filter the Area to Security Baseline. You’ll get a list of settings shown below.

Microsoft 365 Security Baseline

Create the Microsoft 365 Apps for Enterprise Security Baseline – Configuration Profile

Go the https://endpoint.microsoft.com => Devices => Configuration profiles and choose + Create profile.
Choose the following and choose Create.

  • Platform: Windows 10 and later
  • Profile type: Settings catalog

Microsoft 365 Security Baseline

In the next screen, you need to give a name and description of the policy and choose Next.

  • Name: Security Baseline – Microsoft 365 Apps for Enterprise – v.2206
  • Description: Security baseline for Microsoft 365 Apps for enterprise (v2206, June 2022)
Microsoft 365 Security Baseline

In the configuration settings, choose + Add settings and search for the settings as described in the Excel file. I always start by searching for the Policy Path (Microsoft Office 2016 as the example shown below)

Microsoft 365 Security Baseline

Once you select a setting it will automatically add in your list, now select all the settings needed and choose the cross button on the top right corner.

After adding all the settings we can configure them as shown in the Security Baseline and choose Next.

NOTE: In this article, I only used a single setting to show how to use the Settings Catalog. Multiple settings are possible, so you can add all those recommended by Microsoft. This all in one policy or multiple policies (per application).

Now go through the Scope Tags and Assignments screens. I’m leaving these blank for now, you can add some of your own later and assign them to your own specific groups. Choose Create and your policy is ready to use.

That’s it, your Microsoft 365 Apps Security Baseline with Settings Catalog is ready for use. As you will see, there are a lot of settings recommended but feel free to choose your own. These are only the recommendation from Microsoft.

Want to use the recommendations by Microsoft, and use an import tool for Microsoft Intune? You can download the JSON file from my Github page here.

I hope you find this article useful! If you are interested in more, feel free to check out my other posts here.

Nicky De Westelinck

Nicky De Westelinck is a Modern Workplace Consultant for Wortell Belgium with several years of experience in Microsoft 365. His main focus is Microsoft EndPoint Manager and Microsoft 365 Administration. He is also a Microsoft Certified Trainer since 2021.

View all posts by Nicky De Westelinck →