The Scenario
A 400-person SA mining company is consolidating to Microsoft 365 from a hybrid Exchange deployment. The CIO wants a tenant that will survive a Big Four audit and meets the company's POPIA obligations. The tenant currently runs at default settings.
The Brief
Design a complete M365 tenant hardening configuration covering identity, conditional access, data protection, and audit. Each control must be justified and traceable to a risk or compliance requirement.
Deliverables
- A conditional access matrix listing each policy (block legacy auth, require MFA, require compliant device, geo-block high-risk countries, session lifetime), the user scope, and the rationale
- A data protection baseline covering: sensitivity labels, DLP policies (POPIA personal data, banking details, ID numbers), retention labels, and encryption defaults
- An audit and monitoring plan covering: unified audit log retention, alerts for high-risk activity, the SOC integration point, and the reporting cadence
- A change rollout sequence ordering the controls (least-disruptive first), with communications and a rollback option per change
Submission Guidance
Tenant hardening fails when every control is switched on at once and legitimate workflows break. Sequence conditional access carefully (report-only before enforcement), confirm that the break-glass accounts are excluded from every policy before it is enabled, and pilot DLP in audit mode before enforcement.
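As an added illustration of the conditional access deliverable and the rollout guidance above (example code written for this page, not part of the brief), the PowerShell below defines the first two matrix entries, block legacy authentication and require MFA, as Microsoft Graph conditional access policy objects in report-only state with a break-glass group excluded, then runs a pre-flight check that refuses to submit any policy that is not report-only or does not exclude that group. It assumes the Microsoft.Graph PowerShell module; the group object ID and the policy names are placeholders.

```powershell
# Added example, not the brief's own material. Assumes the Microsoft.Graph
# PowerShell module. $BreakGlassGroupId is a placeholder for a hypothetical
# "CA-Exclude-BreakGlass" security group holding the emergency-access accounts.
param(
    [string]$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000",  # placeholder
    [switch]$Apply   # without -Apply nothing is written to the tenant
)

$ReportOnly = "enabledForReportingButNotEnforced"

# CA001: block legacy authentication. In Graph terms, legacy auth is the
# clientAppTypes "exchangeActiveSync" and "other" (everything not modern auth).
$BlockLegacyAuth = @{
    displayName   = "CA001 - Block legacy authentication"
    state         = $ReportOnly
    conditions    = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# CA002: require MFA for all users on all cloud apps.
$RequireMfa = @{
    displayName   = "CA002 - Require MFA for all users"
    state         = $ReportOnly
    conditions    = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Pre-flight: every policy must start in report-only mode and must exclude
# the break-glass group, otherwise a mistake can lock every admin out.
function Test-CaPolicyBaseline {
    param([hashtable]$Policy, [string]$BreakGlassGroup)
    $problems = @()
    if ($Policy.state -ne "enabledForReportingButNotEnforced") {
        $problems += "state is '$($Policy.state)'; pilot in report-only first"
    }
    $excluded = @($Policy.conditions.users.excludeGroups)
    if ($excluded -notcontains $BreakGlassGroup) {
        $problems += "break-glass group is not excluded"
    }
    return ,$problems
}

$policies = @($BlockLegacyAuth, $RequireMfa)
$failed = $false
foreach ($p in $policies) {
    $issues = @(Test-CaPolicyBaseline -Policy $p -BreakGlassGroup $BreakGlassGroupId)
    if ($issues.Count -gt 0) {
        $failed = $true
        Write-Warning "$($p.displayName): $($issues -join '; ')"
    } else {
        Write-Host "$($p.displayName): pre-flight OK"
    }
}

if ($failed) { throw "Fix the policies above before applying." }

if ($Apply) {
    # Only reached when the pre-flight passed. Policies land in report-only
    # state; switch each to "enabled" by hand after reviewing sign-in logs.
    Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"
    foreach ($p in $policies) {
        New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Out-Null
        Write-Host "Created (report-only): $($p.displayName)"
    }
} else {
    Write-Host "Dry run only; re-run with -Apply to create the policies in report-only mode."
}
```

Run it once without -Apply to see the pre-flight result, then with -Apply to create the policies. Because the state is report-only, nothing is blocked until you flip each policy to enabled, which is the rollback-friendly sequencing the brief asks for: the same script, with the group ID removed from either policy, will refuse to apply anything.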