Pragmatic Controls

Focus on visibility first, then guardrails. Make the secure path the easiest path.

Discovery & Inventory

Catalog apps via identity logs, expense reports, DNS, or secure proxies. Start a living register.
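As an added example (not code from the original page), the script below turns an identity-log export into the kind of living register this card describes: it parses sign-in events, aggregates them per application (distinct users, sign-in count, first and last seen) and compares the result with a sanctioned-app catalog so unsanctioned apps with real adoption surface for review. The sample records are constructed to resemble Entra ID sign-in log entries (field names follow that schema; every value is invented), and the sanctioned catalog is an assumption.

```python
"""Build a living SaaS register from identity sign-in logs.

Added example, not from the page. The records below are constructed to
resemble Entra ID sign-in log entries (appDisplayName, userPrincipalName,
createdDateTime, ipAddress); the values are invented.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample: a JSON Lines export of sign-in events.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime": "2024-03-01T08:02:11Z", "appDisplayName": "Microsoft Teams", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10"}
{"createdDateTime": "2024-03-01T09:15:40Z", "appDisplayName": "NotesNinja", "userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.11"}
{"createdDateTime": "2024-03-02T10:01:05Z", "appDisplayName": "NotesNinja", "userPrincipalName": "carol@contoso.example", "ipAddress": "203.0.113.12"}
{"createdDateTime": "2024-03-03T11:22:00Z", "appDisplayName": "Microsoft Teams", "userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.11"}
{"createdDateTime": "2024-03-04T12:00:00Z", "appDisplayName": "NotesNinja", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10"}
{"createdDateTime": "2024-03-05T13:30:00Z", "appDisplayName": "FileBlaster", "userPrincipalName": "dave@contoso.example", "ipAddress": "203.0.113.13"}
"""

# Constructed: the sanctioned SaaS catalog (assumed; see control 10 below).
SANCTIONED_APPS = {"Microsoft Teams", "SharePoint Online", "Exchange Online"}


@dataclass
class AppEntry:
    """One row of the register."""
    name: str
    first_seen: datetime
    last_seen: datetime
    users: set = field(default_factory=set)
    sign_ins: int = 0
    sanctioned: bool = False


def parse_signin_log(text):
    """Yield event dicts from a JSON Lines export, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a damaged export line should not abort the whole run


def build_register(events, sanctioned):
    """Aggregate events per application and mark each app as sanctioned or not."""
    register = {}
    for ev in events:
        app = ev.get("appDisplayName")
        user = ev.get("userPrincipalName")
        when = ev.get("createdDateTime")
        if not (app and user and when):
            continue  # incomplete record; cannot be attributed to an app/user
        ts = datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ")
        entry = register.get(app)
        if entry is None:
            entry = AppEntry(app, ts, ts, sanctioned=app in sanctioned)
            register[app] = entry
        entry.first_seen = min(entry.first_seen, ts)
        entry.last_seen = max(entry.last_seen, ts)
        entry.users.add(user)
        entry.sign_ins += 1
    return register


def shadow_apps(register, min_users=2):
    """Unsanctioned apps used by at least min_users distinct people, sorted by name."""
    return sorted(e.name for e in register.values()
                  if not e.sanctioned and len(e.users) >= min_users)


if __name__ == "__main__":
    reg = build_register(parse_signin_log(SAMPLE_SIGNIN_LOG), SANCTIONED_APPS)
    for e in sorted(reg.values(), key=lambda x: x.name):
        print(f"{e.name:16} users={len(e.users)} sign_ins={e.sign_ins} "
              f"first={e.first_seen:%Y-%m-%d} last={e.last_seen:%Y-%m-%d} "
              f"sanctioned={e.sanctioned}")
    print("review:", shadow_apps(reg))
```

The `min_users` threshold keeps one-off trials out of the review queue; raise it as the register matures. Feed the same register from expense-report vendor names or proxy/DNS destinations by adapting `parse_signin_log` to that source, keeping `build_register` as the single aggregation point.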

SSO & MFA by Default

Centralize access in your IdP. Enforce MFA and lifecycle (join, move, leave).

App Governance

Review OAuth permissions, browser extensions, data egress. Approve patterns, not one-offs.

DLP & Sensitivity Labels

Protect data in sanctioned apps. Block risky destinations, watermark where needed.

Lightweight Policy

Clear rules: what's allowed, how to request exceptions, approved alternatives, DPAs (data processing agreements).

Training & Nudges

Short guidance in-context (wiki, Teams posts). Reward secure choices.

Playbooks

Baseline Controls

Start with these. Keep them small, testable, and phased. Link each to change tickets and owners.

1. Disable user consent; enable admin consent workflow
   Route app approvals through admins; stop ad-hoc OAuth.
   Docs: Configure user consent; Admin consent workflow

2. Require compliant devices (Conditional Access) for Microsoft 365
   Gate SharePoint/Teams/Exchange behind Intune compliance.
   Docs: Require device compliance (CA)

3. Block external auto-forward; DLP baseline for Exchange/SharePoint/OneDrive
   Stop silent exfiltration; detect risky content.
   Docs: Block external auto-forward; Purview DLP for Exchange

4. Apply sensitivity labels; enable auto-label where feasible (Purview)
   Encrypt by data class and keep control after sharing.
   Docs: Sensitivity labels overview; Auto-label policies

5. Managed browser with extension allow-list (Edge/Chrome via Intune)
   Harden the browser; remove risky extensions.
   Docs: Manage Edge extensions; ExtensionInstallAllowlist policy

6. Guest sponsor + expiry ≤ 365 days; run periodic access reviews
   Owner accountability and automatic clean-up.
   Docs: Guest access reviews; Set expiry via entitlement mgmt

7. SharePoint external sharing default = Specific people
   No public links by default; narrow recipients.
   Docs: Change default link type; Tenant sharing settings

8. Access reviews for high-scope enterprise apps in Entra ID
   Re-certify who can use powerful app permissions.
   Docs: Access reviews overview; Review app permissions

9. CASB sanction/unsanction apps; monitor uploads to personal cloud
   Prefer approved apps; watch for shadow SaaS.
   Docs: Sanction/unsanction apps; Control uploads (session)

10. Publish a sanctioned SaaS catalog + fast request workflow
    Make the secure path the easy path.
    Docs: Create catalogs (Entitlement mgmt); Request access (My Access)
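Control 3 above blocks external auto-forwarding; the check below, an added example rather than code from the page, is the verification step that goes with it: given an export of inbox rules and mailbox forwarding settings, it reports every forward, redirect or forward-as-attachment whose target is outside the tenant's accepted domains, so a "block" change ticket can be closed with evidence that no stale rules remain. The records are constructed to mirror the fields Exchange Online exposes for inbox rules (Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo) and for mailbox forwarding (ForwardingSmtpAddress, DeliverToMailboxAndForward); the address strings use the display form Exchange emits, and the accepted-domain list and all values are assumptions.

```python
"""Flag inbox rules and mailbox settings that forward mail outside the tenant.

Added example, not from the page. Field names follow Exchange Online's
inbox-rule and mailbox objects; the records and domains are constructed.
"""
import re

# Constructed: the tenant's accepted domains (assumed).
INTERNAL_DOMAINS = {"contoso.example", "mail.contoso.example"}

# Pulls bare addresses out of display forms such as '"Bob" [SMTP:bob@x.example]'
# or 'smtp:bob@x.example'.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample of inbox rules across several mailboxes.
SAMPLE_RULES = [
    {"Mailbox": "alice@contoso.example", "Name": "Archive newsletters", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": [], "RedirectTo": []},
    {"Mailbox": "bob@contoso.example", "Name": ".", "Enabled": True,
     "ForwardTo": ['"bob home" [SMTP:bob.personal@webmail.example]'],
     "ForwardAsAttachmentTo": [], "RedirectTo": []},
    {"Mailbox": "carol@contoso.example", "Name": "To finance", "Enabled": True,
     "ForwardTo": ["finance@contoso.example"], "ForwardAsAttachmentTo": [], "RedirectTo": []},
    {"Mailbox": "dave@contoso.example", "Name": "old", "Enabled": False,
     "ForwardTo": [], "ForwardAsAttachmentTo": [], "RedirectTo": ["dave@exfil.example"]},
]

# Constructed sample of mailbox-level forwarding settings.
SAMPLE_MAILBOXES = [
    {"UserPrincipalName": "erin@contoso.example",
     "ForwardingSmtpAddress": "smtp:erin@outside.example", "DeliverToMailboxAndForward": True},
    {"UserPrincipalName": "frank@contoso.example",
     "ForwardingSmtpAddress": None, "DeliverToMailboxAndForward": False},
]


def is_external(address, internal_domains):
    """True when the address's domain is not one of the tenant's accepted domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in internal_domains}


def external_targets(values, internal_domains):
    """Extract every external address from a list of recipient display strings."""
    found = []
    for value in values:
        for addr in EMAIL_RE.findall(value or ""):
            if is_external(addr, internal_domains):
                found.append(addr.lower())
    return found


def find_external_forwards(rules, mailboxes, internal_domains):
    """Return one finding per external target.

    Disabled rules are reported too: the control blocks the pattern, and a
    disabled rule can be re-enabled without leaving a new-rule audit event.
    """
    findings = []
    for rule in rules:
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            for target in external_targets(rule.get(key) or [], internal_domains):
                findings.append({"mailbox": rule["Mailbox"],
                                 "source": f"rule:{rule['Name']}:{key}",
                                 "target": target, "enabled": bool(rule.get("Enabled"))})
    for mb in mailboxes:
        fwd = mb.get("ForwardingSmtpAddress")
        for target in external_targets([fwd] if fwd else [], internal_domains):
            findings.append({"mailbox": mb["UserPrincipalName"],
                             "source": "mailbox:ForwardingSmtpAddress",
                             "target": target, "enabled": True})
    return findings


if __name__ == "__main__":
    for f in find_external_forwards(SAMPLE_RULES, SAMPLE_MAILBOXES, INTERNAL_DOMAINS):
        print(f"{f['mailbox']:24} {f['source']:40} -> {f['target']} enabled={f['enabled']}")
```

Run it against a fresh export after the block is applied and again on a schedule; an empty result is the evidence to attach to the change ticket, and any non-empty result names the mailbox owner to contact. Rules with single-character names such as "." are a recognised sign of a rule someone did not want noticed, which is why the finding carries the rule name.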

Control Bundles

Concrete prevention patterns mapped to Microsoft.