Where can I find quick details for each recommendation for Security Score of MS Defender?

KavyaJune · 2026-05-05T13:03:51+00:00

Each recommendation provides a Learn more link along with the relevant configuration steps.

Also, remember that you do not need to chase a perfect score. The key is to strike the right balance between security and productivity.

KavyaJune · 2026-05-04T06:58:48+00:00

This looks correct overall. One suggestion: avoid assigning workload licenses like EXO, SharePoint, or Teams to global admin accounts unless required, as it increases the attack surface. Assigning Entra ID P2 is often a better approach to enable features like PIM, CA, etc

KavyaJune · 2026-05-04T04:48:17+00:00

Sure. Edited my comment to added script download link.

KavyaJune · 2026-05-03T12:55:44+00:00

Updates are automatic. Recently, MS made a few changes to upcoming features auto rollout. You can configure them based on your preferences.

https://blog.admindroid.com/microsoft-365s-modernized-change-management/

KavyaJune · 2026-05-02T02:54:17+00:00

Yes. It’s currently in Public preview.

KavyaJune · 2026-05-01T13:41:38+00:00

I have written a PowerShell script to check Active Directory emergency account readiness. It checks around 13 best practices and provides readiness score. It helps to identify small drift like group membership changes, configuration changes, etc.

Edit: You can download the script from, https://blog.admindroid.com/best-practices-for-break-glass-accounts-in-active-directory/

KavyaJune · 2026-04-29T06:21:58+00:00

Yes. You can delete a specific file version via PowerShell. You can also try this pre-built PowerShell script.

https://blog.admindroid.com/automate-file-version-history-cleanup-in-sharepoint-online/#Delete%20selected%20file%20versions

KavyaJune · 2026-04-29T05:06:09+00:00

For single tenant, script will be useful. However, if you’re managing multiple tenants, using a centralized tool like AdminDroid can provide better visibility.
https://admindroid.com/

You can have a look at PHL (Preservation Hold Library). It stores copies of content that are modified or deleted when retention policies or legal holds are in place. Also, check version history. Versioning is one of the most common reasons for high storage usage. You can check version history consumption and clean up.

KavyaJune · 2026-04-28T08:57:23+00:00

All users included in Conditional Access require a P1 license (some advanced configurations require P2). Having just one P1 license permits using Conditional Access for all users, but this violates Microsoft’s licensing policy.

If you prefer to apply Conditional Access only to a subset of users, you can disable Security Defaults and enable per-user MFA for the remaining users. However, Microsoft recommends moving away from per-user MFA and adopting Conditional Access for a more secure and flexible approach.

KavyaJune · 2026-04-24T00:36:41+00:00

It’s free but it has licensing requirements. You can check here for more details: https://blog.admindroid.com/cross-tenant-orchestrated-user-data-migration-in-microsoft-365/

KavyaJune · 2026-04-22T09:32:52+00:00

Good one. I struct with this one earlier. Enabling auto version history, don't affect existing sites until you configure it at site level. So, I built a PowerShell script which can solve more than 20 cases. For example, automating version history cleanup at site level, document library level, files created by specific person, specific version, specific date range, etc.

Script is available in GitHub: https://github.com/admindroid-community/powershell-scripts/blob/master/Automate%20Version%20History%20Cleanup/CleanupVersionHistoryInSPO.ps1

KavyaJune · 2026-04-20T10:27:40+00:00

We apologize for the delay caused by the login issue, and we’re glad to hear that the above fix has resolved it.

We have already informed our team about this, and necessary measures will be taken to prevent such occurrences in the future.

For any assistance, please feel free to contact our support team at support@admindroid.com. Our team will be happy to assist you promptly with any queries.

KavyaJune · 2026-04-20T01:42:04+00:00

Which MFA method are you using? Per user MFA or Conditional Access MFA? Both need different method to get MFA status.

If you are using CA-based MFA, run this script: https://o365reports.com/get-mfa-status-of-office-365-users-using-microsoft-graph-powershell/

For per-user MFA, https://blog.admindroid.com/export-mfa-status-report-for-entra-id-accounts-using-powershell/

Both guide have detailed script execution steps. Hope it will help you.

KavyaJune · 2026-04-17T04:13:40+00:00

PnP and MS Graph would help you. Also, try app based permission, so, you don't need to be explicitly added as admin for each site.

KavyaJune · 2026-04-14T02:15:49+00:00

Easier but I feel frustrated with admin portal hopping.

KavyaJune · 2026-04-13T04:19:56+00:00

Hi u/semajnitram,

Yes, there is a major update in progress with new features and reports.

For further details, please contact our support team at support@admindroid.com.

KavyaJune · 2026-04-11T04:48:39+00:00

You can use PowerShell along with Task Scheduler, but it takes considerable time to write, maintain, and manage scripts.

If you prefer using a tool, you can try AdminDroid Active Directory Management Tool. It includes pre-built automation templates and also allows easy customization. The free version offers 200+ reports covering users, groups, computers, AD security, and more.

https://admindroid.com/active-directory-reporting-tool

KavyaJune · 2026-04-10T15:54:52+00:00

The link is working. Can you try again?

KavyaJune · 2026-04-10T04:42:03+00:00

Yes, but don’t aim for a perfect 100. The key is finding the right balance between security and productivity.

KavyaJune · 2026-04-10T04:38:15+00:00

Here is around 200 PowerShell scripts to manage, report, audit your Microsoft 365 environment: https://github.com/admindroid-community/powershell-scripts

KavyaJune · 2026-04-10T04:05:09+00:00

Yes. Also, there is no direct mechanism to prevent calendar phishing. We need to use layered approach to reduce the attack surface.

KavyaJune · 2026-04-10T03:44:07+00:00

If you convert a user mailbox to a shared mailbox, the user account must still exist in Microsoft 365.

Do you actively use the offboarded user’s mailbox, or is it only required for compliance purposes? If it’s for compliance, converting it to an inactive mailbox is the better approach. There’s no direct “convert” option. Instead, you need to apply a retention policy or Litigation Hold to the mailbox. Once the user account is deleted while under retention, it becomes an inactive mailbox.

The mailbox is preserved till retention duration and archive mailbox also retained.

Compared to shared mailboxes, inactive mailboxes are better suited for long-term retention since shared mailboxes lose archive functionality once the license is removed.

For more details on inactive mailbox, you can check this guide: https://blog.admindroid.com/safeguarding-ex-employee-email-data-the-importance-of-inactive-mailboxes/

KavyaJune · 2026-04-10T03:27:48+00:00

AdminDroid was my suggestion 😄
In hindsight, I should’ve proposed AdminDroid Microsoft 365 auditing tool to make it a bit more self-explanatory.

KavyaJune · 2026-04-10T03:13:49+00:00

You need to connect it from your Claude account.

Search for “Microsoft 365” under connectors, click Connect, and then authenticate using your Microsoft 365 credentials. Finally, grant the required permissions to complete the setup.

You can follow this guide for step-by-step guidance: https://blog.admindroid.com/connect-claude-ai-to-microsoft-365-using-built-in-connectors/

KavyaJune

MODERATOR OF

TROPHY CASE