Microsoft 365 Hardening for the Showroom

If fraud hits a dealership, it usually walks in through email. One spoofed “urgent wire” to the Controller or a compromised Sales Manager inbox that forwards quotes to a Gmail, and you’re cleaning up for weeks. The fastest way to cut this risk is to harden Microsoft 365 with a few settings that fit how a dealership works.

Note: Practical guidance, not legal advice. Align with your cyber insurer and OEM requirements.

What “good” looks like for a dealership

  • MFA on every mailbox, with stricter rules for executives, Controllers, and any admin accounts
  • Conditional Access policies that block risky sign-ins, legacy/basic auth, and unknown countries
  • Auto-forward to external domains blocked for everyone except a named break-glass list
  • Alerting on new inbox rules and impossible travel
  • Separation of duties: no one uses an admin account for daily email
  • Quarterly evidence snapshots for your QI scorecard

15-minute quick wins to deploy today

  1. Turn on MFA for all users
    Enforce MFA organization-wide. Require it immediately for executives, Controller/AP, and anyone with DMS/CRM admin rights.
  2. Block legacy authentication
    Legacy protocols let attackers bypass MFA. Disable POP/IMAP/SMTP AUTH unless a specific device truly requires it.
  3. Stop auto-forward to external addresses
    Create a transport rule to block forwarding to external domains. Allow only a tiny, documented exception list.
  4. Add an external sender tag
    Label external emails clearly so sales and F&I can spot look-alike domains.
  5. Require the Report Phish button
    Add the Microsoft 365 “Report Message/Phish” add-in and train staff to use it.

The five Conditional Access policies that matter

Policy 1: Require MFA for all cloud apps

  • Users: All users (exclude break-glass)
  • Cloud apps: All
  • Conditions: None
  • Grant: Require MFA

Policy 2: Block legacy authentication

  • Users: All users
  • Conditions: Client apps = Other clients (legacy)
  • Grant: Block access

Policy 3: Require compliant or hybrid-joined devices for admins

  • Users: Roles = Global Admin, Exchange Admin, Security Admin, SharePoint Admin
  • Conditions: Device platform = Any
  • Grant: Require device to be marked compliant OR hybrid Azure AD joined, plus MFA

Policy 4: Restrict sign-ins by location

  • Users: All users (exclude service accounts and break-glass)
  • Conditions: Named locations = Allow US/Canada only (adjust to your footprint); block others
  • Grant: Block access

Policy 5: Elevate protection for high-risk users

  • Users: Controller/AP, Dealer Principal, CFO, QI
  • Conditions: Sign-in risk = Medium and above
  • Grant: Require password change + MFA, or block until reviewed
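Policy 2 above, expressed with the Microsoft Graph PowerShell SDK as an added example (not part of the original article). It assumes the Microsoft.Graph module is installed, the signed-in admin has the Policy.ReadWrite.ConditionalAccess permission, and a break-glass group whose ID is a placeholder; the policy starts in report-only mode so service PCs still on POP/IMAP show up in the sign-in logs before anything is enforced.

```powershell
# Added example: create "Policy 2: Block legacy authentication" via Microsoft Graph.
# Assumes the Microsoft.Graph module and Policy.ReadWrite.ConditionalAccess rights.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the break-glass group the article keeps out of CA policies.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA02 - Block legacy authentication"
    # Report-only first: review sign-in logs for legacy clients, then set to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        # "other" is the legacy/basic-auth client category (POP, IMAP, SMTP AUTH,
        # older Office); Exchange ActiveSync is included because it can carry basic auth.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm the policy exists and check its state before switching it to "enabled".
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State |
    Sort-Object DisplayName
```

Export the output of the last command to PDF for the "Five Conditional Access policies enabled" line of the QI scorecard.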

Dealer-ready Exchange Online settings

Auto-forward block

  • Mail flow rule: If message type is auto-forward to external domain, reject with explanation
  • Exceptions: none by default; add named exceptions only with QI approval

Inbox-rule alerting

  • Turn on alert policies for “Creation of forwarding/redirect rules” and “Inbox rules that delete or move messages”
  • Daily digest to QI and IT support

Spoof/impersonation protection

  • Enable anti-impersonation for Dealer Principal, Controller, CFO, HR, and your domain
  • Add look-alike domain protection for common vendor and lender domains

External banner

  • Prepend subject or header: “[External]”
  • Add a short footer line: “Verify bank changes by callback. Do not trust email instructions.”
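The auto-forward block and the external banner from this section, as an added Exchange Online PowerShell example (not the article's own configuration). It assumes the ExchangeOnlineManagement module, an account with the Exchange Administrator role, and a QI-approved exception group whose address is a placeholder.

```powershell
# Added example: auto-forward block, outbound forwarding off, and external banner.
# Assumes the ExchangeOnlineManagement module and Exchange Administrator rights.
Connect-ExchangeOnline

# Placeholder: the distribution group holding the QI-approved forwarding exceptions.
$exceptionGroup = "qi-approved-forwarding@dealer.example"

# 1. Reject auto-forwards addressed outside the organization, with an explanation,
#    unless the sender is in the named exception group.
New-TransportRule -Name "Block auto-forward to external domains" `
    -MessageTypeMatches AutoForward `
    -SentToScope NotInOrganization `
    -ExceptIfFromMemberOf $exceptionGroup `
    -RejectMessageReasonText "Auto-forwarding outside the dealership is blocked. Contact IT for a QI-approved exception." `
    -Priority 0 `
    -Mode Enforce

# 2. Also turn off automatic forwarding in the outbound spam filter policy, so
#    both Outlook forward rules and mailbox-level forwarding are covered.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 3. External banner: tag the subject and append the callback footer to mail
#    that arrives from outside and is delivered inside the organization.
New-TransportRule -Name "Tag external mail" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject "[External] " `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText "<p>Verify bank changes by callback. Do not trust email instructions.</p>" `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Enforce

# Evidence for the scorecard: rule names, state and priority.
Get-TransportRule | Format-Table Name, State, Priority -AutoSize
```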

Shared mailboxes and departments

BDC and internet leads

  • Use shared mailboxes (e.g., internet@) with named user access, not shared passwords
  • Enforce MFA per user; disable sign-in on the mailbox object

F&I

  • Prohibit storing driver’s licenses or credit apps in email. Route to approved systems only
  • Block PST export permissions except for QI-approved roles

Service advisors

  • Require the Report Phish add-in; pin it to the ribbon
  • Disable third-party mail add-ins unless approved

Controller’s anti-wire-fraud bundle (copy/paste)

  • Auto-forward blocked to external domains
  • External banner enabled
  • Alert when new inbox rules are created
  • Dual control enforced in AP; vendor-master callback policy on file
  • Quarterly sample of Controller/AP inbox rules and sign-ins reviewed by QI
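The quarterly inbox-rule and sign-in review in the last bullet, and the inbox-rule alerting described earlier, as an added Exchange Online PowerShell example (not from the article). It assumes the ExchangeOnlineManagement module, Exchange Administrator rights, unified audit logging enabled, and the constructed mailbox addresses below as placeholders for the Controller/AP accounts.

```powershell
# Added example: list forwarding/redirect/delete/move inbox rules on the
# Controller/AP mailboxes and pull recent rule-change audit events for QI review.
# Assumes the ExchangeOnlineManagement module and Exchange Administrator rights.
Connect-ExchangeOnline

# Placeholders for the mailboxes in the review sample.
$reviewMailboxes = @("controller@dealer.example", "ap@dealer.example")

$findings = foreach ($mbx in $reviewMailboxes) {
    Get-InboxRule -Mailbox $mbx | ForEach-Object {
        $flags = @()
        if ($_.ForwardTo -or $_.ForwardAsAttachmentTo) { $flags += "forwards" }
        if ($_.RedirectTo)                              { $flags += "redirects" }
        if ($_.DeleteMessage)                           { $flags += "deletes" }
        if ($_.MoveToFolder)                            { $flags += "moves to '$($_.MoveToFolder)'" }
        if ($flags.Count -gt 0) {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                Where-Object { $_ }
            [pscustomobject]@{
                Mailbox  = $mbx
                Rule     = $_.Name
                Enabled  = $_.Enabled
                Behavior = $flags -join ", "
                Targets  = $targets -join "; "
            }
        }
    }
}

# Review on screen, then export for the QI evidence folder.
$findings | Sort-Object Mailbox, Rule | Format-Table -AutoSize
$findings | Export-Csv -Path ".\InboxRuleReview-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation

# Who created or changed rules on these mailboxes in the last quarter.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -UserIds $reviewMailboxes `
    -Operations "New-InboxRule", "Set-InboxRule", "UpdateInboxRules" `
    -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations |
    Format-Table -AutoSize
```

Any rule that forwards or redirects to an address outside the dealership, or that deletes mail the user did not ask to be deleted, is the item QI signs off on or has removed.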

Hardening checklist for your QI scorecard

  • MFA coverage 100 percent (screenshot of policy)
  • Legacy auth disabled tenant-wide (screenshot)
  • Five Conditional Access policies enabled (exports)
  • Auto-forward block rule in place (screenshot)
  • Alert policies for inbox rules and impossible travel (screenshot)
  • Admin roles separated from daily accounts (list of admin roles; proof of PIM if used)
  • Quarterly access review completed (export from Entra/Azure AD)
  • Phishing failure rate under 4 percent with coaching notes

“Show me” evidence you can capture in under an hour

  • Export Conditional Access policy list to PDF
  • Screenshot of Security defaults or custom MFA policies
  • Screenshot of legacy auth sign-in attempts trending to zero
  • Mail flow rule screenshot blocking auto-forward
  • Alert policy configuration and a sample alert email
  • Admin role assignments export
  • Phish simulation report with store-level results

Common dealership gotchas and fixes

Gotcha: Service PCs using POP/IMAP that break when legacy auth is blocked
Fix: Move to Modern Auth or service accounts with app-specific tokens; document exceptions with end date

Gotcha: Shared “F&I Admin” mailbox with password taped under the keyboard
Fix: Convert to shared mailbox with named user access; disable direct sign-in; enforce MFA on users

Gotcha: Executives skipping MFA on new phones
Fix: Use number matching in the Authenticator app and register at least two methods per user

Gotcha: Vendor field techs with persistent admin access
Fix: Create time-bound guest access via PIM; require MFA and restrict to specific apps

30-day rollout plan across multiple rooftops

Week 1

  • Enable MFA tenant-wide; create break-glass account with strong controls
  • Block legacy auth; monitor sign-in logs

Week 2

  • Deploy five Conditional Access policies; pilot on HQ users first
  • Turn on inbox-rule and impossible-travel alerts; add external banner

Week 3

  • Create auto-forward block rule; collect exceptions with QI sign-off
  • Enforce admin role separation and PIM (Privileged Identity Management) if available

Week 4

  • Run a phishing simulation and 15-minute coaching at each store
  • Package screenshots and exports into the Safeguards evidence folder

Quick training script managers can read at the sales tower

“Two rules: 1) If an email changes payment instructions, stop and call the vendor using the number in the vendor master. 2) If you weren’t expecting a link or attachment, click Report Phish. IT would rather check ten false alarms than miss one real one.”

FAQ

Can we skip Conditional Access if we have MFA?
No. MFA alone won’t stop legacy protocols or risky locations. Conditional Access is how you enforce the guardrails.

Will blocking auto-forward break lender notices?
It might for a few edge cases. Use an exception group approved by the QI. Default should be “block.”

Do shared mailboxes need MFA?
The mailbox object doesn’t, but every user who accesses it does. Use named accounts only.

Still Need Help?

Want a fill-in-the-blank Microsoft 365 hardening pack with screenshots, policy text, and an evidence checklist? Contact us and we can help you bring your tenant up to this standard.
