Hardening Office 365 security

A couple easy ways to harden Office 365 security:

Here are a couple of messy notes on client access rules. We are trying to limit access to legacy e-mail accounts, i.e., accounts used by MFP printers or by devices that send notifications but do not support Modern Authentication. Most MFP printers (Canon, HP, Xerox) built before 2017 probably do not support Modern Authentication. A key sign that a device uses Modern Authentication is that it opens a browser window for the username and password rather than a Windows pop-up box.
Create a priority-1 rule to allow remote PowerShell access first, so that a later deny rule cannot lock administrators out (valid -Action values are AllowAccess and DenyAccess):

New-ClientAccessRule -Name AllowRemotePS -Action AllowAccess -AnyOfProtocols RemotePowerShell -Priority 1

1) Identify clients that do not support Modern Authentication, e.g., smtp.utility@mydomain.com
2) Pick a user field to filter on, e.g., Department, a custom attribute, or Company, and set it to 'SMTP' for those accounts
3) Create a new client access rule that applies only to that field (-Name is required, BlockLegacySMTP is a placeholder; New-ClientAccessRule takes the IP list directly, the @{Add=...} form is for Set-ClientAccessRule):

New-ClientAccessRule -Name BlockLegacySMTP -Enabled $true -Action DenyAccess -UserRecipientFilter "Department -eq 'SMTP'" -ExceptAnyOfClientIPAddressesOrRanges 1.1.1.1,2.2.2.2

4) Test the new rule with Test-ClientAccessRule
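Steps 1 to 4 as one repeatable script, added here as an example and not part of the original notes. It assumes the ExchangeOnlineManagement module is installed; the account address is the one above, while the printer IP ranges, rule names and the outside test address are constructed placeholders.

```powershell
# Added example (not the author's script): lock a legacy basic-auth sender account
# down to the addresses its printers send from, then simulate connections.
$legacyUser    = 'smtp.utility@mydomain.com'        # legacy account from the notes
$printerIPs    = @('203.0.113.10', '203.0.113.0/28') # constructed: where the MFPs connect from
$allowRuleName = 'Always Allow Remote PowerShell'    # constructed rule name
$denyRuleName  = 'Block SMTP accounts outside printer ranges'  # constructed rule name

Connect-ExchangeOnline

# Step 0: guarantee admins can never be locked out of remote PowerShell.
# Priority 1 is evaluated first; AllowAccess/DenyAccess are the valid -Action values.
if (-not (Get-ClientAccessRule -Identity $allowRuleName -ErrorAction SilentlyContinue)) {
    New-ClientAccessRule -Name $allowRuleName -Action AllowAccess `
        -AnyOfProtocols RemotePowerShell -Priority 1
}

# Steps 1-2: tag the legacy account so the rule's recipient filter can select it.
Set-User -Identity $legacyUser -Department 'SMTP'

# Step 3: deny every covered protocol for tagged accounts unless the connection
# comes from a printer address. New-* takes a plain list; @{Add=...} is for Set-*.
New-ClientAccessRule -Name $denyRuleName -Enabled $true -Action DenyAccess `
    -UserRecipientFilter "Department -eq 'SMTP'" `
    -ExceptAnyOfClientIPAddressesOrRanges $printerIPs

# Step 4: simulate connections before trusting the rule. IMAP4 is used because
# SMTP submission is not among the protocols Client Access Rules evaluate.
# Expect the deny rule to match from the outside address only.
foreach ($addr in '198.51.100.7', '203.0.113.10') {
    Write-Host "--- Basic-auth IMAP4 from $addr ---"
    Test-ClientAccessRule -User $legacyUser -RemoteAddress $addr -RemotePort 993 `
        -Protocol IMAP4 -AuthenticationType BasicAuthentication |
        Format-Table Name, Action
}
```

Because the deny rule is scoped by -UserRecipientFilter, only the tagged accounts are affected; still, run the test block from both addresses before relying on the rule.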
More PowerShell Exchange fun!
Here are the connection cmdlets you should have run before starting (each comes from its own module):
1) Connect-MsolService
2) Connect-ExchangeOnline
3) Connect-AzureAD

1) Enable Modern Authentication (removes the need for older, more vulnerable protocols)
2) Enable Client Access Rules (limit access to apps based on location)
3) Configure an AuthenticationPolicy (block older protocols)
Consider enabling the policy and rules using these commands. First check the current settings:
Get-OrganizationConfig
Then run the following command to enable modern authentication connections to Exchange Online by Outlook 2013 or later clients (the parameter is OAuth2ClientProfileEnabled):

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

I am using the Microsoft.Exchange.Management.ExoPowershellModule Module on my test tenant.
Authentication Policies and Client Access Rules:

NAME
    Set-AuthenticationPolicy
SYNTAX
    Set-AuthenticationPolicy [-Identity] <AuthPolicyIdParameter> [-AllowBasicAuthActiveSync] [-AllowBasicAuthAutodiscover] [-AllowBasicAuthImap] [-AllowBasicAuthMapi]
    [-AllowBasicAuthOfflineAddressBook] [-AllowBasicAuthOutlookService] [-AllowBasicAuthPop] [-AllowBasicAuthPowershell] [-AllowBasicAuthReportingWebServices] [-AllowBasicAuthRpc]
    [-AllowBasicAuthSmtp] [-AllowBasicAuthWebServices] [-DomainController <Fqdn>] [-ProxyToMailbox <MailboxIdParameter>] [-ProxyToServer <string>] [-WhatIf] [-Confirm] [-Name <string>]
    [<CommonParameters>]
NAME
    Set-ClientAccessRule
SYNOPSIS
    This cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.
    Use the Set-ClientAccessRule cmdlet to modify existing client access rules. Client access rules help you control access to your organization based on the properties of the connection.
    For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax (https://technet.microsoft.com/library/bb123552.aspx).
    -------------------------- Example 1 --------------------------
    Set-ClientAccessRule "Allow IMAP4" -AnyOfClientIPAddressesOrRanges @{Add="172.17.17.27/16"}
    This example adds the IP address range 172.17.17.27/16 to the existing client access rule named Allow IMAP4 without affecting the existing IP address values.

Client Access Rules apply to everybody in your tenant, so be careful when setting them. A rule can also take a while to apply, so give it at least an hour before deciding it is not working.
Client Access Rules provide a solid way to limit who can access e-mail, the administrator portals, and remote PowerShell. None of this is enabled by default, so tighten your security to be safe.
Tips:
Useful commands for listing rules and filtering users:

Get-ClientAccessRule

(list current rules).

Get-User -Filter "Department -eq 'IT'"

(filter by field Department)

Set-User Username -Department IT

(set the department for this user)

Set-ClientAccessRule -Identity ITPolicy -UserRecipientFilter "Department -eq 'IT'"
Set-ClientAccessRule -Identity ITPolicy -UserRecipientFilter "Department -ne 'IT'" -Action DenyAccess -AnyOfProtocols "RemotePowerShell","ExchangeAdminCenter"

Configure rules based on IP addresses. This is perfect for older mailboxes that need to send mail but do not support Modern Authentication, which is common with internal printers. Set-ClientAccessRule needs the -Identity of the rule to modify:

Set-ClientAccessRule -Identity <RuleName> -ExceptAnyOfClientIPAddressesOrRanges @{Add="50.34.200.0/24"}


Here are the types of access you can allow or deny:

-AnyOfProtocols
The AnyOfProtocols parameter specifies a condition for the client access rule that's based on the client's protocol.
Valid values for this parameter are:
  • ExchangeActiveSync
  • ExchangeAdminCenter
  • ExchangeWebServices
  • IMAP4
  • OfflineAddressBook
  • OutlookAnywhere
  • OutlookWebApp
  • POP3
  • PowerShellWebServices
  • RemotePowerShell
  • REST
  • UniversalOutlook (Mail and Calendar app)