
Took a morning bath, walked, made lunch — Claude hardened our Microsoft 365 in 5 rounds

2026-05-10 / Vol 7 / Draft at time of publication

One sentence to Claude in the morning: "I want to audit Intune and security, and fix what needs fixing." That was it.
Meanwhile, I did chores, took a long bath, went for a walk, came back, made lunch, ate it.
By the time I sat down to write this, our Microsoft 365 tenant had been hardened across 5 rounds. Now I'm writing this with a cup of tea.


"Mostly automated" finally landed as a felt experience

From Vol 1 through Vol 6, even when I asked Claude for help, the mode was always "instruct and watch." Read the proposal, decide myself, copy-paste, paste the result back, repeat.

Today (Vol 7) was different. I just said "audit comprehensively and improve" and Claude structured the audit scope itself, drove my browser, and only stopped to ask for approval when it needed me. My contribution was OAuth approvals and the occasional "go ahead."

This was a qualitative shift in the relationship. I'd already experienced Claude operating my browser back in Vol 6, but this was the first time I tried the mode where "Claude designs the task itself, runs the audit, and applies the fixes."

What I was doing during all this

・morning, brewed coffee, threw the request at Claude
・did chores
・soaked in the bath
・went for a walk
・came back and made lunch
・ate
・now sitting here writing this

Occasionally I'd peek at progress on my phone. If something errored, I'd reload the tab. That was the extent of it.

What Claude did, in 5 rounds

Reconstructing afterwards, this is what happened.

Round 1: Break Glass account hardening
Finished off the emergency admin account I'd started yesterday. Created a dedicated security group "Break Glass Accounts," added the emergency account to it, and laid the groundwork for excluding it from CA policies.

Round 2: CA policy review and authentication methods cleanup
Applied the Break Glass group exclusion to 4 admin-targeted CA policies in one pass. Migrated the Phishing-resistant CA from per-user exclusions to group exclusion for cleanliness. Audited the new Authentication Methods framework and enabled Microsoft Authenticator and FIDO2, getting ahead of the legacy MFA policy retirement (2025-09-30).

Round 3: Working through high / medium / low priority items
Removed my daily admin from the Block-legacy-auth exclusion (A). Reviewed Email OTP (B). Tightened SharePoint sharing defaults (C: default link to "people in your org," default access to "view," 90-day expiry). Added Intune iOS / Android compliance policies (D). Created a compliance-required CA in Report-only mode (E). Verified the Windows Security Baseline (G — already deployed to all 4 devices).
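The Round 2 exclusion work and the Round 3 Report-only policy both boil down to one question a tenant admin will want to re-ask later: does every enabled Conditional Access policy still exclude the Break Glass group, and which policies are still only reporting? The script below is an added example, not code from the post or from Claude's session; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can read CA policies and groups, and the group name "Break Glass Accounts" is the one the post uses.

```powershell
# Added example (not from the post): audit Conditional Access policies for the
# Break Glass group exclusion and list each policy's enforcement state.
# Assumes the Microsoft.Graph PowerShell SDK and read access to policies/groups.
Connect-MgGraph -Scopes "Policy.Read.All", "Group.Read.All" -NoWelcome

$groupName = "Break Glass Accounts"   # group name from the post
$bg = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $bg) { throw "Group '$groupName' not found" }

$policies = Get-MgIdentityConditionalAccessPolicy -All
$report = foreach ($p in $policies) {
    [pscustomobject]@{
        Policy             = $p.DisplayName
        # enabled / disabled / enabledForReportingButNotEnforced (Report-only)
        State              = $p.State
        BreakGlassExcluded = ($p.Conditions.Users.ExcludeGroups -contains $bg.Id)
        # per-user exclusions left over from before the group migration
        PerUserExclusions  = ($p.Conditions.Users.ExcludeUsers | Measure-Object).Count
    }
}

$report | Sort-Object State, Policy | Format-Table -AutoSize

# An enabled policy with no Break Glass exclusion is a lockout risk; review these first.
$report | Where-Object { $_.State -eq 'enabled' -and -not $_.BreakGlassExcluded }
```

Running this before and after a change gives a before/after record of exactly the kind the post relies on ("I can reconstruct what changed later"), and the PerUserExclusions column shows whether any policy still carries the old per-user exclusions the post migrated away from.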

Round 4: Comprehensive audit of Intune and security
Cross-checked 13 areas: antivirus, disk encryption (BitLocker), firewall, EDR, ASR, account protection, 14 configuration profiles, devices (6 total, all compliant), Defender for Endpoint advanced features (all on), app protection, tenant settings, audit logs, and the Defender XDR dashboard (0% non-compliant). Better shape than I'd expected.
The one weak spot found: Defender for Office 365's "Standard preset security policy" was off, so Claude turned it on. That brings phishing / spam / malware protection into Microsoft's recommended baseline in one move.

Round 5: Polishing the medium / low items
Added myself as a protected user in impersonation protection (so phishing emails pretending to be me get caught). Created a custom Safe Attachments policy that blocks unknown malware-laden attachments (with quarantine visible only to mail admins). Extended audit log retention from 90 days to 1 year. Investigated 4 errors that had been showing on the Security Baseline and confirmed they were false positives (all 354 individual settings actually succeeded).

Everything got rolled out to all 6 devices, automatically

Our environment has 4 Windows machines, an iPad, and an Android phone — 6 devices in Intune. None of today's changes (whether tenant-wide email policies or device-targeted policies) required any manual per-device work.

Just to be sure, I checked Defender XDR → 5 devices onboarded to endpoint protection (the Android is covered via Mobile App Protection), and zero unmanaged devices on the network.

Before I could even ask "do I need to do anything on the devices?", Claude had already told me: "It'll apply at next check-in. Maximum 8 hours, usually within 1 hour." The answer arrived before the question — that started happening more often.
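"It'll apply at next check-in" is true, but the way to know it actually happened is to look at each device's last sync time and compliance state rather than waiting out the 8-hour window. The script below is an added example, not something from the post; it assumes the Microsoft Graph PowerShell SDK and a signed-in account that can read Intune managed devices, and the 8-hour threshold is simply the check-in maximum the post quotes.

```powershell
# Added example (not from the post): list Intune-managed devices with compliance
# state and last check-in, to confirm a new policy has had a chance to reach them.
# Assumes the Microsoft.Graph PowerShell SDK and read access to managed devices.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

$staleAfterHours = 8   # the post's "maximum 8 hours" check-in window
$cutoff = (Get-Date).ToUniversalTime().AddHours(-$staleAfterHours)

Get-MgDeviceManagementManagedDevice -All |
    Select-Object DeviceName, OperatingSystem, ComplianceState, LastSyncDateTime,
        @{ n = 'CheckedInRecently'; e = { $_.LastSyncDateTime -ge $cutoff } } |
    Sort-Object LastSyncDateTime |
    Format-Table -AutoSize
```

A device that shows CheckedInRecently as False has not yet pulled the new policies, so its ComplianceState still reflects the old configuration; that is the one to sync manually (or just wait for) before trusting the "all compliant" number in the dashboard.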

The fear part, for honesty's sake

Honestly: knowing that tenant-wide settings were being rewritten one after another while I dozed in the bath is a little unsettling.

What kept the fear manageable:

・Claude explicitly stops at the boundaries it won't cross (OAuth approval, password entry, license purchases, cost decisions) and hands them to me
・The compliance-required CA was started in Report-only mode (no actual blocking yet)
・The Break Glass account was already in place (I can recover even if I lock myself out)
・Every step gets documented (I can reconstruct "what changed" later)

Those four things together make "delegating" possible. If even one were missing, I don't think I'd hand over this much density.

What "getting used to Claude" actually means

Looking back from Vol 1, there were probably 4 stages:

1. Read the proposal, implement it myself (Vol 1–3)
2. Get proposals plus copy-paste assistance, implement (Vol 4–5)
3. Let Claude drive the browser, I just approve (Vol 6)
4. Just say "audit and improve," and Claude designs the workflow too (Vol 7)

Stage 4 feels qualitatively different from Stage 3. The shift, in words: "the task design itself can be handed over." Not the how, but the what.

This isn't universal. Today worked because Microsoft 365 is a domain Claude knows the shape of — the world's documentation is dense, the patterns are well-established. If I tried "comprehensively improve" on karaha.org's photo consent system in the same delegating mode, the result would be different (that's a system unique to us, so Claude has to guess more, and my judgment is needed more often).

What's left

・Decision on buying FIDO2 security keys
・Cost-benefit evaluation for Entra ID Premium P2
・karaha.org's Cloudinary auto-deletion (carried over from Vol 6)
・Switching the compliance-required CA from Report-only to enforcement (after 1–2 weeks of observation)

These are "human-judgment" calls, so Claude parked them. I'll pick them up after they've ripened in my head.

Next

Vol 8 is likely the operational round I'd parked from Vol 6: actually adding members to the roster and sending the first batch of invitation emails. That's the real production moment for karaha.org.
Or it might be the round where I extract today's Microsoft 365 hardening into a template other small organizations can use. There's a feeling that, via esynet.jp, this could be deployed to similarly-sized small orgs.

Either way, probably written sometime next week. That's enough for today. I'm going to brew some tea.