How to Secure Your Microsoft 365 Tenant in 10 Essential Steps

Microsoft 365 tenants are constantly targeted by phishing, credential theft, and business email compromise. This guide covers 10 essential security steps every IT admin should implement - from basic MFA to advanced threat protection - with clear instructions and best practices.

The Problem

Microsoft 365 has become the backbone of modern business productivity. With over 400 million paid seats worldwide, it's also one of the most targeted platforms by cybercriminals.

Business Email Compromise (BEC), phishing attacks, and credential theft targeting Microsoft 365 cost organizations billions annually. The good news? Most attacks exploit misconfigurations and missing security controls that can be fixed without additional licensing costs.

This guide presents 10 essential steps to secure your Microsoft 365 tenant, ordered by priority and impact. Whether you're managing a small business tenant or an enterprise environment, these configurations form the foundation of a solid security posture.

Prerequisites:

  • Global Administrator or Security Administrator access
  • Microsoft 365 Business Basic/Standard/Premium or Enterprise E3/E5
  • Some features require specific licenses (noted where applicable)

Step-by-Step Guide

01

Enable Security Defaults or Conditional Access

Security Defaults is Microsoft's baseline security configuration, available for free on all tenants. It enforces MFA for all users and blocks legacy authentication protocols.

When to Use Security Defaults

Security Defaults is ideal for small organizations without Entra ID P1/P2 licenses. It provides:

  • MFA registration required for all users
  • MFA challenged when necessary (risk-based)
  • Legacy authentication blocked
  • Privileged actions require MFA

How to Enable Security Defaults

  1. Go to Microsoft Entra admin center > Identity > Overview > Properties
  2. Click Manage security defaults
  3. Set Security defaults to Enabled
  4. Click Save

When to Use Conditional Access Instead

If you have Entra ID P1 or P2 licenses, Conditional Access policies offer more granular control:

  • Require MFA for specific apps or user groups
  • Block access from specific countries
  • Require compliant devices
  • Implement risk-based policies

Important: Security Defaults and Conditional Access are mutually exclusive. Disable Security Defaults before creating Conditional Access policies.

02

Enforce Multi-Factor Authentication for All Users

MFA is the single most effective control against account compromise. Microsoft reports that MFA blocks 99.9% of automated attacks.

Recommended MFA Methods (Ranked by Security)

  1. FIDO2 security keys – Phishing-resistant, hardware-based
  2. Windows Hello for Business – Phishing-resistant, biometric
  3. Microsoft Authenticator (passwordless) – Push notifications with number matching
  4. Microsoft Authenticator (verification code) – Time-based codes
  5. SMS/Voice – Least secure, vulnerable to SIM swapping

Configure MFA via Conditional Access

Create a policy requiring MFA for all users:

  1. Go to Entra admin center > Protection > Conditional Access
  2. Click + Create new policy
  3. Name: Require MFA for all users
  4. Users: All users (exclude break-glass accounts)
  5. Target resources: All cloud apps
  6. Grant: Require multifactor authentication
  7. Enable policy: On

Critical: Create Break-Glass Accounts

Before enforcing MFA everywhere, create 2 emergency access accounts:

  • Cloud-only accounts (not synced from AD)
  • Excluded from ALL Conditional Access policies
  • Strong 16+ character passwords stored securely offline
  • Monitor sign-ins with alerts

03

Disable Legacy Authentication

Legacy authentication protocols (IMAP, POP3, SMTP AUTH, older Office clients) don't support MFA, making them prime targets for password spray attacks.

Block Legacy Auth via Conditional Access

  1. Go to Entra admin center > Protection > Conditional Access
  2. Create new policy named "Block legacy authentication"
  3. Users: All users
  4. Target resources: All cloud apps
  5. Conditions > Client apps: Select only:
    • Exchange ActiveSync clients
    • Other clients
  6. Grant: Block access
  7. Enable policy: On

Verify Legacy Auth is Blocked

Check sign-in logs for legacy authentication attempts:

  1. Go to Entra admin center > Monitoring > Sign-in logs
  2. Add filter: Client app contains "Other clients" or "Exchange ActiveSync"
  3. Review any remaining legacy auth sign-ins
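
The same check from the command line, as an added example that is not part of the original article: it pulls the last seven days of sign-ins through Microsoft Graph PowerShell and groups the legacy-protocol attempts by user and client app, so you can see which ones still succeed and which the policy already blocks. Reading sign-in logs through Graph assumes an Entra ID P1/P2 licence and the Microsoft.Graph module.

```powershell
# Added example (not from the original article): list legacy-authentication
# sign-ins from the last 7 days to verify the "Block legacy authentication" policy.
# Assumes the Microsoft.Graph PowerShell SDK; the signIns endpoint needs Entra ID P1/P2.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# Client apps that use modern authentication; anything else is treated as legacy,
# matching the "Exchange ActiveSync clients" + "Other clients" CA condition.
$modernClients = @('Browser', 'Mobile Apps and Desktop clients')

$since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"

$legacy = $signIns | Where-Object { $_.ClientAppUsed -notin $modernClients }

# ErrorCode 0 = the legacy sign-in succeeded (policy not yet effective for that
# user/protocol); 53003 = blocked by Conditional Access.
$legacy |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        [pscustomobject]@{
            User        = $_.Group[0].UserPrincipalName
            ClientApp   = $_.Group[0].ClientAppUsed
            Attempts    = $_.Count
            Succeeded   = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            BlockedByCA = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 53003 }).Count
            LastSeen    = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
        }
    } |
    Sort-Object Succeeded -Descending |
    Format-Table -AutoSize
```

Rows with a non-zero Succeeded count are the users and protocols (often a scanner, line-of-business app or old mail client) that must be migrated before the policy is switched from report-only to enforced.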

04

Configure Admin Account Protection

Administrative accounts are high-value targets. Compromising a Global Admin means full tenant control.

Implement Privileged Identity Management (PIM)

With Entra ID P2, use PIM to provide just-in-time admin access:

  1. Go to Entra admin center > Identity Governance > Privileged Identity Management
  2. Click Microsoft Entra roles
  3. For each admin role, configure:
    • Activation maximum duration: 4-8 hours
    • Require MFA on activation: Yes
    • Require justification: Yes
    • Require approval: Yes (for Global Admin)

Admin Account Best Practices

  • Dedicated admin accounts: Separate from daily-use accounts
  • No email on admin accounts: Reduces phishing risk
  • Cloud-only admin accounts: Not synced from on-premises AD
  • Named accounts: No shared admin credentials
  • Regular access reviews: Quarterly minimum

Protect Global Admins with Stricter Policies

Create a Conditional Access policy for admins:

  • Require phishing-resistant MFA (FIDO2 or WHfB)
  • Require compliant/hybrid joined device
  • Block access from non-trusted locations
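
The three Conditional Access policies from Steps 2, 3 and 4 (MFA for everyone, block legacy authentication, phishing-resistant MFA for admins) as one Microsoft Graph PowerShell script. This is an added example, not code from the original article; the break-glass object IDs are placeholders, the admin role template IDs are the well-known Global Administrator and Privileged Role Administrator templates, and the policies are created in report-only mode so their impact can be reviewed in the sign-in logs first.

```powershell
# Added example (not from the original article): creates the Conditional Access
# policies from Steps 2-4 with Microsoft Graph PowerShell, in report-only mode.
# Placeholder: $breakGlassIds holds the object IDs of your two break-glass accounts.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassIds = @('<break-glass-1-object-id>', '<break-glass-2-object-id>')

# Built-in "Phishing-resistant MFA" authentication strength (FIDO2, Windows Hello for Business, CBA)
$phishResistant = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object DisplayName -eq 'Phishing-resistant MFA'

# Role template IDs: Global Administrator, Privileged Role Administrator
$adminRoles = @('62e90394-69f5-4237-9190-012177145e10', 'e8611ab8-c189-46e8-94e1-60213ab1f814')

# Every policy targets all cloud apps and excludes the break-glass accounts.
function New-CaPolicy($name, $users, $extraConditions, $grant) {
    $conditions = @{ users = $users; applications = @{ includeApplications = @('All') } }
    $conditions += $extraConditions
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $name
        state         = 'enabledForReportingButNotEnforced'   # set to 'enabled' after reviewing impact
        conditions    = $conditions
        grantControls = $grant
    }
}

$allUsers = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }

# Step 2: require MFA for all users
New-CaPolicy 'Require MFA for all users' $allUsers @{} @{ operator = 'OR'; builtInControls = @('mfa') }

# Step 3: block Exchange ActiveSync and "other clients" (legacy protocols)
New-CaPolicy 'Block legacy authentication' $allUsers `
    @{ clientAppTypes = @('exchangeActiveSync', 'other') } `
    @{ operator = 'OR'; builtInControls = @('block') }

# Step 4: phishing-resistant MFA for privileged roles
New-CaPolicy 'Require phishing-resistant MFA for admins' `
    @{ includeRoles = $adminRoles; excludeUsers = $breakGlassIds } @{} `
    @{ operator = 'OR'; authenticationStrength = @{ id = $phishResistant.Id } }

# Confirm the three policies exist in report-only state
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State | Format-Table -AutoSize
```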

05

Configure Microsoft Defender for Office 365

Defender for Office 365 (included in M365 Business Premium and E5, or available as add-on) provides advanced threat protection for email and collaboration tools.

Enable Preset Security Policies

Microsoft offers preset policies optimized for most organizations:

  1. Go to Microsoft Defender portal > Email & collaboration > Policies & rules
  2. Click Threat policies > Preset Security Policies
  3. Enable Standard protection for all users
  4. Enable Strict protection for executives and sensitive roles

Configure Safe Attachments

Safe Attachments detonates suspicious attachments in a sandbox:

  1. Go to Threat policies > Safe Attachments
  2. Create or edit policy:
    • Action: Dynamic Delivery (recommended) or Block
    • Enable Safe Attachments for SharePoint, OneDrive, and Teams: Yes
    • Enable Safe Documents: Yes (E5)

Configure Safe Links

Safe Links rewrites URLs and checks them at click time:

  1. Go to Threat policies > Safe Links
  2. Create or edit policy:
    • On: Safe Links checks URLs when users click: Yes
    • Apply Safe Links to messages sent within organization: Yes
    • Do not track when users click: No
    • Do not let users click through: Yes

Enable Anti-Phishing Policies

  1. Go to Threat policies > Anti-phishing
  2. Enable impersonation protection for:
    • Users: Add executives and finance team
    • Domains: Your verified domains + partners
  3. Set Mailbox intelligence: On
  4. Set Spoof intelligence: On

06

Configure Exchange Online Protection

Even without Defender for Office 365, Exchange Online Protection (EOP) provides baseline email security included in all plans.

Review and Tighten Anti-Spam Policies

  1. Go to Defender portal > Threat policies > Anti-spam
  2. Edit the default inbound policy:
    • Bulk email threshold: 5-6 (stricter)
    • Spam action: Move to Junk Email folder
    • High confidence spam: Quarantine
    • Phishing: Quarantine
    • High confidence phishing: Quarantine with no user access

Configure Outbound Spam Policy

Prevent your tenant from being used for spam:

  1. Edit outbound spam filter policy
  2. Set Sending limits:
    • External recipients per hour: 500
    • Internal recipients per hour: 1000
    • Daily recipient limit: 1000
  3. Automatic forwarding: Automatic - System controlled (blocks external forwarding)

Enable Enhanced Filtering for Connectors

If you use a third-party email gateway in front of Exchange Online, enable Enhanced Filtering so that EOP evaluates the original sender IP instead of the gateway's IP:

  1. Go to Mail flow > Connectors
  2. Edit your inbound connector
  3. Enable Enhanced Filtering and add gateway IPs
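
The Step 6 settings applied with Exchange Online PowerShell, as an added example that is not part of the original article. The connector name and the gateway IPs (RFC 5737 documentation addresses) are placeholders for your own environment; the quarantine tag AdminOnlyAccessPolicy is the built-in quarantine policy that gives users no access to quarantined mail.

```powershell
# Added example (not from the original article): apply the Step 6 EOP settings
# with the ExchangeOnlineManagement module. Connector name and IPs are placeholders.
Connect-ExchangeOnline

# Inbound anti-spam (default policy): stricter bulk threshold, quarantine phishing,
# and no user access to high-confidence phishing quarantine
Set-HostedContentFilterPolicy -Identity 'Default' `
    -BulkThreshold 6 `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -PhishSpamAction Quarantine `
    -HighConfidencePhishAction Quarantine `
    -HighConfidencePhishQuarantineTag 'AdminOnlyAccessPolicy'

# Outbound spam: recipient rate limits, system-controlled automatic forwarding
Set-HostedOutboundSpamFilterPolicy -Identity 'Default' `
    -RecipientLimitExternalPerHour 500 `
    -RecipientLimitInternalPerHour 1000 `
    -RecipientLimitPerDay 1000 `
    -AutoForwardingMode Automatic

# Enhanced Filtering for Connectors: tell EOP to skip the gateway's IPs so that
# spoof intelligence, SPF and spam verdicts use the true originating IP
Set-InboundConnector -Identity 'Third-party gateway' `
    -EFSkipLastIP $false `
    -EFSkipIPs '203.0.113.10', '203.0.113.11' `
    -EFUsers $null                               # $null = apply to all recipients

# Verify the resulting settings
Get-HostedContentFilterPolicy -Identity 'Default' |
    Select-Object BulkThreshold, SpamAction, HighConfidenceSpamAction,
                  PhishSpamAction, HighConfidencePhishAction, HighConfidencePhishQuarantineTag
Get-HostedOutboundSpamFilterPolicy -Identity 'Default' |
    Select-Object RecipientLimitExternalPerHour, RecipientLimitInternalPerHour,
                  RecipientLimitPerDay, AutoForwardingMode
```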

07

Implement Data Loss Prevention (DLP)

DLP policies prevent sensitive information from leaving your organization through email, Teams, SharePoint, and OneDrive.

Create DLP Policies for Sensitive Data

  1. Go to Microsoft Purview > Data loss prevention > Policies
  2. Click + Create policy
  3. Start with built-in templates:
    • Financial data (credit card numbers, bank accounts)
    • PII (Social Security numbers, passport numbers)
    • Health records (HIPAA)
  4. Configure actions:
    • Low volume: Show policy tip to user
    • High volume: Block and notify admin

DLP Policy Tips Configuration

Policy tips warn users before they share sensitive content:

  1. In your DLP policy, enable User notifications
  2. Customize the policy tip message
  3. Enable User overrides with business justification (optional)

Extend DLP to Endpoints

With Microsoft 365 E5 or E5 Compliance, extend DLP to Windows endpoints:

  1. Go to Purview > Data loss prevention > Endpoint DLP settings
  2. Enable endpoint DLP
  3. Onboard devices via Intune or Group Policy

08

Enable Unified Audit Log and Alerts

You can't protect what you can't see. The unified audit log captures activities across all Microsoft 365 services.

Verify Audit Log is Enabled

Auditing is enabled by default on new tenants, but verify:

  1. Go to Purview > Audit
  2. If you see "Start recording user and admin activity," click it
  3. Allow 24-48 hours for logs to populate

Configure Critical Alerts

Set up alerts for suspicious activities:

  1. Go to Purview > Audit > Alert policies
  2. Review and enable default policies:
    • Creation of forwarding/redirect rule
    • eDiscovery search started or exported
    • Elevation of Exchange admin privilege
    • User restricted from sending email
  3. Create custom alerts for:
    • Admin role changes
    • Consent granted to application
    • External sharing enabled
    • Mailbox delegation added

Set Audit Log Retention

Default retention is 180 days (E3) or 365 days (E5). For longer retention:

  1. Use Audit retention policies in Purview (E5)
  2. Or export logs to SIEM/Log Analytics for long-term storage
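
Detection logic for the first default alert in Step 8 (creation of a forwarding or redirect rule), as an added example that is not part of the original article. It parses unified audit log records for inbox-rule and mailbox changes that forward or redirect mail; the sample record is constructed so the parser can be tried without a tenant, and the Search-UnifiedAuditLog call at the end feeds it real records from Exchange Online PowerShell.

```powershell
# Added example (not from the original article): find audit records where an inbox
# rule or mailbox setting forwards/redirects mail. Sample record below is constructed.
$fwdParams = @('ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo',
               'ForwardingSmtpAddress', 'ForwardingAddress')

function Get-ForwardingRuleEvents {
    param([Parameter(ValueFromPipeline)] [string]$AuditData)
    process {
        $e   = $AuditData | ConvertFrom-Json
        $fwd = $e.Parameters | Where-Object Name -in $fwdParams
        if ($fwd) {
            [pscustomobject]@{
                Time      = $e.CreationTime
                Actor     = $e.UserId
                Operation = $e.Operation
                Mailbox   = $e.ObjectId
                Targets   = ($fwd | ForEach-Object Value) -join '; '
                ClientIP  = $e.ClientIP
            }
        }
    }
}

# Constructed sample: shape of an Exchange "New-InboxRule" unified audit log entry
$sample = @'
{"CreationTime":"2025-01-15T08:41:12","Operation":"New-InboxRule","UserId":"jdoe@contoso.example",
 "ObjectId":"jdoe@contoso.example\\Invoices","ClientIP":"198.51.100.23",
 "Parameters":[{"Name":"Name","Value":"Invoices"},
               {"Name":"ForwardTo","Value":"billing@external-mailbox.example"},
               {"Name":"DeleteMessage","Value":"True"}]}
'@
$sample | Get-ForwardingRuleEvents | Format-List

# Live query: rule creation/changes and mailbox forwarding changes in the last 7 days
Connect-ExchangeOnline
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox' -ResultSize 5000 |
    ForEach-Object AuditData |
    Get-ForwardingRuleEvents |
    Format-Table -AutoSize
```

Rules that forward externally and also delete the original (DeleteMessage set, as in the sample) are the pattern to triage first, since they hide the mailbox owner's view of the traffic.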

09

Secure SharePoint and OneDrive Sharing

Overly permissive sharing settings are a common source of data leaks.

Configure Sharing Settings

  1. Go to SharePoint admin center > Policies > Sharing
  2. Set external sharing levels:
    • SharePoint: New and existing guests (or stricter)
    • OneDrive: Same or more restrictive than SharePoint
  3. Configure advanced settings:
    • Limit external sharing by domain: Add allowed/blocked domains
    • Guests must sign in: Yes
    • Allow guests to share items they don't own: No
    • Guest access expires automatically: 30-90 days

Restrict "Anyone" Links

"Anyone" links allow access without authentication:

  1. Set Anyone link expiration: 7-30 days maximum
  2. Set Anyone link permissions: View only
  3. Consider disabling "Anyone" links entirely for sensitive sites

Configure Site-Level Sharing

For sensitive sites, override tenant defaults:

  1. Go to SharePoint admin center > Active sites
  2. Select the site > Policies > External sharing
  3. Set to "Only people in your organization" for confidential content
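
The Step 9 tenant and site-level sharing settings as a SharePoint Online Management Shell script, an added example that is not part of the original article. The tenant admin URL, the allowed partner domain and the confidential site URL are placeholders.

```powershell
# Added example (not from the original article): apply the Step 9 sharing settings
# with the Microsoft.Online.SharePoint.PowerShell module. URLs/domains are placeholders.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$tenantSettings = @{
    SharingCapability                 = 'ExternalUserSharingOnly'          # new and existing guests; no "Anyone" links
    OneDriveSharingCapability         = 'ExistingExternalUserSharingOnly'  # OneDrive stricter than SharePoint
    SharingDomainRestrictionMode      = 'AllowList'                        # limit external sharing by domain
    SharingAllowedDomainList          = 'partner.example'
    PreventExternalUsersFromResharing = $true                              # guests cannot share items they don't own
    ExternalUserExpirationRequired    = $true                              # guest access expires automatically
    ExternalUserExpireInDays          = 60
    DefaultSharingLinkType            = 'Internal'                         # new links default to people in the org
}
Set-SPOTenant @tenantSettings

# If "Anyone" links are kept (SharingCapability ExternalUserAndGuestSharing), limit them instead:
# Set-SPOTenant -RequireAnonymousLinksExpireInDays 14 -FileAnonymousLinkType View -FolderAnonymousLinkType View

# Site-level override for confidential content: only people in the organization
$confidentialSite = 'https://contoso.sharepoint.com/sites/Finance'
Set-SPOSite -Identity $confidentialSite -SharingCapability Disabled

# Verify tenant defaults and the site override
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability,
                              SharingDomainRestrictionMode, ExternalUserExpireInDays,
                              PreventExternalUsersFromResharing, DefaultSharingLinkType
Get-SPOSite -Identity $confidentialSite | Select-Object Url, SharingCapability
```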

10

Review and Harden Application Consent

Malicious OAuth applications are an increasingly popular attack vector. Users can unknowingly grant apps access to their mailbox, files, and more.

Configure User Consent Settings

  1. Go to Entra admin center > Applications > Consent and permissions
  2. Under User consent settings, choose:
    • Do not allow user consent (strictest)
    • Or Allow user consent for apps from verified publishers (balanced)
  3. Enable Admin consent workflow so users can request apps

Review Existing App Permissions

Audit applications already granted access:

  1. Go to Entra admin center > Applications > Enterprise applications
  2. Click Admin consent requests to review pending requests
  3. Filter by Permission classifications to find high-privilege apps
  4. Review User consent for each app
  5. Revoke access for suspicious or unused applications

Block Risky OAuth Permissions

Consider blocking consent for high-risk permissions:

  • Mail.ReadWrite (full mailbox access)
  • Files.ReadWrite.All (all OneDrive/SharePoint files)
  • Directory.ReadWrite.All (modify directory)
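
A review script covering both "Review Existing App Permissions" and "Block Risky OAuth Permissions", as an added example that is not part of the original article. It enumerates every delegated OAuth grant in the tenant with Microsoft Graph PowerShell, resolves the client and resource names, and flags grants that include the three high-risk scopes listed above (extend $riskyScopes as your own review dictates).

```powershell
# Added example (not from the original article): enumerate delegated OAuth grants and
# flag the high-risk scopes from Step 10. Assumes the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Directory.Read.All', 'DelegatedPermissionGrant.Read.All'

$riskyScopes = @('Mail.ReadWrite', 'Files.ReadWrite.All', 'Directory.ReadWrite.All')

# Resolve each service principal's display name once
$spNames = @{}
function Resolve-SpName($id) {
    if (-not $spNames.ContainsKey($id)) {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $id -ErrorAction SilentlyContinue
        $spNames[$id] = if ($sp) { $sp.DisplayName } else { "<deleted: $id>" }
    }
    $spNames[$id]
}

$report = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $scopes    = @($_.Scope -split ' ' | Where-Object { $_ })
    $hits      = @($scopes | Where-Object { $_ -in $riskyScopes })
    # ConsentType AllPrincipals = admin consented for the whole tenant; Principal = one user
    $grantedTo = if ($_.PrincipalId) { $_.PrincipalId } else { 'all users' }
    [pscustomobject]@{
        App         = Resolve-SpName $_.ClientId
        Resource    = Resolve-SpName $_.ResourceId
        ConsentType = $_.ConsentType
        GrantedTo   = $grantedTo
        RiskyScopes = $hits -join ' '
        ScopeCount  = $scopes.Count
        GrantId     = $_.Id
    }
}

# High-risk grants first. Revoke unused or unknown ones with:
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
$report | Where-Object RiskyScopes | Sort-Object ConsentType, App | Format-Table -AutoSize
```

Tenant-wide (AllPrincipals) grants carrying any of these scopes deserve the closest look, because a single admin consent exposes every mailbox or file in the organization to that application.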

How It Works

Securing a Microsoft 365 tenant is not a one-time project but an ongoing process. The 10 steps in this guide address the most critical attack vectors and provide a solid security foundation.

Priority order for implementation:

  1. MFA and Security Defaults/Conditional Access
  2. Disable legacy authentication
  3. Admin account protection
  4. Email security (Defender/EOP)
  5. Audit logging and alerts
  6. Sharing and data protection

Review your security posture quarterly using Secure Score and stay updated on new threats and features.

Frequently Asked Questions

Yes. Security Defaults, EOP, basic audit logging, and sharing controls are included in all plans. However, features like Conditional Access, Defender for Office 365, and PIM require premium licenses (Entra ID P1/P2, M365 Business Premium, or E5).

Security Defaults is a free, all-or-nothing baseline that enforces MFA and blocks legacy auth. Conditional Access (requires Entra ID P1+) allows granular policies based on user, device, location, risk level, and app. You cannot use both simultaneously.

Basic configurations (Steps 1-3) can be completed in a few hours. Full implementation including DLP, advanced threat protection, and application governance typically takes 2-4 weeks for proper planning and rollout.

Service accounts should use modern authentication methods like managed identities, certificate-based auth, or service principals with secrets - not interactive MFA. Exclude true service accounts from MFA policies but monitor them closely.

Enable MFA immediately. Security Defaults is free and can be activated in minutes. This single step prevents the vast majority of account compromise attacks.

Perform a comprehensive review quarterly. Additionally, review your Secure Score monthly, check admin role assignments monthly, and audit OAuth apps and external sharing bi-weekly.