Securing Microsoft 365 for Your Organization

Michael Sintim-Koree · April 2026

Microsoft 365 is the most targeted productivity platform in the SMB market. The platform has solid security tooling built in. The problem is most tenants ship with defaults that favor ease of adoption over security, and most organizations never revisit them.

The result is a tenant that looks locked down on the surface and is wide open underneath.

Here’s what I’ve seen separate the tenants that get through it from the ones that don’t.


Start with identity, not features

The majority of M365 incidents start the same way: a credential gets compromised, legacy authentication bypasses MFA, and the attacker is in. Everything else is noise until you fix this.

Two things to do before anything else. First: block legacy authentication protocols: IMAP, POP3, SMTP AUTH, and Exchange ActiveSync with basic auth. These protocols can’t complete modern authentication challenges, which means they route around MFA entirely. A Conditional Access policy that blocks legacy auth closes that gap; there’s no good reason to leave it open.

Second: enable MFA for every account, not just admins. “We’ll roll it out to the rest next quarter” is how breaches happen this quarter. The Microsoft Authenticator app with number matching is the right baseline. If the organization genuinely can’t absorb that friction right now, push for at least SMS. It’s weaker than TOTP, but it’s better than a password alone.


Conditional Access is your policy engine

Conditional Access is where M365’s security model gets real. It’s a set of policies you maintain and update as the organization changes, not a one-time toggle. Start with the basics and enforce them consistently.

Policies worth getting in place early:

  • Require MFA for all users on all cloud app sign-ins.
  • Block legacy authentication protocols.
  • Require compliant or hybrid-joined devices for access to corporate data.
  • Block sign-ins from countries the organization doesn’t operate in.
  • Enforce MFA on all admin roles, no exceptions.

A note on report-only mode: it’s useful for understanding impact before you enforce something, but report-only doesn’t protect anything. Organizations that stay in report-only for months are not protected. Run it briefly to validate coverage, then enforce.
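The legacy-auth block from the list above, created the way the report-only note describes: an added example using the Microsoft Graph PowerShell SDK, not a script from the post. It assumes the Microsoft.Graph.Identity.SignIns module is installed, and the break-glass object ID is a placeholder you replace with your own emergency account.

```powershell
# Added example (not from the post): create the "Block legacy authentication" Conditional
# Access policy, start it in report-only mode, and enforce it once sign-in logs confirm
# that only legacy clients would have been blocked.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Placeholder: object ID of the emergency access account, which stays excluded from CA.
$breakGlassObjectId = "<break-glass-account-object-id>"

$policy = @{
    displayName   = "Block legacy authentication"
    # Report-only: sign-ins are evaluated and logged but nothing is blocked yet.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        # "exchangeActiveSync" and "other" are the client app types that cannot complete
        # modern auth (IMAP, POP3, SMTP AUTH, basic-auth ActiveSync, older Office clients).
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassObjectId)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in report-only mode"

# Validation: watch the report-only results in the Entra sign-in logs for a few days.
# When the only "would have blocked" entries are legacy clients you expect to cut off,
# switch the same policy to enforced rather than creating a second one.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
    -BodyParameter @{ state = "enabled" }
"Policy $($created.Id) is now enforced"
```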


Admin accounts deserve their own discipline

Dedicated admin accounts

Every person doing admin work should have a separate account for it. Their day-to-day account is for email and Teams. Their admin account is for the admin center. Never the same account. This limits the blast radius when a credential gets phished. It happens to admins too.

Privileged Identity Management

If the tenant is on Entra ID P2 (which comes with M365 E5 or as an add-on), PIM is worth the setup time. Admin roles sit dormant by default; users activate them on-demand with justification and a time limit. Standing Global Admin access disappears from accounts that don’t need it around the clock. It’s a real reduction in the window of exposure.

Emergency access accounts

Every tenant should have at least one break-glass account: excluded from Conditional Access policies, stored offline, used only if you’re locked out. Document it, don’t use it day-to-day, and verify it works before you need it. Most organizations don’t have this until they need it.


Exchange Online Protection and Defender for Office 365

EOP is on by default, but the out-of-box configuration isn’t the tightest. If the subscription includes Defender for Office 365 (Plan 1 comes with Business Premium), use it. The default policy is a floor, not a finished setup.

The areas worth attention:

  • Anti-phishing: enable impersonation protection for executive accounts and key domains. The default policy exists but doesn’t protect specific users unless you configure it.
  • Safe Links: rewrite and scan URLs at click-time. A link that’s clean at delivery can redirect to something malicious six hours later. Safe Links catches that.
  • Safe Attachments: sandbox attachments before delivery. There’s a latency tradeoff, but Dynamic Delivery mitigates most of it. The message body delivers immediately while the attachment is scanned.
  • DMARC, DKIM, SPF: all three on every domain in the tenant. These don’t stop inbound phishing, but they stop your domain from being spoofed to send it. Check with a DNS lookup. A surprising number of tenants are still missing one.
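The DNS lookup the DMARC/DKIM/SPF bullet calls for, as an added example rather than anything from the post. It uses Resolve-DnsName from the Windows DnsClient module; the domain names are constructed placeholders, and in a real run you would feed the list from Get-MgDomain or Get-AcceptedDomain.

```powershell
# Added example (not from the post): check SPF, the two Microsoft 365 DKIM selectors, and
# DMARC for each domain and report what is missing or only monitoring.
$domains = @("example.com", "example.net")   # constructed placeholders

function Test-MailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)

    # SPF is a TXT record at the domain apex that starts with "v=spf1".
    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join "" } |
        Where-Object { $_ -like "v=spf1*" } | Select-Object -First 1

    # DMARC is a TXT record at _dmarc.<domain> that starts with "v=DMARC1".
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join "" } |
        Where-Object { $_ -like "v=DMARC1*" } | Select-Object -First 1

    # Microsoft 365 DKIM is enabled through two CNAMEs, selector1._domainkey and
    # selector2._domainkey, pointing at the tenant's onmicrosoft.com DKIM host.
    $dkim = foreach ($sel in "selector1", "selector2") {
        Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty NameHost
    }

    # The "all" qualifier says what receivers do with unlisted senders: -all fails them,
    # ~all soft-fails, ?all and +all effectively disable SPF.
    $spfAll = if ($spf -and $spf -match '([-~?+]?)all\s*$') { $Matches[1] + "all" } else { $null }
    # DMARC p= is the policy: none only monitors, quarantine and reject actually act.
    $dmarcPolicy = if ($dmarc -and $dmarc -match 'p=(\w+)') { $Matches[1] } else { $null }

    [pscustomobject]@{
        Domain        = $Domain
        SpfPresent    = [bool]$spf
        SpfAll        = $spfAll
        DkimSelectors = @($dkim).Count      # expect 2 for a domain with DKIM enabled
        DmarcPresent  = [bool]$dmarc
        DmarcPolicy   = $dmarcPolicy
    }
}

$domains | ForEach-Object { Test-MailAuthRecords -Domain $_ } | Format-Table -AutoSize
```

A domain with SpfAll of ~all or DmarcPolicy of none is configured but not yet enforcing; those are the rows to schedule a tightening for.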

Audit logging and alert policies

This one gets skipped more than almost anything else. Unified audit logging should be on for every tenant. Not because you’ll watch it actively, but because when an incident happens, you need a record of what occurred. Off means no forensic trail.

Check it: Security & Compliance Center → Audit → verify logging is enabled. One click if it isn’t. Turn it on now.

Beyond that, configure a handful of alert policies: mass file download or deletion from SharePoint, inbox rules forwarding mail externally, risky sign-ins. Microsoft provides defaults. Tune them to what matters for your environment. You don’t need a SOC to catch the most common attack patterns. You need alerts that fire when something is actually wrong.
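The audit-log check and the "inbox rules forwarding mail externally" alert, done from Exchange Online PowerShell so you can confirm the current state rather than wait for an alert to fire. This is an added example using the ExchangeOnlineManagement module, not a script from the post; apart from enabling the audit log it only reads and reports.

```powershell
# Added example (not from the post): confirm unified audit logging is on, then enumerate
# inbox rules and mailbox settings that forward or redirect mail outside the tenant.
Connect-ExchangeOnline

# 1. Unified audit log. If this is $false there is no forensic trail, so enable it.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    "Unified audit logging was off and has been enabled."
}

# 2. Accepted domains let us tell an internal forward from an external one.
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalAddress {
    param([string]$Address)
    if (-not $Address) { return $false }
    $domain = ($Address -replace '^smtp:', '').Split('@')[-1]
    return ($internalDomains -notcontains $domain)
}

# 3. Inbox rules that forward or redirect. Recipient entries render as
#    '"Name" [SMTP:user@domain]', so the SMTP address is pulled out with a regex.
$findings = Get-EXOMailbox -ResultSize Unlimited | ForEach-Object {
    $upn = $_.UserPrincipalName
    Get-InboxRule -Mailbox $upn -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $rule    = $_
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                Where-Object { $_ } | ForEach-Object { "$_" }
            $external = $targets | Where-Object {
                $_ -match 'SMTP:([^\]]+)\]' -and (Test-ExternalAddress $Matches[1])
            }
            [pscustomobject]@{
                Mailbox  = $upn
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                Targets  = ($targets -join '; ')
                External = [bool]$external
            }
        }
}
$findings | Sort-Object External -Descending | Format-Table -AutoSize

# 4. Mailbox-level forwarding configured outside of inbox rules.
Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress |
    Where-Object { Test-ExternalAddress $_.ForwardingSmtpAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress
```

Rows with External set to True are the ones the alert policy is meant to surface; review each against a known business reason before removing it.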


External sharing in SharePoint and OneDrive

Default external sharing in a new M365 tenant is permissive. Anyone with a link can often view content without signing in. For most business environments, that’s too open.

At the tenant level, scope external sharing to what the organization actually uses. A middle ground that works for many SMBs: sharing with authenticated external users only, no anonymous links. Set it at the tenant level, then tighten specific site collections further where the content is sensitive.

Review the external sharing report regularly. SharePoint Admin Center → Reports → Sharing. External users accumulating access over months without review is a slow-moving problem that tends to surface at the worst time.


Secure Score is a map, not a grade

Microsoft Secure Score in the Defender portal ranks the tenant against Microsoft’s security benchmarks. Treat it as a prioritized to-do list, not a report card to forward to leadership.

The value is in the recommendations list: each item tells you what to change, the expected score improvement, and the user impact. Work through the high-value, low-disruption items first. Some recommendations are operationally disruptive for good reasons, so don’t chase the number blindly. Use judgment about what makes sense for the environment.

A rough benchmark: most organizations that have spent real time on M365 security land in the 60–75% range. Below 40% typically means baseline controls are missing.


The things people get wrong

Most M365 security work gets done at implementation and left alone. The platform changes. New features ship. Policies appropriate for a 20-person company don’t hold up at 120. Put a quarterly review on the calendar; most teams can manage that. Check Secure Score drift, review admin role assignments, confirm MFA enrollment is still at 100%, look at external sharing reports.
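The three checks in the quarterly review, plus the Secure Score read described two sections up, as one Microsoft Graph PowerShell script. This is an added example and not from the post; it assumes the Microsoft.Graph.Security, Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Reports modules, and the list of roles treated as privileged is the author's pick, not a Microsoft definition.

```powershell
# Added example (not from the post): Secure Score drift, current privileged role holders,
# and MFA registration coverage, the three things to look at each quarter.
Connect-MgGraph -Scopes "SecurityEvents.Read.All", "RoleManagement.Read.Directory",
                        "AuditLog.Read.All", "Directory.Read.All"

# 1. Secure Score drift: newest snapshot against the one from roughly a quarter ago.
$scores = @(Get-MgSecuritySecureScore -All | Sort-Object CreatedDateTime -Descending)
$now    = $scores[0]
$then   = $scores | Where-Object { $_.CreatedDateTime -le (Get-Date).AddDays(-90) } |
          Select-Object -First 1
$pctNow = [math]::Round(100 * $now.CurrentScore / $now.MaxScore, 1)
"Secure Score now: $pctNow% ($($now.CurrentScore) of $($now.MaxScore))"
if ($then) {
    $pctThen = [math]::Round(100 * $then.CurrentScore / $then.MaxScore, 1)
    "Secure Score ~90 days ago: $pctThen%  (drift: $([math]::Round($pctNow - $pctThen, 1)) points)"
}

# 2. Who holds privileged directory roles right now. Get-MgDirectoryRole returns activated
#    roles only; PIM-eligible assignments are a separate query and are not covered here.
$privileged = "Global Administrator", "Privileged Role Administrator", "Exchange Administrator",
              "SharePoint Administrator", "Security Administrator", "User Administrator"
Get-MgDirectoryRole -All | Where-Object { $privileged -contains $_.DisplayName } | ForEach-Object {
    $role = $_
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        $props = $_.AdditionalProperties
        [pscustomobject]@{
            Role   = $role.DisplayName
            Member = if ($props.ContainsKey("userPrincipalName")) { $props["userPrincipalName"] } else { $_.Id }
        }
    }
} | Sort-Object Role, Member | Format-Table -AutoSize

# 3. MFA registration: every account in this list is still protected by a password alone.
$reg           = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)
$notRegistered = @($reg | Where-Object { -not $_.IsMfaRegistered })
"MFA registered: $($reg.Count - $notRegistered.Count) of $($reg.Count) users"
$notRegistered | Select-Object UserPrincipalName, IsAdmin, LastUpdatedDateTime |
    Sort-Object IsAdmin -Descending | Format-Table -AutoSize
```

Any row in the last table with IsAdmin set to True is the case the next section warns about: a privileged account that is not behind MFA.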

The other common mistake: MFA on user accounts but not on admin accounts, or the reverse. The account with the most privilege is the one that matters most. If Global Admin credentials aren’t behind MFA and Conditional Access, everything else is academic.

Properly configured, M365 is a defensible environment. Most of the ways attackers get in are gaps in controls Microsoft already provides. They just don’t ship enabled.


Running into something specific in your M365 tenant? I’m happy to talk through it.