Microsoft 365 Security Basics
Note: This is general information and not legal advice.
Executive Summary
- Identity is the perimeter: Microsoft's own sign-in telemetry shows MFA stops more than 99.9% of automated account-compromise attacks, which makes it the single highest-return control in the tenant.
- Defaults are not enough: a tenant without Security Defaults or an equivalent Conditional Access policy still accepts legacy (basic) authentication, which cannot complete an MFA challenge and is the standard target for password spraying.
- Separate admin accounts: never browse the web or read email from an account that holds Global Administrator; a phished daily-driver account must not become a phished tenant.
1 Identity & Access
- Enforce Multi-Factor Authentication (MFA)
For all users, with the emergency-access account as the only exclusion. Prefer phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business) or the Microsoft Authenticator app with number matching; keep SMS and voice as a last resort, since both fall to SIM swapping and real-time phishing relays.
- Block Legacy Authentication
Basic authentication for IMAP, POP3, SMTP AUTH, EWS and similar protocols accepts a username and password alone, so MFA never enters the picture. Block the "Exchange ActiveSync clients" and "Other clients" app types in Conditional Access and disable SMTP AUTH at the tenant level. Exchange Online has already retired basic auth for most of these protocols, but SMTP AUTH is still a per-tenant setting (Microsoft has announced its retirement as well).
- Conditional Access Policies
Start from Microsoft's policy templates in report-only mode, read the sign-in log to see what would have been blocked, then enforce: MFA for everyone, a compliant or hybrid-joined device for anyone holding an admin role, and a block on countries the business never signs in from. Treat geo-blocking as noise reduction rather than a barrier; attackers route through residential proxies in allowed countries.
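The three Identity & Access items above as one worked example. This is added here and is not code from the original page: it creates the MFA, legacy-authentication and admin-device policies through Microsoft Graph PowerShell in report-only mode, then turns off SMTP AUTH in Exchange Online. The policy names and the `$breakGlassId` value are placeholders; the Global Administrator role template ID is Microsoft's fixed value.

```powershell
# Added example, not part of the original page. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules are installed and you hold the Conditional Access
# Administrator and Exchange Administrator roles. $breakGlassId is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$breakGlassId            = "00000000-0000-0000-0000-000000000000"  # placeholder: object ID of the emergency-access account
$globalAdminRoleTemplate = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template ID (fixed by Microsoft)

# Every policy starts in report-only mode so you can read the sign-in log before enforcing.
$reportOnly = "enabledForReportingButNotEnforced"

# 1. Require MFA for all users on modern-auth clients.
$requireMfa = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 2. Block legacy authentication: "other" is the bucket for IMAP/POP3/SMTP AUTH/EWS basic-auth clients.
$blockLegacy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. Global Admins sign in only from an Intune-compliant or hybrid-joined device.
$adminDevice = @{
    displayName   = "CA003 - Require compliant device for Global Admins"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeRoles = @($globalAdminRoleTemplate); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
}

foreach ($policy in @($requireMfa, $blockLegacy, $adminDevice)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State
}

# 4. Belt and braces for the legacy-auth block: disable SMTP AUTH for the whole tenant.
# A device that genuinely needs it can be re-enabled per mailbox with
# Set-CASMailbox -Identity <upn> -SmtpClientAuthenticationDisabled $false
Connect-ExchangeOnline
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
```

After a week or two of report-only results, switch each policy to enforcement with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled`, one policy at a time, so a mistake in one does not coincide with a mistake in another.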
2 Email Hygiene
- Preset Security Policies
Enable the Standard or Strict preset security policy in Defender for Office 365 (Standard for the general population, Strict for admins, executives and finance). The presets apply Microsoft's recommended anti-phishing, anti-spam, Safe Links and Safe Attachments settings and keep them current as the recommendations change.
- External Tagging
Turn on the External sender tag so Outlook labels every message that originates outside the organization. The tag does not stop impersonation, but it gives users a visible cue when a "CEO" request arrives from an outside address.
- SPF / DKIM / DMARC
Publish an SPF record that lists Exchange Online and every third-party sender and ends in -all, enable DKIM signing for each custom domain, and publish a DMARC record. Only a DMARC policy of quarantine or reject lets receiving servers act on spoofed mail: start at p=none with aggregate reporting, fix the legitimate senders the reports expose, then move to p=reject.
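The three email-hygiene items above as one worked example. This is added here and is not code from the original page: it enables the External tag, sets up DKIM for a custom domain, and checks the SPF and DMARC records from DNS. The `$domain` value and the `dmarc@` reporting mailbox are placeholders; `Resolve-DnsName` is the Windows DnsClient cmdlet, so run this from PowerShell on Windows.

```powershell
# Added example, not part of the original page. Assumes the ExchangeOnlineManagement module
# and the Windows DnsClient module. $domain is a placeholder for your custom domain.
$domain = "example.com"
Connect-ExchangeOnline

# 1. External sender tag in Outlook (can take up to 48 hours to appear in clients).
Set-ExternalInOutlook -Enabled $true
Get-ExternalInOutlook | Select-Object Enabled, AllowList

# Helper: return each TXT record at a name as one string (long records arrive split into chunks).
function Get-TxtRecords([string] $Name) {
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings } |
        ForEach-Object { -join $_.Strings }
}

# 2. DKIM: create the signing config disabled, publish the two CNAMEs, enable once they resolve.
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -Enabled $false | Out-Null
}
$dkim = Get-DkimSigningConfig -Identity $domain
"DKIM CNAMEs to publish for $domain"
"  selector1._domainkey.$domain  ->  $($dkim.Selector1CNAME)"
"  selector2._domainkey.$domain  ->  $($dkim.Selector2CNAME)"
$cnamesPublished = $true
foreach ($sel in @("selector1", "selector2")) {
    if (-not (Resolve-DnsName -Name "$sel._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue)) {
        $cnamesPublished = $false
    }
}
if ($cnamesPublished -and -not $dkim.Enabled) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
    "DKIM signing enabled for $domain"
} elseif (-not $dkim.Enabled) {
    Write-Warning "DKIM CNAMEs not found in DNS yet; publish them and re-run."
}

# 3. SPF: must exist, authorise Exchange Online, and end in hard fail.
$spf = Get-TxtRecords $domain | Where-Object { $_ -like "v=spf1*" }
if (-not $spf) {
    Write-Warning "No SPF record for $domain"
} elseif ($spf -notmatch "include:spf\.protection\.outlook\.com") {
    Write-Warning "SPF does not authorise Exchange Online: $spf"
} elseif ($spf -notmatch "\s-all$") {
    Write-Warning "SPF does not end in -all (softfail/neutral lets spoofs through): $spf"
} else {
    "SPF ok: $spf"
}

# 4. DMARC: p=none is monitoring only; receivers act only on quarantine or reject.
$dmarc = Get-TxtRecords "_dmarc.$domain" | Where-Object { $_ -like "v=DMARC1*" }
if (-not $dmarc) {
    Write-Warning "No DMARC record; publish 'v=DMARC1; p=none; rua=mailto:dmarc@$domain' to start collecting reports"
} elseif ($dmarc -match "(^|;)\s*p=none") {
    Write-Warning "DMARC is monitor-only; move to p=quarantine, then p=reject: $dmarc"
} else {
    "DMARC ok: $dmarc"
}
```

The SPF check deliberately treats ~all (softfail) as a finding: most receivers deliver softfailed mail to the inbox, so the record only earns its keep once it ends in -all and every legitimate third-party sender is listed.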
3 Admin Protection
- Dedicated Admin Accounts
Admins should not hold Global Administrator on the account they use for daily email and browsing. Use separate cloud-only accounts (not synchronized from on-premises AD, so a domain compromise does not become a tenant compromise) with no mailbox, protected by phishing-resistant MFA; where Entra ID P2 is licensed, make the assignments eligible in Privileged Identity Management rather than permanent.
- Break Glass Account
Create at least one (Microsoft recommends two) cloud-only emergency-access account that is excluded from every Conditional Access policy, holds a long random password or a FIDO2 key kept offline under dual control, and is never used for routine work. Alert on any sign-in to it, and test it on a schedule so the procedure works on the day a bad policy or an identity-provider outage locks everyone else out.
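A check for both Admin Protection items above, added here as an example that is not from the original page: it lists the active Global Administrators and flags any that are synchronized from on-premises AD or licensed (and so probably carry a mailbox), then confirms the emergency-access account is excluded from every Conditional Access policy. `$breakGlassUpn` is a placeholder.

```powershell
# Added example, not part of the original page. Assumes the Microsoft.Graph module;
# $breakGlassUpn is a placeholder for your emergency-access account.
Connect-MgGraph -Scopes "Directory.Read.All", "Policy.Read.All", "User.Read.All"
$breakGlassUpn = "emergency-access@example.onmicrosoft.com"

# 1. Every active Global Administrator should be cloud-only and carry no mailbox.
#    (Eligible PIM assignments are not active memberships and do not appear here; review them in PIM.)
$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
foreach ($m in $members) {
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }  # skip service principals and groups
    $u = Get-MgUser -UserId $m.Id -Property UserPrincipalName, OnPremisesSyncEnabled, AssignedLicenses, AccountEnabled
    $findings = @()
    if ($u.OnPremisesSyncEnabled)        { $findings += "synced from on-prem AD" }
    if ($u.AssignedLicenses.Count -gt 0) { $findings += "licensed (probably has a mailbox)" }
    if (-not $u.AccountEnabled)          { $findings += "disabled but still assigned" }
    $status = if ($findings) { $findings -join "; " } else { "ok: cloud-only, unlicensed" }
    "{0,-50} {1}" -f $u.UserPrincipalName, $status
}

# 2. The break-glass account must be excluded from every Conditional Access policy,
#    otherwise a broken policy locks it out along with everyone else.
$bg       = Get-MgUser -UserId $breakGlassUpn -Property Id, UserPrincipalName
$policies = Get-MgIdentityConditionalAccessPolicy
$missing  = $policies | Where-Object { $_.Conditions.Users.ExcludeUsers -notcontains $bg.Id }
if ($missing) {
    Write-Warning ("Break-glass account is not excluded from: " + ($missing.DisplayName -join "; "))
} else {
    "Break-glass account is excluded from all $($policies.Count) Conditional Access policies"
}
```

Run the policy check again after every Conditional Access change; a new policy created from the portal does not inherit exclusions from existing ones, and that is exactly how emergency-access accounts end up locked out.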
Common Questions
Is Microsoft Defender enough?
For most SMBs and mid-market organizations, yes, if it is configured correctly. Defender for Endpoint P2 (or Defender for Business in the SMB bundle) is a mature EDR platform, but it only pays off when every endpoint is onboarded, attack surface reduction rules are enabled, and someone actually triages the alerts.
What license do I need for these features?
Conditional Access needs Entra ID P1, which Microsoft 365 Business Premium, E3 and E5 all include; Business Premium also bundles Intune, Defender for Office 365 P1 and Defender for Business. E5 (or the E5 Security add-on) adds Entra ID P2 for risk-based policies and Privileged Identity Management, plus Defender for Office 365 P2 and Defender for Endpoint P2; those privileged-access and risk controls are what most compliance frameworks ask for, which is why E5 aligns with them more cleanly.
Need a Security Audit?
We can check your M365 tenant against these best practices and fix the gaps.