Microsoft 365 Security Basics
Note: This is general information and not legal advice.
Executive Summary
- MFA blocks 99.9% of account compromise attacks, according to Microsoft's own data.
- Default settings leave legacy protocols open to password spray attacks and phishing campaigns.
- Admin accounts with daily-use privileges are the highest-value target for attackers.
- Your organization uses Microsoft 365 and has not completed a security baseline review.
- You are preparing for cyber insurance applications, SOC 2 audits, or customer security questionnaires.
- You have had a phishing incident, compromised account, or ransomware scare.
- MFA is enforced for all users with no exceptions. Legacy authentication is disabled.
- Conditional Access policies enforce device compliance and risk-based access decisions.
- Admin accounts are separate from daily-use accounts, with Conditional Access and MFA enforced.
- Email authentication (SPF, DKIM, DMARC) is configured and validated.
- We audit your tenant against these baselines and provide a prioritized remediation plan.
- We implement MFA, Conditional Access, admin separation, and email hardening.
- We provide ongoing monitoring and evidence for audits and insurance renewals through identity and M365 security operations.
Identity and access: the foundation
Identity is the perimeter for Microsoft 365. If an attacker can compromise credentials, they can access email, files, Teams conversations, and administrative controls. The most effective control is also the simplest: require Multi-Factor Authentication for every user, every time.
Enforce MFA for all users. There should be no exceptions for "senior leadership" or "power users." If someone needs faster access, the answer is phishing-resistant MFA (FIDO2 keys, passkeys), not weaker authentication. Authenticator apps are acceptable as a minimum; SMS should be avoided.
Block legacy authentication. IMAP, POP, and SMTP with basic authentication bypass MFA entirely. These protocols are the primary vector for password spray attacks. Microsoft has disabled basic auth for most Exchange Online protocols by default, but you should verify no legacy dependencies remain in your environment.
Implement Conditional Access policies. Conditional Access lets you make access decisions based on context: device compliance, location, risk level, and application sensitivity. Start with policies that require compliant devices for admin access and block sign-ins that trigger impossible-travel risk detections. See the Conditional Access guide for a detailed approach.
Related: identity foundations and MFA guide.
Admin protection: separate and strengthen
The most dangerous admin account is one that is also used for daily tasks: reading email, browsing the web, opening attachments. If that account gets compromised through phishing, the attacker has Global Admin access to your entire Microsoft 365 tenant.
Use dedicated admin accounts. Admins should have a separate cloud-only account for administrative tasks. That account should only be used when performing admin actions, never for email or web browsing. This limits the exposure surface: even if the daily account is compromised, the admin account remains protected.
Create a break-glass account. Maintain at least one emergency access account that is excluded from all Conditional Access policies. Store the credentials securely offline (not in a password manager connected to the tenant). This account exists for scenarios where a misconfigured policy locks everyone out.
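To make the Conditional Access and break-glass advice above concrete, here is an added example (not code from the page or from N2CON) that builds the Microsoft Graph conditionalAccessPolicy body for a legacy-authentication block, starts it in report-only mode, and lints it for the two rollout mistakes that lock tenants out: forgetting the break-glass exclusion and enforcing a block on All users with no exclusions. The break-glass object ID is a constructed placeholder; submitting the body (a POST to the Graph conditionalAccess/policies endpoint or Graph PowerShell) is left out.

```python
"""Added example (not from the page or from N2CON): build a Microsoft Graph
conditionalAccessPolicy body that blocks legacy authentication, starting in
report-only mode, and lint it before submission."""
import json

REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph state value for report-only
VALID_STATES = {REPORT_ONLY, "enabled", "disabled"}
LEGACY_CLIENT_APPS = ["exchangeActiveSync", "other"]  # "other" = legacy-auth clients

def legacy_auth_block_policy(break_glass_ids, enforce=False):
    """Return the policy body. break_glass_ids are Entra user object IDs to exclude."""
    return {
        "displayName": "Block legacy authentication",
        "state": "enabled" if enforce else REPORT_ONLY,
        "conditions": {
            "clientAppTypes": LEGACY_CLIENT_APPS,
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def rollout_problems(policy, break_glass_ids):
    """Return a list of reasons not to submit the policy yet; empty means OK."""
    problems = []
    users = policy.get("conditions", {}).get("users", {})
    excluded = set(users.get("excludeUsers", []))
    missing = [bg for bg in break_glass_ids if bg not in excluded]
    if missing:
        problems.append(f"break-glass account(s) not excluded: {missing}")
    if policy.get("state") not in VALID_STATES:
        problems.append(f"unknown state {policy.get('state')!r}")
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    if blocks and users.get("includeUsers") == ["All"] and not excluded:
        problems.append("block policy covers All users with no exclusions at all")
    return problems

if __name__ == "__main__":
    # Constructed placeholder object ID; replace with the real break-glass account ID.
    bg = ["00000000-0000-0000-0000-000000000001"]
    body = legacy_auth_block_policy(bg)
    print(json.dumps(body, indent=2))
    print("problems:", rollout_problems(body, bg))
```

Only switch `enforce=True` after the report-only sign-in logs show no unexpected blocks for the pilot group.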
Apply the principle of least privilege. Not every IT staff member needs Global Admin. Use role-based access control to assign the minimum permissions needed. See RBAC for more on this.
Related: remove local admin rights.
Email hygiene: stop phishing before it lands
Email is the primary attack vector for credential theft and malware delivery. Microsoft 365 includes strong email security capabilities, but they require intentional configuration.
Enable preset security policies. Microsoft provides "Standard" and "Strict" preset policies in Defender for Office 365. Standard is a reasonable starting point; Strict provides stronger protection but may generate more false positives. Enable at least Standard for all users.
Turn on external sender tagging. This adds a visual indicator to emails from outside your organization, making it harder for attackers to impersonate internal senders. It is a simple, high-impact change.
Configure SPF, DKIM, and DMARC. These DNS records prove that email claiming to come from your domain actually did. Without them, attackers can spoof your domain for phishing campaigns against your partners, customers, and employees. See the email authentication guide.
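As an added example (not from the page), the following checks the SPF and DMARC records the paragraph describes for the settings that still leave a domain spoofable: a permissive or missing `all` mechanism, too many DNS-lookup terms, `p=none`, a partial `pct`, and no aggregate reporting address. DKIM is omitted because verifying it needs the selector name; the sample records are constructed, not real DNS data.

```python
"""Added example (not from the page): assess SPF and DMARC TXT records for the
weak settings that leave a domain spoofable."""
import re

LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)", re.I)

def spf_findings(spf):
    """Return a list of weaknesses in an SPF record; empty means it looks sound."""
    if not spf.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    findings, terms = [], spf.split()
    all_mech = next((t.lower() for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_mech is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_mech in ("all", "+all"):
        findings.append("'+all' authorizes every sender; SPF is effectively disabled")
    elif all_mech == "?all":
        findings.append("'?all' is neutral; unlisted senders are not failed")
    elif all_mech == "~all":
        findings.append("'~all' softfail: receivers mark rather than reject (fine with DMARC)")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10; SPF evaluates to permerror")
    return findings

def dmarc_findings(dmarc):
    """Return a list of weaknesses in a DMARC record; empty means it looks sound."""
    tags = {}
    for part in dmarc.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings, policy = [], tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid p= tag: {policy!r}")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings

# Constructed sample records, not real DNS data
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
```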
Related: business email compromise guide.
Endpoint and device basics
Microsoft 365 security does not stop at identity and email. The devices that connect to your tenant matter just as much. A compromised credential on a managed device is a contained incident. The same credential on an unmanaged, unencrypted laptop is a potential breach.
Deploy Defender for Endpoint (or equivalent). Endpoint detection and response provides visibility into what happens on devices and gives you containment options when threats are detected. Defender for Endpoint P2 or Business is a capable solution for most mid-market organizations. See the EDR guide for implementation details.
Enroll devices in management. Intune (or equivalent MDM) lets you enforce device encryption, screen lock requirements, and compliance policies. Devices that do not meet baseline requirements should be blocked or limited by Conditional Access policies. This is where BYOD and company-owned devices diverge in their security posture.
Enable audit logging. Microsoft 365 audit logs are essential for incident investigation and compliance evidence. Ensure Unified Audit Log is enabled (it is on by default for most tenants) and that you retain logs long enough for your compliance requirements. Most frameworks expect 90 to 180 days of retention.
How M365 security connects to the identity cluster
Microsoft 365 security is not a standalone topic. It is the practical implementation of identity and security controls that connect to the broader security posture.
- Identity foundations: MFA, Conditional Access, and least privilege are identity controls that Microsoft 365 makes available. Understanding why they matter helps you configure them correctly.
- MFA: the single most impactful security control for any Microsoft 365 tenant. If you do nothing else, enforce MFA.
- Conditional Access: the policy engine that ties identity, device state, and risk together for access decisions in Microsoft 365.
- EDR: Defender for Endpoint provides the detection and response capability that complements the preventive controls described above.
Common Questions
Is Microsoft Defender enough on its own?
Defender for Endpoint is a capable EDR solution, but it is not effective in isolation. The value comes from the configuration around it: MFA, Conditional Access, least privilege, and monitoring. Defender without those controls is a strong lock on a door with no frame.
What license tier do we need for these features?
Most security features covered here (Conditional Access, Intune, Defender for Endpoint, audit logging) are available in Microsoft 365 E3. E5 adds advanced threat hunting, Defender for Office 365 Plan 2, and more granular controls. E3 is the practical minimum for a serious security posture.
How long does it take to implement these baselines?
MFA and legacy protocol blocking can be done in days. Conditional Access policies take one to two weeks to design, test, and roll out. Admin separation and email hardening typically take two to four weeks depending on your environment complexity and change management requirements.
What happens if we break something during rollout?
Use Conditional Access in report-only mode before enforcing. Test policies against a pilot group first. Keep a break-glass admin account excluded from Conditional Access policies. These precautions let you recover quickly if a policy causes unexpected access issues.
Should we disable legacy authentication protocols?
Yes. Legacy protocols (IMAP, POP, SMTP with basic auth) bypass MFA entirely and are the primary vector for password spray attacks. Microsoft has disabled basic auth for most Exchange Online protocols by default. Verify your environment has no remaining dependencies before blocking.
Need someone to check your M365 security posture?
We can audit your tenant against these baselines, fix the gaps, and set up ongoing monitoring so security does not slide.
Contact N2CON