Most Microsoft 365 tenants are deployed with default settings - and default settings are not secure settings. This guide walks through the highest-impact configuration changes you can make to your M365 environment, organized by category and prioritized by risk reduction.
Before you start: You'll need Global Administrator access to your Microsoft 365 tenant. Some configurations (Conditional Access, Defender policies) require specific license tiers - license requirements are noted where relevant.
1. Identity & Authentication
Enforce MFA for All Users (Critical)
Multi-factor authentication is the single highest-impact security control available in M365. Enforcing it for all users eliminates the majority of account compromise attacks.
- Navigate to Entra admin center → Protection → Conditional Access
- Create a policy targeting all users, requiring MFA for all cloud apps
- Exclude break-glass emergency access accounts
- Enable Security Defaults as a minimum if Conditional Access is unavailable on your license
Block Legacy Authentication (Critical)
Legacy authentication protocols (IMAP, POP3, SMTP AUTH, older Office clients) cannot enforce MFA. Blocking them eliminates a common attack vector.
- In Conditional Access, create a policy targeting legacy authentication clients
- Set the grant control to Block access
- Monitor sign-in logs for legacy auth activity before enforcing to avoid disruption
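The two policies above share one shape (all users, all cloud apps, break-glass excluded) and the guide's advice is to look at legacy-auth activity before blocking it. The script below is an added example, not part of the original guide: it surveys the last 30 days of sign-ins for legacy clients, then creates both Conditional Access policies in report-only mode via Microsoft Graph PowerShell so their effect shows up in sign-in logs before anything is enforced. It assumes the Microsoft.Graph SDK is installed, the tenant has Entra ID P1 (Conditional Access and sign-in log access), and that `$BreakGlassUpns` is replaced with your real emergency access accounts (the values shown are placeholders).

```powershell
# Added example, not part of the original guide: survey legacy-auth sign-ins, then create the
# MFA and legacy-auth-block Conditional Access policies in report-only mode.
# Requires Microsoft.Graph PowerShell SDK and Entra ID P1. $BreakGlassUpns values are placeholders.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All", "User.Read.All" -NoWelcome

$BreakGlassUpns = @("breakglass1@contoso.example", "breakglass2@contoso.example")   # placeholders

# --- Step 1: who still authenticates with protocols that cannot do MFA?
# clientAppUsed values Entra reports for legacy (non-modern) authentication clients
$legacyClients = @("Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                   "Other clients", "Exchange Web Services", "MAPI Over HTTP",
                   "Outlook Anywhere (RPC over HTTP)", "Autodiscover", "Offline Address Book")
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -in $legacyClients }
"Legacy-auth sign-ins in the last 30 days: $(@($legacySignIns).Count)"
# Who and which protocol: these are the users/apps that break when the block policy is enforced
$legacySignIns | Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending | Select-Object Count, Name -First 25 | Format-Table -AutoSize

# --- Step 2: create both policies, report-only, excluding the break-glass accounts (by object ID)
$breakGlassIds = @(foreach ($upn in $BreakGlassUpns) { (Get-MgUser -UserId $upn -Property Id).Id })

function New-ReportOnlyCaPolicy {
    param([string]$Name, [string[]]$ClientAppTypes, [string[]]$Controls)
    $body = @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"   # change to "enabled" once report-only results look clean
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = $ClientAppTypes
        }
        grantControls = @{ operator = "OR"; builtInControls = $Controls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# MFA for all users, all cloud apps, every client type
New-ReportOnlyCaPolicy -Name "CA001 - Require MFA for all users" -ClientAppTypes @("all") -Controls @("mfa")
# Block the two client types Entra classifies as legacy authentication
New-ReportOnlyCaPolicy -Name "CA002 - Block legacy authentication" -ClientAppTypes @("exchangeActiveSync", "other") -Controls @("block")
```

Run step 1 on its own first; anyone appearing in the grouped output needs a modern-auth client or a documented exception before CA002 moves from report-only to enabled.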
Restrict Global Administrator Usage (High)
- Audit current Global Admins: Entra → Roles and administrators
- Target fewer than 5 Global Admins for most organizations
- Assign scoped roles (Exchange Admin, SharePoint Admin) for day-to-day tasks
- Ensure every administrator uses a dedicated admin-only account (separate from the account used for daily email)
- Enable Privileged Identity Management (PIM) if you have Entra ID P2
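The audit step above is easier to repeat from a script than from the portal. The following is an added example, not part of the original guide: it enumerates the Global Administrator role members through Microsoft Graph PowerShell, warns when the count reaches 5, and reports for each account whether MFA is registered, whether it is cloud-only, and whether it holds licenses (a heuristic hint that it doubles as a daily-use account). It assumes the Microsoft.Graph SDK is installed; the registration report needs Entra ID P1 and the PIM query Entra ID P2. The role template ID is Microsoft's fixed identifier for Global Administrator.

```powershell
# Added example, not part of the original guide: enumerate Global Administrators and flag
# count, MFA registration, cloud-only status and license holdings (dedicated-account heuristic).
# Requires Microsoft.Graph SDK; registration report needs Entra ID P1, PIM query needs P2.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All", "Reports.Read.All",
                        "User.Read.All", "RoleEligibilitySchedule.Read.Directory" -NoWelcome

# Fixed, tenant-independent template ID of the Global Administrator role
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$gaRole  = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
# Only direct user members; a group assigned to the role would need its membership expanded separately
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' }

$report = foreach ($m in $members) {
    $u   = Get-MgUser -UserId $m.Id -Property UserPrincipalName, OnPremisesSyncEnabled, AssignedLicenses, AccountEnabled
    $reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $m.Id
    [pscustomobject]@{
        UPN           = $u.UserPrincipalName
        Enabled       = $u.AccountEnabled
        MfaRegistered = $reg.IsMfaRegistered
        CloudOnly     = -not $u.OnPremisesSyncEnabled     # admin accounts should not be synced from on-prem AD
        HoldsLicenses = $u.AssignedLicenses.Count -gt 0   # heuristic: a licensed GA is often also someone's daily mailbox
    }
}
$report | Format-Table -AutoSize

$active = @($report).Count
if ($active -ge 5) { Write-Warning "$active permanent Global Administrators; the guide targets fewer than 5." }
$report | Where-Object { -not $_.MfaRegistered } | ForEach-Object { Write-Warning "GA without MFA registered: $($_.UPN)" }

# With PIM (Entra ID P2), eligible just-in-time assignments do not appear as role members; count them too.
try {
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter "roleDefinitionId eq '$gaTemplateId'" -All
    "PIM-eligible Global Administrators: $(@($eligible).Count)"
} catch {
    "PIM eligibility query skipped (requires Entra ID P2): $($_.Exception.Message)"
}
```

Accounts that are permanent members, hold licenses and show `CloudOnly = False` are the first candidates to convert into dedicated cloud-only admin accounts or PIM-eligible assignments.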
Configure Self-Service Password Reset (SSPR) (Medium)
- Navigate to Entra → Protection → Password reset
- Enable for all users or a pilot group
- Require two authentication methods for reset
- Enable password writeback if using hybrid identity
2. Email & Collaboration Security
Enable Defender for Office 365 Preset Policies (High)
Requires Defender for Office 365 Plan 1 (included in Business Premium, available as an add-on to M365 E3, or standalone).
- Go to security.microsoft.com → Email & collaboration → Policies & rules → Threat policies
- Under Preset security policies, apply the Standard protection preset to all users
- This enables Safe Links, Safe Attachments, and anti-phishing policies in one step
- Review the Configuration Analyzer to identify gaps against the Standard baseline
Configure Anti-Phishing Policy (High)
- Enable impersonation protection for key executives and domains
- Enable mailbox intelligence (learns normal communication patterns)
- Set action for impersonation detections to Quarantine
- Enable spoof intelligence and review the spoof intelligence insight regularly
Enable Audit Logging (Critical)
Unified audit logging is not enabled by default on all tenants. Without it, you have no forensic trail after an incident.
- Go to compliance.microsoft.com → Audit
- If logging is not enabled, click Start recording user and admin activity
- Verify logs are being captured by running a test search
- For extended retention, configure audit log retention policies (E3/E5 or add-on required)
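The three items in this section (Standard preset applied, anti-phishing settings, unified audit logging) all live in Exchange Online, so one connection can verify all of them. The script below is an added example, not part of the original guide: it reports the state of the Standard preset rules, compares every anti-phishing policy against the settings recommended above (Quarantine as the impersonation action, mailbox and spoof intelligence on), and confirms audit log ingestion with a test search. It assumes the ExchangeOnlineManagement module and an Exchange or Security Administrator role; nothing is changed unless `$Apply` is set to `$true`.

```powershell
# Added example, not part of the original guide: verify Standard preset, anti-phishing settings
# and unified audit logging from Exchange Online PowerShell. Reports only unless $Apply = $true.
# Requires the ExchangeOnlineManagement module and Exchange/Security Administrator.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false
$Apply = $false

# 1. Preset security policies: the Standard preset is a pair of rules (EOP and Defender for Office 365).
#    The rules exist only once the preset has been turned on; empty recipient conditions mean "all recipients".
foreach ($cmd in "Get-EOPProtectionPolicyRule", "Get-ATPProtectionPolicyRule") {
    $rule = & $cmd -Identity "Standard Preset Security Policy" -ErrorAction SilentlyContinue
    if (-not $rule) { Write-Warning "$cmd : Standard preset has never been enabled" }
    else { $rule | Select-Object Name, State, SentTo, SentToMemberOf, RecipientDomainIs }
}

# 2. Anti-phishing: the settings the guide recommends, keyed by Set-AntiPhishPolicy parameter name
$desired = @{
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = "Quarantine"
    EnableTargetedUserProtection        = $true
    TargetedUserProtectionAction        = "Quarantine"
    EnableTargetedDomainsProtection     = $true
    EnableOrganizationDomainsProtection = $true
    TargetedDomainProtectionAction      = "Quarantine"
    EnableSpoofIntelligence             = $true
}
# Policies created by a preset are read-only, so skip them; everything else is checked for drift
foreach ($p in Get-AntiPhishPolicy | Where-Object Name -notlike "*Preset Security Policy*") {
    $drift = @($desired.Keys | Where-Object { "$($p.$_)" -ne "$($desired[$_])" })
    if ($drift.Count -eq 0) { "$($p.Name): matches recommended anti-phishing settings"; continue }
    Write-Warning "$($p.Name): $($drift -join ', ') differ from recommended values"
    if ($Apply) {
        # Executives to protect are added as "Display Name;user@domain" entries in -TargetedUsersToProtect
        Set-AntiPhishPolicy -Identity $p.Identity @desired
    }
}

# 3. Unified audit log: confirm ingestion is on, then run a small test search.
#    Newly enabled logging can take up to an hour before events appear.
$audit = Get-AdminAuditLogConfig
"UnifiedAuditLogIngestionEnabled: $($audit.UnifiedAuditLogIngestionEnabled)"
if (-not $audit.UnifiedAuditLogIngestionEnabled -and $Apply) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true   # same as "Start recording user and admin activity"
}
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 10 |
    Select-Object CreationDate, UserIds, Operations, RecordType | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

An empty result from the test search on a tenant that reports `UnifiedAuditLogIngestionEnabled: True` is normal within the first hour after enabling; a persistently empty result is the finding to chase.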
3. Data Protection
Configure Data Loss Prevention (DLP) Policies (Medium)
Requires Microsoft Purview (included in Business Premium and above).
- Navigate to compliance.microsoft.com → Data loss prevention
- Start with Microsoft's built-in templates: Financial, Medical, PII
- Begin in Test mode to understand impact before enforcing
- Configure policies to cover Exchange, SharePoint, OneDrive, and Teams
Enable Sensitivity Labels (Medium)
- Create a baseline label taxonomy: Public, Internal, Confidential, Highly Confidential
- Configure auto-labeling policies for known sensitive content types
- Enable labels for Teams, SharePoint, and Office files
- Publish a label policy to all users with default label set to Internal
Review External Sharing Settings (High)
- Go to SharePoint admin center → Policies → Sharing
- Set organization-level sharing to Existing guests or New and existing guests at most
- Disable "Anyone" links or restrict them to specific site collections only
- Set link expiration and require re-authentication for guest access
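The four sharing settings above map to tenant properties in the SharePoint Online Management Shell, which makes them easy to check on a schedule. The script below is an added example, not part of the original guide: it compares the tenant's sharing configuration with the recommendations, lists sites whose own setting still permits "Anyone" links, and, only when `$Apply` is set, applies the corrected values. It assumes the Microsoft.Online.SharePoint.PowerShell module and the SharePoint Administrator role; `contoso` is a placeholder for your tenant name, and the 30/90-day values are illustrative choices, not figures from the guide.

```powershell
# Added example, not part of the original guide: check tenant sharing settings against the
# recommendations and list sites still configured for "Anyone" links. Remediates only if $Apply = $true.
# Requires Microsoft.Online.SharePoint.PowerShell and SharePoint Administrator. "contoso" is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
$Apply = $false

$t = Get-SPOTenant
$findings = @()
# SharingCapability from most to least permissive: ExternalUserAndGuestSharing ("Anyone"),
# ExternalUserSharingOnly ("New and existing guests"), ExistingExternalUserSharingOnly, Disabled
if ($t.SharingCapability -eq "ExternalUserAndGuestSharing") {
    $findings += "Org-level sharing allows Anyone links (SharingCapability=ExternalUserAndGuestSharing)"
}
if ($t.RequireAnonymousLinksExpireInDays -lt 1) {   # -1 means Anyone links never expire
    $findings += "Anyone links have no expiration (RequireAnonymousLinksExpireInDays=$($t.RequireAnonymousLinksExpireInDays))"
}
if (-not $t.EmailAttestationRequired) {
    $findings += "Guests are never asked to re-authenticate (EmailAttestationRequired=False)"
}
if (-not $t.ExternalUserExpirationRequired) {
    $findings += "Guest access to sites never expires (ExternalUserExpirationRequired=False)"
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { "Tenant sharing settings meet the baseline." }

# Sites whose own setting would permit Anyone links. The tenant setting caps what a site can do,
# so these only become exposed if the tenant level is relaxed later; still review each deliberately.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, Title, SharingCapability | Format-Table -AutoSize

if ($Apply) {
    # New and existing guests at most; any site-level Anyone links expire after 30 days;
    # guests re-verify their identity every 30 days; guest access to a site expires after 90 days unless renewed
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
                  -RequireAnonymousLinksExpireInDays 30 `
                  -EmailAttestationRequired $true -EmailAttestationReAuthDays 30 `
                  -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 90
}
Disconnect-SPOService
```

If a business unit genuinely needs Anyone links, keep the tenant at `ExternalUserSharingOnly` and raise only that site with `Set-SPOSite -Identity <url> -SharingCapability ExternalUserAndGuestSharing`, which is the per-site-collection exception the guide describes.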
4. Device Management
Enroll Devices in Intune (Medium)
Intune is included in Business Premium and M365 E3+.
- Configure Auto-enrollment in Intune for Entra-joined devices
- Deploy compliance policies: minimum OS version, BitLocker required, antivirus active
- Create a Conditional Access policy requiring compliant device for access to M365 apps
- Use Windows Autopilot for new device provisioning
Enable Microsoft Defender for Endpoint (High)
Defender for Business is included in Business Premium; enterprise tiers use Defender for Endpoint P1 or P2.
- Onboard devices via Intune or local script
- Enable tamper protection in Defender settings
- Configure attack surface reduction (ASR) rules - start in audit mode
- Review the Vulnerability management dashboard regularly
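Fleet-wide, the items above are pushed through Intune, but on a pilot machine or during a spot check it helps to see the resulting state locally. The script below is an added example, not part of the original guide: run in an elevated PowerShell on a Windows device, it checks that the Defender for Endpoint sensor service is running and tamper protection is on, puts three attack surface reduction rules into audit mode, prints the effective ASR rule state, and reads the audit-mode events that show what each rule would have blocked. The rule GUIDs are Microsoft's published identifiers for the named rules; on an Intune-managed device, policy will overwrite local changes at the next sync.

```powershell
# Added example, not part of the original guide: spot-check one Windows device for MDE sensor,
# tamper protection and ASR rules in audit mode. Run elevated. Intune policy overrides local changes.
# Rule GUIDs are Microsoft's published identifiers for the named ASR rules.
$status = Get-MpComputerStatus
$sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue    # Defender for Endpoint sensor service

[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    TamperProtected    = $status.IsTamperProtected      # turned on in the Defender portal / Intune, not locally
    MdeSensorRunning   = [bool]($sense -and $sense.Status -eq "Running")
    SignatureAgeDays   = $status.AntivirusSignatureAge
} | Format-List

# Three commonly deployed ASR rules; AuditMode records what would have been blocked without blocking it
$asrRules = @{
    "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" = "Block executable content from email client and webmail"
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" = "Block all Office applications from creating child processes"
    "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2" = "Block credential stealing from the Windows LSA subsystem (lsass.exe)"
}
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# Effective rule state. Actions are numeric: 0 Disabled, 1 Block, 2 Audit, 6 Warn
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    $action = switch ([int]$acts[$i]) { 0 { "Disabled" } 1 { "Block" } 2 { "Audit" } 6 { "Warn" } default { "Unknown($_)" } }
    [pscustomobject]@{ RuleId = $ids[$i]; Action = $action; Name = $asrRules[$ids[$i]] }   # hashtable keys are case-insensitive
}

# Audit-mode hits are logged as event 1122 in the Defender operational log (1121 = actually blocked).
# Review these for a few weeks; a rule with no legitimate hits is safe to move from AuditMode to Enabled.
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-Windows Defender/Operational"; Id = 1122 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

The event review is the step that makes "start in audit mode" useful: the 1122 events name the process and file each rule would have stopped, which is what you need to decide whether enforcing the rule will break a line-of-business application.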
5. Monitoring & Ongoing Hygiene
Review Secure Score Monthly (Ongoing)
- Access at security.microsoft.com → Secure Score
- Sort improvement actions by Score impact and work down the list
- Filter by license tier to avoid chasing unavailable improvements
- Target 70–80% as a defensible baseline for most SMBs
Enable Risky Sign-In Alerts (Medium)
- In Entra → Protection → Identity Protection, configure risk policies (requires Entra ID P2)
- For lower license tiers, set up Conditional Access sign-in risk policies
- Subscribe to Microsoft 365 service health and security advisories
- Review the Entra sign-in logs weekly for anomalous patterns
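Both monthly Secure Score review and the weekly risk review above can be driven from Microsoft Graph rather than clicked through. The script below is an added example, not part of the original guide: it fetches the latest Secure Score snapshot, computes the percentage against the 70% baseline, ranks improvement actions by points still available (the portal's "Score impact"), and lists users Identity Protection currently marks as at risk. It assumes the Microsoft.Graph SDK; the risky-user query needs Entra ID P2 and is skipped with a warning on lower tiers.

```powershell
# Added example, not part of the original guide: Secure Score percentage vs the 70-80% target,
# improvement actions ranked by remaining points, and current risky users (Entra ID P2).
# Requires the Microsoft.Graph PowerShell SDK.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Security
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "SecurityEvents.Read.All", "IdentityRiskyUser.Read.All" -NoWelcome

# Secure Score snapshots come back newest first; take the latest one
$score = Get-MgSecuritySecureScore -Top 1 | Select-Object -First 1
$pct = [math]::Round(100 * $score.CurrentScore / $score.MaxScore, 1)
"Secure Score $($score.CreatedDateTime.ToString('yyyy-MM-dd')): $($score.CurrentScore)/$($score.MaxScore) = $pct%"
if ($pct -lt 70) { Write-Warning "Below the 70% baseline the guide recommends for SMBs" }

# Control profiles hold max points, title, service and user impact; controlScores hold what you earn today.
# The portal's "Score impact" is the difference; sort by it and work down the list.
$profiles = @{}
Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profiles[$_.Id] = $_ }
$gaps = foreach ($cs in $score.ControlScores) {
    $p = $profiles[$cs.ControlName]
    if ($p -and $p.MaxScore -gt $cs.Score) {
        [pscustomobject]@{
            Remaining  = [math]::Round($p.MaxScore - $cs.Score, 1)
            Control    = $p.Title
            Service    = $p.Service
            UserImpact = $p.UserImpact
            Tier       = $p.Tier          # Core / Defense in depth / Advanced
        }
    }
}
$gaps | Sort-Object Remaining -Descending | Select-Object -First 15 | Format-Table -AutoSize

# Identity Protection risky users (Entra ID P2). Without P2 the call is denied, so degrade gracefully.
try {
    Get-MgRiskyUser -All |
        Where-Object { $_.RiskState -in @("atRisk", "confirmedCompromised") } |
        Sort-Object RiskLastUpdatedDateTime -Descending |
        Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime | Format-Table -AutoSize
} catch {
    Write-Warning "Risky user query unavailable (Entra ID P2 required): $($_.Exception.Message)"
}
```

Controls that score zero because the feature is not licensed still appear in `$gaps`; that is the list to prune with the license-tier filter the guide mentions, so the remaining items are all actionable.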
Next step: Use the M365 Tenant Review Checklist to validate that these configurations are in place across your environment and to identify any remaining gaps.