Microsoft 365's default security settings are designed for ease of deployment, not security. Out-of-the-box, M365 allows password-only authentication, external sharing of sensitive documents, forwarding of emails to personal accounts, and minimal audit logging. Organizations that deploy M365 without hardening face a 60-80% higher breach risk compared to properly secured tenants. The good news: 15 configuration changes eliminate 90% of common attack vectors and take 4-8 hours to implement.
This guide walks through essential M365 security hardening for small to mid-size businesses (10-500 users). You'll learn exactly what to configure, why it matters, how to implement it without breaking user workflows, and how to verify it's working. These configurations apply to Microsoft 365 Business Premium, E3, and E5 plans.
Why Microsoft 365 Security Matters
Common M365 Attack Vectors
- Credential compromise: 81% of breaches start with stolen or weak passwords. Attackers use phishing, credential stuffing, or password spray attacks to gain initial access to M365 accounts.
- Business email compromise (BEC): Attackers compromise executive email accounts and send wire transfer requests or W-2 requests to finance teams. $43 billion lost globally to BEC attacks in 2021-2023.
- Ransomware via SharePoint/OneDrive: Attackers gain access to M365, sync SharePoint/OneDrive to local machine, encrypt files, and ransomware syncs back to cloud. Recovery requires restoring from version history or backups.
- Data exfiltration: Attackers use compromised accounts to download sensitive files, forward emails to external addresses, or share documents publicly via anonymous links.
- Third-party app abuse: Users grant excessive permissions to third-party OAuth apps that access M365 data. Attackers exploit these apps to read emails, access files, or send messages as the user.
Cost of M365 Breaches
- Direct financial loss: Average ransomware payment: $200K-$2M. BEC wire fraud: $50K-$500K per incident.
- Recovery costs: Forensics, incident response, legal fees, regulatory fines: $50K-$500K for small businesses.
- Operational disruption: 3-21 days of partial or complete business shutdown during recovery. Lost productivity: $100K-$1M.
- Reputational damage: Customer trust erosion, contract losses, insurance premium increases.
Security Hardening Checklist: 15 Critical Configurations
1. Enforce Multi-Factor Authentication (MFA) for All Users
Why It Matters
MFA blocks 99.9% of credential-based attacks. Even if an attacker steals a password, they can't access the account without the second factor (authenticator app, hardware key, or SMS code).
How to Implement
Option A: Per-User MFA (Basic, Works on All Plans)
- Go to Microsoft 365 Admin Center → Users → Active Users
- Click "Multi-factor authentication" link
- Select all users → Bulk update → Enable
- Users will be prompted to set up MFA on next login
Option B: Conditional Access (Recommended, Requires Azure AD P1/P2)
- Go to Azure AD Admin Center → Security → Conditional Access
- Create new policy: "Require MFA for all users"
- Assignments: All users (exclude break-glass admin account)
- Cloud apps: All cloud apps
- Grant: Require multi-factor authentication
- Enable policy
Best Practices
- Use Microsoft Authenticator app (push notifications) instead of SMS (SIM swapping risk)
- Allow hardware security keys (YubiKey, Titan) for high-risk users
- Create break-glass admin account with 16+ character password stored in safe, excluded from MFA
- Monitor sign-in logs for MFA failures (potential attack indicators)
2. Implement Conditional Access Policies
Why It Matters
Conditional Access enforces context-aware security: block risky sign-ins, require compliant devices, restrict access from untrusted locations. Goes beyond MFA to prevent access even when credentials are valid.
Essential Conditional Access Policies
Policy 1: Block Legacy Authentication
- Legacy protocols (POP3, IMAP, SMTP AUTH) don't support MFA
- Attackers exploit legacy auth to bypass MFA
- Block all legacy authentication except for specific service accounts that require it
Policy 2: Require Compliant or Hybrid Azure AD Joined Devices
- Only allow access from company-managed devices registered in Intune or Azure AD
- Prevents BYOD and compromised personal devices from accessing corporate data
- Exemption: Allow from trusted locations (office networks) for guest access
Policy 3: Block High-Risk Sign-Ins (Requires Azure AD P2)
- Azure AD Identity Protection calculates risk score based on anomalous behavior
- Block or require MFA for medium/high risk sign-ins
- Catches credential stuffing, password spray, impossible travel
Policy 4: Require MFA for Admins Always
- Admin accounts are highest-value targets
- Require MFA for all admin roles even if they have device compliance
- Separate policy ensures admins can't be exempted accidentally
Implementation Steps
- Azure AD Admin Center → Security → Conditional Access
- Create policies in "Report-only" mode first
- Monitor impact for 1-2 weeks using CA insights
- Adjust policies to reduce false positives
- Switch to "On" to enforce
3. Configure Email Security: Anti-Phishing, Anti-Malware, Safe Attachments
Why It Matters
Email is the #1 attack vector. 90% of breaches start with phishing. M365's default Exchange Online Protection (EOP) provides basic filtering, but advanced threats require additional configuration.
Anti-Phishing Policy Configuration
- Go to Microsoft 365 Defender → Email & collaboration → Policies & rules → Threat policies
- Select Anti-phishing → Create new policy
- Impersonation protection: Add executive email addresses and high-value domains (your domain, bank, payroll provider). Block emails impersonating these.
- Mailbox intelligence: Enable AI-based detection of unusual sender patterns
- Spoof settings: Enable anti-spoofing, quarantine spoofed emails from domains you own
- Actions: Quarantine suspected phishing (don't just move to Junk — users ignore Junk folder warnings)
Safe Attachments and Safe Links (Defender for Office 365)
Requires Microsoft 365 Business Premium or Defender for Office 365 Plan 1/2:
- Safe Attachments: Detonates attachments in sandbox before delivery. Blocks malicious files (ransomware, trojans, weaponized Office docs).
- Safe Links: Rewrites URLs to check at click-time. Prevents time-delayed phishing attacks where URL becomes malicious after email is delivered.
- Configuration: Microsoft 365 Defender → Policies → Safe Attachments and Safe Links → Enable for all users, block mode
Email Authentication: SPF, DKIM, DMARC
Prevents attackers from spoofing your domain in phishing attacks:
- SPF: Publish SPF record in DNS listing authorized mail servers (include:spf.protection.outlook.com for M365)
- DKIM: Enable DKIM signing in M365, publish DKIM keys in DNS (proves emails from your domain are authentic)
- DMARC: Publish DMARC policy starting with p=none (monitor), move to p=quarantine or p=reject after validating legitimate mail flow
4. Lock Down SharePoint and OneDrive External Sharing
Why It Matters
SharePoint and OneDrive allow external sharing by default. Users create "Anyone with the link" anonymous links that can be accessed without authentication. These links leak via email forwards, accidental Slack posts, and search engine indexing.
Recommended Sharing Configuration
- SharePoint Admin Center → Policies → Sharing
- Organization-level: Set to "New and existing guests" (requires authentication) or "Only people in your organization" (no external sharing)
- Disable "Anyone" links: Uncheck "Anyone" option. Forces all shared links to require authentication.
- Set default link type: "Specific people" instead of "Anyone" or "People in organization". Least-privilege sharing by default.
- Expiration: Set "Anyone" links (if enabled) to expire in 30 days
- External sharing domains: Allow list specific partner domains, block all others
OneDrive-Specific Settings
- Sync restrictions: Allow OneDrive sync only on domain-joined or Intune-managed devices (prevents personal device sync)
- Disable personal account sync: Block users from syncing corporate OneDrive to personal Microsoft accounts
5. Enable Unified Audit Logging and Configure Alerts
Why It Matters
Without audit logging, you're blind to attacker activity. Audit logs capture every action in M365: logins, file access, permission changes, admin actions. Critical for incident response and forensics.
Enable Audit Logging
- Microsoft 365 Compliance Center → Audit
- Turn on audit logging (applies to all users and services)
- Logs retained 90 days (E3/E5), 1 year with Advanced Audit (E5/A5)
- For longer retention: Export logs to SIEM (Azure Sentinel, Splunk) or storage account
Configure Alert Policies
Microsoft 365 Compliance Center → Alerts → Alert policies. Create alerts for:
- Elevation of Exchange admin privileges: Alerts when user is added to admin role (potential attacker privilege escalation)
- Unusual volume of file deletion: 10+ files deleted in 30 minutes (ransomware indicator)
- Unusual volume of external file sharing: Mass sharing to external domains (data exfiltration)
- Forwarding rule created: User creates inbox rule forwarding email to external address (BEC persistence mechanism)
- Malware detected: Email or file with malware blocked by Defender
- Suspicious OAuth app consent: User grants permissions to risky third-party app
6. Implement Data Loss Prevention (DLP) Policies
Why It Matters
DLP prevents accidental or malicious sharing of sensitive data: credit card numbers, SSNs, patient health information, customer data, financial records. Required for compliance (PCI-DSS, HIPAA, GDPR).
Common DLP Policies
Policy 1: Block Sharing of Credit Card Numbers
- Scan emails, SharePoint, OneDrive, Teams for 15-16 digit sequences matching card patterns
- Block external sharing, notify user and compliance team
- Applies to: All users
Policy 2: Protect Personally Identifiable Information (PII)
- Detect SSNs, driver's license numbers, passport numbers
- Restrict sharing outside organization unless explicitly approved
- Applies to: All users except HR (exemption for legitimate use)
Policy 3: Prevent Sharing of Confidential Files
- Detect files labeled "Confidential" via sensitivity labels
- Block external sharing, require justification for internal sharing
- Applies to: All users
Implementation Steps
- Microsoft 365 Compliance Center → Data loss prevention → Policies
- Create policy, choose template (Financial data, Privacy, Custom)
- Define locations: Exchange, SharePoint, OneDrive, Teams, Devices
- Configure conditions (content contains X, shared with external, etc.)
- Define actions: Block, encrypt, alert only, require justification
- Start in "Test mode with policy tips" for 2-4 weeks
- Review incidents, tune to reduce false positives
- Switch to enforcement mode
7. Configure Password Policies and Ban Common Passwords
Why It Matters
Default M365 password policy allows weak passwords. Users choose "Summer2026!", "Company123!", "Password1!". Attackers use password spray attacks with common passwords to gain access.
Modern Password Policy Configuration
- Azure AD Admin Center → Security → Authentication methods → Password protection
- Enable custom banned password list: Add company name, product names, common local terms (city name, sports team). Azure AD blocks passwords containing these terms.
- Enforce on password reset: Users can't reset to banned passwords
- Smart lockout: Configure to lock accounts after 5 failed sign-in attempts for 60 seconds (prevents password spray)
- Don't require periodic password changes: Modern guidance (NIST) says frequent changes lead to weaker passwords. Only require change if compromise suspected.
8. Restrict Third-Party App Permissions
Why It Matters
Users grant OAuth permissions to third-party apps that access M365 data. Malicious apps use phishing to trick users into granting excessive permissions (read all email, access all files). These apps persist even after password changes.
App Consent Configuration
- Azure AD Admin Center → Enterprise applications → Consent and permissions
- User consent settings: "Do not allow user consent" or "Allow user consent for apps from verified publishers, for selected permissions"
- Admin consent workflow: Enable admin consent requests. Users request admin approval for apps, IT reviews before granting.
- App permissions policies: Block high-risk permissions (read all user mail, send mail as user) from user consent
Review Existing App Permissions
- Azure AD Admin Center → Enterprise applications → All applications
- Review apps with high-risk permissions
- Remove unused apps or overly permissive apps
- Quarterly audit of OAuth apps and permissions
9. Enable Microsoft Defender for Cloud Apps (MCAS)
Why It Matters
Defender for Cloud Apps (formerly Cloud App Security) provides real-time monitoring, anomaly detection, and threat protection across M365 and third-party cloud apps. Detects compromised accounts, unusual behavior, shadow IT.
Key MCAS Capabilities
- Session monitoring: Real-time monitoring of user activity, block risky actions (mass download, share to competitor domain)
- Anomaly detection: Machine learning identifies unusual behavior (login from new country, unusual file download volume, impossible travel)
- App governance: Discover and control third-party OAuth apps
- Conditional Access integration: Enforce session-level controls based on risk (allow read-only access from unmanaged devices)
Configuration
- Microsoft 365 Defender → Cloud Apps
- Connect M365 apps (automatic for E5, requires license for E3)
- Enable anomaly detection policies (impossible travel, suspicious inbox forwarding)
- Configure session policies for high-risk scenarios
10. Implement Privileged Access Management
Why It Matters
Admin accounts are prime targets. Attackers compromise admin credentials to deploy ransomware, create backdoor accounts, or exfiltrate all company data. Privileged Access Management (PAM) implements just-in-time admin access with approval workflows.
Best Practices for Admin Accounts
- Separate admin accounts: Admins should have two accounts — standard user account for daily work, separate admin account for admin tasks only
- Cloud-only admin accounts: Admin accounts should not sync from on-prem AD (prevents lateral movement from on-prem to cloud)
- Limit global admins: Maximum 3-5 global admin accounts. Use role-based admin instead (Exchange admin, SharePoint admin, etc.)
- Require hardware MFA for admins: FIDO2 security keys, not SMS or authenticator app
Azure AD Privileged Identity Management (PIM)
Requires Azure AD P2 or Microsoft 365 E5:
- Just-in-time access: Users request admin role elevation, approved by another admin, role granted for 1-8 hours, automatically removed
- Approval workflow: High-risk roles (Global Admin) require approval and justification
- Audit and alerts: All admin role activations logged, alerts sent to security team
- Configuration: Azure AD → Privileged Identity Management → Azure AD roles → Configure roles for JIT access
11. Configure Mobile Device Management (MDM) with Intune
Why It Matters
Mobile devices (phones, tablets) access corporate email and files. Lost or stolen devices, compromised personal devices, and unpatched devices create security risks. MDM enforces security baselines and enables remote wipe.
Intune Configuration for iOS and Android
- Enrollment: Require device enrollment to access M365 apps (Outlook, OneDrive, Teams)
- Compliance policies: Require passcode, encryption, OS version, jailbreak/root detection
- App protection policies: Prevent copy/paste from corporate apps to personal apps, require PIN to access corporate data, disable save-as to personal storage
- Conditional Access integration: Block non-compliant devices from accessing M365
- Remote wipe: IT can remotely wipe corporate data from lost/stolen devices
12. Enable Microsoft Defender for Endpoint (EDR)
Why It Matters
Antivirus is not enough. Modern attacks use fileless malware, living-off-the-land techniques, and zero-day exploits. Endpoint Detection and Response (EDR) detects and responds to advanced threats in real-time.
Defender for Endpoint Capabilities
- Next-gen antivirus: Machine learning-based malware detection
- Attack surface reduction: Block Office macros, script execution, credential theft
- Behavioral detection: Identify ransomware behavior (mass file encryption), credential dumping, lateral movement
- Automated investigation and remediation: AI investigates alerts, isolates compromised devices, remediates threats
- Threat hunting: Advanced query language to search for indicators of compromise across all endpoints
Configuration
- Onboard devices to Defender for Endpoint (automatic with Intune or manual deployment)
- Configure attack surface reduction rules (Microsoft 365 Defender → Settings → Endpoints)
- Enable automated investigation and remediation (full or semi-automated)
- Integrate with Defender for Cloud Apps and Azure AD for unified security monitoring
13. Implement Information Protection and Sensitivity Labels
Why It Matters
Not all data is equally sensitive. Sensitivity labels classify data (Public, Internal, Confidential, Highly Confidential) and automatically apply protection (encryption, watermarks, access restrictions).
Sensitivity Label Configuration
- Microsoft 365 Compliance Center → Information protection → Labels
- Create label taxonomy:
- Public: No restrictions
- Internal: Company employees only
- Confidential: Specific departments/teams only
- Highly Confidential: Named individuals only, encrypted
- Configure protection settings: Encryption, watermarks, prevent copy/print, block external sharing
- Publish labels: Make available to users in Office apps (Word, Excel, Outlook, PowerPoint)
- Auto-labeling: Automatically apply labels based on content (files with SSN = Confidential, files with "Board Materials" = Highly Confidential)
14. Configure Secure Email Flow and Mail Flow Rules
Why It Matters
Mail flow rules (transport rules) enforce email policies: block certain attachments, encrypt sensitive emails, prevent accidental external sends, add disclaimers.
Essential Mail Flow Rules
Rule 1: Block Dangerous Attachments
- Block .exe, .bat, .cmd, .scr, .vbs, .js, .jar extensions inbound and outbound
- Prevents malware delivery via email
Rule 2: Encrypt Emails with Sensitive Keywords
- If subject or body contains "SSN", "confidential", "bank account", apply encryption
- Prevents accidental plaintext transmission of sensitive data
Rule 3: Warn on External Email
- Prepend "[EXTERNAL]" to subject line of all emails from outside organization
- Reduces phishing success (users recognize external emails)
Rule 4: Block Forwarding to Consumer Email
- Block or alert when emails forwarded to Gmail, Yahoo, Hotmail
- Prevents data exfiltration via email forwarding
Configuration
- Exchange Admin Center → Mail flow → Rules
- Create rules with conditions and actions
- Test in audit mode before enforcing
15. Regular Security Assessment and Monitoring
Microsoft Secure Score
Microsoft 365 Defender → Secure Score. Provides security posture score (0-100%) with recommended improvement actions:
- Review weekly, implement high-impact recommendations first
- Target score: 70%+ for small businesses, 85%+ for regulated industries
- Track score over time to measure security improvement
Regular Security Reviews
- Weekly: Review alert emails, check for suspicious sign-ins, review high-risk incidents
- Monthly: Review Secure Score and implement 1-2 recommendations, audit admin role assignments, review OAuth app permissions
- Quarterly: Full security assessment, penetration test or tabletop exercise, review and update security policies
- Annually: Third-party security audit, compliance certification (SOC 2, ISO 27001), disaster recovery test
Implementation Roadmap
Phase 1: Quick Wins (Week 1-2, 4-8 hours)
- Enable MFA for all users
- Turn on audit logging
- Configure basic email security (anti-phishing, anti-malware)
- Restrict SharePoint external sharing
- Create alert policies for critical events
Phase 2: Foundational Security (Week 3-6, 12-20 hours)
- Implement Conditional Access policies
- Configure password protection and banned passwords
- Set up DLP policies (start in test mode)
- Restrict third-party app permissions
- Configure mail flow rules
- Review and reduce admin role assignments
Phase 3: Advanced Protection (Week 7-12, 20-40 hours)
- Deploy Intune and enforce device compliance
- Implement sensitivity labels and auto-labeling
- Enable Defender for Cloud Apps
- Deploy Defender for Endpoint to all devices
- Configure Privileged Identity Management (if E5)
- Tune DLP policies and move to enforcement
Phase 4: Optimization and Maintenance (Ongoing)
- Monitor Secure Score and implement recommendations
- Review security alerts and incidents weekly
- Conduct monthly security reviews
- Quarterly security assessments and policy updates
- Annual third-party audit
Common Mistakes to Avoid
1. Enabling MFA but Not Blocking Legacy Authentication
MFA doesn't protect legacy protocols. Attackers bypass MFA by using legacy auth. Always block legacy authentication when enabling MFA.
2. Setting Policies Too Restrictively Without Testing
Overly restrictive policies break legitimate workflows and cause user rebellion. Always test in report-only or audit mode first, gather feedback, tune, then enforce.
3. Not Excluding Break-Glass Accounts from MFA/Conditional Access
If you lock yourself out (MFA server down, Conditional Access misconfigured), you need a break-glass admin account to fix it. Exclude one cloud-only global admin from all policies, store password in physical safe.
4. Ignoring User Training
Technical controls only go so far. Users need to recognize phishing, understand why security matters, and know how to report suspicious activity. Quarterly security awareness training is essential.
5. Failing to Monitor and Respond to Alerts
Configuring alerts is useless if no one reviews them. Assign responsibility: who reviews alerts daily? What's the escalation path for critical incidents? Document and test incident response procedures.
Cost of Implementation
Licensing Requirements
- Basic security (MFA, email protection, SharePoint hardening):Included in all M365 plans
- Conditional Access: Requires Azure AD P1 (included in Microsoft 365 Business Premium, E3, E5)
- Advanced email security (Safe Attachments, Safe Links): Requires Defender for Office 365 (included in Business Premium, E5, or standalone add-on)
- DLP, sensitivity labels, MCAS: Included in E3/E5/Business Premium
- Defender for Endpoint: Standalone license or included in Microsoft 365 E5/A5
- PIM: Requires Azure AD P2 (included in E5/A5)
Labor Costs
- Internal implementation: 40-80 hours for phases 1-3 (4-8 hours per week over 3 months)
- External consultant: $5,000-$15,000 for complete implementation and configuration
- Ongoing maintenance: 2-4 hours per week (monitoring, incident response, policy updates)
Measuring Success
Key Metrics
- Microsoft Secure Score: Target 70%+ (small business), 85%+ (regulated industries)
- MFA adoption: Target 100% of users
- Blocked sign-ins: Track high-risk sign-ins blocked by Conditional Access
- Phishing catch rate: % of phishing emails blocked before reaching user
- DLP incidents: Number of policy violations (should decrease over time as users learn)
- Time to detect/respond: How long from alert to remediation
Conclusion
Microsoft 365 security hardening is not optional. Out-of-the-box M365 leaves you vulnerable to credential theft, phishing, ransomware, and data breaches. The 15 configurations in this guide eliminate 90% of common attack vectors and take 40-80 hours to implement fully.
Start with phase 1 quick wins (MFA, audit logging, email security, SharePoint hardening) in week 1. These alone prevent the majority of breaches and take less than one day to implement. Then systematically work through phases 2 and 3 over the next 2-3 months.
Security is not a one-time project. It's an ongoing process of monitoring, tuning, and improving. Commit to weekly alert reviews, monthly policy updates, and quarterly security assessments. The organizations that treat security as continuous practice rather than checkbox compliance are the ones that stay protected.
Need Help Securing Your Microsoft 365 Environment?
Ez IT Expert provides complete Microsoft 365 security assessments and hardening services for small and mid-market businesses. We implement all 15 configurations in this guide, conduct security testing, provide documentation and training, and set up ongoing monitoring. Our clients achieve 70-85% Secure Score within 60-90 days and significantly reduce breach risk.
Schedule a Free M365 Security Assessment →