Microsoft 365 Security: Hardening Your Business Tenant

Microsoft 365 comes with significant security capabilities, but most tenants are not configured to use them. This guide covers the essential security hardening steps for UK businesses — from MFA and conditional access to Defender configuration, DLP and secure defaults — across all plan tiers.

Nathan Hill-Haimes

Technical Director

10 min read·Mar 2026

Why Microsoft 365 Security Configuration Matters

A Microsoft 365 subscription is not secure by default — it is secure by configuration. Many of the controls that meaningfully reduce breach risk are available to all paid plan tiers but are not switched on out of the box. Businesses that deploy Microsoft 365 without applying security hardening are exposed to account compromise, data exfiltration, ransomware and phishing — regardless of which plan they're on.

The UK's National Cyber Security Centre (NCSC) consistently identifies compromised credentials and misconfigured cloud services as the primary cause of business email compromise (BEC) and ransomware incidents. Most of the controls in this guide directly address those two attack vectors.

1. Enable Multi-Factor Authentication for All Users

MFA is the single most impactful security control in Microsoft 365. It prevents a stolen or guessed password from being sufficient to access an account. Microsoft's own data indicates that MFA blocks over 99% of account compromise attacks.

For tenants on Business Basic or Standard (without Azure AD Premium P1), enable Security Defaults in Azure Active Directory. Security Defaults enforces MFA registration for all users and requires MFA at sign-in using the Microsoft Authenticator app. It is free and can be enabled in minutes.

For Business Premium and Enterprise tenants, implement Conditional Access policies instead of Security Defaults. Conditional access provides more granular control — requiring MFA when signing in from outside the office, blocking access from specific locations or non-compliant devices, and requiring stronger authentication for admin accounts.

Enforce Authenticator app-based MFA rather than SMS. SMS MFA is vulnerable to SIM-swapping attacks; Authenticator app push notifications with number matching are significantly more phishing-resistant.

2. Protect Admin Accounts

Global Administrator accounts have unrestricted access to your entire Microsoft 365 environment. They should be treated as high-value targets:

  • Use dedicated admin accounts — separate from day-to-day user accounts — for administrative tasks
  • Enable MFA specifically for all admin roles (Conditional Access policies targeting admin roles)
  • Enable Privileged Identity Management (PIM) if you have Azure AD Premium P2 or E5 — this restricts admin roles to just-in-time elevation rather than permanent assignment
  • Minimise the number of Global Administrators. Most admin tasks don't require Global Admin — use least-privilege roles (Exchange Admin, SharePoint Admin, etc.) instead
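The two Conditional Access policies described in sections 1 and 2 can be expressed as Microsoft Graph `conditionalAccessPolicy` request bodies before they are ever created in the tenant. The following Python is an added example, not code from the article or from AMVIA: it builds the "MFA for all users" and "MFA for admin roles" policies in report-only mode and runs a pre-deployment check for the classic lock-out mistakes (no excluded emergency-access account, enforcing before reviewing report-only results). The `state`, `clientAppTypes` and `builtInControls` values are real Graph schema values and the Global Administrator role template ID is the fixed Entra ID value; the break-glass account ID is a placeholder you must replace.

```python
import json

REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph conditionalAccessPolicy 'state' value

# Placeholder (not from the article): object ID of your emergency-access ("break glass") account.
BREAK_GLASS_ACCOUNT_ID = "00000000-0000-0000-0000-000000000001"
# Directory role template ID for Global Administrator (a fixed, well-known Entra ID value).
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"


def _policy(name, users, grant, state):
    """Shared skeleton in the Microsoft Graph conditionalAccessPolicy schema."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": users,
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": grant},
    }


def require_mfa_all_users(exclude_user_ids, state=REPORT_ONLY):
    """Section 1: MFA for every user on every cloud app, the Conditional Access
    counterpart of the MFA requirement Security Defaults applies."""
    return _policy("CA001 - Require MFA for all users",
                   {"includeUsers": ["All"], "excludeUsers": list(exclude_user_ids)},
                   ["mfa"], state)


def require_mfa_admin_roles(role_template_ids, exclude_user_ids, state=REPORT_ONLY):
    """Section 2: MFA scoped to holders of the listed directory roles,
    regardless of location or device."""
    return _policy("CA002 - Require MFA for admin roles",
                   {"includeRoles": list(role_template_ids), "excludeUsers": list(exclude_user_ids)},
                   ["mfa"], state)


def lockout_risks(policy, break_glass_id):
    """Pre-deployment check: reasons this policy could lock administrators out of the tenant."""
    risks = []
    if break_glass_id not in policy["conditions"]["users"].get("excludeUsers", []):
        risks.append("emergency-access account is not excluded")
    if policy["state"] != REPORT_ONLY:
        risks.append("policy is enforced rather than report-only; review report-only sign-in results first")
    return risks


def build_baseline(break_glass_id):
    """The two policies from sections 1 and 2, both excluding the emergency-access account."""
    return [
        require_mfa_all_users([break_glass_id]),
        require_mfa_admin_roles([GLOBAL_ADMIN_ROLE], [break_glass_id]),
    ]


if __name__ == "__main__":
    for p in build_baseline(BREAK_GLASS_ACCOUNT_ID):
        print(json.dumps(p, indent=2))
        print("risks:", lockout_risks(p, BREAK_GLASS_ACCOUNT_ID) or "none")
```

Each body is what you would POST to `/identity/conditionalAccess/policies` (or pass to the Graph PowerShell module) once the checks come back clean; add further role template IDs to `require_mfa_admin_roles` for Exchange, SharePoint and other least-privilege admin roles.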

3. Configure Microsoft Defender for Office 365

Exchange Online includes basic anti-spam and anti-malware filtering by default. For meaningful protection against phishing and malicious attachments, configure:

  • Safe Attachments (Business Premium / Defender for Office 365 Plan 1) — sandboxes email attachments before delivery, blocking malware that bypasses signature-based detection
  • Safe Links — rewrites URLs in emails and Teams messages, checking them at click time against Microsoft's threat intelligence
  • Anti-phishing policy — enable impersonation protection to detect emails spoofing your own domain or senior staff names
  • DKIM and DMARC — configure these DNS records to prevent spoofing of your domain and to receive reports on unauthorised sending
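Having the DNS records is only half of the DKIM/DMARC item above; the records also have to say something useful. The Python below is an added example (not from the article) that checks published TXT records offline: it grades a DMARC record (monitoring-only `p=none`, missing `rua=` reporting address, partial `pct=`, weak subdomain policy), grades the SPF record DMARC aligns against (going beyond the article's DKIM/DMARC pair, since SPF is the other DMARC alignment source), and confirms that a Microsoft 365 DKIM CNAME points at the tenant's expected target. The sample records and the `contoso` tenant name are constructed for the example.

```python
import re

# Constructed sample records for a fictional tenant.
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100; adkim=s; aspf=s"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"


def parse_tags(record):
    """Split a 'k=v; k=v' TXT record into a dict (keys lower-cased, values stripped)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of weaknesses in a DMARC record; an empty list means it is fully enforcing."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once aggregate reports are clean")
    if "rua" not in tags:
        findings.append("no rua= address; reports on unauthorised sending will not arrive")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    return findings


def assess_spf(record):
    """Return a list of weaknesses in an SPF record (terminal 'all' qualifier, lookup limit)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    all_term = next((t.lower() for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are neither failed nor soft-failed")
    elif all_term in ("all", "+all"):
        findings.append("+all authorises every sender; SPF provides no protection")
    elif all_term == "?all":
        findings.append("?all is neutral; treat as no protection")
    elif all_term == "~all":
        findings.append("~all softfail: works with DMARC, but -all is stronger")
    # RFC 7208 caps DNS-querying terms at 10; exceeding it yields a permerror.
    lookups = sum(1 for t in terms if re.match(r"^[+\-~?]?(include:|exists:|redirect=|ptr\b|a\b|mx\b)", t, re.I))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10; SPF will permerror")
    return findings


def expected_dkim_target(domain, selector, tenant):
    """Microsoft 365 publishes DKIM keys under <selector>-<domain-with-dashes>._domainkey.<tenant>.onmicrosoft.com."""
    return f"{selector}-{domain.replace('.', '-')}._domainkey.{tenant}.onmicrosoft.com"


def assess_dkim_cname(domain, selector, cname_target, tenant):
    """Return a finding if the published CNAME does not point at the tenant's expected DKIM host."""
    expected = expected_dkim_target(domain, selector, tenant)
    if cname_target.rstrip(".").lower() != expected.lower():
        return [f"{selector}._domainkey.{domain} points at {cname_target}, expected {expected}"]
    return []


if __name__ == "__main__":
    for label, rec in (("DMARC", GOOD_DMARC), ("DMARC", WEAK_DMARC), ("SPF", GOOD_SPF), ("SPF", WEAK_SPF)):
        check = assess_dmarc if label == "DMARC" else assess_spf
        print(label, rec, "->", check(rec) or "ok")
    print(assess_dkim_cname("example.com", "selector1",
                            "selector1-example-com._domainkey.contoso.onmicrosoft.com", "contoso") or "dkim ok")
```

Feed the functions the TXT and CNAME values returned by your resolver (`dig TXT _dmarc.yourdomain`, `dig TXT yourdomain`, `dig CNAME selector1._domainkey.yourdomain`); a record that passes all three checks is the end state the article's DKIM and DMARC bullet is aiming for.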

4. Block Legacy Authentication

Legacy authentication protocols (Basic Auth, IMAP, POP3 without modern auth) bypass MFA entirely. Accounts using legacy authentication cannot be protected by conditional access. Block legacy authentication using Conditional Access policies — this is one of the most impactful single controls for reducing account compromise risk.

Check that your email clients support Modern Authentication before blocking legacy auth. Outlook 2013 and later on Windows supports modern auth; older Outlook versions or some mobile mail clients may not. The Microsoft 365 Admin Centre's Usage reports show which clients are connecting via legacy protocols.
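The "check before you block" step above is easiest to do against the sign-in log itself rather than the Usage reports: the Entra ID sign-in record carries a `clientAppUsed` field, and only `Browser` and `Mobile Apps and Desktop clients` denote modern authentication. The Python below is an added example, not the article's or AMVIA's code. It reads sign-in records exported in the Microsoft Graph `signIn` shape (the six records here are constructed), separates successful legacy sign-ins (clients that will break when the block lands) from failed ones (usually credential-guessing noise that the block will silence), and then emits the blocking Conditional Access policy in report-only mode so its impact can be confirmed in the same log before enforcement.

```python
import json
from collections import Counter, defaultdict

# Constructed sign-in records in the shape of the Microsoft Graph signIn resource (NDJSON).
SAMPLE_SIGNINS = """
{"createdDateTime": "2026-03-02T08:14:02Z", "userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"createdDateTime": "2026-03-02T08:15:40Z", "userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"createdDateTime": "2026-03-02T08:16:11Z", "userPrincipalName": "bob@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
{"createdDateTime": "2026-03-02T09:02:57Z", "userPrincipalName": "carol@example.com", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}}
{"createdDateTime": "2026-03-02T09:30:13Z", "userPrincipalName": "dave@example.com", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 50126}}
{"createdDateTime": "2026-03-02T09:30:15Z", "userPrincipalName": "dave@example.com", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 50126}}
"""

# Modern-auth clients appear under these two labels; every other clientAppUsed value
# (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, Other clients, ...) is legacy.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}


def is_legacy(record):
    return record.get("clientAppUsed", "Other clients") not in MODERN_CLIENT_APPS


def legacy_auth_report(ndjson):
    """Who would break if legacy auth were blocked, and how much failed legacy traffic exists."""
    successful = defaultdict(Counter)   # user -> legacy client app -> successful sign-ins
    failed = Counter()                  # legacy client app -> failed attempts
    for line in ndjson.strip().splitlines():
        rec = json.loads(line)
        if not is_legacy(rec):
            continue
        app = rec["clientAppUsed"]
        if rec.get("status", {}).get("errorCode", 0) == 0:
            successful[rec["userPrincipalName"]][app] += 1
        else:
            failed[app] += 1
    return {
        "affected_users": {user: dict(apps) for user, apps in successful.items()},
        "failed_legacy_attempts": sum(failed.values()),
        "failed_by_client": dict(failed),
    }


def block_legacy_auth_policy(exclude_user_ids=(), state="enabledForReportingButNotEnforced"):
    """Graph conditionalAccessPolicy body blocking both legacy client-app categories.
    Deploy report-only first; switch state to 'enabled' once the report above is empty."""
    return {
        "displayName": "CA003 - Block legacy authentication",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    print(json.dumps(legacy_auth_report(SAMPLE_SIGNINS), indent=2))
    print(json.dumps(block_legacy_auth_policy(), indent=2))
```

In the constructed sample, bob (IMAP4) and carol (Exchange ActiveSync) need a modern-auth client before the policy is enforced, while dave's failed SMTP attempts are exactly the traffic the block is meant to stop. Replace `SAMPLE_SIGNINS` with an export of your own sign-in log (the Graph `auditLogs/signIns` endpoint returns the same field names).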

5. Configure Data Loss Prevention (DLP)

DLP policies (available on Business Premium and above via Microsoft Purview) scan emails and documents for sensitive content patterns — card numbers, National Insurance numbers, health data, financial data — and can block or warn when sensitive content is sent externally.

Starting DLP in audit-only mode first is recommended. This allows you to see what sensitive content is moving without risking legitimate business communications being blocked. Once you understand the patterns, enable enforcement for the highest-risk scenarios first.
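To make the audit-first advice concrete, the Python below is an added example (not Purview code, and not from the article) that mimics what a DLP policy does with two of the UK sensitive information types the section names: it finds candidate card numbers and validates them with the Luhn checksum so that order or phone numbers do not trigger it, matches the UK National Insurance number format including HMRC's disallowed prefix letters, and then applies the same rule in `audit` and `enforce` mode against constructed messages, so the difference (log versus block, and only for external recipients) is visible. The tenant domain and all messages are constructed.

```python
import re

INTERNAL_DOMAIN = "example.com"   # constructed: the tenant's own domain

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# UK National Insurance number: two prefix letters, six digits, suffix A-D.
# First letter cannot be D, F, I, Q, U or V; second letter additionally cannot be O.
NINO_RE = re.compile(r"\b([A-CEGHJ-PR-TW-Z])([A-CEGHJ-NPR-TW-Z]) ?\d{2} ?\d{2} ?\d{2} ?([A-D])\b")
INVALID_NINO_PREFIXES = {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}

# Constructed messages: recipients plus body text.
MESSAGES = {
    "internal_card": {"to": ["finance@example.com"], "body": "Card on file: 4111 1111 1111 1111, exp 09/27"},
    "external_card": {"to": ["supplier@partner.example"], "body": "Please charge 4111-1111-1111-1111 for invoice 2231"},
    "external_nino": {"to": ["payroll@bureau.example"], "body": "New starter NI number AB 12 34 56 C"},
    "external_clean": {"to": ["supplier@partner.example"], "body": "Ref 4111 1111 1111 1112 is our PO number"},
}


def luhn_ok(digits):
    """Luhn checksum over a digit string: separates real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text):
    """Return (type, matched_text) findings for payment cards and UK NI numbers."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("payment_card", m.group()))
    for m in NINO_RE.finditer(text):
        if (m.group(1) + m.group(2)).upper() not in INVALID_NINO_PREFIXES:
            findings.append(("uk_nino", m.group()))
    return findings


def evaluate(message, mode):
    """mode='audit' records matches without blocking; mode='enforce' blocks external sends."""
    findings = scan(message["body"])
    external = [r for r in message["to"] if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if not findings or not external:
        action = "allow"
    elif mode == "enforce":
        action = "block"
    else:
        action = "audit"
    return {"action": action, "external_recipients": external, "findings": findings}


def run_all(mode):
    """Decision per constructed message for the given mode."""
    return {name: evaluate(msg, mode)["action"] for name, msg in MESSAGES.items()}


if __name__ == "__main__":
    for mode in ("audit", "enforce"):
        print(mode, run_all(mode))
```

Running the audit pass first shows which messages would have been blocked (`external_card`, `external_nino`) without blocking anything; only after that pattern review does switching `mode` to `enforce` make sense, which is the sequencing the section recommends.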

6. Manage External Sharing

By default, Microsoft 365 allows users to share SharePoint files and Teams resources with external parties using any email address. This is a common source of unintentional data exposure. Review and configure external sharing settings in the SharePoint Admin Centre:

  • Consider restricting sharing to authenticated external users only (requiring a Microsoft account to access shared content)
  • Enable link expiry for anonymous sharing links
  • Limit sharing to specific approved external domains where appropriate

7. Enable Unified Audit Logging

Microsoft 365's Unified Audit Log captures a comprehensive record of user and admin activity across Exchange, SharePoint, Teams, OneDrive and Azure AD. This log is essential for incident investigation and is a requirement for many compliance frameworks.

Audit logging is turned on by default in most tenants but check it explicitly. Log retention is 90 days on Business plans; E5 or the Advanced Audit add-on extends this to 1 year or 10 years.

8. Implement Secure Score Recommendations

Microsoft Secure Score (accessible from security.microsoft.com) provides a scored view of your tenant's security posture based on the controls you've implemented, alongside prioritised recommendations for improvement. It's an excellent starting point for identifying the highest-impact actions remaining.

AMVIA conducts Microsoft 365 security assessments for UK businesses, identifying configuration gaps and implementing hardening measures. If your business hasn't reviewed its Microsoft 365 security configuration, this is a high-priority task.

Is Your Microsoft 365 Tenant Properly Secured?

AMVIA performs Microsoft 365 security assessments and configuration hardening for UK businesses. Most tenants have significant gaps that can be closed quickly.

Frequently Asked Questions