Microsoft 365 is bought in a few minutes, but the default configuration is designed so that everything works, not so that everything is secure. In the cases we handle, the compromise of a company environment usually does not result from some sophisticated attack, but from details left on their default settings. This guide is a practical order of actions that raises the bar for an attacker without making work harder for people.
Start with identity, not antivirus
In the cloud, the account is the new network perimeter. There is no wall around the server room, but there is a login that opens email, files and applications from anywhere. That is why the first front is identity.
- Turn on MFA for everyone, with no exceptions for the board and administrators.
- Block legacy authentication, that is old protocols such as IMAP, POP3 and SMTP AUTH, which do not understand MFA at all.
- Set up separate administrative accounts, kept apart from the accounts used for daily work and email.
- Clean up dormant accounts and those of former employees, because an active account of someone who has left is a ready point of entry.
In most incidents on Microsoft 365 the attacker did not crack passwords by force. They came in from the side: through an old protocol, a stolen session token or an account that should long have been disabled.
Conditional access as a decision, not a gate
MFA alone answers the question of whether it is you. Conditional access in Entra ID answers the question of whether you are allowed in under these conditions. It is a difference that closes off a whole class of attacks.
The policies we roll out first:
- A requirement for a compliant, managed device for access to company data.
- Blocking or extra verification when signing in from an unusual country.
- A response to elevated sign-in risk, when Microsoft flags anomalies.
- Phishing-resistant MFA methods for administrators: FIDO2 keys or Windows Hello instead of SMS codes.
Order in Entra ID decides whether these policies have anything to rest on. Without a clean base of accounts even a good rule will be full of holes.
Visibility after sign-in
The best sign-in policy will not catch everything. You need a layer that observes what is already happening inside the environment. Microsoft Defender gives that visibility in several places at once.
- Defender for Office 365 filters phishing and malicious attachments before they reach the mailbox.
- Defender for Cloud Apps catches unusual account behaviour, for example mass file downloads or silent mail forwarding rules.
- Alerts should be routed to a person or team that actually reacts to them, rather than just collecting them in a mailbox.
A silent mail forwarding rule set up on a board member’s mailbox is a classic symptom of account takeover. MFA alone will not see it, Defender will.
Email and file sharing
Two areas where companies most often open the door themselves are mail rules and sharing in SharePoint and OneDrive.
- Disable the ability to automatically forward mail externally, apart from exceptions approved manually.
- Set up SPF, DKIM and DMARC, so the company’s mail does not land in spam and is harder to spoof.
- Limit sharing files by anonymous links, and set expiry dates on the links you do share.
- Turn on sensitivity labels for sensitive documents, if the plan allows it.
Backup is not the same as Microsoft
The most common misunderstanding: a company assumes that because the data is in the Microsoft cloud, it is automatically protected. Microsoft is responsible for the availability of the service, but you are responsible for your data. The deleted items bin has a time limit, and ransomware or an employee’s mistake can wipe mailboxes and files before anyone reacts. An independent Microsoft 365 backup is a condition of really being able to restore data.
Endpoints
A secure environment on an insecure laptop is an illusion. Managing devices through Intune lets you enforce disk encryption, an up-to-date system and blocking access from computers that do not meet policy. Only then does the compliant-device condition in conditional access make sense.
The order that works
If you are starting from scratch, this sequence works well:
- MFA for everyone and blocking legacy authentication.
- Basic conditional access policies based on device and risk.
- Order in the administrative and privileged accounts.
- Turning on and configuring Defender and responding to alerts.
- Email hygiene, DMARC and control over file sharing.
- An independent backup and device management.
Each of these steps closes a specific attack route on its own. Together they turn the environment from an open door into a target that, for most attackers, simply is not worth attacking.
What next
Securing Microsoft 365 is not a one-off project, but a state you have to maintain. If you want to go through this list in your own environment and set everything up for the specifics of your company, we will help you put the whole thing in order, from the Microsoft 365 deployment through to identity and protection. A good start is a short conversation about what actually protects your accounts today and what only looks like protection.