Microsoft 365 is the backbone of a lot of modern organisations, but too many of them are leaving the door wide open without realising it. The good news? Several of the most impactful security improvements will cost no more than you’re currently paying and can be done in an afternoon.
Here's what we recommend you tackle first.
1. Enable MFA And Make It Stronger
Multi-factor authentication is the single most effective way to prevent account takeover. If you're already using it, great, but it’s worth taking it a little further. Most organisations still allow SMS and phone calls as MFA methods, which are vulnerable to SIM-swapping attacks. Go into Entra ID > Authentication methods and disable these in favour of the Microsoft Authenticator app. Better still, push passwordless authentication using Windows Hello for Business.
While you're there, it’s also a good idea to enable the "Remember MFA on trusted devices" option and set it to 90 days. This will significantly reduce user friction without reducing security.
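As an added example (not part of the original post), the same change made from the Microsoft Graph PowerShell SDK: it lists every method in the tenant-wide Authentication methods policy, refuses to continue unless Microsoft Authenticator is already enabled, and only then disables SMS and voice. It assumes the tenant has migrated to the Authentication methods policy; the "remember MFA on trusted devices" setting is a legacy per-user MFA portal option and is not covered here.

```powershell
# Requires the Microsoft.Graph module and an Authentication Policy Administrator (or higher).
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

# Current state of every method in the tenant-wide Authentication methods policy.
$methods = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration
$methods | Select-Object Id, State | Format-Table -AutoSize

# Guard rail: removing SMS/voice while the app-based method is still off would lock out
# anyone who has registered nothing else.
$authenticator = $methods | Where-Object Id -eq 'MicrosoftAuthenticator'
if ($authenticator.State -ne 'enabled') {
    throw "Enable Microsoft Authenticator before disabling SMS and voice."
}

# Each method carries its own @odata.type; the Id values are the ones Graph uses.
$toDisable = @{
    Sms   = '#microsoft.graph.smsAuthenticationMethodConfiguration'
    Voice = '#microsoft.graph.voiceAuthenticationMethodConfiguration'
}
foreach ($id in $toDisable.Keys) {
    $current = $methods | Where-Object Id -eq $id
    if ($current.State -eq 'disabled') { Write-Host "$id is already disabled"; continue }
    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId $id `
        -BodyParameter @{ '@odata.type' = $toDisable[$id]; state = 'disabled' }
    Write-Host "Disabled $id"
}
```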
2. Activate Your Conditional Access Policies
A surprisingly common pattern we’ve seen when conducting M365 assessments is that Conditional Access (CA) policies have been created but are sitting in report-only mode, or are only applied to a small pilot group. Report-only is a perfectly sensible way to test, but policies don't protect anyone until they're turned on.
Review your CA policies in Entra ID > Security > Conditional Access and start promoting them to active status, beginning with your highest-risk scenarios: blocking access from outside your trusted locations, enforcing MFA for all users, and blocking legacy authentication protocols (which bypass MFA entirely).
3. Block Legacy Authentication
This one deserves its own mention because it's incredibly important. Legacy authentication protocols like POP3, IMAP, and older SMTP clients don't support modern MFA. Attackers love them precisely because they bypass your security controls. Creating a Conditional Access policy to block legacy authentication across the board is one of the fastest wins you can get in M365 security.
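The two steps above (promoting report-only policies and blocking legacy authentication) in Graph PowerShell, as an added example that is not from the original post. It assumes the Microsoft.Graph module and a break-glass group whose object ID is a placeholder; the policy is created in report-only mode first and the promotion step is left commented out until the sign-in logs have been reviewed.

```powershell
# Requires the Microsoft.Graph module; Conditional Access Administrator or higher.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Which policies exist but protect nobody yet?
#    State values: enabled | disabled | enabledForReportingButNotEnforced (report-only)
Get-MgIdentityConditionalAccessPolicy -All |
    Select-Object DisplayName, State, @{n='Users'; e={ $_.Conditions.Users.IncludeUsers -join ',' }} |
    Sort-Object State | Format-Table -AutoSize

# 2. Create the legacy-auth block, in report-only mode first.
#    Client app types "exchangeActiveSync" and "other" are the legacy protocols
#    (POP, IMAP, SMTP AUTH, older Office clients) that cannot complete MFA.
#    Placeholder: object ID of the emergency-access (break-glass) group.
$breakGlassGroupId = '<BREAK-GLASS-GROUP-OBJECT-ID>'

$policy = @{
    displayName   = 'Block legacy authentication - all users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$new = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created '$($new.DisplayName)' in report-only mode: $($new.Id)"

# 3. Once the report-only results in the sign-in logs show no unexpected matches,
#    promote the policy to enforced.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $new.Id `
#     -BodyParameter @{ state = 'enabled' }
```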
4. Audit Your Privileged Accounts
More Global Admins than you need is a risk in itself. Head to Entra ID > Roles and administrators and take an honest look at who has elevated permissions. Best practice is to have no more than five Global Admins, to use role-specific admin accounts (e.g. a User Administrator for managing accounts, an Exchange Administrator for mail), and to keep those admin accounts separate from the credentials people use for day-to-day work.
It’s also worth checking for stale user accounts, i.e. disabled accounts that haven't been cleaned up. At best they’re dead weight, and at worst they’re another attack surface.
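An added example (not from the original post) that puts the two checks above into Graph PowerShell: it lists active Global Administrator members, warns when there are more than five, lists disabled accounts, and flags any disabled account that still holds the role. It assumes the Microsoft.Graph module; note that Get-MgDirectoryRole only shows active assignments, so PIM-eligible admins need a separate review.

```powershell
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All"

# Active members of the Global Administrator role.
# Caveat: this lists activated roles and active assignments only; PIM-eligible
# assignments do not appear here.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$admins = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All | ForEach-Object {
    $props = $_.AdditionalProperties
    [pscustomobject]@{
        Id   = $_.Id
        Type = ($props['@odata.type'] -replace '#microsoft.graph.', '')
        Name = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
    }
}
$admins | Format-Table -AutoSize
if ($admins.Count -gt 5) {
    Write-Warning "$($admins.Count) Global Admins; the post's guideline is no more than five."
}

# Disabled accounts that were never removed.
$disabled = Get-MgUser -All -Filter "accountEnabled eq false" `
    -Property id, displayName, userPrincipalName, createdDateTime
Write-Host "$($disabled.Count) disabled accounts still present"
$disabled | Select-Object DisplayName, UserPrincipalName, CreatedDateTime | Format-Table -AutoSize

# Worst of both: a disabled account that still holds Global Admin would regain
# full tenant control the moment someone re-enables it.
$disabledIds = $disabled.Id
foreach ($a in $admins | Where-Object { $_.Id -in $disabledIds }) {
    Write-Warning "Disabled account still assigned Global Administrator: $($a.Name)"
}
```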
5. Disable Direct Login on Shared Mailboxes
Shared mailboxes are intended to be accessed through individual user accounts, not by logging in directly. When shared mailboxes have direct login enabled, you lose accountability, create compliance risks, and introduce credentials that often have weak (or no) MFA protection.
In Exchange Admin Centre, go through your shared mailboxes and block sign-in on any that don't need it. It should only take a matter of minutes to do this for every mailbox.
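As an added example that is not part of the original post, the same sweep scripted with Exchange Online and Graph PowerShell: it reports every shared mailbox whose underlying account can still sign in, then blocks sign-in on all of them except a placeholder exception list. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules.

```powershell
# Requires the ExchangeOnlineManagement and Microsoft.Graph modules.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Every shared mailbox, and whether the account behind it can still sign in directly.
$report = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | ForEach-Object {
    $user = Get-MgUser -UserId $_.ExternalDirectoryObjectId -Property id, userPrincipalName, accountEnabled
    [pscustomobject]@{
        Mailbox       = $_.PrimarySmtpAddress
        UserId        = $user.Id
        SignInEnabled = $user.AccountEnabled
    }
}
$report | Format-Table -AutoSize

# Block sign-in where it is still allowed. Delegated access (Full Access / Send As)
# through users' own accounts is unaffected, which is the intended access model.
# Placeholder: shared mailboxes that genuinely need direct login, if any.
$exceptions = @('<shared-mailbox-that-needs-login@example.com>')
foreach ($row in $report | Where-Object { $_.SignInEnabled -and $_.Mailbox -notin $exceptions }) {
    Update-MgUser -UserId $row.UserId -AccountEnabled:$false
    Write-Host "Blocked sign-in for $($row.Mailbox)"
}
```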
6. Check Your Email Authentication (SPF, DKIM, DMARC)
DKIM is the most commonly missed fix in many assessments. It is enabled by default for the primary .onmicrosoft.com domain, but a lot of organisations forget to enable it for their custom domains. If DKIM is off, it's much easier for attackers to spoof your domain in phishing emails. Head to Defender > Email & collaboration > Policies & rules > Threat policies > DKIM and verify that every domain has signing enabled.
While you're there, check that SPF and DMARC records are correctly configured for all your sending domains. These cost nothing and are critical for email deliverability and reputation.
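An added example (not from the original post) that checks all three records for every accepted domain in one pass: DKIM signing state from Exchange Online, and SPF and DMARC by querying DNS. It assumes the ExchangeOnlineManagement module and Windows' Resolve-DnsName; 'example.com' at the end is a placeholder for a custom domain whose DKIM is being switched on.

```powershell
# Requires ExchangeOnlineManagement; Resolve-DnsName comes from the Windows DnsClient module.
Connect-ExchangeOnline

# Return the first TXT record at $Name matching $Pattern (multi-string records are joined).
function Get-TxtRecord([string]$Name, [string]$Pattern) {
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -match $Pattern } |
        Select-Object -First 1
}

$posture = foreach ($domain in Get-AcceptedDomain) {
    $name = $domain.DomainName
    $dkim = Get-DkimSigningConfig -Identity $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Domain      = $name
        DkimEnabled = [bool]($dkim -and $dkim.Enabled)
        SPF         = Get-TxtRecord $name '^v=spf1'
        DMARC       = Get-TxtRecord "_dmarc.$name" '^v=DMARC1'
    }
}
$posture | Format-Table -AutoSize

# Gaps an assessment would flag: no DKIM, no SPF, or a DMARC policy that is missing
# or still at p=none (monitor only).
foreach ($p in $posture | Where-Object { -not $_.DkimEnabled -or -not $_.SPF -or $_.DMARC -notmatch 'p=(quarantine|reject)' }) {
    Write-Warning "$($p.Domain): DKIM=$($p.DkimEnabled) SPF=$([bool]$p.SPF) DMARC='$($p.DMARC)'"
}

# Enabling DKIM on a custom domain: publish the two selector CNAMEs first, then turn signing on.
$cfg = Get-DkimSigningConfig -Identity 'example.com' -ErrorAction SilentlyContinue   # placeholder domain
if (-not $cfg) { $cfg = New-DkimSigningConfig -DomainName 'example.com' -Enabled $false }
$cfg | Select-Object Selector1CNAME, Selector2CNAME    # create these two CNAME records in DNS
# Set-DkimSigningConfig -Identity 'example.com' -Enabled $true   # once the CNAMEs resolve
```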
7. Expand Your Anti-Phishing Coverage
Defender for Office 365 includes a robust anti-phishing engine, but its most useful features are often only partially turned on. In particular:
- Mailbox intelligence for impersonations - this uses AI to learn who your users normally communicate with and flags unusual patterns
- Safety tips - simple visual alerts shown to users in Outlook when an email looks suspicious
- Safe Links and Safe Attachments - ensure these policies apply to all users, not just a pilot group
These settings live in Defender > Email & collaboration > Policies & rules > Threat policies. None of them incur extra costs if you have Defender for Office 365 Plan 1 or Plan 2.
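An added example (not from the original post) that reads the same settings back from Exchange Online PowerShell: the impersonation and safety-tip switches on each anti-phishing policy, and for each Safe Links and Safe Attachments rule which accepted domains it does not cover, which is how a pilot-only scope shows up. It assumes the ExchangeOnlineManagement module and Defender for Office 365 Plan 1 or 2.

```powershell
Connect-ExchangeOnline

# Anti-phishing: is each policy enabled, and are the mailbox-intelligence and
# safety-tip features actually switched on inside it?
Get-AntiPhishPolicy | Select-Object Name, Enabled, IsDefault,
    EnableMailboxIntelligence, EnableMailboxIntelligenceProtection, MailboxIntelligenceProtectionAction,
    EnableFirstContactSafetyTips, EnableSimilarUsersSafetyTips, EnableSimilarDomainsSafetyTips,
    EnableUnusualCharactersSafetyTips | Format-List

# Safe Links / Safe Attachments rules are scoped by users, groups or recipient domains.
# A pilot-only rule typically has SentTo/SentToMemberOf set and leaves most domains uncovered.
# Caveat: the built-in protection preset and the Standard/Strict presets apply through their
# own rules, so review those in the portal alongside this output.
$domains = (Get-AcceptedDomain).DomainName
$coverage = foreach ($rule in @(Get-SafeLinksRule) + @(Get-SafeAttachmentRule)) {
    $uncovered = $domains | Where-Object { $_ -notin $rule.RecipientDomainIs }
    [pscustomobject]@{
        Rule              = $rule.Name
        State             = $rule.State
        ScopedToUsers     = [bool]$rule.SentTo
        ScopedToGroups    = [bool]$rule.SentToMemberOf
        DomainsNotCovered = ($uncovered -join ',')
    }
}
$coverage | Format-Table -AutoSize
foreach ($c in $coverage | Where-Object { $_.State -ne 'Enabled' -or $_.DomainsNotCovered }) {
    Write-Warning "Rule '$($c.Rule)': state=$($c.State), domains not covered: $($c.DomainsNotCovered)"
}
```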
8. Restrict External Sharing in SharePoint and Teams
External sharing is on by default and organisations often don't tighten it until after an incident. We recommend:
- In SharePoint Admin Centre > Policies > Sharing, set guest access links to expire after 30–60 days and require verification codes to re-authenticate
- Enable the idle session timeout in SharePoint Access Control
- In Teams Admin Centre, restrict anonymous users from joining meetings, and limit who can create private channels
- Set up an alert policy in Purview to notify your security team when files are shared externally
None of these measures require additional licensing.
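The four settings above applied from PowerShell, as an added example that is not from the original post. It assumes the SharePoint Online, MicrosoftTeams and ExchangeOnlineManagement modules; <tenant> and the notification mailbox are placeholders, and the alert's -Operation value is the SharePoint audit operation name assumed here for external sharing invitations.

```powershell
# Requires Microsoft.Online.SharePoint.PowerShell, MicrosoftTeams and ExchangeOnlineManagement.
Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'   # placeholder tenant name

# Guest access links expire after 60 days; guests re-verify with an email code every 30 days.
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 60 `
              -EmailAttestationRequired $true -EmailAttestationReAuthDays 30

# Idle session timeout for browser sessions: warn at 30 minutes, sign out at 60.
Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Minutes 30) -SignOutAfter (New-TimeSpan -Minutes 60)

# Confirm what is now in effect.
Get-SPOTenant | Select-Object ExternalUserExpirationRequired, ExternalUserExpireInDays,
    EmailAttestationRequired, EmailAttestationReAuthDays
Get-SPOBrowserIdleSignOut

Connect-MicrosoftTeams
# Anonymous users cannot join meetings; private channel creation is off in the Global policy
# (grant it back with a custom channels policy only to teams that need it).
Set-CsTeamsMeetingPolicy  -Identity Global -AllowAnonymousUsersToJoinMeeting $false
Set-CsTeamsChannelsPolicy -Identity Global -AllowPrivateChannelCreation $false

# Purview alert policy: notify the security team when an external sharing invitation is created.
# 'SharingInvitationCreated' is assumed here to be the matching SharePoint audit operation.
Connect-IPPSSession
New-ProtectionAlert -Name 'External sharing invitation created' -Category ThreatManagement `
    -ThreatType Activity -Operation SharingInvitationCreated -AggregationType None `
    -Severity Medium -NotifyUser 'security-team@example.com'   # placeholder mailbox
```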
9. Configure Audit Log Retention
Microsoft 365 audit logs are invaluable when investigating an incident, but they're not retained forever by default. Standard retention is 90 days for most licences (180 days for E3, 1 year for E5). Creating a custom Audit Retention Policy in Microsoft Purview > Audit lets you retain logs for up to ten years for specific activities and users.
At the very minimum, create a policy that retains logs for a full year for your admin accounts and sensitive workloads. It takes about ten minutes to set up and could be invaluable during an investigation.
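An added example (not from the original post) of the minimum policy described above, created from Security & Compliance PowerShell: twelve months of retention for a placeholder list of admin accounts across the record types an investigation needs first, plus a tenant-wide floor for sign-in and directory changes. It assumes the ExchangeOnlineManagement module and the Audit (Premium) licensing that custom retention policies require.

```powershell
# The audit retention cmdlets live in Security & Compliance PowerShell (ExchangeOnlineManagement module).
Connect-IPPSSession

# What is already in place; a lower Priority number wins where policies overlap.
Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, RetentionDuration, Priority, RecordTypes, UserIds | Format-List

# Placeholder list: the privileged accounts identified in step 4.
$adminAccounts = @('admin-one@example.com', 'admin-two@example.com')

# Keep privileged-account activity for a year across directory, Exchange and SharePoint.
# Valid durations: ThreeMonths, SixMonths, NineMonths, TwelveMonths, TenYears.
New-UnifiedAuditLogRetentionPolicy -Name 'Admin accounts - 12 months' `
    -Description 'Retain all privileged-account activity for one year' `
    -RecordTypes AzureActiveDirectory, ExchangeAdmin, SharePointSharingOperation, SharePointFileOperation `
    -UserIds $adminAccounts `
    -RetentionDuration TwelveMonths `
    -Priority 10

# Tenant-wide floor: sign-ins and directory changes for everyone, one year.
New-UnifiedAuditLogRetentionPolicy -Name 'Sign-in and directory changes - 12 months' `
    -Description 'Retain sign-in and directory audit records for one year for all users' `
    -RecordTypes AzureActiveDirectory, AzureActiveDirectoryStsLogon `
    -RetentionDuration TwelveMonths `
    -Priority 20
```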
10. Check Your Microsoft Secure Score
Microsoft Secure Score is a free, built-in dashboard available to all M365 tenants at security.microsoft.com. It gives you a score against the maximum available to your tenant and, importantly, shows you a prioritised list of recommended actions ranked by impact and ease of implementation.
The best starting point is to filter by "Recommended actions" and sort by Low user impact, as these are improvements you can make with minimal disruption. Many of them are simply turning on a setting that's already available in your licence. A typical organisation can improve its score significantly in a single focused session.
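The same "low user impact, not yet done" view pulled through the Graph Secure Score API, as an added example that is not from the original post. It assumes the Microsoft.Graph module and that Get-MgSecuritySecureScore returns snapshots newest first, so -Top 1 is the latest score.

```powershell
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

# Latest snapshot: points earned vs the maximum available for this tenant's licences.
# Assumption: snapshots come back newest first, so -Top 1 is the current score.
$latest = Get-MgSecuritySecureScore -Top 1
Write-Host ("Secure Score: {0} / {1}" -f $latest.CurrentScore, $latest.MaxScore)

# Points currently earned per control, keyed by control name.
$earned = @{}
foreach ($c in $latest.ControlScores) { $earned[$c.ControlName] = [double]$c.Score }

# Reproduce the portal filter: low user impact, still has points to gain, biggest gap first.
Get-MgSecuritySecureScoreControlProfile -All |
    Where-Object { -not $_.Deprecated -and $_.UserImpact -eq 'Low' } |
    ForEach-Object {
        $have = if ($earned.ContainsKey($_.Id)) { $earned[$_.Id] } else { 0 }
        [pscustomobject]@{
            Control  = $_.Title
            Category = $_.ControlCategory
            Cost     = $_.ImplementationCost
            Gap      = [math]::Round($_.MaxScore - $have, 1)
        }
    } |
    Where-Object Gap -gt 0 |
    Sort-Object Gap -Descending |
    Format-Table -AutoSize
```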
Start Small, But Start Now
You don't need a six-figure security project to meaningfully reduce your risk in Microsoft 365. Most of the recommendations above can be done by a competent IT admin with existing licensing; it just requires someone to prioritise them.
If you're not sure where your environment stands, consider commissioning an M365 security assessment. The findings are almost always illuminating, and the remediation roadmap pays for itself many times over.