Office 365 Security Best Practices: Hardening Your Microsoft Tenant
Office 365 is secure by default. But “by default” isn’t the same as “secure for your business”. Out of the box, you can log in with just a password. Users can forward emails anywhere. Anyone can install third-party apps. Deleted files are gone forever.
Most Australian SMBs inherit these defaults and never change them. Then they’re surprised when someone’s password gets compromised and the attacker reads three years of confidential emails.
The good news: hardening Office 365 is straightforward and mostly free (or included in your license). It’s a checklist, not a technical transformation.
Start with Microsoft Secure Score
Before you make any changes, look at your Secure Score. It’s a dashboard in the Microsoft 365 admin centre that rates your tenant security on a scale of 0–100 and recommends improvements.
You’ll find it under Security > Secure Score in the admin centre. It shows your current score, your comparison to similar organisations, and a prioritised list of improvements.
The improvements are ranked by impact. The ones at the top prevent the most common attacks. Focus on those first.
Secure Score is the fastest way to identify your biggest gaps. Don’t skip this step.
Multi-Factor Authentication: Non-Negotiable
A password alone isn’t enough anymore. Attackers can buy stolen passwords cheaply online. Multi-factor authentication (MFA) makes accounts dramatically harder to compromise because an attacker needs both your password and your phone (or security key).
What you should do:
Enable MFA for all cloud accounts, especially admin accounts. Start with admins—the damage from a compromised admin account is far greater.
In the admin centre: Users > Active users, select a user, then Edit > Require multi-factor authentication. Do this for all admins first, then roll out to all users.
What type of MFA? The Microsoft Authenticator app is best (it can approve requests with a single tap), SMS is acceptable (though less secure), and hardware security keys are hardest to compromise but expensive. For SMBs, the Authenticator app covers most needs.
Key setting: In Azure Active Directory > Security > MFA > Additional cloud-based MFA settings, enable “block legacy authentication”. This prevents old email clients that don’t support MFA from connecting. It sounds disruptive (you’ll have one or two users with old software), but it closes a huge attack vector.
If you get complaints about MFA being inconvenient: MFA is inconvenient for legitimate users approximately once per device. It’s inconvenient for attackers 100% of the time.
Conditional Access Policies: Automation for Security
Conditional access lets you set rules like “require MFA if the user is logging in from an unknown location” or “block access if the device looks compromised”.
You set these policies in Azure Active Directory > Security > Conditional Access. They’re powerful but can be confusing to set up. Start with the simplest ones:
Policy 1: Require MFA for risky sign-ins. Azure detects when a sign-in looks unusual. Automatically require MFA for these sign-ins. Legitimate users get a prompt; attackers usually can’t provide it.
Policy 2: Block legacy authentication. Old email clients don’t support modern security protocols. Block them entirely. You’ll lose maybe one or two users with very old setups, but you prevent a common attack vector.
Implementing these hardening measures across your entire tenant takes expertise. Our Microsoft 365 security solutions include full tenant configuration, conditional access policies, and ongoing monitoring.
Policy 3: Require compliant devices. If a device is enrolled in Intune, require it to be compliant (updated patches, antivirus running, encryption enabled) before allowing access.
Conditional access is initially overwhelming, but these three policies cover most of your security needs. Start there and expand later if needed.
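The three policies above (and the legacy-authentication block from the MFA section) expressed in the Microsoft Graph Conditional Access policy schema, with a small audit that reports which baseline control no enforced policy provides; this is an added example, not code from the original article. The policy objects are constructed samples, and only enabled, tenant-wide policies count, which is why the report-only compliant-device policy is flagged.

```python
# Added example: audit the three baseline Conditional Access policies from the
# text. SAMPLE_POLICIES is constructed in the shape of the Microsoft Graph
# resource GET /identity/conditionalAccess/policies; nothing is fetched live.

def _policy(name, state, controls, **conditions):
    """Build one policy covering all users and all cloud apps."""
    base = {"users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"]}
    return {"displayName": name, "state": state,
            "conditions": {**base, **conditions},
            "grantControls": {"operator": "OR", "builtInControls": controls}}

SAMPLE_POLICIES = [
    # Policy 2: legacy clients (Exchange ActiveSync, "other") are blocked outright
    _policy("Block legacy authentication", "enabled", ["block"],
            clientAppTypes=["exchangeActiveSync", "other"]),
    # Policy 1: sign-ins rated medium/high risk must satisfy MFA
    _policy("Require MFA for risky sign-ins", "enabled", ["mfa"],
            signInRiskLevels=["high", "medium"]),
    # Policy 3: still in report-only mode, so it is not actually enforced yet
    _policy("Require compliant device", "enabledForReportingButNotEnforced",
            ["compliantDevice"]),
]

def _enforced_tenant_wide(p):
    c = p["conditions"]
    return (p["state"] == "enabled"
            and "All" in c["users"].get("includeUsers", [])
            and "All" in c["applications"].get("includeApplications", []))

def audit(policies):
    """Return the baseline controls no enabled, tenant-wide policy provides."""
    gaps = {"legacy-auth-blocked", "risky-signin-mfa", "compliant-device"}
    for p in policies:
        if not _enforced_tenant_wide(p):
            continue
        controls = set(p["grantControls"].get("builtInControls", []))
        apps = set(p["conditions"].get("clientAppTypes", []))
        if "block" in controls and {"exchangeActiveSync", "other"} <= apps:
            gaps.discard("legacy-auth-blocked")
        if "mfa" in controls and p["conditions"].get("signInRiskLevels"):
            gaps.discard("risky-signin-mfa")
        if "compliantDevice" in controls:
            gaps.discard("compliant-device")
    return sorted(gaps)

if __name__ == "__main__":
    print("Missing baseline controls:", audit(SAMPLE_POLICIES))
```

Against a real tenant, feed `audit()` the `value` array returned by the Graph endpoint named in the comment instead of the constructed list.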
Email Authentication: Prevent Spoofing
Email spoofing means attackers send emails pretending to be you. Stop this with three technical controls: SPF, DKIM, and DMARC. These don’t require new technology—they’re just DNS configuration. Set them up once and they work forever. They’re one of the highest-ROI security changes you can make.
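An added example (not from the original article) that lints the three records for the weak settings that most often undermine them: a softfail SPF, a p=none DMARC policy, too many SPF lookups, and missing DKIM selectors. The domain example.com.au and the tenant contoso.onmicrosoft.com are placeholders and the records are constructed, so nothing is queried over DNS.

```python
# Added example: lint the SPF, DKIM and DMARC records a tenant publishes.
# Constructed sample records for a placeholder domain and placeholder tenant.
WEAK = {
    "example.com.au": "v=spf1 include:spf.protection.outlook.com ~all",
    "_dmarc.example.com.au": "v=DMARC1; p=none",
}
HARDENED = {
    "example.com.au": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.example.com.au": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au; adkim=s; aspf=s",
    "selector1._domainkey.example.com.au": "selector1-example-com-au._domainkey.contoso.onmicrosoft.com",
    "selector2._domainkey.example.com.au": "selector2-example-com-au._domainkey.contoso.onmicrosoft.com",
}

def check_spf(record):
    """Flag a permissive/missing 'all' mechanism and too many DNS lookups."""
    if not record.startswith("v=spf1"):
        return ["no SPF record"]
    terms, findings = record.split()[1:], []
    if "+all" in terms or "?all" in terms or "all" in terms:
        findings.append("SPF allows any host (+all/?all) to send as this domain")
    elif "~all" in terms:
        findings.append("SPF uses softfail (~all); use -all once senders are verified")
    elif "-all" not in terms:
        findings.append("SPF has no 'all' mechanism")
    # include/a/mx/exists/redirect each cost a DNS lookup; RFC 7208 caps at 10
    lookups = sum(t.startswith(("include:", "exists:", "redirect="))
                  or t.split(":")[0].split("/")[0] in ("a", "mx") for t in terms)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the 10-lookup limit (permerror)")
    return findings

def check_dmarc(record):
    """Flag a missing record, a p=none policy and no aggregate-report address."""
    if not record.startswith("v=DMARC1"):
        return ["no DMARC record"]
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC p=none: spoofed mail is only reported, still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings

def check_dkim(domain, records):
    # Microsoft 365 signs with two rotating selectors; both CNAMEs must exist
    return [f"DKIM selector {s} not published"
            for s in ("selector1", "selector2")
            if f"{s}._domainkey.{domain}" not in records]

def lint(domain, records):
    return {"spf": check_spf(records.get(domain, "")),
            "dkim": check_dkim(domain, records),
            "dmarc": check_dmarc(records.get(f"_dmarc.{domain}", ""))}
```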
Data Loss Prevention (DLP): Stop Secrets Leaking
DLP prevents people from accidentally (or intentionally) emailing confidential information. You define what’s confidential (customer lists, financial data, personal information, API keys, etc), and Office 365 blocks emails containing it.
Sensitivity Labels: Protect Files from Inside
Sensitivity labels let you mark files as “Confidential”, “Internal”, or “Public”. When you label a file, Office 365 applies protections automatically. For SMBs, a simple three-level labeling system works well: Public, Internal, and Confidential.
Defender for Office 365: Threat Prevention at Scale
Defender for Office 365 is an add-on that provides advanced threat protection. It includes Safe Attachments, Safe Links, anti-phishing, and impersonation protection. For SMBs handling sensitive data or receiving many phishing attempts, it’s worth the investment.
Admin Roles and Privileged Access
Admin accounts are high-value targets. Work through these steps in order:
- Identify who actually needs admin access
- Create separate admin accounts
- Enforce MFA on all admin accounts
- Limit admin role scope
- Monitor admin activity
- Consider Privileged Access Management for critical operations
Putting It All Together: The Checklist
Here’s the order to implement these controls:
- Check your Secure Score and read the recommendations
- Enable MFA for all admin accounts
- Enable MFA for all users
- Set up SPF, DKIM, DMARC in your DNS
- Create a simple DLP policy for financial data
- Set up Conditional Access policies
- Create Sensitivity Labels
- Consider Defender for Office 365
- Audit admin roles and remove unnecessary access
- Monitor your Secure Score monthly
Office 365 is secure software. But you have to actively configure it to take advantage of that security.