Microsoft 365 Security Basics
Microsoft 365 is the operating system of modern business, but its default settings prioritize convenience over security. Here are the non-negotiable baselines.
1 Identity & Access
- Enforce MFA (Multifactor Authentication)
For ALL users, admins first. No exceptions. Prefer Microsoft Authenticator (with number matching) or FIDO2 security keys; SMS and voice codes can be phished in real time or captured by SIM swapping.
- Block Legacy Authentication
Basic-auth IMAP, POP3, SMTP AUTH and older Office clients cannot perform MFA, so a leaked password alone gets an attacker in. Microsoft has already disabled Basic auth in Exchange Online for most protocols, but SMTP AUTH can still be enabled per tenant or per mailbox. Block everything with a Conditional Access policy that targets the "Exchange ActiveSync clients" and "Other clients" app types, and disable SMTP AUTH on mailboxes that do not send from devices or scripts.
- Conditional Access Policies
Block sign-ins from countries you never operate in, using a Named Location; treat this as a noise filter rather than a control, since any attacker can route through a VPN. Require a compliant (Intune-managed) or hybrid-joined device for admin roles. Create every policy in report-only mode first and review its impact in the sign-in logs before switching it to enforced.
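The identity baselines above as one Microsoft Graph PowerShell script. This is an added example, not code from the original page or from Microsoft; it assumes the Microsoft.Graph module is installed, the signed-in account holds the Conditional Access Administrator role, and it uses hypothetical values for the break-glass exclusion group ID and the blocked-country list. The Global Administrator role template ID is a fixed value.

```powershell
# Added example: baseline Conditional Access policies via Microsoft Graph
# PowerShell. Group ID and country list are hypothetical placeholders.
Import-Module Microsoft.Graph.Identity.SignIns

# Scopes needed to create named locations and Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Every policy starts in report-only mode; review the sign-in log impact,
# then flip the state to 'enabled'.
$State = 'enabledForReportingButNotEnforced'

# Hypothetical security group that holds the emergency-access (break-glass)
# accounts. It is excluded from every policy so a mistake cannot lock the tenant.
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'

function New-BaselinePolicy {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][hashtable]$Conditions,
        [Parameter(Mandatory)][hashtable]$GrantControls
    )
    # Always carve the break-glass group out of the user scope.
    $Conditions.users.excludeGroups = @($BreakGlassGroupId)
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $DisplayName
        state         = $State
        conditions    = $Conditions
        grantControls = $GrantControls
    }
}

# 1. Require MFA for all users on all cloud apps.
New-BaselinePolicy -DisplayName 'CA001 - Require MFA for all users' `
    -Conditions @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    } `
    -GrantControls @{ operator = 'OR'; builtInControls = @('mfa') }

# 2. Block legacy authentication. 'exchangeActiveSync' and 'other' are the
# client app types that cannot satisfy MFA (Basic-auth IMAP/POP/SMTP, old
# Office clients).
New-BaselinePolicy -DisplayName 'CA002 - Block legacy authentication' `
    -Conditions @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    } `
    -GrantControls @{ operator = 'OR'; builtInControls = @('block') }

# 3. Block sign-ins from countries the business never operates in.
# The country list below is a hypothetical placeholder; unknown geolocations
# are included because attackers often arrive from unresolvable ranges.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Blocked countries'
    countriesAndRegions               = @('KP', 'RU')
    includeUnknownCountriesAndRegions = $true
}
New-BaselinePolicy -DisplayName 'CA003 - Block sign-ins from blocked countries' `
    -Conditions @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @($location.Id) }
    } `
    -GrantControls @{ operator = 'OR'; builtInControls = @('block') }

# 4. Global Administrators must sign in from a compliant or hybrid-joined device.
# 62e90394-... is the fixed Global Administrator role template ID.
New-BaselinePolicy -DisplayName 'CA004 - Require compliant device for Global Admins' `
    -Conditions @{
        users          = @{ includeRoles = @('62e90394-69f5-4237-9190-012177145e10') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    } `
    -GrantControls @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
```

Leave the policies in report-only for at least a week, then check Entra sign-in logs (filter on the policy name under "Conditional Access") for users who would have been blocked before enabling. Policies 2 and 3 use operator OR with a single "block" control; policy 4 accepts either a compliant or a hybrid-joined device so admins on domain-joined laptops are not cut off while Intune rollout completes.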
2 Email Hygiene
- Preset Security Policies
Enable the "Standard" or "Strict" preset security policy in Defender for Office 365 (Strict for admins, finance and executives). The presets apply Microsoft-maintained anti-phishing, Safe Links and Safe Attachments settings and are updated as threats change, which hand-tuned policies rarely are.
- External Tagging
Turn on the "External" sender tag in Outlook for mail that originates outside the org. It does not stop impersonation, but it makes a "CEO" message sent from a Gmail address stand out to the reader.
- SPF / DKIM / DMARC
Publish SPF (which servers may send for your domain), DKIM (a signature receivers can verify) and DMARC (what receivers should do when both checks fail, plus aggregate reports). None of them protects your domain until DMARC reaches p=quarantine or p=reject; start at p=none with a rua= reporting address, then tighten once the reports show only legitimate senders. DKIM signing must be enabled per custom domain (it needs the selector1 and selector2 CNAME records), otherwise messages are signed with the tenant's onmicrosoft.com domain and do not align for DMARC.
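A check for the three DNS records described above, as an added example that is not part of the original page. It uses Resolve-DnsName from the Windows DnsClient module, so it needs Windows PowerShell or PowerShell 7 on Windows; the domain name is a hypothetical input and the SPF and DKIM expectations are the standard Microsoft 365 values.

```powershell
# Added example: audit a domain's SPF, DKIM and DMARC records for a
# Microsoft 365 tenant. Requires Resolve-DnsName (Windows DnsClient module).
function Test-MailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)
    $result = [ordered]@{ Domain = $Domain }

    # SPF: exactly one TXT record at the apex starting with v=spf1. Microsoft 365
    # needs include:spf.protection.outlook.com; end with -all (hard fail) once
    # every legitimate sender is listed. ~all (soft fail) is treated as not OK.
    $spf = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Strings -join '' } |
             Where-Object { $_ -like 'v=spf1*' })
    $result.SpfRecord = $spf -join ' | '
    $result.SpfOk = ($spf.Count -eq 1) -and
                    ($spf[0] -match 'include:spf\.protection\.outlook\.com') -and
                    ($spf[0] -match '-all$')

    # DKIM: Microsoft 365 publishes two selectors, selector1 and selector2, as
    # CNAMEs pointing at <guid>._domainkey.<tenant>.onmicrosoft.com. Both must
    # resolve; Microsoft rotates between them.
    $dkim = foreach ($sel in 'selector1', 'selector2') {
        $r = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        [pscustomobject]@{ Selector = $sel; Target = $r.NameHost }
    }
    $result.DkimTargets = ($dkim | ForEach-Object { "$($_.Selector)=$($_.Target)" }) -join ' | '
    $result.DkimOk = @($dkim | Where-Object { -not $_.Target }).Count -eq 0

    # DMARC: TXT at _dmarc.<domain>. p=none only monitors and blocks nothing;
    # move to quarantine, then reject, once reports show only legitimate mail.
    $dmarc = [string](@(Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
                       ForEach-Object { $_.Strings -join '' } |
                       Where-Object { $_ -like 'v=DMARC1*' }) | Select-Object -First 1)
    $result.DmarcRecord = $dmarc
    $result.DmarcPolicy = if ($dmarc -match 'p=(none|quarantine|reject)') { $Matches[1] } else { 'missing' }
    $result.DmarcReporting = $dmarc -match 'rua=mailto:'
    $result.DmarcOk = $result.DmarcPolicy -in 'quarantine', 'reject'

    [pscustomobject]$result
}

# Usage (hypothetical domain):
Test-MailAuthRecords -Domain 'contoso.com' | Format-List
```

The tenant-side switches live in Exchange Online PowerShell (Connect-ExchangeOnline): Set-ExternalInOutlook -Enabled $true turns on the External tag, and New-DkimSigningConfig -DomainName contoso.com -Enabled $true creates the DKIM configuration whose two CNAME targets the function above then expects to find in DNS. Run the check again after the DNS change propagates; DkimOk stays false until both selectors resolve.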
3 Admin Protection
- Dedicated Admin Accounts
Admins should not use their daily, mail-enabled account for Global Admin tasks. Use separate cloud-only accounts (not synced from on-premises AD, so a domain compromise cannot reach them), assign the least-privileged role that fits the job (Exchange Administrator rather than Global Administrator), keep Global Admins to a handful, and protect every admin account with phishing-resistant MFA.
- Break Glass Account
Create at least two cloud-only emergency access accounts with a permanent Global Administrator assignment, excluded from every Conditional Access policy, with a long random password (or a FIDO2 key) stored offline, password expiry disabled, and an alert on every sign-in so that any use is investigated.
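The admin-protection items above as a Microsoft Graph PowerShell script, added here as an example rather than taken from the original page or from Microsoft. It assumes the Microsoft.Graph module, a signed-in account able to create users and role assignments, and a pre-existing security group (hypothetical ID below) that the Conditional Access policies exclude. The same New-MgUser pattern, with a narrower role and without the exclusion-group membership, creates the dedicated cloud-only admin accounts.

```powershell
# Added example: create cloud-only emergency-access accounts, give them a
# permanent Global Administrator assignment, put them in the Conditional
# Access exclusion group, and check whether they have ever signed in.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory', 'AuditLog.Read.All'

# Hypothetical: the security group excluded from every Conditional Access policy.
$ExclusionGroupId = '00000000-0000-0000-0000-000000000000'
# Fixed Global Administrator role template ID.
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

function New-EmergencyAccessAccount {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$ExclusionGroupId
    )
    # 64-character password from a CSPRNG. Print it once, seal it offline,
    # and never write it to a log.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = [Convert]::ToBase64String($bytes)

    $user = New-MgUser -BodyParameter @{
        accountEnabled    = $true
        displayName       = 'Emergency Access'
        mailNickname      = ($UserPrincipalName -split '@')[0]
        userPrincipalName = $UserPrincipalName
        passwordPolicies  = 'DisablePasswordExpiration'   # must not rotate unattended
        passwordProfile   = @{
            password                      = $password
            forceChangePasswordNextSignIn = $false
        }
    }

    # Permanent (not PIM-eligible) Global Administrator assignment at tenant scope.
    New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $GlobalAdminRoleId `
        -PrincipalId $user.Id -DirectoryScopeId '/' | Out-Null

    # Membership in the exclusion group is what keeps the account usable when
    # a Conditional Access policy misfires.
    New-MgGroupMember -GroupId $ExclusionGroupId -DirectoryObjectId $user.Id

    [pscustomobject]@{ Upn = $user.UserPrincipalName; Id = $user.Id; Password = $password }
}

function Get-EmergencyAccountSignIns {
    # Any sign-in by these accounts is an incident until proven otherwise.
    param([Parameter(Mandatory)][string]$UserId, [int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -All -Filter "userId eq '$UserId' and createdDateTime ge $since" |
        Select-Object CreatedDateTime, IPAddress, AppDisplayName,
                      @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } }
}

# Two accounts, per Microsoft's "at least two" guidance (hypothetical UPNs).
$accounts = foreach ($upn in 'bg-admin-01@contoso.onmicrosoft.com',
                             'bg-admin-02@contoso.onmicrosoft.com') {
    New-EmergencyAccessAccount -UserPrincipalName $upn -ExclusionGroupId $ExclusionGroupId
}
$accounts | Select-Object Upn, Id, Password | Format-List

# Periodic check: expected output is nothing at all.
foreach ($a in $accounts) { Get-EmergencyAccountSignIns -UserId $a.Id }
```

The onmicrosoft.com UPNs are deliberate: the accounts must keep working if the custom domain's federation or DNS breaks. Replace the manual sign-in query with a standing alert (a Sentinel or Log Analytics rule on SigninLogs where UserId matches these two IDs) so a use of the accounts pages someone instead of waiting for the next review.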
Common Questions
Is Microsoft Defender enough?
For most SMBs and mid-market orgs, yes, IF configured correctly; the defaults are not the baseline. Defender for Endpoint P2 (and Defender for Business, its SMB edition) is a top-tier EDR, but it protects only devices that are onboarded, so pair it with Intune enrollment and work through the Secure Score recommendations.
What license do I need for these features?
Most of the features above (Conditional Access via Entra ID P1, Intune, Defender for Office 365 Plan 1 and Defender for Business) are included in Microsoft 365 Business Premium, which is capped at 300 users; larger orgs need Microsoft 365 E3 plus the E5 Security add-on, or E5. Below 300 seats it is the best value SKU for security.