
Microsoft 365 Security Checklist
Microsoft 365 offers robust built‑in security features, but you need to configure them properly. Use this checklist to harden your tenant:
Enable multi‑factor authentication (MFA)
Ensure all accounts require a second factor. This is one of the most effective ways to prevent credential theft.
Use conditional access policies
Require MFA when users log in from unfamiliar locations or devices, and restrict access from high‑risk countries or anonymising networks.
Apply least‑privilege roles
Grant administrators only the permissions they need. Use scoped roles (e.g. Exchange Administrator) instead of Global Admin wherever possible.
Configure anti‑phishing and anti‑spam policies
Enable Safe Links, Safe Attachments and anti‑impersonation measures in Microsoft Defender for Office 365 or your chosen email security gateway.
Block legacy authentication
Disable POP, IMAP and older SMTP protocols that do not support modern authentication. Because they cannot enforce a second factor, these protocols are frequently targeted with stolen or guessed passwords.
Turn on auditing and alerts
Enable mailbox auditing and sign‑in logs. Configure alerts for suspicious activities such as multiple failed logins or unusual mailbox forwarding rules.
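As an added example (not part of this checklist or of any Microsoft tooling), the following Python script implements the "unusual mailbox forwarding rules" alert: it scans Exchange admin audit records for inbox rules that forward or redirect mail to external domains or that delete messages after forwarding. The records are constructed sample data shaped like Unified Audit Log exports (AuditData as a JSON string with a Parameters list of Name/Value pairs), and the tenant domain contoso.example is an assumption.

```python
"""Flag risky inbox rules in Exchange admin audit records (added example).
AuditData is a JSON string whose Parameters is a list of Name/Value entries."""
import json
import re

INTERNAL_DOMAINS = {"contoso.example"}  # assumption: the tenant's own domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def external_addresses(value):
    """Addresses in a parameter value whose domain is not one of ours."""
    return [a for a in EMAIL_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]

def flag_rule(record):
    """Return a finding for a rule that forwards externally or hides mail, else None."""
    audit = json.loads(record["AuditData"])
    if audit.get("Operation") not in RULE_OPERATIONS:
        return None
    params = {p["Name"]: p["Value"] for p in audit.get("Parameters", [])}
    reasons = []
    for name in sorted(params.keys() & FORWARD_PARAMS):
        ext = external_addresses(params[name])
        if ext:
            reasons.append(f"{name} -> external {', '.join(ext)}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True hides the forwarded copies")
    if not reasons:
        return None
    return {"user": audit.get("UserId"), "rule": params.get("Name") or params.get("Identity"),
            "client_ip": audit.get("ClientIP"), "reasons": reasons}

def find_suspicious_rules(records):
    return [f for f in map(flag_rule, records) if f]

def _rec(user, op, ip, params):  # builds one constructed record (not real tenant data)
    audit = {"Operation": op, "UserId": user, "ClientIP": ip,
             "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}
    return {"UserIds": user, "Operations": op, "AuditData": json.dumps(audit)}

SAMPLE_RECORDS = [  # constructed: one benign internal forward, two risky rules
    _rec("alice@contoso.example", "New-InboxRule", "203.0.113.10",
         {"Name": "Team updates", "ForwardTo": '"Bob" [SMTP:bob@contoso.example]'}),
    _rec("bob@contoso.example", "New-InboxRule", "198.51.100.7",
         {"Name": ".", "ForwardTo": "external-archive@example.net", "DeleteMessage": "True"}),
    _rec("carol@contoso.example", "Set-InboxRule", "198.51.100.9",
         {"Identity": "Invoices", "RedirectTo": "c.jones@example.org"}),
]
```

Feed it the rows of a Search-UnifiedAuditLog export filtered to inbox-rule operations and route each finding to your alerting channel; the benign internal forward produces no finding.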
Restrict external sharing
Set policies on SharePoint and OneDrive to limit who can share files externally. Use Data Loss Prevention (DLP) to block sensitive data from leaving your environment.
Back up your data
Microsoft guarantees availability of the service, not point‑in‑time restoration of your data. Use third‑party backups or retention policies to safeguard against deletion or ransomware.