Protect identities first

Microsoft 365 security begins with user identities. Require MFA for every user and use stronger methods for administrators. Disable legacy authentication where it is still enabled because older protocols can bypass modern sign-in protections.

Separate administrator accounts

Administrators should use a normal account for email and daily work and a separate account for privileged tasks. Keep the number of global administrators small, review roles regularly, and maintain protected emergency-access accounts.

Use conditional access when licensing supports it

Conditional Access can require MFA, block risky sign-ins, restrict unsupported devices, and apply stronger controls to administrators. Start with report-only mode, review the impact, and then enforce policies in stages.

Configure email authentication

Publish SPF and DKIM records for approved senders and implement DMARC. These controls reduce domain spoofing and provide visibility into systems sending mail as your domain. Move gradually toward a stronger DMARC enforcement policy after reviewing reports.

Reduce external sharing risk

Review SharePoint, Teams, and OneDrive sharing settings. Limit anonymous links, set expiration dates where practical, and make owners responsible for reviewing external guests. Remove stale guest accounts and old shared links.

Protect devices that access company data

Require supported operating systems, encryption, screen lock, endpoint protection, and timely updates. For mobile and personally owned devices, use app protection or device-management controls appropriate to the sensitivity of the data.

Review inbox rules and forwarding

Attackers often create hidden forwarding rules after compromising an account. Block automatic external forwarding unless there is a documented business need, and investigate unusual rules, delegates, or mailbox permissions.

Turn on auditing and alerting

Confirm that audit data is available and that someone reviews risky sign-ins, administrator changes, malware detections, suspicious inbox rules, and unusual sharing. Alerts need an owner and a response process.

Plan for recovery

Microsoft provides resilient cloud services, but businesses remain responsible for accidental deletion, malicious changes, retention choices, and recovery requirements. Define retention policies and consider an independent Microsoft 365 backup when the business needs longer or more flexible recovery.

Standardize onboarding and offboarding

Use checklists for account creation, licensing, MFA enrollment, group membership, device setup, and permissions. Offboarding should disable sign-in promptly, revoke sessions, preserve needed data, transfer ownership, and remove access from third-party applications.