
Microsoft 365 Security Configuration Guide

Step-by-step guide to securing your Microsoft 365 environment. Covers Secure Score optimization, Entra ID, Conditional Access, and Zero Trust implementation.


Understanding Microsoft Secure Score

Microsoft Secure Score is your security posture measurement. Most organizations score between 30-50% out of the box. Following this guide can help you reach 70-80% or higher.

  30-45%: Default configuration
  50-65%: Basic hardening
  70-85%: Well-secured

Access your score: security.microsoft.com → Secure Score

Before You Start

Some settings require specific licenses (E3/E5, Entra ID P1/P2). Verify your licensing before implementing. Test changes in a pilot group before org-wide deployment.

Identity & Access Management

Entra ID (formerly Azure AD) is your security foundation. Get this right first.

Enable Security Defaults or Conditional Access

Critical

Security Defaults provide baseline MFA protection. For more control, use Conditional Access policies.

+15 Secure Score points

Implementation Steps:

  1. Entra admin center → Properties → Manage Security defaults
  2. For finer control: create Conditional Access policies requiring MFA
  3. Block legacy authentication protocols

Require MFA for All Users

Critical

MFA blocks 99.9% of automated attacks. No exceptions, especially for admins.

+10 Secure Score points

Implementation Steps:

  1. Conditional Access → New policy → All users
  2. Grant access → Require multi-factor authentication
  3. Exclude break-glass emergency accounts (document separately)
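The two policies described here and in the previous section (MFA for all users with break-glass exclusions, and the legacy authentication block) as an added Microsoft Graph PowerShell example; this is not code from the original guide. The policy names and break-glass object IDs are placeholders, and both policies are created in report-only mode so sign-in logs show their impact before enforcement.

```powershell
# Added example, not from the original guide. Assumes the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object IDs of the documented break-glass accounts.
$breakGlassIds = @("00000000-0000-0000-0000-000000000001")

# Policy 1: require MFA for all users on all cloud apps, excluding break-glass accounts.
# "enabledForReportingButNotEnforced" is report-only; switch to "enabled" after review.
$mfaPolicy = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2: block legacy authentication. Legacy clients (Exchange ActiveSync,
# basic-auth protocols reported as "other") cannot complete MFA, so an MFA
# policy alone leaves them as a bypass; this policy blocks them outright.
$legacyAuthPolicy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyAuthPolicy

# Confirm both exist and are still report-only before flipping state to "enabled".
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Review the report-only results in Entra sign-in logs for the pilot group before changing `state` to `enabled`.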

Enable Privileged Identity Management (PIM)

High

Just-in-time admin access reduces standing privilege exposure.

+8 Secure Score points

Implementation Steps:

  1. Requires Entra ID P2 license
  2. Configure eligible assignments for admin roles
  3. Set maximum activation duration (8 hours recommended)
  4. Require approval for Global Admin activation

Configure Password Protection

High

Block common passwords and organization-specific banned words.

+5 Secure Score points

Implementation Steps:

  1. Entra ID → Security → Authentication methods → Password protection
  2. Enable custom banned passwords
  3. Add company name variations, products, locations

Email Security (Exchange Online)

Email is the #1 attack vector. These settings are essential.

Enable Microsoft Defender for Office 365

Critical

Advanced threat protection for email, including Safe Attachments and Safe Links.

+12 Secure Score points

Implementation Steps:

  1. Microsoft 365 Defender portal → Policies & rules
  2. Enable Safe Attachments (Dynamic Delivery recommended)
  3. Enable Safe Links for email and Teams
  4. Enable Anti-phishing policies with impersonation protection

Configure DMARC, DKIM, and SPF

Critical

Email authentication prevents domain spoofing and improves deliverability.

+8 Secure Score points

Implementation Steps:

  1. SPF: Add TXT record "v=spf1 include:spf.protection.outlook.com -all"
  2. DKIM: Enable in Exchange admin center → DKIM
  3. DMARC: Add TXT record "_dmarc" with policy (start with p=none)
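Checking the three records from PowerShell, as an added example that is not from the original guide: it verifies the SPF record, enables DKIM only once both selector CNAMEs resolve (enabling earlier fails), and confirms a DMARC record exists. `contoso.example` is a placeholder domain; the module names are the standard Exchange Online and Windows DNS client modules.

```powershell
# Added example, not from the original guide. Assumes the ExchangeOnlineManagement
# module and Resolve-DnsName (Windows DnsClient). The domain is a placeholder.
Connect-ExchangeOnline
$domain = "contoso.example"

# SPF: expect the guide's record, including a hard fail (-all) for unlisted senders.
$spfTxt = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Strings -join "" } | Where-Object { $_ -like "v=spf1*" } | Select-Object -First 1
if (-not $spfTxt) {
    Write-Warning "No SPF record: publish TXT 'v=spf1 include:spf.protection.outlook.com -all'"
} elseif ($spfTxt -notmatch 'include:spf\.protection\.outlook\.com' -or $spfTxt -notmatch '\s-all\s*$') {
    Write-Warning "SPF found but not the recommended hard-fail record: $spfTxt"
}

# DKIM: the signing config exposes the two CNAME targets that must exist in public
# DNS. Create it disabled if absent, then enable only when both selectors resolve.
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim) { $dkim = New-DkimSigningConfig -DomainName $domain -Enabled $false }
$selectors = @{ selector1 = $dkim.Selector1CNAME; selector2 = $dkim.Selector2CNAME }
$published = $true
foreach ($name in $selectors.Keys) {
    $rr = Resolve-DnsName -Name "$name._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue
    if (-not $rr) {
        $published = $false
        Write-Warning "Missing CNAME: $name._domainkey.$domain -> $($selectors[$name])"
    }
}
if ($published -and -not $dkim.Enabled) { Set-DkimSigningConfig -Identity $domain -Enabled $true }

# DMARC: p=none collects aggregate reports without affecting delivery; tighten to
# quarantine and then reject once the reports show SPF/DKIM alignment is clean.
$dmarcTxt = Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Strings -join "" } | Where-Object { $_ -like "v=DMARC1*" } | Select-Object -First 1
if ($dmarcTxt) { "DMARC: $dmarcTxt" }
else { Write-Warning "No DMARC record: publish TXT _dmarc.$domain 'v=DMARC1; p=none; rua=mailto:dmarc-reports@$domain'" }
```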

Block Auto-Forwarding to External Domains

High

Prevents attackers from silently forwarding emails after compromise.

+5 Secure Score points

Implementation Steps:

  1. Exchange admin center → Mail flow → Rules
  2. Create rule: If sender is inside org AND recipient is outside org AND message type is auto-forward → Block
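The same rule built in Exchange Online PowerShell, as an added example that is not from the original guide. It also turns off automatic forwarding in the default outbound spam policy and lists forwarding that already exists, since a new rule does not clean up rules created before it; the rule name and reject text are placeholders.

```powershell
# Added example, not from the original guide. Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# Transport rule with the guide's three conditions. Rejecting with an NDR rather
# than silently dropping means the mailbox owner sees the attempt.
New-TransportRule -Name "Block auto-forward to external domains" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -RejectMessageReasonText "Automatic forwarding to external domains is not permitted." `
    -Mode Enforce -Priority 0

# The outbound spam policy has its own automatic-forwarding control; Off blocks
# client-side forwarding rules and SMTP forwarding as well.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Review forwarding that predates the rule: mailbox-level SMTP forwarding and
# inbox rules that forward or redirect. Treat unexpected entries as incidents.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    if ($mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Kind = "ForwardingSmtpAddress"; Target = $mbx.ForwardingSmtpAddress }
    }
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Kind    = "InboxRule: $($_.Name)"
                Target  = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join "; "
            }
        }
} | Format-Table -AutoSize
```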

Enable Mailbox Auditing

High

Track mailbox access and actions for forensic investigations.

+4 Secure Score points

Implementation Steps:

  1. Enabled by default since 2019, but verify
  2. PowerShell: Get-OrganizationConfig | FL AuditDisabled
  3. Should return "False"

Device Security (Intune)

Control what devices can access corporate data.

Require Device Compliance for Access

Critical

Only compliant, managed devices should access corporate resources.

+10 Secure Score points

Implementation Steps:

  1. Intune → Devices → Compliance policies
  2. Create policies for Windows, iOS, Android
  3. Require encryption, password, up-to-date OS
  4. Integrate with Conditional Access to enforce

Enable Microsoft Defender for Endpoint

High

EDR capabilities detect and respond to threats on managed devices.

+12 Secure Score points

Implementation Steps:

  1. Requires Microsoft 365 E5 or Defender for Endpoint P2
  2. Onboard devices through Intune
  3. Configure attack surface reduction rules
  4. Enable automated investigation and remediation

Configure App Protection Policies

High

Protect corporate data on personal devices (BYOD) without full MDM.

+6 Secure Score points

Implementation Steps:

  1. Intune → Apps → App protection policies
  2. Require PIN/biometric for corporate apps
  3. Prevent copy/paste to non-corporate apps
  4. Require minimum OS version

Data Protection

Classify and protect sensitive information.

Enable Sensitivity Labels

High

Classify and protect documents based on sensitivity.

+8 Secure Score points

Implementation Steps:

  1. Microsoft Purview → Information protection → Labels
  2. Create labels: Public, Internal, Confidential, Highly Confidential
  3. Apply encryption and access restrictions to sensitive labels
  4. Enable auto-labeling for files containing sensitive data

Configure Data Loss Prevention (DLP)

High

Prevent accidental sharing of sensitive information.

+10 Secure Score points

Implementation Steps:

  1. Microsoft Purview → Data loss prevention → Policies
  2. Create policies for credit cards, SSNs, health records
  3. Apply to Exchange, SharePoint, OneDrive, Teams
  4. Start with "Test" mode, then enable blocking

Enable Unified Audit Log

High

Centralized logging for security investigations.

+5 Secure Score points

Implementation Steps:

  1. Microsoft Purview → Audit
  2. Verify auditing is enabled
  3. Configure retention (90 days default, extend if needed)
  4. Set up alerts for suspicious activities
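Verifying both audit settings from this section and the earlier Mailbox Auditing section, then running one sample search of the kind an alert would be built on, as an added example that is not from the original guide. The 7-day window and the choice of inbox-rule operations are illustrative.

```powershell
# Added example, not from the original guide. Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# 1. Tenant-wide mailbox auditing (Mailbox Auditing section): AuditDisabled must be False.
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning "Mailbox auditing is off tenant-wide. Fix: Set-OrganizationConfig -AuditDisabled `$false"
}

# 2. Unified audit log ingestion: without it, Search-UnifiedAuditLog returns nothing
#    and Purview alerts have no data to fire on.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log is off. Fix: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
}

# 3. Sample investigation query: inbox rules created or changed in the last 7 days
#    that forward or redirect mail, a common post-compromise persistence step.
#    AuditData is a JSON string; its Parameters array carries the cmdlet arguments.
$results = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations "New-InboxRule", "Set-InboxRule" -ResultSize 5000
foreach ($r in $results) {
    $data   = $r.AuditData | ConvertFrom-Json
    $params = @{}
    foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }
    if ($params.ForwardTo -or $params.ForwardAsAttachmentTo -or $params.RedirectTo) {
        [pscustomobject]@{
            When     = $r.CreationDate
            User     = $r.UserIds
            Op       = $r.Operations
            Target   = ($params.ForwardTo, $params.ForwardAsAttachmentTo, $params.RedirectTo) -join " "
            ClientIP = $data.ClientIP
        }
    }
}
```

The same filter, expressed as a Purview alert policy on the `New-InboxRule`/`Set-InboxRule` operations, is a reasonable first alert to configure under step 4.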

SharePoint & OneDrive

Control file sharing and external access.

Restrict External Sharing

High

Limit who can share files externally and how.

+6 Secure Score points

Implementation Steps:

  1. SharePoint admin center → Policies → Sharing
  2. Restrict to "New and existing guests" or stricter
  3. Require guests to sign in
  4. Set expiration for guest access (90 days recommended)

Block Sync from Unmanaged Devices

Medium

Prevent downloading corporate files to personal devices.

+4 Secure Score points

Implementation Steps:

  1. SharePoint admin center → Settings → Sync
  2. Enable "Allow syncing only on computers joined to specific domains"
  3. Add your Entra ID tenant
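The sharing restrictions from the previous section and the sync restriction from this one, applied with the SharePoint Online Management Shell, as an added example that is not from the original guide. The admin URL and the domain GUID are placeholders.

```powershell
# Added example, not from the original guide. Assumes Microsoft.Online.SharePoint.PowerShell.
# Placeholder admin URL; replace "contoso" with your tenant name.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# External sharing: "New and existing guests" maps to ExternalUserSharingOnly, which
# also removes anonymous "Anyone" links. Guests must sign in with the invited account,
# and guest access expires after 90 days as the guide recommends.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -RequireAcceptingAccountMatchInvitedAccount $true `
    -ExternalUserExpirationRequired $true `
    -ExternalUserExpireInDays 90

# Sync restriction: OneDrive sync only from computers joined to the listed domain(s).
# DomainGuids takes the GUID(s) of the domains whose joined computers may sync; placeholder shown.
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids "00000000-0000-0000-0000-000000000000"

# Verify the resulting tenant state.
Get-SPOTenant | Select-Object SharingCapability, RequireAcceptingAccountMatchInvitedAccount,
    ExternalUserExpirationRequired, ExternalUserExpireInDays
Get-SPOTenantSyncClientRestriction
```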

Enable Versioning and Recycle Bin

Medium

Ransomware recovery through file versioning.

+3 Secure Score points

Implementation Steps:

  1. Already enabled by default
  2. Verify: Site settings → Site collection features → Versioning
  3. Consider extending recycle bin retention

Quick Wins (Do These First)

  1. Enable Security Defaults: free, instant MFA protection for all users
  2. Block Legacy Authentication: closes a major security gap
  3. Enable Safe Attachments and Safe Links: blocks malicious content in email
  4. Configure DMARC/DKIM/SPF: prevents email spoofing
  5. Block External Email Forwarding: prevents data exfiltration

Need Help Securing Microsoft 365?

Our team can assess your M365 security posture and implement these configurations for you.