Microsoft 365 Security Best Practices: Protecting Your Organization's Cloud Identity
🛡️ Security Intermediate 22 min read

Microsoft 365 Security Best Practices: Protecting Your Organization's Cloud Identity

Microsoft 365 is the backbone of enterprise productivity—and a prime target for attackers.

Published: December 11, 2025 • Updated: December 11, 2025
AB
Anthony Bahn IT Director & Cybersecurity Consultant
Microsoft 365Entra IDAzure ADConditional AccessOAuthIdentity SecurityZero TrustEnterprise SecurityMFA

Microsoft 365Microsoft 365🌐Microsoft's subscription-based cloud productivity suite including Office applications, Exchange Online, SharePoint, and Teams. powers over 345 million paid commercial seats worldwide, making it the world's most widely deployed enterprise productivity platform. This ubiquity makes it an irresistible target for attackers. From consent phishingConsent PhishingPhishing🛡️A social engineering attack using fake emails or websites to steal login credentials or personal info.🛡️A social engineering attack where victims are tricked into granting malicious applications OAuthOAuth🛡️An open standard authorization protocol that allows applications to access user resources without exposing passwords, using tokens instead of credentials. permissions, giving attackers persistent access to their accounts. campaigns like ConsentFix to sophisticated business email compromise schemes, threat actors have developed extensive toolkits specifically designed to compromise Microsoft 365 environments.

The challenge for security teams is that Microsoft 365 security isn't a single setting—it's a complex web of identity controls, application permissions, conditional policies, and monitoring capabilities spread across multiple admin portals. Default configurations prioritize usability over security, leaving organizations vulnerable until they implement deliberate hardening measures.

This guide provides a comprehensive, actionable framework for securing Microsoft 365 environments. We'll cover identity security fundamentals with Microsoft Entra IDMicrosoft Entra ID🛡️Microsoft's cloud-based identity and access management service (formerly Azure Active Directory), providing authentication, SSO, and security features for Microsoft 365 and other applications. (formerly Azure Active Directory), building effective Conditional AccessConditional Access🛡️A Microsoft Entra ID feature that evaluates signals about users, devices, and locations to make real-time access decisions. policies, controlling OAuth application consent, implementing robust monitoring, and defending against token-based attacks. Whether you're hardening an existing deployment or building security into a new tenant from day one, these practices will significantly reduce your attack surface.

The strategies outlined here align with Microsoft's own security recommendations and Zero TrustZero Trust🛡️A security model that requires strict verification for every user and device trying to access resources, regardless of whether they're inside or outside the network perimeter. principles. They're designed to be implemented incrementally—you don't need to do everything at once, but each control you enable closes attack vectors that threat actors actively exploitExploit🛡️Code or technique that takes advantage of a vulnerability to cause unintended behavior, such as gaining unauthorized access..

Understanding Microsoft 365 Identity Security

In Microsoft 365, identity is the security perimeter. Unlike traditional on-premises networks protected by firewalls, cloud services are accessible from anywhere—making the user's identity the primary gate that controls access to corporate data.

Microsoft Entra ID: The Identity Foundation

Microsoft Entra ID (formerly Azure Active Directory) is the identity provider that authenticates users and authorizes access to Microsoft 365 services. Every sign-in to Outlook, Teams, SharePoint, or OneDrive goes through Entra ID. This centralization is both a strength (single place to enforce policy) and a risk (compromise Entra ID, compromise everything).

Entra ID offers three license tiers with progressively stronger security features:

  • Free: Basic user management, Security DefaultsSecurity Defaults🛡️A set of basic identity security settings in Microsoft Entra ID that enable MFA, block legacy authentication, and protect privileged accounts—recommended for organizations without premium licenses. (basic MFA), self-service password reset
  • P1: Conditional Access, group-based access management, hybrid identity features
  • P2: Identity ProtectionIdentity Protection🛡️A Microsoft Entra ID Premium feature that uses machine learning to detect risky sign-ins and user behaviors, automatically enforcing remediation like MFA challenges or password resets. (risk-based policies), Privileged Identity Management (PIM), access reviews

    • Most of the advanced security features covered in this guide require at least Entra ID P1. Organizations with high-value targets or regulatory requirements should strongly consider P2 for risk-based controls.

    The M365 Attack Surface

    Attackers target Microsoft 365 through multiple vectors:

  • Credential theft: Phishing, password spraying, credential stuffing
  • Token theft: Stealing OAuth tokens to bypass authentication entirely
  • Consent phishing: Tricking users into granting malicious apps OAuth permissions
  • Legacy protocol abuse: Exploiting protocols that don't support MFA
  • Admin account compromise: Targeting Global Admins for maximum access

    • Essential Entra ID Configuration

    Before implementing advanced features, ensure these foundational settings are properly configured.

    Security Defaults vs. Conditional Access

    Security Defaults is Microsoft's baseline security configuration, available to all tenants for free. When enabled, it requires MFA registration for all users, challenges admins with MFA on every sign-in, blocks legacy authenticationLegacy Authentication🛡️Older authentication protocols (POP, IMAP, SMTP AUTH, older Office clients) that don't support modern security features like MFA, making them prime targets for credential attacks. protocols, and protects privileged actions.

    Recommendation: Organizations without Entra ID P1 should enable Security Defaults immediately. Organizations with P1 or P2 should disable Security Defaults and implement Conditional Access policies for more granular control.

    Protect Administrative Accounts

    Global Administrators have complete control over your tenant. Protect these accounts with extreme diligence:

  • Limit Global Admin count: Microsoft recommends fewer than 5 Global Admins. Use least-privilege roles instead.
  • Use dedicated admin accounts: Admins should have separate accounts for admin work (admin@) and daily tasks (regular account).
  • Require phishing-resistant MFA: Admins should use hardware security keys (FIDO2) or Windows Hello, not SMS or phone calls.
  • Create emergency access accounts: Two cloud-only break-glass accounts excluded from Conditional Access, secured with long random passwords stored offline.

    • Block Legacy Authentication

    Legacy protocols like POP, IMAP, and SMTP AUTH don't support modern authentication or MFA, making them perfect for password spray attacks. Block them with Conditional Access or Security Defaults. Before blocking, audit current usage via Sign-in logs to identify apps that need migration to modern authentication.

    Conditional Access Policies

    Conditional Access is the cornerstone of Zero Trust in Microsoft 365. These policies evaluate sign-in context (who, what, where, how) and enforce appropriate controls (allow, block, require MFA, require compliant device).

    Essential Conditional Access Policies

    Every organization should implement these baseline policies:

    1. Require MFA for All Users

    The single most impactful security control. Microsoft reports that MFA blocks 99.9% of account compromise attacks. Create a policy targeting All Users, All Cloud Apps, requiring multifactor authentication as a grant control. Exclude your emergency access accounts.

    2. Block Legacy Authentication

    Target All Users, All Cloud Apps, with a condition filtering for legacy authentication clients. Set the access control to Block. This closes a major attack vector.

    3. Require Compliant Devices for Sensitive Access

    For sensitive applications (SharePoint, Exchange), require devices be Intune-managed and compliant. This ensures devices have proper security configurations, current patches, and endpoint protection.

    4. Block High-Risk Sign-ins

    With Entra ID P2, create policies that block sign-ins detected as high risk by Identity Protection. For medium-risk sign-ins, require MFA or password change. This provides adaptive, risk-based security.

    5. Protect Admin Portals

    Create a policy targeting admin roles (Global Admin, Security Admin, etc.) that requires phishing-resistant MFA (FIDO2 key or Windows Hello) and blocks access from non-compliant devices. Consider location restrictions to trusted networks.

    Location-Based Policies

    Named locations allow you to define trusted IP ranges and countries. Common use cases include blocking access from countries where you don't operate, requiring MFA for access outside trusted corporate networks, and blocking sign-ins from anonymizing proxies and VPNs (unless you use corporate VPN).

    Pro tip: Always test Conditional Access policies in Report-only mode before enforcing. This shows what would be blocked without actually disrupting users.

    OAuth App GovernanceApp Governance🛡️A Microsoft Defender for Cloud Apps feature that provides visibility into OAuth apps, detects anomalous behavior, and enables policy-based controls over third-party application access. and Consent Controls

    Consent phishing attacks like ConsentFix exploit OAuth application permissions. Controlling what apps can access your tenant is critical for defense. Learn more about how these attacks work in our guide to OAuth Security.

    Configure User Consent Settings

    Navigate to Entra ID > Enterprise Applications > Consent and permissions > User consent settings. Choose one of these options based on your risk tolerance:

  • Do not allow user consent (Recommended): All app access requires admin approval. Most secure but requires admin overhead.
  • Allow user consent for apps from verified publishers: Users can consent only to apps from Microsoft-verified organizations requesting low-impact permissions.
  • Allow user consent for all apps: Not recommended—this is what attackers exploit.

    • Implement Admin Consent Workflow

    If you disable user consent, enable the Admin consent request workflow so users can request access to apps they need. Admins receive requests and can evaluate whether apps are legitimate before granting tenant-wide or user-specific consent.

    Deploy App Governance

    App Governance (part of Microsoft Defender for Cloud Apps) provides advanced OAuth app monitoring and control:

  • Visibility: See all OAuth apps with access to your tenant, their permissions, and which users authorized them
  • Anomaly detection: Alerts on unusual app behavior like data exfiltrationData Exfiltration🛡️The unauthorized transfer of data from a computer or network, often performed by attackers before deploying ransomware to enable double extortion. or excessive API calls
  • Policy enforcement: Create policies to automatically disable apps meeting certain risk criteria

    • Regularly Audit Existing Consents

    Review currently authorized apps quarterly. Look for apps with excessive permissions (Mail.ReadWrite, Mail.Send, Files.ReadWrite.All), apps from unverified publishers, apps with no business justification, and apps authorized by users who have since left the organization. Revoke access for any suspicious or unnecessary applications.

    Monitoring and Alerting

    Security controls are ineffective without visibility. Microsoft 365 provides extensive logging—but you need to enable, retain, and actually monitor these logs.

    Enable Unified Audit LogUnified Audit Log🛡️A centralized logging system in Microsoft 365 that records user and admin activities across Exchange, SharePoint, Teams, and other services for security monitoring and compliance.

    The Unified Audit Log is not enabled by default. Enable it in the Microsoft Purview compliance portal. This log captures user and admin activities across Exchange, SharePoint, OneDrive, Teams, Power BI, and more. Retention is 90 days by default; consider extending with Audit (Premium) or exporting to external SIEM.

    Critical Events to Monitor

    Create alerts for these high-risk activities:

  • OAuth consent events: "Consent to application" activities, especially for high-privilege scopes
  • Admin role changes: Any additions to Global Admin, Exchange Admin, or other privileged roles
  • Mail rules: Creation of forwarding rules or inbox rules that delete/hide messages (common BEC indicator)
  • eDiscovery: Searches by non-legal/compliance users (potential data exfiltration)
  • Anonymous link creation: SharePoint/OneDrive links accessible without authentication
  • Conditional Access failures: Blocked sign-ins from suspicious locations

    • Microsoft Sentinel Integration

    For enterprise environments, Microsoft Sentinel provides cloud-native SIEM capabilities with built-in M365 connectors, pre-built detection rules for common M365 attacks, automated investigation and response playbooks, and long-term log retention.

    Protecting Against Token-Based Attacks

    OAuth token theft is increasingly common because tokens bypass MFA—if an attacker steals your refresh tokenRefresh Token🛡️A long-lived credential used to obtain new access tokens without requiring the user to re-authenticate, enabling persistent application access., they don't need your password or second factor. Understanding these attacks is crucial; see our guide to OAuth Security for a deep dive.

    Enable Continuous Access Evaluation (CAE)

    Continuous Access Evaluation enables near real-time token revocation. Without CAE, access tokens are valid until expiry (typically 1 hour)—even if you disable the user account, revoke sessions, or the user's risk level changes. CAE allows Entra ID to push critical events to applications, invalidating tokens within minutes rather than hours.

    CAE responds to user disabled/deleted, password changed, MFA required by admin, session revoked, and high user risk detected (with P2).

    Token ProtectionToken Protection🛡️Security measures that bind OAuth tokens to specific devices or sessions, preventing stolen tokens from being replayed on attacker-controlled systems. (Preview)

    Token Protection binds tokens to specific devices using cryptographic proof-of-possession. Even if a token is stolen, it cannot be used from a different device. This significantly mitigates token theft attacks. Enable via Conditional Access by requiring token protection as a session control.

    Configure Sign-in Frequency

    Conditional Access can require periodic reauthentication. For high-risk applications or sensitive admin portals, consider requiring fresh authentication every 4-8 hours rather than allowing persistent sessions.

    MFA Best Practices: Beyond Basic MFA

    Enabling MFA is step one. Optimizing it for security and usability requires more nuance.

    MFA Method Hierarchy

    Not all MFA is equal. From strongest to weakest:

  • FIDO2 security keys and Passkeys: Phishing-resistant, strongest option
  • Windows Hello for Business: Hardware-bound, phishing-resistant
  • Microsoft Authenticator (number matching): Good protection with fatigue resistance
  • Microsoft Authenticator (push): Convenient but vulnerable to MFA fatigue
  • TOTP apps: Better than SMS, but codes can be phished
  • SMS/Voice: Weakest—vulnerable to SIM swapping and interception

    • Enable Number Matching and Context

    If using Microsoft Authenticator, enable number matching (users must enter a displayed number rather than just tapping Approve) and additional context (shows app name and location). These features combat MFA fatigue attacks like the one used in the Uber breach.

    Disable Weak Methods for Admins

    Use Authentication methods policies to disable SMS and voice for administrative accounts. Require these high-value accounts to use phishing-resistant methods only.

    Zero Trust Implementation in Microsoft 365

    Zero Trust operates on the principle "never trust, always verify." Instead of assuming everything inside the corporate network is safe, Zero Trust verifies every access request as if it originates from an untrusted network.

    Zero Trust Pillars in M365

  • Identity: Strong authentication (MFA), Conditional Access, Identity Protection
  • Devices: Device complianceDevice Compliance🛡️The state of a device meeting organizational security requirements such as encryptionEncryption🛡️The process of converting data into a coded format that can only be read with the correct decryption key., up-to-date OS, and PIN configuration. with Intune, endpoint protection with Defender
  • Applications: OAuth app governance, Defender for Cloud Apps
  • Data: Information Protection labels, DLP policies
  • Infrastructure: Secure Score monitoring, security configuration management
  • Network: Network segmentation, VPN/proxy controls

    • Microsoft Secure Score provides a measurement of your organization's security posture and recommendations for improvement. Review it regularly and prioritize actions that address high-impact risks.

    Security Checklist for Administrators

    Use this checklist to assess and improve your Microsoft 365 security posture:

    Immediate Actions (Do Today)

  • Enable Security Defaults OR implement Conditional Access MFA for all users
  • Verify fewer than 5 Global Administrators exist
  • Enable Unified Audit Log
  • Review and restrict user consent settings for OAuth apps
  • Create emergency access (break-glass) accounts

    • This Week

  • Block legacy authentication via Conditional Access
  • Audit existing OAuth app consents and revoke suspicious apps
  • Enable Microsoft Authenticator number matching
  • Configure alerts for admin role changes and consent events

    • This Month

  • Implement device compliance requirements for sensitive apps
  • Deploy phishing-resistant MFA for administrators (FIDO2 keys)
  • Enable Privileged Identity Management (PIM) for admin roles
  • Review Microsoft Secure Score and address top recommendations

    • Quarterly

  • Review and recertify admin role assignments
  • Audit OAuth apps and user consents
  • Test emergency access accounts
  • Conduct phishing simulations for user awareness

    • Conclusion

    Microsoft 365 security is not a destination—it's a continuous process of configuration, monitoring, and adaptation. The threat landscape evolves constantly; attacks like consent phishing and MFA fatigue didn't exist a few years ago but are now significant risks.

    The controls outlined in this guide—strong Conditional Access policies, restricted OAuth consent, comprehensive monitoring, phishing-resistant MFA, and Zero Trust architecture—significantly reduce your attack surface. More importantly, they position your organization to adapt as new threats emerge.

    Start with the immediate actions on the checklist, then systematically work through the rest. Each control you implement closes doors that attackers actively try to open. Your users may not notice the security measures working silently in the background—but you'll notice the absence of incidents that might have succeeded otherwise.

    Related Reading

    For technical details on OAuth attacks targeting Microsoft 365, read our guide on Understanding OAuth Security. To understand the social engineeringSocial Engineering🛡️The psychological manipulation of people into performing actions or divulging confidential information, exploiting human trust rather than technical vulnerabilities. tactics used to trick users into granting malicious app permissions, see Social Engineering Attacks Explained. For the latest news on threats affecting Microsoft environments, check our coverage of the ConsentFix phishing kit and other security alerts.

    Keep Learning

  • What is Two-Factor Authentication? — Enable MFA for all Microsoft 365 users
  • Understanding OAuth Security — Manage Azure AD app permissions safely
  • Social Engineering Attacks — Protect users from phishing attacks
  • What is Patch Tuesday? — Keep Microsoft 365 updated and secure

    • Frequently Asked Questions

    How do I know if my systems are affected by these vulnerabilities?

    Check vendor advisories for affected versions, use vulnerabilityVulnerability🛡️A weakness in software, hardware, or processes that can be exploited by attackers to gain unauthorized access or cause harm. scanners, review your asset inventory, and monitor CISA's Known Exploited Vulnerabilities catalog for active threats requiring immediate attention.

    What are the most critical security settings in Microsoft 365?

    Enable Security Defaults or Conditional Access, require MFA for all users, disable legacy authentication, configure alert policies, and regularly review the Microsoft Secure Score recommendations.

    What firewallFirewall🌐Security system that monitors and controls network traffic based on predetermined rules. rules should every organization have?

    Start with a deny-all default policy, allow only required traffic, segment your network, log all denied connections, regularly audit rules, and remove obsolete entries. Defense-in-depth is key.

    What will I learn from this article?

    Microsoft 365 is the backbone of enterprise productivity—and a prime target for attackers.

    📦 Related Reviews

    Put your knowledge to use with these expert-reviewed products

    📚 Keep Learning

    Continue your journey with these related guides

    📰 Latest Security News

    🛡️ Unleash Protocol Loses $3.9M in Unauthorized Smart Contract Upgrade Attack Dec 31 🛡️ RansomHouse Ransomware Upgrades to Advanced 'Mario' Encryptor With Multi-Layer Encryption Dec 21 🛡️ Critical Fortinet SSO Vulnerabilities Under Active Exploitation — Admin Accounts and Config Files Targeted Dec 16
    Back to All Guides