
The M365 Security Hardening Checklist

Microsoft 365 ships with permissive defaults that leave your organization exposed. Use this actionable checklist to harden your tenant against common attack vectors, from MFA enforcement to mailbox auditing.

StrategixIT · 7 min read

Your M365 Tenant Is Probably Misconfigured

Microsoft 365 is the backbone of most small and mid-sized businesses: email, file storage, collaboration, identity. It is also one of the most targeted platforms by attackers because the default configuration prioritizes usability over security.

Out of the box, many tenants still permit legacy authentication, do not enforce multi-factor authentication for every user, allow unrestricted external sharing, and run with audit settings nobody has ever verified. Microsoft has tightened some defaults in recent years (Security Defaults for tenants created since late 2019, Basic authentication switched off in Exchange Online for everything except SMTP AUTH, unified audit logging on for new tenants), but tenants created earlier often kept their original settings, and none of the newer defaults give you the control that a Conditional Access policy does. The permissive defaults made sense when Microsoft was competing for adoption. They do not make sense when your tenant contains financial records, customer data, and intellectual property.

This checklist covers the high-impact hardening steps we implement for every client. Each item is practical, actionable, and does not require an E5 license unless noted; most assume Microsoft 365 Business Premium or E3, both of which include Entra ID P1 and therefore Conditional Access.

Identity and Access Controls

Enforce Multi-Factor Authentication for All Users

This is non-negotiable. Microsoft's own telemetry puts MFA at blocking more than 99% of automated account-compromise attacks. Configure it through Conditional Access policies (not per-user MFA or Security Defaults) for granular control. Conditional Access requires Entra ID P1, which Business Premium and E3 include; if you only have the free tier, turn on Security Defaults rather than leaving MFA unenforced.

What to configure:

  • Create a Conditional Access policy requiring MFA for all users, all cloud apps. Start it in report-only mode and review the Sign-in logs before switching it to On
  • Exclude at least two break-glass emergency access accounts (cloud-only, 30+ character passwords stored in a physical safe, and an alert on any sign-in from them)
  • Use the sign-in frequency session control: re-authenticate every 30 days on compliant devices, every sign-in on unmanaged devices
  • Block legacy authentication protocols entirely. They cannot perform MFA and are a primary attack vector

Lock Down Admin Accounts

Admin accounts are the highest-value targets in your tenant. Treat them accordingly.

What to configure:

  • Dedicate separate admin accounts (no daily-driver admin accounts), cloud-only rather than synced from on-premises AD, and ideally without a mailbox so they cannot be phished
  • Require phishing-resistant MFA (FIDO2 security keys, passkeys, Windows Hello for Business, or certificate-based authentication) for all admin roles, enforced with a Conditional Access authentication strength
  • Keep Global Administrator assignments to the minimum. Microsoft recommends at least two (so one can recover the other) and fewer than five; use least-privileged roles such as Exchange Administrator or User Administrator for day-to-day work
  • Use Privileged Identity Management (PIM) for just-in-time admin access (requires Entra ID P2)
  • Review admin role assignments monthly. Remove any that are no longer needed

Block Legacy Authentication

Legacy authentication protocols (POP3, IMAP, SMTP AUTH, ActiveSync with basic auth, and older Office clients that cannot use modern authentication) do not support MFA, so a guessed or stolen password is enough. Attackers run credential stuffing and password spraying against these protocols daily. Exchange Online has had Basic authentication turned off for most protocols since early 2023, but SMTP AUTH is the exception, and a Conditional Access block is still the control that closes the gap tenant-wide.

What to configure:

  • Create a Conditional Access policy blocking legacy authentication for all users (client app types “Exchange ActiveSync clients” and “Other clients”), and run it in report-only mode first
  • Check the Sign-in logs (filter Client app to the legacy values) for any remaining legacy auth connections before enforcing; multifunction printers and scan-to-email devices are the usual stragglers
  • Migrate any applications still using basic auth to modern authentication (OAuth 2.0), then disable SMTP AUTH tenant-wide with Set-TransportConfig -SmtpClientAuthenticationDisabled $true and re-enable it per mailbox only where a device truly needs it
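The two Conditional Access policies from the sections above, built with Microsoft Graph PowerShell as an added example (this is not code from the original article). It assumes the Microsoft.Graph module is installed, that you hold the Conditional Access Administrator role, and that the break-glass account UPN is a placeholder you replace. Both policies are created in report-only mode, and the last step lists the legacy-client sign-ins over the past seven days that the block policy would have affected.

```powershell
# Added example: create the "block legacy auth" and "require MFA" Conditional Access
# policies in report-only mode with Microsoft Graph PowerShell, then check the Sign-in
# logs for legacy clients. Not from the original article; the UPN below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All", "AuditLog.Read.All"

# Break-glass account (assumed name); excluded so a bad policy cannot lock out the tenant.
$breakGlassId = (Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com").Id

# Client app types that cannot complete MFA: basic-auth ActiveSync, and "other"
# (POP3, IMAP, SMTP AUTH, older Office clients).
$blockLegacyAuth = @{
    displayName   = "CA001 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # flip to "enabled" after review
    conditions    = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# MFA for everyone on every cloud app, re-prompted every 30 days. The stricter
# every-sign-in frequency for unmanaged devices belongs in a second policy scoped
# with a device filter and is not shown here.
$requireMfa = @{
    displayName     = "CA002 - Require MFA for all users"
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{ signInFrequency = @{ isEnabled = $true; type = "days"; value = 30 } }
}

foreach ($policy in @($blockLegacyAuth, $requireMfa)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State
}

# Who would the block policy hit? Legacy client sign-ins from the last 7 days, grouped
# by user and protocol. These are the clientAppUsed values the Sign-in logs report.
$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacy = "clientAppUsed eq 'Exchange ActiveSync' or clientAppUsed eq 'Other clients' or " +
          "clientAppUsed eq 'IMAP4' or clientAppUsed eq 'POP3' or clientAppUsed eq 'Authenticated SMTP'"
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and ($legacy)" -All |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Leave both policies in report-only mode for a week, review the report-only results and the sign-in list, fix the stragglers (usually a scanner or a service account), then change the state to enabled.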

Email Security

Enable Safe Links and Safe Attachments

These Defender for Office 365 features provide time-of-click URL scanning and sandboxed attachment analysis. They require Defender for Office 365 Plan 1 or 2, which Microsoft 365 Business Premium includes; E3 tenants need the add-on.

What to configure:

  • Enable Safe Links for email messages, Microsoft Teams, and Office apps
  • Turn on real-time URL scanning (“Apply real-time URL scanning for suspicious links and links that point to files”) and “Wait for URL scanning to complete before delivering the message”, so links are checked at click time as well as at delivery
  • Enable Safe Attachments with Dynamic Delivery (delivers the email body immediately while attachments are scanned), and turn on Safe Attachments for SharePoint, OneDrive, and Teams
  • Apply to all recipients. Do not leave gaps in coverage; the built-in Standard or Strict preset security policies are the quickest way to get consistent coverage

Configure Anti-Phishing Policies

Default anti-phishing policies are permissive. Tighten them.

What to configure:

  • Enable user impersonation protection for your executives and other high-value targets (CEO, CFO, HR, finance approvers), and domain impersonation protection for your own domains and key suppliers
  • Enable mailbox intelligence and its impersonation protection action, so Defender learns each user's normal contacts and flags senders that imitate them
  • Set the phishing email threshold to “More aggressive” (level 3) to start and move to “Most aggressive” (level 4) once you have tuned false positives; level 4 is what the Strict preset uses
  • Configure notifications so your security team sees quarantined messages, and confirm the quarantine policy actually alerts someone

Restrict Automatic Email Forwarding

Attackers who compromise a mailbox often set up forwarding rules to exfiltrate data silently. This is one of the first things they do.

What to configure:

  • Turn automatic forwarding off in the outbound spam filter policy (Anti-spam outbound policy, “Automatic forwarding” set to Off) or, if you need exceptions, create a mail flow rule that blocks auto-forwarded messages to external domains for everyone else
  • Set AutoForwardEnabled to $false on the default remote domain (Set-RemoteDomain Default -AutoForwardEnabled $false) so client-created inbox rules cannot forward externally
  • Audit existing mailbox rules and mailbox-level forwarding (ForwardingSmtpAddress) for anything unauthorized. Use Get-InboxRule across all mailboxes
  • Alert on new forwarding rules and mailbox forwarding changes going forward (the built-in “Creation of forwarding/redirect rule” alert policy covers the first)
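The audit step above, carried out as an added example in Exchange Online PowerShell (not code from the original article). It assumes the ExchangeOnlineManagement module and an Exchange Administrator role. It reports the two forwarding paths a compromised mailbox can use without admin rights: user-settable SMTP forwarding on the mailbox itself, and inbox rules that forward or redirect. Accepted domains are treated as internal; everything else is flagged.

```powershell
# Added example (not from the article): find external mail forwarding across all mailboxes.
# Requires ExchangeOnlineManagement and an Exchange admin role.
Connect-ExchangeOnline

# Anything addressed to one of the tenant's accepted domains is internal.
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalAddress {
    param([string]$Address)
    # Rule recipients look like  "Display Name" [SMTP:user@domain]  ; mailbox forwarding
    # looks like  smtp:user@domain  . Pull out the bare address in both cases.
    if ($Address -match 'SMTP:([^\]\s]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1]
    return -not ($internalDomains -contains $domain)
}

$findings  = @()
$mailboxes = Get-EXOMailbox -ResultSize Unlimited `
    -Properties UserPrincipalName, ForwardingSmtpAddress, DeliverToMailboxAndForward

foreach ($mbx in $mailboxes) {
    # 1. Mailbox-level forwarding that the user (or an attacker with the user's token) can set.
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Type = "ForwardingSmtpAddress"
            Target  = $mbx.ForwardingSmtpAddress; Rule = $null
            KeepsCopy = $mbx.DeliverToMailboxAndForward   # $false means the owner never sees the mail
        }
    }
    # 2. Inbox rules. ForwardTo, ForwardAsAttachmentTo and RedirectTo all move mail out;
    #    redirect is the stealthiest because the original never lands in the inbox.
    $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalAddress "$t") {
                $findings += [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName; Type = "InboxRule"
                    Target  = "$t"; Rule = $rule.Name; KeepsCopy = -not $rule.DeleteMessage
                }
            }
        }
    }
}

$findings | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\external-forwarding.csv

# Remediation after review (commented out so the script stays read-only):
#   Set-Mailbox -Identity <upn> -ForwardingSmtpAddress $null
#   Disable-InboxRule -Mailbox <upn> -Identity "<rule name>"
# And close the door for everyone:
#   Set-RemoteDomain Default -AutoForwardEnabled $false
#   Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Get-InboxRule is a per-mailbox call, so this takes a while on large tenants; run it off-hours and keep the CSV as a baseline so the next run only has to explain the differences.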

Data Protection and Sharing

Restrict External Sharing in SharePoint and OneDrive

The organization-level external sharing setting defaults to “Anyone”, which permits anonymous links that anyone holding the URL can open, with no sign-in and no record of who used them. This is a data leak waiting to happen.

What to configure:

  • Set SharePoint external sharing to “Existing guests” or “Only people in your organization” for sensitive sites, and no higher than “New and existing guests” at the organization level
  • Require guests to authenticate (disable anonymous access links)
  • Set link expiration to 30 days maximum for any external shares
  • Disable “Anyone” links organization-wide unless there is a documented business need
  • Review existing shared links quarterly and revoke stale access
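The sharing settings above, shown as the weak default beside the hardened configuration in SharePoint Online Management Shell. This is an added example, not code from the original article; it assumes the Microsoft.Online.SharePoint.PowerShell module, the SharePoint Administrator role, and “contoso” as a placeholder tenant name.

```powershell
# Added example (not from the article): show the current sharing posture, apply the
# hardened org-wide settings, and lock down a sensitive site. "contoso" is a placeholder.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Before: on a default tenant SharingCapability is ExternalUserAndGuestSharing ("Anyone")
# and RequireAnonymousLinksExpireInDays is -1 (links never expire).
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission, `
    RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType

# After: guests must sign in (no "Anyone" links), new links default to people in the
# organization with view-only permission, and guest access itself expires after 60 days.
# The anonymous-link settings still matter if a documented exception re-enables
# "Anyone" links on one site: they are capped at 30 days and view-only.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -RequireAnonymousLinksExpireInDays 30 `
              -FileAnonymousLinkType View `
              -FolderAnonymousLinkType View `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 60

# A site can be more restrictive than the tenant, never less. Cut a sensitive site off
# from external sharing entirely (URL is a placeholder).
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -SharingCapability Disabled

# Sites whose own setting still says "Anyone" are capped by the tenant setting, but tidy
# them up so the permission does not spring back if the tenant setting is ever relaxed.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability
```

Reviewing the individual links that already exist is a separate job (per-site sharing reports in the SharePoint admin center, or the Graph API), which is why the quarterly review is its own checklist item.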

Enable Sensitivity Labels

Sensitivity labels classify and protect data based on its content. Even basic labeling helps users identify what needs extra protection.

What to configure:

  • Create labels: Public, Internal, Confidential, Highly Confidential
  • Apply default labels to new documents and emails (Internal is a good default)
  • Enable mandatory labeling so users must classify before saving or sending
  • Configure label-based encryption for Confidential and above (requires Azure Information Protection P1, included in M365 E3 and Business Premium)

Auditing and Monitoring

Enable Unified Audit Logging

This should be on by default in newer tenants, but verify. Without audit logs, you cannot investigate incidents.

What to configure:

  • Verify the Unified Audit Log is enabled in the Purview portal, or run Get-AdminAuditLogConfig and confirm UnifiedAuditLogIngestionEnabled is True
  • Set audit log retention to at least 180 days (default is 180 days for E3, 365 days for E5; longer custom retention policies require Audit Premium)
  • Enable mailbox auditing for all mailboxes (Get-OrganizationConfig | Select AuditDisabled should return False; fix with Set-OrganizationConfig -AuditDisabled $false)
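The three verification steps above, plus the thing the audit log is actually for: a query that shows who set up mail forwarding in the last 30 days and from which IP. This is an added example in Exchange Online PowerShell, not code from the original article; it assumes the ExchangeOnlineManagement module and a role that can read the audit log.

```powershell
# Added example (not from the article): verify audit configuration, then pull recent
# forwarding-related changes from the Unified Audit Log.
Connect-ExchangeOnline

# 1. Unified audit log ingestion. Expected: True.
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# 2. Mailbox auditing on by default for the whole org. Expected: AuditDisabled = False.
Get-OrganizationConfig | Select-Object AuditDisabled
# Remediation if it is True:   Set-OrganizationConfig -AuditDisabled $false

# 3. Mailboxes excluded from auditing through a bypass association. An attacker with
#    admin rights can add one to hide their activity. Expected: nothing returned.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name

# 4. Forwarding changes in the last 30 days. New-InboxRule/Set-InboxRule cover rules made
#    through PowerShell and OWA; Set-Mailbox covers ForwardingSmtpAddress. Rules created from
#    desktop Outlook land under the UpdateInboxRules operation, whose payload is structured
#    differently and is not parsed here. ResultSize caps at 5000; add
#    -SessionCommand ReturnLargeSet and page if you need more.
$start  = (Get-Date).AddDays(-30)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) -ResultSize 5000 `
    -Operations New-InboxRule, Set-InboxRule, Set-Mailbox
$forwardingParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo',
                    'ForwardingSmtpAddress', 'ForwardingAddress'

$events | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    $hits = @($data.Parameters) | Where-Object { $_.Name -in $forwardingParams -and $_.Value }
    if ($hits) {
        [pscustomobject]@{
            When      = $_.CreationDate
            Actor     = $data.UserId      # who ran the cmdlet; may not be the mailbox owner
            Mailbox   = $data.ObjectId
            Operation = $data.Operation
            Targets   = ($hits | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
            ClientIP  = $data.ClientIP    # compare against the user's usual locations
        }
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

An Actor that is not the mailbox owner, or a ClientIP that is a VPN exit or a country the user has never signed in from, is what you are looking for; both are typical of a compromised account setting up exfiltration.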

Enable Sign-In and Activity Alerts

Proactive alerting catches compromises faster than periodic review.

What to configure:

  • Create alert policies for: impossible travel sign-ins, sign-ins from anonymous IP addresses, unfamiliar sign-in properties (these are Entra ID Protection risk detections; full detection detail and risk-based Conditional Access require Entra ID P2)
  • Alert on admin role assignments and changes
  • Alert on mail flow rule creation or modification
  • Alert on bulk file downloads from SharePoint or OneDrive
  • Route alerts to a monitored mailbox or SIEM. Alerts nobody reads are worthless

Review the Secure Score

Microsoft Secure Score provides a prioritized list of security improvements specific to your tenant configuration.

What to configure:

  • Review Secure Score monthly in the Microsoft Defender portal (security.microsoft.com)
  • Prioritize recommendations marked “High impact”
  • Document accepted risks for recommendations you choose not to implement
  • Track score changes over time. A sudden drop indicates a configuration regression

Device and Application Controls

Require Managed Devices for Sensitive Access

If users can access company data from any unmanaged personal device, your data protection controls are bypassed.

What to configure:

  • Create a Conditional Access policy requiring compliant or Entra-joined devices for desktop apps
  • Allow mobile access through approved apps only (Outlook, Teams, OneDrive) with app protection policies
  • Block access from unsupported operating systems and browsers

Restrict User Consent to Third-Party Applications

By default, users can grant third-party applications access to their M365 data through OAuth consent. Attackers exploit this through consent phishing: a user who clicks “Accept” on a malicious app's permission prompt hands the app a token that keeps working after a password reset and is not stopped by MFA, because the user authenticated legitimately and the app, not the user, now holds the access.

What to configure:

  • Set user consent to “Do not allow user consent” in Entra ID, or at most “Allow user consent for apps from verified publishers, for selected permissions” (Microsoft's low-impact permission set)
  • Implement the admin consent workflow so users can request access and designated reviewers approve
  • Audit existing app consents (Enterprise applications, Permissions, or Get-MgOauth2PermissionGrant) and revoke any that are suspicious or unnecessary, especially those holding Mail.Read, Mail.ReadWrite or Files.ReadWrite.All
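The consent lockdown and the consent audit above, as an added example in Microsoft Graph PowerShell (not code from the original article). It assumes the Microsoft.Graph module and a Global or Privileged Role Administrator; the list of scopes treated as risky is this editor's choice, based on the permissions consent-phishing apps typically ask for.

```powershell
# Added example (not from the article): disable user consent, then inventory existing
# delegated grants and flag the permission scopes consent-phishing apps usually request.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "DelegatedPermissionGrant.ReadWrite.All",
                        "Application.Read.All", "User.Read.All"

# Do this first: an empty permission-grant policy list means "Do not allow user consent".
# The verified-publisher, low-impact alternative is
#   @("managePermissionGrantsForSelf.microsoft-user-default-low")
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# Scopes that let an app read or send the user's mail and files. Assumed list, not Microsoft's.
$riskyScopes = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
               'Files.Read.All', 'Files.ReadWrite.All', 'Contacts.Read', 'offline_access'

# Cache service principal lookups; many grants point at the same app.
$spCache = @{}
function Get-SpName([string]$Id) {
    if (-not $spCache.ContainsKey($Id)) {
        $spCache[$Id] = (Get-MgServicePrincipal -ServicePrincipalId $Id -ErrorAction SilentlyContinue).DisplayName
    }
    return $spCache[$Id]
}

# Each oauth2PermissionGrant is one client app's delegated consent to one resource.
# ConsentType "AllPrincipals" is admin consent for everyone; "Principal" is one user's own consent,
# which is exactly what consent phishing produces.
$report = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $scopes = $grant.Scope -split ' ' | Where-Object { $_ }
    $hits   = $scopes | Where-Object { $_ -in $riskyScopes }
    [pscustomobject]@{
        App         = Get-SpName $grant.ClientId
        ClientId    = $grant.ClientId
        ConsentType = $grant.ConsentType
        User        = if ($grant.PrincipalId) {
                          (Get-MgUser -UserId $grant.PrincipalId -ErrorAction SilentlyContinue).UserPrincipalName
                      } else { "(all users)" }
        RiskyScopes = ($hits -join ' ')
        GrantId     = $grant.Id
    }
}

# Show only grants carrying a risky scope; user-consented ones to unfamiliar apps go to the top.
$report | Where-Object RiskyScopes |
    Sort-Object ConsentType, App |
    Format-Table App, ConsentType, User, RiskyScopes, GrantId -AutoSize

# Revoke a grant after review (commented out so the script stays read-only):
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

Revoking the grant cuts off the app's refresh token, which is what a password reset alone does not do; if the app also holds application (not delegated) permissions, review its app role assignments on the service principal separately.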

Implementation Order

If you are starting from scratch, prioritize in this order:

  1. Block legacy authentication: eliminates the easiest attack vector
  2. Enforce MFA for all users: prevents credential-based compromise
  3. Restrict email forwarding: stops data exfiltration from compromised accounts
  4. Enable Safe Links and Safe Attachments: catches phishing and malware
  5. Lock down admin accounts: protects your highest-value targets
  6. Restrict external sharing: prevents accidental data exposure
  7. Enable audit logging and alerts: ensures you can detect and investigate
  8. Implement device compliance: extends protection to endpoints

Each step is independent. You do not need to complete the entire checklist in one sprint. But every week you delay items 1 through 3, your tenant remains vulnerable to attacks that are trivially preventable.

Need Help Hardening Your Tenant?

We perform M365 security assessments for businesses across the Cincinnati region. Our assessment reviews your current configuration against this checklist and CIS benchmarks, identifies gaps, and produces a prioritized remediation plan. No sales pitch, just a clear picture of where you stand.

Schedule a free M365 security assessment to get started.
