Practical guide: 21 Microsoft 365 security best practices

Learn how to apply Microsoft 365 security best practices to better understand and leverage collaboration tools like SharePoint, Teams, and OneDrive and secure your organization's data.

No matter the organization, no matter the platform: information security tops the list of required skills for every IT pro. This comes as no surprise when you think of all the cybercriminals lurking in every corner of the internet—or even with the amount of file sharing and collaboration with external shareholders in today's remote workplaces.

Luckily for those who use it, Microsoft 365 makes information security a much easier job for IT. Microsoft 365 is a cloud-based suite of productivity apps and services that include numerous collaboration tools like SharePoint, Teams, and OneDrive. It also comes with advanced, enterprise-grade security features that meet global standards.

This practical guide will show you how to apply Microsoft 365 security best practices to better understand and leverage those features and secure your organization's data in the best way possible. Hop on!

Understanding Microsoft 365's security infrastructure

Security threats to the modern digital workplace are constant and ever-evolving. On the one hand, the interconnected cloud-based systems necessary to support remote work are a natural target for cyberattacks. On the other hand, communicating, collaborating, and sharing data online also presents risks if IT doesn't set the proper guardrails.

Microsoft 365 offers a robust set of services, features, and solutions to help organizations create a safe and secure digital workplace: 

• Exchange Online Protection for protection against email threats
• Microsoft Defender, which serves as the primary security center for Microsoft 365
• Microsoft Purview, which is where compliance is managed

Thankfully, you can ahead of data breaches and compliance challenges with the Microsoft Compliance Center–a central hub equipped to safeguard your organization's sensitive information

​​​​​​​​​​​​​​A holistic approach to cybersecurity

Microsoft takes a holistic approach to cybersecurity, addressing four key pillars of cybersecurity:

• Security and risk management—Real-time reports on users, devices, apps, and infrastructure provided through the Microsoft 365 Security Center dashboard, along with the ability to configure device and data policies following your organization's governance strategy  
• Information protection—Integrated solutions designed to help you protect and manage sensitive information and data throughout its lifecycle and across all apps, devices, and cloud services.
• Threat protection—A combination of specialized services and automated security features that protect against threats to end-user identities, mobile devices, end-user data, including email and documents, cloud applications and their data stores, and your organization's IT infrastructure.
• Identity and access management—With Azure Active Directory and conditional access controls, identity protection tools, and secure authentication options that help you manage user accounts to protect your end users' identities and ensure that only people with proper credentials can access your system and files they have permission to access.  ​​​​​​​

Microsoft 365's compliance with global industry standards

In addition to those four areas, Microsoft 365 also complies with the ISO/IEC 27001 global industry standard for information security management systems.

The ISO/IEC 27001 provides a set of policies and procedures that must be a part of Microsoft 365's information risk management processes to be certified. This annual certification process helps Microsoft demonstrate to its customers that its infrastructure is resilient and secure through management following internationally recognized processes and best practices.

Evolving and costly threats make security best practices a must

It's your responsibility as an IT admin to make the best out of Microsoft 365's strong information security features to secure your tenant. Here are two stats that show you how crucial your role is:

1. Cybersecurity threats are getting more and more sophisticated, with costly consequences. According to the 2023 Cyberthreat Defense Report, 85% of organizations experienced a successful cyberattack in 2022, with 73% falling victim to ransomware.
2. According to IBM's 2022 report, 45% of data breaches take place in the cloud, with an average cost of $3.8-$5.2 million. This figure doesn't encompass indirect losses such as damage to reputation.

Your customers and clients expect and trust you will keep their data safe. So, even with the robust security framework Microsoft 365 offers, staying on top of current security best practices and implementing them in your organization is a must for safeguarding your company's data and user information. ​​​​​​​​​​​​​​

​​​​​​​​​21 best practices for securing Microsoft 365

☑️ Security defaults: a baseline for improving your security

Security defaults provide a basic level of security within Microsoft 365 and are automatically enabled in certain circumstances. This is how they help you secure your environment:

• Requiring all users to register for Azure Active Directory Multi-Factor Authentication (MFA)—This type of authentication requires either the Microsoft Authenticator app or any app that supports Open Authentication time-based one-time passwords (OATH TOTP). 
• Requiring MFA for everyone, including end users and admins—For admins, MFA provides additional protection for highly privileged accounts with broad access to sensitive information and the ability to make system-wide changes. And, because many attacks target end users, requiring MFA for them as well will provide additional protections there.
• Blocking legacy authentication—These requests use legacy authentication protocols made by Microsoft clients that don't use modern authentication or any client that uses older mail protocols like IMAP, SMTP, and POP3.

The security defaults in Microsoft 365 provide a high level of security out of the box, which may be enough for smaller organizations with basic security needs. Best of all? You can enable them with a single click.

But if your organization is more complex, you shouldn't stop there. You'll need to go beyond security defaults and set up more advanced configurations if you have a large remote workforce, for example. In this case, you might need tighter device management and integration with third-party solutions.

☑️ Zero trust and the Principle of Least Privilege 

Zero trust is an IT framework that addresses user and device authentication and authorization with mechanisms that can accurately identify who or what is attempting to gain access to the system and recognize suspicious activity. Because authentication and authorization processes are required whenever any attempt is made to access the system, there is essentially "zero" trust.

The Principle of Least Privilege (POLP) takes this idea further. POLP is the practice of restricting access to applications and resources until the end-user has successfully authenticated to the network. The idea here is that by limiting access to only what end users need, the potential impact of a compromised account or sabotage by an end user gone rogue is significantly reduced than if they had full access to the system.

In Microsoft 365, implementing ​​​​​​​zero trust and POLP requires ​​​​​​​setting up user permissions and restrictions and assigning role-based access controls.

☑️ Enabling Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is a crucial cloud security guardrail in Microsoft 365. MFA is an authentication method that requires end users to authenticate with one or more verification forms in addition to their usernames and password.

Most MFA methods rely on one of three types of verification methods:

• Things you know—Passwords, security questions, or a PIN
• Something you have—Physical items that you might carry on your person, such as a mobile device
• Something you are—Biometrics such as a thumbprint or your voice

Other common methods include a one-time password (OTP), a 4-8 digit code you might receive via text or email, and dynamically generated verification codes that you can receive with an authentication app or by text message.  

When you enable multi-factor authentication in Microsoft 365, you add an extra solid layer of protection for your organization, for example, when an individual end user's password is compromised or in the event of a brute force attack on your system resulting in the theft of multiple passwords. 

Microsoft 365 offers several MFA methods, and setting it up for your organization is pretty straightforward. 

☑️ Using secure password policies

We know changing your password every 60-90 days is a pain, even for IT types. But you know how vital password policies are to protecting your system and sensitive data. And, to the extent you can help your end users understand why they're necessary, the policies you set will be easier to enforce on user accounts. 

One of those policies should be requiring solid passwords. Here are two surefire ways to enhance password security:

1. Strengthening passwords—Implementing length requirements and complexity rules (including numbers, special characters, and upper/lower case letters) enhances password uniqueness and makes it harder for attackers (humans or bots) to guess them. Also, Microsoft's Azure Active Directory Password Protection further mitigates the risks presented by weak passwords.
2. Avoiding password reuse and enforcing regular changes—Using the same password across systems and applications creates equal vulnerability if one account is hacked. However, controlling end users' password practices can be challenging. Requiring regular password changes, with a restriction on reusing previous passwords, minimizes the risk associated with overused passwords.

Of course, you must balance how often you require password changes and the end user's convenience. Otherwise, they'll get frustrated, and you'll start getting complaints (and who needs more end-user complaints, right?). Fortunately, combining password changes with other security measures, such as MFA, can help you stretch that timeframe out if needed.

☑️ Configuring conditional access policies

In Microsoft 365, conditional access is a practice that provides granular access control to applications and sensitive data based on conditions you specify. 

Conditional access policies define a set of actions based on if-then rules that define a trigger and an automated response. Triggers rely on signals such as user, device, location, or risk level. The resulting actions are based on whatever organizational access policies you define. For example, you can build conditions that manage security controls to block access, require multi-factor authentication, or place restrictions on an end user's session.

Here are a couple of tips for setting up your conditional access policies:

• Start with a strategy—Before diving into creating policies, you need to have a clear strategy in place. Determine what resources must be protected and identify all the potential vulnerabilities in your organization's security. Once you know the lay of the land, you can more easily prioritize the policies that offer the most significant immediate benefit.​​​​​​​
• Use the report-only mode—Conditional access policies can greatly impact how users can access Microsoft 365 resources, so it's critical to test them thoroughly in 'report-only' mode before you implement them. This allows you to see the effects of each policy without actually enforcing it and make any necessary adjustments before you turn it on for real.  

☑️ Safeguarding against phishing attacks

Phishing is one of the most common types of cyberattacks out there. These attacks come in emails from what appear to be legitimate sources. While they're not very sophisticated technically, the social engineering they use certainly is. Attackers can use social media to gather information on their targets and lend credibility to their messages, making it harder to discern whether the email is authentic. They also use visual elements such as counterfeit logos to make the messages look more convincing.

There are three types of phishing attacks, and the goal is always the same—to trick the target into revealing sensitive information that they can use to access your system. ​​​​​​​Regular phishing targets a large number of people, while spear phishing is more precise and targeted toward a specific individual or group. Whaling, another type of phishing, uses emails presumably from high-profile employees (the CEO, for example) to gain access by tricking employees into providing sensitive information or files.

Best practices for protecting your organization's Microsoft 365 data against these threats are: 

• Employee training—This is the first line of defense against phishing attacks. While you can't prevent the attacks, providing regular training for employees on what these attacks look like, how to recognize potential threats, and what actions to take when they suspect a phishing attempt will limit the damage they can do. Training should include identifying suspicious email addresses, understanding the dangers of clicking on unverified links, and not sharing personal or company information.
• Using Microsoft 365's anti-phishing tools—Microsoft 365's Advanced Threat Protection (ATP)  includes anti-phishing policies that identify and neutralize phishing attempts. These tools use machine learning models to analyze incoming emails. They can quarantine or flag suspicious emails before reaching their intended targets, significantly reducing the likelihood of successful attacks.

☑️ Using Microsoft Defender

Microsoft Defender is a service that uses artificial intelligence and machine learning to continuously analyze signals throughout the Microsoft system globally (to the tune of about 43 trillion signals daily) to detect threats in real time, 24/7, 365 days a year. It can identify and neutralize new and evolving threats before they can cause harm, providing comprehensive, proactive protection for your Microsoft 365 tenant.

ATP also offers comprehensive, in-depth reporting and trace capabilities, enabling IT admins to track and understand threats, attacks, and response activities. This visibility can be critical in identifying security weaknesses, understanding the nature of attacks, and enhancing your organization's security over time.

☑️ Enabling Safe Links and Safe Attachments

Enabling Safe Links and Safe Attachment features are part of Microsoft Defender, providing an additional layer of security against sophisticated email-based threats.

Safe Links detects and blocks known malicious URLs to safeguard end users from potential phishing and malware attacks. Safe Attachments opens any incoming email attachments in a virtual environment to analyze them for potential threats before delivering them to users' mailboxes. Together, these features help prevent the spread of malware and ensure that potentially harmful attachments are isolated and neutralized.

Together, these features proactively protect your end users from that ever-pesky problem of human error, reducing their ability to unknowingly interact with malicious links or open infected attachments in their Microsoft Office apps. 

☑️ Enabling and configuring data loss prevention (DLP) policies

Data loss prevention (DLP) policies in Microsoft 365 can help prevent sensitive information from being shared outside your organization. This feature uses pattern matching and other techniques to identify and protect financial data, personally identifiable information (PII), and other types of sensitive data.

You can enable DLP policies through the Microsoft 365 Compliance Center by selecting the 'Data loss prevention' option under 'Policies.' Once enabled, you can create new custom policies based on your organization's needs or use a pre-built template for the type of policy you need.

When configuring DLP policies, you can define the types of sensitive information you want to protect, the conditions that will trigger the policy, and what actions to take when a policy is matched. Actions can include sending a notification to the user, blocking the content from being shared, or alerting administrators.

☑️ Implementing Information Rights Management (IRM)

Information Rights Management (IRM) in Microsoft 365 is a service that helps protect sensitive information from unauthorized access. It encrypts information and applies rights restrictions, such as preventing content from being printed, forwarded, or copied.

You can activate IRM for your tenant through the Microsoft 365 Admin Center by selecting the 'Rights Management' option under 'Service settings.' Once activated, IRM becomes available across many Microsoft 365 services, including SharePoint Online and Exchange Online.

With IRM activated, you can define policies regarding the types of actions end users can perform on specific content. For example, an IRM policy on a document may allow only certain users to view it and prevent it from being edited, printed, or shared with unauthorized individuals. The IRM policy for that document will be enforced regardless of where it's located or who is accessing it.

☑️ Managing mobile devices and apps

With remote work and the rise of the 'bring your own device' (BYOD) trend, managing mobile devices and apps have become critical to information security. Effectively managing personal mobile devices involves creating and enforcing policies for their use and managing the Microsoft Office and other sanctioned apps that employees use on them.

Examples of policies for mobile devices include requiring device encryption and requiring a PIN for access, while app management might consist of ​​​​​​​limiting data sharing between mobile apps and controlling app updates to ensure security patches are applied.

Here are some additional device management strategies you can use to give your end users the ability to use their mobile devices to access and share their work-related files securely:

• Unified Endpoint Management (UEM)—Consider adopting a UEM solution like Microsoft Intune that will allow you to manage all endpoints, including mobile devices, laptops, and desktops, from a single platform.
• Regular device audits—Conduct regular audits to identify all devices with access to corporate data and ensure they comply with company security policies.
• Zero trust—As mentioned before, with a zero trust strategy, every device that someone uses to try accessing your network is considered untrusted until verified. When applied to mobile devices, every time someone attempts to access the network with a mobile phone or tablet, they'll have to authenticate their device to prove it's secure before being granted access.

☑️ Using Mobile Device Management (MDM)​​​​​​​​​​​​​​

Microsoft 365 offers a built-in Mobile Device Management (MDM) service allowing IT admins to manage company-owned or personal mobile devices remotely.

​​​​​​Once a device is enrolled in MDM, admins can ​​​​​​​remotely wipe company data if lost or stolen to prevent unauthorized access. Admins can also define compliance policies and set up automated actions, such as blocking access if ​an enrolled device is found to be non-compliant. ​​​​​​

☑️ Enforcing guardrails in self-service environments

Microsoft 365 was built for productivity, and organizations implementing self-service achieve a greater ROI from the platform. However, giving employees the freedom to use their Microsoft Office apps in ways that work best without any guardrails to protect your tenant is like giving your 14-year-old keys to your brand-new car. 

Protecting your system from the risks associated with a self-serve environment requires a good provisioning strategy and providing end users with everything they need to create and manage their teams, sites, and pages with guardrails in place to ensure policy compliance and security. 

Finding the right balance between self-service and security can be tricky in Microsoft 365. Self-service done right, though, can significantly reduce the load on your IT team, allowing them to focus more on security planning and less time on routine tasks that don't make the best use of their valuable expertise. And if you do experience a significant security incident, your IT team will be able to respond more quickly.

To learn more about securely implementing self-service in your Microsoft 365 environment, check out our free online course to help you do it right. 

☑️ Ensuring secure communication via encryption

Encryption ensures that data can only be accessed by authorized individuals, whether the data is at rest or in transit. This is vital for secure organizational communication, particularly when transmitting sensitive data.

With the built-in encryption features in Microsoft 365, you can encrypt emails in Outlook. And any attached files stored in OneDrive and SharePoint are also encrypted, so the data they contain is protected even if an email is intercepted.

Admins can manage encryption keys through the Microsoft 365 admin center. Managing encryption keys is a crucial part of maintaining the security and effectiveness of encryption and requires rotating keys regularly and ensuring that old keys are safely archived or destroyed.

☑️ Implementing regular security awareness training

Despite all the built-in security features and services Microsoft 365 provides, one thing it can't protect you from is human error. To be sure, it can minimize human error's impact on the ATP we described above. But providing ​​​​​​​security awareness training is critical to help avoid security issues in the first place. By helping your employees recognize potential security threats, you can stop more of them. 

Security risks are continuously evolving, so training needs to be an ongoing effort to ensure you're staying ahead of emerging threats. The goal is to ensure that all employees are up-to-date with the latest security best practices and threats and know about any new security features in Microsoft 365 or updates to company security policies. Conducting simulated attacks and other practical exercises can give employees valuable hands-on experience in recognizing threats and responding effectively.

☑️ Regularly reviewing audit logs

Microsoft 365 supports audit logging for more than 30 different Microsoft 365 services and features in a unified audit log, giving you many different ways to monitor your system for security and compliance. When you enable a unified audit log, you gain an added layer of surveillance of your Microsoft 365 environment.

For example, audit logs help you understand what's happening in your SharePoint environment, in Teams and other Microsoft Office apps, and in your Azure Active Directory, to name a few. Audit logs can be used to monitor both end-user and admin activity. By regularly reviewing your audit logs, you can spot any unusual activity or potential security breaches before they become a problem. 

Microsoft 365 uses role-based access control, and generally, this feature is restricted to global administrators and auditor roles, so you'll need to check to ensure you have the proper permission to access audit logs. If you do, here's how to get started with this best practice:

• Accessing audit logs—You can access the audit logs through the Microsoft 365 Security and  Compliance Center. Simply navigate to "Search" and "Audit log search" to find the log you're looking for. 
• Interpreting audit logs—Once you access the audit logs, you can use the filter options to narrow down the events you want to review based on criteria like date range, users, and activity types. Each entry in the log will provide details about the activity, such as the date and time the activity occurred, who performed the activity, and more. Reviewing the events, you're looking for any unusual or suspicious activities. Note that to recognize an anomaly, you'll first need to understand the typical pattern of your organization's operations.

☑️ Regularly conducting risk assessments

Regular risk assessments will help you identify and evaluate potential threats and vulnerabilities within your Microsoft 365 environment regarding your data security, access controls, and compliance with industry regulations. ​​​​​​​​​​​​​​Evaluating the likelihood and potential impact of all the risks you identify can help you prioritize mitigation efforts based on the severity and probability of each risk.

Based on the findings of your risk assessment, you can develop and implement appropriate mitigation measures to protect your organization. This may include updating security policies, enhancing access controls, or implementing additional security solutions to address identified risks and reduce overall risk exposure.

☑️ Applying compliance policies and sensitivity labels

Compliance policies and sensitivity labels should be critical components of every data loss prevention DLP strategy for organizations using Microsoft 365. 

Compliance policies define rules and controls regarding data handling, retention, and sharing with Microsoft Office apps. They help you maintain compliance with legal requirements and ensure that your organization adheres to relevant industry regulations and data protection standards. 

Sensitivity labels allow you to classify and protect your data based on its sensitivity level. When you apply a sensitivity label to a document, email, or other data, any configured protection settings for that label are automatically enforced, preventing unauthorized disclosure or misuse. ​​​​​​​You can use sensitivity labels to secure sensitive data with automations to enforce encryption, restrict access, or implement data loss prevention measures.

Compliance policies and sensitivity labels can enhance data protection across your entire Microsoft 365 environment, reducing the risk of data breaches and ensuring the proper handling of confidential information.

☑️ Regular backup and restore testing

Up to this point, much of what we've covered in this guide focuses on how to avoid security issues. However, the reality is that too many attacks still succeed, costing organizations millions each year. This is why regularly backing up critical data is so important. Backing up your data is essential to mitigating the damage from data loss incidents, such as ransomware attacks, hardware failures, or human errors. It ensures the ability to restore data to its previous state in case of unforeseen circumstances so you can resume your business operations.

It's not enough to do regular backups, though. You need to regularly test your backup and restore processes to ensure they work and will work for you when you need them. Testing your backup and restore processes also provides an opportunity to validate the integrity and accuracy of the backed-up data. Such testing can reveal potential issues, such as corrupted backups or incomplete data, to help you ensure data reliability during a restore operation. 

☑️ Keeping up with software updates

"Patch Tuesday" is an important date on the calendars of most Microsoft 365 admins because that's when Microsoft releases its most current updates, which often include security patches to address new vulnerabilities and protect against known exploits.

Implementing software updates and patches, Microsoft pushes out every other Tuesday may feel like a never-ending job. But doing so is critical to reducing the window of opportunity for potential attackers to exploit vulnerabilities in your system. It helps ensure your environment is protected against the latest threats.

​​​​​​​​​​​​​​Fortunately, Microsoft 365 also provides automation tools, such as Microsoft Endpoint Manager and  Windows Update for Business, to streamline the update process. Automating updates enables you to deploy patches efficiently across your Microsoft 365 ecosystem, reducing the burden on IT staff and improving your overall security posture.

☑️ Integrating with Microsoft Secure Score

Secure Score is a built-in security analytics tool in Microsoft 365 that measures your organization's security posture. It assigns a score based on implementing recommended security controls and best practices. The higher the score, the more secure your system is.  

Integrating with Secure Score provides a centralized dashboard accessible in the Microsoft 365 Defender portal. Here, you can ​​​​​​​gain insights into potential security gaps within your Microsoft 365 environment, identify areas where you can improve security, and highlight specific actions to improve your organization's overall security posture. 

The recommendations and guidance Secure Score provides can act as a roadmap to help you prioritize and implement security enhancements, driving continuous improvement in your organization's security resilience. 

By integrating with Secure Score and implementing other security best practices in this guide, you'll be on your way to securing your tenant as much as possible in this ever-changing cybersecurity environment.

Before we go, one last tip: security best practices work hand-in-hand with solid data governance. To learn more best practices for governance in Microsoft 365, check out our article, How to implement Microsoft 365 governance best practices.