Microsoft 365 Security: What You Already Have
If your business uses Microsoft 365, you already have access to a significant security capability, most of which is not enabled by default. The gap between what Microsoft provides and what most organisations have actually configured is the primary cause of Microsoft 365-related incidents.
| Feature | Required Action | Where to Configure |
|---|---|---|
| MFA for all users | Enable and enforce | Entra ID > Security > Conditional Access |
| Safe Links and Attachments | Configure policy | Security.microsoft.com > Email & collab |
| Unified audit log | Enable | Compliance.microsoft.com > Audit |
| Microsoft Secure Score | Review and act | Security.microsoft.com > Secure Score |
| Device compliance | Deploy Intune | Intune.microsoft.com |
| DLP policies | Create policies | Compliance.microsoft.com > DLP |
Microsoft's default configuration is designed for broad compatibility, not security. Securing your tenant requires deliberate configuration changes beyond the defaults.
Conditional Access Policies
- Require MFA for all users: no exceptions
- Block legacy authentication protocols: they bypass MFA
- Require a compliant device for sensitive apps (once Intune is deployed)
- Block access from high-risk sign-ins (Entra ID Identity Protection integration)
- Restrict admin portal access to managed devices only
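The three policies above that can be expressed as plain Conditional Access rules (MFA for everyone, block legacy authentication, admin portals only from a compliant device) can be created with the Microsoft Graph PowerShell SDK. The script below is an added example and not part of the original page or De4sec's tooling; it assumes the Microsoft.Graph.Identity.SignIns module is installed, the signed-in account can manage Conditional Access, and the policy names are placeholders you can rename.

```powershell
# Added example, not from the original page: create the baseline Conditional
# Access policies with the Microsoft Graph PowerShell SDK. Assumes the
# Microsoft.Graph.Identity.SignIns module is installed and the signed-in
# account can manage Conditional Access. Policy names are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

function New-BaselineCaPolicy {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string[]] $ClientAppTypes,   # "all" or legacy protocol types
        [Parameter(Mandatory)] [string]   $Control,          # "mfa", "block", "compliantDevice"
        [string[]] $Applications = @("All")
    )
    # Every policy starts in report-only mode. Read the report-only results in
    # the sign-in log, confirm your own admin sign-ins pass, then switch State
    # to "enabled" with Update-MgIdentityConditionalAccessPolicy.
    $body = @{
        displayName   = $DisplayName
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = @{ includeUsers = @("All") }
            applications   = @{ includeApplications = $Applications }
            clientAppTypes = $ClientAppTypes
        }
        grantControls = @{
            operator        = "OR"
            builtInControls = @($Control)
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. MFA for all users, all apps, all client types.
New-BaselineCaPolicy -DisplayName "CA001 Require MFA for all users" `
    -ClientAppTypes @("all") -Control "mfa"

# 2. Block legacy authentication. Exchange ActiveSync and "other clients"
#    (IMAP, POP3, SMTP AUTH, older Office builds) cannot complete an MFA
#    challenge, so the only control that closes the bypass is a block.
New-BaselineCaPolicy -DisplayName "CA002 Block legacy authentication" `
    -ClientAppTypes @("exchangeActiveSync", "other") -Control "block"

# 3. Admin portals only from a compliant (Intune-managed) device. Leave this
#    one in report-only mode until Intune compliance policies are deployed,
#    otherwise admins lock themselves out.
New-BaselineCaPolicy -DisplayName "CA003 Admin portals require compliant device" `
    -Applications @("MicrosoftAdminPortals") -ClientAppTypes @("all") -Control "compliantDevice"

# Confirm what exists and in which state before enforcing anything.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "CA00*" } |
    Select-Object DisplayName, State, Id
```

Report-only mode is the deliberate design choice here: the sign-in log shows which users and apps each policy would have affected, so the "block" policy can be promoted to enforced only after the last IMAP/SMTP AUTH dependency has been found and migrated.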
Admin Role Security
- Keep Global Admin accounts separate from daily-use accounts: no mailbox on GA accounts
- Use role-specific admin roles (Exchange Admin, Teams Admin, etc.) rather than Global Admin for everything
- Enable Privileged Identity Management for just-in-time admin role activation
- Require MFA for all admin role activation
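A quick way to measure the first two points is to list who currently holds Global Administrator and whether each of those accounts also owns a mailbox (a mailbox means the account is being used for daily work and is exposed to phishing). The script is an added example, not the page's or De4sec's code; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules and an account with directory read and Exchange recipient read rights.

```powershell
# Added example, not from the original page: inventory Global Administrator
# assignments and flag daily-use accounts (those with a mailbox). Assumes the
# Microsoft.Graph and ExchangeOnlineManagement modules are installed.
Connect-MgGraph -Scopes "Directory.Read.All", "RoleManagement.Read.Directory"
Connect-ExchangeOnline -ShowBanner:$false

# Well-known template ID of the Global Administrator role; identical in every tenant.
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"

# Note: this lists permanent (active) assignments only. PIM-eligible assignments,
# which is where admins should end up, do not appear here.
$findings = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id) {
    $upn = $member.AdditionalProperties.userPrincipalName
    if (-not $upn) { continue }   # groups and service principals have no UPN
    # A GA that owns a mailbox is a daily-use account; the checklist says
    # GA accounts should have no mailbox at all.
    $hasMailbox = [bool](Get-EXOMailbox -Identity $upn -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        UserPrincipalName = $upn
        HasMailbox        = $hasMailbox
        Finding           = if ($hasMailbox) { "Daily-use account holds Global Admin" } else { "" }
    }
}

$findings | Format-Table -AutoSize

# Secure Score's own control asks for a small number of Global Admins
# (between two and four); anything larger is a finding to work down.
$count = @($findings).Count
if ($count -gt 4) { Write-Warning "$count permanent Global Admins; move the rest to role-specific or PIM-eligible roles." }
```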
User Account Security
- Self-Service Password Reset with MFA verification: reduces helpdesk burden
- Entra ID Identity Protection: risk policies for users and sign-ins
- Named locations: flag sign-ins from countries you don't operate in
- Passwordless authentication for supported users
Exchange Online Protection (included in all licences)
- Anti-spam policies: tune confidence thresholds
- Anti-malware policy: block common malicious file types
- Spoofing protection: built in for your tenant domains
Defender for Office 365 (Business Premium / E3 + add-on)
- Safe Links: time-of-click URL detonation
- Safe Attachments: sandbox file detonation
- Anti-phishing: impersonation protection for key users and domains
- Spoof intelligence: cross-domain spoofing detection
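Both the Exchange Online Protection tuning and the Defender for Office 365 policies listed above are configured with the ExchangeOnlineManagement module. The script below is an added example covering both sections; it is not from the page or De4sec. It assumes a Defender for Office 365 licence for the Safe Links, Safe Attachments and impersonation settings, uses contoso.com as a placeholder for your accepted domain, and the file-type list is a starting point to adjust for your organisation.

```powershell
# Added example, not from the original page: tune EOP defaults and create the
# Defender for Office 365 policies. Assumes ExchangeOnlineManagement is
# installed; "contoso.com" and "CEO" are placeholders.
Connect-ExchangeOnline -ShowBanner:$false
$domain = "contoso.com"   # placeholder: your accepted domain

# ---- Exchange Online Protection (every licence) ----
# Anti-spam: quarantine high-confidence spam and phishing, send ordinary spam
# and bulk mail to Junk. Bulk threshold 6 is a moderate setting; tune after
# reviewing what users report as missing.
Set-HostedContentFilterPolicy -Identity Default `
    -SpamAction MoveToJmf -HighConfidenceSpamAction Quarantine `
    -PhishSpamAction Quarantine -HighConfidencePhishAction Quarantine `
    -BulkSpamAction MoveToJmf -BulkThreshold 6

# Anti-malware: enable the common-attachment filter and list the file types
# most often used to deliver initial-access payloads.
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -ZapEnabled $true `
    -FileTypes @("exe","scr","js","jse","vbs","vbe","wsf","hta","iso","img","lnk","cmd","bat","ps1")

# ---- Defender for Office 365 ----
# Safe Links: rewrite and scan URLs at time of click in mail, Teams and Office;
# hold delivery until the scan completes and do not let users click through.
New-SafeLinksPolicy -Name "Baseline Safe Links" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "Baseline Safe Links" -SafeLinksPolicy "Baseline Safe Links" `
    -RecipientDomainIs $domain

# Safe Attachments: detonate attachments in a sandbox; block the message if malicious.
New-SafeAttachmentPolicy -Name "Baseline Safe Attachments" -Enable $true -Action Block
New-SafeAttachmentRule -Name "Baseline Safe Attachments" -SafeAttachmentPolicy "Baseline Safe Attachments" `
    -RecipientDomainIs $domain

# Anti-phishing: impersonation protection for key people and your own domain,
# mailbox intelligence for learned contact graphs, spoof intelligence on.
# TargetedUsersToProtect entries are "DisplayName;EmailAddress".
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect @("CEO;ceo@$domain") `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect @($domain) `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSpoofIntelligence $true -PhishThresholdLevel 2

# Verify the policies and the rules that scope them.
Get-SafeLinksPolicy       | Select-Object Name, EnableSafeLinksForEmail, AllowClickThrough
Get-SafeAttachmentPolicy  | Select-Object Name, Enable, Action
Get-AntiPhishPolicy -Identity "Office365 AntiPhish Default" |
    Select-Object EnableTargetedUserProtection, EnableTargetedDomainsProtection, PhishThresholdLevel
```

The policy/rule split matters: a Safe Links or Safe Attachments policy does nothing until a rule scopes it to recipients, which is why each `New-*Policy` above is paired with a `New-*Rule` for the domain.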
Email Authentication
- SPF record: publish and test
- DKIM: enable for all sending domains, including marketing and automation tools
- DMARC: start at p=none, monitor, move to p=quarantine, then to p=reject
- DMARC reporting: configure external reporting so you can review spoofing attempts
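The state of all three records can be checked from any Windows host with `Resolve-DnsName`, including which DMARC stage (p=none, quarantine or reject) a domain has reached. The function below is an added example, not from the page or De4sec; it assumes Microsoft 365's standard DKIM selectors (selector1 and selector2) and uses contoso.com as a placeholder domain.

```powershell
# Added example, not from the original page: audit SPF, DKIM and DMARC for a
# domain with Resolve-DnsName. Assumes M365's selector1/selector2 DKIM
# selectors; "contoso.com" is a placeholder.
function Get-TxtRecord {
    param([Parameter(Mandatory)] [string] $Name)
    # Return each TXT record as one joined string (long records are split into
    # 255-byte chunks in DNS); $null when nothing is published.
    $records = Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq "TXT" }
    if ($records) { @($records | ForEach-Object { ($_.Strings -join "") }) } else { $null }
}

function Test-EmailAuthentication {
    param([Parameter(Mandatory)] [string] $Domain)

    $spf   = @(Get-TxtRecord -Name $Domain | Where-Object { $_ -like "v=spf1*" })
    $dmarc = @(Get-TxtRecord -Name "_dmarc.${Domain}" | Where-Object { $_ -like "v=DMARC1*" })

    # M365 publishes DKIM keys under selector1/selector2._domainkey.<domain>,
    # which you CNAME to your tenant. No CNAME means signing is not live.
    $dkim = foreach ($sel in "selector1", "selector2") {
        $cname = Resolve-DnsName -Name "${sel}._domainkey.${Domain}" -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq "CNAME" }
        [pscustomobject]@{ Selector = $sel; Target = if ($cname) { $cname.NameHost } else { $null } }
    }

    # Parse DMARC tags (p=, sp=, pct=, rua=) into a hashtable.
    $tags = @{}
    if ($dmarc.Count -ge 1) {
        foreach ($part in ($dmarc[0] -split ";")) {
            $kv = $part.Trim() -split "=", 2
            if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
        }
    }

    [pscustomobject]@{
        Domain             = $Domain
        SpfPublished       = $spf.Count -ge 1
        SpfMultipleRecords = $spf.Count -gt 1      # two SPF records is a permanent error
        SpfIncludesM365    = [bool]($spf -like "*include:spf.protection.outlook.com*")
        SpfHardFail        = [bool]($spf -like "*-all")   # "-all" rather than "~all"
        DkimSelectorsLive  = @($dkim | Where-Object { $_.Target }).Count   # expect 2
        DmarcPublished     = $dmarc.Count -ge 1
        DmarcPolicy        = $tags["p"]            # none -> quarantine -> reject
        DmarcPct           = if ($tags["pct"]) { $tags["pct"] } else { "100" }
        DmarcReportsTo     = $tags["rua"]          # aggregate-report destination
    }
}

Test-EmailAuthentication -Domain "contoso.com" | Format-List
```

`DmarcPolicy` and `DmarcPct` together show where a domain is on the none/quarantine/reject path; a domain with `DmarcReportsTo` empty has no reporting configured and so has no data to justify moving to the next stage.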
Device and Endpoint Security
Microsoft Intune
- Enrol all company-owned devices: Windows, macOS, iOS, Android
- Configure device compliance policies: encryption, OS version, screen lock, antivirus
- Apply Conditional Access requiring a compliant device for corporate data access
- Deploy Intune configuration profiles: browser policies, Wi-Fi, VPN settings
Defender for Endpoint
- Onboard all enrolled devices to MDE via Intune
- Configure the security baseline via Endpoint Security policies
- Enable Tamper Protection: prevents attackers from disabling security controls
- Attack Surface Reduction rules: at minimum enable in audit mode, then move to block mode after review
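The "audit first, then block" step for ASR rules is worth piloting on one test device before the tenant-wide Intune rollout, so that the audit events can be read and exclusions planned. The script below is an added example, not from the page or De4sec; it assumes an elevated PowerShell on a Windows device with Defender Antivirus active, and that the rule IDs (fixed Microsoft identifiers) and the event message layout match current builds.

```powershell
# Added example, not from the original page: pilot three ASR rules in audit
# mode on one device, then summarise the audit events to decide whether block
# mode is safe. Run elevated on a Windows device with Defender Antivirus.
# Tenant-wide rollout is then done via Intune Endpoint security policies.

# ASR rule GUIDs are fixed Microsoft identifiers, identical on every device.
$rules = @{
    "Block executable content from email client and webmail" = "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550"
    "Block Office applications from creating child processes" = "D4F940AB-401B-4EFC-AADC-AD5F3C50688A"
    "Block credential stealing from LSASS"                     = "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2"
}

# Action values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
# Add-MpPreference appends to the existing rule list; Set-MpPreference would replace it.
Add-MpPreference -AttackSurfaceReductionRules_Ids ([string[]]$rules.Values) `
                 -AttackSurfaceReductionRules_Actions (@(2) * $rules.Count)

# Confirm the configuration landed (IDs and actions are parallel arrays).
$prefs = Get-MpPreference
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    "{0}  action={1}" -f $prefs.AttackSurfaceReductionRules_Ids[$i], $prefs.AttackSurfaceReductionRules_Actions[$i]
}

function Get-AsrEvents {
    param([int] $Days = 7)
    # Event ID 1122 = rule audited (would have blocked); 1121 = rule blocked.
    # Rule ID and path are taken from the event message text; the "ID:" and
    # "Path:" labels are assumed from current Defender builds.
    Get-WinEvent -FilterHashtable @{
        LogName   = "Microsoft-Windows-Windows Defender/Operational"
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $msg = [string]$_.Message
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1122) { "Audit" } else { "Block" }
            RuleId  = if ($msg -match '(?i)ID:\s*([0-9a-f\-]{36})') { $Matches[1] } else { $null }
            Process = if ($msg -match '(?im)^\s*Path:\s*(.+?)\s*$') { $Matches[1] } else { $null }
        }
    }
}

# Review: a rule with many hits on legitimate business processes needs
# exclusions before moving to block mode (action 1); rules with no hits can
# be switched over straight away.
Get-AsrEvents | Group-Object RuleId, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The rule names in the `$rules` table map to the first three rules most SMBs enable; the grouped output is the evidence for the "after review" decision, one line per rule-and-process pair.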
Application Management
- Intune App Protection Policies: protect corporate data in mobile apps without full MDM
- Block copy/paste from corporate apps to personal apps
- Remote wipe of corporate data from personal devices (MAM selective wipe)
Data Protection and Compliance
Microsoft Purview (Compliance portal)
- Enable the Unified Audit Log: required for any security investigation
- Sensitivity labels: classify documents as Public, Internal, Confidential, Highly Confidential
- DLP policies: prevent sensitive data leaving via email, Teams, or SharePoint sharing
- Retention policies: define the data lifecycle, how long to keep and what to delete
- Communication compliance: optional, for regulated industries that require message monitoring
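The audit log is the first item for a reason: nothing is retrievable for the period before it was switched on. The script below, an added example rather than the page's or De4sec's code, checks and enables it with the ExchangeOnlineManagement module and then runs the first search an investigator typically needs, new or changed inbox rules and mailbox forwarding, which is the usual persistence after a compromised mailbox. It assumes an account with audit-log read rights; the operation names and JSON field names are those of Exchange admin audit records.

```powershell
# Added example, not from the original page: enable the unified audit log if
# needed and search it for inbox-rule and forwarding changes. Assumes the
# ExchangeOnlineManagement module and an account with audit-log read rights.
Connect-ExchangeOnline -ShowBanner:$false

$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Unified audit log enabled; events can take up to 24 hours to start appearing."
}

function Get-SuspiciousMailboxChanges {
    param([int] $Days = 30)
    # Operations that create or alter inbox rules, or change mailbox forwarding.
    $ops = "New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"

    $results = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
                   -Operations $ops -ResultSize 5000

    foreach ($r in $results) {
        $d = $r.AuditData | ConvertFrom-Json
        # Parameters is an array of {Name, Value}. Flatten it so the red-flag
        # settings (forward, redirect, delete, forwarding address) are searchable.
        $params = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
        if ($params -match "ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeleteMessage|ForwardingSmtpAddress|ForwardingAddress") {
            [pscustomobject]@{
                Time       = $r.CreationDate
                User       = $r.UserIds
                Operation  = $r.Operations
                ClientIP   = $d.ClientIP
                Parameters = $params
            }
        }
    }
}

Get-SuspiciousMailboxChanges | Format-Table -AutoSize -Wrap
```

A rule that forwards externally and deletes the original, created from an IP address in a country you don't operate in (see the named-locations point under User Account Security), is the classic pattern; the flattened `Parameters` column makes it readable at a glance.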
Secure Score
Microsoft Secure Score (security.microsoft.com > Secure Score) is the single most actionable starting point for Microsoft 365 security improvement. It scores your current configuration, shows what's missing, and provides direct implementation guidance.
- Target: 60%+ for an SMB baseline
- Each recommendation includes an effort estimate and a security impact
- Prioritise: identity recommendations have the highest impact, email second, device third
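The same score and the gap per control are available through Microsoft Graph, which makes the 60% target and the identity-first ordering something you can report on every month rather than read off the portal. The script is an added example, not from the page or De4sec; it assumes the Microsoft.Graph.Security module, the SecurityEvents.Read.All permission, and that email-related controls appear under Secure Score's "Apps" category (the mapping to the page's identity/email/device order is my assumption).

```powershell
# Added example, not from the original page: read the current Secure Score,
# express it as the percentage the 60% target refers to, and list the
# unimplemented controls in the page's priority order. Assumes the
# Microsoft.Graph.Security module and SecurityEvents.Read.All.
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

# One secureScore record per day; the newest is returned first.
$score = Get-MgSecuritySecureScore -Top 1
$pct   = [math]::Round(100 * $score.CurrentScore / $score.MaxScore, 1)
Write-Host ("Secure Score: {0}/{1} ({2}%). SMB baseline target: 60%." -f $score.CurrentScore, $score.MaxScore, $pct)

# Page's prioritisation: identity, then email (listed under "Apps" in Secure
# Score, assumed mapping), then device. Everything else sorts last.
$priority = @{ Identity = 1; Apps = 2; Data = 3; Device = 4 }

# Control profiles carry the max points, effort estimate and user impact;
# the score record carries the points currently earned per control.
$profiles = @{}
Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profiles[$_.Id] = $_ }

function Get-SecureScoreBacklog {
    foreach ($c in $score.ControlScores) {
        $p = $profiles[$c.ControlName]
        if (-not $p -or $null -eq $p.MaxScore) { continue }
        $gap = $p.MaxScore - $c.Score
        if ($gap -le 0) { continue }    # fully implemented already
        [pscustomobject]@{
            Priority   = if ($priority[$c.ControlCategory]) { $priority[$c.ControlCategory] } else { 9 }
            Category   = $c.ControlCategory
            Control    = $p.Title
            PointsGap  = [math]::Round($gap, 1)
            Effort     = $p.ImplementationCost   # Low / Moderate / High
            UserImpact = $p.UserImpact
        }
    }
}

Get-SecureScoreBacklog |
    Sort-Object Priority, @{ Expression = "PointsGap"; Descending = $true } |
    Format-Table -AutoSize
```

Sorting by category first and points gap second reproduces the page's advice: the identity controls with the most points outstanding come out on top, and the `Effort` and `UserImpact` columns are the "effort estimate and security impact" each recommendation carries in the portal.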
De4sec Microsoft 365 Security Service
Tenant Audit
Review current configuration against security best practices. Identify gaps in identity, email, device, and data protection.
Secure Baseline
Implement Conditional Access, email security, Intune, DLP, sensitivity labels, and audit logging.
Secure Score Optimisation
Work through prioritised Secure Score recommendations. Target 65%+ within 90 days of engagement.
Ongoing Management
Monthly Secure Score review, alert monitoring, quarterly policy review, patch compliance reporting.