Microsoft 365 is the operating system of the modern workplace. Email, file storage, collaboration, identity — it all runs through M365. That makes it the single highest-value target in most organizations. A compromised Microsoft 365 tenant gives an attacker access to every email, every document in SharePoint and OneDrive, every Teams conversation, and — through Azure AD — every connected application and cloud resource.
Microsoft’s own security best practices for M365 acknowledge that default configurations need hardening. The default M365 configuration is not secure enough for production business use. Microsoft prioritizes usability in its defaults, which means legacy authentication protocols are often enabled, audit logging may not be fully configured, and external sharing is wide open. Hardening M365 requires deliberate configuration across identity, email, data protection, endpoint security, and monitoring.
This checklist covers the configurations that matter most, organized by priority. Start at the top and work down. Each section includes the specific settings to change, why they matter, and the risks of leaving them at default.
Identity and Access Controls
Identity is the perimeter. If an attacker compromises a user’s credentials, they inherit every permission that user has. Hardening identity controls is the single most impactful thing you can do for M365 security.
Enforce Multi-Factor Authentication (MFA)
MFA blocks more than 99.9% of automated account compromise attacks according to Microsoft’s own analysis. There is no single control that provides more security value per unit of effort. The caveat is that push, one-time-code and SMS methods can still be phished in real time by adversary-in-the-middle proxy kits, which is why the administrator guidance below calls for phishing-resistant methods.
Configuration:
- Enable Security Defaults (for small organizations without Azure AD Premium) or Conditional Access policies (for organizations with Azure AD P1/P2); the two are mutually exclusive, so Security Defaults must be turned off before Conditional Access policies can be created
- Require MFA for all users, including service accounts where technically feasible
- Use phishing-resistant MFA methods for administrators: FIDO2 security keys, Windows Hello for Business, or certificate-based authentication
- Disable SMS and voice call as MFA methods (vulnerable to SIM swapping and SS7 attacks)
- Verify that MFA number matching is in effect for Microsoft Authenticator push notifications (Microsoft now enforces it for all tenants) and enable additional context (application name and sign-in location) to prevent MFA fatigue attacks
For detailed MFA implementation guidance, see our guide on securing your accounts with multi-factor authentication.
Implement Conditional Access Policies
Conditional access policies go beyond MFA by adding contextual controls — who is accessing what, from where, on what device, at what risk level.
Baseline policies to deploy:
Block legacy authentication:
- Create a conditional access policy that blocks Exchange ActiveSync clients, IMAP, POP3, SMTP AUTH, and “Other clients”
- Verify no users or applications depend on legacy protocols before enforcing (check Azure AD sign-in logs filtered by “Client app”)
Require compliant devices:
- Require Intune-compliant or hybrid Azure AD joined devices for access to Exchange Online, SharePoint Online, and Teams
- Configure Intune compliance policies that require encryption, OS version minimums, and active threat protection
Restrict high-risk sign-ins:
- With Azure AD P2, configure policies that block or require MFA for sign-ins flagged as high risk by Azure AD Identity Protection
- Block sign-ins from countries/regions where your organization has no employees or business presence
Limit Azure management access:
- Require MFA and compliant devices for access to the Azure portal, Azure PowerShell, and Azure CLI
- Set sign-in frequency to 1 hour for administrative sessions
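The legacy-authentication policy above is the one most likely to break something, so the practitioner's workflow is: create it in report-only mode, triage the sign-in log for anyone still using a legacy protocol, then enforce. The following is an added example (not code from the original checklist or from Microsoft) that builds the policy as a Microsoft Graph request body and runs that triage over sign-in records. It assumes the Graph endpoints and field names noted in the comments (POST /identity/conditionalAccess/policies, GET /auditLogs/signIns with clientAppUsed and status.errorCode); the break-glass object ID and the sign-in records are constructed placeholders, not real tenant data.

```python
"""Build a report-only 'block legacy authentication' Conditional Access policy
and find which users still depend on legacy protocols before enforcing it.
Added example; assumptions are marked in comments."""
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# "Client app" values the Entra sign-in log uses for legacy (basic) authentication.
# Modern clients show up as "Browser" or "Mobile Apps and Desktop clients".
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Exchange Web Services", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
    "Autodiscover", "Offline Address Book", "Reporting Web Services",
    "Exchange Online PowerShell", "Other clients",
}


def block_legacy_auth_policy(break_glass_ids: List[str], enforce: bool = False) -> dict:
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
    Starts in report-only mode; pass enforce=True only after legacy_auth_usage() is empty."""
    return {
        "displayName": "CA001 - Block legacy authentication",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            # Break-glass accounts are excluded from every policy, this one included.
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            # exchangeActiveSync + other covers every client type that cannot do modern auth.
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def legacy_auth_usage(signins: Iterable[dict]) -> Dict[str, Dict[str, int]]:
    """Map user -> legacy client app -> number of *successful* sign-ins.
    Records are objects from GET /auditLogs/signIns; a failed attempt (for example a
    password-spray guess over IMAP) is not a dependency and is ignored."""
    usage: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for s in signins:
        app = s.get("clientAppUsed", "")
        if app in LEGACY_CLIENT_APPS and s.get("status", {}).get("errorCode") == 0:
            usage[s["userPrincipalName"]][app] += 1
    return {user: dict(apps) for user, apps in usage.items()}


# Constructed sample sign-in records (not real data). 50126 is Entra's
# "invalid username or password" error code.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "scanner@contoso.example", "clientAppUsed": "Authenticated SMTP",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@contoso.example", "clientAppUsed": "Authenticated SMTP",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
]

if __name__ == "__main__":
    # Placeholder break-glass object ID; substitute the real account's id.
    print(json.dumps(block_legacy_auth_policy(["00000000-0000-0000-0000-000000000001"]), indent=2))
    for user, apps in legacy_auth_usage(SAMPLE_SIGNINS).items():
        print(f"still on legacy auth: {user} -> {apps}")
```

On the sample data only the scanner account (two successful SMTP AUTH sign-ins) shows up; Bob's failed IMAP attempt is someone guessing his password, which is exactly the traffic the policy exists to stop. Give devices like that scanner a modern-auth relay or a dedicated mailbox exempted by a separate, narrowly scoped policy rather than leaving the tenant-wide block in report-only mode.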
Configure Break-Glass Accounts
Break-glass accounts are emergency-only accounts that are excluded from conditional access policies. They ensure you can still reach your tenant if a conditional access misconfiguration, an MFA service outage, or a lost administrator device locks everyone else out.
- Create 2 cloud-only accounts with Global Administrator role
- Exclude them from all conditional access policies
- Use 16+ character passwords stored in a physical safe (not in a password manager that depends on Azure AD)
- Prefer registering a dedicated FIDO2 security key to each account and storing it in the safe with the password; if you instead exclude the account from every MFA requirement, the long password and the monitoring in the next item are its only protection
- Monitor sign-in activity on these accounts with an alert rule — any use should trigger immediate investigation
- Test break-glass accounts quarterly to verify they still work
Enable Privileged Identity Management (PIM)
PIM provides just-in-time access for administrative roles, reducing the window of exposure for privileged accounts.
- Remove permanent Global Administrator assignments (except break-glass accounts)
- Configure eligible assignments for all administrative roles with approval workflows
- Set maximum activation duration to 8 hours
- Require justification and MFA for role activation
- Configure PIM alerts for suspicious activation patterns
Email Security
Email is the primary attack vector for most organizations. Business email compromise (BEC), phishing, and malware delivery all flow through email. Hardening email security requires configuration at the domain level (DNS), the platform level (Exchange Online Protection), and the application level (Defender for Office 365).
Configure Email Authentication (DMARC, DKIM, SPF)
Email authentication prevents attackers from spoofing your domain in phishing emails.
SPF (Sender Policy Framework):
- Publish an SPF record in DNS that lists all authorized email senders for your domain
- Include Microsoft 365: v=spf1 include:spf.protection.outlook.com -all
- Add entries for any third-party services that send email on your behalf (marketing platforms, ticketing systems, CRM), and keep the record within the 10 DNS lookup limit that receivers enforce; beyond it, SPF evaluation fails with a permanent error and the record protects nothing
- Use -all (hard fail) rather than ~all (soft fail) to reject unauthorized senders
DKIM (DomainKeys Identified Mail):
- Enable DKIM signing in the Microsoft 365 Defender portal for each custom domain
- Publish the CNAME records that Microsoft provides in your DNS
- Verify DKIM is signing outbound email using a DKIM checker tool
DMARC (Domain-based Message Authentication, Reporting, and Conformance):
- Publish the policy as a TXT record at _dmarc.yourdomain.com
- Start with a monitoring policy: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
- Analyze DMARC aggregate reports for 4-6 weeks to identify legitimate senders and fix their SPF or DKIM alignment
- Move to quarantine: v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com
- Gradually increase the percentage and move to reject: v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
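The SPF and DMARC steps above each have a failure mode that is invisible from the portal: an SPF record that has grown past the 10 DNS lookup limit silently stops working, and a DMARC policy parked at p=quarantine with a low pct never reaches the reject state the rollout is meant to end at. The following is an added example (not code from the original checklist) of an offline checker for both. The resolver is a callable so the constructed zone data below stands in for DNS; point it at a real TXT lookup (for example with dnspython) to audit a live domain. Every domain name and record here is made up for illustration, including the simplified stand-in for Microsoft's spf.protection.outlook.com record.

```python
"""Offline SPF/DMARC policy checker: counts SPF DNS lookups through include:
and redirect=, reads the 'all' qualifier, and grades the DMARC record.
Added example; zone data is constructed and simplified, not real DNS."""
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]          # domain -> list of TXT strings

# Constructed sample zone (not real records).
SAMPLE_TXT: Dict[str, List[str]] = {
    "contoso.example": ["v=spf1 include:spf.protection.outlook.com include:_spf.crm.example -all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:203.0.113.0/24 include:spfd.protection.outlook.com -all"],
    "spfd.protection.outlook.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.crm.example": ["v=spf1 a mx ~all"],
    "_dmarc.contoso.example": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@contoso.example"],
    "legacy.example": ["v=spf1 a mx ptr ~all"],   # soft fail, deprecated ptr, no DMARC at all
}


def sample_resolver(domain: str) -> List[str]:
    return SAMPLE_TXT.get(domain, [])


LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_SPF_LOOKUPS = 10                           # RFC 7208 section 4.6.4


def get_spf(domain: str, resolver: Resolver) -> Optional[str]:
    """Exactly one SPF record is valid; zero or several is a permerror, returned as None."""
    spf = [r for r in resolver(domain) if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_lookups(domain: str, resolver: Resolver, depth: int = 0) -> int:
    """Count DNS-querying terms, recursing into include: targets and redirect= modifiers."""
    record = get_spf(domain, resolver)
    if record is None or depth > MAX_SPF_LOOKUPS:
        return 0
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")             # qualifier does not change lookup cost
        if "=" in term:                        # modifier such as redirect= or exp=
            name, _, target = term.partition("=")
            if name.lower() == "redirect":
                count += 1 + spf_lookups(target, resolver, depth + 1)
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()      # drop CIDR suffix on a/mx
        if name in LOOKUP_MECHANISMS:
            count += 1
            if name == "include":
                count += spf_lookups(arg, resolver, depth + 1)
    return count


def spf_all_qualifier(record: str) -> str:
    """Qualifier on 'all': '-' hard fail, '~' soft fail, '?' neutral, '+' pass (everyone)."""
    for term in record.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return "?"                                 # no 'all' term behaves as neutral


def parse_dmarc(record: str) -> Dict[str, str]:
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_domain(domain: str, resolver: Resolver) -> List[str]:
    """Findings against the target state (-all, <=10 lookups, p=reject, pct=100, rua set)."""
    findings: List[str] = []
    spf = get_spf(domain, resolver)
    if spf is None:
        findings.append("SPF: no single valid record")
    else:
        if spf_all_qualifier(spf) != "-":
            findings.append("SPF: 'all' is not -all (hard fail)")
        if "ptr" in [t.lstrip("+-~?").split(":")[0].lower() for t in spf.split()]:
            findings.append("SPF: uses deprecated ptr mechanism")
        lookups = spf_lookups(domain, resolver)
        if lookups > MAX_SPF_LOOKUPS:
            findings.append(f"SPF: {lookups} DNS lookups exceeds limit of {MAX_SPF_LOOKUPS} (permerror)")
    dmarc = [r for r in resolver(f"_dmarc.{domain}") if r.startswith("v=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record")
        return findings
    tags = parse_dmarc(dmarc[0])
    if tags.get("p") != "reject":
        findings.append(f"DMARC: p={tags.get('p', 'missing')}, target is reject")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']}, target is 100")
    if "rua" not in tags:
        findings.append("DMARC: no rua, aggregate reports will not be received")
    return findings


if __name__ == "__main__":
    for d in ("contoso.example", "legacy.example"):
        print(d, spf_lookups(d, sample_resolver), grade_domain(d, sample_resolver))
```

Run this against every domain you send from, not just the primary one: parked domains with no SPF or DMARC record are the ones attackers spoof. Subdomains without their own policy inherit the organizational domain's p= tag unless sp= says otherwise.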
Configure Exchange Online Protection (EOP)
EOP is included with every Microsoft 365 subscription and provides baseline email filtering.
- Review and tighten anti-spam policies: lower the bulk complaint level (BCL) threshold, enable safety tips
- Configure anti-malware policies: enable common attachment type filtering (block .exe, .vbs, .js, .scr, .bat, .cmd, .ps1)
- Enable zero-hour auto purge (ZAP) to retroactively remove malicious messages from mailboxes when a new threat signature is identified
- Review mail flow rules (transport rules) for overly permissive exceptions that bypass spam filtering
Configure Microsoft Defender for Office 365
Defender for Office 365 (Plan 1 or Plan 2) adds advanced threat protection beyond EOP.
Safe Links:
- Enable Safe Links for all users
- Enable URL scanning for email messages, Teams messages, and Office documents
- Enable real-time URL detonation (scan URLs at time of click, not just time of delivery)
- Do not allow users to click through warnings
Safe Attachments:
- Enable Safe Attachments for all users
- Set action to “Dynamic Delivery” (delivers the email body immediately, replaces the attachment with a placeholder until scanning completes) or “Block” where a short delivery delay is acceptable; Microsoft’s Standard and Strict preset security policies use Block, and Dynamic Delivery only applies to mailboxes hosted in Exchange Online
- Enable Safe Attachments for SharePoint, OneDrive, and Teams
Anti-phishing:
- Enable mailbox intelligence (learns each user’s communication patterns to detect impersonation)
- Configure impersonation protection for executives and high-value targets per Microsoft’s anti-phishing policy guidance
- Enable first contact safety tip (warns users when they receive email from a sender they have not previously communicated with)
Data Protection
Configure Data Loss Prevention (DLP)
DLP policies prevent sensitive data from leaving your organization through email, Teams, SharePoint, OneDrive, and endpoint devices.
- Enable built-in DLP policy templates for your regulatory requirements:
- Financial data (credit card numbers, bank account numbers)
- PII (Social Security numbers, passport numbers, driver’s license numbers)
- Health information (HIPAA-covered data)
- Compliance-specific templates (PCI DSS, GDPR, HIPAA)
- Configure policy tips to educate users before they share sensitive data
- Set up incident reports to notify security or compliance teams when DLP rules trigger
- Start with “test with policy tips” mode, then move to “turn it on right away” after validating
Organizations subject to regulatory requirements should also reference the NIST SP 800-171 framework for protecting controlled unclassified information. For organizations in healthcare, see our guide on understanding HIPAA compliance.
SharePoint and OneDrive Permissions
Default SharePoint and OneDrive settings are too permissive for most organizations.
- Disable anonymous sharing links (anyone with the link)
- Set default sharing link type to “Specific people” (not “People in your organization”)
- Set default sharing permission to “View” (not “Edit”)
- Configure external sharing at the tenant level:
- SharePoint: “New and existing guests” or “Only people in your organization” depending on business requirements
- OneDrive: Same as or more restrictive than SharePoint
- Block sharing with specific domains (competitors, free email providers) if appropriate
- Enable access expiration for guest users (e.g., 30 or 90 days)
- Review and audit existing sharing links quarterly
Sensitivity Labels
Microsoft Information Protection sensitivity labels classify and protect documents and emails based on content sensitivity.
- Define a sensitivity label taxonomy (Public, Internal, Confidential, Highly Confidential)
- Configure encryption for Confidential and Highly Confidential labels (restricts access to specified users or groups even if the file is shared externally)
- Configure auto-labeling policies to automatically detect and label documents containing sensitive data
- Deploy sensitivity labels to Exchange Online, SharePoint Online, OneDrive, Teams, and Office desktop apps
Endpoint Security
Microsoft Defender for Endpoint
If your organization licenses Microsoft Defender for Endpoint (included in M365 E5 or as an add-on), configure it for maximum protection.
- Enable automated investigation and remediation (AIR) to automatically contain and remediate common threats
- Configure attack surface reduction (ASR) rules:
- Block executable content from email client and webmail
- Block Office applications from creating child processes
- Block JavaScript or VBScript from launching downloaded executable content
- Block credential stealing from the Windows Local Security Authority Subsystem (LSASS)
- Block process creations originating from PSExec and WMI commands
- Enable tamper protection to prevent users or malware from disabling Defender
- Enable network protection to block connections to known malicious domains and IP addresses
- Enable web content filtering to block access to categories of malicious or inappropriate websites
For more on endpoint protection, see our guide on how to implement effective endpoint management solutions.
Device Compliance Policies
Intune device compliance policies define the minimum security requirements for devices accessing M365 resources.
- Require device encryption (BitLocker on Windows, FileVault on macOS)
- Require minimum OS version (block devices running unsupported OS versions)
- Require active threat protection (Defender for Endpoint must be running and healthy)
- Require device PIN or password with minimum complexity
- Mark non-compliant devices and block their access to M365 through conditional access
- Configure compliance policy notifications to inform users when their device falls out of compliance
For organizations considering BYOD policies, see our guide on benefits and risks of a BYOD policy.
Audit Logging and Monitoring
Without logging, you cannot detect a breach, investigate an incident, or prove compliance. M365 audit logging is not fully enabled by default.
Enable Unified Audit Logging
- Verify that unified audit logging is enabled in the Microsoft Purview compliance portal (it should be enabled by default for new tenants, but verify)
- Enable Mailbox Auditing for all mailboxes (enabled by default since 2019, but verify and ensure it is not disabled for specific mailboxes)
- Enable audit log search retention:
- E3 licenses: 180 days default retention
- E5 licenses: 365 days default retention, 10-year retention available with Audit (Premium)
Configure Alert Policies
Microsoft Purview includes built-in alert policies, but you should review and customize them:
- Enable alerts for:
- Unusual volume of file deletions
- Unusual volume of external sharing
- Elevation of Exchange admin privilege
- Malware campaign detected after delivery
- User reported a phishing email
- Email messages removed after delivery (ZAP action)
- Configure alert notification recipients (security team distribution list)
- Create custom alerts for organization-specific scenarios
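One “organization-specific” alert worth building first is the one that catches the inbox rules and mailbox forwarding that business email compromise actors add within minutes of taking over a mailbox. The following is an added example (not code from the original checklist) of that detection run over Unified Audit Log records. Records follow the shape that Search-UnifiedAuditLog and the Management Activity API return for Exchange admin audit events (Operation, UserId, ClientIP, and a Parameters array of Name/Value pairs); the sample records, the contoso.example accepted domain, and the keyword list are constructed for the example. It deliberately does not alert on plain move-to-folder rules, which users create every day, unless a second BEC trait is present.

```python
"""Flag inbox-rule and forwarding changes characteristic of BEC persistence in
Unified Audit Log records. Added example; sample data is constructed."""
import re
from typing import Dict, Iterable, List, Optional

INTERNAL_DOMAINS = {"contoso.example"}           # assumption: your accepted domains
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDING_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
KEYWORDS = ("invoice", "payment", "wire", "bank", "password", "mfa")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _params(record: dict) -> Dict[str, str]:
    """Flatten the Exchange admin audit Parameters array into name -> value."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _external(value: str) -> List[str]:
    """Addresses in a parameter value whose domain is not ours. Values vary in shape
    ('smtp:addr', '"Name" [SMTP:addr]'), so match the address pattern itself."""
    return [a for a in EMAIL_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def score_record(record: dict) -> Optional[dict]:
    op = record.get("Operation", "")
    params = _params(record)
    reasons: List[str] = []
    forwarding = hiding = external = False
    if op == "Set-Mailbox":
        # Mailbox-level forwarding survives the user deleting their inbox rules.
        for p in ("ForwardingSmtpAddress", "ForwardingAddress"):
            if params.get(p):
                forwarding = True
                ext = _external(params[p])
                external = external or bool(ext)
                reasons.append(f"mailbox-level forwarding {p}={params[p]}" + (" (external)" if ext else ""))
    elif op in ("New-InboxRule", "Set-InboxRule"):
        for p in sorted(FORWARDING_PARAMS & params.keys()):
            forwarding = True
            ext = _external(params[p])
            external = external or bool(ext)
            reasons.append(f"rule forwards via {p}" + (f" to external {ext}" if ext else ""))
        hidden = sorted(HIDING_PARAMS & params.keys())
        hiding = bool(hidden)
        name = params.get("Name", "").strip()
        bad_name = len(name) <= 1                # ".", ",", "" are classic throwaway names
        text = (params.get("SubjectContainsWords", "") + " " + params.get("BodyContainsWords", "")).lower()
        keyed = any(k in text for k in KEYWORDS)
        # Hiding alone is everyday behaviour; report it only with a second BEC trait.
        if hiding and (forwarding or keyed or bad_name):
            reasons.append(f"rule hides mail ({', '.join(hidden)})")
        if keyed and (hiding or forwarding):
            reasons.append("rule keys on finance/credential words")
        if bad_name and (hiding or forwarding):
            reasons.append(f"throwaway rule name {name!r}")
    if not reasons:
        return None
    return {"time": record.get("CreationTime"), "user": record.get("UserId"),
            "client_ip": record.get("ClientIP"), "operation": op,
            "severity": "high" if external or (forwarding and hiding) else "medium",
            "reasons": reasons}


def triage(records: Iterable[dict]) -> List[dict]:
    return [a for a in (score_record(r) for r in records) if a]


# Constructed sample audit records (not real data).
SAMPLE_RECORDS = [
    {"CreationTime": "2024-03-04T08:12:09", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "alice@contoso.example", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "\"drop\" [SMTP:drop@evil.example]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-03-04T09:01:44", "Operation": "Set-InboxRule", "Workload": "Exchange",
     "UserId": "bob@contoso.example", "ClientIP": "203.0.113.8",
     "Parameters": [{"Name": "Name", "Value": "Receipts"}, {"Name": "MoveToFolder", "Value": "Receipts"}]},
    {"CreationTime": "2024-03-04T11:30:02", "Operation": "Set-Mailbox", "Workload": "Exchange",
     "UserId": "carol@contoso.example", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Identity", "Value": "carol"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.home@webmail.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2024-03-05T07:55:13", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "dave@contoso.example", "ClientIP": "192.0.2.77",
     "Parameters": [{"Name": "Name", "Value": ","},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}, {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2024-03-05T10:02:51", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "erin@contoso.example", "ClientIP": "203.0.113.8",
     "Parameters": [{"Name": "Name", "Value": "Delegate copy"},
                    {"Name": "ForwardTo", "Value": "\"Frank\" [SMTP:frank@contoso.example]"}]},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(alert["severity"], alert["user"], alert["operation"], alert["reasons"])
```

The two high-severity hits here share a client IP, which is the pivot an investigator wants next: search the same window of sign-in logs for that address. Note that mailbox auditing must be on (the checklist item above) for these records to exist at all, and that Set-Mailbox forwarding set by an administrator is logged under the admin's UserId, not the victim's.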
Integrate with SIEM
For organizations with a SIEM platform, forward M365 audit logs for correlation with other security data sources. For a comparison of SIEM options, see our guide on Azure Sentinel vs Splunk vs Datadog.
- Configure the Office 365 Management Activity API or Microsoft 365 Defender connector to forward logs to your SIEM
- Validate that critical log sources are ingesting correctly: Azure AD sign-in logs, audit logs, Exchange Online, SharePoint Online, Teams, and Defender alerts
Secure Score
Microsoft Secure Score provides a numerical assessment of your M365 security posture and recommends improvements.
- Review Secure Score in the Microsoft 365 Defender portal
- Prioritize recommended actions by impact and implementation effort
- Set a target Secure Score and track progress monthly
- Compare your score to similar organizations using the industry benchmark feature
Additional Hardening Measures
Disable Unused Services
- Disable Sway, Forms, or other M365 services that your organization does not use (reduces attack surface)
- Disable user consent to third-party OAuth applications (require admin consent) and enable the admin consent request workflow so users have a sanctioned path to request an application instead of working around the block
- Review and remove unnecessary third-party application consents from Azure AD Enterprise Applications
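Reviewing existing consents by hand in the Enterprise Applications blade does not scale, and the grants that matter are a specific combination: a sensitive delegated scope, offline_access (a refresh token that outlives the session), and a multi-tenant app from another organization with no verified publisher. The following is an added example (not code from the original checklist) that ranks delegated grants by that blast radius. Input objects have the shape of Microsoft Graph GET /oauth2PermissionGrants and GET /servicePrincipals; the tenant ID, the sample apps and grants, and the scoring weights are this example's own constructions. Application (app-role) permissions are a separate review and are not covered here.

```python
"""Rank delegated OAuth consents for review by sensitive scope, refresh-token
persistence, publisher trust, and breadth of consent. Added example; sample
data and weights are constructed."""
from typing import Iterable, List

OUR_TENANT_ID = "11111111-1111-1111-1111-111111111111"   # assumption: your tenant id

# Delegated scopes that let an app read or act on user data persistently.
SENSITIVE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Contacts.Read", "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All",
    "Sites.ReadWrite.All", "User.Read.All", "Directory.Read.All",
    "Directory.AccessAsUser.All", "Chat.Read", "ChannelMessage.Read.All",
}


def grant_findings(grants: Iterable[dict], service_principals: Iterable[dict]) -> List[dict]:
    """One finding per grant that includes a sensitive scope, highest score first."""
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        scopes = set(g.get("scope", "").split())
        sensitive = sorted(scopes & SENSITIVE_SCOPES)
        if not sensitive:
            continue
        sp = sps.get(g.get("clientId"), {})
        external = sp.get("appOwnerOrganizationId") != OUR_TENANT_ID
        verified = bool((sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"))
        tenant_wide = g.get("consentType") == "AllPrincipals"
        # Weights (example's own): each sensitive scope 1; offline_access 2 because the
        # refresh token keeps working after the user's session ends; unverified external
        # publisher 2; admin consent on behalf of every user 1.
        score = len(sensitive)
        score += 2 if "offline_access" in scopes else 0
        score += 2 if external and not verified else 0
        score += 1 if tenant_wide else 0
        findings.append({
            "app": sp.get("displayName", g.get("clientId")),
            "grant_id": g.get("id"),
            "scope_of_consent": "tenant-wide" if tenant_wide else f"user {g.get('principalId')}",
            "sensitive_scopes": sensitive,
            "offline_access": "offline_access" in scopes,
            "external_unverified_publisher": external and not verified,
            "score": score,
        })
    return sorted(findings, key=lambda f: (-f["score"], f["app"]))


# Constructed sample service principals and grants (not real data).
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Contoso Expense Bot", "appOwnerOrganizationId": OUR_TENANT_ID,
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
    {"id": "sp-2", "displayName": "Mail Sync Pro",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
    {"id": "sp-3", "displayName": "Acme Notes",
     "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333",
     "verifiedPublisher": {"displayName": "Acme Software", "verifiedPublisherId": "5550001"}},
]
SAMPLE_GRANTS = [
    {"id": "g-1", "clientId": "sp-2", "consentType": "Principal", "principalId": "user-a",
     "scope": "User.Read Mail.ReadWrite Mail.Send offline_access"},
    {"id": "g-2", "clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Files.Read.All offline_access"},
    {"id": "g-3", "clientId": "sp-3", "consentType": "Principal", "principalId": "user-b",
     "scope": "User.Read Files.Read offline_access"},
    {"id": "g-4", "clientId": "sp-3", "consentType": "Principal", "principalId": "user-c",
     "scope": "Sites.Read.All"},
]

if __name__ == "__main__":
    for f in grant_findings(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS):
        print(f["score"], f["app"], f["scope_of_consent"], f["sensitive_scopes"])
```

On the sample data the user-consented, unverified, external “Mail Sync Pro” with mailbox read/write, send, and offline_access ranks first, which is the profile of a consent-phishing application. Revoking a grant is DELETE /oauth2PermissionGrants/{id}; revoke the user's refresh tokens at the same time, since the app may already hold one.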
Teams Security
- Restrict external domain communication to approved partner domains (or disable entirely)
- Disable anonymous meeting join for internal meetings
- Configure meeting lobby for external participants
- Restrict who can create Teams (use a governance group rather than all users)
- Enable DLP policies for Teams chat and channel messages
Power Platform Governance
- Restrict Power Automate connectors to approved services (prevent data exfiltration through automated flows)
- Configure data loss prevention policies for Power Platform environments
- Restrict Power Apps creation to licensed users with a business justification
- Monitor Power Platform admin center for unusual connector usage
Implementation Priority
Not every item on this checklist carries equal weight. Implement in this order:
Week 1 — Critical:
1. Enable MFA for all users
2. Block legacy authentication
3. Configure break-glass accounts
4. Enable unified audit logging
5. Configure DMARC, DKIM, and SPF
Week 2 — High Priority:
6. Deploy conditional access policies (compliant devices, risk-based access)
7. Enable Safe Links and Safe Attachments
8. Configure anti-phishing impersonation protection
9. Restrict SharePoint and OneDrive external sharing
10. Enable Microsoft Defender for Endpoint ASR rules
Week 3-4 — Important:
11. Configure DLP policies
12. Deploy sensitivity labels
13. Enable PIM for administrative roles
14. Configure device compliance policies
15. Review and customize alert policies
Ongoing:
16. Monthly Secure Score review
17. Quarterly access reviews for guest users and external sharing
18. Quarterly break-glass account testing
19. Annual review of all conditional access policies and DLP rules
Frequently Asked Questions
Do I need Microsoft 365 E5 for full security hardening?
No, but E5 provides the most comprehensive security stack. E3 includes EOP, basic conditional access (with Azure AD P1), and Intune. E5 adds Defender for Office 365 Plan 2, Defender for Endpoint Plan 2, Azure AD P2 (Identity Protection, PIM), and advanced audit capabilities. Organizations on E3 can add individual security components a la carte if E5 is not in the budget.
How long does it take to fully harden a Microsoft 365 tenant?
The critical controls (MFA, legacy auth block, email authentication) can be deployed in a week. Full hardening — including conditional access, DLP, sensitivity labels, endpoint protection, and monitoring — typically takes 4-8 weeks for a mid-sized organization, with ongoing tuning and optimization.
Will these changes break anything for users?
The most disruptive change is blocking legacy authentication, which can break older email clients (Outlook 2010 and earlier, and Outlook 2013 unless modern authentication is enabled by registry key), some mobile email apps, printers and scanners that relay through SMTP AUTH, and applications that use basic authentication. Exchange Online itself has had basic authentication turned off since early 2023 for every protocol except SMTP AUTH, so in practice the remaining dependencies are usually SMTP AUTH senders. Audit legacy authentication usage in Azure AD sign-in logs for at least 2 weeks (30 days is safer, to catch monthly batch jobs) before enforcing the block. MFA enrollment is a minor user experience change that most users adapt to within a day.
How do I handle service accounts and shared mailboxes with MFA?
Service accounts that need to authenticate programmatically should use application permissions with certificates or managed identities rather than user credentials. For shared mailboxes, MFA is enforced when the user accessing the shared mailbox signs in (shared mailboxes themselves have no interactive sign-in of their own). The account behind a shared mailbox still exists in Azure AD, so block sign-in on it rather than excluding it from conditional access; an excluded account is a password-only account that an attacker can use directly.
What is the relationship between Microsoft 365 Defender and Microsoft Defender for Cloud?
Microsoft 365 Defender (since renamed Microsoft Defender XDR) protects M365 workloads (email, identity, endpoints, cloud apps). Microsoft Defender for Cloud protects Azure and multi-cloud infrastructure (VMs, containers, databases, storage). They are separate products with separate portals, though they share the Microsoft Defender brand and can forward alerts to the same SIEM. For comprehensive security, you need both if you use both M365 and Azure infrastructure. For more on cloud security, see our guide on security and compliance services.
Should I use Microsoft’s built-in security tools or third-party alternatives?
For organizations deeply invested in the Microsoft ecosystem, the built-in tools (Defender for Office 365, Defender for Endpoint, Sentinel) provide the best integration and lowest operational overhead. Third-party tools (Proofpoint for email, CrowdStrike for endpoint, Splunk for SIEM) may offer superior detection capabilities in specific areas but add integration complexity and cost. The right answer depends on your existing security stack, team expertise, and budget.
Next Steps
Hardening Microsoft 365 security does not have to be overwhelming. Exodata’s security and compliance team can help you assess your current M365 security posture, prioritize hardening actions, and implement the controls that protect your organization from the threats that matter most. Talk to an engineer today — no sales pitch, just answers.