Overview
Microsoft 365 is the backbone of most enterprise productivity environments — and a prime target for attackers. This guide covers the essential security and compliance configurations every M365 tenant should implement, from identity protection to data loss prevention.
Who Should Use This Guide:
- M365 administrators configuring tenant security
- Security engineers implementing compliance controls
- MSP technicians hardening client tenants
- IT managers preparing for compliance audits
What You Will Learn:
| Area | Configuration |
|---|---|
| Identity | MFA enforcement, conditional access, PIM |
| Email Security | Anti-phishing, safe links, safe attachments |
| Data Protection | DLP policies, sensitivity labels, retention |
| Audit & Monitoring | Unified audit log, alert policies |
| Compliance | eDiscovery, compliance score, assessments |
Requirements
| Component | Minimum License |
|---|---|
| Conditional Access | Entra ID P1 (included in M365 E3) |
| PIM | Entra ID P2 (included in M365 E5) |
| Defender for Office 365 | Plan 1 (E3) or Plan 2 (E5) |
| DLP | M365 E3+ |
| Sensitivity Labels | M365 E3+ |
| Advanced Audit | M365 E5 |
Part 1: Identity Security
Enable Security Defaults (Minimum Baseline)
For tenants without Entra ID P1:
```powershell
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
# Check current security defaults status
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
# Enable security defaults (only works if no conditional access policies exist; the two are mutually exclusive)
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled $true
```
Conditional Access Policies (Recommended Over Security Defaults)
Policy 1: Require MFA for All Users
| Setting | Value |
|---|---|
| Users | All users |
| Exclude | Break-glass emergency accounts |
| Cloud Apps | All cloud apps |
| Grant | Require authentication strength — Phishing-resistant MFA |
Policy 2: Block Legacy Authentication
| Setting | Value |
|---|---|
| Users | All users |
| Cloud Apps | All cloud apps |
| Conditions > Client apps | Exchange ActiveSync, Other clients |
| Grant | Block access |
Policy 3: Require Compliant Devices
| Setting | Value |
|---|---|
| Users | All users |
| Cloud Apps | Office 365 |
| Conditions > Device platforms | Windows, macOS, iOS, Android |
| Grant | Require device to be marked as compliant |
Policy 4: Block Access from Risky Sign-ins
| Setting | Value |
|---|---|
| Users | All users |
| Conditions > Sign-in risk | High |
| Grant | Block access |
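The four policy tables above describe settings to click through in the portal. As an added example (not code from the original guide), the following Microsoft Graph PowerShell creates policies 1, 2 and 4 in report-only mode with the break-glass accounts excluded; it assumes the Microsoft.Graph SDK, a Conditional Access Administrator, and placeholder break-glass object IDs, and the New-BaselineCaPolicy helper is the example's own.

```powershell
# Added example, not from the original guide. Assumes the Microsoft.Graph PowerShell SDK and a
# Conditional Access Administrator; the two break-glass object IDs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Object IDs of the break-glass accounts (placeholders; look them up with Get-MgUser)
$breakGlass = @("<break-glass-1-object-id>", "<break-glass-2-object-id>")

function New-BaselineCaPolicy {
    param([string]$DisplayName, [hashtable]$ExtraConditions = @{}, [hashtable]$GrantControls)
    # Every policy: all users minus break-glass, all cloud apps, all client app types unless overridden
    $conditions = @{
        Users          = @{ IncludeUsers = @("All"); ExcludeUsers = $breakGlass }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("all")
    }
    foreach ($k in $ExtraConditions.Keys) { $conditions[$k] = $ExtraConditions[$k] }
    $body = @{
        DisplayName   = $DisplayName
        # Report-only first: review sign-in log impact before changing State to "enabled"
        State         = "enabledForReportingButNotEnforced"
        Conditions    = $conditions
        GrantControls = $GrantControls
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Policy 1: require the built-in "Phishing-resistant MFA" authentication strength (looked up by name)
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
New-BaselineCaPolicy -DisplayName "CA001 - Require phishing-resistant MFA" `
    -GrantControls @{ Operator = "OR"; AuthenticationStrength = @{ Id = $strength.Id } }

# Policy 2: block legacy authentication (Exchange ActiveSync and "other clients")
New-BaselineCaPolicy -DisplayName "CA002 - Block legacy authentication" `
    -ExtraConditions @{ ClientAppTypes = @("exchangeActiveSync", "other") } `
    -GrantControls @{ Operator = "OR"; BuiltInControls = @("block") }

# Policy 4: block high-risk sign-ins (the sign-in risk condition needs Entra ID P2)
New-BaselineCaPolicy -DisplayName "CA004 - Block high sign-in risk" `
    -ExtraConditions @{ SignInRiskLevels = @("high") } `
    -GrantControls @{ Operator = "OR"; BuiltInControls = @("block") }

# Confirm the policies exist in report-only mode before enforcing any of them
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Policy 3 (compliant devices) is left out because it needs an Intune compliance policy in place first; it follows the same pattern with `Platforms` in the conditions and `compliantDevice` in `BuiltInControls`.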
Break-Glass Emergency Accounts
Always maintain at least two emergency access accounts:
Create the accounts in the Entra admin center and:
- Use a non-personal, organization-owned email address
- Exclude them from ALL conditional access policies
- Use a very long, complex password stored in a physical safe
- Do NOT enable MFA on these accounts
- Monitor sign-in activity with alerts: in Microsoft 365 Defender > Alert policies, create an alert that fires on any activity by a break-glass account
Part 2: Email Security (Defender for Office 365)
Anti-Phishing Policy
```powershell
# Connect to Exchange Online
Connect-ExchangeOnline
# Create strict anti-phishing policy
# (mailbox intelligence must itself be on for the mailbox intelligence protection action to apply)
New-AntiPhishPolicy -Name "Strict Anti-Phishing" `
    -Enabled $true `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -EnableOrganizationDomainsProtection $true `
    -EnableSpoofIntelligence $true `
    -EnableFirstContactSafetyTips $true `
    -EnableSimilarUsersSafetyTips $true `
    -EnableUnauthenticatedSender $true `
    -PhishThresholdLevel 3 `
    -TargetedUserProtectionAction Quarantine `
    -TargetedDomainProtectionAction Quarantine `
    -MailboxIntelligenceProtectionAction Quarantine
# Apply to all users in every accepted domain
New-AntiPhishRule -Name "Strict Anti-Phishing Rule" `
    -AntiPhishPolicy "Strict Anti-Phishing" `
    -RecipientDomainIs (Get-AcceptedDomain).DomainName
```
Safe Links Policy
```powershell
New-SafeLinksPolicy -Name "Strict Safe Links" `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -TrackClicks $true `
    -ScanUrls $true `
    -EnableForInternalSenders $true `
    -DeliverMessageAfterScan $true `
    -DisableUrlRewrite $false
New-SafeLinksRule -Name "Strict Safe Links Rule" `
    -SafeLinksPolicy "Strict Safe Links" `
    -RecipientDomainIs (Get-AcceptedDomain).DomainName
```
Safe Attachments Policy
```powershell
# The redirect switch is -Redirect (there is no -EnableRedirect parameter)
New-SafeAttachmentPolicy -Name "Strict Safe Attachments" `
    -Enable $true `
    -Action Block `
    -ActionOnError $true `
    -Redirect $true `
    -RedirectAddress "security@example.com"
New-SafeAttachmentRule -Name "Strict Safe Attachments Rule" `
    -SafeAttachmentPolicy "Strict Safe Attachments" `
    -RecipientDomainIs (Get-AcceptedDomain).DomainName
```
Email Authentication (SPF, DKIM, DMARC)
| Record | Configuration |
|---|---|
| SPF | v=spf1 include:spf.protection.outlook.com -all |
| DKIM | Enable in Defender portal for each domain |
| DMARC | v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100 |
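The table gives the target records; as an added check (not part of the original guide), the following PowerShell verifies SPF, DKIM signing and DMARC for every accepted domain in the tenant. It assumes an existing Connect-ExchangeOnline session and the Windows DnsClient module (Resolve-DnsName); the ok/weak/missing labels and the two helper functions are the example's own.

```powershell
# Added example, not from the original guide. Assumes an existing Connect-ExchangeOnline session
# and the Windows DnsClient module (Resolve-DnsName).
function Get-TxtRecords {
    param([string]$Name, [string]$Prefix)
    # Join multi-string TXT chunks and keep only records that start with the wanted tag
    @(Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
      ForEach-Object { $_.Strings -join "" } |
      Where-Object { $_ -like "$Prefix*" })
}

function Test-M365EmailAuth {
    param([string]$Domain)
    $r = [ordered]@{ Domain = $Domain; SPF = "missing"; DKIM = "disabled"; DMARC = "missing"; Note = "" }

    # SPF: exactly one v=spf1 record that includes EOP and hard-fails everything else (-all)
    $spf = Get-TxtRecords -Name $Domain -Prefix "v=spf1"
    if ($spf.Count -gt 1) { $r.SPF = "invalid (multiple records)" }
    elseif ($spf.Count -eq 1 -and $spf[0] -match 'include:spf\.protection\.outlook\.com' -and $spf[0] -match '\s-all$') { $r.SPF = "ok" }
    elseif ($spf.Count -eq 1) { $r.SPF = "weak ($($spf[0]))" }

    # DKIM: a signing config must exist and be enabled in Exchange Online for this domain
    $dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
    if ($dkim -and $dkim.Enabled) { $r.DKIM = "ok" }
    elseif ($dkim) { $r.Note = "publish CNAMEs then enable: $($dkim.Selector1CNAME), $($dkim.Selector2CNAME)" }

    # DMARC: p=reject is the target; quarantine and none are reported as weak
    $dmarc = Get-TxtRecords -Name "_dmarc.$Domain" -Prefix "v=DMARC1"
    if ($dmarc.Count -ge 1 -and $dmarc[0] -match '(?:^|;)\s*p=(\w+)') {
        if ($Matches[1] -eq "reject") { $r.DMARC = "ok" } else { $r.DMARC = "weak (p=$($Matches[1]))" }
    }
    [pscustomobject]$r
}

# Check every accepted domain in the tenant and show the results as a table
(Get-AcceptedDomain).DomainName | ForEach-Object { Test-M365EmailAuth -Domain $_ } | Format-Table -AutoSize
```

Run it again after publishing the DKIM CNAMEs and flipping the config with `Set-DkimSigningConfig -Identity <domain> -Enabled $true`; the DKIM column should then read ok.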
Part 3: Data Loss Prevention (DLP)
Create DLP Policy for Sensitive Data
```powershell
# Connect to Security & Compliance PowerShell
Connect-IPPSSession
# Create DLP policy for credit card numbers
New-DlpCompliancePolicy -Name "Protect Financial Data" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode Enable
New-DlpComplianceRule -Name "Block Credit Card Sharing" `
    -Policy "Protect Financial Data" `
    -ContentContainsSensitiveInformation @{
        Name          = "Credit Card Number"
        MinCount      = 1
        MaxConfidence = 100
        MinConfidence = 75
    } `
    -BlockAccess $true `
    -NotifyUser "SiteAdmin" `
    -GenerateIncidentReport "SiteAdmin"
```
Recommended DLP Templates
| Template | What It Protects |
|---|---|
| Financial data | Credit cards, bank account numbers |
| PII | SSNs, passport numbers, driver's licenses |
| Healthcare (HIPAA) | Medical record numbers, health data |
| PCI DSS | Payment card industry data |
| GDPR | EU personal data |
Part 4: Audit Logging and Monitoring
Enable Unified Audit Log
```powershell
# Check if audit logging is enabled (run in a Connect-ExchangeOnline session)
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
# Enable unified audit logging
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
```
Enable Mailbox Auditing
```powershell
# Enable mailbox auditing for all mailboxes, keeping audit records for a year
Get-Mailbox -ResultSize Unlimited |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 365
# Verify: list any mailbox where auditing is still off (no output means all are enabled)
Get-Mailbox -ResultSize Unlimited |
    Select-Object DisplayName, AuditEnabled |
    Where-Object { -not $_.AuditEnabled }
```
Critical Alert Policies
Configure these in Microsoft 365 Defender:
| Alert | What It Monitors |
|---|---|
| Suspicious email forwarding | Auto-forwarding rules to external domains |
| Elevation of privilege | Admin role assignments |
| Malware campaign | Multiple users receiving same malware |
| Unusual external user file activity | External sharing anomalies |
| eDiscovery search started | Compliance search initiated |
| Mass file deletion | Bulk SharePoint/OneDrive deletions |
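The "Suspicious email forwarding" alert only fires on new rules. As an added example (not from the original guide), the following inventory finds forwarding that is already in place: mailbox-level ForwardingSmtpAddress settings and inbox rules whose forward or redirect targets lie outside the tenant's accepted domains. It assumes an existing Connect-ExchangeOnline session with rights to read every mailbox; the Get-ExternalSmtpTargets helper and the recipient-string format it parses are the example's own assumptions.

```powershell
# Added example, not from the original guide. Assumes an existing Connect-ExchangeOnline session
# with rights to read every mailbox and its inbox rules.
$acceptedDomains = (Get-AcceptedDomain).DomainName

function Get-ExternalSmtpTargets {
    param([string[]]$Entries)
    # Recipient entries look like '"Name" [SMTP:user@domain]' or 'smtp:user@domain'; pull out
    # the SMTP address and keep only those outside the tenant's accepted domains. Entries with
    # no SMTP part (internal display names) are skipped.
    foreach ($e in ($Entries | Where-Object { $_ })) {
        foreach ($m in [regex]::Matches($e, '(?i)SMTP:([^\]\s]+)')) {
            $addr = $m.Groups[1].Value
            if ($acceptedDomains -notcontains ($addr -split '@')[-1]) { $addr }
        }
    }
}

function Get-ExternalForwardingInventory {
    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        # Mailbox-level forwarding: set by an admin, or by whoever holds admin rights
        foreach ($t in (Get-ExternalSmtpTargets -Entries @($mbx.ForwardingSmtpAddress))) {
            $findings.Add([pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress; Source = "ForwardingSmtpAddress"; Target = $t
            })
        }
        # Inbox rules: the usual way a compromised mailbox leaks mail without the owner noticing
        foreach ($rule in (Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue)) {
            $entries = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($t in (Get-ExternalSmtpTargets -Entries $entries)) {
                $findings.Add([pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress; Source = "InboxRule: $($rule.Name)"; Target = $t
                })
            }
        }
    }
    $findings
}

Get-ExternalForwardingInventory | Format-Table -AutoSize
```

Every row is either a documented business exception or something to investigate; an empty result is the state the transport rule in Part 5 is meant to keep you in.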
Part 5: Additional Hardening
Disable External Forwarding
```powershell
# Block automatic external forwarding
# (New-TransportRule creates the rule; Set-TransportRule only modifies an existing one)
New-TransportRule -Name "Block External Auto-Forwarding" `
    -FromScope InOrganization `
    -MessageTypeMatches AutoForward `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "External email forwarding is blocked by policy" `
    -RejectMessageEnhancedStatusCode "5.7.1"
```
SharePoint and OneDrive Security
```powershell
# Connect to SharePoint Online (replace contoso with your tenant name)
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
# Restrict external sharing to authenticated external users (no anonymous links)
Set-SPOTenant -SharingCapability ExternalUserSharingOnly
# Limit unmanaged devices to web-only access with downloads blocked
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
# Require sharing invitations to be accepted with the account they were sent to
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true
```
Teams Security
| Setting | Recommended Value |
|---|---|
| External access | Allow only specific domains |
| Guest access | Enabled with restrictions |
| Meeting policies | Lobby for external participants |
| Messaging policies | Report security concerns enabled |
| App permissions | Admin-approved apps only |
Compliance Score Checklist
Track your progress in Microsoft Compliance Manager:
- MFA enabled for all users
- Legacy authentication blocked
- Anti-phishing policies configured
- Safe Links and Safe Attachments enabled
- SPF, DKIM, DMARC configured
- DLP policies active for sensitive data
- Unified audit logging enabled
- Mailbox auditing enabled
- External forwarding blocked
- SharePoint external sharing restricted
- Alert policies configured
- Break-glass accounts created and monitored
- Conditional access policies deployed
- Sensitivity labels published