April 29, 2025 | 8 min read
Rob Edmondson
From email security to privileged access management to DevOps, Rob’s experience has led to his deep passion for solving the biggest challenges for IT and security teams across higher education, Fortune 1,000 companies, and more.

Contributions by Vasil Michev, Sharon Breeze, and Terence Jackson

For Microsoft 365 organizations, it’s no longer a question of if their tenant will be breached. It’s a question of when (and how often). With a strong cyber resilience strategy for Microsoft 365, you can build layers of resilience into your tenant. That way you can withstand attacks when they happen.

This article covers:

  1. The Four Components of Cyber Resilience for Microsoft Tenants
  2. The Cyber Resilience Maturity Model for M365
  3. Resources for Building Cyber Resilience for Microsoft 365

Why is Cyber Resilience Important for Microsoft 365?

Microsoft 365 isn’t just an app. It’s a prime target for cybercriminals. The average Microsoft 365 tenant contains 58% of an organization’s sensitive cloud data and, arguably, has the most powerful privileged accounts a business has.  

Industry surveys have revealed that Microsoft 365 tenants are still facing a constant barrage of attacks.

  1. Nation-state attackers like Nobelium (Midnight Blizzard) and Hafnium have consistently prioritized attacks on Microsoft 365 tenants, to the point that CISA is now requiring all federal agencies to implement secure configurations across all Microsoft 365 tenants by June 20th, 2025.
  2. Outside of the public sector, a Vectra survey of over 1,000 security professionals found that 71% of Microsoft 365 deployments had suffered an average of seven successful account takeovers.

Your tenant will be breached. Cyber resilience techniques for Microsoft help you withstand attacks and recover more quickly.

Sensitive Cloud Data in Microsoft 365

The Four Components of Cyber Resilience for Microsoft Tenants

NIST defines Cyber Resilience as:  

“The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”

Let’s break this down into its four constituents and look at what this may involve for Microsoft 365.  

Anticipate Attacks in Your M365 Tenant

Whereas traditional security builds defenses based on an existing understanding of best practices, cyber resilience asks security teams to look ahead and anticipate emerging threats and trends.

No one can predict the future, but you can ensure you partner with vendors and service providers who react quickly to the threat landscape. And you can implement an internal process to review emerging threats frequently and adapt your internal standards appropriately.  

Implementing this process is a strong starting point. But it should also include a practical way to make changes quickly. For example, if you identify a requirement that your existing toolset cannot deliver, you will be able to adapt faster if you have an extensible platform.

Graphic from CoreView's Microsoft 365 Cyber Resilience Maturity Model

Withstand Attacks in Your Microsoft Tenant

It’s obvious that every organization should implement strong access-level security for its tenants, such as email filtering, zero-trust authentication, and cloud access control.

However, withstanding an attack means implementing robust security measures to minimize the impact when someone successfully outwits or bypasses these controls.

To minimize the impact when your tenant is breached, you will want to make it as difficult as possible for cybercriminals to move laterally, elevate their privileges, persist in your tenant, and reach their final objective.

For the full list of best practices to withstand a tenant attack, access the full Microsoft 365 Cyber Resilience guide.

Recover After a Tenant Attack

There are now over 10,000 unique policy elements across Microsoft 365’s many configuration types, with many of these designed to have multiple variations (e.g., multiple user groups or conditional access policies).

This means the day-to-day operation of a Microsoft 365 tenant may rely on hundreds of thousands (or in some cases millions) of unique configurations.

With this complexity, it is now critical that organizations keep their Microsoft 365 tenant configurations backed up, ready to be restored in the event of a disaster.

Quote from CoreView's Microsoft 365 Cyber Resilience Maturity Model guide

Adapt Your Tenant Security Measures

The final element in the NIST definition of cyber resilience is the ability to adapt and continuously improve your tenant security based on what you learn from past incidents. To do this, it is critical to work with platforms that are extensible and that you can adapt to your unique requirements.

Dive deeper into best practices you can implement today to be more resilient with our complete guide: Microsoft 365 Cyber Resilience Maturity Model.

The Four Pillars of Cyber Resilience in Microsoft 365

The Cyber Resilience Maturity Model for Microsoft 365 Tenants

Without a clear plan, attackers can spread laterally, escalate privileges, and exfiltrate data before you even detect them. This maturity model is designed to help you detect intrusions early, contain threats, and recover before attackers cause serious damage.

CoreView’s Cyber Resilience Maturity Model for Microsoft Tenants

Maturity Model Level 1: Access Security and Data Backup for Your Tenant

At this level, the goal is to reduce the likelihood of initial compromise in your tenant. Implementing the controls associated with Level 1 will help you enforce strong user access, email filtering, and data access controls for your tenant—all things that drive down the risk of an initial breach.  

The controls of this level include:

  • Basic Cyber Hygiene
  • Privileged Access Management vs. Least Privilege

Maturity Model Level 2: Configuration and Backup in Microsoft 365

At Level 2, you’re aiming to reduce the impact of compromise once someone has accessed your tenant. The controls here include backing up your configurations, deploying secure configurations, detecting configuration drift, enforcing configuration change management, and detecting and testing new Microsoft updates before they’re rolled out.

Maturity Model Level 3: Least Privilege and Collaboration

With your configurations now tamper-proof, Level 3 looks to remove common escalation vectors and pathways that cybercriminals love to exploit. Controls for Level 3 include:

  • True Least Privilege Admin Roles
  • Entra App Management
  • External User and Collaboration Security  
  • Detect High-Risk Files and Sharing  
  • Detect Suspicious Mailboxes

Quote from CoreView's Microsoft 365 Cyber Resilience Maturity Model guide

Maturity Model Level 4: Governance and Automation

By the time you come to Level 4, you have put layers of resilience into your tenant to slow attackers down to a crawl. The next step is to implement governance and automation to keep your attack surface lean and your response time fast.  

This level involves implementing sprawl and lifecycle management, user access reviews, enhanced audit and reporting, secure task management, and rapid extensibility.  

Resources to Improve Cyber Resilience for Your Microsoft 365 Tenant

Microsoft 365 Cyber Resilience Maturity Model

The Cyber Resilience Maturity Model for Microsoft 365 covers each level of the maturity model in-depth, including recommendations and best practices from Microsoft experts to build cyber resilience into your day-to-day operations.

Preview of CoreView’s Microsoft 365 Cyber Resilience Maturity Model

Anatomy of a Microsoft 365 Attack

To get inside your tenant, attackers use all kinds of tactics—some new, some old. Stay up to date on the latest attack tactics from cybercriminals to strengthen your organization’s defenses against evolving threats.

See how in the Anatomy of a Microsoft 365 Attack.

Admin Permissions Scanner for Microsoft 365

It takes attackers just 16 hours to reach your directory.  

And, once inside your tenant, attackers will find and hijack high-privilege accounts. Counteract these attacks by identifying accounts with excessive permissions and reducing exposure with the Admin Permissions Scanner for Microsoft 365.

Preview of the Admin Permissions Report for Microsoft 365

Building an Effective Cyber Resilience Strategy with CoreView

With CoreView, you get the tools you need for true cyber resilience for your Microsoft tenant. Our rapid response and secure automation tools make tenant protection more than just a preventative measure:

  • Create admin roles with “just enough” access.
  • See which of your integrated apps have powerful permissions in your tenant.
  • Detect when attackers change configurations with comprehensive change management.
  • Back up configurations so you can roll back and restore them when disaster strikes.
  • Take control of guest users and sharing in your tenant.
  • Enforce tenant lifecycle management to keep your attack surface as small as possible.

See how your peers use CoreView to build resilience in Microsoft 365. Or, schedule a demo to dive deeper into our cyber resilience capabilities.
