In just the first half of 2025, attackers compromised 15.7 billion records worldwide, nearly double the same period in 2024. Breaches are now more frequent and more expensive (the average cost of a breach is now at $4.88M).
For Microsoft 365 customers, one wrong click – an over-permissioned guest, a forgotten admin role, a disabled conditional access policy – can open your entire tenant. Gartner found that 99% of breaches come down to mistakes like these. And in Microsoft 365, mistakes are almost guaranteed. That’s why every setting, role, and policy you put in place (or leave unchecked) matters. This article covers security best practices to shut down the pathways attackers exploit when mistakes slip through.
This article covers:
Misconfigurations, privilege sprawl, and limited visibility are the leading causes of breaches and compliance failures (Gartner). As Microsoft continues to expand its native security capabilities, organizations struggle to determine which controls are essential, how licensing impacts implementation, and where gaps persist. This report organizes existing Microsoft 365 security best practices into clear categories, highlights areas where native tools fall short, and provides a comprehensive checklist for ongoing security and governance. Executives and technical teams can use this guidance to strengthen operational and cyber resilience, reduce risk, and align with compliance frameworks.
Verizon’s 2025 DBIR found 82% of breaches involve identity. Yet nearly 60% of enterprises lack basic identity hygiene, like enforcing MFA. These missteps quickly become prime attack vectors.
At enterprise scale, your identities are the single largest risk multiplier. Users and their identities are on the frontlines of security, meaning that everything from basic password hygiene to multi-factor authentication makes a difference in keeping your M365 resources, data, and systems safe. And, unlike smaller tenants, large organizations face unique complexity: multiple business units, thousands of privileged users, and external collaboration at global scale.
Within Microsoft 365 (M365), Identity and Access Management (IAM) forms the foundation of your organization's security posture. Because of how M365 is structured, everything is integrated with identity. Identity is not just an access layer in M365, but the key to your company’s entire M365 environment.
M365 is a high-value, and often highly accessible, target for attackers: it enjoys wide global adoption, almost always holds a high volume of privileged accounts, and can unlock access to everything. It only takes access to a single identity to wreak havoc, up to and including complete environment takeover.
This section outlines actionable IAM best practices with step-by-step implementation guidance, drawing on zero trust principles to reduce attack surfaces and prevent unauthorized access. Adopting IAM best practices not only blocks common threats but also builds resilience against Advanced Persistent Threats (APTs) and insider threats.
Enforcing MFA is the single most effective step to protect user accounts. It requires users to provide one or more additional verification factors (such as an authenticator app code or push notification) beyond their username and password, which helps to block over 99% of automated account takeover attacks.
MFA should be enabled for all accounts, including administrators and regular users, to drastically reduce the risk of credential compromise and add another layer of protection. Tips for implementing MFA in Microsoft 365 are below.
Use the Microsoft Entra admin center to either enable Security Defaults or configure conditional access policies to require MFA for all users. Security Defaults are a pre-configured set of security settings that introduce one-click rollout of basic MFA for all users within all M365 plans. This enforces MFA on admin roles and new users by default.
For greater granularity in MFA enforcement, configure conditional access policies, which will require a premium Microsoft 365 license. This allows for more specificity in how MFA is applied under certain conditions, e.g., managing or blocking all logins from outside the corporate network or blocking brute-force-exploitable legacy authentication protocols that bypass modern authentication.
Global administrator (and other privileged) roles hold tremendous power – and risk. Privileged accounts have the highest level of access to sensitive information as well as the ability to make system-wide changes. As such, they make tempting attack targets. Immediately require MFA for these roles and secure them first. Roll out MFA to all remaining users as soon as possible (e.g., within 30 days) thereafter.
Encourage use of the Microsoft Authenticator app for push notifications, or other phishing-resistant methods like FIDO2 security keys or certificate-based authentication (CBA) rather than SMS codes. App-based or token MFA is more secure and user-friendly (one-tap approval) and avoids SIM-swap or SMS phishing risks. Any authentication app that supports Open Authentication time-based one-time passwords (OATH TOTP) works.
Inform and educate users about the MFA rollout and the importance of MFA. Provide guides on setting up the authenticator app or other second factors. Emphasize that this extra step protects their account and company data.
All Microsoft 365 plans support basic MFA (e.g., via Security Defaults). Advanced conditional access policies for MFA enforcement require premium licensing.
Keep track of user MFA status and monitor overall MFA adoption in your Microsoft Secure Score.
Passwords are widely perceived as the weakest link in cybersecurity. More than 8 in 10 hacking-related breaches are caused by weak or stolen passwords. It’s easy to exploit existing password vulnerabilities that range from human error to password fatigue to credential stuffing to phishing attacks. Introducing more secure password policies contributes to enhanced overall M365 security.
Below are secure password policy tips.
Implement complexity rules for acceptable passwords, e.g., length requirements and a mix of character types, including numbers, special characters, and upper/lower case letters.
Password managers can generate long, unique, complex passwords for you and store them securely in their database. Password managers can help prevent phishing attacks as they detect breaches and can provide notifications when a website or password is compromised.
Password fatigue can cause significant friction for users, which is often where password hygiene and behavior become sloppy. Passwordless authentication methods, such as Windows Hello for Business, one-time passwords sent to a user's device, or security keys, can help preserve the user experience while adhering to the strongest level of security.
Risk-based access draws on behavioral and contextual signals to grant or deny access to resources based on the assessed risk level of a user or specific sign-in attempt.
Conditional access policies are built around if-then rules that trigger automated response. Triggers rely on signals such as user, device, location, or risk level. Based on the access policies you define, the end user will experience a different outcome. That is, your conditions may block access to certain assets for certain groups of users, may require MFA across the board, or place restrictions on a user’s session.
Conditional access automates your dynamic approach to security based on real-time risk, location, device health, or user role. This ensures that users have just enough access to get what they need to do their jobs, but not enough that it places the organization, its infrastructure and its data at risk.
Risk-based and conditional access implementation tips:
Map out your resources and users to determine what needs to be protected and find your vulnerabilities. Having a clear picture of the risk profile of your company’s M365 ecosystem helps you to define, prioritize, and create the conditional access policies that will secure your resilience posture.
There are any number of different risk-based detection events. These can be categorized as sign-in risk and user-based risk. For example, you can block access from high-risk sign-ins using an Entra ID Protection risk score, set compliance conditions for unmanaged devices, implement geo-based controls, block anonymous IP addresses, and enforce app protection for mobile through Intune.
Introduce your conditional access policies after testing them in report-only mode to see the effects of each policy and make corrections before rolling out live.
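Once policies are exported, the baseline above can be checked mechanically. The following is an added example (not code from the article or from CoreView) that lints a set of conditional access policies in the Microsoft Graph conditionalAccessPolicy shape for MFA-for-all, MFA-for-privileged-roles, a legacy-authentication block, and anything left in report-only mode; the three policies are constructed sample data and the role id is a placeholder.

```python
"""Check exported Entra conditional access policies for baseline coverage:
MFA for all users, MFA for privileged roles, legacy auth blocked, and no
policy left in report-only mode.  Input follows the Microsoft Graph
conditionalAccessPolicy resource; the policies below are constructed."""

ENABLED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph's report-only state
# Graph clientAppTypes values that represent legacy (basic) authentication.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}

SAMPLE_POLICIES = [  # constructed sample data, not a real tenant export
    {
        "displayName": "Require MFA for all users",
        "state": ENABLED,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["break-glass@contoso.example"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": REPORT_ONLY,   # tested but never promoted to enforced
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA for admins",
        "state": ENABLED,
        "conditions": {
            "users": {"includeRoles": ["<global-admin-role-template-id>"]},  # placeholder
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))


def _users(policy):
    return policy.get("conditions", {}).get("users", {})


def _client_apps(policy):
    return set(policy.get("conditions", {}).get("clientAppTypes", []))


def covers_all_apps(policy):
    apps = policy.get("conditions", {}).get("applications", {})
    return "All" in apps.get("includeApplications", [])


def requires_mfa_for_all_users(policy):
    return (policy["state"] == ENABLED and "mfa" in _controls(policy)
            and "All" in _users(policy).get("includeUsers", [])
            and covers_all_apps(policy))


def requires_mfa_for_privileged_roles(policy):
    return (policy["state"] == ENABLED and "mfa" in _controls(policy)
            and bool(_users(policy).get("includeRoles")))


def blocks_legacy_auth(policy):
    """Enforced block whose client-app scope covers the legacy protocols."""
    apps = _client_apps(policy)
    return (policy["state"] == ENABLED and "block" in _controls(policy)
            and ("all" in apps or LEGACY_CLIENT_APPS <= apps))


def assess_policies(policies):
    """Return a list of gap descriptions; an empty list means the baseline is met."""
    gaps = []
    if not any(requires_mfa_for_all_users(p) for p in policies):
        gaps.append("no enforced policy requires MFA for all users on all apps")
    if not any(requires_mfa_for_privileged_roles(p) for p in policies):
        gaps.append("no enforced policy requires MFA for privileged roles")
    if not any(blocks_legacy_auth(p) for p in policies):
        gaps.append("legacy authentication is not blocked by an enforced policy")
    for p in policies:
        if p["state"] == REPORT_ONLY:
            gaps.append(f"'{p['displayName']}' is still in report-only mode")
    return gaps


if __name__ == "__main__":
    for gap in assess_policies(SAMPLE_POLICIES) or ["baseline coverage met"]:
        print(gap)
```

Run against the sample set it reports two gaps, both caused by the legacy-auth policy that was never promoted out of report-only mode.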
The 2025 CoreView State of Microsoft 365 Security Report revealed that organizations that deploy PIM solutions experience 64% fewer security incidents while those that fail to manage excessive privilege in the form of admin accounts are 3.8x more likely to experience account compromise incidents.
For these reasons, adopting and enforcing privileged identity management is key to overall security.
Privileged identity management tips:
Global admin accounts open the door to excessive risk and should be assigned sparingly. Existing admin accounts that do not need admin-level permissions should have appropriate limits in place to ensure just enough access.
Enable granular control over administrative tasks, allowing organizations to assign specific roles and permissions to different users or teams based on roles and functions, limiting exposure and following the least privilege principle.
Use workflows to automatically elevate a user’s access to Microsoft roles, like Global Admin or Exchange Admin, for a set period of time.
Access Reviews can help with continuous visibility into your least privilege posture, allowing for regular and automated reviews of privileges.
Human access control is one thing, but don’t forget about apps with read-write access. Application privileges are on the rise, with 51% of organizations in the 2025 Microsoft 365 Security report disclosing more than 250 Entra applications had dangerous read-write permissions. These represent thousands of direct access points into your tenant, which is a massive risk.
Checklist for IAM:
Modern attackers exploit multiple vectors — email, links, malicious files, compromised credentials, and device vulnerabilities. In Microsoft 365, Advanced Threat Protection (ATP) tools such as Microsoft Defender provide layered defense. Microsoft’s threat telemetry processes billions of email messages, logins, and endpoint signals daily. While native ATP tools are powerful, misconfiguration or incomplete deployment leaves exploitable gaps.
This section covers ATP best practices with step-by-step implementation guidance, focusing on detection, prevention, and automated response against advanced threats.
Blocking malicious content in Microsoft 365 is essential to protecting your organization from threats that can compromise sensitive data and disrupt operations. Since M365 is a central hub for email, file sharing, and collaboration, it’s a prime target for cybercriminals. Proactively filtering and blocking harmful content helps prevent attacks before they reach users.
Safe Attachments helps to eliminate email and file threats by blocking or detonating malicious files before they reach users. Defender can ensure that the body of an email is delivered first, and it can replace attachments after scanning them. This can be enabled not just for email but also for SharePoint, OneDrive, and Teams to prevent lateral spread.
Safe Links offers link protection, ensuring that malicious URLs are not weaponized after their initial delivery. Safe Links allows for real-time URL scanning, can be configured to not allow users to click through, and tracks user clicks.
Many ransomware and malware outbreaks start in macro-enabled Office files. To develop defenses against malicious content, implement Attack Surface Reduction (ASR) via Intune to block all Office applications from creating child processes, block macros from the internet, and block high-risk file types like .exe, .scr and .vbs in Exchange transport rules.
Blocking email auto-forwarding to external addresses is central to protecting sensitive company data and preventing data breaches. Exchange Admin lets you disable forwarding activity by default and create transport rules to block forwarding to known risky domains as part of a data exfiltration prevention strategy.
Being able to remove a malicious email even post-delivery (if detected retroactively) is an important aspect of threat removal. Zero-hour Auto Purge (ZAP) is enabled by default in Defender and helps neutralize spam, phishing, and malware.
Threat Explorer enables proactive hunting for malicious activity to identify actions such as clicked malicious links, blocked attachments, or unusual senders to prepare for faster incident response.
Business disruption comes in many forms, including phishing, ransomware, and business email compromise (BEC) campaigns. Implementing anti-phishing policies, domain and user impersonation protection, spoof protection, email authentication, and device threat detection in addition to continuous monitoring can help reduce the likelihood of significant business disruption.
Because email remains one of the biggest security vulnerabilities, employing email authentication adds a needed layer of security. Deploy SPF (Sender Policy Framework) to help prevent email spoofing, DKIM (DomainKeys Identified Mail), which validates mail sent by your organization by associating a domain name with the message, and DMARC (Domain-based Message Authentication, Reporting, and Conformance) to help prevent email spoofing and phishing by verifying the sender’s identity.
Social engineering schemes like phishing are successful because humans are susceptible to the way phishing works. Implementing anti-phishing policies, such as mailbox intelligence and configuring specific impersonation settings and spoof protections, is key to addressing the “human weakest link” and combating these pervasive threats.
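Publishing SPF and DMARC is only half the job; weak records are common. The following is an added example (not from the article or CoreView) that lints SPF and DMARC TXT records for the settings that leave spoofing possible: a permissive or missing `all` term, too many DNS-querying terms, `p=none`, a missing `rua`, or a partial `pct`. The records are constructed samples; `spf.protection.outlook.com` is the standard Microsoft 365 SPF include.

```python
"""Lint SPF and DMARC TXT records for weak settings.  Records here are
constructed samples; in practice you would read them from DNS."""

SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")
SPF_LOOKUP_LIMIT = 10   # RFC 7208 caps DNS-querying terms at 10


def lint_spf(record):
    """Return a list of findings for an SPF TXT record (empty = looks sound)."""
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    lookups = 0
    all_term = None
    for term in terms[1:]:
        # Strip qualifier and argument: "include:x" -> "include", "-all" -> "all"
        body = term.split("=", 1)[0].split(":", 1)[0].lstrip("+-~?").lower()
        if body in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        if body == "all":
            all_term = term.lower()
    if all_term is None:
        findings.append("no 'all' term: unlisted senders are neutral, add '-all' or '~all'")
    elif all_term in ("+all", "all"):
        findings.append("'+all' authorises every sender on the internet")
    elif all_term == "?all":
        findings.append("'?all' is neutral and gives receivers no signal")
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of "
                        f"{SPF_LOOKUP_LIMIT} (receivers return permerror)")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record):
    """Return findings for a DMARC TXT record (empty = enforcing with reporting)."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua' address: you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    return findings


if __name__ == "__main__":
    for rec in ("v=spf1 include:spf.protection.outlook.com -all",
                "v=spf1 include:spf.protection.outlook.com +all"):
        print(rec, "->", lint_spf(rec) or ["ok"])
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@contoso.example",
                "v=DMARC1; p=none; pct=50"):
        print(rec, "->", lint_dmarc(rec) or ["ok"])
```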
Domain and user impersonation protection prevents BEC by blocking lookalike domains and user names as part of anti-phishing policies.
Unsecured devices also pose threats, making Defender critical for detecting and responding to endpoint threats. Onboard devices with Intune and implement tamper protection and automated investigation and remediation.
Early detection of suspicious patterns allows for faster incident response. Some suspicious patterns might be unusual inbox forwarding rules, sudden inbox rule changes, excessive failed login attempts, or impossible travel logins.
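The patterns above can be flagged directly from exported logs. The following is an added example (not from the article or CoreView) that detects impossible-travel sign-ins, bursts of failed sign-ins, and new inbox rules forwarding outside the organization. Sign-in records follow the Entra sign-in log (Graph signIn) shape, audit records follow Exchange entries in the Unified Audit Log, and all records, domains and thresholds are constructed assumptions.

```python
"""Detect suspicious patterns over constructed sample records: impossible
travel, excessive failed sign-ins, and inbox rules forwarding externally."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

INTERNAL_DOMAINS = {"contoso.example"}   # assumption: your own mail domains
FAILED_THRESHOLD = 5                      # failures within the window to alert
FAILED_WINDOW = timedelta(minutes=10)
MAX_SPEED_KMH = 900                       # faster than an airliner = impossible

SIGN_INS = [  # constructed; errorCode 0 = success, 50126 = wrong password
    {"createdDateTime": "2025-06-01T08:00:00Z", "userPrincipalName": "alice@contoso.example",
     "status": {"errorCode": 0},
     "location": {"city": "London", "geoCoordinates": {"latitude": 51.5, "longitude": -0.12}}},
    {"createdDateTime": "2025-06-01T09:30:00Z", "userPrincipalName": "alice@contoso.example",
     "status": {"errorCode": 0},
     "location": {"city": "Sydney", "geoCoordinates": {"latitude": -33.87, "longitude": 151.21}}},
] + [
    {"createdDateTime": f"2025-06-01T10:0{i}:00Z", "userPrincipalName": "bob@contoso.example",
     "status": {"errorCode": 50126},
     "location": {"city": "Unknown", "geoCoordinates": {"latitude": 0.0, "longitude": 0.0}}}
    for i in range(6)
]

AUDIT = [  # constructed Unified Audit Log records (Exchange inbox rules)
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "mailbox@outside.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "ap@contoso.example"}]},
]


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def impossible_travel(sign_ins):
    """Users whose consecutive successful sign-ins imply an impossible speed."""
    per_user = defaultdict(list)
    for r in sorted(sign_ins, key=_ts):
        if r["status"]["errorCode"] == 0:
            per_user[r["userPrincipalName"]].append(r)
    hits = []
    for user, recs in per_user.items():
        for prev, cur in zip(recs, recs[1:]):
            g1, g2 = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
            km = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
            hours = max((_ts(cur) - _ts(prev)).total_seconds() / 3600, 1e-6)
            if km / hours > MAX_SPEED_KMH:
                hits.append((user, prev["location"]["city"], cur["location"]["city"]))
    return hits


def excessive_failures(sign_ins):
    """Users with FAILED_THRESHOLD or more failed sign-ins inside FAILED_WINDOW."""
    failures = defaultdict(list)
    for r in sorted(sign_ins, key=_ts):
        if r["status"]["errorCode"] != 0:
            failures[r["userPrincipalName"]].append(_ts(r))
    flagged = set()
    for user, times in failures.items():
        for i in range(len(times) - FAILED_THRESHOLD + 1):   # sliding window
            if times[i + FAILED_THRESHOLD - 1] - times[i] <= FAILED_WINDOW:
                flagged.add(user)
                break
    return sorted(flagged)


def external_forwarding_rules(audit):
    """Inbox rules created or changed to forward mail outside INTERNAL_DOMAINS."""
    hits = []
    for rec in audit:
        if rec["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in rec["Parameters"]}
        target = (params.get("ForwardTo") or params.get("ForwardAsAttachmentTo")
                  or params.get("RedirectTo"))
        if target and target.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            hits.append((rec["UserId"], target))
    return hits
```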
Checklist for ATP:
While identity holds the key to Microsoft 365’s front door, the data and configurations just beyond that door make up the bulk of your business value and your ability to operate. Protecting and backing up information, data and configurations should be a priority. M365 holds your organization’s most sensitive content. This includes intellectual property, regulated data, executive and strategic communications – and more.
Even if identity credentials are stolen, strong data governance ensures sensitive content is classified, protected, monitored, and, when necessary, automatically disposed of according to policy. And backing up tenant configurations, which is not natively supported in Microsoft 365, is critical to ensuring that your vigilance in protecting your critical data is not for nothing.
Without appropriate governance, you fail to control and oversee your security posture and cannot demonstrate your good-faith efforts to secure cyber resilience.
An organization requires a shared, consistent set of definitions for levels of sensitivity as a part of building its security posture. Data classification taxonomies and sensitivity labels are a precursor for being able to set up adequate protection for sensitive data.
Work with compliance, legal and business stakeholders to define data classification tiers, e.g., public, internal, confidential, highly confidential. Map these tiers to Microsoft Purview sensitivity labels and document the rules in your security governance policy. Make sure to limit the tiers to the most important ones to avoid making the classification too complex.
Sensitivity Labels are attached to the data as it moves, which will enforce access controls across devices, locations, and applications no matter where the data moves. Sensitivity Labels can be created in Microsoft Purview, and you should also configure encryption to restrict access to specific users or groups and block external access. You can also use content marking to add headers and footers to make status visible, e.g., “Confidential”.
Having the flexibility to share externally is one of the key benefits of M365, but controlling accidental oversharing is key to preserving your security posture. Require that “specific people” be identified when sharing links, rather than permitting the “Anyone with the link” option.
Once you have set some clear guidelines for sensitivity levels and labeling, you can create auto-labeling policies to remove the manual labor and potential for error that comes with human labeling. Purview allows you to create auto-labeling policies that use built-in sensitive information types and apply them to Exchange, SharePoint, OneDrive, Teams, etc.
Automatically block certain file types, such as .xlsm or .docm, from being opened from untrusted locations.
Humans remain responsible for at least 95% of data breaches. Protecting data with a clear data loss prevention (DLP) strategy can lift some of this responsibility off the shoulders of humans by codifying and automating the implementation of policies that help prevent the loss or leakage of sensitive data and manage the life cycle of this data.
It is also important to understand that backing up tenant configurations is as important to your security and business continuity as backing up the rest of your critical data. CoreView’s recent State of M365 Security indicates that most organizations (almost 100%) regularly back up data, but half of all organizations have no idea that Microsoft does not back up their tenant configurations – and only 18% report manually backing up configurations themselves.
This is a massive security gap. After all, if your M365 tenant configurations were compromised (which is a growing problem), how would you restore them if you don’t have them backed up… and don’t even know that you don’t?
Checklist for information protection and governance:
Even with strong identity controls and data governance best practices, unsecured devices remain a security risk. Compromised or non-compliant endpoints can be exploited to bypass identity protections and exfiltrate sensitive data.
Hybrid work has increased the use of personal (BYOD) devices, and these endpoints can be compromised as entry points for ransomware and phishing campaigns, which can lead directly to data leakage and lateral movement in cloud services.
Beyond the risk, compliance frameworks like NIST 800-53, CIS Controls, and ISO 27001 require device posture enforcement. Mobile application management (MAM) and Mobile Device Management (MDM) policies help to drive consistency in how data is accessed on mobile devices.
Only managed devices can be monitored, patched, and controlled. Make sure that your organization’s devices do not become its biggest weakness.
Checklist for device management:
In Microsoft 365, day-to-day work relies on productivity apps and collaboration tools (Teams, SharePoint, OneDrive, Exchange, Office apps). These applications and tools are prime targets for attackers — from consent phishing and malicious add-ins to oversharing of sensitive files.
Hardening these applications reduces the attack surface and ensures collaboration does not compromise security.
Attackers exploit collaboration features like file sharing and external access. Add in the commonness of user error with accidental oversharing and trusting malicious apps, and you have a recipe for disaster. Governing how your organization and its people are able to share and collaborate adds a necessary layer of security.
Not only are content and data central to your organization’s ability to operate, but compliance requirements also often demand that you have complete control over where and how sensitive data is accessed and stored.
Weak application security undermines otherwise strong identity and device controls.
Checklist for application and collaboration hardening:
In Microsoft 365, real-time monitoring and rapid incident response are essential to detect, contain, and recover from threats before they escalate into major breaches. Even with best-practice security configurations, visibility and quick action make the difference in the speed with which you can mitigate issues.
Microsoft 365 provides native logging, alerting, and analytics tools, including Unified Audit Logs (UAL), Microsoft Defender for Office 365, Microsoft Sentinel, and Microsoft Purview monitoring capabilities.
Checklist for monitoring and response:
Strong security in Microsoft 365 is not a “set-and-forget” initiative. It requires ongoing operational discipline, continuous improvement, and measurable governance.
System security management is complex – security baselines drift over time without active management. Microsoft regularly updates capabilities (meaning that best practices evolve). Attackers exploit unpatched systems, misconfigured policies and unused features.
Active security management and M365 security best practices demand that you be vigilant to keep your M365 environment resilient against evolving threats through regular assessments, proactive maintenance, and policy enforcement.
Microsoft Secure Score tracking provides a quantified view of your M365 security posture, benchmarking it against others in the same industry. It also provides recommended actions to improve your score. Implementation is just the first step – you will want to review your score monthly and track score changes over time to measure progress.
Aligning your M365 security with industry-standard frameworks and regulations can ensure best practices as well as compliance. Create a control mapping document linking Secure Score recommendations, conditional access policies, DLP, encryption, and identity protections to NIST CSF, CIS v8, and ISO 27001 guidelines.
Simulate phishing actions within your organization to keep user behavior top of mind and drive security awareness organization-wide. Vary the scenarios to make them less predictable, including credential harvesting, malware attachment, and drive-by URL attacks. Provide targeted remediation for those who clicked on problematic simulations.
Keep organization leadership informed and accountable by providing monthly executive security reports, which Microsoft tools can provide.
Manually trying to detect all the issues that exist in your M365 ecosystem would be impossible, so you can schedule automated reviews and audits to detect dormant accounts, excessive privileges and configuration drift.
Using Microsoft’s Zero Trust Assessment Tool, you can make sure M365 aligns with the three pillars of the Zero Trust model: verify explicitly, use least privilege, and assume breach.
By implementing and enforcing security baselines, you can prevent misconfigurations and drift from secure defaults.
Uncontrolled and unmonitored changes create vulnerabilities. Require change tickets for conditional access modifications, role assignments, and DLP or label policy changes. An M365 Change Log can keep track of these changes for audit purposes.
Ensure that outdated software isn’t opening the door to an M365 attack. Use Windows Update for Business with Intune to deploy updates automatically and enforce deadlines for installation.
In the event of needing to recover all of your data or configurations, you need to make sure you have validated full backups for both data and tenant configurations to restore properly. Test restoration procedures regularly for an extra layer of safety.
Checklist for system security and operations:
This master checklist consolidates all security domains — from identity to monitoring — into a single, comprehensive governance tool. A checklist is a living document for evaluating your control over Microsoft 365 security, and as such, should be actively consulted and used to maintain best practices.
Many built-in Microsoft features are only available with specific license types. It is important you look into your license type to determine what you can implement directly from Microsoft and what you will either need to upgrade to access or find a third-party solution to cover.
Microsoft 365 security capabilities evolve rapidly. What was a best practice five years ago – or even a year ago – may now be obsolete or even a security risk if still in use. Update or avoid the following practices as part of your review and adoption of current M365 security best practices.
Blocking basic authentication only for high-risk accounts or certain protocols is outdated advice. Basic Auth is deprecated and will be removed permanently across Microsoft 365. Leaving it enabled leaves a huge attack surface wide open.
Modern best practice is to block all basic authentication across the organization via conditional access. The only exceptions should be for specific service accounts, which should also be migrated to modern auth as soon as possible.
Security is an ongoing effort and turning on “Security Defaults” is just step one of a more advanced security approach. Security Defaults do not provide granular access control that enterprises need.
Modern best practice is to use custom conditional access policies tailored to your risk profile, maintaining a policy library for different user groups, e.g., executives, privileged roles, etc.
Modern best practice recommends using Microsoft Defender and its anti-phishing policies with impersonation detection, mailbox intelligence, and domain similarity detection.
Leaving minimal device policies in place, only requiring device passcodes or PINs as a security control, is not secure enough, as this ignores encryption, OS compliance and device health.
Adopt Intune compliance policies that require encryption and patch compliance and enforce with conditional access.
Surprisingly, many organizations still rely on exporting reports manually from M365 for audit purposes. This is labor-intensive, potentially incomplete, and prone to human error.
Automate reporting to provide continuous clarity and visibility.
Microsoft 365 security and compliance portals provide insight into incidents but can be augmented with third-party tools to help centralize incident response, improve visibility and achieve compliance.
Integrating M365 logs with Microsoft Sentinel or another SIEM for unified monitoring will bring alerts up to modern security standards.
A secure Microsoft 365 environment requires more than point-in-time configuration — it demands continuous monitoring, automation, policy enforcement, and operational efficiency.
While Microsoft’s native security stack is powerful, it’s not designed to solve every visibility, automation, and multi-tenant management challenge.
This is where CoreView can fill the gaps — centralizing visibility, automating security tasks, managing multiple tenants, and enforcing governance at scale.
Instead of pivoting between Microsoft 365 Defender, Entra ID, Purview, and Compliance Center, CoreView consolidates critical signals into a single-pane dashboard for faster threat detection and easier reporting. For example, a single view of MFA adoption, privileged role assignments, guest user activity and license usage is possible.
CoreView provides cross-tenant visibility and control — something Microsoft does not offer natively. Multi-tenant environments are notoriously complex, and almost impossible to manage with native Microsoft tooling. CoreView enables the application of consistent policies, threat monitoring and reporting across tenant environments, relieving organizations of the classic security versus productivity tradeoff.
CoreView’s Virtual Tenants allow the delegation of security administration based on business unit, geography, or function without granting excessive privilege – just the right amount of access for what a specific user or group needs. This granularity reduces risk by enforcing true least privilege access.
CoreView automates repetitive tasks that otherwise require manual PowerShell scripting or E5 automation licenses, including privilege change alerts and remediation, inactive user cleanup, license compliance monitoring, guest user lifecycle management, and more. Automation reduces operational overhead and human error.
CoreView’s governance engine helps organizations enforce security policies continuously, not just during audits. This keeps security on track all the time, preventing baseline drifts and ensuring Zero Trust alignment.
By integrating with Microsoft’s security signals and providing real-time alerting with contextual insights, CoreView helps contain threats faster.
CoreView makes it easy to turn security posture into actionable intelligence for automated reporting.
By pairing Microsoft’s native defenses with CoreView’s cyber resilience and tenant security solutions, organizations can:
Think of Microsoft 365 as your security engine, and CoreView as the control plane that lets organizations keep that engine running optimally, filling in the gaps and shortcomings of native Microsoft 365 tooling.