Microsoft 365 Security Checklist
M365's default settings are not secure. This checklist covers the configurations that matter most — and the data that explains why.
Why M365 default settings aren't enough
What Microsoft ships enabled by default
Microsoft 365's out-of-the-box configuration prioritizes usability and backward compatibility over security. Basic authentication (legacy protocols) may be enabled, MFA is not enforced, Conditional Access policies don't exist, anti-phishing settings are minimal, and external sharing controls for SharePoint and OneDrive are permissive. New tenants that haven't been actively hardened are meaningfully less secure than properly configured ones.
Microsoft has improved Security Defaults — a baseline MFA and legacy auth blocking policy — and has enabled it for new tenants since 2019. However, Security Defaults is a blunt instrument. Properly hardened M365 requires Conditional Access policies, Defender for Office 365 configuration, and tenant-level settings that Security Defaults doesn't touch.
The legacy authentication problem
Microsoft's own security data shows that legacy authentication protocols — IMAP, POP3, Basic Auth SMTP — are used in the vast majority of password spray attacks. These protocols can't use MFA, so even a tenant with MFA enabled is vulnerable if legacy auth is still permitted. CISA included blocking legacy authentication as one of its top required security controls for federal agencies for this reason.
Microsoft deprecated Basic Auth for Exchange Online in October 2022, but tenants that requested exceptions or use hybrid configurations may still have legacy auth pathways open. Conditional Access policies should explicitly block legacy authentication for all users.
The Microsoft 365 security checklist
Organized by category. Items in bold have the highest individual impact on security posture.
Identity & Authentication
- Enable MFA for all users — not just administrators; use Authenticator app, not SMS where possible
- Block legacy authentication via Conditional Access policy for all users
- Create dedicated admin accounts — Global Admins should not use their admin account for daily email and work
- Limit Global Admin role to 2–4 named accounts maximum; use least-privilege roles for all others
- Enable Self-Service Password Reset (SSPR) to reduce helpdesk load and lockout risk
- Configure Conditional Access: require MFA for all cloud apps from all locations
- Configure Conditional Access: block sign-ins from high-risk countries if none of your users are there
- Enable Identity Protection and configure risk-based Conditional Access if licensed
- Review guest and external accounts quarterly; remove unused access
Admin & Privileged Access
- Enable Privileged Identity Management (PIM) for Just-In-Time admin access — requires P2 license
- Create two break-glass emergency access accounts with strong passwords stored offline
- Configure activity alerts for Global Admin sign-ins from new locations
- Never use service accounts with interactive sign-in enabled unless required
Email & Phishing Protection
- Configure anti-phishing policy with impersonation protection for key executives and your own domain
- Enable Safe Links to rewrite and scan all URLs in email and Office documents
- Enable Safe Attachments with Dynamic Delivery to detonate suspicious attachments in sandbox
- Enable DKIM signing for all sending domains — prevents spoofing of your own domain
- Publish DMARC record at minimum p=quarantine; advance to p=reject once DKIM is stable
- Verify SPF record is published and includes all sending sources (M365, marketing tools, etc.)
- Configure mail flow rule to display external sender warning banner on all inbound email
- Block high-risk file extensions (.exe, .vbs, .js, .bat) via mail flow rules or Safe Attachments
- Enable outbound spam filtering to catch compromised accounts sending spam
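As an added example (not part of the original checklist), a small Python checker that evaluates SPF and DMARC TXT records against the thresholds in the DKIM/DMARC/SPF items above: DMARC at least p=quarantine, and SPF covering every sending source without a permissive "all". The records are constructed samples and REQUIRED_SPF_SOURCES is a placeholder for your own sending sources.

```python
# Checklist thresholds: DMARC at least p=quarantine (ideally p=reject); SPF must
# include every sending source. Required sources below are a placeholder: list your own.
REQUIRED_SPF_SOURCES = {"spf.protection.outlook.com"}   # M365 outbound; add marketing tools
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=none' into tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record: str) -> list:
    """Findings for a DMARC record against the checklist minimum of p=quarantine."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed (no v=DMARC1)"]
    findings = []
    policy = tags.get("p", "none").lower()
    if POLICY_RANK.get(policy, -1) < POLICY_RANK["quarantine"]:
        findings.append(f"DMARC policy is p={policy}; checklist minimum is p=quarantine")
    elif policy == "quarantine":
        findings.append("DMARC at p=quarantine; advance to p=reject once DKIM is stable")
    if "rua" not in tags:
        findings.append("No rua= aggregate report address; spoofing of the domain goes unseen")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail stream")
    return findings

def check_spf(record: str, required_sources: set) -> list:
    """Findings for an SPF record: required includes present, no permissive 'all' qualifier."""
    if not record.lower().startswith("v=spf1"):
        return ["SPF record missing or malformed (no v=spf1)"]
    terms = record.split()
    includes = {t.split(":", 1)[1].lower() for t in terms if t.lower().startswith("include:")}
    findings = [f"SPF does not include sending source {s}" for s in sorted(required_sources - includes)]
    # '+all', bare 'all' and '?all' let any host pass; only '-all' (or '~all') enforces the list.
    if terms[-1].lower() in ("+all", "all", "?all"):
        findings.append(f"SPF ends in {terms[-1]}: any sender passes, record offers no protection")
    return findings

if __name__ == "__main__":
    # Constructed sample records for an un-hardened tenant (not real DNS data).
    weak_dmarc = "v=DMARC1; p=none; pct=100"
    weak_spf = "v=spf1 include:spf.protection.outlook.com +all"
    for finding in check_dmarc(weak_dmarc) + check_spf(weak_spf, REQUIRED_SPF_SOURCES):
        print("FINDING:", finding)
```

Feed it the TXT records you pull from DNS for `_dmarc.yourdomain` and the apex to get the gap list for the three records at once.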
Data & Monitoring
- Enable Unified Audit Log — off by default on some plan types; required for any security investigation
- Review SharePoint external sharing settings — default allows sharing with anyone via link
- Configure alert policies for suspicious activity: impossible travel, mass file download, forwarding rules created
- Check Microsoft Secure Score baseline — aim to address all items scored High impact
- Review and disable auto-forwarding rules in Exchange Online admin center
- Configure retention policies for email and Teams data matching your compliance requirements
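As an added example (not from the original page), Python detection logic for the "forwarding rules created" alert and the auto-forwarding review item above: it scans Unified Audit Log records exported as JSON lines for Exchange operations that forward mail outside your own domains, and raises severity when the same rule also deletes or hides the message. The records are constructed samples; contoso.example stands in for your tenant domain.

```python
import json
import re
# Exchange operations and parameters in the Unified Audit Log that create a forwarding path.
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def external_forwarding_targets(record: dict, internal_domains: set) -> list:
    """Return the external addresses one audit record forwards mail to (empty if none)."""
    if record.get("Operation") not in FORWARDING_OPS:
        return []
    targets = []
    for param in record.get("Parameters", []):
        if param.get("Name") in FORWARDING_PARAMS:
            # Values may be plain, 'smtp:' prefixed, or display form '"Bob" [SMTP:bob@x.example]'.
            for addr in EMAIL_RE.findall(str(param.get("Value", ""))):
                if addr.split("@")[1].lower() not in internal_domains:
                    targets.append(addr.lower())
    return targets

def scan_audit_log(lines, internal_domains: set) -> list:
    """Scan audit-log records exported as JSON lines; one finding per external forwarding event."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        targets = external_forwarding_targets(rec, internal_domains)
        if not targets:
            continue
        params = {p.get("Name") for p in rec.get("Parameters", [])}
        # A rule that forwards and also deletes or hides the message is the classic BEC pattern.
        severity = "high" if params & {"DeleteMessage", "MarkAsRead", "MoveToFolder"} else "medium"
        findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                         "operation": rec["Operation"], "targets": targets, "severity": severity})
    return findings

# Constructed sample export (not real tenant data): one benign rule, two external forwards.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"CreationTime": "2023-06-01T08:01:00", "Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Invoices"}, {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"CreationTime": "2023-06-01T08:02:00", "Operation": "New-InboxRule", "UserId": "bob@contoso.example",
     "Parameters": [{"Name": "ForwardTo", "Value": '"x" [SMTP:x@mail.example]'},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2023-06-01T08:03:00", "Operation": "Set-Mailbox", "UserId": "carol@contoso.example",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:carol@personal-mail.example"}]},
]]

if __name__ == "__main__":
    print(*scan_audit_log(SAMPLE_LOG, {"contoso.example"}), sep="\n")
```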
Microsoft provides a free Secure Score in the Microsoft 365 Defender portal — a 0–100 measure of your tenant's security configuration against Microsoft's recommended controls. Most un-hardened tenants score below 30%. Addressing all High-impact items typically raises the score to 50–65% and closes the most exploited attack paths. It's a useful baseline tool even if you're not using it to track every point.
Sources
- Microsoft Security, "One simple action you can take to prevent 99.9% of account attacks," 2023
- Microsoft Entra ID Protection, Monthly Compromise Statistics, 2023
- Proofpoint, State of the Phish Report, 2023
- Abnormal Security, Email Security Threat Report, 2023
- CISA, Cross-Sector Cybersecurity Performance Goals, 2022
- Microsoft, Exchange Online Basic Auth deprecation documentation, 2022
- FBI Internet Crime Complaint Center (IC3), 2023 Annual Report
Find out where your Microsoft 365 tenant stands.
Book a free assessment — we'll review your M365 configuration against this checklist and show you what needs to change.