- The default configuration of a Microsoft 365 tenant is designed for usability, not security. Without targeted hardening, critical attack vectors remain open.
- MFA for all users, Conditional Access and blocking legacy authentication are the three measures that deliver the greatest security gain with the least effort.
- Exchange Online Protection with anti-phishing, Safe Links and Safe Attachments protects against the most common attack vectors: phishing emails and malicious attachments.
- Data Loss Prevention (DLP), sensitivity labels and retention policies protect data from unintended leakage while simultaneously meeting compliance requirements.
- Each of these 15 settings can be documented as a TOM in the ISMS and mapped to the corresponding ISO 27001 control.
Why the Default Configuration Is Not Enough
Microsoft 365 is part of daily operations in nearly every mid-market company. Email runs on Exchange Online, files reside in SharePoint and OneDrive, Teams is the central communication platform. What many IT managers underestimate: a freshly provisioned M365 tenant is configured for maximum usability, not maximum security. External sharing is enabled by default, legacy authentication works, and the audit log may not even be activated depending on the license.
The result: most work with sensitive company data takes place in an environment whose security settings were never consciously chosen. And that is exactly where this article comes in. The following 15 settings cover the most important attack vectors and can in most cases be implemented within a few days. These are not exotic enterprise features but measures available with Business Premium or E3 licenses that can realistically be operated in companies with 50 to 500 employees.
Each setting described can be documented as a technical and organizational measure (TOM) in your ISMS. With each item you will find the reference to the relevant ISO 27001 controls, so you can establish the link to the standard directly.
1. Enforce Multi-Factor Authentication for All Users
MFA is the single measure with the greatest security impact. Microsoft itself estimates that MFA reduces account compromises by over 99 percent. Yet there are still companies that have MFA enabled only for administrators or rely on Security Defaults, which offer only a limited MFA variant.
The right approach uses Conditional Access policies, not the per-user MFA setting that Microsoft continues to offer for compatibility reasons. A Conditional Access policy for MFA gives you control over when MFA is triggered: at every login, only for risky sign-ins, only from certain locations, or only on unmanaged devices.
Recommended configuration:
- Conditional Access policy enforcing MFA for all users on all cloud apps
- Exception for emergency access accounts (break glass accounts) protected by other mechanisms
- Preferred MFA method: Microsoft Authenticator app with number matching (no SMS)
- Registration campaign with combined security info registration portal
ISO 27001 reference: A.8.5 (Secure Authentication), A.5.17 (Authentication Information)
2. Block Legacy Authentication
Legacy authentication refers to protocols like POP3, IMAP, SMTP AUTH and older Office versions that do not support MFA. As long as these protocols are active, an attacker with stolen credentials can bypass MFA entirely. Microsoft has since disabled basic authentication for most protocols, but there are exceptions and transition periods you must actively manage.
Recommended configuration:
- Conditional Access policy blocking legacy authentication for all users
- First: analyze sign-in logs for active legacy auth usage (Entra ID > Sign-in Logs > Filter: Client App = Other clients)
- Migrate remaining applications to Modern Authentication (OAuth 2.0)
- Multi-function printers and scanners are often the last legacy auth users and need SMTP AUTH with a dedicated service account
ISO 27001 reference: A.8.5 (Secure Authentication), A.8.9 (Configuration Management)
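As an added example for items 1 and 2 (not from the article), the following Microsoft Graph PowerShell script first lists who still signs in with legacy protocols and then creates both Conditional Access policies in report-only mode. The break glass object ID, the policy names and the 30-day window are placeholders and assumptions; `Install-Module Microsoft.Graph` is required.

```powershell
# Added example: audit legacy-auth sign-ins, then create the MFA and legacy-auth
# Conditional Access policies in report-only mode (Microsoft.Graph PowerShell).
Connect-MgGraph -Scopes "AuditLog.Read.All", "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Step 1: who still authenticates with protocols that cannot do MFA? (last 30 days, successful only)
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacyApps = @("Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
                "Exchange Web Services", "Offline Address Book", "Other clients")

Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.Status.ErrorCode -eq 0 -and $legacyApps -contains $_.ClientAppUsed } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Step 2: policies. Placeholder object ID of the break glass account (replace before use).
$breakGlassIds = @("00000000-0000-0000-0000-000000000000")

$mfaPolicy = @{
    displayName = "CA001 - Require MFA for all users"
    # report-only until the registration campaign is done, then switch to "enabled"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

$legacyPolicy = @{
    displayName = "CA002 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        # "exchangeActiveSync" and "other" are the legacy client app types
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy
```

Run step 1 first and migrate every account it lists; the report-only policies then show in the sign-in logs which sign-ins would have been affected, and only after that report is empty do you set `state` to `enabled`.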
3. Set Up Conditional Access Policies
Conditional Access is the central control instrument for access to M365 resources. It allows you to define granular policies that grant or deny access based on user identity, device state, location, risk level and app type.
A baseline set of Conditional Access policies should exist in every tenant. The details can be found in the separate article on Conditional Access. Here, just the core policies:
Recommended baseline policies:
- MFA for all users on all cloud apps
- Block legacy authentication
- MFA for all administrative roles (separate, with break glass exception)
- Device compliance required for access to corporate data
- Block sign-ins from countries where the company is not active
- Risk-based policies (sign-in risk, user risk) with P2 license
ISO 27001 reference: A.8.2 (Privileged Access Rights), A.8.1 (User Endpoint Devices), A.5.15 (Access Control)
4. Configure Anti-Phishing Policies
Phishing remains the most common initial attack vector. Exchange Online Protection (EOP) provides baseline protection, but the advanced anti-phishing policies in Microsoft Defender for Office 365 go significantly further. They detect impersonation attempts where an attacker poses as an internal employee or a known external contact.
Recommended configuration:
- Enable impersonation protection for executive management and finance department (protection against CEO fraud)
- Enable mailbox intelligence so the system learns each user's typical communication patterns
- Enable first contact safety tip (warns on emails from first-time senders)
- Configure and regularly review spoof intelligence
- Quarantine rather than junk folder delivery for detected phishing
ISO 27001 reference: A.8.23 (Web Filtering), A.5.14 (Information Transfer)
5. Activate Safe Links and Safe Attachments
Safe Links scans URLs in emails and Office documents at the time of click and blocks access if the URL has been classified as malicious in the meantime. This is a crucial difference from pure URL scanning at receipt: many phishing URLs are activated only hours after the email is sent to evade the initial scan.
Safe Attachments opens suspicious attachments in a sandbox environment (detonation chamber) and analyzes behavior. Only when the attachment is classified as safe is it delivered to the recipient. This causes a brief delivery delay but protects against zero-day malware not yet detected by signature-based scanners.
Recommended configuration:
- Safe Links: enable for all users, enable URL rewriting, including for internal emails
- Safe Links: also enable in Teams messages and Office documents
- Safe Attachments: use dynamic delivery (message is delivered immediately, attachment is delivered after scan)
- Safe Attachments: also enable for SharePoint, OneDrive and Teams
- No exceptions for "trusted" domains (attackers compromise partners too)
ISO 27001 reference: A.8.7 (Protection Against Malware), A.5.14 (Information Transfer)
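As an added example for items 4 and 5 (not from the article), the following Exchange Online PowerShell script creates the anti-phishing, Safe Links and Safe Attachments policies with the settings listed above. The domain, the protected users and the policy names are placeholders; the `ExchangeOnlineManagement` module and a Defender for Office 365 Plan 1 license are assumed.

```powershell
# Added example: Defender for Office 365 policies for anti-phishing, Safe Links and Safe Attachments.
Connect-ExchangeOnline

$domain = "contoso.example"   # placeholder tenant domain
# Executives whose display name or address may be imitated (format "DisplayName;address")
$protectedUsers = @("Jane Doe;jane.doe@$domain", "John Roe;john.roe@$domain")

# Anti-phishing: impersonation protection, mailbox intelligence, first contact tip, spoof intelligence
New-AntiPhishPolicy -Name "Standard anti-phishing" `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableFirstContactSafetyTips $true `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 2
New-AntiPhishRule -Name "Standard anti-phishing" -AntiPhishPolicy "Standard anti-phishing" `
    -RecipientDomainIs $domain

# Safe Links: rewrite and scan at click time, also for internal mail, Teams and Office
New-SafeLinksPolicy -Name "Standard Safe Links" `
    -EnableSafeLinksForEmail $true -EnableForInternalSenders $true `
    -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "Standard Safe Links" -SafeLinksPolicy "Standard Safe Links" `
    -RecipientDomainIs $domain

# Safe Attachments: dynamic delivery (body now, attachment after detonation)
New-SafeAttachmentPolicy -Name "Standard Safe Attachments" -Enable $true `
    -Action DynamicDelivery -Redirect $false
New-SafeAttachmentRule -Name "Standard Safe Attachments" `
    -SafeAttachmentPolicy "Standard Safe Attachments" -RecipientDomainIs $domain

# Tenant-wide switch: Safe Attachments for SharePoint, OneDrive and Teams
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
```

No `DoNotRewriteUrls` list is set on purpose, matching the "no exceptions for trusted domains" advice above; review the quarantine weekly so false positives from the aggressive `PhishThresholdLevel` are caught.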
6. Set Up Data Loss Prevention (DLP)
DLP policies prevent sensitive data from being unintentionally sent via email, externally shared in SharePoint, or shared in Teams chats. Microsoft 365 includes pre-built DLP templates that detect common patterns: credit card numbers, national ID numbers, IBAN numbers, health data and more.
It is enough to start with one or two policies and gradually expand the scope. Begin in test mode (policy tips without blocking) so you can assess the false-positive rate before activating enforcement.
Recommended configuration:
- DLP policy for personal data (national ID numbers, tax IDs) in email and SharePoint
- DLP policy for financial data (IBAN, credit card numbers)
- Initially in test mode with policy tips (users are warned but can still share)
- After evaluation phase: block at high confidence, warn at low confidence
- Regular evaluation of DLP reports in the Compliance Center
ISO 27001 reference: A.5.12 (Information Classification), A.5.14 (Information Transfer), A.8.12 (Data Leakage Prevention)
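As an added example for item 6 (not from the article), the following Security & Compliance PowerShell script creates the financial-data DLP policy in test mode with two rules: warn with override at low match counts, block at high match counts. Policy names, the match thresholds and the policy tip text are assumptions; the sensitive information type names are Microsoft's built-in ones.

```powershell
# Added example: DLP policy for financial data, test mode first, enforcement later.
Connect-IPPSSession   # Security & Compliance endpoint of the ExchangeOnlineManagement module

New-DlpCompliancePolicy -Name "Financial data" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications `
    -Comment "Phase 1: policy tips only, evaluate false positives before enforcing"

# Rule 1: a few matches shared externally -> warn, user may override with justification
New-DlpComplianceRule -Name "Financial data - warn" -Policy "Financial data" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number"; minCount = "1"; maxCount = "4" },
        @{ Name = "International Banking Account Number (IBAN)"; minCount = "1"; maxCount = "4" }) `
    -AccessScope NotInOrganization `
    -NotifyUser Owner -NotifyAllowOverride WithJustification `
    -NotifyPolicyTipCustomText "This item appears to contain financial data. Please check before sharing it externally."

# Rule 2: bulk matches shared externally -> block (takes effect once Mode is Enable)
New-DlpComplianceRule -Name "Financial data - block" -Policy "Financial data" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number"; minCount = "5" },
        @{ Name = "International Banking Account Number (IBAN)"; minCount = "5" }) `
    -AccessScope NotInOrganization `
    -NotifyUser Owner `
    -BlockAccess $true -BlockAccessScope All `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All

# After the evaluation phase (review the DLP reports first):
# Set-DlpCompliancePolicy -Identity "Financial data" -Mode Enable
```

Because the policy runs in `TestWithNotifications`, the block rule only records what it would have blocked; the DLP reports in the Compliance Center then give you the false-positive rate the text asks you to assess before switching to `Enable`.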
7. Activate and Monitor the Unified Audit Log
The unified audit log records user and administrator activities across all M365 services: sign-ins, file access, sharing changes, mailbox access, admin configuration changes and much more. It is the most important data source for investigating security incidents and simultaneously a compliance requirement.
In some tenants, the audit log is enabled by default; in others, it is not. Check the status in the Microsoft Purview Compliance Center under Audit. If it is not active, activation takes only one click — but recording begins only from that point. Historical data are not available retroactively.
Recommended configuration:
- Activate audit log (if not already active)
- Set retention period to at least 180 days (E5/G5 allows up to 10 years)
- Enable mailbox audit logging for all mailboxes (has been the default since 2019, but check older mailboxes)
- Set up alert policies for critical events: admin role changes, mass downloads, external sharing
- Regular spot-check evaluation of audit logs (at least monthly)
- If needed: export to SIEM solution via the Management Activity API
ISO 27001 reference: A.8.15 (Logging), A.8.16 (Monitoring Activities)
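As an added example for item 7 (not from the article), the following Exchange Online PowerShell script checks that unified audit log ingestion is on, turns on mailbox auditing for any mailbox that still has it off, and runs the monthly spot check for admin role changes. The 30-day window and the operation names queried are the author's assumptions.

```powershell
# Added example: enable the audit log, verify mailbox auditing, spot-check admin role changes.
Connect-ExchangeOnline

# 1. Unified audit log: enable ingestion if it is not already active (recording starts now, not retroactively)
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing: default since 2019, but older mailboxes may still have it disabled
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Set-Mailbox -AuditEnabled $true

# 3. Spot check: who was added to or removed from a directory role in the last 30 days?
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations "Add member to role.", "Remove member from role." -ResultSize 1000

$records | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $_.CreationDate
        Actor     = $_.UserIds
        Operation = $_.Operations
        Target    = $data.ObjectId
        Role      = ($data.ModifiedProperties | Where-Object Name -eq "Role.DisplayName").NewValue
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

The same `Search-UnifiedAuditLog` pattern with operations such as sharing or download events covers the other spot checks listed above; for anything beyond occasional checks, export to a SIEM as the text suggests rather than scripting against the 5,000-record page limit.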
8. Restrict External Sharing in SharePoint and OneDrive
The default setting in SharePoint Online allows every user to share files and folders with any external person — including with anonymous links requiring no sign-in. In most companies, this is far too open. Particularly critical are "Anyone" links that work without authentication and can be valid indefinitely.
Recommended configuration:
- Tenant-wide sharing setting: at least "New and existing guests" (no anonymous links)
- Better: "Existing guests only" (only guests already in the directory)
- Expiration date for guest sharing: maximum 30 days, after which shares must be renewed
- Restrict sharing to specific domains (allow-list for partner companies)
- Restrict sensitive SharePoint sites to "Only people in your organization"
- Regular review of external shares via the sharing report in the SharePoint Admin Center
ISO 27001 reference: A.5.14 (Information Transfer), A.8.3 (Access Restriction to Information), A.5.10 (Acceptable Use)
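As an added example for item 8 (not from the article), the following SharePoint Online Management Shell script applies the tenant-wide sharing settings listed above, locks one sensitive site to internal users, and lists sites whose sharing level is still broader than "internal only". Tenant name, partner domains and the site URL are placeholders.

```powershell
# Added example: tenant-wide SharePoint/OneDrive sharing restrictions plus a review query.
# Requires the Microsoft.Online.SharePoint.PowerShell module; "contoso" is a placeholder.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# ExistingExternalUserSharingOnly = "Existing guests only": no "Anyone" links, no new guests via sharing
# Guest shares expire after 30 days, sharing is limited to an allow-list of partner domains,
# and the default link is internal / view-only so nobody shares externally by accident.
Set-SPOTenant `
    -SharingCapability ExistingExternalUserSharingOnly `
    -RequireAcceptingAccountMatchInvitedAccount $true `
    -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30 `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList "partner-a.example partner-b.example" `
    -DefaultSharingLinkType Internal -DefaultLinkPermission View

# Sensitive site: "Only people in your organization"
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -SharingCapability Disabled

# Review: every site that still allows any external sharing, for the regular share review
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability, Owner |
    Sort-Object SharingCapability, Url |
    Format-Table -AutoSize
```

A site can never be more permissive than the tenant setting, so tightening `Set-SPOTenant` first is the effective control; the per-site review then only has to find sites that deserve to be stricter still.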
9. Control Guest Access
Guest access in Microsoft 365 allows external persons to access Teams channels, SharePoint sites and other resources. This is valuable for collaboration with partners and service providers but must be controlled. Without restrictions, guests may access more resources than intended, and orphaned guest accounts remain active indefinitely.
Recommended configuration:
- Leave guest access in Teams enabled (if needed), but restrict to specific teams
- Configure Entra ID External Collaboration Settings: invitations only by admins or specific roles
- Regularly review guest accounts (access reviews in Entra ID P2)
- Conditional Access policy for guests: enforce MFA, restrict access to specific apps
- Automatic deactivation of guest accounts after 90 days of inactivity
- Hide guests from the global address list
ISO 27001 reference: A.5.15 (Access Control), A.5.16 (Identity Management), A.6.6 (Confidentiality Agreements)
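As an added example for item 9 (not from the article), the following script finds guest accounts with no sign-in in the last 90 days (or never, if created more than 90 days ago), disables rather than deletes them, and hides all guests from the global address list. The 90-day cutoff is the article's value; reading `signInActivity` requires an Entra ID P1 license, and the Exchange step assumes the guests were synchronized as guest mail users.

```powershell
# Added example: review and deactivate inactive guest accounts, hide guests from the GAL.
Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All", "Directory.Read.All"

$cutoff = (Get-Date).AddDays(-90)
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id, DisplayName, Mail, CreatedDateTime, AccountEnabled, SignInActivity

$stale = foreach ($g in $guests) {
    $last = $g.SignInActivity.LastSignInDateTime
    # inactive: never signed in and older than the cutoff, or last sign-in before the cutoff
    $neverUsed = (-not $last) -and ($g.CreatedDateTime -lt $cutoff)
    $idle      = $last -and ($last -lt $cutoff)
    if ($neverUsed -or $idle) {
        [pscustomobject]@{
            Id = $g.Id; Mail = $g.Mail; Created = $g.CreatedDateTime
            LastSignIn = $last; Enabled = $g.AccountEnabled
        }
    }
}
$stale | Format-Table -AutoSize

# Disable first, delete after a second review cycle, so a partner account can be restored on request
foreach ($s in ($stale | Where-Object Enabled)) {
    Update-MgUser -UserId $s.Id -AccountEnabled:$false
}

# Hide guests from the global address list (Exchange Online)
Connect-ExchangeOnline
Get-MailUser -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -eq "GuestMailUser" -and -not $_.HiddenFromAddressListsEnabled } |
    Set-MailUser -HiddenFromAddressListsEnabled $true
```

Without an Entra ID P2 access review, a scheduled run of this script is the practical substitute for the "regular review of guest accounts" recommended above.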
10. Mailflow Rules for Spoofing Protection
In addition to the anti-phishing policies in Defender for Office 365, you should set up mailflow rules (transport rules) in Exchange Online that provide additional protection against spoofing and social engineering. Particularly effective is an external email warning that prepends a clearly visible notice to all incoming emails from outside the organization.
Recommended configuration:
- External sender warning: mailflow rule that prepends a banner to emails from external senders ("This message originated from outside your organization. Be careful with links and attachments.")
- Block emails that use your own domain as sender but do not originate from your own mail servers (in combination with SPF/DKIM/DMARC)
- Block auto-forwarding to external addresses (prevents compromised accounts from forwarding emails)
- Block executable file types in attachments (.exe, .bat, .ps1, .vbs, .js, .wsf)
ISO 27001 reference: A.8.23 (Web Filtering), A.5.14 (Information Transfer), A.8.7 (Protection Against Malware)
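As an added example for item 10 (not from the article), the following Exchange Online PowerShell script creates the mail flow rules listed above: an external sender banner, a block on executable attachments, a block on external auto-forwarding (at both the outbound spam policy and the rule level), and a quarantine rule for inbound mail that uses your own domain but fails DMARC. The domain, the banner markup and the rejection texts are placeholders.

```powershell
# Added example: mail flow (transport) rules for spoofing protection.
Connect-ExchangeOnline
$domain = "contoso.example"   # placeholder

# 1. External sender warning prepended to every inbound message from outside the organization
$banner = '<div style="background:#fff3cd;border:1px solid #ffe69c;padding:6px;font-size:12px">' +
          'This message originated from outside your organization. Be careful with links and attachments.</div>'
New-TransportRule -Name "External sender warning" -Priority 0 `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -ApplyHtmlDisclaimerLocation Prepend -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# 2. Reject executable attachment types (the list from the text)
New-TransportRule -Name "Block executable attachments" `
    -AttachmentExtensionMatchesWords "exe", "bat", "ps1", "vbs", "js", "wsf" `
    -RejectMessageReasonText "Executable attachments are not accepted by this organization."

# 3. Block auto-forwarding to external recipients: policy level and rule level
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
New-TransportRule -Name "Block external auto-forward" `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText "Automatic forwarding to external recipients is not permitted."

# 4. Inbound mail claiming our own domain that fails DMARC -> quarantine.
#    Complements SPF/DKIM/DMARC and the anti-phish AuthenticationFailAction; test with
#    -Mode Audit first so legitimate direct-send devices (printers, scanners) are caught.
New-TransportRule -Name "Quarantine spoofed internal domain" -Mode Audit `
    -FromScope NotInOrganization -SenderDomainIs $domain `
    -HeaderMatchesMessageHeader "Authentication-Results" -HeaderMatchesPatterns "dmarc=fail" `
    -Quarantine $true

# Verify the resulting rule order
Get-TransportRule | Select-Object Priority, Name, State, Mode | Sort-Object Priority | Format-Table
```

Rule 4 is deliberately created in `Audit` mode: the multifunction printers mentioned under item 2 are exactly the senders that trip it, so review the audit hits before switching the rule to `Enforce`.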
11. Enforce Device Compliance with Intune
Conditional Access alone is not enough if you do not know whether the accessing device is secure. Device compliance policies in Microsoft Intune define minimum requirements for endpoints: is the OS current? Is the disk encrypted? Is an up-to-date antivirus running? Is the device free of jailbreaking or rooting?
Only the combination of Conditional Access and device compliance closes the loop: only authenticated users on compliant devices gain access to corporate data.
Recommended configuration:
- Intune enrollment for all Windows, macOS and mobile devices
- Compliance policies per platform (at minimum: OS version, encryption, antivirus, passcode)
- Conditional Access policy: "Require device to be marked as compliant"
- Grace period for non-compliant devices: 3-7 days for compliance, then access blocked
- For BYOD scenarios: App Protection Policies (MAM) instead of full device management
ISO 27001 reference: A.8.1 (User Endpoint Devices), A.8.9 (Configuration Management)
12. Control App Permissions and Consent
In the default configuration, users can independently grant third-party apps access to their M365 data (user consent). This sounds harmless but is a significant attack vector: an attacker creates an OAuth app that requests access to emails or files, and an inattentive user grants permission. From that moment, the attacker has persistent access — even without a password, even with MFA.
Recommended configuration:
- Disable user consent for third-party apps (Entra ID > Enterprise Applications > Consent and Permissions)
- Enable admin consent workflow: users can request apps, but an admin must approve
- Review existing app permissions regularly (at least quarterly)
- Critically examine apps with high permissions (Mail.Read, Files.ReadWrite.All, Directory.ReadWrite.All)
- Remove app registrations and their permissions that are no longer needed
ISO 27001 reference: A.8.9 (Configuration Management), A.5.15 (Access Control), A.8.26 (Application Security Requirements)
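As an added example for item 12 (not from the article), the following Microsoft Graph PowerShell script disables user consent tenant-wide and then produces the quarterly review list of service principals holding the high-privilege Graph permissions named above. The watch list is an assumption you should extend to your own tenant; the Microsoft Graph application ID used to resolve application permissions is Microsoft's well-known value.

```powershell
# Added example: disable user consent, then list apps holding high-privilege Graph permissions.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Application.Read.All", "Directory.Read.All"

# 1. No user consent for third-party apps (an empty grant-policy list = users cannot consent).
#    Users can still request admin consent if the admin consent workflow is enabled in the portal.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# 2. Quarterly review: which service principals hold these permissions, delegated or application?
$watch = @("Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All", "Sites.ReadWrite.All")

# Map Graph app-role IDs to permission names (well-known Microsoft Graph appId)
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($r in $graphSp.AppRoles) { $roleName[$r.Id] = $r.Value }

$findings = foreach ($sp in (Get-MgServicePrincipal -All)) {
    # Delegated permissions: OAuth2 grants, Scope is a space-separated list
    foreach ($grant in (Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)) {
        foreach ($scope in ($grant.Scope -split ' ')) {
            if ($watch -contains $scope) {
                [pscustomobject]@{ App = $sp.DisplayName; Type = "Delegated"; Permission = $scope; Consent = $grant.ConsentType }
            }
        }
    }
    # Application permissions: app role assignments (only Graph roles resolve via $roleName)
    foreach ($assignment in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
        $perm = $roleName[$assignment.AppRoleId]
        if ($perm -and $watch -contains $perm) {
            [pscustomobject]@{ App = $sp.DisplayName; Type = "Application"; Permission = $perm; Consent = "Admin" }
        }
    }
}
$findings | Sort-Object App, Type | Format-Table -AutoSize
```

Every row in the output is an app that keeps access even if the user's password changes and MFA is enforced, which is why the review belongs on the quarterly calendar; remove grants for apps nobody can vouch for with `Remove-MgServicePrincipal` or by revoking the individual grant.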
13. Restrict Administrative Roles
The principle of least privilege applies especially to administrator roles. A common mistake in M365 tenants: too many users have the "Global Administrator" role even though they only need to perform a specific task. Every Global Admin is a potential entry point — anyone who compromises this role has full control over the entire tenant.
Recommended configuration:
- Maximum 2-4 Global Administrators (plus 1-2 break glass accounts)
- Dedicated admin roles instead of Global Admin: Exchange Admin for email, SharePoint Admin for files, Security Admin for security settings
- Privileged Identity Management (PIM) with P2 license: just-in-time activation of admin roles instead of permanent assignment
- Separate admin accounts for administrative tasks (no admin access through daily work accounts)
- Enforce MFA for all admin roles via Conditional Access (separate policy with elevated requirements)
ISO 27001 reference: A.8.2 (Privileged Access Rights), A.5.15 (Access Control), A.5.18 (Access Rights)
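As an added example for item 13 (not from the article), the following Microsoft Graph PowerShell script lists the current members of the Global Administrator role together with their MFA registration status and warns when the count exceeds the article's recommended maximum. The authentication methods registration report used here requires an Entra ID P1 license; the warning threshold of four is the article's value.

```powershell
# Added example: review Global Administrator membership and MFA registration.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All", "UserAuthenticationMethod.Read.All", "AuditLog.Read.All"

$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$report = foreach ($m in $members) {
    # Role members can also be groups or service principals; only users have a registration record
    $u = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, AccountEnabled -ErrorAction SilentlyContinue
    if (-not $u) { continue }
    $reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $u.Id
    [pscustomobject]@{
        UPN           = $u.UserPrincipalName
        Enabled       = $u.AccountEnabled
        MfaRegistered = $reg.IsMfaRegistered
        Methods       = ($reg.MethodsRegistered -join ", ")
    }
}
$report | Format-Table -AutoSize

$maxGlobalAdmins = 4   # article's recommendation: 2-4 plus 1-2 break glass accounts
if (@($report).Count -gt $maxGlobalAdmins) {
    Write-Warning "$(@($report).Count) Global Administrators exceed the target of $maxGlobalAdmins. Move task-specific admins to scoped roles."
}
$notRegistered = $report | Where-Object { -not $_.MfaRegistered }
if ($notRegistered) {
    Write-Warning "Global Administrators without MFA registration: $($notRegistered.UPN -join ', ')"
}
```

Break glass accounts will appear in the list without MFA by design; keep them documented and excluded from the warning rather than removing them from the role.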
14. Retention Policies and eDiscovery
Retention policies in Microsoft Purview control how long data in Exchange, SharePoint, OneDrive and Teams are retained and when they are automatically deleted. This simultaneously fulfills two requirements: compliant retention and privacy-compliant deletion after the retention period expires.
eDiscovery enables targeted search across all M365 services — for example, during internal investigations, GDPR access requests or litigation. Without prepared retention policies, you risk that relevant data have already been deleted when you need them.
Recommended configuration:
- Retention policy for Exchange: retain emails at least 1 year, then automatically delete (align with GDPR deletion policy)
- Retention policy for SharePoint/OneDrive: retain document versions at least 2 years
- Retention policy for Teams chats and messages: at least 1 year
- Retention labels for special document types (contracts: 10 years, personnel files: 3 years after departure)
- Restrict eDiscovery permissions to a small group (data protection, legal, IT security)
- Regular verification that retention policies are correctly applied
ISO 27001 reference: A.5.33 (Protection of Records), A.8.10 (Information Deletion)
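As an added example for item 14 (not from the article), the following Security & Compliance PowerShell script creates the one-year Exchange and Teams retention policies, a ten-year retention label for contracts, restricts eDiscovery to a named role group member, and verifies distribution. Policy names and the eDiscovery manager address are placeholders; the durations are the article's values.

```powershell
# Added example: retention policies, a retention label and eDiscovery permissions in Purview.
Connect-IPPSSession

# Exchange: keep 1 year from creation, then delete automatically
New-RetentionCompliancePolicy -Name "Exchange - retain 1 year" -ExchangeLocation All
New-RetentionComplianceRule -Name "Exchange - retain 1 year rule" -Policy "Exchange - retain 1 year" `
    -RetentionDuration 365 -RetentionComplianceAction KeepAndDelete -ExpirationDateOption CreationAgeInDays

# SharePoint/OneDrive: keep 2 years from last modification
New-RetentionCompliancePolicy -Name "Documents - retain 2 years" -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "Documents - retain 2 years rule" -Policy "Documents - retain 2 years" `
    -RetentionDuration 730 -RetentionComplianceAction KeepAndDelete -ExpirationDateOption ModificationAgeInDays

# Teams chats and channel messages need their own policy (cannot be mixed with Exchange/SharePoint locations)
New-RetentionCompliancePolicy -Name "Teams - retain 1 year" -TeamsChatLocation All -TeamsChannelLocation All
New-RetentionComplianceRule -Name "Teams - retain 1 year rule" -Policy "Teams - retain 1 year" `
    -RetentionDuration 365 -RetentionComplianceAction KeepAndDelete

# Retention label for contracts: 10 years, applied manually or via auto-labeling (E5)
New-ComplianceTag -Name "Contract" -Comment "Contracts: retain 10 years after creation" `
    -RetentionAction KeepAndDelete -RetentionDuration 3650 -RetentionType CreationAgeInDays

# eDiscovery: limit to a small, named group (placeholder address)
Add-RoleGroupMember -Identity "eDiscovery Manager" -Member "legal.ediscovery@contoso.example"

# Verify the policies reached their workloads
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus | Format-Table -AutoSize
```

`DistributionStatus` should read `Success` after a while; a policy stuck in `Pending` is the most common reason a "regular verification that retention policies are correctly applied" finds nothing retained.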
15. Monitor and Improve Microsoft Secure Score
Microsoft Secure Score is a dashboard that rates the security posture of your M365 tenant on a point scale and provides specific improvement recommendations. It aggregates the status of all the settings described above (and many more) into a single metric and prioritizes recommendations by security gain and implementation effort.
Secure Score is not an end in itself but an excellent tool for maintaining oversight and making progress visible. As a KPI in the ISMS, it is suitable for the management review and continuous improvement.
Recommended configuration:
- Check Secure Score in the Security Center regularly (at least monthly)
- Set a realistic target (70-80 percent is a good target value for most SMEs)
- Work through the top 5 recommendations quarterly
- Include Secure Score as a KPI in the ISMS dashboard
- Consciously mark unachievable recommendations as "Resolved through third party" or "Risk accepted"
ISO 27001 reference: A.5.36 (Compliance with Policies and Standards), A.8.8 (Management of Technical Vulnerabilities)
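As an added example for item 15 (not from the article), the following Microsoft Graph PowerShell script retrieves the latest Secure Score, compares it with the 70 to 80 percent target band from the text, and lists the five controls with the largest gap to their maximum score as the quarterly work list. The target values are the article's; the join of score records to control profiles by control name is an assumption about the Graph data model that you should verify in your tenant.

```powershell
# Added example: Secure Score as an ISMS KPI with a prioritized gap list.
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

# Latest score (secure scores are returned newest first)
$score   = Get-MgSecuritySecureScore -Top 1
$percent = [math]::Round(100 * $score.CurrentScore / $score.MaxScore, 1)
$target  = 70   # article: 70-80 percent is a realistic SME target

[pscustomobject]@{
    Date    = $score.CreatedDateTime
    Score   = "$($score.CurrentScore) / $($score.MaxScore)"
    Percent = $percent
    Status  = if ($percent -ge $target) { "on target" } else { "below target ($target %)" }
} | Format-List

# Control profiles carry the max score, effort and user impact per control
$profiles = @{}
Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profiles[$_.Id] = $_ }

# Gap list: which controls would add the most points? Top 5 = the quarterly work package
$score.ControlScores | ForEach-Object {
    $p = $profiles[$_.ControlName]
    if ($p) {
        [pscustomobject]@{
            Control    = $_.ControlName
            Category   = $_.ControlCategory
            Score      = $_.Score
            Max        = $p.MaxScore
            Gap        = [math]::Round($p.MaxScore - $_.Score, 1)
            Effort     = $p.ImplementationCost
            UserImpact = $p.UserImpact
        }
    }
} | Sort-Object Gap -Descending | Select-Object -First 5 | Format-Table -AutoSize
```

The `Effort` and `UserImpact` columns are what let you pick quick wins first; recommendations you cannot meet are marked "Resolved through third party" or "Risk accepted" in the Secure Score portal so they stop distorting the KPI.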
The Right Sequence: Where to Start?
The 15 measures are ordered by priority, but you do not have to implement them all simultaneously. A pragmatic roadmap for introduction over three months:
Month 1 (quick wins with high impact):
- MFA for all users (item 1)
- Block legacy authentication (item 2)
- Activate audit log (item 7)
- Clean up admin roles (item 13)
These four measures close the biggest security gaps and require no license upgrades. MFA alone dramatically reduces the risk of account compromise, and blocking legacy auth ensures that MFA cannot be bypassed.
Month 2 (email protection and access control):
- Anti-phishing policies (item 4)
- Safe Links and Safe Attachments (item 5)
- Mailflow rules (item 10)
- Conditional Access baseline set (item 3)
- Restrict app permissions (item 12)
In the second month, you focus on the email channel as the most common attack vector and establish a structured Conditional Access framework.
Month 3 (data protection and compliance):
- Restrict external sharing (item 8)
- Control guest access (item 9)
- DLP policies (item 6)
- Device compliance (item 11)
- Retention policies (item 14)
- Establish Secure Score as KPI (item 15)
The third month addresses data protection, compliance and long-term operations. These measures require more coordination with business units and are therefore at the end of the roadmap.
Licenses: What Do I Need for What?
Not all 15 measures are available in every license. Here is an overview of which license you need for which measure:
Microsoft 365 Business Basic/Standard:
- Audit log (basic, 90-day retention)
- Mailflow rules
- Configure external sharing
- Admin roles
Microsoft 365 Business Premium:
- Everything from Basic/Standard, plus:
- Conditional Access
- Intune (device compliance)
- Defender for Office 365 Plan 1 (Safe Links, Safe Attachments, anti-phishing)
- DLP (basic)
- Entra ID P1 (Conditional Access)
Microsoft 365 E3:
- Everything from Business Premium, plus:
- Advanced DLP policies
- Sensitivity labels (manual)
- Retention policies (advanced)
- eDiscovery (standard)
Microsoft 365 E5 / Entra ID P2:
- Everything from E3, plus:
- Privileged Identity Management (PIM)
- Access reviews
- Risk-based Conditional Access policies
- Audit log with 10-year retention
- eDiscovery (Premium)
- Auto-labeling with sensitivity labels
For most mid-market companies, Business Premium offers the best value for money. If you need risk-based Conditional Access and PIM, you will need E5 or an Entra ID P2 add-on.
M365 Security as Part of the ISMS
The 15 settings described are not an isolated IT checklist but an integral part of your ISMS. Each setting can be mapped to one or more controls from ISO 27001 Annex A — and that is exactly what you should do. Documenting the M365 security configuration as TOMs in your ISMS creates several advantages. In ISMS Lite, each of the 15 settings can be documented as a TOM and mapped to the appropriate ISO 27001 control, including implementation status and effectiveness review.
First: transparency. You know exactly which measures are implemented and which are still missing. The Secure Score provides an automated indicator for this, but documentation in the ISMS goes deeper: it captures not only the technical status but also organizational responsibility, the approval process and the effectiveness review.
Second: evidence. When the auditor asks how you control access to cloud services, you can present the documented Conditional Access policies, the DLP configuration and the audit log evaluations. The link to ISO 27001 controls shows that the measures were not chosen randomly but are based on a systematic risk assessment.
Third: continuous improvement. When you include Secure Score as a KPI in the ISMS and discuss it quarterly in the management review, the M365 security configuration becomes part of the PDCA cycle. New recommendations flow into the treatment plan as measures, implemented measures are reviewed for effectiveness, and the score measurably improves.
Common Mistakes in M365 Hardening
Even though the individual settings are not technically complicated, there are recurring mistakes that negate the security gain or cause operational problems.
Activating everything at once: If you enable all 15 measures on a Friday afternoon, you will be rewarded with an overwhelmed helpdesk on Monday. MFA rollout and legacy auth blocking in particular need lead time and communication. Give users at least two weeks for MFA registration before switching the Conditional Access policy from report-only to enforced.
Forgetting break glass accounts: When you enforce MFA and Conditional Access for all users, you need at least one emergency access account that is not affected by these policies. Otherwise, in the worst case, you lock yourself out of the tenant. Break glass accounts have an extremely long password, are excluded from Conditional Access and are monitored via alert policies.
Too many exceptions: Every exception in a Conditional Access policy is a potential security gap. If you create an exception for every user who complains, you undermine the protection. Critically examine every exception and document the justification.
DLP without a test phase: DLP policies that immediately block rather than just warn lead to frustration and workarounds. Always start with policy tips (warning without blocking) and only switch to blocking after an evaluation phase.
Not evaluating the audit log: Activating the audit log is useless if nobody reads it. Set up automatic alert policies and regularly evaluate the logs. A log that nobody reads is not a security instrument — it is just storage consumption.
Monitoring and Effectiveness Review
Setting up the 15 measures is the beginning, not the end. For the security configuration to remain effective, you need a monitoring process:
Weekly:
- Check alert notifications (automatically via email)
- Check the quarantine queue in Defender for Office 365 (identify false positives)
Monthly:
- Check Secure Score and evaluate new recommendations
- Audit log spot checks (focus: admin activities, external sharing, mailbox access)
- Evaluate DLP reports (match rate, false positives, user overrides)
Quarterly:
- Check Conditional Access policies for currency
- Review app permissions
- Review guest accounts and deactivate orphaned accounts
- Evaluate external sharing in SharePoint
Annually:
- Compare entire M365 security configuration against current Microsoft recommendations
- Review license needs (new features may require higher licenses)
- Feed results into the management review
Checklist: 15 Measures at a Glance
| No. | Measure | License | Priority | ISO 27001 |
|---|---|---|---|---|
| 1 | MFA for all users | Business Premium+ | Critical | A.8.5 |
| 2 | Block legacy auth | Business Premium+ | Critical | A.8.5 |
| 3 | Conditional Access baseline set | Business Premium+ | High | A.5.15, A.8.2 |
| 4 | Anti-phishing policies | Defender for O365 | High | A.8.23 |
| 5 | Safe Links & Safe Attachments | Defender for O365 | High | A.8.7 |
| 6 | DLP policies | Business Premium+ | Medium | A.8.12 |
| 7 | Activate audit log | All licenses | Critical | A.8.15 |
| 8 | Restrict external sharing | All licenses | High | A.5.14 |
| 9 | Control guest access | All licenses | Medium | A.5.15 |
| 10 | Mailflow rules | All licenses | Medium | A.5.14 |
| 11 | Device compliance | Business Premium+ | Medium | A.8.1 |
| 12 | App permissions | All licenses | High | A.8.9 |
| 13 | Restrict admin roles | All licenses | Critical | A.8.2 |
| 14 | Retention policies | E3+ | Medium | A.5.33 |
| 15 | Monitor Secure Score | All licenses | Low | A.5.36 |
Further Reading
- Conditional Access in Entra ID: Policies for SMEs
- Securing Exchange Online: Anti-Phishing, Safe Links and Mailflow Rules
- Microsoft Secure Score: What It Measures and How to Improve It
- Securing SharePoint and OneDrive: Sharing, DLP and Classification
- Intune for Beginners: Device Management Without Enterprise Complexity
