Microsoft 365 security best practices
M365 Security: 12 Crucial Best Practices

In today’s cyberthreat landscape, Microsoft 365 is a prime target for attack.

Factors like environment complexity, misconfigured users, and default security settings can all make M365 vulnerable to exploitation.

So how do you protect your environment? What does it take to secure M365?

The best defense for Microsoft 365 is a layered defense. Here at Corsica Technologies, we are a Microsoft Modern Work Solutions Partner, a Security Solutions Partner with the Identity and Access Management specialization, and a member of MISA (the Microsoft Intelligent Security Association)—so when it comes to Microsoft 365 security, we’ve got answers for even the toughest questions.

Here are the top 12 cybersecurity best practices that we recommend, implement, and manage for customers using Microsoft 365.

Key takeaways:

  • Universal MFA is a must for Microsoft 365 security.
  • An intelligent approach to users, identity, and access helps secure M365.
  • Zero Trust architecture is a crucial pillar of M365 security.
  • Consider device-level controls in Microsoft Intune in addition to M365 security controls.
  • Make sure your employees are trained to recognize phishing emails.

1. Implement MFA everywhere

MFA is the single most effective control against credential compromise. According to Microsoft’s research, MFA is 99.99% effective at maintaining account security. Clearly, you should implement MFA across the board in M365. Here’s what that coverage looks like.

  • All users (excluding break‑glass accounts)
  • All privileged and administrative roles
  • All remote access scenarios
  • Guest and external users

2. Implement conditional access policies

MFA alone isn’t enough to protect M365. You should also implement conditional access policies that block access based on suspicious activity. Properly implemented, these policies account for user risk, sign-in behavior, device compliance, and application sensitivity. Typical policies include:

  • Block access from unmanaged devices
  • Require compliant or hybrid‑joined devices
  • Disallow persistent browser sessions

The free version of Entra ID does not include Conditional Access—it is included in Entra ID P1 and these M365 versions: E3, E5, and Business Premium.
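The two controls above (MFA for everyone except break-glass accounts, and a compliant or hybrid-joined device requirement) can be deployed as Conditional Access policies from Microsoft Graph PowerShell. The following is an added example, not code from the article or from Corsica Technologies; the policy display names, the `CA-Exclude-BreakGlass` group name, and the choice to start both policies in report-only mode are assumptions.

```powershell
# Added example (not from the original article): creates two Conditional Access policies
# in report-only mode with Microsoft Graph PowerShell. Display names, the break-glass
# exclusion group name and the report-only starting state are assumptions.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All","Group.Read.All"

# Break-glass accounts live in a dedicated group that every policy excludes, so a bad policy
# cannot lock every administrator out of the tenant at once.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'" | Select-Object -First 1
if (-not $breakGlass) { throw "Create the break-glass exclusion group before deploying policies." }

# Policy 1: require MFA for all users on all cloud apps. clientAppTypes "all" also covers legacy
# clients, which cannot complete an MFA challenge and are therefore blocked as a side effect.
$mfaPolicy = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing report-only results
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: only compliant (Intune) or Entra hybrid-joined devices may sign in from browsers and
# modern clients. This is how "block access from unmanaged devices" is usually expressed.
$devicePolicy = @{
    displayName   = "CA002 - Require compliant or hybrid-joined device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser","mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice","domainJoinedDevice") }
}

foreach ($policy in @($mfaPolicy, $devicePolicy)) {
    # Idempotent: do not create a duplicate if a policy with this name already exists.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'"
    if ($existing) { Write-Host "Skipping existing policy: $($policy.displayName)"; continue }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' in state $($created.State)"
}
```

Report-only mode (`enabledForReportingButNotEnforced`) records in the sign-in logs which sign-ins each policy would have blocked without actually blocking anyone; review those results, then flip `state` to `enabled`. The device policy deliberately scopes to `browser` and `mobileAppsAndDesktopClients`, because requiring a compliant device from clients that cannot present device state would simply deny them.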

3. Manage privileged access

Some accounts in M365 will always be more sensitive than others. Those with privileged access require additional controls and policies to protect them. Here’s what we recommend for accounts with privileged access.

  • Use PIM (privileged identity management) in Microsoft Entra ID
  • Enforce JIT (just in time) access
  • Separate global admin roles
  • Monitor privileged activity logs

Privileged Identity Management (PIM) is not included in the free or Entra ID P1 products; it requires Entra ID P2, M365 E5, or the Microsoft Entra ID Governance license.
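Two of the recommendations above, keeping Global Administrator membership small and watching privileged activity, can be checked from Microsoft Graph PowerShell. This is an added example and not code from the article or from Corsica Technologies; the 14-day lookback window and the five-account threshold are assumptions, and `62e90394-69f5-4237-9190-012177145e10` is the well-known role template ID of the Global Administrator role.

```powershell
# Added example (not from the original article): enumerates Global Administrators, reports which of
# them have not registered MFA, and lists recent role-management audit events. The 14-day window
# and the threshold of five Global Admins are assumptions.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All"

# Well-known template ID of the Global Administrator role (stable across tenants).
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$gaRole   = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$members  = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

# MFA registration state for every user, keyed by object ID, so each admin is a dictionary lookup.
$regByUser = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object { $regByUser[$_.Id] = $_ }

$report = foreach ($m in $members) {
    $type = $m.AdditionalProperties['@odata.type']
    [pscustomobject]@{
        ObjectId          = $m.Id
        Type              = $type
        UserPrincipalName = $m.AdditionalProperties['userPrincipalName']   # null for service principals/groups
        MfaRegistered     = if ($type -eq '#microsoft.graph.user') { [bool]$regByUser[$m.Id].IsMfaRegistered } else { $null }
    }
}
$report | Format-Table -AutoSize

# Assumed threshold: more than five permanent Global Admins is a sign that PIM/JIT and scoped roles
# are not being used; Microsoft's guidance is to keep this role's membership minimal.
if (@($members).Count -gt 5) { Write-Warning "$(@($members).Count) Global Administrators found; review for PIM eligibility instead of permanent assignment." }
$report | Where-Object { $_.Type -eq '#microsoft.graph.user' -and -not $_.MfaRegistered } |
    ForEach-Object { Write-Warning "Global Admin without MFA registration: $($_.UserPrincipalName)" }

# Privileged activity: who changed role membership in the last 14 days, and on whom.
$since  = (Get-Date).ToUniversalTime().AddDays(-14).ToString("yyyy-MM-ddTHH:mm:ssZ")
$events = Get-MgAuditLogDirectoryAudit -Filter "category eq 'RoleManagement' and activityDateTime ge $since" -All
$events | Select-Object ActivityDateTime, ActivityDisplayName,
    @{n='InitiatedBy'; e={ $_.InitiatedBy.User.UserPrincipalName }},
    @{n='Target';      e={ ($_.TargetResources | Select-Object -First 1).UserPrincipalName }} |
    Sort-Object ActivityDateTime -Descending | Format-Table -AutoSize
```

The audit query is the manual version of "monitor privileged activity logs"; in production the same `RoleManagement` category events would be forwarded to a SIEM and alerted on, with PIM activations showing up there as well.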

4. Implement Zero Trust architecture

Securing M365 requires explicit verification, least privilege access, and continuous evaluation, all of which are core tenets of Zero Trust architecture. In the context of M365, key elements include:

  • Conditional access policies for risk‑based authentication
  • Device compliance enforcement via Intune
  • Network‑independent access controls (don’t trust internal networks)

5. Disable legacy authentication protocols

Legacy authentication protocols cannot complete an MFA challenge, so enforcing MFA effectively disables them. Still, it is worth calling out exactly what is being disabled. You should block non-HTTPS and outdated protocols, including:

  • POP and IMAP without OAuth
  • Older Office clients
  • Basic authentication endpoints
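Before blocking legacy protocols, find out who still uses them so the block does not break a line-of-business mailbox or scanner. The script below is an added example, not code from the article or from Corsica Technologies; it queries the Entra sign-in logs for legacy client types and then stages a report-only Conditional Access block policy. The 30-day window, the policy name, and the break-glass group ID placeholder are assumptions.

```powershell
# Added example (not from the original article): reports recent sign-ins that used legacy
# (non-modern) clients, then creates a report-only Conditional Access policy that blocks the
# legacy client app types. The 30-day window, policy name and group ID placeholder are assumptions.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All","Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

# clientAppUsed values that indicate basic/legacy authentication in the Entra sign-in logs.
# Exchange ActiveSync is included; modern EAS clients can use OAuth, so confirm before blocking.
$legacyClients = @(
    'Other clients','IMAP4','POP3','SMTP','Authenticated SMTP','Exchange ActiveSync',
    'Exchange Web Services','MAPI Over HTTP','Offline Address Book',
    'Outlook Anywhere (RPC over HTTP)','Exchange Online PowerShell','Autodiscover'
)
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

# One server-side filtered query per legacy client type keeps the result set small.
$legacySignIns = foreach ($client in $legacyClients) {
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and clientAppUsed eq '$client'" -All
}

# Who is still on legacy auth, with which protocol, and did the sign-in succeed (errorCode 0)?
$legacySignIns |
    Where-Object { $_.Status.ErrorCode -eq 0 } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object @{n='User';     e={ $_.Group[0].UserPrincipalName }},
                  @{n='Protocol'; e={ $_.Group[0].ClientAppUsed }},
                  @{n='Count';    e={ $_.Count }},
                  @{n='LastSeen'; e={ ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime }} |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Stage the block in report-only mode; "exchangeActiveSync" and "other" are the legacy client app types.
$breakGlassGroupId = "<break-glass-group-object-id>"   # placeholder: object ID of your break-glass exclusion group
$blockLegacy = @{
    displayName   = "CA003 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync","other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
if (-not (Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($blockLegacy.displayName)'")) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy | Out-Null
    Write-Host "Created '$($blockLegacy.displayName)' in report-only mode"
}
```

Anything that shows up in the report (a multifunction printer sending mail over authenticated SMTP, an old IMAP mail client) needs to be migrated to OAuth or a modern client before the policy is switched from report-only to `enabled`; the sign-in log entries produced in report-only mode will confirm the policy would have caught exactly those sign-ins.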

6. Optimize Defender for Office 365

Microsoft Defender for Office 365 automatically protects a new M365 environment with default security settings. However, default settings may not be adequate in all cases. In particular, make sure Defender for O365 is providing:

  • Safe Links (URL rewriting)
  • Safe Attachments (sandboxing)
  • Anti‑phishing and anti‑spoofing intelligence

Defender for Office 365 can be licensed these ways:

  • Microsoft 365 Business Premium: Includes Defender for Office 365 Plan 1.
  • Microsoft 365 E3: Includes Defender for Office 365 Plan 1.
  • Microsoft 365 E5: Includes Defender for Office 365 Plan 2.
  • Microsoft 365 E5 Security Add-on: Includes Defender for Office 365 Plan 2 for organizations on an E3 subscription.
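Whether the Safe Links, Safe Attachments and anti-phishing protections listed above are actually switched on is something you can verify from Exchange Online PowerShell rather than assume from the license. The following audit script is an added example, not code from the article or from Corsica Technologies; the specific settings it flags reflect a hardened posture and are this example's assumptions, not Microsoft's published baseline values.

```powershell
# Added example (not from the original article): audits Defender for Office 365 policies with
# Exchange Online PowerShell and reports settings that weaken protection. The set of flagged
# settings is this example's assumption of a hardened posture.
# Requires: Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$findings = New-Object System.Collections.Generic.List[string]

# Safe Links: URL rewriting and time-of-click scanning for email, Teams and Office clients.
foreach ($p in Get-SafeLinksPolicy) {
    if (-not $p.EnableSafeLinksForEmail)   { $findings.Add("SafeLinks '$($p.Name)': not enabled for email") }
    if (-not $p.EnableSafeLinksForTeams)   { $findings.Add("SafeLinks '$($p.Name)': not enabled for Teams") }
    if (-not $p.EnableSafeLinksForOffice)  { $findings.Add("SafeLinks '$($p.Name)': not enabled for Office apps") }
    if (-not $p.ScanUrls)                  { $findings.Add("SafeLinks '$($p.Name)': real-time URL scanning (ScanUrls) is off") }
    if (-not $p.EnableForInternalSenders)  { $findings.Add("SafeLinks '$($p.Name)': internal senders are not covered") }
    if ($p.AllowClickThrough)              { $findings.Add("SafeLinks '$($p.Name)': users can click through to blocked URLs") }
    if (-not $p.TrackClicks)               { $findings.Add("SafeLinks '$($p.Name)': click tracking is off (no investigation data)") }
}

# Safe Attachments: detonation sandbox. Anything other than Block or Dynamic Delivery lets the file through.
foreach ($p in Get-SafeAttachmentPolicy) {
    if (-not $p.Enable)                                    { $findings.Add("SafeAttachments '$($p.Name)': policy disabled") }
    if ($p.Action -notin @('Block','DynamicDelivery'))     { $findings.Add("SafeAttachments '$($p.Name)': action is '$($p.Action)'") }
}

# Anti-phishing: spoof and mailbox intelligence plus impersonation protection.
foreach ($p in Get-AntiPhishPolicy) {
    if (-not $p.EnableSpoofIntelligence)        { $findings.Add("AntiPhish '$($p.Name)': spoof intelligence off") }
    if (-not $p.EnableMailboxIntelligence)      { $findings.Add("AntiPhish '$($p.Name)': mailbox intelligence off") }
    if (-not $p.EnableTargetedUserProtection)   { $findings.Add("AntiPhish '$($p.Name)': user impersonation protection off") }
    if (-not $p.EnableFirstContactSafetyTips)   { $findings.Add("AntiPhish '$($p.Name)': first-contact safety tip off") }
    $findings.Add("AntiPhish '$($p.Name)': PhishThresholdLevel = $($p.PhishThresholdLevel) (review against your chosen preset)")
}

# A policy does nothing unless an enabled rule scopes it to recipients.
foreach ($r in Get-SafeLinksRule)       { if ($r.State -ne 'Enabled') { $findings.Add("SafeLinks rule '$($r.Name)' is $($r.State)") } }
foreach ($r in Get-SafeAttachmentRule)  { if ($r.State -ne 'Enabled') { $findings.Add("SafeAttachments rule '$($r.Name)' is $($r.State)") } }

if ($findings.Count -eq 0) { Write-Host "No weak Defender for Office 365 settings found." }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

The rule check at the end matters more than it looks: a tenant can have a perfectly hardened Safe Links policy that protects nobody because the rule that attaches it to users was never created or was disabled. Fixing a finding is the matching `Set-SafeLinksPolicy`, `Set-SafeAttachmentPolicy` or `Set-AntiPhishPolicy` call with the flagged parameter set to the desired value.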

7. Strengthen endpoint security with Intune

Microsoft Intune allows you to implement required security policies on managed devices. Proper configuration of Intune is a key component in overall M365 security. You can use Intune to enforce:

  • Device compliance policies
  • Application control
  • Encryption (BitLocker)
  • OS update and patch enforcement

8. Train staff to recognize phishing emails

Technological controls are essential to M365 security, but people remain the weakest link. Make sure your users are fully trained to recognize phishing emails. Here are some common phishing strategies that your users should be trained to recognize.

  • Urgent requests
  • Unexpected refunds and payments
  • Spear phishing
  • Whaling

Learn more here: 17 Phishing Email Examples.

Proper training here requires up-to-date information on what cybercriminals are doing today. That’s why many companies choose Phishing and Cybersecurity Awareness Training for Employees.

Hot tip: A new Security Copilot credit for M365 E5 customers empowers your organization to deploy the popular Phishing Triage Agent that brings AI power to scale the triage and classification of user‑reported phishing emails.

9. Apply Microsoft’s security baselines

To protect customers, Microsoft regularly updates its security baselines. These recommendations serve as hardened configuration templates for enterprise clients. Recent baselines include:

  • Excel File Block expansion (blocks external link files)
  • Blocking all non‑HTTPS protocols
  • Restricting unsafe automation tools (e.g., legacy OLE components)
  • PowerPoint and Excel macro hardening

You can deploy these baselines via Intune, Group Policy, or Office Cloud Policy Service.

10. Implement DLP and sensitivity labels

Data security is challenging in modern environments, but Microsoft has an answer. You can implement DLP (data loss prevention) and other forms of data protection through Microsoft Purview. Here are a few best practices for Purview as it relates to M365.

  • Implement DLP to detect and block inappropriate sharing of sensitive data across your M365 environment and applications.
  • Use Purview to gain visibility into your entire data landscape.
  • Apply sensitivity labels to data, either automatically or manually.
  • Implement encryption for sensitive emails and documents.
  • Use Purview for governance of Copilot access and data output.

You can license Microsoft Purview through M365 E5 or by adding the Microsoft Purview Suite to M365 E3 or Business Premium plans.

11. Harden Office applications and disable unsafe features

You can reduce the exploitable surface area in Office applications by following Microsoft’s latest baselines. In particular, you should block:

  • Legacy automation interfaces
  • Unsafe macros and ActiveX
  • External link file refreshes
  • Downgrade-prone protocols

12. Choose M365 managed security services

All the measures we’ve discussed so far are powerful.

But sometimes, they’re not enough.

The final defense is M365 managed security services designed specifically for your environment. Here at Corsica Technologies, our M365 customers enjoy dedicated security monitoring, threat response, and consulting that’s difficult to provide in-house.

Here’s what you can get when you choose Corsica for M365 security services.

  • M365 security strategy consulting
  • M365 optimization and management
  • M365 managed security services
  • 24/7 monitoring and threat response for M365
  • Enhanced productivity apps

The takeaway: Don’t wait to protect your M365 environment

Modern cybercriminals know M365 far too well. They know where to find loopholes, misconfigurations, and default settings that offer a way in. If you need help locking down M365, contact us. We’re a long-standing and proven Microsoft Solutions Partner for Security with specializations in Cloud Security, Identity and Access Management, and Threat Protection, and a member of the Microsoft Intelligent Security Association (MISA). We’ve helped 1,000+ customers solve their toughest problems with technology. Contact us today, and let’s secure your M365 environment.

John is Senior Director of Technology at Corsica Technologies. Awarded Microsoft MVP for 18 years (2007-2026), he is currently dual-awarded in Azure Management and Cloud Security. He is a certified Azure Solutions Architect Expert and Microsoft Cybersecurity Architect Expert. John co-authored the four books in the industry-standard reference series, System Center Operations Manager: Unleashed (Sams publishing). His most recent book ‘Azure Arc-Enabled Kubernetes and Servers’ was published by Apress. Specialties include Microsoft Sentinel/Defender XDR, Security Copilot, Defender for Cloud, Defender for IoT, Azure Monitor, and Azure Arc. He is a retired U.S. Navy Lt. Commander who served as Chief of Network Operations for NATO southern region and national Network Security Officer for the Navy Bureau of Personnel.
