
Although there are many best practice blogs for M365, we’ve noticed that most of them repeat advice from other blogs without providing important information about the critical security settings that can help prevent or minimize data breaches involving M365. This Microsoft 365 Security guide will focus on the shared responsibility model between your organization and Microsoft and overarching settings across products. At the end of the guide, we will also provide a free security tool that allows you to audit these settings automatically (and more) across 100s of SaaS platforms such as Microsoft 365, Salesforce, Zapier and more!
1. Review Global Admins Regularly
Microsoft 365 offers a variety of roles; some of the more used ones include Global Administrator (most privileged), SharePoint Administrator, User Administrator and others. Global Administrators can access your entire Microsoft 365 tenant, including modifying security settings and viewing any files or folders hosted in SharePoint or OneDrive. Limiting the number of Global Administrators and ensuring that no account used for day-to-day purposes (e.g., employee accounts used for emails) has this permission. This way, the impact is limited in the event of account compromise. For example, Unicoin, a Web3 company, got hacked, resulting in a 4-day lockout from their GSuite account and the theft of all their sensitive files. The damage could have been limited if they had created unique accounts for administrators not used for day-to-day activity. To ensure the security of these accounts used for administrative activities, create them with unique usernames and passwords (it can be an unlicensed user), remove administrative permissions from everyone else, and grant access following the concept of least privilege.
2. Disable User Consent for OAuth 2.0 Apps
Enabling users to approve OAuth 2.0 apps can expose your Microsoft 365 environment to security risks, such as consent phishing attacks. These attacks deceive users into granting permissions to malicious apps by creating legitimate-looking applications (e.g. a productivity integration), which can result in unauthorized access to company data. By preventing user consent for OAuth apps, you can evaluate the apps users try to consent to, allowing you to investigate the application and determine if it should have access to your company data.
- Free Cybersecurity Training for Employees (Consent Phishing + Other Attacks)
- Configure how users consent to applications (Microsoft Learn)
- Managing user consent to apps in Microsoft 365 (Microsoft Learn)
Free Cybersecurity Training for Employees (Consent Phishing + Other Attacks) Configure how users consent to applications (Microsoft Learn) Managing user consent to apps in Microsoft 365 (Microsoft Learn)
3. Require MFA for Guests
Guests may use personal or non-compliant email accounts that do not follow governance policies or best practices. It is essential to enforce Multifactor Authentication (MFA) in case their accounts get compromised and they attempt to access a resource shared by someone on your team. This can be achieved by creating a conditional access policy that targets guest users (B2B collaboration guest users and B2B collaboration member users), selecting the “Require multifactor authentication” checkbox, and enabling the policy. This will mandate guests to enroll in MFA before accessing any company information, whether it’s shared content via OneDrive, SharePoint, or a Microsoft Teams channel. Unfortunately, this feature requires a premium license and may not be visible to users on a basic M365 license.
Create a more secure guest sharing environment (Microsoft Learn)
Email spoofing is a common tactic used in phishing attacks, where attackers send emails that appear to come from a trusted source. By configuring DMARC (Domain-based Message Authentication, Reporting & Conformance), DKIM (Domain Keys Identified Mail) & SPF (Sender Policy Framework), you can authenticate your domain’s emails and reduce the likelihood of spoofing emails sent to mimic your domain (and resulting in less phishing emails getting through). Each step is configured by adding TXT records to your DNS provider, and the relevant links are included below. Despite DMARC/SPF/DKIM keeping phishing emails out, the reality is that phishing emails will still get through and end up compromising your users. This is where WatchDog Security’s email firewall excels – included with every paid subscription (in addition to various other tools) we can effectively keep 99.2% of phishing emails out of your inbox resulting in reduced risk of successful social engineering or phishing attacks against your user.
- Set up DMARC to validate the From address domain for senders in Microsoft 365 (MS Learn)
- Set up DKIM to sign mail from your Microsoft 365 domain (Microsoft Learn)
- Set up SPF to identify valid email sources for your Microsoft 365 domain (Microsoft Learn)
Set up DMARC to validate the From address domain for senders in Microsoft 365 (MS Learn) Set up DKIM to sign mail from your Microsoft 365 domain (Microsoft Learn) Set up SPF to identify valid email sources for your Microsoft 365 domain (Microsoft Learn)
5. Disable Insecure MFA methods (e.g. SMS)
While using MFA is better than not using it, there are more secure options than the traditional SMS-based MFA code. Relying on text or phone call verification can expose users to risks such as SIM swapping, where an attacker steals your identity to get your phone carrier to issue a new SIM card, thereby gaining access to your phone calls and text messages. This, combined with them having your credentials, renders MFA ineffective. Thankfully, M365 allows you to specify which types of MFA are available to your users. We recommend enabling only Verification code from a mobile app or hardware token, as even notification through a mobile app can make users vulnerable to attacks such as MFA fatigue/exhaustion, where an attacker repeatedly requests access until the user agrees. While configuring this, you can also disable the creation of app passwords (an insecure way to authenticate) and disable the option to remember MFA on trusted devices, assuming a zero-trust model.
- Set up multifactor authentication for Microsoft 365 (Microsoft Learn)
- Implementing Phishing-Resistant MFA (Cybersecurity & Infrastructure Security Agency)
- Defend your users from MFA fatigue attacks (Microsoft Entra Blog)
Set up multifactor authentication for Microsoft 365 (Microsoft Learn) Implementing Phishing-Resistant MFA (Cybersecurity & Infrastructure Security Agency) Defend your users from MFA fatigue attacks (Microsoft Entra Blog)
6. Set Default Sharing Behavior
By default, when a new file is shared, it is set to be accessible to anyone or only to people in your organization, which could potentially expose sensitive data. Instead, businesses should configure M365 to automatically disable sharing new files and require users to manually share files with specific users, reinforcing the concept of least privilege. When editing default sharing behaviour, you can also securely set external sharing and the default permission when sharing links (e.g., view). You can also expire access after 90 days (or a predefined period), eliminating the need to remember to remove users who no longer need access manually. This can also help enforce your data management policy (if it exists) by restricting access to potentially confidential or internally classified data.
- Manage sharing settings for SharePoint and OneDrive in Microsoft 365
- Crafting & Implementing A Data Management Policy
Manage sharing settings for SharePoint and OneDrive in Microsoft 365 Crafting & Implementing A Data Management Policy
Allowing communication with unmanaged Teams accounts can expose your organization to potential data leaks and security breaches. By restricting Teams messaging to only accounts managed by your organization, you maintain control over your communication channels and ensure that sensitive information stays within your trusted network. While this seems restricve, you have the ability to manually add domains which messaging can be allowed with to help aliverate some of the downsides wieh enabling this. A news article by BleepingComputer dived into research by Checkpoint which showed a clear pattern of guest users (or unmanaged accounts) impersonating valid users (or trusted third parties like an IT partner) to message their users and gain unauthorized access.
Manage external meetings and chat with people and organizations using Microsoft identities
Total visibility. Zero blind spots. WatchDog helps you monitor every user, service account, and system across Cloud, SaaS, and devices -flagging misconfigurations and risks the moment they arise.
- ➕ Asset management – Add and track your own assets easily across Cloud, SaaS + On-Prem
- Identity monitoring – Limited to Google Workspace & M365 Non-Human Identities on free plan
- 🔧 SaaS + Cloud hardening checks – Spot misconfigurations before they become risks
Get started free today – no credit card required.
- Microsoft 365 for business security best practices (Microsoft Documentation)
- Microsoft Office 365 Security Recommendations (Cybersecurity & Infrastructure Security Agency)
Microsoft 365 for business security best practices (Microsoft Documentation) Microsoft Office 365 Security Recommendations (Cybersecurity & Infrastructure Security Agency)

