M365 Security Basics

The question is not whether you are using Microsoft 365 (formerly Office 365), but whether you are using it securely. Microsoft has steadily improved the default security settings, but it still takes some experience to get it 100% there. The number of attacks on M365 is astounding, particularly phishing attempts to gain user passwords. You can review three M365 Security Basics here to ensure you don’t get compromised.

Security Defaults

This is a big shift from the configure-what-you-want security attitude of prior M365 services. Today, any new tenant will be created with Security Defaults enabled by default. It is important to understand what these settings are as they will likely impact some of your users on older devices and definitely impact older scan-to-email devices.

Some planning needs to be done before flipping the switch here, including reviewing which legacy protocols are in use, which users are not using MFA, and whether any services you utilize require the use of app passwords. This can all be accomplished in the Azure AD portal. Once any issues are remediated, flipping the switch is easy!
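As an added example (not part of the original article), the script below runs the legacy-protocol and MFA parts of that review over a sign-in log export. It assumes a JSON export whose records carry the Microsoft Graph sign-in fields `userPrincipalName`, `clientAppUsed`, `authenticationRequirement` and `status.errorCode`; the sample records and the `readiness_report` helper are constructed for illustration, and app-password use is not covered.

```python
import json
from collections import defaultdict

# clientAppUsed values reported for modern authentication; any other value
# (IMAP4, POP3, Authenticated SMTP, ...) is treated here as a legacy protocol.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

def _rec(user, client, requirement, error_code=0):
    """Build one constructed sign-in record using Graph signIn field names."""
    return {"userPrincipalName": user, "clientAppUsed": client,
            "authenticationRequirement": requirement,
            "status": {"errorCode": error_code}}

# Constructed sample data, not taken from any real tenant.
SAMPLE_EXPORT = json.dumps([
    _rec("alice@contoso.example", "Browser", "multiFactorAuthentication"),
    _rec("scanner@contoso.example", "Authenticated SMTP", "singleFactorAuthentication"),
    _rec("bob@contoso.example", "IMAP4", "singleFactorAuthentication"),
    _rec("bob@contoso.example", "Mobile Apps and Desktop clients", "singleFactorAuthentication"),
    _rec("carol@contoso.example", "Exchange ActiveSync", "singleFactorAuthentication", 50126),
])

def readiness_report(export_json):
    """Return users depending on legacy protocols and users never asked for MFA."""
    legacy = defaultdict(set)   # user -> legacy protocols seen
    mfa_seen = {}               # user -> True once an MFA-required sign-in is seen
    for rec in json.loads(export_json):
        # Assumption: only successful sign-ins show a working dependency.
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        user = rec["userPrincipalName"].lower()
        client = rec.get("clientAppUsed") or "Unknown"  # blank values need review
        if client not in MODERN_CLIENTS:
            legacy[user].add(client)
        is_mfa = rec.get("authenticationRequirement") == "multiFactorAuthentication"
        mfa_seen[user] = mfa_seen.get(user, False) or is_mfa
    return {
        "legacy": {u: sorted(p) for u, p in sorted(legacy.items())},
        "no_mfa": sorted(u for u, seen in mfa_seen.items() if not seen),
    }

if __name__ == "__main__":
    print(json.dumps(readiness_report(SAMPLE_EXPORT), indent=2))
```

Accounts listed under `legacy` (typically scan-to-email devices and older mail clients) are the ones to remediate before Security Defaults is switched on.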

A word of caution: this is a preconfigured set of options that are not independently changeable. The reality is that most organizations will want to step up to using both Intune and the more advanced security options provided in the Microsoft 365 Business Premium plan.

Microsoft Secure Score

This is an excellent tool to understand where your M365 security posture is. You will need to use an account with global administrator privileges to access your Secure Score. This tool will provide recommendations, guidance, and reports related to your configuration settings in M365.

It is important to understand what impact any setting change will have before making it. Flipping the switch on some of these items will cause end-user connectivity issues, so plan ahead! There are also many settings that will require additional licenses to enable. This is where a partner can assess your business risk and determine if this level of protection is needed.


Passwords are useless as a security factor. Guidance today is NOT to even rotate them but to enable MFA so that you are truly secure. This has been covered HERE and in other places many times. It is very surprising how many organizations on M365 still have not enabled this basic protection. Don’t be one of them!

The Microsoft 365 platform has many advanced security features, but it requires experience and planning to implement them correctly. Security Defaults is a big step forward for smaller organizations that have a basic set of needs, and we encourage you to talk with an experienced partner to see if it will work for you!