Microsoft 365 ships with an extensive set of security controls. The problem is that many of them are disabled by default, buried inside the Defender portal, or require additional licensing to activate. Left unconfigured, a Microsoft 365 tenant is significantly more vulnerable than it needs to be.
This checklist covers the most important security controls across six categories. Work through each section systematically. Where a control requires a specific licence tier, we have noted it so you can plan accordingly.
This checklist reflects the state of Microsoft 365 security defaults and configuration options as of January 2026. Microsoft updates these interfaces regularly. Verify exact menu paths in your tenant before acting on any step.
Category 1: Identity and Authentication
- Enable Multi-Factor Authentication for all users: Navigate to Entra ID, then Security, then Authentication Methods. Ensure MFA is enforced for every account, including service and admin accounts. Security Defaults enable MFA automatically for new tenants but may not cover all account types.
- Configure Conditional Access policies: Security Defaults and Conditional Access are mutually exclusive. If you have licences for Conditional Access (included in Entra ID P1 and above), disable Security Defaults and implement targeted policies instead. At minimum, require MFA for all users and block legacy authentication protocols.
- Block legacy authentication: Protocols like POP, IMAP, and SMTP AUTH do not support MFA. Create a Conditional Access policy that blocks all requests using legacy authentication clients. This single change eliminates a large category of credential stuffing attacks.
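The Conditional Access and legacy-authentication items above, as an added example that is not part of the original checklist: it creates the block policy through the Microsoft Graph PowerShell module in report-only mode first, then summarises recent legacy sign-ins so you can see what enforcement would break. The break-glass group ID is a placeholder and Entra ID P1 is assumed.

```powershell
# Added example, not part of the original checklist. Creates the "block legacy
# authentication" Conditional Access policy in report-only mode, then summarises
# recent legacy sign-ins so you can see what enforcement would break.
# Assumes: Entra ID P1, the Microsoft.Graph module, Conditional Access admin rights.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Directory.Read.All"

# Placeholder: object ID of your emergency-access (break-glass) group, excluded from every CA policy.
$breakGlassGroupId = "<break-glass-group-object-id>"

$policy = @{
    displayName   = "Block legacy authentication"            # name is our choice
    state         = "enabledForReportingButNotEnforced"      # report-only first; set to "enabled" to enforce
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        # The two client types that cannot complete MFA: ActiveSync and "other" (POP, IMAP, SMTP AUTH, ...).
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State

# Who still uses legacy clients? Anything other than browser and modern desktop/mobile apps.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients") } |
    Group-Object ClientAppUsed, UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Leave the policy in report-only mode until the sign-in summary shows only traffic you are prepared to break, then change `state` to `enabled`.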
- Protect privileged accounts with dedicated admin accounts: Global Administrators should use accounts that are separate from their day-to-day user accounts. Privileged Identity Management (PIM), available with Entra ID P2, enables just-in-time admin access with approval workflows.
- Review Global Administrator count: Fewer than five Global Administrators is the recommended baseline for most organisations. Review the Roles section in the Admin Centre and remove unnecessary admin role assignments across all built-in roles.
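The MFA and Global Administrator items above, as an added example that is not part of the original checklist: it lists the active Global Administrator assignments with the Microsoft Graph PowerShell module, compares the count to the fewer-than-five baseline, and flags any admin who has no MFA method registered.

```powershell
# Added example, not part of the original checklist. Lists active Global Administrator
# assignments, checks the count against the "fewer than five" baseline and flags any
# admin with no MFA method registered. Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Get-MgDirectoryRole returns activated roles only; Global Administrator is always activated.
# Only active assignments appear here; PIM-eligible ones need
# Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance.
$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)

# MFA registration state for every user, keyed by user object ID.
$regById = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object { $regById[$_.Id] = $_ }

$report = foreach ($m in $members) {
    # Role members come back as generic directory objects; user fields live in AdditionalProperties.
    $reg = $regById[$m.Id]
    $mfa = if ($reg) { $reg.IsMfaRegistered } else { $null }   # $null = not a user (e.g. a service principal)
    [pscustomobject]@{
        ObjectId          = $m.Id
        Type              = ($m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
        UserPrincipalName = $m.AdditionalProperties['userPrincipalName']
        MfaRegistered     = $mfa
    }
}
$report | Format-Table -AutoSize

if ($members.Count -ge 5) {
    Write-Warning ("{0} Global Administrators are assigned; the baseline is fewer than five." -f $members.Count)
}
$report | Where-Object { $_.MfaRegistered -eq $false } | ForEach-Object {
    Write-Warning ("Global Administrator {0} has no MFA method registered." -f $_.UserPrincipalName)
}
```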
- Enable Self-Service Password Reset: SSPR reduces helpdesk burden and ensures users can recover accounts without requiring an admin to intervene. Configure authentication methods and registration requirements in Entra ID.
Category 2: Email Security
- Verify SPF, DKIM, and DMARC records are configured: All three email authentication standards should be active for your domain. SPF prevents spoofing, DKIM ensures message integrity, and DMARC gives you policy control over authentication failures. Use MXToolbox or the Microsoft Defender email authentication reporting to verify.
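A scripted version of the DNS check above, added here and not part of the original checklist: it reads the SPF, DKIM and DMARC records for a domain with `Resolve-DnsName` (Windows DnsClient module) and reports the gaps that leave the domain spoofable. The domain name is a placeholder.

```powershell
# Added example, not part of the original checklist. Reads the SPF, DKIM and DMARC
# records for a domain and reports the gaps. Resolve-DnsName is Windows-only.
function Test-EmailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)
    $findings = [System.Collections.Generic.List[string]]::new()

    # SPF lives in the domain's TXT records; there must be exactly one v=spf1 record.
    $spf = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' })
    if ($spf.Count -ne 1) { $findings.Add("SPF: expected 1 record, found $($spf.Count)") }
    elseif ($spf[0] -notmatch 'include:spf\.protection\.outlook\.com') { $findings.Add("SPF: Exchange Online include is missing") }
    elseif ($spf[0] -match '\+all|\?all') { $findings.Add("SPF: '$($Matches[0])' lets any host send as you") }
    elseif ($spf[0] -notmatch '-all\s*$') { $findings.Add("SPF: ends in softfail (~all); consider -all once DMARC reports are clean") }

    # DKIM for Microsoft 365 is published as two CNAMEs, selector1 and selector2.
    foreach ($sel in 'selector1', 'selector2') {
        $cname = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        if (-not $cname) { $findings.Add("DKIM: $sel._domainkey.$Domain does not resolve") }
    }

    # DMARC: p= is the policy. none only monitors; quarantine and reject actually enforce.
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    if (-not $dmarc) { $findings.Add("DMARC: no record at _dmarc.$Domain") }
    elseif ($dmarc -match '\bp=none') { $findings.Add("DMARC: p=none only reports; move to quarantine or reject") }
    if ($dmarc -and $dmarc -notmatch 'rua=') { $findings.Add("DMARC: no rua= address, so you receive no aggregate reports") }

    [pscustomobject]@{ Domain = $Domain; SPF = ($spf -join ''); DMARC = $dmarc; Findings = $findings }
}

Test-EmailAuthRecords -Domain 'example.com'   # placeholder: replace with your own domain
```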
- Enable Anti-Phishing policies in Defender: In Microsoft Defender for Microsoft 365, navigate to Email and Collaboration, then Policies, then Anti-Phishing. Enable impersonation protection for your domain and key executives. Set the phishing threshold to Aggressive for high-risk environments.
- Configure Safe Links and Safe Attachments: Available with Defender for Microsoft 365 Plan 1. Safe Links rewrites URLs and scans them at click time. Safe Attachments detonates email attachments in a sandbox before delivery. Enable both and apply them to all recipients.
- Disable automatic email forwarding to external addresses: In Exchange Online admin, set the outbound spam filter to block or audit automatic email forwarding. This prevents a compromised account from silently forwarding all email to an attacker.
- Review mail connectors and transport rules: Attackers who gain admin access often create transport rules to exfiltrate email. Review existing connectors and rules in Exchange Admin Centre regularly and remove any that are unauthorised.
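The forwarding and transport-rule items above, as an added example that is not part of the original checklist: using the ExchangeOnlineManagement module it switches off automatic external forwarding in the outbound spam policy and then hunts for the three places a forwarding path is usually left behind (mailbox forwarding, inbox rules, transport rules).

```powershell
# Added example, not part of the original checklist. Switches off automatic external
# forwarding at tenant level, then hunts for the places a compromised account or
# admin typically leaves a forwarding path behind. Assumes the
# ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline

# 1. Tenant control. Off blocks auto-forwarding outside the tenant; the default "Automatic"
#    leaves the decision to Microsoft and is not a guarantee.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

$internalDomains = (Get-AcceptedDomain).DomainName
$mailboxes = Get-Mailbox -ResultSize Unlimited

# 2. Mailbox-level forwarding (set with Set-Mailbox or in the admin centre).
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Inbox rules that forward or redirect to an address outside the accepted domains.
#    Rule recipients look like: "Name" [SMTP:user@example.net]; internal ones use EX: addresses.
$ruleFindings = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets  = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
            $external = foreach ($t in $targets) {
                if ("$t" -match 'SMTP:[^@\]]+@([^\]]+)\]' -and $Matches[1] -notin $internalDomains) { $Matches[1] }
            }
            if ($external) {
                [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = $_.Name; Enabled = $_.Enabled; ExternalDomains = ($external -join ', ') }
            }
        }
}
$ruleFindings | Format-Table -AutoSize

# 4. Transport rules that redirect or BCC mail: the persistence method the checklist warns about.
Get-TransportRule | Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo } |
    Select-Object Name, State, WhenChanged, RedirectMessageTo, BlindCopyTo
```

Step 3 calls `Get-InboxRule` once per mailbox, so on a large tenant expect it to take a while; schedule it rather than running it interactively.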
Category 3: Data Protection
- Create Data Loss Prevention policies: Available in the Microsoft Purview compliance portal. Create DLP policies that detect and block sharing of sensitive data types — credit card numbers, social security numbers, health records — via email, Teams, and SharePoint.
- Configure sensitivity labels: Sensitivity labels apply persistent encryption and access restrictions to documents and emails. Define a label taxonomy matching your organisation's data classification requirements and publish it to users via the Purview Information Protection settings.
- Review SharePoint external sharing settings: Navigate to the SharePoint Admin Centre and review tenant-wide external sharing settings. For most businesses, restricting sharing to existing guests and verified domains is appropriate. Avoid the Anyone with a link setting unless your use case specifically requires it.
Category 4: Device Management
- Enable Intune device compliance policies: Require devices accessing Microsoft 365 to be enrolled in Intune and meet compliance baselines — OS version requirements, disk encryption, password complexity, and screen lock timers. Use Conditional Access to enforce compliance before granting resource access.
- Configure mobile application management for BYOD: For organisations where employees use personal devices, Intune App Protection Policies can protect Microsoft 365 data without enrolling the entire device. These policies prevent copy and paste between managed and unmanaged apps and enforce PIN requirements.
Category 5: Monitoring and Audit Logging
- Confirm audit logging is enabled: Microsoft 365 unified audit logging should be active. Verify in the Microsoft Purview compliance portal under Audit. Audit logs capture user and admin activity across Exchange, SharePoint, Teams, and Entra ID. Retention periods vary by licence.
- Set up alert policies for critical admin actions: In the Microsoft Purview or Defender portal, create alert policies that notify your security team when high-risk actions occur — global admin role assignments, mail flow rule creation, large-scale data downloads, and sign-ins from unusual locations.
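The audit-logging and alerting items above, as an added example that is not part of the original checklist: with the ExchangeOnlineManagement module it confirms unified audit logging is on and then pulls the last seven days of the admin actions the checklist names as high risk (role assignments, mail flow and inbox rule changes, forwarding changes, app consents). The operation names are the ones the unified audit log uses.

```powershell
# Added example, not part of the original checklist. Confirms unified audit logging is
# on, then searches the last 7 days for high-risk admin actions. Assumes the
# ExchangeOnlineManagement module and the Audit Logs (or View-Only Audit Logs) role.
Connect-ExchangeOnline

$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is OFF; enabling it now. Activity before this point was not recorded."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Operation names as they appear in the unified audit log. The Entra ID ones end in a
# period, which is part of the name.
$riskyOps = @(
    'Add member to role.',                                   # directory role assignment (e.g. Global Administrator)
    'New-TransportRule', 'Set-TransportRule',                # mail flow rules
    'New-InboxRule', 'Set-InboxRule',                        # user inbox rules
    'Set-Mailbox',                                           # forwarding changes land here; filtered below
    'Consent to application.', 'Add app role assignment grant to user.'   # OAuth consent
)

$end   = Get-Date
$start = $end.AddDays(-7)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $riskyOps -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        # Keep Set-Mailbox only when it touched forwarding, to cut noise from routine admin edits.
        if ($_.Operations -eq 'Set-Mailbox' -and
            -not ($d.Parameters.Name -contains 'ForwardingSmtpAddress' -or $d.Parameters.Name -contains 'ForwardingAddress')) { return }
        # Exchange events carry ObjectId; Entra ID events carry a Target array.
        $target = if ($d.ObjectId) { $d.ObjectId } else { ($d.Target.ID -join ' ') }
        [pscustomobject]@{
            When      = $_.CreationDate
            Operation = $_.Operations
            Actor     = $_.UserIds
            Target    = $target
            ClientIP  = $d.ClientIP
        }
    }

$events | Sort-Object When -Descending | Format-Table -AutoSize
```

The same operation names are what you select when building the matching alert policies in the Purview or Defender portal, so the script doubles as a way to see how noisy each alert would be before you enable it.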
- Review Secure Score and action plan: Microsoft Secure Score in the Defender portal provides a quantified assessment of your security posture and a prioritised list of improvement actions. Review it monthly and work through the highest-impact recommendations.
Category 6: App and Third-Party Access
- Review OAuth app consents: In Entra ID under Enterprise Applications, review all applications that have been granted access to your tenant. Revoke permissions for any application that is unrecognised or no longer in use. Consider requiring admin consent for all new app registrations.
- Disable user consent to apps from unverified publishers: By default, users can grant third-party applications access to their Microsoft 365 data. Change the user consent settings in Entra ID to require admin approval for applications from unverified publishers, or restrict all user consent.
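The two app-consent items above, as an added example that is not part of the original checklist: using the Microsoft Graph PowerShell module it lists the delegated OAuth grants in the tenant, highlights unverified publishers holding mailbox, file or directory scopes, and shows both tenant settings the checklist offers (verified publishers only, or no user consent at all). The broad-scope list is our own judgement call.

```powershell
# Added example, not part of the original checklist. Reviews delegated OAuth grants and
# sets the user-consent policy. Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.ReadWrite.All", "Policy.ReadWrite.Authorization"

# Delegated scopes that give an app mailbox, file or directory-wide reach (our list; tune to your risk appetite).
$broadScopes = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.ReadWrite.All', 'Sites.ReadWrite.All', 'Directory.ReadWrite.All'

$spById = @{}
Get-MgServicePrincipal -All | ForEach-Object { $spById[$_.Id] = $_ }

# Oauth2PermissionGrant covers delegated permissions; application permissions are separate
# (Get-MgServicePrincipalAppRoleAssignment) and deserve the same review.
$grants = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $client = $spById[$_.ClientId]
    $scopes = $_.Scope -split ' ' | Where-Object { $_ }
    [pscustomobject]@{
        App               = $client.DisplayName
        Publisher         = $client.PublisherName
        VerifiedPublisher = [bool]$client.VerifiedPublisher.VerifiedPublisherId
        ConsentType       = $_.ConsentType            # AllPrincipals = admin consent for everyone; Principal = one user
        Resource          = $spById[$_.ResourceId].DisplayName
        BroadScopes       = (($scopes | Where-Object { $_ -in $broadScopes }) -join ' ')
        GrantId           = $_.Id
    }
}

# Unverified publisher plus a broad scope is the combination that needs a human decision.
$grants | Where-Object { -not $_.VerifiedPublisher -and $_.BroadScopes } |
    Sort-Object App | Format-Table App, Publisher, ConsentType, Resource, BroadScopes, GrantId -AutoSize

# Revoke a grant once reviewed (placeholder id taken from the GrantId column):
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId '<grant-id-from-table>'

# Tenant setting. Option 1: users may consent only to low-impact permissions from verified publishers.
$verifiedOnly = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
# Option 2: an empty list disables all user consent, so every new app needs admin approval.
$noUserConsent = @()

Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = $noUserConsent }   # or $verifiedOnly
}
```

Pair option 2 with the admin consent workflow in Entra ID, otherwise users have no sanctioned route to request an app and will look for unsanctioned ones.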
- Restrict Teams external access and guest access: In the Teams Admin Centre, review external access (federation with other Teams organisations) and guest access settings. Both can expand your attack surface significantly if left at defaults. Ensure guests cannot access directory information and that meeting lobby settings are appropriately restricted.