Office 365 Security Best Practices Guide. In 2025, Office 365 (now Microsoft 365) continues to be the dominant productivity platform used by organizations around the world. With this popularity comes increasing threats from cyberattacks, phishing campaigns, and unauthorized access. As an IT admin, your responsibility is to ensure your tenant is configured securely to reduce risk while maintaining usability.
This guide walks step by step through the most important security best practices for securing Microsoft 365 in 2025: how to implement each one in the portal and in PowerShell, and how each maps to the CIS Microsoft 365 Foundations Benchmark, NIST SP 800-53 and ISO/IEC 27001. The control references are indicative; numbering differs between framework versions, so confirm the exact control IDs against the version your auditor uses.
Office 365 Security Best Practices Guide (Step by Step)

1. Enable Multi-Factor Authentication (MFA)
Why?
MFA significantly reduces the risk of credential compromise. According to Microsoft, MFA can block over 99.9% of account compromise attacks. Without MFA, credentials stolen through phishing, password spraying, or brute force can be used to access your tenant without resistance. Prefer phishing-resistant methods (passkeys/FIDO2, Windows Hello for Business, certificate-based authentication) over SMS and voice, which adversary-in-the-middle phishing kits can relay in real time.
1.1 Enable Office 365 MFA
1. Sign in to the Microsoft Entra admin center: https://entra.microsoft.com
2. Navigate to Protection > Conditional Access
3. Create a new policy:
- Assign to All users (exclude break-glass accounts)
- Target All cloud apps (newer tenants label this All resources)
- Conditions: leave sign-in risk unset. A sign-in risk condition makes the policy fire only on risky sign-ins; put risk-based controls in a separate policy so the baseline stays unconditional.
- Access controls: Grant access > Require multi-factor authentication
4. Enable the policy. Start in Report-only mode and review the sign-in log impact before switching to On.
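Before adding a policy, it is worth checking what the tenant already has. The following PowerShell function is an added example, not code from the original guide: it evaluates a set of Conditional Access policies for the baseline the steps above describe (an enabled policy covering All users and All cloud apps that requires MFA and excludes at least one break-glass account or group) and flags the two common mistakes, a sign-in risk condition on the baseline and a policy left in report-only mode. It runs offline against constructed sample policies shaped like the objects `Get-MgIdentityConditionalAccessPolicy` returns; the policy names and the placeholder object ID are made up.

```powershell
# Added example: check Conditional Access policies for the "MFA for all users" baseline.
# Input objects have the shape returned by Get-MgIdentityConditionalAccessPolicy -All.
function Test-MfaBaseline {
    param([Parameter(Mandatory)] [object[]] $Policies)

    $findings = [System.Collections.Generic.List[string]]::new()
    $baseline = @($Policies | Where-Object {
        $_.State -eq 'enabled' -and
        $_.Conditions.Users.IncludeUsers -contains 'All' -and
        $_.Conditions.Applications.IncludeApplications -contains 'All' -and
        $_.GrantControls.BuiltInControls -contains 'mfa'
    })
    if ($baseline.Count -eq 0) {
        $findings.Add('No enabled policy requires MFA for All users on All cloud apps.')
    }
    foreach ($p in $baseline) {
        # A sign-in risk condition makes the policy fire only on risky sign-ins, so it is not a baseline.
        if ($p.Conditions.SignInRiskLevels.Count -gt 0) {
            $findings.Add("'$($p.DisplayName)' is scoped to sign-in risk levels; keep the baseline unconditional.")
        }
        # Without an exclusion, a broken policy or an MFA outage locks out every administrator.
        if ($p.Conditions.Users.ExcludeUsers.Count -eq 0 -and $p.Conditions.Users.ExcludeGroups.Count -eq 0) {
            $findings.Add("'$($p.DisplayName)' excludes no break-glass account or group.")
        }
    }
    # Report-only is the right place to start, but it enforces nothing.
    foreach ($p in $Policies | Where-Object State -eq 'enabledForReportingButNotEnforced') {
        $findings.Add("'$($p.DisplayName)' is still report-only.")
    }
    return $findings
}

# Constructed sample policies (not real tenant data); the GUID is a placeholder.
$samplePolicies = @(
    [pscustomobject]@{
        DisplayName   = 'Require MFA for all users'
        State         = 'enabled'
        Conditions    = [pscustomobject]@{
            Users            = [pscustomobject]@{ IncludeUsers = @('All'); ExcludeUsers = @(); ExcludeGroups = @() }
            Applications     = [pscustomobject]@{ IncludeApplications = @('All') }
            SignInRiskLevels = @('medium', 'high')
        }
        GrantControls = [pscustomobject]@{ Operator = 'OR'; BuiltInControls = @('mfa') }
    },
    [pscustomobject]@{
        DisplayName   = 'Block legacy authentication'
        State         = 'enabledForReportingButNotEnforced'
        Conditions    = [pscustomobject]@{
            Users            = [pscustomobject]@{ IncludeUsers = @('All'); ExcludeUsers = @('00000000-0000-0000-0000-000000000001'); ExcludeGroups = @() }
            Applications     = [pscustomobject]@{ IncludeApplications = @('All') }
            SignInRiskLevels = @()
        }
        GrantControls = [pscustomobject]@{ Operator = 'OR'; BuiltInControls = @('block') }
    }
)

Test-MfaBaseline -Policies $samplePolicies
# Against a live tenant: Connect-MgGraph -Scopes 'Policy.Read.All'; Test-MfaBaseline -Policies (Get-MgIdentityConditionalAccessPolicy -All)
```

On the sample data the function returns three findings: the MFA policy is scoped to sign-in risk, it has no break-glass exclusion, and the legacy-auth policy is still report-only. An empty list means the baseline is in place.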
1.2 PowerShell Script
If you have no Entra ID P1 licence for Conditional Access, the equivalent baseline is Security Defaults, which you can turn on with Microsoft Graph PowerShell. The two are mutually exclusive: Security Defaults cannot be enabled while Conditional Access policies exist, so on P1/P2 tenants use the Conditional Access policy from 1.1 instead.
# Enable Security Defaults (tenant-wide MFA registration and enforcement; no Conditional Access)
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled $true
# Verify the setting took effect
(Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
1.3 MFA Compliance Mapping
Having MFA enabled in your tenant will meet the following compliance controls:
CIS Control 4.5 – Implement Multi-Factor Authentication (MFA): Use MFA to secure access to sensitive data and administrative accounts.
NIST 800-53 IA-2(1) – Identification and Authentication | Multi-factor Authentication to Privileged Accounts: Requires MFA for privileged account access (IA-2(2) extends the requirement to non-privileged accounts).
ISO 27001 A.9.4.2 – Secure log-on procedures: Mandates strong authentication procedures.
2. Disable Legacy Authentication
Why?
Legacy (basic) authentication, used by older IMAP, POP3, SMTP AUTH and Exchange ActiveSync clients and by older Office applications, sends only a username and password and cannot prompt for MFA, so it is the standard route for password-spray attackers to get around an MFA policy. Microsoft disabled basic authentication in Exchange Online for every protocol except SMTP AUTH in 2023; block what remains with Conditional Access and turn off SMTP AUTH for mailboxes that do not need it.
2.1 Steps to Disable Legacy Authentication
- In the Microsoft Entra admin center, open Monitoring & health > Sign-in logs and filter Client app to the legacy protocols (or use the "Sign-ins using legacy authentication" workbook)
- Identify usage by app and user, and migrate or retire those clients first.
- Create a Conditional Access policy:
- Assign to All users (exclude break-glass accounts)
- Target All cloud apps
- Client apps: Exchange ActiveSync clients and Other clients
- Access controls: Block access
- Run the policy in Report-only mode before enforcing it.
2.2 PowerShell Script
If you wish to disable legacy authentication using a PowerShell script, try this:
# Block legacy authentication via Conditional Access (requires Microsoft Entra ID P1)
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
$policy = @{
    displayName = "Block Legacy Authentication"
    # Start in report-only, review the sign-in log impact, then change to "enabled"
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-object-id>")   # replace with the real object IDs
        }
        applications = @{ includeApplications = @("All") }
        # Both client app types count as legacy authentication
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
# Also turn off SMTP AUTH tenant-wide; re-enable per mailbox with Set-CASMailbox -SmtpClientAuthenticationDisabled $false where a device needs it
Connect-ExchangeOnline; Set-TransportConfig -SmtpClientAuthenticationDisabled $true
2.3 Disable Legacy Auth Compliance Mapping
Disabling legacy authentication in your Microsoft 365 tenant will meet the following compliance controls:
CIS Control 4.6 – Disable Legacy Authentication Protocols: Legacy auth methods should be disabled as they don’t support secure authentication.
NIST 800-53 SC-12 – Cryptographic Key Establishment: Recommends secure protocols for encryption and authentication.
ISO 27001 A.13.1.1 – Network controls: Encourages the use of secure network protocols.
3. Protect Azure Admin Accounts
Why?
Global Administrator accounts have unrestricted access to the tenant. If one is compromised, attackers can exfiltrate data, disable security settings, create backdoor accounts, or delete resources.
3.1 Steps to protect M365/Azure Admin Accounts
Create dedicated, cloud-only admin accounts that are not used for mail or daily work.
Target them in Conditional Access through their directory roles rather than by user, and exclude only the break-glass accounts.
Apply a strict Conditional Access policy for directory roles:
Require a compliant or Microsoft Entra hybrid joined device (ideally a dedicated privileged access workstation)
Require MFA, preferably a phishing-resistant method via the authentication strength grant control
Block from risky locations or high sign-in risk
Enable Privileged Identity Management (PIM) so admins hold roles as eligible and activate them just in time, with MFA and a justification on activation.
Keep at least two break-glass accounts excluded from every policy, with long random passwords stored offline and an alert on any sign-in.
Conditional Access policy templates for administrators can be found at: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=protect-administrator
3.2 PowerShell Script
To use PowerShell instead, first list who currently holds Global Administrator, then create a Conditional Access policy that targets the role:
# List Global Administrators. This is an Entra directory role, not an Azure RBAC role,
# so Get-AzRoleAssignment would not find it.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Policy.ReadWrite.ConditionalAccess'
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator role template ID
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id |
    Select-Object Id, @{n='UserPrincipalName'; e={$_.AdditionalProperties.userPrincipalName}}

# Create Conditional Access policy to restrict admin access (template example)
$policy = @{
    displayName = "Admins - Require MFA and Compliant Devices"
    state = "enabledForReportingButNotEnforced"   # switch to "enabled" after validating in report-only
    conditions = @{
        users = @{
            includeRoles = @($gaTemplateId)
            excludeUsers = @("<break-glass-account-object-id>")   # replace with the real object IDs
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
3.3 Protect Admin Accounts Compliance Mapping
Securing your Microsoft 365 admin accounts via a strict conditional access policy will meet the following compliance controls:
CIS Control 5.1 – Establish and Maintain an Inventory of Service Accounts: Ensure administrative accounts are limited and monitored.
NIST 800-53 AC-5 – Separation of Duties: Reduce risk by separating privileged functions.
ISO 27001 A.9.2.3 – Management of privileged access rights: Ensure admin access is restricted and controlled.
4. Enable Microsoft Defender for Office 365
Why?
Defender for Office 365 adds protection against phishing, malware, and zero-day attachments on top of Exchange Online Protection: Safe Links checks URLs at click time, Safe Attachments detonates attachments in a sandbox before delivery, and anti-phishing policies add impersonation and mailbox-intelligence checks.
4.1 Steps to Enable Mail Threat Policies
Go to security.microsoft.com > Email & collaboration > Policies & rules > Threat policies
Configure the following:
Safe Links
Safe Attachments
Anti-phishing policies
Use Preset Security Policies (Standard or Strict) to simplify management. They apply Microsoft's recommended settings and cannot be loosened, so scope them to a pilot group first and keep custom policies only for documented exceptions.
4.2 PowerShell Script
Alternatively, run the following PowerShell:
# Enable the Standard preset security policy (EOP and Defender for Office 365 rules). The rules exist once the preset
# has been created in the portal; otherwise create them with New-EOPProtectionPolicyRule / New-ATPProtectionPolicyRule.
Connect-ExchangeOnline
Set-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" -RecipientDomainIs "yourdomain.com"
Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"
Enable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"   # scope it the same way with Set-ATPProtectionPolicyRule
4.3 Microsoft Defender for Office 365 Compliance Mapping
Configuring Defender for Office 365 advanced threat protection for mail protection will meet the following compliance controls:
CIS Control 10.1 – Ensure Malicious Code Protection is Enabled: Deploy tools to detect and respond to malware.
NIST 800-53 SI-3 – Malicious Code Protection: Use AV and ATP solutions.
ISO 27001 A.12.2.1 – Controls against malware: Protect against malicious code.
5. Audit and Review Sign-Ins Regularly
Why?
Regularly reviewing sign-in activity helps detect abnormal or malicious logins (password sprays, MFA fatigue, sessions from unexpected countries) before they become a breach. Entra keeps sign-in logs for only 30 days (7 days without a P1/P2 licence), so export them if you need a longer trail.
5.1 Steps to Audit Entra Sign-In Logs
In the Microsoft Entra admin center, go to Monitoring & health > Sign-in logs
Filter by:
Status and failure reason (for example, repeated "invalid username or password" for one account)
Location and IP address anomalies
Authentication requirement (single-factor sign-ins that should have been multifactor) and MFA result
Client app (legacy protocols)
Export logs to a SIEM or storage account via Diagnostic settings for long-term archiving.
Create alerts for:
Impossible (atypical) travel and unfamiliar sign-in properties (Identity Protection risk detections)
Sign-ins from new countries or from anonymous IP addresses
Multiple failures for one account or from one source IP
5.2 PowerShell Script
Instead of using the portal, run the following script to export recent sign-in events to CSV:
# Export the last 7 days of sign-in events for analysis (Directory.Read.All is also required to read sign-in logs)
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress, ClientAppUsed, @{n='Country'; e={$_.Location.CountryOrRegion}}, @{n='ErrorCode'; e={$_.Status.ErrorCode}} |
    Export-Csv -Path "SignInLogs.csv" -NoTypeInformation
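The exported records can be triaged with the checks listed in 5.1, and the same pass answers the usage question in 2.1 (which sign-ins still use legacy protocols). The following is an added example, not code from the original guide: it runs those checks over a constructed set of sign-in records shaped like `Get-MgAuditLogSignIn` output, flagging legacy-protocol sign-ins, accounts with many failures, a user's first sign-in from a new country, and impossible travel (two successful sign-ins whose great-circle distance divided by the time between them exceeds a speed threshold). The users, IPs and coordinates are fictitious, the legacy client list is a subset of the values Entra uses, and the 900 km/h threshold and failure count are assumptions.

```powershell
# Added example: triage sign-in records for the anomalies listed in 5.1.
# Record shape mirrors Get-MgAuditLogSignIn (CreatedDateTime, UserPrincipalName, IPAddress,
# ClientAppUsed, Status.ErrorCode, Location.CountryOrRegion, Location.GeoCoordinates).

function Get-DistanceKm {
    # Haversine great-circle distance between two latitude/longitude points
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    $toRad = [math]::PI / 180
    $dLat = ($Lat2 - $Lat1) * $toRad
    $dLon = ($Lon2 - $Lon1) * $toRad
    $a = [math]::Sin($dLat / 2) * [math]::Sin($dLat / 2) +
         [math]::Cos($Lat1 * $toRad) * [math]::Cos($Lat2 * $toRad) * [math]::Sin($dLon / 2) * [math]::Sin($dLon / 2)
    return 6371 * 2 * [math]::Atan2([math]::Sqrt($a), [math]::Sqrt(1 - $a))
}

function Find-SignInAnomalies {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $FailureThreshold = 5,      # failures per user before alerting (assumption)
        [double] $MaxSpeedKmh = 900       # faster than this between sign-ins = impossible travel (assumption)
    )
    $alerts = [System.Collections.Generic.List[string]]::new()
    $legacy = @('Exchange ActiveSync', 'IMAP4', 'POP3', 'Authenticated SMTP', 'Other clients')

    # 1. Legacy protocols: these sign-ins never saw an MFA prompt
    foreach ($s in $SignIns | Where-Object { $legacy -contains $_.ClientAppUsed }) {
        $alerts.Add("LEGACY_AUTH $($s.UserPrincipalName) via $($s.ClientAppUsed) from $($s.IPAddress)")
    }
    # 2. Repeated failures per account (spray or brute force)
    foreach ($g in $SignIns | Where-Object { $_.Status.ErrorCode -ne 0 } | Group-Object UserPrincipalName) {
        if ($g.Count -ge $FailureThreshold) {
            $alerts.Add("MULTIPLE_FAILURES $($g.Name) $($g.Count) failed sign-ins")
        }
    }
    # 3. New locations and impossible travel, evaluated per user over successful sign-ins in time order
    foreach ($g in $SignIns | Where-Object { $_.Status.ErrorCode -eq 0 } | Group-Object UserPrincipalName) {
        $seen = @{}
        $prev = $null
        foreach ($s in $g.Group | Sort-Object CreatedDateTime) {
            $country = $s.Location.CountryOrRegion
            if ($seen.Count -gt 0 -and -not $seen.ContainsKey($country)) {
                $alerts.Add("NEW_LOCATION $($g.Name) first sign-in from $country ($($s.IPAddress))")
            }
            $seen[$country] = $true
            if ($prev) {
                $c = $prev.Location.GeoCoordinates; $d = $s.Location.GeoCoordinates
                $km = Get-DistanceKm $c.Latitude $c.Longitude $d.Latitude $d.Longitude
                $hours = ($s.CreatedDateTime - $prev.CreatedDateTime).TotalHours
                if ($hours -gt 0 -and ($km / $hours) -gt $MaxSpeedKmh) {
                    $alerts.Add("IMPOSSIBLE_TRAVEL $($g.Name) $([int]$km) km in $([math]::Round($hours, 2)) h ($($prev.Location.CountryOrRegion) -> $country)")
                }
            }
            $prev = $s
        }
    }
    return $alerts
}

# Constructed sample records (fictitious users, IPs and coordinates); 50126 = invalid credentials
function New-SignIn($Upn, $When, $Ip, $App, $Code, $Country, $Lat, $Lon) {
    [pscustomobject]@{
        CreatedDateTime   = [datetime]::Parse($When)
        UserPrincipalName = $Upn; IPAddress = $Ip; ClientAppUsed = $App
        Status   = [pscustomobject]@{ ErrorCode = $Code }
        Location = [pscustomobject]@{ CountryOrRegion = $Country
                     GeoCoordinates = [pscustomobject]@{ Latitude = $Lat; Longitude = $Lon } }
    }
}
$sample = @(
    (New-SignIn 'alice@contoso.com' '2025-03-01T08:00:00Z' '203.0.113.10' 'Browser' 0 'GB' 51.5 -0.12),
    (New-SignIn 'alice@contoso.com' '2025-03-01T09:30:00Z' '198.51.100.7' 'Browser' 0 'US' 40.7 -74.0),
    (New-SignIn 'bob@contoso.com'   '2025-03-01T10:00:00Z' '192.0.2.5'    'IMAP4'   0 'GB' 51.5 -0.12)
) + (1..6 | ForEach-Object { New-SignIn 'carol@contoso.com' "2025-03-01T10:0${_}:00Z" '192.0.2.9' 'Browser' 50126 'GB' 51.5 -0.12 })

Find-SignInAnomalies -SignIns $sample
# Live data: Find-SignInAnomalies -SignIns (Get-MgAuditLogSignIn -Top 1000)
```

On the sample this reports Bob's IMAP4 sign-in as LEGACY_AUTH, Carol's six failures as MULTIPLE_FAILURES, and for Alice both NEW_LOCATION (US) and IMPOSSIBLE_TRAVEL, since London to New York in 90 minutes is roughly 3,700 km/h. Identity Protection performs the travel detection for you on P2 tenants; this is the logic to run in a SIEM when it does not.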
5.3 Monitoring Entra Sign-In Activity Compliance Mappings
Monitoring your Entra sign-in audit logs for suspicious login activities, you will meet the following compliance controls:
CIS Control 6.2 – Centralize Security Event Alerting: Monitor logs for anomalies.
NIST 800-53 AU-6 – Audit Review, Analysis, and Reporting: Requires log review.
ISO 27001 A.12.4.1 – Event logging: Implement logging and review.

6. Configure Email Authentication (SPF, DKIM, DMARC)
Why?
These DNS-published protocols let receiving mail servers verify that a message claiming to come from your domain was sent from a server you authorise (SPF), was signed by your domain and not altered in transit (DKIM), and tell receivers what to do when both checks fail and where to send reports (DMARC). Together they stop exact-domain spoofing, which most executive-impersonation phishing relies on.
6.1 Steps to Secure Email Authentication
SPF:
Add a TXT record at the domain apex:
v=spf1 include:spf.protection.outlook.com -all
List every third-party service that sends as your domain before switching from ~all to -all, and stay under the limit of 10 DNS lookups.
DKIM:
Go to the Microsoft Defender portal > Email & collaboration > Policies & rules > Threat policies > Email authentication settings > DKIM
Publish the two selector CNAME records shown for the domain, then enable DKIM signing for each domain
DMARC:
Add a TXT record at _dmarc.yourdomain.com. Start in monitor mode, then tighten once the aggregate reports show only legitimate mail passing:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
then
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
and finally p=reject.
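To check what is actually published, the following added example (not code from the original guide) parses and grades a domain's SPF and DMARC TXT records and its Exchange Online DKIM selector CNAMEs. It runs offline against constructed records for a fictitious domain; the commented `Resolve-DnsName` calls at the end show how to feed it live records and are the only part that needs network access. The grading rules (lookup limit, all-mechanism and policy verdicts) are the evaluator's own reading of RFC 7208 and RFC 7489, not Microsoft's.

```powershell
# Added example: grade a domain's published email authentication records.
function Test-SpfRecord {
    param([Parameter(Mandatory)][string[]] $TxtRecords)
    $spf = @($TxtRecords | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -eq 0) { return 'FAIL: no SPF record' }
    if ($spf.Count -gt 1) { return 'FAIL: multiple SPF records (receivers treat this as permerror)' }
    $terms = $spf[0] -split '\s+'
    # RFC 7208 caps DNS-querying terms (include, a, mx, ptr, exists, redirect) at 10 per evaluation
    $lookups = @($terms | Where-Object { $_ -match '^[+\-~?]?(include:|a[:/]|a$|mx|ptr|exists:|redirect=)' }).Count
    $all = $terms | Where-Object { $_ -match '^[+\-~?]?all$' } | Select-Object -Last 1
    $verdict = 'FAIL: no all mechanism'
    if ($all) {
        $verdict = switch -Regex ($all) {
            '^-all$'  { 'PASS: hard fail (-all)' }
            '^~all$'  { 'WARN: soft fail (~all); move to -all once every sender is listed' }
            '^\?all$' { 'FAIL: neutral (?all) offers no protection' }
            '^\+all$' { 'FAIL: +all authorises every sender' }
        }
    }
    if ($lookups -gt 10) { $verdict += "; FAIL: $lookups DNS lookups exceeds the limit of 10" }
    if ($terms -notcontains 'include:spf.protection.outlook.com') { $verdict += '; WARN: Exchange Online include missing' }
    return $verdict
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string[]] $TxtRecords)
    $rec = @($TxtRecords | Where-Object { $_ -match '^v=DMARC1' })
    if ($rec.Count -ne 1) { return 'FAIL: expected exactly one DMARC record' }
    $tags = @{}
    foreach ($kv in $rec[0] -split ';') {
        $k, $v = $kv.Trim() -split '=', 2
        if ($k -and $null -ne $v) { $tags[$k.Trim()] = $v.Trim() }
    }
    $p = if ($tags['p']) { $tags['p'] } else { '' }
    $verdict = switch ($p) {
        'reject'     { 'PASS: p=reject' }
        'quarantine' { 'WARN: p=quarantine; plan the move to reject' }
        'none'       { 'WARN: p=none only monitors' }
        default      { 'FAIL: missing or invalid p tag' }
    }
    if (-not $tags['rua']) { $verdict += '; WARN: no rua address, you receive no aggregate reports' }
    if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $verdict += "; WARN: pct=$($tags['pct']) leaves part of the mail unpoliced" }
    return $verdict
}

function Test-DkimSelectors {
    param([Parameter(Mandatory)][hashtable] $Cnames, [Parameter(Mandatory)][string] $Domain)
    # Exchange Online signs with selector1 and selector2; both CNAMEs must point into the tenant's onmicrosoft.com zone
    $missing = @('selector1', 'selector2') | Where-Object {
        -not ($Cnames["${_}._domainkey.$Domain"] -match "^${_}-.*\._domainkey\..*\.onmicrosoft\.com\.?$")
    }
    if ($missing) { return "FAIL: DKIM CNAME missing or wrong for $($missing -join ', ')" }
    return 'PASS: both DKIM selector CNAMEs present'
}

# Constructed records for a fictitious domain (not real DNS data)
$domain   = 'example.com'
$spfTxt   = @('v=spf1 include:spf.protection.outlook.com include:_spf.mailvendor.example ~all')
$dmarcTxt = @('v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com')
$dkimCnames = @{
    'selector1._domainkey.example.com' = 'selector1-example-com._domainkey.example.onmicrosoft.com'
}
Test-SpfRecord     -TxtRecords $spfTxt
Test-DmarcRecord   -TxtRecords $dmarcTxt
Test-DkimSelectors -Cnames $dkimCnames -Domain $domain

# Live lookup (needs DNS access):
# Test-SpfRecord   -TxtRecords (Resolve-DnsName $domain -Type TXT | ForEach-Object { $_.Strings -join '' })
# Test-DmarcRecord -TxtRecords (Resolve-DnsName "_dmarc.$domain" -Type TXT | ForEach-Object { $_.Strings -join '' })
```

On the sample records the output is a soft-fail warning for SPF, a quarantine plus pct=50 warning for DMARC, and a DKIM failure because selector2 is not published, which is the state many tenants sit in after enabling DKIM only halfway.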
6.2 PowerShell Script
You can enable DKIM signing for your domain using the following PowerShell script:
# Enable DKIM signing. The two selector CNAMEs must resolve before enabling, or the command fails with a DNS error.
Connect-ExchangeOnline
# If no signing config exists yet: New-DkimSigningConfig -DomainName yourdomain.com -Enabled $false
Get-DkimSigningConfig -Identity yourdomain.com | Select-Object Selector1CNAME, Selector2CNAME   # publish these as selector1._domainkey and selector2._domainkey
Set-DkimSigningConfig -Identity yourdomain.com -Enabled $true
6.3 M365 Email Authentication Compliance Mapping
Setting up SPF, DKIM, DMARC for your domains will help you meet the following compliance controls:
CIS Control 9.2 – Ensure Only Authorized Mail Servers are Used: Implement SPF, DKIM, and DMARC.
NIST 800-53 SC-7 – Boundary Protection: Use filters to prevent unauthorized traffic.
ISO 27001 A.13.2.3 – Electronic messaging: Secure email systems.
7. Enable Unified Audit Logging for Office 365 Security
Why?
Audit logs record user and admin activity (mailbox access, inbox rules, sharing, role changes), which is essential for incident response and compliance. Auditing is on by default in new tenants, but verify it: a tenant with auditing off has no record of what an attacker did.
7.1 Steps to Enable Unified Audit Logging
Go to the Microsoft Purview portal (purview.microsoft.com, formerly compliance.microsoft.com) > Audit
Enable auditing if not already enabled; it can take up to 60 minutes before events appear
Check your retention: Audit (Standard) keeps 180 days, Audit (Premium) keeps one year (longer with the retention add-on)
Review user activity, eDiscovery exports, admin changes, etc.
7.2 PowerShell Script
Instead of using the Purview portal to enable auditing, you can use the following PowerShell script:
# Enable unified audit log ingestion (Exchange Online PowerShell; the setting is tenant-wide)
Connect-ExchangeOnline
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
# Verify (expect True; new events appear after up to 60 minutes)
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
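Once ingestion is on, the log is only useful if someone queries it. The following added example (not code from the original guide) pulls inbox-rule and role-membership changes from the unified audit log and flags the two patterns that most often follow a mailbox compromise: inbox rules that forward, redirect or delete mail, and additions to admin roles. The decoding logic is shown against constructed, simplified `AuditData` records so it runs without a tenant; the field names used (`Parameters` with `Name`/`Value` for inbox rules, `ModifiedProperties` with `Role.DisplayName` for role changes, `ClientIP`, `ObjectId`) are the ones Exchange Online and Entra write for these operations, while the keyword and role lists are assumptions. The commented `Search-UnifiedAuditLog` call at the end is the standard Exchange Online cmdlet for the live query.

```powershell
# Added example: hunt the unified audit log for post-compromise persistence.
function Get-SuspiciousAuditEvents {
    # $Records: objects with Operations, UserIds, CreationDate and AuditData (JSON string), as Search-UnifiedAuditLog returns
    param([Parameter(Mandatory)] [object[]] $Records)
    $rulePatterns = 'ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeleteMessage'          # assumption: what a BEC rule sets
    $adminRoles   = 'Global Administrator|Exchange Administrator|Privileged Role Administrator|Security Administrator'
    $hits = [System.Collections.Generic.List[pscustomobject]]::new()
    foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        switch -Regex ($r.Operations) {
            '^(New|Set)-InboxRule$' {
                # Parameters is a list of {Name, Value}; a forward/delete setting on a new rule is the classic BEC move
                $bad = @($d.Parameters | Where-Object { $_.Name -match $rulePatterns -and $_.Value -and $_.Value -ne 'False' })
                if ($bad) {
                    $hits.Add([pscustomobject]@{
                        When = $r.CreationDate; Actor = $r.UserIds; Operation = $r.Operations
                        Detail = ($bad | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
                        ClientIP = $d.ClientIP
                    })
                }
            }
            '^Add member to role\.$' {
                # Entra writes the role name in ModifiedProperties; ObjectId is the account that gained it
                $role = ($d.ModifiedProperties | Where-Object Name -eq 'Role.DisplayName').NewValue
                if ($role -match $adminRoles) {
                    $hits.Add([pscustomobject]@{
                        When = $r.CreationDate; Actor = $r.UserIds; Operation = $r.Operations
                        Detail = "$($d.ObjectId) added to $role"; ClientIP = $d.ClientIP
                    })
                }
            }
        }
    }
    return $hits
}

# Constructed sample records (fictitious); AuditData is the JSON string the log stores, trimmed to the fields used
$sample = @(
    [pscustomobject]@{
        CreationDate = [datetime]'2025-03-01T11:02:00Z'; Operations = 'New-InboxRule'; UserIds = 'alice@contoso.com'
        AuditData = '{"ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"attacker@example.net"},{"Name":"DeleteMessage","Value":"True"}]}'
    },
    [pscustomobject]@{
        CreationDate = [datetime]'2025-03-01T11:05:00Z'; Operations = 'Add member to role.'; UserIds = 'alice@contoso.com'
        AuditData = '{"ClientIP":"198.51.100.7","ObjectId":"svc-backup@contoso.com","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Global Administrator"}]}'
    },
    [pscustomobject]@{
        CreationDate = [datetime]'2025-03-01T11:09:00Z'; Operations = 'New-InboxRule'; UserIds = 'bob@contoso.com'
        AuditData = '{"ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Reading"}]}'
    }
)
Get-SuspiciousAuditEvents -Records $sample | Format-Table -AutoSize

# Live query (needs Connect-ExchangeOnline and audit ingestion enabled):
# $live = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -Operations 'New-InboxRule','Set-InboxRule','Add member to role.' -ResultSize 5000 -SessionCommand ReturnLargeSet
# Get-SuspiciousAuditEvents -Records $live
```

On the sample, Alice's rule named "." that forwards to an external address and deletes the original is reported, as is the Global Administrator grant that follows it from the same IP; Bob's move-to-folder rule is not. The one-character rule name and the forward-plus-delete combination are the details worth checking first when an inbox rule shows up in the log.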
7.3 Microsoft Unified Audit Logging Compliance Mapping
Setting up Microsoft unified audit logging, you will meet the following compliance controls:
CIS Control 6.1 – Establish Security Logging Mechanisms: Enable system and security logs.
NIST 800-53 AU-2 – Audit Events: Log actions that affect security.
ISO 27001 A.12.4.3 – Administrator and operator logs: Maintain audit trails.
8. Monitor Secure Score for Office 365 Security
Why?
Secure Score measures your tenant against Microsoft's recommended configuration and offers actionable, prioritised recommendations to improve your security posture; tracking it over time also shows regressions when someone weakens a setting.
8.1 Steps to Review Microsoft Secure Score
Go to security.microsoft.com > Secure score
Review your current score and the history chart
Click into each recommended action to:
Understand its impact on the score and on users
Get implementation steps
Prioritize high-impact, low-effort tasks first (e.g., MFA, CA policies), and mark actions you cover with another product as resolved through a third party rather than leaving them open.
8.2 PowerShell Script
Instead of logging into the Secure Score dashboard, you can retrieve your score using the following PowerShell command:
# Get the latest Secure Score snapshot (the API returns newest first), then the recommended actions scoring lowest
Connect-MgGraph -Scopes 'SecurityEvents.Read.All'
$score = Get-MgSecuritySecureScore -Top 1
$score | Select-Object CreatedDateTime, CurrentScore, MaxScore
$score.ControlScores | Sort-Object Score | Select-Object ControlName, ControlCategory, Score -First 10
8.3 Microsoft Secure Score Compliance Mapping
By using Microsoft Secure Score you will meet the following compliance controls:
CIS Control 4.1 – Establish and Maintain a Secure Configuration Process: Use benchmarks like Secure Score.
NIST 800-53 RA-3 – Risk Assessment: Evaluate threats and mitigate risks.
9. Use Conditional Access Best Practices
Why?
Conditional Access allows granular control over how users access data based on user, risk, location, client app and device state; it is the policy engine behind most of the controls in this guide.
9.1 Conditional Access Recommended Policies
Require MFA for all users
Block legacy authentication
Block access from countries you do not operate in (named locations)
Require compliant devices for admin roles
Require MFA on medium or high sign-in risk and a password change on high user risk (Identity Protection, P2)
Require MFA for Azure management and for security-info registration
Deploy each policy in report-only mode first, keep the break-glass accounts excluded from all of them, and review the sign-in log impact before enforcing.
Refer to Microsoft Conditional Access Policy Templates: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation
9.2 Conditional Access Recommended Policies for Compliance
Setting up the recommended Conditional Access policies above will help you meet the following compliance controls:
CIS Control 4.8 – Manage Access Control: Enforce context-aware access.
NIST 800-53 AC-17 – Remote Access: Restrict remote connections.
ISO 27001 A.9.1.2 – Access to networks and network services: Restrict logical access.
10. Backup and Monitor Critical Office 365 Data
Why?
Microsoft provides high availability and recycle bins, not a backup you control. Once retention windows expire, or when a ransomware actor or malicious admin purges data inside them, recovery may be impossible without a separate backup (Microsoft 365 Backup or a third-party service).
10.1 Recommended Office 365 DR Solutions
Use a trusted SaaS backup service whose storage and credentials are independent of your tenant's admin accounts
Back up SharePoint, OneDrive, Exchange and Teams, and test restores regularly
Monitor file sharing, DLP policies and insider risk events
10.2 Office 365 Data Backup Compliance Mapping
When you start backing up your Office 365 data you will meet the following compliance controls:
CIS Control 11.4 – Perform Automated Backups: Regular backups protect critical data.
NIST 800-53 CP-9 – Information System Backup: Backup and recovery capabilities.
ISO 27001 A.12.3.1 – Information backup: Ensure backups are done securely and regularly.
Office 365 Security Best Practices Conclusion
Implementing Office 365 security best practices is not a “set-and-forget” task. It requires continuous monitoring, auditing, and adjustment. The practices in this guide will significantly reduce your risk and help you meet standards such as the CIS Microsoft 365 Foundations Benchmark, NIST 800-53, and ISO/IEC 27001.
Want a hands-free way to audit your tenant and get real-time compliance insights?
👉 Try InfraSOS – Office 365 and Azure AD Security Reporting & Monitoring