Microsoft 365 Security Recommendations

Below is a list of best practice changes we recommend that all clients make to their Microsoft 365 tenant to improve the security of their accounts and data.

Changes that apply to all Microsoft 365 licenses

Below is a list of settings that we recommend changing for all firms using Microsoft 365.

These settings reduce the likelihood and the impact of a security breach or data loss without getting in the way of day-to-day work.

Email Security

  • Raise the level of protection against malware in mail / reference
    • WHAT - This setting enables the “Common Attachment Types Filter” in the Anti-Malware policy to block a range of commonly abused file types sent as attachments.
    • WHY - Blocking potentially malicious attachments at the mail gateway removes malware that may otherwise slip past the antivirus scanners on users' computers.
    • IMPACT - Users may not be able to receive some attachments; however, the blocked types are not files typically used in a law firm.
  • Protect against ransomware / reference
    • WHAT - This change extends the Common Attachment Types Filter with a series of custom mail flow (transport) rules that warn about or block additional file types when they are sent as email attachments.
    • WHY - Ransomware is most often delivered as an email attachment (an executable, a script or a macro-enabled document), so stopping those file types before they reach the inbox removes the most common entry point.
    • IMPACT - The files that are blocked are regularly used to deliver malware and would not typically be sent in a business environment (for example executables). File types that may contain malware but are sometimes legitimate (for example macro-enabled Office documents) are set to warn only.
  • Stop auto-forwarding for email / reference
    • WHAT - The ability for users to automatically forward their email to external recipients (through mailbox forwarding or inbox rules) is disabled.
    • WHY - When an account is compromised the attacker frequently sets up forwarding to an external address so that they keep receiving a copy of the victim's mail, including password resets and invoices, even after the password is changed and sessions are revoked.
    • IMPACT - There should be no user impact in most situations, as users can still forward individual emails and can still auto-forward to internal recipients. There may be issues where external applications or vendors rely on forwarding to receive legitimate emails; those cases should be identified before the change and handled with an explicit exception.
  • Protect against impersonation and phishing / reference
    • WHAT - Creating an anti-phishing policy that prevents high-authority users (for example partners and the CEO) and the firm's own domains from being impersonated by malicious actors. The impersonation settings require Microsoft Defender for Office 365 (included in Business Premium and E5); the first-contact safety tip is available in all plans.
    • WHY - Blocking impersonated emails prevents users from acting on fake requests from “the boss” and potentially providing personal information, company data or payments to malicious actors.
    • IMPACT - Emails from senders that use the same display name as a protected CEO/high-authority account but a different address will be quarantined or sent to junk. Users will also see a warning when an address is contacting them for the first time, prompting them to proceed with caution.
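The four Email Security changes above can be applied and verified from Exchange Online PowerShell. The script below is an added example, not ServiceScaler's own script: it assumes the ExchangeOnlineManagement module is installed, that the account running it holds the Exchange Administrator role, and that the file-type lists, rule names and jane.smith@contoso.com are placeholders to be replaced with the firm's own values. The final queries look for mailboxes and inbox rules that are already forwarding externally, which is the most common sign that an account was compromised before the control was applied.

```powershell
# Added example (not ServiceScaler's script). Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# 1. Common Attachment Types Filter on the default anti-malware policy.
#    -FileTypes REPLACES the existing list, so review the current list first
#    (Get-MalwareFilterPolicy -Identity Default).FileTypes and add to it rather than shrinking it.
$blockedTypes = @('ace','ani','app','exe','jar','reg','scr','vbe','vbs','js','jse','ps1','bat','cmd','hta')
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $blockedTypes

# 2. Ransomware mail flow rules: hard block for types with no business use,
#    warn-only for types that are sometimes legitimate but commonly abused.
New-TransportRule -Name 'Block executable and script attachments' `
    -AttachmentExtensionMatchesWords @('exe','scr','pif','com','cpl','msi','ps1','vbs','js','hta','iso','img') `
    -RejectMessageReasonText 'Attachment type blocked by policy. Contact IT if this file was expected.'

New-TransportRule -Name 'Warn on macro-enabled Office attachments' `
    -AttachmentExtensionMatchesWords @('docm','xlsm','pptm') `
    -PrependSubject '[CAUTION: macro-enabled attachment] '

# 3. Stop automatic forwarding to external recipients at both enforcement points:
#    the default remote domain and the outbound spam filter policy (the latter also
#    covers forwarding set up through inbox rules).
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 4. Impersonation and phishing protection on the default anti-phish policy.
#    Targeted user / domain / mailbox intelligence settings need Defender for Office 365;
#    the first-contact safety tip works on every plan. Placeholder user below.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @('Jane Smith;jane.smith@contoso.com') `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableFirstContactSafetyTips $true

# Verification: confirm the new values took effect.
Get-MalwareFilterPolicy -Identity Default | Select-Object EnableFileFilter, FileTypes
Get-HostedOutboundSpamFilterPolicy -Identity Default | Select-Object AutoForwardingMode

# Hunt for forwarding that already exists. Anything pointing outside the tenant that the
# user cannot explain should be treated as a possible past compromise and investigated.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n='Mailbox';e={$mbx.UserPrincipalName}}, Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
```

Run the verification queries before the change as well as after: the forwarding hunt is the part that most often turns up an existing problem, and an inbox rule with a name like "." or a single space that redirects mail to an outside address is a classic sign of a compromised mailbox.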

User Identity Protection

  • Enable users to reset their own password / reference
    • WHAT - Self-service password reset (SSPR) is enabled. When users next sign in they are prompted to register additional verification details (secondary email, mobile number, authenticator app) so that they can verify their own identity if they forget their password.
    • WHY - This allows users to get back into their account quickly, including outside of business hours, without waiting for a helpdesk ticket. It also standardises how identity is verified before a password is reset.
    • IMPACT - Users are prompted once to register their verification methods. If you are in a hybrid configuration and synchronise passwords from on-premises Active Directory, writing the new password back to the domain requires an Azure AD Premium P1 (now Microsoft Entra ID P1) licence, which is included in Business Premium and E3/E5.
  • Set password to never expire / reference
    • WHAT - Disable the password expiration policy so that users' passwords do not expire every 90 days.
    • WHY - Research (and current NIST and Microsoft guidance) shows that forcing users to change their passwords regularly leads them to choose weak, predictable passwords or to re-use passwords across systems, which makes the passwords easier to guess.
    • IMPACT - This policy should only be implemented with MFA or Security Defaults enabled. The only impact is that users will not be required to change their passwords every 90 days and can instead choose a long, complex password that is also easy to remember. Passwords should still be changed immediately if an account is suspected of being compromised.
  • Enforce multi-factor authentication (MFA) / reference
    • WHAT - Enable Microsoft Security Defaults, which requires every user to register for MFA with the Microsoft Authenticator app on their smartphone. When a user signs in from a new device or accesses a privileged service they are prompted to approve the request on their phone; administrators are prompted on every sign-in.
    • WHY - Microsoft research suggests that enabling MFA blocks over 99.9% of account compromise attacks, and Security Defaults is the easiest way for an organisation to implement MFA. For more complex environments Conditional Access can be used instead of Security Defaults, which allows additional customisation (trusted locations, device compliance, per-application rules); the two cannot be enabled at the same time.
    • IMPACT - MFA is easier than most people expect. Users will be required to set up the Microsoft Authenticator application on their smartphone and link it to their account. When they sign in on a new device they will need to approve the sign-in on their smartphone, so they will need to keep it handy. Security Defaults also blocks legacy authentication protocols that cannot use modern authentication; this may affect old systems that rely on IMAP, POP3 or SMTP basic authentication to access mailboxes, so these should be identified before the change (the Azure AD sign-in logs can be filtered to show legacy authentication clients).
  • Use dedicated admin accounts / reference
    • WHAT - Dedicated admin accounts should be used for access to the Microsoft 365 admin portals and used only when admin work is actually required. Where we maintain a Global Admin account for a customer's tenant, the customer still controls and manages their own admin account.
    • WHY - Admin accounts should not be used to read email, run applications or browse the internet. This limits the damage if a hacker obtains credentials through a compromised computer or a phishing email, because the everyday account that the phishing email reaches has no admin rights.
    • IMPACT - There is minimal impact to users. A user with admin access needs to authenticate with a different username, password and MFA method when admin access is required. Admin accounts typically do not need a licence or a mailbox.
  • Turn on Audit Logging / reference
    • WHAT - Audit Logging records user and administrator actions across Microsoft 365 (mailbox access, file sharing, setting changes, role assignments) in a central unified audit log. Microsoft now turns this on by default for new tenants, but older tenants may still have it disabled, so it should be verified.
    • WHY - The audit log makes it possible to identify who changed a setting, deleted an email item or shared a file, and it is the primary source of evidence when investigating a suspected account compromise.
    • IMPACT - There is no user impact from this change.
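The identity changes above (Security Defaults, password expiration, a dedicated admin account and the audit log) can be applied and checked with the Microsoft Graph PowerShell SDK and Exchange Online PowerShell. This is an added example rather than ServiceScaler's own tooling; it assumes both modules are installed, that the signed-in account is a Global Administrator, and that contoso.com, the admin account name and the Jane Smith placeholder are replaced with real values. Self-service password reset is left out because its enablement scope is set in the Azure AD portal rather than through a single cmdlet.

```powershell
# Added example (not ServiceScaler's script). Requires Microsoft.Graph and ExchangeOnlineManagement.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Domain.ReadWrite.All',
                        'User.ReadWrite.All','RoleManagement.ReadWrite.Directory'

# 1. Security Defaults: MFA registration for everyone, MFA on every admin sign-in,
#    legacy authentication blocked. This fails if any Conditional Access policy is
#    enabled, because the two are mutually exclusive.
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Select-Object IsEnabled

# 2. Passwords never expire. Only do this once MFA is enforced. The domain setting
#    applies to new users; existing cloud-only users are updated individually.
#    Synced users are governed by the on-premises AD policy, so they are skipped.
Update-MgDomain -DomainId 'contoso.com' -PasswordValidityPeriodInDays 2147483647 -PasswordNotificationWindowInDays 14
Get-MgUser -All -Property Id,UserPrincipalName,PasswordPolicies,OnPremisesSyncEnabled |
    Where-Object { -not $_.OnPremisesSyncEnabled -and $_.PasswordPolicies -notmatch 'DisablePasswordExpiration' } |
    ForEach-Object { Update-MgUser -UserId $_.Id -PasswordPolicies 'DisablePasswordExpiration' }

# 3. Dedicated admin account: cloud-only, unlicensed, no mailbox, used only for admin tasks.
#    The user must change the initial password and register MFA at first sign-in.
$initialPassword = Read-Host -Prompt 'Initial password for the new admin account'
$admin = New-MgUser -DisplayName 'Jane Smith (Admin)' -UserPrincipalName 'adm-jsmith@contoso.com' `
    -MailNickname 'adm-jsmith' -AccountEnabled `
    -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }

# Global Administrator is activated in every tenant; for a role that has never been used,
# activate it first with New-MgDirectoryRole -RoleTemplateId <template id>.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id `
    -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($admin.Id)" }

# Review who holds Global Administrator. The list should be short and contain only
# dedicated admin accounts, never someone's everyday mailbox account.
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }

# 4. Unified audit log: enable it if it is off, then prove it is producing data by
#    pulling a week of the events most useful in a compromise investigation.
Connect-ExchangeOnline
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true   # can take some hours to start
}
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations 'New-InboxRule','Set-InboxRule','Add member to role.' -ResultSize 50 |
    Select-Object CreationDate, UserIds, Operations
```

Run the audit query on a schedule, not only at setup: a new inbox rule created at 3 a.m. from an unfamiliar IP address, or an unexpected addition to the Global Administrator role, is exactly the kind of event the log exists to surface.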

SharePoint Online

  • Set external sharing level to new and existing guests
    • WHAT - This setting disables the option “Users can share files and folders using links that don’t require sign-in” (the “Anyone” sharing level).
    • WHY - This prevents users from sharing files externally with a link that anyone who obtains it can open, with no sign-in and no record of who accessed the file.
    • IMPACT - Files can still be shared with other firms, but the recipients need to sign in or enter a one-time verification code for access, and that access is recorded in the audit log.
  • Limit sharing of individual sites
    • WHAT - Store confidential files in their own sites and then restrict sharing of those sites to prevent files being shared externally. For sites that are not restricted, set the site sharing so that only the site owners can share the site.
    • WHY - This prevents users from accidentally sharing confidential files externally.
    • IMPACT - Files in confidential sites can only be shared with internal staff.
  • Follow the Principle of Least Privilege
    • Give people the lowest permission levels they need to perform their assigned tasks.
    • Give people access by adding them to the standard, default groups (Visitors, Members and Owners) rather than by creating unique permissions on individual files and folders.
  • Segment your content by security level
    • Create a site or a library specifically for sensitive documents, rather than having them scattered in a larger library and protected by unique permissions.
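The SharePoint changes above can be applied with the SharePoint Online Management Shell. This is an added example, not ServiceScaler's script: it assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that the account holds the SharePoint Administrator role, and that "contoso", the ClientMatters and Marketing site URLs and the user name are placeholders. It also shows the sharing levels in order from most to least restrictive, which is the point a practitioner most often gets wrong, and ends with a review of every site's sharing posture and the default groups on one site.

```powershell
# Added example (not ServiceScaler's script). Requires Microsoft.Online.SharePoint.PowerShell.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# 1. Tenant level. The four SharingCapability values, most to least restrictive:
#      Disabled                          no external sharing at all
#      ExistingExternalUserSharingOnly   "Existing guests" only
#      ExternalUserSharingOnly           "New and existing guests" (what this page recommends)
#      ExternalUserAndGuestSharing       "Anyone" links that need no sign-in
#    Also make the default link internal and view-only, so a user has to deliberately
#    choose to share outside the firm or to grant edit rights.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Internal `
    -DefaultLinkPermission View

# 2. Confidential site: no external sharing whatsoever. A site can be more restrictive
#    than the tenant setting but never more permissive.
Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/ClientMatters' -SharingCapability Disabled

# 3. Site that stays shareable: only owners may invite people to the site.
#    This switch is reverted from the site's sharing settings page in the browser, not from PowerShell.
Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/Marketing' -DisableSharingForNonOwners

# 4. Least privilege: grant access through the default groups, not unique item permissions.
Add-SPOUser -Site 'https://contoso.sharepoint.com/sites/ClientMatters' `
    -LoginName 'jane.smith@contoso.com' -Group 'ClientMatters Members'

# Review: the sharing posture of every site, most open first. Anything showing
# ExternalUserAndGuestSharing was set before the tenant change and deserves a look.
Get-SPOSite -Limit All |
    Select-Object Url, SharingCapability, Owner |
    Sort-Object SharingCapability -Descending |
    Format-Table -AutoSize

# Review: the groups on a confidential site and who is in them.
Get-SPOSiteGroup -Site 'https://contoso.sharepoint.com/sites/ClientMatters' |
    Select-Object Title, Roles, Users
```

The tenant-level change takes effect for new sharing links; links that were already created at the "Anyone" level keep working until they are removed or expire, so the per-site review is worth doing on the confidential sites even after the tenant setting is in place.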

Microsoft 365 Business Premium and E5

  • For Microsoft 365 plans that include these features we will enable
    • Office 365 Message Encryption, so that confidential emails can be sent encrypted to external recipients
    • Microsoft Defender for Office 365 anti-phishing (formerly ATP), which adds the impersonation and mailbox intelligence protection described above to the anti-phishing policy
    • Protection against malicious attachments and files with Safe Attachments (formerly ATP Safe Attachments), which opens attachments in a sandbox before they are delivered
    • Protection against phishing links with Safe Links (formerly ATP Safe Links), which rewrites URLs in email and Office documents and checks them at the time of click


Microsoft Intune will allow us to:
- Enforce BitLocker disk encryption on all company-owned computers
- Enable the Windows Firewall
- Enforce up-to-date antivirus
- Block OneDrive app access from any device that is not compliant with the policies above (enforced through Conditional Access)

Additional Steps

  • As an additional point of security we suggest moving your DNS hosting into Microsoft 365, so that the records Microsoft 365 depends on are managed in one place.
  • Once the above changes have been completed we will review your Microsoft Secure Score in the Microsoft Defender portal (security.microsoft.com) and work through the remaining recommendations.

Questions about the security settings above? We can help

For further assistance feel free to contact the team at ServiceScaler to speak with one of our experts.

Let's work together

Contact the team at ServiceScaler today for a free and confidential discussion

Contact Us