Strengthening the security of your Microsoft 365 – The top 5 built-in security features you should deploy

By in
Strengthening the security of your Microsoft 365 – The top 5 built-in security features you should deploy

If you’re a Microsoft 365 user you probably feel your data is in safe hands.  Microsoft spends about $1 billion on cloud cyber security each year, and its data centers feature cutting edge physical and cyber security technologies.  Around 80% of fortune 500 companies use Microsoft 365, so it’s got to be a pretty secure platform, right?

There’s no doubt that the enterprise-grade security offered by Microsoft’s cloud is class-leading, and that cloud computing in general is no less secure than on-premise networks.  However, the system isn’t infallible, and a degree of responsibility lies with you – the end user – in ensuring that your Microsoft 365 accounts are comprehensively safeguarded against cyber threats. 

In this short blog series we’ll explore some of the actions you can take to optimize the security of your 365 environment, starting with some of the security features Microsoft 365 comes preloaded with.  Let’s get started.

Configure Threat Policies

365 customers are often unaware that basic threat protection tools are included as standard with all Microsoft 365 subscriptions.  To locate these, navigate to your 365 “admin center,” then select “security” from the side menu.  Now that you’re in the security center, locate “policies & rules” from the side menu before clicking on “Threat policies.”

 The threat protection tools available to you will depend on the level of Microsoft 365 subscription you’re signed up to, but you should have the ability to configure policies for anti-phishing, anti-spam and anti-malware protections as shown below.

These 3 threat protection features are designed to offer a degree of protection to your employee email accounts.  While this may seem limited – email being only one of many Microsoft 365 components – it’s important to remember that email remains the primary route of entry point through which cyber-attacks are launched.  Protecting your email inbox goes a long way in protecting your entire IT environment.

Implement Role-based access control (RBAC)

Role-based access control defines the ability to extend and deny administrative privileges to end users.  Traditionally, “admin” privileges would be reserved for a select few employees who would be permitted to reconfigure settings, make changes to software and download new applications.  In the context of Microsoft 365, the “Global Admin” is the person who purchased the subscription, and they have the most extensive set of privileges applied by default.  You can of course assign admin privileges to other users too, but giving many users full administrative privileges is a bad idea from a security perspective.

Microsoft 365 offers a compromise, allowing you to extend partial access privileges to certain users, for a pre-defined period of time.  To do this, navigate to the “settings” menu on the left hand side of the MS 365 Admin center and select “Org settings.”  From here select the tab titled “Security and privacy,” and navigate to “Privileged access.”

From here you can configure policies to apply limited and specific administrative privileges in a way that limits risk to you organisation.  You might want to make a member of your team a Teams administrator, but only for the purpose of carrying out a specific task.   365 lets you do that, and you could choose to award those privileges for an hour or two – just long enough to complete the task in question.

Admin accounts are highly prized by hackers, as they give near unlimited access to data and the ability to perform actions that inflict maximum damage.  By applying admin privileges on an as-and-when-required basis you can minimize the number of permanent admins, and thus reduce the risk of an account takeover resulting in catastrophic system-wide damage.

Utilize Secure Score

Secure Score is a useful dashboard located within the 365 admin center that lets you review your security posture and offers advice on how to improve it.  Your overall score is displayed as a percentage, and the dashboard also features a breakdown of your security posture in relation to different security categories, such as identities or apps.  The most useful component of this feature is the “improvement actions” tab.  This displays a list of the actions you could take to most significantly improve your security posture, with the most effective changes shown at the top.  When you click on each proposed improvement action, you’ll be presented with a description and links which direct you to the implementation page for each.  If like many, you find cyber security a perplexing and daunting prospect, Secure Score is a reassuringly intuitive way to implement simple changes that will bolster your cyber defenses.

Activate Multi Factor Authentication (MFA)

Multi-factor authentication is protection mechanism that requires the provision of 2 or more pieces of data in order for access to be granted to an account or service.  Using multi factor authentication to protect your 365 accounts means users are required to present information which further verifies their identity, over and above their account password.

You can enforce MFA for individual users through the 365 admin center.  Select “Users” from the side menu, navigate to “Active users” and then click “Multi-factor authentication” from the tabs at the top – highlighted in green below.

The default method for MFA implementation is using the Microsoft authenticator mobile app.  This app aids in the verification process, by providing a user-specific code which is required upon account sign in, in addition to an account password.  This additional sign-in component helps verify the identities of personnel trying to access your Microsoft accounts, aiding the security posture of your entire 365 environment.

You could enforce MFA across your entire team, but as a minimum it should be implemented to safeguard accounts with the greatest access privileges, as these are the most critical from a security standpoint.

Enable passwordless authentication

With the advanced password-cracking tools cyber criminals now have access to, the next level of account protection could be the removal of passwords from the equation altogether.  Passwordless authentication involves 2 or more pieces of evidence, which could include something you possess, something you are (biometric data),  locational data or something you’ve been gifted (an access key).

It can be instituted through the Azure Active Directory admin center.  From your main dashboard, scroll down to “security” on the side menu,  then select “Authentication methods” as shown below.

From here, passwordless sign-in options can be configured.  The current options include:

  • Microsoft Authenticator.  Enter a randomly generated number into your authenticator app for password-free sign in.
  • Window Hello.  Use biometric data or pins to access Windows devices.
  • FIDO2 security keys.  Hardware-based authentication typically involving the connection of USB devices.

While not all-encompassing, Microsoft 365’s native security features are a great foundation upon which to base your security strategy.  By exploring the features above, you’ll help ensure your Microsoft accounts remain beyond the reach of the hacking community.

Stay tuned for our next article, where we’ll give a quick rundown of 6 more ways to defend your Microsoft 365 accounts.


Since 2002, Echelon Technologies has been a leading provider of IT support and consulting, focusing on small and medium-sized businesses in the Greater Phoenix area. We have helped hundreds of companies, and thousands of users, to increase productivity and profitability by making IT a streamlined part of their operations. We equip our clients with customized technology solutions for greater operational value and to reduce risk. Please don’t hesitate to get in contact and see what we can do for you.