Why Configuration Matters More Than Licenses
Many organizations invest in premium Microsoft 365 licenses but leave security features disabled or misconfigured. You're paying for protection you're not using. Meanwhile, attackers are exploiting gaps—compromised credentials, exposed data, ransomware spread—that proper configuration would have prevented.
The good news: most Microsoft 365 security features are included in standard licenses. The challenge is knowing what to configure and in what order. This checklist walks through the critical settings every IT leader should verify.
Identity and Access Security
✓ Enable Multi-Factor Authentication (MFA)
This is non-negotiable. MFA stops 99.9% of account takeover attacks. Every user should authenticate with something they have (phone, authenticator app) in addition to something they know (password).
- Require MFA for all users—no exceptions
- Use authenticator apps (Microsoft Authenticator, Google Authenticator) over SMS when possible
- Configure MFA enforcement at the tenant level via Azure AD
- Set a deadline—if not enforced, users will delay indefinitely
✓ Implement Conditional Access
Conditional access adds intelligence to authentication. It evaluates risk factors—location, device health, sign-in patterns—and responds accordingly. Suspicious sign-ins can be blocked outright or challenged for additional authentication.
- Require compliant devices for sensitive apps
- Block sign-ins from unusual locations automatically
- Require re-authentication for high-risk operations
- Create policies that adapt to your organization's actual risk profile
✓ Monitor and Respond to Risky Sign-In Activity
Azure AD Identity Protection detects compromised accounts in real time. Integrate these signals into your incident response—fast response stops attacks before they spread.
- Review risky sign-in alerts at least weekly
- Investigate impossible travel alerts (sign-ins from two locations too far apart to travel between in the elapsed time)
- Reset passwords for compromised accounts immediately
- Set up automated response rules where possible
✓ Disable Legacy Authentication
Legacy authentication protocols (basic auth, NTLM) bypass modern security controls and are the entry point for many attacks. Modern clients don't need them.
- Block legacy authentication protocols via conditional access
- Migrate applications and devices to modern auth before disabling
- Provide clear communication so IT isn't surprised by access denials
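As an added example (not from the original checklist), this Microsoft Graph PowerShell snippet creates the conditional access policy that blocks legacy authentication clients, starting in report-only mode so that the "migrate before disabling" step can be verified from the sign-in logs before enforcement. It assumes the Microsoft.Graph module is installed and that the break-glass group ID is replaced with your own placeholder value.

```powershell
# Added example, not the checklist's own code. Requires the Microsoft Graph
# PowerShell SDK and a scope that can write conditional access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of your emergency-access (break-glass) group. Excluding it
# keeps an admin path open if the policy blocks more than intended.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

$policy = @{
    displayName = "Block legacy authentication (report-only)"
    # Report-only: sign-ins are evaluated and logged, not blocked, so remaining
    # legacy clients show up in the sign-in log before anyone is cut off.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{ includeApplications = @("All") }
        # The two client app types Azure AD classifies as legacy: Exchange ActiveSync
        # and "other clients" (IMAP, POP, SMTP AUTH, older Office builds).
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Once the sign-in logs show no legitimate legacy traffic, switch to enforcement:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Review the report-only results in the Azure AD sign-in logs for at least a full business cycle before flipping the state, since some service accounts and multifunction printers only authenticate on a schedule.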
Data and Email Security
✓ Enable Advanced Threat Protection (Defender for Office 365)
Email is still the primary attack vector. Advanced Threat Protection uses AI to detect phishing, malware, and business email compromise attacks that basic filtering misses.
- Enable Safe Links to scan URLs in real time
- Enable Safe Attachments to detonate files in a sandbox environment
- Enable anti-phishing policies with impersonation protection
- Set up alerts for suspicious email patterns
✓ Configure Data Loss Prevention (DLP)
DLP prevents sensitive data from leaving your organization—whether accidentally by an employee or intentionally by an attacker. Set rules based on your industry and data types.
- Identify what data types matter (credit cards, PII, proprietary info)
- Create rules that prevent those types from being shared externally
- Start in audit mode, then move to enforcement when you understand patterns
- Exclude roles that need more flexibility; enforce for everyone else
✓ Enable Sensitivity Labels and Encryption
Sensitivity labels classify data by sensitivity and apply protections automatically. Encryption ensures data remains protected even if it reaches unauthorized users.
- Create labels for internal, confidential, and public data
- Apply encryption to sensitive emails automatically
- Train users to apply labels consciously
- Enforce label application for certain document types
Threat Detection and Response
✓ Enable Microsoft Defender for Cloud Apps
Defender for Cloud Apps gives visibility into your organization's SaaS applications and detects risky user behavior, compromised accounts, and data exfiltration happening within them.
- Monitor for impossible travel and suspicious activities
- Detect mass file downloads or sharing by single users
- Investigate alerts through integrated dashboards
- Block high-risk sessions in real time
✓ Configure Audit Logging and Review Regularly
If you're not logging, you're not investigating. Microsoft 365 logs everything; you need to look at it.
- Enable unified audit log for all Microsoft 365 services
- Set up alerts for high-risk activities (admin role changes, forwarding rules, mailbox exports)
- Export logs regularly for long-term retention
- Review logs at least weekly for anomalies
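The high-risk activities listed above can be picked out of unified audit log records with a short filter. This added example (not from the original checklist) flags inbox rules that forward, redirect or silently delete mail, admin role membership changes, and mailbox export requests. The records it runs over are constructed samples in the shape Search-UnifiedAuditLog returns; in production you would pass that cmdlet's output instead.

```powershell
# Added example, not the checklist's own code. Flags the high-risk operations named
# in the checklist. Sample records are constructed; feed Search-UnifiedAuditLog output
# (Exchange Online PowerShell) to the function in production.
$ForwardingParams = @("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage")
$HighRiskOps      = @("New-MailboxExportRequest", "Add member to role.")

function Find-HighRiskAuditEvents {
    param([Parameter(Mandatory)] [object[]] $Records)

    foreach ($r in $Records) {
        $data   = $r.AuditData | ConvertFrom-Json   # AuditData is a JSON string per record
        $reason = $null

        if ($data.Operation -in @("New-InboxRule", "Set-InboxRule")) {
            # An inbox rule is only interesting when it forwards, redirects or deletes mail
            $hits = $data.Parameters | Where-Object { $_.Name -in $ForwardingParams }
            if ($hits) {
                $detail = ($hits | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ", "
                $reason = "Inbox rule with $detail"
            }
        }
        elseif ($data.Operation -in $HighRiskOps) {
            $reason = "Privileged operation: $($data.Operation)"
        }

        if ($reason) {
            [pscustomobject]@{ Time = $r.CreationDate; User = $data.UserId; Reason = $reason }
        }
    }
}

# Constructed sample records: one forwarding rule, one benign archive rule,
# one role membership change and one mailbox export.
$sample = @(
    [pscustomobject]@{ CreationDate = "2024-05-01T08:12:00Z"; AuditData = '{"Operation":"New-InboxRule","UserId":"alice@contoso.example","Parameters":[{"Name":"Name","Value":"Finance"},{"Name":"ForwardTo","Value":"mailbox@external.example"},{"Name":"DeleteMessage","Value":"True"}]}' }
    [pscustomobject]@{ CreationDate = "2024-05-01T08:15:00Z"; AuditData = '{"Operation":"New-InboxRule","UserId":"bob@contoso.example","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Archive"}]}' }
    [pscustomobject]@{ CreationDate = "2024-05-01T09:02:00Z"; AuditData = '{"Operation":"Add member to role.","UserId":"admin@contoso.example"}' }
    [pscustomobject]@{ CreationDate = "2024-05-01T09:30:00Z"; AuditData = '{"Operation":"New-MailboxExportRequest","UserId":"admin@contoso.example","Parameters":[{"Name":"Mailbox","Value":"ceo"}]}' }
)

Find-HighRiskAuditEvents -Records $sample | Format-Table -AutoSize
```

Only the forwarding rule, the role change and the export are reported; the archive rule is skipped because none of its parameters move mail outside the mailbox.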
✓ Set Up Incident Response Processes
Alerts are worthless if you don't respond quickly. Define who investigates what, how escalation works, and how fast you need to act.
- Assign clear ownership for different alert types
- Create runbooks for common incidents (compromised account, phishing link, data exfiltration)
- Practice incident response quarterly
- Document lessons learned after each incident
Organizational and Compliance Controls
✓ Configure External Sharing Policies
External sharing is necessary but risky. Control who can share what with whom.
- Require approval for external sharing by default
- Restrict external sharing to specific domains if possible
- Monitor external sharing patterns for abuse
- Set expiration dates on shared access
✓ Implement Application Consent Policies
Malicious apps often trick users into granting broad permissions. Control what third-party apps can access.
- Disable user consent for applications by default
- Review and approve apps before allowing organization-wide use
- Periodically audit app permissions and disable unused apps
- Be especially strict with apps requesting email or file access
✓ Enable Device Compliance and Device Management
Compromised or unmanaged devices are a primary infection vector. Require devices to be compliant before accessing sensitive resources.
- Require password protection on all devices
- Require encryption on mobile devices and laptops
- Enforce antivirus/antimalware requirements
- Block access from non-compliant devices automatically
The Quick Wins
If you're not sure where to start, focus on these first (deploy them in this order):
- Enable MFA (1-2 weeks) - Stops most account takeovers
- Enable Defender for Office 365 (1 week) - Catches phishing and malware
- Block legacy authentication (1 week) - Prevents legacy-based attacks
- Enable conditional access (2-3 weeks) - Adds intelligence to authentication
- Configure DLP (2-4 weeks) - Prevents data loss
These five changes prevent the majority of attacks against organizations your size.
Don't Go It Alone
Microsoft 365 security is complex, and misconfiguration is common. If your team lacks expertise in Microsoft 365 security or conditional access, that's the exact area where external expertise adds tremendous value.
A proper security assessment will identify which of these controls you're missing and prioritize them based on your risk profile. Then you can tackle them systematically instead of guessing.
Need Expert Help Securing Microsoft 365?
Let's audit your current configuration, identify gaps, and create a roadmap to protect your organization.