Defaults help, but they’re not enough anymore. Microsoft reports 600 million identity attacks every day, and more than 99% of those attacks focus on passwords. Microsoft also says it blocked 7,000 password attacks per second last year. That’s why we lock down Microsoft 365 for clients, so you reduce account takeovers, stop common phishing paths, and gain clear audit trails when something looks suspicious.
What Top Ranking Checklists Miss
Posts from AdminDroid, CoreView, SyncroMSP, Practical365, and O365reports share the same gaps.
- The choice between Security Defaults and Conditional Access is never explained.
- No report-only rollout, so the first enforced policy is also the first test.
- No break-glass plan.
- SPF, DKIM and DMARC are skipped.
- No verification steps, so you never learn whether the setting actually took effect.
Before You Touch Settings: 5-Minute Safety Prep
Confirm Roles And Access
You need an admin role that can actually change the setting. Global Administrator covers everything, but for day-to-day work use the least-privileged role that fits: Security Administrator for Conditional Access, Identity Protection and Defender for Office 365 policies; Exchange Administrator for mailbox forwarding, remote domain and mailbox audit settings.
Keep Global Administrator to a handful of named people (Microsoft recommends fewer than five) and confirm who holds it before you start.
Decide Your Baseline Path
Security Defaults are a free, one-switch baseline with the same rules for every tenant: MFA for all users, legacy authentication blocked, no exclusions and no report-only mode.
Conditional Access gives per-policy conditions, exclusions and report-only rollout, and needs Entra ID P1 (included in Microsoft 365 Business Premium, E3 and E5).
The two cannot run together: Microsoft requires Security Defaults to be off before Conditional Access policies are created, so decide the path up front rather than halfway through.
Create Two Break-Glass Accounts
Create two cloud-only emergency accounts on the onmicrosoft.com domain, not synced from on-premises AD and not tied to any one person's phone. Give them the Global Administrator role, protect them with long random passwords or FIDO2 keys, and store those credentials offline (a safe, not a shared mailbox).
Exclude them from the Conditional Access policies you roll out (Microsoft recommends excluding at least one emergency account from every policy) so a misconfigured policy cannot lock the tenant; the trade-off is that these accounts then rest entirely on the strength of their credential, so alert on every sign-in by them, because a use that is not a drill is an incident.
Turn On Microsoft Secure Score
Microsoft Secure Score measures posture and maps to improvement actions
Use it to show progress after each change
The 10 Microsoft 365 Security Settings We Lock Down For Clients
1) Enforce MFA For All Users
Goal: add a second factor beyond passwords, for every user, not just admins.
- Where: Security Defaults (MFA required for all users) or a Conditional Access policy targeting all users and all cloud apps with the "Require multifactor authentication" grant.
- Watch-outs: legacy protocols (POP, IMAP, SMTP AUTH, older Office clients) cannot prompt for MFA and simply bypass it, which is why item 2 exists; give users time to register a method before you enforce, or service accounts and shared mailboxes are the first things to break.
- Verify: in the Entra sign-in logs, open a recent sign-in and confirm the Authentication requirement column reads "Multifactor authentication" rather than "Single-factor authentication".
2) Block Legacy Authentication
Goal: stop legacy auth requests (Basic authentication over POP, IMAP, SMTP AUTH, ActiveSync and older Office clients), which carry only a password and bypass MFA entirely.
- Where: a Conditional Access policy targeting all users and all cloud apps, with client apps set to "Exchange ActiveSync clients" and "Other clients" and the grant set to Block (Microsoft ships this as the "Block legacy authentication" template).
- Rollout: create it in report-only mode first. Microsoft has already disabled Basic authentication for most Exchange Online protocols, but SMTP AUTH can still be re-enabled per tenant or per mailbox and legacy flows against other apps are unaffected, so expect a few scanners, printers and scripts to show up.
- Verify: in the sign-in logs, filter on Client app = Other clients or Exchange ActiveSync and read the report-only result on the Conditional Access tab; once the only hits are devices you have migrated or accepted, switch the policy to On.
3) Require Phishing-Resistant MFA For Admins
Goal: protect privileged roles with sign-in methods that cannot be phished or relayed through an attacker-in-the-middle proxy (push approvals and one-time codes can be).
- Where: Entra → Protection → Authentication methods to enable FIDO2 security keys and passkeys, then a Conditional Access policy targeting the privileged directory roles with the built-in "Phishing-resistant MFA" authentication strength.
- Recommended: passkeys or FIDO2 hardware keys for every admin role holder, with at least two keys registered per admin so a lost key is not a lockout; exclude the break-glass accounts.
- Verify: sign in as an admin end-to-end and confirm the policy demands the key, then confirm that a push or SMS method on its own is refused.
4) Add Risk-Based Access Policies
Goal: respond automatically to risky sign-ins (unfamiliar location, anonymous IP, leaked credentials) and to users Identity Protection has flagged as likely compromised.
- Where: Conditional Access policies using the sign-in risk and user risk conditions, fed by Entra ID Protection (Entra ID P2 required).
- Recommended: require MFA at medium or high sign-in risk; require MFA plus a password change at high user risk.
- Verify: confirm outcomes in the sign-in logs and in the Risky sign-ins and Risky users views; a risky sign-in that then passes MFA should clear its own risk.
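The identity baseline from items 1 to 4, written out as an added example (this is not code from the original post or from Microsoft): each policy is created with the Microsoft Graph PowerShell SDK in report-only mode, with the two break-glass accounts excluded, and the last step reads the report-only outcomes back from the sign-in logs. It assumes the Microsoft.Graph module, Entra ID P1 (P2 for the two risk policies), and placeholder values for the break-glass UPNs, policy names and the admin role list.

```powershell
# Added example, not from the original post: items 1-4 as Conditional Access
# policies in report-only mode, break-glass accounts excluded from every policy.
# Assumes Microsoft.Graph SDK, Entra ID P1 (P2 for CA004/CA005). Placeholders:
# break-glass UPNs, policy names, role list.
$scopes = @("Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All",
            "User.Read.All", "Directory.Read.All", "AuditLog.Read.All")
Connect-MgGraph -Scopes $scopes -NoWelcome

# Placeholder break-glass accounts, resolved to object IDs for the exclusion list
$breakGlassUpns = @("bg-admin-1@contoso.onmicrosoft.com", "bg-admin-2@contoso.onmicrosoft.com")
$breakGlassIds  = @($breakGlassUpns | ForEach-Object { (Get-MgUser -UserId $_).Id })

function New-ReportOnlyCaPolicy {
    # Forces report-only state and the break-glass exclusion onto every policy body.
    # Switch a policy to "enabled" only after its report-only results look right.
    param([Parameter(Mandatory)][hashtable]$Body)
    $Body.state = "enabledForReportingButNotEnforced"
    $Body.conditions.users.excludeUsers = $breakGlassIds
    New-MgIdentityConditionalAccessPolicy -BodyParameter $Body | Select-Object DisplayName, State
}

# Item 1: MFA for all users, all cloud apps
New-ReportOnlyCaPolicy -Body @{
    displayName   = "CA001 - Require MFA for all users"
    conditions    = @{ users = @{ includeUsers = @("All") }
                       applications = @{ includeApplications = @("All") }
                       clientAppTypes = @("all") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Item 2: block legacy authentication (ActiveSync + "Other clients" = Basic auth)
New-ReportOnlyCaPolicy -Body @{
    displayName   = "CA002 - Block legacy authentication"
    conditions    = @{ users = @{ includeUsers = @("All") }
                       applications = @{ includeApplications = @("All") }
                       clientAppTypes = @("exchangeActiveSync", "other") }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Item 3: phishing-resistant MFA for privileged roles. Role template IDs are
# looked up by name rather than hard-coded; adjust the list to your tenant.
$adminRoles   = @("Global Administrator", "Security Administrator", "Exchange Administrator",
                  "Conditional Access Administrator", "Privileged Role Administrator")
$adminRoleIds = @(Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -in $adminRoles } |
                  Select-Object -ExpandProperty Id)
New-ReportOnlyCaPolicy -Body @{
    displayName   = "CA003 - Phishing-resistant MFA for admins"
    conditions    = @{ users = @{ includeRoles = $adminRoleIds }
                       applications = @{ includeApplications = @("All") }
                       clientAppTypes = @("all") }
    # Built-in "Phishing-resistant MFA" authentication strength (FIDO2/passkeys, CBA, WHfB)
    grantControls = @{ operator = "OR"; authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" } }
}

# Item 4: risk-based policies (Entra ID P2)
New-ReportOnlyCaPolicy -Body @{
    displayName   = "CA004 - Require MFA at medium or high sign-in risk"
    conditions    = @{ users = @{ includeUsers = @("All") }
                       applications = @{ includeApplications = @("All") }
                       clientAppTypes = @("all"); signInRiskLevels = @("medium", "high") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-ReportOnlyCaPolicy -Body @{
    displayName   = "CA005 - Require MFA and password change at high user risk"
    conditions    = @{ users = @{ includeUsers = @("All") }
                       applications = @{ includeApplications = @("All") }
                       clientAppTypes = @("all"); userRiskLevels = @("high") }
    # passwordChange must be combined with mfa using AND, or Graph rejects the policy
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}

# Verify: report-only outcomes per policy across the last 24 hours of interactive sign-ins
$since = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    ForEach-Object { $_.AppliedConditionalAccessPolicies } |
    Where-Object { $_.Result -like "reportOnly*" } |
    Group-Object -Property DisplayName, Result |
    Select-Object Count, Name | Sort-Object Name | Format-Table -AutoSize
```

A reportOnlyFailure row against CA002 is a sign-in the policy would have blocked, which makes that table your legacy-auth inventory. When the remaining rows are all accepted or migrated, enforce one policy at a time with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled`, and test a break-glass sign-in after each change.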
5) Turn On Baseline Security Mode
Goal: apply the baseline security settings offered in the admin center.
- Where: Microsoft 365 admin center → Baseline Security Mode.
- Recommended: treat it as a starting point and refine with the items above; it does not replace a reviewed Conditional Access design.
- Verify: recheck Baseline Security Mode after each later change so an edit elsewhere has not switched something off.
6) Tune Defender Anti-Phishing Policies
Goal: reduce spoofing and impersonation risk (look-alike sender names, look-alike domains, and mail that fails authentication).
- Where: Microsoft Defender portal → Email & collaboration → Policies & rules → Threat policies → Anti-phishing; the default policy applies to everyone unless a custom policy takes precedence.
- Recommended: user impersonation protection for executives and finance, domain impersonation protection for your own and key partner domains, mailbox intelligence with impersonation protection, spoof intelligence, quarantine as the action, and Microsoft's Standard preset as the floor.
- Verify: send a test from an external address whose display name matches a protected executive and confirm it is quarantined or tagged, then review the impersonation insight on the policy.
7) Enable Safe Links And Safe Attachments
Goal: stop malicious URLs and weaponized files, including links that turn malicious after delivery.
- Where: Defender for Office 365 Safe Attachments and Safe Links policies (Plan 1 or 2, included in Business Premium and E5).
- Recommended: start from Microsoft's Standard preset: Safe Attachments action Block, Safe Links rewriting for email, Teams and Office apps with click-through disabled, and Safe Attachments turned on for SharePoint, OneDrive and Teams.
- Verify: watch the Threat protection status report, and send yourself a message containing Microsoft's Safe Links test URL (http://spamlink.contoso.com) to confirm the warning page appears.
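Items 6 and 7 configured from Exchange Online PowerShell, as an added example that is not part of the original post or Microsoft's own documentation. It tightens the default anti-phishing policy, then creates Safe Attachments and Safe Links policies scoped to a pilot group so the week-2 rollout starts with priority users. Assumes the ExchangeOnlineManagement module and Defender for Office 365 Plan 1 or 2; the executive names, partner domain and pilot group address are placeholders.

```powershell
# Added example, not from the original post: items 6 and 7 via ExchangeOnlineManagement.
# Placeholders: executive names, partner domain, pilot group. Requires Defender for Office 365.
Connect-ExchangeOnline -ShowBanner:$false

$pilotGroup = "sec-pilot@contoso.com"              # placeholder mail-enabled group for the pilot
$executives = @("Jane Doe;jane.doe@contoso.com",   # placeholder; the cmdlet expects "DisplayName;email"
                "John Roe;john.roe@contoso.com")

# Item 6: impersonation, mailbox intelligence and spoof protection on the default policy.
# PhishThresholdLevel 3 is the value in Microsoft's Standard preset.
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $executives `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect @("partner.example") `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 3 `
    -EnableFirstContactSafetyTips $true -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true -EnableUnusualCharactersSafetyTips $true `
    -EnableUnauthenticatedSender $true -EnableViaTag $true

# Item 7: Safe Attachments (Block) and Safe Links, scoped to the pilot group first.
# Each policy needs a rule to decide who it applies to.
New-SafeAttachmentPolicy -Name "Safe Attachments - Pilot" -Enable $true -Action Block -Redirect $false
New-SafeAttachmentRule -Name "Safe Attachments - Pilot" -SafeAttachmentPolicy "Safe Attachments - Pilot" `
    -SentToMemberOf $pilotGroup

New-SafeLinksPolicy -Name "Safe Links - Pilot" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "Safe Links - Pilot" -SafeLinksPolicy "Safe Links - Pilot" -SentToMemberOf $pilotGroup

# Safe Attachments for SharePoint, OneDrive and Teams is a tenant-wide switch, not per policy
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify: read the effective settings back rather than trusting the portal view
Get-AntiPhishPolicy -Identity "Office365 AntiPhish Default" |
    Format-List EnableTargetedUserProtection, EnableMailboxIntelligenceProtection, EnableSpoofIntelligence, PhishThresholdLevel
Get-SafeAttachmentRule | Format-Table Name, State, SentToMemberOf
Get-SafeLinksRule      | Format-Table Name, State, SentToMemberOf
```

To widen the pilot, change the rule's recipient condition to `-RecipientDomainIs contoso.com` rather than creating a second policy; Microsoft's Standard and Strict preset policies also exist if you prefer settings you never have to tune by hand.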
8) Publish SPF, DKIM, And DMARC
Goal: stop spoofed senders and let receiving mail systems verify that mail claiming your domain really came from you.
- Where: DNS for each sending domain. SPF is one TXT record (for Microsoft 365 alone, v=spf1 include:spf.protection.outlook.com -all), DKIM is two CNAME records pointing at the selector keys Exchange Online generates, and DMARC is a TXT record at _dmarc.<domain>.
- Recommended: stage DMARC from p=none with aggregate reporting, to quarantine, to reject, moving on only when the reports show every legitimate sender (marketing platform, ticketing, printers, payroll) is passing SPF or DKIM alignment.
- Verify: validate each record from public DNS, confirm DKIM signing is enabled in Exchange Online, and read the DMARC aggregate reports for a few weeks before each stage.
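The DKIM enablement and the DNS verification from item 8, as an added example (not code from the original post). It asks Exchange Online for the two DKIM CNAMEs to publish, checks SPF, DKIM and DMARC from public DNS the way a receiving server would, and only turns signing on once the CNAMEs resolve. Assumes the ExchangeOnlineManagement module and Windows' Resolve-DnsName; the domain and DMARC reporting mailbox are placeholders.

```powershell
# Added example, not from the original post: DKIM enablement plus SPF/DKIM/DMARC
# verification from public DNS. Assumes ExchangeOnlineManagement and the Windows
# DnsClient module. Placeholders: domain, DMARC reporting mailbox.
Connect-ExchangeOnline -ShowBanner:$false
$domain = "contoso.com"   # placeholder

# Exchange Online generates the selector1/selector2 keys; both CNAMEs must exist
# in public DNS before signing is switched on, or outbound DKIM validation fails.
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -Enabled $false | Out-Null
}
$dkim = Get-DkimSigningConfig -Identity $domain
"selector1._domainkey.$domain  CNAME  $($dkim.Selector1CNAME)"
"selector2._domainkey.$domain  CNAME  $($dkim.Selector2CNAME)"

function Test-MailAuthDns {
    # Returns one object summarising what a receiving mail server sees for $Domain
    param([Parameter(Mandatory)][string]$Domain)
    $txt = { param($Name, $Prefix)
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Strings -join "" } |          # long TXT records are split into chunks
            Where-Object { $_ -like "$Prefix*" } | Select-Object -First 1 }
    $spf   = & $txt $Domain "v=spf1"
    $dmarc = & $txt "_dmarc.$Domain" "v=DMARC1"
    $dkimOk = foreach ($sel in "selector1", "selector2") {
        $c = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        [bool]($c.NameHost -like "*._domainkey.*.onmicrosoft.com")
    }
    $policy = if ($dmarc -match "p=(none|quarantine|reject)") { $Matches[1] } else { "missing" }
    [pscustomobject]@{
        Domain            = $Domain
        SpfPresent        = [bool]$spf
        SpfIncludesM365   = [bool]($spf -like "*include:spf.protection.outlook.com*")
        SpfEndsHardFail   = [bool]($spf -like "*-all")      # ~all is soft fail, ?all is neutral
        DkimCnamesOk      = @($dkimOk) -notcontains $false
        DmarcPolicy       = $policy
        DmarcHasReporting = [bool]($dmarc -like "*rua=mailto:*")
    }
}
Test-MailAuthDns -Domain $domain | Format-List

# Staged DMARC records for _dmarc.contoso.com, published one at a time and moved on
# only when the aggregate (rua) reports show every legitimate sender passing:
#   v=DMARC1; p=none; rua=mailto:dmarc-reports@contoso.com
#   v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@contoso.com
#   v=DMARC1; p=reject; rua=mailto:dmarc-reports@contoso.com

# Turn signing on once both CNAMEs resolve
if ((Test-MailAuthDns -Domain $domain).DkimCnamesOk) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
}
```

The function does not count SPF DNS lookups; if you add includes for marketing or ticketing platforms, keep the total under the ten-lookup limit from RFC 7208 or receivers treat the record as a permanent error.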
9) Block External Auto-Forwarding
Goal: stop silent data leaks through inbox rules; an attacker who takes over one mailbox usually sets up forwarding first so they keep reading after the password is reset.
- Where: Defender portal → Email & collaboration → Policies & rules → Anti-spam → Outbound spam policy → Automatic forwarding. The tenant default is the system-controlled "Automatic" setting, which currently behaves as Off, but set it explicitly.
- Recommended: Off in the default policy, then a separate outbound policy scoped to the named group that genuinely needs forwarding, with the exception documented.
- Verify: create an inbox rule forwarding to an external address; the rule saves, but the forwarded copy bounces with a 5.7.520 "Access denied, Your organization does not allow external forwarding" NDR.
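Item 9 in Exchange Online PowerShell, as an added example that is not part of the original post: inventory the forwarding that already exists (mailbox-level and inbox rules), block external auto-forwarding in the default outbound spam policy, carve out a documented exception group, and read the result back. Assumes the ExchangeOnlineManagement module; the exception group address is a placeholder.

```powershell
# Added example, not from the original post: inventory, block and verify external
# auto-forwarding. Assumes ExchangeOnlineManagement. Placeholder: exception group.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Inventory before blocking. Mailbox-level forwarding set by admins or via OWA settings:
Get-Mailbox -ResultSize Unlimited -Filter 'ForwardingSmtpAddress -ne $null -or ForwardingAddress -ne $null' |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Inbox rules that forward or redirect: the usual first move after a mailbox takeover
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
} | Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo

# 2. Block in the default outbound spam policy. "Automatic" is system-controlled and
#    currently means Off; an explicit Off survives any future change to that default.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
# The remote domain flag is the older control for the same behaviour; keep both consistent
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 3. Exception: a dedicated policy for a named, documented group that may forward
New-HostedOutboundSpamFilterPolicy -Name "Outbound - Forwarding allowed" -AutoForwardingMode On
New-HostedOutboundSpamFilterRule -Name "Outbound - Forwarding allowed" `
    -HostedOutboundSpamFilterPolicy "Outbound - Forwarding allowed" `
    -FromMemberOf "forwarding-exceptions@contoso.com"   # placeholder group

# 4. Verify: read back, then create a test rule to an external address. The rule
#    saves, but the forwarded copy bounces with 5.7.520 "Access denied, Your
#    organization does not allow external forwarding."
Get-HostedOutboundSpamFilterPolicy | Format-Table Name, AutoForwardingMode
Get-RemoteDomain -Identity Default | Format-Table Name, AutoForwardEnabled
```

Anything the inventory turned up that is not in the exception group should be removed and its owner asked why it existed; forwarding to a personal mailbox found in step 1 is a finding to investigate, not a setting to tidy up.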
10) Turn On Audit Logging And Mailbox Auditing
Goal: investigate "who changed what" fast: which account created an inbox rule, changed a forwarding address, or edited an outbound policy, from which IP, and when.
- Where: the unified audit log in the Purview portal (on by default for most tenants, but confirm it), plus mailbox auditing, which Exchange Online has enabled by default since 2019.
- Recommended: confirm both are on, know your retention (180 days by default for Audit (Standard), longer with E5 or the audit add-on), and check that admin cmdlets, inbox rule changes and forwarding changes are being recorded.
- Verify: search the audit log for a change you just made and confirm it shows the actor, timestamp and client IP.
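Item 10 in Exchange Online PowerShell, as an added example that is not part of the original post: confirm unified audit log ingestion and mailbox auditing are on, then pull a "who changed what" view of inbox-rule, forwarding and outbound-policy changes from the last seven days. Assumes the ExchangeOnlineManagement module and a tenant with unified audit logging available.

```powershell
# Added example, not from the original post: confirm auditing is on and produce a
# "who changed what" view for the changes this checklist cares about.
# Assumes ExchangeOnlineManagement.
Connect-ExchangeOnline -ShowBanner:$false

# Unified audit log ingestion: on by default for most tenants, but verify rather than assume
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
# Mailbox auditing by default: the org-level AuditDisabled switch must be $false
if ((Get-OrganizationConfig).AuditDisabled) { Set-OrganizationConfig -AuditDisabled $false }
# Mailboxes where someone explicitly switched auditing off
Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.AuditEnabled } |
    Set-Mailbox -AuditEnabled $true

# Changes worth reviewing weekly: admin cmdlets plus user-side inbox rule edits
$ops   = @("New-InboxRule", "Set-InboxRule", "Remove-InboxRule", "UpdateInboxRules",
           "Set-Mailbox", "Set-HostedOutboundSpamFilterPolicy", "Set-RemoteDomain")
$end   = Get-Date
$start = $end.AddDays(-7)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 5000

$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json           # the detail record is a JSON string
    [pscustomobject]@{
        Time       = $_.CreationDate
        Actor      = $_.UserIds
        Operation  = $_.Operations
        Target     = $d.ObjectId                    # mailbox or object acted on
        ClientIP   = $d.ClientIP
        # Exchange admin events carry the cmdlet parameters; user-side UpdateInboxRules
        # events have no Parameters array, so this column is empty for them
        Parameters = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

A Set-Mailbox with ForwardingSmtpAddress in the parameters, or a New-InboxRule with ForwardTo, attributed to a user account rather than an admin, is the pattern to alert on; Search-UnifiedAuditLog caps a single call at 5000 results, so page with -SessionId and -SessionCommand ReturnLargeSet if a busy tenant exceeds that.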
What These Settings Don’t Replace
You Still Need Device Controls
Conditional Access is Microsoft's Zero Trust policy engine for enforcing access decisions, and device state is one of the signals it can require.
MFA does not stop a session token stolen from an infected endpoint or through an attacker-in-the-middle phishing proxy from being replayed; requiring a compliant (Intune-managed) or hybrid-joined device adds a signal the attacker cannot supply from their own machine. If devices are unmanaged, add device compliance controls to reduce that risk.
You Still Need User Training
Verizon's DBIR reports that pretexting incidents, the social engineering behind most business email compromise, often lead to BEC and account for about 24% to 25% of financially motivated attacks.
Verizon also reports that the median BEC transaction was around $50,000, so a single successful lure can cost more than the licensing for every control on this page.
You Still Need Backups
Mailbox audit guidance and retention behavior are not a full backup plan
Back up what you cannot lose
A Simple Rollout Plan That Avoids Lockouts
Week 1: Identity Baseline
Enable Security Defaults or Conditional Access baselines
Deploy legacy auth blocking in report-only, then enforce in stages
Week 2: Email Protection
Apply Microsoft’s recommended settings guidance for EOP and Defender
Turn on Safe Links and Safe Attachments for priority groups first
Week 3: Domain Trust And Forwarding Controls
Publish SPF, DKIM, and DMARC for each sending domain
Disable external auto-forwarding, then document exceptions
Week 4: Visibility And Maintenance
Track Secure Score history monthly
Review sign-ins, quarantine, and audit logs monthly
Lock It Down, Prove It, Keep It Simple
Start with identity, then secure email, then tighten visibility. Roll changes out in report-only, keep two break-glass accounts, and track Microsoft Secure Score every month to prove progress. Ready to harden your tenant without breaking sign-ins? Book a Microsoft 365 security audit today.
FAQs
Should I use security defaults or conditional access?
Security Defaults are a fast, free baseline with no exclusions. Conditional Access is flexible, supports report-only rollout, and needs Entra ID P1.
What are the first three settings to apply?
MFA for all users first, the legacy auth block in report-only second, and anti-phishing policies third.
Where do I find recommended email settings?
Microsoft publishes recommended settings for EOP and Defender for Office 365
What is Microsoft Secure Score?
Secure Score measures your tenant's security posture as a percentage and lists the improvement actions, with their point values, that would raise it.