Most lists of Microsoft 365 security best practices have the same problem: they are flat. Thirty bullet points, no order, no sense of which one closes a real attack path and which one is a nice-to-have. Meanwhile the tenant's defaults quietly favour convenience over security, and the settings you "fixed" six months ago have drifted back.
This guide is different in two ways. First, it is prioritised — identity and email come before everything else, because that is where the consequential misconfigurations live. Second, every practice is mapped to the CIS Microsoft 365 Foundations Benchmark v5.0.0, which defines 129 controls across 9 sections, so you are working against an external standard rather than one vendor's opinion. If you want the fast, do-these-now version, our Microsoft 365 security checklist is the companion to this piece; this one explains the why and the order.
How to Prioritise Microsoft 365 Security Best Practices
You do not harden a tenant by working through 129 controls alphabetically. You start where the blast radius is largest.
The CIS Microsoft 365 Foundations Benchmark organises its 129 controls into 9 sections, and they are not equal in weight. Microsoft Entra (Identity) is by far the largest at 37 controls, and Microsoft Defender for Office 365 adds another 19 — together, well over 40% of the benchmark, and the two areas where a single bad setting most often turns into an incident. Do those first. Data, devices, collaboration, and analytics follow.
Here is the order this guide uses, with the CIS section behind each:
- Identity and access — Section 5 (37 controls)
- Email security — Section 2, Defender (19 controls) and Section 6, Exchange (11 controls)
- Data protection and sharing — Section 3, Purview (4) and Section 7, SharePoint & OneDrive (15)
- Devices — Section 4, Intune (2 controls)
- Collaboration — Section 8, Teams (16 controls)
- Analytics — Section 9, Microsoft Fabric / Power BI (11 controls)
1. Identity and Access — Start Here
Identity is the most exploited attack surface in Microsoft 365, which is exactly why it is the benchmark's largest section. Get these right before touching anything else.
- Require MFA for every user, with no standing exclusions. This is the single highest-impact control. The catch is not turning MFA on — it is the exclusions that accumulate on Conditional Access policies and quietly exempt the accounts that matter most, including admins. Audit the exclusion list, not just the policy.
- Block legacy authentication. Basic-auth protocols (IMAP, POP3, SMTP AUTH) bypass modern authentication entirely, which means they bypass MFA. Disable them at the tenant level and create narrow, documented exceptions only where genuinely unavoidable.
- Use just-in-time admin access with Privileged Identity Management. Standing Global Administrator assignments are a permanent liability. PIM makes privileged roles time-bound and approved, so admin rights exist only when they are being used.
- Minimise and dedicate admin accounts. Keep the number of Global Administrators as low as your operations allow, give admins dedicated cloud-only accounts rather than using their day-to-day mailbox identity, and define two emergency access (break-glass) accounts so tightening admin access can never lock you out.
- Turn on self-service password reset and password protection. Combine SSPR with banned-password lists so users cannot reset to weak or predictable credentials.
Identity best practices are also where modern attacks concentrate — techniques like device-code phishing succeed specifically against tenants left at permissive identity defaults, without ever defeating MFA head-on.
2. Email Security — The Second Priority
Email is how most attacks arrive. The benchmark splits this across Defender for Office 365 (19 controls) and Exchange Online (11 controls).
- Apply Safe Links and Safe Attachments to every user. Microsoft's default protection is not sufficient for a benchmark-aligned posture. Safe Links should rewrite URLs at click time, Safe Attachments should detonate files in a sandbox before delivery, and both must cover all users — not just a pilot group from an old rollout.
- Configure anti-phishing impersonation protection for your key people and sending domains, rather than relying on the broad default policy.
- Get your mail authentication right: SPF, DKIM, and DMARC. A DMARC record at
p=noneonly monitors — it does not stop spoofing. Move top=quarantine, thenp=reject, once you have confirmed legitimate mail is not caught. - Disable SMTP AUTH at the tenant level, with mailbox-level exceptions only for services that genuinely cannot use OAuth.
- Confirm mailbox auditing is on for every mailbox type, including shared and service mailboxes, which are the ones most often left unaudited.
3. Data Protection and Sharing
This spans Microsoft Purview (4 controls) and SharePoint Online & OneDrive (15 controls) — small and large, but both foundational.
- Enable the Unified Audit Log first. Without it you have no record of tenant activity — you cannot investigate an incident or answer an auditor. It belongs at the very top of the data section, not the bottom.
- Restrict external sharing defaults. "Anyone" links with no expiry are a standing data-leak risk. Require authentication for external links at minimum, and enforce expiry on any anonymous links you do permit.
- Lay the groundwork for Data Loss Prevention and Information Protection so sensitive content is classified and its movement is controlled, rather than trusting users to get it right every time.
4. Devices — Small Section, Real Leverage
Intune has only 2 controls in the benchmark, but they punch above their weight.
- Define device compliance policies that actually specify what "compliant" means (encryption, OS version, PIN, and so on).
- Require device compliance in Conditional Access for access to corporate resources — a compliant-device requirement is only meaningful if the compliance policy behind it is real.
5. Collaboration — Teams
Teams carries 16 controls, more than SharePoint, because it has become the default doorway for external collaboration and its defaults lean heavily towards openness.
- Restrict external access to an allow-list of named domains rather than "all external domains".
- Disable or lobby-gate anonymous meeting join, so a forwarded link is not an open door.
- Scope guest permissions to the minimum a given collaboration needs, instead of letting guests see every channel and file in a team.
6. Analytics — Microsoft Fabric / Power BI
The final section, 11 controls, is the one most often forgotten because it lives in a separate admin portal. Tenant settings there control who can publish reports, share dashboards externally, and embed content in other applications — and they default to permissive. Review them and restrict to what your organisation actually uses.
The Best Practice Most Teams Miss: Keep It Enforced
Every practice above is a point-in-time fix. The best practice that ties them together is treating security posture as a state you keep proving, not a project you finish.
Configuration drifts. An exclusion is added for a migration and never removed; a sharing setting is loosened for one project and left open. Your Microsoft Secure Score gives you a rough directional signal, but it is a single weighted number that can still show green while a specific high-severity control quietly fails. The durable best practice is continuous monitoring with drift detection — so the moment a control regresses, you know, instead of discovering it at the next annual review.
Microsoft 365 Security Best Practices — Quick Checklist
A condensed reference you can run through after any significant change to your tenant:
Identity (CIS Section 5)
- [ ] MFA enforced for all users, exclusion lists audited
- [ ] Legacy authentication blocked tenant-wide
- [ ] Privileged Identity Management active for privileged roles
- [ ] Global Administrators minimised, dedicated, and cloud-only
- [ ] Two emergency access accounts defined
- [ ] Self-service password reset and password protection on
Email (CIS Sections 2 & 6)
- [ ] Safe Links and Safe Attachments applied to all users
- [ ] Anti-phishing impersonation protection configured
- [ ] SPF, DKIM, and DMARC (
p=quarantineorp=reject) in place - [ ] SMTP AUTH and legacy authentication disabled
- [ ] Mailbox auditing on for all mailbox types
Data & sharing (CIS Sections 3 & 7)
- [ ] Unified Audit Log enabled and verified
- [ ] External sharing restricted; anonymous links expire
- [ ] DLP and sensitivity labelling in progress
Devices, collaboration & analytics (CIS Sections 4, 8 & 9)
- [ ] Intune compliance policies defined and required in Conditional Access
- [ ] Teams external access on an allow-list; anonymous join restricted; guests scoped
- [ ] Fabric / Power BI tenant sharing settings restricted
For the step-by-step version of this list, see the Microsoft 365 security checklist. For the full control-by-control procedure, follow the Microsoft 365 security audit guide.
Automate and Enforce Best Practices with ConfigCobra
Knowing the best practices is the easy part. Proving all 129 controls are in place across nine admin portals — and staying that way — is the hard part.
ConfigCobra connects to your tenant using read-only Microsoft Graph permissions — no agents, no scripts in your environment, no admin password shared — and runs the full CIS Microsoft 365 Foundations Benchmark v5.0.0 assessment, all 129 controls across 9 sections, in 20–25 minutes. For every finding you get a pass / fail / partial status, the actual configuration value evaluated, severity tagged from the benchmark, and a copy-paste remediation script (PowerShell or admin-portal steps) — plus a CIS-certified PDF report with a timestamped tenant snapshot for your audit file.
Then it keeps the practices enforced: continuous monitoring runs on the cadence you choose and alerts you the moment a control regresses, so drift is caught when it happens. It works across more than one tenant, too — assess subsidiaries or client tenants from one workspace, with a read-only auditor seat for clients or external auditors. And for teams using AI assistants, the ConfigCobra MCP server answers plain-language questions from your live scan data — "which of my admin accounts are excluded from Conditional Access?" — rather than a static report.
You can run a free assessment covering 15 of the 129 controls against your own tenant right now, or book a demo to see the complete assessment and exactly which best practices your tenant is missing.
Frequently Asked Questions
What are the most important Microsoft 365 security best practices?
Identity and email come first. Enforce MFA for every user with no standing exclusions, block legacy authentication, use just-in-time admin access, and apply Safe Links / Safe Attachments and DMARC to all users. These map to the two largest sections of the CIS benchmark — Microsoft Entra (37 controls) and Defender for Office 365 (19 controls) — and close the attack paths most commonly exploited.
How many Microsoft 365 security controls are there?
The CIS Microsoft 365 Foundations Benchmark v5.0.0 defines 129 controls across 9 sections, covering the Microsoft 365 admin center, Microsoft Entra, Microsoft Defender, Microsoft Purview, Microsoft Intune, Exchange Online, SharePoint & OneDrive, Microsoft Teams, and Microsoft Fabric / Power BI.
Are best practices the same as a Microsoft 365 security assessment?
No. Best practices tell you what to do; an assessment measures which of them are actually in place. A Microsoft 365 security assessment evaluates your tenant control by control against the CIS benchmark and prioritises the gaps by severity.
How often should I review Microsoft 365 security best practices?
Continuously, not annually. Settings drift as exclusions and exceptions accumulate, so the practice that matters most is monitoring for regression — being told the moment a control fails, rather than finding out at the next review.
Related reading