A Microsoft 365 tenant is not secure just because MFA is switched on for a few people. The minimum baseline combines protected identities, separate admin accounts, Security Defaults or Conditional Access, blocked legacy authentication, managed devices, mail protection, sharing permissions, auditing, recovery and backups aligned with the business.
Initial inventory
- Domains
- Licenses
- Users
- Guests
- Admins
- Shared mailboxes
- Groups
- Enterprise applications
- Devices
- Mail rules
- SharePoint/Teams
- Backups and retention
Review inactive accounts and existing privileges before adding new controls.
MFA and conditional access
Microsoft recommends keeping Security Defaults enabled unless it is replaced by Conditional Access policies. Both should never be switched off at the same time.
Priority order:
- MFA for everyone.
- Phishing-resistant methods for admins and high-risk profiles.
- Block legacy authentication.
- Policies based on risk, location and device.
- Controlled emergency accounts.
Break-glass accounts are monitored and tested, not used day to day.
Admins
- Account separate from the daily-work account
- Minimum number of Global Admins
- Specific roles
- Time-bound activation with PIM where available
- Strong MFA
- Alerts
- Monthly review
An admin account is never shared with a provider.
Onboarding, changes and offboarding
The cycle must involve HR:
- Onboarding with minimum role
- License and groups
- Device
- Role change
- Immediate revocation
- Controlled handover
- Session/token termination
- Retention and deletion
Offboarding does not end with just blocking sign-in.
Main threats: phishing, BEC, malware and malicious mailbox rules.
Controls:
- SPF, DKIM and DMARC
- Anti-phishing protection
- Safe Links/Attachments depending on license
- Blocking external auto-forwarding
- Rule-based alerts
- Shared mailbox review
- Training and a reporting channel
IBAN changes are always verified through an independent channel.
OAuth applications
Review application consent, its permissions and the publisher. Broad user consent can be blocked, or an approval workflow can be put in place.
Service principals, secrets, certificates and their use need to be inventoried, and applications without an owner should be revoked.
SharePoint, OneDrive and Teams
- External sharing on a need basis
- Expiring links
- Avoiding "anyone with the link" by default
- Groups, not individual permissions
- Site owners
- Guest review
- Sensitivity labels
- DLP where relevant
- Teams lifecycle
Ease of sharing does not justify indefinite access.
Devices
With Intune or another management tool:
- Encryption
- Local PIN/biometrics
- Patching
- Antivirus/EDR
- Lock
- Remote wipe
- Compliance
- Restricting unmanaged devices
BYOD requires separating corporate data from personal data.
Data protection and retention
What must be kept or deleted needs to be defined. Retention policies serve compliance and information lifecycle needs; they should not be confused with a full recovery strategy.
Labels, eDiscovery and auditing are applied according to need and the available license.
Backup and recovery
Microsoft 365 Backup provides protection for SharePoint, OneDrive and Exchange, and third-party partner solutions also exist. The organization must define:
- Covered workloads
- RPO/RTO
- Retention
- Immutability
- Granular/bulk restore
- Accounts and keys
- Testing
- Cost
The recycle bin or versioning does not necessarily replace a backup built for ransomware scenarios and accidental deletion.
Secure Score
Secure Score helps measure security posture and prioritize recommendations. It is not a certification and does not guarantee security. Each action is assessed against the business, and accepted risk is documented.
Treat it as a trend to track, not a target of hitting 100%.
Auditing and alerts
Worth monitoring:
- Impossible-travel or risky sign-in
- New admin creation
- OAuth consent
- Mailbox rules
- Forwarding
- Bulk download
- Public sharing
- Policy change
- Break-glass account use
Alerts must have an owner and an associated procedure.
Providers
If an MSP administers the tenant:
- Named accounts
- Minimum roles
- Controlled delegated access
- MFA
- Logs
- SLA
- Incidents
- Offboarding
- Data processing agreement
The provider must not operate with shared client credentials.
30-day plan
Week 1
Inventory, admins, MFA and legacy authentication.
Week 2
Email, OAuth, guests and sharing.
Week 3
Devices, retention, backups and alerts.
Week 4
Testing, incidents, documentation and training.
Common mistakes
- Turning off Security Defaults without implementing Conditional Access.
- Administering with the daily-use account.
- SMS-only MFA for admins.
- External auto-forwarding left enabled.
- OAuth applications left unreviewed.
- Anonymous links with no expiration.
- Permanent guest accounts.
- Confusing retention with backup.
- Never testing restores.
- MSP using a shared account.
Checklist
- Inventory
- MFA/Conditional Access
- Separate admins
- Legacy authentication blocked
- Email and domains
- OAuth
- SharePoint/Teams
- Devices
- Retention and backups
- Alerts, providers and incidents
FAQ
Security Defaults or Conditional Access?
Security Defaults is a simple baseline; Conditional Access enables advanced policies. One should not be switched off without implementing the other.
Does Secure Score prove compliance?
No. It helps prioritize security posture, but additional analysis and evidence are still required.
Does Microsoft handle backups?
Microsoft 365 Backup exists, along with other partner solutions. The organization must configure coverage and test recovery.
Summum Sistemas can audit and apply a baseline proportionate to each organization's licenses and risk.