Microsoft 365 Security Hardening Guide: Entra ID, Exchange, Defender, and Secure Score
Microsoft 365 is the most widely deployed enterprise productivity platform and the most targeted environment for credential-based attacks. Microsoft's own telemetry shows that over 99 percent of M365 account compromises involve no malware: attackers steal or phish credentials and log in with them, making endpoint-centric security controls irrelevant. The primary attack surface is identity, and the primary hardening investment is Entra ID (formerly Azure Active Directory) configuration: Conditional Access policies, MFA enforcement, legacy authentication blocking, and admin role management.
This guide covers the complete M365 security hardening stack, organized by the platform components that generate the most critical findings in M365 security assessments. Each section includes specific policy configurations, PowerShell commands for bulk remediation, and the Microsoft Secure Score impact of each control so you can prioritize by both security value and score improvement. The CIS Microsoft 365 Foundations Benchmark and CISA's M365 Security Best Practices guidance inform the specific recommendations throughout.
Entra ID Hardening: Conditional Access, MFA, and Legacy Authentication
Entra ID (formerly Azure Active Directory) is the identity foundation of every M365 deployment. Security failures here cascade to every connected application and service.
Enforce MFA for all users using Conditional Access: Do not use Security Defaults for production tenants with dedicated security requirements; use Conditional Access policies for granular control. Create a Conditional Access policy: all users, all cloud apps, grant access requiring multi-factor authentication. Exclude break-glass emergency access accounts and service accounts. Apply the policy in report-only mode for two weeks to identify affected accounts before enforcement.
Block legacy authentication: Legacy authentication protocols (SMTP AUTH, POP3, IMAP, Exchange ActiveSync with Basic Auth) cannot enforce MFA and are the primary bypass path attackers use against tenants with MFA enabled. Create a Conditional Access policy: all users, all cloud apps, condition: client apps = Exchange ActiveSync Clients and Other Clients, grant: Block. Monitor the sign-in logs in report-only mode to identify any business-critical legacy auth flows before enforcement.
PowerShell to identify legacy auth sign-in activity in the last 30 days (requires the AuditLog.Read.All Graph scope; the sign-in log filter is server-side on date, and the client-app filter is applied locally because the Graph filter does not support "ne" on clientAppUsed):
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All | Where-Object { $_.ClientAppUsed -notin 'Browser', 'Mobile Apps and Desktop clients' } | Select-Object UserPrincipalName, ClientAppUsed, AppDisplayName, CreatedDateTime | Sort-Object UserPrincipalName
Admin role hardening: Global Administrator is the most dangerous role in an M365 tenant. Assign it to a minimum of 2 and maximum of 5 accounts; use role-specific admin roles (Exchange Admin, SharePoint Admin, Security Admin) for all other administrative functions. Require phishing-resistant MFA (FIDO2 security key or Certificate-Based Authentication) for all admin accounts via Conditional Access. Enforce Privileged Identity Management (PIM) for all Global Admin and other privileged roles: no standing admin access, require JIT elevation with justification and approval.
Conditional Access policy baseline (minimum set):
- Require MFA for all users (all apps)
- Block legacy authentication (all users)
- Require MFA and compliant device for admin roles
- Block access from high-risk sign-ins (requires Entra ID P2)
- Block access for users flagged as high-risk (requires Entra ID P2)
- Require compliant or hybrid-joined device for all corporate applications (phased rollout)
Named locations for trusted network exclusions: If requiring MFA from trusted corporate IP ranges creates operational friction, create Named Locations for your corporate IP ranges and build a Conditional Access policy that requires MFA from any location except trusted named locations. This maintains protection for remote access while reducing friction inside the office. Note: this is less secure than requiring MFA everywhere; the named location approach is a pragmatic concession for organizations where trusted-network-only access is operationally necessary.
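The three identity policies above (MFA for all users, block legacy authentication, phishing-resistant MFA for Global Administrators) can be created from Microsoft Graph PowerShell rather than clicked through the portal. The following is an added example, not code from the original guide or from Microsoft; it assumes a group named "CA-Exclude-BreakGlass" already holds the emergency-access accounts, and the policy names are placeholders. All three policies are created in report-only mode so the two-week review described above happens before anything is enforced.

```powershell
# Added example: deploy the Conditional Access baseline in report-only mode.
# Assumptions: break-glass accounts live in the group "CA-Exclude-BreakGlass";
# the signed-in admin holds Conditional Access Administrator or higher.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All", "Directory.Read.All"

$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw "Create the break-glass exclusion group before deploying policies." }

# Built-in authentication strength covering FIDO2, certificate-based auth and Windows Hello for Business
$phishResistant = Get-MgPolicyAuthenticationStrengthPolicy | Where-Object DisplayName -eq 'Phishing-resistant MFA'

# Look the role template up by name instead of hard-coding its GUID
$globalAdminRole = (Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Administrator').Id

$policies = @(
    @{
        displayName = "CA001 - Require MFA for all users"
        state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after the review period
        conditions  = @{
            users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{
        displayName = "CA002 - Block legacy authentication"
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
            applications   = @{ includeApplications = @("All") }
            # "exchangeActiveSync" + "other" are the Exchange ActiveSync clients and
            # Other clients checkboxes in the portal (SMTP AUTH, POP3, IMAP, legacy Office)
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{
        displayName = "CA003 - Require phishing-resistant MFA for Global Administrators"
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeRoles = @($globalAdminRole); excludeGroups = @($breakGlass.Id) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; authenticationStrength = @{ id = $phishResistant.Id } }
    }
)

foreach ($p in $policies) {
    # Idempotent: re-running the script never duplicates a policy
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'"
    if ($existing) { Write-Host "Skipping existing policy: $($p.displayName)"; continue }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State, Id
}
```

After reviewing the report-only results in the sign-in logs, enforce each policy with Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled. Other admin roles belong in the includeRoles array of CA003 the same way the Global Administrator template is added here.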
Exchange Online Security Configuration
Exchange Online is the primary delivery mechanism for phishing, BEC, and malware. The default configuration is not hardened; specific policies must be configured to protect against the most common threats.
Email authentication (SPF, DKIM, DMARC): Publish SPF and DKIM records for your domain and set DMARC to p=reject. This prevents attackers from spoofing your domain in phishing and BEC attacks. DMARC at p=reject is the most impactful single email security control: it prevents your domain from being used against your own employees and customers.
# Create the DKIM signing configuration disabled and read the CNAME targets Microsoft expects
New-DkimSigningConfig -DomainName yourdomain.com -Enabled $false
Get-DkimSigningConfig -Identity yourdomain.com | Select-Object Selector1CNAME, Selector2CNAME
# Publish selector1._domainkey.yourdomain.com and selector2._domainkey.yourdomain.com as CNAMEs to those targets, wait for DNS propagation, then enable signing (enabling before the CNAMEs resolve fails)
Set-DkimSigningConfig -Identity yourdomain.com -Enabled $true
Anti-phishing policies: In Microsoft Defender for Office 365 (impersonation protection requires Plan 1 or Plan 2), configure anti-phishing policies with impersonation protection. Key settings: enable mailbox intelligence, enable impersonation protection for all executive email addresses and for your own domains, set the action for impersonation detections to quarantine, and enable spoof intelligence.
Safe Attachments: Configure Safe Attachments in Defender for Office 365 to detonate email attachments in a sandbox before delivery. Set action to Block for malicious attachments. Enable Safe Attachments for SharePoint, OneDrive, and Teams to catch malicious files shared within the platform.
Safe Links: Enable Safe Links to rewrite all URLs in email and Teams messages through Microsoft's URL detonation service at click time. Configure: do not let users click through to original URLs for malicious links, track user clicks, apply to email and Teams. This prevents time-of-click attacks where URLs are benign at delivery and weaponized afterward.
Outbound spam policies: Configure outbound spam policies to limit per-user sending thresholds. This limits the blast radius when a compromised account is used for spam campaigns and triggers alerts on abnormal outbound sending volume.
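The anti-phishing, Safe Attachments, Safe Links and outbound spam settings described above map directly onto Exchange Online PowerShell. The block below is an added example, not code from the original guide; it assumes Connect-ExchangeOnline has been run as a Security Administrator, a Defender for Office 365 Plan 1 or Plan 2 license, the domain yourdomain.com, placeholder executive names, and sending thresholds that must be tuned to the organization's real volume.

```powershell
# Added example: custom Defender for Office 365 policies for the settings in this section.
# Placeholders: yourdomain.com, the executive list, policy names and the outbound thresholds.
$domain = "yourdomain.com"
# TargetedUsersToProtect entries are "DisplayName;EmailAddress" pairs (constructed sample values)
$execs  = @("Jane Doe;jane.doe@$domain", "John Roe;john.roe@$domain")

# Anti-phishing: mailbox intelligence, executive and own-domain impersonation, spoof intelligence, all to quarantine
New-AntiPhishPolicy -Name "Hardened AntiPhish" `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction Quarantine `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $execs -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableFirstContactSafetyTips $true -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true `
    -PhishThresholdLevel 2
New-AntiPhishRule -Name "Hardened AntiPhish - $domain" -AntiPhishPolicy "Hardened AntiPhish" -RecipientDomainIs $domain -Priority 0

# Safe Attachments: detonate before delivery, block on detection, keep the quarantine admin-only
New-SafeAttachmentPolicy -Name "Hardened SafeAttachments" -Enable $true -Action Block -QuarantineTag AdminOnlyAccessPolicy
New-SafeAttachmentRule -Name "Hardened SafeAttachments - $domain" -SafeAttachmentPolicy "Hardened SafeAttachments" -RecipientDomainIs $domain -Priority 0
# Extend detonation to files already stored in SharePoint, OneDrive and Teams
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Safe Links: time-of-click scanning for mail, Teams and Office, no click-through on malicious verdicts
New-SafeLinksPolicy -Name "Hardened SafeLinks" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false -DisableUrlRewrite $false
New-SafeLinksRule -Name "Hardened SafeLinks - $domain" -SafeLinksPolicy "Hardened SafeLinks" -RecipientDomainIs $domain -Priority 0

# Outbound spam: cap per-user sending so a compromised account is blocked, and stop automatic
# forwarding to external addresses (the channel inbox-rule persistence relies on)
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -RecipientLimitExternalPerHour 400 -RecipientLimitInternalPerHour 800 -RecipientLimitPerDay 1000 `
    -ActionWhenThresholdReached BlockUser -AutoForwardingMode Off

# Verify what was applied
Get-AntiPhishPolicy "Hardened AntiPhish" | Format-List Enable*, *Action
Get-SafeLinksPolicy "Hardened SafeLinks" | Format-List EnableSafeLinksFor*, AllowClickThrough, TrackClicks
```

If the Standard or Strict preset policies are also enabled, they are evaluated ahead of custom policies for the users they cover; custom policies with Priority 0 apply to everyone the presets do not.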
Audit log and mailbox auditing: Verify that unified audit logging is enabled. Enable mailbox auditing for all users:
Set-OrganizationConfig -AuditDisabled $false
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true
Mailbox audit logs are required to investigate BEC incidents and detect inbox rule manipulation (a common attacker persistence technique in compromised M365 accounts).
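Once mailbox auditing is on, the inbox-rule persistence the paragraph above refers to can be hunted for across the tenant. The following is an added example, not code from the original guide; it assumes Connect-ExchangeOnline has been run with an Exchange Administrator role (or an equivalent read-only role covering recipients and audit logs) and that unified audit logging is enabled. It lists existing rules that forward outside the accepted domains or hide messages, then pulls the last seven days of rule creation and modification events.

```powershell
# Added example: hunt for inbox-rule persistence (external forwarding, deletion, hiding)
# across user mailboxes, then list who created or changed rules recently and from where.
$acceptedDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }

# Recipient entries render as '"Display Name" [SMTP:user@example.com]'; pull out the domain part
function Get-RecipientDomain([string]$entry) {
    $addr = ($entry -replace '^.*\[SMTP:', '') -replace '\]\s*$', ''
    if ($addr -match '@') { ($addr -split '@')[-1].ToLower() } else { $null }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue) {
        $targets  = @($rule.ForwardTo) + @($rule.RedirectTo) + @($rule.ForwardAsAttachmentTo) | Where-Object { $_ }
        $external = $targets | Where-Object { $d = Get-RecipientDomain "$_"; $d -and ($acceptedDomains -notcontains $d) }
        # Common BEC pattern: replies are deleted or moved into folders nobody reads
        $hides = $rule.DeleteMessage -or ("$($rule.MoveToFolder)" -match 'RSS|Archive|Conversation History|Junk')
        if ($external -or $hides) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Rule     = $rule.Name
                Enabled  = $rule.Enabled
                External = ($external -join '; ')
                Deletes  = $rule.DeleteMessage
                MoveTo   = "$($rule.MoveToFolder)"
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize

# Rule creation/modification events from the unified audit log (AuditData is a JSON document per record)
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    $params = $d.Parameters |
        Where-Object { $_.Name -in 'Name', 'ForwardTo', 'RedirectTo', 'ForwardAsAttachmentTo', 'DeleteMessage', 'MoveToFolder' } |
        ForEach-Object { "$($_.Name)=$($_.Value)" }
    [pscustomobject]@{
        When      = $d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        ClientIP  = $d.ClientIP
        Details   = ($params -join ' ')
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

A rule created from an unfamiliar ClientIP shortly before a forwarding entry appears is the pattern to triage first; correlate the IP and timestamp against the Entra ID sign-in logs for the same user.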
Microsoft Defender for Office 365: Preset vs. Custom Policies
Microsoft Defender for Office 365 provides anti-malware, anti-phishing, anti-spam, Safe Links, and Safe Attachments capabilities. It is available at two tiers: Plan 1 (included in M365 Business Premium and available as an add-on to E3) and Plan 2 (included in M365 E5).
Preset security policies (Standard and Strict): Microsoft provides two preconfigured policy bundles: Standard Protection and Strict Protection. Standard applies conservative but practical settings appropriate for most users. Strict applies maximum protection settings with higher false-positive rates, appropriate for executive and high-risk user groups. Apply Standard Protection to all users as a baseline and apply Strict Protection to executives and IT admins as a priority account policy.
Configuring preset policies via PowerShell:
# Turn on the Standard preset for all users (the preset's EOP and Defender rules exist once the preset has been created in the Defender portal; custom anti-phish rules cannot be attached to preset policies)
Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"
Enable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"
# Scope the Strict preset to a specific group and turn it on; Strict is evaluated before Standard, so group members receive Strict and everyone else falls through to Standard
Set-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" -SentToMemberOf "Executives-DL"
Set-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy" -SentToMemberOf "Executives-DL"
Enable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"
Enable-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy"
Attack simulation training: Defender for Office 365 Plan 2 includes Attack Simulation Training, which delivers simulated phishing and social engineering campaigns. This is the built-in alternative to third-party phishing simulation platforms for organizations already on M365 E5. Configure monthly simulations across difficulty tiers and use the built-in training modules for employees who click.
Threat Explorer and Real-time Detections: Use Threat Explorer (Plan 2) or Real-time Detections (Plan 1) to investigate email campaigns, review quarantined messages, and identify patterns in phishing attempts reaching your users. This is the primary investigation tool for email-borne incidents.
Priority account protection: Designate executives, finance approvers, and IT admins as Priority Accounts in Defender. Priority accounts receive enhanced signal weighting in detections and appear in dedicated reporting. Alerts on priority account anomalies are prioritized in the Defender portal.
SharePoint, OneDrive, and Teams Data Controls
Data exfiltration through SharePoint and OneDrive sharing is a significant risk in M365 environments. Default configurations allow broad external sharing that most organizations do not intend.
External sharing controls: Review SharePoint admin center sharing settings. The default allows sharing with anyone via anonymous links; harden to require authentication for external sharing at minimum. Recommended settings: SharePoint external sharing = Existing guests (users already in your directory) or New and existing guests (requires authentication, limits to invited externals). Disable 'Anyone' links that allow unauthenticated access.
PowerShell to identify sites with anonymous sharing enabled:
Get-SPOSite -Limit ALL | Where-Object {$_.SharingCapability -eq "ExternalUserAndGuestSharing"} | Select-Object URL, SharingCapability
Data Loss Prevention (DLP) policies: Configure DLP policies in the Microsoft Purview compliance portal to detect and block transmission of sensitive data types: credit card numbers, Social Security numbers, health record data, and custom sensitive information types relevant to your data classification. Apply policies to Exchange, SharePoint, OneDrive, and Teams. Start in audit mode to understand the baseline volume before switching to block mode.
Sensitivity labels: Deploy Microsoft Purview sensitivity labels to classify documents and emails. Labels apply persistent encryption and access controls that travel with the document: a file labeled Confidential can be configured to require authentication for any external recipient and prevent downloading to unmanaged devices. This is the M365-native equivalent of enterprise DRM.
Teams external access controls: Separately configure Teams external access (federation with other Teams organizations) and guest access (external collaborators added to Teams). Disable external access to unknown organizations; allow only to specific trusted partner tenants if required. Review guest access policies to ensure guests cannot access content beyond the specific Teams they are invited to.
Microsoft Secure Score: Interpretation and Prioritization
Microsoft Secure Score is a measurement of an M365 tenant's security posture relative to available controls, expressed as a percentage. A score of 60 percent means 60 percent of applicable recommended controls are implemented. Secure Score is useful as a relative progress metric and a prioritization aid, not as an absolute security posture measure.
How Secure Score is calculated: Each recommended action has a point value. Completing the action earns those points. Total earned points divided by total possible points equals the Secure Score percentage. Actions are categorized by product area (Identity, Data, Device, App) and by impact on score.
Prioritizing Secure Score improvements: Filter the recommended actions by: score impact (highest first), implementation cost (user impact, whether the action causes workflow changes), and product area. Prioritize identity actions first: they address the primary M365 attack surface and typically have high score impact. Device actions (Intune compliance policies) and data actions (DLP policies, sensitivity labels) are the next priority tiers.
High-impact Secure Score actions for most tenants:
- Enable MFA for all users: typically 10-15 point impact
- Block legacy authentication: 5-10 point impact
- Do not allow users to grant consent to unmanaged applications (blocks malicious OAuth apps): 5-8 point impact
- Enable Microsoft Defender for Office 365: 10-20 point impact depending on current configuration
- Enable unified audit logging: 5 point impact
- Configure named accounts to use FIDO2 or certificate-based authentication: varies
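The calculation and prioritization described above can be reproduced from the Graph Secure Score API instead of the portal filters. The following is an added example, not code from the original guide or from Microsoft; it assumes Connect-MgGraph with the SecurityEvents.Read.All scope and the Microsoft.Graph.Security module. It computes the current percentage from earned and maximum points, then ranks unimplemented controls by the points they would add, identity controls first.

```powershell
# Added example: compute Secure Score and rank the remaining controls by point gap.
# Assumes Connect-MgGraph with SecurityEvents.Read.All.
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

$latest   = Get-MgSecuritySecureScore -Top 1              # newest snapshot is returned first
$profiles = Get-MgSecuritySecureScoreControlProfile -All  # static metadata per control: max points, cost, impact

# Score = earned points / possible points, which is what the portal shows as a percentage
"{0}: {1:N1}% ({2} of {3} points)" -f $latest.CreatedDateTime.ToString('yyyy-MM-dd'),
    (100 * $latest.CurrentScore / $latest.MaxScore), $latest.CurrentScore, $latest.MaxScore

$gaps = foreach ($c in $latest.ControlScores) {
    $profile = $profiles | Where-Object Id -eq $c.ControlName
    if (-not $profile) { continue }
    $gap = [double]$profile.MaxScore - [double]$c.Score
    if ($gap -le 0) { continue }          # fully implemented, nothing left to gain
    [pscustomobject]@{
        Control    = $profile.Title
        Category   = $c.ControlCategory   # Identity, Data, Device, Apps
        PointsGap  = [math]::Round($gap, 1)
        UserImpact = $profile.UserImpact
        Cost       = $profile.ImplementationCost
        Status     = $c.AdditionalProperties['implementationStatus']
        Action     = $profile.ActionUrl
    }
}

# Identity actions first (primary attack surface), then by points available
$gaps |
    Sort-Object @{ Expression = { $_.Category -eq 'Identity' }; Descending = $true },
                @{ Expression = 'PointsGap'; Descending = $true } |
    Select-Object -First 15 |
    Format-Table Control, Category, PointsGap, UserImpact, Cost -AutoSize
```

Filtering the resulting table on UserImpact = Low surfaces the quick wins; the Action column holds the portal URL for each control.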
Secure Score limitations: A high Secure Score does not mean a tenant is secure. It measures configuration compliance against Microsoft's recommended controls, not threat detection coverage, incident response capability, or whether controls are operating effectively. Organizations with an 80 percent Secure Score can still be compromised via MFA bypass through adversary-in-the-middle (AiTM) phishing, OAuth token theft, or supply chain compromise. Use Secure Score as a configuration hygiene metric, not as a comprehensive security posture indicator.
PowerShell Hardening Commands Reference
The following PowerShell commands address the most critical M365 hardening tasks. Run these using accounts with the appropriate admin roles: Security Administrator for Defender and Exchange policies, Global Administrator for Entra ID policies.
Prerequisites:
# Install required modules
Install-Module Microsoft.Graph -Scope CurrentUser
Install-Module ExchangeOnlineManagement -Scope CurrentUser
Install-Module Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser
# Connect to services (Graph scopes cover the Conditional Access, directory, role and sign-in log commands in this guide)
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.ReadWrite.All", "AuditLog.Read.All"
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com
Connect-SPOService -Url https://yourtenant-admin.sharepoint.com
Disable basic authentication protocols in Exchange:
# Disable POP3 and IMAP for all users
Get-Mailbox -ResultSize Unlimited | Set-CasMailbox -PopEnabled $false -ImapEnabled $false
# Disable SMTP AUTH at the organization level (re-enable for specific service accounts only)
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Audit admin role assignments:
# Get all Global Administrators (active assignments only; PIM-eligible assignments are not returned by this cmdlet)
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All | Select-Object Id, @{n='Type';e={$_.AdditionalProperties['@odata.type']}}, @{n='UserPrincipalName';e={$_.AdditionalProperties['userPrincipalName']}}, @{n='DisplayName';e={$_.AdditionalProperties['displayName']}}
Identify inactive accounts for review:
# Enabled accounts with no sign-in in 90 days (SignInActivity must be requested explicitly and requires Entra ID P1 and AuditLog.Read.All; accounts that have never signed in have no LastSignInDateTime and are included)
$cutoff = (Get-Date).AddDays(-90)
Get-MgUser -All -Property DisplayName, UserPrincipalName, AccountEnabled, SignInActivity | Where-Object { $_.AccountEnabled -and (-not $_.SignInActivity.LastSignInDateTime -or $_.SignInActivity.LastSignInDateTime -lt $cutoff) } | Select-Object DisplayName, UserPrincipalName, @{n='LastSignIn';e={$_.SignInActivity.LastSignInDateTime}}
Enable advanced audit logging:
# Enable audit log search
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
# Enable advanced auditing events for all mailboxes
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true -AuditOwner @{Add="MailboxLogin","MoveToDeletedItems","SoftDelete","HardDelete"} -AuditDelegate @{Add="SendAs","Create","MoveToDeletedItems"}
The bottom line
Microsoft 365 security hardening starts and ends with identity: blocking legacy authentication, enforcing MFA with Conditional Access, and locking down admin roles with PIM and phishing-resistant authentication addresses the attack vectors responsible for the vast majority of M365 compromises. Layer Exchange Online anti-phishing policies, Safe Links, and Safe Attachments on top of the identity baseline, then use Secure Score to track configuration compliance across the tenant. The CIS Microsoft 365 Foundations Benchmark and CISA's M365 guidance provide scored checklists that map directly to the Secure Score actions and prioritize by risk impact.
Frequently asked questions
What is the most important Microsoft 365 security setting to enable first?
Blocking legacy authentication via Conditional Access is the single highest-impact M365 security control. Legacy authentication protocols cannot enforce MFA, meaning any account using IMAP, POP3, or Basic Auth SMTP is vulnerable to credential stuffing regardless of whether MFA is enabled. After blocking legacy auth, enforce MFA for all users via a Conditional Access policy. These two controls together address the attack path in over 90 percent of M365 account compromises.
What Microsoft 365 license is required for Conditional Access?
Conditional Access requires Microsoft Entra ID P1 licensing, which is included in Microsoft 365 Business Premium, M365 E3, and M365 E5. Organizations on M365 Business Basic or standard Office 365 plans do not have Conditional Access and must use Security Defaults instead, which provides limited control granularity. Risk-based Conditional Access policies (blocking high-risk sign-ins and high-risk users) require Entra ID P2, included in M365 E5 or available as an add-on.
What is Microsoft Secure Score and what is a good score?
Microsoft Secure Score measures the percentage of available recommended security controls that are implemented in your M365 tenant. There is no universally good score; the metric is most useful as a trend indicator and for prioritizing control implementation. Organizations without dedicated security staff typically score below 40 percent. A well-hardened tenant following this guide should reach 60 to 75 percent. The remaining 25 to 40 percent usually requires Entra ID P2 features, Defender for Endpoint deployment, and advanced data governance that not all organizations need.
How do you detect if an M365 account has been compromised?
Key indicators of M365 account compromise: sign-ins from unusual geographies or IP addresses in the Entra ID sign-in logs, inbox rules created to forward email to external addresses or delete specific emails (a common attacker persistence technique), new OAuth app grants that appeared after the suspected compromise window, changes to MFA methods or registered devices, and email sent from the account outside normal hours. Microsoft Defender for Cloud Apps and Microsoft Sentinel provide automated detection rules for these patterns.
What is the difference between Defender for Office 365 Plan 1 and Plan 2?
Defender for Office 365 Plan 1 provides Safe Attachments, Safe Links, anti-phishing with impersonation protection, and Real-time Detections for email threat investigation. Plan 2 adds Attack Simulation Training, Threat Explorer (more powerful than Real-time Detections), automated investigation and response (AIR), and priority account protection with enhanced alerting. Plan 1 is included in M365 Business Premium; Plan 2 is included in M365 E5. For most organizations, Plan 1 covers the primary email threat surface; Plan 2 is worth the investment for organizations wanting built-in phishing simulation and automated incident response.
How do you prevent OAuth phishing attacks in Microsoft 365?
OAuth phishing attacks trick users into granting malicious applications access to their M365 data via legitimate OAuth consent flows. Prevention requires: configure Entra ID app consent policies to prevent users from consenting to apps from unverified publishers (restrict to admin-approved apps only), enable the admin consent workflow so users can request access to blocked apps instead of bypassing controls, review and audit existing OAuth app grants in the Entra ID App registrations and Enterprise Applications sections, and use Microsoft Defender for Cloud Apps to monitor and block suspicious OAuth app behavior in real time.
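The consent-policy, admin-consent-workflow and grant-audit steps in that answer can all be done from Microsoft Graph PowerShell. The following is an added example, not code from the original guide or from Microsoft; it assumes Connect-MgGraph with the Policy.ReadWrite.Authorization, Policy.ReadWrite.ConsentRequest and Directory.Read.All scopes, a placeholder reviewer account appsec-reviewer@yourdomain.com, and a constructed list of delegated scopes treated as high-risk for mailbox and file access.

```powershell
# Added example: lock down user consent, turn on the admin consent workflow, and audit
# existing user-consented grants for high-privilege delegated scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest", "Directory.Read.All"

# 1. Admin-approved apps only: an empty permission-grant policy list disables user consent.
#    To instead allow low-impact permissions from verified publishers, assign
#    "ManagePermissionGrantsForSelf.microsoft-user-default-low".
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# 2. Admin consent workflow: blocked requests are routed to a reviewer instead of being worked around
$reviewer = Get-MgUser -UserId "appsec-reviewer@yourdomain.com"   # placeholder reviewer account
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30
    reviewers             = @(@{ query = "/users/$($reviewer.Id)"; queryType = "MicrosoftGraph" })
}

# 3. Audit grants that users consented to themselves (ConsentType = Principal) for risky scopes.
#    The scope list is a constructed starting point; extend it to match your data-classification needs.
$riskyScopes = 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite', 'Files.ReadWrite.All', 'Contacts.Read', 'offline_access'
$spCache = @{}
$report = Get-MgOauth2PermissionGrant -All | Where-Object ConsentType -eq 'Principal' | ForEach-Object {
    if (-not $spCache.ContainsKey($_.ClientId)) {
        $spCache[$_.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    }
    $sp      = $spCache[$_.ClientId]
    $granted = $_.Scope -split ' ' | Where-Object { $_ }
    $hits    = $granted | Where-Object { $_ -in $riskyScopes }
    if ($hits) {
        $publisher = if ($sp.VerifiedPublisher.DisplayName) { $sp.VerifiedPublisher.DisplayName } else { 'UNVERIFIED' }
        [pscustomobject]@{
            GrantId     = $_.Id                       # pass to Remove-MgOauth2PermissionGrant to revoke
            App         = $sp.DisplayName
            AppId       = $sp.AppId
            Publisher   = $publisher
            User        = (Get-MgUser -UserId $_.PrincipalId -Property UserPrincipalName).UserPrincipalName
            RiskyScopes = ($hits -join ' ')
        }
    }
}
$report | Sort-Object Publisher, App | Format-Table App, Publisher, User, RiskyScopes -AutoSize
```

Grants from unverified publishers that combine mail scopes with offline_access are the ones to review first; an individual grant is revoked with Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>, and the service principal itself can be disabled if the app is not sanctioned.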
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.