Most organizations inherit Microsoft 365 tenants with default configurations that would fail a compliance audit in the first month. Automatic email forwarding to external addresses is allowed. External sharing is enabled. Audit logging is left at defaults nobody has verified. Multi-factor authentication is not enforced for everyone.
Here’s what you need to lock down first.
The Default Configuration Problem
Microsoft ships M365 with defaults tuned for user experience, and does not assume your organization needs compliance controls. Exchange Online allows automatic forwarding to external domains by default. SharePoint allows external sharing. Azure AD (now Microsoft Entra ID) still accepts legacy authentication protocols that cannot be challenged for MFA unless you block them, and Security Defaults, where enabled, give you blanket MFA but none of the per-application, per-location control an auditor will ask about. Auditors see unexamined defaults as negligence.
Compliance isn’t about restrictive security; it’s about intentional control. Auditors want to see: we evaluated the risk, made a deliberate choice, documented it, and monitor it. Default = uncontrolled.
Priority 1: Authentication & Access (Week 1)
Multi-Factor Authentication (MFA)
Baseline: MFA for every account that can sign in interactively, admins first. Prefer the Microsoft Authenticator app (with number matching) or FIDO2 security keys. Don't accept SMS- or voice-only MFA for compliance purposes; both are vulnerable to SIM swaps and carrier social engineering, so treat them as a fallback you are phasing out and disable them in the Entra Authentication methods policy once users have migrated. Enforce MFA at sign-in and for sensitive actions (changing a password, registering security info, delegating mailbox access, managing distribution groups).
Conditional Access Policies
Set up baseline Conditional Access policies in Azure AD that block legacy authentication (which cannot satisfy an MFA challenge) and require a compliant or hybrid-joined device for access to sensitive data. Start every new policy in report-only mode, exclude a dedicated break-glass account so a mistake cannot lock out every admin, and read the sign-in log before switching to enforced. Example: if a user signs in from an unknown location or an unmanaged device, require step-up authentication or block access entirely.
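The MFA baseline above and the legacy-authentication and managed-device policies described here are all expressed as Conditional Access policies. The following is an added example, not code from the original page, showing the three as Microsoft Graph PowerShell SDK calls. It assumes the Microsoft.Graph module, an account holding the Conditional Access Administrator role, and that the placeholder object ID in $BreakGlassId is replaced with your emergency-access account; the policy names are arbitrary.

```powershell
# Added example: three baseline Conditional Access policies via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; $BreakGlassId is a placeholder to replace.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$BreakGlassId = "00000000-0000-0000-0000-000000000000"   # object ID of your emergency-access account (placeholder)

# Every policy starts in report-only mode. Flip State to "enabled" only after
# reviewing the sign-in log for what it would have blocked.
$reportOnly = "enabledForReportingButNotEnforced"

# 1. Block legacy authentication. "exchangeActiveSync" and "other" are the client
#    app types that carry basic auth (IMAP, POP, SMTP AUTH, older Office clients).
$blockLegacy = @{
    displayName = "CA001 - Block legacy authentication"
    state       = $reportOnly
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 2. Require MFA for all users on all cloud apps (modern clients only; legacy is handled above).
$requireMfa = @{
    displayName = "CA002 - Require MFA for all users"
    state       = $reportOnly
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 3. Require a managed device for Office 365 workloads (Exchange, SharePoint, Teams).
#    Either an Intune-compliant device or a hybrid Azure AD joined device satisfies it.
$requireManagedDevice = @{
    displayName = "CA003 - Require managed device for Office 365"
    state       = $reportOnly
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
}

foreach ($policy in @($blockLegacy, $requireMfa, $requireManagedDevice)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State
}

# Evidence for the audit file: every policy in the tenant and its enforcement state.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State | Sort-Object DisplayName
```

The break-glass exclusion is deliberate: a policy that requires a compliant device on "All" apps with no exclusion can lock every administrator out of the tenant at once, and report-only mode is what lets you see that before it happens.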
Password Policy
Minimum 12 characters where the directory lets you set it (cloud-only Entra ID fixes the minimum at 8 and exposes no length setting, so hybrid tenants enforce length in on-premises AD), no reuse of previous passwords, Entra Password Protection with a custom banned-word list, and smart lockout (10 failed attempts by default). Password expiration is outdated (NIST SP 800-63B no longer recommends periodic rotation), but if your compliance framework still requires it, implement it and document why.
Priority 2: Data Protection (Weeks 1-2)
Exchange Online Data Loss Prevention (DLP)
Create DLP policies that detect and, once tuned, block or quarantine:
- Social security numbers, credit card numbers, financial account details (built-in sensitive information types)
- PII in email bodies, subject lines or attachments
- Proprietary information patterns (your own keywords or custom sensitive information types)
- Automatic forwarding to external addresses: this is a tenant setting (outbound spam policy and remote domain configuration) rather than a DLP rule, but it belongs in the same review because a user-created forwarding rule is the most common exfiltration path
DLP should log policy violations without blocking non-compliant email initially. Run each policy in test mode first (with or without user notifications), tune it against real false positives, then enforce with policy tips to users and incident reports to admins. Most auditors accept a documented warn-then-block rollout; blocking email on day one causes operational friction and gets the policy switched off.
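As an added example (not code from the original page), the following creates the outbound PII policy in test mode, shows the one-line switch to enforcement, and applies the tenant-level forwarding controls from the list above, then inventories any forwarding that already exists. It assumes the ExchangeOnlineManagement module, Compliance Administrator and Exchange Administrator rights, and placeholder names for the policy and the incident-report mailbox.

```powershell
# Added example. Assumptions: ExchangeOnlineManagement module; policy name and
# compliance@contoso.example are placeholders.
Connect-IPPSSession            # Security & Compliance PowerShell: DLP policies live here

# 1. Policy in TestWithNotifications: matches are logged and users see a policy tip,
#    but nothing is blocked until Mode is changed to Enable.
New-DlpCompliancePolicy -Name "Baseline PII - Outbound" -ExchangeLocation All -Mode TestWithNotifications

New-DlpComplianceRule -Name "PII to external recipients" -Policy "Baseline PII - Outbound" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Credit Card Number";                 minCount = "1" } ) `
    -AccessScope NotInOrganization `
    -NotifyUser LastModifier `
    -GenerateIncidentReport "compliance@contoso.example" `
    -IncidentReportContent Detections, Sender, Recipients, Title `
    -BlockAccess $true         # takes effect only once the policy Mode is Enable

# 2. After tuning, enforce the same policy in place (no need to recreate it):
# Set-DlpCompliancePolicy -Identity "Baseline PII - Outbound" -Mode Enable

Connect-ExchangeOnline         # Exchange Online PowerShell: forwarding controls live here

# 3. Tenant-wide: reject automatic forwarding to external recipients, both for
#    inbox rules (outbound spam policy) and for remote-domain auto-forward.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 4. Inventory forwarding that is already configured. Two mechanisms exist:
#    mailbox properties (set by admins or via Set-Mailbox) and user inbox rules.
$mailboxes = Get-Mailbox -ResultSize Unlimited

$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

$ruleForwarding = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, Enabled,
                      @{ n = 'Target'; e = { @($_.ForwardTo + $_.ForwardAsAttachmentTo + $_.RedirectTo) -join ';' } }
}

$mailboxForwarding | Export-Csv .\forwarding-mailbox-properties.csv -NoTypeInformation
$ruleForwarding    | Export-Csv .\forwarding-inbox-rules.csv -NoTypeInformation
$ruleForwarding    | Format-Table -AutoSize
```

The two CSVs are the evidence an auditor asks for when the security plan says "external forwarding is controlled": the setting, and proof you checked what was already in place before the setting was applied.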
SharePoint and OneDrive External Sharing
Restrict external sharing at the tenant level to an allowlist of partner domains, require external recipients to sign in (no anonymous links), and disable external sharing entirely on sites that hold regulated data. If external sharing is required, auditors expect you to justify it in your security plan and to show which sites allow it.
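The following added example (not from the original page) applies that tenant default, locks two example sites down, and produces the list of sites that still allow external users. It assumes the Microsoft.Online.SharePoint.PowerShell module, SharePoint Administrator rights, and that the tenant name contoso, the site URLs and the partner domain partner.example are placeholders.

```powershell
# Added example. Assumptions: SharePoint Online Management Shell; tenant name,
# site URLs and partner domain below are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Current posture, captured before changing anything (keep this output as evidence).
Get-SPOTenant | Select-Object SharingCapability, SharingDomainRestrictionMode,
                              SharingAllowedDomainList, DefaultSharingLinkType

# Tenant default: external users must authenticate (no anonymous links), only
# allowlisted domains can be invited, and new sharing links default to internal.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example" `
              -DefaultSharingLinkType Internal

# Sites holding regulated data: external sharing off regardless of the tenant setting.
# A site can only be more restrictive than the tenant, never less.
$sensitiveSites = @(
    "https://contoso.sharepoint.com/sites/Finance",
    "https://contoso.sharepoint.com/sites/HR"
)
foreach ($url in $sensitiveSites) {
    Set-SPOSite -Identity $url -SharingCapability Disabled
}

# Evidence for the security plan: every site whose sharing setting still permits external users.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability, Owner |
    Export-Csv -Path ".\external-sharing-sites.csv" -NoTypeInformation
```

OneDrive follows the tenant setting; a user's OneDrive that must not share externally is handled the same way as a site, with Set-SPOSite against its URL.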
Email Encryption and IRM
Enable Information Rights Management (IRM) through sensitivity labels or Office 365 Message Encryption for sensitive email. Users can apply "Do Not Forward" or "Encrypt-Only", which stops recipients forwarding, printing or copying the message in supporting clients. It does not stop a screenshot, so it is a control against accidental spread rather than a determined insider. Label application and protected-message activity appear in the audit log, which is the auditor-visible part.
Priority 3: Audit Logging & Monitoring (Weeks 2-3)
Unified Audit Log
Enable the Microsoft 365 Unified Audit Log (a single tenant-wide switch; new tenants usually have it on, but verify rather than assume) and confirm that it is recording:
- Exchange Online: mailbox access, forwarding rules, mailbox permissions
- SharePoint/OneDrive: file access, sharing, deletion, external access
- Azure AD: sign-ins, role changes, consent grants
- Teams: chat deletion, external guest access
Retain logs for a minimum of 1 year. Audit (Standard) keeps 180 days (it was 90 days before late 2023) and Audit (Premium) keeps 1 year, so export and archive monthly to storage you control. The export job itself is audit evidence: keep its output and the date it ran.
Alert Policies
Create alert policies for risky activities:
- Multiple failed sign-in attempts
- Email forwarding rule creation
- Sensitive files shared externally
- User added to admin role
- Mailbox delegation changes
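The audit-log and alert sections above come together in one weekly job: verify that logging is on, search the unified audit log for the forwarding-rule and role-change events in the list, and export both the findings and the raw records for the archive. The following is an added example, not code from the original page. It assumes ExchangeOnlineManagement v3 or later, an account with audit-log read rights, and a placeholder output directory; the AuditData field layouts it parses are those of the Exchange admin and Azure AD record types.

```powershell
# Added example. Assumptions: ExchangeOnlineManagement v3+; .\audit-evidence is a placeholder path.
Connect-ExchangeOnline

# 1. Confirm the tenant is actually recording; without this, nothing below exists.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true   # unified audit log on
}
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false                     # mailbox auditing on by default
}

# 2. Last 7 days of the alert-worthy operations: inbox-rule changes, mailbox forwarding
#    set via Set-Mailbox, and directory role additions. ReturnLargeSet pages through
#    results 5,000 at a time under a single session id.
$end       = Get-Date
$start     = $end.AddDays(-7)
$sessionId = "weekly-review-" + $end.ToString("yyyyMMddHHmm")
$ops       = "New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox", "Add member to role."
$records   = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
                 -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($batch) { $records += $batch }
} while ($batch.Count -gt 0)

# 3. Reduce raw records to reviewer findings. AuditData is JSON whose shape differs
#    per workload, so each operation is parsed on its own terms.
$forwardParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'ForwardingSmtpAddress', 'ForwardingAddress'
$findings = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    switch -Regex ($r.Operations) {
        '^(New|Set)-InboxRule$|^Set-Mailbox$' {
            # Exchange admin records carry a Parameters array of Name/Value pairs.
            $fwd = ($d.Parameters | Where-Object { $_.Name -in $forwardParams }).Value
            if ($fwd) {
                [pscustomobject]@{ When = $r.CreationDate; Actor = $r.UserIds
                                   Finding = "Forwarding set via $($r.Operations)"; Detail = ($fwd -join ';') }
            }
        }
        '^UpdateInboxRules$' {
            # Rules created from Outlook desktop land here (mailbox audit, not parameter-shaped).
            # Flag for manual review rather than guess at the payload.
            [pscustomobject]@{ When = $r.CreationDate; Actor = $r.UserIds
                               Finding = 'Client-side inbox rule change'; Detail = $d.ClientInfoString }
        }
        '^Add member to role\.$' {
            # Azure AD records: the role name is in ModifiedProperties, the target user in ObjectId.
            $role = ($d.ModifiedProperties | Where-Object { $_.Name -eq 'Role.DisplayName' }).NewValue
            [pscustomobject]@{ When = $r.CreationDate; Actor = $r.UserIds
                               Finding = "Added to role: $role"; Detail = $d.ObjectId }
        }
    }
}

# 4. Evidence: findings for the weekly review, plus the full raw export for an archive
#    that outlives the tenant's own retention window.
New-Item -ItemType Directory -Path .\audit-evidence -Force | Out-Null
$stamp = $end.ToString('yyyy-MM-dd')
$findings | Sort-Object When | Export-Csv ".\audit-evidence\findings-$stamp.csv" -NoTypeInformation
$records  | Export-Csv ".\audit-evidence\unified-audit-raw-$stamp.csv" -NoTypeInformation
$findings | Format-Table When, Actor, Finding, Detail -AutoSize
```

Run the same search with a 30-day window on the first of each month for the archive; the built-in alert policies in Defender and Purview cover the real-time side, and this export is what proves the alerts were reviewed.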
Defender for Office 365
Enable Safe Attachments (sandbox detonation) and Safe Links (time-of-click URL checking through rewriting); the Standard or Strict preset security policy turns both on with Microsoft's recommended settings. This is basic phishing protection that auditors expect.
Priority 4: Administration & Governance (Weeks 3-4)
Privileged Access Workstations (PAW)
Global admins and security admins should only sign in from a dedicated, hardened device (physical or virtual). Auditors treat admin accounts as critical infrastructure. Separate device = demonstrable control.
Privileged Identity Management (PIM)
For admins, require just-in-time elevation for sensitive roles through PIM (Entra ID P2 licensing). Admins hold the role as eligible rather than active, request activation with a justification (optionally subject to approval), and the activation expires after the configured maximum (8 hours by default). Every activation is logged, which gives you an audit trail of who held which role, when, and why.
Access Reviews
Quarterly reviews of who holds admin roles, whether each holding is permanent or eligible, and why. Document approval. Auditors expect to see evidence that you've reviewed access and removed unnecessary privileges, and a permanent Global Administrator assignment that survives a review unquestioned is the finding they will write up.
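The PIM and access-review sections both need the same artifact: a list of every directory role holder that distinguishes permanent active assignments from eligible ones and from current just-in-time activations. The following is an added example, not code from the original page, that produces it with the Microsoft Graph PowerShell SDK. It assumes Entra ID P2, the Microsoft.Graph module, an account that can read role management data, and a placeholder CSV path; the set of roles singled out at the end is a starting point to adjust.

```powershell
# Added example. Assumptions: Microsoft.Graph module, Entra ID P2; CSV path is a placeholder.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Role definition IDs to display names, so the report reads "Global Administrator", not a GUID.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Principals can be users, groups or service principals; resolve to something a reviewer recognizes.
function Resolve-Principal([string]$Id) {
    $obj = Get-MgDirectoryObject -DirectoryObjectId $Id -ErrorAction SilentlyContinue
    if (-not $obj) { return $Id }
    $p = $obj.AdditionalProperties
    if ($p.userPrincipalName) { $p.userPrincipalName } else { "$($p.displayName) ($($obj.Id))" }
}

# Active assignments. AssignmentType "Activated" is a PIM just-in-time elevation in progress;
# "Assigned" with no end date is a standing (permanent) admin, the thing PIM is meant to replace.
$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All | ForEach-Object {
    [pscustomobject]@{
        Principal = Resolve-Principal $_.PrincipalId
        Role      = $roleNames[$_.RoleDefinitionId]
        Scope     = $_.DirectoryScopeId
        Kind      = if ($_.AssignmentType -eq 'Activated') { 'JIT (activated)' }
                    elseif ($_.EndDateTime)                { 'Time-bound active' }
                    else                                   { 'PERMANENT active' }
        Expires   = $_.EndDateTime
    }
}

# Eligible assignments: what admins can activate through PIM but do not hold right now.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All | ForEach-Object {
    [pscustomobject]@{
        Principal = Resolve-Principal $_.PrincipalId
        Role      = $roleNames[$_.RoleDefinitionId]
        Scope     = $_.DirectoryScopeId
        Kind      = 'Eligible'
        Expires   = $_.EndDateTime
    }
}

$review = @($active) + @($eligible) | Sort-Object Role, Kind, Principal
$review | Export-Csv -Path ".\admin-role-review-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation

# What reviewers must sign off on by name: permanent holders of the most sensitive roles.
$highValueRoles = 'Global Administrator', 'Privileged Role Administrator',
                  'Security Administrator', 'Exchange Administrator', 'SharePoint Administrator'
$review | Where-Object { $_.Kind -eq 'PERMANENT active' -and $_.Role -in $highValueRoles } |
    Format-Table Principal, Role, Scope -AutoSize
```

Keep each quarter's CSV alongside the sign-off; the diff between two quarters is the "removed unnecessary privileges" evidence.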
Priority 5: Ongoing Compliance (Monthly)
Alerts and Incident Response
Review alert logs weekly. Establish an incident response process: detect → investigate → remediate → log. Auditors expect to see a log of incidents and your response.
Compliance Score
Use Microsoft Purview Compliance Manager (which produces a compliance score) to track progress against frameworks such as NIST, HIPAA, GDPR and SOC 2, and Microsoft Secure Score for the security-configuration side. Neither is auditor-grade evidence, but both are useful internal scorecards.
Policy Updates
Review DLP, conditional access, and audit policies quarterly. Technology changes; your policies should adapt.
Typical timeline: Organizations can implement core M365 security controls in 3-4 weeks. The effort is mostly configuration and change management rather than engineering. Budget for user communication and help-desk preparation, since the MFA rollout and DLP policy tips are what users actually notice.
Common Misunderstandings
- “We bought M365 licenses, so we’re secure.” Licenses enable features; configuration provides security. Defaults are user-friendly, not secure.
- “Auditors only care about email encryption.” Encryption is part of it, but auditors care about access control, logging, and incident response more.
- “DLP will break all our workflows.” Start in audit mode. Tune policies based on real false positives. Most organizations accept a 5-10% adjustment.
- “We don’t need an admin; we have Microsoft support.” Microsoft support is for technical issues, not compliance. You own the configuration.
Ready to harden your Microsoft 365 tenant?
We conduct M365 security posture assessments and implement controls aligned to your compliance framework.
Explore M365 Security Service