Secure Microsoft 365: Three basic principles for a safer M365 environment

When default settings in Microsoft 365 are not enough

Microsoft's default settings are generous. In a new M365 tenant, users can register applications, invite guest users, create Teams channels, and consent to third-party apps accessing organisational data. But it is precisely this kind of openness that CERT-SE believes should be restricted.

The environment is also constantly changing. Microsoft releases many hundreds of changes every month, and new features may introduce new sharing settings or access paths that need to be evaluated. Identity is the primary attack vector. According to Microsoft themselves, the majority of all identity attacks are password-based, with thousands of attacks being blocked every second. This makes it clear that the default settings need to be supplemented to secure your environment.


Three basic principles for a more secure tenant in M365

1. Secure identities and access with MFA and role management

Multi-factor authentication (MFA) is by far the most effective measure and stops over 99% of all account takeover attempts. Despite this, many organisations we encounter lack MFA on all accounts, for example on the tenant's administrator accounts.

MCF's CERT-SE has issued specific recommendations to secure your M365 environments, indicating that this is a national level priority. Regarding identity and access, CERT-SE specifically recommends:

  • Limit users' ability to register apps and give consent to third-party apps, as this is a common route in so-called consent phishing.
  • Block legacy authentication protocols that do not support MFA.
  • Use dedicated administrator accounts and apply least privilege access.
  • Limit and regularly review guest users.
  • Ensure privileged accounts are protected. Limit yourselves to 2–4 global administrators. These should be protected with phishing-resistant MFA.

2. Limit sharing and exposure of data in M365

Default sharing in M365 is often more open than the organisation realises. Sharing links are created so that anyone with the link gets access without authentication. It is recommended to always change the default setting to specific people, and to block automatic forwarding of email to external addresses as this is a common technique used by attackers after account takeover.

Complexity quickly increases. Each team in Teams automatically creates a SharePoint site and an M365 group with their own permission settings. Without governance, numerous storage locations with varying access control rapidly emerge. These permissions are basically managed via Entra ID in Azure, where group membership, guest policies and conditional access interplay. If you don't have control there, you also lack control over where your data can actually end up.

We recommend that our customers implement thorough information classification and DLP policies to prevent sensitive information from falling into the wrong hands.


3. Work in a structured and continuous manner with Microsoft 365 security

Security is not a one-time effort, but a continuous process that must be kept up to date. The EU's security directive NIS2 also places high demands on systematic security work, clear management responsibilities, and incident reporting. This, in turn, requires that you have logging enabled so you can detect and trace incidents in your environment.

Zero Trust sets the strategic framework: always verify, provide the least possible privilege, and assume that a breach has already occurred. In M365 and Azure, this concretely means implementing conditional access via Entra ID, requiring device compliance, activating continuous session evaluation, and centralising logs to enable early detection of anomalous behaviour.
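As an added example (not from the original article or from Nordlo), a read-only PowerShell audit of the settings the three sections above recommend, using the Microsoft Graph, Exchange Online and SharePoint Online modules. `<tenant>` is a placeholder for your tenant name, and the Global Administrator count covers permanent assignments only (PIM-eligible members are not listed).

```powershell
# Added read-only audit of the settings recommended in the three sections above.
# Requires the Microsoft.Graph, ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell
# modules; <tenant> is a placeholder for your tenant name.
Connect-MgGraph -Scopes 'Policy.Read.All','RoleManagement.Read.Directory','Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'

$findings = New-Object System.Collections.Generic.List[string]
function Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'OK  ' } else { 'GAP ' }
    $findings.Add("$status $Name ($Detail)")
}

# 1. Identity and access (the CERT-SE recommendations)
$authz = Get-MgPolicyAuthorizationPolicy
$perm  = $authz.DefaultUserRolePermissions
Check 'Users cannot register applications' (-not $perm.AllowedToCreateApps) "AllowedToCreateApps=$($perm.AllowedToCreateApps)"
# An empty list means user consent to third-party apps is disabled (closes the consent-phishing route).
$consent = @($perm.PermissionGrantPoliciesAssigned)
Check 'User consent to apps disabled' ($consent.Count -eq 0) ("PermissionGrantPoliciesAssigned=" + ($consent -join ','))
Check 'Guest invites restricted' ($authz.AllowInvitesFrom -in 'none','adminsAndGuestInviters') "AllowInvitesFrom=$($authz.AllowInvitesFrom)"

# Global Administrator head count (permanent assignments only; PIM-eligible members are not listed here).
$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaCount = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id).Count
Check '2-4 Global Administrators' ($gaCount -ge 2 -and $gaCount -le 4) "count=$gaCount"

# Legacy authentication: an enabled Conditional Access policy that blocks the legacy client app types.
$legacyBlock = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}
Check 'Legacy authentication blocked by CA' ($null -ne $legacyBlock) "policies=$(@($legacyBlock).Count)"

# 2. Sharing and exposure
$spo = Get-SPOTenant
# 'Direct' is the 'Specific people' link type; 'AnonymousAccess' is 'Anyone with the link'.
Check 'Default sharing link is Specific people' ($spo.DefaultSharingLinkType -eq 'Direct') "DefaultSharingLinkType=$($spo.DefaultSharingLinkType)"
$spam = Get-HostedOutboundSpamFilterPolicy -Identity Default
Check 'Auto-forwarding off in outbound spam policy' ($spam.AutoForwardingMode -eq 'Off') "AutoForwardingMode=$($spam.AutoForwardingMode)"
$remote = Get-RemoteDomain -Identity Default
Check 'Auto-forwarding off for default remote domain' (-not $remote.AutoForwardEnabled) "AutoForwardEnabled=$($remote.AutoForwardEnabled)"
# 3. Logging for detection and incident reporting: the unified audit log must be ingesting.
$audit = Get-AdminAuditLogConfig
Check 'Unified audit log enabled' ($audit.UnifiedAuditLogIngestionEnabled) "UnifiedAuditLogIngestionEnabled=$($audit.UnifiedAuditLogIngestionEnabled)"
$findings
```

Each line of the output is prefixed OK or GAP, so the list can be pasted straight into a baseline review as the starting point for prioritising measures.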

The human factor

Users are an equally important piece of the puzzle. As technology develops and your IT environment becomes harder to break into, attackers turn to exploiting the human factor. Simulated phishing campaigns and ongoing training become crucial to keep employees alert to current threats and make them an active part of your defence.


From Recommendation to Reality with Security Baseline

The challenge when it comes to enhanced cyber protection in M365 is not the lack of information and guidance. The recommendations are there, open to all. What is often missing is structure, time and continuity to make the recommendations a reality.

Nordlos Security Baseline: Defined Minimum Level for M365 Security

Nordlos Security Baseline provides you with a defined minimum level for the security configuration in your M365 and Azure environment. It covers identity protection, email security, sharing, logging and policies, all to build robust protection for your data. Together we look at where you are today, where the gaps are and which measures should be prioritised. Everything is summarised in a personalised dashboard with recommendations for improvements.

The process begins with a review of your current configuration against established recommendations. We identify the gaps, prioritise the measures and help you implement them. Then we ensure continuity through regular reviews and updates in line with new threats and changes in Microsoft's platform.

The result is not only a safer environment, it also provides management with the insight and decision-making basis required to make cybersecurity the management issue it must be.

5 common questions and answers about securing your Microsoft 365 environment

  • Why are Microsoft's default settings not enough to secure M365?
    The default settings are designed for user-friendliness, not security. Users can, among other things, register apps, invite guests, and give third-party apps access to organisational data without IT approval. This makes the environment vulnerable to, for example, consent phishing and account takeover.
  • What is the most important step to secure Microsoft 365?
    Enabling multi-factor authentication (MFA) on all accounts, including administrator accounts. MFA blocks over 99% of all account takeover attempts and is recommended by both Microsoft and MCF's CERT-SE.
  • How does NIS2 affect our Microsoft 365 environment?
    The NIS2 directive requires systematic security work, management responsibility, and incident reporting. It assumes that you have logging enabled, structured security policies, and a continuous process to detect and manage incidents in your M365 environment.
  • What does Zero Trust mean in practice for M365 and Azure?
    Zero Trust means that you always verify identities, grant the least possible privileges, and assume that a breach has already occurred. In practice, this involves conditional access via Entra ID, device compliance requirements, continuous session evaluation, and centralised logging.
  • What is included in Nordlos Security Baseline?
    Nordlos Security Baseline is an overview and hardening of your M365 and Azure environment. It includes identity protection, email security, sharing settings, logging, and policies. You receive a dashboard with clear recommendations, prioritised actions, and a plan for continuous improvements.