
Microsoft 365 security baselines

The minimum security configuration every Microsoft 365 tenant should have — and how to get there.

Every Microsoft 365 tenant ships with sensible-but-not-great defaults. Microsoft offers two ready-made baselines — Security defaults and preset Conditional Access policies — and there's a clear minimum every organisation should reach beyond that. This is the checklist.

Tier 0 — Security defaults (free, every tenant)

Tenants with no Conditional Access in place should turn on Security defaults in Entra ID. This enables:

  • MFA for all users, with the Microsoft Authenticator app encouraged.
  • MFA enforcement for admin actions.
  • Blocking of legacy authentication protocols (POP, IMAP basic auth, etc.).
  • MFA-protected privileged actions.

Security defaults are free and dramatically lift the security posture. Their limitation: they can't be customised. Once a tenant outgrows them, switch to Conditional Access.

Tier 1 — Conditional Access baseline (Entra ID P1+)

A minimum CA policy set:

  1. Block legacy authentication.
  2. Require MFA for all users.
  3. Require MFA for admins (every privileged role).
  4. Block sign-ins from high-risk countries (or step up MFA).
  5. Require compliant or hybrid-joined devices for Microsoft 365 apps.
  6. Require terms-of-use acceptance for guests.
  7. Block unmanaged-device access to OneDrive/SharePoint downloads (use browser-only).

Create break-glass (emergency access) accounts and exclude them from every policy.
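Before enforcing the Tier 1 set, it is worth checking the exported policies against the list above. The linter below is an added example (not part of the original checklist or any Microsoft tool): it walks policy objects in the shape Microsoft Graph returns from GET /identity/conditionalAccess/policies, confirms that an enforced policy blocks legacy client app types, that an enforced policy requires MFA for all users, and that every policy excludes the break-glass group. The sample policies and the group object ID are constructed placeholders.

```python
"""Lint a Conditional Access policy export against the Tier 1 baseline (example code)."""
import copy

LEGACY_CLIENTS = {"exchangeActiveSync", "other"}      # Graph clientAppTypes for legacy auth
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-0000000000bg"  # placeholder object ID (constructed)

# Constructed sample export: one correct policy, one that is report-only and forgets break-glass.
SAMPLE_POLICIES = [
    {"displayName": "BL01 Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "BL02 Require MFA for all users", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def lint_baseline(policies, break_glass_group):
    """Return a list of findings; an empty list means the Tier 1 checks pass."""
    findings, blocks_legacy, mfa_all_users = [], False, False
    for p in policies:
        name, users = p["displayName"], p["conditions"]["users"]
        controls = set((p.get("grantControls") or {}).get("builtInControls", []))
        clients = set(p["conditions"].get("clientAppTypes", []))
        enforced = p["state"] == "enabled"          # report-only and disabled do not protect anyone
        if not enforced:
            findings.append(f"{name}: state is {p['state']}, not enforced")
        if break_glass_group not in users.get("excludeGroups", []):
            findings.append(f"{name}: break-glass group not excluded")
        targets_everyone = "All" in users.get("includeUsers", [])
        # Legacy block must hit exactly the legacy client types, never "all" (that would lock everyone out).
        if enforced and targets_everyone and "block" in controls and clients == LEGACY_CLIENTS:
            blocks_legacy = True
        if enforced and targets_everyone and "mfa" in controls and clients == {"all"}:
            mfa_all_users = True
    if not blocks_legacy:
        findings.append("no enforced policy blocks legacy authentication")
    if not mfa_all_users:
        findings.append("no enforced policy requires MFA for all users")
    return findings


if __name__ == "__main__":
    for finding in lint_baseline(SAMPLE_POLICIES, BREAK_GLASS_GROUP):
        print(finding)
```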

Tier 2 — Hardening (Entra ID P2 / Microsoft 365 E5)

  • PIM for every privileged role, time-bound activation.
  • Identity Protection policies blocking high-risk users / sign-ins.
  • Defender for Office 365 with Standard or Strict preset policies.
  • Defender for Endpoint onboarded on every managed device.
  • Sensitivity labels with a baseline taxonomy (Public, Internal, Confidential, Highly Confidential).
  • DLP policies for credit card data, government IDs, source code, and any data regulated in your industry.
  • Purview retention policies for Exchange, SharePoint, OneDrive, Teams.

Tier 3 — Identity and data governance

  • Quarterly access reviews for guests and privileged roles.
  • Entitlement management access packages for project-based access.
  • Restricted access controls for high-risk SharePoint sites.
  • Information barriers for groups that must not share content (legal/regulatory).
  • Insider risk policies with HR/legal sign-off.
  • Defender for Identity sensors on every domain controller (DC).

Cadence

A baseline isn't a one-off. The right cadence:

  • Monthly: review Secure Score progress; close one or two items.
  • Quarterly: review CA policies, guests, privileged role memberships.
  • Annually: full baseline review against the current Microsoft recommendations.

Microsoft Secure Score (security.microsoft.com/securescore) tracks where you are against Microsoft's recommended controls, with a numeric score and prioritised actions. Use it as the planning backlog rather than as a target on its own.

A tenant that hits Tier 2 is dramatically more secure than a default deployment. Most breaches in Microsoft 365 environments hit organisations that hadn't reached Tier 1.