Microsoft 365

Unlocking the full potential of Microsoft 365

Security & compliance best practices

Why M365 security matters

Maximize what you already have

Microsoft 365 is a globally recognized and widely adopted cloud-based productivity suite that caters to businesses across various industries, including Belgium. It provides a comprehensive suite of tools, including email, SharePoint, and MS Teams, all underpinned by Microsoft’s Identity and Access Management platform, Entra ID.

Entra ID plays a crucial role in enabling secure identities and access management for users, but research has shown that even the essential safeguards included in Entra ID are not implemented.

Therefore, we created a comprehensive evaluation with more than 110 controls to evaluate the Microsoft 365 security maturity of our clients.

While needs can vary between businesses, our evaluation provides an excellent starting point for developing more customized and thorough compliance policies and security focused configurations across Entra ID.

The controls outlined in this document provide the basics of our comprehensive evaluation and are a real minimum baseline that every company should have applied to their Microsoft 365 environment.

Key Takeaways
  1. If you are not currently utilizing Microsoft 365 Business Premium, upgrading will give access to a comprehensive range of enhanced security functionalities.

  2. Prioritize the maximalization of existing technologies rather than immediately investing in novel solutions.

  3. Implement automated compliance reviews to safeguard your security measures from potential disruption resulting from changes in your M365 environment.
Key focus areas in Microsoft 365 Security & Compliance
1. Entra ID - Identity at the core
Limit access to administrative privileges

Microsoft recommends having no more than 5 global admins and using specialized roles and user groups to assign limited admin privileges to other key personnel.

Make sure there are dedicated admin accounts that are not used for daily activities like email, teams, SharePoint, etc.
Make sure a strong phishing-resistant MFA method is enabled for all users in administrative roles.

Emergency access accounts with different MFA method that are only used in case of an actual emergency and tested on regular intervals.

 

Multifactor authentication

According to Microsoft 99,9% of identity-related attacks (password spray, replay and phishing) can be stopped by enabling multi-factor authentications, and according to the Cybersecurity Center for Belgium, only 46% of Belgian companies use MFA (Less than half of Belgian companies use the most basic security measures! | CCB Safeonweb). Therefore, ensure that all users use a strong, preferably a phishing-resistant, multi-factor authentication method. 

Implement single-sign-on (SSO) across all platforms to enhance user security. By requiring users to provide a single login for access to multiple systems, the risk of password sharing and potential breaches will reduce drastically. Additionally, SSO simplifies administrative management by centralizing user access and reducing the need for managing user accounts across different portals.

Block device code authentication by using conditional access policies to restrict how device code flow can be used within your organization and prevent MFA bypass attacks.

2. Conditional access policies

Conditional Access Policies are a set of rules in Entra ID that define the conditions under which a user can access resources. These policies control who can access what, where, and when and are an essential part of a zero-trust network access (ZTNA) approach.

Conditional access policies allow organizations to define granular access control parameters, such as requiring multi-factor authentication for accessing data, allowing access only from specific locations or devices and preventing legacy authentication protocols like POP, IMAP or basic authentication.

Therefore, conditional access policies provide significantly more granular control over access to resources than the Security Defaults offered by Microsoft for the free Entra ID tenants where the conditional access policies feature is not available.

3. Application control

Microsoft Entra ID Enterprise Applications are used primarily for managing and securing access to third-party and internal applications within an organization’s identity infrastructure.

Enterprise application consent should be limited to verified publishers or applications that are explicitly approved. The permissions for each application should be monitored and reviewed periodically to prevent to broaden permissions (ex. Directory.Read.All, User.ReadWrite.All, Mail.Send)

App registrations define how to applications behaves, authenticates and what permissions it requests. The preferred authentication method for app registrations should be by using certificates over client secrets.

4. Guest access management

One of the advantages of the cloud is the ability to collaborate with external users like partners, suppliers or customers.  To prevent abuse of this collaboration feature, you have to make sure that guest access is limited to authorized domains only and guest users have limited access to your resources.

5. Email security posture

Implementing advanced threat protection measures within Microsoft 365 significantly enhances an organization’s defense against modern cyber threats. Features such as Safe Links in Office 365 proactively protect users by scanning and rewriting URLs in real time to block access to malicious websites, while the Safe Attachments Policy ensures that all email attachments are detonated in a secure sandbox environment before delivery, preventing zero-day attacks.

Complementing these with robust anti-malware policies that leverage both the common attachment filter to block high-risk file types and Zero-hour Auto Purge (ZAP) to retroactively remove malicious content post-delivery.

Furthermore, enabling an anti-phishing policy with safety tips helps users recognize suspicious messages by flagging impersonation attempts and anomalies, effectively combining automated protection with user awareness. Together, these layered security configurations create a comprehensive and adaptive email security posture within Microsoft 365.

In addition to advanced threat protection policies, implementing SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) is critical for securing email integrity and preventing spoofing, enhancing email trust and deliverability. Read more about this in our news post about strengthening your email security: Strenghtening email security with SPF, DKIM and DMARC

6. Backup strategy

Microsoft 365 offers only limited data retention, with deleted items typically stored for a maximum of 30 days.

While this provides basic recovery for accidental deletions, it’s not sufficient for long-term protection or compliance. Ransomware, insider threats, or configuration errors can still result in data loss beyond this short window.

That’s why it’s strongly recommended to implement your own backup strategy. By storing backups offline or in a separate tenant, you ensure full control and recovery capability when it matters most.

7. Monitoring & access reviews

Effective security management in Microsoft 365 requires organizations to continuously monitor and review access to sensitive data and critical resources. Regularly auditing user permissions, administrative roles, and sign-in activity helps identify excessive privileges, stale accounts, and potential indicators of compromise.

Leveraging tools like Microsoft Entra ID sign-in logs, Access Reviews, and Privileged Identity Management (PIM) enables security teams to enforce the principle of least privilege and detect anomalous behaviour in real time.

By proactively reviewing who has access to what and why, organizations can reduce their attack surface, ensure compliance, and maintain tight control over their digital environment.

How synsec helps

Our syncheck service provides a comprehensive analysis of your current Microsoft 365 security posture.

We don’t just identify gaps - we help implement the solutions:

  • Full assessment based on 110+ security checks
  • Prioritized roadmap
  • Configuration & policy support
  • Maximize the value of tools you already have

Read more about our syncheck on: SynCheck, comprehensive elevation of your security maturity.

Questions?

Thanks to our strategic partnerships with Microsoft and our broad experience, we are uniquely positioned to deliver a comprehensive, end-to-end solution to keep your security under control.

Let’s talk about how we can help secure your environment via eb.cesnys@olleh or +32 494 03 28 66

Privacy policy