Microsoft 365 Security

How to Harden Your Microsoft 365 Tenant: Complete Guide

Microsoft 365 is not secure by default. Default settings prioritise ease of access over security — allowing legacy authentication, permitting any device to access email, and leaving many security features disabled. Hardening your M365 tenant means changing these defaults to close the gaps attackers routinely exploit.


Overview

Microsoft 365 default settings prioritise ease of access over security. Hardening your M365 tenant means configuring Conditional Access, blocking legacy authentication, deploying Defender for Business correctly, applying anti-phishing policies, and securing admin accounts with PIM. Microsoft Secure Score tracks progress against recommended settings.


Why M365 Is Not Secure by Default

Microsoft 365 is designed for ease of deployment and broad compatibility — it ships with default settings that work for the widest range of environments, which means prioritising accessibility over security. Legacy authentication protocols are enabled. Any device with valid credentials can access email. The most powerful admin roles are permanently assigned rather than time-limited. Audit logging may not be configured to retain events long enough for forensic investigation.

These defaults are not a Microsoft failure — they reflect deliberate design choices for ease of use. But for businesses that have not deliberately hardened their M365 tenant, these defaults represent significant attack surface. Many of the most common Microsoft 365 attacks — password spray, legacy protocol credential stuffing, OAuth application abuse — exploit exactly these default settings.

Identity Hardening

Identity hardening starts with Conditional Access. AMVIA deploys a baseline set of Conditional Access policies that require MFA for all users, block legacy authentication protocols, require device compliance for access to sensitive applications, and apply additional protection to admin accounts. These policies together address the most common identity-based attack vectors.

Admin account security is a separate focus area. Permanent Global Administrator access is a significant security risk — an attacker who compromises a permanent Global Admin account has unrestricted access to your entire M365 tenant. Privileged Identity Management (PIM) replaces permanent admin assignment with just-in-time elevation — admin roles are activated only when needed, for a limited time, with approval workflow and full audit logging. AMVIA configures PIM for all admin accounts as part of M365 hardening.
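The first Conditional Access policy in the baseline above, the legacy authentication block, created in report-only mode as the Key Considerations recommend. This is an added example using Microsoft Graph PowerShell, not AMVIA's own tooling; the break-glass account object ID and the policy name are placeholders.

```powershell
# Added example (not AMVIA's code): create a "block legacy authentication"
# Conditional Access policy in report-only mode with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the signed-in account can
# write Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Placeholder: always exclude at least one emergency-access account so a
# misconfigured policy cannot lock every admin out of the tenant.
$breakGlassId = '<BREAK-GLASS-ACCOUNT-OBJECT-ID>'

$policy = @{
    displayName   = 'CA001 - Block legacy authentication (report-only)'
    # Report-only records what the policy would have done in the sign-in logs
    # without enforcing it, so impact can be reviewed before users are blocked.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @('All') }
        # 'exchangeActiveSync' and 'other' are the client app types that sign in
        # with legacy (non-modern) authentication such as IMAP, POP and SMTP AUTH.
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Show every policy and its state so report-only policies are not forgotten.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State

# Once the report-only sign-in log results have been reviewed, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```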

Email Security Hardening

Exchange Online Protection is active by default, but default policies are not optimal. Anti-phishing policies should be configured with impersonation protection enabled for key executives and commonly impersonated domains. Safe Links and Safe Attachments (included in Business Premium) should be enabled with appropriate settings — not left at defaults. DKIM signing for your domain should be enabled. A DMARC policy should be deployed and advanced to enforcement.

Outbound spam policies should be configured to detect and block behaviour consistent with a compromised account sending spam — an important early indicator of an account takeover that most businesses do not have configured.
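A check for the three email settings just described: DMARC at enforcement, DKIM signing enabled, and an outbound spam policy that blocks rather than only alerts. This is an added example, not AMVIA's code; the domain and the sending thresholds are placeholders chosen for illustration.

```powershell
# Added example (not AMVIA's code): verify DMARC enforcement, DKIM signing and
# the outbound spam policy for one domain. Assumes the ExchangeOnlineManagement
# module and the Windows DnsClient module; 'example.co.uk' is a placeholder.
Connect-ExchangeOnline -ShowBanner:$false
$domain = 'example.co.uk'

# 1. DMARC: read the _dmarc TXT record and extract the p= tag.
$txt = Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue
$dmarc = ($txt | Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' } |
          Select-Object -First 1).Strings -join ''
if (-not $dmarc) {
    Write-Warning "$domain has no DMARC record"
} else {
    $p = (($dmarc -split ';') | ForEach-Object { $_.Trim() } |
          Where-Object { $_ -like 'p=*' } | Select-Object -First 1) -replace '^p=', ''
    # p=none only monitors, p=quarantine is the half-way step, p=reject is enforcement.
    if ($p -eq 'reject') { "DMARC p=$p : enforcement" }
    else { Write-Warning "DMARC p=$p : not at enforcement (target is p=reject)" }
}

# 2. DKIM: the domain must have signing enabled in Exchange Online, not merely
#    have selector CNAME records published in DNS.
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim -or -not $dkim.Enabled) {
    Write-Warning "DKIM signing is not enabled for $domain"
    # Once the two selector CNAME records exist in DNS, enable it with:
    # Set-DkimSigningConfig -Identity $domain -Enabled $true
} else { "DKIM signing enabled for $domain" }

# 3. Outbound spam: when a mailbox exceeds the sending limits (a common sign of a
#    compromised account) block the user instead of only raising an alert.
#    Threshold values below are illustrative, not a recommended baseline.
$out = Get-HostedOutboundSpamFilterPolicy -Identity Default
if ("$($out.ActionWhenThresholdReached)" -ne 'BlockUser') {
    Set-HostedOutboundSpamFilterPolicy -Identity Default `
        -RecipientLimitExternalPerHour 400 `
        -RecipientLimitInternalPerHour 800 `
        -RecipientLimitPerDay 1000 `
        -ActionWhenThresholdReached BlockUser
    'Outbound spam policy now blocks the sender when a threshold is reached'
} else { 'Outbound spam policy already blocks on threshold' }
```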

Endpoint Hardening

Defender for Business configuration goes well beyond simply enabling the product. Attack surface reduction rules should be enabled at appropriate levels — many are off by default or in audit-only mode. Controlled folder access protects against ransomware by blocking unauthorised processes from modifying files in protected directories. Network protection blocks connections to known malicious domains. These configurations are not enabled by default and require deliberate setup.
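A local check for the Defender settings this section says are not enabled by default. Added example, not AMVIA's code: it reads the device's effective Defender preferences and reports any ASR rule, controlled folder access or network protection setting that is disabled or still in audit-only mode.

```powershell
# Added example (not AMVIA's code): report Defender attack surface reduction
# settings that are off or audit-only on the local device. Run in an elevated
# PowerShell session on a device where Microsoft Defender Antivirus is active.
$prefs = Get-MpPreference

# ASR rules are returned as two parallel arrays: rule GUIDs and action codes.
# Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$asrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$ids     = @($prefs.AttackSurfaceReductionRules_Ids)
$actions = @($prefs.AttackSurfaceReductionRules_Actions)

if ($ids.Count -eq 0) {
    Write-Warning 'No ASR rules are configured on this device'
}
for ($i = 0; $i -lt $ids.Count; $i++) {
    $name = $asrActionNames[[int]$actions[$i]]
    if (-not $name) { $name = "Unknown($($actions[$i]))" }
    if ($name -ne 'Block') {
        # The GUID maps to a rule name in Microsoft's ASR rules reference.
        Write-Warning ("ASR rule {0} is {1}, not Block" -f $ids[$i], $name)
    } else {
        "ASR rule {0}: Block" -f $ids[$i]
    }
}

# Controlled folder access and network protection use: 0 = off, 1 = enabled, 2 = audit.
$modeNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'Audit' }

$cfa = $modeNames[[int]$prefs.EnableControlledFolderAccess]
if ($cfa -ne 'Enabled') { Write-Warning "Controlled folder access is $cfa" }
else { 'Controlled folder access: Enabled' }

$np = $modeNames[[int]$prefs.EnableNetworkProtection]
if ($np -ne 'Enabled') { Write-Warning "Network protection is $np" }
else { 'Network protection: Enabled' }
```

On a managed fleet the same properties are set by Intune policy, so a device reporting Audit here usually means the policy was deployed in audit mode rather than a local misconfiguration.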

Data and Compliance Hardening

SharePoint external sharing defaults are often too permissive — allowing documents to be shared with anyone who has the link, including anonymous access. AMVIA reviews and restricts external sharing policies to require authenticated sharing only, and removes anonymous link sharing unless there is a specific business case for it. Teams external access and guest access settings are reviewed for the same reason.

Audit logging should be enabled and configured with appropriate retention. Microsoft 365 audit logs are essential for forensic investigation of security incidents — without them, investigating a compromise becomes significantly harder. The default audit log retention in Microsoft 365 Business Premium is 90 days; some compliance requirements may necessitate longer retention through Microsoft Purview.
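The two tenant-level changes from this section, restricting external sharing so anonymous links are no longer available and confirming unified audit logging is switched on, as an added example rather than AMVIA's own procedure. The tenant name is a placeholder.

```powershell
# Added example (not AMVIA's code): remove anonymous link sharing at tenant level
# and confirm unified audit logging is enabled. Assumes the
# Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules;
# 'contoso' is a placeholder tenant name.

# --- SharePoint / OneDrive external sharing ---
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
$tenant = Get-SPOTenant
"Current sharing capability: $($tenant.SharingCapability)"

# ExternalUserAndGuestSharing permits "Anyone" links that need no sign-in.
# ExternalUserSharingOnly keeps sharing with authenticated guests but removes
# the anonymous option, which is the restriction described above.
if ("$($tenant.SharingCapability)" -eq 'ExternalUserAndGuestSharing') {
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly
    'Anonymous link sharing disabled; authenticated external sharing retained'
} else {
    'Tenant already does not allow anonymous links'
}

# --- Unified audit log ---
Connect-ExchangeOnline -ShowBanner:$false
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    'Unified audit log ingestion enabled; events appear after a short delay'
} else {
    'Unified audit log ingestion already enabled'
}

# Sanity check that events are being retained: pull a handful from the last day.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 5 |
    Select-Object CreationDate, UserIds, Operations
```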

Key Considerations for UK SMEs

  • Review Microsoft Secure Score as a starting point — it provides an ordered list of improvements with implementation guidance
  • Prioritise MFA enforcement, legacy authentication blocking, and admin account PIM above other hardening steps
  • Use report-only mode for Conditional Access policies before enforcement — understand the impact before blocking users
  • Document changes made during hardening — a record of configuration decisions supports audit and troubleshooting
  • Re-assess Secure Score quarterly — new recommendations are added as Microsoft identifies new risks

How AMVIA Can Help

AMVIA hardens Microsoft 365 tenants as a structured engagement for new clients and as an ongoing service for managed clients. The process starts with a current configuration review against Microsoft's Secure Score and NCSC guidance, followed by a prioritised remediation plan. AMVIA implements changes during agreed maintenance windows, documents all configuration changes, and provides a post-hardening Secure Score comparison. Ongoing quarterly reviews ensure the tenant stays hardened as Microsoft adds new recommendations and as the business's environment evolves. Contact AMVIA on 0333 733 8050.

Key Points

What M365 hardening covers for UK businesses.

Default Settings Create Risk

Legacy authentication is enabled by default. Basic MFA can be bypassed. Admin accounts have permanent elevated permissions. All of these are commonly exploited.

Hardening Is Configuration, Not Cost

Most M365 hardening changes require no additional licensing — just deliberate configuration of settings already available in your existing licence.

Secure Score Measures Progress

Microsoft Secure Score provides a numerical score and an ordered list of improvement actions — making it easy to prioritise and track hardening progress.

Supports Cyber Essentials

Correctly hardened M365 configuration satisfies several Cyber Essentials controls — access control, secure settings, malware protection — making CE certification more straightforward.

M365 Hardening Checklist

  • Conditional Access — MFA required for all users, legacy authentication blocked
  • Admin accounts protected with PIM — just-in-time elevation, no permanent Global Admin
  • Anti-phishing policy — impersonation protection for key executives and domains
  • Safe Links and Safe Attachments enabled with appropriate policies
  • DKIM and DMARC configured and DMARC in enforcement mode
  • SharePoint external sharing restricted — no anonymous link sharing without business justification
  • Defender for Business — ASR rules enabled, not in audit-only mode
  • Audit logging enabled with appropriate retention period
