The Microsoft 365 Security Baseline We Deploy on Day One
A reference configuration for Microsoft 365 security that closes the most common gaps without breaking productivity.

Identity baseline
Block legacy authentication. Require phishing-resistant MFA for all administrative roles. Enable security defaults only if you are not yet using Conditional Access — once you adopt Conditional Access, manage the equivalent policies explicitly.
Exchange Online and Defender
Configure DMARC at reject for all sending domains. Enable Safe Links and Safe Attachments. Disable auto-forwarding to external addresses by default. Turn on impersonation protection for executives and finance roles.
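A check for the DMARC requirement above, as an added example that is not part of the original article: it parses the TXT value published at `_dmarc.<domain>` and reports anything short of a fully enforced `p=reject`. The records are constructed samples on reserved example domains, and the function names are illustrative.

```python
# Constructed sample TXT values as published at _dmarc.<domain>; not real data.
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "mail.example.net": "v=DMARC1; p=quarantine; pct=50",
    "example.org": "v=DMARC1; p=reject; sp=none",
    "parked.example": "v=spf1 -all",   # SPF record, not DMARC
    "legacy.example": None,            # no TXT record published
}

def parse_dmarc(txt):
    """Return a dict of DMARC tags, or None if txt is not a DMARC record."""
    if not txt:
        return None
    pairs = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if sep:
            tags.setdefault(key.strip().lower(), value.strip())
    # RFC 7489: the v tag must come first and must equal "DMARC1".
    first_key = pairs[0].partition("=")[0].strip().lower() if pairs else ""
    if first_key != "v" or tags.get("v") != "DMARC1":
        return None
    return tags

def audit_dmarc(txt):
    """Return a list of findings; an empty list means p=reject is fully enforced."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no valid DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'} (want reject)")
    # sp overrides p for subdomains; anything weaker than reject leaves a gap.
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append(f"sp={tags['sp'].lower()} weakens subdomains")
    # pct below 100 applies the policy to only a sample of failing mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies policy to only part of the mail")
    return findings

def audit_all(records):
    return {domain: audit_dmarc(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, findings in audit_all(SAMPLE_RECORDS).items():
        print(domain, "OK" if not findings else "; ".join(findings))
```

To run it against your own domains, replace the sample dictionary with the TXT values your DNS tooling returns for each sending domain.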
SharePoint, OneDrive, and Teams
Set the default external sharing posture to authenticated guests only. Block anonymous links unless a specific business case justifies them. Enable sensitivity labels and apply default labels to the most sensitive sites.
Reader questions, answered
Do we need Microsoft Defender for Office 365 Plan 2?
If you are using Microsoft 365 as your primary email and collaboration platform, yes. The automated investigation and response capabilities pay for themselves quickly.

Raza Ahmad is a technology author and IT infrastructure specialist based in Melbourne, Australia. He writes practitioner-grade guides on cloud computing (Azure and AWS), cybersecurity, enterprise networking with Cisco platforms, Linux administration, DevOps, and virtualization. His work focuses on translating complex infrastructure topics into clear, accurate guidance that engineers, system administrators, and IT decision makers can put to work in production environments. Every article published under his byline is fact-checked against current vendor documentation, official standards, and Raza's own hands-on experience operating the technologies he covers.