Hardening Your Microsoft 365 Tenant: A Practical Four-Pillar Approach
- alex97068
- 4 days ago
Setting up a Microsoft 365 (M365) tenant is often straightforward, thanks to the quick-start wizards. While ease and convenience are great, they don't always translate into strong security.
When we created TBDCyber, we set up our M365 tenant in a matter of minutes. We had immediate access to all the productivity applications we needed, from Outlook to Teams. We had all the ease and convenience we needed to start operating our business, but the next question was: Are we doing this in the most secure way?
For any small or medium business, moving beyond the default, often permissive, configuration is essential for proper protection.
As we set about hardening our M365 environment, we focused on four critical pillars to build a secure foundation for our productivity suite.

1. Overall Tenant Hardening & Configuration
The default M365 configuration is permissive: users can share data externally, consent to third-party applications and create anonymous links without any admin involvement. Our first step was to address these "low-hanging fruit" settings, drawing on the CIS Microsoft 365 Foundations Benchmark for a tactical, actionable checklist.
Among the critical steps we took were:
● Disable Default Application Consent: By default, any user can register an application and grant third-party applications consent to read their own profile, mail and files. This is the mechanism behind consent phishing, where a user clicks "Accept" on a plausible-looking OAuth app and hands it a long-lived token that survives a password reset. We removed this ability from regular users so that only an administrator can grant consent; pairing this with the admin consent request workflow gives users a path to ask for legitimate apps instead of working around the control.
● Restrict External Sharing: We configured sharing (especially in SharePoint, OneDrive, and Teams) to put structure around external collaboration. We followed an allow list/block list principle: sharing is permitted only with named, trusted domains, anonymous "Anyone" links are disabled, and everything else is blocked.
● Implement Data Loss Prevention (DLP): DLP policies for Teams, OneDrive, and Outlook are crucial, although they can be complex to configure correctly. We recommend a focused approach to identify and protect the most sensitive data types first.
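The three tenant-level changes above, scripted end to end, as an added example that is not code from the original post. It uses the Microsoft Graph PowerShell SDK for the consent setting, the SharePoint Online Management Shell for sharing, and Security & Compliance PowerShell (ExchangeOnlineManagement module) for DLP. The tenant URL, the allowed domains and the policy names are placeholders to replace with your own.

```powershell
# Added example, not from the original post. Placeholders: tenant admin URL,
# allowed partner domains, policy and rule names.

# --- 1. Stop regular users consenting to third-party OAuth apps -------------
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# An empty permissionGrantPoliciesAssigned list means "users may not consent";
# allowedToCreateApps = $false also stops ordinary users registering apps.
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    defaultUserRolePermissions = @{
        allowedToCreateApps             = $false
        permissionGrantPoliciesAssigned = @()
    }
}

# Verify: AllowedToCreateApps should be False and the grant-policy list empty.
$perm = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions
"AllowedToCreateApps: $($perm.AllowedToCreateApps); GrantPolicies: [$($perm.PermissionGrantPoliciesAssigned -join ',')]"

# --- 2. External sharing: allow list of trusted domains, no anonymous links --
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

$sharing = @{
    SharingCapability                          = "ExternalUserSharingOnly"          # guests must sign in; no "Anyone" links
    OneDriveSharingCapability                  = "ExternalUserSharingOnly"          # OneDrive can never be looser than SharePoint
    SharingDomainRestrictionMode               = "AllowList"
    SharingAllowedDomainList                   = "partner.example trusted.example"  # space-separated placeholders
    DefaultSharingLinkType                     = "Direct"                           # default link targets specific people
    RequireAcceptingAccountMatchInvitedAccount = $true                              # an invitation cannot be redeemed by another identity
}
Set-SPOTenant @sharing

# Verify the effective tenant settings.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability,
    SharingDomainRestrictionMode, SharingAllowedDomainList, DefaultSharingLinkType

# --- 3. One focused DLP policy: start with the highest-risk data type -------
Connect-IPPSSession

# Audit mode first; switch to -Mode Enable once the false-positive rate is understood.
New-DlpCompliancePolicy -Name "Financial data leaving the tenant" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Block sharing of credit card numbers with anyone outside the organisation and
# tell the content owner why.
New-DlpComplianceRule -Name "Credit card numbers to external recipients" `
    -Policy "Financial data leaving the tenant" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner
```

Run the consent change first and the sharing change second; both take effect immediately. Leave the DLP policy in TestWithNotifications for a couple of weeks, review the matches in the compliance portal, then promote it with `Set-DlpCompliancePolicy -Identity "Financial data leaving the tenant" -Mode Enable` and add the next sensitive information type as a separate rule.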
2. Accounts and Access Control (Identity)
Identity is the core of M365 security, focusing on how powerful roles are provisioned and access is controlled.
We took several steps to enhance identity protection, including:
● Separate Privileged Accounts: The most common mistake small businesses make is holding the Global Administrator role on the same account used for day-to-day email. We strictly separated highly privileged administrative accounts from regular user accounts: the regular account has the mailbox and licences, the admin account is cloud-only, has no mailbox, and is used only for administration. A phished mailbox then costs you a user, not the tenant.
● Enable Multi-Factor Authentication (MFA) for Everyone: MFA is the single most significant security control. A basic Conditional Access policy requires MFA for every user on every M365 application; if you want to insist on the Microsoft Authenticator app or a passkey rather than SMS, add an authentication strength to the policy's grant control.
● Implement Conditional Access Policies: Beyond basic MFA, Conditional Access in Entra ID (formerly Azure AD) lets you block or allow authentication based on specific conditions.
○ Session Controls: We set a sign-in frequency that re-prompts regular users after a fixed number of days, and requires administrators to sign in again every day with no persistent browser session.
○ Location-Based Restrictions: We created a policy that blocks sign-ins from every country except the ones we operate from. Geolocation is IP-based and a VPN defeats it, so treat this as friction for bulk credential-stuffing rather than a hard boundary, and always exclude your emergency-access (break-glass) account from this and every other blocking policy so a misfire cannot lock you out.
○ Advanced Licensing for Admins: While M365 Business Premium is a good starting subscription for a small business, adding Entra ID P2 licences just for the administrators is a sound security add-on. It unlocks Privileged Identity Management (PIM), which provides just-in-time access for privileged roles: administrative accounts start with no standing privileges and only "elevate" or "activate" a role for a limited window (e.g. 4 or 8 hours) to perform a specific task. If the account is compromised outside that window, the attacker gets an account with no rights.
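The identity controls described above, expressed with the Microsoft Graph PowerShell SDK, as an added example that is not code from the original post. It creates the three Conditional Access policies (MFA for everyone, daily sign-in for Global Administrators, block outside the operating countries) in report-only mode, then makes an admin account eligible for Global Administrator through PIM instead of permanently assigned. The break-glass group ID, the admin user ID, the country list and the display names are placeholders; the Global Administrator role template ID is the real built-in one.

```powershell
# Added example, not from the original post. Placeholders: break-glass group ID,
# admin user ID, country codes, display names. All policies start report-only.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
    "RoleEligibilitySchedule.ReadWrite.Directory"

$breakGlassGroup = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access accounts
$globalAdminRole = "62e90394-69f5-4237-9190-012177145e10"   # built-in Global Administrator role template ID

# Named location listing the countries we operate from (placeholder list).
$allowed = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Operating countries"
    countriesAndRegions               = @("US", "CA")
    includeUnknownCountriesAndRegions = $false   # unresolvable IPs count as "outside"
}

$policies = @(
    @{  # 1. MFA for everyone on every cloud app
        displayName   = "CA001 Require MFA for all users"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{  # 2. Global Admins re-authenticate daily and never keep a persistent browser session
        displayName     = "CA002 Daily sign-in frequency for Global Administrators"
        state           = "enabledForReportingButNotEnforced"
        conditions      = @{
            users          = @{ includeRoles = @($globalAdminRole); excludeGroups = @($breakGlassGroup) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        sessionControls = @{
            signInFrequency   = @{ isEnabled = $true; type = "days"; value = 1 }
            persistentBrowser = @{ isEnabled = $true; mode = "never" }
        }
    },
    @{  # 3. Block every location except the allowed countries
        displayName   = "CA003 Block sign-ins outside operating countries"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
            locations      = @{ includeLocations = @("All"); excludeLocations = @($allowed.Id) }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "Created {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
}

# PIM (Entra ID P2): make the separate admin account *eligible* for Global
# Administrator rather than permanently assigned. The admin activates the role
# per task for the activation window configured in PIM's role settings.
$adminUserId = "11111111-1111-1111-1111-111111111111"   # placeholder: the dedicated admin account
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "Standing Global Admin replaced by just-in-time eligibility"
    principalId      = $adminUserId
    roleDefinitionId = $globalAdminRole
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P365D" }   # eligibility is re-reviewed yearly
    }
}
```

Leave the policies in report-only mode long enough to read the sign-in log's "report-only" results, confirm the break-glass account is excluded everywhere, and only then set `state = "enabled"`. Once the eligibility request has been processed, remove the account's permanent Global Administrator assignment so that activation is the only way to get the role.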
3. Endpoint Management
The endpoint device is a common attack path for bad actors. We used Microsoft Intune, included with the M365 Business Premium subscription, to manage security on both corporate-owned and personal devices.
Steps included:
● Managed (Corporate-Owned) Devices: We used Intune to onboard our Windows and Mac devices and applied policies to ensure they met security standards.
○ Devices are kept up to date (OS updates).
○ Disk encryption is required (BitLocker on Windows, FileVault on macOS), together with a password or PIN to sign in.
○ Defender is active with tamper protection enabled.
○ The screen automatically locks after a period of inactivity.
● Unmanaged (Personal/BYOD) Devices: For employee personal devices that need to access corporate data, we implemented App Protection Policies (Mobile Application Management, MAM). This avoids enrolling the personal device in full Mobile Device Management (MDM) while still controlling the corporate data on it.
○ It containerizes corporate data within supported apps, such as Outlook.
○ It applies policies to restrict actions, such as preventing users from copying sensitive content from a corporate email into their personal notepad application.
○ This allows us to remotely remove only the corporate data without affecting the user's personal content or "cat videos".
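The two endpoint controls described in this section, as an added example that is not code from the original post: a Windows compliance policy encoding the four standards listed for managed devices, assigned to all devices, and an iOS App Protection Policy for BYOD that containerises corporate data in Outlook. Both are created through Microsoft Graph with `Invoke-MgGraphRequest`. Policy names and the minimum OS build are placeholders. Note that the compliance policy can only check that Defender is running; tamper protection itself is switched on in an Intune endpoint security antivirus profile, and a macOS equivalent uses `#microsoft.graph.macOSCompliancePolicy` with `storageRequireEncryption` for FileVault.

```powershell
# Added example, not from the original post. Placeholders: display names and
# the minimum Windows build.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementApps.ReadWrite.All"
$graph = "https://graph.microsoft.com/v1.0"

# --- Managed Windows devices: what "meets the standard" means --------------
$compliance = @{
    "@odata.type"                         = "#microsoft.graph.windows10CompliancePolicy"
    displayName                           = "Windows baseline: patched, encrypted, locked, protected"
    osMinimumVersion                      = "10.0.22631.0"   # placeholder; raise it as builds age out
    bitLockerEnabled                      = $true
    secureBootEnabled                     = $true
    tpmRequired                           = $true
    passwordRequired                      = $true
    passwordMinutesOfInactivityBeforeLock = 5                # screen locks after 5 idle minutes
    defenderEnabled                       = $true
    rtpEnabled                            = $true            # Defender real-time protection on
    antivirusRequired                     = $true
    activeFirewallRequired                = $true
    # Non-compliant devices are marked blocked with no grace period; a
    # Conditional Access policy with the "compliantDevice" grant then keeps
    # them away from M365 data.
    scheduledActionsForRule = @(@{
        ruleName                      = "PasswordRequired"
        scheduledActionConfigurations = @(@{
            actionType = "block"; gracePeriodHours = 0
            notificationTemplateId = ""; notificationMessageCCList = @()
        })
    })
}
$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" -Body $compliance

Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" -Body @{
    assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } })
}

# --- Unmanaged (BYOD) iOS devices: corporate data stays inside managed apps --
$appProtection = @{
    displayName                             = "BYOD iOS: corporate data stays in managed apps"
    pinRequired                             = $true
    minimumPinLength                        = 6
    simplePinBlocked                        = $true
    maximumPinRetries                       = 5
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"           # no Save As / Share to personal apps
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn" # paste in from personal apps, no copy out
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true                   # keep corporate data out of iCloud backups
    printBlocked                            = $true
    contactSyncBlocked                      = $true
    deviceComplianceRequired                = $false                  # BYOD: not enrolled, so no compliance check
    periodOfflineBeforeAccessCheck          = "PT12H"
    periodOnlineBeforeAccessCheck           = "PT30M"
    periodOfflineBeforeWipeIsEnforced       = "P90D"                  # selective wipe of corporate data only
}
$mam = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections" -Body $appProtection

# Target the policy at Outlook for iOS (the "cat videos" stay untouched).
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($mam.id)/targetApps" -Body @{
    apps = @(@{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.Office.Outlook" } })
}
"Compliance policy $($policy.id); app protection policy $($mam.id)"
```

The app protection policy still has to be assigned to a user group (the `/assign` action on the same resource) before it takes effect, and the selective wipe is issued per user from the Intune admin centre or the `/deviceAppManagement/managedAppRegistrations` resource. Create the Android equivalent under `androidManagedAppProtections` with the same property names.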
4. Data Resiliency (Backups)
Microsoft offers retention and versioning, but this is not the same as a proper, air-gapped backup. Given the very real threat of ransomware, a third-party backup solution is essential for data resiliency.
We evaluated third-party backup providers against three criteria:
● Granularity of Restore: The ability to restore a single file or an entire mailbox.
● Speed of Restores: Ensuring we can recover potentially gigabytes of data quickly.
● Security Measures: Maintaining separation between the live M365 environment and the backup data, so that an attacker holding a Global Administrator token cannot also delete or encrypt the backups.
Third-party M365 backup is a commodity market with affordable yearly licenses, making it a critical, non-negotiable layer of protection.
How TBDCyber Can Help You Secure Your M365 Tenant
TBDCyber can help organizations of all sizes, from under 20 users to over 100,000, to move beyond the default setup and maximize the security capabilities already included in their M365 licenses.
Our standardized approach includes:
1. Assessment and Roadmap: We assess your M365 tenant against best-practice standards (e.g., CIS Benchmarks) and identify quick wins, design opportunities, and ways to leverage your existing licenses for better security outcomes.
2. Design: We focus on how to best use your already-licensed Microsoft capabilities to deliver specific security outcomes.
3. Implementation: We don't just strategize; we implement the quick wins and complete the full design.
Would you like to explore a security assessment of your M365 tenant against these four critical pillars?