Microsoft 365 security policies are configurable rules that control how users, devices, and applications interact with your organization’s data. Built on Zero Trust principles—verify explicitly, enforce least privilege, and assume breach—these policies safeguard access, secure email, protect endpoints, and govern administrative rights.
This guide covers the twelve foundational policies every tenant needs, the Conditional Access configurations to prioritize first, and how to align your security posture with frameworks like CIS, NIST, and Microsoft Secure Score.
What Are Microsoft 365 Security Policies
Think of policies as automated guardrails. They define what’s allowed, what’s blocked, and what triggers additional verification, all without requiring someone to manually approve every decision. Policies span identity (who can sign in), email protection (what gets through), device compliance (which endpoints connect), and data protection (what can be shared). Together, they form layered defenses that reduce your attack surface across the entire Microsoft 365 environment.
Core Pillars of Microsoft 365 Security
Before getting into specific policies, it helps to understand the five interconnected domains they address. Each pillar represents a category of risk, and effective security requires policies across all of them.
Identity and Access Management
This pillar controls who can sign in and under what conditions. Conditional Access and multi-factor authentication are the primary policy tools here. When someone attempts to access Microsoft 365, identity policies evaluate whether that person is who they claim to be and whether the sign-in context looks trustworthy.
Threat Protection
Email remains the most common attack vector. Threat protection policies in Microsoft Defender for Office 365 defend against phishing, malware, and business email compromise through Safe Links, Safe Attachments, and anti-phishing rules. These policies scan content before it reaches users and block malicious payloads.
Information Protection
Information protection policies classify, label, and prevent unauthorized sharing of sensitive data. Data Loss Prevention (DLP) and sensitivity labels work together to identify confidential content and control where it can travel. A DLP policy might block an email containing credit card numbers from leaving the organization, for example.
Device and Endpoint Management
Intune compliance and configuration policies ensure only secure, managed devices access corporate resources. If a laptop lacks encryption or runs an outdated operating system, device policies can block access until the issue is resolved.
Security and Risk Management
This pillar provides governance through audit logging, Secure Score tracking, and continuous monitoring. It ties everything together by giving you visibility into what’s happening across your tenant and highlighting areas that still need attention.
Essential Microsoft 365 Security Policies Every Tenant Needs
Here’s the foundational checklist. These twelve policies address the most common attack vectors and compliance gaps across Microsoft 365 tenants.
1. Enforce Multi-Factor Authentication for All Users
MFA is the single most effective identity protection available. According to Microsoft, MFA blocks 99.9% of account compromise attacks. You can enable MFA through Security Defaults (available in all plans) or Conditional Access (requires Entra ID P1 or higher).
Phishing-resistant methods like FIDO2 security keys or Windows Hello are preferable to SMS codes. SMS remains vulnerable to SIM-swapping attacks, where an attacker convinces a mobile carrier to transfer your phone number to their device.
2. Block Legacy Authentication Protocols
Legacy authentication refers to older protocols like POP, IMAP, and SMTP AUTH that don’t support MFA. Attackers specifically target legacy auth because it bypasses multi-factor requirements entirely. If MFA is your front door lock, legacy auth is an unlocked side entrance.
Blocking legacy auth is a Conditional Access policy that takes minutes to configure but closes one of the most exploited gaps in Microsoft 365 security.
3. Apply Conditional Access Baselines
Conditional Access policies are “if-then” rules that evaluate sign-in context before granting access. If a user signs in from an unmanaged device, then require MFA. If sign-in risk is high, then block access completely.
Common baseline conditions include:
- Device compliance status: Is the device managed and meeting security requirements?
- User location: Is the sign-in coming from a known or suspicious geography?
- Application sensitivity: Does the app being accessed contain sensitive data?
- Real-time risk signals: Has Microsoft Entra ID Protection detected suspicious behavior?
4. Turn on Microsoft Defender Preset Security Policies
Microsoft offers pre-configured email protection that can be enabled without manual tuning. Preset policies apply recommended settings for anti-spam, anti-malware, anti-phishing, Safe Links, and Safe Attachments all at once.
For most organizations, the Standard preset provides balanced protection. High-security environments may prefer the Strict preset, though it can increase false positives and may require more user exceptions.
5. Configure Safe Links and Safe Attachments
Safe Links scans URLs at time-of-click, protecting users even if a link was safe when the email arrived but became malicious later. Safe Attachments detonates files in a sandbox environment before delivery, watching for malicious behavior.
Both features protect email and Microsoft Teams messages, addressing the two primary channels attackers use to deliver malware and credential-harvesting pages.
6. Enable Data Loss Prevention Policies
DLP policies detect and block sensitive information from being shared inappropriately. You define three components: conditions (what triggers the policy), actions (block, notify, or encrypt), and locations (Exchange, SharePoint, Teams, or endpoints).
Even a basic DLP policy covering common sensitive data types like credit card numbers or Social Security numbers significantly reduces accidental data exposure.
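The three DLP components described above (conditions, actions, locations) map directly onto two cmdlets in Security & Compliance PowerShell. The script below is an added example, not code from the article or from Augmentt; it assumes the ExchangeOnlineManagement module is installed, the signed-in account holds a compliance administrator role, and the policy name is a placeholder you can change. It starts the policy in test mode so matches can be reviewed before anything is blocked.

```powershell
# Added example (not from the article): baseline DLP policy for common
# financial and personal identifiers, created in test mode first.
# Assumes the ExchangeOnlineManagement module and a compliance admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to the Security & Compliance endpoint

$policyName = 'Baseline - Financial and personal identifiers'   # assumed name

# Conditions: built-in sensitive information types shipped by Microsoft.
$sensitiveTypes = @(
    @{ Name = 'Credit Card Number';                minCount = '1' },
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
)

# Locations: the four workloads named in the article.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications   # test first; switch to Enable once tuned

# Actions: block sharing with people outside the organization, show a
# policy tip to the user, and raise an incident report for the site admin.
New-DlpComplianceRule -Name "$policyName - block external" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier, Owner `
    -NotifyPolicyTipCustomText 'This item contains financial or personal identifiers and cannot be shared outside the organization.' `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent DocumentAuthor, Detections, Title, Severity

# After reviewing matches in the DLP reports, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Running in TestWithNotifications mode first surfaces false positives (invoice numbers that look like card numbers, for example) before users are blocked, which is the same rollout discipline the article recommends for Conditional Access.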
7. Apply Sensitivity Labels and Information Rights Management
Sensitivity labels classify documents and emails by confidentiality level. When combined with Information Rights Management (IRM), labels can encrypt content and restrict actions like forwarding, printing, or copying.
Labels follow the content wherever it travels. A document labeled “Confidential” remains protected even when downloaded, emailed externally, or copied to a USB drive.
8. Enforce Device Compliance with Intune
Compliance policies in Microsoft Intune check device health before granting access to Microsoft 365 resources. Common checks include BitLocker encryption, firewall status, antivirus presence, and minimum OS version.
When paired with Conditional Access, non-compliant devices are blocked automatically. A user with an unencrypted laptop simply can’t access SharePoint until encryption is enabled.
9. Apply App Protection Policies for Mobile Devices
App protection policies (sometimes called MAM policies) protect corporate data within apps on personal devices without requiring full device enrollment. They can enforce PIN requirements, prevent copy/paste to personal apps, and encrypt corporate data at rest.
This approach works well for BYOD environments where users resist full device management. Corporate data stays protected inside Outlook and Teams while personal apps remain untouched.
10. Restrict External Sharing in SharePoint and OneDrive
Sharing policies control whether users can share files externally and with whom. Default settings are often more permissive than organizations realize, sometimes allowing anonymous sharing links that anyone can access.
Options include restricting sharing to authenticated guests only, limiting sharing to specific domains, or disabling external sharing entirely for sensitive sites.
11. Enable Unified Audit Logging
Audit logs record user and admin activity across all Microsoft 365 services. Without them, investigating a security incident becomes nearly impossible because you have no record of what happened.
Unified audit logging is enabled by default in most tenants, but it’s worth verifying. Logs are retained for 180 days with E5 licensing or 90 days with lower tiers.
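Both the sharing defaults (policy 10) and audit log ingestion (policy 11) are settings worth checking rather than assuming. The script below is an added example, not code from the article or from Augmentt; it reads the tenant's SharePoint sharing configuration and the unified audit log setting and reports any value that falls below a conservative baseline. It assumes the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules are installed, and the admin URL is a placeholder for your tenant.

```powershell
# Added example (not from the article): posture check for external sharing
# and unified audit logging. Assumes the SPO and Exchange Online modules;
# the admin URL below is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module ExchangeOnlineManagement

Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant
Connect-ExchangeOnline

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Tenant-wide sharing level. Anything looser than authenticated guests is flagged.
$tenant = Get-SPOTenant
if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    $findings.Add("SharingCapability=$($tenant.SharingCapability): anonymous 'Anyone' links are allowed")
}
# 2. Default link type. AnonymousAccess means new share links need no sign-in.
if ($tenant.DefaultSharingLinkType -eq 'AnonymousAccess') {
    $findings.Add('DefaultSharingLinkType=AnonymousAccess: new links default to anyone-with-the-link')
}
# 3. Domain restriction. Without an allow list, guests from any domain can be invited.
if ($tenant.SharingDomainRestrictionMode -ne 'AllowList') {
    $findings.Add("SharingDomainRestrictionMode=$($tenant.SharingDomainRestrictionMode): sharing is not limited to approved domains")
}
# 4. Unified audit log ingestion must be on, or an investigation has no record to work from.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    $findings.Add('UnifiedAuditLogIngestionEnabled=False: the unified audit log is not being populated')
}

if ($findings.Count -eq 0) {
    Write-Output 'PASS: sharing and audit settings meet the baseline'
} else {
    Write-Output "FAIL: $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output " - $_" }
}

# Remediation, to be run deliberately after review (partner domain is a placeholder):
# Set-SPOTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Direct
# Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList 'partner.example'
# Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
```

The check is deliberately read-only; the remediation lines are left commented so the script can be run against many tenants to produce findings without changing anything.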
12. Create Break-Glass Emergency Access Accounts
Break-glass accounts are cloud-only admin accounts excluded from Conditional Access policies. They exist solely for emergency scenarios when normal admin access fails, like a misconfigured policy that locks out all administrators.
Create at least two break-glass accounts, secure them with ultra-strong passwords stored offline, and monitor them for any sign-in activity. These accounts are your safety net.
Conditional Access Policies You Should Configure First
Conditional Access deserves special attention because it’s the policy engine that ties identity protection together. Here are the highest-priority policies to configure.
| Policy | Trigger Condition | Action |
|---|---|---|
| Risk-based MFA | Medium or high sign-in risk detected | Require MFA |
| Block legacy auth | Client uses legacy protocol | Block access |
| Password change for risky users | High user risk score | Require password reset |
| Require compliant devices | Device fails Intune compliance | Block access |
| Approved apps only | Mobile app not on approved list | Block access |
| Block risky locations | Sign-in from blocked country | Block access |
Require MFA Based on Sign-In Risk
Risk-based Conditional Access uses Microsoft Entra ID Protection signals to trigger MFA only when sign-in behavior looks suspicious. A user signing in from their usual location on their usual device might not see an MFA prompt, while the same user signing in from a new country at 3 AM would.
Block Clients That Do Not Support Modern Authentication
This policy forces users onto modern authentication clients, eliminating legacy protocol vulnerabilities. Older versions of Outlook and other applications that rely on basic authentication simply won’t connect.
Require Password Change for High-Risk Users
When Entra ID Protection detects compromised credentials or high-risk user behavior, this policy forces an immediate password reset. The user can’t access anything until they create a new password.
Require Compliant Devices for Microsoft 365 Access
Combining Conditional Access with Intune compliance ensures only healthy, managed devices connect. If a device falls out of compliance, access is revoked until the issue is fixed.
Require Approved Apps or App Protection Policies
This policy restricts mobile access to apps that support app protection policies or appear on an approved list. Users can’t access corporate email through an unapproved third-party mail client.
Block Access From Risky Locations and Countries
Named locations in Conditional Access let you block sign-ins from countries where you have no business presence. If no one in your organization travels to a particular region, blocking sign-ins from there eliminates a category of risk.
Tip: Start with Conditional Access policies in report-only mode. This lets you see what would be blocked without actually enforcing the policy, reducing the risk of locking out legitimate users during rollout.
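The six policies in the table above, including the report-only rollout the tip recommends and the break-glass exclusion from policy 12, can be created as code through the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the article or from Augmentt; it assumes an Entra ID P1 or P2 license, an installed Microsoft.Graph module, and that the two break-glass object IDs and the blocked-countries named-location ID (all placeholders here) are replaced with your own values. Every policy is created in report-only state.

```powershell
# Added example (not from the article): create the article's six priority
# Conditional Access policies in report-only mode via Microsoft Graph.
# Assumes Entra ID P1/P2 and the Microsoft.Graph PowerShell SDK.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholders: replace with your break-glass account object IDs and the
# ID of a named location that lists countries with no business presence.
$breakGlass        = @('<break-glass-1-object-id>', '<break-glass-2-object-id>')
$blockedLocationId = '<blocked-countries-named-location-id>'
$reportOnly        = 'enabledForReportingButNotEnforced'

# Every policy targets all users and all cloud apps, always excluding the
# break-glass accounts so a bad policy cannot lock out every administrator.
function New-Scope {
    return @{
        users        = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
        applications = @{ includeApplications = @('All') }
    }
}

$policies = @(
    @{  # Risk-based MFA: medium or high sign-in risk -> require MFA
        displayName   = 'CA01 - Require MFA for medium and high sign-in risk'
        conditions    = (New-Scope) + @{ signInRiskLevels = @('medium', 'high') }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{  # Block legacy auth: Exchange ActiveSync and 'other' cover basic-auth clients
        displayName   = 'CA02 - Block legacy authentication clients'
        conditions    = (New-Scope) + @{ clientAppTypes = @('exchangeActiveSync', 'other') }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{  # High user risk -> MFA and password change (both required, hence AND)
        displayName   = 'CA03 - Password change for high-risk users'
        conditions    = (New-Scope) + @{ userRiskLevels = @('high') }
        grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }
    },
    @{  # Require an Intune-compliant device
        displayName   = 'CA04 - Require compliant device'
        conditions    = (New-Scope)
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
    },
    @{  # Mobile platforms: approved client app or app protection policy
        displayName   = 'CA05 - Require approved app or app protection policy'
        conditions    = (New-Scope) + @{ platforms = @{ includePlatforms = @('android', 'iOS') } }
        grantControls = @{ operator = 'OR'; builtInControls = @('approvedApplication', 'compliantApplication') }
    },
    @{  # Block sign-ins originating from the blocked-countries named location
        displayName   = 'CA06 - Block sign-ins from blocked countries'
        conditions    = (New-Scope) + @{ locations = @{ includeLocations = @($blockedLocationId) } }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
)

foreach ($p in $policies) {
    $p.state = $reportOnly                       # observe first, enforce later
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Output "Created '$($created.DisplayName)' in state $($created.State)"
}

# After reviewing report-only results in the sign-in logs, enforce one at a time:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <policy-id> -State enabled
```

Two details are easy to miss when building these by hand: the user-risk policy (CA03) combines MFA and password change with an AND operator, since a reset without MFA would let whoever holds the compromised credential set the new password, and the break-glass exclusion is applied from a single function so it cannot be forgotten on one policy.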
Preset Security Policies in Microsoft Defender for Office 365
Microsoft Defender for Office 365 offers three tiers of pre-configured protection. Understanding the differences helps you choose the right level for each environment.
Built-In Protection for Safe Links and Safe Attachments
Built-in protection is automatic baseline protection applied to all tenants with Defender for Office 365 licensing. It provides Safe Links and Safe Attachments coverage without any configuration required.
Standard Preset Security Policy
The Standard preset balances protection with user experience. It applies recommended settings for anti-phishing, anti-spam, anti-malware, Safe Links, and Safe Attachments. Most organizations find this tier appropriate for their needs.
Strict Preset Security Policy
The Strict preset applies the most aggressive filtering. It catches more threats but also generates more false positives, which means legitimate emails may occasionally be quarantined. This tier suits high-security environments where the tradeoff is acceptable.
When to Use Custom Policies Over Presets
Custom policies make sense when presets don’t fit your specific requirements. You might need exceptions for specific user groups, different settings for partner communications, or configurations that meet particular compliance mandates.
Aligning Microsoft 365 Policies With CIS, NIST, SCuBA, and Secure Score
Mapping your policies to recognized frameworks simplifies compliance reporting and builds trust with stakeholders who want to see alignment with industry standards.
- CIS Microsoft 365 Foundations Benchmark: Prescriptive hardening recommendations with specific pass/fail controls that auditors recognize.
- NIST Cybersecurity Framework: Organizes security into Identify, Protect, Detect, Respond, and Recover functions, providing a common language for security discussions.
- CISA SCuBA: US government guidance specifically for Microsoft 365 security baselines, increasingly referenced in compliance requirements.
- Microsoft Secure Score: Built-in prioritized improvement list showing scoring impact for each recommended action, useful for tracking progress over time.
How to Deploy Microsoft 365 Security Policies Across Multiple Tenants
For MSPs managing many clients, consistent policy deployment at scale is the real challenge. Manual configuration tenant-by-tenant doesn’t scale and introduces configuration drift over time.
Step 1: Establish a Standard Security Baseline
Document a set of policies that apply to all clients regardless of size or industry. This becomes your repeatable starting point and ensures no tenant falls below a minimum security threshold.
Step 2: Build Reusable Policy Templates
Create exportable or templatized configurations that can be deployed repeatedly without rebuilding from scratch. Templates save time and reduce the chance of configuration errors.
Step 3: Pilot Policies in Report-Only Mode
Test policy impact before enforcement. Conditional Access report-only mode shows what would be blocked without actually blocking it, letting you identify potential issues before users are affected.
Step 4: Roll Out Policies Tenant by Tenant
Deploy in phases, validating each tenant before moving to the next. This catches environment-specific issues early and prevents a single misconfiguration from affecting all clients simultaneously.
Step 5: Monitor for Configuration Drift
Settings change over time, sometimes intentionally and sometimes not. Continuous monitoring and remediation keeps tenants aligned with your baseline and catches unauthorized changes quickly.
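Drift detection can be scripted against the same Graph API the policies were built with. The script below is an added example, not code from the article or from Augmentt's product; it compares each live Conditional Access policy against a baseline JSON file, confirms the break-glass accounts from policy 12 are still excluded from every policy, and lists any break-glass sign-ins from the last seven days, since those accounts should only ever be used in an emergency. It assumes the Microsoft.Graph modules are installed, and the baseline file format and account IDs are constructed placeholders.

```powershell
# Added example (not from the article): Conditional Access drift check plus
# break-glass account monitoring via Microsoft Graph. Assumes the
# Microsoft.Graph SDK; baseline.json and the object IDs are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

$breakGlass = @('<break-glass-1-object-id>', '<break-glass-2-object-id>')   # placeholders

# Baseline format (constructed for this example): a JSON array of objects
# with displayName, state and builtInControls, e.g.
# [ { "displayName": "CA02 - Block legacy authentication clients",
#     "state": "enabled", "builtInControls": ["block"] } ]
$baseline = Get-Content -Path '.\baseline.json' -Raw | ConvertFrom-Json

$live  = Get-MgIdentityConditionalAccessPolicy -All
$drift = [System.Collections.Generic.List[string]]::new()

foreach ($expected in $baseline) {
    $actual = $live | Where-Object DisplayName -eq $expected.displayName
    if (-not $actual) {
        $drift.Add("MISSING: '$($expected.displayName)' is not present in the tenant")
        continue
    }
    # A policy silently switched back to report-only or disabled is the most common drift.
    if ($actual.State -ne $expected.state) {
        $drift.Add("STATE: '$($actual.DisplayName)' is '$($actual.State)', baseline says '$($expected.state)'")
    }
    # Grant controls weakened (e.g. 'block' replaced by 'mfa') are flagged as drift.
    $liveControls = @($actual.GrantControls.BuiltInControls | Where-Object { $_ } | Sort-Object)
    $wantControls = @($expected.builtInControls | Where-Object { $_ } | Sort-Object)
    if (Compare-Object $liveControls $wantControls) {
        $drift.Add("CONTROLS: '$($actual.DisplayName)' grants [$($liveControls -join ',')], baseline [$($wantControls -join ',')]")
    }
    # Every policy must still exclude the break-glass accounts.
    $excluded = @($actual.Conditions.Users.ExcludeUsers)
    foreach ($id in $breakGlass) {
        if ($excluded -notcontains $id) {
            $drift.Add("BREAK-GLASS: '$($actual.DisplayName)' no longer excludes $id")
        }
    }
}

# Break-glass accounts should never sign in outside a real emergency; any entry is an alert.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
foreach ($id in $breakGlass) {
    $signIns = Get-MgAuditLogSignIn -Filter "userId eq '$id' and createdDateTime ge $since" -Top 50
    foreach ($s in $signIns) {
        $drift.Add("BREAK-GLASS SIGN-IN: $id from $($s.IpAddress) at $($s.CreatedDateTime)")
    }
}

if ($drift.Count -eq 0) {
    Write-Output 'No drift detected'
} else {
    $drift | ForEach-Object { Write-Output $_ }
}
```

Run on a schedule per tenant, the output is a short list of differences that a technician can act on, which is what keeps a documented baseline from decaying into a one-time snapshot.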
Augmentt’s Secure Autopilot enables one-click deployment of security baselines aligned with CIS, NIST, SCuBA, and Secure Score across all your tenants, with ongoing drift detection and automated remediation.
Frequently Asked Questions About Microsoft 365 Security Policies
What licenses are required to enforce Microsoft 365 security policies?
Basic policies like Security Defaults and audit logging are available in all Microsoft 365 plans. Advanced features like Conditional Access, Defender for Office 365, and Intune require Business Premium, E3, or E5 licensing.
Are Microsoft Security Defaults sufficient without Conditional Access policies?
Security Defaults provide baseline MFA and block legacy authentication but lack granular control. Organizations with compliance requirements or complex environments typically benefit from upgrading to Conditional Access policies.
How often should Microsoft 365 security policies be reviewed?
Quarterly reviews are a reasonable minimum. Immediate review is warranted after significant changes in licensing, user population, compliance requirements, or following a security incident.
Can L1 or L2 technicians safely apply Microsoft 365 security policies?
With proper tooling that provides guardrails and pre-built templates, junior technicians can safely apply standardized security policies without needing deep expertise or direct access to Microsoft admin portals.