As organisations increasingly migrate their operations to cloud platforms like Microsoft 365, securing this environment becomes a critical priority. The shift to remote and hybrid work has expanded the attack surface, making comprehensive security strategies more important than ever. In this article, we’ll explore a holistic approach to securing Microsoft 365 environments, moving beyond basic security measures to implement a robust, defence-in-depth strategy.
The Evolving Threat Landscape
Before diving into specific security measures, it’s important to understand the threat landscape facing Microsoft 365 environments. Recent attack trends include:
- Sophisticated phishing campaigns targeting Microsoft 365 credentials
- OAuth application abuse for persistent access
- Lateral movement across integrated cloud services
- Supply chain attacks through trusted third-party integrations
- Business email compromise (BEC) targeting financial transactions
According to Microsoft’s Digital Defense Report 2024, identity-based attacks remain the most prevalent entry point for threat actors, accounting for approximately 70% of breaches. This highlights the importance of robust identity security measures in any Microsoft 365 security strategy.
Identity and Access Management: The Foundation of Security
Effective identity and access management (IAM) forms the cornerstone of Microsoft 365 security. Here are key components of a robust IAM approach:
Multi-Factor Authentication (MFA)
MFA remains one of the most effective security controls, with Microsoft reporting that it can block over 99.9% of account compromise attacks. Despite this, adoption rates remain surprisingly low in many organisations.
Best practices for MFA implementation include:
- Enforcing MFA for all users without exception
- Implementing phishing-resistant factors like FIDO2 security keys
- Removing SMS as an authentication method due to known vulnerabilities
- Testing MFA bypass scenarios to identify potential weaknesses
The following PowerShell script (Microsoft Graph PowerShell SDK) lists users who have not registered a strong MFA method. It deliberately counts only Microsoft Authenticator, FIDO2 and Windows Hello for Business; phone-based methods (SMS and voice) are ignored, so a user who only has SMS registered is reported as having no MFA:

```powershell
# Connect to Microsoft Graph with appropriate permissions
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All"

# Get all users. UserType is not part of the default property set, so request it explicitly
$users = Get-MgUser -All -Property Id, UserPrincipalName, DisplayName, UserType

$mfaStatus = @()
foreach ($user in $users) {
    # Skip external (B2B) identities and directory-sync accounts; guests are reviewed separately
    if ($user.UserPrincipalName -like "*#EXT#*" -or
        $user.UserPrincipalName -like "sync_*" -or
        $user.UserType -eq "Guest") {
        continue
    }

    # Get the registered authentication methods for this user
    $authMethods = Get-MgUserAuthenticationMethod -UserId $user.Id

    # Check for strong MFA methods (SMS and voice are intentionally excluded)
    $hasMFA = $false
    foreach ($method in $authMethods) {
        $methodType = $method.AdditionalProperties.'@odata.type'
        if ($methodType -match "microsoft.graph.microsoftAuthenticatorAuthenticationMethod|microsoft.graph.fido2AuthenticationMethod|microsoft.graph.windowsHelloForBusinessAuthenticationMethod") {
            $hasMFA = $true
            break
        }
    }

    $mfaStatus += [PSCustomObject]@{
        UserPrincipalName = $user.UserPrincipalName
        DisplayName       = $user.DisplayName
        MFAEnabled        = $hasMFA
    }
}

# Output users without MFA
$mfaStatus | Where-Object { -not $_.MFAEnabled } | Format-Table -AutoSize

# Export to CSV for reporting
$mfaStatus | Export-Csv -Path "MFAStatus_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
```
Conditional Access Policies
Conditional Access allows for granular access control based on signals such as user identity, device health, location, and application. A robust Conditional Access strategy should include:
- Zero Trust policy foundation: Requiring MFA for all users and applications
- Device compliance requirements: Ensuring devices meet security standards before granting access
- Location-based restrictions: Limiting access from high-risk locations
- Application-specific controls: Implementing tailored policies for sensitive applications
The following policy structure represents a comprehensive Conditional Access approach:

| Policy Name | Assignment | Conditions | Controls |
|---|---|---|---|
| Baseline Protection | All users (excluding emergency access accounts) | All cloud apps | Require MFA |
| Block Legacy Authentication | All users | Client apps: Exchange ActiveSync, other clients | Block access |
| High-Risk Sign-In Protection | All users | User risk: High | Require password change + MFA |
| Device Compliance | All users | All cloud apps | Require device compliance |
| Guest Access Restrictions | Guest users | All cloud apps | Require MFA, block download |
| Sensitive Data Access | Members of sensitive data groups | Target specific apps | Require MFA, compliant device, approved apps |
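As an added example (not code from the original article), the "Block Legacy Authentication" row of the table created through the Graph PowerShell SDK. It starts in report-only mode and excludes a break-glass account; the `breakglass@yourdomain.com` UPN is a placeholder you must replace:

```powershell
# Placeholder: replace with your emergency-access (break-glass) account
$breakGlassUpn = "breakglass@yourdomain.com"

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Resolve the break-glass account so it can be excluded from the policy
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'"
if (-not $breakGlass) { throw "Break-glass account not found; refusing to create a policy with no exclusion" }

# Policy body in the shape of the conditionalAccessPolicy resource
$policy = @{
    displayName = "Block Legacy Authentication"
    # Report-only first; switch to "enabled" once the sign-in report shows no unexpected blocks
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Legacy protocols show up as Exchange ActiveSync and "other clients"
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' (Id $($created.Id)) in state $($created.State)"

# Sanity check: confirm the exclusion landed before anyone flips the policy to enabled
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Users.ExcludeUsers -notcontains $breakGlass.Id) {
    Write-Warning "Break-glass account is not excluded; fix this before enabling the policy"
}
```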
Privileged Access Management
Privileged accounts represent high-value targets for attackers. A comprehensive privileged access strategy should include:
- Just-in-time access: Providing elevated privileges only when needed
- Privileged Identity Management (PIM): Implementing approval workflows and time-bound role activation
- Role separation: Dividing administrative responsibilities to prevent concentration of privileges
- Emergency access accounts: Maintaining break-glass accounts for recovery scenarios
Here's a sample PowerShell script to audit privileged role assignments in Microsoft 365. Note that `Get-MgDirectoryRole` only returns roles that have been activated in the tenant, and that only user members are resolved here (group and service principal members are skipped):

```powershell
# Connect to Microsoft Graph with appropriate permissions
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Get all directory roles (only roles activated in the tenant are returned)
$roles = Get-MgDirectoryRole
$privilegedAssignments = @()

# Define highly privileged roles to monitor
$criticalRoles = @(
    "Global Administrator",
    "Exchange Administrator",
    "SharePoint Administrator",
    "User Administrator",
    "Security Administrator",
    "Privileged Role Administrator",
    "Application Administrator"
)

foreach ($role in $roles) {
    # Check if this is a critical role
    $isCriticalRole = $criticalRoles -contains $role.DisplayName

    # Get members of the role (users, groups and service principals are all returned)
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
    foreach ($member in $members) {
        # Resolve user members only; AccountEnabled is not returned by default, so request it
        $userDetails = Get-MgUser -UserId $member.Id -Property Id, UserPrincipalName, DisplayName, AccountEnabled -ErrorAction SilentlyContinue
        if ($userDetails) {
            $privilegedAssignments += [PSCustomObject]@{
                RoleName          = $role.DisplayName
                IsCriticalRole    = $isCriticalRole
                UserPrincipalName = $userDetails.UserPrincipalName
                DisplayName       = $userDetails.DisplayName
                AccountEnabled    = $userDetails.AccountEnabled
                IsManagedWithPIM  = $false  # Would need additional PIM API checks
            }
        }
    }
}

# Output critical role assignments
$privilegedAssignments | Where-Object { $_.IsCriticalRole } | Format-Table -AutoSize

# Export to CSV for reporting
$privilegedAssignments | Export-Csv -Path "PrivilegedRoles_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
```
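The script above leaves `IsManagedWithPIM` unanswered. As an added example (not from the original article), the following uses the PIM schedule-instance endpoints to separate standing assignments from eligible or activated ones; it assumes the tenant is licensed for PIM and that the signed-in account holds the read-only PIM scopes named in the connect call:

```powershell
# Audit PIM eligibility versus standing assignments (assumes Entra ID P2 / PIM is licensed)
Connect-MgGraph -Scopes "RoleEligibilitySchedule.Read.Directory", "RoleAssignmentSchedule.Read.Directory", "Directory.Read.All"

# Resolve role definition ids to display names once
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Eligible assignments are PIM-managed: the principal must activate the role before using it
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All

# Assignment instances cover both standing ("Assigned") and just-in-time ("Activated") assignments
$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All

$report = foreach ($a in $active) {
    $hasEligibility = [bool]($eligible | Where-Object {
        $_.PrincipalId -eq $a.PrincipalId -and $_.RoleDefinitionId -eq $a.RoleDefinitionId
    })
    # The principal may be a user, group or service principal; displayName sits in AdditionalProperties
    $principal = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        RoleName       = $roleNames[$a.RoleDefinitionId]
        Principal      = $principal.AdditionalProperties.displayName
        PrincipalType  = $principal.AdditionalProperties.'@odata.type' -replace '#microsoft\.graph\.', ''
        AssignmentType = $a.AssignmentType   # "Assigned" = standing, "Activated" = PIM activation
        EndDateTime    = $a.EndDateTime      # $null means the assignment never expires
        HasEligibility = $hasEligibility
    }
}

# Findings: standing, never-expiring assignments are the ones PIM eligibility should replace
$standing = $report | Where-Object { $_.AssignmentType -eq "Assigned" -and -not $_.EndDateTime }
$standing | Sort-Object RoleName, Principal | Format-Table -AutoSize

# Export the full picture for reporting
$report | Export-Csv -Path "PimAssignments_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
```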
Email Security: Beyond the Basics
Email remains the primary attack vector for most organisations. Microsoft 365 provides robust email security capabilities that should be fully leveraged:
Advanced Threat Protection
Microsoft Defender for Office 365 (formerly ATP) provides comprehensive email security through features such as:
- Safe Attachments: Scanning attachments in a virtual environment
- Safe Links: Checking URLs at time of click
- Anti-phishing protection: Using machine learning to detect impersonation attempts
The most effective configurations go beyond default settings. Here’s a checklist of enhanced settings:
- ✅ Enable Safe Attachments for SharePoint, OneDrive, and Teams
- ✅ Configure Safe Links to scan URLs in email and Office documents
- ✅ Enable time-of-click protection and URL detonation
- ✅ Implement anti-spoofing and anti-impersonation policies
- ✅ Create custom “do not rewrite” lists for trusted domains only
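As an added example (not the article's own code), an Exchange Online PowerShell check that reads the Defender for Office 365 settings behind this checklist and reports each gap; it assumes the ExchangeOnlineManagement module and a Defender for Office 365 licence:

```powershell
# Requires the ExchangeOnlineManagement module and Defender for Office 365
Connect-ExchangeOnline

$findings = @()

# Tenant-wide switch that extends Safe Attachments to SharePoint, OneDrive and Teams
$atp = Get-AtpPolicyForO365
if (-not $atp.EnableATPForSPOTeamsODB) {
    $findings += "Tenant: Safe Attachments for SharePoint/OneDrive/Teams is disabled"
}

foreach ($sl in Get-SafeLinksPolicy) {
    if (-not $sl.EnableSafeLinksForEmail)  { $findings += "$($sl.Name): Safe Links not applied to email" }
    if (-not $sl.EnableSafeLinksForOffice) { $findings += "$($sl.Name): Safe Links not applied to Office documents" }
    if (-not $sl.ScanUrls)                 { $findings += "$($sl.Name): time-of-click URL scanning is off" }
    if (-not $sl.DeliverMessageAfterScan)  { $findings += "$($sl.Name): messages are delivered before URL scanning completes" }
    if ($sl.AllowClickThrough)             { $findings += "$($sl.Name): users can click through Safe Links warnings" }
    # "Do not rewrite" entries bypass Safe Links entirely; a bare wildcard or a whole TLD is far too broad
    foreach ($entry in $sl.DoNotRewriteUrls) {
        if ($entry -match '^\*(\.[a-z]+)?$') {
            $findings += "$($sl.Name): overly broad do-not-rewrite entry '$entry'"
        }
    }
}

foreach ($sa in Get-SafeAttachmentPolicy) {
    if (-not $sa.Enable)        { $findings += "$($sa.Name): Safe Attachments policy is disabled" }
    if ($sa.Action -eq "Allow") { $findings += "$($sa.Name): Safe Attachments action is Allow (monitor only)" }
}

if ($findings.Count -eq 0) { "No gaps found against the checklist" } else { $findings }
```

A policy only takes effect through its rule, so pair this with `Get-SafeLinksRule` and `Get-SafeAttachmentRule` to confirm each policy is enabled and scoped to the intended recipients.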
Transport Rules and Mail Flow
Exchange Online transport rules provide additional layers of protection through mail flow rules. Effective strategies include:
- External sender warnings: Adding visual notifications for emails from outside the organisation
- Attachment filtering: Blocking high-risk attachment types
- Domain spoofing protection: Implementing rules to detect lookalike domains
- Sensitive information filtering: Creating rules based on sensitive data patterns
Here's an example of a transport rule that flags messages arriving from outside the organisation whose From header carries the internal domain, a common impersonation pattern. The pattern matches the header with or without a display name (for example `Name <user@yourdomain.com>`); replace `yourdomain.com` with your own domain:

```powershell
# Requires Connect-ExchangeOnline
New-TransportRule -Name "External Sender Using Internal Display Name" `
    -FromScope "NotInOrganization" `
    -SentToScope "InOrganization" `
    -HeaderMatchesMessageHeader "From" `
    -HeaderMatchesPatterns "@yourdomain\.com>?$" `
    -ApplyHtmlDisclaimerLocation "Prepend" `
    -ApplyHtmlDisclaimerText "<p style='background-color:#FFEB9C; border:1px solid #9C6500; padding:5px;'><strong>Warning:</strong> This message appears to be from someone inside the organisation, but it was sent from an external source. Please verify the sender before responding or clicking links.</p>" `
    -SetAuditSeverity "High"
```
Data Loss Prevention
Data Loss Prevention (DLP) policies prevent sensitive information from leaving the organisation via email and other channels. A comprehensive DLP strategy includes:
- Sensitive information type identification: Creating custom patterns for organisation-specific data
- Policy application across services: Extending DLP to SharePoint, OneDrive, and Teams
- Graduated response actions: Implementing tiered responses based on severity
- User education: Using policy tips to inform users of potential violations
Endpoint Management and Security
With remote work becoming the norm, securing endpoints that access Microsoft 365 is critical. Key components include:
Microsoft Intune for Device Management
Intune provides comprehensive management of devices accessing Microsoft 365, enabling:
- Device enrollment and compliance: Ensuring devices meet security standards
- Configuration profiles: Deploying security settings at scale
- App protection policies: Protecting corporate data on personal devices
- Conditional Access integration: Using device compliance as an access signal
Defender for Endpoint Integration
Integrating Microsoft Defender for Endpoint with Microsoft 365 creates a unified security ecosystem:
- Threat and vulnerability management: Identifying and addressing vulnerabilities
- Endpoint detection and response: Detecting and remediating advanced threats
- Risk-based Conditional Access: Using device risk level to determine access
- Automated investigation and remediation: Responding to threats without human intervention
The following PowerShell script demonstrates how to identify devices with critical vulnerabilities that access Microsoft 365. The vulnerability data is a hard-coded stand-in; in a real implementation it would come from the Defender for Endpoint vulnerability management API:

```powershell
# Connect to Microsoft Graph with appropriate permissions
# (a real implementation would additionally need Microsoft Defender for Endpoint API access)
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All", "SecurityEvents.Read.All"

# Get all Intune-managed devices
$devices = Get-MgDeviceManagementManagedDevice -All

# Vulnerability data keyed by device name (simplified placeholder example)
# In a real implementation, you would populate this from the Defender for Endpoint API
$vulnerabilityData = @{
    "device1" = @{ Severity = "Critical"; CVEs = @("CVE-2024-1234", "CVE-2024-5678") }
    "device2" = @{ Severity = "High";     CVEs = @("CVE-2024-9101") }
}

$vulnerableDevices = @()
foreach ($device in $devices) {
    # Check if we have vulnerability data for this device
    if ($vulnerabilityData.ContainsKey($device.DeviceName)) {
        $vulnerableDevices += [PSCustomObject]@{
            DeviceName            = $device.DeviceName
            Owner                 = $device.UserPrincipalName
            OS                    = $device.OperatingSystem
            LastSync              = $device.LastSyncDateTime
            Compliant             = $device.ComplianceState -eq "Compliant"
            VulnerabilitySeverity = $vulnerabilityData[$device.DeviceName].Severity
            CVEs                  = $vulnerabilityData[$device.DeviceName].CVEs -join ", "
        }
    }
}

# Output devices with critical vulnerabilities
$vulnerableDevices | Where-Object { $_.VulnerabilitySeverity -eq "Critical" } | Format-Table -AutoSize

# Export to CSV for reporting
$vulnerableDevices | Export-Csv -Path "VulnerableDevices_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
```
Cloud App Security and Shadow IT
Microsoft Defender for Cloud Apps (formerly Cloud App Security) provides visibility and control over cloud applications, addressing:
Cloud Discovery and Shadow IT
Many organisations face challenges with unauthorised cloud applications. Defender for Cloud Apps helps by:
- Discovering shadow IT: Identifying unauthorised cloud applications
- Risk assessment: Evaluating the security posture of cloud apps
- Policy enforcement: Creating policies to govern cloud app usage
- Integration with proxies and firewalls: Expanding visibility across the network
Advanced Threat Protection for Cloud Apps
Beyond discovery, Defender for Cloud Apps provides advanced security capabilities:
- Anomaly detection: Identifying unusual user behaviour
- OAuth app governance: Controlling third-party app permissions
- Session controls: Implementing real-time monitoring and control
- Information protection integration: Extending data protection to cloud apps
Monitoring and Response
Even with robust preventative controls, comprehensive monitoring and response capabilities are essential:
Security Monitoring
Effective security monitoring in Microsoft 365 includes:
- Unified audit logging: Enabling comprehensive audit logs across services
- Alert policies: Creating custom alerts for suspicious activities
- Integration with SIEM solutions: Forwarding logs to central security platforms
- Regular review processes: Establishing procedures for log review and triage
The following PowerShell script demonstrates how to retrieve and analyse sign-in logs for suspicious patterns. Note that `countryOrRegion` in the sign-in location is an ISO 3166 two-letter code, so the location check compares codes rather than country names:

```powershell
# Connect to Microsoft Graph with appropriate permissions
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Get sign-in logs for the past 7 days (the filter expects ISO 8601 UTC timestamps)
$startTime = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$endTime   = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signInLogs = Get-MgAuditLogSignIn -Filter "createdDateTime ge $startTime and createdDateTime le $endTime" -All

# Identify suspicious sign-ins
$suspiciousSignIns = @()
foreach ($signIn in $signInLogs) {
    $isSuspicious = $false
    $reason = ""

    # Check for failed sign-ins (errorCode 0 means success)
    if ($signIn.Status.ErrorCode -ne 0) {
        $isSuspicious = $true
        $reason += "Failed sign-in; "
    }

    # Check for sign-ins from unusual locations (RU = Russia, KP = North Korea, IR = Iran)
    if ($signIn.Location.CountryOrRegion -in @("RU", "KP", "IR")) {
        $isSuspicious = $true
        $reason += "High-risk location; "
    }

    # Check for impossible travel
    # This would require comparing with previous sign-ins and calculating distance/time

    # Check for unusual user agents
    if ($signIn.UserAgent -match "Tor|anonymous|VPN") {
        $isSuspicious = $true
        $reason += "Suspicious user agent; "
    }

    if ($isSuspicious) {
        $suspiciousSignIns += [PSCustomObject]@{
            UserPrincipalName = $signIn.UserPrincipalName
            DateTime          = $signIn.CreatedDateTime
            IPAddress         = $signIn.IpAddress
            Location          = "$($signIn.Location.City), $($signIn.Location.CountryOrRegion)"
            Status            = if ($signIn.Status.ErrorCode -eq 0) { "Success" } else { "Failure: $($signIn.Status.FailureReason)" }
            Application       = $signIn.AppDisplayName
            Device            = $signIn.DeviceDetail.DisplayName
            Reason            = $reason.TrimEnd("; ")
        }
    }
}

# Output suspicious sign-ins
$suspiciousSignIns | Format-Table -AutoSize

# Export to CSV for reporting
$suspiciousSignIns | Export-Csv -Path "SuspiciousSignIns_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
```
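The script above leaves impossible travel as a comment. As an added example (not the article's code), the following implements that check over sign-in objects shaped like `Get-MgAuditLogSignIn` output, using the haversine distance between consecutive sign-ins per user. The sample sign-ins are constructed for illustration; `$maxSpeedKmh` is an assumed threshold, and the 100 km minimum distance avoids flagging neighbouring cities:

```powershell
# Great-circle distance in km between two latitude/longitude pairs (haversine formula)
function Get-DistanceKm([double]$lat1, [double]$lon1, [double]$lat2, [double]$lon2) {
    $toRad = [math]::PI / 180
    $dLat = ($lat2 - $lat1) * $toRad
    $dLon = ($lon2 - $lon1) * $toRad
    $a = [math]::Sin($dLat / 2) * [math]::Sin($dLat / 2) +
         [math]::Cos($lat1 * $toRad) * [math]::Cos($lat2 * $toRad) *
         [math]::Sin($dLon / 2) * [math]::Sin($dLon / 2)
    return 2 * 6371.0 * [math]::Asin([math]::Sqrt($a))
}

# Flag consecutive sign-ins by the same user that would require travelling faster than $maxSpeedKmh
function Find-ImpossibleTravel($signIns, [double]$maxSpeedKmh = 900) {
    $hits = @()
    foreach ($group in ($signIns | Sort-Object CreatedDateTime | Group-Object UserPrincipalName)) {
        $prev = $null
        foreach ($s in $group.Group) {
            $geo = $s.Location.GeoCoordinates
            if ($prev -and $null -ne $geo.Latitude -and $null -ne $prev.Location.GeoCoordinates.Latitude) {
                $pg = $prev.Location.GeoCoordinates
                $km = Get-DistanceKm $pg.Latitude $pg.Longitude $geo.Latitude $geo.Longitude
                $hours = ($s.CreatedDateTime - $prev.CreatedDateTime).TotalHours
                # Two sign-ins in the same second from different places are treated as infinite speed
                $speed = if ($hours -gt 0) { $km / $hours } else { [double]::PositiveInfinity }
                if ($km -gt 100 -and $speed -gt $maxSpeedKmh) {
                    $hits += [PSCustomObject]@{
                        User = $group.Name; From = $prev.Location.City; To = $s.Location.City
                        DistanceKm = [math]::Round($km); Hours = [math]::Round($hours, 2); SpeedKmh = [math]::Round($speed)
                    }
                }
            }
            $prev = $s
        }
    }
    return $hits
}

# Constructed sample data in the shape of Get-MgAuditLogSignIn output (not real tenant data)
function New-SampleSignIn($upn, $utc, $city, $country, $lat, $lon) {
    [PSCustomObject]@{
        UserPrincipalName = $upn; CreatedDateTime = [datetime]::Parse($utc).ToUniversalTime()
        Location = [PSCustomObject]@{ City = $city; CountryOrRegion = $country
            GeoCoordinates = [PSCustomObject]@{ Latitude = $lat; Longitude = $lon } }
    }
}
$sample = @(
    (New-SampleSignIn "alice@yourdomain.com" "2024-05-01T08:00:00Z" "London" "GB" 51.5074 -0.1278),
    (New-SampleSignIn "alice@yourdomain.com" "2024-05-01T10:00:00Z" "Sydney" "AU" -33.8688 151.2093),  # ~17000 km in 2 h: flagged
    (New-SampleSignIn "bob@yourdomain.com"   "2024-05-01T08:00:00Z" "London" "GB" 51.5074 -0.1278),
    (New-SampleSignIn "bob@yourdomain.com"   "2024-05-01T11:00:00Z" "Paris"  "FR" 48.8566 2.3522)      # ~340 km in 3 h: normal
)
Find-ImpossibleTravel $sample | Format-Table -AutoSize
```

Against live data, replace `$sample` with the `$signInLogs` collection retrieved above; sign-ins without geo-coordinates are skipped rather than misjudged.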
Incident Response
An effective incident response strategy for Microsoft 365 includes:
- Response playbooks: Developing scenarios for common attack types
- Automation and orchestration: Using tools like Microsoft Sentinel for automated response
- Regular tabletop exercises: Practicing response procedures
- Post-incident analysis: Learning from incidents to improve security posture
Compliance and Governance
Alongside security measures, organisations must address compliance and governance requirements:
Information Governance
Effective information governance in Microsoft 365 includes:
- Retention policies: Implementing retention schedules for different data types
- Records management: Classifying and managing important records
- eDiscovery and legal hold: Preserving data for legal proceedings
- Data lifecycle management: Implementing processes for data from creation to deletion
Compliance Management
Microsoft 365 provides tools to manage compliance requirements:
- Compliance Manager: Assessing and improving compliance posture
- Data Subject Requests (DSRs): Fulfilling privacy requests from individuals
- Compliance score: Tracking progress toward compliance objectives
- Regulatory templates: Leveraging pre-built templates for common regulations
Bringing It All Together: A Security Roadmap
Implementing comprehensive security for Microsoft 365 can be overwhelming. Here’s a phased approach based on our experience working with enterprise clients:
Phase 1: Foundation (1-3 months)
- ✅ Enable unified audit logging
- ✅ Implement MFA for all users
- ✅ Configure basic Conditional Access policies
- ✅ Enable Defender for Office 365 (Plan 1)
- ✅ Deploy basic DLP policies for highly sensitive data
Phase 2: Enhanced Security (3-6 months)
- ✅ Implement Privileged Identity Management
- ✅ Deploy comprehensive Conditional Access policies
- ✅ Configure advanced Defender for Office 365 features
- ✅ Implement device compliance with Intune
- ✅ Enhance DLP coverage across services
Phase 3: Advanced Protection (6-12 months)
- ✅ Deploy Defender for Cloud Apps
- ✅ Implement Defender for Endpoint integration
- ✅ Establish security monitoring and alerting
- ✅ Develop and test incident response procedures
- ✅ Implement information governance and compliance controls
Phase 4: Optimization and Automation (12+ months)
- ✅ Implement Microsoft Sentinel for SIEM and SOAR
- ✅ Develop automated response playbooks
- ✅ Conduct regular security assessments and tabletop exercises
- ✅ Implement continuous compliance monitoring
- ✅ Conduct regular security posture reviews and improvements
Conclusion
Securing Microsoft 365 requires a comprehensive, defence-in-depth approach that addresses identity, data, endpoints, and applications. By implementing the strategies outlined in this article, organisations can significantly enhance their security posture while enabling productivity and collaboration.
Remember that security is not a one-time project but an ongoing process. Regular assessment, adaptation to emerging threats, and continuous improvement are essential elements of a mature security program.
References
- Microsoft. (2025). Microsoft Digital Defense Report 2024. https://www.microsoft.com/en-us/security/business/security-intelligence-report
- National Cyber Security Centre. (2024). Cloud Security Guidance. https://www.ncsc.gov.uk/collection/cloud-security
- Microsoft. (2025). Microsoft 365 Security Documentation. https://docs.microsoft.com/en-us/microsoft-365/security/
- Cunningham, S. (2024). Microsoft 365 Security Administration: MS-500 Exam Guide. Packt Publishing.
- NIST. (2024). Zero Trust Architecture (SP 800-207). https://csrc.nist.gov/publications/detail/sp/800-207/final