Who this page is for
IT leaders, Microsoft 365 administrators, security leaders and auditors making an honest assessment of a tenant.
Security relevant building blocks
Identities and [MFA](/en/mfa), conditional access, role model, mail security with anti-phishing and anti-spoofing, audit logs, Defender components for endpoint, identity, mail and cloud apps, and app permissions and consent.
Typical risks
[Phishing](/en/phishing) and consent phishing target identities directly.
Compromised mailboxes with forwarding rules are often noticed late.
Weak admin accounts remain a primary attacker goal.
Missing conditional access allows sign-ins from arbitrary countries and devices.
Unused audit logs make incident analysis hard.
Sensible measures
Phishing-resistant MFA on all admins, strict conditional access for privileged roles, separate admin identities, anti-phishing and anti-spoofing in Exchange Online, active audit logs with adequate retention, Defender components actually reviewed, and a consent strategy for third-party apps. Concrete configuration belongs in specialised admin documentation.
Scenario
An organisation spots a business email compromise because a forwarding rule to an external address appeared. Audit logs and Defender alerts make the case visible; conditional access limits the damage.
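Detection logic for the scenario above, as an added example that is not part of this page or of any Microsoft tooling: it scans constructed unified-audit-log records for inbox rules or mailbox settings that forward mail to a domain the organisation does not own. The domain set, the sample records and the function names are assumptions.

```python
import json

# Constructed for this example: the domains the organisation owns; anything else is external.
INTERNAL_DOMAINS = {"contoso.example"}

# Exchange Online operations that can introduce forwarding, and the parameters carrying a target.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMETERS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                         "ForwardingSmtpAddress", "ForwardingAddress"}


def domain_of(address):
    """Lower-case domain of an SMTP address; strips the 'smtp:' prefix Set-Mailbox values carry."""
    addr = address.strip().lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def find_external_forwarding(audit_data_lines):
    """Return (actor, operation, target) for every forwarding target outside INTERNAL_DOMAINS.

    Each line is one AuditData JSON document as exported from the unified audit log.
    """
    findings = []
    for line in audit_data_lines:
        rec = json.loads(line)
        if rec.get("Operation") not in FORWARDING_OPERATIONS:
            continue
        for param in rec.get("Parameters", []):
            if param.get("Name") not in FORWARDING_PARAMETERS:
                continue
            # A value may list several recipients separated by ';'.
            for target in str(param.get("Value", "")).split(";"):
                target = target.strip()
                if target and domain_of(target) not in INTERNAL_DOMAINS:
                    findings.append((rec.get("UserId"), rec["Operation"], target))
    return findings


# Constructed sample records modelled on the unified audit log's AuditData field.
SAMPLE_AUDIT_DATA = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
                "Parameters": [{"Name": "Name", "Value": "Invoices"},
                               {"Name": "ForwardTo", "Value": "finance@mail-drop.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "bob@contoso.example",
                "Parameters": [{"Name": "MoveToFolder", "Value": "Archive"}]}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "admin@contoso.example",
                "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:carol@contoso.example"}]}),
]

if __name__ == "__main__":
    for actor, op, target in find_external_forwarding(SAMPLE_AUDIT_DATA):
        print(f"{actor} ran {op} forwarding mail to external address {target}")
```

Only the first record is reported: the second changes no forwarding target and the third forwards to a domain the organisation owns.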
Checklist
- MFA for all accounts, phishing-resistant for admins
- Separate admin identities without mailbox
- Conditional access with risk-aware policies
- Anti-phishing and anti-spoofing active
- Audit logs active and reviewed
- Consent strategy for third-party apps
- Defender components reviewed, not just enabled
Frequently asked questions
Are default settings enough?
Defaults are a start but do not replace deliberate hardening.
What is consent phishing?
Attackers request permissions via a malicious app. Approving it grants access without revealing a password.
Related topics
MFA significantly reduces the risk of compromised accounts. This page explains which methods actually work, where the weak points are and how to prioritise rollout in practice.
Identities are a primary target today. Clean handling of accounts, roles and permissions reduces the risk of many incidents significantly.
A compromised account is one of the most common incident types today. This page outlines causes, early signs and reasonable first actions.
Business email compromise targets money or data flows through manipulated business mail - often via compromised mailboxes or convincing correspondence. This page outlines scenarios and controls.
Phishing remains one of the most common entry points. Modern attacks look professional, use trusted brands and adapt quickly. Technical filters, awareness and a simple report button belong together.
Cloud security combines safe configuration, strong identities, good logging and clear responsibility. This page outlines the core building blocks.
Zero trust is an architectural principle, not a product. It means: trust nothing automatically, verify every access based on identity, device and context.