1. Multi-factor authentication (MFA) for everyone
A password alone is not enough — most account compromises start with a leaked or guessed password. Enforce MFA for every user, not just admins, and prefer an authenticator app over SMS. This single control blocks the overwhelming majority of account-takeover attempts.
2. Conditional Access
Conditional Access is the rules engine that decides who can sign in, from where, and on which devices. Even a few sensible policies — block legacy authentication, require MFA from unmanaged devices, restrict risky sign-ins — dramatically raise the bar for an attacker.
3. Admin accounts and least privilege
Review who has Global Administrator rights — it’s usually more people than it should be. Use separate admin accounts, grant the minimum role needed, and make sure every admin has MFA.
4. Email security: SPF, DKIM and DMARC
These three records stop attackers spoofing your domain to send convincing phishing emails as “you”. Many businesses have SPF but are missing DKIM and DMARC. Getting all three right also improves your legitimate email deliverability.
5. Backup — yes, even in the cloud
Microsoft 365 is not a backup. Deleted mailboxes and files age out of retention, and ransomware or a rogue account can destroy data that Microsoft won’t restore for you. A dedicated M365 backup closes that gap.
Not sure where you stand?
A Microsoft 365 security review checks all of the above (and more) against recognised baselines, and gives you a prioritised list of what to fix. We offer that review free — you only pay if you’d like us to carry out the remediation.