The Microsoft 365 Security Landscape in 2026
Microsoft 365 is the most targeted enterprise cloud platform globally. Its widespread use among Fortune 500 companies makes it a key target for a range of threats, including:
- Phishing attacks
- Business email compromise
- Credential theft
- Ransomware delivery
- Data breaches and data exfiltration
In 2025, Microsoft reported significant security measures:
- Blocked over 35 billion phishing emails
- Prevented 25 billion brute force authentication attacks against Azure AD (now Entra ID)
The security challenge is not due to a lack of capabilities. Microsoft 365 E5 offers over 30 unique security features. These features cover:
- Identity
- Endpoint
- Data
- Cloud app security
However, the real issue is configuration. Most enterprise tenants utilize less than 20% of the available security features. This leaves significant gaps that attackers frequently exploit.
This guide provides the prioritized implementation roadmap your security team needs to harden your Microsoft 365 environment against the threat landscape enterprises face today.
Identity Protection: The Foundation of Zero Trust
Identity is now the new perimeter. In a zero trust architecture, every access request is verified, no matter where it comes from. Microsoft 365 identity protection begins with Entra ID (formerly Azure AD). It consists of these key components:
- Identity verification for all access requests
- Access management and protection against unauthorized access
- Threat detection with continuous monitoring and assessment
- Conditional access
- Multi-Factor Authentication (MFA)
- Risk-based policies
Multi-Factor Authentication: Beyond the Basics
MFA is the single most effective security control available. Microsoft reports that MFA blocks 99.9% of automated credential attacks. But not all MFA methods are equal:
- SMS and voice call (weakest): Vulnerable to SIM swapping, call forwarding, and social engineering of mobile carriers. Acceptable as a transitional measure but should not be the long-term strategy.
- Microsoft Authenticator push notifications (good): Resistant to SIM swapping but vulnerable to MFA fatigue attacks where attackers flood users with push notifications until they approve. Mitigate by enabling number matching (now default) which requires the user to enter a displayed number rather than simply tapping "Approve."
- Microsoft Authenticator passwordless (better): Replaces passwords entirely with biometric verification on the mobile device plus a displayed number match. Eliminates the password as an attack vector.
- FIDO2 security keys (strongest): Hardware-based authentication that is immune to phishing by design. The authentication is bound to the specific domain, so phishing sites cannot intercept credentials. Mandate for all privileged administrators.
- Windows Hello for Business (strongest): Biometric or PIN-based authentication bound to the device TPM chip. Equivalent security to FIDO2 for managed Windows devices.
Enterprise recommendation: Implement Microsoft Authenticator with number matching for all standard users. For privileged administrators, executive leadership, and users with access to sensitive data, use FIDO2 or Windows Hello for Business.
Conditional Access Policies: The Zero Trust Engine
Conditional access is the policy engine that enforces zero trust decisions in Microsoft 365. Each policy evaluates several signals:
- User identity
- Device state
- Location
- Risk level
- Application being accessed
Based on these signals, it applies various controls:
- Grant access
- Block access
- Require MFA
- Require compliant device
- Limit session
The following conditional access policies should be implemented in every enterprise Microsoft 365 environment:
| Policy | Signal | Control | Priority |
|---|---|---|---|
| Require MFA for all users | All users, all cloud apps | Grant with MFA required | Critical |
| Block legacy authentication | All users, legacy auth clients | Block access | Critical |
| Require compliant device | All users, all apps, managed devices | Grant with compliant device | High |
| Block high-risk sign-ins | High sign-in risk (Identity Protection) | Block access | High |
| Require password change for risky users | High user risk (Identity Protection) | Grant with password change + MFA | High |
| Restrict unmanaged devices | Non-compliant devices | Browser-only, no downloads | Medium |
| Require phishing-resistant MFA for admins | Directory roles (GA, Security Admin) | Grant with FIDO2/WHfB only | Critical |
Critical implementation note: Always create at least two break-glass emergency access accounts. These accounts should be excluded from all conditional access policies.
Each account must:
- Have Global Administrator privileges
- Use long, complex passwords stored in a physical safe
- Be monitored with Azure AD alerts for any sign-in activity
- Be tested quarterly to ensure they can still sign in
Without break-glass accounts, a misconfigured conditional access policy can lock every administrator out of the tenant with no recovery path.
Azure AD Identity Protection
Identity Protection uses machine learning to identify unusual sign-in patterns and user behavior. It feeds risk signals into conditional access policies, allowing automated responses to threats. Risk detections include:
- Anonymous IP address sign-ins
- Atypical travel (impossible travel between locations)
- Leaked credentials found on the dark web
- Password spray attacks detected across the Microsoft tenant ecosystem
- Unfamiliar sign-in properties indicating a new device, location, or browser
Configure Identity Protection to automatically block high-risk sign-ins and to require a password reset plus multi-factor authentication (MFA) for high-risk users. These automated actions address threats in seconds, which is much faster than waiting for a SOC analyst investigation that can take hours.
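The policy table, the break-glass warning, and the Identity Protection risk signals above can be sanity-checked offline before a policy set is enforced. The following is an added example, not code from this guide, from EPC Group, or from Microsoft: it models the semantics described in the text (every in-scope policy applies, a Block from any policy wins, grant controls accumulate, break-glass accounts are excluded everywhere) with constructed account names, and flags any policy that would still apply to a break-glass account.

```python
"""Minimal model of the conditional access policy table and Identity Protection
risk signals. Added example, not Microsoft's evaluation engine: it encodes the
semantics the text describes so the break-glass lockout scenario can be tested
before a policy set goes live. All accounts and names are constructed."""
from dataclasses import dataclass, field

ADMIN_ROLES = {"Global Administrator", "Security Administrator"}
BREAK_GLASS = frozenset({"breakglass1@contoso.example", "breakglass2@contoso.example"})


@dataclass
class SignIn:
    user: str
    roles: set = field(default_factory=set)
    client: str = "modern"          # "legacy" = basic-auth clients (POP/IMAP/SMTP AUTH)
    device_compliant: bool = True
    sign_in_risk: str = "none"      # Identity Protection levels: none/low/medium/high
    user_risk: str = "none"


def policy(name, when, control, exclude=BREAK_GLASS):
    """One policy: scope predicate, resulting control, and its excluded users."""
    return {"name": name, "when": when, "control": control, "exclude": frozenset(exclude)}


# One entry per table row. "Require compliant device" is omitted because it is
# normally scoped to specific apps rather than combined with the browser-only policy.
POLICIES = [
    policy("Require MFA for all users", lambda s: True, "mfa"),
    policy("Block legacy authentication", lambda s: s.client == "legacy", "block"),
    policy("Block high-risk sign-ins", lambda s: s.sign_in_risk == "high", "block"),
    policy("Require password change for risky users", lambda s: s.user_risk == "high",
           "password_change"),
    policy("Restrict unmanaged devices", lambda s: not s.device_compliant, "browser_only"),
    policy("Require phishing-resistant MFA for admins", lambda s: bool(s.roles & ADMIN_ROLES),
           "phishing_resistant_mfa"),
]


def evaluate(s, policies=POLICIES):
    """Apply every policy whose scope covers the sign-in; any Block overrides Grants."""
    applied = [p for p in policies if s.user not in p["exclude"] and p["when"](s)]
    names = [p["name"] for p in applied]
    if any(p["control"] == "block" for p in applied):
        return {"decision": "block", "required": [], "policies": names}
    return {"decision": "grant", "required": sorted({p["control"] for p in applied}),
            "policies": names}


def break_glass_gaps(policies=POLICIES):
    """Policies that still apply to a break-glass account: the lockout path in the text."""
    return [p["name"] for p in policies if not BREAK_GLASS <= p["exclude"]]


if __name__ == "__main__":
    print(evaluate(SignIn("ga@contoso.example", roles={"Global Administrator"})))
    print(evaluate(SignIn("user@contoso.example", client="legacy")))
    print(break_glass_gaps())
```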
Email Security: Microsoft Defender for Office 365
Email remains the primary attack vector behind enterprise security breaches. In 2024, business email compromise (BEC) caused over $2.9 billion in reported losses, as stated in the FBI IC3 report.
To address these threats, Microsoft Defender for Office 365 provides essential multi-layered email security for enterprise environments.
Safe Attachments
Safe Attachments detonates email attachments in a secure sandbox before they reach user mailboxes. This sandbox runs the attachments and checks for harmful actions. It looks for:
- Registry modifications
- Process injection
- File system changes
- Network callbacks
If any attachments are found to be malicious, they are blocked and quarantined.
Configure Safe Attachments using dynamic delivery mode. This feature sends the email body immediately while the attachment is being scanned. After scanning, the attachment is:
- Released if it's clean
- Replaced with a notification if it's malicious
This method balances security and user productivity by preventing delays for clean attachments.
Safe Links
Safe Links rewrites URLs in email messages and Office documents so that each link is scanned by Microsoft's service at the moment it is clicked. This protects against delayed attacks: a URL may be benign when the email is delivered and scanned, and only become malicious hours later.
Enable Safe Links for email messages, Microsoft Teams messages, and Office desktop applications. Configure the policy to track user clicks for reporting and investigation.
Additionally, enable the "Do not let users click through to the original URL" setting. This will prevent users from bypassing the block page for known malicious URLs.
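Because Safe Links rewrites every URL, analysts reading message traces or SIEM events see the wrapper rather than the destination. The following is an added example, not code from this guide or from Microsoft: it recovers the original destination from the `url=` parameter of a `*.safelinks.protection.outlook.com` link, including links wrapped more than once by forwarding. The sample URLs are constructed.

```python
"""Unwrap Safe Links rewritten URLs back to their original destination.
Added example, not Microsoft code; sample URLs below are constructed."""
from urllib.parse import urlparse, parse_qs, quote

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"


def is_safelink(url):
    """True when the host is a Safe Links wrapper (checks the parsed hostname, not the string)."""
    return (urlparse(url).hostname or "").lower().endswith(SAFELINKS_SUFFIX)


def unwrap_safelink(url, max_depth=5):
    """Return the original URL; non-Safe Links URLs come back unchanged.
    Forwarded mail can be rewritten repeatedly, so unwrap until a plain URL appears."""
    for _ in range(max_depth):
        if not is_safelink(url):
            return url
        inner = parse_qs(urlparse(url).query).get("url")
        if not inner:
            raise ValueError("Safe Links URL without a url= parameter")
        url = inner[0]
    raise ValueError(f"more than {max_depth} nested Safe Links wrappers")


# Constructed samples: a single wrapper and a double wrapper around the same link
ORIGINAL = "https://portal.contoso.example/login?id=42&lang=en"
SAMPLE = ("https://nam12.safelinks.protection.outlook.com/?url=" + quote(ORIGINAL, safe="")
          + "&data=05%7C01%7C&sdata=constructed&reserved=0")
NESTED = ("https://eur01.safelinks.protection.outlook.com/?url=" + quote(SAMPLE, safe="")
          + "&reserved=0")

if __name__ == "__main__":
    print(unwrap_safelink(SAMPLE))
    print(unwrap_safelink(NESTED))
```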
Anti-Phishing Policies
Establish advanced anti-phishing policies that offer impersonation protection for executive leaders and key staff. Include the following roles in your protection list:
- CEO
- CFO
- CTO
- Other commonly impersonated executives
Activate mailbox intelligence. This feature uses machine learning to analyze each user's communication habits. It helps identify impersonation attempts that differ from normal patterns.
For enterprise organizations, setting up domain impersonation protection is crucial for both primary and subsidiary domains. This feature helps identify emails that appear to come from domains similar to yours. A common example is typosquatting, where a domain like epcgr0up.net can be mistaken for epcgroup.net.
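The following is an added example of the lookalike-domain check that domain impersonation protection performs, not Microsoft's implementation or code from this guide: it folds common character substitutions (0 for o, 1 for l, rn for m, vv for w) and then measures edit distance to each protected domain, so both the typosquat above and one-character variants are caught. The protected list uses the page's example domain; sender domains are constructed.

```python
"""Lookalike-domain classifier for inbound sender domains.
Added example, not Microsoft's implementation; sender domains are constructed."""

# Multi-character tricks are listed first so they are folded before single characters
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
PROTECTED = {"epcgroup.net"}


def normalize(domain):
    """Fold homoglyph-style substitutions so epcgr0up.net compares equal to epcgroup.net."""
    domain = domain.lower()
    for bad, good in SUBSTITUTIONS:
        domain = domain.replace(bad, good)
    return domain


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Last two labels. Simplification: ignores public suffixes such as co.uk."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def classify_sender(domain, protected=PROTECTED, max_distance=2):
    """("exact", d) for the genuine domain or a subdomain of it,
    ("lookalike", d) for an impersonation candidate of protected domain d,
    ("unrelated", None) otherwise."""
    dom = registrable(domain)
    if dom in protected:
        return ("exact", dom)
    best = None
    for p in protected:
        dist = levenshtein(normalize(dom), normalize(p))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, p)
    return ("lookalike", best[1]) if best else ("unrelated", None)


if __name__ == "__main__":
    for d in ("epcgr0up.net", "mail.epcgroup.net", "epcgroups.net", "microsoft.com"):
        print(d, classify_sender(d))
```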
Data Protection: DLP and Sensitivity Labels
Data protection in Microsoft 365 operates through two complementary systems: Data Loss Prevention (DLP) for content-based detection and sensitivity labels for classification-based protection.
Data Loss Prevention Policies
DLP policies check content in several areas, including Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, and endpoints. These policies look for sensitive information types.
Microsoft offers more than 300 built-in sensitive information types. These types cover regulatory frameworks from around the globe.
Enterprise DLP implementation should prioritize regulatory-required sensitive information types first. For healthcare organizations, this means HIPAA-related types including medical record numbers, DEA numbers, and diagnosis codes. For financial services, this means credit card numbers, bank account numbers, and ABA routing numbers. For all organizations, protect personally identifiable information including Social Security numbers, passport numbers, and driver's license numbers.
Configure DLP policies with various levels of enforcement. Start with policy tips that alert users when they attempt to share sensitive content.
Next, implement blocking with an override option. This allows users to provide a business reason to proceed.
Finally, apply hard blocks for the most sensitive content categories. These are for cases where no valid business justification exists.
Sensitivity Labels
Sensitivity labels apply persistent protection to documents and emails based on their classification level. A typical enterprise label taxonomy includes:
- Public: No restrictions. Content approved for external distribution.
- General / Internal: No encryption. Watermark or header indicating internal use. Default label for most content.
- Confidential: Encryption enabled. Access restricted to internal users or specified external recipients. Content marking with "Confidential" header and footer.
- Highly Confidential: Strong encryption. Access restricted to named individuals or security groups. Prevents forwarding, printing, and copying. Watermark, header, and footer applied.
Enable automatic labeling policies that apply sensitivity labels based on content inspection. For instance, any document with more than 5 Social Security numbers should automatically get the Confidential label.
Automatic labeling acts as a safety net for content that users might not classify manually.
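The following is an added example, not Purview's engine and not code from this guide: it shows the content inspection behind DLP and automatic labeling with two constructed sensitive information types (U.S. Social Security numbers and payment card numbers validated with the Luhn checksum), the three enforcement tiers described above, and the auto-labeling rule of more than 5 Social Security numbers triggering the Confidential label. Tier thresholds and the sample document are constructed.

```python
"""DLP-style content inspection with tiered enforcement and auto-labeling.
Added example, not Microsoft Purview code; thresholds and sample text are constructed."""
import re

# Two constructed sensitive information types (Purview ships 300+ built-in ones)
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{1,4}\b")


def luhn_ok(digits):
    """Checksum used by payment card numbers; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Count distinct matches per sensitive information type."""
    ssns = set(SSN_RE.findall(text))
    cards = {re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)}
    cards = {c for c in cards if luhn_ok(c)}
    return {"ssn": len(ssns), "credit_card": len(cards)}


# Enforcement tiers from the section, strictest first: (total matches, action)
TIERS = [(10, "block"), (3, "block_with_override"), (1, "policy_tip")]


def dlp_action(counts):
    """policy_tip -> block_with_override (business justification) -> hard block."""
    total = sum(counts.values())
    for threshold, action in TIERS:
        if total >= threshold:
            return action
    return "allow"


def auto_label(counts):
    """Auto-labeling rule from the text: more than 5 SSNs -> Confidential."""
    return "Confidential" if counts["ssn"] > 5 else "General"


SAMPLE = """Payroll export (constructed): Ann 123-45-6789, Ben 234-56-7890, Cy 345-67-8901,
Di 456-78-9012, Ed 567-89-0123, Flo 678-90-1234. Card on file 4111 1111 1111 1111;
typo entry 4111 1111 1111 1112 fails the checksum. Helpdesk extension: 555-0100."""

if __name__ == "__main__":
    counts = find_sensitive(SAMPLE)
    print(counts, dlp_action(counts), auto_label(counts))
```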
Insider Risk Management
Not all threats come from outside your organization. Insider risk management in Microsoft 365 helps detect and investigate risky activities by users. This includes:
- Data theft by departing employees
- Accidental data leaks by careless users
- Violations of security policies
- Theft of intellectual property
Microsoft Purview Insider Risk Management identifies users who may pose a risk by using various signals. These include:
- HR systems (termination dates, performance reviews)
- DLP policy violations
- Anomalous file download patterns
- Email forwarding rules
The system generates alerts. Privacy-preserving investigation workflows enable HR and legal teams to assess these alerts without revealing user identities to IT administrators until investigation thresholds are met.
Enterprise organizations should set up insider risk policies to address three key areas:
- Departing Employee Data Theft: Triggered by HR system integration that provides notice dates.
- Data Leak Detection: Triggered by DLP policy matches and unusual sharing patterns.
- Security Policy Violation: Triggered by disabled security features or attempts to bypass policies.
Information Barriers
Information barriers prevent communication and collaboration between specific groups of users within your organization. This is a regulatory requirement in financial services (Chinese wall requirements between investment banking and equity research), legal environments (conflict-of-interest prevention), and organizations managing competitive client relationships.
Information barriers apply to Microsoft Teams, SharePoint Online, and OneDrive for Business, where they control:
- Chat and channel membership in Microsoft Teams
- Site access and file sharing in SharePoint Online
- File sharing between barriered segments in OneDrive for Business
Configure these barriers using Azure AD user attributes, such as department. Ensure that segments are mutually exclusive. Thoroughly test barrier policies before enforcement to avoid disrupting legitimate business communication.
Zero Trust Architecture Implementation
Zero trust in Microsoft 365 is not just one product. It is an architectural approach that uses various security features working together. The zero trust principles include:
- Verify explicitly: Always confirm user identity.
- Use least privilege access: Give users only the access they need.
- Assume breach: Act as if a breach could happen at any time.
These principles translate into specific configurations within Microsoft 365.
Verify Explicitly
Conditional access policies evaluate each access request using various factors. These factors include:
- User identity
- Device health
- Location
- Risk signals
No access request is automatically trusted based on network location or previous authentication.
Continuous access evaluation (CAE) enhances security beyond initial authentication. It can revoke sessions almost instantly if certain conditions change. This can occur in situations such as:
- A user account is disabled.
- The network location of the user changes.
Use Least Privilege Access
Privileged Identity Management (PIM) prevents administrators from having permanent elevated privileges. Administrators can activate privileged roles only when needed, using time-limited sessions, justification requirements, and approval workflows.
Configure PIM for the following roles:
- Global Administrator
- Security Administrator
- Exchange Administrator
- SharePoint Administrator
Each role has a maximum activation duration of 8 hours. Global Administrator activation requires mandatory approval.
Assume Breach
Set up your environment with the understanding that an attacker may have gained initial access. Begin by enabling unified audit logging for all Microsoft 365 services and ensure the retention period is at least one year. Then:
- Set up alert policies for suspicious activities, such as mass file downloads, mailbox forwarding rule creation, and admin role assignments.
- Deploy Microsoft Defender for Cloud Apps to discover shadow IT and control sessions.
- Implement network micro-segmentation using Azure AD Application Proxy instead of VPN-based access.
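The three alert scenarios in the first bullet can be expressed as detection logic over unified audit log exports. The following is an added example, not Microsoft's alert policies and not code from this guide: the field names (CreationTime, Operation, Workload, UserId, Parameters, ModifiedProperties) follow the unified audit log export format, but every record, account and threshold is constructed.

```python
"""Detections for mailbox forwarding rules, admin role assignments and mass file
downloads over constructed unified audit log records. Added example, not Microsoft
alert policies; every record and threshold here is made up."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
DOWNLOAD_THRESHOLD = 50          # files per user within WINDOW (constructed tuning)
WINDOW = timedelta(minutes=10)

SAMPLE_LOG = json.loads("""[
 {"CreationTime": "2026-01-15T08:01:00", "Operation": "New-InboxRule", "Workload": "Exchange",
  "UserId": "alice@contoso.example", "Parameters": [{"Name": "Name", "Value": "archive"},
  {"Name": "ForwardTo", "Value": "drop@mail.example"}]},
 {"CreationTime": "2026-01-15T08:02:00", "Operation": "Set-InboxRule", "Workload": "Exchange",
  "UserId": "bob@contoso.example", "Parameters": [{"Name": "Name", "Value": "news"},
  {"Name": "MoveToFolder", "Value": "Newsletters"}]},
 {"CreationTime": "2026-01-15T08:03:00", "Operation": "Add member to role.",
  "Workload": "AzureActiveDirectory", "UserId": "admin@contoso.example",
  "ObjectId": "carol@contoso.example",
  "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}]}
]""")
# 60 downloads by one user inside ten minutes, three spread across hours by another
SAMPLE_LOG += [{"CreationTime": f"2026-01-15T09:{i // 6:02d}:{i % 6 * 10:02d}",
                "Operation": "FileDownloaded", "Workload": "SharePoint",
                "UserId": "dave@contoso.example"} for i in range(60)]
SAMPLE_LOG += [{"CreationTime": f"2026-01-15T1{i}:00:00", "Operation": "FileDownloaded",
                "Workload": "SharePoint", "UserId": "bob@contoso.example"} for i in range(3)]


def detect(records):
    """Return (alert, user, detail) tuples; at most one mass-download alert per user."""
    alerts, downloads = [], defaultdict(list)
    for r in records:
        op, user = r["Operation"], r["UserId"]
        if op in ("New-InboxRule", "Set-InboxRule"):
            params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
            targets = sorted(params[k] for k in FORWARDING_PARAMS & params.keys())
            if targets:
                alerts.append(("mailbox_forwarding_rule", user, ", ".join(targets)))
        elif op == "Add member to role.":
            roles = [m["NewValue"] for m in r.get("ModifiedProperties", [])
                     if m["Name"] == "Role.DisplayName"]
            alerts.append(("admin_role_assignment", user,
                           f"{r.get('ObjectId')} -> {', '.join(roles) or 'unknown role'}"))
        elif op == "FileDownloaded":
            downloads[user].append(datetime.fromisoformat(r["CreationTime"]))
    for user, times in downloads.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= DOWNLOAD_THRESHOLD:
                alerts.append(("mass_file_download", user, f"{end - start + 1} files in {WINDOW}"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```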
Security Score Optimization Roadmap
Microsoft Secure Score provides a quantified measurement of your Microsoft 365 security posture. Use this 90-day roadmap to systematically improve your score:
Days 1-30: Foundation
Enable MFA for all users through conditional access. Block legacy authentication. If conditional access is not available for E3 tenants, enable Security Defaults.
- Enable Safe Attachments and Safe Links.
- Configure basic DLP policies for your top regulatory requirements.
- Enable unified audit logging.
Target: achieve a 50% secure score.
Days 31-60: Hardening
Implement device compliance policies using conditional access. Configure sensitivity labels and deploy them to pilot users. Enable Identity Protection with risk-based policies.
- Implement Privileged Identity Management for admin roles.
- Configure anti-phishing protection against impersonation.
- Enable mailbox audit logging for all mailboxes.
Target: achieve a 65% secure score.
Days 61-90: Maturity
Roll out sensitivity labels to all users using automatic labeling policies. Implement insider risk management policies as needed. Set up information barriers if regulations require them.
Deploy Microsoft Defender for Cloud Apps policies and enable continuous access evaluation. Implement application consent policies to prevent OAuth phishing.
Target: achieve a secure score of 75% or higher.
Frequently Asked Questions
What is Microsoft Secure Score and what score should enterprises target?
Microsoft Secure Score is a numerical measurement of your Microsoft 365 security posture, expressed as a percentage of the maximum possible points. It evaluates your configuration against hundreds of security best practices across identity, data, devices, apps, and infrastructure. Enterprise organizations should target a minimum score of 70%, with critical environments (healthcare, financial services, government) targeting 80%+. The average enterprise score is approximately 50-60%. Each improvement action shows the point value and implementation difficulty, allowing security teams to prioritize high-value, low-effort changes first. Secure Score updates daily and trends over time, making it an effective KPI for security program maturity.
How should enterprises implement conditional access policies in Microsoft 365?
Enterprise conditional access implementation should follow a phased approach starting with report-only mode before enforcement. Priority policies include: requiring MFA for all users (with emergency break-glass accounts excluded), blocking legacy authentication protocols, requiring compliant or Hybrid Azure AD joined devices for resource access, restricting access from high-risk sign-in locations, enforcing session controls for unmanaged devices (browser-only access with download restrictions), and requiring phishing-resistant MFA (FIDO2 or Windows Hello) for privileged administrators. Always test policies in report-only mode for 2-4 weeks before switching to enforcement to avoid locking users out. Use named locations to define trusted corporate networks and implement risk-based policies using Azure AD Identity Protection signals.
What is the difference between DLP and sensitivity labels in Microsoft 365?
Data Loss Prevention (DLP) and sensitivity labels serve complementary but distinct purposes. DLP policies detect and prevent the sharing of sensitive information based on content inspection, identifying patterns like Social Security numbers, credit card numbers, or health records regardless of how the content is labeled. Sensitivity labels classify and protect content based on business context, applying encryption, access restrictions, watermarks, and headers/footers. DLP answers the question "does this content contain sensitive data?" while sensitivity labels answer "how should this content be treated?" The most effective enterprise implementations use both together: sensitivity labels for proactive classification and protection, and DLP policies as a safety net that catches sensitive content that was not properly labeled.
How does Microsoft Defender for Office 365 protect against phishing and ransomware?
Microsoft Defender for Office 365 provides multi-layered protection against email-based threats. Plan 1 includes Safe Attachments (detonates attachments in sandbox environments before delivery), Safe Links (rewrites URLs to check at click-time for malicious destinations), and anti-phishing policies with impersonation protection for key executives. Plan 2 adds Threat Explorer for manual investigation, automated investigation and response (AIR) that automatically remediates detected threats, attack simulation training to test employee susceptibility, and campaign views that track coordinated attack campaigns. For ransomware specifically, Safe Attachments blocks malicious macro-enabled documents and executables, while Safe Links prevents users from reaching phishing sites that deliver ransomware payloads. Plan 2 is recommended for all enterprise organizations; Plan 1 is the minimum acceptable baseline.
What are the essential Microsoft 365 security configurations every enterprise should implement immediately?
The five highest-impact security configurations that every enterprise should implement immediately are: (1) Enable Security Defaults or conditional access policies requiring MFA for all users including administrators, (2) Block legacy authentication protocols (POP, IMAP, SMTP AUTH, ActiveSync basic auth) which bypass MFA, (3) Enable Microsoft Defender for Office 365 Safe Attachments and Safe Links with organization-wide policies, (4) Configure DLP policies for at minimum your industry regulatory requirements (HIPAA, PCI, GLBA), and (5) Enable unified audit logging and ensure it is retained for at least 1 year (default is 180 days on E5, 90 days on E3). These five configurations address the most common attack vectors used against Microsoft 365 tenants and can be implemented within a single week.
Harden Your Microsoft 365 Security Posture
EPC Group has successfully managed hundreds of Microsoft 365 environments in various sectors, including healthcare, financial services, and government. Our team has 29 years of experience in Microsoft security.
We also possess extensive knowledge of compliance standards, including:
- HIPAA
- SOC 2
- FedRAMP
- CMMC
Errin O'Connor
CEO & Chief AI Architect at EPC Group with 29 years of experience in Microsoft enterprise solutions. Bestselling Microsoft Press author specializing in SharePoint, Power BI, Azure, and large-scale cloud migrations for Fortune 500 organizations.
