How to Harden Your Microsoft 365 Tenant: Complete Guide
Microsoft 365 is not secure by default. Default settings prioritise ease of access over security — allowing legacy authentication, permitting any device to access email, and leaving many security features disabled. Hardening your M365 tenant means changing these defaults to close the gaps attackers routinely exploit.
Overview
Microsoft 365 default settings prioritise ease of access over security. Hardening your M365 tenant means configuring Conditional Access, blocking legacy authentication, deploying Defender for Business correctly, applying anti-phishing policies, and securing admin accounts with PIM. Microsoft Secure Score tracks progress against recommended settings.
Why Your Microsoft 365 Tenant Is Not Secure by Default
When UK businesses deploy Microsoft 365, they often assume that a cloud platform backed by Microsoft's security investment is inherently secure. This is a dangerous misconception. Microsoft 365 is designed for ease of deployment and broad compatibility — it ships with default settings that prioritise accessibility over security. Legacy authentication protocols are enabled. Any device with valid credentials can access email. The most powerful admin roles are permanently assigned rather than time-limited. Audit logging may not be configured to retain events long enough for forensic investigation.
With 43% of UK businesses experiencing a cybersecurity breach in 2025 (Department for Science, Innovation and Technology), and Microsoft 365 used by over 1 million UK businesses (Microsoft), the scale of exposure created by unhardened tenants is significant. Many of the most common Microsoft 365 attacks — password spray, legacy protocol credential stuffing, OAuth application abuse — exploit exactly these default settings. Hardening your M365 tenant means deliberately configuring security controls to close these gaps.
Step 1: Identity Hardening with Conditional Access
Identity is the most critical hardening domain because 85% of businesses that experienced a breach identified phishing as the attack vector (DSIT Cyber Security Breaches Survey 2025), and most successful attacks against Microsoft 365 involve stolen or compromised credentials. Identity hardening starts with Conditional Access, the policy engine in Microsoft Entra ID that controls who can access your systems, from which devices, and under what conditions.
AMVIA deploys a baseline set of Conditional Access policies for every managed client: requiring MFA for all users across all applications; blocking legacy authentication protocols entirely; requiring device compliance for access to sensitive applications including SharePoint, Exchange Online, and Teams; and applying additional protection to admin accounts including phishing-resistant MFA methods. These policies together address the most common identity-based attack vectors that UK businesses face.
Security Defaults vs Full Conditional Access
Microsoft 365 Business Basic and Business Standard include Security Defaults — a simplified set of pre-configured policies that enforce MFA and block legacy authentication. For organisations on these licence tiers, Security Defaults provides a meaningful improvement over no MFA. However, Security Defaults does not offer granular policy control, device compliance enforcement, location-based rules, or risk-based access. Full Conditional Access, available with Business Premium, is the recommended approach for any organisation serious about identity security.
Step 2: Admin Account Protection with PIM
Admin account security is a critical and frequently overlooked hardening area. Permanent Global Administrator access means that if an admin account is compromised at any point — through phishing, credential theft, or malware — the attacker immediately has unrestricted access to the entire M365 tenant. Only 14% of UK businesses have a formal incident response plan (DSIT 2025), meaning many organisations would struggle to respond effectively to such a compromise.
Privileged Identity Management (PIM) replaces permanent admin assignment with just-in-time elevation. Admin roles are not permanently active — when a user needs to perform an administrative task, they request role activation, provide a justification, specify a duration, and in some cases require approval from another administrator. The role is active for the specified period and then automatically expires. Every activation is fully logged, providing a complete audit trail. AMVIA configures PIM for all admin accounts as a standard part of M365 hardening.
Step 3: Multi-Factor Authentication Enforcement
MFA is the single highest-impact security control available. Microsoft reports that MFA blocks over 99% of account compromise attacks. The critical distinction is how MFA is enforced. Legacy per-user MFA settings can be bypassed through legacy authentication protocols that do not support modern authentication. Conditional Access enforces MFA at the policy level, ensuring consistent enforcement across all access points and all applications without exception.
Microsoft Authenticator with number matching is the recommended MFA method for business users, providing resistance to MFA fatigue attacks. For admin accounts, AMVIA recommends phishing-resistant MFA using FIDO2 hardware security keys or Windows Hello for Business, which cannot be intercepted by adversary-in-the-middle phishing attacks.
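The Conditional Access baseline described in Steps 1 and 3 (MFA for all users on all applications, legacy authentication blocked, report-only before enforcement) can be checked mechanically against an export of the tenant's policies. The following Python is an added example, not AMVIA's tooling or code from the page: it reads policy documents in the field layout of the Microsoft Graph conditionalAccessPolicy resource (displayName, state, conditions, grantControls) and reports whether the baseline is actually enforced. The two sample policies are constructed for illustration.

```python
"""Check exported Conditional Access policies against a small hardening
baseline: MFA required for all users on all apps, legacy authentication
blocked, and any policy still in report-only mode called out.

Added example. Field names follow the Microsoft Graph conditionalAccessPolicy
resource; the SAMPLE_POLICIES below are constructed, not exported from a tenant.
"""
from __future__ import annotations

# Graph client app types that represent legacy (non-modern) authentication.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}

ENFORCED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"


def _targets_everyone(policy: dict) -> bool:
    """True when the policy scopes to all users and all cloud applications."""
    conds = policy.get("conditions", {})
    users = conds.get("users", {}).get("includeUsers", [])
    apps = conds.get("applications", {}).get("includeApplications", [])
    return "All" in users and "All" in apps


def _controls(policy: dict) -> set[str]:
    return set(policy.get("grantControls", {}).get("builtInControls", []))


def requires_mfa_for_all(policy: dict) -> bool:
    """Enforced policy that grants everyone access only with MFA."""
    return (
        policy.get("state") == ENFORCED
        and _targets_everyone(policy)
        and "mfa" in _controls(policy)
    )


def blocks_legacy_auth(policy: dict) -> bool:
    """Enforced policy that blocks the legacy client app types for everyone."""
    client_apps = set(policy.get("conditions", {}).get("clientAppTypes", []))
    return (
        policy.get("state") == ENFORCED
        and _targets_everyone(policy)
        and LEGACY_CLIENT_APP_TYPES <= client_apps
        and _controls(policy) == {"block"}
    )


def assess_baseline(policies: list[dict]) -> dict:
    """Summarise baseline coverage and list policies still in report-only mode."""
    return {
        "mfa_for_all": any(requires_mfa_for_all(p) for p in policies),
        "legacy_auth_blocked": any(blocks_legacy_auth(p) for p in policies),
        "report_only": sorted(
            p["displayName"] for p in policies if p.get("state") == REPORT_ONLY
        ),
    }


# Constructed sample: an enforced MFA policy and a legacy-auth block that has
# been left in report-only mode, which the assessment should flag.
SAMPLE_POLICIES = [
    {
        "displayName": "CA001: Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "CA002: Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

if __name__ == "__main__":
    for key, value in assess_baseline(SAMPLE_POLICIES).items():
        print(f"{key}: {value}")
```

Run against the sample set, the MFA check passes while legacy authentication is reported as not blocked, because CA002 is still in report-only mode; that is the state a tenant should sit in only while the sign-in log is being reviewed for legacy-protocol dependencies. The checker deliberately ignores excludeUsers, so remember that an enforced "all users" policy normally still excludes a dedicated emergency-access account, and that exclusion list should be reviewed separately.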
Step 4: Email Security Hardening
Exchange Online Protection provides baseline email filtering, but default policies are not optimised for targeted threats. Anti-phishing policies should be configured with impersonation protection enabled for key executives and commonly impersonated domains — the names most likely to be used in business email compromise attacks. Safe Links and Safe Attachments, included in Business Premium through Defender for Office 365, should be enabled with appropriate settings rather than left at defaults.
DKIM signing for your domain should be enabled to cryptographically authenticate outbound email. A DMARC policy should be published and progressively advanced to enforcement (p=reject), preventing attackers from spoofing your domain to send phishing emails to your clients, suppliers, and partners. SPF records should be reviewed to ensure all legitimate sending sources are authorised.
Outbound spam policies should be configured to detect and block behaviour consistent with a compromised account sending spam — an important early indicator of account takeover that most businesses do not have configured. This detection is particularly valuable because it can alert you to a compromise before the attacker has completed their objective.
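The SPF, DKIM and DMARC records described above can be checked offline once their TXT values are in hand. The Python below is an added example, not code from the page or from AMVIA: it parses the three record types, reports the SPF terminal qualifier, whether the DKIM selector still carries a public key, and which DMARC stage (none, quarantine, reject) the domain has reached, so the progression to p=reject can be tracked. The sample records are constructed; fetch real ones with your usual DNS tooling (for example a TXT lookup of _dmarc.yourdomain).

```python
"""Evaluate SPF, DKIM and DMARC TXT records and report how far the domain is
along the road to DMARC enforcement (p=reject at pct=100).

Added example; it parses record text only, so it runs offline. The sample
records below are constructed and the DKIM key material is a placeholder.
"""
from __future__ import annotations

DMARC_STAGES = {"none": 0, "quarantine": 1, "reject": 2}


def parse_tag_value(record: str) -> dict[str, str]:
    """Parse 'k=v; k2=v2' records (DMARC and DKIM share this syntax)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> dict:
    """Check for exactly one terminal 'all' term and report its qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "reason": "not an SPF record"}
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if len(all_terms) != 1 or terms[-1] != all_terms[0]:
        return {"valid": False, "reason": "expected exactly one terminal 'all' term"}
    qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
    # Only -all (fail) and ~all (softfail) constrain spoofed senders.
    return {"valid": True, "qualifier": qualifier, "restrictive": qualifier in "-~"}


def assess_dkim(record: str) -> dict:
    """A DKIM selector record is usable only while its p= tag holds a key."""
    tags = parse_tag_value(record)
    public_key = tags.get("p", "")
    return {
        "valid": tags.get("v", "DKIM1") == "DKIM1" and bool(public_key),
        "revoked": "p" in tags and not public_key,  # empty p= means revoked
    }


def assess_dmarc(record: str) -> dict:
    """Report policy stage, sampling percentage and reporting configuration."""
    tags = parse_tag_value(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return {"valid": False, "reason": "missing v=DMARC1 or p= tag"}
    policy = tags["p"].lower()
    if policy not in DMARC_STAGES:
        return {"valid": False, "reason": f"unknown policy {policy!r}"}
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return {"valid": False, "reason": "pct= is not an integer"}
    return {
        "valid": True,
        "policy": policy,
        "pct": pct,
        "enforcing": policy == "reject" and pct == 100,
        "has_reporting": "rua" in tags,
        "subdomain_policy": tags.get("sp", policy).lower(),
    }


def assess_domain(spf: str, dkim: str, dmarc: str) -> dict:
    """Combine the three checks; enforcement only counts once SPF and DKIM are sound."""
    s, k, d = assess_spf(spf), assess_dkim(dkim), assess_dmarc(dmarc)
    aligned = s.get("restrictive", False) and k["valid"] and d.get("valid", False)
    return {"spf": s, "dkim": k, "dmarc": d,
            "at_enforcement": aligned and d.get("enforcing", False)}


# Constructed sample for a domain part-way through the DMARC rollout.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com -all"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.co.uk"

if __name__ == "__main__":
    print(assess_domain(SAMPLE_SPF, SAMPLE_DKIM, SAMPLE_DMARC))
```

For the sample domain the output shows SPF and DKIM in good shape but DMARC at quarantine with only half of failing mail sampled, so at_enforcement is false; moving pct to 100 and then p to reject, while watching the aggregate reports sent to the rua address, is the remaining path.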
Step 5: Endpoint Hardening with Defender for Business
Microsoft Defender for Business, included in Business Premium, provides endpoint detection and response (EDR) capabilities. However, its default configuration does not enable the full range of available protections. Attack surface reduction (ASR) rules should be enabled at appropriate enforcement levels — many are off by default or set to audit-only mode. Key ASR rules include blocking Office applications from creating child processes, blocking executable content from email, and preventing credential theft from the Windows Local Security Authority Subsystem Service (LSASS).
Controlled folder access protects against ransomware by blocking unauthorised processes from modifying files in protected directories such as Documents, Desktop, and Pictures. Network protection blocks outbound connections to known malicious domains and IP addresses. Web content filtering can restrict access to categories of websites that present security risks. All of these capabilities require deliberate configuration — simply licensing Defender for Business does not activate them.
Step 6: Data Loss Prevention and Sharing Controls
SharePoint external sharing defaults are typically too permissive, allowing documents to be shared with anyone who has the link, including anonymous users who do not need to authenticate. AMVIA reviews and restricts external sharing policies to require authenticated sharing only, removing anonymous link sharing unless there is a documented business requirement. Teams external access and guest access settings are reviewed and restricted for the same reason.
Data Loss Prevention (DLP) policies in Microsoft Purview detect and prevent the sharing of sensitive information — financial data, personal identifiable information, confidential documents — through email, Teams, SharePoint, and OneDrive. DLP policies can alert users when they attempt to share sensitive content externally, require justification before allowing the share, or block the sharing entirely. For UK businesses handling personal data under UK GDPR, DLP provides an important technical control supporting data protection obligations.
Step 7: Audit Logging and Monitoring
Audit logging is essential for forensic investigation of security incidents. Without adequate logs, determining what happened during a compromise — which accounts were affected, what data was accessed, how the attacker gained entry — becomes extremely difficult or impossible. Microsoft 365 audit logs should be enabled and configured with appropriate retention periods. The default retention in Business Premium is 90 days; some regulatory or compliance requirements may necessitate longer retention through Microsoft Purview.
AMVIA monitors audit logs through AmviaIQ, providing ongoing visibility of security-relevant events including unusual sign-in patterns, administrative actions, external sharing activity, and mailbox forwarding rule creation — a common indicator of account compromise.
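One of the indicators named above, mailbox forwarding rule creation, is straightforward to hunt for in the unified audit log once it is exported. The Python below is an added example, not AmviaIQ or any code from the page: it scans audit records for inbox-rule and mailbox changes whose forwarding parameters point outside the organisation's own domains. The records are constructed to match the shape of Exchange entries in the unified audit log (Operation, UserId and a Parameters list of Name/Value pairs, as exported via Search-UnifiedAuditLog); the domains example.co.uk and mail-example.net are placeholders, and the internal domain list is an assumption you would replace with your accepted domains.

```python
"""Scan unified audit log records for inbox-rule or mailbox forwarding
changes that send mail outside the organisation, a common account-takeover
indicator.

Added example. The SAMPLE_AUDIT_LOG lines are constructed in the shape of
Exchange audit records (Operation, UserId, Parameters[]); they are not real
exported data. INTERNAL_DOMAINS is an assumption to replace with your own.
"""
from __future__ import annotations
import json

INTERNAL_DOMAINS = {"example.co.uk"}  # assumption: the tenant's accepted domains

FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMETERS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
    "ForwardingSmtpAddress", "ForwardingAddress",
}


def _params(record: dict) -> dict[str, str]:
    """Flatten the Parameters list of Name/Value pairs into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _recipients(value: str) -> list[str]:
    """Split ';'-separated recipient lists and drop any 'smtp:' prefix."""
    out = []
    for item in value.split(";"):
        item = item.strip().strip('"').lower()
        if item.startswith("smtp:"):
            item = item[5:]
        if item:
            out.append(item)
    return out


def is_external(address: str, internal_domains: set[str] = INTERNAL_DOMAINS) -> bool:
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    return domain not in internal_domains


def find_external_forwarding(records: list[dict],
                             internal_domains: set[str] = INTERNAL_DOMAINS) -> list[dict]:
    """Return one finding per record that forwards or redirects mail externally."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in FORWARDING_OPERATIONS:
            continue
        params = _params(rec)
        targets = [
            addr
            for name, value in params.items()
            if name in FORWARDING_PARAMETERS
            for addr in _recipients(value)
            if is_external(addr, internal_domains)
        ]
        if not targets:
            continue
        findings.append({
            "time": rec.get("CreationTime"),
            "user": rec.get("UserId"),
            "operation": rec["Operation"],
            "external_targets": sorted(set(targets)),
            # A rule that deletes after forwarding hides its effect from the mailbox owner.
            "deletes_message": params.get("DeleteMessage", "").lower() == "true",
            "rule_name": params.get("Name", ""),
        })
    return findings


def load_records(text: str) -> list[dict]:
    """Parse one JSON audit record per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample: one suspicious rule, one benign rule, one internal forward.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"CreationTime": "2025-01-15T08:02:11", "Operation": "New-InboxRule",
                "UserId": "finance@example.co.uk", "Workload": "Exchange",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "smtp:collector@mail-example.net"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-01-15T09:15:40", "Operation": "New-InboxRule",
                "UserId": "alice@example.co.uk", "Workload": "Exchange",
                "Parameters": [{"Name": "Name", "Value": "Move newsletters"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"CreationTime": "2025-01-15T10:30:02", "Operation": "Set-Mailbox",
                "UserId": "admin@example.co.uk", "Workload": "Exchange",
                "Parameters": [{"Name": "Identity", "Value": "bob"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob@example.co.uk"}]}),
])

if __name__ == "__main__":
    for finding in find_external_forwarding(load_records(SAMPLE_AUDIT_LOG)):
        print(json.dumps(finding))
```

Only the first record is reported: it forwards externally and deletes the original, and its rule name is a single character, all of which a reviewer would want to see together. The internal forward set by an administrator is not flagged, which is the point of keeping the accepted-domain list accurate; a stale list produces false positives for every legitimate internal forward.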
Using Microsoft Secure Score to Track Progress
Microsoft Secure Score, available at security.microsoft.com, provides a real-time measurement of your M365 security configuration against Microsoft's recommended settings. The industry average is approximately 50%. Secure Score provides an ordered list of improvement actions with impact ratings, making it straightforward to identify and prioritise the most impactful hardening steps. AMVIA uses Secure Score as a baseline measurement before hardening and as an ongoing tracking tool for quarterly reviews.
Key Considerations for UK SMEs
- Prioritise MFA enforcement via Conditional Access, legacy authentication blocking, and admin account PIM above other hardening steps — these address the most commonly exploited attack vectors
- Use report-only mode for Conditional Access policies before enforcement — understand the impact before blocking users
- Document all configuration changes made during hardening — a record of decisions supports audit requirements and troubleshooting
- Re-assess Secure Score quarterly — Microsoft adds new recommendations as new threats emerge and new features are released
- Consider hardening as an ongoing process, not a one-time project — the threat landscape and available controls evolve continuously
How AMVIA Can Help
AMVIA hardens Microsoft 365 tenants as a structured engagement for new clients and as an ongoing service for managed clients. The process starts with a current configuration review against Microsoft Secure Score and NCSC guidance, followed by a prioritised remediation plan. AMVIA implements changes during agreed maintenance windows, documents all configuration changes, and provides a post-hardening Secure Score comparison. Ongoing quarterly reviews ensure the tenant stays hardened as Microsoft adds new recommendations and as the business's cybersecurity environment evolves. Contact AMVIA on 0333 733 8050.
Key Points
What M365 hardening covers for UK businesses.
Default Settings Create Risk
Legacy authentication is enabled by default. Basic MFA can be bypassed. Admin accounts have permanent elevated permissions. All of these are commonly exploited.
Hardening Is Configuration, Not Cost
Most M365 hardening changes require no additional licensing — just deliberate configuration of settings already available in your existing licence.
Secure Score Measures Progress
Microsoft Secure Score provides a numerical score and an ordered list of improvement actions — making it easy to prioritise and track hardening progress.
Supports Cyber Essentials
Correctly hardened M365 configuration satisfies several Cyber Essentials controls — access control, secure settings, malware protection — making CE certification more straightforward.
M365 Hardening Checklist
Conditional Access — MFA required for all users, legacy authentication blocked
Admin accounts protected with PIM — just-in-time elevation, no permanent Global Admin
Anti-phishing policy — impersonation protection for key executives and domains
Safe Links and Safe Attachments enabled with appropriate policies
DKIM and DMARC configured and DMARC in enforcement mode
SharePoint external sharing restricted — no anonymous link sharing without business justification
Defender for Business — ASR rules enabled, not in audit-only mode
Audit logging enabled with appropriate retention period
Frequently Asked Questions
Blocking legacy authentication is the most common cause of disruption — some older email clients, printers, scanners, and applications use basic authentication protocols that cannot be upgraded. AMVIA identifies these dependencies before blocking legacy authentication and works with you to migrate or replace them. Other hardening changes — enabling Safe Links, configuring anti-phishing, restricting external sharing — typically have minimal operational impact.
For a standard SME environment on Business Premium, AMVIA typically completes the core hardening configuration in one to three days, including testing and documentation. Identifying and resolving legacy authentication dependencies may extend this timeline. The initial hardening is followed by an ongoing quarterly review process to maintain security as Microsoft adds new recommendations and as your environment changes.
Microsoft Secure Score is relative — it compares your configuration to other organisations and to Microsoft's recommendations, and the maximum possible score changes as new recommendations are added. AMVIA targets implementation of all high-impact, lower-effort recommendations as a priority, then progressively addresses medium-impact items. A score above 50% typically indicates a meaningfully hardened configuration; above 70% indicates a well-configured environment. The specific score matters less than which specific recommendations are implemented.
Harden Your Microsoft 365 Tenant
AMVIA reviews your M365 configuration, implements Microsoft's recommended security baseline, and maintains your tenant against new recommendations on an ongoing basis.
Related Resources
Microsoft 365 Security Guide
A complete guide to M365 security — tenant hardening as part of the full picture.
Microsoft Secure Score
Using Secure Score to measure and improve your M365 security configuration.
Conditional Access Guide
Configuring Conditional Access — a core component of M365 tenant hardening.