Microsoft 365 tenants ship with defaults designed to minimize onboarding friction, not to maximize security posture. That's a deliberate Microsoft choice, and it's fine for a five-person agency. It is not fine for a company with regulated data, enterprise buyers, or a growing employee base.
Here are the ten settings we change on day one of every new engagement, ordered roughly by risk reduction per hour of effort.
The Ten Settings
1. Disable legacy authentication
Legacy auth protocols (POP, IMAP, SMTP Basic, ActiveSync Basic) bypass MFA. If any of them are enabled, your MFA enforcement has a back door. Disable them in Conditional Access as the first block policy. Anything that still uses legacy auth in 2026 should either be replaced or given a conscious, documented exception.
2. Enforce MFA for every user, not just admins
Security Defaults gets you most of the way. Enforcing MFA on every user in Conditional Access gets you the rest, with control over methods (app-based, FIDO2 keys) and fallback behavior. Admins-only MFA is a compromised account waiting to happen, because compromise usually starts at a standard user.
3. Build a Conditional Access baseline
Three policies are the floor: block legacy auth, require MFA for all users, require compliant device or MFA for admin portals. Above that, you add geography restrictions, session controls, and device compliance as the tenant matures. Baseline policies are exit criteria from Security Defaults, not a replacement for thinking.
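The three floor policies from items 1 to 3, written as Microsoft Graph PowerShell and created in report-only mode so you can watch the sign-in logs before enforcing. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, the caller holds a role that can write Conditional Access policies, and the break-glass object ID is a placeholder you replace with your emergency-access account.

```powershell
# Added example: Conditional Access baseline via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module; caller can write CA policies;
# $breakGlassId is a placeholder for your emergency-access account's object ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"   # placeholder: excluded from every policy
$reportOnly   = "enabledForReportingButNotEnforced"  # start in report-only, promote later

# 1. Block legacy authentication. "exchangeActiveSync" and "other" are the client app
#    types that cover Basic auth and the legacy protocols (POP, IMAP, SMTP Basic).
$blockLegacy = @{
  displayName   = "CA001 - Block legacy authentication"
  state         = $reportOnly
  conditions    = @{
    clientAppTypes = @("exchangeActiveSync", "other")
    applications   = @{ includeApplications = @("All") }
    users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
  }
  grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 2. Require MFA for every user on every cloud app.
$requireMfa = @{
  displayName   = "CA002 - Require MFA for all users"
  state         = $reportOnly
  conditions    = @{
    clientAppTypes = @("all")
    applications   = @{ includeApplications = @("All") }
    users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
  }
  grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 3. Admin portals: require a compliant device or MFA. "MicrosoftAdminPortals" is the
#    first-party target that groups the Entra, Microsoft 365, Exchange and related admin portals.
$adminPortals = @{
  displayName   = "CA003 - Admin portals require compliant device or MFA"
  state         = $reportOnly
  conditions    = @{
    clientAppTypes = @("all")
    applications   = @{ includeApplications = @("MicrosoftAdminPortals") }
    users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
  }
  grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "mfa") }
}

foreach ($policy in @($blockLegacy, $requireMfa, $adminPortals)) {
  New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
    Select-Object DisplayName, State, Id
}

# After a week in report-only with no unexpected "would have blocked" results in the
# sign-in logs, promote the three policies to enforced:
# Get-MgIdentityConditionalAccessPolicy -Filter "startswith(displayName,'CA00')" |
#   ForEach-Object { Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $_.Id -State "enabled" }
```

Excluding one emergency-access account from every policy is what keeps a misconfigured MFA or device-compliance rule from locking the whole tenant out; that account should have a long random password, no standing role assignments beyond what it needs, and an alert on every sign-in.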
4. Tighten external sharing defaults
SharePoint and OneDrive default to "anyone with the link" for new shares. Tighten to "specific people" or "only people in your organization" at the tenant level, and grant exceptions per-site when business need justifies it. This alone eliminates most accidental external exposure.
5. Configure anonymous link expiration
If you permit anonymous links at all, set a short default expiration (30 or 60 days) and enforce password protection. Shared links that never expire are a known exfiltration path, frequently found in breach postmortems.
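Items 4 and 5 as SharePoint Online Management Shell, in one added example that is not code from the original post. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed, "contoso" is a placeholder tenant name, and the site URLs are hypothetical. One caveat the admin center does not make obvious: a site can never be more permissive than the tenant, so the tenant level has to be the most permissive setting any site legitimately needs, and per-site exceptions can only tighten from there.

```powershell
# Added example: tenant-level sharing defaults plus a per-site exception.
# Assumptions: SPO management shell; "contoso" and the site URLs are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Record the current state so the change is reversible and shows up in your change log.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
  RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType

# Set to $true only if some site has a documented need for "Anyone" links.
$allowAnyoneLinks = $false

$tenantSettings = @{
  # ExternalUserSharingOnly: external recipients must sign in; no "Anyone" links anywhere.
  # ExternalUserAndGuestSharing: "Anyone" links possible, constrained by the expiry and view-only settings below.
  SharingCapability                 = if ($allowAnyoneLinks) { "ExternalUserAndGuestSharing" } else { "ExternalUserSharingOnly" }
  DefaultSharingLinkType            = "Direct"   # new share dialogs default to "specific people"
  RequireAnonymousLinksExpireInDays = 30         # any "Anyone" link dies after 30 days
  FileAnonymousLinkType             = "View"     # ... and is view-only, for files
  FolderAnonymousLinkType           = "View"     # ... and for folders
}
Set-SPOTenant @tenantSettings

# Per-site exception in the tightening direction: a site holding regulated data gets no
# external sharing at all, regardless of the tenant default.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/finance" -SharingCapability Disabled

# Verify tenant and site settings together; the site must be equal to or stricter than the tenant.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays
Get-SPOSite -Identity "https://contoso.sharepoint.com/sites/finance" | Select-Object Url, SharingCapability
```

Password protection on "Anyone" links is a per-link option in the sharing dialog rather than one of these tenant cmdlet parameters, so enforce it through user guidance and review of existing links rather than expecting this script to cover it.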
6. Maximize audit log retention
Audit log retention defaults vary by license. Set it to the maximum available for your SKU. Most incident investigations fail because the relevant logs had already aged out. Paying for log storage is cheap insurance compared to flying blind during an incident.
7. Enable unified audit log
The unified audit log is still opt-in on some tenants. Without it, you cannot correlate events across Exchange, SharePoint, Entra ID, and Teams. It is a one-click change in the Security and Compliance portal and it is consistently overlooked.
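Items 6 and 7 together, as an added example in Exchange Online and Security & Compliance PowerShell (not code from the original post). It assumes the ExchangeOnlineManagement module is installed, the caller holds the Audit Logs and Organization Configuration roles, and that the tenant license accepts the TwelveMonths retention value; if your SKU does not, pick the longest value the cmdlet accepts for you.

```powershell
# Added example: enable unified audit log ingestion and set retention.
# Assumptions: ExchangeOnlineManagement module; Audit Logs and Organization Configuration roles;
# TwelveMonths requires a license that includes Audit (Premium), so pick the longest value your SKU accepts.
Connect-ExchangeOnline
Connect-IPPSSession   # Security & Compliance PowerShell, needed for the retention cmdlets

# Item 7: unified audit log ingestion is idempotent to enable, but check first so the change log is honest.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
  Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# Item 6: a retention policy for the workloads the post names. Priority 1 beats any
# lower-priority policy that would keep these records for less time.
New-UnifiedAuditLogRetentionPolicy -Name "Baseline - maximum retention" `
  -Description "Keep core workload audit records for the longest duration the tenant license allows" `
  -RecordTypes ExchangeAdmin, ExchangeItem, SharePoint, SharePointFileOperation,
               AzureActiveDirectory, AzureActiveDirectoryStsLogon, MicrosoftTeams `
  -RetentionDuration TwelveMonths `
  -Priority 1

Get-UnifiedAuditLogRetentionPolicy | Select-Object Name, RetentionDuration, Priority

# Sanity check that events are arriving (ingestion can lag after enabling, so run this later in the day).
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 10 |
  Select-Object CreationDate, RecordType, Operations, UserIds
```

The Search-UnifiedAuditLog check at the end is the part people skip: a tenant can report ingestion enabled and still show an empty search window if the change was made minutes ago or if the caller lacks the View-Only Audit Logs role, and you want to discover that on day one rather than during an incident.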
8. Enable Safe Links and Safe Attachments
Included in Defender for Office 365. Safe Links rewrites URLs in email and Teams to a time-of-click scan. Safe Attachments detonates attachments in a sandbox. Both dramatically reduce phishing success rates and are underused because the defaults are off.
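A Safe Links and Safe Attachments policy pair scoped to the whole accepted domain, as an added example that is not code from the original post. It assumes Defender for Office 365 Plan 1 or higher, the ExchangeOnlineManagement module, and "contoso.com" as a placeholder domain.

```powershell
# Added example: baseline Safe Links and Safe Attachments policies and rules.
# Assumptions: Defender for Office 365 Plan 1+; ExchangeOnlineManagement module;
# "contoso.com" is a placeholder for your accepted domain.
Connect-ExchangeOnline

# Safe Links: rewrite URLs and scan at click time in mail, Teams and Office clients.
# AllowClickThrough $false stops users from bypassing a malicious verdict.
New-SafeLinksPolicy -Name "Baseline Safe Links" `
  -EnableSafeLinksForEmail $true `
  -EnableSafeLinksForTeams $true `
  -EnableSafeLinksForOffice $true `
  -ScanUrls $true `
  -DeliverMessageAfterScan $true `
  -TrackClicks $true `
  -AllowClickThrough $false
New-SafeLinksRule -Name "Baseline Safe Links" `
  -SafeLinksPolicy "Baseline Safe Links" `
  -RecipientDomainIs "contoso.com"

# Safe Attachments: detonate in a sandbox and block on a malicious verdict.
# DynamicDelivery is the alternative Action if mail delay becomes a complaint during rollout.
New-SafeAttachmentPolicy -Name "Baseline Safe Attachments" -Enable $true -Action Block -Redirect $false
New-SafeAttachmentRule -Name "Baseline Safe Attachments" `
  -SafeAttachmentPolicy "Baseline Safe Attachments" `
  -RecipientDomainIs "contoso.com"

# Verify that both rules exist, are enabled, and cover the intended domain.
Get-SafeLinksRule      | Select-Object Name, State, RecipientDomainIs
Get-SafeAttachmentRule | Select-Object Name, State, RecipientDomainIs
```

Expect the early false positives the rollout section mentions to surface as user reports of blocked attachments; the quarantine view in the Defender portal is where you release them, and a short run of those reports is normal in the first week.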
9. Review and restrict Teams external access
By default, Teams allows federation with any other Teams tenant and often allows guest access broadly. Tighten external access to an allow-list of trusted partner tenants, and govern guest access through Conditional Access and access reviews.
10. Enable Privileged Identity Management for admin roles
Global Admin should never be a standing assignment. PIM gives you just-in-time elevation with approval workflows and session logging. This is table stakes for any company pursuing SOC 2 or HIPAA, and it prevents the most expensive incidents: compromised standing admin accounts.
How to Phase the Rollout
Doing all ten on day one breaks things. Here's the sequence we use on real engagements:
- Enable unified audit log and max retention (zero user impact, enables everything else)
- Roll out MFA to admins and IT staff first; verify no gaps
- Roll out MFA to the whole workforce with a 7-day notice window
- Add the Conditional Access baseline policies in report-only mode; monitor for a week; promote to enforce
- Tighten external sharing defaults and Teams federation (expect some workflow questions, communicate)
- Enable Safe Links and Safe Attachments (expect a few false positives early)
- Enable PIM for admin roles last, once you've validated the rest of the stack
The whole rollout, done well, takes 2 to 4 weeks for a company under 100 people. The risk reduction is measurable from the first week.