Introduction

Almost every modern organization, regardless of startup or established enterprise has Microsoft 365 or Azure services in place to fulfill IT requirements and operations. The most common services include:

  • Microsoft 365 Apps (Teams, Outlook, Office etc.) for collaboration
  • Entra ID for the user accounts, identity (resources)
  • Azure platform hosting computing resources

What to expect

In this post I want to share my experience for small & medium businesses (SMB) as well as large enterprises when it comes to Microsoft Cloud Security. The target audience are especially managed service providers (MSP) or internal IT administrators who aren't experts on the Microsoft Cloud subject and want to have an easy to understand guide. This is it 😉


List of low hanging fruits

I define a "low-hanging fruit"🍒 as:

Easy to implement control that elevates your security posture immensely, without disturbing processes.

In my daily work I have insights into a lot of Microsoft 365 and Azure infrastructures and their usage. Regardless of large enterprise or SMB, most of the low hanging fruits are equal. BUT an SMB is more agile and can implement those faster and is easier with adjustments. Large enterprises should host an internal IT department with more budget for security.

Challenge: How to start?

There are endless of security measurements that you could take to make your digital infrastructure more secure. However, resources are limited and we want to achieve the highest possible security. In this post I will make a list of topics and key considerations and provide a description to them. Those are based on industry standards, personal experience and common security knowledge.

Defining the goal

We want to focus on topics that:

  • 🚀 Bring in the most obvious security and protect the largest attack surfaces
  • ✅ Are easy to implement and operate
  • 😡 Don't mean end user drawbacks or high negative impact on productivity

 

In my definition, cybersecurity is about:

Ruin the potential attackers return on investment.

Means: Security technologies and controls should be as effective, that the attackers effort isn't worth the return. (Return in this case would be access to accounts, data or digital infrastructures.)

Surprisingly, this is achievable by basic security hygiene and simple configurations. Based on the Microsoft Digital Defense Report, basic security hygiene protects against 99% of the attacks. Sounds like a good deal, if we can achieve the basic security hygiene 🤝.

 

Overview Top 10

This is my personal list of top 10 security controls that should be implemented in every organization.

Title Security area Involved products Recommendation
Enable multi-factor authentication Identity & access control Entra ID Enable MFA for all users so their authentication is strong and an attack would need both 2 factors to get access.
Stay up to date Process and technology - Enable auto-update services in everything - Windows Update, app updates and service updates.
Use endpoint protection software Threat protection Microsoft Defender (for Endpoint) Enable and configure Defender (for Endpoint). Make sure you control the settings via GPO or Intune so a user or potential attack can't modify it.
Review role assignments and RBAC Identity & access control Entra ID Review your role assignments, make sure to only use least privilege needed. Split roles and permissions based on job role and responsibility.
Activate Conditional Access template policies Identity & access control Entra Protection Conditional Access Enable all recommended or template Conditional Access policies to ensure access control based on signals.
Ensure tenant security settings Identity & access control Entra ID Review your tenant based on best practice frameworks and make general security configurations.
Implement modern mail protection Threat protection Microsoft Defender for Office 365, Exchange Online Protection Review and adjust your mail protection policies like Defender for Office 365 to protect from spam, phishing and malware, attachments and links.
Set up notification on alerts Threat response Microsoft Defender XDR In case of a detected incident it is important that you get notified. In Defender XDR you can set up alerts for incidents.
Awareness trainings Awareness - Create awareness for your employees by trainings and attack simulation trainings.
Evaluate new technology Mindset Any Once new technology is released, evaluate it and check potential implementation cost and value.

ℹ️
Before you implement any of those features, make sure you meet the license prerequisites. Find an easy overview here: https://m365maps.com

1. Enable multi-factor authentication

Multi-factor authentication is the best and easiest way to elevate your security. It protects your identities by requiring two factors to authenticate. Modern MFA methods that should be used are the Microsoft Authenticator App, FIDO 2 keys and passkeys or a Temporary Access Pass. You can start enforcing MFA with a registration campaign in Entra ID Protection:

ℹ️
Use this opportunity to migrate to the new authentication methods blade, that must be done prior to the deadline of 30.9.2025. More info

2. Stay up to date

Up-to-date software ensures that vulnerabilities are patched directly by the vendor of the software. If you mainly use SaaS (Software as a Service) apps in the web, you are released from this challenge. But if you have client installations or any operating system, you should ensure that those products automatically update themself. Ensure auto-update features are enabled or regularly update the version manually. There are also tools on the market that do auto-update for you.


3. Use endpoint protection software

Threat protection and endpoint detection and response systems should be installed on every endpoint. My recommendation is to use Microsoft Defender Antivirus and Defender for Endpoint for cloud-powered protection. Make sure to enable these products and configure them accordingly. Find more information here:

Microsoft Defender: a review
A review of Microsoft Defender + Defender of Endpoint (MDATP). Technical overview of capabilities, as well as my personal opinion.

4. Review role assignments and RBAC

Roles are user with special permissions like administrators in your environment. Role-based access controls should be implemented to adhere the least privilege principle that states that should only be able to perform actions that you need to do based on your job role. With every tenant that I touch, I have a look at the roles blade in Entra ID:


5. Activate Conditional Access template policies

Conditional Access is the heart of every Microsoft tenant when it comes to identity & access management. This is one of the key products to implement and use. It lets you define signals like geographical location, device state or risk level to define access requirements. Micorsoft equips every tenant with a set of recommended template policies. You should review them, estimate the impact and set them live.

Read my blog post about Conditional Access:

Conditional Access - The ultimate starter guide
IntroductionIn today’s world, workforce is more distributed and the security landscape keeps evolving. For IT security, identities and access management this brings some challenges along. A sign-in from a remote location, device or app may be suspect or originates from an attacker. However, we need…

6. Ensure tenant security settings

Tenant security settings build the foundation of your identity platform such as Microsoft Entra ID. There are many good frameworks to orientate which settings are important. Nevertheless, you should at least have a look at all the settings and know whats possible. I can recommend Maester as Microsoft Security test automation framework.


7. Implement modern mail protection

Mail threats are one of the most common attack methods. End users frequently interact with mails and mail content like attachments or links, that could be malicious. Defender for Office 365 provides adequate protection to those threats. Read more in my dedicated blog post:

Defender for Office 365 fundamentals
The use case In cybersecurity we consider the Internet and office applications as the biggest attack surface as most of us have interactions to these two matters, making them extremely comprehensive and diverse and unfortunately lucrative for attackers to try to breach in our actions. We try to coun…

8. Set up notification on alerts

Notifications in Microsoft Defender XDR can easily be set up at security.microsoft.com in the settings. Set up alerts for Incidents (a group of alerts triggered, indicating for a security incident), Actions (tasks and operations that were started in Defender automatically or manually) or Threat analytics (Information on the cybersecurity landscape, provided by Microsoft.)


9. Awareness trainings

Last but not least I recommend to involve all of your users (including admins) to do awareness trainings. Those should raise the understanding and readiness for potential upcoming threats and how to treat them. From my experience, a personal workshop is always the best method to achieve this. But for sure it must be said, that you should not rely on the users decision, but make the security controls as effective as possible. Also you can consider the Defender for Office 365 attack simulation training.

Launching an attack simulation training
The idea Most enterprises use email systems to communicate with internal colleagues, other companies or customers. The exchange of information represents a potential security concern, as adversaries could use it to attack end users. Technical measures do not always provide sufficient protection, so…
ℹ️
Cybersecurity is a journey. You should "do" as much as possible to prevent attacks or remediate them, in case of an occurence. It is always a best effort and individual decision which countermeasures to set.

10. Evaluate new technology and keep an eye on the market

This is probably one of the most challenging parts of staying secure. As adversaries don't stop developing their technology-related attacks, neither should you! Microsoft releases new features almost every day, and it can sometimes be hard to keep track. Evaluate new features regularly and check if they are worth implementing. This way, you will ensure not just to be safe, but to stay safe!

Oceanleaf is your one-stop Microsoft learning shop.

powered by Oceanleaf

Oceanleaf
Technology blog on Microsoft Cloud. Learn about cutting edge tech, explained simply & straightforward in quality focused blog posts.
You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Success! Your email is updated.
Your link has expired
Success! Check your email for magic link to sign-in.