Office 365 Security Best Practices


Office 365 has quickly become the most popular cloud productivity suite because it enables access to corporate data from any device, anywhere, improving IT flexibility and employee productivity. But those gains come with security and compliance challenges.

With an increase in the number and complexity of security compromises, it is crucial for companies using Office 365 to take action to prevent damage from these incidents. It's important to know that even though Office 365 has numerous security settings and configurations, many at no cost, they are not configured out-of-the-box.



Enable Microsoft Secure Score

Check Secure Score now and take action

The overall cyber threat landscape has evolved from traditional opportunistic threats to persistent and determined adversaries. Microsoft Secure Score helps increase your organization’s security by encouraging you to use the built-in security features in Office 365 (many of which you already purchased but might not be aware of).

Secure Score analyzes your Office 365 security based on your regular activities and security settings and assigns a score. Begin by taking note of your current score. The goal is not to achieve the max score, but to be aware of opportunities to protect your environment that do not negatively affect productivity for your users.

See how Secure Score works


Getting Started with Office 365 Security


5 Ways to Secure Office 365


As a top Microsoft Partner, iV4 has identified Office 365 security best practices that you can put in motion immediately to help protect and secure your environments.


1. Enable Multi-Factor Authentication for Global Admins

Security breaches of Office 365 accounts, including information harvesting and phishing attacks, typically involve compromising the credentials of an Office 365 global admin account.

Enabling multi-factor authentication (MFA) for global admins will make it much more difficult for an attacker to steal admin credentials because it requires the user to verify their identity in at least two ways, such as a text message, call, or notification through a mobile app.

2. Enable Multi-Factor Authentication for All Users

When it comes to protecting your accounts, two-step verification should be standard across your organization. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the trusted device.

  • You get a free version of Azure multi-factor authentication as part of your Office 365 for business subscription. For a list of features included in your version of Office 365, see How to get Azure Multi-Factor Authentication.

3. Enable Advanced Threat Protection

Advanced Threat Protection (ATP) helps protect against unknown malware and viruses hidden in email attachments and links. With ATP, all messages and attachments that don't have a known virus/malware signature are routed to a special environment where ATP uses a variety of machine learning and analysis techniques to detect malicious intent. If no suspicious activity is detected, the message is released for delivery to the mailbox.

  • ATP is included in Office 365 E5 and Microsoft 365 E5 plans. ATP can be added on to the Office 365 plans listed here.


4. Disable Accounts Not Used in 30 Days

While there may be legitimate circumstances where an account is unused for 30 days, these accounts can be targets for attackers who are looking to find ways to access your data without being noticed.

Deleting unnecessary accounts when an employee leaves, changes groups, or does not use the account prior to its expiration helps prevent breaches. When an account is deleted, it becomes inactive. For approximately 30 days after deletion, you can restore the account.
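
One way to find the accounts item 4 refers to, as an added example that is not part of the original page or any iV4 tooling: it reviews an exported user list and reports enabled accounts with no sign-in for 30 days or more. It assumes the export uses the Microsoft Graph user property names shown; the sample records and the function name stale_accounts are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=30)  # threshold from item 4

# Constructed sample records using Microsoft Graph user property names.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "accountEnabled": True,
     "createdDateTime": "2022-01-10T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-30T14:12:00Z"}},
    {"userPrincipalName": "bob@example.com", "accountEnabled": True,
     "createdDateTime": "2021-06-01T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-03-01T09:00:00Z"}},
    {"userPrincipalName": "svc-sync@example.com", "accountEnabled": True,
     "createdDateTime": "2023-02-01T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-02-02T08:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-05-31T23:00:00Z"}},
    {"userPrincipalName": "old-temp@example.com", "accountEnabled": True,
     "createdDateTime": "2023-09-01T08:00:00Z", "signInActivity": None},
    {"userPrincipalName": "newhire@example.com", "accountEnabled": True,
     "createdDateTime": "2024-05-25T08:00:00Z"},
    {"userPrincipalName": "carol@example.com", "accountEnabled": False,
     "createdDateTime": "2020-01-01T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-01-01T09:00:00Z"}},
]

def _parse(ts):
    """ISO 8601 UTC string (trailing Z) to aware datetime; None or empty stays None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None

def stale_accounts(users, now):
    """Return sorted (userPrincipalName, reason) for enabled accounts idle 30+ days."""
    findings = []
    for u in users:
        if not u.get("accountEnabled"):
            continue  # already disabled, nothing left to do
        activity = u.get("signInActivity") or {}
        seen = [t for t in (_parse(activity.get("lastSignInDateTime")),
                            _parse(activity.get("lastNonInteractiveSignInDateTime"))) if t]
        if seen:
            idle = now - max(seen)  # most recent sign-in of either kind
            if idle >= STALE_AFTER:
                findings.append((u["userPrincipalName"], f"idle {idle.days} days"))
        else:
            created = _parse(u.get("createdDateTime"))
            # Never signed in: flag unless the account itself is under 30 days old.
            if created is None or now - created >= STALE_AFTER:
                findings.append((u["userPrincipalName"], "never signed in"))
    return sorted(findings)

if __name__ == "__main__":
    for upn, reason in stale_accounts(SAMPLE_USERS, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(f"{upn}: {reason}")
```

Counting non-interactive sign-ins keeps a service account that authenticates only in the background from being reported as unused, and the creation-date check keeps a newly provisioned account from being flagged before its owner's first login.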

5. Complete User Alternate Information

Completing alternate information for all users, such as personal email or cell phone number, will allow you to safely contact users to verify their identity in the event that abnormal activity occurs. (If at any point you do enable multi-factor authentication, users will be able to complete the registration.)


Office 365 Consulting Services



Office 365 Security Assessment

One-time implementation of Office 365 security best practices utilizing Microsoft Secure Score.

Office 365 Security Hardening Review



Office 365 Security Health Check

Monthly comprehensive review of key configurations and reports for any anomalies or suspicious activity.



Office 365 Migration

iV4 works alongside your team to architect and implement a seamless Office 365 migration plan that won't impact your schedule.

Office 365 Migration Services

SharePoint Consulting

iV4's SharePoint consultants can help your business manage data, applications, and information with greater ease and efficiency.
