
Microsoft 365 and Exchange Online security

Microsoft 365 tenants, and the underlying identity system Entra ID (formerly Azure AD), have many configuration options that allow your business to implement different levels of security. Many of these options aren't enabled by default. While this document doesn't cover every security option available, or other technologies such as device management and data loss prevention (DLP), it provides guidance to our customers on recommended settings that will help improve identity protection and reduce the chance of Business Email Compromise (BEC).

The guidance is in two sections, recommended settings and optional settings. We urge all customers to implement recommended settings. We also suggest you consider and investigate the optional settings, and apply them as suitable for your environment.

Any change to your environment you're considering should be reviewed and tested in your organization after referring to the appropriate Microsoft documentation. We recommend that you make changes in stages, using test accounts, pilot users and small departments before the entire organization. Ensure you have an emergency access account available, as documented below, to avoid being locked out.

License guidance

Some of the configuration items below are available in all M365 tenants, regardless of the licenses being used. However, most require at least 'Entra ID P1' licenses in your tenant, and some require 'Entra ID P2'. 'Entra ID P1' is included with M365 Business Premium and the M365 E3/A3 bundles; 'Entra ID P2' is included with the M365 E5/A5 bundles.

If you're not using licensing that includes at least 'Entra ID P1' licensing, then we strongly recommend the use of Microsoft's 'Security Defaults'. This is a basic set of security policies that are controlled by Microsoft. See Providing a default level of security in Microsoft Entra ID - Microsoft Entra.

When integrating Microsoft alerts with the Sophos MDR service, 'Entra ID P1' is the minimum license you should use; however, we recommend 'Entra ID P2' because of the larger number of alerts Microsoft generates at that tier. See these articles for examples of these alerts:

We recommend asking your Microsoft licensing specialist for additional licensing information.

Recommended configuration items

  • Enable unified audit log

    Ensure the unified audit log is recording activity for all services. Without it there's no record of mailbox, administrative or sign-in activity to investigate after a compromise.

    Location: Defender portal > Audit

  • Configure alert policies

    Alert policies generate email notifications when certain high-risk events happen in Exchange Online, such as the creation of a forwarding or redirect rule or a suspicious email sending pattern. We recommend ensuring these alerts are configured to go to Exchange Online administrators.

    Location: Defender portal > Policies & rules > Alert policy

  • Block sign-in for all shared mailboxes

    Shared mailboxes are often easy targets, with weak or unknown passwords and no MFA. Each shared mailbox has an Entra ID account behind it; we recommend blocking sign-in on that account so the mailbox can only be accessed through delegated, authenticated user accounts.

    Location: Admin centre > Users > Active users (Block sign-in)

  • Block users automatically forwarding messages outside the organization

    Threat actors will often compromise mailboxes and set up forwarding rules to outside accounts. We recommend blocking the ability for users to auto-forward to external recipients by setting 'Automatic forwarding rules' to Off in the outbound spam filter policy. This stops forwarded mail leaving the tenant but doesn't remove forwarding rules that already exist, so review existing mailbox forwarding and inbox rules as well.

    Location: Defender portal > Policies & rules > Threat policies > Anti-spam (outbound policy)
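The recommended items above can be checked from PowerShell rather than clicked through in the portals. The script below is an added example, not part of the Sophos article or any Microsoft documentation; it reads the current state of the unified audit log, shared-mailbox sign-in, the outbound spam policy's forwarding setting and any forwarding already configured on mailboxes, and reports findings without changing anything (the matching remediation cmdlet is left in a comment next to each check). It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed and that the signed-in admin holds Exchange Administrator rights plus, for the sign-in check, read access to Entra ID users.

```powershell
# Added example (not from the Sophos article): read-only audit of the recommended
# Exchange Online settings, with remediation cmdlets in comments. Assumes the
# ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline                       # interactive sign-in
Connect-MgGraph -Scopes 'User.Read.All'      # sign-in status lives in Entra ID, not Exchange

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Unified audit log: if ingestion is off, nothing is being recorded.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings.Add('Unified audit log ingestion is disabled')
    # Fix: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Shared mailboxes: the Entra ID account behind each one should have sign-in blocked,
#    so the mailbox is only reachable through delegated (MFA-protected) user accounts.
foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    $acct = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId -Property AccountEnabled
    if ($acct.AccountEnabled) {
        $findings.Add("Shared mailbox $($mbx.UserPrincipalName) still allows sign-in")
        # Fix: Update-MgUser -UserId $mbx.ExternalDirectoryObjectId -AccountEnabled:$false
    }
}

# 3. Outbound spam policy: only AutoForwardingMode 'Off' blocks external auto-forwarding.
#    'Automatic' (system-controlled) and 'On' both leave it possible.
foreach ($pol in Get-HostedOutboundSpamFilterPolicy) {
    if ($pol.AutoForwardingMode -ne 'Off') {
        $findings.Add("Outbound spam policy '$($pol.Name)' has AutoForwardingMode=$($pol.AutoForwardingMode)")
        # Fix: Set-HostedOutboundSpamFilterPolicy -Identity $pol.Identity -AutoForwardingMode Off
    }
}

# 4. Forwarding that already exists, at mailbox level and as inbox rules. This is what a
#    compromised mailbox typically looks like, and the policy in step 3 does not remove it.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings.Add("$($mbx.UserPrincipalName) forwards to $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)")
    }
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object { $findings.Add("$($mbx.UserPrincipalName) has forwarding inbox rule '$($_.Name)'") }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No findings against the recommended settings.' }
```

Step 4 calls Get-InboxRule once per mailbox, which is slow in a large tenant; run it out of hours or limit the Get-Mailbox call with a filter while testing. Treat the findings as a review list rather than applying every remediation automatically, in line with the staged rollout advice above.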

Optional configuration items

  • Implement preset security policies (Email Protection)

    Microsoft publishes two preset security policies, 'Standard' and 'Strict', that define how Exchange Online Protection (EOP) and Defender for Office 365 handle email-based threats. We recommend applying at least the 'Standard' preset. If you're using an additional external spam filtering solution, consult that vendor before modifying these settings, as the preset policies still act on mail it delivers.

    Location: Defender portal > Policies & rules > Threat policies > Preset security policies
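The same staged approach applies to the preset policies: check which presets are on, then scope 'Standard' to a pilot group before removing the scope for the whole tenant. The commands below are an added example, not part of the Sophos article or of Microsoft's documentation. They assume an existing Exchange Online PowerShell session (Connect-ExchangeOnline) with Exchange Administrator rights; 'Pilot-Users' is a hypothetical group name.

```powershell
# Added example (not from the Sophos article): view and pilot the Standard preset
# security policy from Exchange Online PowerShell. 'Pilot-Users' is a hypothetical group.

# EOP half of the preset (anti-spam, anti-malware, anti-phishing).
Get-EOPProtectionPolicyRule | Select-Object Name, State, Priority, SentToMemberOf
# Defender for Office 365 half (Safe Links, Safe Attachments); only present with those licenses.
Get-ATPProtectionPolicyRule | Select-Object Name, State, Priority, SentToMemberOf
# If a preset has never been turned on, its rule may not exist yet: turn it on once in the
# Defender portal first, then come back here to scope it.

# Pilot: restrict Standard to one group, then make sure the rule is enabled.
Set-EOPProtectionPolicyRule -Identity 'Standard Preset Security Policy' -SentToMemberOf 'Pilot-Users'
Enable-EOPProtectionPolicyRule -Identity 'Standard Preset Security Policy'

# Full rollout later: clear the scoping so the rule applies to all recipients.
# Set-EOPProtectionPolicyRule -Identity 'Standard Preset Security Policy' -SentToMemberOf $null
```

Scoping with SentToMemberOf keeps the pilot to one distribution or security group; -SentTo and -RecipientDomainIs are the alternatives if you'd rather pilot by individual recipient or by domain.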

    Reference: