Securing Your Microsoft 365 Enterprise Data: 7 Key Built-In Features

By Rob Cunningham | November 30, 2020
Rob is a Solutions Architect Manager at Ntiva, with a diverse history working in the information technology and managed services industry.

Working from home is the new standard. Thanks to cloud-based solutions such as Microsoft 365, what was a bit of a rocky start for some has settled into a fairly smooth operation.

That being said, if you’re using Microsoft 365 for Business, a huge percentage of your company data from emails to spreadsheets and more, are now hosted somewhere in the Microsoft cloud.

While the Microsoft cloud platform is incredibly secure on its own, it’s up to YOU to manage your environment.

This requires administrative configurations of the built-in security features in Microsoft 365 to be turned on!

Keep reading to learn about our 7 most recommended features that you should know about, and that are built-in to the 365 platform.


Note: This article is based on our webinar, "Microsoft 365 Security- Mind the Gap," which you can watch below.


Webinar: Microsoft 365 Security - Mind the Gap!



How Secure is Microsoft Office 365 - The Big Picture

How secure is microsoft 365There is no magic button or one-size-fits-all option to Microsoft 365 security.

It requires serious thought and execution to ensure you’re really protected.

Down below, we provide you with what we consider the 7 most important security features that are built-in to the Microsoft 365 platform that you should turn on - and why you should take advantage of them.

However, before you start this journey, you need to understand all of your security risks at every layer of Microsoft 365, including users, devices, mobile apps, email, and documents.

Although the 365 family of products and services, including Windows 10, has many of the features you will most likely need, there are also situations where you may need additional security products to provide the most robust cyber security protection possible.

Let’s break each layer down and see where the top vulnerabilities lie.

1. Employee Risks

  • Compromised Login
  • Weak Credentials
  • Suspicious Locations
  • Legacy Authentication Protocols

If you haven’t implemented strict policies, your employees could be using logins with weak passwords, or even credentials that have unknowingly been compromised.

You need to ensure that Multi Factor Authentication (MFA), conditional access policies, and easily accessible password reset tools are enabled.

Want to learn more about end user security settings in Microsoft 365? Go here!

2. Device Risks

  • Malware/Ransomware
  • Unmanaged Devices
  • Weak PIN/Login Credentials

If you’re not combining the power of Microsoft InTune cloud services with Endpoint Detection and Response software across your entire network on all your employee devices, you’re simply not doing enough.

With everyone working remotely these days, there’s an abundance of opportunity for cybercriminals to access your data through unsecured personal computers, which can act as propagators for any malware or ransomware attack.

Device management can help keep potentially compromised machines out of your data.

3. Application Risks

  • Ability to Copy/Paste/Save Corporate Data
  • Potentially Weak Security in 3rd Party Apps

With a small amount of configuration, you can ensure that your sensitive company data stays internal on your secure software platform.

Disabling the ability to locally save or copy/paste data is crucial to security.

You also need to be sure that only approved cloud apps are being used to manage your data.

This should also cover default applications, such as using Microsoft Teams for internal communication instead of any 3rd party messaging app.

4. Email Risks

There are huge risks associated with unsecured or improperly configured corporate email, but at the very least, you need to enable Advanced Threat Protection (ATP) and Data Loss Prevention (DLP) to monitor sensitive data and prevent successful ransomware, malware, and other phishing attacks.

5. Document Risks

  • Lack of Internal and External Protection
  • Improper Folder Security Configuration
  • Access Retention for Departed Employees

Maintaining document security may be the most tedious job of all we’ve listed, but it's a must.

Most importantly, folder restrictions must be in place, ensuring only the necessary people have access to sensitive data, and these permissions need to be audited routinely, as changes always occur!


How To Secure Microsoft 365 - The Top 7 Built-In Features


365 List


There are seven core security features inside Microsoft 365 that are an absolute must for any organization.

These all come as part of your 365 licensing, but to be utilized properly, they have to be configured and maintained for your specific business needs.

1. Multi-Factor Authentication (MFA) –

In today's landscape, multi factor authentication is NOT optional.

MFA protects your cloud identities when a password is inevitably leaked or stolen.

It can also allow you to adopt a simpler password complexity policy and remove the need for password expiration thanks to the added authentication step.

With MFA, any leaked credential is useless to a cybercriminal, since they won’t be able to complete the authentication process.

This extra layer of security only takes a few seconds out of your day and will ensure your accounts (and the data within) are safe. Be sure this feature is enabled in your Microsoft 365 platform!

2. Audit Log Search and Alert Policies –

This feature has recently been updated to be automatically enabled, but still is worth checking, just to be sure.

With audit logs, you can view history of activity within the 365 tenants.

Depending on which license you’re using, you can create additional customized alert policies to stay informed of any event you deem necessary in 365.

3. Email Authentication: SPF, DKIM & DMARC –

These are simply different forms of authentication inside your emails.

Notice the lock icon next to the website in the address bar of your browser?

DKIM is basically a variation of that, digitally signing your email and marking it with the proper source. This all happens in the background, with no noticeable alteration to your emails or 365 experience.

The purpose of these email authentication pieces is to ensure that no one can impersonate your email address or domain both internally and externally.

This is a crucial security combination; it just requires some precise configuration!

4. Exchange Online Protection Baseline –

Out of the box, the “protection baseline” is installed and operational. The initial settings are generic and should be configured by your IT administrator for your specific needs.

The policy included in the baseline needs to be reviewed and aligned with your industry’s current best practices.

A vCIO can be a great resource if you need a bit of assistance with this tedious process!

5. Disabling Client Auto-Forward –

Often, malicious parties will use this feature to quietly forward sensitive emails out of an organization to a mailbox they control. End users typically aren’t aware this is happening.

Generally speaking, corporate email probably shouldn’t be forwarded to private addresses at all.

For this reason, we recommend always disabling this feature across the board. From there, it can be re-enabled on a specific per-user basis when needed.

6. Administrative Consent Requests –

This is another attack method that is often overlooked.

By default, anyone can grant access to a third-party app to be used inside the Microsoft 365 cloud. An example would be Adobe’s document cloud.

To establish this connection, certain access is granted between the third-party and 365.

Without administrative consent enabled, a spear phishing attempt with a link asking a user to reset their OneDrive password could actually allow cybercriminals inside the your organization’s 365 tenant.

Administrative Consent Requests take the cybersecurity risks out of the user’s hands.

7. OneDrive Backup for Known Folders –

All Microsoft 365 Business Premium subscription service plans have 1 TB of OneDrive space per user.

This cloud storage space should be used to replace your organization’s old methods for redirecting folders onto your servers.

OneDrive provides automatic cloud backups across the Office suite; which users can restore on their own from anywhere in the world without needing assistance from system administrators.


Why You Need a Microsoft 365 Audit

We know this is a lot to manage, but maintaining basic security protocols inside all versions of Microsoft 365 must be done to ensure your organization’s data and reputation are safe and secure.

When is the last time you did a deep dive into your Microsoft 365 account security?

An external audit is the only way to know for sure that your company email, information, and client data are all safe and secured with the most up-to-date features customized to meet the requirements of your exact industry.

If you need assistance, click below to learn more on how we can help!

New call-to-action


Tags: Microsoft