Microsoft 365 Security Starts with Proper Setup and Configuration

(June 28, 2021) In our last post, we discussed the need for a comprehensive security strategy to protect sensitive data stored in the Microsoft 365 platform. The good news is that Microsoft provides many of the tools needed. Microsoft 365 security starts with proper planning, setup, and configuration.

Microsoft Secure Score

The first step is to evaluate your organization’s Microsoft 365 Secure Score in the security center dashboard. This feature is available to any organization that has a subscription to Microsoft 365 Business Standard or Premium. Only administrators have access to it.

Secure Score is designed to help organizations determine if they have the right security tools and practices in place to protect their Microsoft 365 data. It compares an organization’s Microsoft 365 configurations to baseline standards and key performance indicators and provides a robust set of metrics, visualizations, and trends.

More importantly, it recommends steps administrators can take to improve their organization’s Secure Score, with ranking based upon user impact, implementation difficulty, and complexity. Tasks that significantly improve the Secure Score with minimal difficulty and impact are ranked highest. The Secure Score is updated in real time as administrators perform these tasks, allowing them to see the effect of their actions.

Multifactor Authentication

Microsoft recommends that all organizations set up multifactor authentication (MFA). MFA enhances security by requiring users to enter a second authentication factor in addition to a password when they log in. With Microsoft 365, that means users will receive a code on their mobile device that they must type in to gain access. This prevents hackers from taking over a user’s account by stealing the password.

Setting up MFA in Microsoft 365 requires modifying the security defaults in the Azure Active Directory admin center. Once MFA is turned on, users will have to set up their mobile devices to receive the verification code. Microsoft 365 walks them through that process.

Administrator Accounts

Administrator accounts have elevated privileges compared to other users, making them a prime target of attackers. Microsoft recommends that you set up individual accounts for each administrator, and dedicate administrator accounts to administrative use. In other words, admins should use their administrator accounts only to complete administrative tasks, and maintain a separate user account for non-administrative activities. Administrator accounts should be set up for MFA, and periodically reviewed to determine if the privileges are appropriate.

It’s also important to follow best practices when using administrator accounts. Admins should exit all unrelated applications and browser sessions, including personal email, before logging in. They should immediately log out when administrative tasks are complete.

Malware and Ransomware Protection

Microsoft 365 includes malware protection, but administrators can increase security by blocking email attachments with certain file types. When enabled, this feature blocks common attachment types by default, but administrators can add or delete file types in the control panel.

In addition, administrators can increase ransomware protection by setting up one or more mail flow rules. Beyond blocking attachments, administrators can display a warning when users receive certain types of files via email.
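One way to script both settings with Exchange Online PowerShell, as an added example that is not from the original post. The rule name, warning text, and file-extension lists are illustrative assumptions, and the rule is created in audit mode so its matches can be reviewed before it is enforced.

```powershell
# Added example, not from the original article.
# Requires the ExchangeOnlineManagement module and an Exchange administrator account.
Connect-ExchangeOnline

# 1. Enable the common attachment filter on the default anti-malware policy.
#    The extension list below is an illustrative assumption; adjust it to
#    what the organization actually needs to block.
$blockedTypes = 'ace', 'ani', 'app', 'exe', 'jar', 'reg', 'scr', 'vbe', 'vbs'
Set-MalwareFilterPolicy -Identity 'Default' `
    -EnableFileFilter $true `
    -FileTypes $blockedTypes

# Confirm what the policy now blocks.
Get-MalwareFilterPolicy -Identity 'Default' |
    Format-List Name, EnableFileFilter, FileTypes

# 2. Mail flow rule that prepends a warning to messages carrying
#    macro-enabled Office attachments (extension list is illustrative).
$macroTypes = 'docm', 'dotm', 'xlsm', 'xltm', 'xlam', 'pptm', 'potm', 'ppam', 'ppsm'
$ruleName   = 'Warn on macro-enabled attachments (example)'   # hypothetical name
$warning    = '<p><b>Caution:</b> this message contains a macro-enabled ' +
              'attachment. Do not enable macros unless you trust the sender.</p>'

# Create the rule in Audit mode first: matches are logged, but the
# warning is not yet added to messages.
New-TransportRule -Name $ruleName `
    -AttachmentExtensionMatchesWords $macroTypes `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $warning `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Audit

# After reviewing the audit results, switch the rule to enforcement.
Set-TransportRule -Identity $ruleName -Mode Enforce

# Review the rule as configured.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, AttachmentExtensionMatchesWords

Disconnect-ExchangeOnline -Confirm:$false
```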

Premium Edition Tools

The security capabilities listed here are available in both Microsoft 365 Business Standard and Premium editions. Our next post will highlight some of the additional security controls included in the Premium edition.


Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region, including managed technology services and consulting, custom software development, and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.

Jeff Pracht
IT Business Development Manager
(479) 715-8629 Office
(501) 529-0008 Mobile

