
This blog is for those who need their Microsoft 365 account to be well-secured from external threats and security breaches.

Even data stored in the cloud is not completely secure; it remains exposed to malware, phishing, ransomware, data breaches, account hijacking and similar external threats. Most Microsoft 365 users are affected by this today because they have not followed even the basic security practices that Microsoft recommends.

Best Practices for Microsoft 365 Security

We have put together the essential information about these practices to help Microsoft 365 users run a secure, breach-proof, and risk-free cloud environment.

Use Microsoft 365 Security Score

Microsoft 365 Security Score is a built-in service from Microsoft that analyzes the tenant's current settings and history and compares them against the recommended actions for Microsoft 365 identities, applications, data, devices, and infrastructure. It produces a report of the findings and expresses the result as a single security score.

This security score compares the Microsoft 365 user security settings to the standard practices by Microsoft. Using Microsoft 365 score helps users to update the security of their Microsoft 365 accounts.
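The score and its recommended actions are also exposed through Microsoft Graph, which is convenient when you want to track them outside the portal. The following is an added example, not code from the original post: it pulls the latest Secure Score snapshot with the Microsoft Graph PowerShell SDK and lists the controls with the most unclaimed points. It assumes the Microsoft.Graph.Security module is installed and that the caller can consent to the SecurityEvents.Read.All scope; property names follow the Graph secureScore and secureScoreControlProfile resources, and the join relies on each control profile's Id matching the ControlName in the score snapshot.

```powershell
# Added example (not from the original post): read the tenant's current Secure Score
# from Microsoft Graph and rank the recommended actions by points still missing.
# Assumes the Microsoft.Graph.Security module and the SecurityEvents.Read.All scope.
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

# Secure Score snapshots are returned newest first; -Top 1 gives the latest one.
$score = Get-MgSecuritySecureScore -Top 1

$percent = [math]::Round(100 * $score.CurrentScore / $score.MaxScore, 1)
Write-Host ("Secure Score: {0} of {1} ({2}%) as of {3}" -f `
    $score.CurrentScore, $score.MaxScore, $percent, $score.CreatedDateTime)

# Each ControlScores entry is one recommended action with the points already earned.
# The control profile carries the maximum, so join the two to see what is missing.
$profiles = Get-MgSecuritySecureScoreControlProfile -All |
    Group-Object -Property Id -AsHashTable -AsString

$gaps = foreach ($c in $score.ControlScores) {
    $max = $profiles[$c.ControlName].MaxScore
    [pscustomobject]@{
        Control  = $c.ControlName
        Category = $c.ControlCategory
        Earned   = $c.Score
        Max      = $max
        Missing  = $max - $c.Score
    }
}

# Top ten actions by unclaimed points: the shortest path to a higher score.
$gaps | Sort-Object Missing -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

Scheduling this script and storing the output over time gives a trend line for the score, which is easier to act on than a single portal visit.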

Provide Training to Users

Office 365 users should be provided with advanced training on the features, interface, and security.

They should be trained on essential Microsoft 365 security practices such as creating strong, unguessable passwords for their mailboxes, enabling Windows system protections like the firewall and antivirus or antimalware software, using account-protection techniques, and more.

Set Multi-factor Authentication to Accounts

The Office 365 account is password protected, but that is not enough due to increasing hacking activities in the digital world. The recommendation here would be to enable the multi-factor authentication for the Office 365 user accounts.

Multi-Factor Authentication means users can sign in to their Microsoft 365 account only after completing more than one verification step for the same account. The additional step can be an OTP sent to a phone number or to an email address other than the one being signed in to. It is also known as 2-step verification, and it is an effective way to keep unwanted intruders and hackers out of the account.

Security Defaults must be enabled in Microsoft 365 before multi-factor authentication can be turned on. In the latest subscriptions it is enabled by default; if it is not, here are the steps to enable it manually.

  1. Sign in to your Microsoft 365 account with administrator credentials (username and password).
  2. Click on Admin Center and navigate to Show All>Admin centers>Azure Active Directory.
  3. In the Azure Active Directory admin center that opens, select Azure Active Directory and then select the Properties option.
  4. Next, click on the Manage Security defaults option.
  5. To enable the Security defaults, click on Yes and then click on Save to save this setting.

After enabling security defaults, you can now enable Multi-factor Authentication or 2-step verification for your Microsoft 365 account with the Account Settings feature.
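The same switch can be flipped from a script, which is useful when you manage several tenants or want the state recorded. The following is an added example, not code from the original post: it reads the Security Defaults policy with the Microsoft Graph PowerShell SDK and enables it only when it is safe to do so. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the caller is a Global Administrator who can consent to the Policy.ReadWrite.ConditionalAccess scope.

```powershell
# Added example (not from the original post): check and, if needed, enable Security Defaults
# through Microsoft Graph. Assumes the Microsoft.Graph.Identity.SignIns module and a Global
# Administrator account; Policy.ReadWrite.ConditionalAccess is the scope the policy requires.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($policy.IsEnabled) {
    Write-Host "Security Defaults are already enabled."
}
else {
    # Security Defaults cannot be enabled while Conditional Access policies exist in the
    # tenant; the update is rejected in that case, so check first rather than guessing.
    $caPolicies = Get-MgIdentityConditionalAccessPolicy -All
    if ($caPolicies.Count -gt 0) {
        Write-Warning ("{0} Conditional Access policies exist; enforce MFA through Conditional Access instead of Security Defaults." -f $caPolicies.Count)
    }
    else {
        Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
        Write-Host "Security Defaults enabled: users will be prompted to register for MFA at sign-in."
    }
}
```

Security Defaults and Conditional Access are mutually exclusive, so a tenant that already uses Conditional Access should require MFA through a policy there rather than through this switch.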

Security Practices for Microsoft 365 Account Data

There is a great threat to email messages and their confidential data from intruders in some way or the other. We are suggesting some effective security practices to protect the data of the organization.

Use Office message encryption

Encrypted messages are messages that can be read or used by the intended recipients only. Microsoft 365 users can encrypt emails before sending them to recipients on other email services such as Yahoo, Gmail, and more.

To encrypt an email, users just need to click on Options while drafting it and then follow Permission>Encrypt. Other permission options are available as well, such as Do Not Forward, Confidential/All Employees, and Highly Confidential/All Employees. The recipient has to enter a passcode or sign in to read the encrypted email, so it is accessible to that recipient only. Encrypting email messages is therefore another effective practice for protecting Office 365 account data from misuse or breach.
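Relying on each sender to pick Permission>Encrypt leaves gaps, so administrators usually also enforce encryption with a mail flow rule. The following is an added example, not code from the original post: it creates an Exchange Online rule that applies the built-in Encrypt template to outbound messages carrying a subject tag. It assumes the ExchangeOnlineManagement module is installed, that the caller holds the Exchange Administrator role, and that the "[secure]" subject tag is a convention chosen for this example.

```powershell
# Added example (not from the original post): enforce Office Message Encryption with a
# mail flow rule so it does not depend on the sender remembering Options > Permission > Encrypt.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator account.
Connect-ExchangeOnline

# Built-in templates; "Encrypt" and "Do Not Forward" are the ones shown in Outlook.
Get-RMSTemplate | Select-Object Name, Description

# Constructed policy for this example: any message leaving the tenant whose subject
# carries the "[secure]" tag is encrypted automatically with the Encrypt template.
New-TransportRule -Name "Encrypt outbound mail tagged [secure]" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "[secure]" `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Mode Enforce

# Verify the rule exists and is enabled.
Get-TransportRule -Identity "Encrypt outbound mail tagged [secure]" |
    Format-List Name, State, Mode, SubjectContainsWords, ApplyRightsProtectionTemplate
```

Swapping the template name for "Do Not Forward" gives the stricter behaviour described above; a condition such as a sensitive-information type can replace the subject tag once the rule has been tested.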

Disable the Autoforward feature

The Auto Forward setting can easily be misused, and the user may not even be aware of it.

It is a wise practice to prevent automatic forwarding of email, and the best way to do so is to create a new mail flow rule that restricts auto-forwarding in the settings.

  1. Sign in to your Microsoft 365 account and open the Admin Center.
  2. Follow Admin Centers>Exchange to open the Exchange Admin Center.
  3. Select the mail flow category from the left panel and then click on rules.
  4. Click the plus icon to create a new rule. Click on More options.
  5. Apply the settings for Reject Auto-forward emails to external domains and add conditions as per your requirements.
     Add a Name, use the Block the message action to reject email for certain recipients, and add the desired conditions.
  6. Click Save to save the settings of this new rule for your Microsoft 365 account email flow.
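The following is an added example, not code from the original post: it creates the same auto-forward block from Exchange Online PowerShell and then audits the mailbox forwarding settings and inbox rules that the portal steps do not show. It assumes the ExchangeOnlineManagement module is installed and that the caller holds the Exchange Administrator role.

```powershell
# Added example (not from the original post): block auto-forwarding to external domains
# and audit what is already configured. Assumes the ExchangeOnlineManagement module
# and an Exchange Administrator account.
Connect-ExchangeOnline

# 1. Tenant-wide switch: the default outbound spam policy can stop automatic
#    forwarding to external recipients regardless of individual mailbox settings.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Mail flow rule equivalent of the portal steps: reject messages that Exchange
#    classifies as auto-forwards when they leave the organization.
New-TransportRule -Name "Reject auto-forward to external domains" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText "Automatic forwarding to external recipients is blocked by policy." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# 3. Audit mailbox-level forwarding, whether set by an admin or by the user.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 4. Audit inbox rules that forward or redirect mail. The rule above rejects their
#    output in transit, but the inbox rules themselves stay in place until removed.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, Enabled, ForwardTo, RedirectTo
}
```

Steps 3 and 4 are the part worth repeating on a schedule: an unexpected forwarding address or a newly created inbox rule that redirects mail is a common sign that a mailbox has been compromised.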

Configuring advanced protection against malware/ransomware

Microsoft 365 Security & Compliance Center includes advanced options to protect from malware and ransomware.

For protection against malware, users can use the Threat Management policy to block the common file extensions that usually carry malware. The simple procedure to protect an Office 365 mailbox from ransomware attacks is as follows.

  1. Follow this link and use global administrator credentials to open the Security & Compliance Center of your Microsoft 365 account.
  2. From the left panel of the Security & Compliance Center, click on Threat Management and then select Policy>Malware.
  3. Double-click the default policy to edit it and then click on the Settings option.
  4. Go to the Common Attachments Type Filter and set it to ON. Make selections from the available list or add/remove file types as you see fit; then click on Save to save this setting.

The Microsoft 365 Advanced Threat Management feature also allows users to set up ATP anti-phishing policy, ATP Safe Attachments policy, and ATP Safe Links policy to prevent Microsoft 365 content from harmful phishing attacks, malicious attachments, and infected links respectively.

To protect valuable emails from ransomware attacks, users can also create a mail transport rule and apply settings and conditions to suspicious emails as follows.

  1. Open the Exchange Admin Center from the Admin Centers category in the Microsoft 365 Admin Center.
  2. Go to mail flow>rules and click on the plus icon to create a new rule.
  3. Click on 4 stars to open More options.
  4. Apply the following settings for mail flow:
    • Block file types that could contain ransomware or other malicious code
    • Warn users before opening attachments of Office files
  5. Add conditions for the emails and attachments as per your wisdom and requirement.
  6. Now, your emails and attachment files are ransomware protected.
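The following is an added example, not code from the original post, covering both procedures above: the common attachment filter in the default anti-malware policy and the mail flow rules for blocking risky file types and warning on Office attachments. It assumes the ExchangeOnlineManagement module is installed, that the caller holds the Exchange Administrator role, and that the file-extension lists are constructed starting points to be adjusted to your environment.

```powershell
# Added example (not from the original post): attachment controls from the two
# procedures above as a script. Assumes the ExchangeOnlineManagement module and an
# Exchange Administrator account; the extension lists are constructed starting points.
Connect-ExchangeOnline

# Current state of the default anti-malware policy.
Get-MalwareFilterPolicy -Identity Default | Format-List EnableFileFilter, FileTypes

# Common attachments filter. -FileTypes replaces the list rather than merging, so
# include every type you want kept. This list covers the usual script and executable carriers.
$blocked = 'ace','ani','app','exe','jar','reg','scr','vbe','vbs','js','jse','hta','wsf','ps1','iso','img','lnk'
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $blocked

# Mail flow rule 1: reject by extension. Conditions within one rule are ANDed, so the
# executable-content check goes in a second rule; it also catches renamed executables
# that an extension list misses.
New-TransportRule -Name "Block attachment types that could carry ransomware" `
    -AttachmentExtensionMatchesWords $blocked `
    -RejectMessageReasonText "Attachment type is not allowed by policy." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Enforce

New-TransportRule -Name "Block executable attachment content" `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText "Executable attachments are not allowed by policy." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Enforce

# Mail flow rule 2: warn users about Office files from outside the tenant instead of
# blocking them outright, by tagging the subject and prepending a banner.
New-TransportRule -Name "Warn on Office files from outside the organization" `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords 'doc','docm','xls','xlsm','ppt','pptm' `
    -PrependSubject "[External Office attachment] " `
    -ApplyHtmlDisclaimerText "<p>This message from outside the organization carries an Office attachment. Do not enable macros or editing unless you were expecting this file.</p>" `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Enforce

# Confirm all three rules are present and enabled.
Get-TransportRule | Where-Object { $_.Name -like 'Block*' -or $_.Name -like 'Warn on Office*' } |
    Format-Table Name, State, Mode, Priority -AutoSize
```

To see what a rule would match before it rejects anything, create it with -Mode Audit, review the hits in message trace, and switch it with Set-TransportRule -Mode Enforce once the extension list is right for your tenant.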

We hope you have learned about some of the advanced security services provided by Microsoft 365. For lasting protection of Microsoft 365 data, users can also perform regular backups. We make this easy for our users with the Kernel Office 365 Backup & Restore solution, which backs up Office 365 data efficiently.