Microsoft 365 Administration: Best Practices for Busy IT Teams
The tenant is your new perimeter
For most organizations, Microsoft 365 is now the single largest concentration of identity, email, files, and collaboration data they own. That makes the tenant, not the office network, the thing attackers go after first. A phished credential or a stale global admin account is a faster path to the whole business than any firewall bypass. Yet a lot of tenants are still running close to their out-of-the-box configuration: legacy authentication enabled, external sharing wide open, a dozen people holding Global Administrator, and "backup" assumed to be handled because the data lives in the cloud.
Busy IT teams do not need another 300-control hardening spreadsheet. They need the handful of decisions that move the most risk with the least ongoing effort. This is the order we work through them for clients.
Secure identity first
Identity is where the highest-leverage controls live, so start there before you touch anything else.
- Enforce MFA everywhere, without exceptions. Microsoft's own data has long put the risk reduction from MFA above 99 percent for account-compromise attacks. Turn on Security Defaults if you have no other controls, but the moment you have Entra ID P1, move to Conditional Access so you can require MFA precisely and kill the exceptions that always creep into a blanket policy.
- Kill legacy authentication. Protocols like IMAP, POP, SMTP AUTH, and older Exchange ActiveSync clients that rely on basic authentication cannot present an MFA prompt, so attackers use them to sidestep it entirely. Block legacy auth in Conditional Access and confirm nothing critical breaks — anything that does was a security liability anyway.
- Move toward phishing-resistant MFA. SMS and voice codes are better than nothing, but they are interceptable. Push the organization toward number matching, the Authenticator app, or passkeys. This ties directly into a broader identity and access management program rather than living as a one-off toggle.
Figure: each layer assumes the one above it can fail — identity hardening, access policy, data governance, and backup are independent, not substitutes.
Use Conditional Access as your policy engine
Conditional Access is the tenant's real security control plane. Treat it as a small, deliberate set of policies rather than an ever-growing pile. A workable baseline for most organizations:
- Require MFA for all users across all cloud apps.
- Block legacy authentication for everyone.
- Require compliant or hybrid-joined devices for access to email and SharePoint, so unmanaged personal machines cannot pull down corporate data.
- Require MFA for risky sign-ins using Identity Protection signals if you have P2 licensing.
- Block or step up authentication from unexpected countries where you have no legitimate users.
Always create a break-glass account — a cloud-only global admin excluded from Conditional Access, with a long stored password and its own monitoring — before you enforce anything. Locking yourself out of your own tenant with a misconfigured policy is a genuine and common failure. Test new policies in report-only mode first; it shows exactly who a policy would have blocked before it blocks anyone.
Right-size admin roles and licenses
Two forms of sprawl quietly accumulate in every tenant: too much privilege and too much license spend.
- Reduce Global Administrators to the minimum. Microsoft recommends fewer than five. Everyone else should hold a scoped role — Exchange Administrator, SharePoint Administrator, User Administrator — that matches their actual job.
- Use Privileged Identity Management (PIM). With Entra ID P2, admin roles become just-in-time: an engineer activates Global Admin for a defined window with an approval and a reason, instead of holding it permanently. That shrinks the standing attack surface dramatically and produces a clean audit trail. If privileged access is a broad concern across your estate, treat it as part of a formal privileged access management practice.
- Right-size licenses on a schedule. Reclaim licenses from departed staff, find users on E5 who only use E3 features, and consolidate add-ons that duplicate a bundle. A quarterly review against actual usage reports routinely recovers real budget without anyone losing a feature they use.
Govern Exchange, SharePoint, and Teams
The collaboration layer is where data governance succeeds or fails, and where sprawl is hardest to unwind after the fact.
- Exchange Online. Turn off auto-forwarding to external domains — it is a common data-exfiltration and business-email-compromise technique. Configure DKIM and DMARC so your domain cannot be spoofed. Restrict who can create transport rules, because a malicious inbox rule is a favorite attacker persistence trick.
- SharePoint and OneDrive. Set a sane default sharing scope. Most organizations should default new sites and links to "people in your organization," not "anyone with the link," and grant broader access only where a business case exists.
- Teams. Every Team creates a Microsoft 365 Group, a SharePoint site, and a mailbox behind the scenes. Left ungoverned, you accumulate hundreds of orphaned Teams with no owner and unknown data. Control who can create Teams, require at least two owners, and apply an expiration policy that forces periodic re-justification of stale groups.
Lock down external sharing
External sharing is the setting that most often turns "we use M365" into "we had a data exposure." Decide it deliberately rather than accepting the default.
- Set the tenant-wide external sharing ceiling, then loosen it per site only where needed — never the reverse.
- Prefer authenticated guest access over anonymous "anyone" links so every external viewer has an identity you can see and revoke.
- Set link expiration and default to view-only for external shares.
- Use sensitivity labels to auto-apply encryption and sharing restrictions to regulated content, so protection travels with the file rather than depending on each user's choices — the on-ramp to a real data loss prevention capability.
Native retention is not a backup
This is the single most expensive misunderstanding in Microsoft 365 administration. Microsoft operates the platform under a shared-responsibility model: they keep the service running and resilient, but the data is yours to protect. Retention policies, litigation hold, and the recycle bin are governance and availability features, not a recovery backup.
They will not save you when:
- A user or attacker deletes mailboxes or files and the retention window lapses.
- Ransomware encrypts synced OneDrive and SharePoint content.
- A departing employee's account — and its data — is removed on offboarding.
- A misconfigured retention policy purges data you needed.
Deploy a third-party backup that captures Exchange, SharePoint, OneDrive, and Teams to independent, immutable storage with its own retention and a tested restore path. That belongs inside a broader backup and disaster recovery program with defined RPO/RTO targets, not as an afterthought.
Monitor with Secure Score and the audit log
You cannot hold a configuration you do not watch.
- Track Secure Score as a trend line, not a target number. It translates your tenant posture into concrete, prioritized recommendations and shows whether you are drifting after each change.
- Enable and retain unified audit logging. It is your record of who did what, essential for investigating a compromise. Confirm the retention period matches your compliance obligations, since defaults are often shorter than an investigation needs.
- Alert on high-risk events — new global admin assignments, mailbox forwarding rules, mass downloads, impossible-travel sign-ins — and route them somewhere a human actually reviews.
Make it a standing discipline
Microsoft 365 administration is not a hardening project you finish; it is an operating rhythm. Enforce identity controls, keep Conditional Access tight, right-size roles and licenses, govern the collaboration layer, control external sharing, back up what Microsoft will not, and watch Secure Score and the audit log for drift. Done consistently, that rhythm keeps the tenant defensible without consuming your team.
If your tenant has grown faster than your ability to govern it, that is exactly the work intSignal runs for clients as part of complete IT support — securing the configuration, closing the backup gap, and keeping the whole environment monitored. Talk to our team and we will start with a review of where your tenant stands today.