Why This Matters
80% of data breaches involve stolen or weak passwords. Microsoft 365 has powerful security tools built in — most companies just never turn them on. Here are 10 things you can do this week, ranked by impact.
The Checklist
- Enable MFA for all users — Multi-Factor Authentication blocks 99.9% of automated attacks. Go to Entra ID → Security → MFA. This is the single most impactful thing you can do.
- Disable legacy authentication — Basic authentication used by older protocols (POP3, IMAP, SMTP AUTH, Exchange ActiveSync) cannot prompt for a second factor, so it lets password-spraying and credential-stuffing attempts sidestep MFA entirely. Block it via a Conditional Access policy, and check the sign-in logs first so you know which mailboxes or apps still depend on it.
- Set up Conditional Access — Require MFA from untrusted locations, block sign-ins from high-risk countries, require compliant devices for admin access.
- Enable Security Defaults — If you don't have Azure AD P1 licenses, Security Defaults gives you baseline MFA for all users and blocks legacy auth for free. Note that Security Defaults and Conditional Access are mutually exclusive: once you start writing Conditional Access policies, turn Security Defaults off and reproduce its protections in policy.
- Review admin accounts — Do you really need 8 Global Admins? Reduce to 2-3. Create separate admin accounts (not the same as daily-use accounts).
- Turn on audit logging — Go to Microsoft Purview → Audit. Enable the unified audit log so you can investigate incidents; it only records activity from the moment it is switched on, so enable it now rather than after something goes wrong. Logs are retained for 90 days on standard plans.
- Create a DLP policy for sensitive data — Prevent accidental sharing of credit card numbers, Aadhaar numbers, or PAN details via email or Teams. Microsoft Purview DLP has built-in templates for Indian regulations.
- Enable Safe Attachments & Safe Links — Microsoft Defender for Office 365 scans email attachments in a sandbox and checks URLs in real-time. Worth every rupee.
- Set up alerts for suspicious activity — Go to Microsoft Defender → Alert policies. Enable alerts for: impossible travel, mass file downloads, forwarding rules created, and privilege escalation.
- Run Microsoft Secure Score — Go to security.microsoft.com → Secure Score. It gives you a percentage score and ranks recommendations by impact. Aim for 70%+ within 30 days.
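The legacy-authentication block from items 2 and 3 above, written as a Conditional Access policy with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article; it assumes the Microsoft.Graph module is installed, an Azure AD P1 license, and a break-glass (emergency access) group whose object id you substitute for the placeholder.

```powershell
# Added example: create a report-only Conditional Access policy that blocks legacy
# (basic-auth) client types, then list the policies that do so.
# Assumes: Install-Module Microsoft.Graph has been run, Azure AD P1 is licensed,
# and $breakGlassGroupId is replaced with your real emergency-access group id.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"   # placeholder, not a real id

$policy = @{
    displayName = "Block legacy authentication (report-only)"
    # Report-only first: the sign-in log shows what WOULD be blocked before you
    # flip state to "enabled" and risk locking out a printer or line-of-business app.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # never lock out the break-glass accounts
        }
        applications   = @{ includeApplications = @("All") }
        # "exchangeActiveSync" and "other" are the legacy client types; browsers and
        # modern-auth mobile/desktop apps are not matched and keep working.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Verification step: show every policy that blocks legacy client types and its state,
# so you can confirm the block is present (and later, that it is enforced, not report-only).
Get-MgIdentityConditionalAccessPolicy |
    Where-Object {
        $_.Conditions.ClientAppTypes -contains "other" -and
        $_.GrantControls.BuiltInControls -contains "block"
    } |
    Select-Object DisplayName, State
```

Review the report-only results in Entra ID → Sign-in logs for a week, then change `state` to `enabled` once nothing legitimate is still using basic authentication.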
Start Here: If you do only ONE thing from this list, enable MFA. It takes 15 minutes and prevents the vast majority of account compromise attacks. Everything else is a bonus. Need help implementing these? Our free M365 Health Check includes a security assessment.