Threatscape Essential 10: Securing Microsoft 365


Microsoft 365 is at the heart of many organisations’ IT infrastructure. It offers a comprehensive suite of services essential for modern business operations, including email and communication, collaboration and generative AI, identity management and access, device administration, and end-to-end security tooling. 

Given this vastness and value, securing it against threats needs to be front-of-mind for all tenant administrators.  

The Threatscape Essential 10 is a pragmatic collection of key considerations organisations should prioritise to harden Microsoft 365. By prioritising these cyber defences, organisations will reduce the likelihood of security incidents and the blast radius when incidents do occur, and, as a byproduct, mature and more fully leverage their licensed Microsoft 365 solutions such as Defender XDR, Entra, Intune, and Purview.

1. Defend Against Token Theft and User Compromise

User compromise, most often through token theft but also through compromised authentication methods, is a common initial access technique. Attackers can replay stolen Entra tokens to gain unauthorised access to Microsoft 365 and other Entra-integrated apps, bypassing the authentication requirements that were satisfied when the token was issued. The adversary then controls the compromised identity, with consequent risks such as exfiltration, lateral movement, and establishing persistence. This attack vector is typically facilitated by phishing, malware, social engineering, or leaked credentials. The likelihood of such attacks is high, given the increasing prevalence of phishing toolkits, adversary-in-the-middle (AiTM) attacks, and the financial incentives involved.

Essential recommendations for this consideration include, but aren’t limited to: 

  • Block legacy authentication everywhere.  
  • Require phishing-resistant MFA using Conditional Access authentication strengths. Prefer Windows Hello for Business, Passkeys (FIDO2), or certificate-based authentication.  
  • Require specific device states, such as Intune-compliant devices, through Entra Conditional Access, and include Defender for Endpoint device risk in the compliance evaluation to reduce the risk of infostealers. 
  • For sensitive apps and unmanaged or risky devices, where supported, leverage token protection, shorter sign-in frequency, and never persist browser sessions. 
  • Control access based on risk signals using Entra ID Protection. 
  • Control guest access including limitations on default reconnaissance capabilities and leveraging cross-tenant access settings. 
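The first two bullets can be expressed as Conditional Access policies. The following is an added example, not code from the Threatscape article: it creates a legacy-authentication block and a phishing-resistant MFA requirement with Microsoft Graph PowerShell, both in report-only mode so their effect can be reviewed in sign-in logs before enforcement. The break-glass account object ID is a placeholder to replace, and the authentication strength ID is Entra's built-in "Phishing-resistant MFA" strength.

```powershell
# Added example (not from the Threatscape article). Assumes the
# Microsoft.Graph.Identity.SignIns module is installed and the caller holds
# Policy.ReadWrite.ConditionalAccess and Application.Read.All.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Built-in "Phishing-resistant MFA" authentication strength (well-known ID).
$PhishingResistantStrengthId = '00000000-0000-0000-0000-000000000004'

# Placeholder: object ID of your emergency-access (break-glass) account,
# excluded from every policy so a misconfiguration cannot lock admins out.
$BreakGlassUserId = '<break-glass-account-object-id>'

# Policy 1: block legacy authentication clients. Basic-auth protocols surface as
# the 'exchangeActiveSync' and 'other' client app types.
$blockLegacy = @{
    displayName = 'Essential 10 - Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'   # report-only first
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassUserId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

# Policy 2: require phishing-resistant MFA (FIDO2, Windows Hello for Business,
# certificate-based auth) for all users on all cloud apps.
$requirePhishingResistant = @{
    displayName = 'Essential 10 - Require phishing-resistant MFA'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassUserId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        builtInControls        = @()
        authenticationStrength = @{ id = $PhishingResistantStrengthId }
    }
}

foreach ($policy in @($blockLegacy, $requirePhishingResistant)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Once the report-only sign-in log entries show no unexpected failures, switch `state` to `enabled`. Keep the legacy-authentication block as its own policy rather than folding it into the MFA policy: legacy clients cannot satisfy an MFA prompt at all, so the only meaningful outcome for them is a block.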

2. Defend Against Unmanaged or Risky Devices

Unmanaged devices are those not controlled by IT, such as BYOD assets. These, or managed but poorly maintained risky devices, can introduce posture vulnerabilities, making it easier for attackers to exploit weaknesses. For example, these devices may lack proper security hardening and tooling, making them susceptible to malware, data breaches, and unauthorised access. The prevalence of bring-your-own-device (BYOD) expectations and remote work increases the likelihood of such risks.  

Essential recommendations for this consideration include, but aren’t limited to:

  • For the highest level of security, allow access only from organisation-owned, Intune-compliant devices by using Entra Conditional Access. 
  • Where BYOD is required, leverage app protection policies to control data exfiltration paths and app access with conditional launch. 
  • For unmanaged device scenarios, introduce guardrails around accidental data exfiltration or access from outdated devices using Conditional Access App Control and Defender for Cloud Apps. 
  • Identify devices with device discovery in Defender for Endpoint/Defender Vulnerability Management, bringing them under management where possible or monitoring vulnerabilities with Enterprise IoT security. 
  • Consider VDI implementations such as Azure Virtual Desktop and Windows 365. 

3. Defend Against Data Exfiltration

We define data exfiltration as the unauthorised transfer of data beyond organisational control. This can lead to significant breaches, such as the unauthorised exposure of sensitive information, credentials, and other valuable secrets. The risk is particularly significant for organisations holding large volumes of confidential data in Microsoft 365 or Entra apps, since, given the nature of SaaS, these often support access from any device and any location. Attackers may use various methods, such as malware, insider threats, or compromised accounts, to exfiltrate data, and insiders may cause exfiltration events accidentally, for example by not following sanctioned data flows, through BYOD compromise, or in similar scenarios. The prevalence of data breaches and the high value of sensitive information make this a critical area to defend, especially since data exfiltration is one of the primary objectives of most attackers. 

Essential recommendations for this consideration include, but aren’t limited to: 

  • Architect Purview Data Loss Prevention policies for Exchange, SharePoint, OneDrive, Teams, endpoints, and any other available resources. 
  • Apply sensitivity labels with encryption and ideally auto-labeling. 
  • Implement Purview Insider Risk Management to detect and respond to potential malicious insiders, including with connectors to other resources such as HR apps. 
  • Control access from unmanaged devices by leveraging Entra Conditional Access, Defender for Cloud Apps, and Intune enrolment restrictions and app protection policies. 
  • Harden endpoints to defend against data loss, such as with BitLocker device encryption and device control in Defender for Endpoint. 
  • Use Purview Data Lifecycle Management to remove stale data, de-risking the volume of data that may be exfiltrated. 

4. Defend Against Business Email Compromise

Business email compromise (BEC) is a type of attack where adversaries leverage email to conduct fraudulent activities. This can result in financial loss, data breaches, and reputational damage. BEC attacks are often targeted and can involve social engineering tactics to deceive employees into transferring funds or sharing sensitive information. Security researchers have observed generative AI being used to improve efficacy of such attacks (by, for example, better tuning emails and profiling victims). These attacks often differ from general anti-spam defenses insofar as adversaries can leverage “known good” infrastructure or other compromised accounts to spread their malicious email. 

Essential recommendations for this consideration include, but aren’t limited to: 

  • Implement DNS email security capabilities such as SPF, DKIM, and DMARC. 
  • Leverage preset security policies (standard/strict) in Defender for Office 365, customising where required, to enforce capabilities such as anti-phishing, anti-malware, anti-spam, Safe Links, and Safe Attachments. 
  • Avoid bypasses by preventing authentication to shared mailboxes and limiting the mailbox auditing bypass setting. 
  • Disable auto-forwarding externally except by exception, with alerts on suspicious inbox rules. 
  • Minimise security exceptions such as trusted IPs, domains, or emails and, where required, leverage lifecycle capabilities such as the tenant allow/block list. 
  • Extend similar defenses to Teams by controlling external messaging and phishing settings. 
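The shared-mailbox, audit-bypass and auto-forwarding bullets above can be checked in one pass. The following is an added example, not code from the Threatscape article: a read-only Exchange Online audit that reports external auto-forwarding on the default remote domain, inbox rules that forward, redirect or silently delete mail, shared mailboxes that still permit direct sign-in, and mailbox audit bypass associations. Remediation cmdlets are included as comments. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed and that the caller is an Exchange administrator with the User.Read.All Graph scope; `Get-RecipientDomain` is a helper defined here, not a built-in cmdlet.

```powershell
# Added example (not from the Threatscape article): BEC bypass-path audit.
Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.Read.All'

$findings        = [System.Collections.Generic.List[string]]::new()
$acceptedDomains = (Get-AcceptedDomain).DomainName

# Helper (defined here): return the SMTP domain of an inbox-rule recipient such as
# '"Bob" [SMTP:bob@example.com]', or $null for internal '[EX:/o=...]' recipients.
function Get-RecipientDomain([string] $Recipient) {
    if ($Recipient -match '\[SMTP:[^@\]]+@([^\]]+)\]') { return $Matches[1] }
    return $null
}

# 1. External auto-forwarding through the default remote domain.
if ((Get-RemoteDomain -Identity Default).AutoForwardEnabled) {
    $findings.Add('Default remote domain permits automatic forwarding to external recipients.')
    # Remediation (kept commented so the script stays read-only):
    # Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
}

# 2. Inbox rules that forward/redirect externally or delete mail (classic BEC persistence).
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = foreach ($t in $targets) {
            $domain = Get-RecipientDomain ([string]$t)
            if ($domain -and $domain -notin $acceptedDomains) { $domain }
        }
        if ($external -or $rule.DeleteMessage) {
            $detail = 'Inbox rule "{0}" on {1}: external targets [{2}], delete={3}' -f $rule.Name, $mbx.PrimarySmtpAddress, ($external -join ', '), $rule.DeleteMessage
            $findings.Add($detail)
        }
    }
}

# 3. Shared mailboxes should not be sign-in enabled; access them via delegation only.
foreach ($shared in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    $account = Get-MgUser -UserId $shared.ExternalDirectoryObjectId -Property AccountEnabled
    if ($account.AccountEnabled) {
        $findings.Add("Shared mailbox $($shared.PrimarySmtpAddress) still permits direct sign-in.")
        # Remediation: Update-MgUser -UserId $shared.ExternalDirectoryObjectId -AccountEnabled:$false
    }
}

# 4. Mailbox audit bypass removes the evidence an investigation depends on.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    ForEach-Object { $findings.Add("Mailbox auditing is bypassed for $($_.Name).") }

if ($findings.Count -eq 0) { 'No BEC bypass findings.' } else { $findings }
```

Run this on a schedule and diff the output: a new forwarding rule or a shared mailbox that flips to sign-in enabled is worth an alert in its own right, independent of whatever Defender for Office 365 raises.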

5. Defend Against App-to-App Access and Consent Risk

App-to-app access and consent risk concerns OAuth permissions, whether delegated or application permissions: in short, the risk posed by apps connected to Entra/Microsoft 365 through the permissions they hold to access data. Malicious applications may gain unauthorised access to sensitive data through user or admin consent, where attackers trick users into granting permissions to malicious apps, leading to data breaches and unauthorised access. The likelihood of such attacks is high, given the increasing use of third-party applications and the complexity of managing app permissions. One must also consider supply chain compromise, where a previously trusted app is exploited by adversaries. Ensuring that only trusted applications can interact with organisational data, and continually attesting that trust, is essential to mitigate this risk. 

Essential recommendations for this consideration include, but aren’t limited to: 

  • Disable broad user consent and enable an admin consent workflow, requiring permission reviews and verified publishers where possible.  
  • Replace app secrets and legacy service accounts with managed identities or certificates, and alert on expiring credentials, reducing risks of exposed or weak passwords (including those synced from on-premises). 
  • Adhere to least privilege permissions, granting only the permissions required to achieve the apps’ objectives, and ensure lifecycle management exists for sanctioned apps. 
  • Leverage Conditional Access for workload identities to block service principals based on risk or unauthorised IP use. 
  • Enable Defender for Cloud Apps’ app governance capability for continuous monitoring and anomaly detection. 
  • Use Defender for Cloud Apps’ connected apps capability to conduct SaaS Security Posture Management (SSPM) assessments to proactively harden SaaS. 
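As an added example, not code from the Threatscape article, the following Microsoft Graph PowerShell script performs three read-only checks behind the consent and credential bullets above: whether users can still consent to apps on their own, which app registrations carry client secrets that are expired or about to expire, and which tenant-wide (admin-consented) delegated grants include high-impact scopes. It assumes the Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules are installed and the caller can read policies, applications and the directory; the three functions are defined here, and the list of "sensitive" scopes is a constructed starting point rather than an exhaustive one.

```powershell
# Added example (not from the Threatscape article): app consent and credential hygiene.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Application.Read.All', 'Directory.Read.All'

# 1. Can ordinary users still consent to applications? An empty list of assigned
#    permission-grant policies means user consent is disabled.
function Test-UserConsentEnabled {
    $policy   = Get-MgPolicyAuthorizationPolicy
    $assigned = @($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
    if ($assigned.Count -gt 0) {
        Write-Warning "User consent is enabled through: $($assigned -join ', ')"
        # Remediation (disables user consent; pair it with the admin consent workflow):
        # Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }
        return $true
    }
    return $false
}

# 2. Client secrets that are expired or expire within $Days. Every secret listed is a
#    candidate for replacement with a certificate or managed identity.
function Get-AppSecretStatus([int] $Days = 30) {
    $now     = [DateTime]::UtcNow
    $horizon = $now.AddDays($Days)
    foreach ($app in Get-MgApplication -All -Property Id, DisplayName, AppId, PasswordCredentials) {
        foreach ($secret in @($app.PasswordCredentials)) {
            $status = if ($secret.EndDateTime -lt $now) { 'expired' }
                      elseif ($secret.EndDateTime -lt $horizon) { 'expiring' }
                      else { 'ok' }
            [pscustomobject]@{
                App     = $app.DisplayName
                AppId   = $app.AppId
                Expires = $secret.EndDateTime
                Status  = $status
            }
        }
    }
}

# 3. Tenant-wide delegated grants (ConsentType 'AllPrincipals') that include scopes an
#    attacker would want. Constructed list; extend it for your own risk appetite.
function Get-TenantWideSensitiveGrant {
    $sensitive = 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
                 'Files.ReadWrite.All', 'Sites.ReadWrite.All', 'Directory.ReadWrite.All'
    $grants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ConsentType -eq 'AllPrincipals' }
    foreach ($grant in $grants) {
        $hits = ($grant.Scope -split ' ') | Where-Object { $_ -in $sensitive }
        if ($hits) {
            # ClientId on a grant is the object ID of the consuming service principal.
            $sp = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId -Property DisplayName, AppId, VerifiedPublisher
            [pscustomobject]@{
                App               = $sp.DisplayName
                AppId             = $sp.AppId
                SensitiveScopes   = $hits -join ' '
                VerifiedPublisher = [bool]$sp.VerifiedPublisher.DisplayName
            }
        }
    }
}

Test-UserConsentEnabled | Out-Null
Get-AppSecretStatus -Days 30 | Where-Object { $_.Status -ne 'ok' } | Format-Table
Get-TenantWideSensitiveGrant | Format-Table
```

The third check deliberately looks at service principals rather than app registrations: a multi-tenant app published elsewhere has no registration in your tenant, only a service principal, so that is where its consented permissions live.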

6. Defend Against Endpoint Risks

Endpoint risks involve vulnerabilities and threats targeting devices used to access organisational resources. These risks include malware (of many types, including infostealers and ransomware) and other threats that can compromise the security of endpoints. The prevalence of endpoint attacks is high, though modern endpoint protection platforms can offer robust defenses. While identity is often described as the new security perimeter, protecting endpoints is crucial to protecting those identities and preventing attacks. 

Essential recommendations for this consideration include, but aren’t limited to: 

  • Onboard all devices to Defender for Endpoint for the highest levels of visibility. 
  • Use cloud delivered protection and block at first sight in Defender Antivirus to protect against emerging threats. 
  • Enforce attack surface reduction rules, exploit protection, network protection, and potentially unwanted app protection to minimise risk of exploitation. 
  • Enforce tamper protection as part of defense in depth measures to restrict even administrator bypasses. 
  • Implement operating system security baselines such as the OpenIntuneBaseline or Microsoft Security Baseline. 
  • Leverage hypervisor-protected code integrity capabilities such as Credential Guard or, for the highest levels of protection, application control. 

7. Defend Against Excessive Privileges

Excessive privileges can lead to unauthorised access and potential misuse of sensitive data and systems. Attackers may exploit privileged accounts to gain access to critical resources, leading to data breaches and other security incidents. The likelihood of such attacks is significant, given the high value of privileged accounts and the potential impact of their compromise. Managing and monitoring privileged access is essential to reduce the risk of threats and ensure that only authorised personnel have access to critical resources. 

Essential recommendations for this consideration include, but aren’t limited to: 

  • Use Entra Privileged Identity Management for all admin roles, requiring reauthentication and MFA on activation, ideally coupled with privileged access workstations. This does not remove the need for separate, dedicated administrator accounts. Scope admins with Entra administrative units so role assignments are limited to specific users, groups, or devices.  
  • Use Entra ID Governance entitlement management and access reviews to control the lifecycle of identities and access, from provisioning to ongoing adjustments and decommissioning (joiners/movers/leavers). 
  • Implement least privileged principles when granting access, by identifying the absolute minimum level of access required and granting only that. 
  • On endpoints, control local admin permissions through Entra device settings, Local Administrator Password Solution, and Intune Endpoint Privilege Management. 
  • Where supported, leverage in-app RBAC such as Exchange Online, Purview, and Defender XDR’s unified RBAC model to achieve the most specific level of permissions. 
  • Ensure integration of third-party applications with Entra using SSO, to centralise secure modern identity. 

8. Defend Against Hybrid Identity Attack Paths

Integrating on-premises Active Directory with Entra in a hybrid environment can create vulnerabilities that attackers may exploit to gain unauthorised access to both on-premises and cloud resources. The significance of this risk lies in the interconnected nature of hybrid environments, where a compromise in one system can enable lateral movement to the other, leading to broader security breaches. This is compounded by how heavily Active Directory is targeted, and how often it is the weakest point for large-scale compromise. Given the prevalence of hybrid environments, defending against hybrid threats is crucial to ensure the security and integrity of both on-premises and cloud-based resources. 

Essential recommendations for this consideration include, but aren’t limited to: 

  • With Defender for Identity, leverage action accounts and Defender XDR integration to automatically remediate risky accounts, while proactively monitoring security assessments and lateral movement paths to understand Active Directory weaknesses. 
  • Prefer password hash sync as the authentication solution instead of more limited options such as Active Directory Federation Services and pass-through authentication. 
  • Treat the Entra Connect server as a critical asset, of the highest tier level, and with the access restrictions that come of such tiering; or, where possible, prefer Entra Cloud Sync. 
  • Deprecate the use of Seamless SSO, which is a legacy solution for devices that do not support Entra registration, but can be exploited by adversaries. 
  • Do not sync privileged Active Directory accounts to Entra and vice versa. 
  • Strengthen access to domain controllers with a tiering strategy and privileged access workstations. 

9. Defend Against AI-Driven Threats

AI-driven threats relate to the risks associated with the use of generative artificial intelligence, whether sanctioned or unsanctioned (shadow AI/shadow IT), including services like Microsoft 365 Copilot and third-party AI applications. The significance of this risk lies in the potential for AI to be misused or exploited, leading to data breaches, unauthorised access, and other security incidents. AI can be leveraged by attackers to enhance the speed and sophistication of their attacks, and evade traditional security measures, such as with prompt injections. The rapidly evolving nature of AI, with continually changing and sometimes inherent risks, makes it a critical area to defend against.  

Essential recommendations for this consideration include, but aren’t limited to: 

  • Adhere to least privileged principles for data stores used by Microsoft 365 Copilot, such as SharePoint Online, Teams, OneNote, OneDrive for Business, and Microsoft 365 in general. 
  • Use Microsoft Defender for Cloud Apps’ cloud discovery capability to discover AI app usage, assess risk, and control access. 
  • Track risky AI usage with Purview Communication Compliance and Insider Risk Management. 
  • Use Purview DSPM for AI to prevent unintended data leaks, including both Copilot and third-party AIs such as ChatGPT. 
  • Use Purview Data Loss Prevention and sensitivity labels to control Copilot access to highly sensitive material. 
  • Manage who can access Copilot agents and leverage the agent inventory to assign sanctioned agents. 

10. Defend Against Visibility Gaps

Visibility gaps in Microsoft 365 can leave organisations vulnerable to undetected threats, unauthorised activities, configuration weaknesses, and incident response difficulties. Without comprehensive logging and monitoring, it becomes challenging to identify, investigate, and respond to security incidents in a timely manner. Ensuring robust visibility and logging across your Microsoft 365 environment is crucial for maintaining a strong security posture.  

Essential recommendations for this consideration include, but aren’t limited to: 

  • Enable the unified audit log in Microsoft Purview, including non-default log types, and use audit retention policies to retain and protect the logs. 
  • Improve Entra’s built-in logging and retention by configuring diagnostic settings to collect logs and metrics. 
  • Onboard devices to Purview Data Loss Prevention and use the Purview browser extension to track activities. 
  • Configure the Microsoft Information Protection Scanner for on-premises file shares to discover sensitive data. 
  • Use Microsoft Defender for Cloud Apps to monitor SaaS app (including Microsoft 365) usage and configuration, detect anomalies, and gain visibility into shadow IT. 
  • As broadly as possible, deploy Defender XDR workloads such as Defender for Endpoint and Identity to centralise records for advanced hunting. 
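The unified audit log bullet is the one most often found half-done: ingestion is on but nobody has confirmed events are arriving or how long they are kept. The following is an added example, not code from the Threatscape article: an Exchange Online PowerShell script that checks the tenant-level audit switches, shows where a retention policy would be added (left commented because the permitted durations depend on licensing), and proves the log is returning events by summarising the last 24 hours by record type. It assumes the ExchangeOnlineManagement module is installed and the caller holds the Audit Logs role in Purview; `Get-AuditVolumeSummary` is a helper defined here.

```powershell
# Added example (not from the Threatscape article): unified audit log verification.
Connect-ExchangeOnline

# 1. Tenant-level switches.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is disabled; enabling it.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled at organisation level.'
    # Remediation: Set-OrganizationConfig -AuditDisabled $false
}

# 2. Retention: keep sign-in and Exchange admin records beyond the default window.
#    Illustrative policy, kept commented; the maximum duration depends on licensing.
# New-UnifiedAuditLogRetentionPolicy -Name 'Essential 10 - identity and Exchange admin' `
#     -RecordTypes AzureActiveDirectoryStsLogon, ExchangeAdmin `
#     -RetentionDuration TwelveMonths -Priority 100

# 3. Helper (defined here): summarise recent audit volume per record type. An empty
#    result after enabling is normal for a few hours; an empty result on a tenant that
#    has been "enabled" for months means something upstream is broken.
function Get-AuditVolumeSummary([int] $Hours = 24) {
    $end    = Get-Date
    $events = Search-UnifiedAuditLog -StartDate $end.AddHours(-$Hours) -EndDate $end `
                                     -ResultSize 5000 -SessionCommand ReturnLargeSet
    if (-not $events) {
        Write-Warning "No audit events in the last $Hours hours; ingestion may be off or not yet active."
        return
    }
    $events | Group-Object RecordType | Sort-Object Count -Descending |
        Select-Object @{ n = 'RecordType'; e = { $_.Name } }, Count
}

Get-AuditVolumeSummary -Hours 24 | Format-Table
```

The summary is also a quick way to spot a workload that is silently not logging: if Teams, SharePoint or Entra sign-in record types are absent from an active tenant's 24-hour window, that gap is a visibility finding in itself.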

No single checklist eliminates all risk, but these considerations represent the core steps. The Essential 10 focuses on the highest-impact risks and the controls that measurably reduce them across identity, devices, data, collaboration, and visibility. Each area aligns with Microsoft 365 capabilities in Defender XDR, Entra, Intune, and Purview, and maps to Threatscape Overwatch security posture controls so adoption can be tracked, assisted by expert guidance, and verified. Organisations should adopt the Threatscape Essential 10 as a standard Microsoft 365 security awareness guide and use it to drive their security programme. 
