Updated as of February 10, 2025
Misconfigurations, excessive admin privileges, and guest access risks in Microsoft 365 leave organizations vulnerable. In this article, we cover Office 365 security best practices from Microsoft that help security teams close the biggest gaps, including:
“Any configuration drift from the initial posture can introduce vulnerabilities, break functionality, or disrupt availability,” warns Microsoft. To address this, they recommend using a real-time drift detection system, such as their native Configuration Analyzer.
Still, when administrators make policy changes in Microsoft 365, the system overwrites previous configuration histories with new timestamps, making it difficult to keep accurate change tracking records. The Configuration Analyzer provides basic drift analysis but requires Unified Auditing to be enabled. It’s also limited to security policies and doesn’t cover the full range of Microsoft 365 configurations.
For a more comprehensive approach to drift detection, implement a system that continuously monitors your configurations across the entire Microsoft 365 environment. This should include Entra ID, Defender, Intune, Purview, Exchange, SharePoint, and Teams. Each of these workloads should align with established baselines and best practices. Consider using Configuration as Code principles to automatically detect deviations from these baselines so you can quickly restore them in case of disaster.
Last but not least, maintaining detailed logs of all changes, including who made them, when they happened, and the reasons behind them, is crucial for full visibility and control and to comply with configuration change management requirements.
Vasil Michev, 9-time Microsoft MVP, shares his thoughts on configurations:
“Microsoft 365 has grown immensely over the last decade and nowadays includes hundreds of configuration settings. While most settings can be found in the Microsoft 365 Admin Center, some of them are only exposed in the "specialized" admin portals, and sometimes only via PowerShell or the Graph API. In turn, it's not uncommon for such settings to be overlooked by admins. Even when you have a good understanding of all the settings, without advanced tools such as CoreView, you will have to manually audit changes across multiple endpoints to identify and remediate potential misconfigurations.”
Microsoft recommends integrating "detailed change management processes" to maintain the integrity of your business data. It even goes so far as to offer up its own Change Management Plan to help customers plan for crucial updates. However, its native tools are lacking in more than a few areas.
Enabling configuration change management within Microsoft 365 requires having Dev and Test tenants where configurations can be experimented with and tested. However, for these tests to be reliable, the Test tenants must have consistent configurations with the Production tenant. Keeping just one tenant correctly configured can be a full-time job for multiple admins, and keeping two tenants in sync adds even more layers of complexity and work.
To address these challenges, consider implementing automated change management capabilities. Not only will this type of system help maintain consistent configurations across development, test, and production environments, but it will also keep detailed audit logs of configuration changes and automatically detect configuration drift.
You may even consider using tools that allow you to template your Microsoft 365 tenant configurations. This can add powerful automation and ensure that all changes adhere to structured management processes. As a result, you simplify the change management workflow and minimize the risk of misconfigurations.
With the new Microsoft 365 Backup platform for SharePoint, OneDrive, and Exchange, Microsoft recognizes the need for a centralized backup solution for your business data. However, it still does not offer a native backup solution for tenant configurations, forcing users to resort to code-heavy options like the open-source PowerShell module called Microsoft 365 DSC.
Yet while this tool can "create a snapshot of your current tenant configuration across services like Exchange Online, SharePoint, Teams, and more," it remains extremely code-intensive and suffers from poor performance at scale, rendering it unsuitable for the spontaneous needs of large-scale enterprise organizations.
However, regardless of the method you use to back up your configurations, it's crucial to perform backups on a daily basis. This practice ensures that you have the most current version available and minimizes potential data loss.
Additionally, ongoing drift detection is vital to ensure that your configurations remain aligned with your business goals. If an unauthorized actor gains access to your tenant, you’ll need an easy way to roll back critical changes. Templating your ideal configurations and maintaining a comprehensive version history of changes can help support robust and effective configuration management.
In the Administrator Accounts Security Planning Guide, Microsoft emphasizes the importance of minimizing privileged access to enhance security. The company recommends assigning "fewer than five people" as Global Administrators, as these accounts have "essentially unrestricted access." For other privileged roles, Microsoft suggests limiting assignments to "fewer than 10" to reduce risks. The idea is simple: users should only have the minimum permissions needed to complete a task.
To support this, Microsoft offers tools like Role-Based Access Control (RBAC), Privileged Identity Management (PIM), and Privileged Access Management (PAM). But Microsoft's roles are often too broad and unrestrictive, forcing organizations to give users dangerous levels of access.
The solution to this is straightforward; you just need a way to easily delegate “just enough” access to administrators. There are two sides to this coin. Firstly, there is the environment that an admin gets access to, then there are the permissions that the admin has.
On the environmental side it is best to segment your tenant so that administrators can only flex their privileges where they need to. For example, a user with an Endpoint Privilege Manager role will by default have the ability to manage endpoint policies for all users globally within the Intune console, but in most cases this level of access is not necessary.
This highlights the need for tenant segmentation: the ability to give an administrator limited access based on time zone, region, office, and other divisional boundaries. With this segmented environment in place, you can ensure that the admin is granted the precise permission they need to fulfill their task.
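The two sides described above, as an added example that is not part of the original article or of CoreView's product: first, count who holds Global Administrator against Microsoft's "fewer than five" guidance; second, delegate a role scoped to an administrative unit rather than tenant-wide. It assumes the Microsoft.Graph PowerShell SDK; the administrative unit name, the `usageLocation` filter and the helpdesk account are placeholders. The Global Administrator role definition ID is Microsoft's fixed template ID.

```powershell
# Added example (not from the article or CoreView). Assumes Microsoft.Graph SDK.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory','AdministrativeUnit.ReadWrite.All','User.Read.All'

# --- 1. Who is a Global Administrator? (active assignments; PIM-eligible ones are not included here)
$gaRoleDefinitionId = '62e90394-69f5-4237-9190-012177145e10'   # fixed template ID for Global Administrator
$gaAssignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
    -Filter "roleDefinitionId eq '$gaRoleDefinitionId'" -ExpandProperty Principal

$gaPrincipals = $gaAssignments | ForEach-Object {
    [pscustomobject]@{
        DisplayName = $_.Principal.AdditionalProperties['displayName']
        Type        = $_.Principal.AdditionalProperties['@odata.type']   # user, group or servicePrincipal
        Scope       = $_.DirectoryScopeId                                # '/' means the whole tenant
    }
}
$gaPrincipals | Format-Table -AutoSize
if ($gaPrincipals.Count -ge 5) {
    Write-Warning "$($gaPrincipals.Count) Global Administrator assignments; Microsoft recommends fewer than five."
}

# --- 2. Delegate Helpdesk Administrator over one population only, via an administrative unit
$au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
    displayName = 'EMEA-Helpdesk-Scope'                      # placeholder name
    description = 'Users supported by the EMEA helpdesk'     # placeholder
}

# Static membership for the example; dynamic membership rules are an alternative
foreach ($u in Get-MgUser -All -Filter "usageLocation eq 'DE'") {   # placeholder selection
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/users/$($u.Id)"
    }
}

$helpdeskRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
$admin        = Get-MgUser -UserId 'helpdesk.emea@contoso.example'   # placeholder account

# The scope restricts the role to members of the AU instead of every user in the tenant
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $admin.Id `
    -RoleDefinitionId $helpdeskRole.Id `
    -DirectoryScopeId "/administrativeUnits/$($au.Id)"
```

Run the first half on a schedule and alert on the count; the second half is the pattern to repeat for each region or division that needs its own administrators.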
“I’m proud to highlight how our partnership with CoreView empowers organizations using Microsoft 365 to achieve exceptional security outcomes. CoreView’s suite enhances our customers’ ability to enforce the principle of least privilege by providing granular visibility and real-time control over user access. This integration enables organizations to quickly identify and remediate over-privileged accounts, significantly reducing the overall attack surface. By streamlining compliance and allowing teams to focus on proactive security measures, CoreView complements Microsoft’s commitment to robust, agile, and secure solutions in today’s dynamic threat landscape.” - Terence Jackson, Customer Security Officer at Microsoft
Microsoft often highlights the importance of managing privileged app permissions in Entra ID, stressing that organizations need "extensive access management for configured applications" to ensure proper access policies are in place.
39% of third-party apps connecting to Entra request high-level permissions, with many organizations managing thousands of these apps that have privileged access but minimal visibility for security. To help, Microsoft provides native tools like Application Proxy, Conditional Access policies, and built-in administrative roles for app management.
While offering a good starting point, these tools lack full visibility into app permissions across the tenant, making it hard for organizations to maintain consistent business logic across multiple apps. Additionally, detecting and fixing apps with excessive privileges is challenging, which complicates enforcing least-privilege access controls.
Solving this problem therefore requires enhanced visibility. Being able to report on all Entra Apps, to see who owns them, when secrets are expiring (and when they aren’t), and finally, being able to filter apps based on the levels of permissions they have, is critical.
Also, given that there can sometimes be hundreds or thousands of Entra applications running in a tenant, it is wise to implement mechanisms to automate the remediation process where possible.
Moreover, CoreView’s app permission scanner, developed by MVP Vasil Michev and CTO Ivan Fioravanti, identifies elevated custom and third-party app permissions that might lead to non-compliance or security risks, helping organizations stay secure and compliant.
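The report described above (all Entra apps, their owners, credential expiry, and a filter on permission level), as an added example that is neither the article's nor CoreView's scanner. It assumes the Microsoft.Graph PowerShell SDK and read-only permissions. The list of permissions treated as high-privilege is an assumption to tune to your own policy; the Microsoft Graph application ID is Microsoft's well-known value. Application (app-only) permissions are fetched with a single call against the Graph resource rather than once per app, so it stays usable with thousands of service principals.

```powershell
# Added example (not from the article or CoreView). Assumes Microsoft.Graph SDK.
Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All'

# Assumed high-privilege set; adjust to your organisation's policy
$highRisk = @('Directory.ReadWrite.All','RoleManagement.ReadWrite.Directory',
              'Application.ReadWrite.All','AppRoleAssignment.ReadWrite.All',
              'Mail.ReadWrite','Mail.Send','Files.ReadWrite.All','Sites.FullControl.All',
              'User.ReadWrite.All','Group.ReadWrite.All')

# Microsoft Graph's service principal: maps appRole IDs to names such as 'Mail.ReadWrite'
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($r in $graphSp.AppRoles) { $roleName[$r.Id] = $r.Value }

# One call returns every app-only permission granted on Graph, keyed by the consuming principal
$grantsByPrincipal = @{}
foreach ($a in Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All) {
    $grantsByPrincipal[$a.PrincipalId] += @($roleName[$a.AppRoleId])
}

$tenantId = (Get-MgContext).TenantId
$report = foreach ($sp in Get-MgServicePrincipal -All `
        -Property Id,DisplayName,AppId,AppOwnerOrganizationId,PasswordCredentials,KeyCredentials) {

    $perms = @($grantsByPrincipal[$sp.Id])
    $risky = @($perms | Where-Object { $highRisk -contains $_ })

    # Earliest-expiring secret or certificate; $null when the app has no credentials
    $nextExpiry = @($sp.PasswordCredentials + $sp.KeyCredentials |
        ForEach-Object { $_.EndDateTime } | Sort-Object) | Select-Object -First 1

    # Owners are only resolved for risky apps to keep the run fast
    $owners = if ($risky) {
        (Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All |
            ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }) -join ';'
    } else { '' }

    [pscustomobject]@{
        DisplayName   = $sp.DisplayName
        AppId         = $sp.AppId
        ThirdParty    = ($sp.AppOwnerOrganizationId -ne $tenantId)
        Owners        = $owners
        HighRiskPerms = ($risky -join ';')
        NextExpiry    = $nextExpiry
    }
}

# Filter by permission level: third-party apps holding high-risk Graph permissions
$report | Where-Object { $_.ThirdParty -and $_.HighRiskPerms } |
    Sort-Object DisplayName | Format-Table DisplayName, Owners, HighRiskPerms, NextExpiry -AutoSize

# Risky apps with no owner have nobody accountable for a review
$report | Where-Object { $_.HighRiskPerms -and -not $_.Owners } |
    ForEach-Object { Write-Warning "No owner for high-privilege app '$($_.DisplayName)' ($($_.AppId))" }

$report | Export-Csv .\entra-app-permissions.csv -NoTypeInformation
```

Delegated (user-consented) permissions live in OAuth2 permission grants rather than app role assignments, so a full picture also needs `Get-MgOauth2PermissionGrant`; the app-only grants above are the ones that work without a signed-in user and so carry the highest risk.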
Microsoft recommends using the "join, move, and leave" model for managing employee accounts from onboarding to offboarding. For collaboration spaces, the company suggests a structured approach that manages "the beginning, middle, and end" of each workspace's lifecycle, helping organizations effectively track and manage projects. It also recommends setting up retention policies to preserve business-critical data while protecting sensitive information from prying eyes.
To support lifecycle management, Microsoft offers tools like Microsoft Entra ID Governance for identity management, Retention Policies for data lifecycle management, and Teams lifecycle controls for external and internal collaboration. These tools allow organizations to automatically grant or revoke user access based on HR system updates, adjusting user identities as roles or statuses change.
Yet these solutions have limitations, such as a lack of full automation, significant manual intervention, and limited visibility across Microsoft 365 workloads. Managing thousands of user identities and collaboration spaces can quickly become complex without proper automation.
Best practice lifecycle management means having full governance and oversight for users, objects, and privileges in your tenant, and having ways to automate the governance process. For example, trying to detect and deprovision unused users, apps, licenses, and Teams chats without automation can require an almost endless cycle of work. This use case alone builds the business case for investing in a purpose-built offering.
It’s also worth considering how you can use automation to provision and deprovision users, and access reviews to ensure that users only keep the privileges they need.
Microsoft highlights the importance of managing guest access effectively across multiple layers of authorization. Organizations need to implement controls at four key levels: Microsoft Entra ID, Microsoft 365 Groups, Microsoft Teams, and SharePoint Online. The company advises conducting regular "guest access reviews" to confirm whether guests still need permissions, using "terms of use for guests," and enabling "multifactor authentication for guest accounts."
Microsoft’s built-in tools, like Microsoft Entra ID Governance, offer basic guest management features. These include automatically adding or removing user access based on HR system updates and managing user identities as roles or statuses change.
However, these tools lack automated lifecycle management, provide limited visibility across workloads, and don’t offer a centralized way to manage guest access across multiple tenants.
An automated detection and remediation system for managing guest users will not only save you huge amounts of time, but will also reduce your tenant’s risk profile by ensuring guests and external users are always monitored, and by automating their removal when they are no longer active.
It’s also recommended that you implement an alerting process when guests and external users are active in sensitive environments, because these use cases are the highest priority for review.
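The detection, remediation and alerting described in the two paragraphs above, as an added example that is not the article's or CoreView's code. It assumes the Microsoft.Graph PowerShell SDK; reading `signInActivity` requires the `AuditLog.Read.All` permission and an Entra ID P1 licence. The 90-day threshold and the sensitive group IDs are placeholders.

```powershell
# Added example (not from the article or CoreView). Assumes Microsoft.Graph SDK and Entra ID P1.
Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All','GroupMember.Read.All'

$inactiveDays = 90                                  # placeholder threshold
$cutoff       = (Get-Date).AddDays(-$inactiveDays)

$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id,DisplayName,Mail,UserPrincipalName,CreatedDateTime,ExternalUserState,SignInActivity

$stale = foreach ($g in $guests) {
    $last = $g.SignInActivity.LastSignInDateTime
    # A guest who never signed in is judged by creation date instead
    $reference = if ($last) { $last } else { $g.CreatedDateTime }
    if ($reference -lt $cutoff) {
        [pscustomobject]@{
            Id          = $g.Id
            DisplayName = $g.DisplayName
            Mail        = $g.Mail
            LastSignIn  = $last
            Reason      = if ($g.ExternalUserState -eq 'PendingAcceptance') { 'Invitation never accepted' }
                          elseif ($last) { "No sign-in for $inactiveDays days" }
                          else { 'Never signed in' }
        }
    }
}
$stale | Sort-Object LastSignIn | Format-Table DisplayName, Mail, LastSignIn, Reason -AutoSize
$stale | Export-Csv .\stale-guests.csv -NoTypeInformation

# Remediation: review the CSV with the business owner first, then run without -WhatIf.
# Removed guests sit in the recycle bin for 30 days and can be restored.
$stale | ForEach-Object { Remove-MgUser -UserId $_.Id -WhatIf }

# Alert when any guest is a (direct or nested) member of a sensitive group
$sensitiveGroups = @('00000000-0000-0000-0000-000000000001')   # placeholder group IDs
foreach ($gid in $sensitiveGroups) {
    $grp = Get-MgGroup -GroupId $gid
    Get-MgGroupTransitiveMemberAsUser -GroupId $gid -All -Property Id,UserPrincipalName,UserType |
        Where-Object { $_.UserType -eq 'Guest' } |
        ForEach-Object {
            Write-Warning "Guest $($_.UserPrincipalName) has access to sensitive group '$($grp.DisplayName)'"
        }
}
```

Scheduled daily, the first part feeds an access review queue and the second part is the alerting process the article recommends for guests in sensitive environments; route the warnings to your SIEM or ticketing system instead of the console in production.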
Microsoft recommends a multi-layered approach to security configuration, urging organizations to use security baselines to set best practice configurations for devices and apply targeted policies for areas like antivirus, disk encryption, and firewalls.
However, with over 10,000 different policy details available within Microsoft 365, it’s not unusual for organizations to end up with over 100,000 unique configurations. This means that monitoring for where configurations have changed from your ideal standard quickly becomes impractical.
It’s highly recommended that organizations use automation to detect when configurations change and take action where required. The best way to do this is to synchronize your production tenant to a baseline, enabling you to detect when variations occur.
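The baseline comparison recommended above (and the drift detection and change logging discussed earlier on this page), as an added example that is not the article's or CoreView's code. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules. The handful of settings snapshotted here, the file paths and the expected values are placeholders; in practice the snapshot would cover many more settings, but the compare-and-log pattern is the same.

```powershell
# Added example (not from the article or CoreView). Assumes ExchangeOnlineManagement + Microsoft.Graph.
Connect-ExchangeOnline
Connect-MgGraph -Scopes 'Policy.Read.All'

$baselinePath = '.\tenant-baseline.json'   # placeholder; keep this file under version control
$driftLog     = '.\config-drift.log'       # placeholder

# Snapshot of a few security-relevant settings from Exchange Online and Entra ID
function Get-TenantSnapshot {
    $org  = Get-OrganizationConfig
    $auth = Get-MgPolicyAuthorizationPolicy
    $def  = Get-RemoteDomain Default
    [ordered]@{
        'Exchange.AuditDisabled'              = $org.AuditDisabled
        'Exchange.OAuth2ClientProfileEnabled' = $org.OAuth2ClientProfileEnabled      # modern auth
        'Exchange.DefaultDomain.AutoForward'  = $def.AutoForwardEnabled              # external auto-forward
        'Entra.AllowInvitesFrom'              = $auth.AllowInvitesFrom               # who may invite guests
        'Entra.UsersCanRegisterApps'          = $auth.DefaultUserRolePermissions.AllowedToCreateApps
        'Entra.GuestUserRoleId'               = $auth.GuestUserRoleId
    }
}

# Returns one record per setting whose current value differs from the baseline
function Compare-TenantBaseline {
    param(
        [System.Collections.IDictionary]$Baseline,
        [System.Collections.IDictionary]$Current
    )
    foreach ($key in $Baseline.Keys) {
        if ("$($Current[$key])" -ne "$($Baseline[$key])") {
            [pscustomobject]@{ Setting = $key; Expected = $Baseline[$key]; Actual = $Current[$key] }
        }
    }
}

$current = Get-TenantSnapshot

# First run on a known-good tenant: write the baseline and stop
if (-not (Test-Path $baselinePath)) {
    $current | ConvertTo-Json | Set-Content $baselinePath
    Write-Host "Baseline written to $baselinePath"
    return
}

$baseline = [ordered]@{}
(Get-Content $baselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = $_.Value }

# Later runs: log every deviation with a timestamp so the change history is not overwritten
$drift = @(Compare-TenantBaseline -Baseline $baseline -Current $current)
foreach ($d in $drift) {
    $line = "{0:o} DRIFT {1}: expected '{2}', found '{3}'" -f (Get-Date), $d.Setting, $d.Expected, $d.Actual
    Add-Content $driftLog $line
    Write-Warning $line
}
if (-not $drift) { Add-Content $driftLog ("{0:o} OK no drift" -f (Get-Date)) }

# To attribute a drift (who, when): query the unified audit log for the same window.
# Requires Unified Auditing to be enabled, as the article notes.
if ($drift) {
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
        -RecordType ExchangeAdmin -ResultSize 1000 |
        Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize
}
```

Restoring a drifted setting is the reverse of the snapshot (for example `Set-RemoteDomain Default -AutoForwardEnabled $false`); keeping those restore commands next to the baseline turns the script into the Configuration as Code approach described earlier.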
"Threat actors can exploit compromised user accounts in several ways, such as reading emails, creating rules to forward emails to external accounts, deleting traces of their activity, and sending phishing emails," warns Microsoft. To help combat these threats, the company offers tools like Threat Explorer and Microsoft Defender for Office 365.
However, the remediation process involves multiple manual steps across different admin centers. To make matters worse, Microsoft caps actions at batches of 50,000 messages for optimal performance. The platform also struggles with consistent monitoring across multiple workloads, forcing security teams to switch between interfaces to fully resolve issues.
Building out visibility and enhancing reporting/alerting for suspicious and high-risk mailboxes is therefore critical. For organizations looking to manage potential threats, it’s recommended that they monitor for mailboxes with automated forwarding, audit turned off, and no litigation hold as a starting point. From there, building enhanced visibility of mail flow is also highly beneficial – making it easy to drill down and see which domains your teams have been emailing with during an attack.
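The starting-point checks listed above (forwarding, auditing off, no litigation hold) together with the mail-flow drill-down, as an added example that is not the article's or CoreView's code. It assumes the ExchangeOnlineManagement module and an Exchange administrator role; the 48-hour trace window is a placeholder. Forwarding inbox rules are included because they are the second place mail can be diverted, alongside the mailbox-level forwarding property.

```powershell
# Added example (not from the article or CoreView). Assumes ExchangeOnlineManagement.
Connect-ExchangeOnline

# Property sets keep the call cheap: Delivery = forwarding, Hold = litigation hold, Audit = AuditEnabled
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
    -PropertySets Minimum,Delivery,Hold,Audit

# --- Mailbox-level flags
$flagged = foreach ($m in $mailboxes) {
    $reasons = @()
    if ($m.ForwardingSmtpAddress -or $m.ForwardingAddress) {
        $reasons += "forwarding to $($m.ForwardingSmtpAddress)$($m.ForwardingAddress)"
    }
    if (-not $m.AuditEnabled)          { $reasons += 'AuditEnabled is false' }
    if (-not $m.LitigationHoldEnabled) { $reasons += 'no litigation hold' }
    if ($reasons) {
        [pscustomobject]@{ Mailbox = $m.UserPrincipalName; Reasons = ($reasons -join ', ') }
    }
}
$flagged | Sort-Object Mailbox | Format-Table -AutoSize

# With mailbox auditing on by default, the org-level switch is what decides whether the
# default actions are audited; AuditDisabled = $false means auditing is on tenant-wide.
Get-OrganizationConfig | Select-Object AuditDisabled

# --- Inbox rules that forward or redirect mail (per-mailbox call, so this is the slow part)
$forwardRules = foreach ($m in $mailboxes) {
    Get-InboxRule -Mailbox $m.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $m.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
$forwardRules | Format-Table -AutoSize

# --- Tenant-wide controls that limit automatic forwarding to external domains
Get-RemoteDomain Default | Select-Object Name, AutoForwardEnabled
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode   # 'Off' blocks external auto-forward

# --- Mail-flow drill-down: recipient domains over the last 48 hours, most frequent first
$domains = Get-MessageTrace -StartDate (Get-Date).AddHours(-48) -EndDate (Get-Date) -PageSize 5000 |
    ForEach-Object { ($_.RecipientAddress -split '@')[-1].ToLower() } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object @{ n = 'Domain'; e = { $_.Name } }, Count -First 20
$domains | Format-Table -AutoSize
```

During an incident, rerun only the last section with a narrower window and compare against a baseline list of domains your teams normally correspond with; newly appearing domains are the ones to investigate first.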
Microsoft provides native tools like sensitivity labels, sharing restrictions at site level, and Data Loss Prevention (DLP) policies to control unauthorized sharing. These tools allow organizations to configure sharing settings across Microsoft Entra ID, SharePoint, OneDrive, and Teams.
But due to the limited automation capabilities of these tools, IT teams are forced to juggle multiple interfaces at the same time while manually working through endless settings to configure and implement their external sharing policies.
Best practice here means keeping your team alert to high-risk sharing scenarios. A good example of this is external sharing links with no expiration policy. These links create a web of access in and out of your tenant and therefore need to be managed.
This report explores attack vectors used by cybercriminals and provides best practices to secure your tenant, offering insights to strengthen your security posture against cyberattacks.
Access the Anatomy of a Microsoft 365 Attack here.
Launched in September 2018, Microsoft Learn is a comprehensive documentation hub for training your IT team on all things Office 365. It contains many detailed guides on how best to secure your workspace in the face of increasing cyberattacks, such as:
With such a huge database of best practices to parse through, it’s no wonder that IT managers have a hard time setting up their Office 365 environment in the most secure way. What’s worse is the fact that Microsoft doesn’t often provide any of the native tools and resources needed to implement many of its security recommendations.
Instead of wading through Microsoft’s resources to find security best practices for your organization, consider CoreView.
Created by Microsoft 365 experts, for Microsoft 365 experts, CoreView makes best practice for Microsoft 365 effortless by simplifying, unifying, and enhancing the Microsoft 365 admin experience. Security teams use CoreView to:
Middleby, a leading manufacturer of cooking, residential, and industrial processing equipment in the US, has saved more than $200,000 to date in Microsoft 365 costs by implementing CoreView. A few other success stories from our many years in business include the City University of New York (CUNY), Jefferson County Public Library, and the Burke Porter Group.
The decision to implement CoreView ultimately comes down to one question: Is your organization struggling with the complexity of managing Microsoft 365 security and administration across multiple portals and teams? If you're dealing with configuration drift, security vulnerabilities, or spending excessive time on manual Microsoft 365 management tasks, schedule a demo today for a courtesy health check by our operations team.