Configure your Microsoft 365 tenant for increased security


The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.


This topic walks you through recommended configuration for tenant-wide settings that affect the security of your Microsoft 365 environment. Your security needs might require more or less security. Use these recommendations as a starting point.

Check Office 365 Secure Score

Office 365 Secure Score analyzes your organization's security based on your regular activities and security settings and assigns a score. Begin by taking note of your current score. Adjusting some tenant-wide settings will increase your score. The goal is not to achieve the maximum score, but to be aware of opportunities to protect your environment that do not negatively affect productivity for your users. See Microsoft Secure Score.

Tune threat management policies in the Microsoft 365 security center

The Microsoft 365 security center includes capabilities that protect your environment. It also includes reports and dashboards you can use to monitor and take action. Some areas come with default policy configurations. Some areas do not include default policies or rules. Visit these policies under threat management to tune threat management settings for a more secure environment.

Area: Anti-phishing
Includes a default policy: Yes
Recommendation: If you have a custom domain, configure the default anti-phishing policy to protect the email accounts of your most valuable users, such as your CEO, and to protect your domain.

Review Anti-phishing policies in Office 365 and see Configure anti-phishing policies in EOP or Configure anti-phishing policies in Microsoft Defender for Office 365.

Area: Anti-Malware Engine
Includes a default policy: Yes
Recommendation: Edit the default policy:
  • Common Attachment Types Filter: Select On

You can also create custom malware filter policies and apply them to specified users, groups, or domains in your organization.


Area: Safe Attachments in Microsoft Defender for Office 365
Includes a default policy: No
Recommendation: On the main page for Safe Attachments, click Global settings and turn on this setting:
  • Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams

Create a Safe Attachments policy with these settings:

  • Block: Select Block as the unknown malware response.
  • Enable redirect: Check this box and enter an email address, such as an admin or quarantine account.
  • Apply the above selection if malware scanning for attachments times out or an error occurs: Check this box.
  • Applied to: The recipient domain is > select your domain.

More information: Safe Attachments for SharePoint, OneDrive, and Microsoft Teams and Set up Safe Attachments policies

Area: Safe Links in Microsoft Defender for Office 365
Includes a default policy: Yes
Recommendation: On the main page for Safe Links, click Global settings:
  • Use Safe Links in: Office 365 applications: Verify this setting is turned on.
  • Do not track when users click Safe Links: Turn this setting off to track user clicks.

Create a Safe Links policy with these settings:

  • Select the action for unknown potentially malicious URLs in messages: Verify this setting is On.
  • Select the action for unknown or potentially malicious URLs within Microsoft Teams: Verify this setting is On.
  • Apply real-time URL scanning for suspicious links and links that point to files: Check this box.
  • Wait for URL scanning to complete before delivering the message: Check this box.
  • Apply Safe Links to email messages sent within the organization: Check this box.
  • Do not allow users to click through to original URL: Check this box.
  • Applied To: The recipient domain is > select your domain.

More information: Set up Safe Links policies.
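The three Defender for Office 365 rows above (anti-malware, Safe Attachments, Safe Links) can be applied from Exchange Online PowerShell instead of the portal. The block below is an added example, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a Security Administrator or Exchange Administrator role, and that the domain, mailbox and policy names shown are placeholders you replace with your own.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module; 'contoso.com', the redirect mailbox and the policy names are placeholders.
Connect-ExchangeOnline

$domain   = 'contoso.com'             # placeholder: your custom domain
$redirect = 'quarantine@contoso.com'  # placeholder: admin or quarantine mailbox

# Anti-Malware row: turn on the Common Attachment Types Filter in the default policy
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true

# Safe Attachments / Safe Links global settings: protect SharePoint, OneDrive and Teams,
# and use Safe Links in Office 365 applications
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true -EnableSafeLinksForO365Clients $true

# Safe Attachments policy: Block as the unknown malware response, redirect blocked
# messages, apply the same action when scanning times out or errors, scoped to
# recipients in the custom domain
New-SafeAttachmentPolicy -Name 'Baseline Safe Attachments' `
    -Enable $true -Action Block `
    -Redirect $true -RedirectAddress $redirect `
    -ActionOnError $true
New-SafeAttachmentRule -Name 'Baseline Safe Attachments' `
    -SafeAttachmentPolicy 'Baseline Safe Attachments' `
    -RecipientDomainIs $domain

# Safe Links policy: rewrite unknown URLs in mail and Teams, scan suspicious links
# and file links in real time, hold delivery until scanning completes, include
# intra-organization mail, block click-through, and keep click tracking on
New-SafeLinksPolicy -Name 'Baseline Safe Links' `
    -IsEnabled $true -EnableSafeLinksForTeams $true `
    -ScanUrls $true -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true -DoNotAllowClickThrough $true `
    -TrackClicks $true
New-SafeLinksRule -Name 'Baseline Safe Links' `
    -SafeLinksPolicy 'Baseline Safe Links' `
    -RecipientDomainIs $domain

# Verify the settings actually landed (compare against the bullet lists above)
Get-MalwareFilterPolicy -Identity Default | Format-List EnableFileFilter
Get-SafeAttachmentPolicy -Identity 'Baseline Safe Attachments' |
    Format-List Enable, Action, Redirect, RedirectAddress, ActionOnError
Get-SafeLinksPolicy -Identity 'Baseline Safe Links' |
    Format-List IsEnabled, EnableSafeLinksForTeams, ScanUrls, DeliverMessageAfterScan,
                EnableForInternalSenders, DoNotAllowClickThrough, TrackClicks
```

Scoping the rules with `-RecipientDomainIs` mirrors the "Applied to: The recipient domain is" step; run the `Get-*` commands again after any portal change so the exported values can be diffed against this baseline.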

Area: Anti-Spam (Mail filtering)
Includes a default policy: Yes
Recommendation: What to watch for:
  • Too much spam: Choose the Custom settings and edit the Default spam filter policy.
  • Spoof intelligence: Review senders that are spoofing your domain. Block or allow these senders.

More information: Microsoft 365 Email Anti-Spam Protection.

Area: Email Authentication
Includes a default policy: Yes
Recommendation: Email authentication uses the Domain Name System (DNS) to add verifiable information to email messages about the sender of an email. Microsoft 365 sets up email authentication for its default domain (, but Microsoft 365 admins can also use email authentication for custom domains. Three authentication methods are used:

For non-standard deployments of SPF, hybrid deployments, and troubleshooting: How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing.
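Because SPF is published as a DNS TXT record that you maintain yourself, it is worth checking the record for the mistakes that quietly weaken it. The function below is an added example, not code from the original article or from Microsoft: it takes the `v=spf1` string for a domain and reports the common problems (missing or permissive `all` qualifier, the deprecated `ptr` mechanism, more than the ten DNS lookups RFC 7208 permits, and a missing `include:spf.protection.outlook.com`, which is the include Microsoft 365 requires for mail it sends on your behalf). The two sample records are constructed for illustration; the `Resolve-DnsName` line in the comment shows how you would fetch a real one.

```powershell
# Added example (not from the original article): review an SPF TXT record for
# weaknesses. In production fetch the record with
#   (Resolve-DnsName -Name $domain -Type TXT).Strings -join ''
# and pass the string that starts with v=spf1.
function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)

    $findings = [System.Collections.Generic.List[string]]::new()
    $terms = $Record.Trim() -split '\s+'

    if ($terms[0] -ne 'v=spf1') {
        $findings.Add('Record does not start with v=spf1; receivers ignore it')
        return $findings
    }

    # RFC 7208 section 4.6.4: at most 10 mechanisms/modifiers that cause DNS lookups
    $lookupTerms = @($terms | Where-Object {
        $_ -match '^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect='
    })
    if ($lookupTerms.Count -gt 10) {
        $findings.Add("Too many DNS lookups ($($lookupTerms.Count) > 10); receivers return permerror")
    }

    if ($terms | Where-Object { $_ -match '^[+\-~?]?ptr(:|$)' }) {
        $findings.Add('ptr mechanism is deprecated and expensive for receivers to evaluate')
    }

    # The last "all" term decides what happens to every sender not listed before it
    $all = $terms | Where-Object { $_ -match '^[+\-~?]?all$' } | Select-Object -Last 1
    if (-not $all) {
        $findings.Add('No "all" mechanism: unlisted senders get a neutral result')
    } elseif ($all -eq 'all' -or $all -eq '+all') {
        $findings.Add('"+all" authorizes every sender, so spoofed mail passes SPF')
    } elseif ($all -eq '?all') {
        $findings.Add('"?all" is neutral; use ~all (softfail) or -all (fail)')
    }

    if (-not ($terms -contains 'include:spf.protection.outlook.com')) {
        $findings.Add('Missing include:spf.protection.outlook.com; mail sent through Microsoft 365 fails SPF')
    }

    return $findings
}

# Constructed sample records (not real domains)
$good = 'v=spf1 include:spf.protection.outlook.com -all'
$weak = 'v=spf1 a mx ptr +all'

Test-SpfRecord -Record $good   # no findings
Test-SpfRecord -Record $weak   # reports ptr, +all and the missing Microsoft 365 include
```

A clean result from this check only means the record is well formed; spoof intelligence in the anti-spam policy is still what tells you whether senders are passing or failing it in practice.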

View dashboards and reports in the security and compliance centers

Visit these reports and dashboards to learn more about the health of your environment. The data in these reports will become richer as your organization uses Office 365 services. For now, be familiar with what you can monitor and take action on. For more information, see Reports in the Microsoft 365 security and compliance centers.

Dashboard: Threat management dashboard
Description: In the Threat management section of the security center, use this dashboard to see threats that have already been handled, and as a handy tool for reporting out to business decision makers on what threat investigation and response capabilities have already done to secure your business.

Dashboard: Threat Explorer (or real-time detections)
Description: This is also in the Threat management section of the security center. If you are investigating or experiencing an attack against your tenant, use Explorer (or real-time detections) to analyze threats. Explorer (and the real-time detections report) shows you the volume of attacks over time, and you can analyze this data by threat families, attacker infrastructure, and more. You can also mark any suspicious email for the Incidents list.

Dashboard: Reports dashboard
Description: In the Reports section of the security center, view audit reports for your SharePoint Online and Exchange Online organizations. You can also access Azure Active Directory (Azure AD) user sign-in reports, user activity reports, and the Azure AD audit log from the View reports page.

Security center Dashboard

Configure additional Exchange Online tenant-wide settings

Many of the controls for security and protection in the Exchange admin center are also included in the security center. You do not need to configure these in both places. Here are a couple of additional settings that are recommended.

Area: Mail Flow (mail flow rules, also known as transport rules)
Includes a default policy: No
Recommendation: Add a mail flow rule to help protect against ransomware by blocking executable file types and Office file types that contain macros. For more information, see Use mail flow rules to inspect message attachments in Exchange Online.

See these additional topics:

Create a mail flow rule to prevent auto-forwarding of email to external domains. For more information, see Mitigating Client External Forwarding Rules with Secure Score.

More information: Mail flow rules (transport rules) in Exchange Online

Area: Enable modern authentication
Includes a default policy: No
Recommendation: Modern authentication is a prerequisite for using multi-factor authentication (MFA). MFA is recommended for securing access to cloud resources, including email.

See these topics:

Modern authentication is enabled by default for Office 2016 clients, SharePoint Online, and OneDrive for Business.

More information: How modern authentication works for Office 2013 and Office 2016 client apps
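The two Exchange Online rows above (the attachment-blocking and anti-forwarding mail flow rules, and modern authentication) translate directly into Exchange Online PowerShell. This block is an added example, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module, an Exchange Administrator account, and that the rule names, reject texts and the macro-enabled extension list are placeholders you adjust to your organization.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module; rule names, reject texts and the extension list are placeholders.
Connect-ExchangeOnline

# Mail flow rule: reject messages whose attachments contain executable content,
# regardless of the file extension the sender chose
New-TransportRule -Name 'Block executable attachments' `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments are not accepted by this organization.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Mail flow rule: reject macro-enabled Office file types (common ransomware carriers)
New-TransportRule -Name 'Block macro-enabled Office attachments' `
    -AttachmentExtensionMatchesWords 'docm','dotm','xlsm','xltm','xlam','pptm','potm','ppam' `
    -RejectMessageReasonText 'Macro-enabled Office attachments are not accepted by this organization.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Mail flow rule: stop automatic forwarding from inside the organization to external
# recipients (a frequent sign of a compromised mailbox being used for data exfiltration)
New-TransportRule -Name 'Block external auto-forward' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external addresses is not allowed.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Modern authentication (OAuth 2.0) for Exchange Online, the prerequisite for MFA on mail clients
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# Verify: the three rules should be Enabled and OAuth2ClientProfileEnabled should be True
Get-TransportRule | Where-Object { $_.Name -like 'Block *' } | Format-Table Name, State, Priority
Get-OrganizationConfig | Format-List OAuth2ClientProfileEnabled
```

Rejecting with a reason text and a 5.7.1 status, rather than silently dropping, tells legitimate senders why their message bounced and keeps the block visible in message trace.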

Configure tenant-wide sharing policies in SharePoint admin center

Microsoft provides recommendations for configuring SharePoint team sites at increasing levels of protection, starting with baseline protection. For more information, see Policy recommendations for securing SharePoint sites and files.

SharePoint team sites configured at the baseline level allow sharing files with external users by using anonymous access links. This approach is recommended instead of sending files in email.

To support the goals for baseline protection, configure tenant-wide sharing policies as recommended here. Sharing settings for individual sites can be more restrictive than this tenant-wide policy, but not more permissive.

Area: Sharing (SharePoint Online and OneDrive for Business)
Includes a default policy: Yes
Recommendation: External sharing is enabled by default. These settings are recommended:
  • Allow sharing to authenticated external users and using anonymous access links (default setting).
  • Anonymous access links expire in this many days: Enter a number, if desired, such as 30 days.
  • Default link type: select Internal (people in the organization only). Users who wish to share using anonymous links must choose this option from the sharing menu.

More information: External sharing overview

SharePoint admin center and OneDrive for Business admin center include the same settings. The settings in either admin center apply to both.

Configure settings in Azure Active Directory

Be sure to visit these two areas in Azure Active Directory to complete tenant-wide setup for more secure environments.

Configure named locations (under conditional access)

If your organization includes offices with secure network access, add the trusted IP address ranges to Azure Active Directory as named locations. This feature helps reduce the number of reported false positives for sign-in risk events.

See: Named locations in Azure Active Directory

Block apps that don't support modern authentication

Multi-factor authentication requires apps that support modern authentication. Apps that do not support modern authentication cannot be blocked by using conditional access rules.

For secure environments, be sure to disable authentication for apps that do not support modern authentication. You can do this in Azure Active Directory with a control that is coming soon.

In the meantime, use one of the following methods to accomplish this for SharePoint Online and OneDrive for Business:
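The tenant-wide sharing baseline from the SharePoint section above and the SharePoint Online / OneDrive for Business part of this step can both be set with the SharePoint Online Management Shell. This block is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint Administrator account, the admin URL is a placeholder, and the `LegacyAuthProtocolsEnabled` setting is the method assumed here for refusing clients that cannot use modern authentication (the article itself does not name a method).

```powershell
# Added example (not from the original article). Assumes the
# Microsoft.Online.SharePoint.PowerShell module; the admin URL is a placeholder.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Sharing baseline from the SharePoint section:
#   - authenticated external users and anonymous access links remain allowed
#   - anonymous links expire after 30 days
#   - the default link type is Internal (people in the organization only)
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
              -RequireAnonymousLinksExpireInDays 30 `
              -DefaultSharingLinkType Internal

# Blocking apps that do not support modern authentication (assumed method):
# with legacy auth protocols disabled, SharePoint Online and OneDrive for Business
# reject basic-auth sign-ins, so only modern-auth clients (which can satisfy MFA
# and conditional access) get in.
Set-SPOTenant -LegacyAuthProtocolsEnabled $false

# Verify; these values apply to both the SharePoint and OneDrive admin centers
Get-SPOTenant | Format-List SharingCapability, RequireAnonymousLinksExpireInDays,
                            DefaultSharingLinkType, LegacyAuthProtocolsEnabled
```

Test `LegacyAuthProtocolsEnabled $false` with a pilot group first: any line-of-business tool that still signs in with a username and password to SharePoint will stop working the moment it is applied.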

Get started with Cloud App Security or Office 365 Cloud App Security

Use Office 365 Cloud App Security to evaluate risk, to alert on suspicious activity, and to automatically take action. Requires Office 365 E5 plan.

Or, use Microsoft Cloud App Security to obtain deeper visibility even after access is granted, comprehensive controls, and improved protection for all your cloud applications, including Office 365.

Because this solution recommends the EMS E5 plan, we recommend you start with Cloud App Security so you can use this with other SaaS applications in your environment. Start with default policies and settings.


Cloud App Security dashboard

Additional resources

These articles and guides provide additional prescriptive information for securing your Microsoft 365 environment: