
Top Tips to Secure Your Microsoft 365 Environment

This article outlines some of our consultants' top tips for using Microsoft 365 to enhance your NFP organisation's security posture, ensuring that sensitive information and business operations are protected against potential threats. These tips are based on the experience of our team of consultants, who help NFPs improve their security, leverage the tools available in the Microsoft 365 suite, and support management and staff in making the right decisions: 

1. Monitor Microsoft Secure Score

Microsoft Secure Score is a free tool within Microsoft 365 that provides a measurement of an organisation's security posture, through a visual representation of security settings and recommended actions in Microsoft 365.  

Key insights: 

  • Access the Microsoft 365 security centre and navigate to the Secure Score dashboard to gain visibility into your organisation's security score. 

  • Understand the recommendations provided and take proactive steps to implement them to enhance your security posture. 

  • Set goals to increase your Secure Score gradually, focusing on addressing high-impact recommendations first. 

  • Use Secure Score to benchmark your organisation’s security posture against similar organisations. 

  • Leverage Secure Score data to enhance decision-making and prioritise security investments effectively. 

2. Use Multi-Factor Authentication (MFA) 

This involves combining two or more independent credentials: what the user knows (password), what the user has (security token) and who the user is (biometric verification). The goal of MFA is to create a layered defence and make it more difficult for an unauthorised person to access a target such as a physical location, computing device, network, or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. 

Key insights: 

  • Enable MFA to add an extra layer of security beyond passwords. 

  • Educate users on the importance of MFA and guide them through the setup process. 

  • Regularly review MFA adoption and compliance across your organisation. 

  • Learn more about MFA setup on the MFA guidance page. 

3. Apply Security Defaults

Security defaults are basic security settings that protect against many identity-related attacks. They include requiring all users to register for Azure multi-factor authentication, requiring administrators to perform multi-factor authentication, blocking legacy authentication protocols, and protecting privileged activities. 

Key insights:  

  • Activate Security Defaults in the Azure AD portal to implement basic security measures against common threats. 

  • Consider moving to Conditional Access policies for more granular security controls. 

  • Regularly review and update your security settings in-line with evolving security threats. 

4. SharePoint vs Client Data 

When using SharePoint for document management, it's important to consider the type of information that should be stored on the platform. While SharePoint offers robust capabilities for collaboration and storage, it's not always the ideal solution for storing sensitive or extensive client data, such as in Excel spreadsheets or Word documents. 

Instead, consider implementing a dedicated client management system for storing and managing client-related information. A client management system provides specialised tools and features tailored to the needs of managing client relationships, such as contact information, communication history, service details, and more. 

Key insights:    

  • Data Security: Consider who has access to sensitive information as well as security, privacy and compliance when storing sensitive client info. 

  • Compliance Concerns: Consider your compliance and regulatory requirements for storing and retaining information, as it is often a condition of funding agreements or contracts that information is secured in a certain way, e.g. hosted in Australia. 

  • Advanced Functionality: Storing client information in a system or database instead of documents offers more advanced functionality like tracking client interactions, online portals for client access, outcome measurement, reporting and marketing communications. 

  • Workflow Efficiency: Client management systems often provide opportunities to improve efficiencies, centralise data and streamline workflows through the data input process. 

5. SharePoint: Permissions and Security Groups 

In SharePoint, ‘permissions’ and ‘security groups’ are two key elements that govern access to resources within the platform. While both serve the purpose of controlling access, they differ in their approach and scope. 

Permissions: In SharePoint, permissions refer to the specific rights granted to users or groups to perform actions on individual items or documents within a site or document library. These permissions can be changed to allow or restrict actions such as viewing, editing, deleting, or sharing specific content. 

Security Groups: Security groups, on the other hand, are collections of users who share common access requirements. By assigning permissions to a security group rather than to individual users, administrators can streamline access management and simplify permission assignments. This approach is particularly useful in scenarios where multiple users require the same level of access to certain resources. 

Key insights: 

  • Assigning permissions to security groups streamlines user management by handling permissions at a group level, reducing the need for individual user permissions management. 

  • Security groups ensure users with similar roles or responsibilities consistently have access to resources throughout the SharePoint environment, promoting uniformity in access management. 

  • As the number of resources in SharePoint increases, managing permissions through security groups becomes more scalable and efficient than managing users individually, enabling easier management as the platform grows. 

  • Security groups can be easily modified to accommodate changes in organisational structure or access requirements, thereby providing flexibility and adaptability in managing access control over time. 
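The group-based model described above can be checked rather than assumed. The following Python script is an added example, not code from the article or from Microsoft: it models sites, security groups and permission levels with constructed names, resolves the effective level a user holds on a site, and audits for permissions granted directly to individual users, which is the pattern the section recommends avoiding. The permission level names are SharePoint's standard ones; everything else (group names, sites, users) is made up for the example.

```python
"""Model SharePoint access granted through security groups and audit for
permissions assigned directly to individual users."""
from copy import deepcopy

# Permission levels ordered from least to most privileged.
PERMISSION_LEVELS = {"Read": 1, "Contribute": 2, "Edit": 3, "Full Control": 4}

# Constructed security group membership: group -> set of users.
GROUP_MEMBERS = {
    "SG-Finance": {"alice@example.org", "bob@example.org"},
    "SG-AllStaff": {"alice@example.org", "bob@example.org", "carol@example.org"},
    "SG-SiteOwners": {"dana@example.org"},
}

# Constructed site permission assignments: site -> principal -> level.
# A principal is normally a security group; carol's direct grant on Finance is
# the kind of one-off assignment the audit below is meant to surface.
SITE_ASSIGNMENTS = {
    "Finance": {"SG-Finance": "Contribute", "SG-SiteOwners": "Full Control", "carol@example.org": "Edit"},
    "Intranet": {"SG-AllStaff": "Read", "SG-SiteOwners": "Full Control"},
}


def effective_level(user, site, assignments=SITE_ASSIGNMENTS, groups=GROUP_MEMBERS):
    """Highest permission level a user holds on a site, via a group or a direct grant; None if no access."""
    best = None
    for principal, level in assignments.get(site, {}).items():
        if principal == user or user in groups.get(principal, ()):
            if best is None or PERMISSION_LEVELS[level] > PERMISSION_LEVELS[best]:
                best = level
    return best


def access_report(user, assignments=SITE_ASSIGNMENTS, groups=GROUP_MEMBERS):
    """Effective level on every site, e.g. to review what a role change grants."""
    return {site: effective_level(user, site, assignments, groups) for site in assignments}


def audit_direct_grants(assignments=SITE_ASSIGNMENTS, groups=GROUP_MEMBERS):
    """(site, user, level) for permissions granted to a user instead of a group."""
    return [(site, principal, level)
            for site, grants in assignments.items()
            for principal, level in grants.items()
            if principal not in groups]


def with_member(groups, group, user):
    """Copy of the membership map with user added to group (the original is not mutated)."""
    updated = deepcopy(groups)
    updated.setdefault(group, set()).add(user)
    return updated


if __name__ == "__main__":
    print("direct grants to review:", audit_direct_grants())
    print("alice:", access_report("alice@example.org"))
    # Onboarding erin into finance: one group change covers every site the group is assigned to.
    new_groups = with_member(with_member(GROUP_MEMBERS, "SG-AllStaff", "erin@example.org"),
                             "SG-Finance", "erin@example.org")
    print("erin after onboarding:", access_report("erin@example.org", groups=new_groups))
```

Running the script lists carol's direct Edit grant on the Finance site as the one assignment to move into a group, and shows that adding a new starter to two groups gives them the expected Read and Contribute access without touching any site.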

6. Train Your Users

Users should be made aware of the potential risks and threats in the digital world, and how their behaviour can help foster a safe virtual environment. This can be achieved through regular security training and educational programs to help users recognise potential security risks and how to manage them. This particularly includes phishing attempts and online safety practices. 

Key insights: 

  • Implement ongoing security awareness training and phishing simulation processes to help users recognise and respond to security threats. 

  • Use resources like Microsoft's security training to educate your team. 

  • Encourage a security-first culture in which users promptly report suspicious activities. 

  • Speak to your IT team or IT provider to see if they can help with this process or have access to tools or training. 

7. Monitor Unusual and Risky Activities 

Microsoft 365 has built-in tools that administrators can use to monitor user activities in real time. It is crucial that administrators pay particular attention to uncommon patterns in logon activities which could indeed signal unauthorised attempts to access company data. Patterns to watch out for include logons from unknown devices or locations, multiple failed logins, and non-business hours logins. 

Key insights: 

  • Limit access to admin privileges and accounts and set up alerts and monitoring for any administrator accounts. 

  • Use the built-in monitoring tools within Microsoft 365 to track and analyse login behaviours. 

  • Set up alerts for unusual login activities to quickly detect potential security breaches. 

  • Regularly audit login reports and adjust security measures based on observed patterns. 
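The three patterns named above (logons from unknown locations, multiple failed logins, and non-business-hours logins) can be checked automatically against exported sign-in data. The script below is an added example, not code from the article or from Microsoft: it runs over a handful of constructed sign-in records, whose field names are a simplified assumption modelled on an Entra ID sign-in log export rather than the official schema, and raises a finding for each pattern. The thresholds (three failures in ten minutes, business hours 07:00 to 18:59 on weekdays) are assumptions to adjust for your organisation.

```python
"""Flag the sign-in patterns the article lists: repeated failures, sign-ins from
a location not seen before for that user, and sign-ins outside business hours."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data). The field names are a
# simplified assumption modelled on an Entra ID sign-in log export, not the
# official schema. status 0 means success; any other value is a failure code.
SAMPLE_SIGNINS = [
    {"user": "carol@example.org", "time": "2024-05-04T11:00:00+10:00", "status": 0, "country": "AU", "device": "CAROL-PC"},
    {"user": "alice@example.org", "time": "2024-05-06T09:12:00+10:00", "status": 0, "country": "AU", "device": "ALICE-LAPTOP"},
    {"user": "bob@example.org", "time": "2024-05-06T10:00:00+10:00", "status": 50126, "country": "AU", "device": "BOB-PC"},
    {"user": "bob@example.org", "time": "2024-05-06T10:01:00+10:00", "status": 50126, "country": "AU", "device": "BOB-PC"},
    {"user": "bob@example.org", "time": "2024-05-06T10:03:00+10:00", "status": 50126, "country": "AU", "device": "BOB-PC"},
    {"user": "bob@example.org", "time": "2024-05-06T10:05:00+10:00", "status": 0, "country": "AU", "device": "BOB-PC"},
    {"user": "alice@example.org", "time": "2024-05-06T14:40:00+10:00", "status": 0, "country": "AU", "device": "ALICE-LAPTOP"},
    {"user": "alice@example.org", "time": "2024-05-07T03:15:00+10:00", "status": 0, "country": "NG", "device": "unknown"},
]

FAIL_THRESHOLD = 3                 # failures per user within FAIL_WINDOW that raise a finding
FAIL_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 19)      # 07:00-18:59 local time, Monday to Friday (assumed)


def is_after_hours(ts):
    """True for weekend sign-ins or sign-ins outside BUSINESS_HOURS, in the record's local time."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect(records):
    """Return (user, kind, detail) findings, processing records in time order.

    kind is one of: repeated_failures, new_location, after_hours.
    A user's earlier successful sign-ins form the baseline of known countries,
    so the first successful sign-in for a user never counts as a new location.
    """
    findings = []
    known_countries = defaultdict(set)   # user -> countries seen in successful sign-ins
    recent_failures = defaultdict(list)  # user -> timestamps of failures inside FAIL_WINDOW
    for rec in sorted(records, key=lambda r: datetime.fromisoformat(r["time"])):
        ts = datetime.fromisoformat(rec["time"])
        user = rec["user"]
        if rec["status"] != 0:
            window = [t for t in recent_failures[user] if ts - t <= FAIL_WINDOW]
            window.append(ts)
            recent_failures[user] = window
            if len(window) == FAIL_THRESHOLD:   # fire once per burst, not on every extra failure
                findings.append((user, "repeated_failures", f"{FAIL_THRESHOLD} failures within {FAIL_WINDOW}"))
            continue
        if known_countries[user] and rec["country"] not in known_countries[user]:
            findings.append((user, "new_location", rec["country"]))
        known_countries[user].add(rec["country"])
        if is_after_hours(ts):
            findings.append((user, "after_hours", rec["time"]))
    return findings


def summarise(findings):
    """Count findings per user so the accounts needing review surface first."""
    return Counter(user for user, _, _ in findings)


if __name__ == "__main__":
    for user, kind, detail in detect(SAMPLE_SIGNINS):
        print(f"{user:22} {kind:18} {detail}")
    print(summarise(detect(SAMPLE_SIGNINS)))
```

On the sample data the script reports a weekend sign-in for carol, a burst of failed logins for bob, and an early-morning sign-in from a new country for alice, which is the case to look at first. In practice the same logic would be run over the sign-in export from the Microsoft 365 admin tools, and each finding type would map to an alert.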

8. Regularly Update and Patch 

Updates usually come with patches that resolve bugs and other security vulnerabilities detected since the last update. Regularly updating your Microsoft 365 applications ensures you benefit from the security patches and keep these vulnerabilities at bay. 

Key insights: 

  • Ensure your Microsoft 365 applications are always up to date with the latest security patches and updates. 

  • Set up automatic updates where possible to minimise the risk of vulnerabilities. 

  • Stay informed about new releases and updates on the Microsoft 365 update page.

9. Email Filtering and Advanced Threat Protection (ATP)  

Email filtering is a crucial component of cyber security for organisations, aimed at safeguarding against various threats lurking in email communications. It serves as a frontline defence, particularly against phishing attacks, malware, and other forms of malicious content. 

An example of email filtering within the Microsoft 365 ecosystem is Advanced Threat Protection (ATP), which includes features to protect your organisation against malicious threats embedded in email, with Safe Links protection that proactively protects users from dangerous URLs. 

Key insights: 

  • Activate ATP to protect against sophisticated threats like phishing and zero-day malware. 

  • Configure ATP policies to suit your organisation's security needs. 

  • Educate users about the protections ATP provides and how to respond to alerts. 

10. Implement Conditional Access Policies 

Conditional Access is used to enforce controls on access to apps in your environment, based on specific conditions, from a central location. For example, you can set a policy to block access to any application for a user who is trying to log in from a suspicious location or device. 

Key insights: 

  • Define and enforce access policies based on user, location, device, and application. 

  • Regularly review and refine these policies to adapt to new security challenges. 

  • Use the Conditional Access documentation to explore advanced configurations. 
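The "block from a suspicious location" policy described above can be written out and dry-run before it is enforced. The following Python script is an added example, not code from the article or from Microsoft: it builds a policy body in the shape the Microsoft Graph conditionalAccessPolicy resource expects (user, application and location conditions plus a block grant control), defaulting to report-only state, and evaluates it against constructed sign-in contexts with a simplified local model of how the conditions combine. The group id for the emergency-access exclusion is a placeholder, and the evaluator only handles the "All" and "AllTrusted" location selectors used in this policy.

```python
"""Build a Conditional Access policy that blocks sign-ins from untrusted
locations, then dry-run it against sample sign-in contexts before enforcing."""
import json

# Placeholder object id for an emergency-access ("break glass") group that the
# policy must never lock out. Replace with the real group id in your tenant.
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"


def block_untrusted_locations_policy(state="enabledForReportingButNotEnforced"):
    """Policy body in the Microsoft Graph conditionalAccessPolicy shape.

    The default state is report-only, so sign-in logs show what the policy
    would have done without blocking anyone; switch to "enabled" once the
    dry run and the report-only results look right.
    """
    return {
        "displayName": "Block access from untrusted locations",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP_ID]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def evaluate(policy, ctx):
    """Simplified local model of how the policy's conditions combine.

    ctx is a constructed sign-in context: user, groups, app, location_trusted.
    Returns "not-applicable" when any condition fails to match, otherwise the
    control the policy applies ("block" or "grant"), prefixed with
    "report-only:" when the policy is not enforced.
    """
    cond = policy["conditions"]
    users = cond["users"]
    in_users = "All" in users.get("includeUsers", []) or ctx["user"] in users.get("includeUsers", [])
    excluded = ctx["user"] in users.get("excludeUsers", []) or any(
        g in users.get("excludeGroups", []) for g in ctx.get("groups", [])
    )
    apps = cond["applications"].get("includeApplications", [])
    in_apps = "All" in apps or ctx["app"] in apps
    loc = cond.get("locations", {})
    in_loc = "All" in loc.get("includeLocations", [])
    if "AllTrusted" in loc.get("excludeLocations", []) and ctx["location_trusted"]:
        in_loc = False   # trusted (named) locations are carved out of the policy
    if not (in_users and not excluded and in_apps and in_loc):
        return "not-applicable"
    control = "block" if "block" in policy["grantControls"]["builtInControls"] else "grant"
    if policy["state"] == "enabledForReportingButNotEnforced":
        return "report-only:" + control
    return control


# Constructed sign-in contexts to dry-run the policy against.
SAMPLE_CONTEXTS = {
    "staff_from_office": {"user": "staff@example.org", "groups": [], "app": "Office 365", "location_trusted": True},
    "staff_from_hotel_wifi": {"user": "staff@example.org", "groups": [], "app": "Office 365", "location_trusted": False},
    "break_glass_admin_remote": {"user": "admin@example.org", "groups": [BREAK_GLASS_GROUP_ID], "app": "Azure portal", "location_trusted": False},
}


def dry_run(policy, contexts=SAMPLE_CONTEXTS):
    """Map each context name to the outcome the policy would produce."""
    return {name: evaluate(policy, ctx) for name, ctx in contexts.items()}


if __name__ == "__main__":
    policy = block_untrusted_locations_policy()
    print(json.dumps(policy, indent=2))        # body for POST /identity/conditionalAccess/policies
    for name, outcome in dry_run(policy).items():
        print(f"{name:28} -> {outcome}")
```

The dry run shows the office sign-in untouched, the hotel wifi sign-in reported (and blocked once the state is "enabled"), and the emergency-access account untouched because its group is excluded; that exclusion is what keeps an overly broad policy from locking administrators out of their own tenant.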

11. Secure Mobile Devices with MDM 

Mobile Device Management (MDM) is a vital component of modern IT security strategies, offering administrators the ability to enforce policies and safeguard company data on mobile devices. Whether in a Bring Your Own Device (BYOD) environment or company-owned devices, MDM provides essential capabilities to protect sensitive information.  

Key insights: 

  • Use MDM solutions like Microsoft Intune to manage and secure mobile devices accessing your environment. 

  • Establish policies for device compliance, app management, and data protection to enhance security. 

  • Educate users on best practices for securing their devices, particularly in BYOD scenarios, to mitigate risks and safeguard company data. 

12. Finding an Appropriate Managed Services Provider 

Most NFP organisations don’t have the luxury of in-house IT professionals, so they usually require some level of external support from an IT provider or managed service. Selecting the right Managed Services Provider (MSP) is crucial for ensuring the efficiency, security, and continued growth of your organisation. Partnering with an MSP that aligns with your organisation’s needs and objectives offers numerous benefits. 

Key insights: 

  • Gain access to a team of IT experts with specialised skills and extensive experience in managing complex IT environments. 

  • Benefit from scalable services and enhanced cyber security measures provided by the MSP. 

  • By outsourcing IT management to an MSP, you can reduce the operational costs associated with hiring and training in-house IT staff, as well as the expenses related to maintaining and upgrading infrastructure. 

  • Take advantage of round-the-clock support, access to the latest technology, and strategic partnership opportunities with an appropriately sourced MSP. 


By following these tips, organisations can build a robust security framework, mitigate risks and create a secure, reliable Microsoft 365 environment that fosters productivity while safeguarding data integrity. 

