
Data Strategy Breakdown Series - Basic Security Hygiene (2)

  • welka2111
  • 7 minutes ago
  • 5 min read
Introduction

Welcome back! This is the second post in my blog series on how to build a bulletproof data strategy – not just Fort Knox level, but smarter (Part 1 here).


In this instalment, we’re focusing on basic security hygiene – the kind of stuff that should be second nature, like knowing your Wi-Fi password (except way more secure and less likely to be “Password123”).


What’s Microsoft doing about basic security hygiene?

You’d think by now Microsoft would have locked everything down tighter than Fort Knox. And to be fair, they’re working on it – enter the Microsoft Secure Future Initiative (SFI).


The three principles of SFI:

  1. Secure by design – Build security into everything from day one.

  2. Secure by default – Security settings should be ON by default, no fiddling required.

  3. Secure operations – Keep updating, keep improving, keep threats out.


Microsoft Secure Future Initiative (SFI)

That said... Microsoft tenants still aren’t as secure by default as we’d like. So if you think you can “set it and forget it,” think again.

You know that old phrase: trust, but always verify? Make it your mantra.


Top 10 Microsoft-recommended data security practices

Even with Microsoft 365 Business Premium, you can and should be doing the basics. Here's a rundown of top recommendations straight from Microsoft:

1) Use multi-factor authentication

2) Protect admin accounts

3) Use preset security policies

4) Protect all devices

5) Use email securely

6) Work together in Microsoft Teams

7) Set file sharing settings

8) Use Microsoft 365 Apps

9) Manage calendar sharing

10) Maintain your environment

Top 10 ways to secure your business data

Sounds good, right? The catch: these are often vague, and you might need to click through 100 help articles just to figure out what’s actually required.

So I’ve done the hard bit for you.


Rapid-fire basic security recommendations (Welka's edition)

Here are 15 basic but essential tips you might not know (or might’ve forgotten) to keep your Microsoft 365 environment in check:


1) Have 'break glass'/emergency access accounts in place

Let’s start with the "in case of emergency, smash glass" option. If you accidentally enforce a restrictive policy that locks everyone out - including yourself - you’ll wish you had set up emergency admin accounts.

  • Create at least two Global Admin accounts used only for emergencies.

  • Store credentials securely (offline password manager or secure vault).

  • Use phish-resistant MFA (such as FIDO2 security keys) for both break glass accounts.

  • Exclude these accounts from your conditional access policies, so a misconfigured policy can’t lock them out as well.


2) Enforce MFA for all users

It’s 2025. If you’ve got users logging in without Multi-Factor Authentication (MFA), you’ve basically handed your environment a “Hack Me” sign.

  • Enforce MFA via conditional access for all users.

  • For non-MFA-capable accounts (e.g., service accounts), apply network/location restrictions.


3) Block legacy authentication

Legacy authentication means older authentication protocols that can’t enforce MFA. It’s outdated, insecure, and should be blocked for everyone. If some systems still need it, isolate them like a contagious virus.

  • Use conditional access to block legacy auth.

  • Apply tight controls (IP/location restrictions) on allowed exceptions.
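Tips 1 to 3 together, as an added example (not code from the post): two Conditional Access policies created through Microsoft Graph, both excluding the break-glass accounts, plus a check that no policy forgets them. It assumes the Microsoft.Graph PowerShell module; the UPNs are placeholders.

```powershell
# Added example, not from the post. Assumes the Microsoft.Graph PowerShell module and an
# account permitted to manage Conditional Access; the UPNs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# Tip 1: resolve the break-glass accounts to object IDs so every policy can exclude them.
$breakGlassUpns = @("bg-admin1@contoso.example", "bg-admin2@contoso.example")
$breakGlassIds  = foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn).Id }

$caUri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Tip 2: require MFA for all users on all cloud apps. Created in report-only mode first;
# switch state to "enabled" once the sign-in logs show no unexpected impact.
$requireMfa = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
Invoke-MgGraphRequest -Method POST -Uri $caUri -Body $requireMfa

# Tip 3: block legacy clients (Exchange ActiveSync and "other", i.e. the basic-auth
# protocols), which cannot satisfy an MFA prompt at all.
$blockLegacy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
Invoke-MgGraphRequest -Method POST -Uri $caUri -Body $blockLegacy

# Safety check for tip 1: warn about any policy that does not exclude both break-glass
# accounts, since one restrictive policy is enough to lock the tenant admins out.
Get-MgIdentityConditionalAccessPolicy | ForEach-Object {
    $policy   = $_
    $excluded = @($policy.Conditions.Users.ExcludeUsers)
    $missing  = $breakGlassIds | Where-Object { $excluded -notcontains $_ }
    if ($missing) {
        Write-Warning "$($policy.DisplayName) does not exclude: $($missing -join ', ')"
    }
}
```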


4) Protect administrator accounts

Admin accounts are your crown jewels - treat them accordingly.

  • Use separate admin and user accounts (e.g., john.bloggs@domain.com vs. admin.john.bloggs@domain.com).

  • Don’t sync on-prem admin accounts to the cloud.

  • Follow least privilege and use Just-in-Time access with Privileged Identity Management (PIM) if available.


5) Disable inactive users

Former employees don’t need access to your systems - period.

  • Block sign-ins immediately when staff leave.

  • Regularly review and disable inactive guest or privileged accounts.
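A review script for this tip, added here as an example rather than taken from the post: it lists enabled accounts with no sign-in for 90 days (an assumed window), flags any that hold Global Administrator, and disables the stale guests. It assumes the Microsoft.Graph module and an Entra ID P1/P2 licence, which the signInActivity filter needs.

```powershell
# Added example, not from the post. Assumes the Microsoft.Graph PowerShell module and an
# Entra ID P1/P2 licence (needed for signInActivity). The 90-day window is an assumption.
Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All", "Directory.Read.All"

$cutoff = (Get-Date).ToUniversalTime().AddDays(-90).ToString("yyyy-MM-ddTHH:mm:ssZ")
$uri = "https://graph.microsoft.com/v1.0/users?" +
       '$filter=signInActivity/lastSignInDateTime le ' + $cutoff +
       '&$select=id,userPrincipalName,userType,accountEnabled,signInActivity'

# Page through results. The filter only matches accounts that have signed in at least once;
# accounts that never signed in (no signInActivity) need a separate review by creation date.
$stale = @()
do {
    $page  = Invoke-MgGraphRequest -Method GET -Uri $uri
    $stale += $page.value
    $uri    = $page.'@odata.nextLink'
} while ($uri)
$stale = $stale | Where-Object { $_.accountEnabled }

# Privileged accounts that have gone quiet deserve the first look.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaIds  = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id).Id

$stale | Select-Object userPrincipalName, userType,
    @{ n = 'LastSignIn';  e = { $_.signInActivity.lastSignInDateTime } },
    @{ n = 'GlobalAdmin'; e = { $_.id -in $gaIds } } |
    Sort-Object GlobalAdmin -Descending | Format-Table -AutoSize

# Disable stale guests once the list has been reviewed; the same PATCH works for members.
$stale | Where-Object { $_.userType -eq 'Guest' } | ForEach-Object {
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/$($_.id)" `
        -Body @{ accountEnabled = $false }
    Write-Host "Disabled guest $($_.userPrincipalName)"
}
```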


6) Set up DNS settings for all owned domains

Email spoofing is still a thing. Prevent attackers from sending emails that look like they’re from your domain.

  • Implement SPF, DKIM, and DMARC.

  • Do it for every domain you own, even if it's not used for email.
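An added checker for this tip (example code, not from the post): it resolves SPF, DMARC and the two Microsoft 365 DKIM selector CNAMEs for each domain in an inventory and reports what is missing or too weak, including the case of a domain that sends no mail at all. It assumes Resolve-DnsName from the Windows DnsClient module; the domain names are constructed placeholders.

```powershell
# Added example, not from the post: checks SPF, DMARC and the two Microsoft 365 DKIM
# selectors for every domain you own. Assumes Resolve-DnsName (Windows DnsClient module);
# the domain names in the inventory at the bottom are constructed placeholders.
function Get-TxtRecords([string]$Name) {
    # One string per TXT record (long records are split into several strings, so rejoin them).
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings } | ForEach-Object { $_.Strings -join '' }
}

function Test-DomainMailAuth {
    param([Parameter(Mandatory)][string]$Domain, [switch]$NoMailExpected)

    $spf   = @(Get-TxtRecords $Domain)          | Where-Object { $_ -like 'v=spf1*' }
    $dmarc = @(Get-TxtRecords "_dmarc.$Domain") | Where-Object { $_ -like 'v=DMARC1*' }
    $dkim  = foreach ($s in 'selector1', 'selector2') {
        [bool](Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue)
    }

    $issues = [System.Collections.Generic.List[string]]::new()
    if (-not $spf)                    { $issues.Add('no SPF record') }
    elseif (@($spf).Count -gt 1)      { $issues.Add('more than one SPF record (invalid)') }
    elseif ($spf -notmatch '\s-all$') { $issues.Add("SPF does not end in hard fail -all: $spf") }
    if ($NoMailExpected -and $spf -and $spf -ne 'v=spf1 -all') {
        $issues.Add('domain sends no mail, so SPF should be exactly "v=spf1 -all"')
    }
    if (-not $dmarc)                                  { $issues.Add('no DMARC record') }
    elseif ($dmarc -notmatch 'p=(quarantine|reject)') { $issues.Add("DMARC not enforcing: $dmarc") }
    if (-not $NoMailExpected -and ($dkim -contains $false)) {
        $issues.Add('a Microsoft 365 DKIM selector CNAME (selector1/selector2) is missing')
    }

    [pscustomobject]@{
        Domain = $Domain; SPF = ($spf -join ' | '); DMARC = ($dmarc -join ' | ')
        DKIM   = ($dkim -join ','); Issues = ($issues -join '; ')
    }
}

# Constructed sample inventory: one mail domain and one parked domain that never sends mail.
@(
    @{ Domain = 'contoso.example';      NoMailExpected = $false }
    @{ Domain = 'contoso-park.example'; NoMailExpected = $true }
) | ForEach-Object { $p = $_; Test-DomainMailAuth @p } | Format-Table -AutoSize
```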

7) Don’t let any email bypass spam filtering

Whitelisting domains might sound like a good idea - until that domain gets compromised. Instead of giving blind trust, use more nuanced rules.

  • Avoid global allow lists.

  • Use Exchange Transport Rules with SPF/DKIM/DMARC checks for better control.
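The weak setting beside the better one, as an added example (not the post's own code): a domain-wide allow entry is removed, and a mail flow rule bypasses filtering only for messages that actually passed DMARC for that domain. It assumes the ExchangeOnlineManagement module; partner.example is a placeholder.

```powershell
# Added example, not from the post. Assumes the ExchangeOnlineManagement module;
# partner.example is a placeholder partner domain.
Connect-ExchangeOnline

# The weak setting: a domain-wide allow that bypasses filtering for anything claiming to be
# from partner.example, spoofed or not. Shown here only so it can be taken out.
Set-HostedContentFilterPolicy -Identity Default -AllowedSenderDomains @{ Remove = 'partner.example' }

# The better control: a mail flow rule that only lowers the spam score when the message
# passed DMARC (which implies an aligned SPF or DKIM pass) for that sender domain.
New-TransportRule -Name "Partner bypass - partner.example (DMARC pass only)" `
    -SenderDomainIs 'partner.example' `
    -HeaderContainsMessageHeader 'Authentication-Results' `
    -HeaderContainsWords 'dmarc=pass' `
    -SetSCL -1 `
    -Comments "Spam-filter bypass limited to messages that authenticated as partner.example"

# Verify nothing is still globally allowed
(Get-HostedContentFilterPolicy -Identity Default).AllowedSenderDomains
```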

8) Set up native external email callouts

Let users know when emails are from outside your organisation - it helps stop impersonation attacks dead in their tracks.

  • Enable the ‘External’ tag in Outlook via mail flow rules or built-in features.


9) Block automatic email forwarding

A common hacker tactic: compromise a user, then silently auto-forward emails. Shut this down.

  • Block automatic external forwarding by default.

  • Allow exceptions only where there’s a real business need.
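Added example for this tip (not code from the post): the tenant-wide block, an audit of mailbox forwarding and of inbox rules that forward or redirect, and a scoped exception policy for the genuine business cases. It assumes the ExchangeOnlineManagement module; the approved-senders group is a placeholder.

```powershell
# Added example, not from the post. Assumes the ExchangeOnlineManagement module and an
# Exchange Administrator; the approved-senders group at the end is a placeholder.
Connect-ExchangeOnline

# Tenant-wide block. The outbound spam policy is the control that actually stops
# auto-forwarded mail leaving the tenant; the remote-domain flag is the older setting
# and is set as well so the two never disagree.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Audit 1: mailbox-level forwarding (set by admins, or by users in OWA options).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Audit 2: inbox rules that forward or redirect, the post-compromise persistence the post
# describes. Slow on big tenants; start with a pilot set of mailboxes.
$suspectRules = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
$suspectRules | Format-Table -AutoSize

# Exceptions with a real business need: a separate policy scoped to a named group,
# so the default stays locked down.
New-HostedOutboundSpamFilterPolicy -Name "Allow external auto-forwarding" -AutoForwardingMode On
New-HostedOutboundSpamFilterRule -Name "Allow external auto-forwarding" `
    -HostedOutboundSpamFilterPolicy "Allow external auto-forwarding" `
    -FromMemberOf "forwarding-approved@contoso.example"
```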


10) Implement domain and user impersonation protection

Protect your people from targeted spoofing and phishing by enabling anti-impersonation features in Defender for Office 365.

  • Use domain impersonation protection.

  • Enable user impersonation protection.
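Both bullets applied to the default anti-phishing policy, as an added example (not from the post). It assumes the ExchangeOnlineManagement module with a Defender for Office 365 licence; the protected users and partner domain are placeholders.

```powershell
# Added example, not from the post. Assumes the ExchangeOnlineManagement module with a
# Defender for Office 365 licence; the protected names and domains are placeholders.
Connect-ExchangeOnline

Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect @('partner.example') `
    -TargetedDomainProtectionAction Quarantine `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @('Jane Bloggs;jane.bloggs@contoso.example', 'Finance Director;fd@contoso.example') `
    -TargetedUserProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true

# Check: any anti-phishing policy that still has impersonation protection switched off
Get-AntiPhishPolicy |
    Where-Object { -not $_.EnableOrganizationDomainsProtection -or -not $_.EnableTargetedUserProtection } |
    Select-Object Name, EnableOrganizationDomainsProtection, EnableTargetedDomainsProtection, EnableTargetedUserProtection
```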

11) Block users from starting Microsoft trials

You don’t want a user firing up a random trial and introducing shadow IT into your carefully curated ecosystem.

  • Disable users’ ability to start organisation-wide trials.

12) Block self-service license purchases

So you’re holding off on Copilot for now. Great! But your users might not be…

  • Use the Admin Centre to block self-service purchases of Copilot or any other licences.


13) Control user app consent

Allowing users to grant app permissions to their data is asking for trouble - especially if that app wasn’t vetted.

  • Disable default app consent.

  • Set up an approval workflow for OAuth app registrations.


14) Block standard users from registering applications

There’s no reason for most users to register their own applications - unless you're aiming for a chaos-driven IT model.

  • Disable the default setting that lets users register apps, under the Entra ID user settings.
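Tips 11 to 14 in one pass, as an added example (not code from the post): the tenant-wide default user permissions are set on the authorizationPolicy object, the admin consent request workflow is switched on, and self-service purchase is disabled per product. It assumes the Microsoft.Graph and MSCommerce modules; the reviewer object ID is a placeholder, and treating the self-service sign-up switch as the control for tip 11 is an assumption.

```powershell
# Added example, not from the post: covers tips 11 to 14 in one pass. Assumes the
# Microsoft.Graph and MSCommerce PowerShell modules and a Global Administrator; the
# reviewer object ID is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest"

# Tips 11, 13 and 14 all live on the tenant's single authorizationPolicy object.
$authPolicy = @{
    # Tip 11 (assumption: closest Graph-exposed control): stop users signing up for
    # email-verified trial subscriptions on their own
    allowedToSignUpEmailBasedSubscriptions = $false
    # Tip 13: an empty list means standard users cannot consent to any app. To allow only
    # low-risk permissions from verified publishers instead, assign
    # "ManagePermissionGrantsForSelf.microsoft-user-default-low".
    permissionGrantPolicyIdsAssignedToDefaultUserRole = @()
    # Tip 14: standard users may not register applications
    defaultUserRolePermissions = @{ allowedToCreateApps = $false }
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/policies/authorizationPolicy" -Body $authPolicy

# Tip 13, second half: the admin consent request workflow, so users can still ask for an app.
$consentWorkflow = @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30
    reviewers             = @(@{ query = "/users/<REVIEWER-OBJECT-ID>"; queryType = "MicrosoftGraph" })
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/policies/adminConsentRequestPolicy" -Body $consentWorkflow

# Tip 12: self-service purchase is a per-product switch in the MSCommerce module,
# so turn it off for every product that still has it on (Copilot included).
Connect-MSCommerce
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase |
    Where-Object { $_.PolicyValue -ne 'Disabled' } |
    ForEach-Object {
        Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase `
            -ProductId $_.ProductId -Enabled $false
    }

# Verify the Entra side
$p = Get-MgPolicyAuthorizationPolicy
$p.AllowedToSignUpEmailBasedSubscriptions
$p.PermissionGrantPolicyIdsAssignedToDefaultUserRole
$p.DefaultUserRolePermissions.AllowedToCreateApps
```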


15) Restrict access to the Entra admin centre

Out of the box, non-admins can poke around in the Microsoft Entra portal. That’s a hard no.

  • Review and restrict default user permissions across your tenant.

  • Secure access to the Entra Admin Centre.


Conclusion

Think of this list as your cyber hygiene starter pack. Clean configs, secure defaults, and smart practices keep your digital hands germ-free.

This is just Part 2 in the series, so make sure to subscribe or check back soon. I’ll be diving deeper into how to create a defence-in-depth strategy that’s actually practical in the modern workplace.

Got questions? Want me to dive into a particular topic next? Drop a comment or send a carrier pigeon (or just a DM, really).

Until next time, stay secure and don’t click on suspicious links. 🛡️
