Data Strategy Breakdown Series - Basic Security Hygiene (2)
- welka2111

Introduction
Welcome back! This is the second post in my blog series on how to build a bulletproof data strategy – not just Fort Knox level, but smarter (Part 1 here).
In this instalment, we’re focusing on basic security hygiene – the kind of stuff that should be second nature, like knowing your Wi-Fi password (except way more secure and less likely to be “Password123”).
What’s Microsoft doing about basic security hygiene?
You’d think by now Microsoft would have locked everything down tighter than Fort Knox. And to be fair, they’re working on it – enter the Microsoft Secure Future Initiative (SFI).
The three principles of SFI:
Secure by design – Build security into everything from day one.
Secure by default – Security settings should be ON by default, no fiddling required.
Secure operations – Keep updating, keep improving, keep threats out.

That said... Microsoft tenants still aren’t as secure by default as we’d like. So if you think you can “set it and forget it,” think again.
You know that old phrase: trust, but always verify? Make it your mantra.
Top 10 Microsoft-recommended data security practices
Even with Microsoft 365 Business Premium, you can and should be doing the basics. Here's a rundown of top recommendations straight from Microsoft:
1) Use multi-factor authentication
2) Protect admin accounts
3) Use preset security policies
4) Protect all devices
5) Use email securely
6) Work together in Microsoft Teams
7) Set file sharing settings
8) Use Microsoft 365 Apps
9) Manage calendar sharing
10) Maintain your environment

Sounds good, right? The catch: these are often vague, and you might need to click through 100 help articles just to figure out what’s actually required.
So I’ve done the hard bit for you.
Rapid-fire basic security recommendations (Welka's edition)
Here are 15 basic but essential tips you might not know (or might’ve forgotten) to keep your Microsoft 365 environment in check:
1) Have 'break glass'/emergency access accounts in place
Let’s start with the "in case of emergency, smash glass" option. If you accidentally enforce a restrictive policy that locks everyone out - including yourself - you’ll wish you had set up emergency admin accounts.
Create at least two Global Admin accounts used only for emergencies.
Store credentials securely (offline password manager or secure vault).
Use phishing-resistant MFA (such as FIDO2) for both break glass accounts.
Exclude these accounts from the Conditional Access policies that could otherwise lock them out.
Reference: Microsoft Security Emergency Access
2) Enforce MFA for all users
It’s 2025. If you’ve got users logging in without Multi-Factor Authentication (MFA), you’ve basically handed your environment a “Hack Me” sign.
Enforce MFA via conditional access for all users.
For non-MFA-capable accounts (e.g., service accounts), apply network/location restrictions.
Reference: Microsoft Conditional Access - MFA for All
3) Block legacy authentication
Legacy authentication means the older sign-in protocols that can’t support MFA. It’s outdated, insecure, and should be blocked for everyone. If some systems still need it, isolate them like a contagious virus.
Use conditional access to block legacy auth.
Apply tight controls (IP/location restrictions) on allowed exceptions.
Reference: Block Legacy Authentication
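As an added illustration (not part of the original post, and not Microsoft code), here is a small Python check over constructed sign-in records shaped like Entra ID sign-in log exports: it lists successful legacy-protocol sign-ins by accounts that aren't on your exception list, and exception accounts signing in from outside the networks you allowed them. The field names, the exception account and the IP ranges are assumptions made for the example.

```python
import ipaddress

# Sign-in client types that support modern authentication (and so MFA).
# Anything else reported in clientAppUsed is a legacy protocol.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Accounts still permitted to use legacy auth, and the networks they may
# use it from (the "tight controls" on exceptions). Constructed values.
EXCEPTIONS = {
    "svc-scanner@example.com": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed events, simplified from the shape of Entra ID sign-in log
# rows; field names are assumptions for this example, values are made up.
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "ipAddress": "198.51.100.7", "status": "Success"},
    {"userPrincipalName": "svc-scanner@example.com", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "203.0.113.10", "status": "Success"},
    {"userPrincipalName": "svc-scanner@example.com", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "198.51.100.7", "status": "Success"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "ipAddress": "198.51.100.7", "status": "Failure"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Exchange ActiveSync",
     "ipAddress": "198.51.100.7", "status": "Success"},
]

def legacy_auth_findings(events, exceptions=EXCEPTIONS):
    """Return (upn, protocol, reason) for each successful legacy-auth sign-in
    that is either by a non-exempt account or by an exempt account from
    outside its allowed networks. Failed attempts are skipped: the point is
    what still gets through."""
    findings = []
    for e in events:
        if e["clientAppUsed"] in MODERN_CLIENTS or e["status"] != "Success":
            continue
        upn = e["userPrincipalName"].lower()
        ip = ipaddress.ip_address(e["ipAddress"])
        allowed = exceptions.get(upn)
        if allowed is None:
            findings.append((upn, e["clientAppUsed"], "legacy auth by non-exempt account"))
        elif not any(ip in net for net in allowed):
            findings.append((upn, e["clientAppUsed"], f"exempt account used from unexpected IP {ip}"))
    return findings
```

Anything this returns is either a Conditional Access gap or an exception that has drifted from the controls you put around it.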
4) Protect administrator accounts
Admin accounts are your crown jewels - treat them accordingly.
Use separate admin and user accounts (e.g., john.bloggs@domain.com vs. admin.john.bloggs@domain.com).
Don’t sync on-prem admin accounts to the cloud.
Follow least privilege and use Just-in-Time access with Privileged Identity Management (PIM) if available.
Reference: Protect Admin Accounts
5) Disable inactive users
Former employees don’t need access to your systems - period.
Block sign-ins immediately when staff leave.
Regularly review and disable inactive guest or privileged accounts.
Reference: Manage Inactive User Accounts
6) Set up DNS settings for all owned domains
Email spoofing is still a thing. Prevent attackers from sending emails that look like they’re from your domain.
Implement SPF, DKIM, and DMARC.
Do it for every domain you own, even if it's not used for email.
References:
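To show what “implement SPF, DKIM and DMARC” should look like when you actually check it, here is an added Python example (not from the post or from Microsoft) that parses constructed SPF and DMARC TXT records and flags the weak settings: a +all SPF, a p=none DMARC policy, a missing rua address, a partial pct. The record values and domain names are made up; DKIM is left out because its check is a per-selector key lookup rather than a policy to review.

```python
# Constructed example TXT records (not real DNS data). A live check would
# query <domain> for the SPF record and _dmarc.<domain> for DMARC.
RECORDS = {
    "example.com": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
    # A parked domain that sends no mail but was left wide open:
    "parked.example": "v=spf1 +all",
    "_dmarc.parked.example": "v=DMARC1; p=none",
}

def check_spf(record):
    """Return findings for an SPF TXT record; '' means no record published."""
    if not record.startswith("v=spf1"):
        return ["no SPF record published"]
    terms = record.split()[1:]
    findings = []
    # A bare "all" defaults to the "+" qualifier, so it is just as open.
    if "+all" in terms or "all" in terms:
        findings.append("SPF ends in +all: any host may send as this domain")
    elif "~all" in terms:
        findings.append("SPF uses ~all (softfail); prefer -all")
    elif "-all" not in terms:
        findings.append("SPF has no 'all' mechanism")
    return findings

def check_dmarc(record):
    """Return findings for a DMARC TXT record; '' means no record published."""
    if not record.startswith("v=DMARC1"):
        return ["no DMARC record published"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC record has no valid p= policy")
    elif policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports will arrive")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    return findings

def audit_domain(domain, records=RECORDS):
    """Audit one domain's SPF and DMARC records from the record store."""
    return {"spf": check_spf(records.get(domain, "")),
            "dmarc": check_dmarc(records.get("_dmarc." + domain, ""))}
```

For a domain that never sends mail, the clean result is an SPF of `v=spf1 -all` plus a DMARC policy of p=reject, which this check passes without findings.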
7) Don’t let any email bypass spam filtering
Whitelisting domains might sound like a good idea - until that domain gets compromised. Instead of giving blind trust, use more nuanced rules.
Avoid global allow lists.
Use Exchange Transport Rules with SPF/DKIM/DMARC checks for better control.
References:
8) Set up native external email callouts
Let users know when emails are from outside your organisation - it helps stop impersonation attacks dead in their tracks.
Enable the ‘External’ tag in Outlook via mail flow rules or built-in features.
Reference: External Sender Callouts in Outlook
9) Block automatic email forwarding
A common hacker tactic: compromise a user, then silently auto-forward emails. Shut this down.
Block automatic external forwarding by default.
Allow exceptions only where there’s a real business need.
Reference: Block External Email Forwarding
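Blocking forwarding is the policy; checking for rules that forward anyway is how you know it worked. As an added example (not part of the original post and not Microsoft's code), this Python snippet scans constructed inbox rules, loosely shaped like Get-InboxRule output, for forwards or redirects to addresses outside your accepted domains, and notes the tell-tale signs of a hidden rule such as a blank name or a delete-after-forward action. Field names, domains and rule contents are assumptions made for the example.

```python
import re

# Domains that count as internal; constructed for the example.
ACCEPTED_DOMAINS = {"example.com", "example.co.uk"}

# Constructed inbox rules, loosely shaped like Get-InboxRule output.
# Field names are assumptions for this example; values are made up.
INBOX_RULES = [
    {"MailboxOwnerId": "alice@example.com", "Name": "Archive newsletters", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"MailboxOwnerId": "carol@example.com", "Name": "Copy to team", "Enabled": True,
     "ForwardTo": ['"Team" [SMTP:team@example.co.uk]'], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"MailboxOwnerId": "bob@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ['"Bob" [SMTP:bob.backup@mail.example.net]'],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True},
]

# Pull the address (group 1) and its domain (group 2) out of a recipient
# string such as '"Name" [SMTP:user@domain]'.
ADDRESS = re.compile(r"([\w.+-]+@([\w-]+(?:\.[\w-]+)+))", re.I)

def external_forwarding_rules(rules, accepted=ACCEPTED_DOMAINS):
    """Return one finding per enabled rule that forwards or redirects mail to
    an address outside the accepted domains, with any hiding signs noted."""
    findings = []
    for rule in rules:
        if not rule["Enabled"]:
            continue
        targets = rule["ForwardTo"] + rule["RedirectTo"] + rule["ForwardAsAttachmentTo"]
        external = sorted({m.group(1).lower() for t in targets
                           for m in ADDRESS.finditer(t)
                           if m.group(2).lower() not in accepted})
        if not external:
            continue
        flags = []
        if rule["DeleteMessage"]:
            flags.append("deletes the original, hiding the forward from the owner")
        if len(rule["Name"].strip()) <= 1:
            flags.append("blank or one-character rule name")
        findings.append({"mailbox": rule["MailboxOwnerId"], "rule": rule["Name"],
                         "external_recipients": external, "flags": flags})
    return findings
```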
10) Implement domain and user impersonation protection
Protect your people from targeted spoofing and phishing by enabling anti-impersonation features in Defender for Office 365.
Use domain impersonation protection.
Enable user impersonation protection.
References:
11) Block users from starting Microsoft trials
You don’t want a user firing up a random trial and introducing shadow IT into your carefully curated ecosystem.
Disable users’ ability to start organisation-wide trials.
References:
12) Block self-service license purchases
So you’re holding off on Copilot for now. Great! But your users might not be…
Use the Admin Centre to block self-service purchases of Copilot or any other licences.
Reference: Manage Self-Service Purchases
13) Control user app consent
Allowing users to grant app permissions to their data is asking for trouble - especially if that app wasn’t vetted.
Disable default app consent.
Set up an approval workflow for OAuth app registrations.
Reference: User Consent Overview
14) Block standard users from registering applications
There’s no reason for most users to register their own applications - unless you're aiming for a chaos-driven IT model.
Disable default ability for users to register apps via Entra ID settings.
Reference: Disable App Registrations
15) Restrict access to the Entra admin centre
Out of the box, non-admins can poke around in the Microsoft Entra portal. That’s a hard no.
Review and restrict default user permissions across your tenant.
Secure access to the Entra Admin Centre.
Reference: Restrict Default User Permissions
Conclusion
Think of this list as your cyber hygiene starter pack. Clean configs, secure defaults, and smart practices keep your digital hands germ-free.
This is just Part 2 in the series, so make sure to subscribe or check back soon. I’ll be diving deeper into how to create a defence-in-depth strategy that’s actually practical in the modern workplace.
Got questions? Want me to dive into a particular topic next? Drop a comment or send a carrier pigeon (or just a DM, really).
Until next time, stay secure and don’t click on suspicious links. 🛡️