Data Strategy Breakdown Series - Basic Security Hygiene (2)

Introduction

Welcome back! This is the second post in my blog series on how to build a bulletproof data strategy – not just Fort Knox level, but smarter (Part 1 here).

In this instalment, we’re focusing on basic security hygiene – the kind of stuff that should be second nature, like knowing your Wi-Fi password (except way more secure and less likely to be “Password123”).

Table of contents

What’s Microsoft doing about security hygiene?

Top 10 Microsoft-recommended data security practices

Rapid-fire basic security recommendations (Welka's edition)

Conclusion

What’s Microsoft doing about basic security hygiene?

You’d think by now Microsoft would have locked everything down tighter than Fort Knox. And to be fair, they’re working on it – enter the Microsoft Secure Future Initiative (SFI).

The three principles of SFI:

1. Secure by design – Build security into everything from day one.

2. Secure by default – Security settings should be ON by default, no fiddling required.

3. Secure operations – Keep updating, keep improving, keep threats out.

That said... Microsoft tenants still aren’t as secure by default as we’d like. So if you think you can “set it and forget it,” think again.

You know that old phrase: trust, but always verify? Make it your mantra.

Top 10 Microsoft-recommended data security practices

Even with Microsoft 365 Business Premium, you can and should be doing the basics. Here's a rundown of top recommendations straight from Microsoft:

1) Use multi-factor authentication

2) Protect admin accounts

3) Use preset security policies

4) Protect all devices

5) Use email securely

6) Work together in Microsoft Teams

7) Set file sharing settings

8) Use Microsoft 365 Apps

9) Manage calendar sharing

10) Maintain your environment

Sounds good, right? The catch: these are often vague, and you might need to click through 100 help articles just to figure out what’s actually required.

So I’ve done the hard bit for you.

Rapid-fire basic security recommendations (Welka's edition)

Here are 15 basic but essential tips you might not know (or might’ve forgotten) to keep your Microsoft 365 environment in check:

1) Have 'break glass'/emergency access accounts in place

Let’s start with the "in case of emergency, smash glass" option. If you accidentally enforce a restrictive policy that locks everyone out - including yourself - you’ll wish you had set up emergency admin accounts.

• Create at least two Global Admin accounts used only for emergencies.

• Store credentials securely (offline password manager or secure vault).

• Use phish-resistant MFA for both break glass accounts (such as FIDO2)

• Exclude these accounts from the necessary conditional access policies.

Reference: Microsoft Security Emergency Access

2) Enforce MFA for all users

It’s 2025. If you’ve got users logging in without Multi-Factor Authentication (MFA), you’ve basically handed your environment a “Hack Me” sign.

• Enforce MFA via conditional access for all users.

• For non-MFA-capable accounts (e.g., service accounts), apply network/location restrictions.

Reference: Microsoft Conditional Access - MFA for All

3) Block legacy authentication

Legacy authentication = authentication that can’t use MFA. It’s outdated, insecure, and should be blocked for everyone. If some systems still need it, isolate them like a contagious virus.

• Use conditional access to block legacy auth.

• Apply tight controls (IP/location restrictions) on allowed exceptions.

Reference: Block Legacy Authentication

4) Protect administrator accounts

Admin accounts are your crown jewels - treat them accordingly.

• Use separate admin and user accounts (e.g., john.bloggs@domain.com vs. admin.john.bloggs@domain.com).

• Don’t sync on-prem admin accounts to the cloud.

• Follow least privilege and use Just-in-Time access with Privileged Identity Management (PIM) if available.

Reference: Protect Admin Accounts

5) Disable inactive users

Former employees don’t need access to your systems - period.

• Block sign-ins immediately when staff leave.

• Regularly review and disable inactive guest or privileged accounts.

Reference: Manage Inactive User Accounts

6) Set up DNS settings for all owned domains

Email spoofing is still a thing. Prevent attackers from sending emails that look like they’re from your domain.

• Implement SPF, DKIM, and DMARC.

• Do it for every domain you own, even if it's not used for email.

References:

• Overview of Email Authentication

• SPF Configuration

• DKIM Configuration

• DMARC Configuration

• Common Microsoft 365 Security Mistakes

• Create DNS Records

  
  

7) Don’t let any email bypass spam filtering

Whitelisting domains might sound like a good idea - until that domain gets compromised. Instead of giving blind trust, use more nuanced rules.

• Avoid global allow lists.

• Use Exchange Transport Rules with SPF/DKIM/DMARC checks for better control.

References:

• Avoid Bypassing Spam Filters

• Common Microsoft 365 Security Mistakes

  
  

8) Set up native external email callouts

Let users know when emails are from outside your organisation - it helps stop impersonation attacks dead in their tracks.

• Enable the ‘External’ tag in Outlook via mail flow rules or built-in features.

Reference: External Sender Callouts in Outlook

9) Block automatic email forwarding

A common hacker tactic: compromise a user, then silently auto-forward emails. Shut this down.

• Block automatic external forwarding by default.

• Allow exceptions only where there’s a real business need.

Reference: Block External Email Forwarding

10) Implement domain and user impersonation protection

Protect your people from targeted spoofing and phishing by enabling anti-impersonation features in Defender for Office 365.

• Use domain impersonation protection.

• Enable user impersonation protection.

References:

• Anti-Phishing Policies Overview

• User Impersonation Protection

• Domain Impersonation Protection

  
  

11) Block users from starting Microsoft trials

You don’t want a user firing up a random trial and introducing shadow IT into your carefully curated ecosystem.

• Disable users’ ability to start organisation-wide trials.

References:

• Disable Trial Sign-Ups

• Prevent Self-Service Trials

  
  

12) Block self-service license purchases

So you’re holding off on Copilot for now. Great! But your users might not be…

• Use the Admin Centre to block self-service purchases of Copilot or any other licences.

Reference: Manage Self-Service Purchases

13) Control user app consent

Allowing users to grant app permissions to their data is asking for trouble - especially if that app wasn’t vetted.

• Disable default app consent.

• Set up an approval workflow for OAuth app registrations.

Reference: User Consent Overview

14) Block standard users from registering applications

There’s no reason for most users to register their own applications - unless you're aiming for a chaos-driven IT model.

• Disable default ability for users to register apps via Entra ID settings.

Reference: Disable App Registrations

15) Restrict access to the Entra admin centre

Out of the box, non-admins can poke around in the Microsoft Entra portal. That’s a hard no.

• Review and restrict default user permissions across your tenant.

• Secure access to the Entra Admin Centre.

Reference: Restrict Default User Permissions

Conclusion

Think of this list as your cyber hygiene starter pack. Clean configs, secure defaults, and smart practices keep your digital hands germ-free.

This is just Part 2 in the series, so make sure to subscribe or check back soon. I’ll be diving deeper into how to create a defence-in-depth strategy that’s actually practical in the modern workplace.

Got questions? Want me to dive into a particular topic next? Drop a comment or send a carrier pigeon (or just a DM, really).

Until next time, stay secure and don’t click on suspicious links. 🛡️