Are you taking advantage of Microsoft 365 Security? The security features in Microsoft 365 are so voluminous and change so rapidly that it’s difficult for IT leaders to confidently answer this question. Nearly all of our clients are using Microsoft 365 to some extent, and we often help guide them on their journey to avoid pitfalls, protect data, and, most importantly, keep their businesses moving forward. This article will explain some of the most important security capabilities included in Microsoft 365 (formerly Office 365) and provide tips on how organizations can quickly improve security without much effort.

About half of all small and medium-sized businesses (SMBs) use Microsoft 365 as their primary productivity tool for its rich features and benefits, making it a popular target for attacks by malicious actors. And if not appropriately configured, an organization’s implementation of Microsoft 365 could put the company at risk of loss from data theft, reputational damage, regulatory compliance penalties, and worse.

As many security industry veterans will admit, Microsoft’s early track record in security was not exactly stellar. Just a decade ago, Windows Security was likened to a “Swiss Cheese Flak Jacket”. That all changed in 2015, when the then-new CEO, Satya Nadella, committed to investing $1 billion annually into security. Jump forward to today, and Microsoft now touches nearly every enterprise security category and generates $10 billion in revenue from security annually.

Rett Blog Graphic 2

This summer, after meeting with President Biden, Nadella committed to an additional $20 billion investment in security over the next five years

Security and Protection with Microsoft 365 

The options from Microsoft 365 may seem endless, but the availability of security tools depends on your license. The table below summarizes some of the more common security features and capabilities: 

FeatureFocusDetailsLicense class/ type
Defender for
Mobile Devices Advanced threat protection that includes antivirus, antimalware, ransomware mitigation, and more, together with centralized management and reporting.M365 E5 or F5 Plan 2 
(Plan 1 in preview) 
Windows 10 E5  
Defender for
Office 365 
Exchange Online Safeguards against malicious threats posed by email messages, links (URLs), and collaboration tools.    
Plan 1 includes safe attachments, safe links, anti-phishing and detection 
Plan 2 adds automation, threat tracking, investigation, remediation, and education capabilities. 
M365 E5 or F5  
O365 E5  
Plan 1 or Plan 2  
Cloud App Security Office 365 
Cloud Apps 
On prem log files 
Provides threat detection, data security, adaptive access control & monitoring, compliance and auditing at application level. M365 E5 or F5 
O365 E5 
Defender for Identity Active Directory Cloud-based security solution that leverages Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. M365 E5 or F5 

Quick Security Wins for Organizations 

Clients often ask me what Microsoft 365 Security features they should use, and my answer depends on their security maturity. I always aim to guide clients to get the most value for the least cost and effort. For organizations with low to moderate security maturity, several capabilities can quickly be enabled to improve Microsoft 365 security health without requiring significant effort:  

Some Microsoft 365 security quick wins include: 

Implement multi-factor authentication (MFA)  

  • Passwords present many problems that MFA helps solve. A 2019 report from Microsoft concluded that MFA blocks 99.9% of automated cyber attacks. MFA is easy to deploy if thoughtfully planned, and CREO helps our clients rollout MFA in as little as 2-3 weeks. It’s important to also disable legacy authentication to prevent attackers from bypassing MFA. ropbox. This has many security benefits and is easy to setup. 

Enable single sign-on with Azure AD

  • Centralize credential management and simplify end user login experience for SaaS applications such as Slack, Salesforce, Service Now, Dropbox. This has many security benefits and is easy to setup. 

Disable admin privileges as default capability on endpoints 

  • SMBs will often grant end-users administrator privileges on their PC and laptops to reduce help desk calls. However, the security risks that come with over-privileged users are high. CREO embraces the principle of least privilege and works with clients to remove admin privileges while ensuring end-users can perform their jobs. 

Implement exchange online protection  

  • Exchange online protection is a cloud-based filtering service that protects organizations against spam, malware, and other email threats. It is easy to enable and provides immediate benefits. Further technical tuning can be achieved to verify inbound email by configuring DMARC, DKIM, and SPF records. 

Enable Azure AD geo-blocking 

  • Attackers are often located in another state or country from where they are targeting. Microsoft Azure AD allows conditional access policies that prevent user access by country or region, reducing the risk of attack. For example, if your organization doesn’t have users in Russia or China, you can block attempted access from these locations. 

Disable auto-forwarding of emails 

  • Email forwarding may be appropriate in some instances, but it also can pose a significant security risk. Auto forwarding is a common mail rule that attackers use to get persistent access to a compromised mailbox to steal sensitive data.Most users don’t need auto-forwarding, so CREO recommends disabling it by default and only allowing users with an approved business case.

The benefits extend beyond protecting your organization to also reducing costs by utilizing capabilities available within your existing license rather than purchasing another technical solution.

Security Expertise  

Even though Microsoft has made incredible strides with its security capabilities, they still have a way to go to make correct implementation easy. While many configurations can be completed with point and click settings, it’s also easy to inadvertently make mistakes. For example, simply clicking a box to retain GDPR data can have far-reaching consequences, which can overwhelm storage capacity and create a mess to clean up. Microsoft security is driven by policy which must be configured properly for the organization. Checking a box to enable a security feature is only as effective as the underlying policy, and the policy should align with the organization’s business objectives and culture.

CREO’s team of security experts strives to continually stay up to date on the rapidly evolving Microsoft security landscape. It’s common for Microsoft to make changes to their security consoles on a monthly basis, which can be challenging for busy IT teams to track and maintain. If your organization doesn’t have in-house security expertise that is able to keep up with the constant Microsoft changes, then you may not be taking full advantage of what Microsoft 365 security has to offer.

CREO performs affordable, value-packed Microsoft 365 security health checks for clients. We’ll assess your organization’s security configurations for adherence to best practices and the needs of your business. We’ll also identify functionality available with your Microsoft license that you should be taking advantage of to optimize value. Whether it’s turning on a security policy, enabling a new feature, or reducing inefficiencies, we’ll provide concrete recommendations that are prioritized to protect your organization even within limited budgets. Contact us today for a no-cost consultation.


CREO, Inc. helps organizations manage their cybersecurity risks and deploy security solutions to protect high-value systems and data assets. CREO is recognized in the 2021 Inc 5000 list of fastest-growing companies in the US. 

Rett Summerville is the Director of Cybersecurity & Compliance at CREO, and a seasoned IT security and risk management leader with over 20 years of experience working in technical and business roles in software, fintech, and consulting services. He is passionate about helping clients transform their culture to improve security awareness, manage risk, and maintain compliance. Rett promotes business-driven security and believes that good IT security practices can help companies be more competitive by enabling them to make better decisions quickly and confidently. Rett’s areas of expertise include information security leadership, integrated risk management, data security and regulatory compliance. Rett enjoys community service and is a volunteer high school pole vault coach.