Microsoft 365 baseline checklist
These are the “core settings” we recommend for most businesses to improve security without breaking daily workflows. Start here before chasing advanced tools.
Baseline controls (quick wins)
If you only do a few things, do these first.
| Area | What to set | Why it matters |
|---|---|---|
| Identity | Require MFA for all users and disable legacy authentication. | Stops most password-only account takeovers. |
| Admin | Separate admin accounts; enforce stronger access rules for admins. | Prevents “one login” from becoming total compromise. |
| Email | Enable anti-phishing, impersonation protection, safe links/attachments (license-dependent). | Reduces spoofing and malicious clicks. |
| Devices | Require compliant devices (where possible) + endpoint protection + patching. | Blocks risky devices from accessing company data. |
| Sharing | Review SharePoint/OneDrive external sharing defaults; restrict if needed. | Prevents accidental data exposure. |
| Recovery | Set break-glass admin, recovery methods, and ensure audit logging is enabled. | Prevents lockouts and supports investigations. |
Common mistakes we fix
- MFA enabled but not enforced for all users.
- Admins using the same account for daily email and admin tasks.
- Legacy authentication still allowed.
- External sharing left wide open.
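The Identity row of the table and the first three mistakes above can be checked from a tenant rather than by eye. The following Microsoft Graph PowerShell script is an added example, not part of the original checklist or Vanguard's tooling; it assumes the Microsoft.Graph module is installed and that the signed-in admin can consent to the read-only scopes listed.

```powershell
# Added example (not from the original page): audit the Identity baseline and
# the "common mistakes" list with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed; all requested scopes are read-only.
Connect-MgGraph -Scopes "Policy.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All"

# Some tenants rely on security defaults instead of Conditional Access; when they
# are enabled, both controls checked below are already covered by them.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($sd.IsEnabled)"

# Only enabled policies that target every user and every app count as a baseline.
# A break-glass exclusion does not change this: IncludeUsers still reads "All".
$policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq "enabled" -and
    $_.Conditions.Users.IncludeUsers -contains "All" -and
    $_.Conditions.Applications.IncludeApplications -contains "All"
}

# Mistake: "Legacy authentication still allowed". Legacy protocols appear as the
# client app types exchangeActiveSync and other; a baseline policy blocks both.
$legacyBlock = $policies | Where-Object {
    $_.GrantControls.BuiltInControls -contains "block" -and
    $_.Conditions.ClientAppTypes -contains "exchangeActiveSync" -and
    $_.Conditions.ClientAppTypes -contains "other"
}
if ($legacyBlock) { "Legacy auth blocked by: $($legacyBlock.DisplayName -join ', ')" }
else { "FINDING: no enabled policy blocks legacy authentication for all users" }

# Mistake: "MFA enabled but not enforced". Enforcement means an enabled policy
# whose grant control requires mfa; a user having registered MFA is not enforcement.
$mfaPolicy = $policies | Where-Object { $_.GrantControls.BuiltInControls -contains "mfa" }
if ($mfaPolicy) { "MFA required by: $($mfaPolicy.DisplayName -join ', ')" }
else { "FINDING: no enabled policy requires MFA for all users" }

# Registration gaps: users with no MFA method cannot satisfy the policy above and
# will be prompted to register (or locked out) the day it is enforced.
$regs  = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$noMfa = @($regs | Where-Object { -not $_.IsMfaRegistered })
"Users without a registered MFA method: $($noMfa.Count)"

# Admins first: an unregistered admin is the "one login" the Admin row warns about.
$noMfa | Where-Object IsAdmin | Select-Object UserPrincipalName | Format-Table -AutoSize
```

A tenant on security defaults will legitimately show no matching Conditional Access policies, so read the first line of output before acting on the two FINDING lines.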
Want Vanguard to baseline your Microsoft 365 tenant?
We’ll secure your settings without disrupting daily work.