Aegisys Cloud Solutions
Cybersecurity · May 22, 2025 · 6 min read

Microsoft 365 Security Basics: Entra ID, MFA, and Device Compliance

A practical checklist for reducing phishing and account takeover risk in Microsoft 365 — covering MFA, Conditional Access, and Intune device compliance.

Microsoft 365 is the most targeted platform in enterprise IT. It holds your email, files, identity, and collaboration tools — which makes it exactly what attackers go after. The good news is that most account takeovers are preventable with a handful of controls that M365 already includes.

Why M365 is the top attack surface

Business email compromise, phishing, and credential stuffing attacks are all after the same thing: a valid Microsoft account. Once an attacker has access, they can exfiltrate data, send phishing emails from your domain, and move laterally through connected systems. The average time to detect a business email compromise is over 200 days.

The default M365 security configuration is not hardened. Licenses are shipped with most security features off or in report-only mode. You need to turn them on.

1. Multi-Factor Authentication (MFA) — the single highest-ROI control

Microsoft's own data shows that MFA blocks over 99% of account compromise attacks. It is the most effective single control you can deploy, and it costs nothing extra on most M365 licenses.

  • Enable Security Defaults (free) or Conditional Access MFA (requires Entra ID P1+)
  • Require MFA for all users — including admins and shared accounts
  • Use the Microsoft Authenticator app, not SMS (SMS is vulnerable to SIM-swapping)
  • Disable legacy authentication protocols (Basic Auth, SMTP Auth) which bypass MFA

2. Entra ID Conditional Access — enforce context, not just credentials

Conditional Access lets you require additional verification based on context: who is signing in, from where, on what device, and to what application. It moves security beyond a static password.

  • Require MFA for all cloud app access
  • Block legacy authentication at the tenant level
  • Require compliant or Entra ID-joined devices for sensitive apps
  • Create a break-glass admin account that is excluded from every CA policy, so a misconfigured policy cannot lock every admin out — store its credentials offline in a sealed envelope
  • Enable Sign-in Risk policies (requires Entra ID P2) to block high-risk logins automatically
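The Conditional Access bullets in sections 1 and 2 (MFA for everyone, block legacy authentication, require a compliant device for sensitive apps, exclude the break-glass account) map almost one-to-one onto policy objects in the Microsoft Graph API. The script below is an added example, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK and assumes Entra ID P1 licensing, the `Microsoft.Graph.Identity.SignIns` module, and that you substitute the object ID of your own break-glass account for the placeholder GUID. Each policy is created in report-only mode so you can check the sign-in log for impact before switching it to enforced.

```powershell
# Added example: create the three Conditional Access policies from sections 1 and 2
# in report-only mode. Not from the original post; assumes Microsoft.Graph.Identity.SignIns
# is installed (Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: object ID of your emergency-access (break-glass) account.
$BreakGlassId = "00000000-0000-0000-0000-000000000000"

function New-ReportOnlyCaPolicy {
    param(
        [string]$Name,
        [hashtable]$Conditions,
        [hashtable]$GrantControls
    )
    $body = @{
        displayName   = $Name
        # Report-only: evaluated and logged, but never blocks a sign-in. Switch to
        # "enabled" once the sign-in log shows no unexpected impact.
        state         = "enabledForReportingButNotEnforced"
        conditions    = $Conditions
        grantControls = $GrantControls
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# CA01: require MFA for every user on every cloud app (sections 1 and 2).
New-ReportOnlyCaPolicy -Name "CA01 - Require MFA for all users" -Conditions @{
    users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
    applications   = @{ includeApplications = @("All") }
    clientAppTypes = @("all")
} -GrantControls @{ operator = "OR"; builtInControls = @("mfa") }

# CA02: block legacy authentication. "exchangeActiveSync" and "other" are the client
# app types that cannot perform MFA (Basic Auth, SMTP AUTH, older Office clients).
New-ReportOnlyCaPolicy -Name "CA02 - Block legacy authentication" -Conditions @{
    users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
    applications   = @{ includeApplications = @("All") }
    clientAppTypes = @("exchangeActiveSync", "other")
} -GrantControls @{ operator = "OR"; builtInControls = @("block") }

# CA03: require an Intune-compliant or hybrid-joined device for sensitive apps.
# "Office365" is the built-in Office 365 app group; replace with specific app IDs as needed.
New-ReportOnlyCaPolicy -Name "CA03 - Require compliant device for sensitive apps" -Conditions @{
    users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
    applications   = @{ includeApplications = @("Office365") }
    clientAppTypes = @("all")
} -GrantControls @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }

# Verify: every policy should show the break-glass account in its exclusions.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -like "CA0*" |
    Select-Object DisplayName, State,
        @{ n = "ExcludedUsers"; e = { $_.Conditions.Users.ExcludeUsers -join "," } }
```

Leave the policies in report-only mode for at least a week and review the "Report-only" tab of the Entra sign-in log before enforcing; the legacy-auth block in particular tends to surface forgotten scanners and line-of-business apps that still use Basic Auth.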

3. Intune device compliance — don't trust unmanaged endpoints

Even with MFA enabled, an unmanaged personal device accessing corporate data is a risk. Intune lets you define compliance policies and enforce them through Conditional Access.

  • Enrol all corporate devices into Intune (Windows, macOS, iOS, Android)
  • Set minimum OS version and encryption requirements
  • Require Windows Hello or PIN — remove local admin rights from standard users
  • Enable Microsoft Defender for Endpoint on all devices
  • Use Autopilot for zero-touch provisioning of new Windows devices
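The compliance requirements in the list above (minimum OS version, encryption, a PIN, Defender running) are expressed in Intune as a single compliance policy object, which Conditional Access policy CA03-style rules then consume. The script below is an added example, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK (`Microsoft.Graph.DeviceManagement` module) and assumes an Intune licence. The minimum build number is a placeholder you should set to the oldest Windows build you still support. Note that Windows Hello for Business enrolment and removal of local admin rights are configured through separate Intune configuration profiles, not the compliance policy.

```powershell
# Added example: create a Windows compliance policy matching section 3 and assign it
# to all devices. Not from the original post; assumes Microsoft.Graph.DeviceManagement.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "Win - Baseline compliance"
    description            = "Encryption, minimum OS, PIN and Defender required"
    osMinimumVersion       = "10.0.19045.0"   # placeholder: oldest supported build
    bitLockerEnabled       = $true            # disk encryption required
    secureBootEnabled      = $true
    tpmRequired            = $true
    passwordRequired       = $true            # device PIN/password to unlock
    passwordMinimumLength  = 6
    passwordRequiredType   = "numeric"
    defenderEnabled        = $true            # Microsoft Defender Antivirus running
    rtpEnabled             = $true            # real-time protection on
    activeFirewallRequired = $true
    # Graph rejects a compliance policy with no scheduled action, so state what
    # happens on non-compliance: mark the device non-compliant immediately
    # (grace period 0h), which lets Conditional Access block it.
    scheduledActionsForRule = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $policy
"Created compliance policy $($created.Id)"

# Assign to all devices via the /assign action on the policy.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.Id)/assign" `
    -Body $assignment

# Verify: list the Windows compliance policies now in the tenant.
Get-MgDeviceManagementDeviceCompliancePolicy |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq "#microsoft.graph.windows10CompliancePolicy" } |
    Select-Object DisplayName, Id
```

A zero-hour grace period is deliberate here: with a grace period, a device that has drifted out of compliance keeps its access until the period expires, which is exactly the window a stolen or unpatched laptop exploits. Pilot the policy with a device group before switching the assignment to all devices if your fleet has many older builds.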

Quick wins if you're just starting: enable MFA for all users, disable legacy auth, and run Microsoft Secure Score in your tenant. It will give you a prioritized list of what to fix first.

4. Other controls worth enabling now

  • Defender for Office 365 — anti-phishing, safe links, safe attachments
  • Exchange Online Protection — SPF, DKIM, and DMARC for your domain
  • Microsoft 365 Backup (or third-party backup) — M365 data retention is not a backup
  • Privileged Identity Management (PIM) — just-in-time admin access
  • Unified Audit Log — enable it and forward to a SIEM or monitoring tool
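Several items in this list can be verified from a console rather than by clicking through admin portals: the SPF, DKIM and DMARC records for each domain, whether DKIM signing is actually turned on in Exchange Online, the tenant-wide SMTP AUTH setting (the legacy protocol from section 1), and whether the Unified Audit Log is ingesting events. The script below is an added, read-only posture check (apart from the final step, which enables the audit log if it is off); it is not code from the original post or from Microsoft, and it assumes the `ExchangeOnlineManagement` module and the Windows `DnsClient` module that provides `Resolve-DnsName`. The domain list is a placeholder.

```powershell
# Added example: check email authentication records, DKIM signing, SMTP AUTH state and
# the Unified Audit Log. Not from the original post; assumes ExchangeOnlineManagement
# and Resolve-DnsName (Windows DnsClient module).
Connect-ExchangeOnline

$Domains = @("contoso.com")   # placeholder: replace with your accepted domains

function Test-EmailAuthRecords {
    param([string]$Domain)
    $result = [ordered]@{ Domain = $Domain; SPF = $null; DKIM = $false; DMARC = $null }

    # SPF is a TXT record at the apex; there must be exactly one v=spf1 record.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    $spf = @($txt | ForEach-Object { $_.Strings -join "" } | Where-Object { $_ -like "v=spf1*" })
    $result.SPF = switch ($spf.Count) {
        0       { "missing" }
        1       { $spf[0] }
        default { "multiple v=spf1 records (invalid)" }
    }

    # Microsoft 365 DKIM: selector1/selector2 CNAMEs pointing at your onmicrosoft.com domain.
    $cname = Resolve-DnsName -Name "selector1._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    $result.DKIM = [bool]($cname | Where-Object NameHost -like "*onmicrosoft.com")

    # DMARC is a TXT record at _dmarc.<domain>; p=none only monitors, p=quarantine/reject enforces.
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join "" } | Where-Object { $_ -like "v=DMARC1*" }
    $result.DMARC = if ($dmarc) { $dmarc } else { "missing" }

    [pscustomobject]$result
}

$Domains | ForEach-Object { Test-EmailAuthRecords -Domain $_ } | Format-List

# DNS alone is not enough: DKIM signing must also be enabled on the Exchange Online side.
Get-DkimSigningConfig | Select-Object Domain, Enabled, Status

# Tenant-wide SMTP AUTH. True means legacy SMTP AUTH is disabled for every mailbox
# unless a mailbox-level override re-enables it.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled

# Unified Audit Log ingestion; turn it on if it is off.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    "Unified Audit Log enabled; events appear after a short delay."
} else {
    "Unified Audit Log already enabled."
}
```

A DMARC record with `p=none` is the common finding here: it reports spoofing but does not stop it. Move to `p=quarantine` and then `p=reject` once the aggregate reports show all legitimate senders are passing SPF or DKIM. Enabling the audit log is only useful if something reads it, so pair it with a SIEM export or at least a scheduled `Search-UnifiedAuditLog` review.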

Where to start

Run Microsoft Secure Score (security.microsoft.com) to see your current posture and a ranked list of recommended actions. Most tenants have significant gaps even with paid E3 or E5 licenses — the features exist, they just haven't been turned on.

If you want a structured review of your M365 security configuration, the Aegisys team can walk through your tenant and prioritize what matters most for your organization and industry.
