Microsoft 365 security: 7 controls to implement first
Microsoft 365 is often well-configured at the start… then business use cases, guests, project teams and licenses pile up. That’s when the attack surface grows. Here’s a sequence of 7 simple controls to regain control without blocking the business.
Last updated: November 1, 2025 · Written by AspharTech Solutions
Why start with these 7 controls?
In 90% of the environments we assess, the gaps don’t come from a Microsoft flaw but from a series of small decisions: links shared with "Everyone", guest accounts never cleaned up, MFA not enforced for everyone, shared mailboxes that are too open, no access reviews. The good news: these problems can be fixed quickly.
The list below is intentionally short, actionable, and doesn’t necessarily require you to buy extra modules. You can roll it out over several iterations.
Control #1
Roll out multi-factor authentication (MFA) broadly
MFA is still the single most effective control against stolen or phished passwords. In many tenants it is enforced only for IT or executives, not for ordinary users, guests or service accounts, and those are exactly the accounts attackers go after.
- Enforce MFA through Conditional Access policies (by role, group or location) rather than legacy per-user MFA settings, and start in report-only mode to see who would be affected.
- Include guest accounts in the MFA policy (a policy scoped to "All users" already covers B2B guests).
- Document the exceptions (application and service accounts, emergency-access accounts) so they can be handled separately: excluded from the policy, restricted by other means such as named locations, and monitored.
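Before enforcing anything, it helps to know who is not MFA-registered today, guests and admins included. The script below is an added example (Microsoft Graph PowerShell, not the post's own tooling) that pulls the authentication-methods registration report and writes the gaps to a CSV; it assumes the Microsoft.Graph.Reports module and the Entra ID P1/P2 licensing that report requires, and the output path `.\mfa-gaps.csv` is just a placeholder.

```powershell
# Added example: list accounts that are not MFA-registered, guests included,
# so the Conditional Access rollout can be sized and the exceptions written down
# before enforcement. Requires Microsoft.Graph.Reports and Entra ID P1/P2.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$noMfa = $details | Where-Object { -not $_.IsMfaRegistered }

# Quick count per user type (member / guest) so you can size the rollout.
$noMfa | Group-Object UserType | ForEach-Object {
    [pscustomobject]@{ UserType = $_.Name; NotMfaRegistered = $_.Count }
} | Format-Table -AutoSize

# Admins without MFA are the first fix, guests without MFA the second.
$noMfa |
    Sort-Object -Property IsAdmin, UserType -Descending |
    Select-Object UserPrincipalName, UserType, IsAdmin, IsMfaCapable, DefaultMfaMethod |
    Export-Csv -Path ".\mfa-gaps.csv" -NoTypeInformation -Encoding UTF8   # placeholder path
```

One caveat when reading the guest rows: a B2B guest only shows as registered if they registered MFA in your tenant. If your cross-tenant access settings trust the home tenant's MFA, those guests will satisfy the policy without appearing as registered here, so check that setting before treating every guest row as a gap.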
Control #2
Clean up guest accounts and inactive accounts
M365 environments that collaborate with vendors, agencies, consultants or students quickly accumulate guests. A guest that is no longer used but still allowed to sign in is an open door.
What to do: list guests who haven't signed in for 60–90 days (the sign-in activity is visible in the Entra admin center and through the Graph signInActivity property), disable them, delete them after a grace period (deleted accounts stay in the recycle bin for 30 days), and set up a monthly review.
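Here is that two-step cleanup as an added example in Microsoft Graph PowerShell (not a script from the post). It reports by default and only changes anything with `-Apply`; it remembers when each guest was disabled in a local CSV ledger (`.\guest-ledger.csv`, a hypothetical file) so the grace period can be enforced on the next run. Reading signInActivity needs the AuditLog.Read.All scope and an Entra ID P1/P2 license.

```powershell
# Added example: disable guests idle for $StaleDays days, delete those that have
# been disabled for $GraceDays days. Dry run unless -Apply is given.
param(
    [int]$StaleDays = 90,
    [int]$GraceDays = 30,
    [switch]$Apply
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All" -NoWelcome

$ledgerPath = ".\guest-ledger.csv"                       # hypothetical ledger of disable dates
$ledger = if (Test-Path $ledgerPath) { @(Import-Csv $ledgerPath) } else { @() }
$now = Get-Date

# signInActivity cannot be combined with other $filter terms server-side,
# so filter on userType only and evaluate the dates locally.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, UserPrincipalName, DisplayName, AccountEnabled, CreatedDateTime, SignInActivity

foreach ($g in $guests) {
    # Most recent of: interactive sign-in, non-interactive sign-in, creation date.
    # The creation date covers guests who were invited but never signed in.
    $last = @($g.SignInActivity.LastSignInDateTime,
              $g.SignInActivity.LastNonInteractiveSignInDateTime,
              $g.CreatedDateTime) | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    $idle  = ($now - $last).Days
    $entry = $ledger | Where-Object Id -eq $g.Id

    if ($g.AccountEnabled -and $idle -ge $StaleDays) {
        Write-Output "DISABLE $($g.UserPrincipalName) (idle $idle days)"
        if ($Apply) {
            Update-MgUser -UserId $g.Id -AccountEnabled:$false
            $ledger += [pscustomobject]@{ Id = $g.Id; Upn = $g.UserPrincipalName; DisabledOn = $now.ToString('o') }
        }
    }
    elseif (-not $g.AccountEnabled -and $entry -and ($now - [datetime]$entry.DisabledOn).Days -ge $GraceDays) {
        Write-Output "DELETE  $($g.UserPrincipalName) (disabled on $($entry.DisabledOn))"
        if ($Apply) {
            Remove-MgUser -UserId $g.Id            # soft delete: recoverable for 30 days
            $ledger = @($ledger | Where-Object Id -ne $g.Id)
        }
    }
}

if ($Apply) { $ledger | Export-Csv $ledgerPath -NoTypeInformation }
```

Run it once a month without `-Apply`, review the DISABLE/DELETE lines with the business owners, then run it again with `-Apply`. Guests that were disabled by hand rather than by this script have no ledger entry and are deliberately left alone.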
Control #3
Find and close public / anonymous sharing links
SharePoint and OneDrive make collaboration easy… sometimes too easy. A link created for a one-off need can stay active for months, and an anonymous ("Anyone") link works for whoever has it, no sign-in required.
The goal is not to forbid sharing, but to make it traceable and time-limited.
- Run a report on existing anonymous links (the unified audit log records AnonymousLinkCreated and AnonymousLinkUsed events, and the tenant admin can list sites where anonymous links are still allowed).
- Set a default expiry for anonymous links at tenant level and make "view only" the default link type.
- Require authentication on sensitive sites: disable anonymous links there, or restrict sharing to existing guests.
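Those three steps, as an added example that is not part of the original post. It uses the SharePoint Online Management Shell for the settings and Exchange Online PowerShell for the audit-log report; the tenant name `contoso`, the Finance site URL and the CSV path are placeholders.

```powershell
# Added example: report anonymous sharing, then tighten the defaults.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"      # placeholder tenant

# 1. Sites where anonymous ("Anyone") links are still allowed.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability

# 2. Anonymous links created or used in the last 30 days, from the unified audit log.
Connect-ExchangeOnline -ShowBanner:$false
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations AnonymousLinkCreated, AnonymousLinkUsed -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, Operation, UserId, ObjectId, ClientIP |
    Export-Csv ".\anonymous-links.csv" -NoTypeInformation                # placeholder path

# 3. Tenant defaults: anonymous links expire after 30 days, new links default to
#    "people in your organization", and anonymous links are view-only.
Set-SPOTenant -RequireAnonymousLinksExpireInDays 30 `
              -DefaultSharingLinkType Internal `
              -FileAnonymousLinkType View -FolderAnonymousLinkType View

# 4. Sensitive site: no anonymous links at all, only authenticated guests.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" `
            -SharingCapability ExternalUserSharingOnly
```

Step 3 only affects links created from now on; links that already exist keep working until they expire or are removed, which is why the report in step 2 matters. A single `Search-UnifiedAuditLog` call returns at most 5000 records, so page by date range on a busy tenant.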
Control #4
Secure privileged and service accounts
Global admin accounts and application/service accounts are prime targets. They need to be isolated, monitored and used as rarely as possible: dedicated cloud-only admin accounts separate from the person's everyday mailbox account, the fewest possible standing assignments, and a couple of documented emergency-access ("break-glass") accounts kept out of the policies but closely monitored.
Tip: create an “M365 Admins – secured” group that enforces all the strong rules (mandatory phishing-resistant MFA, Conditional Access, no external access).
Control #5
Enable logging and keep logs long enough
Many M365 incidents are hard to investigate because logging was never checked or the log retention is too short for the incident to still be visible. Law 25 (Quebec) and GDPR expectations also push towards stronger traceability.
Check the retention actually in force rather than assuming it: Audit (Standard) currently keeps unified audit log events for 180 days, and Audit (Premium) lets you define retention policies of up to one year (ten years with the add-on). Aim for at least 90 days, more if you can, and if you have a SIEM, forward the important events there (sign-ins, admin changes, mailbox rules, sharing operations).
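An added example of that check, not from the post, in Exchange Online PowerShell: confirm the unified audit log is on, show the retention policies already defined, add a one-year policy for the record types investigations rely on most, and run a smoke test. The custom retention policy assumes Audit (Premium) licensing; the policy name is a placeholder.

```powershell
# Added example: verify audit logging and retention, create a 12-month policy.
Connect-ExchangeOnline -ShowBanner:$false

$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log is OFF; enabling it (events start flowing within hours)."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Custom retention policies already in place (none = the license default applies).
Get-UnifiedAuditLogRetentionPolicy | Select-Object Name, RecordTypes, RetentionDuration, Priority

# Keep sign-in, Exchange and SharePoint events for 12 months (Audit Premium).
# Lower Priority wins when policies overlap.
New-UnifiedAuditLogRetentionPolicy -Name "Core investigations - 12 months" `
    -RecordTypes AzureActiveDirectoryStsLogon, ExchangeItem, ExchangeAdmin,
                 SharePointFileOperation, SharePointSharingOperation `
    -RetentionDuration TwelveMonths -Priority 100

# Smoke test: recent events should come back.
Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-24) -EndDate (Get-Date) -ResultSize 5 |
    Select-Object CreationDate, Operations, UserIds
```

If the smoke test returns nothing on a tenant that was just enabled, wait a few hours and rerun it rather than assuming the configuration failed. Retention policies apply to events ingested from the moment they are created; they do not extend the life of events that have already been deleted.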
Control #6
Control the devices that access M365
If any device can connect (unencrypted personal phone, unpatched PC), all the work done inside M365 is weakened. Even a simple rule like “no full access from non-compliant devices” significantly raises your security level. Roll it out in report-only mode first and scope it to your own users: guests' devices are not enrolled in your tenant, so a compliant-device rule that includes them simply blocks them.
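Controls #1, #4 and #6 are all Conditional Access policies, so here is one added example (Microsoft Graph PowerShell, not the post's own configuration) that creates the three of them in report-only mode: MFA for everyone with documented exclusions, phishing-resistant MFA for Global Administrators, and a compliant-device requirement for members only. The two group IDs are placeholders for your break-glass group and your documented exceptions group; the role template ID and the authentication-strength ID are Microsoft's built-in values.

```powershell
# Added example: three report-only Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

$breakGlassGroup   = "00000000-0000-0000-0000-00000000aaaa"   # placeholder: emergency-access accounts
$mfaExceptionGroup = "00000000-0000-0000-0000-00000000bbbb"   # placeholder: documented app/service accounts
$globalAdminRole   = "62e90394-69f5-4237-9190-012177145e10"   # built-in Global Administrator role template
$phishingResistant = "00000000-0000-0000-0000-000000000004"   # built-in "Phishing-resistant MFA" strength

function New-ReportOnlyCaPolicy {
    param([string]$Name, [hashtable]$Users, [hashtable]$Grant)
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName = $Name
        state       = "enabledForReportingButNotEnforced"   # flip to "enabled" after reviewing sign-in logs
        conditions  = @{
            users          = $Users
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = $Grant
    }
}

# Control #1: MFA for everyone. "All" already includes B2B guests.
# Break-glass and documented exceptions are excluded and must be constrained elsewhere.
New-ReportOnlyCaPolicy -Name "CA01 - Require MFA for all users" `
    -Users @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup, $mfaExceptionGroup) } `
    -Grant @{ operator = "OR"; builtInControls = @("mfa") }

# Control #4: privileged roles need phishing-resistant MFA; no exceptions group here.
New-ReportOnlyCaPolicy -Name "CA02 - Phishing-resistant MFA for admins" `
    -Users @{ includeRoles = @($globalAdminRole); excludeGroups = @($breakGlassGroup) } `
    -Grant @{ operator = "OR"; authenticationStrength = @{ id = $phishingResistant } }

# Control #6: members need an Intune-compliant or hybrid-joined device.
# Guests are excluded: their devices are not enrolled in this tenant.
New-ReportOnlyCaPolicy -Name "CA03 - Require compliant device" `
    -Users @{
        includeUsers  = @("All")
        excludeGroups = @($breakGlassGroup)
        excludeGuestsOrExternalUsers = @{
            guestOrExternalUserTypes = "internalGuest,b2bCollaborationGuest,b2bCollaborationMember,otherExternalUser"
            externalTenants = @{
                "@odata.type"  = "#microsoft.graph.conditionalAccessAllExternalTenants"
                membershipKind = "all"
            }
        }
    } `
    -Grant @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
```

Leave the policies in report-only for a week or two and read the "Report-only" column in the sign-in logs: every account that would have been blocked by CA01 is either a user to onboard to MFA or an exception to document in `$mfaExceptionGroup`. Never exclude the break-glass group from monitoring just because it is excluded from the policies.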
Control #7
Inventory applications connected to M365
Third-party apps connected to Microsoft 365 (signature tools, automation, CRM, business apps) sometimes hold more OAuth permissions than they actually need, delegated ("act as the user") as well as application ("act on the whole tenant") permissions. A regular inventory helps you identify overly permissive or unused applications.
This is also where cost optimization becomes possible: unused licenses, accounts never used, access left for former employees.
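An added example of such an inventory (Microsoft Graph PowerShell, not the post's own script): it walks the enterprise applications, resolves both the delegated OAuth2 grants and the application app-role assignments into permission names, and flags the broad ones. The `$highRisk` list is a judgement call to adapt, and the CSV path is a placeholder.

```powershell
# Added example: inventory enterprise apps with the Graph permissions granted to them.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

$highRisk = @("Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "Sites.FullControl.All",
              "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.ReadWrite.All")

# Cache the app roles of each resource API (e.g. Microsoft Graph) so role IDs can be named.
$roleNames = @{}

$rows = foreach ($sp in Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'") {
    $perms = @()

    # Delegated permissions: one grant per (client, resource, consent type); scopes are space-separated.
    foreach ($grant in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All) {
        $perms += ($grant.Scope -split ' ') | Where-Object { $_ } | ForEach-Object { "delegated:$_" }
    }

    # Application permissions: app role assignments, resolved against the resource's AppRoles.
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        if (-not $roleNames.ContainsKey($a.ResourceId)) {
            $res = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId -Property AppRoles
            $roleNames[$a.ResourceId] = @{}
            foreach ($r in $res.AppRoles) { $roleNames[$a.ResourceId][$r.Id] = $r.Value }
        }
        $perms += "application:" + $roleNames[$a.ResourceId][$a.AppRoleId]
    }

    [pscustomobject]@{
        DisplayName = $sp.DisplayName
        AppId       = $sp.AppId
        Publisher   = $sp.PublisherName
        Permissions = ($perms | Sort-Object -Unique) -join ';'
        HighRisk    = ($perms | Where-Object { ($_ -split ':')[1] -in $highRisk } | Sort-Object -Unique) -join ';'
    }
}

$rows | Where-Object HighRisk | Sort-Object DisplayName |
    Format-Table DisplayName, Publisher, HighRisk -AutoSize
$rows | Export-Csv ".\app-inventory.csv" -NoTypeInformation -Encoding UTF8   # placeholder path
```

Two things to keep in mind when reading the output. Microsoft's own first-party applications show up too and will dominate the list, so sort by publisher before getting alarmed. And a delegated grant with consent type "Principal" was consented by one user for themselves, whereas "AllPrincipals" was admin-consented for everybody; the second kind deserves the closer look. To find the unused ones, Entra's service principal sign-in activity report (still a beta Graph endpoint) gives a last sign-in date per application.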
What comes after these 7 controls?
You can then move to a more formal quarterly review (reports, compliance, SIEM integration, DLP, alert scenarios). The key is to build a solid foundation before making the architecture more complex.
For multi-entity environments or those with a lot of temporary accounts, automation quickly becomes almost mandatory.
