If your organisation uses the Microsoft Office 365 (‘O365’) ecosystem in any capacity, when did you last perform a security review of the tenant? Most companies rely on O365 for key services such as email, document storage and collaboration, yet assume that it is secure out of the box. In fact, many of the platform's security policies are not enabled by default and must be configured manually before they are enforced in your tenant.
Enter Microsoft Secure Score, a feature within Office 365 that measures your organisation's security posture and recommends actions to improve it. The maximum score depends on your licences and setup, but the scale usually runs from 0 to 450. The average score globally is around 40, which indicates that most tenants have taken none of the recommended actions, and that is quite concerning.

Below we have listed the top 5 changes to make within the platform to enhance your tenant's security.
1. Enforce Multi-Factor Authentication (MFA) for all users & administrators
Microsoft itself acknowledges that the out-of-the-box configuration does not enforce strong authentication. Enabling MFA for every account, administrators first, is the number one item on our list: a stolen, phished or sprayed password on its own no longer grants access. Exclude at least one monitored break-glass account from the policy so that a misconfigured MFA rule cannot lock your administrators out of the tenant.
2. Disable Legacy Authentication
Legacy authentication protocols (basic authentication for IMAP, POP, SMTP AUTH, Exchange ActiveSync and older Office clients) cannot complete an MFA challenge, so they offer a password-only path into the tenant; app passwords, which users can still generate for themselves under per-user MFA, are one such path. Left enabled, this lets external parties sidestep MFA entirely by password-spraying your mailboxes. Before you block it, check the sign-in logs for accounts and devices that still use legacy clients (printers, scanners and scripted mail senders are the usual offenders) so you can migrate them rather than break them.
3. Enable Audit Data recording
Microsoft does log user and administrator actions, but you only get the full unified audit log once audit logging is enabled for the tenant, and even then entries are retained for a limited period that depends on your licence (measured in months, not indefinitely). Enable it now, before you need it for an incident investigation, and forward the log to a SIEM or archive if you need longer retention.
4. Enable User Sign-in Risk policy
This Azure AD (now Microsoft Entra ID) Identity Protection policy, which requires a Premium P2 licence, scores each sign-in for indicators such as anonymous IP addresses, unfamiliar locations and leaked credentials, and challenges or blocks the risky ones. It protects against password spraying and credential stuffing and limits the damage a breached account can do. Because the remediation for a risky sign-in is an MFA challenge, it is important that the organisation has MFA enabled and users registered for it first; otherwise the policy has nothing to challenge with.
5. Do not expire passwords
It may seem odd, but the recommendation (from Microsoft and from NIST SP 800-63B alike) is that passwords should not expire on a schedule. When users are forced to change passwords frequently, the standard behaviour is to append another character to the old one, which gains nothing. It is much better to choose a long, unique password, keep it in a password manager, and change it when there is evidence of compromise (a breach notification or a risky sign-in alert) rather than on a short fixed schedule.
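The five changes above can be applied from PowerShell rather than by clicking through the admin portals. The following script is an added example written for this page, not Microsoft's own code or anything from the original post. It assumes the Microsoft Graph PowerShell SDK and the Exchange Online PowerShell module are installed, that you hold the Conditional Access Administrator and Exchange Administrator roles, that sign-in log access is licensed (Azure AD Premium P1 or P2) and that the sign-in risk policy is licensed (P2). The policy names, the break-glass object ID and the 30-day review window are placeholders. Each Conditional Access policy is created in report-only mode so you can measure its impact in the sign-in logs before switching its state to "enabled".

```powershell
# Added example (not from the original post): apply the five recommendations with
# Microsoft Graph PowerShell and Exchange Online PowerShell.
# Assumed: modules installed, suitable admin roles, licensing as noted in the lead-in.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All", "User.ReadWrite.All"
Connect-ExchangeOnline

# Placeholder: object ID of the monitored break-glass account excluded from every policy.
$breakGlass = @("<object-id-of-break-glass-account>")

# 1. Require MFA for all users and administrators, for every cloud app.
$mfaPolicy = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # flip to "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# 2a. Check who still signs in with legacy clients before blocking them.
#     Anything other than browser or modern-auth desktop/mobile clients is legacy.
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$modern = @("Browser", "Mobile Apps and Desktop clients")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $modern } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 2b. Block legacy authentication at the Conditional Access layer.
#     "exchangeActiveSync" and "other" are the client types that cannot do MFA.
$legacyPolicy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy

# 2c. Also disable basic auth at the Exchange Online layer, so no mail protocol
#     accepts a bare password even if a Conditional Access policy is mis-scoped.
#     A new authentication policy has every Allow*Basic* switch off by default.
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 3. Turn on unified audit logging and confirm the setting took effect.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# 4. Sign-in risk policy: require MFA when Identity Protection rates a
#    sign-in as medium or high risk (needs Premium P2).
$riskPolicy = @{
    displayName   = "CA003 - Require MFA for medium and high sign-in risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy

# 5. Stop forced password expiry for every user in the tenant.
Get-MgUser -All -Property Id, UserPrincipalName, PasswordPolicies |
    Where-Object { $_.PasswordPolicies -notmatch "DisablePasswordExpiration" } |
    ForEach-Object {
        Update-MgUser -UserId $_.Id -PasswordPolicies "DisablePasswordExpiration"
    }
```

Run step 2a on its own first and work through its output; every row is an account or device that will stop working when the legacy-auth block is enforced. The report-only policies show up in the sign-in log's Conditional Access tab with a "report-only" result, which is the evidence to review before changing their state. Note that blocking basic auth in Exchange Online also invalidates app passwords for mail, which is the intended effect of item 2.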