Microsoft Office 365 is built from the ground up to be a highly secure platform, but that doesn’t necessarily mean that your own Office 365 environment is configured securely. There are numerous different ways that organisations can use Office 365, and just as many ways that it can be configured.

Ultimately the responsibility for securing your Office 365 environment, and the information and data stored in there, rests with you. Microsoft provides the platform and the means, but it’s up to you to consider your unique situation and ensure that appropriate security measures are taken.

So how do you know if your Office 365 environment is secure? Every organisation is different, and with so many ways of using and securing Office 365 there is no one-size-fits-all solution. The good news is that there are some well-established best-practices that can significantly strengthen the security of your environment.

Here are five critical questions that you need to ask about your Office 365 security to ensure that you’re properly protected.

#1. What Microsoft Office 365 plan do we use?

Let me start by saying that Microsoft has a frustrating habit of changing product names and bundles regularly, which can lead to some confusion. So, for the sake of clarity, let me share a bit of history with you.

First there were the Office 365 plans, offering a suite of products such as Word, Excel, Email and Teams. Then Microsoft added a whole new line of plans called Microsoft 365, which included all the things from Office 365, plus added a whole lot more, mainly to do with security and governance. Then more recently the Office 365 name has been retired entirely, leaving only Microsoft 365 plans to choose from. If you were using Office 365 plans before these changes happened, you will still be on those same Office 365 plans now.

It’s important to understand which Microsoft Office 365 plan you subscribe to, because not all of them have access to the better security features. For most organisations, we recommend that you subscribe to the Microsoft 365 Business Premium plan, or for some larger organisations, the enterprise level Microsoft 365 E3 or Microsoft 365 E5 plans. The important services that are included in these plans (but not the lower plans) are Azure Information Protection and Intune, both of which bring a range of security and data governance capabilities to your environment.


Review all your Microsoft Office 365 subscriptions and consider upgrading any that are not Microsoft 365 Business Premium, E3 or E5 so that you can take advantage of the better security and governance capabilities.

#2. What’s our Microsoft Secure Score?

Microsoft Secure Score is a rating of your organisation’s Microsoft 365 security posture, compiled from a range of configurations, metrics and various other data points, depending on what Microsoft 365 plan you subscribe to, and what services you use. The higher the number, the more secure you are.

In addition to a numeric score, the Secure Score dashboard will also provide actionable insights and prioritized recommendations tailored to your unique needs. By following these recommendations, you can progressively improve your Secure Score and strengthen the security posture of your Microsoft 365 environment to provide better protection for your confidential data.


Review your Secure Score and progressively implement the recommendations to improve your score.

#3. Is Multi-factor Authentication enabled on all our Microsoft 365 accounts?

Multi-factor authentication (MFA) is an authentication method that requires a user to provide two or more verification factors to prove their identity and gain access to your Microsoft 365 environment, most often a password plus a unique code provided by a separate app.

Despite being one of the most effective cybersecurity measures you can implement in your Microsoft 365 environment, MFA is not always enabled by default or enforced across all accounts. The important point to remember is that your security is only as strong as the weakest link, so for MFA to be most effective it must be enforced on all accounts in your Microsoft 365 environment, not only some of them.


Review all accounts in your Microsoft 365 environment and enable MFA where necessary. Configure Microsoft 365 to enforce MFA on all accounts by default.

Read more: 3 reasons you need to enable Multi-factor Authentication (MFA) today

#4. Are we using dedicated Microsoft 365 admin user accounts?

Every Microsoft 365 environment has one or more “admin” user accounts. These accounts possess elevated privileges that allow them to perform sensitive tasks such as changing system settings and accessing data anywhere across the environment. These admin privileges can be seen as the “keys to the kingdom”, and if allowed to fall into the wrong hands can be exploited to cause significant damage.

User accounts used for everyday tasks such as checking email and editing work documents should never be granted such elevated admin privileges, so as to reduce any potential harm should the account be compromised. Instead, dedicated “admin” accounts should only ever be used for duties requiring elevated security privileges.

Not only does this approach reduce the risk of accidental changes or security breaches, but it also makes it easier to monitor and audit their activities, improving accountability and traceability of any suspicious actions taken within your Microsoft 365 environment.


Review all user accounts in your Microsoft 365 environment for elevated admin privileges and remove such privileges in favor of dedicated admin accounts.

#5. How are we monitoring for suspicious activity within Microsoft 365?

Even with a well secured Microsoft 365 environment, ongoing monitoring and alerting of unusual activity is important for the prevention of a full-blown security incident. Monitoring can help identify a range of suspicious activities, such as multiple failed login attempts, unusual data access or transfers, and changes in user permissions. These could be signs of a brute force attack, data breach, or insider threat.

Moreover, monitoring isn’t just about detection, it’s also about response. When you spot suspicious activity, you can quickly investigate, take corrective action, and learn from the incident to strengthen your defenses.


Ensure monitoring is configured within your Microsoft 365 environment, and alerts are sent to the most appropriate person to take action as required.

Microsoft 365 is a highly secure platform, but that doesn’t mean that your organisation’s Microsoft 365 environment is secure by default. Microsoft provides the means, but ultimately, it’s up to you to ensure that your environment is secured appropriately, and that starts with asking the right questions.

If you have questions about your Microsoft 365 security, Grassroots IT can help. Speak with us today.