What is Microsoft 365 Security?


Microsoft 365 security covers identity, email, and collaboration protection across the M365 suite. Learn the most critical configurations, common failures, and what comprehensive assessment covers.

The Microsoft 365 Security Architecture

Microsoft 365 is not a monolithic product — it is a suite of cloud services with a layered security architecture. Understanding the layers helps clarify both where security controls apply and where gaps exist.

The identity layer — Microsoft Entra ID (formerly Azure Active Directory) — manages authentication and authorization for all Microsoft 365 services. Every login to Microsoft 365 passes through Entra ID. The security controls available at this layer — MFA policies, conditional access, sign-in risk detection, privileged identity management — are the highest-leverage controls in the Microsoft 365 security stack because they apply to every service simultaneously.

The email and collaboration layer — Exchange Online, Teams, SharePoint Online, OneDrive — is where the majority of sensitive organizational data lives and where the majority of attacks are targeted. Microsoft Defender for Office 365 provides the security filtering and threat protection for this layer. The specific features available depend on the Defender for Office 365 plan included in the Microsoft 365 license tier — Microsoft 365 Business Premium, E3, and E5 include significantly different security capabilities.

The Most Common Microsoft 365 Security Failures

Legacy authentication protocols are the most consistently identified Microsoft 365 security gap. Basic authentication over SMTP AUTH, IMAP, POP3 and similar protocols lets an email client sign in with nothing but a username and password, so MFA is never prompted: an attacker holding a compromised password can authenticate to Exchange Online through a legacy protocol regardless of the MFA policies applied to the account. Microsoft has been progressively disabling legacy authentication by default, but many organizations have legacy applications or devices that still require basic authentication, and they re-enable these MFA-bypassing protocols explicitly to keep those systems working. Blocking legacy authentication is one of the highest-impact single configuration changes available in Microsoft 365 security.

Conditional access policy gaps are the second most common critical finding. Organizations that have enabled MFA but have not configured conditional access policies to enforce it consistently — particularly for legacy protocols, unmanaged devices, and high-risk sign-ins — have MFA gaps that sophisticated attackers specifically target. Microsoft's baseline conditional access policies provide the minimum recommended configuration; organizations without these baselines enabled are operating below the minimum security standard for their Microsoft investment.
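The two fixes discussed above (block legacy authentication, enforce MFA through conditional access rather than relying on registration alone), as an added example that is not from the original article: a Microsoft Graph PowerShell script that creates the Conditional Access policies in report-only mode, followed by the Exchange Online commands that turn Basic authentication off at the tenant level. The policy names, the break-glass group ID and the example mailbox are placeholders; the risk-based policy assumes an Entra ID P2 license.

```powershell
# Added example: block legacy authentication and require MFA via Conditional Access,
# then disable Basic authentication in Exchange Online. Requires the Microsoft.Graph
# and ExchangeOnlineManagement modules and an account holding the relevant admin roles.
# The group ID below is a placeholder for your emergency-access ("break-glass") group.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real ID

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Policy 1: block clients that cannot perform MFA. "exchangeActiveSync" and "other"
# are the Graph clientAppTypes that cover legacy protocols (IMAP, POP, SMTP AUTH,
# older Office clients). Report-only first; change state to "enabled" once the
# sign-in log shows no legitimate traffic would be blocked.
$blockLegacy = @{
    displayName   = "CA001 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Policy 2: require MFA for every user on every cloud app, which closes the gap
# left when MFA is registered for users but not enforced by policy.
$requireMfa = @{
    displayName   = "CA002 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Policy 3 (needs Entra ID P2 for sign-in risk): step up to MFA on medium/high risk.
$riskyMfa = @{
    displayName   = "CA003 - Require MFA for risky sign-ins"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $riskyMfa

# Exchange Online: remove Basic auth at the source as well, so the protocols are
# off even for a client that never reaches Conditional Access.
Connect-ExchangeOnline
Set-TransportConfig -SmtpClientAuthenticationDisabled $true            # tenant-wide SMTP AUTH off
$noBasic = New-AuthenticationPolicy -Name "Block Basic Authentication"  # all AllowBasicAuth* default to $false
Set-OrganizationConfig -DefaultAuthenticationPolicy $noBasic.Identity

# A device that genuinely needs SMTP AUTH gets a per-mailbox exception rather than a
# tenant-wide re-enable (the mailbox setting overrides the tenant setting).
# Set-CASMailbox -Identity "scanner@contoso.example" -SmtpClientAuthenticationDisabled $false
```

Running the policies in report-only mode first matters: the "What If" results in the sign-in log show which devices and service accounts would be blocked, so the exceptions can be scoped to individual mailboxes instead of reopening the protocol for the whole tenant.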

Microsoft 365 Security Assessment

Microsoft 365 security configuration is one of the highest-value and most accessible components of a cyber risk assessment because Microsoft provides extensive visibility into configuration posture through its own tools. Microsoft Secure Score — a dashboard that scores the organization's Microsoft 365 security configuration against a set of recommended controls — provides an immediate view of security posture and specific remediation recommendations. However, Secure Score has limitations: it assesses configuration but not whether that configuration is correctly enforced, and some Secure Score recommendations are not appropriate for all environments.

Comprehensive Microsoft 365 security assessment covers: Entra ID configuration (MFA enforcement, conditional access policies, legacy authentication status, privileged role assignments), Exchange Online configuration (DMARC/DKIM/SPF, mail flow rules, Defender for Office 365 policies), SharePoint and OneDrive settings (external sharing policies, sensitivity label deployment), Teams configuration (external access policies, guest access settings), and audit log retention and monitoring.
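A read-only assessment pass over several of the areas just listed, as an added example rather than Cloudskope's or Microsoft's tooling. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, a Windows host for Resolve-DnsName, and a placeholder domain; the Global Administrator threshold is an assumption. SharePoint, OneDrive and Teams settings need their own modules and are not covered here.

```powershell
# Added example: collect findings for Entra ID, Exchange Online, email authentication
# DNS records and audit logging. Nothing is changed; findings are listed at the end.
$domain   = "contoso.example"   # placeholder domain
$findings = New-Object System.Collections.Generic.List[string]

Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All", "RoleManagement.Read.Directory"
Connect-ExchangeOnline

# --- Entra ID: an *enforced* Conditional Access policy must block legacy clients and
#     another must require MFA for all users. Report-only policies do not count.
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq "enabled" }
$blocksLegacy = $caPolicies | Where-Object {
    $_.Conditions.ClientAppTypes -contains "other" -and
    $_.GrantControls.BuiltInControls -contains "block"
}
if (-not $blocksLegacy) { $findings.Add("No enforced CA policy blocks legacy authentication") }

$mfaAll = $caPolicies | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains "All" -and
    $_.Conditions.Applications.IncludeApplications -contains "All" -and
    $_.GrantControls.BuiltInControls -contains "mfa"
}
if (-not $mfaAll) { $findings.Add("No enforced CA policy requires MFA for all users") }

# --- Entra ID: standing Global Administrator assignments (threshold is an assumption)
$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaCount = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All).Count
if ($gaCount -gt 5) { $findings.Add("$gaCount standing Global Administrator assignments") }

# --- Exchange Online: SMTP AUTH and Basic authentication posture
if (-not (Get-TransportConfig).SmtpClientAuthenticationDisabled) {
    $findings.Add("SMTP AUTH is enabled tenant-wide")
}
if (-not (Get-OrganizationConfig).DefaultAuthenticationPolicy) {
    $findings.Add("No default authentication policy: Basic auth is not blocked by policy")
}

# --- Exchange Online: DKIM signing per accepted domain
Get-DkimSigningConfig | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings.Add("DKIM signing not enabled for $($_.Domain)")
}

# --- DNS: SPF must exist and end in -all; DMARC must exist and not be monitor-only
$txt = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue
$spf = $txt | ForEach-Object { $_.Strings -join "" } | Where-Object { $_ -like "v=spf1*" }
if (-not $spf)                 { $findings.Add("No SPF record for $domain") }
elseif ($spf -notlike "*-all") { $findings.Add("SPF for $domain does not end in -all (soft fail or neutral)") }

$dmarcTxt = Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue
$dmarc = $dmarcTxt | ForEach-Object { $_.Strings -join "" } | Where-Object { $_ -like "v=DMARC1*" }
if (-not $dmarc)                    { $findings.Add("No DMARC record for $domain") }
elseif ($dmarc -match ";\s*p=none") { $findings.Add("DMARC policy for $domain is p=none (monitor only)") }

# --- Audit: unified audit log ingestion must be on or there is nothing to investigate later
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings.Add("Unified audit log ingestion is disabled")
}

if ($findings.Count -eq 0) { "No findings in the checked areas" }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The script checks enforcement, not just existence: a Conditional Access policy left in report-only mode is exactly the kind of configuration Secure Score can credit while the control is not actually in effect, which is the limitation noted above.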

Real-World Example: The Midnight Blizzard Microsoft Exchange Attack

In January 2024, Microsoft disclosed that Midnight Blizzard — a Russian state-sponsored threat actor — had compromised Microsoft corporate email accounts including senior leadership and security team accounts. The initial access was achieved through a legacy test tenant account that did not have MFA enabled. The attacker used password spraying to compromise the account, then used that access to pivot to additional accounts. The incident demonstrated that legacy authentication gaps — accounts without MFA enforcement — remain a critical vulnerability even for organizations with sophisticated security programs. For Microsoft 365 customers, the lesson is that legacy authentication gaps in any account, including service accounts and test accounts, represent an attack path that bypasses all conditional access policies applied to standard accounts.
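Two sign-in log checks that surface the pattern described above, as an added example and not part of the original article or Microsoft's published analysis: a list of accounts with no MFA method registered (test and service accounts included), and a password-spray signature in the last 24 hours of sign-in logs, where one source IP fails with "invalid username or password" (Entra error code 50126) across many distinct accounts. Graph access to sign-in logs assumes an Entra ID P1 license; the account threshold is an assumption to tune.

```powershell
# Added example: find MFA-less accounts and password-spray activity in Entra sign-in logs.
# Requires the Microsoft.Graph modules and, for sign-in logs via Graph, Entra ID P1.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "UserAuthenticationMethod.Read.All"

# (1) Users with nothing registered for MFA, admins listed first. Service and test
#     accounts show up here too, which is the point.
Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isMfaRegistered eq false" -All |
    Sort-Object IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered |
    Format-Table -AutoSize

# (2) Password-spray signature: group failed password attempts by source IP and count
#     the distinct accounts tried. A spray shows many accounts with few attempts each,
#     which stays under per-account lockout thresholds.
$since  = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-ddTHH:mm:ssZ")
$failed = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and status/errorCode eq 50126"

$minDistinctAccounts = 10   # assumed threshold; tune to tenant size
$failed | Group-Object IpAddress | ForEach-Object {
    $accounts = @($_.Group | Select-Object -ExpandProperty UserPrincipalName -Unique).Count
    if ($accounts -ge $minDistinctAccounts) {
        [pscustomobject]@{
            SourceIp         = $_.Name
            DistinctAccounts = $accounts
            Attempts         = $_.Count
            AttemptsPerAcct  = [math]::Round($_.Count / $accounts, 1)
            FirstSeen        = ($_.Group | Sort-Object CreatedDateTime | Select-Object -First 1).CreatedDateTime
        }
    }
} | Sort-Object DistinctAccounts -Descending | Format-Table -AutoSize

# (3) Any successful sign-in through a legacy protocol in the same window is a live
#     MFA bypass, whatever the Conditional Access policies say.
$legacy = @("Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients")
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and status/errorCode eq 0" |
    Where-Object { $legacy -contains $_.ClientAppUsed } |
    Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed, IpAddress |
    Format-Table -AutoSize
```

A source IP with dozens of distinct accounts and roughly one attempt each is the spray signature; a successful legacy-protocol sign-in from that same IP, or for an account that appears in the first list, is the case to escalate first.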

67% of organizations using Microsoft 365 have at least one critical security misconfiguration — typically legacy authentication enabled, conditional access gaps, or insufficient Defender for Office 365 configuration. The platform provides excellent security capability. Default configurations do not enable it.

How Cloudskope Can Help

Cloudskope's Microsoft 365 security assessments deliver comprehensive evaluation of your Entra ID configuration, email security, conditional access policies, legacy authentication exposure, and data governance settings — with findings delivered within 5 business days. For PE sponsors, Microsoft 365 assessment is a standard component of our M&A cyber due diligence program and our portfolio security review service.