Microsoft 365 ships reasonably secure, but a handful of defaults are looser than a small business wants—and a few of the best protections are switched off until you turn them on. This guide walks through each one in the order we'd do it. You don't have to do everything in one sitting; even the first three steps dramatically cut your risk.
First, a note on licenses
A few features below—Safe Links, Safe Attachments, and impersonation protection—require Microsoft Defender for Office 365, which is included in Microsoft 365 Business Premium or sold as an add-on. Everything else—MFA, external tagging, blocking auto-forwarding, SPF/DKIM/DMARC—works on any plan, including Business Basic and Standard. We flag the Defender-only steps as we go.
You'll move between three admin areas. It's worth bookmarking them:
- Microsoft Entra admin center (entra.microsoft.com) — identity and MFA.
- Microsoft Defender portal (security.microsoft.com) — email threat protection.
- Exchange admin center (admin.exchange.microsoft.com) — mail flow and mailbox settings.
A couple of settings are only available in Exchange Online PowerShell; we'll give you the exact command.
1. Require MFA for everyone
Stolen or guessed passwords are how the overwhelming majority of Microsoft 365 accounts get taken over. Multi-factor authentication blocks the vast majority of those attempts. This is the single highest-impact change on the list—do it first.
The simple path (any plan): turn on Security Defaults, which forces every user to register for MFA and blocks legacy authentication in one move.
- Go to entra.microsoft.com → Identity → Overview → Properties.
- Select Manage security defaults, set it to Enabled, and save.
The flexible path (Business Premium / Entra ID P1): use Conditional Access instead, which lets you require MFA with finer control—trusted locations, specific apps, and an excluded break-glass account. Create a policy that requires MFA for all users and all cloud apps.
- Prefer phishing-resistant methods: the Microsoft Authenticator app with number matching, or passkeys. Avoid text-message codes where you can—they can be intercepted or SIM-swapped.
- Keep one break-glass admin account (cloud-only, a long unique passphrase, credentials stored somewhere safe) excluded from Conditional Access so a misconfiguration can't lock you out—then monitor it closely.
2. Block legacy authentication
Old protocols—legacy/basic auth used by outdated Outlook versions, POP, IMAP, and SMTP—can't do MFA, so they're a favorite way to slip past it. Microsoft has retired Basic Auth in Exchange Online for most tenants, but you should confirm it's truly off.
- If you enabled Security Defaults above, legacy auth is already blocked.
- If you use Conditional Access, add a policy named "Block legacy authentication" targeting the legacy clients and set it to Block.
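If you take the Conditional Access route, the two policies from steps 1 and 2 can be created from Microsoft Graph PowerShell rather than clicked together in the portal. The script below is an added example for this guide, not Microsoft's own sample; it assumes the Microsoft.Graph module is installed and the break-glass account name is a placeholder for yours.

```powershell
# Added example (not from the original guide): create the "require MFA" and
# "block legacy authentication" Conditional Access policies with Microsoft Graph
# PowerShell. Requires Entra ID P1 (included in Business Premium).
# Install-Module Microsoft.Graph -Scope CurrentUser   # once, if not installed
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Look up the break-glass account so it can be excluded from both policies.
$breakGlass = Get-MgUser -UserId "breakglass@yourdomain.example"   # placeholder UPN

# Policy 1: require MFA for all users on all cloud apps. Created in report-only
# mode so you can check the sign-in logs for unexpected impact before enforcing.
$mfaPolicy = @{
    displayName   = "Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2: block legacy authentication. "exchangeActiveSync" and "other" are the
# client app types that cover basic-auth clients (older Outlook, POP, IMAP, SMTP).
$legacyPolicy = @{
    displayName   = "Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy

# Once the report-only results look clean, switch each policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <policy id> -BodyParameter @{ state = "enabled" }
```

Both policies start in report-only mode on purpose: the sign-in logs will show which users and apps would have been blocked, which is how you catch a forgotten scanner or an old mail client before it stops working. Leave the break-glass account excluded and set an alert on its sign-ins.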
3. Turn on external-sender warnings
Two small features make impersonation and look-alike senders far easier for your team to catch. Turn on both.
External email tag. This stamps a visible "External" tag on any message from outside your organization, so a "CEO" email that's actually external stands out immediately. Run this in Exchange Online PowerShell:
- Set-ExternalInOutlook -Enabled $true
- It can take 24–48 hours to appear in everyone's Outlook. You can also add trusted partner domains to an allow-list so their mail isn't tagged.
First contact safety tip. This shows a gentle banner the first time you receive mail from someone you don't normally correspond with—exactly when impersonation is most likely.
- Go to security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Anti-phishing.
- Open your policy and enable Show first contact safety tip. (If you turn on preset policies in step 5, this is included.)
4. Stop external auto-forwarding
A classic business-email-compromise move: an attacker who gets into a mailbox quietly sets a rule forwarding every message to an outside address, then reads your mail for weeks. Block external auto-forwarding for the whole organization.
- Go to security.microsoft.com → Threat policies → Anti-spam.
- Open the Anti-spam outbound policy, and under Automatic forwarding rules set it to Off (forwarding disabled).
- While you're at it, review existing inbox rules across mailboxes for any surprise forwards.
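The outbound policy setting and the "review existing forwards" step can both be done from Exchange Online PowerShell, which also catches the forwards you would miss by opening mailboxes one at a time. This is an added example for this guide, not Microsoft's or the author's script; it assumes the ExchangeOnlineManagement module is installed and uses placeholder addresses.

```powershell
# Added example (not from the original guide): disable external auto-forwarding
# org-wide, then inventory every existing forward so surprises can be reviewed.
Connect-ExchangeOnline

# 4a. The setting behind "Automatic forwarding rules: Off" in the outbound spam policy.
Set-HostedOutboundSpamFilterPolicy -Identity "Default" -AutoForwardingMode Off

# 4b. Mailbox-level forwarding (set by an admin, or by the user in Outlook settings).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 4c. Inbox rules that forward or redirect. A compromised-mailbox rule is often
# disabled or hidden rather than deleted, so list those too.
$forwardingRules = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
$forwardingRules | Format-Table -AutoSize

# Remove a rule you have confirmed is unwanted (placeholder mailbox and rule name):
# Remove-InboxRule -Mailbox "user@yourdomain.example" -Identity "<rule name>"
```

Run the inventory once after turning forwarding off and then on a schedule; a new external forward appearing in a mailbox that never had one is one of the clearest signs of a compromised account.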
5. Switch on preset security policies
This is the one-click way to apply Microsoft's recommended anti-spam, anti-malware, anti-phishing, Safe Links, and Safe Attachments settings—and Microsoft keeps them current for you, so you're not hand-tuning dozens of toggles.
- Go to security.microsoft.com → Threat policies → Preset security policies.
- Turn on Standard protection for all users. Strict is more aggressive—great protection, but more legitimate mail lands in quarantine, so review it before rolling out widely.
The Safe Links and Safe Attachments portions of the preset require Defender for Office 365 (see the licensing note above); the anti-spam, anti-malware, and spoof protection work on every plan.
6. Harden anti-impersonation & spoofing
Spoofing fakes your domain; impersonation fakes a specific person (your owner, your bookkeeper) or a partner company. The preset policy covers the basics, but it's worth naming your highest-risk people and domains explicitly.
- Spoof intelligence (every plan): make sure it's on in the anti-phishing policy—it catches mail that forges your own domain.
- User impersonation protection (Defender): add the handful of people most likely to be impersonated—owner, finance, HR—so look-alike display names get flagged.
- Domain impersonation (Defender): protect your own domain and key vendors against near-identical look-alikes.
- Set the action for detected impersonation to Quarantine rather than just a warning, and enable mailbox intelligence.
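The first-contact safety tip from step 3 and every setting in this step live in the same anti-phishing policy, so they can be set in one Exchange Online PowerShell call. The script below is an added example for this guide, not Microsoft's own; the people, addresses and vendor domain are placeholders for your own, and the user and domain impersonation settings need Defender for Office 365.

```powershell
# Added example (not from the original guide): tune the default anti-phishing
# policy for steps 3 and 6. Names and domains below are placeholders.
Connect-ExchangeOnline

$settings = @{
    Identity                            = "Office365 AntiPhish Default"   # built-in default policy
    EnableFirstContactSafetyTips        = $true                           # step 3
    EnableSpoofIntelligence             = $true                           # every plan
    # User impersonation (Defender): "Display Name;address" pairs for your high-risk people.
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @(
        "Jane Owner;jane@yourdomain.example",
        "Sam Finance;sam@yourdomain.example"
    )
    TargetedUserProtectionAction        = "Quarantine"
    # Domain impersonation (Defender): your own accepted domains plus key vendors.
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @("keyvendor.example")
    TargetedDomainProtectionAction      = "Quarantine"
    # Mailbox intelligence learns each user's normal contacts and flags look-alikes.
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = "Quarantine"
}
Set-AntiPhishPolicy @settings

# Read the policy back to confirm the settings took effect.
Get-AntiPhishPolicy -Identity $settings.Identity |
    Select-Object EnableFirstContactSafetyTips, EnableSpoofIntelligence,
                  EnableTargetedUserProtection, TargetedUserProtectionAction,
                  EnableTargetedDomainsProtection, TargetedDomainProtectionAction,
                  EnableMailboxIntelligenceProtection, MailboxIntelligenceProtectionAction
```

Keep the protected-user list short and current: it should be the handful of people whose name on an email would make staff act without thinking, and it needs updating when one of them leaves.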
7. Safe Links & Safe Attachments (Defender)
These are the protections people notice most.
- Safe Links checks a URL at the moment you click it—not just when the mail arrived—so a link that's weaponized after delivery is still caught. It covers email and Teams.
- Safe Attachments opens attachments in an isolated sandbox first and only delivers them if they're clean.
Both turn on automatically with the Standard or Strict preset in step 5. If you'd rather tune them, create custom policies under Threat policies → Safe Links and Threat policies → Safe Attachments.
8. Set up SPF, DKIM & DMARC
These three DNS records prove that mail claiming to be from your domain really is—and stop scammers spoofing you to your own customers and staff. You add them at your domain's DNS host.
- SPF — add (or confirm) a TXT record: v=spf1 include:spf.protection.outlook.com -all
- DKIM — go to security.microsoft.com → Email & collaboration → Email authentication settings → DKIM, enable signing for your domain, then add the two CNAME records Microsoft shows you.
- DMARC — publish a TXT record at _dmarc.yourdomain.com. Start in monitor mode: v=DMARC1; p=none; rua=mailto:[email protected]. Once the reports look clean, tighten to p=quarantine and eventually p=reject.
Start DMARC at p=none so you don't accidentally block your own legitimate mail (newsletters, invoicing tools) before you've confirmed they're aligned.
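Once the records are published, it's worth checking all three from the outside rather than trusting the DNS host's form. The script below is an added example for this guide, not Microsoft's own: it enables DKIM signing from Exchange Online PowerShell, prints the two CNAME targets to publish, and then resolves SPF, DKIM and DMARC with the Windows Resolve-DnsName cmdlet. The domain is a placeholder.

```powershell
# Added example (not from the original guide): set up DKIM signing and verify
# SPF, DKIM and DMARC from DNS. Resolve-DnsName needs the Windows DnsClient module.
$domain = "yourdomain.example"   # placeholder

Connect-ExchangeOnline
# Create the DKIM config if it doesn't exist yet, then read the CNAME targets to publish.
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -Enabled $false
}
Get-DkimSigningConfig -Identity $domain | Select-Object Selector1CNAME, Selector2CNAME
# After both CNAMEs are in DNS:  Set-DkimSigningConfig -Identity $domain -Enabled $true

function Test-MailAuthRecords {
    param([string]$Domain)

    # A TXT record can be split into several strings; join each record before matching.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    $spf = $txt | ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1

    $dkim = foreach ($s in "selector1", "selector2") {
        Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    }

    $dmarcTxt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue
    $dmarc = $dmarcTxt | ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $dmarcPolicy = if ($dmarc -and $dmarc -match 'p=(\w+)') { $matches[1] } else { $null }

    [pscustomobject]@{
        Domain          = $Domain
        SpfRecord       = $spf
        SpfIncludesM365 = [bool]($spf -and $spf -match 'include:spf\.protection\.outlook\.com')
        SpfHardFail     = [bool]($spf -and $spf -match '-all$')
        DkimSelectors   = @($dkim | ForEach-Object { $_.NameHost })   # expect two CNAME targets
        DmarcRecord     = $dmarc
        DmarcPolicy     = $dmarcPolicy                                  # none / quarantine / reject
    }
}

Test-MailAuthRecords -Domain $domain
```

The check is most useful twice: right after publishing, when an empty DkimSelectors or a missing DMARC record means a typo in DNS, and again when you tighten DMARC, to confirm DmarcPolicy really reads quarantine or reject.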
9. Turn off unused protocols
If nobody uses POP or IMAP—and on modern Outlook, almost nobody does—turn them off. They're a common path for password-spray attacks and they sidestep some protections.
- Go to admin.exchange.microsoft.com → Recipients → Mailboxes, open a user, and under Manage email apps uncheck POP and IMAP.
- Disable SMTP AUTH unless a specific device or app (like a scanner or a line-of-business app) genuinely needs it—then scope it to just that mailbox.
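Turning protocols off mailbox by mailbox doesn't scale past a few users, and it doesn't cover mailboxes created next month. The script below is an added example for this guide, not Microsoft's own; it finds what is still enabled, switches it off for everyone, re-enables SMTP AUTH for a single placeholder scanner mailbox, and changes the default for new mailboxes.

```powershell
# Added example (not from the original guide): report on and disable POP, IMAP and
# SMTP AUTH in Exchange Online PowerShell. The scanner address is a placeholder.
Connect-ExchangeOnline

# Org-wide SMTP AUTH switch. A per-mailbox setting can still re-enable it for one device.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Report: who still has a legacy protocol enabled? For SmtpClientAuthenticationDisabled,
# $null means "inherit the org setting", so only an explicit $false is a per-mailbox override.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object Identity, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled |
    Format-Table -AutoSize

# Disable POP and IMAP everywhere and clear any per-mailbox SMTP AUTH override.
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true

# Re-enable SMTP AUTH only on the one mailbox a device genuinely needs (placeholder).
Set-CASMailbox -Identity "scanner@yourdomain.example" -SmtpClientAuthenticationDisabled $false

# Make the same defaults apply to mailboxes created in future.
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false
```

Run the report section first and keep its output; anything that shows up as enabled is either a device you need to scope an exception for or a setting nobody remembers turning on.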
10. Watch for trouble
Locking the doors is most of the job; the rest is noticing when someone rattles them.
- Mailbox auditing is on by default—confirm it's still enabled so you have a record if an account is compromised.
- Turn on alert policies for risky behavior—suspicious email sending, new forwarding rules, suspected impersonation—at security.microsoft.com → Policies & rules → Alert policy.
- Periodically skim the unified audit log and sign-in logs for logins from unexpected places.
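"Skimming the audit log" is easier with a saved query. The script below is an added example for this guide, not Microsoft's own: it confirms the org-level audit switch and then pulls the last week of inbox-rule and forwarding changes from the unified audit log, the activity that step 4 warns about.

```powershell
# Added example (not from the original guide): confirm auditing is on and search
# the unified audit log for rule and forwarding changes in Exchange Online PowerShell.
Connect-ExchangeOnline

# Org-level switch: AuditDisabled must be $false for mailbox auditing to run by default.
Get-OrganizationConfig | Select-Object AuditDisabled
# If it reads $true:  Set-OrganizationConfig -AuditDisabled $false

# Operations that create or change inbox rules, plus Set-Mailbox (mailbox-level forwarding).
$ops = "New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations $ops -ResultSize 5000

$events | ForEach-Object {
    # AuditData is a JSON blob; Parameters lists the cmdlet arguments that were used.
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        ClientIP  = $d.ClientIP
        Params    = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
} |
    # Keep every rule change, but Set-Mailbox only when it touched forwarding.
    Where-Object { $_.Operation -ne 'Set-Mailbox' -or $_.Params -match 'Forward|Redirect' } |
    Sort-Object When -Descending |
    Format-Table -AutoSize
```

The ClientIP column is the useful one: a rule created from an address or country the user has never signed in from is worth a phone call, even if the rule itself looks harmless. Search-UnifiedAuditLog returns at most 5,000 results per call, so shorten the window on a busy tenant.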
Your Microsoft 365 hardening checklist
- MFA required for all users (Security Defaults or Conditional Access)
- Legacy / basic authentication blocked
- External-sender tag + first-contact safety tip turned on
- External auto-forwarding disabled org-wide
- Standard (or Strict) preset security policy enabled
- Impersonation & spoof protection tuned for your key people
- Safe Links & Safe Attachments on (Defender for Office 365)
- SPF, DKIM, and DMARC published
- Unused POP / IMAP / SMTP AUTH switched off
- Audit logging on and alert policies configured
Microsoft moves these settings and renames portals from time to time, so a menu may sit a click away from where it's described here. The setting and policy names used above are stable search terms: if a path has moved, searching the admin center for the name will get you there.