Microsoft 365 — Exchange Online, SharePoint, Teams, OneDrive — sits on top of Entra ID and is the email + collaboration layer for most enterprises. It is also the most common entry point for attackers in 2026: phishing → credential or session theft → mailbox exfil → BEC fraud or lateral movement to Azure. This module covers the M365 security posture, Exchange-specific controls, and the Microsoft Defender stack.

The M365 attack surface

Authentication: Entra ID — covered in M1; the foundation
Email: Exchange Online — phishing in/out; mailbox exfil; BEC; auto-forward abuse
File sharing: SharePoint, OneDrive — overshared documents, external sharing, link sprawl
Collaboration: Teams — channels, files, external guest access
Apps: Power Platform (Power Apps, Power Automate) — citizen-developed apps with broad data access
Endpoints: managed via Intune; Defender for Endpoint integration

Exchange Online hardening

Anti-phishing

Microsoft Defender for Office 365 Plan 2 if budget allows; Plan 1 minimum
Safe Links — rewrite URLs in mail; check at click time
Safe Attachments — sandbox detonation before delivery
Anti-phishing policies with impersonation protection (executive lookalikes, domain lookalikes)
Mailbox auditing enabled for all mailboxes

Auth + transport

SPF, DKIM, DMARC at p=reject for sender domain (covered in DPDP/Email security)
Disable legacy authentication (POP, IMAP, SMTP basic) via Authentication Policies
Outbound spam policy with high-risk send blocking
Safe Senders / Safe Domains lists reviewed quarterly

BEC defenses

External sender warnings on emails (banner)
Conditional Access blocking sign-ins from unsupported countries
Sign-in risk policies require MFA on suspicious signins
Auto-forward to external addresses blocked or alerted
Mailbox rule changes monitored — attackers create rules to hide their tracks

SharePoint & OneDrive

External sharing settings per-tenant: most-restrictive default; opt-in to broader where business need
Sensitivity labels with auto-application via Microsoft Purview
Default link type — Specific People, not Anyone with the link
Anonymous link expiration — 30 days max
Block download/print for sensitivity-labeled docs
Conditional Access for SharePoint — require compliant device for unmanaged scenarios

Teams security

External access control — federation with which tenants?
Guest access — restrict guest permissions per business need
Meeting policies — anonymous join controls, lobby behavior
App permission policies — what apps users can install in Teams
Recording & transcription — sensitivity considerations
Information barriers — segments that cannot communicate (compliance use case)

Power Platform — the shadow IT vector

Power Apps and Power Automate let business users build apps and workflows without IT. They can connect to any data the user has access to — and share with others. Risks:

App reads sensitive data; shared with broad audience
Flow auto-forwards data externally
Connector credentials stored in user contexts; survive role changes
DLP not native; configure DLP policies explicitly

Controls:

Tenant-level DLP policies — group connectors by sensitivity, restrict cross-group flows
Environment governance — production environment with restricted creators
App auditing — review production apps quarterly for over-permission
Center of Excellence (CoE) toolkit — Microsoft-published governance accelerator

The Defender stack

Defender for Office 365 — email + Teams threat protection
Defender for Endpoint — EDR (covered in Blue Team M4)
Defender for Identity — on-prem AD telemetry (Lateral movement, Pass-the-Hash, Golden Ticket detection)
Defender for Cloud Apps (formerly MCAS) — CASB; SaaS visibility, OAuth app discovery, anomaly detection
Defender XDR — unified portal for the above

If you’ve licensed M365 E5, you have most of this. Activate it; tune it. Many tenants have it dormant.

Microsoft Purview — compliance & data governance

Sensitivity labels — classify and protect documents/emails
Data loss prevention (DLP) — block sensitive data movement (across email, Teams, SharePoint, endpoints)
Information barriers — prevent communication between defined groups
Insider risk management — detect anomalous user behavior
eDiscovery — for legal/HR investigations
Audit (Premium) — extended log retention and forensic queries

Audit and logging

Unified audit log enabled (mandatory for forensics)
Mailbox auditing enabled for all mailboxes (Microsoft enables by default since 2019; verify)
Sign-in logs to Sentinel
Audit logs retained 90 days standard; 1+ year with E5/Purview Audit Premium
Defender alerts piped to SOC ticketing

Incident response in M365

When an account is compromised:

Confirm via sign-in logs (unusual location, MFA fatigue patterns)
Disable the account immediately
Revoke active sessions/tokens
Reset password (long, complex)
Re-enable MFA setup (forces re-registration of MFA methods)
Audit mailbox rules created in last 90 days
Check sent items, drafts, deleted items
Audit Application Consents granted by the user
Audit OAuth tokens issued
Check for new sign-in risk events
If admin account: full tenant audit (new SPs, new admins, policy changes)

The recommended baseline (2026)

FIDO2 MFA for all users; phone-based methods deprecated
Conditional Access blocking legacy auth + requiring compliant devices for sensitive apps
Defender for Office 365 Plan 1 minimum, Plan 2 preferred
External sharing in SharePoint set to most-restrictive default; per-site overrides
Power Platform DLP policies in place
Sentinel ingest of M365 logs
Privileged Identity Management for all admin roles
Quarterly review of OAuth app consents

Where this leads

Module 4 covers GCP — Google Cloud’s distinct security model and the tooling that fits.

🔐 Intermediate Module · Basic Tier

Continue reading with Basic tier (₹499/month)

You've read 43% of this module. Unlock the remaining deep-dive, quiz, and every other Intermediate module.

99+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

1 more section locked below

Module 3 · Microsoft 365 Security 🔒