Office 365 security roadmap - Top priorities for the first 30 days, 90 days, and beyond

This article includes top recommendations from Microsoft’s cybersecurity team for implementing security capabilities to protect your Office 365 environment. This article is adapted from a Microsoft Ignite session — Secure Office 365 like a cybersecurity pro: Top priorities for the first 30 days, 90 days, and beyond. This session was developed and presented by Mark Simos and Matt Kemelhar, Enterprise Cybersecurity Architects.

In this article:

Roadmap outcomes

These roadmap recommendations are staged across three phases in a logical order with the following goals.

30 days

90 days



Rapid configuration:

  • Basic admin protections

  • Logging and analytics

  • Basic identity protections

Tenant configuration

Prepare stakeholders

Advanced protections:

  • Admin accounts

  • Data & user accounts

Visibility into compliance, threat, and user needs

Adapt and implement default policies and protections

Adjust and refine key policies and controls

Extend protections to on-premises dependencies

Integrate with business and security processes (legal, insider threat, etc.)

30 days — powerful quick wins

These tasks can be accomplished quickly and have low impact to users.



Security management

Threat protection

  • Connect Office 365 to Microsoft Cloud App Security to start monitoring using the default threat detection policies for anomalous behaviors. It takes seven days to build a baseline for anomaly detection.

  • Implement protection for admin accounts:

    • Use dedicated admin accounts for admin activity.

    • Enforce multi-factor authentication (MFA) for admin accounts.

    • Use a highly secure Windows 10 device for admin activity.

Identity and access management

Enable Azure Active Directory Identity Protection.

For federated identity environments, enforce account security (password length, age, complexity, etc.).

Information protection

Review example information protection recommendations. Information protection requires coordination across your organization. Get started with these resources:

90 days — enhanced protections

These tasks take a bit more time to plan and implement but greatly increase your security posture.



Security management

  • Check Secure Score for recommended actions for your environment (

  • Continue to regularly review dashboards and reports in the Office 365 Security and Compliance Center, Cloud App Security, and SIEM tools.

  • Look for and implement software updates.

  • Conduct attack simulations for spear-phishing, password-spray, and brute-force password attacks using Attack Simulator (included with Office 365 Threat Intelligence).

  • Look for sharing risk by reviewing the built-in reports in Cloud App Security (on the Investigate tab).

  • Check Compliance Manager to review status for regulations that apply to your organization (such as GDPR, NIST 800-171).

Threat protection

Implement enhanced protections for admin accounts:

Configure a security information and event management (SIEM) tool to collect logging data from Office 365, Cloud App Security, and other services, including AD FS. The Office 365 Audit Log stores data for only 90 days. Capturing this data in SIEM tool allows you to store data for a longer period.

Identity and access management

Enable and enforce MFA for all users.

Adapt and implement conditional access policies. These resources include example policies that work together:

Information protection

Adapt and implement information protection policies. These resources include examples:

Use data loss prevention policies and monitoring tools in Office 365 for data stored in Office 365 (instead of Cloud App Security). Use Cloud App Security with Office 365 for advanced alerting features (other than data loss prevention).


These are important security measures that build on previous work.



Security management

  • Continue planning next actions by using Secure Score (

  • Continue to regularly review dashboards and reports in the Office 365 Security and Compliance Center, Cloud App Security, and SIEM tools.

  • Continue to look for and implement software updates.

  • Integrate eDiscovery into your legal and threat response processes.

Threat protection

  • Implement Secure Privileged Access (SPA) for identity components on premises (AD, AD FS).

  • Use Cloud App Security to monitor for insider threats.

  • Discover shadow IT SaaS usage by using Cloud App Security.

Identity and access management

Refine information protection policies:

  • Azure Information Protection and Office 365 data loss prevention (DLP).

  • Cloud App Security policies and alerts.

Information protection

  • Refine policies and operational processes.

  • Use Azure AD Identity Protection to identify insider threats.

Also see: How to mitigate rapid cyberattacks such as Petya and WannaCrypt.

Expand your Office skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.