Microsoft 365 security configuration in 2026 extends far beyond basic endpoint protection. With AI-powered agents, enhanced collaboration features, and expanded external access capabilities, a single misconfiguration can expose your clients to data breaches, compliance violations, and operational disruption.
The challenge for MSPs managing multiple client tenants isn’t just knowing which settings exist—it’s implementing them consistently across dozens or hundreds of environments while maintaining visibility into configuration drift. Microsoft introduced 20+ new security controls in 2026, but only 40% of organizations have properly configured critical protections like Baseline Security Mode or external access restrictions.
This guide identifies the essential security settings every Microsoft 365 tenant requires in 2026, organized by implementation priority. You’ll learn which controls deliver immediate risk reduction, how to configure them efficiently across multiple tenants, and which settings require careful client-specific evaluation before deployment.
For MSPs and consultants responsible for client security postures, these configurations represent the baseline protection standard your clients expect. The difference between a secure tenant and a compromised one often comes down to these specific settings being properly configured.
Priority 1: Authentication and Access Control Settings
Authentication vulnerabilities remain the primary attack vector for Microsoft 365 compromises. The following settings establish fundamental identity protection across your client tenants.
Enable Baseline Security Mode
Microsoft Baseline Security Mode consolidates 20 critical security controls into a centralized management interface. Previously scattered across PowerShell scripts and multiple admin portals, these protections now deploy through a unified workflow in the Microsoft 365 admin center.
The feature divides controls into two categories: seven low-impact policies that apply immediately without disruption, and 13 additional controls that generate impact reports before deployment. This tiered approach lets MSPs implement fundamental protections instantly while evaluating client-specific dependencies for advanced controls.
Configuration Path: Settings > Org Settings > Security & Privacy > Baseline Security Mode
Implementation Strategy: Enable automatic application of default policies immediately for all new client onboarding. For existing clients, run impact reports first to identify potential application dependencies before enabling the remaining controls.
Common Dependencies: Exchange Web Services settings may affect legacy email archiving tools or third-party integrations. SharePoint custom scripts may conflict with existing automation. Teams resource account controls require architectural review for meeting room configurations.
License Requirement: Available across all Microsoft 365 subscriptions
Required Admin Role: Security Administrator or Global Administrator
The impact analysis capability represents the critical differentiator that makes Baseline Security Mode practical for MSP deployments. You can preview effects before committing changes, reducing the risk of unexpected client disruption that erodes trust and generates support tickets.
Block Legacy Authentication Protocols
Legacy authentication protocols that don’t support modern security mechanisms like multi-factor authentication continue enabling the majority of successful account compromises. Microsoft reports that organizations blocking these protocols experience 67% fewer credential-based attacks.
Basic authentication in Exchange, legacy RPS protocols in SharePoint, and older authentication methods across Microsoft 365 apps all create attack surfaces that sophisticated threat actors routinely exploit. The transition to modern authentication protocols should be universal across your client base.
Configuration Method: Baseline Security Mode includes multiple legacy protocol blocking controls, or configure individually through Conditional Access policies and service-specific PowerShell cmdlets.
Key Protocols to Block:
- Basic authentication in Exchange Online
- Legacy browser authentication (RPS) in SharePoint/OneDrive
- Legacy client authentication (IDCRL) in SharePoint/OneDrive
- Legacy authentication flows organization-wide through Conditional Access
Client Communication: Legacy protocol blocking occasionally affects older mobile devices or third-party email clients. Provide clients with 30-day advance notice and specific instructions for updating to modern authentication methods.
Implement Phishing-Resistant MFA for Administrators
Administrative accounts represent the highest-value targets in any Microsoft 365 environment. Traditional SMS or authenticator app-based MFA remains vulnerable to sophisticated phishing attacks, AiTM (Adversary-in-the-Middle) techniques, and prompt fatigue exploitation.
Phishing-resistant authentication using FIDO2 security keys, Windows Hello for Business, or certificate-based authentication provides cryptographic proof that can’t be intercepted, forwarded, or replayed by attackers. This protection should be mandatory for all administrative access.
Configuration Path: Entra ID > Conditional Access > Create policy targeting admin roles requiring phishing-resistant authentication methods
Implementation Considerations: Budget for FIDO2 keys (typically $20-50 per admin). Plan onboarding sessions to configure Windows Hello for Business or distribute and register security keys. Establish key recovery procedures for lost or damaged devices.
Policy Scope: Apply to all privileged directory roles: Global Administrators, Security Administrators, Exchange Administrators, SharePoint Administrators, Teams Administrators, and any custom roles with elevated permissions.
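The two Conditional Access policies described above (blocking legacy authentication flows organization-wide, and requiring phishing-resistant authentication for privileged roles) can be created with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the article or from 365TUNE. It assumes the Microsoft.Graph module is installed, that the signed-in account can manage Conditional Access, and that an emergency-access ("break glass") account already exists; its UPN is a placeholder. Both policies are created in report-only mode so the impact shows up in sign-in logs during the 30-day notice period before anything is enforced.

```powershell
# Added example: create both Conditional Access policies in report-only mode.
# Assumptions: Microsoft.Graph module installed; caller may manage Conditional Access;
# $breakGlassUpn is a placeholder for the client's existing emergency-access account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Directory.Read.All"

$breakGlassUpn = "breakglass@contoso.example"   # placeholder, replace per client
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'" -Property Id
if (-not $breakGlass) { throw "Emergency-access account not found; create it before applying admin policies" }

# Resolve the privileged role template ids by display name instead of hard-coding GUIDs
$roleNames = @("Global Administrator","Security Administrator","Exchange Administrator",
               "SharePoint Administrator","Teams Administrator")
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $roleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

# Built-in authentication strength "Phishing-resistant MFA" (FIDO2, WHfB, certificate-based).
# Confirm the id in the tenant with Get-MgPolicyAuthenticationStrengthPolicy.
$phishingResistantId = "00000000-0000-0000-0000-000000000004"

# Policy 1: privileged roles must satisfy the phishing-resistant strength for every app
$adminPolicy = @{
    displayName = "Admins: require phishing-resistant MFA (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles = @($roleIds)
            excludeUsers = @($breakGlass.Id)   # keep the break-glass account out of the policy
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistantId }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminPolicy

# Policy 2: block legacy authentication clients (Exchange ActiveSync and "other clients",
# which covers basic auth in IMAP/POP/SMTP AUTH and older Office clients)
$legacyPolicy = @{
    displayName = "Block legacy authentication (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync","other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy
```

After the notice period, review the report-only results in the sign-in logs, then switch each policy's `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`. Excluding the emergency-access account is deliberate: a FIDO2 key that is lost or a mis-scoped role condition must not lock every administrator out of the tenant.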
Enable QR Code Authentication for Frontline Workers
For clients with frontline workers, deskless employees, or shared device scenarios, traditional username/password authentication creates friction and security risks. QR code authentication combined with device-bound PINs provides secure, passwordless access that works efficiently in manufacturing, retail, healthcare, and similar environments.
Users authenticate by scanning a QR code displayed on the sign-in screen with their mobile device, then entering a PIN. The cryptographic exchange eliminates password transmission and protects against credential theft.
Configuration Path: Entra ID > Authentication Methods > Policies > QR Code
Target Users: Enable for specific security groups containing frontline worker accounts. Avoid enabling organization-wide to prevent confusion among office-based employees accustomed to traditional authentication.
License Requirement: Microsoft 365 F1/F3/E3/E5, Entra ID P1/P2
Configuration Options:
- QR PIN length: 6-12 digits (recommend 8 minimum)
- QR PIN lifetime: 5-60 minutes (recommend 10 minutes for balance between security and usability)
Control External User Consent for Applications
Default Microsoft 365 configurations allow users to grant third-party applications access to organizational data through consent prompts. While convenient for productivity, this practice bypasses IT review and creates significant data exfiltration risk.
Restrict user consent to only Microsoft-verified publishers and applications classified as low risk. This forces review of any application requiring elevated permissions or coming from unvetted publishers.
Configuration Path: Entra ID > Enterprise Applications > Consent and Permissions > User Consent Settings
Recommended Configuration:
- Allow user consent for apps from verified publishers with low-risk permissions
- Require admin approval for all other consent requests
- Configure admin consent workflow to notify IT teams of pending requests
Admin Consent Workflow: Designated reviewers receive notifications when users attempt to consent to restricted applications. Reviewers can approve, deny, or request additional information before granting access.
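The same user consent restriction can be applied and verified from PowerShell, which is useful when the setting has to be checked across many tenants. The following is an added example, not the article's or 365TUNE's code; it assumes the Microsoft.Graph module and a caller permitted to update the tenant authorization policy. It assigns the built-in permission grant policy that corresponds to the "verified publishers, low-risk permissions" option and then fails loudly if the tenant still carries the legacy "consent to any app" policy.

```powershell
# Added example: restrict self-service consent to verified publishers with low-risk permissions.
# Assumptions: Microsoft.Graph module installed; caller holds Policy.ReadWrite.Authorization.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Built-in permission grant policies (ids are Microsoft's, not tenant-specific):
#   ...microsoft-user-default-low    = verified publishers, low-risk permissions only
#   ...microsoft-user-default-legacy = users may consent to any app (the risky default)
$lowRiskPolicy = "ManagePermissionGrantsForSelf.microsoft-user-default-low"
$legacyPolicy  = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"

Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    permissionGrantPoliciesAssigned = @($lowRiskPolicy)
}

# Read back the effective setting so the change is recorded as evidence, not assumed
$assigned = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
if ($assigned -contains $legacyPolicy) {
    throw "Tenant still permits unrestricted user consent"
}
if ($assigned -notcontains $lowRiskPolicy) {
    Write-Warning "User consent is fully disabled; every app will require admin approval"
}
"User consent policies assigned: $($assigned -join ', ')"
```

Everything outside the low-risk policy then lands in the admin consent workflow, so the reviewers named in that workflow see every request for elevated permissions or from unverified publishers.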
Priority 2: Collaboration and Data Protection Settings
Modern Microsoft 365 environments enable extensive collaboration with external users and across organizational boundaries. These settings ensure collaboration doesn’t compromise security.
Enforce Granular External Access Controls in Teams
Traditional Teams external access settings apply tenant-wide, creating all-or-nothing scenarios where you either allow external federation or block it entirely. New granular controls let you create custom policies for specific users or groups.
This capability proves essential for clients where sales teams require unrestricted external collaboration while finance, legal, or R&D departments need strict controls.
Configuration Method: PowerShell (Teams admin center support coming in future release)
# Requires the MicrosoftTeams PowerShell module; connect first
Connect-MicrosoftTeams
# Tenant-wide federation setting (a per-user external access policy overrides this for assigned users)
Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants "Allowed"
# Create policy for restricted departments
New-CsExternalAccessPolicy -Identity "Finance-Restricted" -EnableFederationAccess $false
# Assign to specific users (replace user@domain.com with the target account)
Grant-CsExternalAccessPolicy -Identity user@domain.com -PolicyName "Finance-Restricted"
# Confirm the assignment took effect
Get-CsOnlineUser -Identity user@domain.com | Select-Object UserPrincipalName, ExternalAccessPolicy
Use Cases:
- Finance: Block all external access
- Legal: Allow only specific trusted partner domains
- Sales: Enable unrestricted external collaboration
- R&D: Block external access except for verified partner organizations
License Requirement: Standard Microsoft 365 licenses
Enable File Protection in Microsoft Teams
Teams file attachments represent a persistent attack vector. Malicious actors embed exploits in documents, spreadsheets, and other file types that execute when users open attachments sent through seemingly legitimate Teams messages.
File protection scans attachments for weaponizable file types and dangerous content before allowing message delivery. Blocked files generate notifications to both sender and recipient, creating awareness of the attempted threat.
Configuration Path: Teams Admin Center > Messaging > Messaging Settings > Weaponizable File Protection
Protected File Types: The feature automatically updates based on current threat intelligence, but commonly includes:
- Executable files (.exe, .dll, .cmd, .bat, .ps1)
- Script files (.js, .vbs, .wsf)
- Archive files containing executables
- Office files with embedded macros from untrusted sources
False Positive Management: Legitimate file transfers occasionally trigger blocks. Establish a process for users to report false positives and configure exceptions for trusted internal workflows that require transferring script files or executables.
Block Malicious URLs in Teams Messages
Phishing links in Teams messages exploit user trust in internal communication platforms. Microsoft Defender URL scanning analyzes links in real-time, checking against threat intelligence databases and analyzing destination websites for malicious content.
Suspicious links are blocked and replaced with warning messages, preventing users from inadvertently compromising credentials or downloading malware.
Configuration Path: Teams Admin Center > Messaging > Messaging Settings > Malicious URL Protection
Protection Scope: Covers all links in:
- Direct messages (1:1 chats)
- Group chats
- Channel conversations
- Meeting chat windows
Time-of-Click Protection: URLs are re-scanned when clicked, not just when initially sent. This catches links that become compromised after the original message, such as legitimate sites that get hacked or domains that change ownership.
Prevent Screen Capture in Sensitive Teams Meetings
Certain client meetings involve confidential information, M&A discussions, privileged legal communications, or sensitive HR matters where unauthorized recording creates serious risk. Screen capture prevention blocks device-level screenshot tools and recording software during specific meetings.
Configuration Location: Meeting Options > Advanced Protection > Prevent Screen Capture
License Requirement: Microsoft Teams Premium
Implementation Note: This is a per-meeting setting that must be enabled by meeting organizers, not a tenant-wide default. MSPs should:
- Document the feature in client security policies
- Train meeting organizers on when and how to enable protection
- Create meeting templates with protection pre-enabled for sensitive meeting types
Technical Limitation: Prevents capture using device native tools but can’t prevent external cameras or phone photos. Consider supplementing with organization-wide policies against recording meetings without consent.
Enforce SharePoint Content Security Policy
Content Security Policy (CSP) enforcement instructs browsers which resources a SharePoint page is permitted to load. This protection prevents cross-site scripting (XSS) attacks, malicious code injection, and unauthorized script execution that bypasses other security controls.
Microsoft will automatically enable CSP enforcement for all tenants on March 1, 2026. MSPs should enable it now to identify and remediate any custom solutions that depend on blocked resources before the forced migration.
Configuration Method: SharePoint Online PowerShell
# Connect to the client's SharePoint admin endpoint first (replace <tenant> with the tenant name)
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
Set-SPOTenant -EnforceContentSecurityPolicyConfiguration $true
# Confirm the setting
Get-SPOTenant | Select-Object EnforceContentSecurityPolicyConfiguration
Impact Analysis: Custom SharePoint Framework (SPFx) solutions, embedded scripts, and third-party integrations may break once CSP enforcement is turned on. Test in non-production sites first. Document any required exemptions or code modifications.
Remediation Path: Solutions failing CSP validation need code updates to:
- Load resources from approved origins only
- Eliminate inline JavaScript and CSS
- Use Content Security Policy meta tags appropriately
- Remove dependencies on deprecated APIs
Implement Data Security Posture Management
Data Security Posture Management (DSPM) in Microsoft Purview provides unified visibility into sensitive data exposure, policy gaps, and risky user behavior across Microsoft 365. The platform correlates insights from DLP, Information Protection, Insider Risk Management, and Adaptive Protection to generate actionable security recommendations.
DSPM identifies unprotected sensitive data, unusual access patterns, policy violations, and configuration weaknesses that create compliance and security risk.
Configuration Path: Microsoft Purview Portal > Data Security Posture Management > Turn on Analytics
License Requirement: Microsoft 365 E5 or Purview Suite
Key Capabilities:
- Auto-discovery of sensitive content without protection
- Risk scoring for users based on activity patterns
- Policy gap identification (sensitive data types without corresponding DLP policies)
- Remediation recommendations prioritized by risk
MSP Implementation: DSPM becomes particularly valuable when managing clients with compliance requirements (HIPAA, GDPR, SOC 2, etc.). The unified dashboard eliminates manual correlation across multiple security tools and generates evidence for auditors.
Priority 3: Exchange and Email Security Settings
Email remains the primary entry point for security threats. These controls harden Exchange Online against common attack vectors.
Block Direct Send in Exchange Online
Direct Send allows devices and applications to send email from organizational domains without authentication. While convenient for on-premises printers, scanners, and legacy applications, this capability enables threat actors who compromise these devices to send convincing phishing emails from legitimate domains.
The new Reject Direct Send setting blocks all unauthenticated SMTP submission at the tenant level.
Configuration Method: Exchange Online PowerShell
# Requires the ExchangeOnlineManagement module; connect first
Connect-ExchangeOnline
Set-OrganizationConfig -RejectDirectSend $true
# Confirm the setting (allow the propagation time noted below before testing a device)
Get-OrganizationConfig | Select-Object RejectDirectSend
Propagation Time: 30 minutes for change to take effect across all Exchange Online servers
Migration Planning: Before enabling, identify all devices and applications using Direct Send:
- Multifunction printers with scan-to-email
- Legacy application servers sending alerts
- Monitoring systems generating email notifications
- Security cameras with email alert features
Alternative Authentication Methods:
- Microsoft 365 SMTP relay (requires device registration)
- Application-specific passwords for basic auth clients
- Modern authentication with OAuth 2.0 for supported applications
Disable Organization-Wide EWS Access
Exchange Web Services (EWS) provides programmatic access to mailboxes, calendars, and contacts. While necessary for some integrations, organization-wide EWS access creates extensive attack surface. Compromised credentials with EWS access enable attackers to exfiltrate all email, calendar, and contact data programmatically.
Microsoft’s modern alternative, Microsoft Graph API, provides equivalent functionality with better security, throttling, and monitoring.
Configuration Path: Available through Baseline Security Mode or Exchange Online PowerShell
Migration Considerations:
- First-party Outlook features and web add-ins require specific build versions
- Third-party applications may need updates to use Graph API instead of EWS
- Cross-tenant calendar sharing currently requires EWS (Microsoft working on Graph API support)
Minimum Required Builds:
- Current Channel: Already available
- Monthly Enterprise Channel: October 2025
- Semi-Annual Channel: January 2026
Phased Rollout Strategy:
- Audit current EWS usage to identify affected applications
- Contact vendors for Graph API migration timelines
- Test Graph API alternatives in pilot group
- Disable EWS once all critical applications migrate
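The audit and pilot steps of the rollout above can be scripted against Exchange Online. The following is an added example, not code from the article or from 365TUNE; it assumes the ExchangeOnlineManagement module and a distribution group named "EWS-Pilot" (placeholder) whose members are the pilot users. It records the tenant-wide EWS posture, exports every mailbox that still has EWS enabled (explicitly or by inheriting the organization default), disables EWS for the pilot group only, and leaves the tenant-wide switch commented out until the vendor migrations are done.

```powershell
# Added example: EWS audit and phased disable.
# Assumptions: ExchangeOnlineManagement module installed; "EWS-Pilot" is a placeholder group name.
Connect-ExchangeOnline

# 1. Tenant-wide posture: is EWS on, and is an application allow-list already in place?
Get-OrganizationConfig |
    Select-Object EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList

# 2. Mailboxes where EWS is still usable. EwsEnabled is $null when a mailbox inherits the
#    organization setting, so anything that is not explicitly $false counts as enabled.
$ewsMailboxes = Get-EXOCASMailbox -ResultSize Unlimited -Properties EwsEnabled |
    Where-Object { $_.EwsEnabled -ne $false }
$ewsMailboxes |
    Select-Object PrimarySmtpAddress, EwsEnabled |
    Export-Csv -Path ".\ews-mailboxes.csv" -NoTypeInformation
"Mailboxes with EWS enabled: $($ewsMailboxes.Count)"

# 3. Pilot: disable EWS per mailbox for the pilot group and watch for application breakage
$pilot = Get-DistributionGroupMember -Identity "EWS-Pilot" |
    Select-Object -ExpandProperty PrimarySmtpAddress
foreach ($address in $pilot) {
    Set-CASMailbox -Identity $address -EwsEnabled $false
    "EWS disabled for $address"
}

# 4. Only after every critical application is on Graph API: disable tenant-wide.
#    Per-mailbox $true values still override this, so clear those as part of the cutover.
# Set-OrganizationConfig -EwsEnabled $false
```

Keep the exported CSV with the client record: it is the "before" evidence auditors ask for, and it is the list to diff against once the tenant-wide setting is flipped.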
Prevent Personal Email Accounts in Outlook
Microsoft Outlook allows users to add personal email accounts (Gmail, Yahoo, etc.) alongside their work accounts for convenience. This feature creates data loss risks through accidental sending from wrong accounts, intentional data exfiltration, and difficulty enforcing DLP policies on personal accounts.
Configuration Method: Exchange Online PowerShell
# Connect with Connect-ExchangeOnline first. The tenant's default OWA mailbox policy is named "OwaMailboxPolicy-Default";
# run Get-OwaMailboxPolicy to confirm and to list any additional policies that need the same change.
Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -PersonalAccountsEnabled $false -PersonalAccountsCalendarEnabled $false
Current Limitation: This setting only prevents adding NEW personal accounts. Previously added accounts remain functional. Microsoft is developing functionality to remove existing personal accounts.
User Communication: Provide clear notification before implementing this restriction. Explain security rationale and provide alternatives for users who legitimately need access to personal email during work hours (separate device, web browser, mobile phone).
Priority 4: Settings to Disable for Security
Some Microsoft 365 features, while designed for convenience and collaboration, introduce security risks that outweigh their benefits for most organizations.
Disable “Chat with Anyone” in Microsoft Teams
Teams “Chat with Anyone” allows users to initiate chats with external users by email address without requiring B2B guest invitation or admin approval. While convenient, this bypasses traditional access controls and eliminates IT visibility into external collaboration.
Configuration Method: Teams PowerShell
# Requires the MicrosoftTeams PowerShell module; connect first
Connect-MicrosoftTeams
Set-CsTeamsMessagingPolicy -Identity Global -UseB2BInvitesToAddExternalUsers $false
# Repeat for any custom messaging policies assigned to users; Get-CsTeamsMessagingPolicy lists them
Risk Factors:
- No admin approval or review of external relationships
- Difficult to audit external communication
- Potential for social engineering and pretexting attacks
- Data loss through unmonitored external channels
Alternative: Maintain formal B2B guest invitation process that provides:
- IT visibility into external relationships
- Conditional Access policy enforcement
- Terms of use acknowledgment
- MFA requirements for external users
Block Auto-Archiving in Exchange Online
Auto-archiving automatically moves older items to archive mailboxes when primary mailboxes reach 96% capacity. While this prevents delivery failures, it can interfere with backup strategies, complicate eDiscovery, and create compliance concerns if data moves to archives outside retention policies.
Configuration Method: Disable per-mailbox via PowerShell
# Connect with Connect-ExchangeOnline first; replace user@domain.com with the target mailbox
Set-Mailbox user@domain.com -AutoArchivingEnabled $false
Considerations: Auto-archiving can only be configured per mailbox, not tenant-wide. For clients where you manage archiving through third-party solutions or have specific compliance requirements, disable auto-archiving for the affected mailboxes.
Alternative Approaches:
- Increase primary mailbox quotas where appropriate
- Implement retention policies that automatically delete aged items
- Use litigation hold for compliance rather than relying on archives
Restrict Apps and Agents from External Publishers
Microsoft 365 now supports AI agents and applications from external publishers. While this enables ecosystem innovation, external agents execute with delegated user permissions and may handle data according to third-party privacy policies outside your control.
Configuration Path: Microsoft 365 Admin Center > Agents > Settings > Allowed Agent Types
Recommended Configuration: Uncheck “Allow apps and agents built by external publishers” unless specific business requirements justify the risk.
Risk Assessment Factors:
- External agents may access all data their authorizing user can access
- Third-party privacy policies may permit data retention or usage beyond your organization’s policies
- Security incidents involving external agents are outside your security team’s visibility and control
- Compliance frameworks may prohibit delegating data access to unverified third parties
Automating Security Configuration Across Client Tenants
Manually configuring these settings across multiple client tenants introduces inconsistency, configuration drift, and significant time investment that doesn’t scale. Security automation platforms purpose-built for MSPs eliminate this operational burden.
The Security Configuration Challenge at Scale
Managing 20+ security settings across 50 client tenants means 1,000+ individual configuration points. Each setting requires:
- Initial configuration
- Documentation of current state
- Periodic validation of configuration persistence
- Remediation when settings drift from desired state
- Evidence collection for client reporting and compliance audits
Manual processes for this scope inevitably create gaps. Some clients receive comprehensive protection while others operate with partial configurations based on when they onboarded or which technician performed the setup.
Automated Security Scanning and Compliance
Platforms like 365TUNE provide automated tenant scanning that validates security configuration status across all client environments simultaneously. The system identifies:
- Which Baseline Security Mode controls are enabled/disabled per tenant
- Legacy authentication protocol status
- External access configurations
- File protection and URL scanning deployment
- Configuration drift from established security baselines
This visibility transforms security management from reactive ticket-driven work to proactive portfolio-level governance. You identify and remediate gaps before they become security incidents.
Standardized Security Templates for Client Classes
Not all clients require identical security configurations. Regulated industries (healthcare, finance, legal) need stricter controls than general businesses. Organizations with extensive external collaboration require different settings than isolated internal environments.
Security templates let you define standard configurations for each client class, then apply and monitor these standards consistently. Templates typically include:
- Regulated Clients: Maximum security with strict external access controls, mandatory phishing-resistant MFA, disabled personal accounts, full Baseline Security Mode
- Standard Enterprise: Balanced security with selective external access, standard MFA, core Baseline Security Mode controls
- Small Business: Simplified security focused on critical controls without excessive operational burden
Continuous Compliance Monitoring and Remediation
Security configurations don’t remain static. Microsoft updates default settings, administrators make changes for specific scenarios and forget to revert them, and licensing changes can disable security features. Continuous monitoring validates configuration persistence and triggers automatic remediation or alerts when drift occurs.
This capability proves particularly valuable for clients with compliance requirements (SOC 2, ISO 27001, HIPAA, etc.) where auditors expect evidence of ongoing security control effectiveness, not just point-in-time configurations.
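The drift check that underpins template-based management and continuous monitoring is small enough to show in full. The script below is an added example, not 365TUNE's code; it defines one baseline per client class using settings from this guide, compares a per-tenant snapshot against the baseline for that tenant's class, and returns one row per drifted setting. The snapshots here are constructed sample data for two fictional tenants; in practice they would be populated from Get-OrganizationConfig, Get-OwaMailboxPolicy, Get-MgIdentityConditionalAccessPolicy and similar read-only calls.

```powershell
# Added example: baseline templates per client class and a drift check against tenant snapshots.
# Setting names are labels chosen for this example; the snapshot values are constructed.
$Templates = @{
    Regulated = @{
        RejectDirectSend          = $true
        EwsEnabled                = $false
        PersonalAccountsEnabled   = $false
        LegacyAuthBlocked         = $true
        PhishingResistantAdminMfa = $true
    }
    Standard = @{
        RejectDirectSend          = $true
        EwsEnabled                = $false
        LegacyAuthBlocked         = $true
        PhishingResistantAdminMfa = $true
    }
}

function Get-ConfigDrift {
    param(
        [Parameter(Mandatory)][string]$TenantName,
        [Parameter(Mandatory)][string]$ClientClass,
        [Parameter(Mandatory)][hashtable]$Snapshot
    )
    $baseline = $Templates[$ClientClass]
    if (-not $baseline) { throw "Unknown client class '$ClientClass' for tenant $TenantName" }

    foreach ($setting in $baseline.Keys) {
        $expected = $baseline[$setting]
        # A setting the scan did not capture is drift too: "unknown" is not "compliant"
        $captured = $Snapshot.ContainsKey($setting)
        $actual   = if ($captured) { $Snapshot[$setting] } else { $null }
        if (-not $captured -or $actual -ne $expected) {
            $shown = if ($captured) { $actual } else { "<not captured>" }
            [pscustomobject]@{
                Tenant   = $TenantName
                Class    = $ClientClass
                Setting  = $setting
                Expected = $expected
                Actual   = $shown
            }
        }
    }
}

# Constructed sample snapshots for two fictional tenants (not real data)
$snapshots = @(
    @{ Name = "Contoso Health"; Class = "Regulated"
       State = @{ RejectDirectSend = $true;  EwsEnabled = $true;  PersonalAccountsEnabled = $false
                  LegacyAuthBlocked = $true; PhishingResistantAdminMfa = $false } }
    @{ Name = "Fabrikam";       Class = "Standard"
       State = @{ RejectDirectSend = $false; EwsEnabled = $false; LegacyAuthBlocked = $true } }
)

$drift = foreach ($s in $snapshots) {
    Get-ConfigDrift -TenantName $s.Name -ClientClass $s.Class -Snapshot $s.State
}
# Expected rows: Contoso Health (EwsEnabled, PhishingResistantAdminMfa),
# Fabrikam (RejectDirectSend, PhishingResistantAdminMfa not captured)
$drift | Format-Table -AutoSize
```

Run on a schedule, the output of Get-ConfigDrift is both the remediation queue and the audit evidence: an empty result for a tenant on a given date is a dated record that every baseline control was in place.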
Your Security Configuration Roadmap
Implementing these 10+ settings across your client portfolio requires systematic execution. The following roadmap prioritizes by risk reduction and implementation complexity.
Week 1-2: Authentication Controls (Highest Risk Reduction)
Enable Baseline Security Mode with automatic application of default policies for all clients. Run impact reports for remaining controls and document dependencies.
Block legacy authentication protocols organization-wide through Conditional Access. Communicate 30-day transition period for clients to update any affected devices or applications.
Week 3-4: Collaboration and Data Protection
Configure granular external access controls in Teams based on client requirements. Create department-specific policies where needed.
Enable file protection and malicious URL protection in Teams for all clients.
Week 5-6: Exchange Security and Email Protection
Enable Reject Direct Send for clients without on-premises infrastructure. For clients with legacy devices using Direct Send, document migration plan and timeline.
Audit Exchange Web Services usage. Begin contacting vendors regarding Graph API migration timelines. Disable EWS for clients where all critical applications already support modern alternatives.
Week 7-8: Risk Reduction Through Feature Restrictions
Disable “Chat with Anyone” in Teams for clients without specific business requirements justifying the risk.
Block external publisher apps and agents unless client has approved specific external agents.
Ongoing: Monitoring and Validation
Implement automated scanning to validate security configurations persist across all client tenants. Schedule monthly security configuration reviews. Generate quarterly security posture reports for clients documenting controls implemented and risk reduction achieved.
Which authentication control will you implement first across your client portfolio? Start there, document the process, and build the systematic approach that scales your security practice.
Ready to automate security configuration across all your Microsoft 365 clients? 365TUNE provides automated tenant scanning, comprehensive security compliance reporting, and one-click configuration deployments that help MSPs deliver consistent protection efficiently. Discover how 365TUNE streamlines Microsoft 365 security management.