Microsoft 365 Security Hardening: The Complete 2026 Checklist for Houston Businesses

Introduction
Microsoft 365 is the backbone of how most Houston businesses communicate, collaborate, and store data. It's also one of the most targeted platforms in the world. Business email compromise (BEC) attacks — where attackers gain access to a legitimate M365 account and use it to redirect wire transfers, impersonate executives, or compromise clients — cost U.S. businesses more than $2.9 billion in 2023 alone, according to the FBI's Internet Crime Complaint Center.
The problem isn't Microsoft 365 itself — it's the gap between the security settings most organizations deploy and the settings that actually protect them. Microsoft ships M365 with a set of defaults that balance security with ease of onboarding. Those defaults are not sufficient for a business handling sensitive data, client information, financial records, or regulated information.
This checklist covers the specific settings, policies, and configurations that Houston businesses — across The Woodlands, Katy, Sugar Land, Pasadena, Conroe, and downtown Houston — should have in place in 2026. Work through it with your IT team or managed service provider and treat every unchecked item as an open vulnerability.
1. Identity and Authentication Hardening
Enforce Multi-Factor Authentication for Every User — No Exceptions
This is the single highest-impact security control in M365. Accounts protected by MFA are more than 99% less likely to be compromised, according to Microsoft's own telemetry. Yet many organizations still have MFA gaps — legacy service accounts, executives who requested exemptions, or shared accounts that were never enrolled.
- Enable Security Defaults or Conditional Access MFA policies in Entra ID (formerly Azure Active Directory)
- Audit for MFA gaps: in the Entra admin center, run a sign-in report filtered for "MFA not required" to find every user authenticating without MFA
- Eliminate SMS-based MFA where possible — SMS codes are vulnerable to SIM-swapping attacks. Prefer the Microsoft Authenticator app or FIDO2 hardware keys for high-value accounts
- Enforce phishing-resistant MFA (FIDO2 passkeys or certificate-based auth) for all admin accounts and any account with access to financial workflows, HR data, or client information
Block Legacy Authentication Protocols
Legacy authentication protocols — SMTP AUTH, POP3, IMAP, and older Exchange ActiveSync — do not support modern MFA. Attackers specifically target these protocols to bypass MFA entirely. If your tenant still allows legacy authentication, an attacker with a stolen password can authenticate to your environment without triggering any MFA challenge.
- Create a Conditional Access policy that blocks all legacy authentication protocols
- Check for legitimate legacy auth usage first — some older email clients, shared printers, and legacy line-of-business applications still depend on basic auth. These need to be migrated before the block is enforced
- Use the M365 sign-in logs to identify any current legacy auth usage in your tenant before enabling the block
Implement Conditional Access Policies
Conditional Access is the policy engine that controls when and how users can authenticate — evaluating signals like user identity, device compliance, location, and application being accessed before granting access. Basic Conditional Access policies every M365 tenant should have:
- Require MFA for all users (or target high-risk users and admins first if a staged rollout is needed)
- Require compliant devices for access to sensitive applications — users on unmanaged personal devices should not have the same access as users on enrolled, managed devices
- Block access from high-risk countries — if your business has no legitimate activity in Russia, North Korea, Iran, or China, block authentication attempts from those locations entirely
- Block high-risk sign-ins — Entra ID Identity Protection assigns risk scores to authentication events based on behavioral signals. Conditional Access can automatically block or require step-up authentication for high-risk sign-ins
- Require MFA registration from trusted locations only — prevent attackers who've compromised a password from registering their own MFA device by requiring the initial registration to occur on your corporate network or a compliant device
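The two Conditional Access steps above (find who still uses legacy authentication, then block it) and the baseline "MFA for all users" policy can be staged from PowerShell. The following is an added example, not code from the article: it uses the Microsoft Graph PowerShell SDK, assumes the signed-in account holds the Conditional Access Administrator and Reports Reader roles, and uses placeholder object IDs for the two break-glass accounts that every policy should exclude.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph PowerShell SDK.
# Assumes the operator holds Conditional Access Administrator + Reports Reader (assumption).
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Client types the sign-in log reports for modern authentication; anything else
# (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, "Other clients", ...) is legacy.
$modernClients = @('Browser', 'Mobile Apps and Desktop clients')

# Step 1: inventory legacy-auth sign-ins over the retained window (30 days needs Entra ID P1/P2).
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $modernClients }

# One row per user + protocol, most active first: this is the migration list to work
# through before the block is switched from report-only to enforced.
$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'UserAndProtocol'; e = { $_.Name } } |
    Format-Table -AutoSize

# Placeholders: object IDs of the two emergency access accounts (see the break-glass section).
$breakGlass = @('<break-glass-account-1-object-id>', '<break-glass-account-2-object-id>')

# Step 2: block legacy authentication, created in report-only mode so the sign-in log shows
# what WOULD have been blocked. Change state to 'enabled' once the inventory above is clean.
$blockLegacy = @{
    displayName   = 'Block legacy authentication (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        # These two client app types are how Conditional Access represents legacy protocols.
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Step 3: the baseline "require MFA for all users" policy, also staged report-only first.
$requireMfa = @{
    displayName   = 'Require MFA for all users (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        applications = @{ includeApplications = @('All') }
        users        = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa
```

Report-only mode is the safe default for both policies: the sign-in log's "Report-only" result shows exactly which users and protocols would be affected, which turns the legacy-auth migration into a measurable list rather than a guess. Both policies exclude the break-glass accounts so a mistake in either one cannot lock the tenant's administrators out.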
2. Email Security Configuration
Deploy SPF, DKIM, and DMARC — All Three
These three DNS-based email authentication standards work together to prevent attackers from sending email that appears to come from your domain. Many Houston businesses have SPF configured (because it's been around the longest) but are missing DKIM and DMARC.
- SPF (Sender Policy Framework): Lists the mail servers authorized to send email from your domain. Without SPF, anyone can send email "from" your domain
- DKIM (DomainKeys Identified Mail): Cryptographically signs outbound email so recipients can verify it was genuinely sent by you. Enable DKIM signing in the M365 Defender portal under Email & Collaboration → Policies & Rules → DKIM
- DMARC (Domain-based Message Authentication, Reporting and Conformance): Tells receiving mail servers what to do with email that fails SPF or DKIM. Start with p=none (monitoring mode), review the reports, then advance to p=quarantine and eventually p=reject to actively block spoofed email. A DMARC policy at p=reject makes it extremely difficult for attackers to send phishing emails impersonating your domain
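Checking all three records for a domain, and confirming the tenant is actually signing with DKIM, is a few lines of PowerShell. This is an added example rather than the article's own tooling: it assumes Windows' Resolve-DnsName (DnsClient module) and the ExchangeOnlineManagement module, and uses example.com as a placeholder for one of your accepted domains.

```powershell
# Added example (not from the original article). Assumes Resolve-DnsName (Windows DnsClient
# module) and the ExchangeOnlineManagement module. 'example.com' is a placeholder domain.
$domain = 'example.com'

function Get-TxtRecord {
    # Returns each TXT record at $Name as a single joined string (long records are split into chunks).
    param([string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' }
    } catch { @() }
}

# SPF: exactly one v=spf1 record; '-all' (hard fail) is the target state, '~all' only soft-fails.
$spf = @(Get-TxtRecord $domain | Where-Object { $_ -like 'v=spf1*' })
switch ($spf.Count) {
    0       { Write-Host 'SPF  : MISSING' }
    1       { Write-Host "SPF  : $($spf[0])"
              if ($spf[0] -notmatch '\s-all$') { Write-Host '       -> does not end in -all; spoofed mail is only soft-failed' } }
    default { Write-Host "SPF  : $($spf.Count) records found; multiple SPF records cause a permanent error at receivers" }
}

# DMARC: parse the policy tag and call out p=none, which monitors but never blocks.
$dmarc = Get-TxtRecord "_dmarc.$domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
if ($dmarc -and $dmarc -match 'p=(none|quarantine|reject)') {
    $policy = $Matches[1]
    Write-Host "DMARC: $dmarc"
    if ($policy -eq 'none') { Write-Host '       -> p=none is monitoring only; review reports, then move to quarantine and reject' }
} else {
    Write-Host 'DMARC: MISSING'
}

# DKIM: Microsoft 365 signs with two selectors, selector1 and selector2, published as CNAMEs
# that point into the tenant's onmicrosoft.com namespace. The exact CNAME targets come from
# Exchange Online, so compare what DNS has against what the tenant expects.
Connect-ExchangeOnline
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim) {
    # Creating the config (disabled) makes Exchange compute the Selector1CNAME/Selector2CNAME values.
    $dkim = New-DkimSigningConfig -DomainName $domain -Enabled $false
}
$expected = @{ selector1 = $dkim.Selector1CNAME; selector2 = $dkim.Selector2CNAME }
$dnsReady = $true
foreach ($selector in 'selector1', 'selector2') {
    $cname = Resolve-DnsName -Name "$selector._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if ($cname -and $cname.NameHost.TrimEnd('.') -ieq $expected[$selector]) {
        Write-Host "DKIM : $selector CNAME OK"
    } else {
        $dnsReady = $false
        Write-Host "DKIM : $selector CNAME missing or wrong; publish $selector._domainkey.$domain -> $($expected[$selector])"
    }
}
# Only enable signing once both CNAMEs resolve; enabling earlier fails with a DNS validation error.
if ($dnsReady -and -not $dkim.Enabled) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
    Write-Host 'DKIM : signing enabled'
}
```

Run it against each accepted domain, including ones that never send mail: a parked domain with no SPF and no DMARC is just as spoofable as your primary one, and for those the correct records are a "v=spf1 -all" SPF record and a DMARC policy of p=reject.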
Configure Anti-Phishing Policies in Microsoft Defender
Exchange Online Protection (the baseline email filter included with M365) is a starting point, not a complete solution. Microsoft Defender for Office 365 (Plan 1 is included with M365 Business Premium) adds significantly more protection:
- Enable impersonation protection for your executives and key employees — this catches emails that impersonate your CEO or CFO even when sent from look-alike domains
- Enable mailbox intelligence — uses your organization's email communication patterns to identify unusual sender/recipient combinations that may indicate compromise
- Enable Safe Links — rewrites URLs in email and Teams messages to scan them at click-time, catching links that were safe when delivered but changed to malicious destinations afterward
- Enable Safe Attachments — detonates attachments in a sandbox environment before delivery, catching malicious files that bypass signature-based scanning
Audit and Disable Malicious Inbox Rules
When attackers compromise an M365 inbox, one of their first actions is creating inbox rules that forward all email to an external address, delete security alerts, or hide replies to their own messages. These rules persist even after a password reset if you don't explicitly look for and remove them.
- Regularly audit inbox rules across your tenant using PowerShell:
Get-Mailbox -ResultSize Unlimited | Get-InboxRule
- Specifically look for rules that forward to external addresses, delete messages matching certain keywords, or mark specific messages as read without showing them in the inbox
- Alert on new inbox rule creation as a security signal — legitimate users rarely create forwarding rules, so this is a high-fidelity indicator of compromise
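The one-liner above dumps every rule; the value is in flagging the suspicious ones automatically. The following added example (not the article's own script) extends it with the ExchangeOnlineManagement module: it treats the tenant's accepted domains as internal, flags rules that forward or redirect outside them, delete mail, or mark mail read and move it out of sight, and then pulls the last week of rule creations from the unified audit log, the signal the article recommends alerting on.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement module
# and an Exchange administrator or equivalent role (assumption). Slow on very large tenants.
Connect-ExchangeOnline

# Every domain the tenant accepts mail for counts as internal; anything else is external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Get-ExternalAddress {
    # Forwarding targets render as strings like:  "Jane Doe" [SMTP:jane@partner.example]
    # Return the SMTP address of each target whose domain is not one of ours.
    param([object[]]$Targets)
    foreach ($t in ($Targets | Where-Object { $_ } | ForEach-Object { "$_" })) {
        if ($t -match '\[SMTP:([^\]]+)\]') {
            $addr = $Matches[1].ToLower()
            if ($addr.Split('@')[-1] -notin $internalDomains) { $addr }
        }
    }
}

# Step 1: sweep all user mailboxes and score each rule against the attacker patterns.
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = @(Get-ExternalAddress $targets)
        if ($external)                                   { $reasons += "forwards externally to $($external -join ', ')" }
        if ($rule.DeleteMessage)                         { $reasons += 'deletes messages' }
        if ($rule.MarkAsRead -and $rule.MoveToFolder)    { $reasons += "marks read and moves to '$($rule.MoveToFolder)'" }
        if ($rule.MoveToFolder -match 'RSS|Conversation History|Junk|Archive|Deleted') {
            $reasons += 'moves mail to a rarely read folder'
        }
        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Reasons = $reasons -join '; '
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize

# Step 2: who created or changed rules in the last 7 days, from the unified audit log.
# 'New-InboxRule'/'Set-InboxRule' are the PowerShell/EAC operations; 'UpdateInboxRules'
# is what Outlook clients generate. Pair this with an alert policy for near-real-time notice.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules' -ResultSize 5000
$events | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        ClientIP  = $data.ClientIP
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

Review the findings with the mailbox owner before deleting anything (Remove-InboxRule -Mailbox user -Identity 'rule name'); a legitimate rule that files newsletters into an archive folder will trip the folder heuristic, whereas an enabled rule forwarding to an external address almost never has an innocent explanation. Rules created shortly after a password reset, or from a client IP the user has never signed in from, deserve the same treatment as a confirmed compromise.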
3. Admin Account Hardening
Separate Admin Accounts from Day-to-Day User Accounts
Admin accounts used to read email and browse the web are admin accounts waiting to be compromised. Global administrators, Exchange administrators, SharePoint administrators, and other privileged roles should exist as dedicated, separate accounts — used only for administrative tasks, never for email or general computing.
- Create cloud-only admin accounts (not synced from on-premises Active Directory) so an on-premises compromise can't directly elevate to M365 admin
- Require phishing-resistant MFA (FIDO2) for all admin accounts — no exceptions
- Admin accounts should have no mailbox, no licenses for regular productivity applications, and should not be used to browse the web
Implement Privileged Identity Management (PIM)
PIM (available with Entra ID P2 or Microsoft 365 E5) implements just-in-time privileged access — admin roles are not permanently assigned but must be explicitly activated for a time-limited period when needed. This eliminates the large standing attack surface of permanently assigned admin privileges.
- Convert all Global Administrator assignments from permanent to eligible — admins must activate the role with MFA and a justification when they need it, and it automatically expires
- Require approval for Global Administrator activation — a second admin must approve the request before the role is granted
- Alert on all role activations — every time a privileged role is activated, your security team should know
Establish Break-Glass Emergency Access Accounts
Before enabling strict Conditional Access policies, ensure you have two emergency access accounts that are excluded from all Conditional Access policies and can be used if your primary admin accounts are locked out. These accounts should use long, complex passwords stored securely offline, be monitored for any sign-in activity (any use is an alert), and use FIDO2 hardware keys as their authentication method.
4. Data Protection and Sharing Controls
Configure SharePoint and OneDrive Sharing Policies
Default sharing settings in M365 allow users to share files with anyone who has the link — including people outside your organization who aren't authenticated. For most Houston businesses handling client data, this is too permissive.
- Set the tenant-level external sharing policy to "New and existing guests" at minimum — never "Anyone" for business data
- Require external sharing links to have expiration dates (30-90 days depending on your needs)
- Require MFA for external guest access
- Restrict sharing to specific approved domains where possible (e.g., only allow sharing with client domains you've explicitly approved)
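The four settings above map directly onto tenant properties in the SharePoint Online Management Shell. As an added example (not the article's or Microsoft's own script), the block below records the current state and then applies the hardened configuration; the admin URL and the approved domain list are placeholders to replace with your own.

```powershell
# Added example (not from the original article). Requires the Microsoft.Online.SharePoint.PowerShell
# module and a SharePoint Administrator role (assumption). 'contoso' and the domain list are placeholders.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Before: capture the current values so the change can be reviewed and, if needed, rolled back.
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, ExternalUserExpirationRequired, ExternalUserExpireInDays,
    SharingDomainRestrictionMode, SharingAllowedDomainList
$before | Format-List

# The hardened tenant-level settings described in the checklist.
$sharing = @{
    # "New and existing guests": external recipients must sign in; no unauthenticated "Anyone" links.
    SharingCapability                 = 'ExternalUserSharingOnly'
    # New sharing links default to people inside the organization, not "anyone with the link".
    DefaultSharingLinkType            = 'Internal'
    # If Anyone links are ever re-enabled, force them to expire within 30 days.
    RequireAnonymousLinksExpireInDays = 30
    # Guest access itself lapses after 60 days unless an owner renews it.
    ExternalUserExpirationRequired    = $true
    ExternalUserExpireInDays          = 60
    # Only explicitly approved partner/client domains may receive shares (placeholder list).
    SharingDomainRestrictionMode      = 'AllowList'
    SharingAllowedDomainList          = 'clientone.example clienttwo.example'
}
Set-SPOTenant @sharing

# After: confirm the values took effect.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, ExternalUserExpirationRequired, ExternalUserExpireInDays,
    SharingDomainRestrictionMode, SharingAllowedDomainList | Format-List
```

Requiring MFA for guests is not a SharePoint setting; it is a Conditional Access policy whose user scope is guests and external users, built the same way as the policies in the identity section. Individual sites can be more restrictive than the tenant (Set-SPOSite -SharingCapability Disabled on a finance or HR site, for example) but never more permissive, which is why the tenant-level value is the one to get right first.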
Enable Microsoft Purview Data Loss Prevention (DLP)
DLP policies prevent users from sharing sensitive information — Social Security numbers, credit card numbers, HIPAA-regulated health data, ITAR-controlled technical information — through email, Teams, or SharePoint. For Houston businesses in regulated industries, DLP is not optional.
- Start with the built-in templates for your relevant regulations (HIPAA, PCI-DSS, GDPR)
- Begin in audit/notification mode before enforcing blocking — review the alerts for 30 days to tune policies before enabling hard blocks
- Apply DLP to email, Teams messages, SharePoint, OneDrive, and endpoint devices for comprehensive coverage
5. Security Monitoring and Alerting
Enable Unified Audit Logging
Microsoft 365's audit log records user and admin activities across Exchange, SharePoint, OneDrive, Teams, and Entra ID. This is your primary forensic resource after an incident — but only if it was enabled before the incident. Audit logging is not enabled by default in all tenants.
- Verify audit logging is enabled in the Microsoft Purview compliance portal
- Extend audit log retention — the default 90-day retention is typically insufficient for incident investigation. Extend to 1 year (available with M365 E3/E5) or longer where compliance requires it
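Both checks are quick to script. The following added example (not from the article) uses the ExchangeOnlineManagement module to confirm unified audit log ingestion is on, turn it on if it is not, make sure mailbox auditing has not been disabled at the organization level, and create a twelve-month retention policy for the record types an incident investigation relies on; the policy name is an assumption, and retention beyond 90 days needs the licensing the section describes.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement module;
# the retention cmdlets run in Security & Compliance PowerShell (Connect-IPPSSession).
Connect-ExchangeOnline

# Unified audit log: the switch the whole monitoring section depends on.
$auditConfig = Get-AdminAuditLogConfig
if (-not $auditConfig.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host 'Unified audit log ingestion was OFF; enabled now (events begin flowing within hours)'
} else {
    Write-Host 'Unified audit log ingestion: enabled'
}

# Mailbox auditing is on by default, but AuditDisabled = $true at the org level silently
# stops Exchange mailbox events (including the inbox-rule operations above) from being recorded.
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
    Write-Host 'Organization-level mailbox auditing was disabled; re-enabled'
}

# Retention: keep the record types an investigation leans on for 12 months instead of 90 days.
# Policy name is a placeholder; lower Priority numbers win when policies overlap.
Connect-IPPSSession
$policyName = 'Incident investigation - 12 months'
if (-not (Get-UnifiedAuditLogRetentionPolicy | Where-Object Name -eq $policyName)) {
    New-UnifiedAuditLogRetentionPolicy -Name $policyName `
        -Description 'Sign-in, Exchange admin/mailbox and SharePoint file events retained for one year' `
        -RecordTypes AzureActiveDirectoryStsLogon, ExchangeAdmin, ExchangeItem, SharePointFileOperation `
        -RetentionDuration TwelveMonths -Priority 1
    Write-Host "Created retention policy '$policyName'"
}

# Sanity check that events are actually being recorded: the last 24 hours of sign-in records.
$recent = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -RecordType AzureActiveDirectoryStsLogon -ResultSize 10
Write-Host "Sample of recent sign-in audit records returned: $(@($recent).Count)"
```

A retention policy only applies to events ingested after it exists, so create it now rather than after the next incident; the ninety days of history that existed before the change cannot be extended retroactively.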
Configure Microsoft Secure Score Baseline
Microsoft Secure Score (available in the M365 Defender portal) gives your tenant a score out of 100 based on which security controls are enabled. It provides a prioritized list of recommended actions with estimated score impact. Most organizations start between 30-50%; a well-hardened tenant targeting 70%+ has meaningfully reduced its attack surface.
Forward Logs to a SIEM
For organizations with more mature security requirements — multi-location businesses, those in regulated industries, or companies with a high-risk profile — forwarding M365 audit and sign-in logs to a SIEM (Security Information and Event Management) platform or a managed SOC enables correlated alerting across your entire environment, not just M365 in isolation.
M365 Security Hardening Checklist Summary
| Category | Control | Priority |
|---|---|---|
| Identity | MFA enforced for all users | Critical |
| Identity | Legacy authentication blocked | Critical |
| Identity | Conditional Access policies deployed | Critical |
| Identity | Phishing-resistant MFA for admins | Critical |
| Email | SPF + DKIM + DMARC configured | High |
| Email | Defender anti-phishing with impersonation protection | High |
| Email | Safe Links + Safe Attachments enabled | High |
| Email | Regular inbox rule audit | High |
| Admin | Dedicated admin accounts (no mailbox) | High |
| Admin | PIM for just-in-time privileged access | Medium |
| Admin | Break-glass emergency access accounts | High |
| Data | SharePoint external sharing restricted | High |
| Data | DLP policies for regulated data types | Medium |
| Monitoring | Unified audit logging enabled + retained | Critical |
| Monitoring | Microsoft Secure Score reviewed quarterly | Medium |
Where Houston Businesses Most Often Fall Short
After working with businesses across Harris County, Montgomery County, Fort Bend County, and Brazoria County, the gaps we see most consistently are:
- MFA gaps for "temporary" or service accounts — accounts that were created quickly and never got proper MFA enrollment. These are the accounts attackers find and exploit.
- Legacy auth still enabled — often because someone's old iPhone or a network printer still uses basic SMTP auth, the block was never enabled. The workaround is migrating those legacy connections, not leaving legacy auth open indefinitely.
- No DMARC policy (or DMARC at p=none forever) — monitoring mode with no enforcement means attackers can still spoof your domain. The goal is p=reject.
- Global admins using their admin account for email — when a Global Admin's primary account is compromised through phishing, the attacker immediately has full tenant control.
- Audit logging disabled or at 90-day retention — discovered only when an incident investigation requires logs that no longer exist.
Let LayerLogix Harden Your M365 Environment
LayerLogix offers Microsoft 365 security assessments and hardening for businesses across Greater Houston — from small professional services firms in Sugar Land and Katy to mid-market manufacturers in Conroe and multi-location healthcare groups serving patients across The Woodlands and Pearland.
Our M365 security service includes a full configuration audit against the CIS Microsoft 365 Benchmarks, a prioritized remediation plan with business-impact context for each finding, implementation assistance for all controls, and ongoing monitoring to catch configuration drift before it creates exposure.
Request a Microsoft 365 security assessment. We'll tell you exactly where your tenant stands and what needs to change — no jargon, no upsell pressure, just a clear picture of your current posture. Call 713-571-2390 or use our contact form.