Microsoft 365

Exchange Online, SharePoint, Teams, tenant governance, security baselines, audit logging, and backup considerations. Practical reference for IT admins and sysadmins managing Microsoft 365 environments.

Guides, scripts and analysis

Overview

What Microsoft 365 Administration Covers in Real Environments

Microsoft 365 administration spans multiple product families — Exchange Online, SharePoint, Teams, Entra ID, Intune, and the Purview compliance stack — each with its own admin centre, PowerShell module, and operational surface. The Microsoft 365 admin centre (admin.microsoft.com) is the entry point, but most workload-specific administration happens in the dedicated portals.

Tenant admin and licensing

User creation, licence assignment, domain verification, and admin role management live in the Microsoft 365 admin centre. Service health, message centre announcements, and tenant-wide configuration (security defaults, multi-tenant settings) are monitored here. Licence management affects which features are available per user — misconfigured licences are one of the most common sources of "feature X is not available" tickets.

Exchange Online

Mailbox provisioning, mail flow rules, accepted domains, connectors, shared mailboxes, distribution groups, resource mailboxes, and email authentication (SPF, DKIM, DMARC) are managed in the Exchange admin centre (admin.exchange.microsoft.com). The anti-spam, anti-phishing and DKIM signing settings themselves now live in the Defender portal (security.microsoft.com) under Email & collaboration > Policies & rules, and the EAC links through to them. Litigation hold and compliance archiving require Exchange Online Plan 2 (in E3/E5) or Plan 1 plus the Exchange Online Archiving add-on (included in Business Premium).

SharePoint Online and OneDrive

Site collection creation and management, external sharing controls, storage quotas, content type governance, and hub site configuration are managed in the SharePoint admin centre. OneDrive admin controls per-user storage, sync client policy, and known folder move. Both integrate with Microsoft Purview for sensitivity labels and data loss prevention.

Microsoft Teams

Teams admin covers calling policies, meeting policies, messaging policies, external access, guest access, app permission policies, and channel governance. Phone System (PSTN calling) and Direct Routing configuration also lives in the Teams admin centre. Teams data — channels, chats, meetings — has separate retention and eDiscovery considerations from Exchange mailbox data.

Identity and Conditional Access

Every Microsoft 365 authentication event passes through Entra ID. Conditional Access policies, MFA configuration, SSPR, and user risk policies all affect M365 access. The identity layer is the highest-impact security surface in a Microsoft 365 tenant — a misconfigured CA policy can lock out users or leave access ungated across the entire service.

Security, compliance, and audit

Microsoft Purview (purview.microsoft.com; the older compliance.microsoft.com address redirects there) hosts the unified audit log, data loss prevention policies, sensitivity labels, insider risk management, eDiscovery, and communication compliance. Microsoft Defender for Office 365 provides anti-phishing, Safe Attachments, Safe Links, and Threat Explorer. Both require specific licence tiers.

Tenant administration

Tenant Baseline and Admin Centre Workflow

A new Microsoft 365 tenant ships with permissive defaults. These are the first areas to configure before users and services are fully onboarded — each one represents a common audit finding when left at default.

Disable security defaults — use Conditional Access instead

Security defaults (Entra ID > Overview > Properties > Manage security defaults) apply one blunt tenant-wide policy: MFA registration for everyone, MFA for admins and risky sign-ins, and a block on legacy authentication. Conditional Access gives per-application, per-device and per-location granularity, but Entra will not enforce both at once. The safe sequence is: build the CA baseline, validate it in report-only mode against the sign-in log, then disable security defaults and enable the CA policies in the same change window, so the tenant never sits with neither. Keep a break-glass account excluded from every CA policy before the switch.

Global Admin hygiene

Global Admin is the highest-privilege role in a Microsoft 365 tenant. No one's day-to-day account should be Global Admin. Create dedicated, cloud-only admin accounts used only for administrative tasks, protect them with phishing-resistant MFA (FIDO2 keys or Windows Hello for Business), and use PIM (Entra ID P2) for just-in-time activation. Microsoft's guidance is fewer than five Global Admins; the only expected standing assignments are two break-glass accounts, excluded from Conditional Access, with long random passwords stored offline and alerting on any sign-in. Audit Global Admin membership monthly; Secure Score flags excess standing admins as a recommendation.
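The monthly audit above is easier to do as a script than by clicking through PIM. The following is an added example, not code from the original page: it lists standing and PIM-eligible Global Admin assignments and flags the two findings that matter (a standing assignment that is not break-glass, and an admin with no phishing-resistant method registered). It assumes the Microsoft.Graph PowerShell SDK and a signed-in account holding Global Reader or Privileged Role Administrator; the role template ID is Microsoft's well-known value for Global Administrator and is the same in every tenant.

```powershell
# Added example, not from the original page. Assumes the Microsoft.Graph PowerShell SDK and a signed-in
# account holding Global Reader or Privileged Role Administrator. Reading other users' authentication
# methods needs the UserAuthenticationMethod.Read.All scope.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# Well-known role template ID of Global Administrator; identical in every tenant.
$gaRoleId = "62e90394-69f5-4237-9190-012177145e10"

# Authentication method types that count as phishing-resistant.
$strongMethods = @(
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
)

# Standing (active) assignments: every one of these is a permanently privileged identity.
$active = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty principal `
    -Filter "roleDefinitionId eq '$gaRoleId'"

# PIM-eligible assignments (Entra ID P2): the state admin accounts should be in.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty principal `
    -Filter "roleDefinitionId eq '$gaRoleId'"

function Get-GaFinding {
    param($Assignment, [string]$Kind)
    $p    = $Assignment.Principal
    $type = $p.AdditionalProperties['@odata.type']
    $upn  = $p.AdditionalProperties['userPrincipalName']
    $findings = @()
    if ($type -ne '#microsoft.graph.user') {
        # Groups and service principals holding GA are opaque in an audit; flag them.
        $findings += "non-user principal ($type)"
    } else {
        $types = Get-MgUserAuthenticationMethod -UserId $p.Id |
                 ForEach-Object { $_.AdditionalProperties['@odata.type'] }
        if (-not ($types | Where-Object { $_ -in $strongMethods })) {
            $findings += "no phishing-resistant method registered"
        }
        if ($Kind -eq 'Active') { $findings += "standing assignment (should be PIM-eligible unless break-glass)" }
    }
    [pscustomobject]@{
        Principal = if ($upn) { $upn } else { $p.Id }
        Kind      = $Kind
        Findings  = ($findings -join '; ')
    }
}

$report  = @($active   | ForEach-Object { Get-GaFinding $_ 'Active' })
$report += @($eligible | ForEach-Object { Get-GaFinding $_ 'Eligible' })
$report | Sort-Object Kind, Principal | Format-Table -AutoSize

# Microsoft's guidance is fewer than five Global Admins; the two break-glass accounts are the only
# expected standing assignments.
"Standing Global Admins: $(@($active).Count); eligible: $(@($eligible).Count)"
```

Run it from a PIM-activated session and keep the output with the monthly review. Break-glass accounts will always appear as standing assignments without FIDO2; that is by design, and the point of the report is that nothing else does.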

Secure Score as a baseline tracker

Microsoft Secure Score (security.microsoft.com > Secure Score) aggregates security control implementation into a single score. Use it to identify the highest-impact unimplemented controls — MFA coverage, admin role hygiene, anti-phishing policy configuration, and legacy auth blocking consistently appear in the top recommendations. Track score trend weekly rather than chasing individual actions in isolation.

Service health and message centre

The Microsoft 365 admin centre Service health dashboard shows current and historical service incidents. The Message centre posts planned changes — feature additions, deprecations, and behaviour changes — with a target date. Subscribe the message centre to a shared mailbox or Teams channel so the team sees upcoming changes before users are affected. Filter by your specific services to reduce noise.

Delegated admin and partner access

If a Microsoft partner manages your tenant, delegated admin relationships appear in Settings > Partner relationships. Review these periodically — a former MSP may retain delegated admin access after a transition. Granular Delegated Admin Privileges (GDAP) replaced the legacy DAP model; verify partners use GDAP with scoped roles rather than Global Admin delegation.

Legacy authentication blocking

Legacy authentication protocols (IMAP, POP3, SMTP AUTH, Exchange Web Services, ActiveSync and older Outlook builds using basic auth) bypass Conditional Access and MFA. Microsoft has already disabled basic authentication in Exchange Online for every protocol except SMTP AUTH, so the CA block is defence in depth plus the only policy-level control over SMTP AUTH. Create a policy with Condition: client apps = Exchange ActiveSync clients and Other clients; Grant: Block, run it in report-only mode, and review the Entra Sign-in logs (filter on Client app) for the accounts still using legacy auth: typically multi-function printers, line-of-business apps and Outlook 2013 without modern auth enabled (Outlook 2010 cannot connect to Exchange Online at all). Then enforce the policy and disable SMTP AUTH tenant-wide (Set-TransportConfig -SmtpClientAuthenticationDisabled $true), re-enabling it per mailbox only for devices that genuinely need it.

Exchange Online

Exchange Online Operational Areas

Exchange Online is the most operationally dense service in Microsoft 365. These are the areas that generate the most admin tickets, security incidents, and compliance requirements in production tenants.

Email authentication: SPF, DKIM, DMARC

SPF (a TXT record at the domain apex) lists the IP ranges and includes allowed to send for the domain; for Exchange Online that is include:spf.protection.outlook.com plus any third-party senders, ending in -all or ~all, and a domain may have only one SPF record. DKIM signs outbound messages with a per-domain key: Microsoft publishes two selectors (selector1 and selector2) that you reference as CNAME records, and signing is enabled per accepted domain in the Defender portal under Email & collaboration > Policies & rules > Threat policies > Email authentication settings > DKIM (it used to live in the Exchange admin centre). DMARC (a TXT record at _dmarc.<domain>) tells receivers what to do when a message fails both SPF and DKIM alignment: start with p=none and a rua= address to collect aggregate reports, then move to p=quarantine and p=reject once every legitimate sender is covered. Google and Yahoo now require SPF, DKIM and a DMARC record from bulk senders, so all three are needed for reliable delivery to consumer mailboxes.

Mail flow rules and connectors

Transport rules (mail flow rules) in the Exchange admin centre intercept messages based on sender, recipient, subject, attachment type, or header and apply actions — redirect, add disclaimer, encrypt, reject. Inbound and outbound connectors configure SMTP relay for on-premises mail servers, multi-function devices, and third-party email hygiene services. Connector configuration errors cause silent mail delivery failures that are difficult to diagnose without message trace.

Anti-spam and anti-phishing policies

Microsoft 365 includes Exchange Online Protection (EOP) by default. Configure the inbound anti-spam policy (high-confidence spam to quarantine rather than the Junk folder), anti-phishing impersonation protection for executive names and your own domains, and the outbound spam policy recipient limits. Defender for Office 365 Plan 1 adds Safe Attachments and Safe Links. Since the Built-in protection preset policy was introduced, licensed recipients get a baseline of both automatically, but at the least restrictive settings, and Safe Attachments for SharePoint, OneDrive and Teams stays off until you turn it on; apply the Standard or Strict preset, or your own policies, rather than relying on the baseline.

Shared mailboxes and resource mailboxes

Shared mailboxes (no licence required if under 50GB) are accessed via Full Access and Send As permissions granted to other users. The underlying Entra account is created with a system-generated password and sign-in allowed; do not set a known password on it, block sign-in on the Entra account instead, since delegates authenticate as themselves. Resource mailboxes (room/equipment) accept or decline booking requests automatically based on calendar processing settings. Both shared and resource mailboxes need a licence if they require litigation hold, an archive, or the mailbox exceeds 50GB.
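Provisioning a shared mailbox the way described above, plus the audit that catches the common mistake (sign-in left enabled), as an added example that is not code from the original page. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an Exchange Administrator role, and the placeholder addresses shown; replace them with your own.

```powershell
# Added example, not from the original page. Assumes ExchangeOnlineManagement and Microsoft.Graph modules,
# an Exchange Administrator role, and the placeholder addresses below (replace with your own).
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

$sharedUpn  = "helpdesk@contoso.example"         # assumed address for the new shared mailbox
$staffGroup = "helpdesk-staff@contoso.example"   # assumed mail-enabled security group that will use it

# 1. Provision the shared mailbox. No licence is consumed and no password is handed to anyone.
New-Mailbox -Shared -Name "Helpdesk" -DisplayName "Helpdesk" -PrimarySmtpAddress $sharedUpn | Out-Null

# 2. Grant access through a group rather than to individuals. Full Access opens the mailbox; Send As lets
#    members send from the shared address. Automapping only works for permissions granted directly to a
#    user, so group members add the mailbox manually in Outlook (or grant per user with -AutoMapping $true).
Add-MailboxPermission -Identity $sharedUpn -User $staffGroup -AccessRights FullAccess -AutoMapping $false | Out-Null
Add-RecipientPermission -Identity $sharedUpn -Trustee $staffGroup -AccessRights SendAs -Confirm:$false | Out-Null

# 3. Block interactive sign-in on the underlying Entra account. Delegated access keeps working because
#    delegates authenticate as themselves. The Entra object can take a minute to appear after step 1;
#    re-run this line if it reports the user was not found.
Update-MgUser -UserId $sharedUpn -AccountEnabled:$false

# 4. Audit: every shared mailbox whose Entra account can still sign in. The expected result is empty.
function Get-SharedMailboxSignInGap {
    Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited | ForEach-Object {
        $u = Get-MgUser -UserId $_.ExternalDirectoryObjectId -Property Id,UserPrincipalName,AccountEnabled
        if ($u.AccountEnabled) {
            [pscustomobject]@{ Mailbox = $_.PrimarySmtpAddress; SignInEnabled = $true }
        }
    }
}
Get-SharedMailboxSignInGap | Format-Table -AutoSize
```

Step 4 is the one to schedule: a shared mailbox that someone resets a password on and starts using interactively is a mailbox with no MFA and no named owner, which is exactly what an attacker wants to find.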

Litigation hold and archiving

Litigation hold (Set-Mailbox -LitigationHoldEnabled $true, optionally with -LitigationHoldDuration in days) stops the Managed Folder Assistant from purging items: anything the user deletes or edits is kept in the Recoverable Items folder, whose quota is raised to 100 GB automatically while the hold is on, and it keeps growing until the hold expires or is removed. In-place (online) archiving provides a second mailbox for older mail; with auto-expanding archiving it grows to 1.5 TB. Both require Exchange Online Plan 2 (in E3/E5) or Plan 1 plus the Exchange Online Archiving add-on (in Business Premium); a bare Plan 1 licence gives neither unlimited archiving nor indefinite holds.
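Placing a time-bound hold and then watching the Recoverable Items growth it causes, as an added example rather than code from the original page. It assumes the ExchangeOnlineManagement module, an Exchange Administrator or Compliance Administrator role, a mailbox licensed for holds, and the placeholder mailbox address and legal reference shown.

```powershell
# Added example, not from the original page. Assumes ExchangeOnlineManagement, a role allowed to set holds,
# and a mailbox on Exchange Online Plan 2 (or Plan 1 + Exchange Online Archiving). Address is a placeholder.
Connect-ExchangeOnline -ShowBanner:$false
$mailbox = "j.doe@contoso.example"   # assumed

# Prefer a time-bound hold (seven years here, expressed in days) over an indefinite one, so Recoverable
# Items does not grow forever. Omit -LitigationHoldDuration for indefinite retention.
Set-Mailbox -Identity $mailbox -LitigationHoldEnabled $true -LitigationHoldDuration 2555 `
    -RetentionComment "Hold placed for legal request REF-0001 (assumed reference)"

# Hold state and Recoverable Items usage against its quota. With a hold on, the quota is raised to 100 GB
# automatically; heavy users on long holds are the ones to watch.
function Get-HoldReport {
    param([string[]]$Identity)
    foreach ($id in $Identity) {
        $m  = Get-Mailbox -Identity $id
        $ri = Get-MailboxFolderStatistics -Identity $id -FolderScope RecoverableItems |
              Where-Object { $_.FolderPath -eq '/Recoverable Items' }
        [pscustomobject]@{
            Mailbox               = $m.PrimarySmtpAddress
            LitigationHold        = $m.LitigationHoldEnabled
            HoldDuration          = $m.LitigationHoldDuration
            RecoverableItemsSize  = $ri.FolderAndSubfolderSize
            RecoverableItemsQuota = $m.RecoverableItemsQuota
        }
    }
}
Get-HoldReport -Identity $mailbox | Format-List

# The audit request that always follows: which mailboxes are on hold, since when, and placed by whom.
Get-Mailbox -ResultSize Unlimited -Filter 'LitigationHoldEnabled -eq $true' |
    Select-Object PrimarySmtpAddress, LitigationHoldDate, LitigationHoldOwner, LitigationHoldDuration
```

The last query is also a licensing check in disguise: any mailbox it returns that is no longer assigned a Plan 2 or archiving licence will surface as a compliance finding.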

Message trace for delivery issues

Exchange admin centre > Mail flow > Message trace. Search by sender, recipient, or message ID to follow a message through the transport pipeline. Output shows each hop: the EOP filter verdict, transport rules applied, delivery status and, if rejected, the reason and enhanced status code. Real-time trace covers only the last 10 days; for older messages run a historical search (the enhanced summary and extended reports in the portal, Start-HistoricalSearch in PowerShell), which is queued, takes longer to produce, and covers up to 90 days.
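The same trace from PowerShell, where it can be scripted for a batch of complaints, as an added example that is not code from the original page. It assumes the ExchangeOnlineManagement module at a version that ships the V2 trace cmdlets (3.7 or later; on older versions Get-MessageTrace and Get-MessageTraceDetail take the same parameters) and the placeholder addresses shown.

```powershell
# Added example, not from the original page. Assumes ExchangeOnlineManagement 3.7+ for the V2 trace
# cmdlets that replace Get-MessageTrace; addresses are placeholders.
Connect-ExchangeOnline -ShowBanner:$false

$recipient = "j.doe@contoso.example"     # assumed
$sender    = "billing@partner.example"   # assumed
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Step 1: summary rows for the last seven days. Status values worth filtering on: Delivered, Failed,
# Quarantined, FilteredAsSpam, Pending.
$trace = Get-MessageTraceV2 -SenderAddress $sender -RecipientAddress $recipient -StartDate $start -EndDate $end
$trace | Select-Object Received, Subject, Status, FromIP, Size | Format-Table -AutoSize

# Step 2: per-message hops (EOP verdict, transport rules that fired, final delivery or the rejection
# reason) for anything that was not delivered.
foreach ($msg in ($trace | Where-Object Status -ne 'Delivered')) {
    Get-MessageTraceDetailV2 -MessageTraceId $msg.MessageTraceId -RecipientAddress $msg.RecipientAddress `
        -StartDate $start -EndDate $end |
        Select-Object @{ n = 'Subject'; e = { $msg.Subject } }, Date, Event, Action, Detail |
        Format-Table -AutoSize -Wrap
}

# Step 3: beyond ten days the real-time trace has no data. Queue a historical search (up to 90 days);
# it runs asynchronously, so poll Get-HistoricalSearch for Status before downloading the report.
$job = Start-HistoricalSearch -ReportTitle "Trace $recipient $(Get-Date -Format yyyyMMdd)" `
    -ReportType MessageTraceDetail `
    -StartDate (Get-Date).AddDays(-60) -EndDate (Get-Date).AddDays(-10) `
    -RecipientAddress $recipient -NotifyAddress "mailadmin@contoso.example"   # assumed notify address
Get-HistoricalSearch -JobId $job.JobId | Select-Object ReportTitle, Status, Rows
```

For a suspected phishing wave, swap the sender filter for -MessageId or leave both off and group the summary by FromIP; the detail call is the expensive part, so keep it to the messages the summary already marked as failed or quarantined.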

Collaboration services

SharePoint Online, OneDrive, and Teams

SharePoint, OneDrive, and Teams are tightly coupled: creating a Team creates a Microsoft 365 group, which in turn owns a SharePoint team site and a group mailbox in Exchange. Understanding the data model helps when users report missing files, cannot access channels, or when you are planning a data governance strategy.

Sites, permissions, external sharing

SharePoint Online

External sharing controls
SharePoint admin > Policies > Sharing. Set the tenant-level external sharing policy (Anyone, New and existing guests, Existing guests, Only people in your organization). A site's own setting can be stricter than the tenant default but never more permissive, so the tenant setting is the ceiling: set it to the most open level any site legitimately needs and tighten individual sites from there.
Site collection admin vs site owner
Site collection admins have full control including closing and deleting the site. Site owners manage permissions and content. Assign site collection admin via the SharePoint admin centre — it does not appear in the site's permission groups and is easier to overlook in permission audits.
Hub sites
Hub site association allows navigation, news, and search to roll up from associated sites to the hub. Use hub sites to organise intranet content by department or function without creating complex permission hierarchies. Hub association does not change permissions — sites maintain their own permission boundaries.
Storage and quotas
Tenant storage pool is shared across all site collections. Individual site quotas prevent any single site consuming the pool. SharePoint admin > Sites > Active sites shows current usage per site. Tenant storage pool size depends on number of licenced users — 1TB base + 10GB per licensed user for E1/E3/E5.

Per-user storage and sync

OneDrive for Business

Known Folder Move (KFM)
KFM redirects Desktop, Documents, and Pictures to OneDrive; with the "silently move" policy it does so without user action. Deploy via Intune or Group Policy. KFM is the most effective way to ensure user data is backed up to the cloud, but test with a pilot group first: sync conflicts with folders already managed by another backup or redirection solution are the most common failure.
Sync client policy
The OneDrive sync client can be configured via Intune or GPO to require sign-in with corporate credentials, block consumer OneDrive accounts on corporate devices, and limit which SharePoint tenants can sync to the device. Essential for preventing corporate data from syncing to personal OneDrive accounts.
Orphaned OneDrive accounts
When a user account is deleted, their OneDrive is retained for a configurable period (default 30 days, configurable between 30 and 3650 days via SharePoint admin > Settings > OneDrive retention or Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod). The user's manager, or the secondary owner you designate, gets access during that window to move anything needed. When it expires the site is deleted and sits in the SharePoint admin centre's Deleted sites list for a further 93 days, restorable with Restore-SPODeletedSite; after that it is gone for good.
Storage per user
1 TB per user by default on all business and enterprise plans. Tenants with five or more users on qualifying plans (E3/E5 and equivalents) can raise the default to 5 TB per user (Set-SPOTenant -OneDriveStorageQuota, or per user with Set-SPOSite -StorageQuota) and beyond 5 TB by support request, up to 25 TB; the former "unlimited" offer has been retired. Storage is per OneDrive site and is not drawn from the SharePoint tenant pool.

Policies, guest access, data model

Microsoft Teams

Teams data model
Each Team has a corresponding Microsoft 365 group, SharePoint team site, Exchange group mailbox, and Planner plan. Standard channel files live in the team site's document library. Private and shared channels each create a separate SharePoint site. Chat and channel messages are stored in the Teams chat service, with compliance copies written into Exchange (user mailboxes for chats, the group mailbox for channel posts); retention policies and eDiscovery operate on those copies, which is why a Teams retention policy is separate from an Exchange one.
Guest access vs external access
Guest access allows external users to be added to Teams channels and collaborate on files. External access (federation) allows real-time chat and calls with users from other Teams tenants without guest accounts. Configure both in Teams admin > Users > External access and Guest access — they are independent switches.
Meeting and messaging policies
Teams admin > Meetings > Meeting policies controls what meeting features are available (recording, transcription, lobby bypass, external participants). Messaging policies control message editing, deletion, read receipts, and URL previews. Assign policies to specific groups rather than changing the global policy to allow exceptions for specific user groups.
Teams lifecycle governance
Without governance, tenants accumulate hundreds of orphaned Teams. Configure expiry policies (Microsoft 365 Groups expiry) to automatically flag inactive Teams for renewal or deletion. Require an owner for all Teams — Microsoft 365 Groups without an active owner cannot renew. Set a naming policy to enforce department prefix or suffix in team names for discoverability.
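The first step of the lifecycle governance above is finding the Teams that are already orphaned. This is an added example, not code from the original page: it lists every team-enabled Microsoft 365 group, counts owners whose accounts are still enabled (a disabled leaver counts for nothing), and shows which teams have no expiry date, meaning no expiry policy covers them. It assumes the Microsoft.Graph PowerShell SDK and Group.Read.All.

```powershell
# Added example, not from the original page. Assumes the Microsoft.Graph PowerShell SDK and a reader role
# with Group.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes "Group.Read.All","Directory.Read.All" -NoWelcome

# Team-enabled Microsoft 365 groups. Filtering on resourceProvisioningOptions is an advanced query, which
# needs ConsistencyLevel eventual and a $count variable.
$teams = Get-MgGroup -All -ConsistencyLevel eventual -CountVariable n `
    -Filter "groupTypes/any(c:c eq 'Unified') and resourceProvisioningOptions/any(x:x eq 'Team')" `
    -Property Id,DisplayName,CreatedDateTime,ExpirationDateTime,RenewedDateTime,Visibility

function Get-TeamGovernanceReport {
    param($Groups)
    foreach ($g in $Groups) {
        $owners = Get-MgGroupOwner -GroupId $g.Id -All
        # Only owners whose accounts are enabled count; a team whose sole owner has left is orphaned.
        $activeOwners = foreach ($o in $owners) {
            $u = Get-MgUser -UserId $o.Id -Property AccountEnabled,UserPrincipalName -ErrorAction SilentlyContinue
            if ($u -and $u.AccountEnabled) { $u.UserPrincipalName }
        }
        [pscustomobject]@{
            Team         = $g.DisplayName
            Visibility   = $g.Visibility
            ActiveOwners = @($activeOwners).Count
            Orphaned     = (@($activeOwners).Count -eq 0)
            Created      = $g.CreatedDateTime
            LastRenewed  = $g.RenewedDateTime
            ExpiresOn    = $g.ExpirationDateTime   # null when no expiry policy covers the group
        }
    }
}

$report = Get-TeamGovernanceReport -Groups $teams

# Orphaned teams: assign an owner (Microsoft's expiry flow cannot notify anyone for these).
$report | Where-Object Orphaned | Sort-Object Team | Format-Table Team, Visibility, Created -AutoSize

# Teams outside any expiry policy: extend the policy scope or accept that they never get reviewed.
$report | Where-Object { -not $_.ExpiresOn } | Select-Object Team, Created | Format-Table -AutoSize
```

Run it before enabling a Microsoft 365 Groups expiry policy: once expiry is on, ownerless groups send their renewal prompts to the configured admin address instead of an owner, and a few hundred of those at once is the usual way the policy gets switched off again.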

Security and compliance

Security, Compliance, and Audit Logging

Microsoft Purview and Microsoft Defender for Office 365 are the security and compliance layer for Microsoft 365 data. Neither is a set-and-forget system — both require active policy management and regular review to be effective.

Unified audit log

The Microsoft Purview unified audit log records user and admin operations across Exchange, SharePoint, Teams, OneDrive, Entra ID, and other services. Default retention: 180 days for Audit (Standard). Microsoft 365 E5 or the Audit (Premium) add-on extends this to one year (a 10-year add-on exists) and adds the high-value events MailItemsAccessed and Send, needed to determine which mail was read from, or sent by, a compromised mailbox. Auditing is on by default for tenants created since 2019, but older tenants may have it off; check with Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled and enable with Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true.

Searching the audit log

Purview portal > Audit > New search. Filter by user, date range, activity type, and workload. Mailbox auditing (owner, delegate and admin actions inside a mailbox) feeds the unified log and has been on by default since 2019; confirm with Get-OrganizationConfig | Format-List AuditDisabled. Per-mailbox Set-Mailbox -AuditEnabled $true only matters where that default is off, while -AuditOwner, -AuditDelegate and -AuditAdmin extend the default action set (for example adding FolderBind for owners). For bulk export and scripted queries, use Search-UnifiedAuditLog in the ExchangeOnlineManagement PowerShell module.

Data Loss Prevention (DLP)

DLP policies in Purview scan content in Exchange, SharePoint, OneDrive, and Teams for sensitive information types (credit card numbers, NHS numbers, social security numbers, custom regex patterns) and apply protective actions: block sharing, apply a sensitivity label, show a policy tip, notify the user, alert an admin. Start DLP policies in simulation (test) mode and review matches for two weeks before switching to enforcement, to avoid blocking legitimate business processes.
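The simulate-then-enforce rollout above, expressed as the Security & Compliance PowerShell calls that create it, as an added example rather than code from the original page. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession opens the compliance endpoint), a Compliance Administrator role, and the placeholder policy name and alert address shown; Teams as a DLP location requires E5 or the compliance add-on.

```powershell
# Added example, not from the original page. Assumes ExchangeOnlineManagement (Connect-IPPSSession) and a
# Compliance Administrator role. Policy, rule and alert address are placeholders.
Connect-IPPSSession

# Policy in simulation mode first: matches are logged and the user sees the policy tip, nothing is blocked.
New-DlpCompliancePolicy -Name "Payment card data (pilot)" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications -Comment "Review matches for two weeks before enforcing"

# Rule: a credit card number (at 85% confidence or better) shared with anyone outside the organisation.
New-DlpComplianceRule -Name "Block external sharing of card numbers" -Policy "Payment card data (pilot)" `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1"; minConfidence = "85" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner,LastModifier `
    -NotifyPolicyTipCustomText "This item contains payment card numbers and cannot be shared outside the organisation." `
    -GenerateIncidentReport "dlp-alerts@contoso.example" `
    -IncidentReportContent Title,DocumentAuthor,MatchedItem,RulesMatched,Severity `
    -ReportSeverityLevel High

# After the review period, flip the same policy to enforcement; the rule does not change.
# Set-DlpCompliancePolicy -Identity "Payment card data (pilot)" -Mode Enable

# What is enforced versus merely simulated across the tenant, and where each policy applies.
Get-DlpCompliancePolicy |
    Select-Object Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation, TeamsLocation |
    Format-Table -AutoSize
```

The last query is worth running periodically on its own: a policy that has been sitting in TestWithNotifications for a year is protecting nothing, and the Purview portal does not make that obvious.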

Sensitivity labels

Sensitivity labels (Purview > Information protection) classify documents and emails with a persistent label that travels with the content. Labels can apply encryption (Azure Rights Management), header, footer and watermark markings, and container settings on Teams, groups and sites. Labelling is built into Microsoft 365 Apps; the separate Azure Information Protection unified labelling client has been retired. Manual labelling and encryption need Azure Information Protection Plan 1 (in E3 and Business Premium); automatic and recommended labelling, and the on-premises scanner, need Plan 2 (in E5).

Defender for Office 365

Safe Attachments detonates email attachments in a sandbox before delivery; Safe Links rewrites URLs and checks them at click time against Microsoft's threat intelligence. Both are configured under Defender portal > Email & collaboration > Policies & rules > Threat policies. The Built-in protection preset gives every licensed recipient a minimal baseline, but stricter actions need the Standard or Strict preset or your own policies, and Safe Attachments for SharePoint, OneDrive and Teams is a separate switch that is off by default. Scope policies to all users rather than selected groups to avoid protection gaps.

eDiscovery and content search

Purview eDiscovery allows admins and compliance officers to search and export content from Exchange, SharePoint, Teams, and OneDrive for legal holds and investigations. Content search and eDiscovery (Standard) are included in E3. eDiscovery (Premium) (E5 or add-on) adds custodian management, advanced indexing, review sets and relevance scoring. Holds are applied through an eDiscovery case to the mailboxes and sites in scope, preserving content in place without affecting the user; a content search on its own preserves nothing.

Data resilience

Backup, Retention, and Recovery Considerations

Microsoft 365 is a SaaS platform with built-in redundancy — but redundancy is not backup. Microsoft's Shared Responsibility Model places responsibility for data recovery from accidental deletion, malicious deletion, and ransomware encryption on the customer.

Microsoft's native retention — what it actually covers

Deleted emails go to Deleted Items, then Recoverable Items (retained 14 days by default, extendable to 30). Soft-deleted mailboxes, left behind by a deleted user, are kept for 30 days. Deleted SharePoint and OneDrive files go to the recycle bin (93 days). Deleted Teams messages are retained per your retention policy. None of this is a backup; it is versioning and recycle bin functionality. There is no restore to a specific point-in-time snapshot without Microsoft 365 Backup or a third-party tool.

Retention policies vs backup

Purview retention policies preserve content for compliance — they prevent deletion during the retention period and can trigger deletion after it. This is not a backup: retained content cannot be restored to its original location after accidental deletion, and retention does not protect against an admin deleting a site or mailbox outright. Retention policies serve a legal compliance purpose; a third-party backup tool serves a recovery purpose. Both are needed.

Deleted item and site recovery windows

Exchange: Recoverable Items default 14 days, extendable to a maximum of 30 via Set-Mailbox -RetainDeletedItemsFor (anything longer needs a hold or retention policy); soft-deleted mailboxes 30 days. SharePoint and OneDrive: 93 days in total across the first-stage (user) and second-stage (site collection) recycle bins, counted from the original deletion; deleted sites also sit in the admin centre's Deleted sites list for 93 days. Teams: deleted channels can be restored for 30 days. Microsoft 365 Groups (and therefore whole Teams): soft-deleted groups can be restored within 30 days via Entra ID or PowerShell.

Third-party backup: what to look for

Evaluate M365 backup tools on: granular restore (can you restore a single email, file version, or Teams message?), storage flexibility (your own Azure storage vs vendor-managed?), retention period support (do you need 7 years for tax, financial-services or sector rules? GDPR's storage-limitation principle pulls the other way, so you also need to be able to expire data), and licensing model (per-user, per-seat, consumption-based?). The market leaders are Veeam Backup for Microsoft 365, Acronis, and Rubrik, each with different storage and licensing trade-offs.

Ransomware recovery in Microsoft 365

OneDrive and SharePoint have built-in versioning (up to 500 versions per file) and a Files Restore feature that lets users roll back all files to a point up to 30 days ago. Exchange Online does not have an equivalent point-in-time restore. For ransomware scenarios where attackers remained in the tenant for weeks before triggering encryption, the 30-day window may not be sufficient — making third-party backup with longer retention critical.

Microsoft 365 Backup (native)

Microsoft's own Microsoft 365 Backup product, generally available since 2024, covers Exchange, SharePoint, and OneDrive. It is charged per GB of protected data per month and managed from the Microsoft 365 admin centre. It provides point-in-time restore, but with a shorter retention window than most third-party tools. Evaluate it against your RPO/RTO requirements and existing backup investment: it does not cover Teams chat history, and it does not yet match mature third-party products for granularity across all workloads.

Licensing

Licensing and Feature Availability — What Each Tier Unlocks

Microsoft 365 licensing determines which admin capabilities, security features, and compliance tools are available. These are the key differences that matter most for endpoint and security administration.

Capability | Business Basic | Business Premium | E3 | E5
Conditional Access | No | Yes (Entra ID P1) | Yes (Entra ID P1) | Yes (Entra ID P2 includes P1)
Intune device management | No | Yes | Yes | Yes
Entra ID PIM / Identity Protection | No | No | No | Yes (Entra ID P2)
Defender for Endpoint | No | Defender for Business | MDE Plan 1 | MDE Plan 2 (full EDR)
Defender for Office 365 | No | Plan 1 | No | Plan 2
Exchange Online mailbox size | 50 GB | 50 GB | 100 GB | 100 GB
Exchange archiving / litigation hold | No | Yes (Exchange Online Archiving) | Unlimited archive (Plan 2) | Unlimited archive (Plan 2)
Purview audit log retention | 180 days | 180 days | 180 days | 1 year (Audit Premium)
eDiscovery | Content search only | Content search only | eDiscovery (Standard) | eDiscovery (Premium)
DLP policies | No | Basic DLP | Full DLP | Full DLP + Insider Risk
Sensitivity labels / AIP | No | AIP P1 | AIP P1 | AIP P2
Max users | 300 | 300 | Unlimited | Unlimited

Business Basic and Business Premium are both capped at 300 users. Above 300 users, E3 is the equivalent baseline, but E3 carries only MDE Plan 1 and no Defender for Office 365 or Entra ID P2; E5 adds MDE Plan 2, Defender for Office 365 Plan 2, Entra ID P2 and the Purview premium features. Licensing changes frequently; verify current inclusions on the Microsoft 365 product pages before purchasing.

Common problems

Where Microsoft 365 Configurations Go Wrong

Most Microsoft 365 problems in production fall into three categories: security defaults left on when CA is deployed, licence assignment gaps that hide features, and misconfigured email authentication. These are the patterns that appear most often.

Security defaults and Conditional Access running simultaneously

Security defaults and Conditional Access are mutually exclusive, and Entra will not enforce both. Trying to roll out CA with security defaults still on produces duplicate MFA prompts, blocks on service accounts, and an inconsistent user experience. The sequence is: build the CA baseline, validate it in report-only mode, then disable security defaults (Entra ID > Overview > Properties > Manage security defaults) and enable the CA policies in the same change window, so the tenant never sits with neither. Disabling security defaults before the CA baseline is complete and tested is the common mistake.

Safe Attachments and Safe Links not enabled despite Plan 1 licence

Defender for Office 365 Plan 1 is included in Business Premium (E5 carries Plan 2). The Built-in protection preset applies a minimal Safe Attachments and Safe Links baseline automatically, but nothing stricter: go to security.microsoft.com > Email & collaboration > Policies & rules > Threat policies and either turn on the Standard or Strict preset security policy for all users or create your own Safe Attachments and Safe Links policies, and enable Safe Attachments for SharePoint, OneDrive and Teams separately. The licence does not enforce the protection; the policy does.

Legacy authentication not blocked — CA bypass

IMAP, POP3, and SMTP AUTH clients bypass Conditional Access and MFA: an attacker with a stolen password can authenticate over them even when the user is subject to an MFA policy. Microsoft has turned basic authentication off in Exchange Online for everything except SMTP AUTH, so the remaining exposure is SMTP AUTH plus any app still presenting as a legacy client. Check Entra sign-in logs for client apps other than Browser and Mobile Apps and Desktop clients (Exchange ActiveSync, Other clients, IMAP4, POP3, Authenticated SMTP); those are legacy auth sign-ins. Deploy the CA block in report-only mode first to identify affected accounts, then enforce it and disable SMTP AUTH in Exchange Online for everyone except the specific mailboxes that need it.
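The inventory, report-only policy and SMTP AUTH shutdown described here and in the tenant baseline section, as one added example that is not code from the original page. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, Entra ID P1 (required for Conditional Access and sign-in log access), the Conditional Access Administrator and Exchange Administrator roles, and a placeholder break-glass group ID to exclude.

```powershell
# Added example, not from the original page. Assumes Microsoft.Graph SDK, ExchangeOnlineManagement,
# Entra ID P1, and the roles named in the text. The excluded group ID is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","AuditLog.Read.All","Directory.Read.All" -NoWelcome

# 1. Inventory: who still signs in with legacy clients? Look back 30 days (P1 sign-in log retention).
#    clientAppUsed supports a server-side eq filter, so query per client type rather than pulling everything.
$legacyApps = @('Exchange ActiveSync','Other clients','IMAP4','POP3','Authenticated SMTP',
                'Exchange Web Services','MAPI Over HTTP','Offline Address Book',
                'Outlook Anywhere (RPC over HTTP)','Autodiscover','Exchange Online PowerShell')
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacySignIns = foreach ($app in $legacyApps) {
    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and clientAppUsed eq '$app'"
}
$legacySignIns | Group-Object ClientAppUsed, UserPrincipalName |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize

# 2. Block policy in report-only mode. The sign-in log then shows a "Report-only" result for every
#    sign-in the policy would have blocked, without affecting anyone.
$policy = @{
    displayName = "CA-Block-LegacyAuth"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @("00000000-0000-0000-0000-000000000000")   # assumed break-glass group object ID
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Enforce once nothing legitimate appears in step 1:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State enabled

# 4. SMTP AUTH is the one basic-auth protocol Exchange Online still offers. Turn it off tenant-wide and
#    re-enable only on the specific mailboxes (scanners, alerting appliances) that need it.
Connect-ExchangeOnline -ShowBanner:$false
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# Set-CASMailbox -Identity scanner@contoso.example -SmtpClientAuthenticationDisabled $false   # assumed exception
```

Leave at least a week between steps 2 and 3 so that monthly and weekly jobs (payroll exports, board-pack mailers) get a chance to show up in the report-only results before the block lands.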

Mailbox audit log not enabled — forensic gap

The unified audit log may be enabled while mailbox-level auditing is off. Mailbox auditing has been on by default since 2019, but older tenants, or ones where someone ran Set-OrganizationConfig -AuditDisabled $true, have a gap: check Get-OrganizationConfig | Format-List AuditDisabled and, if needed, Set-Mailbox -AuditEnabled $true with -AuditOwner, -AuditDelegate and -AuditAdmin on the mailboxes. Without mailbox auditing you cannot determine which emails were read, which inbox rules were created, or who was granted access during a mailbox compromise. The Microsoft 365 E5 / Audit (Premium) licence adds MailItemsAccessed, the most forensically valuable event type; its IsThrottled flag tells you when so many items were read in a day that the log stopped recording individual messages.
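The checks above, followed by the query an incident responder actually runs against a compromised mailbox (covering the audit log search described in the security and compliance section too), as an added example that is not code from the original page. It assumes the ExchangeOnlineManagement module, the View-Only Audit Logs role, a placeholder victim address, and E5 / Audit (Premium) on that mailbox for the MailItemsAccessed records to exist at all.

```powershell
# Added example, not from the original page. Assumes ExchangeOnlineManagement, the View-Only Audit Logs
# role, and a placeholder mailbox. MailItemsAccessed events need E5 / Audit (Premium) on the mailbox.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Tenant-level switches: unified audit ingestion on, mailbox auditing not disabled org-wide.
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
Get-OrganizationConfig  | Select-Object AuditDisabled     # must be False
# If AuditDisabled is True, fix it org-wide (Set-OrganizationConfig -AuditDisabled $false) or per mailbox:
# Set-Mailbox -Identity $victim -AuditEnabled $true -AuditOwner @{Add="MailItemsAccessed","Send"}

$victim = "j.doe@contoso.example"   # assumed
$start  = (Get-Date).AddDays(-14); $end = Get-Date

# 2. Pull mail access and inbox-rule events for the mailbox. One call returns at most 5000 records, so
#    page with a session ID until a short page comes back.
function Get-MailboxAccessTimeline {
    param([string]$Mailbox, [datetime]$Start, [datetime]$End)
    $session = "ir-$([guid]::NewGuid())"
    $ops = "MailItemsAccessed","New-InboxRule","Set-InboxRule","UpdateInboxRules","Add-MailboxPermission"
    do {
        $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $Mailbox -Operations $ops `
                  -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
        foreach ($rec in $page) {
            $d = $rec.AuditData | ConvertFrom-Json
            [pscustomobject]@{
                Time       = $rec.CreationDate
                Operation  = $rec.Operations
                ClientIP   = $d.ClientIPAddress
                ClientApp  = $d.ClientInfoString
                AccessType = $d.OperationProperties | Where-Object Name -eq 'MailAccessType' | ForEach-Object Value
                Throttled  = $d.OperationProperties | Where-Object Name -eq 'IsThrottled'    | ForEach-Object Value
                Folders    = ($d.Folders.Path -join '; ')
                MessageIds = ($d.Folders.FolderItems.InternetMessageId -join ' ')
            }
        }
    } while ($page -and @($page).Count -eq 5000)
}

$timeline = Get-MailboxAccessTimeline -Mailbox $victim -Start $start -End $end

# 3. Triage: which source IPs touched the mailbox and how much each read. Any row with Throttled = True
#    means more items were read that day than were logged, so treat the folder list as a lower bound.
$timeline | Group-Object ClientIP | Select-Object Name, Count | Sort-Object Count -Descending
$timeline | Where-Object Throttled -eq 'True' | Select-Object Time, ClientIP, ClientApp
$timeline | Export-Csv ".\$($victim)-mailaccess.csv" -NoTypeInformation
```

Correlate the ClientIP column with the Entra sign-in log for the same window: a sync-type MailItemsAccessed burst from an IP that never appears in an interactive sign-in is the signature of a stolen token or app password rather than a stolen password.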

No third-party backup — relying on recycle bin

The SharePoint recycle bin and Exchange Recoverable Items folder cover accidental deletion within their respective windows (93 days, and 14 days by default for Exchange, 30 at most). They do not protect against an admin permanently deleting a site collection, a ransomware actor systematically emptying recycle bins, or a user purging their recoverable items. Document the gap and obtain management sign-off if no backup beyond the native windows is in place.

DMARC not configured — email spoofing risk

Having SPF and DKIM configured does not prevent spoofing of your domain without DMARC: without a DMARC record, receiving servers have no instruction on what to do when SPF and DKIM fail, and most simply deliver. Start with v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com to collect aggregate reports and identify every sending source. Move to p=quarantine (optionally ramping with pct=) and then p=reject after confirming all legitimate senders are covered in SPF and DKIM.
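A check that verifies all three records from the outside, then turns DKIM signing on in Exchange Online once the CNAMEs are live, serving this section and the email authentication section in the Exchange Online area. This is an added example, not code from the original page; it assumes Windows PowerShell or PowerShell 7 on Windows (Resolve-DnsName comes from the DnsClient module), the ExchangeOnlineManagement module for the DKIM part, and the placeholder domain shown.

```powershell
# Added example, not from the original page. Assumes Resolve-DnsName (Windows DnsClient module) and
# ExchangeOnlineManagement; the domain is a placeholder.
$domain = "contoso.example"   # assumed

function Test-EmailAuthDns {
    param([string]$Domain, [string[]]$DkimSelectors = @('selector1', 'selector2'))

    # SPF: exactly one v=spf1 record, must include Microsoft 365, should end in a failure qualifier.
    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
           ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' }
    $spfOk = (@($spf).Count -eq 1) -and ($spf -match 'include:spf\.protection\.outlook\.com') -and ($spf -match '\s[-~]all$')

    # DKIM: each selector must be a CNAME into the tenant's onmicrosoft.com signing domain.
    $dkim = foreach ($s in $DkimSelectors) {
        $c = Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        [pscustomobject]@{ Selector = $s; Target = $c.NameHost; Ok = ($c.NameHost -like "*._domainkey.*.onmicrosoft.com") }
    }

    # DMARC: parse the tags; report the policy and whether aggregate reports go anywhere.
    $dmarc = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue).Strings -join ''
    $tags = @{}
    foreach ($kv in ($dmarc -split ';')) {
        if ($kv -match '^\s*(\w+)=(.*?)\s*$') { $tags[$matches[1]] = $matches[2] }
    }

    [pscustomobject]@{
        Domain      = $Domain
        SpfRecord   = $spf
        SpfOk       = $spfOk
        DkimOk      = -not ($dkim | Where-Object { -not $_.Ok })
        DkimDetail  = $dkim
        DmarcPolicy = $tags['p']     # $null = no record; 'none' = monitor only
        DmarcRua    = $tags['rua']
        DmarcOk     = ($tags['v'] -eq 'DMARC1') -and ($tags['p'] -in 'quarantine', 'reject')
    }
}

Test-EmailAuthDns -Domain $domain | Format-List

# DKIM in Exchange Online: Get-DkimSigningConfig shows the CNAME targets Microsoft expects for this
# domain (Selector1CNAME / Selector2CNAME). Publish both, then enable; enabling fails with a clear
# error while the CNAMEs are missing, so there is no harm in trying.
Connect-ExchangeOnline -ShowBanner:$false
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -KeySize 2048 -Enabled $false | Out-Null
}
Get-DkimSigningConfig -Identity $domain | Select-Object Domain, Enabled, Selector1CNAME, Selector2CNAME
Set-DkimSigningConfig -Identity $domain -Enabled $true
```

DmarcOk is deliberately strict: a domain at p=none passes the "record exists" test that many scanners apply, but it tells receivers to deliver spoofed mail anyway, which is the problem this section describes.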

Guest access left open globally — data exfiltration risk

SharePoint external sharing set to "Anyone with the link" allows anonymous access to files with no authentication or audit trail. Guest access in Teams allows external users to access channels, files, and meeting recordings. Review SharePoint admin > Policies > Sharing and Teams admin > Guest access. Restrict external sharing to "New and existing guests" at tenant level — site owners can relax this per site if needed with business justification.
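Setting the tenant ceiling, finding the sites still at "Anyone", tightening them, and making the separate Teams guest switch an explicit decision, as an added example that is not code from the original page (it also covers the external sharing controls described in the SharePoint section). It assumes the Microsoft.Online.SharePoint.PowerShell and MicrosoftTeams modules, SharePoint Administrator and Teams Administrator roles, and the placeholder tenant and site URLs shown.

```powershell
# Added example, not from the original page. Assumes the SharePoint Online and MicrosoftTeams modules,
# SharePoint Administrator + Teams Administrator roles; tenant and site URLs are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumed tenant admin URL
Connect-MicrosoftTeams

# 1. Tenant default: authenticated guests only, internal links by default, and short-lived, view-only
#    anonymous links if a site is ever allowed them. SharingCapability values: Disabled,
#    ExistingExternalUserSharingOnly, ExternalUserSharingOnly (new and existing guests),
#    ExternalUserAndGuestSharing (Anyone).
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Internal `
    -RequireAnonymousLinksExpireInDays 30 `
    -FileAnonymousLinkType View -FolderAnonymousLinkType View

# 2. Audit: sites whose own setting is still Anyone. A site can be stricter than the tenant but never
#    looser, so these are now capped by the tenant setting, but they will spring back open if the
#    tenant setting is ever relaxed; fix them explicitly. OneDrive sites are excluded here.
function Get-OverSharedSites {
    Get-SPOSite -Limit All |
        Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
        Select-Object Url, Title, SharingCapability, Template
}
$over = Get-OverSharedSites
$over | Format-Table -AutoSize

# 3. Tighten them, and lock down sites holding regulated data harder still.
$over | ForEach-Object { Set-SPOSite -Identity $_.Url -SharingCapability ExternalUserSharingOnly }
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -SharingCapability Disabled   # assumed site

# 4. Teams guest access is a separate switch from SharePoint sharing. Leaving it on is fine where guests
#    are meant to collaborate; the point is that it is a decision, not a default nobody reviewed.
Get-CsTeamsClientConfiguration -Identity Global | Select-Object AllowGuestUser
# Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $false
```

Schedule step 2 rather than running it once: site owners with the right to change sharing settings will re-open sites, and the tenant ceiling is the only control that survives that.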

Retention policy gaps — specific workloads not covered

A Purview retention policy applied to "Exchange email" does not cover Teams chat or channel messages — those need a separate Teams retention policy. A SharePoint retention policy does not cover OneDrive unless OneDrive locations are explicitly included. Audit retention policy scope from Purview > Data lifecycle management > Microsoft 365 > Retention policies > each policy > Locations to verify all required workloads are included.