
The 10 Microsoft 365 Settings Every Tanzanian SME Should Change Today

Ten specific, actionable Microsoft 365 security settings — what they do, why they matter, and exactly where to find them in the admin centre.

Microsoft 365 is the most widely used productivity platform in Tanzanian SMEs. It is also commonly deployed with its insecure defaults left in place. Microsoft optimises the out-of-the-box configuration for ease of adoption, not security, and the gap between those defaults and a hardened configuration is wide.

Here are ten specific settings to change. Each one is actionable today, without specialist security knowledge.


1. Enforce Multi-Factor Authentication with Conditional Access

What it does: Requires users to prove their identity with a second factor when signing in: an authenticator app (ideally with number matching), a FIDO2 security key, or an SMS code. Prefer the app or a key; SMS codes can be intercepted through SIM swapping and are the easiest factor to phish.

Why it matters: Stolen passwords are the most common way accounts get compromised. MFA stops most password-based attacks cold, even when a password is known to the attacker. Without MFA, a single phishing email can give an attacker full access to your organisation’s email, files, and systems.

Where to find it: Microsoft Entra admin centre → Protection → Conditional Access → Policies → New policy. Target all users and all cloud apps, set the Grant control to Require multifactor authentication, exclude one dedicated emergency-access (break-glass) account so a mistake cannot lock every admin out, and run the policy in report-only mode for a few days before switching it to On. Conditional Access needs an Entra ID P1 licence, which Microsoft 365 Business Premium includes. On a plan without it, turn on Security Defaults instead (Entra admin centre → Identity → Overview → Properties → Manage security defaults): these enforce MFA for everyone and block legacy authentication, but cannot be tuned, and Security Defaults and Conditional Access cannot be on at the same time.

Note: Per-user MFA (the older setting reached from the Microsoft 365 admin centre) is a legacy mechanism with no conditions or exclusions, and Microsoft recommends migrating away from it. Use Conditional Access.


2. Block Legacy Authentication Protocols

What it does: Prevents sign-ins through older authentication protocols, such as IMAP, POP3, SMTP AUTH and older Exchange ActiveSync clients, that send a plain username and password and cannot complete an MFA challenge.

Why it matters: Legacy authentication bypasses MFA entirely. An attacker who knows a password can use a legacy protocol to sign in without ever triggering an MFA prompt. Microsoft has reported that more than 99% of password spray attacks use legacy authentication protocols. If you enforce MFA but still allow legacy auth, MFA provides no protection against this attack vector. Microsoft disabled Basic authentication in Exchange Online for most protocols in late 2022, but SMTP AUTH can still be enabled per mailbox, so the explicit block is still worth having.

Where to find it: Conditional Access → New policy → Target resources → All cloud apps → Conditions → Client apps → Configure: Yes, tick Exchange ActiveSync clients and Other clients (together these are the legacy authentication clients) → Grant → Block access. Start in report-only mode and check the sign-in logs for anything still using legacy protocols; scan-to-email on multifunction printers and old line-of-business applications are the usual finds, and those need fixing or excluding by account before the policy is enforced.
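The two policies above (section 1's MFA requirement and this section's legacy authentication block) can be created from Microsoft Graph PowerShell rather than the portal, which makes them repeatable across tenants and easy to review in version control. The script below is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph module is installed, that the signed-in admin can consent to the listed scopes, and that a break-glass account named breakglass@contoso.onmicrosoft.com already exists (a placeholder to replace). Both policies are created in report-only mode so you can read the sign-in logs before enforcing them.

```powershell
# Added example: create the MFA and legacy-auth Conditional Access policies in report-only mode.
# Assumptions: Microsoft.Graph module; breakglass@contoso.onmicrosoft.com is a placeholder account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All","User.Read.All"

# Conditional Access and Security Defaults are mutually exclusive, so check the current state first.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    Write-Warning "Security Defaults are on; turn them off before enabling Conditional Access policies."
}

# One emergency-access account is excluded so a mis-scoped policy cannot lock every admin out.
$breakGlass = Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com"   # placeholder account

# Policy 1: require MFA for all users on all cloud apps.
$mfaPolicy = @{
    displayName = "CA001 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # report-only; change to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2: block legacy authentication. "exchangeActiveSync" plus "other" is exactly what the portal's
# "Legacy authentication clients" selection covers (IMAP, POP, SMTP AUTH, older Office clients, etc.).
$legacyPolicy = @{
    displayName = "CA002 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync","other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy

# Confirm both policies exist and are still report-only.
Get-MgIdentityConditionalAccessPolicy | Where-Object DisplayName -like "CA00*" |
    Select-Object DisplayName, State
```

After a few days in report-only mode, open Entra ID → Monitoring → Sign-in logs, filter on each policy under the Report-only tab, and only then set state to enabled. The same policy object, with a sessionControls block instead of grantControls, is how the sign-in frequency in section 10 is configured.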


3. Restrict External Sharing in SharePoint and OneDrive

What it does: Controls whether your files and folders can be shared with people outside your organisation, and under what conditions.

Why it matters: Microsoft’s default organisation-level setting for SharePoint and OneDrive is “Anyone”, which lets users create links that open a file for whoever holds the link, with no sign-in. Once such a link is forwarded, posted, or found by an attacker, the file is effectively public, and the access is logged only as an anonymous user, so you cannot tell who opened it.

Where to find it: SharePoint admin centre → Policies → Sharing. Move the external sharing slider for both SharePoint and OneDrive to “New and existing guests” (recipients must sign in) or to “Only people in your organisation” if external sharing is not needed at all. Existing “Anyone” links stop working once the setting is tightened, so warn the business first. If “Anyone” links must stay for now, set them to expire after a fixed number of days and default them to view-only, and review which sites hold such links while you are there.
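The same change from the SharePoint Online Management Shell, which also records the previous state so the change can be reversed if it breaks a legitimate workflow. This is an added example, not code from the original article; it assumes the Microsoft.Online.SharePoint.PowerShell module is installed and that the tenant is named "contoso" (a placeholder).

```powershell
# Added example: tighten tenant-wide external sharing. "contoso" is a placeholder tenant name.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Record the current state before changing anything.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType

# SharingCapability values, most to least permissive:
#   ExternalUserAndGuestSharing     = "Anyone" links (the default)
#   ExternalUserSharingOnly         = "New and existing guests" (recipients must sign in)
#   ExistingExternalUserSharingOnly = "Existing guests" only
#   Disabled                        = "Only people in your organisation"
Set-SPOTenant -SharingCapability ExternalUserSharingOnly -OneDriveSharingCapability ExternalUserSharingOnly

# Default new links to "specific people", read-only, so a forwarded link does not open the file
# for whoever receives it.
Set-SPOTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View

# If "Anyone" links genuinely cannot be switched off yet, at least make them expire and read-only:
# Set-SPOTenant -RequireAnonymousLinksExpireInDays 30 -FileAnonymousLinkType View -FolderAnonymousLinkType View

# Verify.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType, DefaultLinkPermission
```

Individual sites can be more restrictive than the tenant setting but never more permissive, so the tenant-level value is the ceiling.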


4. Configure Email Authentication — SPF, DKIM, and DMARC

What it does: SPF (Sender Policy Framework) is a DNS record listing the mail servers authorised to send email for your domain. DKIM (DomainKeys Identified Mail) signs your outgoing mail so a receiver can verify that it was not altered and really came from your domain. DMARC ties the two together: it tells receiving servers what to do with mail that fails both checks (or passes them only for an unrelated domain), and where to send reports about it.

Why it matters: Without these records, your domain can be spoofed: an attacker can send emails that appear to come from your exact address. This enables highly convincing phishing attacks against your clients, suppliers, and staff. DMARC at enforcement (p=reject) stops exact-domain spoofing at every receiver that honours it. It does not stop lookalike domains (a registered mis-spelling of your own), so staff still need to check sender addresses.

Where to find it: In your DNS, wherever the domain is hosted (the registrar or a DNS provider), not in Microsoft 365 itself. The SPF value for a tenant that sends only through Microsoft 365 is v=spf1 include:spf.protection.outlook.com -all; any other legitimate sender (a marketing or ticketing platform) needs its own include: entry, and the record must stay within the ten-DNS-lookup limit. DKIM is enabled in the Microsoft Defender portal (Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM), which gives you two CNAME records to publish; the domain's other records are listed in the Microsoft 365 admin centre under Settings → Domains. Roll DMARC out in stages: publish v=DMARC1; p=none; rua=mailto:<a reporting mailbox> to collect reports, move to p=quarantine, then to p=reject once the reports show all legitimate mail passing.
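The checks a practitioner runs before and after publishing these records, plus the DKIM enablement step on the Exchange Online side, as an added example that is not part of the original article. It assumes Windows PowerShell (Resolve-DnsName is in the built-in DnsClient module) and the ExchangeOnlineManagement module; "contoso.co.tz" is a placeholder domain.

```powershell
# Added example: verify SPF, DKIM and DMARC for a domain, then set up DKIM signing in Exchange Online.
# "contoso.co.tz" is a placeholder; replace it with your own domain.
$domain = "contoso.co.tz"

function Get-TxtRecord([string]$Name) {
    # Returns the joined TXT strings for a DNS name, or $null if no record exists.
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' }
    } catch { $null }
}

$spf   = @(Get-TxtRecord $domain | Where-Object { $_ -like 'v=spf1*' })
$dmarc = Get-TxtRecord "_dmarc.$domain"

# SPF: exactly one record, it must include Microsoft's sending infrastructure, and it should end in
# -all (hard fail). ~all only marks spoofed mail as suspicious.
if ($spf.Count -eq 0)       { Write-Warning "No SPF record. Expected: v=spf1 include:spf.protection.outlook.com -all" }
elseif ($spf.Count -gt 1)   { Write-Warning "Multiple SPF records; receivers treat this as a permanent error" }
elseif ($spf[0] -notlike '*include:spf.protection.outlook.com*') { Write-Warning "SPF does not include spf.protection.outlook.com" }
elseif ($spf[0] -notlike '*-all') { Write-Warning "SPF uses soft fail; change ~all to -all once all senders are listed" }

# DKIM: Microsoft 365 uses two selectors, selector1 and selector2, published as CNAMEs in your DNS.
foreach ($sel in 'selector1','selector2') {
    if (-not (Resolve-DnsName -Name "$sel._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue)) {
        Write-Warning "DKIM CNAME $sel._domainkey.$domain is missing"
    }
}

# DMARC: p=none is monitoring only; p=reject is enforcement; rua= is where aggregate reports go.
if (-not $dmarc)                 { Write-Warning "No DMARC record. Start with: v=DMARC1; p=none; rua=mailto:dmarc@$domain" }
elseif ($dmarc -match 'p=none')  { Write-Warning "DMARC is in monitor mode; move to p=quarantine, then p=reject" }
elseif ($dmarc -notmatch 'rua=') { Write-Warning "DMARC has no rua= address, so you receive no reports" }

# DKIM signing config in Exchange Online. It is created disabled first because enabling fails until
# the two CNAMEs it reports are published in DNS; once they resolve, run the Set- line.
Connect-ExchangeOnline
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -Enabled $false
}
Get-DkimSigningConfig -Identity $domain | Format-List Enabled, Selector1CNAME, Selector2CNAME
# After publishing both CNAMEs:  Set-DkimSigningConfig -Identity $domain -Enabled $true
```

Run the DNS checks again a day or two after each DMARC policy change; DMARC aggregate reports are XML and arrive daily, and a free report aggregator makes them readable before you decide to move from p=none to p=quarantine.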


5. Enable Safe Links and Safe Attachments

What it does: Safe Links rewrites URLs in emails and documents, checking them against Microsoft’s threat intelligence database when clicked. Safe Attachments detonates email attachments in a sandbox before delivering them.

Why it matters: These features intercept phishing links and malicious attachments before they reach your users. A staff member who clicks a phishing link that Safe Links has already classified as malicious sees a warning page rather than a credential-harvesting site. The protection is only as current as the verdict: a brand-new phishing page can pass its first few clicks, which is why MFA and staff awareness still matter alongside it.

Where to find it: Microsoft Defender portal → Email & collaboration → Policies & rules → Threat policies → Safe Links and Safe Attachments. The quickest route is the Standard preset security policy on the same page, which applies Microsoft’s recommended settings for both. These features need a Defender for Office 365 Plan 1 licence, which is included in Microsoft 365 Business Premium but not in Business Basic or Business Standard.
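The explicit policy pair, created from Exchange Online PowerShell, with the settings that matter called out. This is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module and a Defender for Office 365 Plan 1 licence, and "contoso.co.tz" is a placeholder domain.

```powershell
# Added example: Safe Links and Safe Attachments policies for every recipient in one domain.
# Assumptions: ExchangeOnlineManagement module; Defender for Office 365 Plan 1; placeholder domain.
Connect-ExchangeOnline
$domain = "contoso.co.tz"

# Safe Links: rewrite and check URLs in mail, Teams and Office files. DeliverMessageAfterScan closes
# the window in which a user clicks before the verdict is known; AllowClickThrough $false stops users
# bypassing the warning page. A policy does nothing until a rule scopes it to recipients.
New-SafeLinksPolicy -Name "SME Safe Links" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "SME Safe Links" -SafeLinksPolicy "SME Safe Links" -RecipientDomainIs $domain

# Safe Attachments: detonate attachments in a sandbox and block the whole message if one is malicious.
# Block is the safe default; Replace strips only the attachment, DynamicDelivery delivers the body first.
New-SafeAttachmentPolicy -Name "SME Safe Attachments" -Enable $true -Action Block
New-SafeAttachmentRule -Name "SME Safe Attachments" -SafeAttachmentPolicy "SME Safe Attachments" -RecipientDomainIs $domain

# Attachment scanning for files already in SharePoint, OneDrive and Teams is a tenant-wide switch.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify both rules are enabled and scoped.
Get-SafeLinksRule "SME Safe Links" | Format-List Name, State, SafeLinksPolicy, RecipientDomainIs
Get-SafeAttachmentRule "SME Safe Attachments" | Format-List Name, State, SafeAttachmentPolicy, RecipientDomainIs
```

If you later turn on the Standard preset security policy as well, it takes precedence over custom policies for the users it covers; pick one approach per tenant to keep the effective policy easy to reason about.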


6. Enable Unified Audit Logging

What it does: Records user and admin activity across Microsoft 365 services — who signed in, what files were accessed, what emails were sent, what settings were changed.

Why it matters: Without audit logging, you have no forensic trail when something goes wrong. When an account is compromised, audit logs tell you what the attacker accessed, what they exfiltrated, and what settings they changed. Without logs, you are guessing. Audit logs are also required by several compliance frameworks including the Tanzania PDPA and BoT guidelines.

Where to find it: Microsoft Purview portal → Audit. Auditing is on by default in tenants created in recent years, but if the Audit page shows a “Start recording user and admin activity” banner, click it. Default retention with Audit (Standard) is 180 days (raised from 90 days in late 2023); longer retention, which many compliance frameworks require, needs Audit (Premium), which comes with E5-level licensing rather than Business Premium, or a regular export of the logs to an external store such as a SIEM.
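Audit logs earn their keep in the first hour of an incident. The script below, an added example that is not code from the original article, confirms the setting from Exchange Online PowerShell and then runs the query most worth knowing after a suspected mailbox compromise: inbox rules created or changed on the account, which attackers use to hide their replies and forward mail out. It assumes the ExchangeOnlineManagement module; "alice@contoso.co.tz" is a placeholder user.

```powershell
# Added example: verify unified audit logging and pull inbox-rule activity for one user.
# Assumptions: ExchangeOnlineManagement module; alice@contoso.co.tz is a placeholder.
Connect-ExchangeOnline

# Enable auditing if it is off. New events can take a few hours to appear after enabling.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Unified audit logging enabled; events will start appearing shortly."
}

# 30 days of inbox-rule operations for the user. New-InboxRule/Set-InboxRule come from Outlook on the web
# and PowerShell; UpdateInboxRules is what the Outlook desktop client records. A single call returns at
# most 5000 records, so keep the window tight and filter by user and operation.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds "alice@contoso.co.tz" -Operations New-InboxRule,Set-InboxRule,UpdateInboxRules -ResultSize 5000

# AuditData is a JSON string; unpack it. For the cmdlet-based records, Parameters holds the rule
# definition: look for ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, or a MoveToFolder
# target such as RSS Feeds or Archive, all classic business-email-compromise signs.
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When       = $_.CreationDate
        Operation  = $_.Operations
        ClientIP   = $d.ClientIP
        Parameters = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
} | Sort-Object When | Format-Table -AutoSize -Wrap
```

An unfamiliar ClientIP next to a forwarding rule is usually enough to move from "suspected" to "confirmed"; the same cmdlet with -RecordType SharePointFileOperation then shows what the attacker downloaded.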


7. Minimise Admin Role Assignments

What it does: Reduces the number of accounts holding the Global Administrator role and ensures admin roles are appropriately scoped.

Why it matters: Global Administrator accounts are the highest-privilege accounts in your Microsoft 365 environment. If one is compromised, an attacker has complete control over the tenancy: they can create accounts, disable MFA, read all email and files, and exfiltrate everything. Many organisations have more Global Admins than they need, and some Global Admin accounts are everyday user accounts that are also used for browsing and email, so a single phishing click carries the whole tenant. Microsoft’s guidance is to hold the role on two to four accounts, plus at least one emergency-access account excluded from Conditional Access.

Where to find it: Microsoft Entra admin centre → Identity → Roles & admins → Global Administrator. Review the assignments and remove the role from accounts that do not need it, giving people least-privileged roles (Exchange Administrator, SharePoint Administrator, User Administrator) for the tasks they actually do. For anyone who genuinely needs Global Administrator, create a separate cloud-only admin account with no mailbox or licence, enforce MFA on it, and never use it for daily work, email, or browsing.
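The review itself, scripted with Microsoft Graph PowerShell so it can be repeated each quarter. It lists every Global Administrator and flags the two findings that matter most: accounts not registered for MFA, and accounts that look like daily-use accounts (identified here, as an assumption, by carrying a licence). This is an added example, not code from the original article; it needs the Microsoft.Graph module, and the SignInActivity column requires Entra ID P1.

```powershell
# Added example: enumerate Global Administrators and flag weak ones.
# Assumptions: Microsoft.Graph module; Entra ID P1 for SignInActivity; a licensed GA is treated as a
# daily-use account, which is a heuristic, not a rule.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All"

$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)

# Microsoft's guidance is two to four holders; more than that is a finding in itself.
Write-Host "$($members.Count) Global Administrator assignment(s) (target: 2-4, including a break-glass account)"

$members | ForEach-Object {
    $upn = $_.AdditionalProperties['userPrincipalName']
    if (-not $upn) { return }   # groups or service principals holding the role: review separately
    $reg  = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $_.Id
    $user = Get-MgUser -UserId $_.Id -Property AccountEnabled,AssignedLicenses,SignInActivity
    [pscustomobject]@{
        User          = $upn
        Enabled       = $user.AccountEnabled
        MfaRegistered = $reg.IsMfaRegistered
        Licensed      = ($user.AssignedLicenses.Count -gt 0)   # probably an everyday account
        LastSignIn    = $user.SignInActivity.LastSignInDateTime
    }
} | Sort-Object MfaRegistered, Licensed -Descending | Format-Table -AutoSize
```

Any row with MfaRegistered = False is an emergency, not a backlog item; a row that is both licensed and signed in daily is a candidate for a dedicated admin account. Eligible (PIM) assignments do not appear here, only active ones.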


8. Review and Restrict Guest Access

What it does: Controls what guest users (external accounts invited to your Teams and SharePoint) can see and do within your environment.

Why it matters: Guest users often have broader access than intended. A former partner or contractor whose guest account was never removed retains access to any Teams or SharePoint site they were added to — indefinitely, unless access is actively revoked. Guest access misconfiguration is a common path for data exposure.

Where to find it: Microsoft Entra admin centre → Identity → External Identities → External collaboration settings. Set guest user access to the most restrictive option that still works for you, and limit who may send invitations. Also review Microsoft Teams admin centre → Users → Guest access. Every quarter, list active guests in Entra ID → Users → filter User type = Guest and remove those who should no longer have access; removing the guest user revokes every Team and site membership at once.
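The quarterly review as a script, using Microsoft Graph PowerShell to find guests that have not signed in for 90 days or never accepted their invitation. This is an added example that is not part of the original article; it needs the Microsoft.Graph module, SignInActivity requires an Entra ID P1 licence, and it runs as a dry run unless $Remove is set to $true.

```powershell
# Added example: list stale guest accounts and, after review, remove them.
# Assumptions: Microsoft.Graph module; Entra ID P1 for SignInActivity; 90-day staleness threshold.
Connect-MgGraph -Scopes "User.ReadWrite.All","AuditLog.Read.All"
$Remove = $false                      # dry run by default
$cutoff = (Get-Date).AddDays(-90)

$guests = @(Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id,DisplayName,Mail,CreatedDateTime,ExternalUserState,SignInActivity)

$stale = @($guests | Where-Object {
    $last = $_.SignInActivity.LastSignInDateTime
    # Never signed in (invitation typically never accepted) and older than the cutoff,
    # or last sign-in before the cutoff.
    (-not $last -and $_.CreatedDateTime -lt $cutoff) -or ($last -and $last -lt $cutoff)
})

$stale | Select-Object DisplayName, Mail, ExternalUserState, CreatedDateTime,
    @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } } | Format-Table -AutoSize

Write-Host "$($guests.Count) guest account(s), $($stale.Count) stale"

if ($Remove) {
    # Deleting the guest revokes membership of every Team and SharePoint site in one step;
    # the object sits in the recycle bin for 30 days if someone shouts.
    $stale | ForEach-Object { Remove-MgUser -UserId $_.Id }
}
```

Share the dry-run list with the Team owners before flipping $Remove; a guest with no sign-ins may still be a contractor who only receives files by email notification.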


9. Restrict Microsoft Teams External Access

What it does: Controls whether your users can communicate with people from external organisations in Microsoft Teams.

Why it matters: Unrestricted Teams external access allows anyone with a Teams account to message or call your users directly — including to send malicious files or phishing links. Social engineering via Teams is an increasingly common attack vector.

Where to find it: Microsoft Teams admin centre → Users → External access. Allow only specific trusted domains rather than all external organisations, or disable external access entirely if your business does not need to chat or meet with external Teams users. On the same page, block chat with Teams accounts not managed by an organisation (personal accounts) and with Skype users; those are the senders most often seen in Teams phishing. Note that this is separate from guest access: guests are invited into your tenant, while external access is federation with other tenants.
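The same restriction from Teams PowerShell, allow-listing named partner domains and switching off consumer accounts. This is an added example, not code from the original article; it assumes the MicrosoftTeams module, and "partner.co.tz" and "bank.co.tz" are placeholder domains.

```powershell
# Added example: restrict Teams federation to an allow-list and block consumer accounts.
# Assumptions: MicrosoftTeams module; the two domains below are placeholders.
Connect-MicrosoftTeams

# Current state, for the change record.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers

# Only these tenants can chat, call or meet with your users; personal Teams and Skype accounts are
# blocked in both directions.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsOptional @("partner.co.tz", "bank.co.tz") `
    -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false -AllowPublicUsers $false

# To switch external access off entirely instead:
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# Verify.
Get-CsTenantFederationConfiguration | Format-List AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowPublicUsers
```

Changes to federation settings can take up to a few hours to propagate, so test with a partner account the next day rather than immediately.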


10. Configure Automatic Session Timeouts

What it does: Automatically signs users out after a defined period of inactivity.

Why it matters: An unattended laptop with an active Microsoft 365 session is an open door. In an office environment or a shared workspace, an unlocked session represents a genuine risk of unauthorised access to email, files, and sensitive business information.

Where to find it: Microsoft Entra admin centre → Protection → Conditional Access → New policy → Session → Sign-in frequency. Without such a policy, a Microsoft 365 browser session is a rolling 90-day window. Set a re-authentication frequency appropriate to your risk profile, typically 8–24 hours for managed devices and 4–8 hours for unmanaged or shared devices, and pair it with the Persistent browser session control set to Never persistent for unmanaged devices so that closing the browser ends the session. Screen lock after 5–15 minutes of inactivity is a device policy (Intune or Group Policy), not an M365 setting, but it is what actually protects the unattended laptop.


Where to Start

If this list feels overwhelming, start with three: MFA enforcement, legacy authentication blocking, and audit logging. These three controls address the most common and most damaging attack vectors, and they are available on most Microsoft 365 business licence tiers without additional cost.

The remaining seven improve your posture further and address specific risks: external sharing, email spoofing, malicious links and attachments, over-privileged admin accounts, guest and external access, and session management.

If you want a systematic assessment of your entire tenant configuration against the CIS Microsoft 365 Foundations Benchmark, not just these ten settings, a Cloud Security Posture Assessment covers the full picture.

Book a free discovery call to discuss your Microsoft 365 configuration.