The single highest-leverage hour you can spend on cybersecurity this month is probably an Entra ID audit. The settings below are individually small, collectively decisive, and applicable to almost every Microsoft 365 tenant. Here are the seven we check first in every Risk Management assessment.

1. Block legacy authentication

POP3, IMAP, SMTP-Auth, and other legacy protocols bypass conditional access and MFA entirely. If they're enabled, your MFA strategy has a permanent backdoor.

Action: Conditional Access policy → Block legacy authentication for all users. Verify in sign-in logs that Client app = "Other clients" produces zero successful sign-ins after a 14-day soak.

2. Disable user-initiated app consent

By default, regular users can grant third-party apps permissions to their mailbox, files, and calendar. OAuth phishing exploits this directly — the user "logs in" to a malicious app and grants Mail.Read on a token that doesn't expire.

Action: Enterprise applications → Consent and permissions → "Do not allow user consent." Set up an admin consent workflow so legitimate requests get reviewed.

3. Enforce MFA via Conditional Access (not Security Defaults)

Security Defaults is good if you have nothing else. Conditional Access is required for anything more sophisticated — phishing-resistant authenticators, risk-based prompts, named-location exceptions.

Action: Disable Security Defaults. Create CA policies that require phishing-resistant MFA (FIDO2 / Windows Hello / passkeys) for all admins, and number-matching MFA at minimum for everyone else.

4. Require compliant device for sensitive apps

This is the single most effective control against AiTM token theft. The attacker has a stolen session cookie but cannot replay it from their unmanaged machine.

Action: Conditional Access → require Compliant device OR Microsoft Entra hybrid joined for access to Office 365 cloud apps. Pilot with IT first, expand carefully.

5. Stale account cleanup

Most tenants have accounts that haven't signed in for 6+ months. Some are former employees who weren't fully off-boarded. Some are service accounts no one remembers. All of them are attack surface.

Action: Run a Microsoft Graph PowerShell query for accounts whose signInActivity.lastSignInDateTime is earlier than 90 days ago. Disable matching accounts. Remove their licenses. Confirm with the owning team. Repeat monthly.
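As an added example that is not part of the original post, here is the stale-account sweep written out in Microsoft Graph PowerShell. It goes a little beyond the single-property query above: it also considers non-interactive sign-ins (so a service account that still authenticates silently is not flagged) and separately catches accounts that have never signed in at all, which a plain lastSignInDateTime filter would silently skip. It assumes the Microsoft.Graph SDK is installed, that the signed-in identity holds User.Read.All and AuditLog.Read.All (signInActivity also needs an Entra ID P1 license), a 90-day cutoff, and a placeholder CSV path.

```powershell
# Added example, not from the original post or from Microsoft.
# Assumes Microsoft.Graph SDK and the User.Read.All + AuditLog.Read.All scopes.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All" -NoWelcome

# Cutoff used in the post's action item: 90 days.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-90)

# signInActivity is only returned when explicitly selected.
$users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, UserType, CreatedDateTime, SignInActivity

$stale = foreach ($u in $users) {
    # Most recent of interactive and non-interactive sign-in; either one counts as "alive".
    $last = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    if ($last) {
        if ($last -gt $cutoff) { continue }          # signed in recently: not stale
    }
    elseif ($u.CreatedDateTime -gt $cutoff) {
        continue                                      # brand-new account that simply has not signed in yet
    }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        UserType          = $u.UserType               # guests show up here too; review them separately
        Enabled           = $u.AccountEnabled
        LastSignIn        = $last                     # $null means never signed in
        Created           = $u.CreatedDateTime
    }
}

# Only enabled accounts are attack surface worth acting on first; export for review with the owning team.
$stale | Where-Object { $_.Enabled } | Sort-Object LastSignIn |
    Export-Csv -Path ".\stale-accounts.csv" -NoTypeInformation   # placeholder path

# Disable step, run only after the review is signed off:
# Import-Csv ".\stale-accounts.csv" | ForEach-Object {
#     Update-MgUser -UserId $_.UserPrincipalName -AccountEnabled:$false
# }
```

Keep the exported CSV; it is the evidence for "confirm with the owning team" and the baseline you diff against on next month's run.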

6. Privileged Identity Management (PIM)

If your Global Admins are permanent, you have a problem. Standing privilege is the goal of every attacker. PIM converts permanent admin assignments into just-in-time elevations that require approval, MFA, and time-bounded windows.

Action: Enable Entra ID P2 (it's worth the cost). Convert all Global Admin assignments to "Eligible." Require approval and MFA on activation. Aim for under 2 active Global Admins at any moment.

7. Sign-in risk + user risk policies

Identity Protection scores every sign-in for risk based on dozens of signals — atypical location, leaked credentials, anonymous IP, malware-linked IP. Most tenants have it licensed and never turned on.

Action: Conditional Access policies that require MFA on Medium+ sign-in risk and require password change on High+ user risk. Confirm Identity Protection is licensed (Entra ID P2 or M365 E5).

The 80/20 priority

If you can only do three this week, do 1, 2, and 4. They block the three most common Microsoft 365 attack patterns of 2026: legacy auth bypass, OAuth consent phishing, and AiTM token replay. Everything else compounds the gains.

Identity is the new perimeter. Treat it that way.
