Most of the breaches we are called to in 2026 do not require an advanced attacker. They require a defender who has not turned on the controls Microsoft already gave them. These five settings will not solve every problem, but they will close 80 percent of the doors that get used in real attacks.
1. Conditional Access: at minimum, block legacy authentication
Legacy authentication (POP, IMAP, SMTP AUTH, older Outlook clients, EWS basic auth) bypasses MFA. It is the single most common entry point we see in business email compromise. Microsoft has been deprecating it for years and now blocks it by default on new tenants, but if your tenant is older than 2022 you almost certainly still have it enabled somewhere.
Create a Conditional Access policy that blocks legacy authentication for all users. Run it in report-only mode for two weeks first to identify any legitimate clients still using it (line-of-business apps are the usual culprit). Then move it to enforced.
2. Sign-in risk and user risk policies
If you have Entra ID P2 (included in Microsoft 365 E5 and EMS E5), turn on the two risk-based Conditional Access policies. The recommended baseline is:
- Sign-in risk: medium and above requires MFA
- User risk: high requires password change
These are the policies that catch credential-stuffing attacks before the attacker establishes persistence. We have seen them stop active attacks within minutes of the first risky sign-in.
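Both of the Conditional Access policies above (section 1 and section 2) can be created in report-only mode from Microsoft Graph PowerShell. The following is an added example, not code from the original article: it assumes the Microsoft.Graph SDK is installed, that the signed-in admin has the Policy.ReadWrite.ConditionalAccess scope, and uses our own policy names and a placeholder break-glass account ID.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph PowerShell SDK
# and an admin signed in with the Policy.ReadWrite.ConditionalAccess scope.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Helper: create a Conditional Access policy in report-only mode, so the sign-in logs show
# what it *would* have done without blocking anyone. Switch state to 'enabled' once the
# report-only period (the article suggests two weeks) has surfaced any legitimate clients.
function New-ReportOnlyCaPolicy {
    param(
        [Parameter(Mandatory)] [string]    $DisplayName,
        [Parameter(Mandatory)] [hashtable] $Conditions,
        [Parameter(Mandatory)] [hashtable] $GrantControls
    )
    # Scope to all users and all cloud apps, but exclude one break-glass account
    # (placeholder object ID) so a bad policy cannot lock every admin out of the tenant.
    $Conditions["users"] = @{
        includeUsers = @("All")
        excludeUsers = @("<break-glass-account-object-id>")
    }
    $Conditions["applications"] = @{ includeApplications = @("All") }

    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $DisplayName
        state         = "enabledForReportingButNotEnforced"   # report-only mode
        conditions    = $Conditions
        grantControls = $GrantControls
    }
}

# 1. Block legacy authentication. 'exchangeActiveSync' and 'other' are the client app
#    types that cover POP, IMAP, SMTP AUTH, EWS basic auth and older Outlook clients.
New-ReportOnlyCaPolicy -DisplayName "CA001 - Block legacy authentication" `
    -Conditions    @{ clientAppTypes = @("exchangeActiveSync", "other") } `
    -GrantControls @{ operator = "OR"; builtInControls = @("block") }

# 2a. Sign-in risk medium and above requires MFA (needs Entra ID P2 for risk signals).
New-ReportOnlyCaPolicy -DisplayName "CA002 - Sign-in risk medium+ requires MFA" `
    -Conditions    @{ signInRiskLevels = @("medium", "high") } `
    -GrantControls @{ operator = "OR"; builtInControls = @("mfa") }

# 2b. User risk high requires a password change. Graph requires 'passwordChange' to be
#     combined (AND) with 'mfa', so the user proves who they are before resetting.
New-ReportOnlyCaPolicy -DisplayName "CA003 - User risk high requires password change" `
    -Conditions    @{ userRiskLevels = @("high") } `
    -GrantControls @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
```

After the report-only period, review the Conditional Access report-only results in the sign-in logs, then update each policy's state to 'enabled' with Update-MgIdentityConditionalAccessPolicy.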
3. Defender for Office 365 anti-phishing
If you have any Defender for Office 365 license (Plan 1 or Plan 2, or Microsoft 365 Business Premium), the anti-phishing policy is not configured to its strongest settings out of the box. Specifically:
- Mailbox intelligence: enable and set 'move to Junk' or 'quarantine' for impersonation attempts
- User impersonation: add the 5 to 10 most-impersonated users in your org (CEO, CFO, finance lead)
- Domain impersonation: add your own domains and any look-alike domains you have seen
- Spoof intelligence: enable, with the action set to 'quarantine'
4. Safe Links and Safe Attachments
Safe Links rewrites URLs in email and Teams so that they pass through Microsoft scanning at click time, which catches time-of-click attacks whose links look benign at delivery. Safe Attachments detonates attachments in a sandbox before delivery. Both are enabled by default on new tenants, but the default policy has a notable gap: it does not cover links clicked from within the Office apps (Word, Excel, PowerPoint). Enable the 'Office 365 Apps' setting in the Safe Links policy to close that gap.
5. Audit log retention: extend it now
The unified audit log retains 90 days by default on the lower SKUs and 1 year on E5. The first thing any incident responder asks for is 90+ days of audit data. The first thing every incident responder discovers is that the breach started 91 days ago. If you have any version of Audit (Premium), set the retention to at least 1 year, and ideally to the maximum your license allows. If you do not have Audit Premium, export and archive the unified audit log monthly to your SIEM or to immutable blob storage.
What about MFA?
Yes, obviously. We assumed you have MFA enforced for all users including admins, with phishing-resistant methods (FIDO2 keys or device-bound passkeys) for privileged accounts. If you do not, fix that before you do anything else on this list.
