Security Best Practices Using Only the Org Settings Portal
Microsoft 365 provides robust tools for businesses of all sizes, but with this power comes responsibility. Securing your tenant doesn’t always require premium licenses or access to multiple admin portals. You can significantly improve your organisation’s security posture using only the Microsoft 365 Admin Centre’s “Org Settings”.
This blog walks you through the most important security settings available directly within the Org Settings tab, so that your environment is hardened without needing to touch the Exchange Admin Centre, Entra ID, Microsoft Defender XDR, or Microsoft Purview. This guide is specifically tailored to what’s available under the “Org Settings” section.
Enable Modern Authentication (Disable Legacy Auth)
Path: Org Settings → Services → Modern Authentication
Legacy authentication protocols (like POP, IMAP, and SMTP Auth) are notoriously insecure because they don’t support modern security features like Multi-Factor Authentication (MFA). Disable them unless necessary.
Best practices:
- Enable modern authentication
- Disable:
  - POP
  - IMAP
  - SMTP Auth
  - MAPI over HTTP
Why it matters: This blocks attackers from exploiting outdated protocols to bypass security.
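The Org Settings toggles above can be verified from the command line as well. This is an added example, not part of the original post: it reports where basic authentication is still reachable, using the ExchangeOnlineManagement module, and assumes you have already run Connect-ExchangeOnline as an Exchange administrator.

```powershell
# Added example, not from the original post: report where legacy (basic) authentication
# is still reachable. Assumes Connect-ExchangeOnline has already been run.
function Get-LegacyAuthFindings {
    $findings = @()

    # Tenant-wide switches: modern (OAuth) auth must be on, SMTP AUTH should be off
    if (-not (Get-OrganizationConfig).OAuth2ClientProfileEnabled) {
        $findings += 'Modern authentication (OAuth2ClientProfileEnabled) is off for the tenant'
    }
    if (-not (Get-TransportConfig).SmtpClientAuthenticationDisabled) {
        $findings += 'SMTP AUTH is enabled tenant-wide'
    }

    # Mailbox plans hold the defaults that every new mailbox inherits
    foreach ($plan in Get-CASMailboxPlan) {
        if ($plan.PopEnabled -or $plan.ImapEnabled) {
            $findings += "Mailbox plan '$($plan.Name)' still enables POP/IMAP for new mailboxes"
        }
    }

    # Existing mailboxes: POP/IMAP on, or a per-mailbox override that re-enables SMTP AUTH.
    # SmtpClientAuthenticationDisabled is $null when the mailbox inherits the tenant
    # setting, so only an explicit $false is an override worth reporting.
    foreach ($mbx in (Get-CASMailbox -ResultSize Unlimited)) {
        $open = @()
        if ($mbx.PopEnabled)  { $open += 'POP' }
        if ($mbx.ImapEnabled) { $open += 'IMAP' }
        if ($mbx.SmtpClientAuthenticationDisabled -eq $false) { $open += 'SMTP AUTH (mailbox override)' }
        if ($open.Count -gt 0) {
            $findings += "$($mbx.PrimarySmtpAddress): $($open -join ', ')"
        }
    }
    return $findings
}

$findings = Get-LegacyAuthFindings
if ($findings) { $findings } else { 'No legacy authentication exposure found' }

# Remediation for the tenant-level items, once the findings have been reviewed:
#   Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
#   Set-TransportConfig -SmtpClientAuthenticationDisabled $true
#   Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false
```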
Set a Strong Password Expiration Policy
Path: Org Settings → Security & Privacy → Password expiration policy
Although Microsoft recommends modern password practices (like not requiring expiration), some environments may still benefit from controlled resets.
Recommended actions:
- Set passwords to never expire, or
- Define a rotation period (e.g., every 90 days)
Pro tip: Combine with MFA for best results if you choose “never expire.”
Fill Out Your Privacy Profile
Path: Org Settings → Security & privacy → Privacy profile
Your privacy profile communicates how your organisation handles user data, which is especially important for GDPR compliance and building trust with employees or customers.
Best practices:
- Include a link to your privacy statement
- Add a contact for data privacy-related queries
Control External Sharing in SharePoint & OneDrive
Path: Org Settings → Services → SharePoint
Files and folders shared outside the organisation can quickly become a security risk if unrestricted.
Best practices:
- Limit external sharing to the most restrictive settings possible
- Disable anonymous access links
- Require expiration dates on all shared links
- Set the default permission to access links to view
This ensures sensitive data isn’t floating around in the wild. Configure additional settings in the SharePoint admin centre.
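The same four settings can be checked against this baseline with the SharePoint Online Management Shell. This is an added example, not from the original post; it uses the Microsoft.Online.SharePoint.PowerShell module and assumes you have run Connect-SPOService against your admin URL (the `<tenant>` in the comment is a placeholder).

```powershell
# Added example, not from the original post: compare the tenant's SharePoint/OneDrive
# sharing settings with the baseline in the post.
# Assumes: Connect-SPOService -Url https://<tenant>-admin.sharepoint.com  (<tenant> = placeholder)
function Test-SpoSharingBaseline {
    $t = Get-SPOTenant
    $findings = @()

    # 'ExternalUserAndGuestSharing' permits 'Anyone' links; 'ExternalUserSharingOnly'
    # requires guests to authenticate; 'Disabled' blocks external sharing completely
    if ($t.SharingCapability -eq 'ExternalUserAndGuestSharing') {
        $findings += 'Anonymous (Anyone) sharing links are allowed'
    }
    # The link type pre-selected in the sharing dialog
    if ($t.DefaultSharingLinkType -eq 'AnonymousAccess') {
        $findings += 'Default sharing link type is Anyone (anonymous)'
    }
    # New links should default to view, not edit
    if ($t.DefaultLinkPermission -ne 'View') {
        $findings += "Default link permission is '$($t.DefaultLinkPermission)' instead of View"
    }
    # -1 means anonymous links never expire
    if ($t.RequireAnonymousLinksExpireInDays -lt 1) {
        $findings += 'Anonymous links have no expiration'
    }
    return $findings
}

$findings = Test-SpoSharingBaseline
if ($findings) { $findings } else { 'Sharing settings meet the baseline' }

# Hardening to the baseline (choose the SharingCapability your collaboration needs allow):
#   Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
#                 -DefaultSharingLinkType Internal `
#                 -DefaultLinkPermission View `
#                 -RequireAnonymousLinksExpireInDays 30
```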
Lock Down Microsoft Forms External Access
Path: Org Settings → Services → Microsoft Forms
Microsoft Forms is useful, but attackers can abuse it for phishing or data harvesting when left wide open.
Best practices:
- Enable phishing protection
- Restrict responses to internal users only
This prevents public submission abuse or phishing distribution.
Manage Microsoft Teams Guest Access
Path: Org Settings → Services → Microsoft Teams
Collaboration is key, but not at the expense of security: limit who can access Teams conversations and shared documents.
Best practices:
- Disable or tightly control guest access
- Restrict file and screen sharing for guests
This controls who can join your internal teams and access internal communications.
Tighten Calendar Sharing Options
Path: Org Settings → Services → Calendar
While calendar transparency is convenient, exposing your availability or meeting content externally can be a threat.
Best practices:
- Limit sharing capabilities
- Restrict external sharing to specific users
Limits exposure of sensitive meeting details and employee availability.
Control Sharing and Content Allowed for Sway
Path: Org Settings → Services → Sway
Use licenses to restrict Sway access to individual users.
Best practices:
- Restrict sharing to the most restrictive settings available.
- Turn off any content sources that are not required.
Avoids unintentional data or policy breaches through external reports and presentations.
Enable the Privileged Access Default Approval Group
Path: Org Settings → Security & Privacy → Privileged access
Over-assigning global administrator rights is a huge security risk. Instead, apply least-privilege principles. When someone submits a request to access a privileged task, the default approval group you choose can approve or deny it.
Best Practices:
- Use role-based access control (RBAC).
- Assign roles like:
  - Exchange Admin
  - Teams Admin
  - Billing Admin
- Limit Global Admin to 2–3 accounts maximum.
It helps protect your organisation from breaches exploiting privileged admin accounts with standing access to sensitive data or critical settings.
Restrict Sharing Outside the Organisation
Path: Org Settings → Services → Sharing
Restricting sharing across M365 ensures that sensitive content doesn’t leave your organisation unnoticed.
Best Practice:
- Uncheck “Let users add new guests to the organisation” so that only admins can add guest users
Also review SharePoint sharing settings and learn more about guests.
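The “Privileged access”, “Restrict Sharing Outside the Organisation” and “Password expiration policy” settings above all surface in Microsoft Graph, so one read-only audit can cover them. This is an added example, not from the original post; it uses the Microsoft Graph PowerShell SDK and assumes a Connect-MgGraph session with the scopes named in the comment.

```powershell
# Added example, not from the original post: read-only audit of standing Global Administrators,
# the guest-invite setting behind 'Let users add new guests to the organisation', and the
# per-domain password expiration policy.
# Assumes: Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All',
#                                  'Policy.Read.All','Domain.Read.All'
function Get-TenantIdentityFindings {
    param([int]$MaxGlobalAdmins = 3)   # the post's recommended ceiling of 2-3 accounts
    $findings = @()

    # 1. Active Global Administrator assignments (PIM-eligible assignments are not listed here)
    $role   = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
    $admins = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)
    $names  = $admins | ForEach-Object {
        $p = $_.AdditionalProperties
        if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
    }
    if ($admins.Count -gt $MaxGlobalAdmins) {
        $findings += "$($admins.Count) standing Global Administrators (limit $MaxGlobalAdmins): $($names -join ', ')"
    }

    # 2. Guest invitations: 'everyone' is what the checked box leaves in place;
    #    'adminsAndGuestInviters' limits it to admins and the Guest Inviter role
    $authz = Get-MgPolicyAuthorizationPolicy
    if ($authz.AllowInvitesFrom -eq 'everyone') {
        $findings += 'All members may invite guests (allowInvitesFrom = everyone)'
    }

    # 3. Password validity per domain (informational); 2147483647 days is how 'never expire' is stored
    foreach ($d in Get-MgDomain) {
        $days = $d.PasswordValidityPeriodInDays
        $label = if (-not $days) { 'validity not set (e.g. federated domain)' }
                 elseif ($days -eq 2147483647) { 'never expire' }
                 else { "expire every $days days" }
        $findings += "$($d.Id): passwords $label"
    }
    return $findings
}

Get-TenantIdentityFindings

# Remediation for item 2, once the findings have been reviewed:
#   Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId authorizationPolicy `
#       -AllowInvitesFrom adminsAndGuestInviters
```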
Restrict Office Scripts to Specific Groups
Path: Org Settings → Services → Office Scripts
Office Scripts (in Excel for the web) let users automate workflows, which can be risky if misused.
Best Practices:
- Restrict access to specific groups or power users.
- Disable for general users unless business cases demand it.
Helps prevent abuse, accidental data loss, or scripting-based attacks.
Restrict Self-Service Trials and Purchases
Path: Org Settings → Services → Self-service trials and purchases
If set to Allow, users can start trials or purchase a product on their own, which introduces compliance or budgeting issues.
Best Practices:
- Set to “Allow trials only” so users can try a product but cannot buy it themselves.
- Set to “Do not allow” to disable self-service purchases entirely.
Prevents shadow IT and simplifies license auditing.
Restrict User-Owned Apps and Services Access
Path: Org Settings → Services → User owned apps and services
Users may access the Office Store and create Microsoft 365 trial accounts, which allow them to access applications not curated or managed by Microsoft.
Best Practices:
- Uncheck the options:
  - Office store access
  - Starting trials on behalf of your organisation
  - Auto-claim licenses
Helps control unauthorised purchases and license sprawl. See how to manage access to the Office Store.
Final Thought
Securing your Microsoft 365 environment doesn’t have to be complicated or expensive. With the Org Settings portal, you can enforce strong access controls, reduce external risks, and limit unnecessary data exposure.
As your organisation grows or your needs evolve, consider layering these controls with advanced tools like Microsoft Defender XDR, Microsoft Purview and Conditional Access policies.