
Microsoft 365 Security: How to Protect M365

NeoBit team, Jun 16, 2026

Microsoft 365 security does not come automatically with a subscription: by default, M365 is open and convenient, but not hardened. To protect email, files and identities across Exchange Online, SharePoint, OneDrive and Teams, you need to enable multi-factor authentication, set up Conditional Access policies, harden the default settings, roll out DLP, secure an independent backup and put monitoring in place. Below we explain how to do this concretely, in an order that makes sense, and where the most common mistakes lie that we see at companies in the region.

Our solution

Cyber protection for businesses - protecting cloud and IT environments. You do not have to do it alone; we handle it for your company. Request a free assessment.

Why Microsoft 365 security is a priority today

For most companies in Bosnia and Herzegovina, Croatia and Serbia, M365 has become the central hub of the business: email, contracts, quotes, finances and client communication all live there. That is precisely why it is also the first target for attackers. Compromising a single user account today is not merely an inconvenience; it can lead to payment fraud (for example, changing the IBAN on an invoice), data leakage and business disruption.

The issue is that the vast majority of incidents do not begin with sophisticated hacking, but with three very mundane things: phishing, weak or reused passwords, and excessive file sharing. The good news is that all three can be drastically reduced with settings that are already included in the licenses companies are paying for anyway.

Three risks that account for most incidents

  • Phishing and account takeover. A fake login page captures the password, and increasingly advanced attacks (adversary-in-the-middle) also steal the session token, thereby bypassing standard MFA.
  • Weak and reused passwords. The same password used on a leaked personal service means an attacker simply tries the combination (credential stuffing) and gets in.
  • Excessive sharing. Files and folders shared via an "Anyone with the link" link, external guests in Teams channels, and public SharePoint sites: data leaks out without a single attack.

MFA and Conditional Access: the foundation of protection

If you were to do only one thing, let it be multi-factor authentication (MFA) for all users, without exception. MFA blocks the overwhelming majority of password-based attacks because a stolen password is no longer enough on its own. But the way it is rolled out matters too.

The recommendation is to use the Microsoft Authenticator app (push approval or code) rather than SMS, because SMS is vulnerable to interception and SIM swapping. For administrators and sensitive roles, consider phishing-resistant methods (FIDO2 keys or Windows Hello), which an attacker cannot fool even with a fake page.

MFA is reinforced by Conditional Access, which decides who can access, from where and from which device. This way MFA is requested intelligently (for example, only from unknown locations or risky sign-ins) rather than constantly, which keeps users from being annoyed and tempted to work around the rules.

Concrete Conditional Access policies to start with

  • Require MFA for all users, while blocking legacy authentication protocols that do not support MFA.
  • Block or apply additional verification to sign-ins from countries the company never operates from.
  • Require a compliant or managed device for access to sensitive data.
  • Strengthen protection for administrator accounts: separate admin accounts, MFA with no exceptions, and ideally a phishing-resistant factor.
  • Restrict or control access from unmanaged, personal devices (for example, web only, with no file downloads).

An important warning: always test Conditional Access policies on a smaller group first, and keep one break-glass (emergency) administrator account excluded from the policies so you do not lock yourself out of your own tenant.
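The first two policies from the list above, expressed as Microsoft Graph PowerShell calls. This is an added example, not code from the NeoBit article or from Microsoft: it creates both policies in report-only mode and excludes one break-glass account, which is exactly the rollout order the warning above recommends. It assumes the Microsoft.Graph module is installed, that the signed-in admin holds the Conditional Access Administrator role, and that the break-glass UPN is a placeholder you replace with your own.

```powershell
# Added example (not from the NeoBit article): create the two starting
# Conditional Access policies with the Microsoft Graph PowerShell SDK.
# Both start in report-only mode so you can watch the sign-in log before enforcing.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Placeholder: replace with the UPN of your own emergency-access (break-glass) account.
$breakGlass = Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com"

# Policy 1: require MFA for every user on every cloud app.
$requireMfa = @{
    displayName = "CA001 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # report-only first, 'enabled' later
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication clients, which cannot satisfy an MFA prompt.
# 'exchangeActiveSync' and 'other' are the client app types that cover legacy protocols.
$blockLegacy = @{
    displayName = "CA002 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' state=$($created.State) id=$($created.Id)"
}

# Sanity check before switching any policy to 'enabled': every policy in the tenant
# that blocks or requires MFA must list the break-glass account under excludeUsers.
Get-MgIdentityConditionalAccessPolicy | ForEach-Object {
    $excluded = $_.Conditions.Users.ExcludeUsers -contains $breakGlass.Id
    "{0,-45} state={1,-35} breakGlassExcluded={2}" -f $_.DisplayName, $_.State, $excluded
}
```

Run it once against a pilot group first by replacing `includeUsers = @("All")` with a group (`includeGroups = @("<group-id>")`); after a week of clean report-only results, change `state` to `enabled`. The final loop is the check that matters: a policy that blocks sign-ins and does not exclude the emergency account is the lock-out scenario the warning describes.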

Hardening: tightening the default M365 settings

By default, M365 prioritizes simplicity, not security. Hardening means closing off what you do not need. The most important points:

  • Disable legacy authentication (POP, IMAP, basic auth) if you do not use it, since it is the main route for bypassing MFA.
  • Restrict self-service app registrations and OAuth consents. Rogue apps requesting access to email are an increasingly common vector; route approval through an administrator.
  • Set up policies against external fraud: warnings on emails from outside the organization, and blocking automatic forwarding of mail to external addresses (a frequent sign of compromise).
  • Tighten sharing in SharePoint and OneDrive: default to the organization or named guests, and disable "Anyone" links or set an expiration date on them.
  • Govern guests in Teams and Entra ID: who may invite them, how long they last, and clean out old ones regularly.
  • Track Microsoft Secure Score as a measurable indicator of progress, but do not treat it as an end in itself.
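Several of the hardening points above map directly to tenant settings. The following is an added example, not code from the NeoBit article or from Microsoft, using the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules; it assumes both are installed, that you hold the Exchange and SharePoint administrator roles, and that "contoso" is a placeholder tenant name.

```powershell
# Added example (not from the NeoBit article): apply the anti-forwarding,
# external-sender tagging, legacy-protocol and sharing points from the list above,
# then print the resulting settings so the change can be verified in one place.

Connect-ExchangeOnline
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# 1. Block automatic forwarding to external addresses at both layers:
#    the outbound spam policy (the control Microsoft recommends) and the remote domain.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Tag mail from outside the organization with the "External" marker in Outlook.
Set-ExternalInOutlook -Enabled $true

# 3. Turn off POP and IMAP on every mailbox that still has them enabled.
#    Do this only after confirming no scanner, app or script depends on them.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false

# 4. Sharing: no "Anyone" links tenant-wide, and new links default to people inside
#    the organization. If "Anyone" links must stay for a business reason, use instead:
#    Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing -RequireAnonymousLinksExpireInDays 30
Set-SPOTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Internal

# Verify.
[pscustomobject]@{
    AutoForwardingMode = (Get-HostedOutboundSpamFilterPolicy -Identity Default).AutoForwardingMode
    RemoteAutoForward  = (Get-RemoteDomain -Identity Default).AutoForwardEnabled
    ExternalTagging    = (Get-ExternalInOutlook).Enabled
    SharingCapability  = (Get-SPOTenant).SharingCapability
    DefaultLinkType    = (Get-SPOTenant).DefaultSharingLinkType
    PopOrImapStillOn   = @(Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.PopEnabled -or $_.ImapEnabled }).Count
}
```

The two forwarding settings are deliberately redundant: the outbound spam policy stops the forward at send time, while the remote-domain setting stops Exchange from honouring forwarding rules at all, so a compromised mailbox cannot quietly copy mail out even if one of the two is later relaxed. Step 3 is the mailbox-level complement to the Conditional Access policy that blocks legacy clients: the policy refuses the sign-in, this removes the protocol.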

DLP, backup and monitoring: what to do when something happens anyway

The previous steps reduce the likelihood of an incident. These three reduce the damage when one occurs.

DLP (data loss prevention)

Data Loss Prevention policies recognize sensitive data (for example, national ID numbers, card numbers, IBANs, contracts) and prevent it from being sent outside the company or warn the user. Start with a few clear policies in warning mode, and only then move to blocking, so you do not halt legitimate business on day one.

Backup: yes, M365 needs a backup too

A common and dangerous misconception is that Microsoft keeps all of your data forever. Microsoft takes care of infrastructure availability, but for your data the shared responsibility model applies. If a user (or an attacker) deletes email or files, the data is permanently lost once the short retention periods expire. Ransomware or a disgruntled employee can do serious damage. That is why we recommend an independent third-party backup of Exchange, SharePoint, OneDrive and Teams, with tested data recovery.

Monitoring and response

Security that no one watches is only half of the job. Enable audit logs, monitor risky sign-ins and impossible travel (a login from Mostar followed 10 minutes later by one from another country), failed MFA prompts and suspicious mail rules. Ideally these signals feed into a SOC that monitors them 24/7 and responds before a minor incident turns into a major one.
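The "suspicious mail rules" signal mentioned above is one of the few you can sweep for yourself without a SIEM, because a rule that forwards, redirects or silently deletes mail is the usual trace an attacker leaves after taking over a mailbox. The following is an added example, not code from the NeoBit article or from Microsoft: a read-only sweep of Exchange Online that lists mailbox-level forwarding and inbox rules with those characteristics. It assumes the ExchangeOnlineManagement module is installed and that the account running it may read every mailbox's rules (for example, the Exchange Administrator role). Risky sign-ins and impossible travel come from Entra ID Protection, a separate feed not covered here.

```powershell
# Added example (not from the NeoBit article): sweep Exchange Online for
# forwarding and hiding rules, the classic persistence traces after account takeover.
# Read-only: it reports, it does not change anything.

Connect-ExchangeOnline

$findings = [System.Collections.Generic.List[object]]::new()
$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding, which users do not see in Outlook and which an
#    attacker with admin rights (or a careless admin) can set directly.
foreach ($mbx in $mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress }) {
    $findings.Add([pscustomobject]@{
        Mailbox = $mbx.PrimarySmtpAddress
        Type    = "MailboxForwarding"
        Detail  = "to=$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress) keepCopy=$($mbx.DeliverToMailboxAndForward)"
    })
}

# 2. Inbox rules that send mail outward or that delete / bury it. Hiding rules are
#    how attackers suppress the bank's or the victim's replies during payment fraud;
#    the folder pattern is a heuristic, tune it to your environment.
foreach ($mbx in $mailboxes) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        $external = $targets -join ";"
        $hides    = $rule.DeleteMessage -or ($rule.MoveToFolder -match 'RSS|Junk|Conversation History')
        if ($external -or $hides) {
            $findings.Add([pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Type    = if ($external) { "InboxRuleForward" } else { "InboxRuleHide" }
                Detail  = "rule='$($rule.Name)' enabled=$($rule.Enabled) to=$external delete=$($rule.DeleteMessage) folder=$($rule.MoveToFolder)"
            })
        }
    }
}

$findings | Sort-Object Type, Mailbox | Format-Table -AutoSize
```

Every line in the output deserves a conversation with the mailbox owner. A legitimate "forward to my assistant" rule will be obvious; a rule named "." or ".." that redirects mail to an outside address and marks it read is not. Schedule the sweep (daily is reasonable for a small tenant) and diff the output against the previous run, so that only new findings need attention; once auto-forwarding is blocked at the tenant level as described under hardening, the forwarding rules stop working, but they still reveal which accounts were touched.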

Summary: what, with what, and how urgently

| Measure | What it addresses | Priority |
|---|---|---|
| MFA for everyone | Password theft, account takeover | Immediately |
| Conditional Access | Risky sign-ins, unmanaged devices | Immediately |
| Disabling legacy auth | Bypassing MFA | High |
| Sharing controls | Data leakage, external guests | High |
| DLP policies | Sending sensitive data out | Medium |
| Independent backup | Deletion, ransomware, human error | High |
| Monitoring / SOC | Timely incident detection | Ongoing |

How NeoBit helps with Microsoft 365 security

At NeoBit we do exactly what is described above, but tailored to your company and without disrupting the business. We start with an assessment of your M365 tenant: we review the Secure Score, MFA coverage, Conditional Access, sharing settings, admin roles and existing backup, and you receive a clear report with priorities and concrete steps. We then help with rolling out MFA and policies, hardening, DLP and independent backup, and through our SOC we can also take over monitoring and response 24/7.

If you want to know how exposed your Microsoft 365 actually is and which three things you should fix first, get in touch for a free introductory assessment. It is better to close the gaps today than to explain an incident to your clients tomorrow.

Frequently asked questions

Is MFA enough to protect Microsoft 365?

MFA is the single most important step and blocks the vast majority of password-based attacks, but it is not enough on its own. More advanced phishing can steal the session token and thus bypass standard MFA. That is why MFA should be combined with Conditional Access, disabling legacy authentication, sharing controls and monitoring, and administrators should use phishing-resistant sign-in methods.

Do I need a separate backup for Microsoft 365?

Yes. Microsoft guarantees the availability of its infrastructure, but for your data the shared responsibility model applies. Deleted email, files or the effects of ransomware become permanently unrecoverable once the short retention periods pass. An independent third-party backup of Exchange, SharePoint, OneDrive and Teams, with tested recovery, is the only reliable way to recover.

What is Conditional Access and does my company need it?

Conditional Access is a set of policies in Entra ID (Azure AD) that decides who can access M365, from where and from which device, and when additional verification is required. It is useful for companies of all sizes because it allows MFA to be requested intelligently, risky sign-ins to be blocked, and sensitive data to be accessed only from trusted devices.

How quickly can M365 security be improved?

The basic and most effective measures, such as MFA for everyone, disabling legacy authentication and the first Conditional Access policies, are usually rolled out within a few days, with careful testing so that no one gets locked out. Hardening, DLP and backup are added in the following steps. Through its introductory assessment, NeoBit defines a realistic plan and sequence based on your risk.

Related guides: Cyber security in Bosnia and Herzegovina - the complete guide · Zero Trust: never trust, always verify