Microsoft 365 Security Questions & Answers
Get expert answers to common questions about Microsoft 365 and Entra ID security. Learn best practices for authentication, privileged access, compliance, and more.
Privileged Access
How many Global Admin accounts should I have in Microsoft 365?
Microsoft recommends 2-4 Global Admin accounts per tenant. Having fewer than 2 creates risk if one account is locked out. Having more than 4 unnecessarily expands your attack surface.
What is a break-glass account in Microsoft 365?
A break-glass (or emergency access) account is a highly privileged account used only during emergencies when normal admin accounts are unavailable. It should be excluded from Conditional Access and use a long, complex password stored securely offline.
What is Privileged Identity Management (PIM) in Microsoft Entra ID?
Privileged Identity Management (PIM) is an Entra ID feature that provides just-in-time privileged access, time-limited role assignments, and approval workflows for sensitive roles. It reduces the risk of standing admin access.
Conditional Access
Authentication
What is legacy authentication and why should I block it?
Legacy authentication refers to older protocols and clients (IMAP, SMTP, POP3, and older Office client versions) that do not support MFA. Blocking legacy auth is critical because attackers use it to bypass MFA and compromise accounts through credential stuffing.
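Before blocking legacy authentication, a practitioner usually wants to know which users still depend on it and which accounts are being hammered through it. The following added example (not from the original page) triages sign-in records whose shape is modelled on the Microsoft Graph `signIn` resource; the records, user names and the `LEGACY_CLIENT_APPS` grouping are constructed assumptions for illustration.

```python
"""Triage Entra ID sign-in records for legacy-authentication use.

Added example, not from the original page. Records mirror the shape of the
Microsoft Graph `signIn` resource (userPrincipalName, clientAppUsed, status);
the sample records below are constructed, not real log output.
"""
from collections import defaultdict

# clientAppUsed values that Entra reports for legacy (non-modern) protocols.
# Conditional Access groups these under "Exchange ActiveSync" and "Other clients".
# Assumed set for this example; confirm against your own tenant's sign-in logs.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Other clients", "IMAP4", "POP3", "Authenticated SMTP",
    "MAPI Over HTTP", "Exchange Web Services", "Outlook Anywhere (RPC over HTTP)",
    "Autodiscover", "Offline Address Book", "Exchange Online PowerShell",
}

SAMPLE_SIGNINS = [  # constructed sample records; errorCode 50126 = bad credentials
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
]

def is_legacy(signin):
    """True when the sign-in used a legacy protocol that cannot enforce MFA."""
    return signin.get("clientAppUsed") in LEGACY_CLIENT_APPS

def legacy_auth_summary(signins):
    """Per user: {protocol: {"success": n, "failure": n}} for legacy-auth sign-ins.

    Successful entries show who still depends on a legacy protocol (what will
    break when it is blocked); repeated failures on a legacy protocol are the
    credential-stuffing pattern that blocking legacy auth shuts out.
    """
    summary = defaultdict(lambda: defaultdict(lambda: {"success": 0, "failure": 0}))
    for s in signins:
        if not is_legacy(s):
            continue
        outcome = "success" if s.get("status", {}).get("errorCode", 0) == 0 else "failure"
        summary[s["userPrincipalName"]][s["clientAppUsed"]][outcome] += 1
    return {user: dict(protocols) for user, protocols in summary.items()}

if __name__ == "__main__":
    for user, protocols in legacy_auth_summary(SAMPLE_SIGNINS).items():
        print(user, protocols)
```

Running it shows alice's IMAP4 use (a dependency to migrate before blocking) and three failed Authenticated SMTP attempts against bob (the pattern the block removes).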
What is Security Defaults in Microsoft 365?
Security Defaults is a free security baseline that enables MFA for all users, blocks legacy authentication, and requires MFA for admin roles. It is recommended for organizations without Conditional Access licenses but provides less flexibility.
What is phishing-resistant MFA and why does it matter?
Phishing-resistant MFA uses cryptographic authentication (FIDO2 keys, Windows Hello) that cannot be phished or intercepted. Unlike SMS or push notifications, the authentication is bound to the legitimate site and cannot be replayed by attackers.