Protect user and device access

Protecting access to your Microsoft 365 data and services is crucial to defending against cyberattacks and guarding against data loss. The same protections can be applied to other SaaS applications in your environment and even to on-premises applications published with Azure Active Directory Application Proxy.


If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Step 1: Review recommendations

Review the recommended capabilities for protecting identities and devices that access Office 365, other SaaS services, and on-premises applications published with Azure AD Application Proxy. The summary diagram is available as a PDF or Visio download, and in more languages.

Step 2: Protect administrator accounts and access

The administrative accounts you use to administer your Microsoft 365 environment have elevated privileges, which makes them valuable targets for attackers.

Begin by using administrator accounts only for administration. Admins should have a separate user account for regular, non-administrative use and only use their administrative account when necessary to complete a task associated with their job function.

Protect your administrator accounts with multi-factor authentication and conditional access. For more information, see Protecting administrator accounts.

Next, configure Microsoft Purview Privileged Access Management. Privileged access management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that may use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings.

Another top recommendation is to use workstations specifically configured for administrative work: dedicated devices that are used only for administrative tasks. See Securing privileged access.

Finally, you can mitigate the impact of being inadvertently locked out of administrative access by creating two or more emergency access accounts in your tenant. See Manage emergency access accounts in Azure AD.

Step 3: Configure recommended identity and device access policies

Multi-factor authentication (MFA) and conditional access policies are powerful tools for mitigating compromised accounts and unauthorized access. We recommend implementing a set of policies that have been tested together. For more information, including deployment steps, see Identity and device access configurations.

These policies implement the following capabilities:

  • Multi-factor authentication
  • Conditional access
  • Intune app protection (app and data protection for devices)
  • Intune device compliance
  • Azure AD Identity Protection

Implementing Intune device compliance requires device enrollment. Managing devices allows you to ensure that they are healthy and compliant before allowing them access to resources in your environment. See Enroll devices for management in Intune.
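The admin-account protections from Step 2 (MFA plus conditional access, with emergency access accounts kept out of the policy) can be expressed as one conditional access policy of the kind Step 3 describes. The following is an added example using the Microsoft Graph PowerShell SDK, not code from the Microsoft article; the role names, the policy name and the emergency account UPNs (contoso.example) are placeholders to replace with your own.

```powershell
# Added example (not from the Microsoft article): create a report-only Conditional Access
# policy that requires MFA for privileged directory roles and excludes the emergency access
# accounts so a CA or MFA outage can never lock every admin out of the tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All"

# Roles to cover. Role template IDs are resolved at runtime instead of hard-coding GUIDs.
$roleNames = @("Global Administrator", "Exchange Administrator", "SharePoint Administrator",
               "Security Administrator", "User Administrator")
[string[]]$roleIds = @(Get-MgDirectoryRoleTemplate |
    Where-Object { $roleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id)
if ($roleIds.Count -ne $roleNames.Count) { throw "Not every role name resolved to a template ID." }

# Emergency access ("break glass") accounts; placeholder UPNs, replace with your own.
$breakGlassUpns = @("emergency1@contoso.example", "emergency2@contoso.example")
[string[]]$breakGlassIds = @(foreach ($upn in $breakGlassUpns) {
    $user = Get-MgUser -Filter "userPrincipalName eq '$upn'"
    if (-not $user) { throw "Emergency access account $upn not found; refusing to create policy." }
    $user.Id
})

$policy = @{
    displayName   = "Require MFA for privileged roles"
    # Report-only first: sign-in logs show what would have been blocked before you enforce.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeRoles = $roleIds
            excludeUsers = $breakGlassIds
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

After reviewing the report-only results in the Azure AD sign-in logs, switch `state` to `enabled` to enforce the policy.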

Step 4: Configure SharePoint device access policies

Microsoft recommends that you protect SharePoint sites that hold sensitive or highly regulated content with device access controls. For more information, see Policy recommendations for securing SharePoint sites and files.