Cloud Security

Cloud Security: Protect Your Microsoft 365, Azure, and SaaS Applications

Cloud security services protect your Microsoft 365, Azure, and SaaS environments through identity monitoring, conditional access policies, and security posture management. Vigil Cyber hardens your cloud configuration, enforces multi-factor authentication, and monitors for account takeover — ensuring your cloud is as secure as your on-premises network.

Cloud Doesn't Mean Secure — It Means Shared Responsibility

Microsoft secures the Azure and Microsoft 365 infrastructure. You are responsible for everything that runs on it — your data, your identities, your configurations, and your applications. This Shared Responsibility Model means that the most common cloud breaches are not Microsoft's failures — they are customer misconfigurations, overprivileged accounts, and absent monitoring. Vigil Cyber closes the gap that the Shared Responsibility Model leaves open.

  • 82% (Breaches Involve Cloud Assets): The majority of successful breaches now involve cloud-hosted data or applications.
  • #1 (Misconfiguration as Root Cause): Cloud misconfiguration is the leading cause of cloud security incidents, ahead of external attacks.
  • 197 Days (Average Dwell Time in Cloud): Cloud environment compromises go undetected for months without continuous monitoring.

Common Cloud Threats

How Cloud Environments Get Compromised

Identity and Credential Compromise

Phished M365 credentials give attackers full access to email, files, Teams, and any connected SaaS application. Without conditional access policies, a compromised account can be used from anywhere in the world — including attacker infrastructure.

Misconfigured Cloud Storage and Permissions

SharePoint sites, Teams channels, and Azure storage accounts with overly permissive access controls expose sensitive data to unauthorized internal users and, in misconfiguration cases, to the public internet.

Malicious OAuth Application Grants

Attackers trick users into granting OAuth permissions to malicious third-party applications that silently read email, access files, and exfiltrate data — without ever needing the user's password.

Privilege Escalation in Entra ID

Overprivileged service accounts, guest users with excessive permissions, and dormant admin accounts are exploited by attackers who have gained initial access to escalate to Global Admin and take full control of the M365 tenant.

Our Approach

Posture Management Plus Continuous Monitoring

Cloud security requires two parallel disciplines: hardening your environment against known misconfigurations, and continuously monitoring for the threats that hardening alone cannot stop. We deliver both.

Cloud Security Posture Management (CSPM) continuously scans your Microsoft 365 and Azure configuration against security benchmarks — CIS Controls, Microsoft Secure Score, and NIST — and surfaces misconfiguration risks before attackers find them.

Monitoring ingests sign-in logs, audit logs, and security alerts to detect identity-based attacks, data exfiltration, and tenant compromise in real time — providing the SOC visibility that CSPM alone cannot deliver.

Microsoft 365

Microsoft 365 Security Hardening

Microsoft 365 ships with security defaults that are designed for ease of use, not security-first operation. Every organization using M365 has configuration gaps that create risk — most don't know where they are.

Microsoft Secure Score Optimization

Posture Management and Benchmarking

Identify and close the configuration gaps that put your M365 tenant at risk.

Microsoft Secure Score measures your M365 configuration against security best practices. We systematically address Secure Score recommendations in priority order — focusing on the high-impact, low-friction changes first — and maintain your score as Microsoft adds new recommendations over time.

Conditional Access Policy Management

Identity-Based Access Control

Enforce MFA, device compliance, and location-based access across all M365 services.

Conditional access policies are the most powerful security control in Microsoft 365 — and among the most commonly misconfigured. We design, implement, and maintain CA policy sets that enforce MFA for all users, require compliant devices for sensitive data access, block legacy authentication protocols, and restrict access from high-risk locations and sign-in conditions.

Entra ID Identity Protection

Sign-In Risk and User Risk Monitoring

Detect and respond to compromised accounts before attackers achieve persistence.

Entra ID Identity Protection uses Microsoft's threat intelligence to assign risk scores to sign-in events and user accounts based on behavioral signals. We configure Identity Protection policies to enforce step-up authentication or block access when risk scores exceed thresholds — automatically containing account compromises that human analysts might not catch in time.

SOC Monitoring — M365 Audit Logs

Continuous Cloud Activity Monitoring

Detect data exfiltration, account takeover, and admin permission abuse in real time.

M365 Unified Audit Logs capture every action taken in your tenant — file downloads, mail forwarding rule creation, admin role assignments, OAuth app grants, and external sharing events. Our SOC ingests and analyzes these logs continuously, alerting on activity patterns that indicate account compromise or data theft in progress.

SaaS Application Security

Shadow IT and OAuth Permission Management

Inventory every SaaS app connected to your tenant and revoke unauthorized access.

Users grant OAuth permissions to dozens of applications over time — productivity tools, file converters, AI assistants — and most organizations have no visibility into what permissions these apps hold or whether they are still in use. We inventory all OAuth app grants, assess permission risk levels, revoke unauthorized or overprivileged applications, and establish an app governance policy going forward.

Privileged Identity Management

Just-in-Time Admin Access

Eliminate standing admin privileges that make compromised accounts catastrophic.

Permanent Global Admin accounts are a critical risk — if compromised, they hand an attacker complete control of your M365 tenant. Entra ID Privileged Identity Management (PIM) implements just-in-time admin access: admins request elevated privileges for specific tasks, privileges are time-limited, and all activations are logged and reviewed. We configure and operate PIM as part of our cloud security service.

Azure Security

Azure Infrastructure and Cloud Workload Protection

Azure provides powerful security tooling — Microsoft Defender for Cloud, Azure Policy, Entra ID Privileged Identity Management — but these tools require expertise to configure and ongoing management to keep current. We operate your Azure security posture so your team can focus on what runs on the platform, not the security of the platform itself.

For organizations migrating workloads to Azure, we conduct security architecture reviews at the design stage — not after deployment — so security is built in rather than bolted on.

Azure Security Capabilities We Deliver

  • Microsoft Defender for Cloud configuration and alert monitoring
  • Azure Policy assignment and compliance reporting
  • Network Security Group rule review and hardening
  • Azure Key Vault access policy management
  • Storage account public access audit and remediation
  • Virtual machine security baseline configuration
  • Azure AD (Entra ID) B2B guest user access review
  • Resource lock configuration for critical assets
  • Diagnostic log enablement and centralized SIEM forwarding
  • Azure Security Benchmark compliance gap analysis

Identity and SaaS

Identity Protection and SaaS Application Security

Identity is the new perimeter. When attackers compromise credentials, they become legitimate users — and most organizations have no visibility into what those legitimate-looking sessions are actually doing.

  • Multi-factor authentication enforcement for all users
  • Legacy authentication protocol blocking (Basic Auth, SMTP Auth)
  • Sign-in risk policy configuration and monitoring
  • User risk policy with automatic password reset enforcement
  • Guest user access review and lifecycle management
  • Service principal and app registration permission audit
  • Admin role assignment review and least-privilege enforcement
  • Break-glass emergency access account configuration
  • Cross-tenant access policy configuration
  • Entra ID audit log monitoring for privilege escalation
  • Suspicious mail forwarding rule detection and alerting
  • OneDrive and SharePoint external sharing policy enforcement

Cloud Data Loss Prevention

Microsoft 365 Purview DLP policies prevent sensitive data from leaving your environment via email, Teams, SharePoint, and OneDrive. We configure and tune DLP policies that protect regulated data — PII, financial information, health records — without creating excessive friction for legitimate business workflows.

DLP alerts are monitored by our SOC team, and policy violations are reviewed to distinguish data exfiltration from legitimate business transfers.

Get a Cloud Security Assessment

Our cloud security assessment covers your Microsoft 365 Secure Score, Entra ID configuration, Azure policy compliance, conditional access gaps, and SaaS application permissions. You receive a prioritized remediation roadmap, not just a findings list.

  • Microsoft 365 Secure Score gap analysis
  • Conditional access policy coverage review
  • Entra ID configuration and privilege audit
  • OAuth app permission inventory
  • Azure security posture review
  • Prioritized remediation roadmap


Ready to Secure Your Business?

Get a free security assessment and discover how Vigil Cyber can protect your organization for a fraction of the cost of building an internal team.

  • 24/7 SOC Coverage
  • <1hr Response Time
  • 99.9% Uptime SLA