How to Keep Your Microsoft 365 Account Secure


If your company uses Microsoft 365 for email, Office apps, and other services, it’s important to make sure your Microsoft account is protected. There’s a lot of information behind it that you don’t want outside parties to access.

Let’s go over some of the ways to increase the strength of your Microsoft 365 account security. Be aware that these options may differ depending on your environment’s setup.

1. Set a Strong Password

As we’ve discussed before, one of the most important ways to keep any account safe is by protecting it with a strong password. The password that protects your email is particularly important, since a nefarious party could use it to reset the passwords for other accounts.

To change your Microsoft 365 account password, head to your Microsoft 365 account page and log in with your credentials if needed. On the overview screen, you’ll see a number of tiles; select Change Password under Password.

[Screenshot: Microsoft 365 account Change Password menu]

Here, enter your Old password, then a new password twice. Your new password needs to be at least 8 characters, but can go up to 256. Be sure to use one that you don’t use on any other sites.

We strongly recommend that you start using a password manager if you don’t already. These tools allow you to create unique, complex passwords for every site and lock them all behind one master password.

2. Add Recovery Login Methods

If you ever forget your password or otherwise lose access to your account, it’s easier to get back in when you have up-to-date recovery info on your account. To check yours, click Update Info under Security Info on the overview page.

Here, you’ll see all the methods that you can use to sign into your Microsoft 365 account or reset your password if you get locked out. If you no longer use any of them, click Delete to remove the link to your account. Make sure that the Default sign-in method is correct, too.

Choose Add method to add another secondary email address or phone number, then walk through the steps to confirm it.

[Screenshot: Microsoft account Security Info methods]

If you think someone else has access to your account, or you no longer have a device where you were logged into your Microsoft account, choose Sign out everywhere to close all active sessions. You’ll have to log in again everywhere to access your account.

3. Enable Two-Factor Authentication

One of the options on the above menu is particularly important. You should set up two-factor authentication if you don’t already use it for your Microsoft account. As we’ve discussed before, this vital security option requires something you have—usually a code from your phone—to log in, in addition to your password.

To add a 2FA method to your Microsoft 365 account, head back to the Update Info page as discussed above. Click Add method, followed by Authenticator app or Alternate phone.

We recommend using an authenticator app to generate codes since they work anywhere and are more secure, but getting codes via phone is better than nothing. If you choose Authenticator app, you’ll be guided through installing Microsoft Authenticator (or another 2FA app, like Duo) and scanning a QR code to add this security to your account.

[Screenshot: Microsoft 365 Add method dialog for 2FA]

If you add another phone number, you’ll need to enter a code sent via call or text to confirm it’s yours. Once you have 2FA set up, you’ll need to enter the code from your phone after successfully entering your password upon login.

4. Check Active Devices

Next, you should also check the Manage Devices menu under Devices to see which of your organization’s devices you’re logged into.

[Screenshot: Microsoft 365 Manage Devices list]

Disable any devices you no longer use here. If you see a deactivated device that should be active, talk to your IT team to fix the issue.

5. Review Recent Sign-Ins

Your Microsoft account keeps a record of all login activity, which is an important security tool. Click Review Recent Activity under My sign-ins to take a look.

Each entry shows a broad location, the browser and operating system used, and which app was signed into. You’ll see Successful sign-in next to any attempt that logged in without a problem.

[Screenshot: Microsoft 365 account recent sign-in activity]

If someone tried to break into your account and failed, take note of this. It’s not a bad idea to take a screenshot of this and let your IT admin know. And in case you see a login that succeeded but wasn’t you, click Looks unfamiliar? Secure your account to walk through some steps to resolve the issue.
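The review in this step can be turned into a repeatable check rather than a glance at the page. The following is an added example (not part of the original article, and not an official Microsoft export format): a small script that runs over constructed sign-in records carrying the same fields the portal shows (location, OS, browser, app, status) and flags the three things worth escalating to your IT admin: repeated failed attempts from one location, a successful sign-in from a location you don’t recognise, and a success that follows earlier failures from the same place. The sample records and the list of known locations are invented for the demonstration.

```python
from collections import Counter
from typing import Dict, List, Set

# Constructed sample records, modelled on the fields the sign-in activity page
# displays. These are not real sign-in data.
SAMPLE_SIGNINS: List[Dict[str, str]] = [
    {"time": "2024-03-01T08:02:11Z", "location": "Denver, Colorado, US",
     "os": "Windows 11", "browser": "Edge", "app": "Outlook", "status": "Successful sign-in"},
    {"time": "2024-03-01T12:45:03Z", "location": "Denver, Colorado, US",
     "os": "iOS", "browser": "Safari", "app": "Microsoft Teams", "status": "Successful sign-in"},
    {"time": "2024-03-02T03:17:40Z", "location": "Lagos, Nigeria",
     "os": "Windows 10", "browser": "Chrome", "app": "Office 365", "status": "Unsuccessful sign-in"},
    {"time": "2024-03-02T03:18:02Z", "location": "Lagos, Nigeria",
     "os": "Windows 10", "browser": "Chrome", "app": "Office 365", "status": "Unsuccessful sign-in"},
    {"time": "2024-03-02T03:19:55Z", "location": "Lagos, Nigeria",
     "os": "Windows 10", "browser": "Chrome", "app": "Office 365", "status": "Successful sign-in"},
]

# Locations the account owner actually signs in from (constructed for the example).
KNOWN_LOCATIONS: Set[str] = {"Denver, Colorado, US"}


def review_signins(records: List[Dict[str, str]], known_locations: Set[str],
                   failure_threshold: int = 2) -> List[Dict[str, object]]:
    """Walk the records in time order and return a list of findings.

    Finding kinds:
      repeated_failures      - a location reached `failure_threshold` failed attempts
      unfamiliar_success     - a successful sign-in from a location not in `known_locations`
      success_after_failures - a success from a location that had failed earlier in the window
    """
    ordered = sorted(records, key=lambda r: r["time"])  # ISO-8601 UTC strings sort chronologically
    findings: List[Dict[str, object]] = []
    failures: Counter = Counter()

    for r in ordered:
        loc = r["location"]
        if r["status"] != "Successful sign-in":
            failures[loc] += 1
            if failures[loc] == failure_threshold:  # report once, when the threshold is first hit
                findings.append({"kind": "repeated_failures", "location": loc,
                                 "count": failure_threshold, "time": r["time"]})
            continue

        if loc not in known_locations:
            findings.append({"kind": "unfamiliar_success", "location": loc,
                             "app": r["app"], "os": r["os"], "time": r["time"]})
        if failures[loc] > 0:
            findings.append({"kind": "success_after_failures", "location": loc,
                             "prior_failures": failures[loc], "time": r["time"]})
    return findings


if __name__ == "__main__":
    for f in review_signins(SAMPLE_SIGNINS, KNOWN_LOCATIONS):
        print(f)
```

A success_after_failures finding is the one to act on first: failed attempts followed by a success from the same unfamiliar place is the pattern you would expect if a guessed or stolen password finally worked, and it is exactly the case where Looks unfamiliar? Secure your account, a password change, and Sign out everywhere all apply.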

6. Do a Full Audit of More Advanced Microsoft 365 Settings

There are many additional controls in Microsoft 365 that a professional can review to confirm that they meet your requirements. For example, additional malware filtering, phishing protection, and conditional access are all available.

These can help prevent someone from accidentally clicking a link and crypto-locking your computers.

Keep Your Microsoft 365 Account Protected

As we’ve seen, it only takes a few minutes to look over the security options on your Microsoft 365 account and confirm that everything looks right. It’s important to be proactive and set up the right protections ahead of time, as well as check in every so often to catch signs of malicious activity.

For more general tips, be aware of the ways that your password could be stolen so you don’t walk into a trap.
