M365 Security Architecture Cheatsheet
The secure-by-design baseline for a Microsoft 365 tenant: the architecture decisions across identity, conditional access, privileged access, data, endpoint, email, Sentinel, and posture. The decisions, not just the toggles. No account needed.
Security architecture is the set of decisions that determine whether a tenant is defensible, made deliberately and recorded, not assembled from defaults. This is the whole-tenant baseline: one layer at a time, the architecture decision that matters and why. It is the map; the deep single-domain references (identity, SOC, hunting) are the territory. Set against your own licensing and risk before applying.
Architecture thinking
A control is not an architecture. Enabling MFA is a feature; deciding which methods, for which users, enforced by which policy, with which exclusions and why, is architecture. Good security architecture records each significant decision as a tradeoff with a rationale (an architecture decision record), so that six months later the reason a control exists, or was deliberately not applied, is written down rather than reverse-engineered during an incident. The discipline matters because the dangerous configurations are rarely the ones someone chose; they are the defaults nobody decided about.
| Principle | In practice |
|---|---|
| Decide, do not default | Every security-relevant default is a decision deferred. Inventory the defaults and choose explicitly. |
| Record the decision | Capture the what, the why, and the rejected alternative. The rationale is the durable part. |
| Layer the controls | No single control holds. Identity, device, session, and data controls compound; design for one failing. |
| Assume breach | Architect so that a compromised credential or device is contained, not catastrophic. |
Identity and authentication architecture
Identity is the control plane, so its architecture is foundational: every other layer assumes the identity layer holds. The decisions here are the authentication methods you permit, how privileged and standard identities differ, and how external and non-human identities are modeled. Get this layer wrong and the rest of the architecture is built on sand, because an attacker with a valid identity inherits whatever the identity is trusted to do.
| Decision | The secure baseline |
|---|---|
| Authentication methods | Phishing-resistant (FIDO2, passkeys, certificate) for privileged; at minimum app-based MFA for all. Retire SMS and voice. |
| Legacy authentication | Blocked tenant-wide. It bypasses MFA entirely; there is no secure architecture that leaves it open. |
| Identity types | Human, guest, service principal, and workload identities modeled and governed separately, each has a different threat profile. |
| Hybrid vs cloud-only | Decide the source of authority. Hybrid extends on-prem compromise into the cloud; design the trust direction deliberately. |
The decision people skip is the non-human one. Service principals and workload identities authenticate with secrets and certificates that never expire unless someone sets them to, and they sit outside the MFA and conditional-access controls that govern users. An identity architecture that hardens human sign-in while leaving app credentials long-lived and unmonitored has secured the front door and left the loading dock open, which is exactly where mature attackers now go.
Conditional access architecture
Conditional access is where identity, device, and session signals become an access decision, so it is the architecture's enforcement point. The decision is not which policies to enable but how the policy set is structured: a small number of named policies with clear single intents, deployed in rings (report-only, then pilot, then broad) so their combined effect is understood before it is enforced. A CA estate that grew policy by policy without a structure becomes a set of rules nobody dares change.
| Decision | The secure baseline |
|---|---|
| Policy structure | Named, single-intent policies (require-MFA, require-compliant-device, block-legacy, risk-based). Not one monolith, not uncounted overlaps. |
| Deployment | Report-only, then pilot ring, then broad. Measure impact before enforcement. |
| Device trust | Require compliant or hybrid-joined device for sensitive access; tie access to a known device, not just a credential. |
| Exclusions | Minimal, documented, monitored. Every exclusion is a bypass; break-glass accounts are the only routine exception. |
| Session controls | Sign-in frequency and persistent-browser limits for high-value apps; continuous access evaluation enabled. |
Privileged access architecture
Privileged access is architected on the assumption that admin credentials are the prize and will be targeted. The model is tiered: privileged accounts are separate from daily-use accounts, privilege is just-in-time rather than standing, and the most sensitive administration happens from hardened workstations that never touch email or the web. This is the layer where assume-breach is most concrete, you design so that a phished user account cannot reach Global Admin.
| Decision | The secure baseline |
|---|---|
| Account separation | Admin identities distinct from daily-use; cloud-only for the most privileged; no mailbox on admin accounts. |
| Just-in-time privilege | PIM: privileged roles eligible not active, activation time-bound, justified, approved. |
| Privileged workstations | Secure admin workstations / PAW for tier-0 administration; isolated from general productivity. |
| Break-glass | Two cloud-only emergency Global Admins, CA-excluded, phishing-resistant auth, alerted on any use, validated quarterly. |
Data protection architecture
Data protection architecture answers what happens after the perimeter and identity controls are bypassed: can the attacker read, exfiltrate, or destroy the data they reach. The chain is classify, then protect: sensitivity labels mark what matters, label-driven encryption and DLP enforce handling, and the protection travels with the data rather than depending on where it sits. The common architectural failure is protection that stops at the tenant boundary while the data freely leaves it.
| Decision | The secure baseline |
|---|---|
| Classification | Sensitivity labels with a small, used taxonomy. A label scheme nobody applies protects nothing. |
| Encryption | Label-driven encryption so protection follows the file outside the tenant. |
| DLP | Policies aligned to the labels and the real exfiltration paths (email, upload, copy), tuned to alert not just block. |
| Retention & recovery | Retention and recoverability designed against ransomware and insider deletion, not just compliance. |
The architecture fails at the seam between classification and protection: labels applied inconsistently, or protection rules that do not match the labels, leave data marked sensitive but handled freely. Design the two as one chain, the label is the input the encryption and DLP act on, and audit that the chain actually fires, because a label with no enforcement behind it is documentation, not protection.
Endpoint and email architecture
Endpoints and email are the two surfaces where most intrusions begin, so their architecture is about reducing what an attacker can do once they land. On the endpoint that means enrollment, compliance, and attack-surface reduction; in email it means authentication standards and content protection. The architectural number that matters most is coverage: a device or mailbox the controls never evaluate is an unmonitored door, and that gap is where the next compromise walks in.
| Decision | The secure baseline |
|---|---|
| Device enrollment | All productivity devices enrolled and compliance-policed. Enrolled-vs-user-count is the coverage gap to close. |
| Compliance enforcement | secureByDefault on, so a device with no compliance policy fails rather than silently passes CA. |
| Attack surface reduction | Defender for Endpoint ASR rules in block mode; tamper protection on; EDR in active mode. |
| Email authentication | SPF, DKIM, DMARC enforced (not monitor-only) for owned domains; anti-spoofing on. |
| Email content protection | Defender for Office: Safe Links, Safe Attachments, anti-phishing with impersonation protection. |
Sentinel and detection architecture
Detection architecture is where cost and coverage are traded against each other, because in Sentinel ingestion is the bill. The decisions are which data sources earn their ingestion, how the workspace is structured, and whether detection coverage maps to the techniques you actually face. The mistake is ingesting everything (expensive, noisy) or ingesting by habit (gaps in the techniques nobody chose to cover); the architecture is deliberate coverage at a justified cost.
| Decision | The secure baseline |
|---|---|
| Workspace design | Single workspace where possible for query simplicity; cross-workspace only with a clear reason (sovereignty, scale). |
| Data sources | Ingest what you detect or investigate on. The free M365 sources (sign-in, audit, Defender) cost nothing, take them all. |
| Detection coverage | Analytics rules mapped to ATT&CK; coverage gaps known and accepted, not accidental. |
| Retention tiering | Hot for active hunting, archive for compliance, set per table against cost. |
The architectural tension is real: the data you do not ingest is the detection you cannot write and the investigation you cannot run, but ingesting everything turns the workspace into a cost centre that gets trimmed in the next budget round, taking your coverage with it. Resolve it deliberately, take the free M365 sources unconditionally, ingest paid sources against a named detection or investigation use, and write down the gaps you accept so they are a decision rather than a surprise mid-incident.
Posture and compliance
Posture management measures whether the architecture is actually in force, and its central trap is mistaking the score for the security. Secure Score and compliance dashboards report what is configured, not what is enforced or effective. A control can exist, be reported as present, and protect nothing, because it is in audit mode, scoped to no one, or silently overridden. The architectural discipline is to read posture as a starting question, not an answer.
| Decision | The secure baseline |
|---|---|
| Secure Score | A directional signal, not a target. Investigate what each recommendation actually enforces. |
| Enforcement verification | Confirm controls are enforcing, not auditing, and scoped to the real population. |
| Benchmarking | Compare against your own trend and a relevant baseline, not the industry average alone. |
| Drift detection | Re-verify the baseline on a cadence; configuration drifts as people make exceptions. |
The architecture baseline checklist
The whole-tenant baseline in one view. Each line is an architecture decision with a defensible secure default; the deep references expand each into its full design.
| Layer | Baseline decision |
|---|---|
| Identity | Phishing-resistant MFA for privileged; legacy auth blocked; identity types governed separately. |
| Conditional access | Named single-intent policies, ringed deployment, compliant-device requirement, minimal exclusions. |
| Privileged access | Separated admin accounts, PIM just-in-time, secure admin workstations, designed break-glass. |
| Data | Sensitivity labels applied, label-driven encryption, DLP on real exfil paths, ransomware-aware recovery. |
| Endpoint | Full enrollment, secureByDefault on, ASR in block mode, tamper protection. |
| SPF/DKIM/DMARC enforced, Defender for Office Safe Links/Attachments/anti-phishing. | |
| Detection | Single workspace, all free M365 sources, ATT&CK-mapped coverage, tiered retention. |
| Posture | Secure Score as signal, enforcement verified, drift re-checked on cadence. |
From the baseline to the designed tenant
This cheatsheet is the map. M365 Security Architecture teaches the whole design: every layer from identity to posture, the decisions and their tradeoffs, and how they compose into a tenant that holds under attack.
Explore the course