Onboarding to Microsoft Defender for Office 365 is often treated as a quick setup task, but it should be seen as a critical opportunity to establish strong security foundations. In my roles supporting incident response and security operations in Microsoft 365, I have observed that onboarding is often underestimated. - Purav Desai, Dual Security MVP
This blog covers four key areas that are frequently missed, but they are essential for a secure and auditable deployment of Defender for Office 365. Before diving into the technical details, it is important to clarify a common misconception about Defender for Office 365 protections.
Blocking Malicious File Downloads in SharePoint and OneDrive
A common assumption during onboarding is that Microsoft Defender for Office 365 protections only apply to email. In reality, Safe Attachments also integrates with SharePoint Online, OneDrive for Business and Microsoft Teams. It scans files for malware even after they are uploaded or shared internally.
However, this protection is only effective when the configuration explicitly prevents users from downloading files flagged as malicious. Without this setting, files detected as threats can still be downloaded locally. This creates a major risk, particularly if the malware is detected post-delivery.
In one investigation, I found that this setting had been left at its default, allowing users to download malicious files from SharePoint. This oversight created a significant exposure risk until it was corrected. This setting is part of the Safe Attachments for SPO/ODB policy and is critical in reducing internal exposure. Once enabled, this setting protects users in real time and acts as a powerful audit point. If someone disables this setting, whether intentionally or by accident, that action is recorded in Purview's Unified Audit Log under the DisallowInfectedFileDownloadDisabled operation.
The video below offers a brief walkthrough on how to enable the setting, details the associated audit log events, and provides guidance on configuring alerts for any modifications:
Video 1 – Enable, Audit, Alert: Full Setting Overview
Regularly auditing for this event can help identify misconfiguration or potentially malicious administrative activity that could indicate insider threat behaviour. Including this check as part of your continuous security monitoring process is a smart, proactive move. Learn more at Step 2: (Recommended) Use SharePoint Online PowerShell to prevent users from downloading malicious files
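The check, the fix and the audit query described above, as an added PowerShell example that is not part of the original post. It assumes the SharePoint Online Management Shell and Exchange Online PowerShell modules are installed, that the account holds the SharePoint administrator and audit-reader roles, and that `<tenant>` is a placeholder for your own tenant name; the DisallowInfectedFileDownloadDisabled operation name is the one the post cites.

```powershell
# Added example, not from the original post. Placeholder tenant name below.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
Connect-ExchangeOnline

# 1. Check the current state of the Safe Attachments for SPO/ODB download block.
$tenant = Get-SPOTenant
if (-not $tenant.DisallowInfectedFileDownload) {
    Write-Warning "DisallowInfectedFileDownload is FALSE: files flagged as malicious can still be downloaded."
    # 2. Enable it. This is the documented tenant-wide setting from the Microsoft Learn step linked above.
    Set-SPOTenant -DisallowInfectedFileDownload $true
}

# 3. Audit: look back 30 days for anyone who turned the setting off.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations "DisallowInfectedFileDownloadDisabled" -ResultSize 500

foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json   # AuditData is a JSON string with the event details
    [pscustomobject]@{
        When     = $e.CreationDate
        Who      = $e.UserIds
        ClientIP = $d.ClientIP
    }
}
```

Run step 3 on a schedule (or wire the same operation into an alert policy, as the video shows); any hit is either an unplanned change to investigate or a planned change that should match a change record.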
Once you have established protection against malicious files, the next step is ensuring your tenant is correctly set up to create and manage threat policies.
Ensuring Organization Customization is Enabled
A frustrating yet common hurdle during Defender for Office 365 onboarding is the inability to create threat policies such as anti-phishing or Safe Attachments policies. This confusion often stems from a basic configuration oversight: the tenant has not been enabled for organization customization. Without this step, the Microsoft 365 platform prevents the creation or editing of many critical security policies in Defender for Office 365.
A few years ago, while a new client was being onboarded to Defender for Office 365, I encountered a situation where policy creation kept failing because this step wasn’t followed. It caused unnecessary delays and frustrated the security team until we identified the missing customization.
The fix is simple. Run the Enable-OrganizationCustomization PowerShell cmdlet from Exchange Online. It is a one-time configuration task, but it is essential for policy management and overall service functionality.
Figure 2 - Output if you re-run the Enable-OrganizationCustomization command
Including this step early in your deployment or migration plan prevents unnecessary delays and ensures the security team can fully leverage Defender for Office 365's capabilities from day one. This is particularly important for consultants who are brought in to assist after issues have already arisen. Getting ahead of this configuration means one less troubleshooting rabbit hole.
Figure 3 - Output shows 'false' when customization is enabled.
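The check-then-enable sequence described above, as an added PowerShell example that is not part of the original post. It assumes the Exchange Online PowerShell module is installed and the account is an Exchange administrator; the `IsDehydrated` property of `Get-OrganizationConfig` is the value behind the 'false' output shown in Figure 3 (false means customization is already enabled).

```powershell
# Added example, not from the original post.
Connect-ExchangeOnline

# IsDehydrated = $true means the tenant has not been enabled for organization customization.
$org = Get-OrganizationConfig
if ($org.IsDehydrated) {
    Write-Host "Tenant is dehydrated: enabling organization customization (one-time, cannot be reverted)."
    Enable-OrganizationCustomization
    # The change can take some minutes to propagate; re-check before creating threat policies.
} else {
    Write-Host "Organization customization already enabled (IsDehydrated = $($org.IsDehydrated))."
}

# Show the value the same way Figure 3 does.
Get-OrganizationConfig | Format-List IsDehydrated
```

Including the check in a deployment runbook means the policy creation step that follows never fails for this reason.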
With customization enabled, you can now take advantage of the preset security policies to quickly build a solid baseline.
Using Preset Security Policies for a Strong Starting Point
One of the best tools Microsoft has provided for onboarding is the Preset Security Policies feature. These come in two flavors: Standard and Strict.
Figure 4 - Defender for Office 365 Preset security policies (Standard & Strict protection)
They represent Microsoft’s recommended baseline configurations for anti-malware, anti-phishing, and spam protection. Learn more at Preset security policies in cloud organizations.
For customers with limited security maturity or time to deeply understand the inner workings of Defender for Office 365, these presets are a game-changer.
Figure 5 - Microsoft recommendation is to apply standard protection to all users
In several cases, I have seen organizations with limited security teams benefit from activating these presets early. This approach gave them immediate protection while freeing up time to better understand and tune policies over time. For incident response, having a consistent and known-good baseline also helps reduce noise and false positives in the initial stages of deployment.
Figure 6 - Apply strict Defender for Office 365 protection for priority users
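The same two recommendations (Standard for everyone, Strict for priority users) expressed in Exchange Online PowerShell, as an added example that is not part of the original post. It assumes the presets have already been turned on at least once in the Defender portal so that the rule objects exist, and that `contoso.example` and the `PriorityUsers` group are placeholders for your own domain and group.

```powershell
# Added example, not from the original post. Domain and group names are placeholders.
Connect-ExchangeOnline

# Inspect the current state and scope of both preset rules (EOP = anti-spam/anti-malware/anti-phishing,
# ATP = Safe Links/Safe Attachments).
Get-EOPProtectionPolicyRule | Format-Table Name, State, SentTo, SentToMemberOf, RecipientDomainIs
Get-ATPProtectionPolicyRule | Format-Table Name, State, SentTo, SentToMemberOf, RecipientDomainIs

# Standard protection for all recipients in the tenant's domain.
Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"
Enable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"
Set-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" -RecipientDomainIs "contoso.example"
Set-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy" -RecipientDomainIs "contoso.example"

# Strict protection only for the priority-users group. Where a user matches both presets,
# Strict takes precedence, so the group does not need to be excluded from Standard.
Enable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"
Enable-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy"
Set-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" -SentToMemberOf "PriorityUsers@contoso.example"
Set-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy" -SentToMemberOf "PriorityUsers@contoso.example"
```

Re-running the two `Get-*` calls afterwards is the quickest way to confirm the scoping took effect before moving on to RBAC.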
After setting foundational policies, controlling who has access to what within Defender for Office 365 is crucial to maintaining a secure environment.
Implementing Unified RBAC for Least Privilege Access
As more business units engage with Defender for Office 365 for everything from investigation to reporting, it is important to ensure each role has access only to what they need. Unified Role-Based Access Control (RBAC) in Defender for Office 365 makes this possible by allowing granular control over who can see and change what within the security portal.
Figure 7 – Example least privilege role configuration for a Defender for Office 365 Incident Responder (image trimmed).
This becomes critically valuable in larger or more complex organizations where responsibilities are split between security, compliance, IT, and operations teams.
Figure 8 - Activating Microsoft Defender for Office 365 Workload in Defender XDR Roles.
By using unified RBAC, you can avoid the dangerous and often default behavior of assigning Security Administrator rights to everyone involved. Instead, define roles based on function. For example, Tier 1 analysts might only need view and investigation access, while admins can manage policies.
Figure 9 - Assigning a user to a Custom Microsoft Defender for Office 365 role, Entra Security Groups are also supported.
This approach aligns with zero trust principles and makes it easier to audit who has access to sensitive areas. During onboarding, I recommend mapping stakeholders to the available roles and applying this model as early as possible. This helps establish accountability and improves your security posture before an incident occurs. Learn more at Map Defender for Office 365 permissions to the Microsoft Defender XDR Unified RBAC permissions
Having set the right roles and permissions, it is vital to understand how these configurations contribute to a resilient and well-prepared security posture.
Final Thoughts
Successful onboarding to Microsoft Defender for Office 365 is not just about flipping switches. It is about making intentional configuration choices that support operational efficiency and long-term security goals. The points covered here are often missed in quick start guides but they are essential for building a solid foundation. Those who invest time in proper configuration are far better prepared when incidents arise. Migration is just the beginning. Set up Defender for Office 365 right to reduce risk and build real resilience.
Questions or comments on this blog "Microsoft Defender for Office 365 Migration & Onboarding" for the author or other readers? Please log in and post your response below!
This blog has been generously and expertly authored by Microsoft Security MVP Purav Desai, with support of the Microsoft Defender for Office 365 product team.
Purav Desai, Lead M365 Incident Responder, Financial Services | Dual Microsoft Security MVP