
Microsoft 365 Admin Centre: What Every IT Admin in a Philippine Office Should Configure First

June 11, 2026 · 6 min read · The Technica Stack


A newly provisioned Microsoft 365 tenant is not secure by default. Microsoft's out-of-the-box configuration balances usability and security in a way that is appropriate for the broadest possible audience — which means it is too permissive for most Philippine business environments. Several defaults that need changing are not obvious and are not prompted during the setup wizard.

This is the priority configuration list for Philippine IT administrators setting up a new M365 tenant, or auditing an existing one. Every item here should be completed before adding users, enabling Microsoft Copilot, or migrating any business data.


1. Enable Security Defaults or Conditional Access

Admin Centre path: Entra ID → Properties → Manage Security Defaults

What Security Defaults does:

  • Requires every user to register for MFA (Microsoft Authenticator) within 14 days of first sign-in, and prompts for it afterwards when Microsoft's risk signals call for it
  • Blocks legacy authentication, meaning Basic-auth clients (IMAP, POP3, SMTP AUTH, older Office and ActiveSync clients) that have no way to complete an MFA challenge
  • Requires MFA on every sign-in for privileged roles such as Global Administrator and Exchange Administrator

Should you use Security Defaults or Conditional Access?

  • Security Defaults: appropriate for small tenants (under 20 users) without advanced licensing. Simple, one-switch configuration.
  • Conditional Access policies (Entra ID P1, included in Business Premium): more granular control. Required for businesses that need to allow specific legacy authentication for specific apps, exclude specific service accounts, or create location-based policies.

Action: Enable Security Defaults immediately if no Conditional Access is configured. If on Business Premium, move to Conditional Access in a single change window: Entra does not allow the two side by side, so disable Security Defaults, create the MFA and legacy-auth policies straight away (report-only first, then enabled once the sign-in log shows no legitimate users would be blocked), and never leave the tenant with neither control in place. See our dedicated Conditional Access guide at /insights/conditional-access-policies-m365-philippines-2026.


2. Configure Password Policies

Admin Centre path: Microsoft 365 Admin Centre → Settings → Org settings → Security & privacy → Password expiration policy (the notification settings are under Entra ID → Password reset → Notifications)

The outdated default: older tenants were provisioned with a 90-day expiry, and many inherited tenants still carry a short expiry period that prompts constant changes.

Microsoft's current guidance (aligned with NIST SP 800-63B):

  • Do NOT force periodic password changes (every 30/60/90 days): this encourages weak, predictable passwords (Password1 becomes Password2)
  • Set passwords to never expire ONLY IF MFA is enforced for every account; MFA is the control that compensates for password weakness
  • Minimum length for cloud-only Entra ID accounts is fixed at 8 characters and cannot be raised in the tenant, so set a 12+ character passphrase standard in policy and training rather than expecting a portal setting to enforce it
  • Keep Entra Password Protection on: the global banned-password list applies to all cloud accounts by default; with Entra ID P1 (Business Premium) add a custom banned list containing your company name, product names and common local terms

Action:

  1. If MFA is enforced: set the password expiration policy to "Never expire"
  2. Under Entra ID → Password reset → Notifications, enable "Notify users on password resets"
  3. In the same place, enable "Notify all admins when other admins reset their password"
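The "never expire only if MFA is enforced" rule is easy to state and easy to apply backwards. The script below, an added example rather than code from the original article, checks the MFA registration report first and only sets the never-expire policy on each verified domain when every enabled, licensed member account is registered. The break-glass UPN, the -Exclude list, the Graph scopes and the 14-day warning window are assumptions to adjust for your tenant.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Reports, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
# Added example, not code from the original article. Assumes Entra reporting access
# (AuditLog.Read.All) and Domain.ReadWrite.All; the 14-day warning window is arbitrary,
# and -Exclude lists accounts (break-glass, shared mailboxes) deliberately not MFA-registered.
param([string[]]$Exclude = @("breakglass@yourdomain.com.ph"))
Connect-MgGraph -Scopes "AuditLog.Read.All", "User.Read.All", "Domain.ReadWrite.All"

# One row per user from the registration report; IsMfaRegistered is the property that matters.
$regById = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $regById[$_.Id] = $_.IsMfaRegistered }

# Enabled, licensed member accounts; guests and unlicensed objects are out of scope.
# The $count filter is an advanced query, hence -ConsistencyLevel eventual and -CountVariable.
$users = Get-MgUser -All -ConsistencyLevel eventual -CountVariable n `
    -Filter 'accountEnabled eq true and userType eq ''Member'' and assignedLicenses/$count ne 0' `
    -Property Id, UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notin $Exclude }

$missing = @($users | Where-Object { -not $regById[$_.Id] })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) of $($users.Count) accounts have not registered MFA; keep password expiry until they do:"
    $missing.UserPrincipalName
    return
}

# All clear: Graph expresses "never expires" as the maximum int32 validity period.
foreach ($d in Get-MgDomain -All | Where-Object IsVerified) {
    Update-MgDomain -DomainId $d.Id -PasswordValidityPeriodInDays 2147483647 -PasswordNotificationWindowInDays 14
    Write-Host "$($d.Id): password expiry set to never"
}
```

Run it before changing the policy in the portal and again after the onboarding deadline. The gate is deliberately strict: a single unregistered licensed account keeps the expiry in place, because that account is exactly the one a password-only attacker will go after.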

3. Configure External Sharing Policies

Admin Centre path: SharePoint Admin Centre → Policies → Sharing

The dangerous default: new tenants allow "Anyone" links in SharePoint and OneDrive. An Anyone link works for whoever holds it, with no sign-in, and does not expire unless you set an expiry, so a link pasted into the wrong chat or forwarded on is a public leak.

Recommended settings for Philippine SMEs:

Resource                    Recommended setting
SharePoint                  "New and existing guests" (guests must sign in; Anyone links are no longer possible)
OneDrive                    "New and existing guests" (OneDrive cannot be more permissive than SharePoint)
Default link type           "People in your organisation" (not "Anyone")
Anyone-link expiration      30 days (only matters if Anyone links remain enabled on some site)
Guest access expiration     180 days (guests lose access unless re-authorised)

Action: Change the default link type to "People in your organisation" so a casual Share click never produces an Anyone link, and set the sharing level to "New and existing guests" so Anyone links cannot be created deliberately either. Together these are the highest-impact changes against accidental public exposure.
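The table above maps onto Set-SPOTenant parameters one for one, which makes the baseline easy to audit on a tenant you inherited. The script below is an added example, not code from the original article: it reports every setting that drifts from the baseline and only changes anything when run with -Apply. The admin URL is a placeholder, and the choice of View (rather than Edit) as the default link permission is an assumption.

```powershell
#Requires -Modules Microsoft.Online.SharePoint.PowerShell
# Added example, not code from the original article. The admin URL is a placeholder;
# DefaultLinkPermission = View is our choice, not something the article specifies.
param([switch]$Apply)
Connect-SPOService -Url "https://yourtenant-admin.sharepoint.com"

# Key = Get-SPOTenant property / Set-SPOTenant parameter, value = recommended setting.
$baseline = @{
    SharingCapability                 = "ExternalUserSharingOnly"   # "New and existing guests"
    OneDriveSharingCapability         = "ExternalUserSharingOnly"   # must not exceed SharingCapability
    DefaultSharingLinkType            = "Internal"                  # "People in your organisation"
    DefaultLinkPermission             = "View"
    RequireAnonymousLinksExpireInDays = 30        # harmless while Anyone links are disabled, bites if re-enabled
    ExternalUserExpirationRequired    = $true
    ExternalUserExpireInDays          = 180
}

$tenant = Get-SPOTenant
$drift = foreach ($k in $baseline.Keys) {
    # Compare as strings so enums, booleans and integers all line up.
    if ("$($tenant.$k)" -ne "$($baseline[$k])") {
        [pscustomobject]@{ Setting = $k; Current = $tenant.$k; Recommended = $baseline[$k] }
    }
}

if (-not $drift) { Write-Host "Sharing settings already match the baseline."; return }
$drift | Format-Table -AutoSize

if ($Apply) {
    # Splat the whole baseline; every key is a Set-SPOTenant parameter.
    Set-SPOTenant @baseline
    Write-Host "Baseline applied. Re-run without -Apply to confirm zero drift."
} else {
    Write-Host "Dry run only. Re-run with -Apply to change the settings above."
}
```

Site-level sharing settings can still be looser than the tenant where an owner changed them before you tightened the tenant; Get-SPOSite -Detailed exposes SharingCapability per site if you want to extend the drift check downwards.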


4. Enable Audit Logging

Admin Centre path: Microsoft Purview portal (purview.microsoft.com; the older compliance.microsoft.com address redirects there) → Audit

What it does: Records user and admin activity across M365 — sign-ins, file access, sharing events, admin changes, email forwards. Required for security incident investigation and NPC breach reporting.

The catch: audit logging is on by default only for tenants provisioned since 2019. On older tenants, or any tenant where an admin switched it off, nothing is recorded until you turn it back on, and there is no retroactive capture.

Action: Verify audit logging is enabled. Audit (Standard), included in every business tier, now retains records for 180 days (it was 90 days before October 2023); one-year default retention and longer custom retention policies need Audit (Premium), which comes with E5 or the compliance add-on. If an investigation could need more history than that, export the log on a schedule or forward it to a SIEM.

What to monitor for Philippine offices:

  • Admin privilege grant/revocation (who has been made admin)
  • External sharing events (when files are shared outside the tenant)
  • Email forwarding rule creation (a key indicator of business email compromise: the attacker creates an inbox rule that copies every incoming message to an external address, then waits for an invoice to redirect)
  • Failed sign-in spikes (brute force indicators)
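Of the four items above, the forwarding-rule check is the one most worth scripting, because it is both the commonest BEC tell and the easiest to miss in a portal. The script below is an added example, not code from the original article: it confirms the unified audit log is ingesting, searches the last 30 days for New-InboxRule and Set-InboxRule events, extracts any forward or redirect target from the JSON AuditData, flags targets outside the tenant's accepted domains, and then sweeps live mailboxes for rules that predate logging. The 30-day window and the 5000-record cap are arbitrary choices.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not code from the original article. Assumes the signed-in admin holds
# the View-Only Audit Logs (or Audit Logs) role; the 30-day window and 5000-record cap
# are arbitrary choices.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Is the unified audit log actually ingesting? Nothing before this moment is recoverable.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log is OFF; enabling it now (no retroactive capture)."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

$internal = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() }
$start = (Get-Date).AddDays(-30); $end = Get-Date

# 2. Inbox rule creation and changes are logged as Exchange admin cmdlets; AuditData is JSON.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType ExchangeAdmin `
    -Operations New-InboxRule, Set-InboxRule -ResultSize 5000   # -SessionCommand ReturnLargeSet beyond 5000

$forwardParams = "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"
$hits = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    $ruleName = ($d.Parameters | Where-Object { $_.Name -eq "Name" }).Value
    foreach ($p in $d.Parameters | Where-Object { $_.Name -in $forwardParams }) {
        # Values look like "Display Name [SMTP:user@domain]" or a bare address; keep the address.
        $addr   = if ($p.Value -match '(?i)SMTP:([^\]\s;]+)') { $Matches[1] } else { $p.Value }
        $domain = ($addr -split "@")[-1].ToLower()
        [pscustomobject]@{
            When     = $d.CreationTime
            Actor    = $d.UserId          # the account that created the rule (the victim, in BEC)
            Rule     = $ruleName
            Target   = $addr
            External = $domain -notin $internal
        }
    }
}
$hits | Sort-Object External -Descending | Format-Table -AutoSize

# 3. Rules created before logging was on never appear in the search: sweep live mailboxes too.
$live = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
}
$live | Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, RedirectTo | Format-Table -AutoSize
```

An External = True row created by a regular user is an incident until proven otherwise: reset the password, revoke sessions, delete the rule, and check the same account's sign-in log for the phishing login that preceded it. Mailbox-level forwarding (Set-Mailbox -ForwardingSmtpAddress) is a separate mechanism the script does not cover; Get-Mailbox exposes ForwardingSmtpAddress if you want to add it.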

5. Block Legacy Authentication

Admin Centre path: Entra ID → Protection → Conditional Access (or via Security Defaults)

What legacy authentication is: Basic authentication (a username and password sent with every request) as used by SMTP AUTH, IMAP, POP3, older Exchange ActiveSync devices and pre-2013 Office clients. These flows have no way to present a second factor, so an attacker holding a stolen password authenticates with it directly and never sees an MFA prompt. Exchange Online has rejected Basic auth for IMAP, POP3, EWS, ActiveSync and remote PowerShell since January 2023; SMTP AUTH is the one protocol still allowed per tenant and per mailbox, so that is where the residual exposure sits.

The Philippine context: Business email compromise attacks frequently use legacy authentication to bypass MFA after stealing credentials via phishing.

Action: Block legacy authentication via Conditional Access (Business Premium) or Security Defaults (all tiers), and disable SMTP AUTH tenant-wide in Exchange Online. Exception: if a business application (a printer scanning to email, a line-of-business app sending through SMTP) genuinely needs it, re-enable SMTP AUTH only on that one service mailbox and exclude only that account from the Conditional Access policy; never leave it open for all users, and check whether the device can use OAuth or an SMTP relay connector instead.
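Sections 1 and 5 are the same control seen from two sides, so one script covers both. It is an added example, not code from the original article: it reports whether Security Defaults or Conditional Access is in force, enables Security Defaults if the tenant has neither, otherwise creates a report-only Conditional Access policy that blocks legacy authentication for everyone except a service-account group, and finally disables SMTP AUTH tenant-wide while re-enabling it on the one scanner mailbox. The group name CA-Exclude-LegacyAuth, the mailbox scanner@yourdomain.com.ph and the Graph scopes are assumptions.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups, ExchangeOnlineManagement
# Added example, not code from the original article. Assumes the exclusion group
# "CA-Exclude-LegacyAuth" already exists and "scanner@yourdomain.com.ph" is the one
# mailbox that genuinely needs SMTP AUTH.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# 1. Where does the tenant stand today?
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$ca = @(Get-MgIdentityConditionalAccessPolicy -All)
Write-Host "Security Defaults enabled  : $($sd.IsEnabled)"
Write-Host "Conditional Access policies: $($ca.Count)"

if (-not $sd.IsEnabled -and $ca.Count -eq 0) {
    # Neither control is in place: the one-switch fix is better than nothing, today.
    Write-Warning "No MFA enforcement at all; enabling Security Defaults."
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled $true
    return
}
if ($sd.IsEnabled) {
    Write-Host "Security Defaults are on. Entra does not allow Conditional Access policies alongside them:"
    Write-Host "disable Security Defaults and run this script again in the same change window."
    return
}

# 2. Conditional Access (Entra ID P1 / Business Premium): block legacy auth for everyone
#    except the service-account group, in report-only mode first.
$excl = Get-MgGroup -Filter "displayName eq 'CA-Exclude-LegacyAuth'"
if (-not $excl) { throw "Create the exclusion group CA-Exclude-LegacyAuth first." }

$params = @{
    displayName = "Block legacy authentication (report-only)"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after checking the sign-in log
    conditions  = @{
        # "other" covers Basic-auth IMAP/POP3/SMTP AUTH and old Office clients;
        # exchangeActiveSync covers Basic-auth ActiveSync devices.
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeGroups = @($excl.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Write-Host "Created '$($policy.DisplayName)' ($($policy.Id)) in report-only mode."

# 3. SMTP AUTH is the one Basic-auth protocol Exchange Online still honours.
#    Turn it off tenant-wide, then back on only for the scanner mailbox.
Connect-ExchangeOnline -ShowBanner:$false
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Set-CASMailbox -Identity "scanner@yourdomain.com.ph" -SmtpClientAuthenticationDisabled $false
Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress   # every mailbox listed here is a deliberate exception
```

Leave the policy in report-only for a week, then open Entra ID → Monitoring → Sign-in logs, filter on the policy name, and look at what it would have blocked: anything legitimate goes into the exclusion group, everything else is the reason you are doing this. The final Get-CASMailbox line is the list to review at every audit.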


6. Configure Email Authentication (SPF, DKIM, DMARC)

Admin Centre path: Microsoft 365 Admin Centre → Settings → Domains (SPF and DMARC are DNS records published at your registrar); Microsoft Defender portal (security.microsoft.com) → Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM

Why this matters: Without SPF and DKIM, anyone can send mail that appears to come from your domain and receivers have nothing to check it against. Without DMARC, even receivers that do check SPF and DKIM have no instruction to quarantine or reject the failures, and you receive no reports showing who is spoofing you.

Action:

  1. Add the SPF record as a DNS TXT record at the domain apex: v=spf1 include:spf.protection.outlook.com -all (publish exactly one v=spf1 record; other senders' includes go inside the same record)
  2. Enable DKIM: publish the two CNAMEs (selector1._domainkey and selector2._domainkey, targets shown on the DKIM page), then turn on signing for the domain; signing cannot be enabled until both CNAMEs resolve
  3. Add the DMARC record at _dmarc.yourdomain.com.ph: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com.ph (the rua mailbox must exist; start with p=none, move to p=quarantine after 30 days of reviewing reports, then to p=reject once every legitimate sender passes)
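Because all three records live at the registrar rather than in Microsoft 365, the usual failure is a record that was "added" but never propagated, or a second v=spf1 record that silently breaks the first. The script below is an added example, not code from the original article: it resolves the live SPF, DKIM and DMARC records for a domain, compares the DKIM CNAMEs against the targets Exchange Online expects, turns DKIM signing on once they resolve, and lists everything still wrong. It assumes Windows (Resolve-DnsName) and the ExchangeOnlineManagement module; the domain is a placeholder.

```powershell
#Requires -Modules DnsClient, ExchangeOnlineManagement
# Added example, not code from the original article. Runs on Windows (Resolve-DnsName);
# the domain is a placeholder. Run it from outside the office network if your internal
# DNS is split-horizon, so you see what the public Internet sees.
param([string]$Domain = "yourdomain.com.ph")

$findings = [System.Collections.Generic.List[string]]::new()

# --- SPF: exactly one v=spf1 record, containing the M365 include and ending in -all ---
$spf = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
         Where-Object { ($_.Strings -join "") -like "v=spf1*" })
if ($spf.Count -eq 0)     { $findings.Add("SPF: no v=spf1 record") }
elseif ($spf.Count -gt 1) { $findings.Add("SPF: $($spf.Count) v=spf1 records; receivers treat that as permerror") }
else {
    $s = $spf[0].Strings -join ""
    if ($s -notmatch 'include:spf\.protection\.outlook\.com') { $findings.Add("SPF: missing include:spf.protection.outlook.com") }
    if ($s -notmatch '-all\s*$')                             { $findings.Add("SPF: does not end in -all (got: $s)") }
}

# --- DKIM: two CNAMEs must point at the targets Exchange Online computes per domain ---
Connect-ExchangeOnline -ShowBanner:$false
$dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
if (-not $dkim) {
    # Creating the config disabled makes Exchange generate the Selector1CNAME/Selector2CNAME targets.
    $dkim = New-DkimSigningConfig -DomainName $Domain -Enabled $false
}
$cnamesOk = $true
foreach ($n in 1, 2) {
    $name     = "selector$n._domainkey.$Domain"
    $expected = $dkim."Selector${n}CNAME"
    $actual   = (Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object Type -eq CNAME | Select-Object -First 1).NameHost
    if ($actual -ne $expected) { $cnamesOk = $false; $findings.Add("DKIM: publish CNAME $name -> $expected (found: $actual)") }
}
if ($cnamesOk -and -not $dkim.Enabled) {
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
    Write-Host "DKIM signing enabled for $Domain"
} elseif (-not $dkim.Enabled) {
    $findings.Add("DKIM: signing still disabled; enable after the CNAMEs resolve")
}

# --- DMARC: record at _dmarc.<domain> with a policy and a reporting address ---
$dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
         ForEach-Object { $_.Strings -join "" } | Where-Object { $_ -like "v=DMARC1*" } | Select-Object -First 1
if (-not $dmarc) { $findings.Add("DMARC: no v=DMARC1 record at _dmarc.$Domain") }
else {
    if ($dmarc -notmatch 'p=(none|quarantine|reject)') { $findings.Add("DMARC: no p= tag (got: $dmarc)") }
    if ($dmarc -notmatch 'rua=mailto:')                { $findings.Add("DMARC: no rua= address, so no aggregate reports") }
    if ($dmarc -match 'p=none')                        { $findings.Add("DMARC: still p=none; move to quarantine once reports are clean") }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "SPF, DKIM and DMARC are all in place for $Domain" }
```

Run it once per accepted domain, including the onmicrosoft.com domain if anything sends from it, and keep the output with the change ticket: DMARC aggregate reports will start arriving at the rua address within a day or two, and those reports are what justify the move from p=none to p=quarantine.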

7. Review Admin Account Configuration

Admin Centre path: Entra ID → Roles & admins → Global Administrator → Assignments

The risk: Many Philippine SME M365 tenants have only one admin account — the one used for daily IT work. If this account is compromised, the attacker has full control of the tenant.

Best practices:

  • Separate daily-use account from admin account: create a dedicated admin account (e.g., it-admin@yourdomain.com.ph) used only for admin tasks, with no mailbox and never signed into Outlook or Teams; phishing then lands in the daily account, not in the one that can reconfigure the tenant
  • Break-glass account: create one cloud-only "emergency" Global Admin account with a long random password stored offline (sealed and split between two people), excluded from every Conditional Access policy so a mis-scoped policy cannot lock you out, and alerted on every sign-in; use it only when the normal admin accounts are locked or compromised
  • Limit Global Admin count: keep fewer than five Global Admin holders, but never just one. Delegate least-privilege roles (Exchange Admin, SharePoint Admin, User Admin, Security Reader) for tasks that do not require Global Admin
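The three practices above are checkable, and on an inherited tenant they are worth checking before anything else. The script below is an added example, not code from the original article: it lists every Global Administrator, warns at five or more, flags admin accounts that carry a mailbox (a sign they double as daily-use accounts), and confirms the break-glass account is a Global Admin excluded from every Conditional Access policy. The break-glass UPN and the "populated Mail attribute means daily-use" heuristic are assumptions; the Global Administrator role template ID is Microsoft's fixed value.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns
# Added example, not code from the original article. The break-glass UPN is a placeholder;
# "has a Mail attribute" is our heuristic for "this admin also has a working mailbox".
param([string]$BreakGlassUpn = "breakglass@yourdomain.com.ph")
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All", "Policy.Read.All"

# The Global Administrator role template ID is the same in every tenant.
$gaTemplate = "62e90394-69f5-4237-9190-012177145e10"
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplate'"
if (-not $role) { throw "Global Administrator role is not activated in this tenant (unexpected)." }

$admins = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
    # Members can be users, groups or service principals; resolve users, report the rest.
    if ($_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
        Get-MgUser -UserId $_.Id -Property Id, UserPrincipalName, Mail, AccountEnabled, LastPasswordChangeDateTime
    } else {
        Write-Warning "Non-user Global Admin member: $($_.Id) ($($_.AdditionalProperties['@odata.type']))"
    }
})

$admins | Select-Object UserPrincipalName, AccountEnabled, Mail, LastPasswordChangeDateTime | Format-Table -AutoSize
if ($admins.Count -ge 5) { Write-Warning "$($admins.Count) Global Admins; Microsoft recommends fewer than five (and at least two)." }
if ($admins.Count -le 1) { Write-Warning "Only $($admins.Count) Global Admin; a single locked account means a locked tenant." }

# Heuristic: a Global Admin with a Mail attribute has a mailbox and is probably a daily-use account too.
$admins | Where-Object Mail | ForEach-Object {
    Write-Warning "$($_.UserPrincipalName) has a mailbox ($($_.Mail)); move daily work to a separate account"
}

# Break-glass: must hold Global Admin, be enabled, and be excluded from every CA policy.
$bg = $admins | Where-Object UserPrincipalName -eq $BreakGlassUpn
if (-not $bg)                 { Write-Warning "No break-glass account $BreakGlassUpn among Global Admins" }
elseif (-not $bg.AccountEnabled) { Write-Warning "Break-glass account exists but is disabled" }
else {
    foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
        if ($p.Conditions.Users.ExcludeUsers -notcontains $bg.Id) {
            Write-Warning "CA policy '$($p.DisplayName)' does not exclude the break-glass account"
        }
    }
}
```

Keep the output from the first run as the baseline and diff against it at each review: a new name on the Global Admin list that nobody remembers adding is the admin-privilege-grant event from section 4, seen from the other end.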

8. Configure Data Loss Prevention Baseline

Admin Centre path: Microsoft Purview Compliance Portal → Data Loss Prevention → Policies

Action for Business Premium and above:

  1. Start from a built-in DLP template if your tenant offers one that covers the identifiers you hold; otherwise define a custom sensitive information type (pattern plus supporting keywords) for SSS, PhilHealth, TIN and similar numbers
  2. Configure a policy that alerts when files containing bulk personal data (names + SSS/PhilHealth numbers) are shared externally
  3. Set admin notification email for DLP alerts

See our full DLP guide at /insights/data-loss-prevention-philippines-2026 for detailed configuration.


9. Set Up Self-Service Password Reset

Admin Centre path: Entra ID → Password Reset

What it does: Allows users to reset their own passwords via the SSPR portal without calling IT. Reduces helpdesk burden significantly.

Action: Enable SSPR for all users. Require two authentication methods (Authenticator app plus email, or Authenticator app plus mobile phone); admin accounts always need two regardless of this setting. Users register their methods through the same combined registration flow as MFA, so make sure registration happens at onboarding rather than on the day someone is locked out, and verify the SSPR portal URL (aka.ms/sspr) is communicated to users during onboarding.


10. Configure Retention Policies for Compliance

Admin Centre path: Microsoft Purview → Data Lifecycle Management → Retention Policies

What it does: Automatically retains email and files for a defined period, so a user deleting a mailbox item or a document does not remove it from discovery. Required for organisations subject to SEC record-keeping requirements, BIR audit requirements, or NPC compliance. It is not a backup: it keeps content discoverable, it does not restore a deleted tenant or account.

Minimum recommended retention for Philippine SMEs:

  • Email and Teams chat: 3 years (covers BIR audit window)
  • SharePoint and OneDrive documents: 7 years (aligns with general document retention practices)
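The two retention periods above translate into three policies rather than two, because Teams chat and channel messages cannot share a policy with Exchange, SharePoint or OneDrive locations. The script below is an added example, not code from the original article: it creates the three baseline policies through Security & Compliance PowerShell with retain-only rules (nothing is ever auto-deleted by them) and skips any that already exist. The policy names are placeholders; it assumes the Compliance Administrator role.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not code from the original article. Policy names are placeholders;
# durations are in days; all rules are retain-only (Keep), never delete.
Connect-IPPSSession

$threeYears = 3 * 365
$sevenYears = 7 * 365

function New-BaselineRetention {
    param([string]$Name, [hashtable]$Locations, [int]$Days)
    if (Get-RetentionCompliancePolicy -Identity $Name -ErrorAction SilentlyContinue) {
        Write-Host "$Name already exists; skipping"
        return
    }
    # The locations hashtable is splatted: keys are New-RetentionCompliancePolicy parameters.
    New-RetentionCompliancePolicy -Name $Name @Locations | Out-Null
    # Keep for N days, then take no action; deletion is a separate, deliberate decision.
    New-RetentionComplianceRule -Name "$Name rule" -Policy $Name `
        -RetentionDuration $Days -RetentionComplianceAction Keep | Out-Null
    Write-Host "Created $Name ($Days days, retain-only)"
}

New-BaselineRetention -Name "PH Baseline - Email 3y" `
    -Locations @{ ExchangeLocation = "All" } -Days $threeYears
New-BaselineRetention -Name "PH Baseline - Documents 7y" `
    -Locations @{ SharePointLocation = "All"; OneDriveLocation = "All" } -Days $sevenYears
New-BaselineRetention -Name "PH Baseline - Teams chat 3y" `
    -Locations @{ TeamsChatLocation = "All"; TeamsChannelLocation = "All" } -Days $threeYears

# Distribution to workloads takes time; Pending here is normal for the first hour or so.
Get-RetentionCompliancePolicy | Where-Object Name -like "PH Baseline*" |
    Select-Object Name, Enabled, DistributionStatus | Format-Table -AutoSize
```

If a longer statutory period applies to a subset of content (for example accounting records under BIR rules), add a narrower policy or a retention label for that content rather than raising the tenant-wide baseline; retention policies are additive, and the longest applicable one wins.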

For Philippine organisations setting up or auditing a Microsoft 365 tenant, get in touch.
