- Regaining access is step one; the real risk is the persistence an attacker leaves behind.
- Enforce MFA and conditional access, then audit mailbox rules and app consents for hidden back doors.
- Review sign-in logs to understand the true scope before you call it contained.
- Microsoft Secure Score measures tenant posture; it is separate from the partner security requirements that gate CSP standing.
A couple weeks back, a small Microsoft reseller called us a day after an account compromise. Someone had gotten into one of their Microsoft 365 accounts, and they'd done the obvious thing: changed the password, regained access, felt the relief. An hour later the relief turned into a question: "Are they actually gone, or did they leave themselves a way back in?"
That second question is the one that matters, and it's the one most people never ask. Attackers rarely read some email and leave; they set up persistence, the quiet hooks that let them come back after a password change. For this reseller the stakes were sharper, because their access was tied to their partner standing, but the checklist applies to anyone facing a takeover. Regaining access is only the beginning. Work it in order: step one stops the bleeding, the rest evict the intruder.
1. Enforce multi-factor authentication everywhere
Multi-factor authentication (MFA), a second proof of identity beyond the password, is the single most effective control against account takeover, and after an incident it's non-negotiable. Enforce it for every user, especially the administrator, service, and shared accounts people forget, and reset affected passwords.
2. Lock down access with conditional access
Where MFA proves who a user is, conditional access decides under what circumstances they're let in at all: block sign-ins from countries you never operate in, require a managed device for administrators, challenge risky sign-ins, and block legacy authentication that bypasses MFA, so a stolen credential becomes far less useful.
3. Audit mailbox rules
A favorite attacker trick is a hidden inbox rule that auto-forwards or auto-deletes mail, to exfiltrate messages or hide the password-reset and alert emails that would tip you off. On compromised accounts, and ideally tenant-wide, delete any you didn't create.
An auto-forwarding rule left in place is an open back channel even after everything else is locked. The attacker doesn't need to log in anymore; your own mailbox is quietly mailing them copies.
4. Review app consents and OAuth grants
Attackers also trick a user into granting a malicious app permission to the account, an OAuth consent (OAuth being the standard that lets one app act on your behalf in another), and that app keeps access independent of the password. Review the applications granted access and revoke anything you don't recognize. This is the most overlooked form of persistence, because the password reset does nothing to it.
5. Review sign-in logs
Comb the sign-in logs for the fingerprints of the intrusion: sign-ins from unexpected countries, at odd hours, from strange devices, or logins that should've been impossible. That's what tells you the scope: which accounts were affected, whether the attacker reached beyond the first, and how long.
6. Tighten credential hygiene
With the immediate response done, address the conditions that allowed it. Retire shared accounts where you can, give admins separate accounts for admin work rather than their daily login, and pull access for people who no longer need it. Plenty of incidents trace back to exactly that kind of account.
7. Harden the endpoints
Often the entry point was a device: an unpatched laptop, a machine without protection, a phone with no controls. Make sure devices accessing your environment are patched, protected, and managed, so a compromised machine doesn't undo your identity work. The device-management and threat-protection in the higher Microsoft 365 tiers exist for exactly this.
What Secure Score is, and what it isn't
You'll run into Microsoft Secure Score, a measurement of your security posture in the Microsoft Defender portal. It looks at MFA, conditional access, and other settings, and returns a score plus prioritized recommendations to track your hardening. But here's the clarification that saves a lot of confusion: Secure Score measures the posture of your tenant. It's a guide for hardening, not a gate.
The path back to compliance for partners
For Microsoft partners, in particular Cloud Solution Provider (CSP) partners who resell and manage Microsoft services, there's an additional layer. Microsoft has partner security requirements, distinct from Secure Score, that gate your standing and are tracked in Partner Center: mandatory MFA for everyone in the partner tenant, a designated security contact, and responding to alerts.
It's the partner security requirements, met or not met, that affect partner standing, not a particular Microsoft Secure Score number. Hardening your tenant is good and necessary, but don't assume a high Secure Score is what keeps you a partner in good standing.
So a partner's path back runs through both: harden the tenant, and confirm you meet the partner security requirements in Partner Center. A CSP partner should also review delegated access to customer environments for least-privilege, time-bound access.
Let's talk it through
If you've had a Microsoft 365 compromise, or the thought of one keeps you up at night, we're glad to walk through this hardening process and confirm there's no quiet way back in. For partners, we can also sort out your Secure Score versus your partner security requirements. Reach out and we'll help you lock it down.