All insights
ProtectMicrosoft SecurityExplainer

The post-incident Microsoft 365 hardening checklist

After a Microsoft 365 account compromise, getting back in is only step one. This is the checklist for locking the door, evicting the intruder, and not leaving a way back in.

Wired CIOJune 11, 2026
The short version
  • Regaining access is step one; the real risk is the persistence an attacker leaves behind.
  • Enforce MFA and conditional access, then audit mailbox rules and app consents for hidden back doors.
  • Review sign-in logs to understand the true scope before you call it contained.
  • Microsoft Secure Score measures tenant posture; it is separate from the partner security requirements that gate CSP standing.
Bottom line: Work the whole list in order: move from 'we changed the password' to 'we have actually evicted them.'

A couple weeks back, a small Microsoft reseller called us a day after an account compromise. Someone had gotten into one of their Microsoft 365 accounts, and they'd done the obvious thing: changed the password, regained access, felt the relief. An hour later the relief turned into a question: "Are they actually gone, or did they leave themselves a way back in?"

That second question is the one that matters, and it's the one most people never ask. Attackers rarely read some email and leave; they set up persistence, the quiet hooks that let them come back after a password change. For this reseller the stakes were sharper, because their access was tied to their partner standing, but the checklist applies to anyone facing a takeover. Regaining access is only the beginning. Work it in order: step one stops the bleeding, the rest evict the intruder.

1. Enforce multi-factor authentication everywhere

Multi-factor authentication (MFA), a second proof of identity beyond the password, is the single most effective control against account takeover, and after an incident it's non-negotiable. Enforce it for every user, especially the administrator, service, and shared accounts people forget, and reset affected passwords.

2. Lock down access with conditional access

Where MFA proves who a user is, conditional access decides under what circumstances they're let in at all: block sign-ins from countries you never operate in, require a managed device for administrators, challenge risky sign-ins, and block legacy authentication that bypasses MFA, so a stolen credential becomes far less useful.

3. Audit mailbox rules

A favorite attacker trick is a hidden inbox rule that auto-forwards or auto-deletes mail, to exfiltrate messages or hide the password-reset and alert emails that would tip you off. On compromised accounts, and ideally tenant-wide, delete any you didn't create.

The back door that survives a password change

An auto-forwarding rule left in place is an open back channel even after everything else is locked. The attacker doesn't need to log in anymore; your own mailbox is quietly mailing them copies.

4. Review app consents and OAuth grants

Attackers also trick a user into granting a malicious app permission to the account, an OAuth consent (OAuth being the standard that lets one app act on your behalf in another), and that app keeps access independent of the password. Review the applications granted access and revoke anything you don't recognize. This is the most overlooked form of persistence, because the password reset does nothing to it.

5. Review sign-in logs

Comb the sign-in logs for the fingerprints of the intrusion: sign-ins from unexpected countries, at odd hours, from strange devices, or logins that should've been impossible. That's what tells you the scope: which accounts were affected, whether the attacker reached beyond the first, and how long.

6. Tighten credential hygiene

With the immediate response done, address the conditions that allowed it. Retire shared accounts where you can, give admins separate accounts for admin work rather than their daily login, and pull access for people who no longer need it. Plenty of incidents trace back to exactly that kind of account.

7. Harden the endpoints

Often the entry point was a device: an unpatched laptop, a machine without protection, a phone with no controls. Make sure devices accessing your environment are patched, protected, and managed, so a compromised machine doesn't undo your identity work. The device-management and threat-protection in the higher Microsoft 365 tiers exist for exactly this.

What Secure Score is, and what it isn't

You'll run into Microsoft Secure Score, a measurement of your security posture in the Microsoft Defender portal. It looks at MFA, conditional access, and other settings, and returns a score plus prioritized recommendations to track your hardening. But here's the clarification that saves a lot of confusion: Secure Score measures the posture of your tenant. It's a guide for hardening, not a gate.

The path back to compliance for partners

For Microsoft partners, in particular Cloud Solution Provider (CSP) partners who resell and manage Microsoft services, there's an additional layer. Microsoft has partner security requirements, distinct from Secure Score, that gate your standing and are tracked in Partner Center: mandatory MFA for everyone in the partner tenant, a designated security contact, and responding to alerts.

Don't confuse the two scores

It's the partner security requirements, met or not met, that affect partner standing, not a particular Microsoft Secure Score number. Hardening your tenant is good and necessary, but don't assume a high Secure Score is what keeps you a partner in good standing.

So a partner's path back runs through both: harden the tenant, and confirm you meet the partner security requirements in Partner Center. A CSP partner should also review delegated access to customer environments for least-privilege, time-bound access.

Let's talk it through

If you've had a Microsoft 365 compromise, or the thought of one keeps you up at night, we're glad to walk through this hardening process and confirm there's no quiet way back in. For partners, we can also sort out your Secure Score versus your partner security requirements. Reach out and we'll help you lock it down.

Filed under
Explainer
Read more insights
Free strategy session

See where you stand. Then move forward.

Book a free intro call. We'll talk through where you are today and map a strategic plan for growth, protection, automation, and alignment.

A 30-minute discovery call, no obligationA full team of specialists at a fraction of in-house costA clear next step before you spend a dollar
Loading scheduler…