Tenant Configuration
Configure your Microsoft 365 tenant’s foundational settings including custom domains, organization settings, emergency access accounts, email security baseline, and alert policies.
Overview
| Section | Description |
|---|---|
| Vanity Domains | Associate custom domains to Microsoft 365 |
| Organization Settings | Customize password policy, org info, and support details |
| Emergency Access Accounts | Create break-glass accounts and security group |
| EOP & ATP Baseline | Apply email security baseline policies |
| Report Message Add-in | Enable users to report spam/phishing |
| Alert Policies | Configure security & compliance alerts |
Vanity Domains
Associate your organization’s custom domain(s) with Microsoft 365.
Steps
- Go to Microsoft 365 Admin Center > Settings > Domains
- Click Add domain and enter your custom domain name
- Follow the wizard to verify domain ownership via DNS TXT record
- Update MX, CNAME, and TXT records at your DNS registrar as instructed
- Set the custom domain as the default domain if desired
Allow up to 48 hours for DNS propagation after updating records.
Organization Settings
Customize your tenant’s general organization settings.
Steps
- Navigate to Microsoft 365 Admin Center > Settings > Org settings
- Under the Organization profile tab, update:
- Organization name
- Technical contact email
- Support contact details (phone, website, URL)
- Under the Security & privacy tab, configure the Password expiration policy:
- Recommended: Set passwords to never expire if using MFA
- Review and update Release preferences (targeted/standard release)
Emergency Access Accounts
Create at least one break-glass (emergency) account that is excluded from all Conditional Access policies.
Why It Matters
Without emergency access accounts, a misconfigured Conditional Access policy can lock all administrators out of the tenant.
Steps
- Create a dedicated security group named something like Excluded from CA
- Create 2 emergency access accounts with:
- Cloud-only accounts (not synced from on-premises AD)
- Strong, randomly generated passwords (20+ characters)
- No MFA requirements (these accounts are excluded from CA)
- Permanent Global Administrator role assignment
- Store credentials securely — use a physical safe or offline password vault
- Add accounts to the Excluded from CA security group
- Monitor sign-in activity for these accounts via Azure AD sign-in logs
These accounts should NEVER be used for day-to-day administration. Set up alerts (see Alert Policies) to notify you immediately if they are used.
EOP & ATP Baseline
Apply baseline security policies for Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (formerly Office 365 ATP).
Steps
- Navigate to security.microsoft.com > Email & Collaboration > Policies & Rules > Threat policies
- Anti-phishing policy — configure:
- Enable mailbox intelligence
- Enable impersonation protection for key users and domains
- Set action for impersonation detections to Quarantine message
- Anti-spam policy — configure:
- Review and tighten bulk email threshold (recommended: 5–6)
- Enable Safety Tips
- Anti-malware policy — configure:
- Enable common attachment filter
- Enable zero-hour auto purge (ZAP)
- Safe Attachments (requires Defender for Office 365):
- Enable for all users
- Set action to Dynamic Delivery (reduces delay)
- Safe Links (requires Defender for Office 365):
- Enable for Office 365 Apps
- Enable Do not rewrite URLs option for trusted domains if needed
- Configure SPF, DKIM, and DMARC at your DNS registrar:

| Record | Type | Purpose |
|---|---|---|
| SPF | TXT | Authorizes which servers can send email for your domain |
| DKIM | CNAME | Cryptographically signs outbound email |
| DMARC | TXT | Instructs receivers what to do with failed SPF/DKIM |
Run the Configuration Analyzer (security.microsoft.com > Email & Collaboration > Configuration analyzer) to compare your settings against Microsoft’s Standard and Strict recommendations.
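As an added example (not part of the original page), a small Python checker for the three DNS records in the table above, run over constructed sample records for a hypothetical domain; it flags an SPF record that omits the Exchange Online include or ends permissively, a DMARC policy still at p=none or without a reporting address, and a missing DKIM selector CNAME.

```python
# Constructed sample records for a hypothetical domain (not from the page or a real tenant)
SAMPLE = {
    "spf": "v=spf1 include:spf.protection.outlook.com ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "dkim": {
        "selector1._domainkey": "selector1-example-com._domainkey.example.onmicrosoft.com",
        "selector2._domainkey": "",  # second selector not yet published
    },
}

def check_spf(txt: str) -> list[str]:
    """Flag an SPF record that does not authorize Exchange Online or ends permissively."""
    parts = txt.lower().split()
    if not parts or parts[0] != "v=spf1":
        return ["not an SPF record"]
    issues = []
    if "include:spf.protection.outlook.com" not in parts:
        issues.append("missing include:spf.protection.outlook.com")
    if parts[-1] in ("+all", "all"):
        issues.append("record ends with +all: any server may send as this domain")
    elif parts[-1] not in ("-all", "~all"):
        issues.append("no terminal 'all' mechanism: unlisted senders evaluate to neutral")
    return issues

def check_dmarc(txt: str) -> list[str]:
    """Parse tag=value pairs and flag a policy that does not act on failures."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    if tags.get("p", "none") == "none":
        issues.append("p=none: receivers only report, they do not quarantine or reject failures")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports will not be received")
    return issues

def check_dkim(cnames: dict[str, str]) -> list[str]:
    """Both Microsoft 365 selectors must be CNAMEs into the tenant's onmicrosoft.com zone."""
    issues = []
    for sel in ("selector1._domainkey", "selector2._domainkey"):
        target = cnames.get(sel, "")
        if not target.endswith(".onmicrosoft.com"):
            issues.append(f"{sel} does not point into onmicrosoft.com (got {target!r})")
    return issues
```

Feed it the TXT and CNAME values you retrieve from your own zone; the sample above passes SPF but reports the p=none DMARC policy and the unpublished second DKIM selector.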
Report Message Add-in
Enable end users to report suspicious emails directly to Microsoft from Outlook.
Steps
- Go to Microsoft 365 Admin Center > Settings > Integrated apps
- Search for and deploy the Report Message add-in to all users
- Alternatively, deploy via Exchange Admin Center > Organization > Add-ins
Users will then see a Report Message button in Outlook (desktop and web) allowing them to flag emails as Junk, Phishing, or Not Junk.
Alert Policies
Configure default alert policies in the Microsoft 365 Security & Compliance center.
Steps
- Navigate to compliance.microsoft.com > Policies > Alert policy
- Review the default alert policies and ensure notifications go to the right email addresses
- Recommended alerts to verify/enable:

| Alert | Severity | Description |
|---|---|---|
| Elevation of Exchange admin privilege | High | Detects privilege escalation |
| eDiscovery search started or exported | Medium | Tracks eDiscovery activity |
| Unusual external user file activity | Medium | Detects anomalous sharing |
| Malware campaign detected | High | Email-borne malware alerts |
| Unusual volume of file deletion | Medium | Ransomware early detection |

- Create a custom alert for Emergency Access account sign-ins:
- Go to Alert policy > New alert policy
- Activity: User signed in
- Filter by the emergency access account UPNs
- Set severity to High
- Notify Global Admins immediately
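The break-glass account requirements from Emergency Access Accounts and the custom sign-in alert described above, as an added Python example that is not part of the original page: the UPNs, group name and records are constructed samples shaped like Microsoft Graph user and sign-in objects, with group membership and role assignment flattened into plain lists for the example.

```python
# Hypothetical break-glass UPNs and group name for this example (not from the page)
BREAK_GLASS_UPNS = {"bg-admin-01@example.onmicrosoft.com", "bg-admin-02@example.onmicrosoft.com"}
EXCLUSION_GROUP = "Excluded from CA"

# Constructed records shaped like Microsoft Graph user and signIn objects; field names
# such as onPremisesSyncEnabled and status.errorCode follow Graph, memberOf/roles are flattened here
USERS = [
    {"userPrincipalName": "bg-admin-01@example.onmicrosoft.com", "onPremisesSyncEnabled": None,
     "memberOf": ["Excluded from CA"], "roles": ["Global Administrator"]},
    {"userPrincipalName": "bg-admin-02@example.onmicrosoft.com", "onPremisesSyncEnabled": True,
     "memberOf": [], "roles": ["Global Administrator"]},
]
SIGNINS = [
    {"createdDateTime": "2024-05-01T08:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T23:41:00Z", "userPrincipalName": "bg-admin-01@example.onmicrosoft.com",
     "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T02:15:00Z", "userPrincipalName": "BG-Admin-02@example.onmicrosoft.com",
     "ipAddress": "198.51.100.9", "appDisplayName": "Azure Portal", "status": {"errorCode": 50126}},
]

def audit_break_glass(user: dict) -> list[str]:
    """Check one account against the break-glass requirements in the Steps above."""
    issues = []
    if user.get("onPremisesSyncEnabled"):
        issues.append("synced from on-premises AD; must be cloud-only")
    if EXCLUSION_GROUP not in user.get("memberOf", []):
        issues.append(f"not a member of '{EXCLUSION_GROUP}'; Conditional Access can lock it out")
    if "Global Administrator" not in user.get("roles", []):
        issues.append("no permanent Global Administrator assignment")
    return issues

def break_glass_alerts(signins: list[dict]) -> list[dict]:
    """Raise a High alert for every sign-in attempt by a break-glass UPN, successful or not."""
    alerts = []
    for ev in signins:
        upn = ev["userPrincipalName"].lower()  # UPNs are case-insensitive, normalize before matching
        if upn not in BREAK_GLASS_UPNS:
            continue
        code = ev.get("status", {}).get("errorCode", 0)
        alerts.append({"severity": "High", "upn": upn, "time": ev["createdDateTime"],
                       "ip": ev["ipAddress"], "app": ev.get("appDisplayName"),
                       "outcome": "success" if code == 0 else f"failure ({code})"})
    return alerts
```

Failed attempts are alerted as well as successes, because a burst of failures against an account nobody should be using is itself a signal worth notifying Global Admins about.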