Microsoft 365 security for schools
Microsoft 365 is where most of your school now lives: email, files, Teams, and every staff and student account. That also makes it the thing most worth protecting, and the place attackers aim for first. This guide covers what securing Microsoft 365 actually involves in a school, in plain terms.
Why Microsoft 365 is where security matters most
If someone gets into a staff Microsoft 365 account, they get a lot: email, documents, contacts, and often a path further into your systems. Most attacks on schools don't break through a firewall; they simply log in with a stolen or guessed password. So the security that matters most isn't at the edge of your network; it's around your accounts and your data inside Microsoft 365.
The weak spots in a school's Microsoft 365
The same gaps turn up again and again:
- Multi-factor authentication not switched on, or only on some accounts.
- Default settings left as they came, which are built for convenience rather than security.
- Old or unused accounts still active, including for staff who've left.
- Files and folders shared more widely than anyone intended.
- Too many people holding global admin rights "just in case".
What to get right
- Identity first: multi-factor authentication on every account, plus conditional access rules that add checks for risky sign-ins. This is the single biggest win.
- Email security: filtering for phishing and dodgy attachments, and settings that make impersonation harder.
- Data and sharing: sensible defaults for who can share what, and with whom, so student and staff data doesn't leak by accident.
- Admin accounts: as few as possible, kept separate from everyday accounts, and protected the hardest.
- Leavers: a clear process so accounts are disabled the day someone leaves.
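The account-level gaps in the two lists above (missing multi-factor authentication, leavers and unused accounts still active, too many global admins) can be checked against an export of your accounts. The script below is an added example, not part of the original guide. The CSV column names, the sample accounts, and the 90-day and two-admin thresholds are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export. The column names are assumptions for this
# example, not a real Microsoft 365 report format.
SAMPLE_EXPORT = """upn,enabled,mfa_registered,last_sign_in,roles,left_school
head@school.example,true,true,2024-05-28,Global Administrator,
it.admin@school.example,true,true,2024-05-30,Global Administrator,
office@school.example,true,false,2024-05-29,Global Administrator,
j.smith@school.example,true,false,2024-05-27,,
old.teacher@school.example,true,true,2023-11-02,,2023-12-15
relief@school.example,true,true,2024-01-10,,
gone@school.example,false,false,2023-06-01,,2023-06-30
"""


def audit_accounts(export_text, today, stale_days=90, max_global_admins=2):
    """Return findings keyed by the weak spots the guide lists."""
    findings = {"no_mfa": [], "leaver_still_enabled": [],
                "stale": [], "global_admins": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled, so it cannot be used to sign in
        upn = row["upn"]
        if row["mfa_registered"].strip().lower() != "true":
            findings["no_mfa"].append(upn)
        if row["left_school"]:
            # A leaving date is recorded but the account is still enabled.
            findings["leaver_still_enabled"].append(upn)
        elif (not row["last_sign_in"] or
              (today - date.fromisoformat(row["last_sign_in"])).days > stale_days):
            findings["stale"].append(upn)
        # Multiple roles are assumed to be separated by semicolons.
        if "Global Administrator" in row["roles"].split(";"):
            findings["global_admins"].append(upn)
    # The admin limit is an assumed threshold; the guide only says "as few as possible".
    findings["too_many_global_admins"] = (
        len(findings["global_admins"]) > max_global_admins)
    return findings


if __name__ == "__main__":
    for check, result in audit_accounts(SAMPLE_EXPORT, date(2024, 6, 1)).items():
        print(f"{check}: {result}")
```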
Licensing, in plain terms
Schools get Microsoft 365 through education licensing, usually across the A1, A3 and A5 tiers. The thing to know is that a lot of the stronger security tools live in the higher tiers. You don't necessarily need the top tier everywhere, but it's worth knowing what your licences include, because many schools are already paying for security features they've never switched on.
Where to start
Securing Microsoft 365 properly is mostly about identity first, then email, then data, in that order. If you'd like a hand working out where your tenant stands, that's part of what we do. Our Essential Eight readiness check is also a quick way to see how your accounts and backups measure up. You can also read our Essential Eight for schools guide for a broader view of the standard.
