Office 365 includes many services, such as Exchange Online, Teams, SharePoint Online, Flow, and many useful services, but more and more services are more settings and controls to manage and secure.
The security issue in Office 365 (the big one) is how to secure the Office 365 services, even those not in use.
One of the examples is the Global Admin membership and the fact that most of the time is the same regular user in Active Directory that configured as Global Admin.
Another example is when you’ve full licenses for Office 365 E5. Still, you’re using only Exchange Online, so the other services are open and exposed and open to anyone with default security (default security=no security).

Base on that and many other security misconfigurations in Office 365 services, you need to take care of your Office 365 services and use the built-in and useful Security features.
The Security and Compliance (SCC) has many security features that allow configuring, hardening, and make sure that you on the safe side.

How to mitigate risk immediately for Admins

There are many ways configuration, settings, and features that allow you to reduce the attack area and be done immediately.
Some security issues: Global Admin and other security roles include many members.
Many members used the same user for Global Admin and simple Active Directory user. In many cases, the same Global admins are the member of Domain Admin.


Global Admin – keep Global Admin account members as minimal as possible. The more global admin users you have, the more likely an external attacker will successfully breach one of those accounts.
Roles and administrators – Based on administrative tasks, you can configure specific roles and administrators and reduce the number of global admin role holders, which will lower the breach of an account.
MFA for all security roles – Configure MFA for global admins and other security roles.
The MFA for that admin must be externally and internally, and whether you’ve Azure AD Premium or even use the current Office 365 MFA.
Enable audit data recording – You should examine the security breach’s scope after the attack and daily to predict a potential violation.
Disable admin accounts are not used – There are many scenarios where admin accounts remain for a long period.
In this situation, you must block, delete, and disable those accounts to prevent the attack.
Azure AD Privileged Identity Management (ADPIM) – With Azure AD Privileged Identity Management, you can manage, control, and monitor access within your organization.
This includes access to Azure AD, Azure Resources, and other Microsoft Online Services like Office 365 or Microsoft Intune.
Azure AD Identity Protection (ADIP) – This allows you to detect potential vulnerabilities affecting your identities, automated responses to detect suspicious actions, investigate suspicious incidents, and take appropriate action to resolve them.

More information

The security of most or all business assets in the modern organization depends on the privileged accounts’ integrity that administers and manages IT systems.
Malicious actors, including cyber-attackers, often target admin accounts and other privileged access elements to attempt to rapidly gain access to sensitive data and systems using credential theft attacks.
For cloud services, prevention and response are the joint responsibilities of the cloud service provider and the customer.

• Office 365 Security Risks to Mitigate Immediately (part2)
• Securing privileged access in Azure AD