Security and compliance questions IT teams hear during Microsoft 365 adoption.
Phishing and mail
Does Microsoft stop all phishing?
No vendor does. Layer Defender for Office 365 (anti-phishing policies, Safe Links, Safe Attachments), user training, and phishing-resistant MFA, so that one message that gets through does not become an account takeover.
A user clicked a link. Now what?
Treat it as possible credential or session theft: reset the password, revoke all sign-in sessions and refresh tokens, check the mailbox for new inbox rules, forwarding and recently added MFA methods, then hunt across the tenant for other recipients of the same message and for similar rule changes. Report the message so Defender can remove it from other inboxes.
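The containment steps above as a PowerShell runbook. This is an added example, not code from the original page or from Microsoft; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator holds Exchange Administrator and User Administrator rights, and uses $Upn and $LookbackDays as placeholder parameters.

```powershell
# Added example, not from the original page: first-hour containment for a user who
# clicked a phishing link. Assumes ExchangeOnlineManagement and Microsoft.Graph
# modules; $Upn and $LookbackDays are placeholders supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $Upn,
    [int] $LookbackDays = 7
)

Connect-MgGraph -Scopes "User.ReadWrite.All","UserAuthenticationMethod.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Reset the password to a random value the attacker cannot know, and force a
#    change at next sign-in so the helpdesk hands the user a fresh one out of band.
$chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*'
$tempPassword = -join (1..24 | ForEach-Object { $chars | Get-Random })
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# 2. Revoke every refresh token and session: a stolen session cookie keeps working
#    after a password reset until this runs.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. Mailbox persistence: inbox rules that forward, redirect or delete mail, plus
#    mailbox-level SMTP forwarding that is set outside of any rule.
$suspect = Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
}
if ($suspect) {
    Write-Warning "Inbox rules on $Upn that forward, redirect or delete:"
    $suspect | Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage -AutoSize
    # Disable rather than delete so the rule body is kept as evidence.
    $suspect | ForEach-Object { Disable-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false }
}
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-List

# 4. A newly registered MFA method is a common persistence trick after a session
#    hijack; list the methods so an unfamiliar phone or authenticator stands out.
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } |
    Format-Table -AutoSize

# 5. Tenant-wide hunt: the same campaign usually hits several mailboxes, so look for
#    rule creation and forwarding changes across all users in the look-back window.
$hits = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, Set-Mailbox -ResultSize 5000
$hits |
    Where-Object { $_.AuditData -match 'ForwardTo|RedirectTo|ForwardingSmtpAddress|DeleteMessage' } |
    Select-Object CreationDate, UserIds, Operations |
    Sort-Object CreationDate |
    Format-Table -AutoSize
```

Run the reset and revocation in that order: revoking sessions before the reset leaves a window in which the attacker's still-valid password mints new tokens. Step 5 covers the audit log that every plan has; hunting for who else clicked the same URL needs the UrlClickEvents table in Defender advanced hunting, which is a Defender for Office 365 Plan 2 feature.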
Authentication
What is legacy authentication?
Older protocols such as IMAP, POP3, SMTP AUTH and Exchange ActiveSync with basic authentication, which present only a username and password and cannot enforce MFA; password-spray attacks target them for exactly that reason. Inventory who still uses them, move those apps and devices to modern authentication, then block legacy auth with a Conditional Access policy, in report-only mode first and enforced once the report is clean.
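The inventory-then-block procedure above as a PowerShell script. This is an added example, not code from the original page or from Microsoft; it assumes the Microsoft.Graph module, an Entra ID P1 licence (Conditional Access and sign-in log access), and that $BreakGlassGroupId is the object ID of your emergency-access group (a placeholder).

```powershell
# Added example, not from the original page: find remaining legacy-auth sign-ins,
# then create a Conditional Access block policy in report-only mode.
# Assumes Microsoft.Graph module and Entra ID P1; $BreakGlassGroupId is a placeholder.
param(
    [Parameter(Mandatory)] [string] $BreakGlassGroupId,
    [int] $LookbackDays = 7
)

Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All",
    "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All" -NoWelcome

# 1. Inventory: modern clients report "Browser" or "Mobile Apps and Desktop clients";
#    anything else (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, "Other clients")
#    is legacy and will break when the block is enforced.
$since  = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$modern = @("Browser", "Mobile Apps and Desktop clients")
$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $modern }
$legacy |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# 2. Create the block policy in report-only mode. Report-only evaluates every
#    sign-in against the policy and logs what it would have done without blocking.
#    "exchangeActiveSync" and "other" are the two legacy clientAppTypes.
$policy = @{
    displayName = "Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in report-only mode."

# 3. After the report-only results show nothing you care about, enforce it:
#    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#        -BodyParameter @{ state = "enabled" }
```

The emergency-access group is excluded so a mistake in the policy cannot lock every administrator out. Keep the look-back short on large tenants; the sign-in log query returns every interactive sign-in in the window.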
Can we use SMS MFA only?
Possible, but SMS codes can be intercepted by SIM swapping and relayed by real-time phishing kits. Microsoft Authenticator with number matching is stronger, and FIDO2 keys or passkeys are phishing-resistant; regulators increasingly expect app or FIDO methods.
Admin and audit
Who should be Global Admin?
As few people as possible (Microsoft's Secure Score recommends two to four, plus emergency-access accounts), using dedicated cloud-only admin accounts separate from their daily mail accounts, protected by phishing-resistant MFA, with sign-ins and role changes monitored.
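A check for the rule above: list who actually holds Global Administrator and whether each account is dedicated, cloud-only and MFA-registered. This is an added example, not code from the original page or from Microsoft; it assumes the Microsoft.Graph module, Entra ID P1 for the registration report, and uses $MaxAdmins as an assumed threshold.

```powershell
# Added example, not from the original page: audit Global Administrator membership
# against "few, dedicated, cloud-only, MFA". Assumes Microsoft.Graph module and
# Entra ID P1; $MaxAdmins is an assumed threshold.
param([int] $MaxAdmins = 4)

Connect-MgGraph -Scopes "Directory.Read.All","User.Read.All",
    "AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# Look the role up by its fixed template ID rather than its (localisable) display name.
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$role = Get-MgDirectoryRole -All | Where-Object { $_.RoleTemplateId -eq $globalAdminTemplateId }
if (-not $role) { throw "Global Administrator role is not activated in this tenant." }

# Direct user members only; role-assignable groups and PIM-eligible users are not expanded here.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

# MFA registration state for admin accounts, keyed by user object ID.
$reg = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isAdmin eq true" -All |
    ForEach-Object { $reg[$_.Id] = $_ }

$report = foreach ($m in $members) {
    $u = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,AssignedLicenses,OnPremisesSyncEnabled,AccountEnabled
    [pscustomobject]@{
        UPN           = $u.UserPrincipalName
        Enabled       = $u.AccountEnabled
        CloudOnly     = -not $u.OnPremisesSyncEnabled   # synced admins inherit on-prem compromise
        HasLicenses   = $u.AssignedLicenses.Count -gt 0  # licensed usually means it doubles as a mail account
        MfaRegistered = if ($reg.ContainsKey($u.Id)) { $reg[$u.Id].IsMfaRegistered } else { $null }
    }
}
$report | Format-Table -AutoSize

if ($members.Count -gt $MaxAdmins) {
    Write-Warning "$($members.Count) Global Admins; target is at most $MaxAdmins."
}
$report | Where-Object { -not $_.MfaRegistered } |
    ForEach-Object { Write-Warning "$($_.UPN) has no MFA method registered." }
$report | Where-Object { $_.HasLicenses -or -not $_.CloudOnly } |
    ForEach-Object { Write-Warning "$($_.UPN) is licensed or directory-synced: use a dedicated cloud-only admin account." }
```

Emergency-access accounts will show up here without MFA by design (they are excluded from Conditional Access); keep them on a known list and treat any other unregistered admin as a finding.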
How long are audit logs kept?
Audit (Standard) keeps 180 days (raised from 90 in 2023); Audit (Premium), included in E5/A5/G5, keeps one year and offers a 10-year retention add-on. Check your tenant's retention policies rather than assuming the default.
Data location
Where is our data stored?
It depends on the tenant's sign-up country (its geo) and on the service: Exchange Online, SharePoint, OneDrive and Teams store core customer data in that geo, while some other services may be hosted elsewhere. Review Microsoft's Trust Center and data-location documentation for your region and any industry-specific commitments.
Can we stop US government access?
Whether a government can compel access is a legal question for counsel. Technical controls reduce exposure: Customer Lockbox gates Microsoft engineer access behind your approval, Double Key Encryption keeps one key that Microsoft never holds, and Conditional Access limits who can reach the data; contractual commitments cover the rest.
Devices
Can we wipe a lost phone without wiping photos?
Yes. Intune's selective wipe (an app protection policy action) removes organization data from managed apps and leaves personal photos and apps alone. The separate "Wipe" action on an enrolled device is a factory reset, so choose deliberately. Selective wipe only reaches data inside managed apps, so the app protection policy should also block saving org data to personal locations.
Upgrades
Advanced hunting and Data Loss Prevention often require Microsoft 365 Business Premium or E5; compare plans on M365 Deals.