Your guide to security, compliance, and governance
Here you can find out how to configure your tenant not only productively, but also securely and in a GDPR-compliant way. We’ll walk you through the latest best practices, from global organization settings down to the details of each service.
🆕 Last update on 25.12.2025 | Because the cloud changes constantly, we review this guide continuously. Nevertheless, checking the official Microsoft documentation remains mandatory to stay up to date with critical changes.
Organization Settings

Before you roll out individual tools, the foundation must be right. These global settings determine the security level of your entire environment.
Services
Don’t blindly trust default values. Apply the principle of “privacy by design” to make your environment GDPR-compliant. By minimizing data by default—for example by pseudonymizing usernames in reports—and disabling unnecessary “connected experiences,” you actively reduce risk.
👉 Organization Settings – SERVICES
Security and privacy
Who is allowed to see what? Define granular access rights to keep sensitive data protected. Also enable audit logging: it makes access traceable and, in the event of an incident, is your most important evidence of compliance towards auditors.
👉 Organization Settings – Security Privacy
Organization Profile
Your organization profile is the legal imprint of your tenant. Always keep master data and technical contacts (e.g. for data protection requests) up to date. This not only ensures that Microsoft can reach you in the event of incidents, but is also part of your due diligence obligations under the GDPR.
👉 Organization Settings – Organization Profile
Privacy in the Services

The fundamental security framework is in place – but this is only the beginning. Now that the global guidelines have been set, we dive deep into the individual applications.
Whether Microsoft Teams, SharePoint or Entra ID: each service has its own architecture, its own admin center and individual pitfalls that general guidelines often do not cover. This is where it is decided, in detail, how securely and productively your users really work day to day.
🔐 Microsoft Entra ID
Identity is the new firewall. Entra ID controls who gets through the door at all.
- Collaboration between tenants: Secure your B2B scenarios. Use cross-tenant access settings to control exactly which external organizations you exchange data with.
- Directory synchronization: If you run a hybrid setup (Entra Connect), practice data minimization. Synchronize only the attributes and users that really need to go to the cloud.
- Data quality: Stale accounts are a security risk. Regular access reviews are mandatory.
👉 To the guide: Data protection in Microsoft Entra ID
💬 Microsoft Teams
The center of collaboration – and often the largest data store.
- Team and channel management: Prevent uncontrolled growth. Clearly define who may create new teams (lifecycle management) so that you don’t end up managing thousands of orphaned teams full of stale data.
- Guest access: Collaboration yes, but under control. Make sure guests only have access to the bare essentials and must use MFA.
- Employee training: Technology is only half the battle. Make your users aware of how to handle chats, file sharing and recordings.
👉 To the guide: Data protection in Microsoft Teams
📂 Microsoft SharePoint
This is where your documents live. Permission management is key here.
- External sharing: The biggest risk. Restrict “sharing with anyone” (anonymous links) and set expiration dates for external links.
- Protective measures: Use Data Loss Prevention (DLP) to block accidental sharing of credit card data or employee numbers.
- Permission review: Regularly check inherited permissions on libraries. “Less is more.”
👉 To the guide: Data protection in Microsoft SharePoint Online
🤖 Microsoft Copilot
AI amplifies everything – including your security gaps. Copilot finds everything the user has access to (the oversharing problem).
- Control data access: Before you turn on Copilot, clean up your permissions (Just Enough Access). Copilot respects existing rights – if these are too broad, the AI sees too much.
- Protective measures: Use sensitivity labels. A document marked as “Strictly Confidential” will not be used by Copilot for responses.
- Protection: Use DLP to prevent sensitive content from leaking through copy-paste in Copilot responses.
👉 Get the guide: Privacy in Microsoft Copilot
🛡️ Microsoft Purview
The command center for your compliance. Here you leave the level of the individual apps and lay a protective net over all your data.
- Information protection: Know your data. Use sensitivity labels to classify documents and, where necessary, encrypt them automatically, no matter where they are stored.
- Audit and eDiscovery: Who did what, and when? Make sure audit logs are retained long enough to remain usable as evidence in the event of a data breach or litigation.
👉 To the guide: Data protection with Microsoft Purview
📧 Microsoft Exchange Online
Email has been declared dead many times, yet it lives on. Even in the age of Teams, email remains the number one entry point for ransomware and phishing attacks.
- Protection against attacks: Harden your defenses. Configure anti-phishing and anti-malware policies strictly to protect users from malicious attachments and fake “boss” emails (CEO fraud).
- Authentication (SPF/DKIM/DMARC): No sending without proof of identity. Protect your domain reputation from spoofing and make sure your legitimate emails don’t end up in customers’ spam folders.
- Deprecated protocols: Close the back doors. Disable legacy authentication (basic auth for IMAP/POP) globally; it bypasses MFA and is the preferred target of password brute-force attacks.
👉 To the guide: Hardening | Security Privacy Best Practices
Microsoft Documentation
Microsoft 365 admin center documentation
Microsoft Entra ID documentation
Microsoft Exchange Online Documentation
Changelog
| DATE | TYPE OF CHANGE |
|---|---|
| 23.09.2023 | Publication of the Data Protection Guide: Laying the foundation of the documentation with a focus on secure basic configuration of: • SharePoint Online: sharing permissions and access protection. • Microsoft Teams: guidelines for external communication and guest access. • Entra ID: identity protection and basic security standards. |
| 10.04.2024 | Update: Comprehensive review and adaptation of existing content to Microsoft default settings. Integration of new best practices to harden the environment, as well as editorial revision of the data protection notice. |
| 28.09.2024 | Update: Check of existing content for changed Microsoft settings. |
| 19.03.2025 | Enhancement: Microsoft 365 Copilot. Added a new chapter on the introduction and validation of AI assistants in the company. Focus: licensing, requirements for the “Semantic Index” and data protection-compliant provision of Copilot for end users. |
| 01.09.2025 | Enhancement: Microsoft Purview. Expansion of the documentation to include information protection, configuration of sensitivity labels and strategies for Copilot Data Loss Prevention (Copilot DLP). |
| 14.09.2025 | Update: Harmonizing terminology and updating outdated screenshots due to UI changes in the admin center. |
| 20.12.2025 | Update: Checking all linked Microsoft sources for validity. Adapting PowerShell commands to new modules and discontinued features. |
| 21.12.2025 | Remodeling: Microsoft 365 Data Protection Guide. • Structure and formatting of the Privacy Guide landing page adjusted. |
| 25.12.2025 | Expansion: Microsoft 365 Copilot. • Copilot settings moved to a separate article and expanded. |
| 25.12.2025 | Enhancement: Exchange Online Hardening. • Implementation of SPF, DKIM and DMARC. • Protection against phishing and spoofing (external tagging, anti-spam). • Hardening of transport routes (SMTP AUTH shutdown, TLS 1.2). |