1. THE OUTCOME
You will finish with an executive security posture that’s hard to phish and hard to misconfigure: phishing‑resistant MFA enforced for privileged roles, legacy auth blocked, user app consent constrained, Teams links scanned, device access governed, Office apps hardened, Defender policies applied, and executive mail risk reduced by switching from “guessing what’s bad” to “only allowing what’s known-good.”
2. BEFORE YOU START
- Required permissions (use the least privileged role that covers the step; Global Administrator is rarely needed): Global Administrator, Security Administrator, Conditional Access Administrator, Application Administrator, or Privileged Role Administrator
- Required portals: Microsoft 365 Admin Center, Entra admin center, Microsoft 365 Defender, Teams admin center, Intune (Endpoint Manager), Microsoft Purview (compliance)
- Licensing notes (common):
- Conditional Access typically needs Entra ID P1/P2
- Defender for Office 365 settings require Plan 1 or Plan 2
- Intune security baselines require Intune licensing for targeted users/devices
- Browser: Edge/Chrome/Firefox latest; enable cookies + JavaScript
- Operational requirement: Create an Executives security group and an IT-BreakGlass group (excluded from tight policies)
- Time estimate: ~2–3 hours of focused configuration + staged rollout time (1–7 days depending on device/user readiness)
Do not apply executive Conditional Access policies tenant-wide first. Start with a pilot group and a break-glass account excluded from Conditional Access.
3. THE STEPS
Step 1: Inventory executive identities and create targeting groups
Navigate to Microsoft 365 admin center → Teams & groups → Active teams & groups → Security groups → Add a group.
Create:
- SG-Executives
- SG-Exec-Assistants (optional)
- SG-IT-BreakGlass-ExcludeCA
Expected result: You have at least one executive-targeting group and one exclusion group you can use in every policy.
Use groups everywhere. It prevents “one-off” settings that silently drift over time.
Step 2: Turn on Baseline Security Mode low-impact policies
Navigate to Microsoft 365 admin center → Settings → Org settings → Security & Privacy → Baseline Security Mode.
- Select Enable for Low-impact policies first.
- Select View impact report for any high-impact category before enabling it.

Expected result: Baseline low-impact controls show as enabled, and you can see an impact report listing affected users/apps for higher-impact changes.
High-impact baseline items commonly break older mail clients, third-party calendar sharing, and legacy service accounts. Always read the impact report first.
Step 3: Require phishing-resistant MFA for privileged roles
Navigate to Entra admin center → Protection / Security → Conditional Access → Policies → New policy.
Configure:
- Name: CA - Admins - Phishing Resistant MFA
- Assignments → Users:
- Include: Directory roles → select privileged roles (at minimum Global Administrator, Privileged Role Administrator, Security Administrator, Conditional Access Administrator, Exchange Administrator, SharePoint Administrator)
- Exclude: SG-IT-BreakGlass-ExcludeCA
- Target resources: All cloud apps
- Grant: Require authentication strength → select Phishing-resistant MFA
- Enable policy: Start with Report-only, then move to On after validation
Expected result: Admin sign-ins require methods like FIDO2 or Windows Hello for Business (depending on your configured authentication strengths).
Use Report-only for 24–48 hours and review sign-in logs to find who will break before you flip it to On.
Step 4: Block legacy authentication at sign-in
Navigate to Entra admin center → Security → Conditional Access → Policies → New policy.
Configure:
- Name: CA - Block Legacy Auth
- Assignments → Users:
- Include: All users (or start with SG-Executives for pilot)
- Exclude: SG-IT-BreakGlass-ExcludeCA and any verified service accounts you are actively migrating
- Conditions → Client apps: select both Exchange ActiveSync clients and Other clients (legacy authentication); selecting only Other clients leaves basic-auth ActiveSync open
- Access controls → Block access
- Enable policy: Report-only → then On
Expected result: Basic/legacy auth sign-ins are blocked, and report-only logs show which apps would have failed.
Legacy auth blocks can disrupt cross-tenant Free/Busy, MailTips, and older calendar integrations. Validate business-critical flows before turning On.
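Steps 3 and 4 as one script, added here as an example and not part of the original guide: it creates both Conditional Access policies in Report-only mode with Microsoft Graph PowerShell and then pulls the report-only failures from the sign-in log so you know who would break before you flip them to On. It assumes the Microsoft.Graph module, an account holding Conditional Access Administrator, and the Step 1 groups; group, role and authentication-strength IDs are resolved by name at run time rather than hardcoded.

```powershell
# Added example (not from the original guide). Assumes Microsoft.Graph is installed,
# the signed-in account is a Conditional Access Administrator, and the Step 1 groups exist.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Group.Read.All', 'RoleManagement.Read.Directory',
                        'AuditLog.Read.All', 'Directory.Read.All'

# Break-glass exclusion group (Step 1). Fail closed if it is missing: a policy that
# targets every admin with no exclusion is how tenants lock themselves out.
$breakGlass = Get-MgGroup -Filter "displayName eq 'SG-IT-BreakGlass-ExcludeCA'"
if (-not $breakGlass) { throw 'SG-IT-BreakGlass-ExcludeCA not found; create it first (Step 1).' }

# Privileged roles from Step 3, resolved to role template IDs by display name
$roleNames = 'Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
             'Conditional Access Administrator', 'Exchange Administrator', 'SharePoint Administrator'
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $roleNames } |
    Select-Object -ExpandProperty Id
if (@($roleIds).Count -ne $roleNames.Count) { throw 'Not every role name resolved; check spelling.' }

# Built-in authentication strength (FIDO2, Windows Hello for Business, certificate-based)
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $strength) { throw 'Built-in "Phishing-resistant MFA" strength not found.' }

$adminPolicy = @{
    displayName   = 'CA - Admins - Phishing Resistant MFA'
    state         = 'enabledForReportingButNotEnforced'      # Report-only first (Step 3)
    conditions    = @{
        users        = @{ includeRoles = @($roleIds); excludeGroups = @($breakGlass.Id) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $strength.Id } }
}

$legacyPolicy = @{
    displayName   = 'CA - Block Legacy Auth'
    state         = 'enabledForReportingButNotEnforced'      # Report-only first (Step 4)
    conditions    = @{
        # Pilot variant: replace includeUsers with includeGroups = @('<SG-Executives id>')
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        # Both legacy client-app types; 'other' alone leaves basic-auth ActiveSync open
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$created = foreach ($body in $adminPolicy, $legacyPolicy) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}
$created | Select-Object DisplayName, State, Id

# After 24-48 hours of Report-only: sign-ins that either policy would have blocked or
# challenged. The policy-result filter is client-side, so keep the query bounded.
$names = $created.DisplayName
Get-MgAuditLogSignIn -Top 1000 |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.DisplayName -in $names -and $_.Result -eq 'reportOnlyFailure' }
    } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ClientAppUsed |
    Sort-Object CreatedDateTime -Descending

# Only after the failures above are fixed or documented as exceptions, enforce:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <Id> -State 'enabled'
```

Every admin in $roleNames must have a FIDO2 key or Windows Hello for Business enrolled before the first policy goes to On; the report-only listing is where you find the ones who have not.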
Step 5: Restrict user consent to apps (stop OAuth drive-by)
Navigate to Entra admin center → Enterprise applications → Consent and permissions → User consent settings.
Set:
- User consent for applications: choose Allow user consent for apps from verified publishers, for selected permissions (Recommended), or Do not allow user consent if executives can tolerate the friction; never leave it at Allow user consent for apps
- Admin consent settings → Admin consent requests: turn on Users can request admin consent to apps they are unable to consent to and name reviewers, so executives can request access without self-approving risky permissions
Expected result: Executives can’t casually grant mailbox/file access to unknown OAuth apps; risky consent requires admin approval.
This is one of the highest ROI executive controls because many “phishing” attacks now end with OAuth consent, not passwords.
Step 6: Enable Teams malicious URL protection
Navigate to Teams admin center → Messaging → Messaging settings.
Turn on:
- Malicious URL Protection (Safe Links for Teams messages)
Check the Safe Links policy too: Safe Links for Teams is driven by the Defender for Office 365 Safe Links policy that covers the user (Defender portal → Email & collaboration → Policies & rules → Threat policies → Safe Links), so confirm the policy that applies to SG-Executives has its Teams option enabled.
Expected result: URLs in Teams chats and channels get scanned and rewritten/protected according to your policy.
Step 7: Create a basic device security baseline for executive mobile access
Navigate to https://compliance.microsoft.com/basicmobilityandsecurity → Policies → Create.
Use the wizard:
- Name: BMS - Executives - Minimum Device Security
- Access requirements: require a PIN/password, block jailbroken/rooted devices
- Configurations: enable device encryption where supported
- Deployment: assign to SG-Executives

Expected result: Executive devices must meet minimum security requirements to access Microsoft 365 services.
This is not a replacement for full Intune management. It’s a minimum viable gate when you need fast protection.
Step 8: Deploy Intune security baseline for Microsoft 365 Apps
Navigate to Intune admin center → Apps → Policies for Microsoft 365 Apps.
- Filter for Security Baseline policies.
- Create or assign the baseline to SG-Executives (or executive devices).
If the UI shows recommended settings but Apply is disabled:
- Change one setting manually (toggle a value) to activate Apply
- Or confirm whether a baseline is already deployed and you’re viewing a read-only recommended set
Expected result: Office app security settings (macro controls, trusted locations, add-in constraints where applicable) are enforced consistently.
If the portal is slow or inconsistent, validate via the same channel you used to configure (Intune UI vs Graph). UI reflection can lag.
Step 9: Harden Defender for Office 365 attachment filtering
Navigate to Microsoft 365 Defender (or security portal) → Email & collaboration → Policies & rules → Threat policies → Anti-malware.
Edit the default policy (or create an executive-specific one) and enable:
- Common Attachment Types Filter = On
- Add high-risk types such as: exe, js, vbs, bat, cmd, scr, ps1, jar, iso (adjust to your environment)
Expected result: High-risk attachment types are blocked or quarantined before executives can open them.
Blocking iso/zip can break legitimate workflows. Use an executive-specific policy first, then expand when you have exceptions documented.
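The executive-specific anti-malware policy from this step, as an added example (not from the original guide) in Exchange Online PowerShell, which is where these settings live behind the Defender portal. It assumes the ExchangeOnlineManagement module, Security Administrator rights, and a mail-enabled group named SG-Executives-Mail: the malware filter rule's -SentToMemberOf condition only matches mail-enabled groups, so the plain security group from Step 1 will not work here.

```powershell
# Added example (not from the original guide). Assumes ExchangeOnlineManagement is
# installed and 'SG-Executives-Mail' is a mail-enabled security/distribution group.
Connect-ExchangeOnline

$policyName = 'Anti-malware - Executives'
$ruleName   = "$policyName rule"
$execGroup  = 'SG-Executives-Mail'

# Step 9 types that have no legitimate business use in executive mail.
# iso and zip are deliberately absent: add them only once the release/exception
# process from Common Patterns item 4 is written down.
$blockTypes = 'exe', 'js', 'vbs', 'bat', 'cmd', 'scr', 'ps1', 'jar'

if (-not (Get-MalwareFilterPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    $policyParams = @{
        Name             = $policyName
        EnableFileFilter = $true                   # Common Attachment Types Filter = On
        FileTypes        = $blockTypes
        FileTypeAction   = 'Quarantine'            # not Reject: security can release with justification
        QuarantineTag    = 'AdminOnlyAccessPolicy' # built-in quarantine policy: only admins release
        ZapEnabled       = $true                   # zero-hour auto purge for late verdicts
    }
    New-MalwareFilterPolicy @policyParams
}

# Scope the policy to executives only and evaluate it before the default policy
if (-not (Get-MalwareFilterRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-MalwareFilterRule -Name $ruleName -MalwareFilterPolicy $policyName `
        -SentToMemberOf $execGroup -Priority 0
}

# Verify what is actually enforced
Get-MalwareFilterPolicy -Identity $policyName |
    Select-Object Name, EnableFileFilter, FileTypeAction, QuarantineTag,
                  @{ n = 'FileTypes'; e = { $_.FileTypes -join ',' } }
Get-MalwareFilterRule -Identity $ruleName | Select-Object Name, State, Priority, SentToMemberOf

# Expanding later: -FileTypes replaces the whole list, so pass the full set
# Set-MalwareFilterPolicy -Identity $policyName -FileTypes ($blockTypes + 'iso')
```

Quarantine plus an admin-only quarantine policy is what makes the "exception process" in Common Patterns item 4 real: the message is held, the assistant or security team asks for release, and nothing is silently dropped.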
Step 10: Apply endpoint security policies and force sync
Navigate to Microsoft 365 Defender → Endpoints → Endpoint security policies.
- Create or adjust endpoint security policies for executive devices (AV, ASR rules, firewall, device control—based on your platform mix).
- Assign to the executive device group.
To speed enforcement:
- On a device, run Sync (Device actions → Policy sync) to reduce wait from up to ~90 minutes to ~10 minutes.
Expected result: Defender endpoint policies show as assigned, and devices begin reporting compliance/assignment status.
If the Endpoints menu is missing, click any “Get started/Activate features” tile in Defender. Backend provisioning can take up to 24 hours.
Step 11: Disable algorithmic inbox guessing for executives (reduce misses)
Focused Inbox is a per-mailbox setting: the executive can turn it off in Outlook, or an admin can turn it off centrally for the executive mailboxes (Exchange Online PowerShell, Set-FocusedInbox) or tenant-wide (Set-OrganizationConfig). Decide which before rolling out, then turn off the “guessing” features that hide messages:
- Disable Focused Inbox (and any legacy Clutter-style sorting still enabled)
Use this for the exact clicks and enforcement patterns: How to Disable Focused Inbox and Clutter Permanently
Expected result: Executives see one deterministic inbox view instead of messages being silently routed by probabilistic sorting.
Algorithmic sorting reduces trust. Executives stop checking “Other,” and attackers exploit that.
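The centrally enforced version of this step, as an added example (not from the original guide): Exchange Online PowerShell turns Focused Inbox off for every executive mailbox and confirms the result. It assumes the ExchangeOnlineManagement module, Exchange Administrator rights, and a mail-enabled group SG-Executives-Mail whose members are the executive mailboxes.

```powershell
# Added example (not from the original guide). Assumes ExchangeOnlineManagement is
# installed and 'SG-Executives-Mail' is a mail-enabled group of executive mailboxes.
Connect-ExchangeOnline

$execs = Get-DistributionGroupMember -Identity 'SG-Executives-Mail' |
    Where-Object { $_.RecipientTypeDetails -eq 'UserMailbox' }

foreach ($m in $execs) {
    $addr = $m.PrimarySmtpAddress
    # Per-mailbox switch: one deterministic Inbox instead of Focused/Other
    Set-FocusedInbox -Identity $addr -FocusedInboxOn $false
    # Older Clutter sorting, if still present on a long-lived mailbox
    Set-Clutter -Identity $addr -Enable $false -ErrorAction SilentlyContinue
}

# Verify: every executive mailbox should report FocusedInboxOn = False
$execs | ForEach-Object { Get-FocusedInbox -Identity $_.PrimarySmtpAddress } |
    Select-Object Identity, FocusedInboxOn

# Tenant-wide alternative (affects every mailbox, not just executives):
# Set-OrganizationConfig -FocusedInboxOn $false
```

Re-run the verification block after the rollout window; a mailbox that flips back to True is the signal to have the conversation with that executive rather than silently re-applying the setting.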
Step 12: Implement strict contact-first email screening for executives
This is the executive-specific control that changes the game: stop trying to “detect bad,” and instead only allow known-good senders to hit the primary attention channel.
Methodology shift:
- Bad method: spam filters + AI sorting + “unsubscribe” cleanup (probabilistic)
- Good method: strict allow-listing / contact-first filtering (deterministic)
Manual approach (baseline):
- Define who is allowed to reach executives (contacts, approved domains, VIP vendors)
- Route everyone else to a reviewed folder for assistants/security
For the Outlook/Microsoft 365 version of the deterministic approach, use: How to Configure Strict Allow Listing in Outlook 365
Expected result: Unknown senders no longer land in the executive’s primary workflow; they are separated for review.
This directly reduces “notification anxiety” and shrinks the phishing surface without waiting for detection engines to guess correctly.
Step 13: Validate outcomes with logs and staged rollout
Validate in three places:
- Entra admin center → Sign-in logs (filter for executives/admins) to confirm Conditional Access results
- Microsoft 365 Defender → Email / Threat Explorer (if licensed) to confirm attachment/link actions
- Intune/Defender device reports to confirm policy assignment success
Rollout sequence:
1) Pilot with 2–5 executives (and their assistants)
2) Fix breakages (older clients, service accounts, device enrollment)
3) Expand to all executives
Expected result: Policies move from report-only to enforced with minimal disruption and clear exception handling.
4. COMMON PATTERNS (copy/paste-ready)
Use these patterns to make executive security operational (not theoretical).
1) Executive allow-list rule (domain VIPs)
- Allowed domains: @boardpartner.com, @yourbank.com, @toplawfirm.com
- Action: deliver normally
- Everyone else: route to review
2) Assistant triage workflow
- Inbox A: “Known senders” (executive reads)
- Inbox B: “Outsiders/Unknown” (assistant reviews)
- SLA: review Outsiders 2–3 times/day
3) Conditional Access pilot pattern
- Start in Report-only
- Collect failures for 48 hours
- Move to On after you have:
- FIDO2/WHfB enrolled for admins
- documented exceptions (rare)
4) Attachment-risk pattern
- Block: exe, js, vbs, cmd, scr, ps1
- Quarantine (optional): zip, iso if business tolerates it
- Exception process: assistant/security requests release with justification
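The manual allow-list approach from Step 12 and Common Patterns items 1 and 2, as an added example (not from the original guide) built with Exchange Online PowerShell. A mail flow rule stamps external mail to executives from any domain outside the allow list with a header, and an inbox rule in each executive mailbox moves stamped mail to an Outsiders folder for the assistant to review. It assumes the ExchangeOnlineManagement module, a mail-enabled group SG-Executives-Mail, the placeholder domains from item 1, a hypothetical header name X-Exec-Sender-Class, and an Outsiders folder already created under each executive's Inbox (the inbox rule will not create it). Per-contact matching, which the linked article covers, is out of scope here.

```powershell
# Added example (not from the original guide). Assumes ExchangeOnlineManagement is
# installed, 'SG-Executives-Mail' is a mail-enabled group, the allow-list domains are
# placeholders, and each executive already has an Inbox\Outsiders folder.
Connect-ExchangeOnline

$execGroup      = 'SG-Executives-Mail'
$allowedDomains = 'boardpartner.com', 'yourbank.com', 'toplawfirm.com'   # placeholders (Common Patterns 1)
$headerName     = 'X-Exec-Sender-Class'                                  # hypothetical header name
$headerValue    = 'unknown'
$ruleName       = 'Exec - classify unknown external senders'

# 1) Central classification. Internal mail never matches (FromScope), allow-listed domains
#    are excepted, every other external message to an executive gets the header.
#    Use -Mode Audit for a day first to see what would match, then switch to Enforce.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -SentToMemberOf $execGroup `
        -FromScope NotInOrganization `
        -ExceptIfSenderDomainIs $allowedDomains `
        -SetHeaderName $headerName -SetHeaderValue $headerValue `
        -Priority 0 -Mode Enforce
}

# 2) Per-mailbox routing. Only stamped mail leaves the primary Inbox, so known senders are
#    never touched, and nothing is deleted: it is separated for review, not discarded.
$execs = Get-DistributionGroupMember -Identity $execGroup |
    Where-Object { $_.RecipientTypeDetails -eq 'UserMailbox' }
foreach ($m in $execs) {
    $addr = $m.PrimarySmtpAddress
    New-InboxRule -Mailbox $addr -Name 'Outsiders to review folder' `
        -HeaderContainsWords "${headerName}: $headerValue" `
        -MoveToFolder "${addr}:\Inbox\Outsiders" `
        -StopProcessingRules $true
}

# Adding a domain later: the parameter replaces the list, so pass the full set
# Set-TransportRule -Identity $ruleName -ExceptIfSenderDomainIs ($allowedDomains + 'newvendor.com')

# Verify the classification rule is live
Get-TransportRule -Identity $ruleName | Select-Object Name, State, Mode, Priority
```

Two caveats a practitioner should hold on to. First, a domain allow list trusts the sender's domain, so spoofing protection (DMARC enforcement and the tenant's anti-phishing policy) is what keeps "deterministic" from becoming "trivially forged"; a message that fails authentication for an allow-listed domain should never reach the primary Inbox. Second, a forged X-Exec-Sender-Class header on inbound mail can only demote a message to Outsiders, never promote it, because the mail flow rule stamps every non-allow-listed external message regardless of what the sender put there.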
5. THE BETTER WAY (KeepKnown)
Even hardened Microsoft 365 tenants still lose executives to email because the default model is the “Open Inbox.” That model assumes strangers should reach the most important people in your company—and then tries to guess what’s malicious.
KeepKnown flips the model.
- Mechanism: KeepKnown is an API-based email filter (server-side, not a plugin).
- Method: Contact-first filtering (deterministic). Unknown senders are not “scored.” They are simply separated.
- Action: Moves non-contacts to a dedicated label/folder like KK:OUTSIDERS.
- Security posture: OAuth2 verified, CASA Tier 2, uses encrypted hashes (no plaintext storage).
- Platforms: Microsoft 365/Outlook included.
Why this matters for executives:
- It cuts phishing exposure dramatically by removing unknown senders from the executive’s attention channel.
- It reduces decision fatigue (less deleting/triage) and lowers the chance of a rushed click.
If you want the philosophy and data behind deterministic filtering, read:
- Deterministic vs Probabilistic Email Filtering for Executives
- Spear Phishing Statistics 2026 Filters Failing
To deploy the KeepKnown methodology, start at https://keepknown.com.
6. TROUBLESHOOTING
Use this section when the UI lies, the menu is missing, or policies don’t stick.
1) If the “Endpoints” menu doesn’t appear in Defender, then activate provisioning
- Click Microsoft 365 Defender → any Get started/Activate features tile
- Wait for backend provisioning (can take up to 24 hours)
2) If Conditional Access blocks an executive unexpectedly, then use report-only and exclude break-glass
- Set policy to Report-only
- Confirm SG-IT-BreakGlass-ExcludeCA is excluded
- Check Entra admin center → Sign-in logs → open the failure → confirm which control triggered
3) If Intune baseline “Apply” is greyed out, then change one setting manually
- Toggle a single setting away from “recommended”
- Save/apply
- Re-check whether the baseline is already deployed (some views are informational)
4) If the admin portal doesn’t reflect a change, then validate via the same control plane
- Changes made via Graph/PowerShell can lag in UI
- Re-check via Graph/PowerShell, and treat the portal as “eventually consistent”