Priority Account Protection for Microsoft 365: What Every Business Owner Must Know

Hanna Korotka

Not all accounts in an organization are created equal. Certain accounts—like those belonging to CEOs, CFOs, CISOs, and IT administrators—have access to highly sensitive data and critical systems, making them prime targets for cyberattacks. These accounts, referred to as priority accounts, require enhanced security measures to minimize the risk of compromise.


This blog will guide you through the best practices for securing priority accounts in Microsoft 365, leveraging insights from Microsoft’s recommendations and the CIS Microsoft 365 Foundations Benchmark.


What Are Priority Accounts?


Priority accounts are user accounts with access to sensitive, confidential, or business-critical information, including:

  • Financial records

  • Product development data

  • Infrastructure configurations

  • Partner systems


Due to their elevated access and influence, these accounts are frequently targeted by spear phishing, whaling, and other advanced threats. A compromise of these accounts can lead to:

  • Data breaches

  • Operational disruption

  • Financial and reputational loss


Key Recommendations for Priority Accounts Protection


Protecting priority accounts requires a strategic approach, leveraging Microsoft’s best practices and advanced tools to mitigate risks. Here’s how to do it effectively.


Use Multi-Factor Authentication (MFA)


MFA is a must for priority accounts. Requiring a second factor means a stolen password alone is not enough to sign in. For priority accounts, prefer phishing-resistant methods (FIDO2 security keys, certificate-based authentication, or Windows Hello for Business) over push notifications and one-time codes: push approvals can be worn down by MFA-fatigue attacks, and codes can be relayed by adversary-in-the-middle phishing kits, whereas phishing-resistant methods are bound to the legitimate sign-in page. Conditional Access policies in Microsoft 365 let you enforce MFA, or a specific authentication strength, for selected users or groups. In the same pass, block legacy authentication: Basic authentication over protocols such as POP, IMAP and SMTP AUTH cannot perform MFA, so leaving it enabled gives an attacker with a stolen password a way around the policy.


MFA is one of the simplest yet most effective ways to protect against unauthorized access. If it’s not already part of your security strategy, now is the time to implement it. Follow the detailed instructions provided in Microsoft's documentation.
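The two Conditional Access policies described above, as an added example written for this post (not Microsoft's own sample and not part of the original article), using the Microsoft Graph PowerShell SDK. The group name "Priority Accounts" and the policy display names are assumptions; adjust them to your tenant. Both policies are created in report-only mode so you can check the sign-in logs before enforcing them.

```powershell
# Added example: enforce phishing-resistant MFA for priority accounts and block
# legacy authentication with Conditional Access (Microsoft Graph PowerShell SDK).
# Assumed names: group "Priority Accounts", policy display names below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Resolve the security group that holds the priority accounts (assumed group name)
$group = Get-MgGroup -Filter "displayName eq 'Priority Accounts'" | Select-Object -First 1
if (-not $group) { throw "Group 'Priority Accounts' not found" }

# Built-in authentication strength "Phishing-resistant MFA"
# (FIDO2 security key, certificate-based auth, Windows Hello for Business)
$phishingResistantMfa = "00000000-0000-0000-0000-000000000004"

# Policy 1: priority accounts must satisfy phishing-resistant MFA for every cloud app.
# Report-only first; switch state to "enabled" after reviewing sign-in logs.
$mfaPolicy = @{
    displayName = "CA-PriorityAccounts-Require-PhishingResistant-MFA"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistantMfa }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2: block legacy authentication tenant-wide. Clients using Basic auth
# (POP, IMAP, SMTP AUTH, older Exchange ActiveSync) cannot perform MFA, so they
# would otherwise be a bypass of policy 1. Exclude your break-glass accounts.
$legacyPolicy = @{
    displayName = "CA-Block-Legacy-Authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @() }  # add emergency-access account IDs here
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy

# Confirm both policies exist and are still report-only
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "CA-*" } |
    Select-Object DisplayName, State
```

Leave the policies in report-only for a few days and review the Conditional Access report-only results in the sign-in logs: any priority-account sign-in that would have been blocked for lacking a phishing-resistant method is a user who still needs a security key enrolled, and any legacy-auth hit is an application or device that must be migrated before enforcement.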


Configure Priority Account Protection


Microsoft Defender for Office 365 offers a dedicated feature for priority accounts. It lets you tag high-value accounts so that alerts, reports and investigations can be filtered by the tag, and applies additional protection heuristics to mail sent to tagged recipients.


The Priority account protection feature is available only to organizations with the following license:

  • Microsoft Defender for Office 365 Plan 2, which is included in Office 365 E5, Microsoft 365 E5, and Microsoft 365 E5 Security, or purchased as a standalone add-on. Office 365 E3 does not include Plan 2.


Step 1: Enable Priority account protection in Microsoft 365 Defender


1. Navigate to Microsoft 365 Defender https://security.microsoft.com/

2. Click Settings.

3. Select E-mail & Collaboration > Priority account protection.

4. Ensure Priority account protection is set to On.

Step 2: Tag priority accounts


1. Select User tags.

2. Select the PRIORITY ACCOUNT tag and click Edit.

3. Select Add members to add users or groups. Mail-enabled groups are recommended.

4. Repeat the previous two steps for any additional tags needed, such as Finance or HR.

5. Click Next, then Submit.
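The same tagging done in bulk, as an added example that is not part of the original post or of Microsoft's documentation. The Priority account tag in the Defender portal corresponds to the VIP attribute on the user object in Exchange Online, so it can be set with Set-User. The CSV file name and the three sample addresses are constructed for this example.

```powershell
# Added example: bulk-tag priority accounts from a CSV using Exchange Online PowerShell.
# The "Priority account" tag maps to the VIP attribute on the user object.
# CSV path and addresses below are constructed sample data.
Connect-ExchangeOnline

# Constructed sample input: a one-column CSV of UPNs
$csvPath = ".\priority-accounts.csv"
@"
UserPrincipalName
ceo@contoso.com
cfo@contoso.com
ciso@contoso.com
"@ | Set-Content -Path $csvPath

foreach ($row in Import-Csv -Path $csvPath) {
    $upn  = $row.UserPrincipalName
    $user = Get-User -Identity $upn -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "Not found, skipping: $upn"   # typo in the CSV or a deprovisioned account
        continue
    }
    if ($user.VIP) {
        Write-Host "Already tagged: $upn"
        continue
    }
    Set-User -Identity $upn -VIP $true
    Write-Host "Tagged as priority account: $upn"
}

# Report everything currently tagged. Review this list on a schedule: the tag
# should follow the role, not the person, so leavers and role changes drop off.
Get-User -Filter "VIP -eq 'True'" -ResultSize Unlimited |
    Select-Object DisplayName, UserPrincipalName, VIP |
    Sort-Object DisplayName
```

The final Get-User call is also the quickest way to audit whether the portal and your intended list agree; anything tagged that is not in the CSV was added by hand and deserves a second look.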


Step 3: Configure E-mail alerts for Priority Accounts


  1. Under E-mail & Collaboration on the left column, select Policies & rules.

  2. Select Alert policy and click New Alert Policy.

  3. Enter a valid policy Name & Description. Set Severity to High and Category to Threat management.

  4. Set Activity is to Phishing email detected at time of delivery.

  5. Set Mail direction to Inbound.

  6. Select Add Condition and User: recipient tags are.

  7. In the Selection option field, add the chosen priority tags, such as Priority account.

  8. Click Next and verify that valid notification recipient(s) are selected, for example the security team's shared mailbox.

  9. Click Next and select Yes, turn it on right away. Click Submit to save the alert.

  10. Repeat steps 2 - 9 with the Activity field set to Detected malware in a file.


Any additional activity types may be added as needed. The two above are the minimum recommended.


Apply Strict Protection Presets


Strict Protection Presets in Microsoft 365 provide a comprehensive defense against phishing, spoofing, and other advanced threats. These pre-configured policies apply Microsoft's most aggressive recommended filtering settings. They quarantine more than the Standard preset does, which is why Microsoft positions Strict for high-value targets such as priority accounts rather than for the whole organization.


Strict Protection includes features like:

  • Anti-spam, anti-malware, and anti-phishing protections (EOP).

  • Safe Links and Safe Attachments in Defender for Office 365.

  • Spoof and impersonation protection.


While these presets are highly effective, they are scoped by user, group, or domain, not by user tag, so they can't be pointed at the Priority account tag directly. Instead, put these users in a mail-enabled group and use that group as the recipient scope, so the Strict policies are applied consistently and new priority accounts are covered as soon as they are added to the group.


To enable Strict Preset policies:

  1. Navigate to Microsoft 365 Defender https://security.microsoft.com/

  2. Select to expand E-mail & collaboration.

  3. Select Policies & rules > Threat policies > Preset security policies.

  4. Click Manage protection settings for the Strict protection preset.

  5. For Apply Exchange Online Protection, select at minimum Specific recipients and include the accounts/groups identified as Priority Accounts.

  6. For Apply Defender for Office 365 Protection, select at minimum Specific recipients and include the accounts/groups identified as Priority Accounts.

  7. For Impersonation protection, click Next and add the display names and e-mail addresses, both internal and external, that are likely to be impersonated (executives, finance staff, key partners).

  8. For Protected custom domains, add the organization's domain name alongside the domains of key partners.

  9. Click Next and finally Confirm.
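The same scoping and impersonation setup from Exchange Online PowerShell, as an added example (not from the original post or from Microsoft's documentation). It assumes the Strict preset has already been turned on in the portal, that a mail-enabled group priority-accounts@contoso.com exists, and that the protected names, addresses and partner domain are placeholders.

```powershell
# Added example: scope the Strict preset security policy to the priority-accounts
# group and configure its impersonation protection with Exchange Online PowerShell.
# Assumed: Strict preset already enabled; group address, names and domains are placeholders.
Connect-ExchangeOnline

$priorityGroup = "priority-accounts@contoso.com"   # mail-enabled security group (assumed)

# The rules exist once the preset is on; here we only change who they apply to.
# EOP part of the preset: anti-spam, anti-malware, anti-phishing
Set-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" -SentToMemberOf $priorityGroup
# Defender for Office 365 part: Safe Links, Safe Attachments
Set-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy" -SentToMemberOf $priorityGroup

# Impersonation protection lives in the preset's anti-phishing policy, whose name carries
# a generated suffix. Look it up by RecommendedPolicyType instead of hard-coding the name.
$strictAntiPhish = Get-AntiPhishPolicy | Where-Object { $_.RecommendedPolicyType -eq "Strict" }
if (-not $strictAntiPhish) { throw "Strict preset anti-phishing policy not found; enable the preset first" }

# Protected users are "DisplayName;EmailAddress" pairs: the identities an attacker
# is likely to mimic. Include external partners whose name is used in payment requests.
$protectedUsers = @(
    "Jane Doe;ceo@contoso.com",
    "John Smith;cfo@contoso.com",
    "Alice Partner;alice@partner.example"
)
$protectedDomains = @("contoso.com", "partner.example")

Set-AntiPhishPolicy -Identity $strictAntiPhish.Identity `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $protectedUsers `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect $protectedDomains `
    -EnableOrganizationDomainsProtection $true

# Verify the scope of both rules
Get-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" | Select-Object Name, State, SentToMemberOf
Get-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy" | Select-Object Name, State, SentToMemberOf
```

Using -SentToMemberOf rather than listing individual addresses with -SentTo is what keeps the scope in step with the group: adding a new executive to priority-accounts@contoso.com brings them under Strict protection without touching the policy again.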


Monitor and Audit Activities


Monitoring is critical for protecting priority accounts. Microsoft 365 allows you to track user activity, configure custom alert policies, and retain logs for compliance and investigation purposes. Unified Audit Logs provide detailed insights into actions performed by priority users, enabling you to spot unusual behavior quickly.


For added protection, use real-time alerts in Microsoft Defender to flag activities like suspicious sign-ins or role changes. Monitoring these accounts closely ensures that any compromise is detected and mitigated swiftly.
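A concrete version of the audit-log review described above, added here as an example that is not part of the original post or of Microsoft's documentation. It pulls seven days of Unified Audit Log records for every account carrying the Priority account (VIP) tag and flags operations that typically follow a mailbox compromise. The operation names are real audit-log values; which ones go on the watch list is our own choice, and the seven-day window is an assumption.

```powershell
# Added example: review Unified Audit Log activity for all priority accounts and
# flag operations commonly seen after a mailbox or account compromise.
# Assumed: Exchange Online PowerShell session; 7-day window; our own watch list.
Connect-ExchangeOnline

$priorityUsers = (Get-User -Filter "VIP -eq 'True'" -ResultSize Unlimited).UserPrincipalName
if (-not $priorityUsers) { throw "No accounts carry the Priority account (VIP) tag" }

$end   = Get-Date
$start = $end.AddDays(-7)

# Operations worth a human look when performed by, or on, a priority account
$watchList = @(
    "New-InboxRule", "Set-InboxRule",   # rules that hide or forward mail are a classic BEC foothold
    "Set-Mailbox",                      # e.g. ForwardingSmtpAddress changes
    "Add-MailboxPermission",            # delegate access granted to the mailbox
    "Add member to role.",              # Entra ID directory role change (note the trailing period)
    "UserLoggedIn"                      # sign-ins; correlate ClientIP against known locations
)

# One page of up to 5000 records; use -SessionCommand ReturnLargeSet to page beyond that
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $priorityUsers -ResultSize 5000

$events = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json          # workload-specific details are JSON
    [pscustomobject]@{
        Time      = $r.CreationDate
        User      = $r.UserIds
        Operation = $r.Operations
        Workload  = $data.Workload
        ClientIP  = $data.ClientIP
        Flag      = if ($watchList -contains $r.Operations) { "REVIEW" } else { "" }
    }
}

# Summary per operation, then the flagged events in time order
$events | Group-Object Operation | Sort-Object Count -Descending | Select-Object Count, Name
$events | Where-Object Flag -eq "REVIEW" | Sort-Object Time | Format-Table -AutoSize
```

The per-operation summary is the baseline: run it for a few weeks and a priority account that suddenly shows New-InboxRule or Add-MailboxPermission for the first time stands out even before you read the individual records. Audit logging must be enabled for the tenant and the records are retained for a limited period depending on license, so export the results if you need them for a later investigation.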


Educate Priority Account Holders


Even the best tools can’t protect against human error. Educating priority account holders on recognizing phishing attempts, using strong passwords, and reporting suspicious activity is essential. Tailored training sessions can help them understand their role in maintaining account security.


Priority accounts are the backbone of your organization’s security. By following best practices—such as enabling MFA, using Priority Account Protection, and applying Strict Protection Presets—you can significantly reduce the risk of compromise. With PlexHosted as your trusted partner, you’ll gain the expertise and support needed to safeguard your Microsoft 365 environment.


Ready to secure your priority accounts? Contact PlexHosted today to learn how we can help you protect your most critical assets.


