How to lock down your Microsoft account and guard it from attackers


    What are your most valuable online accounts, and which ones are most worth protecting? If you have a personal Microsoft account, it is probably one of the accounts you should be most careful with. That is especially true if you use that account and its associated email address to sign in to one or more Windows PCs, and to create and store documents using the Office apps in Microsoft 365 or Microsoft’s OneDrive cloud storage service.

    In this post, we will show you seven steps you can take to lock down your account against online attacks. The goal is to prevent unauthorized persons from stealing your account credentials and using them to access your personal information.

    As always, we need to balance convenience and security, so we’ve divided the steps into three groups based on how strictly you want to lock down your Microsoft account.


    A few important notes first. This article describes the free consumer Microsoft account used with the Microsoft 365 Family and Personal editions and with the personal OneDrive service. These accounts are typically associated with email addresses using the domain, but older accounts may also use , , or . This article does not cover business and enterprise Microsoft 365 accounts; those use the OneDrive for Business cloud service and are managed by domain administrators through Azure Active Directory using a completely different set of tools.

    How much security do I need?

    Baseline: The baseline level of security (steps 1-3) is perfectly acceptable for most casual users of Microsoft services, especially those who do not use their Microsoft email address as the primary factor for signing in to other sites. These options can be very helpful if you’re helping a friend or relative who isn’t technically savvy and is intimidated by passwords.

    The first step is to create a strong password for your Microsoft account that isn’t used on any other account. Next, enable two-step verification (Microsoft’s term for multi-factor authentication) to protect yourself from phishing and other forms of password theft. With this feature enabled, you will be required to provide additional proof of identity the first time you sign in on a new device or perform a high-risk activity such as changing your password or adding a credit card to your account. The additional verification typically consists of a code sent to a trusted device in an SMS text message or to a registered alternate account in an email message.

    Finally, save a recovery code that allows you to access your account if you forget your password and cannot access other authentication methods.

    Better: While these basic precautions are sufficient, taking the actions described in steps 4 and 5 can significantly increase your security.


    First, install the Microsoft Authenticator app on your smartphone (for iPhone and Android devices) and make it available as a sign-in and verification option. Next, add a secure email address as a backup way to verify your identity.

    Maximum: The last two steps provide the highest level of security. Add at least one physical hardware key alongside the Microsoft Authenticator app, and remove SMS text messages as a backup verification factor. This configuration still allows you to use your mobile phone as an authentication factor, but it prevents would-be attackers from gaining access to your account by intercepting your text messages or hijacking your mobile phone account.

    This configuration presents a major hurdle for even the most determined attacker. Although it does require an additional investment in hardware and the sign-in process is a little more involved, it is the most effective way to protect your Microsoft account.

    Let’s start.

    Here’s how to lock down your Microsoft account

    First things first: Microsoft accounts require strong, unique passwords. Microsoft requires a minimum password length of 8 characters, but security experts recommend longer passwords. A good length is 12 to 16 characters, using a random combination of uppercase and lowercase letters, numbers, and special characters. You can also use a passphrase that consists of four or more randomly selected words separated by special characters such as hyphens.

    The best way to ensure you meet this requirement is to use the tools in your password manager to generate a completely new, random password or passphrase. (If you don’t have a password manager, try an online option such as the 1Password Strong Password Generator or the Bitwarden password generator.)

    Generating a new password ensures that the credentials for this account are not shared with any other account. It also ensures that a password exposed in some other breach is not one you accidentally reused here.


    To change your password, visit the Microsoft account security basics page. Sign in if necessary and click Change password. (But don’t check the box that says you must change your password every 72 days. That will certainly be frustrating, and it won’t make your account much safer.)

    Follow the instructions to save your new password using a password manager. If you need a physical backup, feel free to write it down. However, keep your documents in a secure location, such as a locked file drawer or safe.

    Don’t leave the Microsoft account security page yet. Instead, find the Two-step verification section (under the Additional security heading) and make sure this option is turned on.

    The setup process is a very simple wizard that will check to see if you can receive a confirmation message. If you have a modern smartphone with the latest version of iOS or Android, you can safely ignore the prompt to create an app password for your email client on those smartphones.

    The next step is to save your recovery code. If you can’t sign in to your account because you forgot your password, this code lets you regain access and avoid being locked out permanently.

    If you set up two-step verification in the previous step, you were automatically prompted to create a recovery code. If you don’t have a copy of that code saved, you’ll need to create a new one. On the Microsoft account security basics page, find the Advanced security options section and click Get started. This will take you to a not-so-basic Microsoft account security page. (Bookmark this address for direct access: )


    Scroll to the bottom of the page and look for the Recovery code section. When you click Generate a new code, a dialog box similar to the one shown here will appear.

    Print your recovery code and store it in the same locked file cabinet or safe where you left your password. (Microsoft can only generate one code at a time for a Microsoft account. Generating a new code invalidates the old code.)

    Next, we’ll discuss more advanced security options.

    Smartphone apps that generate Time-Based One-Time Password Algorithm (TOTP) codes are an increasingly popular form of multi-factor authentication and are highly recommended for use with services that support them. (For more information about these options, see Protect Yourself: How to Choose the Right Two-Factor Authentication App.)

    We recommend using Microsoft Authenticator with your Microsoft account, even if you use another authenticator app for most services. With this configuration, push notifications are sent to your smartphone when a sign-in attempt is made that requires verification. Approve the request and you’re done.


    An added benefit is that you can use the Microsoft Authenticator app for passwordless sign-in and verification.

    To set up Microsoft Authenticator with your Microsoft account, visit the Advanced Microsoft account security page, then click Add a new way to sign in or verify. Select the Use an app option, install the Microsoft Authenticator app, and then sign in using your account credentials.

    Microsoft recommends having at least two forms of authentication in addition to passwords. If you have two-step verification enabled and need to reset your password, you’ll need to provide both forms of identification. Otherwise, you risk being locked out permanently.

    If your security needs are minimal, a free email address such as a Gmail account is fine, but a business email address protected by professional IT staff is a much better choice. If you want, you can have a verification code sent to that email address.

    Go to the Advanced Microsoft account security page, then click Add a new way to sign in or verify. Select the Email a code option, enter your email address, and then enter the code you receive to confirm the new verification option.

    This is the most advanced step of all. It requires an investment in additional hardware, but it adds the highest level of security, because the physical device must be inserted into a USB port or connected via Bluetooth or NFC.

    For an overview of how this type of hardware works, see YubiKey Hands-on: Hardware-based 2FA is more secure, but be aware of these caveats.


    To set up your hardware key, go to the Advanced Microsoft account security page, then click Add a new way to sign in or verify. Select the Use a security key option and follow the prompts. You must enter the PIN for the hardware key and tap it to activate it. Once this setup is complete, you’ll have a powerful way to sign in to any service with your Microsoft account without worrying about passwords.

    As mentioned at the beginning of this article, most people do not need this level of advanced protection. However, if your OneDrive account contains valuable documents such as tax returns or bank statements, you should lock it down as tightly as possible.
