Insights

Identity Security · 7 min

How to protect Google Workspace and Microsoft 365 accounts

Email and collaboration accounts are often the front door to the organization. Protecting them well is one of the highest-value security moves.

For many organizations, Google Workspace or Microsoft 365 is the center of daily work. It holds email, calendars, documents, shared drives, identity, meetings, and often access to other business systems.

That makes it a high-value target. If an attacker gets into a staff mailbox or administrator account, they may be able to reset passwords, impersonate the organization, read sensitive files, approve fake payments, or access other applications.

Protecting these accounts well is one of the most practical cybersecurity investments a team can make.

Start with administrators

Administrator accounts should be few, named, and protected. They should not be shared casually, and they should not be used for everyday email and browsing.

Review:

  • Who has super administrator or global administrator access
  • Whether each administrator still needs that level of access
  • Whether admin accounts use strong multi-factor authentication
  • Whether emergency access is documented
  • Whether admin actions can be reviewed later

If a person only needs to manage users, billing, groups, devices, or security settings, give them the narrowest role that fits the work. Broad admin access should be reserved for the few cases that truly need it.

Make multi-factor authentication real

Multi-factor authentication is useful only when it is actually enforced and hard to bypass.

At a minimum, require MFA for administrators, finance users, executives, IT support, and anyone with access to sensitive data. Over time, extend enforcement to all staff.

Where possible, prefer stronger methods such as passkeys, security keys, or app-based authentication over SMS codes. SMS is better than no MFA, but it should not be the end state for high-risk accounts.

Also check recovery methods. Weak recovery emails, old phone numbers, or unmanaged personal accounts can become a back door into the organization.

Remove stale users and risky sharing

Many organizations have old accounts that nobody wants to delete because the process is unclear. That creates risk.

A cleanup should review:

  • Former staff accounts
  • Contractor accounts
  • Vendor accounts
  • Suspended users that still own important files
  • Shared mailboxes and group accounts
  • Public or external file links

Before deleting an account, transfer ownership of important files, calendars, groups, and shared resources. The goal is not to lose business history. The goal is to remove unnecessary access.

Protect email from impersonation

Email is where fraud attempts often begin. Attackers may try to impersonate leadership, vendors, finance teams, or trusted partners.

Basic protection includes reviewing domain email authentication, user display-name rules, suspicious forwarding settings, and external sharing warnings. Teams should also know how to report suspicious emails and who reviews those reports.

Finance and procurement workflows need special attention. A payment instruction should not change because one email says so. Use a separate verification path for changes to bank details, urgent payments, or vendor instructions.

Review third-party apps and integrations

Staff often connect third-party apps to Google or Microsoft accounts. Some are useful. Some are forgotten. Some have more access than they need.

Review connected apps and OAuth grants. Remove apps that are no longer used. Restrict high-risk permissions. Pay attention to apps that can read mail, access files, manage calendars, or act on behalf of a user.
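One way to make that review repeatable on the Google Workspace side, as an added example that is not part of the original article or SHM's own tooling: a small triage routine that takes the per-user OAuth grant list (the shape the Admin SDK Directory API `tokens.list` call returns) and flags any app whose scopes let it read mail, reach Drive, manage calendars, or administer users. The scope-to-risk mapping and the sample grants are constructed for this example.

```python
"""Triage OAuth grants on Google Workspace accounts by the scopes they hold.

Added example (not SHM's code). Input mirrors the Admin SDK Directory API
`tokens.list` items (clientId, displayText, scopes); sample data is constructed.
"""
from dataclasses import dataclass

# Scopes that let an app read mail, access files, manage calendars, or act
# with admin rights. Which scopes count as high-risk is an assumption here;
# note that drive.file (per-file access) is deliberately not in the list.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full mailbox",
    "https://www.googleapis.com/auth/gmail.readonly": "read mail",
    "https://www.googleapis.com/auth/gmail.modify": "modify mail",
    "https://www.googleapis.com/auth/drive": "full Drive",
    "https://www.googleapis.com/auth/drive.readonly": "read Drive",
    "https://www.googleapis.com/auth/calendar": "manage calendars",
    "https://www.googleapis.com/auth/admin.directory.user": "manage users",
}


@dataclass
class Finding:
    user: str
    app: str
    client_id: str
    risky_scopes: list


def triage_grants(grants_by_user: dict) -> list:
    """Return one Finding per grant that holds at least one high-risk scope."""
    findings = []
    for user, grants in grants_by_user.items():
        for grant in grants:
            risky = sorted(s for s in grant.get("scopes", []) if s in HIGH_RISK_SCOPES)
            if risky:
                findings.append(Finding(user, grant.get("displayText", "?"), grant["clientId"], risky))
    return findings


# Constructed sample: two users, three connected apps, one over-privileged.
SAMPLE = {
    "alice@example.com": [
        {"clientId": "111-example.apps.googleusercontent.com", "displayText": "Meeting Notes Helper",
         "scopes": ["https://www.googleapis.com/auth/userinfo.email",
                    "https://www.googleapis.com/auth/calendar.readonly"]},
        {"clientId": "222-example.apps.googleusercontent.com", "displayText": "Inbox Cleaner",
         "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    ],
    "bob@example.com": [
        {"clientId": "333-example.apps.googleusercontent.com", "displayText": "Slide Template Pack",
         "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    ],
}

if __name__ == "__main__":
    for f in triage_grants(SAMPLE):
        print(f"{f.user}: {f.app} ({f.client_id}) -> "
              + ", ".join(HIGH_RISK_SCOPES[s] for s in f.risky_scopes))
```

Run against real data, the findings list is the starting point for the "remove or restrict" decision, and a grant that only appears on one user's account is often a sign the tool never went through the approval rule described below.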

This work is not only technical. It also requires a simple rule for how new tools are approved.

Set a realistic operating rhythm

Security settings should not be reviewed once and forgotten.

A practical rhythm could include:

  • Monthly review of administrator accounts
  • Quarterly review of external sharing and third-party apps
  • Immediate access removal during staff offboarding
  • Periodic testing of account recovery
  • A clear process for reporting suspicious email

The rhythm matters because organizations change. People join, leave, switch roles, add tools, and share files. Security has to keep up with that movement.

What SHM helps with

SHM helps teams review and harden Google Workspace, Microsoft 365, and related business tools. The work usually includes administrator review, MFA rollout, offboarding cleanup, sharing review, email fraud controls, and a short operating checklist the team can keep using.