Microsoft 365, as a service, contains many features that focus on security. Each service uses Azure Active Directory for authentication and authorization to access either the app itself or the content that resides within it. Organization-specific security controls and procedures should augment all out-of-the-box configurations.
Remember that security within Microsoft 365 is not just about enabling features and controls; it also involves teaching and guiding end-users to understand the restrictions and knowing how to use them.
Knowing which controls to enable, licenses to purchase, or rules to create is critical to deploying successful security capabilities. All organization types and sizes will benefit from enabling the most common controls regardless of whether the tenant is new or currently being used.