The Microsoft answer is the one that finally says the quiet part out loud.

This is the third and last post in the series. The first looked at directors moving off personal Gmail to Proton and found that a more private personal account is still a personal account. The second covered Google's free Advanced Protection Programme and found that a more secure personal account is still a personal account too. Both landed in the same place: you can improve a director's mailbox all you like, but improving it is not the same as the organisation controlling it.

Which leaves the directors who don't use Gmail at all. Roughly half of any board, in my experience, runs personal email on Outlook or another Microsoft account. So the natural question after the last post was: what's the Microsoft equivalent of Advanced Protection?

The short answer is that there isn't one. And once you see why, the entire series resolves into a single, simpler instruction.

The good news: Microsoft has quietly fixed the worst part

The biggest weakness in any email account is the password, and Microsoft has spent two years dismantling it. Personal Microsoft accounts have supported passkeys since 2024, and in May 2025 Microsoft went further: new accounts are now passwordless by default, created with no password at all. Existing users get prompted to add a passkey when they sign in, and the login screen now detects the strongest method on the account and offers that first rather than defaulting to the password.

This matters for the same reason it mattered in the last post. A passkey (your fingerprint, face, or device PIN, backed by cryptography rather than a memorised secret) can't be phished, guessed, reused, or intercepted from a text message. Microsoft's own figures put the sign-in success rate for passkey users at around 98%, against roughly a third for passwords, and Microsoft alone now registers close to a million new passkeys a day. The technology has gone mainstream.

So a personal Microsoft account can be made strongly resistant to the most common attack. You add a passkey, you remove the password entirely, you use the Microsoft Authenticator app, and you set proper recovery options. Done deliberately, that closes most of the same gap Advanced Protection closes on the Gmail side.

The catch: you have to build it yourself, and it can be undone

Here's where Microsoft and Google part company. Google's Advanced Protection is a single programme you switch on, and it does three things at once: it enforces phishing-resistant sign-in, adds stricter checks on downloads and apps, and, crucially, locks a set of security settings on so they can't quietly be turned off later, including by anyone who breaks in.

There is no consumer equivalent of that bundle for a personal Microsoft account. You can reach a similar level of sign-in security, but you assemble it yourself, setting by setting, and nothing holds it in place. A user can re-add a password, drop back to a text-message code, or relax a setting, and the account silently weakens. The protection depends on the individual getting it right and keeping it right.

That's a meaningful difference for a board to understand. On the Microsoft consumer side, "is this director's account properly protected?" has no one-click answer and no enforcement. It's a matter of trust in each individual's configuration, which is exactly the kind of thing governance is supposed to replace with something checkable.

Where Microsoft's real protection lives, and why that's the tell

Now the part that completes the series. Microsoft does have a genuinely strong, enforceable, lock-it-on security model. It just isn't on personal accounts. It's on work accounts: Microsoft 365 mailboxes governed by an organisation's Entra identity system.

On the managed side, an administrator can require phishing-resistant passkeys, switch on security defaults, apply conditional access rules about who signs in from where, and have passkey protections enforced across the tenant rather than left to each individual. None of it relies on each person voluntarily configuring their own account, because the organisation sets the policy and the organisation enforces it.
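What "the organisation sets the policy and the organisation enforces it" looks like in practice is a Conditional Access policy object. The example below is added here and is not the post's own material: it builds the Microsoft Graph request body for a tenant-wide policy that grants access only after a sign-in meeting Entra's built-in "Phishing-resistant MFA" authentication strength (passkey/FIDO2, Windows Hello for Business or certificate-based), and then audits a policy object the same way an assurance check would, returning every reason it does not cover every user. The authentication-strength ids are Entra's fixed built-ins; the break-glass group id is a placeholder. Nothing here talks to a tenant, and note that Conditional Access is the route once a tenant has moved beyond security defaults, since the two cannot be enabled together.

```python
"""Build and audit a tenant-wide Conditional Access policy requiring
phishing-resistant MFA.  Added example (not from the post); follows the
Microsoft Graph conditionalAccessPolicy JSON shape.  Nothing is sent to a
tenant: the body is built and then checked offline, which is the board's
question ("is this enforced, for everyone?") rather than the click-path."""

import json

# Entra's built-in authentication strength ids (fixed, tenant-independent).
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"
PASSWORDLESS_MFA = "00000000-0000-0000-0000-000000000003"
MFA = "00000000-0000-0000-0000-000000000002"


def phishing_resistant_policy(display_name="Board: phishing-resistant MFA",
                              break_glass_group_ids=()):
    """Return the body for POST /identity/conditionalAccess/policies.

    Targets all users and all cloud apps; access is granted only when the
    sign-in satisfied the phishing-resistant strength.  break_glass_group_ids
    is the one conventional exception: emergency-access accounts kept out of
    the policy so a misconfiguration cannot lock every administrator out.
    """
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": [],
                "includeGroups": [],
                "excludeGroups": list(break_glass_group_ids),
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "OR",
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA},
        },
    }


def policy_findings(policy, allowed_exclusion_groups=()):
    """Audit one policy object (as returned by GET .../policies) and return
    the reasons it does NOT enforce phishing-resistant sign-in for every
    user.  An empty list means the policy does what the board was told."""
    findings = []
    if policy.get("state") != "enabled":
        # "enabledForReportingButNotEnforced" is report-only: it logs, it
        # does not enforce, and it is the most common silent gap.
        findings.append(f"state is {policy.get('state')!r}, not 'enabled'")
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if users.get("includeUsers") != ["All"]:
        findings.append("does not target all users")
    for key in ("excludeUsers", "excludeRoles"):
        if users.get(key):
            findings.append(f"{key} is non-empty: {users[key]}")
    unexpected = set(users.get("excludeGroups", [])) - set(allowed_exclusion_groups)
    if unexpected:
        findings.append(f"unexpected excluded groups: {sorted(unexpected)}")
    apps = cond.get("applications", {})
    if apps.get("includeApplications") != ["All"]:
        findings.append("does not cover all applications")
    if apps.get("excludeApplications"):
        findings.append(f"excludeApplications is non-empty: {apps['excludeApplications']}")
    grant = policy.get("grantControls") or {}
    strength = (grant.get("authenticationStrength") or {}).get("id")
    if strength != PHISHING_RESISTANT_MFA:
        findings.append(f"authentication strength is {strength!r}, not phishing-resistant MFA")
    return findings


if __name__ == "__main__":
    # Placeholder group id: substitute the tenant's emergency-access group.
    body = phishing_resistant_policy(break_glass_group_ids=["<break-glass-group-id>"])
    print(json.dumps(body, indent=2))
    print("findings:", policy_findings(body, allowed_exclusion_groups=["<break-glass-group-id>"]))
```

The audit half is the part worth keeping: run it over every policy returned by `GET /identity/conditionalAccess/policies` and the board gets a checkable answer to "is this enforced?" instead of a person's assurance that they set it up, which is exactly what the consumer account cannot give.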

Read that against the two earlier posts and the whole thing clicks into place. The strongest version of Microsoft security is the one where the organisation controls the account, not the individual. That is precisely the distinction Proton and Advanced Protection kept gesturing at. Microsoft just states it plainly: serious, enforceable protection is something an organisation does to accounts it owns, not something a director does to an account it doesn't.

So the absence of an "Outlook Advanced Protection button" isn't a gap Microsoft forgot to fill. It's a signpost. The button you're looking for exists, on the managed account you should be using for board business in the first place.

What to do

  1. If directors are on personal Outlook today, harden it as an interim step. Add a passkey, remove the password, use the Authenticator app, set recovery options, and turn off text-message fallback where you can. This is the same harm-reduction move as the Gmail fix, better than nothing and free, and the board can reasonably ask for it and minute that it has.
  2. Be honest that it's DIY and unenforced. Unlike Advanced Protection, this configuration isn't locked on and can be weakened later. Treat it as a stopgap, not a solution, and don't let switching on a few settings stand in for the real question.
  3. Make the real move: board business on organisation-managed accounts. Whether that's Microsoft 365 with enforced policies, a properly administered alternative, or a board portal where papers live and are retained centrally, the point is that the organisation sets and enforces the controls and owns the record. That is the answer all three posts have been circling.
  4. Start with an inventory. Most boards genuinely don't know which directors are on personal versus managed accounts, on Gmail versus Outlook, on which devices. You can't enforce or audit what you haven't mapped. That map is the first hour of work, and it's usually where the surprises are.
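The inventory in step 4 is mostly a spreadsheet exercise, but it helps to make the classification mechanical so the "surprises" cannot be argued away. The script below is an added example, not from the post: it takes a director list in the shape a company secretary usually holds, checks each address against the domains the organisation's tenant has verified, and reports who is on a managed account, who is on a consumer mailbox (Microsoft, Google or Proton), and who is on some other organisation's domain. The director rows, the verified-domain set and the consumer-domain table are constructed sample data; in a real run the verified domains come from the tenant (for Microsoft 365, `GET /domains` in Graph) rather than being typed in.

```python
"""Board account inventory: classify each director's address as managed
(in the organisation's tenant) or not, and list the gaps.  Added example,
not from the post.  All data below is constructed sample data."""

import csv
import io
from collections import Counter

# Constructed: the domains the organisation's tenant has verified.
VERIFIED_DOMAINS = {"example-plc.com", "example-plc.co.uk"}

# Consumer mailbox domains covered by the series, plus the common aliases.
CONSUMER_DOMAINS = {
    "outlook.com": "Microsoft personal", "hotmail.com": "Microsoft personal",
    "live.com": "Microsoft personal", "gmail.com": "Google personal",
    "googlemail.com": "Google personal", "proton.me": "Proton personal",
    "protonmail.com": "Proton personal",
}

# Constructed: the kind of list the company secretary typically holds.
DIRECTORS_CSV = """\
name,email,devices
A. Chair,a.chair@example-plc.com,managed laptop
B. NED,b.ned@outlook.com,personal iPad
C. NED,cned@gmail.com,personal laptop
D. NED,d.ned@example-plc.co.uk,managed laptop
E. NED,e.ned@consultancy-ltd.example,unknown
"""


def classify(email, verified=VERIFIED_DOMAINS, consumer=CONSUMER_DOMAINS):
    """Return (category, detail) for one address, matching on domain only."""
    domain = email.rsplit("@", 1)[-1].strip().lower()
    if domain in verified:
        return "managed", "organisation tenant"
    if domain in consumer:
        return "personal", consumer[domain]
    # Another organisation's domain: "work" email somewhere, but outside
    # this organisation's control and, more to the point, its retention.
    return "third-party", domain


def inventory(csv_text, verified=VERIFIED_DOMAINS, consumer=CONSUMER_DOMAINS):
    """Parse the director list and attach a category to every row."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        category, detail = classify(r["email"], verified, consumer)
        rows.append({**r, "category": category, "detail": detail})
    return rows


def gaps(rows):
    """Directors whose board mail is not on an account the organisation
    controls: the list the audit actually needs."""
    return [r["name"] for r in rows if r["category"] != "managed"]


def summary(rows):
    """Headline counts per category, for the board paper."""
    return dict(Counter(r["category"] for r in rows))


if __name__ == "__main__":
    rows = inventory(DIRECTORS_CSV)
    for r in rows:
        print(f"{r['name']:<10} {r['email']:<32} {r['category']:<12} {r['detail']}")
    print("summary:", summary(rows))
    print("not on managed accounts:", gaps(rows))
```

The third-party category is deliberately separate from personal: a director reading board papers on another company's mailbox is not a consumer-account problem, but it is still mail the organisation neither controls nor retains, and it tends to be the row nobody had noticed.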

The point that matters, for all three posts

Across this series the specific tool kept changing (Proton, then Advanced Protection, now the Microsoft account) and the lesson never did. A private mailbox, a secure mailbox, a phishing-resistant mailbox: all of them are improvements to an account, and none of them answers the only question a board should care about, which is whether the organisation controls its own record and can prove it.

The toggle was never the point. Ownership was. Microsoft, by having no consumer switch at all, just happens to say it out loud: the protection worth having is the kind your organisation enforces, on accounts it actually holds.

If you don't know how your board would answer that today, across every director, every account, and every device, that not-knowing is the finding. It's also, as it happens, the first thing a readiness audit is for.