Depending on your Microsoft 365 license, you can start off by leveraging the existing Microsoft security features you have, for example Identity Protection, Privileged Identity Management, etc.
Microsoft 365 Security Center and Compliance Center will give a score based on your environment. They also outline tasks that can improve the score. You can use that as a good starting point and gradually improve the security score to enhance your security posture.