Zoho Security Best Practices 2026: Protect Your Business Data Now

Your Zoho account holds your entire business — customer data in Zoho CRM, financial records in Zoho Books, employee information in Zoho People, and business email in Zoho Mail. A single compromised account, weak password, or misconfigured permission can expose all of it to attackers. These Zoho security best practices for 2026 cover every layer of protection: MFA enforcement, email authentication, role-based access, IP restrictions, audit log monitoring, API security, data backup, and phishing prevention. Whether you are a solo Zoho user, a growing business with 20 team members, or a Zoho One administrator managing 200 users, implementing these practices is the difference between a business that recovers from a security incident and one that does not.

This guide is structured as 12 actionable Zoho security practices with the exact Admin Console navigation path for each setting — not generic advice. At the end is a complete security checklist you can review quarterly to ensure your Zoho environment remains secure as your team and product configuration changes over time.

Written by Codroid Labs — Certified Zoho Partner  |  April 2026  |  19 min read
Zoho Admin Security Expert Guide

Zoho security best practices 2026 — 12 critical security layers covering MFA enforcement, email authentication, role-based access control, IP allowlisting, audit log monitoring, and data backup for Zoho One, Zoho CRM, Zoho Books, and Zoho Mail.

Why Zoho Security Matters More in 2026
  • 91% of breaches start with phishing or stolen credentials
  • 99% of account takeovers are blocked by MFA alone
  • 72 hrs: average time for attackers to monetise a compromised account
  • 12 security layers in this guide, each independently blocking threats

1. MFA with Zoho OneAuth — Enforce for All Users (Critical)

Multi-factor authentication is the single highest-impact Zoho security best practice for 2026. A password alone is not sufficient protection — phishing attacks, credential stuffing, and data breaches from third-party services mean that passwords are routinely compromised without the account owner’s knowledge. MFA ensures that even a stolen password cannot be used to access your Zoho account without the second factor from your registered device.

Enforce MFA Organisation-Wide (Admin)

Admin Console → Security → Multi-Factor Authentication → Enforce MFA for all users

Set a 7-day grace period for existing users, then monitor enrolment from Admin Console → Security → MFA → User Status. Users who have not enrolled after the grace period are blocked from accessing Zoho until they complete MFA setup. This is the intended and correct behaviour — do not extend the grace period indefinitely for non-compliant users.

Zoho OneAuth — The Recommended MFA App

Zoho OneAuth (available for Android, iOS, Mac, and Windows — free) is the recommended MFA method over SMS codes. SMS-based MFA is vulnerable to SIM-swap attacks — where attackers convince a mobile carrier to transfer your number to their SIM. Zoho OneAuth’s push notification and TOTP methods are immune to SIM-swap because they are device-bound, not number-bound.

Secure MFA Methods
  • Zoho OneAuth push notification
  • Zoho OneAuth TOTP (offline capable)
  • Zoho OneAuth biometric (fingerprint/Face ID)
  • Hardware security key (FIDO2/WebAuthn)
Weaker MFA Methods (Avoid as Primary)
  • SMS OTP — SIM-swap vulnerable
  • Email OTP — compromised if email is breached
  • Security questions — easily researched
Admin action after employee departure: When a team member leaves, immediately disable their Zoho account. Do not just remove their role — a disabled account cannot log in even with the correct credentials. Admin Console → Users → select user → Disable Account. Then review all API tokens and third-party app authorisations the user may have created.

2. SPF, DKIM, and DMARC — Protect Your Zoho Mail Domain (Critical)

Email authentication is a critical component of Zoho security best practices 2026 — yet it is one of the most commonly skipped settings. Without SPF, DKIM, and DMARC, attackers can send emails that appear to come from your company’s domain. Your clients receive phishing emails that look like they are from your actual email address, damaging trust and enabling fraud.

SPF Record

Lists authorised mail servers. India users: v=spf1 include:zoho.in ~all. Global: include:zoho.com. TXT record at @ in your DNS.

DKIM Record

Cryptographic signature proving email content is unmodified. Generated in Zoho Mail Admin Console → Domains → DKIM. Publish the TXT record provided by Zoho to your DNS.

DMARC Record

Policy for failed SPF/DKIM. Start: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. Progress to p=reject after 4-6 weeks of monitoring reports.

Zoho Mail Admin Console: mailadmin.zoho.in → Domains → DKIM → Add DKIM → Generate → Publish to DNS → Verify
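As an added example (not code from the guide or from Codroid Labs), the Python script below checks a domain's SPF, DKIM and DMARC TXT records against the rules just described: exactly one SPF record that includes zoho.in or zoho.com and ends in ~all or -all, a DKIM record with a non-empty public key for the selector, and a single DMARC record with a valid policy and a reporting address. The DNS answers are constructed sample data embedded in the script; the domain example.in and the selector name zmail are placeholders. To check a real domain, replace the dictionary with the TXT answers your resolver returns for the same three names.

```python
"""Offline SPF / DKIM / DMARC record checks (added example, not from the guide)."""

# Constructed sample TXT answers keyed by DNS name, in the shape a resolver returns.
# example.in and the selector "zmail" are placeholders, not a real deployment.
SAMPLE_DNS = {
    "example.in": [
        "v=spf1 include:zoho.in ~all",
        "google-site-verification=abc123",       # unrelated TXT record, ignored
    ],
    "zmail._domainkey.example.in": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDER"],
    "_dmarc.example.in": ["v=DMARC1; p=none; rua=mailto:dmarc@example.in"],
}


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(records, domain, zoho_includes=("zoho.in", "zoho.com")):
    """Exactly one SPF record, a Zoho include, and a ~all/-all terminator."""
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        # Two SPF records produce a PermError: receivers treat the domain as having no SPF.
        return [f"expected exactly one SPF record, found {len(spf)}"]
    mechanisms = spf[0].split()[1:]
    findings = []
    includes = {m.split(":", 1)[1].lower() for m in mechanisms if m.lower().startswith("include:")}
    if not includes & set(zoho_includes):
        findings.append("SPF does not include zoho.in or zoho.com")
    if not mechanisms or mechanisms[-1].lower() not in ("~all", "-all"):
        findings.append("SPF should end with ~all (soft fail) or -all (hard fail)")
    if "+all" in (m.lower() for m in mechanisms):
        findings.append("+all authorises every sender on the internet")
    return findings


def check_dkim(records, domain, selector):
    """DKIM record must exist for the selector and carry a public key (p=)."""
    recs = records.get(f"{selector}._domainkey.{domain}", [])
    if not recs:
        return [f"no DKIM record published for selector '{selector}'"]
    tags = parse_tags(recs[0])
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        findings.append("DKIM v= tag is not DKIM1")
    if not tags.get("p"):
        findings.append("DKIM p= tag is empty: the key is revoked, signatures will not verify")
    return findings


def check_dmarc(records, domain):
    """One DMARC record with a valid p= policy and an aggregate-report address."""
    recs = [r for r in records.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if len(recs) != 1:
        return [f"expected exactly one DMARC record, found {len(recs)}"]
    tags = parse_tags(recs[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC p= tag missing or invalid")
    elif policy == "none":
        findings.append("DMARC is monitor-only (p=none): move to p=reject once reports are clean")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are not being collected")
    return findings


def audit_domain(records, domain, dkim_selector):
    """Run all three checks; an empty list for a record type means it passes."""
    return {
        "spf": check_spf(records, domain),
        "dkim": check_dkim(records, domain, dkim_selector),
        "dmarc": check_dmarc(records, domain),
    }


if __name__ == "__main__":
    for record_type, findings in audit_domain(SAMPLE_DNS, "example.in", "zmail").items():
        print(record_type.upper(), "OK" if not findings else "; ".join(findings))
```

Run against the sample data, SPF and DKIM pass and DMARC reports that the domain is still at p=none, which is exactly the state the guide describes for the first 4-6 weeks of monitoring. The "exactly one record" checks matter because a second SPF or DMARC record (a common leftover from a previous mail provider) invalidates both.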

See our complete Zoho Mail SPF DKIM DMARC Setup Guide for the full step-by-step configuration with exact DNS record values.

3. Role-Based Access Control — Enforce Least Privilege (Critical)

The principle of least privilege is a foundational Zoho security best practice: every user gets access to only the data and functionality required for their specific job — nothing more. Over-permissioned users are a major internal security risk, whether through intentional data theft, accidental deletion, or an attacker gaining access to a high-privilege account.

Zoho role-based access control — implementing least privilege security across Zoho CRM, Books, People, and One. Every user role grants minimum required permissions, Super Admin is restricted to IT administrators, and quarterly access reviews remove stale permissions.

Role Configuration by Zoho Product

Zoho CRM — Role Best Practices
  • Sales rep: access own leads and deals only, no bulk export
  • Sales manager: access team records, view-only reports
  • CRM admin: configuration access, no financial data
  • Management: read-only analytics dashboards, no edit access
  • Never give sales reps the ability to delete records
Zoho Books — Role Best Practices
  • Accountant: invoice and report access, no settings
  • CA/auditor: read-only access for filing and audit trail
  • Staff: create purchase requests only, no approval
  • Manager: approve invoices, no bank account access
  • Admin only: bank account integration, settings, data export

Admin Console Role Management

Admin Console → Users and Control → Users → select user → Roles → Assign/Modify Role
Zoho CRM: Settings → Users and Roles → Roles → Configure record-level access per role
Quarterly access review: Schedule a quarterly calendar event to review all user roles in every Zoho product. Remove access for users who have changed departments, left the company, or no longer require specific permissions. Stale access is one of the most common sources of insider security incidents.

4. Password Policy — Strength, Expiry, and Reuse Rules (High Priority)

A strong password policy is a foundational Zoho security best practice, but it only protects against specific attack types — credential stuffing uses previously leaked passwords, which a policy alone cannot prevent. Combine strong password policy with MFA for complete protection.

Admin Console → Security → Password Policy → Configure
Setting                           | Minimum Recommended | High Security
Minimum password length           | 12 characters       | 16+ characters
Require uppercase letters         | Yes                 | Yes
Require numbers                   | Yes                 | Yes
Require special characters        | Yes                 | Yes
Password expiry                   | 90 days             | 60 days
Prevent reuse of last N passwords | Last 5              | Last 10

5. IP Restrictions — Allowlist Your Trusted Networks (High Priority)

IP restriction is one of the most powerful Zoho security best practices for businesses with fixed office locations. When enabled, even a correct password and MFA cannot grant access from an unapproved IP address. This completely blocks remote attacker access from unknown networks.

Admin Console → Security → IP Restrictions → Add IP Address or Range

Add IP ranges in CIDR notation (e.g., 203.0.113.0/24 for a /24 subnet). Individual IPs can be added without CIDR notation. Best practice is to add: your office’s static IP, your IT team’s remote work IPs, and any branch office IPs.

Add to IP Allowlist
  • Office network static IP
  • IT admin personal IPs for remote admin
  • Branch office or warehouse IPs
  • Known remote worker IPs (for permanent staff)
  • VPN server exit IP (if team uses corporate VPN)
Important Considerations
  • Static IP required — dynamic IP changes cause lockouts
  • Before enabling: add ALL admin IPs or you lock yourself out
  • Review IP list monthly — ISPs change IPs without warning
  • For dynamic IPs: use corporate VPN + IP restriction together
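The lockout warning above is the one that bites in practice, so here is an added example (not from the guide) of a pre-flight check to run before switching IP restrictions on. It parses the proposed allowlist exactly as the Admin Console accepts it (CIDR ranges or bare IPs), rejects entries with host bits set instead of silently widening them, confirms that every admin's most recent login IP falls inside some listed range, and flags ranges that are implausibly large for a single office. The allowlist, admin accounts and login IPs are constructed from RFC 5737 documentation ranges; the 1024-host "too broad" threshold is an assumption for this example, not a Zoho limit.

```python
"""Pre-flight check before enabling Zoho IP restrictions (added example, not from the guide)."""
import ipaddress

# Proposed allowlist as the Admin Console accepts it: CIDR ranges or bare IPs.
# All addresses are RFC 5737 documentation ranges, constructed for this example.
# The last entry deliberately has host bits set so the check can reject it.
ALLOWLIST = ["203.0.113.0/24", "198.51.100.7", "192.0.2.128/25", "198.51.100.5/24"]

# Admin accounts and the source IP of each one's most recent login (constructed).
ADMIN_LAST_LOGIN = {
    "it-admin@example.in": "203.0.113.44",       # inside the office /24
    "finance-admin@example.in": "198.51.100.7",  # matches the exact-IP entry
    "owner@example.in": "192.0.2.10",            # home broadband, in no listed range
}


def parse_allowlist(entries):
    """Return (networks, rejected). Bare IPs become /32 networks; entries with
    host bits set (e.g. 198.51.100.5/24) are rejected rather than silently widened."""
    networks, rejected = [], []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return networks, rejected


def is_allowed(ip, networks):
    """True if the address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def locked_out_admins(allowlist, admin_ips):
    """Admins whose current login IP would be blocked the moment restrictions are enabled."""
    networks, _ = parse_allowlist(allowlist)
    return sorted(user for user, ip in admin_ips.items() if not is_allowed(ip, networks))


def overly_broad(allowlist, max_hosts=1024):
    """Ranges with more than max_hosts addresses rarely map to one office network.
    The 1024-host threshold is an assumption for this example, not a Zoho limit."""
    networks, _ = parse_allowlist(allowlist)
    return [str(net) for net in networks if net.num_addresses > max_hosts]


def preflight(allowlist, admin_ips):
    """Collect everything that must be fixed before turning the restriction on."""
    _, rejected = parse_allowlist(allowlist)
    return {
        "invalid_entries": [entry for entry, _ in rejected],
        "locked_out_admins": locked_out_admins(allowlist, admin_ips),
        "overly_broad": overly_broad(allowlist),
    }


def safe_to_enable(allowlist, admin_ips):
    """Only enable IP restrictions when every pre-flight list is empty."""
    return not any(preflight(allowlist, admin_ips).values())


if __name__ == "__main__":
    print(preflight(ALLOWLIST, ADMIN_LAST_LOGIN))
    print("safe to enable:", safe_to_enable(ALLOWLIST, ADMIN_LAST_LOGIN))
```

With the sample data the check refuses to proceed: the owner's home IP is not covered and one entry is malformed. Feeding it the admin login IPs from the audit log before every monthly allowlist review catches the ISP changes the guide warns about.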

6. Session Timeout and Trusted Device Management (High Priority)

Session management prevents unauthorised access through abandoned browser sessions. If a team member logs into Zoho on a shared computer and walks away without logging out, an idle session timeout automatically signs them out — protecting data from anyone who accesses the computer later.

Configure Session Timeout

Admin Console → Security → Session Management → Set idle timeout and maximum session duration

Recommended settings: Idle session timeout — 30 minutes for most teams, 15 minutes for finance and admin roles. Maximum session duration — 8 hours (one working day). Re-authentication required after maximum duration even for active sessions.

Review and Manage Trusted Devices

accounts.zoho.com → Security → Trusted Devices → Review and Remove

Trusted devices skip MFA for 30 days. Review the list quarterly and remove any device that is no longer owned by your organisation, any device from an unrecognised location, and any device belonging to a former employee. Compromised trusted devices are a significant security risk — they bypass MFA entirely.

7. Audit Logs — Monitor Every Admin Action and Data Access (High Priority)

Zoho’s audit log is one of the most valuable — and most underused — Zoho security tools. It records a timestamped entry for every significant action in your Zoho organisation: admin configuration changes, user access modifications, data exports, API key creation, and login activity. Reviewing this log regularly is the difference between detecting a breach in hours and discovering it months later.

Admin Console → Security → Audit Log → Filter by Event Type, User, Date Range

Critical Audit Log Events to Monitor Weekly

Bulk data export events (Critical): Any CSV export of CRM contacts, Books transactions, or People employee records. A legitimate employee rarely exports more than a few hundred records. A bulk export of thousands of records warrants immediate investigation and confirmation from the user.

Admin privilege elevation (Critical): Any event where a user’s role is upgraded to Admin or Super Admin. This should match a documented, approved IT change request — not an unplanned change. Unrecognised privilege elevations indicate a compromised account or insider threat.

MFA disable events (High): When any user disables their MFA. The timing of MFA disablement — especially outside business hours or immediately before a large data export — is a red flag requiring immediate investigation.

New API token or OAuth app authorisation (High): Every new API key created or third-party app connected to your Zoho organisation appears in the audit log. Unrecognised app connections can exfiltrate data continuously without triggering other alerts.

Login failures (Monitor): More than 5 consecutive login failures from the same user account or IP address indicate either a forgotten password (low risk) or a brute-force attack (high risk). The location of the login failures — especially if from a foreign country — determines urgency.

Set up audit log email alerts: Admin Console → Security → Alert Notifications → Configure. Set email alerts for: role changes, data exports above a threshold, MFA disable events, and new admin account creation. These alerts arrive in real time — audit log review catches everything they miss.
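The weekly review above is easy to turn into a script that runs over an exported audit log. The following is an added example (not from the guide) that implements each of the five rules: bulk exports above a threshold, role elevation to Admin or Super Admin without an approved change request, MFA disabled outside business hours or shortly before an export, any new API token, and more than 5 consecutive login failures per user or source IP (reset on a successful login). The event rows, column layout, event names, IPs and thresholds are constructed for the example and are not Zoho's export format; map your real export's columns onto parse_event before use.

```python
"""Weekly triage of an audit-log export against the rules above (added example, not from the guide)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of a CSV audit export: (timestamp, actor, event, detail, ip).
# Column names, event names and addresses are assumptions for this example.
SAMPLE_EVENTS = [
    ("2026-04-06T09:05:00", "priya@example.in", "data_export", "CRM Contacts:120", "203.0.113.12"),
    ("2026-04-06T22:40:00", "rahul@example.in", "mfa_disabled", "", "198.51.100.9"),
    ("2026-04-06T23:02:00", "rahul@example.in", "data_export", "CRM Contacts:4800", "198.51.100.9"),
    ("2026-04-07T10:00:00", "admin@example.in", "role_change", "rahul@example.in:Super Admin", "203.0.113.12"),
    ("2026-04-07T11:15:00", "priya@example.in", "api_token_created", "Reporting script", "203.0.113.12"),
] + [
    (f"2026-04-08T03:{m:02d}:00", "it-admin@example.in", "login_failed", "", "192.0.2.77")
    for m in range(0, 12, 2)   # six failures, two minutes apart
] + [
    ("2026-04-08T09:00:00", "it-admin@example.in", "login_success", "", "203.0.113.12"),
]

BULK_EXPORT_THRESHOLD = 1000          # "thousands of records" warrants investigation
BUSINESS_HOURS = (9, 18)              # local office hours, an assumption
MAX_LOGIN_FAILURES = 5                # "more than 5 consecutive failures"
ELEVATED_ROLES = {"Admin", "Super Admin"}


def parse_event(row):
    """Convert one export row into a dict with a real datetime."""
    ts, user, event, detail, ip = row
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event, "detail": detail, "ip": ip}


def triage(rows, approved_elevations=frozenset()):
    """Return (severity, user, message) alerts in event order.
    approved_elevations holds (user, role) pairs backed by an approved change request."""
    events = sorted((parse_event(r) for r in rows), key=lambda e: e["ts"])
    alerts = []
    mfa_disabled_at = {}                      # user -> time MFA was switched off
    failures = defaultdict(int)               # user or ip -> current consecutive failures
    for e in events:
        kind, user, ts = e["event"], e["user"], e["ts"]
        if kind == "data_export":
            count = int(e["detail"].rsplit(":", 1)[1])
            if count >= BULK_EXPORT_THRESHOLD:
                alerts.append(("Critical", user, f"bulk export of {count} records ({e['detail']})"))
            if user in mfa_disabled_at and ts - mfa_disabled_at[user] < timedelta(hours=24):
                alerts.append(("High", user, "export within 24h of disabling MFA"))
        elif kind == "role_change":
            target, role = e["detail"].rsplit(":", 1)
            if role in ELEVATED_ROLES and (target, role) not in approved_elevations:
                alerts.append(("Critical", target, f"elevated to {role} by {user} without an approved change"))
        elif kind == "mfa_disabled":
            mfa_disabled_at[user] = ts
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                alerts.append(("High", user, f"MFA disabled outside business hours at {ts.isoformat()}"))
        elif kind == "api_token_created":
            alerts.append(("High", user, f"new API token '{e['detail']}': confirm it is expected"))
        elif kind == "login_failed":
            for key in (user, e["ip"]):             # track the streak per account and per source IP
                failures[key] += 1
                if failures[key] == MAX_LOGIN_FAILURES + 1:   # alert once per streak, not every failure
                    alerts.append(("Monitor", user, f"{failures[key]} consecutive login failures for {key} from {e['ip']}"))
        elif kind == "login_success":
            failures[user] = 0
            failures[e["ip"]] = 0
    return alerts


if __name__ == "__main__":
    for severity, user, message in triage(SAMPLE_EVENTS):
        print(f"[{severity:8}] {user}: {message}")
```

On the sample log the script raises two Critical alerts (the 4,800-record export and the unapproved Super Admin elevation), three High alerts (MFA disabled at 22:40, the export 22 minutes later, and the new token) and a Monitor alert for the six failed logins. Passing the approved change-request pairs in approved_elevations is what separates a planned role change from a suspicious one.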

8. API Security — Tokens, Scopes, and OAuth Management (High Priority)

API access is one of the most overlooked attack surfaces in Zoho environments. API tokens and OAuth connections grant programmatic access to your Zoho data — often with the same or broader permissions than a logged-in user. A leaked API token provides silent, continuous access to your data without triggering login alerts.

API Token Best Practices

accounts.zoho.com → Security → API Tokens → View All Active Tokens
API Token Security Rules
  • Never share API tokens via email or chat
  • Store tokens in a password manager or secrets vault — never in code
  • Create tokens with minimum required scope (not full-access)
  • Set expiry dates on all API tokens — maximum 6 months
  • Create separate tokens for each integration — not one master token
  • Revoke tokens immediately when an integration is decommissioned
OAuth Scope Minimisation
  • Grant only the specific Zoho API scopes the integration needs
  • For read-only integrations: use ZohoCRM.modules.READ, not ALL
  • Never grant ZohoMail.accounts.ALL to a non-mail integration
  • Review OAuth scopes when renewing tokens — requirements may have changed
  • Revoke OAuth apps that have not made an API call in 30+ days

9. Third-Party App Access Control — Know What Can Read Your Data (Medium Priority)

Every third-party application connected to your Zoho account through OAuth can read — and in many cases write — data from your Zoho CRM, Books, or Mail. These connections are often made by well-intentioned team members installing productivity tools without IT awareness. An unauthorised or compromised third-party app is a silent data exfiltration channel.

accounts.zoho.com → Security → Authorised Applications → Review All Connected Apps

Review this list monthly. For each connected application, ask: Is this app still in use? Does it need the scope level it was granted? Is this an approved business application or a personal tool installed by a team member without IT review?

Admin Control Over Third-Party App Connections

Admin Console → Security → Application Access Control → Restrict user-initiated app connections

In high-security environments, restrict the ability to connect third-party OAuth apps to admins only. This prevents individual team members from granting external applications access to your Zoho data without IT review and approval. Allowlist pre-approved integrations (Razorpay, IndiaMart, approved marketing tools) while blocking unapproved connections.
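The token rules in section 8 and the monthly app review in section 9 are the same review applied to two lists, so here is one added example (not from the guide) that covers both. It takes an inventory of API tokens and authorised OAuth apps and reports every rule violation: no expiry or a lifetime over 6 months, full-access (.ALL) scopes, ZohoMail scopes held by a non-mail integration, no use in the last 30 days, and apps not on the IT-approved list. The inventory, its field names and the dates are constructed for the example; they are not Zoho's export format, and the script calls no Zoho API. The scope names ZohoCRM.modules.READ, ZohoCRM.modules.ALL and ZohoMail.accounts.ALL are the ones named in the text.

```python
"""Review of API tokens and authorised OAuth apps against sections 8 and 9 (added example, not from the guide)."""
from datetime import date, timedelta

TODAY = date(2026, 4, 20)                  # review date, fixed so the example is reproducible
MAX_TOKEN_LIFETIME = timedelta(days=183)   # "maximum 6 months"
UNUSED_DAYS = 30                           # "no API call in 30+ days"

# Constructed inventory; the field names are assumptions, not Zoho's export format.
# "approved" marks entries on the IT-reviewed integration list; "mail_integration"
# marks apps whose purpose is mail handling and which may therefore hold ZohoMail scopes.
INVENTORY = [
    {"name": "Razorpay sync", "kind": "oauth", "scopes": ["ZohoBooks.invoices.READ", "ZohoBooks.contacts.READ"],
     "created": date(2025, 12, 1), "expires": date(2026, 6, 1), "last_used": date(2026, 4, 19),
     "approved": True, "mail_integration": False},
    {"name": "Old Zapier connector", "kind": "oauth", "scopes": ["ZohoCRM.modules.ALL"],
     "created": date(2025, 1, 10), "expires": None, "last_used": date(2026, 1, 5),
     "approved": False, "mail_integration": False},
    {"name": "Reporting script", "kind": "token", "scopes": ["ZohoCRM.modules.READ"],
     "created": date(2025, 9, 1), "expires": date(2026, 12, 1), "last_used": date(2026, 4, 18),
     "approved": True, "mail_integration": False},
    {"name": "Marketing plugin", "kind": "oauth", "scopes": ["ZohoMail.accounts.ALL", "ZohoCRM.modules.READ"],
     "created": date(2026, 3, 1), "expires": date(2026, 8, 1), "last_used": date(2026, 4, 15),
     "approved": True, "mail_integration": False},
]


def review_item(item, today=TODAY):
    """Return the list of rule violations for one token or app (empty list = clean)."""
    findings = []
    if item["expires"] is None:
        findings.append("no expiry set")
    elif item["expires"] - item["created"] > MAX_TOKEN_LIFETIME:
        findings.append("lifetime exceeds 6 months")
    full_access = [s for s in item["scopes"] if s.upper().endswith(".ALL")]
    if full_access:
        findings.append(f"full-access scope(s) {full_access}: replace with the READ/WRITE scopes actually used")
    if not item["mail_integration"] and any(s.startswith("ZohoMail.") for s in item["scopes"]):
        findings.append("holds ZohoMail scopes but is not a mail integration")
    idle_days = (today - item["last_used"]).days
    if idle_days > UNUSED_DAYS:
        findings.append(f"unused for {idle_days} days: revoke")
    if not item["approved"]:
        findings.append("not on the approved integration list")
    return findings


def review_inventory(inventory, today=TODAY):
    """Map each name to its findings; names with an empty list pass the review."""
    return {item["name"]: review_item(item, today) for item in inventory}


def revocation_candidates(inventory, today=TODAY):
    """Entries to revoke outright: idle past the window, or never approved."""
    return sorted(name for name, findings in review_inventory(inventory, today).items()
                  if any(f.startswith("unused") or f.startswith("not on") for f in findings))


if __name__ == "__main__":
    for name, findings in review_inventory(INVENTORY).items():
        print(name, "->", findings or "OK")
    print("revoke:", revocation_candidates(INVENTORY))
```

Only the Razorpay entry passes: the old Zapier connector breaks four rules at once and is the revocation candidate, the reporting script's 15-month lifetime exceeds the 6-month ceiling, and the marketing plugin holds a mail scope it has no business with. Keeping the "approved" and "mail_integration" flags in the inventory is what lets the review run without a human re-deciding each app's purpose every month.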

10. Data Backup and Export Strategy — Protect Against Data Loss (Medium Priority)

Security is not just about preventing unauthorised access — it also means ensuring your business data survives accidental deletion, ransomware, or account termination. Zoho maintains data availability with high redundancy, but platform-level backup does not protect against accidental bulk deletion by a user or deliberate data destruction by a disgruntled employee.

Zoho CRM Data Backup

Zoho CRM: Settings → Data Administration → Export → Schedule Monthly Export → CSV of all modules

Schedule a monthly automated CRM data export covering all modules: Leads, Contacts, Accounts, Deals, Activities, Custom modules. Store exports in a secure location outside of Zoho — a cloud storage provider (encrypted) or secure local server. Verify the export contents after each scheduled run to confirm the file is complete and readable.
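"Verify the export contents after each scheduled run" is the step most teams skip, so here is an added example (not from the guide) of what that verification can look like. It checks that every expected module file is present, decodes as UTF-8 CSV with a header and at least one record, compares row counts against the previous good run to catch a partial export, and records a SHA-256 per file so truncation or tampering in storage is detectable later. The one-CSV-per-module layout, the module list and the 20% drop threshold are assumptions; the sample export is constructed in a temporary directory with two deliberate defects.

```python
"""Post-run verification of a scheduled CRM export (added example, not from the guide)."""
import csv
import hashlib
import io
import os
import tempfile

# One CSV per module is assumed as the export layout; adjust to match your export.
EXPECTED_MODULES = ["Leads", "Contacts", "Accounts", "Deals", "Activities"]


def make_sample_export(root):
    """Write a constructed export with two defects: Deals has a header but no
    rows, and Activities.csv is missing entirely. Returns the directory."""
    samples = {
        "Leads": "Id,Name,Email\n1,Asha,asha@example.in\n2,Vikram,vikram@example.in\n3,Neha,neha@example.in\n",
        "Contacts": "Id,Name\n10,Acme Ltd contact\n",
        "Accounts": "Id,Name\n100,Acme Ltd\n101,Globex\n",
        "Deals": "Id,Amount\n",
    }
    for module, content in samples.items():
        with open(os.path.join(root, f"{module}.csv"), "w", encoding="utf-8", newline="") as fh:
            fh.write(content)
    return root


def inspect_csv(path):
    """Return (row_count, sha256) for a CSV file; raises if it is not readable UTF-8 CSV."""
    with open(path, "rb") as fh:
        data = fh.read()
    digest = hashlib.sha256(data).hexdigest()
    reader = csv.reader(io.StringIO(data.decode("utf-8")))
    header = next(reader, None)
    if not header:
        raise ValueError("empty file, no header row")
    rows = sum(1 for _ in reader)
    return rows, digest


def verify_export(root, expected=EXPECTED_MODULES, previous_counts=None, max_drop=0.2):
    """Check every expected module file exists, parses, and holds records.
    previous_counts (module -> rows from the last good run) lets a drop of more
    than max_drop flag a partial export; the 20% threshold is an assumption."""
    problems, files = [], {}
    for module in expected:
        path = os.path.join(root, f"{module}.csv")
        if not os.path.exists(path):
            problems.append(f"{module}: file missing")
            continue
        try:
            rows, digest = inspect_csv(path)
        except (UnicodeDecodeError, ValueError, csv.Error) as exc:
            problems.append(f"{module}: unreadable ({exc})")
            continue
        files[module] = {"rows": rows, "sha256": digest}
        if rows == 0:
            problems.append(f"{module}: header only, no records exported")
        elif previous_counts and module in previous_counts:
            floor = previous_counts[module] * (1 - max_drop)
            if rows < floor:
                problems.append(f"{module}: {rows} rows, below {floor:.0f} expected from last run")
    return {"ok": not problems, "problems": problems, "files": files}


def demo():
    """Build the sample export in a temp directory and verify it against a
    constructed previous run (Leads had 5 rows last month, Accounts had 2)."""
    root = make_sample_export(tempfile.mkdtemp())
    return verify_export(root, previous_counts={"Leads": 5, "Accounts": 2})


if __name__ == "__main__":
    report = demo()
    print("export OK" if report["ok"] else "\n".join(report["problems"]))
```

The sample run fails on three counts: Leads shrank from 5 to 3 rows, Deals contains only a header, and Activities was never written. Store the returned sha256 values alongside the files; re-hashing a backup before you rely on it is the cheapest way to know it is still the file you verified.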

Zoho Books Data Backup

Zoho Books: Settings → Preferences → Data Backup → Schedule Backup → Weekly or Monthly

Zoho Books has a dedicated backup feature that exports your complete accounting data including all transactions, contacts, items, and reports. Enable weekly backups for active accounts. The backup files are delivered to your registered email — forward them to a secure storage location and do not leave them only in email.

Zoho Mail Backup

Export Zoho Mail data as EML files through a desktop mail client (Thunderbird, Outlook) connected over IMAP. This gives you a local copy of all email folders. For business-critical email, enable Mail archiving from Zoho Mail Admin Console → Mail Archiving — this preserves a searchable archive of all organisation email.

11. Phishing Prevention and Team Security Training (Medium Priority)

The most technically sophisticated security configuration can be bypassed by a team member who clicks a phishing link and enters their Zoho credentials on a fake login page. Phishing awareness is a critical Zoho security best practice that protects the human layer of your security stack.

Technical Phishing Defences
  • DMARC p=reject prevents spoofed emails from your domain
  • Zoho Mail’s built-in spam filter blocks known phishing domains
  • Enable “Mark external email” banner in Zoho Mail for all incoming emails from outside your domain
  • Configure Zoho Mail anti-phishing rules: Admin Console → Mail → Security → Phishing Protection
  • Block executable attachments (.exe, .bat, .vbs) in Zoho Mail
Team Training and Process
  • Train team to verify Zoho login URL — accounts.zoho.com or accounts.zoho.in only
  • Never enter Zoho credentials from a link in an email — type the URL directly
  • Legitimate Zoho support never asks for your password via email
  • Report suspicious emails using Zoho Mail’s “Report Phishing” option
  • Conduct a quarterly phishing simulation — send a test phishing email to your team
The accounts.zoho.in vs accounts.zoho.com distinction matters: India users of Zoho (who signed up at zoho.in) should access their account at accounts.zoho.in. Phishing sites often create convincing fake login pages at similar-looking domains. Train your team to verify the exact URL and browser padlock before entering any credentials.

12. Complete Zoho Security Checklist 2026 — Quarterly Review

Complete Zoho security best practices 2026 checklist — use this quarterly review framework to verify all 12 security layers are properly configured and up to date for your Zoho One, CRM, Books, and Mail environment.

Use this checklist as a quarterly Zoho security review. Security is not a one-time setup — team membership changes, IP addresses change, API tokens expire or accumulate, and new products are added to your Zoho ecosystem. A quarterly review catches drift before it becomes a vulnerability.

Identity and Access

  • MFA enforced for ALL users — verify from Admin Console → Security → MFA → User Status (0 unenrolled users)
  • No users with Super Admin role except designated IT administrators
  • Former employee accounts disabled and removed from all roles
  • All user role assignments reviewed against current job functions
  • Password policy set: 12+ characters, expiry 90 days, no reuse of last 5

Email Security

  • SPF record published at @ domain, includes zoho.in or zoho.com, single record only
  • DKIM record published and showing Active (green) in Zoho Mail Admin Console
  • DMARC record at _dmarc.yourdomain.com, progressing toward p=reject policy
  • External email warning banner enabled in Zoho Mail for all inbound external emails

Network and Session

  • IP restriction allowlist reviewed — all listed IPs are current and belong to your organisation
  • Session timeout configured: 30 minutes idle, 8 hours maximum
  • Trusted devices list reviewed — removed devices not owned by current team members

API and Integration Security

  • All active API tokens reviewed — revoked unused tokens, confirmed scopes are minimum required
  • Authorised OAuth applications reviewed — removed apps not used in 30+ days
  • All active integrations documented with purpose, owner, and access scope

Monitoring and Backup

  • Audit log reviewed for last 90 days — no unexplained bulk exports, role changes, or login anomalies
  • Audit log email alerts configured for: role changes, MFA disables, bulk data exports
  • CRM data export completed and stored securely (monthly)
  • Zoho Books backup completed and verified (weekly/monthly)
  • Backup codes for all admin accounts are current and stored in a separate secure location

Certified Zoho Partner — India

Secure Your Zoho Environment — Get a Free Security Audit

Codroid Labs conducts Zoho security audits for organisations across India — reviewing MFA enrolment, email authentication, role assignments, API connections, IP restrictions, audit log configuration, and data backup strategy. We provide a written security report with prioritised remediation steps.

Delhi NCR, Mumbai, Bangalore, Ahmedabad, Surat. Remote audits available India-wide.

Frequently Asked Questions — Zoho Security Best Practices 2026

What are the most critical Zoho security best practices in 2026?

The five most critical Zoho security best practices are: (1) MFA enforcement with Zoho OneAuth for every user in your organisation. (2) SPF, DKIM, and DMARC configuration for Zoho Mail to prevent domain spoofing. (3) Role-based access control with least privilege — no user has more permission than their job requires. (4) Regular audit log review — weekly for bulk data export and role change events. (5) Data backup on a scheduled basis — CRM monthly, Books weekly — stored outside of Zoho. Implementing these five alone addresses the majority of Zoho account security risks.

How do I check if my Zoho account has been compromised?

Signs your Zoho account may be compromised: login activity from unfamiliar IP addresses or countries (Admin Console → Security → Audit Log → filter by login events), unrecognised API tokens in accounts.zoho.com → Security → API Tokens, unexpected role changes or new admin accounts in the audit log, missing records or unexplained data changes in CRM or Books, Zoho Mail sent items containing emails you did not write, and unfamiliar third-party apps in your authorised applications list. If you suspect compromise: immediately change your Zoho password, disable all API tokens, review and revoke all OAuth connections, enable or verify MFA, and contact Zoho Support.

Should I use SMS OTP or Zoho OneAuth for MFA?

Zoho OneAuth is significantly more secure than SMS OTP for MFA. SMS-based OTP is vulnerable to SIM-swap attacks — where attackers convince a mobile carrier to transfer your phone number to a SIM they control, redirecting your OTP codes. Zoho OneAuth’s push notification and TOTP methods are device-bound (tied to the specific phone, not the phone number), making them immune to SIM-swap. For business accounts in 2026, OneAuth push or TOTP is the recommended MFA method. SMS OTP should only be used as a secondary backup method, not as the primary MFA for any business-critical Zoho account.

How often should I run a Zoho security audit?

Quarterly security reviews are the recommended frequency for the full checklist in this Zoho security best practices 2026 guide. In addition: review audit logs weekly for high-risk events (bulk exports, role changes, MFA disables). Review the IP allowlist and trusted devices list monthly. Immediately review API tokens and OAuth connections whenever a team member leaves. Immediately run a full security review whenever a suspected security incident occurs — even if later determined to be a false alarm.

What Zoho security settings should I configure first for a new organisation?

For a new Zoho organisation, configure security in this priority order: (1) Enable and enforce MFA for all users — do this before adding any data. (2) Configure SPF, DKIM, and DMARC for your Zoho Mail domain — before sending any business email. (3) Set up role-based access — before adding team members. (4) Configure password policy. (5) Set session timeout. (6) Enable audit log email alerts for critical events. (7) Schedule first data backup. This sequence ensures your basic security posture is established before any business-critical data enters your Zoho environment.

Official Resources — Zoho Security