Microsoft 365 is the productivity suite for most small businesses — email, documents, Teams, everything. It's also a primary target for attackers, and the default security configuration is not designed to protect you. Here are the settings that matter most.
Multi-factor authentication (MFA) is the single change that blocks over 99% of automated account takeover attacks. Go to the Microsoft 365 admin center → Security → Identity → MFA. Enable it for every user, including admins. An authenticator app is more secure than SMS codes.
Microsoft's Security Defaults enable a baseline of security settings automatically. If your plan includes Azure AD P1/P2, Conditional Access policies give you more granular control — requiring MFA only when signing in from unfamiliar locations, blocking legacy authentication protocols, etc.
IMAP, POP3, and other basic-auth protocols cannot prompt for MFA, so a stolen password alone is enough to sign in through them. Attackers know this and specifically probe for legacy auth endpoints. Block them in the Exchange admin center and, if available, in Conditional Access.
Safe Links and Safe Attachments scan URLs and attachments in real time, even after delivery. This catches malicious content that gets through initial filters. Available in Business Premium and higher.
In the Security admin center, configure anti-phishing policies to enable impersonation protection for your domain and key users (CEO, CFO, HR), spoof intelligence, and mailbox intelligence.
Audit logging is not enabled by default in all tenants. Without it, you have no way to reconstruct what happened after an incident. Enable it in the compliance center and set retention to at least 90 days.
Business Email Compromise (BEC) attacks often involve compromising an account and setting up auto-forwarding rules to capture emails. Block this by default in the Exchange admin center under mail flow rules.
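The legacy-auth, audit-log and auto-forwarding items above can be checked and enforced from PowerShell. The script below is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module and an account with the Exchange Administrator role, and only changes settings when run with the hypothetical `-Apply` switch.

```powershell
# Added example (not from the original post). Run without -Apply to audit only;
# add -Apply to enforce the three settings. Requires ExchangeOnlineManagement.
param([switch]$Apply)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Unified audit log: confirm ingestion is on, turn it on if not.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF"
    if ($Apply) { Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true }
}

# 2. Auto-forwarding: report mailbox-level forwarding and inbox rules that forward
#    or redirect mail, then block external auto-forwarding tenant-wide.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n='Mailbox'; e={ $mbx.UserPrincipalName }}, Name, Enabled, ForwardTo, RedirectTo
}

if ($Apply) {
    # The outbound spam policy is the authoritative control; the remote-domain
    # flag is a second layer for the default (*) remote domain.
    Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
    Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
}

# 3. Legacy protocols: list mailboxes with POP/IMAP enabled and disable them;
#    SMTP AUTH is disabled tenant-wide via the transport config.
$legacy = Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.PopEnabled -or $_.ImapEnabled }
$legacy | Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled | Format-Table -AutoSize

if (-not (Get-TransportConfig).SmtpClientAuthenticationDisabled) {
    Write-Warning "SMTP AUTH is still enabled tenant-wide"
}

if ($Apply) {
    $legacy | ForEach-Object { Set-CASMailbox -Identity $_.PrimarySmtpAddress -PopEnabled $false -ImapEnabled $false }
    Set-TransportConfig -SmtpClientAuthenticationDisabled $true
}

Disconnect-ExchangeOnline -Confirm:$false
```

New mailboxes inherit POP/IMAP settings from the CAS mailbox plan, so re-run the audit after onboarding users or adjust the plan with Set-CASMailboxPlan as well.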
If your business handles sensitive data (SSNs, credit cards, health information), DLP policies can detect and block accidental or malicious transmission via email or file sharing. Available in E3 and above.
Third-party apps that connect to your Microsoft 365 tenant can have broad permissions. Review connected apps in the Azure AD admin center and revoke access to anything not actively used or from unknown publishers.
In the Security & Compliance center, configure alerts for: impossible travel sign-ins, forwarding rules being created, mass file deletion, and privileged role assignments. These are the canary events that often precede a serious incident.
Most of these settings take under 10 minutes to configure. The combination creates a dramatically harder target than the default M365 configuration most small businesses are running on today.
We'll review your current setup, identify gaps, and show you exactly what we'd do. No commitment, no obligation.