TL;DR:
- Microsoft 365’s default settings are not the secure settings — you need to actively turn on protections that are off by default
- These 10 settings are free to enable on any Microsoft 365 Business Basic, Standard, or Premium plan
- MFA and security defaults alone block over 99% of account compromise attempts, according to Microsoft’s own telemetry
If your business uses Microsoft 365, you’re probably already paying for security features you haven’t turned on. Most small businesses set up 365, create the email accounts, and leave everything else at default — which means MFA is off, external email warnings are missing, legacy authentication is still enabled, and attackers are having an easy time.
None of these changes require a consultant. They take 30–60 minutes in the Microsoft 365 admin centre and the Microsoft Defender portal.
1. Enable Security Defaults (or Conditional Access)
Where: Microsoft 365 Admin Centre → Azure Active Directory → Properties → Manage Security Defaults
Security Defaults is Microsoft’s baseline security policy for smaller organisations. It does three things: requires MFA for all users, blocks legacy authentication protocols, and requires MFA for admin actions. If you’re on a Business Basic or Standard plan without Azure AD P1 licences, Security Defaults is the quickest way to enable all of these at once.
If you have Microsoft 365 Business Premium (which includes Azure AD P1), disable Security Defaults and use Conditional Access policies instead — they’re more flexible and let you exclude trusted locations.
Why it matters: Microsoft’s data shows that enabling MFA blocks 99.9% of account compromise attacks. This is the single highest-impact change you can make.
2. Enable Multi-Factor Authentication for All Users
Where: Microsoft 365 Admin Centre → Users → Active Users → Multi-factor authentication
If Security Defaults is on, MFA is already required. If not, enable it per-user here. Choose the Microsoft Authenticator app as the default method — SMS-based MFA is vulnerable to SIM-swapping attacks and should be a fallback only.
Require all staff to register for MFA before their next login. Build this into your onboarding checklist for new hires.
3. Block Legacy Authentication Protocols
Where: Azure Active Directory → Security → Conditional Access (or covered by Security Defaults)
Legacy protocols (SMTP AUTH, IMAP, POP3, basic auth) don’t support MFA. Attackers who steal a username and password can use these protocols to log in even if MFA is enabled on the web account. Block them unless you have specific line-of-business applications that require them. Printers that scan-to-email are a common exception — use App Passwords for those.
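The Exchange Online side of this control can be scripted. The following is an added example, not code from the original article: it creates an authentication policy that blocks Basic authentication for every protocol, makes it the tenant default, switches off SMTP AUTH tenant-wide, and then re-enables SMTP AUTH for one scan-to-email mailbox (a per-mailbox exemption, which is an alternative to the app-password approach mentioned above). It complements Security Defaults or Conditional Access rather than replacing them. It assumes the ExchangeOnlineManagement module and an Exchange Administrator session; `scanner@contoso.example` and the policy name are placeholders.

```powershell
# Added example (not from the original article): block legacy/basic authentication in
# Exchange Online. Assumes the ExchangeOnlineManagement module is installed and the
# signed-in account holds Exchange Administrator. 'scanner@contoso.example' is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. An authentication policy created with no Allow* switches blocks Basic auth for every
#    protocol (SMTP AUTH, IMAP, POP3, ActiveSync, MAPI/Outlook, PowerShell, web services).
$policyName = 'Block Basic Auth'
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
# Make it the tenant default so every mailbox without an explicit policy is covered.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 2. Turn off SMTP AUTH for the whole tenant. The per-mailbox setting in step 3 overrides
#    this only where a device genuinely needs it.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 3. Exception for a copier/scanner that cannot do modern authentication. Give it its own
#    mailbox with a long random password and nothing else in its inbox.
$scanner = 'scanner@contoso.example'   # placeholder mailbox for the office copier
Set-CASMailbox -Identity $scanner -SmtpClientAuthenticationDisabled $false

# 4. Verify: list every mailbox where SMTP AUTH has been explicitly re-enabled.
#    $null means "inherits the tenant setting"; $false means an exception exists.
#    Only the scanner should appear here; anything else needs a reason or a fix.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled
```

Re-run step 4 periodically (or from a scheduled task) so that exceptions added during troubleshooting do not quietly accumulate.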
4. Enable Microsoft Defender for Office 365 Safe Links and Safe Attachments
Where: Microsoft Defender portal (security.microsoft.com) → Policies & Rules → Threat Policies
On Microsoft 365 Business Premium, Defender for Office 365 Plan 1 is included. Enable:
- Safe Links — rewrites URLs in emails and documents to scan them in real time when clicked
- Safe Attachments — detonates attachments in a sandbox before delivering them; adds 1–2 minutes to email delivery but catches malicious attachments that signature-based scanning misses
Both are off by default. Set them to “Standard protection” as a starting point.
5. Enable the External Email Warning Banner
Where: Exchange Admin Centre → Mail Flow → Rules → New Rule
Create a mail flow rule that prepends a warning to all emails from outside your organisation:
- Condition: Sender is located outside the organisation
- Action: Prepend the disclaimer: [EXTERNAL EMAIL] This message came from outside your organisation. Be cautious about clicking links or opening attachments.
This is the single most effective anti-phishing measure for non-technical staff. It creates a visible prompt at exactly the moment someone is about to make a click decision.
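The same rule can be created from Exchange Online PowerShell, which is handy when you manage several tenants or want the configuration in version control. This is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module and an Exchange Administrator session, and the rule name and banner styling are placeholders you can change.

```powershell
# Added example (not from the original article): create the external-sender warning banner
# as an Exchange Online mail flow (transport) rule. Assumes the ExchangeOnlineManagement
# module and an Exchange Administrator session. Rule name and banner HTML are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$ruleName = 'External Email Warning'

# Plain inline-styled HTML so the banner renders the same in Outlook, OWA and mobile clients.
$banner = @'
<div style="background:#fff3cd;border:1px solid #ffeeba;padding:6px;font-family:sans-serif;font-size:12px;">
<b>[EXTERNAL EMAIL]</b> This message came from outside your organisation. Be cautious about clicking links or opening attachments.
</div>
'@

if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    $params = @{
        Name                              = $ruleName
        FromScope                         = 'NotInOrganization'  # condition: sender is outside the organisation
        SentToScope                       = 'InOrganization'     # only stamp mail delivered to your own users
        ApplyHtmlDisclaimerLocation       = 'Prepend'            # banner at the top, seen before the body
        ApplyHtmlDisclaimerText           = $banner
        ApplyHtmlDisclaimerFallbackAction = 'Wrap'               # if the body cannot be altered (e.g. signed mail), wrap it
        Mode                              = 'Enforce'
        Comments                          = 'Prepends an [EXTERNAL EMAIL] banner to inbound mail from outside the tenant.'
    }
    New-TransportRule @params | Out-Null
}

# Verify the rule is enabled and scoped as intended.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, FromScope, SentToScope, ApplyHtmlDisclaimerLocation
```

If a trusted partner's mail must not carry the banner, add `ExceptIfSenderDomainIs` to the parameter set rather than disabling the rule; keep that exception list short, since every exempted domain is one an attacker only has to spoof.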
6. Enable Anti-Phishing Policies
Where: Microsoft Defender portal → Policies & Rules → Threat Policies → Anti-phishing
Enable impersonation protection for your domain and for key individuals (CEO, finance director, anyone who handles payments or payroll). This catches emails that spoof your company name or a trusted individual’s name to bypass standard filters.
Set the action for impersonation attempts to “Move to quarantine” rather than junk — quarantine requires admin review, reducing the chance something important gets overlooked.
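The impersonation settings described in this section map onto parameters of the default anti-phishing policy. The following is an added example, not code from the original article: it turns on user, domain and mailbox-intelligence impersonation protection and sets every action to quarantine. It assumes Defender for Office 365 Plan 1 (included in Business Premium), the ExchangeOnlineManagement module and an Exchange Administrator session; the names and addresses in the protected-user list are placeholders.

```powershell
# Added example (not from the original article): configure impersonation protection in the
# default anti-phishing policy. Requires Defender for Office 365 Plan 1, the
# ExchangeOnlineManagement module and an Exchange Administrator session.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# People whose names are most likely to be spoofed. Format is "Display Name;address"
# (placeholders; replace with your CEO, finance director, payroll and payments staff).
$protectedUsers = @(
    'Jane Doe;jane.doe@contoso.example'      # placeholder: CEO
    'Sam Smith;sam.smith@contoso.example'    # placeholder: finance director
)

$params = @{
    Identity                            = 'Office365 AntiPhish Default'
    # User impersonation: look-alike display names or addresses of the people above.
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $protectedUsers
    TargetedUserProtectionAction        = 'Quarantine'   # quarantine, not junk, so an admin reviews it
    # Domain impersonation: look-alikes of every accepted domain in the tenant.
    EnableOrganizationDomainsProtection = $true
    TargetedDomainProtectionAction      = 'Quarantine'
    # Mailbox intelligence: senders who impersonate people a user actually corresponds with.
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'Quarantine'
    # Safety tips shown to the recipient inside the message.
    EnableFirstContactSafetyTips        = $true
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
}
Set-AntiPhishPolicy @params

# Verify what the policy now enforces.
Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' |
    Format-List Enable*Protection, Targeted*Action, MailboxIntelligenceProtectionAction, TargetedUsersToProtect
```

Keep the protected-user list current as people join and leave; a stale entry for a former finance director protects nobody, while the new one goes unprotected.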
7. Configure DMARC, DKIM, and SPF
Where: Your DNS provider + Exchange Admin Centre
These three DNS records protect your domain from being spoofed in emails sent to others:
- SPF — tells receiving mail servers which servers are allowed to send email from your domain
- DKIM — cryptographically signs outbound email so recipients can verify it came from you
- DMARC — tells receiving servers what to do with emails that fail SPF or DKIM checks (quarantine or reject)
Microsoft 365 auto-generates DKIM keys for your domain — enable them in the Defender portal. SPF and DMARC records go in your DNS. Start DMARC with p=none (monitoring mode) and check the reports before moving to p=quarantine or p=reject.
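A quick way to confirm all three records are in place, and to switch on Microsoft 365's DKIM signing, is shown below. This is an added example, not code from the original article. The DNS checks use `Resolve-DnsName` (Windows DnsClient module); the DKIM part assumes the ExchangeOnlineManagement module and an Exchange Administrator session. `contoso.example` and the DMARC sample record are constructed placeholders.

```powershell
# Added example (not from the original article): check SPF, DKIM and DMARC for a domain and
# enable DKIM signing in Exchange Online. Assumes Resolve-DnsName (Windows DnsClient module)
# and, for Enable-M365DkimSigning, the ExchangeOnlineManagement module.
# 'contoso.example' is a placeholder domain.

function Get-DmarcPolicy {
    # Parse a DMARC TXT record ("v=DMARC1; p=quarantine; rua=mailto:...") into a tag hashtable.
    param([Parameter(Mandatory)][string]$Record)
    $tags = @{}
    foreach ($part in $Record -split ';') {
        $kv = $part.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    return $tags
}

function Test-MailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)

    # SPF lives in the apex TXT record and must start with v=spf1.
    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=spf1*' }

    # Microsoft 365 uses two DKIM selectors; each must be a CNAME to a *.onmicrosoft.com host.
    $dkim = foreach ($selector in 'selector1', 'selector2') {
        $cname = Resolve-DnsName -Name "$selector._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        [pscustomobject]@{ Selector = $selector; Target = $cname.NameHost }
    }

    # DMARC lives at _dmarc.<domain>; the p= tag is the enforcement level.
    $dmarcTxt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $dmarc = if ($dmarcTxt) { Get-DmarcPolicy -Record $dmarcTxt } else { @{} }

    [pscustomobject]@{
        Domain      = $Domain
        Spf         = $spf
        Dkim        = $dkim
        DmarcPolicy = $dmarc['p']      # none -> quarantine -> reject as you gain confidence
        DmarcReport = $dmarc['rua']    # aggregate-report address; without it p=none tells you nothing
    }
}

function Enable-M365DkimSigning {
    # Turn on Microsoft 365's auto-generated DKIM signing for a domain (Exchange Online session required).
    # Prerequisite: the selector1/selector2 CNAMEs reported by Test-MailAuthRecords must exist first.
    param([Parameter(Mandatory)][string]$Domain)
    $config = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
    if (-not $config) { New-DkimSigningConfig -DomainName $Domain -Enabled $true | Out-Null }
    elseif (-not $config.Enabled) { Set-DkimSigningConfig -Identity $Domain -Enabled $true }
    Get-DkimSigningConfig -Identity $Domain | Select-Object Domain, Enabled, Selector1CNAME, Selector2CNAME
}

# Constructed sample record (not fetched from DNS) showing how the parser reads the tags.
$sample = Get-DmarcPolicy -Record 'v=DMARC1; p=none; rua=mailto:dmarc@contoso.example; pct=100'
"DMARC policy: $($sample['p']); reports to: $($sample['rua'])"

# Live check of your own domain, then enable DKIM once the CNAMEs resolve.
Test-MailAuthRecords -Domain 'contoso.example' | Format-List
# Connect-ExchangeOnline
# Enable-M365DkimSigning -Domain 'contoso.example'
```

Run `Test-MailAuthRecords` again after each DNS change; a DMARC record with `p=none` and no `rua=` address is the most common half-finished state, because it looks present but never produces the reports you need before moving to quarantine or reject.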
8. Enable Unified Audit Logging
Where: Microsoft Defender portal → Audit → Start recording user and admin activity
Audit logging records who accessed what, when, from where. It’s off by default on some plans. Enable it now so that if you ever have a security incident, you have a log to investigate. Logs are retained for 90 days on standard plans; Microsoft 365 Business Premium extends this to 180 days.
9. Configure Automatic Session Timeouts
Where: Microsoft 365 Admin Centre → Settings → Org Settings → Security & Privacy → Idle Session Timeout
Enable an idle session timeout (recommended: 1–3 hours). This signs out browser-based Microsoft 365 sessions after a period of inactivity — important for shared computers, open-plan offices, or staff who step away from their machines.
10. Review and Restrict Admin Role Assignments
Where: Microsoft 365 Admin Centre → Users → Active Users → filter by Admin roles
Most small businesses have too many users with Global Administrator rights because it’s the default when setting up accounts. Review admin roles:
- Only 1–2 trusted people should have Global Administrator
- IT support staff can use Helpdesk Administrator or User Administrator roles instead
- Finance should not have Global Administrator unless specifically required
Enable privileged identity management (PIM) if you have Azure AD P2 licences — it requires admins to explicitly activate elevated access with MFA for a time-limited window, rather than having permanent admin rights.
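Listing who actually holds Global Administrator is the first step of that review, and it is easy to script. The following is an added example, not code from the original article: it uses Microsoft Graph PowerShell to enumerate the members of selected directory roles, shows whether each member is a user, group or service principal, and warns when Global Administrator exceeds the 1–2 person guideline above. It assumes the Microsoft.Graph modules are installed and that the signed-in account can consent to the `RoleManagement.Read.Directory` and `Directory.Read.All` scopes.

```powershell
# Added example (not from the original article): report Global Administrator (and other
# privileged role) members with Microsoft Graph PowerShell. Assumes the Microsoft.Graph
# modules are installed; the signed-in account needs the scopes requested below.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

function Get-PrivilegedRoleMembers {
    # One row per member of each named directory role. The object type column makes groups
    # and service principals holding a role stand out next to ordinary user accounts.
    param([string[]]$RoleNames = @('Global Administrator'))

    foreach ($roleName in $RoleNames) {
        # Only roles that have been activated in the tenant exist as directoryRole objects;
        # Global Administrator always does, others may not.
        $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
        if (-not $role) { continue }

        Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
            [pscustomobject]@{
                Role      = $roleName
                Type      = ($_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
                Display   = $_.AdditionalProperties['displayName']
                Principal = $_.AdditionalProperties['userPrincipalName']
                Enabled   = $_.AdditionalProperties['accountEnabled']
            }
        }
    }
}

$roles   = 'Global Administrator', 'Exchange Administrator', 'User Administrator', 'Helpdesk Administrator'
$members = Get-PrivilegedRoleMembers -RoleNames $roles
$members | Sort-Object Role, Principal | Format-Table -AutoSize

# The article's guideline: only 1–2 trusted people should hold Global Administrator.
$globalAdmins = @($members | Where-Object Role -eq 'Global Administrator')
if ($globalAdmins.Count -gt 2) {
    Write-Warning "Found $($globalAdmins.Count) Global Administrators; move day-to-day admins to Helpdesk or User Administrator."
}

# Disabled accounts that still hold a role are leftovers from departures and should be removed.
$members | Where-Object { $_.Enabled -eq $false } |
    ForEach-Object { Write-Warning "Disabled account $($_.Principal) still holds $($_.Role)" }
```

Keep the output with your other change records; comparing this month's list to last month's is a cheap way to notice an admin role that was granted during an incident or a migration and never taken back.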
Time investment: 60–90 minutes to implement all ten. Book a half-day with your IT contact or work through them yourself in the admin portals. The Microsoft Secure Score dashboard (Defender portal → Secure Score) gives you a running score and further recommendations once these basics are in place.